1 // SPDX-License-Identifier: MIT
2 /*
3  * Copyright © 2016-2019 Intel Corporation
4  */
5 
6 #include <linux/types.h>
7 
8 #include "gt/intel_gt.h"
9 #include "intel_guc_reg.h"
10 #include "intel_huc.h"
11 #include "i915_drv.h"
12 
13 #include <linux/device/bus.h>
14 #include <linux/mei_aux.h>
15 
16 /**
17  * DOC: HuC
18  *
19  * The HuC is a dedicated microcontroller for usage in media HEVC (High
20  * Efficiency Video Coding) operations. Userspace can directly use the firmware
21  * capabilities by adding HuC specific commands to batch buffers.
22  *
23  * The kernel driver is only responsible for loading the HuC firmware and
24  * triggering its security authentication, which is performed by the GuC on
25  * older platforms and by the GSC on newer ones. For the GuC to correctly
26  * perform the authentication, the HuC binary must be loaded before the GuC one.
27  * Loading the HuC is optional; however, not using the HuC might negatively
28  * impact power usage and/or performance of media workloads, depending on the
29  * use-cases.
30  * HuC must be reloaded on events that cause the WOPCM to lose its contents
31  * (S3/S4, FLR); GuC-authenticated HuC must also be reloaded on GuC/GT reset,
32  * while GSC-managed HuC will survive that.
33  *
34  * See https://github.com/intel/media-driver for the latest details on HuC
35  * functionality.
36  */
37 
38 /**
39  * DOC: HuC Memory Management
40  *
41  * Similarly to the GuC, the HuC can't do any memory allocations on its own,
42  * with the difference being that the allocations for HuC usage are handled by
43  * the userspace driver instead of the kernel one. The HuC accesses the memory
44  * via the PPGTT belonging to the context loaded on the VCS executing the
45  * HuC-specific commands.
46  */
47 
48 /*
49  * MEI-GSC load is an async process. The probing of the exposed aux device
50  * (see intel_gsc.c) usually happens a few seconds after i915 probe, depending
51  * on when the kernel schedules it. Unless something goes terribly wrong, we're
52  * guaranteed for this to happen during boot, so the big timeout is a safety net
53  * that we never expect to need.
54  * MEI-PXP + HuC load usually takes ~300ms, but if the GSC needs to be resumed
55  * and/or reset, this can take longer. Note that the kernel might schedule
56  * other work between the i915 init/resume and the MEI one, which can add to
57  * the delay.
58  */
59 #define GSC_INIT_TIMEOUT_MS 10000
60 #define PXP_INIT_TIMEOUT_MS 5000
61 
sw_fence_dummy_notify(struct i915_sw_fence * sf,enum i915_sw_fence_notify state)62 static int sw_fence_dummy_notify(struct i915_sw_fence *sf,
63 				 enum i915_sw_fence_notify state)
64 {
65 	return NOTIFY_DONE;
66 }
67 
__delayed_huc_load_complete(struct intel_huc * huc)68 static void __delayed_huc_load_complete(struct intel_huc *huc)
69 {
70 	if (!i915_sw_fence_done(&huc->delayed_load.fence))
71 		i915_sw_fence_complete(&huc->delayed_load.fence);
72 }
73 
delayed_huc_load_complete(struct intel_huc * huc)74 static void delayed_huc_load_complete(struct intel_huc *huc)
75 {
76 	hrtimer_cancel(&huc->delayed_load.timer);
77 	__delayed_huc_load_complete(huc);
78 }
79 
__gsc_init_error(struct intel_huc * huc)80 static void __gsc_init_error(struct intel_huc *huc)
81 {
82 	huc->delayed_load.status = INTEL_HUC_DELAYED_LOAD_ERROR;
83 	__delayed_huc_load_complete(huc);
84 }
85 
gsc_init_error(struct intel_huc * huc)86 static void gsc_init_error(struct intel_huc *huc)
87 {
88 	hrtimer_cancel(&huc->delayed_load.timer);
89 	__gsc_init_error(huc);
90 }
91 
gsc_init_done(struct intel_huc * huc)92 static void gsc_init_done(struct intel_huc *huc)
93 {
94 	hrtimer_cancel(&huc->delayed_load.timer);
95 
96 	/* MEI-GSC init is done, now we wait for MEI-PXP to bind */
97 	huc->delayed_load.status = INTEL_HUC_WAITING_ON_PXP;
98 	if (!i915_sw_fence_done(&huc->delayed_load.fence))
99 		hrtimer_start(&huc->delayed_load.timer,
100 			      ms_to_ktime(PXP_INIT_TIMEOUT_MS),
101 			      HRTIMER_MODE_REL);
102 }
103 
huc_delayed_load_timer_callback(struct hrtimer * hrtimer)104 static enum hrtimer_restart huc_delayed_load_timer_callback(struct hrtimer *hrtimer)
105 {
106 	struct intel_huc *huc = container_of(hrtimer, struct intel_huc, delayed_load.timer);
107 
108 	if (!intel_huc_is_authenticated(huc)) {
109 		if (huc->delayed_load.status == INTEL_HUC_WAITING_ON_GSC)
110 			drm_notice(&huc_to_gt(huc)->i915->drm,
111 				   "timed out waiting for MEI GSC init to load HuC\n");
112 		else if (huc->delayed_load.status == INTEL_HUC_WAITING_ON_PXP)
113 			drm_notice(&huc_to_gt(huc)->i915->drm,
114 				   "timed out waiting for MEI PXP init to load HuC\n");
115 		else
116 			MISSING_CASE(huc->delayed_load.status);
117 
118 		__gsc_init_error(huc);
119 	}
120 
121 	return HRTIMER_NORESTART;
122 }
123 
huc_delayed_load_start(struct intel_huc * huc)124 static void huc_delayed_load_start(struct intel_huc *huc)
125 {
126 	ktime_t delay;
127 
128 	GEM_BUG_ON(intel_huc_is_authenticated(huc));
129 
130 	/*
131 	 * On resume we don't have to wait for MEI-GSC to be re-probed, but we
132 	 * do need to wait for MEI-PXP to reset & re-bind
133 	 */
134 	switch (huc->delayed_load.status) {
135 	case INTEL_HUC_WAITING_ON_GSC:
136 		delay = ms_to_ktime(GSC_INIT_TIMEOUT_MS);
137 		break;
138 	case INTEL_HUC_WAITING_ON_PXP:
139 		delay = ms_to_ktime(PXP_INIT_TIMEOUT_MS);
140 		break;
141 	default:
142 		gsc_init_error(huc);
143 		return;
144 	}
145 
146 	/*
147 	 * This fence is always complete unless we're waiting for the
148 	 * GSC device to come up to load the HuC. We arm the fence here
149 	 * and complete it when we confirm that the HuC is loaded from
150 	 * the PXP bind callback.
151 	 */
152 	GEM_BUG_ON(!i915_sw_fence_done(&huc->delayed_load.fence));
153 	i915_sw_fence_fini(&huc->delayed_load.fence);
154 	i915_sw_fence_reinit(&huc->delayed_load.fence);
155 	i915_sw_fence_await(&huc->delayed_load.fence);
156 	i915_sw_fence_commit(&huc->delayed_load.fence);
157 
158 	hrtimer_start(&huc->delayed_load.timer, delay, HRTIMER_MODE_REL);
159 }
160 
gsc_notifier(struct notifier_block * nb,unsigned long action,void * data)161 static int gsc_notifier(struct notifier_block *nb, unsigned long action, void *data)
162 {
163 	struct device *dev = data;
164 	struct intel_huc *huc = container_of(nb, struct intel_huc, delayed_load.nb);
165 	struct intel_gsc_intf *intf = &huc_to_gt(huc)->gsc.intf[0];
166 
167 	if (!intf->adev || &intf->adev->aux_dev.dev != dev)
168 		return 0;
169 
170 	switch (action) {
171 	case BUS_NOTIFY_BOUND_DRIVER: /* mei driver bound to aux device */
172 		gsc_init_done(huc);
173 		break;
174 
175 	case BUS_NOTIFY_DRIVER_NOT_BOUND: /* mei driver fails to be bound */
176 	case BUS_NOTIFY_UNBIND_DRIVER: /* mei driver about to be unbound */
177 		drm_info(&huc_to_gt(huc)->i915->drm,
178 			 "mei driver not bound, disabling HuC load\n");
179 		gsc_init_error(huc);
180 		break;
181 	}
182 
183 	return 0;
184 }
185 
intel_huc_register_gsc_notifier(struct intel_huc * huc,struct bus_type * bus)186 void intel_huc_register_gsc_notifier(struct intel_huc *huc, struct bus_type *bus)
187 {
188 	int ret;
189 
190 	if (!intel_huc_is_loaded_by_gsc(huc))
191 		return;
192 
193 	huc->delayed_load.nb.notifier_call = gsc_notifier;
194 	ret = bus_register_notifier(bus, &huc->delayed_load.nb);
195 	if (ret) {
196 		drm_err(&huc_to_gt(huc)->i915->drm,
197 			"failed to register GSC notifier\n");
198 		huc->delayed_load.nb.notifier_call = NULL;
199 		gsc_init_error(huc);
200 	}
201 }
202 
intel_huc_unregister_gsc_notifier(struct intel_huc * huc,struct bus_type * bus)203 void intel_huc_unregister_gsc_notifier(struct intel_huc *huc, struct bus_type *bus)
204 {
205 	if (!huc->delayed_load.nb.notifier_call)
206 		return;
207 
208 	delayed_huc_load_complete(huc);
209 
210 	bus_unregister_notifier(bus, &huc->delayed_load.nb);
211 	huc->delayed_load.nb.notifier_call = NULL;
212 }
213 
delayed_huc_load_init(struct intel_huc * huc)214 static void delayed_huc_load_init(struct intel_huc *huc)
215 {
216 	/*
217 	 * Initialize fence to be complete as this is expected to be complete
218 	 * unless there is a delayed HuC load in progress.
219 	 */
220 	i915_sw_fence_init(&huc->delayed_load.fence,
221 			   sw_fence_dummy_notify);
222 	i915_sw_fence_commit(&huc->delayed_load.fence);
223 
224 	hrtimer_init(&huc->delayed_load.timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
225 	huc->delayed_load.timer.function = huc_delayed_load_timer_callback;
226 }
227 
delayed_huc_load_fini(struct intel_huc * huc)228 static void delayed_huc_load_fini(struct intel_huc *huc)
229 {
230 	/*
231 	 * the fence is initialized in init_early, so we need to clean it up
232 	 * even if HuC loading is off.
233 	 */
234 	delayed_huc_load_complete(huc);
235 	i915_sw_fence_fini(&huc->delayed_load.fence);
236 }
237 
vcs_supported(struct intel_gt * gt)238 static bool vcs_supported(struct intel_gt *gt)
239 {
240 	intel_engine_mask_t mask = gt->info.engine_mask;
241 
242 	/*
243 	 * We reach here from i915_driver_early_probe for the primary GT before
244 	 * its engine mask is set, so we use the device info engine mask for it;
245 	 * this means we're not taking VCS fusing into account, but if the
246 	 * primary GT supports VCS engines we expect at least one of them to
247 	 * remain unfused so we're fine.
248 	 * For other GTs we expect the GT-specific mask to be set before we
249 	 * call this function.
250 	 */
251 	GEM_BUG_ON(!gt_is_root(gt) && !gt->info.engine_mask);
252 
253 	if (gt_is_root(gt))
254 		mask = RUNTIME_INFO(gt->i915)->platform_engine_mask;
255 	else
256 		mask = gt->info.engine_mask;
257 
258 	return __ENGINE_INSTANCES_MASK(mask, VCS0, I915_MAX_VCS);
259 }
260 
intel_huc_init_early(struct intel_huc * huc)261 void intel_huc_init_early(struct intel_huc *huc)
262 {
263 	struct drm_i915_private *i915 = huc_to_gt(huc)->i915;
264 	struct intel_gt *gt = huc_to_gt(huc);
265 
266 	intel_uc_fw_init_early(&huc->fw, INTEL_UC_FW_TYPE_HUC);
267 
268 	/*
269 	 * we always init the fence as already completed, even if HuC is not
270 	 * supported. This way we don't have to distinguish between HuC not
271 	 * supported/disabled or already loaded, and can focus on if the load
272 	 * is currently in progress (fence not complete) or not, which is what
273 	 * we care about for stalling userspace submissions.
274 	 */
275 	delayed_huc_load_init(huc);
276 
277 	if (!vcs_supported(gt)) {
278 		intel_uc_fw_change_status(&huc->fw, INTEL_UC_FIRMWARE_NOT_SUPPORTED);
279 		return;
280 	}
281 
282 	if (GRAPHICS_VER(i915) >= 11) {
283 		huc->status.reg = GEN11_HUC_KERNEL_LOAD_INFO;
284 		huc->status.mask = HUC_LOAD_SUCCESSFUL;
285 		huc->status.value = HUC_LOAD_SUCCESSFUL;
286 	} else {
287 		huc->status.reg = HUC_STATUS2;
288 		huc->status.mask = HUC_FW_VERIFIED;
289 		huc->status.value = HUC_FW_VERIFIED;
290 	}
291 }
292 
293 #define HUC_LOAD_MODE_STRING(x) (x ? "GSC" : "legacy")
check_huc_loading_mode(struct intel_huc * huc)294 static int check_huc_loading_mode(struct intel_huc *huc)
295 {
296 	struct intel_gt *gt = huc_to_gt(huc);
297 	bool fw_needs_gsc = intel_huc_is_loaded_by_gsc(huc);
298 	bool hw_uses_gsc = false;
299 
300 	/*
301 	 * The fuse for HuC load via GSC is only valid on platforms that have
302 	 * GuC deprivilege.
303 	 */
304 	if (HAS_GUC_DEPRIVILEGE(gt->i915))
305 		hw_uses_gsc = intel_uncore_read(gt->uncore, GUC_SHIM_CONTROL2) &
306 			      GSC_LOADS_HUC;
307 
308 	if (fw_needs_gsc != hw_uses_gsc) {
309 		drm_err(&gt->i915->drm,
310 			"mismatch between HuC FW (%s) and HW (%s) load modes\n",
311 			HUC_LOAD_MODE_STRING(fw_needs_gsc),
312 			HUC_LOAD_MODE_STRING(hw_uses_gsc));
313 		return -ENOEXEC;
314 	}
315 
316 	/* make sure we can access the GSC via the mei driver if we need it */
317 	if (!(IS_ENABLED(CONFIG_INTEL_MEI_PXP) && IS_ENABLED(CONFIG_INTEL_MEI_GSC)) &&
318 	    fw_needs_gsc) {
319 		drm_info(&gt->i915->drm,
320 			 "Can't load HuC due to missing MEI modules\n");
321 		return -EIO;
322 	}
323 
324 	drm_dbg(&gt->i915->drm, "GSC loads huc=%s\n", str_yes_no(fw_needs_gsc));
325 
326 	return 0;
327 }
328 
intel_huc_init(struct intel_huc * huc)329 int intel_huc_init(struct intel_huc *huc)
330 {
331 	struct drm_i915_private *i915 = huc_to_gt(huc)->i915;
332 	int err;
333 
334 	err = check_huc_loading_mode(huc);
335 	if (err)
336 		goto out;
337 
338 	err = intel_uc_fw_init(&huc->fw);
339 	if (err)
340 		goto out;
341 
342 	intel_uc_fw_change_status(&huc->fw, INTEL_UC_FIRMWARE_LOADABLE);
343 
344 	return 0;
345 
346 out:
347 	intel_uc_fw_change_status(&huc->fw, INTEL_UC_FIRMWARE_INIT_FAIL);
348 	drm_info(&i915->drm, "HuC init failed with %d\n", err);
349 	return err;
350 }
351 
intel_huc_fini(struct intel_huc * huc)352 void intel_huc_fini(struct intel_huc *huc)
353 {
354 	/*
355 	 * the fence is initialized in init_early, so we need to clean it up
356 	 * even if HuC loading is off.
357 	 */
358 	delayed_huc_load_fini(huc);
359 
360 	if (intel_uc_fw_is_loadable(&huc->fw))
361 		intel_uc_fw_fini(&huc->fw);
362 }
363 
intel_huc_suspend(struct intel_huc * huc)364 void intel_huc_suspend(struct intel_huc *huc)
365 {
366 	if (!intel_uc_fw_is_loadable(&huc->fw))
367 		return;
368 
369 	/*
370 	 * in the unlikely case that we're suspending before the GSC has
371 	 * completed its loading sequence, just stop waiting. We'll restart
372 	 * on resume.
373 	 */
374 	delayed_huc_load_complete(huc);
375 }
376 
intel_huc_wait_for_auth_complete(struct intel_huc * huc)377 int intel_huc_wait_for_auth_complete(struct intel_huc *huc)
378 {
379 	struct intel_gt *gt = huc_to_gt(huc);
380 	int ret;
381 
382 	ret = __intel_wait_for_register(gt->uncore,
383 					huc->status.reg,
384 					huc->status.mask,
385 					huc->status.value,
386 					2, 50, NULL);
387 
388 	/* mark the load process as complete even if the wait failed */
389 	delayed_huc_load_complete(huc);
390 
391 	if (ret) {
392 		drm_err(&gt->i915->drm, "HuC: Firmware not verified %d\n", ret);
393 		intel_uc_fw_change_status(&huc->fw, INTEL_UC_FIRMWARE_LOAD_FAIL);
394 		return ret;
395 	}
396 
397 	intel_uc_fw_change_status(&huc->fw, INTEL_UC_FIRMWARE_RUNNING);
398 	drm_info(&gt->i915->drm, "HuC authenticated\n");
399 	return 0;
400 }
401 
402 /**
403  * intel_huc_auth() - Authenticate HuC uCode
404  * @huc: intel_huc structure
405  *
406  * Called after HuC and GuC firmware loading during intel_uc_init_hw().
407  *
408  * This function invokes the GuC action to authenticate the HuC firmware,
409  * passing the offset of the RSA signature to intel_guc_auth_huc(). It then
410  * waits for up to 50ms for firmware verification ACK.
411  */
intel_huc_auth(struct intel_huc * huc)412 int intel_huc_auth(struct intel_huc *huc)
413 {
414 	struct intel_gt *gt = huc_to_gt(huc);
415 	struct intel_guc *guc = &gt->uc.guc;
416 	int ret;
417 
418 	if (!intel_uc_fw_is_loaded(&huc->fw))
419 		return -ENOEXEC;
420 
421 	/* GSC will do the auth */
422 	if (intel_huc_is_loaded_by_gsc(huc))
423 		return -ENODEV;
424 
425 	ret = i915_inject_probe_error(gt->i915, -ENXIO);
426 	if (ret)
427 		goto fail;
428 
429 	GEM_BUG_ON(intel_uc_fw_is_running(&huc->fw));
430 
431 	ret = intel_guc_auth_huc(guc, intel_guc_ggtt_offset(guc, huc->fw.rsa_data));
432 	if (ret) {
433 		DRM_ERROR("HuC: GuC did not ack Auth request %d\n", ret);
434 		goto fail;
435 	}
436 
437 	/* Check authentication status, it should be done by now */
438 	ret = intel_huc_wait_for_auth_complete(huc);
439 	if (ret)
440 		goto fail;
441 
442 	return 0;
443 
444 fail:
445 	i915_probe_error(gt->i915, "HuC: Authentication failed %d\n", ret);
446 	return ret;
447 }
448 
intel_huc_is_authenticated(struct intel_huc * huc)449 bool intel_huc_is_authenticated(struct intel_huc *huc)
450 {
451 	struct intel_gt *gt = huc_to_gt(huc);
452 	intel_wakeref_t wakeref;
453 	u32 status = 0;
454 
455 	with_intel_runtime_pm(gt->uncore->rpm, wakeref)
456 		status = intel_uncore_read(gt->uncore, huc->status.reg);
457 
458 	return (status & huc->status.mask) == huc->status.value;
459 }
460 
461 /**
462  * intel_huc_check_status() - check HuC status
463  * @huc: intel_huc structure
464  *
465  * This function reads status register to verify if HuC
466  * firmware was successfully loaded.
467  *
468  * The return values match what is expected for the I915_PARAM_HUC_STATUS
469  * getparam.
470  */
intel_huc_check_status(struct intel_huc * huc)471 int intel_huc_check_status(struct intel_huc *huc)
472 {
473 	switch (__intel_uc_fw_status(&huc->fw)) {
474 	case INTEL_UC_FIRMWARE_NOT_SUPPORTED:
475 		return -ENODEV;
476 	case INTEL_UC_FIRMWARE_DISABLED:
477 		return -EOPNOTSUPP;
478 	case INTEL_UC_FIRMWARE_MISSING:
479 		return -ENOPKG;
480 	case INTEL_UC_FIRMWARE_ERROR:
481 		return -ENOEXEC;
482 	case INTEL_UC_FIRMWARE_INIT_FAIL:
483 		return -ENOMEM;
484 	case INTEL_UC_FIRMWARE_LOAD_FAIL:
485 		return -EIO;
486 	default:
487 		break;
488 	}
489 
490 	return intel_huc_is_authenticated(huc);
491 }
492 
huc_has_delayed_load(struct intel_huc * huc)493 static bool huc_has_delayed_load(struct intel_huc *huc)
494 {
495 	return intel_huc_is_loaded_by_gsc(huc) &&
496 	       (huc->delayed_load.status != INTEL_HUC_DELAYED_LOAD_ERROR);
497 }
498 
intel_huc_update_auth_status(struct intel_huc * huc)499 void intel_huc_update_auth_status(struct intel_huc *huc)
500 {
501 	if (!intel_uc_fw_is_loadable(&huc->fw))
502 		return;
503 
504 	if (intel_huc_is_authenticated(huc))
505 		intel_uc_fw_change_status(&huc->fw,
506 					  INTEL_UC_FIRMWARE_RUNNING);
507 	else if (huc_has_delayed_load(huc))
508 		huc_delayed_load_start(huc);
509 }
510 
511 /**
512  * intel_huc_load_status - dump information about HuC load status
513  * @huc: the HuC
514  * @p: the &drm_printer
515  *
516  * Pretty printer for HuC load status.
517  */
intel_huc_load_status(struct intel_huc * huc,struct drm_printer * p)518 void intel_huc_load_status(struct intel_huc *huc, struct drm_printer *p)
519 {
520 	struct intel_gt *gt = huc_to_gt(huc);
521 	intel_wakeref_t wakeref;
522 
523 	if (!intel_huc_is_supported(huc)) {
524 		drm_printf(p, "HuC not supported\n");
525 		return;
526 	}
527 
528 	if (!intel_huc_is_wanted(huc)) {
529 		drm_printf(p, "HuC disabled\n");
530 		return;
531 	}
532 
533 	intel_uc_fw_dump(&huc->fw, p);
534 
535 	with_intel_runtime_pm(gt->uncore->rpm, wakeref)
536 		drm_printf(p, "HuC status: 0x%08x\n",
537 			   intel_uncore_read(gt->uncore, huc->status.reg));
538 }
539