Back to home page

OSCL-LXR
 
 

     

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * EFI capsule support.
0004  *
0005  * Copyright 2013 Intel Corporation; author Matt Fleming
0006  */
0007 
0008 #define pr_fmt(fmt) "efi: " fmt
0009 
0010 #include <linux/slab.h>
0011 #include <linux/mutex.h>
0012 #include <linux/highmem.h>
0013 #include <linux/efi.h>
0014 #include <linux/vmalloc.h>
0015 #include <asm/efi.h>
0016 #include <asm/io.h>
0017 
0018 typedef struct {
0019     u64 length;
0020     u64 data;
0021 } efi_capsule_block_desc_t;
0022 
0023 static bool capsule_pending;
0024 static bool stop_capsules;
0025 static int efi_reset_type = -1;
0026 
0027 /*
0028  * capsule_mutex serialises access to both capsule_pending and
0029  * efi_reset_type and stop_capsules.
0030  */
0031 static DEFINE_MUTEX(capsule_mutex);
0032 
0033 /**
0034  * efi_capsule_pending - has a capsule been passed to the firmware?
0035  * @reset_type: store the type of EFI reset if capsule is pending
0036  *
0037  * To ensure that the registered capsule is processed correctly by the
0038  * firmware we need to perform a specific type of reset. If a capsule is
0039  * pending return the reset type in @reset_type.
0040  *
0041  * This function will race with callers of efi_capsule_update(), for
0042  * example, calling this function while somebody else is in
0043  * efi_capsule_update() but hasn't reached efi_capsue_update_locked()
0044  * will miss the updates to capsule_pending and efi_reset_type after
0045  * efi_capsule_update_locked() completes.
0046  *
0047  * A non-racy use is from platform reboot code because we use
0048  * system_state to ensure no capsules can be sent to the firmware once
0049  * we're at SYSTEM_RESTART. See efi_capsule_update_locked().
0050  */
0051 bool efi_capsule_pending(int *reset_type)
0052 {
0053     if (!capsule_pending)
0054         return false;
0055 
0056     if (reset_type)
0057         *reset_type = efi_reset_type;
0058 
0059     return true;
0060 }
0061 
0062 /*
0063  * Whitelist of EFI capsule flags that we support.
0064  *
0065  * We do not handle EFI_CAPSULE_INITIATE_RESET because that would
0066  * require us to prepare the kernel for reboot. Refuse to load any
0067  * capsules with that flag and any other flags that we do not know how
0068  * to handle.
0069  */
0070 #define EFI_CAPSULE_SUPPORTED_FLAG_MASK         \
0071     (EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE)
0072 
0073 /**
0074  * efi_capsule_supported - does the firmware support the capsule?
0075  * @guid: vendor guid of capsule
0076  * @flags: capsule flags
0077  * @size: size of capsule data
0078  * @reset: the reset type required for this capsule
0079  *
0080  * Check whether a capsule with @flags is supported by the firmware
0081  * and that @size doesn't exceed the maximum size for a capsule.
0082  *
0083  * No attempt is made to check @reset against the reset type required
0084  * by any pending capsules because of the races involved.
0085  */
0086 int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
0087 {
0088     efi_capsule_header_t capsule;
0089     efi_capsule_header_t *cap_list[] = { &capsule };
0090     efi_status_t status;
0091     u64 max_size;
0092 
0093     if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
0094         return -EINVAL;
0095 
0096     capsule.headersize = capsule.imagesize = sizeof(capsule);
0097     memcpy(&capsule.guid, &guid, sizeof(efi_guid_t));
0098     capsule.flags = flags;
0099 
0100     status = efi.query_capsule_caps(cap_list, 1, &max_size, reset);
0101     if (status != EFI_SUCCESS)
0102         return efi_status_to_err(status);
0103 
0104     if (size > max_size)
0105         return -ENOSPC;
0106 
0107     return 0;
0108 }
0109 EXPORT_SYMBOL_GPL(efi_capsule_supported);
0110 
0111 /*
0112  * Every scatter gather list (block descriptor) page must end with a
0113  * continuation pointer. The last continuation pointer of the last
0114  * page must be zero to mark the end of the chain.
0115  */
0116 #define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1)
0117 
0118 /*
0119  * How many scatter gather list (block descriptor) pages do we need
0120  * to map @count pages?
0121  */
0122 static inline unsigned int sg_pages_num(unsigned int count)
0123 {
0124     return DIV_ROUND_UP(count, SGLIST_PER_PAGE);
0125 }
0126 
0127 /**
0128  * efi_capsule_update_locked - pass a single capsule to the firmware
0129  * @capsule: capsule to send to the firmware
0130  * @sg_pages: array of scatter gather (block descriptor) pages
0131  * @reset: the reset type required for @capsule
0132  *
0133  * Since this function must be called under capsule_mutex check
0134  * whether efi_reset_type will conflict with @reset, and atomically
0135  * set it and capsule_pending if a capsule was successfully sent to
0136  * the firmware.
0137  *
0138  * We also check to see if the system is about to restart, and if so,
0139  * abort. This avoids races between efi_capsule_update() and
0140  * efi_capsule_pending().
0141  */
0142 static int
0143 efi_capsule_update_locked(efi_capsule_header_t *capsule,
0144               struct page **sg_pages, int reset)
0145 {
0146     efi_physical_addr_t sglist_phys;
0147     efi_status_t status;
0148 
0149     lockdep_assert_held(&capsule_mutex);
0150 
0151     /*
0152      * If someone has already registered a capsule that requires a
0153      * different reset type, we're out of luck and must abort.
0154      */
0155     if (efi_reset_type >= 0 && efi_reset_type != reset) {
0156         pr_err("Conflicting capsule reset type %d (%d).\n",
0157                reset, efi_reset_type);
0158         return -EINVAL;
0159     }
0160 
0161     /*
0162      * If the system is getting ready to restart it may have
0163      * called efi_capsule_pending() to make decisions (such as
0164      * whether to force an EFI reboot), and we're racing against
0165      * that call. Abort in that case.
0166      */
0167     if (unlikely(stop_capsules)) {
0168         pr_warn("Capsule update raced with reboot, aborting.\n");
0169         return -EINVAL;
0170     }
0171 
0172     sglist_phys = page_to_phys(sg_pages[0]);
0173 
0174     status = efi.update_capsule(&capsule, 1, sglist_phys);
0175     if (status == EFI_SUCCESS) {
0176         capsule_pending = true;
0177         efi_reset_type = reset;
0178     }
0179 
0180     return efi_status_to_err(status);
0181 }
0182 
0183 /**
0184  * efi_capsule_update - send a capsule to the firmware
0185  * @capsule: capsule to send to firmware
0186  * @pages: an array of capsule data pages
0187  *
0188  * Build a scatter gather list with EFI capsule block descriptors to
0189  * map the capsule described by @capsule with its data in @pages and
0190  * send it to the firmware via the UpdateCapsule() runtime service.
0191  *
0192  * @capsule must be a virtual mapping of the complete capsule update in the
0193  * kernel address space, as the capsule can be consumed immediately.
0194  * A capsule_header_t that describes the entire contents of the capsule
0195  * must be at the start of the first data page.
0196  *
0197  * Even though this function will validate that the firmware supports
0198  * the capsule guid, users will likely want to check that
0199  * efi_capsule_supported() returns true before calling this function
0200  * because it makes it easier to print helpful error messages.
0201  *
0202  * If the capsule is successfully submitted to the firmware, any
0203  * subsequent calls to efi_capsule_pending() will return true. @pages
0204  * must not be released or modified if this function returns
0205  * successfully.
0206  *
0207  * Callers must be prepared for this function to fail, which can
0208  * happen if we raced with system reboot or if there is already a
0209  * pending capsule that has a reset type that conflicts with the one
0210  * required by @capsule. Do NOT use efi_capsule_pending() to detect
0211  * this conflict since that would be racy. Instead, submit the capsule
0212  * to efi_capsule_update() and check the return value.
0213  *
0214  * Return 0 on success, a converted EFI status code on failure.
0215  */
0216 int efi_capsule_update(efi_capsule_header_t *capsule, phys_addr_t *pages)
0217 {
0218     u32 imagesize = capsule->imagesize;
0219     efi_guid_t guid = capsule->guid;
0220     unsigned int count, sg_count;
0221     u32 flags = capsule->flags;
0222     struct page **sg_pages;
0223     int rv, reset_type;
0224     int i, j;
0225 
0226     rv = efi_capsule_supported(guid, flags, imagesize, &reset_type);
0227     if (rv)
0228         return rv;
0229 
0230     count = DIV_ROUND_UP(imagesize, PAGE_SIZE);
0231     sg_count = sg_pages_num(count);
0232 
0233     sg_pages = kcalloc(sg_count, sizeof(*sg_pages), GFP_KERNEL);
0234     if (!sg_pages)
0235         return -ENOMEM;
0236 
0237     for (i = 0; i < sg_count; i++) {
0238         sg_pages[i] = alloc_page(GFP_KERNEL);
0239         if (!sg_pages[i]) {
0240             rv = -ENOMEM;
0241             goto out;
0242         }
0243     }
0244 
0245     for (i = 0; i < sg_count; i++) {
0246         efi_capsule_block_desc_t *sglist;
0247 
0248         sglist = kmap_atomic(sg_pages[i]);
0249 
0250         for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) {
0251             u64 sz = min_t(u64, imagesize,
0252                        PAGE_SIZE - (u64)*pages % PAGE_SIZE);
0253 
0254             sglist[j].length = sz;
0255             sglist[j].data = *pages++;
0256 
0257             imagesize -= sz;
0258             count--;
0259         }
0260 
0261         /* Continuation pointer */
0262         sglist[j].length = 0;
0263 
0264         if (i + 1 == sg_count)
0265             sglist[j].data = 0;
0266         else
0267             sglist[j].data = page_to_phys(sg_pages[i + 1]);
0268 
0269 #if defined(CONFIG_ARM) || defined(CONFIG_ARM64)
0270         /*
0271          * At runtime, the firmware has no way to find out where the
0272          * sglist elements are mapped, if they are mapped in the first
0273          * place. Therefore, on architectures that can only perform
0274          * cache maintenance by virtual address, the firmware is unable
0275          * to perform this maintenance, and so it is up to the OS to do
0276          * it instead.
0277          */
0278         efi_capsule_flush_cache_range(sglist, PAGE_SIZE);
0279 #endif
0280         kunmap_atomic(sglist);
0281     }
0282 
0283     mutex_lock(&capsule_mutex);
0284     rv = efi_capsule_update_locked(capsule, sg_pages, reset_type);
0285     mutex_unlock(&capsule_mutex);
0286 
0287 out:
0288     for (i = 0; rv && i < sg_count; i++) {
0289         if (sg_pages[i])
0290             __free_page(sg_pages[i]);
0291     }
0292 
0293     kfree(sg_pages);
0294     return rv;
0295 }
0296 EXPORT_SYMBOL_GPL(efi_capsule_update);
0297 
0298 static int capsule_reboot_notify(struct notifier_block *nb, unsigned long event, void *cmd)
0299 {
0300     mutex_lock(&capsule_mutex);
0301     stop_capsules = true;
0302     mutex_unlock(&capsule_mutex);
0303 
0304     return NOTIFY_DONE;
0305 }
0306 
0307 static struct notifier_block capsule_reboot_nb = {
0308     .notifier_call = capsule_reboot_notify,
0309 };
0310 
0311 static int __init capsule_reboot_register(void)
0312 {
0313     return register_reboot_notifier(&capsule_reboot_nb);
0314 }
0315 core_initcall(capsule_reboot_register);
Source navigation ] Diff markup ] Identifier search ] general search ]

This page was automatically generated by the 2.1.0 LXR engine.

The LXR team
Valid CSS 2.1! Valid HTML 4.01!