xref: /kvmtool/hw/cfi_flash.c (revision 25cf3198b589292cf14880c53873de9ff87e089d) 
1 #include <stdbool.h>
2 #include <stdlib.h>
3 #include <string.h>
4 #include <linux/bitops.h>
5 #include <linux/err.h>
6 #include <linux/sizes.h>
7 #include <linux/types.h>
8 
9 #include "kvm/kvm.h"
10 #include "kvm/kvm-arch.h"
11 #include "kvm/devices.h"
12 #include "kvm/fdt.h"
13 #include "kvm/mutex.h"
14 #include "kvm/util.h"
15 
16 /*
17  * The EDK2 driver hardcodes two 16-bit chips on a 32-bit bus.
18  * This code supports one or two chips (enforced below).
19  */
20 #define CFI_NR_FLASH_CHIPS			2
21 
22 /* We always emulate a 32 bit bus width. */
23 #define CFI_BUS_WIDTH				4
24 
25 /* The *effective* size of an erase block (over all chips) */
26 #define FLASH_BLOCK_SIZE			SZ_64K
27 #define FLASH_BLOCK_SIZE_PER_CHIP					\
28 	(FLASH_BLOCK_SIZE / CFI_NR_FLASH_CHIPS)
29 
30 #define PROGRAM_BUFF_SIZE_BITS			7
31 #define PROGRAM_BUFF_SIZE			(1U << PROGRAM_BUFF_SIZE_BITS)
32 #define PROGRAM_BUFF_SIZE_BITS_PER_CHIP					\
33 	(PROGRAM_BUFF_SIZE_BITS + 1 - CFI_NR_FLASH_CHIPS)
34 
35 /* CFI commands */
36 #define CFI_CMD_LOCK_BLOCK			0x01
37 #define CFI_CMD_ALTERNATE_WORD_PROGRAM		0x10
38 #define CFI_CMD_ERASE_BLOCK_SETUP		0x20
39 #define CFI_CMD_WORD_PROGRAM			0x40
40 #define CFI_CMD_CLEAR_STATUS_REG		0x50
41 #define CFI_CMD_LOCK_BLOCK_SETUP		0x60
42 #define CFI_CMD_READ_STATUS_REG			0x70
43 #define CFI_CMD_READ_JEDEC_DEVID		0x90
44 #define CFI_CMD_READ_CFI_QUERY			0x98
45 #define CFI_CMD_CONFIRM				0xd0
46 #define CFI_CMD_BUFFERED_PROGRAM_SETUP		0xe8
47 #define CFI_CMD_READ_ARRAY			0xff
48 
49 #define CFI_STATUS_PROTECT_BIT		0x02
50 #define CFI_STATUS_PROGRAM_LOCK_BIT	0x10
51 #define CFI_STATUS_ERASE_CLEAR_LOCK_BIT	0x20
52 #define CFI_STATUS_LOCK_ERROR		CFI_STATUS_PROGRAM_LOCK_BIT |	\
53 					CFI_STATUS_PROTECT_BIT
54 #define CFI_STATUS_ERASE_ERROR		CFI_STATUS_ERASE_CLEAR_LOCK_BIT | \
55 					CFI_STATUS_PROGRAM_LOCK_BIT
56 #define CFI_STATUS_READY		0x80
57 
58 /*
59  * CFI query table contents, as far as it is constant.
60  * The dynamic information (size, etc.) will be generated on the fly.
61  */
62 #define CFI_GEOM_OFFSET				0x27
63 static const u8 cfi_query_table[] = {
64 		/* CFI query identification string */
65 	[0x10] = 'Q', 'R', 'Y',		/* ID string */
66 	0x01, 0x00,		/* primary command set: Intel/Sharp extended */
67 	0x31, 0x00,		/* address of primary extended query table */
68 	0x00, 0x00,		/* alternative command set: unused */
69 	0x00, 0x00,		/* address of alternative extended query table*/
70 		/* system interface information */
71 	[0x1b] = 0x45,			/* minimum Vcc voltage: 4.5V */
72 	0x55,			/* maximum Vcc voltage: 5.5V */
73 	0x00,			/* minimum Vpp voltage: 0.0V (unused) */
74 	0x00,			/* maximum Vpp voltage: 0.0V *(unused) */
75 	0x01,			/* timeout for single word program: 2 us */
76 	0x01,			/* timeout for multi-byte program: 2 us */
77 	0x01,			/* timeout for block erase: 2 ms */
78 	0x00,			/* timeout for full chip erase: not supported */
79 	0x00,			/* max timeout for single word program: 1x */
80 	0x00,			/* max timeout for mulit-byte program: 1x */
81 	0x00,			/* max timeout for block erase: 1x */
82 	0x00,			/* max timeout for chip erase: not supported */
83 		/* flash geometry information */
84 	[0x27] = 0x00,		/* size in power-of-2 bytes, filled later */
85 	0x05, 0x00,		/* interface description: 32 and 16 bits */
86 	PROGRAM_BUFF_SIZE_BITS_PER_CHIP, 0x00,
87 				/* number of bytes in write buffer */
88 	0x01,			/* one erase block region */
89 	0x00, 0x00, 0x00, 0x00, /* number and size of erase blocks, generated */
90 		/* Intel primary algorithm extended query table */
91 	[0x31] = 'P', 'R', 'I',
92 	'1', '0',		/* version 1.0 */
93 	0xa0, 0x00, 0x00, 0x00, /* optional features: instant lock & pm-read */
94 	0x00,			/* no functions after suspend */
95 	0x01, 0x00,		/* only lock bit supported */
96 	0x50,			/* best Vcc value: 5.0V */
97 	0x00,			/* best Vpp value: 0.0V (unused) */
98 	0x01,			/* number of protection register fields */
99 	0x00, 0x00, 0x00, 0x00,	/* protection field 1 description */
100 };
101 
102 /*
103  * Those states represent a subset of the CFI flash state machine.
104  */
105 enum cfi_flash_state {
106 	READY,
107 	LOCK_BLOCK_SETUP,
108 	WORD_PROGRAM,
109 	BUFFERED_PROGRAM_SETUP,
110 	BUFFER_WRITE,
111 	ERASE_BLOCK_SETUP,
112 };
113 
114 /*
115  * The device can be in several **Read** modes.
116  * We don't implement the asynchronous burst mode.
117  */
118 enum cfi_read_mode {
119 	READ_ARRAY,
120 	READ_STATUS_REG,
121 	READ_JEDEC_DEVID,
122 	READ_CFI_QUERY,
123 };
124 
125 struct cfi_flash_device {
126 	struct device_header	dev_hdr;
127 	/* Protects the CFI state machine variables in this data structure. */
128 	struct mutex		mutex;
129 	u64			base_addr;
130 	u32			size;
131 
132 	void			*flash_memory;
133 	u8			program_buffer[PROGRAM_BUFF_SIZE];
134 	unsigned long		*lock_bm;
135 	u64			block_address;
136 	unsigned int		buff_written;
137 	unsigned int		buffer_length;
138 
139 	enum cfi_flash_state	state;
140 	enum cfi_read_mode	read_mode;
141 	u8			sr;
142 };
143 
144 static int nr_erase_blocks(struct cfi_flash_device *sfdev)
145 {
146 	return sfdev->size / FLASH_BLOCK_SIZE;
147 }
148 
149 /*
150  * CFI queries always deal with one byte of information, possibly mirrored
151  * to other bytes on the bus. This is dealt with in the callers.
152  * The address provided is the one for 8-bit addressing, and would need to
153  * be adjusted for wider accesses.
154  */
155 static u8 read_cfi(struct cfi_flash_device *sfdev, u64 faddr)
156 {
157 	if (faddr > sizeof(cfi_query_table)) {
158 		pr_debug("CFI query read access beyond the end of table");
159 		return 0;
160 	}
161 
162 	/* Fixup dynamic information in the geometry part of the table. */
163 	switch (faddr) {
164 	case 0x27:		/* device size in bytes, power of two */
165 		return pow2_size(sfdev->size / CFI_NR_FLASH_CHIPS);
166 	case 0x2d + 0:	/* number of erase blocks, minus one */
167 		return (nr_erase_blocks(sfdev) - 1) & 0xff;
168 	case 0x2d + 1:
169 		return ((nr_erase_blocks(sfdev) - 1) >> 8) & 0xff;
170 	case 0x2d + 2:	/* erase block size, in units of 256 */
171 		return (FLASH_BLOCK_SIZE_PER_CHIP / 256) & 0xff;
172 	case 0x2d + 3:
173 		return ((FLASH_BLOCK_SIZE_PER_CHIP / 256) >> 8) & 0xff;
174 	}
175 
176 	return cfi_query_table[faddr];
177 }
178 
179 static bool block_is_locked(struct cfi_flash_device *sfdev, u64 faddr)
180 {
181 	int block_nr = faddr / FLASH_BLOCK_SIZE;
182 
183 	return test_bit(block_nr, sfdev->lock_bm);
184 }
185 
186 #define DEV_ID_MASK 0x7ff
187 static u16 read_dev_id(struct cfi_flash_device *sfdev, u64 faddr)
188 {
189 	switch ((faddr & DEV_ID_MASK) / CFI_BUS_WIDTH) {
190 	case 0x0:				/* vendor ID */
191 		return 0x0000;
192 	case 0x1:				/* device ID */
193 		return 0xffff;
194 	case 0x2:
195 		return block_is_locked(sfdev, faddr & ~DEV_ID_MASK);
196 	default:			/* Ignore the other entries. */
197 		return 0;
198 	}
199 }
200 
201 static void lock_block(struct cfi_flash_device *sfdev, u64 faddr, bool lock)
202 {
203 	int block_nr = faddr / FLASH_BLOCK_SIZE;
204 
205 	if (lock)
206 		set_bit(block_nr, sfdev->lock_bm);
207 	else
208 		clear_bit(block_nr, sfdev->lock_bm);
209 }
210 
211 static void word_program(struct cfi_flash_device *sfdev,
212 			 u64 faddr, void *data, int len)
213 {
214 	if (block_is_locked(sfdev, faddr)) {
215 		sfdev->sr |= CFI_STATUS_LOCK_ERROR;
216 		return;
217 	}
218 
219 	memcpy(sfdev->flash_memory + faddr, data, len);
220 }
221 
222 /* Reset the program buffer state to prepare for follow-up writes. */
223 static void buffer_setup(struct cfi_flash_device *sfdev)
224 {
225 	memset(sfdev->program_buffer, 0, sizeof(sfdev->program_buffer));
226 	sfdev->block_address = ~0ULL;
227 	sfdev->buff_written = 0;
228 }
229 
230 static bool buffer_write(struct cfi_flash_device *sfdev,
231 			 u64 faddr, void *buffer, int len)
232 {
233 	unsigned int buff_addr;
234 
235 	if (sfdev->buff_written >= sfdev->buffer_length)
236 		return false;
237 
238 	/*
239 	 * The first word written into the buffer after the setup command
240 	 * happens to be the base address for the buffer.
241 	 * All subsequent writes need to be within this address and this
242 	 * address plus the buffer size, so keep this value around.
243 	 */
244 	if (sfdev->block_address == ~0ULL)
245 		sfdev->block_address = faddr;
246 
247 	if (faddr < sfdev->block_address)
248 		return false;
249 	buff_addr = faddr - sfdev->block_address;
250 	if (buff_addr >= PROGRAM_BUFF_SIZE)
251 		return false;
252 
253 	memcpy(sfdev->program_buffer + buff_addr, buffer, len);
254 	sfdev->buff_written += len;
255 
256 	return true;
257 }
258 
259 static void buffer_confirm(struct cfi_flash_device *sfdev)
260 {
261 	if (block_is_locked(sfdev, sfdev->block_address)) {
262 		sfdev->sr |= CFI_STATUS_LOCK_ERROR;
263 		return;
264 	}
265 	memcpy(sfdev->flash_memory + sfdev->block_address,
266 	       sfdev->program_buffer, sfdev->buff_written);
267 }
268 
269 static void block_erase_confirm(struct cfi_flash_device *sfdev, u64 faddr)
270 {
271 	if (block_is_locked(sfdev, faddr)) {
272 		sfdev->sr |= CFI_STATUS_LOCK_ERROR;
273 		return;
274 	}
275 
276 	memset(sfdev->flash_memory + faddr, 0xff, FLASH_BLOCK_SIZE);
277 }
278 
279 static void cfi_flash_read(struct cfi_flash_device *sfdev,
280 			   u64 faddr, u8 *data, u32 len)
281 {
282 	u16 cfi_value = 0;
283 
284 	switch (sfdev->read_mode) {
285 	case READ_ARRAY:
286 		/* just copy the requested bytes from the array */
287 		memcpy(data, sfdev->flash_memory + faddr, len);
288 		return;
289 	case READ_STATUS_REG:
290 		cfi_value = sfdev->sr;
291 		break;
292 	case READ_JEDEC_DEVID:
293 		cfi_value = read_dev_id(sfdev, faddr);
294 		break;
295 	case READ_CFI_QUERY:
296 		cfi_value = read_cfi(sfdev, faddr / CFI_BUS_WIDTH);
297 		break;
298 	}
299 	switch (len) {
300 	case 1:
301 		*data = cfi_value;
302 		break;
303 	case 8: memset(data + 4, 0, 4);
304 		/* fall-through */
305 	case 4:
306 		if (CFI_NR_FLASH_CHIPS == 2)
307 			memcpy(data + 2, &cfi_value, 2);
308 		else
309 			memset(data + 2, 0, 2);
310 		/* fall-through */
311 	case 2:
312 		memcpy(data, &cfi_value, 2);
313 		break;
314 	default:
315 		pr_debug("CFI flash: illegal access length %d for read mode %d",
316 			 len, sfdev->read_mode);
317 		break;
318 	}
319 }
320 
321 /*
322  * Any writes happening in "READY" state don't actually write to the memory,
323  * but are really treated as commands to advance the state machine and select
324  * the next action.
325  * Change the state and modes according to the value written. The address
326  * that value is written to does not matter and is ignored.
327  */
328 static void cfi_flash_write_ready(struct cfi_flash_device *sfdev, u8 command)
329 {
330 	switch (command) {
331 	case CFI_CMD_READ_JEDEC_DEVID:
332 		sfdev->read_mode = READ_JEDEC_DEVID;
333 		break;
334 	case CFI_CMD_READ_STATUS_REG:
335 		sfdev->read_mode = READ_STATUS_REG;
336 		break;
337 	case CFI_CMD_READ_CFI_QUERY:
338 		sfdev->read_mode = READ_CFI_QUERY;
339 		break;
340 	case CFI_CMD_CLEAR_STATUS_REG:
341 		sfdev->sr = CFI_STATUS_READY;
342 		break;
343 	case CFI_CMD_WORD_PROGRAM:
344 	case CFI_CMD_ALTERNATE_WORD_PROGRAM:
345 		sfdev->state = WORD_PROGRAM;
346 		sfdev->read_mode = READ_STATUS_REG;
347 		break;
348 	case CFI_CMD_LOCK_BLOCK_SETUP:
349 		sfdev->state = LOCK_BLOCK_SETUP;
350 		break;
351 	case CFI_CMD_ERASE_BLOCK_SETUP:
352 		sfdev->state = ERASE_BLOCK_SETUP;
353 		sfdev->read_mode = READ_STATUS_REG;
354 		break;
355 	case CFI_CMD_BUFFERED_PROGRAM_SETUP:
356 		buffer_setup(sfdev);
357 		sfdev->state = BUFFERED_PROGRAM_SETUP;
358 		sfdev->read_mode = READ_STATUS_REG;
359 		break;
360 	case CFI_CMD_CONFIRM:
361 		pr_debug("CFI flash: unexpected confirm command 0xd0");
362 		break;
363 	default:
364 		pr_debug("CFI flash: unknown command 0x%x", command);
365 		/* fall-through */
366 	case CFI_CMD_READ_ARRAY:
367 		sfdev->read_mode = READ_ARRAY;
368 		break;
369 	}
370 }
371 
372 static void cfi_flash_write(struct cfi_flash_device *sfdev, u16 command,
373 			    u64 faddr, u8 *data, u32 len)
374 {
375 	switch (sfdev->state) {
376 	case READY:
377 		cfi_flash_write_ready(sfdev, command & 0xff);
378 		return;
379 	case LOCK_BLOCK_SETUP:
380 		switch (command & 0xff) {
381 		case CFI_CMD_LOCK_BLOCK:
382 			lock_block(sfdev, faddr, true);
383 			sfdev->read_mode = READ_STATUS_REG;
384 			break;
385 		case CFI_CMD_CONFIRM:
386 			lock_block(sfdev, faddr, false);
387 			sfdev->read_mode = READ_STATUS_REG;
388 			break;
389 		default:
390 			sfdev->sr |= CFI_STATUS_ERASE_ERROR;
391 			break;
392 		}
393 		sfdev->state = READY;
394 		break;
395 
396 	case WORD_PROGRAM:
397 		word_program(sfdev, faddr, data, len);
398 		sfdev->read_mode = READ_STATUS_REG;
399 		sfdev->state = READY;
400 		break;
401 
402 	case BUFFER_WRITE:
403 		if (buffer_write(sfdev, faddr, data, len))
404 			break;
405 
406 		if ((command & 0xff) == CFI_CMD_CONFIRM) {
407 			buffer_confirm(sfdev);
408 			sfdev->read_mode = READ_STATUS_REG;
409 		} else {
410 			pr_debug("CFI flash: BUFFER_WRITE: expected CONFIRM(0xd0), got 0x%x @ 0x%llx",
411 				 command, faddr);
412 			sfdev->sr |= CFI_STATUS_PROGRAM_LOCK_BIT;
413 		}
414 		sfdev->state = READY;
415 		break;
416 
417 	case BUFFERED_PROGRAM_SETUP:
418 		sfdev->buffer_length = (command + 1) * CFI_BUS_WIDTH;
419 		if (sfdev->buffer_length > PROGRAM_BUFF_SIZE)
420 			sfdev->buffer_length = PROGRAM_BUFF_SIZE;
421 		sfdev->state = BUFFER_WRITE;
422 		sfdev->read_mode = READ_STATUS_REG;
423 		break;
424 
425 	case ERASE_BLOCK_SETUP:
426 		if ((command & 0xff) == CFI_CMD_CONFIRM)
427 			block_erase_confirm(sfdev, faddr);
428 		else
429 			sfdev->sr |= CFI_STATUS_ERASE_ERROR;
430 
431 		sfdev->state = READY;
432 		sfdev->read_mode = READ_STATUS_REG;
433 		break;
434 	default:
435 		pr_debug("CFI flash: unexpected/unknown command 0x%x", command);
436 		break;
437 	}
438 }
439 
440 static void cfi_flash_mmio(struct kvm_cpu *vcpu,
441 			   u64 addr, u8 *data, u32 len, u8 is_write,
442 			   void *context)
443 {
444 	struct cfi_flash_device *sfdev = context;
445 	u64 faddr = addr - sfdev->base_addr;
446 	u32 value;
447 
448 	if (!is_write) {
449 		mutex_lock(&sfdev->mutex);
450 
451 		cfi_flash_read(sfdev, faddr, data, len);
452 
453 		mutex_unlock(&sfdev->mutex);
454 
455 		return;
456 	}
457 
458 	if (len > 4) {
459 		pr_info("CFI flash: MMIO %d-bit write access not supported",
460 			 len * 8);
461 		return;
462 	}
463 
464 	memcpy(&value, data, len);
465 
466 	mutex_lock(&sfdev->mutex);
467 
468 	cfi_flash_write(sfdev, value & 0xffff, faddr, data, len);
469 
470 	mutex_unlock(&sfdev->mutex);
471 }
472 
473 #ifdef CONFIG_HAS_LIBFDT
474 static void generate_cfi_flash_fdt_node(void *fdt,
475 					struct device_header *dev_hdr,
476 					void (*generate_irq_prop)(void *fdt,
477 								  u8 irq,
478 								enum irq_type))
479 {
480 	struct cfi_flash_device *sfdev;
481 	u64 reg_prop[2];
482 
483 	sfdev = container_of(dev_hdr, struct cfi_flash_device, dev_hdr);
484 	reg_prop[0] = cpu_to_fdt64(sfdev->base_addr);
485 	reg_prop[1] = cpu_to_fdt64(sfdev->size);
486 
487 	_FDT(fdt_begin_node(fdt, "flash"));
488 	_FDT(fdt_property_cell(fdt, "bank-width", CFI_BUS_WIDTH));
489 	_FDT(fdt_property_cell(fdt, "#address-cells", 0x1));
490 	_FDT(fdt_property_cell(fdt, "#size-cells", 0x1));
491 	_FDT(fdt_property_string(fdt, "compatible", "cfi-flash"));
492 	_FDT(fdt_property_string(fdt, "label", "System-firmware"));
493 	_FDT(fdt_property(fdt, "reg", &reg_prop, sizeof(reg_prop)));
494 	_FDT(fdt_end_node(fdt));
495 }
496 #else
497 #define generate_cfi_flash_fdt_node NULL
498 #endif
499 
500 static struct cfi_flash_device *create_flash_device_file(struct kvm *kvm,
501 							 const char *filename)
502 {
503 	struct cfi_flash_device *sfdev;
504 	struct stat statbuf;
505 	unsigned int value;
506 	int ret;
507 	int fd;
508 
509 	fd = open(filename, O_RDWR);
510 	if (fd < 0)
511 		return ERR_PTR(-errno);
512 
513 	if (fstat(fd, &statbuf) < 0) {
514 		ret = -errno;
515 		goto out_close;
516 	}
517 
518 	sfdev = malloc(sizeof(struct cfi_flash_device));
519 	if (!sfdev) {
520 		ret = -ENOMEM;
521 		goto out_close;
522 	}
523 
524 	sfdev->size = statbuf.st_size;
525 	/* Round down to nearest power-of-2 size value. */
526 	sfdev->size = 1U << (pow2_size(sfdev->size + 1) - 1);
527 	if (sfdev->size > KVM_FLASH_MAX_SIZE)
528 		sfdev->size = KVM_FLASH_MAX_SIZE;
529 	if (sfdev->size < statbuf.st_size) {
530 		pr_info("flash file size (%llu bytes) is not a power of two",
531 			(unsigned long long)statbuf.st_size);
532 		pr_info("only using first %u bytes", sfdev->size);
533 	}
534 	sfdev->flash_memory = mmap(NULL, sfdev->size,
535 				   PROT_READ | PROT_WRITE, MAP_SHARED,
536 				   fd, 0);
537 	if (sfdev->flash_memory == MAP_FAILED) {
538 		ret = -errno;
539 		goto out_free;
540 	}
541 	sfdev->base_addr = KVM_FLASH_MMIO_BASE;
542 	sfdev->state = READY;
543 	sfdev->read_mode = READ_ARRAY;
544 	sfdev->sr = CFI_STATUS_READY;
545 
546 	value = roundup(nr_erase_blocks(sfdev), BITS_PER_LONG) / 8;
547 	sfdev->lock_bm = malloc(value);
548 	memset(sfdev->lock_bm, 0, value);
549 
550 	sfdev->dev_hdr.bus_type = DEVICE_BUS_MMIO;
551 	sfdev->dev_hdr.data = generate_cfi_flash_fdt_node;
552 	mutex_init(&sfdev->mutex);
553 	ret = device__register(&sfdev->dev_hdr);
554 	if (ret)
555 		goto out_unmap;
556 
557 	ret = kvm__register_mmio(kvm,
558 				 sfdev->base_addr, sfdev->size,
559 				 false, cfi_flash_mmio, sfdev);
560 	if (ret) {
561 		device__unregister(&sfdev->dev_hdr);
562 		goto out_unmap;
563 	}
564 
565 	return sfdev;
566 
567 out_unmap:
568 	munmap(sfdev->flash_memory, sfdev->size);
569 out_free:
570 	free(sfdev);
571 out_close:
572 	close(fd);
573 
574 	return ERR_PTR(ret);
575 }
576 
577 static int cfi_flash__init(struct kvm *kvm)
578 {
579 	struct cfi_flash_device *sfdev;
580 
581 	BUILD_BUG_ON(CFI_NR_FLASH_CHIPS != 1 && CFI_NR_FLASH_CHIPS != 2);
582 
583 	if (!kvm->cfg.flash_filename)
584 		return 0;
585 
586 	sfdev = create_flash_device_file(kvm, kvm->cfg.flash_filename);
587 	if (IS_ERR(sfdev))
588 		return PTR_ERR(sfdev);
589 
590 	return 0;
591 }
592 dev_init(cfi_flash__init);
593