1 /* 2 * CFI parallel flash with AMD command set emulation 3 * 4 * Copyright (c) 2005 Jocelyn Mayer 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 /* 21 * For now, this code can emulate flashes of 1, 2 or 4 bytes width. 22 * Supported commands/modes are: 23 * - flash read 24 * - flash write 25 * - flash ID read 26 * - sector erase 27 * - chip erase 28 * - unlock bypass command 29 * - CFI queries 30 * 31 * It does not support flash interleaving. 32 * It does not implement software data protection as found in many real chips 33 */ 34 35 #include "qemu/osdep.h" 36 #include "hw/block/block.h" 37 #include "hw/block/flash.h" 38 #include "hw/qdev-properties.h" 39 #include "hw/qdev-properties-system.h" 40 #include "qapi/error.h" 41 #include "qemu/error-report.h" 42 #include "qemu/bitmap.h" 43 #include "qemu/timer.h" 44 #include "sysemu/block-backend.h" 45 #include "qemu/host-utils.h" 46 #include "qemu/module.h" 47 #include "hw/sysbus.h" 48 #include "migration/vmstate.h" 49 #include "trace.h" 50 51 #define PFLASH_LAZY_ROMD_THRESHOLD 42 52 53 /* 54 * The size of the cfi_table indirectly depends on this and the start of the 55 * PRI table directly depends on it. 4 is the maximum size (and also what 56 * seems common) without changing the PRT table address. 57 */ 58 #define PFLASH_MAX_ERASE_REGIONS 4 59 60 /* Special write cycles for CFI queries. */ 61 enum { 62 WCYCLE_CFI = 7, 63 WCYCLE_AUTOSELECT_CFI = 8, 64 }; 65 66 struct PFlashCFI02 { 67 /*< private >*/ 68 SysBusDevice parent_obj; 69 /*< public >*/ 70 71 BlockBackend *blk; 72 uint32_t uniform_nb_blocs; 73 uint32_t uniform_sector_len; 74 uint32_t total_sectors; 75 uint32_t nb_blocs[PFLASH_MAX_ERASE_REGIONS]; 76 uint32_t sector_len[PFLASH_MAX_ERASE_REGIONS]; 77 uint32_t chip_len; 78 uint8_t mappings; 79 uint8_t width; 80 uint8_t be; 81 int wcycle; /* if 0, the flash is read normally */ 82 int bypass; 83 int ro; 84 uint8_t cmd; 85 uint8_t status; 86 /* FIXME: implement array device properties */ 87 uint16_t ident0; 88 uint16_t ident1; 89 uint16_t ident2; 90 uint16_t ident3; 91 uint16_t unlock_addr0; 92 uint16_t unlock_addr1; 93 uint8_t cfi_table[0x4d]; 94 QEMUTimer timer; 95 /* 96 * The device replicates the flash memory across its memory space. Emulate 97 * that by having a container (.mem) filled with an array of aliases 98 * (.mem_mappings) pointing to the flash memory (.orig_mem). 99 */ 100 MemoryRegion mem; 101 MemoryRegion *mem_mappings; /* array; one per mapping */ 102 MemoryRegion orig_mem; 103 bool rom_mode; 104 int read_counter; /* used for lazy switch-back to rom mode */ 105 int sectors_to_erase; 106 uint64_t erase_time_remaining; 107 unsigned long *sector_erase_map; 108 char *name; 109 void *storage; 110 }; 111 112 /* 113 * Toggle status bit DQ7. 114 */ 115 static inline void toggle_dq7(PFlashCFI02 *pfl) 116 { 117 pfl->status ^= 0x80; 118 } 119 120 /* 121 * Set status bit DQ7 to bit 7 of value. 122 */ 123 static inline void set_dq7(PFlashCFI02 *pfl, uint8_t value) 124 { 125 pfl->status &= 0x7F; 126 pfl->status |= value & 0x80; 127 } 128 129 /* 130 * Toggle status bit DQ6. 131 */ 132 static inline void toggle_dq6(PFlashCFI02 *pfl) 133 { 134 pfl->status ^= 0x40; 135 } 136 137 /* 138 * Turn on DQ3. 139 */ 140 static inline void assert_dq3(PFlashCFI02 *pfl) 141 { 142 pfl->status |= 0x08; 143 } 144 145 /* 146 * Turn off DQ3. 147 */ 148 static inline void reset_dq3(PFlashCFI02 *pfl) 149 { 150 pfl->status &= ~0x08; 151 } 152 153 /* 154 * Toggle status bit DQ2. 155 */ 156 static inline void toggle_dq2(PFlashCFI02 *pfl) 157 { 158 pfl->status ^= 0x04; 159 } 160 161 /* 162 * Set up replicated mappings of the same region. 163 */ 164 static void pflash_setup_mappings(PFlashCFI02 *pfl) 165 { 166 unsigned i; 167 hwaddr size = memory_region_size(&pfl->orig_mem); 168 169 memory_region_init(&pfl->mem, OBJECT(pfl), "pflash", pfl->mappings * size); 170 pfl->mem_mappings = g_new(MemoryRegion, pfl->mappings); 171 for (i = 0; i < pfl->mappings; ++i) { 172 memory_region_init_alias(&pfl->mem_mappings[i], OBJECT(pfl), 173 "pflash-alias", &pfl->orig_mem, 0, size); 174 memory_region_add_subregion(&pfl->mem, i * size, &pfl->mem_mappings[i]); 175 } 176 pfl->rom_mode = true; 177 } 178 179 static void pflash_reset_state_machine(PFlashCFI02 *pfl) 180 { 181 trace_pflash_reset(pfl->name); 182 pfl->cmd = 0x00; 183 pfl->wcycle = 0; 184 } 185 186 static void pflash_mode_read_array(PFlashCFI02 *pfl) 187 { 188 trace_pflash_mode_read_array(pfl->name); 189 pflash_reset_state_machine(pfl); 190 pfl->rom_mode = true; 191 memory_region_rom_device_set_romd(&pfl->orig_mem, true); 192 } 193 194 static size_t pflash_regions_count(PFlashCFI02 *pfl) 195 { 196 return pfl->cfi_table[0x2c]; 197 } 198 199 /* 200 * Returns the time it takes to erase the number of sectors scheduled for 201 * erasure based on CFI address 0x21 which is "Typical timeout per individual 202 * block erase 2^N ms." 203 */ 204 static uint64_t pflash_erase_time(PFlashCFI02 *pfl) 205 { 206 /* 207 * If there are no sectors to erase (which can happen if all of the sectors 208 * to be erased are protected), then erase takes 100 us. Protected sectors 209 * aren't supported so this should never happen. 210 */ 211 return ((1ULL << pfl->cfi_table[0x21]) * pfl->sectors_to_erase) * SCALE_US; 212 } 213 214 /* 215 * Returns true if the device is currently in erase suspend mode. 216 */ 217 static inline bool pflash_erase_suspend_mode(PFlashCFI02 *pfl) 218 { 219 return pfl->erase_time_remaining > 0; 220 } 221 222 static void pflash_timer(void *opaque) 223 { 224 PFlashCFI02 *pfl = opaque; 225 226 trace_pflash_timer_expired(pfl->name, pfl->cmd); 227 if (pfl->cmd == 0x30) { 228 /* 229 * Sector erase. If DQ3 is 0 when the timer expires, then the 50 230 * us erase timeout has expired so we need to start the timer for the 231 * sector erase algorithm. Otherwise, the erase completed and we should 232 * go back to read array mode. 233 */ 234 if ((pfl->status & 0x08) == 0) { 235 assert_dq3(pfl); 236 uint64_t timeout = pflash_erase_time(pfl); 237 timer_mod(&pfl->timer, 238 qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + timeout); 239 trace_pflash_erase_timeout(pfl->name, pfl->sectors_to_erase); 240 return; 241 } 242 trace_pflash_erase_complete(pfl->name); 243 bitmap_zero(pfl->sector_erase_map, pfl->total_sectors); 244 pfl->sectors_to_erase = 0; 245 reset_dq3(pfl); 246 } 247 248 /* Reset flash */ 249 toggle_dq7(pfl); 250 if (pfl->bypass) { 251 pfl->wcycle = 2; 252 pfl->cmd = 0; 253 } else { 254 pflash_mode_read_array(pfl); 255 } 256 } 257 258 /* 259 * Read data from flash. 260 */ 261 static uint64_t pflash_data_read(PFlashCFI02 *pfl, hwaddr offset, 262 unsigned int width) 263 { 264 uint8_t *p = (uint8_t *)pfl->storage + offset; 265 uint64_t ret = pfl->be ? ldn_be_p(p, width) : ldn_le_p(p, width); 266 trace_pflash_data_read(pfl->name, offset, width, ret); 267 return ret; 268 } 269 270 typedef struct { 271 uint32_t len; 272 uint32_t num; 273 } SectorInfo; 274 275 /* 276 * offset should be a byte offset of the QEMU device and _not_ a device 277 * offset. 278 */ 279 static SectorInfo pflash_sector_info(PFlashCFI02 *pfl, hwaddr offset) 280 { 281 assert(offset < pfl->chip_len); 282 hwaddr addr = 0; 283 uint32_t sector_num = 0; 284 for (int i = 0; i < pflash_regions_count(pfl); ++i) { 285 uint64_t region_size = (uint64_t)pfl->nb_blocs[i] * pfl->sector_len[i]; 286 if (addr <= offset && offset < addr + region_size) { 287 return (SectorInfo) { 288 .len = pfl->sector_len[i], 289 .num = sector_num + (offset - addr) / pfl->sector_len[i], 290 }; 291 } 292 sector_num += pfl->nb_blocs[i]; 293 addr += region_size; 294 } 295 abort(); 296 } 297 298 /* 299 * Returns true if the offset refers to a flash sector that is currently being 300 * erased. 301 */ 302 static bool pflash_sector_is_erasing(PFlashCFI02 *pfl, hwaddr offset) 303 { 304 long sector_num = pflash_sector_info(pfl, offset).num; 305 return test_bit(sector_num, pfl->sector_erase_map); 306 } 307 308 static uint64_t pflash_read(void *opaque, hwaddr offset, unsigned int width) 309 { 310 PFlashCFI02 *pfl = opaque; 311 hwaddr boff; 312 uint64_t ret; 313 314 /* Lazy reset to ROMD mode after a certain amount of read accesses */ 315 if (!pfl->rom_mode && pfl->wcycle == 0 && 316 ++pfl->read_counter > PFLASH_LAZY_ROMD_THRESHOLD) { 317 pflash_mode_read_array(pfl); 318 } 319 offset &= pfl->chip_len - 1; 320 boff = offset & 0xFF; 321 if (pfl->width == 2) { 322 boff = boff >> 1; 323 } else if (pfl->width == 4) { 324 boff = boff >> 2; 325 } 326 switch (pfl->cmd) { 327 default: 328 /* This should never happen : reset state & treat it as a read*/ 329 trace_pflash_read_unknown_state(pfl->name, pfl->cmd); 330 pflash_reset_state_machine(pfl); 331 /* fall through to the read code */ 332 case 0x80: /* Erase (unlock) */ 333 /* We accept reads during second unlock sequence... */ 334 case 0x00: 335 if (pflash_erase_suspend_mode(pfl) && 336 pflash_sector_is_erasing(pfl, offset)) { 337 /* Toggle bit 2, but not 6. */ 338 toggle_dq2(pfl); 339 /* Status register read */ 340 ret = pfl->status; 341 trace_pflash_read_status(pfl->name, ret); 342 break; 343 } 344 /* Flash area read */ 345 ret = pflash_data_read(pfl, offset, width); 346 break; 347 case 0x90: /* flash ID read */ 348 switch (boff) { 349 case 0x00: 350 case 0x01: 351 ret = boff & 0x01 ? pfl->ident1 : pfl->ident0; 352 break; 353 case 0x02: 354 ret = 0x00; /* Pretend all sectors are unprotected */ 355 break; 356 case 0x0E: 357 case 0x0F: 358 ret = boff & 0x01 ? pfl->ident3 : pfl->ident2; 359 if (ret != (uint8_t)-1) { 360 break; 361 } 362 /* Fall through to data read. */ 363 default: 364 ret = pflash_data_read(pfl, offset, width); 365 } 366 trace_pflash_read_done(pfl->name, boff, ret); 367 break; 368 case 0x10: /* Chip Erase */ 369 case 0x30: /* Sector Erase */ 370 /* Toggle bit 2 during erase, but not program. */ 371 toggle_dq2(pfl); 372 /* fall through */ 373 case 0xA0: /* Program */ 374 /* Toggle bit 6 */ 375 toggle_dq6(pfl); 376 /* Status register read */ 377 ret = pfl->status; 378 trace_pflash_read_status(pfl->name, ret); 379 break; 380 case 0x98: 381 /* CFI query mode */ 382 if (boff < sizeof(pfl->cfi_table)) { 383 ret = pfl->cfi_table[boff]; 384 } else { 385 ret = 0; 386 } 387 break; 388 } 389 trace_pflash_io_read(pfl->name, offset, width, ret, pfl->cmd, pfl->wcycle); 390 391 return ret; 392 } 393 394 /* update flash content on disk */ 395 static void pflash_update(PFlashCFI02 *pfl, int offset, int size) 396 { 397 int offset_end; 398 int ret; 399 if (pfl->blk) { 400 offset_end = offset + size; 401 /* widen to sector boundaries */ 402 offset = QEMU_ALIGN_DOWN(offset, BDRV_SECTOR_SIZE); 403 offset_end = QEMU_ALIGN_UP(offset_end, BDRV_SECTOR_SIZE); 404 ret = blk_pwrite(pfl->blk, offset, pfl->storage + offset, 405 offset_end - offset, 0); 406 if (ret < 0) { 407 /* TODO set error bit in status */ 408 error_report("Could not update PFLASH: %s", strerror(-ret)); 409 } 410 } 411 } 412 413 static void pflash_sector_erase(PFlashCFI02 *pfl, hwaddr offset) 414 { 415 SectorInfo sector_info = pflash_sector_info(pfl, offset); 416 uint64_t sector_len = sector_info.len; 417 offset &= ~(sector_len - 1); 418 trace_pflash_sector_erase_start(pfl->name, pfl->width * 2, offset, 419 pfl->width * 2, offset + sector_len - 1); 420 if (!pfl->ro) { 421 uint8_t *p = pfl->storage; 422 memset(p + offset, 0xff, sector_len); 423 pflash_update(pfl, offset, sector_len); 424 } 425 set_dq7(pfl, 0x00); 426 ++pfl->sectors_to_erase; 427 set_bit(sector_info.num, pfl->sector_erase_map); 428 /* Set (or reset) the 50 us timer for additional erase commands. */ 429 timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + 50000); 430 } 431 432 static void pflash_write(void *opaque, hwaddr offset, uint64_t value, 433 unsigned int width) 434 { 435 PFlashCFI02 *pfl = opaque; 436 hwaddr boff; 437 uint8_t *p; 438 uint8_t cmd; 439 440 trace_pflash_io_write(pfl->name, offset, width, value, pfl->wcycle); 441 cmd = value; 442 if (pfl->cmd != 0xA0) { 443 /* Reset does nothing during chip erase and sector erase. */ 444 if (cmd == 0xF0 && pfl->cmd != 0x10 && pfl->cmd != 0x30) { 445 if (pfl->wcycle == WCYCLE_AUTOSELECT_CFI) { 446 /* Return to autoselect mode. */ 447 pfl->wcycle = 3; 448 pfl->cmd = 0x90; 449 return; 450 } 451 goto reset_flash; 452 } 453 } 454 offset &= pfl->chip_len - 1; 455 456 boff = offset; 457 if (pfl->width == 2) { 458 boff = boff >> 1; 459 } else if (pfl->width == 4) { 460 boff = boff >> 2; 461 } 462 /* Only the least-significant 11 bits are used in most cases. */ 463 boff &= 0x7FF; 464 switch (pfl->wcycle) { 465 case 0: 466 /* Set the device in I/O access mode if required */ 467 if (pfl->rom_mode) { 468 pfl->rom_mode = false; 469 memory_region_rom_device_set_romd(&pfl->orig_mem, false); 470 } 471 pfl->read_counter = 0; 472 /* We're in read mode */ 473 check_unlock0: 474 if (boff == 0x55 && cmd == 0x98) { 475 /* Enter CFI query mode */ 476 pfl->wcycle = WCYCLE_CFI; 477 pfl->cmd = 0x98; 478 return; 479 } 480 /* Handle erase resume in erase suspend mode, otherwise reset. */ 481 if (cmd == 0x30) { /* Erase Resume */ 482 if (pflash_erase_suspend_mode(pfl)) { 483 /* Resume the erase. */ 484 timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + 485 pfl->erase_time_remaining); 486 pfl->erase_time_remaining = 0; 487 pfl->wcycle = 6; 488 pfl->cmd = 0x30; 489 set_dq7(pfl, 0x00); 490 assert_dq3(pfl); 491 return; 492 } 493 goto reset_flash; 494 } 495 /* Ignore erase suspend. */ 496 if (cmd == 0xB0) { /* Erase Suspend */ 497 return; 498 } 499 if (boff != pfl->unlock_addr0 || cmd != 0xAA) { 500 trace_pflash_unlock0_failed(pfl->name, boff, 501 cmd, pfl->unlock_addr0); 502 goto reset_flash; 503 } 504 trace_pflash_write(pfl->name, "unlock sequence started"); 505 break; 506 case 1: 507 /* We started an unlock sequence */ 508 check_unlock1: 509 if (boff != pfl->unlock_addr1 || cmd != 0x55) { 510 trace_pflash_unlock1_failed(pfl->name, boff, cmd); 511 goto reset_flash; 512 } 513 trace_pflash_write(pfl->name, "unlock sequence done"); 514 break; 515 case 2: 516 /* We finished an unlock sequence */ 517 if (!pfl->bypass && boff != pfl->unlock_addr0) { 518 trace_pflash_write_failed(pfl->name, boff, cmd); 519 goto reset_flash; 520 } 521 switch (cmd) { 522 case 0x20: 523 pfl->bypass = 1; 524 goto do_bypass; 525 case 0x80: /* Erase */ 526 case 0x90: /* Autoselect */ 527 case 0xA0: /* Program */ 528 pfl->cmd = cmd; 529 trace_pflash_write_start(pfl->name, cmd); 530 break; 531 default: 532 trace_pflash_write_unknown(pfl->name, cmd); 533 goto reset_flash; 534 } 535 break; 536 case 3: 537 switch (pfl->cmd) { 538 case 0x80: /* Erase */ 539 /* We need another unlock sequence */ 540 goto check_unlock0; 541 case 0xA0: /* Program */ 542 if (pflash_erase_suspend_mode(pfl) && 543 pflash_sector_is_erasing(pfl, offset)) { 544 /* Ignore writes to erasing sectors. */ 545 if (pfl->bypass) { 546 goto do_bypass; 547 } 548 goto reset_flash; 549 } 550 trace_pflash_data_write(pfl->name, offset, width, value, 0); 551 if (!pfl->ro) { 552 p = (uint8_t *)pfl->storage + offset; 553 if (pfl->be) { 554 uint64_t current = ldn_be_p(p, width); 555 stn_be_p(p, width, current & value); 556 } else { 557 uint64_t current = ldn_le_p(p, width); 558 stn_le_p(p, width, current & value); 559 } 560 pflash_update(pfl, offset, width); 561 } 562 /* 563 * While programming, status bit DQ7 should hold the opposite 564 * value from how it was programmed. 565 */ 566 set_dq7(pfl, ~value); 567 /* Let's pretend write is immediate */ 568 if (pfl->bypass) 569 goto do_bypass; 570 goto reset_flash; 571 case 0x90: /* Autoselect */ 572 if (pfl->bypass && cmd == 0x00) { 573 /* Unlock bypass reset */ 574 goto reset_flash; 575 } 576 /* 577 * We can enter CFI query mode from autoselect mode, but we must 578 * return to autoselect mode after a reset. 579 */ 580 if (boff == 0x55 && cmd == 0x98) { 581 /* Enter autoselect CFI query mode */ 582 pfl->wcycle = WCYCLE_AUTOSELECT_CFI; 583 pfl->cmd = 0x98; 584 return; 585 } 586 /* fall through */ 587 default: 588 trace_pflash_write_invalid(pfl->name, pfl->cmd); 589 goto reset_flash; 590 } 591 case 4: 592 switch (pfl->cmd) { 593 case 0xA0: /* Program */ 594 /* Ignore writes while flash data write is occurring */ 595 /* As we suppose write is immediate, this should never happen */ 596 return; 597 case 0x80: /* Erase */ 598 goto check_unlock1; 599 default: 600 /* Should never happen */ 601 trace_pflash_write_invalid_state(pfl->name, pfl->cmd, 5); 602 goto reset_flash; 603 } 604 break; 605 case 5: 606 if (pflash_erase_suspend_mode(pfl)) { 607 /* Erasing is not supported in erase suspend mode. */ 608 goto reset_flash; 609 } 610 switch (cmd) { 611 case 0x10: /* Chip Erase */ 612 if (boff != pfl->unlock_addr0) { 613 trace_pflash_chip_erase_invalid(pfl->name, offset); 614 goto reset_flash; 615 } 616 /* Chip erase */ 617 trace_pflash_chip_erase_start(pfl->name); 618 if (!pfl->ro) { 619 memset(pfl->storage, 0xff, pfl->chip_len); 620 pflash_update(pfl, 0, pfl->chip_len); 621 } 622 set_dq7(pfl, 0x00); 623 /* Wait the time specified at CFI address 0x22. */ 624 timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + 625 (1ULL << pfl->cfi_table[0x22]) * SCALE_MS); 626 break; 627 case 0x30: /* Sector erase */ 628 pflash_sector_erase(pfl, offset); 629 break; 630 default: 631 trace_pflash_write_invalid_command(pfl->name, cmd); 632 goto reset_flash; 633 } 634 pfl->cmd = cmd; 635 break; 636 case 6: 637 switch (pfl->cmd) { 638 case 0x10: /* Chip Erase */ 639 /* Ignore writes during chip erase */ 640 return; 641 case 0x30: /* Sector erase */ 642 if (cmd == 0xB0) { 643 /* 644 * If erase suspend happens during the erase timeout (so DQ3 is 645 * 0), then the device suspends erasing immediately. Set the 646 * remaining time to be the total time to erase. Otherwise, 647 * there is a maximum amount of time it can take to enter 648 * suspend mode. Let's ignore that and suspend immediately and 649 * set the remaining time to the actual time remaining on the 650 * timer. 651 */ 652 if ((pfl->status & 0x08) == 0) { 653 pfl->erase_time_remaining = pflash_erase_time(pfl); 654 } else { 655 int64_t delta = timer_expire_time_ns(&pfl->timer) - 656 qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL); 657 /* Make sure we have a positive time remaining. */ 658 pfl->erase_time_remaining = delta <= 0 ? 1 : delta; 659 } 660 reset_dq3(pfl); 661 timer_del(&pfl->timer); 662 pflash_reset_state_machine(pfl); 663 return; 664 } 665 /* 666 * If DQ3 is 0, additional sector erase commands can be 667 * written and anything else (other than an erase suspend) resets 668 * the device. 669 */ 670 if ((pfl->status & 0x08) == 0) { 671 if (cmd == 0x30) { 672 pflash_sector_erase(pfl, offset); 673 } else { 674 goto reset_flash; 675 } 676 } 677 /* Ignore writes during the actual erase. */ 678 return; 679 default: 680 /* Should never happen */ 681 trace_pflash_write_invalid_state(pfl->name, pfl->cmd, 6); 682 goto reset_flash; 683 } 684 break; 685 /* Special values for CFI queries */ 686 case WCYCLE_CFI: 687 case WCYCLE_AUTOSELECT_CFI: 688 trace_pflash_write(pfl->name, "invalid write in CFI query mode"); 689 goto reset_flash; 690 default: 691 /* Should never happen */ 692 trace_pflash_write(pfl->name, "invalid write state (wc 7)"); 693 goto reset_flash; 694 } 695 pfl->wcycle++; 696 697 return; 698 699 /* Reset flash */ 700 reset_flash: 701 pfl->bypass = 0; 702 pflash_reset_state_machine(pfl); 703 return; 704 705 do_bypass: 706 pfl->wcycle = 2; 707 pfl->cmd = 0; 708 } 709 710 static const MemoryRegionOps pflash_cfi02_ops = { 711 .read = pflash_read, 712 .write = pflash_write, 713 .valid.min_access_size = 1, 714 .valid.max_access_size = 4, 715 .endianness = DEVICE_NATIVE_ENDIAN, 716 }; 717 718 static void pflash_cfi02_fill_cfi_table(PFlashCFI02 *pfl, int nb_regions) 719 { 720 /* Hardcoded CFI table (mostly from SG29 Spansion flash) */ 721 const uint16_t pri_ofs = 0x40; 722 /* Standard "QRY" string */ 723 pfl->cfi_table[0x10] = 'Q'; 724 pfl->cfi_table[0x11] = 'R'; 725 pfl->cfi_table[0x12] = 'Y'; 726 /* Command set (AMD/Fujitsu) */ 727 pfl->cfi_table[0x13] = 0x02; 728 pfl->cfi_table[0x14] = 0x00; 729 /* Primary extended table address */ 730 pfl->cfi_table[0x15] = pri_ofs; 731 pfl->cfi_table[0x16] = pri_ofs >> 8; 732 /* Alternate command set (none) */ 733 pfl->cfi_table[0x17] = 0x00; 734 pfl->cfi_table[0x18] = 0x00; 735 /* Alternate extended table (none) */ 736 pfl->cfi_table[0x19] = 0x00; 737 pfl->cfi_table[0x1A] = 0x00; 738 /* Vcc min */ 739 pfl->cfi_table[0x1B] = 0x27; 740 /* Vcc max */ 741 pfl->cfi_table[0x1C] = 0x36; 742 /* Vpp min (no Vpp pin) */ 743 pfl->cfi_table[0x1D] = 0x00; 744 /* Vpp max (no Vpp pin) */ 745 pfl->cfi_table[0x1E] = 0x00; 746 /* Timeout per single byte/word write (128 ms) */ 747 pfl->cfi_table[0x1F] = 0x07; 748 /* Timeout for min size buffer write (NA) */ 749 pfl->cfi_table[0x20] = 0x00; 750 /* Typical timeout for block erase (512 ms) */ 751 pfl->cfi_table[0x21] = 0x09; 752 /* Typical timeout for full chip erase (4096 ms) */ 753 pfl->cfi_table[0x22] = 0x0C; 754 /* Reserved */ 755 pfl->cfi_table[0x23] = 0x01; 756 /* Max timeout for buffer write (NA) */ 757 pfl->cfi_table[0x24] = 0x00; 758 /* Max timeout for block erase */ 759 pfl->cfi_table[0x25] = 0x0A; 760 /* Max timeout for chip erase */ 761 pfl->cfi_table[0x26] = 0x0D; 762 /* Device size */ 763 pfl->cfi_table[0x27] = ctz32(pfl->chip_len); 764 /* Flash device interface (8 & 16 bits) */ 765 pfl->cfi_table[0x28] = 0x02; 766 pfl->cfi_table[0x29] = 0x00; 767 /* Max number of bytes in multi-bytes write */ 768 /* 769 * XXX: disable buffered write as it's not supported 770 * pfl->cfi_table[0x2A] = 0x05; 771 */ 772 pfl->cfi_table[0x2A] = 0x00; 773 pfl->cfi_table[0x2B] = 0x00; 774 /* Number of erase block regions */ 775 pfl->cfi_table[0x2c] = nb_regions; 776 /* Erase block regions */ 777 for (int i = 0; i < nb_regions; ++i) { 778 uint32_t sector_len_per_device = pfl->sector_len[i]; 779 pfl->cfi_table[0x2d + 4 * i] = pfl->nb_blocs[i] - 1; 780 pfl->cfi_table[0x2e + 4 * i] = (pfl->nb_blocs[i] - 1) >> 8; 781 pfl->cfi_table[0x2f + 4 * i] = sector_len_per_device >> 8; 782 pfl->cfi_table[0x30 + 4 * i] = sector_len_per_device >> 16; 783 } 784 assert(0x2c + 4 * nb_regions < pri_ofs); 785 786 /* Extended */ 787 pfl->cfi_table[0x00 + pri_ofs] = 'P'; 788 pfl->cfi_table[0x01 + pri_ofs] = 'R'; 789 pfl->cfi_table[0x02 + pri_ofs] = 'I'; 790 791 /* Extended version 1.0 */ 792 pfl->cfi_table[0x03 + pri_ofs] = '1'; 793 pfl->cfi_table[0x04 + pri_ofs] = '0'; 794 795 /* Address sensitive unlock required. */ 796 pfl->cfi_table[0x05 + pri_ofs] = 0x00; 797 /* Erase suspend to read/write. */ 798 pfl->cfi_table[0x06 + pri_ofs] = 0x02; 799 /* Sector protect not supported. */ 800 pfl->cfi_table[0x07 + pri_ofs] = 0x00; 801 /* Temporary sector unprotect not supported. */ 802 pfl->cfi_table[0x08 + pri_ofs] = 0x00; 803 804 /* Sector protect/unprotect scheme. */ 805 pfl->cfi_table[0x09 + pri_ofs] = 0x00; 806 807 /* Simultaneous operation not supported. */ 808 pfl->cfi_table[0x0a + pri_ofs] = 0x00; 809 /* Burst mode not supported. */ 810 pfl->cfi_table[0x0b + pri_ofs] = 0x00; 811 /* Page mode not supported. */ 812 pfl->cfi_table[0x0c + pri_ofs] = 0x00; 813 assert(0x0c + pri_ofs < ARRAY_SIZE(pfl->cfi_table)); 814 } 815 816 static void pflash_cfi02_realize(DeviceState *dev, Error **errp) 817 { 818 ERRP_GUARD(); 819 PFlashCFI02 *pfl = PFLASH_CFI02(dev); 820 int ret; 821 822 if (pfl->uniform_sector_len == 0 && pfl->sector_len[0] == 0) { 823 error_setg(errp, "attribute \"sector-length\" not specified or zero."); 824 return; 825 } 826 if (pfl->uniform_nb_blocs == 0 && pfl->nb_blocs[0] == 0) { 827 error_setg(errp, "attribute \"num-blocks\" not specified or zero."); 828 return; 829 } 830 if (pfl->name == NULL) { 831 error_setg(errp, "attribute \"name\" not specified."); 832 return; 833 } 834 835 int nb_regions; 836 pfl->chip_len = 0; 837 pfl->total_sectors = 0; 838 for (nb_regions = 0; nb_regions < PFLASH_MAX_ERASE_REGIONS; ++nb_regions) { 839 if (pfl->nb_blocs[nb_regions] == 0) { 840 break; 841 } 842 pfl->total_sectors += pfl->nb_blocs[nb_regions]; 843 uint64_t sector_len_per_device = pfl->sector_len[nb_regions]; 844 845 /* 846 * The size of each flash sector must be a power of 2 and it must be 847 * aligned at the same power of 2. 848 */ 849 if (sector_len_per_device & 0xff || 850 sector_len_per_device >= (1 << 24) || 851 !is_power_of_2(sector_len_per_device)) 852 { 853 error_setg(errp, "unsupported configuration: " 854 "sector length[%d] per device = %" PRIx64 ".", 855 nb_regions, sector_len_per_device); 856 return; 857 } 858 if (pfl->chip_len & (sector_len_per_device - 1)) { 859 error_setg(errp, "unsupported configuration: " 860 "flash region %d not correctly aligned.", 861 nb_regions); 862 return; 863 } 864 865 pfl->chip_len += (uint64_t)pfl->sector_len[nb_regions] * 866 pfl->nb_blocs[nb_regions]; 867 } 868 869 uint64_t uniform_len = (uint64_t)pfl->uniform_nb_blocs * 870 pfl->uniform_sector_len; 871 if (nb_regions == 0) { 872 nb_regions = 1; 873 pfl->nb_blocs[0] = pfl->uniform_nb_blocs; 874 pfl->sector_len[0] = pfl->uniform_sector_len; 875 pfl->chip_len = uniform_len; 876 pfl->total_sectors = pfl->uniform_nb_blocs; 877 } else if (uniform_len != 0 && uniform_len != pfl->chip_len) { 878 error_setg(errp, "\"num-blocks\"*\"sector-length\" " 879 "different from \"num-blocks0\"*\'sector-length0\" + ... + " 880 "\"num-blocks3\"*\"sector-length3\""); 881 return; 882 } 883 884 memory_region_init_rom_device(&pfl->orig_mem, OBJECT(pfl), 885 &pflash_cfi02_ops, pfl, pfl->name, 886 pfl->chip_len, errp); 887 if (*errp) { 888 return; 889 } 890 891 pfl->storage = memory_region_get_ram_ptr(&pfl->orig_mem); 892 893 if (pfl->blk) { 894 uint64_t perm; 895 pfl->ro = !blk_supports_write_perm(pfl->blk); 896 perm = BLK_PERM_CONSISTENT_READ | (pfl->ro ? 0 : BLK_PERM_WRITE); 897 ret = blk_set_perm(pfl->blk, perm, BLK_PERM_ALL, errp); 898 if (ret < 0) { 899 return; 900 } 901 } else { 902 pfl->ro = 0; 903 } 904 905 if (pfl->blk) { 906 if (!blk_check_size_and_read_all(pfl->blk, pfl->storage, 907 pfl->chip_len, errp)) { 908 vmstate_unregister_ram(&pfl->orig_mem, DEVICE(pfl)); 909 return; 910 } 911 } 912 913 /* Only 11 bits are used in the comparison. */ 914 pfl->unlock_addr0 &= 0x7FF; 915 pfl->unlock_addr1 &= 0x7FF; 916 917 /* Allocate memory for a bitmap for sectors being erased. */ 918 pfl->sector_erase_map = bitmap_new(pfl->total_sectors); 919 920 pflash_setup_mappings(pfl); 921 sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem); 922 923 timer_init_ns(&pfl->timer, QEMU_CLOCK_VIRTUAL, pflash_timer, pfl); 924 pfl->status = 0; 925 926 pflash_cfi02_fill_cfi_table(pfl, nb_regions); 927 } 928 929 static void pflash_cfi02_reset(DeviceState *dev) 930 { 931 PFlashCFI02 *pfl = PFLASH_CFI02(dev); 932 933 pflash_reset_state_machine(pfl); 934 } 935 936 static Property pflash_cfi02_properties[] = { 937 DEFINE_PROP_DRIVE("drive", PFlashCFI02, blk), 938 DEFINE_PROP_UINT32("num-blocks", PFlashCFI02, uniform_nb_blocs, 0), 939 DEFINE_PROP_UINT32("sector-length", PFlashCFI02, uniform_sector_len, 0), 940 DEFINE_PROP_UINT32("num-blocks0", PFlashCFI02, nb_blocs[0], 0), 941 DEFINE_PROP_UINT32("sector-length0", PFlashCFI02, sector_len[0], 0), 942 DEFINE_PROP_UINT32("num-blocks1", PFlashCFI02, nb_blocs[1], 0), 943 DEFINE_PROP_UINT32("sector-length1", PFlashCFI02, sector_len[1], 0), 944 DEFINE_PROP_UINT32("num-blocks2", PFlashCFI02, nb_blocs[2], 0), 945 DEFINE_PROP_UINT32("sector-length2", PFlashCFI02, sector_len[2], 0), 946 DEFINE_PROP_UINT32("num-blocks3", PFlashCFI02, nb_blocs[3], 0), 947 DEFINE_PROP_UINT32("sector-length3", PFlashCFI02, sector_len[3], 0), 948 DEFINE_PROP_UINT8("width", PFlashCFI02, width, 0), 949 DEFINE_PROP_UINT8("mappings", PFlashCFI02, mappings, 0), 950 DEFINE_PROP_UINT8("big-endian", PFlashCFI02, be, 0), 951 DEFINE_PROP_UINT16("id0", PFlashCFI02, ident0, 0), 952 DEFINE_PROP_UINT16("id1", PFlashCFI02, ident1, 0), 953 DEFINE_PROP_UINT16("id2", PFlashCFI02, ident2, 0), 954 DEFINE_PROP_UINT16("id3", PFlashCFI02, ident3, 0), 955 DEFINE_PROP_UINT16("unlock-addr0", PFlashCFI02, unlock_addr0, 0), 956 DEFINE_PROP_UINT16("unlock-addr1", PFlashCFI02, unlock_addr1, 0), 957 DEFINE_PROP_STRING("name", PFlashCFI02, name), 958 DEFINE_PROP_END_OF_LIST(), 959 }; 960 961 static void pflash_cfi02_unrealize(DeviceState *dev) 962 { 963 PFlashCFI02 *pfl = PFLASH_CFI02(dev); 964 timer_del(&pfl->timer); 965 g_free(pfl->sector_erase_map); 966 } 967 968 static void pflash_cfi02_class_init(ObjectClass *klass, void *data) 969 { 970 DeviceClass *dc = DEVICE_CLASS(klass); 971 972 dc->realize = pflash_cfi02_realize; 973 dc->reset = pflash_cfi02_reset; 974 dc->unrealize = pflash_cfi02_unrealize; 975 device_class_set_props(dc, pflash_cfi02_properties); 976 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 977 } 978 979 static const TypeInfo pflash_cfi02_info = { 980 .name = TYPE_PFLASH_CFI02, 981 .parent = TYPE_SYS_BUS_DEVICE, 982 .instance_size = sizeof(PFlashCFI02), 983 .class_init = pflash_cfi02_class_init, 984 }; 985 986 static void pflash_cfi02_register_types(void) 987 { 988 type_register_static(&pflash_cfi02_info); 989 } 990 991 type_init(pflash_cfi02_register_types) 992 993 PFlashCFI02 *pflash_cfi02_register(hwaddr base, 994 const char *name, 995 hwaddr size, 996 BlockBackend *blk, 997 uint32_t sector_len, 998 int nb_mappings, int width, 999 uint16_t id0, uint16_t id1, 1000 uint16_t id2, uint16_t id3, 1001 uint16_t unlock_addr0, 1002 uint16_t unlock_addr1, 1003 int be) 1004 { 1005 DeviceState *dev = qdev_new(TYPE_PFLASH_CFI02); 1006 1007 if (blk) { 1008 qdev_prop_set_drive(dev, "drive", blk); 1009 } 1010 assert(QEMU_IS_ALIGNED(size, sector_len)); 1011 qdev_prop_set_uint32(dev, "num-blocks", size / sector_len); 1012 qdev_prop_set_uint32(dev, "sector-length", sector_len); 1013 qdev_prop_set_uint8(dev, "width", width); 1014 qdev_prop_set_uint8(dev, "mappings", nb_mappings); 1015 qdev_prop_set_uint8(dev, "big-endian", !!be); 1016 qdev_prop_set_uint16(dev, "id0", id0); 1017 qdev_prop_set_uint16(dev, "id1", id1); 1018 qdev_prop_set_uint16(dev, "id2", id2); 1019 qdev_prop_set_uint16(dev, "id3", id3); 1020 qdev_prop_set_uint16(dev, "unlock-addr0", unlock_addr0); 1021 qdev_prop_set_uint16(dev, "unlock-addr1", unlock_addr1); 1022 qdev_prop_set_string(dev, "name", name); 1023 sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); 1024 1025 sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base); 1026 return PFLASH_CFI02(dev); 1027 } 1028