blob: 6d19080711e473b0a58cc2585054b78b58b8cf7a [file] [log] [blame]
// SPDX-License-Identifier: GPL-2.0-only
/*
* GXP MicroController Unit firmware management.
*
* Copyright (C) 2022 Google LLC
*/
#include <linux/delay.h>
#include <linux/device.h>
#include <linux/firmware.h>
#include <linux/io.h>
#include <linux/lockdep.h>
#include <linux/mutex.h>
#include <linux/resource.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/workqueue.h>
#include <gcip/gcip-common-image-header.h>
#include <gcip/gcip-fault-injection.h>
#include <gcip/gcip-image-config.h>
#include <gcip/gcip-iommu.h>
#include <gcip/gcip-pm.h>
#include <gcip/gcip-thermal.h>
#include "gxp-bpm.h"
#include "gxp-config.h"
#include "gxp-core-telemetry.h"
#include "gxp-debug-dump.h"
#include "gxp-doorbell.h"
#include "gxp-firmware-loader.h"
#include "gxp-gsa.h"
#include "gxp-internal.h"
#include "gxp-kci.h"
#include "gxp-lpm.h"
#include "gxp-mailbox-driver.h"
#include "gxp-mcu-firmware.h"
#include "gxp-mcu-platform.h"
#include "gxp-mcu.h"
#include "gxp-pm.h"
#include "mobile-soc.h"
#if IS_GXP_TEST
#define TEST_FLUSH_KCI_WORKERS(kci) \
do { \
kthread_flush_worker(&(kci).mbx->response_worker); \
flush_work(&(kci).mbx->mbx_impl.gcip_kci->work); \
flush_work(&(kci).mbx->mbx_impl.gcip_kci->rkci.work); \
} while (0)
#else
#define TEST_FLUSH_KCI_WORKERS(...)
#endif
/* Value of Magic field in the common header "DSPF' as a 32-bit LE int */
#define GXP_FW_MAGIC 0x46505344
/* The number of times trying to rescue MCU. */
#define MCU_RESCUE_TRY 3
/* Time(us) to boot MCU in recovery mode. */
#define GXP_MCU_RECOVERY_BOOT_DELAY 100
/*
* Programs instruction remap CSRs.
*/
static void program_iremap_csr(struct gxp_dev *gxp,
struct gxp_mapped_resource *buf)
{
dev_info(gxp->dev, "Program instruction remap CSRs");
gxp_soc_set_iremap_context(gxp);
gxp_write_32(gxp, GXP_REG_CFGVECTABLE0, buf->daddr);
gxp_write_32(gxp, GXP_REG_IREMAP_LOW, buf->daddr);
gxp_write_32(gxp, GXP_REG_IREMAP_HIGH, buf->daddr + buf->size);
gxp_write_32(gxp, GXP_REG_IREMAP_TARGET, buf->daddr);
gxp_write_32(gxp, GXP_REG_IREMAP_ENABLE, 1);
}
/*
* Check whether the firmware file is signed or not.
*/
static bool is_signed_firmware(const struct firmware *fw,
const struct gcip_common_image_header *hdr)
{
if (fw->size < GCIP_FW_HEADER_SIZE)
return false;
if (hdr->common.magic != GXP_FW_MAGIC)
return false;
return true;
}
static void gxp_mcu_set_boot_mode(struct gxp_mcu_firmware *mcu_fw, uint32_t mode)
{
writel(mode, GXP_MCU_BOOT_MODE_OFFSET + mcu_fw->image_buf.vaddr);
}
static int gxp_mcu_firmware_handshake(struct gxp_mcu_firmware *mcu_fw)
{
struct gxp_dev *gxp = mcu_fw->gxp;
struct gxp_mcu *mcu = container_of(mcu_fw, struct gxp_mcu, fw);
enum gcip_fw_flavor fw_flavor;
int ret;
dev_dbg(gxp->dev, "Detecting MCU firmware info...");
mcu_fw->fw_info.fw_build_time = 0;
mcu_fw->fw_info.fw_flavor = GCIP_FW_FLAVOR_UNKNOWN;
mcu_fw->fw_info.fw_changelist = 0;
ret = gxp_mailbox_wait_for_device_mailbox_init(mcu->kci.mbx);
if (!ret) {
fw_flavor = gxp_kci_fw_info(&mcu->kci, &mcu_fw->fw_info);
} else {
fw_flavor = ret;
dev_err(gxp->dev, "Device mailbox init failed: %d", ret);
}
dev_info(gxp->dev, "MCU boot stage: %u\n", gxp_read_32(gxp, GXP_REG_MCU_BOOT_STAGE));
if (fw_flavor < 0) {
dev_err(gxp->dev, "MCU firmware handshake failed: %d",
fw_flavor);
mcu_fw->fw_info.fw_flavor = GCIP_FW_FLAVOR_UNKNOWN;
mcu_fw->fw_info.fw_changelist = 0;
mcu_fw->fw_info.fw_build_time = 0;
return fw_flavor;
}
dev_info(gxp->dev, "loaded %s MCU firmware (%u)",
gcip_fw_flavor_str(fw_flavor), mcu_fw->fw_info.fw_changelist);
gxp_bpm_stop(gxp, GXP_MCU_CORE_ID);
dev_notice(gxp->dev, "MCU Instruction read transactions: 0x%x\n",
gxp_bpm_read_counter(gxp, GXP_MCU_CORE_ID, INST_BPM_OFFSET));
ret = gxp_mcu_telemetry_kci(mcu);
if (ret)
dev_warn(gxp->dev, "telemetry KCI error: %d", ret);
ret = gcip_thermal_restore_on_powering(gxp->thermal);
if (ret)
dev_warn(gxp->dev, "thermal restore error: %d", ret);
ret = gxp_kci_set_device_properties(&mcu->kci, &gxp->device_prop);
if (ret)
dev_warn(gxp->dev, "Failed to pass device_prop to fw: %d\n", ret);
return 0;
}
/*
* Waits for the MCU LPM transition to the PG state.
*
* Must be called with holding @mcu_fw->lock.
*
* @force: force MCU to boot in recovery mode and execute WFI so that it can
* go in PG state.
* Returns true if MCU successfully transited to PG state, otherwise false.
*/
static bool gxp_pg_by_recovery_boot(struct gxp_dev *gxp, bool force)
{
struct gxp_mcu_firmware *mcu_fw = gxp_mcu_firmware_of(gxp);
int try = MCU_RESCUE_TRY, ret;
lockdep_assert_held(&mcu_fw->lock);
do {
if (force) {
gxp_mcu_set_boot_mode(mcu_fw, GXP_MCU_BOOT_MODE_RECOVERY);
ret = gxp_mcu_reset(gxp, true);
udelay(GXP_MCU_RECOVERY_BOOT_DELAY);
if (ret) {
dev_err(gxp->dev, "Failed to reset MCU (ret=%d)", ret);
continue;
}
}
if (gxp_lpm_wait_state_eq(gxp, CORE_TO_PSM(GXP_MCU_CORE_ID), LPM_PG_STATE))
return true;
dev_warn(gxp->dev, "MCU PSM transition to PS3 fails, current state: %u, try: %d",
gxp_lpm_get_state(gxp, CORE_TO_PSM(GXP_MCU_CORE_ID)), try);
/*
* If PG transition fails, MCU will not fall into WFI after the reset.
* Therefore, we must boot into recovery to force WFI transition.
*/
force = true;
} while (--try > 0);
return false;
}
/*
* Waits for the MCU LPM transition to the PG state.
*
* Must be called with holding @mcu_fw->lock.
*
* @ring_doorbell: If the situation is that the MCU cannot execute the transition by itself such
* as HW watchdog timeout, it must be passed as true to trigger the doorbell and
* let the MCU do that forcefully.
*
* Returns true if MCU successfully transited to PG state, otherwise false.
*/
static bool gxp_pg_by_doorbell(struct gxp_dev *gxp, bool ring_doorbell)
{
struct gxp_mcu *mcu = &to_mcu_dev(gxp)->mcu;
struct gxp_mcu_firmware *mcu_fw = gxp_mcu_firmware_of(gxp);
int try = MCU_RESCUE_TRY, ret;
lockdep_assert_held(&mcu_fw->lock);
do {
if (ring_doorbell) {
gxp_mailbox_set_control(mcu->kci.mbx, GXP_MBOX_CONTROL_MAGIC_POWER_DOWN);
gxp_doorbell_enable_for_core(gxp, CORE_WAKEUP_DOORBELL(GXP_MCU_CORE_ID),
GXP_MCU_CORE_ID);
gxp_doorbell_set(gxp, CORE_WAKEUP_DOORBELL(GXP_MCU_CORE_ID));
}
if (gxp_lpm_wait_state_eq(gxp, CORE_TO_PSM(GXP_MCU_CORE_ID), LPM_PG_STATE))
return true;
dev_warn(gxp->dev, "MCU PSM transition to PS3 fails, current state: %u, try: %d",
gxp_lpm_get_state(gxp, CORE_TO_PSM(GXP_MCU_CORE_ID)), try);
/*
* If PG transition fails, MCU will not fall into WFI after the reset below.
* Therefore, we must ring doorbell to let it fall into WFI from the next try.
*/
ring_doorbell = true;
ret = gxp_mcu_reset(gxp, true);
if (ret) {
dev_err(gxp->dev, "Failed to reset MCU after PG transition fails (ret=%d)",
ret);
continue;
}
/*
* We should give enough time to MCU to register doorbell handler. We hope MCU
* successfully registers the handler after the reset even if the handshake fails.
*/
ret = gxp_mcu_firmware_handshake(mcu_fw);
if (ret)
dev_err(gxp->dev,
"Failed to handshake with MCU after PG transition fails (ret=%d)",
ret);
} while (--try > 0);
return false;
}
static bool wait_for_pg_state_locked(struct gxp_dev *gxp, bool force)
{
bool ret;
/* TODO(b/317756665): Remove when recovery mode boot is supported in firmware. */
ret = gxp_pg_by_doorbell(gxp, force);
if (ret)
return ret;
/* For firmwares that supports recovery mode. */
return gxp_pg_by_recovery_boot(gxp, force);
}
int gxp_mcu_firmware_load(struct gxp_dev *gxp, char *fw_name,
const struct firmware **fw)
{
int ret;
struct gxp_mcu_firmware *mcu_fw = gxp_mcu_firmware_of(gxp);
struct device *dev = gxp->dev;
struct gcip_image_config *imgcfg;
struct gcip_common_image_header *hdr;
size_t size;
mutex_lock(&mcu_fw->lock);
if (mcu_fw->status == GCIP_FW_LOADING ||
mcu_fw->status == GCIP_FW_VALID) {
dev_info(gxp->dev, "MCU firmware is loaded, skip loading");
goto out;
}
mcu_fw->status = GCIP_FW_LOADING;
if (fw_name == NULL)
fw_name = GXP_DEFAULT_MCU_FIRMWARE;
dev_info(gxp->dev, "MCU firmware %s loading", fw_name);
ret = request_firmware(fw, fw_name, dev);
if (ret) {
dev_err(dev, "request firmware '%s' failed: %d", fw_name, ret);
goto err_out;
}
hdr = (struct gcip_common_image_header *)(*fw)->data;
if (!is_signed_firmware(*fw, hdr)) {
dev_err(dev, "Invalid firmware format %s", fw_name);
ret = -EINVAL;
goto err_release_firmware;
}
size = (*fw)->size - GCIP_FW_HEADER_SIZE;
if (size > mcu_fw->image_buf.size) {
dev_err(dev, "firmware %s size %#zx exceeds buffer size %#llx",
fw_name, size, mcu_fw->image_buf.size);
ret = -ENOSPC;
goto err_release_firmware;
}
imgcfg = get_image_config_from_hdr(hdr);
if (!imgcfg) {
dev_err(dev, "Unsupported image header generation");
ret = -EINVAL;
goto err_release_firmware;
}
/* Initialize the secure telemetry buffers if available. */
if (imgcfg->secure_telemetry_region_start) {
ret = gxp_secure_core_telemetry_init(
gxp, imgcfg->secure_telemetry_region_start);
if (ret)
dev_warn(dev,
"Secure telemetry initialization failed.");
}
ret = gcip_image_config_parse(&mcu_fw->cfg_parser, imgcfg);
if (ret) {
dev_err(dev, "image config parsing failed: %d", ret);
goto err_release_firmware;
}
if (!gcip_image_config_is_ns(imgcfg) && !gxp->gsa_dev) {
dev_err(dev,
"Can't run MCU in secure mode without the GSA device");
ret = -EINVAL;
goto err_clear_config;
}
mcu_fw->is_secure = !gcip_image_config_is_ns(imgcfg);
memcpy(mcu_fw->image_buf.vaddr, (*fw)->data + GCIP_FW_HEADER_SIZE,
size);
out:
mutex_unlock(&mcu_fw->lock);
return 0;
err_clear_config:
gcip_image_config_clear(&mcu_fw->cfg_parser);
err_release_firmware:
release_firmware(*fw);
err_out:
mcu_fw->status = GCIP_FW_INVALID;
mutex_unlock(&mcu_fw->lock);
return ret;
}
void gxp_mcu_firmware_unload(struct gxp_dev *gxp, const struct firmware *fw)
{
struct gxp_mcu_firmware *mcu_fw = gxp_mcu_firmware_of(gxp);
mutex_lock(&mcu_fw->lock);
if (mcu_fw->status == GCIP_FW_INVALID) {
dev_err(mcu_fw->gxp->dev, "Failed to unload MCU firmware");
mutex_unlock(&mcu_fw->lock);
return;
}
gcip_image_config_clear(&mcu_fw->cfg_parser);
mcu_fw->status = GCIP_FW_INVALID;
mutex_unlock(&mcu_fw->lock);
}
/*
* Boots up the MCU and program instructions.
* It sends `START` command to GSA in the secure mode.
*/
static int gxp_mcu_firmware_start(struct gxp_mcu_firmware *mcu_fw)
{
struct gxp_dev *gxp = mcu_fw->gxp;
int ret, state;
gxp_bpm_configure(gxp, GXP_MCU_CORE_ID, INST_BPM_OFFSET,
BPM_EVENT_READ_XFER);
ret = gxp_lpm_up(gxp, GXP_MCU_CORE_ID);
if (ret)
return ret;
gxp_write_32(gxp, GXP_REG_MCU_BOOT_STAGE, 0);
gxp_mcu_set_boot_mode(mcu_fw, GXP_MCU_BOOT_MODE_NORMAL);
if (mcu_fw->is_secure) {
state = gsa_send_dsp_cmd(gxp->gsa_dev, GSA_DSP_START);
if (state != GSA_DSP_STATE_RUNNING) {
gxp_lpm_down(gxp, GXP_MCU_CORE_ID);
return -EIO;
}
} else {
program_iremap_csr(gxp, &mcu_fw->image_buf);
/* Raise wakeup doorbell */
dev_dbg(gxp->dev, "Raising doorbell %d interrupt\n",
CORE_WAKEUP_DOORBELL(GXP_MCU_CORE_ID));
gxp_doorbell_enable_for_core(
gxp, CORE_WAKEUP_DOORBELL(GXP_MCU_CORE_ID),
GXP_MCU_CORE_ID);
gxp_doorbell_set(gxp, CORE_WAKEUP_DOORBELL(GXP_MCU_CORE_ID));
}
return 0;
}
/*
* Shutdowns the MCU.
* It sends `SHUTDOWN` command to GSA in the secure mode.
*
* Note that this function doesn't call `gxp_lpm_down`.
*
* 1. When MCU normally powered off after SHUTDOWN KCI.
* : It is already in PG state and we don't need to call that.
*
* 2. When we are going to shutdown MCU which is in abnormal state even after trying to rescue it.
* : We can't decide the state of MCU PSM or the AUR_BLOCK and accessing LPM CSRs might not be
* a good idea.
*/
static void gxp_mcu_firmware_shutdown(struct gxp_mcu_firmware *mcu_fw)
{
struct gxp_dev *gxp = mcu_fw->gxp;
if (mcu_fw->is_secure)
gsa_send_dsp_cmd(gxp->gsa_dev, GSA_DSP_SHUTDOWN);
}
/*
* Rescues the MCU which is not working properly. After the rescue, the MCU must be in PS0 state
* with an expectation of working normally. Basically, what this function doing is resetting MCU,
* block power cycling and handshaking with MCU.
*
* Must be called with holding @mcu_fw->lock and @pm->lock.
*
* Returns 0 if it successfully rescued and hanshaked with the MCU.
*/
static int gxp_mcu_firmware_rescue(struct gxp_dev *gxp)
{
struct gxp_mcu_firmware *mcu_fw = gxp_mcu_firmware_of(gxp);
int try = MCU_RESCUE_TRY, ret = 0;
gcip_pm_lockdep_assert_held(gxp->power_mgr->pm);
lockdep_assert_held(&mcu_fw->lock);
do {
dev_warn(gxp->dev, "Try to rescue MCU (try=%d)", try);
if (!wait_for_pg_state_locked(gxp, true)) {
dev_err(gxp->dev,
"Cannot proceed MCU rescue because it is not in PG state");
ret = -EAGAIN;
continue;
}
/* Try power cycle after resetting the MCU and still holding the reset bits. */
ret = gxp_mcu_reset(gxp, false);
if (ret) {
dev_err(gxp->dev, "Failed to reset MCU (ret=%d)", ret);
continue;
}
gxp_mcu_firmware_shutdown(mcu_fw);
ret = gxp_pm_blk_reboot(gxp, 5000);
if (ret) {
dev_err(gxp->dev, "Failed to power cycle AUR block, (ret=%d)", ret);
continue;
}
#if GXP_LPM_IN_AON
/*
* MCU reset mechanisms are chip specific. For some chips, reset assert bits may
* belong to LPM csr space which doesn't get reset on block power cycle and still be
* held. Release reset bits to arm MCU for a run.
*/
ret = gxp_mcu_reset(gxp, true);
if (ret) {
dev_err(gxp->dev, "Failed to reset MCU after blk reboot (ret=%d)", ret);
continue;
}
#endif
/* Try booting MCU up again and handshaking with it. */
ret = gxp_mcu_firmware_start(mcu_fw);
if (ret) {
dev_err(gxp->dev, "Failed to boot MCU up, (ret=%d)", ret);
continue;
}
ret = gxp_mcu_firmware_handshake(mcu_fw);
if (ret) {
dev_err(gxp->dev, "Failed to handshake with MCU even after rescue (ret=%d)",
ret);
continue;
}
dev_info(gxp->dev, "Succeeded in rescuing MCU");
} while (ret && --try > 0);
return ret;
}
static void gxp_mcu_firmware_stop_locked(struct gxp_mcu_firmware *mcu_fw)
{
struct gxp_dev *gxp = mcu_fw->gxp;
struct gxp_mcu *mcu = container_of(mcu_fw, struct gxp_mcu, fw);
int ret;
lockdep_assert_held(&mcu_fw->lock);
gxp_lpm_enable_state(gxp, CORE_TO_PSM(GXP_MCU_CORE_ID), LPM_PG_STATE);
/* Clear doorbell to refuse non-expected interrupts */
gxp_doorbell_clear(gxp, CORE_WAKEUP_DOORBELL(GXP_MCU_CORE_ID));
ret = gxp_kci_shutdown(&mcu->kci);
if (ret)
dev_warn(gxp->dev, "KCI shutdown failed: %d", ret);
/* TODO(b/296980539): revert this change after the bug is fixed. */
#if IS_ENABLED(CONFIG_GXP_GEM5)
gxp_lpm_set_state(gxp, LPM_PSM_MCU, LPM_PG_STATE, true);
#else
/*
* Waits for MCU transiting to PG state. If KCI shutdown was failed above (ret != 0), it
* will force to PG state.
*/
if (!wait_for_pg_state_locked(gxp, /*force=*/ret))
dev_warn(gxp->dev, "Failed to transit MCU to PG state after KCI shutdown");
#endif /* IS_ENABLED(CONFIG_GXP_GEM5) */
/* To test the case of the MCU FW sending FW_CRASH RKCI in the middle. */
TEST_FLUSH_KCI_WORKERS(mcu->kci);
gxp_kci_cancel_work_queues(&mcu->kci);
/*
* Clears up all remaining UCI/KCI commands. Otherwise, MCU may drain them improperly after
* it reboots.
*/
gxp_mcu_reset_mailbox(mcu);
gxp_mcu_firmware_shutdown(mcu_fw);
}
/*
* Caller must hold firmware lock.
*/
static int gxp_mcu_firmware_run_locked(struct gxp_mcu_firmware *mcu_fw)
{
struct gxp_dev *gxp = mcu_fw->gxp;
struct gxp_mcu *mcu = container_of(mcu_fw, struct gxp_mcu, fw);
int ret;
lockdep_assert_held(&mcu_fw->lock);
/*
* Resets UCI/KCI CSRs to ensure that no unconsumed commands are carried over from the last
* execution.
*/
gxp_mcu_reset_mailbox(mcu);
ret = gxp_mcu_firmware_start(mcu_fw);
if (ret)
return ret;
gcip_fault_inject_send(mcu_fw->fault_inject);
ret = gxp_mcu_firmware_handshake(mcu_fw);
if (ret) {
dev_warn(gxp->dev, "Retry MCU firmware handshake with resetting MCU");
if (!gxp_mcu_reset(gxp, true))
ret = gxp_mcu_firmware_handshake(mcu_fw);
}
/*
* We don't need to handshake again if it successfully rescues MCU because it will try
* handshake internally.
*/
if (ret) {
ret = gxp_mcu_firmware_rescue(gxp);
if (ret) {
dev_err(gxp->dev, "Failed to run MCU even after trying to rescue it: %d",
ret);
gxp_mcu_firmware_shutdown(mcu_fw);
wait_for_pg_state_locked(gxp, true);
return ret;
}
}
mcu_fw->status = GCIP_FW_VALID;
dev_info(gxp->dev, "MCU firmware run succeeded");
return 0;
}
static int init_mcu_firmware_buf(struct gxp_dev *gxp,
struct gxp_mapped_resource *buf)
{
struct resource r;
int ret;
ret = gxp_acquire_rmem_resource(gxp, &r, "gxp-mcu-fw-region");
if (ret)
return ret;
buf->size = resource_size(&r);
buf->paddr = r.start;
buf->daddr = GXP_IREMAP_CODE_BASE;
buf->vaddr =
devm_memremap(gxp->dev, buf->paddr, buf->size, MEMREMAP_WC);
if (IS_ERR(buf->vaddr))
ret = PTR_ERR(buf->vaddr);
return ret;
}
static char *fw_name_from_buf(struct gxp_dev *gxp, const char *buf)
{
size_t len;
char *name;
len = strlen(buf);
/* buf from sysfs attribute contains the last line feed character */
if (len == 0 || buf[len - 1] != '\n')
return ERR_PTR(-EINVAL);
name = devm_kstrdup(gxp->dev, buf, GFP_KERNEL);
if (!name)
return ERR_PTR(-ENOMEM);
/* name should not contain the last line feed character */
name[len - 1] = '\0';
return name;
}
static ssize_t load_firmware_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct gxp_dev *gxp = dev_get_drvdata(dev);
ssize_t ret;
char *firmware_name = gxp_firmware_loader_get_mcu_fw_name(gxp);
ret = sysfs_emit(buf, "%s\n", firmware_name);
kfree(firmware_name);
return ret;
}
static ssize_t load_firmware_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
{
struct gxp_dev *gxp = dev_get_drvdata(dev);
int ret;
char *name;
name = fw_name_from_buf(gxp, buf);
if (IS_ERR(name))
return PTR_ERR(name);
if (gcip_pm_is_powered(gxp->power_mgr->pm)) {
dev_err(gxp->dev,
"Reject firmware loading because wakelocks are holding");
return -EBUSY;
/*
* Note: it's still possible a wakelock is acquired by
* clients after the check above, but this function is for
* development purpose only, we don't insist on preventing
* race condition bugs.
*/
}
dev_info(gxp->dev, "loading firmware %s from SysFS", name);
/*
* It's possible a race condition bug here that someone opens a gxp
* device and loads the firmware between below unload/load functions in
* another thread, but this interface is only for developer debugging.
* We don't insist on preventing the race condition bug.
*/
gxp_firmware_loader_unload(gxp);
gxp_firmware_loader_set_mcu_fw_name(gxp, name);
ret = gxp_firmware_loader_load_if_needed(gxp);
if (ret) {
dev_err(gxp->dev, "Failed to load MCU firmware: %s\n", name);
return ret;
}
return count;
}
static DEVICE_ATTR_RW(load_firmware);
/* Provide the version info of the firmware including CL and privilege_level */
static ssize_t firmware_version_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct gxp_dev *gxp = dev_get_drvdata(dev);
struct gxp_mcu_firmware *mcu_fw = gxp_mcu_firmware_of(gxp);
const char *priv;
if (mcu_fw->status != GCIP_FW_VALID) {
dev_warn(gxp->dev, "firmware_version is not available, firmware status: %d",
mcu_fw->status);
return -ENODEV;
}
switch (mcu_fw->cfg_parser.last_config.privilege_level) {
case GCIP_FW_PRIV_LEVEL_GSA:
priv = "GSA";
break;
case GCIP_FW_PRIV_LEVEL_TZ:
priv = "secure";
break;
case GCIP_FW_PRIV_LEVEL_NS:
priv = "non-secure";
break;
default:
priv = "error";
}
return sysfs_emit(buf, "cl=%d priv=%s\n", mcu_fw->fw_info.fw_changelist, priv);
}
static DEVICE_ATTR_RO(firmware_version);
/* Provide the count of firmware crash. */
static ssize_t firmware_crash_counter_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
struct gxp_dev *gxp = dev_get_drvdata(dev);
struct gxp_mcu_firmware *mcu_fw = gxp_mcu_firmware_of(gxp);
return sysfs_emit(buf, "%d\n", mcu_fw->crash_cnt);
}
static DEVICE_ATTR_RO(firmware_crash_counter);
static struct attribute *dev_attrs[] = {
&dev_attr_load_firmware.attr,
&dev_attr_firmware_version.attr,
&dev_attr_firmware_crash_counter.attr,
NULL,
};
static const struct attribute_group firmware_attr_group = {
.attrs = dev_attrs,
};
static int image_config_map(void *data, dma_addr_t daddr, phys_addr_t paddr,
size_t size, unsigned int flags)
{
struct gxp_dev *gxp = data;
const bool ns = !(flags & GCIP_IMAGE_CONFIG_FLAGS_SECURE);
if (ns) {
dev_err(gxp->dev, "image config NS mappings are not supported");
return -EINVAL;
}
return gcip_iommu_map(gxp_iommu_get_domain_for_dev(gxp), daddr, paddr, size,
GCIP_MAP_FLAGS_DMA_RW);
}
static void image_config_unmap(void *data, dma_addr_t daddr, size_t size, unsigned int flags)
{
struct gxp_dev *gxp = data;
gcip_iommu_unmap(gxp_iommu_get_domain_for_dev(gxp), daddr, size);
}
static void gxp_mcu_firmware_crash_handler_work(struct work_struct *work)
{
struct gxp_mcu_firmware *mcu_fw =
container_of(work, struct gxp_mcu_firmware, fw_crash_handler_work);
gxp_mcu_firmware_crash_handler(mcu_fw->gxp, GCIP_FW_CRASH_UNRECOVERABLE_FAULT);
}
static int gxp_mcu_firmware_fault_inject_init(struct gxp_mcu_firmware *mcu_fw)
{
struct gxp_dev *gxp = mcu_fw->gxp;
struct gxp_mcu *mcu = container_of(mcu_fw, struct gxp_mcu, fw);
struct gcip_fault_inject *injection;
const struct gcip_fault_inject_args args = { .dev = gxp->dev,
.parent_dentry = gxp->d_entry,
.pm = gxp->power_mgr->pm,
.send_kci = gxp_kci_fault_injection,
.kci_data = &mcu->kci };
injection = gcip_fault_inject_create(&args);
if (IS_ERR(injection))
return PTR_ERR(injection);
mcu_fw->fault_inject = injection;
return 0;
}
static void gxp_mcu_firmware_fault_inject_exit(struct gxp_mcu_firmware *mcu_fw)
{
gcip_fault_inject_destroy(mcu_fw->fault_inject);
}
int gxp_mcu_firmware_init(struct gxp_dev *gxp, struct gxp_mcu_firmware *mcu_fw)
{
static const struct gcip_image_config_ops image_config_parser_ops = {
.map = image_config_map,
.unmap = image_config_unmap,
};
int ret;
ret = gcip_image_config_parser_init(
&mcu_fw->cfg_parser, &image_config_parser_ops, gxp->dev, gxp);
if (unlikely(ret)) {
dev_err(gxp->dev, "failed to init config parser: %d", ret);
return ret;
}
ret = init_mcu_firmware_buf(gxp, &mcu_fw->image_buf);
if (ret) {
dev_err(gxp->dev, "failed to init MCU firmware buffer: %d",
ret);
return ret;
}
mcu_fw->gxp = gxp;
mcu_fw->status = GCIP_FW_INVALID;
mcu_fw->crash_cnt = 0;
mutex_init(&mcu_fw->lock);
INIT_WORK(&mcu_fw->fw_crash_handler_work, gxp_mcu_firmware_crash_handler_work);
ret = device_add_group(gxp->dev, &firmware_attr_group);
if (ret) {
dev_err(gxp->dev, "failed to create firmware device group");
return ret;
}
ret = gxp_mcu_firmware_fault_inject_init(mcu_fw);
if (ret)
dev_warn(gxp->dev, "failed to init fault injection: %d", ret);
return 0;
}
void gxp_mcu_firmware_exit(struct gxp_mcu_firmware *mcu_fw)
{
if (IS_GXP_TEST && (!mcu_fw || !mcu_fw->gxp))
return;
gxp_mcu_firmware_fault_inject_exit(mcu_fw);
cancel_work_sync(&mcu_fw->fw_crash_handler_work);
device_remove_group(mcu_fw->gxp->dev, &firmware_attr_group);
}
int gxp_mcu_firmware_run(struct gxp_mcu_firmware *mcu_fw)
{
int ret;
mutex_lock(&mcu_fw->lock);
if (mcu_fw->status == GCIP_FW_INVALID)
ret = -EINVAL;
else
ret = gxp_mcu_firmware_run_locked(mcu_fw);
mutex_unlock(&mcu_fw->lock);
return ret;
}
void gxp_mcu_firmware_stop(struct gxp_mcu_firmware *mcu_fw)
{
mutex_lock(&mcu_fw->lock);
gxp_mcu_firmware_stop_locked(mcu_fw);
mutex_unlock(&mcu_fw->lock);
}
void gxp_mcu_firmware_crash_handler(struct gxp_dev *gxp,
enum gcip_fw_crash_type crash_type)
{
struct gxp_mcu_firmware *mcu_fw = gxp_mcu_firmware_of(gxp);
struct gxp_client *client;
struct gcip_pm *pm = gxp->power_mgr->pm;
int ret;
dev_err(gxp->dev, "MCU firmware is crashed, crash_type=%d", crash_type);
/*
* This crash handler can be triggered in two cases:
* 1. The MCU firmware detects some unrecoverable faults and sends FW_CRASH RKCI to the
* kernel driver. (GCIP_FW_CRASH_UNRECOVERABLE_FAULT)
* 2. The MCU firmware is crashed some reasons which cannot be detected by itself and the
* kernel driver notices the MCU crash with the HW watchdog timeout.
* (GCIP_FW_CRASH_HW_WDG_TIMEOUT)
*
* As those two cases are asynchronous, they can happen simultaneously. In the first case,
* the MCU firmware must turn off the HW watchdog first to prevent that race case.
*/
if (crash_type != GCIP_FW_CRASH_UNRECOVERABLE_FAULT &&
crash_type != GCIP_FW_CRASH_HW_WDG_TIMEOUT)
return;
dev_err(gxp->dev, "Unrecoverable MCU firmware fault, handle it");
mcu_fw->crash_cnt += 1;
/*
* In the case of stopping MCU FW while it is handling `CLIENT_FATAL_ERROR` RKCI, it will
* acquire locks in this order:
* gcip_pm_put -> holds @pm->lock -> gxp_mcu_firmware_stop -> holds @mcu_fw->lock
* -> waits for the completion of RKCI handler -> gxp_vd_invalidate_with_client_id
* -> holds @gxp->client_list_lock -> hold @client->semaphore -> holds @gxp->vd_semaphore
*
* Also, in the case of starting MCU FW, the locking order will be:
* gcip_pm_get -> holds @pm->lock -> gxp_mcu_firmware_run -> holds @mcu_fw->lock
*
* To prevent a deadlock issue, we have to follow the same locking order from here.
*/
/*
* Holding the PM lock due to the reasons listed below.
* 1. As we are recovering the MCU firmware, we should block the PM requests (e.g.,
* acquiring or releasing the block wakelock) until the rescuing is finished.
* 2. Restarting the MCU firmware might involve restore functions (e.g.,
* gcip_thermal_restore_on_powering) which require the caller to hold the PM lock.
*/
gcip_pm_lock(pm);
/*
* By the race, if all clients left earlier than this handler, all block wakleock should be
* already released and the BLK is turned off. We don't have to rescue the MCU firmware.
*/
if (!gcip_pm_is_powered(pm)) {
dev_info(
gxp->dev,
"The block wakelock is already released, skip restarting MCU firmware");
goto out_unlock_pm;
}
/* Hold @mcu_fw->lock because manipulating the MCU FW state must be a critical section. */
mutex_lock(&mcu_fw->lock);
/*
* Prevent @gxp->client_list is being changed while handling the crash.
* The user cannot open or close a fd until this function releases the lock.
*/
mutex_lock(&gxp->client_list_lock);
/*
* Hold @client->semaphore first to prevent deadlock.
* By holding this lock, clients cannot proceed most IOCTLs.
*/
list_for_each_entry (client, &gxp->client_list, list_entry) {
down_write(&client->semaphore);
}
/*
* Holding @client->semaphore will block the most client actions, but let's make sure
* it by holding the locks directly related to the actions we want to block accordingly.
* For example, in the case of the block wakelock, the debug dump can try to acquire it
* which cannot be blocked by holding @client->semaphore.
*
* However, we don't lock @gxp->vd_semaphore for not increasing lock dependency since
* holding @gxp->client_list_lock and @client->semaphore is enough to ensure no new VD
* being allocated.
*/
/*
* Discard all pending/unconsumed UCI responses and change the state of all virtual devices
* to GXP_VD_UNAVAILABLE. From now on, all clients cannot request new UCI commands.
*/
list_for_each_entry (client, &gxp->client_list, list_entry) {
if (client->has_block_wakelock && client->vd) {
gxp_vd_invalidate(gxp, client->vd, GXP_INVALIDATED_MCU_CRASH);
client->vd->mcu_crashed = true;
}
}
/* Dump diagnostic information for MCU crash before resetting it. */
gxp_debug_dump_report_mcu_crash(gxp);
/* Waits for the MCU transiting to PG state and restart the MCU firmware. */
if (!wait_for_pg_state_locked(gxp, crash_type == GCIP_FW_CRASH_HW_WDG_TIMEOUT)) {
dev_warn(gxp->dev, "Failed to transit MCU LPM state to PG");
goto out;
}
ret = gxp_mcu_firmware_run_locked(mcu_fw);
if (ret)
dev_warn(gxp->dev, "Failed to run MCU firmware (ret=%d)", ret);
out:
list_for_each_entry (client, &gxp->client_list, list_entry) {
up_write(&client->semaphore);
}
mutex_unlock(&gxp->client_list_lock);
mutex_unlock(&mcu_fw->lock);
out_unlock_pm:
gcip_pm_unlock(pm);
}