search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
qdev: Use returned bool to check for failure, Coccinelle part
[qemu/ar7.git] / hw / sd / sd.c
blob5137168d6611f71eb4ec1c3eb59e55ccffff6eb1
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "hw/irq.h"
36 #include "hw/registerfields.h"
37 #include "sysemu/block-backend.h"
38 #include "hw/sd/sd.h"
39 #include "migration/vmstate.h"
40 #include "qapi/error.h"
41 #include "qemu/bitmap.h"
42 #include "hw/qdev-properties.h"
43 #include "qemu/error-report.h"
44 #include "qemu/timer.h"
45 #include "qemu/log.h"
46 #include "qemu/module.h"
47 #include "sdmmc-internal.h"
48 #include "trace.h"
49
50 //#define DEBUG_SD 1
51
52 typedef enum {
53 sd_r0 = 0, /* no response */
54 sd_r1, /* normal response command */
55 sd_r2_i, /* CID register */
56 sd_r2_s, /* CSD register */
57 sd_r3, /* OCR register */
58 sd_r6 = 6, /* Published RCA response */
59 sd_r7, /* Operating voltage */
60 sd_r1b = -1,
61 sd_illegal = -2,
62 } sd_rsp_type_t;
63
64 enum SDCardModes {
65 sd_inactive,
66 sd_card_identification_mode,
67 sd_data_transfer_mode,
68 };
69
70 enum SDCardStates {
71 sd_inactive_state = -1,
72 sd_idle_state = 0,
73 sd_ready_state,
74 sd_identification_state,
75 sd_standby_state,
76 sd_transfer_state,
77 sd_sendingdata_state,
78 sd_receivingdata_state,
79 sd_programming_state,
80 sd_disconnect_state,
81 };
82
83 struct SDState {
84 DeviceState parent_obj;
85
86 /* If true, created by sd_init() for a non-qdevified caller */
87 /* TODO purge them with fire */
88 bool me_no_qdev_me_kill_mammoth_with_rocks;
89
90 /* SD Memory Card Registers */
91 uint32_t ocr;
92 uint8_t scr[8];
93 uint8_t cid[16];
94 uint8_t csd[16];
95 uint16_t rca;
96 uint32_t card_status;
97 uint8_t sd_status[64];
98
99 /* Configurable properties */
100 uint8_t spec_version;
101 BlockBackend *blk;
102 bool spi;
103
104 uint32_t mode; /* current card mode, one of SDCardModes */
105 int32_t state; /* current card state, one of SDCardStates */
106 uint32_t vhs;
107 bool wp_switch;
108 unsigned long *wp_groups;
109 int32_t wpgrps_size;
110 uint64_t size;
111 uint32_t blk_len;
112 uint32_t multi_blk_cnt;
113 uint32_t erase_start;
114 uint32_t erase_end;
115 uint8_t pwd[16];
116 uint32_t pwd_len;
117 uint8_t function_group[6];
118 uint8_t current_cmd;
119 /* True if we will handle the next command as an ACMD. Note that this does
120 * *not* track the APP_CMD status bit!
121 */
122 bool expecting_acmd;
123 uint32_t blk_written;
124 uint64_t data_start;
125 uint32_t data_offset;
126 uint8_t data[512];
127 qemu_irq readonly_cb;
128 qemu_irq inserted_cb;
129 QEMUTimer *ocr_power_timer;
130 const char *proto_name;
131 bool enable;
132 uint8_t dat_lines;
133 bool cmd_line;
134 };
135
136 static void sd_realize(DeviceState *dev, Error **errp);
137
138 static const char *sd_state_name(enum SDCardStates state)
139 {
140 static const char *state_name[] = {
141 [sd_idle_state] = "idle",
142 [sd_ready_state] = "ready",
143 [sd_identification_state] = "identification",
144 [sd_standby_state] = "standby",
145 [sd_transfer_state] = "transfer",
146 [sd_sendingdata_state] = "sendingdata",
147 [sd_receivingdata_state] = "receivingdata",
148 [sd_programming_state] = "programming",
149 [sd_disconnect_state] = "disconnect",
150 };
151 if (state == sd_inactive_state) {
152 return "inactive";
153 }
154 assert(state < ARRAY_SIZE(state_name));
155 return state_name[state];
156 }
157
158 static const char *sd_response_name(sd_rsp_type_t rsp)
159 {
160 static const char *response_name[] = {
161 [sd_r0] = "RESP#0 (no response)",
162 [sd_r1] = "RESP#1 (normal cmd)",
163 [sd_r2_i] = "RESP#2 (CID reg)",
164 [sd_r2_s] = "RESP#2 (CSD reg)",
165 [sd_r3] = "RESP#3 (OCR reg)",
166 [sd_r6] = "RESP#6 (RCA)",
167 [sd_r7] = "RESP#7 (operating voltage)",
168 };
169 if (rsp == sd_illegal) {
170 return "ILLEGAL RESP";
171 }
172 if (rsp == sd_r1b) {
173 rsp = sd_r1;
174 }
175 assert(rsp < ARRAY_SIZE(response_name));
176 return response_name[rsp];
177 }
178
179 static uint8_t sd_get_dat_lines(SDState *sd)
180 {
181 return sd->enable ? sd->dat_lines : 0;
182 }
183
184 static bool sd_get_cmd_line(SDState *sd)
185 {
186 return sd->enable ? sd->cmd_line : false;
187 }
188
189 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
190 {
191 trace_sdcard_set_voltage(millivolts);
192
193 switch (millivolts) {
194 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
195 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
196 break;
197 default:
198 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
199 millivolts / 1000.f);
200 }
201 }
202
203 static void sd_set_mode(SDState *sd)
204 {
205 switch (sd->state) {
206 case sd_inactive_state:
207 sd->mode = sd_inactive;
208 break;
209
210 case sd_idle_state:
211 case sd_ready_state:
212 case sd_identification_state:
213 sd->mode = sd_card_identification_mode;
214 break;
215
216 case sd_standby_state:
217 case sd_transfer_state:
218 case sd_sendingdata_state:
219 case sd_receivingdata_state:
220 case sd_programming_state:
221 case sd_disconnect_state:
222 sd->mode = sd_data_transfer_mode;
223 break;
224 }
225 }
226
227 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
228 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
229 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
230 /* 16 */
231 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
232 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
233 /* 32 */
234 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
235 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
236 /* 48 */
237 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
238 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
239 };
240
241 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
242 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
243 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
244 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
245 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
246 };
247
248 static uint8_t sd_crc7(void *message, size_t width)
249 {
250 int i, bit;
251 uint8_t shift_reg = 0x00;
252 uint8_t *msg = (uint8_t *) message;
253
254 for (i = 0; i < width; i ++, msg ++)
255 for (bit = 7; bit >= 0; bit --) {
256 shift_reg <<= 1;
257 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
258 shift_reg ^= 0x89;
259 }
260
261 return shift_reg;
262 }
263
264 static uint16_t sd_crc16(void *message, size_t width)
265 {
266 int i, bit;
267 uint16_t shift_reg = 0x0000;
268 uint16_t *msg = (uint16_t *) message;
269 width <<= 1;
270
271 for (i = 0; i < width; i ++, msg ++)
272 for (bit = 15; bit >= 0; bit --) {
273 shift_reg <<= 1;
274 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
275 shift_reg ^= 0x1011;
276 }
277
278 return shift_reg;
279 }
280
281 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
282
283 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
284 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
285 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
286 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
287 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
288 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
289 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
290 FIELD(OCR, CARD_POWER_UP, 31, 1)
291
292 #define ACMD41_ENQUIRY_MASK 0x00ffffff
293 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
294 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
295 | R_OCR_UHS_II_CARD_MASK \
296 | R_OCR_CARD_CAPACITY_MASK \
297 | R_OCR_CARD_POWER_UP_MASK)
298
299 static void sd_set_ocr(SDState *sd)
300 {
301 /* All voltages OK */
302 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
303 }
304
305 static void sd_ocr_powerup(void *opaque)
306 {
307 SDState *sd = opaque;
308
309 trace_sdcard_powerup();
310 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
311
312 /* card power-up OK */
313 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
314
315 if (sd->size > 1 * GiB) {
316 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
317 }
318 }
319
320 static void sd_set_scr(SDState *sd)
321 {
322 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
323 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
324 sd->scr[0] |= 1; /* Spec Version 1.10 */
325 } else {
326 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
327 }
328 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
329 | 0b0101; /* 1-bit or 4-bit width bus modes */
330 sd->scr[2] = 0x00; /* Extended Security is not supported. */
331 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
332 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
333 }
334 sd->scr[3] = 0x00;
335 /* reserved for manufacturer usage */
336 sd->scr[4] = 0x00;
337 sd->scr[5] = 0x00;
338 sd->scr[6] = 0x00;
339 sd->scr[7] = 0x00;
340 }
341
342 #define MID 0xaa
343 #define OID "XY"
344 #define PNM "QEMU!"
345 #define PRV 0x01
346 #define MDT_YR 2006
347 #define MDT_MON 2
348
349 static void sd_set_cid(SDState *sd)
350 {
351 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
352 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
353 sd->cid[2] = OID[1];
354 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
355 sd->cid[4] = PNM[1];
356 sd->cid[5] = PNM[2];
357 sd->cid[6] = PNM[3];
358 sd->cid[7] = PNM[4];
359 sd->cid[8] = PRV; /* Fake product revision (PRV) */
360 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
361 sd->cid[10] = 0xad;
362 sd->cid[11] = 0xbe;
363 sd->cid[12] = 0xef;
364 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
365 ((MDT_YR - 2000) / 10);
366 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
367 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
368 }
369
370 #define HWBLOCK_SHIFT 9 /* 512 bytes */
371 #define SECTOR_SHIFT 5 /* 16 kilobytes */
372 #define WPGROUP_SHIFT 7 /* 2 megs */
373 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
374 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
375
376 static const uint8_t sd_csd_rw_mask[16] = {
377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
379 };
380
381 static void sd_set_csd(SDState *sd, uint64_t size)
382 {
383 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
384 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
385 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
386
387 if (size <= 1 * GiB) { /* Standard Capacity SD */
388 sd->csd[0] = 0x00; /* CSD structure */
389 sd->csd[1] = 0x26; /* Data read access-time-1 */
390 sd->csd[2] = 0x00; /* Data read access-time-2 */
391 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
392 sd->csd[4] = 0x5f; /* Card Command Classes */
393 sd->csd[5] = 0x50 | /* Max. read data block length */
394 HWBLOCK_SHIFT;
395 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
396 ((csize >> 10) & 0x03);
397 sd->csd[7] = 0x00 | /* Device size */
398 ((csize >> 2) & 0xff);
399 sd->csd[8] = 0x3f | /* Max. read current */
400 ((csize << 6) & 0xc0);
401 sd->csd[9] = 0xfc | /* Max. write current */
402 ((CMULT_SHIFT - 2) >> 1);
403 sd->csd[10] = 0x40 | /* Erase sector size */
404 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
405 sd->csd[11] = 0x00 | /* Write protect group size */
406 ((sectsize << 7) & 0x80) | wpsize;
407 sd->csd[12] = 0x90 | /* Write speed factor */
408 (HWBLOCK_SHIFT >> 2);
409 sd->csd[13] = 0x20 | /* Max. write data block length */
410 ((HWBLOCK_SHIFT << 6) & 0xc0);
411 sd->csd[14] = 0x00; /* File format group */
412 } else { /* SDHC */
413 size /= 512 * KiB;
414 size -= 1;
415 sd->csd[0] = 0x40;
416 sd->csd[1] = 0x0e;
417 sd->csd[2] = 0x00;
418 sd->csd[3] = 0x32;
419 sd->csd[4] = 0x5b;
420 sd->csd[5] = 0x59;
421 sd->csd[6] = 0x00;
422 sd->csd[7] = (size >> 16) & 0xff;
423 sd->csd[8] = (size >> 8) & 0xff;
424 sd->csd[9] = (size & 0xff);
425 sd->csd[10] = 0x7f;
426 sd->csd[11] = 0x80;
427 sd->csd[12] = 0x0a;
428 sd->csd[13] = 0x40;
429 sd->csd[14] = 0x00;
430 }
431 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
432 }
433
434 static void sd_set_rca(SDState *sd)
435 {
436 sd->rca += 0x4567;
437 }
438
439 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
440 FIELD(CSR, APP_CMD, 5, 1)
441 FIELD(CSR, FX_EVENT, 6, 1)
442 FIELD(CSR, READY_FOR_DATA, 8, 1)
443 FIELD(CSR, CURRENT_STATE, 9, 4)
444 FIELD(CSR, ERASE_RESET, 13, 1)
445 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
446 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
447 FIELD(CSR, CSD_OVERWRITE, 16, 1)
448 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
449 FIELD(CSR, ERROR, 19, 1)
450 FIELD(CSR, CC_ERROR, 20, 1)
451 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
452 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
453 FIELD(CSR, COM_CRC_ERROR, 23, 1)
454 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
455 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
456 FIELD(CSR, WP_VIOLATION, 26, 1)
457 FIELD(CSR, ERASE_PARAM, 27, 1)
458 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
459 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
460 FIELD(CSR, ADDRESS_ERROR, 30, 1)
461 FIELD(CSR, OUT_OF_RANGE, 31, 1)
462
463 /* Card status bits, split by clear condition:
464 * A : According to the card current state
465 * B : Always related to the previous command
466 * C : Cleared by read
467 */
468 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
469 | R_CSR_CARD_ECC_DISABLED_MASK \
470 | R_CSR_CARD_IS_LOCKED_MASK)
471 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
472 | R_CSR_ILLEGAL_COMMAND_MASK \
473 | R_CSR_COM_CRC_ERROR_MASK)
474 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
475 | R_CSR_APP_CMD_MASK \
476 | R_CSR_ERASE_RESET_MASK \
477 | R_CSR_WP_ERASE_SKIP_MASK \
478 | R_CSR_CSD_OVERWRITE_MASK \
479 | R_CSR_ERROR_MASK \
480 | R_CSR_CC_ERROR_MASK \
481 | R_CSR_CARD_ECC_FAILED_MASK \
482 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
483 | R_CSR_WP_VIOLATION_MASK \
484 | R_CSR_ERASE_PARAM_MASK \
485 | R_CSR_ERASE_SEQ_ERROR_MASK \
486 | R_CSR_BLOCK_LEN_ERROR_MASK \
487 | R_CSR_ADDRESS_ERROR_MASK \
488 | R_CSR_OUT_OF_RANGE_MASK)
489
490 static void sd_set_cardstatus(SDState *sd)
491 {
492 sd->card_status = 0x00000100;
493 }
494
495 static void sd_set_sdstatus(SDState *sd)
496 {
497 memset(sd->sd_status, 0, 64);
498 }
499
500 static int sd_req_crc_validate(SDRequest *req)
501 {
502 uint8_t buffer[5];
503 buffer[0] = 0x40 | req->cmd;
504 stl_be_p(&buffer[1], req->arg);
505 return 0;
506 return sd_crc7(buffer, 5) != req->crc; /* TODO */
507 }
508
509 static void sd_response_r1_make(SDState *sd, uint8_t *response)
510 {
511 stl_be_p(response, sd->card_status);
512
513 /* Clear the "clear on read" status bits */
514 sd->card_status &= ~CARD_STATUS_C;
515 }
516
517 static void sd_response_r3_make(SDState *sd, uint8_t *response)
518 {
519 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
520 }
521
522 static void sd_response_r6_make(SDState *sd, uint8_t *response)
523 {
524 uint16_t status;
525
526 status = ((sd->card_status >> 8) & 0xc000) |
527 ((sd->card_status >> 6) & 0x2000) |
528 (sd->card_status & 0x1fff);
529 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
530 stw_be_p(response + 0, sd->rca);
531 stw_be_p(response + 2, status);
532 }
533
534 static void sd_response_r7_make(SDState *sd, uint8_t *response)
535 {
536 stl_be_p(response, sd->vhs);
537 }
538
539 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
540 {
541 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
542 }
543
544 static void sd_reset(DeviceState *dev)
545 {
546 SDState *sd = SD_CARD(dev);
547 uint64_t size;
548 uint64_t sect;
549
550 trace_sdcard_reset();
551 if (sd->blk) {
552 blk_get_geometry(sd->blk, &sect);
553 } else {
554 sect = 0;
555 }
556 size = sect << 9;
557
558 sect = sd_addr_to_wpnum(size) + 1;
559
560 sd->state = sd_idle_state;
561 sd->rca = 0x0000;
562 sd_set_ocr(sd);
563 sd_set_scr(sd);
564 sd_set_cid(sd);
565 sd_set_csd(sd, size);
566 sd_set_cardstatus(sd);
567 sd_set_sdstatus(sd);
568
569 g_free(sd->wp_groups);
570 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
571 sd->wpgrps_size = sect;
572 sd->wp_groups = bitmap_new(sd->wpgrps_size);
573 memset(sd->function_group, 0, sizeof(sd->function_group));
574 sd->erase_start = 0;
575 sd->erase_end = 0;
576 sd->size = size;
577 sd->blk_len = 0x200;
578 sd->pwd_len = 0;
579 sd->expecting_acmd = false;
580 sd->dat_lines = 0xf;
581 sd->cmd_line = true;
582 sd->multi_blk_cnt = 0;
583 }
584
585 static bool sd_get_inserted(SDState *sd)
586 {
587 return sd->blk && blk_is_inserted(sd->blk);
588 }
589
590 static bool sd_get_readonly(SDState *sd)
591 {
592 return sd->wp_switch;
593 }
594
595 static void sd_cardchange(void *opaque, bool load, Error **errp)
596 {
597 SDState *sd = opaque;
598 DeviceState *dev = DEVICE(sd);
599 SDBus *sdbus;
600 bool inserted = sd_get_inserted(sd);
601 bool readonly = sd_get_readonly(sd);
602
603 if (inserted) {
604 trace_sdcard_inserted(readonly);
605 sd_reset(dev);
606 } else {
607 trace_sdcard_ejected();
608 }
609
610 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
611 qemu_set_irq(sd->inserted_cb, inserted);
612 if (inserted) {
613 qemu_set_irq(sd->readonly_cb, readonly);
614 }
615 } else {
616 sdbus = SD_BUS(qdev_get_parent_bus(dev));
617 sdbus_set_inserted(sdbus, inserted);
618 if (inserted) {
619 sdbus_set_readonly(sdbus, readonly);
620 }
621 }
622 }
623
624 static const BlockDevOps sd_block_ops = {
625 .change_media_cb = sd_cardchange,
626 };
627
628 static bool sd_ocr_vmstate_needed(void *opaque)
629 {
630 SDState *sd = opaque;
631
632 /* Include the OCR state (and timer) if it is not yet powered up */
633 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
634 }
635
636 static const VMStateDescription sd_ocr_vmstate = {
637 .name = "sd-card/ocr-state",
638 .version_id = 1,
639 .minimum_version_id = 1,
640 .needed = sd_ocr_vmstate_needed,
641 .fields = (VMStateField[]) {
642 VMSTATE_UINT32(ocr, SDState),
643 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
644 VMSTATE_END_OF_LIST()
645 },
646 };
647
648 static int sd_vmstate_pre_load(void *opaque)
649 {
650 SDState *sd = opaque;
651
652 /* If the OCR state is not included (prior versions, or not
653 * needed), then the OCR must be set as powered up. If the OCR state
654 * is included, this will be replaced by the state restore.
655 */
656 sd_ocr_powerup(sd);
657
658 return 0;
659 }
660
661 static const VMStateDescription sd_vmstate = {
662 .name = "sd-card",
663 .version_id = 1,
664 .minimum_version_id = 1,
665 .pre_load = sd_vmstate_pre_load,
666 .fields = (VMStateField[]) {
667 VMSTATE_UINT32(mode, SDState),
668 VMSTATE_INT32(state, SDState),
669 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
670 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
671 VMSTATE_UINT16(rca, SDState),
672 VMSTATE_UINT32(card_status, SDState),
673 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
674 VMSTATE_UINT32(vhs, SDState),
675 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
676 VMSTATE_UINT32(blk_len, SDState),
677 VMSTATE_UINT32(multi_blk_cnt, SDState),
678 VMSTATE_UINT32(erase_start, SDState),
679 VMSTATE_UINT32(erase_end, SDState),
680 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
681 VMSTATE_UINT32(pwd_len, SDState),
682 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
683 VMSTATE_UINT8(current_cmd, SDState),
684 VMSTATE_BOOL(expecting_acmd, SDState),
685 VMSTATE_UINT32(blk_written, SDState),
686 VMSTATE_UINT64(data_start, SDState),
687 VMSTATE_UINT32(data_offset, SDState),
688 VMSTATE_UINT8_ARRAY(data, SDState, 512),
689 VMSTATE_UNUSED_V(1, 512),
690 VMSTATE_BOOL(enable, SDState),
691 VMSTATE_END_OF_LIST()
692 },
693 .subsections = (const VMStateDescription*[]) {
694 &sd_ocr_vmstate,
695 NULL
696 },
697 };
698
699 /* Legacy initialization function for use by non-qdevified callers */
700 SDState *sd_init(BlockBackend *blk, bool is_spi)
701 {
702 Object *obj;
703 DeviceState *dev;
704 SDState *sd;
705 Error *err = NULL;
706
707 obj = object_new(TYPE_SD_CARD);
708 dev = DEVICE(obj);
709 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
710 error_reportf_err(err, "sd_init failed: ");
711 return NULL;
712 }
713 qdev_prop_set_bit(dev, "spi", is_spi);
714
715 /*
716 * Realizing the device properly would put it into the QOM
717 * composition tree even though it is not plugged into an
718 * appropriate bus. That's a no-no. Hide the device from
719 * QOM/qdev, and call its qdev realize callback directly.
720 */
721 object_ref(obj);
722 object_unparent(obj);
723 sd_realize(dev, &err);
724 if (err) {
725 error_reportf_err(err, "sd_init failed: ");
726 return NULL;
727 }
728
729 sd = SD_CARD(dev);
730 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
731 return sd;
732 }
733
734 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
735 {
736 sd->readonly_cb = readonly;
737 sd->inserted_cb = insert;
738 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
739 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
740 }
741
742 static void sd_erase(SDState *sd)
743 {
744 int i;
745 uint64_t erase_start = sd->erase_start;
746 uint64_t erase_end = sd->erase_end;
747
748 trace_sdcard_erase();
749 if (!sd->erase_start || !sd->erase_end) {
750 sd->card_status |= ERASE_SEQ_ERROR;
751 return;
752 }
753
754 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
755 /* High capacity memory card: erase units are 512 byte blocks */
756 erase_start *= 512;
757 erase_end *= 512;
758 }
759
760 erase_start = sd_addr_to_wpnum(erase_start);
761 erase_end = sd_addr_to_wpnum(erase_end);
762 sd->erase_start = 0;
763 sd->erase_end = 0;
764 sd->csd[14] |= 0x40;
765
766 for (i = erase_start; i <= erase_end; i++) {
767 if (test_bit(i, sd->wp_groups)) {
768 sd->card_status |= WP_ERASE_SKIP;
769 }
770 }
771 }
772
773 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
774 {
775 uint32_t i, wpnum;
776 uint32_t ret = 0;
777
778 wpnum = sd_addr_to_wpnum(addr);
779
780 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
781 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
782 ret |= (1 << i);
783 }
784 }
785
786 return ret;
787 }
788
789 static void sd_function_switch(SDState *sd, uint32_t arg)
790 {
791 int i, mode, new_func;
792 mode = !!(arg & 0x80000000);
793
794 sd->data[0] = 0x00; /* Maximum current consumption */
795 sd->data[1] = 0x01;
796 sd->data[2] = 0x80; /* Supported group 6 functions */
797 sd->data[3] = 0x01;
798 sd->data[4] = 0x80; /* Supported group 5 functions */
799 sd->data[5] = 0x01;
800 sd->data[6] = 0x80; /* Supported group 4 functions */
801 sd->data[7] = 0x01;
802 sd->data[8] = 0x80; /* Supported group 3 functions */
803 sd->data[9] = 0x01;
804 sd->data[10] = 0x80; /* Supported group 2 functions */
805 sd->data[11] = 0x43;
806 sd->data[12] = 0x80; /* Supported group 1 functions */
807 sd->data[13] = 0x03;
808 for (i = 0; i < 6; i ++) {
809 new_func = (arg >> (i * 4)) & 0x0f;
810 if (mode && new_func != 0x0f)
811 sd->function_group[i] = new_func;
812 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
813 }
814 memset(&sd->data[17], 0, 47);
815 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
816 }
817
818 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
819 {
820 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
821 }
822
823 static void sd_lock_command(SDState *sd)
824 {
825 int erase, lock, clr_pwd, set_pwd, pwd_len;
826 erase = !!(sd->data[0] & 0x08);
827 lock = sd->data[0] & 0x04;
828 clr_pwd = sd->data[0] & 0x02;
829 set_pwd = sd->data[0] & 0x01;
830
831 if (sd->blk_len > 1)
832 pwd_len = sd->data[1];
833 else
834 pwd_len = 0;
835
836 if (lock) {
837 trace_sdcard_lock();
838 } else {
839 trace_sdcard_unlock();
840 }
841 if (erase) {
842 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
843 set_pwd || clr_pwd || lock || sd->wp_switch ||
844 (sd->csd[14] & 0x20)) {
845 sd->card_status |= LOCK_UNLOCK_FAILED;
846 return;
847 }
848 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
849 sd->csd[14] &= ~0x10;
850 sd->card_status &= ~CARD_IS_LOCKED;
851 sd->pwd_len = 0;
852 /* Erasing the entire card here! */
853 fprintf(stderr, "SD: Card force-erased by CMD42\n");
854 return;
855 }
856
857 if (sd->blk_len < 2 + pwd_len ||
858 pwd_len <= sd->pwd_len ||
859 pwd_len > sd->pwd_len + 16) {
860 sd->card_status |= LOCK_UNLOCK_FAILED;
861 return;
862 }
863
864 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
865 sd->card_status |= LOCK_UNLOCK_FAILED;
866 return;
867 }
868
869 pwd_len -= sd->pwd_len;
870 if ((pwd_len && !set_pwd) ||
871 (clr_pwd && (set_pwd || lock)) ||
872 (lock && !sd->pwd_len && !set_pwd) ||
873 (!set_pwd && !clr_pwd &&
874 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
875 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
876 sd->card_status |= LOCK_UNLOCK_FAILED;
877 return;
878 }
879
880 if (set_pwd) {
881 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
882 sd->pwd_len = pwd_len;
883 }
884
885 if (clr_pwd) {
886 sd->pwd_len = 0;
887 }
888
889 if (lock)
890 sd->card_status |= CARD_IS_LOCKED;
891 else
892 sd->card_status &= ~CARD_IS_LOCKED;
893 }
894
895 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
896 {
897 uint32_t rca = 0x0000;
898 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
899
900 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
901 * However there is no ACMD55, so we want to trace this particular case.
902 */
903 if (req.cmd != 55 || sd->expecting_acmd) {
904 trace_sdcard_normal_command(sd->proto_name,
905 sd_cmd_name(req.cmd), req.cmd,
906 req.arg, sd_state_name(sd->state));
907 }
908
909 /* Not interpreting this as an app command */
910 sd->card_status &= ~APP_CMD;
911
912 if (sd_cmd_type[req.cmd] == sd_ac
913 || sd_cmd_type[req.cmd] == sd_adtc) {
914 rca = req.arg >> 16;
915 }
916
917 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
918 * if not, its effects are cancelled */
919 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
920 sd->multi_blk_cnt = 0;
921 }
922
923 switch (req.cmd) {
924 /* Basic commands (Class 0 and Class 1) */
925 case 0: /* CMD0: GO_IDLE_STATE */
926 switch (sd->state) {
927 case sd_inactive_state:
928 return sd->spi ? sd_r1 : sd_r0;
929
930 default:
931 sd->state = sd_idle_state;
932 sd_reset(DEVICE(sd));
933 return sd->spi ? sd_r1 : sd_r0;
934 }
935 break;
936
937 case 1: /* CMD1: SEND_OP_CMD */
938 if (!sd->spi)
939 goto bad_cmd;
940
941 sd->state = sd_transfer_state;
942 return sd_r1;
943
944 case 2: /* CMD2: ALL_SEND_CID */
945 if (sd->spi)
946 goto bad_cmd;
947 switch (sd->state) {
948 case sd_ready_state:
949 sd->state = sd_identification_state;
950 return sd_r2_i;
951
952 default:
953 break;
954 }
955 break;
956
957 case 3: /* CMD3: SEND_RELATIVE_ADDR */
958 if (sd->spi)
959 goto bad_cmd;
960 switch (sd->state) {
961 case sd_identification_state:
962 case sd_standby_state:
963 sd->state = sd_standby_state;
964 sd_set_rca(sd);
965 return sd_r6;
966
967 default:
968 break;
969 }
970 break;
971
972 case 4: /* CMD4: SEND_DSR */
973 if (sd->spi)
974 goto bad_cmd;
975 switch (sd->state) {
976 case sd_standby_state:
977 break;
978
979 default:
980 break;
981 }
982 break;
983
984 case 5: /* CMD5: reserved for SDIO cards */
985 return sd_illegal;
986
987 case 6: /* CMD6: SWITCH_FUNCTION */
988 switch (sd->mode) {
989 case sd_data_transfer_mode:
990 sd_function_switch(sd, req.arg);
991 sd->state = sd_sendingdata_state;
992 sd->data_start = 0;
993 sd->data_offset = 0;
994 return sd_r1;
995
996 default:
997 break;
998 }
999 break;
1000
1001 case 7: /* CMD7: SELECT/DESELECT_CARD */
1002 if (sd->spi)
1003 goto bad_cmd;
1004 switch (sd->state) {
1005 case sd_standby_state:
1006 if (sd->rca != rca)
1007 return sd_r0;
1008
1009 sd->state = sd_transfer_state;
1010 return sd_r1b;
1011
1012 case sd_transfer_state:
1013 case sd_sendingdata_state:
1014 if (sd->rca == rca)
1015 break;
1016
1017 sd->state = sd_standby_state;
1018 return sd_r1b;
1019
1020 case sd_disconnect_state:
1021 if (sd->rca != rca)
1022 return sd_r0;
1023
1024 sd->state = sd_programming_state;
1025 return sd_r1b;
1026
1027 case sd_programming_state:
1028 if (sd->rca == rca)
1029 break;
1030
1031 sd->state = sd_disconnect_state;
1032 return sd_r1b;
1033
1034 default:
1035 break;
1036 }
1037 break;
1038
1039 case 8: /* CMD8: SEND_IF_COND */
1040 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1041 break;
1042 }
1043 if (sd->state != sd_idle_state) {
1044 break;
1045 }
1046 sd->vhs = 0;
1047
1048 /* No response if not exactly one VHS bit is set. */
1049 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1050 return sd->spi ? sd_r7 : sd_r0;
1051 }
1052
1053 /* Accept. */
1054 sd->vhs = req.arg;
1055 return sd_r7;
1056
1057 case 9: /* CMD9: SEND_CSD */
1058 switch (sd->state) {
1059 case sd_standby_state:
1060 if (sd->rca != rca)
1061 return sd_r0;
1062
1063 return sd_r2_s;
1064
1065 case sd_transfer_state:
1066 if (!sd->spi)
1067 break;
1068 sd->state = sd_sendingdata_state;
1069 memcpy(sd->data, sd->csd, 16);
1070 sd->data_start = addr;
1071 sd->data_offset = 0;
1072 return sd_r1;
1073
1074 default:
1075 break;
1076 }
1077 break;
1078
1079 case 10: /* CMD10: SEND_CID */
1080 switch (sd->state) {
1081 case sd_standby_state:
1082 if (sd->rca != rca)
1083 return sd_r0;
1084
1085 return sd_r2_i;
1086
1087 case sd_transfer_state:
1088 if (!sd->spi)
1089 break;
1090 sd->state = sd_sendingdata_state;
1091 memcpy(sd->data, sd->cid, 16);
1092 sd->data_start = addr;
1093 sd->data_offset = 0;
1094 return sd_r1;
1095
1096 default:
1097 break;
1098 }
1099 break;
1100
1101 case 12: /* CMD12: STOP_TRANSMISSION */
1102 switch (sd->state) {
1103 case sd_sendingdata_state:
1104 sd->state = sd_transfer_state;
1105 return sd_r1b;
1106
1107 case sd_receivingdata_state:
1108 sd->state = sd_programming_state;
1109 /* Bzzzzzzztt .... Operation complete. */
1110 sd->state = sd_transfer_state;
1111 return sd_r1b;
1112
1113 default:
1114 break;
1115 }
1116 break;
1117
1118 case 13: /* CMD13: SEND_STATUS */
1119 switch (sd->mode) {
1120 case sd_data_transfer_mode:
1121 if (sd->rca != rca)
1122 return sd_r0;
1123
1124 return sd_r1;
1125
1126 default:
1127 break;
1128 }
1129 break;
1130
1131 case 15: /* CMD15: GO_INACTIVE_STATE */
1132 if (sd->spi)
1133 goto bad_cmd;
1134 switch (sd->mode) {
1135 case sd_data_transfer_mode:
1136 if (sd->rca != rca)
1137 return sd_r0;
1138
1139 sd->state = sd_inactive_state;
1140 return sd_r0;
1141
1142 default:
1143 break;
1144 }
1145 break;
1146
1147 /* Block read commands (Classs 2) */
1148 case 16: /* CMD16: SET_BLOCKLEN */
1149 switch (sd->state) {
1150 case sd_transfer_state:
1151 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1152 sd->card_status |= BLOCK_LEN_ERROR;
1153 } else {
1154 trace_sdcard_set_blocklen(req.arg);
1155 sd->blk_len = req.arg;
1156 }
1157
1158 return sd_r1;
1159
1160 default:
1161 break;
1162 }
1163 break;
1164
1165 case 17: /* CMD17: READ_SINGLE_BLOCK */
1166 switch (sd->state) {
1167 case sd_transfer_state:
1168 sd->state = sd_sendingdata_state;
1169 sd->data_start = addr;
1170 sd->data_offset = 0;
1171
1172 if (sd->data_start + sd->blk_len > sd->size)
1173 sd->card_status |= ADDRESS_ERROR;
1174 return sd_r1;
1175
1176 default:
1177 break;
1178 }
1179 break;
1180
1181 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1182 switch (sd->state) {
1183 case sd_transfer_state:
1184 sd->state = sd_sendingdata_state;
1185 sd->data_start = addr;
1186 sd->data_offset = 0;
1187
1188 if (sd->data_start + sd->blk_len > sd->size)
1189 sd->card_status |= ADDRESS_ERROR;
1190 return sd_r1;
1191
1192 default:
1193 break;
1194 }
1195 break;
1196
1197 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1198 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1199 break;
1200 }
1201 if (sd->state == sd_transfer_state) {
1202 sd->state = sd_sendingdata_state;
1203 sd->data_offset = 0;
1204 return sd_r1;
1205 }
1206 break;
1207
1208 case 23: /* CMD23: SET_BLOCK_COUNT */
1209 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1210 break;
1211 }
1212 switch (sd->state) {
1213 case sd_transfer_state:
1214 sd->multi_blk_cnt = req.arg;
1215 return sd_r1;
1216
1217 default:
1218 break;
1219 }
1220 break;
1221
1222 /* Block write commands (Class 4) */
1223 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1224 switch (sd->state) {
1225 case sd_transfer_state:
1226 /* Writing in SPI mode not implemented. */
1227 if (sd->spi)
1228 break;
1229 sd->state = sd_receivingdata_state;
1230 sd->data_start = addr;
1231 sd->data_offset = 0;
1232 sd->blk_written = 0;
1233
1234 if (sd->data_start + sd->blk_len > sd->size)
1235 sd->card_status |= ADDRESS_ERROR;
1236 if (sd_wp_addr(sd, sd->data_start))
1237 sd->card_status |= WP_VIOLATION;
1238 if (sd->csd[14] & 0x30)
1239 sd->card_status |= WP_VIOLATION;
1240 return sd_r1;
1241
1242 default:
1243 break;
1244 }
1245 break;
1246
1247 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1248 switch (sd->state) {
1249 case sd_transfer_state:
1250 /* Writing in SPI mode not implemented. */
1251 if (sd->spi)
1252 break;
1253 sd->state = sd_receivingdata_state;
1254 sd->data_start = addr;
1255 sd->data_offset = 0;
1256 sd->blk_written = 0;
1257
1258 if (sd->data_start + sd->blk_len > sd->size)
1259 sd->card_status |= ADDRESS_ERROR;
1260 if (sd_wp_addr(sd, sd->data_start))
1261 sd->card_status |= WP_VIOLATION;
1262 if (sd->csd[14] & 0x30)
1263 sd->card_status |= WP_VIOLATION;
1264 return sd_r1;
1265
1266 default:
1267 break;
1268 }
1269 break;
1270
1271 case 26: /* CMD26: PROGRAM_CID */
1272 if (sd->spi)
1273 goto bad_cmd;
1274 switch (sd->state) {
1275 case sd_transfer_state:
1276 sd->state = sd_receivingdata_state;
1277 sd->data_start = 0;
1278 sd->data_offset = 0;
1279 return sd_r1;
1280
1281 default:
1282 break;
1283 }
1284 break;
1285
1286 case 27: /* CMD27: PROGRAM_CSD */
1287 switch (sd->state) {
1288 case sd_transfer_state:
1289 sd->state = sd_receivingdata_state;
1290 sd->data_start = 0;
1291 sd->data_offset = 0;
1292 return sd_r1;
1293
1294 default:
1295 break;
1296 }
1297 break;
1298
1299 /* Write protection (Class 6) */
1300 case 28: /* CMD28: SET_WRITE_PROT */
1301 switch (sd->state) {
1302 case sd_transfer_state:
1303 if (addr >= sd->size) {
1304 sd->card_status |= ADDRESS_ERROR;
1305 return sd_r1b;
1306 }
1307
1308 sd->state = sd_programming_state;
1309 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1310 /* Bzzzzzzztt .... Operation complete. */
1311 sd->state = sd_transfer_state;
1312 return sd_r1b;
1313
1314 default:
1315 break;
1316 }
1317 break;
1318
1319 case 29: /* CMD29: CLR_WRITE_PROT */
1320 switch (sd->state) {
1321 case sd_transfer_state:
1322 if (addr >= sd->size) {
1323 sd->card_status |= ADDRESS_ERROR;
1324 return sd_r1b;
1325 }
1326
1327 sd->state = sd_programming_state;
1328 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1329 /* Bzzzzzzztt .... Operation complete. */
1330 sd->state = sd_transfer_state;
1331 return sd_r1b;
1332
1333 default:
1334 break;
1335 }
1336 break;
1337
1338 case 30: /* CMD30: SEND_WRITE_PROT */
1339 switch (sd->state) {
1340 case sd_transfer_state:
1341 sd->state = sd_sendingdata_state;
1342 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1343 sd->data_start = addr;
1344 sd->data_offset = 0;
1345 return sd_r1b;
1346
1347 default:
1348 break;
1349 }
1350 break;
1351
1352 /* Erase commands (Class 5) */
1353 case 32: /* CMD32: ERASE_WR_BLK_START */
1354 switch (sd->state) {
1355 case sd_transfer_state:
1356 sd->erase_start = req.arg;
1357 return sd_r1;
1358
1359 default:
1360 break;
1361 }
1362 break;
1363
1364 case 33: /* CMD33: ERASE_WR_BLK_END */
1365 switch (sd->state) {
1366 case sd_transfer_state:
1367 sd->erase_end = req.arg;
1368 return sd_r1;
1369
1370 default:
1371 break;
1372 }
1373 break;
1374
1375 case 38: /* CMD38: ERASE */
1376 switch (sd->state) {
1377 case sd_transfer_state:
1378 if (sd->csd[14] & 0x30) {
1379 sd->card_status |= WP_VIOLATION;
1380 return sd_r1b;
1381 }
1382
1383 sd->state = sd_programming_state;
1384 sd_erase(sd);
1385 /* Bzzzzzzztt .... Operation complete. */
1386 sd->state = sd_transfer_state;
1387 return sd_r1b;
1388
1389 default:
1390 break;
1391 }
1392 break;
1393
1394 /* Lock card commands (Class 7) */
1395 case 42: /* CMD42: LOCK_UNLOCK */
1396 switch (sd->state) {
1397 case sd_transfer_state:
1398 sd->state = sd_receivingdata_state;
1399 sd->data_start = 0;
1400 sd->data_offset = 0;
1401 return sd_r1;
1402
1403 default:
1404 break;
1405 }
1406 break;
1407
1408 case 52 ... 54:
1409 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1410 * (see the SDIO Simplified Specification V2.0)
1411 * Handle as illegal command but do not complain
1412 * on stderr, as some OSes may use these in their
1413 * probing for presence of an SDIO card.
1414 */
1415 return sd_illegal;
1416
1417 /* Application specific commands (Class 8) */
1418 case 55: /* CMD55: APP_CMD */
1419 switch (sd->state) {
1420 case sd_ready_state:
1421 case sd_identification_state:
1422 case sd_inactive_state:
1423 return sd_illegal;
1424 case sd_idle_state:
1425 if (rca) {
1426 qemu_log_mask(LOG_GUEST_ERROR,
1427 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1428 }
1429 default:
1430 break;
1431 }
1432 if (!sd->spi) {
1433 if (sd->rca != rca) {
1434 return sd_r0;
1435 }
1436 }
1437 sd->expecting_acmd = true;
1438 sd->card_status |= APP_CMD;
1439 return sd_r1;
1440
1441 case 56: /* CMD56: GEN_CMD */
1442 switch (sd->state) {
1443 case sd_transfer_state:
1444 sd->data_offset = 0;
1445 if (req.arg & 1)
1446 sd->state = sd_sendingdata_state;
1447 else
1448 sd->state = sd_receivingdata_state;
1449 return sd_r1;
1450
1451 default:
1452 break;
1453 }
1454 break;
1455
1456 case 58: /* CMD58: READ_OCR (SPI) */
1457 if (!sd->spi) {
1458 goto bad_cmd;
1459 }
1460 return sd_r3;
1461
1462 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1463 if (!sd->spi) {
1464 goto bad_cmd;
1465 }
1466 goto unimplemented_spi_cmd;
1467
1468 default:
1469 bad_cmd:
1470 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1471 return sd_illegal;
1472
1473 unimplemented_spi_cmd:
1474 /* Commands that are recognised but not yet implemented in SPI mode. */
1475 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1476 req.cmd);
1477 return sd_illegal;
1478 }
1479
1480 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1481 return sd_illegal;
1482 }
1483
1484 static sd_rsp_type_t sd_app_command(SDState *sd,
1485 SDRequest req)
1486 {
1487 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1488 req.cmd, req.arg, sd_state_name(sd->state));
1489 sd->card_status |= APP_CMD;
1490 switch (req.cmd) {
1491 case 6: /* ACMD6: SET_BUS_WIDTH */
1492 if (sd->spi) {
1493 goto unimplemented_spi_cmd;
1494 }
1495 switch (sd->state) {
1496 case sd_transfer_state:
1497 sd->sd_status[0] &= 0x3f;
1498 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1499 return sd_r1;
1500
1501 default:
1502 break;
1503 }
1504 break;
1505
1506 case 13: /* ACMD13: SD_STATUS */
1507 switch (sd->state) {
1508 case sd_transfer_state:
1509 sd->state = sd_sendingdata_state;
1510 sd->data_start = 0;
1511 sd->data_offset = 0;
1512 return sd_r1;
1513
1514 default:
1515 break;
1516 }
1517 break;
1518
1519 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1520 switch (sd->state) {
1521 case sd_transfer_state:
1522 *(uint32_t *) sd->data = sd->blk_written;
1523
1524 sd->state = sd_sendingdata_state;
1525 sd->data_start = 0;
1526 sd->data_offset = 0;
1527 return sd_r1;
1528
1529 default:
1530 break;
1531 }
1532 break;
1533
1534 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1535 switch (sd->state) {
1536 case sd_transfer_state:
1537 return sd_r1;
1538
1539 default:
1540 break;
1541 }
1542 break;
1543
1544 case 41: /* ACMD41: SD_APP_OP_COND */
1545 if (sd->spi) {
1546 /* SEND_OP_CMD */
1547 sd->state = sd_transfer_state;
1548 return sd_r1;
1549 }
1550 if (sd->state != sd_idle_state) {
1551 break;
1552 }
1553 /* If it's the first ACMD41 since reset, we need to decide
1554 * whether to power up. If this is not an enquiry ACMD41,
1555 * we immediately report power on and proceed below to the
1556 * ready state, but if it is, we set a timer to model a
1557 * delay for power up. This works around a bug in EDK2
1558 * UEFI, which sends an initial enquiry ACMD41, but
1559 * assumes that the card is in ready state as soon as it
1560 * sees the power up bit set. */
1561 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1562 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1563 timer_del(sd->ocr_power_timer);
1564 sd_ocr_powerup(sd);
1565 } else {
1566 trace_sdcard_inquiry_cmd41();
1567 if (!timer_pending(sd->ocr_power_timer)) {
1568 timer_mod_ns(sd->ocr_power_timer,
1569 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1570 + OCR_POWER_DELAY_NS));
1571 }
1572 }
1573 }
1574
1575 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1576 /* We accept any voltage. 10000 V is nothing.
1577 *
1578 * Once we're powered up, we advance straight to ready state
1579 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1580 */
1581 sd->state = sd_ready_state;
1582 }
1583
1584 return sd_r3;
1585
1586 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1587 switch (sd->state) {
1588 case sd_transfer_state:
1589 /* Bringing in the 50KOhm pull-up resistor... Done. */
1590 return sd_r1;
1591
1592 default:
1593 break;
1594 }
1595 break;
1596
1597 case 51: /* ACMD51: SEND_SCR */
1598 switch (sd->state) {
1599 case sd_transfer_state:
1600 sd->state = sd_sendingdata_state;
1601 sd->data_start = 0;
1602 sd->data_offset = 0;
1603 return sd_r1;
1604
1605 default:
1606 break;
1607 }
1608 break;
1609
1610 case 18: /* Reserved for SD security applications */
1611 case 25:
1612 case 26:
1613 case 38:
1614 case 43 ... 49:
1615 /* Refer to the "SD Specifications Part3 Security Specification" for
1616 * information about the SD Security Features.
1617 */
1618 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1619 req.cmd);
1620 return sd_illegal;
1621
1622 default:
1623 /* Fall back to standard commands. */
1624 return sd_normal_command(sd, req);
1625
1626 unimplemented_spi_cmd:
1627 /* Commands that are recognised but not yet implemented in SPI mode. */
1628 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1629 req.cmd);
1630 return sd_illegal;
1631 }
1632
1633 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1634 return sd_illegal;
1635 }
1636
1637 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1638 {
1639 /* Valid commands in locked state:
1640 * basic class (0)
1641 * lock card class (7)
1642 * CMD16
1643 * implicitly, the ACMD prefix CMD55
1644 * ACMD41 and ACMD42
1645 * Anything else provokes an "illegal command" response.
1646 */
1647 if (sd->expecting_acmd) {
1648 return req->cmd == 41 || req->cmd == 42;
1649 }
1650 if (req->cmd == 16 || req->cmd == 55) {
1651 return 1;
1652 }
1653 return sd_cmd_class[req->cmd] == 0
1654 || sd_cmd_class[req->cmd] == 7;
1655 }
1656
1657 int sd_do_command(SDState *sd, SDRequest *req,
1658 uint8_t *response) {
1659 int last_state;
1660 sd_rsp_type_t rtype;
1661 int rsplen;
1662
1663 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1664 return 0;
1665 }
1666
1667 if (sd_req_crc_validate(req)) {
1668 sd->card_status |= COM_CRC_ERROR;
1669 rtype = sd_illegal;
1670 goto send_response;
1671 }
1672
1673 if (req->cmd >= SDMMC_CMD_MAX) {
1674 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1675 req->cmd);
1676 req->cmd &= 0x3f;
1677 }
1678
1679 if (sd->card_status & CARD_IS_LOCKED) {
1680 if (!cmd_valid_while_locked(sd, req)) {
1681 sd->card_status |= ILLEGAL_COMMAND;
1682 sd->expecting_acmd = false;
1683 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1684 rtype = sd_illegal;
1685 goto send_response;
1686 }
1687 }
1688
1689 last_state = sd->state;
1690 sd_set_mode(sd);
1691
1692 if (sd->expecting_acmd) {
1693 sd->expecting_acmd = false;
1694 rtype = sd_app_command(sd, *req);
1695 } else {
1696 rtype = sd_normal_command(sd, *req);
1697 }
1698
1699 if (rtype == sd_illegal) {
1700 sd->card_status |= ILLEGAL_COMMAND;
1701 } else {
1702 /* Valid command, we can update the 'state before command' bits.
1703 * (Do this now so they appear in r1 responses.)
1704 */
1705 sd->current_cmd = req->cmd;
1706 sd->card_status &= ~CURRENT_STATE;
1707 sd->card_status |= (last_state << 9);
1708 }
1709
1710 send_response:
1711 switch (rtype) {
1712 case sd_r1:
1713 case sd_r1b:
1714 sd_response_r1_make(sd, response);
1715 rsplen = 4;
1716 break;
1717
1718 case sd_r2_i:
1719 memcpy(response, sd->cid, sizeof(sd->cid));
1720 rsplen = 16;
1721 break;
1722
1723 case sd_r2_s:
1724 memcpy(response, sd->csd, sizeof(sd->csd));
1725 rsplen = 16;
1726 break;
1727
1728 case sd_r3:
1729 sd_response_r3_make(sd, response);
1730 rsplen = 4;
1731 break;
1732
1733 case sd_r6:
1734 sd_response_r6_make(sd, response);
1735 rsplen = 4;
1736 break;
1737
1738 case sd_r7:
1739 sd_response_r7_make(sd, response);
1740 rsplen = 4;
1741 break;
1742
1743 case sd_r0:
1744 case sd_illegal:
1745 rsplen = 0;
1746 break;
1747 default:
1748 g_assert_not_reached();
1749 }
1750 trace_sdcard_response(sd_response_name(rtype), rsplen);
1751
1752 if (rtype != sd_illegal) {
1753 /* Clear the "clear on valid command" status bits now we've
1754 * sent any response
1755 */
1756 sd->card_status &= ~CARD_STATUS_B;
1757 }
1758
1759 #ifdef DEBUG_SD
1760 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
1761 #endif
1762
1763 return rsplen;
1764 }
1765
1766 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1767 {
1768 trace_sdcard_read_block(addr, len);
1769 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1770 fprintf(stderr, "sd_blk_read: read error on host side\n");
1771 }
1772 }
1773
1774 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1775 {
1776 trace_sdcard_write_block(addr, len);
1777 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1778 fprintf(stderr, "sd_blk_write: write error on host side\n");
1779 }
1780 }
1781
1782 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1783 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1784 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1785 #define APP_WRITE_BLOCK(a, len)
1786
1787 void sd_write_data(SDState *sd, uint8_t value)
1788 {
1789 int i;
1790
1791 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1792 return;
1793
1794 if (sd->state != sd_receivingdata_state) {
1795 qemu_log_mask(LOG_GUEST_ERROR,
1796 "sd_write_data: not in Receiving-Data state\n");
1797 return;
1798 }
1799
1800 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1801 return;
1802
1803 trace_sdcard_write_data(sd->proto_name,
1804 sd_acmd_name(sd->current_cmd),
1805 sd->current_cmd, value);
1806 switch (sd->current_cmd) {
1807 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1808 sd->data[sd->data_offset ++] = value;
1809 if (sd->data_offset >= sd->blk_len) {
1810 /* TODO: Check CRC before committing */
1811 sd->state = sd_programming_state;
1812 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1813 sd->blk_written ++;
1814 sd->csd[14] |= 0x40;
1815 /* Bzzzzzzztt .... Operation complete. */
1816 sd->state = sd_transfer_state;
1817 }
1818 break;
1819
1820 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1821 if (sd->data_offset == 0) {
1822 /* Start of the block - let's check the address is valid */
1823 if (sd->data_start + sd->blk_len > sd->size) {
1824 sd->card_status |= ADDRESS_ERROR;
1825 break;
1826 }
1827 if (sd_wp_addr(sd, sd->data_start)) {
1828 sd->card_status |= WP_VIOLATION;
1829 break;
1830 }
1831 }
1832 sd->data[sd->data_offset++] = value;
1833 if (sd->data_offset >= sd->blk_len) {
1834 /* TODO: Check CRC before committing */
1835 sd->state = sd_programming_state;
1836 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1837 sd->blk_written++;
1838 sd->data_start += sd->blk_len;
1839 sd->data_offset = 0;
1840 sd->csd[14] |= 0x40;
1841
1842 /* Bzzzzzzztt .... Operation complete. */
1843 if (sd->multi_blk_cnt != 0) {
1844 if (--sd->multi_blk_cnt == 0) {
1845 /* Stop! */
1846 sd->state = sd_transfer_state;
1847 break;
1848 }
1849 }
1850
1851 sd->state = sd_receivingdata_state;
1852 }
1853 break;
1854
1855 case 26: /* CMD26: PROGRAM_CID */
1856 sd->data[sd->data_offset ++] = value;
1857 if (sd->data_offset >= sizeof(sd->cid)) {
1858 /* TODO: Check CRC before committing */
1859 sd->state = sd_programming_state;
1860 for (i = 0; i < sizeof(sd->cid); i ++)
1861 if ((sd->cid[i] | 0x00) != sd->data[i])
1862 sd->card_status |= CID_CSD_OVERWRITE;
1863
1864 if (!(sd->card_status & CID_CSD_OVERWRITE))
1865 for (i = 0; i < sizeof(sd->cid); i ++) {
1866 sd->cid[i] |= 0x00;
1867 sd->cid[i] &= sd->data[i];
1868 }
1869 /* Bzzzzzzztt .... Operation complete. */
1870 sd->state = sd_transfer_state;
1871 }
1872 break;
1873
1874 case 27: /* CMD27: PROGRAM_CSD */
1875 sd->data[sd->data_offset ++] = value;
1876 if (sd->data_offset >= sizeof(sd->csd)) {
1877 /* TODO: Check CRC before committing */
1878 sd->state = sd_programming_state;
1879 for (i = 0; i < sizeof(sd->csd); i ++)
1880 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1881 (sd->data[i] | sd_csd_rw_mask[i]))
1882 sd->card_status |= CID_CSD_OVERWRITE;
1883
1884 /* Copy flag (OTP) & Permanent write protect */
1885 if (sd->csd[14] & ~sd->data[14] & 0x60)
1886 sd->card_status |= CID_CSD_OVERWRITE;
1887
1888 if (!(sd->card_status & CID_CSD_OVERWRITE))
1889 for (i = 0; i < sizeof(sd->csd); i ++) {
1890 sd->csd[i] |= sd_csd_rw_mask[i];
1891 sd->csd[i] &= sd->data[i];
1892 }
1893 /* Bzzzzzzztt .... Operation complete. */
1894 sd->state = sd_transfer_state;
1895 }
1896 break;
1897
1898 case 42: /* CMD42: LOCK_UNLOCK */
1899 sd->data[sd->data_offset ++] = value;
1900 if (sd->data_offset >= sd->blk_len) {
1901 /* TODO: Check CRC before committing */
1902 sd->state = sd_programming_state;
1903 sd_lock_command(sd);
1904 /* Bzzzzzzztt .... Operation complete. */
1905 sd->state = sd_transfer_state;
1906 }
1907 break;
1908
1909 case 56: /* CMD56: GEN_CMD */
1910 sd->data[sd->data_offset ++] = value;
1911 if (sd->data_offset >= sd->blk_len) {
1912 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1913 sd->state = sd_transfer_state;
1914 }
1915 break;
1916
1917 default:
1918 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1919 break;
1920 }
1921 }
1922
1923 #define SD_TUNING_BLOCK_SIZE 64
1924
1925 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1926 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1927 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1928 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1929 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1930 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1931 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1932 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1933 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1934 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1935 };
1936
1937 uint8_t sd_read_data(SDState *sd)
1938 {
1939 /* TODO: Append CRCs */
1940 uint8_t ret;
1941 int io_len;
1942
1943 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1944 return 0x00;
1945
1946 if (sd->state != sd_sendingdata_state) {
1947 qemu_log_mask(LOG_GUEST_ERROR,
1948 "sd_read_data: not in Sending-Data state\n");
1949 return 0x00;
1950 }
1951
1952 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1953 return 0x00;
1954
1955 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1956
1957 trace_sdcard_read_data(sd->proto_name,
1958 sd_acmd_name(sd->current_cmd),
1959 sd->current_cmd, io_len);
1960 switch (sd->current_cmd) {
1961 case 6: /* CMD6: SWITCH_FUNCTION */
1962 ret = sd->data[sd->data_offset ++];
1963
1964 if (sd->data_offset >= 64)
1965 sd->state = sd_transfer_state;
1966 break;
1967
1968 case 9: /* CMD9: SEND_CSD */
1969 case 10: /* CMD10: SEND_CID */
1970 ret = sd->data[sd->data_offset ++];
1971
1972 if (sd->data_offset >= 16)
1973 sd->state = sd_transfer_state;
1974 break;
1975
1976 case 13: /* ACMD13: SD_STATUS */
1977 ret = sd->sd_status[sd->data_offset ++];
1978
1979 if (sd->data_offset >= sizeof(sd->sd_status))
1980 sd->state = sd_transfer_state;
1981 break;
1982
1983 case 17: /* CMD17: READ_SINGLE_BLOCK */
1984 if (sd->data_offset == 0)
1985 BLK_READ_BLOCK(sd->data_start, io_len);
1986 ret = sd->data[sd->data_offset ++];
1987
1988 if (sd->data_offset >= io_len)
1989 sd->state = sd_transfer_state;
1990 break;
1991
1992 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1993 if (sd->data_offset == 0) {
1994 if (sd->data_start + io_len > sd->size) {
1995 sd->card_status |= ADDRESS_ERROR;
1996 return 0x00;
1997 }
1998 BLK_READ_BLOCK(sd->data_start, io_len);
1999 }
2000 ret = sd->data[sd->data_offset ++];
2001
2002 if (sd->data_offset >= io_len) {
2003 sd->data_start += io_len;
2004 sd->data_offset = 0;
2005
2006 if (sd->multi_blk_cnt != 0) {
2007 if (--sd->multi_blk_cnt == 0) {
2008 /* Stop! */
2009 sd->state = sd_transfer_state;
2010 break;
2011 }
2012 }
2013 }
2014 break;
2015
2016 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2017 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2018 sd->state = sd_transfer_state;
2019 }
2020 ret = sd_tuning_block_pattern[sd->data_offset++];
2021 break;
2022
2023 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2024 ret = sd->data[sd->data_offset ++];
2025
2026 if (sd->data_offset >= 4)
2027 sd->state = sd_transfer_state;
2028 break;
2029
2030 case 30: /* CMD30: SEND_WRITE_PROT */
2031 ret = sd->data[sd->data_offset ++];
2032
2033 if (sd->data_offset >= 4)
2034 sd->state = sd_transfer_state;
2035 break;
2036
2037 case 51: /* ACMD51: SEND_SCR */
2038 ret = sd->scr[sd->data_offset ++];
2039
2040 if (sd->data_offset >= sizeof(sd->scr))
2041 sd->state = sd_transfer_state;
2042 break;
2043
2044 case 56: /* CMD56: GEN_CMD */
2045 if (sd->data_offset == 0)
2046 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2047 ret = sd->data[sd->data_offset ++];
2048
2049 if (sd->data_offset >= sd->blk_len)
2050 sd->state = sd_transfer_state;
2051 break;
2052
2053 default:
2054 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
2055 return 0x00;
2056 }
2057
2058 return ret;
2059 }
2060
2061 bool sd_data_ready(SDState *sd)
2062 {
2063 return sd->state == sd_sendingdata_state;
2064 }
2065
2066 void sd_enable(SDState *sd, bool enable)
2067 {
2068 sd->enable = enable;
2069 }
2070
2071 static void sd_instance_init(Object *obj)
2072 {
2073 SDState *sd = SD_CARD(obj);
2074
2075 sd->enable = true;
2076 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2077 }
2078
2079 static void sd_instance_finalize(Object *obj)
2080 {
2081 SDState *sd = SD_CARD(obj);
2082
2083 timer_del(sd->ocr_power_timer);
2084 timer_free(sd->ocr_power_timer);
2085 }
2086
2087 static void sd_realize(DeviceState *dev, Error **errp)
2088 {
2089 SDState *sd = SD_CARD(dev);
2090 int ret;
2091
2092 sd->proto_name = sd->spi ? "SPI" : "SD";
2093
2094 switch (sd->spec_version) {
2095 case SD_PHY_SPECv1_10_VERS
2096 ... SD_PHY_SPECv3_01_VERS:
2097 break;
2098 default:
2099 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2100 return;
2101 }
2102
2103 if (sd->blk && blk_is_read_only(sd->blk)) {
2104 error_setg(errp, "Cannot use read-only drive as SD card");
2105 return;
2106 }
2107
2108 if (sd->blk) {
2109 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2110 BLK_PERM_ALL, errp);
2111 if (ret < 0) {
2112 return;
2113 }
2114 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2115 }
2116 }
2117
2118 static Property sd_properties[] = {
2119 DEFINE_PROP_UINT8("spec_version", SDState,
2120 spec_version, SD_PHY_SPECv2_00_VERS),
2121 DEFINE_PROP_DRIVE("drive", SDState, blk),
2122 /* We do not model the chip select pin, so allow the board to select
2123 * whether card should be in SSI or MMC/SD mode. It is also up to the
2124 * board to ensure that ssi transfers only occur when the chip select
2125 * is asserted. */
2126 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2127 DEFINE_PROP_END_OF_LIST()
2128 };
2129
2130 static void sd_class_init(ObjectClass *klass, void *data)
2131 {
2132 DeviceClass *dc = DEVICE_CLASS(klass);
2133 SDCardClass *sc = SD_CARD_CLASS(klass);
2134
2135 dc->realize = sd_realize;
2136 device_class_set_props(dc, sd_properties);
2137 dc->vmsd = &sd_vmstate;
2138 dc->reset = sd_reset;
2139 dc->bus_type = TYPE_SD_BUS;
2140 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2141
2142 sc->set_voltage = sd_set_voltage;
2143 sc->get_dat_lines = sd_get_dat_lines;
2144 sc->get_cmd_line = sd_get_cmd_line;
2145 sc->do_command = sd_do_command;
2146 sc->write_data = sd_write_data;
2147 sc->read_data = sd_read_data;
2148 sc->data_ready = sd_data_ready;
2149 sc->enable = sd_enable;
2150 sc->get_inserted = sd_get_inserted;
2151 sc->get_readonly = sd_get_readonly;
2152 }
2153
2154 static const TypeInfo sd_info = {
2155 .name = TYPE_SD_CARD,
2156 .parent = TYPE_DEVICE,
2157 .instance_size = sizeof(SDState),
2158 .class_size = sizeof(SDCardClass),
2159 .class_init = sd_class_init,
2160 .instance_init = sd_instance_init,
2161 .instance_finalize = sd_instance_finalize,
2162 };
2163
2164 static void sd_register_types(void)
2165 {
2166 type_register_static(&sd_info);
2167 }
2168
2169 type_init(sd_register_types)
AR7 emulation for QEMU