search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd: sd: Only SDSC cards support CMD28/29/30
[qemu/ar7.git] / hw / sd / sd.c
blobdd1ce0bdae437dbe771f12a730f1e20cec4c3bd2
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state,
81 sd_identification_state,
82 sd_standby_state,
83 sd_transfer_state,
84 sd_sendingdata_state,
85 sd_receivingdata_state,
86 sd_programming_state,
87 sd_disconnect_state,
88 };
89
90 struct SDState {
91 DeviceState parent_obj;
92
93 /* If true, created by sd_init() for a non-qdevified caller */
94 /* TODO purge them with fire */
95 bool me_no_qdev_me_kill_mammoth_with_rocks;
96
97 /* SD Memory Card Registers */
98 uint32_t ocr;
99 uint8_t scr[8];
100 uint8_t cid[16];
101 uint8_t csd[16];
102 uint16_t rca;
103 uint32_t card_status;
104 uint8_t sd_status[64];
105
106 /* Static properties */
107
108 uint8_t spec_version;
109 BlockBackend *blk;
110 bool spi;
111
112 /* Runtime changeables */
113
114 uint32_t mode; /* current card mode, one of SDCardModes */
115 int32_t state; /* current card state, one of SDCardStates */
116 uint32_t vhs;
117 bool wp_switch;
118 unsigned long *wp_groups;
119 int32_t wpgrps_size;
120 uint64_t size;
121 uint32_t blk_len;
122 uint32_t multi_blk_cnt;
123 uint32_t erase_start;
124 uint32_t erase_end;
125 uint8_t pwd[16];
126 uint32_t pwd_len;
127 uint8_t function_group[6];
128 uint8_t current_cmd;
129 /* True if we will handle the next command as an ACMD. Note that this does
130 * *not* track the APP_CMD status bit!
131 */
132 bool expecting_acmd;
133 uint32_t blk_written;
134 uint64_t data_start;
135 uint32_t data_offset;
136 uint8_t data[512];
137 qemu_irq readonly_cb;
138 qemu_irq inserted_cb;
139 QEMUTimer *ocr_power_timer;
140 const char *proto_name;
141 bool enable;
142 uint8_t dat_lines;
143 bool cmd_line;
144 };
145
146 static void sd_realize(DeviceState *dev, Error **errp);
147
148 static const char *sd_state_name(enum SDCardStates state)
149 {
150 static const char *state_name[] = {
151 [sd_idle_state] = "idle",
152 [sd_ready_state] = "ready",
153 [sd_identification_state] = "identification",
154 [sd_standby_state] = "standby",
155 [sd_transfer_state] = "transfer",
156 [sd_sendingdata_state] = "sendingdata",
157 [sd_receivingdata_state] = "receivingdata",
158 [sd_programming_state] = "programming",
159 [sd_disconnect_state] = "disconnect",
160 };
161 if (state == sd_inactive_state) {
162 return "inactive";
163 }
164 assert(state < ARRAY_SIZE(state_name));
165 return state_name[state];
166 }
167
168 static const char *sd_response_name(sd_rsp_type_t rsp)
169 {
170 static const char *response_name[] = {
171 [sd_r0] = "RESP#0 (no response)",
172 [sd_r1] = "RESP#1 (normal cmd)",
173 [sd_r2_i] = "RESP#2 (CID reg)",
174 [sd_r2_s] = "RESP#2 (CSD reg)",
175 [sd_r3] = "RESP#3 (OCR reg)",
176 [sd_r6] = "RESP#6 (RCA)",
177 [sd_r7] = "RESP#7 (operating voltage)",
178 };
179 if (rsp == sd_illegal) {
180 return "ILLEGAL RESP";
181 }
182 if (rsp == sd_r1b) {
183 rsp = sd_r1;
184 }
185 assert(rsp < ARRAY_SIZE(response_name));
186 return response_name[rsp];
187 }
188
189 static uint8_t sd_get_dat_lines(SDState *sd)
190 {
191 return sd->enable ? sd->dat_lines : 0;
192 }
193
194 static bool sd_get_cmd_line(SDState *sd)
195 {
196 return sd->enable ? sd->cmd_line : false;
197 }
198
199 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
200 {
201 trace_sdcard_set_voltage(millivolts);
202
203 switch (millivolts) {
204 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
205 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
206 break;
207 default:
208 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
209 millivolts / 1000.f);
210 }
211 }
212
213 static void sd_set_mode(SDState *sd)
214 {
215 switch (sd->state) {
216 case sd_inactive_state:
217 sd->mode = sd_inactive;
218 break;
219
220 case sd_idle_state:
221 case sd_ready_state:
222 case sd_identification_state:
223 sd->mode = sd_card_identification_mode;
224 break;
225
226 case sd_standby_state:
227 case sd_transfer_state:
228 case sd_sendingdata_state:
229 case sd_receivingdata_state:
230 case sd_programming_state:
231 case sd_disconnect_state:
232 sd->mode = sd_data_transfer_mode;
233 break;
234 }
235 }
236
237 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
238 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
239 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
240 /* 16 */
241 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
242 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
243 /* 32 */
244 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
245 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
246 /* 48 */
247 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
248 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
249 };
250
251 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
252 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
253 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
254 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
255 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
256 };
257
258 static uint8_t sd_crc7(const void *message, size_t width)
259 {
260 int i, bit;
261 uint8_t shift_reg = 0x00;
262 const uint8_t *msg = (const uint8_t *)message;
263
264 for (i = 0; i < width; i ++, msg ++)
265 for (bit = 7; bit >= 0; bit --) {
266 shift_reg <<= 1;
267 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
268 shift_reg ^= 0x89;
269 }
270
271 return shift_reg;
272 }
273
274 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
275
276 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
277 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
278 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
279 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
280 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
281 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
282 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
283 FIELD(OCR, CARD_POWER_UP, 31, 1)
284
285 #define ACMD41_ENQUIRY_MASK 0x00ffffff
286 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
287 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
288 | R_OCR_UHS_II_CARD_MASK \
289 | R_OCR_CARD_CAPACITY_MASK \
290 | R_OCR_CARD_POWER_UP_MASK)
291
292 static void sd_set_ocr(SDState *sd)
293 {
294 /* All voltages OK */
295 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
296 }
297
298 static void sd_ocr_powerup(void *opaque)
299 {
300 SDState *sd = opaque;
301
302 trace_sdcard_powerup();
303 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
304
305 /* card power-up OK */
306 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
307
308 if (sd->size > SDSC_MAX_CAPACITY) {
309 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
310 }
311 }
312
313 static void sd_set_scr(SDState *sd)
314 {
315 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
316 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
317 sd->scr[0] |= 1; /* Spec Version 1.10 */
318 } else {
319 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
320 }
321 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
322 | 0b0101; /* 1-bit or 4-bit width bus modes */
323 sd->scr[2] = 0x00; /* Extended Security is not supported. */
324 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
325 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
326 }
327 sd->scr[3] = 0x00;
328 /* reserved for manufacturer usage */
329 sd->scr[4] = 0x00;
330 sd->scr[5] = 0x00;
331 sd->scr[6] = 0x00;
332 sd->scr[7] = 0x00;
333 }
334
335 #define MID 0xaa
336 #define OID "XY"
337 #define PNM "QEMU!"
338 #define PRV 0x01
339 #define MDT_YR 2006
340 #define MDT_MON 2
341
342 static void sd_set_cid(SDState *sd)
343 {
344 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
345 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
346 sd->cid[2] = OID[1];
347 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
348 sd->cid[4] = PNM[1];
349 sd->cid[5] = PNM[2];
350 sd->cid[6] = PNM[3];
351 sd->cid[7] = PNM[4];
352 sd->cid[8] = PRV; /* Fake product revision (PRV) */
353 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
354 sd->cid[10] = 0xad;
355 sd->cid[11] = 0xbe;
356 sd->cid[12] = 0xef;
357 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
358 ((MDT_YR - 2000) / 10);
359 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
360 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
361 }
362
363 #define HWBLOCK_SHIFT 9 /* 512 bytes */
364 #define SECTOR_SHIFT 5 /* 16 kilobytes */
365 #define WPGROUP_SHIFT 7 /* 2 megs */
366 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
367 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
368
369 static const uint8_t sd_csd_rw_mask[16] = {
370 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
372 };
373
374 static void sd_set_csd(SDState *sd, uint64_t size)
375 {
376 int hwblock_shift = HWBLOCK_SHIFT;
377 uint32_t csize;
378 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
379 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
380
381 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
382 if (size == SDSC_MAX_CAPACITY) {
383 hwblock_shift += 1;
384 }
385 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
386
387 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
388 sd->csd[0] = 0x00; /* CSD structure */
389 sd->csd[1] = 0x26; /* Data read access-time-1 */
390 sd->csd[2] = 0x00; /* Data read access-time-2 */
391 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
392 sd->csd[4] = 0x5f; /* Card Command Classes */
393 sd->csd[5] = 0x50 | /* Max. read data block length */
394 hwblock_shift;
395 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
396 ((csize >> 10) & 0x03);
397 sd->csd[7] = 0x00 | /* Device size */
398 ((csize >> 2) & 0xff);
399 sd->csd[8] = 0x3f | /* Max. read current */
400 ((csize << 6) & 0xc0);
401 sd->csd[9] = 0xfc | /* Max. write current */
402 ((CMULT_SHIFT - 2) >> 1);
403 sd->csd[10] = 0x40 | /* Erase sector size */
404 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
405 sd->csd[11] = 0x00 | /* Write protect group size */
406 ((sectsize << 7) & 0x80) | wpsize;
407 sd->csd[12] = 0x90 | /* Write speed factor */
408 (hwblock_shift >> 2);
409 sd->csd[13] = 0x20 | /* Max. write data block length */
410 ((hwblock_shift << 6) & 0xc0);
411 sd->csd[14] = 0x00; /* File format group */
412 } else { /* SDHC */
413 size /= 512 * KiB;
414 size -= 1;
415 sd->csd[0] = 0x40;
416 sd->csd[1] = 0x0e;
417 sd->csd[2] = 0x00;
418 sd->csd[3] = 0x32;
419 sd->csd[4] = 0x5b;
420 sd->csd[5] = 0x59;
421 sd->csd[6] = 0x00;
422 sd->csd[7] = (size >> 16) & 0xff;
423 sd->csd[8] = (size >> 8) & 0xff;
424 sd->csd[9] = (size & 0xff);
425 sd->csd[10] = 0x7f;
426 sd->csd[11] = 0x80;
427 sd->csd[12] = 0x0a;
428 sd->csd[13] = 0x40;
429 sd->csd[14] = 0x00;
430 }
431 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
432 }
433
434 static void sd_set_rca(SDState *sd)
435 {
436 sd->rca += 0x4567;
437 }
438
439 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
440 FIELD(CSR, APP_CMD, 5, 1)
441 FIELD(CSR, FX_EVENT, 6, 1)
442 FIELD(CSR, READY_FOR_DATA, 8, 1)
443 FIELD(CSR, CURRENT_STATE, 9, 4)
444 FIELD(CSR, ERASE_RESET, 13, 1)
445 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
446 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
447 FIELD(CSR, CSD_OVERWRITE, 16, 1)
448 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
449 FIELD(CSR, ERROR, 19, 1)
450 FIELD(CSR, CC_ERROR, 20, 1)
451 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
452 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
453 FIELD(CSR, COM_CRC_ERROR, 23, 1)
454 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
455 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
456 FIELD(CSR, WP_VIOLATION, 26, 1)
457 FIELD(CSR, ERASE_PARAM, 27, 1)
458 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
459 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
460 FIELD(CSR, ADDRESS_ERROR, 30, 1)
461 FIELD(CSR, OUT_OF_RANGE, 31, 1)
462
463 /* Card status bits, split by clear condition:
464 * A : According to the card current state
465 * B : Always related to the previous command
466 * C : Cleared by read
467 */
468 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
469 | R_CSR_CARD_ECC_DISABLED_MASK \
470 | R_CSR_CARD_IS_LOCKED_MASK)
471 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
472 | R_CSR_ILLEGAL_COMMAND_MASK \
473 | R_CSR_COM_CRC_ERROR_MASK)
474 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
475 | R_CSR_APP_CMD_MASK \
476 | R_CSR_ERASE_RESET_MASK \
477 | R_CSR_WP_ERASE_SKIP_MASK \
478 | R_CSR_CSD_OVERWRITE_MASK \
479 | R_CSR_ERROR_MASK \
480 | R_CSR_CC_ERROR_MASK \
481 | R_CSR_CARD_ECC_FAILED_MASK \
482 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
483 | R_CSR_WP_VIOLATION_MASK \
484 | R_CSR_ERASE_PARAM_MASK \
485 | R_CSR_ERASE_SEQ_ERROR_MASK \
486 | R_CSR_BLOCK_LEN_ERROR_MASK \
487 | R_CSR_ADDRESS_ERROR_MASK \
488 | R_CSR_OUT_OF_RANGE_MASK)
489
490 static void sd_set_cardstatus(SDState *sd)
491 {
492 sd->card_status = 0x00000100;
493 }
494
495 static void sd_set_sdstatus(SDState *sd)
496 {
497 memset(sd->sd_status, 0, 64);
498 }
499
500 static int sd_req_crc_validate(SDRequest *req)
501 {
502 uint8_t buffer[5];
503 buffer[0] = 0x40 | req->cmd;
504 stl_be_p(&buffer[1], req->arg);
505 return 0;
506 return sd_crc7(buffer, 5) != req->crc; /* TODO */
507 }
508
509 static void sd_response_r1_make(SDState *sd, uint8_t *response)
510 {
511 stl_be_p(response, sd->card_status);
512
513 /* Clear the "clear on read" status bits */
514 sd->card_status &= ~CARD_STATUS_C;
515 }
516
517 static void sd_response_r3_make(SDState *sd, uint8_t *response)
518 {
519 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
520 }
521
522 static void sd_response_r6_make(SDState *sd, uint8_t *response)
523 {
524 uint16_t status;
525
526 status = ((sd->card_status >> 8) & 0xc000) |
527 ((sd->card_status >> 6) & 0x2000) |
528 (sd->card_status & 0x1fff);
529 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
530 stw_be_p(response + 0, sd->rca);
531 stw_be_p(response + 2, status);
532 }
533
534 static void sd_response_r7_make(SDState *sd, uint8_t *response)
535 {
536 stl_be_p(response, sd->vhs);
537 }
538
539 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
540 {
541 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
542 }
543
544 static void sd_reset(DeviceState *dev)
545 {
546 SDState *sd = SD_CARD(dev);
547 uint64_t size;
548 uint64_t sect;
549
550 trace_sdcard_reset();
551 if (sd->blk) {
552 blk_get_geometry(sd->blk, &sect);
553 } else {
554 sect = 0;
555 }
556 size = sect << 9;
557
558 sect = sd_addr_to_wpnum(size) + 1;
559
560 sd->state = sd_idle_state;
561 sd->rca = 0x0000;
562 sd_set_ocr(sd);
563 sd_set_scr(sd);
564 sd_set_cid(sd);
565 sd_set_csd(sd, size);
566 sd_set_cardstatus(sd);
567 sd_set_sdstatus(sd);
568
569 g_free(sd->wp_groups);
570 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
571 sd->wpgrps_size = sect;
572 sd->wp_groups = bitmap_new(sd->wpgrps_size);
573 memset(sd->function_group, 0, sizeof(sd->function_group));
574 sd->erase_start = INVALID_ADDRESS;
575 sd->erase_end = INVALID_ADDRESS;
576 sd->size = size;
577 sd->blk_len = 0x200;
578 sd->pwd_len = 0;
579 sd->expecting_acmd = false;
580 sd->dat_lines = 0xf;
581 sd->cmd_line = true;
582 sd->multi_blk_cnt = 0;
583 }
584
585 static bool sd_get_inserted(SDState *sd)
586 {
587 return sd->blk && blk_is_inserted(sd->blk);
588 }
589
590 static bool sd_get_readonly(SDState *sd)
591 {
592 return sd->wp_switch;
593 }
594
595 static void sd_cardchange(void *opaque, bool load, Error **errp)
596 {
597 SDState *sd = opaque;
598 DeviceState *dev = DEVICE(sd);
599 SDBus *sdbus;
600 bool inserted = sd_get_inserted(sd);
601 bool readonly = sd_get_readonly(sd);
602
603 if (inserted) {
604 trace_sdcard_inserted(readonly);
605 sd_reset(dev);
606 } else {
607 trace_sdcard_ejected();
608 }
609
610 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
611 qemu_set_irq(sd->inserted_cb, inserted);
612 if (inserted) {
613 qemu_set_irq(sd->readonly_cb, readonly);
614 }
615 } else {
616 sdbus = SD_BUS(qdev_get_parent_bus(dev));
617 sdbus_set_inserted(sdbus, inserted);
618 if (inserted) {
619 sdbus_set_readonly(sdbus, readonly);
620 }
621 }
622 }
623
624 static const BlockDevOps sd_block_ops = {
625 .change_media_cb = sd_cardchange,
626 };
627
628 static bool sd_ocr_vmstate_needed(void *opaque)
629 {
630 SDState *sd = opaque;
631
632 /* Include the OCR state (and timer) if it is not yet powered up */
633 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
634 }
635
636 static const VMStateDescription sd_ocr_vmstate = {
637 .name = "sd-card/ocr-state",
638 .version_id = 1,
639 .minimum_version_id = 1,
640 .needed = sd_ocr_vmstate_needed,
641 .fields = (VMStateField[]) {
642 VMSTATE_UINT32(ocr, SDState),
643 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
644 VMSTATE_END_OF_LIST()
645 },
646 };
647
648 static int sd_vmstate_pre_load(void *opaque)
649 {
650 SDState *sd = opaque;
651
652 /* If the OCR state is not included (prior versions, or not
653 * needed), then the OCR must be set as powered up. If the OCR state
654 * is included, this will be replaced by the state restore.
655 */
656 sd_ocr_powerup(sd);
657
658 return 0;
659 }
660
661 static const VMStateDescription sd_vmstate = {
662 .name = "sd-card",
663 .version_id = 2,
664 .minimum_version_id = 2,
665 .pre_load = sd_vmstate_pre_load,
666 .fields = (VMStateField[]) {
667 VMSTATE_UINT32(mode, SDState),
668 VMSTATE_INT32(state, SDState),
669 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
670 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
671 VMSTATE_UINT16(rca, SDState),
672 VMSTATE_UINT32(card_status, SDState),
673 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
674 VMSTATE_UINT32(vhs, SDState),
675 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
676 VMSTATE_UINT32(blk_len, SDState),
677 VMSTATE_UINT32(multi_blk_cnt, SDState),
678 VMSTATE_UINT32(erase_start, SDState),
679 VMSTATE_UINT32(erase_end, SDState),
680 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
681 VMSTATE_UINT32(pwd_len, SDState),
682 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
683 VMSTATE_UINT8(current_cmd, SDState),
684 VMSTATE_BOOL(expecting_acmd, SDState),
685 VMSTATE_UINT32(blk_written, SDState),
686 VMSTATE_UINT64(data_start, SDState),
687 VMSTATE_UINT32(data_offset, SDState),
688 VMSTATE_UINT8_ARRAY(data, SDState, 512),
689 VMSTATE_UNUSED_V(1, 512),
690 VMSTATE_BOOL(enable, SDState),
691 VMSTATE_END_OF_LIST()
692 },
693 .subsections = (const VMStateDescription*[]) {
694 &sd_ocr_vmstate,
695 NULL
696 },
697 };
698
699 /* Legacy initialization function for use by non-qdevified callers */
700 SDState *sd_init(BlockBackend *blk, bool is_spi)
701 {
702 Object *obj;
703 DeviceState *dev;
704 SDState *sd;
705 Error *err = NULL;
706
707 obj = object_new(TYPE_SD_CARD);
708 dev = DEVICE(obj);
709 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
710 error_reportf_err(err, "sd_init failed: ");
711 return NULL;
712 }
713 qdev_prop_set_bit(dev, "spi", is_spi);
714
715 /*
716 * Realizing the device properly would put it into the QOM
717 * composition tree even though it is not plugged into an
718 * appropriate bus. That's a no-no. Hide the device from
719 * QOM/qdev, and call its qdev realize callback directly.
720 */
721 object_ref(obj);
722 object_unparent(obj);
723 sd_realize(dev, &err);
724 if (err) {
725 error_reportf_err(err, "sd_init failed: ");
726 return NULL;
727 }
728
729 sd = SD_CARD(dev);
730 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
731 return sd;
732 }
733
734 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
735 {
736 sd->readonly_cb = readonly;
737 sd->inserted_cb = insert;
738 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
739 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
740 }
741
742 static void sd_erase(SDState *sd)
743 {
744 int i;
745 uint64_t erase_start = sd->erase_start;
746 uint64_t erase_end = sd->erase_end;
747
748 trace_sdcard_erase(sd->erase_start, sd->erase_end);
749 if (sd->erase_start == INVALID_ADDRESS
750 || sd->erase_end == INVALID_ADDRESS) {
751 sd->card_status |= ERASE_SEQ_ERROR;
752 sd->erase_start = INVALID_ADDRESS;
753 sd->erase_end = INVALID_ADDRESS;
754 return;
755 }
756
757 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
758 /* High capacity memory card: erase units are 512 byte blocks */
759 erase_start *= 512;
760 erase_end *= 512;
761 }
762
763 if (erase_start > sd->size || erase_end > sd->size) {
764 sd->card_status |= OUT_OF_RANGE;
765 sd->erase_start = INVALID_ADDRESS;
766 sd->erase_end = INVALID_ADDRESS;
767 return;
768 }
769
770 erase_start = sd_addr_to_wpnum(erase_start);
771 erase_end = sd_addr_to_wpnum(erase_end);
772 sd->erase_start = INVALID_ADDRESS;
773 sd->erase_end = INVALID_ADDRESS;
774 sd->csd[14] |= 0x40;
775
776 for (i = erase_start; i <= erase_end; i++) {
777 assert(i < sd->wpgrps_size);
778 if (test_bit(i, sd->wp_groups)) {
779 sd->card_status |= WP_ERASE_SKIP;
780 }
781 }
782 }
783
784 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
785 {
786 uint32_t i, wpnum;
787 uint32_t ret = 0;
788
789 wpnum = sd_addr_to_wpnum(addr);
790
791 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
792 assert(wpnum < sd->wpgrps_size);
793 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
794 ret |= (1 << i);
795 }
796 }
797
798 return ret;
799 }
800
801 static void sd_function_switch(SDState *sd, uint32_t arg)
802 {
803 int i, mode, new_func;
804 mode = !!(arg & 0x80000000);
805
806 sd->data[0] = 0x00; /* Maximum current consumption */
807 sd->data[1] = 0x01;
808 sd->data[2] = 0x80; /* Supported group 6 functions */
809 sd->data[3] = 0x01;
810 sd->data[4] = 0x80; /* Supported group 5 functions */
811 sd->data[5] = 0x01;
812 sd->data[6] = 0x80; /* Supported group 4 functions */
813 sd->data[7] = 0x01;
814 sd->data[8] = 0x80; /* Supported group 3 functions */
815 sd->data[9] = 0x01;
816 sd->data[10] = 0x80; /* Supported group 2 functions */
817 sd->data[11] = 0x43;
818 sd->data[12] = 0x80; /* Supported group 1 functions */
819 sd->data[13] = 0x03;
820
821 memset(&sd->data[14], 0, 3);
822 for (i = 0; i < 6; i ++) {
823 new_func = (arg >> (i * 4)) & 0x0f;
824 if (mode && new_func != 0x0f)
825 sd->function_group[i] = new_func;
826 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
827 }
828 memset(&sd->data[17], 0, 47);
829 }
830
831 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
832 {
833 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
834 }
835
836 static void sd_lock_command(SDState *sd)
837 {
838 int erase, lock, clr_pwd, set_pwd, pwd_len;
839 erase = !!(sd->data[0] & 0x08);
840 lock = sd->data[0] & 0x04;
841 clr_pwd = sd->data[0] & 0x02;
842 set_pwd = sd->data[0] & 0x01;
843
844 if (sd->blk_len > 1)
845 pwd_len = sd->data[1];
846 else
847 pwd_len = 0;
848
849 if (lock) {
850 trace_sdcard_lock();
851 } else {
852 trace_sdcard_unlock();
853 }
854 if (erase) {
855 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
856 set_pwd || clr_pwd || lock || sd->wp_switch ||
857 (sd->csd[14] & 0x20)) {
858 sd->card_status |= LOCK_UNLOCK_FAILED;
859 return;
860 }
861 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
862 sd->csd[14] &= ~0x10;
863 sd->card_status &= ~CARD_IS_LOCKED;
864 sd->pwd_len = 0;
865 /* Erasing the entire card here! */
866 fprintf(stderr, "SD: Card force-erased by CMD42\n");
867 return;
868 }
869
870 if (sd->blk_len < 2 + pwd_len ||
871 pwd_len <= sd->pwd_len ||
872 pwd_len > sd->pwd_len + 16) {
873 sd->card_status |= LOCK_UNLOCK_FAILED;
874 return;
875 }
876
877 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
878 sd->card_status |= LOCK_UNLOCK_FAILED;
879 return;
880 }
881
882 pwd_len -= sd->pwd_len;
883 if ((pwd_len && !set_pwd) ||
884 (clr_pwd && (set_pwd || lock)) ||
885 (lock && !sd->pwd_len && !set_pwd) ||
886 (!set_pwd && !clr_pwd &&
887 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
888 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
889 sd->card_status |= LOCK_UNLOCK_FAILED;
890 return;
891 }
892
893 if (set_pwd) {
894 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
895 sd->pwd_len = pwd_len;
896 }
897
898 if (clr_pwd) {
899 sd->pwd_len = 0;
900 }
901
902 if (lock)
903 sd->card_status |= CARD_IS_LOCKED;
904 else
905 sd->card_status &= ~CARD_IS_LOCKED;
906 }
907
908 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
909 {
910 uint32_t rca = 0x0000;
911 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
912
913 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
914 * However there is no ACMD55, so we want to trace this particular case.
915 */
916 if (req.cmd != 55 || sd->expecting_acmd) {
917 trace_sdcard_normal_command(sd->proto_name,
918 sd_cmd_name(req.cmd), req.cmd,
919 req.arg, sd_state_name(sd->state));
920 }
921
922 /* Not interpreting this as an app command */
923 sd->card_status &= ~APP_CMD;
924
925 if (sd_cmd_type[req.cmd] == sd_ac
926 || sd_cmd_type[req.cmd] == sd_adtc) {
927 rca = req.arg >> 16;
928 }
929
930 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
931 * if not, its effects are cancelled */
932 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
933 sd->multi_blk_cnt = 0;
934 }
935
936 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
937 /* Only Standard Capacity cards support class 6 commands */
938 return sd_illegal;
939 }
940
941 switch (req.cmd) {
942 /* Basic commands (Class 0 and Class 1) */
943 case 0: /* CMD0: GO_IDLE_STATE */
944 switch (sd->state) {
945 case sd_inactive_state:
946 return sd->spi ? sd_r1 : sd_r0;
947
948 default:
949 sd->state = sd_idle_state;
950 sd_reset(DEVICE(sd));
951 return sd->spi ? sd_r1 : sd_r0;
952 }
953 break;
954
955 case 1: /* CMD1: SEND_OP_CMD */
956 if (!sd->spi)
957 goto bad_cmd;
958
959 sd->state = sd_transfer_state;
960 return sd_r1;
961
962 case 2: /* CMD2: ALL_SEND_CID */
963 if (sd->spi)
964 goto bad_cmd;
965 switch (sd->state) {
966 case sd_ready_state:
967 sd->state = sd_identification_state;
968 return sd_r2_i;
969
970 default:
971 break;
972 }
973 break;
974
975 case 3: /* CMD3: SEND_RELATIVE_ADDR */
976 if (sd->spi)
977 goto bad_cmd;
978 switch (sd->state) {
979 case sd_identification_state:
980 case sd_standby_state:
981 sd->state = sd_standby_state;
982 sd_set_rca(sd);
983 return sd_r6;
984
985 default:
986 break;
987 }
988 break;
989
990 case 4: /* CMD4: SEND_DSR */
991 if (sd->spi)
992 goto bad_cmd;
993 switch (sd->state) {
994 case sd_standby_state:
995 break;
996
997 default:
998 break;
999 }
1000 break;
1001
1002 case 5: /* CMD5: reserved for SDIO cards */
1003 return sd_illegal;
1004
1005 case 6: /* CMD6: SWITCH_FUNCTION */
1006 switch (sd->mode) {
1007 case sd_data_transfer_mode:
1008 sd_function_switch(sd, req.arg);
1009 sd->state = sd_sendingdata_state;
1010 sd->data_start = 0;
1011 sd->data_offset = 0;
1012 return sd_r1;
1013
1014 default:
1015 break;
1016 }
1017 break;
1018
1019 case 7: /* CMD7: SELECT/DESELECT_CARD */
1020 if (sd->spi)
1021 goto bad_cmd;
1022 switch (sd->state) {
1023 case sd_standby_state:
1024 if (sd->rca != rca)
1025 return sd_r0;
1026
1027 sd->state = sd_transfer_state;
1028 return sd_r1b;
1029
1030 case sd_transfer_state:
1031 case sd_sendingdata_state:
1032 if (sd->rca == rca)
1033 break;
1034
1035 sd->state = sd_standby_state;
1036 return sd_r1b;
1037
1038 case sd_disconnect_state:
1039 if (sd->rca != rca)
1040 return sd_r0;
1041
1042 sd->state = sd_programming_state;
1043 return sd_r1b;
1044
1045 case sd_programming_state:
1046 if (sd->rca == rca)
1047 break;
1048
1049 sd->state = sd_disconnect_state;
1050 return sd_r1b;
1051
1052 default:
1053 break;
1054 }
1055 break;
1056
1057 case 8: /* CMD8: SEND_IF_COND */
1058 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1059 break;
1060 }
1061 if (sd->state != sd_idle_state) {
1062 break;
1063 }
1064 sd->vhs = 0;
1065
1066 /* No response if not exactly one VHS bit is set. */
1067 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1068 return sd->spi ? sd_r7 : sd_r0;
1069 }
1070
1071 /* Accept. */
1072 sd->vhs = req.arg;
1073 return sd_r7;
1074
1075 case 9: /* CMD9: SEND_CSD */
1076 switch (sd->state) {
1077 case sd_standby_state:
1078 if (sd->rca != rca)
1079 return sd_r0;
1080
1081 return sd_r2_s;
1082
1083 case sd_transfer_state:
1084 if (!sd->spi)
1085 break;
1086 sd->state = sd_sendingdata_state;
1087 memcpy(sd->data, sd->csd, 16);
1088 sd->data_start = addr;
1089 sd->data_offset = 0;
1090 return sd_r1;
1091
1092 default:
1093 break;
1094 }
1095 break;
1096
1097 case 10: /* CMD10: SEND_CID */
1098 switch (sd->state) {
1099 case sd_standby_state:
1100 if (sd->rca != rca)
1101 return sd_r0;
1102
1103 return sd_r2_i;
1104
1105 case sd_transfer_state:
1106 if (!sd->spi)
1107 break;
1108 sd->state = sd_sendingdata_state;
1109 memcpy(sd->data, sd->cid, 16);
1110 sd->data_start = addr;
1111 sd->data_offset = 0;
1112 return sd_r1;
1113
1114 default:
1115 break;
1116 }
1117 break;
1118
1119 case 12: /* CMD12: STOP_TRANSMISSION */
1120 switch (sd->state) {
1121 case sd_sendingdata_state:
1122 sd->state = sd_transfer_state;
1123 return sd_r1b;
1124
1125 case sd_receivingdata_state:
1126 sd->state = sd_programming_state;
1127 /* Bzzzzzzztt .... Operation complete. */
1128 sd->state = sd_transfer_state;
1129 return sd_r1b;
1130
1131 default:
1132 break;
1133 }
1134 break;
1135
1136 case 13: /* CMD13: SEND_STATUS */
1137 switch (sd->mode) {
1138 case sd_data_transfer_mode:
1139 if (sd->rca != rca)
1140 return sd_r0;
1141
1142 return sd_r1;
1143
1144 default:
1145 break;
1146 }
1147 break;
1148
1149 case 15: /* CMD15: GO_INACTIVE_STATE */
1150 if (sd->spi)
1151 goto bad_cmd;
1152 switch (sd->mode) {
1153 case sd_data_transfer_mode:
1154 if (sd->rca != rca)
1155 return sd_r0;
1156
1157 sd->state = sd_inactive_state;
1158 return sd_r0;
1159
1160 default:
1161 break;
1162 }
1163 break;
1164
1165 /* Block read commands (Classs 2) */
1166 case 16: /* CMD16: SET_BLOCKLEN */
1167 switch (sd->state) {
1168 case sd_transfer_state:
1169 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1170 sd->card_status |= BLOCK_LEN_ERROR;
1171 } else {
1172 trace_sdcard_set_blocklen(req.arg);
1173 sd->blk_len = req.arg;
1174 }
1175
1176 return sd_r1;
1177
1178 default:
1179 break;
1180 }
1181 break;
1182
1183 case 17: /* CMD17: READ_SINGLE_BLOCK */
1184 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1185 switch (sd->state) {
1186 case sd_transfer_state:
1187
1188 if (addr + sd->blk_len > sd->size) {
1189 sd->card_status |= ADDRESS_ERROR;
1190 return sd_r1;
1191 }
1192
1193 sd->state = sd_sendingdata_state;
1194 sd->data_start = addr;
1195 sd->data_offset = 0;
1196 return sd_r1;
1197
1198 default:
1199 break;
1200 }
1201 break;
1202
1203 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1204 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1205 break;
1206 }
1207 if (sd->state == sd_transfer_state) {
1208 sd->state = sd_sendingdata_state;
1209 sd->data_offset = 0;
1210 return sd_r1;
1211 }
1212 break;
1213
1214 case 23: /* CMD23: SET_BLOCK_COUNT */
1215 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1216 break;
1217 }
1218 switch (sd->state) {
1219 case sd_transfer_state:
1220 sd->multi_blk_cnt = req.arg;
1221 return sd_r1;
1222
1223 default:
1224 break;
1225 }
1226 break;
1227
1228 /* Block write commands (Class 4) */
1229 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1230 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1231 switch (sd->state) {
1232 case sd_transfer_state:
1233
1234 if (addr + sd->blk_len > sd->size) {
1235 sd->card_status |= ADDRESS_ERROR;
1236 return sd_r1;
1237 }
1238
1239 sd->state = sd_receivingdata_state;
1240 sd->data_start = addr;
1241 sd->data_offset = 0;
1242 sd->blk_written = 0;
1243
1244 if (sd_wp_addr(sd, sd->data_start)) {
1245 sd->card_status |= WP_VIOLATION;
1246 }
1247 if (sd->csd[14] & 0x30) {
1248 sd->card_status |= WP_VIOLATION;
1249 }
1250 return sd_r1;
1251
1252 default:
1253 break;
1254 }
1255 break;
1256
1257 case 26: /* CMD26: PROGRAM_CID */
1258 if (sd->spi)
1259 goto bad_cmd;
1260 switch (sd->state) {
1261 case sd_transfer_state:
1262 sd->state = sd_receivingdata_state;
1263 sd->data_start = 0;
1264 sd->data_offset = 0;
1265 return sd_r1;
1266
1267 default:
1268 break;
1269 }
1270 break;
1271
1272 case 27: /* CMD27: PROGRAM_CSD */
1273 switch (sd->state) {
1274 case sd_transfer_state:
1275 sd->state = sd_receivingdata_state;
1276 sd->data_start = 0;
1277 sd->data_offset = 0;
1278 return sd_r1;
1279
1280 default:
1281 break;
1282 }
1283 break;
1284
1285 /* Write protection (Class 6) */
1286 case 28: /* CMD28: SET_WRITE_PROT */
1287 if (sd->size > SDSC_MAX_CAPACITY) {
1288 return sd_illegal;
1289 }
1290
1291 switch (sd->state) {
1292 case sd_transfer_state:
1293 if (addr >= sd->size) {
1294 sd->card_status |= ADDRESS_ERROR;
1295 return sd_r1b;
1296 }
1297
1298 sd->state = sd_programming_state;
1299 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1300 /* Bzzzzzzztt .... Operation complete. */
1301 sd->state = sd_transfer_state;
1302 return sd_r1b;
1303
1304 default:
1305 break;
1306 }
1307 break;
1308
1309 case 29: /* CMD29: CLR_WRITE_PROT */
1310 if (sd->size > SDSC_MAX_CAPACITY) {
1311 return sd_illegal;
1312 }
1313
1314 switch (sd->state) {
1315 case sd_transfer_state:
1316 if (addr >= sd->size) {
1317 sd->card_status |= ADDRESS_ERROR;
1318 return sd_r1b;
1319 }
1320
1321 sd->state = sd_programming_state;
1322 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1323 /* Bzzzzzzztt .... Operation complete. */
1324 sd->state = sd_transfer_state;
1325 return sd_r1b;
1326
1327 default:
1328 break;
1329 }
1330 break;
1331
1332 case 30: /* CMD30: SEND_WRITE_PROT */
1333 if (sd->size > SDSC_MAX_CAPACITY) {
1334 return sd_illegal;
1335 }
1336
1337 switch (sd->state) {
1338 case sd_transfer_state:
1339 sd->state = sd_sendingdata_state;
1340 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1341 sd->data_start = addr;
1342 sd->data_offset = 0;
1343 return sd_r1b;
1344
1345 default:
1346 break;
1347 }
1348 break;
1349
1350 /* Erase commands (Class 5) */
1351 case 32: /* CMD32: ERASE_WR_BLK_START */
1352 switch (sd->state) {
1353 case sd_transfer_state:
1354 sd->erase_start = req.arg;
1355 return sd_r1;
1356
1357 default:
1358 break;
1359 }
1360 break;
1361
1362 case 33: /* CMD33: ERASE_WR_BLK_END */
1363 switch (sd->state) {
1364 case sd_transfer_state:
1365 sd->erase_end = req.arg;
1366 return sd_r1;
1367
1368 default:
1369 break;
1370 }
1371 break;
1372
1373 case 38: /* CMD38: ERASE */
1374 switch (sd->state) {
1375 case sd_transfer_state:
1376 if (sd->csd[14] & 0x30) {
1377 sd->card_status |= WP_VIOLATION;
1378 return sd_r1b;
1379 }
1380
1381 sd->state = sd_programming_state;
1382 sd_erase(sd);
1383 /* Bzzzzzzztt .... Operation complete. */
1384 sd->state = sd_transfer_state;
1385 return sd_r1b;
1386
1387 default:
1388 break;
1389 }
1390 break;
1391
1392 /* Lock card commands (Class 7) */
1393 case 42: /* CMD42: LOCK_UNLOCK */
1394 switch (sd->state) {
1395 case sd_transfer_state:
1396 sd->state = sd_receivingdata_state;
1397 sd->data_start = 0;
1398 sd->data_offset = 0;
1399 return sd_r1;
1400
1401 default:
1402 break;
1403 }
1404 break;
1405
1406 case 52 ... 54:
1407 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1408 * (see the SDIO Simplified Specification V2.0)
1409 * Handle as illegal command but do not complain
1410 * on stderr, as some OSes may use these in their
1411 * probing for presence of an SDIO card.
1412 */
1413 return sd_illegal;
1414
1415 /* Application specific commands (Class 8) */
1416 case 55: /* CMD55: APP_CMD */
1417 switch (sd->state) {
1418 case sd_ready_state:
1419 case sd_identification_state:
1420 case sd_inactive_state:
1421 return sd_illegal;
1422 case sd_idle_state:
1423 if (rca) {
1424 qemu_log_mask(LOG_GUEST_ERROR,
1425 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1426 }
1427 default:
1428 break;
1429 }
1430 if (!sd->spi) {
1431 if (sd->rca != rca) {
1432 return sd_r0;
1433 }
1434 }
1435 sd->expecting_acmd = true;
1436 sd->card_status |= APP_CMD;
1437 return sd_r1;
1438
1439 case 56: /* CMD56: GEN_CMD */
1440 switch (sd->state) {
1441 case sd_transfer_state:
1442 sd->data_offset = 0;
1443 if (req.arg & 1)
1444 sd->state = sd_sendingdata_state;
1445 else
1446 sd->state = sd_receivingdata_state;
1447 return sd_r1;
1448
1449 default:
1450 break;
1451 }
1452 break;
1453
1454 case 58: /* CMD58: READ_OCR (SPI) */
1455 if (!sd->spi) {
1456 goto bad_cmd;
1457 }
1458 return sd_r3;
1459
1460 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1461 if (!sd->spi) {
1462 goto bad_cmd;
1463 }
1464 return sd_r1;
1465
1466 default:
1467 bad_cmd:
1468 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1469 return sd_illegal;
1470 }
1471
1472 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1473 return sd_illegal;
1474 }
1475
1476 static sd_rsp_type_t sd_app_command(SDState *sd,
1477 SDRequest req)
1478 {
1479 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1480 req.cmd, req.arg, sd_state_name(sd->state));
1481 sd->card_status |= APP_CMD;
1482 switch (req.cmd) {
1483 case 6: /* ACMD6: SET_BUS_WIDTH */
1484 if (sd->spi) {
1485 goto unimplemented_spi_cmd;
1486 }
1487 switch (sd->state) {
1488 case sd_transfer_state:
1489 sd->sd_status[0] &= 0x3f;
1490 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1491 return sd_r1;
1492
1493 default:
1494 break;
1495 }
1496 break;
1497
1498 case 13: /* ACMD13: SD_STATUS */
1499 switch (sd->state) {
1500 case sd_transfer_state:
1501 sd->state = sd_sendingdata_state;
1502 sd->data_start = 0;
1503 sd->data_offset = 0;
1504 return sd_r1;
1505
1506 default:
1507 break;
1508 }
1509 break;
1510
1511 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1512 switch (sd->state) {
1513 case sd_transfer_state:
1514 *(uint32_t *) sd->data = sd->blk_written;
1515
1516 sd->state = sd_sendingdata_state;
1517 sd->data_start = 0;
1518 sd->data_offset = 0;
1519 return sd_r1;
1520
1521 default:
1522 break;
1523 }
1524 break;
1525
1526 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1527 switch (sd->state) {
1528 case sd_transfer_state:
1529 return sd_r1;
1530
1531 default:
1532 break;
1533 }
1534 break;
1535
1536 case 41: /* ACMD41: SD_APP_OP_COND */
1537 if (sd->spi) {
1538 /* SEND_OP_CMD */
1539 sd->state = sd_transfer_state;
1540 return sd_r1;
1541 }
1542 if (sd->state != sd_idle_state) {
1543 break;
1544 }
1545 /* If it's the first ACMD41 since reset, we need to decide
1546 * whether to power up. If this is not an enquiry ACMD41,
1547 * we immediately report power on and proceed below to the
1548 * ready state, but if it is, we set a timer to model a
1549 * delay for power up. This works around a bug in EDK2
1550 * UEFI, which sends an initial enquiry ACMD41, but
1551 * assumes that the card is in ready state as soon as it
1552 * sees the power up bit set. */
1553 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1554 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1555 timer_del(sd->ocr_power_timer);
1556 sd_ocr_powerup(sd);
1557 } else {
1558 trace_sdcard_inquiry_cmd41();
1559 if (!timer_pending(sd->ocr_power_timer)) {
1560 timer_mod_ns(sd->ocr_power_timer,
1561 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1562 + OCR_POWER_DELAY_NS));
1563 }
1564 }
1565 }
1566
1567 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1568 /* We accept any voltage. 10000 V is nothing.
1569 *
1570 * Once we're powered up, we advance straight to ready state
1571 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1572 */
1573 sd->state = sd_ready_state;
1574 }
1575
1576 return sd_r3;
1577
1578 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1579 switch (sd->state) {
1580 case sd_transfer_state:
1581 /* Bringing in the 50KOhm pull-up resistor... Done. */
1582 return sd_r1;
1583
1584 default:
1585 break;
1586 }
1587 break;
1588
1589 case 51: /* ACMD51: SEND_SCR */
1590 switch (sd->state) {
1591 case sd_transfer_state:
1592 sd->state = sd_sendingdata_state;
1593 sd->data_start = 0;
1594 sd->data_offset = 0;
1595 return sd_r1;
1596
1597 default:
1598 break;
1599 }
1600 break;
1601
1602 case 18: /* Reserved for SD security applications */
1603 case 25:
1604 case 26:
1605 case 38:
1606 case 43 ... 49:
1607 /* Refer to the "SD Specifications Part3 Security Specification" for
1608 * information about the SD Security Features.
1609 */
1610 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1611 req.cmd);
1612 return sd_illegal;
1613
1614 default:
1615 /* Fall back to standard commands. */
1616 return sd_normal_command(sd, req);
1617
1618 unimplemented_spi_cmd:
1619 /* Commands that are recognised but not yet implemented in SPI mode. */
1620 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1621 req.cmd);
1622 return sd_illegal;
1623 }
1624
1625 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1626 return sd_illegal;
1627 }
1628
1629 static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1630 {
1631 /* Valid commands in locked state:
1632 * basic class (0)
1633 * lock card class (7)
1634 * CMD16
1635 * implicitly, the ACMD prefix CMD55
1636 * ACMD41 and ACMD42
1637 * Anything else provokes an "illegal command" response.
1638 */
1639 if (sd->expecting_acmd) {
1640 return cmd == 41 || cmd == 42;
1641 }
1642 if (cmd == 16 || cmd == 55) {
1643 return 1;
1644 }
1645 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1646 }
1647
1648 int sd_do_command(SDState *sd, SDRequest *req,
1649 uint8_t *response) {
1650 int last_state;
1651 sd_rsp_type_t rtype;
1652 int rsplen;
1653
1654 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1655 return 0;
1656 }
1657
1658 if (sd_req_crc_validate(req)) {
1659 sd->card_status |= COM_CRC_ERROR;
1660 rtype = sd_illegal;
1661 goto send_response;
1662 }
1663
1664 if (req->cmd >= SDMMC_CMD_MAX) {
1665 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1666 req->cmd);
1667 req->cmd &= 0x3f;
1668 }
1669
1670 if (sd->card_status & CARD_IS_LOCKED) {
1671 if (!cmd_valid_while_locked(sd, req->cmd)) {
1672 sd->card_status |= ILLEGAL_COMMAND;
1673 sd->expecting_acmd = false;
1674 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1675 rtype = sd_illegal;
1676 goto send_response;
1677 }
1678 }
1679
1680 last_state = sd->state;
1681 sd_set_mode(sd);
1682
1683 if (sd->expecting_acmd) {
1684 sd->expecting_acmd = false;
1685 rtype = sd_app_command(sd, *req);
1686 } else {
1687 rtype = sd_normal_command(sd, *req);
1688 }
1689
1690 if (rtype == sd_illegal) {
1691 sd->card_status |= ILLEGAL_COMMAND;
1692 } else {
1693 /* Valid command, we can update the 'state before command' bits.
1694 * (Do this now so they appear in r1 responses.)
1695 */
1696 sd->current_cmd = req->cmd;
1697 sd->card_status &= ~CURRENT_STATE;
1698 sd->card_status |= (last_state << 9);
1699 }
1700
1701 send_response:
1702 switch (rtype) {
1703 case sd_r1:
1704 case sd_r1b:
1705 sd_response_r1_make(sd, response);
1706 rsplen = 4;
1707 break;
1708
1709 case sd_r2_i:
1710 memcpy(response, sd->cid, sizeof(sd->cid));
1711 rsplen = 16;
1712 break;
1713
1714 case sd_r2_s:
1715 memcpy(response, sd->csd, sizeof(sd->csd));
1716 rsplen = 16;
1717 break;
1718
1719 case sd_r3:
1720 sd_response_r3_make(sd, response);
1721 rsplen = 4;
1722 break;
1723
1724 case sd_r6:
1725 sd_response_r6_make(sd, response);
1726 rsplen = 4;
1727 break;
1728
1729 case sd_r7:
1730 sd_response_r7_make(sd, response);
1731 rsplen = 4;
1732 break;
1733
1734 case sd_r0:
1735 case sd_illegal:
1736 rsplen = 0;
1737 break;
1738 default:
1739 g_assert_not_reached();
1740 }
1741 trace_sdcard_response(sd_response_name(rtype), rsplen);
1742
1743 if (rtype != sd_illegal) {
1744 /* Clear the "clear on valid command" status bits now we've
1745 * sent any response
1746 */
1747 sd->card_status &= ~CARD_STATUS_B;
1748 }
1749
1750 #ifdef DEBUG_SD
1751 qemu_hexdump(stderr, "Response", response, rsplen);
1752 #endif
1753
1754 return rsplen;
1755 }
1756
1757 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1758 {
1759 trace_sdcard_read_block(addr, len);
1760 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1761 fprintf(stderr, "sd_blk_read: read error on host side\n");
1762 }
1763 }
1764
1765 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1766 {
1767 trace_sdcard_write_block(addr, len);
1768 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1769 fprintf(stderr, "sd_blk_write: write error on host side\n");
1770 }
1771 }
1772
1773 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1774 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1775 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1776 #define APP_WRITE_BLOCK(a, len)
1777
1778 void sd_write_byte(SDState *sd, uint8_t value)
1779 {
1780 int i;
1781
1782 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1783 return;
1784
1785 if (sd->state != sd_receivingdata_state) {
1786 qemu_log_mask(LOG_GUEST_ERROR,
1787 "%s: not in Receiving-Data state\n", __func__);
1788 return;
1789 }
1790
1791 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1792 return;
1793
1794 trace_sdcard_write_data(sd->proto_name,
1795 sd_acmd_name(sd->current_cmd),
1796 sd->current_cmd, value);
1797 switch (sd->current_cmd) {
1798 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1799 sd->data[sd->data_offset ++] = value;
1800 if (sd->data_offset >= sd->blk_len) {
1801 /* TODO: Check CRC before committing */
1802 sd->state = sd_programming_state;
1803 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1804 sd->blk_written ++;
1805 sd->csd[14] |= 0x40;
1806 /* Bzzzzzzztt .... Operation complete. */
1807 sd->state = sd_transfer_state;
1808 }
1809 break;
1810
1811 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1812 if (sd->data_offset == 0) {
1813 /* Start of the block - let's check the address is valid */
1814 if (sd->data_start + sd->blk_len > sd->size) {
1815 sd->card_status |= ADDRESS_ERROR;
1816 break;
1817 }
1818 if (sd_wp_addr(sd, sd->data_start)) {
1819 sd->card_status |= WP_VIOLATION;
1820 break;
1821 }
1822 }
1823 sd->data[sd->data_offset++] = value;
1824 if (sd->data_offset >= sd->blk_len) {
1825 /* TODO: Check CRC before committing */
1826 sd->state = sd_programming_state;
1827 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1828 sd->blk_written++;
1829 sd->data_start += sd->blk_len;
1830 sd->data_offset = 0;
1831 sd->csd[14] |= 0x40;
1832
1833 /* Bzzzzzzztt .... Operation complete. */
1834 if (sd->multi_blk_cnt != 0) {
1835 if (--sd->multi_blk_cnt == 0) {
1836 /* Stop! */
1837 sd->state = sd_transfer_state;
1838 break;
1839 }
1840 }
1841
1842 sd->state = sd_receivingdata_state;
1843 }
1844 break;
1845
1846 case 26: /* CMD26: PROGRAM_CID */
1847 sd->data[sd->data_offset ++] = value;
1848 if (sd->data_offset >= sizeof(sd->cid)) {
1849 /* TODO: Check CRC before committing */
1850 sd->state = sd_programming_state;
1851 for (i = 0; i < sizeof(sd->cid); i ++)
1852 if ((sd->cid[i] | 0x00) != sd->data[i])
1853 sd->card_status |= CID_CSD_OVERWRITE;
1854
1855 if (!(sd->card_status & CID_CSD_OVERWRITE))
1856 for (i = 0; i < sizeof(sd->cid); i ++) {
1857 sd->cid[i] |= 0x00;
1858 sd->cid[i] &= sd->data[i];
1859 }
1860 /* Bzzzzzzztt .... Operation complete. */
1861 sd->state = sd_transfer_state;
1862 }
1863 break;
1864
1865 case 27: /* CMD27: PROGRAM_CSD */
1866 sd->data[sd->data_offset ++] = value;
1867 if (sd->data_offset >= sizeof(sd->csd)) {
1868 /* TODO: Check CRC before committing */
1869 sd->state = sd_programming_state;
1870 for (i = 0; i < sizeof(sd->csd); i ++)
1871 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1872 (sd->data[i] | sd_csd_rw_mask[i]))
1873 sd->card_status |= CID_CSD_OVERWRITE;
1874
1875 /* Copy flag (OTP) & Permanent write protect */
1876 if (sd->csd[14] & ~sd->data[14] & 0x60)
1877 sd->card_status |= CID_CSD_OVERWRITE;
1878
1879 if (!(sd->card_status & CID_CSD_OVERWRITE))
1880 for (i = 0; i < sizeof(sd->csd); i ++) {
1881 sd->csd[i] |= sd_csd_rw_mask[i];
1882 sd->csd[i] &= sd->data[i];
1883 }
1884 /* Bzzzzzzztt .... Operation complete. */
1885 sd->state = sd_transfer_state;
1886 }
1887 break;
1888
1889 case 42: /* CMD42: LOCK_UNLOCK */
1890 sd->data[sd->data_offset ++] = value;
1891 if (sd->data_offset >= sd->blk_len) {
1892 /* TODO: Check CRC before committing */
1893 sd->state = sd_programming_state;
1894 sd_lock_command(sd);
1895 /* Bzzzzzzztt .... Operation complete. */
1896 sd->state = sd_transfer_state;
1897 }
1898 break;
1899
1900 case 56: /* CMD56: GEN_CMD */
1901 sd->data[sd->data_offset ++] = value;
1902 if (sd->data_offset >= sd->blk_len) {
1903 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1904 sd->state = sd_transfer_state;
1905 }
1906 break;
1907
1908 default:
1909 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1910 break;
1911 }
1912 }
1913
1914 #define SD_TUNING_BLOCK_SIZE 64
1915
1916 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1917 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1918 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1919 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1920 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1921 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1922 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1923 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1924 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1925 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1926 };
1927
1928 uint8_t sd_read_byte(SDState *sd)
1929 {
1930 /* TODO: Append CRCs */
1931 uint8_t ret;
1932 uint32_t io_len;
1933
1934 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1935 return 0x00;
1936
1937 if (sd->state != sd_sendingdata_state) {
1938 qemu_log_mask(LOG_GUEST_ERROR,
1939 "%s: not in Sending-Data state\n", __func__);
1940 return 0x00;
1941 }
1942
1943 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1944 return 0x00;
1945
1946 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1947
1948 trace_sdcard_read_data(sd->proto_name,
1949 sd_acmd_name(sd->current_cmd),
1950 sd->current_cmd, io_len);
1951 switch (sd->current_cmd) {
1952 case 6: /* CMD6: SWITCH_FUNCTION */
1953 ret = sd->data[sd->data_offset ++];
1954
1955 if (sd->data_offset >= 64)
1956 sd->state = sd_transfer_state;
1957 break;
1958
1959 case 9: /* CMD9: SEND_CSD */
1960 case 10: /* CMD10: SEND_CID */
1961 ret = sd->data[sd->data_offset ++];
1962
1963 if (sd->data_offset >= 16)
1964 sd->state = sd_transfer_state;
1965 break;
1966
1967 case 13: /* ACMD13: SD_STATUS */
1968 ret = sd->sd_status[sd->data_offset ++];
1969
1970 if (sd->data_offset >= sizeof(sd->sd_status))
1971 sd->state = sd_transfer_state;
1972 break;
1973
1974 case 17: /* CMD17: READ_SINGLE_BLOCK */
1975 if (sd->data_offset == 0)
1976 BLK_READ_BLOCK(sd->data_start, io_len);
1977 ret = sd->data[sd->data_offset ++];
1978
1979 if (sd->data_offset >= io_len)
1980 sd->state = sd_transfer_state;
1981 break;
1982
1983 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1984 if (sd->data_offset == 0) {
1985 if (sd->data_start + io_len > sd->size) {
1986 sd->card_status |= ADDRESS_ERROR;
1987 return 0x00;
1988 }
1989 BLK_READ_BLOCK(sd->data_start, io_len);
1990 }
1991 ret = sd->data[sd->data_offset ++];
1992
1993 if (sd->data_offset >= io_len) {
1994 sd->data_start += io_len;
1995 sd->data_offset = 0;
1996
1997 if (sd->multi_blk_cnt != 0) {
1998 if (--sd->multi_blk_cnt == 0) {
1999 /* Stop! */
2000 sd->state = sd_transfer_state;
2001 break;
2002 }
2003 }
2004 }
2005 break;
2006
2007 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2008 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2009 sd->state = sd_transfer_state;
2010 }
2011 ret = sd_tuning_block_pattern[sd->data_offset++];
2012 break;
2013
2014 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2015 ret = sd->data[sd->data_offset ++];
2016
2017 if (sd->data_offset >= 4)
2018 sd->state = sd_transfer_state;
2019 break;
2020
2021 case 30: /* CMD30: SEND_WRITE_PROT */
2022 ret = sd->data[sd->data_offset ++];
2023
2024 if (sd->data_offset >= 4)
2025 sd->state = sd_transfer_state;
2026 break;
2027
2028 case 51: /* ACMD51: SEND_SCR */
2029 ret = sd->scr[sd->data_offset ++];
2030
2031 if (sd->data_offset >= sizeof(sd->scr))
2032 sd->state = sd_transfer_state;
2033 break;
2034
2035 case 56: /* CMD56: GEN_CMD */
2036 if (sd->data_offset == 0)
2037 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2038 ret = sd->data[sd->data_offset ++];
2039
2040 if (sd->data_offset >= sd->blk_len)
2041 sd->state = sd_transfer_state;
2042 break;
2043
2044 default:
2045 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2046 return 0x00;
2047 }
2048
2049 return ret;
2050 }
2051
2052 static bool sd_receive_ready(SDState *sd)
2053 {
2054 return sd->state == sd_receivingdata_state;
2055 }
2056
2057 static bool sd_data_ready(SDState *sd)
2058 {
2059 return sd->state == sd_sendingdata_state;
2060 }
2061
2062 void sd_enable(SDState *sd, bool enable)
2063 {
2064 sd->enable = enable;
2065 }
2066
2067 static void sd_instance_init(Object *obj)
2068 {
2069 SDState *sd = SD_CARD(obj);
2070
2071 sd->enable = true;
2072 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2073 }
2074
2075 static void sd_instance_finalize(Object *obj)
2076 {
2077 SDState *sd = SD_CARD(obj);
2078
2079 timer_free(sd->ocr_power_timer);
2080 }
2081
2082 static void sd_realize(DeviceState *dev, Error **errp)
2083 {
2084 SDState *sd = SD_CARD(dev);
2085 int ret;
2086
2087 sd->proto_name = sd->spi ? "SPI" : "SD";
2088
2089 switch (sd->spec_version) {
2090 case SD_PHY_SPECv1_10_VERS
2091 ... SD_PHY_SPECv3_01_VERS:
2092 break;
2093 default:
2094 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2095 return;
2096 }
2097
2098 if (sd->blk) {
2099 int64_t blk_size;
2100
2101 if (!blk_supports_write_perm(sd->blk)) {
2102 error_setg(errp, "Cannot use read-only drive as SD card");
2103 return;
2104 }
2105
2106 blk_size = blk_getlength(sd->blk);
2107 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2108 int64_t blk_size_aligned = pow2ceil(blk_size);
2109 char *blk_size_str;
2110
2111 blk_size_str = size_to_str(blk_size);
2112 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2113 g_free(blk_size_str);
2114
2115 blk_size_str = size_to_str(blk_size_aligned);
2116 error_append_hint(errp,
2117 "SD card size has to be a power of 2, e.g. %s.\n"
2118 "You can resize disk images with"
2119 " 'qemu-img resize <imagefile> <new-size>'\n"
2120 "(note that this will lose data if you make the"
2121 " image smaller than it currently is).\n",
2122 blk_size_str);
2123 g_free(blk_size_str);
2124
2125 return;
2126 }
2127
2128 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2129 BLK_PERM_ALL, errp);
2130 if (ret < 0) {
2131 return;
2132 }
2133 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2134 }
2135 }
2136
2137 static Property sd_properties[] = {
2138 DEFINE_PROP_UINT8("spec_version", SDState,
2139 spec_version, SD_PHY_SPECv2_00_VERS),
2140 DEFINE_PROP_DRIVE("drive", SDState, blk),
2141 /* We do not model the chip select pin, so allow the board to select
2142 * whether card should be in SSI or MMC/SD mode. It is also up to the
2143 * board to ensure that ssi transfers only occur when the chip select
2144 * is asserted. */
2145 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2146 DEFINE_PROP_END_OF_LIST()
2147 };
2148
2149 static void sd_class_init(ObjectClass *klass, void *data)
2150 {
2151 DeviceClass *dc = DEVICE_CLASS(klass);
2152 SDCardClass *sc = SD_CARD_CLASS(klass);
2153
2154 dc->realize = sd_realize;
2155 device_class_set_props(dc, sd_properties);
2156 dc->vmsd = &sd_vmstate;
2157 dc->reset = sd_reset;
2158 dc->bus_type = TYPE_SD_BUS;
2159 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2160
2161 sc->set_voltage = sd_set_voltage;
2162 sc->get_dat_lines = sd_get_dat_lines;
2163 sc->get_cmd_line = sd_get_cmd_line;
2164 sc->do_command = sd_do_command;
2165 sc->write_byte = sd_write_byte;
2166 sc->read_byte = sd_read_byte;
2167 sc->receive_ready = sd_receive_ready;
2168 sc->data_ready = sd_data_ready;
2169 sc->enable = sd_enable;
2170 sc->get_inserted = sd_get_inserted;
2171 sc->get_readonly = sd_get_readonly;
2172 }
2173
2174 static const TypeInfo sd_info = {
2175 .name = TYPE_SD_CARD,
2176 .parent = TYPE_DEVICE,
2177 .instance_size = sizeof(SDState),
2178 .class_size = sizeof(SDCardClass),
2179 .class_init = sd_class_init,
2180 .instance_init = sd_instance_init,
2181 .instance_finalize = sd_instance_finalize,
2182 };
2183
2184 static void sd_register_types(void)
2185 {
2186 type_register_static(&sd_info);
2187 }
2188
2189 type_init(sd_register_types)
AR7 emulation for QEMU