search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
memory: Simplify memory_region_init_rom_device_nomigrate() calls
[qemu/ar7.git] / hw / sd / sd.c
blob807b5d3de321661017109232e168093868809514
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state,
81 sd_identification_state,
82 sd_standby_state,
83 sd_transfer_state,
84 sd_sendingdata_state,
85 sd_receivingdata_state,
86 sd_programming_state,
87 sd_disconnect_state,
88 };
89
90 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
91
92 typedef struct SDProto {
93 const char *name;
94 sd_cmd_handler cmd[SDMMC_CMD_MAX];
95 sd_cmd_handler acmd[SDMMC_CMD_MAX];
96 } SDProto;
97
98 struct SDState {
99 DeviceState parent_obj;
100
101 /* If true, created by sd_init() for a non-qdevified caller */
102 /* TODO purge them with fire */
103 bool me_no_qdev_me_kill_mammoth_with_rocks;
104
105 /* SD Memory Card Registers */
106 uint32_t ocr;
107 uint8_t scr[8];
108 uint8_t cid[16];
109 uint8_t csd[16];
110 uint16_t rca;
111 uint32_t card_status;
112 uint8_t sd_status[64];
113
114 /* Static properties */
115
116 uint8_t spec_version;
117 BlockBackend *blk;
118
119 /* Runtime changeables */
120
121 uint32_t mode; /* current card mode, one of SDCardModes */
122 int32_t state; /* current card state, one of SDCardStates */
123 uint32_t vhs;
124 bool wp_switch;
125 unsigned long *wp_group_bmap;
126 int32_t wp_group_bits;
127 uint64_t size;
128 uint32_t blk_len;
129 uint32_t multi_blk_cnt;
130 uint32_t erase_start;
131 uint32_t erase_end;
132 uint8_t pwd[16];
133 uint32_t pwd_len;
134 uint8_t function_group[6];
135 uint8_t current_cmd;
136 /* True if we will handle the next command as an ACMD. Note that this does
137 * *not* track the APP_CMD status bit!
138 */
139 bool expecting_acmd;
140 uint32_t blk_written;
141 uint64_t data_start;
142 uint32_t data_offset;
143 uint8_t data[512];
144 qemu_irq readonly_cb;
145 qemu_irq inserted_cb;
146 QEMUTimer *ocr_power_timer;
147 bool enable;
148 uint8_t dat_lines;
149 bool cmd_line;
150 };
151
152 static void sd_realize(DeviceState *dev, Error **errp);
153
154 static const struct SDProto *sd_proto(SDState *sd)
155 {
156 SDCardClass *sc = SD_CARD_GET_CLASS(sd);
157
158 return sc->proto;
159 }
160
161 static const SDProto sd_proto_spi;
162
163 static bool sd_is_spi(SDState *sd)
164 {
165 return sd_proto(sd) == &sd_proto_spi;
166 }
167
168 static const char *sd_version_str(enum SDPhySpecificationVersion version)
169 {
170 static const char *sdphy_version[] = {
171 [SD_PHY_SPECv1_10_VERS] = "v1.10",
172 [SD_PHY_SPECv2_00_VERS] = "v2.00",
173 [SD_PHY_SPECv3_01_VERS] = "v3.01",
174 };
175 if (version >= ARRAY_SIZE(sdphy_version)) {
176 return "unsupported version";
177 }
178 return sdphy_version[version];
179 }
180
181 static const char *sd_state_name(enum SDCardStates state)
182 {
183 static const char *state_name[] = {
184 [sd_idle_state] = "idle",
185 [sd_ready_state] = "ready",
186 [sd_identification_state] = "identification",
187 [sd_standby_state] = "standby",
188 [sd_transfer_state] = "transfer",
189 [sd_sendingdata_state] = "sendingdata",
190 [sd_receivingdata_state] = "receivingdata",
191 [sd_programming_state] = "programming",
192 [sd_disconnect_state] = "disconnect",
193 };
194 if (state == sd_inactive_state) {
195 return "inactive";
196 }
197 assert(state < ARRAY_SIZE(state_name));
198 return state_name[state];
199 }
200
201 static const char *sd_response_name(sd_rsp_type_t rsp)
202 {
203 static const char *response_name[] = {
204 [sd_r0] = "RESP#0 (no response)",
205 [sd_r1] = "RESP#1 (normal cmd)",
206 [sd_r2_i] = "RESP#2 (CID reg)",
207 [sd_r2_s] = "RESP#2 (CSD reg)",
208 [sd_r3] = "RESP#3 (OCR reg)",
209 [sd_r6] = "RESP#6 (RCA)",
210 [sd_r7] = "RESP#7 (operating voltage)",
211 };
212 if (rsp == sd_illegal) {
213 return "ILLEGAL RESP";
214 }
215 if (rsp == sd_r1b) {
216 rsp = sd_r1;
217 }
218 assert(rsp < ARRAY_SIZE(response_name));
219 return response_name[rsp];
220 }
221
222 static uint8_t sd_get_dat_lines(SDState *sd)
223 {
224 return sd->enable ? sd->dat_lines : 0;
225 }
226
227 static bool sd_get_cmd_line(SDState *sd)
228 {
229 return sd->enable ? sd->cmd_line : false;
230 }
231
232 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
233 {
234 trace_sdcard_set_voltage(millivolts);
235
236 switch (millivolts) {
237 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
238 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
239 break;
240 default:
241 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
242 millivolts / 1000.f);
243 }
244 }
245
246 static void sd_set_mode(SDState *sd)
247 {
248 switch (sd->state) {
249 case sd_inactive_state:
250 sd->mode = sd_inactive;
251 break;
252
253 case sd_idle_state:
254 case sd_ready_state:
255 case sd_identification_state:
256 sd->mode = sd_card_identification_mode;
257 break;
258
259 case sd_standby_state:
260 case sd_transfer_state:
261 case sd_sendingdata_state:
262 case sd_receivingdata_state:
263 case sd_programming_state:
264 case sd_disconnect_state:
265 sd->mode = sd_data_transfer_mode;
266 break;
267 }
268 }
269
270 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
271 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
272 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
273 /* 16 */
274 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
275 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
276 /* 32 */
277 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
278 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
279 /* 48 */
280 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
281 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
282 };
283
284 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
285 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
286 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
287 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
288 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
289 };
290
291 static uint8_t sd_crc7(const void *message, size_t width)
292 {
293 int i, bit;
294 uint8_t shift_reg = 0x00;
295 const uint8_t *msg = (const uint8_t *)message;
296
297 for (i = 0; i < width; i ++, msg ++)
298 for (bit = 7; bit >= 0; bit --) {
299 shift_reg <<= 1;
300 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
301 shift_reg ^= 0x89;
302 }
303
304 return shift_reg;
305 }
306
307 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
308
309 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
310 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
311 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
312 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
313 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
314 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
315 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
316 FIELD(OCR, CARD_POWER_UP, 31, 1)
317
318 #define ACMD41_ENQUIRY_MASK 0x00ffffff
319 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
320 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
321 | R_OCR_UHS_II_CARD_MASK \
322 | R_OCR_CARD_CAPACITY_MASK \
323 | R_OCR_CARD_POWER_UP_MASK)
324
325 static void sd_ocr_powerup(void *opaque)
326 {
327 SDState *sd = opaque;
328
329 trace_sdcard_powerup();
330 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
331
332 /* card power-up OK */
333 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
334
335 if (sd->size > SDSC_MAX_CAPACITY) {
336 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
337 }
338 }
339
340 static void sd_set_ocr(SDState *sd)
341 {
342 /* All voltages OK */
343 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
344
345 if (sd_is_spi(sd)) {
346 /*
347 * We don't need to emulate power up sequence in SPI-mode.
348 * Thus, the card's power up status bit should be set to 1 when reset.
349 * The card's capacity status bit should also be set if SD card size
350 * is larger than 2GB for SDHC support.
351 */
352 sd_ocr_powerup(sd);
353 }
354 }
355
356 static void sd_set_scr(SDState *sd)
357 {
358 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
359 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
360 sd->scr[0] |= 1; /* Spec Version 1.10 */
361 } else {
362 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
363 }
364 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
365 | 0b0101; /* 1-bit or 4-bit width bus modes */
366 sd->scr[2] = 0x00; /* Extended Security is not supported. */
367 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
368 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
369 }
370 sd->scr[3] = 0x00;
371 /* reserved for manufacturer usage */
372 sd->scr[4] = 0x00;
373 sd->scr[5] = 0x00;
374 sd->scr[6] = 0x00;
375 sd->scr[7] = 0x00;
376 }
377
378 #define MID 0xaa
379 #define OID "XY"
380 #define PNM "QEMU!"
381 #define PRV 0x01
382 #define MDT_YR 2006
383 #define MDT_MON 2
384
385 static void sd_set_cid(SDState *sd)
386 {
387 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
388 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
389 sd->cid[2] = OID[1];
390 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
391 sd->cid[4] = PNM[1];
392 sd->cid[5] = PNM[2];
393 sd->cid[6] = PNM[3];
394 sd->cid[7] = PNM[4];
395 sd->cid[8] = PRV; /* Fake product revision (PRV) */
396 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
397 sd->cid[10] = 0xad;
398 sd->cid[11] = 0xbe;
399 sd->cid[12] = 0xef;
400 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
401 ((MDT_YR - 2000) / 10);
402 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
403 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
404 }
405
406 #define HWBLOCK_SHIFT 9 /* 512 bytes */
407 #define SECTOR_SHIFT 5 /* 16 kilobytes */
408 #define WPGROUP_SHIFT 7 /* 2 megs */
409 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
410 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
411
412 static const uint8_t sd_csd_rw_mask[16] = {
413 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
415 };
416
417 static void sd_set_csd(SDState *sd, uint64_t size)
418 {
419 int hwblock_shift = HWBLOCK_SHIFT;
420 uint32_t csize;
421 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
422 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
423
424 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
425 if (size == SDSC_MAX_CAPACITY) {
426 hwblock_shift += 1;
427 }
428 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
429
430 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
431 sd->csd[0] = 0x00; /* CSD structure */
432 sd->csd[1] = 0x26; /* Data read access-time-1 */
433 sd->csd[2] = 0x00; /* Data read access-time-2 */
434 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
435 sd->csd[4] = 0x5f; /* Card Command Classes */
436 sd->csd[5] = 0x50 | /* Max. read data block length */
437 hwblock_shift;
438 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
439 ((csize >> 10) & 0x03);
440 sd->csd[7] = 0x00 | /* Device size */
441 ((csize >> 2) & 0xff);
442 sd->csd[8] = 0x3f | /* Max. read current */
443 ((csize << 6) & 0xc0);
444 sd->csd[9] = 0xfc | /* Max. write current */
445 ((CMULT_SHIFT - 2) >> 1);
446 sd->csd[10] = 0x40 | /* Erase sector size */
447 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
448 sd->csd[11] = 0x00 | /* Write protect group size */
449 ((sectsize << 7) & 0x80) | wpsize;
450 sd->csd[12] = 0x90 | /* Write speed factor */
451 (hwblock_shift >> 2);
452 sd->csd[13] = 0x20 | /* Max. write data block length */
453 ((hwblock_shift << 6) & 0xc0);
454 sd->csd[14] = 0x00; /* File format group */
455 } else { /* SDHC */
456 size /= 512 * KiB;
457 size -= 1;
458 sd->csd[0] = 0x40;
459 sd->csd[1] = 0x0e;
460 sd->csd[2] = 0x00;
461 sd->csd[3] = 0x32;
462 sd->csd[4] = 0x5b;
463 sd->csd[5] = 0x59;
464 sd->csd[6] = 0x00;
465 sd->csd[7] = (size >> 16) & 0xff;
466 sd->csd[8] = (size >> 8) & 0xff;
467 sd->csd[9] = (size & 0xff);
468 sd->csd[10] = 0x7f;
469 sd->csd[11] = 0x80;
470 sd->csd[12] = 0x0a;
471 sd->csd[13] = 0x40;
472 sd->csd[14] = 0x00;
473 }
474 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
475 }
476
477 static void sd_set_rca(SDState *sd)
478 {
479 sd->rca += 0x4567;
480 }
481
482 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
483 FIELD(CSR, APP_CMD, 5, 1)
484 FIELD(CSR, FX_EVENT, 6, 1)
485 FIELD(CSR, READY_FOR_DATA, 8, 1)
486 FIELD(CSR, CURRENT_STATE, 9, 4)
487 FIELD(CSR, ERASE_RESET, 13, 1)
488 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
489 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
490 FIELD(CSR, CSD_OVERWRITE, 16, 1)
491 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
492 FIELD(CSR, ERROR, 19, 1)
493 FIELD(CSR, CC_ERROR, 20, 1)
494 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
495 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
496 FIELD(CSR, COM_CRC_ERROR, 23, 1)
497 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
498 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
499 FIELD(CSR, WP_VIOLATION, 26, 1)
500 FIELD(CSR, ERASE_PARAM, 27, 1)
501 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
502 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
503 FIELD(CSR, ADDRESS_ERROR, 30, 1)
504 FIELD(CSR, OUT_OF_RANGE, 31, 1)
505
506 /* Card status bits, split by clear condition:
507 * A : According to the card current state
508 * B : Always related to the previous command
509 * C : Cleared by read
510 */
511 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
512 | R_CSR_CARD_ECC_DISABLED_MASK \
513 | R_CSR_CARD_IS_LOCKED_MASK)
514 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
515 | R_CSR_ILLEGAL_COMMAND_MASK \
516 | R_CSR_COM_CRC_ERROR_MASK)
517 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
518 | R_CSR_APP_CMD_MASK \
519 | R_CSR_ERASE_RESET_MASK \
520 | R_CSR_WP_ERASE_SKIP_MASK \
521 | R_CSR_CSD_OVERWRITE_MASK \
522 | R_CSR_ERROR_MASK \
523 | R_CSR_CC_ERROR_MASK \
524 | R_CSR_CARD_ECC_FAILED_MASK \
525 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
526 | R_CSR_WP_VIOLATION_MASK \
527 | R_CSR_ERASE_PARAM_MASK \
528 | R_CSR_ERASE_SEQ_ERROR_MASK \
529 | R_CSR_BLOCK_LEN_ERROR_MASK \
530 | R_CSR_ADDRESS_ERROR_MASK \
531 | R_CSR_OUT_OF_RANGE_MASK)
532
533 static void sd_set_cardstatus(SDState *sd)
534 {
535 sd->card_status = 0x00000100;
536 }
537
538 static void sd_set_sdstatus(SDState *sd)
539 {
540 memset(sd->sd_status, 0, 64);
541 }
542
543 static int sd_req_crc_validate(SDRequest *req)
544 {
545 uint8_t buffer[5];
546 buffer[0] = 0x40 | req->cmd;
547 stl_be_p(&buffer[1], req->arg);
548 return 0;
549 return sd_crc7(buffer, 5) != req->crc; /* TODO */
550 }
551
552 static void sd_response_r1_make(SDState *sd, uint8_t *response)
553 {
554 stl_be_p(response, sd->card_status);
555
556 /* Clear the "clear on read" status bits */
557 sd->card_status &= ~CARD_STATUS_C;
558 }
559
560 static void sd_response_r3_make(SDState *sd, uint8_t *response)
561 {
562 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
563 }
564
565 static void sd_response_r6_make(SDState *sd, uint8_t *response)
566 {
567 uint16_t status;
568
569 status = ((sd->card_status >> 8) & 0xc000) |
570 ((sd->card_status >> 6) & 0x2000) |
571 (sd->card_status & 0x1fff);
572 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
573 stw_be_p(response + 0, sd->rca);
574 stw_be_p(response + 2, status);
575 }
576
577 static void sd_response_r7_make(SDState *sd, uint8_t *response)
578 {
579 stl_be_p(response, sd->vhs);
580 }
581
582 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
583 {
584 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
585 }
586
587 static void sd_reset(DeviceState *dev)
588 {
589 SDState *sd = SD_CARD(dev);
590 uint64_t size;
591 uint64_t sect;
592
593 trace_sdcard_reset();
594 if (sd->blk) {
595 blk_get_geometry(sd->blk, &sect);
596 } else {
597 sect = 0;
598 }
599 size = sect << 9;
600
601 sect = sd_addr_to_wpnum(size) + 1;
602
603 sd->state = sd_idle_state;
604 sd->rca = 0x0000;
605 sd->size = size;
606 sd_set_ocr(sd);
607 sd_set_scr(sd);
608 sd_set_cid(sd);
609 sd_set_csd(sd, size);
610 sd_set_cardstatus(sd);
611 sd_set_sdstatus(sd);
612
613 g_free(sd->wp_group_bmap);
614 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
615 sd->wp_group_bits = sect;
616 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
617 memset(sd->function_group, 0, sizeof(sd->function_group));
618 sd->erase_start = INVALID_ADDRESS;
619 sd->erase_end = INVALID_ADDRESS;
620 sd->blk_len = 0x200;
621 sd->pwd_len = 0;
622 sd->expecting_acmd = false;
623 sd->dat_lines = 0xf;
624 sd->cmd_line = true;
625 sd->multi_blk_cnt = 0;
626 }
627
628 static bool sd_get_inserted(SDState *sd)
629 {
630 return sd->blk && blk_is_inserted(sd->blk);
631 }
632
633 static bool sd_get_readonly(SDState *sd)
634 {
635 return sd->wp_switch;
636 }
637
638 static void sd_cardchange(void *opaque, bool load, Error **errp)
639 {
640 SDState *sd = opaque;
641 DeviceState *dev = DEVICE(sd);
642 SDBus *sdbus;
643 bool inserted = sd_get_inserted(sd);
644 bool readonly = sd_get_readonly(sd);
645
646 if (inserted) {
647 trace_sdcard_inserted(readonly);
648 sd_reset(dev);
649 } else {
650 trace_sdcard_ejected();
651 }
652
653 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
654 qemu_set_irq(sd->inserted_cb, inserted);
655 if (inserted) {
656 qemu_set_irq(sd->readonly_cb, readonly);
657 }
658 } else {
659 sdbus = SD_BUS(qdev_get_parent_bus(dev));
660 sdbus_set_inserted(sdbus, inserted);
661 if (inserted) {
662 sdbus_set_readonly(sdbus, readonly);
663 }
664 }
665 }
666
667 static const BlockDevOps sd_block_ops = {
668 .change_media_cb = sd_cardchange,
669 };
670
671 static bool sd_ocr_vmstate_needed(void *opaque)
672 {
673 SDState *sd = opaque;
674
675 /* Include the OCR state (and timer) if it is not yet powered up */
676 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
677 }
678
679 static const VMStateDescription sd_ocr_vmstate = {
680 .name = "sd-card/ocr-state",
681 .version_id = 1,
682 .minimum_version_id = 1,
683 .needed = sd_ocr_vmstate_needed,
684 .fields = (const VMStateField[]) {
685 VMSTATE_UINT32(ocr, SDState),
686 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
687 VMSTATE_END_OF_LIST()
688 },
689 };
690
691 static int sd_vmstate_pre_load(void *opaque)
692 {
693 SDState *sd = opaque;
694
695 /* If the OCR state is not included (prior versions, or not
696 * needed), then the OCR must be set as powered up. If the OCR state
697 * is included, this will be replaced by the state restore.
698 */
699 sd_ocr_powerup(sd);
700
701 return 0;
702 }
703
704 static const VMStateDescription sd_vmstate = {
705 .name = "sd-card",
706 .version_id = 2,
707 .minimum_version_id = 2,
708 .pre_load = sd_vmstate_pre_load,
709 .fields = (const VMStateField[]) {
710 VMSTATE_UINT32(mode, SDState),
711 VMSTATE_INT32(state, SDState),
712 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
713 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
714 VMSTATE_UINT16(rca, SDState),
715 VMSTATE_UINT32(card_status, SDState),
716 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
717 VMSTATE_UINT32(vhs, SDState),
718 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
719 VMSTATE_UINT32(blk_len, SDState),
720 VMSTATE_UINT32(multi_blk_cnt, SDState),
721 VMSTATE_UINT32(erase_start, SDState),
722 VMSTATE_UINT32(erase_end, SDState),
723 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
724 VMSTATE_UINT32(pwd_len, SDState),
725 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
726 VMSTATE_UINT8(current_cmd, SDState),
727 VMSTATE_BOOL(expecting_acmd, SDState),
728 VMSTATE_UINT32(blk_written, SDState),
729 VMSTATE_UINT64(data_start, SDState),
730 VMSTATE_UINT32(data_offset, SDState),
731 VMSTATE_UINT8_ARRAY(data, SDState, 512),
732 VMSTATE_UNUSED_V(1, 512),
733 VMSTATE_BOOL(enable, SDState),
734 VMSTATE_END_OF_LIST()
735 },
736 .subsections = (const VMStateDescription * const []) {
737 &sd_ocr_vmstate,
738 NULL
739 },
740 };
741
742 /* Legacy initialization function for use by non-qdevified callers */
743 SDState *sd_init(BlockBackend *blk, bool is_spi)
744 {
745 Object *obj;
746 DeviceState *dev;
747 SDState *sd;
748 Error *err = NULL;
749
750 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
751 dev = DEVICE(obj);
752 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
753 error_reportf_err(err, "sd_init failed: ");
754 return NULL;
755 }
756
757 /*
758 * Realizing the device properly would put it into the QOM
759 * composition tree even though it is not plugged into an
760 * appropriate bus. That's a no-no. Hide the device from
761 * QOM/qdev, and call its qdev realize callback directly.
762 */
763 object_ref(obj);
764 object_unparent(obj);
765 sd_realize(dev, &err);
766 if (err) {
767 error_reportf_err(err, "sd_init failed: ");
768 return NULL;
769 }
770
771 sd = SD_CARD(dev);
772 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
773 return sd;
774 }
775
776 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
777 {
778 sd->readonly_cb = readonly;
779 sd->inserted_cb = insert;
780 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
781 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
782 }
783
784 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
785 {
786 trace_sdcard_read_block(addr, len);
787 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
788 fprintf(stderr, "sd_blk_read: read error on host side\n");
789 }
790 }
791
792 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
793 {
794 trace_sdcard_write_block(addr, len);
795 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
796 fprintf(stderr, "sd_blk_write: write error on host side\n");
797 }
798 }
799
800 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
801 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
802 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
803 #define APP_WRITE_BLOCK(a, len)
804
805 static void sd_erase(SDState *sd)
806 {
807 uint64_t erase_start = sd->erase_start;
808 uint64_t erase_end = sd->erase_end;
809 bool sdsc = true;
810 uint64_t wpnum;
811 uint64_t erase_addr;
812 int erase_len = 1 << HWBLOCK_SHIFT;
813
814 trace_sdcard_erase(sd->erase_start, sd->erase_end);
815 if (sd->erase_start == INVALID_ADDRESS
816 || sd->erase_end == INVALID_ADDRESS) {
817 sd->card_status |= ERASE_SEQ_ERROR;
818 sd->erase_start = INVALID_ADDRESS;
819 sd->erase_end = INVALID_ADDRESS;
820 return;
821 }
822
823 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
824 /* High capacity memory card: erase units are 512 byte blocks */
825 erase_start *= 512;
826 erase_end *= 512;
827 sdsc = false;
828 }
829
830 if (erase_start > sd->size || erase_end > sd->size) {
831 sd->card_status |= OUT_OF_RANGE;
832 sd->erase_start = INVALID_ADDRESS;
833 sd->erase_end = INVALID_ADDRESS;
834 return;
835 }
836
837 sd->erase_start = INVALID_ADDRESS;
838 sd->erase_end = INVALID_ADDRESS;
839 sd->csd[14] |= 0x40;
840
841 memset(sd->data, 0xff, erase_len);
842 for (erase_addr = erase_start; erase_addr <= erase_end;
843 erase_addr += erase_len) {
844 if (sdsc) {
845 /* Only SDSC cards support write protect groups */
846 wpnum = sd_addr_to_wpnum(erase_addr);
847 assert(wpnum < sd->wp_group_bits);
848 if (test_bit(wpnum, sd->wp_group_bmap)) {
849 sd->card_status |= WP_ERASE_SKIP;
850 continue;
851 }
852 }
853 BLK_WRITE_BLOCK(erase_addr, erase_len);
854 }
855 }
856
857 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
858 {
859 uint32_t i, wpnum;
860 uint32_t ret = 0;
861
862 wpnum = sd_addr_to_wpnum(addr);
863
864 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
865 if (addr >= sd->size) {
866 /*
867 * If the addresses of the last groups are outside the valid range,
868 * then the corresponding write protection bits shall be set to 0.
869 */
870 continue;
871 }
872 assert(wpnum < sd->wp_group_bits);
873 if (test_bit(wpnum, sd->wp_group_bmap)) {
874 ret |= (1 << i);
875 }
876 }
877
878 return ret;
879 }
880
881 static void sd_function_switch(SDState *sd, uint32_t arg)
882 {
883 int i, mode, new_func;
884 mode = !!(arg & 0x80000000);
885
886 sd->data[0] = 0x00; /* Maximum current consumption */
887 sd->data[1] = 0x01;
888 sd->data[2] = 0x80; /* Supported group 6 functions */
889 sd->data[3] = 0x01;
890 sd->data[4] = 0x80; /* Supported group 5 functions */
891 sd->data[5] = 0x01;
892 sd->data[6] = 0x80; /* Supported group 4 functions */
893 sd->data[7] = 0x01;
894 sd->data[8] = 0x80; /* Supported group 3 functions */
895 sd->data[9] = 0x01;
896 sd->data[10] = 0x80; /* Supported group 2 functions */
897 sd->data[11] = 0x43;
898 sd->data[12] = 0x80; /* Supported group 1 functions */
899 sd->data[13] = 0x03;
900
901 memset(&sd->data[14], 0, 3);
902 for (i = 0; i < 6; i ++) {
903 new_func = (arg >> (i * 4)) & 0x0f;
904 if (mode && new_func != 0x0f)
905 sd->function_group[i] = new_func;
906 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
907 }
908 memset(&sd->data[17], 0, 47);
909 }
910
911 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
912 {
913 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
914 }
915
916 static void sd_lock_command(SDState *sd)
917 {
918 int erase, lock, clr_pwd, set_pwd, pwd_len;
919 erase = !!(sd->data[0] & 0x08);
920 lock = sd->data[0] & 0x04;
921 clr_pwd = sd->data[0] & 0x02;
922 set_pwd = sd->data[0] & 0x01;
923
924 if (sd->blk_len > 1)
925 pwd_len = sd->data[1];
926 else
927 pwd_len = 0;
928
929 if (lock) {
930 trace_sdcard_lock();
931 } else {
932 trace_sdcard_unlock();
933 }
934 if (erase) {
935 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
936 set_pwd || clr_pwd || lock || sd->wp_switch ||
937 (sd->csd[14] & 0x20)) {
938 sd->card_status |= LOCK_UNLOCK_FAILED;
939 return;
940 }
941 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
942 sd->csd[14] &= ~0x10;
943 sd->card_status &= ~CARD_IS_LOCKED;
944 sd->pwd_len = 0;
945 /* Erasing the entire card here! */
946 fprintf(stderr, "SD: Card force-erased by CMD42\n");
947 return;
948 }
949
950 if (sd->blk_len < 2 + pwd_len ||
951 pwd_len <= sd->pwd_len ||
952 pwd_len > sd->pwd_len + 16) {
953 sd->card_status |= LOCK_UNLOCK_FAILED;
954 return;
955 }
956
957 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
958 sd->card_status |= LOCK_UNLOCK_FAILED;
959 return;
960 }
961
962 pwd_len -= sd->pwd_len;
963 if ((pwd_len && !set_pwd) ||
964 (clr_pwd && (set_pwd || lock)) ||
965 (lock && !sd->pwd_len && !set_pwd) ||
966 (!set_pwd && !clr_pwd &&
967 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
968 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
969 sd->card_status |= LOCK_UNLOCK_FAILED;
970 return;
971 }
972
973 if (set_pwd) {
974 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
975 sd->pwd_len = pwd_len;
976 }
977
978 if (clr_pwd) {
979 sd->pwd_len = 0;
980 }
981
982 if (lock)
983 sd->card_status |= CARD_IS_LOCKED;
984 else
985 sd->card_status &= ~CARD_IS_LOCKED;
986 }
987
988 static bool address_in_range(SDState *sd, const char *desc,
989 uint64_t addr, uint32_t length)
990 {
991 if (addr + length > sd->size) {
992 qemu_log_mask(LOG_GUEST_ERROR,
993 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
994 desc, addr, sd->size, length);
995 sd->card_status |= ADDRESS_ERROR;
996 return false;
997 }
998 return true;
999 }
1000
1001 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1002 {
1003 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1004 sd_proto(sd)->name, req.cmd, sd_state_name(sd->state),
1005 sd_version_str(sd->spec_version));
1006
1007 return sd_illegal;
1008 }
1009
1010 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1011 {
1012 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1013 sd_proto(sd)->name, req.cmd,
1014 sd_version_str(sd->spec_version));
1015
1016 return sd_illegal;
1017 }
1018
1019 /* Commands that are recognised but not yet implemented. */
1020 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1021 {
1022 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1023 sd_proto(sd)->name, req.cmd);
1024
1025 return sd_illegal;
1026 }
1027
1028 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1029 {
1030 if (sd->state != sd_inactive_state) {
1031 sd->state = sd_idle_state;
1032 sd_reset(DEVICE(sd));
1033 }
1034
1035 return sd_is_spi(sd) ? sd_r1 : sd_r0;
1036 }
1037
1038 static sd_rsp_type_t sd_cmd_SEND_OP_CMD(SDState *sd, SDRequest req)
1039 {
1040 sd->state = sd_transfer_state;
1041
1042 return sd_r1;
1043 }
1044
1045 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1046 {
1047 if (sd->state != sd_ready_state) {
1048 return sd_invalid_state_for_cmd(sd, req);
1049 }
1050
1051 sd->state = sd_identification_state;
1052
1053 return sd_r2_i;
1054 }
1055
1056 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1057 {
1058 switch (sd->state) {
1059 case sd_identification_state:
1060 case sd_standby_state:
1061 sd->state = sd_standby_state;
1062 sd_set_rca(sd);
1063 return sd_r6;
1064
1065 default:
1066 return sd_invalid_state_for_cmd(sd, req);
1067 }
1068 }
1069
1070 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1071 {
1072 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1073 return sd_cmd_illegal(sd, req);
1074 }
1075
1076 if (sd->state != sd_transfer_state) {
1077 return sd_invalid_state_for_cmd(sd, req);
1078 }
1079
1080 sd->state = sd_sendingdata_state;
1081 sd->data_offset = 0;
1082
1083 return sd_r1;
1084 }
1085
1086 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1087 {
1088 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1089 return sd_cmd_illegal(sd, req);
1090 }
1091
1092 if (sd->state != sd_transfer_state) {
1093 return sd_invalid_state_for_cmd(sd, req);
1094 }
1095
1096 sd->multi_blk_cnt = req.arg;
1097
1098 return sd_r1;
1099 }
1100
1101 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
1102 {
1103 uint32_t rca = 0x0000;
1104 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
1105
1106 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
1107 * However there is no ACMD55, so we want to trace this particular case.
1108 */
1109 if (req.cmd != 55 || sd->expecting_acmd) {
1110 trace_sdcard_normal_command(sd_proto(sd)->name,
1111 sd_cmd_name(req.cmd), req.cmd,
1112 req.arg, sd_state_name(sd->state));
1113 }
1114
1115 /* Not interpreting this as an app command */
1116 sd->card_status &= ~APP_CMD;
1117
1118 if (sd_cmd_type[req.cmd] == sd_ac
1119 || sd_cmd_type[req.cmd] == sd_adtc) {
1120 rca = req.arg >> 16;
1121 }
1122
1123 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
1124 * if not, its effects are cancelled */
1125 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
1126 sd->multi_blk_cnt = 0;
1127 }
1128
1129 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1130 /* Only Standard Capacity cards support class 6 commands */
1131 return sd_illegal;
1132 }
1133
1134 if (sd_proto(sd)->cmd[req.cmd]) {
1135 return sd_proto(sd)->cmd[req.cmd](sd, req);
1136 }
1137
1138 switch (req.cmd) {
1139 /* Basic commands (Class 0 and Class 1) */
1140 case 4: /* CMD4: SEND_DSR */
1141 switch (sd->state) {
1142 case sd_standby_state:
1143 break;
1144
1145 default:
1146 break;
1147 }
1148 break;
1149
1150 case 6: /* CMD6: SWITCH_FUNCTION */
1151 switch (sd->mode) {
1152 case sd_data_transfer_mode:
1153 sd_function_switch(sd, req.arg);
1154 sd->state = sd_sendingdata_state;
1155 sd->data_start = 0;
1156 sd->data_offset = 0;
1157 return sd_r1;
1158
1159 default:
1160 break;
1161 }
1162 break;
1163
1164 case 7: /* CMD7: SELECT/DESELECT_CARD */
1165 switch (sd->state) {
1166 case sd_standby_state:
1167 if (sd->rca != rca)
1168 return sd_r0;
1169
1170 sd->state = sd_transfer_state;
1171 return sd_r1b;
1172
1173 case sd_transfer_state:
1174 case sd_sendingdata_state:
1175 if (sd->rca == rca)
1176 break;
1177
1178 sd->state = sd_standby_state;
1179 return sd_r1b;
1180
1181 case sd_disconnect_state:
1182 if (sd->rca != rca)
1183 return sd_r0;
1184
1185 sd->state = sd_programming_state;
1186 return sd_r1b;
1187
1188 case sd_programming_state:
1189 if (sd->rca == rca)
1190 break;
1191
1192 sd->state = sd_disconnect_state;
1193 return sd_r1b;
1194
1195 default:
1196 break;
1197 }
1198 break;
1199
1200 case 8: /* CMD8: SEND_IF_COND */
1201 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1202 break;
1203 }
1204 if (sd->state != sd_idle_state) {
1205 break;
1206 }
1207 sd->vhs = 0;
1208
1209 /* No response if not exactly one VHS bit is set. */
1210 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1211 return sd_is_spi(sd) ? sd_r7 : sd_r0;
1212 }
1213
1214 /* Accept. */
1215 sd->vhs = req.arg;
1216 return sd_r7;
1217
1218 case 9: /* CMD9: SEND_CSD */
1219 switch (sd->state) {
1220 case sd_standby_state:
1221 if (sd->rca != rca)
1222 return sd_r0;
1223
1224 return sd_r2_s;
1225
1226 case sd_transfer_state:
1227 if (!sd_is_spi(sd)) {
1228 break;
1229 }
1230 sd->state = sd_sendingdata_state;
1231 memcpy(sd->data, sd->csd, 16);
1232 sd->data_start = addr;
1233 sd->data_offset = 0;
1234 return sd_r1;
1235
1236 default:
1237 break;
1238 }
1239 break;
1240
1241 case 10: /* CMD10: SEND_CID */
1242 switch (sd->state) {
1243 case sd_standby_state:
1244 if (sd->rca != rca)
1245 return sd_r0;
1246
1247 return sd_r2_i;
1248
1249 case sd_transfer_state:
1250 if (!sd_is_spi(sd)) {
1251 break;
1252 }
1253 sd->state = sd_sendingdata_state;
1254 memcpy(sd->data, sd->cid, 16);
1255 sd->data_start = addr;
1256 sd->data_offset = 0;
1257 return sd_r1;
1258
1259 default:
1260 break;
1261 }
1262 break;
1263
1264 case 12: /* CMD12: STOP_TRANSMISSION */
1265 switch (sd->state) {
1266 case sd_sendingdata_state:
1267 sd->state = sd_transfer_state;
1268 return sd_r1b;
1269
1270 case sd_receivingdata_state:
1271 sd->state = sd_programming_state;
1272 /* Bzzzzzzztt .... Operation complete. */
1273 sd->state = sd_transfer_state;
1274 return sd_r1b;
1275
1276 default:
1277 break;
1278 }
1279 break;
1280
1281 case 13: /* CMD13: SEND_STATUS */
1282 switch (sd->mode) {
1283 case sd_data_transfer_mode:
1284 if (!sd_is_spi(sd) && sd->rca != rca) {
1285 return sd_r0;
1286 }
1287
1288 return sd_r1;
1289
1290 default:
1291 break;
1292 }
1293 break;
1294
1295 case 15: /* CMD15: GO_INACTIVE_STATE */
1296 switch (sd->mode) {
1297 case sd_data_transfer_mode:
1298 if (sd->rca != rca)
1299 return sd_r0;
1300
1301 sd->state = sd_inactive_state;
1302 return sd_r0;
1303
1304 default:
1305 break;
1306 }
1307 break;
1308
1309 /* Block read commands (Class 2) */
1310 case 16: /* CMD16: SET_BLOCKLEN */
1311 switch (sd->state) {
1312 case sd_transfer_state:
1313 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1314 sd->card_status |= BLOCK_LEN_ERROR;
1315 } else {
1316 trace_sdcard_set_blocklen(req.arg);
1317 sd->blk_len = req.arg;
1318 }
1319
1320 return sd_r1;
1321
1322 default:
1323 break;
1324 }
1325 break;
1326
1327 case 17: /* CMD17: READ_SINGLE_BLOCK */
1328 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1329 switch (sd->state) {
1330 case sd_transfer_state:
1331
1332 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1333 return sd_r1;
1334 }
1335
1336 sd->state = sd_sendingdata_state;
1337 sd->data_start = addr;
1338 sd->data_offset = 0;
1339 return sd_r1;
1340
1341 default:
1342 break;
1343 }
1344 break;
1345
1346 /* Block write commands (Class 4) */
1347 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1348 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1349 switch (sd->state) {
1350 case sd_transfer_state:
1351
1352 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1353 return sd_r1;
1354 }
1355
1356 sd->state = sd_receivingdata_state;
1357 sd->data_start = addr;
1358 sd->data_offset = 0;
1359 sd->blk_written = 0;
1360
1361 if (sd->size <= SDSC_MAX_CAPACITY) {
1362 if (sd_wp_addr(sd, sd->data_start)) {
1363 sd->card_status |= WP_VIOLATION;
1364 }
1365 }
1366 if (sd->csd[14] & 0x30) {
1367 sd->card_status |= WP_VIOLATION;
1368 }
1369 return sd_r1;
1370
1371 default:
1372 break;
1373 }
1374 break;
1375
1376 case 26: /* CMD26: PROGRAM_CID */
1377 switch (sd->state) {
1378 case sd_transfer_state:
1379 sd->state = sd_receivingdata_state;
1380 sd->data_start = 0;
1381 sd->data_offset = 0;
1382 return sd_r1;
1383
1384 default:
1385 break;
1386 }
1387 break;
1388
1389 case 27: /* CMD27: PROGRAM_CSD */
1390 switch (sd->state) {
1391 case sd_transfer_state:
1392 sd->state = sd_receivingdata_state;
1393 sd->data_start = 0;
1394 sd->data_offset = 0;
1395 return sd_r1;
1396
1397 default:
1398 break;
1399 }
1400 break;
1401
1402 /* Write protection (Class 6) */
1403 case 28: /* CMD28: SET_WRITE_PROT */
1404 if (sd->size > SDSC_MAX_CAPACITY) {
1405 return sd_illegal;
1406 }
1407
1408 switch (sd->state) {
1409 case sd_transfer_state:
1410 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1411 return sd_r1b;
1412 }
1413
1414 sd->state = sd_programming_state;
1415 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1416 /* Bzzzzzzztt .... Operation complete. */
1417 sd->state = sd_transfer_state;
1418 return sd_r1b;
1419
1420 default:
1421 break;
1422 }
1423 break;
1424
1425 case 29: /* CMD29: CLR_WRITE_PROT */
1426 if (sd->size > SDSC_MAX_CAPACITY) {
1427 return sd_illegal;
1428 }
1429
1430 switch (sd->state) {
1431 case sd_transfer_state:
1432 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1433 return sd_r1b;
1434 }
1435
1436 sd->state = sd_programming_state;
1437 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1438 /* Bzzzzzzztt .... Operation complete. */
1439 sd->state = sd_transfer_state;
1440 return sd_r1b;
1441
1442 default:
1443 break;
1444 }
1445 break;
1446
1447 case 30: /* CMD30: SEND_WRITE_PROT */
1448 if (sd->size > SDSC_MAX_CAPACITY) {
1449 return sd_illegal;
1450 }
1451
1452 switch (sd->state) {
1453 case sd_transfer_state:
1454 if (!address_in_range(sd, "SEND_WRITE_PROT",
1455 req.arg, sd->blk_len)) {
1456 return sd_r1;
1457 }
1458
1459 sd->state = sd_sendingdata_state;
1460 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1461 sd->data_start = addr;
1462 sd->data_offset = 0;
1463 return sd_r1;
1464
1465 default:
1466 break;
1467 }
1468 break;
1469
1470 /* Erase commands (Class 5) */
1471 case 32: /* CMD32: ERASE_WR_BLK_START */
1472 switch (sd->state) {
1473 case sd_transfer_state:
1474 sd->erase_start = req.arg;
1475 return sd_r1;
1476
1477 default:
1478 break;
1479 }
1480 break;
1481
1482 case 33: /* CMD33: ERASE_WR_BLK_END */
1483 switch (sd->state) {
1484 case sd_transfer_state:
1485 sd->erase_end = req.arg;
1486 return sd_r1;
1487
1488 default:
1489 break;
1490 }
1491 break;
1492
1493 case 38: /* CMD38: ERASE */
1494 switch (sd->state) {
1495 case sd_transfer_state:
1496 if (sd->csd[14] & 0x30) {
1497 sd->card_status |= WP_VIOLATION;
1498 return sd_r1b;
1499 }
1500
1501 sd->state = sd_programming_state;
1502 sd_erase(sd);
1503 /* Bzzzzzzztt .... Operation complete. */
1504 sd->state = sd_transfer_state;
1505 return sd_r1b;
1506
1507 default:
1508 break;
1509 }
1510 break;
1511
1512 /* Lock card commands (Class 7) */
1513 case 42: /* CMD42: LOCK_UNLOCK */
1514 switch (sd->state) {
1515 case sd_transfer_state:
1516 sd->state = sd_receivingdata_state;
1517 sd->data_start = 0;
1518 sd->data_offset = 0;
1519 return sd_r1;
1520
1521 default:
1522 break;
1523 }
1524 break;
1525
1526 /* Application specific commands (Class 8) */
1527 case 55: /* CMD55: APP_CMD */
1528 switch (sd->state) {
1529 case sd_ready_state:
1530 case sd_identification_state:
1531 case sd_inactive_state:
1532 return sd_illegal;
1533 case sd_idle_state:
1534 if (rca) {
1535 qemu_log_mask(LOG_GUEST_ERROR,
1536 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1537 }
1538 default:
1539 break;
1540 }
1541 if (!sd_is_spi(sd)) {
1542 if (sd->rca != rca) {
1543 return sd_r0;
1544 }
1545 }
1546 sd->expecting_acmd = true;
1547 sd->card_status |= APP_CMD;
1548 return sd_r1;
1549
1550 case 56: /* CMD56: GEN_CMD */
1551 switch (sd->state) {
1552 case sd_transfer_state:
1553 sd->data_offset = 0;
1554 if (req.arg & 1)
1555 sd->state = sd_sendingdata_state;
1556 else
1557 sd->state = sd_receivingdata_state;
1558 return sd_r1;
1559
1560 default:
1561 break;
1562 }
1563 break;
1564
1565 case 58: /* CMD58: READ_OCR (SPI) */
1566 return sd_r3;
1567
1568 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1569 return sd_r1;
1570
1571 default:
1572 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1573 return sd_illegal;
1574 }
1575
1576 return sd_invalid_state_for_cmd(sd, req);
1577 }
1578
1579 static sd_rsp_type_t sd_app_command(SDState *sd,
1580 SDRequest req)
1581 {
1582 trace_sdcard_app_command(sd_proto(sd)->name, sd_acmd_name(req.cmd),
1583 req.cmd, req.arg, sd_state_name(sd->state));
1584 sd->card_status |= APP_CMD;
1585
1586 if (sd_proto(sd)->acmd[req.cmd]) {
1587 return sd_proto(sd)->acmd[req.cmd](sd, req);
1588 }
1589
1590 switch (req.cmd) {
1591 case 6: /* ACMD6: SET_BUS_WIDTH */
1592 switch (sd->state) {
1593 case sd_transfer_state:
1594 sd->sd_status[0] &= 0x3f;
1595 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1596 return sd_r1;
1597
1598 default:
1599 break;
1600 }
1601 break;
1602
1603 case 13: /* ACMD13: SD_STATUS */
1604 switch (sd->state) {
1605 case sd_transfer_state:
1606 sd->state = sd_sendingdata_state;
1607 sd->data_start = 0;
1608 sd->data_offset = 0;
1609 return sd_r1;
1610
1611 default:
1612 break;
1613 }
1614 break;
1615
1616 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1617 switch (sd->state) {
1618 case sd_transfer_state:
1619 *(uint32_t *) sd->data = sd->blk_written;
1620
1621 sd->state = sd_sendingdata_state;
1622 sd->data_start = 0;
1623 sd->data_offset = 0;
1624 return sd_r1;
1625
1626 default:
1627 break;
1628 }
1629 break;
1630
1631 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1632 switch (sd->state) {
1633 case sd_transfer_state:
1634 return sd_r1;
1635
1636 default:
1637 break;
1638 }
1639 break;
1640
1641 case 41: /* ACMD41: SD_APP_OP_COND */
1642 if (sd->state != sd_idle_state) {
1643 break;
1644 }
1645 /* If it's the first ACMD41 since reset, we need to decide
1646 * whether to power up. If this is not an enquiry ACMD41,
1647 * we immediately report power on and proceed below to the
1648 * ready state, but if it is, we set a timer to model a
1649 * delay for power up. This works around a bug in EDK2
1650 * UEFI, which sends an initial enquiry ACMD41, but
1651 * assumes that the card is in ready state as soon as it
1652 * sees the power up bit set. */
1653 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1654 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1655 timer_del(sd->ocr_power_timer);
1656 sd_ocr_powerup(sd);
1657 } else {
1658 trace_sdcard_inquiry_cmd41();
1659 if (!timer_pending(sd->ocr_power_timer)) {
1660 timer_mod_ns(sd->ocr_power_timer,
1661 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1662 + OCR_POWER_DELAY_NS));
1663 }
1664 }
1665 }
1666
1667 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1668 /* We accept any voltage. 10000 V is nothing.
1669 *
1670 * Once we're powered up, we advance straight to ready state
1671 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1672 */
1673 sd->state = sd_ready_state;
1674 }
1675
1676 return sd_r3;
1677
1678 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1679 switch (sd->state) {
1680 case sd_transfer_state:
1681 /* Bringing in the 50KOhm pull-up resistor... Done. */
1682 return sd_r1;
1683
1684 default:
1685 break;
1686 }
1687 break;
1688
1689 case 51: /* ACMD51: SEND_SCR */
1690 switch (sd->state) {
1691 case sd_transfer_state:
1692 sd->state = sd_sendingdata_state;
1693 sd->data_start = 0;
1694 sd->data_offset = 0;
1695 return sd_r1;
1696
1697 default:
1698 break;
1699 }
1700 break;
1701
1702 case 18: /* Reserved for SD security applications */
1703 case 25:
1704 case 26:
1705 case 38:
1706 case 43 ... 49:
1707 /* Refer to the "SD Specifications Part3 Security Specification" for
1708 * information about the SD Security Features.
1709 */
1710 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1711 req.cmd);
1712 return sd_illegal;
1713
1714 default:
1715 /* Fall back to standard commands. */
1716 return sd_normal_command(sd, req);
1717 }
1718
1719 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1720 return sd_illegal;
1721 }
1722
1723 static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1724 {
1725 /* Valid commands in locked state:
1726 * basic class (0)
1727 * lock card class (7)
1728 * CMD16
1729 * implicitly, the ACMD prefix CMD55
1730 * ACMD41 and ACMD42
1731 * Anything else provokes an "illegal command" response.
1732 */
1733 if (sd->expecting_acmd) {
1734 return cmd == 41 || cmd == 42;
1735 }
1736 if (cmd == 16 || cmd == 55) {
1737 return 1;
1738 }
1739 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1740 }
1741
1742 int sd_do_command(SDState *sd, SDRequest *req,
1743 uint8_t *response) {
1744 int last_state;
1745 sd_rsp_type_t rtype;
1746 int rsplen;
1747
1748 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1749 return 0;
1750 }
1751
1752 if (sd_req_crc_validate(req)) {
1753 sd->card_status |= COM_CRC_ERROR;
1754 rtype = sd_illegal;
1755 goto send_response;
1756 }
1757
1758 if (req->cmd >= SDMMC_CMD_MAX) {
1759 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1760 req->cmd);
1761 req->cmd &= 0x3f;
1762 }
1763
1764 if (sd->card_status & CARD_IS_LOCKED) {
1765 if (!cmd_valid_while_locked(sd, req->cmd)) {
1766 sd->card_status |= ILLEGAL_COMMAND;
1767 sd->expecting_acmd = false;
1768 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1769 rtype = sd_illegal;
1770 goto send_response;
1771 }
1772 }
1773
1774 last_state = sd->state;
1775 sd_set_mode(sd);
1776
1777 if (sd->expecting_acmd) {
1778 sd->expecting_acmd = false;
1779 rtype = sd_app_command(sd, *req);
1780 } else {
1781 rtype = sd_normal_command(sd, *req);
1782 }
1783
1784 if (rtype == sd_illegal) {
1785 sd->card_status |= ILLEGAL_COMMAND;
1786 } else {
1787 /* Valid command, we can update the 'state before command' bits.
1788 * (Do this now so they appear in r1 responses.)
1789 */
1790 sd->current_cmd = req->cmd;
1791 sd->card_status &= ~CURRENT_STATE;
1792 sd->card_status |= (last_state << 9);
1793 }
1794
1795 send_response:
1796 switch (rtype) {
1797 case sd_r1:
1798 case sd_r1b:
1799 sd_response_r1_make(sd, response);
1800 rsplen = 4;
1801 break;
1802
1803 case sd_r2_i:
1804 memcpy(response, sd->cid, sizeof(sd->cid));
1805 rsplen = 16;
1806 break;
1807
1808 case sd_r2_s:
1809 memcpy(response, sd->csd, sizeof(sd->csd));
1810 rsplen = 16;
1811 break;
1812
1813 case sd_r3:
1814 sd_response_r3_make(sd, response);
1815 rsplen = 4;
1816 break;
1817
1818 case sd_r6:
1819 sd_response_r6_make(sd, response);
1820 rsplen = 4;
1821 break;
1822
1823 case sd_r7:
1824 sd_response_r7_make(sd, response);
1825 rsplen = 4;
1826 break;
1827
1828 case sd_r0:
1829 case sd_illegal:
1830 rsplen = 0;
1831 break;
1832 default:
1833 g_assert_not_reached();
1834 }
1835 trace_sdcard_response(sd_response_name(rtype), rsplen);
1836
1837 if (rtype != sd_illegal) {
1838 /* Clear the "clear on valid command" status bits now we've
1839 * sent any response
1840 */
1841 sd->card_status &= ~CARD_STATUS_B;
1842 }
1843
1844 #ifdef DEBUG_SD
1845 qemu_hexdump(stderr, "Response", response, rsplen);
1846 #endif
1847
1848 return rsplen;
1849 }
1850
1851 void sd_write_byte(SDState *sd, uint8_t value)
1852 {
1853 int i;
1854
1855 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1856 return;
1857
1858 if (sd->state != sd_receivingdata_state) {
1859 qemu_log_mask(LOG_GUEST_ERROR,
1860 "%s: not in Receiving-Data state\n", __func__);
1861 return;
1862 }
1863
1864 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1865 return;
1866
1867 trace_sdcard_write_data(sd_proto(sd)->name,
1868 sd_acmd_name(sd->current_cmd),
1869 sd->current_cmd, value);
1870 switch (sd->current_cmd) {
1871 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1872 sd->data[sd->data_offset ++] = value;
1873 if (sd->data_offset >= sd->blk_len) {
1874 /* TODO: Check CRC before committing */
1875 sd->state = sd_programming_state;
1876 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1877 sd->blk_written ++;
1878 sd->csd[14] |= 0x40;
1879 /* Bzzzzzzztt .... Operation complete. */
1880 sd->state = sd_transfer_state;
1881 }
1882 break;
1883
1884 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1885 if (sd->data_offset == 0) {
1886 /* Start of the block - let's check the address is valid */
1887 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
1888 sd->data_start, sd->blk_len)) {
1889 break;
1890 }
1891 if (sd->size <= SDSC_MAX_CAPACITY) {
1892 if (sd_wp_addr(sd, sd->data_start)) {
1893 sd->card_status |= WP_VIOLATION;
1894 break;
1895 }
1896 }
1897 }
1898 sd->data[sd->data_offset++] = value;
1899 if (sd->data_offset >= sd->blk_len) {
1900 /* TODO: Check CRC before committing */
1901 sd->state = sd_programming_state;
1902 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1903 sd->blk_written++;
1904 sd->data_start += sd->blk_len;
1905 sd->data_offset = 0;
1906 sd->csd[14] |= 0x40;
1907
1908 /* Bzzzzzzztt .... Operation complete. */
1909 if (sd->multi_blk_cnt != 0) {
1910 if (--sd->multi_blk_cnt == 0) {
1911 /* Stop! */
1912 sd->state = sd_transfer_state;
1913 break;
1914 }
1915 }
1916
1917 sd->state = sd_receivingdata_state;
1918 }
1919 break;
1920
1921 case 26: /* CMD26: PROGRAM_CID */
1922 sd->data[sd->data_offset ++] = value;
1923 if (sd->data_offset >= sizeof(sd->cid)) {
1924 /* TODO: Check CRC before committing */
1925 sd->state = sd_programming_state;
1926 for (i = 0; i < sizeof(sd->cid); i ++)
1927 if ((sd->cid[i] | 0x00) != sd->data[i])
1928 sd->card_status |= CID_CSD_OVERWRITE;
1929
1930 if (!(sd->card_status & CID_CSD_OVERWRITE))
1931 for (i = 0; i < sizeof(sd->cid); i ++) {
1932 sd->cid[i] |= 0x00;
1933 sd->cid[i] &= sd->data[i];
1934 }
1935 /* Bzzzzzzztt .... Operation complete. */
1936 sd->state = sd_transfer_state;
1937 }
1938 break;
1939
1940 case 27: /* CMD27: PROGRAM_CSD */
1941 sd->data[sd->data_offset ++] = value;
1942 if (sd->data_offset >= sizeof(sd->csd)) {
1943 /* TODO: Check CRC before committing */
1944 sd->state = sd_programming_state;
1945 for (i = 0; i < sizeof(sd->csd); i ++)
1946 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1947 (sd->data[i] | sd_csd_rw_mask[i]))
1948 sd->card_status |= CID_CSD_OVERWRITE;
1949
1950 /* Copy flag (OTP) & Permanent write protect */
1951 if (sd->csd[14] & ~sd->data[14] & 0x60)
1952 sd->card_status |= CID_CSD_OVERWRITE;
1953
1954 if (!(sd->card_status & CID_CSD_OVERWRITE))
1955 for (i = 0; i < sizeof(sd->csd); i ++) {
1956 sd->csd[i] |= sd_csd_rw_mask[i];
1957 sd->csd[i] &= sd->data[i];
1958 }
1959 /* Bzzzzzzztt .... Operation complete. */
1960 sd->state = sd_transfer_state;
1961 }
1962 break;
1963
1964 case 42: /* CMD42: LOCK_UNLOCK */
1965 sd->data[sd->data_offset ++] = value;
1966 if (sd->data_offset >= sd->blk_len) {
1967 /* TODO: Check CRC before committing */
1968 sd->state = sd_programming_state;
1969 sd_lock_command(sd);
1970 /* Bzzzzzzztt .... Operation complete. */
1971 sd->state = sd_transfer_state;
1972 }
1973 break;
1974
1975 case 56: /* CMD56: GEN_CMD */
1976 sd->data[sd->data_offset ++] = value;
1977 if (sd->data_offset >= sd->blk_len) {
1978 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1979 sd->state = sd_transfer_state;
1980 }
1981 break;
1982
1983 default:
1984 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1985 break;
1986 }
1987 }
1988
1989 #define SD_TUNING_BLOCK_SIZE 64
1990
1991 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1992 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1993 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1994 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1995 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1996 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1997 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1998 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1999 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
2000 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
2001 };
2002
2003 uint8_t sd_read_byte(SDState *sd)
2004 {
2005 /* TODO: Append CRCs */
2006 uint8_t ret;
2007 uint32_t io_len;
2008
2009 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2010 return 0x00;
2011
2012 if (sd->state != sd_sendingdata_state) {
2013 qemu_log_mask(LOG_GUEST_ERROR,
2014 "%s: not in Sending-Data state\n", __func__);
2015 return 0x00;
2016 }
2017
2018 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2019 return 0x00;
2020
2021 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
2022
2023 trace_sdcard_read_data(sd_proto(sd)->name,
2024 sd_acmd_name(sd->current_cmd),
2025 sd->current_cmd, io_len);
2026 switch (sd->current_cmd) {
2027 case 6: /* CMD6: SWITCH_FUNCTION */
2028 ret = sd->data[sd->data_offset ++];
2029
2030 if (sd->data_offset >= 64)
2031 sd->state = sd_transfer_state;
2032 break;
2033
2034 case 9: /* CMD9: SEND_CSD */
2035 case 10: /* CMD10: SEND_CID */
2036 ret = sd->data[sd->data_offset ++];
2037
2038 if (sd->data_offset >= 16)
2039 sd->state = sd_transfer_state;
2040 break;
2041
2042 case 13: /* ACMD13: SD_STATUS */
2043 ret = sd->sd_status[sd->data_offset ++];
2044
2045 if (sd->data_offset >= sizeof(sd->sd_status))
2046 sd->state = sd_transfer_state;
2047 break;
2048
2049 case 17: /* CMD17: READ_SINGLE_BLOCK */
2050 if (sd->data_offset == 0)
2051 BLK_READ_BLOCK(sd->data_start, io_len);
2052 ret = sd->data[sd->data_offset ++];
2053
2054 if (sd->data_offset >= io_len)
2055 sd->state = sd_transfer_state;
2056 break;
2057
2058 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2059 if (sd->data_offset == 0) {
2060 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2061 sd->data_start, io_len)) {
2062 return 0x00;
2063 }
2064 BLK_READ_BLOCK(sd->data_start, io_len);
2065 }
2066 ret = sd->data[sd->data_offset ++];
2067
2068 if (sd->data_offset >= io_len) {
2069 sd->data_start += io_len;
2070 sd->data_offset = 0;
2071
2072 if (sd->multi_blk_cnt != 0) {
2073 if (--sd->multi_blk_cnt == 0) {
2074 /* Stop! */
2075 sd->state = sd_transfer_state;
2076 break;
2077 }
2078 }
2079 }
2080 break;
2081
2082 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2083 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2084 sd->state = sd_transfer_state;
2085 }
2086 ret = sd_tuning_block_pattern[sd->data_offset++];
2087 break;
2088
2089 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2090 ret = sd->data[sd->data_offset ++];
2091
2092 if (sd->data_offset >= 4)
2093 sd->state = sd_transfer_state;
2094 break;
2095
2096 case 30: /* CMD30: SEND_WRITE_PROT */
2097 ret = sd->data[sd->data_offset ++];
2098
2099 if (sd->data_offset >= 4)
2100 sd->state = sd_transfer_state;
2101 break;
2102
2103 case 51: /* ACMD51: SEND_SCR */
2104 ret = sd->scr[sd->data_offset ++];
2105
2106 if (sd->data_offset >= sizeof(sd->scr))
2107 sd->state = sd_transfer_state;
2108 break;
2109
2110 case 56: /* CMD56: GEN_CMD */
2111 if (sd->data_offset == 0)
2112 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2113 ret = sd->data[sd->data_offset ++];
2114
2115 if (sd->data_offset >= sd->blk_len)
2116 sd->state = sd_transfer_state;
2117 break;
2118
2119 default:
2120 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2121 return 0x00;
2122 }
2123
2124 return ret;
2125 }
2126
2127 static bool sd_receive_ready(SDState *sd)
2128 {
2129 return sd->state == sd_receivingdata_state;
2130 }
2131
2132 static bool sd_data_ready(SDState *sd)
2133 {
2134 return sd->state == sd_sendingdata_state;
2135 }
2136
2137 void sd_enable(SDState *sd, bool enable)
2138 {
2139 sd->enable = enable;
2140 }
2141
2142 static const SDProto sd_proto_spi = {
2143 .name = "SPI",
2144 .cmd = {
2145 [0] = sd_cmd_GO_IDLE_STATE,
2146 [1] = sd_cmd_SEND_OP_CMD,
2147 [2 ... 4] = sd_cmd_illegal,
2148 [5] = sd_cmd_illegal,
2149 [7] = sd_cmd_illegal,
2150 [15] = sd_cmd_illegal,
2151 [26] = sd_cmd_illegal,
2152 [52 ... 54] = sd_cmd_illegal,
2153 },
2154 .acmd = {
2155 [6] = sd_cmd_unimplemented,
2156 [41] = sd_cmd_SEND_OP_CMD,
2157 },
2158 };
2159
2160 static const SDProto sd_proto_sd = {
2161 .name = "SD",
2162 .cmd = {
2163 [0] = sd_cmd_GO_IDLE_STATE,
2164 [1] = sd_cmd_illegal,
2165 [2] = sd_cmd_ALL_SEND_CID,
2166 [3] = sd_cmd_SEND_RELATIVE_ADDR,
2167 [5] = sd_cmd_illegal,
2168 [19] = sd_cmd_SEND_TUNING_BLOCK,
2169 [23] = sd_cmd_SET_BLOCK_COUNT,
2170 [52 ... 54] = sd_cmd_illegal,
2171 [58] = sd_cmd_illegal,
2172 [59] = sd_cmd_illegal,
2173 },
2174 };
2175
2176 static void sd_instance_init(Object *obj)
2177 {
2178 SDState *sd = SD_CARD(obj);
2179
2180 sd->enable = true;
2181 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2182 }
2183
2184 static void sd_instance_finalize(Object *obj)
2185 {
2186 SDState *sd = SD_CARD(obj);
2187
2188 timer_free(sd->ocr_power_timer);
2189 }
2190
2191 static void sd_realize(DeviceState *dev, Error **errp)
2192 {
2193 SDState *sd = SD_CARD(dev);
2194 int ret;
2195
2196 switch (sd->spec_version) {
2197 case SD_PHY_SPECv1_10_VERS
2198 ... SD_PHY_SPECv3_01_VERS:
2199 break;
2200 default:
2201 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2202 return;
2203 }
2204
2205 if (sd->blk) {
2206 int64_t blk_size;
2207
2208 if (!blk_supports_write_perm(sd->blk)) {
2209 error_setg(errp, "Cannot use read-only drive as SD card");
2210 return;
2211 }
2212
2213 blk_size = blk_getlength(sd->blk);
2214 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2215 int64_t blk_size_aligned = pow2ceil(blk_size);
2216 char *blk_size_str;
2217
2218 blk_size_str = size_to_str(blk_size);
2219 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2220 g_free(blk_size_str);
2221
2222 blk_size_str = size_to_str(blk_size_aligned);
2223 error_append_hint(errp,
2224 "SD card size has to be a power of 2, e.g. %s.\n"
2225 "You can resize disk images with"
2226 " 'qemu-img resize <imagefile> <new-size>'\n"
2227 "(note that this will lose data if you make the"
2228 " image smaller than it currently is).\n",
2229 blk_size_str);
2230 g_free(blk_size_str);
2231
2232 return;
2233 }
2234
2235 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2236 BLK_PERM_ALL, errp);
2237 if (ret < 0) {
2238 return;
2239 }
2240 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2241 }
2242 }
2243
2244 static Property sd_properties[] = {
2245 DEFINE_PROP_UINT8("spec_version", SDState,
2246 spec_version, SD_PHY_SPECv2_00_VERS),
2247 DEFINE_PROP_DRIVE("drive", SDState, blk),
2248 /* We do not model the chip select pin, so allow the board to select
2249 * whether card should be in SSI or MMC/SD mode. It is also up to the
2250 * board to ensure that ssi transfers only occur when the chip select
2251 * is asserted. */
2252 DEFINE_PROP_END_OF_LIST()
2253 };
2254
2255 static void sd_class_init(ObjectClass *klass, void *data)
2256 {
2257 DeviceClass *dc = DEVICE_CLASS(klass);
2258 SDCardClass *sc = SD_CARD_CLASS(klass);
2259
2260 dc->realize = sd_realize;
2261 device_class_set_props(dc, sd_properties);
2262 dc->vmsd = &sd_vmstate;
2263 dc->reset = sd_reset;
2264 dc->bus_type = TYPE_SD_BUS;
2265 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2266
2267 sc->set_voltage = sd_set_voltage;
2268 sc->get_dat_lines = sd_get_dat_lines;
2269 sc->get_cmd_line = sd_get_cmd_line;
2270 sc->do_command = sd_do_command;
2271 sc->write_byte = sd_write_byte;
2272 sc->read_byte = sd_read_byte;
2273 sc->receive_ready = sd_receive_ready;
2274 sc->data_ready = sd_data_ready;
2275 sc->enable = sd_enable;
2276 sc->get_inserted = sd_get_inserted;
2277 sc->get_readonly = sd_get_readonly;
2278 sc->proto = &sd_proto_sd;
2279 }
2280
2281 /*
2282 * We do not model the chip select pin, so allow the board to select
2283 * whether card should be in SSI or MMC/SD mode. It is also up to the
2284 * board to ensure that ssi transfers only occur when the chip select
2285 * is asserted.
2286 */
2287 static void sd_spi_class_init(ObjectClass *klass, void *data)
2288 {
2289 DeviceClass *dc = DEVICE_CLASS(klass);
2290 SDCardClass *sc = SD_CARD_CLASS(klass);
2291
2292 dc->desc = "SD SPI";
2293 sc->proto = &sd_proto_spi;
2294 }
2295
2296 static const TypeInfo sd_types[] = {
2297 {
2298 .name = TYPE_SD_CARD,
2299 .parent = TYPE_DEVICE,
2300 .instance_size = sizeof(SDState),
2301 .class_size = sizeof(SDCardClass),
2302 .class_init = sd_class_init,
2303 .instance_init = sd_instance_init,
2304 .instance_finalize = sd_instance_finalize,
2305 },
2306 {
2307 .name = TYPE_SD_CARD_SPI,
2308 .parent = TYPE_SD_CARD,
2309 .class_init = sd_spi_class_init,
2310 },
2311 };
2312
2313 DEFINE_TYPES(sd_types)
AR7 emulation for QEMU