search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd/sdcard: Introduce the INVALID_ADDRESS definition
[qemu/ar7.git] / hw / sd / sd.c
blob30ae435d6693c9ed15670ae8c92c561ffce69b14
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "qemu/error-report.h"
46 #include "qemu/timer.h"
47 #include "qemu/log.h"
48 #include "qemu/module.h"
49 #include "sdmmc-internal.h"
50 #include "trace.h"
51
52 //#define DEBUG_SD 1
53
54 #define SDSC_MAX_CAPACITY (2 * GiB)
55
56 #define INVALID_ADDRESS 0
57
58 typedef enum {
59 sd_r0 = 0, /* no response */
60 sd_r1, /* normal response command */
61 sd_r2_i, /* CID register */
62 sd_r2_s, /* CSD register */
63 sd_r3, /* OCR register */
64 sd_r6 = 6, /* Published RCA response */
65 sd_r7, /* Operating voltage */
66 sd_r1b = -1,
67 sd_illegal = -2,
68 } sd_rsp_type_t;
69
70 enum SDCardModes {
71 sd_inactive,
72 sd_card_identification_mode,
73 sd_data_transfer_mode,
74 };
75
76 enum SDCardStates {
77 sd_inactive_state = -1,
78 sd_idle_state = 0,
79 sd_ready_state,
80 sd_identification_state,
81 sd_standby_state,
82 sd_transfer_state,
83 sd_sendingdata_state,
84 sd_receivingdata_state,
85 sd_programming_state,
86 sd_disconnect_state,
87 };
88
89 struct SDState {
90 DeviceState parent_obj;
91
92 /* If true, created by sd_init() for a non-qdevified caller */
93 /* TODO purge them with fire */
94 bool me_no_qdev_me_kill_mammoth_with_rocks;
95
96 /* SD Memory Card Registers */
97 uint32_t ocr;
98 uint8_t scr[8];
99 uint8_t cid[16];
100 uint8_t csd[16];
101 uint16_t rca;
102 uint32_t card_status;
103 uint8_t sd_status[64];
104
105 /* Configurable properties */
106 uint8_t spec_version;
107 BlockBackend *blk;
108 bool spi;
109
110 uint32_t mode; /* current card mode, one of SDCardModes */
111 int32_t state; /* current card state, one of SDCardStates */
112 uint32_t vhs;
113 bool wp_switch;
114 unsigned long *wp_groups;
115 int32_t wpgrps_size;
116 uint64_t size;
117 uint32_t blk_len;
118 uint32_t multi_blk_cnt;
119 uint32_t erase_start;
120 uint32_t erase_end;
121 uint8_t pwd[16];
122 uint32_t pwd_len;
123 uint8_t function_group[6];
124 uint8_t current_cmd;
125 /* True if we will handle the next command as an ACMD. Note that this does
126 * *not* track the APP_CMD status bit!
127 */
128 bool expecting_acmd;
129 uint32_t blk_written;
130 uint64_t data_start;
131 uint32_t data_offset;
132 uint8_t data[512];
133 qemu_irq readonly_cb;
134 qemu_irq inserted_cb;
135 QEMUTimer *ocr_power_timer;
136 const char *proto_name;
137 bool enable;
138 uint8_t dat_lines;
139 bool cmd_line;
140 };
141
142 static void sd_realize(DeviceState *dev, Error **errp);
143
144 static const char *sd_state_name(enum SDCardStates state)
145 {
146 static const char *state_name[] = {
147 [sd_idle_state] = "idle",
148 [sd_ready_state] = "ready",
149 [sd_identification_state] = "identification",
150 [sd_standby_state] = "standby",
151 [sd_transfer_state] = "transfer",
152 [sd_sendingdata_state] = "sendingdata",
153 [sd_receivingdata_state] = "receivingdata",
154 [sd_programming_state] = "programming",
155 [sd_disconnect_state] = "disconnect",
156 };
157 if (state == sd_inactive_state) {
158 return "inactive";
159 }
160 assert(state < ARRAY_SIZE(state_name));
161 return state_name[state];
162 }
163
164 static const char *sd_response_name(sd_rsp_type_t rsp)
165 {
166 static const char *response_name[] = {
167 [sd_r0] = "RESP#0 (no response)",
168 [sd_r1] = "RESP#1 (normal cmd)",
169 [sd_r2_i] = "RESP#2 (CID reg)",
170 [sd_r2_s] = "RESP#2 (CSD reg)",
171 [sd_r3] = "RESP#3 (OCR reg)",
172 [sd_r6] = "RESP#6 (RCA)",
173 [sd_r7] = "RESP#7 (operating voltage)",
174 };
175 if (rsp == sd_illegal) {
176 return "ILLEGAL RESP";
177 }
178 if (rsp == sd_r1b) {
179 rsp = sd_r1;
180 }
181 assert(rsp < ARRAY_SIZE(response_name));
182 return response_name[rsp];
183 }
184
185 static uint8_t sd_get_dat_lines(SDState *sd)
186 {
187 return sd->enable ? sd->dat_lines : 0;
188 }
189
190 static bool sd_get_cmd_line(SDState *sd)
191 {
192 return sd->enable ? sd->cmd_line : false;
193 }
194
195 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
196 {
197 trace_sdcard_set_voltage(millivolts);
198
199 switch (millivolts) {
200 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
201 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
202 break;
203 default:
204 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
205 millivolts / 1000.f);
206 }
207 }
208
209 static void sd_set_mode(SDState *sd)
210 {
211 switch (sd->state) {
212 case sd_inactive_state:
213 sd->mode = sd_inactive;
214 break;
215
216 case sd_idle_state:
217 case sd_ready_state:
218 case sd_identification_state:
219 sd->mode = sd_card_identification_mode;
220 break;
221
222 case sd_standby_state:
223 case sd_transfer_state:
224 case sd_sendingdata_state:
225 case sd_receivingdata_state:
226 case sd_programming_state:
227 case sd_disconnect_state:
228 sd->mode = sd_data_transfer_mode;
229 break;
230 }
231 }
232
233 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
234 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
235 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
236 /* 16 */
237 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
238 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
239 /* 32 */
240 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
241 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
242 /* 48 */
243 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
244 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
245 };
246
247 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
248 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
249 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
250 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
251 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
252 };
253
254 static uint8_t sd_crc7(void *message, size_t width)
255 {
256 int i, bit;
257 uint8_t shift_reg = 0x00;
258 uint8_t *msg = (uint8_t *) message;
259
260 for (i = 0; i < width; i ++, msg ++)
261 for (bit = 7; bit >= 0; bit --) {
262 shift_reg <<= 1;
263 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
264 shift_reg ^= 0x89;
265 }
266
267 return shift_reg;
268 }
269
270 static uint16_t sd_crc16(void *message, size_t width)
271 {
272 int i, bit;
273 uint16_t shift_reg = 0x0000;
274 uint16_t *msg = (uint16_t *) message;
275 width <<= 1;
276
277 for (i = 0; i < width; i ++, msg ++)
278 for (bit = 15; bit >= 0; bit --) {
279 shift_reg <<= 1;
280 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
281 shift_reg ^= 0x1011;
282 }
283
284 return shift_reg;
285 }
286
287 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
288
289 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
290 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
291 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
292 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
293 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
294 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
295 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
296 FIELD(OCR, CARD_POWER_UP, 31, 1)
297
298 #define ACMD41_ENQUIRY_MASK 0x00ffffff
299 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
300 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
301 | R_OCR_UHS_II_CARD_MASK \
302 | R_OCR_CARD_CAPACITY_MASK \
303 | R_OCR_CARD_POWER_UP_MASK)
304
305 static void sd_set_ocr(SDState *sd)
306 {
307 /* All voltages OK */
308 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
309 }
310
311 static void sd_ocr_powerup(void *opaque)
312 {
313 SDState *sd = opaque;
314
315 trace_sdcard_powerup();
316 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
317
318 /* card power-up OK */
319 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
320
321 if (sd->size > SDSC_MAX_CAPACITY) {
322 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
323 }
324 }
325
326 static void sd_set_scr(SDState *sd)
327 {
328 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
329 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
330 sd->scr[0] |= 1; /* Spec Version 1.10 */
331 } else {
332 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
333 }
334 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
335 | 0b0101; /* 1-bit or 4-bit width bus modes */
336 sd->scr[2] = 0x00; /* Extended Security is not supported. */
337 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
338 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
339 }
340 sd->scr[3] = 0x00;
341 /* reserved for manufacturer usage */
342 sd->scr[4] = 0x00;
343 sd->scr[5] = 0x00;
344 sd->scr[6] = 0x00;
345 sd->scr[7] = 0x00;
346 }
347
348 #define MID 0xaa
349 #define OID "XY"
350 #define PNM "QEMU!"
351 #define PRV 0x01
352 #define MDT_YR 2006
353 #define MDT_MON 2
354
355 static void sd_set_cid(SDState *sd)
356 {
357 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
358 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
359 sd->cid[2] = OID[1];
360 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
361 sd->cid[4] = PNM[1];
362 sd->cid[5] = PNM[2];
363 sd->cid[6] = PNM[3];
364 sd->cid[7] = PNM[4];
365 sd->cid[8] = PRV; /* Fake product revision (PRV) */
366 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
367 sd->cid[10] = 0xad;
368 sd->cid[11] = 0xbe;
369 sd->cid[12] = 0xef;
370 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
371 ((MDT_YR - 2000) / 10);
372 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
373 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
374 }
375
376 #define HWBLOCK_SHIFT 9 /* 512 bytes */
377 #define SECTOR_SHIFT 5 /* 16 kilobytes */
378 #define WPGROUP_SHIFT 7 /* 2 megs */
379 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
380 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
381
382 static const uint8_t sd_csd_rw_mask[16] = {
383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
385 };
386
387 static void sd_set_csd(SDState *sd, uint64_t size)
388 {
389 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
390 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
391 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
392
393 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
394 sd->csd[0] = 0x00; /* CSD structure */
395 sd->csd[1] = 0x26; /* Data read access-time-1 */
396 sd->csd[2] = 0x00; /* Data read access-time-2 */
397 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
398 sd->csd[4] = 0x5f; /* Card Command Classes */
399 sd->csd[5] = 0x50 | /* Max. read data block length */
400 HWBLOCK_SHIFT;
401 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
402 ((csize >> 10) & 0x03);
403 sd->csd[7] = 0x00 | /* Device size */
404 ((csize >> 2) & 0xff);
405 sd->csd[8] = 0x3f | /* Max. read current */
406 ((csize << 6) & 0xc0);
407 sd->csd[9] = 0xfc | /* Max. write current */
408 ((CMULT_SHIFT - 2) >> 1);
409 sd->csd[10] = 0x40 | /* Erase sector size */
410 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
411 sd->csd[11] = 0x00 | /* Write protect group size */
412 ((sectsize << 7) & 0x80) | wpsize;
413 sd->csd[12] = 0x90 | /* Write speed factor */
414 (HWBLOCK_SHIFT >> 2);
415 sd->csd[13] = 0x20 | /* Max. write data block length */
416 ((HWBLOCK_SHIFT << 6) & 0xc0);
417 sd->csd[14] = 0x00; /* File format group */
418 } else { /* SDHC */
419 size /= 512 * KiB;
420 size -= 1;
421 sd->csd[0] = 0x40;
422 sd->csd[1] = 0x0e;
423 sd->csd[2] = 0x00;
424 sd->csd[3] = 0x32;
425 sd->csd[4] = 0x5b;
426 sd->csd[5] = 0x59;
427 sd->csd[6] = 0x00;
428 sd->csd[7] = (size >> 16) & 0xff;
429 sd->csd[8] = (size >> 8) & 0xff;
430 sd->csd[9] = (size & 0xff);
431 sd->csd[10] = 0x7f;
432 sd->csd[11] = 0x80;
433 sd->csd[12] = 0x0a;
434 sd->csd[13] = 0x40;
435 sd->csd[14] = 0x00;
436 }
437 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
438 }
439
440 static void sd_set_rca(SDState *sd)
441 {
442 sd->rca += 0x4567;
443 }
444
445 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
446 FIELD(CSR, APP_CMD, 5, 1)
447 FIELD(CSR, FX_EVENT, 6, 1)
448 FIELD(CSR, READY_FOR_DATA, 8, 1)
449 FIELD(CSR, CURRENT_STATE, 9, 4)
450 FIELD(CSR, ERASE_RESET, 13, 1)
451 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
452 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
453 FIELD(CSR, CSD_OVERWRITE, 16, 1)
454 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
455 FIELD(CSR, ERROR, 19, 1)
456 FIELD(CSR, CC_ERROR, 20, 1)
457 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
458 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
459 FIELD(CSR, COM_CRC_ERROR, 23, 1)
460 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
461 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
462 FIELD(CSR, WP_VIOLATION, 26, 1)
463 FIELD(CSR, ERASE_PARAM, 27, 1)
464 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
465 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
466 FIELD(CSR, ADDRESS_ERROR, 30, 1)
467 FIELD(CSR, OUT_OF_RANGE, 31, 1)
468
469 /* Card status bits, split by clear condition:
470 * A : According to the card current state
471 * B : Always related to the previous command
472 * C : Cleared by read
473 */
474 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
475 | R_CSR_CARD_ECC_DISABLED_MASK \
476 | R_CSR_CARD_IS_LOCKED_MASK)
477 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
478 | R_CSR_ILLEGAL_COMMAND_MASK \
479 | R_CSR_COM_CRC_ERROR_MASK)
480 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
481 | R_CSR_APP_CMD_MASK \
482 | R_CSR_ERASE_RESET_MASK \
483 | R_CSR_WP_ERASE_SKIP_MASK \
484 | R_CSR_CSD_OVERWRITE_MASK \
485 | R_CSR_ERROR_MASK \
486 | R_CSR_CC_ERROR_MASK \
487 | R_CSR_CARD_ECC_FAILED_MASK \
488 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
489 | R_CSR_WP_VIOLATION_MASK \
490 | R_CSR_ERASE_PARAM_MASK \
491 | R_CSR_ERASE_SEQ_ERROR_MASK \
492 | R_CSR_BLOCK_LEN_ERROR_MASK \
493 | R_CSR_ADDRESS_ERROR_MASK \
494 | R_CSR_OUT_OF_RANGE_MASK)
495
496 static void sd_set_cardstatus(SDState *sd)
497 {
498 sd->card_status = 0x00000100;
499 }
500
501 static void sd_set_sdstatus(SDState *sd)
502 {
503 memset(sd->sd_status, 0, 64);
504 }
505
506 static int sd_req_crc_validate(SDRequest *req)
507 {
508 uint8_t buffer[5];
509 buffer[0] = 0x40 | req->cmd;
510 stl_be_p(&buffer[1], req->arg);
511 return 0;
512 return sd_crc7(buffer, 5) != req->crc; /* TODO */
513 }
514
515 static void sd_response_r1_make(SDState *sd, uint8_t *response)
516 {
517 stl_be_p(response, sd->card_status);
518
519 /* Clear the "clear on read" status bits */
520 sd->card_status &= ~CARD_STATUS_C;
521 }
522
523 static void sd_response_r3_make(SDState *sd, uint8_t *response)
524 {
525 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
526 }
527
528 static void sd_response_r6_make(SDState *sd, uint8_t *response)
529 {
530 uint16_t status;
531
532 status = ((sd->card_status >> 8) & 0xc000) |
533 ((sd->card_status >> 6) & 0x2000) |
534 (sd->card_status & 0x1fff);
535 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
536 stw_be_p(response + 0, sd->rca);
537 stw_be_p(response + 2, status);
538 }
539
540 static void sd_response_r7_make(SDState *sd, uint8_t *response)
541 {
542 stl_be_p(response, sd->vhs);
543 }
544
545 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
546 {
547 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
548 }
549
550 static void sd_reset(DeviceState *dev)
551 {
552 SDState *sd = SD_CARD(dev);
553 uint64_t size;
554 uint64_t sect;
555
556 trace_sdcard_reset();
557 if (sd->blk) {
558 blk_get_geometry(sd->blk, &sect);
559 } else {
560 sect = 0;
561 }
562 size = sect << 9;
563
564 sect = sd_addr_to_wpnum(size) + 1;
565
566 sd->state = sd_idle_state;
567 sd->rca = 0x0000;
568 sd_set_ocr(sd);
569 sd_set_scr(sd);
570 sd_set_cid(sd);
571 sd_set_csd(sd, size);
572 sd_set_cardstatus(sd);
573 sd_set_sdstatus(sd);
574
575 g_free(sd->wp_groups);
576 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
577 sd->wpgrps_size = sect;
578 sd->wp_groups = bitmap_new(sd->wpgrps_size);
579 memset(sd->function_group, 0, sizeof(sd->function_group));
580 sd->erase_start = INVALID_ADDRESS;
581 sd->erase_end = INVALID_ADDRESS;
582 sd->size = size;
583 sd->blk_len = 0x200;
584 sd->pwd_len = 0;
585 sd->expecting_acmd = false;
586 sd->dat_lines = 0xf;
587 sd->cmd_line = true;
588 sd->multi_blk_cnt = 0;
589 }
590
591 static bool sd_get_inserted(SDState *sd)
592 {
593 return sd->blk && blk_is_inserted(sd->blk);
594 }
595
596 static bool sd_get_readonly(SDState *sd)
597 {
598 return sd->wp_switch;
599 }
600
601 static void sd_cardchange(void *opaque, bool load, Error **errp)
602 {
603 SDState *sd = opaque;
604 DeviceState *dev = DEVICE(sd);
605 SDBus *sdbus;
606 bool inserted = sd_get_inserted(sd);
607 bool readonly = sd_get_readonly(sd);
608
609 if (inserted) {
610 trace_sdcard_inserted(readonly);
611 sd_reset(dev);
612 } else {
613 trace_sdcard_ejected();
614 }
615
616 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
617 qemu_set_irq(sd->inserted_cb, inserted);
618 if (inserted) {
619 qemu_set_irq(sd->readonly_cb, readonly);
620 }
621 } else {
622 sdbus = SD_BUS(qdev_get_parent_bus(dev));
623 sdbus_set_inserted(sdbus, inserted);
624 if (inserted) {
625 sdbus_set_readonly(sdbus, readonly);
626 }
627 }
628 }
629
630 static const BlockDevOps sd_block_ops = {
631 .change_media_cb = sd_cardchange,
632 };
633
634 static bool sd_ocr_vmstate_needed(void *opaque)
635 {
636 SDState *sd = opaque;
637
638 /* Include the OCR state (and timer) if it is not yet powered up */
639 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
640 }
641
642 static const VMStateDescription sd_ocr_vmstate = {
643 .name = "sd-card/ocr-state",
644 .version_id = 1,
645 .minimum_version_id = 1,
646 .needed = sd_ocr_vmstate_needed,
647 .fields = (VMStateField[]) {
648 VMSTATE_UINT32(ocr, SDState),
649 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
650 VMSTATE_END_OF_LIST()
651 },
652 };
653
654 static int sd_vmstate_pre_load(void *opaque)
655 {
656 SDState *sd = opaque;
657
658 /* If the OCR state is not included (prior versions, or not
659 * needed), then the OCR must be set as powered up. If the OCR state
660 * is included, this will be replaced by the state restore.
661 */
662 sd_ocr_powerup(sd);
663
664 return 0;
665 }
666
667 static const VMStateDescription sd_vmstate = {
668 .name = "sd-card",
669 .version_id = 1,
670 .minimum_version_id = 1,
671 .pre_load = sd_vmstate_pre_load,
672 .fields = (VMStateField[]) {
673 VMSTATE_UINT32(mode, SDState),
674 VMSTATE_INT32(state, SDState),
675 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
676 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
677 VMSTATE_UINT16(rca, SDState),
678 VMSTATE_UINT32(card_status, SDState),
679 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
680 VMSTATE_UINT32(vhs, SDState),
681 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
682 VMSTATE_UINT32(blk_len, SDState),
683 VMSTATE_UINT32(multi_blk_cnt, SDState),
684 VMSTATE_UINT32(erase_start, SDState),
685 VMSTATE_UINT32(erase_end, SDState),
686 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
687 VMSTATE_UINT32(pwd_len, SDState),
688 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
689 VMSTATE_UINT8(current_cmd, SDState),
690 VMSTATE_BOOL(expecting_acmd, SDState),
691 VMSTATE_UINT32(blk_written, SDState),
692 VMSTATE_UINT64(data_start, SDState),
693 VMSTATE_UINT32(data_offset, SDState),
694 VMSTATE_UINT8_ARRAY(data, SDState, 512),
695 VMSTATE_UNUSED_V(1, 512),
696 VMSTATE_BOOL(enable, SDState),
697 VMSTATE_END_OF_LIST()
698 },
699 .subsections = (const VMStateDescription*[]) {
700 &sd_ocr_vmstate,
701 NULL
702 },
703 };
704
705 /* Legacy initialization function for use by non-qdevified callers */
706 SDState *sd_init(BlockBackend *blk, bool is_spi)
707 {
708 Object *obj;
709 DeviceState *dev;
710 SDState *sd;
711 Error *err = NULL;
712
713 obj = object_new(TYPE_SD_CARD);
714 dev = DEVICE(obj);
715 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
716 error_reportf_err(err, "sd_init failed: ");
717 return NULL;
718 }
719 qdev_prop_set_bit(dev, "spi", is_spi);
720
721 /*
722 * Realizing the device properly would put it into the QOM
723 * composition tree even though it is not plugged into an
724 * appropriate bus. That's a no-no. Hide the device from
725 * QOM/qdev, and call its qdev realize callback directly.
726 */
727 object_ref(obj);
728 object_unparent(obj);
729 sd_realize(dev, &err);
730 if (err) {
731 error_reportf_err(err, "sd_init failed: ");
732 return NULL;
733 }
734
735 sd = SD_CARD(dev);
736 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
737 return sd;
738 }
739
740 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
741 {
742 sd->readonly_cb = readonly;
743 sd->inserted_cb = insert;
744 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
745 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
746 }
747
748 static void sd_erase(SDState *sd)
749 {
750 int i;
751 uint64_t erase_start = sd->erase_start;
752 uint64_t erase_end = sd->erase_end;
753
754 trace_sdcard_erase(sd->erase_start, sd->erase_end);
755 if (sd->erase_start == INVALID_ADDRESS
756 || sd->erase_end == INVALID_ADDRESS) {
757 sd->card_status |= ERASE_SEQ_ERROR;
758 return;
759 }
760
761 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
762 /* High capacity memory card: erase units are 512 byte blocks */
763 erase_start *= 512;
764 erase_end *= 512;
765 }
766
767 erase_start = sd_addr_to_wpnum(erase_start);
768 erase_end = sd_addr_to_wpnum(erase_end);
769 sd->erase_start = INVALID_ADDRESS;
770 sd->erase_end = INVALID_ADDRESS;
771 sd->csd[14] |= 0x40;
772
773 for (i = erase_start; i <= erase_end; i++) {
774 if (test_bit(i, sd->wp_groups)) {
775 sd->card_status |= WP_ERASE_SKIP;
776 }
777 }
778 }
779
780 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
781 {
782 uint32_t i, wpnum;
783 uint32_t ret = 0;
784
785 wpnum = sd_addr_to_wpnum(addr);
786
787 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
788 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
789 ret |= (1 << i);
790 }
791 }
792
793 return ret;
794 }
795
796 static void sd_function_switch(SDState *sd, uint32_t arg)
797 {
798 int i, mode, new_func;
799 mode = !!(arg & 0x80000000);
800
801 sd->data[0] = 0x00; /* Maximum current consumption */
802 sd->data[1] = 0x01;
803 sd->data[2] = 0x80; /* Supported group 6 functions */
804 sd->data[3] = 0x01;
805 sd->data[4] = 0x80; /* Supported group 5 functions */
806 sd->data[5] = 0x01;
807 sd->data[6] = 0x80; /* Supported group 4 functions */
808 sd->data[7] = 0x01;
809 sd->data[8] = 0x80; /* Supported group 3 functions */
810 sd->data[9] = 0x01;
811 sd->data[10] = 0x80; /* Supported group 2 functions */
812 sd->data[11] = 0x43;
813 sd->data[12] = 0x80; /* Supported group 1 functions */
814 sd->data[13] = 0x03;
815
816 for (i = 0; i < 6; i ++) {
817 new_func = (arg >> (i * 4)) & 0x0f;
818 if (mode && new_func != 0x0f)
819 sd->function_group[i] = new_func;
820 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
821 }
822 memset(&sd->data[17], 0, 47);
823 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
824 }
825
826 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
827 {
828 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
829 }
830
831 static void sd_lock_command(SDState *sd)
832 {
833 int erase, lock, clr_pwd, set_pwd, pwd_len;
834 erase = !!(sd->data[0] & 0x08);
835 lock = sd->data[0] & 0x04;
836 clr_pwd = sd->data[0] & 0x02;
837 set_pwd = sd->data[0] & 0x01;
838
839 if (sd->blk_len > 1)
840 pwd_len = sd->data[1];
841 else
842 pwd_len = 0;
843
844 if (lock) {
845 trace_sdcard_lock();
846 } else {
847 trace_sdcard_unlock();
848 }
849 if (erase) {
850 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
851 set_pwd || clr_pwd || lock || sd->wp_switch ||
852 (sd->csd[14] & 0x20)) {
853 sd->card_status |= LOCK_UNLOCK_FAILED;
854 return;
855 }
856 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
857 sd->csd[14] &= ~0x10;
858 sd->card_status &= ~CARD_IS_LOCKED;
859 sd->pwd_len = 0;
860 /* Erasing the entire card here! */
861 fprintf(stderr, "SD: Card force-erased by CMD42\n");
862 return;
863 }
864
865 if (sd->blk_len < 2 + pwd_len ||
866 pwd_len <= sd->pwd_len ||
867 pwd_len > sd->pwd_len + 16) {
868 sd->card_status |= LOCK_UNLOCK_FAILED;
869 return;
870 }
871
872 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
873 sd->card_status |= LOCK_UNLOCK_FAILED;
874 return;
875 }
876
877 pwd_len -= sd->pwd_len;
878 if ((pwd_len && !set_pwd) ||
879 (clr_pwd && (set_pwd || lock)) ||
880 (lock && !sd->pwd_len && !set_pwd) ||
881 (!set_pwd && !clr_pwd &&
882 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
883 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
884 sd->card_status |= LOCK_UNLOCK_FAILED;
885 return;
886 }
887
888 if (set_pwd) {
889 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
890 sd->pwd_len = pwd_len;
891 }
892
893 if (clr_pwd) {
894 sd->pwd_len = 0;
895 }
896
897 if (lock)
898 sd->card_status |= CARD_IS_LOCKED;
899 else
900 sd->card_status &= ~CARD_IS_LOCKED;
901 }
902
903 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
904 {
905 uint32_t rca = 0x0000;
906 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
907
908 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
909 * However there is no ACMD55, so we want to trace this particular case.
910 */
911 if (req.cmd != 55 || sd->expecting_acmd) {
912 trace_sdcard_normal_command(sd->proto_name,
913 sd_cmd_name(req.cmd), req.cmd,
914 req.arg, sd_state_name(sd->state));
915 }
916
917 /* Not interpreting this as an app command */
918 sd->card_status &= ~APP_CMD;
919
920 if (sd_cmd_type[req.cmd] == sd_ac
921 || sd_cmd_type[req.cmd] == sd_adtc) {
922 rca = req.arg >> 16;
923 }
924
925 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
926 * if not, its effects are cancelled */
927 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
928 sd->multi_blk_cnt = 0;
929 }
930
931 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
932 /* Only Standard Capacity cards support class 6 commands */
933 return sd_illegal;
934 }
935
936 switch (req.cmd) {
937 /* Basic commands (Class 0 and Class 1) */
938 case 0: /* CMD0: GO_IDLE_STATE */
939 switch (sd->state) {
940 case sd_inactive_state:
941 return sd->spi ? sd_r1 : sd_r0;
942
943 default:
944 sd->state = sd_idle_state;
945 sd_reset(DEVICE(sd));
946 return sd->spi ? sd_r1 : sd_r0;
947 }
948 break;
949
950 case 1: /* CMD1: SEND_OP_CMD */
951 if (!sd->spi)
952 goto bad_cmd;
953
954 sd->state = sd_transfer_state;
955 return sd_r1;
956
957 case 2: /* CMD2: ALL_SEND_CID */
958 if (sd->spi)
959 goto bad_cmd;
960 switch (sd->state) {
961 case sd_ready_state:
962 sd->state = sd_identification_state;
963 return sd_r2_i;
964
965 default:
966 break;
967 }
968 break;
969
970 case 3: /* CMD3: SEND_RELATIVE_ADDR */
971 if (sd->spi)
972 goto bad_cmd;
973 switch (sd->state) {
974 case sd_identification_state:
975 case sd_standby_state:
976 sd->state = sd_standby_state;
977 sd_set_rca(sd);
978 return sd_r6;
979
980 default:
981 break;
982 }
983 break;
984
985 case 4: /* CMD4: SEND_DSR */
986 if (sd->spi)
987 goto bad_cmd;
988 switch (sd->state) {
989 case sd_standby_state:
990 break;
991
992 default:
993 break;
994 }
995 break;
996
997 case 5: /* CMD5: reserved for SDIO cards */
998 return sd_illegal;
999
1000 case 6: /* CMD6: SWITCH_FUNCTION */
1001 switch (sd->mode) {
1002 case sd_data_transfer_mode:
1003 sd_function_switch(sd, req.arg);
1004 sd->state = sd_sendingdata_state;
1005 sd->data_start = 0;
1006 sd->data_offset = 0;
1007 return sd_r1;
1008
1009 default:
1010 break;
1011 }
1012 break;
1013
1014 case 7: /* CMD7: SELECT/DESELECT_CARD */
1015 if (sd->spi)
1016 goto bad_cmd;
1017 switch (sd->state) {
1018 case sd_standby_state:
1019 if (sd->rca != rca)
1020 return sd_r0;
1021
1022 sd->state = sd_transfer_state;
1023 return sd_r1b;
1024
1025 case sd_transfer_state:
1026 case sd_sendingdata_state:
1027 if (sd->rca == rca)
1028 break;
1029
1030 sd->state = sd_standby_state;
1031 return sd_r1b;
1032
1033 case sd_disconnect_state:
1034 if (sd->rca != rca)
1035 return sd_r0;
1036
1037 sd->state = sd_programming_state;
1038 return sd_r1b;
1039
1040 case sd_programming_state:
1041 if (sd->rca == rca)
1042 break;
1043
1044 sd->state = sd_disconnect_state;
1045 return sd_r1b;
1046
1047 default:
1048 break;
1049 }
1050 break;
1051
1052 case 8: /* CMD8: SEND_IF_COND */
1053 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1054 break;
1055 }
1056 if (sd->state != sd_idle_state) {
1057 break;
1058 }
1059 sd->vhs = 0;
1060
1061 /* No response if not exactly one VHS bit is set. */
1062 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1063 return sd->spi ? sd_r7 : sd_r0;
1064 }
1065
1066 /* Accept. */
1067 sd->vhs = req.arg;
1068 return sd_r7;
1069
1070 case 9: /* CMD9: SEND_CSD */
1071 switch (sd->state) {
1072 case sd_standby_state:
1073 if (sd->rca != rca)
1074 return sd_r0;
1075
1076 return sd_r2_s;
1077
1078 case sd_transfer_state:
1079 if (!sd->spi)
1080 break;
1081 sd->state = sd_sendingdata_state;
1082 memcpy(sd->data, sd->csd, 16);
1083 sd->data_start = addr;
1084 sd->data_offset = 0;
1085 return sd_r1;
1086
1087 default:
1088 break;
1089 }
1090 break;
1091
1092 case 10: /* CMD10: SEND_CID */
1093 switch (sd->state) {
1094 case sd_standby_state:
1095 if (sd->rca != rca)
1096 return sd_r0;
1097
1098 return sd_r2_i;
1099
1100 case sd_transfer_state:
1101 if (!sd->spi)
1102 break;
1103 sd->state = sd_sendingdata_state;
1104 memcpy(sd->data, sd->cid, 16);
1105 sd->data_start = addr;
1106 sd->data_offset = 0;
1107 return sd_r1;
1108
1109 default:
1110 break;
1111 }
1112 break;
1113
1114 case 12: /* CMD12: STOP_TRANSMISSION */
1115 switch (sd->state) {
1116 case sd_sendingdata_state:
1117 sd->state = sd_transfer_state;
1118 return sd_r1b;
1119
1120 case sd_receivingdata_state:
1121 sd->state = sd_programming_state;
1122 /* Bzzzzzzztt .... Operation complete. */
1123 sd->state = sd_transfer_state;
1124 return sd_r1b;
1125
1126 default:
1127 break;
1128 }
1129 break;
1130
1131 case 13: /* CMD13: SEND_STATUS */
1132 switch (sd->mode) {
1133 case sd_data_transfer_mode:
1134 if (sd->rca != rca)
1135 return sd_r0;
1136
1137 return sd_r1;
1138
1139 default:
1140 break;
1141 }
1142 break;
1143
1144 case 15: /* CMD15: GO_INACTIVE_STATE */
1145 if (sd->spi)
1146 goto bad_cmd;
1147 switch (sd->mode) {
1148 case sd_data_transfer_mode:
1149 if (sd->rca != rca)
1150 return sd_r0;
1151
1152 sd->state = sd_inactive_state;
1153 return sd_r0;
1154
1155 default:
1156 break;
1157 }
1158 break;
1159
1160 /* Block read commands (Classs 2) */
1161 case 16: /* CMD16: SET_BLOCKLEN */
1162 switch (sd->state) {
1163 case sd_transfer_state:
1164 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1165 sd->card_status |= BLOCK_LEN_ERROR;
1166 } else {
1167 trace_sdcard_set_blocklen(req.arg);
1168 sd->blk_len = req.arg;
1169 }
1170
1171 return sd_r1;
1172
1173 default:
1174 break;
1175 }
1176 break;
1177
1178 case 17: /* CMD17: READ_SINGLE_BLOCK */
1179 switch (sd->state) {
1180 case sd_transfer_state:
1181
1182 if (addr + sd->blk_len > sd->size) {
1183 sd->card_status |= ADDRESS_ERROR;
1184 return sd_r1;
1185 }
1186
1187 sd->state = sd_sendingdata_state;
1188 sd->data_start = addr;
1189 sd->data_offset = 0;
1190 return sd_r1;
1191
1192 default:
1193 break;
1194 }
1195 break;
1196
1197 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1198 switch (sd->state) {
1199 case sd_transfer_state:
1200
1201 if (addr + sd->blk_len > sd->size) {
1202 sd->card_status |= ADDRESS_ERROR;
1203 return sd_r1;
1204 }
1205
1206 sd->state = sd_sendingdata_state;
1207 sd->data_start = addr;
1208 sd->data_offset = 0;
1209 return sd_r1;
1210
1211 default:
1212 break;
1213 }
1214 break;
1215
1216 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1217 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1218 break;
1219 }
1220 if (sd->state == sd_transfer_state) {
1221 sd->state = sd_sendingdata_state;
1222 sd->data_offset = 0;
1223 return sd_r1;
1224 }
1225 break;
1226
1227 case 23: /* CMD23: SET_BLOCK_COUNT */
1228 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1229 break;
1230 }
1231 switch (sd->state) {
1232 case sd_transfer_state:
1233 sd->multi_blk_cnt = req.arg;
1234 return sd_r1;
1235
1236 default:
1237 break;
1238 }
1239 break;
1240
1241 /* Block write commands (Class 4) */
1242 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1243 switch (sd->state) {
1244 case sd_transfer_state:
1245 /* Writing in SPI mode not implemented. */
1246 if (sd->spi)
1247 break;
1248
1249 if (addr + sd->blk_len > sd->size) {
1250 sd->card_status |= ADDRESS_ERROR;
1251 return sd_r1;
1252 }
1253
1254 sd->state = sd_receivingdata_state;
1255 sd->data_start = addr;
1256 sd->data_offset = 0;
1257 sd->blk_written = 0;
1258
1259 if (sd_wp_addr(sd, sd->data_start)) {
1260 sd->card_status |= WP_VIOLATION;
1261 }
1262 if (sd->csd[14] & 0x30) {
1263 sd->card_status |= WP_VIOLATION;
1264 }
1265 return sd_r1;
1266
1267 default:
1268 break;
1269 }
1270 break;
1271
1272 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1273 switch (sd->state) {
1274 case sd_transfer_state:
1275 /* Writing in SPI mode not implemented. */
1276 if (sd->spi)
1277 break;
1278
1279 if (addr + sd->blk_len > sd->size) {
1280 sd->card_status |= ADDRESS_ERROR;
1281 return sd_r1;
1282 }
1283
1284 sd->state = sd_receivingdata_state;
1285 sd->data_start = addr;
1286 sd->data_offset = 0;
1287 sd->blk_written = 0;
1288
1289 if (sd_wp_addr(sd, sd->data_start)) {
1290 sd->card_status |= WP_VIOLATION;
1291 }
1292 if (sd->csd[14] & 0x30) {
1293 sd->card_status |= WP_VIOLATION;
1294 }
1295 return sd_r1;
1296
1297 default:
1298 break;
1299 }
1300 break;
1301
1302 case 26: /* CMD26: PROGRAM_CID */
1303 if (sd->spi)
1304 goto bad_cmd;
1305 switch (sd->state) {
1306 case sd_transfer_state:
1307 sd->state = sd_receivingdata_state;
1308 sd->data_start = 0;
1309 sd->data_offset = 0;
1310 return sd_r1;
1311
1312 default:
1313 break;
1314 }
1315 break;
1316
1317 case 27: /* CMD27: PROGRAM_CSD */
1318 switch (sd->state) {
1319 case sd_transfer_state:
1320 sd->state = sd_receivingdata_state;
1321 sd->data_start = 0;
1322 sd->data_offset = 0;
1323 return sd_r1;
1324
1325 default:
1326 break;
1327 }
1328 break;
1329
1330 /* Write protection (Class 6) */
1331 case 28: /* CMD28: SET_WRITE_PROT */
1332 switch (sd->state) {
1333 case sd_transfer_state:
1334 if (addr >= sd->size) {
1335 sd->card_status |= ADDRESS_ERROR;
1336 return sd_r1b;
1337 }
1338
1339 sd->state = sd_programming_state;
1340 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1341 /* Bzzzzzzztt .... Operation complete. */
1342 sd->state = sd_transfer_state;
1343 return sd_r1b;
1344
1345 default:
1346 break;
1347 }
1348 break;
1349
1350 case 29: /* CMD29: CLR_WRITE_PROT */
1351 switch (sd->state) {
1352 case sd_transfer_state:
1353 if (addr >= sd->size) {
1354 sd->card_status |= ADDRESS_ERROR;
1355 return sd_r1b;
1356 }
1357
1358 sd->state = sd_programming_state;
1359 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1360 /* Bzzzzzzztt .... Operation complete. */
1361 sd->state = sd_transfer_state;
1362 return sd_r1b;
1363
1364 default:
1365 break;
1366 }
1367 break;
1368
1369 case 30: /* CMD30: SEND_WRITE_PROT */
1370 switch (sd->state) {
1371 case sd_transfer_state:
1372 sd->state = sd_sendingdata_state;
1373 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1374 sd->data_start = addr;
1375 sd->data_offset = 0;
1376 return sd_r1b;
1377
1378 default:
1379 break;
1380 }
1381 break;
1382
1383 /* Erase commands (Class 5) */
1384 case 32: /* CMD32: ERASE_WR_BLK_START */
1385 switch (sd->state) {
1386 case sd_transfer_state:
1387 sd->erase_start = req.arg;
1388 return sd_r1;
1389
1390 default:
1391 break;
1392 }
1393 break;
1394
1395 case 33: /* CMD33: ERASE_WR_BLK_END */
1396 switch (sd->state) {
1397 case sd_transfer_state:
1398 sd->erase_end = req.arg;
1399 return sd_r1;
1400
1401 default:
1402 break;
1403 }
1404 break;
1405
1406 case 38: /* CMD38: ERASE */
1407 switch (sd->state) {
1408 case sd_transfer_state:
1409 if (sd->csd[14] & 0x30) {
1410 sd->card_status |= WP_VIOLATION;
1411 return sd_r1b;
1412 }
1413
1414 sd->state = sd_programming_state;
1415 sd_erase(sd);
1416 /* Bzzzzzzztt .... Operation complete. */
1417 sd->state = sd_transfer_state;
1418 return sd_r1b;
1419
1420 default:
1421 break;
1422 }
1423 break;
1424
1425 /* Lock card commands (Class 7) */
1426 case 42: /* CMD42: LOCK_UNLOCK */
1427 switch (sd->state) {
1428 case sd_transfer_state:
1429 sd->state = sd_receivingdata_state;
1430 sd->data_start = 0;
1431 sd->data_offset = 0;
1432 return sd_r1;
1433
1434 default:
1435 break;
1436 }
1437 break;
1438
1439 case 52 ... 54:
1440 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1441 * (see the SDIO Simplified Specification V2.0)
1442 * Handle as illegal command but do not complain
1443 * on stderr, as some OSes may use these in their
1444 * probing for presence of an SDIO card.
1445 */
1446 return sd_illegal;
1447
1448 /* Application specific commands (Class 8) */
1449 case 55: /* CMD55: APP_CMD */
1450 switch (sd->state) {
1451 case sd_ready_state:
1452 case sd_identification_state:
1453 case sd_inactive_state:
1454 return sd_illegal;
1455 case sd_idle_state:
1456 if (rca) {
1457 qemu_log_mask(LOG_GUEST_ERROR,
1458 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1459 }
1460 default:
1461 break;
1462 }
1463 if (!sd->spi) {
1464 if (sd->rca != rca) {
1465 return sd_r0;
1466 }
1467 }
1468 sd->expecting_acmd = true;
1469 sd->card_status |= APP_CMD;
1470 return sd_r1;
1471
1472 case 56: /* CMD56: GEN_CMD */
1473 switch (sd->state) {
1474 case sd_transfer_state:
1475 sd->data_offset = 0;
1476 if (req.arg & 1)
1477 sd->state = sd_sendingdata_state;
1478 else
1479 sd->state = sd_receivingdata_state;
1480 return sd_r1;
1481
1482 default:
1483 break;
1484 }
1485 break;
1486
1487 case 58: /* CMD58: READ_OCR (SPI) */
1488 if (!sd->spi) {
1489 goto bad_cmd;
1490 }
1491 return sd_r3;
1492
1493 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1494 if (!sd->spi) {
1495 goto bad_cmd;
1496 }
1497 goto unimplemented_spi_cmd;
1498
1499 default:
1500 bad_cmd:
1501 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1502 return sd_illegal;
1503
1504 unimplemented_spi_cmd:
1505 /* Commands that are recognised but not yet implemented in SPI mode. */
1506 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1507 req.cmd);
1508 return sd_illegal;
1509 }
1510
1511 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1512 return sd_illegal;
1513 }
1514
1515 static sd_rsp_type_t sd_app_command(SDState *sd,
1516 SDRequest req)
1517 {
1518 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1519 req.cmd, req.arg, sd_state_name(sd->state));
1520 sd->card_status |= APP_CMD;
1521 switch (req.cmd) {
1522 case 6: /* ACMD6: SET_BUS_WIDTH */
1523 if (sd->spi) {
1524 goto unimplemented_spi_cmd;
1525 }
1526 switch (sd->state) {
1527 case sd_transfer_state:
1528 sd->sd_status[0] &= 0x3f;
1529 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1530 return sd_r1;
1531
1532 default:
1533 break;
1534 }
1535 break;
1536
1537 case 13: /* ACMD13: SD_STATUS */
1538 switch (sd->state) {
1539 case sd_transfer_state:
1540 sd->state = sd_sendingdata_state;
1541 sd->data_start = 0;
1542 sd->data_offset = 0;
1543 return sd_r1;
1544
1545 default:
1546 break;
1547 }
1548 break;
1549
1550 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1551 switch (sd->state) {
1552 case sd_transfer_state:
1553 *(uint32_t *) sd->data = sd->blk_written;
1554
1555 sd->state = sd_sendingdata_state;
1556 sd->data_start = 0;
1557 sd->data_offset = 0;
1558 return sd_r1;
1559
1560 default:
1561 break;
1562 }
1563 break;
1564
1565 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1566 switch (sd->state) {
1567 case sd_transfer_state:
1568 return sd_r1;
1569
1570 default:
1571 break;
1572 }
1573 break;
1574
1575 case 41: /* ACMD41: SD_APP_OP_COND */
1576 if (sd->spi) {
1577 /* SEND_OP_CMD */
1578 sd->state = sd_transfer_state;
1579 return sd_r1;
1580 }
1581 if (sd->state != sd_idle_state) {
1582 break;
1583 }
1584 /* If it's the first ACMD41 since reset, we need to decide
1585 * whether to power up. If this is not an enquiry ACMD41,
1586 * we immediately report power on and proceed below to the
1587 * ready state, but if it is, we set a timer to model a
1588 * delay for power up. This works around a bug in EDK2
1589 * UEFI, which sends an initial enquiry ACMD41, but
1590 * assumes that the card is in ready state as soon as it
1591 * sees the power up bit set. */
1592 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1593 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1594 timer_del(sd->ocr_power_timer);
1595 sd_ocr_powerup(sd);
1596 } else {
1597 trace_sdcard_inquiry_cmd41();
1598 if (!timer_pending(sd->ocr_power_timer)) {
1599 timer_mod_ns(sd->ocr_power_timer,
1600 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1601 + OCR_POWER_DELAY_NS));
1602 }
1603 }
1604 }
1605
1606 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1607 /* We accept any voltage. 10000 V is nothing.
1608 *
1609 * Once we're powered up, we advance straight to ready state
1610 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1611 */
1612 sd->state = sd_ready_state;
1613 }
1614
1615 return sd_r3;
1616
1617 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1618 switch (sd->state) {
1619 case sd_transfer_state:
1620 /* Bringing in the 50KOhm pull-up resistor... Done. */
1621 return sd_r1;
1622
1623 default:
1624 break;
1625 }
1626 break;
1627
1628 case 51: /* ACMD51: SEND_SCR */
1629 switch (sd->state) {
1630 case sd_transfer_state:
1631 sd->state = sd_sendingdata_state;
1632 sd->data_start = 0;
1633 sd->data_offset = 0;
1634 return sd_r1;
1635
1636 default:
1637 break;
1638 }
1639 break;
1640
1641 case 18: /* Reserved for SD security applications */
1642 case 25:
1643 case 26:
1644 case 38:
1645 case 43 ... 49:
1646 /* Refer to the "SD Specifications Part3 Security Specification" for
1647 * information about the SD Security Features.
1648 */
1649 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1650 req.cmd);
1651 return sd_illegal;
1652
1653 default:
1654 /* Fall back to standard commands. */
1655 return sd_normal_command(sd, req);
1656
1657 unimplemented_spi_cmd:
1658 /* Commands that are recognised but not yet implemented in SPI mode. */
1659 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1660 req.cmd);
1661 return sd_illegal;
1662 }
1663
1664 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1665 return sd_illegal;
1666 }
1667
1668 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1669 {
1670 /* Valid commands in locked state:
1671 * basic class (0)
1672 * lock card class (7)
1673 * CMD16
1674 * implicitly, the ACMD prefix CMD55
1675 * ACMD41 and ACMD42
1676 * Anything else provokes an "illegal command" response.
1677 */
1678 if (sd->expecting_acmd) {
1679 return req->cmd == 41 || req->cmd == 42;
1680 }
1681 if (req->cmd == 16 || req->cmd == 55) {
1682 return 1;
1683 }
1684 return sd_cmd_class[req->cmd] == 0
1685 || sd_cmd_class[req->cmd] == 7;
1686 }
1687
1688 int sd_do_command(SDState *sd, SDRequest *req,
1689 uint8_t *response) {
1690 int last_state;
1691 sd_rsp_type_t rtype;
1692 int rsplen;
1693
1694 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1695 return 0;
1696 }
1697
1698 if (sd_req_crc_validate(req)) {
1699 sd->card_status |= COM_CRC_ERROR;
1700 rtype = sd_illegal;
1701 goto send_response;
1702 }
1703
1704 if (req->cmd >= SDMMC_CMD_MAX) {
1705 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1706 req->cmd);
1707 req->cmd &= 0x3f;
1708 }
1709
1710 if (sd->card_status & CARD_IS_LOCKED) {
1711 if (!cmd_valid_while_locked(sd, req)) {
1712 sd->card_status |= ILLEGAL_COMMAND;
1713 sd->expecting_acmd = false;
1714 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1715 rtype = sd_illegal;
1716 goto send_response;
1717 }
1718 }
1719
1720 last_state = sd->state;
1721 sd_set_mode(sd);
1722
1723 if (sd->expecting_acmd) {
1724 sd->expecting_acmd = false;
1725 rtype = sd_app_command(sd, *req);
1726 } else {
1727 rtype = sd_normal_command(sd, *req);
1728 }
1729
1730 if (rtype == sd_illegal) {
1731 sd->card_status |= ILLEGAL_COMMAND;
1732 } else {
1733 /* Valid command, we can update the 'state before command' bits.
1734 * (Do this now so they appear in r1 responses.)
1735 */
1736 sd->current_cmd = req->cmd;
1737 sd->card_status &= ~CURRENT_STATE;
1738 sd->card_status |= (last_state << 9);
1739 }
1740
1741 send_response:
1742 switch (rtype) {
1743 case sd_r1:
1744 case sd_r1b:
1745 sd_response_r1_make(sd, response);
1746 rsplen = 4;
1747 break;
1748
1749 case sd_r2_i:
1750 memcpy(response, sd->cid, sizeof(sd->cid));
1751 rsplen = 16;
1752 break;
1753
1754 case sd_r2_s:
1755 memcpy(response, sd->csd, sizeof(sd->csd));
1756 rsplen = 16;
1757 break;
1758
1759 case sd_r3:
1760 sd_response_r3_make(sd, response);
1761 rsplen = 4;
1762 break;
1763
1764 case sd_r6:
1765 sd_response_r6_make(sd, response);
1766 rsplen = 4;
1767 break;
1768
1769 case sd_r7:
1770 sd_response_r7_make(sd, response);
1771 rsplen = 4;
1772 break;
1773
1774 case sd_r0:
1775 case sd_illegal:
1776 rsplen = 0;
1777 break;
1778 default:
1779 g_assert_not_reached();
1780 }
1781 trace_sdcard_response(sd_response_name(rtype), rsplen);
1782
1783 if (rtype != sd_illegal) {
1784 /* Clear the "clear on valid command" status bits now we've
1785 * sent any response
1786 */
1787 sd->card_status &= ~CARD_STATUS_B;
1788 }
1789
1790 #ifdef DEBUG_SD
1791 qemu_hexdump(stderr, "Response", response, rsplen);
1792 #endif
1793
1794 return rsplen;
1795 }
1796
1797 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1798 {
1799 trace_sdcard_read_block(addr, len);
1800 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1801 fprintf(stderr, "sd_blk_read: read error on host side\n");
1802 }
1803 }
1804
1805 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1806 {
1807 trace_sdcard_write_block(addr, len);
1808 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1809 fprintf(stderr, "sd_blk_write: write error on host side\n");
1810 }
1811 }
1812
1813 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1814 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1815 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1816 #define APP_WRITE_BLOCK(a, len)
1817
1818 void sd_write_byte(SDState *sd, uint8_t value)
1819 {
1820 int i;
1821
1822 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1823 return;
1824
1825 if (sd->state != sd_receivingdata_state) {
1826 qemu_log_mask(LOG_GUEST_ERROR,
1827 "%s: not in Receiving-Data state\n", __func__);
1828 return;
1829 }
1830
1831 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1832 return;
1833
1834 trace_sdcard_write_data(sd->proto_name,
1835 sd_acmd_name(sd->current_cmd),
1836 sd->current_cmd, value);
1837 switch (sd->current_cmd) {
1838 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1839 sd->data[sd->data_offset ++] = value;
1840 if (sd->data_offset >= sd->blk_len) {
1841 /* TODO: Check CRC before committing */
1842 sd->state = sd_programming_state;
1843 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1844 sd->blk_written ++;
1845 sd->csd[14] |= 0x40;
1846 /* Bzzzzzzztt .... Operation complete. */
1847 sd->state = sd_transfer_state;
1848 }
1849 break;
1850
1851 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1852 if (sd->data_offset == 0) {
1853 /* Start of the block - let's check the address is valid */
1854 if (sd->data_start + sd->blk_len > sd->size) {
1855 sd->card_status |= ADDRESS_ERROR;
1856 break;
1857 }
1858 if (sd_wp_addr(sd, sd->data_start)) {
1859 sd->card_status |= WP_VIOLATION;
1860 break;
1861 }
1862 }
1863 sd->data[sd->data_offset++] = value;
1864 if (sd->data_offset >= sd->blk_len) {
1865 /* TODO: Check CRC before committing */
1866 sd->state = sd_programming_state;
1867 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1868 sd->blk_written++;
1869 sd->data_start += sd->blk_len;
1870 sd->data_offset = 0;
1871 sd->csd[14] |= 0x40;
1872
1873 /* Bzzzzzzztt .... Operation complete. */
1874 if (sd->multi_blk_cnt != 0) {
1875 if (--sd->multi_blk_cnt == 0) {
1876 /* Stop! */
1877 sd->state = sd_transfer_state;
1878 break;
1879 }
1880 }
1881
1882 sd->state = sd_receivingdata_state;
1883 }
1884 break;
1885
1886 case 26: /* CMD26: PROGRAM_CID */
1887 sd->data[sd->data_offset ++] = value;
1888 if (sd->data_offset >= sizeof(sd->cid)) {
1889 /* TODO: Check CRC before committing */
1890 sd->state = sd_programming_state;
1891 for (i = 0; i < sizeof(sd->cid); i ++)
1892 if ((sd->cid[i] | 0x00) != sd->data[i])
1893 sd->card_status |= CID_CSD_OVERWRITE;
1894
1895 if (!(sd->card_status & CID_CSD_OVERWRITE))
1896 for (i = 0; i < sizeof(sd->cid); i ++) {
1897 sd->cid[i] |= 0x00;
1898 sd->cid[i] &= sd->data[i];
1899 }
1900 /* Bzzzzzzztt .... Operation complete. */
1901 sd->state = sd_transfer_state;
1902 }
1903 break;
1904
1905 case 27: /* CMD27: PROGRAM_CSD */
1906 sd->data[sd->data_offset ++] = value;
1907 if (sd->data_offset >= sizeof(sd->csd)) {
1908 /* TODO: Check CRC before committing */
1909 sd->state = sd_programming_state;
1910 for (i = 0; i < sizeof(sd->csd); i ++)
1911 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1912 (sd->data[i] | sd_csd_rw_mask[i]))
1913 sd->card_status |= CID_CSD_OVERWRITE;
1914
1915 /* Copy flag (OTP) & Permanent write protect */
1916 if (sd->csd[14] & ~sd->data[14] & 0x60)
1917 sd->card_status |= CID_CSD_OVERWRITE;
1918
1919 if (!(sd->card_status & CID_CSD_OVERWRITE))
1920 for (i = 0; i < sizeof(sd->csd); i ++) {
1921 sd->csd[i] |= sd_csd_rw_mask[i];
1922 sd->csd[i] &= sd->data[i];
1923 }
1924 /* Bzzzzzzztt .... Operation complete. */
1925 sd->state = sd_transfer_state;
1926 }
1927 break;
1928
1929 case 42: /* CMD42: LOCK_UNLOCK */
1930 sd->data[sd->data_offset ++] = value;
1931 if (sd->data_offset >= sd->blk_len) {
1932 /* TODO: Check CRC before committing */
1933 sd->state = sd_programming_state;
1934 sd_lock_command(sd);
1935 /* Bzzzzzzztt .... Operation complete. */
1936 sd->state = sd_transfer_state;
1937 }
1938 break;
1939
1940 case 56: /* CMD56: GEN_CMD */
1941 sd->data[sd->data_offset ++] = value;
1942 if (sd->data_offset >= sd->blk_len) {
1943 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1944 sd->state = sd_transfer_state;
1945 }
1946 break;
1947
1948 default:
1949 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1950 break;
1951 }
1952 }
1953
1954 #define SD_TUNING_BLOCK_SIZE 64
1955
1956 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1957 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1958 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1959 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1960 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1961 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1962 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1963 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1964 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1965 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1966 };
1967
1968 uint8_t sd_read_byte(SDState *sd)
1969 {
1970 /* TODO: Append CRCs */
1971 uint8_t ret;
1972 int io_len;
1973
1974 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1975 return 0x00;
1976
1977 if (sd->state != sd_sendingdata_state) {
1978 qemu_log_mask(LOG_GUEST_ERROR,
1979 "%s: not in Sending-Data state\n", __func__);
1980 return 0x00;
1981 }
1982
1983 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1984 return 0x00;
1985
1986 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1987
1988 trace_sdcard_read_data(sd->proto_name,
1989 sd_acmd_name(sd->current_cmd),
1990 sd->current_cmd, io_len);
1991 switch (sd->current_cmd) {
1992 case 6: /* CMD6: SWITCH_FUNCTION */
1993 ret = sd->data[sd->data_offset ++];
1994
1995 if (sd->data_offset >= 64)
1996 sd->state = sd_transfer_state;
1997 break;
1998
1999 case 9: /* CMD9: SEND_CSD */
2000 case 10: /* CMD10: SEND_CID */
2001 ret = sd->data[sd->data_offset ++];
2002
2003 if (sd->data_offset >= 16)
2004 sd->state = sd_transfer_state;
2005 break;
2006
2007 case 13: /* ACMD13: SD_STATUS */
2008 ret = sd->sd_status[sd->data_offset ++];
2009
2010 if (sd->data_offset >= sizeof(sd->sd_status))
2011 sd->state = sd_transfer_state;
2012 break;
2013
2014 case 17: /* CMD17: READ_SINGLE_BLOCK */
2015 if (sd->data_offset == 0)
2016 BLK_READ_BLOCK(sd->data_start, io_len);
2017 ret = sd->data[sd->data_offset ++];
2018
2019 if (sd->data_offset >= io_len)
2020 sd->state = sd_transfer_state;
2021 break;
2022
2023 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2024 if (sd->data_offset == 0) {
2025 if (sd->data_start + io_len > sd->size) {
2026 sd->card_status |= ADDRESS_ERROR;
2027 return 0x00;
2028 }
2029 BLK_READ_BLOCK(sd->data_start, io_len);
2030 }
2031 ret = sd->data[sd->data_offset ++];
2032
2033 if (sd->data_offset >= io_len) {
2034 sd->data_start += io_len;
2035 sd->data_offset = 0;
2036
2037 if (sd->multi_blk_cnt != 0) {
2038 if (--sd->multi_blk_cnt == 0) {
2039 /* Stop! */
2040 sd->state = sd_transfer_state;
2041 break;
2042 }
2043 }
2044 }
2045 break;
2046
2047 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2048 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2049 sd->state = sd_transfer_state;
2050 }
2051 ret = sd_tuning_block_pattern[sd->data_offset++];
2052 break;
2053
2054 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2055 ret = sd->data[sd->data_offset ++];
2056
2057 if (sd->data_offset >= 4)
2058 sd->state = sd_transfer_state;
2059 break;
2060
2061 case 30: /* CMD30: SEND_WRITE_PROT */
2062 ret = sd->data[sd->data_offset ++];
2063
2064 if (sd->data_offset >= 4)
2065 sd->state = sd_transfer_state;
2066 break;
2067
2068 case 51: /* ACMD51: SEND_SCR */
2069 ret = sd->scr[sd->data_offset ++];
2070
2071 if (sd->data_offset >= sizeof(sd->scr))
2072 sd->state = sd_transfer_state;
2073 break;
2074
2075 case 56: /* CMD56: GEN_CMD */
2076 if (sd->data_offset == 0)
2077 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2078 ret = sd->data[sd->data_offset ++];
2079
2080 if (sd->data_offset >= sd->blk_len)
2081 sd->state = sd_transfer_state;
2082 break;
2083
2084 default:
2085 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2086 return 0x00;
2087 }
2088
2089 return ret;
2090 }
2091
2092 static bool sd_data_ready(SDState *sd)
2093 {
2094 return sd->state == sd_sendingdata_state;
2095 }
2096
2097 void sd_enable(SDState *sd, bool enable)
2098 {
2099 sd->enable = enable;
2100 }
2101
2102 static void sd_instance_init(Object *obj)
2103 {
2104 SDState *sd = SD_CARD(obj);
2105
2106 sd->enable = true;
2107 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2108 }
2109
2110 static void sd_instance_finalize(Object *obj)
2111 {
2112 SDState *sd = SD_CARD(obj);
2113
2114 timer_del(sd->ocr_power_timer);
2115 timer_free(sd->ocr_power_timer);
2116 }
2117
2118 static void sd_realize(DeviceState *dev, Error **errp)
2119 {
2120 SDState *sd = SD_CARD(dev);
2121 int ret;
2122
2123 sd->proto_name = sd->spi ? "SPI" : "SD";
2124
2125 switch (sd->spec_version) {
2126 case SD_PHY_SPECv1_10_VERS
2127 ... SD_PHY_SPECv3_01_VERS:
2128 break;
2129 default:
2130 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2131 return;
2132 }
2133
2134 if (sd->blk) {
2135 int64_t blk_size;
2136
2137 if (blk_is_read_only(sd->blk)) {
2138 error_setg(errp, "Cannot use read-only drive as SD card");
2139 return;
2140 }
2141
2142 blk_size = blk_getlength(sd->blk);
2143 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2144 int64_t blk_size_aligned = pow2ceil(blk_size);
2145 char *blk_size_str;
2146
2147 blk_size_str = size_to_str(blk_size);
2148 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2149 g_free(blk_size_str);
2150
2151 blk_size_str = size_to_str(blk_size_aligned);
2152 error_append_hint(errp,
2153 "SD card size has to be a power of 2, e.g. %s.\n"
2154 "You can resize disk images with"
2155 " 'qemu-img resize <imagefile> <new-size>'\n"
2156 "(note that this will lose data if you make the"
2157 " image smaller than it currently is).\n",
2158 blk_size_str);
2159 g_free(blk_size_str);
2160
2161 return;
2162 }
2163
2164 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2165 BLK_PERM_ALL, errp);
2166 if (ret < 0) {
2167 return;
2168 }
2169 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2170 }
2171 }
2172
2173 static Property sd_properties[] = {
2174 DEFINE_PROP_UINT8("spec_version", SDState,
2175 spec_version, SD_PHY_SPECv2_00_VERS),
2176 DEFINE_PROP_DRIVE("drive", SDState, blk),
2177 /* We do not model the chip select pin, so allow the board to select
2178 * whether card should be in SSI or MMC/SD mode. It is also up to the
2179 * board to ensure that ssi transfers only occur when the chip select
2180 * is asserted. */
2181 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2182 DEFINE_PROP_END_OF_LIST()
2183 };
2184
2185 static void sd_class_init(ObjectClass *klass, void *data)
2186 {
2187 DeviceClass *dc = DEVICE_CLASS(klass);
2188 SDCardClass *sc = SD_CARD_CLASS(klass);
2189
2190 dc->realize = sd_realize;
2191 device_class_set_props(dc, sd_properties);
2192 dc->vmsd = &sd_vmstate;
2193 dc->reset = sd_reset;
2194 dc->bus_type = TYPE_SD_BUS;
2195 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2196
2197 sc->set_voltage = sd_set_voltage;
2198 sc->get_dat_lines = sd_get_dat_lines;
2199 sc->get_cmd_line = sd_get_cmd_line;
2200 sc->do_command = sd_do_command;
2201 sc->write_byte = sd_write_byte;
2202 sc->read_byte = sd_read_byte;
2203 sc->data_ready = sd_data_ready;
2204 sc->enable = sd_enable;
2205 sc->get_inserted = sd_get_inserted;
2206 sc->get_readonly = sd_get_readonly;
2207 }
2208
2209 static const TypeInfo sd_info = {
2210 .name = TYPE_SD_CARD,
2211 .parent = TYPE_DEVICE,
2212 .instance_size = sizeof(SDState),
2213 .class_size = sizeof(SDCardClass),
2214 .class_init = sd_class_init,
2215 .instance_init = sd_instance_init,
2216 .instance_finalize = sd_instance_finalize,
2217 };
2218
2219 static void sd_register_types(void)
2220 {
2221 type_register_static(&sd_info);
2222 }
2223
2224 type_init(sd_register_types)
AR7 emulation for QEMU