1 /*
2  * Remote Processor Framework Elf loader
3  *
4  * Copyright (C) 2011 Texas Instruments, Inc.
5  * Copyright (C) 2011 Google, Inc.
6  *
7  * Ohad Ben-Cohen <ohad@wizery.com>
8  * Brian Swetland <swetland@google.com>
9  * Mark Grosen <mgrosen@ti.com>
10  * Fernando Guzman Lugo <fernando.lugo@ti.com>
11  * Suman Anna <s-anna@ti.com>
12  * Robert Tivy <rtivy@ti.com>
13  * Armando Uribe De Leon <x0095078@ti.com>
14  * Sjur Brændeland <sjur.brandeland@stericsson.com>
15  *
16  * This program is free software; you can redistribute it and/or
17  * modify it under the terms of the GNU General Public License
18  * version 2 as published by the Free Software Foundation.
19  *
20  * This program is distributed in the hope that it will be useful,
21  * but WITHOUT ANY WARRANTY; without even the implied warranty of
22  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
23  * GNU General Public License for more details.
24  */
25 
26 #define pr_fmt(fmt)    "%s: " fmt, __func__
27 
28 #include <linux/module.h>
29 #include <linux/firmware.h>
30 #include <linux/remoteproc.h>
31 #include <linux/elf.h>
32 
33 #include "remoteproc_internal.h"
34 
35 /**
36  * rproc_elf_sanity_check() - Sanity Check ELF firmware image
37  * @rproc: the remote processor handle
38  * @fw: the ELF firmware image
39  *
40  * Make sure this fw image is sane.
41  */
42 int rproc_elf_sanity_check(struct rproc *rproc, const struct firmware *fw)
43 {
44 	const char *name = rproc->firmware;
45 	struct device *dev = &rproc->dev;
46 	struct elf32_hdr *ehdr;
47 	char class;
48 
49 	if (!fw) {
50 		dev_err(dev, "failed to load %s\n", name);
51 		return -EINVAL;
52 	}
53 
54 	if (fw->size < sizeof(struct elf32_hdr)) {
55 		dev_err(dev, "Image is too small\n");
56 		return -EINVAL;
57 	}
58 
59 	ehdr = (struct elf32_hdr *)fw->data;
60 
61 	/* We only support ELF32 at this point */
62 	class = ehdr->e_ident[EI_CLASS];
63 	if (class != ELFCLASS32) {
64 		dev_err(dev, "Unsupported class: %d\n", class);
65 		return -EINVAL;
66 	}
67 
68 	/* We assume the firmware has the same endianness as the host */
69 # ifdef __LITTLE_ENDIAN
70 	if (ehdr->e_ident[EI_DATA] != ELFDATA2LSB) {
71 # else /* BIG ENDIAN */
72 	if (ehdr->e_ident[EI_DATA] != ELFDATA2MSB) {
73 # endif
74 		dev_err(dev, "Unsupported firmware endianness\n");
75 		return -EINVAL;
76 	}
77 
78 	if (fw->size < ehdr->e_shoff + sizeof(struct elf32_shdr)) {
79 		dev_err(dev, "Image is too small\n");
80 		return -EINVAL;
81 	}
82 
83 	if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG)) {
84 		dev_err(dev, "Image is corrupted (bad magic)\n");
85 		return -EINVAL;
86 	}
87 
88 	if (ehdr->e_phnum == 0) {
89 		dev_err(dev, "No loadable segments\n");
90 		return -EINVAL;
91 	}
92 
93 	if (ehdr->e_phoff > fw->size) {
94 		dev_err(dev, "Firmware size is too small\n");
95 		return -EINVAL;
96 	}
97 
98 	return 0;
99 }
100 EXPORT_SYMBOL(rproc_elf_sanity_check);
101 
102 /**
103  * rproc_elf_get_boot_addr() - Get rproc's boot address.
104  * @rproc: the remote processor handle
105  * @fw: the ELF firmware image
106  *
107  * This function returns the entry point address of the ELF
108  * image.
109  *
110  * Note that the boot address is not a configurable property of all remote
111  * processors. Some will always boot at a specific hard-coded address.
112  */
113 u32 rproc_elf_get_boot_addr(struct rproc *rproc, const struct firmware *fw)
114 {
115 	struct elf32_hdr *ehdr  = (struct elf32_hdr *)fw->data;
116 
117 	return ehdr->e_entry;
118 }
119 EXPORT_SYMBOL(rproc_elf_get_boot_addr);
120 
121 /**
122  * rproc_elf_load_segments() - load firmware segments to memory
123  * @rproc: remote processor which will be booted using these fw segments
124  * @fw: the ELF firmware image
125  *
126  * This function loads the firmware segments to memory, where the remote
127  * processor expects them.
128  *
129  * Some remote processors will expect their code and data to be placed
130  * in specific device addresses, and can't have them dynamically assigned.
131  *
132  * We currently support only those kind of remote processors, and expect
133  * the program header's paddr member to contain those addresses. We then go
134  * through the physically contiguous "carveout" memory regions which we
135  * allocated (and mapped) earlier on behalf of the remote processor,
136  * and "translate" device address to kernel addresses, so we can copy the
137  * segments where they are expected.
138  *
139  * Currently we only support remote processors that required carveout
140  * allocations and got them mapped onto their iommus. Some processors
141  * might be different: they might not have iommus, and would prefer to
142  * directly allocate memory for every segment/resource. This is not yet
143  * supported, though.
144  */
145 int rproc_elf_load_segments(struct rproc *rproc, const struct firmware *fw)
146 {
147 	struct device *dev = &rproc->dev;
148 	struct elf32_hdr *ehdr;
149 	struct elf32_phdr *phdr;
150 	int i, ret = 0;
151 	const u8 *elf_data = fw->data;
152 
153 	ehdr = (struct elf32_hdr *)elf_data;
154 	phdr = (struct elf32_phdr *)(elf_data + ehdr->e_phoff);
155 
156 	/* go through the available ELF segments */
157 	for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
158 		u32 da = phdr->p_paddr;
159 		u32 memsz = phdr->p_memsz;
160 		u32 filesz = phdr->p_filesz;
161 		u32 offset = phdr->p_offset;
162 		void *ptr;
163 
164 		if (phdr->p_type != PT_LOAD)
165 			continue;
166 
167 		dev_dbg(dev, "phdr: type %d da 0x%x memsz 0x%x filesz 0x%x\n",
168 			phdr->p_type, da, memsz, filesz);
169 
170 		if (filesz > memsz) {
171 			dev_err(dev, "bad phdr filesz 0x%x memsz 0x%x\n",
172 				filesz, memsz);
173 			ret = -EINVAL;
174 			break;
175 		}
176 
177 		if (offset + filesz > fw->size) {
178 			dev_err(dev, "truncated fw: need 0x%x avail 0x%zx\n",
179 				offset + filesz, fw->size);
180 			ret = -EINVAL;
181 			break;
182 		}
183 
184 		/* grab the kernel address for this device address */
185 		ptr = rproc_da_to_va(rproc, da, memsz);
186 		if (!ptr) {
187 			dev_err(dev, "bad phdr da 0x%x mem 0x%x\n", da, memsz);
188 			ret = -EINVAL;
189 			break;
190 		}
191 
192 		/* put the segment where the remote processor expects it */
193 		if (phdr->p_filesz)
194 			memcpy(ptr, elf_data + phdr->p_offset, filesz);
195 
196 		/*
197 		 * Zero out remaining memory for this segment.
198 		 *
199 		 * This isn't strictly required since dma_alloc_coherent already
200 		 * did this for us. albeit harmless, we may consider removing
201 		 * this.
202 		 */
203 		if (memsz > filesz)
204 			memset(ptr + filesz, 0, memsz - filesz);
205 	}
206 
207 	return ret;
208 }
209 EXPORT_SYMBOL(rproc_elf_load_segments);
210 
211 static struct elf32_shdr *
212 find_table(struct device *dev, struct elf32_hdr *ehdr, size_t fw_size)
213 {
214 	struct elf32_shdr *shdr;
215 	int i;
216 	const char *name_table;
217 	struct resource_table *table = NULL;
218 	const u8 *elf_data = (void *)ehdr;
219 
220 	/* look for the resource table and handle it */
221 	shdr = (struct elf32_shdr *)(elf_data + ehdr->e_shoff);
222 	name_table = elf_data + shdr[ehdr->e_shstrndx].sh_offset;
223 
224 	for (i = 0; i < ehdr->e_shnum; i++, shdr++) {
225 		u32 size = shdr->sh_size;
226 		u32 offset = shdr->sh_offset;
227 
228 		if (strcmp(name_table + shdr->sh_name, ".resource_table"))
229 			continue;
230 
231 		table = (struct resource_table *)(elf_data + offset);
232 
233 		/* make sure we have the entire table */
234 		if (offset + size > fw_size || offset + size < size) {
235 			dev_err(dev, "resource table truncated\n");
236 			return NULL;
237 		}
238 
239 		/* make sure table has at least the header */
240 		if (sizeof(struct resource_table) > size) {
241 			dev_err(dev, "header-less resource table\n");
242 			return NULL;
243 		}
244 
245 		/* we don't support any version beyond the first */
246 		if (table->ver != 1) {
247 			dev_err(dev, "unsupported fw ver: %d\n", table->ver);
248 			return NULL;
249 		}
250 
251 		/* make sure reserved bytes are zeroes */
252 		if (table->reserved[0] || table->reserved[1]) {
253 			dev_err(dev, "non zero reserved bytes\n");
254 			return NULL;
255 		}
256 
257 		/* make sure the offsets array isn't truncated */
258 		if (table->num * sizeof(table->offset[0]) +
259 				sizeof(struct resource_table) > size) {
260 			dev_err(dev, "resource table incomplete\n");
261 			return NULL;
262 		}
263 
264 		return shdr;
265 	}
266 
267 	return NULL;
268 }
269 
270 /**
271  * rproc_elf_load_rsc_table() - load the resource table
272  * @rproc: the rproc handle
273  * @fw: the ELF firmware image
274  *
275  * This function finds the resource table inside the remote processor's
276  * firmware, load it into the @cached_table and update @table_ptr.
277  *
278  * Return: 0 on success, negative errno on failure.
279  */
280 int rproc_elf_load_rsc_table(struct rproc *rproc, const struct firmware *fw)
281 {
282 	struct elf32_hdr *ehdr;
283 	struct elf32_shdr *shdr;
284 	struct device *dev = &rproc->dev;
285 	struct resource_table *table = NULL;
286 	const u8 *elf_data = fw->data;
287 	size_t tablesz;
288 
289 	ehdr = (struct elf32_hdr *)elf_data;
290 
291 	shdr = find_table(dev, ehdr, fw->size);
292 	if (!shdr)
293 		return -EINVAL;
294 
295 	table = (struct resource_table *)(elf_data + shdr->sh_offset);
296 	tablesz = shdr->sh_size;
297 
298 	/*
299 	 * Create a copy of the resource table. When a virtio device starts
300 	 * and calls vring_new_virtqueue() the address of the allocated vring
301 	 * will be stored in the cached_table. Before the device is started,
302 	 * cached_table will be copied into device memory.
303 	 */
304 	rproc->cached_table = kmemdup(table, tablesz, GFP_KERNEL);
305 	if (!rproc->cached_table)
306 		return -ENOMEM;
307 
308 	rproc->table_ptr = rproc->cached_table;
309 	rproc->table_sz = tablesz;
310 
311 	return 0;
312 }
313 EXPORT_SYMBOL(rproc_elf_load_rsc_table);
314 
315 /**
316  * rproc_elf_find_loaded_rsc_table() - find the loaded resource table
317  * @rproc: the rproc handle
318  * @fw: the ELF firmware image
319  *
320  * This function finds the location of the loaded resource table. Don't
321  * call this function if the table wasn't loaded yet - it's a bug if you do.
322  *
323  * Returns the pointer to the resource table if it is found or NULL otherwise.
324  * If the table wasn't loaded yet the result is unspecified.
325  */
326 struct resource_table *rproc_elf_find_loaded_rsc_table(struct rproc *rproc,
327 						       const struct firmware *fw)
328 {
329 	struct elf32_hdr *ehdr = (struct elf32_hdr *)fw->data;
330 	struct elf32_shdr *shdr;
331 
332 	shdr = find_table(&rproc->dev, ehdr, fw->size);
333 	if (!shdr)
334 		return NULL;
335 
336 	return rproc_da_to_va(rproc, shdr->sh_addr, shdr->sh_size);
337 }
338 EXPORT_SYMBOL(rproc_elf_find_loaded_rsc_table);
339