3 * Bluetooth HCI UART driver for Intel devices
5 * Copyright (C) 2015 Intel Corporation
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 #include <linux/kernel.h>
25 #include <linux/errno.h>
26 #include <linux/skbuff.h>
27 #include <linux/firmware.h>
28 #include <linux/module.h>
29 #include <linux/wait.h>
30 #include <linux/tty.h>
31 #include <linux/platform_device.h>
32 #include <linux/gpio/consumer.h>
33 #include <linux/acpi.h>
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
41 #define STATE_BOOTLOADER 0
42 #define STATE_DOWNLOADING 1
43 #define STATE_FIRMWARE_LOADED 2
44 #define STATE_FIRMWARE_FAILED 3
45 #define STATE_BOOTING 4
48 struct list_head list
;
49 struct platform_device
*pdev
;
50 struct gpio_desc
*reset
;
53 static LIST_HEAD(intel_device_list
);
54 static DEFINE_SPINLOCK(intel_device_list_lock
);
57 struct sk_buff
*rx_skb
;
58 struct sk_buff_head txq
;
62 static u8
intel_convert_speed(unsigned int speed
)
94 static int intel_wait_booting(struct hci_uart
*hu
)
96 struct intel_data
*intel
= hu
->priv
;
99 err
= wait_on_bit_timeout(&intel
->flags
, STATE_BOOTING
,
101 msecs_to_jiffies(1000));
104 BT_ERR("%s: Device boot interrupted", hu
->hdev
->name
);
109 BT_ERR("%s: Device boot timeout", hu
->hdev
->name
);
116 static int intel_set_power(struct hci_uart
*hu
, bool powered
)
121 spin_lock(&intel_device_list_lock
);
123 list_for_each(p
, &intel_device_list
) {
124 struct intel_device
*idev
= list_entry(p
, struct intel_device
,
127 /* tty device and pdev device should share the same parent
128 * which is the UART port.
130 if (hu
->tty
->dev
->parent
!= idev
->pdev
->dev
.parent
)
138 BT_INFO("hu %p, Switching compatible pm device (%s) to %u",
139 hu
, dev_name(&idev
->pdev
->dev
), powered
);
141 gpiod_set_value(idev
->reset
, powered
);
144 spin_unlock(&intel_device_list_lock
);
149 static int intel_open(struct hci_uart
*hu
)
151 struct intel_data
*intel
;
155 intel
= kzalloc(sizeof(*intel
), GFP_KERNEL
);
159 skb_queue_head_init(&intel
->txq
);
163 if (!intel_set_power(hu
, true))
164 set_bit(STATE_BOOTING
, &intel
->flags
);
169 static int intel_close(struct hci_uart
*hu
)
171 struct intel_data
*intel
= hu
->priv
;
175 intel_set_power(hu
, false);
177 skb_queue_purge(&intel
->txq
);
178 kfree_skb(intel
->rx_skb
);
185 static int intel_flush(struct hci_uart
*hu
)
187 struct intel_data
*intel
= hu
->priv
;
191 skb_queue_purge(&intel
->txq
);
196 static int inject_cmd_complete(struct hci_dev
*hdev
, __u16 opcode
)
199 struct hci_event_hdr
*hdr
;
200 struct hci_ev_cmd_complete
*evt
;
202 skb
= bt_skb_alloc(sizeof(*hdr
) + sizeof(*evt
) + 1, GFP_ATOMIC
);
206 hdr
= (struct hci_event_hdr
*)skb_put(skb
, sizeof(*hdr
));
207 hdr
->evt
= HCI_EV_CMD_COMPLETE
;
208 hdr
->plen
= sizeof(*evt
) + 1;
210 evt
= (struct hci_ev_cmd_complete
*)skb_put(skb
, sizeof(*evt
));
212 evt
->opcode
= cpu_to_le16(opcode
);
214 *skb_put(skb
, 1) = 0x00;
216 bt_cb(skb
)->pkt_type
= HCI_EVENT_PKT
;
218 return hci_recv_frame(hdev
, skb
);
221 static int intel_set_baudrate(struct hci_uart
*hu
, unsigned int speed
)
223 struct intel_data
*intel
= hu
->priv
;
224 struct hci_dev
*hdev
= hu
->hdev
;
225 u8 speed_cmd
[] = { 0x06, 0xfc, 0x01, 0x00 };
229 /* This can be the first command sent to the chip, check
230 * that the controller is ready.
232 err
= intel_wait_booting(hu
);
234 clear_bit(STATE_BOOTING
, &intel
->flags
);
236 /* In case of timeout, try to continue anyway */
237 if (err
&& err
!= ETIMEDOUT
)
240 BT_INFO("%s: Change controller speed to %d", hdev
->name
, speed
);
242 speed_cmd
[3] = intel_convert_speed(speed
);
243 if (speed_cmd
[3] == 0xff) {
244 BT_ERR("%s: Unsupported speed", hdev
->name
);
248 /* Device will not accept speed change if Intel version has not been
249 * previously requested.
251 skb
= __hci_cmd_sync(hdev
, 0xfc05, 0, NULL
, HCI_INIT_TIMEOUT
);
253 BT_ERR("%s: Reading Intel version information failed (%ld)",
254 hdev
->name
, PTR_ERR(skb
));
259 skb
= bt_skb_alloc(sizeof(speed_cmd
), GFP_KERNEL
);
261 BT_ERR("%s: Failed to allocate memory for baudrate packet",
266 memcpy(skb_put(skb
, sizeof(speed_cmd
)), speed_cmd
, sizeof(speed_cmd
));
267 bt_cb(skb
)->pkt_type
= HCI_COMMAND_PKT
;
269 hci_uart_set_flow_control(hu
, true);
271 skb_queue_tail(&intel
->txq
, skb
);
272 hci_uart_tx_wakeup(hu
);
274 /* wait 100ms to change baudrate on controller side */
277 hci_uart_set_baudrate(hu
, speed
);
278 hci_uart_set_flow_control(hu
, false);
283 static int intel_setup(struct hci_uart
*hu
)
285 static const u8 reset_param
[] = { 0x00, 0x01, 0x00, 0x01,
286 0x00, 0x08, 0x04, 0x00 };
287 struct intel_data
*intel
= hu
->priv
;
288 struct hci_dev
*hdev
= hu
->hdev
;
290 struct intel_version
*ver
;
291 struct intel_boot_params
*params
;
292 const struct firmware
*fw
;
296 ktime_t calltime
, delta
, rettime
;
297 unsigned long long duration
;
298 unsigned int init_speed
, oper_speed
;
299 int speed_change
= 0;
302 BT_DBG("%s", hdev
->name
);
304 hu
->hdev
->set_bdaddr
= btintel_set_bdaddr
;
306 calltime
= ktime_get();
309 init_speed
= hu
->init_speed
;
311 init_speed
= hu
->proto
->init_speed
;
314 oper_speed
= hu
->oper_speed
;
316 oper_speed
= hu
->proto
->oper_speed
;
318 if (oper_speed
&& init_speed
&& oper_speed
!= init_speed
)
321 /* Check that the controller is ready */
322 err
= intel_wait_booting(hu
);
324 clear_bit(STATE_BOOTING
, &intel
->flags
);
326 /* In case of timeout, try to continue anyway */
327 if (err
&& err
!= ETIMEDOUT
)
330 set_bit(STATE_BOOTLOADER
, &intel
->flags
);
332 /* Read the Intel version information to determine if the device
333 * is in bootloader mode or if it already has operational firmware
336 skb
= __hci_cmd_sync(hdev
, 0xfc05, 0, NULL
, HCI_INIT_TIMEOUT
);
338 BT_ERR("%s: Reading Intel version information failed (%ld)",
339 hdev
->name
, PTR_ERR(skb
));
343 if (skb
->len
!= sizeof(*ver
)) {
344 BT_ERR("%s: Intel version event size mismatch", hdev
->name
);
349 ver
= (struct intel_version
*)skb
->data
;
351 BT_ERR("%s: Intel version command failure (%02x)",
352 hdev
->name
, ver
->status
);
353 err
= -bt_to_errno(ver
->status
);
358 /* The hardware platform number has a fixed value of 0x37 and
359 * for now only accept this single value.
361 if (ver
->hw_platform
!= 0x37) {
362 BT_ERR("%s: Unsupported Intel hardware platform (%u)",
363 hdev
->name
, ver
->hw_platform
);
368 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is
369 * supported by this firmware loading method. This check has been
370 * put in place to ensure correct forward compatibility options
371 * when newer hardware variants come along.
373 if (ver
->hw_variant
!= 0x0b) {
374 BT_ERR("%s: Unsupported Intel hardware variant (%u)",
375 hdev
->name
, ver
->hw_variant
);
380 btintel_version_info(hdev
, ver
);
382 /* The firmware variant determines if the device is in bootloader
383 * mode or is running operational firmware. The value 0x06 identifies
384 * the bootloader and the value 0x23 identifies the operational
387 * When the operational firmware is already present, then only
388 * the check for valid Bluetooth device address is needed. This
389 * determines if the device will be added as configured or
390 * unconfigured controller.
392 * It is not possible to use the Secure Boot Parameters in this
393 * case since that command is only available in bootloader mode.
395 if (ver
->fw_variant
== 0x23) {
397 clear_bit(STATE_BOOTLOADER
, &intel
->flags
);
398 btintel_check_bdaddr(hdev
);
402 /* If the device is not in bootloader mode, then the only possible
403 * choice is to return an error and abort the device initialization.
405 if (ver
->fw_variant
!= 0x06) {
406 BT_ERR("%s: Unsupported Intel firmware variant (%u)",
407 hdev
->name
, ver
->fw_variant
);
414 /* Read the secure boot parameters to identify the operating
415 * details of the bootloader.
417 skb
= __hci_cmd_sync(hdev
, 0xfc0d, 0, NULL
, HCI_INIT_TIMEOUT
);
419 BT_ERR("%s: Reading Intel boot parameters failed (%ld)",
420 hdev
->name
, PTR_ERR(skb
));
424 if (skb
->len
!= sizeof(*params
)) {
425 BT_ERR("%s: Intel boot parameters size mismatch", hdev
->name
);
430 params
= (struct intel_boot_params
*)skb
->data
;
431 if (params
->status
) {
432 BT_ERR("%s: Intel boot parameters command failure (%02x)",
433 hdev
->name
, params
->status
);
434 err
= -bt_to_errno(params
->status
);
439 BT_INFO("%s: Device revision is %u", hdev
->name
,
440 le16_to_cpu(params
->dev_revid
));
442 BT_INFO("%s: Secure boot is %s", hdev
->name
,
443 params
->secure_boot
? "enabled" : "disabled");
445 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev
->name
,
446 params
->min_fw_build_nn
, params
->min_fw_build_cw
,
447 2000 + params
->min_fw_build_yy
);
449 /* It is required that every single firmware fragment is acknowledged
450 * with a command complete event. If the boot parameters indicate
451 * that this bootloader does not send them, then abort the setup.
453 if (params
->limited_cce
!= 0x00) {
454 BT_ERR("%s: Unsupported Intel firmware loading method (%u)",
455 hdev
->name
, params
->limited_cce
);
460 /* If the OTP has no valid Bluetooth device address, then there will
461 * also be no valid address for the operational firmware.
463 if (!bacmp(¶ms
->otp_bdaddr
, BDADDR_ANY
)) {
464 BT_INFO("%s: No device address configured", hdev
->name
);
465 set_bit(HCI_QUIRK_INVALID_BDADDR
, &hdev
->quirks
);
468 /* With this Intel bootloader only the hardware variant and device
469 * revision information are used to select the right firmware.
471 * Currently this bootloader support is limited to hardware variant
472 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b).
474 snprintf(fwname
, sizeof(fwname
), "intel/ibt-11-%u.sfi",
475 le16_to_cpu(params
->dev_revid
));
477 err
= request_firmware(&fw
, fwname
, &hdev
->dev
);
479 BT_ERR("%s: Failed to load Intel firmware file (%d)",
485 BT_INFO("%s: Found device firmware: %s", hdev
->name
, fwname
);
489 if (fw
->size
< 644) {
490 BT_ERR("%s: Invalid size of firmware file (%zu)",
491 hdev
->name
, fw
->size
);
496 set_bit(STATE_DOWNLOADING
, &intel
->flags
);
498 /* Start the firmware download transaction with the Init fragment
499 * represented by the 128 bytes of CSS header.
501 err
= btintel_secure_send(hdev
, 0x00, 128, fw
->data
);
503 BT_ERR("%s: Failed to send firmware header (%d)",
508 /* Send the 256 bytes of public key information from the firmware
509 * as the PKey fragment.
511 err
= btintel_secure_send(hdev
, 0x03, 256, fw
->data
+ 128);
513 BT_ERR("%s: Failed to send firmware public key (%d)",
518 /* Send the 256 bytes of signature information from the firmware
519 * as the Sign fragment.
521 err
= btintel_secure_send(hdev
, 0x02, 256, fw
->data
+ 388);
523 BT_ERR("%s: Failed to send firmware signature (%d)",
528 fw_ptr
= fw
->data
+ 644;
531 while (fw_ptr
- fw
->data
< fw
->size
) {
532 struct hci_command_hdr
*cmd
= (void *)(fw_ptr
+ frag_len
);
534 frag_len
+= sizeof(*cmd
) + cmd
->plen
;
536 BT_DBG("%s: patching %td/%zu", hdev
->name
,
537 (fw_ptr
- fw
->data
), fw
->size
);
539 /* The parameter length of the secure send command requires
540 * a 4 byte alignment. It happens so that the firmware file
541 * contains proper Intel_NOP commands to align the fragments
544 * Send set of commands with 4 byte alignment from the
545 * firmware data buffer as a single Data fragement.
550 /* Send each command from the firmware data buffer as
551 * a single Data fragment.
553 err
= btintel_secure_send(hdev
, 0x01, frag_len
, fw_ptr
);
555 BT_ERR("%s: Failed to send firmware data (%d)",
564 set_bit(STATE_FIRMWARE_LOADED
, &intel
->flags
);
566 BT_INFO("%s: Waiting for firmware download to complete", hdev
->name
);
568 /* Before switching the device into operational mode and with that
569 * booting the loaded firmware, wait for the bootloader notification
570 * that all fragments have been successfully received.
572 * When the event processing receives the notification, then the
573 * STATE_DOWNLOADING flag will be cleared.
575 * The firmware loading should not take longer than 5 seconds
576 * and thus just timeout if that happens and fail the setup
579 err
= wait_on_bit_timeout(&intel
->flags
, STATE_DOWNLOADING
,
581 msecs_to_jiffies(5000));
583 BT_ERR("%s: Firmware loading interrupted", hdev
->name
);
589 BT_ERR("%s: Firmware loading timeout", hdev
->name
);
594 if (test_bit(STATE_FIRMWARE_FAILED
, &intel
->flags
)) {
595 BT_ERR("%s: Firmware loading failed", hdev
->name
);
600 rettime
= ktime_get();
601 delta
= ktime_sub(rettime
, calltime
);
602 duration
= (unsigned long long) ktime_to_ns(delta
) >> 10;
604 BT_INFO("%s: Firmware loaded in %llu usecs", hdev
->name
, duration
);
607 release_firmware(fw
);
612 /* We need to restore the default speed before Intel reset */
614 err
= intel_set_baudrate(hu
, init_speed
);
619 calltime
= ktime_get();
621 set_bit(STATE_BOOTING
, &intel
->flags
);
623 skb
= __hci_cmd_sync(hdev
, 0xfc01, sizeof(reset_param
), reset_param
,
630 /* The bootloader will not indicate when the device is ready. This
631 * is done by the operational firmware sending bootup notification.
633 * Booting into operational firmware should not take longer than
634 * 1 second. However if that happens, then just fail the setup
635 * since something went wrong.
637 BT_INFO("%s: Waiting for device to boot", hdev
->name
);
639 err
= intel_wait_booting(hu
);
643 clear_bit(STATE_BOOTING
, &intel
->flags
);
645 rettime
= ktime_get();
646 delta
= ktime_sub(rettime
, calltime
);
647 duration
= (unsigned long long) ktime_to_ns(delta
) >> 10;
649 BT_INFO("%s: Device booted in %llu usecs", hdev
->name
, duration
);
651 skb
= __hci_cmd_sync(hdev
, HCI_OP_RESET
, 0, NULL
, HCI_CMD_TIMEOUT
);
657 err
= intel_set_baudrate(hu
, oper_speed
);
662 BT_INFO("%s: Setup complete", hdev
->name
);
664 clear_bit(STATE_BOOTLOADER
, &intel
->flags
);
669 static int intel_recv_event(struct hci_dev
*hdev
, struct sk_buff
*skb
)
671 struct hci_uart
*hu
= hci_get_drvdata(hdev
);
672 struct intel_data
*intel
= hu
->priv
;
673 struct hci_event_hdr
*hdr
;
675 if (!test_bit(STATE_BOOTLOADER
, &intel
->flags
) &&
676 !test_bit(STATE_BOOTING
, &intel
->flags
))
679 hdr
= (void *)skb
->data
;
681 /* When the firmware loading completes the device sends
682 * out a vendor specific event indicating the result of
683 * the firmware loading.
685 if (skb
->len
== 7 && hdr
->evt
== 0xff && hdr
->plen
== 0x05 &&
686 skb
->data
[2] == 0x06) {
687 if (skb
->data
[3] != 0x00)
688 set_bit(STATE_FIRMWARE_FAILED
, &intel
->flags
);
690 if (test_and_clear_bit(STATE_DOWNLOADING
, &intel
->flags
) &&
691 test_bit(STATE_FIRMWARE_LOADED
, &intel
->flags
)) {
692 smp_mb__after_atomic();
693 wake_up_bit(&intel
->flags
, STATE_DOWNLOADING
);
696 /* When switching to the operational firmware the device
697 * sends a vendor specific event indicating that the bootup
700 } else if (skb
->len
== 9 && hdr
->evt
== 0xff && hdr
->plen
== 0x07 &&
701 skb
->data
[2] == 0x02) {
702 if (test_and_clear_bit(STATE_BOOTING
, &intel
->flags
)) {
703 smp_mb__after_atomic();
704 wake_up_bit(&intel
->flags
, STATE_BOOTING
);
708 return hci_recv_frame(hdev
, skb
);
711 static const struct h4_recv_pkt intel_recv_pkts
[] = {
712 { H4_RECV_ACL
, .recv
= hci_recv_frame
},
713 { H4_RECV_SCO
, .recv
= hci_recv_frame
},
714 { H4_RECV_EVENT
, .recv
= intel_recv_event
},
717 static int intel_recv(struct hci_uart
*hu
, const void *data
, int count
)
719 struct intel_data
*intel
= hu
->priv
;
721 if (!test_bit(HCI_UART_REGISTERED
, &hu
->flags
))
724 intel
->rx_skb
= h4_recv_buf(hu
->hdev
, intel
->rx_skb
, data
, count
,
726 ARRAY_SIZE(intel_recv_pkts
));
727 if (IS_ERR(intel
->rx_skb
)) {
728 int err
= PTR_ERR(intel
->rx_skb
);
729 BT_ERR("%s: Frame reassembly failed (%d)", hu
->hdev
->name
, err
);
730 intel
->rx_skb
= NULL
;
737 static int intel_enqueue(struct hci_uart
*hu
, struct sk_buff
*skb
)
739 struct intel_data
*intel
= hu
->priv
;
741 BT_DBG("hu %p skb %p", hu
, skb
);
743 skb_queue_tail(&intel
->txq
, skb
);
748 static struct sk_buff
*intel_dequeue(struct hci_uart
*hu
)
750 struct intel_data
*intel
= hu
->priv
;
753 skb
= skb_dequeue(&intel
->txq
);
757 if (test_bit(STATE_BOOTLOADER
, &intel
->flags
) &&
758 (bt_cb(skb
)->pkt_type
== HCI_COMMAND_PKT
)) {
759 struct hci_command_hdr
*cmd
= (void *)skb
->data
;
760 __u16 opcode
= le16_to_cpu(cmd
->opcode
);
762 /* When the 0xfc01 command is issued to boot into
763 * the operational firmware, it will actually not
764 * send a command complete event. To keep the flow
765 * control working inject that event here.
767 if (opcode
== 0xfc01)
768 inject_cmd_complete(hu
->hdev
, opcode
);
771 /* Prepend skb with frame type */
772 memcpy(skb_push(skb
, 1), &bt_cb(skb
)->pkt_type
, 1);
777 static const struct hci_uart_proto intel_proto
= {
778 .id
= HCI_UART_INTEL
,
780 .init_speed
= 115200,
781 .oper_speed
= 3000000,
783 .close
= intel_close
,
784 .flush
= intel_flush
,
785 .setup
= intel_setup
,
786 .set_baudrate
= intel_set_baudrate
,
788 .enqueue
= intel_enqueue
,
789 .dequeue
= intel_dequeue
,
793 static const struct acpi_device_id intel_acpi_match
[] = {
797 MODULE_DEVICE_TABLE(acpi
, intel_acpi_match
);
799 static int intel_acpi_probe(struct intel_device
*idev
)
801 const struct acpi_device_id
*id
;
803 id
= acpi_match_device(intel_acpi_match
, &idev
->pdev
->dev
);
810 static int intel_acpi_probe(struct intel_device
*idev
)
816 static int intel_probe(struct platform_device
*pdev
)
818 struct intel_device
*idev
;
820 idev
= devm_kzalloc(&pdev
->dev
, sizeof(*idev
), GFP_KERNEL
);
826 if (ACPI_HANDLE(&pdev
->dev
)) {
827 int err
= intel_acpi_probe(idev
);
834 idev
->reset
= devm_gpiod_get_optional(&pdev
->dev
, "reset",
836 if (IS_ERR(idev
->reset
)) {
837 dev_err(&pdev
->dev
, "Unable to retrieve gpio\n");
838 return PTR_ERR(idev
->reset
);
841 platform_set_drvdata(pdev
, idev
);
843 /* Place this instance on the device list */
844 spin_lock(&intel_device_list_lock
);
845 list_add_tail(&idev
->list
, &intel_device_list
);
846 spin_unlock(&intel_device_list_lock
);
848 dev_info(&pdev
->dev
, "registered.\n");
853 static int intel_remove(struct platform_device
*pdev
)
855 struct intel_device
*idev
= platform_get_drvdata(pdev
);
857 spin_lock(&intel_device_list_lock
);
858 list_del(&idev
->list
);
859 spin_unlock(&intel_device_list_lock
);
861 dev_info(&pdev
->dev
, "unregistered.\n");
866 static struct platform_driver intel_driver
= {
867 .probe
= intel_probe
,
868 .remove
= intel_remove
,
871 .acpi_match_table
= ACPI_PTR(intel_acpi_match
),
875 int __init
intel_init(void)
877 platform_driver_register(&intel_driver
);
879 return hci_uart_register_proto(&intel_proto
);
882 int __exit
intel_deinit(void)
884 platform_driver_unregister(&intel_driver
);
886 return hci_uart_unregister_proto(&intel_proto
);