1 // SPDX-License-Identifier: GPL-2.0-or-later
4 * Bluetooth support for Intel devices
6 * Copyright (C) 2015 Intel Corporation
9 #include <linux/module.h>
10 #include <linux/firmware.h>
11 #include <linux/regmap.h>
12 #include <asm/unaligned.h>
14 #include <net/bluetooth/bluetooth.h>
15 #include <net/bluetooth/hci_core.h>
21 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
22 #define RSA_HEADER_LEN 644
23 #define CSS_HEADER_OFFSET 8
24 #define ECDSA_OFFSET 644
25 #define ECDSA_HEADER_LEN 320
27 #define CMD_WRITE_BOOT_PARAMS 0xfc0e
28 struct cmd_write_boot_params {
35 int btintel_check_bdaddr(struct hci_dev *hdev)
37 struct hci_rp_read_bd_addr *bda;
40 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
43 int err = PTR_ERR(skb);
44 bt_dev_err(hdev, "Reading Intel device address failed (%d)",
49 if (skb->len != sizeof(*bda)) {
50 bt_dev_err(hdev, "Intel device address length mismatch");
55 bda = (struct hci_rp_read_bd_addr *)skb->data;
57 /* For some Intel based controllers, the default Bluetooth device
58 * address 00:03:19:9E:8B:00 can be found. These controllers are
59 * fully operational, but have the danger of duplicate addresses
60 * and that in turn can cause problems with Bluetooth operation.
62 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
63 bt_dev_err(hdev, "Found Intel default device address (%pMR)",
65 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
72 EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
74 int btintel_enter_mfg(struct hci_dev *hdev)
76 static const u8 param[] = { 0x01, 0x00 };
79 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
81 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
89 EXPORT_SYMBOL_GPL(btintel_enter_mfg);
91 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
93 u8 param[] = { 0x00, 0x00 };
96 /* The 2nd command parameter specifies the manufacturing exit method:
97 * 0x00: Just disable the manufacturing mode (0x00).
98 * 0x01: Disable manufacturing mode and reset with patches deactivated.
99 * 0x02: Disable manufacturing mode and reset with patches activated.
102 param[1] |= patched ? 0x02 : 0x01;
104 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
106 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
114 EXPORT_SYMBOL_GPL(btintel_exit_mfg);
116 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
121 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
124 bt_dev_err(hdev, "Changing Intel device address failed (%d)",
132 EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
134 int btintel_set_diag(struct hci_dev *hdev, bool enable)
150 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
155 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)",
162 btintel_set_event_mask(hdev, enable);
165 EXPORT_SYMBOL_GPL(btintel_set_diag);
167 int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
171 err = btintel_enter_mfg(hdev);
175 ret = btintel_set_diag(hdev, enable);
177 err = btintel_exit_mfg(hdev, false, false);
183 EXPORT_SYMBOL_GPL(btintel_set_diag_mfg);
185 void btintel_hw_error(struct hci_dev *hdev, u8 code)
190 bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
192 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
194 bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
200 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
202 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
207 if (skb->len != 13) {
208 bt_dev_err(hdev, "Exception info size mismatch");
213 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
217 EXPORT_SYMBOL_GPL(btintel_hw_error);
219 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
223 /* The hardware platform number has a fixed value of 0x37 and
224 * for now only accept this single value.
226 if (ver->hw_platform != 0x37) {
227 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)",
232 /* Check for supported iBT hardware variants of this firmware
235 * This check has been put in place to ensure correct forward
236 * compatibility options when newer hardware variants come along.
238 switch (ver->hw_variant) {
239 case 0x07: /* WP - Legacy ROM */
240 case 0x08: /* StP - Legacy ROM */
249 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)",
254 switch (ver->fw_variant) {
256 variant = "Legacy ROM 2.5";
259 variant = "Bootloader";
262 variant = "Legacy ROM 2.x";
265 variant = "Firmware";
268 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant);
272 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u",
273 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
274 ver->fw_build_num, ver->fw_build_ww,
275 2000 + ver->fw_build_yy);
279 EXPORT_SYMBOL_GPL(btintel_version_info);
281 int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
286 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
288 cmd_param[0] = fragment_type;
289 memcpy(cmd_param + 1, param, fragment_len);
291 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
292 cmd_param, HCI_INIT_TIMEOUT);
298 plen -= fragment_len;
299 param += fragment_len;
304 EXPORT_SYMBOL_GPL(btintel_secure_send);
306 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
308 const struct firmware *fw;
313 err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
315 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
320 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
324 /* DDC file contains one or more DDC structure which has
325 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
327 while (fw->size > fw_ptr - fw->data) {
328 u8 cmd_plen = fw_ptr[0] + sizeof(u8);
330 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
333 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
335 release_firmware(fw);
343 release_firmware(fw);
345 bt_dev_info(hdev, "Applying Intel DDC parameters completed");
349 EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
351 int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
353 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
360 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
363 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err);
370 EXPORT_SYMBOL_GPL(btintel_set_event_mask);
372 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
376 err = btintel_enter_mfg(hdev);
380 ret = btintel_set_event_mask(hdev, debug);
382 err = btintel_exit_mfg(hdev, false, false);
388 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
390 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
394 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
396 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
401 if (skb->len != sizeof(*ver)) {
402 bt_dev_err(hdev, "Intel version event size mismatch");
407 memcpy(ver, skb->data, sizeof(*ver));
413 EXPORT_SYMBOL_GPL(btintel_read_version);
415 int btintel_version_info_tlv(struct hci_dev *hdev, struct intel_version_tlv *version)
419 /* The hardware platform number has a fixed value of 0x37 and
420 * for now only accept this single value.
422 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) {
423 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
424 INTEL_HW_PLATFORM(version->cnvi_bt));
428 /* Check for supported iBT hardware variants of this firmware
431 * This check has been put in place to ensure correct forward
432 * compatibility options when newer hardware variants come along.
434 switch (INTEL_HW_VARIANT(version->cnvi_bt)) {
437 case 0x19: /* Slr-F */
440 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)",
441 INTEL_HW_VARIANT(version->cnvi_bt));
445 switch (version->img_type) {
447 variant = "Bootloader";
448 /* It is required that every single firmware fragment is acknowledged
449 * with a command complete event. If the boot parameters indicate
450 * that this bootloader does not send them, then abort the setup.
452 if (version->limited_cce != 0x00) {
453 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)",
454 version->limited_cce);
458 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */
459 if (version->sbe_type > 0x01) {
460 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)",
465 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id);
466 bt_dev_info(hdev, "Secure boot is %s",
467 version->secure_boot ? "enabled" : "disabled");
468 bt_dev_info(hdev, "OTP lock is %s",
469 version->otp_lock ? "enabled" : "disabled");
470 bt_dev_info(hdev, "API lock is %s",
471 version->api_lock ? "enabled" : "disabled");
472 bt_dev_info(hdev, "Debug lock is %s",
473 version->debug_lock ? "enabled" : "disabled");
474 bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
475 version->min_fw_build_nn, version->min_fw_build_cw,
476 2000 + version->min_fw_build_yy);
479 variant = "Firmware";
482 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type);
486 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant,
487 2000 + (version->timestamp >> 8), version->timestamp & 0xff,
488 version->build_type, version->build_num);
492 EXPORT_SYMBOL_GPL(btintel_version_info_tlv);
494 static int btintel_parse_version_tlv(struct hci_dev *hdev,
495 struct intel_version_tlv *version,
498 /* Consume Command Complete Status field */
501 /* Event parameters contatin multiple TLVs. Read each of them
502 * and only keep the required data. Also, it use existing legacy
503 * version field like hw_platform, hw_variant, and fw_variant
504 * to keep the existing setup flow
507 struct intel_tlv *tlv;
509 /* Make sure skb has a minimum length of the header */
510 if (skb->len < sizeof(*tlv))
513 tlv = (struct intel_tlv *)skb->data;
515 /* Make sure skb has a enough data */
516 if (skb->len < tlv->len + sizeof(*tlv))
520 case INTEL_TLV_CNVI_TOP:
521 version->cnvi_top = get_unaligned_le32(tlv->val);
523 case INTEL_TLV_CNVR_TOP:
524 version->cnvr_top = get_unaligned_le32(tlv->val);
526 case INTEL_TLV_CNVI_BT:
527 version->cnvi_bt = get_unaligned_le32(tlv->val);
529 case INTEL_TLV_CNVR_BT:
530 version->cnvr_bt = get_unaligned_le32(tlv->val);
532 case INTEL_TLV_DEV_REV_ID:
533 version->dev_rev_id = get_unaligned_le16(tlv->val);
535 case INTEL_TLV_IMAGE_TYPE:
536 version->img_type = tlv->val[0];
538 case INTEL_TLV_TIME_STAMP:
539 /* If image type is Operational firmware (0x03), then
540 * running FW Calendar Week and Year information can
541 * be extracted from Timestamp information
543 version->min_fw_build_cw = tlv->val[0];
544 version->min_fw_build_yy = tlv->val[1];
545 version->timestamp = get_unaligned_le16(tlv->val);
547 case INTEL_TLV_BUILD_TYPE:
548 version->build_type = tlv->val[0];
550 case INTEL_TLV_BUILD_NUM:
551 /* If image type is Operational firmware (0x03), then
552 * running FW build number can be extracted from the
555 version->min_fw_build_nn = tlv->val[0];
556 version->build_num = get_unaligned_le32(tlv->val);
558 case INTEL_TLV_SECURE_BOOT:
559 version->secure_boot = tlv->val[0];
561 case INTEL_TLV_OTP_LOCK:
562 version->otp_lock = tlv->val[0];
564 case INTEL_TLV_API_LOCK:
565 version->api_lock = tlv->val[0];
567 case INTEL_TLV_DEBUG_LOCK:
568 version->debug_lock = tlv->val[0];
570 case INTEL_TLV_MIN_FW:
571 version->min_fw_build_nn = tlv->val[0];
572 version->min_fw_build_cw = tlv->val[1];
573 version->min_fw_build_yy = tlv->val[2];
575 case INTEL_TLV_LIMITED_CCE:
576 version->limited_cce = tlv->val[0];
578 case INTEL_TLV_SBE_TYPE:
579 version->sbe_type = tlv->val[0];
581 case INTEL_TLV_OTP_BDADDR:
582 memcpy(&version->otp_bd_addr, tlv->val,
586 /* Ignore rest of information */
589 /* consume the current tlv and move to next*/
590 skb_pull(skb, tlv->len + sizeof(*tlv));
596 int btintel_read_version_tlv(struct hci_dev *hdev, struct intel_version_tlv *version)
599 const u8 param[1] = { 0xFF };
604 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
606 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
612 bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
618 /* Consume Command Complete Status field */
621 /* Event parameters contatin multiple TLVs. Read each of them
622 * and only keep the required data. Also, it use existing legacy
623 * version field like hw_platform, hw_variant, and fw_variant
624 * to keep the existing setup flow
627 struct intel_tlv *tlv;
629 tlv = (struct intel_tlv *)skb->data;
631 case INTEL_TLV_CNVI_TOP:
632 version->cnvi_top = get_unaligned_le32(tlv->val);
634 case INTEL_TLV_CNVR_TOP:
635 version->cnvr_top = get_unaligned_le32(tlv->val);
637 case INTEL_TLV_CNVI_BT:
638 version->cnvi_bt = get_unaligned_le32(tlv->val);
640 case INTEL_TLV_CNVR_BT:
641 version->cnvr_bt = get_unaligned_le32(tlv->val);
643 case INTEL_TLV_DEV_REV_ID:
644 version->dev_rev_id = get_unaligned_le16(tlv->val);
646 case INTEL_TLV_IMAGE_TYPE:
647 version->img_type = tlv->val[0];
649 case INTEL_TLV_TIME_STAMP:
650 /* If image type is Operational firmware (0x03), then
651 * running FW Calendar Week and Year information can
652 * be extracted from Timestamp information
654 version->min_fw_build_cw = tlv->val[0];
655 version->min_fw_build_yy = tlv->val[1];
656 version->timestamp = get_unaligned_le16(tlv->val);
658 case INTEL_TLV_BUILD_TYPE:
659 version->build_type = tlv->val[0];
661 case INTEL_TLV_BUILD_NUM:
662 /* If image type is Operational firmware (0x03), then
663 * running FW build number can be extracted from the
666 version->min_fw_build_nn = tlv->val[0];
667 version->build_num = get_unaligned_le32(tlv->val);
669 case INTEL_TLV_SECURE_BOOT:
670 version->secure_boot = tlv->val[0];
672 case INTEL_TLV_OTP_LOCK:
673 version->otp_lock = tlv->val[0];
675 case INTEL_TLV_API_LOCK:
676 version->api_lock = tlv->val[0];
678 case INTEL_TLV_DEBUG_LOCK:
679 version->debug_lock = tlv->val[0];
681 case INTEL_TLV_MIN_FW:
682 version->min_fw_build_nn = tlv->val[0];
683 version->min_fw_build_cw = tlv->val[1];
684 version->min_fw_build_yy = tlv->val[2];
686 case INTEL_TLV_LIMITED_CCE:
687 version->limited_cce = tlv->val[0];
689 case INTEL_TLV_SBE_TYPE:
690 version->sbe_type = tlv->val[0];
692 case INTEL_TLV_OTP_BDADDR:
693 memcpy(&version->otp_bd_addr, tlv->val, tlv->len);
696 /* Ignore rest of information */
699 /* consume the current tlv and move to next*/
700 skb_pull(skb, tlv->len + sizeof(*tlv));
706 EXPORT_SYMBOL_GPL(btintel_read_version_tlv);
708 /* ------- REGMAP IBT SUPPORT ------- */
710 #define IBT_REG_MODE_8BIT 0x00
711 #define IBT_REG_MODE_16BIT 0x01
712 #define IBT_REG_MODE_32BIT 0x02
714 struct regmap_ibt_context {
715 struct hci_dev *hdev;
720 struct ibt_cp_reg_access {
727 struct ibt_rp_reg_access {
733 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
734 void *val, size_t val_size)
736 struct regmap_ibt_context *ctx = context;
737 struct ibt_cp_reg_access cp;
738 struct ibt_rp_reg_access *rp;
742 if (reg_size != sizeof(__le32))
747 cp.mode = IBT_REG_MODE_8BIT;
750 cp.mode = IBT_REG_MODE_16BIT;
753 cp.mode = IBT_REG_MODE_32BIT;
759 /* regmap provides a little-endian formatted addr */
760 cp.addr = *(__le32 *)addr;
763 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
765 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
769 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
770 le32_to_cpu(cp.addr), err);
774 if (skb->len != sizeof(*rp) + val_size) {
775 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
776 le32_to_cpu(cp.addr));
781 rp = (struct ibt_rp_reg_access *)skb->data;
783 if (rp->addr != cp.addr) {
784 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
785 le32_to_cpu(rp->addr));
790 memcpy(val, rp->data, val_size);
797 static int regmap_ibt_gather_write(void *context,
798 const void *addr, size_t reg_size,
799 const void *val, size_t val_size)
801 struct regmap_ibt_context *ctx = context;
802 struct ibt_cp_reg_access *cp;
804 int plen = sizeof(*cp) + val_size;
808 if (reg_size != sizeof(__le32))
813 mode = IBT_REG_MODE_8BIT;
816 mode = IBT_REG_MODE_16BIT;
819 mode = IBT_REG_MODE_32BIT;
825 cp = kmalloc(plen, GFP_KERNEL);
829 /* regmap provides a little-endian formatted addr/value */
830 cp->addr = *(__le32 *)addr;
833 memcpy(&cp->data, val, val_size);
835 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
837 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
840 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
841 le32_to_cpu(cp->addr), err);
851 static int regmap_ibt_write(void *context, const void *data, size_t count)
853 /* data contains register+value, since we only support 32bit addr,
854 * minimum data size is 4 bytes.
856 if (WARN_ONCE(count < 4, "Invalid register access"))
859 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
862 static void regmap_ibt_free_context(void *context)
867 static struct regmap_bus regmap_ibt = {
868 .read = regmap_ibt_read,
869 .write = regmap_ibt_write,
870 .gather_write = regmap_ibt_gather_write,
871 .free_context = regmap_ibt_free_context,
872 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
873 .val_format_endian_default = REGMAP_ENDIAN_LITTLE,
876 /* Config is the same for all register regions */
877 static const struct regmap_config regmap_ibt_cfg = {
878 .name = "btintel_regmap",
883 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
886 struct regmap_ibt_context *ctx;
888 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
891 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
893 return ERR_PTR(-ENOMEM);
895 ctx->op_read = opcode_read;
896 ctx->op_write = opcode_write;
899 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg);
901 EXPORT_SYMBOL_GPL(btintel_regmap_init);
903 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
905 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 };
908 params.boot_param = cpu_to_le32(boot_param);
910 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms,
913 bt_dev_err(hdev, "Failed to send Intel Reset command");
921 EXPORT_SYMBOL_GPL(btintel_send_intel_reset);
923 int btintel_read_boot_params(struct hci_dev *hdev,
924 struct intel_boot_params *params)
928 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
930 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)",
935 if (skb->len != sizeof(*params)) {
936 bt_dev_err(hdev, "Intel boot parameters size mismatch");
941 memcpy(params, skb->data, sizeof(*params));
945 if (params->status) {
946 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)",
948 return -bt_to_errno(params->status);
951 bt_dev_info(hdev, "Device revision is %u",
952 le16_to_cpu(params->dev_revid));
954 bt_dev_info(hdev, "Secure boot is %s",
955 params->secure_boot ? "enabled" : "disabled");
957 bt_dev_info(hdev, "OTP lock is %s",
958 params->otp_lock ? "enabled" : "disabled");
960 bt_dev_info(hdev, "API lock is %s",
961 params->api_lock ? "enabled" : "disabled");
963 bt_dev_info(hdev, "Debug lock is %s",
964 params->debug_lock ? "enabled" : "disabled");
966 bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
967 params->min_fw_build_nn, params->min_fw_build_cw,
968 2000 + params->min_fw_build_yy);
972 EXPORT_SYMBOL_GPL(btintel_read_boot_params);
974 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev,
975 const struct firmware *fw)
979 /* Start the firmware download transaction with the Init fragment
980 * represented by the 128 bytes of CSS header.
982 err = btintel_secure_send(hdev, 0x00, 128, fw->data);
984 bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
988 /* Send the 256 bytes of public key information from the firmware
989 * as the PKey fragment.
991 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
993 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
997 /* Send the 256 bytes of signature information from the firmware
998 * as the Sign fragment.
1000 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
1002 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err);
1010 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev,
1011 const struct firmware *fw)
1015 /* Start the firmware download transaction with the Init fragment
1016 * represented by the 128 bytes of CSS header.
1018 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644);
1020 bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
1024 /* Send the 96 bytes of public key information from the firmware
1025 * as the PKey fragment.
1027 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128);
1029 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
1033 /* Send the 96 bytes of signature information from the firmware
1034 * as the Sign fragment
1036 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224);
1038 bt_dev_err(hdev, "Failed to send firmware signature (%d)",
1045 static int btintel_download_firmware_payload(struct hci_dev *hdev,
1046 const struct firmware *fw,
1053 fw_ptr = fw->data + offset;
1057 while (fw_ptr - fw->data < fw->size) {
1058 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
1060 frag_len += sizeof(*cmd) + cmd->plen;
1062 /* The parameter length of the secure send command requires
1063 * a 4 byte alignment. It happens so that the firmware file
1064 * contains proper Intel_NOP commands to align the fragments
1067 * Send set of commands with 4 byte alignment from the
1068 * firmware data buffer as a single Data fragement.
1070 if (!(frag_len % 4)) {
1071 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
1074 "Failed to send firmware data (%d)",
1088 static bool btintel_firmware_version(struct hci_dev *hdev,
1089 u8 num, u8 ww, u8 yy,
1090 const struct firmware *fw,
1097 while (fw_ptr - fw->data < fw->size) {
1098 struct hci_command_hdr *cmd = (void *)(fw_ptr);
1100 /* Each SKU has a different reset parameter to use in the
1101 * HCI_Intel_Reset command and it is embedded in the firmware
1102 * data. So, instead of using static value per SKU, check
1103 * the firmware data and save it for later use.
1105 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) {
1106 struct cmd_write_boot_params *params;
1108 params = (void *)(fw_ptr + sizeof(*cmd));
1110 bt_dev_info(hdev, "Boot Address: 0x%x",
1111 le32_to_cpu(params->boot_addr));
1113 bt_dev_info(hdev, "Firmware Version: %u-%u.%u",
1114 params->fw_build_num, params->fw_build_ww,
1115 params->fw_build_yy);
1117 return (num == params->fw_build_num &&
1118 ww == params->fw_build_ww &&
1119 yy == params->fw_build_yy);
1122 fw_ptr += sizeof(*cmd) + cmd->plen;
1128 int btintel_download_firmware(struct hci_dev *hdev,
1129 struct intel_version *ver,
1130 const struct firmware *fw,
1135 /* SfP and WsP don't seem to update the firmware version on file
1136 * so version checking is currently not possible.
1138 switch (ver->hw_variant) {
1139 case 0x0b: /* SfP */
1140 case 0x0c: /* WsP */
1141 /* Skip version checking */
1144 /* Skip reading firmware file version in bootloader mode */
1145 if (ver->fw_variant == 0x06)
1148 /* Skip download if firmware has the same version */
1149 if (btintel_firmware_version(hdev, ver->fw_build_num,
1150 ver->fw_build_ww, ver->fw_build_yy,
1152 bt_dev_info(hdev, "Firmware already loaded");
1153 /* Return -EALREADY to indicate that the firmware has
1154 * already been loaded.
1160 /* The firmware variant determines if the device is in bootloader
1161 * mode or is running operational firmware. The value 0x06 identifies
1162 * the bootloader and the value 0x23 identifies the operational
1165 * If the firmware version has changed that means it needs to be reset
1166 * to bootloader when operational so the new firmware can be loaded.
1168 if (ver->fw_variant == 0x23)
1171 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1175 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1177 EXPORT_SYMBOL_GPL(btintel_download_firmware);
1179 int btintel_download_firmware_newgen(struct hci_dev *hdev,
1180 struct intel_version_tlv *ver,
1181 const struct firmware *fw, u32 *boot_param,
1182 u8 hw_variant, u8 sbe_type)
1187 /* Skip reading firmware file version in bootloader mode */
1188 if (ver->img_type != 0x01) {
1189 /* Skip download if firmware has the same version */
1190 if (btintel_firmware_version(hdev, ver->min_fw_build_nn,
1191 ver->min_fw_build_cw,
1192 ver->min_fw_build_yy,
1194 bt_dev_info(hdev, "Firmware already loaded");
1195 /* Return -EALREADY to indicate that firmware has
1196 * already been loaded.
1202 /* The firmware variant determines if the device is in bootloader
1203 * mode or is running operational firmware. The value 0x01 identifies
1204 * the bootloader and the value 0x03 identifies the operational
1207 * If the firmware version has changed that means it needs to be reset
1208 * to bootloader when operational so the new firmware can be loaded.
1210 if (ver->img_type == 0x03)
1213 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support
1214 * only RSA secure boot engine. Hence, the corresponding sfi file will
1215 * have RSA header of 644 bytes followed by Command Buffer.
1217 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA
1218 * secure boot engine. As a result, the corresponding sfi file will
1219 * have RSA header of 644, ECDSA header of 320 bytes followed by
1222 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header
1223 * version: RSA(0x00010000) , ECDSA (0x00020000)
1225 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET);
1226 if (css_header_ver != 0x00010000) {
1227 bt_dev_err(hdev, "Invalid CSS Header version");
1231 if (hw_variant <= 0x14) {
1232 if (sbe_type != 0x00) {
1233 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)",
1238 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1242 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1245 } else if (hw_variant >= 0x17) {
1246 /* Check if CSS header for ECDSA follows the RSA header */
1247 if (fw->data[ECDSA_OFFSET] != 0x06)
1250 /* Check if the CSS Header version is ECDSA(0x00020000) */
1251 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET);
1252 if (css_header_ver != 0x00020000) {
1253 bt_dev_err(hdev, "Invalid CSS Header version");
1257 if (sbe_type == 0x00) {
1258 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1262 err = btintel_download_firmware_payload(hdev, fw,
1263 RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1266 } else if (sbe_type == 0x01) {
1267 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw);
1271 err = btintel_download_firmware_payload(hdev, fw,
1272 RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1279 EXPORT_SYMBOL_GPL(btintel_download_firmware_newgen);
1281 void btintel_reset_to_bootloader(struct hci_dev *hdev)
1283 struct intel_reset params;
1284 struct sk_buff *skb;
1286 /* Send Intel Reset command. This will result in
1287 * re-enumeration of BT controller.
1289 * Intel Reset parameter description:
1290 * reset_type : 0x00 (Soft reset),
1292 * patch_enable : 0x00 (Do not enable),
1294 * ddc_reload : 0x00 (Do not reload),
1296 * boot_option: 0x00 (Current image),
1297 * 0x01 (Specified boot address)
1298 * boot_param: Boot address
1301 params.reset_type = 0x01;
1302 params.patch_enable = 0x01;
1303 params.ddc_reload = 0x01;
1304 params.boot_option = 0x00;
1305 params.boot_param = cpu_to_le32(0x00000000);
1307 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params),
1308 ¶ms, HCI_INIT_TIMEOUT);
1310 bt_dev_err(hdev, "FW download error recovery failed (%ld)",
1314 bt_dev_info(hdev, "Intel reset sent to retry FW download");
1317 /* Current Intel BT controllers(ThP/JfP) hold the USB reset
1318 * lines for 2ms when it receives Intel Reset in bootloader mode.
1319 * Whereas, the upcoming Intel BT controllers will hold USB reset
1320 * for 150ms. To keep the delay generic, 150ms is chosen here.
1324 EXPORT_SYMBOL_GPL(btintel_reset_to_bootloader);
1326 int btintel_read_debug_features(struct hci_dev *hdev,
1327 struct intel_debug_features *features)
1329 struct sk_buff *skb;
1332 /* Intel controller supports two pages, each page is of 128-bit
1333 * feature bit mask. And each bit defines specific feature support
1335 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no,
1338 bt_dev_err(hdev, "Reading supported features failed (%ld)",
1340 return PTR_ERR(skb);
1343 if (skb->len != (sizeof(features->page1) + 3)) {
1344 bt_dev_err(hdev, "Supported features event size mismatch");
1349 memcpy(features->page1, skb->data + 3, sizeof(features->page1));
1351 /* Read the supported features page2 if required in future.
1356 EXPORT_SYMBOL_GPL(btintel_read_debug_features);
1358 int btintel_set_debug_features(struct hci_dev *hdev,
1359 const struct intel_debug_features *features)
1361 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x07, 0x00, 0x00, 0x00, 0x00,
1363 struct sk_buff *skb;
1368 if (!(features->page1[0] & 0x3f)) {
1369 bt_dev_info(hdev, "Telemetry exception format not supported");
1373 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1375 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1377 return PTR_ERR(skb);
1383 EXPORT_SYMBOL_GPL(btintel_set_debug_features);
1385 static int btintel_setup_combined(struct hci_dev *hdev)
1387 const u8 param[1] = { 0xFF };
1388 struct intel_version ver;
1389 struct intel_version_tlv ver_tlv;
1390 struct sk_buff *skb;
1393 BT_DBG("%s", hdev->name);
1395 /* Starting from TyP device, the command parameter and response are
1396 * changed even though the OCF for HCI_Intel_Read_Version command
1397 * remains same. The legacy devices can handle even if the
1398 * command has a parameter and returns a correct version information.
1399 * So, it uses new format to support both legacy and new format.
1401 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
1403 bt_dev_err(hdev, "Reading Intel version command failed (%ld)",
1405 return PTR_ERR(skb);
1408 /* Check the status */
1410 bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
1416 /* For Legacy device, check the HW platform value and size */
1417 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) {
1418 bt_dev_dbg(hdev, "Read the legacy Intel version information");
1420 memcpy(&ver, skb->data, sizeof(ver));
1422 /* Display version information */
1423 btintel_version_info(hdev, &ver);
1425 /* Check for supported iBT hardware variants of this firmware
1428 * This check has been put in place to ensure correct forward
1429 * compatibility options when newer hardware variants come
1432 switch (ver.hw_variant) {
1434 case 0x08: /* StP */
1435 /* Legacy ROM product */
1436 /* TODO: call setup routine for legacy rom product */
1438 case 0x0b: /* SfP */
1439 case 0x0c: /* WsP */
1440 case 0x11: /* JfP */
1441 case 0x12: /* ThP */
1442 case 0x13: /* HrP */
1443 case 0x14: /* CcP */
1444 /* TODO: call setup routine for bootloader product */
1447 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
1455 /* For TLV type device, parse the tlv data */
1456 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb);
1458 bt_dev_err(hdev, "Failed to parse TLV version information");
1462 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) {
1463 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
1464 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt));
1469 /* Display version information of TLV type */
1470 btintel_version_info_tlv(hdev, &ver_tlv);
1472 /* TODO: Need to filter the device for new generation */
1473 /* TODO: call setup routine for tlv based bootloader product */
1481 static int btintel_shutdown_combined(struct hci_dev *hdev)
1483 struct sk_buff *skb;
1485 /* Send HCI Reset to the controller to stop any BT activity which
1486 * were triggered. This will help to save power and maintain the
1487 * sync b/w Host and controller
1489 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1491 bt_dev_err(hdev, "HCI reset during shutdown failed");
1492 return PTR_ERR(skb);
1499 int btintel_configure_setup(struct hci_dev *hdev)
1501 /* TODO: Setup hdev callback here */
1502 hdev->manufacturer = 2;
1503 hdev->setup = btintel_setup_combined;
1504 hdev->shutdown = btintel_shutdown_combined;
1508 EXPORT_SYMBOL_GPL(btintel_configure_setup);
1510 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1511 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
1512 MODULE_VERSION(VERSION);
1513 MODULE_LICENSE("GPL");
1514 MODULE_FIRMWARE("intel/ibt-11-5.sfi");
1515 MODULE_FIRMWARE("intel/ibt-11-5.ddc");
1516 MODULE_FIRMWARE("intel/ibt-12-16.sfi");
1517 MODULE_FIRMWARE("intel/ibt-12-16.ddc");
projects / linux-2.6-microblaze.git / blob