1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state,
81 sd_identification_state,
82 sd_standby_state,
83 sd_transfer_state,
84 sd_sendingdata_state,
85 sd_receivingdata_state,
86 sd_programming_state,
87 sd_disconnect_state,
88 };
89
90 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
91
92 typedef struct SDProto {
93 const char *name;
94 sd_cmd_handler cmd[SDMMC_CMD_MAX];
95 sd_cmd_handler acmd[SDMMC_CMD_MAX];
96 } SDProto;
97
98 struct SDState {
99 DeviceState parent_obj;
100
101 /* If true, created by sd_init() for a non-qdevified caller */
102 /* TODO purge them with fire */
103 bool me_no_qdev_me_kill_mammoth_with_rocks;
104
105 /* SD Memory Card Registers */
106 uint32_t ocr;
107 uint8_t scr[8];
108 uint8_t cid[16];
109 uint8_t csd[16];
110 uint16_t rca;
111 uint32_t card_status;
112 uint8_t sd_status[64];
113
114 /* Static properties */
115
116 uint8_t spec_version;
117 BlockBackend *blk;
118 uint8_t boot_config;
119
120 /* Runtime changeables */
121
122 uint32_t mode; /* current card mode, one of SDCardModes */
123 int32_t state; /* current card state, one of SDCardStates */
124 uint32_t vhs;
125 bool wp_switch;
126 unsigned long *wp_group_bmap;
127 int32_t wp_group_bits;
128 uint64_t size;
129 uint32_t blk_len;
130 uint32_t multi_blk_cnt;
131 uint32_t erase_start;
132 uint32_t erase_end;
133 uint8_t pwd[16];
134 uint32_t pwd_len;
135 uint8_t function_group[6];
136 uint8_t current_cmd;
137 /* True if we will handle the next command as an ACMD. Note that this does
138 * *not* track the APP_CMD status bit!
139 */
140 bool expecting_acmd;
141 uint32_t blk_written;
142 uint64_t data_start;
143 uint32_t data_offset;
144 uint8_t data[512];
145 uint8_t ext_csd[512];
146 qemu_irq readonly_cb;
147 qemu_irq inserted_cb;
148 QEMUTimer *ocr_power_timer;
149 bool enable;
150 uint8_t dat_lines;
151 bool cmd_line;
152 };
153
154 static void sd_realize(DeviceState *dev, Error **errp);
155
sd_proto(SDState * sd)156 static const struct SDProto *sd_proto(SDState *sd)
157 {
158 SDCardClass *sc = SD_CARD_GET_CLASS(sd);
159
160 return sc->proto;
161 }
162
163 static const SDProto sd_proto_spi;
164
sd_is_spi(SDState * sd)165 static bool sd_is_spi(SDState *sd)
166 {
167 return sd_proto(sd) == &sd_proto_spi;
168 }
169
sd_version_str(enum SDPhySpecificationVersion version)170 static const char *sd_version_str(enum SDPhySpecificationVersion version)
171 {
172 static const char *sdphy_version[] = {
173 [SD_PHY_SPECv1_10_VERS] = "v1.10",
174 [SD_PHY_SPECv2_00_VERS] = "v2.00",
175 [SD_PHY_SPECv3_01_VERS] = "v3.01",
176 };
177 if (version >= ARRAY_SIZE(sdphy_version)) {
178 return "unsupported version";
179 }
180 return sdphy_version[version];
181 }
182
sd_state_name(enum SDCardStates state)183 static const char *sd_state_name(enum SDCardStates state)
184 {
185 static const char *state_name[] = {
186 [sd_idle_state] = "idle",
187 [sd_ready_state] = "ready",
188 [sd_identification_state] = "identification",
189 [sd_standby_state] = "standby",
190 [sd_transfer_state] = "transfer",
191 [sd_sendingdata_state] = "sendingdata",
192 [sd_receivingdata_state] = "receivingdata",
193 [sd_programming_state] = "programming",
194 [sd_disconnect_state] = "disconnect",
195 };
196 if (state == sd_inactive_state) {
197 return "inactive";
198 }
199 assert(state < ARRAY_SIZE(state_name));
200 return state_name[state];
201 }
202
sd_response_name(sd_rsp_type_t rsp)203 static const char *sd_response_name(sd_rsp_type_t rsp)
204 {
205 static const char *response_name[] = {
206 [sd_r0] = "RESP#0 (no response)",
207 [sd_r1] = "RESP#1 (normal cmd)",
208 [sd_r2_i] = "RESP#2 (CID reg)",
209 [sd_r2_s] = "RESP#2 (CSD reg)",
210 [sd_r3] = "RESP#3 (OCR reg)",
211 [sd_r6] = "RESP#6 (RCA)",
212 [sd_r7] = "RESP#7 (operating voltage)",
213 };
214 if (rsp == sd_illegal) {
215 return "ILLEGAL RESP";
216 }
217 if (rsp == sd_r1b) {
218 rsp = sd_r1;
219 }
220 assert(rsp < ARRAY_SIZE(response_name));
221 return response_name[rsp];
222 }
223
sd_get_dat_lines(SDState * sd)224 static uint8_t sd_get_dat_lines(SDState *sd)
225 {
226 return sd->enable ? sd->dat_lines : 0;
227 }
228
sd_get_cmd_line(SDState * sd)229 static bool sd_get_cmd_line(SDState *sd)
230 {
231 return sd->enable ? sd->cmd_line : false;
232 }
233
sd_set_voltage(SDState * sd,uint16_t millivolts)234 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
235 {
236 trace_sdcard_set_voltage(millivolts);
237
238 switch (millivolts) {
239 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
240 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
241 break;
242 default:
243 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
244 millivolts / 1000.f);
245 }
246 }
247
sd_set_mode(SDState * sd)248 static void sd_set_mode(SDState *sd)
249 {
250 switch (sd->state) {
251 case sd_inactive_state:
252 sd->mode = sd_inactive;
253 break;
254
255 case sd_idle_state:
256 case sd_ready_state:
257 case sd_identification_state:
258 sd->mode = sd_card_identification_mode;
259 break;
260
261 case sd_standby_state:
262 case sd_transfer_state:
263 case sd_sendingdata_state:
264 case sd_receivingdata_state:
265 case sd_programming_state:
266 case sd_disconnect_state:
267 sd->mode = sd_data_transfer_mode;
268 break;
269 }
270 }
271
272 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
273 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
274 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
275 /* 16 */
276 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
277 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
278 /* 32 */
279 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
280 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
281 /* 48 */
282 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
283 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
284 };
285
286 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
287 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
288 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
289 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
290 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
291 };
292
sd_crc7(const void * message,size_t width)293 static uint8_t sd_crc7(const void *message, size_t width)
294 {
295 int i, bit;
296 uint8_t shift_reg = 0x00;
297 const uint8_t *msg = (const uint8_t *)message;
298
299 for (i = 0; i < width; i ++, msg ++)
300 for (bit = 7; bit >= 0; bit --) {
301 shift_reg <<= 1;
302 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
303 shift_reg ^= 0x89;
304 }
305
306 return shift_reg;
307 }
308
309 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
310
311 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
312 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
313 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
314 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
315 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
316 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
317 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
318 FIELD(OCR, CARD_POWER_UP, 31, 1)
319
320 #define ACMD41_ENQUIRY_MASK 0x00ffffff
321 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
322 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
323 | R_OCR_UHS_II_CARD_MASK \
324 | R_OCR_CARD_CAPACITY_MASK \
325 | R_OCR_CARD_POWER_UP_MASK)
326
sd_ocr_powerup(void * opaque)327 static void sd_ocr_powerup(void *opaque)
328 {
329 SDState *sd = opaque;
330
331 trace_sdcard_powerup();
332 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
333
334 /* card power-up OK */
335 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
336
337 if (sd->size > SDSC_MAX_CAPACITY) {
338 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
339 }
340 }
341
sd_set_ocr(SDState * sd)342 static void sd_set_ocr(SDState *sd)
343 {
344 /* All voltages OK */
345 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
346
347 if (sd_is_spi(sd)) {
348 /*
349 * We don't need to emulate power up sequence in SPI-mode.
350 * Thus, the card's power up status bit should be set to 1 when reset.
351 * The card's capacity status bit should also be set if SD card size
352 * is larger than 2GB for SDHC support.
353 */
354 sd_ocr_powerup(sd);
355 }
356 }
357
sd_set_scr(SDState * sd)358 static void sd_set_scr(SDState *sd)
359 {
360 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
361 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
362 sd->scr[0] |= 1; /* Spec Version 1.10 */
363 } else {
364 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
365 }
366 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
367 | 0b0101; /* 1-bit or 4-bit width bus modes */
368 sd->scr[2] = 0x00; /* Extended Security is not supported. */
369 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
370 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
371 }
372 sd->scr[3] = 0x00;
373 /* reserved for manufacturer usage */
374 sd->scr[4] = 0x00;
375 sd->scr[5] = 0x00;
376 sd->scr[6] = 0x00;
377 sd->scr[7] = 0x00;
378 }
379
380 #define MID 0xaa
381 #define OID "XY"
382 #define PNM "QEMU!"
383 #define PRV 0x01
384 #define MDT_YR 2006
385 #define MDT_MON 2
386
sd_set_cid(SDState * sd)387 static void sd_set_cid(SDState *sd)
388 {
389 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
390 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
391 sd->cid[2] = OID[1];
392 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
393 sd->cid[4] = PNM[1];
394 sd->cid[5] = PNM[2];
395 sd->cid[6] = PNM[3];
396 sd->cid[7] = PNM[4];
397 sd->cid[8] = PRV; /* Fake product revision (PRV) */
398 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
399 sd->cid[10] = 0xad;
400 sd->cid[11] = 0xbe;
401 sd->cid[12] = 0xef;
402 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
403 ((MDT_YR - 2000) / 10);
404 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
405 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
406 }
407
408 #define HWBLOCK_SHIFT 9 /* 512 bytes */
409 #define SECTOR_SHIFT 5 /* 16 kilobytes */
410 #define WPGROUP_SHIFT 7 /* 2 megs */
411 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
412 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
413
414 static const uint8_t sd_csd_rw_mask[16] = {
415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
417 };
418
mmc_set_ext_csd(SDState * sd,uint64_t size)419 static void mmc_set_ext_csd(SDState *sd, uint64_t size)
420 {
421 uint32_t sectcount = size >> HWBLOCK_SHIFT;
422
423 memset(sd->ext_csd, 0, sizeof(sd->ext_csd));
424
425 sd->ext_csd[EXT_CSD_S_CMD_SET] = 0x1; /* supported command sets */
426 sd->ext_csd[EXT_CSD_HPI_FEATURES] = 0x3; /* HPI features */
427 sd->ext_csd[EXT_CSD_BKOPS_SUPPORT] = 0x1; /* Background operations */
428 sd->ext_csd[241] = 0xA; /* 1st initialization time after partitioning */
429 sd->ext_csd[EXT_CSD_TRIM_MULT] = 0x1; /* Trim multiplier */
430 sd->ext_csd[EXT_CSD_SEC_FEATURE_SUPPORT] = 0x15; /* Secure feature */
431 sd->ext_csd[EXT_CSD_SEC_ERASE_MULT] = 0x96; /* Secure erase support */
432 sd->ext_csd[EXT_CSD_SEC_TRIM_MULT] = 0x96; /* Secure TRIM multiplier */
433 sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x7; /* Boot information */
434 sd->ext_csd[EXT_CSD_BOOT_MULT] = 0x8; /* Boot partition size. 128KB unit */
435 sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x6; /* Access size */
436 sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x4; /* HC Erase unit size */
437 sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x1; /* HC erase timeout */
438 sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */
439 sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x4; /* HC write protect group size */
440 sd->ext_csd[EXT_CSD_S_C_VCC] = 0x8; /* Sleep current VCC */
441 sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x7; /* Sleep current VCCQ */
442 sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x11; /* Sleep/Awake timeout */
443 sd->ext_csd[215] = (sectcount >> 24) & 0xff; /* Sector count */
444 sd->ext_csd[214] = (sectcount >> 16) & 0xff; /* ... */
445 sd->ext_csd[213] = (sectcount >> 8) & 0xff; /* ... */
446 sd->ext_csd[EXT_CSD_SEC_CNT] = (sectcount & 0xff); /* ... */
447 sd->ext_csd[210] = 0xa; /* Min write perf for 8bit@52Mhz */
448 sd->ext_csd[209] = 0xa; /* Min read perf for 8bit@52Mhz */
449 sd->ext_csd[208] = 0xa; /* Min write perf for 4bit@52Mhz */
450 sd->ext_csd[207] = 0xa; /* Min read perf for 4bit@52Mhz */
451 sd->ext_csd[206] = 0xa; /* Min write perf for 4bit@26Mhz */
452 sd->ext_csd[205] = 0xa; /* Min read perf for 4bit@26Mhz */
453 sd->ext_csd[EXT_CSD_PART_SWITCH_TIME] = 0x1;
454 sd->ext_csd[EXT_CSD_OUT_OF_INTERRUPT_TIME] = 0x1;
455 sd->ext_csd[EXT_CSD_CARD_TYPE] = 0x7;
456 sd->ext_csd[EXT_CSD_STRUCTURE] = 0x2;
457 sd->ext_csd[EXT_CSD_REV] = 0x5;
458 sd->ext_csd[EXT_CSD_RPMB_MULT] = 0x1; /* RPMB size */
459 sd->ext_csd[EXT_CSD_PARTITION_SUPPORT] = 0x3;
460 sd->ext_csd[159] = 0x00; /* Max enhanced area size */
461 sd->ext_csd[158] = 0x00; /* ... */
462 sd->ext_csd[157] = 0xEC; /* ... */
463
464 sd->ext_csd[EXT_CSD_PART_CONFIG] = sd->boot_config;
465 }
466
sd_emmc_set_csd(SDState * sd,uint64_t size)467 static void sd_emmc_set_csd(SDState *sd, uint64_t size)
468 {
469 sd->csd[0] = 0xd0;
470 sd->csd[1] = 0x0f;
471 sd->csd[2] = 0x00;
472 sd->csd[3] = 0x32;
473 sd->csd[4] = 0x0f;
474 if (size <= 2 * GiB) {
475 /* use 1k blocks */
476 uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1;
477 sd->csd[5] = 0x5a;
478 sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf);
479 sd->csd[7] = (csize1k >> 2) & 0xff;
480 } else { /* >= 2GB : size stored in ext CSD, block addressing */
481 sd->csd[5] = 0x59;
482 sd->csd[6] = 0x8f;
483 sd->csd[7] = 0xff;
484 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
485 }
486 sd->csd[8] = 0xff;
487 sd->csd[9] = 0xff;
488 sd->csd[10] = 0xf7;
489 sd->csd[11] = 0xfe;
490 sd->csd[12] = 0x49;
491 sd->csd[13] = 0x10;
492 sd->csd[14] = 0x00;
493 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
494 mmc_set_ext_csd(sd, size);
495 }
496
sd_set_csd(SDState * sd,uint64_t size)497 static void sd_set_csd(SDState *sd, uint64_t size)
498 {
499 SDCardClass *sc = SD_CARD_GET_CLASS(sd);
500 int hwblock_shift = HWBLOCK_SHIFT;
501 uint32_t csize;
502 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
503 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
504
505 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
506 if (size == SDSC_MAX_CAPACITY) {
507 hwblock_shift += 1;
508 }
509 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
510
511 if (sc->set_csd) {
512 sc->set_csd(sd, size);
513 } else if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
514 sd->csd[0] = 0x00; /* CSD structure */
515 sd->csd[1] = 0x26; /* Data read access-time-1 */
516 sd->csd[2] = 0x00; /* Data read access-time-2 */
517 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
518 sd->csd[4] = 0x5f; /* Card Command Classes */
519 sd->csd[5] = 0x50 | /* Max. read data block length */
520 hwblock_shift;
521 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
522 ((csize >> 10) & 0x03);
523 sd->csd[7] = 0x00 | /* Device size */
524 ((csize >> 2) & 0xff);
525 sd->csd[8] = 0x3f | /* Max. read current */
526 ((csize << 6) & 0xc0);
527 sd->csd[9] = 0xfc | /* Max. write current */
528 ((CMULT_SHIFT - 2) >> 1);
529 sd->csd[10] = 0x40 | /* Erase sector size */
530 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
531 sd->csd[11] = 0x00 | /* Write protect group size */
532 ((sectsize << 7) & 0x80) | wpsize;
533 sd->csd[12] = 0x90 | /* Write speed factor */
534 (hwblock_shift >> 2);
535 sd->csd[13] = 0x20 | /* Max. write data block length */
536 ((hwblock_shift << 6) & 0xc0);
537 sd->csd[14] = 0x00; /* File format group */
538 } else { /* SDHC */
539 size /= 512 * KiB;
540 size -= 1;
541 sd->csd[0] = 0x40;
542 sd->csd[1] = 0x0e;
543 sd->csd[2] = 0x00;
544 sd->csd[3] = 0x32;
545 sd->csd[4] = 0x5b;
546 sd->csd[5] = 0x59;
547 sd->csd[6] = 0x00;
548 sd->csd[7] = (size >> 16) & 0xff;
549 sd->csd[8] = (size >> 8) & 0xff;
550 sd->csd[9] = (size & 0xff);
551 sd->csd[10] = 0x7f;
552 sd->csd[11] = 0x80;
553 sd->csd[12] = 0x0a;
554 sd->csd[13] = 0x40;
555 sd->csd[14] = 0x00;
556 }
557 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
558 }
559
sd_set_rca(SDState * sd)560 static void sd_set_rca(SDState *sd)
561 {
562 sd->rca += 0x4567;
563 }
564
565 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
566 FIELD(CSR, APP_CMD, 5, 1)
567 FIELD(CSR, FX_EVENT, 6, 1)
568 FIELD(CSR, SWITCH_ERROR, 7, 1)
569 FIELD(CSR, READY_FOR_DATA, 8, 1)
570 FIELD(CSR, CURRENT_STATE, 9, 4)
571 FIELD(CSR, ERASE_RESET, 13, 1)
572 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
573 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
574 FIELD(CSR, CSD_OVERWRITE, 16, 1)
575 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
576 FIELD(CSR, ERROR, 19, 1)
577 FIELD(CSR, CC_ERROR, 20, 1)
578 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
579 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
580 FIELD(CSR, COM_CRC_ERROR, 23, 1)
581 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
582 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
583 FIELD(CSR, WP_VIOLATION, 26, 1)
584 FIELD(CSR, ERASE_PARAM, 27, 1)
585 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
586 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
587 FIELD(CSR, ADDRESS_ERROR, 30, 1)
588 FIELD(CSR, OUT_OF_RANGE, 31, 1)
589
590 /* Card status bits, split by clear condition:
591 * A : According to the card current state
592 * B : Always related to the previous command
593 * C : Cleared by read
594 */
595 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
596 | R_CSR_CARD_ECC_DISABLED_MASK \
597 | R_CSR_CARD_IS_LOCKED_MASK)
598 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
599 | R_CSR_ILLEGAL_COMMAND_MASK \
600 | R_CSR_COM_CRC_ERROR_MASK)
601 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
602 | R_CSR_APP_CMD_MASK \
603 | R_CSR_ERASE_RESET_MASK \
604 | R_CSR_WP_ERASE_SKIP_MASK \
605 | R_CSR_CSD_OVERWRITE_MASK \
606 | R_CSR_ERROR_MASK \
607 | R_CSR_CC_ERROR_MASK \
608 | R_CSR_CARD_ECC_FAILED_MASK \
609 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
610 | R_CSR_WP_VIOLATION_MASK \
611 | R_CSR_ERASE_PARAM_MASK \
612 | R_CSR_ERASE_SEQ_ERROR_MASK \
613 | R_CSR_BLOCK_LEN_ERROR_MASK \
614 | R_CSR_ADDRESS_ERROR_MASK \
615 | R_CSR_OUT_OF_RANGE_MASK)
616
sd_set_cardstatus(SDState * sd)617 static void sd_set_cardstatus(SDState *sd)
618 {
619 sd->card_status = 0x00000100;
620 }
621
sd_set_sdstatus(SDState * sd)622 static void sd_set_sdstatus(SDState *sd)
623 {
624 memset(sd->sd_status, 0, 64);
625 }
626
sd_req_crc_validate(SDRequest * req)627 static int sd_req_crc_validate(SDRequest *req)
628 {
629 uint8_t buffer[5];
630 buffer[0] = 0x40 | req->cmd;
631 stl_be_p(&buffer[1], req->arg);
632 return 0;
633 return sd_crc7(buffer, 5) != req->crc; /* TODO */
634 }
635
sd_response_r1_make(SDState * sd,uint8_t * response)636 static void sd_response_r1_make(SDState *sd, uint8_t *response)
637 {
638 stl_be_p(response, sd->card_status);
639
640 /* Clear the "clear on read" status bits */
641 sd->card_status &= ~CARD_STATUS_C;
642 }
643
sd_response_r3_make(SDState * sd,uint8_t * response)644 static void sd_response_r3_make(SDState *sd, uint8_t *response)
645 {
646 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
647 }
648
sd_response_r6_make(SDState * sd,uint8_t * response)649 static void sd_response_r6_make(SDState *sd, uint8_t *response)
650 {
651 uint16_t status;
652
653 status = ((sd->card_status >> 8) & 0xc000) |
654 ((sd->card_status >> 6) & 0x2000) |
655 (sd->card_status & 0x1fff);
656 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
657 stw_be_p(response + 0, sd->rca);
658 stw_be_p(response + 2, status);
659 }
660
sd_response_r7_make(SDState * sd,uint8_t * response)661 static void sd_response_r7_make(SDState *sd, uint8_t *response)
662 {
663 stl_be_p(response, sd->vhs);
664 }
665
sd_addr_to_wpnum(uint64_t addr)666 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
667 {
668 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
669 }
670
671
sd_boot_capacity_bytes(SDState * sd)672 static unsigned sd_boot_capacity_bytes(SDState *sd)
673 {
674 return sd->ext_csd[EXT_CSD_BOOT_MULT] << 17;
675 }
676
sd_reset(DeviceState * dev)677 static void sd_reset(DeviceState *dev)
678 {
679 SDState *sd = SD_CARD(dev);
680 SDCardClass *sc = SD_CARD_GET_CLASS(sd);
681 uint64_t size;
682 uint64_t sect;
683
684 trace_sdcard_reset();
685 if (sd->blk) {
686 blk_get_geometry(sd->blk, §);
687 } else {
688 sect = 0;
689 }
690 size = sect << 9;
691
692 if (sc->bootpart_offset) {
693 size -= sd_boot_capacity_bytes(sd) * 2;
694 }
695
696 sect = sd_addr_to_wpnum(size) + 1;
697
698 sd->state = sd_idle_state;
699 sd->rca = 0x0000;
700 sd->size = size;
701 sd_set_ocr(sd);
702 sd_set_scr(sd);
703 sd_set_cid(sd);
704 sd_set_csd(sd, size);
705 sd_set_cardstatus(sd);
706 sd_set_sdstatus(sd);
707
708 g_free(sd->wp_group_bmap);
709 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
710 sd->wp_group_bits = sect;
711 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
712 memset(sd->function_group, 0, sizeof(sd->function_group));
713 sd->erase_start = INVALID_ADDRESS;
714 sd->erase_end = INVALID_ADDRESS;
715 sd->blk_len = 0x200;
716 sd->pwd_len = 0;
717 sd->expecting_acmd = false;
718 sd->dat_lines = 0xf;
719 sd->cmd_line = true;
720 sd->multi_blk_cnt = 0;
721 }
722
sd_get_inserted(SDState * sd)723 static bool sd_get_inserted(SDState *sd)
724 {
725 return sd->blk && blk_is_inserted(sd->blk);
726 }
727
sd_get_readonly(SDState * sd)728 static bool sd_get_readonly(SDState *sd)
729 {
730 return sd->wp_switch;
731 }
732
sd_cardchange(void * opaque,bool load,Error ** errp)733 static void sd_cardchange(void *opaque, bool load, Error **errp)
734 {
735 SDState *sd = opaque;
736 DeviceState *dev = DEVICE(sd);
737 SDBus *sdbus;
738 bool inserted = sd_get_inserted(sd);
739 bool readonly = sd_get_readonly(sd);
740
741 if (inserted) {
742 trace_sdcard_inserted(readonly);
743 sd_reset(dev);
744 } else {
745 trace_sdcard_ejected();
746 }
747
748 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
749 qemu_set_irq(sd->inserted_cb, inserted);
750 if (inserted) {
751 qemu_set_irq(sd->readonly_cb, readonly);
752 }
753 } else {
754 sdbus = SD_BUS(qdev_get_parent_bus(dev));
755 sdbus_set_inserted(sdbus, inserted);
756 if (inserted) {
757 sdbus_set_readonly(sdbus, readonly);
758 }
759 }
760 }
761
762 static const BlockDevOps sd_block_ops = {
763 .change_media_cb = sd_cardchange,
764 };
765
sd_ocr_vmstate_needed(void * opaque)766 static bool sd_ocr_vmstate_needed(void *opaque)
767 {
768 SDState *sd = opaque;
769
770 /* Include the OCR state (and timer) if it is not yet powered up */
771 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
772 }
773
774 static const VMStateDescription sd_ocr_vmstate = {
775 .name = "sd-card/ocr-state",
776 .version_id = 1,
777 .minimum_version_id = 1,
778 .needed = sd_ocr_vmstate_needed,
779 .fields = (VMStateField[]) {
780 VMSTATE_UINT32(ocr, SDState),
781 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
782 VMSTATE_END_OF_LIST()
783 },
784 };
785
sd_vmstate_pre_load(void * opaque)786 static int sd_vmstate_pre_load(void *opaque)
787 {
788 SDState *sd = opaque;
789
790 /* If the OCR state is not included (prior versions, or not
791 * needed), then the OCR must be set as powered up. If the OCR state
792 * is included, this will be replaced by the state restore.
793 */
794 sd_ocr_powerup(sd);
795
796 return 0;
797 }
798
799 static const VMStateDescription sd_vmstate = {
800 .name = "sd-card",
801 .version_id = 2,
802 .minimum_version_id = 2,
803 .pre_load = sd_vmstate_pre_load,
804 .fields = (VMStateField[]) {
805 VMSTATE_UINT32(mode, SDState),
806 VMSTATE_INT32(state, SDState),
807 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
808 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
809 VMSTATE_UINT16(rca, SDState),
810 VMSTATE_UINT32(card_status, SDState),
811 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
812 VMSTATE_UINT32(vhs, SDState),
813 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
814 VMSTATE_UINT32(blk_len, SDState),
815 VMSTATE_UINT32(multi_blk_cnt, SDState),
816 VMSTATE_UINT32(erase_start, SDState),
817 VMSTATE_UINT32(erase_end, SDState),
818 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
819 VMSTATE_UINT32(pwd_len, SDState),
820 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
821 VMSTATE_UINT8(current_cmd, SDState),
822 VMSTATE_BOOL(expecting_acmd, SDState),
823 VMSTATE_UINT32(blk_written, SDState),
824 VMSTATE_UINT64(data_start, SDState),
825 VMSTATE_UINT32(data_offset, SDState),
826 VMSTATE_UINT8_ARRAY(data, SDState, 512),
827 VMSTATE_UNUSED_V(1, 512),
828 VMSTATE_BOOL(enable, SDState),
829 VMSTATE_END_OF_LIST()
830 },
831 .subsections = (const VMStateDescription*[]) {
832 &sd_ocr_vmstate,
833 NULL
834 },
835 };
836
837 /* Legacy initialization function for use by non-qdevified callers */
sd_init(BlockBackend * blk,bool is_spi)838 SDState *sd_init(BlockBackend *blk, bool is_spi)
839 {
840 Object *obj;
841 DeviceState *dev;
842 SDState *sd;
843 Error *err = NULL;
844
845 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
846 dev = DEVICE(obj);
847 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
848 error_reportf_err(err, "sd_init failed: ");
849 return NULL;
850 }
851
852 /*
853 * Realizing the device properly would put it into the QOM
854 * composition tree even though it is not plugged into an
855 * appropriate bus. That's a no-no. Hide the device from
856 * QOM/qdev, and call its qdev realize callback directly.
857 */
858 object_ref(obj);
859 object_unparent(obj);
860 sd_realize(dev, &err);
861 if (err) {
862 error_reportf_err(err, "sd_init failed: ");
863 return NULL;
864 }
865
866 sd = SD_CARD(dev);
867 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
868 return sd;
869 }
870
sd_set_cb(SDState * sd,qemu_irq readonly,qemu_irq insert)871 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
872 {
873 sd->readonly_cb = readonly;
874 sd->inserted_cb = insert;
875 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
876 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
877 }
878
879 /*
880 * This requires a disk image that has two boot partitions inserted at the
881 * beginning of it. The size of the boot partitions are configured in the
882 * ext_csd structure, which is hardcoded in qemu. They are currently set to
883 * 1MB each.
884 */
sd_emmc_bootpart_offset(SDState * sd)885 static uint32_t sd_emmc_bootpart_offset(SDState *sd)
886 {
887 unsigned int access = sd->ext_csd[EXT_CSD_PART_CONFIG] &
888 EXT_CSD_PART_CONFIG_ACC_MASK;
889 unsigned int enable = sd->ext_csd[EXT_CSD_PART_CONFIG] &
890 EXT_CSD_PART_CONFIG_EN_MASK;
891 unsigned int boot_capacity = sd_boot_capacity_bytes(sd);
892
893 if (!enable) {
894 return 0;
895 }
896
897 switch (access) {
898 case EXT_CSD_PART_CONFIG_ACC_DEFAULT:
899 return boot_capacity * 2;
900 case EXT_CSD_PART_CONFIG_ACC_BOOT0:
901 return 0;
902 case EXT_CSD_PART_CONFIG_ACC_BOOT0 + 1:
903 return boot_capacity * 1;
904 default:
905 g_assert_not_reached();
906 }
907 }
908
sd_bootpart_offset(SDState * sd)909 static uint32_t sd_bootpart_offset(SDState *sd)
910 {
911 SDCardClass *sc = SD_CARD_GET_CLASS(sd);
912 return sc->bootpart_offset ? sc->bootpart_offset(sd) : 0;
913 }
914
sd_blk_read(SDState * sd,uint64_t addr,uint32_t len)915 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
916 {
917 trace_sdcard_read_block(addr, len);
918 addr += sd_bootpart_offset(sd);
919 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
920 fprintf(stderr, "sd_blk_read: read error on host side\n");
921 }
922 }
923
sd_blk_write(SDState * sd,uint64_t addr,uint32_t len)924 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
925 {
926 trace_sdcard_write_block(addr, len);
927 addr += sd_bootpart_offset(sd);
928 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
929 fprintf(stderr, "sd_blk_write: write error on host side\n");
930 }
931 }
932
933 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
934 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
935 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
936 #define APP_WRITE_BLOCK(a, len)
937
sd_erase(SDState * sd)938 static void sd_erase(SDState *sd)
939 {
940 uint64_t erase_start = sd->erase_start;
941 uint64_t erase_end = sd->erase_end;
942 bool sdsc = true;
943 uint64_t wpnum;
944 uint64_t erase_addr;
945 int erase_len = 1 << HWBLOCK_SHIFT;
946
947 trace_sdcard_erase(sd->erase_start, sd->erase_end);
948 if (sd->erase_start == INVALID_ADDRESS
949 || sd->erase_end == INVALID_ADDRESS) {
950 sd->card_status |= ERASE_SEQ_ERROR;
951 sd->erase_start = INVALID_ADDRESS;
952 sd->erase_end = INVALID_ADDRESS;
953 return;
954 }
955
956 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
957 /* High capacity memory card: erase units are 512 byte blocks */
958 erase_start *= 512;
959 erase_end *= 512;
960 sdsc = false;
961 }
962
963 if (erase_start > sd->size || erase_end > sd->size) {
964 sd->card_status |= OUT_OF_RANGE;
965 sd->erase_start = INVALID_ADDRESS;
966 sd->erase_end = INVALID_ADDRESS;
967 return;
968 }
969
970 sd->erase_start = INVALID_ADDRESS;
971 sd->erase_end = INVALID_ADDRESS;
972 sd->csd[14] |= 0x40;
973
974 memset(sd->data, 0xff, erase_len);
975 for (erase_addr = erase_start; erase_addr <= erase_end;
976 erase_addr += erase_len) {
977 if (sdsc) {
978 /* Only SDSC cards support write protect groups */
979 wpnum = sd_addr_to_wpnum(erase_addr);
980 assert(wpnum < sd->wp_group_bits);
981 if (test_bit(wpnum, sd->wp_group_bmap)) {
982 sd->card_status |= WP_ERASE_SKIP;
983 continue;
984 }
985 }
986 BLK_WRITE_BLOCK(erase_addr, erase_len);
987 }
988 }
989
sd_wpbits(SDState * sd,uint64_t addr)990 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
991 {
992 uint32_t i, wpnum;
993 uint32_t ret = 0;
994
995 wpnum = sd_addr_to_wpnum(addr);
996
997 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
998 if (addr >= sd->size) {
999 /*
1000 * If the addresses of the last groups are outside the valid range,
1001 * then the corresponding write protection bits shall be set to 0.
1002 */
1003 continue;
1004 }
1005 assert(wpnum < sd->wp_group_bits);
1006 if (test_bit(wpnum, sd->wp_group_bmap)) {
1007 ret |= (1 << i);
1008 }
1009 }
1010
1011 return ret;
1012 }
1013
1014 enum {
1015 MMC_CMD6_ACCESS_COMMAND_SET = 0,
1016 MMC_CMD6_ACCESS_SET_BITS,
1017 MMC_CMD6_ACCESS_CLEAR_BITS,
1018 MMC_CMD6_ACCESS_WRITE_BYTE,
1019 };
1020
mmc_function_switch(SDState * sd,uint32_t arg)1021 static void mmc_function_switch(SDState *sd, uint32_t arg)
1022 {
1023 uint32_t access = extract32(arg, 24, 2);
1024 uint32_t index = extract32(arg, 16, 8);
1025 uint32_t value = extract32(arg, 8, 8);
1026 uint8_t b = sd->ext_csd[index];
1027
1028 switch (access) {
1029 case MMC_CMD6_ACCESS_COMMAND_SET:
1030 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n");
1031 return;
1032 case MMC_CMD6_ACCESS_SET_BITS:
1033 b |= value;
1034 break;
1035 case MMC_CMD6_ACCESS_CLEAR_BITS:
1036 b &= ~value;
1037 break;
1038 case MMC_CMD6_ACCESS_WRITE_BYTE:
1039 b = value;
1040 break;
1041 }
1042
1043 if (index >= 192) {
1044 sd->card_status |= R_CSR_SWITCH_ERROR_MASK;
1045 return;
1046 }
1047
1048 sd->ext_csd[index] = b;
1049 }
1050
sd_function_switch(SDState * sd,uint32_t arg)1051 static void sd_function_switch(SDState *sd, uint32_t arg)
1052 {
1053 int i, mode, new_func;
1054 mode = !!(arg & 0x80000000);
1055
1056 sd->data[0] = 0x00; /* Maximum current consumption */
1057 sd->data[1] = 0x01;
1058 sd->data[2] = 0x80; /* Supported group 6 functions */
1059 sd->data[3] = 0x01;
1060 sd->data[4] = 0x80; /* Supported group 5 functions */
1061 sd->data[5] = 0x01;
1062 sd->data[6] = 0x80; /* Supported group 4 functions */
1063 sd->data[7] = 0x01;
1064 sd->data[8] = 0x80; /* Supported group 3 functions */
1065 sd->data[9] = 0x01;
1066 sd->data[10] = 0x80; /* Supported group 2 functions */
1067 sd->data[11] = 0x43;
1068 sd->data[12] = 0x80; /* Supported group 1 functions */
1069 sd->data[13] = 0x03;
1070
1071 memset(&sd->data[14], 0, 3);
1072 for (i = 0; i < 6; i ++) {
1073 new_func = (arg >> (i * 4)) & 0x0f;
1074 if (mode && new_func != 0x0f)
1075 sd->function_group[i] = new_func;
1076 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
1077 }
1078 memset(&sd->data[17], 0, 47);
1079 }
1080
sd_wp_addr(SDState * sd,uint64_t addr)1081 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
1082 {
1083 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1084 }
1085
sd_lock_command(SDState * sd)1086 static void sd_lock_command(SDState *sd)
1087 {
1088 int erase, lock, clr_pwd, set_pwd, pwd_len;
1089 erase = !!(sd->data[0] & 0x08);
1090 lock = sd->data[0] & 0x04;
1091 clr_pwd = sd->data[0] & 0x02;
1092 set_pwd = sd->data[0] & 0x01;
1093
1094 if (sd->blk_len > 1)
1095 pwd_len = sd->data[1];
1096 else
1097 pwd_len = 0;
1098
1099 if (lock) {
1100 trace_sdcard_lock();
1101 } else {
1102 trace_sdcard_unlock();
1103 }
1104 if (erase) {
1105 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
1106 set_pwd || clr_pwd || lock || sd->wp_switch ||
1107 (sd->csd[14] & 0x20)) {
1108 sd->card_status |= LOCK_UNLOCK_FAILED;
1109 return;
1110 }
1111 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
1112 sd->csd[14] &= ~0x10;
1113 sd->card_status &= ~CARD_IS_LOCKED;
1114 sd->pwd_len = 0;
1115 /* Erasing the entire card here! */
1116 fprintf(stderr, "SD: Card force-erased by CMD42\n");
1117 return;
1118 }
1119
1120 if (sd->blk_len < 2 + pwd_len ||
1121 pwd_len <= sd->pwd_len ||
1122 pwd_len > sd->pwd_len + 16) {
1123 sd->card_status |= LOCK_UNLOCK_FAILED;
1124 return;
1125 }
1126
1127 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
1128 sd->card_status |= LOCK_UNLOCK_FAILED;
1129 return;
1130 }
1131
1132 pwd_len -= sd->pwd_len;
1133 if ((pwd_len && !set_pwd) ||
1134 (clr_pwd && (set_pwd || lock)) ||
1135 (lock && !sd->pwd_len && !set_pwd) ||
1136 (!set_pwd && !clr_pwd &&
1137 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1138 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1139 sd->card_status |= LOCK_UNLOCK_FAILED;
1140 return;
1141 }
1142
1143 if (set_pwd) {
1144 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1145 sd->pwd_len = pwd_len;
1146 }
1147
1148 if (clr_pwd) {
1149 sd->pwd_len = 0;
1150 }
1151
1152 if (lock)
1153 sd->card_status |= CARD_IS_LOCKED;
1154 else
1155 sd->card_status &= ~CARD_IS_LOCKED;
1156 }
1157
address_in_range(SDState * sd,const char * desc,uint64_t addr,uint32_t length)1158 static bool address_in_range(SDState *sd, const char *desc,
1159 uint64_t addr, uint32_t length)
1160 {
1161 if (addr + length > sd->size) {
1162 qemu_log_mask(LOG_GUEST_ERROR,
1163 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1164 desc, addr, sd->size, length);
1165 sd->card_status |= ADDRESS_ERROR;
1166 return false;
1167 }
1168 return true;
1169 }
1170
sd_invalid_state_for_cmd(SDState * sd,SDRequest req)1171 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1172 {
1173 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1174 sd_proto(sd)->name, req.cmd, sd_state_name(sd->state),
1175 sd_version_str(sd->spec_version));
1176
1177 return sd_illegal;
1178 }
1179
sd_cmd_illegal(SDState * sd,SDRequest req)1180 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1181 {
1182 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1183 sd_proto(sd)->name, req.cmd,
1184 sd_version_str(sd->spec_version));
1185
1186 return sd_illegal;
1187 }
1188
1189 /* Commands that are recognised but not yet implemented. */
sd_cmd_unimplemented(SDState * sd,SDRequest req)1190 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1191 {
1192 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1193 sd_proto(sd)->name, req.cmd);
1194
1195 return sd_illegal;
1196 }
1197
sd_cmd_GO_IDLE_STATE(SDState * sd,SDRequest req)1198 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1199 {
1200 if (sd->state != sd_inactive_state) {
1201 sd->state = sd_idle_state;
1202 sd_reset(DEVICE(sd));
1203 }
1204
1205 return sd_is_spi(sd) ? sd_r1 : sd_r0;
1206 }
1207
sd_cmd_SEND_OP_CMD(SDState * sd,SDRequest req)1208 static sd_rsp_type_t sd_cmd_SEND_OP_CMD(SDState *sd, SDRequest req)
1209 {
1210 sd->state = sd_transfer_state;
1211
1212 return sd_r1;
1213 }
1214
sd_cmd_ALL_SEND_CID(SDState * sd,SDRequest req)1215 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1216 {
1217 if (sd->state != sd_ready_state) {
1218 return sd_invalid_state_for_cmd(sd, req);
1219 }
1220
1221 sd->state = sd_identification_state;
1222
1223 return sd_r2_i;
1224 }
1225
sd_emmc_set_rca(SDState * sd,uint16_t value)1226 static void sd_emmc_set_rca(SDState *sd, uint16_t value)
1227 {
1228 sd->rca = value;
1229 }
1230
emmc_cmd_SEND_RELATIVE_ADDR(SDState * sd,SDRequest req)1231 static sd_rsp_type_t emmc_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1232 {
1233 switch (sd->state) {
1234 case sd_identification_state:
1235 case sd_standby_state:
1236 sd->state = sd_standby_state;
1237 sd_emmc_set_rca(sd, req.arg >> 16);
1238 return sd_r1;
1239
1240 default:
1241 return sd_invalid_state_for_cmd(sd, req);
1242 }
1243 }
1244
sd_cmd_SEND_RELATIVE_ADDR(SDState * sd,SDRequest req)1245 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1246 {
1247 switch (sd->state) {
1248 case sd_identification_state:
1249 case sd_standby_state:
1250 sd->state = sd_standby_state;
1251 sd_set_rca(sd);
1252 return sd_r6;
1253
1254 default:
1255 return sd_invalid_state_for_cmd(sd, req);
1256 }
1257 }
1258
sd_cmd_SEND_TUNING_BLOCK(SDState * sd,SDRequest req)1259 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1260 {
1261 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1262 return sd_cmd_illegal(sd, req);
1263 }
1264
1265 if (sd->state != sd_transfer_state) {
1266 return sd_invalid_state_for_cmd(sd, req);
1267 }
1268
1269 sd->state = sd_sendingdata_state;
1270 sd->data_offset = 0;
1271
1272 return sd_r1;
1273 }
1274
sd_cmd_SET_BLOCK_COUNT(SDState * sd,SDRequest req)1275 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1276 {
1277 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1278 return sd_cmd_illegal(sd, req);
1279 }
1280
1281 if (sd->state != sd_transfer_state) {
1282 return sd_invalid_state_for_cmd(sd, req);
1283 }
1284
1285 sd->multi_blk_cnt = req.arg & 0xFFFF;
1286
1287 return sd_r1;
1288 }
1289
sd_normal_command(SDState * sd,SDRequest req)1290 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
1291 {
1292 uint32_t rca = 0x0000;
1293 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
1294
1295 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
1296 * However there is no ACMD55, so we want to trace this particular case.
1297 */
1298 if (req.cmd != 55 || sd->expecting_acmd) {
1299 trace_sdcard_normal_command(sd_proto(sd)->name,
1300 sd_cmd_name(req.cmd), req.cmd,
1301 req.arg, sd_state_name(sd->state));
1302 }
1303
1304 /* Not interpreting this as an app command */
1305 sd->card_status &= ~APP_CMD;
1306
1307 if (sd_cmd_type[req.cmd] == sd_ac
1308 || sd_cmd_type[req.cmd] == sd_adtc) {
1309 rca = req.arg >> 16;
1310 }
1311
1312 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
1313 * if not, its effects are cancelled */
1314 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
1315 sd->multi_blk_cnt = 0;
1316 }
1317
1318 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1319 /* Only Standard Capacity cards support class 6 commands */
1320 return sd_illegal;
1321 }
1322
1323 if (sd_proto(sd)->cmd[req.cmd]) {
1324 return sd_proto(sd)->cmd[req.cmd](sd, req);
1325 }
1326
1327 switch (req.cmd) {
1328 /* Basic commands (Class 0 and Class 1) */
1329 case 4: /* CMD4: SEND_DSR */
1330 switch (sd->state) {
1331 case sd_standby_state:
1332 break;
1333
1334 default:
1335 break;
1336 }
1337 break;
1338
1339 case 6: /* CMD6: SWITCH_FUNCTION */
1340 switch (sd->mode) {
1341 case sd_data_transfer_mode:
1342 sd_function_switch(sd, req.arg);
1343 sd->state = sd_sendingdata_state;
1344 sd->data_start = 0;
1345 sd->data_offset = 0;
1346 return sd_r1;
1347
1348 default:
1349 break;
1350 }
1351 break;
1352
1353 case 7: /* CMD7: SELECT/DESELECT_CARD */
1354 switch (sd->state) {
1355 case sd_standby_state:
1356 if (sd->rca != rca)
1357 return sd_r0;
1358
1359 sd->state = sd_transfer_state;
1360 return sd_r1b;
1361
1362 case sd_transfer_state:
1363 case sd_sendingdata_state:
1364 if (sd->rca == rca)
1365 break;
1366
1367 sd->state = sd_standby_state;
1368 return sd_r1b;
1369
1370 case sd_disconnect_state:
1371 if (sd->rca != rca)
1372 return sd_r0;
1373
1374 sd->state = sd_programming_state;
1375 return sd_r1b;
1376
1377 case sd_programming_state:
1378 if (sd->rca == rca)
1379 break;
1380
1381 sd->state = sd_disconnect_state;
1382 return sd_r1b;
1383
1384 default:
1385 break;
1386 }
1387 break;
1388
1389 case 8: /* CMD8: SEND_IF_COND */
1390 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1391 break;
1392 }
1393 if (sd->state != sd_idle_state) {
1394 break;
1395 }
1396 sd->vhs = 0;
1397
1398 /* No response if not exactly one VHS bit is set. */
1399 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1400 return sd_is_spi(sd) ? sd_r7 : sd_r0;
1401 }
1402
1403 /* Accept. */
1404 sd->vhs = req.arg;
1405 return sd_r7;
1406
1407 case 9: /* CMD9: SEND_CSD */
1408 switch (sd->state) {
1409 case sd_standby_state:
1410 if (sd->rca != rca)
1411 return sd_r0;
1412
1413 return sd_r2_s;
1414
1415 case sd_transfer_state:
1416 if (!sd_is_spi(sd)) {
1417 break;
1418 }
1419 sd->state = sd_sendingdata_state;
1420 memcpy(sd->data, sd->csd, 16);
1421 sd->data_start = addr;
1422 sd->data_offset = 0;
1423 return sd_r1;
1424
1425 default:
1426 break;
1427 }
1428 break;
1429
1430 case 10: /* CMD10: SEND_CID */
1431 switch (sd->state) {
1432 case sd_standby_state:
1433 if (sd->rca != rca)
1434 return sd_r0;
1435
1436 return sd_r2_i;
1437
1438 case sd_transfer_state:
1439 if (!sd_is_spi(sd)) {
1440 break;
1441 }
1442 sd->state = sd_sendingdata_state;
1443 memcpy(sd->data, sd->cid, 16);
1444 sd->data_start = addr;
1445 sd->data_offset = 0;
1446 return sd_r1;
1447
1448 default:
1449 break;
1450 }
1451 break;
1452
1453 case 12: /* CMD12: STOP_TRANSMISSION */
1454 switch (sd->state) {
1455 case sd_sendingdata_state:
1456 sd->state = sd_transfer_state;
1457 return sd_r1b;
1458
1459 case sd_receivingdata_state:
1460 sd->state = sd_programming_state;
1461 /* Bzzzzzzztt .... Operation complete. */
1462 sd->state = sd_transfer_state;
1463 return sd_r1b;
1464
1465 default:
1466 break;
1467 }
1468 break;
1469
1470 case 13: /* CMD13: SEND_STATUS */
1471 switch (sd->mode) {
1472 case sd_data_transfer_mode:
1473 if (!sd_is_spi(sd) && sd->rca != rca) {
1474 return sd_r0;
1475 }
1476
1477 return sd_r1;
1478
1479 default:
1480 break;
1481 }
1482 break;
1483
1484 case 15: /* CMD15: GO_INACTIVE_STATE */
1485 switch (sd->mode) {
1486 case sd_data_transfer_mode:
1487 if (sd->rca != rca)
1488 return sd_r0;
1489
1490 sd->state = sd_inactive_state;
1491 return sd_r0;
1492
1493 default:
1494 break;
1495 }
1496 break;
1497
1498 /* Block read commands (Class 2) */
1499 case 16: /* CMD16: SET_BLOCKLEN */
1500 switch (sd->state) {
1501 case sd_transfer_state:
1502 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1503 sd->card_status |= BLOCK_LEN_ERROR;
1504 } else {
1505 trace_sdcard_set_blocklen(req.arg);
1506 sd->blk_len = req.arg;
1507 }
1508
1509 return sd_r1;
1510
1511 default:
1512 break;
1513 }
1514 break;
1515
1516 case 17: /* CMD17: READ_SINGLE_BLOCK */
1517 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1518 switch (sd->state) {
1519 case sd_transfer_state:
1520
1521 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1522 return sd_r1;
1523 }
1524
1525 sd->state = sd_sendingdata_state;
1526 sd->data_start = addr;
1527 sd->data_offset = 0;
1528 return sd_r1;
1529
1530 default:
1531 break;
1532 }
1533 break;
1534
1535 /* Block write commands (Class 4) */
1536 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1537 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1538 switch (sd->state) {
1539 case sd_transfer_state:
1540
1541 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1542 return sd_r1;
1543 }
1544
1545 sd->state = sd_receivingdata_state;
1546 sd->data_start = addr;
1547 sd->data_offset = 0;
1548 sd->blk_written = 0;
1549
1550 if (sd->size <= SDSC_MAX_CAPACITY) {
1551 if (sd_wp_addr(sd, sd->data_start)) {
1552 sd->card_status |= WP_VIOLATION;
1553 }
1554 }
1555 if (sd->csd[14] & 0x30) {
1556 sd->card_status |= WP_VIOLATION;
1557 }
1558 return sd_r1;
1559
1560 default:
1561 break;
1562 }
1563 break;
1564
1565 case 26: /* CMD26: PROGRAM_CID */
1566 switch (sd->state) {
1567 case sd_transfer_state:
1568 sd->state = sd_receivingdata_state;
1569 sd->data_start = 0;
1570 sd->data_offset = 0;
1571 return sd_r1;
1572
1573 default:
1574 break;
1575 }
1576 break;
1577
1578 case 27: /* CMD27: PROGRAM_CSD */
1579 switch (sd->state) {
1580 case sd_transfer_state:
1581 sd->state = sd_receivingdata_state;
1582 sd->data_start = 0;
1583 sd->data_offset = 0;
1584 return sd_r1;
1585
1586 default:
1587 break;
1588 }
1589 break;
1590
1591 /* Write protection (Class 6) */
1592 case 28: /* CMD28: SET_WRITE_PROT */
1593 if (sd->size > SDSC_MAX_CAPACITY) {
1594 return sd_illegal;
1595 }
1596
1597 switch (sd->state) {
1598 case sd_transfer_state:
1599 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1600 return sd_r1b;
1601 }
1602
1603 sd->state = sd_programming_state;
1604 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1605 /* Bzzzzzzztt .... Operation complete. */
1606 sd->state = sd_transfer_state;
1607 return sd_r1b;
1608
1609 default:
1610 break;
1611 }
1612 break;
1613
1614 case 29: /* CMD29: CLR_WRITE_PROT */
1615 if (sd->size > SDSC_MAX_CAPACITY) {
1616 return sd_illegal;
1617 }
1618
1619 switch (sd->state) {
1620 case sd_transfer_state:
1621 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1622 return sd_r1b;
1623 }
1624
1625 sd->state = sd_programming_state;
1626 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1627 /* Bzzzzzzztt .... Operation complete. */
1628 sd->state = sd_transfer_state;
1629 return sd_r1b;
1630
1631 default:
1632 break;
1633 }
1634 break;
1635
1636 case 30: /* CMD30: SEND_WRITE_PROT */
1637 if (sd->size > SDSC_MAX_CAPACITY) {
1638 return sd_illegal;
1639 }
1640
1641 switch (sd->state) {
1642 case sd_transfer_state:
1643 if (!address_in_range(sd, "SEND_WRITE_PROT",
1644 req.arg, sd->blk_len)) {
1645 return sd_r1;
1646 }
1647
1648 sd->state = sd_sendingdata_state;
1649 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1650 sd->data_start = addr;
1651 sd->data_offset = 0;
1652 return sd_r1;
1653
1654 default:
1655 break;
1656 }
1657 break;
1658
1659 /* Erase commands (Class 5) */
1660 case 32: /* CMD32: ERASE_WR_BLK_START */
1661 switch (sd->state) {
1662 case sd_transfer_state:
1663 sd->erase_start = req.arg;
1664 return sd_r1;
1665
1666 default:
1667 break;
1668 }
1669 break;
1670
1671 case 33: /* CMD33: ERASE_WR_BLK_END */
1672 switch (sd->state) {
1673 case sd_transfer_state:
1674 sd->erase_end = req.arg;
1675 return sd_r1;
1676
1677 default:
1678 break;
1679 }
1680 break;
1681
1682 case 38: /* CMD38: ERASE */
1683 switch (sd->state) {
1684 case sd_transfer_state:
1685 if (sd->csd[14] & 0x30) {
1686 sd->card_status |= WP_VIOLATION;
1687 return sd_r1b;
1688 }
1689
1690 sd->state = sd_programming_state;
1691 sd_erase(sd);
1692 /* Bzzzzzzztt .... Operation complete. */
1693 sd->state = sd_transfer_state;
1694 return sd_r1b;
1695
1696 default:
1697 break;
1698 }
1699 break;
1700
1701 /* Lock card commands (Class 7) */
1702 case 42: /* CMD42: LOCK_UNLOCK */
1703 switch (sd->state) {
1704 case sd_transfer_state:
1705 sd->state = sd_receivingdata_state;
1706 sd->data_start = 0;
1707 sd->data_offset = 0;
1708 return sd_r1;
1709
1710 default:
1711 break;
1712 }
1713 break;
1714
1715 /* Application specific commands (Class 8) */
1716 case 55: /* CMD55: APP_CMD */
1717 switch (sd->state) {
1718 case sd_ready_state:
1719 case sd_identification_state:
1720 case sd_inactive_state:
1721 return sd_illegal;
1722 case sd_idle_state:
1723 if (rca) {
1724 qemu_log_mask(LOG_GUEST_ERROR,
1725 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1726 }
1727 default:
1728 break;
1729 }
1730 if (!sd_is_spi(sd)) {
1731 if (sd->rca != rca) {
1732 return sd_r0;
1733 }
1734 }
1735 sd->expecting_acmd = true;
1736 sd->card_status |= APP_CMD;
1737 return sd_r1;
1738
1739 case 56: /* CMD56: GEN_CMD */
1740 switch (sd->state) {
1741 case sd_transfer_state:
1742 sd->data_offset = 0;
1743 if (req.arg & 1)
1744 sd->state = sd_sendingdata_state;
1745 else
1746 sd->state = sd_receivingdata_state;
1747 return sd_r1;
1748
1749 default:
1750 break;
1751 }
1752 break;
1753
1754 case 58: /* CMD58: READ_OCR (SPI) */
1755 return sd_r3;
1756
1757 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1758 return sd_r1;
1759
1760 default:
1761 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1762 return sd_illegal;
1763 }
1764
1765 return sd_invalid_state_for_cmd(sd, req);
1766 }
1767
sd_app_command(SDState * sd,SDRequest req)1768 static sd_rsp_type_t sd_app_command(SDState *sd,
1769 SDRequest req)
1770 {
1771 trace_sdcard_app_command(sd_proto(sd)->name, sd_acmd_name(req.cmd),
1772 req.cmd, req.arg, sd_state_name(sd->state));
1773 sd->card_status |= APP_CMD;
1774
1775 if (sd_proto(sd)->acmd[req.cmd]) {
1776 return sd_proto(sd)->acmd[req.cmd](sd, req);
1777 }
1778
1779 switch (req.cmd) {
1780 case 6: /* ACMD6: SET_BUS_WIDTH */
1781 switch (sd->state) {
1782 case sd_transfer_state:
1783 sd->sd_status[0] &= 0x3f;
1784 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1785 return sd_r1;
1786
1787 default:
1788 break;
1789 }
1790 break;
1791
1792 case 13: /* ACMD13: SD_STATUS */
1793 switch (sd->state) {
1794 case sd_transfer_state:
1795 sd->state = sd_sendingdata_state;
1796 sd->data_start = 0;
1797 sd->data_offset = 0;
1798 return sd_r1;
1799
1800 default:
1801 break;
1802 }
1803 break;
1804
1805 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1806 switch (sd->state) {
1807 case sd_transfer_state:
1808 *(uint32_t *) sd->data = sd->blk_written;
1809
1810 sd->state = sd_sendingdata_state;
1811 sd->data_start = 0;
1812 sd->data_offset = 0;
1813 return sd_r1;
1814
1815 default:
1816 break;
1817 }
1818 break;
1819
1820 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1821 switch (sd->state) {
1822 case sd_transfer_state:
1823 return sd_r1;
1824
1825 default:
1826 break;
1827 }
1828 break;
1829
1830 case 41: /* ACMD41: SD_APP_OP_COND */
1831 if (sd->state != sd_idle_state) {
1832 break;
1833 }
1834 /* If it's the first ACMD41 since reset, we need to decide
1835 * whether to power up. If this is not an enquiry ACMD41,
1836 * we immediately report power on and proceed below to the
1837 * ready state, but if it is, we set a timer to model a
1838 * delay for power up. This works around a bug in EDK2
1839 * UEFI, which sends an initial enquiry ACMD41, but
1840 * assumes that the card is in ready state as soon as it
1841 * sees the power up bit set. */
1842 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1843 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1844 timer_del(sd->ocr_power_timer);
1845 sd_ocr_powerup(sd);
1846 } else {
1847 trace_sdcard_inquiry_cmd41();
1848 if (!timer_pending(sd->ocr_power_timer)) {
1849 timer_mod_ns(sd->ocr_power_timer,
1850 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1851 + OCR_POWER_DELAY_NS));
1852 }
1853 }
1854 }
1855
1856 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1857 /* We accept any voltage. 10000 V is nothing.
1858 *
1859 * Once we're powered up, we advance straight to ready state
1860 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1861 */
1862 sd->state = sd_ready_state;
1863 }
1864
1865 return sd_r3;
1866
1867 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1868 switch (sd->state) {
1869 case sd_transfer_state:
1870 /* Bringing in the 50KOhm pull-up resistor... Done. */
1871 return sd_r1;
1872
1873 default:
1874 break;
1875 }
1876 break;
1877
1878 case 51: /* ACMD51: SEND_SCR */
1879 switch (sd->state) {
1880 case sd_transfer_state:
1881 sd->state = sd_sendingdata_state;
1882 sd->data_start = 0;
1883 sd->data_offset = 0;
1884 return sd_r1;
1885
1886 default:
1887 break;
1888 }
1889 break;
1890
1891 case 18: /* Reserved for SD security applications */
1892 case 25:
1893 case 26:
1894 case 38:
1895 case 43 ... 49:
1896 /* Refer to the "SD Specifications Part3 Security Specification" for
1897 * information about the SD Security Features.
1898 */
1899 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1900 req.cmd);
1901 return sd_illegal;
1902
1903 default:
1904 /* Fall back to standard commands. */
1905 return sd_normal_command(sd, req);
1906 }
1907
1908 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1909 return sd_illegal;
1910 }
1911
cmd_valid_while_locked(SDState * sd,const uint8_t cmd)1912 static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1913 {
1914 /* Valid commands in locked state:
1915 * basic class (0)
1916 * lock card class (7)
1917 * CMD16
1918 * implicitly, the ACMD prefix CMD55
1919 * ACMD41 and ACMD42
1920 * Anything else provokes an "illegal command" response.
1921 */
1922 if (sd->expecting_acmd) {
1923 return cmd == 41 || cmd == 42;
1924 }
1925 if (cmd == 16 || cmd == 55) {
1926 return 1;
1927 }
1928 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1929 }
1930
sd_do_command(SDState * sd,SDRequest * req,uint8_t * response)1931 int sd_do_command(SDState *sd, SDRequest *req,
1932 uint8_t *response) {
1933 int last_state;
1934 sd_rsp_type_t rtype;
1935 int rsplen;
1936
1937 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1938 return 0;
1939 }
1940
1941 if (sd_req_crc_validate(req)) {
1942 sd->card_status |= COM_CRC_ERROR;
1943 rtype = sd_illegal;
1944 goto send_response;
1945 }
1946
1947 if (req->cmd >= SDMMC_CMD_MAX) {
1948 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1949 req->cmd);
1950 req->cmd &= 0x3f;
1951 }
1952
1953 if (sd->card_status & CARD_IS_LOCKED) {
1954 if (!cmd_valid_while_locked(sd, req->cmd)) {
1955 sd->card_status |= ILLEGAL_COMMAND;
1956 sd->expecting_acmd = false;
1957 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1958 rtype = sd_illegal;
1959 goto send_response;
1960 }
1961 }
1962
1963 last_state = sd->state;
1964 sd_set_mode(sd);
1965
1966 if (sd->expecting_acmd) {
1967 sd->expecting_acmd = false;
1968 rtype = sd_app_command(sd, *req);
1969 } else {
1970 rtype = sd_normal_command(sd, *req);
1971 }
1972
1973 if (rtype == sd_illegal) {
1974 sd->card_status |= ILLEGAL_COMMAND;
1975 } else {
1976 /* Valid command, we can update the 'state before command' bits.
1977 * (Do this now so they appear in r1 responses.)
1978 */
1979 sd->current_cmd = req->cmd;
1980 sd->card_status &= ~CURRENT_STATE;
1981 sd->card_status |= (last_state << 9);
1982 }
1983
1984 send_response:
1985 switch (rtype) {
1986 case sd_r1:
1987 case sd_r1b:
1988 sd_response_r1_make(sd, response);
1989 rsplen = 4;
1990 break;
1991
1992 case sd_r2_i:
1993 memcpy(response, sd->cid, sizeof(sd->cid));
1994 rsplen = 16;
1995 break;
1996
1997 case sd_r2_s:
1998 memcpy(response, sd->csd, sizeof(sd->csd));
1999 rsplen = 16;
2000 break;
2001
2002 case sd_r3:
2003 sd_response_r3_make(sd, response);
2004 rsplen = 4;
2005 break;
2006
2007 case sd_r6:
2008 sd_response_r6_make(sd, response);
2009 rsplen = 4;
2010 break;
2011
2012 case sd_r7:
2013 sd_response_r7_make(sd, response);
2014 rsplen = 4;
2015 break;
2016
2017 case sd_r0:
2018 case sd_illegal:
2019 rsplen = 0;
2020 break;
2021 default:
2022 g_assert_not_reached();
2023 }
2024 trace_sdcard_response(sd_response_name(rtype), rsplen);
2025
2026 if (rtype != sd_illegal) {
2027 /* Clear the "clear on valid command" status bits now we've
2028 * sent any response
2029 */
2030 sd->card_status &= ~CARD_STATUS_B;
2031 }
2032
2033 #ifdef DEBUG_SD
2034 qemu_hexdump(stderr, "Response", response, rsplen);
2035 #endif
2036
2037 return rsplen;
2038 }
2039
sd_write_byte(SDState * sd,uint8_t value)2040 void sd_write_byte(SDState *sd, uint8_t value)
2041 {
2042 int i;
2043
2044 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2045 return;
2046
2047 if (sd->state != sd_receivingdata_state) {
2048 qemu_log_mask(LOG_GUEST_ERROR,
2049 "%s: not in Receiving-Data state\n", __func__);
2050 return;
2051 }
2052
2053 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2054 return;
2055
2056 trace_sdcard_write_data(sd_proto(sd)->name,
2057 sd_acmd_name(sd->current_cmd),
2058 sd->current_cmd, value);
2059 switch (sd->current_cmd) {
2060 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
2061 sd->data[sd->data_offset ++] = value;
2062 if (sd->data_offset >= sd->blk_len) {
2063 /* TODO: Check CRC before committing */
2064 sd->state = sd_programming_state;
2065 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
2066 sd->blk_written ++;
2067 sd->csd[14] |= 0x40;
2068 /* Bzzzzzzztt .... Operation complete. */
2069 sd->state = sd_transfer_state;
2070 }
2071 break;
2072
2073 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
2074 if (sd->data_offset == 0) {
2075 /* Start of the block - let's check the address is valid */
2076 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
2077 sd->data_start, sd->blk_len)) {
2078 break;
2079 }
2080 if (sd->size <= SDSC_MAX_CAPACITY) {
2081 if (sd_wp_addr(sd, sd->data_start)) {
2082 sd->card_status |= WP_VIOLATION;
2083 break;
2084 }
2085 }
2086 }
2087 sd->data[sd->data_offset++] = value;
2088 if (sd->data_offset >= sd->blk_len) {
2089 /* TODO: Check CRC before committing */
2090 sd->state = sd_programming_state;
2091 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
2092 sd->blk_written++;
2093 sd->data_start += sd->blk_len;
2094 sd->data_offset = 0;
2095 sd->csd[14] |= 0x40;
2096
2097 /* Bzzzzzzztt .... Operation complete. */
2098 if (sd->multi_blk_cnt != 0) {
2099 if (--sd->multi_blk_cnt == 0) {
2100 /* Stop! */
2101 sd->state = sd_transfer_state;
2102 break;
2103 }
2104 }
2105
2106 sd->state = sd_receivingdata_state;
2107 }
2108 break;
2109
2110 case 26: /* CMD26: PROGRAM_CID */
2111 sd->data[sd->data_offset ++] = value;
2112 if (sd->data_offset >= sizeof(sd->cid)) {
2113 /* TODO: Check CRC before committing */
2114 sd->state = sd_programming_state;
2115 for (i = 0; i < sizeof(sd->cid); i ++)
2116 if ((sd->cid[i] | 0x00) != sd->data[i])
2117 sd->card_status |= CID_CSD_OVERWRITE;
2118
2119 if (!(sd->card_status & CID_CSD_OVERWRITE))
2120 for (i = 0; i < sizeof(sd->cid); i ++) {
2121 sd->cid[i] |= 0x00;
2122 sd->cid[i] &= sd->data[i];
2123 }
2124 /* Bzzzzzzztt .... Operation complete. */
2125 sd->state = sd_transfer_state;
2126 }
2127 break;
2128
2129 case 27: /* CMD27: PROGRAM_CSD */
2130 sd->data[sd->data_offset ++] = value;
2131 if (sd->data_offset >= sizeof(sd->csd)) {
2132 /* TODO: Check CRC before committing */
2133 sd->state = sd_programming_state;
2134 for (i = 0; i < sizeof(sd->csd); i ++)
2135 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
2136 (sd->data[i] | sd_csd_rw_mask[i]))
2137 sd->card_status |= CID_CSD_OVERWRITE;
2138
2139 /* Copy flag (OTP) & Permanent write protect */
2140 if (sd->csd[14] & ~sd->data[14] & 0x60)
2141 sd->card_status |= CID_CSD_OVERWRITE;
2142
2143 if (!(sd->card_status & CID_CSD_OVERWRITE))
2144 for (i = 0; i < sizeof(sd->csd); i ++) {
2145 sd->csd[i] |= sd_csd_rw_mask[i];
2146 sd->csd[i] &= sd->data[i];
2147 }
2148 /* Bzzzzzzztt .... Operation complete. */
2149 sd->state = sd_transfer_state;
2150 }
2151 break;
2152
2153 case 42: /* CMD42: LOCK_UNLOCK */
2154 sd->data[sd->data_offset ++] = value;
2155 if (sd->data_offset >= sd->blk_len) {
2156 /* TODO: Check CRC before committing */
2157 sd->state = sd_programming_state;
2158 sd_lock_command(sd);
2159 /* Bzzzzzzztt .... Operation complete. */
2160 sd->state = sd_transfer_state;
2161 }
2162 break;
2163
2164 case 56: /* CMD56: GEN_CMD */
2165 sd->data[sd->data_offset ++] = value;
2166 if (sd->data_offset >= sd->blk_len) {
2167 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
2168 sd->state = sd_transfer_state;
2169 }
2170 break;
2171
2172 default:
2173 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2174 break;
2175 }
2176 }
2177
2178 #define SD_TUNING_BLOCK_SIZE 64
2179
2180 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
2181 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
2182 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
2183 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
2184 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
2185 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
2186 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
2187 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
2188 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
2189 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
2190 };
2191
2192 #define EXCSD_BUS_WIDTH_OFFSET 183
2193 #define BUS_WIDTH_8_MASK 0x4
2194 #define BUS_WIDTH_4_MASK 0x2
2195 #define MMC_TUNING_BLOCK_SIZE 128
2196
2197 static const uint8_t mmc_tuning_block_pattern[128] = {
2198 0xff, 0xff, 0x00, 0xff, 0xff, 0xff, 0x00, 0x00,
2199 0xff, 0xff, 0xcc, 0xcc, 0xcc, 0x33, 0xcc, 0xcc,
2200 0xcc, 0x33, 0x33, 0xcc, 0xcc, 0xcc, 0xff, 0xff,
2201 0xff, 0xee, 0xff, 0xff, 0xff, 0xee, 0xee, 0xff,
2202 0xff, 0xff, 0xdd, 0xff, 0xff, 0xff, 0xdd, 0xdd,
2203 0xff, 0xff, 0xff, 0xbb, 0xff, 0xff, 0xff, 0xbb,
2204 0xbb, 0xff, 0xff, 0xff, 0x77, 0xff, 0xff, 0xff,
2205 0x77, 0x77, 0xff, 0x77, 0xbb, 0xdd, 0xee, 0xff,
2206 0xff, 0xff, 0xff, 0x00, 0xff, 0xff, 0xff, 0x00,
2207 0x00, 0xff, 0xff, 0xcc, 0xcc, 0xcc, 0x33, 0xcc,
2208 0xcc, 0xcc, 0x33, 0x33, 0xcc, 0xcc, 0xcc, 0xff,
2209 0xff, 0xff, 0xee, 0xff, 0xff, 0xff, 0xee, 0xee,
2210 0xff, 0xff, 0xff, 0xdd, 0xff, 0xff, 0xff, 0xdd,
2211 0xdd, 0xff, 0xff, 0xff, 0xbb, 0xff, 0xff, 0xff,
2212 0xbb, 0xbb, 0xff, 0xff, 0xff, 0x77, 0xff, 0xff,
2213 0xff, 0x77, 0x77, 0xff, 0x77, 0xbb, 0xdd, 0xee,
2214 };
2215
sd_read_byte(SDState * sd)2216 uint8_t sd_read_byte(SDState *sd)
2217 {
2218 /* TODO: Append CRCs */
2219 uint8_t ret;
2220 uint32_t io_len;
2221
2222 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2223 return 0x00;
2224
2225 if (sd->state != sd_sendingdata_state) {
2226 qemu_log_mask(LOG_GUEST_ERROR,
2227 "%s: not in Sending-Data state\n", __func__);
2228 return 0x00;
2229 }
2230
2231 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2232 return 0x00;
2233
2234 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
2235
2236 trace_sdcard_read_data(sd_proto(sd)->name,
2237 sd_acmd_name(sd->current_cmd),
2238 sd->current_cmd, io_len);
2239 switch (sd->current_cmd) {
2240 case 6: /* CMD6: SWITCH_FUNCTION */
2241 ret = sd->data[sd->data_offset ++];
2242
2243 if (sd->data_offset >= 64)
2244 sd->state = sd_transfer_state;
2245 break;
2246
2247 case 8: /* CMD8: SEND_EXT_CSD on MMC */
2248 ret = sd->data[sd->data_offset++];
2249
2250 if (sd->data_offset >= sizeof(sd->ext_csd)) {
2251 sd->state = sd_transfer_state;
2252 }
2253 break;
2254
2255 case 9: /* CMD9: SEND_CSD */
2256 case 10: /* CMD10: SEND_CID */
2257 ret = sd->data[sd->data_offset ++];
2258
2259 if (sd->data_offset >= 16)
2260 sd->state = sd_transfer_state;
2261 break;
2262
2263 case 13: /* ACMD13: SD_STATUS */
2264 ret = sd->sd_status[sd->data_offset ++];
2265
2266 if (sd->data_offset >= sizeof(sd->sd_status))
2267 sd->state = sd_transfer_state;
2268 break;
2269
2270 case 17: /* CMD17: READ_SINGLE_BLOCK */
2271 if (sd->data_offset == 0)
2272 BLK_READ_BLOCK(sd->data_start, io_len);
2273 ret = sd->data[sd->data_offset ++];
2274
2275 if (sd->data_offset >= io_len)
2276 sd->state = sd_transfer_state;
2277 break;
2278
2279 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2280 if (sd->data_offset == 0) {
2281 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2282 sd->data_start, io_len)) {
2283 return 0x00;
2284 }
2285 BLK_READ_BLOCK(sd->data_start, io_len);
2286 }
2287 ret = sd->data[sd->data_offset ++];
2288
2289 if (sd->data_offset >= io_len) {
2290 sd->data_start += io_len;
2291 sd->data_offset = 0;
2292
2293 if (sd->multi_blk_cnt != 0) {
2294 if (--sd->multi_blk_cnt == 0) {
2295 /* Stop! */
2296 sd->state = sd_transfer_state;
2297 break;
2298 }
2299 }
2300 }
2301 break;
2302
2303 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2304 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2305 sd->state = sd_transfer_state;
2306 }
2307 ret = sd_tuning_block_pattern[sd->data_offset++];
2308 break;
2309
2310 case 21: /* CMD21: SEND_TUNING_BLOCK (MMC) */
2311 if (sd->data_offset >= MMC_TUNING_BLOCK_SIZE - 1) {
2312 sd->state = sd_transfer_state;
2313 }
2314 if (sd->ext_csd[EXCSD_BUS_WIDTH_OFFSET] & BUS_WIDTH_8_MASK) {
2315 ret = mmc_tuning_block_pattern[sd->data_offset++];
2316 } else {
2317 /*
2318 * Return LSB Nibbles of two byte from the 8bit tuning
2319 * block for 4bit mode
2320 */
2321 ret = mmc_tuning_block_pattern[sd->data_offset++] & 0x0F;
2322 ret |= (mmc_tuning_block_pattern[sd->data_offset++] & 0x0F) << 4;
2323 }
2324 break;
2325
2326 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2327 ret = sd->data[sd->data_offset ++];
2328
2329 if (sd->data_offset >= 4)
2330 sd->state = sd_transfer_state;
2331 break;
2332
2333 case 30: /* CMD30: SEND_WRITE_PROT */
2334 ret = sd->data[sd->data_offset ++];
2335
2336 if (sd->data_offset >= 4)
2337 sd->state = sd_transfer_state;
2338 break;
2339
2340 case 51: /* ACMD51: SEND_SCR */
2341 ret = sd->scr[sd->data_offset ++];
2342
2343 if (sd->data_offset >= sizeof(sd->scr))
2344 sd->state = sd_transfer_state;
2345 break;
2346
2347 case 56: /* CMD56: GEN_CMD */
2348 if (sd->data_offset == 0)
2349 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2350 ret = sd->data[sd->data_offset ++];
2351
2352 if (sd->data_offset >= sd->blk_len)
2353 sd->state = sd_transfer_state;
2354 break;
2355
2356 default:
2357 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2358 return 0x00;
2359 }
2360
2361 return ret;
2362 }
2363
sd_receive_ready(SDState * sd)2364 static bool sd_receive_ready(SDState *sd)
2365 {
2366 return sd->state == sd_receivingdata_state;
2367 }
2368
sd_data_ready(SDState * sd)2369 static bool sd_data_ready(SDState *sd)
2370 {
2371 return sd->state == sd_sendingdata_state;
2372 }
2373
sd_enable(SDState * sd,bool enable)2374 void sd_enable(SDState *sd, bool enable)
2375 {
2376 sd->enable = enable;
2377 }
2378
2379 static const SDProto sd_proto_spi = {
2380 .name = "SPI",
2381 .cmd = {
2382 [0] = sd_cmd_GO_IDLE_STATE,
2383 [1] = sd_cmd_SEND_OP_CMD,
2384 [2 ... 4] = sd_cmd_illegal,
2385 [5] = sd_cmd_illegal,
2386 [7] = sd_cmd_illegal,
2387 [15] = sd_cmd_illegal,
2388 [26] = sd_cmd_illegal,
2389 [52 ... 54] = sd_cmd_illegal,
2390 },
2391 .acmd = {
2392 [6] = sd_cmd_unimplemented,
2393 [41] = sd_cmd_SEND_OP_CMD,
2394 },
2395 };
2396
2397 static const SDProto sd_proto_sd = {
2398 .name = "SD",
2399 .cmd = {
2400 [0] = sd_cmd_GO_IDLE_STATE,
2401 [1] = sd_cmd_illegal,
2402 [2] = sd_cmd_ALL_SEND_CID,
2403 [3] = sd_cmd_SEND_RELATIVE_ADDR,
2404 [5] = sd_cmd_illegal,
2405 [19] = sd_cmd_SEND_TUNING_BLOCK,
2406 [23] = sd_cmd_SET_BLOCK_COUNT,
2407 [52 ... 54] = sd_cmd_illegal,
2408 [58] = sd_cmd_illegal,
2409 [59] = sd_cmd_illegal,
2410 },
2411 };
2412
emmc_cmd_SEND_OP_CMD(SDState * sd,SDRequest req)2413 static sd_rsp_type_t emmc_cmd_SEND_OP_CMD(SDState *sd, SDRequest req)
2414 {
2415 sd_ocr_powerup(sd);
2416 return sd->state == sd_idle_state ? sd_r3 : sd_r0;
2417 }
2418
emmc_cmd_ALL_SEND_CID(SDState * sd,SDRequest req)2419 static sd_rsp_type_t emmc_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
2420 {
2421 if (sd->state != sd_ready_state && sd->state != sd_idle_state) {
2422 return sd_invalid_state_for_cmd(sd, req);
2423 }
2424
2425 sd->state = sd_identification_state;
2426
2427 return sd_r2_i;
2428 }
2429
emmc_cmd_SEND_EXT_CSD(SDState * sd,SDRequest req)2430 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req)
2431 {
2432 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
2433
2434 switch (sd->state) {
2435 case sd_transfer_state:
2436 /* MMC : Sends the EXT_CSD register as a Block of data */
2437 sd->state = sd_sendingdata_state;
2438 memcpy(sd->data, sd->ext_csd, sizeof(sd->ext_csd));
2439 sd->data_start = addr;
2440 sd->data_offset = 0;
2441 return sd_r1;
2442 default:
2443 return sd_invalid_state_for_cmd(sd, req);
2444 }
2445 }
2446
emmc_cmd_APP_CMD(SDState * sd,SDRequest req)2447 static sd_rsp_type_t emmc_cmd_APP_CMD(SDState *sd, SDRequest req)
2448 {
2449 return sd_r0;
2450 }
2451
emmc_cmd_SEND_TUNING_BLOCK(SDState * sd,SDRequest req)2452 static sd_rsp_type_t emmc_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
2453 {
2454 if (sd->state != sd_transfer_state) {
2455 sd_invalid_state_for_cmd(sd, req);
2456 }
2457
2458 sd->state = sd_sendingdata_state;
2459 sd->data_offset = 0;
2460 return sd_r1;
2461 }
2462
emmc_cmd_SWITCH_FUNCTION(SDState * sd,SDRequest req)2463 static sd_rsp_type_t emmc_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req)
2464 {
2465 switch (sd->state) {
2466 case sd_transfer_state:
2467 sd->state = sd_programming_state;
2468 mmc_function_switch(sd, req.arg);
2469 sd->state = sd_transfer_state;
2470 return sd_r1b;
2471 default:
2472 return sd_invalid_state_for_cmd(sd, req);
2473 }
2474 }
2475
2476 static const SDProto sd_proto_emmc = {
2477 .name = "eMMC",
2478 .cmd = {
2479 [0] = sd_cmd_GO_IDLE_STATE,
2480 [1] = emmc_cmd_SEND_OP_CMD,
2481 [2] = emmc_cmd_ALL_SEND_CID,
2482 [3] = emmc_cmd_SEND_RELATIVE_ADDR,
2483 [5] = sd_cmd_illegal,
2484 [6] = emmc_cmd_SWITCH_FUNCTION,
2485 [8] = emmc_cmd_SEND_EXT_CSD,
2486 [19] = sd_cmd_SEND_TUNING_BLOCK,
2487 [23] = sd_cmd_SET_BLOCK_COUNT,
2488 [21] = emmc_cmd_SEND_TUNING_BLOCK,
2489 [41] = sd_cmd_illegal,
2490 [52 ... 54] = sd_cmd_illegal,
2491 [55] = emmc_cmd_APP_CMD,
2492 [58] = sd_cmd_illegal,
2493 [59] = sd_cmd_illegal,
2494 },
2495 };
2496
sd_instance_init(Object * obj)2497 static void sd_instance_init(Object *obj)
2498 {
2499 SDState *sd = SD_CARD(obj);
2500
2501 sd->enable = true;
2502 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2503 }
2504
sd_instance_finalize(Object * obj)2505 static void sd_instance_finalize(Object *obj)
2506 {
2507 SDState *sd = SD_CARD(obj);
2508
2509 timer_free(sd->ocr_power_timer);
2510 }
2511
sd_realize(DeviceState * dev,Error ** errp)2512 static void sd_realize(DeviceState *dev, Error **errp)
2513 {
2514 SDState *sd = SD_CARD(dev);
2515 int ret;
2516
2517 switch (sd->spec_version) {
2518 case SD_PHY_SPECv1_10_VERS
2519 ... SD_PHY_SPECv3_01_VERS:
2520 break;
2521 default:
2522 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2523 return;
2524 }
2525
2526 if (sd->blk) {
2527 int64_t blk_size;
2528
2529 if (!blk_supports_write_perm(sd->blk)) {
2530 error_setg(errp, "Cannot use read-only drive as SD card");
2531 return;
2532 }
2533
2534 blk_size = blk_getlength(sd->blk);
2535 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2536 int64_t blk_size_aligned = pow2ceil(blk_size);
2537 char *blk_size_str;
2538
2539 blk_size_str = size_to_str(blk_size);
2540 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2541 g_free(blk_size_str);
2542
2543 blk_size_str = size_to_str(blk_size_aligned);
2544 error_append_hint(errp,
2545 "SD card size has to be a power of 2, e.g. %s.\n"
2546 "You can resize disk images with"
2547 " 'qemu-img resize <imagefile> <new-size>'\n"
2548 "(note that this will lose data if you make the"
2549 " image smaller than it currently is).\n",
2550 blk_size_str);
2551 g_free(blk_size_str);
2552
2553 return;
2554 }
2555
2556 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2557 BLK_PERM_ALL, errp);
2558 if (ret < 0) {
2559 return;
2560 }
2561 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2562 }
2563 }
2564
2565 static Property sd_properties[] = {
2566 DEFINE_PROP_UINT8("spec_version", SDState,
2567 spec_version, SD_PHY_SPECv2_00_VERS),
2568 DEFINE_PROP_DRIVE("drive", SDState, blk),
2569 /* We do not model the chip select pin, so allow the board to select
2570 * whether card should be in SSI or MMC/SD mode. It is also up to the
2571 * board to ensure that ssi transfers only occur when the chip select
2572 * is asserted. */
2573 DEFINE_PROP_UINT8("boot-config", SDState, boot_config, 0x0),
2574 DEFINE_PROP_END_OF_LIST()
2575 };
2576
sd_class_init(ObjectClass * klass,void * data)2577 static void sd_class_init(ObjectClass *klass, void *data)
2578 {
2579 DeviceClass *dc = DEVICE_CLASS(klass);
2580 SDCardClass *sc = SD_CARD_CLASS(klass);
2581
2582 dc->realize = sd_realize;
2583 device_class_set_props(dc, sd_properties);
2584 dc->vmsd = &sd_vmstate;
2585 dc->reset = sd_reset;
2586 dc->bus_type = TYPE_SD_BUS;
2587 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2588
2589 sc->set_voltage = sd_set_voltage;
2590 sc->get_dat_lines = sd_get_dat_lines;
2591 sc->get_cmd_line = sd_get_cmd_line;
2592 sc->do_command = sd_do_command;
2593 sc->write_byte = sd_write_byte;
2594 sc->read_byte = sd_read_byte;
2595 sc->receive_ready = sd_receive_ready;
2596 sc->data_ready = sd_data_ready;
2597 sc->enable = sd_enable;
2598 sc->get_inserted = sd_get_inserted;
2599 sc->get_readonly = sd_get_readonly;
2600 sc->proto = &sd_proto_sd;
2601 }
2602
2603 /*
2604 * We do not model the chip select pin, so allow the board to select
2605 * whether card should be in SSI or MMC/SD mode. It is also up to the
2606 * board to ensure that ssi transfers only occur when the chip select
2607 * is asserted.
2608 */
sd_spi_class_init(ObjectClass * klass,void * data)2609 static void sd_spi_class_init(ObjectClass *klass, void *data)
2610 {
2611 DeviceClass *dc = DEVICE_CLASS(klass);
2612 SDCardClass *sc = SD_CARD_CLASS(klass);
2613
2614 dc->desc = "SD SPI";
2615 sc->proto = &sd_proto_spi;
2616 }
2617
emmc_realize(DeviceState * dev,Error ** errp)2618 static void emmc_realize(DeviceState *dev, Error **errp)
2619 {
2620 SDState *sd = SD_CARD(dev);
2621
2622 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
2623 error_setg(errp, "Minimum spec for eMMC is v3.01");
2624 return;
2625 }
2626
2627 sd_realize(dev, errp);
2628 }
2629
emmc_class_init(ObjectClass * klass,void * data)2630 static void emmc_class_init(ObjectClass *klass, void *data)
2631 {
2632 DeviceClass *dc = DEVICE_CLASS(klass);
2633 SDCardClass *sc = SD_CARD_CLASS(klass);
2634
2635 dc->desc = "eMMC";
2636 dc->realize = emmc_realize;
2637 sc->proto = &sd_proto_emmc;
2638 sc->set_csd = sd_emmc_set_csd;
2639 sc->bootpart_offset = sd_emmc_bootpart_offset;
2640 }
2641
2642 static const TypeInfo sd_types[] = {
2643 {
2644 .name = TYPE_SD_CARD,
2645 .parent = TYPE_DEVICE,
2646 .instance_size = sizeof(SDState),
2647 .class_size = sizeof(SDCardClass),
2648 .class_init = sd_class_init,
2649 .instance_init = sd_instance_init,
2650 .instance_finalize = sd_instance_finalize,
2651 },
2652 {
2653 .name = TYPE_SD_CARD_SPI,
2654 .parent = TYPE_SD_CARD,
2655 .class_init = sd_spi_class_init,
2656 },
2657 {
2658 .name = TYPE_EMMC,
2659 .parent = TYPE_SD_CARD,
2660 .class_init = emmc_class_init,
2661 },
2662 };
2663
2664 DEFINE_TYPES(sd_types)
2665