search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd/sdcard: Convert LOCK_UNLOCK to generic_write_byte (CMD42)
[qemu/armbru.git] / hw / sd / sd.c
blob822debb28bf65f57103ae381165f81257abe2d9d
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state = 1,
81 sd_identification_state = 2,
82 sd_standby_state = 3,
83 sd_transfer_state = 4,
84 sd_sendingdata_state = 5,
85 sd_receivingdata_state = 6,
86 sd_programming_state = 7,
87 sd_disconnect_state = 8,
88 };
89
90 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
91
92 typedef struct SDProto {
93 const char *name;
94 sd_cmd_handler cmd[SDMMC_CMD_MAX];
95 sd_cmd_handler acmd[SDMMC_CMD_MAX];
96 } SDProto;
97
98 struct SDState {
99 DeviceState parent_obj;
100
101 /* If true, created by sd_init() for a non-qdevified caller */
102 /* TODO purge them with fire */
103 bool me_no_qdev_me_kill_mammoth_with_rocks;
104
105 /* SD Memory Card Registers */
106 uint32_t ocr;
107 uint8_t scr[8];
108 uint8_t cid[16];
109 uint8_t csd[16];
110 uint16_t rca;
111 uint32_t card_status;
112 uint8_t sd_status[64];
113
114 /* Static properties */
115
116 uint8_t spec_version;
117 BlockBackend *blk;
118
119 const SDProto *proto;
120
121 /* Runtime changeables */
122
123 uint32_t mode; /* current card mode, one of SDCardModes */
124 int32_t state; /* current card state, one of SDCardStates */
125 uint32_t vhs;
126 bool wp_switch;
127 unsigned long *wp_group_bmap;
128 int32_t wp_group_bits;
129 uint64_t size;
130 uint32_t blk_len;
131 uint32_t multi_blk_cnt;
132 uint32_t erase_start;
133 uint32_t erase_end;
134 uint8_t pwd[16];
135 uint32_t pwd_len;
136 uint8_t function_group[6];
137 uint8_t current_cmd;
138 const char *last_cmd_name;
139 /* True if we will handle the next command as an ACMD. Note that this does
140 * *not* track the APP_CMD status bit!
141 */
142 bool expecting_acmd;
143 uint32_t blk_written;
144
145 uint64_t data_start;
146 uint32_t data_offset;
147 size_t data_size;
148 uint8_t data[512];
149 qemu_irq readonly_cb;
150 qemu_irq inserted_cb;
151 QEMUTimer *ocr_power_timer;
152 bool enable;
153 uint8_t dat_lines;
154 bool cmd_line;
155 };
156
157 static void sd_realize(DeviceState *dev, Error **errp);
158
159 static const SDProto sd_proto_spi;
160
161 static bool sd_is_spi(SDState *sd)
162 {
163 return sd->proto == &sd_proto_spi;
164 }
165
166 static const char *sd_version_str(enum SDPhySpecificationVersion version)
167 {
168 static const char *sdphy_version[] = {
169 [SD_PHY_SPECv1_10_VERS] = "v1.10",
170 [SD_PHY_SPECv2_00_VERS] = "v2.00",
171 [SD_PHY_SPECv3_01_VERS] = "v3.01",
172 };
173 if (version >= ARRAY_SIZE(sdphy_version)) {
174 return "unsupported version";
175 }
176 return sdphy_version[version];
177 }
178
179 static const char *sd_mode_name(enum SDCardModes mode)
180 {
181 static const char *mode_name[] = {
182 [sd_inactive] = "inactive",
183 [sd_card_identification_mode] = "identification",
184 [sd_data_transfer_mode] = "transfer",
185 };
186 assert(mode < ARRAY_SIZE(mode_name));
187 return mode_name[mode];
188 }
189
190 static const char *sd_state_name(enum SDCardStates state)
191 {
192 static const char *state_name[] = {
193 [sd_idle_state] = "idle",
194 [sd_ready_state] = "ready",
195 [sd_identification_state] = "identification",
196 [sd_standby_state] = "standby",
197 [sd_transfer_state] = "transfer",
198 [sd_sendingdata_state] = "sendingdata",
199 [sd_receivingdata_state] = "receivingdata",
200 [sd_programming_state] = "programming",
201 [sd_disconnect_state] = "disconnect",
202 };
203 if (state == sd_inactive_state) {
204 return "inactive";
205 }
206 assert(state < ARRAY_SIZE(state_name));
207 return state_name[state];
208 }
209
210 static const char *sd_response_name(sd_rsp_type_t rsp)
211 {
212 static const char *response_name[] = {
213 [sd_r0] = "RESP#0 (no response)",
214 [sd_r1] = "RESP#1 (normal cmd)",
215 [sd_r2_i] = "RESP#2 (CID reg)",
216 [sd_r2_s] = "RESP#2 (CSD reg)",
217 [sd_r3] = "RESP#3 (OCR reg)",
218 [sd_r6] = "RESP#6 (RCA)",
219 [sd_r7] = "RESP#7 (operating voltage)",
220 };
221 if (rsp == sd_illegal) {
222 return "ILLEGAL RESP";
223 }
224 if (rsp == sd_r1b) {
225 rsp = sd_r1;
226 }
227 assert(rsp < ARRAY_SIZE(response_name));
228 return response_name[rsp];
229 }
230
231 static uint8_t sd_get_dat_lines(SDState *sd)
232 {
233 return sd->enable ? sd->dat_lines : 0;
234 }
235
236 static bool sd_get_cmd_line(SDState *sd)
237 {
238 return sd->enable ? sd->cmd_line : false;
239 }
240
241 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
242 {
243 trace_sdcard_set_voltage(millivolts);
244
245 switch (millivolts) {
246 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
247 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
248 break;
249 default:
250 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
251 millivolts / 1000.f);
252 }
253 }
254
255 static void sd_set_mode(SDState *sd)
256 {
257 switch (sd->state) {
258 case sd_inactive_state:
259 sd->mode = sd_inactive;
260 break;
261
262 case sd_idle_state:
263 case sd_ready_state:
264 case sd_identification_state:
265 sd->mode = sd_card_identification_mode;
266 break;
267
268 case sd_standby_state:
269 case sd_transfer_state:
270 case sd_sendingdata_state:
271 case sd_receivingdata_state:
272 case sd_programming_state:
273 case sd_disconnect_state:
274 sd->mode = sd_data_transfer_mode;
275 break;
276 }
277 }
278
279 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
280 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
281 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
282 /* 16 */
283 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
284 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
285 /* 32 */
286 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
287 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
288 /* 48 */
289 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
290 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
291 };
292
293 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
294 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
295 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
296 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
297 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
298 };
299
300 static uint8_t sd_crc7(const void *message, size_t width)
301 {
302 int i, bit;
303 uint8_t shift_reg = 0x00;
304 const uint8_t *msg = (const uint8_t *)message;
305
306 for (i = 0; i < width; i ++, msg ++)
307 for (bit = 7; bit >= 0; bit --) {
308 shift_reg <<= 1;
309 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
310 shift_reg ^= 0x89;
311 }
312
313 return shift_reg;
314 }
315
316 /* Operation Conditions register */
317
318 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
319
320 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
321 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
322 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
323 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
324 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
325 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
326 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
327 FIELD(OCR, CARD_POWER_UP, 31, 1)
328
329 #define ACMD41_ENQUIRY_MASK 0x00ffffff
330 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
331 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
332 | R_OCR_UHS_II_CARD_MASK \
333 | R_OCR_CARD_CAPACITY_MASK \
334 | R_OCR_CARD_POWER_UP_MASK)
335
336 static void sd_ocr_powerup(void *opaque)
337 {
338 SDState *sd = opaque;
339
340 trace_sdcard_powerup();
341 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
342
343 /* card power-up OK */
344 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
345
346 if (sd->size > SDSC_MAX_CAPACITY) {
347 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
348 }
349 }
350
351 static void sd_set_ocr(SDState *sd)
352 {
353 /* All voltages OK */
354 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
355
356 if (sd_is_spi(sd)) {
357 /*
358 * We don't need to emulate power up sequence in SPI-mode.
359 * Thus, the card's power up status bit should be set to 1 when reset.
360 * The card's capacity status bit should also be set if SD card size
361 * is larger than 2GB for SDHC support.
362 */
363 sd_ocr_powerup(sd);
364 }
365 }
366
367 /* SD Configuration register */
368
369 static void sd_set_scr(SDState *sd)
370 {
371 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
372 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
373 sd->scr[0] |= 1; /* Spec Version 1.10 */
374 } else {
375 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
376 }
377 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
378 | 0b0101; /* 1-bit or 4-bit width bus modes */
379 sd->scr[2] = 0x00; /* Extended Security is not supported. */
380 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
381 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
382 }
383 sd->scr[3] = 0x00;
384 /* reserved for manufacturer usage */
385 sd->scr[4] = 0x00;
386 sd->scr[5] = 0x00;
387 sd->scr[6] = 0x00;
388 sd->scr[7] = 0x00;
389 }
390
391 /* Card IDentification register */
392
393 #define MID 0xaa
394 #define OID "XY"
395 #define PNM "QEMU!"
396 #define PRV 0x01
397 #define MDT_YR 2006
398 #define MDT_MON 2
399
400 static void sd_set_cid(SDState *sd)
401 {
402 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
403 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
404 sd->cid[2] = OID[1];
405 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
406 sd->cid[4] = PNM[1];
407 sd->cid[5] = PNM[2];
408 sd->cid[6] = PNM[3];
409 sd->cid[7] = PNM[4];
410 sd->cid[8] = PRV; /* Fake product revision (PRV) */
411 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
412 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
413 ((MDT_YR - 2000) / 10);
414 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
415 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
416 }
417
418 /* Card-Specific Data register */
419
420 #define HWBLOCK_SHIFT 9 /* 512 bytes */
421 #define SECTOR_SHIFT 5 /* 16 kilobytes */
422 #define WPGROUP_SHIFT 7 /* 2 megs */
423 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
424 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
425
426 static const uint8_t sd_csd_rw_mask[16] = {
427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
428 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
429 };
430
431 static void sd_set_csd(SDState *sd, uint64_t size)
432 {
433 int hwblock_shift = HWBLOCK_SHIFT;
434 uint32_t csize;
435 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
436 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
437
438 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
439 if (size == SDSC_MAX_CAPACITY) {
440 hwblock_shift += 1;
441 }
442 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
443
444 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
445 sd->csd[0] = 0x00; /* CSD structure */
446 sd->csd[1] = 0x26; /* Data read access-time-1 */
447 sd->csd[2] = 0x00; /* Data read access-time-2 */
448 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
449 sd->csd[4] = 0x5f; /* Card Command Classes */
450 sd->csd[5] = 0x50 | /* Max. read data block length */
451 hwblock_shift;
452 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
453 ((csize >> 10) & 0x03);
454 sd->csd[7] = 0x00 | /* Device size */
455 ((csize >> 2) & 0xff);
456 sd->csd[8] = 0x3f | /* Max. read current */
457 ((csize << 6) & 0xc0);
458 sd->csd[9] = 0xfc | /* Max. write current */
459 ((CMULT_SHIFT - 2) >> 1);
460 sd->csd[10] = 0x40 | /* Erase sector size */
461 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
462 sd->csd[11] = 0x00 | /* Write protect group size */
463 ((sectsize << 7) & 0x80) | wpsize;
464 sd->csd[12] = 0x90 | /* Write speed factor */
465 (hwblock_shift >> 2);
466 sd->csd[13] = 0x20 | /* Max. write data block length */
467 ((hwblock_shift << 6) & 0xc0);
468 sd->csd[14] = 0x00; /* File format group */
469 } else { /* SDHC */
470 size /= 512 * KiB;
471 size -= 1;
472 sd->csd[0] = 0x40;
473 sd->csd[1] = 0x0e;
474 sd->csd[2] = 0x00;
475 sd->csd[3] = 0x32;
476 sd->csd[4] = 0x5b;
477 sd->csd[5] = 0x59;
478 sd->csd[6] = 0x00;
479 st24_be_p(&sd->csd[7], size);
480 sd->csd[10] = 0x7f;
481 sd->csd[11] = 0x80;
482 sd->csd[12] = 0x0a;
483 sd->csd[13] = 0x40;
484 sd->csd[14] = 0x00;
485 }
486 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
487 }
488
489 /* Relative Card Address register */
490
491 static void sd_set_rca(SDState *sd)
492 {
493 sd->rca += 0x4567;
494 }
495
496 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
497 {
498 if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc) {
499 return req.arg >> 16;
500 }
501 return 0;
502 }
503
504 /* Card Status register */
505
506 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
507 FIELD(CSR, APP_CMD, 5, 1)
508 FIELD(CSR, FX_EVENT, 6, 1)
509 FIELD(CSR, READY_FOR_DATA, 8, 1)
510 FIELD(CSR, CURRENT_STATE, 9, 4)
511 FIELD(CSR, ERASE_RESET, 13, 1)
512 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
513 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
514 FIELD(CSR, CSD_OVERWRITE, 16, 1)
515 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
516 FIELD(CSR, ERROR, 19, 1)
517 FIELD(CSR, CC_ERROR, 20, 1)
518 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
519 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
520 FIELD(CSR, COM_CRC_ERROR, 23, 1)
521 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
522 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
523 FIELD(CSR, WP_VIOLATION, 26, 1)
524 FIELD(CSR, ERASE_PARAM, 27, 1)
525 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
526 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
527 FIELD(CSR, ADDRESS_ERROR, 30, 1)
528 FIELD(CSR, OUT_OF_RANGE, 31, 1)
529
530 /* Card status bits, split by clear condition:
531 * A : According to the card current state
532 * B : Always related to the previous command
533 * C : Cleared by read
534 */
535 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
536 | R_CSR_CARD_ECC_DISABLED_MASK \
537 | R_CSR_CARD_IS_LOCKED_MASK)
538 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
539 | R_CSR_ILLEGAL_COMMAND_MASK \
540 | R_CSR_COM_CRC_ERROR_MASK)
541 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
542 | R_CSR_APP_CMD_MASK \
543 | R_CSR_ERASE_RESET_MASK \
544 | R_CSR_WP_ERASE_SKIP_MASK \
545 | R_CSR_CSD_OVERWRITE_MASK \
546 | R_CSR_ERROR_MASK \
547 | R_CSR_CC_ERROR_MASK \
548 | R_CSR_CARD_ECC_FAILED_MASK \
549 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
550 | R_CSR_WP_VIOLATION_MASK \
551 | R_CSR_ERASE_PARAM_MASK \
552 | R_CSR_ERASE_SEQ_ERROR_MASK \
553 | R_CSR_BLOCK_LEN_ERROR_MASK \
554 | R_CSR_ADDRESS_ERROR_MASK \
555 | R_CSR_OUT_OF_RANGE_MASK)
556
557 static void sd_set_cardstatus(SDState *sd)
558 {
559 sd->card_status = READY_FOR_DATA;
560 }
561
562 static void sd_set_sdstatus(SDState *sd)
563 {
564 memset(sd->sd_status, 0, 64);
565 }
566
567 static const uint8_t sd_tuning_block_pattern4[64] = {
568 /*
569 * See: Physical Layer Simplified Specification Version 3.01,
570 * Table 4-2.
571 */
572 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
573 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
574 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
575 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
576 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
577 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
578 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
579 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde
580 };
581
582 static int sd_req_crc_validate(SDRequest *req)
583 {
584 uint8_t buffer[5];
585 buffer[0] = 0x40 | req->cmd;
586 stl_be_p(&buffer[1], req->arg);
587 return 0;
588 return sd_crc7(buffer, 5) != req->crc; /* TODO */
589 }
590
591 static void sd_response_r1_make(SDState *sd, uint8_t *response)
592 {
593 stl_be_p(response, sd->card_status);
594
595 /* Clear the "clear on read" status bits */
596 sd->card_status &= ~CARD_STATUS_C;
597 }
598
599 static void sd_response_r3_make(SDState *sd, uint8_t *response)
600 {
601 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
602 }
603
604 static void sd_response_r6_make(SDState *sd, uint8_t *response)
605 {
606 uint16_t status;
607
608 status = ((sd->card_status >> 8) & 0xc000) |
609 ((sd->card_status >> 6) & 0x2000) |
610 (sd->card_status & 0x1fff);
611 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
612 stw_be_p(response + 0, sd->rca);
613 stw_be_p(response + 2, status);
614 }
615
616 static void sd_response_r7_make(SDState *sd, uint8_t *response)
617 {
618 stl_be_p(response, sd->vhs);
619 }
620
621 static uint32_t sd_blk_len(SDState *sd)
622 {
623 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
624 return 1 << HWBLOCK_SHIFT;
625 }
626 return sd->blk_len;
627 }
628
629 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
630 {
631 uint64_t addr;
632
633 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
634 addr = (uint64_t) req.arg << HWBLOCK_SHIFT;
635 } else {
636 addr = req.arg;
637 }
638 trace_sdcard_req_addr(req.arg, addr);
639 return addr;
640 }
641
642 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
643 {
644 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
645 }
646
647 static void sd_reset(DeviceState *dev)
648 {
649 SDState *sd = SD_CARD(dev);
650 uint64_t size;
651 uint64_t sect;
652
653 trace_sdcard_reset();
654 if (sd->blk) {
655 blk_get_geometry(sd->blk, &sect);
656 } else {
657 sect = 0;
658 }
659 size = sect << HWBLOCK_SHIFT;
660
661 sect = sd_addr_to_wpnum(size) + 1;
662
663 sd->state = sd_idle_state;
664
665 /* card registers */
666 sd->rca = 0x0000;
667 sd->size = size;
668 sd_set_ocr(sd);
669 sd_set_scr(sd);
670 sd_set_cid(sd);
671 sd_set_csd(sd, size);
672 sd_set_cardstatus(sd);
673 sd_set_sdstatus(sd);
674
675 g_free(sd->wp_group_bmap);
676 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
677 sd->wp_group_bits = sect;
678 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
679 memset(sd->function_group, 0, sizeof(sd->function_group));
680 sd->erase_start = INVALID_ADDRESS;
681 sd->erase_end = INVALID_ADDRESS;
682 sd->blk_len = 0x200;
683 sd->pwd_len = 0;
684 sd->expecting_acmd = false;
685 sd->dat_lines = 0xf;
686 sd->cmd_line = true;
687 sd->multi_blk_cnt = 0;
688 }
689
690 static bool sd_get_inserted(SDState *sd)
691 {
692 return sd->blk && blk_is_inserted(sd->blk);
693 }
694
695 static bool sd_get_readonly(SDState *sd)
696 {
697 return sd->wp_switch;
698 }
699
700 static void sd_cardchange(void *opaque, bool load, Error **errp)
701 {
702 SDState *sd = opaque;
703 DeviceState *dev = DEVICE(sd);
704 SDBus *sdbus;
705 bool inserted = sd_get_inserted(sd);
706 bool readonly = sd_get_readonly(sd);
707
708 if (inserted) {
709 trace_sdcard_inserted(readonly);
710 sd_reset(dev);
711 } else {
712 trace_sdcard_ejected();
713 }
714
715 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
716 qemu_set_irq(sd->inserted_cb, inserted);
717 if (inserted) {
718 qemu_set_irq(sd->readonly_cb, readonly);
719 }
720 } else {
721 sdbus = SD_BUS(qdev_get_parent_bus(dev));
722 sdbus_set_inserted(sdbus, inserted);
723 if (inserted) {
724 sdbus_set_readonly(sdbus, readonly);
725 }
726 }
727 }
728
729 static const BlockDevOps sd_block_ops = {
730 .change_media_cb = sd_cardchange,
731 };
732
733 static bool sd_ocr_vmstate_needed(void *opaque)
734 {
735 SDState *sd = opaque;
736
737 /* Include the OCR state (and timer) if it is not yet powered up */
738 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
739 }
740
741 static const VMStateDescription sd_ocr_vmstate = {
742 .name = "sd-card/ocr-state",
743 .version_id = 1,
744 .minimum_version_id = 1,
745 .needed = sd_ocr_vmstate_needed,
746 .fields = (const VMStateField[]) {
747 VMSTATE_UINT32(ocr, SDState),
748 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
749 VMSTATE_END_OF_LIST()
750 },
751 };
752
753 static int sd_vmstate_pre_load(void *opaque)
754 {
755 SDState *sd = opaque;
756
757 /* If the OCR state is not included (prior versions, or not
758 * needed), then the OCR must be set as powered up. If the OCR state
759 * is included, this will be replaced by the state restore.
760 */
761 sd_ocr_powerup(sd);
762
763 return 0;
764 }
765
766 static const VMStateDescription sd_vmstate = {
767 .name = "sd-card",
768 .version_id = 2,
769 .minimum_version_id = 2,
770 .pre_load = sd_vmstate_pre_load,
771 .fields = (const VMStateField[]) {
772 VMSTATE_UINT32(mode, SDState),
773 VMSTATE_INT32(state, SDState),
774 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
775 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
776 VMSTATE_UINT16(rca, SDState),
777 VMSTATE_UINT32(card_status, SDState),
778 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
779 VMSTATE_UINT32(vhs, SDState),
780 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
781 VMSTATE_UINT32(blk_len, SDState),
782 VMSTATE_UINT32(multi_blk_cnt, SDState),
783 VMSTATE_UINT32(erase_start, SDState),
784 VMSTATE_UINT32(erase_end, SDState),
785 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
786 VMSTATE_UINT32(pwd_len, SDState),
787 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
788 VMSTATE_UINT8(current_cmd, SDState),
789 VMSTATE_BOOL(expecting_acmd, SDState),
790 VMSTATE_UINT32(blk_written, SDState),
791 VMSTATE_UINT64(data_start, SDState),
792 VMSTATE_UINT32(data_offset, SDState),
793 VMSTATE_UINT8_ARRAY(data, SDState, 512),
794 VMSTATE_UNUSED_V(1, 512),
795 VMSTATE_BOOL(enable, SDState),
796 VMSTATE_END_OF_LIST()
797 },
798 .subsections = (const VMStateDescription * const []) {
799 &sd_ocr_vmstate,
800 NULL
801 },
802 };
803
804 /* Legacy initialization function for use by non-qdevified callers */
805 SDState *sd_init(BlockBackend *blk, bool is_spi)
806 {
807 Object *obj;
808 DeviceState *dev;
809 SDState *sd;
810 Error *err = NULL;
811
812 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
813 dev = DEVICE(obj);
814 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
815 error_reportf_err(err, "sd_init failed: ");
816 return NULL;
817 }
818
819 /*
820 * Realizing the device properly would put it into the QOM
821 * composition tree even though it is not plugged into an
822 * appropriate bus. That's a no-no. Hide the device from
823 * QOM/qdev, and call its qdev realize callback directly.
824 */
825 object_ref(obj);
826 object_unparent(obj);
827 sd_realize(dev, &err);
828 if (err) {
829 error_reportf_err(err, "sd_init failed: ");
830 return NULL;
831 }
832
833 sd = SD_CARD(dev);
834 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
835 return sd;
836 }
837
838 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
839 {
840 sd->readonly_cb = readonly;
841 sd->inserted_cb = insert;
842 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
843 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
844 }
845
846 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
847 {
848 trace_sdcard_read_block(addr, len);
849 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
850 fprintf(stderr, "sd_blk_read: read error on host side\n");
851 }
852 }
853
854 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
855 {
856 trace_sdcard_write_block(addr, len);
857 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
858 fprintf(stderr, "sd_blk_write: write error on host side\n");
859 }
860 }
861
862 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
863 #define APP_WRITE_BLOCK(a, len)
864
865 static void sd_erase(SDState *sd)
866 {
867 uint64_t erase_start = sd->erase_start;
868 uint64_t erase_end = sd->erase_end;
869 bool sdsc = true;
870 uint64_t wpnum;
871 uint64_t erase_addr;
872 int erase_len = 1 << HWBLOCK_SHIFT;
873
874 trace_sdcard_erase(sd->erase_start, sd->erase_end);
875 if (sd->erase_start == INVALID_ADDRESS
876 || sd->erase_end == INVALID_ADDRESS) {
877 sd->card_status |= ERASE_SEQ_ERROR;
878 sd->erase_start = INVALID_ADDRESS;
879 sd->erase_end = INVALID_ADDRESS;
880 return;
881 }
882
883 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
884 /* High capacity memory card: erase units are 512 byte blocks */
885 erase_start <<= HWBLOCK_SHIFT;
886 erase_end <<= HWBLOCK_SHIFT;
887 sdsc = false;
888 }
889
890 if (erase_start > sd->size || erase_end > sd->size) {
891 sd->card_status |= OUT_OF_RANGE;
892 sd->erase_start = INVALID_ADDRESS;
893 sd->erase_end = INVALID_ADDRESS;
894 return;
895 }
896
897 sd->erase_start = INVALID_ADDRESS;
898 sd->erase_end = INVALID_ADDRESS;
899 sd->csd[14] |= 0x40;
900
901 memset(sd->data, 0xff, erase_len);
902 for (erase_addr = erase_start; erase_addr <= erase_end;
903 erase_addr += erase_len) {
904 if (sdsc) {
905 /* Only SDSC cards support write protect groups */
906 wpnum = sd_addr_to_wpnum(erase_addr);
907 assert(wpnum < sd->wp_group_bits);
908 if (test_bit(wpnum, sd->wp_group_bmap)) {
909 sd->card_status |= WP_ERASE_SKIP;
910 continue;
911 }
912 }
913 sd_blk_write(sd, erase_addr, erase_len);
914 }
915 }
916
917 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
918 {
919 uint32_t i, wpnum;
920 uint32_t ret = 0;
921
922 wpnum = sd_addr_to_wpnum(addr);
923
924 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
925 if (addr >= sd->size) {
926 /*
927 * If the addresses of the last groups are outside the valid range,
928 * then the corresponding write protection bits shall be set to 0.
929 */
930 continue;
931 }
932 assert(wpnum < sd->wp_group_bits);
933 if (test_bit(wpnum, sd->wp_group_bmap)) {
934 ret |= (1 << i);
935 }
936 }
937
938 return ret;
939 }
940
941 static void sd_function_switch(SDState *sd, uint32_t arg)
942 {
943 int i, mode, new_func;
944 mode = !!(arg & 0x80000000);
945
946 sd->data[0] = 0x00; /* Maximum current consumption */
947 sd->data[1] = 0x01;
948 sd->data[2] = 0x80; /* Supported group 6 functions */
949 sd->data[3] = 0x01;
950 sd->data[4] = 0x80; /* Supported group 5 functions */
951 sd->data[5] = 0x01;
952 sd->data[6] = 0x80; /* Supported group 4 functions */
953 sd->data[7] = 0x01;
954 sd->data[8] = 0x80; /* Supported group 3 functions */
955 sd->data[9] = 0x01;
956 sd->data[10] = 0x80; /* Supported group 2 functions */
957 sd->data[11] = 0x43;
958 sd->data[12] = 0x80; /* Supported group 1 functions */
959 sd->data[13] = 0x03;
960
961 memset(&sd->data[14], 0, 3);
962 for (i = 0; i < 6; i ++) {
963 new_func = (arg >> (i * 4)) & 0x0f;
964 if (mode && new_func != 0x0f)
965 sd->function_group[i] = new_func;
966 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
967 }
968 memset(&sd->data[17], 0, 47);
969 }
970
971 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
972 {
973 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
974 }
975
976 static void sd_lock_command(SDState *sd)
977 {
978 int erase, lock, clr_pwd, set_pwd, pwd_len;
979 erase = !!(sd->data[0] & 0x08);
980 lock = sd->data[0] & 0x04;
981 clr_pwd = sd->data[0] & 0x02;
982 set_pwd = sd->data[0] & 0x01;
983
984 if (sd->blk_len > 1)
985 pwd_len = sd->data[1];
986 else
987 pwd_len = 0;
988
989 if (lock) {
990 trace_sdcard_lock();
991 } else {
992 trace_sdcard_unlock();
993 }
994 if (erase) {
995 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
996 set_pwd || clr_pwd || lock || sd->wp_switch ||
997 (sd->csd[14] & 0x20)) {
998 sd->card_status |= LOCK_UNLOCK_FAILED;
999 return;
1000 }
1001 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
1002 sd->csd[14] &= ~0x10;
1003 sd->card_status &= ~CARD_IS_LOCKED;
1004 sd->pwd_len = 0;
1005 /* Erasing the entire card here! */
1006 fprintf(stderr, "SD: Card force-erased by CMD42\n");
1007 return;
1008 }
1009
1010 if (sd->blk_len < 2 + pwd_len ||
1011 pwd_len <= sd->pwd_len ||
1012 pwd_len > sd->pwd_len + 16) {
1013 sd->card_status |= LOCK_UNLOCK_FAILED;
1014 return;
1015 }
1016
1017 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
1018 sd->card_status |= LOCK_UNLOCK_FAILED;
1019 return;
1020 }
1021
1022 pwd_len -= sd->pwd_len;
1023 if ((pwd_len && !set_pwd) ||
1024 (clr_pwd && (set_pwd || lock)) ||
1025 (lock && !sd->pwd_len && !set_pwd) ||
1026 (!set_pwd && !clr_pwd &&
1027 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1028 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1029 sd->card_status |= LOCK_UNLOCK_FAILED;
1030 return;
1031 }
1032
1033 if (set_pwd) {
1034 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1035 sd->pwd_len = pwd_len;
1036 }
1037
1038 if (clr_pwd) {
1039 sd->pwd_len = 0;
1040 }
1041
1042 if (lock)
1043 sd->card_status |= CARD_IS_LOCKED;
1044 else
1045 sd->card_status &= ~CARD_IS_LOCKED;
1046 }
1047
1048 static bool address_in_range(SDState *sd, const char *desc,
1049 uint64_t addr, uint32_t length)
1050 {
1051 if (addr + length > sd->size) {
1052 qemu_log_mask(LOG_GUEST_ERROR,
1053 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1054 desc, addr, sd->size, length);
1055 sd->card_status |= ADDRESS_ERROR;
1056 return false;
1057 }
1058 return true;
1059 }
1060
1061 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1062 {
1063 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1064 sd->proto->name, req.cmd, sd_state_name(sd->state),
1065 sd_version_str(sd->spec_version));
1066
1067 return sd_illegal;
1068 }
1069
1070 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
1071 {
1072 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
1073 sd->proto->name, req.cmd, sd_mode_name(sd->mode),
1074 sd_version_str(sd->spec_version));
1075
1076 return sd_illegal;
1077 }
1078
1079 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1080 {
1081 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1082 sd->proto->name, req.cmd,
1083 sd_version_str(sd->spec_version));
1084
1085 return sd_illegal;
1086 }
1087
1088 /* Commands that are recognised but not yet implemented. */
1089 __attribute__((unused))
1090 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1091 {
1092 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1093 sd->proto->name, req.cmd);
1094
1095 return sd_illegal;
1096 }
1097
1098 /* Configure fields for following sd_generic_write_byte() calls */
1099 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req,
1100 uint64_t start, size_t size)
1101 {
1102 if (sd->state != sd_transfer_state) {
1103 return sd_invalid_state_for_cmd(sd, req);
1104 }
1105 sd->state = sd_receivingdata_state;
1106 sd->data_start = start;
1107 sd->data_offset = 0;
1108 /* sd->data[] used as receive buffer */
1109 sd->data_size = size ?: sizeof(sd->data);
1110 return sd_r1;
1111 }
1112
1113 /* Configure fields for following sd_generic_read_byte() calls */
1114 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req,
1115 uint64_t start,
1116 const void *data, size_t size)
1117 {
1118 if (sd->state != sd_transfer_state) {
1119 sd_invalid_state_for_cmd(sd, req);
1120 }
1121
1122 sd->state = sd_sendingdata_state;
1123 sd->data_start = start;
1124 sd->data_offset = 0;
1125 if (data) {
1126 assert(size > 0 && size <= sizeof(sd->data));
1127 memcpy(sd->data, data, size);
1128 }
1129 if (size) {
1130 sd->data_size = size;
1131 }
1132 return sd_r1;
1133 }
1134
1135 /* CMD0 */
1136 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1137 {
1138 sd->state = sd_idle_state;
1139 sd_reset(DEVICE(sd));
1140
1141 return sd_is_spi(sd) ? sd_r1 : sd_r0;
1142 }
1143
1144 /* CMD1 */
1145 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1146 {
1147 sd->state = sd_transfer_state;
1148
1149 return sd_r1;
1150 }
1151
1152 /* CMD2 */
1153 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1154 {
1155 switch (sd->state) {
1156 case sd_ready_state:
1157 sd->state = sd_identification_state;
1158 return sd_r2_i;
1159 default:
1160 return sd_invalid_state_for_cmd(sd, req);
1161 }
1162 }
1163
1164 /* CMD3 */
1165 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1166 {
1167 switch (sd->state) {
1168 case sd_identification_state:
1169 case sd_standby_state:
1170 sd->state = sd_standby_state;
1171 sd_set_rca(sd);
1172 return sd_r6;
1173
1174 default:
1175 return sd_invalid_state_for_cmd(sd, req);
1176 }
1177 }
1178
1179 /* CMD19 */
1180 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1181 {
1182 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1183 return sd_cmd_illegal(sd, req);
1184 }
1185
1186 return sd_cmd_to_sendingdata(sd, req, 0,
1187 sd_tuning_block_pattern4,
1188 sizeof(sd_tuning_block_pattern4));
1189 }
1190
1191 /* CMD23 */
1192 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1193 {
1194 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1195 return sd_cmd_illegal(sd, req);
1196 }
1197
1198 if (sd->state != sd_transfer_state) {
1199 return sd_invalid_state_for_cmd(sd, req);
1200 }
1201
1202 sd->multi_blk_cnt = req.arg;
1203 trace_sdcard_set_block_count(sd->multi_blk_cnt);
1204
1205 return sd_r1;
1206 }
1207
1208 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
1209 {
1210 uint16_t rca;
1211 uint64_t addr;
1212 uint32_t data;
1213
1214 sd->last_cmd_name = sd_cmd_name(req.cmd);
1215 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
1216 * However there is no ACMD55, so we want to trace this particular case.
1217 */
1218 if (req.cmd != 55 || sd->expecting_acmd) {
1219 trace_sdcard_normal_command(sd->proto->name,
1220 sd->last_cmd_name, req.cmd,
1221 req.arg, sd_state_name(sd->state));
1222 }
1223
1224 /* Not interpreting this as an app command */
1225 sd->card_status &= ~APP_CMD;
1226
1227 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
1228 * if not, its effects are cancelled */
1229 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
1230 sd->multi_blk_cnt = 0;
1231 }
1232
1233 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1234 /* Only Standard Capacity cards support class 6 commands */
1235 return sd_illegal;
1236 }
1237
1238 if (sd->proto->cmd[req.cmd]) {
1239 return sd->proto->cmd[req.cmd](sd, req);
1240 }
1241
1242 switch (req.cmd) {
1243 /* Basic commands (Class 0 and Class 1) */
1244 case 4: /* CMD4: SEND_DSR */
1245 switch (sd->state) {
1246 case sd_standby_state:
1247 break;
1248
1249 default:
1250 break;
1251 }
1252 break;
1253
1254 case 6: /* CMD6: SWITCH_FUNCTION */
1255 if (sd->mode != sd_data_transfer_mode) {
1256 return sd_invalid_mode_for_cmd(sd, req);
1257 }
1258 if (sd->state != sd_transfer_state) {
1259 return sd_invalid_state_for_cmd(sd, req);
1260 }
1261
1262 sd_function_switch(sd, req.arg);
1263 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64);
1264
1265 case 7: /* CMD7: SELECT/DESELECT_CARD */
1266 rca = sd_req_get_rca(sd, req);
1267 switch (sd->state) {
1268 case sd_standby_state:
1269 if (sd->rca != rca)
1270 return sd_r0;
1271
1272 sd->state = sd_transfer_state;
1273 return sd_r1b;
1274
1275 case sd_transfer_state:
1276 case sd_sendingdata_state:
1277 if (sd->rca == rca)
1278 break;
1279
1280 sd->state = sd_standby_state;
1281 return sd_r1b;
1282
1283 case sd_disconnect_state:
1284 if (sd->rca != rca)
1285 return sd_r0;
1286
1287 sd->state = sd_programming_state;
1288 return sd_r1b;
1289
1290 case sd_programming_state:
1291 if (sd->rca == rca)
1292 break;
1293
1294 sd->state = sd_disconnect_state;
1295 return sd_r1b;
1296
1297 default:
1298 break;
1299 }
1300 break;
1301
1302 case 8: /* CMD8: SEND_IF_COND */
1303 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1304 break;
1305 }
1306 if (sd->state != sd_idle_state) {
1307 break;
1308 }
1309 sd->vhs = 0;
1310
1311 /* No response if not exactly one VHS bit is set. */
1312 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1313 return sd_is_spi(sd) ? sd_r7 : sd_r0;
1314 }
1315
1316 /* Accept. */
1317 sd->vhs = req.arg;
1318 return sd_r7;
1319
1320 case 9: /* CMD9: SEND_CSD */
1321 rca = sd_req_get_rca(sd, req);
1322 switch (sd->state) {
1323 case sd_standby_state:
1324 if (sd->rca != rca)
1325 return sd_r0;
1326
1327 return sd_r2_s;
1328
1329 case sd_transfer_state:
1330 if (!sd_is_spi(sd)) {
1331 break;
1332 }
1333 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1334 sd->csd, 16);
1335
1336 default:
1337 break;
1338 }
1339 break;
1340
1341 case 10: /* CMD10: SEND_CID */
1342 rca = sd_req_get_rca(sd, req);
1343 switch (sd->state) {
1344 case sd_standby_state:
1345 if (sd->rca != rca)
1346 return sd_r0;
1347
1348 return sd_r2_i;
1349
1350 case sd_transfer_state:
1351 if (!sd_is_spi(sd)) {
1352 break;
1353 }
1354 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1355 sd->cid, 16);
1356
1357 default:
1358 break;
1359 }
1360 break;
1361
1362 case 12: /* CMD12: STOP_TRANSMISSION */
1363 switch (sd->state) {
1364 case sd_sendingdata_state:
1365 sd->state = sd_transfer_state;
1366 return sd_r1b;
1367
1368 case sd_receivingdata_state:
1369 sd->state = sd_programming_state;
1370 /* Bzzzzzzztt .... Operation complete. */
1371 sd->state = sd_transfer_state;
1372 return sd_r1b;
1373
1374 default:
1375 break;
1376 }
1377 break;
1378
1379 case 13: /* CMD13: SEND_STATUS */
1380 rca = sd_req_get_rca(sd, req);
1381 if (sd->mode != sd_data_transfer_mode) {
1382 return sd_invalid_mode_for_cmd(sd, req);
1383 }
1384 if (!sd_is_spi(sd) && sd->rca != rca) {
1385 return sd_r0;
1386 }
1387
1388 return sd_r1;
1389
1390 case 15: /* CMD15: GO_INACTIVE_STATE */
1391 if (sd->mode != sd_data_transfer_mode) {
1392 return sd_invalid_mode_for_cmd(sd, req);
1393 }
1394 rca = sd_req_get_rca(sd, req);
1395 if (sd->rca == rca) {
1396 sd->state = sd_inactive_state;
1397 }
1398 return sd_r0;
1399
1400 /* Block read commands (Class 2) */
1401 case 16: /* CMD16: SET_BLOCKLEN */
1402 switch (sd->state) {
1403 case sd_transfer_state:
1404 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1405 sd->card_status |= BLOCK_LEN_ERROR;
1406 } else {
1407 trace_sdcard_set_blocklen(req.arg);
1408 sd->blk_len = req.arg;
1409 }
1410
1411 return sd_r1;
1412
1413 default:
1414 break;
1415 }
1416 break;
1417
1418 case 17: /* CMD17: READ_SINGLE_BLOCK */
1419 addr = sd_req_get_address(sd, req);
1420 switch (sd->state) {
1421 case sd_transfer_state:
1422
1423 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) {
1424 return sd_r1;
1425 }
1426 sd_blk_read(sd, addr, sd->blk_len);
1427 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len);
1428
1429 default:
1430 break;
1431 }
1432 break;
1433
1434 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1435 addr = sd_req_get_address(sd, req);
1436 switch (sd->state) {
1437 case sd_transfer_state:
1438
1439 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1440 return sd_r1;
1441 }
1442
1443 sd->state = sd_sendingdata_state;
1444 sd->data_start = addr;
1445 sd->data_offset = 0;
1446 return sd_r1;
1447
1448 default:
1449 break;
1450 }
1451 break;
1452
1453 /* Block write commands (Class 4) */
1454 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1455 addr = sd_req_get_address(sd, req);
1456 switch (sd->state) {
1457 case sd_transfer_state:
1458
1459 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr,
1460 sd->blk_len)) {
1461 return sd_r1;
1462 }
1463
1464 if (sd->size <= SDSC_MAX_CAPACITY) {
1465 if (sd_wp_addr(sd, sd->data_start)) {
1466 sd->card_status |= WP_VIOLATION;
1467 }
1468 }
1469 if (sd->csd[14] & 0x30) {
1470 sd->card_status |= WP_VIOLATION;
1471 }
1472 sd->blk_written = 0;
1473 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len);
1474
1475 default:
1476 break;
1477 }
1478 break;
1479
1480 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1481 addr = sd_req_get_address(sd, req);
1482 switch (sd->state) {
1483 case sd_transfer_state:
1484
1485 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1486 return sd_r1;
1487 }
1488
1489 sd->state = sd_receivingdata_state;
1490 sd->data_start = addr;
1491 sd->data_offset = 0;
1492 sd->blk_written = 0;
1493
1494 if (sd->size <= SDSC_MAX_CAPACITY) {
1495 if (sd_wp_addr(sd, sd->data_start)) {
1496 sd->card_status |= WP_VIOLATION;
1497 }
1498 }
1499 if (sd->csd[14] & 0x30) {
1500 sd->card_status |= WP_VIOLATION;
1501 }
1502 return sd_r1;
1503
1504 default:
1505 break;
1506 }
1507 break;
1508
1509 case 26: /* CMD26: PROGRAM_CID */
1510 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid));
1511
1512 case 27: /* CMD27: PROGRAM_CSD */
1513 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd));
1514
1515 /* Write protection (Class 6) */
1516 case 28: /* CMD28: SET_WRITE_PROT */
1517 if (sd->size > SDSC_MAX_CAPACITY) {
1518 return sd_illegal;
1519 }
1520 addr = sd_req_get_address(sd, req);
1521 switch (sd->state) {
1522 case sd_transfer_state:
1523 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1524 return sd_r1b;
1525 }
1526
1527 sd->state = sd_programming_state;
1528 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1529 /* Bzzzzzzztt .... Operation complete. */
1530 sd->state = sd_transfer_state;
1531 return sd_r1b;
1532
1533 default:
1534 break;
1535 }
1536 break;
1537
1538 case 29: /* CMD29: CLR_WRITE_PROT */
1539 if (sd->size > SDSC_MAX_CAPACITY) {
1540 return sd_illegal;
1541 }
1542 addr = sd_req_get_address(sd, req);
1543 switch (sd->state) {
1544 case sd_transfer_state:
1545 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1546 return sd_r1b;
1547 }
1548
1549 sd->state = sd_programming_state;
1550 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1551 /* Bzzzzzzztt .... Operation complete. */
1552 sd->state = sd_transfer_state;
1553 return sd_r1b;
1554
1555 default:
1556 break;
1557 }
1558 break;
1559
1560 case 30: /* CMD30: SEND_WRITE_PROT */
1561 if (sd->size > SDSC_MAX_CAPACITY) {
1562 return sd_illegal;
1563 }
1564 addr = sd_req_get_address(sd, req);
1565 switch (sd->state) {
1566 case sd_transfer_state:
1567 if (!address_in_range(sd, "SEND_WRITE_PROT",
1568 req.arg, sd->blk_len)) {
1569 return sd_r1;
1570 }
1571 data = sd_wpbits(sd, req.arg);
1572 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data));
1573
1574 default:
1575 break;
1576 }
1577 break;
1578
1579 /* Erase commands (Class 5) */
1580 case 32: /* CMD32: ERASE_WR_BLK_START */
1581 switch (sd->state) {
1582 case sd_transfer_state:
1583 sd->erase_start = req.arg;
1584 return sd_r1;
1585
1586 default:
1587 break;
1588 }
1589 break;
1590
1591 case 33: /* CMD33: ERASE_WR_BLK_END */
1592 switch (sd->state) {
1593 case sd_transfer_state:
1594 sd->erase_end = req.arg;
1595 return sd_r1;
1596
1597 default:
1598 break;
1599 }
1600 break;
1601
1602 case 38: /* CMD38: ERASE */
1603 switch (sd->state) {
1604 case sd_transfer_state:
1605 if (sd->csd[14] & 0x30) {
1606 sd->card_status |= WP_VIOLATION;
1607 return sd_r1b;
1608 }
1609
1610 sd->state = sd_programming_state;
1611 sd_erase(sd);
1612 /* Bzzzzzzztt .... Operation complete. */
1613 sd->state = sd_transfer_state;
1614 return sd_r1b;
1615
1616 default:
1617 break;
1618 }
1619 break;
1620
1621 /* Lock card commands (Class 7) */
1622 case 42: /* CMD42: LOCK_UNLOCK */
1623 return sd_cmd_to_receivingdata(sd, req, 0, 0);
1624
1625 /* Application specific commands (Class 8) */
1626 case 55: /* CMD55: APP_CMD */
1627 rca = sd_req_get_rca(sd, req);
1628 switch (sd->state) {
1629 case sd_ready_state:
1630 case sd_identification_state:
1631 return sd_illegal;
1632 case sd_idle_state:
1633 if (rca) {
1634 qemu_log_mask(LOG_GUEST_ERROR,
1635 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1636 }
1637 default:
1638 break;
1639 }
1640 if (!sd_is_spi(sd)) {
1641 if (sd->rca != rca) {
1642 return sd_r0;
1643 }
1644 }
1645 sd->expecting_acmd = true;
1646 sd->card_status |= APP_CMD;
1647 return sd_r1;
1648
1649 case 56: /* CMD56: GEN_CMD */
1650 switch (sd->state) {
1651 case sd_transfer_state:
1652 sd->data_offset = 0;
1653 if (req.arg & 1)
1654 sd->state = sd_sendingdata_state;
1655 else
1656 sd->state = sd_receivingdata_state;
1657 return sd_r1;
1658
1659 default:
1660 break;
1661 }
1662 break;
1663
1664 case 58: /* CMD58: READ_OCR (SPI) */
1665 return sd_r3;
1666
1667 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1668 return sd_r1;
1669
1670 default:
1671 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1672 return sd_illegal;
1673 }
1674
1675 return sd_invalid_state_for_cmd(sd, req);
1676 }
1677
1678 static sd_rsp_type_t sd_app_command(SDState *sd,
1679 SDRequest req)
1680 {
1681 sd->last_cmd_name = sd_acmd_name(req.cmd);
1682 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name,
1683 req.cmd, req.arg, sd_state_name(sd->state));
1684 sd->card_status |= APP_CMD;
1685
1686 if (sd->proto->acmd[req.cmd]) {
1687 return sd->proto->acmd[req.cmd](sd, req);
1688 }
1689
1690 switch (req.cmd) {
1691 case 6: /* ACMD6: SET_BUS_WIDTH */
1692 switch (sd->state) {
1693 case sd_transfer_state:
1694 sd->sd_status[0] &= 0x3f;
1695 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1696 return sd_r1;
1697
1698 default:
1699 break;
1700 }
1701 break;
1702
1703 case 13: /* ACMD13: SD_STATUS */
1704 switch (sd->state) {
1705 case sd_transfer_state:
1706 return sd_cmd_to_sendingdata(sd, req, 0,
1707 sd->sd_status,
1708 sizeof(sd->sd_status));
1709
1710 default:
1711 break;
1712 }
1713 break;
1714
1715 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1716 switch (sd->state) {
1717 case sd_transfer_state:
1718 return sd_cmd_to_sendingdata(sd, req, 0,
1719 &sd->blk_written,
1720 sizeof(sd->blk_written));
1721
1722 default:
1723 break;
1724 }
1725 break;
1726
1727 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1728 switch (sd->state) {
1729 case sd_transfer_state:
1730 return sd_r1;
1731
1732 default:
1733 break;
1734 }
1735 break;
1736
1737 case 41: /* ACMD41: SD_APP_OP_COND */
1738 if (sd->state != sd_idle_state) {
1739 break;
1740 }
1741 /* If it's the first ACMD41 since reset, we need to decide
1742 * whether to power up. If this is not an enquiry ACMD41,
1743 * we immediately report power on and proceed below to the
1744 * ready state, but if it is, we set a timer to model a
1745 * delay for power up. This works around a bug in EDK2
1746 * UEFI, which sends an initial enquiry ACMD41, but
1747 * assumes that the card is in ready state as soon as it
1748 * sees the power up bit set. */
1749 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1750 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1751 timer_del(sd->ocr_power_timer);
1752 sd_ocr_powerup(sd);
1753 } else {
1754 trace_sdcard_inquiry_cmd41();
1755 if (!timer_pending(sd->ocr_power_timer)) {
1756 timer_mod_ns(sd->ocr_power_timer,
1757 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1758 + OCR_POWER_DELAY_NS));
1759 }
1760 }
1761 }
1762
1763 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1764 /* We accept any voltage. 10000 V is nothing.
1765 *
1766 * Once we're powered up, we advance straight to ready state
1767 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1768 */
1769 sd->state = sd_ready_state;
1770 }
1771
1772 return sd_r3;
1773
1774 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1775 switch (sd->state) {
1776 case sd_transfer_state:
1777 /* Bringing in the 50KOhm pull-up resistor... Done. */
1778 return sd_r1;
1779
1780 default:
1781 break;
1782 }
1783 break;
1784
1785 case 51: /* ACMD51: SEND_SCR */
1786 switch (sd->state) {
1787 case sd_transfer_state:
1788 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr));
1789
1790 default:
1791 break;
1792 }
1793 break;
1794
1795 case 18: /* Reserved for SD security applications */
1796 case 25:
1797 case 26:
1798 case 38:
1799 case 43 ... 49:
1800 /* Refer to the "SD Specifications Part3 Security Specification" for
1801 * information about the SD Security Features.
1802 */
1803 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1804 req.cmd);
1805 return sd_illegal;
1806
1807 default:
1808 /* Fall back to standard commands. */
1809 return sd_normal_command(sd, req);
1810 }
1811
1812 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1813 return sd_illegal;
1814 }
1815
1816 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
1817 {
1818 /* Valid commands in locked state:
1819 * basic class (0)
1820 * lock card class (7)
1821 * CMD16
1822 * implicitly, the ACMD prefix CMD55
1823 * ACMD41 and ACMD42
1824 * Anything else provokes an "illegal command" response.
1825 */
1826 if (sd->expecting_acmd) {
1827 return cmd == 41 || cmd == 42;
1828 }
1829 if (cmd == 16 || cmd == 55) {
1830 return true;
1831 }
1832 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1833 }
1834
1835 int sd_do_command(SDState *sd, SDRequest *req,
1836 uint8_t *response) {
1837 int last_state;
1838 sd_rsp_type_t rtype;
1839 int rsplen;
1840
1841 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1842 return 0;
1843 }
1844
1845 if (sd->state == sd_inactive_state) {
1846 rtype = sd_illegal;
1847 goto send_response;
1848 }
1849
1850 if (sd_req_crc_validate(req)) {
1851 sd->card_status |= COM_CRC_ERROR;
1852 rtype = sd_illegal;
1853 goto send_response;
1854 }
1855
1856 if (req->cmd >= SDMMC_CMD_MAX) {
1857 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1858 req->cmd);
1859 req->cmd &= 0x3f;
1860 }
1861
1862 if (sd->card_status & CARD_IS_LOCKED) {
1863 if (!cmd_valid_while_locked(sd, req->cmd)) {
1864 sd->card_status |= ILLEGAL_COMMAND;
1865 sd->expecting_acmd = false;
1866 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1867 rtype = sd_illegal;
1868 goto send_response;
1869 }
1870 }
1871
1872 last_state = sd->state;
1873 sd_set_mode(sd);
1874
1875 if (sd->expecting_acmd) {
1876 sd->expecting_acmd = false;
1877 rtype = sd_app_command(sd, *req);
1878 } else {
1879 rtype = sd_normal_command(sd, *req);
1880 }
1881
1882 if (rtype == sd_illegal) {
1883 sd->card_status |= ILLEGAL_COMMAND;
1884 } else {
1885 /* Valid command, we can update the 'state before command' bits.
1886 * (Do this now so they appear in r1 responses.)
1887 */
1888 sd->current_cmd = req->cmd;
1889 sd->card_status = FIELD_DP32(sd->card_status, CSR,
1890 CURRENT_STATE, last_state);
1891 }
1892
1893 send_response:
1894 switch (rtype) {
1895 case sd_r1:
1896 case sd_r1b:
1897 sd_response_r1_make(sd, response);
1898 rsplen = 4;
1899 break;
1900
1901 case sd_r2_i:
1902 memcpy(response, sd->cid, sizeof(sd->cid));
1903 rsplen = 16;
1904 break;
1905
1906 case sd_r2_s:
1907 memcpy(response, sd->csd, sizeof(sd->csd));
1908 rsplen = 16;
1909 break;
1910
1911 case sd_r3:
1912 sd_response_r3_make(sd, response);
1913 rsplen = 4;
1914 break;
1915
1916 case sd_r6:
1917 sd_response_r6_make(sd, response);
1918 rsplen = 4;
1919 break;
1920
1921 case sd_r7:
1922 sd_response_r7_make(sd, response);
1923 rsplen = 4;
1924 break;
1925
1926 case sd_r0:
1927 /*
1928 * Invalid state transition, reset implementation
1929 * fields to avoid OOB abuse.
1930 */
1931 sd->data_start = 0;
1932 sd->data_offset = 0;
1933 /* fall-through */
1934 case sd_illegal:
1935 rsplen = 0;
1936 break;
1937 default:
1938 g_assert_not_reached();
1939 }
1940 trace_sdcard_response(sd_response_name(rtype), rsplen);
1941
1942 if (rtype != sd_illegal) {
1943 /* Clear the "clear on valid command" status bits now we've
1944 * sent any response
1945 */
1946 sd->card_status &= ~CARD_STATUS_B;
1947 }
1948
1949 #ifdef DEBUG_SD
1950 qemu_hexdump(stderr, "Response", response, rsplen);
1951 #endif
1952
1953 return rsplen;
1954 }
1955
1956 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */
1957 static bool sd_generic_write_byte(SDState *sd, uint8_t value)
1958 {
1959 sd->data[sd->data_offset] = value;
1960
1961 if (++sd->data_offset >= sd->data_size) {
1962 sd->state = sd_transfer_state;
1963 return true;
1964 }
1965 return false;
1966 }
1967
1968 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */
1969 static bool sd_generic_read_byte(SDState *sd, uint8_t *value)
1970 {
1971 *value = sd->data[sd->data_offset];
1972
1973 if (++sd->data_offset >= sd->data_size) {
1974 sd->state = sd_transfer_state;
1975 return true;
1976 }
1977
1978 return false;
1979 }
1980
1981 void sd_write_byte(SDState *sd, uint8_t value)
1982 {
1983 int i;
1984
1985 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1986 return;
1987
1988 if (sd->state != sd_receivingdata_state) {
1989 qemu_log_mask(LOG_GUEST_ERROR,
1990 "%s: not in Receiving-Data state\n", __func__);
1991 return;
1992 }
1993
1994 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1995 return;
1996
1997 trace_sdcard_write_data(sd->proto->name,
1998 sd->last_cmd_name,
1999 sd->current_cmd, sd->data_offset, value);
2000 switch (sd->current_cmd) {
2001 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
2002 if (sd_generic_write_byte(sd, value)) {
2003 /* TODO: Check CRC before committing */
2004 sd->state = sd_programming_state;
2005 sd_blk_write(sd, sd->data_start, sd->data_offset);
2006 sd->blk_written ++;
2007 sd->csd[14] |= 0x40;
2008 /* Bzzzzzzztt .... Operation complete. */
2009 sd->state = sd_transfer_state;
2010 }
2011 break;
2012
2013 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
2014 if (sd->data_offset == 0) {
2015 /* Start of the block - let's check the address is valid */
2016 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
2017 sd->data_start, sd->blk_len)) {
2018 break;
2019 }
2020 if (sd->size <= SDSC_MAX_CAPACITY) {
2021 if (sd_wp_addr(sd, sd->data_start)) {
2022 sd->card_status |= WP_VIOLATION;
2023 break;
2024 }
2025 }
2026 }
2027 sd->data[sd->data_offset++] = value;
2028 if (sd->data_offset >= sd->blk_len) {
2029 /* TODO: Check CRC before committing */
2030 sd->state = sd_programming_state;
2031 sd_blk_write(sd, sd->data_start, sd->data_offset);
2032 sd->blk_written++;
2033 sd->data_start += sd->blk_len;
2034 sd->data_offset = 0;
2035 sd->csd[14] |= 0x40;
2036
2037 /* Bzzzzzzztt .... Operation complete. */
2038 if (sd->multi_blk_cnt != 0) {
2039 if (--sd->multi_blk_cnt == 0) {
2040 /* Stop! */
2041 sd->state = sd_transfer_state;
2042 break;
2043 }
2044 }
2045
2046 sd->state = sd_receivingdata_state;
2047 }
2048 break;
2049
2050 case 26: /* CMD26: PROGRAM_CID */
2051 if (sd_generic_write_byte(sd, value)) {
2052 /* TODO: Check CRC before committing */
2053 sd->state = sd_programming_state;
2054 for (i = 0; i < sizeof(sd->cid); i ++)
2055 if ((sd->cid[i] | 0x00) != sd->data[i])
2056 sd->card_status |= CID_CSD_OVERWRITE;
2057
2058 if (!(sd->card_status & CID_CSD_OVERWRITE))
2059 for (i = 0; i < sizeof(sd->cid); i ++) {
2060 sd->cid[i] |= 0x00;
2061 sd->cid[i] &= sd->data[i];
2062 }
2063 /* Bzzzzzzztt .... Operation complete. */
2064 sd->state = sd_transfer_state;
2065 }
2066 break;
2067
2068 case 27: /* CMD27: PROGRAM_CSD */
2069 if (sd_generic_write_byte(sd, value)) {
2070 /* TODO: Check CRC before committing */
2071 sd->state = sd_programming_state;
2072 for (i = 0; i < sizeof(sd->csd); i ++)
2073 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
2074 (sd->data[i] | sd_csd_rw_mask[i]))
2075 sd->card_status |= CID_CSD_OVERWRITE;
2076
2077 /* Copy flag (OTP) & Permanent write protect */
2078 if (sd->csd[14] & ~sd->data[14] & 0x60)
2079 sd->card_status |= CID_CSD_OVERWRITE;
2080
2081 if (!(sd->card_status & CID_CSD_OVERWRITE))
2082 for (i = 0; i < sizeof(sd->csd); i ++) {
2083 sd->csd[i] |= sd_csd_rw_mask[i];
2084 sd->csd[i] &= sd->data[i];
2085 }
2086 /* Bzzzzzzztt .... Operation complete. */
2087 sd->state = sd_transfer_state;
2088 }
2089 break;
2090
2091 case 42: /* CMD42: LOCK_UNLOCK */
2092 if (sd_generic_write_byte(sd, value)) {
2093 /* TODO: Check CRC before committing */
2094 sd->state = sd_programming_state;
2095 sd_lock_command(sd);
2096 /* Bzzzzzzztt .... Operation complete. */
2097 sd->state = sd_transfer_state;
2098 }
2099 break;
2100
2101 case 56: /* CMD56: GEN_CMD */
2102 sd->data[sd->data_offset ++] = value;
2103 if (sd->data_offset >= sd->blk_len) {
2104 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
2105 sd->state = sd_transfer_state;
2106 }
2107 break;
2108
2109 default:
2110 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2111 break;
2112 }
2113 }
2114
2115 uint8_t sd_read_byte(SDState *sd)
2116 {
2117 /* TODO: Append CRCs */
2118 uint8_t ret;
2119 uint32_t io_len;
2120
2121 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2122 return 0x00;
2123
2124 if (sd->state != sd_sendingdata_state) {
2125 qemu_log_mask(LOG_GUEST_ERROR,
2126 "%s: not in Sending-Data state\n", __func__);
2127 return 0x00;
2128 }
2129
2130 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2131 return 0x00;
2132
2133 io_len = sd_blk_len(sd);
2134
2135 trace_sdcard_read_data(sd->proto->name,
2136 sd->last_cmd_name,
2137 sd->current_cmd, sd->data_offset, io_len);
2138 switch (sd->current_cmd) {
2139 case 6: /* CMD6: SWITCH_FUNCTION */
2140 case 9: /* CMD9: SEND_CSD */
2141 case 10: /* CMD10: SEND_CID */
2142 case 13: /* ACMD13: SD_STATUS */
2143 case 17: /* CMD17: READ_SINGLE_BLOCK */
2144 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2145 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2146 case 30: /* CMD30: SEND_WRITE_PROT */
2147 case 51: /* ACMD51: SEND_SCR */
2148 sd_generic_read_byte(sd, &ret);
2149 break;
2150
2151 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2152 if (sd->data_offset == 0) {
2153 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2154 sd->data_start, io_len)) {
2155 return 0x00;
2156 }
2157 sd_blk_read(sd, sd->data_start, io_len);
2158 }
2159 ret = sd->data[sd->data_offset ++];
2160
2161 if (sd->data_offset >= io_len) {
2162 sd->data_start += io_len;
2163 sd->data_offset = 0;
2164
2165 if (sd->multi_blk_cnt != 0) {
2166 if (--sd->multi_blk_cnt == 0) {
2167 /* Stop! */
2168 sd->state = sd_transfer_state;
2169 break;
2170 }
2171 }
2172 }
2173 break;
2174
2175 case 56: /* CMD56: GEN_CMD */
2176 if (sd->data_offset == 0)
2177 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2178 ret = sd->data[sd->data_offset ++];
2179
2180 if (sd->data_offset >= sd->blk_len)
2181 sd->state = sd_transfer_state;
2182 break;
2183
2184 default:
2185 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2186 return 0x00;
2187 }
2188
2189 return ret;
2190 }
2191
2192 static bool sd_receive_ready(SDState *sd)
2193 {
2194 return sd->state == sd_receivingdata_state;
2195 }
2196
2197 static bool sd_data_ready(SDState *sd)
2198 {
2199 return sd->state == sd_sendingdata_state;
2200 }
2201
2202 void sd_enable(SDState *sd, bool enable)
2203 {
2204 sd->enable = enable;
2205 }
2206
2207 static const SDProto sd_proto_spi = {
2208 .name = "SPI",
2209 .cmd = {
2210 [0] = sd_cmd_GO_IDLE_STATE,
2211 [1] = spi_cmd_SEND_OP_COND,
2212 },
2213 .acmd = {
2214 [41] = spi_cmd_SEND_OP_COND,
2215 },
2216 };
2217
2218 static const SDProto sd_proto_sd = {
2219 .name = "SD",
2220 .cmd = {
2221 [0] = sd_cmd_GO_IDLE_STATE,
2222 [2] = sd_cmd_ALL_SEND_CID,
2223 [3] = sd_cmd_SEND_RELATIVE_ADDR,
2224 [19] = sd_cmd_SEND_TUNING_BLOCK,
2225 [23] = sd_cmd_SET_BLOCK_COUNT,
2226 },
2227 };
2228
2229 static void sd_instance_init(Object *obj)
2230 {
2231 SDState *sd = SD_CARD(obj);
2232 SDCardClass *sc = SD_CARD_GET_CLASS(sd);
2233
2234 sd->proto = sc->proto;
2235 sd->last_cmd_name = "UNSET";
2236 sd->enable = true;
2237 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2238 }
2239
2240 static void sd_instance_finalize(Object *obj)
2241 {
2242 SDState *sd = SD_CARD(obj);
2243
2244 timer_free(sd->ocr_power_timer);
2245 }
2246
2247 static void sd_realize(DeviceState *dev, Error **errp)
2248 {
2249 SDState *sd = SD_CARD(dev);
2250 int ret;
2251
2252 switch (sd->spec_version) {
2253 case SD_PHY_SPECv1_10_VERS
2254 ... SD_PHY_SPECv3_01_VERS:
2255 break;
2256 default:
2257 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2258 return;
2259 }
2260
2261 if (sd->blk) {
2262 int64_t blk_size;
2263
2264 if (!blk_supports_write_perm(sd->blk)) {
2265 error_setg(errp, "Cannot use read-only drive as SD card");
2266 return;
2267 }
2268
2269 blk_size = blk_getlength(sd->blk);
2270 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2271 int64_t blk_size_aligned = pow2ceil(blk_size);
2272 char *blk_size_str;
2273
2274 blk_size_str = size_to_str(blk_size);
2275 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2276 g_free(blk_size_str);
2277
2278 blk_size_str = size_to_str(blk_size_aligned);
2279 error_append_hint(errp,
2280 "SD card size has to be a power of 2, e.g. %s.\n"
2281 "You can resize disk images with"
2282 " 'qemu-img resize <imagefile> <new-size>'\n"
2283 "(note that this will lose data if you make the"
2284 " image smaller than it currently is).\n",
2285 blk_size_str);
2286 g_free(blk_size_str);
2287
2288 return;
2289 }
2290
2291 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2292 BLK_PERM_ALL, errp);
2293 if (ret < 0) {
2294 return;
2295 }
2296 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2297 }
2298 }
2299
2300 static Property sd_properties[] = {
2301 DEFINE_PROP_UINT8("spec_version", SDState,
2302 spec_version, SD_PHY_SPECv2_00_VERS),
2303 DEFINE_PROP_DRIVE("drive", SDState, blk),
2304 /* We do not model the chip select pin, so allow the board to select
2305 * whether card should be in SSI or MMC/SD mode. It is also up to the
2306 * board to ensure that ssi transfers only occur when the chip select
2307 * is asserted. */
2308 DEFINE_PROP_END_OF_LIST()
2309 };
2310
2311 static void sd_class_init(ObjectClass *klass, void *data)
2312 {
2313 DeviceClass *dc = DEVICE_CLASS(klass);
2314 SDCardClass *sc = SD_CARD_CLASS(klass);
2315
2316 dc->realize = sd_realize;
2317 device_class_set_props(dc, sd_properties);
2318 dc->vmsd = &sd_vmstate;
2319 dc->reset = sd_reset;
2320 dc->bus_type = TYPE_SD_BUS;
2321 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2322
2323 sc->set_voltage = sd_set_voltage;
2324 sc->get_dat_lines = sd_get_dat_lines;
2325 sc->get_cmd_line = sd_get_cmd_line;
2326 sc->do_command = sd_do_command;
2327 sc->write_byte = sd_write_byte;
2328 sc->read_byte = sd_read_byte;
2329 sc->receive_ready = sd_receive_ready;
2330 sc->data_ready = sd_data_ready;
2331 sc->enable = sd_enable;
2332 sc->get_inserted = sd_get_inserted;
2333 sc->get_readonly = sd_get_readonly;
2334 sc->proto = &sd_proto_sd;
2335 }
2336
2337 /*
2338 * We do not model the chip select pin, so allow the board to select
2339 * whether card should be in SSI or MMC/SD mode. It is also up to the
2340 * board to ensure that ssi transfers only occur when the chip select
2341 * is asserted.
2342 */
2343 static void sd_spi_class_init(ObjectClass *klass, void *data)
2344 {
2345 DeviceClass *dc = DEVICE_CLASS(klass);
2346 SDCardClass *sc = SD_CARD_CLASS(klass);
2347
2348 dc->desc = "SD SPI";
2349 sc->proto = &sd_proto_spi;
2350 }
2351
2352 static const TypeInfo sd_types[] = {
2353 {
2354 .name = TYPE_SD_CARD,
2355 .parent = TYPE_DEVICE,
2356 .instance_size = sizeof(SDState),
2357 .class_size = sizeof(SDCardClass),
2358 .class_init = sd_class_init,
2359 .instance_init = sd_instance_init,
2360 .instance_finalize = sd_instance_finalize,
2361 },
2362 {
2363 .name = TYPE_SD_CARD_SPI,
2364 .parent = TYPE_SD_CARD,
2365 .class_init = sd_spi_class_init,
2366 },
2367 };
2368
2369 DEFINE_TYPES(sd_types)
armbru's QEMU hackery