162306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0 262306a36Sopenharmony_ci/* 362306a36Sopenharmony_ci * EFI capsule support. 462306a36Sopenharmony_ci * 562306a36Sopenharmony_ci * Copyright 2013 Intel Corporation; author Matt Fleming 662306a36Sopenharmony_ci */ 762306a36Sopenharmony_ci 862306a36Sopenharmony_ci#define pr_fmt(fmt) "efi: " fmt 962306a36Sopenharmony_ci 1062306a36Sopenharmony_ci#include <linux/slab.h> 1162306a36Sopenharmony_ci#include <linux/mutex.h> 1262306a36Sopenharmony_ci#include <linux/highmem.h> 1362306a36Sopenharmony_ci#include <linux/efi.h> 1462306a36Sopenharmony_ci#include <linux/vmalloc.h> 1562306a36Sopenharmony_ci#include <asm/efi.h> 1662306a36Sopenharmony_ci#include <asm/io.h> 1762306a36Sopenharmony_ci 1862306a36Sopenharmony_citypedef struct { 1962306a36Sopenharmony_ci u64 length; 2062306a36Sopenharmony_ci u64 data; 2162306a36Sopenharmony_ci} efi_capsule_block_desc_t; 2262306a36Sopenharmony_ci 2362306a36Sopenharmony_cistatic bool capsule_pending; 2462306a36Sopenharmony_cistatic bool stop_capsules; 2562306a36Sopenharmony_cistatic int efi_reset_type = -1; 2662306a36Sopenharmony_ci 2762306a36Sopenharmony_ci/* 2862306a36Sopenharmony_ci * capsule_mutex serialises access to both capsule_pending and 2962306a36Sopenharmony_ci * efi_reset_type and stop_capsules. 3062306a36Sopenharmony_ci */ 3162306a36Sopenharmony_cistatic DEFINE_MUTEX(capsule_mutex); 3262306a36Sopenharmony_ci 3362306a36Sopenharmony_ci/** 3462306a36Sopenharmony_ci * efi_capsule_pending - has a capsule been passed to the firmware? 3562306a36Sopenharmony_ci * @reset_type: store the type of EFI reset if capsule is pending 3662306a36Sopenharmony_ci * 3762306a36Sopenharmony_ci * To ensure that the registered capsule is processed correctly by the 3862306a36Sopenharmony_ci * firmware we need to perform a specific type of reset. If a capsule is 3962306a36Sopenharmony_ci * pending return the reset type in @reset_type. 4062306a36Sopenharmony_ci * 4162306a36Sopenharmony_ci * This function will race with callers of efi_capsule_update(), for 4262306a36Sopenharmony_ci * example, calling this function while somebody else is in 4362306a36Sopenharmony_ci * efi_capsule_update() but hasn't reached efi_capsue_update_locked() 4462306a36Sopenharmony_ci * will miss the updates to capsule_pending and efi_reset_type after 4562306a36Sopenharmony_ci * efi_capsule_update_locked() completes. 4662306a36Sopenharmony_ci * 4762306a36Sopenharmony_ci * A non-racy use is from platform reboot code because we use 4862306a36Sopenharmony_ci * system_state to ensure no capsules can be sent to the firmware once 4962306a36Sopenharmony_ci * we're at SYSTEM_RESTART. See efi_capsule_update_locked(). 5062306a36Sopenharmony_ci */ 5162306a36Sopenharmony_cibool efi_capsule_pending(int *reset_type) 5262306a36Sopenharmony_ci{ 5362306a36Sopenharmony_ci if (!capsule_pending) 5462306a36Sopenharmony_ci return false; 5562306a36Sopenharmony_ci 5662306a36Sopenharmony_ci if (reset_type) 5762306a36Sopenharmony_ci *reset_type = efi_reset_type; 5862306a36Sopenharmony_ci 5962306a36Sopenharmony_ci return true; 6062306a36Sopenharmony_ci} 6162306a36Sopenharmony_ci 6262306a36Sopenharmony_ci/* 6362306a36Sopenharmony_ci * Whitelist of EFI capsule flags that we support. 6462306a36Sopenharmony_ci * 6562306a36Sopenharmony_ci * We do not handle EFI_CAPSULE_INITIATE_RESET because that would 6662306a36Sopenharmony_ci * require us to prepare the kernel for reboot. Refuse to load any 6762306a36Sopenharmony_ci * capsules with that flag and any other flags that we do not know how 6862306a36Sopenharmony_ci * to handle. 6962306a36Sopenharmony_ci */ 7062306a36Sopenharmony_ci#define EFI_CAPSULE_SUPPORTED_FLAG_MASK \ 7162306a36Sopenharmony_ci (EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE) 7262306a36Sopenharmony_ci 7362306a36Sopenharmony_ci/** 7462306a36Sopenharmony_ci * efi_capsule_supported - does the firmware support the capsule? 7562306a36Sopenharmony_ci * @guid: vendor guid of capsule 7662306a36Sopenharmony_ci * @flags: capsule flags 7762306a36Sopenharmony_ci * @size: size of capsule data 7862306a36Sopenharmony_ci * @reset: the reset type required for this capsule 7962306a36Sopenharmony_ci * 8062306a36Sopenharmony_ci * Check whether a capsule with @flags is supported by the firmware 8162306a36Sopenharmony_ci * and that @size doesn't exceed the maximum size for a capsule. 8262306a36Sopenharmony_ci * 8362306a36Sopenharmony_ci * No attempt is made to check @reset against the reset type required 8462306a36Sopenharmony_ci * by any pending capsules because of the races involved. 8562306a36Sopenharmony_ci */ 8662306a36Sopenharmony_ciint efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset) 8762306a36Sopenharmony_ci{ 8862306a36Sopenharmony_ci efi_capsule_header_t capsule; 8962306a36Sopenharmony_ci efi_capsule_header_t *cap_list[] = { &capsule }; 9062306a36Sopenharmony_ci efi_status_t status; 9162306a36Sopenharmony_ci u64 max_size; 9262306a36Sopenharmony_ci 9362306a36Sopenharmony_ci if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK) 9462306a36Sopenharmony_ci return -EINVAL; 9562306a36Sopenharmony_ci 9662306a36Sopenharmony_ci capsule.headersize = capsule.imagesize = sizeof(capsule); 9762306a36Sopenharmony_ci memcpy(&capsule.guid, &guid, sizeof(efi_guid_t)); 9862306a36Sopenharmony_ci capsule.flags = flags; 9962306a36Sopenharmony_ci 10062306a36Sopenharmony_ci status = efi.query_capsule_caps(cap_list, 1, &max_size, reset); 10162306a36Sopenharmony_ci if (status != EFI_SUCCESS) 10262306a36Sopenharmony_ci return efi_status_to_err(status); 10362306a36Sopenharmony_ci 10462306a36Sopenharmony_ci if (size > max_size) 10562306a36Sopenharmony_ci return -ENOSPC; 10662306a36Sopenharmony_ci 10762306a36Sopenharmony_ci return 0; 10862306a36Sopenharmony_ci} 10962306a36Sopenharmony_ciEXPORT_SYMBOL_GPL(efi_capsule_supported); 11062306a36Sopenharmony_ci 11162306a36Sopenharmony_ci/* 11262306a36Sopenharmony_ci * Every scatter gather list (block descriptor) page must end with a 11362306a36Sopenharmony_ci * continuation pointer. The last continuation pointer of the last 11462306a36Sopenharmony_ci * page must be zero to mark the end of the chain. 11562306a36Sopenharmony_ci */ 11662306a36Sopenharmony_ci#define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1) 11762306a36Sopenharmony_ci 11862306a36Sopenharmony_ci/* 11962306a36Sopenharmony_ci * How many scatter gather list (block descriptor) pages do we need 12062306a36Sopenharmony_ci * to map @count pages? 12162306a36Sopenharmony_ci */ 12262306a36Sopenharmony_cistatic inline unsigned int sg_pages_num(unsigned int count) 12362306a36Sopenharmony_ci{ 12462306a36Sopenharmony_ci return DIV_ROUND_UP(count, SGLIST_PER_PAGE); 12562306a36Sopenharmony_ci} 12662306a36Sopenharmony_ci 12762306a36Sopenharmony_ci/** 12862306a36Sopenharmony_ci * efi_capsule_update_locked - pass a single capsule to the firmware 12962306a36Sopenharmony_ci * @capsule: capsule to send to the firmware 13062306a36Sopenharmony_ci * @sg_pages: array of scatter gather (block descriptor) pages 13162306a36Sopenharmony_ci * @reset: the reset type required for @capsule 13262306a36Sopenharmony_ci * 13362306a36Sopenharmony_ci * Since this function must be called under capsule_mutex check 13462306a36Sopenharmony_ci * whether efi_reset_type will conflict with @reset, and atomically 13562306a36Sopenharmony_ci * set it and capsule_pending if a capsule was successfully sent to 13662306a36Sopenharmony_ci * the firmware. 13762306a36Sopenharmony_ci * 13862306a36Sopenharmony_ci * We also check to see if the system is about to restart, and if so, 13962306a36Sopenharmony_ci * abort. This avoids races between efi_capsule_update() and 14062306a36Sopenharmony_ci * efi_capsule_pending(). 14162306a36Sopenharmony_ci */ 14262306a36Sopenharmony_cistatic int 14362306a36Sopenharmony_ciefi_capsule_update_locked(efi_capsule_header_t *capsule, 14462306a36Sopenharmony_ci struct page **sg_pages, int reset) 14562306a36Sopenharmony_ci{ 14662306a36Sopenharmony_ci efi_physical_addr_t sglist_phys; 14762306a36Sopenharmony_ci efi_status_t status; 14862306a36Sopenharmony_ci 14962306a36Sopenharmony_ci lockdep_assert_held(&capsule_mutex); 15062306a36Sopenharmony_ci 15162306a36Sopenharmony_ci /* 15262306a36Sopenharmony_ci * If someone has already registered a capsule that requires a 15362306a36Sopenharmony_ci * different reset type, we're out of luck and must abort. 15462306a36Sopenharmony_ci */ 15562306a36Sopenharmony_ci if (efi_reset_type >= 0 && efi_reset_type != reset) { 15662306a36Sopenharmony_ci pr_err("Conflicting capsule reset type %d (%d).\n", 15762306a36Sopenharmony_ci reset, efi_reset_type); 15862306a36Sopenharmony_ci return -EINVAL; 15962306a36Sopenharmony_ci } 16062306a36Sopenharmony_ci 16162306a36Sopenharmony_ci /* 16262306a36Sopenharmony_ci * If the system is getting ready to restart it may have 16362306a36Sopenharmony_ci * called efi_capsule_pending() to make decisions (such as 16462306a36Sopenharmony_ci * whether to force an EFI reboot), and we're racing against 16562306a36Sopenharmony_ci * that call. Abort in that case. 16662306a36Sopenharmony_ci */ 16762306a36Sopenharmony_ci if (unlikely(stop_capsules)) { 16862306a36Sopenharmony_ci pr_warn("Capsule update raced with reboot, aborting.\n"); 16962306a36Sopenharmony_ci return -EINVAL; 17062306a36Sopenharmony_ci } 17162306a36Sopenharmony_ci 17262306a36Sopenharmony_ci sglist_phys = page_to_phys(sg_pages[0]); 17362306a36Sopenharmony_ci 17462306a36Sopenharmony_ci status = efi.update_capsule(&capsule, 1, sglist_phys); 17562306a36Sopenharmony_ci if (status == EFI_SUCCESS) { 17662306a36Sopenharmony_ci capsule_pending = true; 17762306a36Sopenharmony_ci efi_reset_type = reset; 17862306a36Sopenharmony_ci } 17962306a36Sopenharmony_ci 18062306a36Sopenharmony_ci return efi_status_to_err(status); 18162306a36Sopenharmony_ci} 18262306a36Sopenharmony_ci 18362306a36Sopenharmony_ci/** 18462306a36Sopenharmony_ci * efi_capsule_update - send a capsule to the firmware 18562306a36Sopenharmony_ci * @capsule: capsule to send to firmware 18662306a36Sopenharmony_ci * @pages: an array of capsule data pages 18762306a36Sopenharmony_ci * 18862306a36Sopenharmony_ci * Build a scatter gather list with EFI capsule block descriptors to 18962306a36Sopenharmony_ci * map the capsule described by @capsule with its data in @pages and 19062306a36Sopenharmony_ci * send it to the firmware via the UpdateCapsule() runtime service. 19162306a36Sopenharmony_ci * 19262306a36Sopenharmony_ci * @capsule must be a virtual mapping of the complete capsule update in the 19362306a36Sopenharmony_ci * kernel address space, as the capsule can be consumed immediately. 19462306a36Sopenharmony_ci * A capsule_header_t that describes the entire contents of the capsule 19562306a36Sopenharmony_ci * must be at the start of the first data page. 19662306a36Sopenharmony_ci * 19762306a36Sopenharmony_ci * Even though this function will validate that the firmware supports 19862306a36Sopenharmony_ci * the capsule guid, users will likely want to check that 19962306a36Sopenharmony_ci * efi_capsule_supported() returns true before calling this function 20062306a36Sopenharmony_ci * because it makes it easier to print helpful error messages. 20162306a36Sopenharmony_ci * 20262306a36Sopenharmony_ci * If the capsule is successfully submitted to the firmware, any 20362306a36Sopenharmony_ci * subsequent calls to efi_capsule_pending() will return true. @pages 20462306a36Sopenharmony_ci * must not be released or modified if this function returns 20562306a36Sopenharmony_ci * successfully. 20662306a36Sopenharmony_ci * 20762306a36Sopenharmony_ci * Callers must be prepared for this function to fail, which can 20862306a36Sopenharmony_ci * happen if we raced with system reboot or if there is already a 20962306a36Sopenharmony_ci * pending capsule that has a reset type that conflicts with the one 21062306a36Sopenharmony_ci * required by @capsule. Do NOT use efi_capsule_pending() to detect 21162306a36Sopenharmony_ci * this conflict since that would be racy. Instead, submit the capsule 21262306a36Sopenharmony_ci * to efi_capsule_update() and check the return value. 21362306a36Sopenharmony_ci * 21462306a36Sopenharmony_ci * Return 0 on success, a converted EFI status code on failure. 21562306a36Sopenharmony_ci */ 21662306a36Sopenharmony_ciint efi_capsule_update(efi_capsule_header_t *capsule, phys_addr_t *pages) 21762306a36Sopenharmony_ci{ 21862306a36Sopenharmony_ci u32 imagesize = capsule->imagesize; 21962306a36Sopenharmony_ci efi_guid_t guid = capsule->guid; 22062306a36Sopenharmony_ci unsigned int count, sg_count; 22162306a36Sopenharmony_ci u32 flags = capsule->flags; 22262306a36Sopenharmony_ci struct page **sg_pages; 22362306a36Sopenharmony_ci int rv, reset_type; 22462306a36Sopenharmony_ci int i, j; 22562306a36Sopenharmony_ci 22662306a36Sopenharmony_ci rv = efi_capsule_supported(guid, flags, imagesize, &reset_type); 22762306a36Sopenharmony_ci if (rv) 22862306a36Sopenharmony_ci return rv; 22962306a36Sopenharmony_ci 23062306a36Sopenharmony_ci count = DIV_ROUND_UP(imagesize, PAGE_SIZE); 23162306a36Sopenharmony_ci sg_count = sg_pages_num(count); 23262306a36Sopenharmony_ci 23362306a36Sopenharmony_ci sg_pages = kcalloc(sg_count, sizeof(*sg_pages), GFP_KERNEL); 23462306a36Sopenharmony_ci if (!sg_pages) 23562306a36Sopenharmony_ci return -ENOMEM; 23662306a36Sopenharmony_ci 23762306a36Sopenharmony_ci for (i = 0; i < sg_count; i++) { 23862306a36Sopenharmony_ci sg_pages[i] = alloc_page(GFP_KERNEL); 23962306a36Sopenharmony_ci if (!sg_pages[i]) { 24062306a36Sopenharmony_ci rv = -ENOMEM; 24162306a36Sopenharmony_ci goto out; 24262306a36Sopenharmony_ci } 24362306a36Sopenharmony_ci } 24462306a36Sopenharmony_ci 24562306a36Sopenharmony_ci for (i = 0; i < sg_count; i++) { 24662306a36Sopenharmony_ci efi_capsule_block_desc_t *sglist; 24762306a36Sopenharmony_ci 24862306a36Sopenharmony_ci sglist = kmap_atomic(sg_pages[i]); 24962306a36Sopenharmony_ci 25062306a36Sopenharmony_ci for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) { 25162306a36Sopenharmony_ci u64 sz = min_t(u64, imagesize, 25262306a36Sopenharmony_ci PAGE_SIZE - (u64)*pages % PAGE_SIZE); 25362306a36Sopenharmony_ci 25462306a36Sopenharmony_ci sglist[j].length = sz; 25562306a36Sopenharmony_ci sglist[j].data = *pages++; 25662306a36Sopenharmony_ci 25762306a36Sopenharmony_ci imagesize -= sz; 25862306a36Sopenharmony_ci count--; 25962306a36Sopenharmony_ci } 26062306a36Sopenharmony_ci 26162306a36Sopenharmony_ci /* Continuation pointer */ 26262306a36Sopenharmony_ci sglist[j].length = 0; 26362306a36Sopenharmony_ci 26462306a36Sopenharmony_ci if (i + 1 == sg_count) 26562306a36Sopenharmony_ci sglist[j].data = 0; 26662306a36Sopenharmony_ci else 26762306a36Sopenharmony_ci sglist[j].data = page_to_phys(sg_pages[i + 1]); 26862306a36Sopenharmony_ci 26962306a36Sopenharmony_ci#if defined(CONFIG_ARM) || defined(CONFIG_ARM64) 27062306a36Sopenharmony_ci /* 27162306a36Sopenharmony_ci * At runtime, the firmware has no way to find out where the 27262306a36Sopenharmony_ci * sglist elements are mapped, if they are mapped in the first 27362306a36Sopenharmony_ci * place. Therefore, on architectures that can only perform 27462306a36Sopenharmony_ci * cache maintenance by virtual address, the firmware is unable 27562306a36Sopenharmony_ci * to perform this maintenance, and so it is up to the OS to do 27662306a36Sopenharmony_ci * it instead. 27762306a36Sopenharmony_ci */ 27862306a36Sopenharmony_ci efi_capsule_flush_cache_range(sglist, PAGE_SIZE); 27962306a36Sopenharmony_ci#endif 28062306a36Sopenharmony_ci kunmap_atomic(sglist); 28162306a36Sopenharmony_ci } 28262306a36Sopenharmony_ci 28362306a36Sopenharmony_ci mutex_lock(&capsule_mutex); 28462306a36Sopenharmony_ci rv = efi_capsule_update_locked(capsule, sg_pages, reset_type); 28562306a36Sopenharmony_ci mutex_unlock(&capsule_mutex); 28662306a36Sopenharmony_ci 28762306a36Sopenharmony_ciout: 28862306a36Sopenharmony_ci for (i = 0; rv && i < sg_count; i++) { 28962306a36Sopenharmony_ci if (sg_pages[i]) 29062306a36Sopenharmony_ci __free_page(sg_pages[i]); 29162306a36Sopenharmony_ci } 29262306a36Sopenharmony_ci 29362306a36Sopenharmony_ci kfree(sg_pages); 29462306a36Sopenharmony_ci return rv; 29562306a36Sopenharmony_ci} 29662306a36Sopenharmony_ciEXPORT_SYMBOL_GPL(efi_capsule_update); 29762306a36Sopenharmony_ci 29862306a36Sopenharmony_cistatic int capsule_reboot_notify(struct notifier_block *nb, unsigned long event, void *cmd) 29962306a36Sopenharmony_ci{ 30062306a36Sopenharmony_ci mutex_lock(&capsule_mutex); 30162306a36Sopenharmony_ci stop_capsules = true; 30262306a36Sopenharmony_ci mutex_unlock(&capsule_mutex); 30362306a36Sopenharmony_ci 30462306a36Sopenharmony_ci return NOTIFY_DONE; 30562306a36Sopenharmony_ci} 30662306a36Sopenharmony_ci 30762306a36Sopenharmony_cistatic struct notifier_block capsule_reboot_nb = { 30862306a36Sopenharmony_ci .notifier_call = capsule_reboot_notify, 30962306a36Sopenharmony_ci}; 31062306a36Sopenharmony_ci 31162306a36Sopenharmony_cistatic int __init capsule_reboot_register(void) 31262306a36Sopenharmony_ci{ 31362306a36Sopenharmony_ci return register_reboot_notifier(&capsule_reboot_nb); 31462306a36Sopenharmony_ci} 31562306a36Sopenharmony_cicore_initcall(capsule_reboot_register); 316