Gitiles
Code Review Sign In
android-review.linaro.org / kernel / hikey-linaro / 09df123d2d128c52987f11c85397cdbc9ffc89c6 / . / drivers / bluetooth / hci_intel.c
blob: bc66a9baf532939a4afe925f9990d495ea7a9aae [file] [log] [blame]
Marcel Holtmann16e38872015-04-04 16:13:02 -0700[diff] [blame]1/*
2 *
3 * Bluetooth HCI UART driver for Intel devices
4 *
5 * Copyright (C) 2015 Intel Corporation
6 *
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 *
22 */
23
24#include <linux/kernel.h>
25#include <linux/errno.h>
26#include <linux/skbuff.h>
Loic Poulainca93cee2015-07-01 12:20:26 +0200[diff] [blame]27#include <linux/firmware.h>
28#include <linux/wait.h>
Marcel Holtmann16e38872015-04-04 16:13:02 -0700[diff] [blame]29
30#include <net/bluetooth/bluetooth.h>
31#include <net/bluetooth/hci_core.h>
32
33#include "hci_uart.h"
Loic Poulainca93cee2015-07-01 12:20:26 +0200[diff] [blame]34#include "btintel.h"
35
36#define STATE_BOOTLOADER 0
37#define STATE_DOWNLOADING 1
38#define STATE_FIRMWARE_LOADED 2
39#define STATE_FIRMWARE_FAILED 3
40#define STATE_BOOTING 4
41
42struct intel_data {
43 struct sk_buff *rx_skb;
44 struct sk_buff_head txq;
45 unsigned long flags;
46};
47
48static int intel_open(struct hci_uart *hu)
49{
50 struct intel_data *intel;
51
52 BT_DBG("hu %p", hu);
53
54 intel = kzalloc(sizeof(*intel), GFP_KERNEL);
55 if (!intel)
56 return -ENOMEM;
57
58 skb_queue_head_init(&intel->txq);
59
60 hu->priv = intel;
61 return 0;
62}
63
64static int intel_close(struct hci_uart *hu)
65{
66 struct intel_data *intel = hu->priv;
67
68 BT_DBG("hu %p", hu);
69
70 skb_queue_purge(&intel->txq);
71 kfree_skb(intel->rx_skb);
72 kfree(intel);
73
74 hu->priv = NULL;
75 return 0;
76}
77
78static int intel_flush(struct hci_uart *hu)
79{
80 struct intel_data *intel = hu->priv;
81
82 BT_DBG("hu %p", hu);
83
84 skb_queue_purge(&intel->txq);
85
86 return 0;
87}
88
89static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode)
90{
91 struct sk_buff *skb;
92 struct hci_event_hdr *hdr;
93 struct hci_ev_cmd_complete *evt;
94
95 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC);
96 if (!skb)
97 return -ENOMEM;
98
99 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr));
100 hdr->evt = HCI_EV_CMD_COMPLETE;
101 hdr->plen = sizeof(*evt) + 1;
102
103 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt));
104 evt->ncmd = 0x01;
105 evt->opcode = cpu_to_le16(opcode);
106
107 *skb_put(skb, 1) = 0x00;
108
109 bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
110
111 return hci_recv_frame(hdev, skb);
112}
113
Loic Poulainca93cee2015-07-01 12:20:26 +0200[diff] [blame]114static void intel_version_info(struct hci_dev *hdev,
115 struct intel_version *ver)
116{
117 const char *variant;
118
119 switch (ver->fw_variant) {
120 case 0x06:
121 variant = "Bootloader";
122 break;
123 case 0x23:
124 variant = "Firmware";
125 break;
126 default:
127 return;
128 }
129
130 BT_INFO("%s: %s revision %u.%u build %u week %u %u", hdev->name,
131 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
132 ver->fw_build_num, ver->fw_build_ww, 2000 + ver->fw_build_yy);
133}
134
135static int intel_setup(struct hci_uart *hu)
136{
137 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01,
138 0x00, 0x08, 0x04, 0x00 };
139 struct intel_data *intel = hu->priv;
140 struct hci_dev *hdev = hu->hdev;
141 struct sk_buff *skb;
142 struct intel_version *ver;
143 struct intel_boot_params *params;
144 const struct firmware *fw;
145 const u8 *fw_ptr;
146 char fwname[64];
147 u32 frag_len;
148 ktime_t calltime, delta, rettime;
149 unsigned long long duration;
150 int err;
151
152 BT_DBG("%s", hdev->name);
153
Marcel Holtmann35ab8152015-07-05 14:37:40 +0200[diff] [blame]154 hu->hdev->set_bdaddr = btintel_set_bdaddr;
155
Loic Poulainca93cee2015-07-01 12:20:26 +0200[diff] [blame]156 calltime = ktime_get();
157
158 set_bit(STATE_BOOTLOADER, &intel->flags);
159
160 /* Read the Intel version information to determine if the device
161 * is in bootloader mode or if it already has operational firmware
162 * loaded.
163 */
164 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
165 if (IS_ERR(skb)) {
166 BT_ERR("%s: Reading Intel version information failed (%ld)",
167 hdev->name, PTR_ERR(skb));
168 return PTR_ERR(skb);
169 }
170
171 if (skb->len != sizeof(*ver)) {
172 BT_ERR("%s: Intel version event size mismatch", hdev->name);
173 kfree_skb(skb);
174 return -EILSEQ;
175 }
176
177 ver = (struct intel_version *)skb->data;
178 if (ver->status) {
179 BT_ERR("%s: Intel version command failure (%02x)",
180 hdev->name, ver->status);
181 err = -bt_to_errno(ver->status);
182 kfree_skb(skb);
183 return err;
184 }
185
186 /* The hardware platform number has a fixed value of 0x37 and
187 * for now only accept this single value.
188 */
189 if (ver->hw_platform != 0x37) {
190 BT_ERR("%s: Unsupported Intel hardware platform (%u)",
191 hdev->name, ver->hw_platform);
192 kfree_skb(skb);
193 return -EINVAL;
194 }
195
196 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is
197 * supported by this firmware loading method. This check has been
198 * put in place to ensure correct forward compatibility options
199 * when newer hardware variants come along.
200 */
201 if (ver->hw_variant != 0x0b) {
202 BT_ERR("%s: Unsupported Intel hardware variant (%u)",
203 hdev->name, ver->hw_variant);
204 kfree_skb(skb);
205 return -EINVAL;
206 }
207
208 intel_version_info(hdev, ver);
209
210 /* The firmware variant determines if the device is in bootloader
211 * mode or is running operational firmware. The value 0x06 identifies
212 * the bootloader and the value 0x23 identifies the operational
213 * firmware.
214 *
215 * When the operational firmware is already present, then only
216 * the check for valid Bluetooth device address is needed. This
217 * determines if the device will be added as configured or
218 * unconfigured controller.
219 *
220 * It is not possible to use the Secure Boot Parameters in this
221 * case since that command is only available in bootloader mode.
222 */
223 if (ver->fw_variant == 0x23) {
224 kfree_skb(skb);
225 clear_bit(STATE_BOOTLOADER, &intel->flags);
226 btintel_check_bdaddr(hdev);
227 return 0;
228 }
229
230 /* If the device is not in bootloader mode, then the only possible
231 * choice is to return an error and abort the device initialization.
232 */
233 if (ver->fw_variant != 0x06) {
234 BT_ERR("%s: Unsupported Intel firmware variant (%u)",
235 hdev->name, ver->fw_variant);
236 kfree_skb(skb);
237 return -ENODEV;
238 }
239
240 kfree_skb(skb);
241
242 /* Read the secure boot parameters to identify the operating
243 * details of the bootloader.
244 */
245 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
246 if (IS_ERR(skb)) {
247 BT_ERR("%s: Reading Intel boot parameters failed (%ld)",
248 hdev->name, PTR_ERR(skb));
249 return PTR_ERR(skb);
250 }
251
252 if (skb->len != sizeof(*params)) {
253 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name);
254 kfree_skb(skb);
255 return -EILSEQ;
256 }
257
258 params = (struct intel_boot_params *)skb->data;
259 if (params->status) {
260 BT_ERR("%s: Intel boot parameters command failure (%02x)",
261 hdev->name, params->status);
262 err = -bt_to_errno(params->status);
263 kfree_skb(skb);
264 return err;
265 }
266
267 BT_INFO("%s: Device revision is %u", hdev->name,
268 le16_to_cpu(params->dev_revid));
269
270 BT_INFO("%s: Secure boot is %s", hdev->name,
271 params->secure_boot ? "enabled" : "disabled");
272
273 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name,
274 params->min_fw_build_nn, params->min_fw_build_cw,
275 2000 + params->min_fw_build_yy);
276
277 /* It is required that every single firmware fragment is acknowledged
278 * with a command complete event. If the boot parameters indicate
279 * that this bootloader does not send them, then abort the setup.
280 */
281 if (params->limited_cce != 0x00) {
282 BT_ERR("%s: Unsupported Intel firmware loading method (%u)",
283 hdev->name, params->limited_cce);
284 kfree_skb(skb);
285 return -EINVAL;
286 }
287
288 /* If the OTP has no valid Bluetooth device address, then there will
289 * also be no valid address for the operational firmware.
290 */
291 if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {
292 BT_INFO("%s: No device address configured", hdev->name);
293 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
294 }
295
296 /* With this Intel bootloader only the hardware variant and device
297 * revision information are used to select the right firmware.
298 *
299 * Currently this bootloader support is limited to hardware variant
300 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b).
301 */
302 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi",
303 le16_to_cpu(params->dev_revid));
304
305 err = request_firmware(&fw, fwname, &hdev->dev);
306 if (err < 0) {
307 BT_ERR("%s: Failed to load Intel firmware file (%d)",
308 hdev->name, err);
309 kfree_skb(skb);
310 return err;
311 }
312
313 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname);
314
315 kfree_skb(skb);
316
317 if (fw->size < 644) {
318 BT_ERR("%s: Invalid size of firmware file (%zu)",
319 hdev->name, fw->size);
320 err = -EBADF;
321 goto done;
322 }
323
324 set_bit(STATE_DOWNLOADING, &intel->flags);
325
326 /* Start the firmware download transaction with the Init fragment
327 * represented by the 128 bytes of CSS header.
328 */
Marcel Holtmann09df1232015-07-05 14:55:36 +0200[diff] [blame^]329 err = btintel_secure_send(hdev, 0x00, 128, fw->data);
Loic Poulainca93cee2015-07-01 12:20:26 +0200[diff] [blame]330 if (err < 0) {
331 BT_ERR("%s: Failed to send firmware header (%d)",
332 hdev->name, err);
333 goto done;
334 }
335
336 /* Send the 256 bytes of public key information from the firmware
337 * as the PKey fragment.
338 */
Marcel Holtmann09df1232015-07-05 14:55:36 +0200[diff] [blame^]339 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
Loic Poulainca93cee2015-07-01 12:20:26 +0200[diff] [blame]340 if (err < 0) {
341 BT_ERR("%s: Failed to send firmware public key (%d)",
342 hdev->name, err);
343 goto done;
344 }
345
346 /* Send the 256 bytes of signature information from the firmware
347 * as the Sign fragment.
348 */
Marcel Holtmann09df1232015-07-05 14:55:36 +0200[diff] [blame^]349 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
Loic Poulainca93cee2015-07-01 12:20:26 +0200[diff] [blame]350 if (err < 0) {
351 BT_ERR("%s: Failed to send firmware signature (%d)",
352 hdev->name, err);
353 goto done;
354 }
355
356 fw_ptr = fw->data + 644;
357 frag_len = 0;
358
359 while (fw_ptr - fw->data < fw->size) {
360 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
361
362 frag_len += sizeof(*cmd) + cmd->plen;
363
364 BT_DBG("%s: patching %td/%zu", hdev->name,
365 (fw_ptr - fw->data), fw->size);
366
367 /* The parameter length of the secure send command requires
368 * a 4 byte alignment. It happens so that the firmware file
369 * contains proper Intel_NOP commands to align the fragments
370 * as needed.
371 *
372 * Send set of commands with 4 byte alignment from the
373 * firmware data buffer as a single Data fragement.
374 */
375 if (frag_len % 4)
376 continue;
377
378 /* Send each command from the firmware data buffer as
379 * a single Data fragment.
380 */
Marcel Holtmann09df1232015-07-05 14:55:36 +0200[diff] [blame^]381 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
Loic Poulainca93cee2015-07-01 12:20:26 +0200[diff] [blame]382 if (err < 0) {
383 BT_ERR("%s: Failed to send firmware data (%d)",
384 hdev->name, err);
385 goto done;
386 }
387
388 fw_ptr += frag_len;
389 frag_len = 0;
390 }
391
392 set_bit(STATE_FIRMWARE_LOADED, &intel->flags);
393
394 BT_INFO("%s: Waiting for firmware download to complete", hdev->name);
395
396 /* Before switching the device into operational mode and with that
397 * booting the loaded firmware, wait for the bootloader notification
398 * that all fragments have been successfully received.
399 *
400 * When the event processing receives the notification, then the
401 * STATE_DOWNLOADING flag will be cleared.
402 *
403 * The firmware loading should not take longer than 5 seconds
404 * and thus just timeout if that happens and fail the setup
405 * of this device.
406 */
407 err = wait_on_bit_timeout(&intel->flags, STATE_DOWNLOADING,
408 TASK_INTERRUPTIBLE,
409 msecs_to_jiffies(5000));
410 if (err == 1) {
411 BT_ERR("%s: Firmware loading interrupted", hdev->name);
412 err = -EINTR;
413 goto done;
414 }
415
416 if (err) {
417 BT_ERR("%s: Firmware loading timeout", hdev->name);
418 err = -ETIMEDOUT;
419 goto done;
420 }
421
422 if (test_bit(STATE_FIRMWARE_FAILED, &intel->flags)) {
423 BT_ERR("%s: Firmware loading failed", hdev->name);
424 err = -ENOEXEC;
425 goto done;
426 }
427
428 rettime = ktime_get();
429 delta = ktime_sub(rettime, calltime);
430 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
431
432 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration);
433
434done:
435 release_firmware(fw);
436
437 if (err < 0)
438 return err;
439
440 calltime = ktime_get();
441
442 set_bit(STATE_BOOTING, &intel->flags);
443
444 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param,
445 HCI_INIT_TIMEOUT);
446 if (IS_ERR(skb))
447 return PTR_ERR(skb);
448
449 kfree_skb(skb);
450
451 /* The bootloader will not indicate when the device is ready. This
452 * is done by the operational firmware sending bootup notification.
453 *
454 * Booting into operational firmware should not take longer than
455 * 1 second. However if that happens, then just fail the setup
456 * since something went wrong.
457 */
458 BT_INFO("%s: Waiting for device to boot", hdev->name);
459
460 err = wait_on_bit_timeout(&intel->flags, STATE_BOOTING,
461 TASK_INTERRUPTIBLE,
462 msecs_to_jiffies(1000));
463
464 if (err == 1) {
465 BT_ERR("%s: Device boot interrupted", hdev->name);
466 return -EINTR;
467 }
468
469 if (err) {
470 BT_ERR("%s: Device boot timeout", hdev->name);
471 return -ETIMEDOUT;
472 }
473
474 rettime = ktime_get();
475 delta = ktime_sub(rettime, calltime);
476 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
477
478 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration);
479
480 clear_bit(STATE_BOOTLOADER, &intel->flags);
481
482 return 0;
483}
484
485static int intel_recv_event(struct hci_dev *hdev, struct sk_buff *skb)
486{
487 struct hci_uart *hu = hci_get_drvdata(hdev);
488 struct intel_data *intel = hu->priv;
489 struct hci_event_hdr *hdr;
490
491 if (!test_bit(STATE_BOOTLOADER, &intel->flags))
492 goto recv;
493
494 hdr = (void *)skb->data;
495
496 /* When the firmware loading completes the device sends
497 * out a vendor specific event indicating the result of
498 * the firmware loading.
499 */
500 if (skb->len == 7 && hdr->evt == 0xff && hdr->plen == 0x05 &&
501 skb->data[2] == 0x06) {
502 if (skb->data[3] != 0x00)
503 set_bit(STATE_FIRMWARE_FAILED, &intel->flags);
504
505 if (test_and_clear_bit(STATE_DOWNLOADING, &intel->flags) &&
506 test_bit(STATE_FIRMWARE_LOADED, &intel->flags)) {
507 smp_mb__after_atomic();
508 wake_up_bit(&intel->flags, STATE_DOWNLOADING);
509 }
510
511 /* When switching to the operational firmware the device
512 * sends a vendor specific event indicating that the bootup
513 * completed.
514 */
515 } else if (skb->len == 9 && hdr->evt == 0xff && hdr->plen == 0x07 &&
516 skb->data[2] == 0x02) {
517 if (test_and_clear_bit(STATE_BOOTING, &intel->flags)) {
518 smp_mb__after_atomic();
519 wake_up_bit(&intel->flags, STATE_BOOTING);
520 }
521 }
522recv:
523 return hci_recv_frame(hdev, skb);
524}
525
526static const struct h4_recv_pkt intel_recv_pkts[] = {
527 { H4_RECV_ACL, .recv = hci_recv_frame },
528 { H4_RECV_SCO, .recv = hci_recv_frame },
529 { H4_RECV_EVENT, .recv = intel_recv_event },
530};
531
532static int intel_recv(struct hci_uart *hu, const void *data, int count)
533{
534 struct intel_data *intel = hu->priv;
535
536 if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
537 return -EUNATCH;
538
539 intel->rx_skb = h4_recv_buf(hu->hdev, intel->rx_skb, data, count,
540 intel_recv_pkts,
541 ARRAY_SIZE(intel_recv_pkts));
542 if (IS_ERR(intel->rx_skb)) {
543 int err = PTR_ERR(intel->rx_skb);
544 BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err);
545 intel->rx_skb = NULL;
546 return err;
547 }
548
549 return count;
550}
551
552static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb)
553{
554 struct intel_data *intel = hu->priv;
555
556 BT_DBG("hu %p skb %p", hu, skb);
557
558 skb_queue_tail(&intel->txq, skb);
559
560 return 0;
561}
562
563static struct sk_buff *intel_dequeue(struct hci_uart *hu)
564{
565 struct intel_data *intel = hu->priv;
566 struct sk_buff *skb;
567
568 skb = skb_dequeue(&intel->txq);
569 if (!skb)
570 return skb;
571
572 if (test_bit(STATE_BOOTLOADER, &intel->flags) &&
573 (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT)) {
574 struct hci_command_hdr *cmd = (void *)skb->data;
575 __u16 opcode = le16_to_cpu(cmd->opcode);
576
577 /* When the 0xfc01 command is issued to boot into
578 * the operational firmware, it will actually not
579 * send a command complete event. To keep the flow
580 * control working inject that event here.
581 */
582 if (opcode == 0xfc01)
583 inject_cmd_complete(hu->hdev, opcode);
584 }
585
586 /* Prepend skb with frame type */
587 memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1);
588
589 return skb;
590}
591
592static const struct hci_uart_proto intel_proto = {
593 .id = HCI_UART_INTEL,
594 .name = "Intel",
595 .init_speed = 115200,
596 .open = intel_open,
597 .close = intel_close,
598 .flush = intel_flush,
599 .setup = intel_setup,
600 .recv = intel_recv,
601 .enqueue = intel_enqueue,
602 .dequeue = intel_dequeue,
603};
604
605int __init intel_init(void)
606{
607 return hci_uart_register_proto(&intel_proto);
608}
609
610int __exit intel_deinit(void)
611{
612 return hci_uart_unregister_proto(&intel_proto);
613}