1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * 4 * Bluetooth support for Intel devices 5 * 6 * Copyright (C) 2015 Intel Corporation 7 */ 8 9#include <linux/module.h> 10#include <linux/firmware.h> 11#include <linux/regmap.h> 12#include <linux/acpi.h> 13#include <acpi/acpi_bus.h> 14#include <asm/unaligned.h> 15 16#include <net/bluetooth/bluetooth.h> 17#include <net/bluetooth/hci_core.h> 18 19#include "btintel.h" 20 21#define VERSION "0.1" 22 23#define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 24#define RSA_HEADER_LEN 644 25#define CSS_HEADER_OFFSET 8 26#define ECDSA_OFFSET 644 27#define ECDSA_HEADER_LEN 320 28 29#define BTINTEL_PPAG_NAME "PPAG" 30 31enum { 32 DSM_SET_WDISABLE2_DELAY = 1, 33 DSM_SET_RESET_METHOD = 3, 34}; 35 36/* structure to store the PPAG data read from ACPI table */ 37struct btintel_ppag { 38 u32 domain; 39 u32 mode; 40 acpi_status status; 41 struct hci_dev *hdev; 42}; 43 44#define CMD_WRITE_BOOT_PARAMS 0xfc0e 45struct cmd_write_boot_params { 46 __le32 boot_addr; 47 u8 fw_build_num; 48 u8 fw_build_ww; 49 u8 fw_build_yy; 50} __packed; 51 52static struct { 53 const char *driver_name; 54 u8 hw_variant; 55 u32 fw_build_num; 56} coredump_info; 57 58static const guid_t btintel_guid_dsm = 59 GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233, 60 0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9); 61 62int btintel_check_bdaddr(struct hci_dev *hdev) 63{ 64 struct hci_rp_read_bd_addr *bda; 65 struct sk_buff *skb; 66 67 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 68 HCI_INIT_TIMEOUT); 69 if (IS_ERR(skb)) { 70 int err = PTR_ERR(skb); 71 bt_dev_err(hdev, "Reading Intel device address failed (%d)", 72 err); 73 return err; 74 } 75 76 if (skb->len != sizeof(*bda)) { 77 bt_dev_err(hdev, "Intel device address length mismatch"); 78 kfree_skb(skb); 79 return -EIO; 80 } 81 82 bda = (struct hci_rp_read_bd_addr *)skb->data; 83 84 /* For some Intel based controllers, the default Bluetooth device 85 * address 00:03:19:9E:8B:00 can be found. These controllers are 86 * fully operational, but have the danger of duplicate addresses 87 * and that in turn can cause problems with Bluetooth operation. 88 */ 89 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) { 90 bt_dev_err(hdev, "Found Intel default device address (%pMR)", 91 &bda->bdaddr); 92 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 93 } 94 95 kfree_skb(skb); 96 97 return 0; 98} 99EXPORT_SYMBOL_GPL(btintel_check_bdaddr); 100 101int btintel_enter_mfg(struct hci_dev *hdev) 102{ 103 static const u8 param[] = { 0x01, 0x00 }; 104 struct sk_buff *skb; 105 106 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 107 if (IS_ERR(skb)) { 108 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)", 109 PTR_ERR(skb)); 110 return PTR_ERR(skb); 111 } 112 kfree_skb(skb); 113 114 return 0; 115} 116EXPORT_SYMBOL_GPL(btintel_enter_mfg); 117 118int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched) 119{ 120 u8 param[] = { 0x00, 0x00 }; 121 struct sk_buff *skb; 122 123 /* The 2nd command parameter specifies the manufacturing exit method: 124 * 0x00: Just disable the manufacturing mode (0x00). 125 * 0x01: Disable manufacturing mode and reset with patches deactivated. 126 * 0x02: Disable manufacturing mode and reset with patches activated. 127 */ 128 if (reset) 129 param[1] |= patched ? 0x02 : 0x01; 130 131 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT); 132 if (IS_ERR(skb)) { 133 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)", 134 PTR_ERR(skb)); 135 return PTR_ERR(skb); 136 } 137 kfree_skb(skb); 138 139 return 0; 140} 141EXPORT_SYMBOL_GPL(btintel_exit_mfg); 142 143int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 144{ 145 struct sk_buff *skb; 146 int err; 147 148 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 149 if (IS_ERR(skb)) { 150 err = PTR_ERR(skb); 151 bt_dev_err(hdev, "Changing Intel device address failed (%d)", 152 err); 153 return err; 154 } 155 kfree_skb(skb); 156 157 return 0; 158} 159EXPORT_SYMBOL_GPL(btintel_set_bdaddr); 160 161static int btintel_set_event_mask(struct hci_dev *hdev, bool debug) 162{ 163 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 164 struct sk_buff *skb; 165 int err; 166 167 if (debug) 168 mask[1] |= 0x62; 169 170 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT); 171 if (IS_ERR(skb)) { 172 err = PTR_ERR(skb); 173 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err); 174 return err; 175 } 176 kfree_skb(skb); 177 178 return 0; 179} 180 181int btintel_set_diag(struct hci_dev *hdev, bool enable) 182{ 183 struct sk_buff *skb; 184 u8 param[3]; 185 int err; 186 187 if (enable) { 188 param[0] = 0x03; 189 param[1] = 0x03; 190 param[2] = 0x03; 191 } else { 192 param[0] = 0x00; 193 param[1] = 0x00; 194 param[2] = 0x00; 195 } 196 197 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT); 198 if (IS_ERR(skb)) { 199 err = PTR_ERR(skb); 200 if (err == -ENODATA) 201 goto done; 202 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)", 203 err); 204 return err; 205 } 206 kfree_skb(skb); 207 208done: 209 btintel_set_event_mask(hdev, enable); 210 return 0; 211} 212EXPORT_SYMBOL_GPL(btintel_set_diag); 213 214static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable) 215{ 216 int err, ret; 217 218 err = btintel_enter_mfg(hdev); 219 if (err) 220 return err; 221 222 ret = btintel_set_diag(hdev, enable); 223 224 err = btintel_exit_mfg(hdev, false, false); 225 if (err) 226 return err; 227 228 return ret; 229} 230 231static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable) 232{ 233 int ret; 234 235 /* Legacy ROM device needs to be in the manufacturer mode to apply 236 * diagnostic setting 237 * 238 * This flag is set after reading the Intel version. 239 */ 240 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY)) 241 ret = btintel_set_diag_mfg(hdev, enable); 242 else 243 ret = btintel_set_diag(hdev, enable); 244 245 return ret; 246} 247 248static void btintel_hw_error(struct hci_dev *hdev, u8 code) 249{ 250 struct sk_buff *skb; 251 u8 type = 0x00; 252 253 bt_dev_err(hdev, "Hardware error 0x%2.2x", code); 254 255 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 256 if (IS_ERR(skb)) { 257 bt_dev_err(hdev, "Reset after hardware error failed (%ld)", 258 PTR_ERR(skb)); 259 return; 260 } 261 kfree_skb(skb); 262 263 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 264 if (IS_ERR(skb)) { 265 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)", 266 PTR_ERR(skb)); 267 return; 268 } 269 270 if (skb->len != 13) { 271 bt_dev_err(hdev, "Exception info size mismatch"); 272 kfree_skb(skb); 273 return; 274 } 275 276 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1)); 277 278 kfree_skb(skb); 279} 280 281int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver) 282{ 283 const char *variant; 284 285 /* The hardware platform number has a fixed value of 0x37 and 286 * for now only accept this single value. 287 */ 288 if (ver->hw_platform != 0x37) { 289 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)", 290 ver->hw_platform); 291 return -EINVAL; 292 } 293 294 /* Check for supported iBT hardware variants of this firmware 295 * loading method. 296 * 297 * This check has been put in place to ensure correct forward 298 * compatibility options when newer hardware variants come along. 299 */ 300 switch (ver->hw_variant) { 301 case 0x07: /* WP - Legacy ROM */ 302 case 0x08: /* StP - Legacy ROM */ 303 case 0x0b: /* SfP */ 304 case 0x0c: /* WsP */ 305 case 0x11: /* JfP */ 306 case 0x12: /* ThP */ 307 case 0x13: /* HrP */ 308 case 0x14: /* CcP */ 309 break; 310 default: 311 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)", 312 ver->hw_variant); 313 return -EINVAL; 314 } 315 316 switch (ver->fw_variant) { 317 case 0x01: 318 variant = "Legacy ROM 2.5"; 319 break; 320 case 0x06: 321 variant = "Bootloader"; 322 break; 323 case 0x22: 324 variant = "Legacy ROM 2.x"; 325 break; 326 case 0x23: 327 variant = "Firmware"; 328 break; 329 default: 330 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant); 331 return -EINVAL; 332 } 333 334 coredump_info.hw_variant = ver->hw_variant; 335 coredump_info.fw_build_num = ver->fw_build_num; 336 337 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u", 338 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 339 ver->fw_build_num, ver->fw_build_ww, 340 2000 + ver->fw_build_yy); 341 342 return 0; 343} 344EXPORT_SYMBOL_GPL(btintel_version_info); 345 346static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen, 347 const void *param) 348{ 349 while (plen > 0) { 350 struct sk_buff *skb; 351 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 352 353 cmd_param[0] = fragment_type; 354 memcpy(cmd_param + 1, param, fragment_len); 355 356 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 357 cmd_param, HCI_INIT_TIMEOUT); 358 if (IS_ERR(skb)) 359 return PTR_ERR(skb); 360 361 kfree_skb(skb); 362 363 plen -= fragment_len; 364 param += fragment_len; 365 } 366 367 return 0; 368} 369 370int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name) 371{ 372 const struct firmware *fw; 373 struct sk_buff *skb; 374 const u8 *fw_ptr; 375 int err; 376 377 err = request_firmware_direct(&fw, ddc_name, &hdev->dev); 378 if (err < 0) { 379 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)", 380 ddc_name, err); 381 return err; 382 } 383 384 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name); 385 386 fw_ptr = fw->data; 387 388 /* DDC file contains one or more DDC structure which has 389 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 390 */ 391 while (fw->size > fw_ptr - fw->data) { 392 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 393 394 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 395 HCI_INIT_TIMEOUT); 396 if (IS_ERR(skb)) { 397 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)", 398 PTR_ERR(skb)); 399 release_firmware(fw); 400 return PTR_ERR(skb); 401 } 402 403 fw_ptr += cmd_plen; 404 kfree_skb(skb); 405 } 406 407 release_firmware(fw); 408 409 bt_dev_info(hdev, "Applying Intel DDC parameters completed"); 410 411 return 0; 412} 413EXPORT_SYMBOL_GPL(btintel_load_ddc_config); 414 415int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug) 416{ 417 int err, ret; 418 419 err = btintel_enter_mfg(hdev); 420 if (err) 421 return err; 422 423 ret = btintel_set_event_mask(hdev, debug); 424 425 err = btintel_exit_mfg(hdev, false, false); 426 if (err) 427 return err; 428 429 return ret; 430} 431EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg); 432 433int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) 434{ 435 struct sk_buff *skb; 436 437 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); 438 if (IS_ERR(skb)) { 439 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 440 PTR_ERR(skb)); 441 return PTR_ERR(skb); 442 } 443 444 if (skb->len != sizeof(*ver)) { 445 bt_dev_err(hdev, "Intel version event size mismatch"); 446 kfree_skb(skb); 447 return -EILSEQ; 448 } 449 450 memcpy(ver, skb->data, sizeof(*ver)); 451 452 kfree_skb(skb); 453 454 return 0; 455} 456EXPORT_SYMBOL_GPL(btintel_read_version); 457 458static int btintel_version_info_tlv(struct hci_dev *hdev, 459 struct intel_version_tlv *version) 460{ 461 const char *variant; 462 463 /* The hardware platform number has a fixed value of 0x37 and 464 * for now only accept this single value. 465 */ 466 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) { 467 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 468 INTEL_HW_PLATFORM(version->cnvi_bt)); 469 return -EINVAL; 470 } 471 472 /* Check for supported iBT hardware variants of this firmware 473 * loading method. 474 * 475 * This check has been put in place to ensure correct forward 476 * compatibility options when newer hardware variants come along. 477 */ 478 switch (INTEL_HW_VARIANT(version->cnvi_bt)) { 479 case 0x17: /* TyP */ 480 case 0x18: /* Slr */ 481 case 0x19: /* Slr-F */ 482 case 0x1b: /* Mgr */ 483 case 0x1c: /* Gale Peak (GaP) */ 484 break; 485 default: 486 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)", 487 INTEL_HW_VARIANT(version->cnvi_bt)); 488 return -EINVAL; 489 } 490 491 switch (version->img_type) { 492 case 0x01: 493 variant = "Bootloader"; 494 /* It is required that every single firmware fragment is acknowledged 495 * with a command complete event. If the boot parameters indicate 496 * that this bootloader does not send them, then abort the setup. 497 */ 498 if (version->limited_cce != 0x00) { 499 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)", 500 version->limited_cce); 501 return -EINVAL; 502 } 503 504 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */ 505 if (version->sbe_type > 0x01) { 506 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)", 507 version->sbe_type); 508 return -EINVAL; 509 } 510 511 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id); 512 bt_dev_info(hdev, "Secure boot is %s", 513 version->secure_boot ? "enabled" : "disabled"); 514 bt_dev_info(hdev, "OTP lock is %s", 515 version->otp_lock ? "enabled" : "disabled"); 516 bt_dev_info(hdev, "API lock is %s", 517 version->api_lock ? "enabled" : "disabled"); 518 bt_dev_info(hdev, "Debug lock is %s", 519 version->debug_lock ? "enabled" : "disabled"); 520 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 521 version->min_fw_build_nn, version->min_fw_build_cw, 522 2000 + version->min_fw_build_yy); 523 break; 524 case 0x03: 525 variant = "Firmware"; 526 break; 527 default: 528 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type); 529 return -EINVAL; 530 } 531 532 coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt); 533 coredump_info.fw_build_num = version->build_num; 534 535 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant, 536 2000 + (version->timestamp >> 8), version->timestamp & 0xff, 537 version->build_type, version->build_num); 538 539 return 0; 540} 541 542static int btintel_parse_version_tlv(struct hci_dev *hdev, 543 struct intel_version_tlv *version, 544 struct sk_buff *skb) 545{ 546 /* Consume Command Complete Status field */ 547 skb_pull(skb, 1); 548 549 /* Event parameters contatin multiple TLVs. Read each of them 550 * and only keep the required data. Also, it use existing legacy 551 * version field like hw_platform, hw_variant, and fw_variant 552 * to keep the existing setup flow 553 */ 554 while (skb->len) { 555 struct intel_tlv *tlv; 556 557 /* Make sure skb has a minimum length of the header */ 558 if (skb->len < sizeof(*tlv)) 559 return -EINVAL; 560 561 tlv = (struct intel_tlv *)skb->data; 562 563 /* Make sure skb has a enough data */ 564 if (skb->len < tlv->len + sizeof(*tlv)) 565 return -EINVAL; 566 567 switch (tlv->type) { 568 case INTEL_TLV_CNVI_TOP: 569 version->cnvi_top = get_unaligned_le32(tlv->val); 570 break; 571 case INTEL_TLV_CNVR_TOP: 572 version->cnvr_top = get_unaligned_le32(tlv->val); 573 break; 574 case INTEL_TLV_CNVI_BT: 575 version->cnvi_bt = get_unaligned_le32(tlv->val); 576 break; 577 case INTEL_TLV_CNVR_BT: 578 version->cnvr_bt = get_unaligned_le32(tlv->val); 579 break; 580 case INTEL_TLV_DEV_REV_ID: 581 version->dev_rev_id = get_unaligned_le16(tlv->val); 582 break; 583 case INTEL_TLV_IMAGE_TYPE: 584 version->img_type = tlv->val[0]; 585 break; 586 case INTEL_TLV_TIME_STAMP: 587 /* If image type is Operational firmware (0x03), then 588 * running FW Calendar Week and Year information can 589 * be extracted from Timestamp information 590 */ 591 version->min_fw_build_cw = tlv->val[0]; 592 version->min_fw_build_yy = tlv->val[1]; 593 version->timestamp = get_unaligned_le16(tlv->val); 594 break; 595 case INTEL_TLV_BUILD_TYPE: 596 version->build_type = tlv->val[0]; 597 break; 598 case INTEL_TLV_BUILD_NUM: 599 /* If image type is Operational firmware (0x03), then 600 * running FW build number can be extracted from the 601 * Build information 602 */ 603 version->min_fw_build_nn = tlv->val[0]; 604 version->build_num = get_unaligned_le32(tlv->val); 605 break; 606 case INTEL_TLV_SECURE_BOOT: 607 version->secure_boot = tlv->val[0]; 608 break; 609 case INTEL_TLV_OTP_LOCK: 610 version->otp_lock = tlv->val[0]; 611 break; 612 case INTEL_TLV_API_LOCK: 613 version->api_lock = tlv->val[0]; 614 break; 615 case INTEL_TLV_DEBUG_LOCK: 616 version->debug_lock = tlv->val[0]; 617 break; 618 case INTEL_TLV_MIN_FW: 619 version->min_fw_build_nn = tlv->val[0]; 620 version->min_fw_build_cw = tlv->val[1]; 621 version->min_fw_build_yy = tlv->val[2]; 622 break; 623 case INTEL_TLV_LIMITED_CCE: 624 version->limited_cce = tlv->val[0]; 625 break; 626 case INTEL_TLV_SBE_TYPE: 627 version->sbe_type = tlv->val[0]; 628 break; 629 case INTEL_TLV_OTP_BDADDR: 630 memcpy(&version->otp_bd_addr, tlv->val, 631 sizeof(bdaddr_t)); 632 break; 633 default: 634 /* Ignore rest of information */ 635 break; 636 } 637 /* consume the current tlv and move to next*/ 638 skb_pull(skb, tlv->len + sizeof(*tlv)); 639 } 640 641 return 0; 642} 643 644static int btintel_read_version_tlv(struct hci_dev *hdev, 645 struct intel_version_tlv *version) 646{ 647 struct sk_buff *skb; 648 const u8 param[1] = { 0xFF }; 649 650 if (!version) 651 return -EINVAL; 652 653 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 654 if (IS_ERR(skb)) { 655 bt_dev_err(hdev, "Reading Intel version information failed (%ld)", 656 PTR_ERR(skb)); 657 return PTR_ERR(skb); 658 } 659 660 if (skb->data[0]) { 661 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 662 skb->data[0]); 663 kfree_skb(skb); 664 return -EIO; 665 } 666 667 btintel_parse_version_tlv(hdev, version, skb); 668 669 kfree_skb(skb); 670 return 0; 671} 672 673/* ------- REGMAP IBT SUPPORT ------- */ 674 675#define IBT_REG_MODE_8BIT 0x00 676#define IBT_REG_MODE_16BIT 0x01 677#define IBT_REG_MODE_32BIT 0x02 678 679struct regmap_ibt_context { 680 struct hci_dev *hdev; 681 __u16 op_write; 682 __u16 op_read; 683}; 684 685struct ibt_cp_reg_access { 686 __le32 addr; 687 __u8 mode; 688 __u8 len; 689 __u8 data[]; 690} __packed; 691 692struct ibt_rp_reg_access { 693 __u8 status; 694 __le32 addr; 695 __u8 data[]; 696} __packed; 697 698static int regmap_ibt_read(void *context, const void *addr, size_t reg_size, 699 void *val, size_t val_size) 700{ 701 struct regmap_ibt_context *ctx = context; 702 struct ibt_cp_reg_access cp; 703 struct ibt_rp_reg_access *rp; 704 struct sk_buff *skb; 705 int err = 0; 706 707 if (reg_size != sizeof(__le32)) 708 return -EINVAL; 709 710 switch (val_size) { 711 case 1: 712 cp.mode = IBT_REG_MODE_8BIT; 713 break; 714 case 2: 715 cp.mode = IBT_REG_MODE_16BIT; 716 break; 717 case 4: 718 cp.mode = IBT_REG_MODE_32BIT; 719 break; 720 default: 721 return -EINVAL; 722 } 723 724 /* regmap provides a little-endian formatted addr */ 725 cp.addr = *(__le32 *)addr; 726 cp.len = val_size; 727 728 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr)); 729 730 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp, 731 HCI_CMD_TIMEOUT); 732 if (IS_ERR(skb)) { 733 err = PTR_ERR(skb); 734 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)", 735 le32_to_cpu(cp.addr), err); 736 return err; 737 } 738 739 if (skb->len != sizeof(*rp) + val_size) { 740 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len", 741 le32_to_cpu(cp.addr)); 742 err = -EINVAL; 743 goto done; 744 } 745 746 rp = (struct ibt_rp_reg_access *)skb->data; 747 748 if (rp->addr != cp.addr) { 749 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr", 750 le32_to_cpu(rp->addr)); 751 err = -EINVAL; 752 goto done; 753 } 754 755 memcpy(val, rp->data, val_size); 756 757done: 758 kfree_skb(skb); 759 return err; 760} 761 762static int regmap_ibt_gather_write(void *context, 763 const void *addr, size_t reg_size, 764 const void *val, size_t val_size) 765{ 766 struct regmap_ibt_context *ctx = context; 767 struct ibt_cp_reg_access *cp; 768 struct sk_buff *skb; 769 int plen = sizeof(*cp) + val_size; 770 u8 mode; 771 int err = 0; 772 773 if (reg_size != sizeof(__le32)) 774 return -EINVAL; 775 776 switch (val_size) { 777 case 1: 778 mode = IBT_REG_MODE_8BIT; 779 break; 780 case 2: 781 mode = IBT_REG_MODE_16BIT; 782 break; 783 case 4: 784 mode = IBT_REG_MODE_32BIT; 785 break; 786 default: 787 return -EINVAL; 788 } 789 790 cp = kmalloc(plen, GFP_KERNEL); 791 if (!cp) 792 return -ENOMEM; 793 794 /* regmap provides a little-endian formatted addr/value */ 795 cp->addr = *(__le32 *)addr; 796 cp->mode = mode; 797 cp->len = val_size; 798 memcpy(&cp->data, val, val_size); 799 800 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr)); 801 802 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT); 803 if (IS_ERR(skb)) { 804 err = PTR_ERR(skb); 805 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)", 806 le32_to_cpu(cp->addr), err); 807 goto done; 808 } 809 kfree_skb(skb); 810 811done: 812 kfree(cp); 813 return err; 814} 815 816static int regmap_ibt_write(void *context, const void *data, size_t count) 817{ 818 /* data contains register+value, since we only support 32bit addr, 819 * minimum data size is 4 bytes. 820 */ 821 if (WARN_ONCE(count < 4, "Invalid register access")) 822 return -EINVAL; 823 824 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4); 825} 826 827static void regmap_ibt_free_context(void *context) 828{ 829 kfree(context); 830} 831 832static const struct regmap_bus regmap_ibt = { 833 .read = regmap_ibt_read, 834 .write = regmap_ibt_write, 835 .gather_write = regmap_ibt_gather_write, 836 .free_context = regmap_ibt_free_context, 837 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE, 838 .val_format_endian_default = REGMAP_ENDIAN_LITTLE, 839}; 840 841/* Config is the same for all register regions */ 842static const struct regmap_config regmap_ibt_cfg = { 843 .name = "btintel_regmap", 844 .reg_bits = 32, 845 .val_bits = 32, 846}; 847 848struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read, 849 u16 opcode_write) 850{ 851 struct regmap_ibt_context *ctx; 852 853 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read, 854 opcode_write); 855 856 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 857 if (!ctx) 858 return ERR_PTR(-ENOMEM); 859 860 ctx->op_read = opcode_read; 861 ctx->op_write = opcode_write; 862 ctx->hdev = hdev; 863 864 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg); 865} 866EXPORT_SYMBOL_GPL(btintel_regmap_init); 867 868int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param) 869{ 870 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 }; 871 struct sk_buff *skb; 872 873 params.boot_param = cpu_to_le32(boot_param); 874 875 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms, 876 HCI_INIT_TIMEOUT); 877 if (IS_ERR(skb)) { 878 bt_dev_err(hdev, "Failed to send Intel Reset command"); 879 return PTR_ERR(skb); 880 } 881 882 kfree_skb(skb); 883 884 return 0; 885} 886EXPORT_SYMBOL_GPL(btintel_send_intel_reset); 887 888int btintel_read_boot_params(struct hci_dev *hdev, 889 struct intel_boot_params *params) 890{ 891 struct sk_buff *skb; 892 893 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 894 if (IS_ERR(skb)) { 895 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)", 896 PTR_ERR(skb)); 897 return PTR_ERR(skb); 898 } 899 900 if (skb->len != sizeof(*params)) { 901 bt_dev_err(hdev, "Intel boot parameters size mismatch"); 902 kfree_skb(skb); 903 return -EILSEQ; 904 } 905 906 memcpy(params, skb->data, sizeof(*params)); 907 908 kfree_skb(skb); 909 910 if (params->status) { 911 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)", 912 params->status); 913 return -bt_to_errno(params->status); 914 } 915 916 bt_dev_info(hdev, "Device revision is %u", 917 le16_to_cpu(params->dev_revid)); 918 919 bt_dev_info(hdev, "Secure boot is %s", 920 params->secure_boot ? "enabled" : "disabled"); 921 922 bt_dev_info(hdev, "OTP lock is %s", 923 params->otp_lock ? "enabled" : "disabled"); 924 925 bt_dev_info(hdev, "API lock is %s", 926 params->api_lock ? "enabled" : "disabled"); 927 928 bt_dev_info(hdev, "Debug lock is %s", 929 params->debug_lock ? "enabled" : "disabled"); 930 931 bt_dev_info(hdev, "Minimum firmware build %u week %u %u", 932 params->min_fw_build_nn, params->min_fw_build_cw, 933 2000 + params->min_fw_build_yy); 934 935 return 0; 936} 937EXPORT_SYMBOL_GPL(btintel_read_boot_params); 938 939static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev, 940 const struct firmware *fw) 941{ 942 int err; 943 944 /* Start the firmware download transaction with the Init fragment 945 * represented by the 128 bytes of CSS header. 946 */ 947 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 948 if (err < 0) { 949 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 950 goto done; 951 } 952 953 /* Send the 256 bytes of public key information from the firmware 954 * as the PKey fragment. 955 */ 956 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 957 if (err < 0) { 958 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 959 goto done; 960 } 961 962 /* Send the 256 bytes of signature information from the firmware 963 * as the Sign fragment. 964 */ 965 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 966 if (err < 0) { 967 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err); 968 goto done; 969 } 970 971done: 972 return err; 973} 974 975static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev, 976 const struct firmware *fw) 977{ 978 int err; 979 980 /* Start the firmware download transaction with the Init fragment 981 * represented by the 128 bytes of CSS header. 982 */ 983 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644); 984 if (err < 0) { 985 bt_dev_err(hdev, "Failed to send firmware header (%d)", err); 986 return err; 987 } 988 989 /* Send the 96 bytes of public key information from the firmware 990 * as the PKey fragment. 991 */ 992 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128); 993 if (err < 0) { 994 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err); 995 return err; 996 } 997 998 /* Send the 96 bytes of signature information from the firmware 999 * as the Sign fragment 1000 */ 1001 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224); 1002 if (err < 0) { 1003 bt_dev_err(hdev, "Failed to send firmware signature (%d)", 1004 err); 1005 return err; 1006 } 1007 return 0; 1008} 1009 1010static int btintel_download_firmware_payload(struct hci_dev *hdev, 1011 const struct firmware *fw, 1012 size_t offset) 1013{ 1014 int err; 1015 const u8 *fw_ptr; 1016 u32 frag_len; 1017 1018 fw_ptr = fw->data + offset; 1019 frag_len = 0; 1020 err = -EINVAL; 1021 1022 while (fw_ptr - fw->data < fw->size) { 1023 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 1024 1025 frag_len += sizeof(*cmd) + cmd->plen; 1026 1027 /* The parameter length of the secure send command requires 1028 * a 4 byte alignment. It happens so that the firmware file 1029 * contains proper Intel_NOP commands to align the fragments 1030 * as needed. 1031 * 1032 * Send set of commands with 4 byte alignment from the 1033 * firmware data buffer as a single Data fragement. 1034 */ 1035 if (!(frag_len % 4)) { 1036 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 1037 if (err < 0) { 1038 bt_dev_err(hdev, 1039 "Failed to send firmware data (%d)", 1040 err); 1041 goto done; 1042 } 1043 1044 fw_ptr += frag_len; 1045 frag_len = 0; 1046 } 1047 } 1048 1049done: 1050 return err; 1051} 1052 1053static bool btintel_firmware_version(struct hci_dev *hdev, 1054 u8 num, u8 ww, u8 yy, 1055 const struct firmware *fw, 1056 u32 *boot_addr) 1057{ 1058 const u8 *fw_ptr; 1059 1060 fw_ptr = fw->data; 1061 1062 while (fw_ptr - fw->data < fw->size) { 1063 struct hci_command_hdr *cmd = (void *)(fw_ptr); 1064 1065 /* Each SKU has a different reset parameter to use in the 1066 * HCI_Intel_Reset command and it is embedded in the firmware 1067 * data. So, instead of using static value per SKU, check 1068 * the firmware data and save it for later use. 1069 */ 1070 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) { 1071 struct cmd_write_boot_params *params; 1072 1073 params = (void *)(fw_ptr + sizeof(*cmd)); 1074 1075 *boot_addr = le32_to_cpu(params->boot_addr); 1076 1077 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr); 1078 1079 bt_dev_info(hdev, "Firmware Version: %u-%u.%u", 1080 params->fw_build_num, params->fw_build_ww, 1081 params->fw_build_yy); 1082 1083 return (num == params->fw_build_num && 1084 ww == params->fw_build_ww && 1085 yy == params->fw_build_yy); 1086 } 1087 1088 fw_ptr += sizeof(*cmd) + cmd->plen; 1089 } 1090 1091 return false; 1092} 1093 1094int btintel_download_firmware(struct hci_dev *hdev, 1095 struct intel_version *ver, 1096 const struct firmware *fw, 1097 u32 *boot_param) 1098{ 1099 int err; 1100 1101 /* SfP and WsP don't seem to update the firmware version on file 1102 * so version checking is currently not possible. 1103 */ 1104 switch (ver->hw_variant) { 1105 case 0x0b: /* SfP */ 1106 case 0x0c: /* WsP */ 1107 /* Skip version checking */ 1108 break; 1109 default: 1110 1111 /* Skip download if firmware has the same version */ 1112 if (btintel_firmware_version(hdev, ver->fw_build_num, 1113 ver->fw_build_ww, ver->fw_build_yy, 1114 fw, boot_param)) { 1115 bt_dev_info(hdev, "Firmware already loaded"); 1116 /* Return -EALREADY to indicate that the firmware has 1117 * already been loaded. 1118 */ 1119 return -EALREADY; 1120 } 1121 } 1122 1123 /* The firmware variant determines if the device is in bootloader 1124 * mode or is running operational firmware. The value 0x06 identifies 1125 * the bootloader and the value 0x23 identifies the operational 1126 * firmware. 1127 * 1128 * If the firmware version has changed that means it needs to be reset 1129 * to bootloader when operational so the new firmware can be loaded. 1130 */ 1131 if (ver->fw_variant == 0x23) 1132 return -EINVAL; 1133 1134 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1135 if (err) 1136 return err; 1137 1138 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1139} 1140EXPORT_SYMBOL_GPL(btintel_download_firmware); 1141 1142static int btintel_download_fw_tlv(struct hci_dev *hdev, 1143 struct intel_version_tlv *ver, 1144 const struct firmware *fw, u32 *boot_param, 1145 u8 hw_variant, u8 sbe_type) 1146{ 1147 int err; 1148 u32 css_header_ver; 1149 1150 /* Skip download if firmware has the same version */ 1151 if (btintel_firmware_version(hdev, ver->min_fw_build_nn, 1152 ver->min_fw_build_cw, 1153 ver->min_fw_build_yy, 1154 fw, boot_param)) { 1155 bt_dev_info(hdev, "Firmware already loaded"); 1156 /* Return -EALREADY to indicate that firmware has 1157 * already been loaded. 1158 */ 1159 return -EALREADY; 1160 } 1161 1162 /* The firmware variant determines if the device is in bootloader 1163 * mode or is running operational firmware. The value 0x01 identifies 1164 * the bootloader and the value 0x03 identifies the operational 1165 * firmware. 1166 * 1167 * If the firmware version has changed that means it needs to be reset 1168 * to bootloader when operational so the new firmware can be loaded. 1169 */ 1170 if (ver->img_type == 0x03) 1171 return -EINVAL; 1172 1173 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support 1174 * only RSA secure boot engine. Hence, the corresponding sfi file will 1175 * have RSA header of 644 bytes followed by Command Buffer. 1176 * 1177 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA 1178 * secure boot engine. As a result, the corresponding sfi file will 1179 * have RSA header of 644, ECDSA header of 320 bytes followed by 1180 * Command Buffer. 1181 * 1182 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header 1183 * version: RSA(0x00010000) , ECDSA (0x00020000) 1184 */ 1185 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET); 1186 if (css_header_ver != 0x00010000) { 1187 bt_dev_err(hdev, "Invalid CSS Header version"); 1188 return -EINVAL; 1189 } 1190 1191 if (hw_variant <= 0x14) { 1192 if (sbe_type != 0x00) { 1193 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)", 1194 hw_variant); 1195 return -EINVAL; 1196 } 1197 1198 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1199 if (err) 1200 return err; 1201 1202 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN); 1203 if (err) 1204 return err; 1205 } else if (hw_variant >= 0x17) { 1206 /* Check if CSS header for ECDSA follows the RSA header */ 1207 if (fw->data[ECDSA_OFFSET] != 0x06) 1208 return -EINVAL; 1209 1210 /* Check if the CSS Header version is ECDSA(0x00020000) */ 1211 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET); 1212 if (css_header_ver != 0x00020000) { 1213 bt_dev_err(hdev, "Invalid CSS Header version"); 1214 return -EINVAL; 1215 } 1216 1217 if (sbe_type == 0x00) { 1218 err = btintel_sfi_rsa_header_secure_send(hdev, fw); 1219 if (err) 1220 return err; 1221 1222 err = btintel_download_firmware_payload(hdev, fw, 1223 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1224 if (err) 1225 return err; 1226 } else if (sbe_type == 0x01) { 1227 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw); 1228 if (err) 1229 return err; 1230 1231 err = btintel_download_firmware_payload(hdev, fw, 1232 RSA_HEADER_LEN + ECDSA_HEADER_LEN); 1233 if (err) 1234 return err; 1235 } 1236 } 1237 return 0; 1238} 1239 1240static void btintel_reset_to_bootloader(struct hci_dev *hdev) 1241{ 1242 struct intel_reset params; 1243 struct sk_buff *skb; 1244 1245 /* Send Intel Reset command. This will result in 1246 * re-enumeration of BT controller. 1247 * 1248 * Intel Reset parameter description: 1249 * reset_type : 0x00 (Soft reset), 1250 * 0x01 (Hard reset) 1251 * patch_enable : 0x00 (Do not enable), 1252 * 0x01 (Enable) 1253 * ddc_reload : 0x00 (Do not reload), 1254 * 0x01 (Reload) 1255 * boot_option: 0x00 (Current image), 1256 * 0x01 (Specified boot address) 1257 * boot_param: Boot address 1258 * 1259 */ 1260 params.reset_type = 0x01; 1261 params.patch_enable = 0x01; 1262 params.ddc_reload = 0x01; 1263 params.boot_option = 0x00; 1264 params.boot_param = cpu_to_le32(0x00000000); 1265 1266 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), 1267 ¶ms, HCI_INIT_TIMEOUT); 1268 if (IS_ERR(skb)) { 1269 bt_dev_err(hdev, "FW download error recovery failed (%ld)", 1270 PTR_ERR(skb)); 1271 return; 1272 } 1273 bt_dev_info(hdev, "Intel reset sent to retry FW download"); 1274 kfree_skb(skb); 1275 1276 /* Current Intel BT controllers(ThP/JfP) hold the USB reset 1277 * lines for 2ms when it receives Intel Reset in bootloader mode. 1278 * Whereas, the upcoming Intel BT controllers will hold USB reset 1279 * for 150ms. To keep the delay generic, 150ms is chosen here. 1280 */ 1281 msleep(150); 1282} 1283 1284static int btintel_read_debug_features(struct hci_dev *hdev, 1285 struct intel_debug_features *features) 1286{ 1287 struct sk_buff *skb; 1288 u8 page_no = 1; 1289 1290 /* Intel controller supports two pages, each page is of 128-bit 1291 * feature bit mask. And each bit defines specific feature support 1292 */ 1293 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no, 1294 HCI_INIT_TIMEOUT); 1295 if (IS_ERR(skb)) { 1296 bt_dev_err(hdev, "Reading supported features failed (%ld)", 1297 PTR_ERR(skb)); 1298 return PTR_ERR(skb); 1299 } 1300 1301 if (skb->len != (sizeof(features->page1) + 3)) { 1302 bt_dev_err(hdev, "Supported features event size mismatch"); 1303 kfree_skb(skb); 1304 return -EILSEQ; 1305 } 1306 1307 memcpy(features->page1, skb->data + 3, sizeof(features->page1)); 1308 1309 /* Read the supported features page2 if required in future. 1310 */ 1311 kfree_skb(skb); 1312 return 0; 1313} 1314 1315static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data, 1316 void **ret) 1317{ 1318 acpi_status status; 1319 size_t len; 1320 struct btintel_ppag *ppag = data; 1321 union acpi_object *p, *elements; 1322 struct acpi_buffer string = {ACPI_ALLOCATE_BUFFER, NULL}; 1323 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL}; 1324 struct hci_dev *hdev = ppag->hdev; 1325 1326 status = acpi_get_name(handle, ACPI_FULL_PATHNAME, &string); 1327 if (ACPI_FAILURE(status)) { 1328 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 1329 return status; 1330 } 1331 1332 len = strlen(string.pointer); 1333 if (len < strlen(BTINTEL_PPAG_NAME)) { 1334 kfree(string.pointer); 1335 return AE_OK; 1336 } 1337 1338 if (strncmp((char *)string.pointer + len - 4, BTINTEL_PPAG_NAME, 4)) { 1339 kfree(string.pointer); 1340 return AE_OK; 1341 } 1342 kfree(string.pointer); 1343 1344 status = acpi_evaluate_object(handle, NULL, NULL, &buffer); 1345 if (ACPI_FAILURE(status)) { 1346 ppag->status = status; 1347 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status)); 1348 return status; 1349 } 1350 1351 p = buffer.pointer; 1352 ppag = (struct btintel_ppag *)data; 1353 1354 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) { 1355 kfree(buffer.pointer); 1356 bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d", 1357 p->type, p->package.count); 1358 ppag->status = AE_ERROR; 1359 return AE_ERROR; 1360 } 1361 1362 elements = p->package.elements; 1363 1364 /* PPAG table is located at element[1] */ 1365 p = &elements[1]; 1366 1367 ppag->domain = (u32)p->package.elements[0].integer.value; 1368 ppag->mode = (u32)p->package.elements[1].integer.value; 1369 ppag->status = AE_OK; 1370 kfree(buffer.pointer); 1371 return AE_CTRL_TERMINATE; 1372} 1373 1374static int btintel_set_debug_features(struct hci_dev *hdev, 1375 const struct intel_debug_features *features) 1376{ 1377 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00, 1378 0x00, 0x00, 0x00 }; 1379 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 }; 1380 u8 trace_enable = 0x02; 1381 struct sk_buff *skb; 1382 1383 if (!features) { 1384 bt_dev_warn(hdev, "Debug features not read"); 1385 return -EINVAL; 1386 } 1387 1388 if (!(features->page1[0] & 0x3f)) { 1389 bt_dev_info(hdev, "Telemetry exception format not supported"); 1390 return 0; 1391 } 1392 1393 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1394 if (IS_ERR(skb)) { 1395 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1396 PTR_ERR(skb)); 1397 return PTR_ERR(skb); 1398 } 1399 kfree_skb(skb); 1400 1401 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT); 1402 if (IS_ERR(skb)) { 1403 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)", 1404 PTR_ERR(skb)); 1405 return PTR_ERR(skb); 1406 } 1407 kfree_skb(skb); 1408 1409 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1410 if (IS_ERR(skb)) { 1411 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)", 1412 PTR_ERR(skb)); 1413 return PTR_ERR(skb); 1414 } 1415 kfree_skb(skb); 1416 1417 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x", 1418 trace_enable, mask[3]); 1419 1420 return 0; 1421} 1422 1423static int btintel_reset_debug_features(struct hci_dev *hdev, 1424 const struct intel_debug_features *features) 1425{ 1426 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 1427 0x00, 0x00, 0x00 }; 1428 u8 trace_enable = 0x00; 1429 struct sk_buff *skb; 1430 1431 if (!features) { 1432 bt_dev_warn(hdev, "Debug features not read"); 1433 return -EINVAL; 1434 } 1435 1436 if (!(features->page1[0] & 0x3f)) { 1437 bt_dev_info(hdev, "Telemetry exception format not supported"); 1438 return 0; 1439 } 1440 1441 /* Should stop the trace before writing ddc event mask. */ 1442 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT); 1443 if (IS_ERR(skb)) { 1444 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)", 1445 PTR_ERR(skb)); 1446 return PTR_ERR(skb); 1447 } 1448 kfree_skb(skb); 1449 1450 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT); 1451 if (IS_ERR(skb)) { 1452 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)", 1453 PTR_ERR(skb)); 1454 return PTR_ERR(skb); 1455 } 1456 kfree_skb(skb); 1457 1458 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x", 1459 trace_enable, mask[3]); 1460 1461 return 0; 1462} 1463 1464int btintel_set_quality_report(struct hci_dev *hdev, bool enable) 1465{ 1466 struct intel_debug_features features; 1467 int err; 1468 1469 bt_dev_dbg(hdev, "enable %d", enable); 1470 1471 /* Read the Intel supported features and if new exception formats 1472 * supported, need to load the additional DDC config to enable. 1473 */ 1474 err = btintel_read_debug_features(hdev, &features); 1475 if (err) 1476 return err; 1477 1478 /* Set or reset the debug features. */ 1479 if (enable) 1480 err = btintel_set_debug_features(hdev, &features); 1481 else 1482 err = btintel_reset_debug_features(hdev, &features); 1483 1484 return err; 1485} 1486EXPORT_SYMBOL_GPL(btintel_set_quality_report); 1487 1488static void btintel_coredump(struct hci_dev *hdev) 1489{ 1490 struct sk_buff *skb; 1491 1492 skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT); 1493 if (IS_ERR(skb)) { 1494 bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb)); 1495 return; 1496 } 1497 1498 kfree_skb(skb); 1499} 1500 1501static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb) 1502{ 1503 char buf[80]; 1504 1505 snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n", 1506 coredump_info.hw_variant); 1507 skb_put_data(skb, buf, strlen(buf)); 1508 1509 snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n", 1510 coredump_info.fw_build_num); 1511 skb_put_data(skb, buf, strlen(buf)); 1512 1513 snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name); 1514 skb_put_data(skb, buf, strlen(buf)); 1515 1516 snprintf(buf, sizeof(buf), "Vendor: Intel\n"); 1517 skb_put_data(skb, buf, strlen(buf)); 1518} 1519 1520static int btintel_register_devcoredump_support(struct hci_dev *hdev) 1521{ 1522 struct intel_debug_features features; 1523 int err; 1524 1525 err = btintel_read_debug_features(hdev, &features); 1526 if (err) { 1527 bt_dev_info(hdev, "Error reading debug features"); 1528 return err; 1529 } 1530 1531 if (!(features.page1[0] & 0x3f)) { 1532 bt_dev_dbg(hdev, "Telemetry exception format not supported"); 1533 return -EOPNOTSUPP; 1534 } 1535 1536 hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL); 1537 1538 return err; 1539} 1540 1541static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev, 1542 struct intel_version *ver) 1543{ 1544 const struct firmware *fw; 1545 char fwname[64]; 1546 int ret; 1547 1548 snprintf(fwname, sizeof(fwname), 1549 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1550 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1551 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1552 ver->fw_build_ww, ver->fw_build_yy); 1553 1554 ret = request_firmware(&fw, fwname, &hdev->dev); 1555 if (ret < 0) { 1556 if (ret == -EINVAL) { 1557 bt_dev_err(hdev, "Intel firmware file request failed (%d)", 1558 ret); 1559 return NULL; 1560 } 1561 1562 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)", 1563 fwname, ret); 1564 1565 /* If the correct firmware patch file is not found, use the 1566 * default firmware patch file instead 1567 */ 1568 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1569 ver->hw_platform, ver->hw_variant); 1570 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1571 bt_dev_err(hdev, "failed to open default fw file: %s", 1572 fwname); 1573 return NULL; 1574 } 1575 } 1576 1577 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname); 1578 1579 return fw; 1580} 1581 1582static int btintel_legacy_rom_patching(struct hci_dev *hdev, 1583 const struct firmware *fw, 1584 const u8 **fw_ptr, int *disable_patch) 1585{ 1586 struct sk_buff *skb; 1587 struct hci_command_hdr *cmd; 1588 const u8 *cmd_param; 1589 struct hci_event_hdr *evt = NULL; 1590 const u8 *evt_param = NULL; 1591 int remain = fw->size - (*fw_ptr - fw->data); 1592 1593 /* The first byte indicates the types of the patch command or event. 1594 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1595 * in the current firmware buffer doesn't start with 0x01 or 1596 * the size of remain buffer is smaller than HCI command header, 1597 * the firmware file is corrupted and it should stop the patching 1598 * process. 1599 */ 1600 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1601 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read"); 1602 return -EINVAL; 1603 } 1604 (*fw_ptr)++; 1605 remain--; 1606 1607 cmd = (struct hci_command_hdr *)(*fw_ptr); 1608 *fw_ptr += sizeof(*cmd); 1609 remain -= sizeof(*cmd); 1610 1611 /* Ensure that the remain firmware data is long enough than the length 1612 * of command parameter. If not, the firmware file is corrupted. 1613 */ 1614 if (remain < cmd->plen) { 1615 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len"); 1616 return -EFAULT; 1617 } 1618 1619 /* If there is a command that loads a patch in the firmware 1620 * file, then enable the patch upon success, otherwise just 1621 * disable the manufacturer mode, for example patch activation 1622 * is not required when the default firmware patch file is used 1623 * because there are no patch data to load. 1624 */ 1625 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1626 *disable_patch = 0; 1627 1628 cmd_param = *fw_ptr; 1629 *fw_ptr += cmd->plen; 1630 remain -= cmd->plen; 1631 1632 /* This reads the expected events when the above command is sent to the 1633 * device. Some vendor commands expects more than one events, for 1634 * example command status event followed by vendor specific event. 1635 * For this case, it only keeps the last expected event. so the command 1636 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1637 * last expected event. 1638 */ 1639 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1640 (*fw_ptr)++; 1641 remain--; 1642 1643 evt = (struct hci_event_hdr *)(*fw_ptr); 1644 *fw_ptr += sizeof(*evt); 1645 remain -= sizeof(*evt); 1646 1647 if (remain < evt->plen) { 1648 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len"); 1649 return -EFAULT; 1650 } 1651 1652 evt_param = *fw_ptr; 1653 *fw_ptr += evt->plen; 1654 remain -= evt->plen; 1655 } 1656 1657 /* Every HCI commands in the firmware file has its correspond event. 1658 * If event is not found or remain is smaller than zero, the firmware 1659 * file is corrupted. 1660 */ 1661 if (!evt || !evt_param || remain < 0) { 1662 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read"); 1663 return -EFAULT; 1664 } 1665 1666 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1667 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1668 if (IS_ERR(skb)) { 1669 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)", 1670 cmd->opcode, PTR_ERR(skb)); 1671 return PTR_ERR(skb); 1672 } 1673 1674 /* It ensures that the returned event matches the event data read from 1675 * the firmware file. At fist, it checks the length and then 1676 * the contents of the event. 1677 */ 1678 if (skb->len != evt->plen) { 1679 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)", 1680 le16_to_cpu(cmd->opcode)); 1681 kfree_skb(skb); 1682 return -EFAULT; 1683 } 1684 1685 if (memcmp(skb->data, evt_param, evt->plen)) { 1686 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)", 1687 le16_to_cpu(cmd->opcode)); 1688 kfree_skb(skb); 1689 return -EFAULT; 1690 } 1691 kfree_skb(skb); 1692 1693 return 0; 1694} 1695 1696static int btintel_legacy_rom_setup(struct hci_dev *hdev, 1697 struct intel_version *ver) 1698{ 1699 const struct firmware *fw; 1700 const u8 *fw_ptr; 1701 int disable_patch, err; 1702 struct intel_version new_ver; 1703 1704 BT_DBG("%s", hdev->name); 1705 1706 /* fw_patch_num indicates the version of patch the device currently 1707 * have. If there is no patch data in the device, it is always 0x00. 1708 * So, if it is other than 0x00, no need to patch the device again. 1709 */ 1710 if (ver->fw_patch_num) { 1711 bt_dev_info(hdev, 1712 "Intel device is already patched. patch num: %02x", 1713 ver->fw_patch_num); 1714 goto complete; 1715 } 1716 1717 /* Opens the firmware patch file based on the firmware version read 1718 * from the controller. If it fails to open the matching firmware 1719 * patch file, it tries to open the default firmware patch file. 1720 * If no patch file is found, allow the device to operate without 1721 * a patch. 1722 */ 1723 fw = btintel_legacy_rom_get_fw(hdev, ver); 1724 if (!fw) 1725 goto complete; 1726 fw_ptr = fw->data; 1727 1728 /* Enable the manufacturer mode of the controller. 1729 * Only while this mode is enabled, the driver can download the 1730 * firmware patch data and configuration parameters. 1731 */ 1732 err = btintel_enter_mfg(hdev); 1733 if (err) { 1734 release_firmware(fw); 1735 return err; 1736 } 1737 1738 disable_patch = 1; 1739 1740 /* The firmware data file consists of list of Intel specific HCI 1741 * commands and its expected events. The first byte indicates the 1742 * type of the message, either HCI command or HCI event. 1743 * 1744 * It reads the command and its expected event from the firmware file, 1745 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1746 * the returned event is compared with the event read from the firmware 1747 * file and it will continue until all the messages are downloaded to 1748 * the controller. 1749 * 1750 * Once the firmware patching is completed successfully, 1751 * the manufacturer mode is disabled with reset and activating the 1752 * downloaded patch. 1753 * 1754 * If the firmware patching fails, the manufacturer mode is 1755 * disabled with reset and deactivating the patch. 1756 * 1757 * If the default patch file is used, no reset is done when disabling 1758 * the manufacturer. 1759 */ 1760 while (fw->size > fw_ptr - fw->data) { 1761 int ret; 1762 1763 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr, 1764 &disable_patch); 1765 if (ret < 0) 1766 goto exit_mfg_deactivate; 1767 } 1768 1769 release_firmware(fw); 1770 1771 if (disable_patch) 1772 goto exit_mfg_disable; 1773 1774 /* Patching completed successfully and disable the manufacturer mode 1775 * with reset and activate the downloaded firmware patches. 1776 */ 1777 err = btintel_exit_mfg(hdev, true, true); 1778 if (err) 1779 return err; 1780 1781 /* Need build number for downloaded fw patches in 1782 * every power-on boot 1783 */ 1784 err = btintel_read_version(hdev, &new_ver); 1785 if (err) 1786 return err; 1787 1788 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated", 1789 new_ver.fw_patch_num); 1790 1791 goto complete; 1792 1793exit_mfg_disable: 1794 /* Disable the manufacturer mode without reset */ 1795 err = btintel_exit_mfg(hdev, false, false); 1796 if (err) 1797 return err; 1798 1799 bt_dev_info(hdev, "Intel firmware patch completed"); 1800 1801 goto complete; 1802 1803exit_mfg_deactivate: 1804 release_firmware(fw); 1805 1806 /* Patching failed. Disable the manufacturer mode with reset and 1807 * deactivate the downloaded firmware patches. 1808 */ 1809 err = btintel_exit_mfg(hdev, true, false); 1810 if (err) 1811 return err; 1812 1813 bt_dev_info(hdev, "Intel firmware patch completed and deactivated"); 1814 1815complete: 1816 /* Set the event mask for Intel specific vendor events. This enables 1817 * a few extra events that are useful during general operation. 1818 */ 1819 btintel_set_event_mask_mfg(hdev, false); 1820 1821 btintel_check_bdaddr(hdev); 1822 1823 return 0; 1824} 1825 1826static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1827{ 1828 ktime_t delta, rettime; 1829 unsigned long long duration; 1830 int err; 1831 1832 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 1833 1834 bt_dev_info(hdev, "Waiting for firmware download to complete"); 1835 1836 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING, 1837 TASK_INTERRUPTIBLE, 1838 msecs_to_jiffies(msec)); 1839 if (err == -EINTR) { 1840 bt_dev_err(hdev, "Firmware loading interrupted"); 1841 return err; 1842 } 1843 1844 if (err) { 1845 bt_dev_err(hdev, "Firmware loading timeout"); 1846 return -ETIMEDOUT; 1847 } 1848 1849 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) { 1850 bt_dev_err(hdev, "Firmware loading failed"); 1851 return -ENOEXEC; 1852 } 1853 1854 rettime = ktime_get(); 1855 delta = ktime_sub(rettime, calltime); 1856 duration = (unsigned long long)ktime_to_ns(delta) >> 10; 1857 1858 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration); 1859 1860 return 0; 1861} 1862 1863static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec) 1864{ 1865 ktime_t delta, rettime; 1866 unsigned long long duration; 1867 int err; 1868 1869 bt_dev_info(hdev, "Waiting for device to boot"); 1870 1871 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING, 1872 TASK_INTERRUPTIBLE, 1873 msecs_to_jiffies(msec)); 1874 if (err == -EINTR) { 1875 bt_dev_err(hdev, "Device boot interrupted"); 1876 return -EINTR; 1877 } 1878 1879 if (err) { 1880 bt_dev_err(hdev, "Device boot timeout"); 1881 return -ETIMEDOUT; 1882 } 1883 1884 rettime = ktime_get(); 1885 delta = ktime_sub(rettime, calltime); 1886 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 1887 1888 bt_dev_info(hdev, "Device booted in %llu usecs", duration); 1889 1890 return 0; 1891} 1892 1893static int btintel_boot(struct hci_dev *hdev, u32 boot_addr) 1894{ 1895 ktime_t calltime; 1896 int err; 1897 1898 calltime = ktime_get(); 1899 1900 btintel_set_flag(hdev, INTEL_BOOTING); 1901 1902 err = btintel_send_intel_reset(hdev, boot_addr); 1903 if (err) { 1904 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err); 1905 btintel_reset_to_bootloader(hdev); 1906 return err; 1907 } 1908 1909 /* The bootloader will not indicate when the device is ready. This 1910 * is done by the operational firmware sending bootup notification. 1911 * 1912 * Booting into operational firmware should not take longer than 1913 * 1 second. However if that happens, then just fail the setup 1914 * since something went wrong. 1915 */ 1916 err = btintel_boot_wait(hdev, calltime, 1000); 1917 if (err == -ETIMEDOUT) 1918 btintel_reset_to_bootloader(hdev); 1919 1920 return err; 1921} 1922 1923static int btintel_get_fw_name(struct intel_version *ver, 1924 struct intel_boot_params *params, 1925 char *fw_name, size_t len, 1926 const char *suffix) 1927{ 1928 switch (ver->hw_variant) { 1929 case 0x0b: /* SfP */ 1930 case 0x0c: /* WsP */ 1931 snprintf(fw_name, len, "intel/ibt-%u-%u.%s", 1932 ver->hw_variant, 1933 le16_to_cpu(params->dev_revid), 1934 suffix); 1935 break; 1936 case 0x11: /* JfP */ 1937 case 0x12: /* ThP */ 1938 case 0x13: /* HrP */ 1939 case 0x14: /* CcP */ 1940 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s", 1941 ver->hw_variant, 1942 ver->hw_revision, 1943 ver->fw_revision, 1944 suffix); 1945 break; 1946 default: 1947 return -EINVAL; 1948 } 1949 1950 return 0; 1951} 1952 1953static int btintel_download_fw(struct hci_dev *hdev, 1954 struct intel_version *ver, 1955 struct intel_boot_params *params, 1956 u32 *boot_param) 1957{ 1958 const struct firmware *fw; 1959 char fwname[64]; 1960 int err; 1961 ktime_t calltime; 1962 1963 if (!ver || !params) 1964 return -EINVAL; 1965 1966 /* The firmware variant determines if the device is in bootloader 1967 * mode or is running operational firmware. The value 0x06 identifies 1968 * the bootloader and the value 0x23 identifies the operational 1969 * firmware. 1970 * 1971 * When the operational firmware is already present, then only 1972 * the check for valid Bluetooth device address is needed. This 1973 * determines if the device will be added as configured or 1974 * unconfigured controller. 1975 * 1976 * It is not possible to use the Secure Boot Parameters in this 1977 * case since that command is only available in bootloader mode. 1978 */ 1979 if (ver->fw_variant == 0x23) { 1980 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 1981 btintel_check_bdaddr(hdev); 1982 1983 /* SfP and WsP don't seem to update the firmware version on file 1984 * so version checking is currently possible. 1985 */ 1986 switch (ver->hw_variant) { 1987 case 0x0b: /* SfP */ 1988 case 0x0c: /* WsP */ 1989 return 0; 1990 } 1991 1992 /* Proceed to download to check if the version matches */ 1993 goto download; 1994 } 1995 1996 /* Read the secure boot parameters to identify the operating 1997 * details of the bootloader. 1998 */ 1999 err = btintel_read_boot_params(hdev, params); 2000 if (err) 2001 return err; 2002 2003 /* It is required that every single firmware fragment is acknowledged 2004 * with a command complete event. If the boot parameters indicate 2005 * that this bootloader does not send them, then abort the setup. 2006 */ 2007 if (params->limited_cce != 0x00) { 2008 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)", 2009 params->limited_cce); 2010 return -EINVAL; 2011 } 2012 2013 /* If the OTP has no valid Bluetooth device address, then there will 2014 * also be no valid address for the operational firmware. 2015 */ 2016 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2017 bt_dev_info(hdev, "No device address configured"); 2018 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2019 } 2020 2021download: 2022 /* With this Intel bootloader only the hardware variant and device 2023 * revision information are used to select the right firmware for SfP 2024 * and WsP. 2025 * 2026 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi. 2027 * 2028 * Currently the supported hardware variants are: 2029 * 11 (0x0b) for iBT3.0 (LnP/SfP) 2030 * 12 (0x0c) for iBT3.5 (WsP) 2031 * 2032 * For ThP/JfP and for future SKU's, the FW name varies based on HW 2033 * variant, HW revision and FW revision, as these are dependent on CNVi 2034 * and RF Combination. 2035 * 2036 * 17 (0x11) for iBT3.5 (JfP) 2037 * 18 (0x12) for iBT3.5 (ThP) 2038 * 2039 * The firmware file name for these will be 2040 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi. 2041 * 2042 */ 2043 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi"); 2044 if (err < 0) { 2045 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2046 /* Firmware has already been loaded */ 2047 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2048 return 0; 2049 } 2050 2051 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2052 return -EINVAL; 2053 } 2054 2055 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2056 if (err < 0) { 2057 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2058 /* Firmware has already been loaded */ 2059 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2060 return 0; 2061 } 2062 2063 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2064 fwname, err); 2065 return err; 2066 } 2067 2068 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2069 2070 if (fw->size < 644) { 2071 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2072 fw->size); 2073 err = -EBADF; 2074 goto done; 2075 } 2076 2077 calltime = ktime_get(); 2078 2079 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2080 2081 /* Start firmware downloading and get boot parameter */ 2082 err = btintel_download_firmware(hdev, ver, fw, boot_param); 2083 if (err < 0) { 2084 if (err == -EALREADY) { 2085 /* Firmware has already been loaded */ 2086 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2087 err = 0; 2088 goto done; 2089 } 2090 2091 /* When FW download fails, send Intel Reset to retry 2092 * FW download. 2093 */ 2094 btintel_reset_to_bootloader(hdev); 2095 goto done; 2096 } 2097 2098 /* Before switching the device into operational mode and with that 2099 * booting the loaded firmware, wait for the bootloader notification 2100 * that all fragments have been successfully received. 2101 * 2102 * When the event processing receives the notification, then the 2103 * INTEL_DOWNLOADING flag will be cleared. 2104 * 2105 * The firmware loading should not take longer than 5 seconds 2106 * and thus just timeout if that happens and fail the setup 2107 * of this device. 2108 */ 2109 err = btintel_download_wait(hdev, calltime, 5000); 2110 if (err == -ETIMEDOUT) 2111 btintel_reset_to_bootloader(hdev); 2112 2113done: 2114 release_firmware(fw); 2115 return err; 2116} 2117 2118static int btintel_bootloader_setup(struct hci_dev *hdev, 2119 struct intel_version *ver) 2120{ 2121 struct intel_version new_ver; 2122 struct intel_boot_params params; 2123 u32 boot_param; 2124 char ddcname[64]; 2125 int err; 2126 2127 BT_DBG("%s", hdev->name); 2128 2129 /* Set the default boot parameter to 0x0 and it is updated to 2130 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2131 * command while downloading the firmware. 2132 */ 2133 boot_param = 0x00000000; 2134 2135 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2136 2137 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param); 2138 if (err) 2139 return err; 2140 2141 /* controller is already having an operational firmware */ 2142 if (ver->fw_variant == 0x23) 2143 goto finish; 2144 2145 err = btintel_boot(hdev, boot_param); 2146 if (err) 2147 return err; 2148 2149 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2150 2151 err = btintel_get_fw_name(ver, ¶ms, ddcname, 2152 sizeof(ddcname), "ddc"); 2153 2154 if (err < 0) { 2155 bt_dev_err(hdev, "Unsupported Intel firmware naming"); 2156 } else { 2157 /* Once the device is running in operational mode, it needs to 2158 * apply the device configuration (DDC) parameters. 2159 * 2160 * The device can work without DDC parameters, so even if it 2161 * fails to load the file, no need to fail the setup. 2162 */ 2163 btintel_load_ddc_config(hdev, ddcname); 2164 } 2165 2166 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2167 2168 /* Read the Intel version information after loading the FW */ 2169 err = btintel_read_version(hdev, &new_ver); 2170 if (err) 2171 return err; 2172 2173 btintel_version_info(hdev, &new_ver); 2174 2175finish: 2176 /* Set the event mask for Intel specific vendor events. This enables 2177 * a few extra events that are useful during general operation. It 2178 * does not enable any debugging related events. 2179 * 2180 * The device will function correctly without these events enabled 2181 * and thus no need to fail the setup. 2182 */ 2183 btintel_set_event_mask(hdev, false); 2184 2185 return 0; 2186} 2187 2188static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver, 2189 char *fw_name, size_t len, 2190 const char *suffix) 2191{ 2192 /* The firmware file name for new generation controllers will be 2193 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step> 2194 */ 2195 snprintf(fw_name, len, "intel/ibt-%04x-%04x.%s", 2196 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top), 2197 INTEL_CNVX_TOP_STEP(ver->cnvi_top)), 2198 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top), 2199 INTEL_CNVX_TOP_STEP(ver->cnvr_top)), 2200 suffix); 2201} 2202 2203static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev, 2204 struct intel_version_tlv *ver, 2205 u32 *boot_param) 2206{ 2207 const struct firmware *fw; 2208 char fwname[64]; 2209 int err; 2210 ktime_t calltime; 2211 2212 if (!ver || !boot_param) 2213 return -EINVAL; 2214 2215 /* The firmware variant determines if the device is in bootloader 2216 * mode or is running operational firmware. The value 0x03 identifies 2217 * the bootloader and the value 0x23 identifies the operational 2218 * firmware. 2219 * 2220 * When the operational firmware is already present, then only 2221 * the check for valid Bluetooth device address is needed. This 2222 * determines if the device will be added as configured or 2223 * unconfigured controller. 2224 * 2225 * It is not possible to use the Secure Boot Parameters in this 2226 * case since that command is only available in bootloader mode. 2227 */ 2228 if (ver->img_type == 0x03) { 2229 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2230 btintel_check_bdaddr(hdev); 2231 } else { 2232 /* 2233 * Check for valid bd address in boot loader mode. Device 2234 * will be marked as unconfigured if empty bd address is 2235 * found. 2236 */ 2237 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) { 2238 bt_dev_info(hdev, "No device address configured"); 2239 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2240 } 2241 } 2242 2243 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi"); 2244 err = firmware_request_nowarn(&fw, fwname, &hdev->dev); 2245 if (err < 0) { 2246 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 2247 /* Firmware has already been loaded */ 2248 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2249 return 0; 2250 } 2251 2252 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)", 2253 fwname, err); 2254 2255 return err; 2256 } 2257 2258 bt_dev_info(hdev, "Found device firmware: %s", fwname); 2259 2260 if (fw->size < 644) { 2261 bt_dev_err(hdev, "Invalid size of firmware file (%zu)", 2262 fw->size); 2263 err = -EBADF; 2264 goto done; 2265 } 2266 2267 calltime = ktime_get(); 2268 2269 btintel_set_flag(hdev, INTEL_DOWNLOADING); 2270 2271 /* Start firmware downloading and get boot parameter */ 2272 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param, 2273 INTEL_HW_VARIANT(ver->cnvi_bt), 2274 ver->sbe_type); 2275 if (err < 0) { 2276 if (err == -EALREADY) { 2277 /* Firmware has already been loaded */ 2278 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED); 2279 err = 0; 2280 goto done; 2281 } 2282 2283 /* When FW download fails, send Intel Reset to retry 2284 * FW download. 2285 */ 2286 btintel_reset_to_bootloader(hdev); 2287 goto done; 2288 } 2289 2290 /* Before switching the device into operational mode and with that 2291 * booting the loaded firmware, wait for the bootloader notification 2292 * that all fragments have been successfully received. 2293 * 2294 * When the event processing receives the notification, then the 2295 * BTUSB_DOWNLOADING flag will be cleared. 2296 * 2297 * The firmware loading should not take longer than 5 seconds 2298 * and thus just timeout if that happens and fail the setup 2299 * of this device. 2300 */ 2301 err = btintel_download_wait(hdev, calltime, 5000); 2302 if (err == -ETIMEDOUT) 2303 btintel_reset_to_bootloader(hdev); 2304 2305done: 2306 release_firmware(fw); 2307 return err; 2308} 2309 2310static int btintel_get_codec_config_data(struct hci_dev *hdev, 2311 __u8 link, struct bt_codec *codec, 2312 __u8 *ven_len, __u8 **ven_data) 2313{ 2314 int err = 0; 2315 2316 if (!ven_data || !ven_len) 2317 return -EINVAL; 2318 2319 *ven_len = 0; 2320 *ven_data = NULL; 2321 2322 if (link != ESCO_LINK) { 2323 bt_dev_err(hdev, "Invalid link type(%u)", link); 2324 return -EINVAL; 2325 } 2326 2327 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL); 2328 if (!*ven_data) { 2329 err = -ENOMEM; 2330 goto error; 2331 } 2332 2333 /* supports only CVSD and mSBC offload codecs */ 2334 switch (codec->id) { 2335 case 0x02: 2336 **ven_data = 0x00; 2337 break; 2338 case 0x05: 2339 **ven_data = 0x01; 2340 break; 2341 default: 2342 err = -EINVAL; 2343 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id); 2344 goto error; 2345 } 2346 /* codec and its capabilities are pre-defined to ids 2347 * preset id = 0x00 represents CVSD codec with sampling rate 8K 2348 * preset id = 0x01 represents mSBC codec with sampling rate 16K 2349 */ 2350 *ven_len = sizeof(__u8); 2351 return err; 2352 2353error: 2354 kfree(*ven_data); 2355 *ven_data = NULL; 2356 return err; 2357} 2358 2359static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id) 2360{ 2361 /* Intel uses 1 as data path id for all the usecases */ 2362 *data_path_id = 1; 2363 return 0; 2364} 2365 2366static int btintel_configure_offload(struct hci_dev *hdev) 2367{ 2368 struct sk_buff *skb; 2369 int err = 0; 2370 struct intel_offload_use_cases *use_cases; 2371 2372 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT); 2373 if (IS_ERR(skb)) { 2374 bt_dev_err(hdev, "Reading offload use cases failed (%ld)", 2375 PTR_ERR(skb)); 2376 return PTR_ERR(skb); 2377 } 2378 2379 if (skb->len < sizeof(*use_cases)) { 2380 err = -EIO; 2381 goto error; 2382 } 2383 2384 use_cases = (void *)skb->data; 2385 2386 if (use_cases->status) { 2387 err = -bt_to_errno(skb->data[0]); 2388 goto error; 2389 } 2390 2391 if (use_cases->preset[0] & 0x03) { 2392 hdev->get_data_path_id = btintel_get_data_path_id; 2393 hdev->get_codec_config_data = btintel_get_codec_config_data; 2394 } 2395error: 2396 kfree_skb(skb); 2397 return err; 2398} 2399 2400static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver) 2401{ 2402 struct btintel_ppag ppag; 2403 struct sk_buff *skb; 2404 struct hci_ppag_enable_cmd ppag_cmd; 2405 acpi_handle handle; 2406 2407 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */ 2408 switch (ver->cnvr_top & 0xFFF) { 2409 case 0x504: /* Hrp2 */ 2410 case 0x202: /* Jfp2 */ 2411 case 0x201: /* Jfp1 */ 2412 bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)", 2413 ver->cnvr_top & 0xFFF); 2414 return; 2415 } 2416 2417 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2418 if (!handle) { 2419 bt_dev_info(hdev, "No support for BT device in ACPI firmware"); 2420 return; 2421 } 2422 2423 memset(&ppag, 0, sizeof(ppag)); 2424 2425 ppag.hdev = hdev; 2426 ppag.status = AE_NOT_FOUND; 2427 acpi_walk_namespace(ACPI_TYPE_PACKAGE, handle, 1, NULL, 2428 btintel_ppag_callback, &ppag, NULL); 2429 2430 if (ACPI_FAILURE(ppag.status)) { 2431 if (ppag.status == AE_NOT_FOUND) { 2432 bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found"); 2433 return; 2434 } 2435 return; 2436 } 2437 2438 if (ppag.domain != 0x12) { 2439 bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware"); 2440 return; 2441 } 2442 2443 /* PPAG mode 2444 * BIT 0 : 0 Disabled in EU 2445 * 1 Enabled in EU 2446 * BIT 1 : 0 Disabled in China 2447 * 1 Enabled in China 2448 */ 2449 if ((ppag.mode & 0x01) != BIT(0) && (ppag.mode & 0x02) != BIT(1)) { 2450 bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in CB/BIOS"); 2451 return; 2452 } 2453 2454 ppag_cmd.ppag_enable_flags = cpu_to_le32(ppag.mode); 2455 2456 skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd), &ppag_cmd, HCI_CMD_TIMEOUT); 2457 if (IS_ERR(skb)) { 2458 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb)); 2459 return; 2460 } 2461 bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", ppag.mode); 2462 kfree_skb(skb); 2463} 2464 2465static int btintel_acpi_reset_method(struct hci_dev *hdev) 2466{ 2467 int ret = 0; 2468 acpi_status status; 2469 union acpi_object *p, *ref; 2470 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; 2471 2472 status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer); 2473 if (ACPI_FAILURE(status)) { 2474 bt_dev_err(hdev, "Failed to run _PRR method"); 2475 ret = -ENODEV; 2476 return ret; 2477 } 2478 p = buffer.pointer; 2479 2480 if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) { 2481 bt_dev_err(hdev, "Invalid arguments"); 2482 ret = -EINVAL; 2483 goto exit_on_error; 2484 } 2485 2486 ref = &p->package.elements[0]; 2487 if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) { 2488 bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type); 2489 ret = -EINVAL; 2490 goto exit_on_error; 2491 } 2492 2493 status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL); 2494 if (ACPI_FAILURE(status)) { 2495 bt_dev_err(hdev, "Failed to run_RST method"); 2496 ret = -ENODEV; 2497 goto exit_on_error; 2498 } 2499 2500exit_on_error: 2501 kfree(buffer.pointer); 2502 return ret; 2503} 2504 2505static void btintel_set_dsm_reset_method(struct hci_dev *hdev, 2506 struct intel_version_tlv *ver_tlv) 2507{ 2508 struct btintel_data *data = hci_get_priv(hdev); 2509 acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2510 u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00}; 2511 union acpi_object *obj, argv4; 2512 enum { 2513 RESET_TYPE_WDISABLE2, 2514 RESET_TYPE_VSEC 2515 }; 2516 2517 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev)); 2518 2519 if (!handle) { 2520 bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware"); 2521 return; 2522 } 2523 2524 if (!acpi_has_method(handle, "_PRR")) { 2525 bt_dev_err(hdev, "No support for _PRR ACPI method"); 2526 return; 2527 } 2528 2529 switch (ver_tlv->cnvi_top & 0xfff) { 2530 case 0x910: /* GalePeak2 */ 2531 reset_payload[2] = RESET_TYPE_VSEC; 2532 break; 2533 default: 2534 /* WDISABLE2 is the default reset method */ 2535 reset_payload[2] = RESET_TYPE_WDISABLE2; 2536 2537 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2538 BIT(DSM_SET_WDISABLE2_DELAY))) { 2539 bt_dev_err(hdev, "No dsm support to set reset delay"); 2540 return; 2541 } 2542 argv4.integer.type = ACPI_TYPE_INTEGER; 2543 /* delay required to toggle BT power */ 2544 argv4.integer.value = 160; 2545 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2546 DSM_SET_WDISABLE2_DELAY, &argv4); 2547 if (!obj) { 2548 bt_dev_err(hdev, "Failed to call dsm to set reset delay"); 2549 return; 2550 } 2551 ACPI_FREE(obj); 2552 } 2553 2554 bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]); 2555 2556 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0, 2557 DSM_SET_RESET_METHOD)) { 2558 bt_dev_warn(hdev, "No support for dsm to set reset method"); 2559 return; 2560 } 2561 argv4.buffer.type = ACPI_TYPE_BUFFER; 2562 argv4.buffer.length = sizeof(reset_payload); 2563 argv4.buffer.pointer = reset_payload; 2564 2565 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0, 2566 DSM_SET_RESET_METHOD, &argv4); 2567 if (!obj) { 2568 bt_dev_err(hdev, "Failed to call dsm to set reset method"); 2569 return; 2570 } 2571 ACPI_FREE(obj); 2572 data->acpi_reset_method = btintel_acpi_reset_method; 2573} 2574 2575static int btintel_bootloader_setup_tlv(struct hci_dev *hdev, 2576 struct intel_version_tlv *ver) 2577{ 2578 u32 boot_param; 2579 char ddcname[64]; 2580 int err; 2581 struct intel_version_tlv new_ver; 2582 2583 bt_dev_dbg(hdev, ""); 2584 2585 /* Set the default boot parameter to 0x0 and it is updated to 2586 * SKU specific boot parameter after reading Intel_Write_Boot_Params 2587 * command while downloading the firmware. 2588 */ 2589 boot_param = 0x00000000; 2590 2591 btintel_set_flag(hdev, INTEL_BOOTLOADER); 2592 2593 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param); 2594 if (err) 2595 return err; 2596 2597 /* check if controller is already having an operational firmware */ 2598 if (ver->img_type == 0x03) 2599 goto finish; 2600 2601 err = btintel_boot(hdev, boot_param); 2602 if (err) 2603 return err; 2604 2605 btintel_clear_flag(hdev, INTEL_BOOTLOADER); 2606 2607 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc"); 2608 /* Once the device is running in operational mode, it needs to 2609 * apply the device configuration (DDC) parameters. 2610 * 2611 * The device can work without DDC parameters, so even if it 2612 * fails to load the file, no need to fail the setup. 2613 */ 2614 btintel_load_ddc_config(hdev, ddcname); 2615 2616 /* Read supported use cases and set callbacks to fetch datapath id */ 2617 btintel_configure_offload(hdev); 2618 2619 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT); 2620 2621 /* Set PPAG feature */ 2622 btintel_set_ppag(hdev, ver); 2623 2624 /* Read the Intel version information after loading the FW */ 2625 err = btintel_read_version_tlv(hdev, &new_ver); 2626 if (err) 2627 return err; 2628 2629 btintel_version_info_tlv(hdev, &new_ver); 2630 2631finish: 2632 /* Set the event mask for Intel specific vendor events. This enables 2633 * a few extra events that are useful during general operation. It 2634 * does not enable any debugging related events. 2635 * 2636 * The device will function correctly without these events enabled 2637 * and thus no need to fail the setup. 2638 */ 2639 btintel_set_event_mask(hdev, false); 2640 2641 return 0; 2642} 2643 2644static void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant) 2645{ 2646 switch (hw_variant) { 2647 /* Legacy bootloader devices that supports MSFT Extension */ 2648 case 0x11: /* JfP */ 2649 case 0x12: /* ThP */ 2650 case 0x13: /* HrP */ 2651 case 0x14: /* CcP */ 2652 /* All Intel new genration controllers support the Microsoft vendor 2653 * extension are using 0xFC1E for VsMsftOpCode. 2654 */ 2655 case 0x17: 2656 case 0x18: 2657 case 0x19: 2658 case 0x1b: 2659 case 0x1c: 2660 hci_set_msft_opcode(hdev, 0xFC1E); 2661 break; 2662 default: 2663 /* Not supported */ 2664 break; 2665 } 2666} 2667 2668static int btintel_setup_combined(struct hci_dev *hdev) 2669{ 2670 const u8 param[1] = { 0xFF }; 2671 struct intel_version ver; 2672 struct intel_version_tlv ver_tlv; 2673 struct sk_buff *skb; 2674 int err; 2675 2676 BT_DBG("%s", hdev->name); 2677 2678 /* The some controllers have a bug with the first HCI command sent to it 2679 * returning number of completed commands as zero. This would stall the 2680 * command processing in the Bluetooth core. 2681 * 2682 * As a workaround, send HCI Reset command first which will reset the 2683 * number of completed commands and allow normal command processing 2684 * from now on. 2685 * 2686 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe 2687 * in the SW_RFKILL ON state as a workaround of fixing LED issue during 2688 * the shutdown() procedure, and once the device is in SW_RFKILL ON 2689 * state, the only way to exit out of it is sending the HCI_Reset 2690 * command. 2691 */ 2692 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) || 2693 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 2694 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, 2695 HCI_INIT_TIMEOUT); 2696 if (IS_ERR(skb)) { 2697 bt_dev_err(hdev, 2698 "sending initial HCI reset failed (%ld)", 2699 PTR_ERR(skb)); 2700 return PTR_ERR(skb); 2701 } 2702 kfree_skb(skb); 2703 } 2704 2705 /* Starting from TyP device, the command parameter and response are 2706 * changed even though the OCF for HCI_Intel_Read_Version command 2707 * remains same. The legacy devices can handle even if the 2708 * command has a parameter and returns a correct version information. 2709 * So, it uses new format to support both legacy and new format. 2710 */ 2711 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT); 2712 if (IS_ERR(skb)) { 2713 bt_dev_err(hdev, "Reading Intel version command failed (%ld)", 2714 PTR_ERR(skb)); 2715 return PTR_ERR(skb); 2716 } 2717 2718 /* Check the status */ 2719 if (skb->data[0]) { 2720 bt_dev_err(hdev, "Intel Read Version command failed (%02x)", 2721 skb->data[0]); 2722 err = -EIO; 2723 goto exit_error; 2724 } 2725 2726 /* Apply the common HCI quirks for Intel device */ 2727 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2728 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2729 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks); 2730 2731 /* Set up the quality report callback for Intel devices */ 2732 hdev->set_quality_report = btintel_set_quality_report; 2733 2734 /* For Legacy device, check the HW platform value and size */ 2735 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) { 2736 bt_dev_dbg(hdev, "Read the legacy Intel version information"); 2737 2738 memcpy(&ver, skb->data, sizeof(ver)); 2739 2740 /* Display version information */ 2741 btintel_version_info(hdev, &ver); 2742 2743 /* Check for supported iBT hardware variants of this firmware 2744 * loading method. 2745 * 2746 * This check has been put in place to ensure correct forward 2747 * compatibility options when newer hardware variants come 2748 * along. 2749 */ 2750 switch (ver.hw_variant) { 2751 case 0x07: /* WP */ 2752 case 0x08: /* StP */ 2753 /* Legacy ROM product */ 2754 btintel_set_flag(hdev, INTEL_ROM_LEGACY); 2755 2756 /* Apply the device specific HCI quirks 2757 * 2758 * WBS for SdP - For the Legacy ROM products, only SdP 2759 * supports the WBS. But the version information is not 2760 * enough to use here because the StP2 and SdP have same 2761 * hw_variant and fw_variant. So, this flag is set by 2762 * the transport driver (btusb) based on the HW info 2763 * (idProduct) 2764 */ 2765 if (!btintel_test_flag(hdev, 2766 INTEL_ROM_LEGACY_NO_WBS_SUPPORT)) 2767 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 2768 &hdev->quirks); 2769 if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22) 2770 set_bit(HCI_QUIRK_VALID_LE_STATES, 2771 &hdev->quirks); 2772 2773 err = btintel_legacy_rom_setup(hdev, &ver); 2774 break; 2775 case 0x0b: /* SfP */ 2776 case 0x11: /* JfP */ 2777 case 0x12: /* ThP */ 2778 case 0x13: /* HrP */ 2779 case 0x14: /* CcP */ 2780 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 2781 fallthrough; 2782 case 0x0c: /* WsP */ 2783 /* Apply the device specific HCI quirks 2784 * 2785 * All Legacy bootloader devices support WBS 2786 */ 2787 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, 2788 &hdev->quirks); 2789 2790 /* These variants don't seem to support LE Coded PHY */ 2791 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 2792 2793 /* Setup MSFT Extension support */ 2794 btintel_set_msft_opcode(hdev, ver.hw_variant); 2795 2796 err = btintel_bootloader_setup(hdev, &ver); 2797 btintel_register_devcoredump_support(hdev); 2798 break; 2799 default: 2800 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 2801 ver.hw_variant); 2802 err = -EINVAL; 2803 } 2804 2805 goto exit_error; 2806 } 2807 2808 /* memset ver_tlv to start with clean state as few fields are exclusive 2809 * to bootloader mode and are not populated in operational mode 2810 */ 2811 memset(&ver_tlv, 0, sizeof(ver_tlv)); 2812 /* For TLV type device, parse the tlv data */ 2813 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb); 2814 if (err) { 2815 bt_dev_err(hdev, "Failed to parse TLV version information"); 2816 goto exit_error; 2817 } 2818 2819 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) { 2820 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)", 2821 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt)); 2822 err = -EINVAL; 2823 goto exit_error; 2824 } 2825 2826 /* Check for supported iBT hardware variants of this firmware 2827 * loading method. 2828 * 2829 * This check has been put in place to ensure correct forward 2830 * compatibility options when newer hardware variants come 2831 * along. 2832 */ 2833 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) { 2834 case 0x11: /* JfP */ 2835 case 0x12: /* ThP */ 2836 case 0x13: /* HrP */ 2837 case 0x14: /* CcP */ 2838 /* Some legacy bootloader devices starting from JfP, 2839 * the operational firmware supports both old and TLV based 2840 * HCI_Intel_Read_Version command based on the command 2841 * parameter. 2842 * 2843 * For upgrading firmware case, the TLV based version cannot 2844 * be used because the firmware filename for legacy bootloader 2845 * is based on the old format. 2846 * 2847 * Also, it is not easy to convert TLV based version from the 2848 * legacy version format. 2849 * 2850 * So, as a workaround for those devices, use the legacy 2851 * HCI_Intel_Read_Version to get the version information and 2852 * run the legacy bootloader setup. 2853 */ 2854 err = btintel_read_version(hdev, &ver); 2855 if (err) 2856 break; 2857 2858 /* Apply the device specific HCI quirks 2859 * 2860 * All Legacy bootloader devices support WBS 2861 */ 2862 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 2863 2864 /* These variants don't seem to support LE Coded PHY */ 2865 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks); 2866 2867 /* Set Valid LE States quirk */ 2868 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 2869 2870 /* Setup MSFT Extension support */ 2871 btintel_set_msft_opcode(hdev, ver.hw_variant); 2872 2873 err = btintel_bootloader_setup(hdev, &ver); 2874 btintel_register_devcoredump_support(hdev); 2875 break; 2876 case 0x17: 2877 case 0x18: 2878 case 0x19: 2879 case 0x1b: 2880 case 0x1c: 2881 /* Display version information of TLV type */ 2882 btintel_version_info_tlv(hdev, &ver_tlv); 2883 2884 /* Apply the device specific HCI quirks for TLV based devices 2885 * 2886 * All TLV based devices support WBS 2887 */ 2888 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); 2889 2890 /* Apply LE States quirk from solar onwards */ 2891 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); 2892 2893 /* Setup MSFT Extension support */ 2894 btintel_set_msft_opcode(hdev, 2895 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 2896 btintel_set_dsm_reset_method(hdev, &ver_tlv); 2897 2898 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv); 2899 btintel_register_devcoredump_support(hdev); 2900 break; 2901 default: 2902 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)", 2903 INTEL_HW_VARIANT(ver_tlv.cnvi_bt)); 2904 err = -EINVAL; 2905 break; 2906 } 2907 2908exit_error: 2909 kfree_skb(skb); 2910 2911 return err; 2912} 2913 2914static int btintel_shutdown_combined(struct hci_dev *hdev) 2915{ 2916 struct sk_buff *skb; 2917 int ret; 2918 2919 /* Send HCI Reset to the controller to stop any BT activity which 2920 * were triggered. This will help to save power and maintain the 2921 * sync b/w Host and controller 2922 */ 2923 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2924 if (IS_ERR(skb)) { 2925 bt_dev_err(hdev, "HCI reset during shutdown failed"); 2926 return PTR_ERR(skb); 2927 } 2928 kfree_skb(skb); 2929 2930 2931 /* Some platforms have an issue with BT LED when the interface is 2932 * down or BT radio is turned off, which takes 5 seconds to BT LED 2933 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the 2934 * device in the RFKILL ON state which turns off the BT LED immediately. 2935 */ 2936 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { 2937 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 2938 if (IS_ERR(skb)) { 2939 ret = PTR_ERR(skb); 2940 bt_dev_err(hdev, "turning off Intel device LED failed"); 2941 return ret; 2942 } 2943 kfree_skb(skb); 2944 } 2945 2946 return 0; 2947} 2948 2949int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name) 2950{ 2951 hdev->manufacturer = 2; 2952 hdev->setup = btintel_setup_combined; 2953 hdev->shutdown = btintel_shutdown_combined; 2954 hdev->hw_error = btintel_hw_error; 2955 hdev->set_diag = btintel_set_diag_combined; 2956 hdev->set_bdaddr = btintel_set_bdaddr; 2957 2958 coredump_info.driver_name = driver_name; 2959 2960 return 0; 2961} 2962EXPORT_SYMBOL_GPL(btintel_configure_setup); 2963 2964static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb) 2965{ 2966 struct intel_tlv *tlv = (void *)&skb->data[5]; 2967 2968 /* The first event is always an event type TLV */ 2969 if (tlv->type != INTEL_TLV_TYPE_ID) 2970 goto recv_frame; 2971 2972 switch (tlv->val[0]) { 2973 case INTEL_TLV_SYSTEM_EXCEPTION: 2974 case INTEL_TLV_FATAL_EXCEPTION: 2975 case INTEL_TLV_DEBUG_EXCEPTION: 2976 case INTEL_TLV_TEST_EXCEPTION: 2977 /* Generate devcoredump from exception */ 2978 if (!hci_devcd_init(hdev, skb->len)) { 2979 hci_devcd_append(hdev, skb); 2980 hci_devcd_complete(hdev); 2981 } else { 2982 bt_dev_err(hdev, "Failed to generate devcoredump"); 2983 kfree_skb(skb); 2984 } 2985 return 0; 2986 default: 2987 bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]); 2988 } 2989 2990recv_frame: 2991 return hci_recv_frame(hdev, skb); 2992} 2993 2994int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb) 2995{ 2996 struct hci_event_hdr *hdr = (void *)skb->data; 2997 const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 }; 2998 2999 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 3000 hdr->plen > 0) { 3001 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 3002 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 3003 3004 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) { 3005 switch (skb->data[2]) { 3006 case 0x02: 3007 /* When switching to the operational firmware 3008 * the device sends a vendor specific event 3009 * indicating that the bootup completed. 3010 */ 3011 btintel_bootup(hdev, ptr, len); 3012 break; 3013 case 0x06: 3014 /* When the firmware loading completes the 3015 * device sends out a vendor specific event 3016 * indicating the result of the firmware 3017 * loading. 3018 */ 3019 btintel_secure_send_result(hdev, ptr, len); 3020 break; 3021 } 3022 } 3023 3024 /* Handle all diagnostics events separately. May still call 3025 * hci_recv_frame. 3026 */ 3027 if (len >= sizeof(diagnostics_hdr) && 3028 memcmp(&skb->data[2], diagnostics_hdr, 3029 sizeof(diagnostics_hdr)) == 0) { 3030 return btintel_diagnostics(hdev, skb); 3031 } 3032 } 3033 3034 return hci_recv_frame(hdev, skb); 3035} 3036EXPORT_SYMBOL_GPL(btintel_recv_event); 3037 3038void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len) 3039{ 3040 const struct intel_bootup *evt = ptr; 3041 3042 if (len != sizeof(*evt)) 3043 return; 3044 3045 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING)) 3046 btintel_wake_up_flag(hdev, INTEL_BOOTING); 3047} 3048EXPORT_SYMBOL_GPL(btintel_bootup); 3049 3050void btintel_secure_send_result(struct hci_dev *hdev, 3051 const void *ptr, unsigned int len) 3052{ 3053 const struct intel_secure_send_result *evt = ptr; 3054 3055 if (len != sizeof(*evt)) 3056 return; 3057 3058 if (evt->result) 3059 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED); 3060 3061 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) && 3062 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED)) 3063 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING); 3064} 3065EXPORT_SYMBOL_GPL(btintel_secure_send_result); 3066 3067MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3068MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION); 3069MODULE_VERSION(VERSION); 3070MODULE_LICENSE("GPL"); 3071MODULE_FIRMWARE("intel/ibt-11-5.sfi"); 3072MODULE_FIRMWARE("intel/ibt-11-5.ddc"); 3073MODULE_FIRMWARE("intel/ibt-12-16.sfi"); 3074MODULE_FIRMWARE("intel/ibt-12-16.ddc"); 3075