1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 *
4 * Bluetooth support for Intel devices
5 *
6 * Copyright (C) 2015 Intel Corporation
7 */
8
9 #include <linux/module.h>
10 #include <linux/firmware.h>
11 #include <linux/regmap.h>
12 #include <linux/acpi.h>
13 #include <asm/unaligned.h>
14
15 #include <net/bluetooth/bluetooth.h>
16 #include <net/bluetooth/hci_core.h>
17
18 #include "btintel.h"
19
20 #define VERSION "0.1"
21
22 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
23 #define RSA_HEADER_LEN 644
24 #define CSS_HEADER_OFFSET 8
25 #define ECDSA_OFFSET 644
26 #define ECDSA_HEADER_LEN 320
27
28 #define BTINTEL_PPAG_NAME "PPAG"
29 #define BTINTEL_PPAG_PREFIX "\\_SB_.PCI0.XHCI.RHUB"
30
31 #define CMD_WRITE_BOOT_PARAMS 0xfc0e
32 struct cmd_write_boot_params {
33 __le32 boot_addr;
34 u8 fw_build_num;
35 u8 fw_build_ww;
36 u8 fw_build_yy;
37 } __packed;
38
btintel_check_bdaddr(struct hci_dev * hdev)39 int btintel_check_bdaddr(struct hci_dev *hdev)
40 {
41 struct hci_rp_read_bd_addr *bda;
42 struct sk_buff *skb;
43
44 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
45 HCI_INIT_TIMEOUT);
46 if (IS_ERR(skb)) {
47 int err = PTR_ERR(skb);
48 bt_dev_err(hdev, "Reading Intel device address failed (%d)",
49 err);
50 return err;
51 }
52
53 if (skb->len != sizeof(*bda)) {
54 bt_dev_err(hdev, "Intel device address length mismatch");
55 kfree_skb(skb);
56 return -EIO;
57 }
58
59 bda = (struct hci_rp_read_bd_addr *)skb->data;
60
61 /* For some Intel based controllers, the default Bluetooth device
62 * address 00:03:19:9E:8B:00 can be found. These controllers are
63 * fully operational, but have the danger of duplicate addresses
64 * and that in turn can cause problems with Bluetooth operation.
65 */
66 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
67 bt_dev_err(hdev, "Found Intel default device address (%pMR)",
68 &bda->bdaddr);
69 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
70 }
71
72 kfree_skb(skb);
73
74 return 0;
75 }
76 EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
77
btintel_enter_mfg(struct hci_dev * hdev)78 int btintel_enter_mfg(struct hci_dev *hdev)
79 {
80 static const u8 param[] = { 0x01, 0x00 };
81 struct sk_buff *skb;
82
83 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
84 if (IS_ERR(skb)) {
85 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
86 PTR_ERR(skb));
87 return PTR_ERR(skb);
88 }
89 kfree_skb(skb);
90
91 return 0;
92 }
93 EXPORT_SYMBOL_GPL(btintel_enter_mfg);
94
btintel_exit_mfg(struct hci_dev * hdev,bool reset,bool patched)95 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
96 {
97 u8 param[] = { 0x00, 0x00 };
98 struct sk_buff *skb;
99
100 /* The 2nd command parameter specifies the manufacturing exit method:
101 * 0x00: Just disable the manufacturing mode (0x00).
102 * 0x01: Disable manufacturing mode and reset with patches deactivated.
103 * 0x02: Disable manufacturing mode and reset with patches activated.
104 */
105 if (reset)
106 param[1] |= patched ? 0x02 : 0x01;
107
108 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
109 if (IS_ERR(skb)) {
110 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
111 PTR_ERR(skb));
112 return PTR_ERR(skb);
113 }
114 kfree_skb(skb);
115
116 return 0;
117 }
118 EXPORT_SYMBOL_GPL(btintel_exit_mfg);
119
btintel_set_bdaddr(struct hci_dev * hdev,const bdaddr_t * bdaddr)120 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
121 {
122 struct sk_buff *skb;
123 int err;
124
125 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
126 if (IS_ERR(skb)) {
127 err = PTR_ERR(skb);
128 bt_dev_err(hdev, "Changing Intel device address failed (%d)",
129 err);
130 return err;
131 }
132 kfree_skb(skb);
133
134 return 0;
135 }
136 EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
137
btintel_set_event_mask(struct hci_dev * hdev,bool debug)138 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
139 {
140 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
141 struct sk_buff *skb;
142 int err;
143
144 if (debug)
145 mask[1] |= 0x62;
146
147 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
148 if (IS_ERR(skb)) {
149 err = PTR_ERR(skb);
150 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err);
151 return err;
152 }
153 kfree_skb(skb);
154
155 return 0;
156 }
157
btintel_set_diag(struct hci_dev * hdev,bool enable)158 int btintel_set_diag(struct hci_dev *hdev, bool enable)
159 {
160 struct sk_buff *skb;
161 u8 param[3];
162 int err;
163
164 if (enable) {
165 param[0] = 0x03;
166 param[1] = 0x03;
167 param[2] = 0x03;
168 } else {
169 param[0] = 0x00;
170 param[1] = 0x00;
171 param[2] = 0x00;
172 }
173
174 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
175 if (IS_ERR(skb)) {
176 err = PTR_ERR(skb);
177 if (err == -ENODATA)
178 goto done;
179 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)",
180 err);
181 return err;
182 }
183 kfree_skb(skb);
184
185 done:
186 btintel_set_event_mask(hdev, enable);
187 return 0;
188 }
189 EXPORT_SYMBOL_GPL(btintel_set_diag);
190
btintel_set_diag_mfg(struct hci_dev * hdev,bool enable)191 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
192 {
193 int err, ret;
194
195 err = btintel_enter_mfg(hdev);
196 if (err)
197 return err;
198
199 ret = btintel_set_diag(hdev, enable);
200
201 err = btintel_exit_mfg(hdev, false, false);
202 if (err)
203 return err;
204
205 return ret;
206 }
207
btintel_set_diag_combined(struct hci_dev * hdev,bool enable)208 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable)
209 {
210 int ret;
211
212 /* Legacy ROM device needs to be in the manufacturer mode to apply
213 * diagnostic setting
214 *
215 * This flag is set after reading the Intel version.
216 */
217 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY))
218 ret = btintel_set_diag_mfg(hdev, enable);
219 else
220 ret = btintel_set_diag(hdev, enable);
221
222 return ret;
223 }
224
btintel_hw_error(struct hci_dev * hdev,u8 code)225 static void btintel_hw_error(struct hci_dev *hdev, u8 code)
226 {
227 struct sk_buff *skb;
228 u8 type = 0x00;
229
230 bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
231
232 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
233 if (IS_ERR(skb)) {
234 bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
235 PTR_ERR(skb));
236 return;
237 }
238 kfree_skb(skb);
239
240 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
241 if (IS_ERR(skb)) {
242 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
243 PTR_ERR(skb));
244 return;
245 }
246
247 if (skb->len != 13) {
248 bt_dev_err(hdev, "Exception info size mismatch");
249 kfree_skb(skb);
250 return;
251 }
252
253 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
254
255 kfree_skb(skb);
256 }
257
btintel_version_info(struct hci_dev * hdev,struct intel_version * ver)258 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
259 {
260 const char *variant;
261
262 /* The hardware platform number has a fixed value of 0x37 and
263 * for now only accept this single value.
264 */
265 if (ver->hw_platform != 0x37) {
266 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)",
267 ver->hw_platform);
268 return -EINVAL;
269 }
270
271 /* Check for supported iBT hardware variants of this firmware
272 * loading method.
273 *
274 * This check has been put in place to ensure correct forward
275 * compatibility options when newer hardware variants come along.
276 */
277 switch (ver->hw_variant) {
278 case 0x07: /* WP - Legacy ROM */
279 case 0x08: /* StP - Legacy ROM */
280 case 0x0b: /* SfP */
281 case 0x0c: /* WsP */
282 case 0x11: /* JfP */
283 case 0x12: /* ThP */
284 case 0x13: /* HrP */
285 case 0x14: /* CcP */
286 break;
287 default:
288 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)",
289 ver->hw_variant);
290 return -EINVAL;
291 }
292
293 switch (ver->fw_variant) {
294 case 0x01:
295 variant = "Legacy ROM 2.5";
296 break;
297 case 0x06:
298 variant = "Bootloader";
299 break;
300 case 0x22:
301 variant = "Legacy ROM 2.x";
302 break;
303 case 0x23:
304 variant = "Firmware";
305 break;
306 default:
307 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant);
308 return -EINVAL;
309 }
310
311 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u",
312 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
313 ver->fw_build_num, ver->fw_build_ww,
314 2000 + ver->fw_build_yy);
315
316 return 0;
317 }
318 EXPORT_SYMBOL_GPL(btintel_version_info);
319
btintel_secure_send(struct hci_dev * hdev,u8 fragment_type,u32 plen,const void * param)320 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
321 const void *param)
322 {
323 while (plen > 0) {
324 struct sk_buff *skb;
325 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
326
327 cmd_param[0] = fragment_type;
328 memcpy(cmd_param + 1, param, fragment_len);
329
330 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
331 cmd_param, HCI_INIT_TIMEOUT);
332 if (IS_ERR(skb))
333 return PTR_ERR(skb);
334
335 kfree_skb(skb);
336
337 plen -= fragment_len;
338 param += fragment_len;
339 }
340
341 return 0;
342 }
343
btintel_load_ddc_config(struct hci_dev * hdev,const char * ddc_name)344 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
345 {
346 const struct firmware *fw;
347 struct sk_buff *skb;
348 const u8 *fw_ptr;
349 int err;
350
351 err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
352 if (err < 0) {
353 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
354 ddc_name, err);
355 return err;
356 }
357
358 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
359
360 fw_ptr = fw->data;
361
362 /* DDC file contains one or more DDC structure which has
363 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
364 */
365 while (fw->size > fw_ptr - fw->data) {
366 u8 cmd_plen = fw_ptr[0] + sizeof(u8);
367
368 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
369 HCI_INIT_TIMEOUT);
370 if (IS_ERR(skb)) {
371 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
372 PTR_ERR(skb));
373 release_firmware(fw);
374 return PTR_ERR(skb);
375 }
376
377 fw_ptr += cmd_plen;
378 kfree_skb(skb);
379 }
380
381 release_firmware(fw);
382
383 bt_dev_info(hdev, "Applying Intel DDC parameters completed");
384
385 return 0;
386 }
387 EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
388
btintel_set_event_mask_mfg(struct hci_dev * hdev,bool debug)389 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
390 {
391 int err, ret;
392
393 err = btintel_enter_mfg(hdev);
394 if (err)
395 return err;
396
397 ret = btintel_set_event_mask(hdev, debug);
398
399 err = btintel_exit_mfg(hdev, false, false);
400 if (err)
401 return err;
402
403 return ret;
404 }
405 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
406
btintel_read_version(struct hci_dev * hdev,struct intel_version * ver)407 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
408 {
409 struct sk_buff *skb;
410
411 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
412 if (IS_ERR(skb)) {
413 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
414 PTR_ERR(skb));
415 return PTR_ERR(skb);
416 }
417
418 if (skb->len != sizeof(*ver)) {
419 bt_dev_err(hdev, "Intel version event size mismatch");
420 kfree_skb(skb);
421 return -EILSEQ;
422 }
423
424 memcpy(ver, skb->data, sizeof(*ver));
425
426 kfree_skb(skb);
427
428 return 0;
429 }
430 EXPORT_SYMBOL_GPL(btintel_read_version);
431
btintel_version_info_tlv(struct hci_dev * hdev,struct intel_version_tlv * version)432 static int btintel_version_info_tlv(struct hci_dev *hdev,
433 struct intel_version_tlv *version)
434 {
435 const char *variant;
436
437 /* The hardware platform number has a fixed value of 0x37 and
438 * for now only accept this single value.
439 */
440 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) {
441 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
442 INTEL_HW_PLATFORM(version->cnvi_bt));
443 return -EINVAL;
444 }
445
446 /* Check for supported iBT hardware variants of this firmware
447 * loading method.
448 *
449 * This check has been put in place to ensure correct forward
450 * compatibility options when newer hardware variants come along.
451 */
452 switch (INTEL_HW_VARIANT(version->cnvi_bt)) {
453 case 0x17: /* TyP */
454 case 0x18: /* Slr */
455 case 0x19: /* Slr-F */
456 case 0x1b: /* Mgr */
457 break;
458 default:
459 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)",
460 INTEL_HW_VARIANT(version->cnvi_bt));
461 return -EINVAL;
462 }
463
464 switch (version->img_type) {
465 case 0x01:
466 variant = "Bootloader";
467 /* It is required that every single firmware fragment is acknowledged
468 * with a command complete event. If the boot parameters indicate
469 * that this bootloader does not send them, then abort the setup.
470 */
471 if (version->limited_cce != 0x00) {
472 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)",
473 version->limited_cce);
474 return -EINVAL;
475 }
476
477 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */
478 if (version->sbe_type > 0x01) {
479 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)",
480 version->sbe_type);
481 return -EINVAL;
482 }
483
484 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id);
485 bt_dev_info(hdev, "Secure boot is %s",
486 version->secure_boot ? "enabled" : "disabled");
487 bt_dev_info(hdev, "OTP lock is %s",
488 version->otp_lock ? "enabled" : "disabled");
489 bt_dev_info(hdev, "API lock is %s",
490 version->api_lock ? "enabled" : "disabled");
491 bt_dev_info(hdev, "Debug lock is %s",
492 version->debug_lock ? "enabled" : "disabled");
493 bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
494 version->min_fw_build_nn, version->min_fw_build_cw,
495 2000 + version->min_fw_build_yy);
496 break;
497 case 0x03:
498 variant = "Firmware";
499 break;
500 default:
501 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type);
502 return -EINVAL;
503 }
504
505 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant,
506 2000 + (version->timestamp >> 8), version->timestamp & 0xff,
507 version->build_type, version->build_num);
508
509 return 0;
510 }
511
btintel_parse_version_tlv(struct hci_dev * hdev,struct intel_version_tlv * version,struct sk_buff * skb)512 static int btintel_parse_version_tlv(struct hci_dev *hdev,
513 struct intel_version_tlv *version,
514 struct sk_buff *skb)
515 {
516 /* Consume Command Complete Status field */
517 skb_pull(skb, 1);
518
519 /* Event parameters contatin multiple TLVs. Read each of them
520 * and only keep the required data. Also, it use existing legacy
521 * version field like hw_platform, hw_variant, and fw_variant
522 * to keep the existing setup flow
523 */
524 while (skb->len) {
525 struct intel_tlv *tlv;
526
527 /* Make sure skb has a minimum length of the header */
528 if (skb->len < sizeof(*tlv))
529 return -EINVAL;
530
531 tlv = (struct intel_tlv *)skb->data;
532
533 /* Make sure skb has a enough data */
534 if (skb->len < tlv->len + sizeof(*tlv))
535 return -EINVAL;
536
537 switch (tlv->type) {
538 case INTEL_TLV_CNVI_TOP:
539 version->cnvi_top = get_unaligned_le32(tlv->val);
540 break;
541 case INTEL_TLV_CNVR_TOP:
542 version->cnvr_top = get_unaligned_le32(tlv->val);
543 break;
544 case INTEL_TLV_CNVI_BT:
545 version->cnvi_bt = get_unaligned_le32(tlv->val);
546 break;
547 case INTEL_TLV_CNVR_BT:
548 version->cnvr_bt = get_unaligned_le32(tlv->val);
549 break;
550 case INTEL_TLV_DEV_REV_ID:
551 version->dev_rev_id = get_unaligned_le16(tlv->val);
552 break;
553 case INTEL_TLV_IMAGE_TYPE:
554 version->img_type = tlv->val[0];
555 break;
556 case INTEL_TLV_TIME_STAMP:
557 /* If image type is Operational firmware (0x03), then
558 * running FW Calendar Week and Year information can
559 * be extracted from Timestamp information
560 */
561 version->min_fw_build_cw = tlv->val[0];
562 version->min_fw_build_yy = tlv->val[1];
563 version->timestamp = get_unaligned_le16(tlv->val);
564 break;
565 case INTEL_TLV_BUILD_TYPE:
566 version->build_type = tlv->val[0];
567 break;
568 case INTEL_TLV_BUILD_NUM:
569 /* If image type is Operational firmware (0x03), then
570 * running FW build number can be extracted from the
571 * Build information
572 */
573 version->min_fw_build_nn = tlv->val[0];
574 version->build_num = get_unaligned_le32(tlv->val);
575 break;
576 case INTEL_TLV_SECURE_BOOT:
577 version->secure_boot = tlv->val[0];
578 break;
579 case INTEL_TLV_OTP_LOCK:
580 version->otp_lock = tlv->val[0];
581 break;
582 case INTEL_TLV_API_LOCK:
583 version->api_lock = tlv->val[0];
584 break;
585 case INTEL_TLV_DEBUG_LOCK:
586 version->debug_lock = tlv->val[0];
587 break;
588 case INTEL_TLV_MIN_FW:
589 version->min_fw_build_nn = tlv->val[0];
590 version->min_fw_build_cw = tlv->val[1];
591 version->min_fw_build_yy = tlv->val[2];
592 break;
593 case INTEL_TLV_LIMITED_CCE:
594 version->limited_cce = tlv->val[0];
595 break;
596 case INTEL_TLV_SBE_TYPE:
597 version->sbe_type = tlv->val[0];
598 break;
599 case INTEL_TLV_OTP_BDADDR:
600 memcpy(&version->otp_bd_addr, tlv->val,
601 sizeof(bdaddr_t));
602 break;
603 default:
604 /* Ignore rest of information */
605 break;
606 }
607 /* consume the current tlv and move to next*/
608 skb_pull(skb, tlv->len + sizeof(*tlv));
609 }
610
611 return 0;
612 }
613
btintel_read_version_tlv(struct hci_dev * hdev,struct intel_version_tlv * version)614 static int btintel_read_version_tlv(struct hci_dev *hdev,
615 struct intel_version_tlv *version)
616 {
617 struct sk_buff *skb;
618 const u8 param[1] = { 0xFF };
619
620 if (!version)
621 return -EINVAL;
622
623 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
624 if (IS_ERR(skb)) {
625 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
626 PTR_ERR(skb));
627 return PTR_ERR(skb);
628 }
629
630 if (skb->data[0]) {
631 bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
632 skb->data[0]);
633 kfree_skb(skb);
634 return -EIO;
635 }
636
637 btintel_parse_version_tlv(hdev, version, skb);
638
639 kfree_skb(skb);
640 return 0;
641 }
642
643 /* ------- REGMAP IBT SUPPORT ------- */
644
645 #define IBT_REG_MODE_8BIT 0x00
646 #define IBT_REG_MODE_16BIT 0x01
647 #define IBT_REG_MODE_32BIT 0x02
648
649 struct regmap_ibt_context {
650 struct hci_dev *hdev;
651 __u16 op_write;
652 __u16 op_read;
653 };
654
655 struct ibt_cp_reg_access {
656 __le32 addr;
657 __u8 mode;
658 __u8 len;
659 __u8 data[];
660 } __packed;
661
662 struct ibt_rp_reg_access {
663 __u8 status;
664 __le32 addr;
665 __u8 data[];
666 } __packed;
667
regmap_ibt_read(void * context,const void * addr,size_t reg_size,void * val,size_t val_size)668 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
669 void *val, size_t val_size)
670 {
671 struct regmap_ibt_context *ctx = context;
672 struct ibt_cp_reg_access cp;
673 struct ibt_rp_reg_access *rp;
674 struct sk_buff *skb;
675 int err = 0;
676
677 if (reg_size != sizeof(__le32))
678 return -EINVAL;
679
680 switch (val_size) {
681 case 1:
682 cp.mode = IBT_REG_MODE_8BIT;
683 break;
684 case 2:
685 cp.mode = IBT_REG_MODE_16BIT;
686 break;
687 case 4:
688 cp.mode = IBT_REG_MODE_32BIT;
689 break;
690 default:
691 return -EINVAL;
692 }
693
694 /* regmap provides a little-endian formatted addr */
695 cp.addr = *(__le32 *)addr;
696 cp.len = val_size;
697
698 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
699
700 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
701 HCI_CMD_TIMEOUT);
702 if (IS_ERR(skb)) {
703 err = PTR_ERR(skb);
704 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
705 le32_to_cpu(cp.addr), err);
706 return err;
707 }
708
709 if (skb->len != sizeof(*rp) + val_size) {
710 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
711 le32_to_cpu(cp.addr));
712 err = -EINVAL;
713 goto done;
714 }
715
716 rp = (struct ibt_rp_reg_access *)skb->data;
717
718 if (rp->addr != cp.addr) {
719 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
720 le32_to_cpu(rp->addr));
721 err = -EINVAL;
722 goto done;
723 }
724
725 memcpy(val, rp->data, val_size);
726
727 done:
728 kfree_skb(skb);
729 return err;
730 }
731
regmap_ibt_gather_write(void * context,const void * addr,size_t reg_size,const void * val,size_t val_size)732 static int regmap_ibt_gather_write(void *context,
733 const void *addr, size_t reg_size,
734 const void *val, size_t val_size)
735 {
736 struct regmap_ibt_context *ctx = context;
737 struct ibt_cp_reg_access *cp;
738 struct sk_buff *skb;
739 int plen = sizeof(*cp) + val_size;
740 u8 mode;
741 int err = 0;
742
743 if (reg_size != sizeof(__le32))
744 return -EINVAL;
745
746 switch (val_size) {
747 case 1:
748 mode = IBT_REG_MODE_8BIT;
749 break;
750 case 2:
751 mode = IBT_REG_MODE_16BIT;
752 break;
753 case 4:
754 mode = IBT_REG_MODE_32BIT;
755 break;
756 default:
757 return -EINVAL;
758 }
759
760 cp = kmalloc(plen, GFP_KERNEL);
761 if (!cp)
762 return -ENOMEM;
763
764 /* regmap provides a little-endian formatted addr/value */
765 cp->addr = *(__le32 *)addr;
766 cp->mode = mode;
767 cp->len = val_size;
768 memcpy(&cp->data, val, val_size);
769
770 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
771
772 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
773 if (IS_ERR(skb)) {
774 err = PTR_ERR(skb);
775 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
776 le32_to_cpu(cp->addr), err);
777 goto done;
778 }
779 kfree_skb(skb);
780
781 done:
782 kfree(cp);
783 return err;
784 }
785
regmap_ibt_write(void * context,const void * data,size_t count)786 static int regmap_ibt_write(void *context, const void *data, size_t count)
787 {
788 /* data contains register+value, since we only support 32bit addr,
789 * minimum data size is 4 bytes.
790 */
791 if (WARN_ONCE(count < 4, "Invalid register access"))
792 return -EINVAL;
793
794 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
795 }
796
regmap_ibt_free_context(void * context)797 static void regmap_ibt_free_context(void *context)
798 {
799 kfree(context);
800 }
801
802 static const struct regmap_bus regmap_ibt = {
803 .read = regmap_ibt_read,
804 .write = regmap_ibt_write,
805 .gather_write = regmap_ibt_gather_write,
806 .free_context = regmap_ibt_free_context,
807 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
808 .val_format_endian_default = REGMAP_ENDIAN_LITTLE,
809 };
810
811 /* Config is the same for all register regions */
812 static const struct regmap_config regmap_ibt_cfg = {
813 .name = "btintel_regmap",
814 .reg_bits = 32,
815 .val_bits = 32,
816 };
817
btintel_regmap_init(struct hci_dev * hdev,u16 opcode_read,u16 opcode_write)818 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
819 u16 opcode_write)
820 {
821 struct regmap_ibt_context *ctx;
822
823 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
824 opcode_write);
825
826 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
827 if (!ctx)
828 return ERR_PTR(-ENOMEM);
829
830 ctx->op_read = opcode_read;
831 ctx->op_write = opcode_write;
832 ctx->hdev = hdev;
833
834 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg);
835 }
836 EXPORT_SYMBOL_GPL(btintel_regmap_init);
837
btintel_send_intel_reset(struct hci_dev * hdev,u32 boot_param)838 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
839 {
840 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 };
841 struct sk_buff *skb;
842
843 params.boot_param = cpu_to_le32(boot_param);
844
845 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms,
846 HCI_INIT_TIMEOUT);
847 if (IS_ERR(skb)) {
848 bt_dev_err(hdev, "Failed to send Intel Reset command");
849 return PTR_ERR(skb);
850 }
851
852 kfree_skb(skb);
853
854 return 0;
855 }
856 EXPORT_SYMBOL_GPL(btintel_send_intel_reset);
857
btintel_read_boot_params(struct hci_dev * hdev,struct intel_boot_params * params)858 int btintel_read_boot_params(struct hci_dev *hdev,
859 struct intel_boot_params *params)
860 {
861 struct sk_buff *skb;
862
863 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
864 if (IS_ERR(skb)) {
865 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)",
866 PTR_ERR(skb));
867 return PTR_ERR(skb);
868 }
869
870 if (skb->len != sizeof(*params)) {
871 bt_dev_err(hdev, "Intel boot parameters size mismatch");
872 kfree_skb(skb);
873 return -EILSEQ;
874 }
875
876 memcpy(params, skb->data, sizeof(*params));
877
878 kfree_skb(skb);
879
880 if (params->status) {
881 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)",
882 params->status);
883 return -bt_to_errno(params->status);
884 }
885
886 bt_dev_info(hdev, "Device revision is %u",
887 le16_to_cpu(params->dev_revid));
888
889 bt_dev_info(hdev, "Secure boot is %s",
890 params->secure_boot ? "enabled" : "disabled");
891
892 bt_dev_info(hdev, "OTP lock is %s",
893 params->otp_lock ? "enabled" : "disabled");
894
895 bt_dev_info(hdev, "API lock is %s",
896 params->api_lock ? "enabled" : "disabled");
897
898 bt_dev_info(hdev, "Debug lock is %s",
899 params->debug_lock ? "enabled" : "disabled");
900
901 bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
902 params->min_fw_build_nn, params->min_fw_build_cw,
903 2000 + params->min_fw_build_yy);
904
905 return 0;
906 }
907 EXPORT_SYMBOL_GPL(btintel_read_boot_params);
908
btintel_sfi_rsa_header_secure_send(struct hci_dev * hdev,const struct firmware * fw)909 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev,
910 const struct firmware *fw)
911 {
912 int err;
913
914 /* Start the firmware download transaction with the Init fragment
915 * represented by the 128 bytes of CSS header.
916 */
917 err = btintel_secure_send(hdev, 0x00, 128, fw->data);
918 if (err < 0) {
919 bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
920 goto done;
921 }
922
923 /* Send the 256 bytes of public key information from the firmware
924 * as the PKey fragment.
925 */
926 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
927 if (err < 0) {
928 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
929 goto done;
930 }
931
932 /* Send the 256 bytes of signature information from the firmware
933 * as the Sign fragment.
934 */
935 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
936 if (err < 0) {
937 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err);
938 goto done;
939 }
940
941 done:
942 return err;
943 }
944
btintel_sfi_ecdsa_header_secure_send(struct hci_dev * hdev,const struct firmware * fw)945 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev,
946 const struct firmware *fw)
947 {
948 int err;
949
950 /* Start the firmware download transaction with the Init fragment
951 * represented by the 128 bytes of CSS header.
952 */
953 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644);
954 if (err < 0) {
955 bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
956 return err;
957 }
958
959 /* Send the 96 bytes of public key information from the firmware
960 * as the PKey fragment.
961 */
962 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128);
963 if (err < 0) {
964 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
965 return err;
966 }
967
968 /* Send the 96 bytes of signature information from the firmware
969 * as the Sign fragment
970 */
971 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224);
972 if (err < 0) {
973 bt_dev_err(hdev, "Failed to send firmware signature (%d)",
974 err);
975 return err;
976 }
977 return 0;
978 }
979
btintel_download_firmware_payload(struct hci_dev * hdev,const struct firmware * fw,size_t offset)980 static int btintel_download_firmware_payload(struct hci_dev *hdev,
981 const struct firmware *fw,
982 size_t offset)
983 {
984 int err;
985 const u8 *fw_ptr;
986 u32 frag_len;
987
988 fw_ptr = fw->data + offset;
989 frag_len = 0;
990 err = -EINVAL;
991
992 while (fw_ptr - fw->data < fw->size) {
993 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
994
995 frag_len += sizeof(*cmd) + cmd->plen;
996
997 /* The parameter length of the secure send command requires
998 * a 4 byte alignment. It happens so that the firmware file
999 * contains proper Intel_NOP commands to align the fragments
1000 * as needed.
1001 *
1002 * Send set of commands with 4 byte alignment from the
1003 * firmware data buffer as a single Data fragement.
1004 */
1005 if (!(frag_len % 4)) {
1006 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
1007 if (err < 0) {
1008 bt_dev_err(hdev,
1009 "Failed to send firmware data (%d)",
1010 err);
1011 goto done;
1012 }
1013
1014 fw_ptr += frag_len;
1015 frag_len = 0;
1016 }
1017 }
1018
1019 done:
1020 return err;
1021 }
1022
btintel_firmware_version(struct hci_dev * hdev,u8 num,u8 ww,u8 yy,const struct firmware * fw,u32 * boot_addr)1023 static bool btintel_firmware_version(struct hci_dev *hdev,
1024 u8 num, u8 ww, u8 yy,
1025 const struct firmware *fw,
1026 u32 *boot_addr)
1027 {
1028 const u8 *fw_ptr;
1029
1030 fw_ptr = fw->data;
1031
1032 while (fw_ptr - fw->data < fw->size) {
1033 struct hci_command_hdr *cmd = (void *)(fw_ptr);
1034
1035 /* Each SKU has a different reset parameter to use in the
1036 * HCI_Intel_Reset command and it is embedded in the firmware
1037 * data. So, instead of using static value per SKU, check
1038 * the firmware data and save it for later use.
1039 */
1040 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) {
1041 struct cmd_write_boot_params *params;
1042
1043 params = (void *)(fw_ptr + sizeof(*cmd));
1044
1045 *boot_addr = le32_to_cpu(params->boot_addr);
1046
1047 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr);
1048
1049 bt_dev_info(hdev, "Firmware Version: %u-%u.%u",
1050 params->fw_build_num, params->fw_build_ww,
1051 params->fw_build_yy);
1052
1053 return (num == params->fw_build_num &&
1054 ww == params->fw_build_ww &&
1055 yy == params->fw_build_yy);
1056 }
1057
1058 fw_ptr += sizeof(*cmd) + cmd->plen;
1059 }
1060
1061 return false;
1062 }
1063
btintel_download_firmware(struct hci_dev * hdev,struct intel_version * ver,const struct firmware * fw,u32 * boot_param)1064 int btintel_download_firmware(struct hci_dev *hdev,
1065 struct intel_version *ver,
1066 const struct firmware *fw,
1067 u32 *boot_param)
1068 {
1069 int err;
1070
1071 /* SfP and WsP don't seem to update the firmware version on file
1072 * so version checking is currently not possible.
1073 */
1074 switch (ver->hw_variant) {
1075 case 0x0b: /* SfP */
1076 case 0x0c: /* WsP */
1077 /* Skip version checking */
1078 break;
1079 default:
1080
1081 /* Skip download if firmware has the same version */
1082 if (btintel_firmware_version(hdev, ver->fw_build_num,
1083 ver->fw_build_ww, ver->fw_build_yy,
1084 fw, boot_param)) {
1085 bt_dev_info(hdev, "Firmware already loaded");
1086 /* Return -EALREADY to indicate that the firmware has
1087 * already been loaded.
1088 */
1089 return -EALREADY;
1090 }
1091 }
1092
1093 /* The firmware variant determines if the device is in bootloader
1094 * mode or is running operational firmware. The value 0x06 identifies
1095 * the bootloader and the value 0x23 identifies the operational
1096 * firmware.
1097 *
1098 * If the firmware version has changed that means it needs to be reset
1099 * to bootloader when operational so the new firmware can be loaded.
1100 */
1101 if (ver->fw_variant == 0x23)
1102 return -EINVAL;
1103
1104 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1105 if (err)
1106 return err;
1107
1108 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1109 }
1110 EXPORT_SYMBOL_GPL(btintel_download_firmware);
1111
btintel_download_fw_tlv(struct hci_dev * hdev,struct intel_version_tlv * ver,const struct firmware * fw,u32 * boot_param,u8 hw_variant,u8 sbe_type)1112 static int btintel_download_fw_tlv(struct hci_dev *hdev,
1113 struct intel_version_tlv *ver,
1114 const struct firmware *fw, u32 *boot_param,
1115 u8 hw_variant, u8 sbe_type)
1116 {
1117 int err;
1118 u32 css_header_ver;
1119
1120 /* Skip download if firmware has the same version */
1121 if (btintel_firmware_version(hdev, ver->min_fw_build_nn,
1122 ver->min_fw_build_cw,
1123 ver->min_fw_build_yy,
1124 fw, boot_param)) {
1125 bt_dev_info(hdev, "Firmware already loaded");
1126 /* Return -EALREADY to indicate that firmware has
1127 * already been loaded.
1128 */
1129 return -EALREADY;
1130 }
1131
1132 /* The firmware variant determines if the device is in bootloader
1133 * mode or is running operational firmware. The value 0x01 identifies
1134 * the bootloader and the value 0x03 identifies the operational
1135 * firmware.
1136 *
1137 * If the firmware version has changed that means it needs to be reset
1138 * to bootloader when operational so the new firmware can be loaded.
1139 */
1140 if (ver->img_type == 0x03)
1141 return -EINVAL;
1142
1143 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support
1144 * only RSA secure boot engine. Hence, the corresponding sfi file will
1145 * have RSA header of 644 bytes followed by Command Buffer.
1146 *
1147 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA
1148 * secure boot engine. As a result, the corresponding sfi file will
1149 * have RSA header of 644, ECDSA header of 320 bytes followed by
1150 * Command Buffer.
1151 *
1152 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header
1153 * version: RSA(0x00010000) , ECDSA (0x00020000)
1154 */
1155 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET);
1156 if (css_header_ver != 0x00010000) {
1157 bt_dev_err(hdev, "Invalid CSS Header version");
1158 return -EINVAL;
1159 }
1160
1161 if (hw_variant <= 0x14) {
1162 if (sbe_type != 0x00) {
1163 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)",
1164 hw_variant);
1165 return -EINVAL;
1166 }
1167
1168 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1169 if (err)
1170 return err;
1171
1172 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1173 if (err)
1174 return err;
1175 } else if (hw_variant >= 0x17) {
1176 /* Check if CSS header for ECDSA follows the RSA header */
1177 if (fw->data[ECDSA_OFFSET] != 0x06)
1178 return -EINVAL;
1179
1180 /* Check if the CSS Header version is ECDSA(0x00020000) */
1181 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET);
1182 if (css_header_ver != 0x00020000) {
1183 bt_dev_err(hdev, "Invalid CSS Header version");
1184 return -EINVAL;
1185 }
1186
1187 if (sbe_type == 0x00) {
1188 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1189 if (err)
1190 return err;
1191
1192 err = btintel_download_firmware_payload(hdev, fw,
1193 RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1194 if (err)
1195 return err;
1196 } else if (sbe_type == 0x01) {
1197 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw);
1198 if (err)
1199 return err;
1200
1201 err = btintel_download_firmware_payload(hdev, fw,
1202 RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1203 if (err)
1204 return err;
1205 }
1206 }
1207 return 0;
1208 }
1209
btintel_reset_to_bootloader(struct hci_dev * hdev)1210 static void btintel_reset_to_bootloader(struct hci_dev *hdev)
1211 {
1212 struct intel_reset params;
1213 struct sk_buff *skb;
1214
1215 /* Send Intel Reset command. This will result in
1216 * re-enumeration of BT controller.
1217 *
1218 * Intel Reset parameter description:
1219 * reset_type : 0x00 (Soft reset),
1220 * 0x01 (Hard reset)
1221 * patch_enable : 0x00 (Do not enable),
1222 * 0x01 (Enable)
1223 * ddc_reload : 0x00 (Do not reload),
1224 * 0x01 (Reload)
1225 * boot_option: 0x00 (Current image),
1226 * 0x01 (Specified boot address)
1227 * boot_param: Boot address
1228 *
1229 */
1230 params.reset_type = 0x01;
1231 params.patch_enable = 0x01;
1232 params.ddc_reload = 0x01;
1233 params.boot_option = 0x00;
1234 params.boot_param = cpu_to_le32(0x00000000);
1235
1236 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params),
1237 ¶ms, HCI_INIT_TIMEOUT);
1238 if (IS_ERR(skb)) {
1239 bt_dev_err(hdev, "FW download error recovery failed (%ld)",
1240 PTR_ERR(skb));
1241 return;
1242 }
1243 bt_dev_info(hdev, "Intel reset sent to retry FW download");
1244 kfree_skb(skb);
1245
1246 /* Current Intel BT controllers(ThP/JfP) hold the USB reset
1247 * lines for 2ms when it receives Intel Reset in bootloader mode.
1248 * Whereas, the upcoming Intel BT controllers will hold USB reset
1249 * for 150ms. To keep the delay generic, 150ms is chosen here.
1250 */
1251 msleep(150);
1252 }
1253
btintel_read_debug_features(struct hci_dev * hdev,struct intel_debug_features * features)1254 static int btintel_read_debug_features(struct hci_dev *hdev,
1255 struct intel_debug_features *features)
1256 {
1257 struct sk_buff *skb;
1258 u8 page_no = 1;
1259
1260 /* Intel controller supports two pages, each page is of 128-bit
1261 * feature bit mask. And each bit defines specific feature support
1262 */
1263 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no,
1264 HCI_INIT_TIMEOUT);
1265 if (IS_ERR(skb)) {
1266 bt_dev_err(hdev, "Reading supported features failed (%ld)",
1267 PTR_ERR(skb));
1268 return PTR_ERR(skb);
1269 }
1270
1271 if (skb->len != (sizeof(features->page1) + 3)) {
1272 bt_dev_err(hdev, "Supported features event size mismatch");
1273 kfree_skb(skb);
1274 return -EILSEQ;
1275 }
1276
1277 memcpy(features->page1, skb->data + 3, sizeof(features->page1));
1278
1279 /* Read the supported features page2 if required in future.
1280 */
1281 kfree_skb(skb);
1282 return 0;
1283 }
1284
btintel_ppag_callback(acpi_handle handle,u32 lvl,void * data,void ** ret)1285 static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data,
1286 void **ret)
1287 {
1288 acpi_status status;
1289 size_t len;
1290 struct btintel_ppag *ppag = data;
1291 union acpi_object *p, *elements;
1292 struct acpi_buffer string = {ACPI_ALLOCATE_BUFFER, NULL};
1293 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL};
1294 struct hci_dev *hdev = ppag->hdev;
1295
1296 status = acpi_get_name(handle, ACPI_FULL_PATHNAME, &string);
1297 if (ACPI_FAILURE(status)) {
1298 bt_dev_warn(hdev, "ACPI Failure: %s", acpi_format_exception(status));
1299 return status;
1300 }
1301
1302 if (strncmp(BTINTEL_PPAG_PREFIX, string.pointer,
1303 strlen(BTINTEL_PPAG_PREFIX))) {
1304 kfree(string.pointer);
1305 return AE_OK;
1306 }
1307
1308 len = strlen(string.pointer);
1309 if (strncmp((char *)string.pointer + len - 4, BTINTEL_PPAG_NAME, 4)) {
1310 kfree(string.pointer);
1311 return AE_OK;
1312 }
1313 kfree(string.pointer);
1314
1315 status = acpi_evaluate_object(handle, NULL, NULL, &buffer);
1316 if (ACPI_FAILURE(status)) {
1317 bt_dev_warn(hdev, "ACPI Failure: %s", acpi_format_exception(status));
1318 return status;
1319 }
1320
1321 p = buffer.pointer;
1322 ppag = (struct btintel_ppag *)data;
1323
1324 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
1325 kfree(buffer.pointer);
1326 bt_dev_warn(hdev, "Invalid object type: %d or package count: %d",
1327 p->type, p->package.count);
1328 return AE_ERROR;
1329 }
1330
1331 elements = p->package.elements;
1332
1333 /* PPAG table is located at element[1] */
1334 p = &elements[1];
1335
1336 ppag->domain = (u32)p->package.elements[0].integer.value;
1337 ppag->mode = (u32)p->package.elements[1].integer.value;
1338 kfree(buffer.pointer);
1339 return AE_CTRL_TERMINATE;
1340 }
1341
btintel_set_debug_features(struct hci_dev * hdev,const struct intel_debug_features * features)1342 static int btintel_set_debug_features(struct hci_dev *hdev,
1343 const struct intel_debug_features *features)
1344 {
1345 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00,
1346 0x00, 0x00, 0x00 };
1347 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 };
1348 u8 trace_enable = 0x02;
1349 struct sk_buff *skb;
1350
1351 if (!features) {
1352 bt_dev_warn(hdev, "Debug features not read");
1353 return -EINVAL;
1354 }
1355
1356 if (!(features->page1[0] & 0x3f)) {
1357 bt_dev_info(hdev, "Telemetry exception format not supported");
1358 return 0;
1359 }
1360
1361 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1362 if (IS_ERR(skb)) {
1363 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1364 PTR_ERR(skb));
1365 return PTR_ERR(skb);
1366 }
1367 kfree_skb(skb);
1368
1369 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT);
1370 if (IS_ERR(skb)) {
1371 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)",
1372 PTR_ERR(skb));
1373 return PTR_ERR(skb);
1374 }
1375 kfree_skb(skb);
1376
1377 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1378 if (IS_ERR(skb)) {
1379 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)",
1380 PTR_ERR(skb));
1381 return PTR_ERR(skb);
1382 }
1383 kfree_skb(skb);
1384
1385 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x",
1386 trace_enable, mask[3]);
1387
1388 return 0;
1389 }
1390
btintel_reset_debug_features(struct hci_dev * hdev,const struct intel_debug_features * features)1391 static int btintel_reset_debug_features(struct hci_dev *hdev,
1392 const struct intel_debug_features *features)
1393 {
1394 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
1395 0x00, 0x00, 0x00 };
1396 u8 trace_enable = 0x00;
1397 struct sk_buff *skb;
1398
1399 if (!features) {
1400 bt_dev_warn(hdev, "Debug features not read");
1401 return -EINVAL;
1402 }
1403
1404 if (!(features->page1[0] & 0x3f)) {
1405 bt_dev_info(hdev, "Telemetry exception format not supported");
1406 return 0;
1407 }
1408
1409 /* Should stop the trace before writing ddc event mask. */
1410 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1411 if (IS_ERR(skb)) {
1412 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)",
1413 PTR_ERR(skb));
1414 return PTR_ERR(skb);
1415 }
1416 kfree_skb(skb);
1417
1418 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1419 if (IS_ERR(skb)) {
1420 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1421 PTR_ERR(skb));
1422 return PTR_ERR(skb);
1423 }
1424 kfree_skb(skb);
1425
1426 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x",
1427 trace_enable, mask[3]);
1428
1429 return 0;
1430 }
1431
btintel_set_quality_report(struct hci_dev * hdev,bool enable)1432 int btintel_set_quality_report(struct hci_dev *hdev, bool enable)
1433 {
1434 struct intel_debug_features features;
1435 int err;
1436
1437 bt_dev_dbg(hdev, "enable %d", enable);
1438
1439 /* Read the Intel supported features and if new exception formats
1440 * supported, need to load the additional DDC config to enable.
1441 */
1442 err = btintel_read_debug_features(hdev, &features);
1443 if (err)
1444 return err;
1445
1446 /* Set or reset the debug features. */
1447 if (enable)
1448 err = btintel_set_debug_features(hdev, &features);
1449 else
1450 err = btintel_reset_debug_features(hdev, &features);
1451
1452 return err;
1453 }
1454 EXPORT_SYMBOL_GPL(btintel_set_quality_report);
1455
btintel_legacy_rom_get_fw(struct hci_dev * hdev,struct intel_version * ver)1456 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev,
1457 struct intel_version *ver)
1458 {
1459 const struct firmware *fw;
1460 char fwname[64];
1461 int ret;
1462
1463 snprintf(fwname, sizeof(fwname),
1464 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1465 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1466 ver->fw_variant, ver->fw_revision, ver->fw_build_num,
1467 ver->fw_build_ww, ver->fw_build_yy);
1468
1469 ret = request_firmware(&fw, fwname, &hdev->dev);
1470 if (ret < 0) {
1471 if (ret == -EINVAL) {
1472 bt_dev_err(hdev, "Intel firmware file request failed (%d)",
1473 ret);
1474 return NULL;
1475 }
1476
1477 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)",
1478 fwname, ret);
1479
1480 /* If the correct firmware patch file is not found, use the
1481 * default firmware patch file instead
1482 */
1483 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1484 ver->hw_platform, ver->hw_variant);
1485 if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1486 bt_dev_err(hdev, "failed to open default fw file: %s",
1487 fwname);
1488 return NULL;
1489 }
1490 }
1491
1492 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname);
1493
1494 return fw;
1495 }
1496
btintel_legacy_rom_patching(struct hci_dev * hdev,const struct firmware * fw,const u8 ** fw_ptr,int * disable_patch)1497 static int btintel_legacy_rom_patching(struct hci_dev *hdev,
1498 const struct firmware *fw,
1499 const u8 **fw_ptr, int *disable_patch)
1500 {
1501 struct sk_buff *skb;
1502 struct hci_command_hdr *cmd;
1503 const u8 *cmd_param;
1504 struct hci_event_hdr *evt = NULL;
1505 const u8 *evt_param = NULL;
1506 int remain = fw->size - (*fw_ptr - fw->data);
1507
1508 /* The first byte indicates the types of the patch command or event.
1509 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1510 * in the current firmware buffer doesn't start with 0x01 or
1511 * the size of remain buffer is smaller than HCI command header,
1512 * the firmware file is corrupted and it should stop the patching
1513 * process.
1514 */
1515 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1516 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read");
1517 return -EINVAL;
1518 }
1519 (*fw_ptr)++;
1520 remain--;
1521
1522 cmd = (struct hci_command_hdr *)(*fw_ptr);
1523 *fw_ptr += sizeof(*cmd);
1524 remain -= sizeof(*cmd);
1525
1526 /* Ensure that the remain firmware data is long enough than the length
1527 * of command parameter. If not, the firmware file is corrupted.
1528 */
1529 if (remain < cmd->plen) {
1530 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len");
1531 return -EFAULT;
1532 }
1533
1534 /* If there is a command that loads a patch in the firmware
1535 * file, then enable the patch upon success, otherwise just
1536 * disable the manufacturer mode, for example patch activation
1537 * is not required when the default firmware patch file is used
1538 * because there are no patch data to load.
1539 */
1540 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1541 *disable_patch = 0;
1542
1543 cmd_param = *fw_ptr;
1544 *fw_ptr += cmd->plen;
1545 remain -= cmd->plen;
1546
1547 /* This reads the expected events when the above command is sent to the
1548 * device. Some vendor commands expects more than one events, for
1549 * example command status event followed by vendor specific event.
1550 * For this case, it only keeps the last expected event. so the command
1551 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1552 * last expected event.
1553 */
1554 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1555 (*fw_ptr)++;
1556 remain--;
1557
1558 evt = (struct hci_event_hdr *)(*fw_ptr);
1559 *fw_ptr += sizeof(*evt);
1560 remain -= sizeof(*evt);
1561
1562 if (remain < evt->plen) {
1563 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len");
1564 return -EFAULT;
1565 }
1566
1567 evt_param = *fw_ptr;
1568 *fw_ptr += evt->plen;
1569 remain -= evt->plen;
1570 }
1571
1572 /* Every HCI commands in the firmware file has its correspond event.
1573 * If event is not found or remain is smaller than zero, the firmware
1574 * file is corrupted.
1575 */
1576 if (!evt || !evt_param || remain < 0) {
1577 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read");
1578 return -EFAULT;
1579 }
1580
1581 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1582 cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1583 if (IS_ERR(skb)) {
1584 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)",
1585 cmd->opcode, PTR_ERR(skb));
1586 return PTR_ERR(skb);
1587 }
1588
1589 /* It ensures that the returned event matches the event data read from
1590 * the firmware file. At fist, it checks the length and then
1591 * the contents of the event.
1592 */
1593 if (skb->len != evt->plen) {
1594 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)",
1595 le16_to_cpu(cmd->opcode));
1596 kfree_skb(skb);
1597 return -EFAULT;
1598 }
1599
1600 if (memcmp(skb->data, evt_param, evt->plen)) {
1601 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)",
1602 le16_to_cpu(cmd->opcode));
1603 kfree_skb(skb);
1604 return -EFAULT;
1605 }
1606 kfree_skb(skb);
1607
1608 return 0;
1609 }
1610
btintel_legacy_rom_setup(struct hci_dev * hdev,struct intel_version * ver)1611 static int btintel_legacy_rom_setup(struct hci_dev *hdev,
1612 struct intel_version *ver)
1613 {
1614 const struct firmware *fw;
1615 const u8 *fw_ptr;
1616 int disable_patch, err;
1617 struct intel_version new_ver;
1618
1619 BT_DBG("%s", hdev->name);
1620
1621 /* fw_patch_num indicates the version of patch the device currently
1622 * have. If there is no patch data in the device, it is always 0x00.
1623 * So, if it is other than 0x00, no need to patch the device again.
1624 */
1625 if (ver->fw_patch_num) {
1626 bt_dev_info(hdev,
1627 "Intel device is already patched. patch num: %02x",
1628 ver->fw_patch_num);
1629 goto complete;
1630 }
1631
1632 /* Opens the firmware patch file based on the firmware version read
1633 * from the controller. If it fails to open the matching firmware
1634 * patch file, it tries to open the default firmware patch file.
1635 * If no patch file is found, allow the device to operate without
1636 * a patch.
1637 */
1638 fw = btintel_legacy_rom_get_fw(hdev, ver);
1639 if (!fw)
1640 goto complete;
1641 fw_ptr = fw->data;
1642
1643 /* Enable the manufacturer mode of the controller.
1644 * Only while this mode is enabled, the driver can download the
1645 * firmware patch data and configuration parameters.
1646 */
1647 err = btintel_enter_mfg(hdev);
1648 if (err) {
1649 release_firmware(fw);
1650 return err;
1651 }
1652
1653 disable_patch = 1;
1654
1655 /* The firmware data file consists of list of Intel specific HCI
1656 * commands and its expected events. The first byte indicates the
1657 * type of the message, either HCI command or HCI event.
1658 *
1659 * It reads the command and its expected event from the firmware file,
1660 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1661 * the returned event is compared with the event read from the firmware
1662 * file and it will continue until all the messages are downloaded to
1663 * the controller.
1664 *
1665 * Once the firmware patching is completed successfully,
1666 * the manufacturer mode is disabled with reset and activating the
1667 * downloaded patch.
1668 *
1669 * If the firmware patching fails, the manufacturer mode is
1670 * disabled with reset and deactivating the patch.
1671 *
1672 * If the default patch file is used, no reset is done when disabling
1673 * the manufacturer.
1674 */
1675 while (fw->size > fw_ptr - fw->data) {
1676 int ret;
1677
1678 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr,
1679 &disable_patch);
1680 if (ret < 0)
1681 goto exit_mfg_deactivate;
1682 }
1683
1684 release_firmware(fw);
1685
1686 if (disable_patch)
1687 goto exit_mfg_disable;
1688
1689 /* Patching completed successfully and disable the manufacturer mode
1690 * with reset and activate the downloaded firmware patches.
1691 */
1692 err = btintel_exit_mfg(hdev, true, true);
1693 if (err)
1694 return err;
1695
1696 /* Need build number for downloaded fw patches in
1697 * every power-on boot
1698 */
1699 err = btintel_read_version(hdev, &new_ver);
1700 if (err)
1701 return err;
1702
1703 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated",
1704 new_ver.fw_patch_num);
1705
1706 goto complete;
1707
1708 exit_mfg_disable:
1709 /* Disable the manufacturer mode without reset */
1710 err = btintel_exit_mfg(hdev, false, false);
1711 if (err)
1712 return err;
1713
1714 bt_dev_info(hdev, "Intel firmware patch completed");
1715
1716 goto complete;
1717
1718 exit_mfg_deactivate:
1719 release_firmware(fw);
1720
1721 /* Patching failed. Disable the manufacturer mode with reset and
1722 * deactivate the downloaded firmware patches.
1723 */
1724 err = btintel_exit_mfg(hdev, true, false);
1725 if (err)
1726 return err;
1727
1728 bt_dev_info(hdev, "Intel firmware patch completed and deactivated");
1729
1730 complete:
1731 /* Set the event mask for Intel specific vendor events. This enables
1732 * a few extra events that are useful during general operation.
1733 */
1734 btintel_set_event_mask_mfg(hdev, false);
1735
1736 btintel_check_bdaddr(hdev);
1737
1738 return 0;
1739 }
1740
btintel_download_wait(struct hci_dev * hdev,ktime_t calltime,int msec)1741 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1742 {
1743 ktime_t delta, rettime;
1744 unsigned long long duration;
1745 int err;
1746
1747 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1748
1749 bt_dev_info(hdev, "Waiting for firmware download to complete");
1750
1751 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING,
1752 TASK_INTERRUPTIBLE,
1753 msecs_to_jiffies(msec));
1754 if (err == -EINTR) {
1755 bt_dev_err(hdev, "Firmware loading interrupted");
1756 return err;
1757 }
1758
1759 if (err) {
1760 bt_dev_err(hdev, "Firmware loading timeout");
1761 return -ETIMEDOUT;
1762 }
1763
1764 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) {
1765 bt_dev_err(hdev, "Firmware loading failed");
1766 return -ENOEXEC;
1767 }
1768
1769 rettime = ktime_get();
1770 delta = ktime_sub(rettime, calltime);
1771 duration = (unsigned long long)ktime_to_ns(delta) >> 10;
1772
1773 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration);
1774
1775 return 0;
1776 }
1777
btintel_boot_wait(struct hci_dev * hdev,ktime_t calltime,int msec)1778 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1779 {
1780 ktime_t delta, rettime;
1781 unsigned long long duration;
1782 int err;
1783
1784 bt_dev_info(hdev, "Waiting for device to boot");
1785
1786 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING,
1787 TASK_INTERRUPTIBLE,
1788 msecs_to_jiffies(msec));
1789 if (err == -EINTR) {
1790 bt_dev_err(hdev, "Device boot interrupted");
1791 return -EINTR;
1792 }
1793
1794 if (err) {
1795 bt_dev_err(hdev, "Device boot timeout");
1796 return -ETIMEDOUT;
1797 }
1798
1799 rettime = ktime_get();
1800 delta = ktime_sub(rettime, calltime);
1801 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
1802
1803 bt_dev_info(hdev, "Device booted in %llu usecs", duration);
1804
1805 return 0;
1806 }
1807
btintel_boot(struct hci_dev * hdev,u32 boot_addr)1808 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr)
1809 {
1810 ktime_t calltime;
1811 int err;
1812
1813 calltime = ktime_get();
1814
1815 btintel_set_flag(hdev, INTEL_BOOTING);
1816
1817 err = btintel_send_intel_reset(hdev, boot_addr);
1818 if (err) {
1819 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err);
1820 btintel_reset_to_bootloader(hdev);
1821 return err;
1822 }
1823
1824 /* The bootloader will not indicate when the device is ready. This
1825 * is done by the operational firmware sending bootup notification.
1826 *
1827 * Booting into operational firmware should not take longer than
1828 * 1 second. However if that happens, then just fail the setup
1829 * since something went wrong.
1830 */
1831 err = btintel_boot_wait(hdev, calltime, 1000);
1832 if (err == -ETIMEDOUT)
1833 btintel_reset_to_bootloader(hdev);
1834
1835 return err;
1836 }
1837
btintel_get_fw_name(struct intel_version * ver,struct intel_boot_params * params,char * fw_name,size_t len,const char * suffix)1838 static int btintel_get_fw_name(struct intel_version *ver,
1839 struct intel_boot_params *params,
1840 char *fw_name, size_t len,
1841 const char *suffix)
1842 {
1843 switch (ver->hw_variant) {
1844 case 0x0b: /* SfP */
1845 case 0x0c: /* WsP */
1846 snprintf(fw_name, len, "intel/ibt-%u-%u.%s",
1847 ver->hw_variant,
1848 le16_to_cpu(params->dev_revid),
1849 suffix);
1850 break;
1851 case 0x11: /* JfP */
1852 case 0x12: /* ThP */
1853 case 0x13: /* HrP */
1854 case 0x14: /* CcP */
1855 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s",
1856 ver->hw_variant,
1857 ver->hw_revision,
1858 ver->fw_revision,
1859 suffix);
1860 break;
1861 default:
1862 return -EINVAL;
1863 }
1864
1865 return 0;
1866 }
1867
btintel_download_fw(struct hci_dev * hdev,struct intel_version * ver,struct intel_boot_params * params,u32 * boot_param)1868 static int btintel_download_fw(struct hci_dev *hdev,
1869 struct intel_version *ver,
1870 struct intel_boot_params *params,
1871 u32 *boot_param)
1872 {
1873 const struct firmware *fw;
1874 char fwname[64];
1875 int err;
1876 ktime_t calltime;
1877
1878 if (!ver || !params)
1879 return -EINVAL;
1880
1881 /* The firmware variant determines if the device is in bootloader
1882 * mode or is running operational firmware. The value 0x06 identifies
1883 * the bootloader and the value 0x23 identifies the operational
1884 * firmware.
1885 *
1886 * When the operational firmware is already present, then only
1887 * the check for valid Bluetooth device address is needed. This
1888 * determines if the device will be added as configured or
1889 * unconfigured controller.
1890 *
1891 * It is not possible to use the Secure Boot Parameters in this
1892 * case since that command is only available in bootloader mode.
1893 */
1894 if (ver->fw_variant == 0x23) {
1895 btintel_clear_flag(hdev, INTEL_BOOTLOADER);
1896 btintel_check_bdaddr(hdev);
1897
1898 /* SfP and WsP don't seem to update the firmware version on file
1899 * so version checking is currently possible.
1900 */
1901 switch (ver->hw_variant) {
1902 case 0x0b: /* SfP */
1903 case 0x0c: /* WsP */
1904 return 0;
1905 }
1906
1907 /* Proceed to download to check if the version matches */
1908 goto download;
1909 }
1910
1911 /* Read the secure boot parameters to identify the operating
1912 * details of the bootloader.
1913 */
1914 err = btintel_read_boot_params(hdev, params);
1915 if (err)
1916 return err;
1917
1918 /* It is required that every single firmware fragment is acknowledged
1919 * with a command complete event. If the boot parameters indicate
1920 * that this bootloader does not send them, then abort the setup.
1921 */
1922 if (params->limited_cce != 0x00) {
1923 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)",
1924 params->limited_cce);
1925 return -EINVAL;
1926 }
1927
1928 /* If the OTP has no valid Bluetooth device address, then there will
1929 * also be no valid address for the operational firmware.
1930 */
1931 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) {
1932 bt_dev_info(hdev, "No device address configured");
1933 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1934 }
1935
1936 download:
1937 /* With this Intel bootloader only the hardware variant and device
1938 * revision information are used to select the right firmware for SfP
1939 * and WsP.
1940 *
1941 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi.
1942 *
1943 * Currently the supported hardware variants are:
1944 * 11 (0x0b) for iBT3.0 (LnP/SfP)
1945 * 12 (0x0c) for iBT3.5 (WsP)
1946 *
1947 * For ThP/JfP and for future SKU's, the FW name varies based on HW
1948 * variant, HW revision and FW revision, as these are dependent on CNVi
1949 * and RF Combination.
1950 *
1951 * 17 (0x11) for iBT3.5 (JfP)
1952 * 18 (0x12) for iBT3.5 (ThP)
1953 *
1954 * The firmware file name for these will be
1955 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi.
1956 *
1957 */
1958 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi");
1959 if (err < 0) {
1960 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
1961 /* Firmware has already been loaded */
1962 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1963 return 0;
1964 }
1965
1966 bt_dev_err(hdev, "Unsupported Intel firmware naming");
1967 return -EINVAL;
1968 }
1969
1970 err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
1971 if (err < 0) {
1972 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
1973 /* Firmware has already been loaded */
1974 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1975 return 0;
1976 }
1977
1978 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
1979 fwname, err);
1980 return err;
1981 }
1982
1983 bt_dev_info(hdev, "Found device firmware: %s", fwname);
1984
1985 if (fw->size < 644) {
1986 bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
1987 fw->size);
1988 err = -EBADF;
1989 goto done;
1990 }
1991
1992 calltime = ktime_get();
1993
1994 btintel_set_flag(hdev, INTEL_DOWNLOADING);
1995
1996 /* Start firmware downloading and get boot parameter */
1997 err = btintel_download_firmware(hdev, ver, fw, boot_param);
1998 if (err < 0) {
1999 if (err == -EALREADY) {
2000 /* Firmware has already been loaded */
2001 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2002 err = 0;
2003 goto done;
2004 }
2005
2006 /* When FW download fails, send Intel Reset to retry
2007 * FW download.
2008 */
2009 btintel_reset_to_bootloader(hdev);
2010 goto done;
2011 }
2012
2013 /* Before switching the device into operational mode and with that
2014 * booting the loaded firmware, wait for the bootloader notification
2015 * that all fragments have been successfully received.
2016 *
2017 * When the event processing receives the notification, then the
2018 * INTEL_DOWNLOADING flag will be cleared.
2019 *
2020 * The firmware loading should not take longer than 5 seconds
2021 * and thus just timeout if that happens and fail the setup
2022 * of this device.
2023 */
2024 err = btintel_download_wait(hdev, calltime, 5000);
2025 if (err == -ETIMEDOUT)
2026 btintel_reset_to_bootloader(hdev);
2027
2028 done:
2029 release_firmware(fw);
2030 return err;
2031 }
2032
btintel_bootloader_setup(struct hci_dev * hdev,struct intel_version * ver)2033 static int btintel_bootloader_setup(struct hci_dev *hdev,
2034 struct intel_version *ver)
2035 {
2036 struct intel_version new_ver;
2037 struct intel_boot_params params;
2038 u32 boot_param;
2039 char ddcname[64];
2040 int err;
2041
2042 BT_DBG("%s", hdev->name);
2043
2044 /* Set the default boot parameter to 0x0 and it is updated to
2045 * SKU specific boot parameter after reading Intel_Write_Boot_Params
2046 * command while downloading the firmware.
2047 */
2048 boot_param = 0x00000000;
2049
2050 btintel_set_flag(hdev, INTEL_BOOTLOADER);
2051
2052 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param);
2053 if (err)
2054 return err;
2055
2056 /* controller is already having an operational firmware */
2057 if (ver->fw_variant == 0x23)
2058 goto finish;
2059
2060 err = btintel_boot(hdev, boot_param);
2061 if (err)
2062 return err;
2063
2064 btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2065
2066 err = btintel_get_fw_name(ver, ¶ms, ddcname,
2067 sizeof(ddcname), "ddc");
2068
2069 if (err < 0) {
2070 bt_dev_err(hdev, "Unsupported Intel firmware naming");
2071 } else {
2072 /* Once the device is running in operational mode, it needs to
2073 * apply the device configuration (DDC) parameters.
2074 *
2075 * The device can work without DDC parameters, so even if it
2076 * fails to load the file, no need to fail the setup.
2077 */
2078 btintel_load_ddc_config(hdev, ddcname);
2079 }
2080
2081 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
2082
2083 /* Read the Intel version information after loading the FW */
2084 err = btintel_read_version(hdev, &new_ver);
2085 if (err)
2086 return err;
2087
2088 btintel_version_info(hdev, &new_ver);
2089
2090 finish:
2091 /* Set the event mask for Intel specific vendor events. This enables
2092 * a few extra events that are useful during general operation. It
2093 * does not enable any debugging related events.
2094 *
2095 * The device will function correctly without these events enabled
2096 * and thus no need to fail the setup.
2097 */
2098 btintel_set_event_mask(hdev, false);
2099
2100 return 0;
2101 }
2102
btintel_get_fw_name_tlv(const struct intel_version_tlv * ver,char * fw_name,size_t len,const char * suffix)2103 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver,
2104 char *fw_name, size_t len,
2105 const char *suffix)
2106 {
2107 /* The firmware file name for new generation controllers will be
2108 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step>
2109 */
2110 snprintf(fw_name, len, "intel/ibt-%04x-%04x.%s",
2111 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top),
2112 INTEL_CNVX_TOP_STEP(ver->cnvi_top)),
2113 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top),
2114 INTEL_CNVX_TOP_STEP(ver->cnvr_top)),
2115 suffix);
2116 }
2117
btintel_prepare_fw_download_tlv(struct hci_dev * hdev,struct intel_version_tlv * ver,u32 * boot_param)2118 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev,
2119 struct intel_version_tlv *ver,
2120 u32 *boot_param)
2121 {
2122 const struct firmware *fw;
2123 char fwname[64];
2124 int err;
2125 ktime_t calltime;
2126
2127 if (!ver || !boot_param)
2128 return -EINVAL;
2129
2130 /* The firmware variant determines if the device is in bootloader
2131 * mode or is running operational firmware. The value 0x03 identifies
2132 * the bootloader and the value 0x23 identifies the operational
2133 * firmware.
2134 *
2135 * When the operational firmware is already present, then only
2136 * the check for valid Bluetooth device address is needed. This
2137 * determines if the device will be added as configured or
2138 * unconfigured controller.
2139 *
2140 * It is not possible to use the Secure Boot Parameters in this
2141 * case since that command is only available in bootloader mode.
2142 */
2143 if (ver->img_type == 0x03) {
2144 btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2145 btintel_check_bdaddr(hdev);
2146 } else {
2147 /*
2148 * Check for valid bd address in boot loader mode. Device
2149 * will be marked as unconfigured if empty bd address is
2150 * found.
2151 */
2152 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) {
2153 bt_dev_info(hdev, "No device address configured");
2154 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2155 }
2156 }
2157
2158 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi");
2159 err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
2160 if (err < 0) {
2161 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2162 /* Firmware has already been loaded */
2163 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2164 return 0;
2165 }
2166
2167 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
2168 fwname, err);
2169
2170 return err;
2171 }
2172
2173 bt_dev_info(hdev, "Found device firmware: %s", fwname);
2174
2175 if (fw->size < 644) {
2176 bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
2177 fw->size);
2178 err = -EBADF;
2179 goto done;
2180 }
2181
2182 calltime = ktime_get();
2183
2184 btintel_set_flag(hdev, INTEL_DOWNLOADING);
2185
2186 /* Start firmware downloading and get boot parameter */
2187 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param,
2188 INTEL_HW_VARIANT(ver->cnvi_bt),
2189 ver->sbe_type);
2190 if (err < 0) {
2191 if (err == -EALREADY) {
2192 /* Firmware has already been loaded */
2193 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2194 err = 0;
2195 goto done;
2196 }
2197
2198 /* When FW download fails, send Intel Reset to retry
2199 * FW download.
2200 */
2201 btintel_reset_to_bootloader(hdev);
2202 goto done;
2203 }
2204
2205 /* Before switching the device into operational mode and with that
2206 * booting the loaded firmware, wait for the bootloader notification
2207 * that all fragments have been successfully received.
2208 *
2209 * When the event processing receives the notification, then the
2210 * BTUSB_DOWNLOADING flag will be cleared.
2211 *
2212 * The firmware loading should not take longer than 5 seconds
2213 * and thus just timeout if that happens and fail the setup
2214 * of this device.
2215 */
2216 err = btintel_download_wait(hdev, calltime, 5000);
2217 if (err == -ETIMEDOUT)
2218 btintel_reset_to_bootloader(hdev);
2219
2220 done:
2221 release_firmware(fw);
2222 return err;
2223 }
2224
btintel_get_codec_config_data(struct hci_dev * hdev,__u8 link,struct bt_codec * codec,__u8 * ven_len,__u8 ** ven_data)2225 static int btintel_get_codec_config_data(struct hci_dev *hdev,
2226 __u8 link, struct bt_codec *codec,
2227 __u8 *ven_len, __u8 **ven_data)
2228 {
2229 int err = 0;
2230
2231 if (!ven_data || !ven_len)
2232 return -EINVAL;
2233
2234 *ven_len = 0;
2235 *ven_data = NULL;
2236
2237 if (link != ESCO_LINK) {
2238 bt_dev_err(hdev, "Invalid link type(%u)", link);
2239 return -EINVAL;
2240 }
2241
2242 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL);
2243 if (!*ven_data) {
2244 err = -ENOMEM;
2245 goto error;
2246 }
2247
2248 /* supports only CVSD and mSBC offload codecs */
2249 switch (codec->id) {
2250 case 0x02:
2251 **ven_data = 0x00;
2252 break;
2253 case 0x05:
2254 **ven_data = 0x01;
2255 break;
2256 default:
2257 err = -EINVAL;
2258 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id);
2259 goto error;
2260 }
2261 /* codec and its capabilities are pre-defined to ids
2262 * preset id = 0x00 represents CVSD codec with sampling rate 8K
2263 * preset id = 0x01 represents mSBC codec with sampling rate 16K
2264 */
2265 *ven_len = sizeof(__u8);
2266 return err;
2267
2268 error:
2269 kfree(*ven_data);
2270 *ven_data = NULL;
2271 return err;
2272 }
2273
btintel_get_data_path_id(struct hci_dev * hdev,__u8 * data_path_id)2274 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id)
2275 {
2276 /* Intel uses 1 as data path id for all the usecases */
2277 *data_path_id = 1;
2278 return 0;
2279 }
2280
btintel_configure_offload(struct hci_dev * hdev)2281 static int btintel_configure_offload(struct hci_dev *hdev)
2282 {
2283 struct sk_buff *skb;
2284 int err = 0;
2285 struct intel_offload_use_cases *use_cases;
2286
2287 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT);
2288 if (IS_ERR(skb)) {
2289 bt_dev_err(hdev, "Reading offload use cases failed (%ld)",
2290 PTR_ERR(skb));
2291 return PTR_ERR(skb);
2292 }
2293
2294 if (skb->len < sizeof(*use_cases)) {
2295 err = -EIO;
2296 goto error;
2297 }
2298
2299 use_cases = (void *)skb->data;
2300
2301 if (use_cases->status) {
2302 err = -bt_to_errno(skb->data[0]);
2303 goto error;
2304 }
2305
2306 if (use_cases->preset[0] & 0x03) {
2307 hdev->get_data_path_id = btintel_get_data_path_id;
2308 hdev->get_codec_config_data = btintel_get_codec_config_data;
2309 }
2310 error:
2311 kfree_skb(skb);
2312 return err;
2313 }
2314
btintel_set_ppag(struct hci_dev * hdev,struct intel_version_tlv * ver)2315 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver)
2316 {
2317 acpi_status status;
2318 struct btintel_ppag ppag;
2319 struct sk_buff *skb;
2320 struct btintel_loc_aware_reg ppag_cmd;
2321
2322 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */
2323 switch (ver->cnvr_top & 0xFFF) {
2324 case 0x504: /* Hrp2 */
2325 case 0x202: /* Jfp2 */
2326 case 0x201: /* Jfp1 */
2327 return;
2328 }
2329
2330 memset(&ppag, 0, sizeof(ppag));
2331
2332 ppag.hdev = hdev;
2333 status = acpi_walk_namespace(ACPI_TYPE_ANY, ACPI_ROOT_OBJECT,
2334 ACPI_UINT32_MAX, NULL,
2335 btintel_ppag_callback, &ppag, NULL);
2336
2337 if (ACPI_FAILURE(status)) {
2338 /* Do not log warning message if ACPI entry is not found */
2339 if (status == AE_NOT_FOUND)
2340 return;
2341 bt_dev_warn(hdev, "PPAG: ACPI Failure: %s", acpi_format_exception(status));
2342 return;
2343 }
2344
2345 if (ppag.domain != 0x12) {
2346 bt_dev_warn(hdev, "PPAG-BT Domain disabled");
2347 return;
2348 }
2349
2350 /* PPAG mode, BIT0 = 0 Disabled, BIT0 = 1 Enabled */
2351 if (!(ppag.mode & BIT(0))) {
2352 bt_dev_dbg(hdev, "PPAG disabled");
2353 return;
2354 }
2355
2356 ppag_cmd.mcc = cpu_to_le32(0);
2357 ppag_cmd.sel = cpu_to_le32(0); /* 0 - Enable , 1 - Disable, 2 - Testing mode */
2358 ppag_cmd.delta = cpu_to_le32(0);
2359 skb = __hci_cmd_sync(hdev, 0xfe19, sizeof(ppag_cmd), &ppag_cmd, HCI_CMD_TIMEOUT);
2360 if (IS_ERR(skb)) {
2361 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb));
2362 return;
2363 }
2364 kfree_skb(skb);
2365 }
2366
btintel_bootloader_setup_tlv(struct hci_dev * hdev,struct intel_version_tlv * ver)2367 static int btintel_bootloader_setup_tlv(struct hci_dev *hdev,
2368 struct intel_version_tlv *ver)
2369 {
2370 u32 boot_param;
2371 char ddcname[64];
2372 int err;
2373 struct intel_version_tlv new_ver;
2374
2375 bt_dev_dbg(hdev, "");
2376
2377 /* Set the default boot parameter to 0x0 and it is updated to
2378 * SKU specific boot parameter after reading Intel_Write_Boot_Params
2379 * command while downloading the firmware.
2380 */
2381 boot_param = 0x00000000;
2382
2383 btintel_set_flag(hdev, INTEL_BOOTLOADER);
2384
2385 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param);
2386 if (err)
2387 return err;
2388
2389 /* check if controller is already having an operational firmware */
2390 if (ver->img_type == 0x03)
2391 goto finish;
2392
2393 err = btintel_boot(hdev, boot_param);
2394 if (err)
2395 return err;
2396
2397 btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2398
2399 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc");
2400 /* Once the device is running in operational mode, it needs to
2401 * apply the device configuration (DDC) parameters.
2402 *
2403 * The device can work without DDC parameters, so even if it
2404 * fails to load the file, no need to fail the setup.
2405 */
2406 btintel_load_ddc_config(hdev, ddcname);
2407
2408 /* Read supported use cases and set callbacks to fetch datapath id */
2409 btintel_configure_offload(hdev);
2410
2411 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
2412
2413 /* Set PPAG feature */
2414 btintel_set_ppag(hdev, ver);
2415
2416 /* Read the Intel version information after loading the FW */
2417 err = btintel_read_version_tlv(hdev, &new_ver);
2418 if (err)
2419 return err;
2420
2421 btintel_version_info_tlv(hdev, &new_ver);
2422
2423 finish:
2424 /* Set the event mask for Intel specific vendor events. This enables
2425 * a few extra events that are useful during general operation. It
2426 * does not enable any debugging related events.
2427 *
2428 * The device will function correctly without these events enabled
2429 * and thus no need to fail the setup.
2430 */
2431 btintel_set_event_mask(hdev, false);
2432
2433 return 0;
2434 }
2435
btintel_set_msft_opcode(struct hci_dev * hdev,u8 hw_variant)2436 static void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant)
2437 {
2438 switch (hw_variant) {
2439 /* Legacy bootloader devices that supports MSFT Extension */
2440 case 0x11: /* JfP */
2441 case 0x12: /* ThP */
2442 case 0x13: /* HrP */
2443 case 0x14: /* CcP */
2444 /* All Intel new genration controllers support the Microsoft vendor
2445 * extension are using 0xFC1E for VsMsftOpCode.
2446 */
2447 case 0x17:
2448 case 0x18:
2449 case 0x19:
2450 case 0x1b:
2451 hci_set_msft_opcode(hdev, 0xFC1E);
2452 break;
2453 default:
2454 /* Not supported */
2455 break;
2456 }
2457 }
2458
btintel_setup_combined(struct hci_dev * hdev)2459 static int btintel_setup_combined(struct hci_dev *hdev)
2460 {
2461 const u8 param[1] = { 0xFF };
2462 struct intel_version ver;
2463 struct intel_version_tlv ver_tlv;
2464 struct sk_buff *skb;
2465 int err;
2466
2467 BT_DBG("%s", hdev->name);
2468
2469 /* The some controllers have a bug with the first HCI command sent to it
2470 * returning number of completed commands as zero. This would stall the
2471 * command processing in the Bluetooth core.
2472 *
2473 * As a workaround, send HCI Reset command first which will reset the
2474 * number of completed commands and allow normal command processing
2475 * from now on.
2476 *
2477 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe
2478 * in the SW_RFKILL ON state as a workaround of fixing LED issue during
2479 * the shutdown() procedure, and once the device is in SW_RFKILL ON
2480 * state, the only way to exit out of it is sending the HCI_Reset
2481 * command.
2482 */
2483 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) ||
2484 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
2485 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
2486 HCI_INIT_TIMEOUT);
2487 if (IS_ERR(skb)) {
2488 bt_dev_err(hdev,
2489 "sending initial HCI reset failed (%ld)",
2490 PTR_ERR(skb));
2491 return PTR_ERR(skb);
2492 }
2493 kfree_skb(skb);
2494 }
2495
2496 /* Starting from TyP device, the command parameter and response are
2497 * changed even though the OCF for HCI_Intel_Read_Version command
2498 * remains same. The legacy devices can handle even if the
2499 * command has a parameter and returns a correct version information.
2500 * So, it uses new format to support both legacy and new format.
2501 */
2502 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
2503 if (IS_ERR(skb)) {
2504 bt_dev_err(hdev, "Reading Intel version command failed (%ld)",
2505 PTR_ERR(skb));
2506 return PTR_ERR(skb);
2507 }
2508
2509 /* Check the status */
2510 if (skb->data[0]) {
2511 bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
2512 skb->data[0]);
2513 err = -EIO;
2514 goto exit_error;
2515 }
2516
2517 /* Apply the common HCI quirks for Intel device */
2518 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2519 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
2520 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
2521
2522 /* Set up the quality report callback for Intel devices */
2523 hdev->set_quality_report = btintel_set_quality_report;
2524
2525 /* For Legacy device, check the HW platform value and size */
2526 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) {
2527 bt_dev_dbg(hdev, "Read the legacy Intel version information");
2528
2529 memcpy(&ver, skb->data, sizeof(ver));
2530
2531 /* Display version information */
2532 btintel_version_info(hdev, &ver);
2533
2534 /* Check for supported iBT hardware variants of this firmware
2535 * loading method.
2536 *
2537 * This check has been put in place to ensure correct forward
2538 * compatibility options when newer hardware variants come
2539 * along.
2540 */
2541 switch (ver.hw_variant) {
2542 case 0x07: /* WP */
2543 case 0x08: /* StP */
2544 /* Legacy ROM product */
2545 btintel_set_flag(hdev, INTEL_ROM_LEGACY);
2546
2547 /* Apply the device specific HCI quirks
2548 *
2549 * WBS for SdP - For the Legacy ROM products, only SdP
2550 * supports the WBS. But the version information is not
2551 * enough to use here because the StP2 and SdP have same
2552 * hw_variant and fw_variant. So, this flag is set by
2553 * the transport driver (btusb) based on the HW info
2554 * (idProduct)
2555 */
2556 if (!btintel_test_flag(hdev,
2557 INTEL_ROM_LEGACY_NO_WBS_SUPPORT))
2558 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
2559 &hdev->quirks);
2560 if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22)
2561 set_bit(HCI_QUIRK_VALID_LE_STATES,
2562 &hdev->quirks);
2563
2564 err = btintel_legacy_rom_setup(hdev, &ver);
2565 break;
2566 case 0x0b: /* SfP */
2567 case 0x11: /* JfP */
2568 case 0x12: /* ThP */
2569 case 0x13: /* HrP */
2570 case 0x14: /* CcP */
2571 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
2572 fallthrough;
2573 case 0x0c: /* WsP */
2574 /* Apply the device specific HCI quirks
2575 *
2576 * All Legacy bootloader devices support WBS
2577 */
2578 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
2579 &hdev->quirks);
2580
2581 /* Setup MSFT Extension support */
2582 btintel_set_msft_opcode(hdev, ver.hw_variant);
2583
2584 err = btintel_bootloader_setup(hdev, &ver);
2585 break;
2586 default:
2587 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
2588 ver.hw_variant);
2589 err = -EINVAL;
2590 }
2591
2592 goto exit_error;
2593 }
2594
2595 /* memset ver_tlv to start with clean state as few fields are exclusive
2596 * to bootloader mode and are not populated in operational mode
2597 */
2598 memset(&ver_tlv, 0, sizeof(ver_tlv));
2599 /* For TLV type device, parse the tlv data */
2600 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb);
2601 if (err) {
2602 bt_dev_err(hdev, "Failed to parse TLV version information");
2603 goto exit_error;
2604 }
2605
2606 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) {
2607 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
2608 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt));
2609 err = -EINVAL;
2610 goto exit_error;
2611 }
2612
2613 /* Check for supported iBT hardware variants of this firmware
2614 * loading method.
2615 *
2616 * This check has been put in place to ensure correct forward
2617 * compatibility options when newer hardware variants come
2618 * along.
2619 */
2620 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) {
2621 case 0x11: /* JfP */
2622 case 0x12: /* ThP */
2623 case 0x13: /* HrP */
2624 case 0x14: /* CcP */
2625 /* Some legacy bootloader devices starting from JfP,
2626 * the operational firmware supports both old and TLV based
2627 * HCI_Intel_Read_Version command based on the command
2628 * parameter.
2629 *
2630 * For upgrading firmware case, the TLV based version cannot
2631 * be used because the firmware filename for legacy bootloader
2632 * is based on the old format.
2633 *
2634 * Also, it is not easy to convert TLV based version from the
2635 * legacy version format.
2636 *
2637 * So, as a workaround for those devices, use the legacy
2638 * HCI_Intel_Read_Version to get the version information and
2639 * run the legacy bootloader setup.
2640 */
2641 err = btintel_read_version(hdev, &ver);
2642 if (err)
2643 break;
2644
2645 /* Apply the device specific HCI quirks
2646 *
2647 * All Legacy bootloader devices support WBS
2648 */
2649 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
2650
2651 /* Set Valid LE States quirk */
2652 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
2653
2654 /* Setup MSFT Extension support */
2655 btintel_set_msft_opcode(hdev, ver.hw_variant);
2656
2657 err = btintel_bootloader_setup(hdev, &ver);
2658 break;
2659 case 0x17:
2660 case 0x18:
2661 case 0x19:
2662 case 0x1b:
2663 /* Display version information of TLV type */
2664 btintel_version_info_tlv(hdev, &ver_tlv);
2665
2666 /* Apply the device specific HCI quirks for TLV based devices
2667 *
2668 * All TLV based devices support WBS
2669 */
2670 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
2671
2672 /* Valid LE States quirk for GfP */
2673 if (INTEL_HW_VARIANT(ver_tlv.cnvi_bt) == 0x18)
2674 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
2675
2676 /* Setup MSFT Extension support */
2677 btintel_set_msft_opcode(hdev,
2678 INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
2679
2680 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv);
2681 break;
2682 default:
2683 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
2684 INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
2685 err = -EINVAL;
2686 break;
2687 }
2688
2689 exit_error:
2690 kfree_skb(skb);
2691
2692 return err;
2693 }
2694
btintel_shutdown_combined(struct hci_dev * hdev)2695 static int btintel_shutdown_combined(struct hci_dev *hdev)
2696 {
2697 struct sk_buff *skb;
2698 int ret;
2699
2700 /* Send HCI Reset to the controller to stop any BT activity which
2701 * were triggered. This will help to save power and maintain the
2702 * sync b/w Host and controller
2703 */
2704 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
2705 if (IS_ERR(skb)) {
2706 bt_dev_err(hdev, "HCI reset during shutdown failed");
2707 return PTR_ERR(skb);
2708 }
2709 kfree_skb(skb);
2710
2711
2712 /* Some platforms have an issue with BT LED when the interface is
2713 * down or BT radio is turned off, which takes 5 seconds to BT LED
2714 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the
2715 * device in the RFKILL ON state which turns off the BT LED immediately.
2716 */
2717 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
2718 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
2719 if (IS_ERR(skb)) {
2720 ret = PTR_ERR(skb);
2721 bt_dev_err(hdev, "turning off Intel device LED failed");
2722 return ret;
2723 }
2724 kfree_skb(skb);
2725 }
2726
2727 return 0;
2728 }
2729
btintel_configure_setup(struct hci_dev * hdev)2730 int btintel_configure_setup(struct hci_dev *hdev)
2731 {
2732 hdev->manufacturer = 2;
2733 hdev->setup = btintel_setup_combined;
2734 hdev->shutdown = btintel_shutdown_combined;
2735 hdev->hw_error = btintel_hw_error;
2736 hdev->set_diag = btintel_set_diag_combined;
2737 hdev->set_bdaddr = btintel_set_bdaddr;
2738
2739 return 0;
2740 }
2741 EXPORT_SYMBOL_GPL(btintel_configure_setup);
2742
btintel_bootup(struct hci_dev * hdev,const void * ptr,unsigned int len)2743 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len)
2744 {
2745 const struct intel_bootup *evt = ptr;
2746
2747 if (len != sizeof(*evt))
2748 return;
2749
2750 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING))
2751 btintel_wake_up_flag(hdev, INTEL_BOOTING);
2752 }
2753 EXPORT_SYMBOL_GPL(btintel_bootup);
2754
btintel_secure_send_result(struct hci_dev * hdev,const void * ptr,unsigned int len)2755 void btintel_secure_send_result(struct hci_dev *hdev,
2756 const void *ptr, unsigned int len)
2757 {
2758 const struct intel_secure_send_result *evt = ptr;
2759
2760 if (len != sizeof(*evt))
2761 return;
2762
2763 if (evt->result)
2764 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED);
2765
2766 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) &&
2767 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED))
2768 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING);
2769 }
2770 EXPORT_SYMBOL_GPL(btintel_secure_send_result);
2771
2772 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2773 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
2774 MODULE_VERSION(VERSION);
2775 MODULE_LICENSE("GPL");
2776 MODULE_FIRMWARE("intel/ibt-11-5.sfi");
2777 MODULE_FIRMWARE("intel/ibt-11-5.ddc");
2778 MODULE_FIRMWARE("intel/ibt-12-16.sfi");
2779 MODULE_FIRMWARE("intel/ibt-12-16.ddc");
2780