xref: /openbmc/qemu/hw/sd/sd.c (revision 0807162e601c655e4f08bc736193255a1189d29d)
1 /*
2  * SD Memory Card emulation as defined in the "SD Memory Card Physical
3  * layer specification, Version 2.00."
4  *
5  * Copyright (c) 2006 Andrzej Zaborowski  <balrog@zabor.org>
6  * Copyright (c) 2007 CodeSourcery
7  * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23  * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR
24  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "qemu/error-report.h"
46 #include "qemu/timer.h"
47 #include "qemu/log.h"
48 #include "qemu/module.h"
49 #include "sdmmc-internal.h"
50 #include "trace.h"
51 
52 //#define DEBUG_SD 1
53 
/*
 * Largest image treated as Standard Capacity (SDSC). Anything bigger is
 * reported as SDHC: sd_ocr_powerup() sets OCR.CARD_CAPACITY and
 * sd_set_csd() emits the CSD v2 layout for sizes above this threshold.
 */
#define SDSC_MAX_CAPACITY   (2 * GiB)
55 
/*
 * Response type returned by the command handlers. Non-negative values index
 * sd_response_name(); the two negative values are flags rather than formats:
 * sd_r1b is reported as R1 (plus busy), sd_illegal means "no response, set
 * ILLEGAL_COMMAND". Note there is no enumerator with value 5 (R4/R5 are
 * SDIO-only), so that slot of any table indexed by this type is unused.
 */
typedef enum {
    sd_r0 = 0,    /* no response */
    sd_r1,        /* normal response command */
    sd_r2_i,      /* CID register */
    sd_r2_s,      /* CSD register */
    sd_r3,        /* OCR register */
    sd_r6 = 6,    /* Published RCA response */
    sd_r7,        /* Operating voltage */
    sd_r1b = -1,
    sd_illegal = -2,
} sd_rsp_type_t;
67 
/*
 * Coarse operating mode, derived from the state machine by sd_set_mode():
 * the card is inactive, still being identified (idle/ready/identification),
 * or in data-transfer mode (every state from standby onwards).
 */
enum SDCardModes {
    sd_inactive,
    sd_card_identification_mode,
    sd_data_transfer_mode,
};
73 
/*
 * Card state machine. Values 0..8 double as the index into the name table
 * of sd_state_name(); sd_inactive_state is the one out-of-table value and
 * is special-cased there. sd_reset() returns the card to sd_idle_state.
 */
enum SDCardStates {
    sd_inactive_state = -1,
    sd_idle_state = 0,
    sd_ready_state,
    sd_identification_state,
    sd_standby_state,
    sd_transfer_state,
    sd_sendingdata_state,
    sd_receivingdata_state,
    sd_programming_state,
    sd_disconnect_state,
};
86 
/*
 * One emulated SD card. Everything the guest can observe through commands
 * lives here: sd_reset() reinitialises the register block and the transfer
 * bookkeeping, sd_vmstate lists what is migrated.
 */
struct SDState {
    DeviceState parent_obj;

    /* If true, created by sd_init() for a non-qdevified caller */
    /* TODO purge them with fire */
    bool me_no_qdev_me_kill_mammoth_with_rocks;

    /* SD Memory Card Registers */
    uint32_t ocr;           /* Operation Conditions Register (FIELD(OCR, ...)) */
    uint8_t scr[8];         /* SD Configuration Register, built by sd_set_scr() */
    uint8_t cid[16];        /* Card IDentification, built by sd_set_cid(); byte 15 is CRC7<<1|1 */
    uint8_t csd[16];        /* Card-Specific Data, built by sd_set_csd(); byte 15 is CRC7<<1|1 */
    uint16_t rca;           /* Relative Card Address: 0 after reset, bumped by sd_set_rca() */
    uint32_t card_status;   /* Card Status Register (FIELD(CSR, ...)) */
    uint8_t sd_status[64];  /* SD Status, zeroed by sd_set_sdstatus() */

    /* Configurable properties */
    uint8_t spec_version;   /* SD_PHY_SPECv* constant consulted by sd_set_scr() */
    BlockBackend *blk;      /* backing image; NULL means no medium */
    bool spi;               /* SPI mode: changes which commands/responses are legal */

    uint32_t mode;    /* current card mode, one of SDCardModes */
    int32_t state;    /* current card state, one of SDCardStates */
    uint32_t vhs;     /* value echoed in the R7 response (sd_response_r7_make) */
    bool wp_switch;   /* mechanical write-protect; set from blk_is_read_only() on reset */
    unsigned long *wp_groups;   /* bitmap, one bit per WPGROUP_SIZE group */
    int32_t wpgrps_size;        /* number of valid bits in wp_groups */
    uint64_t size;    /* capacity in bytes (backing image sectors << 9) */
    uint32_t blk_len; /* current block length, 0x200 after reset */
    uint32_t multi_blk_cnt;
    uint32_t erase_start;   /* erase range as given by the guest; 0 means "not set"
                             * (sd_erase). Byte address on SDSC, 512-byte block
                             * number on SDHC/SDXC. */
    uint32_t erase_end;
    uint8_t pwd[16];        /* CMD42 lock password and its length (sd_lock_command) */
    uint32_t pwd_len;
    uint8_t function_group[6];  /* CMD6 selections, one per group (sd_function_switch) */
    uint8_t current_cmd;
    /* True if we will handle the next command as an ACMD. Note that this does
     * *not* track the APP_CMD status bit!
     */
    bool expecting_acmd;
    uint32_t blk_written;
    uint64_t data_start;
    uint32_t data_offset;
    uint8_t data[512];      /* single block buffer, also used for the CMD6 status
                             * block and as the CMD42 payload */
    qemu_irq readonly_cb;   /* legacy sd_init() callbacks, wired by sd_set_cb() */
    qemu_irq inserted_cb;
    QEMUTimer *ocr_power_timer; /* migrated only while OCR.CARD_POWER_UP is clear */
    const char *proto_name;
    bool enable;            /* when false, the dat/cmd line getters report 0/false */
    uint8_t dat_lines;
    bool cmd_line;
};
139 
/* Defined later in this file; sd_init() calls it directly (see there for why). */
static void sd_realize(DeviceState *dev, Error **errp);
141 
/*
 * Human-readable name of a card state, for tracing.
 * Any value outside enum SDCardStates is a programming error and aborts.
 */
static const char *sd_state_name(enum SDCardStates state)
{
    switch (state) {
    case sd_inactive_state:
        return "inactive";
    case sd_idle_state:
        return "idle";
    case sd_ready_state:
        return "ready";
    case sd_identification_state:
        return "identification";
    case sd_standby_state:
        return "standby";
    case sd_transfer_state:
        return "transfer";
    case sd_sendingdata_state:
        return "sendingdata";
    case sd_receivingdata_state:
        return "receivingdata";
    case sd_programming_state:
        return "programming";
    case sd_disconnect_state:
        return "disconnect";
    default:
        g_assert_not_reached();
    }
}
161 
/*
 * Human-readable name of a response type, for tracing. R1b is described as
 * R1 (it is R1 with a busy signal); sd_illegal has no format of its own.
 */
static const char *sd_response_name(sd_rsp_type_t rsp)
{
    static const char *const names[] = {
        [sd_r0]     = "RESP#0 (no response)",
        [sd_r1]     = "RESP#1 (normal cmd)",
        [sd_r2_i]   = "RESP#2 (CID reg)",
        [sd_r2_s]   = "RESP#2 (CSD reg)",
        [sd_r3]     = "RESP#3 (OCR reg)",
        [sd_r6]     = "RESP#6 (RCA)",
        [sd_r7]     = "RESP#7 (operating voltage)",
    };

    switch (rsp) {
    case sd_illegal:
        return "ILLEGAL RESP";
    case sd_r1b:
        rsp = sd_r1;
        break;
    default:
        break;
    }
    assert(rsp < ARRAY_SIZE(names));
    return names[rsp];
}
182 
/* DAT line levels as seen by the host; a disabled card drives nothing. */
static uint8_t sd_get_dat_lines(SDState *sd)
{
    if (!sd->enable) {
        return 0;
    }
    return sd->dat_lines;
}
187 
/* CMD line level as seen by the host; a disabled card drives nothing. */
static bool sd_get_cmd_line(SDState *sd)
{
    if (!sd->enable) {
        return false;
    }
    return sd->cmd_line;
}
192 
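/*
 * Host notifies the card of the supply voltage. Only the 3.0V and 3.3V
 * windows are accepted; anything else is a guest error. The value is not
 * stored: this emulation has no voltage-dependent behaviour, so the only
 * effects are the trace event and the log line.
 *
 * @millivolts: supply voltage in mV.
 */
static void sd_set_voltage(SDState *sd, uint16_t millivolts)
{
    trace_sdcard_set_voltage(millivolts);

    switch (millivolts) {
    case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
    case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
        break;
    default:
        /* qemu_log_mask() does not append a newline; terminate the line. */
        qemu_log_mask(LOG_GUEST_ERROR,
                      "SD card voltage not supported: %.3fV\n",
                      millivolts / 1000.f);
    }
}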
206 
/*
 * Recompute sd->mode from sd->state: inactive, card-identification
 * (idle..identification) or data-transfer (standby..disconnect).
 * A state outside those ranges leaves the mode untouched.
 */
static void sd_set_mode(SDState *sd)
{
    const int32_t st = sd->state;

    if (st == sd_inactive_state) {
        sd->mode = sd_inactive;
    } else if (st >= sd_idle_state && st <= sd_identification_state) {
        sd->mode = sd_card_identification_mode;
    } else if (st >= sd_standby_state && st <= sd_disconnect_state) {
        sd->mode = sd_data_transfer_mode;
    }
}
230 
/*
 * Command type (bc/bcr/ac/adtc) indexed by command number, 16 per row.
 * The consumer in this file uses only the ac/adtc distinction: for those
 * commands the upper 16 bits of the argument are an RCA. Index the table
 * only with values below SDMMC_CMD_MAX; the range check on the raw command
 * byte is expected to happen before the handlers run (not visible here).
 * NOTE(review): a few entries (e.g. CMD6, CMD42) do not match the class the
 * spec gives them; harmless for the RCA extraction, but confirm before
 * adding a consumer that relies on the type.
 */
static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
    sd_bc,   sd_none, sd_bcr,  sd_bcr,  sd_none, sd_none, sd_none, sd_ac,
    sd_bcr,  sd_ac,   sd_ac,   sd_adtc, sd_ac,   sd_ac,   sd_none, sd_ac,
    /* 16 */
    sd_ac,   sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
    sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac,   sd_ac,   sd_adtc, sd_none,
    /* 32 */
    sd_ac,   sd_ac,   sd_none, sd_none, sd_none, sd_none, sd_ac,   sd_none,
    sd_none, sd_none, sd_bc,   sd_none, sd_none, sd_none, sd_none, sd_none,
    /* 48 */
    sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
    sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
};
244 
/*
 * Command class indexed by command number, 16 per row. Used to reject
 * class 6 (write-protection, CMD28..31) on high-capacity cards, which have
 * no write-protect groups. Same indexing caveat as sd_cmd_type.
 */
static const int sd_cmd_class[SDMMC_CMD_MAX] = {
    0,  0,  0,  0,  0,  9, 10,  0,  0,  0,  0,  1,  0,  0,  0,  0,
    2,  2,  2,  2,  3,  3,  3,  3,  4,  4,  4,  4,  6,  6,  6,  6,
    5,  5, 10, 10, 10, 10,  5,  9,  9,  9,  7,  7,  7,  7,  7,  7,
    7,  7, 10,  7,  9,  9,  9,  8,  8, 10,  8,  8,  8,  8,  8,  8,
};
251 
/*
 * CRC-7 (x^7 + x^3 + 1) over @width bytes of @message, MSB first, as used
 * for the CID/CSD trailer and command/response tokens.
 *
 * The register is 8 bits wide: bit 7 is the bit shifted out in the current
 * step and 0x89 both cancels it and folds in the 0x09 polynomial. Callers
 * shift the result left and OR in the end bit, dropping bit 7.
 */
static uint8_t sd_crc7(void *message, size_t width)
{
    const uint8_t *bytes = message;
    uint8_t crc = 0;
    size_t n;

    for (n = 0; n < width; n++) {
        int bit;

        for (bit = 7; bit >= 0; bit--) {
            uint8_t in = (bytes[n] >> bit) & 1;

            crc <<= 1;
            if ((crc >> 7) ^ in) {
                crc ^= 0x89;
            }
        }
    }

    return crc;
}
267 
/*
 * 16-bit CRC appended to a data block (see sd_function_switch()).
 *
 * NOTE(review): the loop walks 16-bit words and "width <<= 1" doubles the
 * word count, so it consumes 4 * @width bytes, not @width. The single caller
 * passes 64 while sd->data is 512 bytes, which keeps it in bounds, but any
 * new caller must size its buffer accordingly. Reading host-endian uint16_t
 * from a byte buffer also makes the bit order, and therefore the result,
 * depend on host endianness, and 0x1011 is not the x^16+x^12+x^5+1 (0x1021)
 * polynomial the SD spec uses for data CRC. Confirm before relying on this
 * value for anything beyond filling the trailing bytes.
 */
static uint16_t sd_crc16(void *message, size_t width)
{
    int i, bit;
    uint16_t shift_reg = 0x0000;
    uint16_t *msg = (uint16_t *) message;
    width <<= 1;

    for (i = 0; i < width; i ++, msg ++)
        for (bit = 15; bit >= 0; bit --) {
            shift_reg <<= 1;
            if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
                shift_reg ^= 0x1011;
        }

    return shift_reg;
}
284 
/* Delay before sd_ocr_powerup() fires after power-on; the timer is armed elsewhere. */
#define OCR_POWER_DELAY_NS      500000 /* 0.5ms */
286 
/* OCR register layout (bit offset, width). Generates R_OCR_*_MASK/SHIFT. */
FIELD(OCR, VDD_VOLTAGE_WINDOW,          0, 24)
FIELD(OCR, VDD_VOLTAGE_WIN_LO,          0,  8)
FIELD(OCR, DUAL_VOLTAGE_CARD,           7,  1)
FIELD(OCR, VDD_VOLTAGE_WIN_HI,          8, 16)
FIELD(OCR, ACCEPT_SWITCH_1V8,          24,  1) /* Only UHS-I */
FIELD(OCR, UHS_II_CARD,                29,  1) /* Only UHS-II */
FIELD(OCR, CARD_CAPACITY,              30,  1) /* 0:SDSC, 1:SDHC/SDXC */
FIELD(OCR, CARD_POWER_UP,              31,  1)
295 
/* ACMD41 argument bits that make it an enquiry (voltage window only). */
#define ACMD41_ENQUIRY_MASK     0x00ffffff
/* OCR bits reported in an R3 response (sd_response_r3_make). */
#define ACMD41_R3_MASK          (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
                               | R_OCR_ACCEPT_SWITCH_1V8_MASK \
                               | R_OCR_UHS_II_CARD_MASK \
                               | R_OCR_CARD_CAPACITY_MASK \
                               | R_OCR_CARD_POWER_UP_MASK)
302 
/*
 * Reset value of the OCR: the whole upper VDD voltage window is advertised
 * as supported, power-up and capacity bits are clear until sd_ocr_powerup().
 */
static void sd_set_ocr(SDState *sd)
{
    uint32_t ocr = 0;

    ocr = FIELD_DP32(ocr, OCR, VDD_VOLTAGE_WIN_HI, 0xffff);
    sd->ocr = ocr;
}
308 
/*
 * Timer callback (also run from migration pre_load): mark the card powered
 * up and, for images above SDSC_MAX_CAPACITY, advertise high capacity.
 * Must not be called twice without a reset in between.
 *
 * @opaque: the SDState.
 */
static void sd_ocr_powerup(void *opaque)
{
    SDState *sd = opaque;
    uint32_t ocr = sd->ocr;

    trace_sdcard_powerup();
    assert(!FIELD_EX32(ocr, OCR, CARD_POWER_UP));

    ocr = FIELD_DP32(ocr, OCR, CARD_POWER_UP, 1);
    if (sd->size > SDSC_MAX_CAPACITY) {
        ocr = FIELD_DP32(ocr, OCR, CARD_CAPACITY, 1);
    }
    sd->ocr = ocr;
}
323 
/*
 * Build the 8-byte SCR from sd->spec_version:
 *   byte 0: SCR_STRUCTURE (v1.0) | SD_SPEC (1 = v1.10, 2 = v2.00/v3.0x)
 *   byte 1: security v1.01 (SDSC), bus widths 1 and 4
 *   byte 2: SD_SPEC3 flag for v3.0x, no extended security
 *   bytes 3..7: reserved / manufacturer, zero
 */
static void sd_set_scr(SDState *sd)
{
    uint8_t sd_spec = 2;

    if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
        sd_spec = 1;
    }

    memset(sd->scr, 0, sizeof(sd->scr));
    sd->scr[0] = (0 << 4) | sd_spec;
    sd->scr[1] = (2 << 4) | 0b0101;
    if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
        sd->scr[2] |= 1 << 7;
    }
}
345 
/* Fixed, fake identity written into the CID by sd_set_cid(). */
#define MID	0xaa
#define OID	"XY"
#define PNM	"QEMU!"
#define PRV	0x01
#define MDT_YR	2006
#define MDT_MON	2
352 
/*
 * Build the 16-byte CID: manufacturer ID, OEM ID, product name, revision,
 * a constant serial number, manufacture date and the CRC7 trailer with its
 * end bit. Every card looks identical to the guest.
 */
static void sd_set_cid(SDState *sd)
{
    uint8_t *cid = sd->cid;

    cid[0] = MID;                           /* MID */
    memcpy(&cid[1], OID, 2);                /* OID */
    memcpy(&cid[3], PNM, 5);                /* PNM */
    cid[8] = PRV;                           /* PRV */
    stl_be_p(&cid[9], 0xdeadbeef);          /* PSN */
    cid[13] = (MDT_YR - 2000) / 10;         /* MDT: decade, year, month */
    cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
    cid[15] = (sd_crc7(cid, 15) << 1) | 1;  /* CRC7 + end bit */
}
373 
/*
 * Geometry constants: 512-byte blocks, 32 blocks per erase sector (16 KiB),
 * 128 sectors per write-protect group, so WPGROUP_SIZE is 2 MiB and each
 * bit of sd->wp_groups covers that much (sd_addr_to_wpnum).
 */
#define HWBLOCK_SHIFT	9			/* 512 bytes */
#define SECTOR_SHIFT	5			/* 16 kilobytes */
#define WPGROUP_SHIFT	7			/* 2 megs */
#define CMULT_SHIFT	9			/* 512 times HWBLOCK_SIZE */
#define WPGROUP_SIZE	(1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
379 
/*
 * Bits of the CSD a guest may change: only parts of bytes 14 and 15.
 * Not referenced in the visible part of this file; presumably applied by
 * the PROGRAM_CSD (CMD27) handler.
 */
static const uint8_t sd_csd_rw_mask[16] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
};
384 
/*
 * Build the CSD for a card of @size bytes. Up to SDSC_MAX_CAPACITY the
 * CSD v1.0 layout is used (capacity = (C_SIZE + 1) * 512 * 512 bytes with
 * 512-byte blocks); above it the v2.0 layout with C_SIZE in 512 KiB units.
 *
 * NOTE(review): in the v1.0 layout C_SIZE is spread over 12 bits (2 in
 * byte 6, 8 in byte 7, 2 in byte 8), so the largest representable capacity
 * is 4096 * 512 * 512 = 1 GiB; for images between 1 GiB and 2 GiB the
 * computed csize is silently truncated and the advertised capacity is wrong.
 * Either lower SDSC_MAX_CAPACITY or use a 1024-byte block length for those
 * sizes -- confirm which behaviour guests expect before changing it.
 */
static void sd_set_csd(SDState *sd, uint64_t size)
{
    uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
    uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
    uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;

    if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
        sd->csd[0] = 0x00;	/* CSD structure */
        sd->csd[1] = 0x26;	/* Data read access-time-1 */
        sd->csd[2] = 0x00;	/* Data read access-time-2 */
        sd->csd[3] = 0x32;      /* Max. data transfer rate: 25 MHz */
        sd->csd[4] = 0x5f;	/* Card Command Classes */
        sd->csd[5] = 0x50 |	/* Max. read data block length */
            HWBLOCK_SHIFT;
        sd->csd[6] = 0xe0 |	/* Partial block for read allowed */
            ((csize >> 10) & 0x03);
        sd->csd[7] = 0x00 |	/* Device size */
            ((csize >> 2) & 0xff);
        sd->csd[8] = 0x3f |	/* Max. read current */
            ((csize << 6) & 0xc0);
        sd->csd[9] = 0xfc |	/* Max. write current */
            ((CMULT_SHIFT - 2) >> 1);
        sd->csd[10] = 0x40 |	/* Erase sector size */
            (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
        sd->csd[11] = 0x00 |	/* Write protect group size */
            ((sectsize << 7) & 0x80) | wpsize;
        sd->csd[12] = 0x90 |	/* Write speed factor */
            (HWBLOCK_SHIFT >> 2);
        sd->csd[13] = 0x20 |	/* Max. write data block length */
            ((HWBLOCK_SHIFT << 6) & 0xc0);
        sd->csd[14] = 0x00;	/* File format group */
    } else {			/* SDHC */
        /* C_SIZE counts 512 KiB units minus one (v2.0 layout, bytes 7..9) */
        size /= 512 * KiB;
        size -= 1;
        sd->csd[0] = 0x40;
        sd->csd[1] = 0x0e;
        sd->csd[2] = 0x00;
        sd->csd[3] = 0x32;
        sd->csd[4] = 0x5b;
        sd->csd[5] = 0x59;
        sd->csd[6] = 0x00;
        sd->csd[7] = (size >> 16) & 0xff;
        sd->csd[8] = (size >> 8) & 0xff;
        sd->csd[9] = (size & 0xff);
        sd->csd[10] = 0x7f;
        sd->csd[11] = 0x80;
        sd->csd[12] = 0x0a;
        sd->csd[13] = 0x40;
        sd->csd[14] = 0x00;
    }
    /* CRC7 over bytes 0..14, shifted up with the end bit set */
    sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
}
437 
/*
 * Pick a new Relative Card Address for CMD3. The card chooses it: starting
 * from 0 after reset, every call adds a fixed step (wrapping at 16 bits).
 */
static void sd_set_rca(SDState *sd)
{
    sd->rca = (uint16_t)(sd->rca + 0x4567);
}
442 
/* Card Status Register layout (bit offset, width). Generates R_CSR_*_MASK. */
FIELD(CSR, AKE_SEQ_ERROR,               3,  1)
FIELD(CSR, APP_CMD,                     5,  1)
FIELD(CSR, FX_EVENT,                    6,  1)
FIELD(CSR, READY_FOR_DATA,              8,  1)
FIELD(CSR, CURRENT_STATE,               9,  4)
FIELD(CSR, ERASE_RESET,                13,  1)
FIELD(CSR, CARD_ECC_DISABLED,          14,  1)
FIELD(CSR, WP_ERASE_SKIP,              15,  1)
FIELD(CSR, CSD_OVERWRITE,              16,  1)
FIELD(CSR, DEFERRED_RESPONSE,          17,  1)
FIELD(CSR, ERROR,                      19,  1)
FIELD(CSR, CC_ERROR,                   20,  1)
FIELD(CSR, CARD_ECC_FAILED,            21,  1)
FIELD(CSR, ILLEGAL_COMMAND,            22,  1)
FIELD(CSR, COM_CRC_ERROR,              23,  1)
FIELD(CSR, LOCK_UNLOCK_FAILED,         24,  1)
FIELD(CSR, CARD_IS_LOCKED,             25,  1)
FIELD(CSR, WP_VIOLATION,               26,  1)
FIELD(CSR, ERASE_PARAM,                27,  1)
FIELD(CSR, ERASE_SEQ_ERROR,            28,  1)
FIELD(CSR, BLOCK_LEN_ERROR,            29,  1)
FIELD(CSR, ADDRESS_ERROR,              30,  1)
FIELD(CSR, OUT_OF_RANGE,               31,  1)
466 
/* Card status bits, split by clear condition:
 * A : According to the card current state
 * B : Always related to the previous command
 * C : Cleared by read
 *
 * Only CARD_STATUS_C is consumed in this file: the R1 and R6 response
 * builders clear (a subset of) these bits once they have been reported.
 */
#define CARD_STATUS_A           (R_CSR_READY_FOR_DATA_MASK \
                               | R_CSR_CARD_ECC_DISABLED_MASK \
                               | R_CSR_CARD_IS_LOCKED_MASK)
#define CARD_STATUS_B           (R_CSR_CURRENT_STATE_MASK \
                               | R_CSR_ILLEGAL_COMMAND_MASK \
                               | R_CSR_COM_CRC_ERROR_MASK)
#define CARD_STATUS_C           (R_CSR_AKE_SEQ_ERROR_MASK \
                               | R_CSR_APP_CMD_MASK \
                               | R_CSR_ERASE_RESET_MASK \
                               | R_CSR_WP_ERASE_SKIP_MASK \
                               | R_CSR_CSD_OVERWRITE_MASK \
                               | R_CSR_ERROR_MASK \
                               | R_CSR_CC_ERROR_MASK \
                               | R_CSR_CARD_ECC_FAILED_MASK \
                               | R_CSR_LOCK_UNLOCK_FAILED_MASK \
                               | R_CSR_WP_VIOLATION_MASK \
                               | R_CSR_ERASE_PARAM_MASK \
                               | R_CSR_ERASE_SEQ_ERROR_MASK \
                               | R_CSR_BLOCK_LEN_ERROR_MASK \
                               | R_CSR_ADDRESS_ERROR_MASK \
                               | R_CSR_OUT_OF_RANGE_MASK)
493 
/* Reset value of the Card Status Register: only READY_FOR_DATA set. */
static void sd_set_cardstatus(SDState *sd)
{
    sd->card_status = R_CSR_READY_FOR_DATA_MASK;
}
498 
/* Reset value of the SD Status register: all zero. */
static void sd_set_sdstatus(SDState *sd)
{
    memset(sd->sd_status, 0, sizeof(sd->sd_status));
}
503 
/*
 * Validate the CRC7 of an incoming command token.
 *
 * NOTE(review): the unconditional "return 0" makes the comparison below it
 * unreachable, so command CRCs are never checked and a corrupted token is
 * accepted as if it were valid; the buffer built above is dead code. This
 * looks deliberate (see the TODO) -- hosts that do not compute a CRC would
 * otherwise be rejected -- but it means COM_CRC_ERROR is never raised from
 * here. If the check is ever enabled, confirm how req->crc is encoded
 * (bare 7 bits vs. the on-wire (crc << 1) | 1 byte) before comparing.
 *
 * Returns 0 when the CRC is accepted (always, at present).
 */
static int sd_req_crc_validate(SDRequest *req)
{
    uint8_t buffer[5];
    buffer[0] = 0x40 | req->cmd;
    stl_be_p(&buffer[1], req->arg);
    return 0;
    return sd_crc7(buffer, 5) != req->crc;	/* TODO */
}
512 
/*
 * R1 response: the 32-bit card status, big-endian. Reporting it clears the
 * "clear on read" (type C) bits.
 */
static void sd_response_r1_make(SDState *sd, uint8_t *response)
{
    const uint32_t status = sd->card_status;

    stl_be_p(response, status);
    sd->card_status = status & ~CARD_STATUS_C;
}
520 
/* R3 response: the OCR, restricted to the bits ACMD41 is allowed to report. */
static void sd_response_r3_make(SDState *sd, uint8_t *response)
{
    const uint32_t ocr = sd->ocr & ACMD41_R3_MASK;

    stl_be_p(response, ocr);
}
525 
/*
 * R6 response (published RCA): 16-bit RCA followed by a 16-bit condensed
 * status word:
 *   bits 15..14 <- CSR bits 23..22 (COM_CRC_ERROR, ILLEGAL_COMMAND)
 *   bit  13     <- CSR bit 19      (ERROR)
 *   bits 12..0  <- CSR bits 12..0
 * The clear-on-read bits among those reported (the 0xc81fff mask selects
 * exactly the CSR bits that were copied) are then cleared.
 */
static void sd_response_r6_make(SDState *sd, uint8_t *response)
{
    uint16_t status;

    status = ((sd->card_status >> 8) & 0xc000) |
             ((sd->card_status >> 6) & 0x2000) |
              (sd->card_status & 0x1fff);
    sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
    stw_be_p(response + 0, sd->rca);
    stw_be_p(response + 2, status);
}
537 
/* R7 response: echo the stored interface condition (vhs), big-endian. */
static void sd_response_r7_make(SDState *sd, uint8_t *response)
{
    const uint32_t vhs = sd->vhs;

    stl_be_p(response, vhs);
}
542 
/*
 * Index of the write-protect group containing byte address @addr, i.e.
 * the bit number in sd->wp_groups. Groups are WPGROUP_SIZE bytes.
 */
static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
{
    return addr / WPGROUP_SIZE;
}
547 
/*
 * Reset handler (also run on media insertion and on CMD0): re-derive the
 * capacity from the backing image, rebuild every register, reallocate the
 * write-protect bitmap and clear all transfer state.
 *
 * @dev: the card, as its DeviceState.
 */
static void sd_reset(DeviceState *dev)
{
    SDState *sd = SD_CARD(dev);
    uint64_t nr_sectors = 0;
    uint64_t size;

    trace_sdcard_reset();
    if (sd->blk) {
        blk_get_geometry(sd->blk, &nr_sectors);
    }
    size = nr_sectors << 9;

    /* Register block */
    sd->state = sd_idle_state;
    sd->rca = 0x0000;
    sd_set_ocr(sd);
    sd_set_scr(sd);
    sd_set_cid(sd);
    sd_set_csd(sd, size);
    sd_set_cardstatus(sd);
    sd_set_sdstatus(sd);

    /* Write protection: one bit per group, plus one for the tail */
    g_free(sd->wp_groups);
    sd->wpgrps_size = sd_addr_to_wpnum(size) + 1;
    sd->wp_groups = bitmap_new(sd->wpgrps_size);
    sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;

    /* Transfer bookkeeping */
    memset(sd->function_group, 0, sizeof(sd->function_group));
    sd->size = size;
    sd->blk_len = 0x200;
    sd->erase_start = 0;
    sd->erase_end = 0;
    sd->multi_blk_cnt = 0;
    sd->pwd_len = 0;
    sd->expecting_acmd = false;
    sd->dat_lines = 0xf;
    sd->cmd_line = true;
}
588 
/* A medium is present only when there is a backing block and it is inserted. */
static bool sd_get_inserted(SDState *sd)
{
    if (!sd->blk) {
        return false;
    }
    return blk_is_inserted(sd->blk);
}
593 
/* Write-protect switch position, as last captured by sd_reset(). */
static bool sd_get_readonly(SDState *sd)
{
    const bool ro = sd->wp_switch;

    return ro;
}
598 
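/*
 * Block-backend media change callback. On insertion the card is reset and
 * the new insertion/read-only state is pushed to the host, either through
 * the legacy sd_set_cb() irqs or through the parent SDBus.
 *
 * The read-only flag is sampled *after* sd_reset(): sd_get_readonly()
 * returns sd->wp_switch, which sd_reset() refreshes from
 * blk_is_read_only(), so reading it first would report the switch position
 * of the previous medium to the host and in the trace.
 *
 * @opaque: the SDState.
 * @load:   unused; the insertion state is re-read from the backend.
 * @errp:   unused; this callback never fails.
 */
static void sd_cardchange(void *opaque, bool load, Error **errp)
{
    SDState *sd = opaque;
    DeviceState *dev = DEVICE(sd);
    SDBus *sdbus;
    bool inserted = sd_get_inserted(sd);
    bool readonly;

    if (inserted) {
        sd_reset(dev);
        readonly = sd_get_readonly(sd);
        trace_sdcard_inserted(readonly);
    } else {
        readonly = sd_get_readonly(sd);
        trace_sdcard_ejected();
    }

    if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
        qemu_set_irq(sd->inserted_cb, inserted);
        if (inserted) {
            qemu_set_irq(sd->readonly_cb, readonly);
        }
    } else {
        sdbus = SD_BUS(qdev_get_parent_bus(dev));
        sdbus_set_inserted(sdbus, inserted);
        if (inserted) {
            sdbus_set_readonly(sdbus, readonly);
        }
    }
}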
627 
/* Block-backend callbacks; only media change is handled. */
static const BlockDevOps sd_block_ops = {
    .change_media_cb = sd_cardchange,
};
631 
/*
 * Migrate the OCR subsection only while the power-up sequence is still
 * pending; once CARD_POWER_UP is set, sd_vmstate_pre_load() reconstructs it.
 */
static bool sd_ocr_vmstate_needed(void *opaque)
{
    SDState *sd = opaque;
    const bool powered_up = FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);

    return !powered_up;
}
639 
/*
 * Optional subsection carrying the OCR and its power-up timer, present only
 * while the card has not finished powering up (sd_ocr_vmstate_needed).
 */
static const VMStateDescription sd_ocr_vmstate = {
    .name = "sd-card/ocr-state",
    .version_id = 1,
    .minimum_version_id = 1,
    .needed = sd_ocr_vmstate_needed,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(ocr, SDState),
        VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
        VMSTATE_END_OF_LIST()
    },
};
651 
/*
 * Before loading: assume the card is powered up. If the stream carries the
 * OCR subsection (power-up still pending) that state overwrites this.
 * Always succeeds.
 */
static int sd_vmstate_pre_load(void *opaque)
{
    sd_ocr_powerup(opaque);
    return 0;
}
664 
/*
 * Migration description of the card. Field order is the stream format and
 * must not change; VMSTATE_UNUSED_V keeps 512 bytes that an earlier version
 * presumably used for a second buffer.
 *
 * NOTE(review): data_offset, blk_len, wpgrps_size and the rest are restored
 * verbatim and later used as indices/lengths (e.g. into data[512]); that is
 * fine under QEMU's model of a trusted migration stream, but there is no
 * post_load sanity check here to fall back on if that assumption changes.
 */
static const VMStateDescription sd_vmstate = {
    .name = "sd-card",
    .version_id = 1,
    .minimum_version_id = 1,
    .pre_load = sd_vmstate_pre_load,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(mode, SDState),
        VMSTATE_INT32(state, SDState),
        VMSTATE_UINT8_ARRAY(cid, SDState, 16),
        VMSTATE_UINT8_ARRAY(csd, SDState, 16),
        VMSTATE_UINT16(rca, SDState),
        VMSTATE_UINT32(card_status, SDState),
        VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
        VMSTATE_UINT32(vhs, SDState),
        VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
        VMSTATE_UINT32(blk_len, SDState),
        VMSTATE_UINT32(multi_blk_cnt, SDState),
        VMSTATE_UINT32(erase_start, SDState),
        VMSTATE_UINT32(erase_end, SDState),
        VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
        VMSTATE_UINT32(pwd_len, SDState),
        VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
        VMSTATE_UINT8(current_cmd, SDState),
        VMSTATE_BOOL(expecting_acmd, SDState),
        VMSTATE_UINT32(blk_written, SDState),
        VMSTATE_UINT64(data_start, SDState),
        VMSTATE_UINT32(data_offset, SDState),
        VMSTATE_UINT8_ARRAY(data, SDState, 512),
        VMSTATE_UNUSED_V(1, 512),
        VMSTATE_BOOL(enable, SDState),
        VMSTATE_END_OF_LIST()
    },
    .subsections = (const VMStateDescription*[]) {
        &sd_ocr_vmstate,
        NULL
    },
};
702 
703 /* Legacy initialization function for use by non-qdevified callers */
/*
 * Legacy initialization function for use by non-qdevified callers.
 *
 * Creates a card backed by @blk (SPI mode if @is_spi), detaches it from the
 * QOM tree and realizes it by hand. Returns NULL after reporting the error
 * if the drive property cannot be set or realize fails. The returned card
 * is flagged so that sd_cardchange() uses the sd_set_cb() irqs instead of
 * a parent bus.
 */
SDState *sd_init(BlockBackend *blk, bool is_spi)
{
    Error *err = NULL;
    Object *obj = object_new(TYPE_SD_CARD);
    DeviceState *dev = DEVICE(obj);
    SDState *sd;

    if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
        goto fail;
    }
    qdev_prop_set_bit(dev, "spi", is_spi);

    /*
     * Realizing the device properly would put it into the QOM
     * composition tree even though it is not plugged into an
     * appropriate bus.  That's a no-no.  Hide the device from
     * QOM/qdev, and call its qdev realize callback directly.
     */
    object_ref(obj);
    object_unparent(obj);
    sd_realize(dev, &err);
    if (err) {
        goto fail;
    }

    sd = SD_CARD(dev);
    sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
    return sd;

fail:
    error_reportf_err(err, "sd_init failed: ");
    return NULL;
}
737 
/*
 * Legacy API: register the read-only and insertion irqs used by sd_init()
 * cards and immediately raise them to the backend's current state
 * (both deasserted when there is no backing block).
 */
void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
{
    int is_ro = 0;
    int is_present = 0;

    sd->readonly_cb = readonly;
    sd->inserted_cb = insert;

    if (sd->blk) {
        is_ro = blk_is_read_only(sd->blk);
        is_present = blk_is_inserted(sd->blk);
    }
    qemu_set_irq(readonly, is_ro);
    qemu_set_irq(insert, is_present);
}
745 
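/*
 * CMD38 (ERASE): act on the range set by the preceding CMD32/CMD33.
 *
 * Both endpoints are guest-supplied and must not be trusted: on SDHC/SDXC
 * they are 512-byte block numbers (so a 32-bit value maps to up to 2 TiB),
 * on SDSC byte addresses. Anything at or beyond sd->size is rejected with
 * OUT_OF_RANGE before the write-protect bitmap is consulted -- wp_groups
 * only has wpgrps_size bits, and an unchecked end address would index past
 * it. With the range bounded, sd_addr_to_wpnum(erase_end) is always below
 * wpgrps_size (sd_reset allocates sd_addr_to_wpnum(size) + 1 bits).
 *
 * A zero endpoint means "not set" and yields ERASE_SEQ_ERROR (this also
 * makes block 0 unerasable; unchanged here). The erase range is consumed
 * whether or not it was accepted. Note that no data is written: the only
 * effects are the status bits and the CSD "erased" flag.
 */
static void sd_erase(SDState *sd)
{
    uint64_t erase_start = sd->erase_start;
    uint64_t erase_end = sd->erase_end;
    uint64_t wpnum, last_wpnum;

    trace_sdcard_erase();
    if (!sd->erase_start || !sd->erase_end) {
        sd->card_status |= ERASE_SEQ_ERROR;
        return;
    }

    if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
        /* High capacity memory card: erase units are 512 byte blocks */
        erase_start <<= HWBLOCK_SHIFT;
        erase_end <<= HWBLOCK_SHIFT;
    }

    /* The range is single-use: clear it before any early return below. */
    sd->erase_start = 0;
    sd->erase_end = 0;

    if (erase_start >= sd->size || erase_end >= sd->size) {
        sd->card_status |= R_CSR_OUT_OF_RANGE_MASK;
        return;
    }

    sd->csd[14] |= 0x40;

    last_wpnum = sd_addr_to_wpnum(erase_end);
    for (wpnum = sd_addr_to_wpnum(erase_start); wpnum <= last_wpnum; wpnum++) {
        if (test_bit(wpnum, sd->wp_groups)) {
            sd->card_status |= WP_ERASE_SKIP;
        }
    }
}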
776 
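/*
 * CMD30 (SEND_WRITE_PROT): write-protect bits of the 32 groups starting at
 * byte address @addr, bit i set when group (addr / WPGROUP_SIZE) + i is
 * protected. Groups past the end of the card read as unprotected, which is
 * also what keeps the bitmap index in range (addr < size implies
 * wpnum < wpgrps_size, see sd_reset()).
 *
 * The bit is built from an unsigned 1: "1 << 31" on a plain int is signed
 * overflow, i.e. undefined behaviour, for the last iteration.
 */
static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
{
    uint64_t wpnum = sd_addr_to_wpnum(addr);
    uint32_t ret = 0;
    unsigned i;

    for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
        if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
            ret |= 1u << i;
        }
    }

    return ret;
}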
792 
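/*
 * CMD6 (SWITCH_FUNC): build the 64-byte function status block in sd->data
 * (followed by a 16-bit CRC at bytes 64..65) and, in "set" mode, record the
 * selected function of each group in sd->function_group[].
 *
 * @arg: CMD6 argument. Bit 31 selects set (1) vs check (0) mode; nibble i
 *       (bits 4i..4i+3) is the requested function for group i+1, with 0xf
 *       meaning "keep the current function".
 *
 * Bytes 14..16 carry the selection nibbles and are OR-ed together in the
 * loop, so they are cleared first: sd->data is shared with block reads and
 * writes, and stale bytes from an earlier transfer would otherwise leak
 * into the status the guest reads back.
 */
static void sd_function_switch(SDState *sd, uint32_t arg)
{
    const bool set_mode = !!(arg & 0x80000000);
    int i;

    sd->data[0] = 0x00;     /* Maximum current consumption */
    sd->data[1] = 0x01;
    sd->data[2] = 0x80;     /* Supported group 6 functions */
    sd->data[3] = 0x01;
    sd->data[4] = 0x80;     /* Supported group 5 functions */
    sd->data[5] = 0x01;
    sd->data[6] = 0x80;     /* Supported group 4 functions */
    sd->data[7] = 0x01;
    sd->data[8] = 0x80;     /* Supported group 3 functions */
    sd->data[9] = 0x01;
    sd->data[10] = 0x80;    /* Supported group 2 functions */
    sd->data[11] = 0x43;
    sd->data[12] = 0x80;    /* Supported group 1 functions */
    sd->data[13] = 0x03;

    /* Function selection of groups 6..1, two nibbles per byte */
    memset(&sd->data[14], 0, 3);
    for (i = 0; i < 6; i++) {
        int new_func = (arg >> (i * 4)) & 0x0f;

        if (set_mode && new_func != 0x0f) {
            sd->function_group[i] = new_func;
        }
        sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
    }
    /* Data structure version and reserved bytes */
    memset(&sd->data[17], 0, 47);
    stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
}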
822 
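/*
 * Is the write-protect group containing byte address @addr protected?
 *
 * @addr comes straight from guest command arguments, and wp_groups has
 * only wpgrps_size bits, so the group index is checked before the bitmap
 * is read rather than relying on every caller to have validated the
 * address against sd->size first. An out-of-range address reports "not
 * protected": the callers that can pass one already flag it as an address
 * error, and there is no group to be protected.
 */
static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
{
    const uint64_t wpnum = sd_addr_to_wpnum(addr);

    if (wpnum >= (uint64_t)sd->wpgrps_size) {
        return false;
    }
    return test_bit(wpnum, sd->wp_groups);
}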
827 
/*
 * CMD42 (LOCK_UNLOCK): interpret the data block the guest just wrote.
 *
 * Layout of sd->data: byte 0 holds the flags (bit 3 ERASE, bit 2 LOCK,
 * bit 1 CLR_PWD, bit 0 SET_PWD); byte 1, present when blk_len > 1, is
 * PWD_LEN, the total length of the old password followed by the new one;
 * the passwords start at byte 2. Failures set LOCK_UNLOCK_FAILED and
 * leave the lock state and password untouched.
 *
 * Bounds: PWD_LEN is at most 255 (one byte) and is checked against
 * blk_len, against the stored length and against an upper bound of
 * sd->pwd_len + 16, so the memcmp reads at most 16 bytes from data[2..]
 * and the memcpy into pwd[16] copies at most 16 bytes from data[2+old..].
 *
 * NOTE(review): the "pwd_len <= sd->pwd_len" test rejects any block whose
 * PWD_LEN equals the stored length, which is what a plain lock/unlock with
 * the current password would send; confirm against the spec whether that
 * path is expected to work.
 */
static void sd_lock_command(SDState *sd)
{
    int erase, lock, clr_pwd, set_pwd, pwd_len;
    erase = !!(sd->data[0] & 0x08);
    lock = sd->data[0] & 0x04;
    clr_pwd = sd->data[0] & 0x02;
    set_pwd = sd->data[0] & 0x01;

    if (sd->blk_len > 1)
        pwd_len = sd->data[1];
    else
        pwd_len = 0;

    if (lock) {
        trace_sdcard_lock();
    } else {
        trace_sdcard_unlock();
    }
    if (erase) {
        /*
         * Force erase: only valid on a locked card, alone in a 1-byte
         * block, with the write-protect switch off and the CSD permanent
         * write-protect bit (presumably byte 14 bit 5) clear.
         */
        if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
                        set_pwd || clr_pwd || lock || sd->wp_switch ||
                        (sd->csd[14] & 0x20)) {
            sd->card_status |= LOCK_UNLOCK_FAILED;
            return;
        }
        /*
         * Drops the write-protect groups, the temporary write-protect bit
         * and the password. Note that the backing store is NOT touched:
         * "erased" data remains readable once the card is unlocked.
         */
        bitmap_zero(sd->wp_groups, sd->wpgrps_size);
        sd->csd[14] &= ~0x10;
        sd->card_status &= ~CARD_IS_LOCKED;
        sd->pwd_len = 0;
        /* Erasing the entire card here! */
        fprintf(stderr, "SD: Card force-erased by CMD42\n");
        return;
    }

    /* PWD_LEN must fit the block and exceed the stored length by 1..16 */
    if (sd->blk_len < 2 + pwd_len ||
                    pwd_len <= sd->pwd_len ||
                    pwd_len > sd->pwd_len + 16) {
        sd->card_status |= LOCK_UNLOCK_FAILED;
        return;
    }

    /* The block must start with the current password, if one is set */
    if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
        sd->card_status |= LOCK_UNLOCK_FAILED;
        return;
    }

    /* pwd_len is now the length of the new password only */
    pwd_len -= sd->pwd_len;
    if ((pwd_len && !set_pwd) ||
                    (clr_pwd && (set_pwd || lock)) ||
                    (lock && !sd->pwd_len && !set_pwd) ||
                    (!set_pwd && !clr_pwd &&
                     (((sd->card_status & CARD_IS_LOCKED) && lock) ||
                      (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
        sd->card_status |= LOCK_UNLOCK_FAILED;
        return;
    }

    if (set_pwd) {
        memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
        sd->pwd_len = pwd_len;
    }

    if (clr_pwd) {
        sd->pwd_len = 0;
    }

    if (lock)
        sd->card_status |= CARD_IS_LOCKED;
    else
        sd->card_status &= ~CARD_IS_LOCKED;
}
899 
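/*
 * Execute one standard (non-application) command against the card's
 * state machine.
 *
 * @sd:  the emulated card; its state, card_status and data buffer are
 *       updated in place
 * @req: the command index and 32-bit argument received from the host
 *
 * Returns the response type for sd_do_command() to encode: sd_illegal when
 * the command is rejected (the caller then sets ILLEGAL_COMMAND), sd_r0 when
 * no response is sent, otherwise one of the R1/R1b/R2/R3/R6/R7 types.
 * A command that is recognised but arrives in a state where it is not
 * allowed falls out of the switch and is logged as "in a wrong state".
 */
static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
{
    uint32_t rca = 0x0000;
    /* OCR bit 30 (presumably the CARD_CAPACITY field tested below) selects
     * block addressing: the argument is then a 512-byte block number and is
     * widened to a byte address.  Otherwise the argument is already a byte
     * address. */
    uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;

    /* CMD55 precedes an ACMD, so we are not interested in tracing it.
     * However there is no ACMD55, so we want to trace this particular case.
     */
    if (req.cmd != 55 || sd->expecting_acmd) {
        trace_sdcard_normal_command(sd->proto_name,
                                    sd_cmd_name(req.cmd), req.cmd,
                                    req.arg, sd_state_name(sd->state));
    }

    /* Not interpreting this as an app command */
    sd->card_status &= ~APP_CMD;

    /* Addressed commands carry the target RCA in the upper 16 bits of the
     * argument; it is compared against sd->rca in the per-command cases. */
    if (sd_cmd_type[req.cmd] == sd_ac
        || sd_cmd_type[req.cmd] == sd_adtc) {
        rca = req.arg >> 16;
    }

    /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
     * if not, its effects are cancelled */
    if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
        sd->multi_blk_cnt = 0;
    }

    if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
        /* Only Standard Capacity cards support class 6 commands */
        return sd_illegal;
    }

    switch (req.cmd) {
    /* Basic commands (Class 0 and Class 1) */
    case 0:	/* CMD0:   GO_IDLE_STATE */
        switch (sd->state) {
        case sd_inactive_state:
            return sd->spi ? sd_r1 : sd_r0;

        default:
            sd->state = sd_idle_state;
            sd_reset(DEVICE(sd));
            return sd->spi ? sd_r1 : sd_r0;
        }
        break;

    case 1:	/* CMD1:   SEND_OP_CMD */
        if (!sd->spi)
            goto bad_cmd;

        sd->state = sd_transfer_state;
        return sd_r1;

    case 2:	/* CMD2:   ALL_SEND_CID */
        if (sd->spi)
            goto bad_cmd;
        switch (sd->state) {
        case sd_ready_state:
            sd->state = sd_identification_state;
            return sd_r2_i;

        default:
            break;
        }
        break;

    case 3:	/* CMD3:   SEND_RELATIVE_ADDR */
        if (sd->spi)
            goto bad_cmd;
        switch (sd->state) {
        case sd_identification_state:
        case sd_standby_state:
            sd->state = sd_standby_state;
            sd_set_rca(sd);
            return sd_r6;

        default:
            break;
        }
        break;

    case 4:	/* CMD4:   SEND_DSR */
        if (sd->spi)
            goto bad_cmd;
        switch (sd->state) {
        case sd_standby_state:
            break;

        default:
            break;
        }
        break;

    case 5: /* CMD5: reserved for SDIO cards */
        return sd_illegal;

    case 6:	/* CMD6:   SWITCH_FUNCTION */
        switch (sd->mode) {
        case sd_data_transfer_mode:
            sd_function_switch(sd, req.arg);
            sd->state = sd_sendingdata_state;
            sd->data_start = 0;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 7:	/* CMD7:   SELECT/DESELECT_CARD */
        if (sd->spi)
            goto bad_cmd;
        switch (sd->state) {
        case sd_standby_state:
            if (sd->rca != rca)
                return sd_r0;

            sd->state = sd_transfer_state;
            return sd_r1b;

        case sd_transfer_state:
        case sd_sendingdata_state:
            /* Selecting the already-selected card is a wrong-state error;
             * any other RCA deselects us. */
            if (sd->rca == rca)
                break;

            sd->state = sd_standby_state;
            return sd_r1b;

        case sd_disconnect_state:
            if (sd->rca != rca)
                return sd_r0;

            sd->state = sd_programming_state;
            return sd_r1b;

        case sd_programming_state:
            if (sd->rca == rca)
                break;

            sd->state = sd_disconnect_state;
            return sd_r1b;

        default:
            break;
        }
        break;

    case 8:	/* CMD8:   SEND_IF_COND */
        if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
            break;
        }
        if (sd->state != sd_idle_state) {
            break;
        }
        sd->vhs = 0;

        /* No response if not exactly one VHS bit is set.  */
        if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
            return sd->spi ? sd_r7 : sd_r0;
        }

        /* Accept.  */
        sd->vhs = req.arg;
        return sd_r7;

    case 9:	/* CMD9:   SEND_CSD */
        switch (sd->state) {
        case sd_standby_state:
            if (sd->rca != rca)
                return sd_r0;

            return sd_r2_s;

        case sd_transfer_state:
            /* In SPI mode the CSD is delivered as a data block rather than
             * as an R2 response. */
            if (!sd->spi)
                break;
            sd->state = sd_sendingdata_state;
            memcpy(sd->data, sd->csd, 16);
            sd->data_start = addr;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 10:	/* CMD10:  SEND_CID */
        switch (sd->state) {
        case sd_standby_state:
            if (sd->rca != rca)
                return sd_r0;

            return sd_r2_i;

        case sd_transfer_state:
            /* SPI mode: CID goes out as a data block, as for CMD9. */
            if (!sd->spi)
                break;
            sd->state = sd_sendingdata_state;
            memcpy(sd->data, sd->cid, 16);
            sd->data_start = addr;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 12:	/* CMD12:  STOP_TRANSMISSION */
        switch (sd->state) {
        case sd_sendingdata_state:
            sd->state = sd_transfer_state;
            return sd_r1b;

        case sd_receivingdata_state:
            sd->state = sd_programming_state;
            /* Bzzzzzzztt .... Operation complete.  */
            sd->state = sd_transfer_state;
            return sd_r1b;

        default:
            break;
        }
        break;

    case 13:	/* CMD13:  SEND_STATUS */
        switch (sd->mode) {
        case sd_data_transfer_mode:
            if (sd->rca != rca)
                return sd_r0;

            return sd_r1;

        default:
            break;
        }
        break;

    case 15:	/* CMD15:  GO_INACTIVE_STATE */
        if (sd->spi)
            goto bad_cmd;
        switch (sd->mode) {
        case sd_data_transfer_mode:
            if (sd->rca != rca)
                return sd_r0;

            sd->state = sd_inactive_state;
            return sd_r0;

        default:
            break;
        }
        break;

    /* Block read commands (Classs 2) */
    case 16:	/* CMD16:  SET_BLOCKLEN */
        switch (sd->state) {
        case sd_transfer_state:
            /* Reject block lengths larger than the data buffer can hold;
             * later transfers rely on blk_len being bounded here. */
            if (req.arg > (1 << HWBLOCK_SHIFT)) {
                sd->card_status |= BLOCK_LEN_ERROR;
            } else {
                trace_sdcard_set_blocklen(req.arg);
                sd->blk_len = req.arg;
            }

            return sd_r1;

        default:
            break;
        }
        break;

    case 17:	/* CMD17:  READ_SINGLE_BLOCK */
        switch (sd->state) {
        case sd_transfer_state:

            /* Bounds-check the guest-supplied address against the backing
             * image before arming the transfer. */
            if (addr + sd->blk_len > sd->size) {
                sd->card_status |= ADDRESS_ERROR;
                return sd_r1;
            }

            sd->state = sd_sendingdata_state;
            sd->data_start = addr;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
        switch (sd->state) {
        case sd_transfer_state:

            if (addr + sd->blk_len > sd->size) {
                sd->card_status |= ADDRESS_ERROR;
                return sd_r1;
            }

            sd->state = sd_sendingdata_state;
            sd->data_start = addr;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 19:    /* CMD19: SEND_TUNING_BLOCK (SD) */
        if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
            break;
        }
        if (sd->state == sd_transfer_state) {
            sd->state = sd_sendingdata_state;
            sd->data_offset = 0;
            return sd_r1;
        }
        break;

    case 23:    /* CMD23: SET_BLOCK_COUNT */
        if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
            break;
        }
        switch (sd->state) {
        case sd_transfer_state:
            sd->multi_blk_cnt = req.arg;
            return sd_r1;

        default:
            break;
        }
        break;

    /* Block write commands (Class 4) */
    case 24:	/* CMD24:  WRITE_SINGLE_BLOCK */
        switch (sd->state) {
        case sd_transfer_state:
            /* Writing in SPI mode not implemented.  */
            if (sd->spi)
                break;

            if (addr + sd->blk_len > sd->size) {
                sd->card_status |= ADDRESS_ERROR;
                return sd_r1;
            }

            sd->state = sd_receivingdata_state;
            sd->data_start = addr;
            sd->data_offset = 0;
            sd->blk_written = 0;

            /* A write-protected group, or a write-protect bit in the CSD
             * (presumably csd[14] bits 4-5), flags the violation now so
             * that sd_write_byte() discards the incoming data. */
            if (sd_wp_addr(sd, sd->data_start)) {
                sd->card_status |= WP_VIOLATION;
            }
            if (sd->csd[14] & 0x30) {
                sd->card_status |= WP_VIOLATION;
            }
            return sd_r1;

        default:
            break;
        }
        break;

    case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
        switch (sd->state) {
        case sd_transfer_state:
            /* Writing in SPI mode not implemented.  */
            if (sd->spi)
                break;

            if (addr + sd->blk_len > sd->size) {
                sd->card_status |= ADDRESS_ERROR;
                return sd_r1;
            }

            sd->state = sd_receivingdata_state;
            sd->data_start = addr;
            sd->data_offset = 0;
            sd->blk_written = 0;

            if (sd_wp_addr(sd, sd->data_start)) {
                sd->card_status |= WP_VIOLATION;
            }
            if (sd->csd[14] & 0x30) {
                sd->card_status |= WP_VIOLATION;
            }
            return sd_r1;

        default:
            break;
        }
        break;

    case 26:	/* CMD26:  PROGRAM_CID */
        if (sd->spi)
            goto bad_cmd;
        switch (sd->state) {
        case sd_transfer_state:
            sd->state = sd_receivingdata_state;
            sd->data_start = 0;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 27:	/* CMD27:  PROGRAM_CSD */
        switch (sd->state) {
        case sd_transfer_state:
            sd->state = sd_receivingdata_state;
            sd->data_start = 0;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    /* Write protection (Class 6) */
    case 28:	/* CMD28:  SET_WRITE_PROT */
        switch (sd->state) {
        case sd_transfer_state:
            if (addr >= sd->size) {
                sd->card_status |= ADDRESS_ERROR;
                return sd_r1b;
            }

            sd->state = sd_programming_state;
            set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
            /* Bzzzzzzztt .... Operation complete.  */
            sd->state = sd_transfer_state;
            return sd_r1b;

        default:
            break;
        }
        break;

    case 29:	/* CMD29:  CLR_WRITE_PROT */
        switch (sd->state) {
        case sd_transfer_state:
            if (addr >= sd->size) {
                sd->card_status |= ADDRESS_ERROR;
                return sd_r1b;
            }

            sd->state = sd_programming_state;
            clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
            /* Bzzzzzzztt .... Operation complete.  */
            sd->state = sd_transfer_state;
            return sd_r1b;

        default:
            break;
        }
        break;

    case 30:	/* CMD30:  SEND_WRITE_PROT */
        switch (sd->state) {
        case sd_transfer_state:
            sd->state = sd_sendingdata_state;
            /* NOTE(review): host-endian store through a type-punned pointer
             * into the byte buffer; kept as-is to preserve behaviour. */
            *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
            sd->data_start = addr;
            sd->data_offset = 0;
            return sd_r1b;

        default:
            break;
        }
        break;

    /* Erase commands (Class 5) */
    case 32:	/* CMD32:  ERASE_WR_BLK_START */
        switch (sd->state) {
        case sd_transfer_state:
            sd->erase_start = req.arg;
            return sd_r1;

        default:
            break;
        }
        break;

    case 33:	/* CMD33:  ERASE_WR_BLK_END */
        switch (sd->state) {
        case sd_transfer_state:
            sd->erase_end = req.arg;
            return sd_r1;

        default:
            break;
        }
        break;

    case 38:	/* CMD38:  ERASE */
        switch (sd->state) {
        case sd_transfer_state:
            if (sd->csd[14] & 0x30) {
                sd->card_status |= WP_VIOLATION;
                return sd_r1b;
            }

            sd->state = sd_programming_state;
            sd_erase(sd);
            /* Bzzzzzzztt .... Operation complete.  */
            sd->state = sd_transfer_state;
            return sd_r1b;

        default:
            break;
        }
        break;

    /* Lock card commands (Class 7) */
    case 42:	/* CMD42:  LOCK_UNLOCK */
        switch (sd->state) {
        case sd_transfer_state:
            sd->state = sd_receivingdata_state;
            sd->data_start = 0;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 52 ... 54:
        /* CMD52, CMD53, CMD54: reserved for SDIO cards
         * (see the SDIO Simplified Specification V2.0)
         * Handle as illegal command but do not complain
         * on stderr, as some OSes may use these in their
         * probing for presence of an SDIO card.
         */
        return sd_illegal;

    /* Application specific commands (Class 8) */
    case 55:	/* CMD55:  APP_CMD */
        switch (sd->state) {
        case sd_ready_state:
        case sd_identification_state:
        case sd_inactive_state:
            return sd_illegal;
        case sd_idle_state:
            if (rca) {
                /* Report the offending RCA itself, not the command index. */
                qemu_log_mask(LOG_GUEST_ERROR,
                              "SD: illegal RCA 0x%04x for APP_CMD\n", rca);
            }
            /* fallthrough */
        default:
            break;
        }
        if (!sd->spi) {
            if (sd->rca != rca) {
                return sd_r0;
            }
        }
        sd->expecting_acmd = true;
        sd->card_status |= APP_CMD;
        return sd_r1;

    case 56:	/* CMD56:  GEN_CMD */
        switch (sd->state) {
        case sd_transfer_state:
            sd->data_offset = 0;
            /* Argument bit 0 selects the direction of the vendor block. */
            if (req.arg & 1)
                sd->state = sd_sendingdata_state;
            else
                sd->state = sd_receivingdata_state;
            return sd_r1;

        default:
            break;
        }
        break;

    case 58:    /* CMD58:   READ_OCR (SPI) */
        if (!sd->spi) {
            goto bad_cmd;
        }
        return sd_r3;

    case 59:    /* CMD59:   CRC_ON_OFF (SPI) */
        if (!sd->spi) {
            goto bad_cmd;
        }
        goto unimplemented_spi_cmd;

    default:
    bad_cmd:
        qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
        return sd_illegal;

    unimplemented_spi_cmd:
        /* Commands that are recognised but not yet implemented in SPI mode.  */
        qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
                      req.cmd);
        return sd_illegal;
    }

    qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
    return sd_illegal;
}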
1511 
/*
 * Execute one application-specific command (ACMD, i.e. a command that was
 * preceded by CMD55).
 *
 * @sd:  the emulated card; state and card_status are updated in place
 * @req: the command index and 32-bit argument received from the host
 *
 * Returns the response type for sd_do_command() to encode.  Indices that
 * have no ACMD meaning fall back to sd_normal_command(); a recognised ACMD
 * in the wrong state falls out of the switch and is logged.
 */
static sd_rsp_type_t sd_app_command(SDState *sd,
                                    SDRequest req)
{
    trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
                             req.cmd, req.arg, sd_state_name(sd->state));
    sd->card_status |= APP_CMD;
    switch (req.cmd) {
    case 6:	/* ACMD6:  SET_BUS_WIDTH */
        if (sd->spi) {
            goto unimplemented_spi_cmd;
        }
        switch (sd->state) {
        case sd_transfer_state:
            /* The two argument bits land in the top two bits of
             * sd_status[0]; the rest of that byte is preserved. */
            sd->sd_status[0] &= 0x3f;
            sd->sd_status[0] |= (req.arg & 0x03) << 6;
            return sd_r1;

        default:
            break;
        }
        break;

    case 13:	/* ACMD13: SD_STATUS */
        switch (sd->state) {
        case sd_transfer_state:
            sd->state = sd_sendingdata_state;
            sd->data_start = 0;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 22:	/* ACMD22: SEND_NUM_WR_BLOCKS */
        switch (sd->state) {
        case sd_transfer_state:
            /* NOTE(review): host-endian store through a type-punned pointer
             * into the byte buffer. */
            *(uint32_t *) sd->data = sd->blk_written;

            sd->state = sd_sendingdata_state;
            sd->data_start = 0;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 23:	/* ACMD23: SET_WR_BLK_ERASE_COUNT */
        switch (sd->state) {
        case sd_transfer_state:
            /* Accepted but the count is not modelled. */
            return sd_r1;

        default:
            break;
        }
        break;

    case 41:	/* ACMD41: SD_APP_OP_COND */
        if (sd->spi) {
            /* SEND_OP_CMD */
            sd->state = sd_transfer_state;
            return sd_r1;
        }
        if (sd->state != sd_idle_state) {
            break;
        }
        /* If it's the first ACMD41 since reset, we need to decide
         * whether to power up. If this is not an enquiry ACMD41,
         * we immediately report power on and proceed below to the
         * ready state, but if it is, we set a timer to model a
         * delay for power up. This works around a bug in EDK2
         * UEFI, which sends an initial enquiry ACMD41, but
         * assumes that the card is in ready state as soon as it
         * sees the power up bit set. */
        if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
            if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
                /* A pending delayed power-up is superseded by the
                 * immediate one. */
                timer_del(sd->ocr_power_timer);
                sd_ocr_powerup(sd);
            } else {
                trace_sdcard_inquiry_cmd41();
                if (!timer_pending(sd->ocr_power_timer)) {
                    timer_mod_ns(sd->ocr_power_timer,
                                 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
                                  + OCR_POWER_DELAY_NS));
                }
            }
        }

        if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
            /* We accept any voltage.  10000 V is nothing.
             *
             * Once we're powered up, we advance straight to ready state
             * unless it's an enquiry ACMD41 (bits 23:0 == 0).
             */
            sd->state = sd_ready_state;
        }

        return sd_r3;

    case 42:	/* ACMD42: SET_CLR_CARD_DETECT */
        switch (sd->state) {
        case sd_transfer_state:
            /* Bringing in the 50KOhm pull-up resistor... Done.  */
            return sd_r1;

        default:
            break;
        }
        break;

    case 51:	/* ACMD51: SEND_SCR */
        switch (sd->state) {
        case sd_transfer_state:
            sd->state = sd_sendingdata_state;
            sd->data_start = 0;
            sd->data_offset = 0;
            return sd_r1;

        default:
            break;
        }
        break;

    case 18:    /* Reserved for SD security applications */
    case 25:
    case 26:
    case 38:
    case 43 ... 49:
        /* Refer to the "SD Specifications Part3 Security Specification" for
         * information about the SD Security Features.
         */
        qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
                      req.cmd);
        return sd_illegal;

    default:
        /* Fall back to standard commands.  */
        return sd_normal_command(sd, req);

    unimplemented_spi_cmd:
        /* Commands that are recognised but not yet implemented in SPI mode.  */
        qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
                      req.cmd);
        return sd_illegal;
    }

    qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
    return sd_illegal;
}
1664 
/*
 * Decide whether a command may be executed while the card is locked.
 *
 * Permitted while locked:
 *   - the basic command class (0) and the lock-card class (7)
 *   - CMD16 and, implicitly, the ACMD prefix CMD55
 *   - ACMD41 and ACMD42 when an ACMD is expected
 * Everything else provokes an "illegal command" response from the caller.
 *
 * Returns non-zero when the command is allowed, 0 otherwise.
 */
static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
{
    int cmd_class;

    /* After CMD55 the index refers to an ACMD, so apply the ACMD whitelist. */
    if (sd->expecting_acmd) {
        return (req->cmd == 41) || (req->cmd == 42);
    }

    switch (req->cmd) {
    case 16:
    case 55:
        return 1;
    default:
        break;
    }

    cmd_class = sd_cmd_class[req->cmd];
    return (cmd_class == 0) || (cmd_class == 7);
}
1684 
/**
 * sd_do_command: process one command from the host controller
 *
 * @sd: the emulated card
 * @req: the command index, argument and CRC as received; the index is
 *       clamped in place if it is out of range
 * @response: buffer that receives the response bytes (up to 16 bytes for
 *            an R2 response)
 *
 * Returns the number of response bytes written to @response: 0 when the
 * card is absent or disabled, when no response is sent (sd_r0) or when the
 * command is rejected (sd_illegal); 4 for R1/R1b/R3/R6/R7; 16 for R2.
 */
int sd_do_command(SDState *sd, SDRequest *req,
                  uint8_t *response) {
    int last_state;
    sd_rsp_type_t rtype;
    int rsplen;

    /* No medium, ejected medium or a disabled card: silent, no response. */
    if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
        return 0;
    }

    if (sd_req_crc_validate(req)) {
        sd->card_status |= COM_CRC_ERROR;
        rtype = sd_illegal;
        goto send_response;
    }

    /* Keep the index inside the command tables; the masked value is what
     * the dispatchers below index with. */
    if (req->cmd >= SDMMC_CMD_MAX) {
        qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
                      req->cmd);
        req->cmd &= 0x3f;
    }

    if (sd->card_status & CARD_IS_LOCKED) {
        if (!cmd_valid_while_locked(sd, req)) {
            sd->card_status |= ILLEGAL_COMMAND;
            /* A rejected command also cancels any pending CMD55 prefix. */
            sd->expecting_acmd = false;
            qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
            rtype = sd_illegal;
            goto send_response;
        }
    }

    last_state = sd->state;
    sd_set_mode(sd);

    /* The ACMD expectation is consumed by exactly one command, whatever
     * the outcome. */
    if (sd->expecting_acmd) {
        sd->expecting_acmd = false;
        rtype = sd_app_command(sd, *req);
    } else {
        rtype = sd_normal_command(sd, *req);
    }

    if (rtype == sd_illegal) {
        sd->card_status |= ILLEGAL_COMMAND;
    } else {
        /* Valid command, we can update the 'state before command' bits.
         * (Do this now so they appear in r1 responses.)
         */
        sd->current_cmd = req->cmd;
        sd->card_status &= ~CURRENT_STATE;
        sd->card_status |= (last_state << 9);
    }

send_response:
    switch (rtype) {
    case sd_r1:
    case sd_r1b:
        sd_response_r1_make(sd, response);
        rsplen = 4;
        break;

    case sd_r2_i:
        memcpy(response, sd->cid, sizeof(sd->cid));
        rsplen = 16;
        break;

    case sd_r2_s:
        memcpy(response, sd->csd, sizeof(sd->csd));
        rsplen = 16;
        break;

    case sd_r3:
        sd_response_r3_make(sd, response);
        rsplen = 4;
        break;

    case sd_r6:
        sd_response_r6_make(sd, response);
        rsplen = 4;
        break;

    case sd_r7:
        sd_response_r7_make(sd, response);
        rsplen = 4;
        break;

    case sd_r0:
    case sd_illegal:
        rsplen = 0;
        break;
    default:
        g_assert_not_reached();
    }
    trace_sdcard_response(sd_response_name(rtype), rsplen);

    if (rtype != sd_illegal) {
        /* Clear the "clear on valid command" status bits now we've
         * sent any response
         */
        sd->card_status &= ~CARD_STATUS_B;
    }

#ifdef DEBUG_SD
    qemu_hexdump((const char *)response, stderr, "Response", rsplen);
#endif

    return rsplen;
}
1793 
/*
 * Read @len bytes at byte offset @addr from the backing block device into
 * sd->data.  A missing backend or a failed read is reported on stderr and
 * otherwise ignored; the caller is not told and sd->data is left as-is.
 */
static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
{
    bool failed = !sd->blk;

    trace_sdcard_read_block(addr, len);
    if (!failed) {
        failed = blk_pread(sd->blk, addr, sd->data, len) < 0;
    }
    if (failed) {
        fprintf(stderr, "sd_blk_read: read error on host side\n");
    }
}
1801 
/*
 * Write @len bytes from sd->data to the backing block device at byte
 * offset @addr.  A missing backend or a failed write is reported on stderr
 * and otherwise ignored; the caller is not told.
 */
static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
{
    bool failed = !sd->blk;

    trace_sdcard_write_block(addr, len);
    if (!failed) {
        failed = blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0;
    }
    if (failed) {
        fprintf(stderr, "sd_blk_write: write error on host side\n");
    }
}
1809 
1810 #define BLK_READ_BLOCK(a, len)	sd_blk_read(sd, a, len)
1811 #define BLK_WRITE_BLOCK(a, len)	sd_blk_write(sd, a, len)
1812 #define APP_READ_BLOCK(a, len)	memset(sd->data, 0xec, len)
1813 #define APP_WRITE_BLOCK(a, len)
1814 
/**
 * sd_write_byte: feed one data byte from the host into the current transfer
 *
 * @sd: the emulated card
 * @value: the byte received on the data line
 *
 * Only meaningful while the card is in the receiving-data state; the byte is
 * appended to sd->data and, once a full block (or CID/CSD image) has been
 * collected, the pending command is completed.  Bytes are silently dropped
 * once an ADDRESS_ERROR or WP_VIOLATION has been flagged for the transfer.
 */
void sd_write_byte(SDState *sd, uint8_t value)
{
    int i;

    if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
        return;

    if (sd->state != sd_receivingdata_state) {
        qemu_log_mask(LOG_GUEST_ERROR,
                      "%s: not in Receiving-Data state\n", __func__);
        return;
    }

    /* A transfer already rejected at command time never reaches storage. */
    if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
        return;

    trace_sdcard_write_data(sd->proto_name,
                            sd_acmd_name(sd->current_cmd),
                            sd->current_cmd, value);
    switch (sd->current_cmd) {
    case 24:	/* CMD24:  WRITE_SINGLE_BLOCK */
        /* blk_len bounds the buffer fill; it is capped by CMD16. */
        sd->data[sd->data_offset ++] = value;
        if (sd->data_offset >= sd->blk_len) {
            /* TODO: Check CRC before committing */
            sd->state = sd_programming_state;
            BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
            sd->blk_written ++;
            /* presumably the CSD COPY flag (csd[14] bit 6) — confirm */
            sd->csd[14] |= 0x40;
            /* Bzzzzzzztt .... Operation complete.  */
            sd->state = sd_transfer_state;
        }
        break;

    case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
        if (sd->data_offset == 0) {
            /* Start of the block - let's check the address is valid */
            if (sd->data_start + sd->blk_len > sd->size) {
                sd->card_status |= ADDRESS_ERROR;
                break;
            }
            if (sd_wp_addr(sd, sd->data_start)) {
                sd->card_status |= WP_VIOLATION;
                break;
            }
        }
        sd->data[sd->data_offset++] = value;
        if (sd->data_offset >= sd->blk_len) {
            /* TODO: Check CRC before committing */
            sd->state = sd_programming_state;
            BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
            sd->blk_written++;
            /* Advance to the next block; its bounds are re-checked above
             * when its first byte arrives. */
            sd->data_start += sd->blk_len;
            sd->data_offset = 0;
            sd->csd[14] |= 0x40;

            /* Bzzzzzzztt .... Operation complete.  */
            if (sd->multi_blk_cnt != 0) {
                if (--sd->multi_blk_cnt == 0) {
                    /* Stop! */
                    sd->state = sd_transfer_state;
                    break;
                }
            }

            sd->state = sd_receivingdata_state;
        }
        break;

    case 26:	/* CMD26:  PROGRAM_CID */
        sd->data[sd->data_offset ++] = value;
        if (sd->data_offset >= sizeof(sd->cid)) {
            /* TODO: Check CRC before committing */
            sd->state = sd_programming_state;
            /* The CID is one-time programmable: any bit that differs from
             * the stored value is an overwrite attempt (the 0x00 mask
             * means no bits are writable). */
            for (i = 0; i < sizeof(sd->cid); i ++)
                if ((sd->cid[i] | 0x00) != sd->data[i])
                    sd->card_status |= CID_CSD_OVERWRITE;

            if (!(sd->card_status & CID_CSD_OVERWRITE))
                for (i = 0; i < sizeof(sd->cid); i ++) {
                    sd->cid[i] |= 0x00;
                    sd->cid[i] &= sd->data[i];
                }
            /* Bzzzzzzztt .... Operation complete.  */
            sd->state = sd_transfer_state;
        }
        break;

    case 27:	/* CMD27:  PROGRAM_CSD */
        sd->data[sd->data_offset ++] = value;
        if (sd->data_offset >= sizeof(sd->csd)) {
            /* TODO: Check CRC before committing */
            sd->state = sd_programming_state;
            /* Only bits covered by sd_csd_rw_mask may change; a difference
             * outside the mask is an overwrite attempt. */
            for (i = 0; i < sizeof(sd->csd); i ++)
                if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
                    (sd->data[i] | sd_csd_rw_mask[i]))
                    sd->card_status |= CID_CSD_OVERWRITE;

            /* Copy flag (OTP) & Permanent write protect */
            if (sd->csd[14] & ~sd->data[14] & 0x60)
                sd->card_status |= CID_CSD_OVERWRITE;

            if (!(sd->card_status & CID_CSD_OVERWRITE))
                for (i = 0; i < sizeof(sd->csd); i ++) {
                    sd->csd[i] |= sd_csd_rw_mask[i];
                    sd->csd[i] &= sd->data[i];
                }
            /* Bzzzzzzztt .... Operation complete.  */
            sd->state = sd_transfer_state;
        }
        break;

    case 42:	/* CMD42:  LOCK_UNLOCK */
        sd->data[sd->data_offset ++] = value;
        if (sd->data_offset >= sd->blk_len) {
            /* TODO: Check CRC before committing */
            sd->state = sd_programming_state;
            /* The password/lock block is parsed from sd->data. */
            sd_lock_command(sd);
            /* Bzzzzzzztt .... Operation complete.  */
            sd->state = sd_transfer_state;
        }
        break;

    case 56:	/* CMD56:  GEN_CMD */
        sd->data[sd->data_offset ++] = value;
        if (sd->data_offset >= sd->blk_len) {
            /* APP_WRITE_BLOCK expands to nothing: vendor data is discarded. */
            APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
            sd->state = sd_transfer_state;
        }
        break;

    default:
        qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
        break;
    }
}
1950 
/* Length of the CMD19 tuning block.  sd_read_byte() switches state once the
 * offset reaches SD_TUNING_BLOCK_SIZE - 1, so the pattern is never indexed
 * past its last element. */
#define SD_TUNING_BLOCK_SIZE    64

/* Fixed pattern clocked out in reply to CMD19 (SEND_TUNING_BLOCK).  It is
 * constant, read-only data: there is no guest-writable path into it. */
static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
    /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
    0xff, 0x0f, 0xff, 0x00,         0x0f, 0xfc, 0xc3, 0xcc,
    0xc3, 0x3c, 0xcc, 0xff,         0xfe, 0xff, 0xfe, 0xef,
    0xff, 0xdf, 0xff, 0xdd,         0xff, 0xfb, 0xff, 0xfb,
    0xbf, 0xff, 0x7f, 0xff,         0x77, 0xf7, 0xbd, 0xef,
    0xff, 0xf0, 0xff, 0xf0,         0x0f, 0xfc, 0xcc, 0x3c,
    0xcc, 0x33, 0xcc, 0xcf,         0xff, 0xef, 0xff, 0xee,
    0xff, 0xfd, 0xff, 0xfd,         0xdf, 0xff, 0xbf, 0xff,
    0xbb, 0xff, 0xf7, 0xff,         0xf7, 0x7f, 0x7b, 0xde,
};
1964 
/*
 * sd_read_byte: clock one data byte out of the card.
 *
 * Called by the host controller once per byte while a data-out transfer is
 * in progress.  The byte comes from whichever buffer the current command
 * filled (sd->data, sd->sd_status, sd->scr, or the fixed tuning pattern),
 * sd->data_offset advances, and the card drops back to Transfer state once
 * the whole block has been delivered.
 *
 * Returns 0x00, without advancing the offset, when:
 *  - there is no backing drive, it is not inserted, or the card is disabled;
 *  - the card is not in Sending-Data state (logged as a guest error);
 *  - an earlier block already set ADDRESS_ERROR or WP_VIOLATION (sticky);
 *  - the current command is not one this function handles.
 *
 * Bounds: every case stops at a fixed length (64, 16, sizeof(...), io_len
 * or blk_len), so the source buffer is never indexed beyond that length.
 * io_len / blk_len are guest-controlled (block length set by the guest, or
 * forced to 512 by the OCR); this function assumes they were validated
 * against the size of sd->data when they were set -- that check is not
 * visible here, confirm in the command path.
 */
uint8_t sd_read_byte(SDState *sd)
{
    /* TODO: Append CRCs */
    uint8_t ret;
    int io_len;

    /* No medium or card disabled: behave like an idle data line. */
    if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
        return 0x00;

    if (sd->state != sd_sendingdata_state) {
        qemu_log_mask(LOG_GUEST_ERROR,
                      "%s: not in Sending-Data state\n", __func__);
        return 0x00;
    }

    /* Sticky error from an earlier block (e.g. CMD18 running past the end
     * of the card): keep returning zeros rather than touching the backing
     * store again. */
    if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
        return 0x00;

    /* OCR bit 30 (high-capacity card): block length is fixed at 512 bytes;
     * otherwise the guest-programmed block length applies. */
    io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;

    trace_sdcard_read_data(sd->proto_name,
                           sd_acmd_name(sd->current_cmd),
                           sd->current_cmd, io_len);
    switch (sd->current_cmd) {
    case 6:	/* CMD6:   SWITCH_FUNCTION */
        /* 64-byte function status block buffered in sd->data. */
        ret = sd->data[sd->data_offset ++];

        if (sd->data_offset >= 64)
            sd->state = sd_transfer_state;
        break;

    case 9:	/* CMD9:   SEND_CSD */
    case 10:	/* CMD10:  SEND_CID */
        /* 16-byte register image buffered in sd->data. */
        ret = sd->data[sd->data_offset ++];

        if (sd->data_offset >= 16)
            sd->state = sd_transfer_state;
        break;

    case 13:	/* ACMD13: SD_STATUS */
        /* Served straight from the card's SD status register. */
        ret = sd->sd_status[sd->data_offset ++];

        if (sd->data_offset >= sizeof(sd->sd_status))
            sd->state = sd_transfer_state;
        break;

    case 17:	/* CMD17:  READ_SINGLE_BLOCK */
        /* The block is pulled in (BLK_READ_BLOCK, presumably from the
         * backing store into sd->data) on the first byte.  Unlike CMD18
         * below there is no end-of-card check in this path; the address
         * is expected to have been validated when CMD17 was accepted --
         * not visible in this function, confirm in the command handler. */
        if (sd->data_offset == 0)
            BLK_READ_BLOCK(sd->data_start, io_len);
        ret = sd->data[sd->data_offset ++];

        if (sd->data_offset >= io_len)
            sd->state = sd_transfer_state;
        break;

    case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
        if (sd->data_offset == 0) {
            /* Every new block is range-checked against the card size, so an
             * open-ended multi-block read cannot run past sd->size.  The
             * resulting ADDRESS_ERROR is sticky and short-circuits later
             * calls via the check above. */
            if (sd->data_start + io_len > sd->size) {
                sd->card_status |= ADDRESS_ERROR;
                return 0x00;
            }
            BLK_READ_BLOCK(sd->data_start, io_len);
        }
        ret = sd->data[sd->data_offset ++];

        if (sd->data_offset >= io_len) {
            sd->data_start += io_len;
            sd->data_offset = 0;

            /* multi_blk_cnt == 0 means open-ended (the host ends the
             * transfer itself); otherwise count down and stop when the
             * pre-set block count is exhausted. */
            if (sd->multi_blk_cnt != 0) {
                if (--sd->multi_blk_cnt == 0) {
                    /* Stop! */
                    sd->state = sd_transfer_state;
                    break;
                }
            }
        }
        break;

    case 19:    /* CMD19:  SEND_TUNING_BLOCK (SD) */
        /* State is switched before the final byte is emitted, so the index
         * used below is at most SD_TUNING_BLOCK_SIZE - 1. */
        if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
            sd->state = sd_transfer_state;
        }
        ret = sd_tuning_block_pattern[sd->data_offset++];
        break;

    case 22:	/* ACMD22: SEND_NUM_WR_BLOCKS */
        /* 4-byte value buffered in sd->data. */
        ret = sd->data[sd->data_offset ++];

        if (sd->data_offset >= 4)
            sd->state = sd_transfer_state;
        break;

    case 30:	/* CMD30:  SEND_WRITE_PROT */
        /* 4-byte value buffered in sd->data. */
        ret = sd->data[sd->data_offset ++];

        if (sd->data_offset >= 4)
            sd->state = sd_transfer_state;
        break;

    case 51:	/* ACMD51: SEND_SCR */
        /* Served straight from the card's SCR register. */
        ret = sd->scr[sd->data_offset ++];

        if (sd->data_offset >= sizeof(sd->scr))
            sd->state = sd_transfer_state;
        break;

    case 56:	/* CMD56:  GEN_CMD */
        /* Application-specific block.  Note this path uses sd->blk_len
         * directly rather than io_len, so it is not forced to 512 bytes on
         * high-capacity cards. */
        if (sd->data_offset == 0)
            APP_READ_BLOCK(sd->data_start, sd->blk_len);
        ret = sd->data[sd->data_offset ++];

        if (sd->data_offset >= sd->blk_len)
            sd->state = sd_transfer_state;
        break;

    default:
        qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
        return 0x00;
    }

    return ret;
}
2088 
/*
 * sd_data_ready: report whether the card currently has data to clock out.
 *
 * True exactly while the card sits in Sending-Data state, i.e. while
 * sd_read_byte() would return real bytes rather than 0x00.
 */
static bool sd_data_ready(SDState *sd)
{
    if (sd->state != sd_sendingdata_state) {
        return false;
    }
    return true;
}
2093 
/*
 * sd_enable: set the card's enable flag.
 *
 * While disabled, sd_read_byte() returns 0x00 for every request.  The flag
 * starts true (see sd_instance_init) and is only changed through here.
 */
void sd_enable(SDState *sd, bool enable)
{
    sd->enable = enable;
}
2098 
/*
 * sd_instance_init: QOM instance initializer.
 *
 * Creates the virtual-clock timer that drives sd_ocr_powerup (it is only
 * created here, not armed) and marks the card enabled.  The timer is torn
 * down in sd_instance_finalize.
 */
static void sd_instance_init(Object *obj)
{
    SDState *card = SD_CARD(obj);

    card->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
                                         sd_ocr_powerup, card);
    card->enable = true;
}
2106 
/*
 * sd_instance_finalize: QOM instance teardown.
 *
 * Detaches the OCR power-up timer before freeing it, so a still-pending
 * sd_ocr_powerup callback cannot be delivered against a freed timer.
 */
static void sd_instance_finalize(Object *obj)
{
    SDState *sd = SD_CARD(obj);

    timer_del(sd->ocr_power_timer);
    timer_free(sd->ocr_power_timer);
}
2114 
/*
 * sd_realize: validate the card's configuration and attach its drive.
 *
 * Fails (via errp, leaving the drive untouched) when:
 *  - spec_version is outside SD_PHY_SPECv1_10_VERS..SD_PHY_SPECv3_01_VERS;
 *  - the backing drive is read-only (the guest can always write the card);
 *  - the image length is not a power of two (a hint naming the next
 *    power-of-two size is appended);
 *  - the block backend refuses read/write permission.
 *
 * A card with no drive attached is accepted as-is.  Note that the size
 * check is skipped both for an empty image (length 0) and for a failed
 * blk_getlength() (negative), so neither of those fails realize.
 */
static void sd_realize(DeviceState *dev, Error **errp)
{
    SDState *sd = SD_CARD(dev);
    int64_t len;
    char *size_txt;

    sd->proto_name = sd->spi ? "SPI" : "SD";

    /* Only the spec revisions this model knows how to advertise. */
    if (sd->spec_version < SD_PHY_SPECv1_10_VERS ||
        sd->spec_version > SD_PHY_SPECv3_01_VERS) {
        error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
        return;
    }

    /* Nothing more to validate without a backing drive. */
    if (!sd->blk) {
        return;
    }

    /* The emulation always presents a writable card, so refuse a backend
     * that cannot honour guest writes. */
    if (blk_is_read_only(sd->blk)) {
        error_setg(errp, "Cannot use read-only drive as SD card");
        return;
    }

    len = blk_getlength(sd->blk);
    if (len > 0 && !is_power_of_2(len)) {
        size_txt = size_to_str(len);
        error_setg(errp, "Invalid SD card size: %s", size_txt);
        g_free(size_txt);

        /* Suggest the smallest power-of-two image that would fit. */
        size_txt = size_to_str(pow2ceil(len));
        error_append_hint(errp,
                          "SD card size has to be a power of 2, e.g. %s.\n"
                          "You can resize disk images with"
                          " 'qemu-img resize <imagefile> <new-size>'\n"
                          "(note that this will lose data if you make the"
                          " image smaller than it currently is).\n",
                          size_txt);
        g_free(size_txt);
        return;
    }

    /* Claim read + write on the backend; any other sharing is tolerated. */
    if (blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
                     BLK_PERM_ALL, errp) < 0) {
        return;
    }
    blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
}
2169 
/*
 * User-visible device properties.
 *  spec_version: SD physical-layer spec revision to emulate; sd_realize()
 *                rejects values outside the supported range.
 *  drive:        backing block device; must be writable and a power-of-two
 *                size (checked in sd_realize()).
 *  spi:          select SPI rather than native SD signalling (see below).
 */
static Property sd_properties[] = {
    DEFINE_PROP_UINT8("spec_version", SDState,
                      spec_version, SD_PHY_SPECv2_00_VERS),
    DEFINE_PROP_DRIVE("drive", SDState, blk),
    /* We do not model the chip select pin, so allow the board to select
     * whether card should be in SSI or MMC/SD mode.  It is also up to the
     * board to ensure that ssi transfers only occur when the chip select
     * is asserted.  */
    DEFINE_PROP_BOOL("spi", SDState, spi, false),
    DEFINE_PROP_END_OF_LIST()
};
2181 
/*
 * sd_class_init: wire up the TYPE_SD_CARD class.
 *
 * Installs the card-side protocol hooks the SD bus calls into (command,
 * byte-wise data in/out, line state, voltage, insertion/read-only queries)
 * and the generic device plumbing (realize, properties, migration state,
 * reset, bus type, category).
 */
static void sd_class_init(ObjectClass *klass, void *data)
{
    SDCardClass *sc = SD_CARD_CLASS(klass);
    DeviceClass *dc = DEVICE_CLASS(klass);

    /* Protocol hooks: command and data path. */
    sc->do_command = sd_do_command;
    sc->write_byte = sd_write_byte;
    sc->read_byte = sd_read_byte;
    sc->data_ready = sd_data_ready;

    /* Protocol hooks: electrical / card status. */
    sc->set_voltage = sd_set_voltage;
    sc->get_dat_lines = sd_get_dat_lines;
    sc->get_cmd_line = sd_get_cmd_line;
    sc->enable = sd_enable;
    sc->get_inserted = sd_get_inserted;
    sc->get_readonly = sd_get_readonly;

    /* Generic device plumbing. */
    dc->realize = sd_realize;
    device_class_set_props(dc, sd_properties);
    dc->vmsd = &sd_vmstate;
    dc->reset = sd_reset;
    dc->bus_type = TYPE_SD_BUS;
    set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
}
2205 
/* QOM type description for the emulated SD card: a plain device with its
 * own class struct, per-instance init/finalize, and sd_class_init hooks. */
static const TypeInfo sd_info = {
    .name = TYPE_SD_CARD,
    .parent = TYPE_DEVICE,
    .instance_size = sizeof(SDState),
    .class_size = sizeof(SDCardClass),
    .class_init = sd_class_init,
    .instance_init = sd_instance_init,
    .instance_finalize = sd_instance_finalize,
};
2215 
/* Register TYPE_SD_CARD with the QOM type system. */
static void sd_register_types(void)
{
    type_register_static(&sd_info);
}
2220 
/* Run sd_register_types() at module-init time. */
type_init(sd_register_types)
2222