search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd: sd: Skip write protect groups check in CMD24/25 for high capacity cards
[qemu/ar7.git] / hw / sd / sd.c
blob3a515a5365f1c295f46baa9b488573efb3943eef
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state,
81 sd_identification_state,
82 sd_standby_state,
83 sd_transfer_state,
84 sd_sendingdata_state,
85 sd_receivingdata_state,
86 sd_programming_state,
87 sd_disconnect_state,
88 };
89
90 struct SDState {
91 DeviceState parent_obj;
92
93 /* If true, created by sd_init() for a non-qdevified caller */
94 /* TODO purge them with fire */
95 bool me_no_qdev_me_kill_mammoth_with_rocks;
96
97 /* SD Memory Card Registers */
98 uint32_t ocr;
99 uint8_t scr[8];
100 uint8_t cid[16];
101 uint8_t csd[16];
102 uint16_t rca;
103 uint32_t card_status;
104 uint8_t sd_status[64];
105
106 /* Static properties */
107
108 uint8_t spec_version;
109 BlockBackend *blk;
110 bool spi;
111
112 /* Runtime changeables */
113
114 uint32_t mode; /* current card mode, one of SDCardModes */
115 int32_t state; /* current card state, one of SDCardStates */
116 uint32_t vhs;
117 bool wp_switch;
118 unsigned long *wp_groups;
119 int32_t wpgrps_size;
120 uint64_t size;
121 uint32_t blk_len;
122 uint32_t multi_blk_cnt;
123 uint32_t erase_start;
124 uint32_t erase_end;
125 uint8_t pwd[16];
126 uint32_t pwd_len;
127 uint8_t function_group[6];
128 uint8_t current_cmd;
129 /* True if we will handle the next command as an ACMD. Note that this does
130 * *not* track the APP_CMD status bit!
131 */
132 bool expecting_acmd;
133 uint32_t blk_written;
134 uint64_t data_start;
135 uint32_t data_offset;
136 uint8_t data[512];
137 qemu_irq readonly_cb;
138 qemu_irq inserted_cb;
139 QEMUTimer *ocr_power_timer;
140 const char *proto_name;
141 bool enable;
142 uint8_t dat_lines;
143 bool cmd_line;
144 };
145
146 static void sd_realize(DeviceState *dev, Error **errp);
147
148 static const char *sd_state_name(enum SDCardStates state)
149 {
150 static const char *state_name[] = {
151 [sd_idle_state] = "idle",
152 [sd_ready_state] = "ready",
153 [sd_identification_state] = "identification",
154 [sd_standby_state] = "standby",
155 [sd_transfer_state] = "transfer",
156 [sd_sendingdata_state] = "sendingdata",
157 [sd_receivingdata_state] = "receivingdata",
158 [sd_programming_state] = "programming",
159 [sd_disconnect_state] = "disconnect",
160 };
161 if (state == sd_inactive_state) {
162 return "inactive";
163 }
164 assert(state < ARRAY_SIZE(state_name));
165 return state_name[state];
166 }
167
168 static const char *sd_response_name(sd_rsp_type_t rsp)
169 {
170 static const char *response_name[] = {
171 [sd_r0] = "RESP#0 (no response)",
172 [sd_r1] = "RESP#1 (normal cmd)",
173 [sd_r2_i] = "RESP#2 (CID reg)",
174 [sd_r2_s] = "RESP#2 (CSD reg)",
175 [sd_r3] = "RESP#3 (OCR reg)",
176 [sd_r6] = "RESP#6 (RCA)",
177 [sd_r7] = "RESP#7 (operating voltage)",
178 };
179 if (rsp == sd_illegal) {
180 return "ILLEGAL RESP";
181 }
182 if (rsp == sd_r1b) {
183 rsp = sd_r1;
184 }
185 assert(rsp < ARRAY_SIZE(response_name));
186 return response_name[rsp];
187 }
188
189 static uint8_t sd_get_dat_lines(SDState *sd)
190 {
191 return sd->enable ? sd->dat_lines : 0;
192 }
193
194 static bool sd_get_cmd_line(SDState *sd)
195 {
196 return sd->enable ? sd->cmd_line : false;
197 }
198
199 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
200 {
201 trace_sdcard_set_voltage(millivolts);
202
203 switch (millivolts) {
204 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
205 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
206 break;
207 default:
208 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
209 millivolts / 1000.f);
210 }
211 }
212
213 static void sd_set_mode(SDState *sd)
214 {
215 switch (sd->state) {
216 case sd_inactive_state:
217 sd->mode = sd_inactive;
218 break;
219
220 case sd_idle_state:
221 case sd_ready_state:
222 case sd_identification_state:
223 sd->mode = sd_card_identification_mode;
224 break;
225
226 case sd_standby_state:
227 case sd_transfer_state:
228 case sd_sendingdata_state:
229 case sd_receivingdata_state:
230 case sd_programming_state:
231 case sd_disconnect_state:
232 sd->mode = sd_data_transfer_mode;
233 break;
234 }
235 }
236
237 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
238 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
239 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
240 /* 16 */
241 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
242 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
243 /* 32 */
244 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
245 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
246 /* 48 */
247 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
248 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
249 };
250
251 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
252 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
253 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
254 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
255 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
256 };
257
258 static uint8_t sd_crc7(const void *message, size_t width)
259 {
260 int i, bit;
261 uint8_t shift_reg = 0x00;
262 const uint8_t *msg = (const uint8_t *)message;
263
264 for (i = 0; i < width; i ++, msg ++)
265 for (bit = 7; bit >= 0; bit --) {
266 shift_reg <<= 1;
267 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
268 shift_reg ^= 0x89;
269 }
270
271 return shift_reg;
272 }
273
274 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
275
276 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
277 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
278 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
279 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
280 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
281 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
282 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
283 FIELD(OCR, CARD_POWER_UP, 31, 1)
284
285 #define ACMD41_ENQUIRY_MASK 0x00ffffff
286 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
287 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
288 | R_OCR_UHS_II_CARD_MASK \
289 | R_OCR_CARD_CAPACITY_MASK \
290 | R_OCR_CARD_POWER_UP_MASK)
291
292 static void sd_set_ocr(SDState *sd)
293 {
294 /* All voltages OK */
295 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
296 }
297
298 static void sd_ocr_powerup(void *opaque)
299 {
300 SDState *sd = opaque;
301
302 trace_sdcard_powerup();
303 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
304
305 /* card power-up OK */
306 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
307
308 if (sd->size > SDSC_MAX_CAPACITY) {
309 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
310 }
311 }
312
313 static void sd_set_scr(SDState *sd)
314 {
315 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
316 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
317 sd->scr[0] |= 1; /* Spec Version 1.10 */
318 } else {
319 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
320 }
321 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
322 | 0b0101; /* 1-bit or 4-bit width bus modes */
323 sd->scr[2] = 0x00; /* Extended Security is not supported. */
324 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
325 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
326 }
327 sd->scr[3] = 0x00;
328 /* reserved for manufacturer usage */
329 sd->scr[4] = 0x00;
330 sd->scr[5] = 0x00;
331 sd->scr[6] = 0x00;
332 sd->scr[7] = 0x00;
333 }
334
335 #define MID 0xaa
336 #define OID "XY"
337 #define PNM "QEMU!"
338 #define PRV 0x01
339 #define MDT_YR 2006
340 #define MDT_MON 2
341
342 static void sd_set_cid(SDState *sd)
343 {
344 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
345 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
346 sd->cid[2] = OID[1];
347 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
348 sd->cid[4] = PNM[1];
349 sd->cid[5] = PNM[2];
350 sd->cid[6] = PNM[3];
351 sd->cid[7] = PNM[4];
352 sd->cid[8] = PRV; /* Fake product revision (PRV) */
353 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
354 sd->cid[10] = 0xad;
355 sd->cid[11] = 0xbe;
356 sd->cid[12] = 0xef;
357 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
358 ((MDT_YR - 2000) / 10);
359 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
360 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
361 }
362
363 #define HWBLOCK_SHIFT 9 /* 512 bytes */
364 #define SECTOR_SHIFT 5 /* 16 kilobytes */
365 #define WPGROUP_SHIFT 7 /* 2 megs */
366 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
367 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
368
369 static const uint8_t sd_csd_rw_mask[16] = {
370 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
372 };
373
374 static void sd_set_csd(SDState *sd, uint64_t size)
375 {
376 int hwblock_shift = HWBLOCK_SHIFT;
377 uint32_t csize;
378 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
379 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
380
381 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
382 if (size == SDSC_MAX_CAPACITY) {
383 hwblock_shift += 1;
384 }
385 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
386
387 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
388 sd->csd[0] = 0x00; /* CSD structure */
389 sd->csd[1] = 0x26; /* Data read access-time-1 */
390 sd->csd[2] = 0x00; /* Data read access-time-2 */
391 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
392 sd->csd[4] = 0x5f; /* Card Command Classes */
393 sd->csd[5] = 0x50 | /* Max. read data block length */
394 hwblock_shift;
395 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
396 ((csize >> 10) & 0x03);
397 sd->csd[7] = 0x00 | /* Device size */
398 ((csize >> 2) & 0xff);
399 sd->csd[8] = 0x3f | /* Max. read current */
400 ((csize << 6) & 0xc0);
401 sd->csd[9] = 0xfc | /* Max. write current */
402 ((CMULT_SHIFT - 2) >> 1);
403 sd->csd[10] = 0x40 | /* Erase sector size */
404 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
405 sd->csd[11] = 0x00 | /* Write protect group size */
406 ((sectsize << 7) & 0x80) | wpsize;
407 sd->csd[12] = 0x90 | /* Write speed factor */
408 (hwblock_shift >> 2);
409 sd->csd[13] = 0x20 | /* Max. write data block length */
410 ((hwblock_shift << 6) & 0xc0);
411 sd->csd[14] = 0x00; /* File format group */
412 } else { /* SDHC */
413 size /= 512 * KiB;
414 size -= 1;
415 sd->csd[0] = 0x40;
416 sd->csd[1] = 0x0e;
417 sd->csd[2] = 0x00;
418 sd->csd[3] = 0x32;
419 sd->csd[4] = 0x5b;
420 sd->csd[5] = 0x59;
421 sd->csd[6] = 0x00;
422 sd->csd[7] = (size >> 16) & 0xff;
423 sd->csd[8] = (size >> 8) & 0xff;
424 sd->csd[9] = (size & 0xff);
425 sd->csd[10] = 0x7f;
426 sd->csd[11] = 0x80;
427 sd->csd[12] = 0x0a;
428 sd->csd[13] = 0x40;
429 sd->csd[14] = 0x00;
430 }
431 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
432 }
433
434 static void sd_set_rca(SDState *sd)
435 {
436 sd->rca += 0x4567;
437 }
438
439 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
440 FIELD(CSR, APP_CMD, 5, 1)
441 FIELD(CSR, FX_EVENT, 6, 1)
442 FIELD(CSR, READY_FOR_DATA, 8, 1)
443 FIELD(CSR, CURRENT_STATE, 9, 4)
444 FIELD(CSR, ERASE_RESET, 13, 1)
445 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
446 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
447 FIELD(CSR, CSD_OVERWRITE, 16, 1)
448 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
449 FIELD(CSR, ERROR, 19, 1)
450 FIELD(CSR, CC_ERROR, 20, 1)
451 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
452 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
453 FIELD(CSR, COM_CRC_ERROR, 23, 1)
454 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
455 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
456 FIELD(CSR, WP_VIOLATION, 26, 1)
457 FIELD(CSR, ERASE_PARAM, 27, 1)
458 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
459 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
460 FIELD(CSR, ADDRESS_ERROR, 30, 1)
461 FIELD(CSR, OUT_OF_RANGE, 31, 1)
462
463 /* Card status bits, split by clear condition:
464 * A : According to the card current state
465 * B : Always related to the previous command
466 * C : Cleared by read
467 */
468 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
469 | R_CSR_CARD_ECC_DISABLED_MASK \
470 | R_CSR_CARD_IS_LOCKED_MASK)
471 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
472 | R_CSR_ILLEGAL_COMMAND_MASK \
473 | R_CSR_COM_CRC_ERROR_MASK)
474 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
475 | R_CSR_APP_CMD_MASK \
476 | R_CSR_ERASE_RESET_MASK \
477 | R_CSR_WP_ERASE_SKIP_MASK \
478 | R_CSR_CSD_OVERWRITE_MASK \
479 | R_CSR_ERROR_MASK \
480 | R_CSR_CC_ERROR_MASK \
481 | R_CSR_CARD_ECC_FAILED_MASK \
482 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
483 | R_CSR_WP_VIOLATION_MASK \
484 | R_CSR_ERASE_PARAM_MASK \
485 | R_CSR_ERASE_SEQ_ERROR_MASK \
486 | R_CSR_BLOCK_LEN_ERROR_MASK \
487 | R_CSR_ADDRESS_ERROR_MASK \
488 | R_CSR_OUT_OF_RANGE_MASK)
489
490 static void sd_set_cardstatus(SDState *sd)
491 {
492 sd->card_status = 0x00000100;
493 }
494
495 static void sd_set_sdstatus(SDState *sd)
496 {
497 memset(sd->sd_status, 0, 64);
498 }
499
500 static int sd_req_crc_validate(SDRequest *req)
501 {
502 uint8_t buffer[5];
503 buffer[0] = 0x40 | req->cmd;
504 stl_be_p(&buffer[1], req->arg);
505 return 0;
506 return sd_crc7(buffer, 5) != req->crc; /* TODO */
507 }
508
509 static void sd_response_r1_make(SDState *sd, uint8_t *response)
510 {
511 stl_be_p(response, sd->card_status);
512
513 /* Clear the "clear on read" status bits */
514 sd->card_status &= ~CARD_STATUS_C;
515 }
516
517 static void sd_response_r3_make(SDState *sd, uint8_t *response)
518 {
519 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
520 }
521
522 static void sd_response_r6_make(SDState *sd, uint8_t *response)
523 {
524 uint16_t status;
525
526 status = ((sd->card_status >> 8) & 0xc000) |
527 ((sd->card_status >> 6) & 0x2000) |
528 (sd->card_status & 0x1fff);
529 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
530 stw_be_p(response + 0, sd->rca);
531 stw_be_p(response + 2, status);
532 }
533
534 static void sd_response_r7_make(SDState *sd, uint8_t *response)
535 {
536 stl_be_p(response, sd->vhs);
537 }
538
539 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
540 {
541 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
542 }
543
544 static void sd_reset(DeviceState *dev)
545 {
546 SDState *sd = SD_CARD(dev);
547 uint64_t size;
548 uint64_t sect;
549
550 trace_sdcard_reset();
551 if (sd->blk) {
552 blk_get_geometry(sd->blk, &sect);
553 } else {
554 sect = 0;
555 }
556 size = sect << 9;
557
558 sect = sd_addr_to_wpnum(size) + 1;
559
560 sd->state = sd_idle_state;
561 sd->rca = 0x0000;
562 sd_set_ocr(sd);
563 sd_set_scr(sd);
564 sd_set_cid(sd);
565 sd_set_csd(sd, size);
566 sd_set_cardstatus(sd);
567 sd_set_sdstatus(sd);
568
569 g_free(sd->wp_groups);
570 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
571 sd->wpgrps_size = sect;
572 sd->wp_groups = bitmap_new(sd->wpgrps_size);
573 memset(sd->function_group, 0, sizeof(sd->function_group));
574 sd->erase_start = INVALID_ADDRESS;
575 sd->erase_end = INVALID_ADDRESS;
576 sd->size = size;
577 sd->blk_len = 0x200;
578 sd->pwd_len = 0;
579 sd->expecting_acmd = false;
580 sd->dat_lines = 0xf;
581 sd->cmd_line = true;
582 sd->multi_blk_cnt = 0;
583 }
584
585 static bool sd_get_inserted(SDState *sd)
586 {
587 return sd->blk && blk_is_inserted(sd->blk);
588 }
589
590 static bool sd_get_readonly(SDState *sd)
591 {
592 return sd->wp_switch;
593 }
594
595 static void sd_cardchange(void *opaque, bool load, Error **errp)
596 {
597 SDState *sd = opaque;
598 DeviceState *dev = DEVICE(sd);
599 SDBus *sdbus;
600 bool inserted = sd_get_inserted(sd);
601 bool readonly = sd_get_readonly(sd);
602
603 if (inserted) {
604 trace_sdcard_inserted(readonly);
605 sd_reset(dev);
606 } else {
607 trace_sdcard_ejected();
608 }
609
610 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
611 qemu_set_irq(sd->inserted_cb, inserted);
612 if (inserted) {
613 qemu_set_irq(sd->readonly_cb, readonly);
614 }
615 } else {
616 sdbus = SD_BUS(qdev_get_parent_bus(dev));
617 sdbus_set_inserted(sdbus, inserted);
618 if (inserted) {
619 sdbus_set_readonly(sdbus, readonly);
620 }
621 }
622 }
623
624 static const BlockDevOps sd_block_ops = {
625 .change_media_cb = sd_cardchange,
626 };
627
628 static bool sd_ocr_vmstate_needed(void *opaque)
629 {
630 SDState *sd = opaque;
631
632 /* Include the OCR state (and timer) if it is not yet powered up */
633 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
634 }
635
636 static const VMStateDescription sd_ocr_vmstate = {
637 .name = "sd-card/ocr-state",
638 .version_id = 1,
639 .minimum_version_id = 1,
640 .needed = sd_ocr_vmstate_needed,
641 .fields = (VMStateField[]) {
642 VMSTATE_UINT32(ocr, SDState),
643 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
644 VMSTATE_END_OF_LIST()
645 },
646 };
647
648 static int sd_vmstate_pre_load(void *opaque)
649 {
650 SDState *sd = opaque;
651
652 /* If the OCR state is not included (prior versions, or not
653 * needed), then the OCR must be set as powered up. If the OCR state
654 * is included, this will be replaced by the state restore.
655 */
656 sd_ocr_powerup(sd);
657
658 return 0;
659 }
660
661 static const VMStateDescription sd_vmstate = {
662 .name = "sd-card",
663 .version_id = 2,
664 .minimum_version_id = 2,
665 .pre_load = sd_vmstate_pre_load,
666 .fields = (VMStateField[]) {
667 VMSTATE_UINT32(mode, SDState),
668 VMSTATE_INT32(state, SDState),
669 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
670 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
671 VMSTATE_UINT16(rca, SDState),
672 VMSTATE_UINT32(card_status, SDState),
673 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
674 VMSTATE_UINT32(vhs, SDState),
675 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
676 VMSTATE_UINT32(blk_len, SDState),
677 VMSTATE_UINT32(multi_blk_cnt, SDState),
678 VMSTATE_UINT32(erase_start, SDState),
679 VMSTATE_UINT32(erase_end, SDState),
680 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
681 VMSTATE_UINT32(pwd_len, SDState),
682 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
683 VMSTATE_UINT8(current_cmd, SDState),
684 VMSTATE_BOOL(expecting_acmd, SDState),
685 VMSTATE_UINT32(blk_written, SDState),
686 VMSTATE_UINT64(data_start, SDState),
687 VMSTATE_UINT32(data_offset, SDState),
688 VMSTATE_UINT8_ARRAY(data, SDState, 512),
689 VMSTATE_UNUSED_V(1, 512),
690 VMSTATE_BOOL(enable, SDState),
691 VMSTATE_END_OF_LIST()
692 },
693 .subsections = (const VMStateDescription*[]) {
694 &sd_ocr_vmstate,
695 NULL
696 },
697 };
698
699 /* Legacy initialization function for use by non-qdevified callers */
700 SDState *sd_init(BlockBackend *blk, bool is_spi)
701 {
702 Object *obj;
703 DeviceState *dev;
704 SDState *sd;
705 Error *err = NULL;
706
707 obj = object_new(TYPE_SD_CARD);
708 dev = DEVICE(obj);
709 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
710 error_reportf_err(err, "sd_init failed: ");
711 return NULL;
712 }
713 qdev_prop_set_bit(dev, "spi", is_spi);
714
715 /*
716 * Realizing the device properly would put it into the QOM
717 * composition tree even though it is not plugged into an
718 * appropriate bus. That's a no-no. Hide the device from
719 * QOM/qdev, and call its qdev realize callback directly.
720 */
721 object_ref(obj);
722 object_unparent(obj);
723 sd_realize(dev, &err);
724 if (err) {
725 error_reportf_err(err, "sd_init failed: ");
726 return NULL;
727 }
728
729 sd = SD_CARD(dev);
730 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
731 return sd;
732 }
733
734 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
735 {
736 sd->readonly_cb = readonly;
737 sd->inserted_cb = insert;
738 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
739 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
740 }
741
742 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
743 {
744 trace_sdcard_read_block(addr, len);
745 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
746 fprintf(stderr, "sd_blk_read: read error on host side\n");
747 }
748 }
749
750 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
751 {
752 trace_sdcard_write_block(addr, len);
753 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
754 fprintf(stderr, "sd_blk_write: write error on host side\n");
755 }
756 }
757
758 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
759 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
760 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
761 #define APP_WRITE_BLOCK(a, len)
762
763 static void sd_erase(SDState *sd)
764 {
765 int i;
766 uint64_t erase_start = sd->erase_start;
767 uint64_t erase_end = sd->erase_end;
768 bool sdsc = true;
769
770 trace_sdcard_erase(sd->erase_start, sd->erase_end);
771 if (sd->erase_start == INVALID_ADDRESS
772 || sd->erase_end == INVALID_ADDRESS) {
773 sd->card_status |= ERASE_SEQ_ERROR;
774 sd->erase_start = INVALID_ADDRESS;
775 sd->erase_end = INVALID_ADDRESS;
776 return;
777 }
778
779 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
780 /* High capacity memory card: erase units are 512 byte blocks */
781 erase_start *= 512;
782 erase_end *= 512;
783 sdsc = false;
784 }
785
786 if (erase_start > sd->size || erase_end > sd->size) {
787 sd->card_status |= OUT_OF_RANGE;
788 sd->erase_start = INVALID_ADDRESS;
789 sd->erase_end = INVALID_ADDRESS;
790 return;
791 }
792
793 sd->erase_start = INVALID_ADDRESS;
794 sd->erase_end = INVALID_ADDRESS;
795 sd->csd[14] |= 0x40;
796
797 /* Only SDSC cards support write protect groups */
798 if (sdsc) {
799 erase_start = sd_addr_to_wpnum(erase_start);
800 erase_end = sd_addr_to_wpnum(erase_end);
801
802 for (i = erase_start; i <= erase_end; i++) {
803 assert(i < sd->wpgrps_size);
804 if (test_bit(i, sd->wp_groups)) {
805 sd->card_status |= WP_ERASE_SKIP;
806 }
807 }
808 }
809 }
810
811 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
812 {
813 uint32_t i, wpnum;
814 uint32_t ret = 0;
815
816 wpnum = sd_addr_to_wpnum(addr);
817
818 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
819 assert(wpnum < sd->wpgrps_size);
820 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
821 ret |= (1 << i);
822 }
823 }
824
825 return ret;
826 }
827
828 static void sd_function_switch(SDState *sd, uint32_t arg)
829 {
830 int i, mode, new_func;
831 mode = !!(arg & 0x80000000);
832
833 sd->data[0] = 0x00; /* Maximum current consumption */
834 sd->data[1] = 0x01;
835 sd->data[2] = 0x80; /* Supported group 6 functions */
836 sd->data[3] = 0x01;
837 sd->data[4] = 0x80; /* Supported group 5 functions */
838 sd->data[5] = 0x01;
839 sd->data[6] = 0x80; /* Supported group 4 functions */
840 sd->data[7] = 0x01;
841 sd->data[8] = 0x80; /* Supported group 3 functions */
842 sd->data[9] = 0x01;
843 sd->data[10] = 0x80; /* Supported group 2 functions */
844 sd->data[11] = 0x43;
845 sd->data[12] = 0x80; /* Supported group 1 functions */
846 sd->data[13] = 0x03;
847
848 memset(&sd->data[14], 0, 3);
849 for (i = 0; i < 6; i ++) {
850 new_func = (arg >> (i * 4)) & 0x0f;
851 if (mode && new_func != 0x0f)
852 sd->function_group[i] = new_func;
853 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
854 }
855 memset(&sd->data[17], 0, 47);
856 }
857
858 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
859 {
860 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
861 }
862
863 static void sd_lock_command(SDState *sd)
864 {
865 int erase, lock, clr_pwd, set_pwd, pwd_len;
866 erase = !!(sd->data[0] & 0x08);
867 lock = sd->data[0] & 0x04;
868 clr_pwd = sd->data[0] & 0x02;
869 set_pwd = sd->data[0] & 0x01;
870
871 if (sd->blk_len > 1)
872 pwd_len = sd->data[1];
873 else
874 pwd_len = 0;
875
876 if (lock) {
877 trace_sdcard_lock();
878 } else {
879 trace_sdcard_unlock();
880 }
881 if (erase) {
882 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
883 set_pwd || clr_pwd || lock || sd->wp_switch ||
884 (sd->csd[14] & 0x20)) {
885 sd->card_status |= LOCK_UNLOCK_FAILED;
886 return;
887 }
888 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
889 sd->csd[14] &= ~0x10;
890 sd->card_status &= ~CARD_IS_LOCKED;
891 sd->pwd_len = 0;
892 /* Erasing the entire card here! */
893 fprintf(stderr, "SD: Card force-erased by CMD42\n");
894 return;
895 }
896
897 if (sd->blk_len < 2 + pwd_len ||
898 pwd_len <= sd->pwd_len ||
899 pwd_len > sd->pwd_len + 16) {
900 sd->card_status |= LOCK_UNLOCK_FAILED;
901 return;
902 }
903
904 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
905 sd->card_status |= LOCK_UNLOCK_FAILED;
906 return;
907 }
908
909 pwd_len -= sd->pwd_len;
910 if ((pwd_len && !set_pwd) ||
911 (clr_pwd && (set_pwd || lock)) ||
912 (lock && !sd->pwd_len && !set_pwd) ||
913 (!set_pwd && !clr_pwd &&
914 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
915 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
916 sd->card_status |= LOCK_UNLOCK_FAILED;
917 return;
918 }
919
920 if (set_pwd) {
921 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
922 sd->pwd_len = pwd_len;
923 }
924
925 if (clr_pwd) {
926 sd->pwd_len = 0;
927 }
928
929 if (lock)
930 sd->card_status |= CARD_IS_LOCKED;
931 else
932 sd->card_status &= ~CARD_IS_LOCKED;
933 }
934
935 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
936 {
937 uint32_t rca = 0x0000;
938 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
939
940 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
941 * However there is no ACMD55, so we want to trace this particular case.
942 */
943 if (req.cmd != 55 || sd->expecting_acmd) {
944 trace_sdcard_normal_command(sd->proto_name,
945 sd_cmd_name(req.cmd), req.cmd,
946 req.arg, sd_state_name(sd->state));
947 }
948
949 /* Not interpreting this as an app command */
950 sd->card_status &= ~APP_CMD;
951
952 if (sd_cmd_type[req.cmd] == sd_ac
953 || sd_cmd_type[req.cmd] == sd_adtc) {
954 rca = req.arg >> 16;
955 }
956
957 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
958 * if not, its effects are cancelled */
959 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
960 sd->multi_blk_cnt = 0;
961 }
962
963 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
964 /* Only Standard Capacity cards support class 6 commands */
965 return sd_illegal;
966 }
967
968 switch (req.cmd) {
969 /* Basic commands (Class 0 and Class 1) */
970 case 0: /* CMD0: GO_IDLE_STATE */
971 switch (sd->state) {
972 case sd_inactive_state:
973 return sd->spi ? sd_r1 : sd_r0;
974
975 default:
976 sd->state = sd_idle_state;
977 sd_reset(DEVICE(sd));
978 return sd->spi ? sd_r1 : sd_r0;
979 }
980 break;
981
982 case 1: /* CMD1: SEND_OP_CMD */
983 if (!sd->spi)
984 goto bad_cmd;
985
986 sd->state = sd_transfer_state;
987 return sd_r1;
988
989 case 2: /* CMD2: ALL_SEND_CID */
990 if (sd->spi)
991 goto bad_cmd;
992 switch (sd->state) {
993 case sd_ready_state:
994 sd->state = sd_identification_state;
995 return sd_r2_i;
996
997 default:
998 break;
999 }
1000 break;
1001
1002 case 3: /* CMD3: SEND_RELATIVE_ADDR */
1003 if (sd->spi)
1004 goto bad_cmd;
1005 switch (sd->state) {
1006 case sd_identification_state:
1007 case sd_standby_state:
1008 sd->state = sd_standby_state;
1009 sd_set_rca(sd);
1010 return sd_r6;
1011
1012 default:
1013 break;
1014 }
1015 break;
1016
1017 case 4: /* CMD4: SEND_DSR */
1018 if (sd->spi)
1019 goto bad_cmd;
1020 switch (sd->state) {
1021 case sd_standby_state:
1022 break;
1023
1024 default:
1025 break;
1026 }
1027 break;
1028
1029 case 5: /* CMD5: reserved for SDIO cards */
1030 return sd_illegal;
1031
1032 case 6: /* CMD6: SWITCH_FUNCTION */
1033 switch (sd->mode) {
1034 case sd_data_transfer_mode:
1035 sd_function_switch(sd, req.arg);
1036 sd->state = sd_sendingdata_state;
1037 sd->data_start = 0;
1038 sd->data_offset = 0;
1039 return sd_r1;
1040
1041 default:
1042 break;
1043 }
1044 break;
1045
1046 case 7: /* CMD7: SELECT/DESELECT_CARD */
1047 if (sd->spi)
1048 goto bad_cmd;
1049 switch (sd->state) {
1050 case sd_standby_state:
1051 if (sd->rca != rca)
1052 return sd_r0;
1053
1054 sd->state = sd_transfer_state;
1055 return sd_r1b;
1056
1057 case sd_transfer_state:
1058 case sd_sendingdata_state:
1059 if (sd->rca == rca)
1060 break;
1061
1062 sd->state = sd_standby_state;
1063 return sd_r1b;
1064
1065 case sd_disconnect_state:
1066 if (sd->rca != rca)
1067 return sd_r0;
1068
1069 sd->state = sd_programming_state;
1070 return sd_r1b;
1071
1072 case sd_programming_state:
1073 if (sd->rca == rca)
1074 break;
1075
1076 sd->state = sd_disconnect_state;
1077 return sd_r1b;
1078
1079 default:
1080 break;
1081 }
1082 break;
1083
1084 case 8: /* CMD8: SEND_IF_COND */
1085 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1086 break;
1087 }
1088 if (sd->state != sd_idle_state) {
1089 break;
1090 }
1091 sd->vhs = 0;
1092
1093 /* No response if not exactly one VHS bit is set. */
1094 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1095 return sd->spi ? sd_r7 : sd_r0;
1096 }
1097
1098 /* Accept. */
1099 sd->vhs = req.arg;
1100 return sd_r7;
1101
1102 case 9: /* CMD9: SEND_CSD */
1103 switch (sd->state) {
1104 case sd_standby_state:
1105 if (sd->rca != rca)
1106 return sd_r0;
1107
1108 return sd_r2_s;
1109
1110 case sd_transfer_state:
1111 if (!sd->spi)
1112 break;
1113 sd->state = sd_sendingdata_state;
1114 memcpy(sd->data, sd->csd, 16);
1115 sd->data_start = addr;
1116 sd->data_offset = 0;
1117 return sd_r1;
1118
1119 default:
1120 break;
1121 }
1122 break;
1123
1124 case 10: /* CMD10: SEND_CID */
1125 switch (sd->state) {
1126 case sd_standby_state:
1127 if (sd->rca != rca)
1128 return sd_r0;
1129
1130 return sd_r2_i;
1131
1132 case sd_transfer_state:
1133 if (!sd->spi)
1134 break;
1135 sd->state = sd_sendingdata_state;
1136 memcpy(sd->data, sd->cid, 16);
1137 sd->data_start = addr;
1138 sd->data_offset = 0;
1139 return sd_r1;
1140
1141 default:
1142 break;
1143 }
1144 break;
1145
1146 case 12: /* CMD12: STOP_TRANSMISSION */
1147 switch (sd->state) {
1148 case sd_sendingdata_state:
1149 sd->state = sd_transfer_state;
1150 return sd_r1b;
1151
1152 case sd_receivingdata_state:
1153 sd->state = sd_programming_state;
1154 /* Bzzzzzzztt .... Operation complete. */
1155 sd->state = sd_transfer_state;
1156 return sd_r1b;
1157
1158 default:
1159 break;
1160 }
1161 break;
1162
1163 case 13: /* CMD13: SEND_STATUS */
1164 switch (sd->mode) {
1165 case sd_data_transfer_mode:
1166 if (sd->rca != rca)
1167 return sd_r0;
1168
1169 return sd_r1;
1170
1171 default:
1172 break;
1173 }
1174 break;
1175
1176 case 15: /* CMD15: GO_INACTIVE_STATE */
1177 if (sd->spi)
1178 goto bad_cmd;
1179 switch (sd->mode) {
1180 case sd_data_transfer_mode:
1181 if (sd->rca != rca)
1182 return sd_r0;
1183
1184 sd->state = sd_inactive_state;
1185 return sd_r0;
1186
1187 default:
1188 break;
1189 }
1190 break;
1191
1192 /* Block read commands (Classs 2) */
1193 case 16: /* CMD16: SET_BLOCKLEN */
1194 switch (sd->state) {
1195 case sd_transfer_state:
1196 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1197 sd->card_status |= BLOCK_LEN_ERROR;
1198 } else {
1199 trace_sdcard_set_blocklen(req.arg);
1200 sd->blk_len = req.arg;
1201 }
1202
1203 return sd_r1;
1204
1205 default:
1206 break;
1207 }
1208 break;
1209
1210 case 17: /* CMD17: READ_SINGLE_BLOCK */
1211 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1212 switch (sd->state) {
1213 case sd_transfer_state:
1214
1215 if (addr + sd->blk_len > sd->size) {
1216 sd->card_status |= ADDRESS_ERROR;
1217 return sd_r1;
1218 }
1219
1220 sd->state = sd_sendingdata_state;
1221 sd->data_start = addr;
1222 sd->data_offset = 0;
1223 return sd_r1;
1224
1225 default:
1226 break;
1227 }
1228 break;
1229
1230 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1231 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1232 break;
1233 }
1234 if (sd->state == sd_transfer_state) {
1235 sd->state = sd_sendingdata_state;
1236 sd->data_offset = 0;
1237 return sd_r1;
1238 }
1239 break;
1240
1241 case 23: /* CMD23: SET_BLOCK_COUNT */
1242 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1243 break;
1244 }
1245 switch (sd->state) {
1246 case sd_transfer_state:
1247 sd->multi_blk_cnt = req.arg;
1248 return sd_r1;
1249
1250 default:
1251 break;
1252 }
1253 break;
1254
1255 /* Block write commands (Class 4) */
1256 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1257 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1258 switch (sd->state) {
1259 case sd_transfer_state:
1260
1261 if (addr + sd->blk_len > sd->size) {
1262 sd->card_status |= ADDRESS_ERROR;
1263 return sd_r1;
1264 }
1265
1266 sd->state = sd_receivingdata_state;
1267 sd->data_start = addr;
1268 sd->data_offset = 0;
1269 sd->blk_written = 0;
1270
1271 if (sd->size <= SDSC_MAX_CAPACITY) {
1272 if (sd_wp_addr(sd, sd->data_start)) {
1273 sd->card_status |= WP_VIOLATION;
1274 }
1275 }
1276 if (sd->csd[14] & 0x30) {
1277 sd->card_status |= WP_VIOLATION;
1278 }
1279 return sd_r1;
1280
1281 default:
1282 break;
1283 }
1284 break;
1285
1286 case 26: /* CMD26: PROGRAM_CID */
1287 if (sd->spi)
1288 goto bad_cmd;
1289 switch (sd->state) {
1290 case sd_transfer_state:
1291 sd->state = sd_receivingdata_state;
1292 sd->data_start = 0;
1293 sd->data_offset = 0;
1294 return sd_r1;
1295
1296 default:
1297 break;
1298 }
1299 break;
1300
1301 case 27: /* CMD27: PROGRAM_CSD */
1302 switch (sd->state) {
1303 case sd_transfer_state:
1304 sd->state = sd_receivingdata_state;
1305 sd->data_start = 0;
1306 sd->data_offset = 0;
1307 return sd_r1;
1308
1309 default:
1310 break;
1311 }
1312 break;
1313
1314 /* Write protection (Class 6) */
1315 case 28: /* CMD28: SET_WRITE_PROT */
1316 if (sd->size > SDSC_MAX_CAPACITY) {
1317 return sd_illegal;
1318 }
1319
1320 switch (sd->state) {
1321 case sd_transfer_state:
1322 if (addr >= sd->size) {
1323 sd->card_status |= ADDRESS_ERROR;
1324 return sd_r1b;
1325 }
1326
1327 sd->state = sd_programming_state;
1328 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1329 /* Bzzzzzzztt .... Operation complete. */
1330 sd->state = sd_transfer_state;
1331 return sd_r1b;
1332
1333 default:
1334 break;
1335 }
1336 break;
1337
1338 case 29: /* CMD29: CLR_WRITE_PROT */
1339 if (sd->size > SDSC_MAX_CAPACITY) {
1340 return sd_illegal;
1341 }
1342
1343 switch (sd->state) {
1344 case sd_transfer_state:
1345 if (addr >= sd->size) {
1346 sd->card_status |= ADDRESS_ERROR;
1347 return sd_r1b;
1348 }
1349
1350 sd->state = sd_programming_state;
1351 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1352 /* Bzzzzzzztt .... Operation complete. */
1353 sd->state = sd_transfer_state;
1354 return sd_r1b;
1355
1356 default:
1357 break;
1358 }
1359 break;
1360
1361 case 30: /* CMD30: SEND_WRITE_PROT */
1362 if (sd->size > SDSC_MAX_CAPACITY) {
1363 return sd_illegal;
1364 }
1365
1366 switch (sd->state) {
1367 case sd_transfer_state:
1368 sd->state = sd_sendingdata_state;
1369 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1370 sd->data_start = addr;
1371 sd->data_offset = 0;
1372 return sd_r1;
1373
1374 default:
1375 break;
1376 }
1377 break;
1378
1379 /* Erase commands (Class 5) */
1380 case 32: /* CMD32: ERASE_WR_BLK_START */
1381 switch (sd->state) {
1382 case sd_transfer_state:
1383 sd->erase_start = req.arg;
1384 return sd_r1;
1385
1386 default:
1387 break;
1388 }
1389 break;
1390
1391 case 33: /* CMD33: ERASE_WR_BLK_END */
1392 switch (sd->state) {
1393 case sd_transfer_state:
1394 sd->erase_end = req.arg;
1395 return sd_r1;
1396
1397 default:
1398 break;
1399 }
1400 break;
1401
1402 case 38: /* CMD38: ERASE */
1403 switch (sd->state) {
1404 case sd_transfer_state:
1405 if (sd->csd[14] & 0x30) {
1406 sd->card_status |= WP_VIOLATION;
1407 return sd_r1b;
1408 }
1409
1410 sd->state = sd_programming_state;
1411 sd_erase(sd);
1412 /* Bzzzzzzztt .... Operation complete. */
1413 sd->state = sd_transfer_state;
1414 return sd_r1b;
1415
1416 default:
1417 break;
1418 }
1419 break;
1420
1421 /* Lock card commands (Class 7) */
1422 case 42: /* CMD42: LOCK_UNLOCK */
1423 switch (sd->state) {
1424 case sd_transfer_state:
1425 sd->state = sd_receivingdata_state;
1426 sd->data_start = 0;
1427 sd->data_offset = 0;
1428 return sd_r1;
1429
1430 default:
1431 break;
1432 }
1433 break;
1434
1435 case 52 ... 54:
1436 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1437 * (see the SDIO Simplified Specification V2.0)
1438 * Handle as illegal command but do not complain
1439 * on stderr, as some OSes may use these in their
1440 * probing for presence of an SDIO card.
1441 */
1442 return sd_illegal;
1443
1444 /* Application specific commands (Class 8) */
1445 case 55: /* CMD55: APP_CMD */
1446 switch (sd->state) {
1447 case sd_ready_state:
1448 case sd_identification_state:
1449 case sd_inactive_state:
1450 return sd_illegal;
1451 case sd_idle_state:
1452 if (rca) {
1453 qemu_log_mask(LOG_GUEST_ERROR,
1454 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1455 }
1456 default:
1457 break;
1458 }
1459 if (!sd->spi) {
1460 if (sd->rca != rca) {
1461 return sd_r0;
1462 }
1463 }
1464 sd->expecting_acmd = true;
1465 sd->card_status |= APP_CMD;
1466 return sd_r1;
1467
1468 case 56: /* CMD56: GEN_CMD */
1469 switch (sd->state) {
1470 case sd_transfer_state:
1471 sd->data_offset = 0;
1472 if (req.arg & 1)
1473 sd->state = sd_sendingdata_state;
1474 else
1475 sd->state = sd_receivingdata_state;
1476 return sd_r1;
1477
1478 default:
1479 break;
1480 }
1481 break;
1482
1483 case 58: /* CMD58: READ_OCR (SPI) */
1484 if (!sd->spi) {
1485 goto bad_cmd;
1486 }
1487 return sd_r3;
1488
1489 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1490 if (!sd->spi) {
1491 goto bad_cmd;
1492 }
1493 return sd_r1;
1494
1495 default:
1496 bad_cmd:
1497 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1498 return sd_illegal;
1499 }
1500
1501 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1502 return sd_illegal;
1503 }
1504
1505 static sd_rsp_type_t sd_app_command(SDState *sd,
1506 SDRequest req)
1507 {
1508 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1509 req.cmd, req.arg, sd_state_name(sd->state));
1510 sd->card_status |= APP_CMD;
1511 switch (req.cmd) {
1512 case 6: /* ACMD6: SET_BUS_WIDTH */
1513 if (sd->spi) {
1514 goto unimplemented_spi_cmd;
1515 }
1516 switch (sd->state) {
1517 case sd_transfer_state:
1518 sd->sd_status[0] &= 0x3f;
1519 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1520 return sd_r1;
1521
1522 default:
1523 break;
1524 }
1525 break;
1526
1527 case 13: /* ACMD13: SD_STATUS */
1528 switch (sd->state) {
1529 case sd_transfer_state:
1530 sd->state = sd_sendingdata_state;
1531 sd->data_start = 0;
1532 sd->data_offset = 0;
1533 return sd_r1;
1534
1535 default:
1536 break;
1537 }
1538 break;
1539
1540 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1541 switch (sd->state) {
1542 case sd_transfer_state:
1543 *(uint32_t *) sd->data = sd->blk_written;
1544
1545 sd->state = sd_sendingdata_state;
1546 sd->data_start = 0;
1547 sd->data_offset = 0;
1548 return sd_r1;
1549
1550 default:
1551 break;
1552 }
1553 break;
1554
1555 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1556 switch (sd->state) {
1557 case sd_transfer_state:
1558 return sd_r1;
1559
1560 default:
1561 break;
1562 }
1563 break;
1564
1565 case 41: /* ACMD41: SD_APP_OP_COND */
1566 if (sd->spi) {
1567 /* SEND_OP_CMD */
1568 sd->state = sd_transfer_state;
1569 return sd_r1;
1570 }
1571 if (sd->state != sd_idle_state) {
1572 break;
1573 }
1574 /* If it's the first ACMD41 since reset, we need to decide
1575 * whether to power up. If this is not an enquiry ACMD41,
1576 * we immediately report power on and proceed below to the
1577 * ready state, but if it is, we set a timer to model a
1578 * delay for power up. This works around a bug in EDK2
1579 * UEFI, which sends an initial enquiry ACMD41, but
1580 * assumes that the card is in ready state as soon as it
1581 * sees the power up bit set. */
1582 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1583 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1584 timer_del(sd->ocr_power_timer);
1585 sd_ocr_powerup(sd);
1586 } else {
1587 trace_sdcard_inquiry_cmd41();
1588 if (!timer_pending(sd->ocr_power_timer)) {
1589 timer_mod_ns(sd->ocr_power_timer,
1590 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1591 + OCR_POWER_DELAY_NS));
1592 }
1593 }
1594 }
1595
1596 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1597 /* We accept any voltage. 10000 V is nothing.
1598 *
1599 * Once we're powered up, we advance straight to ready state
1600 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1601 */
1602 sd->state = sd_ready_state;
1603 }
1604
1605 return sd_r3;
1606
1607 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1608 switch (sd->state) {
1609 case sd_transfer_state:
1610 /* Bringing in the 50KOhm pull-up resistor... Done. */
1611 return sd_r1;
1612
1613 default:
1614 break;
1615 }
1616 break;
1617
1618 case 51: /* ACMD51: SEND_SCR */
1619 switch (sd->state) {
1620 case sd_transfer_state:
1621 sd->state = sd_sendingdata_state;
1622 sd->data_start = 0;
1623 sd->data_offset = 0;
1624 return sd_r1;
1625
1626 default:
1627 break;
1628 }
1629 break;
1630
1631 case 18: /* Reserved for SD security applications */
1632 case 25:
1633 case 26:
1634 case 38:
1635 case 43 ... 49:
1636 /* Refer to the "SD Specifications Part3 Security Specification" for
1637 * information about the SD Security Features.
1638 */
1639 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1640 req.cmd);
1641 return sd_illegal;
1642
1643 default:
1644 /* Fall back to standard commands. */
1645 return sd_normal_command(sd, req);
1646
1647 unimplemented_spi_cmd:
1648 /* Commands that are recognised but not yet implemented in SPI mode. */
1649 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1650 req.cmd);
1651 return sd_illegal;
1652 }
1653
1654 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1655 return sd_illegal;
1656 }
1657
1658 static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1659 {
1660 /* Valid commands in locked state:
1661 * basic class (0)
1662 * lock card class (7)
1663 * CMD16
1664 * implicitly, the ACMD prefix CMD55
1665 * ACMD41 and ACMD42
1666 * Anything else provokes an "illegal command" response.
1667 */
1668 if (sd->expecting_acmd) {
1669 return cmd == 41 || cmd == 42;
1670 }
1671 if (cmd == 16 || cmd == 55) {
1672 return 1;
1673 }
1674 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1675 }
1676
1677 int sd_do_command(SDState *sd, SDRequest *req,
1678 uint8_t *response) {
1679 int last_state;
1680 sd_rsp_type_t rtype;
1681 int rsplen;
1682
1683 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1684 return 0;
1685 }
1686
1687 if (sd_req_crc_validate(req)) {
1688 sd->card_status |= COM_CRC_ERROR;
1689 rtype = sd_illegal;
1690 goto send_response;
1691 }
1692
1693 if (req->cmd >= SDMMC_CMD_MAX) {
1694 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1695 req->cmd);
1696 req->cmd &= 0x3f;
1697 }
1698
1699 if (sd->card_status & CARD_IS_LOCKED) {
1700 if (!cmd_valid_while_locked(sd, req->cmd)) {
1701 sd->card_status |= ILLEGAL_COMMAND;
1702 sd->expecting_acmd = false;
1703 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1704 rtype = sd_illegal;
1705 goto send_response;
1706 }
1707 }
1708
1709 last_state = sd->state;
1710 sd_set_mode(sd);
1711
1712 if (sd->expecting_acmd) {
1713 sd->expecting_acmd = false;
1714 rtype = sd_app_command(sd, *req);
1715 } else {
1716 rtype = sd_normal_command(sd, *req);
1717 }
1718
1719 if (rtype == sd_illegal) {
1720 sd->card_status |= ILLEGAL_COMMAND;
1721 } else {
1722 /* Valid command, we can update the 'state before command' bits.
1723 * (Do this now so they appear in r1 responses.)
1724 */
1725 sd->current_cmd = req->cmd;
1726 sd->card_status &= ~CURRENT_STATE;
1727 sd->card_status |= (last_state << 9);
1728 }
1729
1730 send_response:
1731 switch (rtype) {
1732 case sd_r1:
1733 case sd_r1b:
1734 sd_response_r1_make(sd, response);
1735 rsplen = 4;
1736 break;
1737
1738 case sd_r2_i:
1739 memcpy(response, sd->cid, sizeof(sd->cid));
1740 rsplen = 16;
1741 break;
1742
1743 case sd_r2_s:
1744 memcpy(response, sd->csd, sizeof(sd->csd));
1745 rsplen = 16;
1746 break;
1747
1748 case sd_r3:
1749 sd_response_r3_make(sd, response);
1750 rsplen = 4;
1751 break;
1752
1753 case sd_r6:
1754 sd_response_r6_make(sd, response);
1755 rsplen = 4;
1756 break;
1757
1758 case sd_r7:
1759 sd_response_r7_make(sd, response);
1760 rsplen = 4;
1761 break;
1762
1763 case sd_r0:
1764 case sd_illegal:
1765 rsplen = 0;
1766 break;
1767 default:
1768 g_assert_not_reached();
1769 }
1770 trace_sdcard_response(sd_response_name(rtype), rsplen);
1771
1772 if (rtype != sd_illegal) {
1773 /* Clear the "clear on valid command" status bits now we've
1774 * sent any response
1775 */
1776 sd->card_status &= ~CARD_STATUS_B;
1777 }
1778
1779 #ifdef DEBUG_SD
1780 qemu_hexdump(stderr, "Response", response, rsplen);
1781 #endif
1782
1783 return rsplen;
1784 }
1785
1786 void sd_write_byte(SDState *sd, uint8_t value)
1787 {
1788 int i;
1789
1790 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1791 return;
1792
1793 if (sd->state != sd_receivingdata_state) {
1794 qemu_log_mask(LOG_GUEST_ERROR,
1795 "%s: not in Receiving-Data state\n", __func__);
1796 return;
1797 }
1798
1799 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1800 return;
1801
1802 trace_sdcard_write_data(sd->proto_name,
1803 sd_acmd_name(sd->current_cmd),
1804 sd->current_cmd, value);
1805 switch (sd->current_cmd) {
1806 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1807 sd->data[sd->data_offset ++] = value;
1808 if (sd->data_offset >= sd->blk_len) {
1809 /* TODO: Check CRC before committing */
1810 sd->state = sd_programming_state;
1811 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1812 sd->blk_written ++;
1813 sd->csd[14] |= 0x40;
1814 /* Bzzzzzzztt .... Operation complete. */
1815 sd->state = sd_transfer_state;
1816 }
1817 break;
1818
1819 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1820 if (sd->data_offset == 0) {
1821 /* Start of the block - let's check the address is valid */
1822 if (sd->data_start + sd->blk_len > sd->size) {
1823 sd->card_status |= ADDRESS_ERROR;
1824 break;
1825 }
1826 if (sd->size <= SDSC_MAX_CAPACITY) {
1827 if (sd_wp_addr(sd, sd->data_start)) {
1828 sd->card_status |= WP_VIOLATION;
1829 break;
1830 }
1831 }
1832 }
1833 sd->data[sd->data_offset++] = value;
1834 if (sd->data_offset >= sd->blk_len) {
1835 /* TODO: Check CRC before committing */
1836 sd->state = sd_programming_state;
1837 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1838 sd->blk_written++;
1839 sd->data_start += sd->blk_len;
1840 sd->data_offset = 0;
1841 sd->csd[14] |= 0x40;
1842
1843 /* Bzzzzzzztt .... Operation complete. */
1844 if (sd->multi_blk_cnt != 0) {
1845 if (--sd->multi_blk_cnt == 0) {
1846 /* Stop! */
1847 sd->state = sd_transfer_state;
1848 break;
1849 }
1850 }
1851
1852 sd->state = sd_receivingdata_state;
1853 }
1854 break;
1855
1856 case 26: /* CMD26: PROGRAM_CID */
1857 sd->data[sd->data_offset ++] = value;
1858 if (sd->data_offset >= sizeof(sd->cid)) {
1859 /* TODO: Check CRC before committing */
1860 sd->state = sd_programming_state;
1861 for (i = 0; i < sizeof(sd->cid); i ++)
1862 if ((sd->cid[i] | 0x00) != sd->data[i])
1863 sd->card_status |= CID_CSD_OVERWRITE;
1864
1865 if (!(sd->card_status & CID_CSD_OVERWRITE))
1866 for (i = 0; i < sizeof(sd->cid); i ++) {
1867 sd->cid[i] |= 0x00;
1868 sd->cid[i] &= sd->data[i];
1869 }
1870 /* Bzzzzzzztt .... Operation complete. */
1871 sd->state = sd_transfer_state;
1872 }
1873 break;
1874
1875 case 27: /* CMD27: PROGRAM_CSD */
1876 sd->data[sd->data_offset ++] = value;
1877 if (sd->data_offset >= sizeof(sd->csd)) {
1878 /* TODO: Check CRC before committing */
1879 sd->state = sd_programming_state;
1880 for (i = 0; i < sizeof(sd->csd); i ++)
1881 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1882 (sd->data[i] | sd_csd_rw_mask[i]))
1883 sd->card_status |= CID_CSD_OVERWRITE;
1884
1885 /* Copy flag (OTP) & Permanent write protect */
1886 if (sd->csd[14] & ~sd->data[14] & 0x60)
1887 sd->card_status |= CID_CSD_OVERWRITE;
1888
1889 if (!(sd->card_status & CID_CSD_OVERWRITE))
1890 for (i = 0; i < sizeof(sd->csd); i ++) {
1891 sd->csd[i] |= sd_csd_rw_mask[i];
1892 sd->csd[i] &= sd->data[i];
1893 }
1894 /* Bzzzzzzztt .... Operation complete. */
1895 sd->state = sd_transfer_state;
1896 }
1897 break;
1898
1899 case 42: /* CMD42: LOCK_UNLOCK */
1900 sd->data[sd->data_offset ++] = value;
1901 if (sd->data_offset >= sd->blk_len) {
1902 /* TODO: Check CRC before committing */
1903 sd->state = sd_programming_state;
1904 sd_lock_command(sd);
1905 /* Bzzzzzzztt .... Operation complete. */
1906 sd->state = sd_transfer_state;
1907 }
1908 break;
1909
1910 case 56: /* CMD56: GEN_CMD */
1911 sd->data[sd->data_offset ++] = value;
1912 if (sd->data_offset >= sd->blk_len) {
1913 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1914 sd->state = sd_transfer_state;
1915 }
1916 break;
1917
1918 default:
1919 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1920 break;
1921 }
1922 }
1923
1924 #define SD_TUNING_BLOCK_SIZE 64
1925
1926 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1927 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1928 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1929 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1930 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1931 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1932 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1933 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1934 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1935 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1936 };
1937
1938 uint8_t sd_read_byte(SDState *sd)
1939 {
1940 /* TODO: Append CRCs */
1941 uint8_t ret;
1942 uint32_t io_len;
1943
1944 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1945 return 0x00;
1946
1947 if (sd->state != sd_sendingdata_state) {
1948 qemu_log_mask(LOG_GUEST_ERROR,
1949 "%s: not in Sending-Data state\n", __func__);
1950 return 0x00;
1951 }
1952
1953 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1954 return 0x00;
1955
1956 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1957
1958 trace_sdcard_read_data(sd->proto_name,
1959 sd_acmd_name(sd->current_cmd),
1960 sd->current_cmd, io_len);
1961 switch (sd->current_cmd) {
1962 case 6: /* CMD6: SWITCH_FUNCTION */
1963 ret = sd->data[sd->data_offset ++];
1964
1965 if (sd->data_offset >= 64)
1966 sd->state = sd_transfer_state;
1967 break;
1968
1969 case 9: /* CMD9: SEND_CSD */
1970 case 10: /* CMD10: SEND_CID */
1971 ret = sd->data[sd->data_offset ++];
1972
1973 if (sd->data_offset >= 16)
1974 sd->state = sd_transfer_state;
1975 break;
1976
1977 case 13: /* ACMD13: SD_STATUS */
1978 ret = sd->sd_status[sd->data_offset ++];
1979
1980 if (sd->data_offset >= sizeof(sd->sd_status))
1981 sd->state = sd_transfer_state;
1982 break;
1983
1984 case 17: /* CMD17: READ_SINGLE_BLOCK */
1985 if (sd->data_offset == 0)
1986 BLK_READ_BLOCK(sd->data_start, io_len);
1987 ret = sd->data[sd->data_offset ++];
1988
1989 if (sd->data_offset >= io_len)
1990 sd->state = sd_transfer_state;
1991 break;
1992
1993 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1994 if (sd->data_offset == 0) {
1995 if (sd->data_start + io_len > sd->size) {
1996 sd->card_status |= ADDRESS_ERROR;
1997 return 0x00;
1998 }
1999 BLK_READ_BLOCK(sd->data_start, io_len);
2000 }
2001 ret = sd->data[sd->data_offset ++];
2002
2003 if (sd->data_offset >= io_len) {
2004 sd->data_start += io_len;
2005 sd->data_offset = 0;
2006
2007 if (sd->multi_blk_cnt != 0) {
2008 if (--sd->multi_blk_cnt == 0) {
2009 /* Stop! */
2010 sd->state = sd_transfer_state;
2011 break;
2012 }
2013 }
2014 }
2015 break;
2016
2017 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2018 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2019 sd->state = sd_transfer_state;
2020 }
2021 ret = sd_tuning_block_pattern[sd->data_offset++];
2022 break;
2023
2024 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2025 ret = sd->data[sd->data_offset ++];
2026
2027 if (sd->data_offset >= 4)
2028 sd->state = sd_transfer_state;
2029 break;
2030
2031 case 30: /* CMD30: SEND_WRITE_PROT */
2032 ret = sd->data[sd->data_offset ++];
2033
2034 if (sd->data_offset >= 4)
2035 sd->state = sd_transfer_state;
2036 break;
2037
2038 case 51: /* ACMD51: SEND_SCR */
2039 ret = sd->scr[sd->data_offset ++];
2040
2041 if (sd->data_offset >= sizeof(sd->scr))
2042 sd->state = sd_transfer_state;
2043 break;
2044
2045 case 56: /* CMD56: GEN_CMD */
2046 if (sd->data_offset == 0)
2047 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2048 ret = sd->data[sd->data_offset ++];
2049
2050 if (sd->data_offset >= sd->blk_len)
2051 sd->state = sd_transfer_state;
2052 break;
2053
2054 default:
2055 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2056 return 0x00;
2057 }
2058
2059 return ret;
2060 }
2061
2062 static bool sd_receive_ready(SDState *sd)
2063 {
2064 return sd->state == sd_receivingdata_state;
2065 }
2066
2067 static bool sd_data_ready(SDState *sd)
2068 {
2069 return sd->state == sd_sendingdata_state;
2070 }
2071
2072 void sd_enable(SDState *sd, bool enable)
2073 {
2074 sd->enable = enable;
2075 }
2076
2077 static void sd_instance_init(Object *obj)
2078 {
2079 SDState *sd = SD_CARD(obj);
2080
2081 sd->enable = true;
2082 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2083 }
2084
2085 static void sd_instance_finalize(Object *obj)
2086 {
2087 SDState *sd = SD_CARD(obj);
2088
2089 timer_free(sd->ocr_power_timer);
2090 }
2091
2092 static void sd_realize(DeviceState *dev, Error **errp)
2093 {
2094 SDState *sd = SD_CARD(dev);
2095 int ret;
2096
2097 sd->proto_name = sd->spi ? "SPI" : "SD";
2098
2099 switch (sd->spec_version) {
2100 case SD_PHY_SPECv1_10_VERS
2101 ... SD_PHY_SPECv3_01_VERS:
2102 break;
2103 default:
2104 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2105 return;
2106 }
2107
2108 if (sd->blk) {
2109 int64_t blk_size;
2110
2111 if (!blk_supports_write_perm(sd->blk)) {
2112 error_setg(errp, "Cannot use read-only drive as SD card");
2113 return;
2114 }
2115
2116 blk_size = blk_getlength(sd->blk);
2117 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2118 int64_t blk_size_aligned = pow2ceil(blk_size);
2119 char *blk_size_str;
2120
2121 blk_size_str = size_to_str(blk_size);
2122 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2123 g_free(blk_size_str);
2124
2125 blk_size_str = size_to_str(blk_size_aligned);
2126 error_append_hint(errp,
2127 "SD card size has to be a power of 2, e.g. %s.\n"
2128 "You can resize disk images with"
2129 " 'qemu-img resize <imagefile> <new-size>'\n"
2130 "(note that this will lose data if you make the"
2131 " image smaller than it currently is).\n",
2132 blk_size_str);
2133 g_free(blk_size_str);
2134
2135 return;
2136 }
2137
2138 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2139 BLK_PERM_ALL, errp);
2140 if (ret < 0) {
2141 return;
2142 }
2143 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2144 }
2145 }
2146
2147 static Property sd_properties[] = {
2148 DEFINE_PROP_UINT8("spec_version", SDState,
2149 spec_version, SD_PHY_SPECv2_00_VERS),
2150 DEFINE_PROP_DRIVE("drive", SDState, blk),
2151 /* We do not model the chip select pin, so allow the board to select
2152 * whether card should be in SSI or MMC/SD mode. It is also up to the
2153 * board to ensure that ssi transfers only occur when the chip select
2154 * is asserted. */
2155 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2156 DEFINE_PROP_END_OF_LIST()
2157 };
2158
2159 static void sd_class_init(ObjectClass *klass, void *data)
2160 {
2161 DeviceClass *dc = DEVICE_CLASS(klass);
2162 SDCardClass *sc = SD_CARD_CLASS(klass);
2163
2164 dc->realize = sd_realize;
2165 device_class_set_props(dc, sd_properties);
2166 dc->vmsd = &sd_vmstate;
2167 dc->reset = sd_reset;
2168 dc->bus_type = TYPE_SD_BUS;
2169 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2170
2171 sc->set_voltage = sd_set_voltage;
2172 sc->get_dat_lines = sd_get_dat_lines;
2173 sc->get_cmd_line = sd_get_cmd_line;
2174 sc->do_command = sd_do_command;
2175 sc->write_byte = sd_write_byte;
2176 sc->read_byte = sd_read_byte;
2177 sc->receive_ready = sd_receive_ready;
2178 sc->data_ready = sd_data_ready;
2179 sc->enable = sd_enable;
2180 sc->get_inserted = sd_get_inserted;
2181 sc->get_readonly = sd_get_readonly;
2182 }
2183
2184 static const TypeInfo sd_info = {
2185 .name = TYPE_SD_CARD,
2186 .parent = TYPE_DEVICE,
2187 .instance_size = sizeof(SDState),
2188 .class_size = sizeof(SDCardClass),
2189 .class_init = sd_class_init,
2190 .instance_init = sd_instance_init,
2191 .instance_finalize = sd_instance_finalize,
2192 };
2193
2194 static void sd_register_types(void)
2195 {
2196 type_register_static(&sd_info);
2197 }
2198
2199 type_init(sd_register_types)
AR7 emulation for QEMU