xref: /openbmc/qemu/hw/sd/sd.c (revision 5241b759bcf1e9952a5a5503bc802d76409b4ac6) 
1 /*
2  * SD Memory Card emulation as defined in the "SD Memory Card Physical
3  * layer specification, Version 2.00."
4  *
5  * Copyright (c) 2006 Andrzej Zaborowski  <balrog@zabor.org>
6  * Copyright (c) 2007 CodeSourcery
7  * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23  * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR
24  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/guest-random.h"
50 #include "qemu/module.h"
51 #include "sdmmc-internal.h"
52 #include "trace.h"
53 
54 //#define DEBUG_SD 1
55 
56 #define SDSC_MAX_CAPACITY   (2 * GiB)
57 
58 #define INVALID_ADDRESS     UINT32_MAX
59 
60 typedef enum {
61     sd_r0 = 0,    /* no response */
62     sd_r1,        /* normal response command */
63     sd_r2_i,      /* CID register */
64     sd_r2_s,      /* CSD register */
65     sd_r3,        /* OCR register */
66     sd_r6 = 6,    /* Published RCA response */
67     sd_r7,        /* Operating voltage */
68     sd_r1b = -1,
69     sd_illegal = -2,
70 } sd_rsp_type_t;
71 
72 enum SDCardModes {
73     sd_inactive,
74     sd_card_identification_mode,
75     sd_data_transfer_mode,
76 };
77 
78 enum SDCardStates {
79     sd_waitirq_state        = -2, /* emmc */
80     sd_inactive_state       = -1,
81 
82     sd_idle_state           = 0,
83     sd_ready_state          = 1,
84     sd_identification_state = 2,
85     sd_standby_state        = 3,
86     sd_transfer_state       = 4,
87     sd_sendingdata_state    = 5,
88     sd_receivingdata_state  = 6,
89     sd_programming_state    = 7,
90     sd_disconnect_state     = 8,
91     sd_bus_test_state       = 9,  /* emmc */
92     sd_sleep_state          = 10, /* emmc */
93     sd_io_state             = 15  /* sd */
94 };
95 
96 #define SDMMC_CMD_MAX 64
97 
98 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
99 
100 typedef struct SDProto {
101     const char *name;
102     struct {
103         const unsigned class;
104         const sd_cmd_type_t type;
105         const char *name;
106         sd_cmd_handler handler;
107     } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX];
108 } SDProto;
109 
110 struct SDState {
111     DeviceState parent_obj;
112 
113     /* If true, created by sd_init() for a non-qdevified caller */
114     /* TODO purge them with fire */
115     bool me_no_qdev_me_kill_mammoth_with_rocks;
116 
117     /* SD Memory Card Registers */
118     uint32_t ocr;
119     uint8_t scr[8];
120     uint8_t cid[16];
121     uint8_t csd[16];
122     uint16_t rca;
123     uint32_t card_status;
124     uint8_t sd_status[64];
125 
126     /* Static properties */
127 
128     uint8_t spec_version;
129     BlockBackend *blk;
130 
131     const SDProto *proto;
132 
133     /* Runtime changeables */
134 
135     uint32_t mode;    /* current card mode, one of SDCardModes */
136     int32_t state;    /* current card state, one of SDCardStates */
137     uint32_t vhs;
138     bool wp_switch;
139     unsigned long *wp_group_bmap;
140     int32_t wp_group_bits;
141     uint64_t size;
142     uint32_t blk_len;
143     uint32_t multi_blk_cnt;
144     uint32_t erase_start;
145     uint32_t erase_end;
146     uint8_t pwd[16];
147     uint32_t pwd_len;
148     uint8_t function_group[6];
149     uint8_t current_cmd;
150     const char *last_cmd_name;
151     /* True if we will handle the next command as an ACMD. Note that this does
152      * *not* track the APP_CMD status bit!
153      */
154     bool expecting_acmd;
155     uint32_t blk_written;
156 
157     uint64_t data_start;
158     uint32_t data_offset;
159     size_t data_size;
160     uint8_t data[512];
161     qemu_irq readonly_cb;
162     qemu_irq inserted_cb;
163     QEMUTimer *ocr_power_timer;
164     bool enable;
165     uint8_t dat_lines;
166     bool cmd_line;
167 };
168 
169 static void sd_realize(DeviceState *dev, Error **errp);
170 
171 static const SDProto sd_proto_spi;
172 
173 static bool sd_is_spi(SDState *sd)
174 {
175     return sd->proto == &sd_proto_spi;
176 }
177 
178 static const char *sd_version_str(enum SDPhySpecificationVersion version)
179 {
180     static const char *sdphy_version[] = {
181         [SD_PHY_SPECv1_10_VERS]     = "v1.10",
182         [SD_PHY_SPECv2_00_VERS]     = "v2.00",
183         [SD_PHY_SPECv3_01_VERS]     = "v3.01",
184     };
185     if (version >= ARRAY_SIZE(sdphy_version)) {
186         return "unsupported version";
187     }
188     return sdphy_version[version];
189 }
190 
191 static const char *sd_mode_name(enum SDCardModes mode)
192 {
193     static const char *mode_name[] = {
194         [sd_inactive]                   = "inactive",
195         [sd_card_identification_mode]   = "identification",
196         [sd_data_transfer_mode]         = "transfer",
197     };
198     assert(mode < ARRAY_SIZE(mode_name));
199     return mode_name[mode];
200 }
201 
202 static const char *sd_state_name(enum SDCardStates state)
203 {
204     static const char *state_name[] = {
205         [sd_idle_state]             = "idle",
206         [sd_ready_state]            = "ready",
207         [sd_identification_state]   = "identification",
208         [sd_standby_state]          = "standby",
209         [sd_transfer_state]         = "transfer",
210         [sd_sendingdata_state]      = "sendingdata",
211         [sd_bus_test_state]         = "bus-test",
212         [sd_receivingdata_state]    = "receivingdata",
213         [sd_programming_state]      = "programming",
214         [sd_disconnect_state]       = "disconnect",
215         [sd_sleep_state]            = "sleep",
216         [sd_io_state]               = "i/o"
217     };
218     if (state == sd_inactive_state) {
219         return "inactive";
220     }
221     if (state == sd_waitirq_state) {
222         return "wait-irq";
223     }
224     assert(state < ARRAY_SIZE(state_name));
225     return state_name[state];
226 }
227 
228 static const char *sd_response_name(sd_rsp_type_t rsp)
229 {
230     static const char *response_name[] = {
231         [sd_r0]     = "RESP#0 (no response)",
232         [sd_r1]     = "RESP#1 (normal cmd)",
233         [sd_r2_i]   = "RESP#2 (CID reg)",
234         [sd_r2_s]   = "RESP#2 (CSD reg)",
235         [sd_r3]     = "RESP#3 (OCR reg)",
236         [sd_r6]     = "RESP#6 (RCA)",
237         [sd_r7]     = "RESP#7 (operating voltage)",
238     };
239     if (rsp == sd_illegal) {
240         return "ILLEGAL RESP";
241     }
242     if (rsp == sd_r1b) {
243         rsp = sd_r1;
244     }
245     assert(rsp < ARRAY_SIZE(response_name));
246     return response_name[rsp];
247 }
248 
249 static const char *sd_cmd_name(SDState *sd, uint8_t cmd)
250 {
251     static const char *cmd_abbrev[SDMMC_CMD_MAX] = {
252         [18]    = "READ_MULTIPLE_BLOCK",
253                                             [25]    = "WRITE_MULTIPLE_BLOCK",
254     };
255     const SDProto *sdp = sd->proto;
256 
257     if (sdp->cmd[cmd].handler) {
258         assert(!cmd_abbrev[cmd]);
259         return sdp->cmd[cmd].name;
260     }
261     return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD";
262 }
263 
264 static const char *sd_acmd_name(SDState *sd, uint8_t cmd)
265 {
266     const SDProto *sdp = sd->proto;
267 
268     if (sdp->acmd[cmd].handler) {
269         return sdp->acmd[cmd].name;
270     }
271 
272     return "UNKNOWN_ACMD";
273 }
274 
275 static uint8_t sd_get_dat_lines(SDState *sd)
276 {
277     return sd->enable ? sd->dat_lines : 0;
278 }
279 
280 static bool sd_get_cmd_line(SDState *sd)
281 {
282     return sd->enable ? sd->cmd_line : false;
283 }
284 
285 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
286 {
287     trace_sdcard_set_voltage(millivolts);
288 
289     switch (millivolts) {
290     case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
291     case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
292         break;
293     default:
294         qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
295                       millivolts / 1000.f);
296     }
297 }
298 
299 static void sd_set_mode(SDState *sd)
300 {
301     switch (sd->state) {
302     case sd_inactive_state:
303         sd->mode = sd_inactive;
304         break;
305 
306     case sd_idle_state:
307     case sd_ready_state:
308     case sd_identification_state:
309         sd->mode = sd_card_identification_mode;
310         break;
311 
312     case sd_standby_state:
313     case sd_transfer_state:
314     case sd_sendingdata_state:
315     case sd_receivingdata_state:
316     case sd_programming_state:
317     case sd_disconnect_state:
318         sd->mode = sd_data_transfer_mode;
319         break;
320     }
321 }
322 
323 static uint8_t sd_crc7(const void *message, size_t width)
324 {
325     int i, bit;
326     uint8_t shift_reg = 0x00;
327     const uint8_t *msg = (const uint8_t *)message;
328 
329     for (i = 0; i < width; i ++, msg ++)
330         for (bit = 7; bit >= 0; bit --) {
331             shift_reg <<= 1;
332             if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
333                 shift_reg ^= 0x89;
334         }
335 
336     return shift_reg;
337 }
338 
339 /* Operation Conditions register */
340 
341 #define OCR_POWER_DELAY_NS      500000 /* 0.5ms */
342 
343 FIELD(OCR, VDD_VOLTAGE_WINDOW,          0, 24)
344 FIELD(OCR, VDD_VOLTAGE_WIN_LO,          0,  8)
345 FIELD(OCR, DUAL_VOLTAGE_CARD,           7,  1)
346 FIELD(OCR, VDD_VOLTAGE_WIN_HI,          8, 16)
347 FIELD(OCR, ACCEPT_SWITCH_1V8,          24,  1) /* Only UHS-I */
348 FIELD(OCR, UHS_II_CARD,                29,  1) /* Only UHS-II */
349 FIELD(OCR, CARD_CAPACITY,              30,  1) /* 0:SDSC, 1:SDHC/SDXC */
350 FIELD(OCR, CARD_POWER_UP,              31,  1)
351 
352 #define ACMD41_ENQUIRY_MASK     0x00ffffff
353 #define ACMD41_R3_MASK          (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
354                                | R_OCR_ACCEPT_SWITCH_1V8_MASK \
355                                | R_OCR_UHS_II_CARD_MASK \
356                                | R_OCR_CARD_CAPACITY_MASK \
357                                | R_OCR_CARD_POWER_UP_MASK)
358 
359 static void sd_ocr_powerup(void *opaque)
360 {
361     SDState *sd = opaque;
362 
363     trace_sdcard_powerup();
364     assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
365 
366     /* card power-up OK */
367     sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
368 
369     if (sd->size > SDSC_MAX_CAPACITY) {
370         sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
371     }
372 }
373 
374 static void sd_set_ocr(SDState *sd)
375 {
376     /* All voltages OK */
377     sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
378 
379     if (sd_is_spi(sd)) {
380         /*
381          * We don't need to emulate power up sequence in SPI-mode.
382          * Thus, the card's power up status bit should be set to 1 when reset.
383          * The card's capacity status bit should also be set if SD card size
384          * is larger than 2GB for SDHC support.
385          */
386         sd_ocr_powerup(sd);
387     }
388 }
389 
390 /* SD Configuration register */
391 
392 static void sd_set_scr(SDState *sd)
393 {
394     sd->scr[0] = 0 << 4;        /* SCR structure version 1.0 */
395     if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
396         sd->scr[0] |= 1;        /* Spec Version 1.10 */
397     } else {
398         sd->scr[0] |= 2;        /* Spec Version 2.00 or Version 3.0X */
399     }
400     sd->scr[1] = (2 << 4)       /* SDSC Card (Security Version 1.01) */
401                  | 0b0101;      /* 1-bit or 4-bit width bus modes */
402     sd->scr[2] = 0x00;          /* Extended Security is not supported. */
403     if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
404         sd->scr[2] |= 1 << 7;   /* Spec Version 3.0X */
405     }
406     sd->scr[3] = 0x00;
407     /* reserved for manufacturer usage */
408     sd->scr[4] = 0x00;
409     sd->scr[5] = 0x00;
410     sd->scr[6] = 0x00;
411     sd->scr[7] = 0x00;
412 }
413 
414 /* Card IDentification register */
415 
416 #define MID     0xaa
417 #define OID     "XY"
418 #define PNM     "QEMU!"
419 #define PRV     0x01
420 #define MDT_YR  2006
421 #define MDT_MON 2
422 
423 static void sd_set_cid(SDState *sd)
424 {
425     sd->cid[0] = MID;       /* Fake card manufacturer ID (MID) */
426     sd->cid[1] = OID[0];    /* OEM/Application ID (OID) */
427     sd->cid[2] = OID[1];
428     sd->cid[3] = PNM[0];    /* Fake product name (PNM) */
429     sd->cid[4] = PNM[1];
430     sd->cid[5] = PNM[2];
431     sd->cid[6] = PNM[3];
432     sd->cid[7] = PNM[4];
433     sd->cid[8] = PRV;       /* Fake product revision (PRV) */
434     stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
435     sd->cid[13] = 0x00 |    /* Manufacture date (MDT) */
436         ((MDT_YR - 2000) / 10);
437     sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
438     sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
439 }
440 
441 /* Card-Specific Data register */
442 
443 #define HWBLOCK_SHIFT   9        /* 512 bytes */
444 #define SECTOR_SHIFT    5        /* 16 kilobytes */
445 #define WPGROUP_SHIFT   7        /* 2 megs */
446 #define CMULT_SHIFT     9        /* 512 times HWBLOCK_SIZE */
447 #define WPGROUP_SIZE    (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
448 
449 static const uint8_t sd_csd_rw_mask[16] = {
450     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
451     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
452 };
453 
454 static void sd_set_csd(SDState *sd, uint64_t size)
455 {
456     int hwblock_shift = HWBLOCK_SHIFT;
457     uint32_t csize;
458     uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
459     uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
460 
461     /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
462     if (size == SDSC_MAX_CAPACITY) {
463         hwblock_shift += 1;
464     }
465     csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
466 
467     if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
468         sd->csd[0] = 0x00;      /* CSD structure */
469         sd->csd[1] = 0x26;      /* Data read access-time-1 */
470         sd->csd[2] = 0x00;      /* Data read access-time-2 */
471         sd->csd[3] = 0x32;      /* Max. data transfer rate: 25 MHz */
472         sd->csd[4] = 0x5f;      /* Card Command Classes */
473         sd->csd[5] = 0x50 |     /* Max. read data block length */
474             hwblock_shift;
475         sd->csd[6] = 0xe0 |     /* Partial block for read allowed */
476             ((csize >> 10) & 0x03);
477         sd->csd[7] = 0x00 |     /* Device size */
478             ((csize >> 2) & 0xff);
479         sd->csd[8] = 0x3f |     /* Max. read current */
480             ((csize << 6) & 0xc0);
481         sd->csd[9] = 0xfc |     /* Max. write current */
482             ((CMULT_SHIFT - 2) >> 1);
483         sd->csd[10] = 0x40 |    /* Erase sector size */
484             (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
485         sd->csd[11] = 0x00 |    /* Write protect group size */
486             ((sectsize << 7) & 0x80) | wpsize;
487         sd->csd[12] = 0x90 |    /* Write speed factor */
488             (hwblock_shift >> 2);
489         sd->csd[13] = 0x20 |    /* Max. write data block length */
490             ((hwblock_shift << 6) & 0xc0);
491         sd->csd[14] = 0x00;     /* File format group */
492     } else {                    /* SDHC */
493         size /= 512 * KiB;
494         size -= 1;
495         sd->csd[0] = 0x40;
496         sd->csd[1] = 0x0e;
497         sd->csd[2] = 0x00;
498         sd->csd[3] = 0x32;
499         sd->csd[4] = 0x5b;
500         sd->csd[5] = 0x59;
501         sd->csd[6] = 0x00;
502         st24_be_p(&sd->csd[7], size);
503         sd->csd[10] = 0x7f;
504         sd->csd[11] = 0x80;
505         sd->csd[12] = 0x0a;
506         sd->csd[13] = 0x40;
507         sd->csd[14] = 0x00;
508     }
509     sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
510 }
511 
512 /* Relative Card Address register */
513 
514 static void sd_set_rca(SDState *sd, uint16_t value)
515 {
516     trace_sdcard_set_rca(value);
517     sd->rca = value;
518 }
519 
520 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
521 {
522     switch (s->proto->cmd[req.cmd].type) {
523     case sd_ac:
524     case sd_adtc:
525         return req.arg >> 16;
526     case sd_spi:
527     default:
528         g_assert_not_reached();
529     }
530 }
531 
532 static bool sd_req_rca_same(SDState *s, SDRequest req)
533 {
534     return sd_req_get_rca(s, req) == s->rca;
535 }
536 
537 /* Card Status register */
538 
539 FIELD(CSR, AKE_SEQ_ERROR,               3,  1)
540 FIELD(CSR, APP_CMD,                     5,  1)
541 FIELD(CSR, FX_EVENT,                    6,  1)
542 FIELD(CSR, READY_FOR_DATA,              8,  1)
543 FIELD(CSR, CURRENT_STATE,               9,  4)
544 FIELD(CSR, ERASE_RESET,                13,  1)
545 FIELD(CSR, CARD_ECC_DISABLED,          14,  1)
546 FIELD(CSR, WP_ERASE_SKIP,              15,  1)
547 FIELD(CSR, CSD_OVERWRITE,              16,  1)
548 FIELD(CSR, DEFERRED_RESPONSE,          17,  1)
549 FIELD(CSR, ERROR,                      19,  1)
550 FIELD(CSR, CC_ERROR,                   20,  1)
551 FIELD(CSR, CARD_ECC_FAILED,            21,  1)
552 FIELD(CSR, ILLEGAL_COMMAND,            22,  1)
553 FIELD(CSR, COM_CRC_ERROR,              23,  1)
554 FIELD(CSR, LOCK_UNLOCK_FAILED,         24,  1)
555 FIELD(CSR, CARD_IS_LOCKED,             25,  1)
556 FIELD(CSR, WP_VIOLATION,               26,  1)
557 FIELD(CSR, ERASE_PARAM,                27,  1)
558 FIELD(CSR, ERASE_SEQ_ERROR,            28,  1)
559 FIELD(CSR, BLOCK_LEN_ERROR,            29,  1)
560 FIELD(CSR, ADDRESS_ERROR,              30,  1)
561 FIELD(CSR, OUT_OF_RANGE,               31,  1)
562 
563 /* Card status bits, split by clear condition:
564  * A : According to the card current state
565  * B : Always related to the previous command
566  * C : Cleared by read
567  */
568 #define CARD_STATUS_A           (R_CSR_READY_FOR_DATA_MASK \
569                                | R_CSR_CARD_ECC_DISABLED_MASK \
570                                | R_CSR_CARD_IS_LOCKED_MASK)
571 #define CARD_STATUS_B           (R_CSR_CURRENT_STATE_MASK \
572                                | R_CSR_ILLEGAL_COMMAND_MASK \
573                                | R_CSR_COM_CRC_ERROR_MASK)
574 #define CARD_STATUS_C           (R_CSR_AKE_SEQ_ERROR_MASK \
575                                | R_CSR_APP_CMD_MASK \
576                                | R_CSR_ERASE_RESET_MASK \
577                                | R_CSR_WP_ERASE_SKIP_MASK \
578                                | R_CSR_CSD_OVERWRITE_MASK \
579                                | R_CSR_ERROR_MASK \
580                                | R_CSR_CC_ERROR_MASK \
581                                | R_CSR_CARD_ECC_FAILED_MASK \
582                                | R_CSR_LOCK_UNLOCK_FAILED_MASK \
583                                | R_CSR_WP_VIOLATION_MASK \
584                                | R_CSR_ERASE_PARAM_MASK \
585                                | R_CSR_ERASE_SEQ_ERROR_MASK \
586                                | R_CSR_BLOCK_LEN_ERROR_MASK \
587                                | R_CSR_ADDRESS_ERROR_MASK \
588                                | R_CSR_OUT_OF_RANGE_MASK)
589 
590 static void sd_set_cardstatus(SDState *sd)
591 {
592     sd->card_status = READY_FOR_DATA;
593 }
594 
595 static void sd_set_sdstatus(SDState *sd)
596 {
597     memset(sd->sd_status, 0, 64);
598 }
599 
600 static const uint8_t sd_tuning_block_pattern4[64] = {
601     /*
602      * See: Physical Layer Simplified Specification Version 3.01,
603      * Table 4-2.
604      */
605     0xff, 0x0f, 0xff, 0x00,     0x0f, 0xfc, 0xc3, 0xcc,
606     0xc3, 0x3c, 0xcc, 0xff,     0xfe, 0xff, 0xfe, 0xef,
607     0xff, 0xdf, 0xff, 0xdd,     0xff, 0xfb, 0xff, 0xfb,
608     0xbf, 0xff, 0x7f, 0xff,     0x77, 0xf7, 0xbd, 0xef,
609     0xff, 0xf0, 0xff, 0xf0,     0x0f, 0xfc, 0xcc, 0x3c,
610     0xcc, 0x33, 0xcc, 0xcf,     0xff, 0xef, 0xff, 0xee,
611     0xff, 0xfd, 0xff, 0xfd,     0xdf, 0xff, 0xbf, 0xff,
612     0xbb, 0xff, 0xf7, 0xff,     0xf7, 0x7f, 0x7b, 0xde
613 };
614 
615 static int sd_req_crc_validate(SDRequest *req)
616 {
617     uint8_t buffer[5];
618     buffer[0] = 0x40 | req->cmd;
619     stl_be_p(&buffer[1], req->arg);
620     return 0;
621     return sd_crc7(buffer, 5) != req->crc;  /* TODO */
622 }
623 
624 static void sd_response_r1_make(SDState *sd, uint8_t *response)
625 {
626     stl_be_p(response, sd->card_status);
627 
628     /* Clear the "clear on read" status bits */
629     sd->card_status &= ~CARD_STATUS_C;
630 }
631 
632 static void sd_response_r3_make(SDState *sd, uint8_t *response)
633 {
634     stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
635 }
636 
637 static void sd_response_r6_make(SDState *sd, uint8_t *response)
638 {
639     uint16_t status;
640 
641     status = ((sd->card_status >> 8) & 0xc000) |
642              ((sd->card_status >> 6) & 0x2000) |
643               (sd->card_status & 0x1fff);
644     sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
645     stw_be_p(response + 0, sd->rca);
646     stw_be_p(response + 2, status);
647 }
648 
649 static void sd_response_r7_make(SDState *sd, uint8_t *response)
650 {
651     stl_be_p(response, sd->vhs);
652 }
653 
654 static uint32_t sd_blk_len(SDState *sd)
655 {
656     if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
657         return 1 << HWBLOCK_SHIFT;
658     }
659     return sd->blk_len;
660 }
661 
662 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
663 {
664     uint64_t addr;
665 
666     if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
667         addr = (uint64_t) req.arg << HWBLOCK_SHIFT;
668     } else {
669         addr = req.arg;
670     }
671     trace_sdcard_req_addr(req.arg, addr);
672     return addr;
673 }
674 
675 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
676 {
677     return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
678 }
679 
680 static void sd_reset(DeviceState *dev)
681 {
682     SDState *sd = SD_CARD(dev);
683     SDCardClass *sc = SD_CARD_GET_CLASS(sd);
684     uint64_t size;
685     uint64_t sect;
686 
687     trace_sdcard_reset();
688     if (sd->blk) {
689         blk_get_geometry(sd->blk, &sect);
690     } else {
691         sect = 0;
692     }
693     size = sect << HWBLOCK_SHIFT;
694 
695     sect = sd_addr_to_wpnum(size) + 1;
696 
697     sd->state = sd_idle_state;
698 
699     /* card registers */
700     sd->rca = 0x0000;
701     sd->size = size;
702     sd_set_ocr(sd);
703     sd_set_scr(sd);
704     sc->set_cid(sd);
705     sc->set_csd(sd, size);
706     sd_set_cardstatus(sd);
707     sd_set_sdstatus(sd);
708 
709     g_free(sd->wp_group_bmap);
710     sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
711     sd->wp_group_bits = sect;
712     sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
713     memset(sd->function_group, 0, sizeof(sd->function_group));
714     sd->erase_start = INVALID_ADDRESS;
715     sd->erase_end = INVALID_ADDRESS;
716     sd->blk_len = 0x200;
717     sd->pwd_len = 0;
718     sd->expecting_acmd = false;
719     sd->dat_lines = 0xf;
720     sd->cmd_line = true;
721     sd->multi_blk_cnt = 0;
722 }
723 
724 static bool sd_get_inserted(SDState *sd)
725 {
726     return sd->blk && blk_is_inserted(sd->blk);
727 }
728 
729 static bool sd_get_readonly(SDState *sd)
730 {
731     return sd->wp_switch;
732 }
733 
734 static void sd_cardchange(void *opaque, bool load, Error **errp)
735 {
736     SDState *sd = opaque;
737     DeviceState *dev = DEVICE(sd);
738     SDBus *sdbus;
739     bool inserted = sd_get_inserted(sd);
740     bool readonly = sd_get_readonly(sd);
741 
742     if (inserted) {
743         trace_sdcard_inserted(readonly);
744         sd_reset(dev);
745     } else {
746         trace_sdcard_ejected();
747     }
748 
749     if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
750         qemu_set_irq(sd->inserted_cb, inserted);
751         if (inserted) {
752             qemu_set_irq(sd->readonly_cb, readonly);
753         }
754     } else {
755         sdbus = SD_BUS(qdev_get_parent_bus(dev));
756         sdbus_set_inserted(sdbus, inserted);
757         if (inserted) {
758             sdbus_set_readonly(sdbus, readonly);
759         }
760     }
761 }
762 
763 static const BlockDevOps sd_block_ops = {
764     .change_media_cb = sd_cardchange,
765 };
766 
767 static bool sd_ocr_vmstate_needed(void *opaque)
768 {
769     SDState *sd = opaque;
770 
771     /* Include the OCR state (and timer) if it is not yet powered up */
772     return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
773 }
774 
775 static const VMStateDescription sd_ocr_vmstate = {
776     .name = "sd-card/ocr-state",
777     .version_id = 1,
778     .minimum_version_id = 1,
779     .needed = sd_ocr_vmstate_needed,
780     .fields = (const VMStateField[]) {
781         VMSTATE_UINT32(ocr, SDState),
782         VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
783         VMSTATE_END_OF_LIST()
784     },
785 };
786 
787 static int sd_vmstate_pre_load(void *opaque)
788 {
789     SDState *sd = opaque;
790 
791     /* If the OCR state is not included (prior versions, or not
792      * needed), then the OCR must be set as powered up. If the OCR state
793      * is included, this will be replaced by the state restore.
794      */
795     sd_ocr_powerup(sd);
796 
797     return 0;
798 }
799 
800 static const VMStateDescription sd_vmstate = {
801     .name = "sd-card",
802     .version_id = 2,
803     .minimum_version_id = 2,
804     .pre_load = sd_vmstate_pre_load,
805     .fields = (const VMStateField[]) {
806         VMSTATE_UINT32(mode, SDState),
807         VMSTATE_INT32(state, SDState),
808         VMSTATE_UINT8_ARRAY(cid, SDState, 16),
809         VMSTATE_UINT8_ARRAY(csd, SDState, 16),
810         VMSTATE_UINT16(rca, SDState),
811         VMSTATE_UINT32(card_status, SDState),
812         VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
813         VMSTATE_UINT32(vhs, SDState),
814         VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
815         VMSTATE_UINT32(blk_len, SDState),
816         VMSTATE_UINT32(multi_blk_cnt, SDState),
817         VMSTATE_UINT32(erase_start, SDState),
818         VMSTATE_UINT32(erase_end, SDState),
819         VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
820         VMSTATE_UINT32(pwd_len, SDState),
821         VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
822         VMSTATE_UINT8(current_cmd, SDState),
823         VMSTATE_BOOL(expecting_acmd, SDState),
824         VMSTATE_UINT32(blk_written, SDState),
825         VMSTATE_UINT64(data_start, SDState),
826         VMSTATE_UINT32(data_offset, SDState),
827         VMSTATE_UINT8_ARRAY(data, SDState, 512),
828         VMSTATE_UNUSED_V(1, 512),
829         VMSTATE_BOOL(enable, SDState),
830         VMSTATE_END_OF_LIST()
831     },
832     .subsections = (const VMStateDescription * const []) {
833         &sd_ocr_vmstate,
834         NULL
835     },
836 };
837 
838 /* Legacy initialization function for use by non-qdevified callers */
839 SDState *sd_init(BlockBackend *blk, bool is_spi)
840 {
841     Object *obj;
842     DeviceState *dev;
843     SDState *sd;
844     Error *err = NULL;
845 
846     obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
847     dev = DEVICE(obj);
848     if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
849         error_reportf_err(err, "sd_init failed: ");
850         return NULL;
851     }
852 
853     /*
854      * Realizing the device properly would put it into the QOM
855      * composition tree even though it is not plugged into an
856      * appropriate bus.  That's a no-no.  Hide the device from
857      * QOM/qdev, and call its qdev realize callback directly.
858      */
859     object_ref(obj);
860     object_unparent(obj);
861     sd_realize(dev, &err);
862     if (err) {
863         error_reportf_err(err, "sd_init failed: ");
864         return NULL;
865     }
866 
867     sd = SD_CARD(dev);
868     sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
869     return sd;
870 }
871 
872 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
873 {
874     sd->readonly_cb = readonly;
875     sd->inserted_cb = insert;
876     qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
877     qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
878 }
879 
880 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
881 {
882     trace_sdcard_read_block(addr, len);
883     if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
884         fprintf(stderr, "sd_blk_read: read error on host side\n");
885     }
886 }
887 
888 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
889 {
890     trace_sdcard_write_block(addr, len);
891     if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
892         fprintf(stderr, "sd_blk_write: write error on host side\n");
893     }
894 }
895 
896 static void sd_erase(SDState *sd)
897 {
898     uint64_t erase_start = sd->erase_start;
899     uint64_t erase_end = sd->erase_end;
900     bool sdsc = true;
901     uint64_t wpnum;
902     uint64_t erase_addr;
903     int erase_len = 1 << HWBLOCK_SHIFT;
904 
905     trace_sdcard_erase(sd->erase_start, sd->erase_end);
906     if (sd->erase_start == INVALID_ADDRESS
907             || sd->erase_end == INVALID_ADDRESS) {
908         sd->card_status |= ERASE_SEQ_ERROR;
909         sd->erase_start = INVALID_ADDRESS;
910         sd->erase_end = INVALID_ADDRESS;
911         return;
912     }
913 
914     if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
915         /* High capacity memory card: erase units are 512 byte blocks */
916         erase_start <<= HWBLOCK_SHIFT;
917         erase_end <<= HWBLOCK_SHIFT;
918         sdsc = false;
919     }
920 
921     if (erase_start > sd->size || erase_end > sd->size) {
922         sd->card_status |= OUT_OF_RANGE;
923         sd->erase_start = INVALID_ADDRESS;
924         sd->erase_end = INVALID_ADDRESS;
925         return;
926     }
927 
928     sd->erase_start = INVALID_ADDRESS;
929     sd->erase_end = INVALID_ADDRESS;
930     sd->csd[14] |= 0x40;
931 
932     memset(sd->data, 0xff, erase_len);
933     for (erase_addr = erase_start; erase_addr <= erase_end;
934          erase_addr += erase_len) {
935         if (sdsc) {
936             /* Only SDSC cards support write protect groups */
937             wpnum = sd_addr_to_wpnum(erase_addr);
938             assert(wpnum < sd->wp_group_bits);
939             if (test_bit(wpnum, sd->wp_group_bmap)) {
940                 sd->card_status |= WP_ERASE_SKIP;
941                 continue;
942             }
943         }
944         sd_blk_write(sd, erase_addr, erase_len);
945     }
946 }
947 
948 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
949 {
950     uint32_t i, wpnum;
951     uint32_t ret = 0;
952 
953     wpnum = sd_addr_to_wpnum(addr);
954 
955     for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
956         if (addr >= sd->size) {
957             /*
958              * If the addresses of the last groups are outside the valid range,
959              * then the corresponding write protection bits shall be set to 0.
960              */
961             continue;
962         }
963         assert(wpnum < sd->wp_group_bits);
964         if (test_bit(wpnum, sd->wp_group_bmap)) {
965             ret |= (1 << i);
966         }
967     }
968 
969     return ret;
970 }
971 
972 static void sd_function_switch(SDState *sd, uint32_t arg)
973 {
974     int i, mode, new_func;
975     mode = !!(arg & 0x80000000);
976 
977     sd->data[0] = 0x00;     /* Maximum current consumption */
978     sd->data[1] = 0x01;
979     sd->data[2] = 0x80;     /* Supported group 6 functions */
980     sd->data[3] = 0x01;
981     sd->data[4] = 0x80;     /* Supported group 5 functions */
982     sd->data[5] = 0x01;
983     sd->data[6] = 0x80;     /* Supported group 4 functions */
984     sd->data[7] = 0x01;
985     sd->data[8] = 0x80;     /* Supported group 3 functions */
986     sd->data[9] = 0x01;
987     sd->data[10] = 0x80;    /* Supported group 2 functions */
988     sd->data[11] = 0x43;
989     sd->data[12] = 0x80;    /* Supported group 1 functions */
990     sd->data[13] = 0x03;
991 
992     memset(&sd->data[14], 0, 3);
993     for (i = 0; i < 6; i ++) {
994         new_func = (arg >> (i * 4)) & 0x0f;
995         if (mode && new_func != 0x0f)
996             sd->function_group[i] = new_func;
997         sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
998     }
999     memset(&sd->data[17], 0, 47);
1000 }
1001 
1002 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
1003 {
1004     return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1005 }
1006 
1007 static void sd_lock_command(SDState *sd)
1008 {
1009     int erase, lock, clr_pwd, set_pwd, pwd_len;
1010     erase = !!(sd->data[0] & 0x08);
1011     lock = sd->data[0] & 0x04;
1012     clr_pwd = sd->data[0] & 0x02;
1013     set_pwd = sd->data[0] & 0x01;
1014 
1015     if (sd->blk_len > 1)
1016         pwd_len = sd->data[1];
1017     else
1018         pwd_len = 0;
1019 
1020     if (lock) {
1021         trace_sdcard_lock();
1022     } else {
1023         trace_sdcard_unlock();
1024     }
1025     if (erase) {
1026         if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
1027                         set_pwd || clr_pwd || lock || sd->wp_switch ||
1028                         (sd->csd[14] & 0x20)) {
1029             sd->card_status |= LOCK_UNLOCK_FAILED;
1030             return;
1031         }
1032         bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
1033         sd->csd[14] &= ~0x10;
1034         sd->card_status &= ~CARD_IS_LOCKED;
1035         sd->pwd_len = 0;
1036         /* Erasing the entire card here! */
1037         fprintf(stderr, "SD: Card force-erased by CMD42\n");
1038         return;
1039     }
1040 
1041     if (sd->blk_len < 2 + pwd_len ||
1042                     pwd_len <= sd->pwd_len ||
1043                     pwd_len > sd->pwd_len + 16) {
1044         sd->card_status |= LOCK_UNLOCK_FAILED;
1045         return;
1046     }
1047 
1048     if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
1049         sd->card_status |= LOCK_UNLOCK_FAILED;
1050         return;
1051     }
1052 
1053     pwd_len -= sd->pwd_len;
1054     if ((pwd_len && !set_pwd) ||
1055                     (clr_pwd && (set_pwd || lock)) ||
1056                     (lock && !sd->pwd_len && !set_pwd) ||
1057                     (!set_pwd && !clr_pwd &&
1058                      (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1059                       (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1060         sd->card_status |= LOCK_UNLOCK_FAILED;
1061         return;
1062     }
1063 
1064     if (set_pwd) {
1065         memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1066         sd->pwd_len = pwd_len;
1067     }
1068 
1069     if (clr_pwd) {
1070         sd->pwd_len = 0;
1071     }
1072 
1073     if (lock)
1074         sd->card_status |= CARD_IS_LOCKED;
1075     else
1076         sd->card_status &= ~CARD_IS_LOCKED;
1077 }
1078 
1079 static bool address_in_range(SDState *sd, const char *desc,
1080                              uint64_t addr, uint32_t length)
1081 {
1082     if (addr + length > sd->size) {
1083         qemu_log_mask(LOG_GUEST_ERROR,
1084                       "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1085                       desc, addr, sd->size, length);
1086         sd->card_status |= ADDRESS_ERROR;
1087         return false;
1088     }
1089     return true;
1090 }
1091 
1092 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1093 {
1094     qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1095                   sd->proto->name, req.cmd, sd_state_name(sd->state),
1096                   sd_version_str(sd->spec_version));
1097 
1098     return sd_illegal;
1099 }
1100 
1101 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
1102 {
1103     qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
1104                   sd->proto->name, req.cmd, sd_mode_name(sd->mode),
1105                   sd_version_str(sd->spec_version));
1106 
1107     return sd_illegal;
1108 }
1109 
1110 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1111 {
1112     qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1113                   sd->proto->name, req.cmd,
1114                   sd_version_str(sd->spec_version));
1115 
1116     return sd_illegal;
1117 }
1118 
1119 /* Commands that are recognised but not yet implemented. */
1120 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1121 {
1122     qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1123                   sd->proto->name, req.cmd);
1124 
1125     return sd_illegal;
1126 }
1127 
1128 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req)
1129 {
1130     qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n",
1131                   sd->proto->name, req.cmd);
1132 
1133     return sd_illegal;
1134 }
1135 
1136 /* Configure fields for following sd_generic_write_byte() calls */
1137 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req,
1138                                              uint64_t start, size_t size)
1139 {
1140     if (sd->state != sd_transfer_state) {
1141         return sd_invalid_state_for_cmd(sd, req);
1142     }
1143     sd->state = sd_receivingdata_state;
1144     sd->data_start = start;
1145     sd->data_offset = 0;
1146     /* sd->data[] used as receive buffer */
1147     sd->data_size = size ?: sizeof(sd->data);
1148     return sd_r1;
1149 }
1150 
1151 /* Configure fields for following sd_generic_read_byte() calls */
1152 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req,
1153                                            uint64_t start,
1154                                            const void *data, size_t size)
1155 {
1156     if (sd->state != sd_transfer_state) {
1157         sd_invalid_state_for_cmd(sd, req);
1158     }
1159 
1160     sd->state = sd_sendingdata_state;
1161     sd->data_start = start;
1162     sd->data_offset = 0;
1163     if (data) {
1164         assert(size > 0 && size <= sizeof(sd->data));
1165         memcpy(sd->data, data, size);
1166     }
1167     if (size) {
1168         sd->data_size = size;
1169     }
1170     return sd_r1;
1171 }
1172 
1173 /* CMD0 */
1174 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1175 {
1176     sd->state = sd_idle_state;
1177     sd_reset(DEVICE(sd));
1178 
1179     return sd_is_spi(sd) ? sd_r1 : sd_r0;
1180 }
1181 
1182 /* CMD1 */
1183 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1184 {
1185     sd->state = sd_transfer_state;
1186 
1187     return sd_r1;
1188 }
1189 
1190 /* CMD2 */
1191 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1192 {
1193     switch (sd->state) {
1194     case sd_ready_state:
1195         sd->state = sd_identification_state;
1196         return sd_r2_i;
1197     default:
1198         return sd_invalid_state_for_cmd(sd, req);
1199     }
1200 }
1201 
1202 /* CMD3 */
1203 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1204 {
1205     uint16_t random_rca;
1206 
1207     switch (sd->state) {
1208     case sd_identification_state:
1209     case sd_standby_state:
1210         sd->state = sd_standby_state;
1211         qemu_guest_getrandom_nofail(&random_rca, sizeof(random_rca));
1212         sd_set_rca(sd, random_rca);
1213         return sd_r6;
1214 
1215     default:
1216         return sd_invalid_state_for_cmd(sd, req);
1217     }
1218 }
1219 
1220 /* CMD6 */
1221 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req)
1222 {
1223     if (sd->mode != sd_data_transfer_mode) {
1224         return sd_invalid_mode_for_cmd(sd, req);
1225     }
1226     if (sd->state != sd_transfer_state) {
1227         return sd_invalid_state_for_cmd(sd, req);
1228     }
1229 
1230     sd_function_switch(sd, req.arg);
1231     return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64);
1232 }
1233 
1234 /* CMD7 */
1235 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req)
1236 {
1237     bool same_rca = sd_req_rca_same(sd, req);
1238 
1239     switch (sd->state) {
1240     case sd_standby_state:
1241         if (!same_rca) {
1242             return sd_r0;
1243         }
1244         sd->state = sd_transfer_state;
1245         return sd_r1b;
1246 
1247     case sd_transfer_state:
1248     case sd_sendingdata_state:
1249         if (same_rca) {
1250             break;
1251         }
1252         sd->state = sd_standby_state;
1253         return sd_r1b;
1254 
1255     case sd_disconnect_state:
1256         if (!same_rca) {
1257             return sd_r0;
1258         }
1259         sd->state = sd_programming_state;
1260         return sd_r1b;
1261 
1262     case sd_programming_state:
1263         if (same_rca) {
1264             break;
1265         }
1266         sd->state = sd_disconnect_state;
1267         return sd_r1b;
1268 
1269     default:
1270         break;
1271     }
1272     return sd_invalid_state_for_cmd(sd, req);
1273 }
1274 
1275 /* CMD8 */
1276 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req)
1277 {
1278     if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1279         return sd_cmd_illegal(sd, req);
1280     }
1281     if (sd->state != sd_idle_state) {
1282         return sd_invalid_state_for_cmd(sd, req);
1283     }
1284     sd->vhs = 0;
1285 
1286     /* No response if not exactly one VHS bit is set.  */
1287     if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1288         return sd_is_spi(sd) ? sd_r7 : sd_r0;
1289     }
1290 
1291     /* Accept.  */
1292     sd->vhs = req.arg;
1293     return sd_r7;
1294 }
1295 
1296 /* CMD9 */
1297 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req)
1298 {
1299     if (sd->state != sd_standby_state) {
1300         return sd_invalid_state_for_cmd(sd, req);
1301     }
1302     return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1303                                  sd->csd, 16);
1304 }
1305 
1306 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req)
1307 {
1308     if (sd->state != sd_standby_state) {
1309         return sd_invalid_state_for_cmd(sd, req);
1310     }
1311 
1312     return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0;
1313 }
1314 
1315 /* CMD10 */
1316 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req)
1317 {
1318     if (sd->state != sd_standby_state) {
1319         return sd_invalid_state_for_cmd(sd, req);
1320     }
1321     return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1322                                  sd->cid, 16);
1323 }
1324 
1325 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req)
1326 {
1327     if (sd->state != sd_standby_state) {
1328         return sd_invalid_state_for_cmd(sd, req);
1329     }
1330 
1331     return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0;
1332 }
1333 
1334 /* CMD12 */
1335 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req)
1336 {
1337     switch (sd->state) {
1338     case sd_sendingdata_state:
1339         sd->state = sd_transfer_state;
1340         return sd_r1b;
1341     case sd_receivingdata_state:
1342         sd->state = sd_programming_state;
1343         /* Bzzzzzzztt .... Operation complete.  */
1344         sd->state = sd_transfer_state;
1345         return sd_r1;
1346     default:
1347         return sd_invalid_state_for_cmd(sd, req);
1348     }
1349 }
1350 
1351 /* CMD13 */
1352 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req)
1353 {
1354     if (sd->mode != sd_data_transfer_mode) {
1355         return sd_invalid_mode_for_cmd(sd, req);
1356     }
1357 
1358     switch (sd->state) {
1359     case sd_standby_state:
1360     case sd_transfer_state:
1361     case sd_sendingdata_state:
1362     case sd_receivingdata_state:
1363     case sd_programming_state:
1364     case sd_disconnect_state:
1365         break;
1366     default:
1367         return sd_invalid_state_for_cmd(sd, req);
1368     }
1369 
1370     if (sd_is_spi(sd)) {
1371         return sd_r2_s;
1372     }
1373 
1374     return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0;
1375 }
1376 
1377 /* CMD15 */
1378 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req)
1379 {
1380     if (sd->mode != sd_data_transfer_mode) {
1381         return sd_invalid_mode_for_cmd(sd, req);
1382     }
1383     switch (sd->state) {
1384     case sd_standby_state:
1385     case sd_transfer_state:
1386     case sd_sendingdata_state:
1387     case sd_receivingdata_state:
1388     case sd_programming_state:
1389     case sd_disconnect_state:
1390         break;
1391     default:
1392         return sd_invalid_state_for_cmd(sd, req);
1393     }
1394     if (sd_req_rca_same(sd, req)) {
1395         sd->state = sd_inactive_state;
1396     }
1397 
1398     return sd_r0;
1399 }
1400 
1401 /* CMD16 */
1402 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req)
1403 {
1404     if (sd->state != sd_transfer_state) {
1405         return sd_invalid_state_for_cmd(sd, req);
1406     }
1407     if (req.arg > (1 << HWBLOCK_SHIFT)) {
1408         sd->card_status |= BLOCK_LEN_ERROR;
1409     } else {
1410         trace_sdcard_set_blocklen(req.arg);
1411         sd->blk_len = req.arg;
1412     }
1413 
1414     return sd_r1;
1415 }
1416 
1417 /* CMD17 */
1418 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req)
1419 {
1420     uint64_t addr;
1421 
1422     if (sd->state != sd_transfer_state) {
1423         return sd_invalid_state_for_cmd(sd, req);
1424     }
1425 
1426     addr = sd_req_get_address(sd, req);
1427     if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) {
1428         return sd_r1;
1429     }
1430 
1431     sd_blk_read(sd, addr, sd->blk_len);
1432     return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len);
1433 }
1434 
1435 /* CMD19 */
1436 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1437 {
1438     if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1439         return sd_cmd_illegal(sd, req);
1440     }
1441 
1442     return sd_cmd_to_sendingdata(sd, req, 0,
1443                                  sd_tuning_block_pattern4,
1444                                  sizeof(sd_tuning_block_pattern4));
1445 }
1446 
1447 /* CMD23 */
1448 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1449 {
1450     if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1451         return sd_cmd_illegal(sd, req);
1452     }
1453 
1454     if (sd->state != sd_transfer_state) {
1455         return sd_invalid_state_for_cmd(sd, req);
1456     }
1457 
1458     sd->multi_blk_cnt = req.arg;
1459     trace_sdcard_set_block_count(sd->multi_blk_cnt);
1460 
1461     return sd_r1;
1462 }
1463 
1464 /* CMD24 */
1465 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req)
1466 {
1467     uint64_t addr;
1468 
1469     if (sd->state != sd_transfer_state) {
1470         return sd_invalid_state_for_cmd(sd, req);
1471     }
1472 
1473     addr = sd_req_get_address(sd, req);
1474     if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) {
1475         return sd_r1;
1476     }
1477 
1478     if (sd->size <= SDSC_MAX_CAPACITY) {
1479         if (sd_wp_addr(sd, addr)) {
1480             sd->card_status |= WP_VIOLATION;
1481         }
1482     }
1483     if (sd->csd[14] & 0x30) {
1484         sd->card_status |= WP_VIOLATION;
1485     }
1486 
1487     sd->blk_written = 0;
1488     return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len);
1489 }
1490 
1491 /* CMD27 */
1492 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req)
1493 {
1494     return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd));
1495 }
1496 
1497 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req,
1498                                                bool is_write)
1499 {
1500     uint64_t addr;
1501 
1502     if (sd->size > SDSC_MAX_CAPACITY) {
1503         return sd_illegal;
1504     }
1505 
1506     if (sd->state != sd_transfer_state) {
1507         return sd_invalid_state_for_cmd(sd, req);
1508     }
1509 
1510     addr = sd_req_get_address(sd, req);
1511     if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT",
1512                           addr, 1)) {
1513         return sd_r1b;
1514     }
1515 
1516     sd->state = sd_programming_state;
1517     if (is_write) {
1518         set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1519     } else {
1520         clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1521     }
1522     /* Bzzzzzzztt .... Operation complete.  */
1523     sd->state = sd_transfer_state;
1524     return sd_r1;
1525 }
1526 
1527 /* CMD28 */
1528 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req)
1529 {
1530     return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true);
1531 }
1532 
1533 /* CMD29 */
1534 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req)
1535 {
1536     return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false);
1537 }
1538 
1539 /* CMD30 */
1540 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req)
1541 {
1542     uint64_t addr;
1543     uint32_t data;
1544 
1545     if (sd->size > SDSC_MAX_CAPACITY) {
1546         return sd_illegal;
1547     }
1548 
1549     if (sd->state != sd_transfer_state) {
1550         return sd_invalid_state_for_cmd(sd, req);
1551     }
1552 
1553     addr = sd_req_get_address(sd, req);
1554     if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) {
1555         return sd_r1;
1556     }
1557 
1558     data = sd_wpbits(sd, req.arg);
1559     return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data));
1560 }
1561 
1562 /* CMD32 */
1563 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req)
1564 {
1565     if (sd->state != sd_transfer_state) {
1566         return sd_invalid_state_for_cmd(sd, req);
1567     }
1568     sd->erase_start = req.arg;
1569     return sd_r1;
1570 }
1571 
1572 /* CMD33 */
1573 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req)
1574 {
1575     if (sd->state != sd_transfer_state) {
1576         return sd_invalid_state_for_cmd(sd, req);
1577     }
1578     sd->erase_end = req.arg;
1579     return sd_r1;
1580 }
1581 
1582 /* CMD38 */
1583 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req)
1584 {
1585     if (sd->state != sd_transfer_state) {
1586         return sd_invalid_state_for_cmd(sd, req);
1587     }
1588     if (sd->csd[14] & 0x30) {
1589         sd->card_status |= WP_VIOLATION;
1590         return sd_r1b;
1591     }
1592 
1593     sd->state = sd_programming_state;
1594     sd_erase(sd);
1595     /* Bzzzzzzztt .... Operation complete.  */
1596     sd->state = sd_transfer_state;
1597     return sd_r1b;
1598 }
1599 
1600 /* CMD42 */
1601 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req)
1602 {
1603     return sd_cmd_to_receivingdata(sd, req, 0, 0);
1604 }
1605 
1606 /* CMD55 */
1607 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req)
1608 {
1609     switch (sd->state) {
1610     case sd_ready_state:
1611     case sd_identification_state:
1612     case sd_inactive_state:
1613         return sd_invalid_state_for_cmd(sd, req);
1614     case sd_idle_state:
1615         if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) {
1616             qemu_log_mask(LOG_GUEST_ERROR,
1617                           "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1618         }
1619         /* fall-through */
1620     default:
1621         break;
1622     }
1623     if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) {
1624         return sd_r0;
1625     }
1626     sd->expecting_acmd = true;
1627     sd->card_status |= APP_CMD;
1628 
1629     return sd_r1;
1630 }
1631 
1632 /* CMD56 */
1633 static sd_rsp_type_t sd_cmd_GEN_CMD(SDState *sd, SDRequest req)
1634 {
1635     if (sd->state != sd_transfer_state) {
1636         return sd_invalid_state_for_cmd(sd, req);
1637     }
1638 
1639     /* Vendor specific command: our model is RAZ/WI */
1640     if (req.arg & 1) {
1641         memset(sd->data, 0, sizeof(sd->data));
1642         return sd_cmd_to_sendingdata(sd, req, 0, NULL, 0);
1643     } else {
1644         return sd_cmd_to_receivingdata(sd, req, 0, 0);
1645     }
1646 }
1647 
1648 /* CMD58 */
1649 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req)
1650 {
1651     return sd_r3;
1652 }
1653 
1654 /* CMD59 */
1655 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req)
1656 {
1657     return sd_r1;
1658 }
1659 
1660 /* ACMD6 */
1661 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req)
1662 {
1663     if (sd->state != sd_transfer_state) {
1664         return sd_invalid_state_for_cmd(sd, req);
1665     }
1666 
1667     sd->sd_status[0] &= 0x3f;
1668     sd->sd_status[0] |= (req.arg & 0x03) << 6;
1669     return sd_r1;
1670 }
1671 
1672 /* ACMD13 */
1673 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req)
1674 {
1675     return sd_cmd_to_sendingdata(sd, req, 0,
1676                                  sd->sd_status, sizeof(sd->sd_status));
1677 }
1678 
1679 /* ACMD22 */
1680 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req)
1681 {
1682     return sd_cmd_to_sendingdata(sd, req, 0,
1683                                  &sd->blk_written, sizeof(sd->blk_written));
1684 }
1685 
1686 /* ACMD23 */
1687 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req)
1688 {
1689     if (sd->state != sd_transfer_state) {
1690         return sd_invalid_state_for_cmd(sd, req);
1691     }
1692     return sd_r1;
1693 }
1694 
1695 /* ACMD41 */
1696 static sd_rsp_type_t sd_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1697 {
1698     if (sd->state != sd_idle_state) {
1699         return sd_invalid_state_for_cmd(sd, req);
1700     }
1701 
1702     /*
1703      * If it's the first ACMD41 since reset, we need to decide
1704      * whether to power up. If this is not an enquiry ACMD41,
1705      * we immediately report power on and proceed below to the
1706      * ready state, but if it is, we set a timer to model a
1707      * delay for power up. This works around a bug in EDK2
1708      * UEFI, which sends an initial enquiry ACMD41, but
1709      * assumes that the card is in ready state as soon as it
1710      * sees the power up bit set.
1711      */
1712     if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1713         if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1714             timer_del(sd->ocr_power_timer);
1715             sd_ocr_powerup(sd);
1716         } else {
1717             trace_sdcard_inquiry_cmd41();
1718             if (!timer_pending(sd->ocr_power_timer)) {
1719                 timer_mod_ns(sd->ocr_power_timer,
1720                              (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1721                               + OCR_POWER_DELAY_NS));
1722             }
1723         }
1724     }
1725 
1726     if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1727         /*
1728          * We accept any voltage.  10000 V is nothing.
1729          *
1730          * Once we're powered up, we advance straight to ready state
1731          * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1732          */
1733         sd->state = sd_ready_state;
1734     }
1735 
1736     return sd_r3;
1737 }
1738 
1739 /* ACMD42 */
1740 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req)
1741 {
1742     if (sd->state != sd_transfer_state) {
1743         return sd_invalid_state_for_cmd(sd, req);
1744     }
1745 
1746     /* Bringing in the 50KOhm pull-up resistor... Done.  */
1747     return sd_r1;
1748 }
1749 
1750 /* ACMD51 */
1751 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req)
1752 {
1753     return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr));
1754 }
1755 
1756 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
1757 {
1758     uint64_t addr;
1759 
1760     sd->last_cmd_name = sd_cmd_name(sd, req.cmd);
1761     /* CMD55 precedes an ACMD, so we are not interested in tracing it.
1762      * However there is no ACMD55, so we want to trace this particular case.
1763      */
1764     if (req.cmd != 55 || sd->expecting_acmd) {
1765         trace_sdcard_normal_command(sd->proto->name,
1766                                     sd->last_cmd_name, req.cmd,
1767                                     req.arg, sd_state_name(sd->state));
1768     }
1769 
1770     /* Not interpreting this as an app command */
1771     sd->card_status &= ~APP_CMD;
1772 
1773     /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
1774      * if not, its effects are cancelled */
1775     if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
1776         sd->multi_blk_cnt = 0;
1777     }
1778 
1779     if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR,
1780                                                          CARD_CAPACITY)) {
1781         /* Only Standard Capacity cards support class 6 commands */
1782         return sd_illegal;
1783     }
1784 
1785     if (sd->proto->cmd[req.cmd].handler) {
1786         return sd->proto->cmd[req.cmd].handler(sd, req);
1787     }
1788 
1789     switch (req.cmd) {
1790     /* Block read commands (Class 2) */
1791     case 18:  /* CMD18:  READ_MULTIPLE_BLOCK */
1792         addr = sd_req_get_address(sd, req);
1793         switch (sd->state) {
1794         case sd_transfer_state:
1795 
1796             if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1797                 return sd_r1;
1798             }
1799 
1800             sd->state = sd_sendingdata_state;
1801             sd->data_start = addr;
1802             sd->data_offset = 0;
1803             return sd_r1;
1804 
1805         default:
1806             break;
1807         }
1808         break;
1809 
1810     /* Block write commands (Class 4) */
1811     case 25:  /* CMD25:  WRITE_MULTIPLE_BLOCK */
1812         addr = sd_req_get_address(sd, req);
1813         switch (sd->state) {
1814         case sd_transfer_state:
1815 
1816             if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1817                 return sd_r1;
1818             }
1819 
1820             sd->state = sd_receivingdata_state;
1821             sd->data_start = addr;
1822             sd->data_offset = 0;
1823             sd->blk_written = 0;
1824 
1825             if (sd->size <= SDSC_MAX_CAPACITY) {
1826                 if (sd_wp_addr(sd, sd->data_start)) {
1827                     sd->card_status |= WP_VIOLATION;
1828                 }
1829             }
1830             if (sd->csd[14] & 0x30) {
1831                 sd->card_status |= WP_VIOLATION;
1832             }
1833             return sd_r1;
1834 
1835         default:
1836             break;
1837         }
1838         break;
1839 
1840     case 26:  /* CMD26:  PROGRAM_CID */
1841         return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid));
1842 
1843     default:
1844         qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1845         return sd_illegal;
1846     }
1847 
1848     return sd_invalid_state_for_cmd(sd, req);
1849 }
1850 
1851 static sd_rsp_type_t sd_app_command(SDState *sd,
1852                                     SDRequest req)
1853 {
1854     sd->last_cmd_name = sd_acmd_name(sd, req.cmd);
1855     trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name,
1856                              req.cmd, req.arg, sd_state_name(sd->state));
1857     sd->card_status |= APP_CMD;
1858 
1859     if (sd->proto->acmd[req.cmd].handler) {
1860         return sd->proto->acmd[req.cmd].handler(sd, req);
1861     }
1862 
1863     switch (req.cmd) {
1864     case 18:    /* Reserved for SD security applications */
1865     case 25:
1866     case 26:
1867     case 38:
1868     case 43 ... 49:
1869         /* Refer to the "SD Specifications Part3 Security Specification" for
1870          * information about the SD Security Features.
1871          */
1872         qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1873                       req.cmd);
1874         return sd_illegal;
1875 
1876     default:
1877         /* Fall back to standard commands.  */
1878         return sd_normal_command(sd, req);
1879     }
1880 
1881     qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1882     return sd_illegal;
1883 }
1884 
1885 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
1886 {
1887     unsigned cmd_class;
1888 
1889     /* Valid commands in locked state:
1890      * basic class (0)
1891      * lock card class (7)
1892      * CMD16
1893      * implicitly, the ACMD prefix CMD55
1894      * ACMD41 and ACMD42
1895      * Anything else provokes an "illegal command" response.
1896      */
1897     if (sd->expecting_acmd) {
1898         return cmd == 41 || cmd == 42;
1899     }
1900     if (cmd == 16 || cmd == 55) {
1901         return true;
1902     }
1903     if (!sd->proto->cmd[cmd].handler) {
1904         return false;
1905     }
1906     cmd_class = sd->proto->cmd[cmd].class;
1907 
1908     return cmd_class == 0 || cmd_class == 7;
1909 }
1910 
1911 int sd_do_command(SDState *sd, SDRequest *req,
1912                   uint8_t *response) {
1913     int last_state;
1914     sd_rsp_type_t rtype;
1915     int rsplen;
1916 
1917     if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1918         return 0;
1919     }
1920 
1921     if (sd->state == sd_inactive_state) {
1922         rtype = sd_illegal;
1923         goto send_response;
1924     }
1925 
1926     if (sd_req_crc_validate(req)) {
1927         sd->card_status |= COM_CRC_ERROR;
1928         rtype = sd_illegal;
1929         goto send_response;
1930     }
1931 
1932     if (req->cmd >= SDMMC_CMD_MAX) {
1933         qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1934                       req->cmd);
1935         req->cmd &= 0x3f;
1936     }
1937 
1938     if (sd->card_status & CARD_IS_LOCKED) {
1939         if (!cmd_valid_while_locked(sd, req->cmd)) {
1940             sd->card_status |= ILLEGAL_COMMAND;
1941             sd->expecting_acmd = false;
1942             qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1943             rtype = sd_illegal;
1944             goto send_response;
1945         }
1946     }
1947 
1948     last_state = sd->state;
1949     sd_set_mode(sd);
1950 
1951     if (sd->expecting_acmd) {
1952         sd->expecting_acmd = false;
1953         rtype = sd_app_command(sd, *req);
1954     } else {
1955         rtype = sd_normal_command(sd, *req);
1956     }
1957 
1958     if (rtype == sd_illegal) {
1959         sd->card_status |= ILLEGAL_COMMAND;
1960     } else {
1961         /* Valid command, we can update the 'state before command' bits.
1962          * (Do this now so they appear in r1 responses.)
1963          */
1964         sd->card_status = FIELD_DP32(sd->card_status, CSR,
1965                                      CURRENT_STATE, last_state);
1966     }
1967 
1968 send_response:
1969     switch (rtype) {
1970     case sd_r1:
1971     case sd_r1b:
1972         sd_response_r1_make(sd, response);
1973         rsplen = 4;
1974         break;
1975 
1976     case sd_r2_i:
1977         memcpy(response, sd->cid, sizeof(sd->cid));
1978         rsplen = 16;
1979         break;
1980 
1981     case sd_r2_s:
1982         memcpy(response, sd->csd, sizeof(sd->csd));
1983         rsplen = 16;
1984         break;
1985 
1986     case sd_r3:
1987         sd_response_r3_make(sd, response);
1988         rsplen = 4;
1989         break;
1990 
1991     case sd_r6:
1992         sd_response_r6_make(sd, response);
1993         rsplen = 4;
1994         break;
1995 
1996     case sd_r7:
1997         sd_response_r7_make(sd, response);
1998         rsplen = 4;
1999         break;
2000 
2001     case sd_r0:
2002         /*
2003          * Invalid state transition, reset implementation
2004          * fields to avoid OOB abuse.
2005          */
2006         sd->data_start = 0;
2007         sd->data_offset = 0;
2008         /* fall-through */
2009     case sd_illegal:
2010         rsplen = 0;
2011         break;
2012     default:
2013         g_assert_not_reached();
2014     }
2015     trace_sdcard_response(sd_response_name(rtype), rsplen);
2016 
2017     if (rtype != sd_illegal) {
2018         /* Clear the "clear on valid command" status bits now we've
2019          * sent any response
2020          */
2021         sd->card_status &= ~CARD_STATUS_B;
2022     }
2023 
2024 #ifdef DEBUG_SD
2025     qemu_hexdump(stderr, "Response", response, rsplen);
2026 #endif
2027 
2028     sd->current_cmd = rtype == sd_illegal ? 0 : req->cmd;
2029 
2030     return rsplen;
2031 }
2032 
2033 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */
2034 static bool sd_generic_write_byte(SDState *sd, uint8_t value)
2035 {
2036     sd->data[sd->data_offset] = value;
2037 
2038     if (++sd->data_offset >= sd->data_size) {
2039         sd->state = sd_transfer_state;
2040         return true;
2041     }
2042     return false;
2043 }
2044 
2045 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */
2046 static bool sd_generic_read_byte(SDState *sd, uint8_t *value)
2047 {
2048     *value = sd->data[sd->data_offset];
2049 
2050     if (++sd->data_offset >= sd->data_size) {
2051         sd->state = sd_transfer_state;
2052         return true;
2053     }
2054 
2055     return false;
2056 }
2057 
2058 void sd_write_byte(SDState *sd, uint8_t value)
2059 {
2060     int i;
2061 
2062     if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2063         return;
2064 
2065     if (sd->state != sd_receivingdata_state) {
2066         qemu_log_mask(LOG_GUEST_ERROR,
2067                       "%s: not in Receiving-Data state\n", __func__);
2068         return;
2069     }
2070 
2071     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2072         return;
2073 
2074     trace_sdcard_write_data(sd->proto->name,
2075                             sd->last_cmd_name,
2076                             sd->current_cmd, sd->data_offset, value);
2077     switch (sd->current_cmd) {
2078     case 24:  /* CMD24:  WRITE_SINGLE_BLOCK */
2079         if (sd_generic_write_byte(sd, value)) {
2080             /* TODO: Check CRC before committing */
2081             sd->state = sd_programming_state;
2082             sd_blk_write(sd, sd->data_start, sd->data_offset);
2083             sd->blk_written ++;
2084             sd->csd[14] |= 0x40;
2085             /* Bzzzzzzztt .... Operation complete.  */
2086             sd->state = sd_transfer_state;
2087         }
2088         break;
2089 
2090     case 25:  /* CMD25:  WRITE_MULTIPLE_BLOCK */
2091         if (sd->data_offset == 0) {
2092             /* Start of the block - let's check the address is valid */
2093             if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
2094                                   sd->data_start, sd->blk_len)) {
2095                 break;
2096             }
2097             if (sd->size <= SDSC_MAX_CAPACITY) {
2098                 if (sd_wp_addr(sd, sd->data_start)) {
2099                     sd->card_status |= WP_VIOLATION;
2100                     break;
2101                 }
2102             }
2103         }
2104         sd->data[sd->data_offset++] = value;
2105         if (sd->data_offset >= sd->blk_len) {
2106             /* TODO: Check CRC before committing */
2107             sd->state = sd_programming_state;
2108             sd_blk_write(sd, sd->data_start, sd->data_offset);
2109             sd->blk_written++;
2110             sd->data_start += sd->blk_len;
2111             sd->data_offset = 0;
2112             sd->csd[14] |= 0x40;
2113 
2114             /* Bzzzzzzztt .... Operation complete.  */
2115             if (sd->multi_blk_cnt != 0) {
2116                 if (--sd->multi_blk_cnt == 0) {
2117                     /* Stop! */
2118                     sd->state = sd_transfer_state;
2119                     break;
2120                 }
2121             }
2122 
2123             sd->state = sd_receivingdata_state;
2124         }
2125         break;
2126 
2127     case 26:  /* CMD26:  PROGRAM_CID */
2128         if (sd_generic_write_byte(sd, value)) {
2129             /* TODO: Check CRC before committing */
2130             sd->state = sd_programming_state;
2131             for (i = 0; i < sizeof(sd->cid); i ++)
2132                 if ((sd->cid[i] | 0x00) != sd->data[i])
2133                     sd->card_status |= CID_CSD_OVERWRITE;
2134 
2135             if (!(sd->card_status & CID_CSD_OVERWRITE))
2136                 for (i = 0; i < sizeof(sd->cid); i ++) {
2137                     sd->cid[i] |= 0x00;
2138                     sd->cid[i] &= sd->data[i];
2139                 }
2140             /* Bzzzzzzztt .... Operation complete.  */
2141             sd->state = sd_transfer_state;
2142         }
2143         break;
2144 
2145     case 27:  /* CMD27:  PROGRAM_CSD */
2146         if (sd_generic_write_byte(sd, value)) {
2147             /* TODO: Check CRC before committing */
2148             sd->state = sd_programming_state;
2149             for (i = 0; i < sizeof(sd->csd); i ++)
2150                 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
2151                     (sd->data[i] | sd_csd_rw_mask[i]))
2152                     sd->card_status |= CID_CSD_OVERWRITE;
2153 
2154             /* Copy flag (OTP) & Permanent write protect */
2155             if (sd->csd[14] & ~sd->data[14] & 0x60)
2156                 sd->card_status |= CID_CSD_OVERWRITE;
2157 
2158             if (!(sd->card_status & CID_CSD_OVERWRITE))
2159                 for (i = 0; i < sizeof(sd->csd); i ++) {
2160                     sd->csd[i] |= sd_csd_rw_mask[i];
2161                     sd->csd[i] &= sd->data[i];
2162                 }
2163             /* Bzzzzzzztt .... Operation complete.  */
2164             sd->state = sd_transfer_state;
2165         }
2166         break;
2167 
2168     case 42:  /* CMD42:  LOCK_UNLOCK */
2169         if (sd_generic_write_byte(sd, value)) {
2170             /* TODO: Check CRC before committing */
2171             sd->state = sd_programming_state;
2172             sd_lock_command(sd);
2173             /* Bzzzzzzztt .... Operation complete.  */
2174             sd->state = sd_transfer_state;
2175         }
2176         break;
2177 
2178     case 56:  /* CMD56:  GEN_CMD */
2179         sd_generic_write_byte(sd, value);
2180         break;
2181 
2182     default:
2183         g_assert_not_reached();
2184     }
2185 }
2186 
2187 uint8_t sd_read_byte(SDState *sd)
2188 {
2189     /* TODO: Append CRCs */
2190     uint8_t ret;
2191     uint32_t io_len;
2192 
2193     if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2194         return 0x00;
2195 
2196     if (sd->state != sd_sendingdata_state) {
2197         qemu_log_mask(LOG_GUEST_ERROR,
2198                       "%s: not in Sending-Data state\n", __func__);
2199         return 0x00;
2200     }
2201 
2202     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2203         return 0x00;
2204 
2205     io_len = sd_blk_len(sd);
2206 
2207     trace_sdcard_read_data(sd->proto->name,
2208                            sd->last_cmd_name, sd->current_cmd,
2209                            sd->data_offset, sd->data_size, io_len);
2210     switch (sd->current_cmd) {
2211     case 6:  /* CMD6:   SWITCH_FUNCTION */
2212     case 9:  /* CMD9:   SEND_CSD */
2213     case 10: /* CMD10:  SEND_CID */
2214     case 13: /* ACMD13: SD_STATUS */
2215     case 17: /* CMD17:  READ_SINGLE_BLOCK */
2216     case 19: /* CMD19:  SEND_TUNING_BLOCK (SD) */
2217     case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2218     case 30: /* CMD30:  SEND_WRITE_PROT */
2219     case 51: /* ACMD51: SEND_SCR */
2220     case 56: /* CMD56:  GEN_CMD */
2221         sd_generic_read_byte(sd, &ret);
2222         break;
2223 
2224     case 18:  /* CMD18:  READ_MULTIPLE_BLOCK */
2225         if (sd->data_offset == 0) {
2226             if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2227                                   sd->data_start, io_len)) {
2228                 return 0x00;
2229             }
2230             sd_blk_read(sd, sd->data_start, io_len);
2231         }
2232         ret = sd->data[sd->data_offset ++];
2233 
2234         if (sd->data_offset >= io_len) {
2235             sd->data_start += io_len;
2236             sd->data_offset = 0;
2237 
2238             if (sd->multi_blk_cnt != 0) {
2239                 if (--sd->multi_blk_cnt == 0) {
2240                     /* Stop! */
2241                     sd->state = sd_transfer_state;
2242                     break;
2243                 }
2244             }
2245         }
2246         break;
2247 
2248     default:
2249         g_assert_not_reached();
2250     }
2251 
2252     return ret;
2253 }
2254 
2255 static bool sd_receive_ready(SDState *sd)
2256 {
2257     return sd->state == sd_receivingdata_state;
2258 }
2259 
2260 static bool sd_data_ready(SDState *sd)
2261 {
2262     return sd->state == sd_sendingdata_state;
2263 }
2264 
2265 void sd_enable(SDState *sd, bool enable)
2266 {
2267     sd->enable = enable;
2268 }
2269 
2270 static const SDProto sd_proto_spi = {
2271     .name = "SPI",
2272     .cmd = {
2273         [0]  = {0,  sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2274         [1]  = {0,  sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND},
2275         [5]  = {9,  sd_spi, "IO_SEND_OP_COND", sd_cmd_optional},
2276         [6]  = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2277         [8]  = {0,  sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2278         [9]  = {0,  sd_spi, "SEND_CSD", spi_cmd_SEND_CSD},
2279         [10] = {0,  sd_spi, "SEND_CID", spi_cmd_SEND_CID},
2280         [12] = {0,  sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2281         [13] = {0,  sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS},
2282         [16] = {2,  sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2283         [17] = {2,  sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2284         [24] = {4,  sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2285         [27] = {4,  sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2286         [28] = {6,  sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2287         [29] = {6,  sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2288         [30] = {6,  sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2289         [32] = {5,  sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2290         [33] = {5,  sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2291         [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional},
2292         [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional},
2293         [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional},
2294         [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2295         [38] = {5,  sd_spi, "ERASE", sd_cmd_ERASE},
2296         [42] = {7,  sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2297         [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional},
2298         [52] = {9,  sd_spi, "IO_RW_DIRECT", sd_cmd_optional},
2299         [53] = {9,  sd_spi, "IO_RW_EXTENDED", sd_cmd_optional},
2300         [55] = {8,  sd_spi, "APP_CMD", sd_cmd_APP_CMD},
2301         [56] = {8,  sd_spi, "GEN_CMD", sd_cmd_GEN_CMD},
2302         [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2303         [58] = {0,  sd_spi, "READ_OCR", spi_cmd_READ_OCR},
2304         [59] = {0,  sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF},
2305     },
2306     .acmd = {
2307         [13] = {8,  sd_spi, "SD_STATUS", sd_acmd_SD_STATUS},
2308         [22] = {8,  sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2309         [23] = {8,  sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2310         [41] = {8,  sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND},
2311         [42] = {8,  sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2312         [51] = {8,  sd_spi, "SEND_SCR", sd_acmd_SEND_SCR},
2313     },
2314 };
2315 
2316 static const SDProto sd_proto_sd = {
2317     .name = "SD",
2318     .cmd = {
2319         [0]  = {0,  sd_bc,   "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2320         [2]  = {0,  sd_bcr,  "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2321         [3]  = {0,  sd_bcr,  "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR},
2322         [4]  = {0,  sd_bc,   "SEND_DSR", sd_cmd_unimplemented},
2323         [5]  = {9,  sd_bc,   "IO_SEND_OP_COND", sd_cmd_optional},
2324         [6]  = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2325         [7]  = {0,  sd_ac,   "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD},
2326         [8]  = {0,  sd_bcr,  "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2327         [9]  = {0,  sd_ac,   "SEND_CSD", sd_cmd_SEND_CSD},
2328         [10] = {0,  sd_ac,   "SEND_CID", sd_cmd_SEND_CID},
2329         [11] = {0,  sd_ac,   "VOLTAGE_SWITCH", sd_cmd_optional},
2330         [12] = {0,  sd_ac,   "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2331         [13] = {0,  sd_ac,   "SEND_STATUS", sd_cmd_SEND_STATUS},
2332         [15] = {0,  sd_ac,   "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE},
2333         [16] = {2,  sd_ac,   "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2334         [17] = {2,  sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2335         [19] = {2,  sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK},
2336         [20] = {2,  sd_ac,   "SPEED_CLASS_CONTROL", sd_cmd_optional},
2337         [23] = {2,  sd_ac,   "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2338         [24] = {4,  sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2339         [27] = {4,  sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2340         [28] = {6,  sd_ac,   "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2341         [29] = {6,  sd_ac,   "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2342         [30] = {6,  sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2343         [32] = {5,  sd_ac,   "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2344         [33] = {5,  sd_ac,   "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2345         [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional},
2346         [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional},
2347         [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional},
2348         [37] = {10, sd_ac,   "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2349         [38] = {5,  sd_ac,   "ERASE", sd_cmd_ERASE},
2350         [42] = {7,  sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2351         [43] = {1,  sd_ac,   "Q_MANAGEMENT", sd_cmd_optional},
2352         [44] = {1,  sd_ac,   "Q_TASK_INFO_A", sd_cmd_optional},
2353         [45] = {1,  sd_ac,   "Q_TASK_INFO_B", sd_cmd_optional},
2354         [46] = {1,  sd_adtc, "Q_RD_TASK", sd_cmd_optional},
2355         [47] = {1,  sd_adtc, "Q_WR_TASK", sd_cmd_optional},
2356         [48] = {1,  sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional},
2357         [49] = {1,  sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional},
2358         [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional},
2359         [52] = {9,  sd_bc,   "IO_RW_DIRECT", sd_cmd_optional},
2360         [53] = {9,  sd_bc,   "IO_RW_EXTENDED", sd_cmd_optional},
2361         [55] = {8,  sd_ac,   "APP_CMD", sd_cmd_APP_CMD},
2362         [56] = {8,  sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD},
2363         [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2364         [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional},
2365         [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional},
2366     },
2367     .acmd = {
2368         [6]  = {8,  sd_ac,   "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH},
2369         [13] = {8,  sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS},
2370         [22] = {8,  sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2371         [23] = {8,  sd_ac,   "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2372         [41] = {8,  sd_bcr,  "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2373         [42] = {8,  sd_ac,   "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2374         [51] = {8,  sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR},
2375     },
2376 };
2377 
2378 static void sd_instance_init(Object *obj)
2379 {
2380     SDState *sd = SD_CARD(obj);
2381     SDCardClass *sc = SD_CARD_GET_CLASS(sd);
2382 
2383     sd->proto = sc->proto;
2384     sd->last_cmd_name = "UNSET";
2385     sd->enable = true;
2386     sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2387 }
2388 
2389 static void sd_instance_finalize(Object *obj)
2390 {
2391     SDState *sd = SD_CARD(obj);
2392 
2393     timer_free(sd->ocr_power_timer);
2394 }
2395 
2396 static void sd_realize(DeviceState *dev, Error **errp)
2397 {
2398     SDState *sd = SD_CARD(dev);
2399     int ret;
2400 
2401     switch (sd->spec_version) {
2402     case SD_PHY_SPECv1_10_VERS
2403      ... SD_PHY_SPECv3_01_VERS:
2404         break;
2405     default:
2406         error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2407         return;
2408     }
2409 
2410     if (sd->blk) {
2411         int64_t blk_size;
2412 
2413         if (!blk_supports_write_perm(sd->blk)) {
2414             error_setg(errp, "Cannot use read-only drive as SD card");
2415             return;
2416         }
2417 
2418         blk_size = blk_getlength(sd->blk);
2419         if (blk_size > 0 && !is_power_of_2(blk_size)) {
2420             int64_t blk_size_aligned = pow2ceil(blk_size);
2421             char *blk_size_str;
2422 
2423             blk_size_str = size_to_str(blk_size);
2424             error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2425             g_free(blk_size_str);
2426 
2427             blk_size_str = size_to_str(blk_size_aligned);
2428             error_append_hint(errp,
2429                               "SD card size has to be a power of 2, e.g. %s.\n"
2430                               "You can resize disk images with"
2431                               " 'qemu-img resize <imagefile> <new-size>'\n"
2432                               "(note that this will lose data if you make the"
2433                               " image smaller than it currently is).\n",
2434                               blk_size_str);
2435             g_free(blk_size_str);
2436 
2437             return;
2438         }
2439 
2440         ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2441                            BLK_PERM_ALL, errp);
2442         if (ret < 0) {
2443             return;
2444         }
2445         blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2446     }
2447 }
2448 
2449 static Property sd_properties[] = {
2450     DEFINE_PROP_UINT8("spec_version", SDState,
2451                       spec_version, SD_PHY_SPECv3_01_VERS),
2452     DEFINE_PROP_DRIVE("drive", SDState, blk),
2453     DEFINE_PROP_END_OF_LIST()
2454 };
2455 
2456 static void sd_class_init(ObjectClass *klass, void *data)
2457 {
2458     DeviceClass *dc = DEVICE_CLASS(klass);
2459     SDCardClass *sc = SD_CARD_CLASS(klass);
2460 
2461     dc->realize = sd_realize;
2462     device_class_set_props(dc, sd_properties);
2463     dc->vmsd = &sd_vmstate;
2464     dc->reset = sd_reset;
2465     dc->bus_type = TYPE_SD_BUS;
2466     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2467 
2468     sc->set_voltage = sd_set_voltage;
2469     sc->get_dat_lines = sd_get_dat_lines;
2470     sc->get_cmd_line = sd_get_cmd_line;
2471     sc->do_command = sd_do_command;
2472     sc->write_byte = sd_write_byte;
2473     sc->read_byte = sd_read_byte;
2474     sc->receive_ready = sd_receive_ready;
2475     sc->data_ready = sd_data_ready;
2476     sc->enable = sd_enable;
2477     sc->get_inserted = sd_get_inserted;
2478     sc->get_readonly = sd_get_readonly;
2479     sc->set_cid = sd_set_cid;
2480     sc->set_csd = sd_set_csd;
2481     sc->proto = &sd_proto_sd;
2482 }
2483 
2484 /*
2485  * We do not model the chip select pin, so allow the board to select
2486  * whether card should be in SSI or MMC/SD mode.  It is also up to the
2487  * board to ensure that ssi transfers only occur when the chip select
2488  * is asserted.
2489  */
2490 static void sd_spi_class_init(ObjectClass *klass, void *data)
2491 {
2492     DeviceClass *dc = DEVICE_CLASS(klass);
2493     SDCardClass *sc = SD_CARD_CLASS(klass);
2494 
2495     dc->desc = "SD SPI";
2496     sc->proto = &sd_proto_spi;
2497 }
2498 
2499 static const TypeInfo sd_types[] = {
2500     {
2501         .name           = TYPE_SD_CARD,
2502         .parent         = TYPE_DEVICE,
2503         .instance_size  = sizeof(SDState),
2504         .class_size     = sizeof(SDCardClass),
2505         .class_init     = sd_class_init,
2506         .instance_init  = sd_instance_init,
2507         .instance_finalize = sd_instance_finalize,
2508     },
2509     {
2510         .name           = TYPE_SD_CARD_SPI,
2511         .parent         = TYPE_SD_CARD,
2512         .class_init     = sd_spi_class_init,
2513     },
2514 };
2515 
2516 DEFINE_TYPES(sd_types)
2517