3 * Bluetooth HCI UART driver for Intel devices
5 * Copyright (C) 2015 Intel Corporation
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 #include <linux/kernel.h>
25 #include <linux/errno.h>
26 #include <linux/skbuff.h>
27 #include <linux/firmware.h>
28 #include <linux/wait.h>
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
36 #define STATE_BOOTLOADER 0
37 #define STATE_DOWNLOADING 1
38 #define STATE_FIRMWARE_LOADED 2
39 #define STATE_FIRMWARE_FAILED 3
40 #define STATE_BOOTING 4
43 struct sk_buff *rx_skb;
44 struct sk_buff_head txq;
48 static int intel_open(struct hci_uart *hu)
50 struct intel_data *intel;
54 intel = kzalloc(sizeof(*intel), GFP_KERNEL);
58 skb_queue_head_init(&intel->txq);
64 static int intel_close(struct hci_uart *hu)
66 struct intel_data *intel = hu->priv;
70 skb_queue_purge(&intel->txq);
71 kfree_skb(intel->rx_skb);
78 static int intel_flush(struct hci_uart *hu)
80 struct intel_data *intel = hu->priv;
84 skb_queue_purge(&intel->txq);
89 static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode)
92 struct hci_event_hdr *hdr;
93 struct hci_ev_cmd_complete *evt;
95 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC);
99 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr));
100 hdr->evt = HCI_EV_CMD_COMPLETE;
101 hdr->plen = sizeof(*evt) + 1;
103 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt));
105 evt->opcode = cpu_to_le16(opcode);
107 *skb_put(skb, 1) = 0x00;
109 bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
111 return hci_recv_frame(hdev, skb);
114 static int intel_setup(struct hci_uart *hu)
116 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01,
117 0x00, 0x08, 0x04, 0x00 };
118 struct intel_data *intel = hu->priv;
119 struct hci_dev *hdev = hu->hdev;
121 struct intel_version *ver;
122 struct intel_boot_params *params;
123 const struct firmware *fw;
127 ktime_t calltime, delta, rettime;
128 unsigned long long duration;
131 BT_DBG("%s", hdev->name);
133 hu->hdev->set_bdaddr = btintel_set_bdaddr;
135 calltime = ktime_get();
137 set_bit(STATE_BOOTLOADER, &intel->flags);
139 /* Read the Intel version information to determine if the device
140 * is in bootloader mode or if it already has operational firmware
143 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
145 BT_ERR("%s: Reading Intel version information failed (%ld)",
146 hdev->name, PTR_ERR(skb));
150 if (skb->len != sizeof(*ver)) {
151 BT_ERR("%s: Intel version event size mismatch", hdev->name);
156 ver = (struct intel_version *)skb->data;
158 BT_ERR("%s: Intel version command failure (%02x)",
159 hdev->name, ver->status);
160 err = -bt_to_errno(ver->status);
165 /* The hardware platform number has a fixed value of 0x37 and
166 * for now only accept this single value.
168 if (ver->hw_platform != 0x37) {
169 BT_ERR("%s: Unsupported Intel hardware platform (%u)",
170 hdev->name, ver->hw_platform);
175 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is
176 * supported by this firmware loading method. This check has been
177 * put in place to ensure correct forward compatibility options
178 * when newer hardware variants come along.
180 if (ver->hw_variant != 0x0b) {
181 BT_ERR("%s: Unsupported Intel hardware variant (%u)",
182 hdev->name, ver->hw_variant);
187 btintel_version_info(hdev, ver);
189 /* The firmware variant determines if the device is in bootloader
190 * mode or is running operational firmware. The value 0x06 identifies
191 * the bootloader and the value 0x23 identifies the operational
194 * When the operational firmware is already present, then only
195 * the check for valid Bluetooth device address is needed. This
196 * determines if the device will be added as configured or
197 * unconfigured controller.
199 * It is not possible to use the Secure Boot Parameters in this
200 * case since that command is only available in bootloader mode.
202 if (ver->fw_variant == 0x23) {
204 clear_bit(STATE_BOOTLOADER, &intel->flags);
205 btintel_check_bdaddr(hdev);
209 /* If the device is not in bootloader mode, then the only possible
210 * choice is to return an error and abort the device initialization.
212 if (ver->fw_variant != 0x06) {
213 BT_ERR("%s: Unsupported Intel firmware variant (%u)",
214 hdev->name, ver->fw_variant);
221 /* Read the secure boot parameters to identify the operating
222 * details of the bootloader.
224 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
226 BT_ERR("%s: Reading Intel boot parameters failed (%ld)",
227 hdev->name, PTR_ERR(skb));
231 if (skb->len != sizeof(*params)) {
232 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name);
237 params = (struct intel_boot_params *)skb->data;
238 if (params->status) {
239 BT_ERR("%s: Intel boot parameters command failure (%02x)",
240 hdev->name, params->status);
241 err = -bt_to_errno(params->status);
246 BT_INFO("%s: Device revision is %u", hdev->name,
247 le16_to_cpu(params->dev_revid));
249 BT_INFO("%s: Secure boot is %s", hdev->name,
250 params->secure_boot ? "enabled" : "disabled");
252 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name,
253 params->min_fw_build_nn, params->min_fw_build_cw,
254 2000 + params->min_fw_build_yy);
256 /* It is required that every single firmware fragment is acknowledged
257 * with a command complete event. If the boot parameters indicate
258 * that this bootloader does not send them, then abort the setup.
260 if (params->limited_cce != 0x00) {
261 BT_ERR("%s: Unsupported Intel firmware loading method (%u)",
262 hdev->name, params->limited_cce);
267 /* If the OTP has no valid Bluetooth device address, then there will
268 * also be no valid address for the operational firmware.
270 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) {
271 BT_INFO("%s: No device address configured", hdev->name);
272 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
275 /* With this Intel bootloader only the hardware variant and device
276 * revision information are used to select the right firmware.
278 * Currently this bootloader support is limited to hardware variant
279 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b).
281 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi",
282 le16_to_cpu(params->dev_revid));
284 err = request_firmware(&fw, fwname, &hdev->dev);
286 BT_ERR("%s: Failed to load Intel firmware file (%d)",
292 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname);
296 if (fw->size < 644) {
297 BT_ERR("%s: Invalid size of firmware file (%zu)",
298 hdev->name, fw->size);
303 set_bit(STATE_DOWNLOADING, &intel->flags);
305 /* Start the firmware download transaction with the Init fragment
306 * represented by the 128 bytes of CSS header.
308 err = btintel_secure_send(hdev, 0x00, 128, fw->data);
310 BT_ERR("%s: Failed to send firmware header (%d)",
315 /* Send the 256 bytes of public key information from the firmware
316 * as the PKey fragment.
318 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
320 BT_ERR("%s: Failed to send firmware public key (%d)",
325 /* Send the 256 bytes of signature information from the firmware
326 * as the Sign fragment.
328 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
330 BT_ERR("%s: Failed to send firmware signature (%d)",
335 fw_ptr = fw->data + 644;
338 while (fw_ptr - fw->data < fw->size) {
339 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
341 frag_len += sizeof(*cmd) + cmd->plen;
343 BT_DBG("%s: patching %td/%zu", hdev->name,
344 (fw_ptr - fw->data), fw->size);
346 /* The parameter length of the secure send command requires
347 * a 4 byte alignment. It happens so that the firmware file
348 * contains proper Intel_NOP commands to align the fragments
351 * Send set of commands with 4 byte alignment from the
352 * firmware data buffer as a single Data fragement.
357 /* Send each command from the firmware data buffer as
358 * a single Data fragment.
360 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
362 BT_ERR("%s: Failed to send firmware data (%d)",
371 set_bit(STATE_FIRMWARE_LOADED, &intel->flags);
373 BT_INFO("%s: Waiting for firmware download to complete", hdev->name);
375 /* Before switching the device into operational mode and with that
376 * booting the loaded firmware, wait for the bootloader notification
377 * that all fragments have been successfully received.
379 * When the event processing receives the notification, then the
380 * STATE_DOWNLOADING flag will be cleared.
382 * The firmware loading should not take longer than 5 seconds
383 * and thus just timeout if that happens and fail the setup
386 err = wait_on_bit_timeout(&intel->flags, STATE_DOWNLOADING,
388 msecs_to_jiffies(5000));
390 BT_ERR("%s: Firmware loading interrupted", hdev->name);
396 BT_ERR("%s: Firmware loading timeout", hdev->name);
401 if (test_bit(STATE_FIRMWARE_FAILED, &intel->flags)) {
402 BT_ERR("%s: Firmware loading failed", hdev->name);
407 rettime = ktime_get();
408 delta = ktime_sub(rettime, calltime);
409 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
411 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration);
414 release_firmware(fw);
419 calltime = ktime_get();
421 set_bit(STATE_BOOTING, &intel->flags);
423 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param,
430 /* The bootloader will not indicate when the device is ready. This
431 * is done by the operational firmware sending bootup notification.
433 * Booting into operational firmware should not take longer than
434 * 1 second. However if that happens, then just fail the setup
435 * since something went wrong.
437 BT_INFO("%s: Waiting for device to boot", hdev->name);
439 err = wait_on_bit_timeout(&intel->flags, STATE_BOOTING,
441 msecs_to_jiffies(1000));
444 BT_ERR("%s: Device boot interrupted", hdev->name);
449 BT_ERR("%s: Device boot timeout", hdev->name);
453 rettime = ktime_get();
454 delta = ktime_sub(rettime, calltime);
455 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
457 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration);
459 clear_bit(STATE_BOOTLOADER, &intel->flags);
464 static int intel_recv_event(struct hci_dev *hdev, struct sk_buff *skb)
466 struct hci_uart *hu = hci_get_drvdata(hdev);
467 struct intel_data *intel = hu->priv;
468 struct hci_event_hdr *hdr;
470 if (!test_bit(STATE_BOOTLOADER, &intel->flags))
473 hdr = (void *)skb->data;
475 /* When the firmware loading completes the device sends
476 * out a vendor specific event indicating the result of
477 * the firmware loading.
479 if (skb->len == 7 && hdr->evt == 0xff && hdr->plen == 0x05 &&
480 skb->data[2] == 0x06) {
481 if (skb->data[3] != 0x00)
482 set_bit(STATE_FIRMWARE_FAILED, &intel->flags);
484 if (test_and_clear_bit(STATE_DOWNLOADING, &intel->flags) &&
485 test_bit(STATE_FIRMWARE_LOADED, &intel->flags)) {
486 smp_mb__after_atomic();
487 wake_up_bit(&intel->flags, STATE_DOWNLOADING);
490 /* When switching to the operational firmware the device
491 * sends a vendor specific event indicating that the bootup
494 } else if (skb->len == 9 && hdr->evt == 0xff && hdr->plen == 0x07 &&
495 skb->data[2] == 0x02) {
496 if (test_and_clear_bit(STATE_BOOTING, &intel->flags)) {
497 smp_mb__after_atomic();
498 wake_up_bit(&intel->flags, STATE_BOOTING);
502 return hci_recv_frame(hdev, skb);
505 static const struct h4_recv_pkt intel_recv_pkts[] = {
506 { H4_RECV_ACL, .recv = hci_recv_frame },
507 { H4_RECV_SCO, .recv = hci_recv_frame },
508 { H4_RECV_EVENT, .recv = intel_recv_event },
511 static int intel_recv(struct hci_uart *hu, const void *data, int count)
513 struct intel_data *intel = hu->priv;
515 if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
518 intel->rx_skb = h4_recv_buf(hu->hdev, intel->rx_skb, data, count,
520 ARRAY_SIZE(intel_recv_pkts));
521 if (IS_ERR(intel->rx_skb)) {
522 int err = PTR_ERR(intel->rx_skb);
523 BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err);
524 intel->rx_skb = NULL;
531 static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb)
533 struct intel_data *intel = hu->priv;
535 BT_DBG("hu %p skb %p", hu, skb);
537 skb_queue_tail(&intel->txq, skb);
542 static struct sk_buff *intel_dequeue(struct hci_uart *hu)
544 struct intel_data *intel = hu->priv;
547 skb = skb_dequeue(&intel->txq);
551 if (test_bit(STATE_BOOTLOADER, &intel->flags) &&
552 (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT)) {
553 struct hci_command_hdr *cmd = (void *)skb->data;
554 __u16 opcode = le16_to_cpu(cmd->opcode);
556 /* When the 0xfc01 command is issued to boot into
557 * the operational firmware, it will actually not
558 * send a command complete event. To keep the flow
559 * control working inject that event here.
561 if (opcode == 0xfc01)
562 inject_cmd_complete(hu->hdev, opcode);
565 /* Prepend skb with frame type */
566 memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1);
571 static const struct hci_uart_proto intel_proto = {
572 .id = HCI_UART_INTEL,
574 .init_speed = 115200,
576 .close = intel_close,
577 .flush = intel_flush,
578 .setup = intel_setup,
580 .enqueue = intel_enqueue,
581 .dequeue = intel_dequeue,
584 int __init intel_init(void)
586 return hci_uart_register_proto(&intel_proto);
589 int __exit intel_deinit(void)
591 return hci_uart_unregister_proto(&intel_proto);
projects / firefly-linux-kernel-4.4.55.git / blob