1 /* 2 * ST M25P80 emulator. Emulate all SPI flash devices based on the m25p80 command 3 * set. Known devices table current as of Jun/2012 and taken from linux. 4 * See drivers/mtd/devices/m25p80.c. 5 * 6 * Copyright (C) 2011 Edgar E. Iglesias <edgar.iglesias@gmail.com> 7 * Copyright (C) 2012 Peter A. G. Crosthwaite <peter.crosthwaite@petalogix.com> 8 * Copyright (C) 2012 PetaLogix 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation; either version 2 or 13 * (at your option) a later version of the License. 14 * 15 * This program is distributed in the hope that it will be useful, 16 * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 * GNU General Public License for more details. 19 * 20 * You should have received a copy of the GNU General Public License along 21 * with this program; if not, see <http://www.gnu.org/licenses/>. 22 */ 23 24 #include "qemu/osdep.h" 25 #include "qemu/units.h" 26 #include "sysemu/block-backend.h" 27 #include "hw/qdev-properties.h" 28 #include "hw/qdev-properties-system.h" 29 #include "hw/ssi/ssi.h" 30 #include "migration/vmstate.h" 31 #include "qemu/bitops.h" 32 #include "qemu/log.h" 33 #include "qemu/module.h" 34 #include "qemu/error-report.h" 35 #include "qapi/error.h" 36 #include "trace.h" 37 #include "qom/object.h" 38 39 /* 16 MiB max in 3 byte address mode */ 40 #define MAX_3BYTES_SIZE 0x1000000 41 #define SPI_NOR_MAX_ID_LEN 6 42 43 /* Fields for FlashPartInfo->flags */ 44 enum spi_flash_option_flags { 45 ER_4K = BIT(0), 46 ER_32K = BIT(1), 47 EEPROM = BIT(2), 48 HAS_SR_TB = BIT(3), 49 HAS_SR_BP3_BIT6 = BIT(4), 50 }; 51 52 typedef struct FlashPartInfo { 53 const char *part_name; 54 /* 55 * This array stores the ID bytes. 56 * The first three bytes are the JEDIC ID. 57 * JEDEC ID zero means "no ID" (mostly older chips). 58 */ 59 uint8_t id[SPI_NOR_MAX_ID_LEN]; 60 uint8_t id_len; 61 /* there is confusion between manufacturers as to what a sector is. In this 62 * device model, a "sector" is the size that is erased by the ERASE_SECTOR 63 * command (opcode 0xd8). 64 */ 65 uint32_t sector_size; 66 uint32_t n_sectors; 67 uint32_t page_size; 68 uint16_t flags; 69 /* 70 * Big sized spi nor are often stacked devices, thus sometime 71 * replace chip erase with die erase. 72 * This field inform how many die is in the chip. 73 */ 74 uint8_t die_cnt; 75 } FlashPartInfo; 76 77 /* adapted from linux */ 78 /* Used when the "_ext_id" is two bytes at most */ 79 #define INFO(_part_name, _jedec_id, _ext_id, _sector_size, _n_sectors, _flags)\ 80 .part_name = _part_name,\ 81 .id = {\ 82 ((_jedec_id) >> 16) & 0xff,\ 83 ((_jedec_id) >> 8) & 0xff,\ 84 (_jedec_id) & 0xff,\ 85 ((_ext_id) >> 8) & 0xff,\ 86 (_ext_id) & 0xff,\ 87 },\ 88 .id_len = (!(_jedec_id) ? 0 : (3 + ((_ext_id) ? 2 : 0))),\ 89 .sector_size = (_sector_size),\ 90 .n_sectors = (_n_sectors),\ 91 .page_size = 256,\ 92 .flags = (_flags),\ 93 .die_cnt = 0 94 95 #define INFO6(_part_name, _jedec_id, _ext_id, _sector_size, _n_sectors, _flags)\ 96 .part_name = _part_name,\ 97 .id = {\ 98 ((_jedec_id) >> 16) & 0xff,\ 99 ((_jedec_id) >> 8) & 0xff,\ 100 (_jedec_id) & 0xff,\ 101 ((_ext_id) >> 16) & 0xff,\ 102 ((_ext_id) >> 8) & 0xff,\ 103 (_ext_id) & 0xff,\ 104 },\ 105 .id_len = 6,\ 106 .sector_size = (_sector_size),\ 107 .n_sectors = (_n_sectors),\ 108 .page_size = 256,\ 109 .flags = (_flags),\ 110 .die_cnt = 0 111 112 #define INFO_STACKED(_part_name, _jedec_id, _ext_id, _sector_size, _n_sectors,\ 113 _flags, _die_cnt)\ 114 .part_name = _part_name,\ 115 .id = {\ 116 ((_jedec_id) >> 16) & 0xff,\ 117 ((_jedec_id) >> 8) & 0xff,\ 118 (_jedec_id) & 0xff,\ 119 ((_ext_id) >> 8) & 0xff,\ 120 (_ext_id) & 0xff,\ 121 },\ 122 .id_len = (!(_jedec_id) ? 0 : (3 + ((_ext_id) ? 2 : 0))),\ 123 .sector_size = (_sector_size),\ 124 .n_sectors = (_n_sectors),\ 125 .page_size = 256,\ 126 .flags = (_flags),\ 127 .die_cnt = _die_cnt 128 129 #define JEDEC_NUMONYX 0x20 130 #define JEDEC_WINBOND 0xEF 131 #define JEDEC_SPANSION 0x01 132 133 /* Numonyx (Micron) Configuration register macros */ 134 #define VCFG_DUMMY 0x1 135 #define VCFG_WRAP_SEQUENTIAL 0x2 136 #define NVCFG_XIP_MODE_DISABLED (7 << 9) 137 #define NVCFG_XIP_MODE_MASK (7 << 9) 138 #define VCFG_XIP_MODE_DISABLED (1 << 3) 139 #define CFG_DUMMY_CLK_LEN 4 140 #define NVCFG_DUMMY_CLK_POS 12 141 #define VCFG_DUMMY_CLK_POS 4 142 #define EVCFG_OUT_DRIVER_STRENGTH_DEF 7 143 #define EVCFG_VPP_ACCELERATOR (1 << 3) 144 #define EVCFG_RESET_HOLD_ENABLED (1 << 4) 145 #define NVCFG_DUAL_IO_MASK (1 << 2) 146 #define EVCFG_DUAL_IO_DISABLED (1 << 6) 147 #define NVCFG_QUAD_IO_MASK (1 << 3) 148 #define EVCFG_QUAD_IO_DISABLED (1 << 7) 149 #define NVCFG_4BYTE_ADDR_MASK (1 << 0) 150 #define NVCFG_LOWER_SEGMENT_MASK (1 << 1) 151 152 /* Numonyx (Micron) Flag Status Register macros */ 153 #define FSR_4BYTE_ADDR_MODE_ENABLED 0x1 154 #define FSR_FLASH_READY (1 << 7) 155 156 /* Spansion configuration registers macros. */ 157 #define SPANSION_QUAD_CFG_POS 0 158 #define SPANSION_QUAD_CFG_LEN 1 159 #define SPANSION_DUMMY_CLK_POS 0 160 #define SPANSION_DUMMY_CLK_LEN 4 161 #define SPANSION_ADDR_LEN_POS 7 162 #define SPANSION_ADDR_LEN_LEN 1 163 164 /* 165 * Spansion read mode command length in bytes, 166 * the mode is currently not supported. 167 */ 168 169 #define SPANSION_CONTINUOUS_READ_MODE_CMD_LEN 1 170 #define WINBOND_CONTINUOUS_READ_MODE_CMD_LEN 1 171 172 static const FlashPartInfo known_devices[] = { 173 /* Atmel -- some are (confusingly) marketed as "DataFlash" */ 174 { INFO("at25fs010", 0x1f6601, 0, 32 << 10, 4, ER_4K) }, 175 { INFO("at25fs040", 0x1f6604, 0, 64 << 10, 8, ER_4K) }, 176 177 { INFO("at25df041a", 0x1f4401, 0, 64 << 10, 8, ER_4K) }, 178 { INFO("at25df321a", 0x1f4701, 0, 64 << 10, 64, ER_4K) }, 179 { INFO("at25df641", 0x1f4800, 0, 64 << 10, 128, ER_4K) }, 180 181 { INFO("at26f004", 0x1f0400, 0, 64 << 10, 8, ER_4K) }, 182 { INFO("at26df081a", 0x1f4501, 0, 64 << 10, 16, ER_4K) }, 183 { INFO("at26df161a", 0x1f4601, 0, 64 << 10, 32, ER_4K) }, 184 { INFO("at26df321", 0x1f4700, 0, 64 << 10, 64, ER_4K) }, 185 186 { INFO("at45db081d", 0x1f2500, 0, 64 << 10, 16, ER_4K) }, 187 188 /* Atmel EEPROMS - it is assumed, that don't care bit in command 189 * is set to 0. Block protection is not supported. 190 */ 191 { INFO("at25128a-nonjedec", 0x0, 0, 1, 131072, EEPROM) }, 192 { INFO("at25256a-nonjedec", 0x0, 0, 1, 262144, EEPROM) }, 193 194 /* EON -- en25xxx */ 195 { INFO("en25f32", 0x1c3116, 0, 64 << 10, 64, ER_4K) }, 196 { INFO("en25p32", 0x1c2016, 0, 64 << 10, 64, 0) }, 197 { INFO("en25q32b", 0x1c3016, 0, 64 << 10, 64, 0) }, 198 { INFO("en25p64", 0x1c2017, 0, 64 << 10, 128, 0) }, 199 { INFO("en25q64", 0x1c3017, 0, 64 << 10, 128, ER_4K) }, 200 201 /* GigaDevice */ 202 { INFO("gd25q32", 0xc84016, 0, 64 << 10, 64, ER_4K) }, 203 { INFO("gd25q64", 0xc84017, 0, 64 << 10, 128, ER_4K) }, 204 205 /* Intel/Numonyx -- xxxs33b */ 206 { INFO("160s33b", 0x898911, 0, 64 << 10, 32, 0) }, 207 { INFO("320s33b", 0x898912, 0, 64 << 10, 64, 0) }, 208 { INFO("640s33b", 0x898913, 0, 64 << 10, 128, 0) }, 209 { INFO("n25q064", 0x20ba17, 0, 64 << 10, 128, 0) }, 210 211 /* ISSI */ 212 { INFO("is25lq040b", 0x9d4013, 0, 64 << 10, 8, ER_4K) }, 213 { INFO("is25lp080d", 0x9d6014, 0, 64 << 10, 16, ER_4K) }, 214 { INFO("is25lp016d", 0x9d6015, 0, 64 << 10, 32, ER_4K) }, 215 { INFO("is25lp032", 0x9d6016, 0, 64 << 10, 64, ER_4K) }, 216 { INFO("is25lp064", 0x9d6017, 0, 64 << 10, 128, ER_4K) }, 217 { INFO("is25lp128", 0x9d6018, 0, 64 << 10, 256, ER_4K) }, 218 { INFO("is25lp256", 0x9d6019, 0, 64 << 10, 512, ER_4K) }, 219 { INFO("is25wp032", 0x9d7016, 0, 64 << 10, 64, ER_4K) }, 220 { INFO("is25wp064", 0x9d7017, 0, 64 << 10, 128, ER_4K) }, 221 { INFO("is25wp128", 0x9d7018, 0, 64 << 10, 256, ER_4K) }, 222 { INFO("is25wp256", 0x9d7019, 0, 64 << 10, 512, ER_4K) }, 223 224 /* Macronix */ 225 { INFO("mx25l2005a", 0xc22012, 0, 64 << 10, 4, ER_4K) }, 226 { INFO("mx25l4005a", 0xc22013, 0, 64 << 10, 8, ER_4K) }, 227 { INFO("mx25l8005", 0xc22014, 0, 64 << 10, 16, 0) }, 228 { INFO("mx25l1606e", 0xc22015, 0, 64 << 10, 32, ER_4K) }, 229 { INFO("mx25l3205d", 0xc22016, 0, 64 << 10, 64, 0) }, 230 { INFO("mx25l6405d", 0xc22017, 0, 64 << 10, 128, 0) }, 231 { INFO("mx25l12805d", 0xc22018, 0, 64 << 10, 256, 0) }, 232 { INFO("mx25l12855e", 0xc22618, 0, 64 << 10, 256, 0) }, 233 { INFO6("mx25l25635e", 0xc22019, 0xc22019, 64 << 10, 512, 0) }, 234 { INFO("mx25l25655e", 0xc22619, 0, 64 << 10, 512, 0) }, 235 { INFO("mx66l51235f", 0xc2201a, 0, 64 << 10, 1024, ER_4K | ER_32K) }, 236 { INFO("mx66u51235f", 0xc2253a, 0, 64 << 10, 1024, ER_4K | ER_32K) }, 237 { INFO("mx66u1g45g", 0xc2253b, 0, 64 << 10, 2048, ER_4K | ER_32K) }, 238 { INFO("mx66l1g45g", 0xc2201b, 0, 64 << 10, 2048, ER_4K | ER_32K) }, 239 240 /* Micron */ 241 { INFO("n25q032a11", 0x20bb16, 0, 64 << 10, 64, ER_4K) }, 242 { INFO("n25q032a13", 0x20ba16, 0, 64 << 10, 64, ER_4K) }, 243 { INFO("n25q064a11", 0x20bb17, 0, 64 << 10, 128, ER_4K) }, 244 { INFO("n25q064a13", 0x20ba17, 0, 64 << 10, 128, ER_4K) }, 245 { INFO("n25q128a11", 0x20bb18, 0, 64 << 10, 256, ER_4K) }, 246 { INFO("n25q128a13", 0x20ba18, 0, 64 << 10, 256, ER_4K) }, 247 { INFO("n25q256a11", 0x20bb19, 0, 64 << 10, 512, ER_4K) }, 248 { INFO("n25q256a13", 0x20ba19, 0, 64 << 10, 512, ER_4K) }, 249 { INFO("n25q512a11", 0x20bb20, 0, 64 << 10, 1024, ER_4K) }, 250 { INFO("n25q512a13", 0x20ba20, 0, 64 << 10, 1024, ER_4K) }, 251 { INFO("n25q128", 0x20ba18, 0, 64 << 10, 256, 0) }, 252 { INFO("n25q256a", 0x20ba19, 0, 64 << 10, 512, 253 ER_4K | HAS_SR_BP3_BIT6 | HAS_SR_TB) }, 254 { INFO("n25q512a", 0x20ba20, 0, 64 << 10, 1024, ER_4K) }, 255 { INFO("n25q512ax3", 0x20ba20, 0x1000, 64 << 10, 1024, ER_4K) }, 256 { INFO("mt25ql512ab", 0x20ba20, 0x1044, 64 << 10, 1024, ER_4K | ER_32K) }, 257 { INFO_STACKED("mt35xu01g", 0x2c5b1b, 0x104100, 128 << 10, 1024, 258 ER_4K | ER_32K, 2) }, 259 { INFO_STACKED("n25q00", 0x20ba21, 0x1000, 64 << 10, 2048, ER_4K, 4) }, 260 { INFO_STACKED("n25q00a", 0x20bb21, 0x1000, 64 << 10, 2048, ER_4K, 4) }, 261 { INFO_STACKED("mt25ql01g", 0x20ba21, 0x1040, 64 << 10, 2048, ER_4K, 2) }, 262 { INFO_STACKED("mt25qu01g", 0x20bb21, 0x1040, 64 << 10, 2048, ER_4K, 2) }, 263 { INFO_STACKED("mt25ql02g", 0x20ba22, 0x1040, 64 << 10, 4096, ER_4K | ER_32K, 2) }, 264 { INFO_STACKED("mt25qu02g", 0x20bb22, 0x1040, 64 << 10, 4096, ER_4K | ER_32K, 2) }, 265 266 /* Spansion -- single (large) sector size only, at least 267 * for the chips listed here (without boot sectors). 268 */ 269 { INFO("s25sl032p", 0x010215, 0x4d00, 64 << 10, 64, ER_4K) }, 270 { INFO("s25sl064p", 0x010216, 0x4d00, 64 << 10, 128, ER_4K) }, 271 { INFO("s25fl256s0", 0x010219, 0x4d00, 256 << 10, 128, 0) }, 272 { INFO("s25fl256s1", 0x010219, 0x4d01, 64 << 10, 512, 0) }, 273 { INFO6("s25fl512s", 0x010220, 0x4d0080, 256 << 10, 256, 0) }, 274 { INFO6("s70fl01gs", 0x010221, 0x4d0080, 256 << 10, 512, 0) }, 275 { INFO("s25sl12800", 0x012018, 0x0300, 256 << 10, 64, 0) }, 276 { INFO("s25sl12801", 0x012018, 0x0301, 64 << 10, 256, 0) }, 277 { INFO("s25fl129p0", 0x012018, 0x4d00, 256 << 10, 64, 0) }, 278 { INFO("s25fl129p1", 0x012018, 0x4d01, 64 << 10, 256, 0) }, 279 { INFO("s25sl004a", 0x010212, 0, 64 << 10, 8, 0) }, 280 { INFO("s25sl008a", 0x010213, 0, 64 << 10, 16, 0) }, 281 { INFO("s25sl016a", 0x010214, 0, 64 << 10, 32, 0) }, 282 { INFO("s25sl032a", 0x010215, 0, 64 << 10, 64, 0) }, 283 { INFO("s25sl064a", 0x010216, 0, 64 << 10, 128, 0) }, 284 { INFO("s25fl016k", 0xef4015, 0, 64 << 10, 32, ER_4K | ER_32K) }, 285 { INFO("s25fl064k", 0xef4017, 0, 64 << 10, 128, ER_4K | ER_32K) }, 286 287 /* Spansion -- boot sectors support */ 288 { INFO6("s25fs512s", 0x010220, 0x4d0081, 256 << 10, 256, 0) }, 289 { INFO6("s70fs01gs", 0x010221, 0x4d0081, 256 << 10, 512, 0) }, 290 291 /* SST -- large erase sizes are "overlays", "sectors" are 4<< 10 */ 292 { INFO("sst25vf040b", 0xbf258d, 0, 64 << 10, 8, ER_4K) }, 293 { INFO("sst25vf080b", 0xbf258e, 0, 64 << 10, 16, ER_4K) }, 294 { INFO("sst25vf016b", 0xbf2541, 0, 64 << 10, 32, ER_4K) }, 295 { INFO("sst25vf032b", 0xbf254a, 0, 64 << 10, 64, ER_4K) }, 296 { INFO("sst25wf512", 0xbf2501, 0, 64 << 10, 1, ER_4K) }, 297 { INFO("sst25wf010", 0xbf2502, 0, 64 << 10, 2, ER_4K) }, 298 { INFO("sst25wf020", 0xbf2503, 0, 64 << 10, 4, ER_4K) }, 299 { INFO("sst25wf040", 0xbf2504, 0, 64 << 10, 8, ER_4K) }, 300 { INFO("sst25wf080", 0xbf2505, 0, 64 << 10, 16, ER_4K) }, 301 302 /* ST Microelectronics -- newer production may have feature updates */ 303 { INFO("m25p05", 0x202010, 0, 32 << 10, 2, 0) }, 304 { INFO("m25p10", 0x202011, 0, 32 << 10, 4, 0) }, 305 { INFO("m25p20", 0x202012, 0, 64 << 10, 4, 0) }, 306 { INFO("m25p40", 0x202013, 0, 64 << 10, 8, 0) }, 307 { INFO("m25p80", 0x202014, 0, 64 << 10, 16, 0) }, 308 { INFO("m25p16", 0x202015, 0, 64 << 10, 32, 0) }, 309 { INFO("m25p32", 0x202016, 0, 64 << 10, 64, 0) }, 310 { INFO("m25p64", 0x202017, 0, 64 << 10, 128, 0) }, 311 { INFO("m25p128", 0x202018, 0, 256 << 10, 64, 0) }, 312 { INFO("n25q032", 0x20ba16, 0, 64 << 10, 64, 0) }, 313 314 { INFO("m45pe10", 0x204011, 0, 64 << 10, 2, 0) }, 315 { INFO("m45pe80", 0x204014, 0, 64 << 10, 16, 0) }, 316 { INFO("m45pe16", 0x204015, 0, 64 << 10, 32, 0) }, 317 318 { INFO("m25pe20", 0x208012, 0, 64 << 10, 4, 0) }, 319 { INFO("m25pe80", 0x208014, 0, 64 << 10, 16, 0) }, 320 { INFO("m25pe16", 0x208015, 0, 64 << 10, 32, ER_4K) }, 321 322 { INFO("m25px32", 0x207116, 0, 64 << 10, 64, ER_4K) }, 323 { INFO("m25px32-s0", 0x207316, 0, 64 << 10, 64, ER_4K) }, 324 { INFO("m25px32-s1", 0x206316, 0, 64 << 10, 64, ER_4K) }, 325 { INFO("m25px64", 0x207117, 0, 64 << 10, 128, 0) }, 326 327 /* Winbond -- w25x "blocks" are 64k, "sectors" are 4KiB */ 328 { INFO("w25x10", 0xef3011, 0, 64 << 10, 2, ER_4K) }, 329 { INFO("w25x20", 0xef3012, 0, 64 << 10, 4, ER_4K) }, 330 { INFO("w25x40", 0xef3013, 0, 64 << 10, 8, ER_4K) }, 331 { INFO("w25x80", 0xef3014, 0, 64 << 10, 16, ER_4K) }, 332 { INFO("w25x16", 0xef3015, 0, 64 << 10, 32, ER_4K) }, 333 { INFO("w25x32", 0xef3016, 0, 64 << 10, 64, ER_4K) }, 334 { INFO("w25q32", 0xef4016, 0, 64 << 10, 64, ER_4K) }, 335 { INFO("w25q32dw", 0xef6016, 0, 64 << 10, 64, ER_4K) }, 336 { INFO("w25x64", 0xef3017, 0, 64 << 10, 128, ER_4K) }, 337 { INFO("w25q64", 0xef4017, 0, 64 << 10, 128, ER_4K) }, 338 { INFO("w25q80", 0xef5014, 0, 64 << 10, 16, ER_4K) }, 339 { INFO("w25q80bl", 0xef4014, 0, 64 << 10, 16, ER_4K) }, 340 { INFO("w25q256", 0xef4019, 0, 64 << 10, 512, ER_4K) }, 341 { INFO("w25q512jv", 0xef4020, 0, 64 << 10, 1024, ER_4K) }, 342 { INFO("w25q01jvq", 0xef4021, 0, 64 << 10, 2048, ER_4K) }, 343 }; 344 345 typedef enum { 346 NOP = 0, 347 WRSR = 0x1, 348 WRDI = 0x4, 349 RDSR = 0x5, 350 WREN = 0x6, 351 BRRD = 0x16, 352 BRWR = 0x17, 353 JEDEC_READ = 0x9f, 354 BULK_ERASE_60 = 0x60, 355 BULK_ERASE = 0xc7, 356 READ_FSR = 0x70, 357 RDCR = 0x15, 358 359 READ = 0x03, 360 READ4 = 0x13, 361 FAST_READ = 0x0b, 362 FAST_READ4 = 0x0c, 363 DOR = 0x3b, 364 DOR4 = 0x3c, 365 QOR = 0x6b, 366 QOR4 = 0x6c, 367 DIOR = 0xbb, 368 DIOR4 = 0xbc, 369 QIOR = 0xeb, 370 QIOR4 = 0xec, 371 372 PP = 0x02, 373 PP4 = 0x12, 374 PP4_4 = 0x3e, 375 DPP = 0xa2, 376 QPP = 0x32, 377 QPP_4 = 0x34, 378 RDID_90 = 0x90, 379 RDID_AB = 0xab, 380 AAI_WP = 0xad, 381 382 ERASE_4K = 0x20, 383 ERASE4_4K = 0x21, 384 ERASE_32K = 0x52, 385 ERASE4_32K = 0x5c, 386 ERASE_SECTOR = 0xd8, 387 ERASE4_SECTOR = 0xdc, 388 389 EN_4BYTE_ADDR = 0xB7, 390 EX_4BYTE_ADDR = 0xE9, 391 392 EXTEND_ADDR_READ = 0xC8, 393 EXTEND_ADDR_WRITE = 0xC5, 394 395 RESET_ENABLE = 0x66, 396 RESET_MEMORY = 0x99, 397 398 /* 399 * Micron: 0x35 - enable QPI 400 * Spansion: 0x35 - read control register 401 */ 402 RDCR_EQIO = 0x35, 403 RSTQIO = 0xf5, 404 405 RNVCR = 0xB5, 406 WNVCR = 0xB1, 407 408 RVCR = 0x85, 409 WVCR = 0x81, 410 411 REVCR = 0x65, 412 WEVCR = 0x61, 413 414 DIE_ERASE = 0xC4, 415 } FlashCMD; 416 417 typedef enum { 418 STATE_IDLE, 419 STATE_PAGE_PROGRAM, 420 STATE_READ, 421 STATE_COLLECTING_DATA, 422 STATE_COLLECTING_VAR_LEN_DATA, 423 STATE_READING_DATA, 424 } CMDState; 425 426 typedef enum { 427 MAN_SPANSION, 428 MAN_MACRONIX, 429 MAN_NUMONYX, 430 MAN_WINBOND, 431 MAN_SST, 432 MAN_ISSI, 433 MAN_GENERIC, 434 } Manufacturer; 435 436 typedef enum { 437 MODE_STD = 0, 438 MODE_DIO = 1, 439 MODE_QIO = 2 440 } SPIMode; 441 442 #define M25P80_INTERNAL_DATA_BUFFER_SZ 16 443 444 struct Flash { 445 SSIPeripheral parent_obj; 446 447 BlockBackend *blk; 448 449 uint8_t *storage; 450 uint32_t size; 451 int page_size; 452 453 uint8_t state; 454 uint8_t data[M25P80_INTERNAL_DATA_BUFFER_SZ]; 455 uint32_t len; 456 uint32_t pos; 457 bool data_read_loop; 458 uint8_t needed_bytes; 459 uint8_t cmd_in_progress; 460 uint32_t cur_addr; 461 uint32_t nonvolatile_cfg; 462 /* Configuration register for Macronix */ 463 uint32_t volatile_cfg; 464 uint32_t enh_volatile_cfg; 465 /* Spansion cfg registers. */ 466 uint8_t spansion_cr1nv; 467 uint8_t spansion_cr2nv; 468 uint8_t spansion_cr3nv; 469 uint8_t spansion_cr4nv; 470 uint8_t spansion_cr1v; 471 uint8_t spansion_cr2v; 472 uint8_t spansion_cr3v; 473 uint8_t spansion_cr4v; 474 bool wp_level; 475 bool write_enable; 476 bool four_bytes_address_mode; 477 bool reset_enable; 478 bool quad_enable; 479 bool aai_enable; 480 bool block_protect0; 481 bool block_protect1; 482 bool block_protect2; 483 bool block_protect3; 484 bool top_bottom_bit; 485 bool status_register_write_disabled; 486 uint8_t ear; 487 488 int64_t dirty_page; 489 490 const FlashPartInfo *pi; 491 492 }; 493 494 struct M25P80Class { 495 SSIPeripheralClass parent_class; 496 FlashPartInfo *pi; 497 }; 498 499 #define TYPE_M25P80 "m25p80-generic" 500 OBJECT_DECLARE_TYPE(Flash, M25P80Class, M25P80) 501 502 static inline Manufacturer get_man(Flash *s) 503 { 504 switch (s->pi->id[0]) { 505 case 0x20: 506 return MAN_NUMONYX; 507 case 0xEF: 508 return MAN_WINBOND; 509 case 0x01: 510 return MAN_SPANSION; 511 case 0xC2: 512 return MAN_MACRONIX; 513 case 0xBF: 514 return MAN_SST; 515 case 0x9D: 516 return MAN_ISSI; 517 default: 518 return MAN_GENERIC; 519 } 520 } 521 522 static void blk_sync_complete(void *opaque, int ret) 523 { 524 QEMUIOVector *iov = opaque; 525 526 qemu_iovec_destroy(iov); 527 g_free(iov); 528 529 /* do nothing. Masters do not directly interact with the backing store, 530 * only the working copy so no mutexing required. 531 */ 532 } 533 534 static void flash_sync_page(Flash *s, int page) 535 { 536 QEMUIOVector *iov; 537 538 if (!s->blk || !blk_is_writable(s->blk)) { 539 return; 540 } 541 542 iov = g_new(QEMUIOVector, 1); 543 qemu_iovec_init(iov, 1); 544 qemu_iovec_add(iov, s->storage + page * s->pi->page_size, 545 s->pi->page_size); 546 blk_aio_pwritev(s->blk, page * s->pi->page_size, iov, 0, 547 blk_sync_complete, iov); 548 } 549 550 static inline void flash_sync_area(Flash *s, int64_t off, int64_t len) 551 { 552 QEMUIOVector *iov; 553 554 if (!s->blk || !blk_is_writable(s->blk)) { 555 return; 556 } 557 558 assert(!(len % BDRV_SECTOR_SIZE)); 559 iov = g_new(QEMUIOVector, 1); 560 qemu_iovec_init(iov, 1); 561 qemu_iovec_add(iov, s->storage + off, len); 562 blk_aio_pwritev(s->blk, off, iov, 0, blk_sync_complete, iov); 563 } 564 565 static void flash_erase(Flash *s, int offset, FlashCMD cmd) 566 { 567 uint32_t len; 568 uint8_t capa_to_assert = 0; 569 570 switch (cmd) { 571 case ERASE_4K: 572 case ERASE4_4K: 573 len = 4 * KiB; 574 capa_to_assert = ER_4K; 575 break; 576 case ERASE_32K: 577 case ERASE4_32K: 578 len = 32 * KiB; 579 capa_to_assert = ER_32K; 580 break; 581 case ERASE_SECTOR: 582 case ERASE4_SECTOR: 583 len = s->pi->sector_size; 584 break; 585 case BULK_ERASE: 586 len = s->size; 587 break; 588 case DIE_ERASE: 589 if (s->pi->die_cnt) { 590 len = s->size / s->pi->die_cnt; 591 offset = offset & (~(len - 1)); 592 } else { 593 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: die erase is not supported" 594 " by device\n"); 595 return; 596 } 597 break; 598 default: 599 abort(); 600 } 601 602 trace_m25p80_flash_erase(s, offset, len); 603 604 if ((s->pi->flags & capa_to_assert) != capa_to_assert) { 605 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: %d erase size not supported by" 606 " device\n", len); 607 } 608 609 if (!s->write_enable) { 610 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase with write protect!\n"); 611 return; 612 } 613 memset(s->storage + offset, 0xff, len); 614 flash_sync_area(s, offset, len); 615 } 616 617 static inline void flash_sync_dirty(Flash *s, int64_t newpage) 618 { 619 if (s->dirty_page >= 0 && s->dirty_page != newpage) { 620 flash_sync_page(s, s->dirty_page); 621 s->dirty_page = newpage; 622 } 623 } 624 625 static inline 626 void flash_write8(Flash *s, uint32_t addr, uint8_t data) 627 { 628 uint32_t page = addr / s->pi->page_size; 629 uint8_t prev = s->storage[s->cur_addr]; 630 uint32_t block_protect_value = (s->block_protect3 << 3) | 631 (s->block_protect2 << 2) | 632 (s->block_protect1 << 1) | 633 (s->block_protect0 << 0); 634 635 if (!s->write_enable) { 636 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: write with write protect!\n"); 637 return; 638 } 639 640 if (block_protect_value > 0) { 641 uint32_t num_protected_sectors = 1 << (block_protect_value - 1); 642 uint32_t sector = addr / s->pi->sector_size; 643 644 /* top_bottom_bit == 0 means TOP */ 645 if (!s->top_bottom_bit) { 646 if (s->pi->n_sectors <= sector + num_protected_sectors) { 647 qemu_log_mask(LOG_GUEST_ERROR, 648 "M25P80: write with write protect!\n"); 649 return; 650 } 651 } else { 652 if (sector < num_protected_sectors) { 653 qemu_log_mask(LOG_GUEST_ERROR, 654 "M25P80: write with write protect!\n"); 655 return; 656 } 657 } 658 } 659 660 if ((prev ^ data) & data) { 661 trace_m25p80_programming_zero_to_one(s, addr, prev, data); 662 } 663 664 if (s->pi->flags & EEPROM) { 665 s->storage[s->cur_addr] = data; 666 } else { 667 s->storage[s->cur_addr] &= data; 668 } 669 670 flash_sync_dirty(s, page); 671 s->dirty_page = page; 672 } 673 674 static inline int get_addr_length(Flash *s) 675 { 676 /* check if eeprom is in use */ 677 if (s->pi->flags == EEPROM) { 678 return 2; 679 } 680 681 switch (s->cmd_in_progress) { 682 case PP4: 683 case PP4_4: 684 case QPP_4: 685 case READ4: 686 case QIOR4: 687 case ERASE4_4K: 688 case ERASE4_32K: 689 case ERASE4_SECTOR: 690 case FAST_READ4: 691 case DOR4: 692 case QOR4: 693 case DIOR4: 694 return 4; 695 default: 696 return s->four_bytes_address_mode ? 4 : 3; 697 } 698 } 699 700 static void complete_collecting_data(Flash *s) 701 { 702 int i, n; 703 704 n = get_addr_length(s); 705 s->cur_addr = (n == 3 ? s->ear : 0); 706 for (i = 0; i < n; ++i) { 707 s->cur_addr <<= 8; 708 s->cur_addr |= s->data[i]; 709 } 710 711 s->cur_addr &= s->size - 1; 712 713 s->state = STATE_IDLE; 714 715 trace_m25p80_complete_collecting(s, s->cmd_in_progress, n, s->ear, 716 s->cur_addr); 717 718 switch (s->cmd_in_progress) { 719 case DPP: 720 case QPP: 721 case QPP_4: 722 case PP: 723 case PP4: 724 case PP4_4: 725 s->state = STATE_PAGE_PROGRAM; 726 break; 727 case AAI_WP: 728 /* AAI programming starts from the even address */ 729 s->cur_addr &= ~BIT(0); 730 s->state = STATE_PAGE_PROGRAM; 731 break; 732 case READ: 733 case READ4: 734 case FAST_READ: 735 case FAST_READ4: 736 case DOR: 737 case DOR4: 738 case QOR: 739 case QOR4: 740 case DIOR: 741 case DIOR4: 742 case QIOR: 743 case QIOR4: 744 s->state = STATE_READ; 745 break; 746 case ERASE_4K: 747 case ERASE4_4K: 748 case ERASE_32K: 749 case ERASE4_32K: 750 case ERASE_SECTOR: 751 case ERASE4_SECTOR: 752 case DIE_ERASE: 753 flash_erase(s, s->cur_addr, s->cmd_in_progress); 754 break; 755 case WRSR: 756 s->status_register_write_disabled = extract32(s->data[0], 7, 1); 757 s->block_protect0 = extract32(s->data[0], 2, 1); 758 s->block_protect1 = extract32(s->data[0], 3, 1); 759 s->block_protect2 = extract32(s->data[0], 4, 1); 760 if (s->pi->flags & HAS_SR_TB) { 761 s->top_bottom_bit = extract32(s->data[0], 5, 1); 762 } 763 if (s->pi->flags & HAS_SR_BP3_BIT6) { 764 s->block_protect3 = extract32(s->data[0], 6, 1); 765 } 766 767 switch (get_man(s)) { 768 case MAN_SPANSION: 769 s->quad_enable = !!(s->data[1] & 0x02); 770 break; 771 case MAN_ISSI: 772 s->quad_enable = extract32(s->data[0], 6, 1); 773 break; 774 case MAN_MACRONIX: 775 s->quad_enable = extract32(s->data[0], 6, 1); 776 if (s->len > 1) { 777 s->volatile_cfg = s->data[1]; 778 s->four_bytes_address_mode = extract32(s->data[1], 5, 1); 779 } 780 break; 781 default: 782 break; 783 } 784 if (s->write_enable) { 785 s->write_enable = false; 786 } 787 break; 788 case BRWR: 789 case EXTEND_ADDR_WRITE: 790 s->ear = s->data[0]; 791 break; 792 case WNVCR: 793 s->nonvolatile_cfg = s->data[0] | (s->data[1] << 8); 794 break; 795 case WVCR: 796 s->volatile_cfg = s->data[0]; 797 break; 798 case WEVCR: 799 s->enh_volatile_cfg = s->data[0]; 800 break; 801 case RDID_90: 802 case RDID_AB: 803 if (get_man(s) == MAN_SST) { 804 if (s->cur_addr <= 1) { 805 if (s->cur_addr) { 806 s->data[0] = s->pi->id[2]; 807 s->data[1] = s->pi->id[0]; 808 } else { 809 s->data[0] = s->pi->id[0]; 810 s->data[1] = s->pi->id[2]; 811 } 812 s->pos = 0; 813 s->len = 2; 814 s->data_read_loop = true; 815 s->state = STATE_READING_DATA; 816 } else { 817 qemu_log_mask(LOG_GUEST_ERROR, 818 "M25P80: Invalid read id address\n"); 819 } 820 } else { 821 qemu_log_mask(LOG_GUEST_ERROR, 822 "M25P80: Read id (command 0x90/0xAB) is not supported" 823 " by device\n"); 824 } 825 break; 826 default: 827 break; 828 } 829 } 830 831 static void reset_memory(Flash *s) 832 { 833 s->cmd_in_progress = NOP; 834 s->cur_addr = 0; 835 s->ear = 0; 836 s->four_bytes_address_mode = false; 837 s->len = 0; 838 s->needed_bytes = 0; 839 s->pos = 0; 840 s->state = STATE_IDLE; 841 s->write_enable = false; 842 s->reset_enable = false; 843 s->quad_enable = false; 844 s->aai_enable = false; 845 846 switch (get_man(s)) { 847 case MAN_NUMONYX: 848 s->volatile_cfg = 0; 849 s->volatile_cfg |= VCFG_DUMMY; 850 s->volatile_cfg |= VCFG_WRAP_SEQUENTIAL; 851 if ((s->nonvolatile_cfg & NVCFG_XIP_MODE_MASK) 852 == NVCFG_XIP_MODE_DISABLED) { 853 s->volatile_cfg |= VCFG_XIP_MODE_DISABLED; 854 } 855 s->volatile_cfg |= deposit32(s->volatile_cfg, 856 VCFG_DUMMY_CLK_POS, 857 CFG_DUMMY_CLK_LEN, 858 extract32(s->nonvolatile_cfg, 859 NVCFG_DUMMY_CLK_POS, 860 CFG_DUMMY_CLK_LEN) 861 ); 862 863 s->enh_volatile_cfg = 0; 864 s->enh_volatile_cfg |= EVCFG_OUT_DRIVER_STRENGTH_DEF; 865 s->enh_volatile_cfg |= EVCFG_VPP_ACCELERATOR; 866 s->enh_volatile_cfg |= EVCFG_RESET_HOLD_ENABLED; 867 if (s->nonvolatile_cfg & NVCFG_DUAL_IO_MASK) { 868 s->enh_volatile_cfg |= EVCFG_DUAL_IO_DISABLED; 869 } 870 if (s->nonvolatile_cfg & NVCFG_QUAD_IO_MASK) { 871 s->enh_volatile_cfg |= EVCFG_QUAD_IO_DISABLED; 872 } 873 if (!(s->nonvolatile_cfg & NVCFG_4BYTE_ADDR_MASK)) { 874 s->four_bytes_address_mode = true; 875 } 876 if (!(s->nonvolatile_cfg & NVCFG_LOWER_SEGMENT_MASK)) { 877 s->ear = s->size / MAX_3BYTES_SIZE - 1; 878 } 879 break; 880 case MAN_MACRONIX: 881 s->volatile_cfg = 0x7; 882 break; 883 case MAN_SPANSION: 884 s->spansion_cr1v = s->spansion_cr1nv; 885 s->spansion_cr2v = s->spansion_cr2nv; 886 s->spansion_cr3v = s->spansion_cr3nv; 887 s->spansion_cr4v = s->spansion_cr4nv; 888 s->quad_enable = extract32(s->spansion_cr1v, 889 SPANSION_QUAD_CFG_POS, 890 SPANSION_QUAD_CFG_LEN 891 ); 892 s->four_bytes_address_mode = extract32(s->spansion_cr2v, 893 SPANSION_ADDR_LEN_POS, 894 SPANSION_ADDR_LEN_LEN 895 ); 896 break; 897 default: 898 break; 899 } 900 901 trace_m25p80_reset_done(s); 902 } 903 904 static uint8_t numonyx_mode(Flash *s) 905 { 906 if (!(s->enh_volatile_cfg & EVCFG_QUAD_IO_DISABLED)) { 907 return MODE_QIO; 908 } else if (!(s->enh_volatile_cfg & EVCFG_DUAL_IO_DISABLED)) { 909 return MODE_DIO; 910 } else { 911 return MODE_STD; 912 } 913 } 914 915 static uint8_t numonyx_extract_cfg_num_dummies(Flash *s) 916 { 917 uint8_t num_dummies; 918 uint8_t mode; 919 assert(get_man(s) == MAN_NUMONYX); 920 921 mode = numonyx_mode(s); 922 num_dummies = extract32(s->volatile_cfg, 4, 4); 923 924 if (num_dummies == 0x0 || num_dummies == 0xf) { 925 switch (s->cmd_in_progress) { 926 case QIOR: 927 case QIOR4: 928 num_dummies = 10; 929 break; 930 default: 931 num_dummies = (mode == MODE_QIO) ? 10 : 8; 932 break; 933 } 934 } 935 936 return num_dummies; 937 } 938 939 static void decode_fast_read_cmd(Flash *s) 940 { 941 s->needed_bytes = get_addr_length(s); 942 switch (get_man(s)) { 943 /* Dummy cycles - modeled with bytes writes instead of bits */ 944 case MAN_SST: 945 s->needed_bytes += 1; 946 break; 947 case MAN_WINBOND: 948 s->needed_bytes += 8; 949 break; 950 case MAN_NUMONYX: 951 s->needed_bytes += numonyx_extract_cfg_num_dummies(s); 952 break; 953 case MAN_MACRONIX: 954 if (extract32(s->volatile_cfg, 6, 2) == 1) { 955 s->needed_bytes += 6; 956 } else { 957 s->needed_bytes += 8; 958 } 959 break; 960 case MAN_SPANSION: 961 s->needed_bytes += extract32(s->spansion_cr2v, 962 SPANSION_DUMMY_CLK_POS, 963 SPANSION_DUMMY_CLK_LEN 964 ); 965 break; 966 case MAN_ISSI: 967 /* 968 * The Fast Read instruction code is followed by address bytes and 969 * dummy cycles, transmitted via the SI line. 970 * 971 * The number of dummy cycles is configurable but this is currently 972 * unmodeled, hence the default value 8 is used. 973 * 974 * QPI (Quad Peripheral Interface) mode has different default value 975 * of dummy cycles, but this is unsupported at the time being. 976 */ 977 s->needed_bytes += 1; 978 break; 979 default: 980 break; 981 } 982 s->pos = 0; 983 s->len = 0; 984 s->state = STATE_COLLECTING_DATA; 985 } 986 987 static void decode_dio_read_cmd(Flash *s) 988 { 989 s->needed_bytes = get_addr_length(s); 990 /* Dummy cycles modeled with bytes writes instead of bits */ 991 switch (get_man(s)) { 992 case MAN_WINBOND: 993 s->needed_bytes += WINBOND_CONTINUOUS_READ_MODE_CMD_LEN; 994 break; 995 case MAN_SPANSION: 996 s->needed_bytes += SPANSION_CONTINUOUS_READ_MODE_CMD_LEN; 997 s->needed_bytes += extract32(s->spansion_cr2v, 998 SPANSION_DUMMY_CLK_POS, 999 SPANSION_DUMMY_CLK_LEN 1000 ); 1001 break; 1002 case MAN_NUMONYX: 1003 s->needed_bytes += numonyx_extract_cfg_num_dummies(s); 1004 break; 1005 case MAN_MACRONIX: 1006 switch (extract32(s->volatile_cfg, 6, 2)) { 1007 case 1: 1008 s->needed_bytes += 6; 1009 break; 1010 case 2: 1011 s->needed_bytes += 8; 1012 break; 1013 default: 1014 s->needed_bytes += 4; 1015 break; 1016 } 1017 break; 1018 case MAN_ISSI: 1019 /* 1020 * The Fast Read Dual I/O instruction code is followed by address bytes 1021 * and dummy cycles, transmitted via the IO1 and IO0 line. 1022 * 1023 * The number of dummy cycles is configurable but this is currently 1024 * unmodeled, hence the default value 4 is used. 1025 */ 1026 s->needed_bytes += 1; 1027 break; 1028 default: 1029 break; 1030 } 1031 s->pos = 0; 1032 s->len = 0; 1033 s->state = STATE_COLLECTING_DATA; 1034 } 1035 1036 static void decode_qio_read_cmd(Flash *s) 1037 { 1038 s->needed_bytes = get_addr_length(s); 1039 /* Dummy cycles modeled with bytes writes instead of bits */ 1040 switch (get_man(s)) { 1041 case MAN_WINBOND: 1042 s->needed_bytes += WINBOND_CONTINUOUS_READ_MODE_CMD_LEN; 1043 s->needed_bytes += 4; 1044 break; 1045 case MAN_SPANSION: 1046 s->needed_bytes += SPANSION_CONTINUOUS_READ_MODE_CMD_LEN; 1047 s->needed_bytes += extract32(s->spansion_cr2v, 1048 SPANSION_DUMMY_CLK_POS, 1049 SPANSION_DUMMY_CLK_LEN 1050 ); 1051 break; 1052 case MAN_NUMONYX: 1053 s->needed_bytes += numonyx_extract_cfg_num_dummies(s); 1054 break; 1055 case MAN_MACRONIX: 1056 switch (extract32(s->volatile_cfg, 6, 2)) { 1057 case 1: 1058 s->needed_bytes += 4; 1059 break; 1060 case 2: 1061 s->needed_bytes += 8; 1062 break; 1063 default: 1064 s->needed_bytes += 6; 1065 break; 1066 } 1067 break; 1068 case MAN_ISSI: 1069 /* 1070 * The Fast Read Quad I/O instruction code is followed by address bytes 1071 * and dummy cycles, transmitted via the IO3, IO2, IO1 and IO0 line. 1072 * 1073 * The number of dummy cycles is configurable but this is currently 1074 * unmodeled, hence the default value 6 is used. 1075 * 1076 * QPI (Quad Peripheral Interface) mode has different default value 1077 * of dummy cycles, but this is unsupported at the time being. 1078 */ 1079 s->needed_bytes += 3; 1080 break; 1081 default: 1082 break; 1083 } 1084 s->pos = 0; 1085 s->len = 0; 1086 s->state = STATE_COLLECTING_DATA; 1087 } 1088 1089 static bool is_valid_aai_cmd(uint32_t cmd) 1090 { 1091 return cmd == AAI_WP || cmd == WRDI || cmd == RDSR; 1092 } 1093 1094 static void decode_new_cmd(Flash *s, uint32_t value) 1095 { 1096 int i; 1097 1098 s->cmd_in_progress = value; 1099 trace_m25p80_command_decoded(s, value); 1100 1101 if (value != RESET_MEMORY) { 1102 s->reset_enable = false; 1103 } 1104 1105 if (get_man(s) == MAN_SST && s->aai_enable && !is_valid_aai_cmd(value)) { 1106 qemu_log_mask(LOG_GUEST_ERROR, 1107 "M25P80: Invalid cmd within AAI programming sequence"); 1108 } 1109 1110 switch (value) { 1111 1112 case ERASE_4K: 1113 case ERASE4_4K: 1114 case ERASE_32K: 1115 case ERASE4_32K: 1116 case ERASE_SECTOR: 1117 case ERASE4_SECTOR: 1118 case PP: 1119 case PP4: 1120 case DIE_ERASE: 1121 case RDID_90: 1122 case RDID_AB: 1123 s->needed_bytes = get_addr_length(s); 1124 s->pos = 0; 1125 s->len = 0; 1126 s->state = STATE_COLLECTING_DATA; 1127 break; 1128 case READ: 1129 case READ4: 1130 if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) == MODE_STD) { 1131 s->needed_bytes = get_addr_length(s); 1132 s->pos = 0; 1133 s->len = 0; 1134 s->state = STATE_COLLECTING_DATA; 1135 } else { 1136 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in " 1137 "DIO or QIO mode\n", s->cmd_in_progress); 1138 } 1139 break; 1140 case DPP: 1141 if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_QIO) { 1142 s->needed_bytes = get_addr_length(s); 1143 s->pos = 0; 1144 s->len = 0; 1145 s->state = STATE_COLLECTING_DATA; 1146 } else { 1147 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in " 1148 "QIO mode\n", s->cmd_in_progress); 1149 } 1150 break; 1151 case QPP: 1152 case QPP_4: 1153 case PP4_4: 1154 if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_DIO) { 1155 s->needed_bytes = get_addr_length(s); 1156 s->pos = 0; 1157 s->len = 0; 1158 s->state = STATE_COLLECTING_DATA; 1159 } else { 1160 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in " 1161 "DIO mode\n", s->cmd_in_progress); 1162 } 1163 break; 1164 1165 case FAST_READ: 1166 case FAST_READ4: 1167 decode_fast_read_cmd(s); 1168 break; 1169 case DOR: 1170 case DOR4: 1171 if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_QIO) { 1172 decode_fast_read_cmd(s); 1173 } else { 1174 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in " 1175 "QIO mode\n", s->cmd_in_progress); 1176 } 1177 break; 1178 case QOR: 1179 case QOR4: 1180 if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_DIO) { 1181 decode_fast_read_cmd(s); 1182 } else { 1183 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in " 1184 "DIO mode\n", s->cmd_in_progress); 1185 } 1186 break; 1187 1188 case DIOR: 1189 case DIOR4: 1190 if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_QIO) { 1191 decode_dio_read_cmd(s); 1192 } else { 1193 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in " 1194 "QIO mode\n", s->cmd_in_progress); 1195 } 1196 break; 1197 1198 case QIOR: 1199 case QIOR4: 1200 if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_DIO) { 1201 decode_qio_read_cmd(s); 1202 } else { 1203 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in " 1204 "DIO mode\n", s->cmd_in_progress); 1205 } 1206 break; 1207 1208 case WRSR: 1209 /* 1210 * If WP# is low and status_register_write_disabled is high, 1211 * status register writes are disabled. 1212 * This is also called "hardware protected mode" (HPM). All other 1213 * combinations of the two states are called "software protected mode" 1214 * (SPM), and status register writes are permitted. 1215 */ 1216 if ((s->wp_level == 0 && s->status_register_write_disabled) 1217 || !s->write_enable) { 1218 qemu_log_mask(LOG_GUEST_ERROR, 1219 "M25P80: Status register write is disabled!\n"); 1220 break; 1221 } 1222 1223 switch (get_man(s)) { 1224 case MAN_SPANSION: 1225 s->needed_bytes = 2; 1226 s->state = STATE_COLLECTING_DATA; 1227 break; 1228 case MAN_MACRONIX: 1229 s->needed_bytes = 2; 1230 s->state = STATE_COLLECTING_VAR_LEN_DATA; 1231 break; 1232 default: 1233 s->needed_bytes = 1; 1234 s->state = STATE_COLLECTING_DATA; 1235 } 1236 s->pos = 0; 1237 break; 1238 1239 case WRDI: 1240 s->write_enable = false; 1241 if (get_man(s) == MAN_SST) { 1242 s->aai_enable = false; 1243 } 1244 break; 1245 case WREN: 1246 s->write_enable = true; 1247 break; 1248 1249 case RDSR: 1250 s->data[0] = (!!s->write_enable) << 1; 1251 s->data[0] |= (!!s->status_register_write_disabled) << 7; 1252 s->data[0] |= (!!s->block_protect0) << 2; 1253 s->data[0] |= (!!s->block_protect1) << 3; 1254 s->data[0] |= (!!s->block_protect2) << 4; 1255 if (s->pi->flags & HAS_SR_TB) { 1256 s->data[0] |= (!!s->top_bottom_bit) << 5; 1257 } 1258 if (s->pi->flags & HAS_SR_BP3_BIT6) { 1259 s->data[0] |= (!!s->block_protect3) << 6; 1260 } 1261 1262 if (get_man(s) == MAN_MACRONIX || get_man(s) == MAN_ISSI) { 1263 s->data[0] |= (!!s->quad_enable) << 6; 1264 } 1265 if (get_man(s) == MAN_SST) { 1266 s->data[0] |= (!!s->aai_enable) << 6; 1267 } 1268 1269 s->pos = 0; 1270 s->len = 1; 1271 s->data_read_loop = true; 1272 s->state = STATE_READING_DATA; 1273 break; 1274 1275 case READ_FSR: 1276 s->data[0] = FSR_FLASH_READY; 1277 if (s->four_bytes_address_mode) { 1278 s->data[0] |= FSR_4BYTE_ADDR_MODE_ENABLED; 1279 } 1280 s->pos = 0; 1281 s->len = 1; 1282 s->data_read_loop = true; 1283 s->state = STATE_READING_DATA; 1284 break; 1285 1286 case JEDEC_READ: 1287 if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) == MODE_STD) { 1288 trace_m25p80_populated_jedec(s); 1289 for (i = 0; i < s->pi->id_len; i++) { 1290 s->data[i] = s->pi->id[i]; 1291 } 1292 for (; i < SPI_NOR_MAX_ID_LEN; i++) { 1293 s->data[i] = 0; 1294 } 1295 1296 s->len = SPI_NOR_MAX_ID_LEN; 1297 s->pos = 0; 1298 s->state = STATE_READING_DATA; 1299 } else { 1300 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute JEDEC read " 1301 "in DIO or QIO mode\n"); 1302 } 1303 break; 1304 1305 case RDCR: 1306 s->data[0] = s->volatile_cfg & 0xFF; 1307 s->data[0] |= (!!s->four_bytes_address_mode) << 5; 1308 s->pos = 0; 1309 s->len = 1; 1310 s->state = STATE_READING_DATA; 1311 break; 1312 1313 case BULK_ERASE_60: 1314 case BULK_ERASE: 1315 if (s->write_enable) { 1316 trace_m25p80_chip_erase(s); 1317 flash_erase(s, 0, BULK_ERASE); 1318 } else { 1319 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: chip erase with write " 1320 "protect!\n"); 1321 } 1322 break; 1323 case NOP: 1324 break; 1325 case EN_4BYTE_ADDR: 1326 s->four_bytes_address_mode = true; 1327 break; 1328 case EX_4BYTE_ADDR: 1329 s->four_bytes_address_mode = false; 1330 break; 1331 case BRRD: 1332 case EXTEND_ADDR_READ: 1333 s->data[0] = s->ear; 1334 s->pos = 0; 1335 s->len = 1; 1336 s->state = STATE_READING_DATA; 1337 break; 1338 case BRWR: 1339 case EXTEND_ADDR_WRITE: 1340 if (s->write_enable) { 1341 s->needed_bytes = 1; 1342 s->pos = 0; 1343 s->len = 0; 1344 s->state = STATE_COLLECTING_DATA; 1345 } 1346 break; 1347 case RNVCR: 1348 s->data[0] = s->nonvolatile_cfg & 0xFF; 1349 s->data[1] = (s->nonvolatile_cfg >> 8) & 0xFF; 1350 s->pos = 0; 1351 s->len = 2; 1352 s->state = STATE_READING_DATA; 1353 break; 1354 case WNVCR: 1355 if (s->write_enable && get_man(s) == MAN_NUMONYX) { 1356 s->needed_bytes = 2; 1357 s->pos = 0; 1358 s->len = 0; 1359 s->state = STATE_COLLECTING_DATA; 1360 } 1361 break; 1362 case RVCR: 1363 s->data[0] = s->volatile_cfg & 0xFF; 1364 s->pos = 0; 1365 s->len = 1; 1366 s->state = STATE_READING_DATA; 1367 break; 1368 case WVCR: 1369 if (s->write_enable) { 1370 s->needed_bytes = 1; 1371 s->pos = 0; 1372 s->len = 0; 1373 s->state = STATE_COLLECTING_DATA; 1374 } 1375 break; 1376 case REVCR: 1377 s->data[0] = s->enh_volatile_cfg & 0xFF; 1378 s->pos = 0; 1379 s->len = 1; 1380 s->state = STATE_READING_DATA; 1381 break; 1382 case WEVCR: 1383 if (s->write_enable) { 1384 s->needed_bytes = 1; 1385 s->pos = 0; 1386 s->len = 0; 1387 s->state = STATE_COLLECTING_DATA; 1388 } 1389 break; 1390 case RESET_ENABLE: 1391 s->reset_enable = true; 1392 break; 1393 case RESET_MEMORY: 1394 if (s->reset_enable) { 1395 reset_memory(s); 1396 } 1397 break; 1398 case RDCR_EQIO: 1399 switch (get_man(s)) { 1400 case MAN_SPANSION: 1401 s->data[0] = (!!s->quad_enable) << 1; 1402 s->pos = 0; 1403 s->len = 1; 1404 s->state = STATE_READING_DATA; 1405 break; 1406 case MAN_MACRONIX: 1407 s->quad_enable = true; 1408 break; 1409 default: 1410 break; 1411 } 1412 break; 1413 case RSTQIO: 1414 s->quad_enable = false; 1415 break; 1416 case AAI_WP: 1417 if (get_man(s) == MAN_SST) { 1418 if (s->write_enable) { 1419 if (s->aai_enable) { 1420 s->state = STATE_PAGE_PROGRAM; 1421 } else { 1422 s->aai_enable = true; 1423 s->needed_bytes = get_addr_length(s); 1424 s->state = STATE_COLLECTING_DATA; 1425 } 1426 } else { 1427 qemu_log_mask(LOG_GUEST_ERROR, 1428 "M25P80: AAI_WP with write protect\n"); 1429 } 1430 } else { 1431 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Unknown cmd %x\n", value); 1432 } 1433 break; 1434 default: 1435 s->pos = 0; 1436 s->len = 1; 1437 s->state = STATE_READING_DATA; 1438 s->data_read_loop = true; 1439 s->data[0] = 0; 1440 qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Unknown cmd %x\n", value); 1441 break; 1442 } 1443 } 1444 1445 static int m25p80_cs(SSIPeripheral *ss, bool select) 1446 { 1447 Flash *s = M25P80(ss); 1448 1449 if (select) { 1450 if (s->state == STATE_COLLECTING_VAR_LEN_DATA) { 1451 complete_collecting_data(s); 1452 } 1453 s->len = 0; 1454 s->pos = 0; 1455 s->state = STATE_IDLE; 1456 flash_sync_dirty(s, -1); 1457 s->data_read_loop = false; 1458 } 1459 1460 trace_m25p80_select(s, select ? "de" : ""); 1461 1462 return 0; 1463 } 1464 1465 static uint32_t m25p80_transfer8(SSIPeripheral *ss, uint32_t tx) 1466 { 1467 Flash *s = M25P80(ss); 1468 uint32_t r = 0; 1469 1470 trace_m25p80_transfer(s, s->state, s->len, s->needed_bytes, s->pos, 1471 s->cur_addr, (uint8_t)tx); 1472 1473 switch (s->state) { 1474 1475 case STATE_PAGE_PROGRAM: 1476 trace_m25p80_page_program(s, s->cur_addr, (uint8_t)tx); 1477 flash_write8(s, s->cur_addr, (uint8_t)tx); 1478 s->cur_addr = (s->cur_addr + 1) & (s->size - 1); 1479 1480 if (get_man(s) == MAN_SST && s->aai_enable && s->cur_addr == 0) { 1481 /* 1482 * There is no wrap mode during AAI programming once the highest 1483 * unprotected memory address is reached. The Write-Enable-Latch 1484 * bit is automatically reset, and AAI programming mode aborts. 1485 */ 1486 s->write_enable = false; 1487 s->aai_enable = false; 1488 } 1489 1490 break; 1491 1492 case STATE_READ: 1493 r = s->storage[s->cur_addr]; 1494 trace_m25p80_read_byte(s, s->cur_addr, (uint8_t)r); 1495 s->cur_addr = (s->cur_addr + 1) & (s->size - 1); 1496 break; 1497 1498 case STATE_COLLECTING_DATA: 1499 case STATE_COLLECTING_VAR_LEN_DATA: 1500 1501 if (s->len >= M25P80_INTERNAL_DATA_BUFFER_SZ) { 1502 qemu_log_mask(LOG_GUEST_ERROR, 1503 "M25P80: Write overrun internal data buffer. " 1504 "SPI controller (QEMU emulator or guest driver) " 1505 "is misbehaving\n"); 1506 s->len = s->pos = 0; 1507 s->state = STATE_IDLE; 1508 break; 1509 } 1510 1511 s->data[s->len] = (uint8_t)tx; 1512 s->len++; 1513 1514 if (s->len == s->needed_bytes) { 1515 complete_collecting_data(s); 1516 } 1517 break; 1518 1519 case STATE_READING_DATA: 1520 1521 if (s->pos >= M25P80_INTERNAL_DATA_BUFFER_SZ) { 1522 qemu_log_mask(LOG_GUEST_ERROR, 1523 "M25P80: Read overrun internal data buffer. " 1524 "SPI controller (QEMU emulator or guest driver) " 1525 "is misbehaving\n"); 1526 s->len = s->pos = 0; 1527 s->state = STATE_IDLE; 1528 break; 1529 } 1530 1531 r = s->data[s->pos]; 1532 trace_m25p80_read_data(s, s->pos, (uint8_t)r); 1533 s->pos++; 1534 if (s->pos == s->len) { 1535 s->pos = 0; 1536 if (!s->data_read_loop) { 1537 s->state = STATE_IDLE; 1538 } 1539 } 1540 break; 1541 1542 default: 1543 case STATE_IDLE: 1544 decode_new_cmd(s, (uint8_t)tx); 1545 break; 1546 } 1547 1548 return r; 1549 } 1550 1551 static void m25p80_write_protect_pin_irq_handler(void *opaque, int n, int level) 1552 { 1553 Flash *s = M25P80(opaque); 1554 /* WP# is just a single pin. */ 1555 assert(n == 0); 1556 s->wp_level = !!level; 1557 } 1558 1559 static void m25p80_realize(SSIPeripheral *ss, Error **errp) 1560 { 1561 Flash *s = M25P80(ss); 1562 M25P80Class *mc = M25P80_GET_CLASS(s); 1563 int ret; 1564 1565 s->pi = mc->pi; 1566 1567 s->size = s->pi->sector_size * s->pi->n_sectors; 1568 s->dirty_page = -1; 1569 1570 if (s->blk) { 1571 uint64_t perm = BLK_PERM_CONSISTENT_READ | 1572 (blk_supports_write_perm(s->blk) ? BLK_PERM_WRITE : 0); 1573 ret = blk_set_perm(s->blk, perm, BLK_PERM_ALL, errp); 1574 if (ret < 0) { 1575 return; 1576 } 1577 1578 trace_m25p80_binding(s); 1579 s->storage = blk_blockalign(s->blk, s->size); 1580 1581 if (blk_pread(s->blk, 0, s->size, s->storage, 0) < 0) { 1582 error_setg(errp, "failed to read the initial flash content"); 1583 return; 1584 } 1585 } else { 1586 trace_m25p80_binding_no_bdrv(s); 1587 s->storage = blk_blockalign(NULL, s->size); 1588 memset(s->storage, 0xFF, s->size); 1589 } 1590 1591 qdev_init_gpio_in_named(DEVICE(s), 1592 m25p80_write_protect_pin_irq_handler, "WP#", 1); 1593 } 1594 1595 static void m25p80_reset(DeviceState *d) 1596 { 1597 Flash *s = M25P80(d); 1598 1599 s->wp_level = true; 1600 s->status_register_write_disabled = false; 1601 s->block_protect0 = false; 1602 s->block_protect1 = false; 1603 s->block_protect2 = false; 1604 s->block_protect3 = false; 1605 s->top_bottom_bit = false; 1606 1607 reset_memory(s); 1608 } 1609 1610 static int m25p80_pre_save(void *opaque) 1611 { 1612 flash_sync_dirty((Flash *)opaque, -1); 1613 1614 return 0; 1615 } 1616 1617 static Property m25p80_properties[] = { 1618 /* This is default value for Micron flash */ 1619 DEFINE_PROP_BOOL("write-enable", Flash, write_enable, false), 1620 DEFINE_PROP_UINT32("nonvolatile-cfg", Flash, nonvolatile_cfg, 0x8FFF), 1621 DEFINE_PROP_UINT8("spansion-cr1nv", Flash, spansion_cr1nv, 0x0), 1622 DEFINE_PROP_UINT8("spansion-cr2nv", Flash, spansion_cr2nv, 0x8), 1623 DEFINE_PROP_UINT8("spansion-cr3nv", Flash, spansion_cr3nv, 0x2), 1624 DEFINE_PROP_UINT8("spansion-cr4nv", Flash, spansion_cr4nv, 0x10), 1625 DEFINE_PROP_DRIVE("drive", Flash, blk), 1626 DEFINE_PROP_END_OF_LIST(), 1627 }; 1628 1629 static int m25p80_pre_load(void *opaque) 1630 { 1631 Flash *s = (Flash *)opaque; 1632 1633 s->data_read_loop = false; 1634 return 0; 1635 } 1636 1637 static bool m25p80_data_read_loop_needed(void *opaque) 1638 { 1639 Flash *s = (Flash *)opaque; 1640 1641 return s->data_read_loop; 1642 } 1643 1644 static const VMStateDescription vmstate_m25p80_data_read_loop = { 1645 .name = "m25p80/data_read_loop", 1646 .version_id = 1, 1647 .minimum_version_id = 1, 1648 .needed = m25p80_data_read_loop_needed, 1649 .fields = (VMStateField[]) { 1650 VMSTATE_BOOL(data_read_loop, Flash), 1651 VMSTATE_END_OF_LIST() 1652 } 1653 }; 1654 1655 static bool m25p80_aai_enable_needed(void *opaque) 1656 { 1657 Flash *s = (Flash *)opaque; 1658 1659 return s->aai_enable; 1660 } 1661 1662 static const VMStateDescription vmstate_m25p80_aai_enable = { 1663 .name = "m25p80/aai_enable", 1664 .version_id = 1, 1665 .minimum_version_id = 1, 1666 .needed = m25p80_aai_enable_needed, 1667 .fields = (VMStateField[]) { 1668 VMSTATE_BOOL(aai_enable, Flash), 1669 VMSTATE_END_OF_LIST() 1670 } 1671 }; 1672 1673 static bool m25p80_wp_level_srwd_needed(void *opaque) 1674 { 1675 Flash *s = (Flash *)opaque; 1676 1677 return !s->wp_level || s->status_register_write_disabled; 1678 } 1679 1680 static const VMStateDescription vmstate_m25p80_write_protect = { 1681 .name = "m25p80/write_protect", 1682 .version_id = 1, 1683 .minimum_version_id = 1, 1684 .needed = m25p80_wp_level_srwd_needed, 1685 .fields = (VMStateField[]) { 1686 VMSTATE_BOOL(wp_level, Flash), 1687 VMSTATE_BOOL(status_register_write_disabled, Flash), 1688 VMSTATE_END_OF_LIST() 1689 } 1690 }; 1691 1692 static bool m25p80_block_protect_needed(void *opaque) 1693 { 1694 Flash *s = (Flash *)opaque; 1695 1696 return s->block_protect0 || 1697 s->block_protect1 || 1698 s->block_protect2 || 1699 s->block_protect3 || 1700 s->top_bottom_bit; 1701 } 1702 1703 static const VMStateDescription vmstate_m25p80_block_protect = { 1704 .name = "m25p80/block_protect", 1705 .version_id = 1, 1706 .minimum_version_id = 1, 1707 .needed = m25p80_block_protect_needed, 1708 .fields = (VMStateField[]) { 1709 VMSTATE_BOOL(block_protect0, Flash), 1710 VMSTATE_BOOL(block_protect1, Flash), 1711 VMSTATE_BOOL(block_protect2, Flash), 1712 VMSTATE_BOOL(block_protect3, Flash), 1713 VMSTATE_BOOL(top_bottom_bit, Flash), 1714 VMSTATE_END_OF_LIST() 1715 } 1716 }; 1717 1718 static const VMStateDescription vmstate_m25p80 = { 1719 .name = "m25p80", 1720 .version_id = 0, 1721 .minimum_version_id = 0, 1722 .pre_save = m25p80_pre_save, 1723 .pre_load = m25p80_pre_load, 1724 .fields = (VMStateField[]) { 1725 VMSTATE_UINT8(state, Flash), 1726 VMSTATE_UINT8_ARRAY(data, Flash, M25P80_INTERNAL_DATA_BUFFER_SZ), 1727 VMSTATE_UINT32(len, Flash), 1728 VMSTATE_UINT32(pos, Flash), 1729 VMSTATE_UINT8(needed_bytes, Flash), 1730 VMSTATE_UINT8(cmd_in_progress, Flash), 1731 VMSTATE_UINT32(cur_addr, Flash), 1732 VMSTATE_BOOL(write_enable, Flash), 1733 VMSTATE_BOOL(reset_enable, Flash), 1734 VMSTATE_UINT8(ear, Flash), 1735 VMSTATE_BOOL(four_bytes_address_mode, Flash), 1736 VMSTATE_UINT32(nonvolatile_cfg, Flash), 1737 VMSTATE_UINT32(volatile_cfg, Flash), 1738 VMSTATE_UINT32(enh_volatile_cfg, Flash), 1739 VMSTATE_BOOL(quad_enable, Flash), 1740 VMSTATE_UINT8(spansion_cr1nv, Flash), 1741 VMSTATE_UINT8(spansion_cr2nv, Flash), 1742 VMSTATE_UINT8(spansion_cr3nv, Flash), 1743 VMSTATE_UINT8(spansion_cr4nv, Flash), 1744 VMSTATE_END_OF_LIST() 1745 }, 1746 .subsections = (const VMStateDescription * []) { 1747 &vmstate_m25p80_data_read_loop, 1748 &vmstate_m25p80_aai_enable, 1749 &vmstate_m25p80_write_protect, 1750 &vmstate_m25p80_block_protect, 1751 NULL 1752 } 1753 }; 1754 1755 static void m25p80_class_init(ObjectClass *klass, void *data) 1756 { 1757 DeviceClass *dc = DEVICE_CLASS(klass); 1758 SSIPeripheralClass *k = SSI_PERIPHERAL_CLASS(klass); 1759 M25P80Class *mc = M25P80_CLASS(klass); 1760 1761 k->realize = m25p80_realize; 1762 k->transfer = m25p80_transfer8; 1763 k->set_cs = m25p80_cs; 1764 k->cs_polarity = SSI_CS_LOW; 1765 dc->vmsd = &vmstate_m25p80; 1766 device_class_set_props(dc, m25p80_properties); 1767 dc->reset = m25p80_reset; 1768 mc->pi = data; 1769 } 1770 1771 static const TypeInfo m25p80_info = { 1772 .name = TYPE_M25P80, 1773 .parent = TYPE_SSI_PERIPHERAL, 1774 .instance_size = sizeof(Flash), 1775 .class_size = sizeof(M25P80Class), 1776 .abstract = true, 1777 }; 1778 1779 static void m25p80_register_types(void) 1780 { 1781 int i; 1782 1783 type_register_static(&m25p80_info); 1784 for (i = 0; i < ARRAY_SIZE(known_devices); ++i) { 1785 TypeInfo ti = { 1786 .name = known_devices[i].part_name, 1787 .parent = TYPE_M25P80, 1788 .class_init = m25p80_class_init, 1789 .class_data = (void *)&known_devices[i], 1790 }; 1791 type_register(&ti); 1792 } 1793 } 1794 1795 type_init(m25p80_register_types) 1796