search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd: sd: Support CMD59 for SPI mode
[qemu/ar7.git] / hw / sd / sd.c
blobbfea5547d53a83e4d06a37b99b07f4c6bea236f4
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state,
81 sd_identification_state,
82 sd_standby_state,
83 sd_transfer_state,
84 sd_sendingdata_state,
85 sd_receivingdata_state,
86 sd_programming_state,
87 sd_disconnect_state,
88 };
89
90 struct SDState {
91 DeviceState parent_obj;
92
93 /* If true, created by sd_init() for a non-qdevified caller */
94 /* TODO purge them with fire */
95 bool me_no_qdev_me_kill_mammoth_with_rocks;
96
97 /* SD Memory Card Registers */
98 uint32_t ocr;
99 uint8_t scr[8];
100 uint8_t cid[16];
101 uint8_t csd[16];
102 uint16_t rca;
103 uint32_t card_status;
104 uint8_t sd_status[64];
105
106 /* Static properties */
107
108 uint8_t spec_version;
109 BlockBackend *blk;
110 bool spi;
111
112 /* Runtime changeables */
113
114 uint32_t mode; /* current card mode, one of SDCardModes */
115 int32_t state; /* current card state, one of SDCardStates */
116 uint32_t vhs;
117 bool wp_switch;
118 unsigned long *wp_groups;
119 int32_t wpgrps_size;
120 uint64_t size;
121 uint32_t blk_len;
122 uint32_t multi_blk_cnt;
123 uint32_t erase_start;
124 uint32_t erase_end;
125 uint8_t pwd[16];
126 uint32_t pwd_len;
127 uint8_t function_group[6];
128 uint8_t current_cmd;
129 /* True if we will handle the next command as an ACMD. Note that this does
130 * *not* track the APP_CMD status bit!
131 */
132 bool expecting_acmd;
133 uint32_t blk_written;
134 uint64_t data_start;
135 uint32_t data_offset;
136 uint8_t data[512];
137 qemu_irq readonly_cb;
138 qemu_irq inserted_cb;
139 QEMUTimer *ocr_power_timer;
140 const char *proto_name;
141 bool enable;
142 uint8_t dat_lines;
143 bool cmd_line;
144 };
145
146 static void sd_realize(DeviceState *dev, Error **errp);
147
148 static const char *sd_state_name(enum SDCardStates state)
149 {
150 static const char *state_name[] = {
151 [sd_idle_state] = "idle",
152 [sd_ready_state] = "ready",
153 [sd_identification_state] = "identification",
154 [sd_standby_state] = "standby",
155 [sd_transfer_state] = "transfer",
156 [sd_sendingdata_state] = "sendingdata",
157 [sd_receivingdata_state] = "receivingdata",
158 [sd_programming_state] = "programming",
159 [sd_disconnect_state] = "disconnect",
160 };
161 if (state == sd_inactive_state) {
162 return "inactive";
163 }
164 assert(state < ARRAY_SIZE(state_name));
165 return state_name[state];
166 }
167
168 static const char *sd_response_name(sd_rsp_type_t rsp)
169 {
170 static const char *response_name[] = {
171 [sd_r0] = "RESP#0 (no response)",
172 [sd_r1] = "RESP#1 (normal cmd)",
173 [sd_r2_i] = "RESP#2 (CID reg)",
174 [sd_r2_s] = "RESP#2 (CSD reg)",
175 [sd_r3] = "RESP#3 (OCR reg)",
176 [sd_r6] = "RESP#6 (RCA)",
177 [sd_r7] = "RESP#7 (operating voltage)",
178 };
179 if (rsp == sd_illegal) {
180 return "ILLEGAL RESP";
181 }
182 if (rsp == sd_r1b) {
183 rsp = sd_r1;
184 }
185 assert(rsp < ARRAY_SIZE(response_name));
186 return response_name[rsp];
187 }
188
189 static uint8_t sd_get_dat_lines(SDState *sd)
190 {
191 return sd->enable ? sd->dat_lines : 0;
192 }
193
194 static bool sd_get_cmd_line(SDState *sd)
195 {
196 return sd->enable ? sd->cmd_line : false;
197 }
198
199 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
200 {
201 trace_sdcard_set_voltage(millivolts);
202
203 switch (millivolts) {
204 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
205 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
206 break;
207 default:
208 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
209 millivolts / 1000.f);
210 }
211 }
212
213 static void sd_set_mode(SDState *sd)
214 {
215 switch (sd->state) {
216 case sd_inactive_state:
217 sd->mode = sd_inactive;
218 break;
219
220 case sd_idle_state:
221 case sd_ready_state:
222 case sd_identification_state:
223 sd->mode = sd_card_identification_mode;
224 break;
225
226 case sd_standby_state:
227 case sd_transfer_state:
228 case sd_sendingdata_state:
229 case sd_receivingdata_state:
230 case sd_programming_state:
231 case sd_disconnect_state:
232 sd->mode = sd_data_transfer_mode;
233 break;
234 }
235 }
236
237 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
238 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
239 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
240 /* 16 */
241 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
242 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
243 /* 32 */
244 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
245 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
246 /* 48 */
247 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
248 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
249 };
250
251 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
252 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
253 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
254 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
255 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
256 };
257
258 static uint8_t sd_crc7(const void *message, size_t width)
259 {
260 int i, bit;
261 uint8_t shift_reg = 0x00;
262 const uint8_t *msg = (const uint8_t *)message;
263
264 for (i = 0; i < width; i ++, msg ++)
265 for (bit = 7; bit >= 0; bit --) {
266 shift_reg <<= 1;
267 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
268 shift_reg ^= 0x89;
269 }
270
271 return shift_reg;
272 }
273
274 static uint16_t sd_crc16(const void *message, size_t width)
275 {
276 int i, bit;
277 uint16_t shift_reg = 0x0000;
278 const uint16_t *msg = (const uint16_t *)message;
279 width <<= 1;
280
281 for (i = 0; i < width; i ++, msg ++)
282 for (bit = 15; bit >= 0; bit --) {
283 shift_reg <<= 1;
284 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
285 shift_reg ^= 0x1011;
286 }
287
288 return shift_reg;
289 }
290
291 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
292
293 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
294 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
295 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
296 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
297 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
298 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
299 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
300 FIELD(OCR, CARD_POWER_UP, 31, 1)
301
302 #define ACMD41_ENQUIRY_MASK 0x00ffffff
303 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
304 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
305 | R_OCR_UHS_II_CARD_MASK \
306 | R_OCR_CARD_CAPACITY_MASK \
307 | R_OCR_CARD_POWER_UP_MASK)
308
309 static void sd_set_ocr(SDState *sd)
310 {
311 /* All voltages OK */
312 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
313 }
314
315 static void sd_ocr_powerup(void *opaque)
316 {
317 SDState *sd = opaque;
318
319 trace_sdcard_powerup();
320 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
321
322 /* card power-up OK */
323 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
324
325 if (sd->size > SDSC_MAX_CAPACITY) {
326 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
327 }
328 }
329
330 static void sd_set_scr(SDState *sd)
331 {
332 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
333 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
334 sd->scr[0] |= 1; /* Spec Version 1.10 */
335 } else {
336 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
337 }
338 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
339 | 0b0101; /* 1-bit or 4-bit width bus modes */
340 sd->scr[2] = 0x00; /* Extended Security is not supported. */
341 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
342 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
343 }
344 sd->scr[3] = 0x00;
345 /* reserved for manufacturer usage */
346 sd->scr[4] = 0x00;
347 sd->scr[5] = 0x00;
348 sd->scr[6] = 0x00;
349 sd->scr[7] = 0x00;
350 }
351
352 #define MID 0xaa
353 #define OID "XY"
354 #define PNM "QEMU!"
355 #define PRV 0x01
356 #define MDT_YR 2006
357 #define MDT_MON 2
358
359 static void sd_set_cid(SDState *sd)
360 {
361 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
362 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
363 sd->cid[2] = OID[1];
364 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
365 sd->cid[4] = PNM[1];
366 sd->cid[5] = PNM[2];
367 sd->cid[6] = PNM[3];
368 sd->cid[7] = PNM[4];
369 sd->cid[8] = PRV; /* Fake product revision (PRV) */
370 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
371 sd->cid[10] = 0xad;
372 sd->cid[11] = 0xbe;
373 sd->cid[12] = 0xef;
374 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
375 ((MDT_YR - 2000) / 10);
376 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
377 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
378 }
379
380 #define HWBLOCK_SHIFT 9 /* 512 bytes */
381 #define SECTOR_SHIFT 5 /* 16 kilobytes */
382 #define WPGROUP_SHIFT 7 /* 2 megs */
383 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
384 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
385
386 static const uint8_t sd_csd_rw_mask[16] = {
387 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
388 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
389 };
390
391 static void sd_set_csd(SDState *sd, uint64_t size)
392 {
393 int hwblock_shift = HWBLOCK_SHIFT;
394 uint32_t csize;
395 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
396 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
397
398 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
399 if (size == SDSC_MAX_CAPACITY) {
400 hwblock_shift += 1;
401 }
402 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
403
404 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
405 sd->csd[0] = 0x00; /* CSD structure */
406 sd->csd[1] = 0x26; /* Data read access-time-1 */
407 sd->csd[2] = 0x00; /* Data read access-time-2 */
408 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
409 sd->csd[4] = 0x5f; /* Card Command Classes */
410 sd->csd[5] = 0x50 | /* Max. read data block length */
411 hwblock_shift;
412 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
413 ((csize >> 10) & 0x03);
414 sd->csd[7] = 0x00 | /* Device size */
415 ((csize >> 2) & 0xff);
416 sd->csd[8] = 0x3f | /* Max. read current */
417 ((csize << 6) & 0xc0);
418 sd->csd[9] = 0xfc | /* Max. write current */
419 ((CMULT_SHIFT - 2) >> 1);
420 sd->csd[10] = 0x40 | /* Erase sector size */
421 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
422 sd->csd[11] = 0x00 | /* Write protect group size */
423 ((sectsize << 7) & 0x80) | wpsize;
424 sd->csd[12] = 0x90 | /* Write speed factor */
425 (hwblock_shift >> 2);
426 sd->csd[13] = 0x20 | /* Max. write data block length */
427 ((hwblock_shift << 6) & 0xc0);
428 sd->csd[14] = 0x00; /* File format group */
429 } else { /* SDHC */
430 size /= 512 * KiB;
431 size -= 1;
432 sd->csd[0] = 0x40;
433 sd->csd[1] = 0x0e;
434 sd->csd[2] = 0x00;
435 sd->csd[3] = 0x32;
436 sd->csd[4] = 0x5b;
437 sd->csd[5] = 0x59;
438 sd->csd[6] = 0x00;
439 sd->csd[7] = (size >> 16) & 0xff;
440 sd->csd[8] = (size >> 8) & 0xff;
441 sd->csd[9] = (size & 0xff);
442 sd->csd[10] = 0x7f;
443 sd->csd[11] = 0x80;
444 sd->csd[12] = 0x0a;
445 sd->csd[13] = 0x40;
446 sd->csd[14] = 0x00;
447 }
448 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
449 }
450
451 static void sd_set_rca(SDState *sd)
452 {
453 sd->rca += 0x4567;
454 }
455
456 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
457 FIELD(CSR, APP_CMD, 5, 1)
458 FIELD(CSR, FX_EVENT, 6, 1)
459 FIELD(CSR, READY_FOR_DATA, 8, 1)
460 FIELD(CSR, CURRENT_STATE, 9, 4)
461 FIELD(CSR, ERASE_RESET, 13, 1)
462 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
463 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
464 FIELD(CSR, CSD_OVERWRITE, 16, 1)
465 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
466 FIELD(CSR, ERROR, 19, 1)
467 FIELD(CSR, CC_ERROR, 20, 1)
468 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
469 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
470 FIELD(CSR, COM_CRC_ERROR, 23, 1)
471 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
472 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
473 FIELD(CSR, WP_VIOLATION, 26, 1)
474 FIELD(CSR, ERASE_PARAM, 27, 1)
475 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
476 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
477 FIELD(CSR, ADDRESS_ERROR, 30, 1)
478 FIELD(CSR, OUT_OF_RANGE, 31, 1)
479
480 /* Card status bits, split by clear condition:
481 * A : According to the card current state
482 * B : Always related to the previous command
483 * C : Cleared by read
484 */
485 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
486 | R_CSR_CARD_ECC_DISABLED_MASK \
487 | R_CSR_CARD_IS_LOCKED_MASK)
488 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
489 | R_CSR_ILLEGAL_COMMAND_MASK \
490 | R_CSR_COM_CRC_ERROR_MASK)
491 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
492 | R_CSR_APP_CMD_MASK \
493 | R_CSR_ERASE_RESET_MASK \
494 | R_CSR_WP_ERASE_SKIP_MASK \
495 | R_CSR_CSD_OVERWRITE_MASK \
496 | R_CSR_ERROR_MASK \
497 | R_CSR_CC_ERROR_MASK \
498 | R_CSR_CARD_ECC_FAILED_MASK \
499 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
500 | R_CSR_WP_VIOLATION_MASK \
501 | R_CSR_ERASE_PARAM_MASK \
502 | R_CSR_ERASE_SEQ_ERROR_MASK \
503 | R_CSR_BLOCK_LEN_ERROR_MASK \
504 | R_CSR_ADDRESS_ERROR_MASK \
505 | R_CSR_OUT_OF_RANGE_MASK)
506
507 static void sd_set_cardstatus(SDState *sd)
508 {
509 sd->card_status = 0x00000100;
510 }
511
512 static void sd_set_sdstatus(SDState *sd)
513 {
514 memset(sd->sd_status, 0, 64);
515 }
516
517 static int sd_req_crc_validate(SDRequest *req)
518 {
519 uint8_t buffer[5];
520 buffer[0] = 0x40 | req->cmd;
521 stl_be_p(&buffer[1], req->arg);
522 return 0;
523 return sd_crc7(buffer, 5) != req->crc; /* TODO */
524 }
525
526 static void sd_response_r1_make(SDState *sd, uint8_t *response)
527 {
528 stl_be_p(response, sd->card_status);
529
530 /* Clear the "clear on read" status bits */
531 sd->card_status &= ~CARD_STATUS_C;
532 }
533
534 static void sd_response_r3_make(SDState *sd, uint8_t *response)
535 {
536 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
537 }
538
539 static void sd_response_r6_make(SDState *sd, uint8_t *response)
540 {
541 uint16_t status;
542
543 status = ((sd->card_status >> 8) & 0xc000) |
544 ((sd->card_status >> 6) & 0x2000) |
545 (sd->card_status & 0x1fff);
546 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
547 stw_be_p(response + 0, sd->rca);
548 stw_be_p(response + 2, status);
549 }
550
551 static void sd_response_r7_make(SDState *sd, uint8_t *response)
552 {
553 stl_be_p(response, sd->vhs);
554 }
555
556 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
557 {
558 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
559 }
560
561 static void sd_reset(DeviceState *dev)
562 {
563 SDState *sd = SD_CARD(dev);
564 uint64_t size;
565 uint64_t sect;
566
567 trace_sdcard_reset();
568 if (sd->blk) {
569 blk_get_geometry(sd->blk, &sect);
570 } else {
571 sect = 0;
572 }
573 size = sect << 9;
574
575 sect = sd_addr_to_wpnum(size) + 1;
576
577 sd->state = sd_idle_state;
578 sd->rca = 0x0000;
579 sd_set_ocr(sd);
580 sd_set_scr(sd);
581 sd_set_cid(sd);
582 sd_set_csd(sd, size);
583 sd_set_cardstatus(sd);
584 sd_set_sdstatus(sd);
585
586 g_free(sd->wp_groups);
587 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
588 sd->wpgrps_size = sect;
589 sd->wp_groups = bitmap_new(sd->wpgrps_size);
590 memset(sd->function_group, 0, sizeof(sd->function_group));
591 sd->erase_start = INVALID_ADDRESS;
592 sd->erase_end = INVALID_ADDRESS;
593 sd->size = size;
594 sd->blk_len = 0x200;
595 sd->pwd_len = 0;
596 sd->expecting_acmd = false;
597 sd->dat_lines = 0xf;
598 sd->cmd_line = true;
599 sd->multi_blk_cnt = 0;
600 }
601
602 static bool sd_get_inserted(SDState *sd)
603 {
604 return sd->blk && blk_is_inserted(sd->blk);
605 }
606
607 static bool sd_get_readonly(SDState *sd)
608 {
609 return sd->wp_switch;
610 }
611
612 static void sd_cardchange(void *opaque, bool load, Error **errp)
613 {
614 SDState *sd = opaque;
615 DeviceState *dev = DEVICE(sd);
616 SDBus *sdbus;
617 bool inserted = sd_get_inserted(sd);
618 bool readonly = sd_get_readonly(sd);
619
620 if (inserted) {
621 trace_sdcard_inserted(readonly);
622 sd_reset(dev);
623 } else {
624 trace_sdcard_ejected();
625 }
626
627 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
628 qemu_set_irq(sd->inserted_cb, inserted);
629 if (inserted) {
630 qemu_set_irq(sd->readonly_cb, readonly);
631 }
632 } else {
633 sdbus = SD_BUS(qdev_get_parent_bus(dev));
634 sdbus_set_inserted(sdbus, inserted);
635 if (inserted) {
636 sdbus_set_readonly(sdbus, readonly);
637 }
638 }
639 }
640
641 static const BlockDevOps sd_block_ops = {
642 .change_media_cb = sd_cardchange,
643 };
644
645 static bool sd_ocr_vmstate_needed(void *opaque)
646 {
647 SDState *sd = opaque;
648
649 /* Include the OCR state (and timer) if it is not yet powered up */
650 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
651 }
652
653 static const VMStateDescription sd_ocr_vmstate = {
654 .name = "sd-card/ocr-state",
655 .version_id = 1,
656 .minimum_version_id = 1,
657 .needed = sd_ocr_vmstate_needed,
658 .fields = (VMStateField[]) {
659 VMSTATE_UINT32(ocr, SDState),
660 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
661 VMSTATE_END_OF_LIST()
662 },
663 };
664
665 static int sd_vmstate_pre_load(void *opaque)
666 {
667 SDState *sd = opaque;
668
669 /* If the OCR state is not included (prior versions, or not
670 * needed), then the OCR must be set as powered up. If the OCR state
671 * is included, this will be replaced by the state restore.
672 */
673 sd_ocr_powerup(sd);
674
675 return 0;
676 }
677
678 static const VMStateDescription sd_vmstate = {
679 .name = "sd-card",
680 .version_id = 2,
681 .minimum_version_id = 2,
682 .pre_load = sd_vmstate_pre_load,
683 .fields = (VMStateField[]) {
684 VMSTATE_UINT32(mode, SDState),
685 VMSTATE_INT32(state, SDState),
686 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
687 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
688 VMSTATE_UINT16(rca, SDState),
689 VMSTATE_UINT32(card_status, SDState),
690 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
691 VMSTATE_UINT32(vhs, SDState),
692 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
693 VMSTATE_UINT32(blk_len, SDState),
694 VMSTATE_UINT32(multi_blk_cnt, SDState),
695 VMSTATE_UINT32(erase_start, SDState),
696 VMSTATE_UINT32(erase_end, SDState),
697 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
698 VMSTATE_UINT32(pwd_len, SDState),
699 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
700 VMSTATE_UINT8(current_cmd, SDState),
701 VMSTATE_BOOL(expecting_acmd, SDState),
702 VMSTATE_UINT32(blk_written, SDState),
703 VMSTATE_UINT64(data_start, SDState),
704 VMSTATE_UINT32(data_offset, SDState),
705 VMSTATE_UINT8_ARRAY(data, SDState, 512),
706 VMSTATE_UNUSED_V(1, 512),
707 VMSTATE_BOOL(enable, SDState),
708 VMSTATE_END_OF_LIST()
709 },
710 .subsections = (const VMStateDescription*[]) {
711 &sd_ocr_vmstate,
712 NULL
713 },
714 };
715
716 /* Legacy initialization function for use by non-qdevified callers */
717 SDState *sd_init(BlockBackend *blk, bool is_spi)
718 {
719 Object *obj;
720 DeviceState *dev;
721 SDState *sd;
722 Error *err = NULL;
723
724 obj = object_new(TYPE_SD_CARD);
725 dev = DEVICE(obj);
726 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
727 error_reportf_err(err, "sd_init failed: ");
728 return NULL;
729 }
730 qdev_prop_set_bit(dev, "spi", is_spi);
731
732 /*
733 * Realizing the device properly would put it into the QOM
734 * composition tree even though it is not plugged into an
735 * appropriate bus. That's a no-no. Hide the device from
736 * QOM/qdev, and call its qdev realize callback directly.
737 */
738 object_ref(obj);
739 object_unparent(obj);
740 sd_realize(dev, &err);
741 if (err) {
742 error_reportf_err(err, "sd_init failed: ");
743 return NULL;
744 }
745
746 sd = SD_CARD(dev);
747 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
748 return sd;
749 }
750
751 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
752 {
753 sd->readonly_cb = readonly;
754 sd->inserted_cb = insert;
755 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
756 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
757 }
758
759 static void sd_erase(SDState *sd)
760 {
761 int i;
762 uint64_t erase_start = sd->erase_start;
763 uint64_t erase_end = sd->erase_end;
764
765 trace_sdcard_erase(sd->erase_start, sd->erase_end);
766 if (sd->erase_start == INVALID_ADDRESS
767 || sd->erase_end == INVALID_ADDRESS) {
768 sd->card_status |= ERASE_SEQ_ERROR;
769 sd->erase_start = INVALID_ADDRESS;
770 sd->erase_end = INVALID_ADDRESS;
771 return;
772 }
773
774 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
775 /* High capacity memory card: erase units are 512 byte blocks */
776 erase_start *= 512;
777 erase_end *= 512;
778 }
779
780 if (sd->erase_start > sd->size || sd->erase_end > sd->size) {
781 sd->card_status |= OUT_OF_RANGE;
782 sd->erase_start = INVALID_ADDRESS;
783 sd->erase_end = INVALID_ADDRESS;
784 return;
785 }
786
787 erase_start = sd_addr_to_wpnum(erase_start);
788 erase_end = sd_addr_to_wpnum(erase_end);
789 sd->erase_start = INVALID_ADDRESS;
790 sd->erase_end = INVALID_ADDRESS;
791 sd->csd[14] |= 0x40;
792
793 for (i = erase_start; i <= erase_end; i++) {
794 assert(i < sd->wpgrps_size);
795 if (test_bit(i, sd->wp_groups)) {
796 sd->card_status |= WP_ERASE_SKIP;
797 }
798 }
799 }
800
801 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
802 {
803 uint32_t i, wpnum;
804 uint32_t ret = 0;
805
806 wpnum = sd_addr_to_wpnum(addr);
807
808 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
809 assert(wpnum < sd->wpgrps_size);
810 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
811 ret |= (1 << i);
812 }
813 }
814
815 return ret;
816 }
817
818 static void sd_function_switch(SDState *sd, uint32_t arg)
819 {
820 int i, mode, new_func;
821 mode = !!(arg & 0x80000000);
822
823 sd->data[0] = 0x00; /* Maximum current consumption */
824 sd->data[1] = 0x01;
825 sd->data[2] = 0x80; /* Supported group 6 functions */
826 sd->data[3] = 0x01;
827 sd->data[4] = 0x80; /* Supported group 5 functions */
828 sd->data[5] = 0x01;
829 sd->data[6] = 0x80; /* Supported group 4 functions */
830 sd->data[7] = 0x01;
831 sd->data[8] = 0x80; /* Supported group 3 functions */
832 sd->data[9] = 0x01;
833 sd->data[10] = 0x80; /* Supported group 2 functions */
834 sd->data[11] = 0x43;
835 sd->data[12] = 0x80; /* Supported group 1 functions */
836 sd->data[13] = 0x03;
837
838 memset(&sd->data[14], 0, 3);
839 for (i = 0; i < 6; i ++) {
840 new_func = (arg >> (i * 4)) & 0x0f;
841 if (mode && new_func != 0x0f)
842 sd->function_group[i] = new_func;
843 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
844 }
845 memset(&sd->data[17], 0, 47);
846 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
847 }
848
849 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
850 {
851 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
852 }
853
854 static void sd_lock_command(SDState *sd)
855 {
856 int erase, lock, clr_pwd, set_pwd, pwd_len;
857 erase = !!(sd->data[0] & 0x08);
858 lock = sd->data[0] & 0x04;
859 clr_pwd = sd->data[0] & 0x02;
860 set_pwd = sd->data[0] & 0x01;
861
862 if (sd->blk_len > 1)
863 pwd_len = sd->data[1];
864 else
865 pwd_len = 0;
866
867 if (lock) {
868 trace_sdcard_lock();
869 } else {
870 trace_sdcard_unlock();
871 }
872 if (erase) {
873 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
874 set_pwd || clr_pwd || lock || sd->wp_switch ||
875 (sd->csd[14] & 0x20)) {
876 sd->card_status |= LOCK_UNLOCK_FAILED;
877 return;
878 }
879 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
880 sd->csd[14] &= ~0x10;
881 sd->card_status &= ~CARD_IS_LOCKED;
882 sd->pwd_len = 0;
883 /* Erasing the entire card here! */
884 fprintf(stderr, "SD: Card force-erased by CMD42\n");
885 return;
886 }
887
888 if (sd->blk_len < 2 + pwd_len ||
889 pwd_len <= sd->pwd_len ||
890 pwd_len > sd->pwd_len + 16) {
891 sd->card_status |= LOCK_UNLOCK_FAILED;
892 return;
893 }
894
895 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
896 sd->card_status |= LOCK_UNLOCK_FAILED;
897 return;
898 }
899
900 pwd_len -= sd->pwd_len;
901 if ((pwd_len && !set_pwd) ||
902 (clr_pwd && (set_pwd || lock)) ||
903 (lock && !sd->pwd_len && !set_pwd) ||
904 (!set_pwd && !clr_pwd &&
905 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
906 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
907 sd->card_status |= LOCK_UNLOCK_FAILED;
908 return;
909 }
910
911 if (set_pwd) {
912 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
913 sd->pwd_len = pwd_len;
914 }
915
916 if (clr_pwd) {
917 sd->pwd_len = 0;
918 }
919
920 if (lock)
921 sd->card_status |= CARD_IS_LOCKED;
922 else
923 sd->card_status &= ~CARD_IS_LOCKED;
924 }
925
926 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
927 {
928 uint32_t rca = 0x0000;
929 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
930
931 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
932 * However there is no ACMD55, so we want to trace this particular case.
933 */
934 if (req.cmd != 55 || sd->expecting_acmd) {
935 trace_sdcard_normal_command(sd->proto_name,
936 sd_cmd_name(req.cmd), req.cmd,
937 req.arg, sd_state_name(sd->state));
938 }
939
940 /* Not interpreting this as an app command */
941 sd->card_status &= ~APP_CMD;
942
943 if (sd_cmd_type[req.cmd] == sd_ac
944 || sd_cmd_type[req.cmd] == sd_adtc) {
945 rca = req.arg >> 16;
946 }
947
948 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
949 * if not, its effects are cancelled */
950 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
951 sd->multi_blk_cnt = 0;
952 }
953
954 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
955 /* Only Standard Capacity cards support class 6 commands */
956 return sd_illegal;
957 }
958
959 switch (req.cmd) {
960 /* Basic commands (Class 0 and Class 1) */
961 case 0: /* CMD0: GO_IDLE_STATE */
962 switch (sd->state) {
963 case sd_inactive_state:
964 return sd->spi ? sd_r1 : sd_r0;
965
966 default:
967 sd->state = sd_idle_state;
968 sd_reset(DEVICE(sd));
969 return sd->spi ? sd_r1 : sd_r0;
970 }
971 break;
972
973 case 1: /* CMD1: SEND_OP_CMD */
974 if (!sd->spi)
975 goto bad_cmd;
976
977 sd->state = sd_transfer_state;
978 return sd_r1;
979
980 case 2: /* CMD2: ALL_SEND_CID */
981 if (sd->spi)
982 goto bad_cmd;
983 switch (sd->state) {
984 case sd_ready_state:
985 sd->state = sd_identification_state;
986 return sd_r2_i;
987
988 default:
989 break;
990 }
991 break;
992
993 case 3: /* CMD3: SEND_RELATIVE_ADDR */
994 if (sd->spi)
995 goto bad_cmd;
996 switch (sd->state) {
997 case sd_identification_state:
998 case sd_standby_state:
999 sd->state = sd_standby_state;
1000 sd_set_rca(sd);
1001 return sd_r6;
1002
1003 default:
1004 break;
1005 }
1006 break;
1007
1008 case 4: /* CMD4: SEND_DSR */
1009 if (sd->spi)
1010 goto bad_cmd;
1011 switch (sd->state) {
1012 case sd_standby_state:
1013 break;
1014
1015 default:
1016 break;
1017 }
1018 break;
1019
1020 case 5: /* CMD5: reserved for SDIO cards */
1021 return sd_illegal;
1022
1023 case 6: /* CMD6: SWITCH_FUNCTION */
1024 switch (sd->mode) {
1025 case sd_data_transfer_mode:
1026 sd_function_switch(sd, req.arg);
1027 sd->state = sd_sendingdata_state;
1028 sd->data_start = 0;
1029 sd->data_offset = 0;
1030 return sd_r1;
1031
1032 default:
1033 break;
1034 }
1035 break;
1036
1037 case 7: /* CMD7: SELECT/DESELECT_CARD */
1038 if (sd->spi)
1039 goto bad_cmd;
1040 switch (sd->state) {
1041 case sd_standby_state:
1042 if (sd->rca != rca)
1043 return sd_r0;
1044
1045 sd->state = sd_transfer_state;
1046 return sd_r1b;
1047
1048 case sd_transfer_state:
1049 case sd_sendingdata_state:
1050 if (sd->rca == rca)
1051 break;
1052
1053 sd->state = sd_standby_state;
1054 return sd_r1b;
1055
1056 case sd_disconnect_state:
1057 if (sd->rca != rca)
1058 return sd_r0;
1059
1060 sd->state = sd_programming_state;
1061 return sd_r1b;
1062
1063 case sd_programming_state:
1064 if (sd->rca == rca)
1065 break;
1066
1067 sd->state = sd_disconnect_state;
1068 return sd_r1b;
1069
1070 default:
1071 break;
1072 }
1073 break;
1074
1075 case 8: /* CMD8: SEND_IF_COND */
1076 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1077 break;
1078 }
1079 if (sd->state != sd_idle_state) {
1080 break;
1081 }
1082 sd->vhs = 0;
1083
1084 /* No response if not exactly one VHS bit is set. */
1085 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1086 return sd->spi ? sd_r7 : sd_r0;
1087 }
1088
1089 /* Accept. */
1090 sd->vhs = req.arg;
1091 return sd_r7;
1092
1093 case 9: /* CMD9: SEND_CSD */
1094 switch (sd->state) {
1095 case sd_standby_state:
1096 if (sd->rca != rca)
1097 return sd_r0;
1098
1099 return sd_r2_s;
1100
1101 case sd_transfer_state:
1102 if (!sd->spi)
1103 break;
1104 sd->state = sd_sendingdata_state;
1105 memcpy(sd->data, sd->csd, 16);
1106 sd->data_start = addr;
1107 sd->data_offset = 0;
1108 return sd_r1;
1109
1110 default:
1111 break;
1112 }
1113 break;
1114
1115 case 10: /* CMD10: SEND_CID */
1116 switch (sd->state) {
1117 case sd_standby_state:
1118 if (sd->rca != rca)
1119 return sd_r0;
1120
1121 return sd_r2_i;
1122
1123 case sd_transfer_state:
1124 if (!sd->spi)
1125 break;
1126 sd->state = sd_sendingdata_state;
1127 memcpy(sd->data, sd->cid, 16);
1128 sd->data_start = addr;
1129 sd->data_offset = 0;
1130 return sd_r1;
1131
1132 default:
1133 break;
1134 }
1135 break;
1136
1137 case 12: /* CMD12: STOP_TRANSMISSION */
1138 switch (sd->state) {
1139 case sd_sendingdata_state:
1140 sd->state = sd_transfer_state;
1141 return sd_r1b;
1142
1143 case sd_receivingdata_state:
1144 sd->state = sd_programming_state;
1145 /* Bzzzzzzztt .... Operation complete. */
1146 sd->state = sd_transfer_state;
1147 return sd_r1b;
1148
1149 default:
1150 break;
1151 }
1152 break;
1153
1154 case 13: /* CMD13: SEND_STATUS */
1155 switch (sd->mode) {
1156 case sd_data_transfer_mode:
1157 if (sd->rca != rca)
1158 return sd_r0;
1159
1160 return sd_r1;
1161
1162 default:
1163 break;
1164 }
1165 break;
1166
1167 case 15: /* CMD15: GO_INACTIVE_STATE */
1168 if (sd->spi)
1169 goto bad_cmd;
1170 switch (sd->mode) {
1171 case sd_data_transfer_mode:
1172 if (sd->rca != rca)
1173 return sd_r0;
1174
1175 sd->state = sd_inactive_state;
1176 return sd_r0;
1177
1178 default:
1179 break;
1180 }
1181 break;
1182
1183 /* Block read commands (Classs 2) */
1184 case 16: /* CMD16: SET_BLOCKLEN */
1185 switch (sd->state) {
1186 case sd_transfer_state:
1187 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1188 sd->card_status |= BLOCK_LEN_ERROR;
1189 } else {
1190 trace_sdcard_set_blocklen(req.arg);
1191 sd->blk_len = req.arg;
1192 }
1193
1194 return sd_r1;
1195
1196 default:
1197 break;
1198 }
1199 break;
1200
1201 case 17: /* CMD17: READ_SINGLE_BLOCK */
1202 switch (sd->state) {
1203 case sd_transfer_state:
1204
1205 if (addr + sd->blk_len > sd->size) {
1206 sd->card_status |= ADDRESS_ERROR;
1207 return sd_r1;
1208 }
1209
1210 sd->state = sd_sendingdata_state;
1211 sd->data_start = addr;
1212 sd->data_offset = 0;
1213 return sd_r1;
1214
1215 default:
1216 break;
1217 }
1218 break;
1219
1220 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1221 switch (sd->state) {
1222 case sd_transfer_state:
1223
1224 if (addr + sd->blk_len > sd->size) {
1225 sd->card_status |= ADDRESS_ERROR;
1226 return sd_r1;
1227 }
1228
1229 sd->state = sd_sendingdata_state;
1230 sd->data_start = addr;
1231 sd->data_offset = 0;
1232 return sd_r1;
1233
1234 default:
1235 break;
1236 }
1237 break;
1238
1239 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1240 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1241 break;
1242 }
1243 if (sd->state == sd_transfer_state) {
1244 sd->state = sd_sendingdata_state;
1245 sd->data_offset = 0;
1246 return sd_r1;
1247 }
1248 break;
1249
1250 case 23: /* CMD23: SET_BLOCK_COUNT */
1251 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1252 break;
1253 }
1254 switch (sd->state) {
1255 case sd_transfer_state:
1256 sd->multi_blk_cnt = req.arg;
1257 return sd_r1;
1258
1259 default:
1260 break;
1261 }
1262 break;
1263
1264 /* Block write commands (Class 4) */
1265 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1266 switch (sd->state) {
1267 case sd_transfer_state:
1268 /* Writing in SPI mode not implemented. */
1269 if (sd->spi)
1270 break;
1271
1272 if (addr + sd->blk_len > sd->size) {
1273 sd->card_status |= ADDRESS_ERROR;
1274 return sd_r1;
1275 }
1276
1277 sd->state = sd_receivingdata_state;
1278 sd->data_start = addr;
1279 sd->data_offset = 0;
1280 sd->blk_written = 0;
1281
1282 if (sd_wp_addr(sd, sd->data_start)) {
1283 sd->card_status |= WP_VIOLATION;
1284 }
1285 if (sd->csd[14] & 0x30) {
1286 sd->card_status |= WP_VIOLATION;
1287 }
1288 return sd_r1;
1289
1290 default:
1291 break;
1292 }
1293 break;
1294
1295 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1296 switch (sd->state) {
1297 case sd_transfer_state:
1298 /* Writing in SPI mode not implemented. */
1299 if (sd->spi)
1300 break;
1301
1302 if (addr + sd->blk_len > sd->size) {
1303 sd->card_status |= ADDRESS_ERROR;
1304 return sd_r1;
1305 }
1306
1307 sd->state = sd_receivingdata_state;
1308 sd->data_start = addr;
1309 sd->data_offset = 0;
1310 sd->blk_written = 0;
1311
1312 if (sd_wp_addr(sd, sd->data_start)) {
1313 sd->card_status |= WP_VIOLATION;
1314 }
1315 if (sd->csd[14] & 0x30) {
1316 sd->card_status |= WP_VIOLATION;
1317 }
1318 return sd_r1;
1319
1320 default:
1321 break;
1322 }
1323 break;
1324
1325 case 26: /* CMD26: PROGRAM_CID */
1326 if (sd->spi)
1327 goto bad_cmd;
1328 switch (sd->state) {
1329 case sd_transfer_state:
1330 sd->state = sd_receivingdata_state;
1331 sd->data_start = 0;
1332 sd->data_offset = 0;
1333 return sd_r1;
1334
1335 default:
1336 break;
1337 }
1338 break;
1339
1340 case 27: /* CMD27: PROGRAM_CSD */
1341 switch (sd->state) {
1342 case sd_transfer_state:
1343 sd->state = sd_receivingdata_state;
1344 sd->data_start = 0;
1345 sd->data_offset = 0;
1346 return sd_r1;
1347
1348 default:
1349 break;
1350 }
1351 break;
1352
1353 /* Write protection (Class 6) */
1354 case 28: /* CMD28: SET_WRITE_PROT */
1355 switch (sd->state) {
1356 case sd_transfer_state:
1357 if (addr >= sd->size) {
1358 sd->card_status |= ADDRESS_ERROR;
1359 return sd_r1b;
1360 }
1361
1362 sd->state = sd_programming_state;
1363 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1364 /* Bzzzzzzztt .... Operation complete. */
1365 sd->state = sd_transfer_state;
1366 return sd_r1b;
1367
1368 default:
1369 break;
1370 }
1371 break;
1372
1373 case 29: /* CMD29: CLR_WRITE_PROT */
1374 switch (sd->state) {
1375 case sd_transfer_state:
1376 if (addr >= sd->size) {
1377 sd->card_status |= ADDRESS_ERROR;
1378 return sd_r1b;
1379 }
1380
1381 sd->state = sd_programming_state;
1382 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1383 /* Bzzzzzzztt .... Operation complete. */
1384 sd->state = sd_transfer_state;
1385 return sd_r1b;
1386
1387 default:
1388 break;
1389 }
1390 break;
1391
1392 case 30: /* CMD30: SEND_WRITE_PROT */
1393 switch (sd->state) {
1394 case sd_transfer_state:
1395 sd->state = sd_sendingdata_state;
1396 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1397 sd->data_start = addr;
1398 sd->data_offset = 0;
1399 return sd_r1b;
1400
1401 default:
1402 break;
1403 }
1404 break;
1405
1406 /* Erase commands (Class 5) */
1407 case 32: /* CMD32: ERASE_WR_BLK_START */
1408 switch (sd->state) {
1409 case sd_transfer_state:
1410 sd->erase_start = req.arg;
1411 return sd_r1;
1412
1413 default:
1414 break;
1415 }
1416 break;
1417
1418 case 33: /* CMD33: ERASE_WR_BLK_END */
1419 switch (sd->state) {
1420 case sd_transfer_state:
1421 sd->erase_end = req.arg;
1422 return sd_r1;
1423
1424 default:
1425 break;
1426 }
1427 break;
1428
1429 case 38: /* CMD38: ERASE */
1430 switch (sd->state) {
1431 case sd_transfer_state:
1432 if (sd->csd[14] & 0x30) {
1433 sd->card_status |= WP_VIOLATION;
1434 return sd_r1b;
1435 }
1436
1437 sd->state = sd_programming_state;
1438 sd_erase(sd);
1439 /* Bzzzzzzztt .... Operation complete. */
1440 sd->state = sd_transfer_state;
1441 return sd_r1b;
1442
1443 default:
1444 break;
1445 }
1446 break;
1447
1448 /* Lock card commands (Class 7) */
1449 case 42: /* CMD42: LOCK_UNLOCK */
1450 switch (sd->state) {
1451 case sd_transfer_state:
1452 sd->state = sd_receivingdata_state;
1453 sd->data_start = 0;
1454 sd->data_offset = 0;
1455 return sd_r1;
1456
1457 default:
1458 break;
1459 }
1460 break;
1461
1462 case 52 ... 54:
1463 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1464 * (see the SDIO Simplified Specification V2.0)
1465 * Handle as illegal command but do not complain
1466 * on stderr, as some OSes may use these in their
1467 * probing for presence of an SDIO card.
1468 */
1469 return sd_illegal;
1470
1471 /* Application specific commands (Class 8) */
1472 case 55: /* CMD55: APP_CMD */
1473 switch (sd->state) {
1474 case sd_ready_state:
1475 case sd_identification_state:
1476 case sd_inactive_state:
1477 return sd_illegal;
1478 case sd_idle_state:
1479 if (rca) {
1480 qemu_log_mask(LOG_GUEST_ERROR,
1481 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1482 }
1483 default:
1484 break;
1485 }
1486 if (!sd->spi) {
1487 if (sd->rca != rca) {
1488 return sd_r0;
1489 }
1490 }
1491 sd->expecting_acmd = true;
1492 sd->card_status |= APP_CMD;
1493 return sd_r1;
1494
1495 case 56: /* CMD56: GEN_CMD */
1496 switch (sd->state) {
1497 case sd_transfer_state:
1498 sd->data_offset = 0;
1499 if (req.arg & 1)
1500 sd->state = sd_sendingdata_state;
1501 else
1502 sd->state = sd_receivingdata_state;
1503 return sd_r1;
1504
1505 default:
1506 break;
1507 }
1508 break;
1509
1510 case 58: /* CMD58: READ_OCR (SPI) */
1511 if (!sd->spi) {
1512 goto bad_cmd;
1513 }
1514 return sd_r3;
1515
1516 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1517 if (!sd->spi) {
1518 goto bad_cmd;
1519 }
1520 return sd_r1;
1521
1522 default:
1523 bad_cmd:
1524 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1525 return sd_illegal;
1526 }
1527
1528 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1529 return sd_illegal;
1530 }
1531
1532 static sd_rsp_type_t sd_app_command(SDState *sd,
1533 SDRequest req)
1534 {
1535 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1536 req.cmd, req.arg, sd_state_name(sd->state));
1537 sd->card_status |= APP_CMD;
1538 switch (req.cmd) {
1539 case 6: /* ACMD6: SET_BUS_WIDTH */
1540 if (sd->spi) {
1541 goto unimplemented_spi_cmd;
1542 }
1543 switch (sd->state) {
1544 case sd_transfer_state:
1545 sd->sd_status[0] &= 0x3f;
1546 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1547 return sd_r1;
1548
1549 default:
1550 break;
1551 }
1552 break;
1553
1554 case 13: /* ACMD13: SD_STATUS */
1555 switch (sd->state) {
1556 case sd_transfer_state:
1557 sd->state = sd_sendingdata_state;
1558 sd->data_start = 0;
1559 sd->data_offset = 0;
1560 return sd_r1;
1561
1562 default:
1563 break;
1564 }
1565 break;
1566
1567 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1568 switch (sd->state) {
1569 case sd_transfer_state:
1570 *(uint32_t *) sd->data = sd->blk_written;
1571
1572 sd->state = sd_sendingdata_state;
1573 sd->data_start = 0;
1574 sd->data_offset = 0;
1575 return sd_r1;
1576
1577 default:
1578 break;
1579 }
1580 break;
1581
1582 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1583 switch (sd->state) {
1584 case sd_transfer_state:
1585 return sd_r1;
1586
1587 default:
1588 break;
1589 }
1590 break;
1591
1592 case 41: /* ACMD41: SD_APP_OP_COND */
1593 if (sd->spi) {
1594 /* SEND_OP_CMD */
1595 sd->state = sd_transfer_state;
1596 return sd_r1;
1597 }
1598 if (sd->state != sd_idle_state) {
1599 break;
1600 }
1601 /* If it's the first ACMD41 since reset, we need to decide
1602 * whether to power up. If this is not an enquiry ACMD41,
1603 * we immediately report power on and proceed below to the
1604 * ready state, but if it is, we set a timer to model a
1605 * delay for power up. This works around a bug in EDK2
1606 * UEFI, which sends an initial enquiry ACMD41, but
1607 * assumes that the card is in ready state as soon as it
1608 * sees the power up bit set. */
1609 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1610 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1611 timer_del(sd->ocr_power_timer);
1612 sd_ocr_powerup(sd);
1613 } else {
1614 trace_sdcard_inquiry_cmd41();
1615 if (!timer_pending(sd->ocr_power_timer)) {
1616 timer_mod_ns(sd->ocr_power_timer,
1617 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1618 + OCR_POWER_DELAY_NS));
1619 }
1620 }
1621 }
1622
1623 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1624 /* We accept any voltage. 10000 V is nothing.
1625 *
1626 * Once we're powered up, we advance straight to ready state
1627 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1628 */
1629 sd->state = sd_ready_state;
1630 }
1631
1632 return sd_r3;
1633
1634 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1635 switch (sd->state) {
1636 case sd_transfer_state:
1637 /* Bringing in the 50KOhm pull-up resistor... Done. */
1638 return sd_r1;
1639
1640 default:
1641 break;
1642 }
1643 break;
1644
1645 case 51: /* ACMD51: SEND_SCR */
1646 switch (sd->state) {
1647 case sd_transfer_state:
1648 sd->state = sd_sendingdata_state;
1649 sd->data_start = 0;
1650 sd->data_offset = 0;
1651 return sd_r1;
1652
1653 default:
1654 break;
1655 }
1656 break;
1657
1658 case 18: /* Reserved for SD security applications */
1659 case 25:
1660 case 26:
1661 case 38:
1662 case 43 ... 49:
1663 /* Refer to the "SD Specifications Part3 Security Specification" for
1664 * information about the SD Security Features.
1665 */
1666 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1667 req.cmd);
1668 return sd_illegal;
1669
1670 default:
1671 /* Fall back to standard commands. */
1672 return sd_normal_command(sd, req);
1673
1674 unimplemented_spi_cmd:
1675 /* Commands that are recognised but not yet implemented in SPI mode. */
1676 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1677 req.cmd);
1678 return sd_illegal;
1679 }
1680
1681 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1682 return sd_illegal;
1683 }
1684
1685 static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1686 {
1687 /* Valid commands in locked state:
1688 * basic class (0)
1689 * lock card class (7)
1690 * CMD16
1691 * implicitly, the ACMD prefix CMD55
1692 * ACMD41 and ACMD42
1693 * Anything else provokes an "illegal command" response.
1694 */
1695 if (sd->expecting_acmd) {
1696 return cmd == 41 || cmd == 42;
1697 }
1698 if (cmd == 16 || cmd == 55) {
1699 return 1;
1700 }
1701 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1702 }
1703
1704 int sd_do_command(SDState *sd, SDRequest *req,
1705 uint8_t *response) {
1706 int last_state;
1707 sd_rsp_type_t rtype;
1708 int rsplen;
1709
1710 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1711 return 0;
1712 }
1713
1714 if (sd_req_crc_validate(req)) {
1715 sd->card_status |= COM_CRC_ERROR;
1716 rtype = sd_illegal;
1717 goto send_response;
1718 }
1719
1720 if (req->cmd >= SDMMC_CMD_MAX) {
1721 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1722 req->cmd);
1723 req->cmd &= 0x3f;
1724 }
1725
1726 if (sd->card_status & CARD_IS_LOCKED) {
1727 if (!cmd_valid_while_locked(sd, req->cmd)) {
1728 sd->card_status |= ILLEGAL_COMMAND;
1729 sd->expecting_acmd = false;
1730 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1731 rtype = sd_illegal;
1732 goto send_response;
1733 }
1734 }
1735
1736 last_state = sd->state;
1737 sd_set_mode(sd);
1738
1739 if (sd->expecting_acmd) {
1740 sd->expecting_acmd = false;
1741 rtype = sd_app_command(sd, *req);
1742 } else {
1743 rtype = sd_normal_command(sd, *req);
1744 }
1745
1746 if (rtype == sd_illegal) {
1747 sd->card_status |= ILLEGAL_COMMAND;
1748 } else {
1749 /* Valid command, we can update the 'state before command' bits.
1750 * (Do this now so they appear in r1 responses.)
1751 */
1752 sd->current_cmd = req->cmd;
1753 sd->card_status &= ~CURRENT_STATE;
1754 sd->card_status |= (last_state << 9);
1755 }
1756
1757 send_response:
1758 switch (rtype) {
1759 case sd_r1:
1760 case sd_r1b:
1761 sd_response_r1_make(sd, response);
1762 rsplen = 4;
1763 break;
1764
1765 case sd_r2_i:
1766 memcpy(response, sd->cid, sizeof(sd->cid));
1767 rsplen = 16;
1768 break;
1769
1770 case sd_r2_s:
1771 memcpy(response, sd->csd, sizeof(sd->csd));
1772 rsplen = 16;
1773 break;
1774
1775 case sd_r3:
1776 sd_response_r3_make(sd, response);
1777 rsplen = 4;
1778 break;
1779
1780 case sd_r6:
1781 sd_response_r6_make(sd, response);
1782 rsplen = 4;
1783 break;
1784
1785 case sd_r7:
1786 sd_response_r7_make(sd, response);
1787 rsplen = 4;
1788 break;
1789
1790 case sd_r0:
1791 case sd_illegal:
1792 rsplen = 0;
1793 break;
1794 default:
1795 g_assert_not_reached();
1796 }
1797 trace_sdcard_response(sd_response_name(rtype), rsplen);
1798
1799 if (rtype != sd_illegal) {
1800 /* Clear the "clear on valid command" status bits now we've
1801 * sent any response
1802 */
1803 sd->card_status &= ~CARD_STATUS_B;
1804 }
1805
1806 #ifdef DEBUG_SD
1807 qemu_hexdump(stderr, "Response", response, rsplen);
1808 #endif
1809
1810 return rsplen;
1811 }
1812
1813 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1814 {
1815 trace_sdcard_read_block(addr, len);
1816 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1817 fprintf(stderr, "sd_blk_read: read error on host side\n");
1818 }
1819 }
1820
1821 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1822 {
1823 trace_sdcard_write_block(addr, len);
1824 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1825 fprintf(stderr, "sd_blk_write: write error on host side\n");
1826 }
1827 }
1828
1829 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1830 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1831 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1832 #define APP_WRITE_BLOCK(a, len)
1833
1834 void sd_write_byte(SDState *sd, uint8_t value)
1835 {
1836 int i;
1837
1838 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1839 return;
1840
1841 if (sd->state != sd_receivingdata_state) {
1842 qemu_log_mask(LOG_GUEST_ERROR,
1843 "%s: not in Receiving-Data state\n", __func__);
1844 return;
1845 }
1846
1847 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1848 return;
1849
1850 trace_sdcard_write_data(sd->proto_name,
1851 sd_acmd_name(sd->current_cmd),
1852 sd->current_cmd, value);
1853 switch (sd->current_cmd) {
1854 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1855 sd->data[sd->data_offset ++] = value;
1856 if (sd->data_offset >= sd->blk_len) {
1857 /* TODO: Check CRC before committing */
1858 sd->state = sd_programming_state;
1859 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1860 sd->blk_written ++;
1861 sd->csd[14] |= 0x40;
1862 /* Bzzzzzzztt .... Operation complete. */
1863 sd->state = sd_transfer_state;
1864 }
1865 break;
1866
1867 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1868 if (sd->data_offset == 0) {
1869 /* Start of the block - let's check the address is valid */
1870 if (sd->data_start + sd->blk_len > sd->size) {
1871 sd->card_status |= ADDRESS_ERROR;
1872 break;
1873 }
1874 if (sd_wp_addr(sd, sd->data_start)) {
1875 sd->card_status |= WP_VIOLATION;
1876 break;
1877 }
1878 }
1879 sd->data[sd->data_offset++] = value;
1880 if (sd->data_offset >= sd->blk_len) {
1881 /* TODO: Check CRC before committing */
1882 sd->state = sd_programming_state;
1883 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1884 sd->blk_written++;
1885 sd->data_start += sd->blk_len;
1886 sd->data_offset = 0;
1887 sd->csd[14] |= 0x40;
1888
1889 /* Bzzzzzzztt .... Operation complete. */
1890 if (sd->multi_blk_cnt != 0) {
1891 if (--sd->multi_blk_cnt == 0) {
1892 /* Stop! */
1893 sd->state = sd_transfer_state;
1894 break;
1895 }
1896 }
1897
1898 sd->state = sd_receivingdata_state;
1899 }
1900 break;
1901
1902 case 26: /* CMD26: PROGRAM_CID */
1903 sd->data[sd->data_offset ++] = value;
1904 if (sd->data_offset >= sizeof(sd->cid)) {
1905 /* TODO: Check CRC before committing */
1906 sd->state = sd_programming_state;
1907 for (i = 0; i < sizeof(sd->cid); i ++)
1908 if ((sd->cid[i] | 0x00) != sd->data[i])
1909 sd->card_status |= CID_CSD_OVERWRITE;
1910
1911 if (!(sd->card_status & CID_CSD_OVERWRITE))
1912 for (i = 0; i < sizeof(sd->cid); i ++) {
1913 sd->cid[i] |= 0x00;
1914 sd->cid[i] &= sd->data[i];
1915 }
1916 /* Bzzzzzzztt .... Operation complete. */
1917 sd->state = sd_transfer_state;
1918 }
1919 break;
1920
1921 case 27: /* CMD27: PROGRAM_CSD */
1922 sd->data[sd->data_offset ++] = value;
1923 if (sd->data_offset >= sizeof(sd->csd)) {
1924 /* TODO: Check CRC before committing */
1925 sd->state = sd_programming_state;
1926 for (i = 0; i < sizeof(sd->csd); i ++)
1927 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1928 (sd->data[i] | sd_csd_rw_mask[i]))
1929 sd->card_status |= CID_CSD_OVERWRITE;
1930
1931 /* Copy flag (OTP) & Permanent write protect */
1932 if (sd->csd[14] & ~sd->data[14] & 0x60)
1933 sd->card_status |= CID_CSD_OVERWRITE;
1934
1935 if (!(sd->card_status & CID_CSD_OVERWRITE))
1936 for (i = 0; i < sizeof(sd->csd); i ++) {
1937 sd->csd[i] |= sd_csd_rw_mask[i];
1938 sd->csd[i] &= sd->data[i];
1939 }
1940 /* Bzzzzzzztt .... Operation complete. */
1941 sd->state = sd_transfer_state;
1942 }
1943 break;
1944
1945 case 42: /* CMD42: LOCK_UNLOCK */
1946 sd->data[sd->data_offset ++] = value;
1947 if (sd->data_offset >= sd->blk_len) {
1948 /* TODO: Check CRC before committing */
1949 sd->state = sd_programming_state;
1950 sd_lock_command(sd);
1951 /* Bzzzzzzztt .... Operation complete. */
1952 sd->state = sd_transfer_state;
1953 }
1954 break;
1955
1956 case 56: /* CMD56: GEN_CMD */
1957 sd->data[sd->data_offset ++] = value;
1958 if (sd->data_offset >= sd->blk_len) {
1959 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1960 sd->state = sd_transfer_state;
1961 }
1962 break;
1963
1964 default:
1965 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1966 break;
1967 }
1968 }
1969
1970 #define SD_TUNING_BLOCK_SIZE 64
1971
1972 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1973 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1974 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1975 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1976 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1977 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1978 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1979 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1980 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1981 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1982 };
1983
1984 uint8_t sd_read_byte(SDState *sd)
1985 {
1986 /* TODO: Append CRCs */
1987 uint8_t ret;
1988 uint32_t io_len;
1989
1990 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1991 return 0x00;
1992
1993 if (sd->state != sd_sendingdata_state) {
1994 qemu_log_mask(LOG_GUEST_ERROR,
1995 "%s: not in Sending-Data state\n", __func__);
1996 return 0x00;
1997 }
1998
1999 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2000 return 0x00;
2001
2002 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
2003
2004 trace_sdcard_read_data(sd->proto_name,
2005 sd_acmd_name(sd->current_cmd),
2006 sd->current_cmd, io_len);
2007 switch (sd->current_cmd) {
2008 case 6: /* CMD6: SWITCH_FUNCTION */
2009 ret = sd->data[sd->data_offset ++];
2010
2011 if (sd->data_offset >= 64)
2012 sd->state = sd_transfer_state;
2013 break;
2014
2015 case 9: /* CMD9: SEND_CSD */
2016 case 10: /* CMD10: SEND_CID */
2017 ret = sd->data[sd->data_offset ++];
2018
2019 if (sd->data_offset >= 16)
2020 sd->state = sd_transfer_state;
2021 break;
2022
2023 case 13: /* ACMD13: SD_STATUS */
2024 ret = sd->sd_status[sd->data_offset ++];
2025
2026 if (sd->data_offset >= sizeof(sd->sd_status))
2027 sd->state = sd_transfer_state;
2028 break;
2029
2030 case 17: /* CMD17: READ_SINGLE_BLOCK */
2031 if (sd->data_offset == 0)
2032 BLK_READ_BLOCK(sd->data_start, io_len);
2033 ret = sd->data[sd->data_offset ++];
2034
2035 if (sd->data_offset >= io_len)
2036 sd->state = sd_transfer_state;
2037 break;
2038
2039 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2040 if (sd->data_offset == 0) {
2041 if (sd->data_start + io_len > sd->size) {
2042 sd->card_status |= ADDRESS_ERROR;
2043 return 0x00;
2044 }
2045 BLK_READ_BLOCK(sd->data_start, io_len);
2046 }
2047 ret = sd->data[sd->data_offset ++];
2048
2049 if (sd->data_offset >= io_len) {
2050 sd->data_start += io_len;
2051 sd->data_offset = 0;
2052
2053 if (sd->multi_blk_cnt != 0) {
2054 if (--sd->multi_blk_cnt == 0) {
2055 /* Stop! */
2056 sd->state = sd_transfer_state;
2057 break;
2058 }
2059 }
2060 }
2061 break;
2062
2063 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2064 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2065 sd->state = sd_transfer_state;
2066 }
2067 ret = sd_tuning_block_pattern[sd->data_offset++];
2068 break;
2069
2070 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2071 ret = sd->data[sd->data_offset ++];
2072
2073 if (sd->data_offset >= 4)
2074 sd->state = sd_transfer_state;
2075 break;
2076
2077 case 30: /* CMD30: SEND_WRITE_PROT */
2078 ret = sd->data[sd->data_offset ++];
2079
2080 if (sd->data_offset >= 4)
2081 sd->state = sd_transfer_state;
2082 break;
2083
2084 case 51: /* ACMD51: SEND_SCR */
2085 ret = sd->scr[sd->data_offset ++];
2086
2087 if (sd->data_offset >= sizeof(sd->scr))
2088 sd->state = sd_transfer_state;
2089 break;
2090
2091 case 56: /* CMD56: GEN_CMD */
2092 if (sd->data_offset == 0)
2093 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2094 ret = sd->data[sd->data_offset ++];
2095
2096 if (sd->data_offset >= sd->blk_len)
2097 sd->state = sd_transfer_state;
2098 break;
2099
2100 default:
2101 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2102 return 0x00;
2103 }
2104
2105 return ret;
2106 }
2107
2108 static bool sd_data_ready(SDState *sd)
2109 {
2110 return sd->state == sd_sendingdata_state;
2111 }
2112
2113 void sd_enable(SDState *sd, bool enable)
2114 {
2115 sd->enable = enable;
2116 }
2117
2118 static void sd_instance_init(Object *obj)
2119 {
2120 SDState *sd = SD_CARD(obj);
2121
2122 sd->enable = true;
2123 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2124 }
2125
2126 static void sd_instance_finalize(Object *obj)
2127 {
2128 SDState *sd = SD_CARD(obj);
2129
2130 timer_free(sd->ocr_power_timer);
2131 }
2132
2133 static void sd_realize(DeviceState *dev, Error **errp)
2134 {
2135 SDState *sd = SD_CARD(dev);
2136 int ret;
2137
2138 sd->proto_name = sd->spi ? "SPI" : "SD";
2139
2140 switch (sd->spec_version) {
2141 case SD_PHY_SPECv1_10_VERS
2142 ... SD_PHY_SPECv3_01_VERS:
2143 break;
2144 default:
2145 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2146 return;
2147 }
2148
2149 if (sd->blk) {
2150 int64_t blk_size;
2151
2152 if (blk_is_read_only(sd->blk)) {
2153 error_setg(errp, "Cannot use read-only drive as SD card");
2154 return;
2155 }
2156
2157 blk_size = blk_getlength(sd->blk);
2158 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2159 int64_t blk_size_aligned = pow2ceil(blk_size);
2160 char *blk_size_str;
2161
2162 blk_size_str = size_to_str(blk_size);
2163 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2164 g_free(blk_size_str);
2165
2166 blk_size_str = size_to_str(blk_size_aligned);
2167 error_append_hint(errp,
2168 "SD card size has to be a power of 2, e.g. %s.\n"
2169 "You can resize disk images with"
2170 " 'qemu-img resize <imagefile> <new-size>'\n"
2171 "(note that this will lose data if you make the"
2172 " image smaller than it currently is).\n",
2173 blk_size_str);
2174 g_free(blk_size_str);
2175
2176 return;
2177 }
2178
2179 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2180 BLK_PERM_ALL, errp);
2181 if (ret < 0) {
2182 return;
2183 }
2184 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2185 }
2186 }
2187
2188 static Property sd_properties[] = {
2189 DEFINE_PROP_UINT8("spec_version", SDState,
2190 spec_version, SD_PHY_SPECv2_00_VERS),
2191 DEFINE_PROP_DRIVE("drive", SDState, blk),
2192 /* We do not model the chip select pin, so allow the board to select
2193 * whether card should be in SSI or MMC/SD mode. It is also up to the
2194 * board to ensure that ssi transfers only occur when the chip select
2195 * is asserted. */
2196 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2197 DEFINE_PROP_END_OF_LIST()
2198 };
2199
2200 static void sd_class_init(ObjectClass *klass, void *data)
2201 {
2202 DeviceClass *dc = DEVICE_CLASS(klass);
2203 SDCardClass *sc = SD_CARD_CLASS(klass);
2204
2205 dc->realize = sd_realize;
2206 device_class_set_props(dc, sd_properties);
2207 dc->vmsd = &sd_vmstate;
2208 dc->reset = sd_reset;
2209 dc->bus_type = TYPE_SD_BUS;
2210 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2211
2212 sc->set_voltage = sd_set_voltage;
2213 sc->get_dat_lines = sd_get_dat_lines;
2214 sc->get_cmd_line = sd_get_cmd_line;
2215 sc->do_command = sd_do_command;
2216 sc->write_byte = sd_write_byte;
2217 sc->read_byte = sd_read_byte;
2218 sc->data_ready = sd_data_ready;
2219 sc->enable = sd_enable;
2220 sc->get_inserted = sd_get_inserted;
2221 sc->get_readonly = sd_get_readonly;
2222 }
2223
2224 static const TypeInfo sd_info = {
2225 .name = TYPE_SD_CARD,
2226 .parent = TYPE_DEVICE,
2227 .instance_size = sizeof(SDState),
2228 .class_size = sizeof(SDCardClass),
2229 .class_init = sd_class_init,
2230 .instance_init = sd_instance_init,
2231 .instance_finalize = sd_instance_finalize,
2232 };
2233
2234 static void sd_register_types(void)
2235 {
2236 type_register_static(&sd_info);
2237 }
2238
2239 type_init(sd_register_types)
AR7 emulation for QEMU