search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd/sdcard: Update coding style to make checkpatch.pl happy
[qemu/ar7.git] / hw / sd / sd.c
blobf4f76f8fd291bd8955d69fb8c0437204e42929f3
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "migration/vmstate.h"
41 #include "qapi/error.h"
42 #include "qemu/bitmap.h"
43 #include "hw/qdev-properties.h"
44 #include "qemu/error-report.h"
45 #include "qemu/timer.h"
46 #include "qemu/log.h"
47 #include "qemu/module.h"
48 #include "sdmmc-internal.h"
49 #include "trace.h"
50
51 //#define DEBUG_SD 1
52
53 typedef enum {
54 sd_r0 = 0, /* no response */
55 sd_r1, /* normal response command */
56 sd_r2_i, /* CID register */
57 sd_r2_s, /* CSD register */
58 sd_r3, /* OCR register */
59 sd_r6 = 6, /* Published RCA response */
60 sd_r7, /* Operating voltage */
61 sd_r1b = -1,
62 sd_illegal = -2,
63 } sd_rsp_type_t;
64
65 enum SDCardModes {
66 sd_inactive,
67 sd_card_identification_mode,
68 sd_data_transfer_mode,
69 };
70
71 enum SDCardStates {
72 sd_inactive_state = -1,
73 sd_idle_state = 0,
74 sd_ready_state,
75 sd_identification_state,
76 sd_standby_state,
77 sd_transfer_state,
78 sd_sendingdata_state,
79 sd_receivingdata_state,
80 sd_programming_state,
81 sd_disconnect_state,
82 };
83
84 struct SDState {
85 DeviceState parent_obj;
86
87 /* If true, created by sd_init() for a non-qdevified caller */
88 /* TODO purge them with fire */
89 bool me_no_qdev_me_kill_mammoth_with_rocks;
90
91 /* SD Memory Card Registers */
92 uint32_t ocr;
93 uint8_t scr[8];
94 uint8_t cid[16];
95 uint8_t csd[16];
96 uint16_t rca;
97 uint32_t card_status;
98 uint8_t sd_status[64];
99
100 /* Configurable properties */
101 uint8_t spec_version;
102 BlockBackend *blk;
103 bool spi;
104
105 uint32_t mode; /* current card mode, one of SDCardModes */
106 int32_t state; /* current card state, one of SDCardStates */
107 uint32_t vhs;
108 bool wp_switch;
109 unsigned long *wp_groups;
110 int32_t wpgrps_size;
111 uint64_t size;
112 uint32_t blk_len;
113 uint32_t multi_blk_cnt;
114 uint32_t erase_start;
115 uint32_t erase_end;
116 uint8_t pwd[16];
117 uint32_t pwd_len;
118 uint8_t function_group[6];
119 uint8_t current_cmd;
120 /* True if we will handle the next command as an ACMD. Note that this does
121 * *not* track the APP_CMD status bit!
122 */
123 bool expecting_acmd;
124 uint32_t blk_written;
125 uint64_t data_start;
126 uint32_t data_offset;
127 uint8_t data[512];
128 qemu_irq readonly_cb;
129 qemu_irq inserted_cb;
130 QEMUTimer *ocr_power_timer;
131 const char *proto_name;
132 bool enable;
133 uint8_t dat_lines;
134 bool cmd_line;
135 };
136
137 static void sd_realize(DeviceState *dev, Error **errp);
138
139 static const char *sd_state_name(enum SDCardStates state)
140 {
141 static const char *state_name[] = {
142 [sd_idle_state] = "idle",
143 [sd_ready_state] = "ready",
144 [sd_identification_state] = "identification",
145 [sd_standby_state] = "standby",
146 [sd_transfer_state] = "transfer",
147 [sd_sendingdata_state] = "sendingdata",
148 [sd_receivingdata_state] = "receivingdata",
149 [sd_programming_state] = "programming",
150 [sd_disconnect_state] = "disconnect",
151 };
152 if (state == sd_inactive_state) {
153 return "inactive";
154 }
155 assert(state < ARRAY_SIZE(state_name));
156 return state_name[state];
157 }
158
159 static const char *sd_response_name(sd_rsp_type_t rsp)
160 {
161 static const char *response_name[] = {
162 [sd_r0] = "RESP#0 (no response)",
163 [sd_r1] = "RESP#1 (normal cmd)",
164 [sd_r2_i] = "RESP#2 (CID reg)",
165 [sd_r2_s] = "RESP#2 (CSD reg)",
166 [sd_r3] = "RESP#3 (OCR reg)",
167 [sd_r6] = "RESP#6 (RCA)",
168 [sd_r7] = "RESP#7 (operating voltage)",
169 };
170 if (rsp == sd_illegal) {
171 return "ILLEGAL RESP";
172 }
173 if (rsp == sd_r1b) {
174 rsp = sd_r1;
175 }
176 assert(rsp < ARRAY_SIZE(response_name));
177 return response_name[rsp];
178 }
179
180 static uint8_t sd_get_dat_lines(SDState *sd)
181 {
182 return sd->enable ? sd->dat_lines : 0;
183 }
184
185 static bool sd_get_cmd_line(SDState *sd)
186 {
187 return sd->enable ? sd->cmd_line : false;
188 }
189
190 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
191 {
192 trace_sdcard_set_voltage(millivolts);
193
194 switch (millivolts) {
195 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
196 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
197 break;
198 default:
199 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
200 millivolts / 1000.f);
201 }
202 }
203
204 static void sd_set_mode(SDState *sd)
205 {
206 switch (sd->state) {
207 case sd_inactive_state:
208 sd->mode = sd_inactive;
209 break;
210
211 case sd_idle_state:
212 case sd_ready_state:
213 case sd_identification_state:
214 sd->mode = sd_card_identification_mode;
215 break;
216
217 case sd_standby_state:
218 case sd_transfer_state:
219 case sd_sendingdata_state:
220 case sd_receivingdata_state:
221 case sd_programming_state:
222 case sd_disconnect_state:
223 sd->mode = sd_data_transfer_mode;
224 break;
225 }
226 }
227
228 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
229 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
230 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
231 /* 16 */
232 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
233 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
234 /* 32 */
235 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
236 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
237 /* 48 */
238 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
239 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
240 };
241
242 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
243 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
244 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
245 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
246 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
247 };
248
249 static uint8_t sd_crc7(void *message, size_t width)
250 {
251 int i, bit;
252 uint8_t shift_reg = 0x00;
253 uint8_t *msg = (uint8_t *) message;
254
255 for (i = 0; i < width; i ++, msg ++)
256 for (bit = 7; bit >= 0; bit --) {
257 shift_reg <<= 1;
258 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
259 shift_reg ^= 0x89;
260 }
261
262 return shift_reg;
263 }
264
265 static uint16_t sd_crc16(void *message, size_t width)
266 {
267 int i, bit;
268 uint16_t shift_reg = 0x0000;
269 uint16_t *msg = (uint16_t *) message;
270 width <<= 1;
271
272 for (i = 0; i < width; i ++, msg ++)
273 for (bit = 15; bit >= 0; bit --) {
274 shift_reg <<= 1;
275 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
276 shift_reg ^= 0x1011;
277 }
278
279 return shift_reg;
280 }
281
282 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
283
284 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
285 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
286 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
287 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
288 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
289 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
290 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
291 FIELD(OCR, CARD_POWER_UP, 31, 1)
292
293 #define ACMD41_ENQUIRY_MASK 0x00ffffff
294 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
295 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
296 | R_OCR_UHS_II_CARD_MASK \
297 | R_OCR_CARD_CAPACITY_MASK \
298 | R_OCR_CARD_POWER_UP_MASK)
299
300 static void sd_set_ocr(SDState *sd)
301 {
302 /* All voltages OK */
303 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
304 }
305
306 static void sd_ocr_powerup(void *opaque)
307 {
308 SDState *sd = opaque;
309
310 trace_sdcard_powerup();
311 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
312
313 /* card power-up OK */
314 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
315
316 if (sd->size > 1 * GiB) {
317 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
318 }
319 }
320
321 static void sd_set_scr(SDState *sd)
322 {
323 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
324 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
325 sd->scr[0] |= 1; /* Spec Version 1.10 */
326 } else {
327 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
328 }
329 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
330 | 0b0101; /* 1-bit or 4-bit width bus modes */
331 sd->scr[2] = 0x00; /* Extended Security is not supported. */
332 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
333 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
334 }
335 sd->scr[3] = 0x00;
336 /* reserved for manufacturer usage */
337 sd->scr[4] = 0x00;
338 sd->scr[5] = 0x00;
339 sd->scr[6] = 0x00;
340 sd->scr[7] = 0x00;
341 }
342
343 #define MID 0xaa
344 #define OID "XY"
345 #define PNM "QEMU!"
346 #define PRV 0x01
347 #define MDT_YR 2006
348 #define MDT_MON 2
349
350 static void sd_set_cid(SDState *sd)
351 {
352 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
353 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
354 sd->cid[2] = OID[1];
355 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
356 sd->cid[4] = PNM[1];
357 sd->cid[5] = PNM[2];
358 sd->cid[6] = PNM[3];
359 sd->cid[7] = PNM[4];
360 sd->cid[8] = PRV; /* Fake product revision (PRV) */
361 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
362 sd->cid[10] = 0xad;
363 sd->cid[11] = 0xbe;
364 sd->cid[12] = 0xef;
365 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
366 ((MDT_YR - 2000) / 10);
367 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
368 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
369 }
370
371 #define HWBLOCK_SHIFT 9 /* 512 bytes */
372 #define SECTOR_SHIFT 5 /* 16 kilobytes */
373 #define WPGROUP_SHIFT 7 /* 2 megs */
374 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
375 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
376
377 static const uint8_t sd_csd_rw_mask[16] = {
378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
379 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
380 };
381
382 static void sd_set_csd(SDState *sd, uint64_t size)
383 {
384 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
385 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
386 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
387
388 if (size <= 1 * GiB) { /* Standard Capacity SD */
389 sd->csd[0] = 0x00; /* CSD structure */
390 sd->csd[1] = 0x26; /* Data read access-time-1 */
391 sd->csd[2] = 0x00; /* Data read access-time-2 */
392 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
393 sd->csd[4] = 0x5f; /* Card Command Classes */
394 sd->csd[5] = 0x50 | /* Max. read data block length */
395 HWBLOCK_SHIFT;
396 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
397 ((csize >> 10) & 0x03);
398 sd->csd[7] = 0x00 | /* Device size */
399 ((csize >> 2) & 0xff);
400 sd->csd[8] = 0x3f | /* Max. read current */
401 ((csize << 6) & 0xc0);
402 sd->csd[9] = 0xfc | /* Max. write current */
403 ((CMULT_SHIFT - 2) >> 1);
404 sd->csd[10] = 0x40 | /* Erase sector size */
405 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
406 sd->csd[11] = 0x00 | /* Write protect group size */
407 ((sectsize << 7) & 0x80) | wpsize;
408 sd->csd[12] = 0x90 | /* Write speed factor */
409 (HWBLOCK_SHIFT >> 2);
410 sd->csd[13] = 0x20 | /* Max. write data block length */
411 ((HWBLOCK_SHIFT << 6) & 0xc0);
412 sd->csd[14] = 0x00; /* File format group */
413 } else { /* SDHC */
414 size /= 512 * KiB;
415 size -= 1;
416 sd->csd[0] = 0x40;
417 sd->csd[1] = 0x0e;
418 sd->csd[2] = 0x00;
419 sd->csd[3] = 0x32;
420 sd->csd[4] = 0x5b;
421 sd->csd[5] = 0x59;
422 sd->csd[6] = 0x00;
423 sd->csd[7] = (size >> 16) & 0xff;
424 sd->csd[8] = (size >> 8) & 0xff;
425 sd->csd[9] = (size & 0xff);
426 sd->csd[10] = 0x7f;
427 sd->csd[11] = 0x80;
428 sd->csd[12] = 0x0a;
429 sd->csd[13] = 0x40;
430 sd->csd[14] = 0x00;
431 }
432 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
433 }
434
435 static void sd_set_rca(SDState *sd)
436 {
437 sd->rca += 0x4567;
438 }
439
440 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
441 FIELD(CSR, APP_CMD, 5, 1)
442 FIELD(CSR, FX_EVENT, 6, 1)
443 FIELD(CSR, READY_FOR_DATA, 8, 1)
444 FIELD(CSR, CURRENT_STATE, 9, 4)
445 FIELD(CSR, ERASE_RESET, 13, 1)
446 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
447 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
448 FIELD(CSR, CSD_OVERWRITE, 16, 1)
449 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
450 FIELD(CSR, ERROR, 19, 1)
451 FIELD(CSR, CC_ERROR, 20, 1)
452 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
453 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
454 FIELD(CSR, COM_CRC_ERROR, 23, 1)
455 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
456 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
457 FIELD(CSR, WP_VIOLATION, 26, 1)
458 FIELD(CSR, ERASE_PARAM, 27, 1)
459 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
460 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
461 FIELD(CSR, ADDRESS_ERROR, 30, 1)
462 FIELD(CSR, OUT_OF_RANGE, 31, 1)
463
464 /* Card status bits, split by clear condition:
465 * A : According to the card current state
466 * B : Always related to the previous command
467 * C : Cleared by read
468 */
469 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
470 | R_CSR_CARD_ECC_DISABLED_MASK \
471 | R_CSR_CARD_IS_LOCKED_MASK)
472 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
473 | R_CSR_ILLEGAL_COMMAND_MASK \
474 | R_CSR_COM_CRC_ERROR_MASK)
475 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
476 | R_CSR_APP_CMD_MASK \
477 | R_CSR_ERASE_RESET_MASK \
478 | R_CSR_WP_ERASE_SKIP_MASK \
479 | R_CSR_CSD_OVERWRITE_MASK \
480 | R_CSR_ERROR_MASK \
481 | R_CSR_CC_ERROR_MASK \
482 | R_CSR_CARD_ECC_FAILED_MASK \
483 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
484 | R_CSR_WP_VIOLATION_MASK \
485 | R_CSR_ERASE_PARAM_MASK \
486 | R_CSR_ERASE_SEQ_ERROR_MASK \
487 | R_CSR_BLOCK_LEN_ERROR_MASK \
488 | R_CSR_ADDRESS_ERROR_MASK \
489 | R_CSR_OUT_OF_RANGE_MASK)
490
491 static void sd_set_cardstatus(SDState *sd)
492 {
493 sd->card_status = 0x00000100;
494 }
495
496 static void sd_set_sdstatus(SDState *sd)
497 {
498 memset(sd->sd_status, 0, 64);
499 }
500
501 static int sd_req_crc_validate(SDRequest *req)
502 {
503 uint8_t buffer[5];
504 buffer[0] = 0x40 | req->cmd;
505 stl_be_p(&buffer[1], req->arg);
506 return 0;
507 return sd_crc7(buffer, 5) != req->crc; /* TODO */
508 }
509
510 static void sd_response_r1_make(SDState *sd, uint8_t *response)
511 {
512 stl_be_p(response, sd->card_status);
513
514 /* Clear the "clear on read" status bits */
515 sd->card_status &= ~CARD_STATUS_C;
516 }
517
518 static void sd_response_r3_make(SDState *sd, uint8_t *response)
519 {
520 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
521 }
522
523 static void sd_response_r6_make(SDState *sd, uint8_t *response)
524 {
525 uint16_t status;
526
527 status = ((sd->card_status >> 8) & 0xc000) |
528 ((sd->card_status >> 6) & 0x2000) |
529 (sd->card_status & 0x1fff);
530 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
531 stw_be_p(response + 0, sd->rca);
532 stw_be_p(response + 2, status);
533 }
534
535 static void sd_response_r7_make(SDState *sd, uint8_t *response)
536 {
537 stl_be_p(response, sd->vhs);
538 }
539
540 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
541 {
542 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
543 }
544
545 static void sd_reset(DeviceState *dev)
546 {
547 SDState *sd = SD_CARD(dev);
548 uint64_t size;
549 uint64_t sect;
550
551 trace_sdcard_reset();
552 if (sd->blk) {
553 blk_get_geometry(sd->blk, &sect);
554 } else {
555 sect = 0;
556 }
557 size = sect << 9;
558
559 sect = sd_addr_to_wpnum(size) + 1;
560
561 sd->state = sd_idle_state;
562 sd->rca = 0x0000;
563 sd_set_ocr(sd);
564 sd_set_scr(sd);
565 sd_set_cid(sd);
566 sd_set_csd(sd, size);
567 sd_set_cardstatus(sd);
568 sd_set_sdstatus(sd);
569
570 g_free(sd->wp_groups);
571 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
572 sd->wpgrps_size = sect;
573 sd->wp_groups = bitmap_new(sd->wpgrps_size);
574 memset(sd->function_group, 0, sizeof(sd->function_group));
575 sd->erase_start = 0;
576 sd->erase_end = 0;
577 sd->size = size;
578 sd->blk_len = 0x200;
579 sd->pwd_len = 0;
580 sd->expecting_acmd = false;
581 sd->dat_lines = 0xf;
582 sd->cmd_line = true;
583 sd->multi_blk_cnt = 0;
584 }
585
586 static bool sd_get_inserted(SDState *sd)
587 {
588 return sd->blk && blk_is_inserted(sd->blk);
589 }
590
591 static bool sd_get_readonly(SDState *sd)
592 {
593 return sd->wp_switch;
594 }
595
596 static void sd_cardchange(void *opaque, bool load, Error **errp)
597 {
598 SDState *sd = opaque;
599 DeviceState *dev = DEVICE(sd);
600 SDBus *sdbus;
601 bool inserted = sd_get_inserted(sd);
602 bool readonly = sd_get_readonly(sd);
603
604 if (inserted) {
605 trace_sdcard_inserted(readonly);
606 sd_reset(dev);
607 } else {
608 trace_sdcard_ejected();
609 }
610
611 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
612 qemu_set_irq(sd->inserted_cb, inserted);
613 if (inserted) {
614 qemu_set_irq(sd->readonly_cb, readonly);
615 }
616 } else {
617 sdbus = SD_BUS(qdev_get_parent_bus(dev));
618 sdbus_set_inserted(sdbus, inserted);
619 if (inserted) {
620 sdbus_set_readonly(sdbus, readonly);
621 }
622 }
623 }
624
625 static const BlockDevOps sd_block_ops = {
626 .change_media_cb = sd_cardchange,
627 };
628
629 static bool sd_ocr_vmstate_needed(void *opaque)
630 {
631 SDState *sd = opaque;
632
633 /* Include the OCR state (and timer) if it is not yet powered up */
634 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
635 }
636
637 static const VMStateDescription sd_ocr_vmstate = {
638 .name = "sd-card/ocr-state",
639 .version_id = 1,
640 .minimum_version_id = 1,
641 .needed = sd_ocr_vmstate_needed,
642 .fields = (VMStateField[]) {
643 VMSTATE_UINT32(ocr, SDState),
644 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
645 VMSTATE_END_OF_LIST()
646 },
647 };
648
649 static int sd_vmstate_pre_load(void *opaque)
650 {
651 SDState *sd = opaque;
652
653 /* If the OCR state is not included (prior versions, or not
654 * needed), then the OCR must be set as powered up. If the OCR state
655 * is included, this will be replaced by the state restore.
656 */
657 sd_ocr_powerup(sd);
658
659 return 0;
660 }
661
662 static const VMStateDescription sd_vmstate = {
663 .name = "sd-card",
664 .version_id = 1,
665 .minimum_version_id = 1,
666 .pre_load = sd_vmstate_pre_load,
667 .fields = (VMStateField[]) {
668 VMSTATE_UINT32(mode, SDState),
669 VMSTATE_INT32(state, SDState),
670 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
671 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
672 VMSTATE_UINT16(rca, SDState),
673 VMSTATE_UINT32(card_status, SDState),
674 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
675 VMSTATE_UINT32(vhs, SDState),
676 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
677 VMSTATE_UINT32(blk_len, SDState),
678 VMSTATE_UINT32(multi_blk_cnt, SDState),
679 VMSTATE_UINT32(erase_start, SDState),
680 VMSTATE_UINT32(erase_end, SDState),
681 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
682 VMSTATE_UINT32(pwd_len, SDState),
683 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
684 VMSTATE_UINT8(current_cmd, SDState),
685 VMSTATE_BOOL(expecting_acmd, SDState),
686 VMSTATE_UINT32(blk_written, SDState),
687 VMSTATE_UINT64(data_start, SDState),
688 VMSTATE_UINT32(data_offset, SDState),
689 VMSTATE_UINT8_ARRAY(data, SDState, 512),
690 VMSTATE_UNUSED_V(1, 512),
691 VMSTATE_BOOL(enable, SDState),
692 VMSTATE_END_OF_LIST()
693 },
694 .subsections = (const VMStateDescription*[]) {
695 &sd_ocr_vmstate,
696 NULL
697 },
698 };
699
700 /* Legacy initialization function for use by non-qdevified callers */
701 SDState *sd_init(BlockBackend *blk, bool is_spi)
702 {
703 Object *obj;
704 DeviceState *dev;
705 SDState *sd;
706 Error *err = NULL;
707
708 obj = object_new(TYPE_SD_CARD);
709 dev = DEVICE(obj);
710 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
711 error_reportf_err(err, "sd_init failed: ");
712 return NULL;
713 }
714 qdev_prop_set_bit(dev, "spi", is_spi);
715
716 /*
717 * Realizing the device properly would put it into the QOM
718 * composition tree even though it is not plugged into an
719 * appropriate bus. That's a no-no. Hide the device from
720 * QOM/qdev, and call its qdev realize callback directly.
721 */
722 object_ref(obj);
723 object_unparent(obj);
724 sd_realize(dev, &err);
725 if (err) {
726 error_reportf_err(err, "sd_init failed: ");
727 return NULL;
728 }
729
730 sd = SD_CARD(dev);
731 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
732 return sd;
733 }
734
735 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
736 {
737 sd->readonly_cb = readonly;
738 sd->inserted_cb = insert;
739 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
740 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
741 }
742
743 static void sd_erase(SDState *sd)
744 {
745 int i;
746 uint64_t erase_start = sd->erase_start;
747 uint64_t erase_end = sd->erase_end;
748
749 trace_sdcard_erase();
750 if (!sd->erase_start || !sd->erase_end) {
751 sd->card_status |= ERASE_SEQ_ERROR;
752 return;
753 }
754
755 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
756 /* High capacity memory card: erase units are 512 byte blocks */
757 erase_start *= 512;
758 erase_end *= 512;
759 }
760
761 erase_start = sd_addr_to_wpnum(erase_start);
762 erase_end = sd_addr_to_wpnum(erase_end);
763 sd->erase_start = 0;
764 sd->erase_end = 0;
765 sd->csd[14] |= 0x40;
766
767 for (i = erase_start; i <= erase_end; i++) {
768 if (test_bit(i, sd->wp_groups)) {
769 sd->card_status |= WP_ERASE_SKIP;
770 }
771 }
772 }
773
774 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
775 {
776 uint32_t i, wpnum;
777 uint32_t ret = 0;
778
779 wpnum = sd_addr_to_wpnum(addr);
780
781 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
782 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
783 ret |= (1 << i);
784 }
785 }
786
787 return ret;
788 }
789
790 static void sd_function_switch(SDState *sd, uint32_t arg)
791 {
792 int i, mode, new_func;
793 mode = !!(arg & 0x80000000);
794
795 sd->data[0] = 0x00; /* Maximum current consumption */
796 sd->data[1] = 0x01;
797 sd->data[2] = 0x80; /* Supported group 6 functions */
798 sd->data[3] = 0x01;
799 sd->data[4] = 0x80; /* Supported group 5 functions */
800 sd->data[5] = 0x01;
801 sd->data[6] = 0x80; /* Supported group 4 functions */
802 sd->data[7] = 0x01;
803 sd->data[8] = 0x80; /* Supported group 3 functions */
804 sd->data[9] = 0x01;
805 sd->data[10] = 0x80; /* Supported group 2 functions */
806 sd->data[11] = 0x43;
807 sd->data[12] = 0x80; /* Supported group 1 functions */
808 sd->data[13] = 0x03;
809 for (i = 0; i < 6; i ++) {
810 new_func = (arg >> (i * 4)) & 0x0f;
811 if (mode && new_func != 0x0f)
812 sd->function_group[i] = new_func;
813 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
814 }
815 memset(&sd->data[17], 0, 47);
816 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
817 }
818
819 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
820 {
821 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
822 }
823
824 static void sd_lock_command(SDState *sd)
825 {
826 int erase, lock, clr_pwd, set_pwd, pwd_len;
827 erase = !!(sd->data[0] & 0x08);
828 lock = sd->data[0] & 0x04;
829 clr_pwd = sd->data[0] & 0x02;
830 set_pwd = sd->data[0] & 0x01;
831
832 if (sd->blk_len > 1)
833 pwd_len = sd->data[1];
834 else
835 pwd_len = 0;
836
837 if (lock) {
838 trace_sdcard_lock();
839 } else {
840 trace_sdcard_unlock();
841 }
842 if (erase) {
843 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
844 set_pwd || clr_pwd || lock || sd->wp_switch ||
845 (sd->csd[14] & 0x20)) {
846 sd->card_status |= LOCK_UNLOCK_FAILED;
847 return;
848 }
849 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
850 sd->csd[14] &= ~0x10;
851 sd->card_status &= ~CARD_IS_LOCKED;
852 sd->pwd_len = 0;
853 /* Erasing the entire card here! */
854 fprintf(stderr, "SD: Card force-erased by CMD42\n");
855 return;
856 }
857
858 if (sd->blk_len < 2 + pwd_len ||
859 pwd_len <= sd->pwd_len ||
860 pwd_len > sd->pwd_len + 16) {
861 sd->card_status |= LOCK_UNLOCK_FAILED;
862 return;
863 }
864
865 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
866 sd->card_status |= LOCK_UNLOCK_FAILED;
867 return;
868 }
869
870 pwd_len -= sd->pwd_len;
871 if ((pwd_len && !set_pwd) ||
872 (clr_pwd && (set_pwd || lock)) ||
873 (lock && !sd->pwd_len && !set_pwd) ||
874 (!set_pwd && !clr_pwd &&
875 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
876 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
877 sd->card_status |= LOCK_UNLOCK_FAILED;
878 return;
879 }
880
881 if (set_pwd) {
882 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
883 sd->pwd_len = pwd_len;
884 }
885
886 if (clr_pwd) {
887 sd->pwd_len = 0;
888 }
889
890 if (lock)
891 sd->card_status |= CARD_IS_LOCKED;
892 else
893 sd->card_status &= ~CARD_IS_LOCKED;
894 }
895
896 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
897 {
898 uint32_t rca = 0x0000;
899 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
900
901 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
902 * However there is no ACMD55, so we want to trace this particular case.
903 */
904 if (req.cmd != 55 || sd->expecting_acmd) {
905 trace_sdcard_normal_command(sd->proto_name,
906 sd_cmd_name(req.cmd), req.cmd,
907 req.arg, sd_state_name(sd->state));
908 }
909
910 /* Not interpreting this as an app command */
911 sd->card_status &= ~APP_CMD;
912
913 if (sd_cmd_type[req.cmd] == sd_ac
914 || sd_cmd_type[req.cmd] == sd_adtc) {
915 rca = req.arg >> 16;
916 }
917
918 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
919 * if not, its effects are cancelled */
920 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
921 sd->multi_blk_cnt = 0;
922 }
923
924 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
925 /* Only Standard Capacity cards support class 6 commands */
926 return sd_illegal;
927 }
928
929 switch (req.cmd) {
930 /* Basic commands (Class 0 and Class 1) */
931 case 0: /* CMD0: GO_IDLE_STATE */
932 switch (sd->state) {
933 case sd_inactive_state:
934 return sd->spi ? sd_r1 : sd_r0;
935
936 default:
937 sd->state = sd_idle_state;
938 sd_reset(DEVICE(sd));
939 return sd->spi ? sd_r1 : sd_r0;
940 }
941 break;
942
943 case 1: /* CMD1: SEND_OP_CMD */
944 if (!sd->spi)
945 goto bad_cmd;
946
947 sd->state = sd_transfer_state;
948 return sd_r1;
949
950 case 2: /* CMD2: ALL_SEND_CID */
951 if (sd->spi)
952 goto bad_cmd;
953 switch (sd->state) {
954 case sd_ready_state:
955 sd->state = sd_identification_state;
956 return sd_r2_i;
957
958 default:
959 break;
960 }
961 break;
962
963 case 3: /* CMD3: SEND_RELATIVE_ADDR */
964 if (sd->spi)
965 goto bad_cmd;
966 switch (sd->state) {
967 case sd_identification_state:
968 case sd_standby_state:
969 sd->state = sd_standby_state;
970 sd_set_rca(sd);
971 return sd_r6;
972
973 default:
974 break;
975 }
976 break;
977
978 case 4: /* CMD4: SEND_DSR */
979 if (sd->spi)
980 goto bad_cmd;
981 switch (sd->state) {
982 case sd_standby_state:
983 break;
984
985 default:
986 break;
987 }
988 break;
989
990 case 5: /* CMD5: reserved for SDIO cards */
991 return sd_illegal;
992
993 case 6: /* CMD6: SWITCH_FUNCTION */
994 switch (sd->mode) {
995 case sd_data_transfer_mode:
996 sd_function_switch(sd, req.arg);
997 sd->state = sd_sendingdata_state;
998 sd->data_start = 0;
999 sd->data_offset = 0;
1000 return sd_r1;
1001
1002 default:
1003 break;
1004 }
1005 break;
1006
1007 case 7: /* CMD7: SELECT/DESELECT_CARD */
1008 if (sd->spi)
1009 goto bad_cmd;
1010 switch (sd->state) {
1011 case sd_standby_state:
1012 if (sd->rca != rca)
1013 return sd_r0;
1014
1015 sd->state = sd_transfer_state;
1016 return sd_r1b;
1017
1018 case sd_transfer_state:
1019 case sd_sendingdata_state:
1020 if (sd->rca == rca)
1021 break;
1022
1023 sd->state = sd_standby_state;
1024 return sd_r1b;
1025
1026 case sd_disconnect_state:
1027 if (sd->rca != rca)
1028 return sd_r0;
1029
1030 sd->state = sd_programming_state;
1031 return sd_r1b;
1032
1033 case sd_programming_state:
1034 if (sd->rca == rca)
1035 break;
1036
1037 sd->state = sd_disconnect_state;
1038 return sd_r1b;
1039
1040 default:
1041 break;
1042 }
1043 break;
1044
1045 case 8: /* CMD8: SEND_IF_COND */
1046 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1047 break;
1048 }
1049 if (sd->state != sd_idle_state) {
1050 break;
1051 }
1052 sd->vhs = 0;
1053
1054 /* No response if not exactly one VHS bit is set. */
1055 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1056 return sd->spi ? sd_r7 : sd_r0;
1057 }
1058
1059 /* Accept. */
1060 sd->vhs = req.arg;
1061 return sd_r7;
1062
1063 case 9: /* CMD9: SEND_CSD */
1064 switch (sd->state) {
1065 case sd_standby_state:
1066 if (sd->rca != rca)
1067 return sd_r0;
1068
1069 return sd_r2_s;
1070
1071 case sd_transfer_state:
1072 if (!sd->spi)
1073 break;
1074 sd->state = sd_sendingdata_state;
1075 memcpy(sd->data, sd->csd, 16);
1076 sd->data_start = addr;
1077 sd->data_offset = 0;
1078 return sd_r1;
1079
1080 default:
1081 break;
1082 }
1083 break;
1084
1085 case 10: /* CMD10: SEND_CID */
1086 switch (sd->state) {
1087 case sd_standby_state:
1088 if (sd->rca != rca)
1089 return sd_r0;
1090
1091 return sd_r2_i;
1092
1093 case sd_transfer_state:
1094 if (!sd->spi)
1095 break;
1096 sd->state = sd_sendingdata_state;
1097 memcpy(sd->data, sd->cid, 16);
1098 sd->data_start = addr;
1099 sd->data_offset = 0;
1100 return sd_r1;
1101
1102 default:
1103 break;
1104 }
1105 break;
1106
1107 case 12: /* CMD12: STOP_TRANSMISSION */
1108 switch (sd->state) {
1109 case sd_sendingdata_state:
1110 sd->state = sd_transfer_state;
1111 return sd_r1b;
1112
1113 case sd_receivingdata_state:
1114 sd->state = sd_programming_state;
1115 /* Bzzzzzzztt .... Operation complete. */
1116 sd->state = sd_transfer_state;
1117 return sd_r1b;
1118
1119 default:
1120 break;
1121 }
1122 break;
1123
1124 case 13: /* CMD13: SEND_STATUS */
1125 switch (sd->mode) {
1126 case sd_data_transfer_mode:
1127 if (sd->rca != rca)
1128 return sd_r0;
1129
1130 return sd_r1;
1131
1132 default:
1133 break;
1134 }
1135 break;
1136
1137 case 15: /* CMD15: GO_INACTIVE_STATE */
1138 if (sd->spi)
1139 goto bad_cmd;
1140 switch (sd->mode) {
1141 case sd_data_transfer_mode:
1142 if (sd->rca != rca)
1143 return sd_r0;
1144
1145 sd->state = sd_inactive_state;
1146 return sd_r0;
1147
1148 default:
1149 break;
1150 }
1151 break;
1152
1153 /* Block read commands (Classs 2) */
1154 case 16: /* CMD16: SET_BLOCKLEN */
1155 switch (sd->state) {
1156 case sd_transfer_state:
1157 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1158 sd->card_status |= BLOCK_LEN_ERROR;
1159 } else {
1160 trace_sdcard_set_blocklen(req.arg);
1161 sd->blk_len = req.arg;
1162 }
1163
1164 return sd_r1;
1165
1166 default:
1167 break;
1168 }
1169 break;
1170
1171 case 17: /* CMD17: READ_SINGLE_BLOCK */
1172 switch (sd->state) {
1173 case sd_transfer_state:
1174 sd->state = sd_sendingdata_state;
1175 sd->data_start = addr;
1176 sd->data_offset = 0;
1177
1178 if (sd->data_start + sd->blk_len > sd->size) {
1179 sd->card_status |= ADDRESS_ERROR;
1180 }
1181 return sd_r1;
1182
1183 default:
1184 break;
1185 }
1186 break;
1187
1188 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1189 switch (sd->state) {
1190 case sd_transfer_state:
1191 sd->state = sd_sendingdata_state;
1192 sd->data_start = addr;
1193 sd->data_offset = 0;
1194
1195 if (sd->data_start + sd->blk_len > sd->size) {
1196 sd->card_status |= ADDRESS_ERROR;
1197 }
1198 return sd_r1;
1199
1200 default:
1201 break;
1202 }
1203 break;
1204
1205 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1206 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1207 break;
1208 }
1209 if (sd->state == sd_transfer_state) {
1210 sd->state = sd_sendingdata_state;
1211 sd->data_offset = 0;
1212 return sd_r1;
1213 }
1214 break;
1215
1216 case 23: /* CMD23: SET_BLOCK_COUNT */
1217 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1218 break;
1219 }
1220 switch (sd->state) {
1221 case sd_transfer_state:
1222 sd->multi_blk_cnt = req.arg;
1223 return sd_r1;
1224
1225 default:
1226 break;
1227 }
1228 break;
1229
1230 /* Block write commands (Class 4) */
1231 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1232 switch (sd->state) {
1233 case sd_transfer_state:
1234 /* Writing in SPI mode not implemented. */
1235 if (sd->spi)
1236 break;
1237 sd->state = sd_receivingdata_state;
1238 sd->data_start = addr;
1239 sd->data_offset = 0;
1240 sd->blk_written = 0;
1241
1242 if (sd->data_start + sd->blk_len > sd->size) {
1243 sd->card_status |= ADDRESS_ERROR;
1244 }
1245 if (sd_wp_addr(sd, sd->data_start)) {
1246 sd->card_status |= WP_VIOLATION;
1247 }
1248 if (sd->csd[14] & 0x30) {
1249 sd->card_status |= WP_VIOLATION;
1250 }
1251 return sd_r1;
1252
1253 default:
1254 break;
1255 }
1256 break;
1257
1258 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1259 switch (sd->state) {
1260 case sd_transfer_state:
1261 /* Writing in SPI mode not implemented. */
1262 if (sd->spi)
1263 break;
1264 sd->state = sd_receivingdata_state;
1265 sd->data_start = addr;
1266 sd->data_offset = 0;
1267 sd->blk_written = 0;
1268
1269 if (sd->data_start + sd->blk_len > sd->size) {
1270 sd->card_status |= ADDRESS_ERROR;
1271 }
1272 if (sd_wp_addr(sd, sd->data_start)) {
1273 sd->card_status |= WP_VIOLATION;
1274 }
1275 if (sd->csd[14] & 0x30) {
1276 sd->card_status |= WP_VIOLATION;
1277 }
1278 return sd_r1;
1279
1280 default:
1281 break;
1282 }
1283 break;
1284
1285 case 26: /* CMD26: PROGRAM_CID */
1286 if (sd->spi)
1287 goto bad_cmd;
1288 switch (sd->state) {
1289 case sd_transfer_state:
1290 sd->state = sd_receivingdata_state;
1291 sd->data_start = 0;
1292 sd->data_offset = 0;
1293 return sd_r1;
1294
1295 default:
1296 break;
1297 }
1298 break;
1299
1300 case 27: /* CMD27: PROGRAM_CSD */
1301 switch (sd->state) {
1302 case sd_transfer_state:
1303 sd->state = sd_receivingdata_state;
1304 sd->data_start = 0;
1305 sd->data_offset = 0;
1306 return sd_r1;
1307
1308 default:
1309 break;
1310 }
1311 break;
1312
1313 /* Write protection (Class 6) */
1314 case 28: /* CMD28: SET_WRITE_PROT */
1315 switch (sd->state) {
1316 case sd_transfer_state:
1317 if (addr >= sd->size) {
1318 sd->card_status |= ADDRESS_ERROR;
1319 return sd_r1b;
1320 }
1321
1322 sd->state = sd_programming_state;
1323 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1324 /* Bzzzzzzztt .... Operation complete. */
1325 sd->state = sd_transfer_state;
1326 return sd_r1b;
1327
1328 default:
1329 break;
1330 }
1331 break;
1332
1333 case 29: /* CMD29: CLR_WRITE_PROT */
1334 switch (sd->state) {
1335 case sd_transfer_state:
1336 if (addr >= sd->size) {
1337 sd->card_status |= ADDRESS_ERROR;
1338 return sd_r1b;
1339 }
1340
1341 sd->state = sd_programming_state;
1342 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1343 /* Bzzzzzzztt .... Operation complete. */
1344 sd->state = sd_transfer_state;
1345 return sd_r1b;
1346
1347 default:
1348 break;
1349 }
1350 break;
1351
1352 case 30: /* CMD30: SEND_WRITE_PROT */
1353 switch (sd->state) {
1354 case sd_transfer_state:
1355 sd->state = sd_sendingdata_state;
1356 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1357 sd->data_start = addr;
1358 sd->data_offset = 0;
1359 return sd_r1b;
1360
1361 default:
1362 break;
1363 }
1364 break;
1365
1366 /* Erase commands (Class 5) */
1367 case 32: /* CMD32: ERASE_WR_BLK_START */
1368 switch (sd->state) {
1369 case sd_transfer_state:
1370 sd->erase_start = req.arg;
1371 return sd_r1;
1372
1373 default:
1374 break;
1375 }
1376 break;
1377
1378 case 33: /* CMD33: ERASE_WR_BLK_END */
1379 switch (sd->state) {
1380 case sd_transfer_state:
1381 sd->erase_end = req.arg;
1382 return sd_r1;
1383
1384 default:
1385 break;
1386 }
1387 break;
1388
1389 case 38: /* CMD38: ERASE */
1390 switch (sd->state) {
1391 case sd_transfer_state:
1392 if (sd->csd[14] & 0x30) {
1393 sd->card_status |= WP_VIOLATION;
1394 return sd_r1b;
1395 }
1396
1397 sd->state = sd_programming_state;
1398 sd_erase(sd);
1399 /* Bzzzzzzztt .... Operation complete. */
1400 sd->state = sd_transfer_state;
1401 return sd_r1b;
1402
1403 default:
1404 break;
1405 }
1406 break;
1407
1408 /* Lock card commands (Class 7) */
1409 case 42: /* CMD42: LOCK_UNLOCK */
1410 switch (sd->state) {
1411 case sd_transfer_state:
1412 sd->state = sd_receivingdata_state;
1413 sd->data_start = 0;
1414 sd->data_offset = 0;
1415 return sd_r1;
1416
1417 default:
1418 break;
1419 }
1420 break;
1421
1422 case 52 ... 54:
1423 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1424 * (see the SDIO Simplified Specification V2.0)
1425 * Handle as illegal command but do not complain
1426 * on stderr, as some OSes may use these in their
1427 * probing for presence of an SDIO card.
1428 */
1429 return sd_illegal;
1430
1431 /* Application specific commands (Class 8) */
1432 case 55: /* CMD55: APP_CMD */
1433 switch (sd->state) {
1434 case sd_ready_state:
1435 case sd_identification_state:
1436 case sd_inactive_state:
1437 return sd_illegal;
1438 case sd_idle_state:
1439 if (rca) {
1440 qemu_log_mask(LOG_GUEST_ERROR,
1441 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1442 }
1443 default:
1444 break;
1445 }
1446 if (!sd->spi) {
1447 if (sd->rca != rca) {
1448 return sd_r0;
1449 }
1450 }
1451 sd->expecting_acmd = true;
1452 sd->card_status |= APP_CMD;
1453 return sd_r1;
1454
1455 case 56: /* CMD56: GEN_CMD */
1456 switch (sd->state) {
1457 case sd_transfer_state:
1458 sd->data_offset = 0;
1459 if (req.arg & 1)
1460 sd->state = sd_sendingdata_state;
1461 else
1462 sd->state = sd_receivingdata_state;
1463 return sd_r1;
1464
1465 default:
1466 break;
1467 }
1468 break;
1469
1470 case 58: /* CMD58: READ_OCR (SPI) */
1471 if (!sd->spi) {
1472 goto bad_cmd;
1473 }
1474 return sd_r3;
1475
1476 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1477 if (!sd->spi) {
1478 goto bad_cmd;
1479 }
1480 goto unimplemented_spi_cmd;
1481
1482 default:
1483 bad_cmd:
1484 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1485 return sd_illegal;
1486
1487 unimplemented_spi_cmd:
1488 /* Commands that are recognised but not yet implemented in SPI mode. */
1489 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1490 req.cmd);
1491 return sd_illegal;
1492 }
1493
1494 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1495 return sd_illegal;
1496 }
1497
1498 static sd_rsp_type_t sd_app_command(SDState *sd,
1499 SDRequest req)
1500 {
1501 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1502 req.cmd, req.arg, sd_state_name(sd->state));
1503 sd->card_status |= APP_CMD;
1504 switch (req.cmd) {
1505 case 6: /* ACMD6: SET_BUS_WIDTH */
1506 if (sd->spi) {
1507 goto unimplemented_spi_cmd;
1508 }
1509 switch (sd->state) {
1510 case sd_transfer_state:
1511 sd->sd_status[0] &= 0x3f;
1512 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1513 return sd_r1;
1514
1515 default:
1516 break;
1517 }
1518 break;
1519
1520 case 13: /* ACMD13: SD_STATUS */
1521 switch (sd->state) {
1522 case sd_transfer_state:
1523 sd->state = sd_sendingdata_state;
1524 sd->data_start = 0;
1525 sd->data_offset = 0;
1526 return sd_r1;
1527
1528 default:
1529 break;
1530 }
1531 break;
1532
1533 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1534 switch (sd->state) {
1535 case sd_transfer_state:
1536 *(uint32_t *) sd->data = sd->blk_written;
1537
1538 sd->state = sd_sendingdata_state;
1539 sd->data_start = 0;
1540 sd->data_offset = 0;
1541 return sd_r1;
1542
1543 default:
1544 break;
1545 }
1546 break;
1547
1548 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1549 switch (sd->state) {
1550 case sd_transfer_state:
1551 return sd_r1;
1552
1553 default:
1554 break;
1555 }
1556 break;
1557
1558 case 41: /* ACMD41: SD_APP_OP_COND */
1559 if (sd->spi) {
1560 /* SEND_OP_CMD */
1561 sd->state = sd_transfer_state;
1562 return sd_r1;
1563 }
1564 if (sd->state != sd_idle_state) {
1565 break;
1566 }
1567 /* If it's the first ACMD41 since reset, we need to decide
1568 * whether to power up. If this is not an enquiry ACMD41,
1569 * we immediately report power on and proceed below to the
1570 * ready state, but if it is, we set a timer to model a
1571 * delay for power up. This works around a bug in EDK2
1572 * UEFI, which sends an initial enquiry ACMD41, but
1573 * assumes that the card is in ready state as soon as it
1574 * sees the power up bit set. */
1575 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1576 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1577 timer_del(sd->ocr_power_timer);
1578 sd_ocr_powerup(sd);
1579 } else {
1580 trace_sdcard_inquiry_cmd41();
1581 if (!timer_pending(sd->ocr_power_timer)) {
1582 timer_mod_ns(sd->ocr_power_timer,
1583 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1584 + OCR_POWER_DELAY_NS));
1585 }
1586 }
1587 }
1588
1589 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1590 /* We accept any voltage. 10000 V is nothing.
1591 *
1592 * Once we're powered up, we advance straight to ready state
1593 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1594 */
1595 sd->state = sd_ready_state;
1596 }
1597
1598 return sd_r3;
1599
1600 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1601 switch (sd->state) {
1602 case sd_transfer_state:
1603 /* Bringing in the 50KOhm pull-up resistor... Done. */
1604 return sd_r1;
1605
1606 default:
1607 break;
1608 }
1609 break;
1610
1611 case 51: /* ACMD51: SEND_SCR */
1612 switch (sd->state) {
1613 case sd_transfer_state:
1614 sd->state = sd_sendingdata_state;
1615 sd->data_start = 0;
1616 sd->data_offset = 0;
1617 return sd_r1;
1618
1619 default:
1620 break;
1621 }
1622 break;
1623
1624 case 18: /* Reserved for SD security applications */
1625 case 25:
1626 case 26:
1627 case 38:
1628 case 43 ... 49:
1629 /* Refer to the "SD Specifications Part3 Security Specification" for
1630 * information about the SD Security Features.
1631 */
1632 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1633 req.cmd);
1634 return sd_illegal;
1635
1636 default:
1637 /* Fall back to standard commands. */
1638 return sd_normal_command(sd, req);
1639
1640 unimplemented_spi_cmd:
1641 /* Commands that are recognised but not yet implemented in SPI mode. */
1642 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1643 req.cmd);
1644 return sd_illegal;
1645 }
1646
1647 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1648 return sd_illegal;
1649 }
1650
1651 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1652 {
1653 /* Valid commands in locked state:
1654 * basic class (0)
1655 * lock card class (7)
1656 * CMD16
1657 * implicitly, the ACMD prefix CMD55
1658 * ACMD41 and ACMD42
1659 * Anything else provokes an "illegal command" response.
1660 */
1661 if (sd->expecting_acmd) {
1662 return req->cmd == 41 || req->cmd == 42;
1663 }
1664 if (req->cmd == 16 || req->cmd == 55) {
1665 return 1;
1666 }
1667 return sd_cmd_class[req->cmd] == 0
1668 || sd_cmd_class[req->cmd] == 7;
1669 }
1670
1671 int sd_do_command(SDState *sd, SDRequest *req,
1672 uint8_t *response) {
1673 int last_state;
1674 sd_rsp_type_t rtype;
1675 int rsplen;
1676
1677 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1678 return 0;
1679 }
1680
1681 if (sd_req_crc_validate(req)) {
1682 sd->card_status |= COM_CRC_ERROR;
1683 rtype = sd_illegal;
1684 goto send_response;
1685 }
1686
1687 if (req->cmd >= SDMMC_CMD_MAX) {
1688 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1689 req->cmd);
1690 req->cmd &= 0x3f;
1691 }
1692
1693 if (sd->card_status & CARD_IS_LOCKED) {
1694 if (!cmd_valid_while_locked(sd, req)) {
1695 sd->card_status |= ILLEGAL_COMMAND;
1696 sd->expecting_acmd = false;
1697 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1698 rtype = sd_illegal;
1699 goto send_response;
1700 }
1701 }
1702
1703 last_state = sd->state;
1704 sd_set_mode(sd);
1705
1706 if (sd->expecting_acmd) {
1707 sd->expecting_acmd = false;
1708 rtype = sd_app_command(sd, *req);
1709 } else {
1710 rtype = sd_normal_command(sd, *req);
1711 }
1712
1713 if (rtype == sd_illegal) {
1714 sd->card_status |= ILLEGAL_COMMAND;
1715 } else {
1716 /* Valid command, we can update the 'state before command' bits.
1717 * (Do this now so they appear in r1 responses.)
1718 */
1719 sd->current_cmd = req->cmd;
1720 sd->card_status &= ~CURRENT_STATE;
1721 sd->card_status |= (last_state << 9);
1722 }
1723
1724 send_response:
1725 switch (rtype) {
1726 case sd_r1:
1727 case sd_r1b:
1728 sd_response_r1_make(sd, response);
1729 rsplen = 4;
1730 break;
1731
1732 case sd_r2_i:
1733 memcpy(response, sd->cid, sizeof(sd->cid));
1734 rsplen = 16;
1735 break;
1736
1737 case sd_r2_s:
1738 memcpy(response, sd->csd, sizeof(sd->csd));
1739 rsplen = 16;
1740 break;
1741
1742 case sd_r3:
1743 sd_response_r3_make(sd, response);
1744 rsplen = 4;
1745 break;
1746
1747 case sd_r6:
1748 sd_response_r6_make(sd, response);
1749 rsplen = 4;
1750 break;
1751
1752 case sd_r7:
1753 sd_response_r7_make(sd, response);
1754 rsplen = 4;
1755 break;
1756
1757 case sd_r0:
1758 case sd_illegal:
1759 rsplen = 0;
1760 break;
1761 default:
1762 g_assert_not_reached();
1763 }
1764 trace_sdcard_response(sd_response_name(rtype), rsplen);
1765
1766 if (rtype != sd_illegal) {
1767 /* Clear the "clear on valid command" status bits now we've
1768 * sent any response
1769 */
1770 sd->card_status &= ~CARD_STATUS_B;
1771 }
1772
1773 #ifdef DEBUG_SD
1774 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
1775 #endif
1776
1777 return rsplen;
1778 }
1779
1780 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1781 {
1782 trace_sdcard_read_block(addr, len);
1783 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1784 fprintf(stderr, "sd_blk_read: read error on host side\n");
1785 }
1786 }
1787
1788 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1789 {
1790 trace_sdcard_write_block(addr, len);
1791 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1792 fprintf(stderr, "sd_blk_write: write error on host side\n");
1793 }
1794 }
1795
1796 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1797 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1798 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1799 #define APP_WRITE_BLOCK(a, len)
1800
1801 void sd_write_data(SDState *sd, uint8_t value)
1802 {
1803 int i;
1804
1805 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1806 return;
1807
1808 if (sd->state != sd_receivingdata_state) {
1809 qemu_log_mask(LOG_GUEST_ERROR,
1810 "sd_write_data: not in Receiving-Data state\n");
1811 return;
1812 }
1813
1814 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1815 return;
1816
1817 trace_sdcard_write_data(sd->proto_name,
1818 sd_acmd_name(sd->current_cmd),
1819 sd->current_cmd, value);
1820 switch (sd->current_cmd) {
1821 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1822 sd->data[sd->data_offset ++] = value;
1823 if (sd->data_offset >= sd->blk_len) {
1824 /* TODO: Check CRC before committing */
1825 sd->state = sd_programming_state;
1826 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1827 sd->blk_written ++;
1828 sd->csd[14] |= 0x40;
1829 /* Bzzzzzzztt .... Operation complete. */
1830 sd->state = sd_transfer_state;
1831 }
1832 break;
1833
1834 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1835 if (sd->data_offset == 0) {
1836 /* Start of the block - let's check the address is valid */
1837 if (sd->data_start + sd->blk_len > sd->size) {
1838 sd->card_status |= ADDRESS_ERROR;
1839 break;
1840 }
1841 if (sd_wp_addr(sd, sd->data_start)) {
1842 sd->card_status |= WP_VIOLATION;
1843 break;
1844 }
1845 }
1846 sd->data[sd->data_offset++] = value;
1847 if (sd->data_offset >= sd->blk_len) {
1848 /* TODO: Check CRC before committing */
1849 sd->state = sd_programming_state;
1850 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1851 sd->blk_written++;
1852 sd->data_start += sd->blk_len;
1853 sd->data_offset = 0;
1854 sd->csd[14] |= 0x40;
1855
1856 /* Bzzzzzzztt .... Operation complete. */
1857 if (sd->multi_blk_cnt != 0) {
1858 if (--sd->multi_blk_cnt == 0) {
1859 /* Stop! */
1860 sd->state = sd_transfer_state;
1861 break;
1862 }
1863 }
1864
1865 sd->state = sd_receivingdata_state;
1866 }
1867 break;
1868
1869 case 26: /* CMD26: PROGRAM_CID */
1870 sd->data[sd->data_offset ++] = value;
1871 if (sd->data_offset >= sizeof(sd->cid)) {
1872 /* TODO: Check CRC before committing */
1873 sd->state = sd_programming_state;
1874 for (i = 0; i < sizeof(sd->cid); i ++)
1875 if ((sd->cid[i] | 0x00) != sd->data[i])
1876 sd->card_status |= CID_CSD_OVERWRITE;
1877
1878 if (!(sd->card_status & CID_CSD_OVERWRITE))
1879 for (i = 0; i < sizeof(sd->cid); i ++) {
1880 sd->cid[i] |= 0x00;
1881 sd->cid[i] &= sd->data[i];
1882 }
1883 /* Bzzzzzzztt .... Operation complete. */
1884 sd->state = sd_transfer_state;
1885 }
1886 break;
1887
1888 case 27: /* CMD27: PROGRAM_CSD */
1889 sd->data[sd->data_offset ++] = value;
1890 if (sd->data_offset >= sizeof(sd->csd)) {
1891 /* TODO: Check CRC before committing */
1892 sd->state = sd_programming_state;
1893 for (i = 0; i < sizeof(sd->csd); i ++)
1894 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1895 (sd->data[i] | sd_csd_rw_mask[i]))
1896 sd->card_status |= CID_CSD_OVERWRITE;
1897
1898 /* Copy flag (OTP) & Permanent write protect */
1899 if (sd->csd[14] & ~sd->data[14] & 0x60)
1900 sd->card_status |= CID_CSD_OVERWRITE;
1901
1902 if (!(sd->card_status & CID_CSD_OVERWRITE))
1903 for (i = 0; i < sizeof(sd->csd); i ++) {
1904 sd->csd[i] |= sd_csd_rw_mask[i];
1905 sd->csd[i] &= sd->data[i];
1906 }
1907 /* Bzzzzzzztt .... Operation complete. */
1908 sd->state = sd_transfer_state;
1909 }
1910 break;
1911
1912 case 42: /* CMD42: LOCK_UNLOCK */
1913 sd->data[sd->data_offset ++] = value;
1914 if (sd->data_offset >= sd->blk_len) {
1915 /* TODO: Check CRC before committing */
1916 sd->state = sd_programming_state;
1917 sd_lock_command(sd);
1918 /* Bzzzzzzztt .... Operation complete. */
1919 sd->state = sd_transfer_state;
1920 }
1921 break;
1922
1923 case 56: /* CMD56: GEN_CMD */
1924 sd->data[sd->data_offset ++] = value;
1925 if (sd->data_offset >= sd->blk_len) {
1926 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1927 sd->state = sd_transfer_state;
1928 }
1929 break;
1930
1931 default:
1932 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1933 break;
1934 }
1935 }
1936
1937 #define SD_TUNING_BLOCK_SIZE 64
1938
1939 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1940 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1941 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1942 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1943 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1944 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1945 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1946 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1947 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1948 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1949 };
1950
1951 uint8_t sd_read_data(SDState *sd)
1952 {
1953 /* TODO: Append CRCs */
1954 uint8_t ret;
1955 int io_len;
1956
1957 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1958 return 0x00;
1959
1960 if (sd->state != sd_sendingdata_state) {
1961 qemu_log_mask(LOG_GUEST_ERROR,
1962 "sd_read_data: not in Sending-Data state\n");
1963 return 0x00;
1964 }
1965
1966 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1967 return 0x00;
1968
1969 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1970
1971 trace_sdcard_read_data(sd->proto_name,
1972 sd_acmd_name(sd->current_cmd),
1973 sd->current_cmd, io_len);
1974 switch (sd->current_cmd) {
1975 case 6: /* CMD6: SWITCH_FUNCTION */
1976 ret = sd->data[sd->data_offset ++];
1977
1978 if (sd->data_offset >= 64)
1979 sd->state = sd_transfer_state;
1980 break;
1981
1982 case 9: /* CMD9: SEND_CSD */
1983 case 10: /* CMD10: SEND_CID */
1984 ret = sd->data[sd->data_offset ++];
1985
1986 if (sd->data_offset >= 16)
1987 sd->state = sd_transfer_state;
1988 break;
1989
1990 case 13: /* ACMD13: SD_STATUS */
1991 ret = sd->sd_status[sd->data_offset ++];
1992
1993 if (sd->data_offset >= sizeof(sd->sd_status))
1994 sd->state = sd_transfer_state;
1995 break;
1996
1997 case 17: /* CMD17: READ_SINGLE_BLOCK */
1998 if (sd->data_offset == 0)
1999 BLK_READ_BLOCK(sd->data_start, io_len);
2000 ret = sd->data[sd->data_offset ++];
2001
2002 if (sd->data_offset >= io_len)
2003 sd->state = sd_transfer_state;
2004 break;
2005
2006 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2007 if (sd->data_offset == 0) {
2008 if (sd->data_start + io_len > sd->size) {
2009 sd->card_status |= ADDRESS_ERROR;
2010 return 0x00;
2011 }
2012 BLK_READ_BLOCK(sd->data_start, io_len);
2013 }
2014 ret = sd->data[sd->data_offset ++];
2015
2016 if (sd->data_offset >= io_len) {
2017 sd->data_start += io_len;
2018 sd->data_offset = 0;
2019
2020 if (sd->multi_blk_cnt != 0) {
2021 if (--sd->multi_blk_cnt == 0) {
2022 /* Stop! */
2023 sd->state = sd_transfer_state;
2024 break;
2025 }
2026 }
2027 }
2028 break;
2029
2030 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2031 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2032 sd->state = sd_transfer_state;
2033 }
2034 ret = sd_tuning_block_pattern[sd->data_offset++];
2035 break;
2036
2037 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2038 ret = sd->data[sd->data_offset ++];
2039
2040 if (sd->data_offset >= 4)
2041 sd->state = sd_transfer_state;
2042 break;
2043
2044 case 30: /* CMD30: SEND_WRITE_PROT */
2045 ret = sd->data[sd->data_offset ++];
2046
2047 if (sd->data_offset >= 4)
2048 sd->state = sd_transfer_state;
2049 break;
2050
2051 case 51: /* ACMD51: SEND_SCR */
2052 ret = sd->scr[sd->data_offset ++];
2053
2054 if (sd->data_offset >= sizeof(sd->scr))
2055 sd->state = sd_transfer_state;
2056 break;
2057
2058 case 56: /* CMD56: GEN_CMD */
2059 if (sd->data_offset == 0)
2060 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2061 ret = sd->data[sd->data_offset ++];
2062
2063 if (sd->data_offset >= sd->blk_len)
2064 sd->state = sd_transfer_state;
2065 break;
2066
2067 default:
2068 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
2069 return 0x00;
2070 }
2071
2072 return ret;
2073 }
2074
2075 bool sd_data_ready(SDState *sd)
2076 {
2077 return sd->state == sd_sendingdata_state;
2078 }
2079
2080 void sd_enable(SDState *sd, bool enable)
2081 {
2082 sd->enable = enable;
2083 }
2084
2085 static void sd_instance_init(Object *obj)
2086 {
2087 SDState *sd = SD_CARD(obj);
2088
2089 sd->enable = true;
2090 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2091 }
2092
2093 static void sd_instance_finalize(Object *obj)
2094 {
2095 SDState *sd = SD_CARD(obj);
2096
2097 timer_del(sd->ocr_power_timer);
2098 timer_free(sd->ocr_power_timer);
2099 }
2100
2101 static void sd_realize(DeviceState *dev, Error **errp)
2102 {
2103 SDState *sd = SD_CARD(dev);
2104 int ret;
2105
2106 sd->proto_name = sd->spi ? "SPI" : "SD";
2107
2108 switch (sd->spec_version) {
2109 case SD_PHY_SPECv1_10_VERS
2110 ... SD_PHY_SPECv3_01_VERS:
2111 break;
2112 default:
2113 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2114 return;
2115 }
2116
2117 if (sd->blk) {
2118 int64_t blk_size;
2119
2120 if (blk_is_read_only(sd->blk)) {
2121 error_setg(errp, "Cannot use read-only drive as SD card");
2122 return;
2123 }
2124
2125 blk_size = blk_getlength(sd->blk);
2126 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2127 int64_t blk_size_aligned = pow2ceil(blk_size);
2128 char *blk_size_str;
2129
2130 blk_size_str = size_to_str(blk_size);
2131 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2132 g_free(blk_size_str);
2133
2134 blk_size_str = size_to_str(blk_size_aligned);
2135 error_append_hint(errp,
2136 "SD card size has to be a power of 2, e.g. %s.\n"
2137 "You can resize disk images with"
2138 " 'qemu-img resize <imagefile> <new-size>'\n"
2139 "(note that this will lose data if you make the"
2140 " image smaller than it currently is).\n",
2141 blk_size_str);
2142 g_free(blk_size_str);
2143
2144 return;
2145 }
2146
2147 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2148 BLK_PERM_ALL, errp);
2149 if (ret < 0) {
2150 return;
2151 }
2152 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2153 }
2154 }
2155
2156 static Property sd_properties[] = {
2157 DEFINE_PROP_UINT8("spec_version", SDState,
2158 spec_version, SD_PHY_SPECv2_00_VERS),
2159 DEFINE_PROP_DRIVE("drive", SDState, blk),
2160 /* We do not model the chip select pin, so allow the board to select
2161 * whether card should be in SSI or MMC/SD mode. It is also up to the
2162 * board to ensure that ssi transfers only occur when the chip select
2163 * is asserted. */
2164 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2165 DEFINE_PROP_END_OF_LIST()
2166 };
2167
2168 static void sd_class_init(ObjectClass *klass, void *data)
2169 {
2170 DeviceClass *dc = DEVICE_CLASS(klass);
2171 SDCardClass *sc = SD_CARD_CLASS(klass);
2172
2173 dc->realize = sd_realize;
2174 device_class_set_props(dc, sd_properties);
2175 dc->vmsd = &sd_vmstate;
2176 dc->reset = sd_reset;
2177 dc->bus_type = TYPE_SD_BUS;
2178 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2179
2180 sc->set_voltage = sd_set_voltage;
2181 sc->get_dat_lines = sd_get_dat_lines;
2182 sc->get_cmd_line = sd_get_cmd_line;
2183 sc->do_command = sd_do_command;
2184 sc->write_data = sd_write_data;
2185 sc->read_data = sd_read_data;
2186 sc->data_ready = sd_data_ready;
2187 sc->enable = sd_enable;
2188 sc->get_inserted = sd_get_inserted;
2189 sc->get_readonly = sd_get_readonly;
2190 }
2191
2192 static const TypeInfo sd_info = {
2193 .name = TYPE_SD_CARD,
2194 .parent = TYPE_DEVICE,
2195 .instance_size = sizeof(SDState),
2196 .class_size = sizeof(SDCardClass),
2197 .class_init = sd_class_init,
2198 .instance_init = sd_instance_init,
2199 .instance_finalize = sd_instance_finalize,
2200 };
2201
2202 static void sd_register_types(void)
2203 {
2204 type_register_static(&sd_info);
2205 }
2206
2207 type_init(sd_register_types)
AR7 emulation for QEMU