[linux-2.6-block.git] / drivers / firmware / efi / capsule.c

/*
 * EFI capsule support.
 *
 * Copyright 2013 Intel Corporation; author Matt Fleming
 *
 * This file is part of the Linux kernel, and is made available under
 * the terms of the GNU General Public License version 2.
 */

#define pr_fmt(fmt) "efi: " fmt

#include <linux/slab.h>
#include <linux/mutex.h>
#include <linux/highmem.h>
#include <linux/efi.h>
#include <linux/vmalloc.h>
#include <asm/io.h>

typedef struct {
	u64 length;
	u64 data;
} efi_capsule_block_desc_t;

static bool capsule_pending;
static bool stop_capsules;
static int efi_reset_type = -1;

/*
 * capsule_mutex serialises access to both capsule_pending and
 * efi_reset_type and stop_capsules.
 */
static DEFINE_MUTEX(capsule_mutex);

/**
 * efi_capsule_pending - has a capsule been passed to the firmware?
 * @reset_type: store the type of EFI reset if capsule is pending
 *
 * To ensure that the registered capsule is processed correctly by the
 * firmware we need to perform a specific type of reset. If a capsule is
 * pending return the reset type in @reset_type.
 *
 * This function will race with callers of efi_capsule_update(), for
 * example, calling this function while somebody else is in
 * efi_capsule_update() but hasn't reached efi_capsue_update_locked()
 * will miss the updates to capsule_pending and efi_reset_type after
 * efi_capsule_update_locked() completes.
 *
 * A non-racy use is from platform reboot code because we use
 * system_state to ensure no capsules can be sent to the firmware once
 * we're at SYSTEM_RESTART. See efi_capsule_update_locked().
 */
bool efi_capsule_pending(int *reset_type)
{
	if (!capsule_pending)
		return false;

	if (reset_type)
		*reset_type = efi_reset_type;

	return true;
}

/*
 * Whitelist of EFI capsule flags that we support.
 *
 * We do not handle EFI_CAPSULE_INITIATE_RESET because that would
 * require us to prepare the kernel for reboot. Refuse to load any
 * capsules with that flag and any other flags that we do not know how
 * to handle.
 */
#define EFI_CAPSULE_SUPPORTED_FLAG_MASK			\
	(EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE)

/**
 * efi_capsule_supported - does the firmware support the capsule?
 * @guid: vendor guid of capsule
 * @flags: capsule flags
 * @size: size of capsule data
 * @reset: the reset type required for this capsule
 *
 * Check whether a capsule with @flags is supported by the firmware
 * and that @size doesn't exceed the maximum size for a capsule.
 *
 * No attempt is made to check @reset against the reset type required
 * by any pending capsules because of the races involved.
 */
int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
{
	efi_capsule_header_t *capsule;
	efi_status_t status;
	u64 max_size;
	int rv = 0;

	if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
		return -EINVAL;

	capsule = kmalloc(sizeof(*capsule), GFP_KERNEL);
	if (!capsule)
		return -ENOMEM;

	capsule->headersize = capsule->imagesize = sizeof(*capsule);
	memcpy(&capsule->guid, &guid, sizeof(efi_guid_t));
	capsule->flags = flags;

	status = efi.query_capsule_caps(&capsule, 1, &max_size, reset);
	if (status != EFI_SUCCESS) {
		rv = efi_status_to_err(status);
		goto out;
	}

	if (size > max_size)
		rv = -ENOSPC;
out:
	kfree(capsule);
	return rv;
}
EXPORT_SYMBOL_GPL(efi_capsule_supported);

/*
 * Every scatter gather list (block descriptor) page must end with a
 * continuation pointer. The last continuation pointer of the last
 * page must be zero to mark the end of the chain.
 */
#define SGLIST_PER_PAGE	((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1)

/*
 * How many scatter gather list (block descriptor) pages do we need
 * to map @count pages?
 */
static inline unsigned int sg_pages_num(unsigned int count)
{
	return DIV_ROUND_UP(count, SGLIST_PER_PAGE);
}

/**
 * efi_capsule_update_locked - pass a single capsule to the firmware
 * @capsule: capsule to send to the firmware
 * @sg_pages: array of scatter gather (block descriptor) pages
 * @reset: the reset type required for @capsule
 *
 * Since this function must be called under capsule_mutex check
 * whether efi_reset_type will conflict with @reset, and atomically
 * set it and capsule_pending if a capsule was successfully sent to
 * the firmware.
 *
 * We also check to see if the system is about to restart, and if so,
 * abort. This avoids races between efi_capsule_update() and
 * efi_capsule_pending().
 */
static int
efi_capsule_update_locked(efi_capsule_header_t *capsule,
			  struct page **sg_pages, int reset)
{
	efi_physical_addr_t sglist_phys;
	efi_status_t status;

	lockdep_assert_held(&capsule_mutex);

	/*
	 * If someone has already registered a capsule that requires a
	 * different reset type, we're out of luck and must abort.
	 */
	if (efi_reset_type >= 0 && efi_reset_type != reset) {
		pr_err("Conflicting capsule reset type %d (%d).\n",
		       reset, efi_reset_type);
		return -EINVAL;
	}

	/*
	 * If the system is getting ready to restart it may have
	 * called efi_capsule_pending() to make decisions (such as
	 * whether to force an EFI reboot), and we're racing against
	 * that call. Abort in that case.
	 */
	if (unlikely(stop_capsules)) {
		pr_warn("Capsule update raced with reboot, aborting.\n");
		return -EINVAL;
	}

	sglist_phys = page_to_phys(sg_pages[0]);

	status = efi.update_capsule(&capsule, 1, sglist_phys);
	if (status == EFI_SUCCESS) {
		capsule_pending = true;
		efi_reset_type = reset;
	}

	return efi_status_to_err(status);
}

/**
 * efi_capsule_update - send a capsule to the firmware
 * @capsule: capsule to send to firmware
 * @pages: an array of capsule data pages
 *
 * Build a scatter gather list with EFI capsule block descriptors to
 * map the capsule described by @capsule with its data in @pages and
 * send it to the firmware via the UpdateCapsule() runtime service.
 *
 * @capsule must be a virtual mapping of the first page in @pages
 * (@pages[0]) in the kernel address space. That is, a
 * capsule_header_t that describes the entire contents of the capsule
 * must be at the start of the first data page.
 *
 * Even though this function will validate that the firmware supports
 * the capsule guid, users will likely want to check that
 * efi_capsule_supported() returns true before calling this function
 * because it makes it easier to print helpful error messages.
 *
 * If the capsule is successfully submitted to the firmware, any
 * subsequent calls to efi_capsule_pending() will return true. @pages
 * must not be released or modified if this function returns
 * successfully.
 *
 * Callers must be prepared for this function to fail, which can
 * happen if we raced with system reboot or if there is already a
 * pending capsule that has a reset type that conflicts with the one
 * required by @capsule. Do NOT use efi_capsule_pending() to detect
 * this conflict since that would be racy. Instead, submit the capsule
 * to efi_capsule_update() and check the return value.
 *
 * Return 0 on success, a converted EFI status code on failure.
 */
int efi_capsule_update(efi_capsule_header_t *capsule, struct page **pages)
{
	u32 imagesize = capsule->imagesize;
	efi_guid_t guid = capsule->guid;
	unsigned int count, sg_count;
	u32 flags = capsule->flags;
	struct page **sg_pages;
	int rv, reset_type;
	int i, j;

	rv = efi_capsule_supported(guid, flags, imagesize, &reset_type);
	if (rv)
		return rv;

	count = DIV_ROUND_UP(imagesize, PAGE_SIZE);
	sg_count = sg_pages_num(count);

	sg_pages = kzalloc(sg_count * sizeof(*sg_pages), GFP_KERNEL);
	if (!sg_pages)
		return -ENOMEM;

	for (i = 0; i < sg_count; i++) {
		sg_pages[i] = alloc_page(GFP_KERNEL);
		if (!sg_pages[i]) {
			rv = -ENOMEM;
			goto out;
		}
	}

	for (i = 0; i < sg_count; i++) {
		efi_capsule_block_desc_t *sglist;

		sglist = kmap(sg_pages[i]);
		if (!sglist) {
			rv = -ENOMEM;
			goto out;
		}

		for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) {
			u64 sz = min_t(u64, imagesize, PAGE_SIZE);

			sglist[j].length = sz;
			sglist[j].data = page_to_phys(*pages++);

			imagesize -= sz;
			count--;
		}

		/* Continuation pointer */
		sglist[j].length = 0;

		if (i + 1 == sg_count)
			sglist[j].data = 0;
		else
			sglist[j].data = page_to_phys(sg_pages[i + 1]);

		kunmap(sg_pages[i]);
	}

	mutex_lock(&capsule_mutex);
	rv = efi_capsule_update_locked(capsule, sg_pages, reset_type);
	mutex_unlock(&capsule_mutex);

out:
	for (i = 0; rv && i < sg_count; i++) {
		if (sg_pages[i])
			__free_page(sg_pages[i]);
	}

	kfree(sg_pages);
	return rv;
}
EXPORT_SYMBOL_GPL(efi_capsule_update);

static int capsule_reboot_notify(struct notifier_block *nb, unsigned long event, void *cmd)
{
	mutex_lock(&capsule_mutex);
	stop_capsules = true;
	mutex_unlock(&capsule_mutex);

	return NOTIFY_DONE;
}

static struct notifier_block capsule_reboot_nb = {
	.notifier_call = capsule_reboot_notify,
};

static int __init capsule_reboot_register(void)
{
	return register_reboot_notifier(&capsule_reboot_nb);
}
core_initcall(capsule_reboot_register);
Commit	Line	Data
f0133f3c MF	1	/*
	2	* EFI capsule support.
	3	*
	4	* Copyright 2013 Intel Corporation; author Matt Fleming
	5	*
	6	* This file is part of the Linux kernel, and is made available under
	7	* the terms of the GNU General Public License version 2.
	8	*/
	9
	10	#define pr_fmt(fmt) "efi: " fmt
	11
	12	#include <linux/slab.h>
	13	#include <linux/mutex.h>
	14	#include <linux/highmem.h>
	15	#include <linux/efi.h>
	16	#include <linux/vmalloc.h>
	17	#include <asm/io.h>
	18
	19	typedef struct {
	20	u64 length;
	21	u64 data;
	22	} efi_capsule_block_desc_t;
	23
	24	static bool capsule_pending;
62075e58	25	static bool stop_capsules;
f0133f3c MF	26	static int efi_reset_type = -1;
	27
	28	/*
	29	* capsule_mutex serialises access to both capsule_pending and
62075e58	30	* efi_reset_type and stop_capsules.
f0133f3c MF	31	*/
	32	static DEFINE_MUTEX(capsule_mutex);
	33
	34	/**
	35	* efi_capsule_pending - has a capsule been passed to the firmware?
	36	* @reset_type: store the type of EFI reset if capsule is pending
	37	*
	38	* To ensure that the registered capsule is processed correctly by the
	39	* firmware we need to perform a specific type of reset. If a capsule is
	40	* pending return the reset type in @reset_type.
	41	*
	42	* This function will race with callers of efi_capsule_update(), for
	43	* example, calling this function while somebody else is in
	44	* efi_capsule_update() but hasn't reached efi_capsue_update_locked()
	45	* will miss the updates to capsule_pending and efi_reset_type after
	46	* efi_capsule_update_locked() completes.
	47	*
	48	* A non-racy use is from platform reboot code because we use
	49	* system_state to ensure no capsules can be sent to the firmware once
	50	* we're at SYSTEM_RESTART. See efi_capsule_update_locked().
	51	*/
	52	bool efi_capsule_pending(int *reset_type)
	53	{
f0133f3c	54	if (!capsule_pending)
62075e58	55	return false;
f0133f3c MF	56
	57	if (reset_type)
	58	*reset_type = efi_reset_type;
62075e58 MF	59
62075e58 MF	60	return true;
f0133f3c MF	61	}
	62
	63	/*
	64	* Whitelist of EFI capsule flags that we support.
	65	*
	66	* We do not handle EFI_CAPSULE_INITIATE_RESET because that would
	67	* require us to prepare the kernel for reboot. Refuse to load any
	68	* capsules with that flag and any other flags that we do not know how
	69	* to handle.
	70	*/
	71	#define EFI_CAPSULE_SUPPORTED_FLAG_MASK \
	72	(EFI_CAPSULE_PERSIST_ACROSS_RESET \| EFI_CAPSULE_POPULATE_SYSTEM_TABLE)
	73
	74	/**
	75	* efi_capsule_supported - does the firmware support the capsule?
	76	* @guid: vendor guid of capsule
	77	* @flags: capsule flags
	78	* @size: size of capsule data
	79	* @reset: the reset type required for this capsule
	80	*
	81	* Check whether a capsule with @flags is supported by the firmware
	82	* and that @size doesn't exceed the maximum size for a capsule.
	83	*
	84	* No attempt is made to check @reset against the reset type required
	85	* by any pending capsules because of the races involved.
	86	*/
	87	int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
	88	{
	89	efi_capsule_header_t *capsule;
	90	efi_status_t status;
	91	u64 max_size;
	92	int rv = 0;
	93
	94	if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
	95	return -EINVAL;
	96
	97	capsule = kmalloc(sizeof(*capsule), GFP_KERNEL);
	98	if (!capsule)
	99	return -ENOMEM;
	100
	101	capsule->headersize = capsule->imagesize = sizeof(*capsule);
	102	memcpy(&capsule->guid, &guid, sizeof(efi_guid_t));
	103	capsule->flags = flags;
	104
	105	status = efi.query_capsule_caps(&capsule, 1, &max_size, reset);
	106	if (status != EFI_SUCCESS) {
	107	rv = efi_status_to_err(status);
	108	goto out;
	109	}
	110
	111	if (size > max_size)
	112	rv = -ENOSPC;
	113	out:
	114	kfree(capsule);
	115	return rv;
	116	}
	117	EXPORT_SYMBOL_GPL(efi_capsule_supported);
	118
	119	/*
	120	* Every scatter gather list (block descriptor) page must end with a
	121	* continuation pointer. The last continuation pointer of the last
	122	* page must be zero to mark the end of the chain.
	123	*/
	124	#define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1)
125
126	/*
127	* How many scatter gather list (block descriptor) pages do we need
128	* to map @count pages?
129	*/
130	static inline unsigned int sg_pages_num(unsigned int count)
131	{
132	return DIV_ROUND_UP(count, SGLIST_PER_PAGE);
133	}
134
135	/**
136	* efi_capsule_update_locked - pass a single capsule to the firmware
137	* @capsule: capsule to send to the firmware
138	* @sg_pages: array of scatter gather (block descriptor) pages
139	* @reset: the reset type required for @capsule
140	*
141	* Since this function must be called under capsule_mutex check
142	* whether efi_reset_type will conflict with @reset, and atomically
143	* set it and capsule_pending if a capsule was successfully sent to
144	* the firmware.
145	*
146	* We also check to see if the system is about to restart, and if so,
147	* abort. This avoids races between efi_capsule_update() and
148	* efi_capsule_pending().
149	*/
150	static int
151	efi_capsule_update_locked(efi_capsule_header_t *capsule,
152	struct page **sg_pages, int reset)
153	{
154	efi_physical_addr_t sglist_phys;
155	efi_status_t status;
156
157	lockdep_assert_held(&capsule_mutex);
158
159	/*
160	* If someone has already registered a capsule that requires a
161	* different reset type, we're out of luck and must abort.
162	*/
163	if (efi_reset_type >= 0 && efi_reset_type != reset) {
164	pr_err("Conflicting capsule reset type %d (%d).\n",
165	reset, efi_reset_type);
166	return -EINVAL;
167	}
168
169	/*
170	* If the system is getting ready to restart it may have
171	* called efi_capsule_pending() to make decisions (such as
172	* whether to force an EFI reboot), and we're racing against
173	* that call. Abort in that case.
174	*/
62075e58	175	if (unlikely(stop_capsules)) {
f0133f3c MF	176	pr_warn("Capsule update raced with reboot, aborting.\n");
	177	return -EINVAL;
	178	}
	179
	180	sglist_phys = page_to_phys(sg_pages[0]);
	181
	182	status = efi.update_capsule(&capsule, 1, sglist_phys);
	183	if (status == EFI_SUCCESS) {
	184	capsule_pending = true;
	185	efi_reset_type = reset;
	186	}
	187
	188	return efi_status_to_err(status);
	189	}
	190
	191	/**
	192	* efi_capsule_update - send a capsule to the firmware
	193	* @capsule: capsule to send to firmware
	194	* @pages: an array of capsule data pages
	195	*
	196	* Build a scatter gather list with EFI capsule block descriptors to
	197	* map the capsule described by @capsule with its data in @pages and
	198	* send it to the firmware via the UpdateCapsule() runtime service.
	199	*
	200	* @capsule must be a virtual mapping of the first page in @pages
	201	* (@pages[0]) in the kernel address space. That is, a
	202	* capsule_header_t that describes the entire contents of the capsule
	203	* must be at the start of the first data page.
	204	*
	205	* Even though this function will validate that the firmware supports
	206	* the capsule guid, users will likely want to check that
	207	* efi_capsule_supported() returns true before calling this function
	208	* because it makes it easier to print helpful error messages.
	209	*
	210	* If the capsule is successfully submitted to the firmware, any
	211	* subsequent calls to efi_capsule_pending() will return true. @pages
	212	* must not be released or modified if this function returns
	213	* successfully.
	214	*
	215	* Callers must be prepared for this function to fail, which can
	216	* happen if we raced with system reboot or if there is already a
	217	* pending capsule that has a reset type that conflicts with the one
	218	* required by @capsule. Do NOT use efi_capsule_pending() to detect
	219	* this conflict since that would be racy. Instead, submit the capsule
	220	* to efi_capsule_update() and check the return value.
	221	*
	222	* Return 0 on success, a converted EFI status code on failure.
	223	*/
	224	int efi_capsule_update(efi_capsule_header_t capsule, struct page *pages)
	225	{
	226	u32 imagesize = capsule->imagesize;
	227	efi_guid_t guid = capsule->guid;
	228	unsigned int count, sg_count;
	229	u32 flags = capsule->flags;
	230	struct page **sg_pages;
	231	int rv, reset_type;
	232	int i, j;
	233
	234	rv = efi_capsule_supported(guid, flags, imagesize, &reset_type);
	235	if (rv)
	236	return rv;
	237
	238	count = DIV_ROUND_UP(imagesize, PAGE_SIZE);
	239	sg_count = sg_pages_num(count);
240
241	sg_pages = kzalloc(sg_count * sizeof(*sg_pages), GFP_KERNEL);
242	if (!sg_pages)
243	return -ENOMEM;
244
245	for (i = 0; i < sg_count; i++) {
246	sg_pages[i] = alloc_page(GFP_KERNEL);
247	if (!sg_pages[i]) {
248	rv = -ENOMEM;
249	goto out;
250	}
251	}
252
253	for (i = 0; i < sg_count; i++) {
254	efi_capsule_block_desc_t *sglist;
255
256	sglist = kmap(sg_pages[i]);
257	if (!sglist) {
258	rv = -ENOMEM;
259	goto out;
260	}
261
262	for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) {
263	u64 sz = min_t(u64, imagesize, PAGE_SIZE);
264
265	sglist[j].length = sz;
266	sglist[j].data = page_to_phys(*pages++);
267
268	imagesize -= sz;
269	count--;
270	}
271
272	/* Continuation pointer */
273	sglist[j].length = 0;
274
275	if (i + 1 == sg_count)
276	sglist[j].data = 0;
277	else
278	sglist[j].data = page_to_phys(sg_pages[i + 1]);
279
280	kunmap(sg_pages[i]);
281	}
282
283	mutex_lock(&capsule_mutex);
284	rv = efi_capsule_update_locked(capsule, sg_pages, reset_type);
285	mutex_unlock(&capsule_mutex);
286
287	out:
288	for (i = 0; rv && i < sg_count; i++) {
289	if (sg_pages[i])
290	__free_page(sg_pages[i]);
291	}
292
293	kfree(sg_pages);
294	return rv;
295	}
296	EXPORT_SYMBOL_GPL(efi_capsule_update);
62075e58 MF	297
	298	static int capsule_reboot_notify(struct notifier_block nb, unsigned long event, void cmd)
	299	{
	300	mutex_lock(&capsule_mutex);
	301	stop_capsules = true;
	302	mutex_unlock(&capsule_mutex);
	303
	304	return NOTIFY_DONE;
	305	}
	306
	307	static struct notifier_block capsule_reboot_nb = {
	308	.notifier_call = capsule_reboot_notify,
	309	};
	310
	311	static int __init capsule_reboot_register(void)
	312	{
	313	return register_reboot_notifier(&capsule_reboot_nb);
	314	}
	315	core_initcall(capsule_reboot_register);