1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Microchip Polarfire SoC "Auto Update" FPGA reprogramming.
4 *
5 * Documentation of this functionality is available in the "PolarFire® FPGA and
6 * PolarFire SoC FPGA Programming" User Guide.
7 *
8 * Copyright (c) 2022-2023 Microchip Corporation. All rights reserved.
9 *
10 * Author: Conor Dooley <conor.dooley@microchip.com>
11 */
12#include <linux/debugfs.h>
13#include <linux/firmware.h>
14#include <linux/math.h>
15#include <linux/module.h>
16#include <linux/mtd/mtd.h>
17#include <linux/platform_device.h>
18#include <linux/sizes.h>
19
20#include <soc/microchip/mpfs.h>
21
22#define AUTO_UPDATE_DEFAULT_MBOX_OFFSET 0u
23#define AUTO_UPDATE_DEFAULT_RESP_OFFSET 0u
24
25#define AUTO_UPDATE_FEATURE_CMD_OPCODE 0x05u
26#define AUTO_UPDATE_FEATURE_CMD_DATA_SIZE 0u
27#define AUTO_UPDATE_FEATURE_RESP_SIZE 33u
28#define AUTO_UPDATE_FEATURE_CMD_DATA NULL
29#define AUTO_UPDATE_FEATURE_ENABLED BIT(5)
30
31#define AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE 0x22u
32#define AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE 0u
33#define AUTO_UPDATE_AUTHENTICATE_RESP_SIZE 1u
34#define AUTO_UPDATE_AUTHENTICATE_CMD_DATA NULL
35
36#define AUTO_UPDATE_PROGRAM_CMD_OPCODE 0x46u
37#define AUTO_UPDATE_PROGRAM_CMD_DATA_SIZE 0u
38#define AUTO_UPDATE_PROGRAM_RESP_SIZE 1u
39#define AUTO_UPDATE_PROGRAM_CMD_DATA NULL
40
41/*
42 * SPI Flash layout example:
43 * |------------------------------| 0x0000000
44 * | 1 KiB |
45 * | SPI "directories" |
46 * |------------------------------| 0x0000400
47 * | 1 MiB |
48 * | Reserved area |
49 * | Used for bitstream info |
50 * |------------------------------| 0x0100400
51 * | 20 MiB |
52 * | Golden Image |
53 * |------------------------------| 0x1500400
54 * | 20 MiB |
55 * | Auto Upgrade Image |
56 * |------------------------------| 0x2900400
57 * | 20 MiB |
58 * | Reserved for multi-image IAP |
59 * | Unused for Auto Upgrade |
60 * |------------------------------| 0x3D00400
61 * | ? B |
62 * | Unused |
63 * |------------------------------| 0x?
64 */
65#define AUTO_UPDATE_DIRECTORY_BASE 0u
66#define AUTO_UPDATE_DIRECTORY_WIDTH 4u
67#define AUTO_UPDATE_GOLDEN_INDEX 0u
68#define AUTO_UPDATE_UPGRADE_INDEX 1u
69#define AUTO_UPDATE_BLANK_INDEX 2u
70#define AUTO_UPDATE_GOLDEN_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_GOLDEN_INDEX)
71#define AUTO_UPDATE_UPGRADE_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_UPGRADE_INDEX)
72#define AUTO_UPDATE_BLANK_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_BLANK_INDEX)
73#define AUTO_UPDATE_DIRECTORY_SIZE SZ_1K
74#define AUTO_UPDATE_RESERVED_SIZE SZ_1M
75#define AUTO_UPDATE_BITSTREAM_BASE (AUTO_UPDATE_DIRECTORY_SIZE + AUTO_UPDATE_RESERVED_SIZE)
76
77#define AUTO_UPDATE_TIMEOUT_MS 60000
78
/**
 * struct mpfs_auto_update_priv - per-device state of the Auto Update uploader
 * @sys_controller: system controller handle obtained in probe; used for the
 *	mailbox transactions and to look up the flash
 * @dev: the platform device's struct device, used for logging and for
 *	device-managed allocations
 * @flash: MTD device returned by mpfs_sys_controller_get_flash(); only set
 *	once the prepare callback has run
 * @fw_uploader: handle returned by firmware_upload_register()
 * @programming_complete: completed at the end of the write callback and
 *	waited on by the poll_complete callback
 * @size_per_bitstream: size of one image slot in the flash, computed by the
 *	prepare callback
 * @cancel_request: set by the cancel callback, cleared by prepare and read
 *	by the write callback
 */
struct mpfs_auto_update_priv {
	struct mpfs_sys_controller *sys_controller;
	struct device *dev;
	struct mtd_info *flash;
	struct fw_upload *fw_uploader;
	struct completion programming_complete;
	size_t size_per_bitstream;
	bool cancel_request;
};
88
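/**
 * mpfs_auto_update_prepare() - fw_upload "prepare" callback
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 * @data: the image about to be written (not inspected here)
 * @size: size of the image in bytes
 *
 * Looks up the flash, works out how large one image slot is and rejects
 * images that do not fit in a slot.
 *
 * Return: FW_UPLOAD_ERR_NONE on success, FW_UPLOAD_ERR_HW_ERROR if no flash
 * is available, FW_UPLOAD_ERR_INVALID_SIZE if the image cannot fit.
 */
static enum fw_upload_err mpfs_auto_update_prepare(struct fw_upload *fw_uploader, const u8 *data,
						   u32 size)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;

	/*
	 * Verifying the Golden Image is idealistic. It will be evaluated
	 * against the currently programmed image and thus may fail - due to
	 * either rollback protection (if it's an older version than that in
	 * use) or if the version is the same as that of the in-use image.
	 * Extracting the information as to why a failure occurred is not
	 * currently possible due to limitations of the system controller
	 * driver. If those are fixed, verification of the Golden Image should
	 * be added here.
	 */

	priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller);
	if (!priv->flash)
		return FW_UPLOAD_ERR_HW_ERROR;

	erase_size = round_up(erase_size, (u64)priv->flash->erasesize);

	/*
	 * The capacity calculation below is unsigned. A flash smaller than the
	 * directory plus the reserved area would wrap to a huge value, be
	 * clamped to 20 MiB and pass the size check, so reject it up front.
	 */
	if (priv->flash->size < AUTO_UPDATE_BITSTREAM_BASE) {
		dev_err(priv->dev,
			"flash device has insufficient capacity to store this bitstream\n");
		return FW_UPLOAD_ERR_INVALID_SIZE;
	}

	/*
	 * We need to calculate if we have enough space in the flash for the
	 * new image.
	 * First, chop off the first 1 KiB as it's reserved for the directory.
	 * The 1 MiB reserved for design info needs to be ignored also.
	 * All that remains is carved into 3 & rounded down to the erasesize.
	 * If this is smaller than the image size, we abort.
	 * There's also no need to consume more than 20 MiB per image.
	 */
	priv->size_per_bitstream = priv->flash->size - SZ_1K - SZ_1M;
	priv->size_per_bitstream = round_down(priv->size_per_bitstream / 3, erase_size);
	if (priv->size_per_bitstream > 20 * SZ_1M)
		priv->size_per_bitstream = 20 * SZ_1M;

	if (priv->size_per_bitstream < size) {
		dev_err(priv->dev,
			"flash device has insufficient capacity to store this bitstream\n");
		return FW_UPLOAD_ERR_INVALID_SIZE;
	}

	priv->cancel_request = false;

	return FW_UPLOAD_ERR_NONE;
}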
136
/**
 * mpfs_auto_update_cancel() - fw_upload "cancel" callback
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 *
 * Only latches the request. The flag is read by the write callback after
 * the flash write has finished, so a write in progress is not interrupted.
 */
static void mpfs_auto_update_cancel(struct fw_upload *fw_uploader)
{
	struct mpfs_auto_update_priv *state = fw_uploader->dd_handle;

	state->cancel_request = true;
}
143
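/**
 * mpfs_auto_update_poll_complete() - fw_upload "poll_complete" callback
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 *
 * Waits for the write callback to signal programming_complete, for at most
 * AUTO_UPDATE_TIMEOUT_MS.
 *
 * Return: FW_UPLOAD_ERR_NONE once the completion has been signalled,
 * FW_UPLOAD_ERR_TIMEOUT if it was not signalled in time.
 */
static enum fw_upload_err mpfs_auto_update_poll_complete(struct fw_upload *fw_uploader)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	unsigned long remaining;

	/*
	 * There is no meaningful way to get the status of the programming while
	 * it is in progress, so attempting anything other than waiting for it
	 * to complete would be misplaced.
	 */
	remaining = wait_for_completion_timeout(&priv->programming_complete,
						msecs_to_jiffies(AUTO_UPDATE_TIMEOUT_MS));

	/*
	 * wait_for_completion_timeout() returns 0 when the wait timed out and
	 * the number of jiffies left otherwise, so only 0 is a failure. Testing
	 * for non-zero would report a timeout on every successful upload.
	 */
	if (!remaining)
		return FW_UPLOAD_ERR_TIMEOUT;

	return FW_UPLOAD_ERR_NONE;
}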
161
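/**
 * mpfs_auto_update_verify_image() - ask the system controller to authenticate
 *				     the Upgrade Image
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 *
 * Return: 0 if the system controller accepted the image, -ENOMEM if a buffer
 * could not be allocated, the error from mpfs_blocking_transaction(), or
 * -EBADMSG if the transaction completed with a non-zero response status.
 */
static int mpfs_auto_update_verify_image(struct fw_upload *fw_uploader)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	struct mpfs_mss_response *response;
	struct mpfs_mss_msg *message;
	u32 *response_msg;
	int ret;

	response_msg = devm_kzalloc(priv->dev, AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg),
				    GFP_KERNEL);
	if (!response_msg)
		return -ENOMEM;

	response = devm_kzalloc(priv->dev, sizeof(struct mpfs_mss_response), GFP_KERNEL);
	if (!response) {
		ret = -ENOMEM;
		goto free_response_msg;
	}

	message = devm_kzalloc(priv->dev, sizeof(struct mpfs_mss_msg), GFP_KERNEL);
	if (!message) {
		ret = -ENOMEM;
		goto free_response;
	}

	/*
	 * The system controller can verify that an image in the flash is valid.
	 * Rather than duplicate the check in this driver, call the relevant
	 * service from the system controller instead.
	 * This service has no command data and no response data. It overloads
	 * mbox_offset with the image index in the flash's SPI directory where
	 * the bitstream is located.
	 */
	response->resp_msg = response_msg;
	response->resp_size = AUTO_UPDATE_AUTHENTICATE_RESP_SIZE;
	message->cmd_opcode = AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE;
	message->cmd_data_size = AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE;
	message->response = response;
	message->cmd_data = AUTO_UPDATE_AUTHENTICATE_CMD_DATA;
	message->mbox_offset = AUTO_UPDATE_UPGRADE_INDEX;
	message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;

	dev_info(priv->dev, "Running verification of Upgrade Image\n");
	ret = mpfs_blocking_transaction(priv->sys_controller, message);
	if (ret || response->resp_status) {
		dev_warn(priv->dev, "Verification of Upgrade Image failed!\n");
		ret = ret ? ret : -EBADMSG;
		/*
		 * Skip the success message: a rejected image must not also be
		 * logged as having passed verification.
		 */
		goto free_message;
	}

	dev_info(priv->dev, "Verification of Upgrade Image passed!\n");

free_message:
	devm_kfree(priv->dev, message);
free_response:
	devm_kfree(priv->dev, response);
free_response_msg:
	devm_kfree(priv->dev, response_msg);

	return ret;
}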
221
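/**
 * mpfs_auto_update_set_image_address() - point the SPI directory at the
 *					  Upgrade Image
 * @priv: driver private data; priv->flash must already be set
 * @buffer: scratch buffer of at least one directory erase block, supplied by
 *	the caller
 * @image_address: flash address of the Upgrade Image
 * @directory_address: offset of the directory entry, used for logging only
 *
 * Return: 0 on success or if the directory already holds the wanted values,
 * the error from the MTD read, erase or write, or -EIO on a short read or
 * short write.
 */
static int mpfs_auto_update_set_image_address(struct mpfs_auto_update_priv *priv, char *buffer,
					      u32 image_address, loff_t directory_address)
{
	struct erase_info erase;
	size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;
	size_t bytes_written = 0, bytes_read = 0;
	int ret;

	erase_size = round_up(erase_size, (u64)priv->flash->erasesize);

	erase.addr = AUTO_UPDATE_DIRECTORY_BASE;
	erase.len = erase_size;

	/*
	 * We need to write the "SPI DIRECTORY" to the first 1 KiB, telling
	 * the system controller where to find the actual bitstream. Since
	 * this is spi-nor, we have to read the first eraseblock, erase that
	 * portion of the flash, modify the data and then write it back.
	 * There's no need to do this though if things are already the way they
	 * should be, so check and save the write in that case.
	 */
	ret = mtd_read(priv->flash, AUTO_UPDATE_DIRECTORY_BASE, erase_size, &bytes_read,
		       (u_char *)buffer);
	if (ret)
		return ret;

	if (bytes_read != erase_size)
		return -EIO;

	if ((*(u32 *)(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY) == image_address) &&
	    !(*(u32 *)(buffer + AUTO_UPDATE_BLANK_DIRECTORY)))
		return 0;

	/*
	 * The erased block also holds the Golden Image entry at index 0. It is
	 * only restored by the write below, so an interruption between the
	 * erase and the write leaves the whole directory block erased.
	 */
	ret = mtd_erase(priv->flash, &erase);
	if (ret)
		return ret;

	/*
	 * Populate the image address and then zero out the next directory so
	 * that the system controller doesn't complain if in "Single Image"
	 * mode.
	 */
	memcpy(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY, &image_address,
	       AUTO_UPDATE_DIRECTORY_WIDTH);
	memset(buffer + AUTO_UPDATE_BLANK_DIRECTORY, 0x0, AUTO_UPDATE_DIRECTORY_WIDTH);

	dev_info(priv->dev, "Writing the image address (%x) to the flash directory (%llx)\n",
		 image_address, directory_address);

	ret = mtd_write(priv->flash, 0x0, erase_size, &bytes_written, (u_char *)buffer);
	if (ret)
		return ret;

	/*
	 * ret is 0 here, so a short write has to be turned into an error
	 * explicitly or it would be reported as success.
	 */
	if (bytes_written != erase_size)
		return -EIO;

	return 0;
}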
280
/**
 * mpfs_auto_update_write_bitstream() - store the Upgrade Image in the flash
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 * @data: image to write
 * @offset: not used; the image is always written from the start of its slot
 * @size: number of bytes in @data
 * @written: set to the number of bytes written on success
 *
 * Updates the SPI directory, erases the Upgrade Image slot and writes the
 * image to it.
 *
 * Return: 0 on success, -ENOMEM, -EIO on a short write, or the error from
 * the directory update or from the MTD erase or write.
 */
static int mpfs_auto_update_write_bitstream(struct fw_upload *fw_uploader, const u8 *data,
					    u32 offset, u32 size, u32 *written)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	loff_t directory_address = AUTO_UPDATE_UPGRADE_DIRECTORY;
	size_t dir_block = AUTO_UPDATE_DIRECTORY_SIZE;
	size_t nwritten = 0;
	struct erase_info region;
	u32 image_address;
	char *dir_copy;
	int ret;

	dir_block = round_up(dir_block, (u64)priv->flash->erasesize);

	image_address = AUTO_UPDATE_BITSTREAM_BASE +
			AUTO_UPDATE_UPGRADE_INDEX * priv->size_per_bitstream;

	/* Scratch copy of the directory erase block for the read-modify-write. */
	dir_copy = devm_kzalloc(priv->dev, dir_block, GFP_KERNEL);
	if (!dir_copy)
		return -ENOMEM;

	ret = mpfs_auto_update_set_image_address(priv, dir_copy, image_address, directory_address);
	if (ret) {
		dev_err(priv->dev, "failed to set image address in the SPI directory: %d\n", ret);
		goto release;
	}

	/*
	 * Now the .spi image itself can be written to the flash. Preserving
	 * the previous contents is not important here, unlike the spi
	 * "directory" which must be RMWed.
	 */
	region.addr = image_address;
	region.len = round_up(size, (size_t)priv->flash->erasesize);

	dev_info(priv->dev, "Erasing the flash at address (%x)\n", image_address);
	ret = mtd_erase(priv->flash, &region);
	if (ret)
		goto release;

	/*
	 * No parsing etc of the bitstream is required. The system controller
	 * will do all of that itself - including verifying that the bitstream
	 * is valid.
	 */
	dev_info(priv->dev, "Writing the image to the flash at address (%x)\n", image_address);
	ret = mtd_write(priv->flash, (loff_t)image_address, size, &nwritten, data);
	if (!ret && nwritten != size)
		ret = -EIO;

	if (!ret)
		*written = nwritten;

release:
	devm_kfree(priv->dev, dir_copy);
	return ret;
}
342
/**
 * mpfs_auto_update_write() - fw_upload "write" callback
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 * @data: image to write
 * @offset: passed through to mpfs_auto_update_write_bitstream()
 * @size: number of bytes in @data
 * @written: set by mpfs_auto_update_write_bitstream() on success
 *
 * Writes the image to the flash and then has the system controller verify
 * it. programming_complete is signalled on every exit path.
 *
 * Return: FW_UPLOAD_ERR_NONE on success, FW_UPLOAD_ERR_RW_ERROR if the flash
 * write failed, FW_UPLOAD_ERR_CANCELED if a cancel was requested, or
 * FW_UPLOAD_ERR_FW_INVALID if verification failed.
 */
static enum fw_upload_err mpfs_auto_update_write(struct fw_upload *fw_uploader, const u8 *data,
						 u32 offset, u32 size, u32 *written)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	enum fw_upload_err outcome;

	reinit_completion(&priv->programming_complete);

	/*
	 * The cancel flag is only looked at once the image is already in the
	 * flash; a cancelled upload skips verification but is not undone.
	 */
	if (mpfs_auto_update_write_bitstream(fw_uploader, data, offset, size, written))
		outcome = FW_UPLOAD_ERR_RW_ERROR;
	else if (priv->cancel_request)
		outcome = FW_UPLOAD_ERR_CANCELED;
	else if (mpfs_auto_update_verify_image(fw_uploader))
		outcome = FW_UPLOAD_ERR_FW_INVALID;
	else
		outcome = FW_UPLOAD_ERR_NONE;

	complete(&priv->programming_complete);

	return outcome;
}
372
/* Callbacks handed to firmware_upload_register() in probe. */
static const struct fw_upload_ops mpfs_auto_update_ops = {
	.cancel = mpfs_auto_update_cancel,
	.poll_complete = mpfs_auto_update_poll_complete,
	.prepare = mpfs_auto_update_prepare,
	.write = mpfs_auto_update_write,
};
379
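/**
 * mpfs_auto_update_available() - check whether Auto Update is permitted
 * @priv: driver private data
 *
 * Return: 0 if Auto Update is possible, -ENOMEM if a buffer could not be
 * allocated, the error from mpfs_blocking_transaction(), -EIO if the service
 * reported a non-zero status, or -EPERM if the Auto Update lock bit is set.
 */
static int mpfs_auto_update_available(struct mpfs_auto_update_priv *priv)
{
	struct mpfs_mss_response *response;
	struct mpfs_mss_msg *message;
	u32 *response_msg;
	int ret;

	response_msg = devm_kzalloc(priv->dev,
				    AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg),
				    GFP_KERNEL);
	if (!response_msg)
		return -ENOMEM;

	response = devm_kzalloc(priv->dev, sizeof(struct mpfs_mss_response), GFP_KERNEL);
	if (!response) {
		ret = -ENOMEM;
		goto free_response_msg;
	}

	message = devm_kzalloc(priv->dev, sizeof(struct mpfs_mss_msg), GFP_KERNEL);
	if (!message) {
		ret = -ENOMEM;
		goto free_response;
	}

	/*
	 * To verify that Auto Update is possible, the "Query Security Service
	 * Request" is performed.
	 * This service has no command data & does not overload mbox_offset.
	 */
	response->resp_msg = response_msg;
	response->resp_size = AUTO_UPDATE_FEATURE_RESP_SIZE;
	message->cmd_opcode = AUTO_UPDATE_FEATURE_CMD_OPCODE;
	message->cmd_data_size = AUTO_UPDATE_FEATURE_CMD_DATA_SIZE;
	message->response = response;
	message->cmd_data = AUTO_UPDATE_FEATURE_CMD_DATA;
	message->mbox_offset = AUTO_UPDATE_DEFAULT_MBOX_OFFSET;
	message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;

	ret = mpfs_blocking_transaction(priv->sys_controller, message);
	if (ret)
		goto free_message;

	/*
	 * Currently, the system controller's firmware does not generate any
	 * interrupts for failed services, so mpfs_blocking_transaction() should
	 * time out & therefore return an error.
	 * Hitting this check is highly unlikely at present, but if the system
	 * controller's behaviour changes so that it does generate interrupts
	 * for failed services, it will be required.
	 */
	if (response->resp_status) {
		ret = -EIO;
		goto free_message;
	}

	/*
	 * Bit 5 of byte 1 is "UL_Auto Update" & if it is set, Auto Update is
	 * not possible. The response buffer is an array of u32, so it has to
	 * be indexed as bytes: response_msg[1] would test bytes 4-7 instead
	 * and miss the lock bit.
	 */
	if (((u8 *)response_msg)[1] & AUTO_UPDATE_FEATURE_ENABLED)
		ret = -EPERM;

	/*
	 * The buffers are device-managed; release them here so that they do
	 * not stay allocated for the lifetime of the device.
	 */
free_message:
	devm_kfree(priv->dev, message);
free_response:
	devm_kfree(priv->dev, response);
free_response_msg:
	devm_kfree(priv->dev, response_msg);

	return ret;
}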
439
/**
 * mpfs_auto_update_probe() - bind the Auto Update uploader to its device
 * @pdev: the platform device being probed
 *
 * Allocates the private data, attaches to the system controller, checks
 * that Auto Update is available and registers the firmware uploader.
 *
 * Return: 0 on success, -ENOMEM, or the error reported through
 * dev_err_probe() for the step that failed.
 */
static int mpfs_auto_update_probe(struct platform_device *pdev)
{
	struct mpfs_auto_update_priv *priv;
	struct fw_upload *uploader;
	int err;

	priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
	if (!priv)
		return -ENOMEM;

	priv->sys_controller = mpfs_sys_controller_get(&pdev->dev);
	if (IS_ERR(priv->sys_controller))
		return dev_err_probe(&pdev->dev, PTR_ERR(priv->sys_controller),
				     "Could not register as a sub device of the system controller\n");

	priv->dev = &pdev->dev;
	platform_set_drvdata(pdev, priv);

	/* Refuse to bind when the device reports that Auto Update is unavailable. */
	err = mpfs_auto_update_available(priv);
	if (err)
		return dev_err_probe(&pdev->dev, err,
				     "The current bitstream does not support auto-update\n");

	/* Must be ready before the uploader is registered and callbacks can run. */
	init_completion(&priv->programming_complete);

	uploader = firmware_upload_register(THIS_MODULE, &pdev->dev, "mpfs-auto-update",
					    &mpfs_auto_update_ops, priv);
	if (IS_ERR(uploader))
		return dev_err_probe(&pdev->dev, PTR_ERR(uploader),
				     "Failed to register the bitstream uploader\n");

	priv->fw_uploader = uploader;

	return 0;
}
476
/**
 * mpfs_auto_update_remove() - unbind the Auto Update uploader
 * @pdev: the platform device being removed
 *
 * Unregisters the uploader that probe registered; the private data itself is
 * device-managed.
 */
static void mpfs_auto_update_remove(struct platform_device *pdev)
{
	struct mpfs_auto_update_priv *state = platform_get_drvdata(pdev);

	firmware_upload_unregister(state->fw_uploader);
}
483
/* Platform driver glue; only a driver name is set in this initializer. */
static struct platform_driver mpfs_auto_update_driver = {
	.probe = mpfs_auto_update_probe,
	.remove_new = mpfs_auto_update_remove,
	.driver = {
		.name = "mpfs-auto-update",
	},
};
module_platform_driver(mpfs_auto_update_driver);
492
493MODULE_LICENSE("GPL");
494MODULE_AUTHOR("Conor Dooley <conor.dooley@microchip.com>");
495MODULE_DESCRIPTION("PolarFire SoC Auto Update FPGA reprogramming");
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Microchip Polarfire SoC "Auto Update" FPGA reprogramming.
4 *
5 * Documentation of this functionality is available in the "PolarFire® FPGA and
6 * PolarFire SoC FPGA Programming" User Guide.
7 *
8 * Copyright (c) 2022-2023 Microchip Corporation. All rights reserved.
9 *
10 * Author: Conor Dooley <conor.dooley@microchip.com>
11 */
12#include <linux/cleanup.h>
13#include <linux/debugfs.h>
14#include <linux/firmware.h>
15#include <linux/math.h>
16#include <linux/module.h>
17#include <linux/mtd/mtd.h>
18#include <linux/platform_device.h>
19#include <linux/sizes.h>
20
21#include <soc/microchip/mpfs.h>
22
23#define AUTO_UPDATE_DEFAULT_MBOX_OFFSET 0u
24#define AUTO_UPDATE_DEFAULT_RESP_OFFSET 0u
25
26#define AUTO_UPDATE_FEATURE_CMD_OPCODE 0x05u
27#define AUTO_UPDATE_FEATURE_CMD_DATA_SIZE 0u
28#define AUTO_UPDATE_FEATURE_RESP_SIZE 33u
29#define AUTO_UPDATE_FEATURE_CMD_DATA NULL
30#define AUTO_UPDATE_FEATURE_ENABLED BIT(5)
31
32#define AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE 0x22u
33#define AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE 0u
34#define AUTO_UPDATE_AUTHENTICATE_RESP_SIZE 1u
35#define AUTO_UPDATE_AUTHENTICATE_CMD_DATA NULL
36
37#define AUTO_UPDATE_PROGRAM_CMD_OPCODE 0x46u
38#define AUTO_UPDATE_PROGRAM_CMD_DATA_SIZE 0u
39#define AUTO_UPDATE_PROGRAM_RESP_SIZE 1u
40#define AUTO_UPDATE_PROGRAM_CMD_DATA NULL
41
42/*
43 * SPI Flash layout example:
44 * |------------------------------| 0x0000000
45 * | 1 KiB |
46 * | SPI "directories" |
47 * |------------------------------| 0x0000400
48 * | 1 MiB |
49 * | Reserved area |
50 * | Used for bitstream info |
51 * |------------------------------| 0x0100400
52 * | 20 MiB |
53 * | Golden Image |
54 * |------------------------------| 0x1500400
55 * | 20 MiB |
56 * | Auto Upgrade Image |
57 * |------------------------------| 0x2900400
58 * | 20 MiB |
59 * | Reserved for multi-image IAP |
60 * | Unused for Auto Upgrade |
61 * |------------------------------| 0x3D00400
62 * | ? B |
63 * | Unused |
64 * |------------------------------| 0x?
65 */
66#define AUTO_UPDATE_DIRECTORY_BASE 0u
67#define AUTO_UPDATE_DIRECTORY_WIDTH 4u
68#define AUTO_UPDATE_GOLDEN_INDEX 0u
69#define AUTO_UPDATE_UPGRADE_INDEX 1u
70#define AUTO_UPDATE_BLANK_INDEX 2u
71#define AUTO_UPDATE_GOLDEN_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_GOLDEN_INDEX)
72#define AUTO_UPDATE_UPGRADE_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_UPGRADE_INDEX)
73#define AUTO_UPDATE_BLANK_DIRECTORY (AUTO_UPDATE_DIRECTORY_WIDTH * AUTO_UPDATE_BLANK_INDEX)
74#define AUTO_UPDATE_DIRECTORY_SIZE SZ_1K
75#define AUTO_UPDATE_INFO_BASE AUTO_UPDATE_DIRECTORY_SIZE
76#define AUTO_UPDATE_INFO_SIZE SZ_1M
77#define AUTO_UPDATE_BITSTREAM_BASE (AUTO_UPDATE_DIRECTORY_SIZE + AUTO_UPDATE_INFO_SIZE)
78
/**
 * struct mpfs_auto_update_priv - per-device state of the Auto Update uploader
 * @sys_controller: system controller handle obtained in probe; used for the
 *	mailbox transactions and to look up the flash
 * @dev: the platform device's struct device, used for logging
 * @flash: MTD device returned by mpfs_sys_controller_get_flash(); only set
 *	once the prepare callback has run
 * @fw_uploader: handle returned by firmware_upload_register()
 * @size_per_bitstream: size of one image slot in the flash, computed by the
 *	prepare callback
 * @cancel_request: set by the cancel callback, cleared by prepare and read
 *	by the write callback
 */
struct mpfs_auto_update_priv {
	struct mpfs_sys_controller *sys_controller;
	struct device *dev;
	struct mtd_info *flash;
	struct fw_upload *fw_uploader;
	size_t size_per_bitstream;
	bool cancel_request;
};
87
/**
 * mpfs_auto_update_is_bitstream_info() - classify an upload by its first bytes
 * @data: start of the uploaded data
 * @size: number of bytes in @data
 *
 * The test is a four byte magic comparison only (0x4d 0x43 0x48 0x50, ASCII
 * "MCHP"); nothing else in the data is checked. Callers use the result to
 * decide where the data is written and whether the image is verified.
 *
 * Return: true if @data is at least four bytes long and starts with the
 * magic, false otherwise.
 */
static bool mpfs_auto_update_is_bitstream_info(const u8 *data, u32 size)
{
	/* The length test comes first so that short inputs are never read. */
	return size >= 4 &&
	       data[0] == 0x4d && data[1] == 0x43 &&
	       data[2] == 0x48 && data[3] == 0x50;
}
98
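/**
 * mpfs_auto_update_prepare() - fw_upload "prepare" callback
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 * @data: the data about to be written (not inspected here)
 * @size: size of the data in bytes
 *
 * Looks up the flash, works out how large one image slot is and rejects
 * uploads that do not fit in a slot.
 *
 * Return: FW_UPLOAD_ERR_NONE on success, FW_UPLOAD_ERR_HW_ERROR if no flash
 * is available, FW_UPLOAD_ERR_INVALID_SIZE if the upload cannot fit.
 */
static enum fw_upload_err mpfs_auto_update_prepare(struct fw_upload *fw_uploader, const u8 *data,
						   u32 size)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	size_t erase_size = AUTO_UPDATE_DIRECTORY_SIZE;

	/*
	 * Verifying the Golden Image is idealistic. It will be evaluated
	 * against the currently programmed image and thus may fail - due to
	 * either rollback protection (if it's an older version than that in
	 * use) or if the version is the same as that of the in-use image.
	 * Extracting the information as to why a failure occurred is not
	 * currently possible due to limitations of the system controller
	 * driver. If those are fixed, verification of the Golden Image should
	 * be added here.
	 */

	priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller);
	if (!priv->flash)
		return FW_UPLOAD_ERR_HW_ERROR;

	erase_size = round_up(erase_size, (u64)priv->flash->erasesize);

	/*
	 * The capacity calculation below is unsigned. A flash smaller than the
	 * directory plus the info area would wrap to a huge value, be clamped
	 * to 20 MiB and pass the size check, so reject it up front.
	 */
	if (priv->flash->size < AUTO_UPDATE_BITSTREAM_BASE) {
		dev_err(priv->dev,
			"flash device has insufficient capacity to store this bitstream\n");
		return FW_UPLOAD_ERR_INVALID_SIZE;
	}

	/*
	 * We need to calculate if we have enough space in the flash for the
	 * new image.
	 * First, chop off the first 1 KiB as it's reserved for the directory.
	 * The 1 MiB reserved for design info needs to be ignored also.
	 * All that remains is carved into 3 & rounded down to the erasesize.
	 * If this is smaller than the image size, we abort.
	 * There's also no need to consume more than 20 MiB per image.
	 */
	priv->size_per_bitstream = priv->flash->size - SZ_1K - SZ_1M;
	priv->size_per_bitstream = round_down(priv->size_per_bitstream / 3, erase_size);
	if (priv->size_per_bitstream > 20 * SZ_1M)
		priv->size_per_bitstream = 20 * SZ_1M;

	if (priv->size_per_bitstream < size) {
		dev_err(priv->dev,
			"flash device has insufficient capacity to store this bitstream\n");
		return FW_UPLOAD_ERR_INVALID_SIZE;
	}

	priv->cancel_request = false;

	return FW_UPLOAD_ERR_NONE;
}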
146
/**
 * mpfs_auto_update_cancel() - fw_upload "cancel" callback
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 *
 * Records the request and nothing else. The write callback reads the flag
 * after the flash write has returned, so data already written stays in the
 * flash.
 */
static void mpfs_auto_update_cancel(struct fw_upload *fw_uploader)
{
	struct mpfs_auto_update_priv *state = fw_uploader->dd_handle;

	state->cancel_request = true;
}
153
/**
 * mpfs_auto_update_poll_complete() - fw_upload "poll_complete" callback
 * @fw_uploader: unused
 *
 * There is nothing to wait for: the write callback performs the flash write
 * and the verification before it returns.
 *
 * Return: always FW_UPLOAD_ERR_NONE.
 */
static enum fw_upload_err mpfs_auto_update_poll_complete(struct fw_upload *fw_uploader)
{
	return FW_UPLOAD_ERR_NONE;
}
158
/**
 * mpfs_auto_update_verify_image() - ask the system controller to authenticate
 *				     the Upgrade Image
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 *
 * The three buffers are released automatically on every return path through
 * their __free(kfree) annotations.
 *
 * Return: 0 if the system controller accepted the image, -ENOMEM if a buffer
 * could not be allocated, the error from mpfs_blocking_transaction(), or
 * -EBADMSG if the transaction completed with a non-zero response status.
 */
static int mpfs_auto_update_verify_image(struct fw_upload *fw_uploader)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	u32 *response_msg __free(kfree) =
		kzalloc(AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg), GFP_KERNEL);
	struct mpfs_mss_response *response __free(kfree) =
		kzalloc(sizeof(*response), GFP_KERNEL);
	struct mpfs_mss_msg *message __free(kfree) =
		kzalloc(sizeof(*message), GFP_KERNEL);
	int ret;

	if (!response_msg || !response || !message)
		return -ENOMEM;

	/*
	 * The system controller can verify that an image in the flash is valid.
	 * Rather than duplicate the check in this driver, call the relevant
	 * service from the system controller instead.
	 * This service has no command data and no response data. It overloads
	 * mbox_offset with the image index in the flash's SPI directory where
	 * the bitstream is located.
	 */
	response->resp_msg = response_msg;
	response->resp_size = AUTO_UPDATE_AUTHENTICATE_RESP_SIZE;

	message->response = response;
	message->cmd_opcode = AUTO_UPDATE_AUTHENTICATE_CMD_OPCODE;
	message->cmd_data = AUTO_UPDATE_AUTHENTICATE_CMD_DATA;
	message->cmd_data_size = AUTO_UPDATE_AUTHENTICATE_CMD_DATA_SIZE;
	message->mbox_offset = AUTO_UPDATE_UPGRADE_INDEX;
	message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;

	dev_info(priv->dev, "Running verification of Upgrade Image\n");
	ret = mpfs_blocking_transaction(priv->sys_controller, message);

	/* A completed transaction with a non-zero status is a rejected image. */
	if (!ret && response->resp_status)
		ret = -EBADMSG;

	/*
	 * NOTE(review): by the time this runs the SPI directory and the image
	 * have already been written, so a failure here leaves the directory
	 * pointing at the rejected image. Presumably the system controller
	 * authenticates again before programming - confirm.
	 */
	if (ret) {
		dev_warn(priv->dev, "Verification of Upgrade Image failed!\n");
		return ret;
	}

	dev_info(priv->dev, "Verification of Upgrade Image passed!\n");

	return 0;
}
201
/**
 * mpfs_auto_update_set_image_address() - point the SPI directory at the
 *					  Upgrade Image
 * @priv: driver private data; priv->flash must already be set
 * @image_address: flash address of the Upgrade Image
 * @directory_address: offset of the directory entry, used for logging only
 *
 * Return: 0 on success or if the directory already holds the wanted values,
 * -ENOMEM, the error from the MTD read, erase or write, or -EIO on a short
 * read or short write.
 */
static int mpfs_auto_update_set_image_address(struct mpfs_auto_update_priv *priv,
					      u32 image_address, loff_t directory_address)
{
	size_t erase_size = round_up(AUTO_UPDATE_DIRECTORY_SIZE, (u64)priv->flash->erasesize);
	struct erase_info erase = {
		.addr = AUTO_UPDATE_DIRECTORY_BASE,
		.len = erase_size,
	};
	size_t bytes_written = 0, bytes_read = 0;
	char *buffer __free(kfree) = kzalloc(erase_size, GFP_KERNEL);
	u32 *upgrade_entry, *blank_entry;
	int ret;

	if (!buffer)
		return -ENOMEM;

	upgrade_entry = (u32 *)(buffer + AUTO_UPDATE_UPGRADE_DIRECTORY);
	blank_entry = (u32 *)(buffer + AUTO_UPDATE_BLANK_DIRECTORY);

	/*
	 * We need to write the "SPI DIRECTORY" to the first 1 KiB, telling
	 * the system controller where to find the actual bitstream. Since
	 * this is spi-nor, we have to read the first eraseblock, erase that
	 * portion of the flash, modify the data and then write it back.
	 * There's no need to do this though if things are already the way they
	 * should be, so check and save the write in that case.
	 */
	ret = mtd_read(priv->flash, AUTO_UPDATE_DIRECTORY_BASE, erase_size, &bytes_read,
		       (u_char *)buffer);
	if (ret)
		return ret;

	if (bytes_read != erase_size)
		return -EIO;

	if (*upgrade_entry == image_address && !*blank_entry)
		return 0;

	/*
	 * The erased block also holds the Golden Image entry at index 0. It is
	 * only restored by the write below, so an interruption between the
	 * erase and the write leaves the whole directory block erased.
	 */
	ret = mtd_erase(priv->flash, &erase);
	if (ret)
		return ret;

	/*
	 * Populate the image address and then zero out the next directory so
	 * that the system controller doesn't complain if in "Single Image"
	 * mode.
	 */
	memcpy(upgrade_entry, &image_address, AUTO_UPDATE_DIRECTORY_WIDTH);
	memset(blank_entry, 0x0, AUTO_UPDATE_DIRECTORY_WIDTH);

	dev_info(priv->dev, "Writing the image address (0x%x) to the flash directory (0x%llx)\n",
		 image_address, directory_address);

	ret = mtd_write(priv->flash, 0x0, erase_size, &bytes_written, (u_char *)buffer);
	if (ret)
		return ret;

	return bytes_written == erase_size ? 0 : -EIO;
}
262
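/**
 * mpfs_auto_update_write_bitstream() - store an upload in the flash
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 * @data: data to write
 * @offset: not used; the data is always written from the start of its region
 * @size: number of bytes in @data
 * @written: set to the number of bytes written on success
 *
 * Data that mpfs_auto_update_is_bitstream_info() recognises goes to the fixed
 * info region and leaves the SPI directory alone. Anything else is treated
 * as the Upgrade Image: the directory is updated and the data goes to the
 * Upgrade Image slot.
 *
 * Return: 0 on success, -ENOSPC if bitstream info is larger than the info
 * region, -EIO on a short write, or the error from the directory update or
 * from the MTD erase or write.
 */
static int mpfs_auto_update_write_bitstream(struct fw_upload *fw_uploader, const u8 *data,
					    u32 offset, u32 size, u32 *written)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;
	struct erase_info erase;
	loff_t directory_address = AUTO_UPDATE_UPGRADE_DIRECTORY;
	size_t bytes_written = 0;
	bool is_info = mpfs_auto_update_is_bitstream_info(data, size);
	u32 image_address;
	int ret;

	if (is_info) {
		/*
		 * For bitstream info, the descriptor is written to a fixed
		 * offset, so there is no need to set the image address. The
		 * only bound that applies is the size of the info region.
		 */
		if (size > AUTO_UPDATE_INFO_SIZE) {
			dev_err(priv->dev, "bitstream info exceeds permitted size\n");
			return -ENOSPC;
		}

		image_address = AUTO_UPDATE_INFO_BASE;
	} else {
		image_address = AUTO_UPDATE_BITSTREAM_BASE +
				AUTO_UPDATE_UPGRADE_INDEX * priv->size_per_bitstream;

		ret = mpfs_auto_update_set_image_address(priv, image_address, directory_address);
		if (ret) {
			dev_err(priv->dev, "failed to set image address in the SPI directory: %d\n", ret);
			return ret;
		}
	}

	/*
	 * Now the .spi image itself can be written to the flash. Preserving
	 * the previous contents is not important here, unlike the spi
	 * "directory" which must be RMWed.
	 */
	erase.len = round_up(size, (size_t)priv->flash->erasesize);
	erase.addr = image_address;

	dev_info(priv->dev, "Erasing the flash at address (0x%x)\n", image_address);
	ret = mtd_erase(priv->flash, &erase);
	if (ret)
		return ret;

	/*
	 * No parsing etc of the bitstream is required. The system controller
	 * will do all of that itself - including verifying that the bitstream
	 * is valid.
	 */
	dev_info(priv->dev, "Writing the image to the flash at address (0x%x)\n", image_address);
	ret = mtd_write(priv->flash, (loff_t)image_address, size, &bytes_written, data);
	if (ret)
		return ret;

	if (bytes_written != size)
		return -EIO;

	*written = bytes_written;
	dev_info(priv->dev, "Wrote 0x%zx bytes to the flash\n", bytes_written);

	return 0;
}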
331
/**
 * mpfs_auto_update_write() - fw_upload "write" callback
 * @fw_uploader: uploader whose dd_handle is the driver's private data
 * @data: data to write
 * @offset: passed through to mpfs_auto_update_write_bitstream()
 * @size: number of bytes in @data
 * @written: set by mpfs_auto_update_write_bitstream() on success
 *
 * Return: FW_UPLOAD_ERR_NONE on success, FW_UPLOAD_ERR_RW_ERROR if the flash
 * write failed, FW_UPLOAD_ERR_CANCELED if a cancel was requested, or
 * FW_UPLOAD_ERR_FW_INVALID if verification of the Upgrade Image failed.
 */
static enum fw_upload_err mpfs_auto_update_write(struct fw_upload *fw_uploader, const u8 *data,
						 u32 offset, u32 size, u32 *written)
{
	struct mpfs_auto_update_priv *priv = fw_uploader->dd_handle;

	if (mpfs_auto_update_write_bitstream(fw_uploader, data, offset, size, written))
		return FW_UPLOAD_ERR_RW_ERROR;

	/* The data is already in the flash at this point; it is not undone. */
	if (priv->cancel_request)
		return FW_UPLOAD_ERR_CANCELED;

	/*
	 * Bitstream info is accepted without any authentication step: the
	 * verification service below is only run for the Upgrade Image.
	 * NOTE(review): whether the system controller validates the info
	 * region itself is not visible from this file - confirm.
	 */
	if (mpfs_auto_update_is_bitstream_info(data, size))
		return FW_UPLOAD_ERR_NONE;

	return mpfs_auto_update_verify_image(fw_uploader) ? FW_UPLOAD_ERR_FW_INVALID :
							     FW_UPLOAD_ERR_NONE;
}
354
/* Callbacks handed to firmware_upload_register() in probe. */
static const struct fw_upload_ops mpfs_auto_update_ops = {
	.cancel = mpfs_auto_update_cancel,
	.poll_complete = mpfs_auto_update_poll_complete,
	.prepare = mpfs_auto_update_prepare,
	.write = mpfs_auto_update_write,
};
361
/**
 * mpfs_auto_update_available() - check whether Auto Update is permitted
 * @priv: driver private data
 *
 * The three buffers are released automatically on every return path through
 * their __free(kfree) annotations.
 *
 * Return: 0 if Auto Update is possible, -ENOMEM if a buffer could not be
 * allocated, the error from mpfs_blocking_transaction(), -EIO if the service
 * reported a non-zero status, or -EPERM if the lock bit is set.
 */
static int mpfs_auto_update_available(struct mpfs_auto_update_priv *priv)
{
	u32 *response_msg __free(kfree) =
		kzalloc(AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg), GFP_KERNEL);
	struct mpfs_mss_response *response __free(kfree) =
		kzalloc(sizeof(*response), GFP_KERNEL);
	struct mpfs_mss_msg *message __free(kfree) =
		kzalloc(sizeof(*message), GFP_KERNEL);
	const u8 *response_bytes;
	int ret;

	if (!response_msg || !response || !message)
		return -ENOMEM;

	/*
	 * To verify that Auto Update is possible, the "Query Security Service
	 * Request" is performed.
	 * This service has no command data & does not overload mbox_offset.
	 */
	response->resp_msg = response_msg;
	response->resp_size = AUTO_UPDATE_FEATURE_RESP_SIZE;

	message->response = response;
	message->cmd_opcode = AUTO_UPDATE_FEATURE_CMD_OPCODE;
	message->cmd_data = AUTO_UPDATE_FEATURE_CMD_DATA;
	message->cmd_data_size = AUTO_UPDATE_FEATURE_CMD_DATA_SIZE;
	message->mbox_offset = AUTO_UPDATE_DEFAULT_MBOX_OFFSET;
	message->resp_offset = AUTO_UPDATE_DEFAULT_RESP_OFFSET;

	ret = mpfs_blocking_transaction(priv->sys_controller, message);
	if (ret)
		return ret;

	/*
	 * Currently, the system controller's firmware does not generate any
	 * interrupts for failed services, so mpfs_blocking_transaction() should
	 * time out & therefore return an error.
	 * Hitting this check is highly unlikely at present, but if the system
	 * controller's behaviour changes so that it does generate interrupts
	 * for failed services, it will be required.
	 */
	if (response->resp_status)
		return -EIO;

	/*
	 * Bit 5 of byte 1 is "UL_IAP" & if it is set, Auto Update is
	 * not possible. The buffer is declared as u32, so it is viewed as
	 * bytes to pick out byte 1 rather than word 1.
	 */
	response_bytes = (const u8 *)response_msg;
	if (response_bytes[1] & AUTO_UPDATE_FEATURE_ENABLED)
		return -EPERM;

	return 0;
}
413
/**
 * mpfs_auto_update_probe() - bind the Auto Update uploader to its device
 * @pdev: the platform device being probed
 *
 * Allocates the private data, attaches to the system controller, checks
 * that Auto Update is available and registers the firmware uploader.
 *
 * Return: 0 on success, -ENOMEM, or the error reported through
 * dev_err_probe() for the step that failed.
 */
static int mpfs_auto_update_probe(struct platform_device *pdev)
{
	struct mpfs_auto_update_priv *priv;
	struct fw_upload *uploader;
	int err;

	priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
	if (!priv)
		return -ENOMEM;

	priv->sys_controller = mpfs_sys_controller_get(&pdev->dev);
	if (IS_ERR(priv->sys_controller))
		return dev_err_probe(&pdev->dev, PTR_ERR(priv->sys_controller),
				     "Could not register as a sub device of the system controller\n");

	priv->dev = &pdev->dev;
	platform_set_drvdata(pdev, priv);

	/* Refuse to bind when the device reports that Auto Update is unavailable. */
	err = mpfs_auto_update_available(priv);
	if (err)
		return dev_err_probe(&pdev->dev, err,
				     "The current bitstream does not support auto-update\n");

	uploader = firmware_upload_register(THIS_MODULE, &pdev->dev, "mpfs-auto-update",
					    &mpfs_auto_update_ops, priv);
	if (IS_ERR(uploader))
		return dev_err_probe(&pdev->dev, PTR_ERR(uploader),
				     "Failed to register the bitstream uploader\n");

	priv->fw_uploader = uploader;

	return 0;
}
448
/**
 * mpfs_auto_update_remove() - unbind the Auto Update uploader
 * @pdev: the platform device being removed
 *
 * Unregisters the uploader that probe registered; the private data itself is
 * device-managed.
 */
static void mpfs_auto_update_remove(struct platform_device *pdev)
{
	struct mpfs_auto_update_priv *state = platform_get_drvdata(pdev);

	firmware_upload_unregister(state->fw_uploader);
}
455
/* Platform driver glue; only a driver name is set in this initializer. */
static struct platform_driver mpfs_auto_update_driver = {
	.probe = mpfs_auto_update_probe,
	.remove = mpfs_auto_update_remove,
	.driver = {
		.name = "mpfs-auto-update",
	},
};
module_platform_driver(mpfs_auto_update_driver);
464
465MODULE_LICENSE("GPL");
466MODULE_AUTHOR("Conor Dooley <conor.dooley@microchip.com>");
467MODULE_DESCRIPTION("PolarFire SoC Auto Update FPGA reprogramming");