search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
crypto: skip testing of unsupported cipher algorithms
[qemu/ar7.git] / hw / sd / sd.c
blob1568057e4fa71a9e6306634fdffa703b015e27b9
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 1.10."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #include "qemu/osdep.h"
33 #include "hw/qdev.h"
34 #include "hw/hw.h"
35 #include "sysemu/block-backend.h"
36 #include "hw/sd/sd.h"
37 #include "qemu/bitmap.h"
38 #include "hw/qdev-properties.h"
39 #include "qemu/error-report.h"
40 #include "qemu/timer.h"
41
42 //#define DEBUG_SD 1
43
44 #ifdef DEBUG_SD
45 #define DPRINTF(fmt, ...) \
46 do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0)
47 #else
48 #define DPRINTF(fmt, ...) do {} while(0)
49 #endif
50
51 #define ACMD41_ENQUIRY_MASK 0x00ffffff
52 #define OCR_POWER_UP 0x80000000
53 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
54
55 typedef enum {
56 sd_r0 = 0, /* no response */
57 sd_r1, /* normal response command */
58 sd_r2_i, /* CID register */
59 sd_r2_s, /* CSD register */
60 sd_r3, /* OCR register */
61 sd_r6 = 6, /* Published RCA response */
62 sd_r7, /* Operating voltage */
63 sd_r1b = -1,
64 sd_illegal = -2,
65 } sd_rsp_type_t;
66
67 enum SDCardModes {
68 sd_inactive,
69 sd_card_identification_mode,
70 sd_data_transfer_mode,
71 };
72
73 enum SDCardStates {
74 sd_inactive_state = -1,
75 sd_idle_state = 0,
76 sd_ready_state,
77 sd_identification_state,
78 sd_standby_state,
79 sd_transfer_state,
80 sd_sendingdata_state,
81 sd_receivingdata_state,
82 sd_programming_state,
83 sd_disconnect_state,
84 };
85
86 struct SDState {
87 DeviceState parent_obj;
88
89 uint32_t mode; /* current card mode, one of SDCardModes */
90 int32_t state; /* current card state, one of SDCardStates */
91 uint32_t ocr;
92 QEMUTimer *ocr_power_timer;
93 uint8_t scr[8];
94 uint8_t cid[16];
95 uint8_t csd[16];
96 uint16_t rca;
97 uint32_t card_status;
98 uint8_t sd_status[64];
99 uint32_t vhs;
100 bool wp_switch;
101 unsigned long *wp_groups;
102 int32_t wpgrps_size;
103 uint64_t size;
104 uint32_t blk_len;
105 uint32_t multi_blk_cnt;
106 uint32_t erase_start;
107 uint32_t erase_end;
108 uint8_t pwd[16];
109 uint32_t pwd_len;
110 uint8_t function_group[6];
111
112 bool spi;
113 uint8_t current_cmd;
114 /* True if we will handle the next command as an ACMD. Note that this does
115 * *not* track the APP_CMD status bit!
116 */
117 bool expecting_acmd;
118 uint32_t blk_written;
119 uint64_t data_start;
120 uint32_t data_offset;
121 uint8_t data[512];
122 qemu_irq readonly_cb;
123 qemu_irq inserted_cb;
124 BlockBackend *blk;
125 uint8_t *buf;
126
127 bool enable;
128 };
129
130 static void sd_set_mode(SDState *sd)
131 {
132 switch (sd->state) {
133 case sd_inactive_state:
134 sd->mode = sd_inactive;
135 break;
136
137 case sd_idle_state:
138 case sd_ready_state:
139 case sd_identification_state:
140 sd->mode = sd_card_identification_mode;
141 break;
142
143 case sd_standby_state:
144 case sd_transfer_state:
145 case sd_sendingdata_state:
146 case sd_receivingdata_state:
147 case sd_programming_state:
148 case sd_disconnect_state:
149 sd->mode = sd_data_transfer_mode;
150 break;
151 }
152 }
153
154 static const sd_cmd_type_t sd_cmd_type[64] = {
155 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
156 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
157 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
158 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
159 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
160 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
161 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
162 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
163 };
164
165 static const int sd_cmd_class[64] = {
166 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
167 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
168 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
169 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
170 };
171
172 static uint8_t sd_crc7(void *message, size_t width)
173 {
174 int i, bit;
175 uint8_t shift_reg = 0x00;
176 uint8_t *msg = (uint8_t *) message;
177
178 for (i = 0; i < width; i ++, msg ++)
179 for (bit = 7; bit >= 0; bit --) {
180 shift_reg <<= 1;
181 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
182 shift_reg ^= 0x89;
183 }
184
185 return shift_reg;
186 }
187
188 static uint16_t sd_crc16(void *message, size_t width)
189 {
190 int i, bit;
191 uint16_t shift_reg = 0x0000;
192 uint16_t *msg = (uint16_t *) message;
193 width <<= 1;
194
195 for (i = 0; i < width; i ++, msg ++)
196 for (bit = 15; bit >= 0; bit --) {
197 shift_reg <<= 1;
198 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
199 shift_reg ^= 0x1011;
200 }
201
202 return shift_reg;
203 }
204
205 static void sd_set_ocr(SDState *sd)
206 {
207 /* All voltages OK, Standard Capacity SD Memory Card, not yet powered up */
208 sd->ocr = 0x00ffff00;
209 }
210
211 static void sd_ocr_powerup(void *opaque)
212 {
213 SDState *sd = opaque;
214
215 /* Set powered up bit in OCR */
216 assert(!(sd->ocr & OCR_POWER_UP));
217 sd->ocr |= OCR_POWER_UP;
218 }
219
220 static void sd_set_scr(SDState *sd)
221 {
222 sd->scr[0] = 0x00; /* SCR Structure */
223 sd->scr[1] = 0x2f; /* SD Security Support */
224 sd->scr[2] = 0x00;
225 sd->scr[3] = 0x00;
226 sd->scr[4] = 0x00;
227 sd->scr[5] = 0x00;
228 sd->scr[6] = 0x00;
229 sd->scr[7] = 0x00;
230 }
231
232 #define MID 0xaa
233 #define OID "XY"
234 #define PNM "QEMU!"
235 #define PRV 0x01
236 #define MDT_YR 2006
237 #define MDT_MON 2
238
239 static void sd_set_cid(SDState *sd)
240 {
241 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
242 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
243 sd->cid[2] = OID[1];
244 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
245 sd->cid[4] = PNM[1];
246 sd->cid[5] = PNM[2];
247 sd->cid[6] = PNM[3];
248 sd->cid[7] = PNM[4];
249 sd->cid[8] = PRV; /* Fake product revision (PRV) */
250 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
251 sd->cid[10] = 0xad;
252 sd->cid[11] = 0xbe;
253 sd->cid[12] = 0xef;
254 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
255 ((MDT_YR - 2000) / 10);
256 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
257 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
258 }
259
260 #define HWBLOCK_SHIFT 9 /* 512 bytes */
261 #define SECTOR_SHIFT 5 /* 16 kilobytes */
262 #define WPGROUP_SHIFT 7 /* 2 megs */
263 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
264 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
265
266 static const uint8_t sd_csd_rw_mask[16] = {
267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
269 };
270
271 static void sd_set_csd(SDState *sd, uint64_t size)
272 {
273 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
274 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
275 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
276
277 if (size <= 0x40000000) { /* Standard Capacity SD */
278 sd->csd[0] = 0x00; /* CSD structure */
279 sd->csd[1] = 0x26; /* Data read access-time-1 */
280 sd->csd[2] = 0x00; /* Data read access-time-2 */
281 sd->csd[3] = 0x5a; /* Max. data transfer rate */
282 sd->csd[4] = 0x5f; /* Card Command Classes */
283 sd->csd[5] = 0x50 | /* Max. read data block length */
284 HWBLOCK_SHIFT;
285 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
286 ((csize >> 10) & 0x03);
287 sd->csd[7] = 0x00 | /* Device size */
288 ((csize >> 2) & 0xff);
289 sd->csd[8] = 0x3f | /* Max. read current */
290 ((csize << 6) & 0xc0);
291 sd->csd[9] = 0xfc | /* Max. write current */
292 ((CMULT_SHIFT - 2) >> 1);
293 sd->csd[10] = 0x40 | /* Erase sector size */
294 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
295 sd->csd[11] = 0x00 | /* Write protect group size */
296 ((sectsize << 7) & 0x80) | wpsize;
297 sd->csd[12] = 0x90 | /* Write speed factor */
298 (HWBLOCK_SHIFT >> 2);
299 sd->csd[13] = 0x20 | /* Max. write data block length */
300 ((HWBLOCK_SHIFT << 6) & 0xc0);
301 sd->csd[14] = 0x00; /* File format group */
302 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
303 } else { /* SDHC */
304 size /= 512 * 1024;
305 size -= 1;
306 sd->csd[0] = 0x40;
307 sd->csd[1] = 0x0e;
308 sd->csd[2] = 0x00;
309 sd->csd[3] = 0x32;
310 sd->csd[4] = 0x5b;
311 sd->csd[5] = 0x59;
312 sd->csd[6] = 0x00;
313 sd->csd[7] = (size >> 16) & 0xff;
314 sd->csd[8] = (size >> 8) & 0xff;
315 sd->csd[9] = (size & 0xff);
316 sd->csd[10] = 0x7f;
317 sd->csd[11] = 0x80;
318 sd->csd[12] = 0x0a;
319 sd->csd[13] = 0x40;
320 sd->csd[14] = 0x00;
321 sd->csd[15] = 0x00;
322 sd->ocr |= 1 << 30; /* High Capacity SD Memory Card */
323 }
324 }
325
326 static void sd_set_rca(SDState *sd)
327 {
328 sd->rca += 0x4567;
329 }
330
331 /* Card status bits, split by clear condition:
332 * A : According to the card current state
333 * B : Always related to the previous command
334 * C : Cleared by read
335 */
336 #define CARD_STATUS_A 0x02004100
337 #define CARD_STATUS_B 0x00c01e00
338 #define CARD_STATUS_C 0xfd39a028
339
340 static void sd_set_cardstatus(SDState *sd)
341 {
342 sd->card_status = 0x00000100;
343 }
344
345 static void sd_set_sdstatus(SDState *sd)
346 {
347 memset(sd->sd_status, 0, 64);
348 }
349
350 static int sd_req_crc_validate(SDRequest *req)
351 {
352 uint8_t buffer[5];
353 buffer[0] = 0x40 | req->cmd;
354 buffer[1] = (req->arg >> 24) & 0xff;
355 buffer[2] = (req->arg >> 16) & 0xff;
356 buffer[3] = (req->arg >> 8) & 0xff;
357 buffer[4] = (req->arg >> 0) & 0xff;
358 return 0;
359 return sd_crc7(buffer, 5) != req->crc; /* TODO */
360 }
361
362 static void sd_response_r1_make(SDState *sd, uint8_t *response)
363 {
364 uint32_t status = sd->card_status;
365 /* Clear the "clear on read" status bits */
366 sd->card_status &= ~CARD_STATUS_C;
367
368 response[0] = (status >> 24) & 0xff;
369 response[1] = (status >> 16) & 0xff;
370 response[2] = (status >> 8) & 0xff;
371 response[3] = (status >> 0) & 0xff;
372 }
373
374 static void sd_response_r3_make(SDState *sd, uint8_t *response)
375 {
376 response[0] = (sd->ocr >> 24) & 0xff;
377 response[1] = (sd->ocr >> 16) & 0xff;
378 response[2] = (sd->ocr >> 8) & 0xff;
379 response[3] = (sd->ocr >> 0) & 0xff;
380 }
381
382 static void sd_response_r6_make(SDState *sd, uint8_t *response)
383 {
384 uint16_t arg;
385 uint16_t status;
386
387 arg = sd->rca;
388 status = ((sd->card_status >> 8) & 0xc000) |
389 ((sd->card_status >> 6) & 0x2000) |
390 (sd->card_status & 0x1fff);
391 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
392
393 response[0] = (arg >> 8) & 0xff;
394 response[1] = arg & 0xff;
395 response[2] = (status >> 8) & 0xff;
396 response[3] = status & 0xff;
397 }
398
399 static void sd_response_r7_make(SDState *sd, uint8_t *response)
400 {
401 response[0] = (sd->vhs >> 24) & 0xff;
402 response[1] = (sd->vhs >> 16) & 0xff;
403 response[2] = (sd->vhs >> 8) & 0xff;
404 response[3] = (sd->vhs >> 0) & 0xff;
405 }
406
407 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
408 {
409 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
410 }
411
412 static void sd_reset(DeviceState *dev)
413 {
414 SDState *sd = SD_CARD(dev);
415 uint64_t size;
416 uint64_t sect;
417
418 if (sd->blk) {
419 blk_get_geometry(sd->blk, &sect);
420 } else {
421 sect = 0;
422 }
423 size = sect << 9;
424
425 sect = sd_addr_to_wpnum(size) + 1;
426
427 sd->state = sd_idle_state;
428 sd->rca = 0x0000;
429 sd_set_ocr(sd);
430 sd_set_scr(sd);
431 sd_set_cid(sd);
432 sd_set_csd(sd, size);
433 sd_set_cardstatus(sd);
434 sd_set_sdstatus(sd);
435
436 g_free(sd->wp_groups);
437 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
438 sd->wpgrps_size = sect;
439 sd->wp_groups = bitmap_new(sd->wpgrps_size);
440 memset(sd->function_group, 0, sizeof(sd->function_group));
441 sd->erase_start = 0;
442 sd->erase_end = 0;
443 sd->size = size;
444 sd->blk_len = 0x200;
445 sd->pwd_len = 0;
446 sd->expecting_acmd = false;
447 sd->multi_blk_cnt = 0;
448 }
449
450 static bool sd_get_inserted(SDState *sd)
451 {
452 return sd->blk && blk_is_inserted(sd->blk);
453 }
454
455 static bool sd_get_readonly(SDState *sd)
456 {
457 return sd->wp_switch;
458 }
459
460 static void sd_cardchange(void *opaque, bool load)
461 {
462 SDState *sd = opaque;
463 DeviceState *dev = DEVICE(sd);
464 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev));
465 bool inserted = sd_get_inserted(sd);
466 bool readonly = sd_get_readonly(sd);
467
468 if (inserted) {
469 sd_reset(dev);
470 }
471
472 /* The IRQ notification is for legacy non-QOM SD controller devices;
473 * QOMified controllers use the SDBus APIs.
474 */
475 if (sdbus) {
476 sdbus_set_inserted(sdbus, inserted);
477 if (inserted) {
478 sdbus_set_readonly(sdbus, readonly);
479 }
480 } else {
481 qemu_set_irq(sd->inserted_cb, inserted);
482 if (inserted) {
483 qemu_set_irq(sd->readonly_cb, readonly);
484 }
485 }
486 }
487
488 static const BlockDevOps sd_block_ops = {
489 .change_media_cb = sd_cardchange,
490 };
491
492 static bool sd_ocr_vmstate_needed(void *opaque)
493 {
494 SDState *sd = opaque;
495
496 /* Include the OCR state (and timer) if it is not yet powered up */
497 return !(sd->ocr & OCR_POWER_UP);
498 }
499
500 static const VMStateDescription sd_ocr_vmstate = {
501 .name = "sd-card/ocr-state",
502 .version_id = 1,
503 .minimum_version_id = 1,
504 .needed = sd_ocr_vmstate_needed,
505 .fields = (VMStateField[]) {
506 VMSTATE_UINT32(ocr, SDState),
507 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
508 VMSTATE_END_OF_LIST()
509 },
510 };
511
512 static int sd_vmstate_pre_load(void *opaque)
513 {
514 SDState *sd = opaque;
515
516 /* If the OCR state is not included (prior versions, or not
517 * needed), then the OCR must be set as powered up. If the OCR state
518 * is included, this will be replaced by the state restore.
519 */
520 sd_ocr_powerup(sd);
521
522 return 0;
523 }
524
525 static const VMStateDescription sd_vmstate = {
526 .name = "sd-card",
527 .version_id = 1,
528 .minimum_version_id = 1,
529 .pre_load = sd_vmstate_pre_load,
530 .fields = (VMStateField[]) {
531 VMSTATE_UINT32(mode, SDState),
532 VMSTATE_INT32(state, SDState),
533 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
534 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
535 VMSTATE_UINT16(rca, SDState),
536 VMSTATE_UINT32(card_status, SDState),
537 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
538 VMSTATE_UINT32(vhs, SDState),
539 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
540 VMSTATE_UINT32(blk_len, SDState),
541 VMSTATE_UINT32(multi_blk_cnt, SDState),
542 VMSTATE_UINT32(erase_start, SDState),
543 VMSTATE_UINT32(erase_end, SDState),
544 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
545 VMSTATE_UINT32(pwd_len, SDState),
546 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
547 VMSTATE_UINT8(current_cmd, SDState),
548 VMSTATE_BOOL(expecting_acmd, SDState),
549 VMSTATE_UINT32(blk_written, SDState),
550 VMSTATE_UINT64(data_start, SDState),
551 VMSTATE_UINT32(data_offset, SDState),
552 VMSTATE_UINT8_ARRAY(data, SDState, 512),
553 VMSTATE_BUFFER_POINTER_UNSAFE(buf, SDState, 1, 512),
554 VMSTATE_BOOL(enable, SDState),
555 VMSTATE_END_OF_LIST()
556 },
557 .subsections = (const VMStateDescription*[]) {
558 &sd_ocr_vmstate,
559 NULL
560 },
561 };
562
563 /* Legacy initialization function for use by non-qdevified callers */
564 SDState *sd_init(BlockBackend *blk, bool is_spi)
565 {
566 Object *obj;
567 DeviceState *dev;
568 Error *err = NULL;
569
570 obj = object_new(TYPE_SD_CARD);
571 dev = DEVICE(obj);
572 qdev_prop_set_drive(dev, "drive", blk, &err);
573 if (err) {
574 error_report("sd_init failed: %s", error_get_pretty(err));
575 return NULL;
576 }
577 qdev_prop_set_bit(dev, "spi", is_spi);
578 object_property_set_bool(obj, true, "realized", &err);
579 if (err) {
580 error_report("sd_init failed: %s", error_get_pretty(err));
581 return NULL;
582 }
583
584 return SD_CARD(dev);
585 }
586
587 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
588 {
589 sd->readonly_cb = readonly;
590 sd->inserted_cb = insert;
591 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
592 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
593 }
594
595 static void sd_erase(SDState *sd)
596 {
597 int i;
598 uint64_t erase_start = sd->erase_start;
599 uint64_t erase_end = sd->erase_end;
600
601 if (!sd->erase_start || !sd->erase_end) {
602 sd->card_status |= ERASE_SEQ_ERROR;
603 return;
604 }
605
606 if (extract32(sd->ocr, OCR_CCS_BITN, 1)) {
607 /* High capacity memory card: erase units are 512 byte blocks */
608 erase_start *= 512;
609 erase_end *= 512;
610 }
611
612 erase_start = sd_addr_to_wpnum(erase_start);
613 erase_end = sd_addr_to_wpnum(erase_end);
614 sd->erase_start = 0;
615 sd->erase_end = 0;
616 sd->csd[14] |= 0x40;
617
618 for (i = erase_start; i <= erase_end; i++) {
619 if (test_bit(i, sd->wp_groups)) {
620 sd->card_status |= WP_ERASE_SKIP;
621 }
622 }
623 }
624
625 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
626 {
627 uint32_t i, wpnum;
628 uint32_t ret = 0;
629
630 wpnum = sd_addr_to_wpnum(addr);
631
632 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
633 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
634 ret |= (1 << i);
635 }
636 }
637
638 return ret;
639 }
640
641 static void sd_function_switch(SDState *sd, uint32_t arg)
642 {
643 int i, mode, new_func, crc;
644 mode = !!(arg & 0x80000000);
645
646 sd->data[0] = 0x00; /* Maximum current consumption */
647 sd->data[1] = 0x01;
648 sd->data[2] = 0x80; /* Supported group 6 functions */
649 sd->data[3] = 0x01;
650 sd->data[4] = 0x80; /* Supported group 5 functions */
651 sd->data[5] = 0x01;
652 sd->data[6] = 0x80; /* Supported group 4 functions */
653 sd->data[7] = 0x01;
654 sd->data[8] = 0x80; /* Supported group 3 functions */
655 sd->data[9] = 0x01;
656 sd->data[10] = 0x80; /* Supported group 2 functions */
657 sd->data[11] = 0x43;
658 sd->data[12] = 0x80; /* Supported group 1 functions */
659 sd->data[13] = 0x03;
660 for (i = 0; i < 6; i ++) {
661 new_func = (arg >> (i * 4)) & 0x0f;
662 if (mode && new_func != 0x0f)
663 sd->function_group[i] = new_func;
664 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
665 }
666 memset(&sd->data[17], 0, 47);
667 crc = sd_crc16(sd->data, 64);
668 sd->data[65] = crc >> 8;
669 sd->data[66] = crc & 0xff;
670 }
671
672 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
673 {
674 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
675 }
676
677 static void sd_lock_command(SDState *sd)
678 {
679 int erase, lock, clr_pwd, set_pwd, pwd_len;
680 erase = !!(sd->data[0] & 0x08);
681 lock = sd->data[0] & 0x04;
682 clr_pwd = sd->data[0] & 0x02;
683 set_pwd = sd->data[0] & 0x01;
684
685 if (sd->blk_len > 1)
686 pwd_len = sd->data[1];
687 else
688 pwd_len = 0;
689
690 if (erase) {
691 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
692 set_pwd || clr_pwd || lock || sd->wp_switch ||
693 (sd->csd[14] & 0x20)) {
694 sd->card_status |= LOCK_UNLOCK_FAILED;
695 return;
696 }
697 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
698 sd->csd[14] &= ~0x10;
699 sd->card_status &= ~CARD_IS_LOCKED;
700 sd->pwd_len = 0;
701 /* Erasing the entire card here! */
702 fprintf(stderr, "SD: Card force-erased by CMD42\n");
703 return;
704 }
705
706 if (sd->blk_len < 2 + pwd_len ||
707 pwd_len <= sd->pwd_len ||
708 pwd_len > sd->pwd_len + 16) {
709 sd->card_status |= LOCK_UNLOCK_FAILED;
710 return;
711 }
712
713 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
714 sd->card_status |= LOCK_UNLOCK_FAILED;
715 return;
716 }
717
718 pwd_len -= sd->pwd_len;
719 if ((pwd_len && !set_pwd) ||
720 (clr_pwd && (set_pwd || lock)) ||
721 (lock && !sd->pwd_len && !set_pwd) ||
722 (!set_pwd && !clr_pwd &&
723 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
724 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
725 sd->card_status |= LOCK_UNLOCK_FAILED;
726 return;
727 }
728
729 if (set_pwd) {
730 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
731 sd->pwd_len = pwd_len;
732 }
733
734 if (clr_pwd) {
735 sd->pwd_len = 0;
736 }
737
738 if (lock)
739 sd->card_status |= CARD_IS_LOCKED;
740 else
741 sd->card_status &= ~CARD_IS_LOCKED;
742 }
743
744 static sd_rsp_type_t sd_normal_command(SDState *sd,
745 SDRequest req)
746 {
747 uint32_t rca = 0x0000;
748 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
749
750 /* Not interpreting this as an app command */
751 sd->card_status &= ~APP_CMD;
752
753 if (sd_cmd_type[req.cmd & 0x3F] == sd_ac
754 || sd_cmd_type[req.cmd & 0x3F] == sd_adtc) {
755 rca = req.arg >> 16;
756 }
757
758 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
759 * if not, its effects are cancelled */
760 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
761 sd->multi_blk_cnt = 0;
762 }
763
764 DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state);
765 switch (req.cmd) {
766 /* Basic commands (Class 0 and Class 1) */
767 case 0: /* CMD0: GO_IDLE_STATE */
768 switch (sd->state) {
769 case sd_inactive_state:
770 return sd->spi ? sd_r1 : sd_r0;
771
772 default:
773 sd->state = sd_idle_state;
774 sd_reset(DEVICE(sd));
775 return sd->spi ? sd_r1 : sd_r0;
776 }
777 break;
778
779 case 1: /* CMD1: SEND_OP_CMD */
780 if (!sd->spi)
781 goto bad_cmd;
782
783 sd->state = sd_transfer_state;
784 return sd_r1;
785
786 case 2: /* CMD2: ALL_SEND_CID */
787 if (sd->spi)
788 goto bad_cmd;
789 switch (sd->state) {
790 case sd_ready_state:
791 sd->state = sd_identification_state;
792 return sd_r2_i;
793
794 default:
795 break;
796 }
797 break;
798
799 case 3: /* CMD3: SEND_RELATIVE_ADDR */
800 if (sd->spi)
801 goto bad_cmd;
802 switch (sd->state) {
803 case sd_identification_state:
804 case sd_standby_state:
805 sd->state = sd_standby_state;
806 sd_set_rca(sd);
807 return sd_r6;
808
809 default:
810 break;
811 }
812 break;
813
814 case 4: /* CMD4: SEND_DSR */
815 if (sd->spi)
816 goto bad_cmd;
817 switch (sd->state) {
818 case sd_standby_state:
819 break;
820
821 default:
822 break;
823 }
824 break;
825
826 case 5: /* CMD5: reserved for SDIO cards */
827 return sd_illegal;
828
829 case 6: /* CMD6: SWITCH_FUNCTION */
830 if (sd->spi)
831 goto bad_cmd;
832 switch (sd->mode) {
833 case sd_data_transfer_mode:
834 sd_function_switch(sd, req.arg);
835 sd->state = sd_sendingdata_state;
836 sd->data_start = 0;
837 sd->data_offset = 0;
838 return sd_r1;
839
840 default:
841 break;
842 }
843 break;
844
845 case 7: /* CMD7: SELECT/DESELECT_CARD */
846 if (sd->spi)
847 goto bad_cmd;
848 switch (sd->state) {
849 case sd_standby_state:
850 if (sd->rca != rca)
851 return sd_r0;
852
853 sd->state = sd_transfer_state;
854 return sd_r1b;
855
856 case sd_transfer_state:
857 case sd_sendingdata_state:
858 if (sd->rca == rca)
859 break;
860
861 sd->state = sd_standby_state;
862 return sd_r1b;
863
864 case sd_disconnect_state:
865 if (sd->rca != rca)
866 return sd_r0;
867
868 sd->state = sd_programming_state;
869 return sd_r1b;
870
871 case sd_programming_state:
872 if (sd->rca == rca)
873 break;
874
875 sd->state = sd_disconnect_state;
876 return sd_r1b;
877
878 default:
879 break;
880 }
881 break;
882
883 case 8: /* CMD8: SEND_IF_COND */
884 /* Physical Layer Specification Version 2.00 command */
885 switch (sd->state) {
886 case sd_idle_state:
887 sd->vhs = 0;
888
889 /* No response if not exactly one VHS bit is set. */
890 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
891 return sd->spi ? sd_r7 : sd_r0;
892 }
893
894 /* Accept. */
895 sd->vhs = req.arg;
896 return sd_r7;
897
898 default:
899 break;
900 }
901 break;
902
903 case 9: /* CMD9: SEND_CSD */
904 switch (sd->state) {
905 case sd_standby_state:
906 if (sd->rca != rca)
907 return sd_r0;
908
909 return sd_r2_s;
910
911 case sd_transfer_state:
912 if (!sd->spi)
913 break;
914 sd->state = sd_sendingdata_state;
915 memcpy(sd->data, sd->csd, 16);
916 sd->data_start = addr;
917 sd->data_offset = 0;
918 return sd_r1;
919
920 default:
921 break;
922 }
923 break;
924
925 case 10: /* CMD10: SEND_CID */
926 switch (sd->state) {
927 case sd_standby_state:
928 if (sd->rca != rca)
929 return sd_r0;
930
931 return sd_r2_i;
932
933 case sd_transfer_state:
934 if (!sd->spi)
935 break;
936 sd->state = sd_sendingdata_state;
937 memcpy(sd->data, sd->cid, 16);
938 sd->data_start = addr;
939 sd->data_offset = 0;
940 return sd_r1;
941
942 default:
943 break;
944 }
945 break;
946
947 case 11: /* CMD11: READ_DAT_UNTIL_STOP */
948 if (sd->spi)
949 goto bad_cmd;
950 switch (sd->state) {
951 case sd_transfer_state:
952 sd->state = sd_sendingdata_state;
953 sd->data_start = req.arg;
954 sd->data_offset = 0;
955
956 if (sd->data_start + sd->blk_len > sd->size)
957 sd->card_status |= ADDRESS_ERROR;
958 return sd_r0;
959
960 default:
961 break;
962 }
963 break;
964
965 case 12: /* CMD12: STOP_TRANSMISSION */
966 switch (sd->state) {
967 case sd_sendingdata_state:
968 sd->state = sd_transfer_state;
969 return sd_r1b;
970
971 case sd_receivingdata_state:
972 sd->state = sd_programming_state;
973 /* Bzzzzzzztt .... Operation complete. */
974 sd->state = sd_transfer_state;
975 return sd_r1b;
976
977 default:
978 break;
979 }
980 break;
981
982 case 13: /* CMD13: SEND_STATUS */
983 switch (sd->mode) {
984 case sd_data_transfer_mode:
985 if (sd->rca != rca)
986 return sd_r0;
987
988 return sd_r1;
989
990 default:
991 break;
992 }
993 break;
994
995 case 15: /* CMD15: GO_INACTIVE_STATE */
996 if (sd->spi)
997 goto bad_cmd;
998 switch (sd->mode) {
999 case sd_data_transfer_mode:
1000 if (sd->rca != rca)
1001 return sd_r0;
1002
1003 sd->state = sd_inactive_state;
1004 return sd_r0;
1005
1006 default:
1007 break;
1008 }
1009 break;
1010
1011 /* Block read commands (Classs 2) */
1012 case 16: /* CMD16: SET_BLOCKLEN */
1013 switch (sd->state) {
1014 case sd_transfer_state:
1015 if (req.arg > (1 << HWBLOCK_SHIFT))
1016 sd->card_status |= BLOCK_LEN_ERROR;
1017 else
1018 sd->blk_len = req.arg;
1019
1020 return sd_r1;
1021
1022 default:
1023 break;
1024 }
1025 break;
1026
1027 case 17: /* CMD17: READ_SINGLE_BLOCK */
1028 switch (sd->state) {
1029 case sd_transfer_state:
1030 sd->state = sd_sendingdata_state;
1031 sd->data_start = addr;
1032 sd->data_offset = 0;
1033
1034 if (sd->data_start + sd->blk_len > sd->size)
1035 sd->card_status |= ADDRESS_ERROR;
1036 return sd_r1;
1037
1038 default:
1039 break;
1040 }
1041 break;
1042
1043 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1044 switch (sd->state) {
1045 case sd_transfer_state:
1046 sd->state = sd_sendingdata_state;
1047 sd->data_start = addr;
1048 sd->data_offset = 0;
1049
1050 if (sd->data_start + sd->blk_len > sd->size)
1051 sd->card_status |= ADDRESS_ERROR;
1052 return sd_r1;
1053
1054 default:
1055 break;
1056 }
1057 break;
1058
1059 case 23: /* CMD23: SET_BLOCK_COUNT */
1060 switch (sd->state) {
1061 case sd_transfer_state:
1062 sd->multi_blk_cnt = req.arg;
1063 return sd_r1;
1064
1065 default:
1066 break;
1067 }
1068 break;
1069
1070 /* Block write commands (Class 4) */
1071 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1072 if (sd->spi)
1073 goto unimplemented_cmd;
1074 switch (sd->state) {
1075 case sd_transfer_state:
1076 /* Writing in SPI mode not implemented. */
1077 if (sd->spi)
1078 break;
1079 sd->state = sd_receivingdata_state;
1080 sd->data_start = addr;
1081 sd->data_offset = 0;
1082 sd->blk_written = 0;
1083
1084 if (sd->data_start + sd->blk_len > sd->size)
1085 sd->card_status |= ADDRESS_ERROR;
1086 if (sd_wp_addr(sd, sd->data_start))
1087 sd->card_status |= WP_VIOLATION;
1088 if (sd->csd[14] & 0x30)
1089 sd->card_status |= WP_VIOLATION;
1090 return sd_r1;
1091
1092 default:
1093 break;
1094 }
1095 break;
1096
1097 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1098 if (sd->spi)
1099 goto unimplemented_cmd;
1100 switch (sd->state) {
1101 case sd_transfer_state:
1102 /* Writing in SPI mode not implemented. */
1103 if (sd->spi)
1104 break;
1105 sd->state = sd_receivingdata_state;
1106 sd->data_start = addr;
1107 sd->data_offset = 0;
1108 sd->blk_written = 0;
1109
1110 if (sd->data_start + sd->blk_len > sd->size)
1111 sd->card_status |= ADDRESS_ERROR;
1112 if (sd_wp_addr(sd, sd->data_start))
1113 sd->card_status |= WP_VIOLATION;
1114 if (sd->csd[14] & 0x30)
1115 sd->card_status |= WP_VIOLATION;
1116 return sd_r1;
1117
1118 default:
1119 break;
1120 }
1121 break;
1122
1123 case 26: /* CMD26: PROGRAM_CID */
1124 if (sd->spi)
1125 goto bad_cmd;
1126 switch (sd->state) {
1127 case sd_transfer_state:
1128 sd->state = sd_receivingdata_state;
1129 sd->data_start = 0;
1130 sd->data_offset = 0;
1131 return sd_r1;
1132
1133 default:
1134 break;
1135 }
1136 break;
1137
1138 case 27: /* CMD27: PROGRAM_CSD */
1139 if (sd->spi)
1140 goto unimplemented_cmd;
1141 switch (sd->state) {
1142 case sd_transfer_state:
1143 sd->state = sd_receivingdata_state;
1144 sd->data_start = 0;
1145 sd->data_offset = 0;
1146 return sd_r1;
1147
1148 default:
1149 break;
1150 }
1151 break;
1152
1153 /* Write protection (Class 6) */
1154 case 28: /* CMD28: SET_WRITE_PROT */
1155 switch (sd->state) {
1156 case sd_transfer_state:
1157 if (addr >= sd->size) {
1158 sd->card_status |= ADDRESS_ERROR;
1159 return sd_r1b;
1160 }
1161
1162 sd->state = sd_programming_state;
1163 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1164 /* Bzzzzzzztt .... Operation complete. */
1165 sd->state = sd_transfer_state;
1166 return sd_r1b;
1167
1168 default:
1169 break;
1170 }
1171 break;
1172
1173 case 29: /* CMD29: CLR_WRITE_PROT */
1174 switch (sd->state) {
1175 case sd_transfer_state:
1176 if (addr >= sd->size) {
1177 sd->card_status |= ADDRESS_ERROR;
1178 return sd_r1b;
1179 }
1180
1181 sd->state = sd_programming_state;
1182 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1183 /* Bzzzzzzztt .... Operation complete. */
1184 sd->state = sd_transfer_state;
1185 return sd_r1b;
1186
1187 default:
1188 break;
1189 }
1190 break;
1191
1192 case 30: /* CMD30: SEND_WRITE_PROT */
1193 switch (sd->state) {
1194 case sd_transfer_state:
1195 sd->state = sd_sendingdata_state;
1196 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1197 sd->data_start = addr;
1198 sd->data_offset = 0;
1199 return sd_r1b;
1200
1201 default:
1202 break;
1203 }
1204 break;
1205
1206 /* Erase commands (Class 5) */
1207 case 32: /* CMD32: ERASE_WR_BLK_START */
1208 switch (sd->state) {
1209 case sd_transfer_state:
1210 sd->erase_start = req.arg;
1211 return sd_r1;
1212
1213 default:
1214 break;
1215 }
1216 break;
1217
1218 case 33: /* CMD33: ERASE_WR_BLK_END */
1219 switch (sd->state) {
1220 case sd_transfer_state:
1221 sd->erase_end = req.arg;
1222 return sd_r1;
1223
1224 default:
1225 break;
1226 }
1227 break;
1228
1229 case 38: /* CMD38: ERASE */
1230 switch (sd->state) {
1231 case sd_transfer_state:
1232 if (sd->csd[14] & 0x30) {
1233 sd->card_status |= WP_VIOLATION;
1234 return sd_r1b;
1235 }
1236
1237 sd->state = sd_programming_state;
1238 sd_erase(sd);
1239 /* Bzzzzzzztt .... Operation complete. */
1240 sd->state = sd_transfer_state;
1241 return sd_r1b;
1242
1243 default:
1244 break;
1245 }
1246 break;
1247
1248 /* Lock card commands (Class 7) */
1249 case 42: /* CMD42: LOCK_UNLOCK */
1250 if (sd->spi)
1251 goto unimplemented_cmd;
1252 switch (sd->state) {
1253 case sd_transfer_state:
1254 sd->state = sd_receivingdata_state;
1255 sd->data_start = 0;
1256 sd->data_offset = 0;
1257 return sd_r1;
1258
1259 default:
1260 break;
1261 }
1262 break;
1263
1264 case 52:
1265 case 53:
1266 /* CMD52, CMD53: reserved for SDIO cards
1267 * (see the SDIO Simplified Specification V2.0)
1268 * Handle as illegal command but do not complain
1269 * on stderr, as some OSes may use these in their
1270 * probing for presence of an SDIO card.
1271 */
1272 return sd_illegal;
1273
1274 /* Application specific commands (Class 8) */
1275 case 55: /* CMD55: APP_CMD */
1276 if (sd->rca != rca)
1277 return sd_r0;
1278
1279 sd->expecting_acmd = true;
1280 sd->card_status |= APP_CMD;
1281 return sd_r1;
1282
1283 case 56: /* CMD56: GEN_CMD */
1284 fprintf(stderr, "SD: GEN_CMD 0x%08x\n", req.arg);
1285
1286 switch (sd->state) {
1287 case sd_transfer_state:
1288 sd->data_offset = 0;
1289 if (req.arg & 1)
1290 sd->state = sd_sendingdata_state;
1291 else
1292 sd->state = sd_receivingdata_state;
1293 return sd_r1;
1294
1295 default:
1296 break;
1297 }
1298 break;
1299
1300 default:
1301 bad_cmd:
1302 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1303 return sd_illegal;
1304
1305 unimplemented_cmd:
1306 /* Commands that are recognised but not yet implemented in SPI mode. */
1307 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1308 req.cmd);
1309 return sd_illegal;
1310 }
1311
1312 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1313 return sd_illegal;
1314 }
1315
1316 static sd_rsp_type_t sd_app_command(SDState *sd,
1317 SDRequest req)
1318 {
1319 DPRINTF("ACMD%d 0x%08x\n", req.cmd, req.arg);
1320 sd->card_status |= APP_CMD;
1321 switch (req.cmd) {
1322 case 6: /* ACMD6: SET_BUS_WIDTH */
1323 switch (sd->state) {
1324 case sd_transfer_state:
1325 sd->sd_status[0] &= 0x3f;
1326 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1327 return sd_r1;
1328
1329 default:
1330 break;
1331 }
1332 break;
1333
1334 case 13: /* ACMD13: SD_STATUS */
1335 switch (sd->state) {
1336 case sd_transfer_state:
1337 sd->state = sd_sendingdata_state;
1338 sd->data_start = 0;
1339 sd->data_offset = 0;
1340 return sd_r1;
1341
1342 default:
1343 break;
1344 }
1345 break;
1346
1347 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1348 switch (sd->state) {
1349 case sd_transfer_state:
1350 *(uint32_t *) sd->data = sd->blk_written;
1351
1352 sd->state = sd_sendingdata_state;
1353 sd->data_start = 0;
1354 sd->data_offset = 0;
1355 return sd_r1;
1356
1357 default:
1358 break;
1359 }
1360 break;
1361
1362 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1363 switch (sd->state) {
1364 case sd_transfer_state:
1365 return sd_r1;
1366
1367 default:
1368 break;
1369 }
1370 break;
1371
1372 case 41: /* ACMD41: SD_APP_OP_COND */
1373 if (sd->spi) {
1374 /* SEND_OP_CMD */
1375 sd->state = sd_transfer_state;
1376 return sd_r1;
1377 }
1378 switch (sd->state) {
1379 case sd_idle_state:
1380 /* If it's the first ACMD41 since reset, we need to decide
1381 * whether to power up. If this is not an enquiry ACMD41,
1382 * we immediately report power on and proceed below to the
1383 * ready state, but if it is, we set a timer to model a
1384 * delay for power up. This works around a bug in EDK2
1385 * UEFI, which sends an initial enquiry ACMD41, but
1386 * assumes that the card is in ready state as soon as it
1387 * sees the power up bit set. */
1388 if (!(sd->ocr & OCR_POWER_UP)) {
1389 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1390 timer_del(sd->ocr_power_timer);
1391 sd_ocr_powerup(sd);
1392 } else if (!timer_pending(sd->ocr_power_timer)) {
1393 timer_mod_ns(sd->ocr_power_timer,
1394 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1395 + OCR_POWER_DELAY_NS));
1396 }
1397 }
1398
1399 /* We accept any voltage. 10000 V is nothing.
1400 *
1401 * Once we're powered up, we advance straight to ready state
1402 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1403 */
1404 if (req.arg & ACMD41_ENQUIRY_MASK) {
1405 sd->state = sd_ready_state;
1406 }
1407
1408 return sd_r3;
1409
1410 default:
1411 break;
1412 }
1413 break;
1414
1415 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1416 switch (sd->state) {
1417 case sd_transfer_state:
1418 /* Bringing in the 50KOhm pull-up resistor... Done. */
1419 return sd_r1;
1420
1421 default:
1422 break;
1423 }
1424 break;
1425
1426 case 51: /* ACMD51: SEND_SCR */
1427 switch (sd->state) {
1428 case sd_transfer_state:
1429 sd->state = sd_sendingdata_state;
1430 sd->data_start = 0;
1431 sd->data_offset = 0;
1432 return sd_r1;
1433
1434 default:
1435 break;
1436 }
1437 break;
1438
1439 default:
1440 /* Fall back to standard commands. */
1441 return sd_normal_command(sd, req);
1442 }
1443
1444 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1445 return sd_illegal;
1446 }
1447
1448 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1449 {
1450 /* Valid commands in locked state:
1451 * basic class (0)
1452 * lock card class (7)
1453 * CMD16
1454 * implicitly, the ACMD prefix CMD55
1455 * ACMD41 and ACMD42
1456 * Anything else provokes an "illegal command" response.
1457 */
1458 if (sd->expecting_acmd) {
1459 return req->cmd == 41 || req->cmd == 42;
1460 }
1461 if (req->cmd == 16 || req->cmd == 55) {
1462 return 1;
1463 }
1464 return sd_cmd_class[req->cmd & 0x3F] == 0
1465 || sd_cmd_class[req->cmd & 0x3F] == 7;
1466 }
1467
1468 int sd_do_command(SDState *sd, SDRequest *req,
1469 uint8_t *response) {
1470 int last_state;
1471 sd_rsp_type_t rtype;
1472 int rsplen;
1473
1474 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1475 return 0;
1476 }
1477
1478 if (sd_req_crc_validate(req)) {
1479 sd->card_status |= COM_CRC_ERROR;
1480 rtype = sd_illegal;
1481 goto send_response;
1482 }
1483
1484 if (sd->card_status & CARD_IS_LOCKED) {
1485 if (!cmd_valid_while_locked(sd, req)) {
1486 sd->card_status |= ILLEGAL_COMMAND;
1487 sd->expecting_acmd = false;
1488 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1489 rtype = sd_illegal;
1490 goto send_response;
1491 }
1492 }
1493
1494 last_state = sd->state;
1495 sd_set_mode(sd);
1496
1497 if (sd->expecting_acmd) {
1498 sd->expecting_acmd = false;
1499 rtype = sd_app_command(sd, *req);
1500 } else {
1501 rtype = sd_normal_command(sd, *req);
1502 }
1503
1504 if (rtype == sd_illegal) {
1505 sd->card_status |= ILLEGAL_COMMAND;
1506 } else {
1507 /* Valid command, we can update the 'state before command' bits.
1508 * (Do this now so they appear in r1 responses.)
1509 */
1510 sd->current_cmd = req->cmd;
1511 sd->card_status &= ~CURRENT_STATE;
1512 sd->card_status |= (last_state << 9);
1513 }
1514
1515 send_response:
1516 switch (rtype) {
1517 case sd_r1:
1518 case sd_r1b:
1519 sd_response_r1_make(sd, response);
1520 rsplen = 4;
1521 break;
1522
1523 case sd_r2_i:
1524 memcpy(response, sd->cid, sizeof(sd->cid));
1525 rsplen = 16;
1526 break;
1527
1528 case sd_r2_s:
1529 memcpy(response, sd->csd, sizeof(sd->csd));
1530 rsplen = 16;
1531 break;
1532
1533 case sd_r3:
1534 sd_response_r3_make(sd, response);
1535 rsplen = 4;
1536 break;
1537
1538 case sd_r6:
1539 sd_response_r6_make(sd, response);
1540 rsplen = 4;
1541 break;
1542
1543 case sd_r7:
1544 sd_response_r7_make(sd, response);
1545 rsplen = 4;
1546 break;
1547
1548 case sd_r0:
1549 case sd_illegal:
1550 default:
1551 rsplen = 0;
1552 break;
1553 }
1554
1555 if (rtype != sd_illegal) {
1556 /* Clear the "clear on valid command" status bits now we've
1557 * sent any response
1558 */
1559 sd->card_status &= ~CARD_STATUS_B;
1560 }
1561
1562 #ifdef DEBUG_SD
1563 if (rsplen) {
1564 int i;
1565 DPRINTF("Response:");
1566 for (i = 0; i < rsplen; i++)
1567 fprintf(stderr, " %02x", response[i]);
1568 fprintf(stderr, " state %d\n", sd->state);
1569 } else {
1570 DPRINTF("No response %d\n", sd->state);
1571 }
1572 #endif
1573
1574 return rsplen;
1575 }
1576
1577 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1578 {
1579 uint64_t end = addr + len;
1580
1581 DPRINTF("sd_blk_read: addr = 0x%08llx, len = %d\n",
1582 (unsigned long long) addr, len);
1583 if (!sd->blk || blk_read(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1584 fprintf(stderr, "sd_blk_read: read error on host side\n");
1585 return;
1586 }
1587
1588 if (end > (addr & ~511) + 512) {
1589 memcpy(sd->data, sd->buf + (addr & 511), 512 - (addr & 511));
1590
1591 if (blk_read(sd->blk, end >> 9, sd->buf, 1) < 0) {
1592 fprintf(stderr, "sd_blk_read: read error on host side\n");
1593 return;
1594 }
1595 memcpy(sd->data + 512 - (addr & 511), sd->buf, end & 511);
1596 } else
1597 memcpy(sd->data, sd->buf + (addr & 511), len);
1598 }
1599
1600 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1601 {
1602 uint64_t end = addr + len;
1603
1604 if ((addr & 511) || len < 512)
1605 if (!sd->blk || blk_read(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1606 fprintf(stderr, "sd_blk_write: read error on host side\n");
1607 return;
1608 }
1609
1610 if (end > (addr & ~511) + 512) {
1611 memcpy(sd->buf + (addr & 511), sd->data, 512 - (addr & 511));
1612 if (blk_write(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1613 fprintf(stderr, "sd_blk_write: write error on host side\n");
1614 return;
1615 }
1616
1617 if (blk_read(sd->blk, end >> 9, sd->buf, 1) < 0) {
1618 fprintf(stderr, "sd_blk_write: read error on host side\n");
1619 return;
1620 }
1621 memcpy(sd->buf, sd->data + 512 - (addr & 511), end & 511);
1622 if (blk_write(sd->blk, end >> 9, sd->buf, 1) < 0) {
1623 fprintf(stderr, "sd_blk_write: write error on host side\n");
1624 }
1625 } else {
1626 memcpy(sd->buf + (addr & 511), sd->data, len);
1627 if (!sd->blk || blk_write(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1628 fprintf(stderr, "sd_blk_write: write error on host side\n");
1629 }
1630 }
1631 }
1632
1633 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1634 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1635 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1636 #define APP_WRITE_BLOCK(a, len)
1637
1638 void sd_write_data(SDState *sd, uint8_t value)
1639 {
1640 int i;
1641
1642 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1643 return;
1644
1645 if (sd->state != sd_receivingdata_state) {
1646 qemu_log_mask(LOG_GUEST_ERROR,
1647 "sd_write_data: not in Receiving-Data state\n");
1648 return;
1649 }
1650
1651 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1652 return;
1653
1654 switch (sd->current_cmd) {
1655 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1656 sd->data[sd->data_offset ++] = value;
1657 if (sd->data_offset >= sd->blk_len) {
1658 /* TODO: Check CRC before committing */
1659 sd->state = sd_programming_state;
1660 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1661 sd->blk_written ++;
1662 sd->csd[14] |= 0x40;
1663 /* Bzzzzzzztt .... Operation complete. */
1664 sd->state = sd_transfer_state;
1665 }
1666 break;
1667
1668 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1669 if (sd->data_offset == 0) {
1670 /* Start of the block - let's check the address is valid */
1671 if (sd->data_start + sd->blk_len > sd->size) {
1672 sd->card_status |= ADDRESS_ERROR;
1673 break;
1674 }
1675 if (sd_wp_addr(sd, sd->data_start)) {
1676 sd->card_status |= WP_VIOLATION;
1677 break;
1678 }
1679 }
1680 sd->data[sd->data_offset++] = value;
1681 if (sd->data_offset >= sd->blk_len) {
1682 /* TODO: Check CRC before committing */
1683 sd->state = sd_programming_state;
1684 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1685 sd->blk_written++;
1686 sd->data_start += sd->blk_len;
1687 sd->data_offset = 0;
1688 sd->csd[14] |= 0x40;
1689
1690 /* Bzzzzzzztt .... Operation complete. */
1691 if (sd->multi_blk_cnt != 0) {
1692 if (--sd->multi_blk_cnt == 0) {
1693 /* Stop! */
1694 sd->state = sd_transfer_state;
1695 break;
1696 }
1697 }
1698
1699 sd->state = sd_receivingdata_state;
1700 }
1701 break;
1702
1703 case 26: /* CMD26: PROGRAM_CID */
1704 sd->data[sd->data_offset ++] = value;
1705 if (sd->data_offset >= sizeof(sd->cid)) {
1706 /* TODO: Check CRC before committing */
1707 sd->state = sd_programming_state;
1708 for (i = 0; i < sizeof(sd->cid); i ++)
1709 if ((sd->cid[i] | 0x00) != sd->data[i])
1710 sd->card_status |= CID_CSD_OVERWRITE;
1711
1712 if (!(sd->card_status & CID_CSD_OVERWRITE))
1713 for (i = 0; i < sizeof(sd->cid); i ++) {
1714 sd->cid[i] |= 0x00;
1715 sd->cid[i] &= sd->data[i];
1716 }
1717 /* Bzzzzzzztt .... Operation complete. */
1718 sd->state = sd_transfer_state;
1719 }
1720 break;
1721
1722 case 27: /* CMD27: PROGRAM_CSD */
1723 sd->data[sd->data_offset ++] = value;
1724 if (sd->data_offset >= sizeof(sd->csd)) {
1725 /* TODO: Check CRC before committing */
1726 sd->state = sd_programming_state;
1727 for (i = 0; i < sizeof(sd->csd); i ++)
1728 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1729 (sd->data[i] | sd_csd_rw_mask[i]))
1730 sd->card_status |= CID_CSD_OVERWRITE;
1731
1732 /* Copy flag (OTP) & Permanent write protect */
1733 if (sd->csd[14] & ~sd->data[14] & 0x60)
1734 sd->card_status |= CID_CSD_OVERWRITE;
1735
1736 if (!(sd->card_status & CID_CSD_OVERWRITE))
1737 for (i = 0; i < sizeof(sd->csd); i ++) {
1738 sd->csd[i] |= sd_csd_rw_mask[i];
1739 sd->csd[i] &= sd->data[i];
1740 }
1741 /* Bzzzzzzztt .... Operation complete. */
1742 sd->state = sd_transfer_state;
1743 }
1744 break;
1745
1746 case 42: /* CMD42: LOCK_UNLOCK */
1747 sd->data[sd->data_offset ++] = value;
1748 if (sd->data_offset >= sd->blk_len) {
1749 /* TODO: Check CRC before committing */
1750 sd->state = sd_programming_state;
1751 sd_lock_command(sd);
1752 /* Bzzzzzzztt .... Operation complete. */
1753 sd->state = sd_transfer_state;
1754 }
1755 break;
1756
1757 case 56: /* CMD56: GEN_CMD */
1758 sd->data[sd->data_offset ++] = value;
1759 if (sd->data_offset >= sd->blk_len) {
1760 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1761 sd->state = sd_transfer_state;
1762 }
1763 break;
1764
1765 default:
1766 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1767 break;
1768 }
1769 }
1770
1771 uint8_t sd_read_data(SDState *sd)
1772 {
1773 /* TODO: Append CRCs */
1774 uint8_t ret;
1775 int io_len;
1776
1777 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1778 return 0x00;
1779
1780 if (sd->state != sd_sendingdata_state) {
1781 qemu_log_mask(LOG_GUEST_ERROR,
1782 "sd_read_data: not in Sending-Data state\n");
1783 return 0x00;
1784 }
1785
1786 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1787 return 0x00;
1788
1789 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1790
1791 switch (sd->current_cmd) {
1792 case 6: /* CMD6: SWITCH_FUNCTION */
1793 ret = sd->data[sd->data_offset ++];
1794
1795 if (sd->data_offset >= 64)
1796 sd->state = sd_transfer_state;
1797 break;
1798
1799 case 9: /* CMD9: SEND_CSD */
1800 case 10: /* CMD10: SEND_CID */
1801 ret = sd->data[sd->data_offset ++];
1802
1803 if (sd->data_offset >= 16)
1804 sd->state = sd_transfer_state;
1805 break;
1806
1807 case 11: /* CMD11: READ_DAT_UNTIL_STOP */
1808 if (sd->data_offset == 0)
1809 BLK_READ_BLOCK(sd->data_start, io_len);
1810 ret = sd->data[sd->data_offset ++];
1811
1812 if (sd->data_offset >= io_len) {
1813 sd->data_start += io_len;
1814 sd->data_offset = 0;
1815 if (sd->data_start + io_len > sd->size) {
1816 sd->card_status |= ADDRESS_ERROR;
1817 break;
1818 }
1819 }
1820 break;
1821
1822 case 13: /* ACMD13: SD_STATUS */
1823 ret = sd->sd_status[sd->data_offset ++];
1824
1825 if (sd->data_offset >= sizeof(sd->sd_status))
1826 sd->state = sd_transfer_state;
1827 break;
1828
1829 case 17: /* CMD17: READ_SINGLE_BLOCK */
1830 if (sd->data_offset == 0)
1831 BLK_READ_BLOCK(sd->data_start, io_len);
1832 ret = sd->data[sd->data_offset ++];
1833
1834 if (sd->data_offset >= io_len)
1835 sd->state = sd_transfer_state;
1836 break;
1837
1838 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1839 if (sd->data_offset == 0)
1840 BLK_READ_BLOCK(sd->data_start, io_len);
1841 ret = sd->data[sd->data_offset ++];
1842
1843 if (sd->data_offset >= io_len) {
1844 sd->data_start += io_len;
1845 sd->data_offset = 0;
1846
1847 if (sd->multi_blk_cnt != 0) {
1848 if (--sd->multi_blk_cnt == 0) {
1849 /* Stop! */
1850 sd->state = sd_transfer_state;
1851 break;
1852 }
1853 }
1854
1855 if (sd->data_start + io_len > sd->size) {
1856 sd->card_status |= ADDRESS_ERROR;
1857 break;
1858 }
1859 }
1860 break;
1861
1862 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1863 ret = sd->data[sd->data_offset ++];
1864
1865 if (sd->data_offset >= 4)
1866 sd->state = sd_transfer_state;
1867 break;
1868
1869 case 30: /* CMD30: SEND_WRITE_PROT */
1870 ret = sd->data[sd->data_offset ++];
1871
1872 if (sd->data_offset >= 4)
1873 sd->state = sd_transfer_state;
1874 break;
1875
1876 case 51: /* ACMD51: SEND_SCR */
1877 ret = sd->scr[sd->data_offset ++];
1878
1879 if (sd->data_offset >= sizeof(sd->scr))
1880 sd->state = sd_transfer_state;
1881 break;
1882
1883 case 56: /* CMD56: GEN_CMD */
1884 if (sd->data_offset == 0)
1885 APP_READ_BLOCK(sd->data_start, sd->blk_len);
1886 ret = sd->data[sd->data_offset ++];
1887
1888 if (sd->data_offset >= sd->blk_len)
1889 sd->state = sd_transfer_state;
1890 break;
1891
1892 default:
1893 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
1894 return 0x00;
1895 }
1896
1897 return ret;
1898 }
1899
1900 bool sd_data_ready(SDState *sd)
1901 {
1902 return sd->state == sd_sendingdata_state;
1903 }
1904
1905 void sd_enable(SDState *sd, bool enable)
1906 {
1907 sd->enable = enable;
1908 }
1909
1910 static void sd_instance_init(Object *obj)
1911 {
1912 SDState *sd = SD_CARD(obj);
1913
1914 sd->enable = true;
1915 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
1916 }
1917
1918 static void sd_realize(DeviceState *dev, Error **errp)
1919 {
1920 SDState *sd = SD_CARD(dev);
1921
1922 if (sd->blk && blk_is_read_only(sd->blk)) {
1923 error_setg(errp, "Cannot use read-only drive as SD card");
1924 return;
1925 }
1926
1927 sd->buf = blk_blockalign(sd->blk, 512);
1928
1929 if (sd->blk) {
1930 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
1931 }
1932 }
1933
1934 static Property sd_properties[] = {
1935 DEFINE_PROP_DRIVE("drive", SDState, blk),
1936 /* We do not model the chip select pin, so allow the board to select
1937 * whether card should be in SSI or MMC/SD mode. It is also up to the
1938 * board to ensure that ssi transfers only occur when the chip select
1939 * is asserted. */
1940 DEFINE_PROP_BOOL("spi", SDState, spi, false),
1941 DEFINE_PROP_END_OF_LIST()
1942 };
1943
1944 static void sd_class_init(ObjectClass *klass, void *data)
1945 {
1946 DeviceClass *dc = DEVICE_CLASS(klass);
1947 SDCardClass *sc = SD_CARD_CLASS(klass);
1948
1949 dc->realize = sd_realize;
1950 dc->props = sd_properties;
1951 dc->vmsd = &sd_vmstate;
1952 dc->reset = sd_reset;
1953 dc->bus_type = TYPE_SD_BUS;
1954
1955 sc->do_command = sd_do_command;
1956 sc->write_data = sd_write_data;
1957 sc->read_data = sd_read_data;
1958 sc->data_ready = sd_data_ready;
1959 sc->enable = sd_enable;
1960 sc->get_inserted = sd_get_inserted;
1961 sc->get_readonly = sd_get_readonly;
1962 }
1963
1964 static const TypeInfo sd_info = {
1965 .name = TYPE_SD_CARD,
1966 .parent = TYPE_DEVICE,
1967 .instance_size = sizeof(SDState),
1968 .class_size = sizeof(SDCardClass),
1969 .class_init = sd_class_init,
1970 .instance_init = sd_instance_init,
1971 };
1972
1973 static void sd_register_types(void)
1974 {
1975 type_register_static(&sd_info);
1976 }
1977
1978 type_init(sd_register_types)
AR7 emulation for QEMU