1 // SPDX-License-Identifier: GPL-2.0
2 
3 #include <linux/bitfield.h>
4 #include <linux/of.h>
5 #include <linux/firmware.h>
6 #include <linux/crc-itu-t.h>
7 #include <linux/nvmem-consumer.h>
8 
9 #include <linux/unaligned.h>
10 
11 #include "aquantia.h"
12 
13 #define UP_RESET_SLEEP		100
14 
15 /* addresses of memory segments in the phy */
16 #define DRAM_BASE_ADDR		0x3FFE0000
17 #define IRAM_BASE_ADDR		0x40000000
18 
19 /* firmware image format constants */
20 #define VERSION_STRING_SIZE		0x40
21 #define VERSION_STRING_OFFSET		0x0200
22 /* primary offset is written at an offset from the start of the fw blob */
23 #define PRIMARY_OFFSET_OFFSET		0x8
24 /* primary offset needs to be then added to a base offset */
25 #define PRIMARY_OFFSET_SHIFT		12
26 #define PRIMARY_OFFSET(x)		((x) << PRIMARY_OFFSET_SHIFT)
27 #define HEADER_OFFSET			0x300
28 
29 struct aqr_fw_header {
30 	u32 padding;
31 	u8 iram_offset[3];
32 	u8 iram_size[3];
33 	u8 dram_offset[3];
34 	u8 dram_size[3];
35 } __packed;
36 
37 enum aqr_fw_src {
38 	AQR_FW_SRC_NVMEM = 0,
39 	AQR_FW_SRC_FS,
40 };
41 
42 static const char * const aqr_fw_src_string[] = {
43 	[AQR_FW_SRC_NVMEM] = "NVMEM",
44 	[AQR_FW_SRC_FS] = "FS",
45 };
46 
47 /* AQR firmware doesn't have fixed offsets for iram and dram section
48  * but instead provide an header with the offset to use on reading
49  * and parsing the firmware.
50  *
51  * AQR firmware can't be trusted and each offset is validated to be
52  * not negative and be in the size of the firmware itself.
53  */
aqr_fw_validate_get(size_t size,size_t offset,size_t get_size)54 static bool aqr_fw_validate_get(size_t size, size_t offset, size_t get_size)
55 {
56 	return offset + get_size <= size;
57 }
58 
aqr_fw_get_be16(const u8 * data,size_t offset,size_t size,u16 * value)59 static int aqr_fw_get_be16(const u8 *data, size_t offset, size_t size, u16 *value)
60 {
61 	if (!aqr_fw_validate_get(size, offset, sizeof(u16)))
62 		return -EINVAL;
63 
64 	*value = get_unaligned_be16(data + offset);
65 
66 	return 0;
67 }
68 
aqr_fw_get_le16(const u8 * data,size_t offset,size_t size,u16 * value)69 static int aqr_fw_get_le16(const u8 *data, size_t offset, size_t size, u16 *value)
70 {
71 	if (!aqr_fw_validate_get(size, offset, sizeof(u16)))
72 		return -EINVAL;
73 
74 	*value = get_unaligned_le16(data + offset);
75 
76 	return 0;
77 }
78 
aqr_fw_get_le24(const u8 * data,size_t offset,size_t size,u32 * value)79 static int aqr_fw_get_le24(const u8 *data, size_t offset, size_t size, u32 *value)
80 {
81 	if (!aqr_fw_validate_get(size, offset, sizeof(u8) * 3))
82 		return -EINVAL;
83 
84 	*value = get_unaligned_le24(data + offset);
85 
86 	return 0;
87 }
88 
89 /* load data into the phy's memory */
aqr_fw_load_memory(struct phy_device * phydev,u32 addr,const u8 * data,size_t len)90 static int aqr_fw_load_memory(struct phy_device *phydev, u32 addr,
91 			      const u8 *data, size_t len)
92 {
93 	u16 crc = 0, up_crc;
94 	size_t pos;
95 
96 	phy_write_mmd(phydev, MDIO_MMD_VEND1,
97 		      VEND1_GLOBAL_MAILBOX_INTERFACE1,
98 		      VEND1_GLOBAL_MAILBOX_INTERFACE1_CRC_RESET);
99 	phy_write_mmd(phydev, MDIO_MMD_VEND1,
100 		      VEND1_GLOBAL_MAILBOX_INTERFACE3,
101 		      VEND1_GLOBAL_MAILBOX_INTERFACE3_MSW_ADDR(addr));
102 	phy_write_mmd(phydev, MDIO_MMD_VEND1,
103 		      VEND1_GLOBAL_MAILBOX_INTERFACE4,
104 		      VEND1_GLOBAL_MAILBOX_INTERFACE4_LSW_ADDR(addr));
105 
106 	/* We assume and enforce the size to be word aligned.
107 	 * If a firmware that is not word aligned is found, please report upstream.
108 	 */
109 	for (pos = 0; pos < len; pos += sizeof(u32)) {
110 		u8 crc_data[4];
111 		u32 word;
112 
113 		/* FW data is always stored in little-endian */
114 		word = get_unaligned_le32((const u32 *)(data + pos));
115 
116 		phy_write_mmd(phydev, MDIO_MMD_VEND1, VEND1_GLOBAL_MAILBOX_INTERFACE5,
117 			      VEND1_GLOBAL_MAILBOX_INTERFACE5_MSW_DATA(word));
118 		phy_write_mmd(phydev, MDIO_MMD_VEND1, VEND1_GLOBAL_MAILBOX_INTERFACE6,
119 			      VEND1_GLOBAL_MAILBOX_INTERFACE6_LSW_DATA(word));
120 
121 		phy_write_mmd(phydev, MDIO_MMD_VEND1, VEND1_GLOBAL_MAILBOX_INTERFACE1,
122 			      VEND1_GLOBAL_MAILBOX_INTERFACE1_EXECUTE |
123 			      VEND1_GLOBAL_MAILBOX_INTERFACE1_WRITE);
124 
125 		/* Word is swapped internally and MAILBOX CRC is calculated
126 		 * using big-endian order. Mimic what the PHY does to have a
127 		 * matching CRC...
128 		 */
129 		crc_data[0] = word >> 24;
130 		crc_data[1] = word >> 16;
131 		crc_data[2] = word >> 8;
132 		crc_data[3] = word;
133 
134 		/* ...calculate CRC as we load data... */
135 		crc = crc_itu_t(crc, crc_data, sizeof(crc_data));
136 	}
137 	/* ...gets CRC from MAILBOX after we have loaded the entire section... */
138 	up_crc = phy_read_mmd(phydev, MDIO_MMD_VEND1, VEND1_GLOBAL_MAILBOX_INTERFACE2);
139 	/* ...and make sure it does match our calculated CRC */
140 	if (crc != up_crc) {
141 		phydev_err(phydev, "CRC mismatch: calculated 0x%04x PHY 0x%04x\n",
142 			   crc, up_crc);
143 		return -EINVAL;
144 	}
145 
146 	return 0;
147 }
148 
aqr_fw_boot(struct phy_device * phydev,const u8 * data,size_t size,enum aqr_fw_src fw_src)149 static int aqr_fw_boot(struct phy_device *phydev, const u8 *data, size_t size,
150 		       enum aqr_fw_src fw_src)
151 {
152 	u16 calculated_crc, read_crc, read_primary_offset;
153 	u32 iram_offset = 0, iram_size = 0;
154 	u32 dram_offset = 0, dram_size = 0;
155 	char version[VERSION_STRING_SIZE];
156 	u32 primary_offset = 0;
157 	int ret;
158 
159 	/* extract saved CRC at the end of the fw
160 	 * CRC is saved in big-endian as PHY is BE
161 	 */
162 	ret = aqr_fw_get_be16(data, size - sizeof(u16), size, &read_crc);
163 	if (ret) {
164 		phydev_err(phydev, "bad firmware CRC in firmware\n");
165 		return ret;
166 	}
167 	calculated_crc = crc_itu_t(0, data, size - sizeof(u16));
168 	if (read_crc != calculated_crc) {
169 		phydev_err(phydev, "bad firmware CRC: file 0x%04x calculated 0x%04x\n",
170 			   read_crc, calculated_crc);
171 		return -EINVAL;
172 	}
173 
174 	/* Get the primary offset to extract DRAM and IRAM sections. */
175 	ret = aqr_fw_get_le16(data, PRIMARY_OFFSET_OFFSET, size, &read_primary_offset);
176 	if (ret) {
177 		phydev_err(phydev, "bad primary offset in firmware\n");
178 		return ret;
179 	}
180 	primary_offset = PRIMARY_OFFSET(read_primary_offset);
181 
182 	/* Find the DRAM and IRAM sections within the firmware file.
183 	 * Make sure the fw_header is correctly in the firmware.
184 	 */
185 	if (!aqr_fw_validate_get(size, primary_offset + HEADER_OFFSET,
186 				 sizeof(struct aqr_fw_header))) {
187 		phydev_err(phydev, "bad fw_header in firmware\n");
188 		return -EINVAL;
189 	}
190 
191 	/* offset are in LE and values needs to be converted to cpu endian */
192 	ret = aqr_fw_get_le24(data, primary_offset + HEADER_OFFSET +
193 			      offsetof(struct aqr_fw_header, iram_offset),
194 			      size, &iram_offset);
195 	if (ret) {
196 		phydev_err(phydev, "bad iram offset in firmware\n");
197 		return ret;
198 	}
199 	ret = aqr_fw_get_le24(data, primary_offset + HEADER_OFFSET +
200 			      offsetof(struct aqr_fw_header, iram_size),
201 			      size, &iram_size);
202 	if (ret) {
203 		phydev_err(phydev, "invalid iram size in firmware\n");
204 		return ret;
205 	}
206 	ret = aqr_fw_get_le24(data, primary_offset + HEADER_OFFSET +
207 			      offsetof(struct aqr_fw_header, dram_offset),
208 			      size, &dram_offset);
209 	if (ret) {
210 		phydev_err(phydev, "bad dram offset in firmware\n");
211 		return ret;
212 	}
213 	ret = aqr_fw_get_le24(data, primary_offset + HEADER_OFFSET +
214 			      offsetof(struct aqr_fw_header, dram_size),
215 			      size, &dram_size);
216 	if (ret) {
217 		phydev_err(phydev, "invalid dram size in firmware\n");
218 		return ret;
219 	}
220 
221 	/* Increment the offset with the primary offset.
222 	 * Validate iram/dram offset and size.
223 	 */
224 	iram_offset += primary_offset;
225 	if (iram_size % sizeof(u32)) {
226 		phydev_err(phydev, "iram size if not aligned to word size. Please report this upstream!\n");
227 		return -EINVAL;
228 	}
229 	if (!aqr_fw_validate_get(size, iram_offset, iram_size)) {
230 		phydev_err(phydev, "invalid iram offset for iram size\n");
231 		return -EINVAL;
232 	}
233 
234 	dram_offset += primary_offset;
235 	if (dram_size % sizeof(u32)) {
236 		phydev_err(phydev, "dram size if not aligned to word size. Please report this upstream!\n");
237 		return -EINVAL;
238 	}
239 	if (!aqr_fw_validate_get(size, dram_offset, dram_size)) {
240 		phydev_err(phydev, "invalid iram offset for iram size\n");
241 		return -EINVAL;
242 	}
243 
244 	phydev_dbg(phydev, "primary %d IRAM offset=%d size=%d DRAM offset=%d size=%d\n",
245 		   primary_offset, iram_offset, iram_size, dram_offset, dram_size);
246 
247 	if (!aqr_fw_validate_get(size, dram_offset + VERSION_STRING_OFFSET,
248 				 VERSION_STRING_SIZE)) {
249 		phydev_err(phydev, "invalid version in firmware\n");
250 		return -EINVAL;
251 	}
252 	strscpy(version, (char *)data + dram_offset + VERSION_STRING_OFFSET,
253 		VERSION_STRING_SIZE);
254 	if (version[0] == '\0') {
255 		phydev_err(phydev, "invalid version in firmware\n");
256 		return -EINVAL;
257 	}
258 	phydev_info(phydev, "loading firmware version '%s' from '%s'\n", version,
259 		    aqr_fw_src_string[fw_src]);
260 
261 	/* stall the microcprocessor */
262 	phy_write_mmd(phydev, MDIO_MMD_VEND1, VEND1_GLOBAL_CONTROL2,
263 		      VEND1_GLOBAL_CONTROL2_UP_RUN_STALL | VEND1_GLOBAL_CONTROL2_UP_RUN_STALL_OVD);
264 
265 	phydev_dbg(phydev, "loading DRAM 0x%08x from offset=%d size=%d\n",
266 		   DRAM_BASE_ADDR, dram_offset, dram_size);
267 	ret = aqr_fw_load_memory(phydev, DRAM_BASE_ADDR, data + dram_offset,
268 				 dram_size);
269 	if (ret)
270 		return ret;
271 
272 	phydev_dbg(phydev, "loading IRAM 0x%08x from offset=%d size=%d\n",
273 		   IRAM_BASE_ADDR, iram_offset, iram_size);
274 	ret = aqr_fw_load_memory(phydev, IRAM_BASE_ADDR, data + iram_offset,
275 				 iram_size);
276 	if (ret)
277 		return ret;
278 
279 	/* make sure soft reset and low power mode are clear */
280 	phy_clear_bits_mmd(phydev, MDIO_MMD_VEND1, VEND1_GLOBAL_SC,
281 			   VEND1_GLOBAL_SC_SOFT_RESET | VEND1_GLOBAL_SC_LOW_POWER);
282 
283 	/* Release the microprocessor. UP_RESET must be held for 100 usec. */
284 	phy_write_mmd(phydev, MDIO_MMD_VEND1, VEND1_GLOBAL_CONTROL2,
285 		      VEND1_GLOBAL_CONTROL2_UP_RUN_STALL |
286 		      VEND1_GLOBAL_CONTROL2_UP_RUN_STALL_OVD |
287 		      VEND1_GLOBAL_CONTROL2_UP_RUN_STALL_RST);
288 	usleep_range(UP_RESET_SLEEP, UP_RESET_SLEEP * 2);
289 
290 	phy_write_mmd(phydev, MDIO_MMD_VEND1, VEND1_GLOBAL_CONTROL2,
291 		      VEND1_GLOBAL_CONTROL2_UP_RUN_STALL_OVD);
292 
293 	return 0;
294 }
295 
aqr_firmware_load_nvmem(struct phy_device * phydev)296 static int aqr_firmware_load_nvmem(struct phy_device *phydev)
297 {
298 	struct nvmem_cell *cell;
299 	size_t size;
300 	u8 *buf;
301 	int ret;
302 
303 	cell = nvmem_cell_get(&phydev->mdio.dev, "firmware");
304 	if (IS_ERR(cell))
305 		return PTR_ERR(cell);
306 
307 	buf = nvmem_cell_read(cell, &size);
308 	if (IS_ERR(buf)) {
309 		ret = PTR_ERR(buf);
310 		goto exit;
311 	}
312 
313 	ret = aqr_fw_boot(phydev, buf, size, AQR_FW_SRC_NVMEM);
314 	if (ret)
315 		phydev_err(phydev, "firmware loading failed: %d\n", ret);
316 
317 	kfree(buf);
318 exit:
319 	nvmem_cell_put(cell);
320 
321 	return ret;
322 }
323 
aqr_firmware_load_fs(struct phy_device * phydev)324 static int aqr_firmware_load_fs(struct phy_device *phydev)
325 {
326 	struct device *dev = &phydev->mdio.dev;
327 	const struct firmware *fw;
328 	const char *fw_name;
329 	int ret;
330 
331 	ret = of_property_read_string(dev->of_node, "firmware-name",
332 				      &fw_name);
333 	if (ret)
334 		return ret;
335 
336 	ret = request_firmware(&fw, fw_name, dev);
337 	if (ret) {
338 		phydev_err(phydev, "failed to find FW file %s (%d)\n",
339 			   fw_name, ret);
340 		return ret;
341 	}
342 
343 	ret = aqr_fw_boot(phydev, fw->data, fw->size, AQR_FW_SRC_FS);
344 	if (ret)
345 		phydev_err(phydev, "firmware loading failed: %d\n", ret);
346 
347 	release_firmware(fw);
348 
349 	return ret;
350 }
351 
aqr_firmware_load(struct phy_device * phydev)352 int aqr_firmware_load(struct phy_device *phydev)
353 {
354 	int ret;
355 
356 	/* Check if the firmware is not already loaded by polling
357 	 * the current version returned by the PHY.
358 	 */
359 	ret = aqr_wait_reset_complete(phydev);
360 	switch (ret) {
361 	case 0:
362 		/* Some firmware is loaded => do nothing */
363 		return 0;
364 	case -ETIMEDOUT:
365 		/* VEND1_GLOBAL_FW_ID still reads 0 after 2 seconds of polling.
366 		 * We don't have full confidence that no firmware is loaded (in
367 		 * theory it might just not have loaded yet), but we will
368 		 * assume that, and load a new image.
369 		 */
370 		ret = aqr_firmware_load_nvmem(phydev);
371 		if (!ret)
372 			return ret;
373 
374 		ret = aqr_firmware_load_fs(phydev);
375 		if (ret)
376 			return ret;
377 		break;
378 	default:
379 		/* PHY read error, propagate it to the caller */
380 		return ret;
381 	}
382 
383 	return 0;
384 }
385