1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "qemu/osdep.h" 34 #include "qemu/units.h" 35 #include "qemu/cutils.h" 36 #include "hw/irq.h" 37 #include "hw/registerfields.h" 38 #include "sysemu/block-backend.h" 39 #include "hw/sd/sd.h" 40 #include "hw/sd/sdcard_legacy.h" 41 #include "migration/vmstate.h" 42 #include "qapi/error.h" 43 #include "qemu/bitmap.h" 44 #include "hw/qdev-properties.h" 45 #include "hw/qdev-properties-system.h" 46 #include "qemu/error-report.h" 47 #include "qemu/timer.h" 48 #include "qemu/log.h" 49 #include "qemu/module.h" 50 #include "sdmmc-internal.h" 51 #include "trace.h" 52 53 //#define DEBUG_SD 1 54 55 #define SDSC_MAX_CAPACITY (2 * GiB) 56 57 #define INVALID_ADDRESS UINT32_MAX 58 59 typedef enum { 60 sd_r0 = 0, /* no response */ 61 sd_r1, /* normal response command */ 62 sd_r2_i, /* CID register */ 63 sd_r2_s, /* CSD register */ 64 sd_r3, /* OCR register */ 65 sd_r6 = 6, /* Published RCA response */ 66 sd_r7, /* Operating voltage */ 67 sd_r1b = -1, 68 sd_illegal = -2, 69 } sd_rsp_type_t; 70 71 enum SDCardModes { 72 sd_inactive, 73 sd_card_identification_mode, 74 sd_data_transfer_mode, 75 }; 76 77 enum SDCardStates { 78 sd_inactive_state = -1, 79 sd_idle_state = 0, 80 sd_ready_state = 1, 81 sd_identification_state = 2, 82 sd_standby_state = 3, 83 sd_transfer_state = 4, 84 sd_sendingdata_state = 5, 85 sd_receivingdata_state = 6, 86 sd_programming_state = 7, 87 sd_disconnect_state = 8, 88 }; 89 90 #define SDMMC_CMD_MAX 64 91 92 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req); 93 94 typedef struct SDProto { 95 const char *name; 96 struct { 97 const sd_cmd_type_t type; 98 const char *name; 99 sd_cmd_handler handler; 100 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX]; 101 } SDProto; 102 103 struct SDState { 104 DeviceState parent_obj; 105 106 /* If true, created by sd_init() for a non-qdevified caller */ 107 /* TODO purge them with fire */ 108 bool me_no_qdev_me_kill_mammoth_with_rocks; 109 110 /* SD Memory Card Registers */ 111 uint32_t ocr; 112 uint8_t scr[8]; 113 uint8_t cid[16]; 114 uint8_t csd[16]; 115 uint16_t rca; 116 uint32_t card_status; 117 uint8_t sd_status[64]; 118 119 /* Static properties */ 120 121 uint8_t spec_version; 122 BlockBackend *blk; 123 124 const SDProto *proto; 125 126 /* Runtime changeables */ 127 128 uint32_t mode; /* current card mode, one of SDCardModes */ 129 int32_t state; /* current card state, one of SDCardStates */ 130 uint32_t vhs; 131 bool wp_switch; 132 unsigned long *wp_group_bmap; 133 int32_t wp_group_bits; 134 uint64_t size; 135 uint32_t blk_len; 136 uint32_t multi_blk_cnt; 137 uint32_t erase_start; 138 uint32_t erase_end; 139 uint8_t pwd[16]; 140 uint32_t pwd_len; 141 uint8_t function_group[6]; 142 uint8_t current_cmd; 143 const char *last_cmd_name; 144 /* True if we will handle the next command as an ACMD. Note that this does 145 * *not* track the APP_CMD status bit! 146 */ 147 bool expecting_acmd; 148 uint32_t blk_written; 149 150 uint64_t data_start; 151 uint32_t data_offset; 152 size_t data_size; 153 uint8_t data[512]; 154 qemu_irq readonly_cb; 155 qemu_irq inserted_cb; 156 QEMUTimer *ocr_power_timer; 157 bool enable; 158 uint8_t dat_lines; 159 bool cmd_line; 160 }; 161 162 static void sd_realize(DeviceState *dev, Error **errp); 163 164 static const SDProto sd_proto_spi; 165 166 static bool sd_is_spi(SDState *sd) 167 { 168 return sd->proto == &sd_proto_spi; 169 } 170 171 static const char *sd_version_str(enum SDPhySpecificationVersion version) 172 { 173 static const char *sdphy_version[] = { 174 [SD_PHY_SPECv1_10_VERS] = "v1.10", 175 [SD_PHY_SPECv2_00_VERS] = "v2.00", 176 [SD_PHY_SPECv3_01_VERS] = "v3.01", 177 }; 178 if (version >= ARRAY_SIZE(sdphy_version)) { 179 return "unsupported version"; 180 } 181 return sdphy_version[version]; 182 } 183 184 static const char *sd_mode_name(enum SDCardModes mode) 185 { 186 static const char *mode_name[] = { 187 [sd_inactive] = "inactive", 188 [sd_card_identification_mode] = "identification", 189 [sd_data_transfer_mode] = "transfer", 190 }; 191 assert(mode < ARRAY_SIZE(mode_name)); 192 return mode_name[mode]; 193 } 194 195 static const char *sd_state_name(enum SDCardStates state) 196 { 197 static const char *state_name[] = { 198 [sd_idle_state] = "idle", 199 [sd_ready_state] = "ready", 200 [sd_identification_state] = "identification", 201 [sd_standby_state] = "standby", 202 [sd_transfer_state] = "transfer", 203 [sd_sendingdata_state] = "sendingdata", 204 [sd_receivingdata_state] = "receivingdata", 205 [sd_programming_state] = "programming", 206 [sd_disconnect_state] = "disconnect", 207 }; 208 if (state == sd_inactive_state) { 209 return "inactive"; 210 } 211 assert(state < ARRAY_SIZE(state_name)); 212 return state_name[state]; 213 } 214 215 static const char *sd_response_name(sd_rsp_type_t rsp) 216 { 217 static const char *response_name[] = { 218 [sd_r0] = "RESP#0 (no response)", 219 [sd_r1] = "RESP#1 (normal cmd)", 220 [sd_r2_i] = "RESP#2 (CID reg)", 221 [sd_r2_s] = "RESP#2 (CSD reg)", 222 [sd_r3] = "RESP#3 (OCR reg)", 223 [sd_r6] = "RESP#6 (RCA)", 224 [sd_r7] = "RESP#7 (operating voltage)", 225 }; 226 if (rsp == sd_illegal) { 227 return "ILLEGAL RESP"; 228 } 229 if (rsp == sd_r1b) { 230 rsp = sd_r1; 231 } 232 assert(rsp < ARRAY_SIZE(response_name)); 233 return response_name[rsp]; 234 } 235 236 static const char *sd_cmd_name(SDState *sd, uint8_t cmd) 237 { 238 static const char *cmd_abbrev[SDMMC_CMD_MAX] = { 239 [4] = "SET_DSR", [5] = "IO_SEND_OP_COND", 240 [6] = "SWITCH_FUNC", [7] = "SELECT/DESELECT_CARD", 241 [8] = "SEND_IF_COND", [9] = "SEND_CSD", 242 [10] = "SEND_CID", [11] = "VOLTAGE_SWITCH", 243 [12] = "STOP_TRANSMISSION", [13] = "SEND_STATUS", 244 [15] = "GO_INACTIVE_STATE", 245 [16] = "SET_BLOCKLEN", [17] = "READ_SINGLE_BLOCK", 246 [18] = "READ_MULTIPLE_BLOCK", 247 [20] = "SPEED_CLASS_CONTROL", [21] = "DPS_spec", 248 [24] = "WRITE_BLOCK", [25] = "WRITE_MULTIPLE_BLOCK", 249 [26] = "MANUF_RSVD", [27] = "PROGRAM_CSD", 250 [28] = "SET_WRITE_PROT", [29] = "CLR_WRITE_PROT", 251 [30] = "SEND_WRITE_PROT", 252 [32] = "ERASE_WR_BLK_START", [33] = "ERASE_WR_BLK_END", 253 [34] = "SW_FUNC_RSVD", [35] = "SW_FUNC_RSVD", 254 [36] = "SW_FUNC_RSVD", [37] = "SW_FUNC_RSVD", 255 [38] = "ERASE", 256 [40] = "DPS_spec", 257 [42] = "LOCK_UNLOCK", [43] = "Q_MANAGEMENT", 258 [44] = "Q_TASK_INFO_A", [45] = "Q_TASK_INFO_B", 259 [46] = "Q_RD_TASK", [47] = "Q_WR_TASK", 260 [48] = "READ_EXTR_SINGLE", [49] = "WRITE_EXTR_SINGLE", 261 [50] = "SW_FUNC_RSVD", 262 [52] = "IO_RW_DIRECT", [53] = "IO_RW_EXTENDED", 263 [54] = "SDIO_RSVD", [55] = "APP_CMD", 264 [56] = "GEN_CMD", [57] = "SW_FUNC_RSVD", 265 [58] = "READ_EXTR_MULTI", [59] = "WRITE_EXTR_MULTI", 266 [60] = "MANUF_RSVD", [61] = "MANUF_RSVD", 267 [62] = "MANUF_RSVD", [63] = "MANUF_RSVD", 268 }; 269 const SDProto *sdp = sd->proto; 270 271 if (sdp->cmd[cmd].handler) { 272 assert(!cmd_abbrev[cmd]); 273 return sdp->cmd[cmd].name; 274 } 275 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD"; 276 } 277 278 static const char *sd_acmd_name(SDState *sd, uint8_t cmd) 279 { 280 static const char *acmd_abbrev[SDMMC_CMD_MAX] = { 281 [6] = "SET_BUS_WIDTH", 282 [13] = "SD_STATUS", 283 [14] = "DPS_spec", [15] = "DPS_spec", 284 [16] = "DPS_spec", 285 [18] = "SECU_spec", 286 [22] = "SEND_NUM_WR_BLOCKS", [23] = "SET_WR_BLK_ERASE_COUNT", 287 [42] = "SET_CLR_CARD_DETECT", 288 [51] = "SEND_SCR", 289 [52] = "SECU_spec", [53] = "SECU_spec", 290 [54] = "SECU_spec", 291 [56] = "SECU_spec", [57] = "SECU_spec", 292 [58] = "SECU_spec", [59] = "SECU_spec", 293 }; 294 const SDProto *sdp = sd->proto; 295 296 if (sdp->acmd[cmd].handler) { 297 assert(!acmd_abbrev[cmd]); 298 return sdp->acmd[cmd].name; 299 } 300 301 return acmd_abbrev[cmd] ? acmd_abbrev[cmd] : "UNKNOWN_ACMD"; 302 } 303 304 static uint8_t sd_get_dat_lines(SDState *sd) 305 { 306 return sd->enable ? sd->dat_lines : 0; 307 } 308 309 static bool sd_get_cmd_line(SDState *sd) 310 { 311 return sd->enable ? sd->cmd_line : false; 312 } 313 314 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 315 { 316 trace_sdcard_set_voltage(millivolts); 317 318 switch (millivolts) { 319 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 320 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 321 break; 322 default: 323 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 324 millivolts / 1000.f); 325 } 326 } 327 328 static void sd_set_mode(SDState *sd) 329 { 330 switch (sd->state) { 331 case sd_inactive_state: 332 sd->mode = sd_inactive; 333 break; 334 335 case sd_idle_state: 336 case sd_ready_state: 337 case sd_identification_state: 338 sd->mode = sd_card_identification_mode; 339 break; 340 341 case sd_standby_state: 342 case sd_transfer_state: 343 case sd_sendingdata_state: 344 case sd_receivingdata_state: 345 case sd_programming_state: 346 case sd_disconnect_state: 347 sd->mode = sd_data_transfer_mode; 348 break; 349 } 350 } 351 352 static const int sd_cmd_class[SDMMC_CMD_MAX] = { 353 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 354 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6, 355 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7, 356 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8, 357 }; 358 359 static uint8_t sd_crc7(const void *message, size_t width) 360 { 361 int i, bit; 362 uint8_t shift_reg = 0x00; 363 const uint8_t *msg = (const uint8_t *)message; 364 365 for (i = 0; i < width; i ++, msg ++) 366 for (bit = 7; bit >= 0; bit --) { 367 shift_reg <<= 1; 368 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 369 shift_reg ^= 0x89; 370 } 371 372 return shift_reg; 373 } 374 375 /* Operation Conditions register */ 376 377 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 378 379 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 380 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 381 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 382 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 383 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 384 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 385 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 386 FIELD(OCR, CARD_POWER_UP, 31, 1) 387 388 #define ACMD41_ENQUIRY_MASK 0x00ffffff 389 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 390 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 391 | R_OCR_UHS_II_CARD_MASK \ 392 | R_OCR_CARD_CAPACITY_MASK \ 393 | R_OCR_CARD_POWER_UP_MASK) 394 395 static void sd_ocr_powerup(void *opaque) 396 { 397 SDState *sd = opaque; 398 399 trace_sdcard_powerup(); 400 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 401 402 /* card power-up OK */ 403 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 404 405 if (sd->size > SDSC_MAX_CAPACITY) { 406 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 407 } 408 } 409 410 static void sd_set_ocr(SDState *sd) 411 { 412 /* All voltages OK */ 413 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 414 415 if (sd_is_spi(sd)) { 416 /* 417 * We don't need to emulate power up sequence in SPI-mode. 418 * Thus, the card's power up status bit should be set to 1 when reset. 419 * The card's capacity status bit should also be set if SD card size 420 * is larger than 2GB for SDHC support. 421 */ 422 sd_ocr_powerup(sd); 423 } 424 } 425 426 /* SD Configuration register */ 427 428 static void sd_set_scr(SDState *sd) 429 { 430 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 431 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 432 sd->scr[0] |= 1; /* Spec Version 1.10 */ 433 } else { 434 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 435 } 436 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 437 | 0b0101; /* 1-bit or 4-bit width bus modes */ 438 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 439 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 440 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 441 } 442 sd->scr[3] = 0x00; 443 /* reserved for manufacturer usage */ 444 sd->scr[4] = 0x00; 445 sd->scr[5] = 0x00; 446 sd->scr[6] = 0x00; 447 sd->scr[7] = 0x00; 448 } 449 450 /* Card IDentification register */ 451 452 #define MID 0xaa 453 #define OID "XY" 454 #define PNM "QEMU!" 455 #define PRV 0x01 456 #define MDT_YR 2006 457 #define MDT_MON 2 458 459 static void sd_set_cid(SDState *sd) 460 { 461 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 462 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 463 sd->cid[2] = OID[1]; 464 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 465 sd->cid[4] = PNM[1]; 466 sd->cid[5] = PNM[2]; 467 sd->cid[6] = PNM[3]; 468 sd->cid[7] = PNM[4]; 469 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 470 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */ 471 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 472 ((MDT_YR - 2000) / 10); 473 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 474 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 475 } 476 477 /* Card-Specific Data register */ 478 479 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 480 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 481 #define WPGROUP_SHIFT 7 /* 2 megs */ 482 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 483 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 484 485 static const uint8_t sd_csd_rw_mask[16] = { 486 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 488 }; 489 490 static void sd_set_csd(SDState *sd, uint64_t size) 491 { 492 int hwblock_shift = HWBLOCK_SHIFT; 493 uint32_t csize; 494 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 495 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 496 497 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */ 498 if (size == SDSC_MAX_CAPACITY) { 499 hwblock_shift += 1; 500 } 501 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1; 502 503 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */ 504 sd->csd[0] = 0x00; /* CSD structure */ 505 sd->csd[1] = 0x26; /* Data read access-time-1 */ 506 sd->csd[2] = 0x00; /* Data read access-time-2 */ 507 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 508 sd->csd[4] = 0x5f; /* Card Command Classes */ 509 sd->csd[5] = 0x50 | /* Max. read data block length */ 510 hwblock_shift; 511 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 512 ((csize >> 10) & 0x03); 513 sd->csd[7] = 0x00 | /* Device size */ 514 ((csize >> 2) & 0xff); 515 sd->csd[8] = 0x3f | /* Max. read current */ 516 ((csize << 6) & 0xc0); 517 sd->csd[9] = 0xfc | /* Max. write current */ 518 ((CMULT_SHIFT - 2) >> 1); 519 sd->csd[10] = 0x40 | /* Erase sector size */ 520 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 521 sd->csd[11] = 0x00 | /* Write protect group size */ 522 ((sectsize << 7) & 0x80) | wpsize; 523 sd->csd[12] = 0x90 | /* Write speed factor */ 524 (hwblock_shift >> 2); 525 sd->csd[13] = 0x20 | /* Max. write data block length */ 526 ((hwblock_shift << 6) & 0xc0); 527 sd->csd[14] = 0x00; /* File format group */ 528 } else { /* SDHC */ 529 size /= 512 * KiB; 530 size -= 1; 531 sd->csd[0] = 0x40; 532 sd->csd[1] = 0x0e; 533 sd->csd[2] = 0x00; 534 sd->csd[3] = 0x32; 535 sd->csd[4] = 0x5b; 536 sd->csd[5] = 0x59; 537 sd->csd[6] = 0x00; 538 st24_be_p(&sd->csd[7], size); 539 sd->csd[10] = 0x7f; 540 sd->csd[11] = 0x80; 541 sd->csd[12] = 0x0a; 542 sd->csd[13] = 0x40; 543 sd->csd[14] = 0x00; 544 } 545 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 546 } 547 548 /* Relative Card Address register */ 549 550 static void sd_set_rca(SDState *sd) 551 { 552 sd->rca += 0x4567; 553 } 554 555 static uint16_t sd_req_get_rca(SDState *s, SDRequest req) 556 { 557 switch (s->proto->cmd[req.cmd].type) { 558 case sd_none: 559 /* Called from legacy code not ported to SDProto array */ 560 assert(!s->proto->cmd[req.cmd].handler); 561 /* fall-through */ 562 case sd_ac: 563 case sd_adtc: 564 return req.arg >> 16; 565 case sd_spi: 566 g_assert_not_reached(); 567 default: 568 return 0; 569 } 570 } 571 572 /* Card Status register */ 573 574 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 575 FIELD(CSR, APP_CMD, 5, 1) 576 FIELD(CSR, FX_EVENT, 6, 1) 577 FIELD(CSR, READY_FOR_DATA, 8, 1) 578 FIELD(CSR, CURRENT_STATE, 9, 4) 579 FIELD(CSR, ERASE_RESET, 13, 1) 580 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 581 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 582 FIELD(CSR, CSD_OVERWRITE, 16, 1) 583 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 584 FIELD(CSR, ERROR, 19, 1) 585 FIELD(CSR, CC_ERROR, 20, 1) 586 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 587 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 588 FIELD(CSR, COM_CRC_ERROR, 23, 1) 589 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 590 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 591 FIELD(CSR, WP_VIOLATION, 26, 1) 592 FIELD(CSR, ERASE_PARAM, 27, 1) 593 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 594 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 595 FIELD(CSR, ADDRESS_ERROR, 30, 1) 596 FIELD(CSR, OUT_OF_RANGE, 31, 1) 597 598 /* Card status bits, split by clear condition: 599 * A : According to the card current state 600 * B : Always related to the previous command 601 * C : Cleared by read 602 */ 603 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 604 | R_CSR_CARD_ECC_DISABLED_MASK \ 605 | R_CSR_CARD_IS_LOCKED_MASK) 606 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 607 | R_CSR_ILLEGAL_COMMAND_MASK \ 608 | R_CSR_COM_CRC_ERROR_MASK) 609 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 610 | R_CSR_APP_CMD_MASK \ 611 | R_CSR_ERASE_RESET_MASK \ 612 | R_CSR_WP_ERASE_SKIP_MASK \ 613 | R_CSR_CSD_OVERWRITE_MASK \ 614 | R_CSR_ERROR_MASK \ 615 | R_CSR_CC_ERROR_MASK \ 616 | R_CSR_CARD_ECC_FAILED_MASK \ 617 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 618 | R_CSR_WP_VIOLATION_MASK \ 619 | R_CSR_ERASE_PARAM_MASK \ 620 | R_CSR_ERASE_SEQ_ERROR_MASK \ 621 | R_CSR_BLOCK_LEN_ERROR_MASK \ 622 | R_CSR_ADDRESS_ERROR_MASK \ 623 | R_CSR_OUT_OF_RANGE_MASK) 624 625 static void sd_set_cardstatus(SDState *sd) 626 { 627 sd->card_status = READY_FOR_DATA; 628 } 629 630 static void sd_set_sdstatus(SDState *sd) 631 { 632 memset(sd->sd_status, 0, 64); 633 } 634 635 static const uint8_t sd_tuning_block_pattern4[64] = { 636 /* 637 * See: Physical Layer Simplified Specification Version 3.01, 638 * Table 4-2. 639 */ 640 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 641 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 642 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 643 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 644 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 645 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 646 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 647 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde 648 }; 649 650 static int sd_req_crc_validate(SDRequest *req) 651 { 652 uint8_t buffer[5]; 653 buffer[0] = 0x40 | req->cmd; 654 stl_be_p(&buffer[1], req->arg); 655 return 0; 656 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 657 } 658 659 static void sd_response_r1_make(SDState *sd, uint8_t *response) 660 { 661 stl_be_p(response, sd->card_status); 662 663 /* Clear the "clear on read" status bits */ 664 sd->card_status &= ~CARD_STATUS_C; 665 } 666 667 static void sd_response_r3_make(SDState *sd, uint8_t *response) 668 { 669 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 670 } 671 672 static void sd_response_r6_make(SDState *sd, uint8_t *response) 673 { 674 uint16_t status; 675 676 status = ((sd->card_status >> 8) & 0xc000) | 677 ((sd->card_status >> 6) & 0x2000) | 678 (sd->card_status & 0x1fff); 679 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 680 stw_be_p(response + 0, sd->rca); 681 stw_be_p(response + 2, status); 682 } 683 684 static void sd_response_r7_make(SDState *sd, uint8_t *response) 685 { 686 stl_be_p(response, sd->vhs); 687 } 688 689 static uint32_t sd_blk_len(SDState *sd) 690 { 691 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 692 return 1 << HWBLOCK_SHIFT; 693 } 694 return sd->blk_len; 695 } 696 697 static uint64_t sd_req_get_address(SDState *sd, SDRequest req) 698 { 699 uint64_t addr; 700 701 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 702 addr = (uint64_t) req.arg << HWBLOCK_SHIFT; 703 } else { 704 addr = req.arg; 705 } 706 trace_sdcard_req_addr(req.arg, addr); 707 return addr; 708 } 709 710 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 711 { 712 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 713 } 714 715 static void sd_reset(DeviceState *dev) 716 { 717 SDState *sd = SD_CARD(dev); 718 uint64_t size; 719 uint64_t sect; 720 721 trace_sdcard_reset(); 722 if (sd->blk) { 723 blk_get_geometry(sd->blk, §); 724 } else { 725 sect = 0; 726 } 727 size = sect << HWBLOCK_SHIFT; 728 729 sect = sd_addr_to_wpnum(size) + 1; 730 731 sd->state = sd_idle_state; 732 733 /* card registers */ 734 sd->rca = 0x0000; 735 sd->size = size; 736 sd_set_ocr(sd); 737 sd_set_scr(sd); 738 sd_set_cid(sd); 739 sd_set_csd(sd, size); 740 sd_set_cardstatus(sd); 741 sd_set_sdstatus(sd); 742 743 g_free(sd->wp_group_bmap); 744 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false; 745 sd->wp_group_bits = sect; 746 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits); 747 memset(sd->function_group, 0, sizeof(sd->function_group)); 748 sd->erase_start = INVALID_ADDRESS; 749 sd->erase_end = INVALID_ADDRESS; 750 sd->blk_len = 0x200; 751 sd->pwd_len = 0; 752 sd->expecting_acmd = false; 753 sd->dat_lines = 0xf; 754 sd->cmd_line = true; 755 sd->multi_blk_cnt = 0; 756 } 757 758 static bool sd_get_inserted(SDState *sd) 759 { 760 return sd->blk && blk_is_inserted(sd->blk); 761 } 762 763 static bool sd_get_readonly(SDState *sd) 764 { 765 return sd->wp_switch; 766 } 767 768 static void sd_cardchange(void *opaque, bool load, Error **errp) 769 { 770 SDState *sd = opaque; 771 DeviceState *dev = DEVICE(sd); 772 SDBus *sdbus; 773 bool inserted = sd_get_inserted(sd); 774 bool readonly = sd_get_readonly(sd); 775 776 if (inserted) { 777 trace_sdcard_inserted(readonly); 778 sd_reset(dev); 779 } else { 780 trace_sdcard_ejected(); 781 } 782 783 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) { 784 qemu_set_irq(sd->inserted_cb, inserted); 785 if (inserted) { 786 qemu_set_irq(sd->readonly_cb, readonly); 787 } 788 } else { 789 sdbus = SD_BUS(qdev_get_parent_bus(dev)); 790 sdbus_set_inserted(sdbus, inserted); 791 if (inserted) { 792 sdbus_set_readonly(sdbus, readonly); 793 } 794 } 795 } 796 797 static const BlockDevOps sd_block_ops = { 798 .change_media_cb = sd_cardchange, 799 }; 800 801 static bool sd_ocr_vmstate_needed(void *opaque) 802 { 803 SDState *sd = opaque; 804 805 /* Include the OCR state (and timer) if it is not yet powered up */ 806 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 807 } 808 809 static const VMStateDescription sd_ocr_vmstate = { 810 .name = "sd-card/ocr-state", 811 .version_id = 1, 812 .minimum_version_id = 1, 813 .needed = sd_ocr_vmstate_needed, 814 .fields = (const VMStateField[]) { 815 VMSTATE_UINT32(ocr, SDState), 816 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 817 VMSTATE_END_OF_LIST() 818 }, 819 }; 820 821 static int sd_vmstate_pre_load(void *opaque) 822 { 823 SDState *sd = opaque; 824 825 /* If the OCR state is not included (prior versions, or not 826 * needed), then the OCR must be set as powered up. If the OCR state 827 * is included, this will be replaced by the state restore. 828 */ 829 sd_ocr_powerup(sd); 830 831 return 0; 832 } 833 834 static const VMStateDescription sd_vmstate = { 835 .name = "sd-card", 836 .version_id = 2, 837 .minimum_version_id = 2, 838 .pre_load = sd_vmstate_pre_load, 839 .fields = (const VMStateField[]) { 840 VMSTATE_UINT32(mode, SDState), 841 VMSTATE_INT32(state, SDState), 842 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 843 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 844 VMSTATE_UINT16(rca, SDState), 845 VMSTATE_UINT32(card_status, SDState), 846 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 847 VMSTATE_UINT32(vhs, SDState), 848 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits), 849 VMSTATE_UINT32(blk_len, SDState), 850 VMSTATE_UINT32(multi_blk_cnt, SDState), 851 VMSTATE_UINT32(erase_start, SDState), 852 VMSTATE_UINT32(erase_end, SDState), 853 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 854 VMSTATE_UINT32(pwd_len, SDState), 855 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 856 VMSTATE_UINT8(current_cmd, SDState), 857 VMSTATE_BOOL(expecting_acmd, SDState), 858 VMSTATE_UINT32(blk_written, SDState), 859 VMSTATE_UINT64(data_start, SDState), 860 VMSTATE_UINT32(data_offset, SDState), 861 VMSTATE_UINT8_ARRAY(data, SDState, 512), 862 VMSTATE_UNUSED_V(1, 512), 863 VMSTATE_BOOL(enable, SDState), 864 VMSTATE_END_OF_LIST() 865 }, 866 .subsections = (const VMStateDescription * const []) { 867 &sd_ocr_vmstate, 868 NULL 869 }, 870 }; 871 872 /* Legacy initialization function for use by non-qdevified callers */ 873 SDState *sd_init(BlockBackend *blk, bool is_spi) 874 { 875 Object *obj; 876 DeviceState *dev; 877 SDState *sd; 878 Error *err = NULL; 879 880 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD); 881 dev = DEVICE(obj); 882 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) { 883 error_reportf_err(err, "sd_init failed: "); 884 return NULL; 885 } 886 887 /* 888 * Realizing the device properly would put it into the QOM 889 * composition tree even though it is not plugged into an 890 * appropriate bus. That's a no-no. Hide the device from 891 * QOM/qdev, and call its qdev realize callback directly. 892 */ 893 object_ref(obj); 894 object_unparent(obj); 895 sd_realize(dev, &err); 896 if (err) { 897 error_reportf_err(err, "sd_init failed: "); 898 return NULL; 899 } 900 901 sd = SD_CARD(dev); 902 sd->me_no_qdev_me_kill_mammoth_with_rocks = true; 903 return sd; 904 } 905 906 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 907 { 908 sd->readonly_cb = readonly; 909 sd->inserted_cb = insert; 910 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0); 911 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 912 } 913 914 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 915 { 916 trace_sdcard_read_block(addr, len); 917 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) { 918 fprintf(stderr, "sd_blk_read: read error on host side\n"); 919 } 920 } 921 922 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 923 { 924 trace_sdcard_write_block(addr, len); 925 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) { 926 fprintf(stderr, "sd_blk_write: write error on host side\n"); 927 } 928 } 929 930 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 931 #define APP_WRITE_BLOCK(a, len) 932 933 static void sd_erase(SDState *sd) 934 { 935 uint64_t erase_start = sd->erase_start; 936 uint64_t erase_end = sd->erase_end; 937 bool sdsc = true; 938 uint64_t wpnum; 939 uint64_t erase_addr; 940 int erase_len = 1 << HWBLOCK_SHIFT; 941 942 trace_sdcard_erase(sd->erase_start, sd->erase_end); 943 if (sd->erase_start == INVALID_ADDRESS 944 || sd->erase_end == INVALID_ADDRESS) { 945 sd->card_status |= ERASE_SEQ_ERROR; 946 sd->erase_start = INVALID_ADDRESS; 947 sd->erase_end = INVALID_ADDRESS; 948 return; 949 } 950 951 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 952 /* High capacity memory card: erase units are 512 byte blocks */ 953 erase_start <<= HWBLOCK_SHIFT; 954 erase_end <<= HWBLOCK_SHIFT; 955 sdsc = false; 956 } 957 958 if (erase_start > sd->size || erase_end > sd->size) { 959 sd->card_status |= OUT_OF_RANGE; 960 sd->erase_start = INVALID_ADDRESS; 961 sd->erase_end = INVALID_ADDRESS; 962 return; 963 } 964 965 sd->erase_start = INVALID_ADDRESS; 966 sd->erase_end = INVALID_ADDRESS; 967 sd->csd[14] |= 0x40; 968 969 memset(sd->data, 0xff, erase_len); 970 for (erase_addr = erase_start; erase_addr <= erase_end; 971 erase_addr += erase_len) { 972 if (sdsc) { 973 /* Only SDSC cards support write protect groups */ 974 wpnum = sd_addr_to_wpnum(erase_addr); 975 assert(wpnum < sd->wp_group_bits); 976 if (test_bit(wpnum, sd->wp_group_bmap)) { 977 sd->card_status |= WP_ERASE_SKIP; 978 continue; 979 } 980 } 981 sd_blk_write(sd, erase_addr, erase_len); 982 } 983 } 984 985 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 986 { 987 uint32_t i, wpnum; 988 uint32_t ret = 0; 989 990 wpnum = sd_addr_to_wpnum(addr); 991 992 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 993 if (addr >= sd->size) { 994 /* 995 * If the addresses of the last groups are outside the valid range, 996 * then the corresponding write protection bits shall be set to 0. 997 */ 998 continue; 999 } 1000 assert(wpnum < sd->wp_group_bits); 1001 if (test_bit(wpnum, sd->wp_group_bmap)) { 1002 ret |= (1 << i); 1003 } 1004 } 1005 1006 return ret; 1007 } 1008 1009 static void sd_function_switch(SDState *sd, uint32_t arg) 1010 { 1011 int i, mode, new_func; 1012 mode = !!(arg & 0x80000000); 1013 1014 sd->data[0] = 0x00; /* Maximum current consumption */ 1015 sd->data[1] = 0x01; 1016 sd->data[2] = 0x80; /* Supported group 6 functions */ 1017 sd->data[3] = 0x01; 1018 sd->data[4] = 0x80; /* Supported group 5 functions */ 1019 sd->data[5] = 0x01; 1020 sd->data[6] = 0x80; /* Supported group 4 functions */ 1021 sd->data[7] = 0x01; 1022 sd->data[8] = 0x80; /* Supported group 3 functions */ 1023 sd->data[9] = 0x01; 1024 sd->data[10] = 0x80; /* Supported group 2 functions */ 1025 sd->data[11] = 0x43; 1026 sd->data[12] = 0x80; /* Supported group 1 functions */ 1027 sd->data[13] = 0x03; 1028 1029 memset(&sd->data[14], 0, 3); 1030 for (i = 0; i < 6; i ++) { 1031 new_func = (arg >> (i * 4)) & 0x0f; 1032 if (mode && new_func != 0x0f) 1033 sd->function_group[i] = new_func; 1034 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4); 1035 } 1036 memset(&sd->data[17], 0, 47); 1037 } 1038 1039 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 1040 { 1041 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1042 } 1043 1044 static void sd_lock_command(SDState *sd) 1045 { 1046 int erase, lock, clr_pwd, set_pwd, pwd_len; 1047 erase = !!(sd->data[0] & 0x08); 1048 lock = sd->data[0] & 0x04; 1049 clr_pwd = sd->data[0] & 0x02; 1050 set_pwd = sd->data[0] & 0x01; 1051 1052 if (sd->blk_len > 1) 1053 pwd_len = sd->data[1]; 1054 else 1055 pwd_len = 0; 1056 1057 if (lock) { 1058 trace_sdcard_lock(); 1059 } else { 1060 trace_sdcard_unlock(); 1061 } 1062 if (erase) { 1063 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 1064 set_pwd || clr_pwd || lock || sd->wp_switch || 1065 (sd->csd[14] & 0x20)) { 1066 sd->card_status |= LOCK_UNLOCK_FAILED; 1067 return; 1068 } 1069 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits); 1070 sd->csd[14] &= ~0x10; 1071 sd->card_status &= ~CARD_IS_LOCKED; 1072 sd->pwd_len = 0; 1073 /* Erasing the entire card here! */ 1074 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 1075 return; 1076 } 1077 1078 if (sd->blk_len < 2 + pwd_len || 1079 pwd_len <= sd->pwd_len || 1080 pwd_len > sd->pwd_len + 16) { 1081 sd->card_status |= LOCK_UNLOCK_FAILED; 1082 return; 1083 } 1084 1085 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 1086 sd->card_status |= LOCK_UNLOCK_FAILED; 1087 return; 1088 } 1089 1090 pwd_len -= sd->pwd_len; 1091 if ((pwd_len && !set_pwd) || 1092 (clr_pwd && (set_pwd || lock)) || 1093 (lock && !sd->pwd_len && !set_pwd) || 1094 (!set_pwd && !clr_pwd && 1095 (((sd->card_status & CARD_IS_LOCKED) && lock) || 1096 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 1097 sd->card_status |= LOCK_UNLOCK_FAILED; 1098 return; 1099 } 1100 1101 if (set_pwd) { 1102 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 1103 sd->pwd_len = pwd_len; 1104 } 1105 1106 if (clr_pwd) { 1107 sd->pwd_len = 0; 1108 } 1109 1110 if (lock) 1111 sd->card_status |= CARD_IS_LOCKED; 1112 else 1113 sd->card_status &= ~CARD_IS_LOCKED; 1114 } 1115 1116 static bool address_in_range(SDState *sd, const char *desc, 1117 uint64_t addr, uint32_t length) 1118 { 1119 if (addr + length > sd->size) { 1120 qemu_log_mask(LOG_GUEST_ERROR, 1121 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n", 1122 desc, addr, sd->size, length); 1123 sd->card_status |= ADDRESS_ERROR; 1124 return false; 1125 } 1126 return true; 1127 } 1128 1129 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req) 1130 { 1131 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n", 1132 sd->proto->name, req.cmd, sd_state_name(sd->state), 1133 sd_version_str(sd->spec_version)); 1134 1135 return sd_illegal; 1136 } 1137 1138 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req) 1139 { 1140 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n", 1141 sd->proto->name, req.cmd, sd_mode_name(sd->mode), 1142 sd_version_str(sd->spec_version)); 1143 1144 return sd_illegal; 1145 } 1146 1147 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req) 1148 { 1149 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n", 1150 sd->proto->name, req.cmd, 1151 sd_version_str(sd->spec_version)); 1152 1153 return sd_illegal; 1154 } 1155 1156 /* Commands that are recognised but not yet implemented. */ 1157 __attribute__((unused)) 1158 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req) 1159 { 1160 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n", 1161 sd->proto->name, req.cmd); 1162 1163 return sd_illegal; 1164 } 1165 1166 /* Configure fields for following sd_generic_write_byte() calls */ 1167 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req, 1168 uint64_t start, size_t size) 1169 { 1170 if (sd->state != sd_transfer_state) { 1171 return sd_invalid_state_for_cmd(sd, req); 1172 } 1173 sd->state = sd_receivingdata_state; 1174 sd->data_start = start; 1175 sd->data_offset = 0; 1176 /* sd->data[] used as receive buffer */ 1177 sd->data_size = size ?: sizeof(sd->data); 1178 return sd_r1; 1179 } 1180 1181 /* Configure fields for following sd_generic_read_byte() calls */ 1182 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req, 1183 uint64_t start, 1184 const void *data, size_t size) 1185 { 1186 if (sd->state != sd_transfer_state) { 1187 sd_invalid_state_for_cmd(sd, req); 1188 } 1189 1190 sd->state = sd_sendingdata_state; 1191 sd->data_start = start; 1192 sd->data_offset = 0; 1193 if (data) { 1194 assert(size > 0 && size <= sizeof(sd->data)); 1195 memcpy(sd->data, data, size); 1196 } 1197 if (size) { 1198 sd->data_size = size; 1199 } 1200 return sd_r1; 1201 } 1202 1203 /* CMD0 */ 1204 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req) 1205 { 1206 sd->state = sd_idle_state; 1207 sd_reset(DEVICE(sd)); 1208 1209 return sd_is_spi(sd) ? sd_r1 : sd_r0; 1210 } 1211 1212 /* CMD1 */ 1213 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1214 { 1215 sd->state = sd_transfer_state; 1216 1217 return sd_r1; 1218 } 1219 1220 /* CMD2 */ 1221 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req) 1222 { 1223 switch (sd->state) { 1224 case sd_ready_state: 1225 sd->state = sd_identification_state; 1226 return sd_r2_i; 1227 default: 1228 return sd_invalid_state_for_cmd(sd, req); 1229 } 1230 } 1231 1232 /* CMD3 */ 1233 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req) 1234 { 1235 switch (sd->state) { 1236 case sd_identification_state: 1237 case sd_standby_state: 1238 sd->state = sd_standby_state; 1239 sd_set_rca(sd); 1240 return sd_r6; 1241 1242 default: 1243 return sd_invalid_state_for_cmd(sd, req); 1244 } 1245 } 1246 1247 /* CMD19 */ 1248 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req) 1249 { 1250 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1251 return sd_cmd_illegal(sd, req); 1252 } 1253 1254 return sd_cmd_to_sendingdata(sd, req, 0, 1255 sd_tuning_block_pattern4, 1256 sizeof(sd_tuning_block_pattern4)); 1257 } 1258 1259 /* CMD23 */ 1260 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req) 1261 { 1262 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1263 return sd_cmd_illegal(sd, req); 1264 } 1265 1266 if (sd->state != sd_transfer_state) { 1267 return sd_invalid_state_for_cmd(sd, req); 1268 } 1269 1270 sd->multi_blk_cnt = req.arg; 1271 trace_sdcard_set_block_count(sd->multi_blk_cnt); 1272 1273 return sd_r1; 1274 } 1275 1276 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 1277 { 1278 uint16_t rca; 1279 uint64_t addr; 1280 uint32_t data; 1281 1282 sd->last_cmd_name = sd_cmd_name(sd, req.cmd); 1283 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 1284 * However there is no ACMD55, so we want to trace this particular case. 1285 */ 1286 if (req.cmd != 55 || sd->expecting_acmd) { 1287 trace_sdcard_normal_command(sd->proto->name, 1288 sd->last_cmd_name, req.cmd, 1289 req.arg, sd_state_name(sd->state)); 1290 } 1291 1292 /* Not interpreting this as an app command */ 1293 sd->card_status &= ~APP_CMD; 1294 1295 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 1296 * if not, its effects are cancelled */ 1297 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 1298 sd->multi_blk_cnt = 0; 1299 } 1300 1301 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 1302 /* Only Standard Capacity cards support class 6 commands */ 1303 return sd_illegal; 1304 } 1305 1306 if (sd->proto->cmd[req.cmd].handler) { 1307 return sd->proto->cmd[req.cmd].handler(sd, req); 1308 } 1309 1310 switch (req.cmd) { 1311 /* Basic commands (Class 0 and Class 1) */ 1312 case 4: /* CMD4: SEND_DSR */ 1313 switch (sd->state) { 1314 case sd_standby_state: 1315 break; 1316 1317 default: 1318 break; 1319 } 1320 break; 1321 1322 case 6: /* CMD6: SWITCH_FUNCTION */ 1323 if (sd->mode != sd_data_transfer_mode) { 1324 return sd_invalid_mode_for_cmd(sd, req); 1325 } 1326 if (sd->state != sd_transfer_state) { 1327 return sd_invalid_state_for_cmd(sd, req); 1328 } 1329 1330 sd_function_switch(sd, req.arg); 1331 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64); 1332 1333 case 7: /* CMD7: SELECT/DESELECT_CARD */ 1334 rca = sd_req_get_rca(sd, req); 1335 switch (sd->state) { 1336 case sd_standby_state: 1337 if (sd->rca != rca) 1338 return sd_r0; 1339 1340 sd->state = sd_transfer_state; 1341 return sd_r1b; 1342 1343 case sd_transfer_state: 1344 case sd_sendingdata_state: 1345 if (sd->rca == rca) 1346 break; 1347 1348 sd->state = sd_standby_state; 1349 return sd_r1b; 1350 1351 case sd_disconnect_state: 1352 if (sd->rca != rca) 1353 return sd_r0; 1354 1355 sd->state = sd_programming_state; 1356 return sd_r1b; 1357 1358 case sd_programming_state: 1359 if (sd->rca == rca) 1360 break; 1361 1362 sd->state = sd_disconnect_state; 1363 return sd_r1b; 1364 1365 default: 1366 break; 1367 } 1368 break; 1369 1370 case 8: /* CMD8: SEND_IF_COND */ 1371 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1372 break; 1373 } 1374 if (sd->state != sd_idle_state) { 1375 break; 1376 } 1377 sd->vhs = 0; 1378 1379 /* No response if not exactly one VHS bit is set. */ 1380 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1381 return sd_is_spi(sd) ? sd_r7 : sd_r0; 1382 } 1383 1384 /* Accept. */ 1385 sd->vhs = req.arg; 1386 return sd_r7; 1387 1388 case 9: /* CMD9: SEND_CSD */ 1389 rca = sd_req_get_rca(sd, req); 1390 switch (sd->state) { 1391 case sd_standby_state: 1392 if (sd->rca != rca) 1393 return sd_r0; 1394 1395 return sd_r2_s; 1396 1397 case sd_transfer_state: 1398 if (!sd_is_spi(sd)) { 1399 break; 1400 } 1401 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1402 sd->csd, 16); 1403 1404 default: 1405 break; 1406 } 1407 break; 1408 1409 case 10: /* CMD10: SEND_CID */ 1410 rca = sd_req_get_rca(sd, req); 1411 switch (sd->state) { 1412 case sd_standby_state: 1413 if (sd->rca != rca) 1414 return sd_r0; 1415 1416 return sd_r2_i; 1417 1418 case sd_transfer_state: 1419 if (!sd_is_spi(sd)) { 1420 break; 1421 } 1422 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1423 sd->cid, 16); 1424 1425 default: 1426 break; 1427 } 1428 break; 1429 1430 case 12: /* CMD12: STOP_TRANSMISSION */ 1431 switch (sd->state) { 1432 case sd_sendingdata_state: 1433 sd->state = sd_transfer_state; 1434 return sd_r1b; 1435 1436 case sd_receivingdata_state: 1437 sd->state = sd_programming_state; 1438 /* Bzzzzzzztt .... Operation complete. */ 1439 sd->state = sd_transfer_state; 1440 return sd_r1b; 1441 1442 default: 1443 break; 1444 } 1445 break; 1446 1447 case 13: /* CMD13: SEND_STATUS */ 1448 rca = sd_req_get_rca(sd, req); 1449 if (sd->mode != sd_data_transfer_mode) { 1450 return sd_invalid_mode_for_cmd(sd, req); 1451 } 1452 if (!sd_is_spi(sd) && sd->rca != rca) { 1453 return sd_r0; 1454 } 1455 1456 return sd_r1; 1457 1458 case 15: /* CMD15: GO_INACTIVE_STATE */ 1459 if (sd->mode != sd_data_transfer_mode) { 1460 return sd_invalid_mode_for_cmd(sd, req); 1461 } 1462 rca = sd_req_get_rca(sd, req); 1463 if (sd->rca == rca) { 1464 sd->state = sd_inactive_state; 1465 } 1466 return sd_r0; 1467 1468 /* Block read commands (Class 2) */ 1469 case 16: /* CMD16: SET_BLOCKLEN */ 1470 switch (sd->state) { 1471 case sd_transfer_state: 1472 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1473 sd->card_status |= BLOCK_LEN_ERROR; 1474 } else { 1475 trace_sdcard_set_blocklen(req.arg); 1476 sd->blk_len = req.arg; 1477 } 1478 1479 return sd_r1; 1480 1481 default: 1482 break; 1483 } 1484 break; 1485 1486 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1487 addr = sd_req_get_address(sd, req); 1488 switch (sd->state) { 1489 case sd_transfer_state: 1490 1491 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) { 1492 return sd_r1; 1493 } 1494 sd_blk_read(sd, addr, sd->blk_len); 1495 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len); 1496 1497 default: 1498 break; 1499 } 1500 break; 1501 1502 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1503 addr = sd_req_get_address(sd, req); 1504 switch (sd->state) { 1505 case sd_transfer_state: 1506 1507 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) { 1508 return sd_r1; 1509 } 1510 1511 sd->state = sd_sendingdata_state; 1512 sd->data_start = addr; 1513 sd->data_offset = 0; 1514 return sd_r1; 1515 1516 default: 1517 break; 1518 } 1519 break; 1520 1521 /* Block write commands (Class 4) */ 1522 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1523 addr = sd_req_get_address(sd, req); 1524 switch (sd->state) { 1525 case sd_transfer_state: 1526 1527 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, 1528 sd->blk_len)) { 1529 return sd_r1; 1530 } 1531 1532 if (sd->size <= SDSC_MAX_CAPACITY) { 1533 if (sd_wp_addr(sd, sd->data_start)) { 1534 sd->card_status |= WP_VIOLATION; 1535 } 1536 } 1537 if (sd->csd[14] & 0x30) { 1538 sd->card_status |= WP_VIOLATION; 1539 } 1540 sd->blk_written = 0; 1541 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len); 1542 1543 default: 1544 break; 1545 } 1546 break; 1547 1548 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1549 addr = sd_req_get_address(sd, req); 1550 switch (sd->state) { 1551 case sd_transfer_state: 1552 1553 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) { 1554 return sd_r1; 1555 } 1556 1557 sd->state = sd_receivingdata_state; 1558 sd->data_start = addr; 1559 sd->data_offset = 0; 1560 sd->blk_written = 0; 1561 1562 if (sd->size <= SDSC_MAX_CAPACITY) { 1563 if (sd_wp_addr(sd, sd->data_start)) { 1564 sd->card_status |= WP_VIOLATION; 1565 } 1566 } 1567 if (sd->csd[14] & 0x30) { 1568 sd->card_status |= WP_VIOLATION; 1569 } 1570 return sd_r1; 1571 1572 default: 1573 break; 1574 } 1575 break; 1576 1577 case 26: /* CMD26: PROGRAM_CID */ 1578 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid)); 1579 1580 case 27: /* CMD27: PROGRAM_CSD */ 1581 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd)); 1582 1583 /* Write protection (Class 6) */ 1584 case 28: /* CMD28: SET_WRITE_PROT */ 1585 if (sd->size > SDSC_MAX_CAPACITY) { 1586 return sd_illegal; 1587 } 1588 addr = sd_req_get_address(sd, req); 1589 switch (sd->state) { 1590 case sd_transfer_state: 1591 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) { 1592 return sd_r1b; 1593 } 1594 1595 sd->state = sd_programming_state; 1596 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1597 /* Bzzzzzzztt .... Operation complete. */ 1598 sd->state = sd_transfer_state; 1599 return sd_r1b; 1600 1601 default: 1602 break; 1603 } 1604 break; 1605 1606 case 29: /* CMD29: CLR_WRITE_PROT */ 1607 if (sd->size > SDSC_MAX_CAPACITY) { 1608 return sd_illegal; 1609 } 1610 addr = sd_req_get_address(sd, req); 1611 switch (sd->state) { 1612 case sd_transfer_state: 1613 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) { 1614 return sd_r1b; 1615 } 1616 1617 sd->state = sd_programming_state; 1618 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1619 /* Bzzzzzzztt .... Operation complete. */ 1620 sd->state = sd_transfer_state; 1621 return sd_r1b; 1622 1623 default: 1624 break; 1625 } 1626 break; 1627 1628 case 30: /* CMD30: SEND_WRITE_PROT */ 1629 if (sd->size > SDSC_MAX_CAPACITY) { 1630 return sd_illegal; 1631 } 1632 addr = sd_req_get_address(sd, req); 1633 switch (sd->state) { 1634 case sd_transfer_state: 1635 if (!address_in_range(sd, "SEND_WRITE_PROT", 1636 req.arg, sd->blk_len)) { 1637 return sd_r1; 1638 } 1639 data = sd_wpbits(sd, req.arg); 1640 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data)); 1641 1642 default: 1643 break; 1644 } 1645 break; 1646 1647 /* Erase commands (Class 5) */ 1648 case 32: /* CMD32: ERASE_WR_BLK_START */ 1649 switch (sd->state) { 1650 case sd_transfer_state: 1651 sd->erase_start = req.arg; 1652 return sd_r1; 1653 1654 default: 1655 break; 1656 } 1657 break; 1658 1659 case 33: /* CMD33: ERASE_WR_BLK_END */ 1660 switch (sd->state) { 1661 case sd_transfer_state: 1662 sd->erase_end = req.arg; 1663 return sd_r1; 1664 1665 default: 1666 break; 1667 } 1668 break; 1669 1670 case 38: /* CMD38: ERASE */ 1671 switch (sd->state) { 1672 case sd_transfer_state: 1673 if (sd->csd[14] & 0x30) { 1674 sd->card_status |= WP_VIOLATION; 1675 return sd_r1b; 1676 } 1677 1678 sd->state = sd_programming_state; 1679 sd_erase(sd); 1680 /* Bzzzzzzztt .... Operation complete. */ 1681 sd->state = sd_transfer_state; 1682 return sd_r1b; 1683 1684 default: 1685 break; 1686 } 1687 break; 1688 1689 /* Lock card commands (Class 7) */ 1690 case 42: /* CMD42: LOCK_UNLOCK */ 1691 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1692 1693 /* Application specific commands (Class 8) */ 1694 case 55: /* CMD55: APP_CMD */ 1695 rca = sd_req_get_rca(sd, req); 1696 switch (sd->state) { 1697 case sd_ready_state: 1698 case sd_identification_state: 1699 return sd_illegal; 1700 case sd_idle_state: 1701 if (rca) { 1702 qemu_log_mask(LOG_GUEST_ERROR, 1703 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1704 } 1705 default: 1706 break; 1707 } 1708 if (!sd_is_spi(sd)) { 1709 if (sd->rca != rca) { 1710 return sd_r0; 1711 } 1712 } 1713 sd->expecting_acmd = true; 1714 sd->card_status |= APP_CMD; 1715 return sd_r1; 1716 1717 case 56: /* CMD56: GEN_CMD */ 1718 switch (sd->state) { 1719 case sd_transfer_state: 1720 sd->data_offset = 0; 1721 if (req.arg & 1) 1722 sd->state = sd_sendingdata_state; 1723 else 1724 sd->state = sd_receivingdata_state; 1725 return sd_r1; 1726 1727 default: 1728 break; 1729 } 1730 break; 1731 1732 case 58: /* CMD58: READ_OCR (SPI) */ 1733 return sd_r3; 1734 1735 case 59: /* CMD59: CRC_ON_OFF (SPI) */ 1736 return sd_r1; 1737 1738 default: 1739 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1740 return sd_illegal; 1741 } 1742 1743 return sd_invalid_state_for_cmd(sd, req); 1744 } 1745 1746 static sd_rsp_type_t sd_app_command(SDState *sd, 1747 SDRequest req) 1748 { 1749 sd->last_cmd_name = sd_acmd_name(sd, req.cmd); 1750 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name, 1751 req.cmd, req.arg, sd_state_name(sd->state)); 1752 sd->card_status |= APP_CMD; 1753 1754 if (sd->proto->acmd[req.cmd].handler) { 1755 return sd->proto->acmd[req.cmd].handler(sd, req); 1756 } 1757 1758 switch (req.cmd) { 1759 case 6: /* ACMD6: SET_BUS_WIDTH */ 1760 switch (sd->state) { 1761 case sd_transfer_state: 1762 sd->sd_status[0] &= 0x3f; 1763 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1764 return sd_r1; 1765 1766 default: 1767 break; 1768 } 1769 break; 1770 1771 case 13: /* ACMD13: SD_STATUS */ 1772 switch (sd->state) { 1773 case sd_transfer_state: 1774 return sd_cmd_to_sendingdata(sd, req, 0, 1775 sd->sd_status, 1776 sizeof(sd->sd_status)); 1777 1778 default: 1779 break; 1780 } 1781 break; 1782 1783 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1784 switch (sd->state) { 1785 case sd_transfer_state: 1786 return sd_cmd_to_sendingdata(sd, req, 0, 1787 &sd->blk_written, 1788 sizeof(sd->blk_written)); 1789 1790 default: 1791 break; 1792 } 1793 break; 1794 1795 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */ 1796 switch (sd->state) { 1797 case sd_transfer_state: 1798 return sd_r1; 1799 1800 default: 1801 break; 1802 } 1803 break; 1804 1805 case 41: /* ACMD41: SD_APP_OP_COND */ 1806 if (sd->state != sd_idle_state) { 1807 break; 1808 } 1809 /* If it's the first ACMD41 since reset, we need to decide 1810 * whether to power up. If this is not an enquiry ACMD41, 1811 * we immediately report power on and proceed below to the 1812 * ready state, but if it is, we set a timer to model a 1813 * delay for power up. This works around a bug in EDK2 1814 * UEFI, which sends an initial enquiry ACMD41, but 1815 * assumes that the card is in ready state as soon as it 1816 * sees the power up bit set. */ 1817 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1818 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1819 timer_del(sd->ocr_power_timer); 1820 sd_ocr_powerup(sd); 1821 } else { 1822 trace_sdcard_inquiry_cmd41(); 1823 if (!timer_pending(sd->ocr_power_timer)) { 1824 timer_mod_ns(sd->ocr_power_timer, 1825 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1826 + OCR_POWER_DELAY_NS)); 1827 } 1828 } 1829 } 1830 1831 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1832 /* We accept any voltage. 10000 V is nothing. 1833 * 1834 * Once we're powered up, we advance straight to ready state 1835 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1836 */ 1837 sd->state = sd_ready_state; 1838 } 1839 1840 return sd_r3; 1841 1842 case 42: /* ACMD42: SET_CLR_CARD_DETECT */ 1843 switch (sd->state) { 1844 case sd_transfer_state: 1845 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1846 return sd_r1; 1847 1848 default: 1849 break; 1850 } 1851 break; 1852 1853 case 51: /* ACMD51: SEND_SCR */ 1854 switch (sd->state) { 1855 case sd_transfer_state: 1856 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr)); 1857 1858 default: 1859 break; 1860 } 1861 break; 1862 1863 case 18: /* Reserved for SD security applications */ 1864 case 25: 1865 case 26: 1866 case 38: 1867 case 43 ... 49: 1868 /* Refer to the "SD Specifications Part3 Security Specification" for 1869 * information about the SD Security Features. 1870 */ 1871 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 1872 req.cmd); 1873 return sd_illegal; 1874 1875 default: 1876 /* Fall back to standard commands. */ 1877 return sd_normal_command(sd, req); 1878 } 1879 1880 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1881 return sd_illegal; 1882 } 1883 1884 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd) 1885 { 1886 /* Valid commands in locked state: 1887 * basic class (0) 1888 * lock card class (7) 1889 * CMD16 1890 * implicitly, the ACMD prefix CMD55 1891 * ACMD41 and ACMD42 1892 * Anything else provokes an "illegal command" response. 1893 */ 1894 if (sd->expecting_acmd) { 1895 return cmd == 41 || cmd == 42; 1896 } 1897 if (cmd == 16 || cmd == 55) { 1898 return true; 1899 } 1900 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7; 1901 } 1902 1903 int sd_do_command(SDState *sd, SDRequest *req, 1904 uint8_t *response) { 1905 int last_state; 1906 sd_rsp_type_t rtype; 1907 int rsplen; 1908 1909 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1910 return 0; 1911 } 1912 1913 if (sd->state == sd_inactive_state) { 1914 rtype = sd_illegal; 1915 goto send_response; 1916 } 1917 1918 if (sd_req_crc_validate(req)) { 1919 sd->card_status |= COM_CRC_ERROR; 1920 rtype = sd_illegal; 1921 goto send_response; 1922 } 1923 1924 if (req->cmd >= SDMMC_CMD_MAX) { 1925 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 1926 req->cmd); 1927 req->cmd &= 0x3f; 1928 } 1929 1930 if (sd->card_status & CARD_IS_LOCKED) { 1931 if (!cmd_valid_while_locked(sd, req->cmd)) { 1932 sd->card_status |= ILLEGAL_COMMAND; 1933 sd->expecting_acmd = false; 1934 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1935 rtype = sd_illegal; 1936 goto send_response; 1937 } 1938 } 1939 1940 last_state = sd->state; 1941 sd_set_mode(sd); 1942 1943 if (sd->expecting_acmd) { 1944 sd->expecting_acmd = false; 1945 rtype = sd_app_command(sd, *req); 1946 } else { 1947 rtype = sd_normal_command(sd, *req); 1948 } 1949 1950 if (rtype == sd_illegal) { 1951 sd->card_status |= ILLEGAL_COMMAND; 1952 } else { 1953 /* Valid command, we can update the 'state before command' bits. 1954 * (Do this now so they appear in r1 responses.) 1955 */ 1956 sd->current_cmd = req->cmd; 1957 sd->card_status = FIELD_DP32(sd->card_status, CSR, 1958 CURRENT_STATE, last_state); 1959 } 1960 1961 send_response: 1962 switch (rtype) { 1963 case sd_r1: 1964 case sd_r1b: 1965 sd_response_r1_make(sd, response); 1966 rsplen = 4; 1967 break; 1968 1969 case sd_r2_i: 1970 memcpy(response, sd->cid, sizeof(sd->cid)); 1971 rsplen = 16; 1972 break; 1973 1974 case sd_r2_s: 1975 memcpy(response, sd->csd, sizeof(sd->csd)); 1976 rsplen = 16; 1977 break; 1978 1979 case sd_r3: 1980 sd_response_r3_make(sd, response); 1981 rsplen = 4; 1982 break; 1983 1984 case sd_r6: 1985 sd_response_r6_make(sd, response); 1986 rsplen = 4; 1987 break; 1988 1989 case sd_r7: 1990 sd_response_r7_make(sd, response); 1991 rsplen = 4; 1992 break; 1993 1994 case sd_r0: 1995 /* 1996 * Invalid state transition, reset implementation 1997 * fields to avoid OOB abuse. 1998 */ 1999 sd->data_start = 0; 2000 sd->data_offset = 0; 2001 /* fall-through */ 2002 case sd_illegal: 2003 rsplen = 0; 2004 break; 2005 default: 2006 g_assert_not_reached(); 2007 } 2008 trace_sdcard_response(sd_response_name(rtype), rsplen); 2009 2010 if (rtype != sd_illegal) { 2011 /* Clear the "clear on valid command" status bits now we've 2012 * sent any response 2013 */ 2014 sd->card_status &= ~CARD_STATUS_B; 2015 } 2016 2017 #ifdef DEBUG_SD 2018 qemu_hexdump(stderr, "Response", response, rsplen); 2019 #endif 2020 2021 return rsplen; 2022 } 2023 2024 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */ 2025 static bool sd_generic_write_byte(SDState *sd, uint8_t value) 2026 { 2027 sd->data[sd->data_offset] = value; 2028 2029 if (++sd->data_offset >= sd->data_size) { 2030 sd->state = sd_transfer_state; 2031 return true; 2032 } 2033 return false; 2034 } 2035 2036 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */ 2037 static bool sd_generic_read_byte(SDState *sd, uint8_t *value) 2038 { 2039 *value = sd->data[sd->data_offset]; 2040 2041 if (++sd->data_offset >= sd->data_size) { 2042 sd->state = sd_transfer_state; 2043 return true; 2044 } 2045 2046 return false; 2047 } 2048 2049 void sd_write_byte(SDState *sd, uint8_t value) 2050 { 2051 int i; 2052 2053 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 2054 return; 2055 2056 if (sd->state != sd_receivingdata_state) { 2057 qemu_log_mask(LOG_GUEST_ERROR, 2058 "%s: not in Receiving-Data state\n", __func__); 2059 return; 2060 } 2061 2062 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2063 return; 2064 2065 trace_sdcard_write_data(sd->proto->name, 2066 sd->last_cmd_name, 2067 sd->current_cmd, sd->data_offset, value); 2068 switch (sd->current_cmd) { 2069 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 2070 if (sd_generic_write_byte(sd, value)) { 2071 /* TODO: Check CRC before committing */ 2072 sd->state = sd_programming_state; 2073 sd_blk_write(sd, sd->data_start, sd->data_offset); 2074 sd->blk_written ++; 2075 sd->csd[14] |= 0x40; 2076 /* Bzzzzzzztt .... Operation complete. */ 2077 sd->state = sd_transfer_state; 2078 } 2079 break; 2080 2081 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2082 if (sd->data_offset == 0) { 2083 /* Start of the block - let's check the address is valid */ 2084 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK", 2085 sd->data_start, sd->blk_len)) { 2086 break; 2087 } 2088 if (sd->size <= SDSC_MAX_CAPACITY) { 2089 if (sd_wp_addr(sd, sd->data_start)) { 2090 sd->card_status |= WP_VIOLATION; 2091 break; 2092 } 2093 } 2094 } 2095 sd->data[sd->data_offset++] = value; 2096 if (sd->data_offset >= sd->blk_len) { 2097 /* TODO: Check CRC before committing */ 2098 sd->state = sd_programming_state; 2099 sd_blk_write(sd, sd->data_start, sd->data_offset); 2100 sd->blk_written++; 2101 sd->data_start += sd->blk_len; 2102 sd->data_offset = 0; 2103 sd->csd[14] |= 0x40; 2104 2105 /* Bzzzzzzztt .... Operation complete. */ 2106 if (sd->multi_blk_cnt != 0) { 2107 if (--sd->multi_blk_cnt == 0) { 2108 /* Stop! */ 2109 sd->state = sd_transfer_state; 2110 break; 2111 } 2112 } 2113 2114 sd->state = sd_receivingdata_state; 2115 } 2116 break; 2117 2118 case 26: /* CMD26: PROGRAM_CID */ 2119 if (sd_generic_write_byte(sd, value)) { 2120 /* TODO: Check CRC before committing */ 2121 sd->state = sd_programming_state; 2122 for (i = 0; i < sizeof(sd->cid); i ++) 2123 if ((sd->cid[i] | 0x00) != sd->data[i]) 2124 sd->card_status |= CID_CSD_OVERWRITE; 2125 2126 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2127 for (i = 0; i < sizeof(sd->cid); i ++) { 2128 sd->cid[i] |= 0x00; 2129 sd->cid[i] &= sd->data[i]; 2130 } 2131 /* Bzzzzzzztt .... Operation complete. */ 2132 sd->state = sd_transfer_state; 2133 } 2134 break; 2135 2136 case 27: /* CMD27: PROGRAM_CSD */ 2137 if (sd_generic_write_byte(sd, value)) { 2138 /* TODO: Check CRC before committing */ 2139 sd->state = sd_programming_state; 2140 for (i = 0; i < sizeof(sd->csd); i ++) 2141 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 2142 (sd->data[i] | sd_csd_rw_mask[i])) 2143 sd->card_status |= CID_CSD_OVERWRITE; 2144 2145 /* Copy flag (OTP) & Permanent write protect */ 2146 if (sd->csd[14] & ~sd->data[14] & 0x60) 2147 sd->card_status |= CID_CSD_OVERWRITE; 2148 2149 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2150 for (i = 0; i < sizeof(sd->csd); i ++) { 2151 sd->csd[i] |= sd_csd_rw_mask[i]; 2152 sd->csd[i] &= sd->data[i]; 2153 } 2154 /* Bzzzzzzztt .... Operation complete. */ 2155 sd->state = sd_transfer_state; 2156 } 2157 break; 2158 2159 case 42: /* CMD42: LOCK_UNLOCK */ 2160 if (sd_generic_write_byte(sd, value)) { 2161 /* TODO: Check CRC before committing */ 2162 sd->state = sd_programming_state; 2163 sd_lock_command(sd); 2164 /* Bzzzzzzztt .... Operation complete. */ 2165 sd->state = sd_transfer_state; 2166 } 2167 break; 2168 2169 case 56: /* CMD56: GEN_CMD */ 2170 sd->data[sd->data_offset ++] = value; 2171 if (sd->data_offset >= sd->blk_len) { 2172 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 2173 sd->state = sd_transfer_state; 2174 } 2175 break; 2176 2177 default: 2178 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__); 2179 break; 2180 } 2181 } 2182 2183 uint8_t sd_read_byte(SDState *sd) 2184 { 2185 /* TODO: Append CRCs */ 2186 uint8_t ret; 2187 uint32_t io_len; 2188 2189 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 2190 return 0x00; 2191 2192 if (sd->state != sd_sendingdata_state) { 2193 qemu_log_mask(LOG_GUEST_ERROR, 2194 "%s: not in Sending-Data state\n", __func__); 2195 return 0x00; 2196 } 2197 2198 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2199 return 0x00; 2200 2201 io_len = sd_blk_len(sd); 2202 2203 trace_sdcard_read_data(sd->proto->name, 2204 sd->last_cmd_name, 2205 sd->current_cmd, sd->data_offset, io_len); 2206 switch (sd->current_cmd) { 2207 case 6: /* CMD6: SWITCH_FUNCTION */ 2208 case 9: /* CMD9: SEND_CSD */ 2209 case 10: /* CMD10: SEND_CID */ 2210 case 13: /* ACMD13: SD_STATUS */ 2211 case 17: /* CMD17: READ_SINGLE_BLOCK */ 2212 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2213 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2214 case 30: /* CMD30: SEND_WRITE_PROT */ 2215 case 51: /* ACMD51: SEND_SCR */ 2216 sd_generic_read_byte(sd, &ret); 2217 break; 2218 2219 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2220 if (sd->data_offset == 0) { 2221 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK", 2222 sd->data_start, io_len)) { 2223 return 0x00; 2224 } 2225 sd_blk_read(sd, sd->data_start, io_len); 2226 } 2227 ret = sd->data[sd->data_offset ++]; 2228 2229 if (sd->data_offset >= io_len) { 2230 sd->data_start += io_len; 2231 sd->data_offset = 0; 2232 2233 if (sd->multi_blk_cnt != 0) { 2234 if (--sd->multi_blk_cnt == 0) { 2235 /* Stop! */ 2236 sd->state = sd_transfer_state; 2237 break; 2238 } 2239 } 2240 } 2241 break; 2242 2243 case 56: /* CMD56: GEN_CMD */ 2244 if (sd->data_offset == 0) 2245 APP_READ_BLOCK(sd->data_start, sd->blk_len); 2246 ret = sd->data[sd->data_offset ++]; 2247 2248 if (sd->data_offset >= sd->blk_len) 2249 sd->state = sd_transfer_state; 2250 break; 2251 2252 default: 2253 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__); 2254 return 0x00; 2255 } 2256 2257 return ret; 2258 } 2259 2260 static bool sd_receive_ready(SDState *sd) 2261 { 2262 return sd->state == sd_receivingdata_state; 2263 } 2264 2265 static bool sd_data_ready(SDState *sd) 2266 { 2267 return sd->state == sd_sendingdata_state; 2268 } 2269 2270 void sd_enable(SDState *sd, bool enable) 2271 { 2272 sd->enable = enable; 2273 } 2274 2275 static const SDProto sd_proto_spi = { 2276 .name = "SPI", 2277 .cmd = { 2278 [0] = { sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2279 [1] = { sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2280 }, 2281 .acmd = { 2282 [41] = { sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2283 }, 2284 }; 2285 2286 static const SDProto sd_proto_sd = { 2287 .name = "SD", 2288 .cmd = { 2289 [0] = { sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2290 [2] = { sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2291 [3] = { sd_bcr, "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR}, 2292 [19] = { sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK}, 2293 [23] = { sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2294 }, 2295 }; 2296 2297 static void sd_instance_init(Object *obj) 2298 { 2299 SDState *sd = SD_CARD(obj); 2300 SDCardClass *sc = SD_CARD_GET_CLASS(sd); 2301 2302 sd->proto = sc->proto; 2303 sd->last_cmd_name = "UNSET"; 2304 sd->enable = true; 2305 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2306 } 2307 2308 static void sd_instance_finalize(Object *obj) 2309 { 2310 SDState *sd = SD_CARD(obj); 2311 2312 timer_free(sd->ocr_power_timer); 2313 } 2314 2315 static void sd_realize(DeviceState *dev, Error **errp) 2316 { 2317 SDState *sd = SD_CARD(dev); 2318 int ret; 2319 2320 switch (sd->spec_version) { 2321 case SD_PHY_SPECv1_10_VERS 2322 ... SD_PHY_SPECv3_01_VERS: 2323 break; 2324 default: 2325 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2326 return; 2327 } 2328 2329 if (sd->blk) { 2330 int64_t blk_size; 2331 2332 if (!blk_supports_write_perm(sd->blk)) { 2333 error_setg(errp, "Cannot use read-only drive as SD card"); 2334 return; 2335 } 2336 2337 blk_size = blk_getlength(sd->blk); 2338 if (blk_size > 0 && !is_power_of_2(blk_size)) { 2339 int64_t blk_size_aligned = pow2ceil(blk_size); 2340 char *blk_size_str; 2341 2342 blk_size_str = size_to_str(blk_size); 2343 error_setg(errp, "Invalid SD card size: %s", blk_size_str); 2344 g_free(blk_size_str); 2345 2346 blk_size_str = size_to_str(blk_size_aligned); 2347 error_append_hint(errp, 2348 "SD card size has to be a power of 2, e.g. %s.\n" 2349 "You can resize disk images with" 2350 " 'qemu-img resize <imagefile> <new-size>'\n" 2351 "(note that this will lose data if you make the" 2352 " image smaller than it currently is).\n", 2353 blk_size_str); 2354 g_free(blk_size_str); 2355 2356 return; 2357 } 2358 2359 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2360 BLK_PERM_ALL, errp); 2361 if (ret < 0) { 2362 return; 2363 } 2364 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2365 } 2366 } 2367 2368 static Property sd_properties[] = { 2369 DEFINE_PROP_UINT8("spec_version", SDState, 2370 spec_version, SD_PHY_SPECv2_00_VERS), 2371 DEFINE_PROP_DRIVE("drive", SDState, blk), 2372 /* We do not model the chip select pin, so allow the board to select 2373 * whether card should be in SSI or MMC/SD mode. It is also up to the 2374 * board to ensure that ssi transfers only occur when the chip select 2375 * is asserted. */ 2376 DEFINE_PROP_END_OF_LIST() 2377 }; 2378 2379 static void sd_class_init(ObjectClass *klass, void *data) 2380 { 2381 DeviceClass *dc = DEVICE_CLASS(klass); 2382 SDCardClass *sc = SD_CARD_CLASS(klass); 2383 2384 dc->realize = sd_realize; 2385 device_class_set_props(dc, sd_properties); 2386 dc->vmsd = &sd_vmstate; 2387 dc->reset = sd_reset; 2388 dc->bus_type = TYPE_SD_BUS; 2389 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2390 2391 sc->set_voltage = sd_set_voltage; 2392 sc->get_dat_lines = sd_get_dat_lines; 2393 sc->get_cmd_line = sd_get_cmd_line; 2394 sc->do_command = sd_do_command; 2395 sc->write_byte = sd_write_byte; 2396 sc->read_byte = sd_read_byte; 2397 sc->receive_ready = sd_receive_ready; 2398 sc->data_ready = sd_data_ready; 2399 sc->enable = sd_enable; 2400 sc->get_inserted = sd_get_inserted; 2401 sc->get_readonly = sd_get_readonly; 2402 sc->proto = &sd_proto_sd; 2403 } 2404 2405 /* 2406 * We do not model the chip select pin, so allow the board to select 2407 * whether card should be in SSI or MMC/SD mode. It is also up to the 2408 * board to ensure that ssi transfers only occur when the chip select 2409 * is asserted. 2410 */ 2411 static void sd_spi_class_init(ObjectClass *klass, void *data) 2412 { 2413 DeviceClass *dc = DEVICE_CLASS(klass); 2414 SDCardClass *sc = SD_CARD_CLASS(klass); 2415 2416 dc->desc = "SD SPI"; 2417 sc->proto = &sd_proto_spi; 2418 } 2419 2420 static const TypeInfo sd_types[] = { 2421 { 2422 .name = TYPE_SD_CARD, 2423 .parent = TYPE_DEVICE, 2424 .instance_size = sizeof(SDState), 2425 .class_size = sizeof(SDCardClass), 2426 .class_init = sd_class_init, 2427 .instance_init = sd_instance_init, 2428 .instance_finalize = sd_instance_finalize, 2429 }, 2430 { 2431 .name = TYPE_SD_CARD_SPI, 2432 .parent = TYPE_SD_CARD, 2433 .class_init = sd_spi_class_init, 2434 }, 2435 }; 2436 2437 DEFINE_TYPES(sd_types) 2438