linux/drivers/net/wimax/i2400m/fw.c
<<
>>
Prefs
   1/*
   2 * Intel Wireless WiMAX Connection 2400m
   3 * Firmware uploader
   4 *
   5 *
   6 * Copyright (C) 2007-2008 Intel Corporation. All rights reserved.
   7 *
   8 * Redistribution and use in source and binary forms, with or without
   9 * modification, are permitted provided that the following conditions
  10 * are met:
  11 *
  12 *   * Redistributions of source code must retain the above copyright
  13 *     notice, this list of conditions and the following disclaimer.
  14 *   * Redistributions in binary form must reproduce the above copyright
  15 *     notice, this list of conditions and the following disclaimer in
  16 *     the documentation and/or other materials provided with the
  17 *     distribution.
  18 *   * Neither the name of Intel Corporation nor the names of its
  19 *     contributors may be used to endorse or promote products derived
  20 *     from this software without specific prior written permission.
  21 *
  22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  24 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  25 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  26 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  27 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  28 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  33 *
  34 *
  35 * Intel Corporation <linux-wimax@intel.com>
  36 * Yanir Lubetkin <yanirx.lubetkin@intel.com>
  37 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
  38 *  - Initial implementation
  39 *
  40 *
  41 * THE PROCEDURE
  42 *
  43 * The 2400m and derived devices work in two modes: boot-mode or
  44 * normal mode. In boot mode we can execute only a handful of commands
  45 * targeted at uploading the firmware and launching it.
  46 *
  47 * The 2400m enters boot mode when it is first connected to the
  48 * system, when it crashes and when you ask it to reboot. There are
  49 * two submodes of the boot mode: signed and non-signed. Signed takes
  50 * firmwares signed with a certain private key, non-signed takes any
  51 * firmware. Normal hardware takes only signed firmware.
  52 *
  53 * On boot mode, in USB, we write to the device using the bulk out
  54 * endpoint and read from it in the notification endpoint.
  55 *
  56 * Upon entrance to boot mode, the device sends (preceded with a few
  57 * zero length packets (ZLPs) on the notification endpoint in USB) a
  58 * reboot barker (4 le32 words with the same value). We ack it by
  59 * sending the same barker to the device. The device acks with a
  60 * reboot ack barker (4 le32 words with value I2400M_ACK_BARKER) and
  61 * then is fully booted. At this point we can upload the firmware.
  62 *
  63 * Note that different iterations of the device and EEPROM
  64 * configurations will send different [re]boot barkers; these are
  65 * collected in i2400m_barker_db along with the firmware
  66 * characteristics they require.
  67 *
  68 * This process is accomplished by the i2400m_bootrom_init()
  69 * function. All the device interaction happens through the
  70 * i2400m_bm_cmd() [boot mode command]. Special return values will
  71 * indicate if the device did reset during the process.
  72 *
  73 * After this, we read the MAC address and then (if needed)
  74 * reinitialize the device. We need to read it ahead of time because
  75 * in the future, we might not upload the firmware until userspace
  76 * 'ifconfig up's the device.
  77 *
  78 * We can then upload the firmware file. The file is composed of a BCF
  79 * header (basic data, keys and signatures) and a list of write
  80 * commands and payloads. Optionally more BCF headers might follow the
  81 * main payload. We first upload the header [i2400m_dnload_init()] and
  82 * then pass the commands and payloads verbatim to the i2400m_bm_cmd()
  83 * function [i2400m_dnload_bcf()]. Then we tell the device to jump to
  84 * the new firmware [i2400m_dnload_finalize()].
  85 *
  86 * Once firmware is uploaded, we are good to go :)
  87 *
  88 * When we don't know in which mode we are, we first try by sending a
  89 * warm reset request that will take us to boot-mode. If we time out
  90 * waiting for a reboot barker, that means maybe we are already in
  91 * boot mode, so we send a reboot barker.
  92 *
  93 * COMMAND EXECUTION
  94 *
  95 * This code (and process) is single threaded; for executing commands,
  96 * we post a URB to the notification endpoint, post the command, wait
  97 * for data on the notification buffer. We don't need to worry about
  98 * others as we know we are the only ones in there.
  99 *
 100 * BACKEND IMPLEMENTATION
 101 *
 102 * This code is bus-generic; the bus-specific driver provides back end
 103 * implementations to send a boot mode command to the device and to
 104 * read an acknolwedgement from it (or an asynchronous notification)
 105 * from it.
 106 *
 107 * FIRMWARE LOADING
 108 *
 109 * Note that in some cases, we can't just load a firmware file (for
 110 * example, when resuming). For that, we might cache the firmware
 111 * file. Thus, when doing the bootstrap, if there is a cache firmware
 112 * file, it is used; if not, loading from disk is attempted.
 113 *
 114 * ROADMAP
 115 *
 116 * i2400m_barker_db_init              Called by i2400m_driver_init()
 117 *   i2400m_barker_db_add
 118 *
 119 * i2400m_barker_db_exit              Called by i2400m_driver_exit()
 120 *
 121 * i2400m_dev_bootstrap               Called by __i2400m_dev_start()
 122 *   request_firmware
 123 *   i2400m_fw_bootstrap
 124 *     i2400m_fw_check
 125 *       i2400m_fw_hdr_check
 126 *     i2400m_fw_dnload
 127 *   release_firmware
 128 *
 129 * i2400m_fw_dnload
 130 *   i2400m_bootrom_init
 131 *     i2400m_bm_cmd
 132 *     i2400m_reset
 133 *   i2400m_dnload_init
 134 *     i2400m_dnload_init_signed
 135 *     i2400m_dnload_init_nonsigned
 136 *       i2400m_download_chunk
 137 *         i2400m_bm_cmd
 138 *   i2400m_dnload_bcf
 139 *     i2400m_bm_cmd
 140 *   i2400m_dnload_finalize
 141 *     i2400m_bm_cmd
 142 *
 143 * i2400m_bm_cmd
 144 *   i2400m->bus_bm_cmd_send()
 145 *   i2400m->bus_bm_wait_for_ack
 146 *   __i2400m_bm_ack_verify
 147 *     i2400m_is_boot_barker
 148 *
 149 * i2400m_bm_cmd_prepare              Used by bus-drivers to prep
 150 *                                    commands before sending
 151 *
 152 * i2400m_pm_notifier                 Called on Power Management events
 153 *   i2400m_fw_cache
 154 *   i2400m_fw_uncache
 155 */
 156#include <linux/firmware.h>
 157#include <linux/sched.h>
 158#include <linux/slab.h>
 159#include <linux/usb.h>
 160#include <linux/export.h>
 161#include "i2400m.h"
 162
 163
 164#define D_SUBMODULE fw
 165#include "debug-levels.h"
 166
 167
 168static const __le32 i2400m_ACK_BARKER[4] = {
 169        cpu_to_le32(I2400M_ACK_BARKER),
 170        cpu_to_le32(I2400M_ACK_BARKER),
 171        cpu_to_le32(I2400M_ACK_BARKER),
 172        cpu_to_le32(I2400M_ACK_BARKER)
 173};
 174
 175
 176/**
 177 * Prepare a boot-mode command for delivery
 178 *
 179 * @cmd: pointer to bootrom header to prepare
 180 *
 181 * Computes checksum if so needed. After calling this function, DO NOT
 182 * modify the command or header as the checksum won't work anymore.
 183 *
 184 * We do it from here because some times we cannot do it in the
 185 * original context the command was sent (it is a const), so when we
 186 * copy it to our staging buffer, we add the checksum there.
 187 */
 188void i2400m_bm_cmd_prepare(struct i2400m_bootrom_header *cmd)
 189{
 190        if (i2400m_brh_get_use_checksum(cmd)) {
 191                int i;
 192                u32 checksum = 0;
 193                const u32 *checksum_ptr = (void *) cmd->payload;
 194                for (i = 0; i < cmd->data_size / 4; i++)
 195                        checksum += cpu_to_le32(*checksum_ptr++);
 196                checksum += cmd->command + cmd->target_addr + cmd->data_size;
 197                cmd->block_checksum = cpu_to_le32(checksum);
 198        }
 199}
 200EXPORT_SYMBOL_GPL(i2400m_bm_cmd_prepare);
 201
 202
 203/*
 204 * Database of known barkers.
 205 *
 206 * A barker is what the device sends indicating he is ready to be
 207 * bootloaded. Different versions of the device will send different
 208 * barkers. Depending on the barker, it might mean the device wants
 209 * some kind of firmware or the other.
 210 */
 211static struct i2400m_barker_db {
 212        __le32 data[4];
 213} *i2400m_barker_db;
 214static size_t i2400m_barker_db_used, i2400m_barker_db_size;
 215
 216
 217static
 218int i2400m_zrealloc_2x(void **ptr, size_t *_count, size_t el_size,
 219                       gfp_t gfp_flags)
 220{
 221        size_t old_count = *_count,
 222                new_count = old_count ? 2 * old_count : 2,
 223                old_size = el_size * old_count,
 224                new_size = el_size * new_count;
 225        void *nptr = krealloc(*ptr, new_size, gfp_flags);
 226        if (nptr) {
 227                /* zero the other half or the whole thing if old_count
 228                 * was zero */
 229                if (old_size == 0)
 230                        memset(nptr, 0, new_size);
 231                else
 232                        memset(nptr + old_size, 0, old_size);
 233                *_count = new_count;
 234                *ptr = nptr;
 235                return 0;
 236        } else
 237                return -ENOMEM;
 238}
 239
 240
 241/*
 242 * Add a barker to the database
 243 *
 244 * This cannot used outside of this module and only at at module_init
 245 * time. This is to avoid the need to do locking.
 246 */
 247static
 248int i2400m_barker_db_add(u32 barker_id)
 249{
 250        int result;
 251
 252        struct i2400m_barker_db *barker;
 253        if (i2400m_barker_db_used >= i2400m_barker_db_size) {
 254                result = i2400m_zrealloc_2x(
 255                        (void **) &i2400m_barker_db, &i2400m_barker_db_size,
 256                        sizeof(i2400m_barker_db[0]), GFP_KERNEL);
 257                if (result < 0)
 258                        return result;
 259        }
 260        barker = i2400m_barker_db + i2400m_barker_db_used++;
 261        barker->data[0] = le32_to_cpu(barker_id);
 262        barker->data[1] = le32_to_cpu(barker_id);
 263        barker->data[2] = le32_to_cpu(barker_id);
 264        barker->data[3] = le32_to_cpu(barker_id);
 265        return 0;
 266}
 267
 268
 269void i2400m_barker_db_exit(void)
 270{
 271        kfree(i2400m_barker_db);
 272        i2400m_barker_db = NULL;
 273        i2400m_barker_db_size = 0;
 274        i2400m_barker_db_used = 0;
 275}
 276
 277
 278/*
 279 * Helper function to add all the known stable barkers to the barker
 280 * database.
 281 */
 282static
 283int i2400m_barker_db_known_barkers(void)
 284{
 285        int result;
 286
 287        result = i2400m_barker_db_add(I2400M_NBOOT_BARKER);
 288        if (result < 0)
 289                goto error_add;
 290        result = i2400m_barker_db_add(I2400M_SBOOT_BARKER);
 291        if (result < 0)
 292                goto error_add;
 293        result = i2400m_barker_db_add(I2400M_SBOOT_BARKER_6050);
 294        if (result < 0)
 295                goto error_add;
 296error_add:
 297       return result;
 298}
 299
 300
 301/*
 302 * Initialize the barker database
 303 *
 304 * This can only be used from the module_init function for this
 305 * module; this is to avoid the need to do locking.
 306 *
 307 * @options: command line argument with extra barkers to
 308 *     recognize. This is a comma-separated list of 32-bit hex
 309 *     numbers. They are appended to the existing list. Setting 0
 310 *     cleans the existing list and starts a new one.
 311 */
 312int i2400m_barker_db_init(const char *_options)
 313{
 314        int result;
 315        char *options = NULL, *options_orig, *token;
 316
 317        i2400m_barker_db = NULL;
 318        i2400m_barker_db_size = 0;
 319        i2400m_barker_db_used = 0;
 320
 321        result = i2400m_barker_db_known_barkers();
 322        if (result < 0)
 323                goto error_add;
 324        /* parse command line options from i2400m.barkers */
 325        if (_options != NULL) {
 326                unsigned barker;
 327
 328                options_orig = kstrdup(_options, GFP_KERNEL);
 329                if (options_orig == NULL) {
 330                        result = -ENOMEM;
 331                        goto error_parse;
 332                }
 333                options = options_orig;
 334
 335                while ((token = strsep(&options, ",")) != NULL) {
 336                        if (*token == '\0')     /* eat joint commas */
 337                                continue;
 338                        if (sscanf(token, "%x", &barker) != 1
 339                            || barker > 0xffffffff) {
 340                                printk(KERN_ERR "%s: can't recognize "
 341                                       "i2400m.barkers value '%s' as "
 342                                       "a 32-bit number\n",
 343                                       __func__, token);
 344                                result = -EINVAL;
 345                                goto error_parse;
 346                        }
 347                        if (barker == 0) {
 348                                /* clean list and start new */
 349                                i2400m_barker_db_exit();
 350                                continue;
 351                        }
 352                        result = i2400m_barker_db_add(barker);
 353                        if (result < 0)
 354                                goto error_parse_add;
 355                }
 356                kfree(options_orig);
 357        }
 358        return 0;
 359
 360error_parse_add:
 361error_parse:
 362        kfree(options_orig);
 363error_add:
 364        kfree(i2400m_barker_db);
 365        return result;
 366}
 367
 368
 369/*
 370 * Recognize a boot barker
 371 *
 372 * @buf: buffer where the boot barker.
 373 * @buf_size: size of the buffer (has to be 16 bytes). It is passed
 374 *     here so the function can check it for the caller.
 375 *
 376 * Note that as a side effect, upon identifying the obtained boot
 377 * barker, this function will set i2400m->barker to point to the right
 378 * barker database entry. Subsequent calls to the function will result
 379 * in verifying that the same type of boot barker is returned when the
 380 * device [re]boots (as long as the same device instance is used).
 381 *
 382 * Return: 0 if @buf matches a known boot barker. -ENOENT if the
 383 *     buffer in @buf doesn't match any boot barker in the database or
 384 *     -EILSEQ if the buffer doesn't have the right size.
 385 */
 386int i2400m_is_boot_barker(struct i2400m *i2400m,
 387                          const void *buf, size_t buf_size)
 388{
 389        int result;
 390        struct device *dev = i2400m_dev(i2400m);
 391        struct i2400m_barker_db *barker;
 392        int i;
 393
 394        result = -ENOENT;
 395        if (buf_size != sizeof(i2400m_barker_db[i].data))
 396                return result;
 397
 398        /* Short circuit if we have already discovered the barker
 399         * associated with the device. */
 400        if (i2400m->barker &&
 401            !memcmp(buf, i2400m->barker, sizeof(i2400m->barker->data)))
 402                return 0;
 403
 404        for (i = 0; i < i2400m_barker_db_used; i++) {
 405                barker = &i2400m_barker_db[i];
 406                BUILD_BUG_ON(sizeof(barker->data) != 16);
 407                if (memcmp(buf, barker->data, sizeof(barker->data)))
 408                        continue;
 409
 410                if (i2400m->barker == NULL) {
 411                        i2400m->barker = barker;
 412                        d_printf(1, dev, "boot barker set to #%u/%08x\n",
 413                                 i, le32_to_cpu(barker->data[0]));
 414                        if (barker->data[0] == le32_to_cpu(I2400M_NBOOT_BARKER))
 415                                i2400m->sboot = 0;
 416                        else
 417                                i2400m->sboot = 1;
 418                } else if (i2400m->barker != barker) {
 419                        dev_err(dev, "HW inconsistency: device "
 420                                "reports a different boot barker "
 421                                "than set (from %08x to %08x)\n",
 422                                le32_to_cpu(i2400m->barker->data[0]),
 423                                le32_to_cpu(barker->data[0]));
 424                        result = -EIO;
 425                } else
 426                        d_printf(2, dev, "boot barker confirmed #%u/%08x\n",
 427                                 i, le32_to_cpu(barker->data[0]));
 428                result = 0;
 429                break;
 430        }
 431        return result;
 432}
 433EXPORT_SYMBOL_GPL(i2400m_is_boot_barker);
 434
 435
 436/*
 437 * Verify the ack data received
 438 *
 439 * Given a reply to a boot mode command, chew it and verify everything
 440 * is ok.
 441 *
 442 * @opcode: opcode which generated this ack. For error messages.
 443 * @ack: pointer to ack data we received
 444 * @ack_size: size of that data buffer
 445 * @flags: I2400M_BM_CMD_* flags we called the command with.
 446 *
 447 * Way too long function -- maybe it should be further split
 448 */
 449static
 450ssize_t __i2400m_bm_ack_verify(struct i2400m *i2400m, int opcode,
 451                               struct i2400m_bootrom_header *ack,
 452                               size_t ack_size, int flags)
 453{
 454        ssize_t result = -ENOMEM;
 455        struct device *dev = i2400m_dev(i2400m);
 456
 457        d_fnstart(8, dev, "(i2400m %p opcode %d ack %p size %zu)\n",
 458                  i2400m, opcode, ack, ack_size);
 459        if (ack_size < sizeof(*ack)) {
 460                result = -EIO;
 461                dev_err(dev, "boot-mode cmd %d: HW BUG? notification didn't "
 462                        "return enough data (%zu bytes vs %zu expected)\n",
 463                        opcode, ack_size, sizeof(*ack));
 464                goto error_ack_short;
 465        }
 466        result = i2400m_is_boot_barker(i2400m, ack, ack_size);
 467        if (result >= 0) {
 468                result = -ERESTARTSYS;
 469                d_printf(6, dev, "boot-mode cmd %d: HW boot barker\n", opcode);
 470                goto error_reboot;
 471        }
 472        if (ack_size == sizeof(i2400m_ACK_BARKER)
 473                 && memcmp(ack, i2400m_ACK_BARKER, sizeof(*ack)) == 0) {
 474                result = -EISCONN;
 475                d_printf(3, dev, "boot-mode cmd %d: HW reboot ack barker\n",
 476                         opcode);
 477                goto error_reboot_ack;
 478        }
 479        result = 0;
 480        if (flags & I2400M_BM_CMD_RAW)
 481                goto out_raw;
 482        ack->data_size = le32_to_cpu(ack->data_size);
 483        ack->target_addr = le32_to_cpu(ack->target_addr);
 484        ack->block_checksum = le32_to_cpu(ack->block_checksum);
 485        d_printf(5, dev, "boot-mode cmd %d: notification for opcode %u "
 486                 "response %u csum %u rr %u da %u\n",
 487                 opcode, i2400m_brh_get_opcode(ack),
 488                 i2400m_brh_get_response(ack),
 489                 i2400m_brh_get_use_checksum(ack),
 490                 i2400m_brh_get_response_required(ack),
 491                 i2400m_brh_get_direct_access(ack));
 492        result = -EIO;
 493        if (i2400m_brh_get_signature(ack) != 0xcbbc) {
 494                dev_err(dev, "boot-mode cmd %d: HW BUG? wrong signature "
 495                        "0x%04x\n", opcode, i2400m_brh_get_signature(ack));
 496                goto error_ack_signature;
 497        }
 498        if (opcode != -1 && opcode != i2400m_brh_get_opcode(ack)) {
 499                dev_err(dev, "boot-mode cmd %d: HW BUG? "
 500                        "received response for opcode %u, expected %u\n",
 501                        opcode, i2400m_brh_get_opcode(ack), opcode);
 502                goto error_ack_opcode;
 503        }
 504        if (i2400m_brh_get_response(ack) != 0) {        /* failed? */
 505                dev_err(dev, "boot-mode cmd %d: error; hw response %u\n",
 506                        opcode, i2400m_brh_get_response(ack));
 507                goto error_ack_failed;
 508        }
 509        if (ack_size < ack->data_size + sizeof(*ack)) {
 510                dev_err(dev, "boot-mode cmd %d: SW BUG "
 511                        "driver provided only %zu bytes for %zu bytes "
 512                        "of data\n", opcode, ack_size,
 513                        (size_t) le32_to_cpu(ack->data_size) + sizeof(*ack));
 514                goto error_ack_short_buffer;
 515        }
 516        result = ack_size;
 517        /* Don't you love this stack of empty targets? Well, I don't
 518         * either, but it helps track exactly who comes in here and
 519         * why :) */
 520error_ack_short_buffer:
 521error_ack_failed:
 522error_ack_opcode:
 523error_ack_signature:
 524out_raw:
 525error_reboot_ack:
 526error_reboot:
 527error_ack_short:
 528        d_fnend(8, dev, "(i2400m %p opcode %d ack %p size %zu) = %d\n",
 529                i2400m, opcode, ack, ack_size, (int) result);
 530        return result;
 531}
 532
 533
 534/**
 535 * i2400m_bm_cmd - Execute a boot mode command
 536 *
 537 * @cmd: buffer containing the command data (pointing at the header).
 538 *     This data can be ANYWHERE (for USB, we will copy it to an
 539 *     specific buffer). Make sure everything is in proper little
 540 *     endian.
 541 *
 542 *     A raw buffer can be also sent, just cast it and set flags to
 543 *     I2400M_BM_CMD_RAW.
 544 *
 545 *     This function will generate a checksum for you if the
 546 *     checksum bit in the command is set (unless I2400M_BM_CMD_RAW
 547 *     is set).
 548 *
 549 *     You can use the i2400m->bm_cmd_buf to stage your commands and
 550 *     send them.
 551 *
 552 *     If NULL, no command is sent (we just wait for an ack).
 553 *
 554 * @cmd_size: size of the command. Will be auto padded to the
 555 *     bus-specific drivers padding requirements.
 556 *
 557 * @ack: buffer where to place the acknowledgement. If it is a regular
 558 *     command response, all fields will be returned with the right,
 559 *     native endianess.
 560 *
 561 *     You *cannot* use i2400m->bm_ack_buf for this buffer.
 562 *
 563 * @ack_size: size of @ack, 16 aligned; you need to provide at least
 564 *     sizeof(*ack) bytes and then enough to contain the return data
 565 *     from the command
 566 *
 567 * @flags: see I2400M_BM_CMD_* above.
 568 *
 569 * @returns: bytes received by the notification; if < 0, an errno code
 570 *     denoting an error or:
 571 *
 572 *     -ERESTARTSYS  The device has rebooted
 573 *
 574 * Executes a boot-mode command and waits for a response, doing basic
 575 * validation on it; if a zero length response is received, it retries
 576 * waiting for a response until a non-zero one is received (timing out
 577 * after %I2400M_BOOT_RETRIES retries).
 578 */
 579static
 580ssize_t i2400m_bm_cmd(struct i2400m *i2400m,
 581                      const struct i2400m_bootrom_header *cmd, size_t cmd_size,
 582                      struct i2400m_bootrom_header *ack, size_t ack_size,
 583                      int flags)
 584{
 585        ssize_t result = -ENOMEM, rx_bytes;
 586        struct device *dev = i2400m_dev(i2400m);
 587        int opcode = cmd == NULL ? -1 : i2400m_brh_get_opcode(cmd);
 588
 589        d_fnstart(6, dev, "(i2400m %p cmd %p size %zu ack %p size %zu)\n",
 590                  i2400m, cmd, cmd_size, ack, ack_size);
 591        BUG_ON(ack_size < sizeof(*ack));
 592        BUG_ON(i2400m->boot_mode == 0);
 593
 594        if (cmd != NULL) {              /* send the command */
 595                result = i2400m->bus_bm_cmd_send(i2400m, cmd, cmd_size, flags);
 596                if (result < 0)
 597                        goto error_cmd_send;
 598                if ((flags & I2400M_BM_CMD_RAW) == 0)
 599                        d_printf(5, dev,
 600                                 "boot-mode cmd %d csum %u rr %u da %u: "
 601                                 "addr 0x%04x size %u block csum 0x%04x\n",
 602                                 opcode, i2400m_brh_get_use_checksum(cmd),
 603                                 i2400m_brh_get_response_required(cmd),
 604                                 i2400m_brh_get_direct_access(cmd),
 605                                 cmd->target_addr, cmd->data_size,
 606                                 cmd->block_checksum);
 607        }
 608        result = i2400m->bus_bm_wait_for_ack(i2400m, ack, ack_size);
 609        if (result < 0) {
 610                dev_err(dev, "boot-mode cmd %d: error waiting for an ack: %d\n",
 611                        opcode, (int) result);  /* bah, %zd doesn't work */
 612                goto error_wait_for_ack;
 613        }
 614        rx_bytes = result;
 615        /* verify the ack and read more if necessary [result is the
 616         * final amount of bytes we get in the ack]  */
 617        result = __i2400m_bm_ack_verify(i2400m, opcode, ack, ack_size, flags);
 618        if (result < 0)
 619                goto error_bad_ack;
 620        /* Don't you love this stack of empty targets? Well, I don't
 621         * either, but it helps track exactly who comes in here and
 622         * why :) */
 623        result = rx_bytes;
 624error_bad_ack:
 625error_wait_for_ack:
 626error_cmd_send:
 627        d_fnend(6, dev, "(i2400m %p cmd %p size %zu ack %p size %zu) = %d\n",
 628                i2400m, cmd, cmd_size, ack, ack_size, (int) result);
 629        return result;
 630}
 631
 632
 633/**
 634 * i2400m_download_chunk - write a single chunk of data to the device's memory
 635 *
 636 * @i2400m: device descriptor
 637 * @buf: the buffer to write
 638 * @buf_len: length of the buffer to write
 639 * @addr: address in the device memory space
 640 * @direct: bootrom write mode
 641 * @do_csum: should a checksum validation be performed
 642 */
 643static int i2400m_download_chunk(struct i2400m *i2400m, const void *chunk,
 644                                 size_t __chunk_len, unsigned long addr,
 645                                 unsigned int direct, unsigned int do_csum)
 646{
 647        int ret;
 648        size_t chunk_len = ALIGN(__chunk_len, I2400M_PL_ALIGN);
 649        struct device *dev = i2400m_dev(i2400m);
 650        struct {
 651                struct i2400m_bootrom_header cmd;
 652                u8 cmd_payload[];
 653        } __packed *buf;
 654        struct i2400m_bootrom_header ack;
 655
 656        d_fnstart(5, dev, "(i2400m %p chunk %p __chunk_len %zu addr 0x%08lx "
 657                  "direct %u do_csum %u)\n", i2400m, chunk, __chunk_len,
 658                  addr, direct, do_csum);
 659        buf = i2400m->bm_cmd_buf;
 660        memcpy(buf->cmd_payload, chunk, __chunk_len);
 661        memset(buf->cmd_payload + __chunk_len, 0xad, chunk_len - __chunk_len);
 662
 663        buf->cmd.command = i2400m_brh_command(I2400M_BRH_WRITE,
 664                                              __chunk_len & 0x3 ? 0 : do_csum,
 665                                              __chunk_len & 0xf ? 0 : direct);
 666        buf->cmd.target_addr = cpu_to_le32(addr);
 667        buf->cmd.data_size = cpu_to_le32(__chunk_len);
 668        ret = i2400m_bm_cmd(i2400m, &buf->cmd, sizeof(buf->cmd) + chunk_len,
 669                            &ack, sizeof(ack), 0);
 670        if (ret >= 0)
 671                ret = 0;
 672        d_fnend(5, dev, "(i2400m %p chunk %p __chunk_len %zu addr 0x%08lx "
 673                "direct %u do_csum %u) = %d\n", i2400m, chunk, __chunk_len,
 674                addr, direct, do_csum, ret);
 675        return ret;
 676}
 677
 678
 679/*
 680 * Download a BCF file's sections to the device
 681 *
 682 * @i2400m: device descriptor
 683 * @bcf: pointer to firmware data (first header followed by the
 684 *     payloads). Assumed verified and consistent.
 685 * @bcf_len: length (in bytes) of the @bcf buffer.
 686 *
 687 * Returns: < 0 errno code on error or the offset to the jump instruction.
 688 *
 689 * Given a BCF file, downloads each section (a command and a payload)
 690 * to the device's address space. Actually, it just executes each
 691 * command i the BCF file.
 692 *
 693 * The section size has to be aligned to 4 bytes AND the padding has
 694 * to be taken from the firmware file, as the signature takes it into
 695 * account.
 696 */
 697static
 698ssize_t i2400m_dnload_bcf(struct i2400m *i2400m,
 699                          const struct i2400m_bcf_hdr *bcf, size_t bcf_len)
 700{
 701        ssize_t ret;
 702        struct device *dev = i2400m_dev(i2400m);
 703        size_t offset,          /* iterator offset */
 704                data_size,      /* Size of the data payload */
 705                section_size,   /* Size of the whole section (cmd + payload) */
 706                section = 1;
 707        const struct i2400m_bootrom_header *bh;
 708        struct i2400m_bootrom_header ack;
 709
 710        d_fnstart(3, dev, "(i2400m %p bcf %p bcf_len %zu)\n",
 711                  i2400m, bcf, bcf_len);
 712        /* Iterate over the command blocks in the BCF file that start
 713         * after the header */
 714        offset = le32_to_cpu(bcf->header_len) * sizeof(u32);
 715        while (1) {     /* start sending the file */
 716                bh = (void *) bcf + offset;
 717                data_size = le32_to_cpu(bh->data_size);
 718                section_size = ALIGN(sizeof(*bh) + data_size, 4);
 719                d_printf(7, dev,
 720                         "downloading section #%zu (@%zu %zu B) to 0x%08x\n",
 721                         section, offset, sizeof(*bh) + data_size,
 722                         le32_to_cpu(bh->target_addr));
 723                /*
 724                 * We look for JUMP cmd from the bootmode header,
 725                 * either I2400M_BRH_SIGNED_JUMP for secure boot
 726                 * or I2400M_BRH_JUMP for unsecure boot, the last chunk
 727                 * should be the bootmode header with JUMP cmd.
 728                 */
 729                if (i2400m_brh_get_opcode(bh) == I2400M_BRH_SIGNED_JUMP ||
 730                        i2400m_brh_get_opcode(bh) == I2400M_BRH_JUMP) {
 731                        d_printf(5, dev,  "jump found @%zu\n", offset);
 732                        break;
 733                }
 734                if (offset + section_size > bcf_len) {
 735                        dev_err(dev, "fw %s: bad section #%zu, "
 736                                "end (@%zu) beyond EOF (@%zu)\n",
 737                                i2400m->fw_name, section,
 738                                offset + section_size,  bcf_len);
 739                        ret = -EINVAL;
 740                        goto error_section_beyond_eof;
 741                }
 742                __i2400m_msleep(20);
 743                ret = i2400m_bm_cmd(i2400m, bh, section_size,
 744                                    &ack, sizeof(ack), I2400M_BM_CMD_RAW);
 745                if (ret < 0) {
 746                        dev_err(dev, "fw %s: section #%zu (@%zu %zu B) "
 747                                "failed %d\n", i2400m->fw_name, section,
 748                                offset, sizeof(*bh) + data_size, (int) ret);
 749                        goto error_send;
 750                }
 751                offset += section_size;
 752                section++;
 753        }
 754        ret = offset;
 755error_section_beyond_eof:
 756error_send:
 757        d_fnend(3, dev, "(i2400m %p bcf %p bcf_len %zu) = %d\n",
 758                i2400m, bcf, bcf_len, (int) ret);
 759        return ret;
 760}
 761
 762
 763/*
 764 * Indicate if the device emitted a reboot barker that indicates
 765 * "signed boot"
 766 */
 767static
 768unsigned i2400m_boot_is_signed(struct i2400m *i2400m)
 769{
 770        return likely(i2400m->sboot);
 771}
 772
 773
 774/*
 775 * Do the final steps of uploading firmware
 776 *
 777 * @bcf_hdr: BCF header we are actually using
 778 * @bcf: pointer to the firmware image (which matches the first header
 779 *     that is followed by the actual payloads).
 780 * @offset: [byte] offset into @bcf for the command we need to send.
 781 *
 782 * Depending on the boot mode (signed vs non-signed), different
 783 * actions need to be taken.
 784 */
 785static
 786int i2400m_dnload_finalize(struct i2400m *i2400m,
 787                           const struct i2400m_bcf_hdr *bcf_hdr,
 788                           const struct i2400m_bcf_hdr *bcf, size_t offset)
 789{
 790        int ret = 0;
 791        struct device *dev = i2400m_dev(i2400m);
 792        struct i2400m_bootrom_header *cmd, ack;
 793        struct {
 794                struct i2400m_bootrom_header cmd;
 795                u8 cmd_pl[0];
 796        } __packed *cmd_buf;
 797        size_t signature_block_offset, signature_block_size;
 798
 799        d_fnstart(3, dev, "offset %zu\n", offset);
 800        cmd = (void *) bcf + offset;
 801        if (i2400m_boot_is_signed(i2400m) == 0) {
 802                struct i2400m_bootrom_header jump_ack;
 803                d_printf(1, dev, "unsecure boot, jumping to 0x%08x\n",
 804                        le32_to_cpu(cmd->target_addr));
 805                cmd_buf = i2400m->bm_cmd_buf;
 806                memcpy(&cmd_buf->cmd, cmd, sizeof(*cmd));
 807                cmd = &cmd_buf->cmd;
 808                /* now cmd points to the actual bootrom_header in cmd_buf */
 809                i2400m_brh_set_opcode(cmd, I2400M_BRH_JUMP);
 810                cmd->data_size = 0;
 811                ret = i2400m_bm_cmd(i2400m, cmd, sizeof(*cmd),
 812                                    &jump_ack, sizeof(jump_ack), 0);
 813        } else {
 814                d_printf(1, dev, "secure boot, jumping to 0x%08x\n",
 815                         le32_to_cpu(cmd->target_addr));
 816                cmd_buf = i2400m->bm_cmd_buf;
 817                memcpy(&cmd_buf->cmd, cmd, sizeof(*cmd));
 818                signature_block_offset =
 819                        sizeof(*bcf_hdr)
 820                        + le32_to_cpu(bcf_hdr->key_size) * sizeof(u32)
 821                        + le32_to_cpu(bcf_hdr->exponent_size) * sizeof(u32);
 822                signature_block_size =
 823                        le32_to_cpu(bcf_hdr->modulus_size) * sizeof(u32);
 824                memcpy(cmd_buf->cmd_pl,
 825                       (void *) bcf_hdr + signature_block_offset,
 826                       signature_block_size);
 827                ret = i2400m_bm_cmd(i2400m, &cmd_buf->cmd,
 828                                    sizeof(cmd_buf->cmd) + signature_block_size,
 829                                    &ack, sizeof(ack), I2400M_BM_CMD_RAW);
 830        }
 831        d_fnend(3, dev, "returning %d\n", ret);
 832        return ret;
 833}
 834
 835
 836/**
 837 * i2400m_bootrom_init - Reboots a powered device into boot mode
 838 *
 839 * @i2400m: device descriptor
 840 * @flags:
 841 *      I2400M_BRI_SOFT: a reboot barker has been seen
 842 *          already, so don't wait for it.
 843 *
 844 *      I2400M_BRI_NO_REBOOT: Don't send a reboot command, but wait
 845 *          for a reboot barker notification. This is a one shot; if
 846 *          the state machine needs to send a reboot command it will.
 847 *
 848 * Returns:
 849 *
 850 *     < 0 errno code on error, 0 if ok.
 851 *
 852 * Description:
 853 *
 854 * Tries hard enough to put the device in boot-mode. There are two
 855 * main phases to this:
 856 *
 857 * a. (1) send a reboot command and (2) get a reboot barker
 858 *
 859 * b. (1) echo/ack the reboot sending the reboot barker back and (2)
 860 *        getting an ack barker in return
 861 *
 862 * We want to skip (a) in some cases [soft]. The state machine is
 863 * horrible, but it is basically: on each phase, send what has to be
 864 * sent (if any), wait for the answer and act on the answer. We might
 865 * have to backtrack and retry, so we keep a max tries counter for
 866 * that.
 867 *
 868 * It sucks because we don't know ahead of time which is going to be
 869 * the reboot barker (the device might send different ones depending
 870 * on its EEPROM config) and once the device reboots and waits for the
 871 * echo/ack reboot barker being sent back, it doesn't understand
 872 * anything else. So we can be left at the point where we don't know
 873 * what to send to it -- cold reset and bus reset seem to have little
 874 * effect. So the function iterates (in this case) through all the
 875 * known barkers and tries them all until an ACK is
 876 * received. Otherwise, it gives up.
 877 *
 878 * If we get a timeout after sending a warm reset, we do it again.
 879 */
 880int i2400m_bootrom_init(struct i2400m *i2400m, enum i2400m_bri flags)
 881{
 882        int result;
 883        struct device *dev = i2400m_dev(i2400m);
 884        struct i2400m_bootrom_header *cmd;
 885        struct i2400m_bootrom_header ack;
 886        int count = i2400m->bus_bm_retries;
 887        int ack_timeout_cnt = 1;
 888        unsigned i;
 889
 890        BUILD_BUG_ON(sizeof(*cmd) != sizeof(i2400m_barker_db[0].data));
 891        BUILD_BUG_ON(sizeof(ack) != sizeof(i2400m_ACK_BARKER));
 892
 893        d_fnstart(4, dev, "(i2400m %p flags 0x%08x)\n", i2400m, flags);
 894        result = -ENOMEM;
 895        cmd = i2400m->bm_cmd_buf;
 896        if (flags & I2400M_BRI_SOFT)
 897                goto do_reboot_ack;
 898do_reboot:
 899        ack_timeout_cnt = 1;
 900        if (--count < 0)
 901                goto error_timeout;
 902        d_printf(4, dev, "device reboot: reboot command [%d # left]\n",
 903                 count);
 904        if ((flags & I2400M_BRI_NO_REBOOT) == 0)
 905                i2400m_reset(i2400m, I2400M_RT_WARM);
 906        result = i2400m_bm_cmd(i2400m, NULL, 0, &ack, sizeof(ack),
 907                               I2400M_BM_CMD_RAW);
 908        flags &= ~I2400M_BRI_NO_REBOOT;
 909        switch (result) {
 910        case -ERESTARTSYS:
 911                /*
 912                 * at this point, i2400m_bm_cmd(), through
 913                 * __i2400m_bm_ack_process(), has updated
 914                 * i2400m->barker and we are good to go.
 915                 */
 916                d_printf(4, dev, "device reboot: got reboot barker\n");
 917                break;
 918        case -EISCONN:  /* we don't know how it got here...but we follow it */
 919                d_printf(4, dev, "device reboot: got ack barker - whatever\n");
 920                goto do_reboot;
 921        case -ETIMEDOUT:
 922                /*
 923                 * Device has timed out, we might be in boot mode
 924                 * already and expecting an ack; if we don't know what
 925                 * the barker is, we just send them all. Cold reset
 926                 * and bus reset don't work. Beats me.
 927                 */
 928                if (i2400m->barker != NULL) {
 929                        dev_err(dev, "device boot: reboot barker timed out, "
 930                                "trying (set) %08x echo/ack\n",
 931                                le32_to_cpu(i2400m->barker->data[0]));
 932                        goto do_reboot_ack;
 933                }
 934                for (i = 0; i < i2400m_barker_db_used; i++) {
 935                        struct i2400m_barker_db *barker = &i2400m_barker_db[i];
 936                        memcpy(cmd, barker->data, sizeof(barker->data));
 937                        result = i2400m_bm_cmd(i2400m, cmd, sizeof(*cmd),
 938                                               &ack, sizeof(ack),
 939                                               I2400M_BM_CMD_RAW);
 940                        if (result == -EISCONN) {
 941                                dev_warn(dev, "device boot: got ack barker "
 942                                         "after sending echo/ack barker "
 943                                         "#%d/%08x; rebooting j.i.c.\n",
 944                                         i, le32_to_cpu(barker->data[0]));
 945                                flags &= ~I2400M_BRI_NO_REBOOT;
 946                                goto do_reboot;
 947                        }
 948                }
 949                dev_err(dev, "device boot: tried all the echo/acks, could "
 950                        "not get device to respond; giving up");
 951                result = -ESHUTDOWN;
 952        case -EPROTO:
 953        case -ESHUTDOWN:        /* dev is gone */
 954        case -EINTR:            /* user cancelled */
 955                goto error_dev_gone;
 956        default:
 957                dev_err(dev, "device reboot: error %d while waiting "
 958                        "for reboot barker - rebooting\n", result);
 959                d_dump(1, dev, &ack, result);
 960                goto do_reboot;
 961        }
 962        /* At this point we ack back with 4 REBOOT barkers and expect
 963         * 4 ACK barkers. This is ugly, as we send a raw command --
 964         * hence the cast. _bm_cmd() will catch the reboot ack
 965         * notification and report it as -EISCONN. */
 966do_reboot_ack:
 967        d_printf(4, dev, "device reboot ack: sending ack [%d # left]\n", count);
 968        memcpy(cmd, i2400m->barker->data, sizeof(i2400m->barker->data));
 969        result = i2400m_bm_cmd(i2400m, cmd, sizeof(*cmd),
 970                               &ack, sizeof(ack), I2400M_BM_CMD_RAW);
 971        switch (result) {
 972        case -ERESTARTSYS:
 973                d_printf(4, dev, "reboot ack: got reboot barker - retrying\n");
 974                if (--count < 0)
 975                        goto error_timeout;
 976                goto do_reboot_ack;
 977        case -EISCONN:
 978                d_printf(4, dev, "reboot ack: got ack barker - good\n");
 979                break;
 980        case -ETIMEDOUT:        /* no response, maybe it is the other type? */
 981                if (ack_timeout_cnt-- < 0) {
 982                        d_printf(4, dev, "reboot ack timedout: retrying\n");
 983                        goto do_reboot_ack;
 984                } else {
 985                        dev_err(dev, "reboot ack timedout too long: "
 986                                "trying reboot\n");
 987                        goto do_reboot;
 988                }
 989                break;
 990        case -EPROTO:
 991        case -ESHUTDOWN:        /* dev is gone */
 992                goto error_dev_gone;
 993        default:
 994                dev_err(dev, "device reboot ack: error %d while waiting for "
 995                        "reboot ack barker - rebooting\n", result);
 996                goto do_reboot;
 997        }
 998        d_printf(2, dev, "device reboot ack: got ack barker - boot done\n");
 999        result = 0;
1000exit_timeout:
1001error_dev_gone:
1002        d_fnend(4, dev, "(i2400m %p flags 0x%08x) = %d\n",
1003                i2400m, flags, result);
1004        return result;
1005
1006error_timeout:
1007        dev_err(dev, "Timed out waiting for reboot ack\n");
1008        result = -ETIMEDOUT;
1009        goto exit_timeout;
1010}
1011
1012
1013/*
1014 * Read the MAC addr
1015 *
1016 * The position this function reads is fixed in device memory and
1017 * always available, even without firmware.
1018 *
1019 * Note we specify we want to read only six bytes, but provide space
1020 * for 16, as we always get it rounded up.
1021 */
1022int i2400m_read_mac_addr(struct i2400m *i2400m)
1023{
1024        int result;
1025        struct device *dev = i2400m_dev(i2400m);
1026        struct net_device *net_dev = i2400m->wimax_dev.net_dev;
1027        struct i2400m_bootrom_header *cmd;
1028        struct {
1029                struct i2400m_bootrom_header ack;
1030                u8 ack_pl[16];
1031        } __packed ack_buf;
1032
1033        d_fnstart(5, dev, "(i2400m %p)\n", i2400m);
1034        cmd = i2400m->bm_cmd_buf;
1035        cmd->command = i2400m_brh_command(I2400M_BRH_READ, 0, 1);
1036        cmd->target_addr = cpu_to_le32(0x00203fe8);
1037        cmd->data_size = cpu_to_le32(6);
1038        result = i2400m_bm_cmd(i2400m, cmd, sizeof(*cmd),
1039                               &ack_buf.ack, sizeof(ack_buf), 0);
1040        if (result < 0) {
1041                dev_err(dev, "BM: read mac addr failed: %d\n", result);
1042                goto error_read_mac;
1043        }
1044        d_printf(2, dev, "mac addr is %pM\n", ack_buf.ack_pl);
1045        if (i2400m->bus_bm_mac_addr_impaired == 1) {
1046                ack_buf.ack_pl[0] = 0x00;
1047                ack_buf.ack_pl[1] = 0x16;
1048                ack_buf.ack_pl[2] = 0xd3;
1049                get_random_bytes(&ack_buf.ack_pl[3], 3);
1050                dev_err(dev, "BM is MAC addr impaired, faking MAC addr to "
1051                        "mac addr is %pM\n", ack_buf.ack_pl);
1052                result = 0;
1053        }
1054        net_dev->addr_len = ETH_ALEN;
1055        memcpy(net_dev->dev_addr, ack_buf.ack_pl, ETH_ALEN);
1056error_read_mac:
1057        d_fnend(5, dev, "(i2400m %p) = %d\n", i2400m, result);
1058        return result;
1059}
1060
1061
1062/*
1063 * Initialize a non signed boot
1064 *
1065 * This implies sending some magic values to the device's memory. Note
1066 * we convert the values to little endian in the same array
1067 * declaration.
1068 */
1069static
1070int i2400m_dnload_init_nonsigned(struct i2400m *i2400m)
1071{
1072        unsigned i = 0;
1073        int ret = 0;
1074        struct device *dev = i2400m_dev(i2400m);
1075        d_fnstart(5, dev, "(i2400m %p)\n", i2400m);
1076        if (i2400m->bus_bm_pokes_table) {
1077                while (i2400m->bus_bm_pokes_table[i].address) {
1078                        ret = i2400m_download_chunk(
1079                                i2400m,
1080                                &i2400m->bus_bm_pokes_table[i].data,
1081                                sizeof(i2400m->bus_bm_pokes_table[i].data),
1082                                i2400m->bus_bm_pokes_table[i].address, 1, 1);
1083                        if (ret < 0)
1084                                break;
1085                        i++;
1086                }
1087        }
1088        d_fnend(5, dev, "(i2400m %p) = %d\n", i2400m, ret);
1089        return ret;
1090}
1091
1092
1093/*
1094 * Initialize the signed boot process
1095 *
1096 * @i2400m: device descriptor
1097 *
1098 * @bcf_hdr: pointer to the firmware header; assumes it is fully in
1099 *     memory (it has gone through basic validation).
1100 *
1101 * Returns: 0 if ok, < 0 errno code on error, -ERESTARTSYS if the hw
1102 *     rebooted.
1103 *
1104 * This writes the firmware BCF header to the device using the
1105 * HASH_PAYLOAD_ONLY command.
1106 */
1107static
1108int i2400m_dnload_init_signed(struct i2400m *i2400m,
1109                              const struct i2400m_bcf_hdr *bcf_hdr)
1110{
1111        int ret;
1112        struct device *dev = i2400m_dev(i2400m);
1113        struct {
1114                struct i2400m_bootrom_header cmd;
1115                struct i2400m_bcf_hdr cmd_pl;
1116        } __packed *cmd_buf;
1117        struct i2400m_bootrom_header ack;
1118
1119        d_fnstart(5, dev, "(i2400m %p bcf_hdr %p)\n", i2400m, bcf_hdr);
1120        cmd_buf = i2400m->bm_cmd_buf;
1121        cmd_buf->cmd.command =
1122                i2400m_brh_command(I2400M_BRH_HASH_PAYLOAD_ONLY, 0, 0);
1123        cmd_buf->cmd.target_addr = 0;
1124        cmd_buf->cmd.data_size = cpu_to_le32(sizeof(cmd_buf->cmd_pl));
1125        memcpy(&cmd_buf->cmd_pl, bcf_hdr, sizeof(*bcf_hdr));
1126        ret = i2400m_bm_cmd(i2400m, &cmd_buf->cmd, sizeof(*cmd_buf),
1127                            &ack, sizeof(ack), 0);
1128        if (ret >= 0)
1129                ret = 0;
1130        d_fnend(5, dev, "(i2400m %p bcf_hdr %p) = %d\n", i2400m, bcf_hdr, ret);
1131        return ret;
1132}
1133
1134
1135/*
1136 * Initialize the firmware download at the device size
1137 *
1138 * Multiplex to the one that matters based on the device's mode
1139 * (signed or non-signed).
1140 */
1141static
1142int i2400m_dnload_init(struct i2400m *i2400m,
1143                       const struct i2400m_bcf_hdr *bcf_hdr)
1144{
1145        int result;
1146        struct device *dev = i2400m_dev(i2400m);
1147
1148        if (i2400m_boot_is_signed(i2400m)) {
1149                d_printf(1, dev, "signed boot\n");
1150                result = i2400m_dnload_init_signed(i2400m, bcf_hdr);
1151                if (result == -ERESTARTSYS)
1152                        return result;
1153                if (result < 0)
1154                        dev_err(dev, "firmware %s: signed boot download "
1155                                "initialization failed: %d\n",
1156                                i2400m->fw_name, result);
1157        } else {
1158                /* non-signed boot process without pokes */
1159                d_printf(1, dev, "non-signed boot\n");
1160                result = i2400m_dnload_init_nonsigned(i2400m);
1161                if (result == -ERESTARTSYS)
1162                        return result;
1163                if (result < 0)
1164                        dev_err(dev, "firmware %s: non-signed download "
1165                                "initialization failed: %d\n",
1166                                i2400m->fw_name, result);
1167        }
1168        return result;
1169}
1170
1171
1172/*
1173 * Run consistency tests on the firmware file and load up headers
1174 *
1175 * Check for the firmware being made for the i2400m device,
1176 * etc...These checks are mostly informative, as the device will make
1177 * them too; but the driver's response is more informative on what
1178 * went wrong.
1179 *
1180 * This will also look at all the headers present on the firmware
1181 * file, and update i2400m->fw_bcf_hdr to point to them.
1182 */
1183static
1184int i2400m_fw_hdr_check(struct i2400m *i2400m,
1185                        const struct i2400m_bcf_hdr *bcf_hdr,
1186                        size_t index, size_t offset)
1187{
1188        struct device *dev = i2400m_dev(i2400m);
1189
1190        unsigned module_type, header_len, major_version, minor_version,
1191                module_id, module_vendor, date, size;
1192
1193        module_type = le32_to_cpu(bcf_hdr->module_type);
1194        header_len = sizeof(u32) * le32_to_cpu(bcf_hdr->header_len);
1195        major_version = (le32_to_cpu(bcf_hdr->header_version) & 0xffff0000)
1196                >> 16;
1197        minor_version = le32_to_cpu(bcf_hdr->header_version) & 0x0000ffff;
1198        module_id = le32_to_cpu(bcf_hdr->module_id);
1199        module_vendor = le32_to_cpu(bcf_hdr->module_vendor);
1200        date = le32_to_cpu(bcf_hdr->date);
1201        size = sizeof(u32) * le32_to_cpu(bcf_hdr->size);
1202
1203        d_printf(1, dev, "firmware %s #%zd@%08zx: BCF header "
1204                 "type:vendor:id 0x%x:%x:%x v%u.%u (%u/%u B) built %08x\n",
1205                 i2400m->fw_name, index, offset,
1206                 module_type, module_vendor, module_id,
1207                 major_version, minor_version, header_len, size, date);
1208
1209        /* Hard errors */
1210        if (major_version != 1) {
1211                dev_err(dev, "firmware %s #%zd@%08zx: major header version "
1212                        "v%u.%u not supported\n",
1213                        i2400m->fw_name, index, offset,
1214                        major_version, minor_version);
1215                return -EBADF;
1216        }
1217
1218        if (module_type != 6) {         /* built for the right hardware? */
1219                dev_err(dev, "firmware %s #%zd@%08zx: unexpected module "
1220                        "type 0x%x; aborting\n",
1221                        i2400m->fw_name, index, offset,
1222                        module_type);
1223                return -EBADF;
1224        }
1225
1226        if (module_vendor != 0x8086) {
1227                dev_err(dev, "firmware %s #%zd@%08zx: unexpected module "
1228                        "vendor 0x%x; aborting\n",
1229                        i2400m->fw_name, index, offset, module_vendor);
1230                return -EBADF;
1231        }
1232
1233        if (date < 0x20080300)
1234                dev_warn(dev, "firmware %s #%zd@%08zx: build date %08x "
1235                         "too old; unsupported\n",
1236                         i2400m->fw_name, index, offset, date);
1237        return 0;
1238}
1239
1240
1241/*
1242 * Run consistency tests on the firmware file and load up headers
1243 *
1244 * Check for the firmware being made for the i2400m device,
1245 * etc...These checks are mostly informative, as the device will make
1246 * them too; but the driver's response is more informative on what
1247 * went wrong.
1248 *
1249 * This will also look at all the headers present on the firmware
1250 * file, and update i2400m->fw_hdrs to point to them.
1251 */
1252static
1253int i2400m_fw_check(struct i2400m *i2400m, const void *bcf, size_t bcf_size)
1254{
1255        int result;
1256        struct device *dev = i2400m_dev(i2400m);
1257        size_t headers = 0;
1258        const struct i2400m_bcf_hdr *bcf_hdr;
1259        const void *itr, *next, *top;
1260        size_t slots = 0, used_slots = 0;
1261
1262        for (itr = bcf, top = itr + bcf_size;
1263             itr < top;
1264             headers++, itr = next) {
1265                size_t leftover, offset, header_len, size;
1266
1267                leftover = top - itr;
1268                offset = itr - bcf;
1269                if (leftover <= sizeof(*bcf_hdr)) {
1270                        dev_err(dev, "firmware %s: %zu B left at @%zx, "
1271                                "not enough for BCF header\n",
1272                                i2400m->fw_name, leftover, offset);
1273                        break;
1274                }
1275                bcf_hdr = itr;
1276                /* Only the first header is supposed to be followed by
1277                 * payload */
1278                header_len = sizeof(u32) * le32_to_cpu(bcf_hdr->header_len);
1279                size = sizeof(u32) * le32_to_cpu(bcf_hdr->size);
1280                if (headers == 0)
1281                        next = itr + size;
1282                else
1283                        next = itr + header_len;
1284
1285                result = i2400m_fw_hdr_check(i2400m, bcf_hdr, headers, offset);
1286                if (result < 0)
1287                        continue;
1288                if (used_slots + 1 >= slots) {
1289                        /* +1 -> we need to account for the one we'll
1290                         * occupy and at least an extra one for
1291                         * always being NULL */
1292                        result = i2400m_zrealloc_2x(
1293                                (void **) &i2400m->fw_hdrs, &slots,
1294                                sizeof(i2400m->fw_hdrs[0]),
1295                                GFP_KERNEL);
1296                        if (result < 0)
1297                                goto error_zrealloc;
1298                }
1299                i2400m->fw_hdrs[used_slots] = bcf_hdr;
1300                used_slots++;
1301        }
1302        if (headers == 0) {
1303                dev_err(dev, "firmware %s: no usable headers found\n",
1304                        i2400m->fw_name);
1305                result = -EBADF;
1306        } else
1307                result = 0;
1308error_zrealloc:
1309        return result;
1310}
1311
1312
1313/*
1314 * Match a barker to a BCF header module ID
1315 *
1316 * The device sends a barker which tells the firmware loader which
1317 * header in the BCF file has to be used. This does the matching.
1318 */
1319static
1320unsigned i2400m_bcf_hdr_match(struct i2400m *i2400m,
1321                              const struct i2400m_bcf_hdr *bcf_hdr)
1322{
1323        u32 barker = le32_to_cpu(i2400m->barker->data[0])
1324                & 0x7fffffff;
1325        u32 module_id = le32_to_cpu(bcf_hdr->module_id)
1326                & 0x7fffffff;   /* high bit used for something else */
1327
1328        /* special case for 5x50 */
1329        if (barker == I2400M_SBOOT_BARKER && module_id == 0)
1330                return 1;
1331        if (module_id == barker)
1332                return 1;
1333        return 0;
1334}
1335
1336static
1337const struct i2400m_bcf_hdr *i2400m_bcf_hdr_find(struct i2400m *i2400m)
1338{
1339        struct device *dev = i2400m_dev(i2400m);
1340        const struct i2400m_bcf_hdr **bcf_itr, *bcf_hdr;
1341        unsigned i = 0;
1342        u32 barker = le32_to_cpu(i2400m->barker->data[0]);
1343
1344        d_printf(2, dev, "finding BCF header for barker %08x\n", barker);
1345        if (barker == I2400M_NBOOT_BARKER) {
1346                bcf_hdr = i2400m->fw_hdrs[0];
1347                d_printf(1, dev, "using BCF header #%u/%08x for non-signed "
1348                         "barker\n", 0, le32_to_cpu(bcf_hdr->module_id));
1349                return bcf_hdr;
1350        }
1351        for (bcf_itr = i2400m->fw_hdrs; *bcf_itr != NULL; bcf_itr++, i++) {
1352                bcf_hdr = *bcf_itr;
1353                if (i2400m_bcf_hdr_match(i2400m, bcf_hdr)) {
1354                        d_printf(1, dev, "hit on BCF hdr #%u/%08x\n",
1355                                 i, le32_to_cpu(bcf_hdr->module_id));
1356                        return bcf_hdr;
1357                } else
1358                        d_printf(1, dev, "miss on BCF hdr #%u/%08x\n",
1359                                 i, le32_to_cpu(bcf_hdr->module_id));
1360        }
1361        dev_err(dev, "cannot find a matching BCF header for barker %08x\n",
1362                barker);
1363        return NULL;
1364}
1365
1366
1367/*
1368 * Download the firmware to the device
1369 *
1370 * @i2400m: device descriptor
1371 * @bcf: pointer to loaded (and minimally verified for consistency)
1372 *    firmware
1373 * @bcf_size: size of the @bcf buffer (header plus payloads)
1374 *
1375 * The process for doing this is described in this file's header.
1376 *
1377 * Note we only reinitialize boot-mode if the flags say so. Some hw
1378 * iterations need it, some don't. In any case, if we loop, we always
1379 * need to reinitialize the boot room, hence the flags modification.
1380 */
1381static
1382int i2400m_fw_dnload(struct i2400m *i2400m, const struct i2400m_bcf_hdr *bcf,
1383                     size_t fw_size, enum i2400m_bri flags)
1384{
1385        int ret = 0;
1386        struct device *dev = i2400m_dev(i2400m);
1387        int count = i2400m->bus_bm_retries;
1388        const struct i2400m_bcf_hdr *bcf_hdr;
1389        size_t bcf_size;
1390
1391        d_fnstart(5, dev, "(i2400m %p bcf %p fw size %zu)\n",
1392                  i2400m, bcf, fw_size);
1393        i2400m->boot_mode = 1;
1394        wmb();          /* Make sure other readers see it */
1395hw_reboot:
1396        if (count-- == 0) {
1397                ret = -ERESTARTSYS;
1398                dev_err(dev, "device rebooted too many times, aborting\n");
1399                goto error_too_many_reboots;
1400        }
1401        if (flags & I2400M_BRI_MAC_REINIT) {
1402                ret = i2400m_bootrom_init(i2400m, flags);
1403                if (ret < 0) {
1404                        dev_err(dev, "bootrom init failed: %d\n", ret);
1405                        goto error_bootrom_init;
1406                }
1407        }
1408        flags |= I2400M_BRI_MAC_REINIT;
1409
1410        /*
1411         * Initialize the download, push the bytes to the device and
1412         * then jump to the new firmware. Note @ret is passed with the
1413         * offset of the jump instruction to _dnload_finalize()
1414         *
1415         * Note we need to use the BCF header in the firmware image
1416         * that matches the barker that the device sent when it
1417         * rebooted, so it has to be passed along.
1418         */
1419        ret = -EBADF;
1420        bcf_hdr = i2400m_bcf_hdr_find(i2400m);
1421        if (bcf_hdr == NULL)
1422                goto error_bcf_hdr_find;
1423
1424        ret = i2400m_dnload_init(i2400m, bcf_hdr);
1425        if (ret == -ERESTARTSYS)
1426                goto error_dev_rebooted;
1427        if (ret < 0)
1428                goto error_dnload_init;
1429
1430        /*
1431         * bcf_size refers to one header size plus the fw sections size
1432         * indicated by the header,ie. if there are other extended headers
1433         * at the tail, they are not counted
1434         */
1435        bcf_size = sizeof(u32) * le32_to_cpu(bcf_hdr->size);
1436        ret = i2400m_dnload_bcf(i2400m, bcf, bcf_size);
1437        if (ret == -ERESTARTSYS)
1438                goto error_dev_rebooted;
1439        if (ret < 0) {
1440                dev_err(dev, "fw %s: download failed: %d\n",
1441                        i2400m->fw_name, ret);
1442                goto error_dnload_bcf;
1443        }
1444
1445        ret = i2400m_dnload_finalize(i2400m, bcf_hdr, bcf, ret);
1446        if (ret == -ERESTARTSYS)
1447                goto error_dev_rebooted;
1448        if (ret < 0) {
1449                dev_err(dev, "fw %s: "
1450                        "download finalization failed: %d\n",
1451                        i2400m->fw_name, ret);
1452                goto error_dnload_finalize;
1453        }
1454
1455        d_printf(2, dev, "fw %s successfully uploaded\n",
1456                 i2400m->fw_name);
1457        i2400m->boot_mode = 0;
1458        wmb();          /* Make sure i2400m_msg_to_dev() sees boot_mode */
1459error_dnload_finalize:
1460error_dnload_bcf:
1461error_dnload_init:
1462error_bcf_hdr_find:
1463error_bootrom_init:
1464error_too_many_reboots:
1465        d_fnend(5, dev, "(i2400m %p bcf %p size %zu) = %d\n",
1466                i2400m, bcf, fw_size, ret);
1467        return ret;
1468
1469error_dev_rebooted:
1470        dev_err(dev, "device rebooted, %d tries left\n", count);
1471        /* we got the notification already, no need to wait for it again */
1472        flags |= I2400M_BRI_SOFT;
1473        goto hw_reboot;
1474}
1475
1476static
1477int i2400m_fw_bootstrap(struct i2400m *i2400m, const struct firmware *fw,
1478                        enum i2400m_bri flags)
1479{
1480        int ret;
1481        struct device *dev = i2400m_dev(i2400m);
1482        const struct i2400m_bcf_hdr *bcf;       /* Firmware data */
1483
1484        d_fnstart(5, dev, "(i2400m %p)\n", i2400m);
1485        bcf = (void *) fw->data;
1486        ret = i2400m_fw_check(i2400m, bcf, fw->size);
1487        if (ret >= 0)
1488                ret = i2400m_fw_dnload(i2400m, bcf, fw->size, flags);
1489        if (ret < 0)
1490                dev_err(dev, "%s: cannot use: %d, skipping\n",
1491                        i2400m->fw_name, ret);
1492        kfree(i2400m->fw_hdrs);
1493        i2400m->fw_hdrs = NULL;
1494        d_fnend(5, dev, "(i2400m %p) = %d\n", i2400m, ret);
1495        return ret;
1496}
1497
1498
1499/* Refcounted container for firmware data */
1500struct i2400m_fw {
1501        struct kref kref;
1502        const struct firmware *fw;
1503};
1504
1505
1506static
1507void i2400m_fw_destroy(struct kref *kref)
1508{
1509        struct i2400m_fw *i2400m_fw =
1510                container_of(kref, struct i2400m_fw, kref);
1511        release_firmware(i2400m_fw->fw);
1512        kfree(i2400m_fw);
1513}
1514
1515
1516static
1517struct i2400m_fw *i2400m_fw_get(struct i2400m_fw *i2400m_fw)
1518{
1519        if (i2400m_fw != NULL && i2400m_fw != (void *) ~0)
1520                kref_get(&i2400m_fw->kref);
1521        return i2400m_fw;
1522}
1523
1524
1525static
1526void i2400m_fw_put(struct i2400m_fw *i2400m_fw)
1527{
1528        kref_put(&i2400m_fw->kref, i2400m_fw_destroy);
1529}
1530
1531
1532/**
1533 * i2400m_dev_bootstrap - Bring the device to a known state and upload firmware
1534 *
1535 * @i2400m: device descriptor
1536 *
1537 * Returns: >= 0 if ok, < 0 errno code on error.
1538 *
1539 * This sets up the firmware upload environment, loads the firmware
1540 * file from disk, verifies and then calls the firmware upload process
1541 * per se.
1542 *
1543 * Can be called either from probe, or after a warm reset.  Can not be
1544 * called from within an interrupt.  All the flow in this code is
1545 * single-threade; all I/Os are synchronous.
1546 */
1547int i2400m_dev_bootstrap(struct i2400m *i2400m, enum i2400m_bri flags)
1548{
1549        int ret, itr;
1550        struct device *dev = i2400m_dev(i2400m);
1551        struct i2400m_fw *i2400m_fw;
1552        const struct firmware *fw;
1553        const char *fw_name;
1554
1555        d_fnstart(5, dev, "(i2400m %p)\n", i2400m);
1556
1557        ret = -ENODEV;
1558        spin_lock(&i2400m->rx_lock);
1559        i2400m_fw = i2400m_fw_get(i2400m->fw_cached);
1560        spin_unlock(&i2400m->rx_lock);
1561        if (i2400m_fw == (void *) ~0) {
1562                dev_err(dev, "can't load firmware now!");
1563                goto out;
1564        } else if (i2400m_fw != NULL) {
1565                dev_info(dev, "firmware %s: loading from cache\n",
1566                         i2400m->fw_name);
1567                ret = i2400m_fw_bootstrap(i2400m, i2400m_fw->fw, flags);
1568                i2400m_fw_put(i2400m_fw);
1569                goto out;
1570        }
1571
1572        /* Load firmware files to memory. */
1573        for (itr = 0, ret = -ENOENT; ; itr++) {
1574                fw_name = i2400m->bus_fw_names[itr];
1575                if (fw_name == NULL) {
1576                        dev_err(dev, "Could not find a usable firmware image\n");
1577                        break;
1578                }
1579                d_printf(1, dev, "trying firmware %s (%d)\n", fw_name, itr);
1580                ret = request_firmware(&fw, fw_name, dev);
1581                if (ret < 0) {
1582                        dev_err(dev, "fw %s: cannot load file: %d\n",
1583                                fw_name, ret);
1584                        continue;
1585                }
1586                i2400m->fw_name = fw_name;
1587                ret = i2400m_fw_bootstrap(i2400m, fw, flags);
1588                release_firmware(fw);
1589                if (ret >= 0)   /* firmware loaded successfully */
1590                        break;
1591                i2400m->fw_name = NULL;
1592        }
1593out:
1594        d_fnend(5, dev, "(i2400m %p) = %d\n", i2400m, ret);
1595        return ret;
1596}
1597EXPORT_SYMBOL_GPL(i2400m_dev_bootstrap);
1598
1599
1600void i2400m_fw_cache(struct i2400m *i2400m)
1601{
1602        int result;
1603        struct i2400m_fw *i2400m_fw;
1604        struct device *dev = i2400m_dev(i2400m);
1605
1606        /* if there is anything there, free it -- now, this'd be weird */
1607        spin_lock(&i2400m->rx_lock);
1608        i2400m_fw = i2400m->fw_cached;
1609        spin_unlock(&i2400m->rx_lock);
1610        if (i2400m_fw != NULL && i2400m_fw != (void *) ~0) {
1611                i2400m_fw_put(i2400m_fw);
1612                WARN(1, "%s:%u: still cached fw still present?\n",
1613                     __func__, __LINE__);
1614        }
1615
1616        if (i2400m->fw_name == NULL) {
1617                dev_err(dev, "firmware n/a: can't cache\n");
1618                i2400m_fw = (void *) ~0;
1619                goto out;
1620        }
1621
1622        i2400m_fw = kzalloc(sizeof(*i2400m_fw), GFP_ATOMIC);
1623        if (i2400m_fw == NULL)
1624                goto out;
1625        kref_init(&i2400m_fw->kref);
1626        result = request_firmware(&i2400m_fw->fw, i2400m->fw_name, dev);
1627        if (result < 0) {
1628                dev_err(dev, "firmware %s: failed to cache: %d\n",
1629                        i2400m->fw_name, result);
1630                kfree(i2400m_fw);
1631                i2400m_fw = (void *) ~0;
1632        } else
1633                dev_info(dev, "firmware %s: cached\n", i2400m->fw_name);
1634out:
1635        spin_lock(&i2400m->rx_lock);
1636        i2400m->fw_cached = i2400m_fw;
1637        spin_unlock(&i2400m->rx_lock);
1638}
1639
1640
1641void i2400m_fw_uncache(struct i2400m *i2400m)
1642{
1643        struct i2400m_fw *i2400m_fw;
1644
1645        spin_lock(&i2400m->rx_lock);
1646        i2400m_fw = i2400m->fw_cached;
1647        i2400m->fw_cached = NULL;
1648        spin_unlock(&i2400m->rx_lock);
1649
1650        if (i2400m_fw != NULL && i2400m_fw != (void *) ~0)
1651                i2400m_fw_put(i2400m_fw);
1652}
1653
1654