1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Qualcomm Peripheral Image Loader
4 *
5 * Copyright (C) 2016 Linaro Ltd
6 * Copyright (C) 2015 Sony Mobile Communications Inc
7 * Copyright (c) 2012-2013, The Linux Foundation. All rights reserved.
8 */
9
10#include <linux/device.h>
11#include <linux/elf.h>
12#include <linux/firmware.h>
13#include <linux/kernel.h>
14#include <linux/module.h>
15#include <linux/firmware/qcom/qcom_scm.h>
16#include <linux/sizes.h>
17#include <linux/slab.h>
18#include <linux/soc/qcom/mdt_loader.h>
19
20static bool mdt_phdr_valid(const struct elf32_phdr *phdr)
21{
22 if (phdr->p_type != PT_LOAD)
23 return false;
24
25 if ((phdr->p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH)
26 return false;
27
28 if (!phdr->p_memsz)
29 return false;
30
31 return true;
32}
33
34static ssize_t mdt_load_split_segment(void *ptr, const struct elf32_phdr *phdrs,
35 unsigned int segment, const char *fw_name,
36 struct device *dev)
37{
38 const struct elf32_phdr *phdr = &phdrs[segment];
39 const struct firmware *seg_fw;
40 char *seg_name;
41 ssize_t ret;
42
43 if (strlen(fw_name) < 4)
44 return -EINVAL;
45
46 seg_name = kstrdup(s: fw_name, GFP_KERNEL);
47 if (!seg_name)
48 return -ENOMEM;
49
50 sprintf(buf: seg_name + strlen(fw_name) - 3, fmt: "b%02d", segment);
51 ret = request_firmware_into_buf(firmware_p: &seg_fw, name: seg_name, device: dev,
52 buf: ptr, size: phdr->p_filesz);
53 if (ret) {
54 dev_err(dev, "error %zd loading %s\n", ret, seg_name);
55 kfree(objp: seg_name);
56 return ret;
57 }
58
59 if (seg_fw->size != phdr->p_filesz) {
60 dev_err(dev,
61 "failed to load segment %d from truncated file %s\n",
62 segment, seg_name);
63 ret = -EINVAL;
64 }
65
66 release_firmware(fw: seg_fw);
67 kfree(objp: seg_name);
68
69 return ret;
70}
71
72/**
73 * qcom_mdt_get_size() - acquire size of the memory region needed to load mdt
74 * @fw: firmware object for the mdt file
75 *
76 * Returns size of the loaded firmware blob, or -EINVAL on failure.
77 */
78ssize_t qcom_mdt_get_size(const struct firmware *fw)
79{
80 const struct elf32_phdr *phdrs;
81 const struct elf32_phdr *phdr;
82 const struct elf32_hdr *ehdr;
83 phys_addr_t min_addr = PHYS_ADDR_MAX;
84 phys_addr_t max_addr = 0;
85 int i;
86
87 ehdr = (struct elf32_hdr *)fw->data;
88 phdrs = (struct elf32_phdr *)(ehdr + 1);
89
90 for (i = 0; i < ehdr->e_phnum; i++) {
91 phdr = &phdrs[i];
92
93 if (!mdt_phdr_valid(phdr))
94 continue;
95
96 if (phdr->p_paddr < min_addr)
97 min_addr = phdr->p_paddr;
98
99 if (phdr->p_paddr + phdr->p_memsz > max_addr)
100 max_addr = ALIGN(phdr->p_paddr + phdr->p_memsz, SZ_4K);
101 }
102
103 return min_addr < max_addr ? max_addr - min_addr : -EINVAL;
104}
105EXPORT_SYMBOL_GPL(qcom_mdt_get_size);
106
107/**
108 * qcom_mdt_read_metadata() - read header and metadata from mdt or mbn
109 * @fw: firmware of mdt header or mbn
110 * @data_len: length of the read metadata blob
111 * @fw_name: name of the firmware, for construction of segment file names
112 * @dev: device handle to associate resources with
113 *
114 * The mechanism that performs the authentication of the loading firmware
115 * expects an ELF header directly followed by the segment of hashes, with no
116 * padding inbetween. This function allocates a chunk of memory for this pair
117 * and copy the two pieces into the buffer.
118 *
119 * In the case of split firmware the hash is found directly following the ELF
120 * header, rather than at p_offset described by the second program header.
121 *
122 * The caller is responsible to free (kfree()) the returned pointer.
123 *
124 * Return: pointer to data, or ERR_PTR()
125 */
126void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len,
127 const char *fw_name, struct device *dev)
128{
129 const struct elf32_phdr *phdrs;
130 const struct elf32_hdr *ehdr;
131 unsigned int hash_segment = 0;
132 size_t hash_offset;
133 size_t hash_size;
134 size_t ehdr_size;
135 unsigned int i;
136 ssize_t ret;
137 void *data;
138
139 ehdr = (struct elf32_hdr *)fw->data;
140 phdrs = (struct elf32_phdr *)(ehdr + 1);
141
142 if (ehdr->e_phnum < 2)
143 return ERR_PTR(error: -EINVAL);
144
145 if (phdrs[0].p_type == PT_LOAD)
146 return ERR_PTR(error: -EINVAL);
147
148 for (i = 1; i < ehdr->e_phnum; i++) {
149 if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) {
150 hash_segment = i;
151 break;
152 }
153 }
154
155 if (!hash_segment) {
156 dev_err(dev, "no hash segment found in %s\n", fw_name);
157 return ERR_PTR(error: -EINVAL);
158 }
159
160 ehdr_size = phdrs[0].p_filesz;
161 hash_size = phdrs[hash_segment].p_filesz;
162
163 data = kmalloc(size: ehdr_size + hash_size, GFP_KERNEL);
164 if (!data)
165 return ERR_PTR(error: -ENOMEM);
166
167 /* Copy ELF header */
168 memcpy(data, fw->data, ehdr_size);
169
170 if (ehdr_size + hash_size == fw->size) {
171 /* Firmware is split and hash is packed following the ELF header */
172 hash_offset = phdrs[0].p_filesz;
173 memcpy(data + ehdr_size, fw->data + hash_offset, hash_size);
174 } else if (phdrs[hash_segment].p_offset + hash_size <= fw->size) {
175 /* Hash is in its own segment, but within the loaded file */
176 hash_offset = phdrs[hash_segment].p_offset;
177 memcpy(data + ehdr_size, fw->data + hash_offset, hash_size);
178 } else {
179 /* Hash is in its own segment, beyond the loaded file */
180 ret = mdt_load_split_segment(ptr: data + ehdr_size, phdrs, segment: hash_segment, fw_name, dev);
181 if (ret) {
182 kfree(objp: data);
183 return ERR_PTR(error: ret);
184 }
185 }
186
187 *data_len = ehdr_size + hash_size;
188
189 return data;
190}
191EXPORT_SYMBOL_GPL(qcom_mdt_read_metadata);
192
193/**
194 * qcom_mdt_pas_init() - initialize PAS region for firmware loading
195 * @dev: device handle to associate resources with
196 * @fw: firmware object for the mdt file
197 * @fw_name: name of the firmware, for construction of segment file names
198 * @pas_id: PAS identifier
199 * @mem_phys: physical address of allocated memory region
200 * @ctx: PAS metadata context, to be released by caller
201 *
202 * Returns 0 on success, negative errno otherwise.
203 */
204int qcom_mdt_pas_init(struct device *dev, const struct firmware *fw,
205 const char *fw_name, int pas_id, phys_addr_t mem_phys,
206 struct qcom_scm_pas_metadata *ctx)
207{
208 const struct elf32_phdr *phdrs;
209 const struct elf32_phdr *phdr;
210 const struct elf32_hdr *ehdr;
211 phys_addr_t min_addr = PHYS_ADDR_MAX;
212 phys_addr_t max_addr = 0;
213 bool relocate = false;
214 size_t metadata_len;
215 void *metadata;
216 int ret;
217 int i;
218
219 ehdr = (struct elf32_hdr *)fw->data;
220 phdrs = (struct elf32_phdr *)(ehdr + 1);
221
222 for (i = 0; i < ehdr->e_phnum; i++) {
223 phdr = &phdrs[i];
224
225 if (!mdt_phdr_valid(phdr))
226 continue;
227
228 if (phdr->p_flags & QCOM_MDT_RELOCATABLE)
229 relocate = true;
230
231 if (phdr->p_paddr < min_addr)
232 min_addr = phdr->p_paddr;
233
234 if (phdr->p_paddr + phdr->p_memsz > max_addr)
235 max_addr = ALIGN(phdr->p_paddr + phdr->p_memsz, SZ_4K);
236 }
237
238 metadata = qcom_mdt_read_metadata(fw, &metadata_len, fw_name, dev);
239 if (IS_ERR(ptr: metadata)) {
240 ret = PTR_ERR(ptr: metadata);
241 dev_err(dev, "error %d reading firmware %s metadata\n", ret, fw_name);
242 goto out;
243 }
244
245 ret = qcom_scm_pas_init_image(peripheral: pas_id, metadata, size: metadata_len, ctx);
246 kfree(objp: metadata);
247 if (ret) {
248 /* Invalid firmware metadata */
249 dev_err(dev, "error %d initializing firmware %s\n", ret, fw_name);
250 goto out;
251 }
252
253 if (relocate) {
254 ret = qcom_scm_pas_mem_setup(peripheral: pas_id, addr: mem_phys, size: max_addr - min_addr);
255 if (ret) {
256 /* Unable to set up relocation */
257 dev_err(dev, "error %d setting up firmware %s\n", ret, fw_name);
258 goto out;
259 }
260 }
261
262out:
263 return ret;
264}
265EXPORT_SYMBOL_GPL(qcom_mdt_pas_init);
266
267static bool qcom_mdt_bins_are_split(const struct firmware *fw, const char *fw_name)
268{
269 const struct elf32_phdr *phdrs;
270 const struct elf32_hdr *ehdr;
271 uint64_t seg_start, seg_end;
272 int i;
273
274 ehdr = (struct elf32_hdr *)fw->data;
275 phdrs = (struct elf32_phdr *)(ehdr + 1);
276
277 for (i = 0; i < ehdr->e_phnum; i++) {
278 /*
279 * The size of the MDT file is not padded to include any
280 * zero-sized segments at the end. Ignore these, as they should
281 * not affect the decision about image being split or not.
282 */
283 if (!phdrs[i].p_filesz)
284 continue;
285
286 seg_start = phdrs[i].p_offset;
287 seg_end = phdrs[i].p_offset + phdrs[i].p_filesz;
288 if (seg_start > fw->size || seg_end > fw->size)
289 return true;
290 }
291
292 return false;
293}
294
295static int __qcom_mdt_load(struct device *dev, const struct firmware *fw,
296 const char *fw_name, int pas_id, void *mem_region,
297 phys_addr_t mem_phys, size_t mem_size,
298 phys_addr_t *reloc_base, bool pas_init)
299{
300 const struct elf32_phdr *phdrs;
301 const struct elf32_phdr *phdr;
302 const struct elf32_hdr *ehdr;
303 phys_addr_t mem_reloc;
304 phys_addr_t min_addr = PHYS_ADDR_MAX;
305 ssize_t offset;
306 bool relocate = false;
307 bool is_split;
308 void *ptr;
309 int ret = 0;
310 int i;
311
312 if (!fw || !mem_region || !mem_phys || !mem_size)
313 return -EINVAL;
314
315 is_split = qcom_mdt_bins_are_split(fw, fw_name);
316 ehdr = (struct elf32_hdr *)fw->data;
317 phdrs = (struct elf32_phdr *)(ehdr + 1);
318
319 for (i = 0; i < ehdr->e_phnum; i++) {
320 phdr = &phdrs[i];
321
322 if (!mdt_phdr_valid(phdr))
323 continue;
324
325 if (phdr->p_flags & QCOM_MDT_RELOCATABLE)
326 relocate = true;
327
328 if (phdr->p_paddr < min_addr)
329 min_addr = phdr->p_paddr;
330 }
331
332 if (relocate) {
333 /*
334 * The image is relocatable, so offset each segment based on
335 * the lowest segment address.
336 */
337 mem_reloc = min_addr;
338 } else {
339 /*
340 * Image is not relocatable, so offset each segment based on
341 * the allocated physical chunk of memory.
342 */
343 mem_reloc = mem_phys;
344 }
345
346 for (i = 0; i < ehdr->e_phnum; i++) {
347 phdr = &phdrs[i];
348
349 if (!mdt_phdr_valid(phdr))
350 continue;
351
352 offset = phdr->p_paddr - mem_reloc;
353 if (offset < 0 || offset + phdr->p_memsz > mem_size) {
354 dev_err(dev, "segment outside memory range\n");
355 ret = -EINVAL;
356 break;
357 }
358
359 if (phdr->p_filesz > phdr->p_memsz) {
360 dev_err(dev,
361 "refusing to load segment %d with p_filesz > p_memsz\n",
362 i);
363 ret = -EINVAL;
364 break;
365 }
366
367 ptr = mem_region + offset;
368
369 if (phdr->p_filesz && !is_split) {
370 /* Firmware is large enough to be non-split */
371 if (phdr->p_offset + phdr->p_filesz > fw->size) {
372 dev_err(dev, "file %s segment %d would be truncated\n",
373 fw_name, i);
374 ret = -EINVAL;
375 break;
376 }
377
378 memcpy(ptr, fw->data + phdr->p_offset, phdr->p_filesz);
379 } else if (phdr->p_filesz) {
380 /* Firmware not large enough, load split-out segments */
381 ret = mdt_load_split_segment(ptr, phdrs, segment: i, fw_name, dev);
382 if (ret)
383 break;
384 }
385
386 if (phdr->p_memsz > phdr->p_filesz)
387 memset(ptr + phdr->p_filesz, 0, phdr->p_memsz - phdr->p_filesz);
388 }
389
390 if (reloc_base)
391 *reloc_base = mem_reloc;
392
393 return ret;
394}
395
396/**
397 * qcom_mdt_load() - load the firmware which header is loaded as fw
398 * @dev: device handle to associate resources with
399 * @fw: firmware object for the mdt file
400 * @firmware: name of the firmware, for construction of segment file names
401 * @pas_id: PAS identifier
402 * @mem_region: allocated memory region to load firmware into
403 * @mem_phys: physical address of allocated memory region
404 * @mem_size: size of the allocated memory region
405 * @reloc_base: adjusted physical address after relocation
406 *
407 * Returns 0 on success, negative errno otherwise.
408 */
409int qcom_mdt_load(struct device *dev, const struct firmware *fw,
410 const char *firmware, int pas_id, void *mem_region,
411 phys_addr_t mem_phys, size_t mem_size,
412 phys_addr_t *reloc_base)
413{
414 int ret;
415
416 ret = qcom_mdt_pas_init(dev, fw, firmware, pas_id, mem_phys, NULL);
417 if (ret)
418 return ret;
419
420 return __qcom_mdt_load(dev, fw, fw_name: firmware, pas_id, mem_region, mem_phys,
421 mem_size, reloc_base, pas_init: true);
422}
423EXPORT_SYMBOL_GPL(qcom_mdt_load);
424
425/**
426 * qcom_mdt_load_no_init() - load the firmware which header is loaded as fw
427 * @dev: device handle to associate resources with
428 * @fw: firmware object for the mdt file
429 * @firmware: name of the firmware, for construction of segment file names
430 * @pas_id: PAS identifier
431 * @mem_region: allocated memory region to load firmware into
432 * @mem_phys: physical address of allocated memory region
433 * @mem_size: size of the allocated memory region
434 * @reloc_base: adjusted physical address after relocation
435 *
436 * Returns 0 on success, negative errno otherwise.
437 */
438int qcom_mdt_load_no_init(struct device *dev, const struct firmware *fw,
439 const char *firmware, int pas_id,
440 void *mem_region, phys_addr_t mem_phys,
441 size_t mem_size, phys_addr_t *reloc_base)
442{
443 return __qcom_mdt_load(dev, fw, fw_name: firmware, pas_id, mem_region, mem_phys,
444 mem_size, reloc_base, pas_init: false);
445}
446EXPORT_SYMBOL_GPL(qcom_mdt_load_no_init);
447
448MODULE_DESCRIPTION("Firmware parser for Qualcomm MDT format");
449MODULE_LICENSE("GPL v2");
450

source code of linux/drivers/soc/qcom/mdt_loader.c