1 // SPDX-License-Identifier: GPL-2.0
3 * Microchip Polarfire SoC "Auto Update" FPGA reprogramming.
5 * Documentation of this functionality is available in the "PolarFire® FPGA and
6 * PolarFire SoC FPGA Programming" User Guide.
8 * Copyright (c) 2022-2023 Microchip Corporation. All rights reserved.
10 * Author: Conor Dooley <conor.dooley@microchip.com>
12 #include <linux/debugfs.h>
13 #include <linux/firmware.h>
14 #include <linux/math.h>
15 #include <linux/module.h>
16 #include <linux/mtd/mtd.h>
17 #include <linux/platform_device.h>
18 #include <linux/sizes.h>
20 #include <soc/microchip/mpfs.h>
22 #define AUTO_UPDATE_DEFAULT_MBOX_OFFSET 0u
23 #define AUTO_UPDATE_DEFAULT_RESP_OFFSET 0u
25 #define AUTO_UPDATE_FEATURE_CMD_OPCODE 0x05u
26 #define AUTO_UPDATE_FEATURE_CMD_DATA_SIZE 0u
27 #define AUTO_UPDATE_FEATURE_RESP_SIZE 33u
28 #define AUTO_UPDATE_FEATURE_CMD_DATA NULL
29 #define AUTO_UPDATE_FEATURE_ENABLED BIT(5)
31 #define AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE 0x22u
32 #define AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE 0u
33 #define AUTO_UPDATE_AUTHENTICATE_RESP_SIZE 1u
34 #define AUTO_UPDATE_AUTHENTICATE_CMD_DATA NULL
36 #define AUTO_UPDATE_PROGRAM_CMD_OPCODE 0x46u
37 #define AUTO_UPDATE_PROGRAM_CMD_DATA_SIZE 0u
38 #define AUTO_UPDATE_PROGRAM_RESP_SIZE 1u
39 #define AUTO_UPDATE_PROGRAM_CMD_DATA NULL
42 * SPI Flash layout example:
43 * |------------------------------| 0x0000000
45 * | SPI "directories" |
46 * |------------------------------| 0x0000400
49 * | Used for bitstream info |
50 * |------------------------------| 0x0100400
53 * |------------------------------| 0x1500400
55 * | Auto Upgrade Image |
56 * |------------------------------| 0x2900400
58 * | Reserved for multi-image IAP |
59 * | Unused for Auto Upgrade |
60 * |------------------------------| 0x3D00400
63 * |------------------------------| 0x?
65 #define AUTO_UPDATE_DIRECTORY_BASE 0u
66 #define AUTO_UPDATE_DIRECTORY_WIDTH 4u
67 #define AUTO_UPDATE_GOLDEN_INDEX 0u
68 #define AUTO_UPDATE_UPGRADE_INDEX 1u
69 #define AUTO_UPDATE_BLANK_INDEX 2u
70 #define AUTO_UPDATE_GOLDEN_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_GOLDEN_INDEX)
71 #define AUTO_UPDATE_UPGRADE_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_UPGRADE_INDEX)
72 #define AUTO_UPDATE_BLANK_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_BLANK_INDEX)
73 #define AUTO_UPDATE_DIRECTORY_SIZE SZ_1K
74 #define AUTO_UPDATE_RESERVED_SIZE SZ_1M
75 #define AUTO_UPDATE_BITSTREAM_BASE (AUTO_UPDATE_DIRECTORY_SIZE + AUTO_UPDATE_RESERVED_SIZE)
77 #define AUTO_UPDATE_TIMEOUT_MS 60000
79 struct mpfs_auto_update_priv {
80 struct mpfs_sys_controller *sys_controller;
82 struct mtd_info *flash;
83 struct fw_upload *fw_uploader;
84 struct completion programming_complete;
85 size_t size_per_bitstream;
89 static enum fw_upload_err mpfs_auto_update_prepare(struct fw_upload *fw_uploader, const u8 *data,
92 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
93 size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;
96 * Verifying the Golden Image is idealistic. It will be evaluated
97 * against the currently programmed image and thus may fail - due to
98 * either rollback protection (if its an older version than that in use)
99 * or if the version is the same as that of the in-use image.
100 * Extracting the information as to why a failure occurred is not
101 * currently possible due to limitations of the system controller
102 * driver. If those are fixed, verification of the Golden Image should
106 priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller);
108 return FW_UPLOAD_ERR_HW_ERROR;
110 erase_size = round_up(erase_size, (u64)priv->flash->erasesize);
113 * We need to calculate if we have enough space in the flash for the
115 * First, chop off the first 1 KiB as it's reserved for the directory.
116 * The 1 MiB reserved for design info needs to be ignored also.
117 * All that remains is carved into 3 & rounded down to the erasesize.
118 * If this is smaller than the image size, we abort.
119 * There's also no need to consume more than 20 MiB per image.
121 priv->size_per_bitstream = priv->flash->size - SZ_1K - SZ_1M;
122 priv->size_per_bitstream = round_down(priv->size_per_bitstream / 3, erase_size);
123 if (priv->size_per_bitstream > 20 * SZ_1M)
124 priv->size_per_bitstream = 20 * SZ_1M;
126 if (priv->size_per_bitstream < size) {
128 "flash device has insufficient capacity to store this bitstream\n");
129 return FW_UPLOAD_ERR_INVALID_SIZE;
132 priv->cancel_request = false;
134 return FW_UPLOAD_ERR_NONE;
137 static void mpfs_auto_update_cancel(struct fw_upload *fw_uploader)
139 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
141 priv->cancel_request = true;
144 static enum fw_upload_err mpfs_auto_update_poll_complete(struct fw_upload *fw_uploader)
146 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
150 * There is no meaningful way to get the status of the programming while
151 * it is in progress, so attempting anything other than waiting for it
152 * to complete would be misplaced.
154 ret = wait_for_completion_timeout(&priv->programming_complete,
155 msecs_to_jiffies(AUTO_UPDATE_TIMEOUT_MS));
157 return FW_UPLOAD_ERR_TIMEOUT;
159 return FW_UPLOAD_ERR_NONE;
162 static int mpfs_auto_update_verify_image(struct fw_upload *fw_uploader)
164 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
165 struct mpfs_mss_response *response;
166 struct mpfs_mss_msg *message;
170 response_msg = devm_kzalloc(priv->dev, AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg),
175 response = devm_kzalloc(priv->dev, sizeof(struct mpfs_mss_response), GFP_KERNEL);
178 goto free_response_msg;
181 message = devm_kzalloc(priv->dev, sizeof(struct mpfs_mss_msg), GFP_KERNEL);
188 * The system controller can verify that an image in the flash is valid.
189 * Rather than duplicate the check in this driver, call the relevant
190 * service from the system controller instead.
191 * This service has no command data and no response data. It overloads
192 * mbox_offset with the image index in the flash's SPI directory where
193 * the bitstream is located.
195 response->resp_msg = response_msg;
196 response->resp_size = AUTO_UPDATE_AUTHENTICATE_RESP_SIZE;
197 message->cmd_opcode = AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE;
198 message->cmd_data_size = AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE;
199 message->response = response;
200 message->cmd_data = AUTO_UPDATE_AUTHENTICATE_CMD_DATA;
201 message->mbox_offset = AUTO_UPDATE_UPGRADE_INDEX;
202 message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;
204 dev_info(priv->dev, "Running verification of Upgrade Image\n");
205 ret = mpfs_blocking_transaction(priv->sys_controller, message);
206 if (ret | response->resp_status) {
207 dev_warn(priv->dev, "Verification of Upgrade Image failed!\n");
208 ret = ret ? ret : -EBADMSG;
212 dev_info(priv->dev, "Verification of Upgrade Image passed!\n");
215 devm_kfree(priv->dev, message);
217 devm_kfree(priv->dev, response);
219 devm_kfree(priv->dev, response_msg);
224 static int mpfs_auto_update_set_image_address(struct mpfs_auto_update_priv *priv, char *buffer,
225 u32 image_address, loff_t directory_address)
227 struct erase_info erase;
228 size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;
229 size_t bytes_written = 0, bytes_read = 0;
232 erase_size = round_up(erase_size, (u64)priv->flash->erasesize);
234 erase.addr = AUTO_UPDATE_DIRECTORY_BASE;
235 erase.len = erase_size;
238 * We need to write the "SPI DIRECTORY" to the first 1 KiB, telling
239 * the system controller where to find the actual bitstream. Since
240 * this is spi-nor, we have to read the first eraseblock, erase that
241 * portion of the flash, modify the data and then write it back.
242 * There's no need to do this though if things are already the way they
243 * should be, so check and save the write in that case.
245 ret = mtd_read(priv->flash, AUTO_UPDATE_DIRECTORY_BASE, erase_size, &bytes_read,
250 if (bytes_read != erase_size)
253 if ((*(u32 *)(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY) == image_address) &&
254 !(*(u32 *)(buffer + AUTO_UPDATE_BLANK_DIRECTORY)))
257 ret = mtd_erase(priv->flash, &erase);
262 * Populate the image address and then zero out the next directory so
263 * that the system controller doesn't complain if in "Single Image"
266 memcpy(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY, &image_address,
267 AUTO_UPDATE_DIRECTORY_WIDTH);
268 memset(buffer + AUTO_UPDATE_BLANK_DIRECTORY, 0x0, AUTO_UPDATE_DIRECTORY_WIDTH);
270 dev_info(priv->dev, "Writing the image address (%x) to the flash directory (%llx)\n",
271 image_address, directory_address);
273 ret = mtd_write(priv->flash, 0x0, erase_size, &bytes_written, (u_char *)buffer);
277 if (bytes_written != erase_size)
283 static int mpfs_auto_update_write_bitstream(struct fw_upload *fw_uploader, const u8 *data,
284 u32 offset, u32 size, u32 *written)
286 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
287 struct erase_info erase;
289 loff_t directory_address = AUTO_UPDATE_UPGRADE_DIRECTORY;
290 size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;
291 size_t bytes_written = 0;
295 erase_size = round_up(erase_size, (u64)priv->flash->erasesize);
297 image_address = AUTO_UPDATE_BITSTREAM_BASE +
298 AUTO_UPDATE_UPGRADE_INDEX * priv->size_per_bitstream;
300 buffer = devm_kzalloc(priv->dev, erase_size, GFP_KERNEL);
304 ret = mpfs_auto_update_set_image_address(priv, buffer, image_address, directory_address);
306 dev_err(priv->dev, "failed to set image address in the SPI directory: %d\n", ret);
311 * Now the .spi image itself can be written to the flash. Preservation
312 * of contents here is not important here, unlike the spi "directory"
313 * which must be RMWed.
315 erase.len = round_up(size, (size_t)priv->flash->erasesize);
316 erase.addr = image_address;
318 dev_info(priv->dev, "Erasing the flash at address (%x)\n", image_address);
319 ret = mtd_erase(priv->flash, &erase);
324 * No parsing etc of the bitstream is required. The system controller
325 * will do all of that itself - including verifying that the bitstream
328 dev_info(priv->dev, "Writing the image to the flash at address (%x)\n", image_address);
329 ret = mtd_write(priv->flash, (loff_t)image_address, size, &bytes_written, data);
333 if (bytes_written != size) {
338 *written = bytes_written;
341 devm_kfree(priv->dev, buffer);
345 static enum fw_upload_err mpfs_auto_update_write(struct fw_upload *fw_uploader, const u8 *data,
346 u32 offset, u32 size, u32 *written)
348 struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
349 enum fw_upload_err err = FW_UPLOAD_ERR_NONE;
352 reinit_completion(&priv->programming_complete);
354 ret = mpfs_auto_update_write_bitstream(fw_uploader, data, offset, size, written);
356 err = FW_UPLOAD_ERR_RW_ERROR;
360 if (priv->cancel_request) {
361 err = FW_UPLOAD_ERR_CANCELED;
365 ret = mpfs_auto_update_verify_image(fw_uploader);
367 err = FW_UPLOAD_ERR_FW_INVALID;
370 complete(&priv->programming_complete);
375 static const struct fw_upload_ops mpfs_auto_update_ops = {
376 .prepare = mpfs_auto_update_prepare,
377 .write = mpfs_auto_update_write,
378 .poll_complete = mpfs_auto_update_poll_complete,
379 .cancel = mpfs_auto_update_cancel,
382 static int mpfs_auto_update_available(struct mpfs_auto_update_priv *priv)
384 struct mpfs_mss_response *response;
385 struct mpfs_mss_msg *message;
389 response_msg = devm_kzalloc(priv->dev,
390 AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg),
395 response = devm_kzalloc(priv->dev, sizeof(struct mpfs_mss_response), GFP_KERNEL);
399 message = devm_kzalloc(priv->dev, sizeof(struct mpfs_mss_msg), GFP_KERNEL);
404 * To verify that Auto Update is possible, the "Query Security Service
405 * Request" is performed.
406 * This service has no command data & does not overload mbox_offset.
408 response->resp_msg = response_msg;
409 response->resp_size = AUTO_UPDATE_FEATURE_RESP_SIZE;
410 message->cmd_opcode = AUTO_UPDATE_FEATURE_CMD_OPCODE;
411 message->cmd_data_size = AUTO_UPDATE_FEATURE_CMD_DATA_SIZE;
412 message->response = response;
413 message->cmd_data = AUTO_UPDATE_FEATURE_CMD_DATA;
414 message->mbox_offset = AUTO_UPDATE_DEFAULT_MBOX_OFFSET;
415 message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;
417 ret = mpfs_blocking_transaction(priv->sys_controller, message);
422 * Currently, the system controller's firmware does not generate any
423 * interrupts for failed services, so mpfs_blocking_transaction() should
424 * time out & therefore return an error.
425 * Hitting this check is highly unlikely at present, but if the system
426 * controller's behaviour changes so that it does generate interrupts
427 * for failed services, it will be required.
429 if (response->resp_status)
433 * Bit 5 of byte 1 is "UL_Auto Update" & if it is set, Auto Update is
436 if (response_msg[1] & AUTO_UPDATE_FEATURE_ENABLED)
442 static int mpfs_auto_update_probe(struct platform_device *pdev)
444 struct device *dev = &pdev->dev;
445 struct mpfs_auto_update_priv *priv;
446 struct fw_upload *fw_uploader;
449 priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
453 priv->sys_controller = mpfs_sys_controller_get(dev);
454 if (IS_ERR(priv->sys_controller))
455 return dev_err_probe(dev, PTR_ERR(priv->sys_controller),
456 "Could not register as a sub device of the system controller\n");
459 platform_set_drvdata(pdev, priv);
461 ret = mpfs_auto_update_available(priv);
463 return dev_err_probe(dev, ret,
464 "The current bitstream does not support auto-update\n");
466 init_completion(&priv->programming_complete);
468 fw_uploader = firmware_upload_register(THIS_MODULE, dev, "mpfs-auto-update",
469 &mpfs_auto_update_ops, priv);
470 if (IS_ERR(fw_uploader))
471 return dev_err_probe(dev, PTR_ERR(fw_uploader),
472 "Failed to register the bitstream uploader\n");
474 priv->fw_uploader = fw_uploader;
479 static void mpfs_auto_update_remove(struct platform_device *pdev)
481 struct mpfs_auto_update_priv *priv = platform_get_drvdata(pdev);
483 firmware_upload_unregister(priv->fw_uploader);
486 static struct platform_driver mpfs_auto_update_driver = {
488 .name = "mpfs-auto-update",
490 .probe = mpfs_auto_update_probe,
491 .remove_new = mpfs_auto_update_remove,
493 module_platform_driver(mpfs_auto_update_driver);
495 MODULE_LICENSE("GPL");
496 MODULE_AUTHOR("Conor Dooley <conor.dooley@microchip.com>");
497 MODULE_DESCRIPTION("PolarFire SoC Auto Update FPGA reprogramming");
projects / linux.git / blob