search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/sd/sdcard: Convert SD_STATUS to generic_read_byte (ACMD13)
[qemu/armbru.git] / hw / sd / sd.c
blob0a65bd5a768e9117fe702002cc20bf9e8e9e1f6d
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state = 1,
81 sd_identification_state = 2,
82 sd_standby_state = 3,
83 sd_transfer_state = 4,
84 sd_sendingdata_state = 5,
85 sd_receivingdata_state = 6,
86 sd_programming_state = 7,
87 sd_disconnect_state = 8,
88 };
89
90 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
91
92 typedef struct SDProto {
93 const char *name;
94 sd_cmd_handler cmd[SDMMC_CMD_MAX];
95 sd_cmd_handler acmd[SDMMC_CMD_MAX];
96 } SDProto;
97
98 struct SDState {
99 DeviceState parent_obj;
100
101 /* If true, created by sd_init() for a non-qdevified caller */
102 /* TODO purge them with fire */
103 bool me_no_qdev_me_kill_mammoth_with_rocks;
104
105 /* SD Memory Card Registers */
106 uint32_t ocr;
107 uint8_t scr[8];
108 uint8_t cid[16];
109 uint8_t csd[16];
110 uint16_t rca;
111 uint32_t card_status;
112 uint8_t sd_status[64];
113
114 /* Static properties */
115
116 uint8_t spec_version;
117 BlockBackend *blk;
118
119 const SDProto *proto;
120
121 /* Runtime changeables */
122
123 uint32_t mode; /* current card mode, one of SDCardModes */
124 int32_t state; /* current card state, one of SDCardStates */
125 uint32_t vhs;
126 bool wp_switch;
127 unsigned long *wp_group_bmap;
128 int32_t wp_group_bits;
129 uint64_t size;
130 uint32_t blk_len;
131 uint32_t multi_blk_cnt;
132 uint32_t erase_start;
133 uint32_t erase_end;
134 uint8_t pwd[16];
135 uint32_t pwd_len;
136 uint8_t function_group[6];
137 uint8_t current_cmd;
138 const char *last_cmd_name;
139 /* True if we will handle the next command as an ACMD. Note that this does
140 * *not* track the APP_CMD status bit!
141 */
142 bool expecting_acmd;
143 uint32_t blk_written;
144
145 uint64_t data_start;
146 uint32_t data_offset;
147 size_t data_size;
148 uint8_t data[512];
149 qemu_irq readonly_cb;
150 qemu_irq inserted_cb;
151 QEMUTimer *ocr_power_timer;
152 bool enable;
153 uint8_t dat_lines;
154 bool cmd_line;
155 };
156
157 static void sd_realize(DeviceState *dev, Error **errp);
158
159 static const SDProto sd_proto_spi;
160
161 static bool sd_is_spi(SDState *sd)
162 {
163 return sd->proto == &sd_proto_spi;
164 }
165
166 static const char *sd_version_str(enum SDPhySpecificationVersion version)
167 {
168 static const char *sdphy_version[] = {
169 [SD_PHY_SPECv1_10_VERS] = "v1.10",
170 [SD_PHY_SPECv2_00_VERS] = "v2.00",
171 [SD_PHY_SPECv3_01_VERS] = "v3.01",
172 };
173 if (version >= ARRAY_SIZE(sdphy_version)) {
174 return "unsupported version";
175 }
176 return sdphy_version[version];
177 }
178
179 static const char *sd_mode_name(enum SDCardModes mode)
180 {
181 static const char *mode_name[] = {
182 [sd_inactive] = "inactive",
183 [sd_card_identification_mode] = "identification",
184 [sd_data_transfer_mode] = "transfer",
185 };
186 assert(mode < ARRAY_SIZE(mode_name));
187 return mode_name[mode];
188 }
189
190 static const char *sd_state_name(enum SDCardStates state)
191 {
192 static const char *state_name[] = {
193 [sd_idle_state] = "idle",
194 [sd_ready_state] = "ready",
195 [sd_identification_state] = "identification",
196 [sd_standby_state] = "standby",
197 [sd_transfer_state] = "transfer",
198 [sd_sendingdata_state] = "sendingdata",
199 [sd_receivingdata_state] = "receivingdata",
200 [sd_programming_state] = "programming",
201 [sd_disconnect_state] = "disconnect",
202 };
203 if (state == sd_inactive_state) {
204 return "inactive";
205 }
206 assert(state < ARRAY_SIZE(state_name));
207 return state_name[state];
208 }
209
210 static const char *sd_response_name(sd_rsp_type_t rsp)
211 {
212 static const char *response_name[] = {
213 [sd_r0] = "RESP#0 (no response)",
214 [sd_r1] = "RESP#1 (normal cmd)",
215 [sd_r2_i] = "RESP#2 (CID reg)",
216 [sd_r2_s] = "RESP#2 (CSD reg)",
217 [sd_r3] = "RESP#3 (OCR reg)",
218 [sd_r6] = "RESP#6 (RCA)",
219 [sd_r7] = "RESP#7 (operating voltage)",
220 };
221 if (rsp == sd_illegal) {
222 return "ILLEGAL RESP";
223 }
224 if (rsp == sd_r1b) {
225 rsp = sd_r1;
226 }
227 assert(rsp < ARRAY_SIZE(response_name));
228 return response_name[rsp];
229 }
230
231 static uint8_t sd_get_dat_lines(SDState *sd)
232 {
233 return sd->enable ? sd->dat_lines : 0;
234 }
235
236 static bool sd_get_cmd_line(SDState *sd)
237 {
238 return sd->enable ? sd->cmd_line : false;
239 }
240
241 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
242 {
243 trace_sdcard_set_voltage(millivolts);
244
245 switch (millivolts) {
246 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
247 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
248 break;
249 default:
250 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
251 millivolts / 1000.f);
252 }
253 }
254
255 static void sd_set_mode(SDState *sd)
256 {
257 switch (sd->state) {
258 case sd_inactive_state:
259 sd->mode = sd_inactive;
260 break;
261
262 case sd_idle_state:
263 case sd_ready_state:
264 case sd_identification_state:
265 sd->mode = sd_card_identification_mode;
266 break;
267
268 case sd_standby_state:
269 case sd_transfer_state:
270 case sd_sendingdata_state:
271 case sd_receivingdata_state:
272 case sd_programming_state:
273 case sd_disconnect_state:
274 sd->mode = sd_data_transfer_mode;
275 break;
276 }
277 }
278
279 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
280 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
281 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
282 /* 16 */
283 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
284 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
285 /* 32 */
286 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
287 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
288 /* 48 */
289 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
290 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
291 };
292
293 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
294 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
295 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
296 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
297 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
298 };
299
300 static uint8_t sd_crc7(const void *message, size_t width)
301 {
302 int i, bit;
303 uint8_t shift_reg = 0x00;
304 const uint8_t *msg = (const uint8_t *)message;
305
306 for (i = 0; i < width; i ++, msg ++)
307 for (bit = 7; bit >= 0; bit --) {
308 shift_reg <<= 1;
309 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
310 shift_reg ^= 0x89;
311 }
312
313 return shift_reg;
314 }
315
316 /* Operation Conditions register */
317
318 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
319
320 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
321 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
322 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
323 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
324 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
325 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
326 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
327 FIELD(OCR, CARD_POWER_UP, 31, 1)
328
329 #define ACMD41_ENQUIRY_MASK 0x00ffffff
330 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
331 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
332 | R_OCR_UHS_II_CARD_MASK \
333 | R_OCR_CARD_CAPACITY_MASK \
334 | R_OCR_CARD_POWER_UP_MASK)
335
336 static void sd_ocr_powerup(void *opaque)
337 {
338 SDState *sd = opaque;
339
340 trace_sdcard_powerup();
341 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
342
343 /* card power-up OK */
344 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
345
346 if (sd->size > SDSC_MAX_CAPACITY) {
347 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
348 }
349 }
350
351 static void sd_set_ocr(SDState *sd)
352 {
353 /* All voltages OK */
354 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
355
356 if (sd_is_spi(sd)) {
357 /*
358 * We don't need to emulate power up sequence in SPI-mode.
359 * Thus, the card's power up status bit should be set to 1 when reset.
360 * The card's capacity status bit should also be set if SD card size
361 * is larger than 2GB for SDHC support.
362 */
363 sd_ocr_powerup(sd);
364 }
365 }
366
367 /* SD Configuration register */
368
369 static void sd_set_scr(SDState *sd)
370 {
371 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
372 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
373 sd->scr[0] |= 1; /* Spec Version 1.10 */
374 } else {
375 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
376 }
377 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
378 | 0b0101; /* 1-bit or 4-bit width bus modes */
379 sd->scr[2] = 0x00; /* Extended Security is not supported. */
380 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
381 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
382 }
383 sd->scr[3] = 0x00;
384 /* reserved for manufacturer usage */
385 sd->scr[4] = 0x00;
386 sd->scr[5] = 0x00;
387 sd->scr[6] = 0x00;
388 sd->scr[7] = 0x00;
389 }
390
391 /* Card IDentification register */
392
393 #define MID 0xaa
394 #define OID "XY"
395 #define PNM "QEMU!"
396 #define PRV 0x01
397 #define MDT_YR 2006
398 #define MDT_MON 2
399
400 static void sd_set_cid(SDState *sd)
401 {
402 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
403 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
404 sd->cid[2] = OID[1];
405 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
406 sd->cid[4] = PNM[1];
407 sd->cid[5] = PNM[2];
408 sd->cid[6] = PNM[3];
409 sd->cid[7] = PNM[4];
410 sd->cid[8] = PRV; /* Fake product revision (PRV) */
411 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
412 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
413 ((MDT_YR - 2000) / 10);
414 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
415 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
416 }
417
418 /* Card-Specific Data register */
419
420 #define HWBLOCK_SHIFT 9 /* 512 bytes */
421 #define SECTOR_SHIFT 5 /* 16 kilobytes */
422 #define WPGROUP_SHIFT 7 /* 2 megs */
423 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
424 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
425
426 static const uint8_t sd_csd_rw_mask[16] = {
427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
428 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
429 };
430
431 static void sd_set_csd(SDState *sd, uint64_t size)
432 {
433 int hwblock_shift = HWBLOCK_SHIFT;
434 uint32_t csize;
435 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
436 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
437
438 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
439 if (size == SDSC_MAX_CAPACITY) {
440 hwblock_shift += 1;
441 }
442 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
443
444 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
445 sd->csd[0] = 0x00; /* CSD structure */
446 sd->csd[1] = 0x26; /* Data read access-time-1 */
447 sd->csd[2] = 0x00; /* Data read access-time-2 */
448 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
449 sd->csd[4] = 0x5f; /* Card Command Classes */
450 sd->csd[5] = 0x50 | /* Max. read data block length */
451 hwblock_shift;
452 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
453 ((csize >> 10) & 0x03);
454 sd->csd[7] = 0x00 | /* Device size */
455 ((csize >> 2) & 0xff);
456 sd->csd[8] = 0x3f | /* Max. read current */
457 ((csize << 6) & 0xc0);
458 sd->csd[9] = 0xfc | /* Max. write current */
459 ((CMULT_SHIFT - 2) >> 1);
460 sd->csd[10] = 0x40 | /* Erase sector size */
461 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
462 sd->csd[11] = 0x00 | /* Write protect group size */
463 ((sectsize << 7) & 0x80) | wpsize;
464 sd->csd[12] = 0x90 | /* Write speed factor */
465 (hwblock_shift >> 2);
466 sd->csd[13] = 0x20 | /* Max. write data block length */
467 ((hwblock_shift << 6) & 0xc0);
468 sd->csd[14] = 0x00; /* File format group */
469 } else { /* SDHC */
470 size /= 512 * KiB;
471 size -= 1;
472 sd->csd[0] = 0x40;
473 sd->csd[1] = 0x0e;
474 sd->csd[2] = 0x00;
475 sd->csd[3] = 0x32;
476 sd->csd[4] = 0x5b;
477 sd->csd[5] = 0x59;
478 sd->csd[6] = 0x00;
479 st24_be_p(&sd->csd[7], size);
480 sd->csd[10] = 0x7f;
481 sd->csd[11] = 0x80;
482 sd->csd[12] = 0x0a;
483 sd->csd[13] = 0x40;
484 sd->csd[14] = 0x00;
485 }
486 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
487 }
488
489 /* Relative Card Address register */
490
491 static void sd_set_rca(SDState *sd)
492 {
493 sd->rca += 0x4567;
494 }
495
496 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
497 {
498 if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc) {
499 return req.arg >> 16;
500 }
501 return 0;
502 }
503
504 /* Card Status register */
505
506 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
507 FIELD(CSR, APP_CMD, 5, 1)
508 FIELD(CSR, FX_EVENT, 6, 1)
509 FIELD(CSR, READY_FOR_DATA, 8, 1)
510 FIELD(CSR, CURRENT_STATE, 9, 4)
511 FIELD(CSR, ERASE_RESET, 13, 1)
512 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
513 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
514 FIELD(CSR, CSD_OVERWRITE, 16, 1)
515 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
516 FIELD(CSR, ERROR, 19, 1)
517 FIELD(CSR, CC_ERROR, 20, 1)
518 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
519 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
520 FIELD(CSR, COM_CRC_ERROR, 23, 1)
521 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
522 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
523 FIELD(CSR, WP_VIOLATION, 26, 1)
524 FIELD(CSR, ERASE_PARAM, 27, 1)
525 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
526 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
527 FIELD(CSR, ADDRESS_ERROR, 30, 1)
528 FIELD(CSR, OUT_OF_RANGE, 31, 1)
529
530 /* Card status bits, split by clear condition:
531 * A : According to the card current state
532 * B : Always related to the previous command
533 * C : Cleared by read
534 */
535 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
536 | R_CSR_CARD_ECC_DISABLED_MASK \
537 | R_CSR_CARD_IS_LOCKED_MASK)
538 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
539 | R_CSR_ILLEGAL_COMMAND_MASK \
540 | R_CSR_COM_CRC_ERROR_MASK)
541 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
542 | R_CSR_APP_CMD_MASK \
543 | R_CSR_ERASE_RESET_MASK \
544 | R_CSR_WP_ERASE_SKIP_MASK \
545 | R_CSR_CSD_OVERWRITE_MASK \
546 | R_CSR_ERROR_MASK \
547 | R_CSR_CC_ERROR_MASK \
548 | R_CSR_CARD_ECC_FAILED_MASK \
549 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
550 | R_CSR_WP_VIOLATION_MASK \
551 | R_CSR_ERASE_PARAM_MASK \
552 | R_CSR_ERASE_SEQ_ERROR_MASK \
553 | R_CSR_BLOCK_LEN_ERROR_MASK \
554 | R_CSR_ADDRESS_ERROR_MASK \
555 | R_CSR_OUT_OF_RANGE_MASK)
556
557 static void sd_set_cardstatus(SDState *sd)
558 {
559 sd->card_status = READY_FOR_DATA;
560 }
561
562 static void sd_set_sdstatus(SDState *sd)
563 {
564 memset(sd->sd_status, 0, 64);
565 }
566
567 static const uint8_t sd_tuning_block_pattern4[64] = {
568 /*
569 * See: Physical Layer Simplified Specification Version 3.01,
570 * Table 4-2.
571 */
572 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
573 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
574 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
575 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
576 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
577 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
578 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
579 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde
580 };
581
582 static int sd_req_crc_validate(SDRequest *req)
583 {
584 uint8_t buffer[5];
585 buffer[0] = 0x40 | req->cmd;
586 stl_be_p(&buffer[1], req->arg);
587 return 0;
588 return sd_crc7(buffer, 5) != req->crc; /* TODO */
589 }
590
591 static void sd_response_r1_make(SDState *sd, uint8_t *response)
592 {
593 stl_be_p(response, sd->card_status);
594
595 /* Clear the "clear on read" status bits */
596 sd->card_status &= ~CARD_STATUS_C;
597 }
598
599 static void sd_response_r3_make(SDState *sd, uint8_t *response)
600 {
601 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
602 }
603
604 static void sd_response_r6_make(SDState *sd, uint8_t *response)
605 {
606 uint16_t status;
607
608 status = ((sd->card_status >> 8) & 0xc000) |
609 ((sd->card_status >> 6) & 0x2000) |
610 (sd->card_status & 0x1fff);
611 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
612 stw_be_p(response + 0, sd->rca);
613 stw_be_p(response + 2, status);
614 }
615
616 static void sd_response_r7_make(SDState *sd, uint8_t *response)
617 {
618 stl_be_p(response, sd->vhs);
619 }
620
621 static uint32_t sd_blk_len(SDState *sd)
622 {
623 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
624 return 1 << HWBLOCK_SHIFT;
625 }
626 return sd->blk_len;
627 }
628
629 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
630 {
631 uint64_t addr;
632
633 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
634 addr = (uint64_t) req.arg << HWBLOCK_SHIFT;
635 } else {
636 addr = req.arg;
637 }
638 trace_sdcard_req_addr(req.arg, addr);
639 return addr;
640 }
641
642 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
643 {
644 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
645 }
646
647 static void sd_reset(DeviceState *dev)
648 {
649 SDState *sd = SD_CARD(dev);
650 uint64_t size;
651 uint64_t sect;
652
653 trace_sdcard_reset();
654 if (sd->blk) {
655 blk_get_geometry(sd->blk, &sect);
656 } else {
657 sect = 0;
658 }
659 size = sect << HWBLOCK_SHIFT;
660
661 sect = sd_addr_to_wpnum(size) + 1;
662
663 sd->state = sd_idle_state;
664
665 /* card registers */
666 sd->rca = 0x0000;
667 sd->size = size;
668 sd_set_ocr(sd);
669 sd_set_scr(sd);
670 sd_set_cid(sd);
671 sd_set_csd(sd, size);
672 sd_set_cardstatus(sd);
673 sd_set_sdstatus(sd);
674
675 g_free(sd->wp_group_bmap);
676 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
677 sd->wp_group_bits = sect;
678 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
679 memset(sd->function_group, 0, sizeof(sd->function_group));
680 sd->erase_start = INVALID_ADDRESS;
681 sd->erase_end = INVALID_ADDRESS;
682 sd->blk_len = 0x200;
683 sd->pwd_len = 0;
684 sd->expecting_acmd = false;
685 sd->dat_lines = 0xf;
686 sd->cmd_line = true;
687 sd->multi_blk_cnt = 0;
688 }
689
690 static bool sd_get_inserted(SDState *sd)
691 {
692 return sd->blk && blk_is_inserted(sd->blk);
693 }
694
695 static bool sd_get_readonly(SDState *sd)
696 {
697 return sd->wp_switch;
698 }
699
700 static void sd_cardchange(void *opaque, bool load, Error **errp)
701 {
702 SDState *sd = opaque;
703 DeviceState *dev = DEVICE(sd);
704 SDBus *sdbus;
705 bool inserted = sd_get_inserted(sd);
706 bool readonly = sd_get_readonly(sd);
707
708 if (inserted) {
709 trace_sdcard_inserted(readonly);
710 sd_reset(dev);
711 } else {
712 trace_sdcard_ejected();
713 }
714
715 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
716 qemu_set_irq(sd->inserted_cb, inserted);
717 if (inserted) {
718 qemu_set_irq(sd->readonly_cb, readonly);
719 }
720 } else {
721 sdbus = SD_BUS(qdev_get_parent_bus(dev));
722 sdbus_set_inserted(sdbus, inserted);
723 if (inserted) {
724 sdbus_set_readonly(sdbus, readonly);
725 }
726 }
727 }
728
729 static const BlockDevOps sd_block_ops = {
730 .change_media_cb = sd_cardchange,
731 };
732
733 static bool sd_ocr_vmstate_needed(void *opaque)
734 {
735 SDState *sd = opaque;
736
737 /* Include the OCR state (and timer) if it is not yet powered up */
738 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
739 }
740
741 static const VMStateDescription sd_ocr_vmstate = {
742 .name = "sd-card/ocr-state",
743 .version_id = 1,
744 .minimum_version_id = 1,
745 .needed = sd_ocr_vmstate_needed,
746 .fields = (const VMStateField[]) {
747 VMSTATE_UINT32(ocr, SDState),
748 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
749 VMSTATE_END_OF_LIST()
750 },
751 };
752
753 static int sd_vmstate_pre_load(void *opaque)
754 {
755 SDState *sd = opaque;
756
757 /* If the OCR state is not included (prior versions, or not
758 * needed), then the OCR must be set as powered up. If the OCR state
759 * is included, this will be replaced by the state restore.
760 */
761 sd_ocr_powerup(sd);
762
763 return 0;
764 }
765
766 static const VMStateDescription sd_vmstate = {
767 .name = "sd-card",
768 .version_id = 2,
769 .minimum_version_id = 2,
770 .pre_load = sd_vmstate_pre_load,
771 .fields = (const VMStateField[]) {
772 VMSTATE_UINT32(mode, SDState),
773 VMSTATE_INT32(state, SDState),
774 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
775 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
776 VMSTATE_UINT16(rca, SDState),
777 VMSTATE_UINT32(card_status, SDState),
778 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
779 VMSTATE_UINT32(vhs, SDState),
780 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
781 VMSTATE_UINT32(blk_len, SDState),
782 VMSTATE_UINT32(multi_blk_cnt, SDState),
783 VMSTATE_UINT32(erase_start, SDState),
784 VMSTATE_UINT32(erase_end, SDState),
785 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
786 VMSTATE_UINT32(pwd_len, SDState),
787 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
788 VMSTATE_UINT8(current_cmd, SDState),
789 VMSTATE_BOOL(expecting_acmd, SDState),
790 VMSTATE_UINT32(blk_written, SDState),
791 VMSTATE_UINT64(data_start, SDState),
792 VMSTATE_UINT32(data_offset, SDState),
793 VMSTATE_UINT8_ARRAY(data, SDState, 512),
794 VMSTATE_UNUSED_V(1, 512),
795 VMSTATE_BOOL(enable, SDState),
796 VMSTATE_END_OF_LIST()
797 },
798 .subsections = (const VMStateDescription * const []) {
799 &sd_ocr_vmstate,
800 NULL
801 },
802 };
803
804 /* Legacy initialization function for use by non-qdevified callers */
805 SDState *sd_init(BlockBackend *blk, bool is_spi)
806 {
807 Object *obj;
808 DeviceState *dev;
809 SDState *sd;
810 Error *err = NULL;
811
812 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
813 dev = DEVICE(obj);
814 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
815 error_reportf_err(err, "sd_init failed: ");
816 return NULL;
817 }
818
819 /*
820 * Realizing the device properly would put it into the QOM
821 * composition tree even though it is not plugged into an
822 * appropriate bus. That's a no-no. Hide the device from
823 * QOM/qdev, and call its qdev realize callback directly.
824 */
825 object_ref(obj);
826 object_unparent(obj);
827 sd_realize(dev, &err);
828 if (err) {
829 error_reportf_err(err, "sd_init failed: ");
830 return NULL;
831 }
832
833 sd = SD_CARD(dev);
834 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
835 return sd;
836 }
837
838 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
839 {
840 sd->readonly_cb = readonly;
841 sd->inserted_cb = insert;
842 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
843 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
844 }
845
846 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
847 {
848 trace_sdcard_read_block(addr, len);
849 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
850 fprintf(stderr, "sd_blk_read: read error on host side\n");
851 }
852 }
853
854 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
855 {
856 trace_sdcard_write_block(addr, len);
857 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
858 fprintf(stderr, "sd_blk_write: write error on host side\n");
859 }
860 }
861
862 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
863 #define APP_WRITE_BLOCK(a, len)
864
865 static void sd_erase(SDState *sd)
866 {
867 uint64_t erase_start = sd->erase_start;
868 uint64_t erase_end = sd->erase_end;
869 bool sdsc = true;
870 uint64_t wpnum;
871 uint64_t erase_addr;
872 int erase_len = 1 << HWBLOCK_SHIFT;
873
874 trace_sdcard_erase(sd->erase_start, sd->erase_end);
875 if (sd->erase_start == INVALID_ADDRESS
876 || sd->erase_end == INVALID_ADDRESS) {
877 sd->card_status |= ERASE_SEQ_ERROR;
878 sd->erase_start = INVALID_ADDRESS;
879 sd->erase_end = INVALID_ADDRESS;
880 return;
881 }
882
883 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
884 /* High capacity memory card: erase units are 512 byte blocks */
885 erase_start <<= HWBLOCK_SHIFT;
886 erase_end <<= HWBLOCK_SHIFT;
887 sdsc = false;
888 }
889
890 if (erase_start > sd->size || erase_end > sd->size) {
891 sd->card_status |= OUT_OF_RANGE;
892 sd->erase_start = INVALID_ADDRESS;
893 sd->erase_end = INVALID_ADDRESS;
894 return;
895 }
896
897 sd->erase_start = INVALID_ADDRESS;
898 sd->erase_end = INVALID_ADDRESS;
899 sd->csd[14] |= 0x40;
900
901 memset(sd->data, 0xff, erase_len);
902 for (erase_addr = erase_start; erase_addr <= erase_end;
903 erase_addr += erase_len) {
904 if (sdsc) {
905 /* Only SDSC cards support write protect groups */
906 wpnum = sd_addr_to_wpnum(erase_addr);
907 assert(wpnum < sd->wp_group_bits);
908 if (test_bit(wpnum, sd->wp_group_bmap)) {
909 sd->card_status |= WP_ERASE_SKIP;
910 continue;
911 }
912 }
913 sd_blk_write(sd, erase_addr, erase_len);
914 }
915 }
916
917 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
918 {
919 uint32_t i, wpnum;
920 uint32_t ret = 0;
921
922 wpnum = sd_addr_to_wpnum(addr);
923
924 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
925 if (addr >= sd->size) {
926 /*
927 * If the addresses of the last groups are outside the valid range,
928 * then the corresponding write protection bits shall be set to 0.
929 */
930 continue;
931 }
932 assert(wpnum < sd->wp_group_bits);
933 if (test_bit(wpnum, sd->wp_group_bmap)) {
934 ret |= (1 << i);
935 }
936 }
937
938 return ret;
939 }
940
941 static void sd_function_switch(SDState *sd, uint32_t arg)
942 {
943 int i, mode, new_func;
944 mode = !!(arg & 0x80000000);
945
946 sd->data[0] = 0x00; /* Maximum current consumption */
947 sd->data[1] = 0x01;
948 sd->data[2] = 0x80; /* Supported group 6 functions */
949 sd->data[3] = 0x01;
950 sd->data[4] = 0x80; /* Supported group 5 functions */
951 sd->data[5] = 0x01;
952 sd->data[6] = 0x80; /* Supported group 4 functions */
953 sd->data[7] = 0x01;
954 sd->data[8] = 0x80; /* Supported group 3 functions */
955 sd->data[9] = 0x01;
956 sd->data[10] = 0x80; /* Supported group 2 functions */
957 sd->data[11] = 0x43;
958 sd->data[12] = 0x80; /* Supported group 1 functions */
959 sd->data[13] = 0x03;
960
961 memset(&sd->data[14], 0, 3);
962 for (i = 0; i < 6; i ++) {
963 new_func = (arg >> (i * 4)) & 0x0f;
964 if (mode && new_func != 0x0f)
965 sd->function_group[i] = new_func;
966 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
967 }
968 memset(&sd->data[17], 0, 47);
969 }
970
971 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
972 {
973 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
974 }
975
976 static void sd_lock_command(SDState *sd)
977 {
978 int erase, lock, clr_pwd, set_pwd, pwd_len;
979 erase = !!(sd->data[0] & 0x08);
980 lock = sd->data[0] & 0x04;
981 clr_pwd = sd->data[0] & 0x02;
982 set_pwd = sd->data[0] & 0x01;
983
984 if (sd->blk_len > 1)
985 pwd_len = sd->data[1];
986 else
987 pwd_len = 0;
988
989 if (lock) {
990 trace_sdcard_lock();
991 } else {
992 trace_sdcard_unlock();
993 }
994 if (erase) {
995 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
996 set_pwd || clr_pwd || lock || sd->wp_switch ||
997 (sd->csd[14] & 0x20)) {
998 sd->card_status |= LOCK_UNLOCK_FAILED;
999 return;
1000 }
1001 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
1002 sd->csd[14] &= ~0x10;
1003 sd->card_status &= ~CARD_IS_LOCKED;
1004 sd->pwd_len = 0;
1005 /* Erasing the entire card here! */
1006 fprintf(stderr, "SD: Card force-erased by CMD42\n");
1007 return;
1008 }
1009
1010 if (sd->blk_len < 2 + pwd_len ||
1011 pwd_len <= sd->pwd_len ||
1012 pwd_len > sd->pwd_len + 16) {
1013 sd->card_status |= LOCK_UNLOCK_FAILED;
1014 return;
1015 }
1016
1017 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
1018 sd->card_status |= LOCK_UNLOCK_FAILED;
1019 return;
1020 }
1021
1022 pwd_len -= sd->pwd_len;
1023 if ((pwd_len && !set_pwd) ||
1024 (clr_pwd && (set_pwd || lock)) ||
1025 (lock && !sd->pwd_len && !set_pwd) ||
1026 (!set_pwd && !clr_pwd &&
1027 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1028 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1029 sd->card_status |= LOCK_UNLOCK_FAILED;
1030 return;
1031 }
1032
1033 if (set_pwd) {
1034 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1035 sd->pwd_len = pwd_len;
1036 }
1037
1038 if (clr_pwd) {
1039 sd->pwd_len = 0;
1040 }
1041
1042 if (lock)
1043 sd->card_status |= CARD_IS_LOCKED;
1044 else
1045 sd->card_status &= ~CARD_IS_LOCKED;
1046 }
1047
1048 static bool address_in_range(SDState *sd, const char *desc,
1049 uint64_t addr, uint32_t length)
1050 {
1051 if (addr + length > sd->size) {
1052 qemu_log_mask(LOG_GUEST_ERROR,
1053 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1054 desc, addr, sd->size, length);
1055 sd->card_status |= ADDRESS_ERROR;
1056 return false;
1057 }
1058 return true;
1059 }
1060
1061 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1062 {
1063 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1064 sd->proto->name, req.cmd, sd_state_name(sd->state),
1065 sd_version_str(sd->spec_version));
1066
1067 return sd_illegal;
1068 }
1069
1070 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
1071 {
1072 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
1073 sd->proto->name, req.cmd, sd_mode_name(sd->mode),
1074 sd_version_str(sd->spec_version));
1075
1076 return sd_illegal;
1077 }
1078
1079 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1080 {
1081 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1082 sd->proto->name, req.cmd,
1083 sd_version_str(sd->spec_version));
1084
1085 return sd_illegal;
1086 }
1087
1088 /* Commands that are recognised but not yet implemented. */
1089 __attribute__((unused))
1090 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1091 {
1092 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1093 sd->proto->name, req.cmd);
1094
1095 return sd_illegal;
1096 }
1097
1098 /* Configure fields for following sd_generic_read_byte() calls */
1099 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req,
1100 uint64_t start,
1101 const void *data, size_t size)
1102 {
1103 if (sd->state != sd_transfer_state) {
1104 sd_invalid_state_for_cmd(sd, req);
1105 }
1106
1107 sd->state = sd_sendingdata_state;
1108 sd->data_start = start;
1109 sd->data_offset = 0;
1110 if (data) {
1111 assert(size > 0 && size <= sizeof(sd->data));
1112 memcpy(sd->data, data, size);
1113 }
1114 if (size) {
1115 sd->data_size = size;
1116 }
1117 return sd_r1;
1118 }
1119
1120 /* CMD0 */
1121 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1122 {
1123 sd->state = sd_idle_state;
1124 sd_reset(DEVICE(sd));
1125
1126 return sd_is_spi(sd) ? sd_r1 : sd_r0;
1127 }
1128
1129 /* CMD1 */
1130 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1131 {
1132 sd->state = sd_transfer_state;
1133
1134 return sd_r1;
1135 }
1136
1137 /* CMD2 */
1138 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1139 {
1140 switch (sd->state) {
1141 case sd_ready_state:
1142 sd->state = sd_identification_state;
1143 return sd_r2_i;
1144 default:
1145 return sd_invalid_state_for_cmd(sd, req);
1146 }
1147 }
1148
1149 /* CMD3 */
1150 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1151 {
1152 switch (sd->state) {
1153 case sd_identification_state:
1154 case sd_standby_state:
1155 sd->state = sd_standby_state;
1156 sd_set_rca(sd);
1157 return sd_r6;
1158
1159 default:
1160 return sd_invalid_state_for_cmd(sd, req);
1161 }
1162 }
1163
1164 /* CMD19 */
1165 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1166 {
1167 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1168 return sd_cmd_illegal(sd, req);
1169 }
1170
1171 return sd_cmd_to_sendingdata(sd, req, 0,
1172 sd_tuning_block_pattern4,
1173 sizeof(sd_tuning_block_pattern4));
1174 }
1175
1176 /* CMD23 */
1177 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1178 {
1179 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1180 return sd_cmd_illegal(sd, req);
1181 }
1182
1183 if (sd->state != sd_transfer_state) {
1184 return sd_invalid_state_for_cmd(sd, req);
1185 }
1186
1187 sd->multi_blk_cnt = req.arg;
1188 trace_sdcard_set_block_count(sd->multi_blk_cnt);
1189
1190 return sd_r1;
1191 }
1192
1193 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
1194 {
1195 uint16_t rca;
1196 uint64_t addr;
1197 uint32_t data;
1198
1199 sd->last_cmd_name = sd_cmd_name(req.cmd);
1200 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
1201 * However there is no ACMD55, so we want to trace this particular case.
1202 */
1203 if (req.cmd != 55 || sd->expecting_acmd) {
1204 trace_sdcard_normal_command(sd->proto->name,
1205 sd->last_cmd_name, req.cmd,
1206 req.arg, sd_state_name(sd->state));
1207 }
1208
1209 /* Not interpreting this as an app command */
1210 sd->card_status &= ~APP_CMD;
1211
1212 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
1213 * if not, its effects are cancelled */
1214 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
1215 sd->multi_blk_cnt = 0;
1216 }
1217
1218 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1219 /* Only Standard Capacity cards support class 6 commands */
1220 return sd_illegal;
1221 }
1222
1223 if (sd->proto->cmd[req.cmd]) {
1224 return sd->proto->cmd[req.cmd](sd, req);
1225 }
1226
1227 switch (req.cmd) {
1228 /* Basic commands (Class 0 and Class 1) */
1229 case 4: /* CMD4: SEND_DSR */
1230 switch (sd->state) {
1231 case sd_standby_state:
1232 break;
1233
1234 default:
1235 break;
1236 }
1237 break;
1238
1239 case 6: /* CMD6: SWITCH_FUNCTION */
1240 if (sd->mode != sd_data_transfer_mode) {
1241 return sd_invalid_mode_for_cmd(sd, req);
1242 }
1243 if (sd->state != sd_transfer_state) {
1244 return sd_invalid_state_for_cmd(sd, req);
1245 }
1246
1247 sd_function_switch(sd, req.arg);
1248 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64);
1249
1250 case 7: /* CMD7: SELECT/DESELECT_CARD */
1251 rca = sd_req_get_rca(sd, req);
1252 switch (sd->state) {
1253 case sd_standby_state:
1254 if (sd->rca != rca)
1255 return sd_r0;
1256
1257 sd->state = sd_transfer_state;
1258 return sd_r1b;
1259
1260 case sd_transfer_state:
1261 case sd_sendingdata_state:
1262 if (sd->rca == rca)
1263 break;
1264
1265 sd->state = sd_standby_state;
1266 return sd_r1b;
1267
1268 case sd_disconnect_state:
1269 if (sd->rca != rca)
1270 return sd_r0;
1271
1272 sd->state = sd_programming_state;
1273 return sd_r1b;
1274
1275 case sd_programming_state:
1276 if (sd->rca == rca)
1277 break;
1278
1279 sd->state = sd_disconnect_state;
1280 return sd_r1b;
1281
1282 default:
1283 break;
1284 }
1285 break;
1286
1287 case 8: /* CMD8: SEND_IF_COND */
1288 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1289 break;
1290 }
1291 if (sd->state != sd_idle_state) {
1292 break;
1293 }
1294 sd->vhs = 0;
1295
1296 /* No response if not exactly one VHS bit is set. */
1297 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1298 return sd_is_spi(sd) ? sd_r7 : sd_r0;
1299 }
1300
1301 /* Accept. */
1302 sd->vhs = req.arg;
1303 return sd_r7;
1304
1305 case 9: /* CMD9: SEND_CSD */
1306 rca = sd_req_get_rca(sd, req);
1307 switch (sd->state) {
1308 case sd_standby_state:
1309 if (sd->rca != rca)
1310 return sd_r0;
1311
1312 return sd_r2_s;
1313
1314 case sd_transfer_state:
1315 if (!sd_is_spi(sd)) {
1316 break;
1317 }
1318 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1319 sd->csd, 16);
1320
1321 default:
1322 break;
1323 }
1324 break;
1325
1326 case 10: /* CMD10: SEND_CID */
1327 rca = sd_req_get_rca(sd, req);
1328 switch (sd->state) {
1329 case sd_standby_state:
1330 if (sd->rca != rca)
1331 return sd_r0;
1332
1333 return sd_r2_i;
1334
1335 case sd_transfer_state:
1336 if (!sd_is_spi(sd)) {
1337 break;
1338 }
1339 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1340 sd->cid, 16);
1341
1342 default:
1343 break;
1344 }
1345 break;
1346
1347 case 12: /* CMD12: STOP_TRANSMISSION */
1348 switch (sd->state) {
1349 case sd_sendingdata_state:
1350 sd->state = sd_transfer_state;
1351 return sd_r1b;
1352
1353 case sd_receivingdata_state:
1354 sd->state = sd_programming_state;
1355 /* Bzzzzzzztt .... Operation complete. */
1356 sd->state = sd_transfer_state;
1357 return sd_r1b;
1358
1359 default:
1360 break;
1361 }
1362 break;
1363
1364 case 13: /* CMD13: SEND_STATUS */
1365 rca = sd_req_get_rca(sd, req);
1366 if (sd->mode != sd_data_transfer_mode) {
1367 return sd_invalid_mode_for_cmd(sd, req);
1368 }
1369 if (!sd_is_spi(sd) && sd->rca != rca) {
1370 return sd_r0;
1371 }
1372
1373 return sd_r1;
1374
1375 case 15: /* CMD15: GO_INACTIVE_STATE */
1376 if (sd->mode != sd_data_transfer_mode) {
1377 return sd_invalid_mode_for_cmd(sd, req);
1378 }
1379 rca = sd_req_get_rca(sd, req);
1380 if (sd->rca == rca) {
1381 sd->state = sd_inactive_state;
1382 }
1383 return sd_r0;
1384
1385 /* Block read commands (Class 2) */
1386 case 16: /* CMD16: SET_BLOCKLEN */
1387 switch (sd->state) {
1388 case sd_transfer_state:
1389 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1390 sd->card_status |= BLOCK_LEN_ERROR;
1391 } else {
1392 trace_sdcard_set_blocklen(req.arg);
1393 sd->blk_len = req.arg;
1394 }
1395
1396 return sd_r1;
1397
1398 default:
1399 break;
1400 }
1401 break;
1402
1403 case 17: /* CMD17: READ_SINGLE_BLOCK */
1404 addr = sd_req_get_address(sd, req);
1405 switch (sd->state) {
1406 case sd_transfer_state:
1407
1408 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) {
1409 return sd_r1;
1410 }
1411 sd_blk_read(sd, addr, sd->blk_len);
1412 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len);
1413
1414 default:
1415 break;
1416 }
1417 break;
1418
1419 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1420 addr = sd_req_get_address(sd, req);
1421 switch (sd->state) {
1422 case sd_transfer_state:
1423
1424 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1425 return sd_r1;
1426 }
1427
1428 sd->state = sd_sendingdata_state;
1429 sd->data_start = addr;
1430 sd->data_offset = 0;
1431 return sd_r1;
1432
1433 default:
1434 break;
1435 }
1436 break;
1437
1438 /* Block write commands (Class 4) */
1439 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1440 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1441 addr = sd_req_get_address(sd, req);
1442 switch (sd->state) {
1443 case sd_transfer_state:
1444
1445 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1446 return sd_r1;
1447 }
1448
1449 sd->state = sd_receivingdata_state;
1450 sd->data_start = addr;
1451 sd->data_offset = 0;
1452 sd->blk_written = 0;
1453
1454 if (sd->size <= SDSC_MAX_CAPACITY) {
1455 if (sd_wp_addr(sd, sd->data_start)) {
1456 sd->card_status |= WP_VIOLATION;
1457 }
1458 }
1459 if (sd->csd[14] & 0x30) {
1460 sd->card_status |= WP_VIOLATION;
1461 }
1462 return sd_r1;
1463
1464 default:
1465 break;
1466 }
1467 break;
1468
1469 case 26: /* CMD26: PROGRAM_CID */
1470 switch (sd->state) {
1471 case sd_transfer_state:
1472 sd->state = sd_receivingdata_state;
1473 sd->data_start = 0;
1474 sd->data_offset = 0;
1475 return sd_r1;
1476
1477 default:
1478 break;
1479 }
1480 break;
1481
1482 case 27: /* CMD27: PROGRAM_CSD */
1483 switch (sd->state) {
1484 case sd_transfer_state:
1485 sd->state = sd_receivingdata_state;
1486 sd->data_start = 0;
1487 sd->data_offset = 0;
1488 return sd_r1;
1489
1490 default:
1491 break;
1492 }
1493 break;
1494
1495 /* Write protection (Class 6) */
1496 case 28: /* CMD28: SET_WRITE_PROT */
1497 if (sd->size > SDSC_MAX_CAPACITY) {
1498 return sd_illegal;
1499 }
1500 addr = sd_req_get_address(sd, req);
1501 switch (sd->state) {
1502 case sd_transfer_state:
1503 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1504 return sd_r1b;
1505 }
1506
1507 sd->state = sd_programming_state;
1508 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1509 /* Bzzzzzzztt .... Operation complete. */
1510 sd->state = sd_transfer_state;
1511 return sd_r1b;
1512
1513 default:
1514 break;
1515 }
1516 break;
1517
1518 case 29: /* CMD29: CLR_WRITE_PROT */
1519 if (sd->size > SDSC_MAX_CAPACITY) {
1520 return sd_illegal;
1521 }
1522 addr = sd_req_get_address(sd, req);
1523 switch (sd->state) {
1524 case sd_transfer_state:
1525 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1526 return sd_r1b;
1527 }
1528
1529 sd->state = sd_programming_state;
1530 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1531 /* Bzzzzzzztt .... Operation complete. */
1532 sd->state = sd_transfer_state;
1533 return sd_r1b;
1534
1535 default:
1536 break;
1537 }
1538 break;
1539
1540 case 30: /* CMD30: SEND_WRITE_PROT */
1541 if (sd->size > SDSC_MAX_CAPACITY) {
1542 return sd_illegal;
1543 }
1544 addr = sd_req_get_address(sd, req);
1545 switch (sd->state) {
1546 case sd_transfer_state:
1547 if (!address_in_range(sd, "SEND_WRITE_PROT",
1548 req.arg, sd->blk_len)) {
1549 return sd_r1;
1550 }
1551 data = sd_wpbits(sd, req.arg);
1552 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data));
1553
1554 default:
1555 break;
1556 }
1557 break;
1558
1559 /* Erase commands (Class 5) */
1560 case 32: /* CMD32: ERASE_WR_BLK_START */
1561 switch (sd->state) {
1562 case sd_transfer_state:
1563 sd->erase_start = req.arg;
1564 return sd_r1;
1565
1566 default:
1567 break;
1568 }
1569 break;
1570
1571 case 33: /* CMD33: ERASE_WR_BLK_END */
1572 switch (sd->state) {
1573 case sd_transfer_state:
1574 sd->erase_end = req.arg;
1575 return sd_r1;
1576
1577 default:
1578 break;
1579 }
1580 break;
1581
1582 case 38: /* CMD38: ERASE */
1583 switch (sd->state) {
1584 case sd_transfer_state:
1585 if (sd->csd[14] & 0x30) {
1586 sd->card_status |= WP_VIOLATION;
1587 return sd_r1b;
1588 }
1589
1590 sd->state = sd_programming_state;
1591 sd_erase(sd);
1592 /* Bzzzzzzztt .... Operation complete. */
1593 sd->state = sd_transfer_state;
1594 return sd_r1b;
1595
1596 default:
1597 break;
1598 }
1599 break;
1600
1601 /* Lock card commands (Class 7) */
1602 case 42: /* CMD42: LOCK_UNLOCK */
1603 switch (sd->state) {
1604 case sd_transfer_state:
1605 sd->state = sd_receivingdata_state;
1606 sd->data_start = 0;
1607 sd->data_offset = 0;
1608 return sd_r1;
1609
1610 default:
1611 break;
1612 }
1613 break;
1614
1615 /* Application specific commands (Class 8) */
1616 case 55: /* CMD55: APP_CMD */
1617 rca = sd_req_get_rca(sd, req);
1618 switch (sd->state) {
1619 case sd_ready_state:
1620 case sd_identification_state:
1621 return sd_illegal;
1622 case sd_idle_state:
1623 if (rca) {
1624 qemu_log_mask(LOG_GUEST_ERROR,
1625 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1626 }
1627 default:
1628 break;
1629 }
1630 if (!sd_is_spi(sd)) {
1631 if (sd->rca != rca) {
1632 return sd_r0;
1633 }
1634 }
1635 sd->expecting_acmd = true;
1636 sd->card_status |= APP_CMD;
1637 return sd_r1;
1638
1639 case 56: /* CMD56: GEN_CMD */
1640 switch (sd->state) {
1641 case sd_transfer_state:
1642 sd->data_offset = 0;
1643 if (req.arg & 1)
1644 sd->state = sd_sendingdata_state;
1645 else
1646 sd->state = sd_receivingdata_state;
1647 return sd_r1;
1648
1649 default:
1650 break;
1651 }
1652 break;
1653
1654 case 58: /* CMD58: READ_OCR (SPI) */
1655 return sd_r3;
1656
1657 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1658 return sd_r1;
1659
1660 default:
1661 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1662 return sd_illegal;
1663 }
1664
1665 return sd_invalid_state_for_cmd(sd, req);
1666 }
1667
1668 static sd_rsp_type_t sd_app_command(SDState *sd,
1669 SDRequest req)
1670 {
1671 sd->last_cmd_name = sd_acmd_name(req.cmd);
1672 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name,
1673 req.cmd, req.arg, sd_state_name(sd->state));
1674 sd->card_status |= APP_CMD;
1675
1676 if (sd->proto->acmd[req.cmd]) {
1677 return sd->proto->acmd[req.cmd](sd, req);
1678 }
1679
1680 switch (req.cmd) {
1681 case 6: /* ACMD6: SET_BUS_WIDTH */
1682 switch (sd->state) {
1683 case sd_transfer_state:
1684 sd->sd_status[0] &= 0x3f;
1685 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1686 return sd_r1;
1687
1688 default:
1689 break;
1690 }
1691 break;
1692
1693 case 13: /* ACMD13: SD_STATUS */
1694 switch (sd->state) {
1695 case sd_transfer_state:
1696 return sd_cmd_to_sendingdata(sd, req, 0,
1697 sd->sd_status,
1698 sizeof(sd->sd_status));
1699
1700 default:
1701 break;
1702 }
1703 break;
1704
1705 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1706 switch (sd->state) {
1707 case sd_transfer_state:
1708 stl_be_p(sd->data, sd->blk_written);
1709 sd->state = sd_sendingdata_state;
1710 sd->data_start = 0;
1711 sd->data_offset = 0;
1712 return sd_r1;
1713
1714 default:
1715 break;
1716 }
1717 break;
1718
1719 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1720 switch (sd->state) {
1721 case sd_transfer_state:
1722 return sd_r1;
1723
1724 default:
1725 break;
1726 }
1727 break;
1728
1729 case 41: /* ACMD41: SD_APP_OP_COND */
1730 if (sd->state != sd_idle_state) {
1731 break;
1732 }
1733 /* If it's the first ACMD41 since reset, we need to decide
1734 * whether to power up. If this is not an enquiry ACMD41,
1735 * we immediately report power on and proceed below to the
1736 * ready state, but if it is, we set a timer to model a
1737 * delay for power up. This works around a bug in EDK2
1738 * UEFI, which sends an initial enquiry ACMD41, but
1739 * assumes that the card is in ready state as soon as it
1740 * sees the power up bit set. */
1741 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1742 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1743 timer_del(sd->ocr_power_timer);
1744 sd_ocr_powerup(sd);
1745 } else {
1746 trace_sdcard_inquiry_cmd41();
1747 if (!timer_pending(sd->ocr_power_timer)) {
1748 timer_mod_ns(sd->ocr_power_timer,
1749 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1750 + OCR_POWER_DELAY_NS));
1751 }
1752 }
1753 }
1754
1755 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1756 /* We accept any voltage. 10000 V is nothing.
1757 *
1758 * Once we're powered up, we advance straight to ready state
1759 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1760 */
1761 sd->state = sd_ready_state;
1762 }
1763
1764 return sd_r3;
1765
1766 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1767 switch (sd->state) {
1768 case sd_transfer_state:
1769 /* Bringing in the 50KOhm pull-up resistor... Done. */
1770 return sd_r1;
1771
1772 default:
1773 break;
1774 }
1775 break;
1776
1777 case 51: /* ACMD51: SEND_SCR */
1778 switch (sd->state) {
1779 case sd_transfer_state:
1780 sd->state = sd_sendingdata_state;
1781 sd->data_start = 0;
1782 sd->data_offset = 0;
1783 return sd_r1;
1784
1785 default:
1786 break;
1787 }
1788 break;
1789
1790 case 18: /* Reserved for SD security applications */
1791 case 25:
1792 case 26:
1793 case 38:
1794 case 43 ... 49:
1795 /* Refer to the "SD Specifications Part3 Security Specification" for
1796 * information about the SD Security Features.
1797 */
1798 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1799 req.cmd);
1800 return sd_illegal;
1801
1802 default:
1803 /* Fall back to standard commands. */
1804 return sd_normal_command(sd, req);
1805 }
1806
1807 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1808 return sd_illegal;
1809 }
1810
1811 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
1812 {
1813 /* Valid commands in locked state:
1814 * basic class (0)
1815 * lock card class (7)
1816 * CMD16
1817 * implicitly, the ACMD prefix CMD55
1818 * ACMD41 and ACMD42
1819 * Anything else provokes an "illegal command" response.
1820 */
1821 if (sd->expecting_acmd) {
1822 return cmd == 41 || cmd == 42;
1823 }
1824 if (cmd == 16 || cmd == 55) {
1825 return true;
1826 }
1827 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1828 }
1829
1830 int sd_do_command(SDState *sd, SDRequest *req,
1831 uint8_t *response) {
1832 int last_state;
1833 sd_rsp_type_t rtype;
1834 int rsplen;
1835
1836 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1837 return 0;
1838 }
1839
1840 if (sd->state == sd_inactive_state) {
1841 rtype = sd_illegal;
1842 goto send_response;
1843 }
1844
1845 if (sd_req_crc_validate(req)) {
1846 sd->card_status |= COM_CRC_ERROR;
1847 rtype = sd_illegal;
1848 goto send_response;
1849 }
1850
1851 if (req->cmd >= SDMMC_CMD_MAX) {
1852 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1853 req->cmd);
1854 req->cmd &= 0x3f;
1855 }
1856
1857 if (sd->card_status & CARD_IS_LOCKED) {
1858 if (!cmd_valid_while_locked(sd, req->cmd)) {
1859 sd->card_status |= ILLEGAL_COMMAND;
1860 sd->expecting_acmd = false;
1861 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1862 rtype = sd_illegal;
1863 goto send_response;
1864 }
1865 }
1866
1867 last_state = sd->state;
1868 sd_set_mode(sd);
1869
1870 if (sd->expecting_acmd) {
1871 sd->expecting_acmd = false;
1872 rtype = sd_app_command(sd, *req);
1873 } else {
1874 rtype = sd_normal_command(sd, *req);
1875 }
1876
1877 if (rtype == sd_illegal) {
1878 sd->card_status |= ILLEGAL_COMMAND;
1879 } else {
1880 /* Valid command, we can update the 'state before command' bits.
1881 * (Do this now so they appear in r1 responses.)
1882 */
1883 sd->current_cmd = req->cmd;
1884 sd->card_status = FIELD_DP32(sd->card_status, CSR,
1885 CURRENT_STATE, last_state);
1886 }
1887
1888 send_response:
1889 switch (rtype) {
1890 case sd_r1:
1891 case sd_r1b:
1892 sd_response_r1_make(sd, response);
1893 rsplen = 4;
1894 break;
1895
1896 case sd_r2_i:
1897 memcpy(response, sd->cid, sizeof(sd->cid));
1898 rsplen = 16;
1899 break;
1900
1901 case sd_r2_s:
1902 memcpy(response, sd->csd, sizeof(sd->csd));
1903 rsplen = 16;
1904 break;
1905
1906 case sd_r3:
1907 sd_response_r3_make(sd, response);
1908 rsplen = 4;
1909 break;
1910
1911 case sd_r6:
1912 sd_response_r6_make(sd, response);
1913 rsplen = 4;
1914 break;
1915
1916 case sd_r7:
1917 sd_response_r7_make(sd, response);
1918 rsplen = 4;
1919 break;
1920
1921 case sd_r0:
1922 /*
1923 * Invalid state transition, reset implementation
1924 * fields to avoid OOB abuse.
1925 */
1926 sd->data_start = 0;
1927 sd->data_offset = 0;
1928 /* fall-through */
1929 case sd_illegal:
1930 rsplen = 0;
1931 break;
1932 default:
1933 g_assert_not_reached();
1934 }
1935 trace_sdcard_response(sd_response_name(rtype), rsplen);
1936
1937 if (rtype != sd_illegal) {
1938 /* Clear the "clear on valid command" status bits now we've
1939 * sent any response
1940 */
1941 sd->card_status &= ~CARD_STATUS_B;
1942 }
1943
1944 #ifdef DEBUG_SD
1945 qemu_hexdump(stderr, "Response", response, rsplen);
1946 #endif
1947
1948 return rsplen;
1949 }
1950
1951 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */
1952 static bool sd_generic_read_byte(SDState *sd, uint8_t *value)
1953 {
1954 *value = sd->data[sd->data_offset];
1955
1956 if (++sd->data_offset >= sd->data_size) {
1957 sd->state = sd_transfer_state;
1958 return true;
1959 }
1960
1961 return false;
1962 }
1963
1964 void sd_write_byte(SDState *sd, uint8_t value)
1965 {
1966 int i;
1967
1968 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1969 return;
1970
1971 if (sd->state != sd_receivingdata_state) {
1972 qemu_log_mask(LOG_GUEST_ERROR,
1973 "%s: not in Receiving-Data state\n", __func__);
1974 return;
1975 }
1976
1977 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1978 return;
1979
1980 trace_sdcard_write_data(sd->proto->name,
1981 sd->last_cmd_name,
1982 sd->current_cmd, sd->data_offset, value);
1983 switch (sd->current_cmd) {
1984 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1985 sd->data[sd->data_offset ++] = value;
1986 if (sd->data_offset >= sd->blk_len) {
1987 /* TODO: Check CRC before committing */
1988 sd->state = sd_programming_state;
1989 sd_blk_write(sd, sd->data_start, sd->data_offset);
1990 sd->blk_written ++;
1991 sd->csd[14] |= 0x40;
1992 /* Bzzzzzzztt .... Operation complete. */
1993 sd->state = sd_transfer_state;
1994 }
1995 break;
1996
1997 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1998 if (sd->data_offset == 0) {
1999 /* Start of the block - let's check the address is valid */
2000 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
2001 sd->data_start, sd->blk_len)) {
2002 break;
2003 }
2004 if (sd->size <= SDSC_MAX_CAPACITY) {
2005 if (sd_wp_addr(sd, sd->data_start)) {
2006 sd->card_status |= WP_VIOLATION;
2007 break;
2008 }
2009 }
2010 }
2011 sd->data[sd->data_offset++] = value;
2012 if (sd->data_offset >= sd->blk_len) {
2013 /* TODO: Check CRC before committing */
2014 sd->state = sd_programming_state;
2015 sd_blk_write(sd, sd->data_start, sd->data_offset);
2016 sd->blk_written++;
2017 sd->data_start += sd->blk_len;
2018 sd->data_offset = 0;
2019 sd->csd[14] |= 0x40;
2020
2021 /* Bzzzzzzztt .... Operation complete. */
2022 if (sd->multi_blk_cnt != 0) {
2023 if (--sd->multi_blk_cnt == 0) {
2024 /* Stop! */
2025 sd->state = sd_transfer_state;
2026 break;
2027 }
2028 }
2029
2030 sd->state = sd_receivingdata_state;
2031 }
2032 break;
2033
2034 case 26: /* CMD26: PROGRAM_CID */
2035 sd->data[sd->data_offset ++] = value;
2036 if (sd->data_offset >= sizeof(sd->cid)) {
2037 /* TODO: Check CRC before committing */
2038 sd->state = sd_programming_state;
2039 for (i = 0; i < sizeof(sd->cid); i ++)
2040 if ((sd->cid[i] | 0x00) != sd->data[i])
2041 sd->card_status |= CID_CSD_OVERWRITE;
2042
2043 if (!(sd->card_status & CID_CSD_OVERWRITE))
2044 for (i = 0; i < sizeof(sd->cid); i ++) {
2045 sd->cid[i] |= 0x00;
2046 sd->cid[i] &= sd->data[i];
2047 }
2048 /* Bzzzzzzztt .... Operation complete. */
2049 sd->state = sd_transfer_state;
2050 }
2051 break;
2052
2053 case 27: /* CMD27: PROGRAM_CSD */
2054 sd->data[sd->data_offset ++] = value;
2055 if (sd->data_offset >= sizeof(sd->csd)) {
2056 /* TODO: Check CRC before committing */
2057 sd->state = sd_programming_state;
2058 for (i = 0; i < sizeof(sd->csd); i ++)
2059 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
2060 (sd->data[i] | sd_csd_rw_mask[i]))
2061 sd->card_status |= CID_CSD_OVERWRITE;
2062
2063 /* Copy flag (OTP) & Permanent write protect */
2064 if (sd->csd[14] & ~sd->data[14] & 0x60)
2065 sd->card_status |= CID_CSD_OVERWRITE;
2066
2067 if (!(sd->card_status & CID_CSD_OVERWRITE))
2068 for (i = 0; i < sizeof(sd->csd); i ++) {
2069 sd->csd[i] |= sd_csd_rw_mask[i];
2070 sd->csd[i] &= sd->data[i];
2071 }
2072 /* Bzzzzzzztt .... Operation complete. */
2073 sd->state = sd_transfer_state;
2074 }
2075 break;
2076
2077 case 42: /* CMD42: LOCK_UNLOCK */
2078 sd->data[sd->data_offset ++] = value;
2079 if (sd->data_offset >= sd->blk_len) {
2080 /* TODO: Check CRC before committing */
2081 sd->state = sd_programming_state;
2082 sd_lock_command(sd);
2083 /* Bzzzzzzztt .... Operation complete. */
2084 sd->state = sd_transfer_state;
2085 }
2086 break;
2087
2088 case 56: /* CMD56: GEN_CMD */
2089 sd->data[sd->data_offset ++] = value;
2090 if (sd->data_offset >= sd->blk_len) {
2091 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
2092 sd->state = sd_transfer_state;
2093 }
2094 break;
2095
2096 default:
2097 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2098 break;
2099 }
2100 }
2101
2102 uint8_t sd_read_byte(SDState *sd)
2103 {
2104 /* TODO: Append CRCs */
2105 uint8_t ret;
2106 uint32_t io_len;
2107
2108 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2109 return 0x00;
2110
2111 if (sd->state != sd_sendingdata_state) {
2112 qemu_log_mask(LOG_GUEST_ERROR,
2113 "%s: not in Sending-Data state\n", __func__);
2114 return 0x00;
2115 }
2116
2117 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2118 return 0x00;
2119
2120 io_len = sd_blk_len(sd);
2121
2122 trace_sdcard_read_data(sd->proto->name,
2123 sd->last_cmd_name,
2124 sd->current_cmd, sd->data_offset, io_len);
2125 switch (sd->current_cmd) {
2126 case 6: /* CMD6: SWITCH_FUNCTION */
2127 case 9: /* CMD9: SEND_CSD */
2128 case 10: /* CMD10: SEND_CID */
2129 case 13: /* ACMD13: SD_STATUS */
2130 case 17: /* CMD17: READ_SINGLE_BLOCK */
2131 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2132 case 30: /* CMD30: SEND_WRITE_PROT */
2133 sd_generic_read_byte(sd, &ret);
2134 break;
2135
2136 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2137 if (sd->data_offset == 0) {
2138 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2139 sd->data_start, io_len)) {
2140 return 0x00;
2141 }
2142 sd_blk_read(sd, sd->data_start, io_len);
2143 }
2144 ret = sd->data[sd->data_offset ++];
2145
2146 if (sd->data_offset >= io_len) {
2147 sd->data_start += io_len;
2148 sd->data_offset = 0;
2149
2150 if (sd->multi_blk_cnt != 0) {
2151 if (--sd->multi_blk_cnt == 0) {
2152 /* Stop! */
2153 sd->state = sd_transfer_state;
2154 break;
2155 }
2156 }
2157 }
2158 break;
2159
2160 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2161 ret = sd->data[sd->data_offset ++];
2162
2163 if (sd->data_offset >= 4)
2164 sd->state = sd_transfer_state;
2165 break;
2166
2167 case 51: /* ACMD51: SEND_SCR */
2168 ret = sd->scr[sd->data_offset ++];
2169
2170 if (sd->data_offset >= sizeof(sd->scr))
2171 sd->state = sd_transfer_state;
2172 break;
2173
2174 case 56: /* CMD56: GEN_CMD */
2175 if (sd->data_offset == 0)
2176 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2177 ret = sd->data[sd->data_offset ++];
2178
2179 if (sd->data_offset >= sd->blk_len)
2180 sd->state = sd_transfer_state;
2181 break;
2182
2183 default:
2184 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2185 return 0x00;
2186 }
2187
2188 return ret;
2189 }
2190
2191 static bool sd_receive_ready(SDState *sd)
2192 {
2193 return sd->state == sd_receivingdata_state;
2194 }
2195
2196 static bool sd_data_ready(SDState *sd)
2197 {
2198 return sd->state == sd_sendingdata_state;
2199 }
2200
2201 void sd_enable(SDState *sd, bool enable)
2202 {
2203 sd->enable = enable;
2204 }
2205
2206 static const SDProto sd_proto_spi = {
2207 .name = "SPI",
2208 .cmd = {
2209 [0] = sd_cmd_GO_IDLE_STATE,
2210 [1] = spi_cmd_SEND_OP_COND,
2211 },
2212 .acmd = {
2213 [41] = spi_cmd_SEND_OP_COND,
2214 },
2215 };
2216
2217 static const SDProto sd_proto_sd = {
2218 .name = "SD",
2219 .cmd = {
2220 [0] = sd_cmd_GO_IDLE_STATE,
2221 [2] = sd_cmd_ALL_SEND_CID,
2222 [3] = sd_cmd_SEND_RELATIVE_ADDR,
2223 [19] = sd_cmd_SEND_TUNING_BLOCK,
2224 [23] = sd_cmd_SET_BLOCK_COUNT,
2225 },
2226 };
2227
2228 static void sd_instance_init(Object *obj)
2229 {
2230 SDState *sd = SD_CARD(obj);
2231 SDCardClass *sc = SD_CARD_GET_CLASS(sd);
2232
2233 sd->proto = sc->proto;
2234 sd->last_cmd_name = "UNSET";
2235 sd->enable = true;
2236 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2237 }
2238
2239 static void sd_instance_finalize(Object *obj)
2240 {
2241 SDState *sd = SD_CARD(obj);
2242
2243 timer_free(sd->ocr_power_timer);
2244 }
2245
2246 static void sd_realize(DeviceState *dev, Error **errp)
2247 {
2248 SDState *sd = SD_CARD(dev);
2249 int ret;
2250
2251 switch (sd->spec_version) {
2252 case SD_PHY_SPECv1_10_VERS
2253 ... SD_PHY_SPECv3_01_VERS:
2254 break;
2255 default:
2256 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2257 return;
2258 }
2259
2260 if (sd->blk) {
2261 int64_t blk_size;
2262
2263 if (!blk_supports_write_perm(sd->blk)) {
2264 error_setg(errp, "Cannot use read-only drive as SD card");
2265 return;
2266 }
2267
2268 blk_size = blk_getlength(sd->blk);
2269 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2270 int64_t blk_size_aligned = pow2ceil(blk_size);
2271 char *blk_size_str;
2272
2273 blk_size_str = size_to_str(blk_size);
2274 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2275 g_free(blk_size_str);
2276
2277 blk_size_str = size_to_str(blk_size_aligned);
2278 error_append_hint(errp,
2279 "SD card size has to be a power of 2, e.g. %s.\n"
2280 "You can resize disk images with"
2281 " 'qemu-img resize <imagefile> <new-size>'\n"
2282 "(note that this will lose data if you make the"
2283 " image smaller than it currently is).\n",
2284 blk_size_str);
2285 g_free(blk_size_str);
2286
2287 return;
2288 }
2289
2290 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2291 BLK_PERM_ALL, errp);
2292 if (ret < 0) {
2293 return;
2294 }
2295 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2296 }
2297 }
2298
2299 static Property sd_properties[] = {
2300 DEFINE_PROP_UINT8("spec_version", SDState,
2301 spec_version, SD_PHY_SPECv2_00_VERS),
2302 DEFINE_PROP_DRIVE("drive", SDState, blk),
2303 /* We do not model the chip select pin, so allow the board to select
2304 * whether card should be in SSI or MMC/SD mode. It is also up to the
2305 * board to ensure that ssi transfers only occur when the chip select
2306 * is asserted. */
2307 DEFINE_PROP_END_OF_LIST()
2308 };
2309
2310 static void sd_class_init(ObjectClass *klass, void *data)
2311 {
2312 DeviceClass *dc = DEVICE_CLASS(klass);
2313 SDCardClass *sc = SD_CARD_CLASS(klass);
2314
2315 dc->realize = sd_realize;
2316 device_class_set_props(dc, sd_properties);
2317 dc->vmsd = &sd_vmstate;
2318 dc->reset = sd_reset;
2319 dc->bus_type = TYPE_SD_BUS;
2320 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2321
2322 sc->set_voltage = sd_set_voltage;
2323 sc->get_dat_lines = sd_get_dat_lines;
2324 sc->get_cmd_line = sd_get_cmd_line;
2325 sc->do_command = sd_do_command;
2326 sc->write_byte = sd_write_byte;
2327 sc->read_byte = sd_read_byte;
2328 sc->receive_ready = sd_receive_ready;
2329 sc->data_ready = sd_data_ready;
2330 sc->enable = sd_enable;
2331 sc->get_inserted = sd_get_inserted;
2332 sc->get_readonly = sd_get_readonly;
2333 sc->proto = &sd_proto_sd;
2334 }
2335
2336 /*
2337 * We do not model the chip select pin, so allow the board to select
2338 * whether card should be in SSI or MMC/SD mode. It is also up to the
2339 * board to ensure that ssi transfers only occur when the chip select
2340 * is asserted.
2341 */
2342 static void sd_spi_class_init(ObjectClass *klass, void *data)
2343 {
2344 DeviceClass *dc = DEVICE_CLASS(klass);
2345 SDCardClass *sc = SD_CARD_CLASS(klass);
2346
2347 dc->desc = "SD SPI";
2348 sc->proto = &sd_proto_spi;
2349 }
2350
2351 static const TypeInfo sd_types[] = {
2352 {
2353 .name = TYPE_SD_CARD,
2354 .parent = TYPE_DEVICE,
2355 .instance_size = sizeof(SDState),
2356 .class_size = sizeof(SDCardClass),
2357 .class_init = sd_class_init,
2358 .instance_init = sd_instance_init,
2359 .instance_finalize = sd_instance_finalize,
2360 },
2361 {
2362 .name = TYPE_SD_CARD_SPI,
2363 .parent = TYPE_SD_CARD,
2364 .class_init = sd_spi_class_init,
2365 },
2366 };
2367
2368 DEFINE_TYPES(sd_types)
armbru's QEMU hackery