1 // SPDX-License-Identifier: GPL-2.0-or-later
4 * Bluetooth support for Intel devices
6 * Copyright (C) 2015 Intel Corporation
9 #include <linux/module.h>
10 #include <linux/firmware.h>
11 #include <linux/regmap.h>
12 #include <asm/unaligned.h>
14 #include <net/bluetooth/bluetooth.h>
15 #include <net/bluetooth/hci_core.h>
21 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
22 #define RSA_HEADER_LEN 644
23 #define CSS_HEADER_OFFSET 8
24 #define ECDSA_OFFSET 644
25 #define ECDSA_HEADER_LEN 320
27 #define CMD_WRITE_BOOT_PARAMS 0xfc0e
28 struct cmd_write_boot_params {
35 int btintel_check_bdaddr(struct hci_dev *hdev)
37 struct hci_rp_read_bd_addr *bda;
40 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
43 int err = PTR_ERR(skb);
44 bt_dev_err(hdev, "Reading Intel device address failed (%d)",
49 if (skb->len != sizeof(*bda)) {
50 bt_dev_err(hdev, "Intel device address length mismatch");
55 bda = (struct hci_rp_read_bd_addr *)skb->data;
57 /* For some Intel based controllers, the default Bluetooth device
58 * address 00:03:19:9E:8B:00 can be found. These controllers are
59 * fully operational, but have the danger of duplicate addresses
60 * and that in turn can cause problems with Bluetooth operation.
62 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
63 bt_dev_err(hdev, "Found Intel default device address (%pMR)",
65 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
72 EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
74 int btintel_enter_mfg(struct hci_dev *hdev)
76 static const u8 param[] = { 0x01, 0x00 };
79 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
81 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
89 EXPORT_SYMBOL_GPL(btintel_enter_mfg);
91 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
93 u8 param[] = { 0x00, 0x00 };
96 /* The 2nd command parameter specifies the manufacturing exit method:
97 * 0x00: Just disable the manufacturing mode (0x00).
98 * 0x01: Disable manufacturing mode and reset with patches deactivated.
99 * 0x02: Disable manufacturing mode and reset with patches activated.
102 param[1] |= patched ? 0x02 : 0x01;
104 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
106 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
114 EXPORT_SYMBOL_GPL(btintel_exit_mfg);
116 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
121 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
124 bt_dev_err(hdev, "Changing Intel device address failed (%d)",
132 EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
134 int btintel_set_diag(struct hci_dev *hdev, bool enable)
150 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
155 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)",
162 btintel_set_event_mask(hdev, enable);
165 EXPORT_SYMBOL_GPL(btintel_set_diag);
167 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
171 err = btintel_enter_mfg(hdev);
175 ret = btintel_set_diag(hdev, enable);
177 err = btintel_exit_mfg(hdev, false, false);
184 void btintel_hw_error(struct hci_dev *hdev, u8 code)
189 bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
191 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
193 bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
199 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
201 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
206 if (skb->len != 13) {
207 bt_dev_err(hdev, "Exception info size mismatch");
212 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
216 EXPORT_SYMBOL_GPL(btintel_hw_error);
218 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
222 /* The hardware platform number has a fixed value of 0x37 and
223 * for now only accept this single value.
225 if (ver->hw_platform != 0x37) {
226 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)",
231 /* Check for supported iBT hardware variants of this firmware
234 * This check has been put in place to ensure correct forward
235 * compatibility options when newer hardware variants come along.
237 switch (ver->hw_variant) {
238 case 0x07: /* WP - Legacy ROM */
239 case 0x08: /* StP - Legacy ROM */
248 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)",
253 switch (ver->fw_variant) {
255 variant = "Legacy ROM 2.5";
258 variant = "Bootloader";
261 variant = "Legacy ROM 2.x";
264 variant = "Firmware";
267 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant);
271 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u",
272 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
273 ver->fw_build_num, ver->fw_build_ww,
274 2000 + ver->fw_build_yy);
278 EXPORT_SYMBOL_GPL(btintel_version_info);
280 int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
285 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
287 cmd_param[0] = fragment_type;
288 memcpy(cmd_param + 1, param, fragment_len);
290 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
291 cmd_param, HCI_INIT_TIMEOUT);
297 plen -= fragment_len;
298 param += fragment_len;
303 EXPORT_SYMBOL_GPL(btintel_secure_send);
305 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
307 const struct firmware *fw;
312 err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
314 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
319 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
323 /* DDC file contains one or more DDC structure which has
324 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
326 while (fw->size > fw_ptr - fw->data) {
327 u8 cmd_plen = fw_ptr[0] + sizeof(u8);
329 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
332 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
334 release_firmware(fw);
342 release_firmware(fw);
344 bt_dev_info(hdev, "Applying Intel DDC parameters completed");
348 EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
350 int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
352 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
359 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
362 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err);
369 EXPORT_SYMBOL_GPL(btintel_set_event_mask);
371 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
375 err = btintel_enter_mfg(hdev);
379 ret = btintel_set_event_mask(hdev, debug);
381 err = btintel_exit_mfg(hdev, false, false);
387 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
389 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
393 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
395 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
400 if (skb->len != sizeof(*ver)) {
401 bt_dev_err(hdev, "Intel version event size mismatch");
406 memcpy(ver, skb->data, sizeof(*ver));
412 EXPORT_SYMBOL_GPL(btintel_read_version);
414 int btintel_version_info_tlv(struct hci_dev *hdev, struct intel_version_tlv *version)
418 /* The hardware platform number has a fixed value of 0x37 and
419 * for now only accept this single value.
421 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) {
422 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
423 INTEL_HW_PLATFORM(version->cnvi_bt));
427 /* Check for supported iBT hardware variants of this firmware
430 * This check has been put in place to ensure correct forward
431 * compatibility options when newer hardware variants come along.
433 switch (INTEL_HW_VARIANT(version->cnvi_bt)) {
436 case 0x19: /* Slr-F */
439 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)",
440 INTEL_HW_VARIANT(version->cnvi_bt));
444 switch (version->img_type) {
446 variant = "Bootloader";
447 /* It is required that every single firmware fragment is acknowledged
448 * with a command complete event. If the boot parameters indicate
449 * that this bootloader does not send them, then abort the setup.
451 if (version->limited_cce != 0x00) {
452 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)",
453 version->limited_cce);
457 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */
458 if (version->sbe_type > 0x01) {
459 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)",
464 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id);
465 bt_dev_info(hdev, "Secure boot is %s",
466 version->secure_boot ? "enabled" : "disabled");
467 bt_dev_info(hdev, "OTP lock is %s",
468 version->otp_lock ? "enabled" : "disabled");
469 bt_dev_info(hdev, "API lock is %s",
470 version->api_lock ? "enabled" : "disabled");
471 bt_dev_info(hdev, "Debug lock is %s",
472 version->debug_lock ? "enabled" : "disabled");
473 bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
474 version->min_fw_build_nn, version->min_fw_build_cw,
475 2000 + version->min_fw_build_yy);
478 variant = "Firmware";
481 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type);
485 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant,
486 2000 + (version->timestamp >> 8), version->timestamp & 0xff,
487 version->build_type, version->build_num);
491 EXPORT_SYMBOL_GPL(btintel_version_info_tlv);
493 static int btintel_parse_version_tlv(struct hci_dev *hdev,
494 struct intel_version_tlv *version,
497 /* Consume Command Complete Status field */
500 /* Event parameters contatin multiple TLVs. Read each of them
501 * and only keep the required data. Also, it use existing legacy
502 * version field like hw_platform, hw_variant, and fw_variant
503 * to keep the existing setup flow
506 struct intel_tlv *tlv;
508 /* Make sure skb has a minimum length of the header */
509 if (skb->len < sizeof(*tlv))
512 tlv = (struct intel_tlv *)skb->data;
514 /* Make sure skb has a enough data */
515 if (skb->len < tlv->len + sizeof(*tlv))
519 case INTEL_TLV_CNVI_TOP:
520 version->cnvi_top = get_unaligned_le32(tlv->val);
522 case INTEL_TLV_CNVR_TOP:
523 version->cnvr_top = get_unaligned_le32(tlv->val);
525 case INTEL_TLV_CNVI_BT:
526 version->cnvi_bt = get_unaligned_le32(tlv->val);
528 case INTEL_TLV_CNVR_BT:
529 version->cnvr_bt = get_unaligned_le32(tlv->val);
531 case INTEL_TLV_DEV_REV_ID:
532 version->dev_rev_id = get_unaligned_le16(tlv->val);
534 case INTEL_TLV_IMAGE_TYPE:
535 version->img_type = tlv->val[0];
537 case INTEL_TLV_TIME_STAMP:
538 /* If image type is Operational firmware (0x03), then
539 * running FW Calendar Week and Year information can
540 * be extracted from Timestamp information
542 version->min_fw_build_cw = tlv->val[0];
543 version->min_fw_build_yy = tlv->val[1];
544 version->timestamp = get_unaligned_le16(tlv->val);
546 case INTEL_TLV_BUILD_TYPE:
547 version->build_type = tlv->val[0];
549 case INTEL_TLV_BUILD_NUM:
550 /* If image type is Operational firmware (0x03), then
551 * running FW build number can be extracted from the
554 version->min_fw_build_nn = tlv->val[0];
555 version->build_num = get_unaligned_le32(tlv->val);
557 case INTEL_TLV_SECURE_BOOT:
558 version->secure_boot = tlv->val[0];
560 case INTEL_TLV_OTP_LOCK:
561 version->otp_lock = tlv->val[0];
563 case INTEL_TLV_API_LOCK:
564 version->api_lock = tlv->val[0];
566 case INTEL_TLV_DEBUG_LOCK:
567 version->debug_lock = tlv->val[0];
569 case INTEL_TLV_MIN_FW:
570 version->min_fw_build_nn = tlv->val[0];
571 version->min_fw_build_cw = tlv->val[1];
572 version->min_fw_build_yy = tlv->val[2];
574 case INTEL_TLV_LIMITED_CCE:
575 version->limited_cce = tlv->val[0];
577 case INTEL_TLV_SBE_TYPE:
578 version->sbe_type = tlv->val[0];
580 case INTEL_TLV_OTP_BDADDR:
581 memcpy(&version->otp_bd_addr, tlv->val,
585 /* Ignore rest of information */
588 /* consume the current tlv and move to next*/
589 skb_pull(skb, tlv->len + sizeof(*tlv));
595 int btintel_read_version_tlv(struct hci_dev *hdev, struct intel_version_tlv *version)
598 const u8 param[1] = { 0xFF };
603 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
605 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
611 bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
617 /* Consume Command Complete Status field */
620 /* Event parameters contatin multiple TLVs. Read each of them
621 * and only keep the required data. Also, it use existing legacy
622 * version field like hw_platform, hw_variant, and fw_variant
623 * to keep the existing setup flow
626 struct intel_tlv *tlv;
628 tlv = (struct intel_tlv *)skb->data;
630 case INTEL_TLV_CNVI_TOP:
631 version->cnvi_top = get_unaligned_le32(tlv->val);
633 case INTEL_TLV_CNVR_TOP:
634 version->cnvr_top = get_unaligned_le32(tlv->val);
636 case INTEL_TLV_CNVI_BT:
637 version->cnvi_bt = get_unaligned_le32(tlv->val);
639 case INTEL_TLV_CNVR_BT:
640 version->cnvr_bt = get_unaligned_le32(tlv->val);
642 case INTEL_TLV_DEV_REV_ID:
643 version->dev_rev_id = get_unaligned_le16(tlv->val);
645 case INTEL_TLV_IMAGE_TYPE:
646 version->img_type = tlv->val[0];
648 case INTEL_TLV_TIME_STAMP:
649 /* If image type is Operational firmware (0x03), then
650 * running FW Calendar Week and Year information can
651 * be extracted from Timestamp information
653 version->min_fw_build_cw = tlv->val[0];
654 version->min_fw_build_yy = tlv->val[1];
655 version->timestamp = get_unaligned_le16(tlv->val);
657 case INTEL_TLV_BUILD_TYPE:
658 version->build_type = tlv->val[0];
660 case INTEL_TLV_BUILD_NUM:
661 /* If image type is Operational firmware (0x03), then
662 * running FW build number can be extracted from the
665 version->min_fw_build_nn = tlv->val[0];
666 version->build_num = get_unaligned_le32(tlv->val);
668 case INTEL_TLV_SECURE_BOOT:
669 version->secure_boot = tlv->val[0];
671 case INTEL_TLV_OTP_LOCK:
672 version->otp_lock = tlv->val[0];
674 case INTEL_TLV_API_LOCK:
675 version->api_lock = tlv->val[0];
677 case INTEL_TLV_DEBUG_LOCK:
678 version->debug_lock = tlv->val[0];
680 case INTEL_TLV_MIN_FW:
681 version->min_fw_build_nn = tlv->val[0];
682 version->min_fw_build_cw = tlv->val[1];
683 version->min_fw_build_yy = tlv->val[2];
685 case INTEL_TLV_LIMITED_CCE:
686 version->limited_cce = tlv->val[0];
688 case INTEL_TLV_SBE_TYPE:
689 version->sbe_type = tlv->val[0];
691 case INTEL_TLV_OTP_BDADDR:
692 memcpy(&version->otp_bd_addr, tlv->val, tlv->len);
695 /* Ignore rest of information */
698 /* consume the current tlv and move to next*/
699 skb_pull(skb, tlv->len + sizeof(*tlv));
705 EXPORT_SYMBOL_GPL(btintel_read_version_tlv);
707 /* ------- REGMAP IBT SUPPORT ------- */
709 #define IBT_REG_MODE_8BIT 0x00
710 #define IBT_REG_MODE_16BIT 0x01
711 #define IBT_REG_MODE_32BIT 0x02
713 struct regmap_ibt_context {
714 struct hci_dev *hdev;
719 struct ibt_cp_reg_access {
726 struct ibt_rp_reg_access {
732 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
733 void *val, size_t val_size)
735 struct regmap_ibt_context *ctx = context;
736 struct ibt_cp_reg_access cp;
737 struct ibt_rp_reg_access *rp;
741 if (reg_size != sizeof(__le32))
746 cp.mode = IBT_REG_MODE_8BIT;
749 cp.mode = IBT_REG_MODE_16BIT;
752 cp.mode = IBT_REG_MODE_32BIT;
758 /* regmap provides a little-endian formatted addr */
759 cp.addr = *(__le32 *)addr;
762 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
764 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
768 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
769 le32_to_cpu(cp.addr), err);
773 if (skb->len != sizeof(*rp) + val_size) {
774 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
775 le32_to_cpu(cp.addr));
780 rp = (struct ibt_rp_reg_access *)skb->data;
782 if (rp->addr != cp.addr) {
783 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
784 le32_to_cpu(rp->addr));
789 memcpy(val, rp->data, val_size);
796 static int regmap_ibt_gather_write(void *context,
797 const void *addr, size_t reg_size,
798 const void *val, size_t val_size)
800 struct regmap_ibt_context *ctx = context;
801 struct ibt_cp_reg_access *cp;
803 int plen = sizeof(*cp) + val_size;
807 if (reg_size != sizeof(__le32))
812 mode = IBT_REG_MODE_8BIT;
815 mode = IBT_REG_MODE_16BIT;
818 mode = IBT_REG_MODE_32BIT;
824 cp = kmalloc(plen, GFP_KERNEL);
828 /* regmap provides a little-endian formatted addr/value */
829 cp->addr = *(__le32 *)addr;
832 memcpy(&cp->data, val, val_size);
834 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
836 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
839 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
840 le32_to_cpu(cp->addr), err);
850 static int regmap_ibt_write(void *context, const void *data, size_t count)
852 /* data contains register+value, since we only support 32bit addr,
853 * minimum data size is 4 bytes.
855 if (WARN_ONCE(count < 4, "Invalid register access"))
858 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
861 static void regmap_ibt_free_context(void *context)
866 static struct regmap_bus regmap_ibt = {
867 .read = regmap_ibt_read,
868 .write = regmap_ibt_write,
869 .gather_write = regmap_ibt_gather_write,
870 .free_context = regmap_ibt_free_context,
871 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
872 .val_format_endian_default = REGMAP_ENDIAN_LITTLE,
875 /* Config is the same for all register regions */
876 static const struct regmap_config regmap_ibt_cfg = {
877 .name = "btintel_regmap",
882 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
885 struct regmap_ibt_context *ctx;
887 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
890 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
892 return ERR_PTR(-ENOMEM);
894 ctx->op_read = opcode_read;
895 ctx->op_write = opcode_write;
898 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg);
900 EXPORT_SYMBOL_GPL(btintel_regmap_init);
902 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
904 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 };
907 params.boot_param = cpu_to_le32(boot_param);
909 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms,
912 bt_dev_err(hdev, "Failed to send Intel Reset command");
920 EXPORT_SYMBOL_GPL(btintel_send_intel_reset);
922 int btintel_read_boot_params(struct hci_dev *hdev,
923 struct intel_boot_params *params)
927 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
929 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)",
934 if (skb->len != sizeof(*params)) {
935 bt_dev_err(hdev, "Intel boot parameters size mismatch");
940 memcpy(params, skb->data, sizeof(*params));
944 if (params->status) {
945 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)",
947 return -bt_to_errno(params->status);
950 bt_dev_info(hdev, "Device revision is %u",
951 le16_to_cpu(params->dev_revid));
953 bt_dev_info(hdev, "Secure boot is %s",
954 params->secure_boot ? "enabled" : "disabled");
956 bt_dev_info(hdev, "OTP lock is %s",
957 params->otp_lock ? "enabled" : "disabled");
959 bt_dev_info(hdev, "API lock is %s",
960 params->api_lock ? "enabled" : "disabled");
962 bt_dev_info(hdev, "Debug lock is %s",
963 params->debug_lock ? "enabled" : "disabled");
965 bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
966 params->min_fw_build_nn, params->min_fw_build_cw,
967 2000 + params->min_fw_build_yy);
971 EXPORT_SYMBOL_GPL(btintel_read_boot_params);
973 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev,
974 const struct firmware *fw)
978 /* Start the firmware download transaction with the Init fragment
979 * represented by the 128 bytes of CSS header.
981 err = btintel_secure_send(hdev, 0x00, 128, fw->data);
983 bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
987 /* Send the 256 bytes of public key information from the firmware
988 * as the PKey fragment.
990 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
992 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
996 /* Send the 256 bytes of signature information from the firmware
997 * as the Sign fragment.
999 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
1001 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err);
1009 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev,
1010 const struct firmware *fw)
1014 /* Start the firmware download transaction with the Init fragment
1015 * represented by the 128 bytes of CSS header.
1017 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644);
1019 bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
1023 /* Send the 96 bytes of public key information from the firmware
1024 * as the PKey fragment.
1026 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128);
1028 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
1032 /* Send the 96 bytes of signature information from the firmware
1033 * as the Sign fragment
1035 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224);
1037 bt_dev_err(hdev, "Failed to send firmware signature (%d)",
1044 static int btintel_download_firmware_payload(struct hci_dev *hdev,
1045 const struct firmware *fw,
1052 fw_ptr = fw->data + offset;
1056 while (fw_ptr - fw->data < fw->size) {
1057 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
1059 frag_len += sizeof(*cmd) + cmd->plen;
1061 /* The parameter length of the secure send command requires
1062 * a 4 byte alignment. It happens so that the firmware file
1063 * contains proper Intel_NOP commands to align the fragments
1066 * Send set of commands with 4 byte alignment from the
1067 * firmware data buffer as a single Data fragement.
1069 if (!(frag_len % 4)) {
1070 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
1073 "Failed to send firmware data (%d)",
1087 static bool btintel_firmware_version(struct hci_dev *hdev,
1088 u8 num, u8 ww, u8 yy,
1089 const struct firmware *fw,
1096 while (fw_ptr - fw->data < fw->size) {
1097 struct hci_command_hdr *cmd = (void *)(fw_ptr);
1099 /* Each SKU has a different reset parameter to use in the
1100 * HCI_Intel_Reset command and it is embedded in the firmware
1101 * data. So, instead of using static value per SKU, check
1102 * the firmware data and save it for later use.
1104 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) {
1105 struct cmd_write_boot_params *params;
1107 params = (void *)(fw_ptr + sizeof(*cmd));
1109 bt_dev_info(hdev, "Boot Address: 0x%x",
1110 le32_to_cpu(params->boot_addr));
1112 bt_dev_info(hdev, "Firmware Version: %u-%u.%u",
1113 params->fw_build_num, params->fw_build_ww,
1114 params->fw_build_yy);
1116 return (num == params->fw_build_num &&
1117 ww == params->fw_build_ww &&
1118 yy == params->fw_build_yy);
1121 fw_ptr += sizeof(*cmd) + cmd->plen;
1127 int btintel_download_firmware(struct hci_dev *hdev,
1128 struct intel_version *ver,
1129 const struct firmware *fw,
1134 /* SfP and WsP don't seem to update the firmware version on file
1135 * so version checking is currently not possible.
1137 switch (ver->hw_variant) {
1138 case 0x0b: /* SfP */
1139 case 0x0c: /* WsP */
1140 /* Skip version checking */
1143 /* Skip reading firmware file version in bootloader mode */
1144 if (ver->fw_variant == 0x06)
1147 /* Skip download if firmware has the same version */
1148 if (btintel_firmware_version(hdev, ver->fw_build_num,
1149 ver->fw_build_ww, ver->fw_build_yy,
1151 bt_dev_info(hdev, "Firmware already loaded");
1152 /* Return -EALREADY to indicate that the firmware has
1153 * already been loaded.
1159 /* The firmware variant determines if the device is in bootloader
1160 * mode or is running operational firmware. The value 0x06 identifies
1161 * the bootloader and the value 0x23 identifies the operational
1164 * If the firmware version has changed that means it needs to be reset
1165 * to bootloader when operational so the new firmware can be loaded.
1167 if (ver->fw_variant == 0x23)
1170 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1174 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1176 EXPORT_SYMBOL_GPL(btintel_download_firmware);
1178 int btintel_download_firmware_newgen(struct hci_dev *hdev,
1179 struct intel_version_tlv *ver,
1180 const struct firmware *fw, u32 *boot_param,
1181 u8 hw_variant, u8 sbe_type)
1186 /* Skip reading firmware file version in bootloader mode */
1187 if (ver->img_type != 0x01) {
1188 /* Skip download if firmware has the same version */
1189 if (btintel_firmware_version(hdev, ver->min_fw_build_nn,
1190 ver->min_fw_build_cw,
1191 ver->min_fw_build_yy,
1193 bt_dev_info(hdev, "Firmware already loaded");
1194 /* Return -EALREADY to indicate that firmware has
1195 * already been loaded.
1201 /* The firmware variant determines if the device is in bootloader
1202 * mode or is running operational firmware. The value 0x01 identifies
1203 * the bootloader and the value 0x03 identifies the operational
1206 * If the firmware version has changed that means it needs to be reset
1207 * to bootloader when operational so the new firmware can be loaded.
1209 if (ver->img_type == 0x03)
1212 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support
1213 * only RSA secure boot engine. Hence, the corresponding sfi file will
1214 * have RSA header of 644 bytes followed by Command Buffer.
1216 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA
1217 * secure boot engine. As a result, the corresponding sfi file will
1218 * have RSA header of 644, ECDSA header of 320 bytes followed by
1221 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header
1222 * version: RSA(0x00010000) , ECDSA (0x00020000)
1224 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET);
1225 if (css_header_ver != 0x00010000) {
1226 bt_dev_err(hdev, "Invalid CSS Header version");
1230 if (hw_variant <= 0x14) {
1231 if (sbe_type != 0x00) {
1232 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)",
1237 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1241 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1244 } else if (hw_variant >= 0x17) {
1245 /* Check if CSS header for ECDSA follows the RSA header */
1246 if (fw->data[ECDSA_OFFSET] != 0x06)
1249 /* Check if the CSS Header version is ECDSA(0x00020000) */
1250 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET);
1251 if (css_header_ver != 0x00020000) {
1252 bt_dev_err(hdev, "Invalid CSS Header version");
1256 if (sbe_type == 0x00) {
1257 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1261 err = btintel_download_firmware_payload(hdev, fw,
1262 RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1265 } else if (sbe_type == 0x01) {
1266 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw);
1270 err = btintel_download_firmware_payload(hdev, fw,
1271 RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1278 EXPORT_SYMBOL_GPL(btintel_download_firmware_newgen);
1280 void btintel_reset_to_bootloader(struct hci_dev *hdev)
1282 struct intel_reset params;
1283 struct sk_buff *skb;
1285 /* Send Intel Reset command. This will result in
1286 * re-enumeration of BT controller.
1288 * Intel Reset parameter description:
1289 * reset_type : 0x00 (Soft reset),
1291 * patch_enable : 0x00 (Do not enable),
1293 * ddc_reload : 0x00 (Do not reload),
1295 * boot_option: 0x00 (Current image),
1296 * 0x01 (Specified boot address)
1297 * boot_param: Boot address
1300 params.reset_type = 0x01;
1301 params.patch_enable = 0x01;
1302 params.ddc_reload = 0x01;
1303 params.boot_option = 0x00;
1304 params.boot_param = cpu_to_le32(0x00000000);
1306 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params),
1307 ¶ms, HCI_INIT_TIMEOUT);
1309 bt_dev_err(hdev, "FW download error recovery failed (%ld)",
1313 bt_dev_info(hdev, "Intel reset sent to retry FW download");
1316 /* Current Intel BT controllers(ThP/JfP) hold the USB reset
1317 * lines for 2ms when it receives Intel Reset in bootloader mode.
1318 * Whereas, the upcoming Intel BT controllers will hold USB reset
1319 * for 150ms. To keep the delay generic, 150ms is chosen here.
1323 EXPORT_SYMBOL_GPL(btintel_reset_to_bootloader);
1325 int btintel_read_debug_features(struct hci_dev *hdev,
1326 struct intel_debug_features *features)
1328 struct sk_buff *skb;
1331 /* Intel controller supports two pages, each page is of 128-bit
1332 * feature bit mask. And each bit defines specific feature support
1334 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no,
1337 bt_dev_err(hdev, "Reading supported features failed (%ld)",
1339 return PTR_ERR(skb);
1342 if (skb->len != (sizeof(features->page1) + 3)) {
1343 bt_dev_err(hdev, "Supported features event size mismatch");
1348 memcpy(features->page1, skb->data + 3, sizeof(features->page1));
1350 /* Read the supported features page2 if required in future.
1355 EXPORT_SYMBOL_GPL(btintel_read_debug_features);
1357 int btintel_set_debug_features(struct hci_dev *hdev,
1358 const struct intel_debug_features *features)
1360 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x07, 0x00, 0x00, 0x00, 0x00,
1362 struct sk_buff *skb;
1367 if (!(features->page1[0] & 0x3f)) {
1368 bt_dev_info(hdev, "Telemetry exception format not supported");
1372 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1374 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1376 return PTR_ERR(skb);
1382 EXPORT_SYMBOL_GPL(btintel_set_debug_features);
1384 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev,
1385 struct intel_version *ver)
1387 const struct firmware *fw;
1391 snprintf(fwname, sizeof(fwname),
1392 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1393 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1394 ver->fw_variant, ver->fw_revision, ver->fw_build_num,
1395 ver->fw_build_ww, ver->fw_build_yy);
1397 ret = request_firmware(&fw, fwname, &hdev->dev);
1399 if (ret == -EINVAL) {
1400 bt_dev_err(hdev, "Intel firmware file request failed (%d)",
1405 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)",
1408 /* If the correct firmware patch file is not found, use the
1409 * default firmware patch file instead
1411 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1412 ver->hw_platform, ver->hw_variant);
1413 if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1414 bt_dev_err(hdev, "failed to open default fw file: %s",
1420 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname);
1425 static int btintel_legacy_rom_patching(struct hci_dev *hdev,
1426 const struct firmware *fw,
1427 const u8 **fw_ptr, int *disable_patch)
1429 struct sk_buff *skb;
1430 struct hci_command_hdr *cmd;
1431 const u8 *cmd_param;
1432 struct hci_event_hdr *evt = NULL;
1433 const u8 *evt_param = NULL;
1434 int remain = fw->size - (*fw_ptr - fw->data);
1436 /* The first byte indicates the types of the patch command or event.
1437 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1438 * in the current firmware buffer doesn't start with 0x01 or
1439 * the size of remain buffer is smaller than HCI command header,
1440 * the firmware file is corrupted and it should stop the patching
1443 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1444 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read");
1450 cmd = (struct hci_command_hdr *)(*fw_ptr);
1451 *fw_ptr += sizeof(*cmd);
1452 remain -= sizeof(*cmd);
1454 /* Ensure that the remain firmware data is long enough than the length
1455 * of command parameter. If not, the firmware file is corrupted.
1457 if (remain < cmd->plen) {
1458 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len");
1462 /* If there is a command that loads a patch in the firmware
1463 * file, then enable the patch upon success, otherwise just
1464 * disable the manufacturer mode, for example patch activation
1465 * is not required when the default firmware patch file is used
1466 * because there are no patch data to load.
1468 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1471 cmd_param = *fw_ptr;
1472 *fw_ptr += cmd->plen;
1473 remain -= cmd->plen;
1475 /* This reads the expected events when the above command is sent to the
1476 * device. Some vendor commands expects more than one events, for
1477 * example command status event followed by vendor specific event.
1478 * For this case, it only keeps the last expected event. so the command
1479 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1480 * last expected event.
1482 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1486 evt = (struct hci_event_hdr *)(*fw_ptr);
1487 *fw_ptr += sizeof(*evt);
1488 remain -= sizeof(*evt);
1490 if (remain < evt->plen) {
1491 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len");
1495 evt_param = *fw_ptr;
1496 *fw_ptr += evt->plen;
1497 remain -= evt->plen;
1500 /* Every HCI commands in the firmware file has its correspond event.
1501 * If event is not found or remain is smaller than zero, the firmware
1502 * file is corrupted.
1504 if (!evt || !evt_param || remain < 0) {
1505 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read");
1509 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1510 cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1512 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)",
1513 cmd->opcode, PTR_ERR(skb));
1514 return PTR_ERR(skb);
1517 /* It ensures that the returned event matches the event data read from
1518 * the firmware file. At fist, it checks the length and then
1519 * the contents of the event.
1521 if (skb->len != evt->plen) {
1522 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)",
1523 le16_to_cpu(cmd->opcode));
1528 if (memcmp(skb->data, evt_param, evt->plen)) {
1529 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)",
1530 le16_to_cpu(cmd->opcode));
1539 static int btintel_legacy_rom_setup(struct hci_dev *hdev,
1540 struct intel_version *ver)
1542 const struct firmware *fw;
1544 int disable_patch, err;
1545 struct intel_version new_ver;
1547 BT_DBG("%s", hdev->name);
1549 /* fw_patch_num indicates the version of patch the device currently
1550 * have. If there is no patch data in the device, it is always 0x00.
1551 * So, if it is other than 0x00, no need to patch the device again.
1553 if (ver->fw_patch_num) {
1555 "Intel device is already patched. patch num: %02x",
1560 /* Opens the firmware patch file based on the firmware version read
1561 * from the controller. If it fails to open the matching firmware
1562 * patch file, it tries to open the default firmware patch file.
1563 * If no patch file is found, allow the device to operate without
1566 fw = btintel_legacy_rom_get_fw(hdev, ver);
1571 /* Enable the manufacturer mode of the controller.
1572 * Only while this mode is enabled, the driver can download the
1573 * firmware patch data and configuration parameters.
1575 err = btintel_enter_mfg(hdev);
1577 release_firmware(fw);
1583 /* The firmware data file consists of list of Intel specific HCI
1584 * commands and its expected events. The first byte indicates the
1585 * type of the message, either HCI command or HCI event.
1587 * It reads the command and its expected event from the firmware file,
1588 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1589 * the returned event is compared with the event read from the firmware
1590 * file and it will continue until all the messages are downloaded to
1593 * Once the firmware patching is completed successfully,
1594 * the manufacturer mode is disabled with reset and activating the
1597 * If the firmware patching fails, the manufacturer mode is
1598 * disabled with reset and deactivating the patch.
1600 * If the default patch file is used, no reset is done when disabling
1603 while (fw->size > fw_ptr - fw->data) {
1606 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr,
1609 goto exit_mfg_deactivate;
1612 release_firmware(fw);
1615 goto exit_mfg_disable;
1617 /* Patching completed successfully and disable the manufacturer mode
1618 * with reset and activate the downloaded firmware patches.
1620 err = btintel_exit_mfg(hdev, true, true);
1624 /* Need build number for downloaded fw patches in
1625 * every power-on boot
1627 err = btintel_read_version(hdev, &new_ver);
1631 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated",
1632 new_ver.fw_patch_num);
1637 /* Disable the manufacturer mode without reset */
1638 err = btintel_exit_mfg(hdev, false, false);
1642 bt_dev_info(hdev, "Intel firmware patch completed");
1646 exit_mfg_deactivate:
1647 release_firmware(fw);
1649 /* Patching failed. Disable the manufacturer mode with reset and
1650 * deactivate the downloaded firmware patches.
1652 err = btintel_exit_mfg(hdev, true, false);
1656 bt_dev_info(hdev, "Intel firmware patch completed and deactivated");
1659 /* Set the event mask for Intel specific vendor events. This enables
1660 * a few extra events that are useful during general operation.
1662 btintel_set_event_mask_mfg(hdev, false);
1664 btintel_check_bdaddr(hdev);
1669 static int btintel_setup_combined(struct hci_dev *hdev)
1671 const u8 param[1] = { 0xFF };
1672 struct intel_version ver;
1673 struct intel_version_tlv ver_tlv;
1674 struct sk_buff *skb;
1677 BT_DBG("%s", hdev->name);
1679 /* Starting from TyP device, the command parameter and response are
1680 * changed even though the OCF for HCI_Intel_Read_Version command
1681 * remains same. The legacy devices can handle even if the
1682 * command has a parameter and returns a correct version information.
1683 * So, it uses new format to support both legacy and new format.
1685 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
1687 bt_dev_err(hdev, "Reading Intel version command failed (%ld)",
1689 return PTR_ERR(skb);
1692 /* Check the status */
1694 bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
1700 /* For Legacy device, check the HW platform value and size */
1701 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) {
1702 bt_dev_dbg(hdev, "Read the legacy Intel version information");
1704 memcpy(&ver, skb->data, sizeof(ver));
1706 /* Display version information */
1707 btintel_version_info(hdev, &ver);
1709 /* Check for supported iBT hardware variants of this firmware
1712 * This check has been put in place to ensure correct forward
1713 * compatibility options when newer hardware variants come
1716 switch (ver.hw_variant) {
1718 case 0x08: /* StP */
1719 /* Legacy ROM product */
1720 err = btintel_legacy_rom_setup(hdev, &ver);
1722 case 0x0b: /* SfP */
1723 case 0x0c: /* WsP */
1724 case 0x11: /* JfP */
1725 case 0x12: /* ThP */
1726 case 0x13: /* HrP */
1727 case 0x14: /* CcP */
1728 /* TODO: call setup routine for bootloader product */
1731 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
1739 /* For TLV type device, parse the tlv data */
1740 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb);
1742 bt_dev_err(hdev, "Failed to parse TLV version information");
1746 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) {
1747 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
1748 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt));
1753 /* Display version information of TLV type */
1754 btintel_version_info_tlv(hdev, &ver_tlv);
1756 /* TODO: Need to filter the device for new generation */
1757 /* TODO: call setup routine for tlv based bootloader product */
1765 static int btintel_shutdown_combined(struct hci_dev *hdev)
1767 struct sk_buff *skb;
1769 /* Send HCI Reset to the controller to stop any BT activity which
1770 * were triggered. This will help to save power and maintain the
1771 * sync b/w Host and controller
1773 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1775 bt_dev_err(hdev, "HCI reset during shutdown failed");
1776 return PTR_ERR(skb);
1783 int btintel_configure_setup(struct hci_dev *hdev)
1785 hdev->manufacturer = 2;
1786 hdev->setup = btintel_setup_combined;
1787 hdev->shutdown = btintel_shutdown_combined;
1788 hdev->set_diag = btintel_set_diag_mfg;
1789 hdev->set_bdaddr = btintel_set_bdaddr;
1793 EXPORT_SYMBOL_GPL(btintel_configure_setup);
1795 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1796 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
1797 MODULE_VERSION(VERSION);
1798 MODULE_LICENSE("GPL");
1799 MODULE_FIRMWARE("intel/ibt-11-5.sfi");
1800 MODULE_FIRMWARE("intel/ibt-11-5.ddc");
1801 MODULE_FIRMWARE("intel/ibt-12-16.sfi");
1802 MODULE_FIRMWARE("intel/ibt-12-16.ddc");