search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd/sdcard: Do not attempt to erase out of range addresses
[qemu/ar7.git] / hw / sd / sd.c
blob4454d168e2fc377668f439c3fa70360581d1f10b
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "qemu/error-report.h"
46 #include "qemu/timer.h"
47 #include "qemu/log.h"
48 #include "qemu/module.h"
49 #include "sdmmc-internal.h"
50 #include "trace.h"
51
52 //#define DEBUG_SD 1
53
54 #define SDSC_MAX_CAPACITY (2 * GiB)
55
56 #define INVALID_ADDRESS UINT32_MAX
57
58 typedef enum {
59 sd_r0 = 0, /* no response */
60 sd_r1, /* normal response command */
61 sd_r2_i, /* CID register */
62 sd_r2_s, /* CSD register */
63 sd_r3, /* OCR register */
64 sd_r6 = 6, /* Published RCA response */
65 sd_r7, /* Operating voltage */
66 sd_r1b = -1,
67 sd_illegal = -2,
68 } sd_rsp_type_t;
69
70 enum SDCardModes {
71 sd_inactive,
72 sd_card_identification_mode,
73 sd_data_transfer_mode,
74 };
75
76 enum SDCardStates {
77 sd_inactive_state = -1,
78 sd_idle_state = 0,
79 sd_ready_state,
80 sd_identification_state,
81 sd_standby_state,
82 sd_transfer_state,
83 sd_sendingdata_state,
84 sd_receivingdata_state,
85 sd_programming_state,
86 sd_disconnect_state,
87 };
88
89 struct SDState {
90 DeviceState parent_obj;
91
92 /* If true, created by sd_init() for a non-qdevified caller */
93 /* TODO purge them with fire */
94 bool me_no_qdev_me_kill_mammoth_with_rocks;
95
96 /* SD Memory Card Registers */
97 uint32_t ocr;
98 uint8_t scr[8];
99 uint8_t cid[16];
100 uint8_t csd[16];
101 uint16_t rca;
102 uint32_t card_status;
103 uint8_t sd_status[64];
104
105 /* Configurable properties */
106 uint8_t spec_version;
107 BlockBackend *blk;
108 bool spi;
109
110 uint32_t mode; /* current card mode, one of SDCardModes */
111 int32_t state; /* current card state, one of SDCardStates */
112 uint32_t vhs;
113 bool wp_switch;
114 unsigned long *wp_groups;
115 int32_t wpgrps_size;
116 uint64_t size;
117 uint32_t blk_len;
118 uint32_t multi_blk_cnt;
119 uint32_t erase_start;
120 uint32_t erase_end;
121 uint8_t pwd[16];
122 uint32_t pwd_len;
123 uint8_t function_group[6];
124 uint8_t current_cmd;
125 /* True if we will handle the next command as an ACMD. Note that this does
126 * *not* track the APP_CMD status bit!
127 */
128 bool expecting_acmd;
129 uint32_t blk_written;
130 uint64_t data_start;
131 uint32_t data_offset;
132 uint8_t data[512];
133 qemu_irq readonly_cb;
134 qemu_irq inserted_cb;
135 QEMUTimer *ocr_power_timer;
136 const char *proto_name;
137 bool enable;
138 uint8_t dat_lines;
139 bool cmd_line;
140 };
141
142 static void sd_realize(DeviceState *dev, Error **errp);
143
144 static const char *sd_state_name(enum SDCardStates state)
145 {
146 static const char *state_name[] = {
147 [sd_idle_state] = "idle",
148 [sd_ready_state] = "ready",
149 [sd_identification_state] = "identification",
150 [sd_standby_state] = "standby",
151 [sd_transfer_state] = "transfer",
152 [sd_sendingdata_state] = "sendingdata",
153 [sd_receivingdata_state] = "receivingdata",
154 [sd_programming_state] = "programming",
155 [sd_disconnect_state] = "disconnect",
156 };
157 if (state == sd_inactive_state) {
158 return "inactive";
159 }
160 assert(state < ARRAY_SIZE(state_name));
161 return state_name[state];
162 }
163
164 static const char *sd_response_name(sd_rsp_type_t rsp)
165 {
166 static const char *response_name[] = {
167 [sd_r0] = "RESP#0 (no response)",
168 [sd_r1] = "RESP#1 (normal cmd)",
169 [sd_r2_i] = "RESP#2 (CID reg)",
170 [sd_r2_s] = "RESP#2 (CSD reg)",
171 [sd_r3] = "RESP#3 (OCR reg)",
172 [sd_r6] = "RESP#6 (RCA)",
173 [sd_r7] = "RESP#7 (operating voltage)",
174 };
175 if (rsp == sd_illegal) {
176 return "ILLEGAL RESP";
177 }
178 if (rsp == sd_r1b) {
179 rsp = sd_r1;
180 }
181 assert(rsp < ARRAY_SIZE(response_name));
182 return response_name[rsp];
183 }
184
185 static uint8_t sd_get_dat_lines(SDState *sd)
186 {
187 return sd->enable ? sd->dat_lines : 0;
188 }
189
190 static bool sd_get_cmd_line(SDState *sd)
191 {
192 return sd->enable ? sd->cmd_line : false;
193 }
194
195 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
196 {
197 trace_sdcard_set_voltage(millivolts);
198
199 switch (millivolts) {
200 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
201 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
202 break;
203 default:
204 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
205 millivolts / 1000.f);
206 }
207 }
208
209 static void sd_set_mode(SDState *sd)
210 {
211 switch (sd->state) {
212 case sd_inactive_state:
213 sd->mode = sd_inactive;
214 break;
215
216 case sd_idle_state:
217 case sd_ready_state:
218 case sd_identification_state:
219 sd->mode = sd_card_identification_mode;
220 break;
221
222 case sd_standby_state:
223 case sd_transfer_state:
224 case sd_sendingdata_state:
225 case sd_receivingdata_state:
226 case sd_programming_state:
227 case sd_disconnect_state:
228 sd->mode = sd_data_transfer_mode;
229 break;
230 }
231 }
232
233 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
234 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
235 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
236 /* 16 */
237 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
238 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
239 /* 32 */
240 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
241 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
242 /* 48 */
243 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
244 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
245 };
246
247 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
248 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
249 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
250 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
251 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
252 };
253
254 static uint8_t sd_crc7(void *message, size_t width)
255 {
256 int i, bit;
257 uint8_t shift_reg = 0x00;
258 uint8_t *msg = (uint8_t *) message;
259
260 for (i = 0; i < width; i ++, msg ++)
261 for (bit = 7; bit >= 0; bit --) {
262 shift_reg <<= 1;
263 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
264 shift_reg ^= 0x89;
265 }
266
267 return shift_reg;
268 }
269
270 static uint16_t sd_crc16(void *message, size_t width)
271 {
272 int i, bit;
273 uint16_t shift_reg = 0x0000;
274 uint16_t *msg = (uint16_t *) message;
275 width <<= 1;
276
277 for (i = 0; i < width; i ++, msg ++)
278 for (bit = 15; bit >= 0; bit --) {
279 shift_reg <<= 1;
280 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
281 shift_reg ^= 0x1011;
282 }
283
284 return shift_reg;
285 }
286
287 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
288
289 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
290 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
291 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
292 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
293 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
294 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
295 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
296 FIELD(OCR, CARD_POWER_UP, 31, 1)
297
298 #define ACMD41_ENQUIRY_MASK 0x00ffffff
299 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
300 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
301 | R_OCR_UHS_II_CARD_MASK \
302 | R_OCR_CARD_CAPACITY_MASK \
303 | R_OCR_CARD_POWER_UP_MASK)
304
305 static void sd_set_ocr(SDState *sd)
306 {
307 /* All voltages OK */
308 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
309 }
310
311 static void sd_ocr_powerup(void *opaque)
312 {
313 SDState *sd = opaque;
314
315 trace_sdcard_powerup();
316 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
317
318 /* card power-up OK */
319 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
320
321 if (sd->size > SDSC_MAX_CAPACITY) {
322 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
323 }
324 }
325
326 static void sd_set_scr(SDState *sd)
327 {
328 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
329 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
330 sd->scr[0] |= 1; /* Spec Version 1.10 */
331 } else {
332 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
333 }
334 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
335 | 0b0101; /* 1-bit or 4-bit width bus modes */
336 sd->scr[2] = 0x00; /* Extended Security is not supported. */
337 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
338 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
339 }
340 sd->scr[3] = 0x00;
341 /* reserved for manufacturer usage */
342 sd->scr[4] = 0x00;
343 sd->scr[5] = 0x00;
344 sd->scr[6] = 0x00;
345 sd->scr[7] = 0x00;
346 }
347
348 #define MID 0xaa
349 #define OID "XY"
350 #define PNM "QEMU!"
351 #define PRV 0x01
352 #define MDT_YR 2006
353 #define MDT_MON 2
354
355 static void sd_set_cid(SDState *sd)
356 {
357 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
358 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
359 sd->cid[2] = OID[1];
360 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
361 sd->cid[4] = PNM[1];
362 sd->cid[5] = PNM[2];
363 sd->cid[6] = PNM[3];
364 sd->cid[7] = PNM[4];
365 sd->cid[8] = PRV; /* Fake product revision (PRV) */
366 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
367 sd->cid[10] = 0xad;
368 sd->cid[11] = 0xbe;
369 sd->cid[12] = 0xef;
370 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
371 ((MDT_YR - 2000) / 10);
372 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
373 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
374 }
375
376 #define HWBLOCK_SHIFT 9 /* 512 bytes */
377 #define SECTOR_SHIFT 5 /* 16 kilobytes */
378 #define WPGROUP_SHIFT 7 /* 2 megs */
379 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
380 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
381
382 static const uint8_t sd_csd_rw_mask[16] = {
383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
385 };
386
387 static void sd_set_csd(SDState *sd, uint64_t size)
388 {
389 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
390 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
391 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
392
393 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
394 sd->csd[0] = 0x00; /* CSD structure */
395 sd->csd[1] = 0x26; /* Data read access-time-1 */
396 sd->csd[2] = 0x00; /* Data read access-time-2 */
397 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
398 sd->csd[4] = 0x5f; /* Card Command Classes */
399 sd->csd[5] = 0x50 | /* Max. read data block length */
400 HWBLOCK_SHIFT;
401 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
402 ((csize >> 10) & 0x03);
403 sd->csd[7] = 0x00 | /* Device size */
404 ((csize >> 2) & 0xff);
405 sd->csd[8] = 0x3f | /* Max. read current */
406 ((csize << 6) & 0xc0);
407 sd->csd[9] = 0xfc | /* Max. write current */
408 ((CMULT_SHIFT - 2) >> 1);
409 sd->csd[10] = 0x40 | /* Erase sector size */
410 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
411 sd->csd[11] = 0x00 | /* Write protect group size */
412 ((sectsize << 7) & 0x80) | wpsize;
413 sd->csd[12] = 0x90 | /* Write speed factor */
414 (HWBLOCK_SHIFT >> 2);
415 sd->csd[13] = 0x20 | /* Max. write data block length */
416 ((HWBLOCK_SHIFT << 6) & 0xc0);
417 sd->csd[14] = 0x00; /* File format group */
418 } else { /* SDHC */
419 size /= 512 * KiB;
420 size -= 1;
421 sd->csd[0] = 0x40;
422 sd->csd[1] = 0x0e;
423 sd->csd[2] = 0x00;
424 sd->csd[3] = 0x32;
425 sd->csd[4] = 0x5b;
426 sd->csd[5] = 0x59;
427 sd->csd[6] = 0x00;
428 sd->csd[7] = (size >> 16) & 0xff;
429 sd->csd[8] = (size >> 8) & 0xff;
430 sd->csd[9] = (size & 0xff);
431 sd->csd[10] = 0x7f;
432 sd->csd[11] = 0x80;
433 sd->csd[12] = 0x0a;
434 sd->csd[13] = 0x40;
435 sd->csd[14] = 0x00;
436 }
437 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
438 }
439
440 static void sd_set_rca(SDState *sd)
441 {
442 sd->rca += 0x4567;
443 }
444
445 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
446 FIELD(CSR, APP_CMD, 5, 1)
447 FIELD(CSR, FX_EVENT, 6, 1)
448 FIELD(CSR, READY_FOR_DATA, 8, 1)
449 FIELD(CSR, CURRENT_STATE, 9, 4)
450 FIELD(CSR, ERASE_RESET, 13, 1)
451 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
452 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
453 FIELD(CSR, CSD_OVERWRITE, 16, 1)
454 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
455 FIELD(CSR, ERROR, 19, 1)
456 FIELD(CSR, CC_ERROR, 20, 1)
457 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
458 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
459 FIELD(CSR, COM_CRC_ERROR, 23, 1)
460 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
461 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
462 FIELD(CSR, WP_VIOLATION, 26, 1)
463 FIELD(CSR, ERASE_PARAM, 27, 1)
464 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
465 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
466 FIELD(CSR, ADDRESS_ERROR, 30, 1)
467 FIELD(CSR, OUT_OF_RANGE, 31, 1)
468
469 /* Card status bits, split by clear condition:
470 * A : According to the card current state
471 * B : Always related to the previous command
472 * C : Cleared by read
473 */
474 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
475 | R_CSR_CARD_ECC_DISABLED_MASK \
476 | R_CSR_CARD_IS_LOCKED_MASK)
477 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
478 | R_CSR_ILLEGAL_COMMAND_MASK \
479 | R_CSR_COM_CRC_ERROR_MASK)
480 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
481 | R_CSR_APP_CMD_MASK \
482 | R_CSR_ERASE_RESET_MASK \
483 | R_CSR_WP_ERASE_SKIP_MASK \
484 | R_CSR_CSD_OVERWRITE_MASK \
485 | R_CSR_ERROR_MASK \
486 | R_CSR_CC_ERROR_MASK \
487 | R_CSR_CARD_ECC_FAILED_MASK \
488 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
489 | R_CSR_WP_VIOLATION_MASK \
490 | R_CSR_ERASE_PARAM_MASK \
491 | R_CSR_ERASE_SEQ_ERROR_MASK \
492 | R_CSR_BLOCK_LEN_ERROR_MASK \
493 | R_CSR_ADDRESS_ERROR_MASK \
494 | R_CSR_OUT_OF_RANGE_MASK)
495
496 static void sd_set_cardstatus(SDState *sd)
497 {
498 sd->card_status = 0x00000100;
499 }
500
501 static void sd_set_sdstatus(SDState *sd)
502 {
503 memset(sd->sd_status, 0, 64);
504 }
505
506 static int sd_req_crc_validate(SDRequest *req)
507 {
508 uint8_t buffer[5];
509 buffer[0] = 0x40 | req->cmd;
510 stl_be_p(&buffer[1], req->arg);
511 return 0;
512 return sd_crc7(buffer, 5) != req->crc; /* TODO */
513 }
514
515 static void sd_response_r1_make(SDState *sd, uint8_t *response)
516 {
517 stl_be_p(response, sd->card_status);
518
519 /* Clear the "clear on read" status bits */
520 sd->card_status &= ~CARD_STATUS_C;
521 }
522
523 static void sd_response_r3_make(SDState *sd, uint8_t *response)
524 {
525 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
526 }
527
528 static void sd_response_r6_make(SDState *sd, uint8_t *response)
529 {
530 uint16_t status;
531
532 status = ((sd->card_status >> 8) & 0xc000) |
533 ((sd->card_status >> 6) & 0x2000) |
534 (sd->card_status & 0x1fff);
535 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
536 stw_be_p(response + 0, sd->rca);
537 stw_be_p(response + 2, status);
538 }
539
540 static void sd_response_r7_make(SDState *sd, uint8_t *response)
541 {
542 stl_be_p(response, sd->vhs);
543 }
544
545 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
546 {
547 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
548 }
549
550 static void sd_reset(DeviceState *dev)
551 {
552 SDState *sd = SD_CARD(dev);
553 uint64_t size;
554 uint64_t sect;
555
556 trace_sdcard_reset();
557 if (sd->blk) {
558 blk_get_geometry(sd->blk, &sect);
559 } else {
560 sect = 0;
561 }
562 size = sect << 9;
563
564 sect = sd_addr_to_wpnum(size) + 1;
565
566 sd->state = sd_idle_state;
567 sd->rca = 0x0000;
568 sd_set_ocr(sd);
569 sd_set_scr(sd);
570 sd_set_cid(sd);
571 sd_set_csd(sd, size);
572 sd_set_cardstatus(sd);
573 sd_set_sdstatus(sd);
574
575 g_free(sd->wp_groups);
576 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
577 sd->wpgrps_size = sect;
578 sd->wp_groups = bitmap_new(sd->wpgrps_size);
579 memset(sd->function_group, 0, sizeof(sd->function_group));
580 sd->erase_start = INVALID_ADDRESS;
581 sd->erase_end = INVALID_ADDRESS;
582 sd->size = size;
583 sd->blk_len = 0x200;
584 sd->pwd_len = 0;
585 sd->expecting_acmd = false;
586 sd->dat_lines = 0xf;
587 sd->cmd_line = true;
588 sd->multi_blk_cnt = 0;
589 }
590
591 static bool sd_get_inserted(SDState *sd)
592 {
593 return sd->blk && blk_is_inserted(sd->blk);
594 }
595
596 static bool sd_get_readonly(SDState *sd)
597 {
598 return sd->wp_switch;
599 }
600
601 static void sd_cardchange(void *opaque, bool load, Error **errp)
602 {
603 SDState *sd = opaque;
604 DeviceState *dev = DEVICE(sd);
605 SDBus *sdbus;
606 bool inserted = sd_get_inserted(sd);
607 bool readonly = sd_get_readonly(sd);
608
609 if (inserted) {
610 trace_sdcard_inserted(readonly);
611 sd_reset(dev);
612 } else {
613 trace_sdcard_ejected();
614 }
615
616 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
617 qemu_set_irq(sd->inserted_cb, inserted);
618 if (inserted) {
619 qemu_set_irq(sd->readonly_cb, readonly);
620 }
621 } else {
622 sdbus = SD_BUS(qdev_get_parent_bus(dev));
623 sdbus_set_inserted(sdbus, inserted);
624 if (inserted) {
625 sdbus_set_readonly(sdbus, readonly);
626 }
627 }
628 }
629
630 static const BlockDevOps sd_block_ops = {
631 .change_media_cb = sd_cardchange,
632 };
633
634 static bool sd_ocr_vmstate_needed(void *opaque)
635 {
636 SDState *sd = opaque;
637
638 /* Include the OCR state (and timer) if it is not yet powered up */
639 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
640 }
641
642 static const VMStateDescription sd_ocr_vmstate = {
643 .name = "sd-card/ocr-state",
644 .version_id = 1,
645 .minimum_version_id = 1,
646 .needed = sd_ocr_vmstate_needed,
647 .fields = (VMStateField[]) {
648 VMSTATE_UINT32(ocr, SDState),
649 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
650 VMSTATE_END_OF_LIST()
651 },
652 };
653
654 static int sd_vmstate_pre_load(void *opaque)
655 {
656 SDState *sd = opaque;
657
658 /* If the OCR state is not included (prior versions, or not
659 * needed), then the OCR must be set as powered up. If the OCR state
660 * is included, this will be replaced by the state restore.
661 */
662 sd_ocr_powerup(sd);
663
664 return 0;
665 }
666
667 static const VMStateDescription sd_vmstate = {
668 .name = "sd-card",
669 .version_id = 2,
670 .minimum_version_id = 2,
671 .pre_load = sd_vmstate_pre_load,
672 .fields = (VMStateField[]) {
673 VMSTATE_UINT32(mode, SDState),
674 VMSTATE_INT32(state, SDState),
675 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
676 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
677 VMSTATE_UINT16(rca, SDState),
678 VMSTATE_UINT32(card_status, SDState),
679 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
680 VMSTATE_UINT32(vhs, SDState),
681 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
682 VMSTATE_UINT32(blk_len, SDState),
683 VMSTATE_UINT32(multi_blk_cnt, SDState),
684 VMSTATE_UINT32(erase_start, SDState),
685 VMSTATE_UINT32(erase_end, SDState),
686 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
687 VMSTATE_UINT32(pwd_len, SDState),
688 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
689 VMSTATE_UINT8(current_cmd, SDState),
690 VMSTATE_BOOL(expecting_acmd, SDState),
691 VMSTATE_UINT32(blk_written, SDState),
692 VMSTATE_UINT64(data_start, SDState),
693 VMSTATE_UINT32(data_offset, SDState),
694 VMSTATE_UINT8_ARRAY(data, SDState, 512),
695 VMSTATE_UNUSED_V(1, 512),
696 VMSTATE_BOOL(enable, SDState),
697 VMSTATE_END_OF_LIST()
698 },
699 .subsections = (const VMStateDescription*[]) {
700 &sd_ocr_vmstate,
701 NULL
702 },
703 };
704
705 /* Legacy initialization function for use by non-qdevified callers */
706 SDState *sd_init(BlockBackend *blk, bool is_spi)
707 {
708 Object *obj;
709 DeviceState *dev;
710 SDState *sd;
711 Error *err = NULL;
712
713 obj = object_new(TYPE_SD_CARD);
714 dev = DEVICE(obj);
715 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
716 error_reportf_err(err, "sd_init failed: ");
717 return NULL;
718 }
719 qdev_prop_set_bit(dev, "spi", is_spi);
720
721 /*
722 * Realizing the device properly would put it into the QOM
723 * composition tree even though it is not plugged into an
724 * appropriate bus. That's a no-no. Hide the device from
725 * QOM/qdev, and call its qdev realize callback directly.
726 */
727 object_ref(obj);
728 object_unparent(obj);
729 sd_realize(dev, &err);
730 if (err) {
731 error_reportf_err(err, "sd_init failed: ");
732 return NULL;
733 }
734
735 sd = SD_CARD(dev);
736 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
737 return sd;
738 }
739
740 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
741 {
742 sd->readonly_cb = readonly;
743 sd->inserted_cb = insert;
744 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
745 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
746 }
747
748 static void sd_erase(SDState *sd)
749 {
750 int i;
751 uint64_t erase_start = sd->erase_start;
752 uint64_t erase_end = sd->erase_end;
753
754 trace_sdcard_erase(sd->erase_start, sd->erase_end);
755 if (sd->erase_start == INVALID_ADDRESS
756 || sd->erase_end == INVALID_ADDRESS) {
757 sd->card_status |= ERASE_SEQ_ERROR;
758 sd->erase_start = INVALID_ADDRESS;
759 sd->erase_end = INVALID_ADDRESS;
760 return;
761 }
762
763 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
764 /* High capacity memory card: erase units are 512 byte blocks */
765 erase_start *= 512;
766 erase_end *= 512;
767 }
768
769 if (sd->erase_start > sd->size || sd->erase_end > sd->size) {
770 sd->card_status |= OUT_OF_RANGE;
771 sd->erase_start = INVALID_ADDRESS;
772 sd->erase_end = INVALID_ADDRESS;
773 return;
774 }
775
776 erase_start = sd_addr_to_wpnum(erase_start);
777 erase_end = sd_addr_to_wpnum(erase_end);
778 sd->erase_start = INVALID_ADDRESS;
779 sd->erase_end = INVALID_ADDRESS;
780 sd->csd[14] |= 0x40;
781
782 for (i = erase_start; i <= erase_end; i++) {
783 if (test_bit(i, sd->wp_groups)) {
784 sd->card_status |= WP_ERASE_SKIP;
785 }
786 }
787 }
788
789 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
790 {
791 uint32_t i, wpnum;
792 uint32_t ret = 0;
793
794 wpnum = sd_addr_to_wpnum(addr);
795
796 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
797 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
798 ret |= (1 << i);
799 }
800 }
801
802 return ret;
803 }
804
805 static void sd_function_switch(SDState *sd, uint32_t arg)
806 {
807 int i, mode, new_func;
808 mode = !!(arg & 0x80000000);
809
810 sd->data[0] = 0x00; /* Maximum current consumption */
811 sd->data[1] = 0x01;
812 sd->data[2] = 0x80; /* Supported group 6 functions */
813 sd->data[3] = 0x01;
814 sd->data[4] = 0x80; /* Supported group 5 functions */
815 sd->data[5] = 0x01;
816 sd->data[6] = 0x80; /* Supported group 4 functions */
817 sd->data[7] = 0x01;
818 sd->data[8] = 0x80; /* Supported group 3 functions */
819 sd->data[9] = 0x01;
820 sd->data[10] = 0x80; /* Supported group 2 functions */
821 sd->data[11] = 0x43;
822 sd->data[12] = 0x80; /* Supported group 1 functions */
823 sd->data[13] = 0x03;
824
825 for (i = 0; i < 6; i ++) {
826 new_func = (arg >> (i * 4)) & 0x0f;
827 if (mode && new_func != 0x0f)
828 sd->function_group[i] = new_func;
829 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
830 }
831 memset(&sd->data[17], 0, 47);
832 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
833 }
834
835 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
836 {
837 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
838 }
839
840 static void sd_lock_command(SDState *sd)
841 {
842 int erase, lock, clr_pwd, set_pwd, pwd_len;
843 erase = !!(sd->data[0] & 0x08);
844 lock = sd->data[0] & 0x04;
845 clr_pwd = sd->data[0] & 0x02;
846 set_pwd = sd->data[0] & 0x01;
847
848 if (sd->blk_len > 1)
849 pwd_len = sd->data[1];
850 else
851 pwd_len = 0;
852
853 if (lock) {
854 trace_sdcard_lock();
855 } else {
856 trace_sdcard_unlock();
857 }
858 if (erase) {
859 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
860 set_pwd || clr_pwd || lock || sd->wp_switch ||
861 (sd->csd[14] & 0x20)) {
862 sd->card_status |= LOCK_UNLOCK_FAILED;
863 return;
864 }
865 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
866 sd->csd[14] &= ~0x10;
867 sd->card_status &= ~CARD_IS_LOCKED;
868 sd->pwd_len = 0;
869 /* Erasing the entire card here! */
870 fprintf(stderr, "SD: Card force-erased by CMD42\n");
871 return;
872 }
873
874 if (sd->blk_len < 2 + pwd_len ||
875 pwd_len <= sd->pwd_len ||
876 pwd_len > sd->pwd_len + 16) {
877 sd->card_status |= LOCK_UNLOCK_FAILED;
878 return;
879 }
880
881 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
882 sd->card_status |= LOCK_UNLOCK_FAILED;
883 return;
884 }
885
886 pwd_len -= sd->pwd_len;
887 if ((pwd_len && !set_pwd) ||
888 (clr_pwd && (set_pwd || lock)) ||
889 (lock && !sd->pwd_len && !set_pwd) ||
890 (!set_pwd && !clr_pwd &&
891 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
892 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
893 sd->card_status |= LOCK_UNLOCK_FAILED;
894 return;
895 }
896
897 if (set_pwd) {
898 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
899 sd->pwd_len = pwd_len;
900 }
901
902 if (clr_pwd) {
903 sd->pwd_len = 0;
904 }
905
906 if (lock)
907 sd->card_status |= CARD_IS_LOCKED;
908 else
909 sd->card_status &= ~CARD_IS_LOCKED;
910 }
911
912 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
913 {
914 uint32_t rca = 0x0000;
915 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
916
917 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
918 * However there is no ACMD55, so we want to trace this particular case.
919 */
920 if (req.cmd != 55 || sd->expecting_acmd) {
921 trace_sdcard_normal_command(sd->proto_name,
922 sd_cmd_name(req.cmd), req.cmd,
923 req.arg, sd_state_name(sd->state));
924 }
925
926 /* Not interpreting this as an app command */
927 sd->card_status &= ~APP_CMD;
928
929 if (sd_cmd_type[req.cmd] == sd_ac
930 || sd_cmd_type[req.cmd] == sd_adtc) {
931 rca = req.arg >> 16;
932 }
933
934 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
935 * if not, its effects are cancelled */
936 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
937 sd->multi_blk_cnt = 0;
938 }
939
940 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
941 /* Only Standard Capacity cards support class 6 commands */
942 return sd_illegal;
943 }
944
945 switch (req.cmd) {
946 /* Basic commands (Class 0 and Class 1) */
947 case 0: /* CMD0: GO_IDLE_STATE */
948 switch (sd->state) {
949 case sd_inactive_state:
950 return sd->spi ? sd_r1 : sd_r0;
951
952 default:
953 sd->state = sd_idle_state;
954 sd_reset(DEVICE(sd));
955 return sd->spi ? sd_r1 : sd_r0;
956 }
957 break;
958
959 case 1: /* CMD1: SEND_OP_CMD */
960 if (!sd->spi)
961 goto bad_cmd;
962
963 sd->state = sd_transfer_state;
964 return sd_r1;
965
966 case 2: /* CMD2: ALL_SEND_CID */
967 if (sd->spi)
968 goto bad_cmd;
969 switch (sd->state) {
970 case sd_ready_state:
971 sd->state = sd_identification_state;
972 return sd_r2_i;
973
974 default:
975 break;
976 }
977 break;
978
979 case 3: /* CMD3: SEND_RELATIVE_ADDR */
980 if (sd->spi)
981 goto bad_cmd;
982 switch (sd->state) {
983 case sd_identification_state:
984 case sd_standby_state:
985 sd->state = sd_standby_state;
986 sd_set_rca(sd);
987 return sd_r6;
988
989 default:
990 break;
991 }
992 break;
993
994 case 4: /* CMD4: SEND_DSR */
995 if (sd->spi)
996 goto bad_cmd;
997 switch (sd->state) {
998 case sd_standby_state:
999 break;
1000
1001 default:
1002 break;
1003 }
1004 break;
1005
1006 case 5: /* CMD5: reserved for SDIO cards */
1007 return sd_illegal;
1008
1009 case 6: /* CMD6: SWITCH_FUNCTION */
1010 switch (sd->mode) {
1011 case sd_data_transfer_mode:
1012 sd_function_switch(sd, req.arg);
1013 sd->state = sd_sendingdata_state;
1014 sd->data_start = 0;
1015 sd->data_offset = 0;
1016 return sd_r1;
1017
1018 default:
1019 break;
1020 }
1021 break;
1022
1023 case 7: /* CMD7: SELECT/DESELECT_CARD */
1024 if (sd->spi)
1025 goto bad_cmd;
1026 switch (sd->state) {
1027 case sd_standby_state:
1028 if (sd->rca != rca)
1029 return sd_r0;
1030
1031 sd->state = sd_transfer_state;
1032 return sd_r1b;
1033
1034 case sd_transfer_state:
1035 case sd_sendingdata_state:
1036 if (sd->rca == rca)
1037 break;
1038
1039 sd->state = sd_standby_state;
1040 return sd_r1b;
1041
1042 case sd_disconnect_state:
1043 if (sd->rca != rca)
1044 return sd_r0;
1045
1046 sd->state = sd_programming_state;
1047 return sd_r1b;
1048
1049 case sd_programming_state:
1050 if (sd->rca == rca)
1051 break;
1052
1053 sd->state = sd_disconnect_state;
1054 return sd_r1b;
1055
1056 default:
1057 break;
1058 }
1059 break;
1060
1061 case 8: /* CMD8: SEND_IF_COND */
1062 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1063 break;
1064 }
1065 if (sd->state != sd_idle_state) {
1066 break;
1067 }
1068 sd->vhs = 0;
1069
1070 /* No response if not exactly one VHS bit is set. */
1071 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1072 return sd->spi ? sd_r7 : sd_r0;
1073 }
1074
1075 /* Accept. */
1076 sd->vhs = req.arg;
1077 return sd_r7;
1078
1079 case 9: /* CMD9: SEND_CSD */
1080 switch (sd->state) {
1081 case sd_standby_state:
1082 if (sd->rca != rca)
1083 return sd_r0;
1084
1085 return sd_r2_s;
1086
1087 case sd_transfer_state:
1088 if (!sd->spi)
1089 break;
1090 sd->state = sd_sendingdata_state;
1091 memcpy(sd->data, sd->csd, 16);
1092 sd->data_start = addr;
1093 sd->data_offset = 0;
1094 return sd_r1;
1095
1096 default:
1097 break;
1098 }
1099 break;
1100
1101 case 10: /* CMD10: SEND_CID */
1102 switch (sd->state) {
1103 case sd_standby_state:
1104 if (sd->rca != rca)
1105 return sd_r0;
1106
1107 return sd_r2_i;
1108
1109 case sd_transfer_state:
1110 if (!sd->spi)
1111 break;
1112 sd->state = sd_sendingdata_state;
1113 memcpy(sd->data, sd->cid, 16);
1114 sd->data_start = addr;
1115 sd->data_offset = 0;
1116 return sd_r1;
1117
1118 default:
1119 break;
1120 }
1121 break;
1122
1123 case 12: /* CMD12: STOP_TRANSMISSION */
1124 switch (sd->state) {
1125 case sd_sendingdata_state:
1126 sd->state = sd_transfer_state;
1127 return sd_r1b;
1128
1129 case sd_receivingdata_state:
1130 sd->state = sd_programming_state;
1131 /* Bzzzzzzztt .... Operation complete. */
1132 sd->state = sd_transfer_state;
1133 return sd_r1b;
1134
1135 default:
1136 break;
1137 }
1138 break;
1139
1140 case 13: /* CMD13: SEND_STATUS */
1141 switch (sd->mode) {
1142 case sd_data_transfer_mode:
1143 if (sd->rca != rca)
1144 return sd_r0;
1145
1146 return sd_r1;
1147
1148 default:
1149 break;
1150 }
1151 break;
1152
1153 case 15: /* CMD15: GO_INACTIVE_STATE */
1154 if (sd->spi)
1155 goto bad_cmd;
1156 switch (sd->mode) {
1157 case sd_data_transfer_mode:
1158 if (sd->rca != rca)
1159 return sd_r0;
1160
1161 sd->state = sd_inactive_state;
1162 return sd_r0;
1163
1164 default:
1165 break;
1166 }
1167 break;
1168
1169 /* Block read commands (Classs 2) */
1170 case 16: /* CMD16: SET_BLOCKLEN */
1171 switch (sd->state) {
1172 case sd_transfer_state:
1173 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1174 sd->card_status |= BLOCK_LEN_ERROR;
1175 } else {
1176 trace_sdcard_set_blocklen(req.arg);
1177 sd->blk_len = req.arg;
1178 }
1179
1180 return sd_r1;
1181
1182 default:
1183 break;
1184 }
1185 break;
1186
1187 case 17: /* CMD17: READ_SINGLE_BLOCK */
1188 switch (sd->state) {
1189 case sd_transfer_state:
1190
1191 if (addr + sd->blk_len > sd->size) {
1192 sd->card_status |= ADDRESS_ERROR;
1193 return sd_r1;
1194 }
1195
1196 sd->state = sd_sendingdata_state;
1197 sd->data_start = addr;
1198 sd->data_offset = 0;
1199 return sd_r1;
1200
1201 default:
1202 break;
1203 }
1204 break;
1205
1206 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1207 switch (sd->state) {
1208 case sd_transfer_state:
1209
1210 if (addr + sd->blk_len > sd->size) {
1211 sd->card_status |= ADDRESS_ERROR;
1212 return sd_r1;
1213 }
1214
1215 sd->state = sd_sendingdata_state;
1216 sd->data_start = addr;
1217 sd->data_offset = 0;
1218 return sd_r1;
1219
1220 default:
1221 break;
1222 }
1223 break;
1224
1225 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1226 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1227 break;
1228 }
1229 if (sd->state == sd_transfer_state) {
1230 sd->state = sd_sendingdata_state;
1231 sd->data_offset = 0;
1232 return sd_r1;
1233 }
1234 break;
1235
1236 case 23: /* CMD23: SET_BLOCK_COUNT */
1237 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1238 break;
1239 }
1240 switch (sd->state) {
1241 case sd_transfer_state:
1242 sd->multi_blk_cnt = req.arg;
1243 return sd_r1;
1244
1245 default:
1246 break;
1247 }
1248 break;
1249
1250 /* Block write commands (Class 4) */
1251 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1252 switch (sd->state) {
1253 case sd_transfer_state:
1254 /* Writing in SPI mode not implemented. */
1255 if (sd->spi)
1256 break;
1257
1258 if (addr + sd->blk_len > sd->size) {
1259 sd->card_status |= ADDRESS_ERROR;
1260 return sd_r1;
1261 }
1262
1263 sd->state = sd_receivingdata_state;
1264 sd->data_start = addr;
1265 sd->data_offset = 0;
1266 sd->blk_written = 0;
1267
1268 if (sd_wp_addr(sd, sd->data_start)) {
1269 sd->card_status |= WP_VIOLATION;
1270 }
1271 if (sd->csd[14] & 0x30) {
1272 sd->card_status |= WP_VIOLATION;
1273 }
1274 return sd_r1;
1275
1276 default:
1277 break;
1278 }
1279 break;
1280
1281 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1282 switch (sd->state) {
1283 case sd_transfer_state:
1284 /* Writing in SPI mode not implemented. */
1285 if (sd->spi)
1286 break;
1287
1288 if (addr + sd->blk_len > sd->size) {
1289 sd->card_status |= ADDRESS_ERROR;
1290 return sd_r1;
1291 }
1292
1293 sd->state = sd_receivingdata_state;
1294 sd->data_start = addr;
1295 sd->data_offset = 0;
1296 sd->blk_written = 0;
1297
1298 if (sd_wp_addr(sd, sd->data_start)) {
1299 sd->card_status |= WP_VIOLATION;
1300 }
1301 if (sd->csd[14] & 0x30) {
1302 sd->card_status |= WP_VIOLATION;
1303 }
1304 return sd_r1;
1305
1306 default:
1307 break;
1308 }
1309 break;
1310
1311 case 26: /* CMD26: PROGRAM_CID */
1312 if (sd->spi)
1313 goto bad_cmd;
1314 switch (sd->state) {
1315 case sd_transfer_state:
1316 sd->state = sd_receivingdata_state;
1317 sd->data_start = 0;
1318 sd->data_offset = 0;
1319 return sd_r1;
1320
1321 default:
1322 break;
1323 }
1324 break;
1325
1326 case 27: /* CMD27: PROGRAM_CSD */
1327 switch (sd->state) {
1328 case sd_transfer_state:
1329 sd->state = sd_receivingdata_state;
1330 sd->data_start = 0;
1331 sd->data_offset = 0;
1332 return sd_r1;
1333
1334 default:
1335 break;
1336 }
1337 break;
1338
1339 /* Write protection (Class 6) */
1340 case 28: /* CMD28: SET_WRITE_PROT */
1341 switch (sd->state) {
1342 case sd_transfer_state:
1343 if (addr >= sd->size) {
1344 sd->card_status |= ADDRESS_ERROR;
1345 return sd_r1b;
1346 }
1347
1348 sd->state = sd_programming_state;
1349 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1350 /* Bzzzzzzztt .... Operation complete. */
1351 sd->state = sd_transfer_state;
1352 return sd_r1b;
1353
1354 default:
1355 break;
1356 }
1357 break;
1358
1359 case 29: /* CMD29: CLR_WRITE_PROT */
1360 switch (sd->state) {
1361 case sd_transfer_state:
1362 if (addr >= sd->size) {
1363 sd->card_status |= ADDRESS_ERROR;
1364 return sd_r1b;
1365 }
1366
1367 sd->state = sd_programming_state;
1368 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1369 /* Bzzzzzzztt .... Operation complete. */
1370 sd->state = sd_transfer_state;
1371 return sd_r1b;
1372
1373 default:
1374 break;
1375 }
1376 break;
1377
1378 case 30: /* CMD30: SEND_WRITE_PROT */
1379 switch (sd->state) {
1380 case sd_transfer_state:
1381 sd->state = sd_sendingdata_state;
1382 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1383 sd->data_start = addr;
1384 sd->data_offset = 0;
1385 return sd_r1b;
1386
1387 default:
1388 break;
1389 }
1390 break;
1391
1392 /* Erase commands (Class 5) */
1393 case 32: /* CMD32: ERASE_WR_BLK_START */
1394 switch (sd->state) {
1395 case sd_transfer_state:
1396 sd->erase_start = req.arg;
1397 return sd_r1;
1398
1399 default:
1400 break;
1401 }
1402 break;
1403
1404 case 33: /* CMD33: ERASE_WR_BLK_END */
1405 switch (sd->state) {
1406 case sd_transfer_state:
1407 sd->erase_end = req.arg;
1408 return sd_r1;
1409
1410 default:
1411 break;
1412 }
1413 break;
1414
1415 case 38: /* CMD38: ERASE */
1416 switch (sd->state) {
1417 case sd_transfer_state:
1418 if (sd->csd[14] & 0x30) {
1419 sd->card_status |= WP_VIOLATION;
1420 return sd_r1b;
1421 }
1422
1423 sd->state = sd_programming_state;
1424 sd_erase(sd);
1425 /* Bzzzzzzztt .... Operation complete. */
1426 sd->state = sd_transfer_state;
1427 return sd_r1b;
1428
1429 default:
1430 break;
1431 }
1432 break;
1433
1434 /* Lock card commands (Class 7) */
1435 case 42: /* CMD42: LOCK_UNLOCK */
1436 switch (sd->state) {
1437 case sd_transfer_state:
1438 sd->state = sd_receivingdata_state;
1439 sd->data_start = 0;
1440 sd->data_offset = 0;
1441 return sd_r1;
1442
1443 default:
1444 break;
1445 }
1446 break;
1447
1448 case 52 ... 54:
1449 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1450 * (see the SDIO Simplified Specification V2.0)
1451 * Handle as illegal command but do not complain
1452 * on stderr, as some OSes may use these in their
1453 * probing for presence of an SDIO card.
1454 */
1455 return sd_illegal;
1456
1457 /* Application specific commands (Class 8) */
1458 case 55: /* CMD55: APP_CMD */
1459 switch (sd->state) {
1460 case sd_ready_state:
1461 case sd_identification_state:
1462 case sd_inactive_state:
1463 return sd_illegal;
1464 case sd_idle_state:
1465 if (rca) {
1466 qemu_log_mask(LOG_GUEST_ERROR,
1467 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1468 }
1469 default:
1470 break;
1471 }
1472 if (!sd->spi) {
1473 if (sd->rca != rca) {
1474 return sd_r0;
1475 }
1476 }
1477 sd->expecting_acmd = true;
1478 sd->card_status |= APP_CMD;
1479 return sd_r1;
1480
1481 case 56: /* CMD56: GEN_CMD */
1482 switch (sd->state) {
1483 case sd_transfer_state:
1484 sd->data_offset = 0;
1485 if (req.arg & 1)
1486 sd->state = sd_sendingdata_state;
1487 else
1488 sd->state = sd_receivingdata_state;
1489 return sd_r1;
1490
1491 default:
1492 break;
1493 }
1494 break;
1495
1496 case 58: /* CMD58: READ_OCR (SPI) */
1497 if (!sd->spi) {
1498 goto bad_cmd;
1499 }
1500 return sd_r3;
1501
1502 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1503 if (!sd->spi) {
1504 goto bad_cmd;
1505 }
1506 goto unimplemented_spi_cmd;
1507
1508 default:
1509 bad_cmd:
1510 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1511 return sd_illegal;
1512
1513 unimplemented_spi_cmd:
1514 /* Commands that are recognised but not yet implemented in SPI mode. */
1515 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1516 req.cmd);
1517 return sd_illegal;
1518 }
1519
1520 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1521 return sd_illegal;
1522 }
1523
1524 static sd_rsp_type_t sd_app_command(SDState *sd,
1525 SDRequest req)
1526 {
1527 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1528 req.cmd, req.arg, sd_state_name(sd->state));
1529 sd->card_status |= APP_CMD;
1530 switch (req.cmd) {
1531 case 6: /* ACMD6: SET_BUS_WIDTH */
1532 if (sd->spi) {
1533 goto unimplemented_spi_cmd;
1534 }
1535 switch (sd->state) {
1536 case sd_transfer_state:
1537 sd->sd_status[0] &= 0x3f;
1538 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1539 return sd_r1;
1540
1541 default:
1542 break;
1543 }
1544 break;
1545
1546 case 13: /* ACMD13: SD_STATUS */
1547 switch (sd->state) {
1548 case sd_transfer_state:
1549 sd->state = sd_sendingdata_state;
1550 sd->data_start = 0;
1551 sd->data_offset = 0;
1552 return sd_r1;
1553
1554 default:
1555 break;
1556 }
1557 break;
1558
1559 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1560 switch (sd->state) {
1561 case sd_transfer_state:
1562 *(uint32_t *) sd->data = sd->blk_written;
1563
1564 sd->state = sd_sendingdata_state;
1565 sd->data_start = 0;
1566 sd->data_offset = 0;
1567 return sd_r1;
1568
1569 default:
1570 break;
1571 }
1572 break;
1573
1574 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1575 switch (sd->state) {
1576 case sd_transfer_state:
1577 return sd_r1;
1578
1579 default:
1580 break;
1581 }
1582 break;
1583
1584 case 41: /* ACMD41: SD_APP_OP_COND */
1585 if (sd->spi) {
1586 /* SEND_OP_CMD */
1587 sd->state = sd_transfer_state;
1588 return sd_r1;
1589 }
1590 if (sd->state != sd_idle_state) {
1591 break;
1592 }
1593 /* If it's the first ACMD41 since reset, we need to decide
1594 * whether to power up. If this is not an enquiry ACMD41,
1595 * we immediately report power on and proceed below to the
1596 * ready state, but if it is, we set a timer to model a
1597 * delay for power up. This works around a bug in EDK2
1598 * UEFI, which sends an initial enquiry ACMD41, but
1599 * assumes that the card is in ready state as soon as it
1600 * sees the power up bit set. */
1601 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1602 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1603 timer_del(sd->ocr_power_timer);
1604 sd_ocr_powerup(sd);
1605 } else {
1606 trace_sdcard_inquiry_cmd41();
1607 if (!timer_pending(sd->ocr_power_timer)) {
1608 timer_mod_ns(sd->ocr_power_timer,
1609 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1610 + OCR_POWER_DELAY_NS));
1611 }
1612 }
1613 }
1614
1615 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1616 /* We accept any voltage. 10000 V is nothing.
1617 *
1618 * Once we're powered up, we advance straight to ready state
1619 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1620 */
1621 sd->state = sd_ready_state;
1622 }
1623
1624 return sd_r3;
1625
1626 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1627 switch (sd->state) {
1628 case sd_transfer_state:
1629 /* Bringing in the 50KOhm pull-up resistor... Done. */
1630 return sd_r1;
1631
1632 default:
1633 break;
1634 }
1635 break;
1636
1637 case 51: /* ACMD51: SEND_SCR */
1638 switch (sd->state) {
1639 case sd_transfer_state:
1640 sd->state = sd_sendingdata_state;
1641 sd->data_start = 0;
1642 sd->data_offset = 0;
1643 return sd_r1;
1644
1645 default:
1646 break;
1647 }
1648 break;
1649
1650 case 18: /* Reserved for SD security applications */
1651 case 25:
1652 case 26:
1653 case 38:
1654 case 43 ... 49:
1655 /* Refer to the "SD Specifications Part3 Security Specification" for
1656 * information about the SD Security Features.
1657 */
1658 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1659 req.cmd);
1660 return sd_illegal;
1661
1662 default:
1663 /* Fall back to standard commands. */
1664 return sd_normal_command(sd, req);
1665
1666 unimplemented_spi_cmd:
1667 /* Commands that are recognised but not yet implemented in SPI mode. */
1668 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1669 req.cmd);
1670 return sd_illegal;
1671 }
1672
1673 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1674 return sd_illegal;
1675 }
1676
1677 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1678 {
1679 /* Valid commands in locked state:
1680 * basic class (0)
1681 * lock card class (7)
1682 * CMD16
1683 * implicitly, the ACMD prefix CMD55
1684 * ACMD41 and ACMD42
1685 * Anything else provokes an "illegal command" response.
1686 */
1687 if (sd->expecting_acmd) {
1688 return req->cmd == 41 || req->cmd == 42;
1689 }
1690 if (req->cmd == 16 || req->cmd == 55) {
1691 return 1;
1692 }
1693 return sd_cmd_class[req->cmd] == 0
1694 || sd_cmd_class[req->cmd] == 7;
1695 }
1696
1697 int sd_do_command(SDState *sd, SDRequest *req,
1698 uint8_t *response) {
1699 int last_state;
1700 sd_rsp_type_t rtype;
1701 int rsplen;
1702
1703 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1704 return 0;
1705 }
1706
1707 if (sd_req_crc_validate(req)) {
1708 sd->card_status |= COM_CRC_ERROR;
1709 rtype = sd_illegal;
1710 goto send_response;
1711 }
1712
1713 if (req->cmd >= SDMMC_CMD_MAX) {
1714 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1715 req->cmd);
1716 req->cmd &= 0x3f;
1717 }
1718
1719 if (sd->card_status & CARD_IS_LOCKED) {
1720 if (!cmd_valid_while_locked(sd, req)) {
1721 sd->card_status |= ILLEGAL_COMMAND;
1722 sd->expecting_acmd = false;
1723 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1724 rtype = sd_illegal;
1725 goto send_response;
1726 }
1727 }
1728
1729 last_state = sd->state;
1730 sd_set_mode(sd);
1731
1732 if (sd->expecting_acmd) {
1733 sd->expecting_acmd = false;
1734 rtype = sd_app_command(sd, *req);
1735 } else {
1736 rtype = sd_normal_command(sd, *req);
1737 }
1738
1739 if (rtype == sd_illegal) {
1740 sd->card_status |= ILLEGAL_COMMAND;
1741 } else {
1742 /* Valid command, we can update the 'state before command' bits.
1743 * (Do this now so they appear in r1 responses.)
1744 */
1745 sd->current_cmd = req->cmd;
1746 sd->card_status &= ~CURRENT_STATE;
1747 sd->card_status |= (last_state << 9);
1748 }
1749
1750 send_response:
1751 switch (rtype) {
1752 case sd_r1:
1753 case sd_r1b:
1754 sd_response_r1_make(sd, response);
1755 rsplen = 4;
1756 break;
1757
1758 case sd_r2_i:
1759 memcpy(response, sd->cid, sizeof(sd->cid));
1760 rsplen = 16;
1761 break;
1762
1763 case sd_r2_s:
1764 memcpy(response, sd->csd, sizeof(sd->csd));
1765 rsplen = 16;
1766 break;
1767
1768 case sd_r3:
1769 sd_response_r3_make(sd, response);
1770 rsplen = 4;
1771 break;
1772
1773 case sd_r6:
1774 sd_response_r6_make(sd, response);
1775 rsplen = 4;
1776 break;
1777
1778 case sd_r7:
1779 sd_response_r7_make(sd, response);
1780 rsplen = 4;
1781 break;
1782
1783 case sd_r0:
1784 case sd_illegal:
1785 rsplen = 0;
1786 break;
1787 default:
1788 g_assert_not_reached();
1789 }
1790 trace_sdcard_response(sd_response_name(rtype), rsplen);
1791
1792 if (rtype != sd_illegal) {
1793 /* Clear the "clear on valid command" status bits now we've
1794 * sent any response
1795 */
1796 sd->card_status &= ~CARD_STATUS_B;
1797 }
1798
1799 #ifdef DEBUG_SD
1800 qemu_hexdump(stderr, "Response", response, rsplen);
1801 #endif
1802
1803 return rsplen;
1804 }
1805
1806 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1807 {
1808 trace_sdcard_read_block(addr, len);
1809 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1810 fprintf(stderr, "sd_blk_read: read error on host side\n");
1811 }
1812 }
1813
1814 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1815 {
1816 trace_sdcard_write_block(addr, len);
1817 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1818 fprintf(stderr, "sd_blk_write: write error on host side\n");
1819 }
1820 }
1821
1822 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1823 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1824 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1825 #define APP_WRITE_BLOCK(a, len)
1826
1827 void sd_write_byte(SDState *sd, uint8_t value)
1828 {
1829 int i;
1830
1831 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1832 return;
1833
1834 if (sd->state != sd_receivingdata_state) {
1835 qemu_log_mask(LOG_GUEST_ERROR,
1836 "%s: not in Receiving-Data state\n", __func__);
1837 return;
1838 }
1839
1840 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1841 return;
1842
1843 trace_sdcard_write_data(sd->proto_name,
1844 sd_acmd_name(sd->current_cmd),
1845 sd->current_cmd, value);
1846 switch (sd->current_cmd) {
1847 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1848 sd->data[sd->data_offset ++] = value;
1849 if (sd->data_offset >= sd->blk_len) {
1850 /* TODO: Check CRC before committing */
1851 sd->state = sd_programming_state;
1852 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1853 sd->blk_written ++;
1854 sd->csd[14] |= 0x40;
1855 /* Bzzzzzzztt .... Operation complete. */
1856 sd->state = sd_transfer_state;
1857 }
1858 break;
1859
1860 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1861 if (sd->data_offset == 0) {
1862 /* Start of the block - let's check the address is valid */
1863 if (sd->data_start + sd->blk_len > sd->size) {
1864 sd->card_status |= ADDRESS_ERROR;
1865 break;
1866 }
1867 if (sd_wp_addr(sd, sd->data_start)) {
1868 sd->card_status |= WP_VIOLATION;
1869 break;
1870 }
1871 }
1872 sd->data[sd->data_offset++] = value;
1873 if (sd->data_offset >= sd->blk_len) {
1874 /* TODO: Check CRC before committing */
1875 sd->state = sd_programming_state;
1876 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1877 sd->blk_written++;
1878 sd->data_start += sd->blk_len;
1879 sd->data_offset = 0;
1880 sd->csd[14] |= 0x40;
1881
1882 /* Bzzzzzzztt .... Operation complete. */
1883 if (sd->multi_blk_cnt != 0) {
1884 if (--sd->multi_blk_cnt == 0) {
1885 /* Stop! */
1886 sd->state = sd_transfer_state;
1887 break;
1888 }
1889 }
1890
1891 sd->state = sd_receivingdata_state;
1892 }
1893 break;
1894
1895 case 26: /* CMD26: PROGRAM_CID */
1896 sd->data[sd->data_offset ++] = value;
1897 if (sd->data_offset >= sizeof(sd->cid)) {
1898 /* TODO: Check CRC before committing */
1899 sd->state = sd_programming_state;
1900 for (i = 0; i < sizeof(sd->cid); i ++)
1901 if ((sd->cid[i] | 0x00) != sd->data[i])
1902 sd->card_status |= CID_CSD_OVERWRITE;
1903
1904 if (!(sd->card_status & CID_CSD_OVERWRITE))
1905 for (i = 0; i < sizeof(sd->cid); i ++) {
1906 sd->cid[i] |= 0x00;
1907 sd->cid[i] &= sd->data[i];
1908 }
1909 /* Bzzzzzzztt .... Operation complete. */
1910 sd->state = sd_transfer_state;
1911 }
1912 break;
1913
1914 case 27: /* CMD27: PROGRAM_CSD */
1915 sd->data[sd->data_offset ++] = value;
1916 if (sd->data_offset >= sizeof(sd->csd)) {
1917 /* TODO: Check CRC before committing */
1918 sd->state = sd_programming_state;
1919 for (i = 0; i < sizeof(sd->csd); i ++)
1920 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1921 (sd->data[i] | sd_csd_rw_mask[i]))
1922 sd->card_status |= CID_CSD_OVERWRITE;
1923
1924 /* Copy flag (OTP) & Permanent write protect */
1925 if (sd->csd[14] & ~sd->data[14] & 0x60)
1926 sd->card_status |= CID_CSD_OVERWRITE;
1927
1928 if (!(sd->card_status & CID_CSD_OVERWRITE))
1929 for (i = 0; i < sizeof(sd->csd); i ++) {
1930 sd->csd[i] |= sd_csd_rw_mask[i];
1931 sd->csd[i] &= sd->data[i];
1932 }
1933 /* Bzzzzzzztt .... Operation complete. */
1934 sd->state = sd_transfer_state;
1935 }
1936 break;
1937
1938 case 42: /* CMD42: LOCK_UNLOCK */
1939 sd->data[sd->data_offset ++] = value;
1940 if (sd->data_offset >= sd->blk_len) {
1941 /* TODO: Check CRC before committing */
1942 sd->state = sd_programming_state;
1943 sd_lock_command(sd);
1944 /* Bzzzzzzztt .... Operation complete. */
1945 sd->state = sd_transfer_state;
1946 }
1947 break;
1948
1949 case 56: /* CMD56: GEN_CMD */
1950 sd->data[sd->data_offset ++] = value;
1951 if (sd->data_offset >= sd->blk_len) {
1952 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1953 sd->state = sd_transfer_state;
1954 }
1955 break;
1956
1957 default:
1958 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1959 break;
1960 }
1961 }
1962
1963 #define SD_TUNING_BLOCK_SIZE 64
1964
1965 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1966 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1967 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1968 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1969 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1970 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1971 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1972 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1973 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1974 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1975 };
1976
1977 uint8_t sd_read_byte(SDState *sd)
1978 {
1979 /* TODO: Append CRCs */
1980 uint8_t ret;
1981 int io_len;
1982
1983 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1984 return 0x00;
1985
1986 if (sd->state != sd_sendingdata_state) {
1987 qemu_log_mask(LOG_GUEST_ERROR,
1988 "%s: not in Sending-Data state\n", __func__);
1989 return 0x00;
1990 }
1991
1992 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1993 return 0x00;
1994
1995 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1996
1997 trace_sdcard_read_data(sd->proto_name,
1998 sd_acmd_name(sd->current_cmd),
1999 sd->current_cmd, io_len);
2000 switch (sd->current_cmd) {
2001 case 6: /* CMD6: SWITCH_FUNCTION */
2002 ret = sd->data[sd->data_offset ++];
2003
2004 if (sd->data_offset >= 64)
2005 sd->state = sd_transfer_state;
2006 break;
2007
2008 case 9: /* CMD9: SEND_CSD */
2009 case 10: /* CMD10: SEND_CID */
2010 ret = sd->data[sd->data_offset ++];
2011
2012 if (sd->data_offset >= 16)
2013 sd->state = sd_transfer_state;
2014 break;
2015
2016 case 13: /* ACMD13: SD_STATUS */
2017 ret = sd->sd_status[sd->data_offset ++];
2018
2019 if (sd->data_offset >= sizeof(sd->sd_status))
2020 sd->state = sd_transfer_state;
2021 break;
2022
2023 case 17: /* CMD17: READ_SINGLE_BLOCK */
2024 if (sd->data_offset == 0)
2025 BLK_READ_BLOCK(sd->data_start, io_len);
2026 ret = sd->data[sd->data_offset ++];
2027
2028 if (sd->data_offset >= io_len)
2029 sd->state = sd_transfer_state;
2030 break;
2031
2032 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2033 if (sd->data_offset == 0) {
2034 if (sd->data_start + io_len > sd->size) {
2035 sd->card_status |= ADDRESS_ERROR;
2036 return 0x00;
2037 }
2038 BLK_READ_BLOCK(sd->data_start, io_len);
2039 }
2040 ret = sd->data[sd->data_offset ++];
2041
2042 if (sd->data_offset >= io_len) {
2043 sd->data_start += io_len;
2044 sd->data_offset = 0;
2045
2046 if (sd->multi_blk_cnt != 0) {
2047 if (--sd->multi_blk_cnt == 0) {
2048 /* Stop! */
2049 sd->state = sd_transfer_state;
2050 break;
2051 }
2052 }
2053 }
2054 break;
2055
2056 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2057 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2058 sd->state = sd_transfer_state;
2059 }
2060 ret = sd_tuning_block_pattern[sd->data_offset++];
2061 break;
2062
2063 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2064 ret = sd->data[sd->data_offset ++];
2065
2066 if (sd->data_offset >= 4)
2067 sd->state = sd_transfer_state;
2068 break;
2069
2070 case 30: /* CMD30: SEND_WRITE_PROT */
2071 ret = sd->data[sd->data_offset ++];
2072
2073 if (sd->data_offset >= 4)
2074 sd->state = sd_transfer_state;
2075 break;
2076
2077 case 51: /* ACMD51: SEND_SCR */
2078 ret = sd->scr[sd->data_offset ++];
2079
2080 if (sd->data_offset >= sizeof(sd->scr))
2081 sd->state = sd_transfer_state;
2082 break;
2083
2084 case 56: /* CMD56: GEN_CMD */
2085 if (sd->data_offset == 0)
2086 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2087 ret = sd->data[sd->data_offset ++];
2088
2089 if (sd->data_offset >= sd->blk_len)
2090 sd->state = sd_transfer_state;
2091 break;
2092
2093 default:
2094 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2095 return 0x00;
2096 }
2097
2098 return ret;
2099 }
2100
2101 static bool sd_data_ready(SDState *sd)
2102 {
2103 return sd->state == sd_sendingdata_state;
2104 }
2105
2106 void sd_enable(SDState *sd, bool enable)
2107 {
2108 sd->enable = enable;
2109 }
2110
2111 static void sd_instance_init(Object *obj)
2112 {
2113 SDState *sd = SD_CARD(obj);
2114
2115 sd->enable = true;
2116 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2117 }
2118
2119 static void sd_instance_finalize(Object *obj)
2120 {
2121 SDState *sd = SD_CARD(obj);
2122
2123 timer_del(sd->ocr_power_timer);
2124 timer_free(sd->ocr_power_timer);
2125 }
2126
2127 static void sd_realize(DeviceState *dev, Error **errp)
2128 {
2129 SDState *sd = SD_CARD(dev);
2130 int ret;
2131
2132 sd->proto_name = sd->spi ? "SPI" : "SD";
2133
2134 switch (sd->spec_version) {
2135 case SD_PHY_SPECv1_10_VERS
2136 ... SD_PHY_SPECv3_01_VERS:
2137 break;
2138 default:
2139 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2140 return;
2141 }
2142
2143 if (sd->blk) {
2144 int64_t blk_size;
2145
2146 if (blk_is_read_only(sd->blk)) {
2147 error_setg(errp, "Cannot use read-only drive as SD card");
2148 return;
2149 }
2150
2151 blk_size = blk_getlength(sd->blk);
2152 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2153 int64_t blk_size_aligned = pow2ceil(blk_size);
2154 char *blk_size_str;
2155
2156 blk_size_str = size_to_str(blk_size);
2157 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2158 g_free(blk_size_str);
2159
2160 blk_size_str = size_to_str(blk_size_aligned);
2161 error_append_hint(errp,
2162 "SD card size has to be a power of 2, e.g. %s.\n"
2163 "You can resize disk images with"
2164 " 'qemu-img resize <imagefile> <new-size>'\n"
2165 "(note that this will lose data if you make the"
2166 " image smaller than it currently is).\n",
2167 blk_size_str);
2168 g_free(blk_size_str);
2169
2170 return;
2171 }
2172
2173 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2174 BLK_PERM_ALL, errp);
2175 if (ret < 0) {
2176 return;
2177 }
2178 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2179 }
2180 }
2181
2182 static Property sd_properties[] = {
2183 DEFINE_PROP_UINT8("spec_version", SDState,
2184 spec_version, SD_PHY_SPECv2_00_VERS),
2185 DEFINE_PROP_DRIVE("drive", SDState, blk),
2186 /* We do not model the chip select pin, so allow the board to select
2187 * whether card should be in SSI or MMC/SD mode. It is also up to the
2188 * board to ensure that ssi transfers only occur when the chip select
2189 * is asserted. */
2190 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2191 DEFINE_PROP_END_OF_LIST()
2192 };
2193
2194 static void sd_class_init(ObjectClass *klass, void *data)
2195 {
2196 DeviceClass *dc = DEVICE_CLASS(klass);
2197 SDCardClass *sc = SD_CARD_CLASS(klass);
2198
2199 dc->realize = sd_realize;
2200 device_class_set_props(dc, sd_properties);
2201 dc->vmsd = &sd_vmstate;
2202 dc->reset = sd_reset;
2203 dc->bus_type = TYPE_SD_BUS;
2204 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2205
2206 sc->set_voltage = sd_set_voltage;
2207 sc->get_dat_lines = sd_get_dat_lines;
2208 sc->get_cmd_line = sd_get_cmd_line;
2209 sc->do_command = sd_do_command;
2210 sc->write_byte = sd_write_byte;
2211 sc->read_byte = sd_read_byte;
2212 sc->data_ready = sd_data_ready;
2213 sc->enable = sd_enable;
2214 sc->get_inserted = sd_get_inserted;
2215 sc->get_readonly = sd_get_readonly;
2216 }
2217
2218 static const TypeInfo sd_info = {
2219 .name = TYPE_SD_CARD,
2220 .parent = TYPE_DEVICE,
2221 .instance_size = sizeof(SDState),
2222 .class_size = sizeof(SDCardClass),
2223 .class_init = sd_class_init,
2224 .instance_init = sd_instance_init,
2225 .instance_finalize = sd_instance_finalize,
2226 };
2227
2228 static void sd_register_types(void)
2229 {
2230 type_register_static(&sd_info);
2231 }
2232
2233 type_init(sd_register_types)
AR7 emulation for QEMU