search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd/sdcard: Only call sd_req_get_address() where address is used
[qemu/armbru.git] / hw / sd / sd.c
blob3e4eb656e12089102bc48936cb3034438d57d91e
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state,
81 sd_identification_state,
82 sd_standby_state,
83 sd_transfer_state,
84 sd_sendingdata_state,
85 sd_receivingdata_state,
86 sd_programming_state,
87 sd_disconnect_state,
88 };
89
90 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
91
92 typedef struct SDProto {
93 const char *name;
94 sd_cmd_handler cmd[SDMMC_CMD_MAX];
95 sd_cmd_handler acmd[SDMMC_CMD_MAX];
96 } SDProto;
97
98 struct SDState {
99 DeviceState parent_obj;
100
101 /* If true, created by sd_init() for a non-qdevified caller */
102 /* TODO purge them with fire */
103 bool me_no_qdev_me_kill_mammoth_with_rocks;
104
105 /* SD Memory Card Registers */
106 uint32_t ocr;
107 uint8_t scr[8];
108 uint8_t cid[16];
109 uint8_t csd[16];
110 uint16_t rca;
111 uint32_t card_status;
112 uint8_t sd_status[64];
113
114 /* Static properties */
115
116 uint8_t spec_version;
117 BlockBackend *blk;
118
119 /* Runtime changeables */
120
121 uint32_t mode; /* current card mode, one of SDCardModes */
122 int32_t state; /* current card state, one of SDCardStates */
123 uint32_t vhs;
124 bool wp_switch;
125 unsigned long *wp_group_bmap;
126 int32_t wp_group_bits;
127 uint64_t size;
128 uint32_t blk_len;
129 uint32_t multi_blk_cnt;
130 uint32_t erase_start;
131 uint32_t erase_end;
132 uint8_t pwd[16];
133 uint32_t pwd_len;
134 uint8_t function_group[6];
135 uint8_t current_cmd;
136 /* True if we will handle the next command as an ACMD. Note that this does
137 * *not* track the APP_CMD status bit!
138 */
139 bool expecting_acmd;
140 uint32_t blk_written;
141 uint64_t data_start;
142 uint32_t data_offset;
143 uint8_t data[512];
144 qemu_irq readonly_cb;
145 qemu_irq inserted_cb;
146 QEMUTimer *ocr_power_timer;
147 bool enable;
148 uint8_t dat_lines;
149 bool cmd_line;
150 };
151
152 static void sd_realize(DeviceState *dev, Error **errp);
153
154 static const struct SDProto *sd_proto(SDState *sd)
155 {
156 SDCardClass *sc = SD_CARD_GET_CLASS(sd);
157
158 return sc->proto;
159 }
160
161 static const SDProto sd_proto_spi;
162
163 static bool sd_is_spi(SDState *sd)
164 {
165 return sd_proto(sd) == &sd_proto_spi;
166 }
167
168 static const char *sd_version_str(enum SDPhySpecificationVersion version)
169 {
170 static const char *sdphy_version[] = {
171 [SD_PHY_SPECv1_10_VERS] = "v1.10",
172 [SD_PHY_SPECv2_00_VERS] = "v2.00",
173 [SD_PHY_SPECv3_01_VERS] = "v3.01",
174 };
175 if (version >= ARRAY_SIZE(sdphy_version)) {
176 return "unsupported version";
177 }
178 return sdphy_version[version];
179 }
180
181 static const char *sd_state_name(enum SDCardStates state)
182 {
183 static const char *state_name[] = {
184 [sd_idle_state] = "idle",
185 [sd_ready_state] = "ready",
186 [sd_identification_state] = "identification",
187 [sd_standby_state] = "standby",
188 [sd_transfer_state] = "transfer",
189 [sd_sendingdata_state] = "sendingdata",
190 [sd_receivingdata_state] = "receivingdata",
191 [sd_programming_state] = "programming",
192 [sd_disconnect_state] = "disconnect",
193 };
194 if (state == sd_inactive_state) {
195 return "inactive";
196 }
197 assert(state < ARRAY_SIZE(state_name));
198 return state_name[state];
199 }
200
201 static const char *sd_response_name(sd_rsp_type_t rsp)
202 {
203 static const char *response_name[] = {
204 [sd_r0] = "RESP#0 (no response)",
205 [sd_r1] = "RESP#1 (normal cmd)",
206 [sd_r2_i] = "RESP#2 (CID reg)",
207 [sd_r2_s] = "RESP#2 (CSD reg)",
208 [sd_r3] = "RESP#3 (OCR reg)",
209 [sd_r6] = "RESP#6 (RCA)",
210 [sd_r7] = "RESP#7 (operating voltage)",
211 };
212 if (rsp == sd_illegal) {
213 return "ILLEGAL RESP";
214 }
215 if (rsp == sd_r1b) {
216 rsp = sd_r1;
217 }
218 assert(rsp < ARRAY_SIZE(response_name));
219 return response_name[rsp];
220 }
221
222 static uint8_t sd_get_dat_lines(SDState *sd)
223 {
224 return sd->enable ? sd->dat_lines : 0;
225 }
226
227 static bool sd_get_cmd_line(SDState *sd)
228 {
229 return sd->enable ? sd->cmd_line : false;
230 }
231
232 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
233 {
234 trace_sdcard_set_voltage(millivolts);
235
236 switch (millivolts) {
237 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
238 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
239 break;
240 default:
241 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
242 millivolts / 1000.f);
243 }
244 }
245
246 static void sd_set_mode(SDState *sd)
247 {
248 switch (sd->state) {
249 case sd_inactive_state:
250 sd->mode = sd_inactive;
251 break;
252
253 case sd_idle_state:
254 case sd_ready_state:
255 case sd_identification_state:
256 sd->mode = sd_card_identification_mode;
257 break;
258
259 case sd_standby_state:
260 case sd_transfer_state:
261 case sd_sendingdata_state:
262 case sd_receivingdata_state:
263 case sd_programming_state:
264 case sd_disconnect_state:
265 sd->mode = sd_data_transfer_mode;
266 break;
267 }
268 }
269
270 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
271 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
272 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
273 /* 16 */
274 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
275 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
276 /* 32 */
277 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
278 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
279 /* 48 */
280 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
281 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
282 };
283
284 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
285 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
286 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
287 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
288 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
289 };
290
291 static uint8_t sd_crc7(const void *message, size_t width)
292 {
293 int i, bit;
294 uint8_t shift_reg = 0x00;
295 const uint8_t *msg = (const uint8_t *)message;
296
297 for (i = 0; i < width; i ++, msg ++)
298 for (bit = 7; bit >= 0; bit --) {
299 shift_reg <<= 1;
300 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
301 shift_reg ^= 0x89;
302 }
303
304 return shift_reg;
305 }
306
307 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
308
309 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
310 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
311 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
312 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
313 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
314 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
315 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
316 FIELD(OCR, CARD_POWER_UP, 31, 1)
317
318 #define ACMD41_ENQUIRY_MASK 0x00ffffff
319 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
320 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
321 | R_OCR_UHS_II_CARD_MASK \
322 | R_OCR_CARD_CAPACITY_MASK \
323 | R_OCR_CARD_POWER_UP_MASK)
324
325 static void sd_ocr_powerup(void *opaque)
326 {
327 SDState *sd = opaque;
328
329 trace_sdcard_powerup();
330 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
331
332 /* card power-up OK */
333 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
334
335 if (sd->size > SDSC_MAX_CAPACITY) {
336 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
337 }
338 }
339
340 static void sd_set_ocr(SDState *sd)
341 {
342 /* All voltages OK */
343 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
344
345 if (sd_is_spi(sd)) {
346 /*
347 * We don't need to emulate power up sequence in SPI-mode.
348 * Thus, the card's power up status bit should be set to 1 when reset.
349 * The card's capacity status bit should also be set if SD card size
350 * is larger than 2GB for SDHC support.
351 */
352 sd_ocr_powerup(sd);
353 }
354 }
355
356 static void sd_set_scr(SDState *sd)
357 {
358 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
359 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
360 sd->scr[0] |= 1; /* Spec Version 1.10 */
361 } else {
362 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
363 }
364 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
365 | 0b0101; /* 1-bit or 4-bit width bus modes */
366 sd->scr[2] = 0x00; /* Extended Security is not supported. */
367 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
368 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
369 }
370 sd->scr[3] = 0x00;
371 /* reserved for manufacturer usage */
372 sd->scr[4] = 0x00;
373 sd->scr[5] = 0x00;
374 sd->scr[6] = 0x00;
375 sd->scr[7] = 0x00;
376 }
377
378 #define MID 0xaa
379 #define OID "XY"
380 #define PNM "QEMU!"
381 #define PRV 0x01
382 #define MDT_YR 2006
383 #define MDT_MON 2
384
385 static void sd_set_cid(SDState *sd)
386 {
387 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
388 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
389 sd->cid[2] = OID[1];
390 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
391 sd->cid[4] = PNM[1];
392 sd->cid[5] = PNM[2];
393 sd->cid[6] = PNM[3];
394 sd->cid[7] = PNM[4];
395 sd->cid[8] = PRV; /* Fake product revision (PRV) */
396 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
397 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
398 ((MDT_YR - 2000) / 10);
399 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
400 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
401 }
402
403 #define HWBLOCK_SHIFT 9 /* 512 bytes */
404 #define SECTOR_SHIFT 5 /* 16 kilobytes */
405 #define WPGROUP_SHIFT 7 /* 2 megs */
406 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
407 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
408
409 static const uint8_t sd_csd_rw_mask[16] = {
410 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
412 };
413
414 static void sd_set_csd(SDState *sd, uint64_t size)
415 {
416 int hwblock_shift = HWBLOCK_SHIFT;
417 uint32_t csize;
418 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
419 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
420
421 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
422 if (size == SDSC_MAX_CAPACITY) {
423 hwblock_shift += 1;
424 }
425 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
426
427 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
428 sd->csd[0] = 0x00; /* CSD structure */
429 sd->csd[1] = 0x26; /* Data read access-time-1 */
430 sd->csd[2] = 0x00; /* Data read access-time-2 */
431 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
432 sd->csd[4] = 0x5f; /* Card Command Classes */
433 sd->csd[5] = 0x50 | /* Max. read data block length */
434 hwblock_shift;
435 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
436 ((csize >> 10) & 0x03);
437 sd->csd[7] = 0x00 | /* Device size */
438 ((csize >> 2) & 0xff);
439 sd->csd[8] = 0x3f | /* Max. read current */
440 ((csize << 6) & 0xc0);
441 sd->csd[9] = 0xfc | /* Max. write current */
442 ((CMULT_SHIFT - 2) >> 1);
443 sd->csd[10] = 0x40 | /* Erase sector size */
444 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
445 sd->csd[11] = 0x00 | /* Write protect group size */
446 ((sectsize << 7) & 0x80) | wpsize;
447 sd->csd[12] = 0x90 | /* Write speed factor */
448 (hwblock_shift >> 2);
449 sd->csd[13] = 0x20 | /* Max. write data block length */
450 ((hwblock_shift << 6) & 0xc0);
451 sd->csd[14] = 0x00; /* File format group */
452 } else { /* SDHC */
453 size /= 512 * KiB;
454 size -= 1;
455 sd->csd[0] = 0x40;
456 sd->csd[1] = 0x0e;
457 sd->csd[2] = 0x00;
458 sd->csd[3] = 0x32;
459 sd->csd[4] = 0x5b;
460 sd->csd[5] = 0x59;
461 sd->csd[6] = 0x00;
462 st24_be_p(&sd->csd[7], size);
463 sd->csd[10] = 0x7f;
464 sd->csd[11] = 0x80;
465 sd->csd[12] = 0x0a;
466 sd->csd[13] = 0x40;
467 sd->csd[14] = 0x00;
468 }
469 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
470 }
471
472 static void sd_set_rca(SDState *sd)
473 {
474 sd->rca += 0x4567;
475 }
476
477 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
478 {
479 if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc) {
480 return req.arg >> 16;
481 }
482 return 0;
483 }
484
485 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
486 FIELD(CSR, APP_CMD, 5, 1)
487 FIELD(CSR, FX_EVENT, 6, 1)
488 FIELD(CSR, READY_FOR_DATA, 8, 1)
489 FIELD(CSR, CURRENT_STATE, 9, 4)
490 FIELD(CSR, ERASE_RESET, 13, 1)
491 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
492 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
493 FIELD(CSR, CSD_OVERWRITE, 16, 1)
494 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
495 FIELD(CSR, ERROR, 19, 1)
496 FIELD(CSR, CC_ERROR, 20, 1)
497 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
498 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
499 FIELD(CSR, COM_CRC_ERROR, 23, 1)
500 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
501 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
502 FIELD(CSR, WP_VIOLATION, 26, 1)
503 FIELD(CSR, ERASE_PARAM, 27, 1)
504 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
505 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
506 FIELD(CSR, ADDRESS_ERROR, 30, 1)
507 FIELD(CSR, OUT_OF_RANGE, 31, 1)
508
509 /* Card status bits, split by clear condition:
510 * A : According to the card current state
511 * B : Always related to the previous command
512 * C : Cleared by read
513 */
514 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
515 | R_CSR_CARD_ECC_DISABLED_MASK \
516 | R_CSR_CARD_IS_LOCKED_MASK)
517 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
518 | R_CSR_ILLEGAL_COMMAND_MASK \
519 | R_CSR_COM_CRC_ERROR_MASK)
520 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
521 | R_CSR_APP_CMD_MASK \
522 | R_CSR_ERASE_RESET_MASK \
523 | R_CSR_WP_ERASE_SKIP_MASK \
524 | R_CSR_CSD_OVERWRITE_MASK \
525 | R_CSR_ERROR_MASK \
526 | R_CSR_CC_ERROR_MASK \
527 | R_CSR_CARD_ECC_FAILED_MASK \
528 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
529 | R_CSR_WP_VIOLATION_MASK \
530 | R_CSR_ERASE_PARAM_MASK \
531 | R_CSR_ERASE_SEQ_ERROR_MASK \
532 | R_CSR_BLOCK_LEN_ERROR_MASK \
533 | R_CSR_ADDRESS_ERROR_MASK \
534 | R_CSR_OUT_OF_RANGE_MASK)
535
536 static void sd_set_cardstatus(SDState *sd)
537 {
538 sd->card_status = 0x00000100;
539 }
540
541 static void sd_set_sdstatus(SDState *sd)
542 {
543 memset(sd->sd_status, 0, 64);
544 }
545
546 static int sd_req_crc_validate(SDRequest *req)
547 {
548 uint8_t buffer[5];
549 buffer[0] = 0x40 | req->cmd;
550 stl_be_p(&buffer[1], req->arg);
551 return 0;
552 return sd_crc7(buffer, 5) != req->crc; /* TODO */
553 }
554
555 static void sd_response_r1_make(SDState *sd, uint8_t *response)
556 {
557 stl_be_p(response, sd->card_status);
558
559 /* Clear the "clear on read" status bits */
560 sd->card_status &= ~CARD_STATUS_C;
561 }
562
563 static void sd_response_r3_make(SDState *sd, uint8_t *response)
564 {
565 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
566 }
567
568 static void sd_response_r6_make(SDState *sd, uint8_t *response)
569 {
570 uint16_t status;
571
572 status = ((sd->card_status >> 8) & 0xc000) |
573 ((sd->card_status >> 6) & 0x2000) |
574 (sd->card_status & 0x1fff);
575 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
576 stw_be_p(response + 0, sd->rca);
577 stw_be_p(response + 2, status);
578 }
579
580 static void sd_response_r7_make(SDState *sd, uint8_t *response)
581 {
582 stl_be_p(response, sd->vhs);
583 }
584
585 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
586 {
587 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
588 return (uint64_t) req.arg << HWBLOCK_SHIFT;
589 }
590 return req.arg;
591 }
592
593 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
594 {
595 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
596 }
597
598 static void sd_reset(DeviceState *dev)
599 {
600 SDState *sd = SD_CARD(dev);
601 uint64_t size;
602 uint64_t sect;
603
604 trace_sdcard_reset();
605 if (sd->blk) {
606 blk_get_geometry(sd->blk, &sect);
607 } else {
608 sect = 0;
609 }
610 size = sect << HWBLOCK_SHIFT;
611
612 sect = sd_addr_to_wpnum(size) + 1;
613
614 sd->state = sd_idle_state;
615 sd->rca = 0x0000;
616 sd->size = size;
617 sd_set_ocr(sd);
618 sd_set_scr(sd);
619 sd_set_cid(sd);
620 sd_set_csd(sd, size);
621 sd_set_cardstatus(sd);
622 sd_set_sdstatus(sd);
623
624 g_free(sd->wp_group_bmap);
625 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
626 sd->wp_group_bits = sect;
627 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
628 memset(sd->function_group, 0, sizeof(sd->function_group));
629 sd->erase_start = INVALID_ADDRESS;
630 sd->erase_end = INVALID_ADDRESS;
631 sd->blk_len = 0x200;
632 sd->pwd_len = 0;
633 sd->expecting_acmd = false;
634 sd->dat_lines = 0xf;
635 sd->cmd_line = true;
636 sd->multi_blk_cnt = 0;
637 }
638
639 static bool sd_get_inserted(SDState *sd)
640 {
641 return sd->blk && blk_is_inserted(sd->blk);
642 }
643
644 static bool sd_get_readonly(SDState *sd)
645 {
646 return sd->wp_switch;
647 }
648
649 static void sd_cardchange(void *opaque, bool load, Error **errp)
650 {
651 SDState *sd = opaque;
652 DeviceState *dev = DEVICE(sd);
653 SDBus *sdbus;
654 bool inserted = sd_get_inserted(sd);
655 bool readonly = sd_get_readonly(sd);
656
657 if (inserted) {
658 trace_sdcard_inserted(readonly);
659 sd_reset(dev);
660 } else {
661 trace_sdcard_ejected();
662 }
663
664 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
665 qemu_set_irq(sd->inserted_cb, inserted);
666 if (inserted) {
667 qemu_set_irq(sd->readonly_cb, readonly);
668 }
669 } else {
670 sdbus = SD_BUS(qdev_get_parent_bus(dev));
671 sdbus_set_inserted(sdbus, inserted);
672 if (inserted) {
673 sdbus_set_readonly(sdbus, readonly);
674 }
675 }
676 }
677
678 static const BlockDevOps sd_block_ops = {
679 .change_media_cb = sd_cardchange,
680 };
681
682 static bool sd_ocr_vmstate_needed(void *opaque)
683 {
684 SDState *sd = opaque;
685
686 /* Include the OCR state (and timer) if it is not yet powered up */
687 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
688 }
689
690 static const VMStateDescription sd_ocr_vmstate = {
691 .name = "sd-card/ocr-state",
692 .version_id = 1,
693 .minimum_version_id = 1,
694 .needed = sd_ocr_vmstate_needed,
695 .fields = (const VMStateField[]) {
696 VMSTATE_UINT32(ocr, SDState),
697 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
698 VMSTATE_END_OF_LIST()
699 },
700 };
701
702 static int sd_vmstate_pre_load(void *opaque)
703 {
704 SDState *sd = opaque;
705
706 /* If the OCR state is not included (prior versions, or not
707 * needed), then the OCR must be set as powered up. If the OCR state
708 * is included, this will be replaced by the state restore.
709 */
710 sd_ocr_powerup(sd);
711
712 return 0;
713 }
714
715 static const VMStateDescription sd_vmstate = {
716 .name = "sd-card",
717 .version_id = 2,
718 .minimum_version_id = 2,
719 .pre_load = sd_vmstate_pre_load,
720 .fields = (const VMStateField[]) {
721 VMSTATE_UINT32(mode, SDState),
722 VMSTATE_INT32(state, SDState),
723 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
724 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
725 VMSTATE_UINT16(rca, SDState),
726 VMSTATE_UINT32(card_status, SDState),
727 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
728 VMSTATE_UINT32(vhs, SDState),
729 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
730 VMSTATE_UINT32(blk_len, SDState),
731 VMSTATE_UINT32(multi_blk_cnt, SDState),
732 VMSTATE_UINT32(erase_start, SDState),
733 VMSTATE_UINT32(erase_end, SDState),
734 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
735 VMSTATE_UINT32(pwd_len, SDState),
736 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
737 VMSTATE_UINT8(current_cmd, SDState),
738 VMSTATE_BOOL(expecting_acmd, SDState),
739 VMSTATE_UINT32(blk_written, SDState),
740 VMSTATE_UINT64(data_start, SDState),
741 VMSTATE_UINT32(data_offset, SDState),
742 VMSTATE_UINT8_ARRAY(data, SDState, 512),
743 VMSTATE_UNUSED_V(1, 512),
744 VMSTATE_BOOL(enable, SDState),
745 VMSTATE_END_OF_LIST()
746 },
747 .subsections = (const VMStateDescription * const []) {
748 &sd_ocr_vmstate,
749 NULL
750 },
751 };
752
753 /* Legacy initialization function for use by non-qdevified callers */
754 SDState *sd_init(BlockBackend *blk, bool is_spi)
755 {
756 Object *obj;
757 DeviceState *dev;
758 SDState *sd;
759 Error *err = NULL;
760
761 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
762 dev = DEVICE(obj);
763 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
764 error_reportf_err(err, "sd_init failed: ");
765 return NULL;
766 }
767
768 /*
769 * Realizing the device properly would put it into the QOM
770 * composition tree even though it is not plugged into an
771 * appropriate bus. That's a no-no. Hide the device from
772 * QOM/qdev, and call its qdev realize callback directly.
773 */
774 object_ref(obj);
775 object_unparent(obj);
776 sd_realize(dev, &err);
777 if (err) {
778 error_reportf_err(err, "sd_init failed: ");
779 return NULL;
780 }
781
782 sd = SD_CARD(dev);
783 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
784 return sd;
785 }
786
787 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
788 {
789 sd->readonly_cb = readonly;
790 sd->inserted_cb = insert;
791 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
792 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
793 }
794
795 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
796 {
797 trace_sdcard_read_block(addr, len);
798 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
799 fprintf(stderr, "sd_blk_read: read error on host side\n");
800 }
801 }
802
803 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
804 {
805 trace_sdcard_write_block(addr, len);
806 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
807 fprintf(stderr, "sd_blk_write: write error on host side\n");
808 }
809 }
810
811 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
812 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
813 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
814 #define APP_WRITE_BLOCK(a, len)
815
816 static void sd_erase(SDState *sd)
817 {
818 uint64_t erase_start = sd->erase_start;
819 uint64_t erase_end = sd->erase_end;
820 bool sdsc = true;
821 uint64_t wpnum;
822 uint64_t erase_addr;
823 int erase_len = 1 << HWBLOCK_SHIFT;
824
825 trace_sdcard_erase(sd->erase_start, sd->erase_end);
826 if (sd->erase_start == INVALID_ADDRESS
827 || sd->erase_end == INVALID_ADDRESS) {
828 sd->card_status |= ERASE_SEQ_ERROR;
829 sd->erase_start = INVALID_ADDRESS;
830 sd->erase_end = INVALID_ADDRESS;
831 return;
832 }
833
834 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
835 /* High capacity memory card: erase units are 512 byte blocks */
836 erase_start <<= HWBLOCK_SHIFT;
837 erase_end <<= HWBLOCK_SHIFT;
838 sdsc = false;
839 }
840
841 if (erase_start > sd->size || erase_end > sd->size) {
842 sd->card_status |= OUT_OF_RANGE;
843 sd->erase_start = INVALID_ADDRESS;
844 sd->erase_end = INVALID_ADDRESS;
845 return;
846 }
847
848 sd->erase_start = INVALID_ADDRESS;
849 sd->erase_end = INVALID_ADDRESS;
850 sd->csd[14] |= 0x40;
851
852 memset(sd->data, 0xff, erase_len);
853 for (erase_addr = erase_start; erase_addr <= erase_end;
854 erase_addr += erase_len) {
855 if (sdsc) {
856 /* Only SDSC cards support write protect groups */
857 wpnum = sd_addr_to_wpnum(erase_addr);
858 assert(wpnum < sd->wp_group_bits);
859 if (test_bit(wpnum, sd->wp_group_bmap)) {
860 sd->card_status |= WP_ERASE_SKIP;
861 continue;
862 }
863 }
864 BLK_WRITE_BLOCK(erase_addr, erase_len);
865 }
866 }
867
868 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
869 {
870 uint32_t i, wpnum;
871 uint32_t ret = 0;
872
873 wpnum = sd_addr_to_wpnum(addr);
874
875 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
876 if (addr >= sd->size) {
877 /*
878 * If the addresses of the last groups are outside the valid range,
879 * then the corresponding write protection bits shall be set to 0.
880 */
881 continue;
882 }
883 assert(wpnum < sd->wp_group_bits);
884 if (test_bit(wpnum, sd->wp_group_bmap)) {
885 ret |= (1 << i);
886 }
887 }
888
889 return ret;
890 }
891
892 static void sd_function_switch(SDState *sd, uint32_t arg)
893 {
894 int i, mode, new_func;
895 mode = !!(arg & 0x80000000);
896
897 sd->data[0] = 0x00; /* Maximum current consumption */
898 sd->data[1] = 0x01;
899 sd->data[2] = 0x80; /* Supported group 6 functions */
900 sd->data[3] = 0x01;
901 sd->data[4] = 0x80; /* Supported group 5 functions */
902 sd->data[5] = 0x01;
903 sd->data[6] = 0x80; /* Supported group 4 functions */
904 sd->data[7] = 0x01;
905 sd->data[8] = 0x80; /* Supported group 3 functions */
906 sd->data[9] = 0x01;
907 sd->data[10] = 0x80; /* Supported group 2 functions */
908 sd->data[11] = 0x43;
909 sd->data[12] = 0x80; /* Supported group 1 functions */
910 sd->data[13] = 0x03;
911
912 memset(&sd->data[14], 0, 3);
913 for (i = 0; i < 6; i ++) {
914 new_func = (arg >> (i * 4)) & 0x0f;
915 if (mode && new_func != 0x0f)
916 sd->function_group[i] = new_func;
917 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
918 }
919 memset(&sd->data[17], 0, 47);
920 }
921
922 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
923 {
924 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
925 }
926
927 static void sd_lock_command(SDState *sd)
928 {
929 int erase, lock, clr_pwd, set_pwd, pwd_len;
930 erase = !!(sd->data[0] & 0x08);
931 lock = sd->data[0] & 0x04;
932 clr_pwd = sd->data[0] & 0x02;
933 set_pwd = sd->data[0] & 0x01;
934
935 if (sd->blk_len > 1)
936 pwd_len = sd->data[1];
937 else
938 pwd_len = 0;
939
940 if (lock) {
941 trace_sdcard_lock();
942 } else {
943 trace_sdcard_unlock();
944 }
945 if (erase) {
946 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
947 set_pwd || clr_pwd || lock || sd->wp_switch ||
948 (sd->csd[14] & 0x20)) {
949 sd->card_status |= LOCK_UNLOCK_FAILED;
950 return;
951 }
952 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
953 sd->csd[14] &= ~0x10;
954 sd->card_status &= ~CARD_IS_LOCKED;
955 sd->pwd_len = 0;
956 /* Erasing the entire card here! */
957 fprintf(stderr, "SD: Card force-erased by CMD42\n");
958 return;
959 }
960
961 if (sd->blk_len < 2 + pwd_len ||
962 pwd_len <= sd->pwd_len ||
963 pwd_len > sd->pwd_len + 16) {
964 sd->card_status |= LOCK_UNLOCK_FAILED;
965 return;
966 }
967
968 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
969 sd->card_status |= LOCK_UNLOCK_FAILED;
970 return;
971 }
972
973 pwd_len -= sd->pwd_len;
974 if ((pwd_len && !set_pwd) ||
975 (clr_pwd && (set_pwd || lock)) ||
976 (lock && !sd->pwd_len && !set_pwd) ||
977 (!set_pwd && !clr_pwd &&
978 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
979 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
980 sd->card_status |= LOCK_UNLOCK_FAILED;
981 return;
982 }
983
984 if (set_pwd) {
985 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
986 sd->pwd_len = pwd_len;
987 }
988
989 if (clr_pwd) {
990 sd->pwd_len = 0;
991 }
992
993 if (lock)
994 sd->card_status |= CARD_IS_LOCKED;
995 else
996 sd->card_status &= ~CARD_IS_LOCKED;
997 }
998
999 static bool address_in_range(SDState *sd, const char *desc,
1000 uint64_t addr, uint32_t length)
1001 {
1002 if (addr + length > sd->size) {
1003 qemu_log_mask(LOG_GUEST_ERROR,
1004 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1005 desc, addr, sd->size, length);
1006 sd->card_status |= ADDRESS_ERROR;
1007 return false;
1008 }
1009 return true;
1010 }
1011
1012 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1013 {
1014 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1015 sd_proto(sd)->name, req.cmd, sd_state_name(sd->state),
1016 sd_version_str(sd->spec_version));
1017
1018 return sd_illegal;
1019 }
1020
1021 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1022 {
1023 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1024 sd_proto(sd)->name, req.cmd,
1025 sd_version_str(sd->spec_version));
1026
1027 return sd_illegal;
1028 }
1029
1030 /* Commands that are recognised but not yet implemented. */
1031 __attribute__((unused))
1032 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1033 {
1034 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1035 sd_proto(sd)->name, req.cmd);
1036
1037 return sd_illegal;
1038 }
1039
1040 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1041 {
1042 if (sd->state != sd_inactive_state) {
1043 sd->state = sd_idle_state;
1044 sd_reset(DEVICE(sd));
1045 }
1046
1047 return sd_is_spi(sd) ? sd_r1 : sd_r0;
1048 }
1049
1050 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1051 {
1052 sd->state = sd_transfer_state;
1053
1054 return sd_r1;
1055 }
1056
1057 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1058 {
1059 switch (sd->state) {
1060 case sd_ready_state:
1061 sd->state = sd_identification_state;
1062 return sd_r2_i;
1063 default:
1064 return sd_invalid_state_for_cmd(sd, req);
1065 }
1066 }
1067
1068 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1069 {
1070 switch (sd->state) {
1071 case sd_identification_state:
1072 case sd_standby_state:
1073 sd->state = sd_standby_state;
1074 sd_set_rca(sd);
1075 return sd_r6;
1076
1077 default:
1078 return sd_invalid_state_for_cmd(sd, req);
1079 }
1080 }
1081
1082 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1083 {
1084 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1085 return sd_cmd_illegal(sd, req);
1086 }
1087
1088 if (sd->state != sd_transfer_state) {
1089 return sd_invalid_state_for_cmd(sd, req);
1090 }
1091
1092 sd->state = sd_sendingdata_state;
1093 sd->data_offset = 0;
1094
1095 return sd_r1;
1096 }
1097
1098 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1099 {
1100 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1101 return sd_cmd_illegal(sd, req);
1102 }
1103
1104 if (sd->state != sd_transfer_state) {
1105 return sd_invalid_state_for_cmd(sd, req);
1106 }
1107
1108 sd->multi_blk_cnt = req.arg;
1109 trace_sdcard_set_block_count(sd->multi_blk_cnt);
1110
1111 return sd_r1;
1112 }
1113
1114 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
1115 {
1116 uint16_t rca;
1117 uint64_t addr;
1118
1119 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
1120 * However there is no ACMD55, so we want to trace this particular case.
1121 */
1122 if (req.cmd != 55 || sd->expecting_acmd) {
1123 trace_sdcard_normal_command(sd_proto(sd)->name,
1124 sd_cmd_name(req.cmd), req.cmd,
1125 req.arg, sd_state_name(sd->state));
1126 }
1127
1128 /* Not interpreting this as an app command */
1129 sd->card_status &= ~APP_CMD;
1130
1131 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
1132 * if not, its effects are cancelled */
1133 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
1134 sd->multi_blk_cnt = 0;
1135 }
1136
1137 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1138 /* Only Standard Capacity cards support class 6 commands */
1139 return sd_illegal;
1140 }
1141
1142 if (sd_proto(sd)->cmd[req.cmd]) {
1143 return sd_proto(sd)->cmd[req.cmd](sd, req);
1144 }
1145
1146 switch (req.cmd) {
1147 /* Basic commands (Class 0 and Class 1) */
1148 case 4: /* CMD4: SEND_DSR */
1149 switch (sd->state) {
1150 case sd_standby_state:
1151 break;
1152
1153 default:
1154 break;
1155 }
1156 break;
1157
1158 case 6: /* CMD6: SWITCH_FUNCTION */
1159 switch (sd->mode) {
1160 case sd_data_transfer_mode:
1161 sd_function_switch(sd, req.arg);
1162 sd->state = sd_sendingdata_state;
1163 sd->data_start = 0;
1164 sd->data_offset = 0;
1165 return sd_r1;
1166
1167 default:
1168 break;
1169 }
1170 break;
1171
1172 case 7: /* CMD7: SELECT/DESELECT_CARD */
1173 rca = sd_req_get_rca(sd, req);
1174 switch (sd->state) {
1175 case sd_standby_state:
1176 if (sd->rca != rca)
1177 return sd_r0;
1178
1179 sd->state = sd_transfer_state;
1180 return sd_r1b;
1181
1182 case sd_transfer_state:
1183 case sd_sendingdata_state:
1184 if (sd->rca == rca)
1185 break;
1186
1187 sd->state = sd_standby_state;
1188 return sd_r1b;
1189
1190 case sd_disconnect_state:
1191 if (sd->rca != rca)
1192 return sd_r0;
1193
1194 sd->state = sd_programming_state;
1195 return sd_r1b;
1196
1197 case sd_programming_state:
1198 if (sd->rca == rca)
1199 break;
1200
1201 sd->state = sd_disconnect_state;
1202 return sd_r1b;
1203
1204 default:
1205 break;
1206 }
1207 break;
1208
1209 case 8: /* CMD8: SEND_IF_COND */
1210 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1211 break;
1212 }
1213 if (sd->state != sd_idle_state) {
1214 break;
1215 }
1216 sd->vhs = 0;
1217
1218 /* No response if not exactly one VHS bit is set. */
1219 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1220 return sd_is_spi(sd) ? sd_r7 : sd_r0;
1221 }
1222
1223 /* Accept. */
1224 sd->vhs = req.arg;
1225 return sd_r7;
1226
1227 case 9: /* CMD9: SEND_CSD */
1228 rca = sd_req_get_rca(sd, req);
1229 switch (sd->state) {
1230 case sd_standby_state:
1231 if (sd->rca != rca)
1232 return sd_r0;
1233
1234 return sd_r2_s;
1235
1236 case sd_transfer_state:
1237 if (!sd_is_spi(sd)) {
1238 break;
1239 }
1240 sd->state = sd_sendingdata_state;
1241 memcpy(sd->data, sd->csd, 16);
1242 sd->data_start = sd_req_get_address(sd, req);
1243 sd->data_offset = 0;
1244 return sd_r1;
1245
1246 default:
1247 break;
1248 }
1249 break;
1250
1251 case 10: /* CMD10: SEND_CID */
1252 rca = sd_req_get_rca(sd, req);
1253 switch (sd->state) {
1254 case sd_standby_state:
1255 if (sd->rca != rca)
1256 return sd_r0;
1257
1258 return sd_r2_i;
1259
1260 case sd_transfer_state:
1261 if (!sd_is_spi(sd)) {
1262 break;
1263 }
1264 sd->state = sd_sendingdata_state;
1265 memcpy(sd->data, sd->cid, 16);
1266 sd->data_start = sd_req_get_address(sd, req);
1267 sd->data_offset = 0;
1268 return sd_r1;
1269
1270 default:
1271 break;
1272 }
1273 break;
1274
1275 case 12: /* CMD12: STOP_TRANSMISSION */
1276 switch (sd->state) {
1277 case sd_sendingdata_state:
1278 sd->state = sd_transfer_state;
1279 return sd_r1b;
1280
1281 case sd_receivingdata_state:
1282 sd->state = sd_programming_state;
1283 /* Bzzzzzzztt .... Operation complete. */
1284 sd->state = sd_transfer_state;
1285 return sd_r1b;
1286
1287 default:
1288 break;
1289 }
1290 break;
1291
1292 case 13: /* CMD13: SEND_STATUS */
1293 rca = sd_req_get_rca(sd, req);
1294 switch (sd->mode) {
1295 case sd_data_transfer_mode:
1296 if (!sd_is_spi(sd) && sd->rca != rca) {
1297 return sd_r0;
1298 }
1299
1300 return sd_r1;
1301
1302 default:
1303 break;
1304 }
1305 break;
1306
1307 case 15: /* CMD15: GO_INACTIVE_STATE */
1308 rca = sd_req_get_rca(sd, req);
1309 switch (sd->mode) {
1310 case sd_data_transfer_mode:
1311 if (sd->rca != rca)
1312 return sd_r0;
1313
1314 sd->state = sd_inactive_state;
1315 return sd_r0;
1316
1317 default:
1318 break;
1319 }
1320 break;
1321
1322 /* Block read commands (Class 2) */
1323 case 16: /* CMD16: SET_BLOCKLEN */
1324 switch (sd->state) {
1325 case sd_transfer_state:
1326 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1327 sd->card_status |= BLOCK_LEN_ERROR;
1328 } else {
1329 trace_sdcard_set_blocklen(req.arg);
1330 sd->blk_len = req.arg;
1331 }
1332
1333 return sd_r1;
1334
1335 default:
1336 break;
1337 }
1338 break;
1339
1340 case 17: /* CMD17: READ_SINGLE_BLOCK */
1341 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1342 addr = sd_req_get_address(sd, req);
1343 switch (sd->state) {
1344 case sd_transfer_state:
1345
1346 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1347 return sd_r1;
1348 }
1349
1350 sd->state = sd_sendingdata_state;
1351 sd->data_start = addr;
1352 sd->data_offset = 0;
1353 return sd_r1;
1354
1355 default:
1356 break;
1357 }
1358 break;
1359
1360 /* Block write commands (Class 4) */
1361 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1362 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1363 addr = sd_req_get_address(sd, req);
1364 switch (sd->state) {
1365 case sd_transfer_state:
1366
1367 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1368 return sd_r1;
1369 }
1370
1371 sd->state = sd_receivingdata_state;
1372 sd->data_start = addr;
1373 sd->data_offset = 0;
1374 sd->blk_written = 0;
1375
1376 if (sd->size <= SDSC_MAX_CAPACITY) {
1377 if (sd_wp_addr(sd, sd->data_start)) {
1378 sd->card_status |= WP_VIOLATION;
1379 }
1380 }
1381 if (sd->csd[14] & 0x30) {
1382 sd->card_status |= WP_VIOLATION;
1383 }
1384 return sd_r1;
1385
1386 default:
1387 break;
1388 }
1389 break;
1390
1391 case 26: /* CMD26: PROGRAM_CID */
1392 switch (sd->state) {
1393 case sd_transfer_state:
1394 sd->state = sd_receivingdata_state;
1395 sd->data_start = 0;
1396 sd->data_offset = 0;
1397 return sd_r1;
1398
1399 default:
1400 break;
1401 }
1402 break;
1403
1404 case 27: /* CMD27: PROGRAM_CSD */
1405 switch (sd->state) {
1406 case sd_transfer_state:
1407 sd->state = sd_receivingdata_state;
1408 sd->data_start = 0;
1409 sd->data_offset = 0;
1410 return sd_r1;
1411
1412 default:
1413 break;
1414 }
1415 break;
1416
1417 /* Write protection (Class 6) */
1418 case 28: /* CMD28: SET_WRITE_PROT */
1419 if (sd->size > SDSC_MAX_CAPACITY) {
1420 return sd_illegal;
1421 }
1422 addr = sd_req_get_address(sd, req);
1423 switch (sd->state) {
1424 case sd_transfer_state:
1425 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1426 return sd_r1b;
1427 }
1428
1429 sd->state = sd_programming_state;
1430 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1431 /* Bzzzzzzztt .... Operation complete. */
1432 sd->state = sd_transfer_state;
1433 return sd_r1b;
1434
1435 default:
1436 break;
1437 }
1438 break;
1439
1440 case 29: /* CMD29: CLR_WRITE_PROT */
1441 if (sd->size > SDSC_MAX_CAPACITY) {
1442 return sd_illegal;
1443 }
1444 addr = sd_req_get_address(sd, req);
1445 switch (sd->state) {
1446 case sd_transfer_state:
1447 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1448 return sd_r1b;
1449 }
1450
1451 sd->state = sd_programming_state;
1452 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1453 /* Bzzzzzzztt .... Operation complete. */
1454 sd->state = sd_transfer_state;
1455 return sd_r1b;
1456
1457 default:
1458 break;
1459 }
1460 break;
1461
1462 case 30: /* CMD30: SEND_WRITE_PROT */
1463 if (sd->size > SDSC_MAX_CAPACITY) {
1464 return sd_illegal;
1465 }
1466 addr = sd_req_get_address(sd, req);
1467 switch (sd->state) {
1468 case sd_transfer_state:
1469 if (!address_in_range(sd, "SEND_WRITE_PROT",
1470 req.arg, sd->blk_len)) {
1471 return sd_r1;
1472 }
1473
1474 sd->state = sd_sendingdata_state;
1475 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1476 sd->data_start = addr;
1477 sd->data_offset = 0;
1478 return sd_r1;
1479
1480 default:
1481 break;
1482 }
1483 break;
1484
1485 /* Erase commands (Class 5) */
1486 case 32: /* CMD32: ERASE_WR_BLK_START */
1487 switch (sd->state) {
1488 case sd_transfer_state:
1489 sd->erase_start = req.arg;
1490 return sd_r1;
1491
1492 default:
1493 break;
1494 }
1495 break;
1496
1497 case 33: /* CMD33: ERASE_WR_BLK_END */
1498 switch (sd->state) {
1499 case sd_transfer_state:
1500 sd->erase_end = req.arg;
1501 return sd_r1;
1502
1503 default:
1504 break;
1505 }
1506 break;
1507
1508 case 38: /* CMD38: ERASE */
1509 switch (sd->state) {
1510 case sd_transfer_state:
1511 if (sd->csd[14] & 0x30) {
1512 sd->card_status |= WP_VIOLATION;
1513 return sd_r1b;
1514 }
1515
1516 sd->state = sd_programming_state;
1517 sd_erase(sd);
1518 /* Bzzzzzzztt .... Operation complete. */
1519 sd->state = sd_transfer_state;
1520 return sd_r1b;
1521
1522 default:
1523 break;
1524 }
1525 break;
1526
1527 /* Lock card commands (Class 7) */
1528 case 42: /* CMD42: LOCK_UNLOCK */
1529 switch (sd->state) {
1530 case sd_transfer_state:
1531 sd->state = sd_receivingdata_state;
1532 sd->data_start = 0;
1533 sd->data_offset = 0;
1534 return sd_r1;
1535
1536 default:
1537 break;
1538 }
1539 break;
1540
1541 /* Application specific commands (Class 8) */
1542 case 55: /* CMD55: APP_CMD */
1543 rca = sd_req_get_rca(sd, req);
1544 switch (sd->state) {
1545 case sd_ready_state:
1546 case sd_identification_state:
1547 case sd_inactive_state:
1548 return sd_illegal;
1549 case sd_idle_state:
1550 if (rca) {
1551 qemu_log_mask(LOG_GUEST_ERROR,
1552 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1553 }
1554 default:
1555 break;
1556 }
1557 if (!sd_is_spi(sd)) {
1558 if (sd->rca != rca) {
1559 return sd_r0;
1560 }
1561 }
1562 sd->expecting_acmd = true;
1563 sd->card_status |= APP_CMD;
1564 return sd_r1;
1565
1566 case 56: /* CMD56: GEN_CMD */
1567 switch (sd->state) {
1568 case sd_transfer_state:
1569 sd->data_offset = 0;
1570 if (req.arg & 1)
1571 sd->state = sd_sendingdata_state;
1572 else
1573 sd->state = sd_receivingdata_state;
1574 return sd_r1;
1575
1576 default:
1577 break;
1578 }
1579 break;
1580
1581 case 58: /* CMD58: READ_OCR (SPI) */
1582 return sd_r3;
1583
1584 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1585 return sd_r1;
1586
1587 default:
1588 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1589 return sd_illegal;
1590 }
1591
1592 return sd_invalid_state_for_cmd(sd, req);
1593 }
1594
1595 static sd_rsp_type_t sd_app_command(SDState *sd,
1596 SDRequest req)
1597 {
1598 trace_sdcard_app_command(sd_proto(sd)->name, sd_acmd_name(req.cmd),
1599 req.cmd, req.arg, sd_state_name(sd->state));
1600 sd->card_status |= APP_CMD;
1601
1602 if (sd_proto(sd)->acmd[req.cmd]) {
1603 return sd_proto(sd)->acmd[req.cmd](sd, req);
1604 }
1605
1606 switch (req.cmd) {
1607 case 6: /* ACMD6: SET_BUS_WIDTH */
1608 switch (sd->state) {
1609 case sd_transfer_state:
1610 sd->sd_status[0] &= 0x3f;
1611 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1612 return sd_r1;
1613
1614 default:
1615 break;
1616 }
1617 break;
1618
1619 case 13: /* ACMD13: SD_STATUS */
1620 switch (sd->state) {
1621 case sd_transfer_state:
1622 sd->state = sd_sendingdata_state;
1623 sd->data_start = 0;
1624 sd->data_offset = 0;
1625 return sd_r1;
1626
1627 default:
1628 break;
1629 }
1630 break;
1631
1632 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1633 switch (sd->state) {
1634 case sd_transfer_state:
1635 *(uint32_t *) sd->data = sd->blk_written;
1636
1637 sd->state = sd_sendingdata_state;
1638 sd->data_start = 0;
1639 sd->data_offset = 0;
1640 return sd_r1;
1641
1642 default:
1643 break;
1644 }
1645 break;
1646
1647 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1648 switch (sd->state) {
1649 case sd_transfer_state:
1650 return sd_r1;
1651
1652 default:
1653 break;
1654 }
1655 break;
1656
1657 case 41: /* ACMD41: SD_APP_OP_COND */
1658 if (sd->state != sd_idle_state) {
1659 break;
1660 }
1661 /* If it's the first ACMD41 since reset, we need to decide
1662 * whether to power up. If this is not an enquiry ACMD41,
1663 * we immediately report power on and proceed below to the
1664 * ready state, but if it is, we set a timer to model a
1665 * delay for power up. This works around a bug in EDK2
1666 * UEFI, which sends an initial enquiry ACMD41, but
1667 * assumes that the card is in ready state as soon as it
1668 * sees the power up bit set. */
1669 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1670 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1671 timer_del(sd->ocr_power_timer);
1672 sd_ocr_powerup(sd);
1673 } else {
1674 trace_sdcard_inquiry_cmd41();
1675 if (!timer_pending(sd->ocr_power_timer)) {
1676 timer_mod_ns(sd->ocr_power_timer,
1677 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1678 + OCR_POWER_DELAY_NS));
1679 }
1680 }
1681 }
1682
1683 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1684 /* We accept any voltage. 10000 V is nothing.
1685 *
1686 * Once we're powered up, we advance straight to ready state
1687 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1688 */
1689 sd->state = sd_ready_state;
1690 }
1691
1692 return sd_r3;
1693
1694 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1695 switch (sd->state) {
1696 case sd_transfer_state:
1697 /* Bringing in the 50KOhm pull-up resistor... Done. */
1698 return sd_r1;
1699
1700 default:
1701 break;
1702 }
1703 break;
1704
1705 case 51: /* ACMD51: SEND_SCR */
1706 switch (sd->state) {
1707 case sd_transfer_state:
1708 sd->state = sd_sendingdata_state;
1709 sd->data_start = 0;
1710 sd->data_offset = 0;
1711 return sd_r1;
1712
1713 default:
1714 break;
1715 }
1716 break;
1717
1718 case 18: /* Reserved for SD security applications */
1719 case 25:
1720 case 26:
1721 case 38:
1722 case 43 ... 49:
1723 /* Refer to the "SD Specifications Part3 Security Specification" for
1724 * information about the SD Security Features.
1725 */
1726 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1727 req.cmd);
1728 return sd_illegal;
1729
1730 default:
1731 /* Fall back to standard commands. */
1732 return sd_normal_command(sd, req);
1733 }
1734
1735 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1736 return sd_illegal;
1737 }
1738
1739 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
1740 {
1741 /* Valid commands in locked state:
1742 * basic class (0)
1743 * lock card class (7)
1744 * CMD16
1745 * implicitly, the ACMD prefix CMD55
1746 * ACMD41 and ACMD42
1747 * Anything else provokes an "illegal command" response.
1748 */
1749 if (sd->expecting_acmd) {
1750 return cmd == 41 || cmd == 42;
1751 }
1752 if (cmd == 16 || cmd == 55) {
1753 return true;
1754 }
1755 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1756 }
1757
1758 int sd_do_command(SDState *sd, SDRequest *req,
1759 uint8_t *response) {
1760 int last_state;
1761 sd_rsp_type_t rtype;
1762 int rsplen;
1763
1764 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1765 return 0;
1766 }
1767
1768 if (sd_req_crc_validate(req)) {
1769 sd->card_status |= COM_CRC_ERROR;
1770 rtype = sd_illegal;
1771 goto send_response;
1772 }
1773
1774 if (req->cmd >= SDMMC_CMD_MAX) {
1775 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1776 req->cmd);
1777 req->cmd &= 0x3f;
1778 }
1779
1780 if (sd->card_status & CARD_IS_LOCKED) {
1781 if (!cmd_valid_while_locked(sd, req->cmd)) {
1782 sd->card_status |= ILLEGAL_COMMAND;
1783 sd->expecting_acmd = false;
1784 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1785 rtype = sd_illegal;
1786 goto send_response;
1787 }
1788 }
1789
1790 last_state = sd->state;
1791 sd_set_mode(sd);
1792
1793 if (sd->expecting_acmd) {
1794 sd->expecting_acmd = false;
1795 rtype = sd_app_command(sd, *req);
1796 } else {
1797 rtype = sd_normal_command(sd, *req);
1798 }
1799
1800 if (rtype == sd_illegal) {
1801 sd->card_status |= ILLEGAL_COMMAND;
1802 } else {
1803 /* Valid command, we can update the 'state before command' bits.
1804 * (Do this now so they appear in r1 responses.)
1805 */
1806 sd->current_cmd = req->cmd;
1807 sd->card_status = FIELD_DP32(sd->card_status, CSR,
1808 CURRENT_STATE, last_state);
1809 }
1810
1811 send_response:
1812 switch (rtype) {
1813 case sd_r1:
1814 case sd_r1b:
1815 sd_response_r1_make(sd, response);
1816 rsplen = 4;
1817 break;
1818
1819 case sd_r2_i:
1820 memcpy(response, sd->cid, sizeof(sd->cid));
1821 rsplen = 16;
1822 break;
1823
1824 case sd_r2_s:
1825 memcpy(response, sd->csd, sizeof(sd->csd));
1826 rsplen = 16;
1827 break;
1828
1829 case sd_r3:
1830 sd_response_r3_make(sd, response);
1831 rsplen = 4;
1832 break;
1833
1834 case sd_r6:
1835 sd_response_r6_make(sd, response);
1836 rsplen = 4;
1837 break;
1838
1839 case sd_r7:
1840 sd_response_r7_make(sd, response);
1841 rsplen = 4;
1842 break;
1843
1844 case sd_r0:
1845 /*
1846 * Invalid state transition, reset implementation
1847 * fields to avoid OOB abuse.
1848 */
1849 sd->data_start = 0;
1850 sd->data_offset = 0;
1851 /* fall-through */
1852 case sd_illegal:
1853 rsplen = 0;
1854 break;
1855 default:
1856 g_assert_not_reached();
1857 }
1858 trace_sdcard_response(sd_response_name(rtype), rsplen);
1859
1860 if (rtype != sd_illegal) {
1861 /* Clear the "clear on valid command" status bits now we've
1862 * sent any response
1863 */
1864 sd->card_status &= ~CARD_STATUS_B;
1865 }
1866
1867 #ifdef DEBUG_SD
1868 qemu_hexdump(stderr, "Response", response, rsplen);
1869 #endif
1870
1871 return rsplen;
1872 }
1873
1874 void sd_write_byte(SDState *sd, uint8_t value)
1875 {
1876 int i;
1877
1878 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1879 return;
1880
1881 if (sd->state != sd_receivingdata_state) {
1882 qemu_log_mask(LOG_GUEST_ERROR,
1883 "%s: not in Receiving-Data state\n", __func__);
1884 return;
1885 }
1886
1887 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1888 return;
1889
1890 trace_sdcard_write_data(sd_proto(sd)->name,
1891 sd_acmd_name(sd->current_cmd),
1892 sd->current_cmd, value);
1893 switch (sd->current_cmd) {
1894 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1895 sd->data[sd->data_offset ++] = value;
1896 if (sd->data_offset >= sd->blk_len) {
1897 /* TODO: Check CRC before committing */
1898 sd->state = sd_programming_state;
1899 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1900 sd->blk_written ++;
1901 sd->csd[14] |= 0x40;
1902 /* Bzzzzzzztt .... Operation complete. */
1903 sd->state = sd_transfer_state;
1904 }
1905 break;
1906
1907 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1908 if (sd->data_offset == 0) {
1909 /* Start of the block - let's check the address is valid */
1910 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
1911 sd->data_start, sd->blk_len)) {
1912 break;
1913 }
1914 if (sd->size <= SDSC_MAX_CAPACITY) {
1915 if (sd_wp_addr(sd, sd->data_start)) {
1916 sd->card_status |= WP_VIOLATION;
1917 break;
1918 }
1919 }
1920 }
1921 sd->data[sd->data_offset++] = value;
1922 if (sd->data_offset >= sd->blk_len) {
1923 /* TODO: Check CRC before committing */
1924 sd->state = sd_programming_state;
1925 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1926 sd->blk_written++;
1927 sd->data_start += sd->blk_len;
1928 sd->data_offset = 0;
1929 sd->csd[14] |= 0x40;
1930
1931 /* Bzzzzzzztt .... Operation complete. */
1932 if (sd->multi_blk_cnt != 0) {
1933 if (--sd->multi_blk_cnt == 0) {
1934 /* Stop! */
1935 sd->state = sd_transfer_state;
1936 break;
1937 }
1938 }
1939
1940 sd->state = sd_receivingdata_state;
1941 }
1942 break;
1943
1944 case 26: /* CMD26: PROGRAM_CID */
1945 sd->data[sd->data_offset ++] = value;
1946 if (sd->data_offset >= sizeof(sd->cid)) {
1947 /* TODO: Check CRC before committing */
1948 sd->state = sd_programming_state;
1949 for (i = 0; i < sizeof(sd->cid); i ++)
1950 if ((sd->cid[i] | 0x00) != sd->data[i])
1951 sd->card_status |= CID_CSD_OVERWRITE;
1952
1953 if (!(sd->card_status & CID_CSD_OVERWRITE))
1954 for (i = 0; i < sizeof(sd->cid); i ++) {
1955 sd->cid[i] |= 0x00;
1956 sd->cid[i] &= sd->data[i];
1957 }
1958 /* Bzzzzzzztt .... Operation complete. */
1959 sd->state = sd_transfer_state;
1960 }
1961 break;
1962
1963 case 27: /* CMD27: PROGRAM_CSD */
1964 sd->data[sd->data_offset ++] = value;
1965 if (sd->data_offset >= sizeof(sd->csd)) {
1966 /* TODO: Check CRC before committing */
1967 sd->state = sd_programming_state;
1968 for (i = 0; i < sizeof(sd->csd); i ++)
1969 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1970 (sd->data[i] | sd_csd_rw_mask[i]))
1971 sd->card_status |= CID_CSD_OVERWRITE;
1972
1973 /* Copy flag (OTP) & Permanent write protect */
1974 if (sd->csd[14] & ~sd->data[14] & 0x60)
1975 sd->card_status |= CID_CSD_OVERWRITE;
1976
1977 if (!(sd->card_status & CID_CSD_OVERWRITE))
1978 for (i = 0; i < sizeof(sd->csd); i ++) {
1979 sd->csd[i] |= sd_csd_rw_mask[i];
1980 sd->csd[i] &= sd->data[i];
1981 }
1982 /* Bzzzzzzztt .... Operation complete. */
1983 sd->state = sd_transfer_state;
1984 }
1985 break;
1986
1987 case 42: /* CMD42: LOCK_UNLOCK */
1988 sd->data[sd->data_offset ++] = value;
1989 if (sd->data_offset >= sd->blk_len) {
1990 /* TODO: Check CRC before committing */
1991 sd->state = sd_programming_state;
1992 sd_lock_command(sd);
1993 /* Bzzzzzzztt .... Operation complete. */
1994 sd->state = sd_transfer_state;
1995 }
1996 break;
1997
1998 case 56: /* CMD56: GEN_CMD */
1999 sd->data[sd->data_offset ++] = value;
2000 if (sd->data_offset >= sd->blk_len) {
2001 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
2002 sd->state = sd_transfer_state;
2003 }
2004 break;
2005
2006 default:
2007 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2008 break;
2009 }
2010 }
2011
2012 #define SD_TUNING_BLOCK_SIZE 64
2013
2014 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
2015 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
2016 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
2017 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
2018 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
2019 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
2020 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
2021 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
2022 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
2023 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
2024 };
2025
2026 uint8_t sd_read_byte(SDState *sd)
2027 {
2028 /* TODO: Append CRCs */
2029 uint8_t ret;
2030 uint32_t io_len;
2031
2032 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2033 return 0x00;
2034
2035 if (sd->state != sd_sendingdata_state) {
2036 qemu_log_mask(LOG_GUEST_ERROR,
2037 "%s: not in Sending-Data state\n", __func__);
2038 return 0x00;
2039 }
2040
2041 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2042 return 0x00;
2043
2044 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
2045
2046 trace_sdcard_read_data(sd_proto(sd)->name,
2047 sd_acmd_name(sd->current_cmd),
2048 sd->current_cmd, io_len);
2049 switch (sd->current_cmd) {
2050 case 6: /* CMD6: SWITCH_FUNCTION */
2051 ret = sd->data[sd->data_offset ++];
2052
2053 if (sd->data_offset >= 64)
2054 sd->state = sd_transfer_state;
2055 break;
2056
2057 case 9: /* CMD9: SEND_CSD */
2058 case 10: /* CMD10: SEND_CID */
2059 ret = sd->data[sd->data_offset ++];
2060
2061 if (sd->data_offset >= 16)
2062 sd->state = sd_transfer_state;
2063 break;
2064
2065 case 13: /* ACMD13: SD_STATUS */
2066 ret = sd->sd_status[sd->data_offset ++];
2067
2068 if (sd->data_offset >= sizeof(sd->sd_status))
2069 sd->state = sd_transfer_state;
2070 break;
2071
2072 case 17: /* CMD17: READ_SINGLE_BLOCK */
2073 if (sd->data_offset == 0)
2074 BLK_READ_BLOCK(sd->data_start, io_len);
2075 ret = sd->data[sd->data_offset ++];
2076
2077 if (sd->data_offset >= io_len)
2078 sd->state = sd_transfer_state;
2079 break;
2080
2081 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2082 if (sd->data_offset == 0) {
2083 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2084 sd->data_start, io_len)) {
2085 return 0x00;
2086 }
2087 BLK_READ_BLOCK(sd->data_start, io_len);
2088 }
2089 ret = sd->data[sd->data_offset ++];
2090
2091 if (sd->data_offset >= io_len) {
2092 sd->data_start += io_len;
2093 sd->data_offset = 0;
2094
2095 if (sd->multi_blk_cnt != 0) {
2096 if (--sd->multi_blk_cnt == 0) {
2097 /* Stop! */
2098 sd->state = sd_transfer_state;
2099 break;
2100 }
2101 }
2102 }
2103 break;
2104
2105 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2106 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2107 sd->state = sd_transfer_state;
2108 }
2109 ret = sd_tuning_block_pattern[sd->data_offset++];
2110 break;
2111
2112 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2113 ret = sd->data[sd->data_offset ++];
2114
2115 if (sd->data_offset >= 4)
2116 sd->state = sd_transfer_state;
2117 break;
2118
2119 case 30: /* CMD30: SEND_WRITE_PROT */
2120 ret = sd->data[sd->data_offset ++];
2121
2122 if (sd->data_offset >= 4)
2123 sd->state = sd_transfer_state;
2124 break;
2125
2126 case 51: /* ACMD51: SEND_SCR */
2127 ret = sd->scr[sd->data_offset ++];
2128
2129 if (sd->data_offset >= sizeof(sd->scr))
2130 sd->state = sd_transfer_state;
2131 break;
2132
2133 case 56: /* CMD56: GEN_CMD */
2134 if (sd->data_offset == 0)
2135 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2136 ret = sd->data[sd->data_offset ++];
2137
2138 if (sd->data_offset >= sd->blk_len)
2139 sd->state = sd_transfer_state;
2140 break;
2141
2142 default:
2143 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2144 return 0x00;
2145 }
2146
2147 return ret;
2148 }
2149
2150 static bool sd_receive_ready(SDState *sd)
2151 {
2152 return sd->state == sd_receivingdata_state;
2153 }
2154
2155 static bool sd_data_ready(SDState *sd)
2156 {
2157 return sd->state == sd_sendingdata_state;
2158 }
2159
2160 void sd_enable(SDState *sd, bool enable)
2161 {
2162 sd->enable = enable;
2163 }
2164
2165 static const SDProto sd_proto_spi = {
2166 .name = "SPI",
2167 .cmd = {
2168 [0] = sd_cmd_GO_IDLE_STATE,
2169 [1] = spi_cmd_SEND_OP_COND,
2170 },
2171 .acmd = {
2172 [41] = spi_cmd_SEND_OP_COND,
2173 },
2174 };
2175
2176 static const SDProto sd_proto_sd = {
2177 .name = "SD",
2178 .cmd = {
2179 [0] = sd_cmd_GO_IDLE_STATE,
2180 [2] = sd_cmd_ALL_SEND_CID,
2181 [3] = sd_cmd_SEND_RELATIVE_ADDR,
2182 [19] = sd_cmd_SEND_TUNING_BLOCK,
2183 [23] = sd_cmd_SET_BLOCK_COUNT,
2184 },
2185 };
2186
2187 static void sd_instance_init(Object *obj)
2188 {
2189 SDState *sd = SD_CARD(obj);
2190
2191 sd->enable = true;
2192 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2193 }
2194
2195 static void sd_instance_finalize(Object *obj)
2196 {
2197 SDState *sd = SD_CARD(obj);
2198
2199 timer_free(sd->ocr_power_timer);
2200 }
2201
2202 static void sd_realize(DeviceState *dev, Error **errp)
2203 {
2204 SDState *sd = SD_CARD(dev);
2205 int ret;
2206
2207 switch (sd->spec_version) {
2208 case SD_PHY_SPECv1_10_VERS
2209 ... SD_PHY_SPECv3_01_VERS:
2210 break;
2211 default:
2212 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2213 return;
2214 }
2215
2216 if (sd->blk) {
2217 int64_t blk_size;
2218
2219 if (!blk_supports_write_perm(sd->blk)) {
2220 error_setg(errp, "Cannot use read-only drive as SD card");
2221 return;
2222 }
2223
2224 blk_size = blk_getlength(sd->blk);
2225 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2226 int64_t blk_size_aligned = pow2ceil(blk_size);
2227 char *blk_size_str;
2228
2229 blk_size_str = size_to_str(blk_size);
2230 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2231 g_free(blk_size_str);
2232
2233 blk_size_str = size_to_str(blk_size_aligned);
2234 error_append_hint(errp,
2235 "SD card size has to be a power of 2, e.g. %s.\n"
2236 "You can resize disk images with"
2237 " 'qemu-img resize <imagefile> <new-size>'\n"
2238 "(note that this will lose data if you make the"
2239 " image smaller than it currently is).\n",
2240 blk_size_str);
2241 g_free(blk_size_str);
2242
2243 return;
2244 }
2245
2246 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2247 BLK_PERM_ALL, errp);
2248 if (ret < 0) {
2249 return;
2250 }
2251 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2252 }
2253 }
2254
2255 static Property sd_properties[] = {
2256 DEFINE_PROP_UINT8("spec_version", SDState,
2257 spec_version, SD_PHY_SPECv2_00_VERS),
2258 DEFINE_PROP_DRIVE("drive", SDState, blk),
2259 /* We do not model the chip select pin, so allow the board to select
2260 * whether card should be in SSI or MMC/SD mode. It is also up to the
2261 * board to ensure that ssi transfers only occur when the chip select
2262 * is asserted. */
2263 DEFINE_PROP_END_OF_LIST()
2264 };
2265
2266 static void sd_class_init(ObjectClass *klass, void *data)
2267 {
2268 DeviceClass *dc = DEVICE_CLASS(klass);
2269 SDCardClass *sc = SD_CARD_CLASS(klass);
2270
2271 dc->realize = sd_realize;
2272 device_class_set_props(dc, sd_properties);
2273 dc->vmsd = &sd_vmstate;
2274 dc->reset = sd_reset;
2275 dc->bus_type = TYPE_SD_BUS;
2276 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2277
2278 sc->set_voltage = sd_set_voltage;
2279 sc->get_dat_lines = sd_get_dat_lines;
2280 sc->get_cmd_line = sd_get_cmd_line;
2281 sc->do_command = sd_do_command;
2282 sc->write_byte = sd_write_byte;
2283 sc->read_byte = sd_read_byte;
2284 sc->receive_ready = sd_receive_ready;
2285 sc->data_ready = sd_data_ready;
2286 sc->enable = sd_enable;
2287 sc->get_inserted = sd_get_inserted;
2288 sc->get_readonly = sd_get_readonly;
2289 sc->proto = &sd_proto_sd;
2290 }
2291
2292 /*
2293 * We do not model the chip select pin, so allow the board to select
2294 * whether card should be in SSI or MMC/SD mode. It is also up to the
2295 * board to ensure that ssi transfers only occur when the chip select
2296 * is asserted.
2297 */
2298 static void sd_spi_class_init(ObjectClass *klass, void *data)
2299 {
2300 DeviceClass *dc = DEVICE_CLASS(klass);
2301 SDCardClass *sc = SD_CARD_CLASS(klass);
2302
2303 dc->desc = "SD SPI";
2304 sc->proto = &sd_proto_spi;
2305 }
2306
2307 static const TypeInfo sd_types[] = {
2308 {
2309 .name = TYPE_SD_CARD,
2310 .parent = TYPE_DEVICE,
2311 .instance_size = sizeof(SDState),
2312 .class_size = sizeof(SDCardClass),
2313 .class_init = sd_class_init,
2314 .instance_init = sd_instance_init,
2315 .instance_finalize = sd_instance_finalize,
2316 },
2317 {
2318 .name = TYPE_SD_CARD_SPI,
2319 .parent = TYPE_SD_CARD,
2320 .class_init = sd_spi_class_init,
2321 },
2322 };
2323
2324 DEFINE_TYPES(sd_types)
armbru's QEMU hackery