1 // SPDX-License-Identifier: GPL-2.0-or-later
4 * Bluetooth support for Intel devices
6 * Copyright (C) 2015 Intel Corporation
9 #include <linux/module.h>
10 #include <linux/firmware.h>
11 #include <linux/regmap.h>
12 #include <linux/acpi.h>
13 #include <acpi/acpi_bus.h>
14 #include <asm/unaligned.h>
16 #include <net/bluetooth/bluetooth.h>
17 #include <net/bluetooth/hci_core.h>
23 #define BDADDR_INTEL (&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
24 #define RSA_HEADER_LEN 644
25 #define CSS_HEADER_OFFSET 8
26 #define ECDSA_OFFSET 644
27 #define ECDSA_HEADER_LEN 320
30 DSM_SET_WDISABLE2_DELAY = 1,
31 DSM_SET_RESET_METHOD = 3,
34 #define CMD_WRITE_BOOT_PARAMS 0xfc0e
35 struct cmd_write_boot_params {
43 const char *driver_name;
48 static const guid_t btintel_guid_dsm =
49 GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233,
50 0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9);
52 int btintel_check_bdaddr(struct hci_dev *hdev)
54 struct hci_rp_read_bd_addr *bda;
57 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
60 int err = PTR_ERR(skb);
61 bt_dev_err(hdev, "Reading Intel device address failed (%d)",
66 if (skb->len != sizeof(*bda)) {
67 bt_dev_err(hdev, "Intel device address length mismatch");
72 bda = (struct hci_rp_read_bd_addr *)skb->data;
74 /* For some Intel based controllers, the default Bluetooth device
75 * address 00:03:19:9E:8B:00 can be found. These controllers are
76 * fully operational, but have the danger of duplicate addresses
77 * and that in turn can cause problems with Bluetooth operation.
79 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
80 bt_dev_err(hdev, "Found Intel default device address (%pMR)",
82 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
89 EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
91 int btintel_enter_mfg(struct hci_dev *hdev)
93 static const u8 param[] = { 0x01, 0x00 };
96 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
98 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
106 EXPORT_SYMBOL_GPL(btintel_enter_mfg);
108 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
110 u8 param[] = { 0x00, 0x00 };
113 /* The 2nd command parameter specifies the manufacturing exit method:
114 * 0x00: Just disable the manufacturing mode (0x00).
115 * 0x01: Disable manufacturing mode and reset with patches deactivated.
116 * 0x02: Disable manufacturing mode and reset with patches activated.
119 param[1] |= patched ? 0x02 : 0x01;
121 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
123 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
131 EXPORT_SYMBOL_GPL(btintel_exit_mfg);
133 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
138 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
141 bt_dev_err(hdev, "Changing Intel device address failed (%d)",
149 EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
151 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
153 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
160 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
163 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err);
171 int btintel_set_diag(struct hci_dev *hdev, bool enable)
187 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
192 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)",
199 btintel_set_event_mask(hdev, enable);
202 EXPORT_SYMBOL_GPL(btintel_set_diag);
204 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
208 err = btintel_enter_mfg(hdev);
212 ret = btintel_set_diag(hdev, enable);
214 err = btintel_exit_mfg(hdev, false, false);
221 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable)
225 /* Legacy ROM device needs to be in the manufacturer mode to apply
228 * This flag is set after reading the Intel version.
230 if (btintel_test_flag(hdev, INTEL_ROM_LEGACY))
231 ret = btintel_set_diag_mfg(hdev, enable);
233 ret = btintel_set_diag(hdev, enable);
238 void btintel_hw_error(struct hci_dev *hdev, u8 code)
243 bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
245 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
247 bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
253 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
255 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
260 if (skb->len != 13) {
261 bt_dev_err(hdev, "Exception info size mismatch");
266 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
270 EXPORT_SYMBOL_GPL(btintel_hw_error);
272 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
276 /* The hardware platform number has a fixed value of 0x37 and
277 * for now only accept this single value.
279 if (ver->hw_platform != 0x37) {
280 bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)",
285 /* Check for supported iBT hardware variants of this firmware
288 * This check has been put in place to ensure correct forward
289 * compatibility options when newer hardware variants come along.
291 switch (ver->hw_variant) {
292 case 0x07: /* WP - Legacy ROM */
293 case 0x08: /* StP - Legacy ROM */
302 bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)",
307 switch (ver->fw_variant) {
309 variant = "Legacy ROM 2.5";
312 variant = "Bootloader";
315 variant = "Legacy ROM 2.x";
318 variant = "Firmware";
321 bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant);
325 coredump_info.hw_variant = ver->hw_variant;
326 coredump_info.fw_build_num = ver->fw_build_num;
328 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u",
329 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
330 ver->fw_build_num, ver->fw_build_ww,
331 2000 + ver->fw_build_yy);
335 EXPORT_SYMBOL_GPL(btintel_version_info);
337 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
342 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
344 cmd_param[0] = fragment_type;
345 memcpy(cmd_param + 1, param, fragment_len);
347 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
348 cmd_param, HCI_INIT_TIMEOUT);
354 plen -= fragment_len;
355 param += fragment_len;
361 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
363 const struct firmware *fw;
368 err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
370 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
375 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
379 /* DDC file contains one or more DDC structure which has
380 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
382 while (fw->size > fw_ptr - fw->data) {
383 u8 cmd_plen = fw_ptr[0] + sizeof(u8);
385 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
388 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
390 release_firmware(fw);
398 release_firmware(fw);
400 bt_dev_info(hdev, "Applying Intel DDC parameters completed");
404 EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
406 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
410 err = btintel_enter_mfg(hdev);
414 ret = btintel_set_event_mask(hdev, debug);
416 err = btintel_exit_mfg(hdev, false, false);
422 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
424 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
428 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
430 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
435 if (!skb || skb->len != sizeof(*ver)) {
436 bt_dev_err(hdev, "Intel version event size mismatch");
441 memcpy(ver, skb->data, sizeof(*ver));
447 EXPORT_SYMBOL_GPL(btintel_read_version);
449 int btintel_version_info_tlv(struct hci_dev *hdev,
450 struct intel_version_tlv *version)
454 /* The hardware platform number has a fixed value of 0x37 and
455 * for now only accept this single value.
457 if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) {
458 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
459 INTEL_HW_PLATFORM(version->cnvi_bt));
463 /* Check for supported iBT hardware variants of this firmware
466 * This check has been put in place to ensure correct forward
467 * compatibility options when newer hardware variants come along.
469 switch (INTEL_HW_VARIANT(version->cnvi_bt)) {
472 case 0x19: /* Slr-F */
474 case 0x1c: /* Gale Peak (GaP) */
475 case 0x1d: /* BlazarU (BzrU) */
476 case 0x1e: /* BlazarI (Bzr) */
479 bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)",
480 INTEL_HW_VARIANT(version->cnvi_bt));
484 switch (version->img_type) {
485 case BTINTEL_IMG_BOOTLOADER:
486 variant = "Bootloader";
487 /* It is required that every single firmware fragment is acknowledged
488 * with a command complete event. If the boot parameters indicate
489 * that this bootloader does not send them, then abort the setup.
491 if (version->limited_cce != 0x00) {
492 bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)",
493 version->limited_cce);
497 /* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */
498 if (version->sbe_type > 0x01) {
499 bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)",
504 bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id);
505 bt_dev_info(hdev, "Secure boot is %s",
506 version->secure_boot ? "enabled" : "disabled");
507 bt_dev_info(hdev, "OTP lock is %s",
508 version->otp_lock ? "enabled" : "disabled");
509 bt_dev_info(hdev, "API lock is %s",
510 version->api_lock ? "enabled" : "disabled");
511 bt_dev_info(hdev, "Debug lock is %s",
512 version->debug_lock ? "enabled" : "disabled");
513 bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
514 version->min_fw_build_nn, version->min_fw_build_cw,
515 2000 + version->min_fw_build_yy);
517 case BTINTEL_IMG_IML:
518 variant = "Intermediate loader";
521 variant = "Firmware";
524 bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type);
528 coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt);
529 coredump_info.fw_build_num = version->build_num;
531 bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant,
532 2000 + (version->timestamp >> 8), version->timestamp & 0xff,
533 version->build_type, version->build_num);
534 if (version->img_type == BTINTEL_IMG_OP)
535 bt_dev_info(hdev, "Firmware SHA1: 0x%8.8x", version->git_sha1);
539 EXPORT_SYMBOL_GPL(btintel_version_info_tlv);
541 int btintel_parse_version_tlv(struct hci_dev *hdev,
542 struct intel_version_tlv *version,
545 /* Consume Command Complete Status field */
548 /* Event parameters contatin multiple TLVs. Read each of them
549 * and only keep the required data. Also, it use existing legacy
550 * version field like hw_platform, hw_variant, and fw_variant
551 * to keep the existing setup flow
554 struct intel_tlv *tlv;
556 /* Make sure skb has a minimum length of the header */
557 if (skb->len < sizeof(*tlv))
560 tlv = (struct intel_tlv *)skb->data;
562 /* Make sure skb has a enough data */
563 if (skb->len < tlv->len + sizeof(*tlv))
567 case INTEL_TLV_CNVI_TOP:
568 version->cnvi_top = get_unaligned_le32(tlv->val);
570 case INTEL_TLV_CNVR_TOP:
571 version->cnvr_top = get_unaligned_le32(tlv->val);
573 case INTEL_TLV_CNVI_BT:
574 version->cnvi_bt = get_unaligned_le32(tlv->val);
576 case INTEL_TLV_CNVR_BT:
577 version->cnvr_bt = get_unaligned_le32(tlv->val);
579 case INTEL_TLV_DEV_REV_ID:
580 version->dev_rev_id = get_unaligned_le16(tlv->val);
582 case INTEL_TLV_IMAGE_TYPE:
583 version->img_type = tlv->val[0];
585 case INTEL_TLV_TIME_STAMP:
586 /* If image type is Operational firmware (0x03), then
587 * running FW Calendar Week and Year information can
588 * be extracted from Timestamp information
590 version->min_fw_build_cw = tlv->val[0];
591 version->min_fw_build_yy = tlv->val[1];
592 version->timestamp = get_unaligned_le16(tlv->val);
594 case INTEL_TLV_BUILD_TYPE:
595 version->build_type = tlv->val[0];
597 case INTEL_TLV_BUILD_NUM:
598 /* If image type is Operational firmware (0x03), then
599 * running FW build number can be extracted from the
602 version->min_fw_build_nn = tlv->val[0];
603 version->build_num = get_unaligned_le32(tlv->val);
605 case INTEL_TLV_SECURE_BOOT:
606 version->secure_boot = tlv->val[0];
608 case INTEL_TLV_OTP_LOCK:
609 version->otp_lock = tlv->val[0];
611 case INTEL_TLV_API_LOCK:
612 version->api_lock = tlv->val[0];
614 case INTEL_TLV_DEBUG_LOCK:
615 version->debug_lock = tlv->val[0];
617 case INTEL_TLV_MIN_FW:
618 version->min_fw_build_nn = tlv->val[0];
619 version->min_fw_build_cw = tlv->val[1];
620 version->min_fw_build_yy = tlv->val[2];
622 case INTEL_TLV_LIMITED_CCE:
623 version->limited_cce = tlv->val[0];
625 case INTEL_TLV_SBE_TYPE:
626 version->sbe_type = tlv->val[0];
628 case INTEL_TLV_OTP_BDADDR:
629 memcpy(&version->otp_bd_addr, tlv->val,
632 case INTEL_TLV_GIT_SHA1:
633 version->git_sha1 = get_unaligned_le32(tlv->val);
635 case INTEL_TLV_FW_ID:
636 snprintf(version->fw_id, sizeof(version->fw_id),
640 /* Ignore rest of information */
643 /* consume the current tlv and move to next*/
644 skb_pull(skb, tlv->len + sizeof(*tlv));
649 EXPORT_SYMBOL_GPL(btintel_parse_version_tlv);
651 static int btintel_read_version_tlv(struct hci_dev *hdev,
652 struct intel_version_tlv *version)
655 const u8 param[1] = { 0xFF };
660 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
662 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
668 bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
674 btintel_parse_version_tlv(hdev, version, skb);
680 /* ------- REGMAP IBT SUPPORT ------- */
682 #define IBT_REG_MODE_8BIT 0x00
683 #define IBT_REG_MODE_16BIT 0x01
684 #define IBT_REG_MODE_32BIT 0x02
686 struct regmap_ibt_context {
687 struct hci_dev *hdev;
692 struct ibt_cp_reg_access {
699 struct ibt_rp_reg_access {
705 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
706 void *val, size_t val_size)
708 struct regmap_ibt_context *ctx = context;
709 struct ibt_cp_reg_access cp;
710 struct ibt_rp_reg_access *rp;
714 if (reg_size != sizeof(__le32))
719 cp.mode = IBT_REG_MODE_8BIT;
722 cp.mode = IBT_REG_MODE_16BIT;
725 cp.mode = IBT_REG_MODE_32BIT;
731 /* regmap provides a little-endian formatted addr */
732 cp.addr = *(__le32 *)addr;
735 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
737 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
741 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
742 le32_to_cpu(cp.addr), err);
746 if (skb->len != sizeof(*rp) + val_size) {
747 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
748 le32_to_cpu(cp.addr));
753 rp = (struct ibt_rp_reg_access *)skb->data;
755 if (rp->addr != cp.addr) {
756 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
757 le32_to_cpu(rp->addr));
762 memcpy(val, rp->data, val_size);
769 static int regmap_ibt_gather_write(void *context,
770 const void *addr, size_t reg_size,
771 const void *val, size_t val_size)
773 struct regmap_ibt_context *ctx = context;
774 struct ibt_cp_reg_access *cp;
776 int plen = sizeof(*cp) + val_size;
780 if (reg_size != sizeof(__le32))
785 mode = IBT_REG_MODE_8BIT;
788 mode = IBT_REG_MODE_16BIT;
791 mode = IBT_REG_MODE_32BIT;
797 cp = kmalloc(plen, GFP_KERNEL);
801 /* regmap provides a little-endian formatted addr/value */
802 cp->addr = *(__le32 *)addr;
805 memcpy(&cp->data, val, val_size);
807 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
809 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
812 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
813 le32_to_cpu(cp->addr), err);
823 static int regmap_ibt_write(void *context, const void *data, size_t count)
825 /* data contains register+value, since we only support 32bit addr,
826 * minimum data size is 4 bytes.
828 if (WARN_ONCE(count < 4, "Invalid register access"))
831 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
834 static void regmap_ibt_free_context(void *context)
839 static const struct regmap_bus regmap_ibt = {
840 .read = regmap_ibt_read,
841 .write = regmap_ibt_write,
842 .gather_write = regmap_ibt_gather_write,
843 .free_context = regmap_ibt_free_context,
844 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
845 .val_format_endian_default = REGMAP_ENDIAN_LITTLE,
848 /* Config is the same for all register regions */
849 static const struct regmap_config regmap_ibt_cfg = {
850 .name = "btintel_regmap",
855 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
858 struct regmap_ibt_context *ctx;
860 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
863 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
865 return ERR_PTR(-ENOMEM);
867 ctx->op_read = opcode_read;
868 ctx->op_write = opcode_write;
871 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg);
873 EXPORT_SYMBOL_GPL(btintel_regmap_init);
875 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
877 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 };
880 params.boot_param = cpu_to_le32(boot_param);
882 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms,
885 bt_dev_err(hdev, "Failed to send Intel Reset command");
893 EXPORT_SYMBOL_GPL(btintel_send_intel_reset);
895 int btintel_read_boot_params(struct hci_dev *hdev,
896 struct intel_boot_params *params)
900 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
902 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)",
907 if (skb->len != sizeof(*params)) {
908 bt_dev_err(hdev, "Intel boot parameters size mismatch");
913 memcpy(params, skb->data, sizeof(*params));
917 if (params->status) {
918 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)",
920 return -bt_to_errno(params->status);
923 bt_dev_info(hdev, "Device revision is %u",
924 le16_to_cpu(params->dev_revid));
926 bt_dev_info(hdev, "Secure boot is %s",
927 params->secure_boot ? "enabled" : "disabled");
929 bt_dev_info(hdev, "OTP lock is %s",
930 params->otp_lock ? "enabled" : "disabled");
932 bt_dev_info(hdev, "API lock is %s",
933 params->api_lock ? "enabled" : "disabled");
935 bt_dev_info(hdev, "Debug lock is %s",
936 params->debug_lock ? "enabled" : "disabled");
938 bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
939 params->min_fw_build_nn, params->min_fw_build_cw,
940 2000 + params->min_fw_build_yy);
944 EXPORT_SYMBOL_GPL(btintel_read_boot_params);
946 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev,
947 const struct firmware *fw)
951 /* Start the firmware download transaction with the Init fragment
952 * represented by the 128 bytes of CSS header.
954 err = btintel_secure_send(hdev, 0x00, 128, fw->data);
956 bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
960 /* Send the 256 bytes of public key information from the firmware
961 * as the PKey fragment.
963 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
965 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
969 /* Send the 256 bytes of signature information from the firmware
970 * as the Sign fragment.
972 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
974 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err);
982 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev,
983 const struct firmware *fw)
987 /* Start the firmware download transaction with the Init fragment
988 * represented by the 128 bytes of CSS header.
990 err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644);
992 bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
996 /* Send the 96 bytes of public key information from the firmware
997 * as the PKey fragment.
999 err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128);
1001 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
1005 /* Send the 96 bytes of signature information from the firmware
1006 * as the Sign fragment
1008 err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224);
1010 bt_dev_err(hdev, "Failed to send firmware signature (%d)",
1017 static int btintel_download_firmware_payload(struct hci_dev *hdev,
1018 const struct firmware *fw,
1025 fw_ptr = fw->data + offset;
1029 while (fw_ptr - fw->data < fw->size) {
1030 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
1032 frag_len += sizeof(*cmd) + cmd->plen;
1034 /* The parameter length of the secure send command requires
1035 * a 4 byte alignment. It happens so that the firmware file
1036 * contains proper Intel_NOP commands to align the fragments
1039 * Send set of commands with 4 byte alignment from the
1040 * firmware data buffer as a single Data fragement.
1042 if (!(frag_len % 4)) {
1043 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
1046 "Failed to send firmware data (%d)",
1060 static bool btintel_firmware_version(struct hci_dev *hdev,
1061 u8 num, u8 ww, u8 yy,
1062 const struct firmware *fw,
1069 while (fw_ptr - fw->data < fw->size) {
1070 struct hci_command_hdr *cmd = (void *)(fw_ptr);
1072 /* Each SKU has a different reset parameter to use in the
1073 * HCI_Intel_Reset command and it is embedded in the firmware
1074 * data. So, instead of using static value per SKU, check
1075 * the firmware data and save it for later use.
1077 if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) {
1078 struct cmd_write_boot_params *params;
1080 params = (void *)(fw_ptr + sizeof(*cmd));
1082 *boot_addr = le32_to_cpu(params->boot_addr);
1084 bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr);
1086 bt_dev_info(hdev, "Firmware Version: %u-%u.%u",
1087 params->fw_build_num, params->fw_build_ww,
1088 params->fw_build_yy);
1090 return (num == params->fw_build_num &&
1091 ww == params->fw_build_ww &&
1092 yy == params->fw_build_yy);
1095 fw_ptr += sizeof(*cmd) + cmd->plen;
1101 int btintel_download_firmware(struct hci_dev *hdev,
1102 struct intel_version *ver,
1103 const struct firmware *fw,
1108 /* SfP and WsP don't seem to update the firmware version on file
1109 * so version checking is currently not possible.
1111 switch (ver->hw_variant) {
1112 case 0x0b: /* SfP */
1113 case 0x0c: /* WsP */
1114 /* Skip version checking */
1118 /* Skip download if firmware has the same version */
1119 if (btintel_firmware_version(hdev, ver->fw_build_num,
1120 ver->fw_build_ww, ver->fw_build_yy,
1122 bt_dev_info(hdev, "Firmware already loaded");
1123 /* Return -EALREADY to indicate that the firmware has
1124 * already been loaded.
1130 /* The firmware variant determines if the device is in bootloader
1131 * mode or is running operational firmware. The value 0x06 identifies
1132 * the bootloader and the value 0x23 identifies the operational
1135 * If the firmware version has changed that means it needs to be reset
1136 * to bootloader when operational so the new firmware can be loaded.
1138 if (ver->fw_variant == 0x23)
1141 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1145 return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1147 EXPORT_SYMBOL_GPL(btintel_download_firmware);
1149 static int btintel_download_fw_tlv(struct hci_dev *hdev,
1150 struct intel_version_tlv *ver,
1151 const struct firmware *fw, u32 *boot_param,
1152 u8 hw_variant, u8 sbe_type)
1157 /* Skip download if firmware has the same version */
1158 if (btintel_firmware_version(hdev, ver->min_fw_build_nn,
1159 ver->min_fw_build_cw,
1160 ver->min_fw_build_yy,
1162 bt_dev_info(hdev, "Firmware already loaded");
1163 /* Return -EALREADY to indicate that firmware has
1164 * already been loaded.
1169 /* The firmware variant determines if the device is in bootloader
1170 * mode or is running operational firmware. The value 0x01 identifies
1171 * the bootloader and the value 0x03 identifies the operational
1174 * If the firmware version has changed that means it needs to be reset
1175 * to bootloader when operational so the new firmware can be loaded.
1177 if (ver->img_type == BTINTEL_IMG_OP)
1180 /* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support
1181 * only RSA secure boot engine. Hence, the corresponding sfi file will
1182 * have RSA header of 644 bytes followed by Command Buffer.
1184 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA
1185 * secure boot engine. As a result, the corresponding sfi file will
1186 * have RSA header of 644, ECDSA header of 320 bytes followed by
1189 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header
1190 * version: RSA(0x00010000) , ECDSA (0x00020000)
1192 css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET);
1193 if (css_header_ver != 0x00010000) {
1194 bt_dev_err(hdev, "Invalid CSS Header version");
1198 if (hw_variant <= 0x14) {
1199 if (sbe_type != 0x00) {
1200 bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)",
1205 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1209 err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1212 } else if (hw_variant >= 0x17) {
1213 /* Check if CSS header for ECDSA follows the RSA header */
1214 if (fw->data[ECDSA_OFFSET] != 0x06)
1217 /* Check if the CSS Header version is ECDSA(0x00020000) */
1218 css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET);
1219 if (css_header_ver != 0x00020000) {
1220 bt_dev_err(hdev, "Invalid CSS Header version");
1224 if (sbe_type == 0x00) {
1225 err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1229 err = btintel_download_firmware_payload(hdev, fw,
1230 RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1233 } else if (sbe_type == 0x01) {
1234 err = btintel_sfi_ecdsa_header_secure_send(hdev, fw);
1238 err = btintel_download_firmware_payload(hdev, fw,
1239 RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1247 static void btintel_reset_to_bootloader(struct hci_dev *hdev)
1249 struct intel_reset params;
1250 struct sk_buff *skb;
1252 /* Send Intel Reset command. This will result in
1253 * re-enumeration of BT controller.
1255 * Intel Reset parameter description:
1256 * reset_type : 0x00 (Soft reset),
1258 * patch_enable : 0x00 (Do not enable),
1260 * ddc_reload : 0x00 (Do not reload),
1262 * boot_option: 0x00 (Current image),
1263 * 0x01 (Specified boot address)
1264 * boot_param: Boot address
1267 params.reset_type = 0x01;
1268 params.patch_enable = 0x01;
1269 params.ddc_reload = 0x01;
1270 params.boot_option = 0x00;
1271 params.boot_param = cpu_to_le32(0x00000000);
1273 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params),
1274 ¶ms, HCI_INIT_TIMEOUT);
1276 bt_dev_err(hdev, "FW download error recovery failed (%ld)",
1280 bt_dev_info(hdev, "Intel reset sent to retry FW download");
1283 /* Current Intel BT controllers(ThP/JfP) hold the USB reset
1284 * lines for 2ms when it receives Intel Reset in bootloader mode.
1285 * Whereas, the upcoming Intel BT controllers will hold USB reset
1286 * for 150ms. To keep the delay generic, 150ms is chosen here.
1291 static int btintel_read_debug_features(struct hci_dev *hdev,
1292 struct intel_debug_features *features)
1294 struct sk_buff *skb;
1297 /* Intel controller supports two pages, each page is of 128-bit
1298 * feature bit mask. And each bit defines specific feature support
1300 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no,
1303 bt_dev_err(hdev, "Reading supported features failed (%ld)",
1305 return PTR_ERR(skb);
1308 if (skb->len != (sizeof(features->page1) + 3)) {
1309 bt_dev_err(hdev, "Supported features event size mismatch");
1314 memcpy(features->page1, skb->data + 3, sizeof(features->page1));
1316 /* Read the supported features page2 if required in future.
1322 static int btintel_set_debug_features(struct hci_dev *hdev,
1323 const struct intel_debug_features *features)
1325 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00,
1327 u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 };
1328 u8 trace_enable = 0x02;
1329 struct sk_buff *skb;
1332 bt_dev_warn(hdev, "Debug features not read");
1336 if (!(features->page1[0] & 0x3f)) {
1337 bt_dev_info(hdev, "Telemetry exception format not supported");
1341 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1343 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1345 return PTR_ERR(skb);
1349 skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT);
1351 bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)",
1353 return PTR_ERR(skb);
1357 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1359 bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)",
1361 return PTR_ERR(skb);
1365 bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x",
1366 trace_enable, mask[3]);
1371 static int btintel_reset_debug_features(struct hci_dev *hdev,
1372 const struct intel_debug_features *features)
1374 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
1376 u8 trace_enable = 0x00;
1377 struct sk_buff *skb;
1380 bt_dev_warn(hdev, "Debug features not read");
1384 if (!(features->page1[0] & 0x3f)) {
1385 bt_dev_info(hdev, "Telemetry exception format not supported");
1389 /* Should stop the trace before writing ddc event mask. */
1390 skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1392 bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)",
1394 return PTR_ERR(skb);
1398 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1400 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1402 return PTR_ERR(skb);
1406 bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x",
1407 trace_enable, mask[3]);
1412 int btintel_set_quality_report(struct hci_dev *hdev, bool enable)
1414 struct intel_debug_features features;
1417 bt_dev_dbg(hdev, "enable %d", enable);
1419 /* Read the Intel supported features and if new exception formats
1420 * supported, need to load the additional DDC config to enable.
1422 err = btintel_read_debug_features(hdev, &features);
1426 /* Set or reset the debug features. */
1428 err = btintel_set_debug_features(hdev, &features);
1430 err = btintel_reset_debug_features(hdev, &features);
1434 EXPORT_SYMBOL_GPL(btintel_set_quality_report);
1436 static void btintel_coredump(struct hci_dev *hdev)
1438 struct sk_buff *skb;
1440 skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT);
1442 bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb));
1449 static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb)
1453 snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n",
1454 coredump_info.hw_variant);
1455 skb_put_data(skb, buf, strlen(buf));
1457 snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n",
1458 coredump_info.fw_build_num);
1459 skb_put_data(skb, buf, strlen(buf));
1461 snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name);
1462 skb_put_data(skb, buf, strlen(buf));
1464 snprintf(buf, sizeof(buf), "Vendor: Intel\n");
1465 skb_put_data(skb, buf, strlen(buf));
1468 static int btintel_register_devcoredump_support(struct hci_dev *hdev)
1470 struct intel_debug_features features;
1473 err = btintel_read_debug_features(hdev, &features);
1475 bt_dev_info(hdev, "Error reading debug features");
1479 if (!(features.page1[0] & 0x3f)) {
1480 bt_dev_dbg(hdev, "Telemetry exception format not supported");
1484 hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL);
1489 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev,
1490 struct intel_version *ver)
1492 const struct firmware *fw;
1496 snprintf(fwname, sizeof(fwname),
1497 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1498 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1499 ver->fw_variant, ver->fw_revision, ver->fw_build_num,
1500 ver->fw_build_ww, ver->fw_build_yy);
1502 ret = request_firmware(&fw, fwname, &hdev->dev);
1504 if (ret == -EINVAL) {
1505 bt_dev_err(hdev, "Intel firmware file request failed (%d)",
1510 bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)",
1513 /* If the correct firmware patch file is not found, use the
1514 * default firmware patch file instead
1516 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1517 ver->hw_platform, ver->hw_variant);
1518 if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1519 bt_dev_err(hdev, "failed to open default fw file: %s",
1525 bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname);
1530 static int btintel_legacy_rom_patching(struct hci_dev *hdev,
1531 const struct firmware *fw,
1532 const u8 **fw_ptr, int *disable_patch)
1534 struct sk_buff *skb;
1535 struct hci_command_hdr *cmd;
1536 const u8 *cmd_param;
1537 struct hci_event_hdr *evt = NULL;
1538 const u8 *evt_param = NULL;
1539 int remain = fw->size - (*fw_ptr - fw->data);
1541 /* The first byte indicates the types of the patch command or event.
1542 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1543 * in the current firmware buffer doesn't start with 0x01 or
1544 * the size of remain buffer is smaller than HCI command header,
1545 * the firmware file is corrupted and it should stop the patching
1548 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1549 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read");
1555 cmd = (struct hci_command_hdr *)(*fw_ptr);
1556 *fw_ptr += sizeof(*cmd);
1557 remain -= sizeof(*cmd);
1559 /* Ensure that the remain firmware data is long enough than the length
1560 * of command parameter. If not, the firmware file is corrupted.
1562 if (remain < cmd->plen) {
1563 bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len");
1567 /* If there is a command that loads a patch in the firmware
1568 * file, then enable the patch upon success, otherwise just
1569 * disable the manufacturer mode, for example patch activation
1570 * is not required when the default firmware patch file is used
1571 * because there are no patch data to load.
1573 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1576 cmd_param = *fw_ptr;
1577 *fw_ptr += cmd->plen;
1578 remain -= cmd->plen;
1580 /* This reads the expected events when the above command is sent to the
1581 * device. Some vendor commands expects more than one events, for
1582 * example command status event followed by vendor specific event.
1583 * For this case, it only keeps the last expected event. so the command
1584 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1585 * last expected event.
1587 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1591 evt = (struct hci_event_hdr *)(*fw_ptr);
1592 *fw_ptr += sizeof(*evt);
1593 remain -= sizeof(*evt);
1595 if (remain < evt->plen) {
1596 bt_dev_err(hdev, "Intel fw corrupted: invalid evt len");
1600 evt_param = *fw_ptr;
1601 *fw_ptr += evt->plen;
1602 remain -= evt->plen;
1605 /* Every HCI commands in the firmware file has its correspond event.
1606 * If event is not found or remain is smaller than zero, the firmware
1607 * file is corrupted.
1609 if (!evt || !evt_param || remain < 0) {
1610 bt_dev_err(hdev, "Intel fw corrupted: invalid evt read");
1614 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1615 cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1617 bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)",
1618 cmd->opcode, PTR_ERR(skb));
1619 return PTR_ERR(skb);
1622 /* It ensures that the returned event matches the event data read from
1623 * the firmware file. At fist, it checks the length and then
1624 * the contents of the event.
1626 if (skb->len != evt->plen) {
1627 bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)",
1628 le16_to_cpu(cmd->opcode));
1633 if (memcmp(skb->data, evt_param, evt->plen)) {
1634 bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)",
1635 le16_to_cpu(cmd->opcode));
1644 static int btintel_legacy_rom_setup(struct hci_dev *hdev,
1645 struct intel_version *ver)
1647 const struct firmware *fw;
1649 int disable_patch, err;
1650 struct intel_version new_ver;
1652 BT_DBG("%s", hdev->name);
1654 /* fw_patch_num indicates the version of patch the device currently
1655 * have. If there is no patch data in the device, it is always 0x00.
1656 * So, if it is other than 0x00, no need to patch the device again.
1658 if (ver->fw_patch_num) {
1660 "Intel device is already patched. patch num: %02x",
1665 /* Opens the firmware patch file based on the firmware version read
1666 * from the controller. If it fails to open the matching firmware
1667 * patch file, it tries to open the default firmware patch file.
1668 * If no patch file is found, allow the device to operate without
1671 fw = btintel_legacy_rom_get_fw(hdev, ver);
1676 /* Enable the manufacturer mode of the controller.
1677 * Only while this mode is enabled, the driver can download the
1678 * firmware patch data and configuration parameters.
1680 err = btintel_enter_mfg(hdev);
1682 release_firmware(fw);
1688 /* The firmware data file consists of list of Intel specific HCI
1689 * commands and its expected events. The first byte indicates the
1690 * type of the message, either HCI command or HCI event.
1692 * It reads the command and its expected event from the firmware file,
1693 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1694 * the returned event is compared with the event read from the firmware
1695 * file and it will continue until all the messages are downloaded to
1698 * Once the firmware patching is completed successfully,
1699 * the manufacturer mode is disabled with reset and activating the
1702 * If the firmware patching fails, the manufacturer mode is
1703 * disabled with reset and deactivating the patch.
1705 * If the default patch file is used, no reset is done when disabling
1708 while (fw->size > fw_ptr - fw->data) {
1711 ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr,
1714 goto exit_mfg_deactivate;
1717 release_firmware(fw);
1720 goto exit_mfg_disable;
1722 /* Patching completed successfully and disable the manufacturer mode
1723 * with reset and activate the downloaded firmware patches.
1725 err = btintel_exit_mfg(hdev, true, true);
1729 /* Need build number for downloaded fw patches in
1730 * every power-on boot
1732 err = btintel_read_version(hdev, &new_ver);
1736 bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated",
1737 new_ver.fw_patch_num);
1742 /* Disable the manufacturer mode without reset */
1743 err = btintel_exit_mfg(hdev, false, false);
1747 bt_dev_info(hdev, "Intel firmware patch completed");
1751 exit_mfg_deactivate:
1752 release_firmware(fw);
1754 /* Patching failed. Disable the manufacturer mode with reset and
1755 * deactivate the downloaded firmware patches.
1757 err = btintel_exit_mfg(hdev, true, false);
1761 bt_dev_info(hdev, "Intel firmware patch completed and deactivated");
1764 /* Set the event mask for Intel specific vendor events. This enables
1765 * a few extra events that are useful during general operation.
1767 btintel_set_event_mask_mfg(hdev, false);
1769 btintel_check_bdaddr(hdev);
1774 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1776 ktime_t delta, rettime;
1777 unsigned long long duration;
1780 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1782 bt_dev_info(hdev, "Waiting for firmware download to complete");
1784 err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING,
1786 msecs_to_jiffies(msec));
1787 if (err == -EINTR) {
1788 bt_dev_err(hdev, "Firmware loading interrupted");
1793 bt_dev_err(hdev, "Firmware loading timeout");
1797 if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) {
1798 bt_dev_err(hdev, "Firmware loading failed");
1802 rettime = ktime_get();
1803 delta = ktime_sub(rettime, calltime);
1804 duration = (unsigned long long)ktime_to_ns(delta) >> 10;
1806 bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration);
1811 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1813 ktime_t delta, rettime;
1814 unsigned long long duration;
1817 bt_dev_info(hdev, "Waiting for device to boot");
1819 err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING,
1821 msecs_to_jiffies(msec));
1822 if (err == -EINTR) {
1823 bt_dev_err(hdev, "Device boot interrupted");
1828 bt_dev_err(hdev, "Device boot timeout");
1832 rettime = ktime_get();
1833 delta = ktime_sub(rettime, calltime);
1834 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
1836 bt_dev_info(hdev, "Device booted in %llu usecs", duration);
1841 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr)
1846 calltime = ktime_get();
1848 btintel_set_flag(hdev, INTEL_BOOTING);
1850 err = btintel_send_intel_reset(hdev, boot_addr);
1852 bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err);
1853 btintel_reset_to_bootloader(hdev);
1857 /* The bootloader will not indicate when the device is ready. This
1858 * is done by the operational firmware sending bootup notification.
1860 * Booting into operational firmware should not take longer than
1861 * 1 second. However if that happens, then just fail the setup
1862 * since something went wrong.
1864 err = btintel_boot_wait(hdev, calltime, 1000);
1865 if (err == -ETIMEDOUT)
1866 btintel_reset_to_bootloader(hdev);
1871 static int btintel_get_fw_name(struct intel_version *ver,
1872 struct intel_boot_params *params,
1873 char *fw_name, size_t len,
1876 switch (ver->hw_variant) {
1877 case 0x0b: /* SfP */
1878 case 0x0c: /* WsP */
1879 snprintf(fw_name, len, "intel/ibt-%u-%u.%s",
1881 le16_to_cpu(params->dev_revid),
1884 case 0x11: /* JfP */
1885 case 0x12: /* ThP */
1886 case 0x13: /* HrP */
1887 case 0x14: /* CcP */
1888 snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s",
1901 static int btintel_download_fw(struct hci_dev *hdev,
1902 struct intel_version *ver,
1903 struct intel_boot_params *params,
1906 const struct firmware *fw;
1911 if (!ver || !params)
1914 /* The firmware variant determines if the device is in bootloader
1915 * mode or is running operational firmware. The value 0x06 identifies
1916 * the bootloader and the value 0x23 identifies the operational
1919 * When the operational firmware is already present, then only
1920 * the check for valid Bluetooth device address is needed. This
1921 * determines if the device will be added as configured or
1922 * unconfigured controller.
1924 * It is not possible to use the Secure Boot Parameters in this
1925 * case since that command is only available in bootloader mode.
1927 if (ver->fw_variant == 0x23) {
1928 btintel_clear_flag(hdev, INTEL_BOOTLOADER);
1929 btintel_check_bdaddr(hdev);
1931 /* SfP and WsP don't seem to update the firmware version on file
1932 * so version checking is currently possible.
1934 switch (ver->hw_variant) {
1935 case 0x0b: /* SfP */
1936 case 0x0c: /* WsP */
1940 /* Proceed to download to check if the version matches */
1944 /* Read the secure boot parameters to identify the operating
1945 * details of the bootloader.
1947 err = btintel_read_boot_params(hdev, params);
1951 /* It is required that every single firmware fragment is acknowledged
1952 * with a command complete event. If the boot parameters indicate
1953 * that this bootloader does not send them, then abort the setup.
1955 if (params->limited_cce != 0x00) {
1956 bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)",
1957 params->limited_cce);
1961 /* If the OTP has no valid Bluetooth device address, then there will
1962 * also be no valid address for the operational firmware.
1964 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) {
1965 bt_dev_info(hdev, "No device address configured");
1966 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1970 /* With this Intel bootloader only the hardware variant and device
1971 * revision information are used to select the right firmware for SfP
1974 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi.
1976 * Currently the supported hardware variants are:
1977 * 11 (0x0b) for iBT3.0 (LnP/SfP)
1978 * 12 (0x0c) for iBT3.5 (WsP)
1980 * For ThP/JfP and for future SKU's, the FW name varies based on HW
1981 * variant, HW revision and FW revision, as these are dependent on CNVi
1982 * and RF Combination.
1984 * 17 (0x11) for iBT3.5 (JfP)
1985 * 18 (0x12) for iBT3.5 (ThP)
1987 * The firmware file name for these will be
1988 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi.
1991 err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi");
1993 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
1994 /* Firmware has already been loaded */
1995 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1999 bt_dev_err(hdev, "Unsupported Intel firmware naming");
2003 err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
2005 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2006 /* Firmware has already been loaded */
2007 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2011 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
2016 bt_dev_info(hdev, "Found device firmware: %s", fwname);
2018 if (fw->size < 644) {
2019 bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
2025 calltime = ktime_get();
2027 btintel_set_flag(hdev, INTEL_DOWNLOADING);
2029 /* Start firmware downloading and get boot parameter */
2030 err = btintel_download_firmware(hdev, ver, fw, boot_param);
2032 if (err == -EALREADY) {
2033 /* Firmware has already been loaded */
2034 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2039 /* When FW download fails, send Intel Reset to retry
2042 btintel_reset_to_bootloader(hdev);
2046 /* Before switching the device into operational mode and with that
2047 * booting the loaded firmware, wait for the bootloader notification
2048 * that all fragments have been successfully received.
2050 * When the event processing receives the notification, then the
2051 * INTEL_DOWNLOADING flag will be cleared.
2053 * The firmware loading should not take longer than 5 seconds
2054 * and thus just timeout if that happens and fail the setup
2057 err = btintel_download_wait(hdev, calltime, 5000);
2058 if (err == -ETIMEDOUT)
2059 btintel_reset_to_bootloader(hdev);
2062 release_firmware(fw);
2066 static int btintel_bootloader_setup(struct hci_dev *hdev,
2067 struct intel_version *ver)
2069 struct intel_version new_ver;
2070 struct intel_boot_params params;
2075 BT_DBG("%s", hdev->name);
2077 /* Set the default boot parameter to 0x0 and it is updated to
2078 * SKU specific boot parameter after reading Intel_Write_Boot_Params
2079 * command while downloading the firmware.
2081 boot_param = 0x00000000;
2083 btintel_set_flag(hdev, INTEL_BOOTLOADER);
2085 err = btintel_download_fw(hdev, ver, ¶ms, &boot_param);
2089 /* controller is already having an operational firmware */
2090 if (ver->fw_variant == 0x23)
2093 err = btintel_boot(hdev, boot_param);
2097 btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2099 err = btintel_get_fw_name(ver, ¶ms, ddcname,
2100 sizeof(ddcname), "ddc");
2103 bt_dev_err(hdev, "Unsupported Intel firmware naming");
2105 /* Once the device is running in operational mode, it needs to
2106 * apply the device configuration (DDC) parameters.
2108 * The device can work without DDC parameters, so even if it
2109 * fails to load the file, no need to fail the setup.
2111 btintel_load_ddc_config(hdev, ddcname);
2114 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
2116 /* Read the Intel version information after loading the FW */
2117 err = btintel_read_version(hdev, &new_ver);
2121 btintel_version_info(hdev, &new_ver);
2124 /* Set the event mask for Intel specific vendor events. This enables
2125 * a few extra events that are useful during general operation. It
2126 * does not enable any debugging related events.
2128 * The device will function correctly without these events enabled
2129 * and thus no need to fail the setup.
2131 btintel_set_event_mask(hdev, false);
2136 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver,
2137 char *fw_name, size_t len,
2143 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top),
2144 INTEL_CNVX_TOP_STEP(ver->cnvi_top));
2146 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top),
2147 INTEL_CNVX_TOP_STEP(ver->cnvr_top));
2149 /* Only Blazar product supports downloading of intermediate loader
2152 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) {
2153 u8 zero[BTINTEL_FWID_MAXLEN];
2155 if (ver->img_type == BTINTEL_IMG_BOOTLOADER) {
2156 format = "intel/ibt-%04x-%04x-iml.%s";
2157 snprintf(fw_name, len, format, cnvi, cnvr, suffix);
2161 memset(zero, 0, sizeof(zero));
2163 /* ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step-fw_id> */
2164 if (memcmp(ver->fw_id, zero, sizeof(zero))) {
2165 format = "intel/ibt-%04x-%04x-%s.%s";
2166 snprintf(fw_name, len, format, cnvi, cnvr,
2167 ver->fw_id, suffix);
2170 /* If firmware id is not present, fallback to legacy naming
2174 /* Fallback to legacy naming convention for other controllers
2175 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step>
2177 format = "intel/ibt-%04x-%04x.%s";
2178 snprintf(fw_name, len, format, cnvi, cnvr, suffix);
2181 static void btintel_get_iml_tlv(const struct intel_version_tlv *ver,
2182 char *fw_name, size_t len,
2188 cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top),
2189 INTEL_CNVX_TOP_STEP(ver->cnvi_top));
2191 cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top),
2192 INTEL_CNVX_TOP_STEP(ver->cnvr_top));
2194 format = "intel/ibt-%04x-%04x-iml.%s";
2195 snprintf(fw_name, len, format, cnvi, cnvr, suffix);
2198 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev,
2199 struct intel_version_tlv *ver,
2202 const struct firmware *fw;
2207 if (!ver || !boot_param)
2210 /* The firmware variant determines if the device is in bootloader
2211 * mode or is running operational firmware. The value 0x03 identifies
2212 * the bootloader and the value 0x23 identifies the operational
2215 * When the operational firmware is already present, then only
2216 * the check for valid Bluetooth device address is needed. This
2217 * determines if the device will be added as configured or
2218 * unconfigured controller.
2220 * It is not possible to use the Secure Boot Parameters in this
2221 * case since that command is only available in bootloader mode.
2223 if (ver->img_type == BTINTEL_IMG_OP) {
2224 btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2225 btintel_check_bdaddr(hdev);
2228 * Check for valid bd address in boot loader mode. Device
2229 * will be marked as unconfigured if empty bd address is
2232 if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) {
2233 bt_dev_info(hdev, "No device address configured");
2234 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2238 if (ver->img_type == BTINTEL_IMG_OP) {
2239 /* Controller running OP image. In case of FW downgrade,
2240 * FWID TLV may not be present and driver may attempt to load
2241 * firmware image which doesn't exist. Lets compare the version
2244 if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e)
2245 btintel_get_iml_tlv(ver, fwname, sizeof(fwname), "sfi");
2247 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi");
2249 btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi");
2252 err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
2254 if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2255 /* Firmware has already been loaded */
2256 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2260 bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
2266 bt_dev_info(hdev, "Found device firmware: %s", fwname);
2268 if (fw->size < 644) {
2269 bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
2275 calltime = ktime_get();
2277 btintel_set_flag(hdev, INTEL_DOWNLOADING);
2279 /* Start firmware downloading and get boot parameter */
2280 err = btintel_download_fw_tlv(hdev, ver, fw, boot_param,
2281 INTEL_HW_VARIANT(ver->cnvi_bt),
2284 if (err == -EALREADY) {
2285 /* Firmware has already been loaded */
2286 btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2291 /* When FW download fails, send Intel Reset to retry
2294 btintel_reset_to_bootloader(hdev);
2298 /* Before switching the device into operational mode and with that
2299 * booting the loaded firmware, wait for the bootloader notification
2300 * that all fragments have been successfully received.
2302 * When the event processing receives the notification, then the
2303 * BTUSB_DOWNLOADING flag will be cleared.
2305 * The firmware loading should not take longer than 5 seconds
2306 * and thus just timeout if that happens and fail the setup
2309 err = btintel_download_wait(hdev, calltime, 5000);
2310 if (err == -ETIMEDOUT)
2311 btintel_reset_to_bootloader(hdev);
2314 release_firmware(fw);
2318 static int btintel_get_codec_config_data(struct hci_dev *hdev,
2319 __u8 link, struct bt_codec *codec,
2320 __u8 *ven_len, __u8 **ven_data)
2324 if (!ven_data || !ven_len)
2330 if (link != ESCO_LINK) {
2331 bt_dev_err(hdev, "Invalid link type(%u)", link);
2335 *ven_data = kmalloc(sizeof(__u8), GFP_KERNEL);
2341 /* supports only CVSD and mSBC offload codecs */
2342 switch (codec->id) {
2351 bt_dev_err(hdev, "Invalid codec id(%u)", codec->id);
2354 /* codec and its capabilities are pre-defined to ids
2355 * preset id = 0x00 represents CVSD codec with sampling rate 8K
2356 * preset id = 0x01 represents mSBC codec with sampling rate 16K
2358 *ven_len = sizeof(__u8);
2367 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id)
2369 /* Intel uses 1 as data path id for all the usecases */
2374 static int btintel_configure_offload(struct hci_dev *hdev)
2376 struct sk_buff *skb;
2378 struct intel_offload_use_cases *use_cases;
2380 skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT);
2382 bt_dev_err(hdev, "Reading offload use cases failed (%ld)",
2384 return PTR_ERR(skb);
2387 if (skb->len < sizeof(*use_cases)) {
2392 use_cases = (void *)skb->data;
2394 if (use_cases->status) {
2395 err = -bt_to_errno(skb->data[0]);
2399 if (use_cases->preset[0] & 0x03) {
2400 hdev->get_data_path_id = btintel_get_data_path_id;
2401 hdev->get_codec_config_data = btintel_get_codec_config_data;
2408 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver)
2410 struct sk_buff *skb;
2411 struct hci_ppag_enable_cmd ppag_cmd;
2413 struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL};
2414 union acpi_object *p, *elements;
2418 /* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */
2419 switch (ver->cnvr_top & 0xFFF) {
2420 case 0x504: /* Hrp2 */
2421 case 0x202: /* Jfp2 */
2422 case 0x201: /* Jfp1 */
2423 bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)",
2424 ver->cnvr_top & 0xFFF);
2428 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2430 bt_dev_info(hdev, "No support for BT device in ACPI firmware");
2434 status = acpi_evaluate_object(handle, "PPAG", NULL, &buffer);
2435 if (ACPI_FAILURE(status)) {
2436 if (status == AE_NOT_FOUND) {
2437 bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found");
2440 bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status));
2445 if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
2446 bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d",
2447 p->type, p->package.count);
2448 kfree(buffer.pointer);
2452 elements = p->package.elements;
2454 /* PPAG table is located at element[1] */
2457 domain = (u32)p->package.elements[0].integer.value;
2458 mode = (u32)p->package.elements[1].integer.value;
2459 kfree(buffer.pointer);
2461 if (domain != 0x12) {
2462 bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware");
2467 * BIT 0 : 0 Disabled in EU
2469 * BIT 1 : 0 Disabled in China
2470 * 1 Enabled in China
2475 bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in BIOS");
2479 ppag_cmd.ppag_enable_flags = cpu_to_le32(mode);
2481 skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd),
2482 &ppag_cmd, HCI_CMD_TIMEOUT);
2484 bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb));
2487 bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", mode);
2491 static int btintel_acpi_reset_method(struct hci_dev *hdev)
2495 union acpi_object *p, *ref;
2496 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
2498 status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer);
2499 if (ACPI_FAILURE(status)) {
2500 bt_dev_err(hdev, "Failed to run _PRR method");
2506 if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) {
2507 bt_dev_err(hdev, "Invalid arguments");
2512 ref = &p->package.elements[0];
2513 if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) {
2514 bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type);
2519 status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL);
2520 if (ACPI_FAILURE(status)) {
2521 bt_dev_err(hdev, "Failed to run_RST method");
2527 kfree(buffer.pointer);
2531 static void btintel_set_dsm_reset_method(struct hci_dev *hdev,
2532 struct intel_version_tlv *ver_tlv)
2534 struct btintel_data *data = hci_get_priv(hdev);
2535 acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2536 u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00};
2537 union acpi_object *obj, argv4;
2539 RESET_TYPE_WDISABLE2,
2543 handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2546 bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware");
2550 if (!acpi_has_method(handle, "_PRR")) {
2551 bt_dev_err(hdev, "No support for _PRR ACPI method");
2555 switch (ver_tlv->cnvi_top & 0xfff) {
2556 case 0x910: /* GalePeak2 */
2557 reset_payload[2] = RESET_TYPE_VSEC;
2560 /* WDISABLE2 is the default reset method */
2561 reset_payload[2] = RESET_TYPE_WDISABLE2;
2563 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0,
2564 BIT(DSM_SET_WDISABLE2_DELAY))) {
2565 bt_dev_err(hdev, "No dsm support to set reset delay");
2568 argv4.integer.type = ACPI_TYPE_INTEGER;
2569 /* delay required to toggle BT power */
2570 argv4.integer.value = 160;
2571 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0,
2572 DSM_SET_WDISABLE2_DELAY, &argv4);
2574 bt_dev_err(hdev, "Failed to call dsm to set reset delay");
2580 bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]);
2582 if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0,
2583 DSM_SET_RESET_METHOD)) {
2584 bt_dev_warn(hdev, "No support for dsm to set reset method");
2587 argv4.buffer.type = ACPI_TYPE_BUFFER;
2588 argv4.buffer.length = sizeof(reset_payload);
2589 argv4.buffer.pointer = reset_payload;
2591 obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0,
2592 DSM_SET_RESET_METHOD, &argv4);
2594 bt_dev_err(hdev, "Failed to call dsm to set reset method");
2598 data->acpi_reset_method = btintel_acpi_reset_method;
2601 #define BTINTEL_ISODATA_HANDLE_BASE 0x900
2603 static u8 btintel_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb)
2606 * Distinguish ISO data packets form ACL data packets
2607 * based on their connection handle value range.
2609 if (hci_skb_pkt_type(skb) == HCI_ACLDATA_PKT) {
2610 __u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle);
2612 if (hci_handle(handle) >= BTINTEL_ISODATA_HANDLE_BASE)
2613 return HCI_ISODATA_PKT;
2616 return hci_skb_pkt_type(skb);
2619 int btintel_bootloader_setup_tlv(struct hci_dev *hdev,
2620 struct intel_version_tlv *ver)
2625 struct intel_version_tlv new_ver;
2627 bt_dev_dbg(hdev, "");
2629 /* Set the default boot parameter to 0x0 and it is updated to
2630 * SKU specific boot parameter after reading Intel_Write_Boot_Params
2631 * command while downloading the firmware.
2633 boot_param = 0x00000000;
2635 btintel_set_flag(hdev, INTEL_BOOTLOADER);
2637 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param);
2641 /* check if controller is already having an operational firmware */
2642 if (ver->img_type == BTINTEL_IMG_OP)
2645 err = btintel_boot(hdev, boot_param);
2649 err = btintel_read_version_tlv(hdev, ver);
2653 /* If image type returned is BTINTEL_IMG_IML, then controller supports
2654 * intermediate loader image
2656 if (ver->img_type == BTINTEL_IMG_IML) {
2657 err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param);
2661 err = btintel_boot(hdev, boot_param);
2666 btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2668 btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc");
2669 /* Once the device is running in operational mode, it needs to
2670 * apply the device configuration (DDC) parameters.
2672 * The device can work without DDC parameters, so even if it
2673 * fails to load the file, no need to fail the setup.
2675 btintel_load_ddc_config(hdev, ddcname);
2677 /* Read supported use cases and set callbacks to fetch datapath id */
2678 btintel_configure_offload(hdev);
2680 hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
2682 /* Set PPAG feature */
2683 btintel_set_ppag(hdev, ver);
2685 /* Read the Intel version information after loading the FW */
2686 err = btintel_read_version_tlv(hdev, &new_ver);
2690 btintel_version_info_tlv(hdev, &new_ver);
2693 /* Set the event mask for Intel specific vendor events. This enables
2694 * a few extra events that are useful during general operation. It
2695 * does not enable any debugging related events.
2697 * The device will function correctly without these events enabled
2698 * and thus no need to fail the setup.
2700 btintel_set_event_mask(hdev, false);
2704 EXPORT_SYMBOL_GPL(btintel_bootloader_setup_tlv);
2706 void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant)
2708 switch (hw_variant) {
2709 /* Legacy bootloader devices that supports MSFT Extension */
2710 case 0x11: /* JfP */
2711 case 0x12: /* ThP */
2712 case 0x13: /* HrP */
2713 case 0x14: /* CcP */
2714 /* All Intel new genration controllers support the Microsoft vendor
2715 * extension are using 0xFC1E for VsMsftOpCode.
2724 hci_set_msft_opcode(hdev, 0xFC1E);
2731 EXPORT_SYMBOL_GPL(btintel_set_msft_opcode);
2733 void btintel_print_fseq_info(struct hci_dev *hdev)
2735 struct sk_buff *skb;
2740 skb = __hci_cmd_sync(hdev, 0xfcb3, 0, NULL, HCI_CMD_TIMEOUT);
2742 bt_dev_dbg(hdev, "Reading fseq status command failed (%ld)",
2747 if (skb->len < (sizeof(u32) * 16 + 2)) {
2748 bt_dev_dbg(hdev, "Malformed packet of length %u received",
2754 p = skb_pull_data(skb, 1);
2756 bt_dev_dbg(hdev, "Failed to get fseq status (0x%2.2x)", *p);
2761 p = skb_pull_data(skb, 1);
2767 str = "Fatal error";
2770 str = "Semaphore acquire error";
2773 str = "Unknown error";
2778 bt_dev_err(hdev, "Fseq status: %s (0x%2.2x)", str, *p);
2783 bt_dev_info(hdev, "Fseq status: %s (0x%2.2x)", str, *p);
2785 val = get_unaligned_le32(skb_pull_data(skb, 4));
2786 bt_dev_dbg(hdev, "Reason: 0x%8.8x", val);
2788 val = get_unaligned_le32(skb_pull_data(skb, 4));
2789 bt_dev_dbg(hdev, "Global version: 0x%8.8x", val);
2791 val = get_unaligned_le32(skb_pull_data(skb, 4));
2792 bt_dev_dbg(hdev, "Installed version: 0x%8.8x", val);
2795 skb_pull_data(skb, 4);
2796 bt_dev_info(hdev, "Fseq executed: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1],
2800 skb_pull_data(skb, 4);
2801 bt_dev_info(hdev, "Fseq BT Top: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1],
2804 val = get_unaligned_le32(skb_pull_data(skb, 4));
2805 bt_dev_dbg(hdev, "Fseq Top init version: 0x%8.8x", val);
2807 val = get_unaligned_le32(skb_pull_data(skb, 4));
2808 bt_dev_dbg(hdev, "Fseq Cnvio init version: 0x%8.8x", val);
2810 val = get_unaligned_le32(skb_pull_data(skb, 4));
2811 bt_dev_dbg(hdev, "Fseq MBX Wifi file version: 0x%8.8x", val);
2813 val = get_unaligned_le32(skb_pull_data(skb, 4));
2814 bt_dev_dbg(hdev, "Fseq BT version: 0x%8.8x", val);
2816 val = get_unaligned_le32(skb_pull_data(skb, 4));
2817 bt_dev_dbg(hdev, "Fseq Top reset address: 0x%8.8x", val);
2819 val = get_unaligned_le32(skb_pull_data(skb, 4));
2820 bt_dev_dbg(hdev, "Fseq MBX timeout: 0x%8.8x", val);
2822 val = get_unaligned_le32(skb_pull_data(skb, 4));
2823 bt_dev_dbg(hdev, "Fseq MBX ack: 0x%8.8x", val);
2825 val = get_unaligned_le32(skb_pull_data(skb, 4));
2826 bt_dev_dbg(hdev, "Fseq CNVi id: 0x%8.8x", val);
2828 val = get_unaligned_le32(skb_pull_data(skb, 4));
2829 bt_dev_dbg(hdev, "Fseq CNVr id: 0x%8.8x", val);
2831 val = get_unaligned_le32(skb_pull_data(skb, 4));
2832 bt_dev_dbg(hdev, "Fseq Error handle: 0x%8.8x", val);
2834 val = get_unaligned_le32(skb_pull_data(skb, 4));
2835 bt_dev_dbg(hdev, "Fseq Magic noalive indication: 0x%8.8x", val);
2837 val = get_unaligned_le32(skb_pull_data(skb, 4));
2838 bt_dev_dbg(hdev, "Fseq OTP version: 0x%8.8x", val);
2840 val = get_unaligned_le32(skb_pull_data(skb, 4));
2841 bt_dev_dbg(hdev, "Fseq MBX otp version: 0x%8.8x", val);
2845 EXPORT_SYMBOL_GPL(btintel_print_fseq_info);
2847 static int btintel_setup_combined(struct hci_dev *hdev)
2849 const u8 param[1] = { 0xFF };
2850 struct intel_version ver;
2851 struct intel_version_tlv ver_tlv;
2852 struct sk_buff *skb;
2855 BT_DBG("%s", hdev->name);
2857 /* The some controllers have a bug with the first HCI command sent to it
2858 * returning number of completed commands as zero. This would stall the
2859 * command processing in the Bluetooth core.
2861 * As a workaround, send HCI Reset command first which will reset the
2862 * number of completed commands and allow normal command processing
2865 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe
2866 * in the SW_RFKILL ON state as a workaround of fixing LED issue during
2867 * the shutdown() procedure, and once the device is in SW_RFKILL ON
2868 * state, the only way to exit out of it is sending the HCI_Reset
2871 if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) ||
2872 btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
2873 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
2877 "sending initial HCI reset failed (%ld)",
2879 return PTR_ERR(skb);
2884 /* Starting from TyP device, the command parameter and response are
2885 * changed even though the OCF for HCI_Intel_Read_Version command
2886 * remains same. The legacy devices can handle even if the
2887 * command has a parameter and returns a correct version information.
2888 * So, it uses new format to support both legacy and new format.
2890 skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
2892 bt_dev_err(hdev, "Reading Intel version command failed (%ld)",
2894 return PTR_ERR(skb);
2897 /* Check the status */
2899 bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
2905 /* Apply the common HCI quirks for Intel device */
2906 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2907 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
2908 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
2910 /* Set up the quality report callback for Intel devices */
2911 hdev->set_quality_report = btintel_set_quality_report;
2913 /* For Legacy device, check the HW platform value and size */
2914 if (skb->len == sizeof(ver) && skb->data[1] == 0x37) {
2915 bt_dev_dbg(hdev, "Read the legacy Intel version information");
2917 memcpy(&ver, skb->data, sizeof(ver));
2919 /* Display version information */
2920 btintel_version_info(hdev, &ver);
2922 /* Check for supported iBT hardware variants of this firmware
2925 * This check has been put in place to ensure correct forward
2926 * compatibility options when newer hardware variants come
2929 switch (ver.hw_variant) {
2931 case 0x08: /* StP */
2932 /* Legacy ROM product */
2933 btintel_set_flag(hdev, INTEL_ROM_LEGACY);
2935 /* Apply the device specific HCI quirks
2937 * WBS for SdP - For the Legacy ROM products, only SdP
2938 * supports the WBS. But the version information is not
2939 * enough to use here because the StP2 and SdP have same
2940 * hw_variant and fw_variant. So, this flag is set by
2941 * the transport driver (btusb) based on the HW info
2944 if (!btintel_test_flag(hdev,
2945 INTEL_ROM_LEGACY_NO_WBS_SUPPORT))
2946 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
2948 if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22)
2949 set_bit(HCI_QUIRK_VALID_LE_STATES,
2952 err = btintel_legacy_rom_setup(hdev, &ver);
2954 case 0x0b: /* SfP */
2955 case 0x11: /* JfP */
2956 case 0x12: /* ThP */
2957 case 0x13: /* HrP */
2958 case 0x14: /* CcP */
2959 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
2961 case 0x0c: /* WsP */
2962 /* Apply the device specific HCI quirks
2964 * All Legacy bootloader devices support WBS
2966 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
2969 /* These variants don't seem to support LE Coded PHY */
2970 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks);
2972 /* Setup MSFT Extension support */
2973 btintel_set_msft_opcode(hdev, ver.hw_variant);
2975 err = btintel_bootloader_setup(hdev, &ver);
2976 btintel_register_devcoredump_support(hdev);
2979 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
2984 hci_set_hw_info(hdev,
2985 "INTEL platform=%u variant=%u revision=%u",
2986 ver.hw_platform, ver.hw_variant,
2992 /* memset ver_tlv to start with clean state as few fields are exclusive
2993 * to bootloader mode and are not populated in operational mode
2995 memset(&ver_tlv, 0, sizeof(ver_tlv));
2996 /* For TLV type device, parse the tlv data */
2997 err = btintel_parse_version_tlv(hdev, &ver_tlv, skb);
2999 bt_dev_err(hdev, "Failed to parse TLV version information");
3003 if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) {
3004 bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
3005 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt));
3010 /* Check for supported iBT hardware variants of this firmware
3013 * This check has been put in place to ensure correct forward
3014 * compatibility options when newer hardware variants come
3017 switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) {
3018 case 0x11: /* JfP */
3019 case 0x12: /* ThP */
3020 case 0x13: /* HrP */
3021 case 0x14: /* CcP */
3022 /* Some legacy bootloader devices starting from JfP,
3023 * the operational firmware supports both old and TLV based
3024 * HCI_Intel_Read_Version command based on the command
3027 * For upgrading firmware case, the TLV based version cannot
3028 * be used because the firmware filename for legacy bootloader
3029 * is based on the old format.
3031 * Also, it is not easy to convert TLV based version from the
3032 * legacy version format.
3034 * So, as a workaround for those devices, use the legacy
3035 * HCI_Intel_Read_Version to get the version information and
3036 * run the legacy bootloader setup.
3038 err = btintel_read_version(hdev, &ver);
3042 /* Apply the device specific HCI quirks
3044 * All Legacy bootloader devices support WBS
3046 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
3048 /* These variants don't seem to support LE Coded PHY */
3049 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks);
3051 /* Set Valid LE States quirk */
3052 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
3054 /* Setup MSFT Extension support */
3055 btintel_set_msft_opcode(hdev, ver.hw_variant);
3057 err = btintel_bootloader_setup(hdev, &ver);
3058 btintel_register_devcoredump_support(hdev);
3060 case 0x18: /* GfP2 */
3061 case 0x1c: /* GaP */
3062 /* Re-classify packet type for controllers with LE audio */
3063 hdev->classify_pkt_type = btintel_classify_pkt_type;
3070 /* Display version information of TLV type */
3071 btintel_version_info_tlv(hdev, &ver_tlv);
3073 /* Apply the device specific HCI quirks for TLV based devices
3075 * All TLV based devices support WBS
3077 set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
3079 /* Apply LE States quirk from solar onwards */
3080 set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
3082 /* Setup MSFT Extension support */
3083 btintel_set_msft_opcode(hdev,
3084 INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
3085 btintel_set_dsm_reset_method(hdev, &ver_tlv);
3087 err = btintel_bootloader_setup_tlv(hdev, &ver_tlv);
3091 btintel_register_devcoredump_support(hdev);
3092 btintel_print_fseq_info(hdev);
3095 bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
3096 INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
3101 hci_set_hw_info(hdev, "INTEL platform=%u variant=%u",
3102 INTEL_HW_PLATFORM(ver_tlv.cnvi_bt),
3103 INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
3111 int btintel_shutdown_combined(struct hci_dev *hdev)
3113 struct sk_buff *skb;
3116 /* Send HCI Reset to the controller to stop any BT activity which
3117 * were triggered. This will help to save power and maintain the
3118 * sync b/w Host and controller
3120 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
3122 bt_dev_err(hdev, "HCI reset during shutdown failed");
3123 return PTR_ERR(skb);
3128 /* Some platforms have an issue with BT LED when the interface is
3129 * down or BT radio is turned off, which takes 5 seconds to BT LED
3130 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the
3131 * device in the RFKILL ON state which turns off the BT LED immediately.
3133 if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
3134 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
3137 bt_dev_err(hdev, "turning off Intel device LED failed");
3145 EXPORT_SYMBOL_GPL(btintel_shutdown_combined);
3147 int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name)
3149 hdev->manufacturer = 2;
3150 hdev->setup = btintel_setup_combined;
3151 hdev->shutdown = btintel_shutdown_combined;
3152 hdev->hw_error = btintel_hw_error;
3153 hdev->set_diag = btintel_set_diag_combined;
3154 hdev->set_bdaddr = btintel_set_bdaddr;
3156 coredump_info.driver_name = driver_name;
3160 EXPORT_SYMBOL_GPL(btintel_configure_setup);
3162 static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb)
3164 struct intel_tlv *tlv = (void *)&skb->data[5];
3166 /* The first event is always an event type TLV */
3167 if (tlv->type != INTEL_TLV_TYPE_ID)
3170 switch (tlv->val[0]) {
3171 case INTEL_TLV_SYSTEM_EXCEPTION:
3172 case INTEL_TLV_FATAL_EXCEPTION:
3173 case INTEL_TLV_DEBUG_EXCEPTION:
3174 case INTEL_TLV_TEST_EXCEPTION:
3175 /* Generate devcoredump from exception */
3176 if (!hci_devcd_init(hdev, skb->len)) {
3177 hci_devcd_append(hdev, skb);
3178 hci_devcd_complete(hdev);
3180 bt_dev_err(hdev, "Failed to generate devcoredump");
3185 bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]);
3189 return hci_recv_frame(hdev, skb);
3192 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb)
3194 struct hci_event_hdr *hdr = (void *)skb->data;
3195 const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 };
3197 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff &&
3199 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1;
3200 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1;
3202 if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
3203 switch (skb->data[2]) {
3205 /* When switching to the operational firmware
3206 * the device sends a vendor specific event
3207 * indicating that the bootup completed.
3209 btintel_bootup(hdev, ptr, len);
3212 /* When the firmware loading completes the
3213 * device sends out a vendor specific event
3214 * indicating the result of the firmware
3217 btintel_secure_send_result(hdev, ptr, len);
3222 /* Handle all diagnostics events separately. May still call
3225 if (len >= sizeof(diagnostics_hdr) &&
3226 memcmp(&skb->data[2], diagnostics_hdr,
3227 sizeof(diagnostics_hdr)) == 0) {
3228 return btintel_diagnostics(hdev, skb);
3232 return hci_recv_frame(hdev, skb);
3234 EXPORT_SYMBOL_GPL(btintel_recv_event);
3236 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len)
3238 const struct intel_bootup *evt = ptr;
3240 if (len != sizeof(*evt))
3243 if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING))
3244 btintel_wake_up_flag(hdev, INTEL_BOOTING);
3246 EXPORT_SYMBOL_GPL(btintel_bootup);
3248 void btintel_secure_send_result(struct hci_dev *hdev,
3249 const void *ptr, unsigned int len)
3251 const struct intel_secure_send_result *evt = ptr;
3253 if (len != sizeof(*evt))
3257 btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED);
3259 if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) &&
3260 btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED))
3261 btintel_wake_up_flag(hdev, INTEL_DOWNLOADING);
3263 EXPORT_SYMBOL_GPL(btintel_secure_send_result);
3266 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
3267 MODULE_VERSION(VERSION);
3268 MODULE_LICENSE("GPL");
3269 MODULE_FIRMWARE("intel/ibt-11-5.sfi");
3270 MODULE_FIRMWARE("intel/ibt-11-5.ddc");
3271 MODULE_FIRMWARE("intel/ibt-12-16.sfi");
3272 MODULE_FIRMWARE("intel/ibt-12-16.ddc");