1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 *
4
 *  Bluetooth support for Intel devices
5
 *
6
 *  Copyright (C) 2015  Intel Corporation
7
 */
8

9
#include <linux/module.h>
10
#include <linux/firmware.h>
11
#include <linux/regmap.h>
12
#include <linux/string_choices.h>
13
#include <linux/acpi.h>
14
#include <acpi/acpi_bus.h>
15
#include <linux/unaligned.h>
16
#include <linux/efi.h>
17

18
#include <net/bluetooth/bluetooth.h>
19
#include <net/bluetooth/hci_core.h>
20

21
#include "btintel.h"
22

23
#define VERSION "0.1"
24

25
#define BDADDR_INTEL		(&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
26
#define RSA_HEADER_LEN		644
27
#define CSS_HEADER_OFFSET	8
28
#define ECDSA_OFFSET		644
29
#define ECDSA_HEADER_LEN	320
30

31
#define BTINTEL_EFI_DSBR	L"UefiCnvCommonDSBR"
32

33
enum {
34
	DSM_SET_WDISABLE2_DELAY = 1,
35
	DSM_SET_RESET_METHOD = 3,
36
};
37

38
#define BTINTEL_BT_DOMAIN		0x12
39
#define BTINTEL_SAR_LEGACY		0
40
#define BTINTEL_SAR_INC_PWR		1
41
#define BTINTEL_SAR_INC_PWR_SUPPORTED	0
42

43
#define CMD_WRITE_BOOT_PARAMS	0xfc0e
44
struct cmd_write_boot_params {
45
	__le32 boot_addr;
46
	u8  fw_build_num;
47
	u8  fw_build_ww;
48
	u8  fw_build_yy;
49
} __packed;
50

51
static struct {
52
	const char *driver_name;
53
	u8         hw_variant;
54
	u32        fw_build_num;
55
} coredump_info;
56

57
static const guid_t btintel_guid_dsm =
58
	GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233,
59
		  0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9);
60

61
int btintel_check_bdaddr(struct hci_dev *hdev)
62
{
63
	struct hci_rp_read_bd_addr *bda;
64
	struct sk_buff *skb;
65

66
	skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
67
			     HCI_INIT_TIMEOUT);
68
	if (IS_ERR(skb)) {
69
		int err = PTR_ERR(skb);
70
		bt_dev_err(hdev, "Reading Intel device address failed (%d)",
71
			   err);
72
		return err;
73
	}
74

75
	if (skb->len != sizeof(*bda)) {
76
		bt_dev_err(hdev, "Intel device address length mismatch");
77
		kfree_skb(skb);
78
		return -EIO;
79
	}
80

81
	bda = (struct hci_rp_read_bd_addr *)skb->data;
82

83
	/* For some Intel based controllers, the default Bluetooth device
84
	 * address 00:03:19:9E:8B:00 can be found. These controllers are
85
	 * fully operational, but have the danger of duplicate addresses
86
	 * and that in turn can cause problems with Bluetooth operation.
87
	 */
88
	if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
89
		bt_dev_err(hdev, "Found Intel default device address (%pMR)",
90
			   &bda->bdaddr);
91
		hci_set_quirk(hdev, HCI_QUIRK_INVALID_BDADDR);
92
	}
93

94
	kfree_skb(skb);
95

96
	return 0;
97
}
98
EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
99

100
int btintel_enter_mfg(struct hci_dev *hdev)
101
{
102
	static const u8 param[] = { 0x01, 0x00 };
103
	struct sk_buff *skb;
104

105
	skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
106
	if (IS_ERR(skb)) {
107
		bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
108
			   PTR_ERR(skb));
109
		return PTR_ERR(skb);
110
	}
111
	kfree_skb(skb);
112

113
	return 0;
114
}
115
EXPORT_SYMBOL_GPL(btintel_enter_mfg);
116

117
int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
118
{
119
	u8 param[] = { 0x00, 0x00 };
120
	struct sk_buff *skb;
121

122
	/* The 2nd command parameter specifies the manufacturing exit method:
123
	 * 0x00: Just disable the manufacturing mode (0x00).
124
	 * 0x01: Disable manufacturing mode and reset with patches deactivated.
125
	 * 0x02: Disable manufacturing mode and reset with patches activated.
126
	 */
127
	if (reset)
128
		param[1] |= patched ? 0x02 : 0x01;
129

130
	skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
131
	if (IS_ERR(skb)) {
132
		bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
133
			   PTR_ERR(skb));
134
		return PTR_ERR(skb);
135
	}
136
	kfree_skb(skb);
137

138
	return 0;
139
}
140
EXPORT_SYMBOL_GPL(btintel_exit_mfg);
141

142
int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
143
{
144
	struct sk_buff *skb;
145
	int err;
146

147
	skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
148
	if (IS_ERR(skb)) {
149
		err = PTR_ERR(skb);
150
		bt_dev_err(hdev, "Changing Intel device address failed (%d)",
151
			   err);
152
		return err;
153
	}
154
	kfree_skb(skb);
155

156
	return 0;
157
}
158
EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
159

160
static int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
161
{
162
	u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
163
	struct sk_buff *skb;
164
	int err;
165

166
	if (debug)
167
		mask[1] |= 0x62;
168

169
	skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
170
	if (IS_ERR(skb)) {
171
		err = PTR_ERR(skb);
172
		bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err);
173
		return err;
174
	}
175
	kfree_skb(skb);
176

177
	return 0;
178
}
179

180
int btintel_set_diag(struct hci_dev *hdev, bool enable)
181
{
182
	struct sk_buff *skb;
183
	u8 param[3];
184
	int err;
185

186
	if (enable) {
187
		param[0] = 0x03;
188
		param[1] = 0x03;
189
		param[2] = 0x03;
190
	} else {
191
		param[0] = 0x00;
192
		param[1] = 0x00;
193
		param[2] = 0x00;
194
	}
195

196
	skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
197
	if (IS_ERR(skb)) {
198
		err = PTR_ERR(skb);
199
		if (err == -ENODATA)
200
			goto done;
201
		bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)",
202
			   err);
203
		return err;
204
	}
205
	kfree_skb(skb);
206

207
done:
208
	btintel_set_event_mask(hdev, enable);
209
	return 0;
210
}
211
EXPORT_SYMBOL_GPL(btintel_set_diag);
212

213
static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
214
{
215
	int err, ret;
216

217
	err = btintel_enter_mfg(hdev);
218
	if (err)
219
		return err;
220

221
	ret = btintel_set_diag(hdev, enable);
222

223
	err = btintel_exit_mfg(hdev, false, false);
224
	if (err)
225
		return err;
226

227
	return ret;
228
}
229

230
static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable)
231
{
232
	int ret;
233

234
	/* Legacy ROM device needs to be in the manufacturer mode to apply
235
	 * diagnostic setting
236
	 *
237
	 * This flag is set after reading the Intel version.
238
	 */
239
	if (btintel_test_flag(hdev, INTEL_ROM_LEGACY))
240
		ret = btintel_set_diag_mfg(hdev, enable);
241
	else
242
		ret = btintel_set_diag(hdev, enable);
243

244
	return ret;
245
}
246

247
void btintel_hw_error(struct hci_dev *hdev, u8 code)
248
{
249
	struct sk_buff *skb;
250
	u8 type = 0x00;
251

252
	bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
253

254
	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
255
	if (IS_ERR(skb)) {
256
		bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
257
			   PTR_ERR(skb));
258
		return;
259
	}
260
	kfree_skb(skb);
261

262
	skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
263
	if (IS_ERR(skb)) {
264
		bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
265
			   PTR_ERR(skb));
266
		return;
267
	}
268

269
	if (skb->len != 13) {
270
		bt_dev_err(hdev, "Exception info size mismatch");
271
		kfree_skb(skb);
272
		return;
273
	}
274

275
	bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
276

277
	kfree_skb(skb);
278
}
279
EXPORT_SYMBOL_GPL(btintel_hw_error);
280

281
int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
282
{
283
	const char *variant;
284

285
	/* The hardware platform number has a fixed value of 0x37 and
286
	 * for now only accept this single value.
287
	 */
288
	if (ver->hw_platform != 0x37) {
289
		bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)",
290
			   ver->hw_platform);
291
		return -EINVAL;
292
	}
293

294
	/* Check for supported iBT hardware variants of this firmware
295
	 * loading method.
296
	 *
297
	 * This check has been put in place to ensure correct forward
298
	 * compatibility options when newer hardware variants come along.
299
	 */
300
	switch (ver->hw_variant) {
301
	case 0x07:	/* WP - Legacy ROM */
302
	case 0x08:	/* StP - Legacy ROM */
303
	case 0x0b:      /* SfP */
304
	case 0x0c:      /* WsP */
305
	case 0x11:      /* JfP */
306
	case 0x12:      /* ThP */
307
	case 0x13:      /* HrP */
308
	case 0x14:      /* CcP */
309
		break;
310
	default:
311
		bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)",
312
			   ver->hw_variant);
313
		return -EINVAL;
314
	}
315

316
	switch (ver->fw_variant) {
317
	case 0x01:
318
		variant = "Legacy ROM 2.5";
319
		break;
320
	case 0x06:
321
		variant = "Bootloader";
322
		break;
323
	case 0x22:
324
		variant = "Legacy ROM 2.x";
325
		break;
326
	case 0x23:
327
		variant = "Firmware";
328
		break;
329
	default:
330
		bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant);
331
		return -EINVAL;
332
	}
333

334
	coredump_info.hw_variant = ver->hw_variant;
335
	coredump_info.fw_build_num = ver->fw_build_num;
336

337
	bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u",
338
		    variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
339
		    ver->fw_build_num, ver->fw_build_ww,
340
		    2000 + ver->fw_build_yy);
341

342
	return 0;
343
}
344
EXPORT_SYMBOL_GPL(btintel_version_info);
345

346
static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
347
			       const void *param)
348
{
349
	while (plen > 0) {
350
		struct sk_buff *skb;
351
		u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
352

353
		cmd_param[0] = fragment_type;
354
		memcpy(cmd_param + 1, param, fragment_len);
355

356
		skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
357
				     cmd_param, HCI_INIT_TIMEOUT);
358
		if (IS_ERR(skb))
359
			return PTR_ERR(skb);
360

361
		kfree_skb(skb);
362

363
		plen -= fragment_len;
364
		param += fragment_len;
365
	}
366

367
	return 0;
368
}
369

370
int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
371
{
372
	const struct firmware *fw;
373
	struct sk_buff *skb;
374
	const u8 *fw_ptr;
375
	int err;
376

377
	err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
378
	if (err < 0) {
379
		bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
380
			   ddc_name, err);
381
		return err;
382
	}
383

384
	bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
385

386
	fw_ptr = fw->data;
387

388
	/* DDC file contains one or more DDC structure which has
389
	 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
390
	 */
391
	while (fw->size > fw_ptr - fw->data) {
392
		u8 cmd_plen = fw_ptr[0] + sizeof(u8);
393

394
		skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
395
				     HCI_INIT_TIMEOUT);
396
		if (IS_ERR(skb)) {
397
			bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
398
				   PTR_ERR(skb));
399
			release_firmware(fw);
400
			return PTR_ERR(skb);
401
		}
402

403
		fw_ptr += cmd_plen;
404
		kfree_skb(skb);
405
	}
406

407
	release_firmware(fw);
408

409
	bt_dev_info(hdev, "Applying Intel DDC parameters completed");
410

411
	return 0;
412
}
413
EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
414

415
int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
416
{
417
	int err, ret;
418

419
	err = btintel_enter_mfg(hdev);
420
	if (err)
421
		return err;
422

423
	ret = btintel_set_event_mask(hdev, debug);
424

425
	err = btintel_exit_mfg(hdev, false, false);
426
	if (err)
427
		return err;
428

429
	return ret;
430
}
431
EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
432

433
int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
434
{
435
	struct sk_buff *skb;
436

437
	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
438
	if (IS_ERR(skb)) {
439
		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
440
			   PTR_ERR(skb));
441
		return PTR_ERR(skb);
442
	}
443

444
	if (!skb || skb->len != sizeof(*ver)) {
445
		bt_dev_err(hdev, "Intel version event size mismatch");
446
		kfree_skb(skb);
447
		return -EILSEQ;
448
	}
449

450
	memcpy(ver, skb->data, sizeof(*ver));
451

452
	kfree_skb(skb);
453

454
	return 0;
455
}
456
EXPORT_SYMBOL_GPL(btintel_read_version);
457

458
int btintel_version_info_tlv(struct hci_dev *hdev,
459
			     struct intel_version_tlv *version)
460
{
461
	const char *variant;
462

463
	/* The hardware platform number has a fixed value of 0x37 and
464
	 * for now only accept this single value.
465
	 */
466
	if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) {
467
		bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
468
			   INTEL_HW_PLATFORM(version->cnvi_bt));
469
		return -EINVAL;
470
	}
471

472
	/* Check for supported iBT hardware variants of this firmware
473
	 * loading method.
474
	 *
475
	 * This check has been put in place to ensure correct forward
476
	 * compatibility options when newer hardware variants come along.
477
	 */
478
	switch (INTEL_HW_VARIANT(version->cnvi_bt)) {
479
	case 0x17:	/* TyP */
480
	case 0x18:	/* Slr */
481
	case 0x19:	/* Slr-F */
482
	case 0x1b:      /* Mgr */
483
	case 0x1c:	/* Gale Peak (GaP) */
484
	case 0x1d:	/* BlazarU (BzrU) */
485
	case 0x1e:	/* BlazarI (Bzr) */
486
	case 0x1f:      /* Scorpious Peak */
487
		break;
488
	default:
489
		bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)",
490
			   INTEL_HW_VARIANT(version->cnvi_bt));
491
		return -EINVAL;
492
	}
493

494
	switch (version->img_type) {
495
	case BTINTEL_IMG_BOOTLOADER:
496
		variant = "Bootloader";
497
		/* It is required that every single firmware fragment is acknowledged
498
		 * with a command complete event. If the boot parameters indicate
499
		 * that this bootloader does not send them, then abort the setup.
500
		 */
501
		if (version->limited_cce != 0x00) {
502
			bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)",
503
				   version->limited_cce);
504
			return -EINVAL;
505
		}
506

507
		/* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */
508
		if (version->sbe_type > 0x01) {
509
			bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)",
510
				   version->sbe_type);
511
			return -EINVAL;
512
		}
513

514
		bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id);
515
		bt_dev_info(hdev, "Secure boot is %s",
516
			    str_enabled_disabled(version->secure_boot));
517
		bt_dev_info(hdev, "OTP lock is %s",
518
			    str_enabled_disabled(version->otp_lock));
519
		bt_dev_info(hdev, "API lock is %s",
520
			    str_enabled_disabled(version->api_lock));
521
		bt_dev_info(hdev, "Debug lock is %s",
522
			    str_enabled_disabled(version->debug_lock));
523
		bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
524
			    version->min_fw_build_nn, version->min_fw_build_cw,
525
			    2000 + version->min_fw_build_yy);
526
		break;
527
	case BTINTEL_IMG_IML:
528
		variant = "Intermediate loader";
529
		break;
530
	case BTINTEL_IMG_OP:
531
		variant = "Firmware";
532
		break;
533
	default:
534
		bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type);
535
		return -EINVAL;
536
	}
537

538
	coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt);
539
	coredump_info.fw_build_num = version->build_num;
540

541
	bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant,
542
		    2000 + (version->timestamp >> 8), version->timestamp & 0xff,
543
		    version->build_type, version->build_num);
544
	if (version->img_type == BTINTEL_IMG_OP)
545
		bt_dev_info(hdev, "Firmware SHA1: 0x%8.8x", version->git_sha1);
546

547
	return 0;
548
}
549
EXPORT_SYMBOL_GPL(btintel_version_info_tlv);
550

551
int btintel_parse_version_tlv(struct hci_dev *hdev,
552
			      struct intel_version_tlv *version,
553
			      struct sk_buff *skb)
554
{
555
	/* Consume Command Complete Status field */
556
	skb_pull(skb, 1);
557

558
	/* Event parameters contain multiple TLVs. Read each of them
559
	 * and only keep the required data. Also, it use existing legacy
560
	 * version field like hw_platform, hw_variant, and fw_variant
561
	 * to keep the existing setup flow
562
	 */
563
	while (skb->len) {
564
		struct intel_tlv *tlv;
565

566
		/* Make sure skb has a minimum length of the header */
567
		if (skb->len < sizeof(*tlv))
568
			return -EINVAL;
569

570
		tlv = (struct intel_tlv *)skb->data;
571

572
		/* Make sure skb has a enough data */
573
		if (skb->len < tlv->len + sizeof(*tlv))
574
			return -EINVAL;
575

576
		switch (tlv->type) {
577
		case INTEL_TLV_CNVI_TOP:
578
			version->cnvi_top = get_unaligned_le32(tlv->val);
579
			break;
580
		case INTEL_TLV_CNVR_TOP:
581
			version->cnvr_top = get_unaligned_le32(tlv->val);
582
			break;
583
		case INTEL_TLV_CNVI_BT:
584
			version->cnvi_bt = get_unaligned_le32(tlv->val);
585
			break;
586
		case INTEL_TLV_CNVR_BT:
587
			version->cnvr_bt = get_unaligned_le32(tlv->val);
588
			break;
589
		case INTEL_TLV_DEV_REV_ID:
590
			version->dev_rev_id = get_unaligned_le16(tlv->val);
591
			break;
592
		case INTEL_TLV_IMAGE_TYPE:
593
			version->img_type = tlv->val[0];
594
			break;
595
		case INTEL_TLV_TIME_STAMP:
596
			/* If image type is Operational firmware (0x03), then
597
			 * running FW Calendar Week and Year information can
598
			 * be extracted from Timestamp information
599
			 */
600
			version->min_fw_build_cw = tlv->val[0];
601
			version->min_fw_build_yy = tlv->val[1];
602
			version->timestamp = get_unaligned_le16(tlv->val);
603
			break;
604
		case INTEL_TLV_BUILD_TYPE:
605
			version->build_type = tlv->val[0];
606
			break;
607
		case INTEL_TLV_BUILD_NUM:
608
			/* If image type is Operational firmware (0x03), then
609
			 * running FW build number can be extracted from the
610
			 * Build information
611
			 */
612
			version->min_fw_build_nn = tlv->val[0];
613
			version->build_num = get_unaligned_le32(tlv->val);
614
			break;
615
		case INTEL_TLV_SECURE_BOOT:
616
			version->secure_boot = tlv->val[0];
617
			break;
618
		case INTEL_TLV_OTP_LOCK:
619
			version->otp_lock = tlv->val[0];
620
			break;
621
		case INTEL_TLV_API_LOCK:
622
			version->api_lock = tlv->val[0];
623
			break;
624
		case INTEL_TLV_DEBUG_LOCK:
625
			version->debug_lock = tlv->val[0];
626
			break;
627
		case INTEL_TLV_MIN_FW:
628
			version->min_fw_build_nn = tlv->val[0];
629
			version->min_fw_build_cw = tlv->val[1];
630
			version->min_fw_build_yy = tlv->val[2];
631
			break;
632
		case INTEL_TLV_LIMITED_CCE:
633
			version->limited_cce = tlv->val[0];
634
			break;
635
		case INTEL_TLV_SBE_TYPE:
636
			version->sbe_type = tlv->val[0];
637
			break;
638
		case INTEL_TLV_OTP_BDADDR:
639
			memcpy(&version->otp_bd_addr, tlv->val,
640
							sizeof(bdaddr_t));
641
			break;
642
		case INTEL_TLV_GIT_SHA1:
643
			version->git_sha1 = get_unaligned_le32(tlv->val);
644
			break;
645
		case INTEL_TLV_FW_ID:
646
			snprintf(version->fw_id, sizeof(version->fw_id),
647
				 "%s", tlv->val);
648
			break;
649
		default:
650
			/* Ignore rest of information */
651
			break;
652
		}
653
		/* consume the current tlv and move to next*/
654
		skb_pull(skb, tlv->len + sizeof(*tlv));
655
	}
656

657
	return 0;
658
}
659
EXPORT_SYMBOL_GPL(btintel_parse_version_tlv);
660

661
static int btintel_read_version_tlv(struct hci_dev *hdev,
662
				    struct intel_version_tlv *version)
663
{
664
	struct sk_buff *skb;
665
	const u8 param[1] = { 0xFF };
666

667
	if (!version)
668
		return -EINVAL;
669

670
	skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
671
	if (IS_ERR(skb)) {
672
		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
673
			   PTR_ERR(skb));
674
		return PTR_ERR(skb);
675
	}
676

677
	if (skb->data[0]) {
678
		bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
679
			   skb->data[0]);
680
		kfree_skb(skb);
681
		return -EIO;
682
	}
683

684
	btintel_parse_version_tlv(hdev, version, skb);
685

686
	kfree_skb(skb);
687
	return 0;
688
}
689

690
/* ------- REGMAP IBT SUPPORT ------- */
691

692
#define IBT_REG_MODE_8BIT  0x00
693
#define IBT_REG_MODE_16BIT 0x01
694
#define IBT_REG_MODE_32BIT 0x02
695

696
struct regmap_ibt_context {
697
	struct hci_dev *hdev;
698
	__u16 op_write;
699
	__u16 op_read;
700
};
701

702
struct ibt_cp_reg_access {
703
	__le32  addr;
704
	__u8    mode;
705
	__u8    len;
706
	__u8    data[];
707
} __packed;
708

709
struct ibt_rp_reg_access {
710
	__u8    status;
711
	__le32  addr;
712
	__u8    data[];
713
} __packed;
714

715
static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
716
			   void *val, size_t val_size)
717
{
718
	struct regmap_ibt_context *ctx = context;
719
	struct ibt_cp_reg_access cp;
720
	struct ibt_rp_reg_access *rp;
721
	struct sk_buff *skb;
722
	int err = 0;
723

724
	if (reg_size != sizeof(__le32))
725
		return -EINVAL;
726

727
	switch (val_size) {
728
	case 1:
729
		cp.mode = IBT_REG_MODE_8BIT;
730
		break;
731
	case 2:
732
		cp.mode = IBT_REG_MODE_16BIT;
733
		break;
734
	case 4:
735
		cp.mode = IBT_REG_MODE_32BIT;
736
		break;
737
	default:
738
		return -EINVAL;
739
	}
740

741
	/* regmap provides a little-endian formatted addr */
742
	cp.addr = *(__le32 *)addr;
743
	cp.len = val_size;
744

745
	bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
746

747
	skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
748
			   HCI_CMD_TIMEOUT);
749
	if (IS_ERR(skb)) {
750
		err = PTR_ERR(skb);
751
		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
752
			   le32_to_cpu(cp.addr), err);
753
		return err;
754
	}
755

756
	if (skb->len != sizeof(*rp) + val_size) {
757
		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
758
			   le32_to_cpu(cp.addr));
759
		err = -EINVAL;
760
		goto done;
761
	}
762

763
	rp = (struct ibt_rp_reg_access *)skb->data;
764

765
	if (rp->addr != cp.addr) {
766
		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
767
			   le32_to_cpu(rp->addr));
768
		err = -EINVAL;
769
		goto done;
770
	}
771

772
	memcpy(val, rp->data, val_size);
773

774
done:
775
	kfree_skb(skb);
776
	return err;
777
}
778

779
static int regmap_ibt_gather_write(void *context,
780
				   const void *addr, size_t reg_size,
781
				   const void *val, size_t val_size)
782
{
783
	struct regmap_ibt_context *ctx = context;
784
	struct ibt_cp_reg_access *cp;
785
	struct sk_buff *skb;
786
	int plen = sizeof(*cp) + val_size;
787
	u8 mode;
788
	int err = 0;
789

790
	if (reg_size != sizeof(__le32))
791
		return -EINVAL;
792

793
	switch (val_size) {
794
	case 1:
795
		mode = IBT_REG_MODE_8BIT;
796
		break;
797
	case 2:
798
		mode = IBT_REG_MODE_16BIT;
799
		break;
800
	case 4:
801
		mode = IBT_REG_MODE_32BIT;
802
		break;
803
	default:
804
		return -EINVAL;
805
	}
806

807
	cp = kmalloc(plen, GFP_KERNEL);
808
	if (!cp)
809
		return -ENOMEM;
810

811
	/* regmap provides a little-endian formatted addr/value */
812
	cp->addr = *(__le32 *)addr;
813
	cp->mode = mode;
814
	cp->len = val_size;
815
	memcpy(&cp->data, val, val_size);
816

817
	bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
818

819
	skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
820
	if (IS_ERR(skb)) {
821
		err = PTR_ERR(skb);
822
		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
823
			   le32_to_cpu(cp->addr), err);
824
		goto done;
825
	}
826
	kfree_skb(skb);
827

828
done:
829
	kfree(cp);
830
	return err;
831
}
832

833
static int regmap_ibt_write(void *context, const void *data, size_t count)
834
{
835
	/* data contains register+value, since we only support 32bit addr,
836
	 * minimum data size is 4 bytes.
837
	 */
838
	if (WARN_ONCE(count < 4, "Invalid register access"))
839
		return -EINVAL;
840

841
	return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
842
}
843

844
static void regmap_ibt_free_context(void *context)
845
{
846
	kfree(context);
847
}
848

849
static const struct regmap_bus regmap_ibt = {
850
	.read = regmap_ibt_read,
851
	.write = regmap_ibt_write,
852
	.gather_write = regmap_ibt_gather_write,
853
	.free_context = regmap_ibt_free_context,
854
	.reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
855
	.val_format_endian_default = REGMAP_ENDIAN_LITTLE,
856
};
857

858
/* Config is the same for all register regions */
859
static const struct regmap_config regmap_ibt_cfg = {
860
	.name      = "btintel_regmap",
861
	.reg_bits  = 32,
862
	.val_bits  = 32,
863
};
864

865
struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
866
				   u16 opcode_write)
867
{
868
	struct regmap_ibt_context *ctx;
869

870
	bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
871
		    opcode_write);
872

873
	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
874
	if (!ctx)
875
		return ERR_PTR(-ENOMEM);
876

877
	ctx->op_read = opcode_read;
878
	ctx->op_write = opcode_write;
879
	ctx->hdev = hdev;
880

881
	return regmap_init(&hdev->dev, &regmap_ibt, ctx, &regmap_ibt_cfg);
882
}
883
EXPORT_SYMBOL_GPL(btintel_regmap_init);
884

885
int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
886
{
887
	struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 };
888
	struct sk_buff *skb;
889

890
	params.boot_param = cpu_to_le32(boot_param);
891

892
	skb = __hci_cmd_sync(hdev, BTINTEL_HCI_OP_RESET, sizeof(params), &params,
893
			     HCI_INIT_TIMEOUT);
894
	if (IS_ERR(skb)) {
895
		bt_dev_err(hdev, "Failed to send Intel Reset command");
896
		return PTR_ERR(skb);
897
	}
898

899
	kfree_skb(skb);
900

901
	return 0;
902
}
903
EXPORT_SYMBOL_GPL(btintel_send_intel_reset);
904

905
int btintel_read_boot_params(struct hci_dev *hdev,
906
			     struct intel_boot_params *params)
907
{
908
	struct sk_buff *skb;
909

910
	skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
911
	if (IS_ERR(skb)) {
912
		bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)",
913
			   PTR_ERR(skb));
914
		return PTR_ERR(skb);
915
	}
916

917
	if (skb->len != sizeof(*params)) {
918
		bt_dev_err(hdev, "Intel boot parameters size mismatch");
919
		kfree_skb(skb);
920
		return -EILSEQ;
921
	}
922

923
	memcpy(params, skb->data, sizeof(*params));
924

925
	kfree_skb(skb);
926

927
	if (params->status) {
928
		bt_dev_err(hdev, "Intel boot parameters command failed (%02x)",
929
			   params->status);
930
		return -bt_to_errno(params->status);
931
	}
932

933
	bt_dev_info(hdev, "Device revision is %u",
934
		    le16_to_cpu(params->dev_revid));
935

936
	bt_dev_info(hdev, "Secure boot is %s",
937
		    str_enabled_disabled(params->secure_boot));
938

939
	bt_dev_info(hdev, "OTP lock is %s",
940
		    str_enabled_disabled(params->otp_lock));
941

942
	bt_dev_info(hdev, "API lock is %s",
943
		    str_enabled_disabled(params->api_lock));
944

945
	bt_dev_info(hdev, "Debug lock is %s",
946
		    str_enabled_disabled(params->debug_lock));
947

948
	bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
949
		    params->min_fw_build_nn, params->min_fw_build_cw,
950
		    2000 + params->min_fw_build_yy);
951

952
	return 0;
953
}
954
EXPORT_SYMBOL_GPL(btintel_read_boot_params);
955

956
static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev,
957
					      const struct firmware *fw)
958
{
959
	int err;
960

961
	/* Start the firmware download transaction with the Init fragment
962
	 * represented by the 128 bytes of CSS header.
963
	 */
964
	err = btintel_secure_send(hdev, 0x00, 128, fw->data);
965
	if (err < 0) {
966
		bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
967
		goto done;
968
	}
969

970
	/* Send the 256 bytes of public key information from the firmware
971
	 * as the PKey fragment.
972
	 */
973
	err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
974
	if (err < 0) {
975
		bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
976
		goto done;
977
	}
978

979
	/* Send the 256 bytes of signature information from the firmware
980
	 * as the Sign fragment.
981
	 */
982
	err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
983
	if (err < 0) {
984
		bt_dev_err(hdev, "Failed to send firmware signature (%d)", err);
985
		goto done;
986
	}
987

988
done:
989
	return err;
990
}
991

992
static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev,
993
						const struct firmware *fw)
994
{
995
	int err;
996

997
	/* Start the firmware download transaction with the Init fragment
998
	 * represented by the 128 bytes of CSS header.
999
	 */
1000
	err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644);
1001
	if (err < 0) {
1002
		bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
1003
		return err;
1004
	}
1005

1006
	/* Send the 96 bytes of public key information from the firmware
1007
	 * as the PKey fragment.
1008
	 */
1009
	err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128);
1010
	if (err < 0) {
1011
		bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
1012
		return err;
1013
	}
1014

1015
	/* Send the 96 bytes of signature information from the firmware
1016
	 * as the Sign fragment
1017
	 */
1018
	err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224);
1019
	if (err < 0) {
1020
		bt_dev_err(hdev, "Failed to send firmware signature (%d)",
1021
			   err);
1022
		return err;
1023
	}
1024
	return 0;
1025
}
1026

1027
static int btintel_download_firmware_payload(struct hci_dev *hdev,
1028
					     const struct firmware *fw,
1029
					     size_t offset)
1030
{
1031
	int err;
1032
	const u8 *fw_ptr;
1033
	u32 frag_len;
1034

1035
	fw_ptr = fw->data + offset;
1036
	frag_len = 0;
1037
	err = -EINVAL;
1038

1039
	while (fw_ptr - fw->data < fw->size) {
1040
		struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
1041

1042
		frag_len += sizeof(*cmd) + cmd->plen;
1043

1044
		/* The parameter length of the secure send command requires
1045
		 * a 4 byte alignment. It happens so that the firmware file
1046
		 * contains proper Intel_NOP commands to align the fragments
1047
		 * as needed.
1048
		 *
1049
		 * Send set of commands with 4 byte alignment from the
1050
		 * firmware data buffer as a single Data fragment.
1051
		 */
1052
		if (!(frag_len % 4)) {
1053
			err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
1054
			if (err < 0) {
1055
				bt_dev_err(hdev,
1056
					   "Failed to send firmware data (%d)",
1057
					   err);
1058
				goto done;
1059
			}
1060

1061
			fw_ptr += frag_len;
1062
			frag_len = 0;
1063
		}
1064
	}
1065

1066
done:
1067
	return err;
1068
}
1069

1070
static bool btintel_firmware_version(struct hci_dev *hdev,
1071
				     u8 num, u8 ww, u8 yy,
1072
				     const struct firmware *fw,
1073
				     u32 *boot_addr)
1074
{
1075
	const u8 *fw_ptr;
1076

1077
	fw_ptr = fw->data;
1078

1079
	while (fw_ptr - fw->data < fw->size) {
1080
		struct hci_command_hdr *cmd = (void *)(fw_ptr);
1081

1082
		/* Each SKU has a different reset parameter to use in the
1083
		 * HCI_Intel_Reset command and it is embedded in the firmware
1084
		 * data. So, instead of using static value per SKU, check
1085
		 * the firmware data and save it for later use.
1086
		 */
1087
		if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) {
1088
			struct cmd_write_boot_params *params;
1089

1090
			params = (void *)(fw_ptr + sizeof(*cmd));
1091

1092
			*boot_addr = le32_to_cpu(params->boot_addr);
1093

1094
			bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr);
1095

1096
			bt_dev_info(hdev, "Firmware Version: %u-%u.%u",
1097
				    params->fw_build_num, params->fw_build_ww,
1098
				    params->fw_build_yy);
1099

1100
			return (num == params->fw_build_num &&
1101
				ww == params->fw_build_ww &&
1102
				yy == params->fw_build_yy);
1103
		}
1104

1105
		fw_ptr += sizeof(*cmd) + cmd->plen;
1106
	}
1107

1108
	return false;
1109
}
1110

1111
int btintel_download_firmware(struct hci_dev *hdev,
1112
			      struct intel_version *ver,
1113
			      const struct firmware *fw,
1114
			      u32 *boot_param)
1115
{
1116
	int err;
1117

1118
	/* SfP and WsP don't seem to update the firmware version on file
1119
	 * so version checking is currently not possible.
1120
	 */
1121
	switch (ver->hw_variant) {
1122
	case 0x0b:	/* SfP */
1123
	case 0x0c:	/* WsP */
1124
		/* Skip version checking */
1125
		break;
1126
	default:
1127

1128
		/* Skip download if firmware has the same version */
1129
		if (btintel_firmware_version(hdev, ver->fw_build_num,
1130
					     ver->fw_build_ww, ver->fw_build_yy,
1131
					     fw, boot_param)) {
1132
			bt_dev_info(hdev, "Firmware already loaded");
1133
			/* Return -EALREADY to indicate that the firmware has
1134
			 * already been loaded.
1135
			 */
1136
			return -EALREADY;
1137
		}
1138
	}
1139

1140
	/* The firmware variant determines if the device is in bootloader
1141
	 * mode or is running operational firmware. The value 0x06 identifies
1142
	 * the bootloader and the value 0x23 identifies the operational
1143
	 * firmware.
1144
	 *
1145
	 * If the firmware version has changed that means it needs to be reset
1146
	 * to bootloader when operational so the new firmware can be loaded.
1147
	 */
1148
	if (ver->fw_variant == 0x23)
1149
		return -EINVAL;
1150

1151
	err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1152
	if (err)
1153
		return err;
1154

1155
	return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1156
}
1157
EXPORT_SYMBOL_GPL(btintel_download_firmware);
1158

1159
static int btintel_download_fw_tlv(struct hci_dev *hdev,
1160
				   struct intel_version_tlv *ver,
1161
				   const struct firmware *fw, u32 *boot_param,
1162
				   u8 hw_variant, u8 sbe_type)
1163
{
1164
	int err;
1165
	u32 css_header_ver;
1166

1167
	/* Skip download if firmware has the same version */
1168
	if (btintel_firmware_version(hdev, ver->min_fw_build_nn,
1169
				     ver->min_fw_build_cw,
1170
				     ver->min_fw_build_yy,
1171
				     fw, boot_param)) {
1172
		bt_dev_info(hdev, "Firmware already loaded");
1173
		/* Return -EALREADY to indicate that firmware has
1174
		 * already been loaded.
1175
		 */
1176
		return -EALREADY;
1177
	}
1178

1179
	/* The firmware variant determines if the device is in bootloader
1180
	 * mode or is running operational firmware. The value 0x01 identifies
1181
	 * the bootloader and the value 0x03 identifies the operational
1182
	 * firmware.
1183
	 *
1184
	 * If the firmware version has changed that means it needs to be reset
1185
	 * to bootloader when operational so the new firmware can be loaded.
1186
	 */
1187
	if (ver->img_type == BTINTEL_IMG_OP)
1188
		return -EINVAL;
1189

1190
	/* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support
1191
	 * only RSA secure boot engine. Hence, the corresponding sfi file will
1192
	 * have RSA header of 644 bytes followed by Command Buffer.
1193
	 *
1194
	 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA
1195
	 * secure boot engine. As a result, the corresponding sfi file will
1196
	 * have RSA header of 644, ECDSA header of 320 bytes followed by
1197
	 * Command Buffer.
1198
	 *
1199
	 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header
1200
	 * version: RSA(0x00010000) , ECDSA (0x00020000)
1201
	 */
1202
	css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET);
1203
	if (css_header_ver != 0x00010000) {
1204
		bt_dev_err(hdev, "Invalid CSS Header version");
1205
		return -EINVAL;
1206
	}
1207

1208
	if (hw_variant <= 0x14) {
1209
		if (sbe_type != 0x00) {
1210
			bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)",
1211
				   hw_variant);
1212
			return -EINVAL;
1213
		}
1214

1215
		err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1216
		if (err)
1217
			return err;
1218

1219
		err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1220
		if (err)
1221
			return err;
1222
	} else if (hw_variant >= 0x17) {
1223
		/* Check if CSS header for ECDSA follows the RSA header */
1224
		if (fw->data[ECDSA_OFFSET] != 0x06)
1225
			return -EINVAL;
1226

1227
		/* Check if the CSS Header version is ECDSA(0x00020000) */
1228
		css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET);
1229
		if (css_header_ver != 0x00020000) {
1230
			bt_dev_err(hdev, "Invalid CSS Header version");
1231
			return -EINVAL;
1232
		}
1233

1234
		if (sbe_type == 0x00) {
1235
			err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1236
			if (err)
1237
				return err;
1238

1239
			err = btintel_download_firmware_payload(hdev, fw,
1240
								RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1241
			if (err)
1242
				return err;
1243
		} else if (sbe_type == 0x01) {
1244
			err = btintel_sfi_ecdsa_header_secure_send(hdev, fw);
1245
			if (err)
1246
				return err;
1247

1248
			err = btintel_download_firmware_payload(hdev, fw,
1249
								RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1250
			if (err)
1251
				return err;
1252
		}
1253
	}
1254
	return 0;
1255
}
1256

1257
static void btintel_reset_to_bootloader(struct hci_dev *hdev)
1258
{
1259
	struct intel_reset params;
1260
	struct sk_buff *skb;
1261

1262
	/* PCIe transport uses shared hardware reset mechanism for recovery
1263
	 * which gets triggered in pcie *setup* function on error.
1264
	 */
1265
	if (hdev->bus == HCI_PCI)
1266
		return;
1267

1268
	/* Send Intel Reset command. This will result in
1269
	 * re-enumeration of BT controller.
1270
	 *
1271
	 * Intel Reset parameter description:
1272
	 * reset_type :   0x00 (Soft reset),
1273
	 *		  0x01 (Hard reset)
1274
	 * patch_enable : 0x00 (Do not enable),
1275
	 *		  0x01 (Enable)
1276
	 * ddc_reload :   0x00 (Do not reload),
1277
	 *		  0x01 (Reload)
1278
	 * boot_option:   0x00 (Current image),
1279
	 *                0x01 (Specified boot address)
1280
	 * boot_param:    Boot address
1281
	 *
1282
	 */
1283

1284
	params.reset_type = 0x01;
1285
	params.patch_enable = 0x01;
1286
	params.ddc_reload = 0x01;
1287
	params.boot_option = 0x00;
1288
	params.boot_param = cpu_to_le32(0x00000000);
1289

1290
	skb = __hci_cmd_sync(hdev, BTINTEL_HCI_OP_RESET, sizeof(params),
1291
			     &params, HCI_INIT_TIMEOUT);
1292
	if (IS_ERR(skb)) {
1293
		bt_dev_err(hdev, "FW download error recovery failed (%ld)",
1294
			   PTR_ERR(skb));
1295
		return;
1296
	}
1297
	bt_dev_info(hdev, "Intel reset sent to retry FW download");
1298
	kfree_skb(skb);
1299

1300
	/* Current Intel BT controllers(ThP/JfP) hold the USB reset
1301
	 * lines for 2ms when it receives Intel Reset in bootloader mode.
1302
	 * Whereas, the upcoming Intel BT controllers will hold USB reset
1303
	 * for 150ms. To keep the delay generic, 150ms is chosen here.
1304
	 */
1305
	msleep(150);
1306
}
1307

1308
static int btintel_read_debug_features(struct hci_dev *hdev,
1309
				       struct intel_debug_features *features)
1310
{
1311
	struct sk_buff *skb;
1312
	u8 page_no = 1;
1313

1314
	/* Intel controller supports two pages, each page is of 128-bit
1315
	 * feature bit mask. And each bit defines specific feature support
1316
	 */
1317
	skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no,
1318
			     HCI_INIT_TIMEOUT);
1319
	if (IS_ERR(skb)) {
1320
		bt_dev_err(hdev, "Reading supported features failed (%ld)",
1321
			   PTR_ERR(skb));
1322
		return PTR_ERR(skb);
1323
	}
1324

1325
	if (skb->len != (sizeof(features->page1) + 3)) {
1326
		bt_dev_err(hdev, "Supported features event size mismatch");
1327
		kfree_skb(skb);
1328
		return -EILSEQ;
1329
	}
1330

1331
	memcpy(features->page1, skb->data + 3, sizeof(features->page1));
1332

1333
	/* Read the supported features page2 if required in future.
1334
	 */
1335
	kfree_skb(skb);
1336
	return 0;
1337
}
1338

1339
static int btintel_set_debug_features(struct hci_dev *hdev,
1340
			       const struct intel_debug_features *features)
1341
{
1342
	u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00,
1343
			0x00, 0x00, 0x00 };
1344
	u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 };
1345
	u8 trace_enable = 0x02;
1346
	struct sk_buff *skb;
1347

1348
	if (!features) {
1349
		bt_dev_warn(hdev, "Debug features not read");
1350
		return -EINVAL;
1351
	}
1352

1353
	if (!(features->page1[0] & 0x3f)) {
1354
		bt_dev_info(hdev, "Telemetry exception format not supported");
1355
		return 0;
1356
	}
1357

1358
	skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1359
	if (IS_ERR(skb)) {
1360
		bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1361
			   PTR_ERR(skb));
1362
		return PTR_ERR(skb);
1363
	}
1364
	kfree_skb(skb);
1365

1366
	skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT);
1367
	if (IS_ERR(skb)) {
1368
		bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)",
1369
			   PTR_ERR(skb));
1370
		return PTR_ERR(skb);
1371
	}
1372
	kfree_skb(skb);
1373

1374
	skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1375
	if (IS_ERR(skb)) {
1376
		bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)",
1377
			   PTR_ERR(skb));
1378
		return PTR_ERR(skb);
1379
	}
1380
	kfree_skb(skb);
1381

1382
	bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x",
1383
		    trace_enable, mask[3]);
1384

1385
	return 0;
1386
}
1387

1388
static int btintel_reset_debug_features(struct hci_dev *hdev,
1389
				 const struct intel_debug_features *features)
1390
{
1391
	u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
1392
			0x00, 0x00, 0x00 };
1393
	u8 trace_enable = 0x00;
1394
	struct sk_buff *skb;
1395

1396
	if (!features) {
1397
		bt_dev_warn(hdev, "Debug features not read");
1398
		return -EINVAL;
1399
	}
1400

1401
	if (!(features->page1[0] & 0x3f)) {
1402
		bt_dev_info(hdev, "Telemetry exception format not supported");
1403
		return 0;
1404
	}
1405

1406
	/* Should stop the trace before writing ddc event mask. */
1407
	skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1408
	if (IS_ERR(skb)) {
1409
		bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)",
1410
			   PTR_ERR(skb));
1411
		return PTR_ERR(skb);
1412
	}
1413
	kfree_skb(skb);
1414

1415
	skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1416
	if (IS_ERR(skb)) {
1417
		bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1418
			   PTR_ERR(skb));
1419
		return PTR_ERR(skb);
1420
	}
1421
	kfree_skb(skb);
1422

1423
	bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x",
1424
		    trace_enable, mask[3]);
1425

1426
	return 0;
1427
}
1428

1429
int btintel_set_quality_report(struct hci_dev *hdev, bool enable)
1430
{
1431
	struct intel_debug_features features;
1432
	int err;
1433

1434
	bt_dev_dbg(hdev, "enable %d", enable);
1435

1436
	/* Read the Intel supported features and if new exception formats
1437
	 * supported, need to load the additional DDC config to enable.
1438
	 */
1439
	err = btintel_read_debug_features(hdev, &features);
1440
	if (err)
1441
		return err;
1442

1443
	/* Set or reset the debug features. */
1444
	if (enable)
1445
		err = btintel_set_debug_features(hdev, &features);
1446
	else
1447
		err = btintel_reset_debug_features(hdev, &features);
1448

1449
	return err;
1450
}
1451
EXPORT_SYMBOL_GPL(btintel_set_quality_report);
1452

1453
static void btintel_coredump(struct hci_dev *hdev)
1454
{
1455
	struct sk_buff *skb;
1456

1457
	skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT);
1458
	if (IS_ERR(skb)) {
1459
		bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb));
1460
		return;
1461
	}
1462

1463
	kfree_skb(skb);
1464
}
1465

1466
static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb)
1467
{
1468
	char buf[80];
1469

1470
	snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n",
1471
		 coredump_info.hw_variant);
1472
	skb_put_data(skb, buf, strlen(buf));
1473

1474
	snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n",
1475
		 coredump_info.fw_build_num);
1476
	skb_put_data(skb, buf, strlen(buf));
1477

1478
	snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name);
1479
	skb_put_data(skb, buf, strlen(buf));
1480

1481
	snprintf(buf, sizeof(buf), "Vendor: Intel\n");
1482
	skb_put_data(skb, buf, strlen(buf));
1483
}
1484

1485
static int btintel_register_devcoredump_support(struct hci_dev *hdev)
1486
{
1487
	struct intel_debug_features features;
1488
	int err;
1489

1490
	err = btintel_read_debug_features(hdev, &features);
1491
	if (err) {
1492
		bt_dev_info(hdev, "Error reading debug features");
1493
		return err;
1494
	}
1495

1496
	if (!(features.page1[0] & 0x3f)) {
1497
		bt_dev_dbg(hdev, "Telemetry exception format not supported");
1498
		return -EOPNOTSUPP;
1499
	}
1500

1501
	hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL);
1502

1503
	return err;
1504
}
1505

1506
static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev,
1507
					       struct intel_version *ver)
1508
{
1509
	const struct firmware *fw;
1510
	char fwname[64];
1511
	int ret;
1512

1513
	snprintf(fwname, sizeof(fwname),
1514
		 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1515
		 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1516
		 ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
1517
		 ver->fw_build_ww, ver->fw_build_yy);
1518

1519
	ret = request_firmware(&fw, fwname, &hdev->dev);
1520
	if (ret < 0) {
1521
		if (ret == -EINVAL) {
1522
			bt_dev_err(hdev, "Intel firmware file request failed (%d)",
1523
				   ret);
1524
			return NULL;
1525
		}
1526

1527
		bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)",
1528
			   fwname, ret);
1529

1530
		/* If the correct firmware patch file is not found, use the
1531
		 * default firmware patch file instead
1532
		 */
1533
		snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1534
			 ver->hw_platform, ver->hw_variant);
1535
		if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1536
			bt_dev_err(hdev, "failed to open default fw file: %s",
1537
				   fwname);
1538
			return NULL;
1539
		}
1540
	}
1541

1542
	bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname);
1543

1544
	return fw;
1545
}
1546

1547
static int btintel_legacy_rom_patching(struct hci_dev *hdev,
1548
				      const struct firmware *fw,
1549
				      const u8 **fw_ptr, int *disable_patch)
1550
{
1551
	struct sk_buff *skb;
1552
	struct hci_command_hdr *cmd;
1553
	const u8 *cmd_param;
1554
	struct hci_event_hdr *evt = NULL;
1555
	const u8 *evt_param = NULL;
1556
	int remain = fw->size - (*fw_ptr - fw->data);
1557

1558
	/* The first byte indicates the types of the patch command or event.
1559
	 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1560
	 * in the current firmware buffer doesn't start with 0x01 or
1561
	 * the size of remain buffer is smaller than HCI command header,
1562
	 * the firmware file is corrupted and it should stop the patching
1563
	 * process.
1564
	 */
1565
	if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1566
		bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read");
1567
		return -EINVAL;
1568
	}
1569
	(*fw_ptr)++;
1570
	remain--;
1571

1572
	cmd = (struct hci_command_hdr *)(*fw_ptr);
1573
	*fw_ptr += sizeof(*cmd);
1574
	remain -= sizeof(*cmd);
1575

1576
	/* Ensure that the remain firmware data is long enough than the length
1577
	 * of command parameter. If not, the firmware file is corrupted.
1578
	 */
1579
	if (remain < cmd->plen) {
1580
		bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len");
1581
		return -EFAULT;
1582
	}
1583

1584
	/* If there is a command that loads a patch in the firmware
1585
	 * file, then enable the patch upon success, otherwise just
1586
	 * disable the manufacturer mode, for example patch activation
1587
	 * is not required when the default firmware patch file is used
1588
	 * because there are no patch data to load.
1589
	 */
1590
	if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1591
		*disable_patch = 0;
1592

1593
	cmd_param = *fw_ptr;
1594
	*fw_ptr += cmd->plen;
1595
	remain -= cmd->plen;
1596

1597
	/* This reads the expected events when the above command is sent to the
1598
	 * device. Some vendor commands expects more than one events, for
1599
	 * example command status event followed by vendor specific event.
1600
	 * For this case, it only keeps the last expected event. so the command
1601
	 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1602
	 * last expected event.
1603
	 */
1604
	while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1605
		(*fw_ptr)++;
1606
		remain--;
1607

1608
		evt = (struct hci_event_hdr *)(*fw_ptr);
1609
		*fw_ptr += sizeof(*evt);
1610
		remain -= sizeof(*evt);
1611

1612
		if (remain < evt->plen) {
1613
			bt_dev_err(hdev, "Intel fw corrupted: invalid evt len");
1614
			return -EFAULT;
1615
		}
1616

1617
		evt_param = *fw_ptr;
1618
		*fw_ptr += evt->plen;
1619
		remain -= evt->plen;
1620
	}
1621

1622
	/* Every HCI commands in the firmware file has its correspond event.
1623
	 * If event is not found or remain is smaller than zero, the firmware
1624
	 * file is corrupted.
1625
	 */
1626
	if (!evt || !evt_param || remain < 0) {
1627
		bt_dev_err(hdev, "Intel fw corrupted: invalid evt read");
1628
		return -EFAULT;
1629
	}
1630

1631
	skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1632
				cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1633
	if (IS_ERR(skb)) {
1634
		bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)",
1635
			   cmd->opcode, PTR_ERR(skb));
1636
		return PTR_ERR(skb);
1637
	}
1638

1639
	/* It ensures that the returned event matches the event data read from
1640
	 * the firmware file. At fist, it checks the length and then
1641
	 * the contents of the event.
1642
	 */
1643
	if (skb->len != evt->plen) {
1644
		bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)",
1645
			   le16_to_cpu(cmd->opcode));
1646
		kfree_skb(skb);
1647
		return -EFAULT;
1648
	}
1649

1650
	if (memcmp(skb->data, evt_param, evt->plen)) {
1651
		bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)",
1652
			   le16_to_cpu(cmd->opcode));
1653
		kfree_skb(skb);
1654
		return -EFAULT;
1655
	}
1656
	kfree_skb(skb);
1657

1658
	return 0;
1659
}
1660

1661
static int btintel_legacy_rom_setup(struct hci_dev *hdev,
1662
				    struct intel_version *ver)
1663
{
1664
	const struct firmware *fw;
1665
	const u8 *fw_ptr;
1666
	int disable_patch, err;
1667
	struct intel_version new_ver;
1668

1669
	BT_DBG("%s", hdev->name);
1670

1671
	/* fw_patch_num indicates the version of patch the device currently
1672
	 * have. If there is no patch data in the device, it is always 0x00.
1673
	 * So, if it is other than 0x00, no need to patch the device again.
1674
	 */
1675
	if (ver->fw_patch_num) {
1676
		bt_dev_info(hdev,
1677
			    "Intel device is already patched. patch num: %02x",
1678
			    ver->fw_patch_num);
1679
		goto complete;
1680
	}
1681

1682
	/* Opens the firmware patch file based on the firmware version read
1683
	 * from the controller. If it fails to open the matching firmware
1684
	 * patch file, it tries to open the default firmware patch file.
1685
	 * If no patch file is found, allow the device to operate without
1686
	 * a patch.
1687
	 */
1688
	fw = btintel_legacy_rom_get_fw(hdev, ver);
1689
	if (!fw)
1690
		goto complete;
1691
	fw_ptr = fw->data;
1692

1693
	/* Enable the manufacturer mode of the controller.
1694
	 * Only while this mode is enabled, the driver can download the
1695
	 * firmware patch data and configuration parameters.
1696
	 */
1697
	err = btintel_enter_mfg(hdev);
1698
	if (err) {
1699
		release_firmware(fw);
1700
		return err;
1701
	}
1702

1703
	disable_patch = 1;
1704

1705
	/* The firmware data file consists of list of Intel specific HCI
1706
	 * commands and its expected events. The first byte indicates the
1707
	 * type of the message, either HCI command or HCI event.
1708
	 *
1709
	 * It reads the command and its expected event from the firmware file,
1710
	 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1711
	 * the returned event is compared with the event read from the firmware
1712
	 * file and it will continue until all the messages are downloaded to
1713
	 * the controller.
1714
	 *
1715
	 * Once the firmware patching is completed successfully,
1716
	 * the manufacturer mode is disabled with reset and activating the
1717
	 * downloaded patch.
1718
	 *
1719
	 * If the firmware patching fails, the manufacturer mode is
1720
	 * disabled with reset and deactivating the patch.
1721
	 *
1722
	 * If the default patch file is used, no reset is done when disabling
1723
	 * the manufacturer.
1724
	 */
1725
	while (fw->size > fw_ptr - fw->data) {
1726
		int ret;
1727

1728
		ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr,
1729
						 &disable_patch);
1730
		if (ret < 0)
1731
			goto exit_mfg_deactivate;
1732
	}
1733

1734
	release_firmware(fw);
1735

1736
	if (disable_patch)
1737
		goto exit_mfg_disable;
1738

1739
	/* Patching completed successfully and disable the manufacturer mode
1740
	 * with reset and activate the downloaded firmware patches.
1741
	 */
1742
	err = btintel_exit_mfg(hdev, true, true);
1743
	if (err)
1744
		return err;
1745

1746
	/* Need build number for downloaded fw patches in
1747
	 * every power-on boot
1748
	 */
1749
	err = btintel_read_version(hdev, &new_ver);
1750
	if (err)
1751
		return err;
1752

1753
	bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated",
1754
		    new_ver.fw_patch_num);
1755

1756
	goto complete;
1757

1758
exit_mfg_disable:
1759
	/* Disable the manufacturer mode without reset */
1760
	err = btintel_exit_mfg(hdev, false, false);
1761
	if (err)
1762
		return err;
1763

1764
	bt_dev_info(hdev, "Intel firmware patch completed");
1765

1766
	goto complete;
1767

1768
exit_mfg_deactivate:
1769
	release_firmware(fw);
1770

1771
	/* Patching failed. Disable the manufacturer mode with reset and
1772
	 * deactivate the downloaded firmware patches.
1773
	 */
1774
	err = btintel_exit_mfg(hdev, true, false);
1775
	if (err)
1776
		return err;
1777

1778
	bt_dev_info(hdev, "Intel firmware patch completed and deactivated");
1779

1780
complete:
1781
	/* Set the event mask for Intel specific vendor events. This enables
1782
	 * a few extra events that are useful during general operation.
1783
	 */
1784
	btintel_set_event_mask_mfg(hdev, false);
1785

1786
	btintel_check_bdaddr(hdev);
1787

1788
	return 0;
1789
}
1790

1791
static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1792
{
1793
	ktime_t delta, rettime;
1794
	unsigned long long duration;
1795
	int err;
1796

1797
	btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1798

1799
	bt_dev_info(hdev, "Waiting for firmware download to complete");
1800

1801
	err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING,
1802
					   TASK_INTERRUPTIBLE,
1803
					   msecs_to_jiffies(msec));
1804
	if (err == -EINTR) {
1805
		bt_dev_err(hdev, "Firmware loading interrupted");
1806
		return err;
1807
	}
1808

1809
	if (err) {
1810
		bt_dev_err(hdev, "Firmware loading timeout");
1811
		return -ETIMEDOUT;
1812
	}
1813

1814
	if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) {
1815
		bt_dev_err(hdev, "Firmware loading failed");
1816
		return -ENOEXEC;
1817
	}
1818

1819
	rettime = ktime_get();
1820
	delta = ktime_sub(rettime, calltime);
1821
	duration = (unsigned long long)ktime_to_ns(delta) >> 10;
1822

1823
	bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration);
1824

1825
	return 0;
1826
}
1827

1828
static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1829
{
1830
	ktime_t delta, rettime;
1831
	unsigned long long duration;
1832
	int err;
1833

1834
	bt_dev_info(hdev, "Waiting for device to boot");
1835

1836
	err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING,
1837
					   TASK_INTERRUPTIBLE,
1838
					   msecs_to_jiffies(msec));
1839
	if (err == -EINTR) {
1840
		bt_dev_err(hdev, "Device boot interrupted");
1841
		return -EINTR;
1842
	}
1843

1844
	if (err) {
1845
		bt_dev_err(hdev, "Device boot timeout");
1846
		return -ETIMEDOUT;
1847
	}
1848

1849
	rettime = ktime_get();
1850
	delta = ktime_sub(rettime, calltime);
1851
	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
1852

1853
	bt_dev_info(hdev, "Device booted in %llu usecs", duration);
1854

1855
	return 0;
1856
}
1857

1858
static int btintel_boot_wait_d0(struct hci_dev *hdev, ktime_t calltime,
1859
				int msec)
1860
{
1861
	ktime_t delta, rettime;
1862
	unsigned long long duration;
1863
	int err;
1864

1865
	bt_dev_info(hdev, "Waiting for device transition to d0");
1866

1867
	err = btintel_wait_on_flag_timeout(hdev, INTEL_WAIT_FOR_D0,
1868
					   TASK_INTERRUPTIBLE,
1869
					   msecs_to_jiffies(msec));
1870
	if (err == -EINTR) {
1871
		bt_dev_err(hdev, "Device d0 move interrupted");
1872
		return -EINTR;
1873
	}
1874

1875
	if (err) {
1876
		bt_dev_err(hdev, "Device d0 move timeout");
1877
		return -ETIMEDOUT;
1878
	}
1879

1880
	rettime = ktime_get();
1881
	delta = ktime_sub(rettime, calltime);
1882
	duration = (unsigned long long)ktime_to_ns(delta) >> 10;
1883

1884
	bt_dev_info(hdev, "Device moved to D0 in %llu usecs", duration);
1885

1886
	return 0;
1887
}
1888

1889
static int btintel_boot(struct hci_dev *hdev, u32 boot_addr)
1890
{
1891
	ktime_t calltime;
1892
	int err;
1893

1894
	calltime = ktime_get();
1895

1896
	btintel_set_flag(hdev, INTEL_BOOTING);
1897
	btintel_set_flag(hdev, INTEL_WAIT_FOR_D0);
1898

1899
	err = btintel_send_intel_reset(hdev, boot_addr);
1900
	if (err) {
1901
		bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err);
1902
		btintel_reset_to_bootloader(hdev);
1903
		return err;
1904
	}
1905

1906
	/* The bootloader will not indicate when the device is ready. This
1907
	 * is done by the operational firmware sending bootup notification.
1908
	 *
1909
	 * Booting into operational firmware should not take longer than
1910
	 * 5 second. However if that happens, then just fail the setup
1911
	 * since something went wrong.
1912
	 */
1913
	err = btintel_boot_wait(hdev, calltime, 5000);
1914
	if (err == -ETIMEDOUT) {
1915
		btintel_reset_to_bootloader(hdev);
1916
		goto exit_error;
1917
	}
1918

1919
	if (hdev->bus == HCI_PCI) {
1920
		/* In case of PCIe, after receiving bootup event, driver performs
1921
		 * D0 entry by writing 0 to sleep control register (check
1922
		 * btintel_pcie_recv_event())
1923
		 * Firmware acks with alive interrupt indicating host is full ready to
1924
		 * perform BT operation. Lets wait here till INTEL_WAIT_FOR_D0
1925
		 * bit is cleared.
1926
		 */
1927
		calltime = ktime_get();
1928
		err = btintel_boot_wait_d0(hdev, calltime, 2000);
1929
	}
1930

1931
exit_error:
1932
	return err;
1933
}
1934

1935
static int btintel_get_fw_name(struct intel_version *ver,
1936
					     struct intel_boot_params *params,
1937
					     char *fw_name, size_t len,
1938
					     const char *suffix)
1939
{
1940
	switch (ver->hw_variant) {
1941
	case 0x0b:	/* SfP */
1942
	case 0x0c:	/* WsP */
1943
		snprintf(fw_name, len, "intel/ibt-%u-%u.%s",
1944
			 ver->hw_variant,
1945
			 le16_to_cpu(params->dev_revid),
1946
			 suffix);
1947
		break;
1948
	case 0x11:	/* JfP */
1949
	case 0x12:	/* ThP */
1950
	case 0x13:	/* HrP */
1951
	case 0x14:	/* CcP */
1952
		snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s",
1953
			 ver->hw_variant,
1954
			 ver->hw_revision,
1955
			 ver->fw_revision,
1956
			 suffix);
1957
		break;
1958
	default:
1959
		return -EINVAL;
1960
	}
1961

1962
	return 0;
1963
}
1964

1965
static int btintel_download_fw(struct hci_dev *hdev,
1966
					 struct intel_version *ver,
1967
					 struct intel_boot_params *params,
1968
					 u32 *boot_param)
1969
{
1970
	const struct firmware *fw;
1971
	char fwname[64];
1972
	int err;
1973
	ktime_t calltime;
1974

1975
	if (!ver || !params)
1976
		return -EINVAL;
1977

1978
	/* The firmware variant determines if the device is in bootloader
1979
	 * mode or is running operational firmware. The value 0x06 identifies
1980
	 * the bootloader and the value 0x23 identifies the operational
1981
	 * firmware.
1982
	 *
1983
	 * When the operational firmware is already present, then only
1984
	 * the check for valid Bluetooth device address is needed. This
1985
	 * determines if the device will be added as configured or
1986
	 * unconfigured controller.
1987
	 *
1988
	 * It is not possible to use the Secure Boot Parameters in this
1989
	 * case since that command is only available in bootloader mode.
1990
	 */
1991
	if (ver->fw_variant == 0x23) {
1992
		btintel_clear_flag(hdev, INTEL_BOOTLOADER);
1993
		btintel_check_bdaddr(hdev);
1994

1995
		/* SfP and WsP don't seem to update the firmware version on file
1996
		 * so version checking is currently possible.
1997
		 */
1998
		switch (ver->hw_variant) {
1999
		case 0x0b:	/* SfP */
2000
		case 0x0c:	/* WsP */
2001
			return 0;
2002
		}
2003

2004
		/* Proceed to download to check if the version matches */
2005
		goto download;
2006
	}
2007

2008
	/* Read the secure boot parameters to identify the operating
2009
	 * details of the bootloader.
2010
	 */
2011
	err = btintel_read_boot_params(hdev, params);
2012
	if (err)
2013
		return err;
2014

2015
	/* It is required that every single firmware fragment is acknowledged
2016
	 * with a command complete event. If the boot parameters indicate
2017
	 * that this bootloader does not send them, then abort the setup.
2018
	 */
2019
	if (params->limited_cce != 0x00) {
2020
		bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)",
2021
			   params->limited_cce);
2022
		return -EINVAL;
2023
	}
2024

2025
	/* If the OTP has no valid Bluetooth device address, then there will
2026
	 * also be no valid address for the operational firmware.
2027
	 */
2028
	if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {
2029
		bt_dev_info(hdev, "No device address configured");
2030
		hci_set_quirk(hdev, HCI_QUIRK_INVALID_BDADDR);
2031
	}
2032

2033
download:
2034
	/* With this Intel bootloader only the hardware variant and device
2035
	 * revision information are used to select the right firmware for SfP
2036
	 * and WsP.
2037
	 *
2038
	 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi.
2039
	 *
2040
	 * Currently the supported hardware variants are:
2041
	 *   11 (0x0b) for iBT3.0 (LnP/SfP)
2042
	 *   12 (0x0c) for iBT3.5 (WsP)
2043
	 *
2044
	 * For ThP/JfP and for future SKU's, the FW name varies based on HW
2045
	 * variant, HW revision and FW revision, as these are dependent on CNVi
2046
	 * and RF Combination.
2047
	 *
2048
	 *   17 (0x11) for iBT3.5 (JfP)
2049
	 *   18 (0x12) for iBT3.5 (ThP)
2050
	 *
2051
	 * The firmware file name for these will be
2052
	 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi.
2053
	 *
2054
	 */
2055
	err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi");
2056
	if (err < 0) {
2057
		if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2058
			/* Firmware has already been loaded */
2059
			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2060
			return 0;
2061
		}
2062

2063
		bt_dev_err(hdev, "Unsupported Intel firmware naming");
2064
		return -EINVAL;
2065
	}
2066

2067
	err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
2068
	if (err < 0) {
2069
		if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2070
			/* Firmware has already been loaded */
2071
			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2072
			return 0;
2073
		}
2074

2075
		bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
2076
			   fwname, err);
2077
		return err;
2078
	}
2079

2080
	bt_dev_info(hdev, "Found device firmware: %s", fwname);
2081

2082
	if (fw->size < 644) {
2083
		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
2084
			   fw->size);
2085
		err = -EBADF;
2086
		goto done;
2087
	}
2088

2089
	calltime = ktime_get();
2090

2091
	btintel_set_flag(hdev, INTEL_DOWNLOADING);
2092

2093
	/* Start firmware downloading and get boot parameter */
2094
	err = btintel_download_firmware(hdev, ver, fw, boot_param);
2095
	if (err < 0) {
2096
		if (err == -EALREADY) {
2097
			/* Firmware has already been loaded */
2098
			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2099
			err = 0;
2100
			goto done;
2101
		}
2102

2103
		/* When FW download fails, send Intel Reset to retry
2104
		 * FW download.
2105
		 */
2106
		btintel_reset_to_bootloader(hdev);
2107
		goto done;
2108
	}
2109

2110
	/* Before switching the device into operational mode and with that
2111
	 * booting the loaded firmware, wait for the bootloader notification
2112
	 * that all fragments have been successfully received.
2113
	 *
2114
	 * When the event processing receives the notification, then the
2115
	 * INTEL_DOWNLOADING flag will be cleared.
2116
	 *
2117
	 * The firmware loading should not take longer than 5 seconds
2118
	 * and thus just timeout if that happens and fail the setup
2119
	 * of this device.
2120
	 */
2121
	err = btintel_download_wait(hdev, calltime, 5000);
2122
	if (err == -ETIMEDOUT)
2123
		btintel_reset_to_bootloader(hdev);
2124

2125
done:
2126
	release_firmware(fw);
2127
	return err;
2128
}
2129

2130
static int btintel_bootloader_setup(struct hci_dev *hdev,
2131
				    struct intel_version *ver)
2132
{
2133
	struct intel_version new_ver;
2134
	struct intel_boot_params params;
2135
	u32 boot_param;
2136
	char ddcname[64];
2137
	int err;
2138

2139
	BT_DBG("%s", hdev->name);
2140

2141
	/* Set the default boot parameter to 0x0 and it is updated to
2142
	 * SKU specific boot parameter after reading Intel_Write_Boot_Params
2143
	 * command while downloading the firmware.
2144
	 */
2145
	boot_param = 0x00000000;
2146

2147
	btintel_set_flag(hdev, INTEL_BOOTLOADER);
2148

2149
	err = btintel_download_fw(hdev, ver, &params, &boot_param);
2150
	if (err)
2151
		return err;
2152

2153
	/* controller is already having an operational firmware */
2154
	if (ver->fw_variant == 0x23)
2155
		goto finish;
2156

2157
	err = btintel_boot(hdev, boot_param);
2158
	if (err)
2159
		return err;
2160

2161
	btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2162

2163
	err = btintel_get_fw_name(ver, &params, ddcname,
2164
						sizeof(ddcname), "ddc");
2165

2166
	if (err < 0) {
2167
		bt_dev_err(hdev, "Unsupported Intel firmware naming");
2168
	} else {
2169
		/* Once the device is running in operational mode, it needs to
2170
		 * apply the device configuration (DDC) parameters.
2171
		 *
2172
		 * The device can work without DDC parameters, so even if it
2173
		 * fails to load the file, no need to fail the setup.
2174
		 */
2175
		btintel_load_ddc_config(hdev, ddcname);
2176
	}
2177

2178
	hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
2179

2180
	/* Read the Intel version information after loading the FW  */
2181
	err = btintel_read_version(hdev, &new_ver);
2182
	if (err)
2183
		return err;
2184

2185
	btintel_version_info(hdev, &new_ver);
2186

2187
finish:
2188
	/* Set the event mask for Intel specific vendor events. This enables
2189
	 * a few extra events that are useful during general operation. It
2190
	 * does not enable any debugging related events.
2191
	 *
2192
	 * The device will function correctly without these events enabled
2193
	 * and thus no need to fail the setup.
2194
	 */
2195
	btintel_set_event_mask(hdev, false);
2196

2197
	return 0;
2198
}
2199

2200
static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver,
2201
				    char *fw_name, size_t len,
2202
				    const char *suffix)
2203
{
2204
	const char *format;
2205
	u32 cnvi, cnvr;
2206

2207
	cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top),
2208
					INTEL_CNVX_TOP_STEP(ver->cnvi_top));
2209

2210
	cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top),
2211
					INTEL_CNVX_TOP_STEP(ver->cnvr_top));
2212

2213
	/* Only Blazar  product supports downloading of intermediate loader
2214
	 * image
2215
	 */
2216
	if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e) {
2217
		u8 zero[BTINTEL_FWID_MAXLEN];
2218

2219
		if (ver->img_type == BTINTEL_IMG_BOOTLOADER) {
2220
			format = "intel/ibt-%04x-%04x-iml.%s";
2221
			snprintf(fw_name, len, format, cnvi, cnvr, suffix);
2222
			return;
2223
		}
2224

2225
		memset(zero, 0, sizeof(zero));
2226

2227
		/* ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step-fw_id> */
2228
		if (memcmp(ver->fw_id, zero, sizeof(zero))) {
2229
			format = "intel/ibt-%04x-%04x-%s.%s";
2230
			snprintf(fw_name, len, format, cnvi, cnvr,
2231
				 ver->fw_id, suffix);
2232
			return;
2233
		}
2234
		/* If firmware id is not present, fallback to legacy naming
2235
		 * convention
2236
		 */
2237
	}
2238
	/* Fallback to legacy naming convention for other controllers
2239
	 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step>
2240
	 */
2241
	format = "intel/ibt-%04x-%04x.%s";
2242
	snprintf(fw_name, len, format, cnvi, cnvr, suffix);
2243
}
2244

2245
static void btintel_get_iml_tlv(const struct intel_version_tlv *ver,
2246
				char *fw_name, size_t len,
2247
				const char *suffix)
2248
{
2249
	const char *format;
2250
	u32 cnvi, cnvr;
2251

2252
	cnvi = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top),
2253
					INTEL_CNVX_TOP_STEP(ver->cnvi_top));
2254

2255
	cnvr = INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top),
2256
					INTEL_CNVX_TOP_STEP(ver->cnvr_top));
2257

2258
	format = "intel/ibt-%04x-%04x-iml.%s";
2259
	snprintf(fw_name, len, format, cnvi, cnvr, suffix);
2260
}
2261

2262
static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev,
2263
					   struct intel_version_tlv *ver,
2264
					   u32 *boot_param)
2265
{
2266
	const struct firmware *fw;
2267
	char fwname[128];
2268
	int err;
2269
	ktime_t calltime;
2270

2271
	if (!ver || !boot_param)
2272
		return -EINVAL;
2273

2274
	/* The firmware variant determines if the device is in bootloader
2275
	 * mode or is running operational firmware. The value 0x03 identifies
2276
	 * the bootloader and the value 0x23 identifies the operational
2277
	 * firmware.
2278
	 *
2279
	 * When the operational firmware is already present, then only
2280
	 * the check for valid Bluetooth device address is needed. This
2281
	 * determines if the device will be added as configured or
2282
	 * unconfigured controller.
2283
	 *
2284
	 * It is not possible to use the Secure Boot Parameters in this
2285
	 * case since that command is only available in bootloader mode.
2286
	 */
2287
	if (ver->img_type == BTINTEL_IMG_OP) {
2288
		btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2289
		btintel_check_bdaddr(hdev);
2290
	} else {
2291
		/*
2292
		 * Check for valid bd address in boot loader mode. Device
2293
		 * will be marked as unconfigured if empty bd address is
2294
		 * found.
2295
		 */
2296
		if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) {
2297
			bt_dev_info(hdev, "No device address configured");
2298
			hci_set_quirk(hdev, HCI_QUIRK_INVALID_BDADDR);
2299
		}
2300
	}
2301

2302
	if (ver->img_type == BTINTEL_IMG_OP) {
2303
		/* Controller running OP image. In case of FW downgrade,
2304
		 * FWID TLV may not be present and driver may attempt to load
2305
		 * firmware image which doesn't exist. Lets compare the version
2306
		 * of IML image
2307
		 */
2308
		if (INTEL_HW_VARIANT(ver->cnvi_bt) >= 0x1e)
2309
			btintel_get_iml_tlv(ver, fwname, sizeof(fwname), "sfi");
2310
		else
2311
			btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi");
2312
	} else {
2313
		btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi");
2314
	}
2315

2316
	err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
2317
	if (err < 0) {
2318
		if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2319
			/* Firmware has already been loaded */
2320
			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2321
			return 0;
2322
		}
2323

2324
		bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
2325
			   fwname, err);
2326

2327
		return err;
2328
	}
2329

2330
	bt_dev_info(hdev, "Found device firmware: %s", fwname);
2331

2332
	if (fw->size < 644) {
2333
		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
2334
			   fw->size);
2335
		err = -EBADF;
2336
		goto done;
2337
	}
2338

2339
	calltime = ktime_get();
2340

2341
	btintel_set_flag(hdev, INTEL_DOWNLOADING);
2342

2343
	/* Start firmware downloading and get boot parameter */
2344
	err = btintel_download_fw_tlv(hdev, ver, fw, boot_param,
2345
					       INTEL_HW_VARIANT(ver->cnvi_bt),
2346
					       ver->sbe_type);
2347
	if (err < 0) {
2348
		if (err == -EALREADY) {
2349
			/* Firmware has already been loaded */
2350
			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2351
			err = 0;
2352
			goto done;
2353
		}
2354

2355
		/* When FW download fails, send Intel Reset to retry
2356
		 * FW download.
2357
		 */
2358
		btintel_reset_to_bootloader(hdev);
2359
		goto done;
2360
	}
2361

2362
	/* Before switching the device into operational mode and with that
2363
	 * booting the loaded firmware, wait for the bootloader notification
2364
	 * that all fragments have been successfully received.
2365
	 *
2366
	 * When the event processing receives the notification, then the
2367
	 * BTUSB_DOWNLOADING flag will be cleared.
2368
	 *
2369
	 * The firmware loading should not take longer than 5 seconds
2370
	 * and thus just timeout if that happens and fail the setup
2371
	 * of this device.
2372
	 */
2373
	err = btintel_download_wait(hdev, calltime, 5000);
2374
	if (err == -ETIMEDOUT)
2375
		btintel_reset_to_bootloader(hdev);
2376

2377
done:
2378
	release_firmware(fw);
2379
	return err;
2380
}
2381

2382
static int btintel_get_codec_config_data(struct hci_dev *hdev,
2383
					 __u8 link, struct bt_codec *codec,
2384
					 __u8 *ven_len, __u8 **ven_data)
2385
{
2386
	int err = 0;
2387

2388
	if (!ven_data || !ven_len)
2389
		return -EINVAL;
2390

2391
	*ven_len = 0;
2392
	*ven_data = NULL;
2393

2394
	if (link != ESCO_LINK) {
2395
		bt_dev_err(hdev, "Invalid link type(%u)", link);
2396
		return -EINVAL;
2397
	}
2398

2399
	*ven_data = kmalloc(sizeof(__u8), GFP_KERNEL);
2400
	if (!*ven_data) {
2401
		err = -ENOMEM;
2402
		goto error;
2403
	}
2404

2405
	/* supports only CVSD and mSBC offload codecs */
2406
	switch (codec->id) {
2407
	case 0x02:
2408
		**ven_data = 0x00;
2409
		break;
2410
	case 0x05:
2411
		**ven_data = 0x01;
2412
		break;
2413
	default:
2414
		err = -EINVAL;
2415
		bt_dev_err(hdev, "Invalid codec id(%u)", codec->id);
2416
		goto error;
2417
	}
2418
	/* codec and its capabilities are pre-defined to ids
2419
	 * preset id = 0x00 represents CVSD codec with sampling rate 8K
2420
	 * preset id = 0x01 represents mSBC codec with sampling rate 16K
2421
	 */
2422
	*ven_len = sizeof(__u8);
2423
	return err;
2424

2425
error:
2426
	kfree(*ven_data);
2427
	*ven_data = NULL;
2428
	return err;
2429
}
2430

2431
static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id)
2432
{
2433
	/* Intel uses 1 as data path id for all the usecases */
2434
	*data_path_id = 1;
2435
	return 0;
2436
}
2437

2438
static int btintel_configure_offload(struct hci_dev *hdev)
2439
{
2440
	struct sk_buff *skb;
2441
	int err = 0;
2442
	struct intel_offload_use_cases *use_cases;
2443

2444
	skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT);
2445
	if (IS_ERR(skb)) {
2446
		bt_dev_err(hdev, "Reading offload use cases failed (%ld)",
2447
			   PTR_ERR(skb));
2448
		return PTR_ERR(skb);
2449
	}
2450

2451
	if (skb->len < sizeof(*use_cases)) {
2452
		err = -EIO;
2453
		goto error;
2454
	}
2455

2456
	use_cases = (void *)skb->data;
2457

2458
	if (use_cases->status) {
2459
		err = -bt_to_errno(skb->data[0]);
2460
		goto error;
2461
	}
2462

2463
	if (use_cases->preset[0] & 0x03) {
2464
		hdev->get_data_path_id = btintel_get_data_path_id;
2465
		hdev->get_codec_config_data = btintel_get_codec_config_data;
2466
	}
2467
error:
2468
	kfree_skb(skb);
2469
	return err;
2470
}
2471

2472
static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver)
2473
{
2474
	struct sk_buff *skb;
2475
	struct hci_ppag_enable_cmd ppag_cmd;
2476
	acpi_handle handle;
2477
	struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL};
2478
	union acpi_object *p, *elements;
2479
	u32 domain, mode;
2480
	acpi_status status;
2481

2482
	/* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */
2483
	switch (ver->cnvr_top & 0xFFF) {
2484
	case 0x504:     /* Hrp2 */
2485
	case 0x202:     /* Jfp2 */
2486
	case 0x201:     /* Jfp1 */
2487
		bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)",
2488
			   ver->cnvr_top & 0xFFF);
2489
		return;
2490
	}
2491

2492
	handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2493
	if (!handle) {
2494
		bt_dev_info(hdev, "No support for BT device in ACPI firmware");
2495
		return;
2496
	}
2497

2498
	status = acpi_evaluate_object(handle, "PPAG", NULL, &buffer);
2499
	if (ACPI_FAILURE(status)) {
2500
		if (status == AE_NOT_FOUND) {
2501
			bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found");
2502
			return;
2503
		}
2504
		bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status));
2505
		return;
2506
	}
2507

2508
	p = buffer.pointer;
2509
	if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
2510
		bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d",
2511
			    p->type, p->package.count);
2512
		kfree(buffer.pointer);
2513
		return;
2514
	}
2515

2516
	elements = p->package.elements;
2517

2518
	/* PPAG table is located at element[1] */
2519
	p = &elements[1];
2520

2521
	domain = (u32)p->package.elements[0].integer.value;
2522
	mode = (u32)p->package.elements[1].integer.value;
2523
	kfree(buffer.pointer);
2524

2525
	if (domain != 0x12) {
2526
		bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware");
2527
		return;
2528
	}
2529

2530
	/* PPAG mode
2531
	 * BIT 0 : 0 Disabled in EU
2532
	 *         1 Enabled in EU
2533
	 * BIT 1 : 0 Disabled in China
2534
	 *         1 Enabled in China
2535
	 */
2536
	mode &= 0x03;
2537

2538
	if (!mode) {
2539
		bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in BIOS");
2540
		return;
2541
	}
2542

2543
	ppag_cmd.ppag_enable_flags = cpu_to_le32(mode);
2544

2545
	skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd),
2546
			     &ppag_cmd, HCI_CMD_TIMEOUT);
2547
	if (IS_ERR(skb)) {
2548
		bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb));
2549
		return;
2550
	}
2551
	bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", mode);
2552
	kfree_skb(skb);
2553
}
2554

2555
static int btintel_acpi_reset_method(struct hci_dev *hdev)
2556
{
2557
	int ret = 0;
2558
	acpi_status status;
2559
	union acpi_object *p, *ref;
2560
	struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
2561

2562
	status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer);
2563
	if (ACPI_FAILURE(status)) {
2564
		bt_dev_err(hdev, "Failed to run _PRR method");
2565
		ret = -ENODEV;
2566
		return ret;
2567
	}
2568
	p = buffer.pointer;
2569

2570
	if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) {
2571
		bt_dev_err(hdev, "Invalid arguments");
2572
		ret = -EINVAL;
2573
		goto exit_on_error;
2574
	}
2575

2576
	ref = &p->package.elements[0];
2577
	if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) {
2578
		bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type);
2579
		ret = -EINVAL;
2580
		goto exit_on_error;
2581
	}
2582

2583
	status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL);
2584
	if (ACPI_FAILURE(status)) {
2585
		bt_dev_err(hdev, "Failed to run_RST method");
2586
		ret = -ENODEV;
2587
		goto exit_on_error;
2588
	}
2589

2590
exit_on_error:
2591
	kfree(buffer.pointer);
2592
	return ret;
2593
}
2594

2595
static void btintel_set_dsm_reset_method(struct hci_dev *hdev,
2596
					 struct intel_version_tlv *ver_tlv)
2597
{
2598
	struct btintel_data *data = hci_get_priv(hdev);
2599
	acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2600
	u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00};
2601
	union acpi_object *obj, argv4;
2602
	enum {
2603
		RESET_TYPE_WDISABLE2,
2604
		RESET_TYPE_VSEC
2605
	};
2606

2607
	handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2608

2609
	if (!handle) {
2610
		bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware");
2611
		return;
2612
	}
2613

2614
	if (!acpi_has_method(handle, "_PRR")) {
2615
		bt_dev_err(hdev, "No support for _PRR ACPI method");
2616
		return;
2617
	}
2618

2619
	switch (ver_tlv->cnvi_top & 0xfff) {
2620
	case 0x910: /* GalePeak2 */
2621
		reset_payload[2] = RESET_TYPE_VSEC;
2622
		break;
2623
	default:
2624
		/* WDISABLE2 is the default reset method */
2625
		reset_payload[2] = RESET_TYPE_WDISABLE2;
2626

2627
		if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0,
2628
				    BIT(DSM_SET_WDISABLE2_DELAY))) {
2629
			bt_dev_err(hdev, "No dsm support to set reset delay");
2630
			return;
2631
		}
2632
		argv4.integer.type = ACPI_TYPE_INTEGER;
2633
		/* delay required to toggle BT power */
2634
		argv4.integer.value = 160;
2635
		obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0,
2636
					DSM_SET_WDISABLE2_DELAY, &argv4);
2637
		if (!obj) {
2638
			bt_dev_err(hdev, "Failed to call dsm to set reset delay");
2639
			return;
2640
		}
2641
		ACPI_FREE(obj);
2642
	}
2643

2644
	bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]);
2645

2646
	if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0,
2647
			    DSM_SET_RESET_METHOD)) {
2648
		bt_dev_warn(hdev, "No support for dsm to set reset method");
2649
		return;
2650
	}
2651
	argv4.buffer.type = ACPI_TYPE_BUFFER;
2652
	argv4.buffer.length = sizeof(reset_payload);
2653
	argv4.buffer.pointer = reset_payload;
2654

2655
	obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0,
2656
				DSM_SET_RESET_METHOD, &argv4);
2657
	if (!obj) {
2658
		bt_dev_err(hdev, "Failed to call dsm to set reset method");
2659
		return;
2660
	}
2661
	ACPI_FREE(obj);
2662
	data->acpi_reset_method = btintel_acpi_reset_method;
2663
}
2664

2665
#define BTINTEL_ISODATA_HANDLE_BASE 0x900
2666

2667
static u8 btintel_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb)
2668
{
2669
	/*
2670
	 * Distinguish ISO data packets form ACL data packets
2671
	 * based on their connection handle value range.
2672
	 */
2673
	if (iso_capable(hdev) && hci_skb_pkt_type(skb) == HCI_ACLDATA_PKT) {
2674
		__u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle);
2675

2676
		if (hci_handle(handle) >= BTINTEL_ISODATA_HANDLE_BASE)
2677
			return HCI_ISODATA_PKT;
2678
	}
2679

2680
	return hci_skb_pkt_type(skb);
2681
}
2682

2683
/*
2684
 * UefiCnvCommonDSBR UEFI variable provides information from the OEM platforms
2685
 * if they have replaced the BRI (Bluetooth Radio Interface) resistor to
2686
 * overcome the potential STEP errors on their designs. Based on the
2687
 * configauration, bluetooth firmware shall adjust the BRI response line drive
2688
 * strength. The below structure represents DSBR data.
2689
 * struct {
2690
 *	u8 header;
2691
 *	u32 dsbr;
2692
 * } __packed;
2693
 *
2694
 * header - defines revision number of the structure
2695
 * dsbr - defines drive strength BRI response
2696
 *	bit0
2697
 *		0 - instructs bluetooth firmware to use default values
2698
 *		1 - instructs bluetooth firmware to override default values
2699
 *	bit3:1
2700
 *		Reserved
2701
 *	bit7:4
2702
 *		DSBR override values (only if bit0 is set. Default value is 0xF
2703
 *	bit31:7
2704
 *		Reserved
2705
 * Expected values for dsbr field:
2706
 *	1. 0xF1 - indicates that the resistor on board is 33 Ohm
2707
 *	2. 0x00 or 0xB1 - indicates that the resistor on board is 10 Ohm
2708
 *	3. Non existing UEFI variable or invalid (none of the above) - indicates
2709
 *	   that the resistor on board is 10 Ohm
2710
 * Even if uefi variable is not present, driver shall send 0xfc0a command to
2711
 * firmware to use default values.
2712
 *
2713
 */
2714
static int btintel_uefi_get_dsbr(u32 *dsbr_var)
2715
{
2716
	struct btintel_dsbr {
2717
		u8 header;
2718
		u32 dsbr;
2719
	} __packed data;
2720

2721
	efi_status_t status;
2722
	unsigned long data_size = sizeof(data);
2723
	efi_guid_t guid = EFI_GUID(0xe65d8884, 0xd4af, 0x4b20, 0x8d, 0x03,
2724
				   0x77, 0x2e, 0xcc, 0x3d, 0xa5, 0x31);
2725

2726
	if (!IS_ENABLED(CONFIG_EFI))
2727
		return -EOPNOTSUPP;
2728

2729
	if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
2730
		return -EOPNOTSUPP;
2731

2732
	status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size,
2733
				  &data);
2734

2735
	if (status != EFI_SUCCESS || data_size != sizeof(data))
2736
		return -ENXIO;
2737

2738
	*dsbr_var = data.dsbr;
2739
	return 0;
2740
}
2741

2742
static int btintel_set_dsbr(struct hci_dev *hdev, struct intel_version_tlv *ver)
2743
{
2744
	struct btintel_dsbr_cmd {
2745
		u8 enable;
2746
		u8 dsbr;
2747
	} __packed;
2748

2749
	struct btintel_dsbr_cmd cmd;
2750
	struct sk_buff *skb;
2751
	u32 dsbr, cnvi;
2752
	u8 status;
2753
	int err;
2754

2755
	cnvi = ver->cnvi_top & 0xfff;
2756
	/* DSBR command needs to be sent for,
2757
	 * 1. BlazarI or BlazarIW + B0 step product in IML image.
2758
	 * 2. Gale Peak2 or BlazarU in OP image.
2759
	 * 3. Scorpious Peak in IML image.
2760
	 */
2761

2762
	switch (cnvi) {
2763
	case BTINTEL_CNVI_BLAZARI:
2764
	case BTINTEL_CNVI_BLAZARIW:
2765
		if (ver->img_type == BTINTEL_IMG_IML &&
2766
		    INTEL_CNVX_TOP_STEP(ver->cnvi_top) == 0x01)
2767
			break;
2768
		return 0;
2769
	case BTINTEL_CNVI_GAP:
2770
	case BTINTEL_CNVI_BLAZARU:
2771
		if (ver->img_type == BTINTEL_IMG_OP &&
2772
		    hdev->bus == HCI_USB)
2773
			break;
2774
		return 0;
2775
	case BTINTEL_CNVI_SCP:
2776
		if (ver->img_type == BTINTEL_IMG_IML)
2777
			break;
2778
		return 0;
2779
	default:
2780
		return 0;
2781
	}
2782

2783
	dsbr = 0;
2784
	err = btintel_uefi_get_dsbr(&dsbr);
2785
	if (err < 0)
2786
		bt_dev_dbg(hdev, "Error reading efi: %ls  (%d)",
2787
			   BTINTEL_EFI_DSBR, err);
2788

2789
	cmd.enable = dsbr & BIT(0);
2790
	cmd.dsbr = dsbr >> 4 & 0xF;
2791

2792
	bt_dev_info(hdev, "dsbr: enable: 0x%2.2x value: 0x%2.2x", cmd.enable,
2793
		    cmd.dsbr);
2794

2795
	skb = __hci_cmd_sync(hdev, 0xfc0a, sizeof(cmd), &cmd,  HCI_CMD_TIMEOUT);
2796
	if (IS_ERR(skb))
2797
		return -bt_to_errno(PTR_ERR(skb));
2798

2799
	status = skb->data[0];
2800
	kfree_skb(skb);
2801

2802
	if (status)
2803
		return -bt_to_errno(status);
2804

2805
	return 0;
2806
}
2807

2808
#ifdef CONFIG_ACPI
2809
static acpi_status btintel_evaluate_acpi_method(struct hci_dev *hdev,
2810
						acpi_string method,
2811
						union acpi_object **ptr,
2812
						u8 pkg_size)
2813
{
2814
	struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
2815
	union acpi_object *p;
2816
	acpi_status status;
2817
	acpi_handle handle;
2818

2819
	handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2820
	if (!handle) {
2821
		bt_dev_dbg(hdev, "ACPI-BT: No ACPI support for Bluetooth device");
2822
		return AE_NOT_EXIST;
2823
	}
2824

2825
	status = acpi_evaluate_object(handle, method, NULL, &buffer);
2826

2827
	if (ACPI_FAILURE(status)) {
2828
		bt_dev_dbg(hdev, "ACPI-BT: ACPI Failure: %s method: %s",
2829
			   acpi_format_exception(status), method);
2830
		return status;
2831
	}
2832

2833
	p = buffer.pointer;
2834

2835
	if (p->type != ACPI_TYPE_PACKAGE || p->package.count < pkg_size) {
2836
		bt_dev_warn(hdev, "ACPI-BT: Invalid object type: %d or package count: %d",
2837
			    p->type, p->package.count);
2838
		kfree(buffer.pointer);
2839
		return AE_ERROR;
2840
	}
2841

2842
	*ptr = buffer.pointer;
2843
	return 0;
2844
}
2845

2846
static union acpi_object *btintel_acpi_get_bt_pkg(union acpi_object *buffer)
2847
{
2848
	union acpi_object *domain, *bt_pkg;
2849
	int i;
2850

2851
	for (i = 1; i < buffer->package.count; i++) {
2852
		bt_pkg = &buffer->package.elements[i];
2853
		domain = &bt_pkg->package.elements[0];
2854
		if (domain->type == ACPI_TYPE_INTEGER &&
2855
		    domain->integer.value == BTINTEL_BT_DOMAIN)
2856
			return bt_pkg;
2857
	}
2858
	return ERR_PTR(-ENOENT);
2859
}
2860

2861
static int btintel_send_sar_ddc(struct hci_dev *hdev, struct btintel_cp_ddc_write *data, u8 len)
2862
{
2863
	struct sk_buff *skb;
2864

2865
	skb = __hci_cmd_sync(hdev, 0xfc8b, len, data, HCI_CMD_TIMEOUT);
2866
	if (IS_ERR(skb)) {
2867
		bt_dev_warn(hdev, "Failed to send sar ddc id:0x%4.4x (%ld)",
2868
			    le16_to_cpu(data->id), PTR_ERR(skb));
2869
		return PTR_ERR(skb);
2870
	}
2871
	kfree_skb(skb);
2872
	return 0;
2873
}
2874

2875
static int btintel_send_edr(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd,
2876
			    int id, struct btintel_sar_inc_pwr *sar)
2877
{
2878
	cmd->len = 5;
2879
	cmd->id = cpu_to_le16(id);
2880
	cmd->data[0] = sar->br >> 3;
2881
	cmd->data[1] = sar->edr2 >> 3;
2882
	cmd->data[2] = sar->edr3 >> 3;
2883
	return btintel_send_sar_ddc(hdev, cmd, 6);
2884
}
2885

2886
static int btintel_send_le(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd,
2887
			   int id, struct btintel_sar_inc_pwr *sar)
2888
{
2889
	cmd->len = 3;
2890
	cmd->id = cpu_to_le16(id);
2891
	cmd->data[0] = min3(sar->le, sar->le_lr, sar->le_2mhz) >> 3;
2892
	return btintel_send_sar_ddc(hdev, cmd, 4);
2893
}
2894

2895
static int btintel_send_br(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd,
2896
			   int id, struct btintel_sar_inc_pwr *sar)
2897
{
2898
	cmd->len = 3;
2899
	cmd->id = cpu_to_le16(id);
2900
	cmd->data[0] = sar->br >> 3;
2901
	return btintel_send_sar_ddc(hdev, cmd, 4);
2902
}
2903

2904
static int btintel_send_br_mutual(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd,
2905
				  int id, struct btintel_sar_inc_pwr *sar)
2906
{
2907
	cmd->len = 3;
2908
	cmd->id = cpu_to_le16(id);
2909
	cmd->data[0] = sar->br;
2910
	return btintel_send_sar_ddc(hdev, cmd, 4);
2911
}
2912

2913
static int btintel_send_edr2(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd,
2914
			     int id, struct btintel_sar_inc_pwr *sar)
2915
{
2916
	cmd->len = 3;
2917
	cmd->id = cpu_to_le16(id);
2918
	cmd->data[0] = sar->edr2;
2919
	return btintel_send_sar_ddc(hdev, cmd, 4);
2920
}
2921

2922
static int btintel_send_edr3(struct hci_dev *hdev, struct btintel_cp_ddc_write *cmd,
2923
			     int id, struct btintel_sar_inc_pwr *sar)
2924
{
2925
	cmd->len = 3;
2926
	cmd->id = cpu_to_le16(id);
2927
	cmd->data[0] = sar->edr3;
2928
	return btintel_send_sar_ddc(hdev, cmd, 4);
2929
}
2930

2931
static int btintel_set_legacy_sar(struct hci_dev *hdev, struct btintel_sar_inc_pwr *sar)
2932
{
2933
	struct btintel_cp_ddc_write *cmd;
2934
	u8 buffer[64];
2935
	int ret;
2936

2937
	cmd = (void *)buffer;
2938
	ret = btintel_send_br(hdev, cmd, 0x0131, sar);
2939
	if (ret)
2940
		return ret;
2941

2942
	ret = btintel_send_br(hdev, cmd, 0x0132, sar);
2943
	if (ret)
2944
		return ret;
2945

2946
	ret = btintel_send_le(hdev, cmd, 0x0133, sar);
2947
	if (ret)
2948
		return ret;
2949

2950
	ret = btintel_send_edr(hdev, cmd, 0x0137, sar);
2951
	if (ret)
2952
		return ret;
2953

2954
	ret = btintel_send_edr(hdev, cmd, 0x0138, sar);
2955
	if (ret)
2956
		return ret;
2957

2958
	ret = btintel_send_edr(hdev, cmd, 0x013b, sar);
2959
	if (ret)
2960
		return ret;
2961

2962
	ret = btintel_send_edr(hdev, cmd, 0x013c, sar);
2963

2964
	return ret;
2965
}
2966

2967
static int btintel_set_mutual_sar(struct hci_dev *hdev, struct btintel_sar_inc_pwr *sar)
2968
{
2969
	struct btintel_cp_ddc_write *cmd;
2970
	struct sk_buff *skb;
2971
	u8 buffer[64];
2972
	bool enable;
2973
	int ret;
2974

2975
	cmd = (void *)buffer;
2976

2977
	cmd->len = 3;
2978
	cmd->id = cpu_to_le16(0x019e);
2979

2980
	if (sar->revision == BTINTEL_SAR_INC_PWR &&
2981
	    sar->inc_power_mode == BTINTEL_SAR_INC_PWR_SUPPORTED)
2982
		cmd->data[0] = 0x01;
2983
	else
2984
		cmd->data[0] = 0x00;
2985

2986
	ret = btintel_send_sar_ddc(hdev, cmd, 4);
2987
	if (ret)
2988
		return ret;
2989

2990
	if (sar->revision == BTINTEL_SAR_INC_PWR &&
2991
	    sar->inc_power_mode == BTINTEL_SAR_INC_PWR_SUPPORTED) {
2992
		cmd->len = 3;
2993
		cmd->id = cpu_to_le16(0x019f);
2994
		cmd->data[0] = sar->sar_2400_chain_a;
2995

2996
		ret = btintel_send_sar_ddc(hdev, cmd, 4);
2997
		if (ret)
2998
			return ret;
2999
	}
3000

3001
	ret = btintel_send_br_mutual(hdev, cmd, 0x01a0, sar);
3002
	if (ret)
3003
		return ret;
3004

3005
	ret = btintel_send_edr2(hdev, cmd, 0x01a1, sar);
3006
	if (ret)
3007
		return ret;
3008

3009
	ret = btintel_send_edr3(hdev, cmd, 0x01a2, sar);
3010
	if (ret)
3011
		return ret;
3012

3013
	ret = btintel_send_le(hdev, cmd, 0x01a3, sar);
3014
	if (ret)
3015
		return ret;
3016

3017
	enable = true;
3018
	skb = __hci_cmd_sync(hdev, 0xfe25, 1, &enable, HCI_CMD_TIMEOUT);
3019
	if (IS_ERR(skb)) {
3020
		bt_dev_warn(hdev, "Failed to send Intel SAR Enable (%ld)", PTR_ERR(skb));
3021
		return PTR_ERR(skb);
3022
	}
3023

3024
	kfree_skb(skb);
3025
	return 0;
3026
}
3027

3028
static int btintel_sar_send_to_device(struct hci_dev *hdev, struct btintel_sar_inc_pwr *sar,
3029
				      struct intel_version_tlv *ver)
3030
{
3031
	u16 cnvi, cnvr;
3032
	int ret;
3033

3034
	cnvi = ver->cnvi_top & 0xfff;
3035
	cnvr = ver->cnvr_top & 0xfff;
3036

3037
	if (cnvi < BTINTEL_CNVI_BLAZARI && cnvr < BTINTEL_CNVR_FMP2) {
3038
		bt_dev_info(hdev, "Applying legacy Bluetooth SAR");
3039
		ret = btintel_set_legacy_sar(hdev, sar);
3040
	} else if (cnvi == BTINTEL_CNVI_GAP || cnvr == BTINTEL_CNVR_FMP2) {
3041
		bt_dev_info(hdev, "Applying mutual Bluetooth SAR");
3042
		ret = btintel_set_mutual_sar(hdev, sar);
3043
	} else {
3044
		ret = -EOPNOTSUPP;
3045
	}
3046

3047
	return ret;
3048
}
3049

3050
static int btintel_acpi_set_sar(struct hci_dev *hdev, struct intel_version_tlv *ver)
3051
{
3052
	union acpi_object *bt_pkg, *buffer = NULL;
3053
	struct btintel_sar_inc_pwr sar;
3054
	acpi_status status;
3055
	u8 revision;
3056
	int ret;
3057

3058
	status = btintel_evaluate_acpi_method(hdev, "BRDS", &buffer, 2);
3059
	if (ACPI_FAILURE(status))
3060
		return -ENOENT;
3061

3062
	bt_pkg = btintel_acpi_get_bt_pkg(buffer);
3063

3064
	if (IS_ERR(bt_pkg)) {
3065
		ret = PTR_ERR(bt_pkg);
3066
		goto error;
3067
	}
3068

3069
	if (!bt_pkg->package.count) {
3070
		ret = -EINVAL;
3071
		goto error;
3072
	}
3073

3074
	revision = buffer->package.elements[0].integer.value;
3075

3076
	if (revision > BTINTEL_SAR_INC_PWR) {
3077
		bt_dev_dbg(hdev, "BT_SAR: revision: 0x%2.2x not supported", revision);
3078
		ret = -EOPNOTSUPP;
3079
		goto error;
3080
	}
3081

3082
	memset(&sar, 0, sizeof(sar));
3083

3084
	if (revision == BTINTEL_SAR_LEGACY && bt_pkg->package.count == 8) {
3085
		sar.revision = revision;
3086
		sar.bt_sar_bios = bt_pkg->package.elements[1].integer.value;
3087
		sar.br = bt_pkg->package.elements[2].integer.value;
3088
		sar.edr2 = bt_pkg->package.elements[3].integer.value;
3089
		sar.edr3 = bt_pkg->package.elements[4].integer.value;
3090
		sar.le = bt_pkg->package.elements[5].integer.value;
3091
		sar.le_2mhz = bt_pkg->package.elements[6].integer.value;
3092
		sar.le_lr  = bt_pkg->package.elements[7].integer.value;
3093

3094
	} else if (revision == BTINTEL_SAR_INC_PWR && bt_pkg->package.count == 10) {
3095
		sar.revision = revision;
3096
		sar.bt_sar_bios = bt_pkg->package.elements[1].integer.value;
3097
		sar.inc_power_mode = bt_pkg->package.elements[2].integer.value;
3098
		sar.sar_2400_chain_a = bt_pkg->package.elements[3].integer.value;
3099
		sar.br = bt_pkg->package.elements[4].integer.value;
3100
		sar.edr2 = bt_pkg->package.elements[5].integer.value;
3101
		sar.edr3 = bt_pkg->package.elements[6].integer.value;
3102
		sar.le = bt_pkg->package.elements[7].integer.value;
3103
		sar.le_2mhz = bt_pkg->package.elements[8].integer.value;
3104
		sar.le_lr  = bt_pkg->package.elements[9].integer.value;
3105
	} else {
3106
		ret = -EINVAL;
3107
		goto error;
3108
	}
3109

3110
	/* Apply only if it is enabled in BIOS */
3111
	if (sar.bt_sar_bios != 1) {
3112
		bt_dev_dbg(hdev, "Bluetooth SAR is not enabled");
3113
		ret = -EOPNOTSUPP;
3114
		goto error;
3115
	}
3116

3117
	ret = btintel_sar_send_to_device(hdev, &sar, ver);
3118
error:
3119
	kfree(buffer);
3120
	return ret;
3121
}
3122
#endif /* CONFIG_ACPI */
3123

3124
static int btintel_set_specific_absorption_rate(struct hci_dev *hdev,
3125
						struct intel_version_tlv *ver)
3126
{
3127
#ifdef CONFIG_ACPI
3128
	return btintel_acpi_set_sar(hdev, ver);
3129
#endif
3130
	return 0;
3131
}
3132

3133
int btintel_bootloader_setup_tlv(struct hci_dev *hdev,
3134
				 struct intel_version_tlv *ver)
3135
{
3136
	u32 boot_param;
3137
	char ddcname[64];
3138
	int err;
3139
	struct intel_version_tlv new_ver;
3140

3141
	bt_dev_dbg(hdev, "");
3142

3143
	/* Set the default boot parameter to 0x0 and it is updated to
3144
	 * SKU specific boot parameter after reading Intel_Write_Boot_Params
3145
	 * command while downloading the firmware.
3146
	 */
3147
	boot_param = 0x00000000;
3148

3149
	/* In case of PCIe, this function might get called multiple times with
3150
	 * same hdev instance if there is any error on firmware download.
3151
	 * Need to clear stale bits of previous firmware download attempt.
3152
	 */
3153
	for (int i = 0; i < __INTEL_NUM_FLAGS; i++)
3154
		btintel_clear_flag(hdev, i);
3155

3156
	btintel_set_flag(hdev, INTEL_BOOTLOADER);
3157

3158
	err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param);
3159
	if (err)
3160
		return err;
3161

3162
	/* check if controller is already having an operational firmware */
3163
	if (ver->img_type == BTINTEL_IMG_OP)
3164
		goto finish;
3165

3166
	err = btintel_boot(hdev, boot_param);
3167
	if (err)
3168
		return err;
3169

3170
	err = btintel_read_version_tlv(hdev, ver);
3171
	if (err)
3172
		return err;
3173

3174
	/* set drive strength of BRI response */
3175
	err = btintel_set_dsbr(hdev, ver);
3176
	if (err) {
3177
		bt_dev_err(hdev, "Failed to send dsbr command (%d)", err);
3178
		return err;
3179
	}
3180

3181
	/* If image type returned is BTINTEL_IMG_IML, then controller supports
3182
	 * intermediate loader image
3183
	 */
3184
	if (ver->img_type == BTINTEL_IMG_IML) {
3185
		err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param);
3186
		if (err)
3187
			return err;
3188

3189
		err = btintel_boot(hdev, boot_param);
3190
		if (err)
3191
			return err;
3192
	}
3193

3194
	btintel_clear_flag(hdev, INTEL_BOOTLOADER);
3195

3196
	btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc");
3197
	/* Once the device is running in operational mode, it needs to
3198
	 * apply the device configuration (DDC) parameters.
3199
	 *
3200
	 * The device can work without DDC parameters, so even if it
3201
	 * fails to load the file, no need to fail the setup.
3202
	 */
3203
	btintel_load_ddc_config(hdev, ddcname);
3204

3205
	/* Read supported use cases and set callbacks to fetch datapath id */
3206
	btintel_configure_offload(hdev);
3207

3208
	hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
3209

3210
	/* Send sar values to controller */
3211
	btintel_set_specific_absorption_rate(hdev, ver);
3212

3213
	/* Set PPAG feature */
3214
	btintel_set_ppag(hdev, ver);
3215

3216
	/* Read the Intel version information after loading the FW  */
3217
	err = btintel_read_version_tlv(hdev, &new_ver);
3218
	if (err)
3219
		return err;
3220

3221
	btintel_version_info_tlv(hdev, &new_ver);
3222

3223
finish:
3224
	/* Set the event mask for Intel specific vendor events. This enables
3225
	 * a few extra events that are useful during general operation. It
3226
	 * does not enable any debugging related events.
3227
	 *
3228
	 * The device will function correctly without these events enabled
3229
	 * and thus no need to fail the setup.
3230
	 */
3231
	btintel_set_event_mask(hdev, false);
3232

3233
	return 0;
3234
}
3235
EXPORT_SYMBOL_GPL(btintel_bootloader_setup_tlv);
3236

3237
void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant)
3238
{
3239
	switch (hw_variant) {
3240
	/* Legacy bootloader devices that supports MSFT Extension */
3241
	case 0x11:	/* JfP */
3242
	case 0x12:	/* ThP */
3243
	case 0x13:	/* HrP */
3244
	case 0x14:	/* CcP */
3245
	/* All Intel new generation controllers support the Microsoft vendor
3246
	 * extension are using 0xFC1E for VsMsftOpCode.
3247
	 */
3248
	case 0x17:
3249
	case 0x18:
3250
	case 0x19:
3251
	case 0x1b:
3252
	case 0x1c:
3253
	case 0x1d:
3254
	case 0x1e:
3255
	case 0x1f:
3256
		hci_set_msft_opcode(hdev, 0xFC1E);
3257
		break;
3258
	default:
3259
		/* Not supported */
3260
		break;
3261
	}
3262
}
3263
EXPORT_SYMBOL_GPL(btintel_set_msft_opcode);
3264

3265
void btintel_print_fseq_info(struct hci_dev *hdev)
3266
{
3267
	struct sk_buff *skb;
3268
	u8 *p;
3269
	u32 val;
3270
	const char *str;
3271

3272
	skb = __hci_cmd_sync(hdev, 0xfcb3, 0, NULL, HCI_CMD_TIMEOUT);
3273
	if (IS_ERR(skb)) {
3274
		bt_dev_dbg(hdev, "Reading fseq status command failed (%ld)",
3275
			   PTR_ERR(skb));
3276
		return;
3277
	}
3278

3279
	if (skb->len < (sizeof(u32) * 16 + 2)) {
3280
		bt_dev_dbg(hdev, "Malformed packet of length %u received",
3281
			   skb->len);
3282
		kfree_skb(skb);
3283
		return;
3284
	}
3285

3286
	p = skb_pull_data(skb, 1);
3287
	if (*p) {
3288
		bt_dev_dbg(hdev, "Failed to get fseq status (0x%2.2x)", *p);
3289
		kfree_skb(skb);
3290
		return;
3291
	}
3292

3293
	p = skb_pull_data(skb, 1);
3294
	switch (*p) {
3295
	case 0:
3296
		str = "Success";
3297
		break;
3298
	case 1:
3299
		str = "Fatal error";
3300
		break;
3301
	case 2:
3302
		str = "Semaphore acquire error";
3303
		break;
3304
	default:
3305
		str = "Unknown error";
3306
		break;
3307
	}
3308

3309
	if (*p) {
3310
		bt_dev_err(hdev, "Fseq status: %s (0x%2.2x)", str, *p);
3311
		kfree_skb(skb);
3312
		return;
3313
	}
3314

3315
	bt_dev_info(hdev, "Fseq status: %s (0x%2.2x)", str, *p);
3316

3317
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3318
	bt_dev_dbg(hdev, "Reason: 0x%8.8x", val);
3319

3320
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3321
	bt_dev_dbg(hdev, "Global version: 0x%8.8x", val);
3322

3323
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3324
	bt_dev_dbg(hdev, "Installed version: 0x%8.8x", val);
3325

3326
	p = skb->data;
3327
	skb_pull_data(skb, 4);
3328
	bt_dev_info(hdev, "Fseq executed: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1],
3329
		    p[2], p[3]);
3330

3331
	p = skb->data;
3332
	skb_pull_data(skb, 4);
3333
	bt_dev_info(hdev, "Fseq BT Top: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1],
3334
		    p[2], p[3]);
3335

3336
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3337
	bt_dev_dbg(hdev, "Fseq Top init version: 0x%8.8x", val);
3338

3339
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3340
	bt_dev_dbg(hdev, "Fseq Cnvio init version: 0x%8.8x", val);
3341

3342
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3343
	bt_dev_dbg(hdev, "Fseq MBX Wifi file version: 0x%8.8x", val);
3344

3345
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3346
	bt_dev_dbg(hdev, "Fseq BT version: 0x%8.8x", val);
3347

3348
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3349
	bt_dev_dbg(hdev, "Fseq Top reset address: 0x%8.8x", val);
3350

3351
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3352
	bt_dev_dbg(hdev, "Fseq MBX timeout: 0x%8.8x", val);
3353

3354
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3355
	bt_dev_dbg(hdev, "Fseq MBX ack: 0x%8.8x", val);
3356

3357
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3358
	bt_dev_dbg(hdev, "Fseq CNVi id: 0x%8.8x", val);
3359

3360
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3361
	bt_dev_dbg(hdev, "Fseq CNVr id: 0x%8.8x", val);
3362

3363
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3364
	bt_dev_dbg(hdev, "Fseq Error handle: 0x%8.8x", val);
3365

3366
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3367
	bt_dev_dbg(hdev, "Fseq Magic noalive indication: 0x%8.8x", val);
3368

3369
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3370
	bt_dev_dbg(hdev, "Fseq OTP version: 0x%8.8x", val);
3371

3372
	val = get_unaligned_le32(skb_pull_data(skb, 4));
3373
	bt_dev_dbg(hdev, "Fseq MBX otp version: 0x%8.8x", val);
3374

3375
	kfree_skb(skb);
3376
}
3377
EXPORT_SYMBOL_GPL(btintel_print_fseq_info);
3378

3379
static int btintel_setup_combined(struct hci_dev *hdev)
3380
{
3381
	const u8 param[1] = { 0xFF };
3382
	struct intel_version ver;
3383
	struct intel_version_tlv ver_tlv;
3384
	struct sk_buff *skb;
3385
	int err;
3386

3387
	BT_DBG("%s", hdev->name);
3388

3389
	/* The some controllers have a bug with the first HCI command sent to it
3390
	 * returning number of completed commands as zero. This would stall the
3391
	 * command processing in the Bluetooth core.
3392
	 *
3393
	 * As a workaround, send HCI Reset command first which will reset the
3394
	 * number of completed commands and allow normal command processing
3395
	 * from now on.
3396
	 *
3397
	 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe
3398
	 * in the SW_RFKILL ON state as a workaround of fixing LED issue during
3399
	 * the shutdown() procedure, and once the device is in SW_RFKILL ON
3400
	 * state, the only way to exit out of it is sending the HCI_Reset
3401
	 * command.
3402
	 */
3403
	if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) ||
3404
	    btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
3405
		skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
3406
				     HCI_INIT_TIMEOUT);
3407
		if (IS_ERR(skb)) {
3408
			bt_dev_err(hdev,
3409
				   "sending initial HCI reset failed (%ld)",
3410
				   PTR_ERR(skb));
3411
			return PTR_ERR(skb);
3412
		}
3413
		kfree_skb(skb);
3414
	}
3415

3416
	/* Starting from TyP device, the command parameter and response are
3417
	 * changed even though the OCF for HCI_Intel_Read_Version command
3418
	 * remains same. The legacy devices can handle even if the
3419
	 * command has a parameter and returns a correct version information.
3420
	 * So, it uses new format to support both legacy and new format.
3421
	 */
3422
	skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
3423
	if (IS_ERR(skb)) {
3424
		bt_dev_err(hdev, "Reading Intel version command failed (%ld)",
3425
			   PTR_ERR(skb));
3426
		return PTR_ERR(skb);
3427
	}
3428

3429
	/* Check the status */
3430
	if (skb->data[0]) {
3431
		bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
3432
			   skb->data[0]);
3433
		err = -EIO;
3434
		goto exit_error;
3435
	}
3436

3437
	/* Apply the common HCI quirks for Intel device */
3438
	hci_set_quirk(hdev, HCI_QUIRK_STRICT_DUPLICATE_FILTER);
3439
	hci_set_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY);
3440
	hci_set_quirk(hdev, HCI_QUIRK_NON_PERSISTENT_DIAG);
3441

3442
	/* Set up the quality report callback for Intel devices */
3443
	hdev->set_quality_report = btintel_set_quality_report;
3444

3445
	/* For Legacy device, check the HW platform value and size */
3446
	if (skb->len == sizeof(ver) && skb->data[1] == 0x37) {
3447
		bt_dev_dbg(hdev, "Read the legacy Intel version information");
3448

3449
		memcpy(&ver, skb->data, sizeof(ver));
3450

3451
		/* Display version information */
3452
		btintel_version_info(hdev, &ver);
3453

3454
		/* Check for supported iBT hardware variants of this firmware
3455
		 * loading method.
3456
		 *
3457
		 * This check has been put in place to ensure correct forward
3458
		 * compatibility options when newer hardware variants come
3459
		 * along.
3460
		 */
3461
		switch (ver.hw_variant) {
3462
		case 0x07:	/* WP */
3463
		case 0x08:	/* StP */
3464
			/* Legacy ROM product */
3465
			btintel_set_flag(hdev, INTEL_ROM_LEGACY);
3466

3467
			/* Apply the device specific HCI quirks
3468
			 *
3469
			 * WBS for SdP - For the Legacy ROM products, only SdP
3470
			 * supports the WBS. But the version information is not
3471
			 * enough to use here because the StP2 and SdP have same
3472
			 * hw_variant and fw_variant. So, this flag is set by
3473
			 * the transport driver (btusb) based on the HW info
3474
			 * (idProduct)
3475
			 */
3476
			if (!btintel_test_flag(hdev,
3477
					       INTEL_ROM_LEGACY_NO_WBS_SUPPORT))
3478
				hci_set_quirk(hdev,
3479
					      HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED);
3480

3481
			err = btintel_legacy_rom_setup(hdev, &ver);
3482
			break;
3483
		case 0x0b:      /* SfP */
3484
		case 0x11:      /* JfP */
3485
		case 0x12:      /* ThP */
3486
		case 0x13:      /* HrP */
3487
		case 0x14:      /* CcP */
3488
			fallthrough;
3489
		case 0x0c:	/* WsP */
3490
			/* Apply the device specific HCI quirks
3491
			 *
3492
			 * All Legacy bootloader devices support WBS
3493
			 */
3494
			hci_set_quirk(hdev,
3495
				      HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED);
3496

3497
			/* These variants don't seem to support LE Coded PHY */
3498
			hci_set_quirk(hdev, HCI_QUIRK_BROKEN_LE_CODED);
3499

3500
			/* Setup MSFT Extension support */
3501
			btintel_set_msft_opcode(hdev, ver.hw_variant);
3502

3503
			err = btintel_bootloader_setup(hdev, &ver);
3504
			btintel_register_devcoredump_support(hdev);
3505
			break;
3506
		default:
3507
			bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
3508
				   ver.hw_variant);
3509
			err = -EINVAL;
3510
		}
3511

3512
		hci_set_hw_info(hdev,
3513
				"INTEL platform=%u variant=%u revision=%u",
3514
				ver.hw_platform, ver.hw_variant,
3515
				ver.hw_revision);
3516

3517
		goto exit_error;
3518
	}
3519

3520
	/* memset ver_tlv to start with clean state as few fields are exclusive
3521
	 * to bootloader mode and are not populated in operational mode
3522
	 */
3523
	memset(&ver_tlv, 0, sizeof(ver_tlv));
3524
	/* For TLV type device, parse the tlv data */
3525
	err = btintel_parse_version_tlv(hdev, &ver_tlv, skb);
3526
	if (err) {
3527
		bt_dev_err(hdev, "Failed to parse TLV version information");
3528
		goto exit_error;
3529
	}
3530

3531
	if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) {
3532
		bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
3533
			   INTEL_HW_PLATFORM(ver_tlv.cnvi_bt));
3534
		err = -EINVAL;
3535
		goto exit_error;
3536
	}
3537

3538
	/* Check for supported iBT hardware variants of this firmware
3539
	 * loading method.
3540
	 *
3541
	 * This check has been put in place to ensure correct forward
3542
	 * compatibility options when newer hardware variants come
3543
	 * along.
3544
	 */
3545
	switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) {
3546
	case 0x11:      /* JfP */
3547
	case 0x12:      /* ThP */
3548
	case 0x13:      /* HrP */
3549
	case 0x14:      /* CcP */
3550
		/* Some legacy bootloader devices starting from JfP,
3551
		 * the operational firmware supports both old and TLV based
3552
		 * HCI_Intel_Read_Version command based on the command
3553
		 * parameter.
3554
		 *
3555
		 * For upgrading firmware case, the TLV based version cannot
3556
		 * be used because the firmware filename for legacy bootloader
3557
		 * is based on the old format.
3558
		 *
3559
		 * Also, it is not easy to convert TLV based version from the
3560
		 * legacy version format.
3561
		 *
3562
		 * So, as a workaround for those devices, use the legacy
3563
		 * HCI_Intel_Read_Version to get the version information and
3564
		 * run the legacy bootloader setup.
3565
		 */
3566
		err = btintel_read_version(hdev, &ver);
3567
		if (err)
3568
			break;
3569

3570
		/* Apply the device specific HCI quirks
3571
		 *
3572
		 * All Legacy bootloader devices support WBS
3573
		 */
3574
		hci_set_quirk(hdev, HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED);
3575

3576
		/* These variants don't seem to support LE Coded PHY */
3577
		hci_set_quirk(hdev, HCI_QUIRK_BROKEN_LE_CODED);
3578

3579
		/* Setup MSFT Extension support */
3580
		btintel_set_msft_opcode(hdev, ver.hw_variant);
3581

3582
		err = btintel_bootloader_setup(hdev, &ver);
3583
		btintel_register_devcoredump_support(hdev);
3584
		break;
3585
	case 0x18: /* GfP2 */
3586
	case 0x1c: /* GaP */
3587
		/* Re-classify packet type for controllers with LE audio */
3588
		hdev->classify_pkt_type = btintel_classify_pkt_type;
3589
		fallthrough;
3590
	case 0x17:
3591
	case 0x19:
3592
	case 0x1b:
3593
	case 0x1d:
3594
	case 0x1e:
3595
	case 0x1f:
3596
		/* Display version information of TLV type */
3597
		btintel_version_info_tlv(hdev, &ver_tlv);
3598

3599
		/* Apply the device specific HCI quirks for TLV based devices
3600
		 *
3601
		 * All TLV based devices support WBS
3602
		 */
3603
		hci_set_quirk(hdev, HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED);
3604

3605
		/* Setup MSFT Extension support */
3606
		btintel_set_msft_opcode(hdev,
3607
					INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
3608
		btintel_set_dsm_reset_method(hdev, &ver_tlv);
3609

3610
		err = btintel_bootloader_setup_tlv(hdev, &ver_tlv);
3611
		if (err)
3612
			goto exit_error;
3613

3614
		btintel_register_devcoredump_support(hdev);
3615
		btintel_print_fseq_info(hdev);
3616
		break;
3617
	default:
3618
		bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
3619
			   INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
3620
		err = -EINVAL;
3621
		break;
3622
	}
3623

3624
	hci_set_hw_info(hdev, "INTEL platform=%u variant=%u",
3625
			INTEL_HW_PLATFORM(ver_tlv.cnvi_bt),
3626
			INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
3627

3628
exit_error:
3629
	kfree_skb(skb);
3630

3631
	return err;
3632
}
3633

3634
int btintel_shutdown_combined(struct hci_dev *hdev)
3635
{
3636
	struct sk_buff *skb;
3637
	int ret;
3638

3639
	/* Send HCI Reset to the controller to stop any BT activity which
3640
	 * were triggered. This will help to save power and maintain the
3641
	 * sync b/w Host and controller
3642
	 */
3643
	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
3644
	if (IS_ERR(skb)) {
3645
		bt_dev_err(hdev, "HCI reset during shutdown failed");
3646
		return PTR_ERR(skb);
3647
	}
3648
	kfree_skb(skb);
3649

3650

3651
	/* Some platforms have an issue with BT LED when the interface is
3652
	 * down or BT radio is turned off, which takes 5 seconds to BT LED
3653
	 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the
3654
	 * device in the RFKILL ON state which turns off the BT LED immediately.
3655
	 */
3656
	if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
3657
		skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
3658
		if (IS_ERR(skb)) {
3659
			ret = PTR_ERR(skb);
3660
			bt_dev_err(hdev, "turning off Intel device LED failed");
3661
			return ret;
3662
		}
3663
		kfree_skb(skb);
3664
	}
3665

3666
	return 0;
3667
}
3668
EXPORT_SYMBOL_GPL(btintel_shutdown_combined);
3669

3670
int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name)
3671
{
3672
	hdev->manufacturer = 2;
3673
	hdev->setup = btintel_setup_combined;
3674
	hdev->shutdown = btintel_shutdown_combined;
3675
	hdev->hw_error = btintel_hw_error;
3676
	hdev->set_diag = btintel_set_diag_combined;
3677
	hdev->set_bdaddr = btintel_set_bdaddr;
3678

3679
	coredump_info.driver_name = driver_name;
3680

3681
	return 0;
3682
}
3683
EXPORT_SYMBOL_GPL(btintel_configure_setup);
3684

3685
static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb)
3686
{
3687
	struct intel_tlv *tlv = (void *)&skb->data[5];
3688

3689
	/* The first event is always an event type TLV */
3690
	if (tlv->type != INTEL_TLV_TYPE_ID)
3691
		goto recv_frame;
3692

3693
	switch (tlv->val[0]) {
3694
	case INTEL_TLV_SYSTEM_EXCEPTION:
3695
	case INTEL_TLV_FATAL_EXCEPTION:
3696
	case INTEL_TLV_DEBUG_EXCEPTION:
3697
	case INTEL_TLV_TEST_EXCEPTION:
3698
		/* Generate devcoredump from exception */
3699
		if (!hci_devcd_init(hdev, skb->len)) {
3700
			hci_devcd_append(hdev, skb_clone(skb, GFP_ATOMIC));
3701
			hci_devcd_complete(hdev);
3702
		} else {
3703
			bt_dev_err(hdev, "Failed to generate devcoredump");
3704
		}
3705
	break;
3706
	default:
3707
		bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]);
3708
	}
3709

3710
recv_frame:
3711
	return hci_recv_frame(hdev, skb);
3712
}
3713

3714
int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb)
3715
{
3716
	struct hci_event_hdr *hdr = (void *)skb->data;
3717
	const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 };
3718

3719
	if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff &&
3720
	    hdr->plen > 0) {
3721
		const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1;
3722
		unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1;
3723

3724
		if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
3725
			switch (skb->data[2]) {
3726
			case 0x02:
3727
				/* When switching to the operational firmware
3728
				 * the device sends a vendor specific event
3729
				 * indicating that the bootup completed.
3730
				 */
3731
				btintel_bootup(hdev, ptr, len);
3732
				kfree_skb(skb);
3733
				return 0;
3734
			case 0x06:
3735
				/* When the firmware loading completes the
3736
				 * device sends out a vendor specific event
3737
				 * indicating the result of the firmware
3738
				 * loading.
3739
				 */
3740
				btintel_secure_send_result(hdev, ptr, len);
3741
				kfree_skb(skb);
3742
				return 0;
3743
			}
3744
		}
3745

3746
		/* Handle all diagnostics events separately. May still call
3747
		 * hci_recv_frame.
3748
		 */
3749
		if (len >= sizeof(diagnostics_hdr) &&
3750
		    memcmp(&skb->data[2], diagnostics_hdr,
3751
			   sizeof(diagnostics_hdr)) == 0) {
3752
			return btintel_diagnostics(hdev, skb);
3753
		}
3754
	}
3755

3756
	return hci_recv_frame(hdev, skb);
3757
}
3758
EXPORT_SYMBOL_GPL(btintel_recv_event);
3759

3760
void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len)
3761
{
3762
	const struct intel_bootup *evt = ptr;
3763

3764
	if (len != sizeof(*evt))
3765
		return;
3766

3767
	if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING))
3768
		btintel_wake_up_flag(hdev, INTEL_BOOTING);
3769
}
3770
EXPORT_SYMBOL_GPL(btintel_bootup);
3771

3772
void btintel_secure_send_result(struct hci_dev *hdev,
3773
				const void *ptr, unsigned int len)
3774
{
3775
	const struct intel_secure_send_result *evt = ptr;
3776

3777
	if (len != sizeof(*evt))
3778
		return;
3779

3780
	if (evt->result)
3781
		btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED);
3782

3783
	if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) &&
3784
	    btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED))
3785
		btintel_wake_up_flag(hdev, INTEL_DOWNLOADING);
3786
}
3787
EXPORT_SYMBOL_GPL(btintel_secure_send_result);
3788

3789
MODULE_AUTHOR("Marcel Holtmann <[email protected]>");
3790
MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
3791
MODULE_VERSION(VERSION);
3792
MODULE_LICENSE("GPL");
3793
MODULE_FIRMWARE("intel/ibt-11-5.sfi");
3794
MODULE_FIRMWARE("intel/ibt-11-5.ddc");
3795
MODULE_FIRMWARE("intel/ibt-12-16.sfi");
3796
MODULE_FIRMWARE("intel/ibt-12-16.ddc");
3797

3798