1 /* 2 * CFI parallel flash with AMD command set emulation 3 * 4 * Copyright (c) 2005 Jocelyn Mayer 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 /* 21 * For now, this code can emulate flashes of 1, 2 or 4 bytes width. 22 * Supported commands/modes are: 23 * - flash read 24 * - flash write 25 * - flash ID read 26 * - sector erase 27 * - chip erase 28 * - unlock bypass command 29 * - CFI queries 30 * 31 * It does not support flash interleaving. 32 * It does not implement software data protection as found in many real chips 33 */ 34 35 #include "qemu/osdep.h" 36 #include "hw/block/block.h" 37 #include "hw/block/flash.h" 38 #include "hw/qdev-properties.h" 39 #include "qapi/error.h" 40 #include "qemu/error-report.h" 41 #include "qemu/bitmap.h" 42 #include "qemu/timer.h" 43 #include "sysemu/block-backend.h" 44 #include "qemu/host-utils.h" 45 #include "qemu/module.h" 46 #include "hw/sysbus.h" 47 #include "migration/vmstate.h" 48 #include "trace.h" 49 50 #define PFLASH_DEBUG false 51 #define DPRINTF(fmt, ...) \ 52 do { \ 53 if (PFLASH_DEBUG) { \ 54 fprintf(stderr, "PFLASH: " fmt, ## __VA_ARGS__); \ 55 } \ 56 } while (0) 57 58 #define PFLASH_LAZY_ROMD_THRESHOLD 42 59 60 /* 61 * The size of the cfi_table indirectly depends on this and the start of the 62 * PRI table directly depends on it. 4 is the maximum size (and also what 63 * seems common) without changing the PRT table address. 64 */ 65 #define PFLASH_MAX_ERASE_REGIONS 4 66 67 /* Special write cycles for CFI queries. */ 68 enum { 69 WCYCLE_CFI = 7, 70 WCYCLE_AUTOSELECT_CFI = 8, 71 }; 72 73 struct PFlashCFI02 { 74 /*< private >*/ 75 SysBusDevice parent_obj; 76 /*< public >*/ 77 78 BlockBackend *blk; 79 uint32_t uniform_nb_blocs; 80 uint32_t uniform_sector_len; 81 uint32_t total_sectors; 82 uint32_t nb_blocs[PFLASH_MAX_ERASE_REGIONS]; 83 uint32_t sector_len[PFLASH_MAX_ERASE_REGIONS]; 84 uint32_t chip_len; 85 uint8_t mappings; 86 uint8_t width; 87 uint8_t be; 88 int wcycle; /* if 0, the flash is read normally */ 89 int bypass; 90 int ro; 91 uint8_t cmd; 92 uint8_t status; 93 /* FIXME: implement array device properties */ 94 uint16_t ident0; 95 uint16_t ident1; 96 uint16_t ident2; 97 uint16_t ident3; 98 uint16_t unlock_addr0; 99 uint16_t unlock_addr1; 100 uint8_t cfi_table[0x4d]; 101 QEMUTimer timer; 102 /* The device replicates the flash memory across its memory space. Emulate 103 * that by having a container (.mem) filled with an array of aliases 104 * (.mem_mappings) pointing to the flash memory (.orig_mem). 105 */ 106 MemoryRegion mem; 107 MemoryRegion *mem_mappings; /* array; one per mapping */ 108 MemoryRegion orig_mem; 109 int rom_mode; 110 int read_counter; /* used for lazy switch-back to rom mode */ 111 int sectors_to_erase; 112 uint64_t erase_time_remaining; 113 unsigned long *sector_erase_map; 114 char *name; 115 void *storage; 116 }; 117 118 /* 119 * Toggle status bit DQ7. 120 */ 121 static inline void toggle_dq7(PFlashCFI02 *pfl) 122 { 123 pfl->status ^= 0x80; 124 } 125 126 /* 127 * Set status bit DQ7 to bit 7 of value. 128 */ 129 static inline void set_dq7(PFlashCFI02 *pfl, uint8_t value) 130 { 131 pfl->status &= 0x7F; 132 pfl->status |= value & 0x80; 133 } 134 135 /* 136 * Toggle status bit DQ6. 137 */ 138 static inline void toggle_dq6(PFlashCFI02 *pfl) 139 { 140 pfl->status ^= 0x40; 141 } 142 143 /* 144 * Turn on DQ3. 145 */ 146 static inline void assert_dq3(PFlashCFI02 *pfl) 147 { 148 pfl->status |= 0x08; 149 } 150 151 /* 152 * Turn off DQ3. 153 */ 154 static inline void reset_dq3(PFlashCFI02 *pfl) 155 { 156 pfl->status &= ~0x08; 157 } 158 159 /* 160 * Toggle status bit DQ2. 161 */ 162 static inline void toggle_dq2(PFlashCFI02 *pfl) 163 { 164 pfl->status ^= 0x04; 165 } 166 167 /* 168 * Set up replicated mappings of the same region. 169 */ 170 static void pflash_setup_mappings(PFlashCFI02 *pfl) 171 { 172 unsigned i; 173 hwaddr size = memory_region_size(&pfl->orig_mem); 174 175 memory_region_init(&pfl->mem, OBJECT(pfl), "pflash", pfl->mappings * size); 176 pfl->mem_mappings = g_new(MemoryRegion, pfl->mappings); 177 for (i = 0; i < pfl->mappings; ++i) { 178 memory_region_init_alias(&pfl->mem_mappings[i], OBJECT(pfl), 179 "pflash-alias", &pfl->orig_mem, 0, size); 180 memory_region_add_subregion(&pfl->mem, i * size, &pfl->mem_mappings[i]); 181 } 182 } 183 184 static void pflash_register_memory(PFlashCFI02 *pfl, int rom_mode) 185 { 186 memory_region_rom_device_set_romd(&pfl->orig_mem, rom_mode); 187 pfl->rom_mode = rom_mode; 188 } 189 190 static size_t pflash_regions_count(PFlashCFI02 *pfl) 191 { 192 return pfl->cfi_table[0x2c]; 193 } 194 195 /* 196 * Returns the time it takes to erase the number of sectors scheduled for 197 * erasure based on CFI address 0x21 which is "Typical timeout per individual 198 * block erase 2^N ms." 199 */ 200 static uint64_t pflash_erase_time(PFlashCFI02 *pfl) 201 { 202 /* 203 * If there are no sectors to erase (which can happen if all of the sectors 204 * to be erased are protected), then erase takes 100 us. Protected sectors 205 * aren't supported so this should never happen. 206 */ 207 return ((1ULL << pfl->cfi_table[0x21]) * pfl->sectors_to_erase) * SCALE_US; 208 } 209 210 /* 211 * Returns true if the device is currently in erase suspend mode. 212 */ 213 static inline bool pflash_erase_suspend_mode(PFlashCFI02 *pfl) 214 { 215 return pfl->erase_time_remaining > 0; 216 } 217 218 static void pflash_timer(void *opaque) 219 { 220 PFlashCFI02 *pfl = opaque; 221 222 trace_pflash_timer_expired(pfl->cmd); 223 if (pfl->cmd == 0x30) { 224 /* 225 * Sector erase. If DQ3 is 0 when the timer expires, then the 50 226 * us erase timeout has expired so we need to start the timer for the 227 * sector erase algorithm. Otherwise, the erase completed and we should 228 * go back to read array mode. 229 */ 230 if ((pfl->status & 0x08) == 0) { 231 assert_dq3(pfl); 232 uint64_t timeout = pflash_erase_time(pfl); 233 timer_mod(&pfl->timer, 234 qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + timeout); 235 DPRINTF("%s: erase timeout fired; erasing %d sectors\n", 236 __func__, pfl->sectors_to_erase); 237 return; 238 } 239 DPRINTF("%s: sector erase complete\n", __func__); 240 bitmap_zero(pfl->sector_erase_map, pfl->total_sectors); 241 pfl->sectors_to_erase = 0; 242 reset_dq3(pfl); 243 } 244 245 /* Reset flash */ 246 toggle_dq7(pfl); 247 if (pfl->bypass) { 248 pfl->wcycle = 2; 249 } else { 250 pflash_register_memory(pfl, 1); 251 pfl->wcycle = 0; 252 } 253 pfl->cmd = 0; 254 } 255 256 /* 257 * Read data from flash. 258 */ 259 static uint64_t pflash_data_read(PFlashCFI02 *pfl, hwaddr offset, 260 unsigned int width) 261 { 262 uint8_t *p = (uint8_t *)pfl->storage + offset; 263 uint64_t ret = pfl->be ? ldn_be_p(p, width) : ldn_le_p(p, width); 264 trace_pflash_data_read(offset, width, ret); 265 return ret; 266 } 267 268 typedef struct { 269 uint32_t len; 270 uint32_t num; 271 } SectorInfo; 272 273 /* 274 * offset should be a byte offset of the QEMU device and _not_ a device 275 * offset. 276 */ 277 static SectorInfo pflash_sector_info(PFlashCFI02 *pfl, hwaddr offset) 278 { 279 assert(offset < pfl->chip_len); 280 hwaddr addr = 0; 281 uint32_t sector_num = 0; 282 for (int i = 0; i < pflash_regions_count(pfl); ++i) { 283 uint64_t region_size = (uint64_t)pfl->nb_blocs[i] * pfl->sector_len[i]; 284 if (addr <= offset && offset < addr + region_size) { 285 return (SectorInfo) { 286 .len = pfl->sector_len[i], 287 .num = sector_num + (offset - addr) / pfl->sector_len[i], 288 }; 289 } 290 sector_num += pfl->nb_blocs[i]; 291 addr += region_size; 292 } 293 abort(); 294 } 295 296 /* 297 * Returns true if the offset refers to a flash sector that is currently being 298 * erased. 299 */ 300 static bool pflash_sector_is_erasing(PFlashCFI02 *pfl, hwaddr offset) 301 { 302 long sector_num = pflash_sector_info(pfl, offset).num; 303 return test_bit(sector_num, pfl->sector_erase_map); 304 } 305 306 static uint64_t pflash_read(void *opaque, hwaddr offset, unsigned int width) 307 { 308 PFlashCFI02 *pfl = opaque; 309 hwaddr boff; 310 uint64_t ret; 311 312 /* Lazy reset to ROMD mode after a certain amount of read accesses */ 313 if (!pfl->rom_mode && pfl->wcycle == 0 && 314 ++pfl->read_counter > PFLASH_LAZY_ROMD_THRESHOLD) { 315 pflash_register_memory(pfl, 1); 316 } 317 offset &= pfl->chip_len - 1; 318 boff = offset & 0xFF; 319 if (pfl->width == 2) { 320 boff = boff >> 1; 321 } else if (pfl->width == 4) { 322 boff = boff >> 2; 323 } 324 switch (pfl->cmd) { 325 default: 326 /* This should never happen : reset state & treat it as a read*/ 327 DPRINTF("%s: unknown command state: %x\n", __func__, pfl->cmd); 328 pfl->wcycle = 0; 329 pfl->cmd = 0; 330 /* fall through to the read code */ 331 case 0x80: /* Erase (unlock) */ 332 /* We accept reads during second unlock sequence... */ 333 case 0x00: 334 if (pflash_erase_suspend_mode(pfl) && 335 pflash_sector_is_erasing(pfl, offset)) { 336 /* Toggle bit 2, but not 6. */ 337 toggle_dq2(pfl); 338 /* Status register read */ 339 ret = pfl->status; 340 DPRINTF("%s: status %" PRIx64 "\n", __func__, ret); 341 break; 342 } 343 /* Flash area read */ 344 ret = pflash_data_read(pfl, offset, width); 345 break; 346 case 0x90: /* flash ID read */ 347 switch (boff) { 348 case 0x00: 349 case 0x01: 350 ret = boff & 0x01 ? pfl->ident1 : pfl->ident0; 351 break; 352 case 0x02: 353 ret = 0x00; /* Pretend all sectors are unprotected */ 354 break; 355 case 0x0E: 356 case 0x0F: 357 ret = boff & 0x01 ? pfl->ident3 : pfl->ident2; 358 if (ret != (uint8_t)-1) { 359 break; 360 } 361 /* Fall through to data read. */ 362 default: 363 ret = pflash_data_read(pfl, offset, width); 364 } 365 DPRINTF("%s: ID " TARGET_FMT_plx " %" PRIx64 "\n", __func__, boff, ret); 366 break; 367 case 0x10: /* Chip Erase */ 368 case 0x30: /* Sector Erase */ 369 /* Toggle bit 2 during erase, but not program. */ 370 toggle_dq2(pfl); 371 /* fall through */ 372 case 0xA0: /* Program */ 373 /* Toggle bit 6 */ 374 toggle_dq6(pfl); 375 /* Status register read */ 376 ret = pfl->status; 377 DPRINTF("%s: status %" PRIx64 "\n", __func__, ret); 378 break; 379 case 0x98: 380 /* CFI query mode */ 381 if (boff < sizeof(pfl->cfi_table)) { 382 ret = pfl->cfi_table[boff]; 383 } else { 384 ret = 0; 385 } 386 break; 387 } 388 trace_pflash_io_read(offset, width, ret, pfl->cmd, pfl->wcycle); 389 390 return ret; 391 } 392 393 /* update flash content on disk */ 394 static void pflash_update(PFlashCFI02 *pfl, int offset, int size) 395 { 396 int offset_end; 397 int ret; 398 if (pfl->blk) { 399 offset_end = offset + size; 400 /* widen to sector boundaries */ 401 offset = QEMU_ALIGN_DOWN(offset, BDRV_SECTOR_SIZE); 402 offset_end = QEMU_ALIGN_UP(offset_end, BDRV_SECTOR_SIZE); 403 ret = blk_pwrite(pfl->blk, offset, pfl->storage + offset, 404 offset_end - offset, 0); 405 if (ret < 0) { 406 /* TODO set error bit in status */ 407 error_report("Could not update PFLASH: %s", strerror(-ret)); 408 } 409 } 410 } 411 412 static void pflash_sector_erase(PFlashCFI02 *pfl, hwaddr offset) 413 { 414 SectorInfo sector_info = pflash_sector_info(pfl, offset); 415 uint64_t sector_len = sector_info.len; 416 offset &= ~(sector_len - 1); 417 DPRINTF("%s: start sector erase at %0*" PRIx64 "-%0*" PRIx64 "\n", 418 __func__, pfl->width * 2, offset, 419 pfl->width * 2, offset + sector_len - 1); 420 if (!pfl->ro) { 421 uint8_t *p = pfl->storage; 422 memset(p + offset, 0xff, sector_len); 423 pflash_update(pfl, offset, sector_len); 424 } 425 set_dq7(pfl, 0x00); 426 ++pfl->sectors_to_erase; 427 set_bit(sector_info.num, pfl->sector_erase_map); 428 /* Set (or reset) the 50 us timer for additional erase commands. */ 429 timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + 50000); 430 } 431 432 static void pflash_write(void *opaque, hwaddr offset, uint64_t value, 433 unsigned int width) 434 { 435 PFlashCFI02 *pfl = opaque; 436 hwaddr boff; 437 uint8_t *p; 438 uint8_t cmd; 439 440 trace_pflash_io_write(offset, width, value, pfl->wcycle); 441 cmd = value; 442 if (pfl->cmd != 0xA0) { 443 /* Reset does nothing during chip erase and sector erase. */ 444 if (cmd == 0xF0 && pfl->cmd != 0x10 && pfl->cmd != 0x30) { 445 if (pfl->wcycle == WCYCLE_AUTOSELECT_CFI) { 446 /* Return to autoselect mode. */ 447 pfl->wcycle = 3; 448 pfl->cmd = 0x90; 449 return; 450 } 451 goto reset_flash; 452 } 453 } 454 offset &= pfl->chip_len - 1; 455 456 boff = offset; 457 if (pfl->width == 2) { 458 boff = boff >> 1; 459 } else if (pfl->width == 4) { 460 boff = boff >> 2; 461 } 462 /* Only the least-significant 11 bits are used in most cases. */ 463 boff &= 0x7FF; 464 switch (pfl->wcycle) { 465 case 0: 466 /* Set the device in I/O access mode if required */ 467 if (pfl->rom_mode) 468 pflash_register_memory(pfl, 0); 469 pfl->read_counter = 0; 470 /* We're in read mode */ 471 check_unlock0: 472 if (boff == 0x55 && cmd == 0x98) { 473 /* Enter CFI query mode */ 474 pfl->wcycle = WCYCLE_CFI; 475 pfl->cmd = 0x98; 476 return; 477 } 478 /* Handle erase resume in erase suspend mode, otherwise reset. */ 479 if (cmd == 0x30) { /* Erase Resume */ 480 if (pflash_erase_suspend_mode(pfl)) { 481 /* Resume the erase. */ 482 timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + 483 pfl->erase_time_remaining); 484 pfl->erase_time_remaining = 0; 485 pfl->wcycle = 6; 486 pfl->cmd = 0x30; 487 set_dq7(pfl, 0x00); 488 assert_dq3(pfl); 489 return; 490 } 491 goto reset_flash; 492 } 493 /* Ignore erase suspend. */ 494 if (cmd == 0xB0) { /* Erase Suspend */ 495 return; 496 } 497 if (boff != pfl->unlock_addr0 || cmd != 0xAA) { 498 DPRINTF("%s: unlock0 failed " TARGET_FMT_plx " %02x %04x\n", 499 __func__, boff, cmd, pfl->unlock_addr0); 500 goto reset_flash; 501 } 502 DPRINTF("%s: unlock sequence started\n", __func__); 503 break; 504 case 1: 505 /* We started an unlock sequence */ 506 check_unlock1: 507 if (boff != pfl->unlock_addr1 || cmd != 0x55) { 508 DPRINTF("%s: unlock1 failed " TARGET_FMT_plx " %02x\n", __func__, 509 boff, cmd); 510 goto reset_flash; 511 } 512 DPRINTF("%s: unlock sequence done\n", __func__); 513 break; 514 case 2: 515 /* We finished an unlock sequence */ 516 if (!pfl->bypass && boff != pfl->unlock_addr0) { 517 DPRINTF("%s: command failed " TARGET_FMT_plx " %02x\n", __func__, 518 boff, cmd); 519 goto reset_flash; 520 } 521 switch (cmd) { 522 case 0x20: 523 pfl->bypass = 1; 524 goto do_bypass; 525 case 0x80: /* Erase */ 526 case 0x90: /* Autoselect */ 527 case 0xA0: /* Program */ 528 pfl->cmd = cmd; 529 DPRINTF("%s: starting command %02x\n", __func__, cmd); 530 break; 531 default: 532 DPRINTF("%s: unknown command %02x\n", __func__, cmd); 533 goto reset_flash; 534 } 535 break; 536 case 3: 537 switch (pfl->cmd) { 538 case 0x80: /* Erase */ 539 /* We need another unlock sequence */ 540 goto check_unlock0; 541 case 0xA0: /* Program */ 542 if (pflash_erase_suspend_mode(pfl) && 543 pflash_sector_is_erasing(pfl, offset)) { 544 /* Ignore writes to erasing sectors. */ 545 if (pfl->bypass) { 546 goto do_bypass; 547 } 548 goto reset_flash; 549 } 550 trace_pflash_data_write(offset, width, value, 0); 551 if (!pfl->ro) { 552 p = (uint8_t *)pfl->storage + offset; 553 if (pfl->be) { 554 uint64_t current = ldn_be_p(p, width); 555 stn_be_p(p, width, current & value); 556 } else { 557 uint64_t current = ldn_le_p(p, width); 558 stn_le_p(p, width, current & value); 559 } 560 pflash_update(pfl, offset, width); 561 } 562 /* 563 * While programming, status bit DQ7 should hold the opposite 564 * value from how it was programmed. 565 */ 566 set_dq7(pfl, ~value); 567 /* Let's pretend write is immediate */ 568 if (pfl->bypass) 569 goto do_bypass; 570 goto reset_flash; 571 case 0x90: /* Autoselect */ 572 if (pfl->bypass && cmd == 0x00) { 573 /* Unlock bypass reset */ 574 goto reset_flash; 575 } 576 /* 577 * We can enter CFI query mode from autoselect mode, but we must 578 * return to autoselect mode after a reset. 579 */ 580 if (boff == 0x55 && cmd == 0x98) { 581 /* Enter autoselect CFI query mode */ 582 pfl->wcycle = WCYCLE_AUTOSELECT_CFI; 583 pfl->cmd = 0x98; 584 return; 585 } 586 /* fall through */ 587 default: 588 DPRINTF("%s: invalid write for command %02x\n", 589 __func__, pfl->cmd); 590 goto reset_flash; 591 } 592 case 4: 593 switch (pfl->cmd) { 594 case 0xA0: /* Program */ 595 /* Ignore writes while flash data write is occurring */ 596 /* As we suppose write is immediate, this should never happen */ 597 return; 598 case 0x80: /* Erase */ 599 goto check_unlock1; 600 default: 601 /* Should never happen */ 602 DPRINTF("%s: invalid command state %02x (wc 4)\n", 603 __func__, pfl->cmd); 604 goto reset_flash; 605 } 606 break; 607 case 5: 608 if (pflash_erase_suspend_mode(pfl)) { 609 /* Erasing is not supported in erase suspend mode. */ 610 goto reset_flash; 611 } 612 switch (cmd) { 613 case 0x10: /* Chip Erase */ 614 if (boff != pfl->unlock_addr0) { 615 DPRINTF("%s: chip erase: invalid address " TARGET_FMT_plx "\n", 616 __func__, offset); 617 goto reset_flash; 618 } 619 /* Chip erase */ 620 DPRINTF("%s: start chip erase\n", __func__); 621 if (!pfl->ro) { 622 memset(pfl->storage, 0xff, pfl->chip_len); 623 pflash_update(pfl, 0, pfl->chip_len); 624 } 625 set_dq7(pfl, 0x00); 626 /* Wait the time specified at CFI address 0x22. */ 627 timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + 628 (1ULL << pfl->cfi_table[0x22]) * SCALE_MS); 629 break; 630 case 0x30: /* Sector erase */ 631 pflash_sector_erase(pfl, offset); 632 break; 633 default: 634 DPRINTF("%s: invalid command %02x (wc 5)\n", __func__, cmd); 635 goto reset_flash; 636 } 637 pfl->cmd = cmd; 638 break; 639 case 6: 640 switch (pfl->cmd) { 641 case 0x10: /* Chip Erase */ 642 /* Ignore writes during chip erase */ 643 return; 644 case 0x30: /* Sector erase */ 645 if (cmd == 0xB0) { 646 /* 647 * If erase suspend happens during the erase timeout (so DQ3 is 648 * 0), then the device suspends erasing immediately. Set the 649 * remaining time to be the total time to erase. Otherwise, 650 * there is a maximum amount of time it can take to enter 651 * suspend mode. Let's ignore that and suspend immediately and 652 * set the remaining time to the actual time remaining on the 653 * timer. 654 */ 655 if ((pfl->status & 0x08) == 0) { 656 pfl->erase_time_remaining = pflash_erase_time(pfl); 657 } else { 658 int64_t delta = timer_expire_time_ns(&pfl->timer) - 659 qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL); 660 /* Make sure we have a positive time remaining. */ 661 pfl->erase_time_remaining = delta <= 0 ? 1 : delta; 662 } 663 reset_dq3(pfl); 664 timer_del(&pfl->timer); 665 pfl->wcycle = 0; 666 pfl->cmd = 0; 667 return; 668 } 669 /* 670 * If DQ3 is 0, additional sector erase commands can be 671 * written and anything else (other than an erase suspend) resets 672 * the device. 673 */ 674 if ((pfl->status & 0x08) == 0) { 675 if (cmd == 0x30) { 676 pflash_sector_erase(pfl, offset); 677 } else { 678 goto reset_flash; 679 } 680 } 681 /* Ignore writes during the actual erase. */ 682 return; 683 default: 684 /* Should never happen */ 685 DPRINTF("%s: invalid command state %02x (wc 6)\n", 686 __func__, pfl->cmd); 687 goto reset_flash; 688 } 689 break; 690 /* Special values for CFI queries */ 691 case WCYCLE_CFI: 692 case WCYCLE_AUTOSELECT_CFI: 693 DPRINTF("%s: invalid write in CFI query mode\n", __func__); 694 goto reset_flash; 695 default: 696 /* Should never happen */ 697 DPRINTF("%s: invalid write state (wc 7)\n", __func__); 698 goto reset_flash; 699 } 700 pfl->wcycle++; 701 702 return; 703 704 /* Reset flash */ 705 reset_flash: 706 trace_pflash_reset(); 707 pfl->bypass = 0; 708 pfl->wcycle = 0; 709 pfl->cmd = 0; 710 return; 711 712 do_bypass: 713 pfl->wcycle = 2; 714 pfl->cmd = 0; 715 } 716 717 static const MemoryRegionOps pflash_cfi02_ops = { 718 .read = pflash_read, 719 .write = pflash_write, 720 .valid.min_access_size = 1, 721 .valid.max_access_size = 4, 722 .endianness = DEVICE_NATIVE_ENDIAN, 723 }; 724 725 static void pflash_cfi02_realize(DeviceState *dev, Error **errp) 726 { 727 PFlashCFI02 *pfl = PFLASH_CFI02(dev); 728 int ret; 729 Error *local_err = NULL; 730 731 if (pfl->uniform_sector_len == 0 && pfl->sector_len[0] == 0) { 732 error_setg(errp, "attribute \"sector-length\" not specified or zero."); 733 return; 734 } 735 if (pfl->uniform_nb_blocs == 0 && pfl->nb_blocs[0] == 0) { 736 error_setg(errp, "attribute \"num-blocks\" not specified or zero."); 737 return; 738 } 739 if (pfl->name == NULL) { 740 error_setg(errp, "attribute \"name\" not specified."); 741 return; 742 } 743 744 int nb_regions; 745 pfl->chip_len = 0; 746 pfl->total_sectors = 0; 747 for (nb_regions = 0; nb_regions < PFLASH_MAX_ERASE_REGIONS; ++nb_regions) { 748 if (pfl->nb_blocs[nb_regions] == 0) { 749 break; 750 } 751 pfl->total_sectors += pfl->nb_blocs[nb_regions]; 752 uint64_t sector_len_per_device = pfl->sector_len[nb_regions]; 753 754 /* 755 * The size of each flash sector must be a power of 2 and it must be 756 * aligned at the same power of 2. 757 */ 758 if (sector_len_per_device & 0xff || 759 sector_len_per_device >= (1 << 24) || 760 !is_power_of_2(sector_len_per_device)) 761 { 762 error_setg(errp, "unsupported configuration: " 763 "sector length[%d] per device = %" PRIx64 ".", 764 nb_regions, sector_len_per_device); 765 return; 766 } 767 if (pfl->chip_len & (sector_len_per_device - 1)) { 768 error_setg(errp, "unsupported configuration: " 769 "flash region %d not correctly aligned.", 770 nb_regions); 771 return; 772 } 773 774 pfl->chip_len += (uint64_t)pfl->sector_len[nb_regions] * 775 pfl->nb_blocs[nb_regions]; 776 } 777 778 uint64_t uniform_len = (uint64_t)pfl->uniform_nb_blocs * 779 pfl->uniform_sector_len; 780 if (nb_regions == 0) { 781 nb_regions = 1; 782 pfl->nb_blocs[0] = pfl->uniform_nb_blocs; 783 pfl->sector_len[0] = pfl->uniform_sector_len; 784 pfl->chip_len = uniform_len; 785 pfl->total_sectors = pfl->uniform_nb_blocs; 786 } else if (uniform_len != 0 && uniform_len != pfl->chip_len) { 787 error_setg(errp, "\"num-blocks\"*\"sector-length\" " 788 "different from \"num-blocks0\"*\'sector-length0\" + ... + " 789 "\"num-blocks3\"*\"sector-length3\""); 790 return; 791 } 792 793 memory_region_init_rom_device(&pfl->orig_mem, OBJECT(pfl), 794 &pflash_cfi02_ops, pfl, pfl->name, 795 pfl->chip_len, &local_err); 796 if (local_err) { 797 error_propagate(errp, local_err); 798 return; 799 } 800 801 pfl->storage = memory_region_get_ram_ptr(&pfl->orig_mem); 802 803 if (pfl->blk) { 804 uint64_t perm; 805 pfl->ro = blk_is_read_only(pfl->blk); 806 perm = BLK_PERM_CONSISTENT_READ | (pfl->ro ? 0 : BLK_PERM_WRITE); 807 ret = blk_set_perm(pfl->blk, perm, BLK_PERM_ALL, errp); 808 if (ret < 0) { 809 return; 810 } 811 } else { 812 pfl->ro = 0; 813 } 814 815 if (pfl->blk) { 816 if (!blk_check_size_and_read_all(pfl->blk, pfl->storage, 817 pfl->chip_len, errp)) { 818 vmstate_unregister_ram(&pfl->orig_mem, DEVICE(pfl)); 819 return; 820 } 821 } 822 823 /* Only 11 bits are used in the comparison. */ 824 pfl->unlock_addr0 &= 0x7FF; 825 pfl->unlock_addr1 &= 0x7FF; 826 827 /* Allocate memory for a bitmap for sectors being erased. */ 828 pfl->sector_erase_map = bitmap_new(pfl->total_sectors); 829 830 pflash_setup_mappings(pfl); 831 pfl->rom_mode = 1; 832 sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem); 833 834 timer_init_ns(&pfl->timer, QEMU_CLOCK_VIRTUAL, pflash_timer, pfl); 835 pfl->wcycle = 0; 836 pfl->cmd = 0; 837 pfl->status = 0; 838 839 /* Hardcoded CFI table (mostly from SG29 Spansion flash) */ 840 const uint16_t pri_ofs = 0x40; 841 /* Standard "QRY" string */ 842 pfl->cfi_table[0x10] = 'Q'; 843 pfl->cfi_table[0x11] = 'R'; 844 pfl->cfi_table[0x12] = 'Y'; 845 /* Command set (AMD/Fujitsu) */ 846 pfl->cfi_table[0x13] = 0x02; 847 pfl->cfi_table[0x14] = 0x00; 848 /* Primary extended table address */ 849 pfl->cfi_table[0x15] = pri_ofs; 850 pfl->cfi_table[0x16] = pri_ofs >> 8; 851 /* Alternate command set (none) */ 852 pfl->cfi_table[0x17] = 0x00; 853 pfl->cfi_table[0x18] = 0x00; 854 /* Alternate extended table (none) */ 855 pfl->cfi_table[0x19] = 0x00; 856 pfl->cfi_table[0x1A] = 0x00; 857 /* Vcc min */ 858 pfl->cfi_table[0x1B] = 0x27; 859 /* Vcc max */ 860 pfl->cfi_table[0x1C] = 0x36; 861 /* Vpp min (no Vpp pin) */ 862 pfl->cfi_table[0x1D] = 0x00; 863 /* Vpp max (no Vpp pin) */ 864 pfl->cfi_table[0x1E] = 0x00; 865 /* Timeout per single byte/word write (128 ms) */ 866 pfl->cfi_table[0x1F] = 0x07; 867 /* Timeout for min size buffer write (NA) */ 868 pfl->cfi_table[0x20] = 0x00; 869 /* Typical timeout for block erase (512 ms) */ 870 pfl->cfi_table[0x21] = 0x09; 871 /* Typical timeout for full chip erase (4096 ms) */ 872 pfl->cfi_table[0x22] = 0x0C; 873 /* Reserved */ 874 pfl->cfi_table[0x23] = 0x01; 875 /* Max timeout for buffer write (NA) */ 876 pfl->cfi_table[0x24] = 0x00; 877 /* Max timeout for block erase */ 878 pfl->cfi_table[0x25] = 0x0A; 879 /* Max timeout for chip erase */ 880 pfl->cfi_table[0x26] = 0x0D; 881 /* Device size */ 882 pfl->cfi_table[0x27] = ctz32(pfl->chip_len); 883 /* Flash device interface (8 & 16 bits) */ 884 pfl->cfi_table[0x28] = 0x02; 885 pfl->cfi_table[0x29] = 0x00; 886 /* Max number of bytes in multi-bytes write */ 887 /* XXX: disable buffered write as it's not supported */ 888 // pfl->cfi_table[0x2A] = 0x05; 889 pfl->cfi_table[0x2A] = 0x00; 890 pfl->cfi_table[0x2B] = 0x00; 891 /* Number of erase block regions */ 892 pfl->cfi_table[0x2c] = nb_regions; 893 /* Erase block regions */ 894 for (int i = 0; i < nb_regions; ++i) { 895 uint32_t sector_len_per_device = pfl->sector_len[i]; 896 pfl->cfi_table[0x2d + 4 * i] = pfl->nb_blocs[i] - 1; 897 pfl->cfi_table[0x2e + 4 * i] = (pfl->nb_blocs[i] - 1) >> 8; 898 pfl->cfi_table[0x2f + 4 * i] = sector_len_per_device >> 8; 899 pfl->cfi_table[0x30 + 4 * i] = sector_len_per_device >> 16; 900 } 901 assert(0x2c + 4 * nb_regions < pri_ofs); 902 903 /* Extended */ 904 pfl->cfi_table[0x00 + pri_ofs] = 'P'; 905 pfl->cfi_table[0x01 + pri_ofs] = 'R'; 906 pfl->cfi_table[0x02 + pri_ofs] = 'I'; 907 908 /* Extended version 1.0 */ 909 pfl->cfi_table[0x03 + pri_ofs] = '1'; 910 pfl->cfi_table[0x04 + pri_ofs] = '0'; 911 912 /* Address sensitive unlock required. */ 913 pfl->cfi_table[0x05 + pri_ofs] = 0x00; 914 /* Erase suspend to read/write. */ 915 pfl->cfi_table[0x06 + pri_ofs] = 0x02; 916 /* Sector protect not supported. */ 917 pfl->cfi_table[0x07 + pri_ofs] = 0x00; 918 /* Temporary sector unprotect not supported. */ 919 pfl->cfi_table[0x08 + pri_ofs] = 0x00; 920 921 /* Sector protect/unprotect scheme. */ 922 pfl->cfi_table[0x09 + pri_ofs] = 0x00; 923 924 /* Simultaneous operation not supported. */ 925 pfl->cfi_table[0x0a + pri_ofs] = 0x00; 926 /* Burst mode not supported. */ 927 pfl->cfi_table[0x0b + pri_ofs] = 0x00; 928 /* Page mode not supported. */ 929 pfl->cfi_table[0x0c + pri_ofs] = 0x00; 930 assert(0x0c + pri_ofs < ARRAY_SIZE(pfl->cfi_table)); 931 } 932 933 static Property pflash_cfi02_properties[] = { 934 DEFINE_PROP_DRIVE("drive", PFlashCFI02, blk), 935 DEFINE_PROP_UINT32("num-blocks", PFlashCFI02, uniform_nb_blocs, 0), 936 DEFINE_PROP_UINT32("sector-length", PFlashCFI02, uniform_sector_len, 0), 937 DEFINE_PROP_UINT32("num-blocks0", PFlashCFI02, nb_blocs[0], 0), 938 DEFINE_PROP_UINT32("sector-length0", PFlashCFI02, sector_len[0], 0), 939 DEFINE_PROP_UINT32("num-blocks1", PFlashCFI02, nb_blocs[1], 0), 940 DEFINE_PROP_UINT32("sector-length1", PFlashCFI02, sector_len[1], 0), 941 DEFINE_PROP_UINT32("num-blocks2", PFlashCFI02, nb_blocs[2], 0), 942 DEFINE_PROP_UINT32("sector-length2", PFlashCFI02, sector_len[2], 0), 943 DEFINE_PROP_UINT32("num-blocks3", PFlashCFI02, nb_blocs[3], 0), 944 DEFINE_PROP_UINT32("sector-length3", PFlashCFI02, sector_len[3], 0), 945 DEFINE_PROP_UINT8("width", PFlashCFI02, width, 0), 946 DEFINE_PROP_UINT8("mappings", PFlashCFI02, mappings, 0), 947 DEFINE_PROP_UINT8("big-endian", PFlashCFI02, be, 0), 948 DEFINE_PROP_UINT16("id0", PFlashCFI02, ident0, 0), 949 DEFINE_PROP_UINT16("id1", PFlashCFI02, ident1, 0), 950 DEFINE_PROP_UINT16("id2", PFlashCFI02, ident2, 0), 951 DEFINE_PROP_UINT16("id3", PFlashCFI02, ident3, 0), 952 DEFINE_PROP_UINT16("unlock-addr0", PFlashCFI02, unlock_addr0, 0), 953 DEFINE_PROP_UINT16("unlock-addr1", PFlashCFI02, unlock_addr1, 0), 954 DEFINE_PROP_STRING("name", PFlashCFI02, name), 955 DEFINE_PROP_END_OF_LIST(), 956 }; 957 958 static void pflash_cfi02_unrealize(DeviceState *dev) 959 { 960 PFlashCFI02 *pfl = PFLASH_CFI02(dev); 961 timer_del(&pfl->timer); 962 g_free(pfl->sector_erase_map); 963 } 964 965 static void pflash_cfi02_class_init(ObjectClass *klass, void *data) 966 { 967 DeviceClass *dc = DEVICE_CLASS(klass); 968 969 dc->realize = pflash_cfi02_realize; 970 dc->unrealize = pflash_cfi02_unrealize; 971 device_class_set_props(dc, pflash_cfi02_properties); 972 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 973 } 974 975 static const TypeInfo pflash_cfi02_info = { 976 .name = TYPE_PFLASH_CFI02, 977 .parent = TYPE_SYS_BUS_DEVICE, 978 .instance_size = sizeof(PFlashCFI02), 979 .class_init = pflash_cfi02_class_init, 980 }; 981 982 static void pflash_cfi02_register_types(void) 983 { 984 type_register_static(&pflash_cfi02_info); 985 } 986 987 type_init(pflash_cfi02_register_types) 988 989 PFlashCFI02 *pflash_cfi02_register(hwaddr base, 990 const char *name, 991 hwaddr size, 992 BlockBackend *blk, 993 uint32_t sector_len, 994 int nb_mappings, int width, 995 uint16_t id0, uint16_t id1, 996 uint16_t id2, uint16_t id3, 997 uint16_t unlock_addr0, 998 uint16_t unlock_addr1, 999 int be) 1000 { 1001 DeviceState *dev = qdev_create(NULL, TYPE_PFLASH_CFI02); 1002 1003 if (blk) { 1004 qdev_prop_set_drive(dev, "drive", blk, &error_abort); 1005 } 1006 assert(QEMU_IS_ALIGNED(size, sector_len)); 1007 qdev_prop_set_uint32(dev, "num-blocks", size / sector_len); 1008 qdev_prop_set_uint32(dev, "sector-length", sector_len); 1009 qdev_prop_set_uint8(dev, "width", width); 1010 qdev_prop_set_uint8(dev, "mappings", nb_mappings); 1011 qdev_prop_set_uint8(dev, "big-endian", !!be); 1012 qdev_prop_set_uint16(dev, "id0", id0); 1013 qdev_prop_set_uint16(dev, "id1", id1); 1014 qdev_prop_set_uint16(dev, "id2", id2); 1015 qdev_prop_set_uint16(dev, "id3", id3); 1016 qdev_prop_set_uint16(dev, "unlock-addr0", unlock_addr0); 1017 qdev_prop_set_uint16(dev, "unlock-addr1", unlock_addr1); 1018 qdev_prop_set_string(dev, "name", name); 1019 qdev_init_nofail(dev); 1020 1021 sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base); 1022 return PFLASH_CFI02(dev); 1023 } 1024