search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd/sdcard: Store command name in SDProto
[qemu/armbru.git] / hw / sd / sd.c
blob2cfba6ff6090bc74223173440e0e1b50b3c3de1a
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state = 1,
81 sd_identification_state = 2,
82 sd_standby_state = 3,
83 sd_transfer_state = 4,
84 sd_sendingdata_state = 5,
85 sd_receivingdata_state = 6,
86 sd_programming_state = 7,
87 sd_disconnect_state = 8,
88 };
89
90 #define SDMMC_CMD_MAX 64
91
92 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
93
94 typedef struct SDProto {
95 const char *name;
96 struct {
97 const char *name;
98 sd_cmd_handler handler;
99 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX];
100 } SDProto;
101
102 struct SDState {
103 DeviceState parent_obj;
104
105 /* If true, created by sd_init() for a non-qdevified caller */
106 /* TODO purge them with fire */
107 bool me_no_qdev_me_kill_mammoth_with_rocks;
108
109 /* SD Memory Card Registers */
110 uint32_t ocr;
111 uint8_t scr[8];
112 uint8_t cid[16];
113 uint8_t csd[16];
114 uint16_t rca;
115 uint32_t card_status;
116 uint8_t sd_status[64];
117
118 /* Static properties */
119
120 uint8_t spec_version;
121 BlockBackend *blk;
122
123 const SDProto *proto;
124
125 /* Runtime changeables */
126
127 uint32_t mode; /* current card mode, one of SDCardModes */
128 int32_t state; /* current card state, one of SDCardStates */
129 uint32_t vhs;
130 bool wp_switch;
131 unsigned long *wp_group_bmap;
132 int32_t wp_group_bits;
133 uint64_t size;
134 uint32_t blk_len;
135 uint32_t multi_blk_cnt;
136 uint32_t erase_start;
137 uint32_t erase_end;
138 uint8_t pwd[16];
139 uint32_t pwd_len;
140 uint8_t function_group[6];
141 uint8_t current_cmd;
142 const char *last_cmd_name;
143 /* True if we will handle the next command as an ACMD. Note that this does
144 * *not* track the APP_CMD status bit!
145 */
146 bool expecting_acmd;
147 uint32_t blk_written;
148
149 uint64_t data_start;
150 uint32_t data_offset;
151 size_t data_size;
152 uint8_t data[512];
153 qemu_irq readonly_cb;
154 qemu_irq inserted_cb;
155 QEMUTimer *ocr_power_timer;
156 bool enable;
157 uint8_t dat_lines;
158 bool cmd_line;
159 };
160
161 static void sd_realize(DeviceState *dev, Error **errp);
162
163 static const SDProto sd_proto_spi;
164
165 static bool sd_is_spi(SDState *sd)
166 {
167 return sd->proto == &sd_proto_spi;
168 }
169
170 static const char *sd_version_str(enum SDPhySpecificationVersion version)
171 {
172 static const char *sdphy_version[] = {
173 [SD_PHY_SPECv1_10_VERS] = "v1.10",
174 [SD_PHY_SPECv2_00_VERS] = "v2.00",
175 [SD_PHY_SPECv3_01_VERS] = "v3.01",
176 };
177 if (version >= ARRAY_SIZE(sdphy_version)) {
178 return "unsupported version";
179 }
180 return sdphy_version[version];
181 }
182
183 static const char *sd_mode_name(enum SDCardModes mode)
184 {
185 static const char *mode_name[] = {
186 [sd_inactive] = "inactive",
187 [sd_card_identification_mode] = "identification",
188 [sd_data_transfer_mode] = "transfer",
189 };
190 assert(mode < ARRAY_SIZE(mode_name));
191 return mode_name[mode];
192 }
193
194 static const char *sd_state_name(enum SDCardStates state)
195 {
196 static const char *state_name[] = {
197 [sd_idle_state] = "idle",
198 [sd_ready_state] = "ready",
199 [sd_identification_state] = "identification",
200 [sd_standby_state] = "standby",
201 [sd_transfer_state] = "transfer",
202 [sd_sendingdata_state] = "sendingdata",
203 [sd_receivingdata_state] = "receivingdata",
204 [sd_programming_state] = "programming",
205 [sd_disconnect_state] = "disconnect",
206 };
207 if (state == sd_inactive_state) {
208 return "inactive";
209 }
210 assert(state < ARRAY_SIZE(state_name));
211 return state_name[state];
212 }
213
214 static const char *sd_response_name(sd_rsp_type_t rsp)
215 {
216 static const char *response_name[] = {
217 [sd_r0] = "RESP#0 (no response)",
218 [sd_r1] = "RESP#1 (normal cmd)",
219 [sd_r2_i] = "RESP#2 (CID reg)",
220 [sd_r2_s] = "RESP#2 (CSD reg)",
221 [sd_r3] = "RESP#3 (OCR reg)",
222 [sd_r6] = "RESP#6 (RCA)",
223 [sd_r7] = "RESP#7 (operating voltage)",
224 };
225 if (rsp == sd_illegal) {
226 return "ILLEGAL RESP";
227 }
228 if (rsp == sd_r1b) {
229 rsp = sd_r1;
230 }
231 assert(rsp < ARRAY_SIZE(response_name));
232 return response_name[rsp];
233 }
234
235 static const char *sd_cmd_name(SDState *sd, uint8_t cmd)
236 {
237 static const char *cmd_abbrev[SDMMC_CMD_MAX] = {
238 [4] = "SET_DSR", [5] = "IO_SEND_OP_COND",
239 [6] = "SWITCH_FUNC", [7] = "SELECT/DESELECT_CARD",
240 [8] = "SEND_IF_COND", [9] = "SEND_CSD",
241 [10] = "SEND_CID", [11] = "VOLTAGE_SWITCH",
242 [12] = "STOP_TRANSMISSION", [13] = "SEND_STATUS",
243 [15] = "GO_INACTIVE_STATE",
244 [16] = "SET_BLOCKLEN", [17] = "READ_SINGLE_BLOCK",
245 [18] = "READ_MULTIPLE_BLOCK",
246 [20] = "SPEED_CLASS_CONTROL", [21] = "DPS_spec",
247 [24] = "WRITE_BLOCK", [25] = "WRITE_MULTIPLE_BLOCK",
248 [26] = "MANUF_RSVD", [27] = "PROGRAM_CSD",
249 [28] = "SET_WRITE_PROT", [29] = "CLR_WRITE_PROT",
250 [30] = "SEND_WRITE_PROT",
251 [32] = "ERASE_WR_BLK_START", [33] = "ERASE_WR_BLK_END",
252 [34] = "SW_FUNC_RSVD", [35] = "SW_FUNC_RSVD",
253 [36] = "SW_FUNC_RSVD", [37] = "SW_FUNC_RSVD",
254 [38] = "ERASE",
255 [40] = "DPS_spec",
256 [42] = "LOCK_UNLOCK", [43] = "Q_MANAGEMENT",
257 [44] = "Q_TASK_INFO_A", [45] = "Q_TASK_INFO_B",
258 [46] = "Q_RD_TASK", [47] = "Q_WR_TASK",
259 [48] = "READ_EXTR_SINGLE", [49] = "WRITE_EXTR_SINGLE",
260 [50] = "SW_FUNC_RSVD",
261 [52] = "IO_RW_DIRECT", [53] = "IO_RW_EXTENDED",
262 [54] = "SDIO_RSVD", [55] = "APP_CMD",
263 [56] = "GEN_CMD", [57] = "SW_FUNC_RSVD",
264 [58] = "READ_EXTR_MULTI", [59] = "WRITE_EXTR_MULTI",
265 [60] = "MANUF_RSVD", [61] = "MANUF_RSVD",
266 [62] = "MANUF_RSVD", [63] = "MANUF_RSVD",
267 };
268 const SDProto *sdp = sd->proto;
269
270 if (sdp->cmd[cmd].handler) {
271 assert(!cmd_abbrev[cmd]);
272 return sdp->cmd[cmd].name;
273 }
274 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD";
275 }
276
277 static const char *sd_acmd_name(SDState *sd, uint8_t cmd)
278 {
279 static const char *acmd_abbrev[SDMMC_CMD_MAX] = {
280 [6] = "SET_BUS_WIDTH",
281 [13] = "SD_STATUS",
282 [14] = "DPS_spec", [15] = "DPS_spec",
283 [16] = "DPS_spec",
284 [18] = "SECU_spec",
285 [22] = "SEND_NUM_WR_BLOCKS", [23] = "SET_WR_BLK_ERASE_COUNT",
286 [42] = "SET_CLR_CARD_DETECT",
287 [51] = "SEND_SCR",
288 [52] = "SECU_spec", [53] = "SECU_spec",
289 [54] = "SECU_spec",
290 [56] = "SECU_spec", [57] = "SECU_spec",
291 [58] = "SECU_spec", [59] = "SECU_spec",
292 };
293 const SDProto *sdp = sd->proto;
294
295 if (sdp->acmd[cmd].handler) {
296 assert(!acmd_abbrev[cmd]);
297 return sdp->acmd[cmd].name;
298 }
299
300 return acmd_abbrev[cmd] ? acmd_abbrev[cmd] : "UNKNOWN_ACMD";
301 }
302
303 static uint8_t sd_get_dat_lines(SDState *sd)
304 {
305 return sd->enable ? sd->dat_lines : 0;
306 }
307
308 static bool sd_get_cmd_line(SDState *sd)
309 {
310 return sd->enable ? sd->cmd_line : false;
311 }
312
313 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
314 {
315 trace_sdcard_set_voltage(millivolts);
316
317 switch (millivolts) {
318 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
319 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
320 break;
321 default:
322 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
323 millivolts / 1000.f);
324 }
325 }
326
327 static void sd_set_mode(SDState *sd)
328 {
329 switch (sd->state) {
330 case sd_inactive_state:
331 sd->mode = sd_inactive;
332 break;
333
334 case sd_idle_state:
335 case sd_ready_state:
336 case sd_identification_state:
337 sd->mode = sd_card_identification_mode;
338 break;
339
340 case sd_standby_state:
341 case sd_transfer_state:
342 case sd_sendingdata_state:
343 case sd_receivingdata_state:
344 case sd_programming_state:
345 case sd_disconnect_state:
346 sd->mode = sd_data_transfer_mode;
347 break;
348 }
349 }
350
351 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
352 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
353 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
354 /* 16 */
355 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
356 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
357 /* 32 */
358 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
359 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
360 /* 48 */
361 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
362 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
363 };
364
365 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
366 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
367 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
368 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
369 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
370 };
371
372 static uint8_t sd_crc7(const void *message, size_t width)
373 {
374 int i, bit;
375 uint8_t shift_reg = 0x00;
376 const uint8_t *msg = (const uint8_t *)message;
377
378 for (i = 0; i < width; i ++, msg ++)
379 for (bit = 7; bit >= 0; bit --) {
380 shift_reg <<= 1;
381 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
382 shift_reg ^= 0x89;
383 }
384
385 return shift_reg;
386 }
387
388 /* Operation Conditions register */
389
390 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
391
392 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
393 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
394 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
395 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
396 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
397 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
398 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
399 FIELD(OCR, CARD_POWER_UP, 31, 1)
400
401 #define ACMD41_ENQUIRY_MASK 0x00ffffff
402 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
403 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
404 | R_OCR_UHS_II_CARD_MASK \
405 | R_OCR_CARD_CAPACITY_MASK \
406 | R_OCR_CARD_POWER_UP_MASK)
407
408 static void sd_ocr_powerup(void *opaque)
409 {
410 SDState *sd = opaque;
411
412 trace_sdcard_powerup();
413 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
414
415 /* card power-up OK */
416 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
417
418 if (sd->size > SDSC_MAX_CAPACITY) {
419 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
420 }
421 }
422
423 static void sd_set_ocr(SDState *sd)
424 {
425 /* All voltages OK */
426 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
427
428 if (sd_is_spi(sd)) {
429 /*
430 * We don't need to emulate power up sequence in SPI-mode.
431 * Thus, the card's power up status bit should be set to 1 when reset.
432 * The card's capacity status bit should also be set if SD card size
433 * is larger than 2GB for SDHC support.
434 */
435 sd_ocr_powerup(sd);
436 }
437 }
438
439 /* SD Configuration register */
440
441 static void sd_set_scr(SDState *sd)
442 {
443 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
444 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
445 sd->scr[0] |= 1; /* Spec Version 1.10 */
446 } else {
447 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
448 }
449 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
450 | 0b0101; /* 1-bit or 4-bit width bus modes */
451 sd->scr[2] = 0x00; /* Extended Security is not supported. */
452 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
453 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
454 }
455 sd->scr[3] = 0x00;
456 /* reserved for manufacturer usage */
457 sd->scr[4] = 0x00;
458 sd->scr[5] = 0x00;
459 sd->scr[6] = 0x00;
460 sd->scr[7] = 0x00;
461 }
462
463 /* Card IDentification register */
464
465 #define MID 0xaa
466 #define OID "XY"
467 #define PNM "QEMU!"
468 #define PRV 0x01
469 #define MDT_YR 2006
470 #define MDT_MON 2
471
472 static void sd_set_cid(SDState *sd)
473 {
474 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
475 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
476 sd->cid[2] = OID[1];
477 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
478 sd->cid[4] = PNM[1];
479 sd->cid[5] = PNM[2];
480 sd->cid[6] = PNM[3];
481 sd->cid[7] = PNM[4];
482 sd->cid[8] = PRV; /* Fake product revision (PRV) */
483 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
484 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
485 ((MDT_YR - 2000) / 10);
486 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
487 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
488 }
489
490 /* Card-Specific Data register */
491
492 #define HWBLOCK_SHIFT 9 /* 512 bytes */
493 #define SECTOR_SHIFT 5 /* 16 kilobytes */
494 #define WPGROUP_SHIFT 7 /* 2 megs */
495 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
496 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
497
498 static const uint8_t sd_csd_rw_mask[16] = {
499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
501 };
502
503 static void sd_set_csd(SDState *sd, uint64_t size)
504 {
505 int hwblock_shift = HWBLOCK_SHIFT;
506 uint32_t csize;
507 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
508 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
509
510 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
511 if (size == SDSC_MAX_CAPACITY) {
512 hwblock_shift += 1;
513 }
514 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
515
516 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
517 sd->csd[0] = 0x00; /* CSD structure */
518 sd->csd[1] = 0x26; /* Data read access-time-1 */
519 sd->csd[2] = 0x00; /* Data read access-time-2 */
520 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
521 sd->csd[4] = 0x5f; /* Card Command Classes */
522 sd->csd[5] = 0x50 | /* Max. read data block length */
523 hwblock_shift;
524 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
525 ((csize >> 10) & 0x03);
526 sd->csd[7] = 0x00 | /* Device size */
527 ((csize >> 2) & 0xff);
528 sd->csd[8] = 0x3f | /* Max. read current */
529 ((csize << 6) & 0xc0);
530 sd->csd[9] = 0xfc | /* Max. write current */
531 ((CMULT_SHIFT - 2) >> 1);
532 sd->csd[10] = 0x40 | /* Erase sector size */
533 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
534 sd->csd[11] = 0x00 | /* Write protect group size */
535 ((sectsize << 7) & 0x80) | wpsize;
536 sd->csd[12] = 0x90 | /* Write speed factor */
537 (hwblock_shift >> 2);
538 sd->csd[13] = 0x20 | /* Max. write data block length */
539 ((hwblock_shift << 6) & 0xc0);
540 sd->csd[14] = 0x00; /* File format group */
541 } else { /* SDHC */
542 size /= 512 * KiB;
543 size -= 1;
544 sd->csd[0] = 0x40;
545 sd->csd[1] = 0x0e;
546 sd->csd[2] = 0x00;
547 sd->csd[3] = 0x32;
548 sd->csd[4] = 0x5b;
549 sd->csd[5] = 0x59;
550 sd->csd[6] = 0x00;
551 st24_be_p(&sd->csd[7], size);
552 sd->csd[10] = 0x7f;
553 sd->csd[11] = 0x80;
554 sd->csd[12] = 0x0a;
555 sd->csd[13] = 0x40;
556 sd->csd[14] = 0x00;
557 }
558 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
559 }
560
561 /* Relative Card Address register */
562
563 static void sd_set_rca(SDState *sd)
564 {
565 sd->rca += 0x4567;
566 }
567
568 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
569 {
570 if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc) {
571 return req.arg >> 16;
572 }
573 return 0;
574 }
575
576 /* Card Status register */
577
578 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
579 FIELD(CSR, APP_CMD, 5, 1)
580 FIELD(CSR, FX_EVENT, 6, 1)
581 FIELD(CSR, READY_FOR_DATA, 8, 1)
582 FIELD(CSR, CURRENT_STATE, 9, 4)
583 FIELD(CSR, ERASE_RESET, 13, 1)
584 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
585 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
586 FIELD(CSR, CSD_OVERWRITE, 16, 1)
587 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
588 FIELD(CSR, ERROR, 19, 1)
589 FIELD(CSR, CC_ERROR, 20, 1)
590 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
591 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
592 FIELD(CSR, COM_CRC_ERROR, 23, 1)
593 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
594 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
595 FIELD(CSR, WP_VIOLATION, 26, 1)
596 FIELD(CSR, ERASE_PARAM, 27, 1)
597 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
598 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
599 FIELD(CSR, ADDRESS_ERROR, 30, 1)
600 FIELD(CSR, OUT_OF_RANGE, 31, 1)
601
602 /* Card status bits, split by clear condition:
603 * A : According to the card current state
604 * B : Always related to the previous command
605 * C : Cleared by read
606 */
607 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
608 | R_CSR_CARD_ECC_DISABLED_MASK \
609 | R_CSR_CARD_IS_LOCKED_MASK)
610 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
611 | R_CSR_ILLEGAL_COMMAND_MASK \
612 | R_CSR_COM_CRC_ERROR_MASK)
613 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
614 | R_CSR_APP_CMD_MASK \
615 | R_CSR_ERASE_RESET_MASK \
616 | R_CSR_WP_ERASE_SKIP_MASK \
617 | R_CSR_CSD_OVERWRITE_MASK \
618 | R_CSR_ERROR_MASK \
619 | R_CSR_CC_ERROR_MASK \
620 | R_CSR_CARD_ECC_FAILED_MASK \
621 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
622 | R_CSR_WP_VIOLATION_MASK \
623 | R_CSR_ERASE_PARAM_MASK \
624 | R_CSR_ERASE_SEQ_ERROR_MASK \
625 | R_CSR_BLOCK_LEN_ERROR_MASK \
626 | R_CSR_ADDRESS_ERROR_MASK \
627 | R_CSR_OUT_OF_RANGE_MASK)
628
629 static void sd_set_cardstatus(SDState *sd)
630 {
631 sd->card_status = READY_FOR_DATA;
632 }
633
634 static void sd_set_sdstatus(SDState *sd)
635 {
636 memset(sd->sd_status, 0, 64);
637 }
638
639 static const uint8_t sd_tuning_block_pattern4[64] = {
640 /*
641 * See: Physical Layer Simplified Specification Version 3.01,
642 * Table 4-2.
643 */
644 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
645 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
646 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
647 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
648 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
649 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
650 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
651 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde
652 };
653
654 static int sd_req_crc_validate(SDRequest *req)
655 {
656 uint8_t buffer[5];
657 buffer[0] = 0x40 | req->cmd;
658 stl_be_p(&buffer[1], req->arg);
659 return 0;
660 return sd_crc7(buffer, 5) != req->crc; /* TODO */
661 }
662
663 static void sd_response_r1_make(SDState *sd, uint8_t *response)
664 {
665 stl_be_p(response, sd->card_status);
666
667 /* Clear the "clear on read" status bits */
668 sd->card_status &= ~CARD_STATUS_C;
669 }
670
671 static void sd_response_r3_make(SDState *sd, uint8_t *response)
672 {
673 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
674 }
675
676 static void sd_response_r6_make(SDState *sd, uint8_t *response)
677 {
678 uint16_t status;
679
680 status = ((sd->card_status >> 8) & 0xc000) |
681 ((sd->card_status >> 6) & 0x2000) |
682 (sd->card_status & 0x1fff);
683 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
684 stw_be_p(response + 0, sd->rca);
685 stw_be_p(response + 2, status);
686 }
687
688 static void sd_response_r7_make(SDState *sd, uint8_t *response)
689 {
690 stl_be_p(response, sd->vhs);
691 }
692
693 static uint32_t sd_blk_len(SDState *sd)
694 {
695 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
696 return 1 << HWBLOCK_SHIFT;
697 }
698 return sd->blk_len;
699 }
700
701 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
702 {
703 uint64_t addr;
704
705 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
706 addr = (uint64_t) req.arg << HWBLOCK_SHIFT;
707 } else {
708 addr = req.arg;
709 }
710 trace_sdcard_req_addr(req.arg, addr);
711 return addr;
712 }
713
714 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
715 {
716 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
717 }
718
719 static void sd_reset(DeviceState *dev)
720 {
721 SDState *sd = SD_CARD(dev);
722 uint64_t size;
723 uint64_t sect;
724
725 trace_sdcard_reset();
726 if (sd->blk) {
727 blk_get_geometry(sd->blk, &sect);
728 } else {
729 sect = 0;
730 }
731 size = sect << HWBLOCK_SHIFT;
732
733 sect = sd_addr_to_wpnum(size) + 1;
734
735 sd->state = sd_idle_state;
736
737 /* card registers */
738 sd->rca = 0x0000;
739 sd->size = size;
740 sd_set_ocr(sd);
741 sd_set_scr(sd);
742 sd_set_cid(sd);
743 sd_set_csd(sd, size);
744 sd_set_cardstatus(sd);
745 sd_set_sdstatus(sd);
746
747 g_free(sd->wp_group_bmap);
748 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
749 sd->wp_group_bits = sect;
750 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
751 memset(sd->function_group, 0, sizeof(sd->function_group));
752 sd->erase_start = INVALID_ADDRESS;
753 sd->erase_end = INVALID_ADDRESS;
754 sd->blk_len = 0x200;
755 sd->pwd_len = 0;
756 sd->expecting_acmd = false;
757 sd->dat_lines = 0xf;
758 sd->cmd_line = true;
759 sd->multi_blk_cnt = 0;
760 }
761
762 static bool sd_get_inserted(SDState *sd)
763 {
764 return sd->blk && blk_is_inserted(sd->blk);
765 }
766
767 static bool sd_get_readonly(SDState *sd)
768 {
769 return sd->wp_switch;
770 }
771
772 static void sd_cardchange(void *opaque, bool load, Error **errp)
773 {
774 SDState *sd = opaque;
775 DeviceState *dev = DEVICE(sd);
776 SDBus *sdbus;
777 bool inserted = sd_get_inserted(sd);
778 bool readonly = sd_get_readonly(sd);
779
780 if (inserted) {
781 trace_sdcard_inserted(readonly);
782 sd_reset(dev);
783 } else {
784 trace_sdcard_ejected();
785 }
786
787 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
788 qemu_set_irq(sd->inserted_cb, inserted);
789 if (inserted) {
790 qemu_set_irq(sd->readonly_cb, readonly);
791 }
792 } else {
793 sdbus = SD_BUS(qdev_get_parent_bus(dev));
794 sdbus_set_inserted(sdbus, inserted);
795 if (inserted) {
796 sdbus_set_readonly(sdbus, readonly);
797 }
798 }
799 }
800
801 static const BlockDevOps sd_block_ops = {
802 .change_media_cb = sd_cardchange,
803 };
804
805 static bool sd_ocr_vmstate_needed(void *opaque)
806 {
807 SDState *sd = opaque;
808
809 /* Include the OCR state (and timer) if it is not yet powered up */
810 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
811 }
812
813 static const VMStateDescription sd_ocr_vmstate = {
814 .name = "sd-card/ocr-state",
815 .version_id = 1,
816 .minimum_version_id = 1,
817 .needed = sd_ocr_vmstate_needed,
818 .fields = (const VMStateField[]) {
819 VMSTATE_UINT32(ocr, SDState),
820 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
821 VMSTATE_END_OF_LIST()
822 },
823 };
824
825 static int sd_vmstate_pre_load(void *opaque)
826 {
827 SDState *sd = opaque;
828
829 /* If the OCR state is not included (prior versions, or not
830 * needed), then the OCR must be set as powered up. If the OCR state
831 * is included, this will be replaced by the state restore.
832 */
833 sd_ocr_powerup(sd);
834
835 return 0;
836 }
837
838 static const VMStateDescription sd_vmstate = {
839 .name = "sd-card",
840 .version_id = 2,
841 .minimum_version_id = 2,
842 .pre_load = sd_vmstate_pre_load,
843 .fields = (const VMStateField[]) {
844 VMSTATE_UINT32(mode, SDState),
845 VMSTATE_INT32(state, SDState),
846 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
847 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
848 VMSTATE_UINT16(rca, SDState),
849 VMSTATE_UINT32(card_status, SDState),
850 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
851 VMSTATE_UINT32(vhs, SDState),
852 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
853 VMSTATE_UINT32(blk_len, SDState),
854 VMSTATE_UINT32(multi_blk_cnt, SDState),
855 VMSTATE_UINT32(erase_start, SDState),
856 VMSTATE_UINT32(erase_end, SDState),
857 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
858 VMSTATE_UINT32(pwd_len, SDState),
859 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
860 VMSTATE_UINT8(current_cmd, SDState),
861 VMSTATE_BOOL(expecting_acmd, SDState),
862 VMSTATE_UINT32(blk_written, SDState),
863 VMSTATE_UINT64(data_start, SDState),
864 VMSTATE_UINT32(data_offset, SDState),
865 VMSTATE_UINT8_ARRAY(data, SDState, 512),
866 VMSTATE_UNUSED_V(1, 512),
867 VMSTATE_BOOL(enable, SDState),
868 VMSTATE_END_OF_LIST()
869 },
870 .subsections = (const VMStateDescription * const []) {
871 &sd_ocr_vmstate,
872 NULL
873 },
874 };
875
876 /* Legacy initialization function for use by non-qdevified callers */
877 SDState *sd_init(BlockBackend *blk, bool is_spi)
878 {
879 Object *obj;
880 DeviceState *dev;
881 SDState *sd;
882 Error *err = NULL;
883
884 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
885 dev = DEVICE(obj);
886 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
887 error_reportf_err(err, "sd_init failed: ");
888 return NULL;
889 }
890
891 /*
892 * Realizing the device properly would put it into the QOM
893 * composition tree even though it is not plugged into an
894 * appropriate bus. That's a no-no. Hide the device from
895 * QOM/qdev, and call its qdev realize callback directly.
896 */
897 object_ref(obj);
898 object_unparent(obj);
899 sd_realize(dev, &err);
900 if (err) {
901 error_reportf_err(err, "sd_init failed: ");
902 return NULL;
903 }
904
905 sd = SD_CARD(dev);
906 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
907 return sd;
908 }
909
910 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
911 {
912 sd->readonly_cb = readonly;
913 sd->inserted_cb = insert;
914 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
915 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
916 }
917
918 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
919 {
920 trace_sdcard_read_block(addr, len);
921 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
922 fprintf(stderr, "sd_blk_read: read error on host side\n");
923 }
924 }
925
926 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
927 {
928 trace_sdcard_write_block(addr, len);
929 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
930 fprintf(stderr, "sd_blk_write: write error on host side\n");
931 }
932 }
933
934 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
935 #define APP_WRITE_BLOCK(a, len)
936
937 static void sd_erase(SDState *sd)
938 {
939 uint64_t erase_start = sd->erase_start;
940 uint64_t erase_end = sd->erase_end;
941 bool sdsc = true;
942 uint64_t wpnum;
943 uint64_t erase_addr;
944 int erase_len = 1 << HWBLOCK_SHIFT;
945
946 trace_sdcard_erase(sd->erase_start, sd->erase_end);
947 if (sd->erase_start == INVALID_ADDRESS
948 || sd->erase_end == INVALID_ADDRESS) {
949 sd->card_status |= ERASE_SEQ_ERROR;
950 sd->erase_start = INVALID_ADDRESS;
951 sd->erase_end = INVALID_ADDRESS;
952 return;
953 }
954
955 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
956 /* High capacity memory card: erase units are 512 byte blocks */
957 erase_start <<= HWBLOCK_SHIFT;
958 erase_end <<= HWBLOCK_SHIFT;
959 sdsc = false;
960 }
961
962 if (erase_start > sd->size || erase_end > sd->size) {
963 sd->card_status |= OUT_OF_RANGE;
964 sd->erase_start = INVALID_ADDRESS;
965 sd->erase_end = INVALID_ADDRESS;
966 return;
967 }
968
969 sd->erase_start = INVALID_ADDRESS;
970 sd->erase_end = INVALID_ADDRESS;
971 sd->csd[14] |= 0x40;
972
973 memset(sd->data, 0xff, erase_len);
974 for (erase_addr = erase_start; erase_addr <= erase_end;
975 erase_addr += erase_len) {
976 if (sdsc) {
977 /* Only SDSC cards support write protect groups */
978 wpnum = sd_addr_to_wpnum(erase_addr);
979 assert(wpnum < sd->wp_group_bits);
980 if (test_bit(wpnum, sd->wp_group_bmap)) {
981 sd->card_status |= WP_ERASE_SKIP;
982 continue;
983 }
984 }
985 sd_blk_write(sd, erase_addr, erase_len);
986 }
987 }
988
989 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
990 {
991 uint32_t i, wpnum;
992 uint32_t ret = 0;
993
994 wpnum = sd_addr_to_wpnum(addr);
995
996 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
997 if (addr >= sd->size) {
998 /*
999 * If the addresses of the last groups are outside the valid range,
1000 * then the corresponding write protection bits shall be set to 0.
1001 */
1002 continue;
1003 }
1004 assert(wpnum < sd->wp_group_bits);
1005 if (test_bit(wpnum, sd->wp_group_bmap)) {
1006 ret |= (1 << i);
1007 }
1008 }
1009
1010 return ret;
1011 }
1012
1013 static void sd_function_switch(SDState *sd, uint32_t arg)
1014 {
1015 int i, mode, new_func;
1016 mode = !!(arg & 0x80000000);
1017
1018 sd->data[0] = 0x00; /* Maximum current consumption */
1019 sd->data[1] = 0x01;
1020 sd->data[2] = 0x80; /* Supported group 6 functions */
1021 sd->data[3] = 0x01;
1022 sd->data[4] = 0x80; /* Supported group 5 functions */
1023 sd->data[5] = 0x01;
1024 sd->data[6] = 0x80; /* Supported group 4 functions */
1025 sd->data[7] = 0x01;
1026 sd->data[8] = 0x80; /* Supported group 3 functions */
1027 sd->data[9] = 0x01;
1028 sd->data[10] = 0x80; /* Supported group 2 functions */
1029 sd->data[11] = 0x43;
1030 sd->data[12] = 0x80; /* Supported group 1 functions */
1031 sd->data[13] = 0x03;
1032
1033 memset(&sd->data[14], 0, 3);
1034 for (i = 0; i < 6; i ++) {
1035 new_func = (arg >> (i * 4)) & 0x0f;
1036 if (mode && new_func != 0x0f)
1037 sd->function_group[i] = new_func;
1038 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
1039 }
1040 memset(&sd->data[17], 0, 47);
1041 }
1042
1043 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
1044 {
1045 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1046 }
1047
1048 static void sd_lock_command(SDState *sd)
1049 {
1050 int erase, lock, clr_pwd, set_pwd, pwd_len;
1051 erase = !!(sd->data[0] & 0x08);
1052 lock = sd->data[0] & 0x04;
1053 clr_pwd = sd->data[0] & 0x02;
1054 set_pwd = sd->data[0] & 0x01;
1055
1056 if (sd->blk_len > 1)
1057 pwd_len = sd->data[1];
1058 else
1059 pwd_len = 0;
1060
1061 if (lock) {
1062 trace_sdcard_lock();
1063 } else {
1064 trace_sdcard_unlock();
1065 }
1066 if (erase) {
1067 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
1068 set_pwd || clr_pwd || lock || sd->wp_switch ||
1069 (sd->csd[14] & 0x20)) {
1070 sd->card_status |= LOCK_UNLOCK_FAILED;
1071 return;
1072 }
1073 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
1074 sd->csd[14] &= ~0x10;
1075 sd->card_status &= ~CARD_IS_LOCKED;
1076 sd->pwd_len = 0;
1077 /* Erasing the entire card here! */
1078 fprintf(stderr, "SD: Card force-erased by CMD42\n");
1079 return;
1080 }
1081
1082 if (sd->blk_len < 2 + pwd_len ||
1083 pwd_len <= sd->pwd_len ||
1084 pwd_len > sd->pwd_len + 16) {
1085 sd->card_status |= LOCK_UNLOCK_FAILED;
1086 return;
1087 }
1088
1089 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
1090 sd->card_status |= LOCK_UNLOCK_FAILED;
1091 return;
1092 }
1093
1094 pwd_len -= sd->pwd_len;
1095 if ((pwd_len && !set_pwd) ||
1096 (clr_pwd && (set_pwd || lock)) ||
1097 (lock && !sd->pwd_len && !set_pwd) ||
1098 (!set_pwd && !clr_pwd &&
1099 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1100 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1101 sd->card_status |= LOCK_UNLOCK_FAILED;
1102 return;
1103 }
1104
1105 if (set_pwd) {
1106 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1107 sd->pwd_len = pwd_len;
1108 }
1109
1110 if (clr_pwd) {
1111 sd->pwd_len = 0;
1112 }
1113
1114 if (lock)
1115 sd->card_status |= CARD_IS_LOCKED;
1116 else
1117 sd->card_status &= ~CARD_IS_LOCKED;
1118 }
1119
1120 static bool address_in_range(SDState *sd, const char *desc,
1121 uint64_t addr, uint32_t length)
1122 {
1123 if (addr + length > sd->size) {
1124 qemu_log_mask(LOG_GUEST_ERROR,
1125 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1126 desc, addr, sd->size, length);
1127 sd->card_status |= ADDRESS_ERROR;
1128 return false;
1129 }
1130 return true;
1131 }
1132
1133 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1134 {
1135 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1136 sd->proto->name, req.cmd, sd_state_name(sd->state),
1137 sd_version_str(sd->spec_version));
1138
1139 return sd_illegal;
1140 }
1141
1142 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
1143 {
1144 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
1145 sd->proto->name, req.cmd, sd_mode_name(sd->mode),
1146 sd_version_str(sd->spec_version));
1147
1148 return sd_illegal;
1149 }
1150
1151 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1152 {
1153 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1154 sd->proto->name, req.cmd,
1155 sd_version_str(sd->spec_version));
1156
1157 return sd_illegal;
1158 }
1159
1160 /* Commands that are recognised but not yet implemented. */
1161 __attribute__((unused))
1162 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1163 {
1164 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1165 sd->proto->name, req.cmd);
1166
1167 return sd_illegal;
1168 }
1169
1170 /* Configure fields for following sd_generic_write_byte() calls */
1171 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req,
1172 uint64_t start, size_t size)
1173 {
1174 if (sd->state != sd_transfer_state) {
1175 return sd_invalid_state_for_cmd(sd, req);
1176 }
1177 sd->state = sd_receivingdata_state;
1178 sd->data_start = start;
1179 sd->data_offset = 0;
1180 /* sd->data[] used as receive buffer */
1181 sd->data_size = size ?: sizeof(sd->data);
1182 return sd_r1;
1183 }
1184
1185 /* Configure fields for following sd_generic_read_byte() calls */
1186 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req,
1187 uint64_t start,
1188 const void *data, size_t size)
1189 {
1190 if (sd->state != sd_transfer_state) {
1191 sd_invalid_state_for_cmd(sd, req);
1192 }
1193
1194 sd->state = sd_sendingdata_state;
1195 sd->data_start = start;
1196 sd->data_offset = 0;
1197 if (data) {
1198 assert(size > 0 && size <= sizeof(sd->data));
1199 memcpy(sd->data, data, size);
1200 }
1201 if (size) {
1202 sd->data_size = size;
1203 }
1204 return sd_r1;
1205 }
1206
1207 /* CMD0 */
1208 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1209 {
1210 sd->state = sd_idle_state;
1211 sd_reset(DEVICE(sd));
1212
1213 return sd_is_spi(sd) ? sd_r1 : sd_r0;
1214 }
1215
1216 /* CMD1 */
1217 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1218 {
1219 sd->state = sd_transfer_state;
1220
1221 return sd_r1;
1222 }
1223
1224 /* CMD2 */
1225 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1226 {
1227 switch (sd->state) {
1228 case sd_ready_state:
1229 sd->state = sd_identification_state;
1230 return sd_r2_i;
1231 default:
1232 return sd_invalid_state_for_cmd(sd, req);
1233 }
1234 }
1235
1236 /* CMD3 */
1237 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1238 {
1239 switch (sd->state) {
1240 case sd_identification_state:
1241 case sd_standby_state:
1242 sd->state = sd_standby_state;
1243 sd_set_rca(sd);
1244 return sd_r6;
1245
1246 default:
1247 return sd_invalid_state_for_cmd(sd, req);
1248 }
1249 }
1250
1251 /* CMD19 */
1252 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1253 {
1254 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1255 return sd_cmd_illegal(sd, req);
1256 }
1257
1258 return sd_cmd_to_sendingdata(sd, req, 0,
1259 sd_tuning_block_pattern4,
1260 sizeof(sd_tuning_block_pattern4));
1261 }
1262
1263 /* CMD23 */
1264 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1265 {
1266 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1267 return sd_cmd_illegal(sd, req);
1268 }
1269
1270 if (sd->state != sd_transfer_state) {
1271 return sd_invalid_state_for_cmd(sd, req);
1272 }
1273
1274 sd->multi_blk_cnt = req.arg;
1275 trace_sdcard_set_block_count(sd->multi_blk_cnt);
1276
1277 return sd_r1;
1278 }
1279
1280 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
1281 {
1282 uint16_t rca;
1283 uint64_t addr;
1284 uint32_t data;
1285
1286 sd->last_cmd_name = sd_cmd_name(sd, req.cmd);
1287 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
1288 * However there is no ACMD55, so we want to trace this particular case.
1289 */
1290 if (req.cmd != 55 || sd->expecting_acmd) {
1291 trace_sdcard_normal_command(sd->proto->name,
1292 sd->last_cmd_name, req.cmd,
1293 req.arg, sd_state_name(sd->state));
1294 }
1295
1296 /* Not interpreting this as an app command */
1297 sd->card_status &= ~APP_CMD;
1298
1299 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
1300 * if not, its effects are cancelled */
1301 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
1302 sd->multi_blk_cnt = 0;
1303 }
1304
1305 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1306 /* Only Standard Capacity cards support class 6 commands */
1307 return sd_illegal;
1308 }
1309
1310 if (sd->proto->cmd[req.cmd].handler) {
1311 return sd->proto->cmd[req.cmd].handler(sd, req);
1312 }
1313
1314 switch (req.cmd) {
1315 /* Basic commands (Class 0 and Class 1) */
1316 case 4: /* CMD4: SEND_DSR */
1317 switch (sd->state) {
1318 case sd_standby_state:
1319 break;
1320
1321 default:
1322 break;
1323 }
1324 break;
1325
1326 case 6: /* CMD6: SWITCH_FUNCTION */
1327 if (sd->mode != sd_data_transfer_mode) {
1328 return sd_invalid_mode_for_cmd(sd, req);
1329 }
1330 if (sd->state != sd_transfer_state) {
1331 return sd_invalid_state_for_cmd(sd, req);
1332 }
1333
1334 sd_function_switch(sd, req.arg);
1335 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64);
1336
1337 case 7: /* CMD7: SELECT/DESELECT_CARD */
1338 rca = sd_req_get_rca(sd, req);
1339 switch (sd->state) {
1340 case sd_standby_state:
1341 if (sd->rca != rca)
1342 return sd_r0;
1343
1344 sd->state = sd_transfer_state;
1345 return sd_r1b;
1346
1347 case sd_transfer_state:
1348 case sd_sendingdata_state:
1349 if (sd->rca == rca)
1350 break;
1351
1352 sd->state = sd_standby_state;
1353 return sd_r1b;
1354
1355 case sd_disconnect_state:
1356 if (sd->rca != rca)
1357 return sd_r0;
1358
1359 sd->state = sd_programming_state;
1360 return sd_r1b;
1361
1362 case sd_programming_state:
1363 if (sd->rca == rca)
1364 break;
1365
1366 sd->state = sd_disconnect_state;
1367 return sd_r1b;
1368
1369 default:
1370 break;
1371 }
1372 break;
1373
1374 case 8: /* CMD8: SEND_IF_COND */
1375 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1376 break;
1377 }
1378 if (sd->state != sd_idle_state) {
1379 break;
1380 }
1381 sd->vhs = 0;
1382
1383 /* No response if not exactly one VHS bit is set. */
1384 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1385 return sd_is_spi(sd) ? sd_r7 : sd_r0;
1386 }
1387
1388 /* Accept. */
1389 sd->vhs = req.arg;
1390 return sd_r7;
1391
1392 case 9: /* CMD9: SEND_CSD */
1393 rca = sd_req_get_rca(sd, req);
1394 switch (sd->state) {
1395 case sd_standby_state:
1396 if (sd->rca != rca)
1397 return sd_r0;
1398
1399 return sd_r2_s;
1400
1401 case sd_transfer_state:
1402 if (!sd_is_spi(sd)) {
1403 break;
1404 }
1405 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1406 sd->csd, 16);
1407
1408 default:
1409 break;
1410 }
1411 break;
1412
1413 case 10: /* CMD10: SEND_CID */
1414 rca = sd_req_get_rca(sd, req);
1415 switch (sd->state) {
1416 case sd_standby_state:
1417 if (sd->rca != rca)
1418 return sd_r0;
1419
1420 return sd_r2_i;
1421
1422 case sd_transfer_state:
1423 if (!sd_is_spi(sd)) {
1424 break;
1425 }
1426 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1427 sd->cid, 16);
1428
1429 default:
1430 break;
1431 }
1432 break;
1433
1434 case 12: /* CMD12: STOP_TRANSMISSION */
1435 switch (sd->state) {
1436 case sd_sendingdata_state:
1437 sd->state = sd_transfer_state;
1438 return sd_r1b;
1439
1440 case sd_receivingdata_state:
1441 sd->state = sd_programming_state;
1442 /* Bzzzzzzztt .... Operation complete. */
1443 sd->state = sd_transfer_state;
1444 return sd_r1b;
1445
1446 default:
1447 break;
1448 }
1449 break;
1450
1451 case 13: /* CMD13: SEND_STATUS */
1452 rca = sd_req_get_rca(sd, req);
1453 if (sd->mode != sd_data_transfer_mode) {
1454 return sd_invalid_mode_for_cmd(sd, req);
1455 }
1456 if (!sd_is_spi(sd) && sd->rca != rca) {
1457 return sd_r0;
1458 }
1459
1460 return sd_r1;
1461
1462 case 15: /* CMD15: GO_INACTIVE_STATE */
1463 if (sd->mode != sd_data_transfer_mode) {
1464 return sd_invalid_mode_for_cmd(sd, req);
1465 }
1466 rca = sd_req_get_rca(sd, req);
1467 if (sd->rca == rca) {
1468 sd->state = sd_inactive_state;
1469 }
1470 return sd_r0;
1471
1472 /* Block read commands (Class 2) */
1473 case 16: /* CMD16: SET_BLOCKLEN */
1474 switch (sd->state) {
1475 case sd_transfer_state:
1476 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1477 sd->card_status |= BLOCK_LEN_ERROR;
1478 } else {
1479 trace_sdcard_set_blocklen(req.arg);
1480 sd->blk_len = req.arg;
1481 }
1482
1483 return sd_r1;
1484
1485 default:
1486 break;
1487 }
1488 break;
1489
1490 case 17: /* CMD17: READ_SINGLE_BLOCK */
1491 addr = sd_req_get_address(sd, req);
1492 switch (sd->state) {
1493 case sd_transfer_state:
1494
1495 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) {
1496 return sd_r1;
1497 }
1498 sd_blk_read(sd, addr, sd->blk_len);
1499 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len);
1500
1501 default:
1502 break;
1503 }
1504 break;
1505
1506 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1507 addr = sd_req_get_address(sd, req);
1508 switch (sd->state) {
1509 case sd_transfer_state:
1510
1511 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1512 return sd_r1;
1513 }
1514
1515 sd->state = sd_sendingdata_state;
1516 sd->data_start = addr;
1517 sd->data_offset = 0;
1518 return sd_r1;
1519
1520 default:
1521 break;
1522 }
1523 break;
1524
1525 /* Block write commands (Class 4) */
1526 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1527 addr = sd_req_get_address(sd, req);
1528 switch (sd->state) {
1529 case sd_transfer_state:
1530
1531 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr,
1532 sd->blk_len)) {
1533 return sd_r1;
1534 }
1535
1536 if (sd->size <= SDSC_MAX_CAPACITY) {
1537 if (sd_wp_addr(sd, sd->data_start)) {
1538 sd->card_status |= WP_VIOLATION;
1539 }
1540 }
1541 if (sd->csd[14] & 0x30) {
1542 sd->card_status |= WP_VIOLATION;
1543 }
1544 sd->blk_written = 0;
1545 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len);
1546
1547 default:
1548 break;
1549 }
1550 break;
1551
1552 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1553 addr = sd_req_get_address(sd, req);
1554 switch (sd->state) {
1555 case sd_transfer_state:
1556
1557 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1558 return sd_r1;
1559 }
1560
1561 sd->state = sd_receivingdata_state;
1562 sd->data_start = addr;
1563 sd->data_offset = 0;
1564 sd->blk_written = 0;
1565
1566 if (sd->size <= SDSC_MAX_CAPACITY) {
1567 if (sd_wp_addr(sd, sd->data_start)) {
1568 sd->card_status |= WP_VIOLATION;
1569 }
1570 }
1571 if (sd->csd[14] & 0x30) {
1572 sd->card_status |= WP_VIOLATION;
1573 }
1574 return sd_r1;
1575
1576 default:
1577 break;
1578 }
1579 break;
1580
1581 case 26: /* CMD26: PROGRAM_CID */
1582 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid));
1583
1584 case 27: /* CMD27: PROGRAM_CSD */
1585 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd));
1586
1587 /* Write protection (Class 6) */
1588 case 28: /* CMD28: SET_WRITE_PROT */
1589 if (sd->size > SDSC_MAX_CAPACITY) {
1590 return sd_illegal;
1591 }
1592 addr = sd_req_get_address(sd, req);
1593 switch (sd->state) {
1594 case sd_transfer_state:
1595 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1596 return sd_r1b;
1597 }
1598
1599 sd->state = sd_programming_state;
1600 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1601 /* Bzzzzzzztt .... Operation complete. */
1602 sd->state = sd_transfer_state;
1603 return sd_r1b;
1604
1605 default:
1606 break;
1607 }
1608 break;
1609
1610 case 29: /* CMD29: CLR_WRITE_PROT */
1611 if (sd->size > SDSC_MAX_CAPACITY) {
1612 return sd_illegal;
1613 }
1614 addr = sd_req_get_address(sd, req);
1615 switch (sd->state) {
1616 case sd_transfer_state:
1617 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1618 return sd_r1b;
1619 }
1620
1621 sd->state = sd_programming_state;
1622 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1623 /* Bzzzzzzztt .... Operation complete. */
1624 sd->state = sd_transfer_state;
1625 return sd_r1b;
1626
1627 default:
1628 break;
1629 }
1630 break;
1631
1632 case 30: /* CMD30: SEND_WRITE_PROT */
1633 if (sd->size > SDSC_MAX_CAPACITY) {
1634 return sd_illegal;
1635 }
1636 addr = sd_req_get_address(sd, req);
1637 switch (sd->state) {
1638 case sd_transfer_state:
1639 if (!address_in_range(sd, "SEND_WRITE_PROT",
1640 req.arg, sd->blk_len)) {
1641 return sd_r1;
1642 }
1643 data = sd_wpbits(sd, req.arg);
1644 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data));
1645
1646 default:
1647 break;
1648 }
1649 break;
1650
1651 /* Erase commands (Class 5) */
1652 case 32: /* CMD32: ERASE_WR_BLK_START */
1653 switch (sd->state) {
1654 case sd_transfer_state:
1655 sd->erase_start = req.arg;
1656 return sd_r1;
1657
1658 default:
1659 break;
1660 }
1661 break;
1662
1663 case 33: /* CMD33: ERASE_WR_BLK_END */
1664 switch (sd->state) {
1665 case sd_transfer_state:
1666 sd->erase_end = req.arg;
1667 return sd_r1;
1668
1669 default:
1670 break;
1671 }
1672 break;
1673
1674 case 38: /* CMD38: ERASE */
1675 switch (sd->state) {
1676 case sd_transfer_state:
1677 if (sd->csd[14] & 0x30) {
1678 sd->card_status |= WP_VIOLATION;
1679 return sd_r1b;
1680 }
1681
1682 sd->state = sd_programming_state;
1683 sd_erase(sd);
1684 /* Bzzzzzzztt .... Operation complete. */
1685 sd->state = sd_transfer_state;
1686 return sd_r1b;
1687
1688 default:
1689 break;
1690 }
1691 break;
1692
1693 /* Lock card commands (Class 7) */
1694 case 42: /* CMD42: LOCK_UNLOCK */
1695 return sd_cmd_to_receivingdata(sd, req, 0, 0);
1696
1697 /* Application specific commands (Class 8) */
1698 case 55: /* CMD55: APP_CMD */
1699 rca = sd_req_get_rca(sd, req);
1700 switch (sd->state) {
1701 case sd_ready_state:
1702 case sd_identification_state:
1703 return sd_illegal;
1704 case sd_idle_state:
1705 if (rca) {
1706 qemu_log_mask(LOG_GUEST_ERROR,
1707 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1708 }
1709 default:
1710 break;
1711 }
1712 if (!sd_is_spi(sd)) {
1713 if (sd->rca != rca) {
1714 return sd_r0;
1715 }
1716 }
1717 sd->expecting_acmd = true;
1718 sd->card_status |= APP_CMD;
1719 return sd_r1;
1720
1721 case 56: /* CMD56: GEN_CMD */
1722 switch (sd->state) {
1723 case sd_transfer_state:
1724 sd->data_offset = 0;
1725 if (req.arg & 1)
1726 sd->state = sd_sendingdata_state;
1727 else
1728 sd->state = sd_receivingdata_state;
1729 return sd_r1;
1730
1731 default:
1732 break;
1733 }
1734 break;
1735
1736 case 58: /* CMD58: READ_OCR (SPI) */
1737 return sd_r3;
1738
1739 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1740 return sd_r1;
1741
1742 default:
1743 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1744 return sd_illegal;
1745 }
1746
1747 return sd_invalid_state_for_cmd(sd, req);
1748 }
1749
1750 static sd_rsp_type_t sd_app_command(SDState *sd,
1751 SDRequest req)
1752 {
1753 sd->last_cmd_name = sd_acmd_name(sd, req.cmd);
1754 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name,
1755 req.cmd, req.arg, sd_state_name(sd->state));
1756 sd->card_status |= APP_CMD;
1757
1758 if (sd->proto->acmd[req.cmd].handler) {
1759 return sd->proto->acmd[req.cmd].handler(sd, req);
1760 }
1761
1762 switch (req.cmd) {
1763 case 6: /* ACMD6: SET_BUS_WIDTH */
1764 switch (sd->state) {
1765 case sd_transfer_state:
1766 sd->sd_status[0] &= 0x3f;
1767 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1768 return sd_r1;
1769
1770 default:
1771 break;
1772 }
1773 break;
1774
1775 case 13: /* ACMD13: SD_STATUS */
1776 switch (sd->state) {
1777 case sd_transfer_state:
1778 return sd_cmd_to_sendingdata(sd, req, 0,
1779 sd->sd_status,
1780 sizeof(sd->sd_status));
1781
1782 default:
1783 break;
1784 }
1785 break;
1786
1787 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1788 switch (sd->state) {
1789 case sd_transfer_state:
1790 return sd_cmd_to_sendingdata(sd, req, 0,
1791 &sd->blk_written,
1792 sizeof(sd->blk_written));
1793
1794 default:
1795 break;
1796 }
1797 break;
1798
1799 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1800 switch (sd->state) {
1801 case sd_transfer_state:
1802 return sd_r1;
1803
1804 default:
1805 break;
1806 }
1807 break;
1808
1809 case 41: /* ACMD41: SD_APP_OP_COND */
1810 if (sd->state != sd_idle_state) {
1811 break;
1812 }
1813 /* If it's the first ACMD41 since reset, we need to decide
1814 * whether to power up. If this is not an enquiry ACMD41,
1815 * we immediately report power on and proceed below to the
1816 * ready state, but if it is, we set a timer to model a
1817 * delay for power up. This works around a bug in EDK2
1818 * UEFI, which sends an initial enquiry ACMD41, but
1819 * assumes that the card is in ready state as soon as it
1820 * sees the power up bit set. */
1821 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1822 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1823 timer_del(sd->ocr_power_timer);
1824 sd_ocr_powerup(sd);
1825 } else {
1826 trace_sdcard_inquiry_cmd41();
1827 if (!timer_pending(sd->ocr_power_timer)) {
1828 timer_mod_ns(sd->ocr_power_timer,
1829 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1830 + OCR_POWER_DELAY_NS));
1831 }
1832 }
1833 }
1834
1835 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1836 /* We accept any voltage. 10000 V is nothing.
1837 *
1838 * Once we're powered up, we advance straight to ready state
1839 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1840 */
1841 sd->state = sd_ready_state;
1842 }
1843
1844 return sd_r3;
1845
1846 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1847 switch (sd->state) {
1848 case sd_transfer_state:
1849 /* Bringing in the 50KOhm pull-up resistor... Done. */
1850 return sd_r1;
1851
1852 default:
1853 break;
1854 }
1855 break;
1856
1857 case 51: /* ACMD51: SEND_SCR */
1858 switch (sd->state) {
1859 case sd_transfer_state:
1860 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr));
1861
1862 default:
1863 break;
1864 }
1865 break;
1866
1867 case 18: /* Reserved for SD security applications */
1868 case 25:
1869 case 26:
1870 case 38:
1871 case 43 ... 49:
1872 /* Refer to the "SD Specifications Part3 Security Specification" for
1873 * information about the SD Security Features.
1874 */
1875 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1876 req.cmd);
1877 return sd_illegal;
1878
1879 default:
1880 /* Fall back to standard commands. */
1881 return sd_normal_command(sd, req);
1882 }
1883
1884 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1885 return sd_illegal;
1886 }
1887
1888 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
1889 {
1890 /* Valid commands in locked state:
1891 * basic class (0)
1892 * lock card class (7)
1893 * CMD16
1894 * implicitly, the ACMD prefix CMD55
1895 * ACMD41 and ACMD42
1896 * Anything else provokes an "illegal command" response.
1897 */
1898 if (sd->expecting_acmd) {
1899 return cmd == 41 || cmd == 42;
1900 }
1901 if (cmd == 16 || cmd == 55) {
1902 return true;
1903 }
1904 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1905 }
1906
1907 int sd_do_command(SDState *sd, SDRequest *req,
1908 uint8_t *response) {
1909 int last_state;
1910 sd_rsp_type_t rtype;
1911 int rsplen;
1912
1913 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1914 return 0;
1915 }
1916
1917 if (sd->state == sd_inactive_state) {
1918 rtype = sd_illegal;
1919 goto send_response;
1920 }
1921
1922 if (sd_req_crc_validate(req)) {
1923 sd->card_status |= COM_CRC_ERROR;
1924 rtype = sd_illegal;
1925 goto send_response;
1926 }
1927
1928 if (req->cmd >= SDMMC_CMD_MAX) {
1929 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1930 req->cmd);
1931 req->cmd &= 0x3f;
1932 }
1933
1934 if (sd->card_status & CARD_IS_LOCKED) {
1935 if (!cmd_valid_while_locked(sd, req->cmd)) {
1936 sd->card_status |= ILLEGAL_COMMAND;
1937 sd->expecting_acmd = false;
1938 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1939 rtype = sd_illegal;
1940 goto send_response;
1941 }
1942 }
1943
1944 last_state = sd->state;
1945 sd_set_mode(sd);
1946
1947 if (sd->expecting_acmd) {
1948 sd->expecting_acmd = false;
1949 rtype = sd_app_command(sd, *req);
1950 } else {
1951 rtype = sd_normal_command(sd, *req);
1952 }
1953
1954 if (rtype == sd_illegal) {
1955 sd->card_status |= ILLEGAL_COMMAND;
1956 } else {
1957 /* Valid command, we can update the 'state before command' bits.
1958 * (Do this now so they appear in r1 responses.)
1959 */
1960 sd->current_cmd = req->cmd;
1961 sd->card_status = FIELD_DP32(sd->card_status, CSR,
1962 CURRENT_STATE, last_state);
1963 }
1964
1965 send_response:
1966 switch (rtype) {
1967 case sd_r1:
1968 case sd_r1b:
1969 sd_response_r1_make(sd, response);
1970 rsplen = 4;
1971 break;
1972
1973 case sd_r2_i:
1974 memcpy(response, sd->cid, sizeof(sd->cid));
1975 rsplen = 16;
1976 break;
1977
1978 case sd_r2_s:
1979 memcpy(response, sd->csd, sizeof(sd->csd));
1980 rsplen = 16;
1981 break;
1982
1983 case sd_r3:
1984 sd_response_r3_make(sd, response);
1985 rsplen = 4;
1986 break;
1987
1988 case sd_r6:
1989 sd_response_r6_make(sd, response);
1990 rsplen = 4;
1991 break;
1992
1993 case sd_r7:
1994 sd_response_r7_make(sd, response);
1995 rsplen = 4;
1996 break;
1997
1998 case sd_r0:
1999 /*
2000 * Invalid state transition, reset implementation
2001 * fields to avoid OOB abuse.
2002 */
2003 sd->data_start = 0;
2004 sd->data_offset = 0;
2005 /* fall-through */
2006 case sd_illegal:
2007 rsplen = 0;
2008 break;
2009 default:
2010 g_assert_not_reached();
2011 }
2012 trace_sdcard_response(sd_response_name(rtype), rsplen);
2013
2014 if (rtype != sd_illegal) {
2015 /* Clear the "clear on valid command" status bits now we've
2016 * sent any response
2017 */
2018 sd->card_status &= ~CARD_STATUS_B;
2019 }
2020
2021 #ifdef DEBUG_SD
2022 qemu_hexdump(stderr, "Response", response, rsplen);
2023 #endif
2024
2025 return rsplen;
2026 }
2027
2028 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */
2029 static bool sd_generic_write_byte(SDState *sd, uint8_t value)
2030 {
2031 sd->data[sd->data_offset] = value;
2032
2033 if (++sd->data_offset >= sd->data_size) {
2034 sd->state = sd_transfer_state;
2035 return true;
2036 }
2037 return false;
2038 }
2039
2040 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */
2041 static bool sd_generic_read_byte(SDState *sd, uint8_t *value)
2042 {
2043 *value = sd->data[sd->data_offset];
2044
2045 if (++sd->data_offset >= sd->data_size) {
2046 sd->state = sd_transfer_state;
2047 return true;
2048 }
2049
2050 return false;
2051 }
2052
2053 void sd_write_byte(SDState *sd, uint8_t value)
2054 {
2055 int i;
2056
2057 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2058 return;
2059
2060 if (sd->state != sd_receivingdata_state) {
2061 qemu_log_mask(LOG_GUEST_ERROR,
2062 "%s: not in Receiving-Data state\n", __func__);
2063 return;
2064 }
2065
2066 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2067 return;
2068
2069 trace_sdcard_write_data(sd->proto->name,
2070 sd->last_cmd_name,
2071 sd->current_cmd, sd->data_offset, value);
2072 switch (sd->current_cmd) {
2073 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
2074 if (sd_generic_write_byte(sd, value)) {
2075 /* TODO: Check CRC before committing */
2076 sd->state = sd_programming_state;
2077 sd_blk_write(sd, sd->data_start, sd->data_offset);
2078 sd->blk_written ++;
2079 sd->csd[14] |= 0x40;
2080 /* Bzzzzzzztt .... Operation complete. */
2081 sd->state = sd_transfer_state;
2082 }
2083 break;
2084
2085 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
2086 if (sd->data_offset == 0) {
2087 /* Start of the block - let's check the address is valid */
2088 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
2089 sd->data_start, sd->blk_len)) {
2090 break;
2091 }
2092 if (sd->size <= SDSC_MAX_CAPACITY) {
2093 if (sd_wp_addr(sd, sd->data_start)) {
2094 sd->card_status |= WP_VIOLATION;
2095 break;
2096 }
2097 }
2098 }
2099 sd->data[sd->data_offset++] = value;
2100 if (sd->data_offset >= sd->blk_len) {
2101 /* TODO: Check CRC before committing */
2102 sd->state = sd_programming_state;
2103 sd_blk_write(sd, sd->data_start, sd->data_offset);
2104 sd->blk_written++;
2105 sd->data_start += sd->blk_len;
2106 sd->data_offset = 0;
2107 sd->csd[14] |= 0x40;
2108
2109 /* Bzzzzzzztt .... Operation complete. */
2110 if (sd->multi_blk_cnt != 0) {
2111 if (--sd->multi_blk_cnt == 0) {
2112 /* Stop! */
2113 sd->state = sd_transfer_state;
2114 break;
2115 }
2116 }
2117
2118 sd->state = sd_receivingdata_state;
2119 }
2120 break;
2121
2122 case 26: /* CMD26: PROGRAM_CID */
2123 if (sd_generic_write_byte(sd, value)) {
2124 /* TODO: Check CRC before committing */
2125 sd->state = sd_programming_state;
2126 for (i = 0; i < sizeof(sd->cid); i ++)
2127 if ((sd->cid[i] | 0x00) != sd->data[i])
2128 sd->card_status |= CID_CSD_OVERWRITE;
2129
2130 if (!(sd->card_status & CID_CSD_OVERWRITE))
2131 for (i = 0; i < sizeof(sd->cid); i ++) {
2132 sd->cid[i] |= 0x00;
2133 sd->cid[i] &= sd->data[i];
2134 }
2135 /* Bzzzzzzztt .... Operation complete. */
2136 sd->state = sd_transfer_state;
2137 }
2138 break;
2139
2140 case 27: /* CMD27: PROGRAM_CSD */
2141 if (sd_generic_write_byte(sd, value)) {
2142 /* TODO: Check CRC before committing */
2143 sd->state = sd_programming_state;
2144 for (i = 0; i < sizeof(sd->csd); i ++)
2145 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
2146 (sd->data[i] | sd_csd_rw_mask[i]))
2147 sd->card_status |= CID_CSD_OVERWRITE;
2148
2149 /* Copy flag (OTP) & Permanent write protect */
2150 if (sd->csd[14] & ~sd->data[14] & 0x60)
2151 sd->card_status |= CID_CSD_OVERWRITE;
2152
2153 if (!(sd->card_status & CID_CSD_OVERWRITE))
2154 for (i = 0; i < sizeof(sd->csd); i ++) {
2155 sd->csd[i] |= sd_csd_rw_mask[i];
2156 sd->csd[i] &= sd->data[i];
2157 }
2158 /* Bzzzzzzztt .... Operation complete. */
2159 sd->state = sd_transfer_state;
2160 }
2161 break;
2162
2163 case 42: /* CMD42: LOCK_UNLOCK */
2164 if (sd_generic_write_byte(sd, value)) {
2165 /* TODO: Check CRC before committing */
2166 sd->state = sd_programming_state;
2167 sd_lock_command(sd);
2168 /* Bzzzzzzztt .... Operation complete. */
2169 sd->state = sd_transfer_state;
2170 }
2171 break;
2172
2173 case 56: /* CMD56: GEN_CMD */
2174 sd->data[sd->data_offset ++] = value;
2175 if (sd->data_offset >= sd->blk_len) {
2176 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
2177 sd->state = sd_transfer_state;
2178 }
2179 break;
2180
2181 default:
2182 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2183 break;
2184 }
2185 }
2186
2187 uint8_t sd_read_byte(SDState *sd)
2188 {
2189 /* TODO: Append CRCs */
2190 uint8_t ret;
2191 uint32_t io_len;
2192
2193 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2194 return 0x00;
2195
2196 if (sd->state != sd_sendingdata_state) {
2197 qemu_log_mask(LOG_GUEST_ERROR,
2198 "%s: not in Sending-Data state\n", __func__);
2199 return 0x00;
2200 }
2201
2202 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2203 return 0x00;
2204
2205 io_len = sd_blk_len(sd);
2206
2207 trace_sdcard_read_data(sd->proto->name,
2208 sd->last_cmd_name,
2209 sd->current_cmd, sd->data_offset, io_len);
2210 switch (sd->current_cmd) {
2211 case 6: /* CMD6: SWITCH_FUNCTION */
2212 case 9: /* CMD9: SEND_CSD */
2213 case 10: /* CMD10: SEND_CID */
2214 case 13: /* ACMD13: SD_STATUS */
2215 case 17: /* CMD17: READ_SINGLE_BLOCK */
2216 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2217 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2218 case 30: /* CMD30: SEND_WRITE_PROT */
2219 case 51: /* ACMD51: SEND_SCR */
2220 sd_generic_read_byte(sd, &ret);
2221 break;
2222
2223 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2224 if (sd->data_offset == 0) {
2225 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2226 sd->data_start, io_len)) {
2227 return 0x00;
2228 }
2229 sd_blk_read(sd, sd->data_start, io_len);
2230 }
2231 ret = sd->data[sd->data_offset ++];
2232
2233 if (sd->data_offset >= io_len) {
2234 sd->data_start += io_len;
2235 sd->data_offset = 0;
2236
2237 if (sd->multi_blk_cnt != 0) {
2238 if (--sd->multi_blk_cnt == 0) {
2239 /* Stop! */
2240 sd->state = sd_transfer_state;
2241 break;
2242 }
2243 }
2244 }
2245 break;
2246
2247 case 56: /* CMD56: GEN_CMD */
2248 if (sd->data_offset == 0)
2249 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2250 ret = sd->data[sd->data_offset ++];
2251
2252 if (sd->data_offset >= sd->blk_len)
2253 sd->state = sd_transfer_state;
2254 break;
2255
2256 default:
2257 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2258 return 0x00;
2259 }
2260
2261 return ret;
2262 }
2263
2264 static bool sd_receive_ready(SDState *sd)
2265 {
2266 return sd->state == sd_receivingdata_state;
2267 }
2268
2269 static bool sd_data_ready(SDState *sd)
2270 {
2271 return sd->state == sd_sendingdata_state;
2272 }
2273
2274 void sd_enable(SDState *sd, bool enable)
2275 {
2276 sd->enable = enable;
2277 }
2278
2279 static const SDProto sd_proto_spi = {
2280 .name = "SPI",
2281 .cmd = {
2282 [0] = { "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2283 [1] = { "SEND_OP_COND", spi_cmd_SEND_OP_COND},
2284 },
2285 .acmd = {
2286 [41] = { "SEND_OP_COND", spi_cmd_SEND_OP_COND},
2287 },
2288 };
2289
2290 static const SDProto sd_proto_sd = {
2291 .name = "SD",
2292 .cmd = {
2293 [0] = { "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2294 [2] = { "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2295 [3] = { "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR},
2296 [19] = { "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK},
2297 [23] = { "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2298 },
2299 };
2300
2301 static void sd_instance_init(Object *obj)
2302 {
2303 SDState *sd = SD_CARD(obj);
2304 SDCardClass *sc = SD_CARD_GET_CLASS(sd);
2305
2306 sd->proto = sc->proto;
2307 sd->last_cmd_name = "UNSET";
2308 sd->enable = true;
2309 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2310 }
2311
2312 static void sd_instance_finalize(Object *obj)
2313 {
2314 SDState *sd = SD_CARD(obj);
2315
2316 timer_free(sd->ocr_power_timer);
2317 }
2318
2319 static void sd_realize(DeviceState *dev, Error **errp)
2320 {
2321 SDState *sd = SD_CARD(dev);
2322 int ret;
2323
2324 switch (sd->spec_version) {
2325 case SD_PHY_SPECv1_10_VERS
2326 ... SD_PHY_SPECv3_01_VERS:
2327 break;
2328 default:
2329 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2330 return;
2331 }
2332
2333 if (sd->blk) {
2334 int64_t blk_size;
2335
2336 if (!blk_supports_write_perm(sd->blk)) {
2337 error_setg(errp, "Cannot use read-only drive as SD card");
2338 return;
2339 }
2340
2341 blk_size = blk_getlength(sd->blk);
2342 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2343 int64_t blk_size_aligned = pow2ceil(blk_size);
2344 char *blk_size_str;
2345
2346 blk_size_str = size_to_str(blk_size);
2347 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2348 g_free(blk_size_str);
2349
2350 blk_size_str = size_to_str(blk_size_aligned);
2351 error_append_hint(errp,
2352 "SD card size has to be a power of 2, e.g. %s.\n"
2353 "You can resize disk images with"
2354 " 'qemu-img resize <imagefile> <new-size>'\n"
2355 "(note that this will lose data if you make the"
2356 " image smaller than it currently is).\n",
2357 blk_size_str);
2358 g_free(blk_size_str);
2359
2360 return;
2361 }
2362
2363 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2364 BLK_PERM_ALL, errp);
2365 if (ret < 0) {
2366 return;
2367 }
2368 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2369 }
2370 }
2371
2372 static Property sd_properties[] = {
2373 DEFINE_PROP_UINT8("spec_version", SDState,
2374 spec_version, SD_PHY_SPECv2_00_VERS),
2375 DEFINE_PROP_DRIVE("drive", SDState, blk),
2376 /* We do not model the chip select pin, so allow the board to select
2377 * whether card should be in SSI or MMC/SD mode. It is also up to the
2378 * board to ensure that ssi transfers only occur when the chip select
2379 * is asserted. */
2380 DEFINE_PROP_END_OF_LIST()
2381 };
2382
2383 static void sd_class_init(ObjectClass *klass, void *data)
2384 {
2385 DeviceClass *dc = DEVICE_CLASS(klass);
2386 SDCardClass *sc = SD_CARD_CLASS(klass);
2387
2388 dc->realize = sd_realize;
2389 device_class_set_props(dc, sd_properties);
2390 dc->vmsd = &sd_vmstate;
2391 dc->reset = sd_reset;
2392 dc->bus_type = TYPE_SD_BUS;
2393 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2394
2395 sc->set_voltage = sd_set_voltage;
2396 sc->get_dat_lines = sd_get_dat_lines;
2397 sc->get_cmd_line = sd_get_cmd_line;
2398 sc->do_command = sd_do_command;
2399 sc->write_byte = sd_write_byte;
2400 sc->read_byte = sd_read_byte;
2401 sc->receive_ready = sd_receive_ready;
2402 sc->data_ready = sd_data_ready;
2403 sc->enable = sd_enable;
2404 sc->get_inserted = sd_get_inserted;
2405 sc->get_readonly = sd_get_readonly;
2406 sc->proto = &sd_proto_sd;
2407 }
2408
2409 /*
2410 * We do not model the chip select pin, so allow the board to select
2411 * whether card should be in SSI or MMC/SD mode. It is also up to the
2412 * board to ensure that ssi transfers only occur when the chip select
2413 * is asserted.
2414 */
2415 static void sd_spi_class_init(ObjectClass *klass, void *data)
2416 {
2417 DeviceClass *dc = DEVICE_CLASS(klass);
2418 SDCardClass *sc = SD_CARD_CLASS(klass);
2419
2420 dc->desc = "SD SPI";
2421 sc->proto = &sd_proto_spi;
2422 }
2423
2424 static const TypeInfo sd_types[] = {
2425 {
2426 .name = TYPE_SD_CARD,
2427 .parent = TYPE_DEVICE,
2428 .instance_size = sizeof(SDState),
2429 .class_size = sizeof(SDCardClass),
2430 .class_init = sd_class_init,
2431 .instance_init = sd_instance_init,
2432 .instance_finalize = sd_instance_finalize,
2433 },
2434 {
2435 .name = TYPE_SD_CARD_SPI,
2436 .parent = TYPE_SD_CARD,
2437 .class_init = sd_spi_class_init,
2438 },
2439 };
2440
2441 DEFINE_TYPES(sd_types)
armbru's QEMU hackery