xref: /openbmc/qemu/hw/block/pflash_cfi01.c (revision afb81fe8)
1 /*
2  *  CFI parallel flash with Intel command set emulation
3  *
4  *  Copyright (c) 2006 Thorsten Zitterell
5  *  Copyright (c) 2005 Jocelyn Mayer
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  */
20 
21 /*
22  * For now, this code can emulate flashes of 1, 2 or 4 bytes width.
23  * Supported commands/modes are:
24  * - flash read
25  * - flash write
26  * - flash ID read
27  * - sector erase
28  * - CFI queries
29  *
30  * It does not support timings
31  * It does not support flash interleaving
32  * It does not implement software data protection as found in many real chips
33  * It does not implement erase suspend/resume commands
34  * It does not implement multiple sectors erase
35  *
36  * It does not implement much more ...
37  */
38 
39 #include "qemu/osdep.h"
40 #include "hw/block/block.h"
41 #include "hw/block/flash.h"
42 #include "hw/qdev-properties.h"
43 #include "hw/qdev-properties-system.h"
44 #include "sysemu/block-backend.h"
45 #include "qapi/error.h"
46 #include "qemu/error-report.h"
47 #include "qemu/bitops.h"
48 #include "qemu/host-utils.h"
49 #include "qemu/log.h"
50 #include "qemu/module.h"
51 #include "qemu/option.h"
52 #include "hw/sysbus.h"
53 #include "migration/vmstate.h"
54 #include "sysemu/blockdev.h"
55 #include "sysemu/runstate.h"
56 #include "trace.h"
57 
58 #define PFLASH_BE          0
59 #define PFLASH_SECURE      1
60 
61 struct PFlashCFI01 {
62     /*< private >*/
63     SysBusDevice parent_obj;
64     /*< public >*/
65 
66     BlockBackend *blk;
67     uint32_t nb_blocs;
68     uint64_t sector_len;
69     uint8_t bank_width;
70     uint8_t device_width; /* If 0, device width not specified. */
71     uint8_t max_device_width;  /* max device width in bytes */
72     uint32_t features;
73     uint8_t wcycle; /* if 0, the flash is read normally */
74     bool ro;
75     uint8_t cmd;
76     uint8_t status;
77     uint16_t ident0;
78     uint16_t ident1;
79     uint16_t ident2;
80     uint16_t ident3;
81     uint8_t cfi_table[0x52];
82     uint64_t counter;
83     unsigned int writeblock_size;
84     MemoryRegion mem;
85     char *name;
86     void *storage;
87     VMChangeStateEntry *vmstate;
88     bool old_multiple_chip_handling;
89 };
90 
91 static int pflash_post_load(void *opaque, int version_id);
92 
93 static const VMStateDescription vmstate_pflash = {
94     .name = "pflash_cfi01",
95     .version_id = 1,
96     .minimum_version_id = 1,
97     .post_load = pflash_post_load,
98     .fields = (VMStateField[]) {
99         VMSTATE_UINT8(wcycle, PFlashCFI01),
100         VMSTATE_UINT8(cmd, PFlashCFI01),
101         VMSTATE_UINT8(status, PFlashCFI01),
102         VMSTATE_UINT64(counter, PFlashCFI01),
103         VMSTATE_END_OF_LIST()
104     }
105 };
106 
107 /*
108  * Perform a CFI query based on the bank width of the flash.
109  * If this code is called we know we have a device_width set for
110  * this flash.
111  */
112 static uint32_t pflash_cfi_query(PFlashCFI01 *pfl, hwaddr offset)
113 {
114     int i;
115     uint32_t resp = 0;
116     hwaddr boff;
117 
118     /*
119      * Adjust incoming offset to match expected device-width
120      * addressing. CFI query addresses are always specified in terms of
121      * the maximum supported width of the device.  This means that x8
122      * devices and x8/x16 devices in x8 mode behave differently.  For
123      * devices that are not used at their max width, we will be
124      * provided with addresses that use higher address bits than
125      * expected (based on the max width), so we will shift them lower
126      * so that they will match the addresses used when
127      * device_width==max_device_width.
128      */
129     boff = offset >> (ctz32(pfl->bank_width) +
130                       ctz32(pfl->max_device_width) - ctz32(pfl->device_width));
131 
132     if (boff >= sizeof(pfl->cfi_table)) {
133         return 0;
134     }
135     /*
136      * Now we will construct the CFI response generated by a single
137      * device, then replicate that for all devices that make up the
138      * bus.  For wide parts used in x8 mode, CFI query responses
139      * are different than native byte-wide parts.
140      */
141     resp = pfl->cfi_table[boff];
142     if (pfl->device_width != pfl->max_device_width) {
143         /* The only case currently supported is x8 mode for a
144          * wider part.
145          */
146         if (pfl->device_width != 1 || pfl->bank_width > 4) {
147             trace_pflash_unsupported_device_configuration(pfl->name,
148                                     pfl->device_width, pfl->max_device_width);
149             return 0;
150         }
151         /* CFI query data is repeated, rather than zero padded for
152          * wide devices used in x8 mode.
153          */
154         for (i = 1; i < pfl->max_device_width; i++) {
155             resp = deposit32(resp, 8 * i, 8, pfl->cfi_table[boff]);
156         }
157     }
158     /* Replicate responses for each device in bank. */
159     if (pfl->device_width < pfl->bank_width) {
160         for (i = pfl->device_width;
161              i < pfl->bank_width; i += pfl->device_width) {
162             resp = deposit32(resp, 8 * i, 8 * pfl->device_width, resp);
163         }
164     }
165 
166     return resp;
167 }
168 
169 
170 
171 /* Perform a device id query based on the bank width of the flash. */
172 static uint32_t pflash_devid_query(PFlashCFI01 *pfl, hwaddr offset)
173 {
174     int i;
175     uint32_t resp;
176     hwaddr boff;
177 
178     /*
179      * Adjust incoming offset to match expected device-width
180      * addressing. Device ID read addresses are always specified in
181      * terms of the maximum supported width of the device.  This means
182      * that x8 devices and x8/x16 devices in x8 mode behave
183      * differently. For devices that are not used at their max width,
184      * we will be provided with addresses that use higher address bits
185      * than expected (based on the max width), so we will shift them
186      * lower so that they will match the addresses used when
187      * device_width==max_device_width.
188      */
189     boff = offset >> (ctz32(pfl->bank_width) +
190                       ctz32(pfl->max_device_width) - ctz32(pfl->device_width));
191 
192     /*
193      * Mask off upper bits which may be used in to query block
194      * or sector lock status at other addresses.
195      * Offsets 2/3 are block lock status, is not emulated.
196      */
197     switch (boff & 0xFF) {
198     case 0:
199         resp = pfl->ident0;
200         trace_pflash_manufacturer_id(pfl->name, resp);
201         break;
202     case 1:
203         resp = pfl->ident1;
204         trace_pflash_device_id(pfl->name, resp);
205         break;
206     default:
207         trace_pflash_device_info(pfl->name, offset);
208         return 0;
209     }
210     /* Replicate responses for each device in bank. */
211     if (pfl->device_width < pfl->bank_width) {
212         for (i = pfl->device_width;
213               i < pfl->bank_width; i += pfl->device_width) {
214             resp = deposit32(resp, 8 * i, 8 * pfl->device_width, resp);
215         }
216     }
217 
218     return resp;
219 }
220 
221 static uint32_t pflash_data_read(PFlashCFI01 *pfl, hwaddr offset,
222                                  int width, int be)
223 {
224     uint8_t *p;
225     uint32_t ret;
226 
227     p = pfl->storage;
228     switch (width) {
229     case 1:
230         ret = p[offset];
231         break;
232     case 2:
233         if (be) {
234             ret = p[offset] << 8;
235             ret |= p[offset + 1];
236         } else {
237             ret = p[offset];
238             ret |= p[offset + 1] << 8;
239         }
240         break;
241     case 4:
242         if (be) {
243             ret = p[offset] << 24;
244             ret |= p[offset + 1] << 16;
245             ret |= p[offset + 2] << 8;
246             ret |= p[offset + 3];
247         } else {
248             ret = p[offset];
249             ret |= p[offset + 1] << 8;
250             ret |= p[offset + 2] << 16;
251             ret |= p[offset + 3] << 24;
252         }
253         break;
254     default:
255         abort();
256     }
257     trace_pflash_data_read(pfl->name, offset, width, ret);
258     return ret;
259 }
260 
261 static uint32_t pflash_read(PFlashCFI01 *pfl, hwaddr offset,
262                             int width, int be)
263 {
264     hwaddr boff;
265     uint32_t ret;
266 
267     ret = -1;
268     switch (pfl->cmd) {
269     default:
270         /* This should never happen : reset state & treat it as a read */
271         trace_pflash_read_unknown_state(pfl->name, pfl->cmd);
272         pfl->wcycle = 0;
273         /*
274          * The command 0x00 is not assigned by the CFI open standard,
275          * but QEMU historically uses it for the READ_ARRAY command (0xff).
276          */
277         pfl->cmd = 0x00;
278         /* fall through to read code */
279     case 0x00: /* This model reset value for READ_ARRAY (not CFI compliant) */
280         /* Flash area read */
281         ret = pflash_data_read(pfl, offset, width, be);
282         break;
283     case 0x10: /* Single byte program */
284     case 0x20: /* Block erase */
285     case 0x28: /* Block erase */
286     case 0x40: /* single byte program */
287     case 0x50: /* Clear status register */
288     case 0x60: /* Block /un)lock */
289     case 0x70: /* Status Register */
290     case 0xe8: /* Write block */
291         /*
292          * Status register read.  Return status from each device in
293          * bank.
294          */
295         ret = pfl->status;
296         if (pfl->device_width && width > pfl->device_width) {
297             int shift = pfl->device_width * 8;
298             while (shift + pfl->device_width * 8 <= width * 8) {
299                 ret |= pfl->status << shift;
300                 shift += pfl->device_width * 8;
301             }
302         } else if (!pfl->device_width && width > 2) {
303             /*
304              * Handle 32 bit flash cases where device width is not
305              * set. (Existing behavior before device width added.)
306              */
307             ret |= pfl->status << 16;
308         }
309         trace_pflash_read_status(pfl->name, ret);
310         break;
311     case 0x90:
312         if (!pfl->device_width) {
313             /* Preserve old behavior if device width not specified */
314             boff = offset & 0xFF;
315             if (pfl->bank_width == 2) {
316                 boff = boff >> 1;
317             } else if (pfl->bank_width == 4) {
318                 boff = boff >> 2;
319             }
320 
321             switch (boff) {
322             case 0:
323                 ret = pfl->ident0 << 8 | pfl->ident1;
324                 trace_pflash_manufacturer_id(pfl->name, ret);
325                 break;
326             case 1:
327                 ret = pfl->ident2 << 8 | pfl->ident3;
328                 trace_pflash_device_id(pfl->name, ret);
329                 break;
330             default:
331                 trace_pflash_device_info(pfl->name, boff);
332                 ret = 0;
333                 break;
334             }
335         } else {
336             /*
337              * If we have a read larger than the bank_width, combine multiple
338              * manufacturer/device ID queries into a single response.
339              */
340             int i;
341             for (i = 0; i < width; i += pfl->bank_width) {
342                 ret = deposit32(ret, i * 8, pfl->bank_width * 8,
343                                 pflash_devid_query(pfl,
344                                                  offset + i * pfl->bank_width));
345             }
346         }
347         break;
348     case 0x98: /* Query mode */
349         if (!pfl->device_width) {
350             /* Preserve old behavior if device width not specified */
351             boff = offset & 0xFF;
352             if (pfl->bank_width == 2) {
353                 boff = boff >> 1;
354             } else if (pfl->bank_width == 4) {
355                 boff = boff >> 2;
356             }
357 
358             if (boff < sizeof(pfl->cfi_table)) {
359                 ret = pfl->cfi_table[boff];
360             } else {
361                 ret = 0;
362             }
363         } else {
364             /*
365              * If we have a read larger than the bank_width, combine multiple
366              * CFI queries into a single response.
367              */
368             int i;
369             for (i = 0; i < width; i += pfl->bank_width) {
370                 ret = deposit32(ret, i * 8, pfl->bank_width * 8,
371                                 pflash_cfi_query(pfl,
372                                                  offset + i * pfl->bank_width));
373             }
374         }
375 
376         break;
377     }
378     trace_pflash_io_read(pfl->name, offset, width, ret, pfl->cmd, pfl->wcycle);
379 
380     return ret;
381 }
382 
383 /* update flash content on disk */
384 static void pflash_update(PFlashCFI01 *pfl, int offset,
385                           int size)
386 {
387     int offset_end;
388     int ret;
389     if (pfl->blk) {
390         offset_end = offset + size;
391         /* widen to sector boundaries */
392         offset = QEMU_ALIGN_DOWN(offset, BDRV_SECTOR_SIZE);
393         offset_end = QEMU_ALIGN_UP(offset_end, BDRV_SECTOR_SIZE);
394         ret = blk_pwrite(pfl->blk, offset, offset_end - offset,
395                          pfl->storage + offset, 0);
396         if (ret < 0) {
397             /* TODO set error bit in status */
398             error_report("Could not update PFLASH: %s", strerror(-ret));
399         }
400     }
401 }
402 
403 static inline void pflash_data_write(PFlashCFI01 *pfl, hwaddr offset,
404                                      uint32_t value, int width, int be)
405 {
406     uint8_t *p = pfl->storage;
407 
408     trace_pflash_data_write(pfl->name, offset, width, value, pfl->counter);
409     switch (width) {
410     case 1:
411         p[offset] = value;
412         break;
413     case 2:
414         if (be) {
415             p[offset] = value >> 8;
416             p[offset + 1] = value;
417         } else {
418             p[offset] = value;
419             p[offset + 1] = value >> 8;
420         }
421         break;
422     case 4:
423         if (be) {
424             p[offset] = value >> 24;
425             p[offset + 1] = value >> 16;
426             p[offset + 2] = value >> 8;
427             p[offset + 3] = value;
428         } else {
429             p[offset] = value;
430             p[offset + 1] = value >> 8;
431             p[offset + 2] = value >> 16;
432             p[offset + 3] = value >> 24;
433         }
434         break;
435     }
436 
437 }
438 
439 static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
440                          uint32_t value, int width, int be)
441 {
442     uint8_t *p;
443     uint8_t cmd;
444 
445     cmd = value;
446 
447     trace_pflash_io_write(pfl->name, offset, width, value, pfl->wcycle);
448     if (!pfl->wcycle) {
449         /* Set the device in I/O access mode */
450         memory_region_rom_device_set_romd(&pfl->mem, false);
451     }
452 
453     switch (pfl->wcycle) {
454     case 0:
455         /* read mode */
456         switch (cmd) {
457         case 0x00: /* This model reset value for READ_ARRAY (not CFI) */
458             goto mode_read_array;
459         case 0x10: /* Single Byte Program */
460         case 0x40: /* Single Byte Program */
461             trace_pflash_write(pfl->name, "single byte program (0)");
462             break;
463         case 0x20: /* Block erase */
464             p = pfl->storage;
465             offset &= ~(pfl->sector_len - 1);
466 
467             trace_pflash_write_block_erase(pfl->name, offset, pfl->sector_len);
468 
469             if (!pfl->ro) {
470                 memset(p + offset, 0xff, pfl->sector_len);
471                 pflash_update(pfl, offset, pfl->sector_len);
472             } else {
473                 pfl->status |= 0x20; /* Block erase error */
474             }
475             pfl->status |= 0x80; /* Ready! */
476             break;
477         case 0x50: /* Clear status bits */
478             trace_pflash_write(pfl->name, "clear status bits");
479             pfl->status = 0x0;
480             goto mode_read_array;
481         case 0x60: /* Block (un)lock */
482             trace_pflash_write(pfl->name, "block unlock");
483             break;
484         case 0x70: /* Status Register */
485             trace_pflash_write(pfl->name, "read status register");
486             pfl->cmd = cmd;
487             return;
488         case 0x90: /* Read Device ID */
489             trace_pflash_write(pfl->name, "read device information");
490             pfl->cmd = cmd;
491             return;
492         case 0x98: /* CFI query */
493             trace_pflash_write(pfl->name, "CFI query");
494             break;
495         case 0xe8: /* Write to buffer */
496             trace_pflash_write(pfl->name, "write to buffer");
497             /* FIXME should save @offset, @width for case 1+ */
498             qemu_log_mask(LOG_UNIMP,
499                           "%s: Write to buffer emulation is flawed\n",
500                           __func__);
501             pfl->status |= 0x80; /* Ready! */
502             break;
503         case 0xf0: /* Probe for AMD flash */
504             trace_pflash_write(pfl->name, "probe for AMD flash");
505             goto mode_read_array;
506         case 0xff: /* Read Array */
507             trace_pflash_write(pfl->name, "read array mode");
508             goto mode_read_array;
509         default:
510             goto error_flash;
511         }
512         pfl->wcycle++;
513         pfl->cmd = cmd;
514         break;
515     case 1:
516         switch (pfl->cmd) {
517         case 0x10: /* Single Byte Program */
518         case 0x40: /* Single Byte Program */
519             trace_pflash_write(pfl->name, "single byte program (1)");
520             if (!pfl->ro) {
521                 pflash_data_write(pfl, offset, value, width, be);
522                 pflash_update(pfl, offset, width);
523             } else {
524                 pfl->status |= 0x10; /* Programming error */
525             }
526             pfl->status |= 0x80; /* Ready! */
527             pfl->wcycle = 0;
528         break;
529         case 0x20: /* Block erase */
530         case 0x28:
531             if (cmd == 0xd0) { /* confirm */
532                 pfl->wcycle = 0;
533                 pfl->status |= 0x80;
534             } else if (cmd == 0xff) { /* Read Array */
535                 goto mode_read_array;
536             } else
537                 goto error_flash;
538 
539             break;
540         case 0xe8:
541             /*
542              * Mask writeblock size based on device width, or bank width if
543              * device width not specified.
544              */
545             /* FIXME check @offset, @width */
546             if (pfl->device_width) {
547                 value = extract32(value, 0, pfl->device_width * 8);
548             } else {
549                 value = extract32(value, 0, pfl->bank_width * 8);
550             }
551             trace_pflash_write_block(pfl->name, value);
552             pfl->counter = value;
553             pfl->wcycle++;
554             break;
555         case 0x60:
556             if (cmd == 0xd0) {
557                 pfl->wcycle = 0;
558                 pfl->status |= 0x80;
559             } else if (cmd == 0x01) {
560                 pfl->wcycle = 0;
561                 pfl->status |= 0x80;
562             } else if (cmd == 0xff) { /* Read Array */
563                 goto mode_read_array;
564             } else {
565                 trace_pflash_write(pfl->name, "unknown (un)locking command");
566                 goto mode_read_array;
567             }
568             break;
569         case 0x98:
570             if (cmd == 0xff) { /* Read Array */
571                 goto mode_read_array;
572             } else {
573                 trace_pflash_write(pfl->name, "leaving query mode");
574             }
575             break;
576         default:
577             goto error_flash;
578         }
579         break;
580     case 2:
581         switch (pfl->cmd) {
582         case 0xe8: /* Block write */
583             /* FIXME check @offset, @width */
584             if (!pfl->ro) {
585                 /*
586                  * FIXME writing straight to memory is *wrong*.  We
587                  * should write to a buffer, and flush it to memory
588                  * only on confirm command (see below).
589                  */
590                 pflash_data_write(pfl, offset, value, width, be);
591             } else {
592                 pfl->status |= 0x10; /* Programming error */
593             }
594 
595             pfl->status |= 0x80;
596 
597             if (!pfl->counter) {
598                 hwaddr mask = pfl->writeblock_size - 1;
599                 mask = ~mask;
600 
601                 trace_pflash_write(pfl->name, "block write finished");
602                 pfl->wcycle++;
603                 if (!pfl->ro) {
604                     /* Flush the entire write buffer onto backing storage.  */
605                     /* FIXME premature! */
606                     pflash_update(pfl, offset & mask, pfl->writeblock_size);
607                 } else {
608                     pfl->status |= 0x10; /* Programming error */
609                 }
610             }
611 
612             pfl->counter--;
613             break;
614         default:
615             goto error_flash;
616         }
617         break;
618     case 3: /* Confirm mode */
619         switch (pfl->cmd) {
620         case 0xe8: /* Block write */
621             if (cmd == 0xd0) {
622                 /* FIXME this is where we should write out the buffer */
623                 pfl->wcycle = 0;
624                 pfl->status |= 0x80;
625             } else {
626                 qemu_log_mask(LOG_UNIMP,
627                     "%s: Aborting write to buffer not implemented,"
628                     " the data is already written to storage!\n"
629                     "Flash device reset into READ mode.\n",
630                     __func__);
631                 goto mode_read_array;
632             }
633             break;
634         default:
635             goto error_flash;
636         }
637         break;
638     default:
639         /* Should never happen */
640         trace_pflash_write(pfl->name, "invalid write state");
641         goto mode_read_array;
642     }
643     return;
644 
645  error_flash:
646     qemu_log_mask(LOG_UNIMP, "%s: Unimplemented flash cmd sequence "
647                   "(offset " HWADDR_FMT_plx ", wcycle 0x%x cmd 0x%x value 0x%x)"
648                   "\n", __func__, offset, pfl->wcycle, pfl->cmd, value);
649 
650  mode_read_array:
651     trace_pflash_mode_read_array(pfl->name);
652     memory_region_rom_device_set_romd(&pfl->mem, true);
653     pfl->wcycle = 0;
654     pfl->cmd = 0x00; /* This model reset value for READ_ARRAY (not CFI) */
655 }
656 
657 
658 static MemTxResult pflash_mem_read_with_attrs(void *opaque, hwaddr addr, uint64_t *value,
659                                               unsigned len, MemTxAttrs attrs)
660 {
661     PFlashCFI01 *pfl = opaque;
662     bool be = !!(pfl->features & (1 << PFLASH_BE));
663 
664     if ((pfl->features & (1 << PFLASH_SECURE)) && !attrs.secure) {
665         *value = pflash_data_read(opaque, addr, len, be);
666     } else {
667         *value = pflash_read(opaque, addr, len, be);
668     }
669     return MEMTX_OK;
670 }
671 
672 static MemTxResult pflash_mem_write_with_attrs(void *opaque, hwaddr addr, uint64_t value,
673                                                unsigned len, MemTxAttrs attrs)
674 {
675     PFlashCFI01 *pfl = opaque;
676     bool be = !!(pfl->features & (1 << PFLASH_BE));
677 
678     if ((pfl->features & (1 << PFLASH_SECURE)) && !attrs.secure) {
679         return MEMTX_ERROR;
680     } else {
681         pflash_write(opaque, addr, value, len, be);
682         return MEMTX_OK;
683     }
684 }
685 
686 static const MemoryRegionOps pflash_cfi01_ops = {
687     .read_with_attrs = pflash_mem_read_with_attrs,
688     .write_with_attrs = pflash_mem_write_with_attrs,
689     .endianness = DEVICE_NATIVE_ENDIAN,
690 };
691 
692 static void pflash_cfi01_fill_cfi_table(PFlashCFI01 *pfl)
693 {
694     uint64_t blocks_per_device, sector_len_per_device, device_len;
695     int num_devices;
696 
697     /*
698      * These are only used to expose the parameters of each device
699      * in the cfi_table[].
700      */
701     num_devices = pfl->device_width ? (pfl->bank_width / pfl->device_width) : 1;
702     if (pfl->old_multiple_chip_handling) {
703         blocks_per_device = pfl->nb_blocs / num_devices;
704         sector_len_per_device = pfl->sector_len;
705     } else {
706         blocks_per_device = pfl->nb_blocs;
707         sector_len_per_device = pfl->sector_len / num_devices;
708     }
709     device_len = sector_len_per_device * blocks_per_device;
710 
711     /* Hardcoded CFI table */
712     /* Standard "QRY" string */
713     pfl->cfi_table[0x10] = 'Q';
714     pfl->cfi_table[0x11] = 'R';
715     pfl->cfi_table[0x12] = 'Y';
716     /* Command set (Intel) */
717     pfl->cfi_table[0x13] = 0x01;
718     pfl->cfi_table[0x14] = 0x00;
719     /* Primary extended table address (none) */
720     pfl->cfi_table[0x15] = 0x31;
721     pfl->cfi_table[0x16] = 0x00;
722     /* Alternate command set (none) */
723     pfl->cfi_table[0x17] = 0x00;
724     pfl->cfi_table[0x18] = 0x00;
725     /* Alternate extended table (none) */
726     pfl->cfi_table[0x19] = 0x00;
727     pfl->cfi_table[0x1A] = 0x00;
728     /* Vcc min */
729     pfl->cfi_table[0x1B] = 0x45;
730     /* Vcc max */
731     pfl->cfi_table[0x1C] = 0x55;
732     /* Vpp min (no Vpp pin) */
733     pfl->cfi_table[0x1D] = 0x00;
734     /* Vpp max (no Vpp pin) */
735     pfl->cfi_table[0x1E] = 0x00;
736     /* Reserved */
737     pfl->cfi_table[0x1F] = 0x07;
738     /* Timeout for min size buffer write */
739     pfl->cfi_table[0x20] = 0x07;
740     /* Typical timeout for block erase */
741     pfl->cfi_table[0x21] = 0x0a;
742     /* Typical timeout for full chip erase (4096 ms) */
743     pfl->cfi_table[0x22] = 0x00;
744     /* Reserved */
745     pfl->cfi_table[0x23] = 0x04;
746     /* Max timeout for buffer write */
747     pfl->cfi_table[0x24] = 0x04;
748     /* Max timeout for block erase */
749     pfl->cfi_table[0x25] = 0x04;
750     /* Max timeout for chip erase */
751     pfl->cfi_table[0x26] = 0x00;
752     /* Device size */
753     pfl->cfi_table[0x27] = ctz32(device_len); /* + 1; */
754     /* Flash device interface (8 & 16 bits) */
755     pfl->cfi_table[0x28] = 0x02;
756     pfl->cfi_table[0x29] = 0x00;
757     /* Max number of bytes in multi-bytes write */
758     if (pfl->bank_width == 1) {
759         pfl->cfi_table[0x2A] = 0x08;
760     } else {
761         pfl->cfi_table[0x2A] = 0x0B;
762     }
763     pfl->writeblock_size = 1 << pfl->cfi_table[0x2A];
764     if (!pfl->old_multiple_chip_handling && num_devices > 1) {
765         pfl->writeblock_size *= num_devices;
766     }
767 
768     pfl->cfi_table[0x2B] = 0x00;
769     /* Number of erase block regions (uniform) */
770     pfl->cfi_table[0x2C] = 0x01;
771     /* Erase block region 1 */
772     pfl->cfi_table[0x2D] = blocks_per_device - 1;
773     pfl->cfi_table[0x2E] = (blocks_per_device - 1) >> 8;
774     pfl->cfi_table[0x2F] = sector_len_per_device >> 8;
775     pfl->cfi_table[0x30] = sector_len_per_device >> 16;
776 
777     /* Extended */
778     pfl->cfi_table[0x31] = 'P';
779     pfl->cfi_table[0x32] = 'R';
780     pfl->cfi_table[0x33] = 'I';
781 
782     pfl->cfi_table[0x34] = '1';
783     pfl->cfi_table[0x35] = '0';
784 
785     pfl->cfi_table[0x36] = 0x00;
786     pfl->cfi_table[0x37] = 0x00;
787     pfl->cfi_table[0x38] = 0x00;
788     pfl->cfi_table[0x39] = 0x00;
789 
790     pfl->cfi_table[0x3a] = 0x00;
791 
792     pfl->cfi_table[0x3b] = 0x00;
793     pfl->cfi_table[0x3c] = 0x00;
794 
795     pfl->cfi_table[0x3f] = 0x01; /* Number of protection fields */
796 }
797 
798 static void pflash_cfi01_realize(DeviceState *dev, Error **errp)
799 {
800     ERRP_GUARD();
801     PFlashCFI01 *pfl = PFLASH_CFI01(dev);
802     uint64_t total_len;
803     int ret;
804 
805     if (pfl->sector_len == 0) {
806         error_setg(errp, "attribute \"sector-length\" not specified or zero.");
807         return;
808     }
809     if (pfl->nb_blocs == 0) {
810         error_setg(errp, "attribute \"num-blocks\" not specified or zero.");
811         return;
812     }
813     if (pfl->name == NULL) {
814         error_setg(errp, "attribute \"name\" not specified.");
815         return;
816     }
817 
818     total_len = pfl->sector_len * pfl->nb_blocs;
819 
820     memory_region_init_rom_device(
821         &pfl->mem, OBJECT(dev),
822         &pflash_cfi01_ops,
823         pfl,
824         pfl->name, total_len, errp);
825     if (*errp) {
826         return;
827     }
828 
829     pfl->storage = memory_region_get_ram_ptr(&pfl->mem);
830     sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem);
831 
832     if (pfl->blk) {
833         uint64_t perm;
834         pfl->ro = !blk_supports_write_perm(pfl->blk);
835         perm = BLK_PERM_CONSISTENT_READ | (pfl->ro ? 0 : BLK_PERM_WRITE);
836         ret = blk_set_perm(pfl->blk, perm, BLK_PERM_ALL, errp);
837         if (ret < 0) {
838             return;
839         }
840     } else {
841         pfl->ro = false;
842     }
843 
844     if (pfl->blk) {
845         if (!blk_check_size_and_read_all(pfl->blk, pfl->storage, total_len,
846                                          errp)) {
847             vmstate_unregister_ram(&pfl->mem, DEVICE(pfl));
848             return;
849         }
850     }
851 
852     /*
853      * Default to devices being used at their maximum device width. This was
854      * assumed before the device_width support was added.
855      */
856     if (!pfl->max_device_width) {
857         pfl->max_device_width = pfl->device_width;
858     }
859 
860     pfl->wcycle = 0;
861     /*
862      * The command 0x00 is not assigned by the CFI open standard,
863      * but QEMU historically uses it for the READ_ARRAY command (0xff).
864      */
865     pfl->cmd = 0x00;
866     pfl->status = 0x80; /* WSM ready */
867     pflash_cfi01_fill_cfi_table(pfl);
868 }
869 
870 static void pflash_cfi01_system_reset(DeviceState *dev)
871 {
872     PFlashCFI01 *pfl = PFLASH_CFI01(dev);
873 
874     trace_pflash_reset(pfl->name);
875     /*
876      * The command 0x00 is not assigned by the CFI open standard,
877      * but QEMU historically uses it for the READ_ARRAY command (0xff).
878      */
879     pfl->cmd = 0x00;
880     pfl->wcycle = 0;
881     memory_region_rom_device_set_romd(&pfl->mem, true);
882     /*
883      * The WSM ready timer occurs at most 150ns after system reset.
884      * This model deliberately ignores this delay.
885      */
886     pfl->status = 0x80;
887 }
888 
889 static Property pflash_cfi01_properties[] = {
890     DEFINE_PROP_DRIVE("drive", PFlashCFI01, blk),
891     /* num-blocks is the number of blocks actually visible to the guest,
892      * ie the total size of the device divided by the sector length.
893      * If we're emulating flash devices wired in parallel the actual
894      * number of blocks per individual device will differ.
895      */
896     DEFINE_PROP_UINT32("num-blocks", PFlashCFI01, nb_blocs, 0),
897     DEFINE_PROP_UINT64("sector-length", PFlashCFI01, sector_len, 0),
898     /* width here is the overall width of this QEMU device in bytes.
899      * The QEMU device may be emulating a number of flash devices
900      * wired up in parallel; the width of each individual flash
901      * device should be specified via device-width. If the individual
902      * devices have a maximum width which is greater than the width
903      * they are being used for, this maximum width should be set via
904      * max-device-width (which otherwise defaults to device-width).
905      * So for instance a 32-bit wide QEMU flash device made from four
906      * 16-bit flash devices used in 8-bit wide mode would be configured
907      * with width = 4, device-width = 1, max-device-width = 2.
908      *
909      * If device-width is not specified we default to backwards
910      * compatible behaviour which is a bad emulation of two
911      * 16 bit devices making up a 32 bit wide QEMU device. This
912      * is deprecated for new uses of this device.
913      */
914     DEFINE_PROP_UINT8("width", PFlashCFI01, bank_width, 0),
915     DEFINE_PROP_UINT8("device-width", PFlashCFI01, device_width, 0),
916     DEFINE_PROP_UINT8("max-device-width", PFlashCFI01, max_device_width, 0),
917     DEFINE_PROP_BIT("big-endian", PFlashCFI01, features, PFLASH_BE, 0),
918     DEFINE_PROP_BIT("secure", PFlashCFI01, features, PFLASH_SECURE, 0),
919     DEFINE_PROP_UINT16("id0", PFlashCFI01, ident0, 0),
920     DEFINE_PROP_UINT16("id1", PFlashCFI01, ident1, 0),
921     DEFINE_PROP_UINT16("id2", PFlashCFI01, ident2, 0),
922     DEFINE_PROP_UINT16("id3", PFlashCFI01, ident3, 0),
923     DEFINE_PROP_STRING("name", PFlashCFI01, name),
924     DEFINE_PROP_BOOL("old-multiple-chip-handling", PFlashCFI01,
925                      old_multiple_chip_handling, false),
926     DEFINE_PROP_END_OF_LIST(),
927 };
928 
929 static void pflash_cfi01_class_init(ObjectClass *klass, void *data)
930 {
931     DeviceClass *dc = DEVICE_CLASS(klass);
932 
933     dc->reset = pflash_cfi01_system_reset;
934     dc->realize = pflash_cfi01_realize;
935     device_class_set_props(dc, pflash_cfi01_properties);
936     dc->vmsd = &vmstate_pflash;
937     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
938 }
939 
940 
941 static const TypeInfo pflash_cfi01_info = {
942     .name           = TYPE_PFLASH_CFI01,
943     .parent         = TYPE_SYS_BUS_DEVICE,
944     .instance_size  = sizeof(PFlashCFI01),
945     .class_init     = pflash_cfi01_class_init,
946 };
947 
948 static void pflash_cfi01_register_types(void)
949 {
950     type_register_static(&pflash_cfi01_info);
951 }
952 
953 type_init(pflash_cfi01_register_types)
954 
955 PFlashCFI01 *pflash_cfi01_register(hwaddr base,
956                                    const char *name,
957                                    hwaddr size,
958                                    BlockBackend *blk,
959                                    uint32_t sector_len,
960                                    int bank_width,
961                                    uint16_t id0, uint16_t id1,
962                                    uint16_t id2, uint16_t id3,
963                                    int be)
964 {
965     DeviceState *dev = qdev_new(TYPE_PFLASH_CFI01);
966 
967     if (blk) {
968         qdev_prop_set_drive(dev, "drive", blk);
969     }
970     assert(QEMU_IS_ALIGNED(size, sector_len));
971     qdev_prop_set_uint32(dev, "num-blocks", size / sector_len);
972     qdev_prop_set_uint64(dev, "sector-length", sector_len);
973     qdev_prop_set_uint8(dev, "width", bank_width);
974     qdev_prop_set_bit(dev, "big-endian", !!be);
975     qdev_prop_set_uint16(dev, "id0", id0);
976     qdev_prop_set_uint16(dev, "id1", id1);
977     qdev_prop_set_uint16(dev, "id2", id2);
978     qdev_prop_set_uint16(dev, "id3", id3);
979     qdev_prop_set_string(dev, "name", name);
980     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
981 
982     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
983     return PFLASH_CFI01(dev);
984 }
985 
986 BlockBackend *pflash_cfi01_get_blk(PFlashCFI01 *fl)
987 {
988     return fl->blk;
989 }
990 
991 MemoryRegion *pflash_cfi01_get_memory(PFlashCFI01 *fl)
992 {
993     return &fl->mem;
994 }
995 
996 /*
997  * Handle -drive if=pflash for machines that use properties.
998  * If @dinfo is null, do nothing.
999  * Else if @fl's property "drive" is already set, fatal error.
1000  * Else set it to the BlockBackend with @dinfo.
1001  */
1002 void pflash_cfi01_legacy_drive(PFlashCFI01 *fl, DriveInfo *dinfo)
1003 {
1004     Location loc;
1005 
1006     if (!dinfo) {
1007         return;
1008     }
1009 
1010     loc_push_none(&loc);
1011     qemu_opts_loc_restore(dinfo->opts);
1012     if (fl->blk) {
1013         error_report("clashes with -machine");
1014         exit(1);
1015     }
1016     qdev_prop_set_drive_err(DEVICE(fl), "drive", blk_by_legacy_dinfo(dinfo),
1017                             &error_fatal);
1018     loc_pop(&loc);
1019 }
1020 
1021 static void postload_update_cb(void *opaque, bool running, RunState state)
1022 {
1023     PFlashCFI01 *pfl = opaque;
1024 
1025     /* This is called after bdrv_activate_all.  */
1026     qemu_del_vm_change_state_handler(pfl->vmstate);
1027     pfl->vmstate = NULL;
1028 
1029     trace_pflash_postload_cb(pfl->name);
1030     pflash_update(pfl, 0, pfl->sector_len * pfl->nb_blocs);
1031 }
1032 
1033 static int pflash_post_load(void *opaque, int version_id)
1034 {
1035     PFlashCFI01 *pfl = opaque;
1036 
1037     if (!pfl->ro) {
1038         pfl->vmstate = qemu_add_vm_change_state_handler(postload_update_cb,
1039                                                         pfl);
1040     }
1041     return 0;
1042 }
1043