search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd/sdcard: Do not allow invalid SD card sizes
[qemu/ar7.git] / hw / sd / sd.c
blob76d68359a4c4aa63da05a1e2d28dbf25beb56731
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "migration/vmstate.h"
41 #include "qapi/error.h"
42 #include "qemu/bitmap.h"
43 #include "hw/qdev-properties.h"
44 #include "qemu/error-report.h"
45 #include "qemu/timer.h"
46 #include "qemu/log.h"
47 #include "qemu/module.h"
48 #include "sdmmc-internal.h"
49 #include "trace.h"
50
51 //#define DEBUG_SD 1
52
53 typedef enum {
54 sd_r0 = 0, /* no response */
55 sd_r1, /* normal response command */
56 sd_r2_i, /* CID register */
57 sd_r2_s, /* CSD register */
58 sd_r3, /* OCR register */
59 sd_r6 = 6, /* Published RCA response */
60 sd_r7, /* Operating voltage */
61 sd_r1b = -1,
62 sd_illegal = -2,
63 } sd_rsp_type_t;
64
65 enum SDCardModes {
66 sd_inactive,
67 sd_card_identification_mode,
68 sd_data_transfer_mode,
69 };
70
71 enum SDCardStates {
72 sd_inactive_state = -1,
73 sd_idle_state = 0,
74 sd_ready_state,
75 sd_identification_state,
76 sd_standby_state,
77 sd_transfer_state,
78 sd_sendingdata_state,
79 sd_receivingdata_state,
80 sd_programming_state,
81 sd_disconnect_state,
82 };
83
84 struct SDState {
85 DeviceState parent_obj;
86
87 /* If true, created by sd_init() for a non-qdevified caller */
88 /* TODO purge them with fire */
89 bool me_no_qdev_me_kill_mammoth_with_rocks;
90
91 /* SD Memory Card Registers */
92 uint32_t ocr;
93 uint8_t scr[8];
94 uint8_t cid[16];
95 uint8_t csd[16];
96 uint16_t rca;
97 uint32_t card_status;
98 uint8_t sd_status[64];
99
100 /* Configurable properties */
101 uint8_t spec_version;
102 BlockBackend *blk;
103 bool spi;
104
105 uint32_t mode; /* current card mode, one of SDCardModes */
106 int32_t state; /* current card state, one of SDCardStates */
107 uint32_t vhs;
108 bool wp_switch;
109 unsigned long *wp_groups;
110 int32_t wpgrps_size;
111 uint64_t size;
112 uint32_t blk_len;
113 uint32_t multi_blk_cnt;
114 uint32_t erase_start;
115 uint32_t erase_end;
116 uint8_t pwd[16];
117 uint32_t pwd_len;
118 uint8_t function_group[6];
119 uint8_t current_cmd;
120 /* True if we will handle the next command as an ACMD. Note that this does
121 * *not* track the APP_CMD status bit!
122 */
123 bool expecting_acmd;
124 uint32_t blk_written;
125 uint64_t data_start;
126 uint32_t data_offset;
127 uint8_t data[512];
128 qemu_irq readonly_cb;
129 qemu_irq inserted_cb;
130 QEMUTimer *ocr_power_timer;
131 const char *proto_name;
132 bool enable;
133 uint8_t dat_lines;
134 bool cmd_line;
135 };
136
137 static void sd_realize(DeviceState *dev, Error **errp);
138
139 static const char *sd_state_name(enum SDCardStates state)
140 {
141 static const char *state_name[] = {
142 [sd_idle_state] = "idle",
143 [sd_ready_state] = "ready",
144 [sd_identification_state] = "identification",
145 [sd_standby_state] = "standby",
146 [sd_transfer_state] = "transfer",
147 [sd_sendingdata_state] = "sendingdata",
148 [sd_receivingdata_state] = "receivingdata",
149 [sd_programming_state] = "programming",
150 [sd_disconnect_state] = "disconnect",
151 };
152 if (state == sd_inactive_state) {
153 return "inactive";
154 }
155 assert(state < ARRAY_SIZE(state_name));
156 return state_name[state];
157 }
158
159 static const char *sd_response_name(sd_rsp_type_t rsp)
160 {
161 static const char *response_name[] = {
162 [sd_r0] = "RESP#0 (no response)",
163 [sd_r1] = "RESP#1 (normal cmd)",
164 [sd_r2_i] = "RESP#2 (CID reg)",
165 [sd_r2_s] = "RESP#2 (CSD reg)",
166 [sd_r3] = "RESP#3 (OCR reg)",
167 [sd_r6] = "RESP#6 (RCA)",
168 [sd_r7] = "RESP#7 (operating voltage)",
169 };
170 if (rsp == sd_illegal) {
171 return "ILLEGAL RESP";
172 }
173 if (rsp == sd_r1b) {
174 rsp = sd_r1;
175 }
176 assert(rsp < ARRAY_SIZE(response_name));
177 return response_name[rsp];
178 }
179
180 static uint8_t sd_get_dat_lines(SDState *sd)
181 {
182 return sd->enable ? sd->dat_lines : 0;
183 }
184
185 static bool sd_get_cmd_line(SDState *sd)
186 {
187 return sd->enable ? sd->cmd_line : false;
188 }
189
190 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
191 {
192 trace_sdcard_set_voltage(millivolts);
193
194 switch (millivolts) {
195 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
196 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
197 break;
198 default:
199 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
200 millivolts / 1000.f);
201 }
202 }
203
204 static void sd_set_mode(SDState *sd)
205 {
206 switch (sd->state) {
207 case sd_inactive_state:
208 sd->mode = sd_inactive;
209 break;
210
211 case sd_idle_state:
212 case sd_ready_state:
213 case sd_identification_state:
214 sd->mode = sd_card_identification_mode;
215 break;
216
217 case sd_standby_state:
218 case sd_transfer_state:
219 case sd_sendingdata_state:
220 case sd_receivingdata_state:
221 case sd_programming_state:
222 case sd_disconnect_state:
223 sd->mode = sd_data_transfer_mode;
224 break;
225 }
226 }
227
228 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
229 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
230 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
231 /* 16 */
232 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
233 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
234 /* 32 */
235 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
236 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
237 /* 48 */
238 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
239 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
240 };
241
242 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
243 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
244 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
245 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
246 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
247 };
248
249 static uint8_t sd_crc7(void *message, size_t width)
250 {
251 int i, bit;
252 uint8_t shift_reg = 0x00;
253 uint8_t *msg = (uint8_t *) message;
254
255 for (i = 0; i < width; i ++, msg ++)
256 for (bit = 7; bit >= 0; bit --) {
257 shift_reg <<= 1;
258 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
259 shift_reg ^= 0x89;
260 }
261
262 return shift_reg;
263 }
264
265 static uint16_t sd_crc16(void *message, size_t width)
266 {
267 int i, bit;
268 uint16_t shift_reg = 0x0000;
269 uint16_t *msg = (uint16_t *) message;
270 width <<= 1;
271
272 for (i = 0; i < width; i ++, msg ++)
273 for (bit = 15; bit >= 0; bit --) {
274 shift_reg <<= 1;
275 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
276 shift_reg ^= 0x1011;
277 }
278
279 return shift_reg;
280 }
281
282 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
283
284 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
285 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
286 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
287 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
288 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
289 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
290 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
291 FIELD(OCR, CARD_POWER_UP, 31, 1)
292
293 #define ACMD41_ENQUIRY_MASK 0x00ffffff
294 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
295 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
296 | R_OCR_UHS_II_CARD_MASK \
297 | R_OCR_CARD_CAPACITY_MASK \
298 | R_OCR_CARD_POWER_UP_MASK)
299
300 static void sd_set_ocr(SDState *sd)
301 {
302 /* All voltages OK */
303 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
304 }
305
306 static void sd_ocr_powerup(void *opaque)
307 {
308 SDState *sd = opaque;
309
310 trace_sdcard_powerup();
311 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
312
313 /* card power-up OK */
314 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
315
316 if (sd->size > 1 * GiB) {
317 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
318 }
319 }
320
321 static void sd_set_scr(SDState *sd)
322 {
323 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
324 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
325 sd->scr[0] |= 1; /* Spec Version 1.10 */
326 } else {
327 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
328 }
329 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
330 | 0b0101; /* 1-bit or 4-bit width bus modes */
331 sd->scr[2] = 0x00; /* Extended Security is not supported. */
332 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
333 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
334 }
335 sd->scr[3] = 0x00;
336 /* reserved for manufacturer usage */
337 sd->scr[4] = 0x00;
338 sd->scr[5] = 0x00;
339 sd->scr[6] = 0x00;
340 sd->scr[7] = 0x00;
341 }
342
343 #define MID 0xaa
344 #define OID "XY"
345 #define PNM "QEMU!"
346 #define PRV 0x01
347 #define MDT_YR 2006
348 #define MDT_MON 2
349
350 static void sd_set_cid(SDState *sd)
351 {
352 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
353 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
354 sd->cid[2] = OID[1];
355 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
356 sd->cid[4] = PNM[1];
357 sd->cid[5] = PNM[2];
358 sd->cid[6] = PNM[3];
359 sd->cid[7] = PNM[4];
360 sd->cid[8] = PRV; /* Fake product revision (PRV) */
361 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
362 sd->cid[10] = 0xad;
363 sd->cid[11] = 0xbe;
364 sd->cid[12] = 0xef;
365 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
366 ((MDT_YR - 2000) / 10);
367 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
368 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
369 }
370
371 #define HWBLOCK_SHIFT 9 /* 512 bytes */
372 #define SECTOR_SHIFT 5 /* 16 kilobytes */
373 #define WPGROUP_SHIFT 7 /* 2 megs */
374 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
375 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
376
377 static const uint8_t sd_csd_rw_mask[16] = {
378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
379 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
380 };
381
382 static void sd_set_csd(SDState *sd, uint64_t size)
383 {
384 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
385 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
386 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
387
388 if (size <= 1 * GiB) { /* Standard Capacity SD */
389 sd->csd[0] = 0x00; /* CSD structure */
390 sd->csd[1] = 0x26; /* Data read access-time-1 */
391 sd->csd[2] = 0x00; /* Data read access-time-2 */
392 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
393 sd->csd[4] = 0x5f; /* Card Command Classes */
394 sd->csd[5] = 0x50 | /* Max. read data block length */
395 HWBLOCK_SHIFT;
396 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
397 ((csize >> 10) & 0x03);
398 sd->csd[7] = 0x00 | /* Device size */
399 ((csize >> 2) & 0xff);
400 sd->csd[8] = 0x3f | /* Max. read current */
401 ((csize << 6) & 0xc0);
402 sd->csd[9] = 0xfc | /* Max. write current */
403 ((CMULT_SHIFT - 2) >> 1);
404 sd->csd[10] = 0x40 | /* Erase sector size */
405 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
406 sd->csd[11] = 0x00 | /* Write protect group size */
407 ((sectsize << 7) & 0x80) | wpsize;
408 sd->csd[12] = 0x90 | /* Write speed factor */
409 (HWBLOCK_SHIFT >> 2);
410 sd->csd[13] = 0x20 | /* Max. write data block length */
411 ((HWBLOCK_SHIFT << 6) & 0xc0);
412 sd->csd[14] = 0x00; /* File format group */
413 } else { /* SDHC */
414 size /= 512 * KiB;
415 size -= 1;
416 sd->csd[0] = 0x40;
417 sd->csd[1] = 0x0e;
418 sd->csd[2] = 0x00;
419 sd->csd[3] = 0x32;
420 sd->csd[4] = 0x5b;
421 sd->csd[5] = 0x59;
422 sd->csd[6] = 0x00;
423 sd->csd[7] = (size >> 16) & 0xff;
424 sd->csd[8] = (size >> 8) & 0xff;
425 sd->csd[9] = (size & 0xff);
426 sd->csd[10] = 0x7f;
427 sd->csd[11] = 0x80;
428 sd->csd[12] = 0x0a;
429 sd->csd[13] = 0x40;
430 sd->csd[14] = 0x00;
431 }
432 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
433 }
434
435 static void sd_set_rca(SDState *sd)
436 {
437 sd->rca += 0x4567;
438 }
439
440 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
441 FIELD(CSR, APP_CMD, 5, 1)
442 FIELD(CSR, FX_EVENT, 6, 1)
443 FIELD(CSR, READY_FOR_DATA, 8, 1)
444 FIELD(CSR, CURRENT_STATE, 9, 4)
445 FIELD(CSR, ERASE_RESET, 13, 1)
446 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
447 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
448 FIELD(CSR, CSD_OVERWRITE, 16, 1)
449 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
450 FIELD(CSR, ERROR, 19, 1)
451 FIELD(CSR, CC_ERROR, 20, 1)
452 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
453 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
454 FIELD(CSR, COM_CRC_ERROR, 23, 1)
455 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
456 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
457 FIELD(CSR, WP_VIOLATION, 26, 1)
458 FIELD(CSR, ERASE_PARAM, 27, 1)
459 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
460 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
461 FIELD(CSR, ADDRESS_ERROR, 30, 1)
462 FIELD(CSR, OUT_OF_RANGE, 31, 1)
463
464 /* Card status bits, split by clear condition:
465 * A : According to the card current state
466 * B : Always related to the previous command
467 * C : Cleared by read
468 */
469 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
470 | R_CSR_CARD_ECC_DISABLED_MASK \
471 | R_CSR_CARD_IS_LOCKED_MASK)
472 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
473 | R_CSR_ILLEGAL_COMMAND_MASK \
474 | R_CSR_COM_CRC_ERROR_MASK)
475 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
476 | R_CSR_APP_CMD_MASK \
477 | R_CSR_ERASE_RESET_MASK \
478 | R_CSR_WP_ERASE_SKIP_MASK \
479 | R_CSR_CSD_OVERWRITE_MASK \
480 | R_CSR_ERROR_MASK \
481 | R_CSR_CC_ERROR_MASK \
482 | R_CSR_CARD_ECC_FAILED_MASK \
483 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
484 | R_CSR_WP_VIOLATION_MASK \
485 | R_CSR_ERASE_PARAM_MASK \
486 | R_CSR_ERASE_SEQ_ERROR_MASK \
487 | R_CSR_BLOCK_LEN_ERROR_MASK \
488 | R_CSR_ADDRESS_ERROR_MASK \
489 | R_CSR_OUT_OF_RANGE_MASK)
490
491 static void sd_set_cardstatus(SDState *sd)
492 {
493 sd->card_status = 0x00000100;
494 }
495
496 static void sd_set_sdstatus(SDState *sd)
497 {
498 memset(sd->sd_status, 0, 64);
499 }
500
501 static int sd_req_crc_validate(SDRequest *req)
502 {
503 uint8_t buffer[5];
504 buffer[0] = 0x40 | req->cmd;
505 stl_be_p(&buffer[1], req->arg);
506 return 0;
507 return sd_crc7(buffer, 5) != req->crc; /* TODO */
508 }
509
510 static void sd_response_r1_make(SDState *sd, uint8_t *response)
511 {
512 stl_be_p(response, sd->card_status);
513
514 /* Clear the "clear on read" status bits */
515 sd->card_status &= ~CARD_STATUS_C;
516 }
517
518 static void sd_response_r3_make(SDState *sd, uint8_t *response)
519 {
520 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
521 }
522
523 static void sd_response_r6_make(SDState *sd, uint8_t *response)
524 {
525 uint16_t status;
526
527 status = ((sd->card_status >> 8) & 0xc000) |
528 ((sd->card_status >> 6) & 0x2000) |
529 (sd->card_status & 0x1fff);
530 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
531 stw_be_p(response + 0, sd->rca);
532 stw_be_p(response + 2, status);
533 }
534
535 static void sd_response_r7_make(SDState *sd, uint8_t *response)
536 {
537 stl_be_p(response, sd->vhs);
538 }
539
540 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
541 {
542 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
543 }
544
545 static void sd_reset(DeviceState *dev)
546 {
547 SDState *sd = SD_CARD(dev);
548 uint64_t size;
549 uint64_t sect;
550
551 trace_sdcard_reset();
552 if (sd->blk) {
553 blk_get_geometry(sd->blk, &sect);
554 } else {
555 sect = 0;
556 }
557 size = sect << 9;
558
559 sect = sd_addr_to_wpnum(size) + 1;
560
561 sd->state = sd_idle_state;
562 sd->rca = 0x0000;
563 sd_set_ocr(sd);
564 sd_set_scr(sd);
565 sd_set_cid(sd);
566 sd_set_csd(sd, size);
567 sd_set_cardstatus(sd);
568 sd_set_sdstatus(sd);
569
570 g_free(sd->wp_groups);
571 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
572 sd->wpgrps_size = sect;
573 sd->wp_groups = bitmap_new(sd->wpgrps_size);
574 memset(sd->function_group, 0, sizeof(sd->function_group));
575 sd->erase_start = 0;
576 sd->erase_end = 0;
577 sd->size = size;
578 sd->blk_len = 0x200;
579 sd->pwd_len = 0;
580 sd->expecting_acmd = false;
581 sd->dat_lines = 0xf;
582 sd->cmd_line = true;
583 sd->multi_blk_cnt = 0;
584 }
585
586 static bool sd_get_inserted(SDState *sd)
587 {
588 return sd->blk && blk_is_inserted(sd->blk);
589 }
590
591 static bool sd_get_readonly(SDState *sd)
592 {
593 return sd->wp_switch;
594 }
595
596 static void sd_cardchange(void *opaque, bool load, Error **errp)
597 {
598 SDState *sd = opaque;
599 DeviceState *dev = DEVICE(sd);
600 SDBus *sdbus;
601 bool inserted = sd_get_inserted(sd);
602 bool readonly = sd_get_readonly(sd);
603
604 if (inserted) {
605 trace_sdcard_inserted(readonly);
606 sd_reset(dev);
607 } else {
608 trace_sdcard_ejected();
609 }
610
611 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
612 qemu_set_irq(sd->inserted_cb, inserted);
613 if (inserted) {
614 qemu_set_irq(sd->readonly_cb, readonly);
615 }
616 } else {
617 sdbus = SD_BUS(qdev_get_parent_bus(dev));
618 sdbus_set_inserted(sdbus, inserted);
619 if (inserted) {
620 sdbus_set_readonly(sdbus, readonly);
621 }
622 }
623 }
624
625 static const BlockDevOps sd_block_ops = {
626 .change_media_cb = sd_cardchange,
627 };
628
629 static bool sd_ocr_vmstate_needed(void *opaque)
630 {
631 SDState *sd = opaque;
632
633 /* Include the OCR state (and timer) if it is not yet powered up */
634 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
635 }
636
637 static const VMStateDescription sd_ocr_vmstate = {
638 .name = "sd-card/ocr-state",
639 .version_id = 1,
640 .minimum_version_id = 1,
641 .needed = sd_ocr_vmstate_needed,
642 .fields = (VMStateField[]) {
643 VMSTATE_UINT32(ocr, SDState),
644 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
645 VMSTATE_END_OF_LIST()
646 },
647 };
648
649 static int sd_vmstate_pre_load(void *opaque)
650 {
651 SDState *sd = opaque;
652
653 /* If the OCR state is not included (prior versions, or not
654 * needed), then the OCR must be set as powered up. If the OCR state
655 * is included, this will be replaced by the state restore.
656 */
657 sd_ocr_powerup(sd);
658
659 return 0;
660 }
661
662 static const VMStateDescription sd_vmstate = {
663 .name = "sd-card",
664 .version_id = 1,
665 .minimum_version_id = 1,
666 .pre_load = sd_vmstate_pre_load,
667 .fields = (VMStateField[]) {
668 VMSTATE_UINT32(mode, SDState),
669 VMSTATE_INT32(state, SDState),
670 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
671 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
672 VMSTATE_UINT16(rca, SDState),
673 VMSTATE_UINT32(card_status, SDState),
674 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
675 VMSTATE_UINT32(vhs, SDState),
676 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
677 VMSTATE_UINT32(blk_len, SDState),
678 VMSTATE_UINT32(multi_blk_cnt, SDState),
679 VMSTATE_UINT32(erase_start, SDState),
680 VMSTATE_UINT32(erase_end, SDState),
681 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
682 VMSTATE_UINT32(pwd_len, SDState),
683 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
684 VMSTATE_UINT8(current_cmd, SDState),
685 VMSTATE_BOOL(expecting_acmd, SDState),
686 VMSTATE_UINT32(blk_written, SDState),
687 VMSTATE_UINT64(data_start, SDState),
688 VMSTATE_UINT32(data_offset, SDState),
689 VMSTATE_UINT8_ARRAY(data, SDState, 512),
690 VMSTATE_UNUSED_V(1, 512),
691 VMSTATE_BOOL(enable, SDState),
692 VMSTATE_END_OF_LIST()
693 },
694 .subsections = (const VMStateDescription*[]) {
695 &sd_ocr_vmstate,
696 NULL
697 },
698 };
699
700 /* Legacy initialization function for use by non-qdevified callers */
701 SDState *sd_init(BlockBackend *blk, bool is_spi)
702 {
703 Object *obj;
704 DeviceState *dev;
705 SDState *sd;
706 Error *err = NULL;
707
708 obj = object_new(TYPE_SD_CARD);
709 dev = DEVICE(obj);
710 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
711 error_reportf_err(err, "sd_init failed: ");
712 return NULL;
713 }
714 qdev_prop_set_bit(dev, "spi", is_spi);
715
716 /*
717 * Realizing the device properly would put it into the QOM
718 * composition tree even though it is not plugged into an
719 * appropriate bus. That's a no-no. Hide the device from
720 * QOM/qdev, and call its qdev realize callback directly.
721 */
722 object_ref(obj);
723 object_unparent(obj);
724 sd_realize(dev, &err);
725 if (err) {
726 error_reportf_err(err, "sd_init failed: ");
727 return NULL;
728 }
729
730 sd = SD_CARD(dev);
731 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
732 return sd;
733 }
734
735 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
736 {
737 sd->readonly_cb = readonly;
738 sd->inserted_cb = insert;
739 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
740 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
741 }
742
743 static void sd_erase(SDState *sd)
744 {
745 int i;
746 uint64_t erase_start = sd->erase_start;
747 uint64_t erase_end = sd->erase_end;
748
749 trace_sdcard_erase();
750 if (!sd->erase_start || !sd->erase_end) {
751 sd->card_status |= ERASE_SEQ_ERROR;
752 return;
753 }
754
755 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
756 /* High capacity memory card: erase units are 512 byte blocks */
757 erase_start *= 512;
758 erase_end *= 512;
759 }
760
761 erase_start = sd_addr_to_wpnum(erase_start);
762 erase_end = sd_addr_to_wpnum(erase_end);
763 sd->erase_start = 0;
764 sd->erase_end = 0;
765 sd->csd[14] |= 0x40;
766
767 for (i = erase_start; i <= erase_end; i++) {
768 if (test_bit(i, sd->wp_groups)) {
769 sd->card_status |= WP_ERASE_SKIP;
770 }
771 }
772 }
773
774 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
775 {
776 uint32_t i, wpnum;
777 uint32_t ret = 0;
778
779 wpnum = sd_addr_to_wpnum(addr);
780
781 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
782 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
783 ret |= (1 << i);
784 }
785 }
786
787 return ret;
788 }
789
790 static void sd_function_switch(SDState *sd, uint32_t arg)
791 {
792 int i, mode, new_func;
793 mode = !!(arg & 0x80000000);
794
795 sd->data[0] = 0x00; /* Maximum current consumption */
796 sd->data[1] = 0x01;
797 sd->data[2] = 0x80; /* Supported group 6 functions */
798 sd->data[3] = 0x01;
799 sd->data[4] = 0x80; /* Supported group 5 functions */
800 sd->data[5] = 0x01;
801 sd->data[6] = 0x80; /* Supported group 4 functions */
802 sd->data[7] = 0x01;
803 sd->data[8] = 0x80; /* Supported group 3 functions */
804 sd->data[9] = 0x01;
805 sd->data[10] = 0x80; /* Supported group 2 functions */
806 sd->data[11] = 0x43;
807 sd->data[12] = 0x80; /* Supported group 1 functions */
808 sd->data[13] = 0x03;
809 for (i = 0; i < 6; i ++) {
810 new_func = (arg >> (i * 4)) & 0x0f;
811 if (mode && new_func != 0x0f)
812 sd->function_group[i] = new_func;
813 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
814 }
815 memset(&sd->data[17], 0, 47);
816 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
817 }
818
819 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
820 {
821 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
822 }
823
824 static void sd_lock_command(SDState *sd)
825 {
826 int erase, lock, clr_pwd, set_pwd, pwd_len;
827 erase = !!(sd->data[0] & 0x08);
828 lock = sd->data[0] & 0x04;
829 clr_pwd = sd->data[0] & 0x02;
830 set_pwd = sd->data[0] & 0x01;
831
832 if (sd->blk_len > 1)
833 pwd_len = sd->data[1];
834 else
835 pwd_len = 0;
836
837 if (lock) {
838 trace_sdcard_lock();
839 } else {
840 trace_sdcard_unlock();
841 }
842 if (erase) {
843 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
844 set_pwd || clr_pwd || lock || sd->wp_switch ||
845 (sd->csd[14] & 0x20)) {
846 sd->card_status |= LOCK_UNLOCK_FAILED;
847 return;
848 }
849 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
850 sd->csd[14] &= ~0x10;
851 sd->card_status &= ~CARD_IS_LOCKED;
852 sd->pwd_len = 0;
853 /* Erasing the entire card here! */
854 fprintf(stderr, "SD: Card force-erased by CMD42\n");
855 return;
856 }
857
858 if (sd->blk_len < 2 + pwd_len ||
859 pwd_len <= sd->pwd_len ||
860 pwd_len > sd->pwd_len + 16) {
861 sd->card_status |= LOCK_UNLOCK_FAILED;
862 return;
863 }
864
865 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
866 sd->card_status |= LOCK_UNLOCK_FAILED;
867 return;
868 }
869
870 pwd_len -= sd->pwd_len;
871 if ((pwd_len && !set_pwd) ||
872 (clr_pwd && (set_pwd || lock)) ||
873 (lock && !sd->pwd_len && !set_pwd) ||
874 (!set_pwd && !clr_pwd &&
875 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
876 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
877 sd->card_status |= LOCK_UNLOCK_FAILED;
878 return;
879 }
880
881 if (set_pwd) {
882 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
883 sd->pwd_len = pwd_len;
884 }
885
886 if (clr_pwd) {
887 sd->pwd_len = 0;
888 }
889
890 if (lock)
891 sd->card_status |= CARD_IS_LOCKED;
892 else
893 sd->card_status &= ~CARD_IS_LOCKED;
894 }
895
896 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
897 {
898 uint32_t rca = 0x0000;
899 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
900
901 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
902 * However there is no ACMD55, so we want to trace this particular case.
903 */
904 if (req.cmd != 55 || sd->expecting_acmd) {
905 trace_sdcard_normal_command(sd->proto_name,
906 sd_cmd_name(req.cmd), req.cmd,
907 req.arg, sd_state_name(sd->state));
908 }
909
910 /* Not interpreting this as an app command */
911 sd->card_status &= ~APP_CMD;
912
913 if (sd_cmd_type[req.cmd] == sd_ac
914 || sd_cmd_type[req.cmd] == sd_adtc) {
915 rca = req.arg >> 16;
916 }
917
918 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
919 * if not, its effects are cancelled */
920 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
921 sd->multi_blk_cnt = 0;
922 }
923
924 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
925 /* Only Standard Capacity cards support class 6 commands */
926 return sd_illegal;
927 }
928
929 switch (req.cmd) {
930 /* Basic commands (Class 0 and Class 1) */
931 case 0: /* CMD0: GO_IDLE_STATE */
932 switch (sd->state) {
933 case sd_inactive_state:
934 return sd->spi ? sd_r1 : sd_r0;
935
936 default:
937 sd->state = sd_idle_state;
938 sd_reset(DEVICE(sd));
939 return sd->spi ? sd_r1 : sd_r0;
940 }
941 break;
942
943 case 1: /* CMD1: SEND_OP_CMD */
944 if (!sd->spi)
945 goto bad_cmd;
946
947 sd->state = sd_transfer_state;
948 return sd_r1;
949
950 case 2: /* CMD2: ALL_SEND_CID */
951 if (sd->spi)
952 goto bad_cmd;
953 switch (sd->state) {
954 case sd_ready_state:
955 sd->state = sd_identification_state;
956 return sd_r2_i;
957
958 default:
959 break;
960 }
961 break;
962
963 case 3: /* CMD3: SEND_RELATIVE_ADDR */
964 if (sd->spi)
965 goto bad_cmd;
966 switch (sd->state) {
967 case sd_identification_state:
968 case sd_standby_state:
969 sd->state = sd_standby_state;
970 sd_set_rca(sd);
971 return sd_r6;
972
973 default:
974 break;
975 }
976 break;
977
978 case 4: /* CMD4: SEND_DSR */
979 if (sd->spi)
980 goto bad_cmd;
981 switch (sd->state) {
982 case sd_standby_state:
983 break;
984
985 default:
986 break;
987 }
988 break;
989
990 case 5: /* CMD5: reserved for SDIO cards */
991 return sd_illegal;
992
993 case 6: /* CMD6: SWITCH_FUNCTION */
994 switch (sd->mode) {
995 case sd_data_transfer_mode:
996 sd_function_switch(sd, req.arg);
997 sd->state = sd_sendingdata_state;
998 sd->data_start = 0;
999 sd->data_offset = 0;
1000 return sd_r1;
1001
1002 default:
1003 break;
1004 }
1005 break;
1006
1007 case 7: /* CMD7: SELECT/DESELECT_CARD */
1008 if (sd->spi)
1009 goto bad_cmd;
1010 switch (sd->state) {
1011 case sd_standby_state:
1012 if (sd->rca != rca)
1013 return sd_r0;
1014
1015 sd->state = sd_transfer_state;
1016 return sd_r1b;
1017
1018 case sd_transfer_state:
1019 case sd_sendingdata_state:
1020 if (sd->rca == rca)
1021 break;
1022
1023 sd->state = sd_standby_state;
1024 return sd_r1b;
1025
1026 case sd_disconnect_state:
1027 if (sd->rca != rca)
1028 return sd_r0;
1029
1030 sd->state = sd_programming_state;
1031 return sd_r1b;
1032
1033 case sd_programming_state:
1034 if (sd->rca == rca)
1035 break;
1036
1037 sd->state = sd_disconnect_state;
1038 return sd_r1b;
1039
1040 default:
1041 break;
1042 }
1043 break;
1044
1045 case 8: /* CMD8: SEND_IF_COND */
1046 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1047 break;
1048 }
1049 if (sd->state != sd_idle_state) {
1050 break;
1051 }
1052 sd->vhs = 0;
1053
1054 /* No response if not exactly one VHS bit is set. */
1055 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1056 return sd->spi ? sd_r7 : sd_r0;
1057 }
1058
1059 /* Accept. */
1060 sd->vhs = req.arg;
1061 return sd_r7;
1062
1063 case 9: /* CMD9: SEND_CSD */
1064 switch (sd->state) {
1065 case sd_standby_state:
1066 if (sd->rca != rca)
1067 return sd_r0;
1068
1069 return sd_r2_s;
1070
1071 case sd_transfer_state:
1072 if (!sd->spi)
1073 break;
1074 sd->state = sd_sendingdata_state;
1075 memcpy(sd->data, sd->csd, 16);
1076 sd->data_start = addr;
1077 sd->data_offset = 0;
1078 return sd_r1;
1079
1080 default:
1081 break;
1082 }
1083 break;
1084
1085 case 10: /* CMD10: SEND_CID */
1086 switch (sd->state) {
1087 case sd_standby_state:
1088 if (sd->rca != rca)
1089 return sd_r0;
1090
1091 return sd_r2_i;
1092
1093 case sd_transfer_state:
1094 if (!sd->spi)
1095 break;
1096 sd->state = sd_sendingdata_state;
1097 memcpy(sd->data, sd->cid, 16);
1098 sd->data_start = addr;
1099 sd->data_offset = 0;
1100 return sd_r1;
1101
1102 default:
1103 break;
1104 }
1105 break;
1106
1107 case 12: /* CMD12: STOP_TRANSMISSION */
1108 switch (sd->state) {
1109 case sd_sendingdata_state:
1110 sd->state = sd_transfer_state;
1111 return sd_r1b;
1112
1113 case sd_receivingdata_state:
1114 sd->state = sd_programming_state;
1115 /* Bzzzzzzztt .... Operation complete. */
1116 sd->state = sd_transfer_state;
1117 return sd_r1b;
1118
1119 default:
1120 break;
1121 }
1122 break;
1123
1124 case 13: /* CMD13: SEND_STATUS */
1125 switch (sd->mode) {
1126 case sd_data_transfer_mode:
1127 if (sd->rca != rca)
1128 return sd_r0;
1129
1130 return sd_r1;
1131
1132 default:
1133 break;
1134 }
1135 break;
1136
1137 case 15: /* CMD15: GO_INACTIVE_STATE */
1138 if (sd->spi)
1139 goto bad_cmd;
1140 switch (sd->mode) {
1141 case sd_data_transfer_mode:
1142 if (sd->rca != rca)
1143 return sd_r0;
1144
1145 sd->state = sd_inactive_state;
1146 return sd_r0;
1147
1148 default:
1149 break;
1150 }
1151 break;
1152
1153 /* Block read commands (Classs 2) */
1154 case 16: /* CMD16: SET_BLOCKLEN */
1155 switch (sd->state) {
1156 case sd_transfer_state:
1157 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1158 sd->card_status |= BLOCK_LEN_ERROR;
1159 } else {
1160 trace_sdcard_set_blocklen(req.arg);
1161 sd->blk_len = req.arg;
1162 }
1163
1164 return sd_r1;
1165
1166 default:
1167 break;
1168 }
1169 break;
1170
1171 case 17: /* CMD17: READ_SINGLE_BLOCK */
1172 switch (sd->state) {
1173 case sd_transfer_state:
1174 sd->state = sd_sendingdata_state;
1175 sd->data_start = addr;
1176 sd->data_offset = 0;
1177
1178 if (sd->data_start + sd->blk_len > sd->size)
1179 sd->card_status |= ADDRESS_ERROR;
1180 return sd_r1;
1181
1182 default:
1183 break;
1184 }
1185 break;
1186
1187 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1188 switch (sd->state) {
1189 case sd_transfer_state:
1190 sd->state = sd_sendingdata_state;
1191 sd->data_start = addr;
1192 sd->data_offset = 0;
1193
1194 if (sd->data_start + sd->blk_len > sd->size)
1195 sd->card_status |= ADDRESS_ERROR;
1196 return sd_r1;
1197
1198 default:
1199 break;
1200 }
1201 break;
1202
1203 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1204 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1205 break;
1206 }
1207 if (sd->state == sd_transfer_state) {
1208 sd->state = sd_sendingdata_state;
1209 sd->data_offset = 0;
1210 return sd_r1;
1211 }
1212 break;
1213
1214 case 23: /* CMD23: SET_BLOCK_COUNT */
1215 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1216 break;
1217 }
1218 switch (sd->state) {
1219 case sd_transfer_state:
1220 sd->multi_blk_cnt = req.arg;
1221 return sd_r1;
1222
1223 default:
1224 break;
1225 }
1226 break;
1227
1228 /* Block write commands (Class 4) */
1229 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1230 switch (sd->state) {
1231 case sd_transfer_state:
1232 /* Writing in SPI mode not implemented. */
1233 if (sd->spi)
1234 break;
1235 sd->state = sd_receivingdata_state;
1236 sd->data_start = addr;
1237 sd->data_offset = 0;
1238 sd->blk_written = 0;
1239
1240 if (sd->data_start + sd->blk_len > sd->size)
1241 sd->card_status |= ADDRESS_ERROR;
1242 if (sd_wp_addr(sd, sd->data_start))
1243 sd->card_status |= WP_VIOLATION;
1244 if (sd->csd[14] & 0x30)
1245 sd->card_status |= WP_VIOLATION;
1246 return sd_r1;
1247
1248 default:
1249 break;
1250 }
1251 break;
1252
1253 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1254 switch (sd->state) {
1255 case sd_transfer_state:
1256 /* Writing in SPI mode not implemented. */
1257 if (sd->spi)
1258 break;
1259 sd->state = sd_receivingdata_state;
1260 sd->data_start = addr;
1261 sd->data_offset = 0;
1262 sd->blk_written = 0;
1263
1264 if (sd->data_start + sd->blk_len > sd->size)
1265 sd->card_status |= ADDRESS_ERROR;
1266 if (sd_wp_addr(sd, sd->data_start))
1267 sd->card_status |= WP_VIOLATION;
1268 if (sd->csd[14] & 0x30)
1269 sd->card_status |= WP_VIOLATION;
1270 return sd_r1;
1271
1272 default:
1273 break;
1274 }
1275 break;
1276
1277 case 26: /* CMD26: PROGRAM_CID */
1278 if (sd->spi)
1279 goto bad_cmd;
1280 switch (sd->state) {
1281 case sd_transfer_state:
1282 sd->state = sd_receivingdata_state;
1283 sd->data_start = 0;
1284 sd->data_offset = 0;
1285 return sd_r1;
1286
1287 default:
1288 break;
1289 }
1290 break;
1291
1292 case 27: /* CMD27: PROGRAM_CSD */
1293 switch (sd->state) {
1294 case sd_transfer_state:
1295 sd->state = sd_receivingdata_state;
1296 sd->data_start = 0;
1297 sd->data_offset = 0;
1298 return sd_r1;
1299
1300 default:
1301 break;
1302 }
1303 break;
1304
1305 /* Write protection (Class 6) */
1306 case 28: /* CMD28: SET_WRITE_PROT */
1307 switch (sd->state) {
1308 case sd_transfer_state:
1309 if (addr >= sd->size) {
1310 sd->card_status |= ADDRESS_ERROR;
1311 return sd_r1b;
1312 }
1313
1314 sd->state = sd_programming_state;
1315 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1316 /* Bzzzzzzztt .... Operation complete. */
1317 sd->state = sd_transfer_state;
1318 return sd_r1b;
1319
1320 default:
1321 break;
1322 }
1323 break;
1324
1325 case 29: /* CMD29: CLR_WRITE_PROT */
1326 switch (sd->state) {
1327 case sd_transfer_state:
1328 if (addr >= sd->size) {
1329 sd->card_status |= ADDRESS_ERROR;
1330 return sd_r1b;
1331 }
1332
1333 sd->state = sd_programming_state;
1334 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1335 /* Bzzzzzzztt .... Operation complete. */
1336 sd->state = sd_transfer_state;
1337 return sd_r1b;
1338
1339 default:
1340 break;
1341 }
1342 break;
1343
1344 case 30: /* CMD30: SEND_WRITE_PROT */
1345 switch (sd->state) {
1346 case sd_transfer_state:
1347 sd->state = sd_sendingdata_state;
1348 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1349 sd->data_start = addr;
1350 sd->data_offset = 0;
1351 return sd_r1b;
1352
1353 default:
1354 break;
1355 }
1356 break;
1357
1358 /* Erase commands (Class 5) */
1359 case 32: /* CMD32: ERASE_WR_BLK_START */
1360 switch (sd->state) {
1361 case sd_transfer_state:
1362 sd->erase_start = req.arg;
1363 return sd_r1;
1364
1365 default:
1366 break;
1367 }
1368 break;
1369
1370 case 33: /* CMD33: ERASE_WR_BLK_END */
1371 switch (sd->state) {
1372 case sd_transfer_state:
1373 sd->erase_end = req.arg;
1374 return sd_r1;
1375
1376 default:
1377 break;
1378 }
1379 break;
1380
1381 case 38: /* CMD38: ERASE */
1382 switch (sd->state) {
1383 case sd_transfer_state:
1384 if (sd->csd[14] & 0x30) {
1385 sd->card_status |= WP_VIOLATION;
1386 return sd_r1b;
1387 }
1388
1389 sd->state = sd_programming_state;
1390 sd_erase(sd);
1391 /* Bzzzzzzztt .... Operation complete. */
1392 sd->state = sd_transfer_state;
1393 return sd_r1b;
1394
1395 default:
1396 break;
1397 }
1398 break;
1399
1400 /* Lock card commands (Class 7) */
1401 case 42: /* CMD42: LOCK_UNLOCK */
1402 switch (sd->state) {
1403 case sd_transfer_state:
1404 sd->state = sd_receivingdata_state;
1405 sd->data_start = 0;
1406 sd->data_offset = 0;
1407 return sd_r1;
1408
1409 default:
1410 break;
1411 }
1412 break;
1413
1414 case 52 ... 54:
1415 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1416 * (see the SDIO Simplified Specification V2.0)
1417 * Handle as illegal command but do not complain
1418 * on stderr, as some OSes may use these in their
1419 * probing for presence of an SDIO card.
1420 */
1421 return sd_illegal;
1422
1423 /* Application specific commands (Class 8) */
1424 case 55: /* CMD55: APP_CMD */
1425 switch (sd->state) {
1426 case sd_ready_state:
1427 case sd_identification_state:
1428 case sd_inactive_state:
1429 return sd_illegal;
1430 case sd_idle_state:
1431 if (rca) {
1432 qemu_log_mask(LOG_GUEST_ERROR,
1433 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1434 }
1435 default:
1436 break;
1437 }
1438 if (!sd->spi) {
1439 if (sd->rca != rca) {
1440 return sd_r0;
1441 }
1442 }
1443 sd->expecting_acmd = true;
1444 sd->card_status |= APP_CMD;
1445 return sd_r1;
1446
1447 case 56: /* CMD56: GEN_CMD */
1448 switch (sd->state) {
1449 case sd_transfer_state:
1450 sd->data_offset = 0;
1451 if (req.arg & 1)
1452 sd->state = sd_sendingdata_state;
1453 else
1454 sd->state = sd_receivingdata_state;
1455 return sd_r1;
1456
1457 default:
1458 break;
1459 }
1460 break;
1461
1462 case 58: /* CMD58: READ_OCR (SPI) */
1463 if (!sd->spi) {
1464 goto bad_cmd;
1465 }
1466 return sd_r3;
1467
1468 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1469 if (!sd->spi) {
1470 goto bad_cmd;
1471 }
1472 goto unimplemented_spi_cmd;
1473
1474 default:
1475 bad_cmd:
1476 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1477 return sd_illegal;
1478
1479 unimplemented_spi_cmd:
1480 /* Commands that are recognised but not yet implemented in SPI mode. */
1481 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1482 req.cmd);
1483 return sd_illegal;
1484 }
1485
1486 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1487 return sd_illegal;
1488 }
1489
1490 static sd_rsp_type_t sd_app_command(SDState *sd,
1491 SDRequest req)
1492 {
1493 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1494 req.cmd, req.arg, sd_state_name(sd->state));
1495 sd->card_status |= APP_CMD;
1496 switch (req.cmd) {
1497 case 6: /* ACMD6: SET_BUS_WIDTH */
1498 if (sd->spi) {
1499 goto unimplemented_spi_cmd;
1500 }
1501 switch (sd->state) {
1502 case sd_transfer_state:
1503 sd->sd_status[0] &= 0x3f;
1504 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1505 return sd_r1;
1506
1507 default:
1508 break;
1509 }
1510 break;
1511
1512 case 13: /* ACMD13: SD_STATUS */
1513 switch (sd->state) {
1514 case sd_transfer_state:
1515 sd->state = sd_sendingdata_state;
1516 sd->data_start = 0;
1517 sd->data_offset = 0;
1518 return sd_r1;
1519
1520 default:
1521 break;
1522 }
1523 break;
1524
1525 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1526 switch (sd->state) {
1527 case sd_transfer_state:
1528 *(uint32_t *) sd->data = sd->blk_written;
1529
1530 sd->state = sd_sendingdata_state;
1531 sd->data_start = 0;
1532 sd->data_offset = 0;
1533 return sd_r1;
1534
1535 default:
1536 break;
1537 }
1538 break;
1539
1540 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1541 switch (sd->state) {
1542 case sd_transfer_state:
1543 return sd_r1;
1544
1545 default:
1546 break;
1547 }
1548 break;
1549
1550 case 41: /* ACMD41: SD_APP_OP_COND */
1551 if (sd->spi) {
1552 /* SEND_OP_CMD */
1553 sd->state = sd_transfer_state;
1554 return sd_r1;
1555 }
1556 if (sd->state != sd_idle_state) {
1557 break;
1558 }
1559 /* If it's the first ACMD41 since reset, we need to decide
1560 * whether to power up. If this is not an enquiry ACMD41,
1561 * we immediately report power on and proceed below to the
1562 * ready state, but if it is, we set a timer to model a
1563 * delay for power up. This works around a bug in EDK2
1564 * UEFI, which sends an initial enquiry ACMD41, but
1565 * assumes that the card is in ready state as soon as it
1566 * sees the power up bit set. */
1567 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1568 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1569 timer_del(sd->ocr_power_timer);
1570 sd_ocr_powerup(sd);
1571 } else {
1572 trace_sdcard_inquiry_cmd41();
1573 if (!timer_pending(sd->ocr_power_timer)) {
1574 timer_mod_ns(sd->ocr_power_timer,
1575 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1576 + OCR_POWER_DELAY_NS));
1577 }
1578 }
1579 }
1580
1581 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1582 /* We accept any voltage. 10000 V is nothing.
1583 *
1584 * Once we're powered up, we advance straight to ready state
1585 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1586 */
1587 sd->state = sd_ready_state;
1588 }
1589
1590 return sd_r3;
1591
1592 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1593 switch (sd->state) {
1594 case sd_transfer_state:
1595 /* Bringing in the 50KOhm pull-up resistor... Done. */
1596 return sd_r1;
1597
1598 default:
1599 break;
1600 }
1601 break;
1602
1603 case 51: /* ACMD51: SEND_SCR */
1604 switch (sd->state) {
1605 case sd_transfer_state:
1606 sd->state = sd_sendingdata_state;
1607 sd->data_start = 0;
1608 sd->data_offset = 0;
1609 return sd_r1;
1610
1611 default:
1612 break;
1613 }
1614 break;
1615
1616 case 18: /* Reserved for SD security applications */
1617 case 25:
1618 case 26:
1619 case 38:
1620 case 43 ... 49:
1621 /* Refer to the "SD Specifications Part3 Security Specification" for
1622 * information about the SD Security Features.
1623 */
1624 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1625 req.cmd);
1626 return sd_illegal;
1627
1628 default:
1629 /* Fall back to standard commands. */
1630 return sd_normal_command(sd, req);
1631
1632 unimplemented_spi_cmd:
1633 /* Commands that are recognised but not yet implemented in SPI mode. */
1634 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1635 req.cmd);
1636 return sd_illegal;
1637 }
1638
1639 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1640 return sd_illegal;
1641 }
1642
1643 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1644 {
1645 /* Valid commands in locked state:
1646 * basic class (0)
1647 * lock card class (7)
1648 * CMD16
1649 * implicitly, the ACMD prefix CMD55
1650 * ACMD41 and ACMD42
1651 * Anything else provokes an "illegal command" response.
1652 */
1653 if (sd->expecting_acmd) {
1654 return req->cmd == 41 || req->cmd == 42;
1655 }
1656 if (req->cmd == 16 || req->cmd == 55) {
1657 return 1;
1658 }
1659 return sd_cmd_class[req->cmd] == 0
1660 || sd_cmd_class[req->cmd] == 7;
1661 }
1662
1663 int sd_do_command(SDState *sd, SDRequest *req,
1664 uint8_t *response) {
1665 int last_state;
1666 sd_rsp_type_t rtype;
1667 int rsplen;
1668
1669 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1670 return 0;
1671 }
1672
1673 if (sd_req_crc_validate(req)) {
1674 sd->card_status |= COM_CRC_ERROR;
1675 rtype = sd_illegal;
1676 goto send_response;
1677 }
1678
1679 if (req->cmd >= SDMMC_CMD_MAX) {
1680 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1681 req->cmd);
1682 req->cmd &= 0x3f;
1683 }
1684
1685 if (sd->card_status & CARD_IS_LOCKED) {
1686 if (!cmd_valid_while_locked(sd, req)) {
1687 sd->card_status |= ILLEGAL_COMMAND;
1688 sd->expecting_acmd = false;
1689 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1690 rtype = sd_illegal;
1691 goto send_response;
1692 }
1693 }
1694
1695 last_state = sd->state;
1696 sd_set_mode(sd);
1697
1698 if (sd->expecting_acmd) {
1699 sd->expecting_acmd = false;
1700 rtype = sd_app_command(sd, *req);
1701 } else {
1702 rtype = sd_normal_command(sd, *req);
1703 }
1704
1705 if (rtype == sd_illegal) {
1706 sd->card_status |= ILLEGAL_COMMAND;
1707 } else {
1708 /* Valid command, we can update the 'state before command' bits.
1709 * (Do this now so they appear in r1 responses.)
1710 */
1711 sd->current_cmd = req->cmd;
1712 sd->card_status &= ~CURRENT_STATE;
1713 sd->card_status |= (last_state << 9);
1714 }
1715
1716 send_response:
1717 switch (rtype) {
1718 case sd_r1:
1719 case sd_r1b:
1720 sd_response_r1_make(sd, response);
1721 rsplen = 4;
1722 break;
1723
1724 case sd_r2_i:
1725 memcpy(response, sd->cid, sizeof(sd->cid));
1726 rsplen = 16;
1727 break;
1728
1729 case sd_r2_s:
1730 memcpy(response, sd->csd, sizeof(sd->csd));
1731 rsplen = 16;
1732 break;
1733
1734 case sd_r3:
1735 sd_response_r3_make(sd, response);
1736 rsplen = 4;
1737 break;
1738
1739 case sd_r6:
1740 sd_response_r6_make(sd, response);
1741 rsplen = 4;
1742 break;
1743
1744 case sd_r7:
1745 sd_response_r7_make(sd, response);
1746 rsplen = 4;
1747 break;
1748
1749 case sd_r0:
1750 case sd_illegal:
1751 rsplen = 0;
1752 break;
1753 default:
1754 g_assert_not_reached();
1755 }
1756 trace_sdcard_response(sd_response_name(rtype), rsplen);
1757
1758 if (rtype != sd_illegal) {
1759 /* Clear the "clear on valid command" status bits now we've
1760 * sent any response
1761 */
1762 sd->card_status &= ~CARD_STATUS_B;
1763 }
1764
1765 #ifdef DEBUG_SD
1766 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
1767 #endif
1768
1769 return rsplen;
1770 }
1771
1772 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1773 {
1774 trace_sdcard_read_block(addr, len);
1775 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1776 fprintf(stderr, "sd_blk_read: read error on host side\n");
1777 }
1778 }
1779
1780 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1781 {
1782 trace_sdcard_write_block(addr, len);
1783 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1784 fprintf(stderr, "sd_blk_write: write error on host side\n");
1785 }
1786 }
1787
1788 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1789 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1790 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1791 #define APP_WRITE_BLOCK(a, len)
1792
1793 void sd_write_data(SDState *sd, uint8_t value)
1794 {
1795 int i;
1796
1797 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1798 return;
1799
1800 if (sd->state != sd_receivingdata_state) {
1801 qemu_log_mask(LOG_GUEST_ERROR,
1802 "sd_write_data: not in Receiving-Data state\n");
1803 return;
1804 }
1805
1806 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1807 return;
1808
1809 trace_sdcard_write_data(sd->proto_name,
1810 sd_acmd_name(sd->current_cmd),
1811 sd->current_cmd, value);
1812 switch (sd->current_cmd) {
1813 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1814 sd->data[sd->data_offset ++] = value;
1815 if (sd->data_offset >= sd->blk_len) {
1816 /* TODO: Check CRC before committing */
1817 sd->state = sd_programming_state;
1818 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1819 sd->blk_written ++;
1820 sd->csd[14] |= 0x40;
1821 /* Bzzzzzzztt .... Operation complete. */
1822 sd->state = sd_transfer_state;
1823 }
1824 break;
1825
1826 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1827 if (sd->data_offset == 0) {
1828 /* Start of the block - let's check the address is valid */
1829 if (sd->data_start + sd->blk_len > sd->size) {
1830 sd->card_status |= ADDRESS_ERROR;
1831 break;
1832 }
1833 if (sd_wp_addr(sd, sd->data_start)) {
1834 sd->card_status |= WP_VIOLATION;
1835 break;
1836 }
1837 }
1838 sd->data[sd->data_offset++] = value;
1839 if (sd->data_offset >= sd->blk_len) {
1840 /* TODO: Check CRC before committing */
1841 sd->state = sd_programming_state;
1842 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1843 sd->blk_written++;
1844 sd->data_start += sd->blk_len;
1845 sd->data_offset = 0;
1846 sd->csd[14] |= 0x40;
1847
1848 /* Bzzzzzzztt .... Operation complete. */
1849 if (sd->multi_blk_cnt != 0) {
1850 if (--sd->multi_blk_cnt == 0) {
1851 /* Stop! */
1852 sd->state = sd_transfer_state;
1853 break;
1854 }
1855 }
1856
1857 sd->state = sd_receivingdata_state;
1858 }
1859 break;
1860
1861 case 26: /* CMD26: PROGRAM_CID */
1862 sd->data[sd->data_offset ++] = value;
1863 if (sd->data_offset >= sizeof(sd->cid)) {
1864 /* TODO: Check CRC before committing */
1865 sd->state = sd_programming_state;
1866 for (i = 0; i < sizeof(sd->cid); i ++)
1867 if ((sd->cid[i] | 0x00) != sd->data[i])
1868 sd->card_status |= CID_CSD_OVERWRITE;
1869
1870 if (!(sd->card_status & CID_CSD_OVERWRITE))
1871 for (i = 0; i < sizeof(sd->cid); i ++) {
1872 sd->cid[i] |= 0x00;
1873 sd->cid[i] &= sd->data[i];
1874 }
1875 /* Bzzzzzzztt .... Operation complete. */
1876 sd->state = sd_transfer_state;
1877 }
1878 break;
1879
1880 case 27: /* CMD27: PROGRAM_CSD */
1881 sd->data[sd->data_offset ++] = value;
1882 if (sd->data_offset >= sizeof(sd->csd)) {
1883 /* TODO: Check CRC before committing */
1884 sd->state = sd_programming_state;
1885 for (i = 0; i < sizeof(sd->csd); i ++)
1886 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1887 (sd->data[i] | sd_csd_rw_mask[i]))
1888 sd->card_status |= CID_CSD_OVERWRITE;
1889
1890 /* Copy flag (OTP) & Permanent write protect */
1891 if (sd->csd[14] & ~sd->data[14] & 0x60)
1892 sd->card_status |= CID_CSD_OVERWRITE;
1893
1894 if (!(sd->card_status & CID_CSD_OVERWRITE))
1895 for (i = 0; i < sizeof(sd->csd); i ++) {
1896 sd->csd[i] |= sd_csd_rw_mask[i];
1897 sd->csd[i] &= sd->data[i];
1898 }
1899 /* Bzzzzzzztt .... Operation complete. */
1900 sd->state = sd_transfer_state;
1901 }
1902 break;
1903
1904 case 42: /* CMD42: LOCK_UNLOCK */
1905 sd->data[sd->data_offset ++] = value;
1906 if (sd->data_offset >= sd->blk_len) {
1907 /* TODO: Check CRC before committing */
1908 sd->state = sd_programming_state;
1909 sd_lock_command(sd);
1910 /* Bzzzzzzztt .... Operation complete. */
1911 sd->state = sd_transfer_state;
1912 }
1913 break;
1914
1915 case 56: /* CMD56: GEN_CMD */
1916 sd->data[sd->data_offset ++] = value;
1917 if (sd->data_offset >= sd->blk_len) {
1918 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1919 sd->state = sd_transfer_state;
1920 }
1921 break;
1922
1923 default:
1924 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1925 break;
1926 }
1927 }
1928
1929 #define SD_TUNING_BLOCK_SIZE 64
1930
1931 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1932 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1933 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1934 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1935 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1936 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1937 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1938 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1939 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1940 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1941 };
1942
1943 uint8_t sd_read_data(SDState *sd)
1944 {
1945 /* TODO: Append CRCs */
1946 uint8_t ret;
1947 int io_len;
1948
1949 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1950 return 0x00;
1951
1952 if (sd->state != sd_sendingdata_state) {
1953 qemu_log_mask(LOG_GUEST_ERROR,
1954 "sd_read_data: not in Sending-Data state\n");
1955 return 0x00;
1956 }
1957
1958 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1959 return 0x00;
1960
1961 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1962
1963 trace_sdcard_read_data(sd->proto_name,
1964 sd_acmd_name(sd->current_cmd),
1965 sd->current_cmd, io_len);
1966 switch (sd->current_cmd) {
1967 case 6: /* CMD6: SWITCH_FUNCTION */
1968 ret = sd->data[sd->data_offset ++];
1969
1970 if (sd->data_offset >= 64)
1971 sd->state = sd_transfer_state;
1972 break;
1973
1974 case 9: /* CMD9: SEND_CSD */
1975 case 10: /* CMD10: SEND_CID */
1976 ret = sd->data[sd->data_offset ++];
1977
1978 if (sd->data_offset >= 16)
1979 sd->state = sd_transfer_state;
1980 break;
1981
1982 case 13: /* ACMD13: SD_STATUS */
1983 ret = sd->sd_status[sd->data_offset ++];
1984
1985 if (sd->data_offset >= sizeof(sd->sd_status))
1986 sd->state = sd_transfer_state;
1987 break;
1988
1989 case 17: /* CMD17: READ_SINGLE_BLOCK */
1990 if (sd->data_offset == 0)
1991 BLK_READ_BLOCK(sd->data_start, io_len);
1992 ret = sd->data[sd->data_offset ++];
1993
1994 if (sd->data_offset >= io_len)
1995 sd->state = sd_transfer_state;
1996 break;
1997
1998 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1999 if (sd->data_offset == 0) {
2000 if (sd->data_start + io_len > sd->size) {
2001 sd->card_status |= ADDRESS_ERROR;
2002 return 0x00;
2003 }
2004 BLK_READ_BLOCK(sd->data_start, io_len);
2005 }
2006 ret = sd->data[sd->data_offset ++];
2007
2008 if (sd->data_offset >= io_len) {
2009 sd->data_start += io_len;
2010 sd->data_offset = 0;
2011
2012 if (sd->multi_blk_cnt != 0) {
2013 if (--sd->multi_blk_cnt == 0) {
2014 /* Stop! */
2015 sd->state = sd_transfer_state;
2016 break;
2017 }
2018 }
2019 }
2020 break;
2021
2022 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2023 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2024 sd->state = sd_transfer_state;
2025 }
2026 ret = sd_tuning_block_pattern[sd->data_offset++];
2027 break;
2028
2029 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2030 ret = sd->data[sd->data_offset ++];
2031
2032 if (sd->data_offset >= 4)
2033 sd->state = sd_transfer_state;
2034 break;
2035
2036 case 30: /* CMD30: SEND_WRITE_PROT */
2037 ret = sd->data[sd->data_offset ++];
2038
2039 if (sd->data_offset >= 4)
2040 sd->state = sd_transfer_state;
2041 break;
2042
2043 case 51: /* ACMD51: SEND_SCR */
2044 ret = sd->scr[sd->data_offset ++];
2045
2046 if (sd->data_offset >= sizeof(sd->scr))
2047 sd->state = sd_transfer_state;
2048 break;
2049
2050 case 56: /* CMD56: GEN_CMD */
2051 if (sd->data_offset == 0)
2052 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2053 ret = sd->data[sd->data_offset ++];
2054
2055 if (sd->data_offset >= sd->blk_len)
2056 sd->state = sd_transfer_state;
2057 break;
2058
2059 default:
2060 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
2061 return 0x00;
2062 }
2063
2064 return ret;
2065 }
2066
2067 bool sd_data_ready(SDState *sd)
2068 {
2069 return sd->state == sd_sendingdata_state;
2070 }
2071
2072 void sd_enable(SDState *sd, bool enable)
2073 {
2074 sd->enable = enable;
2075 }
2076
2077 static void sd_instance_init(Object *obj)
2078 {
2079 SDState *sd = SD_CARD(obj);
2080
2081 sd->enable = true;
2082 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2083 }
2084
2085 static void sd_instance_finalize(Object *obj)
2086 {
2087 SDState *sd = SD_CARD(obj);
2088
2089 timer_del(sd->ocr_power_timer);
2090 timer_free(sd->ocr_power_timer);
2091 }
2092
2093 static void sd_realize(DeviceState *dev, Error **errp)
2094 {
2095 SDState *sd = SD_CARD(dev);
2096 int ret;
2097
2098 sd->proto_name = sd->spi ? "SPI" : "SD";
2099
2100 switch (sd->spec_version) {
2101 case SD_PHY_SPECv1_10_VERS
2102 ... SD_PHY_SPECv3_01_VERS:
2103 break;
2104 default:
2105 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2106 return;
2107 }
2108
2109 if (sd->blk) {
2110 int64_t blk_size;
2111
2112 if (blk_is_read_only(sd->blk)) {
2113 error_setg(errp, "Cannot use read-only drive as SD card");
2114 return;
2115 }
2116
2117 blk_size = blk_getlength(sd->blk);
2118 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2119 int64_t blk_size_aligned = pow2ceil(blk_size);
2120 char *blk_size_str;
2121
2122 blk_size_str = size_to_str(blk_size);
2123 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2124 g_free(blk_size_str);
2125
2126 blk_size_str = size_to_str(blk_size_aligned);
2127 error_append_hint(errp,
2128 "SD card size has to be a power of 2, e.g. %s.\n"
2129 "You can resize disk images with"
2130 " 'qemu-img resize <imagefile> <new-size>'\n"
2131 "(note that this will lose data if you make the"
2132 " image smaller than it currently is).\n",
2133 blk_size_str);
2134 g_free(blk_size_str);
2135
2136 return;
2137 }
2138
2139 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2140 BLK_PERM_ALL, errp);
2141 if (ret < 0) {
2142 return;
2143 }
2144 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2145 }
2146 }
2147
2148 static Property sd_properties[] = {
2149 DEFINE_PROP_UINT8("spec_version", SDState,
2150 spec_version, SD_PHY_SPECv2_00_VERS),
2151 DEFINE_PROP_DRIVE("drive", SDState, blk),
2152 /* We do not model the chip select pin, so allow the board to select
2153 * whether card should be in SSI or MMC/SD mode. It is also up to the
2154 * board to ensure that ssi transfers only occur when the chip select
2155 * is asserted. */
2156 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2157 DEFINE_PROP_END_OF_LIST()
2158 };
2159
2160 static void sd_class_init(ObjectClass *klass, void *data)
2161 {
2162 DeviceClass *dc = DEVICE_CLASS(klass);
2163 SDCardClass *sc = SD_CARD_CLASS(klass);
2164
2165 dc->realize = sd_realize;
2166 device_class_set_props(dc, sd_properties);
2167 dc->vmsd = &sd_vmstate;
2168 dc->reset = sd_reset;
2169 dc->bus_type = TYPE_SD_BUS;
2170 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2171
2172 sc->set_voltage = sd_set_voltage;
2173 sc->get_dat_lines = sd_get_dat_lines;
2174 sc->get_cmd_line = sd_get_cmd_line;
2175 sc->do_command = sd_do_command;
2176 sc->write_data = sd_write_data;
2177 sc->read_data = sd_read_data;
2178 sc->data_ready = sd_data_ready;
2179 sc->enable = sd_enable;
2180 sc->get_inserted = sd_get_inserted;
2181 sc->get_readonly = sd_get_readonly;
2182 }
2183
2184 static const TypeInfo sd_info = {
2185 .name = TYPE_SD_CARD,
2186 .parent = TYPE_DEVICE,
2187 .instance_size = sizeof(SDState),
2188 .class_size = sizeof(SDCardClass),
2189 .class_init = sd_class_init,
2190 .instance_init = sd_instance_init,
2191 .instance_finalize = sd_instance_finalize,
2192 };
2193
2194 static void sd_register_types(void)
2195 {
2196 type_register_static(&sd_info);
2197 }
2198
2199 type_init(sd_register_types)
AR7 emulation for QEMU