xref: /openbmc/qemu/hw/sd/sd.c (revision d2d08975fc01e4898ab43eae0d03d53e689048cd)
1 /*
2  * SD Memory Card emulation as defined in the "SD Memory Card Physical
3  * layer specification, Version 2.00."
4  *
5  * eMMC emulation defined in "JEDEC Standard No. 84-A43"
6  *
7  * Copyright (c) 2006 Andrzej Zaborowski  <balrog@zabor.org>
8  * Copyright (c) 2007 CodeSourcery
9  * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  *
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, this list of conditions and the following disclaimer.
17  * 2. Redistributions in binary form must reproduce the above copyright
18  *    notice, this list of conditions and the following disclaimer in
19  *    the documentation and/or other materials provided with the
20  *    distribution.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
23  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
25  * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR
26  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
29  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
30  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
32  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  */
34 
35 #include "qemu/osdep.h"
36 #include "qemu/units.h"
37 #include "qemu/cutils.h"
38 #include "hw/irq.h"
39 #include "hw/registerfields.h"
40 #include "system/block-backend.h"
41 #include "hw/sd/sd.h"
42 #include "migration/vmstate.h"
43 #include "qapi/error.h"
44 #include "qemu/bitmap.h"
45 #include "hw/qdev-properties.h"
46 #include "hw/qdev-properties-system.h"
47 #include "qemu/error-report.h"
48 #include "qemu/timer.h"
49 #include "qemu/log.h"
50 #include "qemu/guest-random.h"
51 #include "qemu/module.h"
52 #include "sdmmc-internal.h"
53 #include "trace.h"
54 
55 //#define DEBUG_SD 1
56 
57 #define SDSC_MAX_CAPACITY   (2 * GiB)
58 
59 #define INVALID_ADDRESS     UINT32_MAX
60 
61 typedef enum {
62     sd_r0 = 0,    /* no response */
63     sd_r1,        /* normal response command */
64     spi_r2,       /* STATUS */
65     sd_r2_i,      /* CID register */
66     sd_r2_s,      /* CSD register */
67     sd_r3,        /* OCR register */
68     sd_r6 = 6,    /* Published RCA response */
69     sd_r7,        /* Operating voltage */
70     sd_r1b = -1,
71     sd_illegal = -2,
72 } sd_rsp_type_t;
73 
74 typedef enum {
75     sd_spi,
76     sd_bc,     /* broadcast -- no response */
77     sd_bcr,    /* broadcast with response */
78     sd_ac,     /* addressed -- no data transfer */
79     sd_adtc,   /* addressed with data transfer */
80 } sd_cmd_type_t;
81 
82 enum SDCardModes {
83     sd_inactive,
84     sd_card_identification_mode,
85     sd_data_transfer_mode,
86 };
87 
88 enum SDCardStates {
89     sd_waitirq_state        = -2, /* emmc */
90     sd_inactive_state       = -1,
91 
92     sd_idle_state           = 0,
93     sd_ready_state          = 1,
94     sd_identification_state = 2,
95     sd_standby_state        = 3,
96     sd_transfer_state       = 4,
97     sd_sendingdata_state    = 5,
98     sd_receivingdata_state  = 6,
99     sd_programming_state    = 7,
100     sd_disconnect_state     = 8,
101     sd_bus_test_state       = 9,  /* emmc */
102     sd_sleep_state          = 10, /* emmc */
103     sd_io_state             = 15  /* sd */
104 };
105 
106 #define SDMMC_CMD_MAX 64
107 
108 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
109 
110 typedef struct SDProto {
111     const char *name;
112     struct {
113         const unsigned class;
114         const sd_cmd_type_t type;
115         const char *name;
116         sd_cmd_handler handler;
117     } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX];
118 } SDProto;
119 
120 struct SDState {
121     DeviceState parent_obj;
122 
123     /* SD Memory Card Registers */
124     uint32_t ocr;
125     uint8_t scr[8];
126     uint8_t cid[16];
127     uint8_t csd[16];
128     uint16_t rca;
129     uint32_t card_status;
130     uint8_t sd_status[64];
131     union {
132         uint8_t ext_csd[512];
133         struct {
134             uint8_t ext_csd_rw[192]; /* Modes segment */
135             uint8_t ext_csd_ro[320]; /* Properties segment */
136         };
137     };
138 
139     /* Static properties */
140 
141     uint8_t spec_version;
142     uint64_t boot_part_size;
143     BlockBackend *blk;
144     uint8_t boot_config;
145 
146     const SDProto *proto;
147 
148     /* Runtime changeables */
149 
150     int32_t state;    /* current card state, one of SDCardStates */
151     uint32_t vhs;
152     bool wp_switch;
153     unsigned long *wp_group_bmap;
154     int32_t wp_group_bits;
155     uint64_t size;
156     uint32_t blk_len;
157     uint32_t multi_blk_cnt;
158     uint32_t erase_start;
159     uint32_t erase_end;
160     uint8_t pwd[16];
161     uint32_t pwd_len;
162     uint8_t function_group[6];
163     uint8_t current_cmd;
164     const char *last_cmd_name;
165     /* True if we will handle the next command as an ACMD. Note that this does
166      * *not* track the APP_CMD status bit!
167      */
168     bool expecting_acmd;
169     uint32_t blk_written;
170 
171     uint64_t data_start;
172     uint32_t data_offset;
173     size_t data_size;
174     uint8_t data[512];
175     QEMUTimer *ocr_power_timer;
176     uint8_t dat_lines;
177     bool cmd_line;
178 };
179 
180 static void sd_realize(DeviceState *dev, Error **errp);
181 
182 static const SDProto sd_proto_spi;
183 static const SDProto sd_proto_emmc;
184 
sd_is_spi(SDState * sd)185 static bool sd_is_spi(SDState *sd)
186 {
187     return sd->proto == &sd_proto_spi;
188 }
189 
sd_is_emmc(SDState * sd)190 static bool sd_is_emmc(SDState *sd)
191 {
192     return sd->proto == &sd_proto_emmc;
193 }
194 
sd_version_str(enum SDPhySpecificationVersion version)195 static const char *sd_version_str(enum SDPhySpecificationVersion version)
196 {
197     static const char *sdphy_version[] = {
198         [SD_PHY_SPECv1_10_VERS]     = "v1.10",
199         [SD_PHY_SPECv2_00_VERS]     = "v2.00",
200         [SD_PHY_SPECv3_01_VERS]     = "v3.01",
201     };
202     if (version >= ARRAY_SIZE(sdphy_version)) {
203         return "unsupported version";
204     }
205     return sdphy_version[version];
206 }
207 
sd_mode_name(enum SDCardModes mode)208 static const char *sd_mode_name(enum SDCardModes mode)
209 {
210     static const char *mode_name[] = {
211         [sd_inactive]                   = "inactive",
212         [sd_card_identification_mode]   = "identification",
213         [sd_data_transfer_mode]         = "transfer",
214     };
215     assert(mode < ARRAY_SIZE(mode_name));
216     return mode_name[mode];
217 }
218 
sd_state_name(enum SDCardStates state)219 static const char *sd_state_name(enum SDCardStates state)
220 {
221     static const char *state_name[] = {
222         [sd_idle_state]             = "idle",
223         [sd_ready_state]            = "ready",
224         [sd_identification_state]   = "identification",
225         [sd_standby_state]          = "standby",
226         [sd_transfer_state]         = "transfer",
227         [sd_sendingdata_state]      = "sendingdata",
228         [sd_bus_test_state]         = "bus-test",
229         [sd_receivingdata_state]    = "receivingdata",
230         [sd_programming_state]      = "programming",
231         [sd_disconnect_state]       = "disconnect",
232         [sd_sleep_state]            = "sleep",
233         [sd_io_state]               = "i/o"
234     };
235     if (state == sd_inactive_state) {
236         return "inactive";
237     }
238     if (state == sd_waitirq_state) {
239         return "wait-irq";
240     }
241     assert(state < ARRAY_SIZE(state_name));
242     return state_name[state];
243 }
244 
sd_response_name(sd_rsp_type_t rsp)245 static const char *sd_response_name(sd_rsp_type_t rsp)
246 {
247     static const char *response_name[] = {
248         [sd_r0]     = "RESP#0 (no response)",
249         [sd_r1]     = "RESP#1 (normal cmd)",
250         [spi_r2]    = "RESP#2 (STATUS reg)",
251         [sd_r2_i]   = "RESP#2 (CID reg)",
252         [sd_r2_s]   = "RESP#2 (CSD reg)",
253         [sd_r3]     = "RESP#3 (OCR reg)",
254         [sd_r6]     = "RESP#6 (RCA)",
255         [sd_r7]     = "RESP#7 (operating voltage)",
256     };
257     if (rsp == sd_illegal) {
258         return "ILLEGAL RESP";
259     }
260     if (rsp == sd_r1b) {
261         rsp = sd_r1;
262     }
263     assert(rsp < ARRAY_SIZE(response_name));
264     return response_name[rsp];
265 }
266 
sd_cmd_name(SDState * sd,uint8_t cmd)267 static const char *sd_cmd_name(SDState *sd, uint8_t cmd)
268 {
269     static const char *cmd_abbrev[SDMMC_CMD_MAX] = {
270         [18]    = "READ_MULTIPLE_BLOCK",
271                                             [25]    = "WRITE_MULTIPLE_BLOCK",
272     };
273     const SDProto *sdp = sd->proto;
274 
275     if (sdp->cmd[cmd].handler) {
276         assert(!cmd_abbrev[cmd]);
277         return sdp->cmd[cmd].name;
278     }
279     return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD";
280 }
281 
sd_acmd_name(SDState * sd,uint8_t cmd)282 static const char *sd_acmd_name(SDState *sd, uint8_t cmd)
283 {
284     const SDProto *sdp = sd->proto;
285 
286     if (sdp->acmd[cmd].handler) {
287         return sdp->acmd[cmd].name;
288     }
289 
290     return "UNKNOWN_ACMD";
291 }
292 
sd_get_dat_lines(SDState * sd)293 static uint8_t sd_get_dat_lines(SDState *sd)
294 {
295     return sd->dat_lines;
296 }
297 
sd_get_cmd_line(SDState * sd)298 static bool sd_get_cmd_line(SDState *sd)
299 {
300     return sd->cmd_line;
301 }
302 
sd_set_voltage(SDState * sd,uint16_t millivolts)303 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
304 {
305     trace_sdcard_set_voltage(millivolts);
306 
307     switch (millivolts) {
308     case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
309     case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
310         break;
311     default:
312         qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
313                       millivolts / 1000.f);
314     }
315 }
316 
sd_mode(SDState * sd)317 static enum SDCardModes sd_mode(SDState *sd)
318 {
319     switch (sd->state) {
320     case sd_inactive_state:
321         return sd_inactive;
322     case sd_idle_state:
323     case sd_ready_state:
324     case sd_identification_state:
325         return sd_card_identification_mode;
326     case sd_standby_state:
327     case sd_transfer_state:
328     case sd_sendingdata_state:
329     case sd_receivingdata_state:
330     case sd_programming_state:
331     case sd_disconnect_state:
332         return sd_data_transfer_mode;
333     default:
334         g_assert_not_reached();
335     }
336 }
337 
sd_crc7(const void * message,size_t width)338 static uint8_t sd_crc7(const void *message, size_t width)
339 {
340     int i, bit;
341     uint8_t shift_reg = 0x00;
342     const uint8_t *msg = (const uint8_t *)message;
343 
344     for (i = 0; i < width; i ++, msg ++)
345         for (bit = 7; bit >= 0; bit --) {
346             shift_reg <<= 1;
347             if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
348                 shift_reg ^= 0x89;
349         }
350 
351     return shift_reg;
352 }
353 
354 /* Operation Conditions register */
355 
356 #define OCR_POWER_DELAY_NS      500000 /* 0.5ms */
357 
358 FIELD(OCR, VDD_VOLTAGE_WINDOW,          0, 24)
359 FIELD(OCR, VDD_VOLTAGE_WIN_LO,          0,  8)
360 FIELD(OCR, DUAL_VOLTAGE_CARD,           7,  1)
361 FIELD(OCR, VDD_VOLTAGE_WIN_HI,          8, 16)
362 FIELD(OCR, ACCEPT_SWITCH_1V8,          24,  1) /* Only UHS-I */
363 FIELD(OCR, UHS_II_CARD,                29,  1) /* Only UHS-II */
364 FIELD(OCR, CARD_CAPACITY,              30,  1) /* 0:SDSC, 1:SDHC/SDXC */
365 FIELD(OCR, CARD_POWER_UP,              31,  1)
366 
367 #define ACMD41_ENQUIRY_MASK     0x00ffffff
368 #define ACMD41_R3_MASK          (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
369                                | R_OCR_ACCEPT_SWITCH_1V8_MASK \
370                                | R_OCR_UHS_II_CARD_MASK \
371                                | R_OCR_CARD_CAPACITY_MASK \
372                                | R_OCR_CARD_POWER_UP_MASK)
373 
sd_ocr_powerup(void * opaque)374 static void sd_ocr_powerup(void *opaque)
375 {
376     SDState *sd = opaque;
377 
378     trace_sdcard_powerup();
379     assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
380 
381     /* card power-up OK */
382     sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
383 
384     if (sd->size > SDSC_MAX_CAPACITY) {
385         sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
386     }
387 }
388 
sd_set_ocr(SDState * sd)389 static void sd_set_ocr(SDState *sd)
390 {
391     /* All voltages OK */
392     sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
393 
394     if (sd_is_spi(sd)) {
395         /*
396          * We don't need to emulate power up sequence in SPI-mode.
397          * Thus, the card's power up status bit should be set to 1 when reset.
398          * The card's capacity status bit should also be set if SD card size
399          * is larger than 2GB for SDHC support.
400          */
401         sd_ocr_powerup(sd);
402     }
403 }
404 
405 /* SD Configuration register */
406 
sd_set_scr(SDState * sd)407 static void sd_set_scr(SDState *sd)
408 {
409     sd->scr[0] = 0 << 4;        /* SCR structure version 1.0 */
410     if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
411         sd->scr[0] |= 1;        /* Spec Version 1.10 */
412     } else {
413         sd->scr[0] |= 2;        /* Spec Version 2.00 or Version 3.0X */
414     }
415     sd->scr[1] = (2 << 4)       /* SDSC Card (Security Version 1.01) */
416                  | 0b0101;      /* 1-bit or 4-bit width bus modes */
417     sd->scr[2] = 0x00;          /* Extended Security is not supported. */
418     if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
419         sd->scr[2] |= 1 << 7;   /* Spec Version 3.0X */
420     }
421     sd->scr[3] = 0x00;
422     /* reserved for manufacturer usage */
423     sd->scr[4] = 0x00;
424     sd->scr[5] = 0x00;
425     sd->scr[6] = 0x00;
426     sd->scr[7] = 0x00;
427 }
428 
429 /* Card IDentification register */
430 
431 #define MID     0xaa
432 #define OID     "XY"
433 #define PNM     "QEMU!"
434 #define PRV     0x01
435 #define MDT_YR  2006
436 #define MDT_MON 2
437 
sd_set_cid(SDState * sd)438 static void sd_set_cid(SDState *sd)
439 {
440     sd->cid[0] = MID;       /* Fake card manufacturer ID (MID) */
441     sd->cid[1] = OID[0];    /* OEM/Application ID (OID) */
442     sd->cid[2] = OID[1];
443     sd->cid[3] = PNM[0];    /* Fake product name (PNM) */
444     sd->cid[4] = PNM[1];
445     sd->cid[5] = PNM[2];
446     sd->cid[6] = PNM[3];
447     sd->cid[7] = PNM[4];
448     sd->cid[8] = PRV;       /* Fake product revision (PRV) */
449     stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
450     sd->cid[13] = 0x00 |    /* Manufacture date (MDT) */
451         ((MDT_YR - 2000) / 10);
452     sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
453     sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
454 }
455 
emmc_set_cid(SDState * sd)456 static void emmc_set_cid(SDState *sd)
457 {
458     sd->cid[0] = MID;       /* Fake card manufacturer ID (MID) */
459     sd->cid[1] = 0b01;      /* CBX: soldered BGA */
460     sd->cid[2] = OID[0];    /* OEM/Application ID (OID) */
461     sd->cid[3] = PNM[0];    /* Fake product name (PNM) */
462     sd->cid[4] = PNM[1];
463     sd->cid[5] = PNM[2];
464     sd->cid[6] = PNM[3];
465     sd->cid[7] = PNM[4];
466     sd->cid[8] = PNM[4];
467     sd->cid[9] = PRV;       /* Fake product revision (PRV) */
468     stl_be_p(&sd->cid[10], 0xdeadbeef); /* Fake serial number (PSN) */
469     sd->cid[14] = (MDT_MON << 4) | (MDT_YR - 1997); /* Manufacture date (MDT) */
470     sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
471 }
472 
473 /* Card-Specific Data register */
474 
475 #define HWBLOCK_SHIFT   9        /* 512 bytes */
476 #define SECTOR_SHIFT    5        /* 16 kilobytes */
477 #define WPGROUP_SHIFT   7        /* 2 megs */
478 #define CMULT_SHIFT     9        /* 512 times HWBLOCK_SIZE */
479 #define WPGROUP_SIZE    (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
480 
481 static const uint8_t sd_csd_rw_mask[16] = {
482     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
483     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
484 };
485 
emmc_set_ext_csd(SDState * sd,uint64_t size)486 static void emmc_set_ext_csd(SDState *sd, uint64_t size)
487 {
488     uint32_t sectcount = size >> HWBLOCK_SHIFT;
489 
490     memset(sd->ext_csd, 0, sizeof(sd->ext_csd)); /* FIXME only RW at reset */
491 
492     /* Properties segment (RO) */
493     sd->ext_csd[EXT_CSD_S_CMD_SET] = 0b1; /* supported command sets */
494     sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x0; /* Boot information */
495                                      /* Boot partition size. 128KB unit */
496     sd->ext_csd[EXT_CSD_BOOT_MULT] = sd->boot_part_size / (128 * KiB);
497     sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x1; /* Access size */
498     sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x01; /* HC Erase unit size */
499     sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x01; /* HC erase timeout */
500     sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */
501     sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x01; /* HC write protect group size */
502     sd->ext_csd[EXT_CSD_S_C_VCC] = 0x01; /* Sleep current VCC  */
503     sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x01; /* Sleep current VCCQ */
504     sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x01; /* Sleep/Awake timeout */
505     stl_le_p(&sd->ext_csd[EXT_CSD_SEC_CNT], sectcount); /* Sector count */
506     sd->ext_csd[210] = 0x46; /* Min write perf for 8bit@52Mhz */
507     sd->ext_csd[209] = 0x46; /* Min read perf for 8bit@52Mhz  */
508     sd->ext_csd[208] = 0x46; /* Min write perf for 4bit@52Mhz */
509     sd->ext_csd[207] = 0x46; /* Min read perf for 4bit@52Mhz */
510     sd->ext_csd[206] = 0x46; /* Min write perf for 4bit@26Mhz */
511     sd->ext_csd[205] = 0x46; /* Min read perf for 4bit@26Mhz */
512     sd->ext_csd[EXT_CSD_CARD_TYPE] = 0b11;
513     sd->ext_csd[EXT_CSD_STRUCTURE] = 2;
514     sd->ext_csd[EXT_CSD_REV] = 3;
515 
516     /* Mode segment (RW) */
517     sd->ext_csd[EXT_CSD_PART_CONFIG] = sd->boot_config;
518 }
519 
emmc_set_csd(SDState * sd,uint64_t size)520 static void emmc_set_csd(SDState *sd, uint64_t size)
521 {
522     int hwblock_shift = HWBLOCK_SHIFT;
523     uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
524     uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
525 
526     sd->csd[0] = (3 << 6) | (4 << 2); /* Spec v4.3 with EXT_CSD */
527     sd->csd[1] = (1 << 3) | 6; /* Asynchronous data access time: 1ms */
528     sd->csd[2] = 0x00;
529     sd->csd[3] = (1 << 3) | 3;; /* Maximum bus clock frequency: 100MHz */
530     sd->csd[4] = 0x0f;
531     if (size <= 2 * GiB) {
532         /* use 1k blocks */
533         uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1;
534         sd->csd[5] = 0x5a;
535         sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf);
536         sd->csd[7] = (csize1k >> 2) & 0xff;
537     } else { /* >= 2GB : size stored in ext CSD, block addressing */
538         sd->csd[5] = 0x59;
539         sd->csd[6] = 0x8f;
540         sd->csd[7] = 0xff;
541         sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
542     }
543     sd->csd[8] = 0xff;
544     sd->csd[9] = 0xfc |     /* Max. write current */
545         ((CMULT_SHIFT - 2) >> 1);
546     sd->csd[10] = 0x40 |    /* Erase sector size */
547         (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
548     sd->csd[11] = 0x00 |    /* Write protect group size */
549         ((sectsize << 7) & 0x80) | wpsize;
550     sd->csd[12] = 0x90 |    /* Write speed factor */
551         (hwblock_shift >> 2);
552     sd->csd[13] = 0x20 |    /* Max. write data block length */
553         ((hwblock_shift << 6) & 0xc0);
554     sd->csd[14] = 0x00;
555     sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
556     emmc_set_ext_csd(sd, size);
557 }
558 
sd_set_csd(SDState * sd,uint64_t size)559 static void sd_set_csd(SDState *sd, uint64_t size)
560 {
561     int hwblock_shift = HWBLOCK_SHIFT;
562     uint32_t csize;
563     uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
564     uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
565 
566     /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
567     if (size == SDSC_MAX_CAPACITY) {
568         hwblock_shift += 1;
569     }
570     csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
571 
572     if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
573         sd->csd[0] = 0x00;      /* CSD structure */
574         sd->csd[1] = 0x26;      /* Data read access-time-1 */
575         sd->csd[2] = 0x00;      /* Data read access-time-2 */
576         sd->csd[3] = 0x32;      /* Max. data transfer rate: 25 MHz */
577         sd->csd[4] = 0x5f;      /* Card Command Classes */
578         sd->csd[5] = 0x50 |     /* Max. read data block length */
579             hwblock_shift;
580         sd->csd[6] = 0xe0 |     /* Partial block for read allowed */
581             ((csize >> 10) & 0x03);
582         sd->csd[7] = 0x00 |     /* Device size */
583             ((csize >> 2) & 0xff);
584         sd->csd[8] = 0x3f |     /* Max. read current */
585             ((csize << 6) & 0xc0);
586         sd->csd[9] = 0xfc |     /* Max. write current */
587             ((CMULT_SHIFT - 2) >> 1);
588         sd->csd[10] = 0x40 |    /* Erase sector size */
589             (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
590         sd->csd[11] = 0x00 |    /* Write protect group size */
591             ((sectsize << 7) & 0x80) | wpsize;
592         sd->csd[12] = 0x90 |    /* Write speed factor */
593             (hwblock_shift >> 2);
594         sd->csd[13] = 0x20 |    /* Max. write data block length */
595             ((hwblock_shift << 6) & 0xc0);
596         sd->csd[14] = 0x00;     /* File format group */
597     } else {                    /* SDHC */
598         size /= 512 * KiB;
599         size -= 1;
600         sd->csd[0] = 0x40;
601         sd->csd[1] = 0x0e;
602         sd->csd[2] = 0x00;
603         sd->csd[3] = 0x32;
604         sd->csd[4] = 0x5b;
605         sd->csd[5] = 0x59;
606         sd->csd[6] = 0x00;
607         st24_be_p(&sd->csd[7], size);
608         sd->csd[10] = 0x7f;
609         sd->csd[11] = 0x80;
610         sd->csd[12] = 0x0a;
611         sd->csd[13] = 0x40;
612         sd->csd[14] = 0x00;
613     }
614     sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
615 }
616 
617 /* Relative Card Address register */
618 
sd_set_rca(SDState * sd,uint16_t value)619 static void sd_set_rca(SDState *sd, uint16_t value)
620 {
621     trace_sdcard_set_rca(value);
622     sd->rca = value;
623 }
624 
sd_req_get_rca(SDState * s,SDRequest req)625 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
626 {
627     switch (s->proto->cmd[req.cmd].type) {
628     case sd_ac:
629     case sd_adtc:
630         return req.arg >> 16;
631     case sd_spi:
632     default:
633         g_assert_not_reached();
634     }
635 }
636 
sd_req_rca_same(SDState * s,SDRequest req)637 static bool sd_req_rca_same(SDState *s, SDRequest req)
638 {
639     return sd_req_get_rca(s, req) == s->rca;
640 }
641 
642 /* Card Status register */
643 
644 FIELD(CSR, AKE_SEQ_ERROR,               3,  1)
645 FIELD(CSR, APP_CMD,                     5,  1)
646 FIELD(CSR, FX_EVENT,                    6,  1)
647 FIELD(CSR, SWITCH_ERROR,                7,  1)
648 FIELD(CSR, READY_FOR_DATA,              8,  1)
649 FIELD(CSR, CURRENT_STATE,               9,  4)
650 FIELD(CSR, ERASE_RESET,                13,  1)
651 FIELD(CSR, CARD_ECC_DISABLED,          14,  1)
652 FIELD(CSR, WP_ERASE_SKIP,              15,  1)
653 FIELD(CSR, CSD_OVERWRITE,              16,  1)
654 FIELD(CSR, DEFERRED_RESPONSE,          17,  1)
655 FIELD(CSR, ERROR,                      19,  1)
656 FIELD(CSR, CC_ERROR,                   20,  1)
657 FIELD(CSR, CARD_ECC_FAILED,            21,  1)
658 FIELD(CSR, ILLEGAL_COMMAND,            22,  1)
659 FIELD(CSR, COM_CRC_ERROR,              23,  1)
660 FIELD(CSR, LOCK_UNLOCK_FAILED,         24,  1)
661 FIELD(CSR, CARD_IS_LOCKED,             25,  1)
662 FIELD(CSR, WP_VIOLATION,               26,  1)
663 FIELD(CSR, ERASE_PARAM,                27,  1)
664 FIELD(CSR, ERASE_SEQ_ERROR,            28,  1)
665 FIELD(CSR, BLOCK_LEN_ERROR,            29,  1)
666 FIELD(CSR, ADDRESS_ERROR,              30,  1)
667 FIELD(CSR, OUT_OF_RANGE,               31,  1)
668 
669 /* Card status bits, split by clear condition:
670  * A : According to the card current state
671  * B : Always related to the previous command
672  * C : Cleared by read
673  */
674 #define CARD_STATUS_A           (R_CSR_READY_FOR_DATA_MASK \
675                                | R_CSR_CARD_ECC_DISABLED_MASK \
676                                | R_CSR_CARD_IS_LOCKED_MASK)
677 #define CARD_STATUS_B           (R_CSR_CURRENT_STATE_MASK \
678                                | R_CSR_ILLEGAL_COMMAND_MASK \
679                                | R_CSR_COM_CRC_ERROR_MASK)
680 #define CARD_STATUS_C           (R_CSR_AKE_SEQ_ERROR_MASK \
681                                | R_CSR_APP_CMD_MASK \
682                                | R_CSR_ERASE_RESET_MASK \
683                                | R_CSR_WP_ERASE_SKIP_MASK \
684                                | R_CSR_CSD_OVERWRITE_MASK \
685                                | R_CSR_ERROR_MASK \
686                                | R_CSR_CC_ERROR_MASK \
687                                | R_CSR_CARD_ECC_FAILED_MASK \
688                                | R_CSR_LOCK_UNLOCK_FAILED_MASK \
689                                | R_CSR_WP_VIOLATION_MASK \
690                                | R_CSR_ERASE_PARAM_MASK \
691                                | R_CSR_ERASE_SEQ_ERROR_MASK \
692                                | R_CSR_BLOCK_LEN_ERROR_MASK \
693                                | R_CSR_ADDRESS_ERROR_MASK \
694                                | R_CSR_OUT_OF_RANGE_MASK)
695 
sd_set_cardstatus(SDState * sd)696 static void sd_set_cardstatus(SDState *sd)
697 {
698     sd->card_status = READY_FOR_DATA;
699 }
700 
sd_set_sdstatus(SDState * sd)701 static void sd_set_sdstatus(SDState *sd)
702 {
703     memset(sd->sd_status, 0, 64);
704 }
705 
706 static const uint8_t sd_tuning_block_pattern4[64] = {
707     /*
708      * See: Physical Layer Simplified Specification Version 3.01,
709      * Table 4-2.
710      */
711     0xff, 0x0f, 0xff, 0x00,     0x0f, 0xfc, 0xc3, 0xcc,
712     0xc3, 0x3c, 0xcc, 0xff,     0xfe, 0xff, 0xfe, 0xef,
713     0xff, 0xdf, 0xff, 0xdd,     0xff, 0xfb, 0xff, 0xfb,
714     0xbf, 0xff, 0x7f, 0xff,     0x77, 0xf7, 0xbd, 0xef,
715     0xff, 0xf0, 0xff, 0xf0,     0x0f, 0xfc, 0xcc, 0x3c,
716     0xcc, 0x33, 0xcc, 0xcf,     0xff, 0xef, 0xff, 0xee,
717     0xff, 0xfd, 0xff, 0xfd,     0xdf, 0xff, 0xbf, 0xff,
718     0xbb, 0xff, 0xf7, 0xff,     0xf7, 0x7f, 0x7b, 0xde
719 };
720 
sd_req_crc_validate(SDRequest * req)721 static int sd_req_crc_validate(SDRequest *req)
722 {
723     uint8_t buffer[5];
724     buffer[0] = 0x40 | req->cmd;
725     stl_be_p(&buffer[1], req->arg);
726     return 0;
727     return sd_crc7(buffer, 5) != req->crc;  /* TODO */
728 }
729 
sd_response_size(SDState * sd,sd_rsp_type_t rtype)730 static size_t sd_response_size(SDState *sd, sd_rsp_type_t rtype)
731 {
732     switch (rtype) {
733     case sd_r1:
734     case sd_r1b:
735         return sd_is_spi(sd) ? 1 : 4;
736 
737     case spi_r2:
738         assert(sd_is_spi(sd));
739         return 2;
740 
741     case sd_r2_i:
742     case sd_r2_s:
743         assert(!sd_is_spi(sd));
744         return 16;
745 
746     case sd_r3:
747     case sd_r7:
748         return sd_is_spi(sd) ? 5 : 4;
749 
750     case sd_r6:
751         assert(!sd_is_spi(sd));
752         return 4;
753 
754     case sd_r0:
755     case sd_illegal:
756         return sd_is_spi(sd) ? 1 : 0;
757 
758     default:
759         g_assert_not_reached();
760     }
761 }
762 
sd_response_r1_make(SDState * sd,uint8_t * response)763 static void sd_response_r1_make(SDState *sd, uint8_t *response)
764 {
765     if (sd_is_spi(sd)) {
766         response[0] = sd->state == sd_idle_state
767                    && !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
768         response[0] |= FIELD_EX32(sd->card_status, CSR, ERASE_RESET) << 1;
769         response[0] |= FIELD_EX32(sd->card_status, CSR, ILLEGAL_COMMAND) << 2;
770         response[0] |= FIELD_EX32(sd->card_status, CSR, COM_CRC_ERROR) << 3;
771         response[0] |= FIELD_EX32(sd->card_status, CSR, ERASE_SEQ_ERROR) << 4;
772         response[0] |= FIELD_EX32(sd->card_status, CSR, ADDRESS_ERROR) << 5;
773         response[0] |= FIELD_EX32(sd->card_status, CSR, BLOCK_LEN_ERROR) << 6;
774         response[0] |= 0 << 7;
775     } else {
776         stl_be_p(response, sd->card_status);
777     }
778 
779     /* Clear the "clear on read" status bits */
780     sd->card_status &= ~CARD_STATUS_C;
781 }
782 
spi_response_r2_make(SDState * sd,uint8_t * resp)783 static void spi_response_r2_make(SDState *sd, uint8_t *resp)
784 {
785     /* Prepend R1 */
786     sd_response_r1_make(sd, resp);
787 
788     resp[1]  = FIELD_EX32(sd->card_status, CSR, CARD_IS_LOCKED) << 0;
789     resp[1] |= (FIELD_EX32(sd->card_status, CSR, LOCK_UNLOCK_FAILED)
790                 || FIELD_EX32(sd->card_status, CSR, WP_ERASE_SKIP)) << 1;
791     resp[1] |= FIELD_EX32(sd->card_status, CSR, ERROR) << 2;
792     resp[1] |= FIELD_EX32(sd->card_status, CSR, CC_ERROR) << 3;
793     resp[1] |= FIELD_EX32(sd->card_status, CSR, CARD_ECC_FAILED) << 4;
794     resp[1] |= FIELD_EX32(sd->card_status, CSR, WP_VIOLATION) << 5;
795     resp[1] |= FIELD_EX32(sd->card_status, CSR, ERASE_PARAM) << 6;
796     resp[1] |= FIELD_EX32(sd->card_status, CSR, OUT_OF_RANGE) << 7;
797 }
798 
sd_response_r3_make(SDState * sd,uint8_t * response)799 static void sd_response_r3_make(SDState *sd, uint8_t *response)
800 {
801     if (sd_is_spi(sd)) {
802         /* Prepend R1 */
803         sd_response_r1_make(sd, response);
804         response++;
805     }
806     stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
807 }
808 
sd_response_r6_make(SDState * sd,uint8_t * response)809 static void sd_response_r6_make(SDState *sd, uint8_t *response)
810 {
811     uint16_t status;
812 
813     status = ((sd->card_status >> 8) & 0xc000) |
814              ((sd->card_status >> 6) & 0x2000) |
815               (sd->card_status & 0x1fff);
816     sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
817     stw_be_p(response + 0, sd->rca);
818     stw_be_p(response + 2, status);
819 }
820 
sd_response_r7_make(SDState * sd,uint8_t * response)821 static void sd_response_r7_make(SDState *sd, uint8_t *response)
822 {
823     if (sd_is_spi(sd)) {
824         /* Prepend R1 */
825         sd_response_r1_make(sd, response);
826         response++;
827     }
828     stl_be_p(response, sd->vhs);
829 }
830 
sd_blk_len(SDState * sd)831 static uint32_t sd_blk_len(SDState *sd)
832 {
833     if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
834         return 1 << HWBLOCK_SHIFT;
835     }
836     return sd->blk_len;
837 }
838 
839 /*
840  * This requires a disk image that has two boot partitions inserted at the
841  * beginning of it. The size of the boot partitions is the "boot-size"
842  * property.
843  */
sd_bootpart_offset(SDState * sd)844 static uint32_t sd_bootpart_offset(SDState *sd)
845 {
846     unsigned partition_access;
847 
848     if (!sd->boot_part_size || !sd_is_emmc(sd)) {
849         return 0;
850     }
851 
852     partition_access = sd->ext_csd[EXT_CSD_PART_CONFIG]
853                                  & EXT_CSD_PART_CONFIG_ACC_MASK;
854     switch (partition_access) {
855     case EXT_CSD_PART_CONFIG_ACC_DEFAULT:
856         return sd->boot_part_size * 2;
857     case EXT_CSD_PART_CONFIG_ACC_BOOT0:
858         return 0;
859     case EXT_CSD_PART_CONFIG_ACC_BOOT0 + 1:
860         return sd->boot_part_size * 1;
861     default:
862          g_assert_not_reached();
863     }
864 }
865 
sd_req_get_address(SDState * sd,SDRequest req)866 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
867 {
868     uint64_t addr;
869 
870     if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
871         addr = (uint64_t) req.arg << HWBLOCK_SHIFT;
872     } else {
873         addr = req.arg;
874     }
875     trace_sdcard_req_addr(req.arg, addr);
876     return addr;
877 }
878 
sd_addr_to_wpnum(uint64_t addr)879 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
880 {
881     return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
882 }
883 
sd_reset(DeviceState * dev)884 static void sd_reset(DeviceState *dev)
885 {
886     SDState *sd = SDMMC_COMMON(dev);
887     SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd);
888     uint64_t size;
889     uint64_t sect;
890 
891     trace_sdcard_reset();
892     if (sd->blk) {
893         blk_get_geometry(sd->blk, &sect);
894     } else {
895         sect = 0;
896     }
897     size = sect << HWBLOCK_SHIFT;
898     if (sd_is_emmc(sd)) {
899         size -= sd->boot_part_size * 2;
900     }
901 
902     sect = sd_addr_to_wpnum(size) + 1;
903 
904     sd->state = sd_idle_state;
905 
906     /* card registers */
907     sd->rca = sd_is_emmc(sd) ? 0x0001 : 0x0000;
908     sd->size = size;
909     sd_set_ocr(sd);
910     sd_set_scr(sd);
911     sc->set_cid(sd);
912     sc->set_csd(sd, size);
913     sd_set_cardstatus(sd);
914     sd_set_sdstatus(sd);
915 
916     g_free(sd->wp_group_bmap);
917     sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
918     sd->wp_group_bits = sect;
919     sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
920     memset(sd->function_group, 0, sizeof(sd->function_group));
921     sd->erase_start = INVALID_ADDRESS;
922     sd->erase_end = INVALID_ADDRESS;
923     sd->blk_len = 0x200;
924     sd->pwd_len = 0;
925     sd->expecting_acmd = false;
926     sd->dat_lines = 0xf;
927     sd->cmd_line = true;
928     sd->multi_blk_cnt = 0;
929 }
930 
sd_get_inserted(SDState * sd)931 static bool sd_get_inserted(SDState *sd)
932 {
933     return sd->blk && blk_is_inserted(sd->blk);
934 }
935 
sd_get_readonly(SDState * sd)936 static bool sd_get_readonly(SDState *sd)
937 {
938     return sd->wp_switch;
939 }
940 
sd_cardchange(void * opaque,bool load,Error ** errp)941 static void sd_cardchange(void *opaque, bool load, Error **errp)
942 {
943     SDState *sd = opaque;
944     DeviceState *dev = DEVICE(sd);
945     SDBus *sdbus;
946     bool inserted = sd_get_inserted(sd);
947     bool readonly = sd_get_readonly(sd);
948 
949     if (inserted) {
950         trace_sdcard_inserted(readonly);
951         sd_reset(dev);
952     } else {
953         trace_sdcard_ejected();
954     }
955 
956     sdbus = SD_BUS(qdev_get_parent_bus(dev));
957     sdbus_set_inserted(sdbus, inserted);
958     if (inserted) {
959         sdbus_set_readonly(sdbus, readonly);
960     }
961 }
962 
963 static const BlockDevOps sd_block_ops = {
964     .change_media_cb = sd_cardchange,
965 };
966 
sd_ocr_vmstate_needed(void * opaque)967 static bool sd_ocr_vmstate_needed(void *opaque)
968 {
969     SDState *sd = opaque;
970 
971     /* Include the OCR state (and timer) if it is not yet powered up */
972     return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
973 }
974 
975 static const VMStateDescription sd_ocr_vmstate = {
976     .name = "sd-card/ocr-state",
977     .version_id = 1,
978     .minimum_version_id = 1,
979     .needed = sd_ocr_vmstate_needed,
980     .fields = (const VMStateField[]) {
981         VMSTATE_UINT32(ocr, SDState),
982         VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
983         VMSTATE_END_OF_LIST()
984     },
985 };
986 
vmstate_needed_for_emmc(void * opaque)987 static bool vmstate_needed_for_emmc(void *opaque)
988 {
989     SDState *sd = opaque;
990 
991     return sd_is_emmc(sd);
992 }
993 
994 static const VMStateDescription emmc_extcsd_vmstate = {
995     .name = "sd-card/ext_csd_modes-state",
996     .version_id = 1,
997     .minimum_version_id = 1,
998     .needed = vmstate_needed_for_emmc,
999     .fields = (const VMStateField[]) {
1000         VMSTATE_UINT8_ARRAY(ext_csd_rw, SDState, 192),
1001         VMSTATE_END_OF_LIST()
1002     },
1003 };
1004 
sd_vmstate_pre_load(void * opaque)1005 static int sd_vmstate_pre_load(void *opaque)
1006 {
1007     SDState *sd = opaque;
1008 
1009     /* If the OCR state is not included (prior versions, or not
1010      * needed), then the OCR must be set as powered up. If the OCR state
1011      * is included, this will be replaced by the state restore.
1012      */
1013     sd_ocr_powerup(sd);
1014 
1015     return 0;
1016 }
1017 
1018 static const VMStateDescription sd_vmstate = {
1019     .name = "sd-card",
1020     .version_id = 2,
1021     .minimum_version_id = 2,
1022     .pre_load = sd_vmstate_pre_load,
1023     .fields = (const VMStateField[]) {
1024         VMSTATE_UNUSED(4),
1025         VMSTATE_INT32(state, SDState),
1026         VMSTATE_UINT8_ARRAY(cid, SDState, 16),
1027         VMSTATE_UINT8_ARRAY(csd, SDState, 16),
1028         VMSTATE_UINT16(rca, SDState),
1029         VMSTATE_UINT32(card_status, SDState),
1030         VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
1031         VMSTATE_UINT32(vhs, SDState),
1032         VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
1033         VMSTATE_UINT32(blk_len, SDState),
1034         VMSTATE_UINT32(multi_blk_cnt, SDState),
1035         VMSTATE_UINT32(erase_start, SDState),
1036         VMSTATE_UINT32(erase_end, SDState),
1037         VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
1038         VMSTATE_UINT32(pwd_len, SDState),
1039         VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
1040         VMSTATE_UINT8(current_cmd, SDState),
1041         VMSTATE_BOOL(expecting_acmd, SDState),
1042         VMSTATE_UINT32(blk_written, SDState),
1043         VMSTATE_UINT64(data_start, SDState),
1044         VMSTATE_UINT32(data_offset, SDState),
1045         VMSTATE_UINT8_ARRAY(data, SDState, 512),
1046         VMSTATE_UNUSED_V(1, 512),
1047         VMSTATE_UNUSED(1),
1048         VMSTATE_END_OF_LIST()
1049     },
1050     .subsections = (const VMStateDescription * const []) {
1051         &sd_ocr_vmstate,
1052         &emmc_extcsd_vmstate,
1053         NULL
1054     },
1055 };
1056 
sd_blk_read(SDState * sd,uint64_t addr,uint32_t len)1057 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1058 {
1059     trace_sdcard_read_block(addr, len);
1060     addr += sd_bootpart_offset(sd);
1061     if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
1062         fprintf(stderr, "sd_blk_read: read error on host side\n");
1063     }
1064 }
1065 
sd_blk_write(SDState * sd,uint64_t addr,uint32_t len)1066 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1067 {
1068     trace_sdcard_write_block(addr, len);
1069     addr += sd_bootpart_offset(sd);
1070     if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
1071         fprintf(stderr, "sd_blk_write: write error on host side\n");
1072     }
1073 }
1074 
sd_erase(SDState * sd)1075 static void sd_erase(SDState *sd)
1076 {
1077     uint64_t erase_start = sd->erase_start;
1078     uint64_t erase_end = sd->erase_end;
1079     bool sdsc = true;
1080     uint64_t wpnum;
1081     uint64_t erase_addr;
1082     int erase_len = 1 << HWBLOCK_SHIFT;
1083 
1084     trace_sdcard_erase(sd->erase_start, sd->erase_end);
1085     if (sd->erase_start == INVALID_ADDRESS
1086             || sd->erase_end == INVALID_ADDRESS) {
1087         sd->card_status |= ERASE_SEQ_ERROR;
1088         sd->erase_start = INVALID_ADDRESS;
1089         sd->erase_end = INVALID_ADDRESS;
1090         return;
1091     }
1092 
1093     if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1094         /* High capacity memory card: erase units are 512 byte blocks */
1095         erase_start <<= HWBLOCK_SHIFT;
1096         erase_end <<= HWBLOCK_SHIFT;
1097         sdsc = false;
1098     }
1099 
1100     if (erase_start > sd->size || erase_end > sd->size) {
1101         sd->card_status |= OUT_OF_RANGE;
1102         sd->erase_start = INVALID_ADDRESS;
1103         sd->erase_end = INVALID_ADDRESS;
1104         return;
1105     }
1106 
1107     sd->erase_start = INVALID_ADDRESS;
1108     sd->erase_end = INVALID_ADDRESS;
1109     sd->csd[14] |= 0x40;
1110 
1111     memset(sd->data, 0xff, erase_len);
1112     for (erase_addr = erase_start; erase_addr <= erase_end;
1113          erase_addr += erase_len) {
1114         if (sdsc) {
1115             /* Only SDSC cards support write protect groups */
1116             wpnum = sd_addr_to_wpnum(erase_addr);
1117             assert(wpnum < sd->wp_group_bits);
1118             if (test_bit(wpnum, sd->wp_group_bmap)) {
1119                 sd->card_status |= WP_ERASE_SKIP;
1120                 continue;
1121             }
1122         }
1123         sd_blk_write(sd, erase_addr, erase_len);
1124     }
1125 }
1126 
sd_wpbits(SDState * sd,uint64_t addr)1127 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
1128 {
1129     uint32_t i, wpnum;
1130     uint32_t ret = 0;
1131 
1132     wpnum = sd_addr_to_wpnum(addr);
1133 
1134     for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
1135         if (addr >= sd->size) {
1136             /*
1137              * If the addresses of the last groups are outside the valid range,
1138              * then the corresponding write protection bits shall be set to 0.
1139              */
1140             continue;
1141         }
1142         assert(wpnum < sd->wp_group_bits);
1143         if (test_bit(wpnum, sd->wp_group_bmap)) {
1144             ret |= (1 << i);
1145         }
1146     }
1147 
1148     return ret;
1149 }
1150 
1151 enum ExtCsdAccessMode {
1152     EXT_CSD_ACCESS_MODE_COMMAND_SET = 0,
1153     EXT_CSD_ACCESS_MODE_SET_BITS    = 1,
1154     EXT_CSD_ACCESS_MODE_CLEAR_BITS  = 2,
1155     EXT_CSD_ACCESS_MODE_WRITE_BYTE  = 3
1156 };
1157 
emmc_function_switch(SDState * sd,uint32_t arg)1158 static void emmc_function_switch(SDState *sd, uint32_t arg)
1159 {
1160     uint8_t access = extract32(arg, 24, 2);
1161     uint8_t index = extract32(arg, 16, 8);
1162     uint8_t value = extract32(arg, 8, 8);
1163     uint8_t b = sd->ext_csd[index];
1164 
1165     trace_sdcard_switch(access, index, value, extract32(arg, 0, 2));
1166 
1167     if (index >= 192) {
1168         qemu_log_mask(LOG_GUEST_ERROR, "MMC switching illegal offset\n");
1169         sd->card_status |= R_CSR_SWITCH_ERROR_MASK;
1170         return;
1171     }
1172 
1173     switch (access) {
1174     case EXT_CSD_ACCESS_MODE_COMMAND_SET:
1175         qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n");
1176         return;
1177     case EXT_CSD_ACCESS_MODE_SET_BITS:
1178         b |= value;
1179         break;
1180     case EXT_CSD_ACCESS_MODE_CLEAR_BITS:
1181         b &= ~value;
1182         break;
1183     case EXT_CSD_ACCESS_MODE_WRITE_BYTE:
1184         b = value;
1185         break;
1186     }
1187 
1188     trace_sdcard_ext_csd_update(index, sd->ext_csd[index], b);
1189     sd->ext_csd[index] = b;
1190 }
1191 
sd_function_switch(SDState * sd,uint32_t arg)1192 static void sd_function_switch(SDState *sd, uint32_t arg)
1193 {
1194     int i, mode, new_func;
1195     mode = !!(arg & 0x80000000);
1196 
1197     sd->data[0] = 0x00;     /* Maximum current consumption */
1198     sd->data[1] = 0x01;
1199     sd->data[2] = 0x80;     /* Supported group 6 functions */
1200     sd->data[3] = 0x01;
1201     sd->data[4] = 0x80;     /* Supported group 5 functions */
1202     sd->data[5] = 0x01;
1203     sd->data[6] = 0x80;     /* Supported group 4 functions */
1204     sd->data[7] = 0x01;
1205     sd->data[8] = 0x80;     /* Supported group 3 functions */
1206     sd->data[9] = 0x01;
1207     sd->data[10] = 0x80;    /* Supported group 2 functions */
1208     sd->data[11] = 0x43;
1209     sd->data[12] = 0x80;    /* Supported group 1 functions */
1210     sd->data[13] = 0x03;
1211 
1212     memset(&sd->data[14], 0, 3);
1213     for (i = 0; i < 6; i ++) {
1214         new_func = (arg >> (i * 4)) & 0x0f;
1215         if (mode && new_func != 0x0f)
1216             sd->function_group[i] = new_func;
1217         sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
1218     }
1219     memset(&sd->data[17], 0, 47);
1220 }
1221 
sd_wp_addr(SDState * sd,uint64_t addr)1222 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
1223 {
1224     return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1225 }
1226 
sd_lock_command(SDState * sd)1227 static void sd_lock_command(SDState *sd)
1228 {
1229     int erase, lock, clr_pwd, set_pwd, pwd_len;
1230     erase = !!(sd->data[0] & 0x08);
1231     lock = sd->data[0] & 0x04;
1232     clr_pwd = sd->data[0] & 0x02;
1233     set_pwd = sd->data[0] & 0x01;
1234 
1235     if (sd->blk_len > 1)
1236         pwd_len = sd->data[1];
1237     else
1238         pwd_len = 0;
1239 
1240     if (lock) {
1241         trace_sdcard_lock();
1242     } else {
1243         trace_sdcard_unlock();
1244     }
1245     if (erase) {
1246         if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
1247                         set_pwd || clr_pwd || lock || sd->wp_switch ||
1248                         (sd->csd[14] & 0x20)) {
1249             sd->card_status |= LOCK_UNLOCK_FAILED;
1250             return;
1251         }
1252         bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
1253         sd->csd[14] &= ~0x10;
1254         sd->card_status &= ~CARD_IS_LOCKED;
1255         sd->pwd_len = 0;
1256         /* Erasing the entire card here! */
1257         fprintf(stderr, "SD: Card force-erased by CMD42\n");
1258         return;
1259     }
1260 
1261     if (sd->blk_len < 2 + pwd_len ||
1262                     pwd_len <= sd->pwd_len ||
1263                     pwd_len > sd->pwd_len + 16) {
1264         sd->card_status |= LOCK_UNLOCK_FAILED;
1265         return;
1266     }
1267 
1268     if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
1269         sd->card_status |= LOCK_UNLOCK_FAILED;
1270         return;
1271     }
1272 
1273     pwd_len -= sd->pwd_len;
1274     if ((pwd_len && !set_pwd) ||
1275                     (clr_pwd && (set_pwd || lock)) ||
1276                     (lock && !sd->pwd_len && !set_pwd) ||
1277                     (!set_pwd && !clr_pwd &&
1278                      (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1279                       (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1280         sd->card_status |= LOCK_UNLOCK_FAILED;
1281         return;
1282     }
1283 
1284     if (set_pwd) {
1285         memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1286         sd->pwd_len = pwd_len;
1287     }
1288 
1289     if (clr_pwd) {
1290         sd->pwd_len = 0;
1291     }
1292 
1293     if (lock)
1294         sd->card_status |= CARD_IS_LOCKED;
1295     else
1296         sd->card_status &= ~CARD_IS_LOCKED;
1297 }
1298 
address_in_range(SDState * sd,const char * desc,uint64_t addr,uint32_t length)1299 static bool address_in_range(SDState *sd, const char *desc,
1300                              uint64_t addr, uint32_t length)
1301 {
1302     if (addr + length > sd->size) {
1303         qemu_log_mask(LOG_GUEST_ERROR,
1304                       "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1305                       desc, addr, sd->size, length);
1306         sd->card_status |= ADDRESS_ERROR;
1307         return false;
1308     }
1309     return true;
1310 }
1311 
sd_invalid_state_for_cmd(SDState * sd,SDRequest req)1312 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1313 {
1314     qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1315                   sd->proto->name, req.cmd, sd_state_name(sd->state),
1316                   sd_version_str(sd->spec_version));
1317 
1318     return sd_illegal;
1319 }
1320 
sd_invalid_mode_for_cmd(SDState * sd,SDRequest req)1321 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
1322 {
1323     qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
1324                   sd->proto->name, req.cmd, sd_mode_name(sd_mode(sd)),
1325                   sd_version_str(sd->spec_version));
1326 
1327     return sd_illegal;
1328 }
1329 
sd_cmd_illegal(SDState * sd,SDRequest req)1330 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1331 {
1332     qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1333                   sd->proto->name, req.cmd,
1334                   sd_version_str(sd->spec_version));
1335 
1336     return sd_illegal;
1337 }
1338 
1339 /* Commands that are recognised but not yet implemented. */
sd_cmd_unimplemented(SDState * sd,SDRequest req)1340 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1341 {
1342     qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1343                   sd->proto->name, req.cmd);
1344 
1345     return sd_illegal;
1346 }
1347 
sd_cmd_optional(SDState * sd,SDRequest req)1348 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req)
1349 {
1350     qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n",
1351                   sd->proto->name, req.cmd);
1352 
1353     return sd_illegal;
1354 }
1355 
1356 /* Configure fields for following sd_generic_write_byte() calls */
sd_cmd_to_receivingdata(SDState * sd,SDRequest req,uint64_t start,size_t size)1357 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req,
1358                                              uint64_t start, size_t size)
1359 {
1360     if (sd->state != sd_transfer_state) {
1361         return sd_invalid_state_for_cmd(sd, req);
1362     }
1363     sd->state = sd_receivingdata_state;
1364     sd->data_start = start;
1365     sd->data_offset = 0;
1366     /* sd->data[] used as receive buffer */
1367     sd->data_size = size ?: sizeof(sd->data);
1368     return sd_r1;
1369 }
1370 
1371 /* Configure fields for following sd_generic_read_byte() calls */
sd_cmd_to_sendingdata(SDState * sd,SDRequest req,uint64_t start,const void * data,size_t size)1372 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req,
1373                                            uint64_t start,
1374                                            const void *data, size_t size)
1375 {
1376     if (sd->state != sd_transfer_state) {
1377         return sd_invalid_state_for_cmd(sd, req);
1378     }
1379 
1380     sd->state = sd_sendingdata_state;
1381     sd->data_start = start;
1382     sd->data_offset = 0;
1383     if (data) {
1384         assert(size > 0 && size <= sizeof(sd->data));
1385         memcpy(sd->data, data, size);
1386     }
1387     if (size) {
1388         sd->data_size = size;
1389     }
1390     return sd_r1;
1391 }
1392 
1393 /* CMD0 */
sd_cmd_GO_IDLE_STATE(SDState * sd,SDRequest req)1394 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1395 {
1396     if (sd->state == sd_sleep_state) {
1397         switch (req.arg) {
1398         case 0x00000000:
1399         case 0xf0f0f0f0:
1400             break;
1401         default:
1402             return sd_r0;
1403         }
1404     }
1405     if (sd->state != sd_inactive_state) {
1406         sd->state = sd_idle_state;
1407         sd_reset(DEVICE(sd));
1408     }
1409 
1410     return sd_is_spi(sd) ? sd_r1 : sd_r0;
1411 }
1412 
1413 /* CMD2 */
sd_cmd_ALL_SEND_CID(SDState * sd,SDRequest req)1414 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1415 {
1416     switch (sd->state) {
1417     case sd_ready_state:
1418         sd->state = sd_identification_state;
1419         return sd_r2_i;
1420     default:
1421         return sd_invalid_state_for_cmd(sd, req);
1422     }
1423 }
1424 
1425 /* CMD3 */
sd_cmd_SEND_RELATIVE_ADDR(SDState * sd,SDRequest req)1426 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1427 {
1428     uint16_t random_rca;
1429 
1430     switch (sd->state) {
1431     case sd_identification_state:
1432     case sd_standby_state:
1433         sd->state = sd_standby_state;
1434         qemu_guest_getrandom_nofail(&random_rca, sizeof(random_rca));
1435         sd_set_rca(sd, random_rca);
1436         return sd_r6;
1437 
1438     default:
1439         return sd_invalid_state_for_cmd(sd, req);
1440     }
1441 }
1442 
emmc_cmd_SET_RELATIVE_ADDR(SDState * sd,SDRequest req)1443 static sd_rsp_type_t emmc_cmd_SET_RELATIVE_ADDR(SDState *sd, SDRequest req)
1444 {
1445     switch (sd->state) {
1446     case sd_identification_state:
1447     case sd_standby_state:
1448         sd->state = sd_standby_state;
1449         sd_set_rca(sd, req.arg >> 16);
1450         return sd_r1;
1451 
1452     default:
1453         return sd_invalid_state_for_cmd(sd, req);
1454     }
1455 }
1456 
1457 /* CMD5 */
emmc_cmd_sleep_awake(SDState * sd,SDRequest req)1458 static sd_rsp_type_t emmc_cmd_sleep_awake(SDState *sd, SDRequest req)
1459 {
1460     bool do_sleep = extract32(req.arg, 15, 1);
1461 
1462     switch (sd->state) {
1463     case sd_sleep_state:
1464         if (!do_sleep) {
1465             /* Awake */
1466             sd->state = sd_standby_state;
1467         }
1468         return sd_r1b;
1469 
1470     case sd_standby_state:
1471         if (do_sleep) {
1472             sd->state = sd_sleep_state;
1473         }
1474         return sd_r1b;
1475 
1476     default:
1477         return sd_invalid_state_for_cmd(sd, req);
1478     }
1479 }
1480 
1481 /* CMD6 */
sd_cmd_SWITCH_FUNCTION(SDState * sd,SDRequest req)1482 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req)
1483 {
1484     if (sd_mode(sd) != sd_data_transfer_mode) {
1485         return sd_invalid_mode_for_cmd(sd, req);
1486     }
1487     if (sd_is_spi(sd)) {
1488         if (sd->state == sd_idle_state) {
1489             return sd_invalid_state_for_cmd(sd, req);
1490         }
1491     } else {
1492         if (sd->state != sd_transfer_state) {
1493             return sd_invalid_state_for_cmd(sd, req);
1494         }
1495     }
1496 
1497     sd_function_switch(sd, req.arg);
1498     return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64);
1499 }
1500 
emmc_cmd_SWITCH(SDState * sd,SDRequest req)1501 static sd_rsp_type_t emmc_cmd_SWITCH(SDState *sd, SDRequest req)
1502 {
1503     switch (sd->state) {
1504     case sd_transfer_state:
1505         sd->state = sd_programming_state;
1506         emmc_function_switch(sd, req.arg);
1507         sd->state = sd_transfer_state;
1508         return sd_r1b;
1509     default:
1510         return sd_invalid_state_for_cmd(sd, req);
1511     }
1512 }
1513 
1514 /* CMD7 */
sd_cmd_DE_SELECT_CARD(SDState * sd,SDRequest req)1515 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req)
1516 {
1517     bool same_rca = sd_req_rca_same(sd, req);
1518 
1519     switch (sd->state) {
1520     case sd_standby_state:
1521         if (!same_rca) {
1522             return sd_r0;
1523         }
1524         sd->state = sd_transfer_state;
1525         return sd_r1b;
1526 
1527     case sd_transfer_state:
1528     case sd_sendingdata_state:
1529         if (same_rca) {
1530             break;
1531         }
1532         sd->state = sd_standby_state;
1533         return sd_r1b;
1534 
1535     case sd_disconnect_state:
1536         if (!same_rca) {
1537             return sd_r0;
1538         }
1539         sd->state = sd_programming_state;
1540         return sd_r1b;
1541 
1542     case sd_programming_state:
1543         if (same_rca) {
1544             break;
1545         }
1546         sd->state = sd_disconnect_state;
1547         return sd_r1b;
1548 
1549     default:
1550         break;
1551     }
1552     return sd_invalid_state_for_cmd(sd, req);
1553 }
1554 
1555 /* CMD8 */
sd_cmd_SEND_IF_COND(SDState * sd,SDRequest req)1556 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req)
1557 {
1558     if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1559         return sd_cmd_illegal(sd, req);
1560     }
1561     if (sd->state != sd_idle_state) {
1562         return sd_invalid_state_for_cmd(sd, req);
1563     }
1564     sd->vhs = 0;
1565 
1566     /* No response if not exactly one VHS bit is set.  */
1567     if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1568         return sd_is_spi(sd) ? sd_r7 : sd_r0;
1569     }
1570 
1571     /* Accept.  */
1572     sd->vhs = req.arg;
1573     return sd_r7;
1574 }
1575 
1576 /* CMD8 */
emmc_cmd_SEND_EXT_CSD(SDState * sd,SDRequest req)1577 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req)
1578 {
1579     if (sd->state != sd_transfer_state) {
1580         return sd_invalid_state_for_cmd(sd, req);
1581     }
1582 
1583     return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1584                                  sd->ext_csd, sizeof(sd->ext_csd));
1585 }
1586 
spi_cmd_SEND_CxD(SDState * sd,SDRequest req,const void * data,size_t size)1587 static sd_rsp_type_t spi_cmd_SEND_CxD(SDState *sd, SDRequest req,
1588                                       const void *data, size_t size)
1589 {
1590     /*
1591      * XXX as of v10.1.0-rc1 command is reached in sd_idle_state,
1592      * so disable this check.
1593     if (sd->state != sd_standby_state) {
1594         return sd_invalid_state_for_cmd(sd, req);
1595     }
1596     */
1597 
1598     /*
1599      * Since SPI returns CSD and CID on the DAT lines,
1600      * switch to sd_transfer_state.
1601      */
1602     sd->state = sd_transfer_state;
1603 
1604     return sd_cmd_to_sendingdata(sd, req, 0, data, size);
1605 }
1606 
1607 /* CMD9 */
spi_cmd_SEND_CSD(SDState * sd,SDRequest req)1608 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req)
1609 {
1610     return spi_cmd_SEND_CxD(sd, req, sd->csd, sizeof(sd->csd));
1611 }
1612 
sd_cmd_SEND_CSD(SDState * sd,SDRequest req)1613 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req)
1614 {
1615     if (sd->state != sd_standby_state) {
1616         return sd_invalid_state_for_cmd(sd, req);
1617     }
1618 
1619     return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0;
1620 }
1621 
1622 /* CMD10 */
spi_cmd_SEND_CID(SDState * sd,SDRequest req)1623 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req)
1624 {
1625     return spi_cmd_SEND_CxD(sd, req, sd->cid, sizeof(sd->cid));
1626 }
1627 
sd_cmd_SEND_CID(SDState * sd,SDRequest req)1628 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req)
1629 {
1630     if (sd->state != sd_standby_state) {
1631         return sd_invalid_state_for_cmd(sd, req);
1632     }
1633 
1634     return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0;
1635 }
1636 
1637 /* CMD12 */
sd_cmd_STOP_TRANSMISSION(SDState * sd,SDRequest req)1638 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req)
1639 {
1640     switch (sd->state) {
1641     case sd_sendingdata_state:
1642         sd->state = sd_transfer_state;
1643         return sd_r1b;
1644     case sd_receivingdata_state:
1645         sd->state = sd_programming_state;
1646         /* Bzzzzzzztt .... Operation complete.  */
1647         sd->state = sd_transfer_state;
1648         return sd_r1;
1649     default:
1650         return sd_invalid_state_for_cmd(sd, req);
1651     }
1652 }
1653 
1654 /* CMD13 */
sd_cmd_SEND_STATUS(SDState * sd,SDRequest req)1655 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req)
1656 {
1657     if (sd_mode(sd) != sd_data_transfer_mode) {
1658         return sd_invalid_mode_for_cmd(sd, req);
1659     }
1660 
1661     switch (sd->state) {
1662     case sd_standby_state:
1663     case sd_transfer_state:
1664     case sd_sendingdata_state:
1665     case sd_receivingdata_state:
1666     case sd_programming_state:
1667     case sd_disconnect_state:
1668         break;
1669     default:
1670         return sd_invalid_state_for_cmd(sd, req);
1671     }
1672 
1673     if (sd_is_spi(sd)) {
1674         return spi_r2;
1675     }
1676 
1677     return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0;
1678 }
1679 
1680 /* CMD15 */
sd_cmd_GO_INACTIVE_STATE(SDState * sd,SDRequest req)1681 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req)
1682 {
1683     if (sd_mode(sd) != sd_data_transfer_mode) {
1684         return sd_invalid_mode_for_cmd(sd, req);
1685     }
1686     switch (sd->state) {
1687     case sd_standby_state:
1688     case sd_transfer_state:
1689     case sd_sendingdata_state:
1690     case sd_receivingdata_state:
1691     case sd_programming_state:
1692     case sd_disconnect_state:
1693         break;
1694     default:
1695         return sd_invalid_state_for_cmd(sd, req);
1696     }
1697     if (sd_req_rca_same(sd, req)) {
1698         sd->state = sd_inactive_state;
1699     }
1700 
1701     return sd_r0;
1702 }
1703 
1704 /* CMD16 */
sd_cmd_SET_BLOCKLEN(SDState * sd,SDRequest req)1705 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req)
1706 {
1707     if (sd->state != sd_transfer_state) {
1708         return sd_invalid_state_for_cmd(sd, req);
1709     }
1710     if (req.arg > (1 << HWBLOCK_SHIFT)) {
1711         sd->card_status |= BLOCK_LEN_ERROR;
1712     } else {
1713         trace_sdcard_set_blocklen(req.arg);
1714         sd->blk_len = req.arg;
1715     }
1716 
1717     return sd_r1;
1718 }
1719 
1720 /* CMD17 */
sd_cmd_READ_SINGLE_BLOCK(SDState * sd,SDRequest req)1721 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req)
1722 {
1723     uint64_t addr;
1724 
1725     if (sd->state != sd_transfer_state) {
1726         return sd_invalid_state_for_cmd(sd, req);
1727     }
1728 
1729     addr = sd_req_get_address(sd, req);
1730     if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) {
1731         return sd_r1;
1732     }
1733 
1734     sd_blk_read(sd, addr, sd->blk_len);
1735     return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len);
1736 }
1737 
1738 /* CMD19 */
sd_cmd_SEND_TUNING_BLOCK(SDState * sd,SDRequest req)1739 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1740 {
1741     if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1742         return sd_cmd_illegal(sd, req);
1743     }
1744 
1745     return sd_cmd_to_sendingdata(sd, req, 0,
1746                                  sd_tuning_block_pattern4,
1747                                  sizeof(sd_tuning_block_pattern4));
1748 }
1749 
1750 /* CMD23 */
sd_cmd_SET_BLOCK_COUNT(SDState * sd,SDRequest req)1751 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1752 {
1753     if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1754         return sd_cmd_illegal(sd, req);
1755     }
1756 
1757     if (sd->state != sd_transfer_state) {
1758         return sd_invalid_state_for_cmd(sd, req);
1759     }
1760 
1761     sd->multi_blk_cnt = req.arg;
1762     if (sd_is_emmc(sd)) {
1763         sd->multi_blk_cnt &= 0xffff;
1764     }
1765     trace_sdcard_set_block_count(sd->multi_blk_cnt);
1766 
1767     return sd_r1;
1768 }
1769 
1770 /* CMD24 */
sd_cmd_WRITE_SINGLE_BLOCK(SDState * sd,SDRequest req)1771 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req)
1772 {
1773     uint64_t addr;
1774 
1775     if (sd->state != sd_transfer_state) {
1776         return sd_invalid_state_for_cmd(sd, req);
1777     }
1778 
1779     addr = sd_req_get_address(sd, req);
1780     if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) {
1781         return sd_r1;
1782     }
1783 
1784     if (sd->size <= SDSC_MAX_CAPACITY) {
1785         if (sd_wp_addr(sd, addr)) {
1786             sd->card_status |= WP_VIOLATION;
1787         }
1788     }
1789     if (sd->csd[14] & 0x30) {
1790         sd->card_status |= WP_VIOLATION;
1791     }
1792 
1793     sd->blk_written = 0;
1794     return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len);
1795 }
1796 
1797 /* CMD26 */
emmc_cmd_PROGRAM_CID(SDState * sd,SDRequest req)1798 static sd_rsp_type_t emmc_cmd_PROGRAM_CID(SDState *sd, SDRequest req)
1799 {
1800     return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid));
1801 }
1802 
1803 /* CMD27 */
sd_cmd_PROGRAM_CSD(SDState * sd,SDRequest req)1804 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req)
1805 {
1806     return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd));
1807 }
1808 
sd_cmd_SET_CLR_WRITE_PROT(SDState * sd,SDRequest req,bool is_write)1809 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req,
1810                                                bool is_write)
1811 {
1812     uint64_t addr;
1813 
1814     if (sd->size > SDSC_MAX_CAPACITY) {
1815         return sd_illegal;
1816     }
1817 
1818     if (sd->state != sd_transfer_state) {
1819         return sd_invalid_state_for_cmd(sd, req);
1820     }
1821 
1822     addr = sd_req_get_address(sd, req);
1823     if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT",
1824                           addr, 1)) {
1825         return sd_r1b;
1826     }
1827 
1828     sd->state = sd_programming_state;
1829     if (is_write) {
1830         set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1831     } else {
1832         clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1833     }
1834     /* Bzzzzzzztt .... Operation complete.  */
1835     sd->state = sd_transfer_state;
1836     return sd_r1;
1837 }
1838 
1839 /* CMD28 */
sd_cmd_SET_WRITE_PROT(SDState * sd,SDRequest req)1840 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req)
1841 {
1842     return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true);
1843 }
1844 
1845 /* CMD29 */
sd_cmd_CLR_WRITE_PROT(SDState * sd,SDRequest req)1846 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req)
1847 {
1848     return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false);
1849 }
1850 
1851 /* CMD30 */
sd_cmd_SEND_WRITE_PROT(SDState * sd,SDRequest req)1852 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req)
1853 {
1854     uint64_t addr;
1855     uint32_t data;
1856 
1857     if (sd->size > SDSC_MAX_CAPACITY) {
1858         return sd_illegal;
1859     }
1860 
1861     if (sd->state != sd_transfer_state) {
1862         return sd_invalid_state_for_cmd(sd, req);
1863     }
1864 
1865     addr = sd_req_get_address(sd, req);
1866     if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) {
1867         return sd_r1;
1868     }
1869 
1870     data = sd_wpbits(sd, req.arg);
1871     return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data));
1872 }
1873 
1874 /* CMD32 */
sd_cmd_ERASE_WR_BLK_START(SDState * sd,SDRequest req)1875 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req)
1876 {
1877     if (sd->state != sd_transfer_state) {
1878         return sd_invalid_state_for_cmd(sd, req);
1879     }
1880     sd->erase_start = req.arg;
1881     return sd_r1;
1882 }
1883 
1884 /* CMD33 */
sd_cmd_ERASE_WR_BLK_END(SDState * sd,SDRequest req)1885 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req)
1886 {
1887     if (sd->state != sd_transfer_state) {
1888         return sd_invalid_state_for_cmd(sd, req);
1889     }
1890     sd->erase_end = req.arg;
1891     return sd_r1;
1892 }
1893 
1894 /* CMD38 */
sd_cmd_ERASE(SDState * sd,SDRequest req)1895 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req)
1896 {
1897     if (sd->state != sd_transfer_state) {
1898         return sd_invalid_state_for_cmd(sd, req);
1899     }
1900     if (sd->csd[14] & 0x30) {
1901         sd->card_status |= WP_VIOLATION;
1902         return sd_r1b;
1903     }
1904 
1905     sd->state = sd_programming_state;
1906     sd_erase(sd);
1907     /* Bzzzzzzztt .... Operation complete.  */
1908     sd->state = sd_transfer_state;
1909     return sd_r1b;
1910 }
1911 
1912 /* CMD42 */
sd_cmd_LOCK_UNLOCK(SDState * sd,SDRequest req)1913 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req)
1914 {
1915     return sd_cmd_to_receivingdata(sd, req, 0, 0);
1916 }
1917 
1918 /* CMD55 */
sd_cmd_APP_CMD(SDState * sd,SDRequest req)1919 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req)
1920 {
1921     switch (sd->state) {
1922     case sd_ready_state:
1923     case sd_identification_state:
1924     case sd_inactive_state:
1925     case sd_sleep_state:
1926         return sd_invalid_state_for_cmd(sd, req);
1927     case sd_idle_state:
1928         if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) {
1929             qemu_log_mask(LOG_GUEST_ERROR,
1930                           "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1931         }
1932         /* fall-through */
1933     default:
1934         break;
1935     }
1936     if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) {
1937         return sd_r0;
1938     }
1939     sd->expecting_acmd = true;
1940     sd->card_status |= APP_CMD;
1941 
1942     return sd_r1;
1943 }
1944 
1945 /* CMD56 */
sd_cmd_GEN_CMD(SDState * sd,SDRequest req)1946 static sd_rsp_type_t sd_cmd_GEN_CMD(SDState *sd, SDRequest req)
1947 {
1948     if (sd->state != sd_transfer_state) {
1949         return sd_invalid_state_for_cmd(sd, req);
1950     }
1951 
1952     /* Vendor specific command: our model is RAZ/WI */
1953     if (req.arg & 1) {
1954         memset(sd->data, 0, sizeof(sd->data));
1955         return sd_cmd_to_sendingdata(sd, req, 0, NULL, 0);
1956     } else {
1957         return sd_cmd_to_receivingdata(sd, req, 0, 0);
1958     }
1959 }
1960 
1961 /* CMD58 */
spi_cmd_READ_OCR(SDState * sd,SDRequest req)1962 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req)
1963 {
1964     return sd_r3;
1965 }
1966 
1967 /* CMD59 */
spi_cmd_CRC_ON_OFF(SDState * sd,SDRequest req)1968 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req)
1969 {
1970     return sd_r1;
1971 }
1972 
1973 /* ACMD6 */
sd_acmd_SET_BUS_WIDTH(SDState * sd,SDRequest req)1974 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req)
1975 {
1976     if (sd->state != sd_transfer_state) {
1977         return sd_invalid_state_for_cmd(sd, req);
1978     }
1979 
1980     sd->sd_status[0] &= 0x3f;
1981     sd->sd_status[0] |= (req.arg & 0x03) << 6;
1982     return sd_r1;
1983 }
1984 
1985 /* ACMD13 */
sd_acmd_SD_STATUS(SDState * sd,SDRequest req)1986 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req)
1987 {
1988     sd_rsp_type_t rsp;
1989 
1990     rsp = sd_cmd_to_sendingdata(sd, req, 0,
1991                                 sd->sd_status, sizeof(sd->sd_status));
1992     if (sd_is_spi(sd) && rsp != sd_illegal) {
1993         return spi_r2;
1994     }
1995     return rsp;
1996 }
1997 
1998 /* ACMD22 */
sd_acmd_SEND_NUM_WR_BLOCKS(SDState * sd,SDRequest req)1999 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req)
2000 {
2001     return sd_cmd_to_sendingdata(sd, req, 0,
2002                                  &sd->blk_written, sizeof(sd->blk_written));
2003 }
2004 
2005 /* ACMD23 */
sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState * sd,SDRequest req)2006 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req)
2007 {
2008     if (sd->state != sd_transfer_state) {
2009         return sd_invalid_state_for_cmd(sd, req);
2010     }
2011     return sd_r1;
2012 }
2013 
2014 /* ACMD41 */
sd_cmd_SEND_OP_COND(SDState * sd,SDRequest req)2015 static sd_rsp_type_t sd_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
2016 {
2017     if (sd->state != sd_idle_state) {
2018         return sd_invalid_state_for_cmd(sd, req);
2019     }
2020 
2021     /*
2022      * If it's the first ACMD41 since reset, we need to decide
2023      * whether to power up. If this is not an enquiry ACMD41,
2024      * we immediately report power on and proceed below to the
2025      * ready state, but if it is, we set a timer to model a
2026      * delay for power up. This works around a bug in EDK2
2027      * UEFI, which sends an initial enquiry ACMD41, but
2028      * assumes that the card is in ready state as soon as it
2029      * sees the power up bit set.
2030      */
2031     if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
2032         if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
2033             timer_del(sd->ocr_power_timer);
2034             sd_ocr_powerup(sd);
2035         } else {
2036             trace_sdcard_inquiry_cmd41();
2037             if (!timer_pending(sd->ocr_power_timer)) {
2038                 timer_mod_ns(sd->ocr_power_timer,
2039                              (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
2040                               + OCR_POWER_DELAY_NS));
2041             }
2042         }
2043     }
2044 
2045     if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
2046         /*
2047          * We accept any voltage.  10000 V is nothing.
2048          *
2049          * Once we're powered up, we advance straight to ready state
2050          * unless it's an enquiry ACMD41 (bits 23:0 == 0).
2051          */
2052         sd->state = sd_ready_state;
2053     }
2054 
2055     if (sd_is_spi(sd)) {
2056         return sd_r1;
2057     }
2058     return sd_r3;
2059 }
2060 
2061 /* ACMD42 */
sd_acmd_SET_CLR_CARD_DETECT(SDState * sd,SDRequest req)2062 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req)
2063 {
2064     if (sd->state != sd_transfer_state) {
2065         return sd_invalid_state_for_cmd(sd, req);
2066     }
2067 
2068     /* Bringing in the 50KOhm pull-up resistor... Done.  */
2069     return sd_r1;
2070 }
2071 
2072 /* ACMD51 */
sd_acmd_SEND_SCR(SDState * sd,SDRequest req)2073 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req)
2074 {
2075     return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr));
2076 }
2077 
sd_normal_command(SDState * sd,SDRequest req)2078 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
2079 {
2080     uint64_t addr;
2081 
2082     sd->last_cmd_name = sd_cmd_name(sd, req.cmd);
2083     /* CMD55 precedes an ACMD, so we are not interested in tracing it.
2084      * However there is no ACMD55, so we want to trace this particular case.
2085      */
2086     if (req.cmd != 55 || sd->expecting_acmd) {
2087         trace_sdcard_normal_command(sd->proto->name,
2088                                     sd->last_cmd_name, req.cmd,
2089                                     req.arg,
2090                                     sd_mode_name(sd_mode(sd)),
2091                                     sd_state_name(sd->state));
2092     }
2093 
2094     /* Not interpreting this as an app command */
2095     sd->card_status &= ~APP_CMD;
2096 
2097     /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
2098      * if not, its effects are cancelled */
2099     if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
2100         sd->multi_blk_cnt = 0;
2101     }
2102 
2103     if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR,
2104                                                          CARD_CAPACITY)) {
2105         /* Only Standard Capacity cards support class 6 commands */
2106         return sd_illegal;
2107     }
2108 
2109     if (sd->proto->cmd[req.cmd].handler) {
2110         return sd->proto->cmd[req.cmd].handler(sd, req);
2111     }
2112 
2113     switch (req.cmd) {
2114     /* Block read commands (Class 2) */
2115     case 18:  /* CMD18:  READ_MULTIPLE_BLOCK */
2116         addr = sd_req_get_address(sd, req);
2117         switch (sd->state) {
2118         case sd_transfer_state:
2119 
2120             if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
2121                 return sd_r1;
2122             }
2123 
2124             sd->state = sd_sendingdata_state;
2125             sd->data_start = addr;
2126             sd->data_offset = 0;
2127             return sd_r1;
2128 
2129         default:
2130             break;
2131         }
2132         break;
2133 
2134     /* Block write commands (Class 4) */
2135     case 25:  /* CMD25:  WRITE_MULTIPLE_BLOCK */
2136         addr = sd_req_get_address(sd, req);
2137         switch (sd->state) {
2138         case sd_transfer_state:
2139 
2140             if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
2141                 return sd_r1;
2142             }
2143 
2144             sd->state = sd_receivingdata_state;
2145             sd->data_start = addr;
2146             sd->data_offset = 0;
2147             sd->blk_written = 0;
2148 
2149             if (sd->size <= SDSC_MAX_CAPACITY) {
2150                 if (sd_wp_addr(sd, sd->data_start)) {
2151                     sd->card_status |= WP_VIOLATION;
2152                 }
2153             }
2154             if (sd->csd[14] & 0x30) {
2155                 sd->card_status |= WP_VIOLATION;
2156             }
2157             return sd_r1;
2158 
2159         default:
2160             break;
2161         }
2162         break;
2163 
2164     default:
2165         qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
2166         return sd_illegal;
2167     }
2168 
2169     return sd_invalid_state_for_cmd(sd, req);
2170 }
2171 
sd_app_command(SDState * sd,SDRequest req)2172 static sd_rsp_type_t sd_app_command(SDState *sd,
2173                                     SDRequest req)
2174 {
2175     sd->last_cmd_name = sd_acmd_name(sd, req.cmd);
2176     trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name,
2177                              req.cmd, req.arg,
2178                              sd_mode_name(sd_mode(sd)),
2179                              sd_state_name(sd->state));
2180     sd->card_status |= APP_CMD;
2181 
2182     if (sd->proto->acmd[req.cmd].handler) {
2183         return sd->proto->acmd[req.cmd].handler(sd, req);
2184     }
2185 
2186     switch (req.cmd) {
2187     case 18:    /* Reserved for SD security applications */
2188     case 25:
2189     case 26:
2190     case 38:
2191     case 43 ... 49:
2192         /* Refer to the "SD Specifications Part3 Security Specification" for
2193          * information about the SD Security Features.
2194          */
2195         qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
2196                       req.cmd);
2197         return sd_illegal;
2198 
2199     default:
2200         /* Fall back to standard commands.  */
2201         return sd_normal_command(sd, req);
2202     }
2203 
2204     qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
2205     return sd_illegal;
2206 }
2207 
cmd_valid_while_locked(SDState * sd,unsigned cmd)2208 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
2209 {
2210     unsigned cmd_class;
2211 
2212     /* Valid commands in locked state:
2213      * basic class (0)
2214      * lock card class (7)
2215      * CMD16
2216      * implicitly, the ACMD prefix CMD55
2217      * ACMD41 and ACMD42
2218      * Anything else provokes an "illegal command" response.
2219      */
2220     if (sd->expecting_acmd) {
2221         return cmd == 41 || cmd == 42;
2222     }
2223     if (cmd == 16 || cmd == 55) {
2224         return true;
2225     }
2226     if (!sd->proto->cmd[cmd].handler) {
2227         return false;
2228     }
2229     cmd_class = sd->proto->cmd[cmd].class;
2230 
2231     return cmd_class == 0 || cmd_class == 7;
2232 }
2233 
sd_do_command(SDState * sd,SDRequest * req,uint8_t * response,size_t respsz)2234 static size_t sd_do_command(SDState *sd, SDRequest *req,
2235                             uint8_t *response, size_t respsz)
2236 {
2237     int last_state;
2238     sd_rsp_type_t rtype;
2239     int rsplen;
2240 
2241     if (!sd->blk || !blk_is_inserted(sd->blk)) {
2242         return 0;
2243     }
2244 
2245     if (sd->state == sd_inactive_state) {
2246         rtype = sd_illegal;
2247         goto send_response;
2248     }
2249 
2250     if (sd_req_crc_validate(req)) {
2251         sd->card_status |= COM_CRC_ERROR;
2252         rtype = sd_illegal;
2253         goto send_response;
2254     }
2255 
2256     if (req->cmd >= SDMMC_CMD_MAX) {
2257         qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
2258                       req->cmd);
2259         req->cmd &= 0x3f;
2260     }
2261 
2262     if (sd->state == sd_sleep_state && req->cmd) {
2263         qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is sleeping\n");
2264         rtype = sd_r0;
2265         goto send_response;
2266     }
2267 
2268     if (sd->card_status & CARD_IS_LOCKED) {
2269         if (!cmd_valid_while_locked(sd, req->cmd)) {
2270             sd->card_status |= ILLEGAL_COMMAND;
2271             sd->expecting_acmd = false;
2272             qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
2273             rtype = sd_illegal;
2274             goto send_response;
2275         }
2276     }
2277 
2278     last_state = sd->state;
2279 
2280     if (sd->expecting_acmd) {
2281         sd->expecting_acmd = false;
2282         rtype = sd_app_command(sd, *req);
2283     } else {
2284         rtype = sd_normal_command(sd, *req);
2285     }
2286 
2287     if (rtype == sd_illegal) {
2288         sd->card_status |= ILLEGAL_COMMAND;
2289     } else {
2290         /* Valid command, we can update the 'state before command' bits.
2291          * (Do this now so they appear in r1 responses.)
2292          */
2293         sd->card_status = FIELD_DP32(sd->card_status, CSR,
2294                                      CURRENT_STATE, last_state);
2295     }
2296 
2297 send_response:
2298     rsplen = sd_response_size(sd, rtype);
2299     assert(rsplen <= respsz);
2300 
2301     switch (rtype) {
2302     case sd_r1:
2303     case sd_r1b:
2304         sd_response_r1_make(sd, response);
2305         break;
2306 
2307     case spi_r2:
2308         spi_response_r2_make(sd, response);
2309         break;
2310 
2311     case sd_r2_i:
2312         memcpy(response, sd->cid, sizeof(sd->cid));
2313         break;
2314 
2315     case sd_r2_s:
2316         memcpy(response, sd->csd, sizeof(sd->csd));
2317         break;
2318 
2319     case sd_r3:
2320         sd_response_r3_make(sd, response);
2321         break;
2322 
2323     case sd_r6:
2324         sd_response_r6_make(sd, response);
2325         break;
2326 
2327     case sd_r7:
2328         sd_response_r7_make(sd, response);
2329         break;
2330 
2331     case sd_r0:
2332         /*
2333          * Invalid state transition, reset implementation
2334          * fields to avoid OOB abuse.
2335          */
2336         sd->data_start = 0;
2337         sd->data_offset = 0;
2338         /* fall-through */
2339     case sd_illegal:
2340         break;
2341     default:
2342         g_assert_not_reached();
2343     }
2344     trace_sdcard_response(sd_response_name(rtype), rsplen);
2345 
2346     if (rtype != sd_illegal) {
2347         /* Clear the "clear on valid command" status bits now we've
2348          * sent any response
2349          */
2350         sd->card_status &= ~CARD_STATUS_B;
2351     }
2352 
2353 #ifdef DEBUG_SD
2354     qemu_hexdump(stderr, "Response", response, rsplen);
2355 #endif
2356 
2357     sd->current_cmd = rtype == sd_illegal ? 0 : req->cmd;
2358 
2359     return rsplen;
2360 }
2361 
2362 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */
sd_generic_write_byte(SDState * sd,uint8_t value)2363 static bool sd_generic_write_byte(SDState *sd, uint8_t value)
2364 {
2365     sd->data[sd->data_offset] = value;
2366 
2367     if (++sd->data_offset >= sd->data_size) {
2368         sd->state = sd_transfer_state;
2369         return true;
2370     }
2371     return false;
2372 }
2373 
2374 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */
sd_generic_read_byte(SDState * sd,uint8_t * value)2375 static bool sd_generic_read_byte(SDState *sd, uint8_t *value)
2376 {
2377     *value = sd->data[sd->data_offset];
2378 
2379     if (++sd->data_offset >= sd->data_size) {
2380         sd->state = sd_transfer_state;
2381         return true;
2382     }
2383 
2384     return false;
2385 }
2386 
sd_write_byte(SDState * sd,uint8_t value)2387 static void sd_write_byte(SDState *sd, uint8_t value)
2388 {
2389     int i;
2390 
2391     if (!sd->blk || !blk_is_inserted(sd->blk)) {
2392         return;
2393     }
2394 
2395     if (sd->state != sd_receivingdata_state) {
2396         qemu_log_mask(LOG_GUEST_ERROR,
2397                       "%s: not in Receiving-Data state\n", __func__);
2398         return;
2399     }
2400 
2401     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2402         return;
2403 
2404     trace_sdcard_write_data(sd->proto->name,
2405                             sd->last_cmd_name,
2406                             sd->current_cmd, sd->data_offset, value);
2407     switch (sd->current_cmd) {
2408     case 24:  /* CMD24:  WRITE_SINGLE_BLOCK */
2409         if (sd_generic_write_byte(sd, value)) {
2410             /* TODO: Check CRC before committing */
2411             sd->state = sd_programming_state;
2412             sd_blk_write(sd, sd->data_start, sd->data_offset);
2413             sd->blk_written ++;
2414             sd->csd[14] |= 0x40;
2415             /* Bzzzzzzztt .... Operation complete.  */
2416             sd->state = sd_transfer_state;
2417         }
2418         break;
2419 
2420     case 25:  /* CMD25:  WRITE_MULTIPLE_BLOCK */
2421         if (sd->data_offset == 0) {
2422             /* Start of the block - let's check the address is valid */
2423             if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
2424                                   sd->data_start, sd->blk_len)) {
2425                 break;
2426             }
2427             if (sd->size <= SDSC_MAX_CAPACITY) {
2428                 if (sd_wp_addr(sd, sd->data_start)) {
2429                     sd->card_status |= WP_VIOLATION;
2430                     break;
2431                 }
2432             }
2433         }
2434         sd->data[sd->data_offset++] = value;
2435         if (sd->data_offset >= sd->blk_len) {
2436             /* TODO: Check CRC before committing */
2437             sd->state = sd_programming_state;
2438             sd_blk_write(sd, sd->data_start, sd->data_offset);
2439             sd->blk_written++;
2440             sd->data_start += sd->blk_len;
2441             sd->data_offset = 0;
2442             sd->csd[14] |= 0x40;
2443 
2444             /* Bzzzzzzztt .... Operation complete.  */
2445             if (sd->multi_blk_cnt != 0) {
2446                 if (--sd->multi_blk_cnt == 0) {
2447                     /* Stop! */
2448                     sd->state = sd_transfer_state;
2449                     break;
2450                 }
2451             }
2452 
2453             sd->state = sd_receivingdata_state;
2454         }
2455         break;
2456 
2457     case 26:  /* CMD26:  PROGRAM_CID */
2458         if (sd_generic_write_byte(sd, value)) {
2459             /* TODO: Check CRC before committing */
2460             sd->state = sd_programming_state;
2461             for (i = 0; i < sizeof(sd->cid); i ++)
2462                 if ((sd->cid[i] | 0x00) != sd->data[i])
2463                     sd->card_status |= CID_CSD_OVERWRITE;
2464 
2465             if (!(sd->card_status & CID_CSD_OVERWRITE))
2466                 for (i = 0; i < sizeof(sd->cid); i ++) {
2467                     sd->cid[i] |= 0x00;
2468                     sd->cid[i] &= sd->data[i];
2469                 }
2470             /* Bzzzzzzztt .... Operation complete.  */
2471             sd->state = sd_transfer_state;
2472         }
2473         break;
2474 
2475     case 27:  /* CMD27:  PROGRAM_CSD */
2476         if (sd_generic_write_byte(sd, value)) {
2477             /* TODO: Check CRC before committing */
2478             sd->state = sd_programming_state;
2479             for (i = 0; i < sizeof(sd->csd); i ++)
2480                 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
2481                     (sd->data[i] | sd_csd_rw_mask[i]))
2482                     sd->card_status |= CID_CSD_OVERWRITE;
2483 
2484             /* Copy flag (OTP) & Permanent write protect */
2485             if (sd->csd[14] & ~sd->data[14] & 0x60)
2486                 sd->card_status |= CID_CSD_OVERWRITE;
2487 
2488             if (!(sd->card_status & CID_CSD_OVERWRITE))
2489                 for (i = 0; i < sizeof(sd->csd); i ++) {
2490                     sd->csd[i] |= sd_csd_rw_mask[i];
2491                     sd->csd[i] &= sd->data[i];
2492                 }
2493             /* Bzzzzzzztt .... Operation complete.  */
2494             sd->state = sd_transfer_state;
2495         }
2496         break;
2497 
2498     case 42:  /* CMD42:  LOCK_UNLOCK */
2499         if (sd_generic_write_byte(sd, value)) {
2500             /* TODO: Check CRC before committing */
2501             sd->state = sd_programming_state;
2502             sd_lock_command(sd);
2503             /* Bzzzzzzztt .... Operation complete.  */
2504             sd->state = sd_transfer_state;
2505         }
2506         break;
2507 
2508     case 56:  /* CMD56:  GEN_CMD */
2509         sd_generic_write_byte(sd, value);
2510         break;
2511 
2512     default:
2513         g_assert_not_reached();
2514     }
2515 }
2516 
sd_read_byte(SDState * sd)2517 static uint8_t sd_read_byte(SDState *sd)
2518 {
2519     /* TODO: Append CRCs */
2520     const uint8_t dummy_byte = 0x00;
2521     uint8_t ret;
2522     uint32_t io_len;
2523 
2524     if (!sd->blk || !blk_is_inserted(sd->blk)) {
2525         return dummy_byte;
2526     }
2527 
2528     if (sd->state != sd_sendingdata_state) {
2529         qemu_log_mask(LOG_GUEST_ERROR,
2530                       "%s: not in Sending-Data state\n", __func__);
2531         return dummy_byte;
2532     }
2533 
2534     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) {
2535         return dummy_byte;
2536     }
2537 
2538     io_len = sd_blk_len(sd);
2539 
2540     trace_sdcard_read_data(sd->proto->name,
2541                            sd->last_cmd_name, sd->current_cmd,
2542                            sd->data_offset, sd->data_size, io_len);
2543     switch (sd->current_cmd) {
2544     case 6:  /* CMD6:   SWITCH_FUNCTION */
2545     case 8:  /* CMD8:   SEND_EXT_CSD */
2546     case 9:  /* CMD9:   SEND_CSD */
2547     case 10: /* CMD10:  SEND_CID */
2548     case 13: /* ACMD13: SD_STATUS */
2549     case 17: /* CMD17:  READ_SINGLE_BLOCK */
2550     case 19: /* CMD19:  SEND_TUNING_BLOCK (SD) */
2551     case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2552     case 30: /* CMD30:  SEND_WRITE_PROT */
2553     case 51: /* ACMD51: SEND_SCR */
2554     case 56: /* CMD56:  GEN_CMD */
2555         sd_generic_read_byte(sd, &ret);
2556         break;
2557 
2558     case 18:  /* CMD18:  READ_MULTIPLE_BLOCK */
2559         if (sd->data_offset == 0) {
2560             if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2561                                   sd->data_start, io_len)) {
2562                 return dummy_byte;
2563             }
2564             sd_blk_read(sd, sd->data_start, io_len);
2565         }
2566         ret = sd->data[sd->data_offset ++];
2567 
2568         if (sd->data_offset >= io_len) {
2569             sd->data_start += io_len;
2570             sd->data_offset = 0;
2571 
2572             if (sd->multi_blk_cnt != 0) {
2573                 if (--sd->multi_blk_cnt == 0) {
2574                     /* Stop! */
2575                     sd->state = sd_transfer_state;
2576                     break;
2577                 }
2578             }
2579         }
2580         break;
2581 
2582     default:
2583         qemu_log_mask(LOG_GUEST_ERROR, "%s: DAT read illegal for command %s\n",
2584                                        __func__, sd->last_cmd_name);
2585         return dummy_byte;
2586     }
2587 
2588     return ret;
2589 }
2590 
sd_receive_ready(SDState * sd)2591 static bool sd_receive_ready(SDState *sd)
2592 {
2593     return sd->state == sd_receivingdata_state;
2594 }
2595 
sd_data_ready(SDState * sd)2596 static bool sd_data_ready(SDState *sd)
2597 {
2598     return sd->state == sd_sendingdata_state;
2599 }
2600 
2601 static const SDProto sd_proto_spi = {
2602     .name = "SPI",
2603     .cmd = {
2604         [0]  = {0,  sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2605         [1]  = {0,  sd_spi, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2606         [5]  = {9,  sd_spi, "IO_SEND_OP_COND", sd_cmd_optional},
2607         [6]  = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2608         [8]  = {0,  sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2609         [9]  = {0,  sd_spi, "SEND_CSD", spi_cmd_SEND_CSD},
2610         [10] = {0,  sd_spi, "SEND_CID", spi_cmd_SEND_CID},
2611         [12] = {0,  sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2612         [13] = {0,  sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS},
2613         [16] = {2,  sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2614         [17] = {2,  sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2615         [24] = {4,  sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2616         [27] = {4,  sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2617         [28] = {6,  sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2618         [29] = {6,  sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2619         [30] = {6,  sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2620         [32] = {5,  sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2621         [33] = {5,  sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2622         [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional},
2623         [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional},
2624         [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional},
2625         [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2626         [38] = {5,  sd_spi, "ERASE", sd_cmd_ERASE},
2627         [42] = {7,  sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2628         [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional},
2629         [52] = {9,  sd_spi, "IO_RW_DIRECT", sd_cmd_optional},
2630         [53] = {9,  sd_spi, "IO_RW_EXTENDED", sd_cmd_optional},
2631         [55] = {8,  sd_spi, "APP_CMD", sd_cmd_APP_CMD},
2632         [56] = {8,  sd_spi, "GEN_CMD", sd_cmd_GEN_CMD},
2633         [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2634         [58] = {0,  sd_spi, "READ_OCR", spi_cmd_READ_OCR},
2635         [59] = {0,  sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF},
2636     },
2637     .acmd = {
2638         [13] = {8,  sd_spi, "SD_STATUS", sd_acmd_SD_STATUS},
2639         [22] = {8,  sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2640         [23] = {8,  sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2641         [41] = {8,  sd_spi, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2642         [42] = {8,  sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2643         [51] = {8,  sd_spi, "SEND_SCR", sd_acmd_SEND_SCR},
2644     },
2645 };
2646 
2647 static const SDProto sd_proto_sd = {
2648     .name = "SD",
2649     .cmd = {
2650         [0]  = {0,  sd_bc,   "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2651         [2]  = {0,  sd_bcr,  "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2652         [3]  = {0,  sd_bcr,  "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR},
2653         [4]  = {0,  sd_bc,   "SEND_DSR", sd_cmd_unimplemented},
2654         [5]  = {9,  sd_bc,   "IO_SEND_OP_COND", sd_cmd_optional},
2655         [6]  = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2656         [7]  = {0,  sd_ac,   "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD},
2657         [8]  = {0,  sd_bcr,  "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2658         [9]  = {0,  sd_ac,   "SEND_CSD", sd_cmd_SEND_CSD},
2659         [10] = {0,  sd_ac,   "SEND_CID", sd_cmd_SEND_CID},
2660         [11] = {0,  sd_ac,   "VOLTAGE_SWITCH", sd_cmd_optional},
2661         [12] = {0,  sd_ac,   "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2662         [13] = {0,  sd_ac,   "SEND_STATUS", sd_cmd_SEND_STATUS},
2663         [15] = {0,  sd_ac,   "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE},
2664         [16] = {2,  sd_ac,   "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2665         [17] = {2,  sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2666         [19] = {2,  sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK},
2667         [20] = {2,  sd_ac,   "SPEED_CLASS_CONTROL", sd_cmd_optional},
2668         [23] = {2,  sd_ac,   "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2669         [24] = {4,  sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2670         [27] = {4,  sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2671         [28] = {6,  sd_ac,   "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2672         [29] = {6,  sd_ac,   "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2673         [30] = {6,  sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2674         [32] = {5,  sd_ac,   "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2675         [33] = {5,  sd_ac,   "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2676         [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional},
2677         [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional},
2678         [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional},
2679         [37] = {10, sd_ac,   "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2680         [38] = {5,  sd_ac,   "ERASE", sd_cmd_ERASE},
2681         [42] = {7,  sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2682         [43] = {1,  sd_ac,   "Q_MANAGEMENT", sd_cmd_optional},
2683         [44] = {1,  sd_ac,   "Q_TASK_INFO_A", sd_cmd_optional},
2684         [45] = {1,  sd_ac,   "Q_TASK_INFO_B", sd_cmd_optional},
2685         [46] = {1,  sd_adtc, "Q_RD_TASK", sd_cmd_optional},
2686         [47] = {1,  sd_adtc, "Q_WR_TASK", sd_cmd_optional},
2687         [48] = {1,  sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional},
2688         [49] = {1,  sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional},
2689         [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional},
2690         [52] = {9,  sd_bc,   "IO_RW_DIRECT", sd_cmd_optional},
2691         [53] = {9,  sd_bc,   "IO_RW_EXTENDED", sd_cmd_optional},
2692         [55] = {8,  sd_ac,   "APP_CMD", sd_cmd_APP_CMD},
2693         [56] = {8,  sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD},
2694         [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2695         [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional},
2696         [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional},
2697     },
2698     .acmd = {
2699         [6]  = {8,  sd_ac,   "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH},
2700         [13] = {8,  sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS},
2701         [22] = {8,  sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2702         [23] = {8,  sd_ac,   "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2703         [41] = {8,  sd_bcr,  "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2704         [42] = {8,  sd_ac,   "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2705         [51] = {8,  sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR},
2706     },
2707 };
2708 
2709 static const SDProto sd_proto_emmc = {
2710     /* Only v4.3 is supported */
2711     .name = "eMMC",
2712     .cmd = {
2713         [0]  = {0,  sd_bc,   "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2714         [1]  = {0,  sd_bcr,  "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2715         [2]  = {0,  sd_bcr,  "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2716         [3]  = {0,  sd_ac,   "SET_RELATIVE_ADDR", emmc_cmd_SET_RELATIVE_ADDR},
2717         [4]  = {0,  sd_bc,   "SEND_DSR", sd_cmd_unimplemented},
2718         [5]  = {0,  sd_ac,   "SLEEP/AWAKE", emmc_cmd_sleep_awake},
2719         [6]  = {10, sd_adtc, "SWITCH", emmc_cmd_SWITCH},
2720         [7]  = {0,  sd_ac,   "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD},
2721         [8]  = {0,  sd_adtc, "SEND_EXT_CSD", emmc_cmd_SEND_EXT_CSD},
2722         [9]  = {0,  sd_ac,   "SEND_CSD", sd_cmd_SEND_CSD},
2723         [10] = {0,  sd_ac,   "SEND_CID", sd_cmd_SEND_CID},
2724         [11] = {1,  sd_adtc, "READ_DAT_UNTIL_STOP", sd_cmd_unimplemented},
2725         [12] = {0,  sd_ac,   "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2726         [13] = {0,  sd_ac,   "SEND_STATUS", sd_cmd_SEND_STATUS},
2727         [14] = {0,  sd_adtc, "BUSTEST_R", sd_cmd_unimplemented},
2728         [15] = {0,  sd_ac,   "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE},
2729         [16] = {2,  sd_ac,   "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2730         [17] = {2,  sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2731         [19] = {0,  sd_adtc, "BUSTEST_W", sd_cmd_unimplemented},
2732         [20] = {3,  sd_adtc, "WRITE_DAT_UNTIL_STOP", sd_cmd_unimplemented},
2733         [23] = {2,  sd_ac,   "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2734         [24] = {4,  sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2735         [26] = {4,  sd_adtc, "PROGRAM_CID", emmc_cmd_PROGRAM_CID},
2736         [27] = {4,  sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2737         [28] = {6,  sd_ac,   "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2738         [29] = {6,  sd_ac,   "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2739         [30] = {6,  sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2740         [31] = {6,  sd_adtc, "SEND_WRITE_PROT_TYPE", sd_cmd_unimplemented},
2741         [35] = {5,  sd_ac,   "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2742         [36] = {5,  sd_ac,   "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2743         [38] = {5,  sd_ac,   "ERASE", sd_cmd_ERASE},
2744         [39] = {9,  sd_ac,   "FAST_IO", sd_cmd_unimplemented},
2745         [40] = {9,  sd_bcr,  "GO_IRQ_STATE", sd_cmd_unimplemented},
2746         [42] = {7,  sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2747         [49] = {0,  sd_adtc, "SET_TIME", sd_cmd_unimplemented},
2748         [55] = {8,  sd_ac,   "APP_CMD", sd_cmd_APP_CMD},
2749         [56] = {8,  sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD},
2750     },
2751 };
2752 
sd_instance_init(Object * obj)2753 static void sd_instance_init(Object *obj)
2754 {
2755     SDState *sd = SDMMC_COMMON(obj);
2756     SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd);
2757 
2758     sd->proto = sc->proto;
2759     sd->last_cmd_name = "UNSET";
2760     sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2761 }
2762 
sd_instance_finalize(Object * obj)2763 static void sd_instance_finalize(Object *obj)
2764 {
2765     SDState *sd = SDMMC_COMMON(obj);
2766 
2767     timer_free(sd->ocr_power_timer);
2768 }
2769 
sd_realize(DeviceState * dev,Error ** errp)2770 static void sd_realize(DeviceState *dev, Error **errp)
2771 {
2772     SDState *sd = SDMMC_COMMON(dev);
2773     int ret;
2774 
2775     switch (sd->spec_version) {
2776     case SD_PHY_SPECv1_10_VERS
2777      ... SD_PHY_SPECv3_01_VERS:
2778         break;
2779     default:
2780         error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2781         return;
2782     }
2783 
2784     if (sd->blk) {
2785         int64_t blk_size;
2786 
2787         if (!blk_supports_write_perm(sd->blk)) {
2788             error_setg(errp, "Cannot use read-only drive as SD card");
2789             return;
2790         }
2791 
2792         blk_size = blk_getlength(sd->blk);
2793         if (blk_size > 0 && !is_power_of_2(blk_size)) {
2794             int64_t blk_size_aligned = pow2ceil(blk_size);
2795             char *blk_size_str;
2796 
2797             blk_size_str = size_to_str(blk_size);
2798             error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2799             g_free(blk_size_str);
2800 
2801             blk_size_str = size_to_str(blk_size_aligned);
2802             error_append_hint(errp,
2803                               "SD card size has to be a power of 2, e.g. %s.\n"
2804                               "You can resize disk images with"
2805                               " 'qemu-img resize <imagefile> <new-size>'\n"
2806                               "(note that this will lose data if you make the"
2807                               " image smaller than it currently is).\n",
2808                               blk_size_str);
2809             g_free(blk_size_str);
2810 
2811             return;
2812         }
2813 
2814         ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2815                            BLK_PERM_ALL, errp);
2816         if (ret < 0) {
2817             return;
2818         }
2819         blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2820     }
2821 }
2822 
emmc_realize(DeviceState * dev,Error ** errp)2823 static void emmc_realize(DeviceState *dev, Error **errp)
2824 {
2825     SDState *sd = SDMMC_COMMON(dev);
2826 
2827     sd->spec_version = SD_PHY_SPECv3_01_VERS; /* Actually v4.3 */
2828 
2829     sd_realize(dev, errp);
2830 }
2831 
2832 static const Property sdmmc_common_properties[] = {
2833     DEFINE_PROP_DRIVE("drive", SDState, blk),
2834 };
2835 
2836 static const Property sd_properties[] = {
2837     DEFINE_PROP_UINT8("spec_version", SDState,
2838                       spec_version, SD_PHY_SPECv3_01_VERS),
2839 };
2840 
2841 static const Property emmc_properties[] = {
2842     DEFINE_PROP_UINT64("boot-partition-size", SDState, boot_part_size, 0),
2843     DEFINE_PROP_UINT8("boot-config", SDState, boot_config, 0x0),
2844 };
2845 
sdmmc_common_class_init(ObjectClass * klass,const void * data)2846 static void sdmmc_common_class_init(ObjectClass *klass, const void *data)
2847 {
2848     DeviceClass *dc = DEVICE_CLASS(klass);
2849     SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2850 
2851     device_class_set_props(dc, sdmmc_common_properties);
2852     dc->vmsd = &sd_vmstate;
2853     device_class_set_legacy_reset(dc, sd_reset);
2854     dc->bus_type = TYPE_SD_BUS;
2855     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2856 
2857     sc->set_voltage = sd_set_voltage;
2858     sc->get_dat_lines = sd_get_dat_lines;
2859     sc->get_cmd_line = sd_get_cmd_line;
2860     sc->do_command = sd_do_command;
2861     sc->write_byte = sd_write_byte;
2862     sc->read_byte = sd_read_byte;
2863     sc->receive_ready = sd_receive_ready;
2864     sc->data_ready = sd_data_ready;
2865     sc->get_inserted = sd_get_inserted;
2866     sc->get_readonly = sd_get_readonly;
2867 }
2868 
sd_class_init(ObjectClass * klass,const void * data)2869 static void sd_class_init(ObjectClass *klass, const void *data)
2870 {
2871     DeviceClass *dc = DEVICE_CLASS(klass);
2872     SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2873 
2874     dc->realize = sd_realize;
2875     device_class_set_props(dc, sd_properties);
2876 
2877     sc->set_cid = sd_set_cid;
2878     sc->set_csd = sd_set_csd;
2879     sc->proto = &sd_proto_sd;
2880 }
2881 
2882 /*
2883  * We do not model the chip select pin, so allow the board to select
2884  * whether card should be in SSI or MMC/SD mode.  It is also up to the
2885  * board to ensure that ssi transfers only occur when the chip select
2886  * is asserted.
2887  */
sd_spi_class_init(ObjectClass * klass,const void * data)2888 static void sd_spi_class_init(ObjectClass *klass, const void *data)
2889 {
2890     DeviceClass *dc = DEVICE_CLASS(klass);
2891     SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2892 
2893     dc->desc = "SD SPI";
2894     sc->proto = &sd_proto_spi;
2895 }
2896 
emmc_class_init(ObjectClass * klass,const void * data)2897 static void emmc_class_init(ObjectClass *klass, const void *data)
2898 {
2899     DeviceClass *dc = DEVICE_CLASS(klass);
2900     SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2901 
2902     dc->desc = "eMMC";
2903     dc->realize = emmc_realize;
2904     device_class_set_props(dc, emmc_properties);
2905     /* Reason: Soldered on board */
2906     dc->user_creatable = false;
2907 
2908     sc->proto = &sd_proto_emmc;
2909 
2910     sc->set_cid = emmc_set_cid;
2911     sc->set_csd = emmc_set_csd;
2912 }
2913 
2914 static const TypeInfo sd_types[] = {
2915     {
2916         .name           = TYPE_SDMMC_COMMON,
2917         .parent         = TYPE_DEVICE,
2918         .abstract       = true,
2919         .instance_size  = sizeof(SDState),
2920         .class_size     = sizeof(SDCardClass),
2921         .class_init     = sdmmc_common_class_init,
2922         .instance_init  = sd_instance_init,
2923         .instance_finalize = sd_instance_finalize,
2924     },
2925     {
2926         .name           = TYPE_SD_CARD,
2927         .parent         = TYPE_SDMMC_COMMON,
2928         .class_init     = sd_class_init,
2929     },
2930     {
2931         .name           = TYPE_SD_CARD_SPI,
2932         .parent         = TYPE_SD_CARD,
2933         .class_init     = sd_spi_class_init,
2934     },
2935     {
2936         .name           = TYPE_EMMC,
2937         .parent         = TYPE_SDMMC_COMMON,
2938         .class_init     = emmc_class_init,
2939     },
2940 };
2941 
2942 DEFINE_TYPES(sd_types)
2943