1 files changed, 308 insertions, 0 deletions
diff --git a/drivers/firmware/efi/capsule.c b/drivers/firmware/efi/capsule.c
new file mode 100644
index 000000000000..53b9fd2293ee
--- /dev/null
+++ b/drivers/firmware/efi/capsule.c
@@ -0,0 +1,308 @@
+/*
+ * EFI capsule support.
+ *
+ * Copyright 2013 Intel Corporation; author Matt Fleming
+ *
+ * This file is part of the Linux kernel, and is made available under
+ * the terms of the GNU General Public License version 2.
+ */
+#define pr_fmt(fmt) "efi: " fmt
+#include <linux/slab.h>
+#include <linux/mutex.h>
+#include <linux/highmem.h>
+#include <linux/efi.h>
+#include <linux/vmalloc.h>
+#include <asm/io.h>
+typedef struct {
+        u64 length;
+        u64 data;
+} efi_capsule_block_desc_t;
+static bool capsule_pending;
+static bool stop_capsules;
+static int efi_reset_type = -1;
+/*
+ * capsule_mutex serialises access to both capsule_pending and
+ * efi_reset_type and stop_capsules.
+ */
+static DEFINE_MUTEX(capsule_mutex);
+/**
+ * efi_capsule_pending - has a capsule been passed to the firmware?
+ * @reset_type: store the type of EFI reset if capsule is pending
+ *
+ * To ensure that the registered capsule is processed correctly by the
+ * firmware we need to perform a specific type of reset. If a capsule is
+ * pending return the reset type in @reset_type.
+ *
+ * This function will race with callers of efi_capsule_update(), for
+ * example, calling this function while somebody else is in
+ * efi_capsule_update() but hasn't reached efi_capsue_update_locked()
+ * will miss the updates to capsule_pending and efi_reset_type after
+ * efi_capsule_update_locked() completes.
+ *
+ * A non-racy use is from platform reboot code because we use
+ * system_state to ensure no capsules can be sent to the firmware once
+ * we're at SYSTEM_RESTART. See efi_capsule_update_locked().
+ */
+bool efi_capsule_pending(int *reset_type)
+{
+        if (!capsule_pending)
+                return false;
+        if (reset_type)
+                *reset_type = efi_reset_type;
+        return true;
+}
+/*
+ * Whitelist of EFI capsule flags that we support.
+ *
+ * We do not handle EFI_CAPSULE_INITIATE_RESET because that would
+ * require us to prepare the kernel for reboot. Refuse to load any
+ * capsules with that flag and any other flags that we do not know how
+ * to handle.
+ */
+#define EFI_CAPSULE_SUPPORTED_FLAG_MASK                 \
+        (EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE)
+/**
+ * efi_capsule_supported - does the firmware support the capsule?
+ * @guid: vendor guid of capsule
+ * @flags: capsule flags
+ * @size: size of capsule data
+ * @reset: the reset type required for this capsule
+ *
+ * Check whether a capsule with @flags is supported by the firmware
+ * and that @size doesn't exceed the maximum size for a capsule.
+ *
+ * No attempt is made to check @reset against the reset type required
+ * by any pending capsules because of the races involved.
+ */
+int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
+{
+        efi_capsule_header_t capsule;
+        efi_capsule_header_t *cap_list[] = { &capsule };
+        efi_status_t status;
+        u64 max_size;
+        if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
+                return -EINVAL;
+        capsule.headersize = capsule.imagesize = sizeof(capsule);
+        memcpy(&capsule.guid, &guid, sizeof(efi_guid_t));
+        capsule.flags = flags;
+        status = efi.query_capsule_caps(cap_list, 1, &max_size, reset);
+        if (status != EFI_SUCCESS)
+                return efi_status_to_err(status);
+        if (size > max_size)
+                return -ENOSPC;
+        return 0;
+}
+EXPORT_SYMBOL_GPL(efi_capsule_supported);
+/*
+ * Every scatter gather list (block descriptor) page must end with a
+ * continuation pointer. The last continuation pointer of the last
+ * page must be zero to mark the end of the chain.
+ */
+#define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1)
+/*
+ * How many scatter gather list (block descriptor) pages do we need
+ * to map @count pages?
+ */
+static inline unsigned int sg_pages_num(unsigned int count)
+{
+        return DIV_ROUND_UP(count, SGLIST_PER_PAGE);
+}
+/**
+ * efi_capsule_update_locked - pass a single capsule to the firmware
+ * @capsule: capsule to send to the firmware
+ * @sg_pages: array of scatter gather (block descriptor) pages
+ * @reset: the reset type required for @capsule
+ *
+ * Since this function must be called under capsule_mutex check
+ * whether efi_reset_type will conflict with @reset, and atomically
+ * set it and capsule_pending if a capsule was successfully sent to
+ * the firmware.
+ *
+ * We also check to see if the system is about to restart, and if so,
+ * abort. This avoids races between efi_capsule_update() and
+ * efi_capsule_pending().
+ */
+static int
+efi_capsule_update_locked(efi_capsule_header_t *capsule,
+                          struct page **sg_pages, int reset)
+{
+        efi_physical_addr_t sglist_phys;
+        efi_status_t status;
+        lockdep_assert_held(&capsule_mutex);
+        /*
+         * If someone has already registered a capsule that requires a
+         * different reset type, we're out of luck and must abort.
+         */
+        if (efi_reset_type >= 0 && efi_reset_type != reset) {
+                pr_err("Conflicting capsule reset type %d (%d).\n",
+                       reset, efi_reset_type);
+                return -EINVAL;
+        }
+        /*
+         * If the system is getting ready to restart it may have
+         * called efi_capsule_pending() to make decisions (such as
+         * whether to force an EFI reboot), and we're racing against
+         * that call. Abort in that case.
+         */
+        if (unlikely(stop_capsules)) {
+                pr_warn("Capsule update raced with reboot, aborting.\n");
+                return -EINVAL;
+        }
+        sglist_phys = page_to_phys(sg_pages[0]);
+        status = efi.update_capsule(&capsule, 1, sglist_phys);
+        if (status == EFI_SUCCESS) {
+                capsule_pending = true;
+                efi_reset_type = reset;
+        }
+        return efi_status_to_err(status);
+}
+/**
+ * efi_capsule_update - send a capsule to the firmware
+ * @capsule: capsule to send to firmware
+ * @pages: an array of capsule data pages
+ *
+ * Build a scatter gather list with EFI capsule block descriptors to
+ * map the capsule described by @capsule with its data in @pages and
+ * send it to the firmware via the UpdateCapsule() runtime service.
+ *
+ * @capsule must be a virtual mapping of the first page in @pages
+ * (@pages[0]) in the kernel address space. That is, a
+ * capsule_header_t that describes the entire contents of the capsule
+ * must be at the start of the first data page.
+ *
+ * Even though this function will validate that the firmware supports
+ * the capsule guid, users will likely want to check that
+ * efi_capsule_supported() returns true before calling this function
+ * because it makes it easier to print helpful error messages.
+ *
+ * If the capsule is successfully submitted to the firmware, any
+ * subsequent calls to efi_capsule_pending() will return true. @pages
+ * must not be released or modified if this function returns
+ * successfully.
+ *
+ * Callers must be prepared for this function to fail, which can
+ * happen if we raced with system reboot or if there is already a
+ * pending capsule that has a reset type that conflicts with the one
+ * required by @capsule. Do NOT use efi_capsule_pending() to detect
+ * this conflict since that would be racy. Instead, submit the capsule
+ * to efi_capsule_update() and check the return value.
+ *
+ * Return 0 on success, a converted EFI status code on failure.
+ */
+int efi_capsule_update(efi_capsule_header_t *capsule, struct page **pages)
+{
+        u32 imagesize = capsule->imagesize;
+        efi_guid_t guid = capsule->guid;
+        unsigned int count, sg_count;
+        u32 flags = capsule->flags;
+        struct page **sg_pages;
+        int rv, reset_type;
+        int i, j;
+        rv = efi_capsule_supported(guid, flags, imagesize, &reset_type);
+        if (rv)
+                return rv;
+        count = DIV_ROUND_UP(imagesize, PAGE_SIZE);
+        sg_count = sg_pages_num(count);
+        sg_pages = kzalloc(sg_count * sizeof(*sg_pages), GFP_KERNEL);
+        if (!sg_pages)
+                return -ENOMEM;
+        for (i = 0; i < sg_count; i++) {
+                sg_pages[i] = alloc_page(GFP_KERNEL);
+                if (!sg_pages[i]) {
+                        rv = -ENOMEM;
+                        goto out;
+                }
+        }
+        for (i = 0; i < sg_count; i++) {
+                efi_capsule_block_desc_t *sglist;
+                sglist = kmap(sg_pages[i]);
+                if (!sglist) {
+                        rv = -ENOMEM;
+                        goto out;
+                }
+                for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) {
+                        u64 sz = min_t(u64, imagesize, PAGE_SIZE);
+                        sglist[j].length = sz;
+                        sglist[j].data = page_to_phys(*pages++);
+                        imagesize -= sz;
+                        count--;
+                }
+                /* Continuation pointer */
+                sglist[j].length = 0;
+                if (i + 1 == sg_count)
+                        sglist[j].data = 0;
+                else
+                        sglist[j].data = page_to_phys(sg_pages[i + 1]);
+                kunmap(sg_pages[i]);
+        }
+        mutex_lock(&capsule_mutex);
+        rv = efi_capsule_update_locked(capsule, sg_pages, reset_type);
+        mutex_unlock(&capsule_mutex);
+out:
+        for (i = 0; rv && i < sg_count; i++) {
+                if (sg_pages[i])
+                        __free_page(sg_pages[i]);
+        }
+        kfree(sg_pages);
+        return rv;
+}
+EXPORT_SYMBOL_GPL(efi_capsule_update);
+static int capsule_reboot_notify(struct notifier_block *nb, unsigned long event, void *cmd)
+{
+        mutex_lock(&capsule_mutex);
+        stop_capsules = true;
+        mutex_unlock(&capsule_mutex);
+        return NOTIFY_DONE;
+}
+static struct notifier_block capsule_reboot_nb = {
+        .notifier_call = capsule_reboot_notify,
+};
+static int __init capsule_reboot_register(void)
+{
+        return register_reboot_notifier(&capsule_reboot_nb);
+}
+core_initcall(capsule_reboot_register);

diff --git a/drivers/firmware/efi/capsule.c b/drivers/firmware/efi/capsule.c new file mode 100644 index 000000000000..53b9fd2293ee --- /dev/null +++ b/drivers/firmware/efi/capsule.c
@@ -0,0 +1,308 @@
	1	/*
	2	* EFI capsule support.
	3	*
	4	* Copyright 2013 Intel Corporation; author Matt Fleming
	5	*
	6	* This file is part of the Linux kernel, and is made available under
	7	* the terms of the GNU General Public License version 2.
	8	*/
	9
	10	#define pr_fmt(fmt) "efi: " fmt
	11
	12	#include <linux/slab.h>
	13	#include <linux/mutex.h>
	14	#include <linux/highmem.h>
	15	#include <linux/efi.h>
	16	#include <linux/vmalloc.h>
	17	#include <asm/io.h>
	18
	19	typedef struct {
	20	u64 length;
	21	u64 data;
	22	} efi_capsule_block_desc_t;
	23
	24	static bool capsule_pending;
	25	static bool stop_capsules;
	26	static int efi_reset_type = -1;
	27
	28	/*
	29	* capsule_mutex serialises access to both capsule_pending and
	30	* efi_reset_type and stop_capsules.
	31	*/
	32	static DEFINE_MUTEX(capsule_mutex);
	33
	34	/**
	35	* efi_capsule_pending - has a capsule been passed to the firmware?
	36	* @reset_type: store the type of EFI reset if capsule is pending
	37	*
	38	* To ensure that the registered capsule is processed correctly by the
	39	* firmware we need to perform a specific type of reset. If a capsule is
	40	* pending return the reset type in @reset_type.
	41	*
	42	* This function will race with callers of efi_capsule_update(), for
	43	* example, calling this function while somebody else is in
	44	* efi_capsule_update() but hasn't reached efi_capsue_update_locked()
	45	* will miss the updates to capsule_pending and efi_reset_type after
	46	* efi_capsule_update_locked() completes.
	47	*
	48	* A non-racy use is from platform reboot code because we use
	49	* system_state to ensure no capsules can be sent to the firmware once
	50	* we're at SYSTEM_RESTART. See efi_capsule_update_locked().
	51	*/
	52	bool efi_capsule_pending(int *reset_type)
	53	{
	54	if (!capsule_pending)
	55	return false;
	56
	57	if (reset_type)
	58	*reset_type = efi_reset_type;
	59
	60	return true;
	61	}
	62
	63	/*
	64	* Whitelist of EFI capsule flags that we support.
	65	*
	66	* We do not handle EFI_CAPSULE_INITIATE_RESET because that would
	67	* require us to prepare the kernel for reboot. Refuse to load any
	68	* capsules with that flag and any other flags that we do not know how
	69	* to handle.
	70	*/
	71	#define EFI_CAPSULE_SUPPORTED_FLAG_MASK \
	72	(EFI_CAPSULE_PERSIST_ACROSS_RESET \| EFI_CAPSULE_POPULATE_SYSTEM_TABLE)
	73
	74	/**
	75	* efi_capsule_supported - does the firmware support the capsule?
	76	* @guid: vendor guid of capsule
	77	* @flags: capsule flags
	78	* @size: size of capsule data
	79	* @reset: the reset type required for this capsule
	80	*
	81	* Check whether a capsule with @flags is supported by the firmware
	82	* and that @size doesn't exceed the maximum size for a capsule.
	83	*
	84	* No attempt is made to check @reset against the reset type required
	85	* by any pending capsules because of the races involved.
	86	*/
	87	int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
	88	{
	89	efi_capsule_header_t capsule;
	90	efi_capsule_header_t *cap_list[] = { &capsule };
	91	efi_status_t status;
	92	u64 max_size;
	93
	94	if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
	95	return -EINVAL;
	96
	97	capsule.headersize = capsule.imagesize = sizeof(capsule);
	98	memcpy(&capsule.guid, &guid, sizeof(efi_guid_t));
	99	capsule.flags = flags;
	100
	101	status = efi.query_capsule_caps(cap_list, 1, &max_size, reset);
	102	if (status != EFI_SUCCESS)
	103	return efi_status_to_err(status);
	104
	105	if (size > max_size)
	106	return -ENOSPC;
	107
	108	return 0;
	109	}
	110	EXPORT_SYMBOL_GPL(efi_capsule_supported);
	111
	112	/*
	113	* Every scatter gather list (block descriptor) page must end with a
	114	* continuation pointer. The last continuation pointer of the last
	115	* page must be zero to mark the end of the chain.
	116	*/
	117	#define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1)
	118
	119	/*
	120	* How many scatter gather list (block descriptor) pages do we need
	121	* to map @count pages?
	122	*/
	123	static inline unsigned int sg_pages_num(unsigned int count)
	124	{
	125	return DIV_ROUND_UP(count, SGLIST_PER_PAGE);
	126	}
	127
	128	/**
	129	* efi_capsule_update_locked - pass a single capsule to the firmware
	130	* @capsule: capsule to send to the firmware
	131	* @sg_pages: array of scatter gather (block descriptor) pages
	132	* @reset: the reset type required for @capsule
	133	*
	134	* Since this function must be called under capsule_mutex check
	135	* whether efi_reset_type will conflict with @reset, and atomically
	136	* set it and capsule_pending if a capsule was successfully sent to
	137	* the firmware.
	138	*
	139	* We also check to see if the system is about to restart, and if so,
	140	* abort. This avoids races between efi_capsule_update() and
	141	* efi_capsule_pending().
	142	*/
	143	static int
	144	efi_capsule_update_locked(efi_capsule_header_t *capsule,
	145	struct page **sg_pages, int reset)
	146	{
	147	efi_physical_addr_t sglist_phys;
	148	efi_status_t status;
	149
	150	lockdep_assert_held(&capsule_mutex);
	151
	152	/*
	153	* If someone has already registered a capsule that requires a
	154	* different reset type, we're out of luck and must abort.
	155	*/
	156	if (efi_reset_type >= 0 && efi_reset_type != reset) {
	157	pr_err("Conflicting capsule reset type %d (%d).\n",
	158	reset, efi_reset_type);
	159	return -EINVAL;
	160	}
	161
	162	/*
	163	* If the system is getting ready to restart it may have
	164	* called efi_capsule_pending() to make decisions (such as
	165	* whether to force an EFI reboot), and we're racing against
	166	* that call. Abort in that case.
	167	*/
	168	if (unlikely(stop_capsules)) {
	169	pr_warn("Capsule update raced with reboot, aborting.\n");
	170	return -EINVAL;
	171	}
	172
	173	sglist_phys = page_to_phys(sg_pages[0]);
	174
	175	status = efi.update_capsule(&capsule, 1, sglist_phys);
	176	if (status == EFI_SUCCESS) {
	177	capsule_pending = true;
	178	efi_reset_type = reset;
	179	}
	180
	181	return efi_status_to_err(status);
	182	}
	183
	184	/**
	185	* efi_capsule_update - send a capsule to the firmware
	186	* @capsule: capsule to send to firmware
	187	* @pages: an array of capsule data pages
	188	*
	189	* Build a scatter gather list with EFI capsule block descriptors to
	190	* map the capsule described by @capsule with its data in @pages and
	191	* send it to the firmware via the UpdateCapsule() runtime service.
	192	*
	193	* @capsule must be a virtual mapping of the first page in @pages
	194	* (@pages[0]) in the kernel address space. That is, a
	195	* capsule_header_t that describes the entire contents of the capsule
	196	* must be at the start of the first data page.
	197	*
	198	* Even though this function will validate that the firmware supports
	199	* the capsule guid, users will likely want to check that
	200	* efi_capsule_supported() returns true before calling this function
	201	* because it makes it easier to print helpful error messages.
	202	*
	203	* If the capsule is successfully submitted to the firmware, any
	204	* subsequent calls to efi_capsule_pending() will return true. @pages
	205	* must not be released or modified if this function returns
	206	* successfully.
	207	*
	208	* Callers must be prepared for this function to fail, which can
	209	* happen if we raced with system reboot or if there is already a
	210	* pending capsule that has a reset type that conflicts with the one
	211	* required by @capsule. Do NOT use efi_capsule_pending() to detect
	212	* this conflict since that would be racy. Instead, submit the capsule
	213	* to efi_capsule_update() and check the return value.
	214	*
	215	* Return 0 on success, a converted EFI status code on failure.
	216	*/
	217	int efi_capsule_update(efi_capsule_header_t capsule, struct page *pages)
	218	{
	219	u32 imagesize = capsule->imagesize;
	220	efi_guid_t guid = capsule->guid;
	221	unsigned int count, sg_count;
	222	u32 flags = capsule->flags;
	223	struct page **sg_pages;
	224	int rv, reset_type;
	225	int i, j;
	226
	227	rv = efi_capsule_supported(guid, flags, imagesize, &reset_type);
	228	if (rv)
	229	return rv;
	230
	231	count = DIV_ROUND_UP(imagesize, PAGE_SIZE);
	232	sg_count = sg_pages_num(count);
	233
	234	sg_pages = kzalloc(sg_count * sizeof(*sg_pages), GFP_KERNEL);
	235	if (!sg_pages)
	236	return -ENOMEM;
	237
	238	for (i = 0; i < sg_count; i++) {
	239	sg_pages[i] = alloc_page(GFP_KERNEL);
	240	if (!sg_pages[i]) {
	241	rv = -ENOMEM;
	242	goto out;
	243	}
	244	}
	245
	246	for (i = 0; i < sg_count; i++) {
	247	efi_capsule_block_desc_t *sglist;
	248
	249	sglist = kmap(sg_pages[i]);
	250	if (!sglist) {
	251	rv = -ENOMEM;
	252	goto out;
	253	}
	254
	255	for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) {
	256	u64 sz = min_t(u64, imagesize, PAGE_SIZE);
	257
	258	sglist[j].length = sz;
	259	sglist[j].data = page_to_phys(*pages++);
	260
	261	imagesize -= sz;
	262	count--;
	263	}
	264
	265	/* Continuation pointer */
	266	sglist[j].length = 0;
	267
	268	if (i + 1 == sg_count)
	269	sglist[j].data = 0;
	270	else
	271	sglist[j].data = page_to_phys(sg_pages[i + 1]);
	272
	273	kunmap(sg_pages[i]);
	274	}
	275
	276	mutex_lock(&capsule_mutex);
	277	rv = efi_capsule_update_locked(capsule, sg_pages, reset_type);
	278	mutex_unlock(&capsule_mutex);
	279
	280	out:
	281	for (i = 0; rv && i < sg_count; i++) {
	282	if (sg_pages[i])
	283	__free_page(sg_pages[i]);
	284	}
	285
	286	kfree(sg_pages);
	287	return rv;
	288	}
	289	EXPORT_SYMBOL_GPL(efi_capsule_update);
	290
	291	static int capsule_reboot_notify(struct notifier_block nb, unsigned long event, void cmd)
	292	{
	293	mutex_lock(&capsule_mutex);
	294	stop_capsules = true;
	295	mutex_unlock(&capsule_mutex);
	296
	297	return NOTIFY_DONE;
	298	}
	299
	300	static struct notifier_block capsule_reboot_nb = {
	301	.notifier_call = capsule_reboot_notify,
	302	};
	303
	304	static int __init capsule_reboot_register(void)
	305	{
	306	return register_reboot_notifier(&capsule_reboot_nb);
	307	}
	308	core_initcall(capsule_reboot_register);