search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd/sdcard: Add mmc SWITCH function support (CMD6)
[qemu/armbru.git] / hw / sd / sd.c
blob1f16c16fd1ad251a34c526270914bb84fbde1299
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * eMMC emulation defined in "JEDEC Standard No. 84-A43"
6 *
7 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
8 * Copyright (c) 2007 CodeSourcery
9 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 *
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in
19 * the documentation and/or other materials provided with the
20 * distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
23 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
25 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
26 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
29 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
30 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35 #include "qemu/osdep.h"
36 #include "qemu/units.h"
37 #include "qemu/cutils.h"
38 #include "hw/irq.h"
39 #include "hw/registerfields.h"
40 #include "sysemu/block-backend.h"
41 #include "hw/sd/sd.h"
42 #include "hw/sd/sdcard_legacy.h"
43 #include "migration/vmstate.h"
44 #include "qapi/error.h"
45 #include "qemu/bitmap.h"
46 #include "hw/qdev-properties.h"
47 #include "hw/qdev-properties-system.h"
48 #include "qemu/error-report.h"
49 #include "qemu/timer.h"
50 #include "qemu/log.h"
51 #include "qemu/guest-random.h"
52 #include "qemu/module.h"
53 #include "sdmmc-internal.h"
54 #include "trace.h"
55
56 //#define DEBUG_SD 1
57
58 #define SDSC_MAX_CAPACITY (2 * GiB)
59
60 #define INVALID_ADDRESS UINT32_MAX
61
62 typedef enum {
63 sd_r0 = 0, /* no response */
64 sd_r1, /* normal response command */
65 sd_r2_i, /* CID register */
66 sd_r2_s, /* CSD register */
67 sd_r3, /* OCR register */
68 sd_r6 = 6, /* Published RCA response */
69 sd_r7, /* Operating voltage */
70 sd_r1b = -1,
71 sd_illegal = -2,
72 } sd_rsp_type_t;
73
74 enum SDCardModes {
75 sd_inactive,
76 sd_card_identification_mode,
77 sd_data_transfer_mode,
78 };
79
80 enum SDCardStates {
81 sd_waitirq_state = -2, /* emmc */
82 sd_inactive_state = -1,
83
84 sd_idle_state = 0,
85 sd_ready_state = 1,
86 sd_identification_state = 2,
87 sd_standby_state = 3,
88 sd_transfer_state = 4,
89 sd_sendingdata_state = 5,
90 sd_receivingdata_state = 6,
91 sd_programming_state = 7,
92 sd_disconnect_state = 8,
93 sd_bus_test_state = 9, /* emmc */
94 sd_sleep_state = 10, /* emmc */
95 sd_io_state = 15 /* sd */
96 };
97
98 #define SDMMC_CMD_MAX 64
99
100 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
101
102 typedef struct SDProto {
103 const char *name;
104 struct {
105 const unsigned class;
106 const sd_cmd_type_t type;
107 const char *name;
108 sd_cmd_handler handler;
109 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX];
110 } SDProto;
111
112 struct SDState {
113 DeviceState parent_obj;
114
115 /* If true, created by sd_init() for a non-qdevified caller */
116 /* TODO purge them with fire */
117 bool me_no_qdev_me_kill_mammoth_with_rocks;
118
119 /* SD Memory Card Registers */
120 uint32_t ocr;
121 uint8_t scr[8];
122 uint8_t cid[16];
123 uint8_t csd[16];
124 uint16_t rca;
125 uint32_t card_status;
126 uint8_t sd_status[64];
127 union {
128 uint8_t ext_csd[512];
129 struct {
130 uint8_t ext_csd_rw[192]; /* Modes segment */
131 uint8_t ext_csd_ro[320]; /* Properties segment */
132 };
133 };
134
135 /* Static properties */
136
137 uint8_t spec_version;
138 uint64_t boot_part_size;
139 BlockBackend *blk;
140
141 const SDProto *proto;
142
143 /* Runtime changeables */
144
145 uint32_t mode; /* current card mode, one of SDCardModes */
146 int32_t state; /* current card state, one of SDCardStates */
147 uint32_t vhs;
148 bool wp_switch;
149 unsigned long *wp_group_bmap;
150 int32_t wp_group_bits;
151 uint64_t size;
152 uint32_t blk_len;
153 uint32_t multi_blk_cnt;
154 uint32_t erase_start;
155 uint32_t erase_end;
156 uint8_t pwd[16];
157 uint32_t pwd_len;
158 uint8_t function_group[6];
159 uint8_t current_cmd;
160 const char *last_cmd_name;
161 /* True if we will handle the next command as an ACMD. Note that this does
162 * *not* track the APP_CMD status bit!
163 */
164 bool expecting_acmd;
165 uint32_t blk_written;
166
167 uint64_t data_start;
168 uint32_t data_offset;
169 size_t data_size;
170 uint8_t data[512];
171 qemu_irq readonly_cb;
172 qemu_irq inserted_cb;
173 QEMUTimer *ocr_power_timer;
174 bool enable;
175 uint8_t dat_lines;
176 bool cmd_line;
177 };
178
179 static void sd_realize(DeviceState *dev, Error **errp);
180
181 static const SDProto sd_proto_spi;
182 static const SDProto sd_proto_emmc;
183
184 static bool sd_is_spi(SDState *sd)
185 {
186 return sd->proto == &sd_proto_spi;
187 }
188
189 static bool sd_is_emmc(SDState *sd)
190 {
191 return sd->proto == &sd_proto_emmc;
192 }
193
194 static const char *sd_version_str(enum SDPhySpecificationVersion version)
195 {
196 static const char *sdphy_version[] = {
197 [SD_PHY_SPECv1_10_VERS] = "v1.10",
198 [SD_PHY_SPECv2_00_VERS] = "v2.00",
199 [SD_PHY_SPECv3_01_VERS] = "v3.01",
200 };
201 if (version >= ARRAY_SIZE(sdphy_version)) {
202 return "unsupported version";
203 }
204 return sdphy_version[version];
205 }
206
207 static const char *sd_mode_name(enum SDCardModes mode)
208 {
209 static const char *mode_name[] = {
210 [sd_inactive] = "inactive",
211 [sd_card_identification_mode] = "identification",
212 [sd_data_transfer_mode] = "transfer",
213 };
214 assert(mode < ARRAY_SIZE(mode_name));
215 return mode_name[mode];
216 }
217
218 static const char *sd_state_name(enum SDCardStates state)
219 {
220 static const char *state_name[] = {
221 [sd_idle_state] = "idle",
222 [sd_ready_state] = "ready",
223 [sd_identification_state] = "identification",
224 [sd_standby_state] = "standby",
225 [sd_transfer_state] = "transfer",
226 [sd_sendingdata_state] = "sendingdata",
227 [sd_bus_test_state] = "bus-test",
228 [sd_receivingdata_state] = "receivingdata",
229 [sd_programming_state] = "programming",
230 [sd_disconnect_state] = "disconnect",
231 [sd_sleep_state] = "sleep",
232 [sd_io_state] = "i/o"
233 };
234 if (state == sd_inactive_state) {
235 return "inactive";
236 }
237 if (state == sd_waitirq_state) {
238 return "wait-irq";
239 }
240 assert(state < ARRAY_SIZE(state_name));
241 return state_name[state];
242 }
243
244 static const char *sd_response_name(sd_rsp_type_t rsp)
245 {
246 static const char *response_name[] = {
247 [sd_r0] = "RESP#0 (no response)",
248 [sd_r1] = "RESP#1 (normal cmd)",
249 [sd_r2_i] = "RESP#2 (CID reg)",
250 [sd_r2_s] = "RESP#2 (CSD reg)",
251 [sd_r3] = "RESP#3 (OCR reg)",
252 [sd_r6] = "RESP#6 (RCA)",
253 [sd_r7] = "RESP#7 (operating voltage)",
254 };
255 if (rsp == sd_illegal) {
256 return "ILLEGAL RESP";
257 }
258 if (rsp == sd_r1b) {
259 rsp = sd_r1;
260 }
261 assert(rsp < ARRAY_SIZE(response_name));
262 return response_name[rsp];
263 }
264
265 static const char *sd_cmd_name(SDState *sd, uint8_t cmd)
266 {
267 static const char *cmd_abbrev[SDMMC_CMD_MAX] = {
268 [18] = "READ_MULTIPLE_BLOCK",
269 [25] = "WRITE_MULTIPLE_BLOCK",
270 };
271 const SDProto *sdp = sd->proto;
272
273 if (sdp->cmd[cmd].handler) {
274 assert(!cmd_abbrev[cmd]);
275 return sdp->cmd[cmd].name;
276 }
277 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD";
278 }
279
280 static const char *sd_acmd_name(SDState *sd, uint8_t cmd)
281 {
282 const SDProto *sdp = sd->proto;
283
284 if (sdp->acmd[cmd].handler) {
285 return sdp->acmd[cmd].name;
286 }
287
288 return "UNKNOWN_ACMD";
289 }
290
291 static uint8_t sd_get_dat_lines(SDState *sd)
292 {
293 return sd->enable ? sd->dat_lines : 0;
294 }
295
296 static bool sd_get_cmd_line(SDState *sd)
297 {
298 return sd->enable ? sd->cmd_line : false;
299 }
300
301 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
302 {
303 trace_sdcard_set_voltage(millivolts);
304
305 switch (millivolts) {
306 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
307 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
308 break;
309 default:
310 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
311 millivolts / 1000.f);
312 }
313 }
314
315 static void sd_set_mode(SDState *sd)
316 {
317 switch (sd->state) {
318 case sd_inactive_state:
319 sd->mode = sd_inactive;
320 break;
321
322 case sd_idle_state:
323 case sd_ready_state:
324 case sd_identification_state:
325 sd->mode = sd_card_identification_mode;
326 break;
327
328 case sd_standby_state:
329 case sd_transfer_state:
330 case sd_sendingdata_state:
331 case sd_receivingdata_state:
332 case sd_programming_state:
333 case sd_disconnect_state:
334 sd->mode = sd_data_transfer_mode;
335 break;
336 }
337 }
338
339 static uint8_t sd_crc7(const void *message, size_t width)
340 {
341 int i, bit;
342 uint8_t shift_reg = 0x00;
343 const uint8_t *msg = (const uint8_t *)message;
344
345 for (i = 0; i < width; i ++, msg ++)
346 for (bit = 7; bit >= 0; bit --) {
347 shift_reg <<= 1;
348 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
349 shift_reg ^= 0x89;
350 }
351
352 return shift_reg;
353 }
354
355 /* Operation Conditions register */
356
357 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
358
359 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
360 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
361 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
362 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
363 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
364 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
365 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
366 FIELD(OCR, CARD_POWER_UP, 31, 1)
367
368 #define ACMD41_ENQUIRY_MASK 0x00ffffff
369 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
370 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
371 | R_OCR_UHS_II_CARD_MASK \
372 | R_OCR_CARD_CAPACITY_MASK \
373 | R_OCR_CARD_POWER_UP_MASK)
374
375 static void sd_ocr_powerup(void *opaque)
376 {
377 SDState *sd = opaque;
378
379 trace_sdcard_powerup();
380 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
381
382 /* card power-up OK */
383 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
384
385 if (sd->size > SDSC_MAX_CAPACITY) {
386 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
387 }
388 }
389
390 static void sd_set_ocr(SDState *sd)
391 {
392 /* All voltages OK */
393 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
394
395 if (sd_is_spi(sd)) {
396 /*
397 * We don't need to emulate power up sequence in SPI-mode.
398 * Thus, the card's power up status bit should be set to 1 when reset.
399 * The card's capacity status bit should also be set if SD card size
400 * is larger than 2GB for SDHC support.
401 */
402 sd_ocr_powerup(sd);
403 }
404 }
405
406 /* SD Configuration register */
407
408 static void sd_set_scr(SDState *sd)
409 {
410 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
411 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
412 sd->scr[0] |= 1; /* Spec Version 1.10 */
413 } else {
414 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
415 }
416 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
417 | 0b0101; /* 1-bit or 4-bit width bus modes */
418 sd->scr[2] = 0x00; /* Extended Security is not supported. */
419 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
420 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
421 }
422 sd->scr[3] = 0x00;
423 /* reserved for manufacturer usage */
424 sd->scr[4] = 0x00;
425 sd->scr[5] = 0x00;
426 sd->scr[6] = 0x00;
427 sd->scr[7] = 0x00;
428 }
429
430 /* Card IDentification register */
431
432 #define MID 0xaa
433 #define OID "XY"
434 #define PNM "QEMU!"
435 #define PRV 0x01
436 #define MDT_YR 2006
437 #define MDT_MON 2
438
439 static void sd_set_cid(SDState *sd)
440 {
441 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
442 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
443 sd->cid[2] = OID[1];
444 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
445 sd->cid[4] = PNM[1];
446 sd->cid[5] = PNM[2];
447 sd->cid[6] = PNM[3];
448 sd->cid[7] = PNM[4];
449 sd->cid[8] = PRV; /* Fake product revision (PRV) */
450 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
451 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
452 ((MDT_YR - 2000) / 10);
453 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
454 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
455 }
456
457 static void emmc_set_cid(SDState *sd)
458 {
459 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
460 sd->cid[1] = 0b01; /* CBX: soldered BGA */
461 sd->cid[2] = OID[0]; /* OEM/Application ID (OID) */
462 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
463 sd->cid[4] = PNM[1];
464 sd->cid[5] = PNM[2];
465 sd->cid[6] = PNM[3];
466 sd->cid[7] = PNM[4];
467 sd->cid[8] = PNM[4];
468 sd->cid[9] = PRV; /* Fake product revision (PRV) */
469 stl_be_p(&sd->cid[10], 0xdeadbeef); /* Fake serial number (PSN) */
470 sd->cid[14] = (MDT_MON << 4) | (MDT_YR - 1997); /* Manufacture date (MDT) */
471 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
472 }
473
474 /* Card-Specific Data register */
475
476 #define HWBLOCK_SHIFT 9 /* 512 bytes */
477 #define SECTOR_SHIFT 5 /* 16 kilobytes */
478 #define WPGROUP_SHIFT 7 /* 2 megs */
479 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
480 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
481
482 static const uint8_t sd_csd_rw_mask[16] = {
483 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
485 };
486
487 static void emmc_set_ext_csd(SDState *sd, uint64_t size)
488 {
489 uint32_t sectcount = size >> HWBLOCK_SHIFT;
490
491 memset(sd->ext_csd, 0, sizeof(sd->ext_csd)); /* FIXME only RW at reset */
492
493 /* Properties segment (RO) */
494 sd->ext_csd[EXT_CSD_S_CMD_SET] = 0b1; /* supported command sets */
495 sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x0; /* Boot information */
496 /* Boot partition size. 128KB unit */
497 sd->ext_csd[EXT_CSD_BOOT_MULT] = sd->boot_part_size / (128 * KiB);
498 sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x1; /* Access size */
499 sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x01; /* HC Erase unit size */
500 sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x01; /* HC erase timeout */
501 sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */
502 sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x01; /* HC write protect group size */
503 sd->ext_csd[EXT_CSD_S_C_VCC] = 0x01; /* Sleep current VCC */
504 sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x01; /* Sleep current VCCQ */
505 sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x01; /* Sleep/Awake timeout */
506 stl_le_p(&sd->ext_csd[EXT_CSD_SEC_CNT], sectcount); /* Sector count */
507 sd->ext_csd[210] = 0x46; /* Min write perf for 8bit@52Mhz */
508 sd->ext_csd[209] = 0x46; /* Min read perf for 8bit@52Mhz */
509 sd->ext_csd[208] = 0x46; /* Min write perf for 4bit@52Mhz */
510 sd->ext_csd[207] = 0x46; /* Min read perf for 4bit@52Mhz */
511 sd->ext_csd[206] = 0x46; /* Min write perf for 4bit@26Mhz */
512 sd->ext_csd[205] = 0x46; /* Min read perf for 4bit@26Mhz */
513 sd->ext_csd[EXT_CSD_CARD_TYPE] = 0b11;
514 sd->ext_csd[EXT_CSD_STRUCTURE] = 2;
515 sd->ext_csd[EXT_CSD_REV] = 3;
516 }
517
518 static void emmc_set_csd(SDState *sd, uint64_t size)
519 {
520 int hwblock_shift = HWBLOCK_SHIFT;
521 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
522 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
523
524 sd->csd[0] = (3 << 6) | (4 << 2); /* Spec v4.3 with EXT_CSD */
525 sd->csd[1] = (1 << 3) | 6; /* Asynchronous data access time: 1ms */
526 sd->csd[2] = 0x00;
527 sd->csd[3] = (1 << 3) | 3;; /* Maximum bus clock frequency: 100MHz */
528 sd->csd[4] = 0x0f;
529 if (size <= 2 * GiB) {
530 /* use 1k blocks */
531 uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1;
532 sd->csd[5] = 0x5a;
533 sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf);
534 sd->csd[7] = (csize1k >> 2) & 0xff;
535 } else { /* >= 2GB : size stored in ext CSD, block addressing */
536 sd->csd[5] = 0x59;
537 sd->csd[6] = 0x8f;
538 sd->csd[7] = 0xff;
539 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
540 }
541 sd->csd[8] = 0xff;
542 sd->csd[9] = 0xfc | /* Max. write current */
543 ((CMULT_SHIFT - 2) >> 1);
544 sd->csd[10] = 0x40 | /* Erase sector size */
545 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
546 sd->csd[11] = 0x00 | /* Write protect group size */
547 ((sectsize << 7) & 0x80) | wpsize;
548 sd->csd[12] = 0x90 | /* Write speed factor */
549 (hwblock_shift >> 2);
550 sd->csd[13] = 0x20 | /* Max. write data block length */
551 ((hwblock_shift << 6) & 0xc0);
552 sd->csd[14] = 0x00;
553 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
554 emmc_set_ext_csd(sd, size);
555 }
556
557 static void sd_set_csd(SDState *sd, uint64_t size)
558 {
559 int hwblock_shift = HWBLOCK_SHIFT;
560 uint32_t csize;
561 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
562 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
563
564 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
565 if (size == SDSC_MAX_CAPACITY) {
566 hwblock_shift += 1;
567 }
568 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
569
570 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
571 sd->csd[0] = 0x00; /* CSD structure */
572 sd->csd[1] = 0x26; /* Data read access-time-1 */
573 sd->csd[2] = 0x00; /* Data read access-time-2 */
574 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
575 sd->csd[4] = 0x5f; /* Card Command Classes */
576 sd->csd[5] = 0x50 | /* Max. read data block length */
577 hwblock_shift;
578 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
579 ((csize >> 10) & 0x03);
580 sd->csd[7] = 0x00 | /* Device size */
581 ((csize >> 2) & 0xff);
582 sd->csd[8] = 0x3f | /* Max. read current */
583 ((csize << 6) & 0xc0);
584 sd->csd[9] = 0xfc | /* Max. write current */
585 ((CMULT_SHIFT - 2) >> 1);
586 sd->csd[10] = 0x40 | /* Erase sector size */
587 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
588 sd->csd[11] = 0x00 | /* Write protect group size */
589 ((sectsize << 7) & 0x80) | wpsize;
590 sd->csd[12] = 0x90 | /* Write speed factor */
591 (hwblock_shift >> 2);
592 sd->csd[13] = 0x20 | /* Max. write data block length */
593 ((hwblock_shift << 6) & 0xc0);
594 sd->csd[14] = 0x00; /* File format group */
595 } else { /* SDHC */
596 size /= 512 * KiB;
597 size -= 1;
598 sd->csd[0] = 0x40;
599 sd->csd[1] = 0x0e;
600 sd->csd[2] = 0x00;
601 sd->csd[3] = 0x32;
602 sd->csd[4] = 0x5b;
603 sd->csd[5] = 0x59;
604 sd->csd[6] = 0x00;
605 st24_be_p(&sd->csd[7], size);
606 sd->csd[10] = 0x7f;
607 sd->csd[11] = 0x80;
608 sd->csd[12] = 0x0a;
609 sd->csd[13] = 0x40;
610 sd->csd[14] = 0x00;
611 }
612 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
613 }
614
615 /* Relative Card Address register */
616
617 static void sd_set_rca(SDState *sd, uint16_t value)
618 {
619 trace_sdcard_set_rca(value);
620 sd->rca = value;
621 }
622
623 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
624 {
625 switch (s->proto->cmd[req.cmd].type) {
626 case sd_ac:
627 case sd_adtc:
628 return req.arg >> 16;
629 case sd_spi:
630 default:
631 g_assert_not_reached();
632 }
633 }
634
635 static bool sd_req_rca_same(SDState *s, SDRequest req)
636 {
637 return sd_req_get_rca(s, req) == s->rca;
638 }
639
640 /* Card Status register */
641
642 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
643 FIELD(CSR, APP_CMD, 5, 1)
644 FIELD(CSR, FX_EVENT, 6, 1)
645 FIELD(CSR, SWITCH_ERROR, 7, 1)
646 FIELD(CSR, READY_FOR_DATA, 8, 1)
647 FIELD(CSR, CURRENT_STATE, 9, 4)
648 FIELD(CSR, ERASE_RESET, 13, 1)
649 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
650 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
651 FIELD(CSR, CSD_OVERWRITE, 16, 1)
652 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
653 FIELD(CSR, ERROR, 19, 1)
654 FIELD(CSR, CC_ERROR, 20, 1)
655 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
656 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
657 FIELD(CSR, COM_CRC_ERROR, 23, 1)
658 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
659 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
660 FIELD(CSR, WP_VIOLATION, 26, 1)
661 FIELD(CSR, ERASE_PARAM, 27, 1)
662 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
663 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
664 FIELD(CSR, ADDRESS_ERROR, 30, 1)
665 FIELD(CSR, OUT_OF_RANGE, 31, 1)
666
667 /* Card status bits, split by clear condition:
668 * A : According to the card current state
669 * B : Always related to the previous command
670 * C : Cleared by read
671 */
672 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
673 | R_CSR_CARD_ECC_DISABLED_MASK \
674 | R_CSR_CARD_IS_LOCKED_MASK)
675 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
676 | R_CSR_ILLEGAL_COMMAND_MASK \
677 | R_CSR_COM_CRC_ERROR_MASK)
678 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
679 | R_CSR_APP_CMD_MASK \
680 | R_CSR_ERASE_RESET_MASK \
681 | R_CSR_WP_ERASE_SKIP_MASK \
682 | R_CSR_CSD_OVERWRITE_MASK \
683 | R_CSR_ERROR_MASK \
684 | R_CSR_CC_ERROR_MASK \
685 | R_CSR_CARD_ECC_FAILED_MASK \
686 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
687 | R_CSR_WP_VIOLATION_MASK \
688 | R_CSR_ERASE_PARAM_MASK \
689 | R_CSR_ERASE_SEQ_ERROR_MASK \
690 | R_CSR_BLOCK_LEN_ERROR_MASK \
691 | R_CSR_ADDRESS_ERROR_MASK \
692 | R_CSR_OUT_OF_RANGE_MASK)
693
694 static void sd_set_cardstatus(SDState *sd)
695 {
696 sd->card_status = READY_FOR_DATA;
697 }
698
699 static void sd_set_sdstatus(SDState *sd)
700 {
701 memset(sd->sd_status, 0, 64);
702 }
703
704 static const uint8_t sd_tuning_block_pattern4[64] = {
705 /*
706 * See: Physical Layer Simplified Specification Version 3.01,
707 * Table 4-2.
708 */
709 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
710 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
711 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
712 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
713 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
714 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
715 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
716 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde
717 };
718
719 static int sd_req_crc_validate(SDRequest *req)
720 {
721 uint8_t buffer[5];
722 buffer[0] = 0x40 | req->cmd;
723 stl_be_p(&buffer[1], req->arg);
724 return 0;
725 return sd_crc7(buffer, 5) != req->crc; /* TODO */
726 }
727
728 static void sd_response_r1_make(SDState *sd, uint8_t *response)
729 {
730 stl_be_p(response, sd->card_status);
731
732 /* Clear the "clear on read" status bits */
733 sd->card_status &= ~CARD_STATUS_C;
734 }
735
736 static void sd_response_r3_make(SDState *sd, uint8_t *response)
737 {
738 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
739 }
740
741 static void sd_response_r6_make(SDState *sd, uint8_t *response)
742 {
743 uint16_t status;
744
745 status = ((sd->card_status >> 8) & 0xc000) |
746 ((sd->card_status >> 6) & 0x2000) |
747 (sd->card_status & 0x1fff);
748 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
749 stw_be_p(response + 0, sd->rca);
750 stw_be_p(response + 2, status);
751 }
752
753 static void sd_response_r7_make(SDState *sd, uint8_t *response)
754 {
755 stl_be_p(response, sd->vhs);
756 }
757
758 static uint32_t sd_blk_len(SDState *sd)
759 {
760 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
761 return 1 << HWBLOCK_SHIFT;
762 }
763 return sd->blk_len;
764 }
765
766 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
767 {
768 uint64_t addr;
769
770 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
771 addr = (uint64_t) req.arg << HWBLOCK_SHIFT;
772 } else {
773 addr = req.arg;
774 }
775 trace_sdcard_req_addr(req.arg, addr);
776 return addr;
777 }
778
779 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
780 {
781 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
782 }
783
784 static void sd_reset(DeviceState *dev)
785 {
786 SDState *sd = SDMMC_COMMON(dev);
787 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd);
788 uint64_t size;
789 uint64_t sect;
790
791 trace_sdcard_reset();
792 if (sd->blk) {
793 blk_get_geometry(sd->blk, &sect);
794 } else {
795 sect = 0;
796 }
797 size = sect << HWBLOCK_SHIFT;
798
799 sect = sd_addr_to_wpnum(size) + 1;
800
801 sd->state = sd_idle_state;
802
803 /* card registers */
804 sd->rca = sd_is_emmc(sd) ? 0x0001 : 0x0000;
805 sd->size = size;
806 sd_set_ocr(sd);
807 sd_set_scr(sd);
808 sc->set_cid(sd);
809 sc->set_csd(sd, size);
810 sd_set_cardstatus(sd);
811 sd_set_sdstatus(sd);
812
813 g_free(sd->wp_group_bmap);
814 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
815 sd->wp_group_bits = sect;
816 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
817 memset(sd->function_group, 0, sizeof(sd->function_group));
818 sd->erase_start = INVALID_ADDRESS;
819 sd->erase_end = INVALID_ADDRESS;
820 sd->blk_len = 0x200;
821 sd->pwd_len = 0;
822 sd->expecting_acmd = false;
823 sd->dat_lines = 0xf;
824 sd->cmd_line = true;
825 sd->multi_blk_cnt = 0;
826 }
827
828 static bool sd_get_inserted(SDState *sd)
829 {
830 return sd->blk && blk_is_inserted(sd->blk);
831 }
832
833 static bool sd_get_readonly(SDState *sd)
834 {
835 return sd->wp_switch;
836 }
837
838 static void sd_cardchange(void *opaque, bool load, Error **errp)
839 {
840 SDState *sd = opaque;
841 DeviceState *dev = DEVICE(sd);
842 SDBus *sdbus;
843 bool inserted = sd_get_inserted(sd);
844 bool readonly = sd_get_readonly(sd);
845
846 if (inserted) {
847 trace_sdcard_inserted(readonly);
848 sd_reset(dev);
849 } else {
850 trace_sdcard_ejected();
851 }
852
853 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
854 qemu_set_irq(sd->inserted_cb, inserted);
855 if (inserted) {
856 qemu_set_irq(sd->readonly_cb, readonly);
857 }
858 } else {
859 sdbus = SD_BUS(qdev_get_parent_bus(dev));
860 sdbus_set_inserted(sdbus, inserted);
861 if (inserted) {
862 sdbus_set_readonly(sdbus, readonly);
863 }
864 }
865 }
866
867 static const BlockDevOps sd_block_ops = {
868 .change_media_cb = sd_cardchange,
869 };
870
871 static bool sd_ocr_vmstate_needed(void *opaque)
872 {
873 SDState *sd = opaque;
874
875 /* Include the OCR state (and timer) if it is not yet powered up */
876 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
877 }
878
879 static const VMStateDescription sd_ocr_vmstate = {
880 .name = "sd-card/ocr-state",
881 .version_id = 1,
882 .minimum_version_id = 1,
883 .needed = sd_ocr_vmstate_needed,
884 .fields = (const VMStateField[]) {
885 VMSTATE_UINT32(ocr, SDState),
886 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
887 VMSTATE_END_OF_LIST()
888 },
889 };
890
891 static bool vmstate_needed_for_emmc(void *opaque)
892 {
893 SDState *sd = opaque;
894
895 return sd_is_emmc(sd);
896 }
897
898 static const VMStateDescription emmc_extcsd_vmstate = {
899 .name = "sd-card/ext_csd_modes-state",
900 .version_id = 1,
901 .minimum_version_id = 1,
902 .needed = vmstate_needed_for_emmc,
903 .fields = (const VMStateField[]) {
904 VMSTATE_UINT8_ARRAY(ext_csd_rw, SDState, 192),
905 VMSTATE_END_OF_LIST()
906 },
907 };
908
909 static int sd_vmstate_pre_load(void *opaque)
910 {
911 SDState *sd = opaque;
912
913 /* If the OCR state is not included (prior versions, or not
914 * needed), then the OCR must be set as powered up. If the OCR state
915 * is included, this will be replaced by the state restore.
916 */
917 sd_ocr_powerup(sd);
918
919 return 0;
920 }
921
922 static const VMStateDescription sd_vmstate = {
923 .name = "sd-card",
924 .version_id = 2,
925 .minimum_version_id = 2,
926 .pre_load = sd_vmstate_pre_load,
927 .fields = (const VMStateField[]) {
928 VMSTATE_UINT32(mode, SDState),
929 VMSTATE_INT32(state, SDState),
930 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
931 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
932 VMSTATE_UINT16(rca, SDState),
933 VMSTATE_UINT32(card_status, SDState),
934 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
935 VMSTATE_UINT32(vhs, SDState),
936 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
937 VMSTATE_UINT32(blk_len, SDState),
938 VMSTATE_UINT32(multi_blk_cnt, SDState),
939 VMSTATE_UINT32(erase_start, SDState),
940 VMSTATE_UINT32(erase_end, SDState),
941 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
942 VMSTATE_UINT32(pwd_len, SDState),
943 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
944 VMSTATE_UINT8(current_cmd, SDState),
945 VMSTATE_BOOL(expecting_acmd, SDState),
946 VMSTATE_UINT32(blk_written, SDState),
947 VMSTATE_UINT64(data_start, SDState),
948 VMSTATE_UINT32(data_offset, SDState),
949 VMSTATE_UINT8_ARRAY(data, SDState, 512),
950 VMSTATE_UNUSED_V(1, 512),
951 VMSTATE_BOOL(enable, SDState),
952 VMSTATE_END_OF_LIST()
953 },
954 .subsections = (const VMStateDescription * const []) {
955 &sd_ocr_vmstate,
956 &emmc_extcsd_vmstate,
957 NULL
958 },
959 };
960
961 /* Legacy initialization function for use by non-qdevified callers */
962 SDState *sd_init(BlockBackend *blk, bool is_spi)
963 {
964 Object *obj;
965 DeviceState *dev;
966 SDState *sd;
967 Error *err = NULL;
968
969 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
970 dev = DEVICE(obj);
971 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
972 error_reportf_err(err, "sd_init failed: ");
973 return NULL;
974 }
975
976 /*
977 * Realizing the device properly would put it into the QOM
978 * composition tree even though it is not plugged into an
979 * appropriate bus. That's a no-no. Hide the device from
980 * QOM/qdev, and call its qdev realize callback directly.
981 */
982 object_ref(obj);
983 object_unparent(obj);
984 sd_realize(dev, &err);
985 if (err) {
986 error_reportf_err(err, "sd_init failed: ");
987 return NULL;
988 }
989
990 sd = SD_CARD(dev);
991 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
992 return sd;
993 }
994
995 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
996 {
997 sd->readonly_cb = readonly;
998 sd->inserted_cb = insert;
999 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
1000 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
1001 }
1002
1003 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1004 {
1005 trace_sdcard_read_block(addr, len);
1006 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
1007 fprintf(stderr, "sd_blk_read: read error on host side\n");
1008 }
1009 }
1010
1011 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1012 {
1013 trace_sdcard_write_block(addr, len);
1014 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
1015 fprintf(stderr, "sd_blk_write: write error on host side\n");
1016 }
1017 }
1018
1019 static void sd_erase(SDState *sd)
1020 {
1021 uint64_t erase_start = sd->erase_start;
1022 uint64_t erase_end = sd->erase_end;
1023 bool sdsc = true;
1024 uint64_t wpnum;
1025 uint64_t erase_addr;
1026 int erase_len = 1 << HWBLOCK_SHIFT;
1027
1028 trace_sdcard_erase(sd->erase_start, sd->erase_end);
1029 if (sd->erase_start == INVALID_ADDRESS
1030 || sd->erase_end == INVALID_ADDRESS) {
1031 sd->card_status |= ERASE_SEQ_ERROR;
1032 sd->erase_start = INVALID_ADDRESS;
1033 sd->erase_end = INVALID_ADDRESS;
1034 return;
1035 }
1036
1037 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1038 /* High capacity memory card: erase units are 512 byte blocks */
1039 erase_start <<= HWBLOCK_SHIFT;
1040 erase_end <<= HWBLOCK_SHIFT;
1041 sdsc = false;
1042 }
1043
1044 if (erase_start > sd->size || erase_end > sd->size) {
1045 sd->card_status |= OUT_OF_RANGE;
1046 sd->erase_start = INVALID_ADDRESS;
1047 sd->erase_end = INVALID_ADDRESS;
1048 return;
1049 }
1050
1051 sd->erase_start = INVALID_ADDRESS;
1052 sd->erase_end = INVALID_ADDRESS;
1053 sd->csd[14] |= 0x40;
1054
1055 memset(sd->data, 0xff, erase_len);
1056 for (erase_addr = erase_start; erase_addr <= erase_end;
1057 erase_addr += erase_len) {
1058 if (sdsc) {
1059 /* Only SDSC cards support write protect groups */
1060 wpnum = sd_addr_to_wpnum(erase_addr);
1061 assert(wpnum < sd->wp_group_bits);
1062 if (test_bit(wpnum, sd->wp_group_bmap)) {
1063 sd->card_status |= WP_ERASE_SKIP;
1064 continue;
1065 }
1066 }
1067 sd_blk_write(sd, erase_addr, erase_len);
1068 }
1069 }
1070
1071 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
1072 {
1073 uint32_t i, wpnum;
1074 uint32_t ret = 0;
1075
1076 wpnum = sd_addr_to_wpnum(addr);
1077
1078 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
1079 if (addr >= sd->size) {
1080 /*
1081 * If the addresses of the last groups are outside the valid range,
1082 * then the corresponding write protection bits shall be set to 0.
1083 */
1084 continue;
1085 }
1086 assert(wpnum < sd->wp_group_bits);
1087 if (test_bit(wpnum, sd->wp_group_bmap)) {
1088 ret |= (1 << i);
1089 }
1090 }
1091
1092 return ret;
1093 }
1094
1095 enum ExtCsdAccessMode {
1096 EXT_CSD_ACCESS_MODE_COMMAND_SET = 0,
1097 EXT_CSD_ACCESS_MODE_SET_BITS = 1,
1098 EXT_CSD_ACCESS_MODE_CLEAR_BITS = 2,
1099 EXT_CSD_ACCESS_MODE_WRITE_BYTE = 3
1100 };
1101
1102 static void emmc_function_switch(SDState *sd, uint32_t arg)
1103 {
1104 uint8_t access = extract32(arg, 24, 2);
1105 uint8_t index = extract32(arg, 16, 8);
1106 uint8_t value = extract32(arg, 8, 8);
1107 uint8_t b = sd->ext_csd[index];
1108
1109 trace_sdcard_switch(access, index, value, extract32(arg, 0, 2));
1110
1111 if (index >= 192) {
1112 qemu_log_mask(LOG_GUEST_ERROR, "MMC switching illegal offset\n");
1113 sd->card_status |= R_CSR_SWITCH_ERROR_MASK;
1114 return;
1115 }
1116
1117 switch (access) {
1118 case EXT_CSD_ACCESS_MODE_COMMAND_SET:
1119 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n");
1120 return;
1121 case EXT_CSD_ACCESS_MODE_SET_BITS:
1122 b |= value;
1123 break;
1124 case EXT_CSD_ACCESS_MODE_CLEAR_BITS:
1125 b &= ~value;
1126 break;
1127 case EXT_CSD_ACCESS_MODE_WRITE_BYTE:
1128 b = value;
1129 break;
1130 }
1131
1132 trace_sdcard_ext_csd_update(index, sd->ext_csd[index], b);
1133 sd->ext_csd[index] = b;
1134 }
1135
1136 static void sd_function_switch(SDState *sd, uint32_t arg)
1137 {
1138 int i, mode, new_func;
1139 mode = !!(arg & 0x80000000);
1140
1141 sd->data[0] = 0x00; /* Maximum current consumption */
1142 sd->data[1] = 0x01;
1143 sd->data[2] = 0x80; /* Supported group 6 functions */
1144 sd->data[3] = 0x01;
1145 sd->data[4] = 0x80; /* Supported group 5 functions */
1146 sd->data[5] = 0x01;
1147 sd->data[6] = 0x80; /* Supported group 4 functions */
1148 sd->data[7] = 0x01;
1149 sd->data[8] = 0x80; /* Supported group 3 functions */
1150 sd->data[9] = 0x01;
1151 sd->data[10] = 0x80; /* Supported group 2 functions */
1152 sd->data[11] = 0x43;
1153 sd->data[12] = 0x80; /* Supported group 1 functions */
1154 sd->data[13] = 0x03;
1155
1156 memset(&sd->data[14], 0, 3);
1157 for (i = 0; i < 6; i ++) {
1158 new_func = (arg >> (i * 4)) & 0x0f;
1159 if (mode && new_func != 0x0f)
1160 sd->function_group[i] = new_func;
1161 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
1162 }
1163 memset(&sd->data[17], 0, 47);
1164 }
1165
1166 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
1167 {
1168 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1169 }
1170
1171 static void sd_lock_command(SDState *sd)
1172 {
1173 int erase, lock, clr_pwd, set_pwd, pwd_len;
1174 erase = !!(sd->data[0] & 0x08);
1175 lock = sd->data[0] & 0x04;
1176 clr_pwd = sd->data[0] & 0x02;
1177 set_pwd = sd->data[0] & 0x01;
1178
1179 if (sd->blk_len > 1)
1180 pwd_len = sd->data[1];
1181 else
1182 pwd_len = 0;
1183
1184 if (lock) {
1185 trace_sdcard_lock();
1186 } else {
1187 trace_sdcard_unlock();
1188 }
1189 if (erase) {
1190 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
1191 set_pwd || clr_pwd || lock || sd->wp_switch ||
1192 (sd->csd[14] & 0x20)) {
1193 sd->card_status |= LOCK_UNLOCK_FAILED;
1194 return;
1195 }
1196 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
1197 sd->csd[14] &= ~0x10;
1198 sd->card_status &= ~CARD_IS_LOCKED;
1199 sd->pwd_len = 0;
1200 /* Erasing the entire card here! */
1201 fprintf(stderr, "SD: Card force-erased by CMD42\n");
1202 return;
1203 }
1204
1205 if (sd->blk_len < 2 + pwd_len ||
1206 pwd_len <= sd->pwd_len ||
1207 pwd_len > sd->pwd_len + 16) {
1208 sd->card_status |= LOCK_UNLOCK_FAILED;
1209 return;
1210 }
1211
1212 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
1213 sd->card_status |= LOCK_UNLOCK_FAILED;
1214 return;
1215 }
1216
1217 pwd_len -= sd->pwd_len;
1218 if ((pwd_len && !set_pwd) ||
1219 (clr_pwd && (set_pwd || lock)) ||
1220 (lock && !sd->pwd_len && !set_pwd) ||
1221 (!set_pwd && !clr_pwd &&
1222 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1223 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1224 sd->card_status |= LOCK_UNLOCK_FAILED;
1225 return;
1226 }
1227
1228 if (set_pwd) {
1229 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1230 sd->pwd_len = pwd_len;
1231 }
1232
1233 if (clr_pwd) {
1234 sd->pwd_len = 0;
1235 }
1236
1237 if (lock)
1238 sd->card_status |= CARD_IS_LOCKED;
1239 else
1240 sd->card_status &= ~CARD_IS_LOCKED;
1241 }
1242
1243 static bool address_in_range(SDState *sd, const char *desc,
1244 uint64_t addr, uint32_t length)
1245 {
1246 if (addr + length > sd->size) {
1247 qemu_log_mask(LOG_GUEST_ERROR,
1248 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1249 desc, addr, sd->size, length);
1250 sd->card_status |= ADDRESS_ERROR;
1251 return false;
1252 }
1253 return true;
1254 }
1255
1256 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1257 {
1258 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1259 sd->proto->name, req.cmd, sd_state_name(sd->state),
1260 sd_version_str(sd->spec_version));
1261
1262 return sd_illegal;
1263 }
1264
1265 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
1266 {
1267 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
1268 sd->proto->name, req.cmd, sd_mode_name(sd->mode),
1269 sd_version_str(sd->spec_version));
1270
1271 return sd_illegal;
1272 }
1273
1274 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1275 {
1276 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1277 sd->proto->name, req.cmd,
1278 sd_version_str(sd->spec_version));
1279
1280 return sd_illegal;
1281 }
1282
1283 /* Commands that are recognised but not yet implemented. */
1284 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1285 {
1286 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1287 sd->proto->name, req.cmd);
1288
1289 return sd_illegal;
1290 }
1291
1292 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req)
1293 {
1294 qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n",
1295 sd->proto->name, req.cmd);
1296
1297 return sd_illegal;
1298 }
1299
1300 /* Configure fields for following sd_generic_write_byte() calls */
1301 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req,
1302 uint64_t start, size_t size)
1303 {
1304 if (sd->state != sd_transfer_state) {
1305 return sd_invalid_state_for_cmd(sd, req);
1306 }
1307 sd->state = sd_receivingdata_state;
1308 sd->data_start = start;
1309 sd->data_offset = 0;
1310 /* sd->data[] used as receive buffer */
1311 sd->data_size = size ?: sizeof(sd->data);
1312 return sd_r1;
1313 }
1314
1315 /* Configure fields for following sd_generic_read_byte() calls */
1316 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req,
1317 uint64_t start,
1318 const void *data, size_t size)
1319 {
1320 if (sd->state != sd_transfer_state) {
1321 sd_invalid_state_for_cmd(sd, req);
1322 }
1323
1324 sd->state = sd_sendingdata_state;
1325 sd->data_start = start;
1326 sd->data_offset = 0;
1327 if (data) {
1328 assert(size > 0 && size <= sizeof(sd->data));
1329 memcpy(sd->data, data, size);
1330 }
1331 if (size) {
1332 sd->data_size = size;
1333 }
1334 return sd_r1;
1335 }
1336
1337 /* CMD0 */
1338 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1339 {
1340 if (sd->state == sd_sleep_state) {
1341 switch (req.arg) {
1342 case 0x00000000:
1343 case 0xf0f0f0f0:
1344 break;
1345 default:
1346 return sd_r0;
1347 }
1348 }
1349 if (sd->state != sd_inactive_state) {
1350 sd->state = sd_idle_state;
1351 sd_reset(DEVICE(sd));
1352 }
1353
1354 return sd_is_spi(sd) ? sd_r1 : sd_r0;
1355 }
1356
1357 /* CMD1 */
1358 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1359 {
1360 sd->state = sd_transfer_state;
1361
1362 return sd_r1;
1363 }
1364
1365 /* CMD2 */
1366 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1367 {
1368 switch (sd->state) {
1369 case sd_ready_state:
1370 sd->state = sd_identification_state;
1371 return sd_r2_i;
1372 default:
1373 return sd_invalid_state_for_cmd(sd, req);
1374 }
1375 }
1376
1377 /* CMD3 */
1378 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1379 {
1380 uint16_t random_rca;
1381
1382 switch (sd->state) {
1383 case sd_identification_state:
1384 case sd_standby_state:
1385 sd->state = sd_standby_state;
1386 qemu_guest_getrandom_nofail(&random_rca, sizeof(random_rca));
1387 sd_set_rca(sd, random_rca);
1388 return sd_r6;
1389
1390 default:
1391 return sd_invalid_state_for_cmd(sd, req);
1392 }
1393 }
1394
1395 static sd_rsp_type_t emmc_cmd_SET_RELATIVE_ADDR(SDState *sd, SDRequest req)
1396 {
1397 switch (sd->state) {
1398 case sd_identification_state:
1399 case sd_standby_state:
1400 sd->state = sd_standby_state;
1401 sd_set_rca(sd, req.arg >> 16);
1402 return sd_r1;
1403
1404 default:
1405 return sd_invalid_state_for_cmd(sd, req);
1406 }
1407 }
1408
1409 /* CMD5 */
1410 static sd_rsp_type_t emmc_cmd_sleep_awake(SDState *sd, SDRequest req)
1411 {
1412 bool do_sleep = extract32(req.arg, 15, 1);
1413
1414 switch (sd->state) {
1415 case sd_sleep_state:
1416 if (!do_sleep) {
1417 /* Awake */
1418 sd->state = sd_standby_state;
1419 }
1420 return sd_r1b;
1421
1422 case sd_standby_state:
1423 if (do_sleep) {
1424 sd->state = sd_sleep_state;
1425 }
1426 return sd_r1b;
1427
1428 default:
1429 return sd_invalid_state_for_cmd(sd, req);
1430 }
1431 }
1432
1433 /* CMD6 */
1434 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req)
1435 {
1436 if (sd->mode != sd_data_transfer_mode) {
1437 return sd_invalid_mode_for_cmd(sd, req);
1438 }
1439 if (sd->state != sd_transfer_state) {
1440 return sd_invalid_state_for_cmd(sd, req);
1441 }
1442
1443 sd_function_switch(sd, req.arg);
1444 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64);
1445 }
1446
1447 static sd_rsp_type_t emmc_cmd_SWITCH(SDState *sd, SDRequest req)
1448 {
1449 switch (sd->state) {
1450 case sd_transfer_state:
1451 sd->state = sd_programming_state;
1452 emmc_function_switch(sd, req.arg);
1453 sd->state = sd_transfer_state;
1454 return sd_r1b;
1455 default:
1456 return sd_invalid_state_for_cmd(sd, req);
1457 }
1458 }
1459
1460 /* CMD7 */
1461 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req)
1462 {
1463 bool same_rca = sd_req_rca_same(sd, req);
1464
1465 switch (sd->state) {
1466 case sd_standby_state:
1467 if (!same_rca) {
1468 return sd_r0;
1469 }
1470 sd->state = sd_transfer_state;
1471 return sd_r1b;
1472
1473 case sd_transfer_state:
1474 case sd_sendingdata_state:
1475 if (same_rca) {
1476 break;
1477 }
1478 sd->state = sd_standby_state;
1479 return sd_r1b;
1480
1481 case sd_disconnect_state:
1482 if (!same_rca) {
1483 return sd_r0;
1484 }
1485 sd->state = sd_programming_state;
1486 return sd_r1b;
1487
1488 case sd_programming_state:
1489 if (same_rca) {
1490 break;
1491 }
1492 sd->state = sd_disconnect_state;
1493 return sd_r1b;
1494
1495 default:
1496 break;
1497 }
1498 return sd_invalid_state_for_cmd(sd, req);
1499 }
1500
1501 /* CMD8 */
1502 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req)
1503 {
1504 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1505 return sd_cmd_illegal(sd, req);
1506 }
1507 if (sd->state != sd_idle_state) {
1508 return sd_invalid_state_for_cmd(sd, req);
1509 }
1510 sd->vhs = 0;
1511
1512 /* No response if not exactly one VHS bit is set. */
1513 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1514 return sd_is_spi(sd) ? sd_r7 : sd_r0;
1515 }
1516
1517 /* Accept. */
1518 sd->vhs = req.arg;
1519 return sd_r7;
1520 }
1521
1522 /* CMD8 */
1523 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req)
1524 {
1525 if (sd->state != sd_transfer_state) {
1526 return sd_invalid_state_for_cmd(sd, req);
1527 }
1528
1529 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1530 sd->ext_csd, sizeof(sd->ext_csd));
1531 }
1532
1533 /* CMD9 */
1534 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req)
1535 {
1536 if (sd->state != sd_standby_state) {
1537 return sd_invalid_state_for_cmd(sd, req);
1538 }
1539 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1540 sd->csd, 16);
1541 }
1542
1543 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req)
1544 {
1545 if (sd->state != sd_standby_state) {
1546 return sd_invalid_state_for_cmd(sd, req);
1547 }
1548
1549 return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0;
1550 }
1551
1552 /* CMD10 */
1553 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req)
1554 {
1555 if (sd->state != sd_standby_state) {
1556 return sd_invalid_state_for_cmd(sd, req);
1557 }
1558 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1559 sd->cid, 16);
1560 }
1561
1562 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req)
1563 {
1564 if (sd->state != sd_standby_state) {
1565 return sd_invalid_state_for_cmd(sd, req);
1566 }
1567
1568 return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0;
1569 }
1570
1571 /* CMD12 */
1572 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req)
1573 {
1574 switch (sd->state) {
1575 case sd_sendingdata_state:
1576 sd->state = sd_transfer_state;
1577 return sd_r1b;
1578 case sd_receivingdata_state:
1579 sd->state = sd_programming_state;
1580 /* Bzzzzzzztt .... Operation complete. */
1581 sd->state = sd_transfer_state;
1582 return sd_r1;
1583 default:
1584 return sd_invalid_state_for_cmd(sd, req);
1585 }
1586 }
1587
1588 /* CMD13 */
1589 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req)
1590 {
1591 if (sd->mode != sd_data_transfer_mode) {
1592 return sd_invalid_mode_for_cmd(sd, req);
1593 }
1594
1595 switch (sd->state) {
1596 case sd_standby_state:
1597 case sd_transfer_state:
1598 case sd_sendingdata_state:
1599 case sd_receivingdata_state:
1600 case sd_programming_state:
1601 case sd_disconnect_state:
1602 break;
1603 default:
1604 return sd_invalid_state_for_cmd(sd, req);
1605 }
1606
1607 if (sd_is_spi(sd)) {
1608 return sd_r2_s;
1609 }
1610
1611 return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0;
1612 }
1613
1614 /* CMD15 */
1615 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req)
1616 {
1617 if (sd->mode != sd_data_transfer_mode) {
1618 return sd_invalid_mode_for_cmd(sd, req);
1619 }
1620 switch (sd->state) {
1621 case sd_standby_state:
1622 case sd_transfer_state:
1623 case sd_sendingdata_state:
1624 case sd_receivingdata_state:
1625 case sd_programming_state:
1626 case sd_disconnect_state:
1627 break;
1628 default:
1629 return sd_invalid_state_for_cmd(sd, req);
1630 }
1631 if (sd_req_rca_same(sd, req)) {
1632 sd->state = sd_inactive_state;
1633 }
1634
1635 return sd_r0;
1636 }
1637
1638 /* CMD16 */
1639 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req)
1640 {
1641 if (sd->state != sd_transfer_state) {
1642 return sd_invalid_state_for_cmd(sd, req);
1643 }
1644 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1645 sd->card_status |= BLOCK_LEN_ERROR;
1646 } else {
1647 trace_sdcard_set_blocklen(req.arg);
1648 sd->blk_len = req.arg;
1649 }
1650
1651 return sd_r1;
1652 }
1653
1654 /* CMD17 */
1655 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req)
1656 {
1657 uint64_t addr;
1658
1659 if (sd->state != sd_transfer_state) {
1660 return sd_invalid_state_for_cmd(sd, req);
1661 }
1662
1663 addr = sd_req_get_address(sd, req);
1664 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) {
1665 return sd_r1;
1666 }
1667
1668 sd_blk_read(sd, addr, sd->blk_len);
1669 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len);
1670 }
1671
1672 /* CMD19 */
1673 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1674 {
1675 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1676 return sd_cmd_illegal(sd, req);
1677 }
1678
1679 return sd_cmd_to_sendingdata(sd, req, 0,
1680 sd_tuning_block_pattern4,
1681 sizeof(sd_tuning_block_pattern4));
1682 }
1683
1684 /* CMD23 */
1685 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1686 {
1687 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1688 return sd_cmd_illegal(sd, req);
1689 }
1690
1691 if (sd->state != sd_transfer_state) {
1692 return sd_invalid_state_for_cmd(sd, req);
1693 }
1694
1695 sd->multi_blk_cnt = req.arg;
1696 if (sd_is_emmc(sd)) {
1697 sd->multi_blk_cnt &= 0xffff;
1698 }
1699 trace_sdcard_set_block_count(sd->multi_blk_cnt);
1700
1701 return sd_r1;
1702 }
1703
1704 /* CMD24 */
1705 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req)
1706 {
1707 uint64_t addr;
1708
1709 if (sd->state != sd_transfer_state) {
1710 return sd_invalid_state_for_cmd(sd, req);
1711 }
1712
1713 addr = sd_req_get_address(sd, req);
1714 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) {
1715 return sd_r1;
1716 }
1717
1718 if (sd->size <= SDSC_MAX_CAPACITY) {
1719 if (sd_wp_addr(sd, addr)) {
1720 sd->card_status |= WP_VIOLATION;
1721 }
1722 }
1723 if (sd->csd[14] & 0x30) {
1724 sd->card_status |= WP_VIOLATION;
1725 }
1726
1727 sd->blk_written = 0;
1728 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len);
1729 }
1730
1731 /* CMD26 */
1732 static sd_rsp_type_t emmc_cmd_PROGRAM_CID(SDState *sd, SDRequest req)
1733 {
1734 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid));
1735 }
1736
1737 /* CMD27 */
1738 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req)
1739 {
1740 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd));
1741 }
1742
1743 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req,
1744 bool is_write)
1745 {
1746 uint64_t addr;
1747
1748 if (sd->size > SDSC_MAX_CAPACITY) {
1749 return sd_illegal;
1750 }
1751
1752 if (sd->state != sd_transfer_state) {
1753 return sd_invalid_state_for_cmd(sd, req);
1754 }
1755
1756 addr = sd_req_get_address(sd, req);
1757 if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT",
1758 addr, 1)) {
1759 return sd_r1b;
1760 }
1761
1762 sd->state = sd_programming_state;
1763 if (is_write) {
1764 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1765 } else {
1766 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1767 }
1768 /* Bzzzzzzztt .... Operation complete. */
1769 sd->state = sd_transfer_state;
1770 return sd_r1;
1771 }
1772
1773 /* CMD28 */
1774 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req)
1775 {
1776 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true);
1777 }
1778
1779 /* CMD29 */
1780 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req)
1781 {
1782 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false);
1783 }
1784
1785 /* CMD30 */
1786 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req)
1787 {
1788 uint64_t addr;
1789 uint32_t data;
1790
1791 if (sd->size > SDSC_MAX_CAPACITY) {
1792 return sd_illegal;
1793 }
1794
1795 if (sd->state != sd_transfer_state) {
1796 return sd_invalid_state_for_cmd(sd, req);
1797 }
1798
1799 addr = sd_req_get_address(sd, req);
1800 if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) {
1801 return sd_r1;
1802 }
1803
1804 data = sd_wpbits(sd, req.arg);
1805 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data));
1806 }
1807
1808 /* CMD32 */
1809 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req)
1810 {
1811 if (sd->state != sd_transfer_state) {
1812 return sd_invalid_state_for_cmd(sd, req);
1813 }
1814 sd->erase_start = req.arg;
1815 return sd_r1;
1816 }
1817
1818 /* CMD33 */
1819 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req)
1820 {
1821 if (sd->state != sd_transfer_state) {
1822 return sd_invalid_state_for_cmd(sd, req);
1823 }
1824 sd->erase_end = req.arg;
1825 return sd_r1;
1826 }
1827
1828 /* CMD38 */
1829 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req)
1830 {
1831 if (sd->state != sd_transfer_state) {
1832 return sd_invalid_state_for_cmd(sd, req);
1833 }
1834 if (sd->csd[14] & 0x30) {
1835 sd->card_status |= WP_VIOLATION;
1836 return sd_r1b;
1837 }
1838
1839 sd->state = sd_programming_state;
1840 sd_erase(sd);
1841 /* Bzzzzzzztt .... Operation complete. */
1842 sd->state = sd_transfer_state;
1843 return sd_r1b;
1844 }
1845
1846 /* CMD42 */
1847 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req)
1848 {
1849 return sd_cmd_to_receivingdata(sd, req, 0, 0);
1850 }
1851
1852 /* CMD55 */
1853 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req)
1854 {
1855 switch (sd->state) {
1856 case sd_ready_state:
1857 case sd_identification_state:
1858 case sd_inactive_state:
1859 case sd_sleep_state:
1860 return sd_invalid_state_for_cmd(sd, req);
1861 case sd_idle_state:
1862 if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) {
1863 qemu_log_mask(LOG_GUEST_ERROR,
1864 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1865 }
1866 /* fall-through */
1867 default:
1868 break;
1869 }
1870 if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) {
1871 return sd_r0;
1872 }
1873 sd->expecting_acmd = true;
1874 sd->card_status |= APP_CMD;
1875
1876 return sd_r1;
1877 }
1878
1879 /* CMD56 */
1880 static sd_rsp_type_t sd_cmd_GEN_CMD(SDState *sd, SDRequest req)
1881 {
1882 if (sd->state != sd_transfer_state) {
1883 return sd_invalid_state_for_cmd(sd, req);
1884 }
1885
1886 /* Vendor specific command: our model is RAZ/WI */
1887 if (req.arg & 1) {
1888 memset(sd->data, 0, sizeof(sd->data));
1889 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 0);
1890 } else {
1891 return sd_cmd_to_receivingdata(sd, req, 0, 0);
1892 }
1893 }
1894
1895 /* CMD58 */
1896 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req)
1897 {
1898 return sd_r3;
1899 }
1900
1901 /* CMD59 */
1902 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req)
1903 {
1904 return sd_r1;
1905 }
1906
1907 /* ACMD6 */
1908 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req)
1909 {
1910 if (sd->state != sd_transfer_state) {
1911 return sd_invalid_state_for_cmd(sd, req);
1912 }
1913
1914 sd->sd_status[0] &= 0x3f;
1915 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1916 return sd_r1;
1917 }
1918
1919 /* ACMD13 */
1920 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req)
1921 {
1922 return sd_cmd_to_sendingdata(sd, req, 0,
1923 sd->sd_status, sizeof(sd->sd_status));
1924 }
1925
1926 /* ACMD22 */
1927 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req)
1928 {
1929 return sd_cmd_to_sendingdata(sd, req, 0,
1930 &sd->blk_written, sizeof(sd->blk_written));
1931 }
1932
1933 /* ACMD23 */
1934 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req)
1935 {
1936 if (sd->state != sd_transfer_state) {
1937 return sd_invalid_state_for_cmd(sd, req);
1938 }
1939 return sd_r1;
1940 }
1941
1942 /* ACMD41 */
1943 static sd_rsp_type_t sd_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1944 {
1945 if (sd->state != sd_idle_state) {
1946 return sd_invalid_state_for_cmd(sd, req);
1947 }
1948
1949 /*
1950 * If it's the first ACMD41 since reset, we need to decide
1951 * whether to power up. If this is not an enquiry ACMD41,
1952 * we immediately report power on and proceed below to the
1953 * ready state, but if it is, we set a timer to model a
1954 * delay for power up. This works around a bug in EDK2
1955 * UEFI, which sends an initial enquiry ACMD41, but
1956 * assumes that the card is in ready state as soon as it
1957 * sees the power up bit set.
1958 */
1959 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1960 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1961 timer_del(sd->ocr_power_timer);
1962 sd_ocr_powerup(sd);
1963 } else {
1964 trace_sdcard_inquiry_cmd41();
1965 if (!timer_pending(sd->ocr_power_timer)) {
1966 timer_mod_ns(sd->ocr_power_timer,
1967 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1968 + OCR_POWER_DELAY_NS));
1969 }
1970 }
1971 }
1972
1973 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1974 /*
1975 * We accept any voltage. 10000 V is nothing.
1976 *
1977 * Once we're powered up, we advance straight to ready state
1978 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1979 */
1980 sd->state = sd_ready_state;
1981 }
1982
1983 return sd_r3;
1984 }
1985
1986 /* ACMD42 */
1987 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req)
1988 {
1989 if (sd->state != sd_transfer_state) {
1990 return sd_invalid_state_for_cmd(sd, req);
1991 }
1992
1993 /* Bringing in the 50KOhm pull-up resistor... Done. */
1994 return sd_r1;
1995 }
1996
1997 /* ACMD51 */
1998 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req)
1999 {
2000 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr));
2001 }
2002
2003 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
2004 {
2005 uint64_t addr;
2006
2007 sd->last_cmd_name = sd_cmd_name(sd, req.cmd);
2008 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
2009 * However there is no ACMD55, so we want to trace this particular case.
2010 */
2011 if (req.cmd != 55 || sd->expecting_acmd) {
2012 trace_sdcard_normal_command(sd->proto->name,
2013 sd->last_cmd_name, req.cmd,
2014 req.arg, sd_state_name(sd->state));
2015 }
2016
2017 /* Not interpreting this as an app command */
2018 sd->card_status &= ~APP_CMD;
2019
2020 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
2021 * if not, its effects are cancelled */
2022 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
2023 sd->multi_blk_cnt = 0;
2024 }
2025
2026 if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR,
2027 CARD_CAPACITY)) {
2028 /* Only Standard Capacity cards support class 6 commands */
2029 return sd_illegal;
2030 }
2031
2032 if (sd->proto->cmd[req.cmd].handler) {
2033 return sd->proto->cmd[req.cmd].handler(sd, req);
2034 }
2035
2036 switch (req.cmd) {
2037 /* Block read commands (Class 2) */
2038 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2039 addr = sd_req_get_address(sd, req);
2040 switch (sd->state) {
2041 case sd_transfer_state:
2042
2043 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
2044 return sd_r1;
2045 }
2046
2047 sd->state = sd_sendingdata_state;
2048 sd->data_start = addr;
2049 sd->data_offset = 0;
2050 return sd_r1;
2051
2052 default:
2053 break;
2054 }
2055 break;
2056
2057 /* Block write commands (Class 4) */
2058 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
2059 addr = sd_req_get_address(sd, req);
2060 switch (sd->state) {
2061 case sd_transfer_state:
2062
2063 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
2064 return sd_r1;
2065 }
2066
2067 sd->state = sd_receivingdata_state;
2068 sd->data_start = addr;
2069 sd->data_offset = 0;
2070 sd->blk_written = 0;
2071
2072 if (sd->size <= SDSC_MAX_CAPACITY) {
2073 if (sd_wp_addr(sd, sd->data_start)) {
2074 sd->card_status |= WP_VIOLATION;
2075 }
2076 }
2077 if (sd->csd[14] & 0x30) {
2078 sd->card_status |= WP_VIOLATION;
2079 }
2080 return sd_r1;
2081
2082 default:
2083 break;
2084 }
2085 break;
2086
2087 default:
2088 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
2089 return sd_illegal;
2090 }
2091
2092 return sd_invalid_state_for_cmd(sd, req);
2093 }
2094
2095 static sd_rsp_type_t sd_app_command(SDState *sd,
2096 SDRequest req)
2097 {
2098 sd->last_cmd_name = sd_acmd_name(sd, req.cmd);
2099 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name,
2100 req.cmd, req.arg, sd_state_name(sd->state));
2101 sd->card_status |= APP_CMD;
2102
2103 if (sd->proto->acmd[req.cmd].handler) {
2104 return sd->proto->acmd[req.cmd].handler(sd, req);
2105 }
2106
2107 switch (req.cmd) {
2108 case 18: /* Reserved for SD security applications */
2109 case 25:
2110 case 26:
2111 case 38:
2112 case 43 ... 49:
2113 /* Refer to the "SD Specifications Part3 Security Specification" for
2114 * information about the SD Security Features.
2115 */
2116 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
2117 req.cmd);
2118 return sd_illegal;
2119
2120 default:
2121 /* Fall back to standard commands. */
2122 return sd_normal_command(sd, req);
2123 }
2124
2125 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
2126 return sd_illegal;
2127 }
2128
2129 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
2130 {
2131 unsigned cmd_class;
2132
2133 /* Valid commands in locked state:
2134 * basic class (0)
2135 * lock card class (7)
2136 * CMD16
2137 * implicitly, the ACMD prefix CMD55
2138 * ACMD41 and ACMD42
2139 * Anything else provokes an "illegal command" response.
2140 */
2141 if (sd->expecting_acmd) {
2142 return cmd == 41 || cmd == 42;
2143 }
2144 if (cmd == 16 || cmd == 55) {
2145 return true;
2146 }
2147 if (!sd->proto->cmd[cmd].handler) {
2148 return false;
2149 }
2150 cmd_class = sd->proto->cmd[cmd].class;
2151
2152 return cmd_class == 0 || cmd_class == 7;
2153 }
2154
2155 int sd_do_command(SDState *sd, SDRequest *req,
2156 uint8_t *response) {
2157 int last_state;
2158 sd_rsp_type_t rtype;
2159 int rsplen;
2160
2161 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
2162 return 0;
2163 }
2164
2165 if (sd->state == sd_inactive_state) {
2166 rtype = sd_illegal;
2167 goto send_response;
2168 }
2169
2170 if (sd_req_crc_validate(req)) {
2171 sd->card_status |= COM_CRC_ERROR;
2172 rtype = sd_illegal;
2173 goto send_response;
2174 }
2175
2176 if (req->cmd >= SDMMC_CMD_MAX) {
2177 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
2178 req->cmd);
2179 req->cmd &= 0x3f;
2180 }
2181
2182 if (sd->state == sd_sleep_state && req->cmd) {
2183 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is sleeping\n");
2184 rtype = sd_r0;
2185 goto send_response;
2186 }
2187
2188 if (sd->card_status & CARD_IS_LOCKED) {
2189 if (!cmd_valid_while_locked(sd, req->cmd)) {
2190 sd->card_status |= ILLEGAL_COMMAND;
2191 sd->expecting_acmd = false;
2192 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
2193 rtype = sd_illegal;
2194 goto send_response;
2195 }
2196 }
2197
2198 last_state = sd->state;
2199 sd_set_mode(sd);
2200
2201 if (sd->expecting_acmd) {
2202 sd->expecting_acmd = false;
2203 rtype = sd_app_command(sd, *req);
2204 } else {
2205 rtype = sd_normal_command(sd, *req);
2206 }
2207
2208 if (rtype == sd_illegal) {
2209 sd->card_status |= ILLEGAL_COMMAND;
2210 } else {
2211 /* Valid command, we can update the 'state before command' bits.
2212 * (Do this now so they appear in r1 responses.)
2213 */
2214 sd->card_status = FIELD_DP32(sd->card_status, CSR,
2215 CURRENT_STATE, last_state);
2216 }
2217
2218 send_response:
2219 switch (rtype) {
2220 case sd_r1:
2221 case sd_r1b:
2222 sd_response_r1_make(sd, response);
2223 rsplen = 4;
2224 break;
2225
2226 case sd_r2_i:
2227 memcpy(response, sd->cid, sizeof(sd->cid));
2228 rsplen = 16;
2229 break;
2230
2231 case sd_r2_s:
2232 memcpy(response, sd->csd, sizeof(sd->csd));
2233 rsplen = 16;
2234 break;
2235
2236 case sd_r3:
2237 sd_response_r3_make(sd, response);
2238 rsplen = 4;
2239 break;
2240
2241 case sd_r6:
2242 sd_response_r6_make(sd, response);
2243 rsplen = 4;
2244 break;
2245
2246 case sd_r7:
2247 sd_response_r7_make(sd, response);
2248 rsplen = 4;
2249 break;
2250
2251 case sd_r0:
2252 /*
2253 * Invalid state transition, reset implementation
2254 * fields to avoid OOB abuse.
2255 */
2256 sd->data_start = 0;
2257 sd->data_offset = 0;
2258 /* fall-through */
2259 case sd_illegal:
2260 rsplen = 0;
2261 break;
2262 default:
2263 g_assert_not_reached();
2264 }
2265 trace_sdcard_response(sd_response_name(rtype), rsplen);
2266
2267 if (rtype != sd_illegal) {
2268 /* Clear the "clear on valid command" status bits now we've
2269 * sent any response
2270 */
2271 sd->card_status &= ~CARD_STATUS_B;
2272 }
2273
2274 #ifdef DEBUG_SD
2275 qemu_hexdump(stderr, "Response", response, rsplen);
2276 #endif
2277
2278 sd->current_cmd = rtype == sd_illegal ? 0 : req->cmd;
2279
2280 return rsplen;
2281 }
2282
2283 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */
2284 static bool sd_generic_write_byte(SDState *sd, uint8_t value)
2285 {
2286 sd->data[sd->data_offset] = value;
2287
2288 if (++sd->data_offset >= sd->data_size) {
2289 sd->state = sd_transfer_state;
2290 return true;
2291 }
2292 return false;
2293 }
2294
2295 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */
2296 static bool sd_generic_read_byte(SDState *sd, uint8_t *value)
2297 {
2298 *value = sd->data[sd->data_offset];
2299
2300 if (++sd->data_offset >= sd->data_size) {
2301 sd->state = sd_transfer_state;
2302 return true;
2303 }
2304
2305 return false;
2306 }
2307
2308 void sd_write_byte(SDState *sd, uint8_t value)
2309 {
2310 int i;
2311
2312 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2313 return;
2314
2315 if (sd->state != sd_receivingdata_state) {
2316 qemu_log_mask(LOG_GUEST_ERROR,
2317 "%s: not in Receiving-Data state\n", __func__);
2318 return;
2319 }
2320
2321 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2322 return;
2323
2324 trace_sdcard_write_data(sd->proto->name,
2325 sd->last_cmd_name,
2326 sd->current_cmd, sd->data_offset, value);
2327 switch (sd->current_cmd) {
2328 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
2329 if (sd_generic_write_byte(sd, value)) {
2330 /* TODO: Check CRC before committing */
2331 sd->state = sd_programming_state;
2332 sd_blk_write(sd, sd->data_start, sd->data_offset);
2333 sd->blk_written ++;
2334 sd->csd[14] |= 0x40;
2335 /* Bzzzzzzztt .... Operation complete. */
2336 sd->state = sd_transfer_state;
2337 }
2338 break;
2339
2340 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
2341 if (sd->data_offset == 0) {
2342 /* Start of the block - let's check the address is valid */
2343 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
2344 sd->data_start, sd->blk_len)) {
2345 break;
2346 }
2347 if (sd->size <= SDSC_MAX_CAPACITY) {
2348 if (sd_wp_addr(sd, sd->data_start)) {
2349 sd->card_status |= WP_VIOLATION;
2350 break;
2351 }
2352 }
2353 }
2354 sd->data[sd->data_offset++] = value;
2355 if (sd->data_offset >= sd->blk_len) {
2356 /* TODO: Check CRC before committing */
2357 sd->state = sd_programming_state;
2358 sd_blk_write(sd, sd->data_start, sd->data_offset);
2359 sd->blk_written++;
2360 sd->data_start += sd->blk_len;
2361 sd->data_offset = 0;
2362 sd->csd[14] |= 0x40;
2363
2364 /* Bzzzzzzztt .... Operation complete. */
2365 if (sd->multi_blk_cnt != 0) {
2366 if (--sd->multi_blk_cnt == 0) {
2367 /* Stop! */
2368 sd->state = sd_transfer_state;
2369 break;
2370 }
2371 }
2372
2373 sd->state = sd_receivingdata_state;
2374 }
2375 break;
2376
2377 case 26: /* CMD26: PROGRAM_CID */
2378 if (sd_generic_write_byte(sd, value)) {
2379 /* TODO: Check CRC before committing */
2380 sd->state = sd_programming_state;
2381 for (i = 0; i < sizeof(sd->cid); i ++)
2382 if ((sd->cid[i] | 0x00) != sd->data[i])
2383 sd->card_status |= CID_CSD_OVERWRITE;
2384
2385 if (!(sd->card_status & CID_CSD_OVERWRITE))
2386 for (i = 0; i < sizeof(sd->cid); i ++) {
2387 sd->cid[i] |= 0x00;
2388 sd->cid[i] &= sd->data[i];
2389 }
2390 /* Bzzzzzzztt .... Operation complete. */
2391 sd->state = sd_transfer_state;
2392 }
2393 break;
2394
2395 case 27: /* CMD27: PROGRAM_CSD */
2396 if (sd_generic_write_byte(sd, value)) {
2397 /* TODO: Check CRC before committing */
2398 sd->state = sd_programming_state;
2399 for (i = 0; i < sizeof(sd->csd); i ++)
2400 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
2401 (sd->data[i] | sd_csd_rw_mask[i]))
2402 sd->card_status |= CID_CSD_OVERWRITE;
2403
2404 /* Copy flag (OTP) & Permanent write protect */
2405 if (sd->csd[14] & ~sd->data[14] & 0x60)
2406 sd->card_status |= CID_CSD_OVERWRITE;
2407
2408 if (!(sd->card_status & CID_CSD_OVERWRITE))
2409 for (i = 0; i < sizeof(sd->csd); i ++) {
2410 sd->csd[i] |= sd_csd_rw_mask[i];
2411 sd->csd[i] &= sd->data[i];
2412 }
2413 /* Bzzzzzzztt .... Operation complete. */
2414 sd->state = sd_transfer_state;
2415 }
2416 break;
2417
2418 case 42: /* CMD42: LOCK_UNLOCK */
2419 if (sd_generic_write_byte(sd, value)) {
2420 /* TODO: Check CRC before committing */
2421 sd->state = sd_programming_state;
2422 sd_lock_command(sd);
2423 /* Bzzzzzzztt .... Operation complete. */
2424 sd->state = sd_transfer_state;
2425 }
2426 break;
2427
2428 case 56: /* CMD56: GEN_CMD */
2429 sd_generic_write_byte(sd, value);
2430 break;
2431
2432 default:
2433 g_assert_not_reached();
2434 }
2435 }
2436
2437 uint8_t sd_read_byte(SDState *sd)
2438 {
2439 /* TODO: Append CRCs */
2440 uint8_t ret;
2441 uint32_t io_len;
2442
2443 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2444 return 0x00;
2445
2446 if (sd->state != sd_sendingdata_state) {
2447 qemu_log_mask(LOG_GUEST_ERROR,
2448 "%s: not in Sending-Data state\n", __func__);
2449 return 0x00;
2450 }
2451
2452 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2453 return 0x00;
2454
2455 io_len = sd_blk_len(sd);
2456
2457 trace_sdcard_read_data(sd->proto->name,
2458 sd->last_cmd_name, sd->current_cmd,
2459 sd->data_offset, sd->data_size, io_len);
2460 switch (sd->current_cmd) {
2461 case 6: /* CMD6: SWITCH_FUNCTION */
2462 case 8: /* CMD8: SEND_EXT_CSD */
2463 case 9: /* CMD9: SEND_CSD */
2464 case 10: /* CMD10: SEND_CID */
2465 case 13: /* ACMD13: SD_STATUS */
2466 case 17: /* CMD17: READ_SINGLE_BLOCK */
2467 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2468 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2469 case 30: /* CMD30: SEND_WRITE_PROT */
2470 case 51: /* ACMD51: SEND_SCR */
2471 case 56: /* CMD56: GEN_CMD */
2472 sd_generic_read_byte(sd, &ret);
2473 break;
2474
2475 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2476 if (sd->data_offset == 0) {
2477 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2478 sd->data_start, io_len)) {
2479 return 0x00;
2480 }
2481 sd_blk_read(sd, sd->data_start, io_len);
2482 }
2483 ret = sd->data[sd->data_offset ++];
2484
2485 if (sd->data_offset >= io_len) {
2486 sd->data_start += io_len;
2487 sd->data_offset = 0;
2488
2489 if (sd->multi_blk_cnt != 0) {
2490 if (--sd->multi_blk_cnt == 0) {
2491 /* Stop! */
2492 sd->state = sd_transfer_state;
2493 break;
2494 }
2495 }
2496 }
2497 break;
2498
2499 default:
2500 g_assert_not_reached();
2501 }
2502
2503 return ret;
2504 }
2505
2506 static bool sd_receive_ready(SDState *sd)
2507 {
2508 return sd->state == sd_receivingdata_state;
2509 }
2510
2511 static bool sd_data_ready(SDState *sd)
2512 {
2513 return sd->state == sd_sendingdata_state;
2514 }
2515
2516 void sd_enable(SDState *sd, bool enable)
2517 {
2518 sd->enable = enable;
2519 }
2520
2521 static const SDProto sd_proto_spi = {
2522 .name = "SPI",
2523 .cmd = {
2524 [0] = {0, sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2525 [1] = {0, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND},
2526 [5] = {9, sd_spi, "IO_SEND_OP_COND", sd_cmd_optional},
2527 [6] = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2528 [8] = {0, sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2529 [9] = {0, sd_spi, "SEND_CSD", spi_cmd_SEND_CSD},
2530 [10] = {0, sd_spi, "SEND_CID", spi_cmd_SEND_CID},
2531 [12] = {0, sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2532 [13] = {0, sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS},
2533 [16] = {2, sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2534 [17] = {2, sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2535 [24] = {4, sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2536 [27] = {4, sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2537 [28] = {6, sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2538 [29] = {6, sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2539 [30] = {6, sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2540 [32] = {5, sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2541 [33] = {5, sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2542 [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional},
2543 [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional},
2544 [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional},
2545 [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2546 [38] = {5, sd_spi, "ERASE", sd_cmd_ERASE},
2547 [42] = {7, sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2548 [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional},
2549 [52] = {9, sd_spi, "IO_RW_DIRECT", sd_cmd_optional},
2550 [53] = {9, sd_spi, "IO_RW_EXTENDED", sd_cmd_optional},
2551 [55] = {8, sd_spi, "APP_CMD", sd_cmd_APP_CMD},
2552 [56] = {8, sd_spi, "GEN_CMD", sd_cmd_GEN_CMD},
2553 [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2554 [58] = {0, sd_spi, "READ_OCR", spi_cmd_READ_OCR},
2555 [59] = {0, sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF},
2556 },
2557 .acmd = {
2558 [13] = {8, sd_spi, "SD_STATUS", sd_acmd_SD_STATUS},
2559 [22] = {8, sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2560 [23] = {8, sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2561 [41] = {8, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND},
2562 [42] = {8, sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2563 [51] = {8, sd_spi, "SEND_SCR", sd_acmd_SEND_SCR},
2564 },
2565 };
2566
2567 static const SDProto sd_proto_sd = {
2568 .name = "SD",
2569 .cmd = {
2570 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2571 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2572 [3] = {0, sd_bcr, "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR},
2573 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented},
2574 [5] = {9, sd_bc, "IO_SEND_OP_COND", sd_cmd_optional},
2575 [6] = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2576 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD},
2577 [8] = {0, sd_bcr, "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2578 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD},
2579 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID},
2580 [11] = {0, sd_ac, "VOLTAGE_SWITCH", sd_cmd_optional},
2581 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2582 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS},
2583 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE},
2584 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2585 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2586 [19] = {2, sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK},
2587 [20] = {2, sd_ac, "SPEED_CLASS_CONTROL", sd_cmd_optional},
2588 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2589 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2590 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2591 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2592 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2593 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2594 [32] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2595 [33] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2596 [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional},
2597 [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional},
2598 [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional},
2599 [37] = {10, sd_ac, "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2600 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE},
2601 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2602 [43] = {1, sd_ac, "Q_MANAGEMENT", sd_cmd_optional},
2603 [44] = {1, sd_ac, "Q_TASK_INFO_A", sd_cmd_optional},
2604 [45] = {1, sd_ac, "Q_TASK_INFO_B", sd_cmd_optional},
2605 [46] = {1, sd_adtc, "Q_RD_TASK", sd_cmd_optional},
2606 [47] = {1, sd_adtc, "Q_WR_TASK", sd_cmd_optional},
2607 [48] = {1, sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional},
2608 [49] = {1, sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional},
2609 [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional},
2610 [52] = {9, sd_bc, "IO_RW_DIRECT", sd_cmd_optional},
2611 [53] = {9, sd_bc, "IO_RW_EXTENDED", sd_cmd_optional},
2612 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD},
2613 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD},
2614 [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2615 [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional},
2616 [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional},
2617 },
2618 .acmd = {
2619 [6] = {8, sd_ac, "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH},
2620 [13] = {8, sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS},
2621 [22] = {8, sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2622 [23] = {8, sd_ac, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2623 [41] = {8, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2624 [42] = {8, sd_ac, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2625 [51] = {8, sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR},
2626 },
2627 };
2628
2629 static const SDProto sd_proto_emmc = {
2630 /* Only v4.3 is supported */
2631 .name = "eMMC",
2632 .cmd = {
2633 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2634 [1] = {0, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2635 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2636 [3] = {0, sd_ac, "SET_RELATIVE_ADDR", emmc_cmd_SET_RELATIVE_ADDR},
2637 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented},
2638 [5] = {0, sd_ac, "SLEEP/AWAKE", emmc_cmd_sleep_awake},
2639 [6] = {10, sd_adtc, "SWITCH", emmc_cmd_SWITCH},
2640 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD},
2641 [8] = {0, sd_adtc, "SEND_EXT_CSD", emmc_cmd_SEND_EXT_CSD},
2642 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD},
2643 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID},
2644 [11] = {1, sd_adtc, "READ_DAT_UNTIL_STOP", sd_cmd_unimplemented},
2645 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2646 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS},
2647 [14] = {0, sd_adtc, "BUSTEST_R", sd_cmd_unimplemented},
2648 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE},
2649 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2650 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2651 [19] = {0, sd_adtc, "BUSTEST_W", sd_cmd_unimplemented},
2652 [20] = {3, sd_adtc, "WRITE_DAT_UNTIL_STOP", sd_cmd_unimplemented},
2653 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2654 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2655 [26] = {4, sd_adtc, "PROGRAM_CID", emmc_cmd_PROGRAM_CID},
2656 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2657 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2658 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2659 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2660 [31] = {6, sd_adtc, "SEND_WRITE_PROT_TYPE", sd_cmd_unimplemented},
2661 [35] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2662 [36] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2663 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE},
2664 [39] = {9, sd_ac, "FAST_IO", sd_cmd_unimplemented},
2665 [40] = {9, sd_bcr, "GO_IRQ_STATE", sd_cmd_unimplemented},
2666 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2667 [49] = {0, sd_adtc, "SET_TIME", sd_cmd_unimplemented},
2668 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD},
2669 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD},
2670 },
2671 };
2672
2673 static void sd_instance_init(Object *obj)
2674 {
2675 SDState *sd = SDMMC_COMMON(obj);
2676 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd);
2677
2678 sd->proto = sc->proto;
2679 sd->last_cmd_name = "UNSET";
2680 sd->enable = true;
2681 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2682 }
2683
2684 static void sd_instance_finalize(Object *obj)
2685 {
2686 SDState *sd = SDMMC_COMMON(obj);
2687
2688 timer_free(sd->ocr_power_timer);
2689 }
2690
2691 static void sd_realize(DeviceState *dev, Error **errp)
2692 {
2693 SDState *sd = SDMMC_COMMON(dev);
2694 int ret;
2695
2696 switch (sd->spec_version) {
2697 case SD_PHY_SPECv1_10_VERS
2698 ... SD_PHY_SPECv3_01_VERS:
2699 break;
2700 default:
2701 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2702 return;
2703 }
2704
2705 if (sd->blk) {
2706 int64_t blk_size;
2707
2708 if (!blk_supports_write_perm(sd->blk)) {
2709 error_setg(errp, "Cannot use read-only drive as SD card");
2710 return;
2711 }
2712
2713 blk_size = blk_getlength(sd->blk);
2714 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2715 int64_t blk_size_aligned = pow2ceil(blk_size);
2716 char *blk_size_str;
2717
2718 blk_size_str = size_to_str(blk_size);
2719 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2720 g_free(blk_size_str);
2721
2722 blk_size_str = size_to_str(blk_size_aligned);
2723 error_append_hint(errp,
2724 "SD card size has to be a power of 2, e.g. %s.\n"
2725 "You can resize disk images with"
2726 " 'qemu-img resize <imagefile> <new-size>'\n"
2727 "(note that this will lose data if you make the"
2728 " image smaller than it currently is).\n",
2729 blk_size_str);
2730 g_free(blk_size_str);
2731
2732 return;
2733 }
2734
2735 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2736 BLK_PERM_ALL, errp);
2737 if (ret < 0) {
2738 return;
2739 }
2740 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2741 }
2742 }
2743
2744 static void emmc_realize(DeviceState *dev, Error **errp)
2745 {
2746 SDState *sd = SDMMC_COMMON(dev);
2747
2748 sd->spec_version = SD_PHY_SPECv3_01_VERS; /* Actually v4.3 */
2749
2750 sd_realize(dev, errp);
2751 }
2752
2753 static Property sdmmc_common_properties[] = {
2754 DEFINE_PROP_DRIVE("drive", SDState, blk),
2755 DEFINE_PROP_END_OF_LIST()
2756 };
2757
2758 static Property sd_properties[] = {
2759 DEFINE_PROP_UINT8("spec_version", SDState,
2760 spec_version, SD_PHY_SPECv3_01_VERS),
2761 DEFINE_PROP_END_OF_LIST()
2762 };
2763
2764 static Property emmc_properties[] = {
2765 DEFINE_PROP_UINT64("boot-partition-size", SDState, boot_part_size, 0),
2766 DEFINE_PROP_END_OF_LIST()
2767 };
2768
2769 static void sdmmc_common_class_init(ObjectClass *klass, void *data)
2770 {
2771 DeviceClass *dc = DEVICE_CLASS(klass);
2772 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2773
2774 device_class_set_props(dc, sdmmc_common_properties);
2775 dc->vmsd = &sd_vmstate;
2776 dc->reset = sd_reset;
2777 dc->bus_type = TYPE_SD_BUS;
2778 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2779
2780 sc->set_voltage = sd_set_voltage;
2781 sc->get_dat_lines = sd_get_dat_lines;
2782 sc->get_cmd_line = sd_get_cmd_line;
2783 sc->do_command = sd_do_command;
2784 sc->write_byte = sd_write_byte;
2785 sc->read_byte = sd_read_byte;
2786 sc->receive_ready = sd_receive_ready;
2787 sc->data_ready = sd_data_ready;
2788 sc->enable = sd_enable;
2789 sc->get_inserted = sd_get_inserted;
2790 sc->get_readonly = sd_get_readonly;
2791 }
2792
2793 static void sd_class_init(ObjectClass *klass, void *data)
2794 {
2795 DeviceClass *dc = DEVICE_CLASS(klass);
2796 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2797
2798 dc->realize = sd_realize;
2799 device_class_set_props(dc, sd_properties);
2800
2801 sc->set_cid = sd_set_cid;
2802 sc->set_csd = sd_set_csd;
2803 sc->proto = &sd_proto_sd;
2804 }
2805
2806 /*
2807 * We do not model the chip select pin, so allow the board to select
2808 * whether card should be in SSI or MMC/SD mode. It is also up to the
2809 * board to ensure that ssi transfers only occur when the chip select
2810 * is asserted.
2811 */
2812 static void sd_spi_class_init(ObjectClass *klass, void *data)
2813 {
2814 DeviceClass *dc = DEVICE_CLASS(klass);
2815 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2816
2817 dc->desc = "SD SPI";
2818 sc->proto = &sd_proto_spi;
2819 }
2820
2821 static void emmc_class_init(ObjectClass *klass, void *data)
2822 {
2823 DeviceClass *dc = DEVICE_CLASS(klass);
2824 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2825
2826 dc->desc = "eMMC";
2827 dc->realize = emmc_realize;
2828 device_class_set_props(dc, emmc_properties);
2829 /* Reason: Soldered on board */
2830 dc->user_creatable = false;
2831
2832 sc->proto = &sd_proto_emmc;
2833
2834 sc->set_cid = emmc_set_cid;
2835 sc->set_csd = emmc_set_csd;
2836 }
2837
2838 static const TypeInfo sd_types[] = {
2839 {
2840 .name = TYPE_SDMMC_COMMON,
2841 .parent = TYPE_DEVICE,
2842 .abstract = true,
2843 .instance_size = sizeof(SDState),
2844 .class_size = sizeof(SDCardClass),
2845 .class_init = sdmmc_common_class_init,
2846 .instance_init = sd_instance_init,
2847 .instance_finalize = sd_instance_finalize,
2848 },
2849 {
2850 .name = TYPE_SD_CARD,
2851 .parent = TYPE_SDMMC_COMMON,
2852 .class_init = sd_class_init,
2853 },
2854 {
2855 .name = TYPE_SD_CARD_SPI,
2856 .parent = TYPE_SD_CARD,
2857 .class_init = sd_spi_class_init,
2858 },
2859 {
2860 .name = TYPE_EMMC,
2861 .parent = TYPE_SDMMC_COMMON,
2862 .class_init = emmc_class_init,
2863 },
2864 };
2865
2866 DEFINE_TYPES(sd_types)
armbru's QEMU hackery