1 // SPDX-License-Identifier: GPL-2.0-only
5 * Copyright (c) 2017-2019, Silicon Laboratories, Inc.
6 * Copyright (c) 2010, ST-Ericsson
8 #include <linux/firmware.h>
9 #include <linux/slab.h>
11 #include <linux/bitfield.h>
17 // Addresses below are in SRAM area
18 #define WFX_DNLD_FIFO 0x09004000
19 #define DNLD_BLOCK_SIZE 0x0400
20 #define DNLD_FIFO_SIZE 0x8000 // (32 * DNLD_BLOCK_SIZE)
21 // Download Control Area (DCA)
22 #define WFX_DCA_IMAGE_SIZE 0x0900C000
23 #define WFX_DCA_PUT 0x0900C004
24 #define WFX_DCA_GET 0x0900C008
25 #define WFX_DCA_HOST_STATUS 0x0900C00C
26 #define HOST_READY 0x87654321
27 #define HOST_INFO_READ 0xA753BD99
28 #define HOST_UPLOAD_PENDING 0xABCDDCBA
29 #define HOST_UPLOAD_COMPLETE 0xD4C64A99
30 #define HOST_OK_TO_JUMP 0x174FC882
31 #define WFX_DCA_NCP_STATUS 0x0900C010
32 #define NCP_NOT_READY 0x12345678
33 #define NCP_READY 0x87654321
34 #define NCP_INFO_READY 0xBD53EF99
35 #define NCP_DOWNLOAD_PENDING 0xABCDDCBA
36 #define NCP_DOWNLOAD_COMPLETE 0xCAFEFECA
37 #define NCP_AUTH_OK 0xD4C64A99
38 #define NCP_AUTH_FAIL 0x174FC882
39 #define NCP_PUB_KEY_RDY 0x7AB41D19
40 #define WFX_DCA_FW_SIGNATURE 0x0900C014
41 #define FW_SIGNATURE_SIZE 0x40
42 #define WFX_DCA_FW_HASH 0x0900C054
43 #define FW_HASH_SIZE 0x08
44 #define WFX_DCA_FW_VERSION 0x0900C05C
45 #define FW_VERSION_SIZE 0x04
46 #define WFX_DCA_RESERVED 0x0900C060
47 #define DCA_RESERVED_SIZE 0x20
48 #define WFX_STATUS_INFO 0x0900C080
49 #define WFX_BOOTLOADER_LABEL 0x0900C084
50 #define BOOTLOADER_LABEL_SIZE 0x3C
51 #define WFX_PTE_INFO 0x0900C0C0
52 #define PTE_INFO_KEYSET_IDX 0x0D
53 #define PTE_INFO_SIZE 0x10
54 #define WFX_ERR_INFO 0x0900C0D0
55 #define ERR_INVALID_SEC_TYPE 0x05
56 #define ERR_SIG_VERIF_FAILED 0x0F
57 #define ERR_AES_CTRL_KEY 0x10
58 #define ERR_ECC_PUB_KEY 0x11
59 #define ERR_MAC_KEY 0x18
61 #define DCA_TIMEOUT 50 // milliseconds
62 #define WAKEUP_TIMEOUT 200 // milliseconds
64 static const char * const fwio_errors
[] = {
65 [ERR_INVALID_SEC_TYPE
] = "Invalid section type or wrong encryption",
66 [ERR_SIG_VERIF_FAILED
] = "Signature verification failed",
67 [ERR_AES_CTRL_KEY
] = "AES control key not initialized",
68 [ERR_ECC_PUB_KEY
] = "ECC public key not initialized",
69 [ERR_MAC_KEY
] = "MAC key not initialized",
73 * request_firmware() allocate data using vmalloc(). It is not compatible with
74 * underlying hardware that use DMA. Function below detect this case and
75 * allocate a bounce buffer if necessary.
77 * Notice that, in doubt, you can enable CONFIG_DEBUG_SG to ask kernel to
78 * detect this problem at runtime (else, kernel silently fail).
80 * NOTE: it may also be possible to use 'pages' from struct firmware and avoid
83 static int sram_write_dma_safe(struct wfx_dev
*wdev
, u32 addr
, const u8
*buf
,
89 if (!virt_addr_valid(buf
)) {
90 tmp
= kmemdup(buf
, len
, GFP_KERNEL
);
96 ret
= sram_buf_write(wdev
, addr
, tmp
, len
);
97 if (!virt_addr_valid(buf
))
102 int get_firmware(struct wfx_dev
*wdev
, u32 keyset_chip
,
103 const struct firmware
**fw
, int *file_offset
)
110 snprintf(filename
, sizeof(filename
), "%s_%02X.sec", wdev
->pdata
.file_fw
,
112 ret
= firmware_request_nowarn(fw
, filename
, wdev
->dev
);
114 dev_info(wdev
->dev
, "can't load %s, falling back to %s.sec\n",
115 filename
, wdev
->pdata
.file_fw
);
116 snprintf(filename
, sizeof(filename
), "%s.sec",
117 wdev
->pdata
.file_fw
);
118 ret
= request_firmware(fw
, filename
, wdev
->dev
);
120 dev_err(wdev
->dev
, "can't load %s\n", filename
);
127 if (memcmp(data
, "KEYSET", 6) != 0) {
128 // Legacy firmware format
133 keyset_file
= (hex_to_bin(data
[6]) * 16) | hex_to_bin(data
[7]);
134 if (keyset_file
< 0) {
135 dev_err(wdev
->dev
, "%s corrupted\n", filename
);
136 release_firmware(*fw
);
141 if (keyset_file
!= keyset_chip
) {
142 dev_err(wdev
->dev
, "firmware keyset is incompatible with chip (file: 0x%02X, chip: 0x%02X)\n",
143 keyset_file
, keyset_chip
);
144 release_firmware(*fw
);
148 wdev
->keyset
= keyset_file
;
152 static int wait_ncp_status(struct wfx_dev
*wdev
, u32 status
)
160 ret
= sram_reg_read(wdev
, WFX_DCA_NCP_STATUS
, ®
);
166 if (ktime_after(now
, ktime_add_ms(start
, DCA_TIMEOUT
)))
169 if (ktime_compare(now
, start
))
170 dev_dbg(wdev
->dev
, "chip answer after %lldus\n",
171 ktime_us_delta(now
, start
));
173 dev_dbg(wdev
->dev
, "chip answer immediately\n");
177 static int upload_firmware(struct wfx_dev
*wdev
, const u8
*data
, size_t len
)
180 u32 offs
, bytes_done
;
183 if (len
% DNLD_BLOCK_SIZE
) {
184 dev_err(wdev
->dev
, "firmware size is not aligned. Buffer overrun will occur\n");
191 ret
= sram_reg_read(wdev
, WFX_DCA_GET
, &bytes_done
);
196 DNLD_BLOCK_SIZE
- bytes_done
< DNLD_FIFO_SIZE
)
198 if (ktime_after(now
, ktime_add_ms(start
, DCA_TIMEOUT
)))
201 if (ktime_compare(now
, start
))
202 dev_dbg(wdev
->dev
, "answer after %lldus\n",
203 ktime_us_delta(now
, start
));
205 ret
= sram_write_dma_safe(wdev
, WFX_DNLD_FIFO
+
206 (offs
% DNLD_FIFO_SIZE
),
207 data
+ offs
, DNLD_BLOCK_SIZE
);
211 // WFx seems to not support writing 0 in this register during
213 offs
+= DNLD_BLOCK_SIZE
;
214 ret
= sram_reg_write(wdev
, WFX_DCA_PUT
, offs
);
221 static void print_boot_status(struct wfx_dev
*wdev
)
225 sram_reg_read(wdev
, WFX_STATUS_INFO
, ®
);
226 if (reg
== 0x12345678)
228 sram_reg_read(wdev
, WFX_ERR_INFO
, ®
);
229 if (reg
< ARRAY_SIZE(fwio_errors
) && fwio_errors
[reg
])
230 dev_info(wdev
->dev
, "secure boot: %s\n", fwio_errors
[reg
]);
232 dev_info(wdev
->dev
, "secure boot: Error %#02x\n", reg
);
235 static int load_firmware_secure(struct wfx_dev
*wdev
)
237 const struct firmware
*fw
= NULL
;
244 BUILD_BUG_ON(PTE_INFO_SIZE
> BOOTLOADER_LABEL_SIZE
);
245 buf
= kmalloc(BOOTLOADER_LABEL_SIZE
+ 1, GFP_KERNEL
);
249 sram_reg_write(wdev
, WFX_DCA_HOST_STATUS
, HOST_READY
);
250 ret
= wait_ncp_status(wdev
, NCP_INFO_READY
);
254 sram_buf_read(wdev
, WFX_BOOTLOADER_LABEL
, buf
, BOOTLOADER_LABEL_SIZE
);
255 buf
[BOOTLOADER_LABEL_SIZE
] = 0;
256 dev_dbg(wdev
->dev
, "bootloader: \"%s\"\n", buf
);
258 sram_buf_read(wdev
, WFX_PTE_INFO
, buf
, PTE_INFO_SIZE
);
259 ret
= get_firmware(wdev
, buf
[PTE_INFO_KEYSET_IDX
], &fw
, &fw_offset
);
262 header_size
= fw_offset
+ FW_SIGNATURE_SIZE
+ FW_HASH_SIZE
;
264 sram_reg_write(wdev
, WFX_DCA_HOST_STATUS
, HOST_INFO_READ
);
265 ret
= wait_ncp_status(wdev
, NCP_READY
);
269 sram_reg_write(wdev
, WFX_DNLD_FIFO
, 0xFFFFFFFF); // Fifo init
270 sram_write_dma_safe(wdev
, WFX_DCA_FW_VERSION
, "\x01\x00\x00\x00",
272 sram_write_dma_safe(wdev
, WFX_DCA_FW_SIGNATURE
, fw
->data
+ fw_offset
,
274 sram_write_dma_safe(wdev
, WFX_DCA_FW_HASH
,
275 fw
->data
+ fw_offset
+ FW_SIGNATURE_SIZE
,
277 sram_reg_write(wdev
, WFX_DCA_IMAGE_SIZE
, fw
->size
- header_size
);
278 sram_reg_write(wdev
, WFX_DCA_HOST_STATUS
, HOST_UPLOAD_PENDING
);
279 ret
= wait_ncp_status(wdev
, NCP_DOWNLOAD_PENDING
);
284 ret
= upload_firmware(wdev
, fw
->data
+ header_size
,
285 fw
->size
- header_size
);
288 dev_dbg(wdev
->dev
, "firmware load after %lldus\n",
289 ktime_us_delta(ktime_get(), start
));
291 sram_reg_write(wdev
, WFX_DCA_HOST_STATUS
, HOST_UPLOAD_COMPLETE
);
292 ret
= wait_ncp_status(wdev
, NCP_AUTH_OK
);
293 // Legacy ROM support
295 ret
= wait_ncp_status(wdev
, NCP_PUB_KEY_RDY
);
298 sram_reg_write(wdev
, WFX_DCA_HOST_STATUS
, HOST_OK_TO_JUMP
);
303 release_firmware(fw
);
305 print_boot_status(wdev
);
309 static int init_gpr(struct wfx_dev
*wdev
)
312 static const struct {
323 for (i
= 0; i
< ARRAY_SIZE(gpr_init
); i
++) {
324 ret
= igpr_reg_write(wdev
, gpr_init
[i
].index
,
328 dev_dbg(wdev
->dev
, " index %02x: %08x\n", gpr_init
[i
].index
,
334 int wfx_init_device(struct wfx_dev
*wdev
)
337 int hw_revision
, hw_type
;
338 int wakeup_timeout
= 50; // ms
342 reg
= CFG_DIRECT_ACCESS_MODE
| CFG_CPU_RESET
| CFG_BYTE_ORDER_ABCD
;
343 if (wdev
->pdata
.use_rising_clk
)
344 reg
|= CFG_CLK_RISE_EDGE
;
345 ret
= config_reg_write(wdev
, reg
);
347 dev_err(wdev
->dev
, "bus returned an error during first write access. Host configuration error?\n");
351 ret
= config_reg_read(wdev
, ®
);
353 dev_err(wdev
->dev
, "bus returned an error during first read access. Bus configuration error?\n");
356 if (reg
== 0 || reg
== ~0) {
357 dev_err(wdev
->dev
, "chip mute. Bus configuration error or chip wasn't reset?\n");
360 dev_dbg(wdev
->dev
, "initial config register value: %08x\n", reg
);
362 hw_revision
= FIELD_GET(CFG_DEVICE_ID_MAJOR
, reg
);
363 if (hw_revision
== 0 || hw_revision
> 2) {
364 dev_err(wdev
->dev
, "bad hardware revision number: %d\n",
368 hw_type
= FIELD_GET(CFG_DEVICE_ID_TYPE
, reg
);
370 dev_notice(wdev
->dev
, "development hardware detected\n");
371 wakeup_timeout
= 2000;
374 ret
= init_gpr(wdev
);
378 ret
= control_reg_write(wdev
, CTRL_WLAN_WAKEUP
);
383 ret
= control_reg_read(wdev
, ®
);
385 if (reg
& CTRL_WLAN_READY
)
387 if (ktime_after(now
, ktime_add_ms(start
, wakeup_timeout
))) {
388 dev_err(wdev
->dev
, "chip didn't wake up. Chip wasn't reset?\n");
392 dev_dbg(wdev
->dev
, "chip wake up after %lldus\n",
393 ktime_us_delta(now
, start
));
395 ret
= config_reg_write_bits(wdev
, CFG_CPU_RESET
, 0);
398 ret
= load_firmware_secure(wdev
);
401 ret
= config_reg_write_bits(wdev
,
402 CFG_DIRECT_ACCESS_MODE
|
403 CFG_IRQ_ENABLE_DATA
|
405 CFG_IRQ_ENABLE_DATA
);