4 * Copyright(c) 2013 Intel Corporation.
5 * Copyright(c) 2015 Bryan O'Donoghue <pure.logic@nexus-software.ie>
7 * IMR registers define an isolated region of memory that can
8 * be masked to prohibit certain system agents from accessing memory.
9 * When a device behind a masked port performs an access - snooped or
10 * not, an IMR may optionally prevent that transaction from changing
11 * the state of memory or from getting correct data in response to the
14 * Write data will be dropped and reads will return 0xFFFFFFFF, the
15 * system will reset and system BIOS will print out an error message to
16 * inform the user that an IMR has been violated.
18 * This code is based on the Linux MTRR code and reference code from
19 * Intel's Quark BSP EFI, Linux and grub code.
21 * See quark-x1000-datasheet.pdf for register definitions.
22 * http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/quark-x1000-datasheet.pdf
25 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
27 #include <asm-generic/sections.h>
28 #include <asm/cpu_device_id.h>
30 #include <asm/iosf_mbi.h>
31 #include <linux/debugfs.h>
32 #include <linux/init.h>
34 #include <linux/module.h>
35 #include <linux/types.h>
45 static struct imr_device imr_dev;
48 * IMR read/write mask control registers.
49 * See quark-x1000-datasheet.pdf sections 12.7.4.5 and 12.7.4.6 for
55 * 23:2 1 KiB aligned lo address
60 * 23:2 1 KiB aligned hi address
63 #define IMR_LOCK BIT(31)
72 #define IMR_NUM_REGS (sizeof(struct imr_regs)/sizeof(u32))
74 #define imr_to_phys(x) ((x) << IMR_SHIFT)
75 #define phys_to_imr(x) ((x) >> IMR_SHIFT)
78 * imr_is_enabled - true if an IMR is enabled false otherwise.
80 * Determines if an IMR is enabled based on address range and read/write
81 * mask. An IMR set with an address range set to zero and a read/write
82 * access mask set to all is considered to be disabled. An IMR in any
83 * other state - for example set to zero but without read/write access
84 * all is considered to be enabled. This definition of disabled is how
85 * firmware switches off an IMR and is maintained in kernel for
88 * @imr: pointer to IMR descriptor.
89 * @return: true if IMR enabled false if disabled.
91 static inline int imr_is_enabled(struct imr_regs *imr)
93 return !(imr->rmask == IMR_READ_ACCESS_ALL &&
94 imr->wmask == IMR_WRITE_ACCESS_ALL &&
95 imr_to_phys(imr->addr_lo) == 0 &&
96 imr_to_phys(imr->addr_hi) == 0);
100 * imr_read - read an IMR at a given index.
102 * Requires caller to hold imr mutex.
104 * @idev: pointer to imr_device structure.
105 * @imr_id: IMR entry to read.
106 * @imr: IMR structure representing address and access masks.
107 * @return: 0 on success or error code passed from mbi_iosf on failure.
109 static int imr_read(struct imr_device *idev, u32 imr_id, struct imr_regs *imr)
111 u32 reg = imr_id * IMR_NUM_REGS + idev->reg_base;
114 ret = iosf_mbi_read(QRK_MBI_UNIT_MM, QRK_MBI_MM_READ,
115 reg++, &imr->addr_lo);
119 ret = iosf_mbi_read(QRK_MBI_UNIT_MM, QRK_MBI_MM_READ,
120 reg++, &imr->addr_hi);
124 ret = iosf_mbi_read(QRK_MBI_UNIT_MM, QRK_MBI_MM_READ,
129 ret = iosf_mbi_read(QRK_MBI_UNIT_MM, QRK_MBI_MM_READ,
138 * imr_write - write an IMR at a given index.
140 * Requires caller to hold imr mutex.
141 * Note lock bits need to be written independently of address bits.
143 * @idev: pointer to imr_device structure.
144 * @imr_id: IMR entry to write.
145 * @imr: IMR structure representing address and access masks.
146 * @lock: indicates if the IMR lock bit should be applied.
147 * @return: 0 on success or error code passed from mbi_iosf on failure.
149 static int imr_write(struct imr_device *idev, u32 imr_id,
150 struct imr_regs *imr, bool lock)
153 u32 reg = imr_id * IMR_NUM_REGS + idev->reg_base;
156 local_irq_save(flags);
158 ret = iosf_mbi_write(QRK_MBI_UNIT_MM, QRK_MBI_MM_WRITE, reg++,
163 ret = iosf_mbi_write(QRK_MBI_UNIT_MM, QRK_MBI_MM_WRITE,
164 reg++, imr->addr_hi);
168 ret = iosf_mbi_write(QRK_MBI_UNIT_MM, QRK_MBI_MM_WRITE,
173 ret = iosf_mbi_write(QRK_MBI_UNIT_MM, QRK_MBI_MM_WRITE,
178 /* Lock bit must be set separately to addr_lo address bits. */
180 imr->addr_lo |= IMR_LOCK;
181 ret = iosf_mbi_write(QRK_MBI_UNIT_MM, QRK_MBI_MM_WRITE,
182 reg - IMR_NUM_REGS, imr->addr_lo);
187 local_irq_restore(flags);
191 * If writing to the IOSF failed then we're in an unknown state,
192 * likely a very bad state. An IMR in an invalid state will almost
193 * certainly lead to a memory access violation.
195 local_irq_restore(flags);
196 WARN(ret, "IOSF-MBI write fail range 0x%08x-0x%08x unreliable\n",
197 imr_to_phys(imr->addr_lo), imr_to_phys(imr->addr_hi) + IMR_MASK);
203 * imr_dbgfs_state_show - print state of IMR registers.
205 * @s: pointer to seq_file for output.
206 * @unused: unused parameter.
207 * @return: 0 on success or error code passed from mbi_iosf on failure.
209 static int imr_dbgfs_state_show(struct seq_file *s, void *unused)
214 struct imr_device *idev = s->private;
219 mutex_lock(&idev->lock);
221 for (i = 0; i < idev->max_imr; i++) {
223 ret = imr_read(idev, i, &imr);
228 * Remember to add IMR_ALIGN bytes to size to indicate the
229 * inherent IMR_ALIGN size bytes contained in the masked away
232 if (imr_is_enabled(&imr)) {
233 base = imr_to_phys(imr.addr_lo);
234 end = imr_to_phys(imr.addr_hi) + IMR_MASK;
240 seq_printf(s, "imr%02i: base=%pa, end=%pa, size=0x%08zx "
241 "rmask=0x%08x, wmask=0x%08x, %s, %s\n", i,
242 &base, &end, size, imr.rmask, imr.wmask,
243 imr_is_enabled(&imr) ? "enabled " : "disabled",
244 imr.addr_lo & IMR_LOCK ? "locked" : "unlocked");
247 mutex_unlock(&idev->lock);
252 * imr_state_open - debugfs open callback.
254 * @inode: pointer to struct inode.
255 * @file: pointer to struct file.
256 * @return: result of single open.
258 static int imr_state_open(struct inode *inode, struct file *file)
260 return single_open(file, imr_dbgfs_state_show, inode->i_private);
263 static const struct file_operations imr_state_ops = {
264 .open = imr_state_open,
267 .release = single_release,
271 * imr_debugfs_register - register debugfs hooks.
273 * @idev: pointer to imr_device structure.
274 * @return: 0 on success - errno on failure.
276 static int imr_debugfs_register(struct imr_device *idev)
278 idev->file = debugfs_create_file("imr_state", S_IFREG | S_IRUGO, NULL,
279 idev, &imr_state_ops);
280 if (IS_ERR(idev->file))
281 return PTR_ERR(idev->file);
287 * imr_debugfs_unregister - unregister debugfs hooks.
289 * @idev: pointer to imr_device structure.
292 static void imr_debugfs_unregister(struct imr_device *idev)
294 debugfs_remove(idev->file);
298 * imr_check_params - check passed address range IMR alignment and non-zero size
300 * @base: base address of intended IMR.
301 * @size: size of intended IMR.
302 * @return: zero on valid range -EINVAL on unaligned base/size.
304 static int imr_check_params(phys_addr_t base, size_t size)
306 if ((base & IMR_MASK) || (size & IMR_MASK)) {
307 pr_err("base %pa size 0x%08zx must align to 1KiB\n",
318 * imr_raw_size - account for the IMR_ALIGN bytes that addr_hi appends.
320 * IMR addr_hi has a built in offset of plus IMR_ALIGN (0x400) bytes from the
321 * value in the register. We need to subtract IMR_ALIGN bytes from input sizes
324 * @size: input size bytes.
325 * @return: reduced size.
327 static inline size_t imr_raw_size(size_t size)
329 return size - IMR_ALIGN;
333 * imr_address_overlap - detects an address overlap.
335 * @addr: address to check against an existing IMR.
336 * @imr: imr being checked.
337 * @return: true for overlap false for no overlap.
339 static inline int imr_address_overlap(phys_addr_t addr, struct imr_regs *imr)
341 return addr >= imr_to_phys(imr->addr_lo) && addr <= imr_to_phys(imr->addr_hi);
345 * imr_add_range - add an Isolated Memory Region.
347 * @base: physical base address of region aligned to 1KiB.
348 * @size: physical size of region in bytes must be aligned to 1KiB.
349 * @read_mask: read access mask.
350 * @write_mask: write access mask.
351 * @lock: indicates whether or not to permanently lock this region.
352 * @return: zero on success or negative value indicating error.
354 int imr_add_range(phys_addr_t base, size_t size,
355 unsigned int rmask, unsigned int wmask, bool lock)
359 struct imr_device *idev = &imr_dev;
365 if (WARN_ONCE(idev->init == false, "driver not initialized"))
368 ret = imr_check_params(base, size);
372 /* Tweak the size value. */
373 raw_size = imr_raw_size(size);
374 end = base + raw_size;
377 * Check for reserved IMR value common to firmware, kernel and grub
378 * indicating a disabled IMR.
380 imr.addr_lo = phys_to_imr(base);
381 imr.addr_hi = phys_to_imr(end);
384 if (!imr_is_enabled(&imr))
387 mutex_lock(&idev->lock);
390 * Find a free IMR while checking for an existing overlapping range.
391 * Note there's no restriction in silicon to prevent IMR overlaps.
392 * For the sake of simplicity and ease in defining/debugging an IMR
393 * memory map we exclude IMR overlaps.
396 for (i = 0; i < idev->max_imr; i++) {
397 ret = imr_read(idev, i, &imr);
401 /* Find overlap @ base or end of requested range. */
403 if (imr_is_enabled(&imr)) {
404 if (imr_address_overlap(base, &imr))
406 if (imr_address_overlap(end, &imr))
413 /* Error out if we have no free IMR entries. */
419 pr_debug("add %d phys %pa-%pa size %zx mask 0x%08x wmask 0x%08x\n",
420 reg, &base, &end, raw_size, rmask, wmask);
422 /* Enable IMR at specified range and access mask. */
423 imr.addr_lo = phys_to_imr(base);
424 imr.addr_hi = phys_to_imr(end);
428 ret = imr_write(idev, reg, &imr, lock);
431 * In the highly unlikely event iosf_mbi_write failed
432 * attempt to rollback the IMR setup skipping the trapping
433 * of further IOSF write failures.
437 imr.rmask = IMR_READ_ACCESS_ALL;
438 imr.wmask = IMR_WRITE_ACCESS_ALL;
439 imr_write(idev, reg, &imr, false);
442 mutex_unlock(&idev->lock);
445 EXPORT_SYMBOL_GPL(imr_add_range);
448 * __imr_remove_range - delete an Isolated Memory Region.
450 * This function allows you to delete an IMR by its index specified by reg or
451 * by address range specified by base and size respectively. If you specify an
452 * index on its own the base and size parameters are ignored.
453 * imr_remove_range(0, base, size); delete IMR at index 0 base/size ignored.
454 * imr_remove_range(-1, base, size); delete IMR from base to base+size.
456 * @reg: imr index to remove.
457 * @base: physical base address of region aligned to 1 KiB.
458 * @size: physical size of region in bytes aligned to 1 KiB.
459 * @return: -EINVAL on invalid range or out or range id
460 * -ENODEV if reg is valid but no IMR exists or is locked
463 static int __imr_remove_range(int reg, phys_addr_t base, size_t size)
468 struct imr_device *idev = &imr_dev;
473 if (WARN_ONCE(idev->init == false, "driver not initialized"))
477 * Validate address range if deleting by address, else we are
478 * deleting by index where base and size will be ignored.
481 ret = imr_check_params(base, size);
486 /* Tweak the size value. */
487 raw_size = imr_raw_size(size);
488 end = base + raw_size;
490 mutex_lock(&idev->lock);
493 /* If a specific IMR is given try to use it. */
494 ret = imr_read(idev, reg, &imr);
498 if (!imr_is_enabled(&imr) || imr.addr_lo & IMR_LOCK) {
504 /* Search for match based on address range. */
505 for (i = 0; i < idev->max_imr; i++) {
506 ret = imr_read(idev, i, &imr);
510 if (!imr_is_enabled(&imr) || imr.addr_lo & IMR_LOCK)
513 if ((imr_to_phys(imr.addr_lo) == base) &&
514 (imr_to_phys(imr.addr_hi) == end)) {
527 pr_debug("remove %d phys %pa-%pa size %zx\n", reg, &base, &end, raw_size);
529 /* Tear down the IMR. */
532 imr.rmask = IMR_READ_ACCESS_ALL;
533 imr.wmask = IMR_WRITE_ACCESS_ALL;
535 ret = imr_write(idev, reg, &imr, false);
538 mutex_unlock(&idev->lock);
543 * imr_remove_range - delete an Isolated Memory Region by address
545 * This function allows you to delete an IMR by an address range specified
546 * by base and size respectively.
547 * imr_remove_range(base, size); delete IMR from base to base+size.
549 * @base: physical base address of region aligned to 1 KiB.
550 * @size: physical size of region in bytes aligned to 1 KiB.
551 * @return: -EINVAL on invalid range or out or range id
552 * -ENODEV if reg is valid but no IMR exists or is locked
555 int imr_remove_range(phys_addr_t base, size_t size)
557 return __imr_remove_range(-1, base, size);
559 EXPORT_SYMBOL_GPL(imr_remove_range);
562 * imr_clear - delete an Isolated Memory Region by index
564 * This function allows you to delete an IMR by an address range specified
565 * by the index of the IMR. Useful for initial sanitization of the IMR
567 * imr_ge(base, size); delete IMR from base to base+size.
569 * @reg: imr index to remove.
570 * @return: -EINVAL on invalid range or out or range id
571 * -ENODEV if reg is valid but no IMR exists or is locked
574 static inline int imr_clear(int reg)
576 return __imr_remove_range(reg, 0, 0);
580 * imr_fixup_memmap - Tear down IMRs used during bootup.
582 * BIOS and Grub both setup IMRs around compressed kernel, initrd memory
583 * that need to be removed before the kernel hands out one of the IMR
584 * encased addresses to a downstream DMA agent such as the SD or Ethernet.
585 * IMRs on Galileo are setup to immediately reset the system on violation.
586 * As a result if you're running a root filesystem from SD - you'll need
587 * the boot-time IMRs torn down or you'll find seemingly random resets when
588 * using your filesystem.
590 * @idev: pointer to imr_device structure.
593 static void __init imr_fixup_memmap(struct imr_device *idev)
595 phys_addr_t base = virt_to_phys(&_text);
596 size_t size = virt_to_phys(&__end_rodata) - base;
600 /* Tear down all existing unlocked IMRs. */
601 for (i = 0; i < idev->max_imr; i++)
605 * Setup a locked IMR around the physical extent of the kernel
606 * from the beginning of the .text secton to the end of the
607 * .rodata section as one physically contiguous block.
609 ret = imr_add_range(base, size, IMR_CPU, IMR_CPU, true);
611 pr_err("unable to setup IMR for kernel: (%p - %p)\n",
612 &_text, &__end_rodata);
614 pr_info("protecting kernel .text - .rodata: %zu KiB (%p - %p)\n",
615 size / 1024, &_text, &__end_rodata);
620 static const struct x86_cpu_id imr_ids[] __initconst = {
621 { X86_VENDOR_INTEL, 5, 9 }, /* Intel Quark SoC X1000. */
624 MODULE_DEVICE_TABLE(x86cpu, imr_ids);
627 * imr_init - entry point for IMR driver.
629 * return: -ENODEV for no IMR support 0 if good to go.
631 static int __init imr_init(void)
633 struct imr_device *idev = &imr_dev;
636 if (!x86_match_cpu(imr_ids) || !iosf_mbi_available())
639 idev->max_imr = QUARK_X1000_IMR_MAX;
640 idev->reg_base = QUARK_X1000_IMR_REGBASE;
643 mutex_init(&idev->lock);
644 ret = imr_debugfs_register(idev);
646 pr_warn("debugfs register failed!\n");
647 imr_fixup_memmap(idev);
652 * imr_exit - exit point for IMR code.
654 * Deregisters debugfs, leave IMR state as-is.
658 static void __exit imr_exit(void)
660 imr_debugfs_unregister(&imr_dev);
663 module_init(imr_init);
664 module_exit(imr_exit);
666 MODULE_AUTHOR("Bryan O'Donoghue <pure.logic@nexus-software.ie>");
667 MODULE_DESCRIPTION("Intel Isolated Memory Region driver");
668 MODULE_LICENSE("Dual BSD/GPL");