xref: /openbmc/qemu/hw/sd/sd.c (revision efb359346c7af62dfa86f7ae7d3717a098b239f5)
1 /*
2  * SD Memory Card emulation as defined in the "SD Memory Card Physical
3  * layer specification, Version 2.00."
4  *
5  * Copyright (c) 2006 Andrzej Zaborowski  <balrog@zabor.org>
6  * Copyright (c) 2007 CodeSourcery
7  * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23  * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR
24  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52 
53 //#define DEBUG_SD 1
54 
55 #define SDSC_MAX_CAPACITY   (2 * GiB)
56 
57 #define INVALID_ADDRESS     UINT32_MAX
58 
59 typedef enum {
60     sd_r0 = 0,    /* no response */
61     sd_r1,        /* normal response command */
62     sd_r2_i,      /* CID register */
63     sd_r2_s,      /* CSD register */
64     sd_r3,        /* OCR register */
65     sd_r6 = 6,    /* Published RCA response */
66     sd_r7,        /* Operating voltage */
67     sd_r1b = -1,
68     sd_illegal = -2,
69 } sd_rsp_type_t;
70 
71 enum SDCardModes {
72     sd_inactive,
73     sd_card_identification_mode,
74     sd_data_transfer_mode,
75 };
76 
77 enum SDCardStates {
78     sd_inactive_state = -1,
79     sd_idle_state = 0,
80     sd_ready_state,
81     sd_identification_state,
82     sd_standby_state,
83     sd_transfer_state,
84     sd_sendingdata_state,
85     sd_receivingdata_state,
86     sd_programming_state,
87     sd_disconnect_state,
88 };
89 
90 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
91 
92 typedef struct SDProto {
93     const char *name;
94     sd_cmd_handler cmd[SDMMC_CMD_MAX];
95     sd_cmd_handler acmd[SDMMC_CMD_MAX];
96 } SDProto;
97 
98 struct SDState {
99     DeviceState parent_obj;
100 
101     /* If true, created by sd_init() for a non-qdevified caller */
102     /* TODO purge them with fire */
103     bool me_no_qdev_me_kill_mammoth_with_rocks;
104 
105     /* SD Memory Card Registers */
106     uint32_t ocr;
107     uint8_t scr[8];
108     uint8_t cid[16];
109     uint8_t csd[16];
110     uint16_t rca;
111     uint32_t card_status;
112     uint8_t sd_status[64];
113 
114     /* Static properties */
115 
116     uint8_t spec_version;
117     BlockBackend *blk;
118 
119     /* Runtime changeables */
120 
121     uint32_t mode;    /* current card mode, one of SDCardModes */
122     int32_t state;    /* current card state, one of SDCardStates */
123     uint32_t vhs;
124     bool wp_switch;
125     unsigned long *wp_group_bmap;
126     int32_t wp_group_bits;
127     uint64_t size;
128     uint32_t blk_len;
129     uint32_t multi_blk_cnt;
130     uint32_t erase_start;
131     uint32_t erase_end;
132     uint8_t pwd[16];
133     uint32_t pwd_len;
134     uint8_t function_group[6];
135     uint8_t current_cmd;
136     /* True if we will handle the next command as an ACMD. Note that this does
137      * *not* track the APP_CMD status bit!
138      */
139     bool expecting_acmd;
140     uint32_t blk_written;
141     uint64_t data_start;
142     uint32_t data_offset;
143     uint8_t data[512];
144     qemu_irq readonly_cb;
145     qemu_irq inserted_cb;
146     QEMUTimer *ocr_power_timer;
147     bool enable;
148     uint8_t dat_lines;
149     bool cmd_line;
150 };
151 
152 static void sd_realize(DeviceState *dev, Error **errp);
153 
154 static const struct SDProto *sd_proto(SDState *sd)
155 {
156     SDCardClass *sc = SD_CARD_GET_CLASS(sd);
157 
158     return sc->proto;
159 }
160 
161 static const SDProto sd_proto_spi;
162 
163 static bool sd_is_spi(SDState *sd)
164 {
165     return sd_proto(sd) == &sd_proto_spi;
166 }
167 
168 static const char *sd_version_str(enum SDPhySpecificationVersion version)
169 {
170     static const char *sdphy_version[] = {
171         [SD_PHY_SPECv1_10_VERS]     = "v1.10",
172         [SD_PHY_SPECv2_00_VERS]     = "v2.00",
173         [SD_PHY_SPECv3_01_VERS]     = "v3.01",
174     };
175     if (version >= ARRAY_SIZE(sdphy_version)) {
176         return "unsupported version";
177     }
178     return sdphy_version[version];
179 }
180 
181 static const char *sd_mode_name(enum SDCardModes mode)
182 {
183     static const char *mode_name[] = {
184         [sd_inactive]                   = "inactive",
185         [sd_card_identification_mode]   = "identification",
186         [sd_data_transfer_mode]         = "transfer",
187     };
188     assert(mode < ARRAY_SIZE(mode_name));
189     return mode_name[mode];
190 }
191 
192 static const char *sd_state_name(enum SDCardStates state)
193 {
194     static const char *state_name[] = {
195         [sd_idle_state]             = "idle",
196         [sd_ready_state]            = "ready",
197         [sd_identification_state]   = "identification",
198         [sd_standby_state]          = "standby",
199         [sd_transfer_state]         = "transfer",
200         [sd_sendingdata_state]      = "sendingdata",
201         [sd_receivingdata_state]    = "receivingdata",
202         [sd_programming_state]      = "programming",
203         [sd_disconnect_state]       = "disconnect",
204     };
205     if (state == sd_inactive_state) {
206         return "inactive";
207     }
208     assert(state < ARRAY_SIZE(state_name));
209     return state_name[state];
210 }
211 
212 static const char *sd_response_name(sd_rsp_type_t rsp)
213 {
214     static const char *response_name[] = {
215         [sd_r0]     = "RESP#0 (no response)",
216         [sd_r1]     = "RESP#1 (normal cmd)",
217         [sd_r2_i]   = "RESP#2 (CID reg)",
218         [sd_r2_s]   = "RESP#2 (CSD reg)",
219         [sd_r3]     = "RESP#3 (OCR reg)",
220         [sd_r6]     = "RESP#6 (RCA)",
221         [sd_r7]     = "RESP#7 (operating voltage)",
222     };
223     if (rsp == sd_illegal) {
224         return "ILLEGAL RESP";
225     }
226     if (rsp == sd_r1b) {
227         rsp = sd_r1;
228     }
229     assert(rsp < ARRAY_SIZE(response_name));
230     return response_name[rsp];
231 }
232 
233 static uint8_t sd_get_dat_lines(SDState *sd)
234 {
235     return sd->enable ? sd->dat_lines : 0;
236 }
237 
238 static bool sd_get_cmd_line(SDState *sd)
239 {
240     return sd->enable ? sd->cmd_line : false;
241 }
242 
243 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
244 {
245     trace_sdcard_set_voltage(millivolts);
246 
247     switch (millivolts) {
248     case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
249     case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
250         break;
251     default:
252         qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
253                       millivolts / 1000.f);
254     }
255 }
256 
257 static void sd_set_mode(SDState *sd)
258 {
259     switch (sd->state) {
260     case sd_inactive_state:
261         sd->mode = sd_inactive;
262         break;
263 
264     case sd_idle_state:
265     case sd_ready_state:
266     case sd_identification_state:
267         sd->mode = sd_card_identification_mode;
268         break;
269 
270     case sd_standby_state:
271     case sd_transfer_state:
272     case sd_sendingdata_state:
273     case sd_receivingdata_state:
274     case sd_programming_state:
275     case sd_disconnect_state:
276         sd->mode = sd_data_transfer_mode;
277         break;
278     }
279 }
280 
281 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
282     sd_bc,   sd_none, sd_bcr,  sd_bcr,  sd_none, sd_none, sd_none, sd_ac,
283     sd_bcr,  sd_ac,   sd_ac,   sd_adtc, sd_ac,   sd_ac,   sd_none, sd_ac,
284     /* 16 */
285     sd_ac,   sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
286     sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac,   sd_ac,   sd_adtc, sd_none,
287     /* 32 */
288     sd_ac,   sd_ac,   sd_none, sd_none, sd_none, sd_none, sd_ac,   sd_none,
289     sd_none, sd_none, sd_bc,   sd_none, sd_none, sd_none, sd_none, sd_none,
290     /* 48 */
291     sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
292     sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
293 };
294 
295 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
296     0,  0,  0,  0,  0,  9, 10,  0,  0,  0,  0,  1,  0,  0,  0,  0,
297     2,  2,  2,  2,  3,  3,  3,  3,  4,  4,  4,  4,  6,  6,  6,  6,
298     5,  5, 10, 10, 10, 10,  5,  9,  9,  9,  7,  7,  7,  7,  7,  7,
299     7,  7, 10,  7,  9,  9,  9,  8,  8, 10,  8,  8,  8,  8,  8,  8,
300 };
301 
302 static uint8_t sd_crc7(const void *message, size_t width)
303 {
304     int i, bit;
305     uint8_t shift_reg = 0x00;
306     const uint8_t *msg = (const uint8_t *)message;
307 
308     for (i = 0; i < width; i ++, msg ++)
309         for (bit = 7; bit >= 0; bit --) {
310             shift_reg <<= 1;
311             if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
312                 shift_reg ^= 0x89;
313         }
314 
315     return shift_reg;
316 }
317 
318 /* Operation Conditions register */
319 
320 #define OCR_POWER_DELAY_NS      500000 /* 0.5ms */
321 
322 FIELD(OCR, VDD_VOLTAGE_WINDOW,          0, 24)
323 FIELD(OCR, VDD_VOLTAGE_WIN_LO,          0,  8)
324 FIELD(OCR, DUAL_VOLTAGE_CARD,           7,  1)
325 FIELD(OCR, VDD_VOLTAGE_WIN_HI,          8, 16)
326 FIELD(OCR, ACCEPT_SWITCH_1V8,          24,  1) /* Only UHS-I */
327 FIELD(OCR, UHS_II_CARD,                29,  1) /* Only UHS-II */
328 FIELD(OCR, CARD_CAPACITY,              30,  1) /* 0:SDSC, 1:SDHC/SDXC */
329 FIELD(OCR, CARD_POWER_UP,              31,  1)
330 
331 #define ACMD41_ENQUIRY_MASK     0x00ffffff
332 #define ACMD41_R3_MASK          (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
333                                | R_OCR_ACCEPT_SWITCH_1V8_MASK \
334                                | R_OCR_UHS_II_CARD_MASK \
335                                | R_OCR_CARD_CAPACITY_MASK \
336                                | R_OCR_CARD_POWER_UP_MASK)
337 
338 static void sd_ocr_powerup(void *opaque)
339 {
340     SDState *sd = opaque;
341 
342     trace_sdcard_powerup();
343     assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
344 
345     /* card power-up OK */
346     sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
347 
348     if (sd->size > SDSC_MAX_CAPACITY) {
349         sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
350     }
351 }
352 
353 static void sd_set_ocr(SDState *sd)
354 {
355     /* All voltages OK */
356     sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
357 
358     if (sd_is_spi(sd)) {
359         /*
360          * We don't need to emulate power up sequence in SPI-mode.
361          * Thus, the card's power up status bit should be set to 1 when reset.
362          * The card's capacity status bit should also be set if SD card size
363          * is larger than 2GB for SDHC support.
364          */
365         sd_ocr_powerup(sd);
366     }
367 }
368 
369 /* SD Configuration register */
370 
371 static void sd_set_scr(SDState *sd)
372 {
373     sd->scr[0] = 0 << 4;        /* SCR structure version 1.0 */
374     if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
375         sd->scr[0] |= 1;        /* Spec Version 1.10 */
376     } else {
377         sd->scr[0] |= 2;        /* Spec Version 2.00 or Version 3.0X */
378     }
379     sd->scr[1] = (2 << 4)       /* SDSC Card (Security Version 1.01) */
380                  | 0b0101;      /* 1-bit or 4-bit width bus modes */
381     sd->scr[2] = 0x00;          /* Extended Security is not supported. */
382     if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
383         sd->scr[2] |= 1 << 7;   /* Spec Version 3.0X */
384     }
385     sd->scr[3] = 0x00;
386     /* reserved for manufacturer usage */
387     sd->scr[4] = 0x00;
388     sd->scr[5] = 0x00;
389     sd->scr[6] = 0x00;
390     sd->scr[7] = 0x00;
391 }
392 
393 /* Card IDentification register */
394 
395 #define MID     0xaa
396 #define OID     "XY"
397 #define PNM     "QEMU!"
398 #define PRV     0x01
399 #define MDT_YR  2006
400 #define MDT_MON 2
401 
402 static void sd_set_cid(SDState *sd)
403 {
404     sd->cid[0] = MID;       /* Fake card manufacturer ID (MID) */
405     sd->cid[1] = OID[0];    /* OEM/Application ID (OID) */
406     sd->cid[2] = OID[1];
407     sd->cid[3] = PNM[0];    /* Fake product name (PNM) */
408     sd->cid[4] = PNM[1];
409     sd->cid[5] = PNM[2];
410     sd->cid[6] = PNM[3];
411     sd->cid[7] = PNM[4];
412     sd->cid[8] = PRV;       /* Fake product revision (PRV) */
413     stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
414     sd->cid[13] = 0x00 |    /* Manufacture date (MDT) */
415         ((MDT_YR - 2000) / 10);
416     sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
417     sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
418 }
419 
420 /* Card-Specific Data register */
421 
422 #define HWBLOCK_SHIFT   9        /* 512 bytes */
423 #define SECTOR_SHIFT    5        /* 16 kilobytes */
424 #define WPGROUP_SHIFT   7        /* 2 megs */
425 #define CMULT_SHIFT     9        /* 512 times HWBLOCK_SIZE */
426 #define WPGROUP_SIZE    (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
427 
428 static const uint8_t sd_csd_rw_mask[16] = {
429     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
430     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
431 };
432 
433 static void sd_set_csd(SDState *sd, uint64_t size)
434 {
435     int hwblock_shift = HWBLOCK_SHIFT;
436     uint32_t csize;
437     uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
438     uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
439 
440     /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
441     if (size == SDSC_MAX_CAPACITY) {
442         hwblock_shift += 1;
443     }
444     csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
445 
446     if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
447         sd->csd[0] = 0x00;      /* CSD structure */
448         sd->csd[1] = 0x26;      /* Data read access-time-1 */
449         sd->csd[2] = 0x00;      /* Data read access-time-2 */
450         sd->csd[3] = 0x32;      /* Max. data transfer rate: 25 MHz */
451         sd->csd[4] = 0x5f;      /* Card Command Classes */
452         sd->csd[5] = 0x50 |     /* Max. read data block length */
453             hwblock_shift;
454         sd->csd[6] = 0xe0 |     /* Partial block for read allowed */
455             ((csize >> 10) & 0x03);
456         sd->csd[7] = 0x00 |     /* Device size */
457             ((csize >> 2) & 0xff);
458         sd->csd[8] = 0x3f |     /* Max. read current */
459             ((csize << 6) & 0xc0);
460         sd->csd[9] = 0xfc |     /* Max. write current */
461             ((CMULT_SHIFT - 2) >> 1);
462         sd->csd[10] = 0x40 |    /* Erase sector size */
463             (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
464         sd->csd[11] = 0x00 |    /* Write protect group size */
465             ((sectsize << 7) & 0x80) | wpsize;
466         sd->csd[12] = 0x90 |    /* Write speed factor */
467             (hwblock_shift >> 2);
468         sd->csd[13] = 0x20 |    /* Max. write data block length */
469             ((hwblock_shift << 6) & 0xc0);
470         sd->csd[14] = 0x00;     /* File format group */
471     } else {                    /* SDHC */
472         size /= 512 * KiB;
473         size -= 1;
474         sd->csd[0] = 0x40;
475         sd->csd[1] = 0x0e;
476         sd->csd[2] = 0x00;
477         sd->csd[3] = 0x32;
478         sd->csd[4] = 0x5b;
479         sd->csd[5] = 0x59;
480         sd->csd[6] = 0x00;
481         st24_be_p(&sd->csd[7], size);
482         sd->csd[10] = 0x7f;
483         sd->csd[11] = 0x80;
484         sd->csd[12] = 0x0a;
485         sd->csd[13] = 0x40;
486         sd->csd[14] = 0x00;
487     }
488     sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
489 }
490 
491 /* Relative Card Address register */
492 
493 static void sd_set_rca(SDState *sd)
494 {
495     sd->rca += 0x4567;
496 }
497 
498 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
499 {
500     if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc) {
501         return req.arg >> 16;
502     }
503     return 0;
504 }
505 
506 /* Card Status register */
507 
508 FIELD(CSR, AKE_SEQ_ERROR,               3,  1)
509 FIELD(CSR, APP_CMD,                     5,  1)
510 FIELD(CSR, FX_EVENT,                    6,  1)
511 FIELD(CSR, READY_FOR_DATA,              8,  1)
512 FIELD(CSR, CURRENT_STATE,               9,  4)
513 FIELD(CSR, ERASE_RESET,                13,  1)
514 FIELD(CSR, CARD_ECC_DISABLED,          14,  1)
515 FIELD(CSR, WP_ERASE_SKIP,              15,  1)
516 FIELD(CSR, CSD_OVERWRITE,              16,  1)
517 FIELD(CSR, DEFERRED_RESPONSE,          17,  1)
518 FIELD(CSR, ERROR,                      19,  1)
519 FIELD(CSR, CC_ERROR,                   20,  1)
520 FIELD(CSR, CARD_ECC_FAILED,            21,  1)
521 FIELD(CSR, ILLEGAL_COMMAND,            22,  1)
522 FIELD(CSR, COM_CRC_ERROR,              23,  1)
523 FIELD(CSR, LOCK_UNLOCK_FAILED,         24,  1)
524 FIELD(CSR, CARD_IS_LOCKED,             25,  1)
525 FIELD(CSR, WP_VIOLATION,               26,  1)
526 FIELD(CSR, ERASE_PARAM,                27,  1)
527 FIELD(CSR, ERASE_SEQ_ERROR,            28,  1)
528 FIELD(CSR, BLOCK_LEN_ERROR,            29,  1)
529 FIELD(CSR, ADDRESS_ERROR,              30,  1)
530 FIELD(CSR, OUT_OF_RANGE,               31,  1)
531 
532 /* Card status bits, split by clear condition:
533  * A : According to the card current state
534  * B : Always related to the previous command
535  * C : Cleared by read
536  */
537 #define CARD_STATUS_A           (R_CSR_READY_FOR_DATA_MASK \
538                                | R_CSR_CARD_ECC_DISABLED_MASK \
539                                | R_CSR_CARD_IS_LOCKED_MASK)
540 #define CARD_STATUS_B           (R_CSR_CURRENT_STATE_MASK \
541                                | R_CSR_ILLEGAL_COMMAND_MASK \
542                                | R_CSR_COM_CRC_ERROR_MASK)
543 #define CARD_STATUS_C           (R_CSR_AKE_SEQ_ERROR_MASK \
544                                | R_CSR_APP_CMD_MASK \
545                                | R_CSR_ERASE_RESET_MASK \
546                                | R_CSR_WP_ERASE_SKIP_MASK \
547                                | R_CSR_CSD_OVERWRITE_MASK \
548                                | R_CSR_ERROR_MASK \
549                                | R_CSR_CC_ERROR_MASK \
550                                | R_CSR_CARD_ECC_FAILED_MASK \
551                                | R_CSR_LOCK_UNLOCK_FAILED_MASK \
552                                | R_CSR_WP_VIOLATION_MASK \
553                                | R_CSR_ERASE_PARAM_MASK \
554                                | R_CSR_ERASE_SEQ_ERROR_MASK \
555                                | R_CSR_BLOCK_LEN_ERROR_MASK \
556                                | R_CSR_ADDRESS_ERROR_MASK \
557                                | R_CSR_OUT_OF_RANGE_MASK)
558 
559 static void sd_set_cardstatus(SDState *sd)
560 {
561     sd->card_status = 0x00000100;
562 }
563 
564 static void sd_set_sdstatus(SDState *sd)
565 {
566     memset(sd->sd_status, 0, 64);
567 }
568 
569 static int sd_req_crc_validate(SDRequest *req)
570 {
571     uint8_t buffer[5];
572     buffer[0] = 0x40 | req->cmd;
573     stl_be_p(&buffer[1], req->arg);
574     return 0;
575     return sd_crc7(buffer, 5) != req->crc;  /* TODO */
576 }
577 
578 static void sd_response_r1_make(SDState *sd, uint8_t *response)
579 {
580     stl_be_p(response, sd->card_status);
581 
582     /* Clear the "clear on read" status bits */
583     sd->card_status &= ~CARD_STATUS_C;
584 }
585 
586 static void sd_response_r3_make(SDState *sd, uint8_t *response)
587 {
588     stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
589 }
590 
591 static void sd_response_r6_make(SDState *sd, uint8_t *response)
592 {
593     uint16_t status;
594 
595     status = ((sd->card_status >> 8) & 0xc000) |
596              ((sd->card_status >> 6) & 0x2000) |
597               (sd->card_status & 0x1fff);
598     sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
599     stw_be_p(response + 0, sd->rca);
600     stw_be_p(response + 2, status);
601 }
602 
603 static void sd_response_r7_make(SDState *sd, uint8_t *response)
604 {
605     stl_be_p(response, sd->vhs);
606 }
607 
608 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
609 {
610     if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
611         return (uint64_t) req.arg << HWBLOCK_SHIFT;
612     }
613     return req.arg;
614 }
615 
616 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
617 {
618     return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
619 }
620 
621 static void sd_reset(DeviceState *dev)
622 {
623     SDState *sd = SD_CARD(dev);
624     uint64_t size;
625     uint64_t sect;
626 
627     trace_sdcard_reset();
628     if (sd->blk) {
629         blk_get_geometry(sd->blk, &sect);
630     } else {
631         sect = 0;
632     }
633     size = sect << HWBLOCK_SHIFT;
634 
635     sect = sd_addr_to_wpnum(size) + 1;
636 
637     sd->state = sd_idle_state;
638 
639     /* card registers */
640     sd->rca = 0x0000;
641     sd->size = size;
642     sd_set_ocr(sd);
643     sd_set_scr(sd);
644     sd_set_cid(sd);
645     sd_set_csd(sd, size);
646     sd_set_cardstatus(sd);
647     sd_set_sdstatus(sd);
648 
649     g_free(sd->wp_group_bmap);
650     sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
651     sd->wp_group_bits = sect;
652     sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
653     memset(sd->function_group, 0, sizeof(sd->function_group));
654     sd->erase_start = INVALID_ADDRESS;
655     sd->erase_end = INVALID_ADDRESS;
656     sd->blk_len = 0x200;
657     sd->pwd_len = 0;
658     sd->expecting_acmd = false;
659     sd->dat_lines = 0xf;
660     sd->cmd_line = true;
661     sd->multi_blk_cnt = 0;
662 }
663 
664 static bool sd_get_inserted(SDState *sd)
665 {
666     return sd->blk && blk_is_inserted(sd->blk);
667 }
668 
669 static bool sd_get_readonly(SDState *sd)
670 {
671     return sd->wp_switch;
672 }
673 
674 static void sd_cardchange(void *opaque, bool load, Error **errp)
675 {
676     SDState *sd = opaque;
677     DeviceState *dev = DEVICE(sd);
678     SDBus *sdbus;
679     bool inserted = sd_get_inserted(sd);
680     bool readonly = sd_get_readonly(sd);
681 
682     if (inserted) {
683         trace_sdcard_inserted(readonly);
684         sd_reset(dev);
685     } else {
686         trace_sdcard_ejected();
687     }
688 
689     if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
690         qemu_set_irq(sd->inserted_cb, inserted);
691         if (inserted) {
692             qemu_set_irq(sd->readonly_cb, readonly);
693         }
694     } else {
695         sdbus = SD_BUS(qdev_get_parent_bus(dev));
696         sdbus_set_inserted(sdbus, inserted);
697         if (inserted) {
698             sdbus_set_readonly(sdbus, readonly);
699         }
700     }
701 }
702 
703 static const BlockDevOps sd_block_ops = {
704     .change_media_cb = sd_cardchange,
705 };
706 
707 static bool sd_ocr_vmstate_needed(void *opaque)
708 {
709     SDState *sd = opaque;
710 
711     /* Include the OCR state (and timer) if it is not yet powered up */
712     return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
713 }
714 
715 static const VMStateDescription sd_ocr_vmstate = {
716     .name = "sd-card/ocr-state",
717     .version_id = 1,
718     .minimum_version_id = 1,
719     .needed = sd_ocr_vmstate_needed,
720     .fields = (const VMStateField[]) {
721         VMSTATE_UINT32(ocr, SDState),
722         VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
723         VMSTATE_END_OF_LIST()
724     },
725 };
726 
727 static int sd_vmstate_pre_load(void *opaque)
728 {
729     SDState *sd = opaque;
730 
731     /* If the OCR state is not included (prior versions, or not
732      * needed), then the OCR must be set as powered up. If the OCR state
733      * is included, this will be replaced by the state restore.
734      */
735     sd_ocr_powerup(sd);
736 
737     return 0;
738 }
739 
740 static const VMStateDescription sd_vmstate = {
741     .name = "sd-card",
742     .version_id = 2,
743     .minimum_version_id = 2,
744     .pre_load = sd_vmstate_pre_load,
745     .fields = (const VMStateField[]) {
746         VMSTATE_UINT32(mode, SDState),
747         VMSTATE_INT32(state, SDState),
748         VMSTATE_UINT8_ARRAY(cid, SDState, 16),
749         VMSTATE_UINT8_ARRAY(csd, SDState, 16),
750         VMSTATE_UINT16(rca, SDState),
751         VMSTATE_UINT32(card_status, SDState),
752         VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
753         VMSTATE_UINT32(vhs, SDState),
754         VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
755         VMSTATE_UINT32(blk_len, SDState),
756         VMSTATE_UINT32(multi_blk_cnt, SDState),
757         VMSTATE_UINT32(erase_start, SDState),
758         VMSTATE_UINT32(erase_end, SDState),
759         VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
760         VMSTATE_UINT32(pwd_len, SDState),
761         VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
762         VMSTATE_UINT8(current_cmd, SDState),
763         VMSTATE_BOOL(expecting_acmd, SDState),
764         VMSTATE_UINT32(blk_written, SDState),
765         VMSTATE_UINT64(data_start, SDState),
766         VMSTATE_UINT32(data_offset, SDState),
767         VMSTATE_UINT8_ARRAY(data, SDState, 512),
768         VMSTATE_UNUSED_V(1, 512),
769         VMSTATE_BOOL(enable, SDState),
770         VMSTATE_END_OF_LIST()
771     },
772     .subsections = (const VMStateDescription * const []) {
773         &sd_ocr_vmstate,
774         NULL
775     },
776 };
777 
778 /* Legacy initialization function for use by non-qdevified callers */
779 SDState *sd_init(BlockBackend *blk, bool is_spi)
780 {
781     Object *obj;
782     DeviceState *dev;
783     SDState *sd;
784     Error *err = NULL;
785 
786     obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
787     dev = DEVICE(obj);
788     if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
789         error_reportf_err(err, "sd_init failed: ");
790         return NULL;
791     }
792 
793     /*
794      * Realizing the device properly would put it into the QOM
795      * composition tree even though it is not plugged into an
796      * appropriate bus.  That's a no-no.  Hide the device from
797      * QOM/qdev, and call its qdev realize callback directly.
798      */
799     object_ref(obj);
800     object_unparent(obj);
801     sd_realize(dev, &err);
802     if (err) {
803         error_reportf_err(err, "sd_init failed: ");
804         return NULL;
805     }
806 
807     sd = SD_CARD(dev);
808     sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
809     return sd;
810 }
811 
812 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
813 {
814     sd->readonly_cb = readonly;
815     sd->inserted_cb = insert;
816     qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
817     qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
818 }
819 
820 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
821 {
822     trace_sdcard_read_block(addr, len);
823     if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
824         fprintf(stderr, "sd_blk_read: read error on host side\n");
825     }
826 }
827 
828 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
829 {
830     trace_sdcard_write_block(addr, len);
831     if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
832         fprintf(stderr, "sd_blk_write: write error on host side\n");
833     }
834 }
835 
836 #define APP_READ_BLOCK(a, len)  memset(sd->data, 0xec, len)
837 #define APP_WRITE_BLOCK(a, len)
838 
839 static void sd_erase(SDState *sd)
840 {
841     uint64_t erase_start = sd->erase_start;
842     uint64_t erase_end = sd->erase_end;
843     bool sdsc = true;
844     uint64_t wpnum;
845     uint64_t erase_addr;
846     int erase_len = 1 << HWBLOCK_SHIFT;
847 
848     trace_sdcard_erase(sd->erase_start, sd->erase_end);
849     if (sd->erase_start == INVALID_ADDRESS
850             || sd->erase_end == INVALID_ADDRESS) {
851         sd->card_status |= ERASE_SEQ_ERROR;
852         sd->erase_start = INVALID_ADDRESS;
853         sd->erase_end = INVALID_ADDRESS;
854         return;
855     }
856 
857     if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
858         /* High capacity memory card: erase units are 512 byte blocks */
859         erase_start <<= HWBLOCK_SHIFT;
860         erase_end <<= HWBLOCK_SHIFT;
861         sdsc = false;
862     }
863 
864     if (erase_start > sd->size || erase_end > sd->size) {
865         sd->card_status |= OUT_OF_RANGE;
866         sd->erase_start = INVALID_ADDRESS;
867         sd->erase_end = INVALID_ADDRESS;
868         return;
869     }
870 
871     sd->erase_start = INVALID_ADDRESS;
872     sd->erase_end = INVALID_ADDRESS;
873     sd->csd[14] |= 0x40;
874 
875     memset(sd->data, 0xff, erase_len);
876     for (erase_addr = erase_start; erase_addr <= erase_end;
877          erase_addr += erase_len) {
878         if (sdsc) {
879             /* Only SDSC cards support write protect groups */
880             wpnum = sd_addr_to_wpnum(erase_addr);
881             assert(wpnum < sd->wp_group_bits);
882             if (test_bit(wpnum, sd->wp_group_bmap)) {
883                 sd->card_status |= WP_ERASE_SKIP;
884                 continue;
885             }
886         }
887         sd_blk_write(sd, erase_addr, erase_len);
888     }
889 }
890 
891 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
892 {
893     uint32_t i, wpnum;
894     uint32_t ret = 0;
895 
896     wpnum = sd_addr_to_wpnum(addr);
897 
898     for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
899         if (addr >= sd->size) {
900             /*
901              * If the addresses of the last groups are outside the valid range,
902              * then the corresponding write protection bits shall be set to 0.
903              */
904             continue;
905         }
906         assert(wpnum < sd->wp_group_bits);
907         if (test_bit(wpnum, sd->wp_group_bmap)) {
908             ret |= (1 << i);
909         }
910     }
911 
912     return ret;
913 }
914 
915 static void sd_function_switch(SDState *sd, uint32_t arg)
916 {
917     int i, mode, new_func;
918     mode = !!(arg & 0x80000000);
919 
920     sd->data[0] = 0x00;     /* Maximum current consumption */
921     sd->data[1] = 0x01;
922     sd->data[2] = 0x80;     /* Supported group 6 functions */
923     sd->data[3] = 0x01;
924     sd->data[4] = 0x80;     /* Supported group 5 functions */
925     sd->data[5] = 0x01;
926     sd->data[6] = 0x80;     /* Supported group 4 functions */
927     sd->data[7] = 0x01;
928     sd->data[8] = 0x80;     /* Supported group 3 functions */
929     sd->data[9] = 0x01;
930     sd->data[10] = 0x80;    /* Supported group 2 functions */
931     sd->data[11] = 0x43;
932     sd->data[12] = 0x80;    /* Supported group 1 functions */
933     sd->data[13] = 0x03;
934 
935     memset(&sd->data[14], 0, 3);
936     for (i = 0; i < 6; i ++) {
937         new_func = (arg >> (i * 4)) & 0x0f;
938         if (mode && new_func != 0x0f)
939             sd->function_group[i] = new_func;
940         sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
941     }
942     memset(&sd->data[17], 0, 47);
943 }
944 
945 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
946 {
947     return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
948 }
949 
950 static void sd_lock_command(SDState *sd)
951 {
952     int erase, lock, clr_pwd, set_pwd, pwd_len;
953     erase = !!(sd->data[0] & 0x08);
954     lock = sd->data[0] & 0x04;
955     clr_pwd = sd->data[0] & 0x02;
956     set_pwd = sd->data[0] & 0x01;
957 
958     if (sd->blk_len > 1)
959         pwd_len = sd->data[1];
960     else
961         pwd_len = 0;
962 
963     if (lock) {
964         trace_sdcard_lock();
965     } else {
966         trace_sdcard_unlock();
967     }
968     if (erase) {
969         if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
970                         set_pwd || clr_pwd || lock || sd->wp_switch ||
971                         (sd->csd[14] & 0x20)) {
972             sd->card_status |= LOCK_UNLOCK_FAILED;
973             return;
974         }
975         bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
976         sd->csd[14] &= ~0x10;
977         sd->card_status &= ~CARD_IS_LOCKED;
978         sd->pwd_len = 0;
979         /* Erasing the entire card here! */
980         fprintf(stderr, "SD: Card force-erased by CMD42\n");
981         return;
982     }
983 
984     if (sd->blk_len < 2 + pwd_len ||
985                     pwd_len <= sd->pwd_len ||
986                     pwd_len > sd->pwd_len + 16) {
987         sd->card_status |= LOCK_UNLOCK_FAILED;
988         return;
989     }
990 
991     if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
992         sd->card_status |= LOCK_UNLOCK_FAILED;
993         return;
994     }
995 
996     pwd_len -= sd->pwd_len;
997     if ((pwd_len && !set_pwd) ||
998                     (clr_pwd && (set_pwd || lock)) ||
999                     (lock && !sd->pwd_len && !set_pwd) ||
1000                     (!set_pwd && !clr_pwd &&
1001                      (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1002                       (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1003         sd->card_status |= LOCK_UNLOCK_FAILED;
1004         return;
1005     }
1006 
1007     if (set_pwd) {
1008         memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1009         sd->pwd_len = pwd_len;
1010     }
1011 
1012     if (clr_pwd) {
1013         sd->pwd_len = 0;
1014     }
1015 
1016     if (lock)
1017         sd->card_status |= CARD_IS_LOCKED;
1018     else
1019         sd->card_status &= ~CARD_IS_LOCKED;
1020 }
1021 
1022 static bool address_in_range(SDState *sd, const char *desc,
1023                              uint64_t addr, uint32_t length)
1024 {
1025     if (addr + length > sd->size) {
1026         qemu_log_mask(LOG_GUEST_ERROR,
1027                       "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1028                       desc, addr, sd->size, length);
1029         sd->card_status |= ADDRESS_ERROR;
1030         return false;
1031     }
1032     return true;
1033 }
1034 
1035 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1036 {
1037     qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1038                   sd_proto(sd)->name, req.cmd, sd_state_name(sd->state),
1039                   sd_version_str(sd->spec_version));
1040 
1041     return sd_illegal;
1042 }
1043 
1044 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
1045 {
1046     qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
1047                   sd_proto(sd)->name, req.cmd, sd_mode_name(sd->mode),
1048                   sd_version_str(sd->spec_version));
1049 
1050     return sd_illegal;
1051 }
1052 
1053 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1054 {
1055     qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1056                   sd_proto(sd)->name, req.cmd,
1057                   sd_version_str(sd->spec_version));
1058 
1059     return sd_illegal;
1060 }
1061 
1062 /* Commands that are recognised but not yet implemented. */
1063 __attribute__((unused))
1064 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1065 {
1066     qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1067                   sd_proto(sd)->name, req.cmd);
1068 
1069     return sd_illegal;
1070 }
1071 
1072 /* CMD0 */
1073 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1074 {
1075     if (sd->state != sd_inactive_state) {
1076         sd->state = sd_idle_state;
1077         sd_reset(DEVICE(sd));
1078     }
1079 
1080     return sd_is_spi(sd) ? sd_r1 : sd_r0;
1081 }
1082 
1083 /* CMD1 */
1084 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1085 {
1086     sd->state = sd_transfer_state;
1087 
1088     return sd_r1;
1089 }
1090 
1091 /* CMD2 */
1092 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1093 {
1094     switch (sd->state) {
1095     case sd_ready_state:
1096         sd->state = sd_identification_state;
1097         return sd_r2_i;
1098     default:
1099         return sd_invalid_state_for_cmd(sd, req);
1100     }
1101 }
1102 
1103 /* CMD3 */
1104 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1105 {
1106     switch (sd->state) {
1107     case sd_identification_state:
1108     case sd_standby_state:
1109         sd->state = sd_standby_state;
1110         sd_set_rca(sd);
1111         return sd_r6;
1112 
1113     default:
1114         return sd_invalid_state_for_cmd(sd, req);
1115     }
1116 }
1117 
1118 /* CMD19 */
1119 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1120 {
1121     if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1122         return sd_cmd_illegal(sd, req);
1123     }
1124 
1125     if (sd->state != sd_transfer_state) {
1126         return sd_invalid_state_for_cmd(sd, req);
1127     }
1128 
1129     sd->state = sd_sendingdata_state;
1130     sd->data_offset = 0;
1131 
1132     return sd_r1;
1133 }
1134 
1135 /* CMD23 */
1136 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1137 {
1138     if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1139         return sd_cmd_illegal(sd, req);
1140     }
1141 
1142     if (sd->state != sd_transfer_state) {
1143         return sd_invalid_state_for_cmd(sd, req);
1144     }
1145 
1146     sd->multi_blk_cnt = req.arg;
1147     trace_sdcard_set_block_count(sd->multi_blk_cnt);
1148 
1149     return sd_r1;
1150 }
1151 
1152 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
1153 {
1154     uint16_t rca;
1155     uint64_t addr;
1156 
1157     /* CMD55 precedes an ACMD, so we are not interested in tracing it.
1158      * However there is no ACMD55, so we want to trace this particular case.
1159      */
1160     if (req.cmd != 55 || sd->expecting_acmd) {
1161         trace_sdcard_normal_command(sd_proto(sd)->name,
1162                                     sd_cmd_name(req.cmd), req.cmd,
1163                                     req.arg, sd_state_name(sd->state));
1164     }
1165 
1166     /* Not interpreting this as an app command */
1167     sd->card_status &= ~APP_CMD;
1168 
1169     /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
1170      * if not, its effects are cancelled */
1171     if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
1172         sd->multi_blk_cnt = 0;
1173     }
1174 
1175     if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1176         /* Only Standard Capacity cards support class 6 commands */
1177         return sd_illegal;
1178     }
1179 
1180     if (sd_proto(sd)->cmd[req.cmd]) {
1181         return sd_proto(sd)->cmd[req.cmd](sd, req);
1182     }
1183 
1184     switch (req.cmd) {
1185     /* Basic commands (Class 0 and Class 1) */
1186     case 4:  /* CMD4:   SEND_DSR */
1187         switch (sd->state) {
1188         case sd_standby_state:
1189             break;
1190 
1191         default:
1192             break;
1193         }
1194         break;
1195 
1196     case 6:  /* CMD6:   SWITCH_FUNCTION */
1197         if (sd->mode != sd_data_transfer_mode) {
1198             return sd_invalid_mode_for_cmd(sd, req);
1199         }
1200         sd_function_switch(sd, req.arg);
1201         sd->state = sd_sendingdata_state;
1202         sd->data_start = 0;
1203         sd->data_offset = 0;
1204         return sd_r1;
1205 
1206     case 7:  /* CMD7:   SELECT/DESELECT_CARD */
1207         rca = sd_req_get_rca(sd, req);
1208         switch (sd->state) {
1209         case sd_standby_state:
1210             if (sd->rca != rca)
1211                 return sd_r0;
1212 
1213             sd->state = sd_transfer_state;
1214             return sd_r1b;
1215 
1216         case sd_transfer_state:
1217         case sd_sendingdata_state:
1218             if (sd->rca == rca)
1219                 break;
1220 
1221             sd->state = sd_standby_state;
1222             return sd_r1b;
1223 
1224         case sd_disconnect_state:
1225             if (sd->rca != rca)
1226                 return sd_r0;
1227 
1228             sd->state = sd_programming_state;
1229             return sd_r1b;
1230 
1231         case sd_programming_state:
1232             if (sd->rca == rca)
1233                 break;
1234 
1235             sd->state = sd_disconnect_state;
1236             return sd_r1b;
1237 
1238         default:
1239             break;
1240         }
1241         break;
1242 
1243     case 8:  /* CMD8:   SEND_IF_COND */
1244         if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1245             break;
1246         }
1247         if (sd->state != sd_idle_state) {
1248             break;
1249         }
1250         sd->vhs = 0;
1251 
1252         /* No response if not exactly one VHS bit is set.  */
1253         if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1254             return sd_is_spi(sd) ? sd_r7 : sd_r0;
1255         }
1256 
1257         /* Accept.  */
1258         sd->vhs = req.arg;
1259         return sd_r7;
1260 
1261     case 9:  /* CMD9:   SEND_CSD */
1262         rca = sd_req_get_rca(sd, req);
1263         switch (sd->state) {
1264         case sd_standby_state:
1265             if (sd->rca != rca)
1266                 return sd_r0;
1267 
1268             return sd_r2_s;
1269 
1270         case sd_transfer_state:
1271             if (!sd_is_spi(sd)) {
1272                 break;
1273             }
1274             sd->state = sd_sendingdata_state;
1275             memcpy(sd->data, sd->csd, 16);
1276             sd->data_start = sd_req_get_address(sd, req);
1277             sd->data_offset = 0;
1278             return sd_r1;
1279 
1280         default:
1281             break;
1282         }
1283         break;
1284 
1285     case 10:  /* CMD10:  SEND_CID */
1286         rca = sd_req_get_rca(sd, req);
1287         switch (sd->state) {
1288         case sd_standby_state:
1289             if (sd->rca != rca)
1290                 return sd_r0;
1291 
1292             return sd_r2_i;
1293 
1294         case sd_transfer_state:
1295             if (!sd_is_spi(sd)) {
1296                 break;
1297             }
1298             sd->state = sd_sendingdata_state;
1299             memcpy(sd->data, sd->cid, 16);
1300             sd->data_start = sd_req_get_address(sd, req);
1301             sd->data_offset = 0;
1302             return sd_r1;
1303 
1304         default:
1305             break;
1306         }
1307         break;
1308 
1309     case 12:  /* CMD12:  STOP_TRANSMISSION */
1310         switch (sd->state) {
1311         case sd_sendingdata_state:
1312             sd->state = sd_transfer_state;
1313             return sd_r1b;
1314 
1315         case sd_receivingdata_state:
1316             sd->state = sd_programming_state;
1317             /* Bzzzzzzztt .... Operation complete.  */
1318             sd->state = sd_transfer_state;
1319             return sd_r1b;
1320 
1321         default:
1322             break;
1323         }
1324         break;
1325 
1326     case 13:  /* CMD13:  SEND_STATUS */
1327         rca = sd_req_get_rca(sd, req);
1328         if (sd->mode != sd_data_transfer_mode) {
1329             return sd_invalid_mode_for_cmd(sd, req);
1330         }
1331         if (!sd_is_spi(sd) && sd->rca != rca) {
1332             return sd_r0;
1333         }
1334 
1335         return sd_r1;
1336 
1337     case 15:  /* CMD15:  GO_INACTIVE_STATE */
1338         if (sd->mode != sd_data_transfer_mode) {
1339             return sd_invalid_mode_for_cmd(sd, req);
1340         }
1341         rca = sd_req_get_rca(sd, req);
1342         if (sd->rca == rca) {
1343             sd->state = sd_inactive_state;
1344         }
1345         return sd_r0;
1346 
1347     /* Block read commands (Class 2) */
1348     case 16:  /* CMD16:  SET_BLOCKLEN */
1349         switch (sd->state) {
1350         case sd_transfer_state:
1351             if (req.arg > (1 << HWBLOCK_SHIFT)) {
1352                 sd->card_status |= BLOCK_LEN_ERROR;
1353             } else {
1354                 trace_sdcard_set_blocklen(req.arg);
1355                 sd->blk_len = req.arg;
1356             }
1357 
1358             return sd_r1;
1359 
1360         default:
1361             break;
1362         }
1363         break;
1364 
1365     case 17:  /* CMD17:  READ_SINGLE_BLOCK */
1366     case 18:  /* CMD18:  READ_MULTIPLE_BLOCK */
1367         addr = sd_req_get_address(sd, req);
1368         switch (sd->state) {
1369         case sd_transfer_state:
1370 
1371             if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1372                 return sd_r1;
1373             }
1374 
1375             sd->state = sd_sendingdata_state;
1376             sd->data_start = addr;
1377             sd->data_offset = 0;
1378             return sd_r1;
1379 
1380         default:
1381             break;
1382         }
1383         break;
1384 
1385     /* Block write commands (Class 4) */
1386     case 24:  /* CMD24:  WRITE_SINGLE_BLOCK */
1387     case 25:  /* CMD25:  WRITE_MULTIPLE_BLOCK */
1388         addr = sd_req_get_address(sd, req);
1389         switch (sd->state) {
1390         case sd_transfer_state:
1391 
1392             if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1393                 return sd_r1;
1394             }
1395 
1396             sd->state = sd_receivingdata_state;
1397             sd->data_start = addr;
1398             sd->data_offset = 0;
1399             sd->blk_written = 0;
1400 
1401             if (sd->size <= SDSC_MAX_CAPACITY) {
1402                 if (sd_wp_addr(sd, sd->data_start)) {
1403                     sd->card_status |= WP_VIOLATION;
1404                 }
1405             }
1406             if (sd->csd[14] & 0x30) {
1407                 sd->card_status |= WP_VIOLATION;
1408             }
1409             return sd_r1;
1410 
1411         default:
1412             break;
1413         }
1414         break;
1415 
1416     case 26:  /* CMD26:  PROGRAM_CID */
1417         switch (sd->state) {
1418         case sd_transfer_state:
1419             sd->state = sd_receivingdata_state;
1420             sd->data_start = 0;
1421             sd->data_offset = 0;
1422             return sd_r1;
1423 
1424         default:
1425             break;
1426         }
1427         break;
1428 
1429     case 27:  /* CMD27:  PROGRAM_CSD */
1430         switch (sd->state) {
1431         case sd_transfer_state:
1432             sd->state = sd_receivingdata_state;
1433             sd->data_start = 0;
1434             sd->data_offset = 0;
1435             return sd_r1;
1436 
1437         default:
1438             break;
1439         }
1440         break;
1441 
1442     /* Write protection (Class 6) */
1443     case 28:  /* CMD28:  SET_WRITE_PROT */
1444         if (sd->size > SDSC_MAX_CAPACITY) {
1445             return sd_illegal;
1446         }
1447         addr = sd_req_get_address(sd, req);
1448         switch (sd->state) {
1449         case sd_transfer_state:
1450             if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1451                 return sd_r1b;
1452             }
1453 
1454             sd->state = sd_programming_state;
1455             set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1456             /* Bzzzzzzztt .... Operation complete.  */
1457             sd->state = sd_transfer_state;
1458             return sd_r1b;
1459 
1460         default:
1461             break;
1462         }
1463         break;
1464 
1465     case 29:  /* CMD29:  CLR_WRITE_PROT */
1466         if (sd->size > SDSC_MAX_CAPACITY) {
1467             return sd_illegal;
1468         }
1469         addr = sd_req_get_address(sd, req);
1470         switch (sd->state) {
1471         case sd_transfer_state:
1472             if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1473                 return sd_r1b;
1474             }
1475 
1476             sd->state = sd_programming_state;
1477             clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1478             /* Bzzzzzzztt .... Operation complete.  */
1479             sd->state = sd_transfer_state;
1480             return sd_r1b;
1481 
1482         default:
1483             break;
1484         }
1485         break;
1486 
1487     case 30:  /* CMD30:  SEND_WRITE_PROT */
1488         if (sd->size > SDSC_MAX_CAPACITY) {
1489             return sd_illegal;
1490         }
1491         addr = sd_req_get_address(sd, req);
1492         switch (sd->state) {
1493         case sd_transfer_state:
1494             if (!address_in_range(sd, "SEND_WRITE_PROT",
1495                                   req.arg, sd->blk_len)) {
1496                 return sd_r1;
1497             }
1498 
1499             sd->state = sd_sendingdata_state;
1500             *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1501             sd->data_start = addr;
1502             sd->data_offset = 0;
1503             return sd_r1;
1504 
1505         default:
1506             break;
1507         }
1508         break;
1509 
1510     /* Erase commands (Class 5) */
1511     case 32:  /* CMD32:  ERASE_WR_BLK_START */
1512         switch (sd->state) {
1513         case sd_transfer_state:
1514             sd->erase_start = req.arg;
1515             return sd_r1;
1516 
1517         default:
1518             break;
1519         }
1520         break;
1521 
1522     case 33:  /* CMD33:  ERASE_WR_BLK_END */
1523         switch (sd->state) {
1524         case sd_transfer_state:
1525             sd->erase_end = req.arg;
1526             return sd_r1;
1527 
1528         default:
1529             break;
1530         }
1531         break;
1532 
1533     case 38:  /* CMD38:  ERASE */
1534         switch (sd->state) {
1535         case sd_transfer_state:
1536             if (sd->csd[14] & 0x30) {
1537                 sd->card_status |= WP_VIOLATION;
1538                 return sd_r1b;
1539             }
1540 
1541             sd->state = sd_programming_state;
1542             sd_erase(sd);
1543             /* Bzzzzzzztt .... Operation complete.  */
1544             sd->state = sd_transfer_state;
1545             return sd_r1b;
1546 
1547         default:
1548             break;
1549         }
1550         break;
1551 
1552     /* Lock card commands (Class 7) */
1553     case 42:  /* CMD42:  LOCK_UNLOCK */
1554         switch (sd->state) {
1555         case sd_transfer_state:
1556             sd->state = sd_receivingdata_state;
1557             sd->data_start = 0;
1558             sd->data_offset = 0;
1559             return sd_r1;
1560 
1561         default:
1562             break;
1563         }
1564         break;
1565 
1566     /* Application specific commands (Class 8) */
1567     case 55:  /* CMD55:  APP_CMD */
1568         rca = sd_req_get_rca(sd, req);
1569         switch (sd->state) {
1570         case sd_ready_state:
1571         case sd_identification_state:
1572         case sd_inactive_state:
1573             return sd_illegal;
1574         case sd_idle_state:
1575             if (rca) {
1576                 qemu_log_mask(LOG_GUEST_ERROR,
1577                               "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1578             }
1579         default:
1580             break;
1581         }
1582         if (!sd_is_spi(sd)) {
1583             if (sd->rca != rca) {
1584                 return sd_r0;
1585             }
1586         }
1587         sd->expecting_acmd = true;
1588         sd->card_status |= APP_CMD;
1589         return sd_r1;
1590 
1591     case 56:  /* CMD56:  GEN_CMD */
1592         switch (sd->state) {
1593         case sd_transfer_state:
1594             sd->data_offset = 0;
1595             if (req.arg & 1)
1596                 sd->state = sd_sendingdata_state;
1597             else
1598                 sd->state = sd_receivingdata_state;
1599             return sd_r1;
1600 
1601         default:
1602             break;
1603         }
1604         break;
1605 
1606     case 58:    /* CMD58:   READ_OCR (SPI) */
1607         return sd_r3;
1608 
1609     case 59:    /* CMD59:   CRC_ON_OFF (SPI) */
1610         return sd_r1;
1611 
1612     default:
1613         qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1614         return sd_illegal;
1615     }
1616 
1617     return sd_invalid_state_for_cmd(sd, req);
1618 }
1619 
1620 static sd_rsp_type_t sd_app_command(SDState *sd,
1621                                     SDRequest req)
1622 {
1623     trace_sdcard_app_command(sd_proto(sd)->name, sd_acmd_name(req.cmd),
1624                              req.cmd, req.arg, sd_state_name(sd->state));
1625     sd->card_status |= APP_CMD;
1626 
1627     if (sd_proto(sd)->acmd[req.cmd]) {
1628         return sd_proto(sd)->acmd[req.cmd](sd, req);
1629     }
1630 
1631     switch (req.cmd) {
1632     case 6:  /* ACMD6:  SET_BUS_WIDTH */
1633         switch (sd->state) {
1634         case sd_transfer_state:
1635             sd->sd_status[0] &= 0x3f;
1636             sd->sd_status[0] |= (req.arg & 0x03) << 6;
1637             return sd_r1;
1638 
1639         default:
1640             break;
1641         }
1642         break;
1643 
1644     case 13:  /* ACMD13: SD_STATUS */
1645         switch (sd->state) {
1646         case sd_transfer_state:
1647             sd->state = sd_sendingdata_state;
1648             sd->data_start = 0;
1649             sd->data_offset = 0;
1650             return sd_r1;
1651 
1652         default:
1653             break;
1654         }
1655         break;
1656 
1657     case 22:  /* ACMD22: SEND_NUM_WR_BLOCKS */
1658         switch (sd->state) {
1659         case sd_transfer_state:
1660             *(uint32_t *) sd->data = sd->blk_written;
1661 
1662             sd->state = sd_sendingdata_state;
1663             sd->data_start = 0;
1664             sd->data_offset = 0;
1665             return sd_r1;
1666 
1667         default:
1668             break;
1669         }
1670         break;
1671 
1672     case 23:  /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1673         switch (sd->state) {
1674         case sd_transfer_state:
1675             return sd_r1;
1676 
1677         default:
1678             break;
1679         }
1680         break;
1681 
1682     case 41:  /* ACMD41: SD_APP_OP_COND */
1683         if (sd->state != sd_idle_state) {
1684             break;
1685         }
1686         /* If it's the first ACMD41 since reset, we need to decide
1687          * whether to power up. If this is not an enquiry ACMD41,
1688          * we immediately report power on and proceed below to the
1689          * ready state, but if it is, we set a timer to model a
1690          * delay for power up. This works around a bug in EDK2
1691          * UEFI, which sends an initial enquiry ACMD41, but
1692          * assumes that the card is in ready state as soon as it
1693          * sees the power up bit set. */
1694         if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1695             if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1696                 timer_del(sd->ocr_power_timer);
1697                 sd_ocr_powerup(sd);
1698             } else {
1699                 trace_sdcard_inquiry_cmd41();
1700                 if (!timer_pending(sd->ocr_power_timer)) {
1701                     timer_mod_ns(sd->ocr_power_timer,
1702                                  (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1703                                   + OCR_POWER_DELAY_NS));
1704                 }
1705             }
1706         }
1707 
1708         if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1709             /* We accept any voltage.  10000 V is nothing.
1710              *
1711              * Once we're powered up, we advance straight to ready state
1712              * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1713              */
1714             sd->state = sd_ready_state;
1715         }
1716 
1717         return sd_r3;
1718 
1719     case 42:  /* ACMD42: SET_CLR_CARD_DETECT */
1720         switch (sd->state) {
1721         case sd_transfer_state:
1722             /* Bringing in the 50KOhm pull-up resistor... Done.  */
1723             return sd_r1;
1724 
1725         default:
1726             break;
1727         }
1728         break;
1729 
1730     case 51:  /* ACMD51: SEND_SCR */
1731         switch (sd->state) {
1732         case sd_transfer_state:
1733             sd->state = sd_sendingdata_state;
1734             sd->data_start = 0;
1735             sd->data_offset = 0;
1736             return sd_r1;
1737 
1738         default:
1739             break;
1740         }
1741         break;
1742 
1743     case 18:    /* Reserved for SD security applications */
1744     case 25:
1745     case 26:
1746     case 38:
1747     case 43 ... 49:
1748         /* Refer to the "SD Specifications Part3 Security Specification" for
1749          * information about the SD Security Features.
1750          */
1751         qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1752                       req.cmd);
1753         return sd_illegal;
1754 
1755     default:
1756         /* Fall back to standard commands.  */
1757         return sd_normal_command(sd, req);
1758     }
1759 
1760     qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1761     return sd_illegal;
1762 }
1763 
1764 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
1765 {
1766     /* Valid commands in locked state:
1767      * basic class (0)
1768      * lock card class (7)
1769      * CMD16
1770      * implicitly, the ACMD prefix CMD55
1771      * ACMD41 and ACMD42
1772      * Anything else provokes an "illegal command" response.
1773      */
1774     if (sd->expecting_acmd) {
1775         return cmd == 41 || cmd == 42;
1776     }
1777     if (cmd == 16 || cmd == 55) {
1778         return true;
1779     }
1780     return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1781 }
1782 
1783 int sd_do_command(SDState *sd, SDRequest *req,
1784                   uint8_t *response) {
1785     int last_state;
1786     sd_rsp_type_t rtype;
1787     int rsplen;
1788 
1789     if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1790         return 0;
1791     }
1792 
1793     if (sd_req_crc_validate(req)) {
1794         sd->card_status |= COM_CRC_ERROR;
1795         rtype = sd_illegal;
1796         goto send_response;
1797     }
1798 
1799     if (req->cmd >= SDMMC_CMD_MAX) {
1800         qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1801                       req->cmd);
1802         req->cmd &= 0x3f;
1803     }
1804 
1805     if (sd->card_status & CARD_IS_LOCKED) {
1806         if (!cmd_valid_while_locked(sd, req->cmd)) {
1807             sd->card_status |= ILLEGAL_COMMAND;
1808             sd->expecting_acmd = false;
1809             qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1810             rtype = sd_illegal;
1811             goto send_response;
1812         }
1813     }
1814 
1815     last_state = sd->state;
1816     sd_set_mode(sd);
1817 
1818     if (sd->expecting_acmd) {
1819         sd->expecting_acmd = false;
1820         rtype = sd_app_command(sd, *req);
1821     } else {
1822         rtype = sd_normal_command(sd, *req);
1823     }
1824 
1825     if (rtype == sd_illegal) {
1826         sd->card_status |= ILLEGAL_COMMAND;
1827     } else {
1828         /* Valid command, we can update the 'state before command' bits.
1829          * (Do this now so they appear in r1 responses.)
1830          */
1831         sd->current_cmd = req->cmd;
1832         sd->card_status = FIELD_DP32(sd->card_status, CSR,
1833                                      CURRENT_STATE, last_state);
1834     }
1835 
1836 send_response:
1837     switch (rtype) {
1838     case sd_r1:
1839     case sd_r1b:
1840         sd_response_r1_make(sd, response);
1841         rsplen = 4;
1842         break;
1843 
1844     case sd_r2_i:
1845         memcpy(response, sd->cid, sizeof(sd->cid));
1846         rsplen = 16;
1847         break;
1848 
1849     case sd_r2_s:
1850         memcpy(response, sd->csd, sizeof(sd->csd));
1851         rsplen = 16;
1852         break;
1853 
1854     case sd_r3:
1855         sd_response_r3_make(sd, response);
1856         rsplen = 4;
1857         break;
1858 
1859     case sd_r6:
1860         sd_response_r6_make(sd, response);
1861         rsplen = 4;
1862         break;
1863 
1864     case sd_r7:
1865         sd_response_r7_make(sd, response);
1866         rsplen = 4;
1867         break;
1868 
1869     case sd_r0:
1870         /*
1871          * Invalid state transition, reset implementation
1872          * fields to avoid OOB abuse.
1873          */
1874         sd->data_start = 0;
1875         sd->data_offset = 0;
1876         /* fall-through */
1877     case sd_illegal:
1878         rsplen = 0;
1879         break;
1880     default:
1881         g_assert_not_reached();
1882     }
1883     trace_sdcard_response(sd_response_name(rtype), rsplen);
1884 
1885     if (rtype != sd_illegal) {
1886         /* Clear the "clear on valid command" status bits now we've
1887          * sent any response
1888          */
1889         sd->card_status &= ~CARD_STATUS_B;
1890     }
1891 
1892 #ifdef DEBUG_SD
1893     qemu_hexdump(stderr, "Response", response, rsplen);
1894 #endif
1895 
1896     return rsplen;
1897 }
1898 
1899 void sd_write_byte(SDState *sd, uint8_t value)
1900 {
1901     int i;
1902 
1903     if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1904         return;
1905 
1906     if (sd->state != sd_receivingdata_state) {
1907         qemu_log_mask(LOG_GUEST_ERROR,
1908                       "%s: not in Receiving-Data state\n", __func__);
1909         return;
1910     }
1911 
1912     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1913         return;
1914 
1915     trace_sdcard_write_data(sd_proto(sd)->name,
1916                             sd_acmd_name(sd->current_cmd),
1917                             sd->current_cmd, value);
1918     switch (sd->current_cmd) {
1919     case 24:  /* CMD24:  WRITE_SINGLE_BLOCK */
1920         sd->data[sd->data_offset ++] = value;
1921         if (sd->data_offset >= sd->blk_len) {
1922             /* TODO: Check CRC before committing */
1923             sd->state = sd_programming_state;
1924             sd_blk_write(sd, sd->data_start, sd->data_offset);
1925             sd->blk_written ++;
1926             sd->csd[14] |= 0x40;
1927             /* Bzzzzzzztt .... Operation complete.  */
1928             sd->state = sd_transfer_state;
1929         }
1930         break;
1931 
1932     case 25:  /* CMD25:  WRITE_MULTIPLE_BLOCK */
1933         if (sd->data_offset == 0) {
1934             /* Start of the block - let's check the address is valid */
1935             if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
1936                                   sd->data_start, sd->blk_len)) {
1937                 break;
1938             }
1939             if (sd->size <= SDSC_MAX_CAPACITY) {
1940                 if (sd_wp_addr(sd, sd->data_start)) {
1941                     sd->card_status |= WP_VIOLATION;
1942                     break;
1943                 }
1944             }
1945         }
1946         sd->data[sd->data_offset++] = value;
1947         if (sd->data_offset >= sd->blk_len) {
1948             /* TODO: Check CRC before committing */
1949             sd->state = sd_programming_state;
1950             sd_blk_write(sd, sd->data_start, sd->data_offset);
1951             sd->blk_written++;
1952             sd->data_start += sd->blk_len;
1953             sd->data_offset = 0;
1954             sd->csd[14] |= 0x40;
1955 
1956             /* Bzzzzzzztt .... Operation complete.  */
1957             if (sd->multi_blk_cnt != 0) {
1958                 if (--sd->multi_blk_cnt == 0) {
1959                     /* Stop! */
1960                     sd->state = sd_transfer_state;
1961                     break;
1962                 }
1963             }
1964 
1965             sd->state = sd_receivingdata_state;
1966         }
1967         break;
1968 
1969     case 26:  /* CMD26:  PROGRAM_CID */
1970         sd->data[sd->data_offset ++] = value;
1971         if (sd->data_offset >= sizeof(sd->cid)) {
1972             /* TODO: Check CRC before committing */
1973             sd->state = sd_programming_state;
1974             for (i = 0; i < sizeof(sd->cid); i ++)
1975                 if ((sd->cid[i] | 0x00) != sd->data[i])
1976                     sd->card_status |= CID_CSD_OVERWRITE;
1977 
1978             if (!(sd->card_status & CID_CSD_OVERWRITE))
1979                 for (i = 0; i < sizeof(sd->cid); i ++) {
1980                     sd->cid[i] |= 0x00;
1981                     sd->cid[i] &= sd->data[i];
1982                 }
1983             /* Bzzzzzzztt .... Operation complete.  */
1984             sd->state = sd_transfer_state;
1985         }
1986         break;
1987 
1988     case 27:  /* CMD27:  PROGRAM_CSD */
1989         sd->data[sd->data_offset ++] = value;
1990         if (sd->data_offset >= sizeof(sd->csd)) {
1991             /* TODO: Check CRC before committing */
1992             sd->state = sd_programming_state;
1993             for (i = 0; i < sizeof(sd->csd); i ++)
1994                 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1995                     (sd->data[i] | sd_csd_rw_mask[i]))
1996                     sd->card_status |= CID_CSD_OVERWRITE;
1997 
1998             /* Copy flag (OTP) & Permanent write protect */
1999             if (sd->csd[14] & ~sd->data[14] & 0x60)
2000                 sd->card_status |= CID_CSD_OVERWRITE;
2001 
2002             if (!(sd->card_status & CID_CSD_OVERWRITE))
2003                 for (i = 0; i < sizeof(sd->csd); i ++) {
2004                     sd->csd[i] |= sd_csd_rw_mask[i];
2005                     sd->csd[i] &= sd->data[i];
2006                 }
2007             /* Bzzzzzzztt .... Operation complete.  */
2008             sd->state = sd_transfer_state;
2009         }
2010         break;
2011 
2012     case 42:  /* CMD42:  LOCK_UNLOCK */
2013         sd->data[sd->data_offset ++] = value;
2014         if (sd->data_offset >= sd->blk_len) {
2015             /* TODO: Check CRC before committing */
2016             sd->state = sd_programming_state;
2017             sd_lock_command(sd);
2018             /* Bzzzzzzztt .... Operation complete.  */
2019             sd->state = sd_transfer_state;
2020         }
2021         break;
2022 
2023     case 56:  /* CMD56:  GEN_CMD */
2024         sd->data[sd->data_offset ++] = value;
2025         if (sd->data_offset >= sd->blk_len) {
2026             APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
2027             sd->state = sd_transfer_state;
2028         }
2029         break;
2030 
2031     default:
2032         qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2033         break;
2034     }
2035 }
2036 
2037 #define SD_TUNING_BLOCK_SIZE    64
2038 
2039 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
2040     /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
2041     0xff, 0x0f, 0xff, 0x00,         0x0f, 0xfc, 0xc3, 0xcc,
2042     0xc3, 0x3c, 0xcc, 0xff,         0xfe, 0xff, 0xfe, 0xef,
2043     0xff, 0xdf, 0xff, 0xdd,         0xff, 0xfb, 0xff, 0xfb,
2044     0xbf, 0xff, 0x7f, 0xff,         0x77, 0xf7, 0xbd, 0xef,
2045     0xff, 0xf0, 0xff, 0xf0,         0x0f, 0xfc, 0xcc, 0x3c,
2046     0xcc, 0x33, 0xcc, 0xcf,         0xff, 0xef, 0xff, 0xee,
2047     0xff, 0xfd, 0xff, 0xfd,         0xdf, 0xff, 0xbf, 0xff,
2048     0xbb, 0xff, 0xf7, 0xff,         0xf7, 0x7f, 0x7b, 0xde,
2049 };
2050 
2051 uint8_t sd_read_byte(SDState *sd)
2052 {
2053     /* TODO: Append CRCs */
2054     uint8_t ret;
2055     uint32_t io_len;
2056 
2057     if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2058         return 0x00;
2059 
2060     if (sd->state != sd_sendingdata_state) {
2061         qemu_log_mask(LOG_GUEST_ERROR,
2062                       "%s: not in Sending-Data state\n", __func__);
2063         return 0x00;
2064     }
2065 
2066     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2067         return 0x00;
2068 
2069     io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
2070 
2071     trace_sdcard_read_data(sd_proto(sd)->name,
2072                            sd_acmd_name(sd->current_cmd),
2073                            sd->current_cmd, io_len);
2074     switch (sd->current_cmd) {
2075     case 6:  /* CMD6:   SWITCH_FUNCTION */
2076         ret = sd->data[sd->data_offset ++];
2077 
2078         if (sd->data_offset >= 64)
2079             sd->state = sd_transfer_state;
2080         break;
2081 
2082     case 9:  /* CMD9:   SEND_CSD */
2083     case 10:  /* CMD10:  SEND_CID */
2084         ret = sd->data[sd->data_offset ++];
2085 
2086         if (sd->data_offset >= 16)
2087             sd->state = sd_transfer_state;
2088         break;
2089 
2090     case 13:  /* ACMD13: SD_STATUS */
2091         ret = sd->sd_status[sd->data_offset ++];
2092 
2093         if (sd->data_offset >= sizeof(sd->sd_status))
2094             sd->state = sd_transfer_state;
2095         break;
2096 
2097     case 17:  /* CMD17:  READ_SINGLE_BLOCK */
2098         if (sd->data_offset == 0) {
2099             sd_blk_read(sd, sd->data_start, io_len);
2100         }
2101         ret = sd->data[sd->data_offset ++];
2102 
2103         if (sd->data_offset >= io_len)
2104             sd->state = sd_transfer_state;
2105         break;
2106 
2107     case 18:  /* CMD18:  READ_MULTIPLE_BLOCK */
2108         if (sd->data_offset == 0) {
2109             if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2110                                   sd->data_start, io_len)) {
2111                 return 0x00;
2112             }
2113             sd_blk_read(sd, sd->data_start, io_len);
2114         }
2115         ret = sd->data[sd->data_offset ++];
2116 
2117         if (sd->data_offset >= io_len) {
2118             sd->data_start += io_len;
2119             sd->data_offset = 0;
2120 
2121             if (sd->multi_blk_cnt != 0) {
2122                 if (--sd->multi_blk_cnt == 0) {
2123                     /* Stop! */
2124                     sd->state = sd_transfer_state;
2125                     break;
2126                 }
2127             }
2128         }
2129         break;
2130 
2131     case 19:    /* CMD19:  SEND_TUNING_BLOCK (SD) */
2132         if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2133             sd->state = sd_transfer_state;
2134         }
2135         ret = sd_tuning_block_pattern[sd->data_offset++];
2136         break;
2137 
2138     case 22:  /* ACMD22: SEND_NUM_WR_BLOCKS */
2139         ret = sd->data[sd->data_offset ++];
2140 
2141         if (sd->data_offset >= 4)
2142             sd->state = sd_transfer_state;
2143         break;
2144 
2145     case 30:  /* CMD30:  SEND_WRITE_PROT */
2146         ret = sd->data[sd->data_offset ++];
2147 
2148         if (sd->data_offset >= 4)
2149             sd->state = sd_transfer_state;
2150         break;
2151 
2152     case 51:  /* ACMD51: SEND_SCR */
2153         ret = sd->scr[sd->data_offset ++];
2154 
2155         if (sd->data_offset >= sizeof(sd->scr))
2156             sd->state = sd_transfer_state;
2157         break;
2158 
2159     case 56:  /* CMD56:  GEN_CMD */
2160         if (sd->data_offset == 0)
2161             APP_READ_BLOCK(sd->data_start, sd->blk_len);
2162         ret = sd->data[sd->data_offset ++];
2163 
2164         if (sd->data_offset >= sd->blk_len)
2165             sd->state = sd_transfer_state;
2166         break;
2167 
2168     default:
2169         qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2170         return 0x00;
2171     }
2172 
2173     return ret;
2174 }
2175 
2176 static bool sd_receive_ready(SDState *sd)
2177 {
2178     return sd->state == sd_receivingdata_state;
2179 }
2180 
2181 static bool sd_data_ready(SDState *sd)
2182 {
2183     return sd->state == sd_sendingdata_state;
2184 }
2185 
2186 void sd_enable(SDState *sd, bool enable)
2187 {
2188     sd->enable = enable;
2189 }
2190 
2191 static const SDProto sd_proto_spi = {
2192     .name = "SPI",
2193     .cmd = {
2194         [0]         = sd_cmd_GO_IDLE_STATE,
2195         [1]         = spi_cmd_SEND_OP_COND,
2196     },
2197     .acmd = {
2198         [41]        = spi_cmd_SEND_OP_COND,
2199     },
2200 };
2201 
2202 static const SDProto sd_proto_sd = {
2203     .name = "SD",
2204     .cmd = {
2205         [0]         = sd_cmd_GO_IDLE_STATE,
2206         [2]         = sd_cmd_ALL_SEND_CID,
2207         [3]         = sd_cmd_SEND_RELATIVE_ADDR,
2208         [19]        = sd_cmd_SEND_TUNING_BLOCK,
2209         [23]        = sd_cmd_SET_BLOCK_COUNT,
2210     },
2211 };
2212 
2213 static void sd_instance_init(Object *obj)
2214 {
2215     SDState *sd = SD_CARD(obj);
2216 
2217     sd->enable = true;
2218     sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2219 }
2220 
2221 static void sd_instance_finalize(Object *obj)
2222 {
2223     SDState *sd = SD_CARD(obj);
2224 
2225     timer_free(sd->ocr_power_timer);
2226 }
2227 
2228 static void sd_realize(DeviceState *dev, Error **errp)
2229 {
2230     SDState *sd = SD_CARD(dev);
2231     int ret;
2232 
2233     switch (sd->spec_version) {
2234     case SD_PHY_SPECv1_10_VERS
2235      ... SD_PHY_SPECv3_01_VERS:
2236         break;
2237     default:
2238         error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2239         return;
2240     }
2241 
2242     if (sd->blk) {
2243         int64_t blk_size;
2244 
2245         if (!blk_supports_write_perm(sd->blk)) {
2246             error_setg(errp, "Cannot use read-only drive as SD card");
2247             return;
2248         }
2249 
2250         blk_size = blk_getlength(sd->blk);
2251         if (blk_size > 0 && !is_power_of_2(blk_size)) {
2252             int64_t blk_size_aligned = pow2ceil(blk_size);
2253             char *blk_size_str;
2254 
2255             blk_size_str = size_to_str(blk_size);
2256             error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2257             g_free(blk_size_str);
2258 
2259             blk_size_str = size_to_str(blk_size_aligned);
2260             error_append_hint(errp,
2261                               "SD card size has to be a power of 2, e.g. %s.\n"
2262                               "You can resize disk images with"
2263                               " 'qemu-img resize <imagefile> <new-size>'\n"
2264                               "(note that this will lose data if you make the"
2265                               " image smaller than it currently is).\n",
2266                               blk_size_str);
2267             g_free(blk_size_str);
2268 
2269             return;
2270         }
2271 
2272         ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2273                            BLK_PERM_ALL, errp);
2274         if (ret < 0) {
2275             return;
2276         }
2277         blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2278     }
2279 }
2280 
2281 static Property sd_properties[] = {
2282     DEFINE_PROP_UINT8("spec_version", SDState,
2283                       spec_version, SD_PHY_SPECv2_00_VERS),
2284     DEFINE_PROP_DRIVE("drive", SDState, blk),
2285     /* We do not model the chip select pin, so allow the board to select
2286      * whether card should be in SSI or MMC/SD mode.  It is also up to the
2287      * board to ensure that ssi transfers only occur when the chip select
2288      * is asserted.  */
2289     DEFINE_PROP_END_OF_LIST()
2290 };
2291 
2292 static void sd_class_init(ObjectClass *klass, void *data)
2293 {
2294     DeviceClass *dc = DEVICE_CLASS(klass);
2295     SDCardClass *sc = SD_CARD_CLASS(klass);
2296 
2297     dc->realize = sd_realize;
2298     device_class_set_props(dc, sd_properties);
2299     dc->vmsd = &sd_vmstate;
2300     dc->reset = sd_reset;
2301     dc->bus_type = TYPE_SD_BUS;
2302     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2303 
2304     sc->set_voltage = sd_set_voltage;
2305     sc->get_dat_lines = sd_get_dat_lines;
2306     sc->get_cmd_line = sd_get_cmd_line;
2307     sc->do_command = sd_do_command;
2308     sc->write_byte = sd_write_byte;
2309     sc->read_byte = sd_read_byte;
2310     sc->receive_ready = sd_receive_ready;
2311     sc->data_ready = sd_data_ready;
2312     sc->enable = sd_enable;
2313     sc->get_inserted = sd_get_inserted;
2314     sc->get_readonly = sd_get_readonly;
2315     sc->proto = &sd_proto_sd;
2316 }
2317 
2318 /*
2319  * We do not model the chip select pin, so allow the board to select
2320  * whether card should be in SSI or MMC/SD mode.  It is also up to the
2321  * board to ensure that ssi transfers only occur when the chip select
2322  * is asserted.
2323  */
2324 static void sd_spi_class_init(ObjectClass *klass, void *data)
2325 {
2326     DeviceClass *dc = DEVICE_CLASS(klass);
2327     SDCardClass *sc = SD_CARD_CLASS(klass);
2328 
2329     dc->desc = "SD SPI";
2330     sc->proto = &sd_proto_spi;
2331 }
2332 
2333 static const TypeInfo sd_types[] = {
2334     {
2335         .name           = TYPE_SD_CARD,
2336         .parent         = TYPE_DEVICE,
2337         .instance_size  = sizeof(SDState),
2338         .class_size     = sizeof(SDCardClass),
2339         .class_init     = sd_class_init,
2340         .instance_init  = sd_instance_init,
2341         .instance_finalize = sd_instance_finalize,
2342     },
2343     {
2344         .name           = TYPE_SD_CARD_SPI,
2345         .parent         = TYPE_SD_CARD,
2346         .class_init     = sd_spi_class_init,
2347     },
2348 };
2349 
2350 DEFINE_TYPES(sd_types)
2351