search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
avocado/ppc_74xx.py: check TCG accel for all tests
[qemu.git] / hw / sd / sd.c
blobcd67a7bac8e204b65593df6192dc0bfe6ae01693
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "qemu-common.h"
51 #include "sdmmc-internal.h"
52 #include "trace.h"
53
54 //#define DEBUG_SD 1
55
56 #define SDSC_MAX_CAPACITY (2 * GiB)
57
58 #define INVALID_ADDRESS UINT32_MAX
59
60 typedef enum {
61 sd_r0 = 0, /* no response */
62 sd_r1, /* normal response command */
63 sd_r2_i, /* CID register */
64 sd_r2_s, /* CSD register */
65 sd_r3, /* OCR register */
66 sd_r6 = 6, /* Published RCA response */
67 sd_r7, /* Operating voltage */
68 sd_r1b = -1,
69 sd_illegal = -2,
70 } sd_rsp_type_t;
71
72 enum SDCardModes {
73 sd_inactive,
74 sd_card_identification_mode,
75 sd_data_transfer_mode,
76 };
77
78 enum SDCardStates {
79 sd_inactive_state = -1,
80 sd_idle_state = 0,
81 sd_ready_state,
82 sd_identification_state,
83 sd_standby_state,
84 sd_transfer_state,
85 sd_sendingdata_state,
86 sd_receivingdata_state,
87 sd_programming_state,
88 sd_disconnect_state,
89 };
90
91 struct SDState {
92 DeviceState parent_obj;
93
94 /* If true, created by sd_init() for a non-qdevified caller */
95 /* TODO purge them with fire */
96 bool me_no_qdev_me_kill_mammoth_with_rocks;
97
98 /* SD Memory Card Registers */
99 uint32_t ocr;
100 uint8_t scr[8];
101 uint8_t cid[16];
102 uint8_t csd[16];
103 uint16_t rca;
104 uint32_t card_status;
105 uint8_t sd_status[64];
106
107 /* Static properties */
108
109 uint8_t spec_version;
110 BlockBackend *blk;
111 bool spi;
112
113 /* Runtime changeables */
114
115 uint32_t mode; /* current card mode, one of SDCardModes */
116 int32_t state; /* current card state, one of SDCardStates */
117 uint32_t vhs;
118 bool wp_switch;
119 unsigned long *wp_group_bmap;
120 int32_t wp_group_bits;
121 uint64_t size;
122 uint32_t blk_len;
123 uint32_t multi_blk_cnt;
124 uint32_t erase_start;
125 uint32_t erase_end;
126 uint8_t pwd[16];
127 uint32_t pwd_len;
128 uint8_t function_group[6];
129 uint8_t current_cmd;
130 /* True if we will handle the next command as an ACMD. Note that this does
131 * *not* track the APP_CMD status bit!
132 */
133 bool expecting_acmd;
134 uint32_t blk_written;
135 uint64_t data_start;
136 uint32_t data_offset;
137 uint8_t data[512];
138 qemu_irq readonly_cb;
139 qemu_irq inserted_cb;
140 QEMUTimer *ocr_power_timer;
141 const char *proto_name;
142 bool enable;
143 uint8_t dat_lines;
144 bool cmd_line;
145 };
146
147 static void sd_realize(DeviceState *dev, Error **errp);
148
149 static const char *sd_state_name(enum SDCardStates state)
150 {
151 static const char *state_name[] = {
152 [sd_idle_state] = "idle",
153 [sd_ready_state] = "ready",
154 [sd_identification_state] = "identification",
155 [sd_standby_state] = "standby",
156 [sd_transfer_state] = "transfer",
157 [sd_sendingdata_state] = "sendingdata",
158 [sd_receivingdata_state] = "receivingdata",
159 [sd_programming_state] = "programming",
160 [sd_disconnect_state] = "disconnect",
161 };
162 if (state == sd_inactive_state) {
163 return "inactive";
164 }
165 assert(state < ARRAY_SIZE(state_name));
166 return state_name[state];
167 }
168
169 static const char *sd_response_name(sd_rsp_type_t rsp)
170 {
171 static const char *response_name[] = {
172 [sd_r0] = "RESP#0 (no response)",
173 [sd_r1] = "RESP#1 (normal cmd)",
174 [sd_r2_i] = "RESP#2 (CID reg)",
175 [sd_r2_s] = "RESP#2 (CSD reg)",
176 [sd_r3] = "RESP#3 (OCR reg)",
177 [sd_r6] = "RESP#6 (RCA)",
178 [sd_r7] = "RESP#7 (operating voltage)",
179 };
180 if (rsp == sd_illegal) {
181 return "ILLEGAL RESP";
182 }
183 if (rsp == sd_r1b) {
184 rsp = sd_r1;
185 }
186 assert(rsp < ARRAY_SIZE(response_name));
187 return response_name[rsp];
188 }
189
190 static uint8_t sd_get_dat_lines(SDState *sd)
191 {
192 return sd->enable ? sd->dat_lines : 0;
193 }
194
195 static bool sd_get_cmd_line(SDState *sd)
196 {
197 return sd->enable ? sd->cmd_line : false;
198 }
199
200 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
201 {
202 trace_sdcard_set_voltage(millivolts);
203
204 switch (millivolts) {
205 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
206 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
207 break;
208 default:
209 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
210 millivolts / 1000.f);
211 }
212 }
213
214 static void sd_set_mode(SDState *sd)
215 {
216 switch (sd->state) {
217 case sd_inactive_state:
218 sd->mode = sd_inactive;
219 break;
220
221 case sd_idle_state:
222 case sd_ready_state:
223 case sd_identification_state:
224 sd->mode = sd_card_identification_mode;
225 break;
226
227 case sd_standby_state:
228 case sd_transfer_state:
229 case sd_sendingdata_state:
230 case sd_receivingdata_state:
231 case sd_programming_state:
232 case sd_disconnect_state:
233 sd->mode = sd_data_transfer_mode;
234 break;
235 }
236 }
237
238 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
239 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
240 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
241 /* 16 */
242 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
243 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
244 /* 32 */
245 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
246 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
247 /* 48 */
248 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
249 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
250 };
251
252 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
253 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
254 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
255 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
256 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
257 };
258
259 static uint8_t sd_crc7(const void *message, size_t width)
260 {
261 int i, bit;
262 uint8_t shift_reg = 0x00;
263 const uint8_t *msg = (const uint8_t *)message;
264
265 for (i = 0; i < width; i ++, msg ++)
266 for (bit = 7; bit >= 0; bit --) {
267 shift_reg <<= 1;
268 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
269 shift_reg ^= 0x89;
270 }
271
272 return shift_reg;
273 }
274
275 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
276
277 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
278 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
279 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
280 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
281 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
282 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
283 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
284 FIELD(OCR, CARD_POWER_UP, 31, 1)
285
286 #define ACMD41_ENQUIRY_MASK 0x00ffffff
287 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
288 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
289 | R_OCR_UHS_II_CARD_MASK \
290 | R_OCR_CARD_CAPACITY_MASK \
291 | R_OCR_CARD_POWER_UP_MASK)
292
293 static void sd_ocr_powerup(void *opaque)
294 {
295 SDState *sd = opaque;
296
297 trace_sdcard_powerup();
298 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
299
300 /* card power-up OK */
301 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
302
303 if (sd->size > SDSC_MAX_CAPACITY) {
304 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
305 }
306 }
307
308 static void sd_set_ocr(SDState *sd)
309 {
310 /* All voltages OK */
311 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
312
313 if (sd->spi) {
314 /*
315 * We don't need to emulate power up sequence in SPI-mode.
316 * Thus, the card's power up status bit should be set to 1 when reset.
317 * The card's capacity status bit should also be set if SD card size
318 * is larger than 2GB for SDHC support.
319 */
320 sd_ocr_powerup(sd);
321 }
322 }
323
324 static void sd_set_scr(SDState *sd)
325 {
326 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
327 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
328 sd->scr[0] |= 1; /* Spec Version 1.10 */
329 } else {
330 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
331 }
332 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
333 | 0b0101; /* 1-bit or 4-bit width bus modes */
334 sd->scr[2] = 0x00; /* Extended Security is not supported. */
335 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
336 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
337 }
338 sd->scr[3] = 0x00;
339 /* reserved for manufacturer usage */
340 sd->scr[4] = 0x00;
341 sd->scr[5] = 0x00;
342 sd->scr[6] = 0x00;
343 sd->scr[7] = 0x00;
344 }
345
346 #define MID 0xaa
347 #define OID "XY"
348 #define PNM "QEMU!"
349 #define PRV 0x01
350 #define MDT_YR 2006
351 #define MDT_MON 2
352
353 static void sd_set_cid(SDState *sd)
354 {
355 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
356 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
357 sd->cid[2] = OID[1];
358 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
359 sd->cid[4] = PNM[1];
360 sd->cid[5] = PNM[2];
361 sd->cid[6] = PNM[3];
362 sd->cid[7] = PNM[4];
363 sd->cid[8] = PRV; /* Fake product revision (PRV) */
364 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
365 sd->cid[10] = 0xad;
366 sd->cid[11] = 0xbe;
367 sd->cid[12] = 0xef;
368 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
369 ((MDT_YR - 2000) / 10);
370 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
371 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
372 }
373
374 #define HWBLOCK_SHIFT 9 /* 512 bytes */
375 #define SECTOR_SHIFT 5 /* 16 kilobytes */
376 #define WPGROUP_SHIFT 7 /* 2 megs */
377 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
378 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
379
380 static const uint8_t sd_csd_rw_mask[16] = {
381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
383 };
384
385 static void sd_set_csd(SDState *sd, uint64_t size)
386 {
387 int hwblock_shift = HWBLOCK_SHIFT;
388 uint32_t csize;
389 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
390 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
391
392 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
393 if (size == SDSC_MAX_CAPACITY) {
394 hwblock_shift += 1;
395 }
396 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
397
398 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
399 sd->csd[0] = 0x00; /* CSD structure */
400 sd->csd[1] = 0x26; /* Data read access-time-1 */
401 sd->csd[2] = 0x00; /* Data read access-time-2 */
402 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
403 sd->csd[4] = 0x5f; /* Card Command Classes */
404 sd->csd[5] = 0x50 | /* Max. read data block length */
405 hwblock_shift;
406 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
407 ((csize >> 10) & 0x03);
408 sd->csd[7] = 0x00 | /* Device size */
409 ((csize >> 2) & 0xff);
410 sd->csd[8] = 0x3f | /* Max. read current */
411 ((csize << 6) & 0xc0);
412 sd->csd[9] = 0xfc | /* Max. write current */
413 ((CMULT_SHIFT - 2) >> 1);
414 sd->csd[10] = 0x40 | /* Erase sector size */
415 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
416 sd->csd[11] = 0x00 | /* Write protect group size */
417 ((sectsize << 7) & 0x80) | wpsize;
418 sd->csd[12] = 0x90 | /* Write speed factor */
419 (hwblock_shift >> 2);
420 sd->csd[13] = 0x20 | /* Max. write data block length */
421 ((hwblock_shift << 6) & 0xc0);
422 sd->csd[14] = 0x00; /* File format group */
423 } else { /* SDHC */
424 size /= 512 * KiB;
425 size -= 1;
426 sd->csd[0] = 0x40;
427 sd->csd[1] = 0x0e;
428 sd->csd[2] = 0x00;
429 sd->csd[3] = 0x32;
430 sd->csd[4] = 0x5b;
431 sd->csd[5] = 0x59;
432 sd->csd[6] = 0x00;
433 sd->csd[7] = (size >> 16) & 0xff;
434 sd->csd[8] = (size >> 8) & 0xff;
435 sd->csd[9] = (size & 0xff);
436 sd->csd[10] = 0x7f;
437 sd->csd[11] = 0x80;
438 sd->csd[12] = 0x0a;
439 sd->csd[13] = 0x40;
440 sd->csd[14] = 0x00;
441 }
442 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
443 }
444
445 static void sd_set_rca(SDState *sd)
446 {
447 sd->rca += 0x4567;
448 }
449
450 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
451 FIELD(CSR, APP_CMD, 5, 1)
452 FIELD(CSR, FX_EVENT, 6, 1)
453 FIELD(CSR, READY_FOR_DATA, 8, 1)
454 FIELD(CSR, CURRENT_STATE, 9, 4)
455 FIELD(CSR, ERASE_RESET, 13, 1)
456 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
457 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
458 FIELD(CSR, CSD_OVERWRITE, 16, 1)
459 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
460 FIELD(CSR, ERROR, 19, 1)
461 FIELD(CSR, CC_ERROR, 20, 1)
462 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
463 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
464 FIELD(CSR, COM_CRC_ERROR, 23, 1)
465 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
466 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
467 FIELD(CSR, WP_VIOLATION, 26, 1)
468 FIELD(CSR, ERASE_PARAM, 27, 1)
469 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
470 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
471 FIELD(CSR, ADDRESS_ERROR, 30, 1)
472 FIELD(CSR, OUT_OF_RANGE, 31, 1)
473
474 /* Card status bits, split by clear condition:
475 * A : According to the card current state
476 * B : Always related to the previous command
477 * C : Cleared by read
478 */
479 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
480 | R_CSR_CARD_ECC_DISABLED_MASK \
481 | R_CSR_CARD_IS_LOCKED_MASK)
482 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
483 | R_CSR_ILLEGAL_COMMAND_MASK \
484 | R_CSR_COM_CRC_ERROR_MASK)
485 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
486 | R_CSR_APP_CMD_MASK \
487 | R_CSR_ERASE_RESET_MASK \
488 | R_CSR_WP_ERASE_SKIP_MASK \
489 | R_CSR_CSD_OVERWRITE_MASK \
490 | R_CSR_ERROR_MASK \
491 | R_CSR_CC_ERROR_MASK \
492 | R_CSR_CARD_ECC_FAILED_MASK \
493 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
494 | R_CSR_WP_VIOLATION_MASK \
495 | R_CSR_ERASE_PARAM_MASK \
496 | R_CSR_ERASE_SEQ_ERROR_MASK \
497 | R_CSR_BLOCK_LEN_ERROR_MASK \
498 | R_CSR_ADDRESS_ERROR_MASK \
499 | R_CSR_OUT_OF_RANGE_MASK)
500
501 static void sd_set_cardstatus(SDState *sd)
502 {
503 sd->card_status = 0x00000100;
504 }
505
506 static void sd_set_sdstatus(SDState *sd)
507 {
508 memset(sd->sd_status, 0, 64);
509 }
510
511 static int sd_req_crc_validate(SDRequest *req)
512 {
513 uint8_t buffer[5];
514 buffer[0] = 0x40 | req->cmd;
515 stl_be_p(&buffer[1], req->arg);
516 return 0;
517 return sd_crc7(buffer, 5) != req->crc; /* TODO */
518 }
519
520 static void sd_response_r1_make(SDState *sd, uint8_t *response)
521 {
522 stl_be_p(response, sd->card_status);
523
524 /* Clear the "clear on read" status bits */
525 sd->card_status &= ~CARD_STATUS_C;
526 }
527
528 static void sd_response_r3_make(SDState *sd, uint8_t *response)
529 {
530 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
531 }
532
533 static void sd_response_r6_make(SDState *sd, uint8_t *response)
534 {
535 uint16_t status;
536
537 status = ((sd->card_status >> 8) & 0xc000) |
538 ((sd->card_status >> 6) & 0x2000) |
539 (sd->card_status & 0x1fff);
540 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
541 stw_be_p(response + 0, sd->rca);
542 stw_be_p(response + 2, status);
543 }
544
545 static void sd_response_r7_make(SDState *sd, uint8_t *response)
546 {
547 stl_be_p(response, sd->vhs);
548 }
549
550 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
551 {
552 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
553 }
554
555 static void sd_reset(DeviceState *dev)
556 {
557 SDState *sd = SD_CARD(dev);
558 uint64_t size;
559 uint64_t sect;
560
561 trace_sdcard_reset();
562 if (sd->blk) {
563 blk_get_geometry(sd->blk, &sect);
564 } else {
565 sect = 0;
566 }
567 size = sect << 9;
568
569 sect = sd_addr_to_wpnum(size) + 1;
570
571 sd->state = sd_idle_state;
572 sd->rca = 0x0000;
573 sd->size = size;
574 sd_set_ocr(sd);
575 sd_set_scr(sd);
576 sd_set_cid(sd);
577 sd_set_csd(sd, size);
578 sd_set_cardstatus(sd);
579 sd_set_sdstatus(sd);
580
581 g_free(sd->wp_group_bmap);
582 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
583 sd->wp_group_bits = sect;
584 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
585 memset(sd->function_group, 0, sizeof(sd->function_group));
586 sd->erase_start = INVALID_ADDRESS;
587 sd->erase_end = INVALID_ADDRESS;
588 sd->blk_len = 0x200;
589 sd->pwd_len = 0;
590 sd->expecting_acmd = false;
591 sd->dat_lines = 0xf;
592 sd->cmd_line = true;
593 sd->multi_blk_cnt = 0;
594 }
595
596 static bool sd_get_inserted(SDState *sd)
597 {
598 return sd->blk && blk_is_inserted(sd->blk);
599 }
600
601 static bool sd_get_readonly(SDState *sd)
602 {
603 return sd->wp_switch;
604 }
605
606 static void sd_cardchange(void *opaque, bool load, Error **errp)
607 {
608 SDState *sd = opaque;
609 DeviceState *dev = DEVICE(sd);
610 SDBus *sdbus;
611 bool inserted = sd_get_inserted(sd);
612 bool readonly = sd_get_readonly(sd);
613
614 if (inserted) {
615 trace_sdcard_inserted(readonly);
616 sd_reset(dev);
617 } else {
618 trace_sdcard_ejected();
619 }
620
621 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
622 qemu_set_irq(sd->inserted_cb, inserted);
623 if (inserted) {
624 qemu_set_irq(sd->readonly_cb, readonly);
625 }
626 } else {
627 sdbus = SD_BUS(qdev_get_parent_bus(dev));
628 sdbus_set_inserted(sdbus, inserted);
629 if (inserted) {
630 sdbus_set_readonly(sdbus, readonly);
631 }
632 }
633 }
634
635 static const BlockDevOps sd_block_ops = {
636 .change_media_cb = sd_cardchange,
637 };
638
639 static bool sd_ocr_vmstate_needed(void *opaque)
640 {
641 SDState *sd = opaque;
642
643 /* Include the OCR state (and timer) if it is not yet powered up */
644 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
645 }
646
647 static const VMStateDescription sd_ocr_vmstate = {
648 .name = "sd-card/ocr-state",
649 .version_id = 1,
650 .minimum_version_id = 1,
651 .needed = sd_ocr_vmstate_needed,
652 .fields = (VMStateField[]) {
653 VMSTATE_UINT32(ocr, SDState),
654 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
655 VMSTATE_END_OF_LIST()
656 },
657 };
658
659 static int sd_vmstate_pre_load(void *opaque)
660 {
661 SDState *sd = opaque;
662
663 /* If the OCR state is not included (prior versions, or not
664 * needed), then the OCR must be set as powered up. If the OCR state
665 * is included, this will be replaced by the state restore.
666 */
667 sd_ocr_powerup(sd);
668
669 return 0;
670 }
671
672 static const VMStateDescription sd_vmstate = {
673 .name = "sd-card",
674 .version_id = 2,
675 .minimum_version_id = 2,
676 .pre_load = sd_vmstate_pre_load,
677 .fields = (VMStateField[]) {
678 VMSTATE_UINT32(mode, SDState),
679 VMSTATE_INT32(state, SDState),
680 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
681 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
682 VMSTATE_UINT16(rca, SDState),
683 VMSTATE_UINT32(card_status, SDState),
684 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
685 VMSTATE_UINT32(vhs, SDState),
686 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
687 VMSTATE_UINT32(blk_len, SDState),
688 VMSTATE_UINT32(multi_blk_cnt, SDState),
689 VMSTATE_UINT32(erase_start, SDState),
690 VMSTATE_UINT32(erase_end, SDState),
691 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
692 VMSTATE_UINT32(pwd_len, SDState),
693 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
694 VMSTATE_UINT8(current_cmd, SDState),
695 VMSTATE_BOOL(expecting_acmd, SDState),
696 VMSTATE_UINT32(blk_written, SDState),
697 VMSTATE_UINT64(data_start, SDState),
698 VMSTATE_UINT32(data_offset, SDState),
699 VMSTATE_UINT8_ARRAY(data, SDState, 512),
700 VMSTATE_UNUSED_V(1, 512),
701 VMSTATE_BOOL(enable, SDState),
702 VMSTATE_END_OF_LIST()
703 },
704 .subsections = (const VMStateDescription*[]) {
705 &sd_ocr_vmstate,
706 NULL
707 },
708 };
709
710 /* Legacy initialization function for use by non-qdevified callers */
711 SDState *sd_init(BlockBackend *blk, bool is_spi)
712 {
713 Object *obj;
714 DeviceState *dev;
715 SDState *sd;
716 Error *err = NULL;
717
718 obj = object_new(TYPE_SD_CARD);
719 dev = DEVICE(obj);
720 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
721 error_reportf_err(err, "sd_init failed: ");
722 return NULL;
723 }
724 qdev_prop_set_bit(dev, "spi", is_spi);
725
726 /*
727 * Realizing the device properly would put it into the QOM
728 * composition tree even though it is not plugged into an
729 * appropriate bus. That's a no-no. Hide the device from
730 * QOM/qdev, and call its qdev realize callback directly.
731 */
732 object_ref(obj);
733 object_unparent(obj);
734 sd_realize(dev, &err);
735 if (err) {
736 error_reportf_err(err, "sd_init failed: ");
737 return NULL;
738 }
739
740 sd = SD_CARD(dev);
741 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
742 return sd;
743 }
744
745 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
746 {
747 sd->readonly_cb = readonly;
748 sd->inserted_cb = insert;
749 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
750 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
751 }
752
753 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
754 {
755 trace_sdcard_read_block(addr, len);
756 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
757 fprintf(stderr, "sd_blk_read: read error on host side\n");
758 }
759 }
760
761 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
762 {
763 trace_sdcard_write_block(addr, len);
764 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
765 fprintf(stderr, "sd_blk_write: write error on host side\n");
766 }
767 }
768
769 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
770 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
771 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
772 #define APP_WRITE_BLOCK(a, len)
773
774 static void sd_erase(SDState *sd)
775 {
776 uint64_t erase_start = sd->erase_start;
777 uint64_t erase_end = sd->erase_end;
778 bool sdsc = true;
779 uint64_t wpnum;
780 uint64_t erase_addr;
781 int erase_len = 1 << HWBLOCK_SHIFT;
782
783 trace_sdcard_erase(sd->erase_start, sd->erase_end);
784 if (sd->erase_start == INVALID_ADDRESS
785 || sd->erase_end == INVALID_ADDRESS) {
786 sd->card_status |= ERASE_SEQ_ERROR;
787 sd->erase_start = INVALID_ADDRESS;
788 sd->erase_end = INVALID_ADDRESS;
789 return;
790 }
791
792 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
793 /* High capacity memory card: erase units are 512 byte blocks */
794 erase_start *= 512;
795 erase_end *= 512;
796 sdsc = false;
797 }
798
799 if (erase_start > sd->size || erase_end > sd->size) {
800 sd->card_status |= OUT_OF_RANGE;
801 sd->erase_start = INVALID_ADDRESS;
802 sd->erase_end = INVALID_ADDRESS;
803 return;
804 }
805
806 sd->erase_start = INVALID_ADDRESS;
807 sd->erase_end = INVALID_ADDRESS;
808 sd->csd[14] |= 0x40;
809
810 memset(sd->data, 0xff, erase_len);
811 for (erase_addr = erase_start; erase_addr <= erase_end;
812 erase_addr += erase_len) {
813 if (sdsc) {
814 /* Only SDSC cards support write protect groups */
815 wpnum = sd_addr_to_wpnum(erase_addr);
816 assert(wpnum < sd->wp_group_bits);
817 if (test_bit(wpnum, sd->wp_group_bmap)) {
818 sd->card_status |= WP_ERASE_SKIP;
819 continue;
820 }
821 }
822 BLK_WRITE_BLOCK(erase_addr, erase_len);
823 }
824 }
825
826 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
827 {
828 uint32_t i, wpnum;
829 uint32_t ret = 0;
830
831 wpnum = sd_addr_to_wpnum(addr);
832
833 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
834 if (addr >= sd->size) {
835 /*
836 * If the addresses of the last groups are outside the valid range,
837 * then the corresponding write protection bits shall be set to 0.
838 */
839 continue;
840 }
841 assert(wpnum < sd->wp_group_bits);
842 if (test_bit(wpnum, sd->wp_group_bmap)) {
843 ret |= (1 << i);
844 }
845 }
846
847 return ret;
848 }
849
850 static void sd_function_switch(SDState *sd, uint32_t arg)
851 {
852 int i, mode, new_func;
853 mode = !!(arg & 0x80000000);
854
855 sd->data[0] = 0x00; /* Maximum current consumption */
856 sd->data[1] = 0x01;
857 sd->data[2] = 0x80; /* Supported group 6 functions */
858 sd->data[3] = 0x01;
859 sd->data[4] = 0x80; /* Supported group 5 functions */
860 sd->data[5] = 0x01;
861 sd->data[6] = 0x80; /* Supported group 4 functions */
862 sd->data[7] = 0x01;
863 sd->data[8] = 0x80; /* Supported group 3 functions */
864 sd->data[9] = 0x01;
865 sd->data[10] = 0x80; /* Supported group 2 functions */
866 sd->data[11] = 0x43;
867 sd->data[12] = 0x80; /* Supported group 1 functions */
868 sd->data[13] = 0x03;
869
870 memset(&sd->data[14], 0, 3);
871 for (i = 0; i < 6; i ++) {
872 new_func = (arg >> (i * 4)) & 0x0f;
873 if (mode && new_func != 0x0f)
874 sd->function_group[i] = new_func;
875 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
876 }
877 memset(&sd->data[17], 0, 47);
878 }
879
880 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
881 {
882 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
883 }
884
885 static void sd_lock_command(SDState *sd)
886 {
887 int erase, lock, clr_pwd, set_pwd, pwd_len;
888 erase = !!(sd->data[0] & 0x08);
889 lock = sd->data[0] & 0x04;
890 clr_pwd = sd->data[0] & 0x02;
891 set_pwd = sd->data[0] & 0x01;
892
893 if (sd->blk_len > 1)
894 pwd_len = sd->data[1];
895 else
896 pwd_len = 0;
897
898 if (lock) {
899 trace_sdcard_lock();
900 } else {
901 trace_sdcard_unlock();
902 }
903 if (erase) {
904 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
905 set_pwd || clr_pwd || lock || sd->wp_switch ||
906 (sd->csd[14] & 0x20)) {
907 sd->card_status |= LOCK_UNLOCK_FAILED;
908 return;
909 }
910 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
911 sd->csd[14] &= ~0x10;
912 sd->card_status &= ~CARD_IS_LOCKED;
913 sd->pwd_len = 0;
914 /* Erasing the entire card here! */
915 fprintf(stderr, "SD: Card force-erased by CMD42\n");
916 return;
917 }
918
919 if (sd->blk_len < 2 + pwd_len ||
920 pwd_len <= sd->pwd_len ||
921 pwd_len > sd->pwd_len + 16) {
922 sd->card_status |= LOCK_UNLOCK_FAILED;
923 return;
924 }
925
926 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
927 sd->card_status |= LOCK_UNLOCK_FAILED;
928 return;
929 }
930
931 pwd_len -= sd->pwd_len;
932 if ((pwd_len && !set_pwd) ||
933 (clr_pwd && (set_pwd || lock)) ||
934 (lock && !sd->pwd_len && !set_pwd) ||
935 (!set_pwd && !clr_pwd &&
936 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
937 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
938 sd->card_status |= LOCK_UNLOCK_FAILED;
939 return;
940 }
941
942 if (set_pwd) {
943 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
944 sd->pwd_len = pwd_len;
945 }
946
947 if (clr_pwd) {
948 sd->pwd_len = 0;
949 }
950
951 if (lock)
952 sd->card_status |= CARD_IS_LOCKED;
953 else
954 sd->card_status &= ~CARD_IS_LOCKED;
955 }
956
957 static bool address_in_range(SDState *sd, const char *desc,
958 uint64_t addr, uint32_t length)
959 {
960 if (addr + length > sd->size) {
961 qemu_log_mask(LOG_GUEST_ERROR,
962 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
963 desc, addr, sd->size, length);
964 sd->card_status |= ADDRESS_ERROR;
965 return false;
966 }
967 return true;
968 }
969
970 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
971 {
972 uint32_t rca = 0x0000;
973 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
974
975 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
976 * However there is no ACMD55, so we want to trace this particular case.
977 */
978 if (req.cmd != 55 || sd->expecting_acmd) {
979 trace_sdcard_normal_command(sd->proto_name,
980 sd_cmd_name(req.cmd), req.cmd,
981 req.arg, sd_state_name(sd->state));
982 }
983
984 /* Not interpreting this as an app command */
985 sd->card_status &= ~APP_CMD;
986
987 if (sd_cmd_type[req.cmd] == sd_ac
988 || sd_cmd_type[req.cmd] == sd_adtc) {
989 rca = req.arg >> 16;
990 }
991
992 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
993 * if not, its effects are cancelled */
994 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
995 sd->multi_blk_cnt = 0;
996 }
997
998 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
999 /* Only Standard Capacity cards support class 6 commands */
1000 return sd_illegal;
1001 }
1002
1003 switch (req.cmd) {
1004 /* Basic commands (Class 0 and Class 1) */
1005 case 0: /* CMD0: GO_IDLE_STATE */
1006 switch (sd->state) {
1007 case sd_inactive_state:
1008 return sd->spi ? sd_r1 : sd_r0;
1009
1010 default:
1011 sd->state = sd_idle_state;
1012 sd_reset(DEVICE(sd));
1013 return sd->spi ? sd_r1 : sd_r0;
1014 }
1015 break;
1016
1017 case 1: /* CMD1: SEND_OP_CMD */
1018 if (!sd->spi)
1019 goto bad_cmd;
1020
1021 sd->state = sd_transfer_state;
1022 return sd_r1;
1023
1024 case 2: /* CMD2: ALL_SEND_CID */
1025 if (sd->spi)
1026 goto bad_cmd;
1027 switch (sd->state) {
1028 case sd_ready_state:
1029 sd->state = sd_identification_state;
1030 return sd_r2_i;
1031
1032 default:
1033 break;
1034 }
1035 break;
1036
1037 case 3: /* CMD3: SEND_RELATIVE_ADDR */
1038 if (sd->spi)
1039 goto bad_cmd;
1040 switch (sd->state) {
1041 case sd_identification_state:
1042 case sd_standby_state:
1043 sd->state = sd_standby_state;
1044 sd_set_rca(sd);
1045 return sd_r6;
1046
1047 default:
1048 break;
1049 }
1050 break;
1051
1052 case 4: /* CMD4: SEND_DSR */
1053 if (sd->spi)
1054 goto bad_cmd;
1055 switch (sd->state) {
1056 case sd_standby_state:
1057 break;
1058
1059 default:
1060 break;
1061 }
1062 break;
1063
1064 case 5: /* CMD5: reserved for SDIO cards */
1065 return sd_illegal;
1066
1067 case 6: /* CMD6: SWITCH_FUNCTION */
1068 switch (sd->mode) {
1069 case sd_data_transfer_mode:
1070 sd_function_switch(sd, req.arg);
1071 sd->state = sd_sendingdata_state;
1072 sd->data_start = 0;
1073 sd->data_offset = 0;
1074 return sd_r1;
1075
1076 default:
1077 break;
1078 }
1079 break;
1080
1081 case 7: /* CMD7: SELECT/DESELECT_CARD */
1082 if (sd->spi)
1083 goto bad_cmd;
1084 switch (sd->state) {
1085 case sd_standby_state:
1086 if (sd->rca != rca)
1087 return sd_r0;
1088
1089 sd->state = sd_transfer_state;
1090 return sd_r1b;
1091
1092 case sd_transfer_state:
1093 case sd_sendingdata_state:
1094 if (sd->rca == rca)
1095 break;
1096
1097 sd->state = sd_standby_state;
1098 return sd_r1b;
1099
1100 case sd_disconnect_state:
1101 if (sd->rca != rca)
1102 return sd_r0;
1103
1104 sd->state = sd_programming_state;
1105 return sd_r1b;
1106
1107 case sd_programming_state:
1108 if (sd->rca == rca)
1109 break;
1110
1111 sd->state = sd_disconnect_state;
1112 return sd_r1b;
1113
1114 default:
1115 break;
1116 }
1117 break;
1118
1119 case 8: /* CMD8: SEND_IF_COND */
1120 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1121 break;
1122 }
1123 if (sd->state != sd_idle_state) {
1124 break;
1125 }
1126 sd->vhs = 0;
1127
1128 /* No response if not exactly one VHS bit is set. */
1129 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1130 return sd->spi ? sd_r7 : sd_r0;
1131 }
1132
1133 /* Accept. */
1134 sd->vhs = req.arg;
1135 return sd_r7;
1136
1137 case 9: /* CMD9: SEND_CSD */
1138 switch (sd->state) {
1139 case sd_standby_state:
1140 if (sd->rca != rca)
1141 return sd_r0;
1142
1143 return sd_r2_s;
1144
1145 case sd_transfer_state:
1146 if (!sd->spi)
1147 break;
1148 sd->state = sd_sendingdata_state;
1149 memcpy(sd->data, sd->csd, 16);
1150 sd->data_start = addr;
1151 sd->data_offset = 0;
1152 return sd_r1;
1153
1154 default:
1155 break;
1156 }
1157 break;
1158
1159 case 10: /* CMD10: SEND_CID */
1160 switch (sd->state) {
1161 case sd_standby_state:
1162 if (sd->rca != rca)
1163 return sd_r0;
1164
1165 return sd_r2_i;
1166
1167 case sd_transfer_state:
1168 if (!sd->spi)
1169 break;
1170 sd->state = sd_sendingdata_state;
1171 memcpy(sd->data, sd->cid, 16);
1172 sd->data_start = addr;
1173 sd->data_offset = 0;
1174 return sd_r1;
1175
1176 default:
1177 break;
1178 }
1179 break;
1180
1181 case 12: /* CMD12: STOP_TRANSMISSION */
1182 switch (sd->state) {
1183 case sd_sendingdata_state:
1184 sd->state = sd_transfer_state;
1185 return sd_r1b;
1186
1187 case sd_receivingdata_state:
1188 sd->state = sd_programming_state;
1189 /* Bzzzzzzztt .... Operation complete. */
1190 sd->state = sd_transfer_state;
1191 return sd_r1b;
1192
1193 default:
1194 break;
1195 }
1196 break;
1197
1198 case 13: /* CMD13: SEND_STATUS */
1199 switch (sd->mode) {
1200 case sd_data_transfer_mode:
1201 if (!sd->spi && sd->rca != rca) {
1202 return sd_r0;
1203 }
1204
1205 return sd_r1;
1206
1207 default:
1208 break;
1209 }
1210 break;
1211
1212 case 15: /* CMD15: GO_INACTIVE_STATE */
1213 if (sd->spi)
1214 goto bad_cmd;
1215 switch (sd->mode) {
1216 case sd_data_transfer_mode:
1217 if (sd->rca != rca)
1218 return sd_r0;
1219
1220 sd->state = sd_inactive_state;
1221 return sd_r0;
1222
1223 default:
1224 break;
1225 }
1226 break;
1227
1228 /* Block read commands (Classs 2) */
1229 case 16: /* CMD16: SET_BLOCKLEN */
1230 switch (sd->state) {
1231 case sd_transfer_state:
1232 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1233 sd->card_status |= BLOCK_LEN_ERROR;
1234 } else {
1235 trace_sdcard_set_blocklen(req.arg);
1236 sd->blk_len = req.arg;
1237 }
1238
1239 return sd_r1;
1240
1241 default:
1242 break;
1243 }
1244 break;
1245
1246 case 17: /* CMD17: READ_SINGLE_BLOCK */
1247 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1248 switch (sd->state) {
1249 case sd_transfer_state:
1250
1251 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1252 return sd_r1;
1253 }
1254
1255 sd->state = sd_sendingdata_state;
1256 sd->data_start = addr;
1257 sd->data_offset = 0;
1258 return sd_r1;
1259
1260 default:
1261 break;
1262 }
1263 break;
1264
1265 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1266 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1267 break;
1268 }
1269 if (sd->state == sd_transfer_state) {
1270 sd->state = sd_sendingdata_state;
1271 sd->data_offset = 0;
1272 return sd_r1;
1273 }
1274 break;
1275
1276 case 23: /* CMD23: SET_BLOCK_COUNT */
1277 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1278 break;
1279 }
1280 switch (sd->state) {
1281 case sd_transfer_state:
1282 sd->multi_blk_cnt = req.arg;
1283 return sd_r1;
1284
1285 default:
1286 break;
1287 }
1288 break;
1289
1290 /* Block write commands (Class 4) */
1291 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1292 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1293 switch (sd->state) {
1294 case sd_transfer_state:
1295
1296 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1297 return sd_r1;
1298 }
1299
1300 sd->state = sd_receivingdata_state;
1301 sd->data_start = addr;
1302 sd->data_offset = 0;
1303 sd->blk_written = 0;
1304
1305 if (sd->size <= SDSC_MAX_CAPACITY) {
1306 if (sd_wp_addr(sd, sd->data_start)) {
1307 sd->card_status |= WP_VIOLATION;
1308 }
1309 }
1310 if (sd->csd[14] & 0x30) {
1311 sd->card_status |= WP_VIOLATION;
1312 }
1313 return sd_r1;
1314
1315 default:
1316 break;
1317 }
1318 break;
1319
1320 case 26: /* CMD26: PROGRAM_CID */
1321 if (sd->spi)
1322 goto bad_cmd;
1323 switch (sd->state) {
1324 case sd_transfer_state:
1325 sd->state = sd_receivingdata_state;
1326 sd->data_start = 0;
1327 sd->data_offset = 0;
1328 return sd_r1;
1329
1330 default:
1331 break;
1332 }
1333 break;
1334
1335 case 27: /* CMD27: PROGRAM_CSD */
1336 switch (sd->state) {
1337 case sd_transfer_state:
1338 sd->state = sd_receivingdata_state;
1339 sd->data_start = 0;
1340 sd->data_offset = 0;
1341 return sd_r1;
1342
1343 default:
1344 break;
1345 }
1346 break;
1347
1348 /* Write protection (Class 6) */
1349 case 28: /* CMD28: SET_WRITE_PROT */
1350 if (sd->size > SDSC_MAX_CAPACITY) {
1351 return sd_illegal;
1352 }
1353
1354 switch (sd->state) {
1355 case sd_transfer_state:
1356 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1357 return sd_r1b;
1358 }
1359
1360 sd->state = sd_programming_state;
1361 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1362 /* Bzzzzzzztt .... Operation complete. */
1363 sd->state = sd_transfer_state;
1364 return sd_r1b;
1365
1366 default:
1367 break;
1368 }
1369 break;
1370
1371 case 29: /* CMD29: CLR_WRITE_PROT */
1372 if (sd->size > SDSC_MAX_CAPACITY) {
1373 return sd_illegal;
1374 }
1375
1376 switch (sd->state) {
1377 case sd_transfer_state:
1378 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1379 return sd_r1b;
1380 }
1381
1382 sd->state = sd_programming_state;
1383 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1384 /* Bzzzzzzztt .... Operation complete. */
1385 sd->state = sd_transfer_state;
1386 return sd_r1b;
1387
1388 default:
1389 break;
1390 }
1391 break;
1392
1393 case 30: /* CMD30: SEND_WRITE_PROT */
1394 if (sd->size > SDSC_MAX_CAPACITY) {
1395 return sd_illegal;
1396 }
1397
1398 switch (sd->state) {
1399 case sd_transfer_state:
1400 if (!address_in_range(sd, "SEND_WRITE_PROT",
1401 req.arg, sd->blk_len)) {
1402 return sd_r1;
1403 }
1404
1405 sd->state = sd_sendingdata_state;
1406 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1407 sd->data_start = addr;
1408 sd->data_offset = 0;
1409 return sd_r1;
1410
1411 default:
1412 break;
1413 }
1414 break;
1415
1416 /* Erase commands (Class 5) */
1417 case 32: /* CMD32: ERASE_WR_BLK_START */
1418 switch (sd->state) {
1419 case sd_transfer_state:
1420 sd->erase_start = req.arg;
1421 return sd_r1;
1422
1423 default:
1424 break;
1425 }
1426 break;
1427
1428 case 33: /* CMD33: ERASE_WR_BLK_END */
1429 switch (sd->state) {
1430 case sd_transfer_state:
1431 sd->erase_end = req.arg;
1432 return sd_r1;
1433
1434 default:
1435 break;
1436 }
1437 break;
1438
1439 case 38: /* CMD38: ERASE */
1440 switch (sd->state) {
1441 case sd_transfer_state:
1442 if (sd->csd[14] & 0x30) {
1443 sd->card_status |= WP_VIOLATION;
1444 return sd_r1b;
1445 }
1446
1447 sd->state = sd_programming_state;
1448 sd_erase(sd);
1449 /* Bzzzzzzztt .... Operation complete. */
1450 sd->state = sd_transfer_state;
1451 return sd_r1b;
1452
1453 default:
1454 break;
1455 }
1456 break;
1457
1458 /* Lock card commands (Class 7) */
1459 case 42: /* CMD42: LOCK_UNLOCK */
1460 switch (sd->state) {
1461 case sd_transfer_state:
1462 sd->state = sd_receivingdata_state;
1463 sd->data_start = 0;
1464 sd->data_offset = 0;
1465 return sd_r1;
1466
1467 default:
1468 break;
1469 }
1470 break;
1471
1472 case 52 ... 54:
1473 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1474 * (see the SDIO Simplified Specification V2.0)
1475 * Handle as illegal command but do not complain
1476 * on stderr, as some OSes may use these in their
1477 * probing for presence of an SDIO card.
1478 */
1479 return sd_illegal;
1480
1481 /* Application specific commands (Class 8) */
1482 case 55: /* CMD55: APP_CMD */
1483 switch (sd->state) {
1484 case sd_ready_state:
1485 case sd_identification_state:
1486 case sd_inactive_state:
1487 return sd_illegal;
1488 case sd_idle_state:
1489 if (rca) {
1490 qemu_log_mask(LOG_GUEST_ERROR,
1491 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1492 }
1493 default:
1494 break;
1495 }
1496 if (!sd->spi) {
1497 if (sd->rca != rca) {
1498 return sd_r0;
1499 }
1500 }
1501 sd->expecting_acmd = true;
1502 sd->card_status |= APP_CMD;
1503 return sd_r1;
1504
1505 case 56: /* CMD56: GEN_CMD */
1506 switch (sd->state) {
1507 case sd_transfer_state:
1508 sd->data_offset = 0;
1509 if (req.arg & 1)
1510 sd->state = sd_sendingdata_state;
1511 else
1512 sd->state = sd_receivingdata_state;
1513 return sd_r1;
1514
1515 default:
1516 break;
1517 }
1518 break;
1519
1520 case 58: /* CMD58: READ_OCR (SPI) */
1521 if (!sd->spi) {
1522 goto bad_cmd;
1523 }
1524 return sd_r3;
1525
1526 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1527 if (!sd->spi) {
1528 goto bad_cmd;
1529 }
1530 return sd_r1;
1531
1532 default:
1533 bad_cmd:
1534 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1535 return sd_illegal;
1536 }
1537
1538 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
1539 req.cmd, sd_state_name(sd->state));
1540 return sd_illegal;
1541 }
1542
1543 static sd_rsp_type_t sd_app_command(SDState *sd,
1544 SDRequest req)
1545 {
1546 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1547 req.cmd, req.arg, sd_state_name(sd->state));
1548 sd->card_status |= APP_CMD;
1549 switch (req.cmd) {
1550 case 6: /* ACMD6: SET_BUS_WIDTH */
1551 if (sd->spi) {
1552 goto unimplemented_spi_cmd;
1553 }
1554 switch (sd->state) {
1555 case sd_transfer_state:
1556 sd->sd_status[0] &= 0x3f;
1557 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1558 return sd_r1;
1559
1560 default:
1561 break;
1562 }
1563 break;
1564
1565 case 13: /* ACMD13: SD_STATUS */
1566 switch (sd->state) {
1567 case sd_transfer_state:
1568 sd->state = sd_sendingdata_state;
1569 sd->data_start = 0;
1570 sd->data_offset = 0;
1571 return sd_r1;
1572
1573 default:
1574 break;
1575 }
1576 break;
1577
1578 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1579 switch (sd->state) {
1580 case sd_transfer_state:
1581 *(uint32_t *) sd->data = sd->blk_written;
1582
1583 sd->state = sd_sendingdata_state;
1584 sd->data_start = 0;
1585 sd->data_offset = 0;
1586 return sd_r1;
1587
1588 default:
1589 break;
1590 }
1591 break;
1592
1593 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1594 switch (sd->state) {
1595 case sd_transfer_state:
1596 return sd_r1;
1597
1598 default:
1599 break;
1600 }
1601 break;
1602
1603 case 41: /* ACMD41: SD_APP_OP_COND */
1604 if (sd->spi) {
1605 /* SEND_OP_CMD */
1606 sd->state = sd_transfer_state;
1607 return sd_r1;
1608 }
1609 if (sd->state != sd_idle_state) {
1610 break;
1611 }
1612 /* If it's the first ACMD41 since reset, we need to decide
1613 * whether to power up. If this is not an enquiry ACMD41,
1614 * we immediately report power on and proceed below to the
1615 * ready state, but if it is, we set a timer to model a
1616 * delay for power up. This works around a bug in EDK2
1617 * UEFI, which sends an initial enquiry ACMD41, but
1618 * assumes that the card is in ready state as soon as it
1619 * sees the power up bit set. */
1620 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1621 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1622 timer_del(sd->ocr_power_timer);
1623 sd_ocr_powerup(sd);
1624 } else {
1625 trace_sdcard_inquiry_cmd41();
1626 if (!timer_pending(sd->ocr_power_timer)) {
1627 timer_mod_ns(sd->ocr_power_timer,
1628 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1629 + OCR_POWER_DELAY_NS));
1630 }
1631 }
1632 }
1633
1634 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1635 /* We accept any voltage. 10000 V is nothing.
1636 *
1637 * Once we're powered up, we advance straight to ready state
1638 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1639 */
1640 sd->state = sd_ready_state;
1641 }
1642
1643 return sd_r3;
1644
1645 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1646 switch (sd->state) {
1647 case sd_transfer_state:
1648 /* Bringing in the 50KOhm pull-up resistor... Done. */
1649 return sd_r1;
1650
1651 default:
1652 break;
1653 }
1654 break;
1655
1656 case 51: /* ACMD51: SEND_SCR */
1657 switch (sd->state) {
1658 case sd_transfer_state:
1659 sd->state = sd_sendingdata_state;
1660 sd->data_start = 0;
1661 sd->data_offset = 0;
1662 return sd_r1;
1663
1664 default:
1665 break;
1666 }
1667 break;
1668
1669 case 18: /* Reserved for SD security applications */
1670 case 25:
1671 case 26:
1672 case 38:
1673 case 43 ... 49:
1674 /* Refer to the "SD Specifications Part3 Security Specification" for
1675 * information about the SD Security Features.
1676 */
1677 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1678 req.cmd);
1679 return sd_illegal;
1680
1681 default:
1682 /* Fall back to standard commands. */
1683 return sd_normal_command(sd, req);
1684
1685 unimplemented_spi_cmd:
1686 /* Commands that are recognised but not yet implemented in SPI mode. */
1687 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1688 req.cmd);
1689 return sd_illegal;
1690 }
1691
1692 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1693 return sd_illegal;
1694 }
1695
1696 static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1697 {
1698 /* Valid commands in locked state:
1699 * basic class (0)
1700 * lock card class (7)
1701 * CMD16
1702 * implicitly, the ACMD prefix CMD55
1703 * ACMD41 and ACMD42
1704 * Anything else provokes an "illegal command" response.
1705 */
1706 if (sd->expecting_acmd) {
1707 return cmd == 41 || cmd == 42;
1708 }
1709 if (cmd == 16 || cmd == 55) {
1710 return 1;
1711 }
1712 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1713 }
1714
1715 int sd_do_command(SDState *sd, SDRequest *req,
1716 uint8_t *response) {
1717 int last_state;
1718 sd_rsp_type_t rtype;
1719 int rsplen;
1720
1721 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1722 return 0;
1723 }
1724
1725 if (sd_req_crc_validate(req)) {
1726 sd->card_status |= COM_CRC_ERROR;
1727 rtype = sd_illegal;
1728 goto send_response;
1729 }
1730
1731 if (req->cmd >= SDMMC_CMD_MAX) {
1732 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1733 req->cmd);
1734 req->cmd &= 0x3f;
1735 }
1736
1737 if (sd->card_status & CARD_IS_LOCKED) {
1738 if (!cmd_valid_while_locked(sd, req->cmd)) {
1739 sd->card_status |= ILLEGAL_COMMAND;
1740 sd->expecting_acmd = false;
1741 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1742 rtype = sd_illegal;
1743 goto send_response;
1744 }
1745 }
1746
1747 last_state = sd->state;
1748 sd_set_mode(sd);
1749
1750 if (sd->expecting_acmd) {
1751 sd->expecting_acmd = false;
1752 rtype = sd_app_command(sd, *req);
1753 } else {
1754 rtype = sd_normal_command(sd, *req);
1755 }
1756
1757 if (rtype == sd_illegal) {
1758 sd->card_status |= ILLEGAL_COMMAND;
1759 } else {
1760 /* Valid command, we can update the 'state before command' bits.
1761 * (Do this now so they appear in r1 responses.)
1762 */
1763 sd->current_cmd = req->cmd;
1764 sd->card_status &= ~CURRENT_STATE;
1765 sd->card_status |= (last_state << 9);
1766 }
1767
1768 send_response:
1769 switch (rtype) {
1770 case sd_r1:
1771 case sd_r1b:
1772 sd_response_r1_make(sd, response);
1773 rsplen = 4;
1774 break;
1775
1776 case sd_r2_i:
1777 memcpy(response, sd->cid, sizeof(sd->cid));
1778 rsplen = 16;
1779 break;
1780
1781 case sd_r2_s:
1782 memcpy(response, sd->csd, sizeof(sd->csd));
1783 rsplen = 16;
1784 break;
1785
1786 case sd_r3:
1787 sd_response_r3_make(sd, response);
1788 rsplen = 4;
1789 break;
1790
1791 case sd_r6:
1792 sd_response_r6_make(sd, response);
1793 rsplen = 4;
1794 break;
1795
1796 case sd_r7:
1797 sd_response_r7_make(sd, response);
1798 rsplen = 4;
1799 break;
1800
1801 case sd_r0:
1802 case sd_illegal:
1803 rsplen = 0;
1804 break;
1805 default:
1806 g_assert_not_reached();
1807 }
1808 trace_sdcard_response(sd_response_name(rtype), rsplen);
1809
1810 if (rtype != sd_illegal) {
1811 /* Clear the "clear on valid command" status bits now we've
1812 * sent any response
1813 */
1814 sd->card_status &= ~CARD_STATUS_B;
1815 }
1816
1817 #ifdef DEBUG_SD
1818 qemu_hexdump(stderr, "Response", response, rsplen);
1819 #endif
1820
1821 return rsplen;
1822 }
1823
1824 void sd_write_byte(SDState *sd, uint8_t value)
1825 {
1826 int i;
1827
1828 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1829 return;
1830
1831 if (sd->state != sd_receivingdata_state) {
1832 qemu_log_mask(LOG_GUEST_ERROR,
1833 "%s: not in Receiving-Data state\n", __func__);
1834 return;
1835 }
1836
1837 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1838 return;
1839
1840 trace_sdcard_write_data(sd->proto_name,
1841 sd_acmd_name(sd->current_cmd),
1842 sd->current_cmd, value);
1843 switch (sd->current_cmd) {
1844 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1845 sd->data[sd->data_offset ++] = value;
1846 if (sd->data_offset >= sd->blk_len) {
1847 /* TODO: Check CRC before committing */
1848 sd->state = sd_programming_state;
1849 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1850 sd->blk_written ++;
1851 sd->csd[14] |= 0x40;
1852 /* Bzzzzzzztt .... Operation complete. */
1853 sd->state = sd_transfer_state;
1854 }
1855 break;
1856
1857 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1858 if (sd->data_offset == 0) {
1859 /* Start of the block - let's check the address is valid */
1860 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
1861 sd->data_start, sd->blk_len)) {
1862 break;
1863 }
1864 if (sd->size <= SDSC_MAX_CAPACITY) {
1865 if (sd_wp_addr(sd, sd->data_start)) {
1866 sd->card_status |= WP_VIOLATION;
1867 break;
1868 }
1869 }
1870 }
1871 sd->data[sd->data_offset++] = value;
1872 if (sd->data_offset >= sd->blk_len) {
1873 /* TODO: Check CRC before committing */
1874 sd->state = sd_programming_state;
1875 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1876 sd->blk_written++;
1877 sd->data_start += sd->blk_len;
1878 sd->data_offset = 0;
1879 sd->csd[14] |= 0x40;
1880
1881 /* Bzzzzzzztt .... Operation complete. */
1882 if (sd->multi_blk_cnt != 0) {
1883 if (--sd->multi_blk_cnt == 0) {
1884 /* Stop! */
1885 sd->state = sd_transfer_state;
1886 break;
1887 }
1888 }
1889
1890 sd->state = sd_receivingdata_state;
1891 }
1892 break;
1893
1894 case 26: /* CMD26: PROGRAM_CID */
1895 sd->data[sd->data_offset ++] = value;
1896 if (sd->data_offset >= sizeof(sd->cid)) {
1897 /* TODO: Check CRC before committing */
1898 sd->state = sd_programming_state;
1899 for (i = 0; i < sizeof(sd->cid); i ++)
1900 if ((sd->cid[i] | 0x00) != sd->data[i])
1901 sd->card_status |= CID_CSD_OVERWRITE;
1902
1903 if (!(sd->card_status & CID_CSD_OVERWRITE))
1904 for (i = 0; i < sizeof(sd->cid); i ++) {
1905 sd->cid[i] |= 0x00;
1906 sd->cid[i] &= sd->data[i];
1907 }
1908 /* Bzzzzzzztt .... Operation complete. */
1909 sd->state = sd_transfer_state;
1910 }
1911 break;
1912
1913 case 27: /* CMD27: PROGRAM_CSD */
1914 sd->data[sd->data_offset ++] = value;
1915 if (sd->data_offset >= sizeof(sd->csd)) {
1916 /* TODO: Check CRC before committing */
1917 sd->state = sd_programming_state;
1918 for (i = 0; i < sizeof(sd->csd); i ++)
1919 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1920 (sd->data[i] | sd_csd_rw_mask[i]))
1921 sd->card_status |= CID_CSD_OVERWRITE;
1922
1923 /* Copy flag (OTP) & Permanent write protect */
1924 if (sd->csd[14] & ~sd->data[14] & 0x60)
1925 sd->card_status |= CID_CSD_OVERWRITE;
1926
1927 if (!(sd->card_status & CID_CSD_OVERWRITE))
1928 for (i = 0; i < sizeof(sd->csd); i ++) {
1929 sd->csd[i] |= sd_csd_rw_mask[i];
1930 sd->csd[i] &= sd->data[i];
1931 }
1932 /* Bzzzzzzztt .... Operation complete. */
1933 sd->state = sd_transfer_state;
1934 }
1935 break;
1936
1937 case 42: /* CMD42: LOCK_UNLOCK */
1938 sd->data[sd->data_offset ++] = value;
1939 if (sd->data_offset >= sd->blk_len) {
1940 /* TODO: Check CRC before committing */
1941 sd->state = sd_programming_state;
1942 sd_lock_command(sd);
1943 /* Bzzzzzzztt .... Operation complete. */
1944 sd->state = sd_transfer_state;
1945 }
1946 break;
1947
1948 case 56: /* CMD56: GEN_CMD */
1949 sd->data[sd->data_offset ++] = value;
1950 if (sd->data_offset >= sd->blk_len) {
1951 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1952 sd->state = sd_transfer_state;
1953 }
1954 break;
1955
1956 default:
1957 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1958 break;
1959 }
1960 }
1961
1962 #define SD_TUNING_BLOCK_SIZE 64
1963
1964 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1965 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1966 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1967 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1968 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1969 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1970 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1971 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1972 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1973 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1974 };
1975
1976 uint8_t sd_read_byte(SDState *sd)
1977 {
1978 /* TODO: Append CRCs */
1979 uint8_t ret;
1980 uint32_t io_len;
1981
1982 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1983 return 0x00;
1984
1985 if (sd->state != sd_sendingdata_state) {
1986 qemu_log_mask(LOG_GUEST_ERROR,
1987 "%s: not in Sending-Data state\n", __func__);
1988 return 0x00;
1989 }
1990
1991 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1992 return 0x00;
1993
1994 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1995
1996 trace_sdcard_read_data(sd->proto_name,
1997 sd_acmd_name(sd->current_cmd),
1998 sd->current_cmd, io_len);
1999 switch (sd->current_cmd) {
2000 case 6: /* CMD6: SWITCH_FUNCTION */
2001 ret = sd->data[sd->data_offset ++];
2002
2003 if (sd->data_offset >= 64)
2004 sd->state = sd_transfer_state;
2005 break;
2006
2007 case 9: /* CMD9: SEND_CSD */
2008 case 10: /* CMD10: SEND_CID */
2009 ret = sd->data[sd->data_offset ++];
2010
2011 if (sd->data_offset >= 16)
2012 sd->state = sd_transfer_state;
2013 break;
2014
2015 case 13: /* ACMD13: SD_STATUS */
2016 ret = sd->sd_status[sd->data_offset ++];
2017
2018 if (sd->data_offset >= sizeof(sd->sd_status))
2019 sd->state = sd_transfer_state;
2020 break;
2021
2022 case 17: /* CMD17: READ_SINGLE_BLOCK */
2023 if (sd->data_offset == 0)
2024 BLK_READ_BLOCK(sd->data_start, io_len);
2025 ret = sd->data[sd->data_offset ++];
2026
2027 if (sd->data_offset >= io_len)
2028 sd->state = sd_transfer_state;
2029 break;
2030
2031 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2032 if (sd->data_offset == 0) {
2033 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2034 sd->data_start, io_len)) {
2035 return 0x00;
2036 }
2037 BLK_READ_BLOCK(sd->data_start, io_len);
2038 }
2039 ret = sd->data[sd->data_offset ++];
2040
2041 if (sd->data_offset >= io_len) {
2042 sd->data_start += io_len;
2043 sd->data_offset = 0;
2044
2045 if (sd->multi_blk_cnt != 0) {
2046 if (--sd->multi_blk_cnt == 0) {
2047 /* Stop! */
2048 sd->state = sd_transfer_state;
2049 break;
2050 }
2051 }
2052 }
2053 break;
2054
2055 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2056 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2057 sd->state = sd_transfer_state;
2058 }
2059 ret = sd_tuning_block_pattern[sd->data_offset++];
2060 break;
2061
2062 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2063 ret = sd->data[sd->data_offset ++];
2064
2065 if (sd->data_offset >= 4)
2066 sd->state = sd_transfer_state;
2067 break;
2068
2069 case 30: /* CMD30: SEND_WRITE_PROT */
2070 ret = sd->data[sd->data_offset ++];
2071
2072 if (sd->data_offset >= 4)
2073 sd->state = sd_transfer_state;
2074 break;
2075
2076 case 51: /* ACMD51: SEND_SCR */
2077 ret = sd->scr[sd->data_offset ++];
2078
2079 if (sd->data_offset >= sizeof(sd->scr))
2080 sd->state = sd_transfer_state;
2081 break;
2082
2083 case 56: /* CMD56: GEN_CMD */
2084 if (sd->data_offset == 0)
2085 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2086 ret = sd->data[sd->data_offset ++];
2087
2088 if (sd->data_offset >= sd->blk_len)
2089 sd->state = sd_transfer_state;
2090 break;
2091
2092 default:
2093 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2094 return 0x00;
2095 }
2096
2097 return ret;
2098 }
2099
2100 static bool sd_receive_ready(SDState *sd)
2101 {
2102 return sd->state == sd_receivingdata_state;
2103 }
2104
2105 static bool sd_data_ready(SDState *sd)
2106 {
2107 return sd->state == sd_sendingdata_state;
2108 }
2109
2110 void sd_enable(SDState *sd, bool enable)
2111 {
2112 sd->enable = enable;
2113 }
2114
2115 static void sd_instance_init(Object *obj)
2116 {
2117 SDState *sd = SD_CARD(obj);
2118
2119 sd->enable = true;
2120 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2121 }
2122
2123 static void sd_instance_finalize(Object *obj)
2124 {
2125 SDState *sd = SD_CARD(obj);
2126
2127 timer_free(sd->ocr_power_timer);
2128 }
2129
2130 static void sd_realize(DeviceState *dev, Error **errp)
2131 {
2132 SDState *sd = SD_CARD(dev);
2133 int ret;
2134
2135 sd->proto_name = sd->spi ? "SPI" : "SD";
2136
2137 switch (sd->spec_version) {
2138 case SD_PHY_SPECv1_10_VERS
2139 ... SD_PHY_SPECv3_01_VERS:
2140 break;
2141 default:
2142 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2143 return;
2144 }
2145
2146 if (sd->blk) {
2147 int64_t blk_size;
2148
2149 if (!blk_supports_write_perm(sd->blk)) {
2150 error_setg(errp, "Cannot use read-only drive as SD card");
2151 return;
2152 }
2153
2154 blk_size = blk_getlength(sd->blk);
2155 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2156 int64_t blk_size_aligned = pow2ceil(blk_size);
2157 char *blk_size_str;
2158
2159 blk_size_str = size_to_str(blk_size);
2160 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2161 g_free(blk_size_str);
2162
2163 blk_size_str = size_to_str(blk_size_aligned);
2164 error_append_hint(errp,
2165 "SD card size has to be a power of 2, e.g. %s.\n"
2166 "You can resize disk images with"
2167 " 'qemu-img resize <imagefile> <new-size>'\n"
2168 "(note that this will lose data if you make the"
2169 " image smaller than it currently is).\n",
2170 blk_size_str);
2171 g_free(blk_size_str);
2172
2173 return;
2174 }
2175
2176 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2177 BLK_PERM_ALL, errp);
2178 if (ret < 0) {
2179 return;
2180 }
2181 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2182 }
2183 }
2184
2185 static Property sd_properties[] = {
2186 DEFINE_PROP_UINT8("spec_version", SDState,
2187 spec_version, SD_PHY_SPECv2_00_VERS),
2188 DEFINE_PROP_DRIVE("drive", SDState, blk),
2189 /* We do not model the chip select pin, so allow the board to select
2190 * whether card should be in SSI or MMC/SD mode. It is also up to the
2191 * board to ensure that ssi transfers only occur when the chip select
2192 * is asserted. */
2193 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2194 DEFINE_PROP_END_OF_LIST()
2195 };
2196
2197 static void sd_class_init(ObjectClass *klass, void *data)
2198 {
2199 DeviceClass *dc = DEVICE_CLASS(klass);
2200 SDCardClass *sc = SD_CARD_CLASS(klass);
2201
2202 dc->realize = sd_realize;
2203 device_class_set_props(dc, sd_properties);
2204 dc->vmsd = &sd_vmstate;
2205 dc->reset = sd_reset;
2206 dc->bus_type = TYPE_SD_BUS;
2207 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2208
2209 sc->set_voltage = sd_set_voltage;
2210 sc->get_dat_lines = sd_get_dat_lines;
2211 sc->get_cmd_line = sd_get_cmd_line;
2212 sc->do_command = sd_do_command;
2213 sc->write_byte = sd_write_byte;
2214 sc->read_byte = sd_read_byte;
2215 sc->receive_ready = sd_receive_ready;
2216 sc->data_ready = sd_data_ready;
2217 sc->enable = sd_enable;
2218 sc->get_inserted = sd_get_inserted;
2219 sc->get_readonly = sd_get_readonly;
2220 }
2221
2222 static const TypeInfo sd_info = {
2223 .name = TYPE_SD_CARD,
2224 .parent = TYPE_DEVICE,
2225 .instance_size = sizeof(SDState),
2226 .class_size = sizeof(SDCardClass),
2227 .class_init = sd_class_init,
2228 .instance_init = sd_instance_init,
2229 .instance_finalize = sd_instance_finalize,
2230 };
2231
2232 static void sd_register_types(void)
2233 {
2234 type_register_static(&sd_info);
2235 }
2236
2237 type_init(sd_register_types)
QEmu