1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * EFI capsule support.
4 *
5 * Copyright 2013 Intel Corporation; author Matt Fleming
6 */
7
8 #define pr_fmt(fmt) "efi: " fmt
9
10 #include <linux/slab.h>
11 #include <linux/mutex.h>
12 #include <linux/highmem.h>
13 #include <linux/efi.h>
14 #include <linux/vmalloc.h>
15 #include <asm/io.h>
16
17 typedef struct {
18 u64 length;
19 u64 data;
20 } efi_capsule_block_desc_t;
21
22 static bool capsule_pending;
23 static bool stop_capsules;
24 static int efi_reset_type = -1;
25
26 /*
27 * capsule_mutex serialises access to both capsule_pending and
28 * efi_reset_type and stop_capsules.
29 */
30 static DEFINE_MUTEX(capsule_mutex);
31
32 /**
33 * efi_capsule_pending - has a capsule been passed to the firmware?
34 * @reset_type: store the type of EFI reset if capsule is pending
35 *
36 * To ensure that the registered capsule is processed correctly by the
37 * firmware we need to perform a specific type of reset. If a capsule is
38 * pending return the reset type in @reset_type.
39 *
40 * This function will race with callers of efi_capsule_update(), for
41 * example, calling this function while somebody else is in
42 * efi_capsule_update() but hasn't reached efi_capsue_update_locked()
43 * will miss the updates to capsule_pending and efi_reset_type after
44 * efi_capsule_update_locked() completes.
45 *
46 * A non-racy use is from platform reboot code because we use
47 * system_state to ensure no capsules can be sent to the firmware once
48 * we're at SYSTEM_RESTART. See efi_capsule_update_locked().
49 */
50 bool efi_capsule_pending(int *reset_type)
51 {
52 if (!capsule_pending)
53 return false;
54
55 if (reset_type)
56 *reset_type = efi_reset_type;
57
58 return true;
59 }
60
61 /*
62 * Whitelist of EFI capsule flags that we support.
63 *
64 * We do not handle EFI_CAPSULE_INITIATE_RESET because that would
65 * require us to prepare the kernel for reboot. Refuse to load any
66 * capsules with that flag and any other flags that we do not know how
67 * to handle.
68 */
69 #define EFI_CAPSULE_SUPPORTED_FLAG_MASK \
70 (EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE)
71
72 /**
73 * efi_capsule_supported - does the firmware support the capsule?
74 * @guid: vendor guid of capsule
75 * @flags: capsule flags
76 * @size: size of capsule data
77 * @reset: the reset type required for this capsule
78 *
79 * Check whether a capsule with @flags is supported by the firmware
80 * and that @size doesn't exceed the maximum size for a capsule.
81 *
82 * No attempt is made to check @reset against the reset type required
83 * by any pending capsules because of the races involved.
84 */
85 int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
86 {
87 efi_capsule_header_t capsule;
88 efi_capsule_header_t *cap_list[] = { &capsule };
89 efi_status_t status;
90 u64 max_size;
91
92 if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
93 return -EINVAL;
94
95 capsule.headersize = capsule.imagesize = sizeof(capsule);
96 memcpy(&capsule.guid, &guid, sizeof(efi_guid_t));
97 capsule.flags = flags;
98
99 status = efi.query_capsule_caps(cap_list, 1, &max_size, reset);
100 if (status != EFI_SUCCESS)
101 return efi_status_to_err(status);
102
103 if (size > max_size)
104 return -ENOSPC;
105
106 return 0;
107 }
108 EXPORT_SYMBOL_GPL(efi_capsule_supported);
109
110 /*
111 * Every scatter gather list (block descriptor) page must end with a
112 * continuation pointer. The last continuation pointer of the last
113 * page must be zero to mark the end of the chain.
114 */
115 #define SGLIST_PER_PAGE ((PAGE_SIZE / sizeof(efi_capsule_block_desc_t)) - 1)
116
117 /*
118 * How many scatter gather list (block descriptor) pages do we need
119 * to map @count pages?
120 */
121 static inline unsigned int sg_pages_num(unsigned int count)
122 {
123 return DIV_ROUND_UP(count, SGLIST_PER_PAGE);
124 }
125
126 /**
127 * efi_capsule_update_locked - pass a single capsule to the firmware
128 * @capsule: capsule to send to the firmware
129 * @sg_pages: array of scatter gather (block descriptor) pages
130 * @reset: the reset type required for @capsule
131 *
132 * Since this function must be called under capsule_mutex check
133 * whether efi_reset_type will conflict with @reset, and atomically
134 * set it and capsule_pending if a capsule was successfully sent to
135 * the firmware.
136 *
137 * We also check to see if the system is about to restart, and if so,
138 * abort. This avoids races between efi_capsule_update() and
139 * efi_capsule_pending().
140 */
141 static int
142 efi_capsule_update_locked(efi_capsule_header_t *capsule,
143 struct page **sg_pages, int reset)
144 {
145 efi_physical_addr_t sglist_phys;
146 efi_status_t status;
147
148 lockdep_assert_held(&capsule_mutex);
149
150 /*
151 * If someone has already registered a capsule that requires a
152 * different reset type, we're out of luck and must abort.
153 */
154 if (efi_reset_type >= 0 && efi_reset_type != reset) {
155 pr_err("Conflicting capsule reset type %d (%d).\n",
156 reset, efi_reset_type);
157 return -EINVAL;
158 }
159
160 /*
161 * If the system is getting ready to restart it may have
162 * called efi_capsule_pending() to make decisions (such as
163 * whether to force an EFI reboot), and we're racing against
164 * that call. Abort in that case.
165 */
166 if (unlikely(stop_capsules)) {
167 pr_warn("Capsule update raced with reboot, aborting.\n");
168 return -EINVAL;
169 }
170
171 sglist_phys = page_to_phys(sg_pages[0]);
172
173 status = efi.update_capsule(&capsule, 1, sglist_phys);
174 if (status == EFI_SUCCESS) {
175 capsule_pending = true;
176 efi_reset_type = reset;
177 }
178
179 return efi_status_to_err(status);
180 }
181
182 /**
183 * efi_capsule_update - send a capsule to the firmware
184 * @capsule: capsule to send to firmware
185 * @pages: an array of capsule data pages
186 *
187 * Build a scatter gather list with EFI capsule block descriptors to
188 * map the capsule described by @capsule with its data in @pages and
189 * send it to the firmware via the UpdateCapsule() runtime service.
190 *
191 * @capsule must be a virtual mapping of the complete capsule update in the
192 * kernel address space, as the capsule can be consumed immediately.
193 * A capsule_header_t that describes the entire contents of the capsule
194 * must be at the start of the first data page.
195 *
196 * Even though this function will validate that the firmware supports
197 * the capsule guid, users will likely want to check that
198 * efi_capsule_supported() returns true before calling this function
199 * because it makes it easier to print helpful error messages.
200 *
201 * If the capsule is successfully submitted to the firmware, any
202 * subsequent calls to efi_capsule_pending() will return true. @pages
203 * must not be released or modified if this function returns
204 * successfully.
205 *
206 * Callers must be prepared for this function to fail, which can
207 * happen if we raced with system reboot or if there is already a
208 * pending capsule that has a reset type that conflicts with the one
209 * required by @capsule. Do NOT use efi_capsule_pending() to detect
210 * this conflict since that would be racy. Instead, submit the capsule
211 * to efi_capsule_update() and check the return value.
212 *
213 * Return 0 on success, a converted EFI status code on failure.
214 */
215 int efi_capsule_update(efi_capsule_header_t *capsule, phys_addr_t *pages)
216 {
217 u32 imagesize = capsule->imagesize;
218 efi_guid_t guid = capsule->guid;
219 unsigned int count, sg_count;
220 u32 flags = capsule->flags;
221 struct page **sg_pages;
222 int rv, reset_type;
223 int i, j;
224
225 rv = efi_capsule_supported(guid, flags, imagesize, &reset_type);
226 if (rv)
227 return rv;
228
229 count = DIV_ROUND_UP(imagesize, PAGE_SIZE);
230 sg_count = sg_pages_num(count);
231
232 sg_pages = kcalloc(sg_count, sizeof(*sg_pages), GFP_KERNEL);
233 if (!sg_pages)
234 return -ENOMEM;
235
236 for (i = 0; i < sg_count; i++) {
237 sg_pages[i] = alloc_page(GFP_KERNEL);
238 if (!sg_pages[i]) {
239 rv = -ENOMEM;
240 goto out;
241 }
242 }
243
244 for (i = 0; i < sg_count; i++) {
245 efi_capsule_block_desc_t *sglist;
246
247 sglist = kmap(sg_pages[i]);
248
249 for (j = 0; j < SGLIST_PER_PAGE && count > 0; j++) {
250 u64 sz = min_t(u64, imagesize,
251 PAGE_SIZE - (u64)*pages % PAGE_SIZE);
252
253 sglist[j].length = sz;
254 sglist[j].data = *pages++;
255
256 imagesize -= sz;
257 count--;
258 }
259
260 /* Continuation pointer */
261 sglist[j].length = 0;
262
263 if (i + 1 == sg_count)
264 sglist[j].data = 0;
265 else
266 sglist[j].data = page_to_phys(sg_pages[i + 1]);
267
268 kunmap(sg_pages[i]);
269 }
270
271 mutex_lock(&capsule_mutex);
272 rv = efi_capsule_update_locked(capsule, sg_pages, reset_type);
273 mutex_unlock(&capsule_mutex);
274
275 out:
276 for (i = 0; rv && i < sg_count; i++) {
277 if (sg_pages[i])
278 __free_page(sg_pages[i]);
279 }
280
281 kfree(sg_pages);
282 return rv;
283 }
284 EXPORT_SYMBOL_GPL(efi_capsule_update);
285
286 static int capsule_reboot_notify(struct notifier_block *nb, unsigned long event, void *cmd)
287 {
288 mutex_lock(&capsule_mutex);
289 stop_capsules = true;
290 mutex_unlock(&capsule_mutex);
291
292 return NOTIFY_DONE;
293 }
294
295 static struct notifier_block capsule_reboot_nb = {
296 .notifier_call = capsule_reboot_notify,
297 };
298
299 static int __init capsule_reboot_register(void)
300 {
301 return register_reboot_notifier(&capsule_reboot_nb);
302 }
303 core_initcall(capsule_reboot_register);