1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Firmware loading.
4 *
5 * Copyright (c) 2017-2020, Silicon Laboratories, Inc.
6 * Copyright (c) 2010, ST-Ericsson
7 */
8 #include <linux/firmware.h>
9 #include <linux/slab.h>
10 #include <linux/mm.h>
11 #include <linux/bitfield.h>
12
13 #include "fwio.h"
14 #include "wfx.h"
15 #include "hwio.h"
16
17 /* Addresses below are in SRAM area */
18 #define WFX_DNLD_FIFO 0x09004000
19 #define DNLD_BLOCK_SIZE 0x0400
20 #define DNLD_FIFO_SIZE 0x8000 /* (32 * DNLD_BLOCK_SIZE) */
21 /* Download Control Area (DCA) */
22 #define WFX_DCA_IMAGE_SIZE 0x0900C000
23 #define WFX_DCA_PUT 0x0900C004
24 #define WFX_DCA_GET 0x0900C008
25 #define WFX_DCA_HOST_STATUS 0x0900C00C
26 #define HOST_READY 0x87654321
27 #define HOST_INFO_READ 0xA753BD99
28 #define HOST_UPLOAD_PENDING 0xABCDDCBA
29 #define HOST_UPLOAD_COMPLETE 0xD4C64A99
30 #define HOST_OK_TO_JUMP 0x174FC882
31 #define WFX_DCA_NCP_STATUS 0x0900C010
32 #define NCP_NOT_READY 0x12345678
33 #define NCP_READY 0x87654321
34 #define NCP_INFO_READY 0xBD53EF99
35 #define NCP_DOWNLOAD_PENDING 0xABCDDCBA
36 #define NCP_DOWNLOAD_COMPLETE 0xCAFEFECA
37 #define NCP_AUTH_OK 0xD4C64A99
38 #define NCP_AUTH_FAIL 0x174FC882
39 #define NCP_PUB_KEY_RDY 0x7AB41D19
40 #define WFX_DCA_FW_SIGNATURE 0x0900C014
41 #define FW_SIGNATURE_SIZE 0x40
42 #define WFX_DCA_FW_HASH 0x0900C054
43 #define FW_HASH_SIZE 0x08
44 #define WFX_DCA_FW_VERSION 0x0900C05C
45 #define FW_VERSION_SIZE 0x04
46 #define WFX_DCA_RESERVED 0x0900C060
47 #define DCA_RESERVED_SIZE 0x20
48 #define WFX_STATUS_INFO 0x0900C080
49 #define WFX_BOOTLOADER_LABEL 0x0900C084
50 #define BOOTLOADER_LABEL_SIZE 0x3C
51 #define WFX_PTE_INFO 0x0900C0C0
52 #define PTE_INFO_KEYSET_IDX 0x0D
53 #define PTE_INFO_SIZE 0x10
54 #define WFX_ERR_INFO 0x0900C0D0
55 #define ERR_INVALID_SEC_TYPE 0x05
56 #define ERR_SIG_VERIF_FAILED 0x0F
57 #define ERR_AES_CTRL_KEY 0x10
58 #define ERR_ECC_PUB_KEY 0x11
59 #define ERR_MAC_KEY 0x18
60
61 #define DCA_TIMEOUT 50 /* milliseconds */
62 #define WAKEUP_TIMEOUT 200 /* milliseconds */
63
64 static const char * const fwio_errors[] = {
65 [ERR_INVALID_SEC_TYPE] = "Invalid section type or wrong encryption",
66 [ERR_SIG_VERIF_FAILED] = "Signature verification failed",
67 [ERR_AES_CTRL_KEY] = "AES control key not initialized",
68 [ERR_ECC_PUB_KEY] = "ECC public key not initialized",
69 [ERR_MAC_KEY] = "MAC key not initialized",
70 };
71
72 /* request_firmware() allocate data using vmalloc(). It is not compatible with
73 * underlying hardware that use DMA. Function below detect this case and
74 * allocate a bounce buffer if necessary.
75 *
76 * Notice that, in doubt, you can enable CONFIG_DEBUG_SG to ask kernel to
77 * detect this problem at runtime (else, kernel silently fail).
78 *
79 * NOTE: it may also be possible to use 'pages' from struct firmware and avoid
80 * bounce buffer
81 */
sram_write_dma_safe(struct wfx_dev * wdev,u32 addr,const u8 * buf,size_t len)82 static int sram_write_dma_safe(struct wfx_dev *wdev, u32 addr, const u8 *buf,
83 size_t len)
84 {
85 int ret;
86 const u8 *tmp;
87
88 if (!virt_addr_valid(buf)) {
89 tmp = kmemdup(buf, len, GFP_KERNEL);
90 if (!tmp)
91 return -ENOMEM;
92 } else {
93 tmp = buf;
94 }
95 ret = sram_buf_write(wdev, addr, tmp, len);
96 if (tmp != buf)
97 kfree(tmp);
98 return ret;
99 }
100
get_firmware(struct wfx_dev * wdev,u32 keyset_chip,const struct firmware ** fw,int * file_offset)101 static int get_firmware(struct wfx_dev *wdev, u32 keyset_chip,
102 const struct firmware **fw, int *file_offset)
103 {
104 int keyset_file;
105 char filename[256];
106 const char *data;
107 int ret;
108
109 snprintf(filename, sizeof(filename), "%s_%02X.sec",
110 wdev->pdata.file_fw, keyset_chip);
111 ret = firmware_request_nowarn(fw, filename, wdev->dev);
112 if (ret) {
113 dev_info(wdev->dev, "can't load %s, falling back to %s.sec\n",
114 filename, wdev->pdata.file_fw);
115 snprintf(filename, sizeof(filename), "%s.sec",
116 wdev->pdata.file_fw);
117 ret = request_firmware(fw, filename, wdev->dev);
118 if (ret) {
119 dev_err(wdev->dev, "can't load %s\n", filename);
120 *fw = NULL;
121 return ret;
122 }
123 }
124
125 data = (*fw)->data;
126 if (memcmp(data, "KEYSET", 6) != 0) {
127 /* Legacy firmware format */
128 *file_offset = 0;
129 keyset_file = 0x90;
130 } else {
131 *file_offset = 8;
132 keyset_file = (hex_to_bin(data[6]) * 16) | hex_to_bin(data[7]);
133 if (keyset_file < 0) {
134 dev_err(wdev->dev, "%s corrupted\n", filename);
135 release_firmware(*fw);
136 *fw = NULL;
137 return -EINVAL;
138 }
139 }
140 if (keyset_file != keyset_chip) {
141 dev_err(wdev->dev, "firmware keyset is incompatible with chip (file: 0x%02X, chip: 0x%02X)\n",
142 keyset_file, keyset_chip);
143 release_firmware(*fw);
144 *fw = NULL;
145 return -ENODEV;
146 }
147 wdev->keyset = keyset_file;
148 return 0;
149 }
150
wait_ncp_status(struct wfx_dev * wdev,u32 status)151 static int wait_ncp_status(struct wfx_dev *wdev, u32 status)
152 {
153 ktime_t now, start;
154 u32 reg;
155 int ret;
156
157 start = ktime_get();
158 for (;;) {
159 ret = sram_reg_read(wdev, WFX_DCA_NCP_STATUS, ®);
160 if (ret < 0)
161 return -EIO;
162 now = ktime_get();
163 if (reg == status)
164 break;
165 if (ktime_after(now, ktime_add_ms(start, DCA_TIMEOUT)))
166 return -ETIMEDOUT;
167 }
168 if (ktime_compare(now, start))
169 dev_dbg(wdev->dev, "chip answer after %lldus\n",
170 ktime_us_delta(now, start));
171 else
172 dev_dbg(wdev->dev, "chip answer immediately\n");
173 return 0;
174 }
175
upload_firmware(struct wfx_dev * wdev,const u8 * data,size_t len)176 static int upload_firmware(struct wfx_dev *wdev, const u8 *data, size_t len)
177 {
178 int ret;
179 u32 offs, bytes_done = 0;
180 ktime_t now, start;
181
182 if (len % DNLD_BLOCK_SIZE) {
183 dev_err(wdev->dev, "firmware size is not aligned. Buffer overrun will occur\n");
184 return -EIO;
185 }
186 offs = 0;
187 while (offs < len) {
188 start = ktime_get();
189 for (;;) {
190 now = ktime_get();
191 if (offs + DNLD_BLOCK_SIZE - bytes_done < DNLD_FIFO_SIZE)
192 break;
193 if (ktime_after(now, ktime_add_ms(start, DCA_TIMEOUT)))
194 return -ETIMEDOUT;
195 ret = sram_reg_read(wdev, WFX_DCA_GET, &bytes_done);
196 if (ret < 0)
197 return ret;
198 }
199 if (ktime_compare(now, start))
200 dev_dbg(wdev->dev, "answer after %lldus\n",
201 ktime_us_delta(now, start));
202
203 ret = sram_write_dma_safe(wdev, WFX_DNLD_FIFO +
204 (offs % DNLD_FIFO_SIZE),
205 data + offs, DNLD_BLOCK_SIZE);
206 if (ret < 0)
207 return ret;
208
209 /* The device seems to not support writing 0 in this register
210 * during first loop
211 */
212 offs += DNLD_BLOCK_SIZE;
213 ret = sram_reg_write(wdev, WFX_DCA_PUT, offs);
214 if (ret < 0)
215 return ret;
216 }
217 return 0;
218 }
219
print_boot_status(struct wfx_dev * wdev)220 static void print_boot_status(struct wfx_dev *wdev)
221 {
222 u32 reg;
223
224 sram_reg_read(wdev, WFX_STATUS_INFO, ®);
225 if (reg == 0x12345678)
226 return;
227 sram_reg_read(wdev, WFX_ERR_INFO, ®);
228 if (reg < ARRAY_SIZE(fwio_errors) && fwio_errors[reg])
229 dev_info(wdev->dev, "secure boot: %s\n", fwio_errors[reg]);
230 else
231 dev_info(wdev->dev, "secure boot: Error %#02x\n", reg);
232 }
233
load_firmware_secure(struct wfx_dev * wdev)234 static int load_firmware_secure(struct wfx_dev *wdev)
235 {
236 const struct firmware *fw = NULL;
237 int header_size;
238 int fw_offset;
239 ktime_t start;
240 u8 *buf;
241 int ret;
242
243 BUILD_BUG_ON(PTE_INFO_SIZE > BOOTLOADER_LABEL_SIZE);
244 buf = kmalloc(BOOTLOADER_LABEL_SIZE + 1, GFP_KERNEL);
245 if (!buf)
246 return -ENOMEM;
247
248 sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_READY);
249 ret = wait_ncp_status(wdev, NCP_INFO_READY);
250 if (ret)
251 goto error;
252
253 sram_buf_read(wdev, WFX_BOOTLOADER_LABEL, buf, BOOTLOADER_LABEL_SIZE);
254 buf[BOOTLOADER_LABEL_SIZE] = 0;
255 dev_dbg(wdev->dev, "bootloader: \"%s\"\n", buf);
256
257 sram_buf_read(wdev, WFX_PTE_INFO, buf, PTE_INFO_SIZE);
258 ret = get_firmware(wdev, buf[PTE_INFO_KEYSET_IDX], &fw, &fw_offset);
259 if (ret)
260 goto error;
261 header_size = fw_offset + FW_SIGNATURE_SIZE + FW_HASH_SIZE;
262
263 sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_INFO_READ);
264 ret = wait_ncp_status(wdev, NCP_READY);
265 if (ret)
266 goto error;
267
268 sram_reg_write(wdev, WFX_DNLD_FIFO, 0xFFFFFFFF); /* Fifo init */
269 sram_write_dma_safe(wdev, WFX_DCA_FW_VERSION, "\x01\x00\x00\x00",
270 FW_VERSION_SIZE);
271 sram_write_dma_safe(wdev, WFX_DCA_FW_SIGNATURE, fw->data + fw_offset,
272 FW_SIGNATURE_SIZE);
273 sram_write_dma_safe(wdev, WFX_DCA_FW_HASH,
274 fw->data + fw_offset + FW_SIGNATURE_SIZE,
275 FW_HASH_SIZE);
276 sram_reg_write(wdev, WFX_DCA_IMAGE_SIZE, fw->size - header_size);
277 sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_UPLOAD_PENDING);
278 ret = wait_ncp_status(wdev, NCP_DOWNLOAD_PENDING);
279 if (ret)
280 goto error;
281
282 start = ktime_get();
283 ret = upload_firmware(wdev, fw->data + header_size,
284 fw->size - header_size);
285 if (ret)
286 goto error;
287 dev_dbg(wdev->dev, "firmware load after %lldus\n",
288 ktime_us_delta(ktime_get(), start));
289
290 sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_UPLOAD_COMPLETE);
291 ret = wait_ncp_status(wdev, NCP_AUTH_OK);
292 /* Legacy ROM support */
293 if (ret < 0)
294 ret = wait_ncp_status(wdev, NCP_PUB_KEY_RDY);
295 if (ret < 0)
296 goto error;
297 sram_reg_write(wdev, WFX_DCA_HOST_STATUS, HOST_OK_TO_JUMP);
298
299 error:
300 kfree(buf);
301 if (fw)
302 release_firmware(fw);
303 if (ret)
304 print_boot_status(wdev);
305 return ret;
306 }
307
init_gpr(struct wfx_dev * wdev)308 static int init_gpr(struct wfx_dev *wdev)
309 {
310 int ret, i;
311 static const struct {
312 int index;
313 u32 value;
314 } gpr_init[] = {
315 { 0x07, 0x208775 },
316 { 0x08, 0x2EC020 },
317 { 0x09, 0x3C3C3C },
318 { 0x0B, 0x322C44 },
319 { 0x0C, 0xA06497 },
320 };
321
322 for (i = 0; i < ARRAY_SIZE(gpr_init); i++) {
323 ret = igpr_reg_write(wdev, gpr_init[i].index,
324 gpr_init[i].value);
325 if (ret < 0)
326 return ret;
327 dev_dbg(wdev->dev, " index %02x: %08x\n",
328 gpr_init[i].index, gpr_init[i].value);
329 }
330 return 0;
331 }
332
wfx_init_device(struct wfx_dev * wdev)333 int wfx_init_device(struct wfx_dev *wdev)
334 {
335 int ret;
336 int hw_revision, hw_type;
337 int wakeup_timeout = 50; /* ms */
338 ktime_t now, start;
339 u32 reg;
340
341 reg = CFG_DIRECT_ACCESS_MODE | CFG_CPU_RESET | CFG_BYTE_ORDER_ABCD;
342 if (wdev->pdata.use_rising_clk)
343 reg |= CFG_CLK_RISE_EDGE;
344 ret = config_reg_write(wdev, reg);
345 if (ret < 0) {
346 dev_err(wdev->dev, "bus returned an error during first write access. Host configuration error?\n");
347 return -EIO;
348 }
349
350 ret = config_reg_read(wdev, ®);
351 if (ret < 0) {
352 dev_err(wdev->dev, "bus returned an error during first read access. Bus configuration error?\n");
353 return -EIO;
354 }
355 if (reg == 0 || reg == ~0) {
356 dev_err(wdev->dev, "chip mute. Bus configuration error or chip wasn't reset?\n");
357 return -EIO;
358 }
359 dev_dbg(wdev->dev, "initial config register value: %08x\n", reg);
360
361 hw_revision = FIELD_GET(CFG_DEVICE_ID_MAJOR, reg);
362 if (hw_revision == 0) {
363 dev_err(wdev->dev, "bad hardware revision number: %d\n",
364 hw_revision);
365 return -ENODEV;
366 }
367 hw_type = FIELD_GET(CFG_DEVICE_ID_TYPE, reg);
368 if (hw_type == 1) {
369 dev_notice(wdev->dev, "development hardware detected\n");
370 wakeup_timeout = 2000;
371 }
372
373 ret = init_gpr(wdev);
374 if (ret < 0)
375 return ret;
376
377 ret = control_reg_write(wdev, CTRL_WLAN_WAKEUP);
378 if (ret < 0)
379 return -EIO;
380 start = ktime_get();
381 for (;;) {
382 ret = control_reg_read(wdev, ®);
383 now = ktime_get();
384 if (reg & CTRL_WLAN_READY)
385 break;
386 if (ktime_after(now, ktime_add_ms(start, wakeup_timeout))) {
387 dev_err(wdev->dev, "chip didn't wake up. Chip wasn't reset?\n");
388 return -ETIMEDOUT;
389 }
390 }
391 dev_dbg(wdev->dev, "chip wake up after %lldus\n",
392 ktime_us_delta(now, start));
393
394 ret = config_reg_write_bits(wdev, CFG_CPU_RESET, 0);
395 if (ret < 0)
396 return ret;
397 ret = load_firmware_secure(wdev);
398 if (ret < 0)
399 return ret;
400 return config_reg_write_bits(wdev,
401 CFG_DIRECT_ACCESS_MODE |
402 CFG_IRQ_ENABLE_DATA |
403 CFG_IRQ_ENABLE_WRDY,
404 CFG_IRQ_ENABLE_DATA);
405 }
406