drivers/firmware/microchip/mpfs-auto-update.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * Microchip Polarfire SoC "Auto Update" FPGA reprogramming.
   4  *
   5  * Documentation of this functionality is available in the "PolarFire® FPGA and
   6  * PolarFire SoC FPGA Programming" User Guide.
   7  *
   8  * Copyright (c) 2022-2023 Microchip Corporation. All rights reserved.
   9  *
  10  * Author: Conor Dooley <conor.dooley@microchip.com>
  11  */
  12 #include <linux/cleanup.h>
  13 #include <linux/debugfs.h>
  14 #include <linux/firmware.h>
  15 #include <linux/math.h>
  16 #include <linux/module.h>
  17 #include <linux/mtd/mtd.h>
  18 #include <linux/platform_device.h>
  19 #include <linux/sizes.h>
  20
  21 #include <soc/microchip/mpfs.h>
  22
  23 #define AUTO_UPDATE_DEFAULT_MBOX_OFFSET         0u
  24 #define AUTO_UPDATE_DEFAULT_RESP_OFFSET         0u
  25
  26 #define AUTO_UPDATE_FEATURE_CMD_OPCODE          0x05u
  27 #define AUTO_UPDATE_FEATURE_CMD_DATA_SIZE       0u
  28 #define AUTO_UPDATE_FEATURE_RESP_SIZE           33u
  29 #define AUTO_UPDATE_FEATURE_CMD_DATA            NULL
  30 #define AUTO_UPDATE_FEATURE_ENABLED             BIT(5)
  31
  32 #define AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE     0x22u
  33 #define AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE  0u
  34 #define AUTO_UPDATE_AUTHENTICATE_RESP_SIZE      1u
  35 #define AUTO_UPDATE_AUTHENTICATE_CMD_DATA       NULL
  36
  37 #define AUTO_UPDATE_PROGRAM_CMD_OPCODE          0x46u
  38 #define AUTO_UPDATE_PROGRAM_CMD_DATA_SIZE       0u
  39 #define AUTO_UPDATE_PROGRAM_RESP_SIZE           1u
  40 #define AUTO_UPDATE_PROGRAM_CMD_DATA            NULL
  41
  42 /*
  43  * SPI Flash layout example:
  44  * |------------------------------| 0x0000000
  45  * | 1 KiB                        |
  46  * | SPI "directories"            |
  47  * |------------------------------| 0x0000400
  48  * | 1 MiB                        |
  49  * | Reserved area                |
  50  * | Used for bitstream info      |
  51  * |------------------------------| 0x0100400
  52  * | 20 MiB                       |
  53  * | Golden Image                 |
  54  * |------------------------------| 0x1500400
  55  * | 20 MiB                       |
  56  * | Auto Upgrade Image           |
  57  * |------------------------------| 0x2900400
  58  * | 20 MiB                       |
  59  * | Reserved for multi-image IAP |
  60  * | Unused for Auto Upgrade      |
  61  * |------------------------------| 0x3D00400
  62  * | ? B                          |
  63  * | Unused                       |
  64  * |------------------------------| 0x?
  65  */
  66 #define AUTO_UPDATE_DIRECTORY_BASE      0u
  67 #define AUTO_UPDATE_DIRECTORY_WIDTH     4u
  68 #define AUTO_UPDATE_GOLDEN_INDEX        0u
  69 #define AUTO_UPDATE_UPGRADE_INDEX       1u
  70 #define AUTO_UPDATE_BLANK_INDEX         2u
  71 #define AUTO_UPDATE_GOLDEN_DIRECTORY    (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_GOLDEN_INDEX)
  72 #define AUTO_UPDATE_UPGRADE_DIRECTORY   (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_UPGRADE_INDEX)
  73 #define AUTO_UPDATE_BLANK_DIRECTORY     (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_BLANK_INDEX)
  74 #define AUTO_UPDATE_DIRECTORY_SIZE      SZ_1K
  75 #define AUTO_UPDATE_INFO_BASE           AUTO_UPDATE_DIRECTORY_SIZE
  76 #define AUTO_UPDATE_INFO_SIZE           SZ_1M
  77 #define AUTO_UPDATE_BITSTREAM_BASE      (AUTO_UPDATE_DIRECTORY_SIZE + AUTO_UPDATE_INFO_SIZE)
  78
  79 struct mpfs_auto_update_priv {
  80         struct mpfs_sys_controller *sys_controller;
  81         struct device *dev;
  82         struct mtd_info *flash;
  83         struct fw_upload *fw_uploader;
  84         size_t size_per_bitstream;
  85         bool cancel_request;
  86 };
  87
  88 static bool mpfs_auto_update_is_bitstream_info(const u8 *data, u32 size)
  89 {
  90         if (size < 4)
  91                 return false;
  92
  93         if (data[0] == 0x4d && data[1] == 0x43 && data[2] == 0x48 && data[3] == 0x50)
  94                 return true;
  95
  96         return false;
  97 }
  98
  99 static enum fw_upload_err mpfs_auto_update_prepare(struct fw_upload *fw_uploader, const u8 *data,
 100                                                    u32 size)
 101 {
 102         struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
 103         size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;
 104
 105         /*
 106          * Verifying the Golden Image is idealistic. It will be evaluated
 107          * against the currently programmed image and thus may fail - due to
 108          * either rollback protection (if its an older version than that in use)
 109          * or if the version is the same as that of the in-use image.
 110          * Extracting the information as to why a failure occurred is not
 111          * currently possible due to limitations of the system controller
 112          * driver. If those are fixed, verification of the Golden Image should
 113          * be added here.
 114          */
 115
 116         priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller);
 117         if (!priv->flash)
 118                 return FW_UPLOAD_ERR_HW_ERROR;
 119
 120         erase_size = round_up(erase_size, (u64)priv->flash->erasesize);
 121
 122         /*
 123          * We need to calculate if we have enough space in the flash for the
 124          * new image.
 125          * First, chop off the first 1 KiB as it's reserved for the directory.
 126          * The 1 MiB reserved for design info needs to be ignored also.
 127          * All that remains is carved into 3 & rounded down to the erasesize.
 128          * If this is smaller than the image size, we abort.
 129          * There's also no need to consume more than 20 MiB per image.
 130          */
 131         priv->size_per_bitstream = priv->flash->size - SZ_1K - SZ_1M;
 132         priv->size_per_bitstream = round_down(priv->size_per_bitstream / 3, erase_size);
 133         if (priv->size_per_bitstream > 20 * SZ_1M)
 134                 priv->size_per_bitstream = 20 * SZ_1M;
 135
 136         if (priv->size_per_bitstream < size) {
 137                 dev_err(priv->dev,
 138                         "flash device has insufficient capacity to store this bitstream\n");
 139                 return FW_UPLOAD_ERR_INVALID_SIZE;
 140         }
 141
 142         priv->cancel_request = false;
 143
 144         return FW_UPLOAD_ERR_NONE;
 145 }
 146
 147 static void mpfs_auto_update_cancel(struct fw_upload *fw_uploader)
 148 {
 149         struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
 150
 151         priv->cancel_request = true;
 152 }
 153
 154 static enum fw_upload_err mpfs_auto_update_poll_complete(struct fw_upload *fw_uploader)
 155 {
 156         return FW_UPLOAD_ERR_NONE;
 157 }
 158
 159 static int mpfs_auto_update_verify_image(struct fw_upload *fw_uploader)
 160 {
 161         struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
 162         u32 *response_msg __free(kfree) =
 163                 kzalloc(AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg), GFP_KERNEL);
 164         struct mpfs_mss_response *response __free(kfree) =
 165                 kzalloc(sizeof(struct mpfs_mss_response), GFP_KERNEL);
 166         struct mpfs_mss_msg *message __free(kfree) =
 167                 kzalloc(sizeof(struct mpfs_mss_msg), GFP_KERNEL);
 168         int ret;
 169
 170         if (!response_msg || !response || !message)
 171                 return -ENOMEM;
 172
 173         /*
 174          * The system controller can verify that an image in the flash is valid.
 175          * Rather than duplicate the check in this driver, call the relevant
 176          * service from the system controller instead.
 177          * This service has no command data and no response data. It overloads
 178          * mbox_offset with the image index in the flash's SPI directory where
 179          * the bitstream is located.
 180          */
 181         response->resp_msg = response_msg;
 182         response->resp_size = AUTO_UPDATE_AUTHENTICATE_RESP_SIZE;
 183         message->cmd_opcode = AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE;
 184         message->cmd_data_size = AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE;
 185         message->response = response;
 186         message->cmd_data = AUTO_UPDATE_AUTHENTICATE_CMD_DATA;
 187         message->mbox_offset = AUTO_UPDATE_UPGRADE_INDEX;
 188         message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;
 189
 190         dev_info(priv->dev, "Running verification of Upgrade Image\n");
 191         ret = mpfs_blocking_transaction(priv->sys_controller, message);
 192         if (ret | response->resp_status) {
 193                 dev_warn(priv->dev, "Verification of Upgrade Image failed!\n");
 194                 return ret ? ret : -EBADMSG;
 195         }
 196
 197         dev_info(priv->dev, "Verification of Upgrade Image passed!\n");
 198
 199         return 0;
 200 }
 201
 202 static int mpfs_auto_update_set_image_address(struct mpfs_auto_update_priv *priv,
 203                                               u32 image_address, loff_t directory_address)
 204 {
 205         struct erase_info erase;
 206         size_t erase_size = round_up(AUTO_UPDATE_DIRECTORY_SIZE, (u64)priv->flash->erasesize);
 207         size_t bytes_written = 0, bytes_read = 0;
 208         char *buffer __free(kfree) = kzalloc(erase_size, GFP_KERNEL);
 209         int ret;
 210
 211         if (!buffer)
 212                 return -ENOMEM;
 213
 214         erase.addr = AUTO_UPDATE_DIRECTORY_BASE;
 215         erase.len = erase_size;
 216
 217         /*
 218          * We need to write the "SPI DIRECTORY" to the first 1 KiB, telling
 219          * the system controller where to find the actual bitstream. Since
 220          * this is spi-nor, we have to read the first eraseblock, erase that
 221          * portion of the flash, modify the data and then write it back.
 222          * There's no need to do this though if things are already the way they
 223          * should be, so check and save the write in that case.
 224          */
 225         ret = mtd_read(priv->flash, AUTO_UPDATE_DIRECTORY_BASE, erase_size, &bytes_read,
 226                        (u_char *)buffer);
 227         if (ret)
 228                 return ret;
 229
 230         if (bytes_read != erase_size)
 231                 return -EIO;
 232
 233         if ((*(u32 *)(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY) == image_address) &&
 234             !(*(u32 *)(buffer + AUTO_UPDATE_BLANK_DIRECTORY)))
 235                 return 0;
 236
 237         ret = mtd_erase(priv->flash, &erase);
 238         if (ret)
 239                 return ret;
 240
 241         /*
 242          * Populate the image address and then zero out the next directory so
 243          * that the system controller doesn't complain if in "Single Image"
 244          * mode.
 245          */
 246         memcpy(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY, &image_address,
 247                AUTO_UPDATE_DIRECTORY_WIDTH);
 248         memset(buffer + AUTO_UPDATE_BLANK_DIRECTORY, 0x0, AUTO_UPDATE_DIRECTORY_WIDTH);
 249
 250         dev_info(priv->dev, "Writing the image address (0x%x) to the flash directory (0x%llx)\n",
 251                  image_address, directory_address);
 252
 253         ret = mtd_write(priv->flash, 0x0, erase_size, &bytes_written, (u_char *)buffer);
 254         if (ret)
 255                 return ret;
 256
 257         if (bytes_written != erase_size)
 258                 return -EIO;
 259
 260         return 0;
 261 }
 262
 263 static int mpfs_auto_update_write_bitstream(struct fw_upload *fw_uploader, const u8 *data,
 264                                             u32 offset, u32 size, u32 *written)
 265 {
 266         struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
 267         struct erase_info erase;
 268         loff_t directory_address = AUTO_UPDATE_UPGRADE_DIRECTORY;
 269         size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;
 270         size_t bytes_written = 0;
 271         bool is_info = mpfs_auto_update_is_bitstream_info(data, size);
 272         u32 image_address;
 273         int ret;
 274
 275         erase_size = round_up(erase_size, (u64)priv->flash->erasesize);
 276
 277         if (is_info)
 278                 image_address = AUTO_UPDATE_INFO_BASE;
 279         else
 280                 image_address = AUTO_UPDATE_BITSTREAM_BASE +
 281                                 AUTO_UPDATE_UPGRADE_INDEX * priv->size_per_bitstream;
 282
 283         /*
 284          * For bitstream info, the descriptor is written to a fixed offset,
 285          * so there is no need to set the image address.
 286          */
 287         if (!is_info) {
 288                 ret = mpfs_auto_update_set_image_address(priv, image_address, directory_address);
 289                 if (ret) {
 290                         dev_err(priv->dev, "failed to set image address in the SPI directory: %d\n", ret);
 291                         return ret;
 292                 }
 293         } else {
 294                 if (size > AUTO_UPDATE_INFO_SIZE) {
 295                         dev_err(priv->dev, "bitstream info exceeds permitted size\n");
 296                         return -ENOSPC;
 297                 }
 298         }
 299
 300         /*
 301          * Now the .spi image itself can be written to the flash. Preservation
 302          * of contents here is not important here, unlike the spi "directory"
 303          * which must be RMWed.
 304          */
 305         erase.len = round_up(size, (size_t)priv->flash->erasesize);
 306         erase.addr = image_address;
 307
 308         dev_info(priv->dev, "Erasing the flash at address (0x%x)\n", image_address);
 309         ret = mtd_erase(priv->flash, &erase);
 310         if (ret)
 311                 return ret;
 312
 313         /*
 314          * No parsing etc of the bitstream is required. The system controller
 315          * will do all of that itself - including verifying that the bitstream
 316          * is valid.
 317          */
 318         dev_info(priv->dev, "Writing the image to the flash at address (0x%x)\n", image_address);
 319         ret = mtd_write(priv->flash, (loff_t)image_address, size, &bytes_written, data);
 320         if (ret)
 321                 return ret;
 322
 323         if (bytes_written != size)
 324                 return -EIO;
 325
 326         *written = bytes_written;
 327         dev_info(priv->dev, "Wrote 0x%zx bytes to the flash\n", bytes_written);
 328
 329         return 0;
 330 }
 331
 332 static enum fw_upload_err mpfs_auto_update_write(struct fw_upload *fw_uploader, const u8 *data,
 333                                                  u32 offset, u32 size, u32 *written)
 334 {
 335         struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
 336         int ret;
 337
 338         ret = mpfs_auto_update_write_bitstream(fw_uploader, data, offset, size, written);
 339         if (ret)
 340                 return FW_UPLOAD_ERR_RW_ERROR;
 341
 342         if (priv->cancel_request)
 343                 return FW_UPLOAD_ERR_CANCELED;
 344
 345         if (mpfs_auto_update_is_bitstream_info(data, size))
 346                 return FW_UPLOAD_ERR_NONE;
 347
 348         ret = mpfs_auto_update_verify_image(fw_uploader);
 349         if (ret)
 350                 return FW_UPLOAD_ERR_FW_INVALID;
 351
 352         return FW_UPLOAD_ERR_NONE;
 353 }
 354
 355 static const struct fw_upload_ops mpfs_auto_update_ops = {
 356         .prepare = mpfs_auto_update_prepare,
 357         .write = mpfs_auto_update_write,
 358         .poll_complete = mpfs_auto_update_poll_complete,
 359         .cancel = mpfs_auto_update_cancel,
 360 };
 361
 362 static int mpfs_auto_update_available(struct mpfs_auto_update_priv *priv)
 363 {
 364         u32 *response_msg __free(kfree) =
 365                 kzalloc(AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg), GFP_KERNEL);
 366         struct mpfs_mss_response *response __free(kfree) =
 367                 kzalloc(sizeof(struct mpfs_mss_response), GFP_KERNEL);
 368         struct mpfs_mss_msg *message __free(kfree) =
 369                 kzalloc(sizeof(struct mpfs_mss_msg), GFP_KERNEL);
 370         int ret;
 371
 372         if (!response_msg || !response || !message)
 373                 return -ENOMEM;
 374
 375         /*
 376          * To verify that Auto Update is possible, the "Query Security Service
 377          * Request" is performed.
 378          * This service has no command data & does not overload mbox_offset.
 379          */
 380         response->resp_msg = response_msg;
 381         response->resp_size = AUTO_UPDATE_FEATURE_RESP_SIZE;
 382         message->cmd_opcode = AUTO_UPDATE_FEATURE_CMD_OPCODE;
 383         message->cmd_data_size = AUTO_UPDATE_FEATURE_CMD_DATA_SIZE;
 384         message->response = response;
 385         message->cmd_data = AUTO_UPDATE_FEATURE_CMD_DATA;
 386         message->mbox_offset = AUTO_UPDATE_DEFAULT_MBOX_OFFSET;
 387         message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;
 388
 389         ret = mpfs_blocking_transaction(priv->sys_controller, message);
 390         if (ret)
 391                 return ret;
 392
 393         /*
 394          * Currently, the system controller's firmware does not generate any
 395          * interrupts for failed services, so mpfs_blocking_transaction() should
 396          * time out & therefore return an error.
 397          * Hitting this check is highly unlikely at present, but if the system
 398          * controller's behaviour changes so that it does generate interrupts
 399          * for failed services, it will be required.
 400          */
 401         if (response->resp_status)
 402                 return -EIO;
 403
 404         /*
 405          * Bit 5 of byte 1 is "UL_Auto Update" & if it is set, Auto Update is
 406          * not possible.
 407          */
 408         if (response_msg[1] & AUTO_UPDATE_FEATURE_ENABLED)
 409                 return -EPERM;
 410
 411         return 0;
 412 }
 413
 414 static int mpfs_auto_update_probe(struct platform_device *pdev)
 415 {
 416         struct device *dev = &pdev->dev;
 417         struct mpfs_auto_update_priv *priv;
 418         struct fw_upload *fw_uploader;
 419         int ret;
 420
 421         priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
 422         if (!priv)
 423                 return -ENOMEM;
 424
 425         priv->sys_controller = mpfs_sys_controller_get(dev);
 426         if (IS_ERR(priv->sys_controller))
 427                 return dev_err_probe(dev, PTR_ERR(priv->sys_controller),
 428                                      "Could not register as a sub device of the system controller\n");
 429
 430         priv->dev = dev;
 431         platform_set_drvdata(pdev, priv);
 432
 433         ret = mpfs_auto_update_available(priv);
 434         if (ret)
 435                 return dev_err_probe(dev, ret,
 436                                      "The current bitstream does not support auto-update\n");
 437
 438         fw_uploader = firmware_upload_register(THIS_MODULE, dev, "mpfs-auto-update",
 439                                                &mpfs_auto_update_ops, priv);
 440         if (IS_ERR(fw_uploader))
 441                 return dev_err_probe(dev, PTR_ERR(fw_uploader),
 442                                      "Failed to register the bitstream uploader\n");
 443
 444         priv->fw_uploader = fw_uploader;
 445
 446         return 0;
 447 }
 448
 449 static void mpfs_auto_update_remove(struct platform_device *pdev)
 450 {
 451         struct mpfs_auto_update_priv *priv = platform_get_drvdata(pdev);
 452
 453         firmware_upload_unregister(priv->fw_uploader);
 454 }
 455
 456 static struct platform_driver mpfs_auto_update_driver = {
 457         .driver = {
 458                 .name = "mpfs-auto-update",
 459         },
 460         .probe = mpfs_auto_update_probe,
 461         .remove = mpfs_auto_update_remove,
 462 };
 463 module_platform_driver(mpfs_auto_update_driver);
 464
 465 MODULE_LICENSE("GPL");
 466 MODULE_AUTHOR("Conor Dooley <conor.dooley@microchip.com>");
 467 MODULE_DESCRIPTION("PolarFire SoC Auto Update FPGA reprogramming");