xref: /openbmc/qemu/hw/i3c/aspeed_i3c.c (revision 66ae8f22)
1 /*
2  * ASPEED I3C Controller
3  *
4  * Copyright (C) 2021 ASPEED Technology Inc.
5  * Copyright (C) 2023 Google LLC
6  *
7  * This code is licensed under the GPL version 2 or later.  See
8  * the COPYING file in the top-level directory.
9  */
10 
11 #include "qemu/osdep.h"
12 #include "qemu/log.h"
13 #include "qemu/error-report.h"
14 #include "hw/i3c/aspeed_i3c.h"
15 #include "hw/registerfields.h"
16 #include "hw/qdev-properties.h"
17 #include "qapi/error.h"
18 #include "migration/vmstate.h"
19 #include "trace.h"
20 #include "hw/i3c/i3c.h"
21 #include "hw/irq.h"
22 
23 /*
24  * Disable event command values. sent along with a DISEC CCC to disable certain
25  * events on targets.
26  */
27 #define DISEC_HJ 0x08
28 #define DISEC_CR 0x02
29 #define DISEC_INT 0x01
30 
31 /* I3C Controller Registers */
32 REG32(I3C1_REG0, 0x10)
33 REG32(I3C1_REG1, 0x14)
34     FIELD(I3C1_REG1, I2C_MODE,      0,  1)
35     FIELD(I3C1_REG1, SLV_TEST_MODE, 1,  1)
36     FIELD(I3C1_REG1, ACT_MODE,      2,  2)
37     FIELD(I3C1_REG1, PENDING_INT,   4,  4)
38     FIELD(I3C1_REG1, SA,            8,  7)
39     FIELD(I3C1_REG1, SA_EN,         15, 1)
40     FIELD(I3C1_REG1, INST_ID,       16, 4)
41 REG32(I3C2_REG0, 0x20)
42 REG32(I3C2_REG1, 0x24)
43     FIELD(I3C2_REG1, I2C_MODE,      0,  1)
44     FIELD(I3C2_REG1, SLV_TEST_MODE, 1,  1)
45     FIELD(I3C2_REG1, ACT_MODE,      2,  2)
46     FIELD(I3C2_REG1, PENDING_INT,   4,  4)
47     FIELD(I3C2_REG1, SA,            8,  7)
48     FIELD(I3C2_REG1, SA_EN,         15, 1)
49     FIELD(I3C2_REG1, INST_ID,       16, 4)
50 REG32(I3C3_REG0, 0x30)
51 REG32(I3C3_REG1, 0x34)
52     FIELD(I3C3_REG1, I2C_MODE,      0,  1)
53     FIELD(I3C3_REG1, SLV_TEST_MODE, 1,  1)
54     FIELD(I3C3_REG1, ACT_MODE,      2,  2)
55     FIELD(I3C3_REG1, PENDING_INT,   4,  4)
56     FIELD(I3C3_REG1, SA,            8,  7)
57     FIELD(I3C3_REG1, SA_EN,         15, 1)
58     FIELD(I3C3_REG1, INST_ID,       16, 4)
59 REG32(I3C4_REG0, 0x40)
60 REG32(I3C4_REG1, 0x44)
61     FIELD(I3C4_REG1, I2C_MODE,      0,  1)
62     FIELD(I3C4_REG1, SLV_TEST_MODE, 1,  1)
63     FIELD(I3C4_REG1, ACT_MODE,      2,  2)
64     FIELD(I3C4_REG1, PENDING_INT,   4,  4)
65     FIELD(I3C4_REG1, SA,            8,  7)
66     FIELD(I3C4_REG1, SA_EN,         15, 1)
67     FIELD(I3C4_REG1, INST_ID,       16, 4)
68 REG32(I3C5_REG0, 0x50)
69 REG32(I3C5_REG1, 0x54)
70     FIELD(I3C5_REG1, I2C_MODE,      0,  1)
71     FIELD(I3C5_REG1, SLV_TEST_MODE, 1,  1)
72     FIELD(I3C5_REG1, ACT_MODE,      2,  2)
73     FIELD(I3C5_REG1, PENDING_INT,   4,  4)
74     FIELD(I3C5_REG1, SA,            8,  7)
75     FIELD(I3C5_REG1, SA_EN,         15, 1)
76     FIELD(I3C5_REG1, INST_ID,       16, 4)
77 REG32(I3C6_REG0, 0x60)
78 REG32(I3C6_REG1, 0x64)
79     FIELD(I3C6_REG1, I2C_MODE,      0,  1)
80     FIELD(I3C6_REG1, SLV_TEST_MODE, 1,  1)
81     FIELD(I3C6_REG1, ACT_MODE,      2,  2)
82     FIELD(I3C6_REG1, PENDING_INT,   4,  4)
83     FIELD(I3C6_REG1, SA,            8,  7)
84     FIELD(I3C6_REG1, SA_EN,         15, 1)
85     FIELD(I3C6_REG1, INST_ID,       16, 4)
86 
87 /* I3C Device Registers */
88 REG32(DEVICE_CTRL,                  0x00)
89     FIELD(DEVICE_CTRL, I3C_BROADCAST_ADDR_INC,    0, 1)
90     FIELD(DEVICE_CTRL, I2C_SLAVE_PRESENT,         7, 1)
91     FIELD(DEVICE_CTRL, HOT_JOIN_ACK_NACK_CTRL,    8, 1)
92     FIELD(DEVICE_CTRL, IDLE_CNT_MULTIPLIER,       24, 2)
93     FIELD(DEVICE_CTRL, SLV_ADAPT_TO_I2C_I3C_MODE, 27, 1)
94     FIELD(DEVICE_CTRL, DMA_HANDSHAKE_EN,          28, 1)
95     FIELD(DEVICE_CTRL, I3C_ABORT,                 29, 1)
96     FIELD(DEVICE_CTRL, I3C_RESUME,                30, 1)
97     FIELD(DEVICE_CTRL, I3C_EN,                    31, 1)
98 REG32(DEVICE_ADDR,                  0x04)
99     FIELD(DEVICE_ADDR, STATIC_ADDR,         0, 7)
100     FIELD(DEVICE_ADDR, STATIC_ADDR_VALID,   15, 1)
101     FIELD(DEVICE_ADDR, DYNAMIC_ADDR,        16, 7)
102     FIELD(DEVICE_ADDR, DYNAMIC_ADDR_VALID,  15, 1)
103 REG32(HW_CAPABILITY,                0x08)
104     FIELD(HW_CAPABILITY, ENTDAA,  0, 1)
105     FIELD(HW_CAPABILITY, HDR_DDR, 3, 1)
106     FIELD(HW_CAPABILITY, HDR_TS,  4, 1)
107 REG32(COMMAND_QUEUE_PORT,           0x0c)
108     FIELD(COMMAND_QUEUE_PORT, CMD_ATTR, 0, 3)
109     /* Transfer command structure */
110     FIELD(COMMAND_QUEUE_PORT, TID, 3, 4)
111     FIELD(COMMAND_QUEUE_PORT, CMD, 7, 8)
112     FIELD(COMMAND_QUEUE_PORT, CP, 15, 1)
113     FIELD(COMMAND_QUEUE_PORT, DEV_INDEX, 16, 5)
114     FIELD(COMMAND_QUEUE_PORT, SPEED, 21, 3)
115     FIELD(COMMAND_QUEUE_PORT, ROC, 26, 1)
116     FIELD(COMMAND_QUEUE_PORT, SDAP, 27, 1)
117     FIELD(COMMAND_QUEUE_PORT, RNW, 28, 1)
118     FIELD(COMMAND_QUEUE_PORT, TOC, 30, 1)
119     FIELD(COMMAND_QUEUE_PORT, PEC, 31, 1)
120     /* Transfer argument data structure */
121     FIELD(COMMAND_QUEUE_PORT, DB, 8, 8)
122     FIELD(COMMAND_QUEUE_PORT, DL, 16, 16)
123     /* Short data argument data structure */
124     FIELD(COMMAND_QUEUE_PORT, BYTE_STRB, 3, 3)
125     FIELD(COMMAND_QUEUE_PORT, BYTE0, 8, 8)
126     FIELD(COMMAND_QUEUE_PORT, BYTE1, 16, 8)
127     FIELD(COMMAND_QUEUE_PORT, BYTE2, 24, 8)
128     /* Address assignment command structure */
129     /*
130      * bits 3..21 and 26..31 are the same as the transfer command structure, or
131      * marked as reserved.
132      */
133     FIELD(COMMAND_QUEUE_PORT, DEV_COUNT, 21, 3)
134 REG32(RESPONSE_QUEUE_PORT,          0x10)
135     FIELD(RESPONSE_QUEUE_PORT, DL, 0, 16)
136     FIELD(RESPONSE_QUEUE_PORT, CCCT, 16, 8)
137     FIELD(RESPONSE_QUEUE_PORT, TID, 24, 4)
138     FIELD(RESPONSE_QUEUE_PORT, ERR_STATUS, 28, 4)
139 REG32(RX_TX_DATA_PORT,              0x14)
140 REG32(IBI_QUEUE_STATUS,             0x18)
141     FIELD(IBI_QUEUE_STATUS, IBI_DATA_LEN,   0, 8)
142     FIELD(IBI_QUEUE_STATUS, IBI_ID,         8, 8)
143     FIELD(IBI_QUEUE_STATUS, LAST_STATUS,  24, 1)
144     FIELD(IBI_QUEUE_STATUS, ERROR,  30, 1)
145     FIELD(IBI_QUEUE_STATUS, IBI_STATUS,  31, 1)
146 REG32(IBI_QUEUE_DATA,               0x18)
147 REG32(QUEUE_THLD_CTRL,              0x1c)
148     FIELD(QUEUE_THLD_CTRL, CMD_BUF_EMPTY_THLD,  0, 8);
149     FIELD(QUEUE_THLD_CTRL, RESP_BUF_THLD, 8, 8);
150     FIELD(QUEUE_THLD_CTRL, IBI_DATA_THLD, 16, 8);
151     FIELD(QUEUE_THLD_CTRL, IBI_STATUS_THLD,     24, 8);
152 REG32(DATA_BUFFER_THLD_CTRL,        0x20)
153     FIELD(DATA_BUFFER_THLD_CTRL, TX_BUF_THLD,   0, 3)
154     FIELD(DATA_BUFFER_THLD_CTRL, RX_BUF_THLD,   10, 3)
155     FIELD(DATA_BUFFER_THLD_CTRL, TX_START_THLD, 16, 3)
156     FIELD(DATA_BUFFER_THLD_CTRL, RX_START_THLD, 24, 3)
157 REG32(IBI_QUEUE_CTRL,               0x24)
158     FIELD(IBI_QUEUE_CTRL, NOTIFY_REJECTED_HOT_JOIN,   0, 1)
159     FIELD(IBI_QUEUE_CTRL, NOTIFY_REJECTED_MASTER_REQ, 1, 1)
160     FIELD(IBI_QUEUE_CTRL, NOTIFY_REJECTED_SLAVE_IRQ,  3, 1)
161 REG32(IBI_MR_REQ_REJECT,            0x2c)
162 REG32(IBI_SIR_REQ_REJECT,           0x30)
163 REG32(RESET_CTRL,                   0x34)
164     FIELD(RESET_CTRL, CORE_RESET,       0, 1)
165     FIELD(RESET_CTRL, CMD_QUEUE_RESET,  1, 1)
166     FIELD(RESET_CTRL, RESP_QUEUE_RESET, 2, 1)
167     FIELD(RESET_CTRL, TX_BUF_RESET,     3, 1)
168     FIELD(RESET_CTRL, RX_BUF_RESET,     4, 1)
169     FIELD(RESET_CTRL, IBI_QUEUE_RESET,  5, 1)
170 REG32(SLV_EVENT_CTRL,               0x38)
171     FIELD(SLV_EVENT_CTRL, SLV_INTERRUPT,      0, 1)
172     FIELD(SLV_EVENT_CTRL, MASTER_INTERRUPT,   1, 1)
173     FIELD(SLV_EVENT_CTRL, HOT_JOIN_INTERRUPT, 3, 1)
174     FIELD(SLV_EVENT_CTRL, ACTIVITY_STATE,     4, 2)
175     FIELD(SLV_EVENT_CTRL, MRL_UPDATED,        6, 1)
176     FIELD(SLV_EVENT_CTRL, MWL_UPDATED,        7, 1)
177 REG32(INTR_STATUS,                  0x3c)
178     FIELD(INTR_STATUS, TX_THLD,           0, 1)
179     FIELD(INTR_STATUS, RX_THLD,           1, 1)
180     FIELD(INTR_STATUS, IBI_THLD,          2, 1)
181     FIELD(INTR_STATUS, CMD_QUEUE_RDY,     3, 1)
182     FIELD(INTR_STATUS, RESP_RDY,          4, 1)
183     FIELD(INTR_STATUS, TRANSFER_ABORT,    5, 1)
184     FIELD(INTR_STATUS, CCC_UPDATED,       6, 1)
185     FIELD(INTR_STATUS, DYN_ADDR_ASSGN,    8, 1)
186     FIELD(INTR_STATUS, TRANSFER_ERR,      9, 1)
187     FIELD(INTR_STATUS, DEFSLV,            10, 1)
188     FIELD(INTR_STATUS, READ_REQ_RECV,     11, 1)
189     FIELD(INTR_STATUS, IBI_UPDATED,       12, 1)
190     FIELD(INTR_STATUS, BUSOWNER_UPDATED,  13, 1)
191 REG32(INTR_STATUS_EN,               0x40)
192     FIELD(INTR_STATUS_EN, TX_THLD,          0, 1)
193     FIELD(INTR_STATUS_EN, RX_THLD,          1, 1)
194     FIELD(INTR_STATUS_EN, IBI_THLD,         2, 1)
195     FIELD(INTR_STATUS_EN, CMD_QUEUE_RDY,    3, 1)
196     FIELD(INTR_STATUS_EN, RESP_RDY,         4, 1)
197     FIELD(INTR_STATUS_EN, TRANSFER_ABORT,   5, 1)
198     FIELD(INTR_STATUS_EN, CCC_UPDATED,      6, 1)
199     FIELD(INTR_STATUS_EN, DYN_ADDR_ASSGN,   8, 1)
200     FIELD(INTR_STATUS_EN, TRANSFER_ERR,     9, 1)
201     FIELD(INTR_STATUS_EN, DEFSLV,           10, 1)
202     FIELD(INTR_STATUS_EN, READ_REQ_RECV,    11, 1)
203     FIELD(INTR_STATUS_EN, IBI_UPDATED,      12, 1)
204     FIELD(INTR_STATUS_EN, BUSOWNER_UPDATED, 13, 1)
205 REG32(INTR_SIGNAL_EN,               0x44)
206     FIELD(INTR_SIGNAL_EN, TX_THLD,          0, 1)
207     FIELD(INTR_SIGNAL_EN, RX_THLD,          1, 1)
208     FIELD(INTR_SIGNAL_EN, IBI_THLD,         2, 1)
209     FIELD(INTR_SIGNAL_EN, CMD_QUEUE_RDY,    3, 1)
210     FIELD(INTR_SIGNAL_EN, RESP_RDY,         4, 1)
211     FIELD(INTR_SIGNAL_EN, TRANSFER_ABORT,   5, 1)
212     FIELD(INTR_SIGNAL_EN, CCC_UPDATED,      6, 1)
213     FIELD(INTR_SIGNAL_EN, DYN_ADDR_ASSGN,   8, 1)
214     FIELD(INTR_SIGNAL_EN, TRANSFER_ERR,     9, 1)
215     FIELD(INTR_SIGNAL_EN, DEFSLV,           10, 1)
216     FIELD(INTR_SIGNAL_EN, READ_REQ_RECV,    11, 1)
217     FIELD(INTR_SIGNAL_EN, IBI_UPDATED,      12, 1)
218     FIELD(INTR_SIGNAL_EN, BUSOWNER_UPDATED, 13, 1)
219 REG32(INTR_FORCE,                   0x48)
220     FIELD(INTR_FORCE, TX_THLD,          0, 1)
221     FIELD(INTR_FORCE, RX_THLD,          1, 1)
222     FIELD(INTR_FORCE, IBI_THLD,         2, 1)
223     FIELD(INTR_FORCE, CMD_QUEUE_RDY,    3, 1)
224     FIELD(INTR_FORCE, RESP_RDY,         4, 1)
225     FIELD(INTR_FORCE, TRANSFER_ABORT,   5, 1)
226     FIELD(INTR_FORCE, CCC_UPDATED,      6, 1)
227     FIELD(INTR_FORCE, DYN_ADDR_ASSGN,   8, 1)
228     FIELD(INTR_FORCE, TRANSFER_ERR,     9, 1)
229     FIELD(INTR_FORCE, DEFSLV,           10, 1)
230     FIELD(INTR_FORCE, READ_REQ_RECV,    11, 1)
231     FIELD(INTR_FORCE, IBI_UPDATED,      12, 1)
232     FIELD(INTR_FORCE, BUSOWNER_UPDATED, 13, 1)
233 REG32(QUEUE_STATUS_LEVEL,           0x4c)
234     FIELD(QUEUE_STATUS_LEVEL, CMD_QUEUE_EMPTY_LOC,  0, 8)
235     FIELD(QUEUE_STATUS_LEVEL, RESP_BUF_BLR,         8, 8)
236     FIELD(QUEUE_STATUS_LEVEL, IBI_BUF_BLR,          16, 8)
237     FIELD(QUEUE_STATUS_LEVEL, IBI_STATUS_CNT,       24, 5)
238 REG32(DATA_BUFFER_STATUS_LEVEL,     0x50)
239     FIELD(DATA_BUFFER_STATUS_LEVEL, TX_BUF_EMPTY_LOC, 0, 8)
240     FIELD(DATA_BUFFER_STATUS_LEVEL, RX_BUF_BLR,       16, 8)
241 REG32(PRESENT_STATE,                0x54)
242     FIELD(PRESENT_STATE, SCL_LINE_SIGNAL_LEVEL, 0, 1)
243     FIELD(PRESENT_STATE, SDA_LINE_SIGNAL_LEVEL, 1, 1)
244     FIELD(PRESENT_STATE, CURRENT_MASTER,        2, 1)
245     FIELD(PRESENT_STATE, CM_TFR_STATUS,         8, 6)
246     FIELD(PRESENT_STATE, CM_TFR_ST_STATUS,      16, 6)
247     FIELD(PRESENT_STATE, CMD_TID,               24, 4)
248 REG32(CCC_DEVICE_STATUS,            0x58)
249     FIELD(CCC_DEVICE_STATUS, PENDING_INTR,      0, 4)
250     FIELD(CCC_DEVICE_STATUS, PROTOCOL_ERR,      4, 2)
251     FIELD(CCC_DEVICE_STATUS, ACTIVITY_MODE,     6, 2)
252     FIELD(CCC_DEVICE_STATUS, UNDER_ERR,         8, 1)
253     FIELD(CCC_DEVICE_STATUS, SLV_BUSY,          9, 1)
254     FIELD(CCC_DEVICE_STATUS, OVERFLOW_ERR,      10, 1)
255     FIELD(CCC_DEVICE_STATUS, DATA_NOT_READY,    11, 1)
256     FIELD(CCC_DEVICE_STATUS, BUFFER_NOT_AVAIL,  12, 1)
257 REG32(DEVICE_ADDR_TABLE_POINTER,    0x5c)
258     FIELD(DEVICE_ADDR_TABLE_POINTER, DEPTH, 16, 16)
259     FIELD(DEVICE_ADDR_TABLE_POINTER, ADDR,  0,  16)
260 REG32(DEV_CHAR_TABLE_POINTER,       0x60)
261     FIELD(DEV_CHAR_TABLE_POINTER, P_DEV_CHAR_TABLE_START_ADDR,  0, 12)
262     FIELD(DEV_CHAR_TABLE_POINTER, DEV_CHAR_TABLE_DEPTH,         12, 7)
263     FIELD(DEV_CHAR_TABLE_POINTER, PRESENT_DEV_CHAR_TABLE_INDEX, 19, 3)
264 REG32(VENDOR_SPECIFIC_REG_POINTER,  0x6c)
265     FIELD(VENDOR_SPECIFIC_REG_POINTER, P_VENDOR_REG_START_ADDR, 0, 16)
266 REG32(SLV_MIPI_PID_VALUE,           0x70)
267 REG32(SLV_PID_VALUE,                0x74)
268     FIELD(SLV_PID_VALUE, SLV_PID_DCR, 0, 12)
269     FIELD(SLV_PID_VALUE, SLV_INST_ID, 12, 4)
270     FIELD(SLV_PID_VALUE, SLV_PART_ID, 16, 16)
271 REG32(SLV_CHAR_CTRL,                0x78)
272     FIELD(SLV_CHAR_CTRL, BCR,     0, 8)
273     FIELD(SLV_CHAR_CTRL, DCR,     8, 8)
274     FIELD(SLV_CHAR_CTRL, HDR_CAP, 16, 8)
275 REG32(SLV_MAX_LEN,                  0x7c)
276     FIELD(SLV_MAX_LEN, MWL, 0, 16)
277     FIELD(SLV_MAX_LEN, MRL, 16, 16)
278 REG32(MAX_READ_TURNAROUND,          0x80)
279 REG32(MAX_DATA_SPEED,               0x84)
280 REG32(SLV_DEBUG_STATUS,             0x88)
281 REG32(SLV_INTR_REQ,                 0x8c)
282     FIELD(SLV_INTR_REQ, SIR,      0, 1)
283     FIELD(SLV_INTR_REQ, SIR_CTRL, 1, 2)
284     FIELD(SLV_INTR_REQ, MIR,      3, 1)
285     FIELD(SLV_INTR_REQ, IBI_STS,  8, 2)
286 REG32(SLV_TSX_SYMBL_TIMING,         0x90)
287     FIELD(SLV_TSX_SYMBL_TIMING, SLV_TSX_SYMBL_CNT, 0, 6)
288 REG32(DEVICE_CTRL_EXTENDED,         0xb0)
289     FIELD(DEVICE_CTRL_EXTENDED, MODE, 0, 2)
290     FIELD(DEVICE_CTRL_EXTENDED, REQMST_ACK_CTRL, 3, 1)
291 REG32(SCL_I3C_OD_TIMING,            0xb4)
292     FIELD(SCL_I3C_OD_TIMING, I3C_OD_LCNT, 0, 8)
293     FIELD(SCL_I3C_OD_TIMING, I3C_OD_HCNT, 16, 8)
294 REG32(SCL_I3C_PP_TIMING,            0xb8)
295     FIELD(SCL_I3C_PP_TIMING, I3C_PP_LCNT, 0, 8)
296     FIELD(SCL_I3C_PP_TIMING, I3C_PP_HCNT, 16, 8)
297 REG32(SCL_I2C_FM_TIMING,            0xbc)
298 REG32(SCL_I2C_FMP_TIMING,           0xc0)
299     FIELD(SCL_I2C_FMP_TIMING, I2C_FMP_LCNT, 0, 16)
300     FIELD(SCL_I2C_FMP_TIMING, I2C_FMP_HCNT, 16, 8)
301 REG32(SCL_EXT_LCNT_TIMING,          0xc8)
302 REG32(SCL_EXT_TERMN_LCNT_TIMING,    0xcc)
303 REG32(BUS_FREE_TIMING,              0xd4)
304 REG32(BUS_IDLE_TIMING,              0xd8)
305     FIELD(BUS_IDLE_TIMING, BUS_IDLE_TIME, 0, 20)
306 REG32(I3C_VER_ID,                   0xe0)
307 REG32(I3C_VER_TYPE,                 0xe4)
308 REG32(EXTENDED_CAPABILITY,          0xe8)
309     FIELD(EXTENDED_CAPABILITY, APP_IF_MODE,       0, 2)
310     FIELD(EXTENDED_CAPABILITY, APP_IF_DATA_WIDTH, 2, 2)
311     FIELD(EXTENDED_CAPABILITY, OPERATION_MODE,    4, 2)
312     FIELD(EXTENDED_CAPABILITY, CLK_PERIOD,        8, 6)
313 REG32(SLAVE_CONFIG,                 0xec)
314     FIELD(SLAVE_CONFIG, DMA_EN,     0, 1)
315     FIELD(SLAVE_CONFIG, HJ_CAP,     0, 1)
316     FIELD(SLAVE_CONFIG, CLK_PERIOD, 2, 14)
317 /* Device characteristic table fields */
318 REG32(DEVICE_CHARACTERISTIC_TABLE_LOC1, 0x200)
319 REG32(DEVICE_CHARACTERISTIC_TABLE_LOC_SECONDARY, 0x200)
320     FIELD(DEVICE_CHARACTERISTIC_TABLE_LOC_SECONDARY, DYNAMIC_ADDR, 0, 8)
321     FIELD(DEVICE_CHARACTERISTIC_TABLE_LOC_SECONDARY, DCR, 8, 8)
322     FIELD(DEVICE_CHARACTERISTIC_TABLE_LOC_SECONDARY, BCR, 16, 8)
323     FIELD(DEVICE_CHARACTERISTIC_TABLE_LOC_SECONDARY, STATIC_ADDR, 24, 8)
324 REG32(DEVICE_CHARACTERISTIC_TABLE_LOC2, 0x204)
325     FIELD(DEVICE_CHARACTERISTIC_TABLE_LOC2, MSB_PID, 0, 16)
326 REG32(DEVICE_CHARACTERISTIC_TABLE_LOC3, 0x208)
327     FIELD(DEVICE_CHARACTERISTIC_TABLE_LOC3, DCR, 0, 8)
328     FIELD(DEVICE_CHARACTERISTIC_TABLE_LOC3, BCR, 8, 8)
329 REG32(DEVICE_CHARACTERISTIC_TABLE_LOC4, 0x20c)
330     FIELD(DEVICE_CHARACTERISTIC_TABLE_LOC4, DEV_DYNAMIC_ADDR, 0, 8)
331 /* Dev addr table fields */
332 REG32(DEVICE_ADDR_TABLE_LOC1, 0x280)
333     FIELD(DEVICE_ADDR_TABLE_LOC1, DEV_STATIC_ADDR, 0, 7)
334     FIELD(DEVICE_ADDR_TABLE_LOC1, IBI_PEC_EN, 11, 1)
335     FIELD(DEVICE_ADDR_TABLE_LOC1, IBI_WITH_DATA, 12, 1)
336     FIELD(DEVICE_ADDR_TABLE_LOC1, SIR_REJECT, 13, 1)
337     FIELD(DEVICE_ADDR_TABLE_LOC1, MR_REJECT, 14, 1)
338     FIELD(DEVICE_ADDR_TABLE_LOC1, DEV_DYNAMIC_ADDR, 16, 8)
339     FIELD(DEVICE_ADDR_TABLE_LOC1, IBI_ADDR_MASK, 24, 2)
340     FIELD(DEVICE_ADDR_TABLE_LOC1, DEV_NACK_RETRY_CNT, 29, 2)
341     FIELD(DEVICE_ADDR_TABLE_LOC1, LEGACY_I2C_DEVICE, 31, 1)
342 
343 static void aspeed_i3c_device_cmd_queue_execute(AspeedI3CDevice *s);
344 
345 static const uint32_t ast2600_i3c_controller_ro[ASPEED_I3C_DEVICE_NR_REGS] = {
346     [R_I3C1_REG0]                   = 0xfc000000,
347     [R_I3C1_REG1]                   = 0xfff00000,
348     [R_I3C2_REG0]                   = 0xfc000000,
349     [R_I3C2_REG1]                   = 0xfff00000,
350     [R_I3C3_REG0]                   = 0xfc000000,
351     [R_I3C3_REG1]                   = 0xfff00000,
352     [R_I3C4_REG0]                   = 0xfc000000,
353     [R_I3C4_REG1]                   = 0xfff00000,
354     [R_I3C5_REG0]                   = 0xfc000000,
355     [R_I3C5_REG1]                   = 0xfff00000,
356     [R_I3C6_REG0]                   = 0xfc000000,
357     [R_I3C6_REG1]                   = 0xfff00000,
358 };
359 
360 static const uint32_t ast2600_i3c_device_resets[ASPEED_I3C_DEVICE_NR_REGS] = {
361     [R_HW_CAPABILITY]               = 0x000e00bf,
362     [R_QUEUE_THLD_CTRL]             = 0x01000101,
363     [R_DATA_BUFFER_THLD_CTRL]       = 0x01010100,
364     [R_SLV_EVENT_CTRL]              = 0x0000000b,
365     [R_QUEUE_STATUS_LEVEL]          = 0x00000002,
366     [R_DATA_BUFFER_STATUS_LEVEL]    = 0x00000010,
367     [R_PRESENT_STATE]               = 0x00000003,
368     [R_I3C_VER_ID]                  = 0x3130302a,
369     [R_I3C_VER_TYPE]                = 0x6c633033,
370     [R_DEVICE_ADDR_TABLE_POINTER]   = 0x00080280,
371     [R_DEV_CHAR_TABLE_POINTER]      = 0x00020200,
372     [R_SLV_CHAR_CTRL]               = 0x00010000,
373     [A_VENDOR_SPECIFIC_REG_POINTER] = 0x000000b0,
374     [R_SLV_MAX_LEN]                 = 0x00ff00ff,
375     [R_SLV_TSX_SYMBL_TIMING]        = 0x0000003f,
376     [R_SCL_I3C_OD_TIMING]           = 0x000a0010,
377     [R_SCL_I3C_PP_TIMING]           = 0x000a000a,
378     [R_SCL_I2C_FM_TIMING]           = 0x00100010,
379     [R_SCL_I2C_FMP_TIMING]          = 0x00100010,
380     [R_SCL_EXT_LCNT_TIMING]         = 0x20202020,
381     [R_SCL_EXT_TERMN_LCNT_TIMING]   = 0x00300000,
382     [R_BUS_FREE_TIMING]             = 0x00200020,
383     [R_BUS_IDLE_TIMING]             = 0x00000020,
384     [R_EXTENDED_CAPABILITY]         = 0x00000239,
385     [R_SLAVE_CONFIG]                = 0x00000023,
386 };
387 
388 static const uint32_t ast2600_i3c_device_ro[ASPEED_I3C_DEVICE_NR_REGS] = {
389     [R_DEVICE_CTRL]                 = 0x04fffe00,
390     [R_DEVICE_ADDR]                 = 0x7f807f80,
391     [R_HW_CAPABILITY]               = 0xffffffff,
392     [R_IBI_QUEUE_STATUS]            = 0xffffffff,
393     [R_DATA_BUFFER_THLD_CTRL]       = 0xf8f8f8f8,
394     [R_IBI_QUEUE_CTRL]              = 0xfffffff0,
395     [R_RESET_CTRL]                  = 0xffffffc0,
396     [R_SLV_EVENT_CTRL]              = 0xffffff3f,
397     [R_INTR_STATUS]                 = 0xffff809f,
398     [R_INTR_STATUS_EN]              = 0xffff8080,
399     [R_INTR_SIGNAL_EN]              = 0xffff8080,
400     [R_INTR_FORCE]                  = 0xffff8000,
401     [R_QUEUE_STATUS_LEVEL]          = 0xffffffff,
402     [R_DATA_BUFFER_STATUS_LEVEL]    = 0xffffffff,
403     [R_PRESENT_STATE]               = 0xffffffff,
404     [R_CCC_DEVICE_STATUS]           = 0xffffffff,
405     [R_I3C_VER_ID]                  = 0xffffffff,
406     [R_I3C_VER_TYPE]                = 0xffffffff,
407     [R_DEVICE_ADDR_TABLE_POINTER]   = 0xffffffff,
408     [R_DEV_CHAR_TABLE_POINTER]      = 0xffcbffff,
409     [R_SLV_PID_VALUE]               = 0xffff0fff,
410     [R_SLV_CHAR_CTRL]               = 0xffffffff,
411     [A_VENDOR_SPECIFIC_REG_POINTER] = 0xffffffff,
412     [R_SLV_MAX_LEN]                 = 0xffffffff,
413     [R_MAX_READ_TURNAROUND]         = 0xffffffff,
414     [R_MAX_DATA_SPEED]              = 0xffffffff,
415     [R_SLV_INTR_REQ]                = 0xfffffff0,
416     [R_SLV_TSX_SYMBL_TIMING]        = 0xffffffc0,
417     [R_DEVICE_CTRL_EXTENDED]        = 0xfffffff8,
418     [R_SCL_I3C_OD_TIMING]           = 0xff00ff00,
419     [R_SCL_I3C_PP_TIMING]           = 0xff00ff00,
420     [R_SCL_I2C_FMP_TIMING]          = 0xff000000,
421     [R_SCL_EXT_TERMN_LCNT_TIMING]   = 0x0000fff0,
422     [R_BUS_IDLE_TIMING]             = 0xfff00000,
423     [R_EXTENDED_CAPABILITY]         = 0xffffffff,
424     [R_SLAVE_CONFIG]                = 0xffffffff,
425 };
426 
427 static inline bool aspeed_i3c_device_has_entdaa(AspeedI3CDevice *s)
428 {
429     return ARRAY_FIELD_EX32(s->regs, HW_CAPABILITY, ENTDAA);
430 }
431 
432 static inline bool aspeed_i3c_device_has_hdr_ts(AspeedI3CDevice *s)
433 {
434     return ARRAY_FIELD_EX32(s->regs, HW_CAPABILITY, HDR_TS);
435 }
436 
437 static inline bool aspeed_i3c_device_has_hdr_ddr(AspeedI3CDevice *s)
438 {
439     return ARRAY_FIELD_EX32(s->regs, HW_CAPABILITY, HDR_DDR);
440 }
441 
442 static inline bool aspeed_i3c_device_can_transmit(AspeedI3CDevice *s)
443 {
444     /*
445      * We can only transmit if we're enabled and the resume bit is cleared.
446      * The resume bit is set on a transaction error, and software must clear it.
447      */
448     return ARRAY_FIELD_EX32(s->regs, DEVICE_CTRL, I3C_EN) &&
449            !ARRAY_FIELD_EX32(s->regs, DEVICE_CTRL, I3C_RESUME);
450 }
451 
452 static inline uint8_t aspeed_i3c_device_fifo_threshold_from_reg(uint8_t regval)
453 {
454     return regval = regval ? (2 << regval) : 1;
455 }
456 
457 static inline uint8_t aspeed_i3c_device_ibi_slice_size(AspeedI3CDevice *s)
458 {
459     uint8_t ibi_slice_size = ARRAY_FIELD_EX32(s->regs, QUEUE_THLD_CTRL,
460                                               IBI_DATA_THLD);
461     /* The minimum supported slice size is 4 bytes. */
462     if (ibi_slice_size == 0) {
463         ibi_slice_size = 1;
464     }
465     ibi_slice_size *= sizeof(uint32_t);
466     /* maximum supported size is 63 bytes. */
467     if (ibi_slice_size >= 64) {
468         ibi_slice_size = 63;
469     }
470 
471     return ibi_slice_size;
472 }
473 
474 static void aspeed_i3c_device_update_irq(AspeedI3CDevice *s)
475 {
476     bool level = !!(s->regs[R_INTR_SIGNAL_EN] & s->regs[R_INTR_STATUS]);
477     qemu_set_irq(s->irq, level);
478 }
479 
480 static void aspeed_i3c_device_end_transfer(AspeedI3CDevice *s, bool is_i2c)
481 {
482     if (is_i2c) {
483         legacy_i2c_end_transfer(s->bus);
484     } else {
485         i3c_end_transfer(s->bus);
486     }
487 }
488 
489 static int aspeed_i3c_device_send_start(AspeedI3CDevice *s, uint8_t addr,
490                                         bool is_recv, bool is_i2c)
491 {
492     int ret;
493 
494     if (is_i2c) {
495         ret = legacy_i2c_start_transfer(s->bus, addr, is_recv);
496     } else {
497         ret = i3c_start_transfer(s->bus, addr, is_recv);
498     }
499     if (ret) {
500         qemu_log_mask(LOG_GUEST_ERROR, "%s: NACKed on TX with addr 0x%.2x\n",
501                       object_get_canonical_path(OBJECT(s)), addr);
502         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
503                          ASPEED_I3C_TRANSFER_STATE_HALT);
504         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_STATUS,
505                          ASPEED_I3C_TRANSFER_STATUS_HALT);
506         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, TRANSFER_ERR, 1);
507         ARRAY_FIELD_DP32(s->regs, DEVICE_CTRL, I3C_RESUME, 1);
508     }
509 
510     return ret;
511 }
512 
513 static int aspeed_i3c_device_send(AspeedI3CDevice *s, const uint8_t *data,
514                                   uint32_t num_to_send, uint32_t *num_sent,
515                                   bool is_i2c)
516 {
517     int ret;
518     uint32_t i;
519 
520     *num_sent = 0;
521     if (is_i2c) {
522         /* Legacy I2C must be byte-by-byte. */
523         for (i = 0; i < num_to_send; i++) {
524             ret = legacy_i2c_send(s->bus, data[i]);
525             if (ret) {
526                 break;
527             }
528             (*num_sent)++;
529         }
530     } else {
531         ret = i3c_send(s->bus, data, num_to_send, num_sent);
532     }
533     if (ret) {
534         qemu_log_mask(LOG_GUEST_ERROR, "%s: NACKed sending byte 0x%.2x\n",
535                       object_get_canonical_path(OBJECT(s)), data[*num_sent]);
536         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
537                          ASPEED_I3C_TRANSFER_STATE_HALT);
538         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_STATUS,
539                          ASPEED_I3C_TRANSFER_STATUS_HALT);
540         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, TRANSFER_ERR, 1);
541         ARRAY_FIELD_DP32(s->regs, DEVICE_CTRL, I3C_RESUME, 1);
542     }
543 
544     trace_aspeed_i3c_device_send(s->id, *num_sent);
545 
546     return ret;
547 }
548 
549 static int aspeed_i3c_device_send_byte(AspeedI3CDevice *s, uint8_t byte,
550                                        bool is_i2c)
551 {
552     /*
553      * Ignored, the caller will know if we sent 0 or 1 bytes depending on if
554      * we were ACKed/NACKed.
555      */
556     uint32_t num_sent;
557     return aspeed_i3c_device_send(s, &byte, 1, &num_sent, is_i2c);
558 }
559 
560 static int aspeed_i3c_device_recv_data(AspeedI3CDevice *s, bool is_i2c,
561                                        uint8_t *data, uint16_t num_to_read,
562                                        uint32_t *num_read)
563 {
564     int ret;
565 
566     if (is_i2c) {
567         for (uint16_t i = 0; i < num_to_read; i++) {
568             data[i] = legacy_i2c_recv(s->bus);
569         }
570         /* I2C devices can neither NACK a read, nor end transfers early. */
571         *num_read = num_to_read;
572         trace_aspeed_i3c_device_recv_data(s->id, *num_read);
573         return 0;
574     }
575     /* I3C devices can NACK if the controller sends an unsupported CCC. */
576     ret = i3c_recv(s->bus, data, num_to_read, num_read);
577     if (ret) {
578         qemu_log_mask(LOG_GUEST_ERROR, "%s: NACKed receiving byte\n",
579                       object_get_canonical_path(OBJECT(s)));
580         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
581                          ASPEED_I3C_TRANSFER_STATE_HALT);
582         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_STATUS,
583                          ASPEED_I3C_TRANSFER_STATUS_HALT);
584         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, TRANSFER_ERR, 1);
585         ARRAY_FIELD_DP32(s->regs, DEVICE_CTRL, I3C_RESUME, 1);
586     }
587 
588     trace_aspeed_i3c_device_recv_data(s->id, *num_read);
589 
590     return ret;
591 }
592 
593 static inline void aspeed_i3c_device_ctrl_w(AspeedI3CDevice *s,
594                                                    uint32_t val)
595 {
596     /*
597      * If the user is setting I3C_RESUME, the controller was halted.
598      * Try and resume execution and leave the bit cleared.
599      */
600     if (FIELD_EX32(val, DEVICE_CTRL, I3C_RESUME)) {
601         aspeed_i3c_device_cmd_queue_execute(s);
602         val = FIELD_DP32(val, DEVICE_CTRL, I3C_RESUME, 0);
603     }
604     /*
605      * I3C_ABORT being set sends an I3C STOP. It's cleared when the STOP is
606      * sent.
607      */
608     if (FIELD_EX32(val, DEVICE_CTRL, I3C_ABORT)) {
609         aspeed_i3c_device_end_transfer(s, /*is_i2c=*/true);
610         aspeed_i3c_device_end_transfer(s, /*is_i2c=*/false);
611         val = FIELD_DP32(val, DEVICE_CTRL, I3C_ABORT, 0);
612         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, TRANSFER_ABORT, 1);
613         aspeed_i3c_device_update_irq(s);
614     }
615     /* Update present state. */
616     ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
617                      ASPEED_I3C_TRANSFER_STATE_IDLE);
618     ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_STATUS,
619                      ASPEED_I3C_TRANSFER_STATUS_IDLE);
620 
621     s->regs[R_DEVICE_CTRL] = val;
622 }
623 
624 static inline bool aspeed_i3c_device_target_is_i2c(AspeedI3CDevice *s,
625                                                    uint16_t offset)
626 {
627     uint16_t dev_index = R_DEVICE_ADDR_TABLE_LOC1 + offset;
628     return FIELD_EX32(s->regs[dev_index], DEVICE_ADDR_TABLE_LOC1,
629                    LEGACY_I2C_DEVICE);
630 }
631 
632 static uint8_t aspeed_i3c_device_target_addr(AspeedI3CDevice *s,
633                                              uint16_t offset)
634 {
635     if (offset > ASPEED_I3C_NR_DEVICES) {
636         qemu_log_mask(LOG_GUEST_ERROR, "%s: Device addr table offset %d out of "
637                       "bounds\n", object_get_canonical_path(OBJECT(s)), offset);
638         /* If we're out of bounds, return an address of 0. */
639         return 0;
640     }
641 
642     uint16_t dev_index = R_DEVICE_ADDR_TABLE_LOC1 + offset;
643     /* I2C devices use a static address. */
644     if (aspeed_i3c_device_target_is_i2c(s, offset)) {
645         return FIELD_EX32(s->regs[dev_index], DEVICE_ADDR_TABLE_LOC1,
646                           DEV_STATIC_ADDR);
647     }
648     return FIELD_EX32(s->regs[dev_index], DEVICE_ADDR_TABLE_LOC1,
649                       DEV_DYNAMIC_ADDR);
650 }
651 
652 static int aspeed_i3c_device_addr_table_index_from_addr(AspeedI3CDevice *s,
653                                                         uint8_t addr)
654 {
655     uint8_t table_size = ARRAY_FIELD_EX32(s->regs, DEVICE_ADDR_TABLE_POINTER,
656                                           DEPTH);
657     for (uint8_t i = 0; i < table_size; i++) {
658         if (aspeed_i3c_device_target_addr(s, i) == addr) {
659             return i;
660         }
661     }
662     return -1;
663 }
664 
665 static void aspeed_i3c_device_send_disec(AspeedI3CDevice *s)
666 {
667     uint8_t ccc = I3C_CCC_DISEC;
668     if (s->ibi_data.send_direct_disec) {
669         ccc = I3C_CCCD_DISEC;
670     }
671 
672     aspeed_i3c_device_send_start(s, I3C_BROADCAST, /*is_recv=*/false,
673                                  /*is_i2c=*/false);
674     aspeed_i3c_device_send_byte(s, ccc, /*is_i2c=*/false);
675     if (s->ibi_data.send_direct_disec) {
676         aspeed_i3c_device_send_start(s, s->ibi_data.disec_addr,
677                                      /*is_recv=*/false, /*is_i2c=*/false);
678     }
679     aspeed_i3c_device_send_byte(s, s->ibi_data.disec_byte, /*is_i2c=*/false);
680 }
681 
682 static int aspeed_i3c_device_handle_hj(AspeedI3CDevice *s)
683 {
684     if (ARRAY_FIELD_EX32(s->regs, IBI_QUEUE_CTRL, NOTIFY_REJECTED_HOT_JOIN)) {
685         s->ibi_data.notify_ibi_nack = true;
686     }
687 
688     bool nack_and_disable = ARRAY_FIELD_EX32(s->regs, DEVICE_CTRL,
689                                              HOT_JOIN_ACK_NACK_CTRL);
690     if (nack_and_disable) {
691         s->ibi_data.ibi_queue_status = FIELD_DP32(s->ibi_data.ibi_queue_status,
692                                                   IBI_QUEUE_STATUS,
693                                                   IBI_STATUS, 1);
694         s->ibi_data.ibi_nacked = true;
695         s->ibi_data.disec_byte = DISEC_HJ;
696         return -1;
697     }
698     return 0;
699 }
700 
701 static int aspeed_i3c_device_handle_ctlr_req(AspeedI3CDevice *s, uint8_t addr)
702 {
703     if (ARRAY_FIELD_EX32(s->regs, IBI_QUEUE_CTRL, NOTIFY_REJECTED_MASTER_REQ)) {
704         s->ibi_data.notify_ibi_nack = true;
705     }
706 
707     int table_offset = aspeed_i3c_device_addr_table_index_from_addr(s, addr);
708     /* Doesn't exist in the table, NACK it, don't DISEC. */
709     if (table_offset < 0) {
710         return -1;
711     }
712 
713     table_offset += R_DEVICE_ADDR_TABLE_LOC1;
714     if (FIELD_EX32(s->regs[table_offset], DEVICE_ADDR_TABLE_LOC1, MR_REJECT)) {
715         s->ibi_data.ibi_queue_status = FIELD_DP32(s->ibi_data.ibi_queue_status,
716                                                   IBI_QUEUE_STATUS,
717                                                   IBI_STATUS, 1);
718         s->ibi_data.ibi_nacked = true;
719         s->ibi_data.disec_addr = addr;
720         /* Tell the requester to disable controller role requests. */
721         s->ibi_data.disec_byte = DISEC_CR;
722         s->ibi_data.send_direct_disec = true;
723         return -1;
724     }
725     return 0;
726 }
727 
728 static int aspeed_i3c_device_handle_targ_irq(AspeedI3CDevice *s, uint8_t addr)
729 {
730     if (ARRAY_FIELD_EX32(s->regs, IBI_QUEUE_CTRL, NOTIFY_REJECTED_SLAVE_IRQ)) {
731         s->ibi_data.notify_ibi_nack = true;
732     }
733 
734     int table_offset = aspeed_i3c_device_addr_table_index_from_addr(s, addr);
735     /* Doesn't exist in the table, NACK it, don't DISEC. */
736     if (table_offset < 0) {
737         return -1;
738     }
739 
740     table_offset += R_DEVICE_ADDR_TABLE_LOC1;
741     if (FIELD_EX32(s->regs[table_offset], DEVICE_ADDR_TABLE_LOC1, SIR_REJECT)) {
742         s->ibi_data.ibi_queue_status = FIELD_DP32(s->ibi_data.ibi_queue_status,
743                                                   IBI_QUEUE_STATUS,
744                                                   IBI_STATUS, 1);
745         s->ibi_data.ibi_nacked = true;
746         s->ibi_data.disec_addr = addr;
747         /* Tell the requester to disable interrupts. */
748         s->ibi_data.disec_byte = DISEC_INT;
749         s->ibi_data.send_direct_disec = true;
750         return -1;
751     }
752     return 0;
753 }
754 
755 static int aspeed_i3c_device_ibi_handle(I3CBus *bus, I3CTarget *target,
756                                         uint8_t addr, bool is_recv)
757 {
758     AspeedI3CDevice *s = ASPEED_I3C_DEVICE(bus->qbus.parent);
759 
760     trace_aspeed_i3c_device_ibi_handle(s->id, addr, is_recv);
761     s->ibi_data.ibi_queue_status = FIELD_DP32(s->ibi_data.ibi_queue_status,
762                                               IBI_QUEUE_STATUS, IBI_ID,
763                                               (addr << 1) | is_recv);
764     /* Is this a hot join request? */
765     if (addr == I3C_HJ_ADDR) {
766         return aspeed_i3c_device_handle_hj(s);
767     }
768     /* Is secondary controller requesting access? */
769     if (addr == target->address && !is_recv) {
770         return aspeed_i3c_device_handle_ctlr_req(s, addr);
771     }
772     /* Is this a target IRQ? */
773     if (addr == target->address && is_recv) {
774         return aspeed_i3c_device_handle_targ_irq(s, addr);
775     }
776 
777     /* Not sure what this is, NACK it. */
778     return -1;
779 }
780 
781 static int aspeed_i3c_device_ibi_recv(I3CBus *bus, uint8_t data)
782 {
783     AspeedI3CDevice *s = ASPEED_I3C_DEVICE(bus->qbus.parent);
784     if (fifo8_is_full(&s->ibi_data.ibi_intermediate_queue)) {
785         return -1;
786     }
787 
788     fifo8_push(&s->ibi_data.ibi_intermediate_queue, data);
789     trace_aspeed_i3c_device_ibi_recv(s->id, data);
790     return 0;
791 }
792 
793 static void aspeed_i3c_device_ibi_queue_push(AspeedI3CDevice *s)
794 {
795     /* Stored value is in 32-bit chunks, convert it to byte chunks. */
796     uint8_t ibi_slice_size = aspeed_i3c_device_ibi_slice_size(s);
797     uint8_t num_slices = fifo8_num_used(&s->ibi_data.ibi_intermediate_queue) /
798                          ibi_slice_size;
799     uint8_t ibi_status_count = num_slices;
800     union {
801         uint8_t b[sizeof(uint32_t)];
802         uint32_t val32;
803     } ibi_data = {
804         .val32 = 0
805     };
806 
807     /* The report was suppressed, do nothing. */
808     if (s->ibi_data.ibi_nacked && !s->ibi_data.notify_ibi_nack) {
809         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
810                          ASPEED_I3C_TRANSFER_STATE_IDLE);
811         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_STATUS,
812                          ASPEED_I3C_TRANSFER_STATUS_IDLE);
813         return;
814     }
815 
816     /* If we don't have any slices to push, just push the status. */
817     if (num_slices == 0) {
818         s->ibi_data.ibi_queue_status =
819              FIELD_DP32(s->ibi_data.ibi_queue_status, IBI_QUEUE_STATUS,
820                         LAST_STATUS, 1);
821         fifo32_push(&s->ibi_queue, s->ibi_data.ibi_queue_status);
822         ibi_status_count = 1;
823     }
824 
825     for (uint8_t i = 0; i < num_slices; i++) {
826         /* If this is the last slice, set LAST_STATUS. */
827         if (fifo8_num_used(&s->ibi_data.ibi_intermediate_queue) <
828             ibi_slice_size) {
829             s->ibi_data.ibi_queue_status =
830                 FIELD_DP32(s->ibi_data.ibi_queue_status, IBI_QUEUE_STATUS,
831                            IBI_DATA_LEN,
832                            fifo8_num_used(&s->ibi_data.ibi_intermediate_queue));
833             s->ibi_data.ibi_queue_status =
834                 FIELD_DP32(s->ibi_data.ibi_queue_status, IBI_QUEUE_STATUS,
835                            LAST_STATUS, 1);
836         } else {
837             s->ibi_data.ibi_queue_status =
838                 FIELD_DP32(s->ibi_data.ibi_queue_status, IBI_QUEUE_STATUS,
839                            IBI_DATA_LEN, ibi_slice_size);
840         }
841 
842         /* Push the IBI status header. */
843         fifo32_push(&s->ibi_queue, s->ibi_data.ibi_queue_status);
844         /* Move each IBI byte into a 32-bit word and push it into the queue. */
845         for (uint8_t j = 0; j < ibi_slice_size; ++j) {
846             if (fifo8_is_empty(&s->ibi_data.ibi_intermediate_queue)) {
847                 break;
848             }
849 
850             ibi_data.b[j & 3] = fifo8_pop(&s->ibi_data.ibi_intermediate_queue);
851             /* We have 32-bits, push it to the IBI FIFO. */
852             if ((j & 0x03) == 0x03) {
853                 fifo32_push(&s->ibi_queue, ibi_data.val32);
854                 ibi_data.val32 = 0;
855             }
856         }
857         /* If the data isn't 32-bit aligned, push the leftover bytes. */
858         if (ibi_slice_size & 0x03) {
859             fifo32_push(&s->ibi_queue, ibi_data.val32);
860         }
861 
862         /* Clear out the data length for the next iteration. */
863         s->ibi_data.ibi_queue_status = FIELD_DP32(s->ibi_data.ibi_queue_status,
864                                          IBI_QUEUE_STATUS, IBI_DATA_LEN, 0);
865     }
866 
867     ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, IBI_BUF_BLR,
868                      fifo32_num_used(&s->ibi_queue));
869     ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, IBI_STATUS_CNT,
870                      ibi_status_count);
871     /* Threshold is the register value + 1. */
872     uint8_t threshold = ARRAY_FIELD_EX32(s->regs, QUEUE_THLD_CTRL,
873                                          IBI_STATUS_THLD) + 1;
874     if (fifo32_num_used(&s->ibi_queue) >= threshold) {
875         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, IBI_THLD, 1);
876         aspeed_i3c_device_update_irq(s);
877     }
878 
879     /* State update. */
880     ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
881                      ASPEED_I3C_TRANSFER_STATE_IDLE);
882     ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_STATUS,
883                      ASPEED_I3C_TRANSFER_STATUS_IDLE);
884 }
885 
886 static int aspeed_i3c_device_ibi_finish(I3CBus *bus)
887 {
888     AspeedI3CDevice *s = ASPEED_I3C_DEVICE(bus->qbus.parent);
889     bool nack_and_disable_hj = ARRAY_FIELD_EX32(s->regs, DEVICE_CTRL,
890                                                 HOT_JOIN_ACK_NACK_CTRL);
891     if (nack_and_disable_hj || s->ibi_data.send_direct_disec) {
892         aspeed_i3c_device_send_disec(s);
893     }
894     aspeed_i3c_device_ibi_queue_push(s);
895 
896     /* Clear out the intermediate values. */
897     s->ibi_data.ibi_queue_status = 0;
898     s->ibi_data.disec_addr = 0;
899     s->ibi_data.disec_byte = 0;
900     s->ibi_data.send_direct_disec = false;
901     s->ibi_data.notify_ibi_nack = false;
902     s->ibi_data.ibi_nacked = false;
903 
904     return 0;
905 }
906 
907 static uint32_t aspeed_i3c_device_intr_status_r(AspeedI3CDevice *s)
908 {
909     /* Only return the status whose corresponding EN bits are set. */
910     return s->regs[R_INTR_STATUS] & s->regs[R_INTR_STATUS_EN];
911 }
912 
913 static void aspeed_i3c_device_intr_status_w(AspeedI3CDevice *s, uint32_t val)
914 {
915     /* INTR_STATUS[13:5] is w1c, other bits are RO. */
916     val &= 0x3fe0;
917     s->regs[R_INTR_STATUS] &= ~val;
918 
919     aspeed_i3c_device_update_irq(s);
920 }
921 
922 static void aspeed_i3c_device_intr_status_en_w(AspeedI3CDevice *s, uint32_t val)
923 {
924     s->regs[R_INTR_STATUS_EN] = val;
925     aspeed_i3c_device_update_irq(s);
926 }
927 
928 static void aspeed_i3c_device_intr_signal_en_w(AspeedI3CDevice *s, uint32_t val)
929 {
930     s->regs[R_INTR_SIGNAL_EN] = val;
931     aspeed_i3c_device_update_irq(s);
932 }
933 
934 static void aspeed_i3c_device_intr_force_w(AspeedI3CDevice *s, uint32_t val)
935 {
936     /* INTR_FORCE is WO, just set the corresponding INTR_STATUS bits. */
937     s->regs[R_INTR_STATUS] = val;
938     aspeed_i3c_device_update_irq(s);
939 }
940 
941 static void aspeed_i3c_device_cmd_queue_reset(AspeedI3CDevice *s)
942 {
943     fifo32_reset(&s->cmd_queue);
944 
945     ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, CMD_QUEUE_EMPTY_LOC,
946                      fifo32_num_free(&s->cmd_queue));
947     uint8_t empty_threshold = ARRAY_FIELD_EX32(s->regs, QUEUE_THLD_CTRL,
948                                                CMD_BUF_EMPTY_THLD);
949     if (fifo32_num_free(&s->cmd_queue) >= empty_threshold) {
950         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, CMD_QUEUE_RDY, 1);
951         aspeed_i3c_device_update_irq(s);
952     };
953 }
954 
955 static void aspeed_i3c_device_resp_queue_reset(AspeedI3CDevice *s)
956 {
957     fifo32_reset(&s->resp_queue);
958 
959     ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, RESP_BUF_BLR,
960                      fifo32_num_used(&s->resp_queue));
961     /*
962      * This interrupt will always be cleared because the threshold is a minimum
963      * of 1 and the queue size is 0.
964      */
965     ARRAY_FIELD_DP32(s->regs, INTR_STATUS, RESP_RDY, 0);
966     aspeed_i3c_device_update_irq(s);
967 }
968 
969 static void aspeed_i3c_device_ibi_queue_reset(AspeedI3CDevice *s)
970 {
971     fifo32_reset(&s->ibi_queue);
972 
973     ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, IBI_BUF_BLR,
974                      fifo32_num_used(&s->resp_queue));
975     /*
976      * This interrupt will always be cleared because the threshold is a minimum
977      * of 1 and the queue size is 0.
978      */
979     ARRAY_FIELD_DP32(s->regs, INTR_STATUS, IBI_THLD, 0);
980     aspeed_i3c_device_update_irq(s);
981 }
982 
983 static void aspeed_i3c_device_tx_queue_reset(AspeedI3CDevice *s)
984 {
985     fifo32_reset(&s->tx_queue);
986 
987     ARRAY_FIELD_DP32(s->regs, DATA_BUFFER_STATUS_LEVEL, TX_BUF_EMPTY_LOC,
988                      fifo32_num_free(&s->tx_queue));
989     /* TX buf is empty, so this interrupt will always be set. */
990     ARRAY_FIELD_DP32(s->regs, INTR_STATUS, TX_THLD, 1);
991     aspeed_i3c_device_update_irq(s);
992 }
993 
994 static void aspeed_i3c_device_rx_queue_reset(AspeedI3CDevice *s)
995 {
996     fifo32_reset(&s->rx_queue);
997 
998     ARRAY_FIELD_DP32(s->regs, DATA_BUFFER_STATUS_LEVEL, RX_BUF_BLR,
999                      fifo32_num_used(&s->resp_queue));
1000     /*
1001      * This interrupt will always be cleared because the threshold is a minimum
1002      * of 1 and the queue size is 0.
1003      */
1004     ARRAY_FIELD_DP32(s->regs, INTR_STATUS, RX_THLD, 0);
1005     aspeed_i3c_device_update_irq(s);
1006 }
1007 
1008 static void aspeed_i3c_device_reset(DeviceState *dev)
1009 {
1010     AspeedI3CDevice *s = ASPEED_I3C_DEVICE(dev);
1011     trace_aspeed_i3c_device_reset(s->id);
1012 
1013     memcpy(s->regs, ast2600_i3c_device_resets, sizeof(s->regs));
1014     aspeed_i3c_device_cmd_queue_reset(s);
1015     aspeed_i3c_device_resp_queue_reset(s);
1016     aspeed_i3c_device_ibi_queue_reset(s);
1017     aspeed_i3c_device_tx_queue_reset(s);
1018     aspeed_i3c_device_rx_queue_reset(s);
1019 }
1020 
1021 static void aspeed_i3c_device_reset_ctrl_w(AspeedI3CDevice *s, uint32_t val)
1022 {
1023     if (FIELD_EX32(val, RESET_CTRL, CORE_RESET)) {
1024         aspeed_i3c_device_reset(DEVICE(s));
1025     }
1026     if (FIELD_EX32(val, RESET_CTRL, CMD_QUEUE_RESET)) {
1027         aspeed_i3c_device_cmd_queue_reset(s);
1028     }
1029     if (FIELD_EX32(val, RESET_CTRL, RESP_QUEUE_RESET)) {
1030         aspeed_i3c_device_resp_queue_reset(s);
1031     }
1032     if (FIELD_EX32(val, RESET_CTRL, TX_BUF_RESET)) {
1033         aspeed_i3c_device_tx_queue_reset(s);
1034     }
1035     if (FIELD_EX32(val, RESET_CTRL, RX_BUF_RESET)) {
1036         aspeed_i3c_device_rx_queue_reset(s);
1037     }
1038     if (FIELD_EX32(val, RESET_CTRL, IBI_QUEUE_RESET)) {
1039         aspeed_i3c_device_ibi_queue_reset(s);
1040     }
1041 }
1042 
1043 static uint32_t aspeed_i3c_device_pop_rx(AspeedI3CDevice *s)
1044 {
1045     if (fifo32_is_empty(&s->rx_queue)) {
1046         qemu_log_mask(LOG_GUEST_ERROR, "%s: Tried to read RX FIFO when empty\n",
1047                       object_get_canonical_path(OBJECT(s)));
1048         return 0;
1049     }
1050 
1051     uint32_t val = fifo32_pop(&s->rx_queue);
1052     ARRAY_FIELD_DP32(s->regs, DATA_BUFFER_STATUS_LEVEL, RX_BUF_BLR,
1053                      fifo32_num_used(&s->rx_queue));
1054 
1055     /* Threshold is 2^RX_BUF_THLD. */
1056     uint8_t threshold = ARRAY_FIELD_EX32(s->regs, DATA_BUFFER_THLD_CTRL,
1057                                          RX_BUF_THLD);
1058     threshold = aspeed_i3c_device_fifo_threshold_from_reg(threshold);
1059     if (fifo32_num_used(&s->rx_queue) < threshold) {
1060         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, RX_THLD, 0);
1061         aspeed_i3c_device_update_irq(s);
1062     }
1063 
1064     trace_aspeed_i3c_device_pop_rx(s->id, val);
1065     return val;
1066 }
1067 
1068 static uint32_t aspeed_i3c_device_ibi_queue_r(AspeedI3CDevice *s)
1069 {
1070     if (fifo32_is_empty(&s->ibi_queue)) {
1071         return 0;
1072     }
1073 
1074     uint32_t val = fifo32_pop(&s->ibi_queue);
1075     ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, IBI_BUF_BLR,
1076                      fifo32_num_used(&s->ibi_queue));
1077     /* Threshold is the register value + 1. */
1078     uint8_t threshold = ARRAY_FIELD_EX32(s->regs, QUEUE_THLD_CTRL,
1079                                          IBI_STATUS_THLD) + 1;
1080     if (fifo32_num_used(&s->ibi_queue) < threshold) {
1081         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, IBI_THLD, 0);
1082         aspeed_i3c_device_update_irq(s);
1083     }
1084     return val;
1085 }
1086 
1087 static uint32_t aspeed_i3c_device_resp_queue_port_r(AspeedI3CDevice *s)
1088 {
1089     if (fifo32_is_empty(&s->resp_queue)) {
1090         qemu_log_mask(LOG_GUEST_ERROR, "%s: Tried to read response FIFO when "
1091                       "empty\n", object_get_canonical_path(OBJECT(s)));
1092         return 0;
1093     }
1094 
1095     uint32_t val = fifo32_pop(&s->resp_queue);
1096     ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, RESP_BUF_BLR,
1097                      fifo32_num_used(&s->resp_queue));
1098 
1099     /* Threshold is the register value + 1. */
1100     uint8_t threshold = ARRAY_FIELD_EX32(s->regs, QUEUE_THLD_CTRL,
1101                                          RESP_BUF_THLD) + 1;
1102     if (fifo32_num_used(&s->resp_queue) < threshold) {
1103         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, RESP_RDY, 0);
1104         aspeed_i3c_device_update_irq(s);
1105     }
1106 
1107     return val;
1108 }
1109 
1110 static uint64_t aspeed_i3c_device_read(void *opaque, hwaddr offset,
1111                                        unsigned size)
1112 {
1113     AspeedI3CDevice *s = ASPEED_I3C_DEVICE(opaque);
1114     uint32_t addr = offset >> 2;
1115     uint64_t value;
1116 
1117     switch (addr) {
1118     /* RAZ */
1119     case R_COMMAND_QUEUE_PORT:
1120     case R_RESET_CTRL:
1121     case R_INTR_FORCE:
1122         value = 0;
1123         break;
1124     case R_IBI_QUEUE_DATA:
1125         value = aspeed_i3c_device_ibi_queue_r(s);
1126         break;
1127     case R_INTR_STATUS:
1128         value = aspeed_i3c_device_intr_status_r(s);
1129         break;
1130     case R_RX_TX_DATA_PORT:
1131         value = aspeed_i3c_device_pop_rx(s);
1132         break;
1133     case R_RESPONSE_QUEUE_PORT:
1134         value = aspeed_i3c_device_resp_queue_port_r(s);
1135         break;
1136     default:
1137         value = s->regs[addr];
1138         break;
1139     }
1140 
1141     trace_aspeed_i3c_device_read(s->id, offset, value);
1142 
1143     return value;
1144 }
1145 
1146 static void aspeed_i3c_device_resp_queue_push(AspeedI3CDevice *s,
1147                                               uint8_t err, uint8_t tid,
1148                                               uint8_t ccc_type,
1149                                               uint16_t data_len)
1150 {
1151     uint32_t val = 0;
1152     val = FIELD_DP32(val, RESPONSE_QUEUE_PORT, ERR_STATUS, err);
1153     val = FIELD_DP32(val, RESPONSE_QUEUE_PORT, TID, tid);
1154     val = FIELD_DP32(val, RESPONSE_QUEUE_PORT, CCCT, ccc_type);
1155     val = FIELD_DP32(val, RESPONSE_QUEUE_PORT, DL, data_len);
1156     if (!fifo32_is_full(&s->resp_queue)) {
1157         trace_aspeed_i3c_device_resp_queue_push(s->id, val);
1158         fifo32_push(&s->resp_queue, val);
1159     }
1160 
1161     ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, RESP_BUF_BLR,
1162                      fifo32_num_used(&s->resp_queue));
1163     /* Threshold is the register value + 1. */
1164     uint8_t threshold = ARRAY_FIELD_EX32(s->regs, QUEUE_THLD_CTRL,
1165                                          RESP_BUF_THLD) + 1;
1166     if (fifo32_num_used(&s->resp_queue) >= threshold) {
1167         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, RESP_RDY, 1);
1168         aspeed_i3c_device_update_irq(s);
1169     }
1170 }
1171 
1172 static void aspeed_i3c_device_push_tx(AspeedI3CDevice *s, uint32_t val)
1173 {
1174     if (fifo32_is_full(&s->tx_queue)) {
1175         qemu_log_mask(LOG_GUEST_ERROR, "%s: Tried to push to TX FIFO when "
1176                       "full\n", object_get_canonical_path(OBJECT(s)));
1177         return;
1178     }
1179 
1180     trace_aspeed_i3c_device_push_tx(s->id, val);
1181     fifo32_push(&s->tx_queue, val);
1182     ARRAY_FIELD_DP32(s->regs, DATA_BUFFER_STATUS_LEVEL, TX_BUF_EMPTY_LOC,
1183                      fifo32_num_free(&s->tx_queue));
1184 
1185     /* Threshold is 2^TX_BUF_THLD. */
1186     uint8_t empty_threshold = ARRAY_FIELD_EX32(s->regs, DATA_BUFFER_THLD_CTRL,
1187                                                TX_BUF_THLD);
1188     empty_threshold =
1189         aspeed_i3c_device_fifo_threshold_from_reg(empty_threshold);
1190     if (fifo32_num_free(&s->tx_queue) < empty_threshold) {
1191         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, TX_THLD, 0);
1192         aspeed_i3c_device_update_irq(s);
1193     }
1194 }
1195 
1196 static uint32_t aspeed_i3c_device_pop_tx(AspeedI3CDevice *s)
1197 {
1198     if (fifo32_is_empty(&s->tx_queue)) {
1199         qemu_log_mask(LOG_GUEST_ERROR, "%s: Tried to pop from TX FIFO when "
1200                       "empty\n", object_get_canonical_path(OBJECT(s)));
1201         return 0;
1202     }
1203 
1204     uint32_t val = fifo32_pop(&s->tx_queue);
1205     trace_aspeed_i3c_device_pop_tx(s->id, val);
1206     ARRAY_FIELD_DP32(s->regs, DATA_BUFFER_STATUS_LEVEL, TX_BUF_EMPTY_LOC,
1207                      fifo32_num_free(&s->tx_queue));
1208 
1209     /* Threshold is 2^TX_BUF_THLD. */
1210     uint8_t empty_threshold = ARRAY_FIELD_EX32(s->regs, DATA_BUFFER_THLD_CTRL,
1211                                                TX_BUF_THLD);
1212     empty_threshold =
1213         aspeed_i3c_device_fifo_threshold_from_reg(empty_threshold);
1214     if (fifo32_num_free(&s->tx_queue) >= empty_threshold) {
1215         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, TX_THLD, 1);
1216         aspeed_i3c_device_update_irq(s);
1217     }
1218     return val;
1219 }
1220 
1221 static void aspeed_i3c_device_push_rx(AspeedI3CDevice *s, uint32_t val)
1222 {
1223     if (fifo32_is_full(&s->rx_queue)) {
1224         qemu_log_mask(LOG_GUEST_ERROR, "%s: Tried to push to RX FIFO when "
1225                       "full\n", object_get_canonical_path(OBJECT(s)));
1226         return;
1227     }
1228     trace_aspeed_i3c_device_push_rx(s->id, val);
1229     fifo32_push(&s->rx_queue, val);
1230 
1231     ARRAY_FIELD_DP32(s->regs, DATA_BUFFER_STATUS_LEVEL, RX_BUF_BLR,
1232                      fifo32_num_used(&s->rx_queue));
1233     /* Threshold is 2^RX_BUF_THLD. */
1234     uint8_t threshold = ARRAY_FIELD_EX32(s->regs, DATA_BUFFER_THLD_CTRL,
1235                                          RX_BUF_THLD);
1236     threshold = aspeed_i3c_device_fifo_threshold_from_reg(threshold);
1237     if (fifo32_num_used(&s->rx_queue) >= threshold) {
1238         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, RX_THLD, 1);
1239         aspeed_i3c_device_update_irq(s);
1240     }
1241 }
1242 
1243 static void aspeed_i3c_device_short_transfer(AspeedI3CDevice *s,
1244                                              AspeedI3CTransferCmd cmd,
1245                                              AspeedI3CShortArg arg)
1246 {
1247     uint8_t err = ASPEED_I3C_RESP_QUEUE_ERR_NONE;
1248     uint8_t addr = aspeed_i3c_device_target_addr(s, cmd.dev_index);
1249     bool is_i2c = aspeed_i3c_device_target_is_i2c(s, cmd.dev_index);
1250     uint8_t data[4]; /* Max we can send on a short transfer is 4 bytes. */
1251     uint8_t len = 0;
1252     uint32_t bytes_sent; /* Ignored on short transfers. */
1253 
1254     /* Can't do reads on a short transfer. */
1255     if (cmd.rnw) {
1256         qemu_log_mask(LOG_GUEST_ERROR, "%s: Cannot do a read on a short "
1257                       "transfer\n", object_get_canonical_path(OBJECT(s)));
1258         return;
1259     }
1260 
1261     if (aspeed_i3c_device_send_start(s, addr, /*is_recv=*/false, is_i2c)) {
1262         err = ASPEED_I3C_RESP_QUEUE_ERR_I2C_NACK;
1263         goto transfer_done;
1264     }
1265 
1266     /* Are we sending a command? */
1267     if (cmd.cp) {
1268         data[len] = cmd.cmd;
1269         len++;
1270         /*
1271          * byte0 is the defining byte for a command, and is only sent if a
1272          * command is present and if the command has a defining byte present.
1273          * (byte_strb & 0x01) is always treated as set by the controller, and is
1274          * ignored.
1275          */
1276         if (cmd.dbp) {
1277             data[len] += arg.byte0;
1278             len++;
1279         }
1280     }
1281 
1282     /* Send the bytes passed in the argument. */
1283     if (arg.byte_strb & 0x02) {
1284         data[len] = arg.byte1;
1285         len++;
1286     }
1287     if (arg.byte_strb & 0x04) {
1288         data[len] = arg.byte2;
1289         len++;
1290     }
1291 
1292     if (aspeed_i3c_device_send(s, data, len, &bytes_sent, is_i2c)) {
1293         err = ASPEED_I3C_RESP_QUEUE_ERR_I2C_NACK;
1294     } else {
1295         /* Only go to an idle state on a successful transfer. */
1296         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
1297                          ASPEED_I3C_TRANSFER_STATE_IDLE);
1298     }
1299 
1300 transfer_done:
1301     if (cmd.toc) {
1302         aspeed_i3c_device_end_transfer(s, is_i2c);
1303     }
1304     if (cmd.roc) {
1305         /*
1306          * ccc_type is always 0 in controller mode, data_len is 0 in short
1307          * transfers.
1308          */
1309         aspeed_i3c_device_resp_queue_push(s, err, cmd.tid, /*ccc_type=*/0,
1310                                           /*data_len=*/0);
1311     }
1312 }
1313 
1314 /* Returns number of bytes transmitted. */
1315 static uint16_t aspeed_i3c_device_tx(AspeedI3CDevice *s, uint16_t num,
1316                                      bool is_i2c)
1317 {
1318     uint16_t bytes_sent = 0;
1319     union {
1320         uint8_t b[sizeof(uint32_t)];
1321         uint32_t val;
1322     } val32;
1323 
1324     while (bytes_sent < num) {
1325         val32.val = aspeed_i3c_device_pop_tx(s);
1326         for (uint8_t i = 0; i < sizeof(val32.val); i++) {
1327             if (aspeed_i3c_device_send_byte(s, val32.b[i], is_i2c)) {
1328                 return bytes_sent;
1329             }
1330             bytes_sent++;
1331 
1332             /* We're not sending the full 32-bits, break early. */
1333             if (bytes_sent >= num) {
1334                 break;
1335             }
1336         }
1337     }
1338 
1339     return bytes_sent;
1340 }
1341 
1342 /* Returns number of bytes received. */
1343 static uint16_t aspeed_i3c_device_rx(AspeedI3CDevice *s, uint16_t num,
1344                                      bool is_i2c)
1345 {
1346     /*
1347      * Allocate a temporary buffer to read data from the target.
1348      * Zero it and word-align it as well in case we're reading unaligned data.
1349      */
1350     g_autofree uint8_t *data = g_new0(uint8_t, num + (num & 0x03));
1351     uint32_t *data32 = (uint32_t *)data;
1352     /*
1353      * 32-bits since the I3C API wants a 32-bit number, even though the
1354      * controller can only do 16-bit transfers.
1355      */
1356     uint32_t num_read = 0;
1357 
1358     /* Can NACK if the target receives an unsupported CCC. */
1359     if (aspeed_i3c_device_recv_data(s, is_i2c, data, num, &num_read)) {
1360         return 0;
1361     }
1362 
1363     for (uint16_t i = 0; i < num_read / 4; i++) {
1364         aspeed_i3c_device_push_rx(s, *data32);
1365         data32++;
1366     }
1367     /*
1368      * If we're pushing data that isn't 32-bit aligned, push what's left.
1369      * It's software's responsibility to know what bits are valid in the partial
1370      * data.
1371      */
1372     if (num_read & 0x03) {
1373         aspeed_i3c_device_push_rx(s, *data32);
1374     }
1375 
1376     return num_read;
1377 }
1378 
1379 static int aspeed_i3c_device_transfer_ccc(AspeedI3CDevice *s,
1380                                            AspeedI3CTransferCmd cmd,
1381                                            AspeedI3CTransferArg arg)
1382 {
1383     /* CCC start is always a write. CCCs cannot be done on I2C devices. */
1384     if (aspeed_i3c_device_send_start(s, I3C_BROADCAST, /*is_recv=*/false,
1385                                      /*is_i2c=*/false)) {
1386         return ASPEED_I3C_RESP_QUEUE_ERR_BROADCAST_NACK;
1387     }
1388     trace_aspeed_i3c_device_transfer_ccc(s->id, cmd.cmd);
1389     if (aspeed_i3c_device_send_byte(s, cmd.cmd, /*is_i2c=*/false)) {
1390         return ASPEED_I3C_RESP_QUEUE_ERR_I2C_NACK;
1391     }
1392 
1393     /* On a direct CCC, we do a restart and then send the target's address. */
1394     if (CCC_IS_DIRECT(cmd.cmd)) {
1395         bool is_recv = cmd.rnw;
1396         uint8_t addr = aspeed_i3c_device_target_addr(s, cmd.dev_index);
1397         if (aspeed_i3c_device_send_start(s, addr, is_recv, /*is_i2c=*/false)) {
1398             return ASPEED_I3C_RESP_QUEUE_ERR_BROADCAST_NACK;
1399         }
1400     }
1401 
1402     return ASPEED_I3C_RESP_QUEUE_ERR_NONE;
1403 }
1404 
1405 static void aspeed_i3c_device_transfer(AspeedI3CDevice *s,
1406                                        AspeedI3CTransferCmd cmd,
1407                                        AspeedI3CTransferArg arg)
1408 {
1409     bool is_recv = cmd.rnw;
1410     uint8_t err = ASPEED_I3C_RESP_QUEUE_ERR_NONE;
1411     uint8_t addr = aspeed_i3c_device_target_addr(s, cmd.dev_index);
1412     bool is_i2c = aspeed_i3c_device_target_is_i2c(s, cmd.dev_index);
1413     uint16_t bytes_transferred = 0;
1414 
1415     if (cmd.cp) {
1416         /* We're sending a CCC. */
1417         err = aspeed_i3c_device_transfer_ccc(s, cmd, arg);
1418         if (err != ASPEED_I3C_RESP_QUEUE_ERR_NONE) {
1419             goto transfer_done;
1420         }
1421     } else {
1422         if (ARRAY_FIELD_EX32(s->regs, DEVICE_CTRL, I3C_BROADCAST_ADDR_INC) &&
1423             is_i2c == false) {
1424             if (aspeed_i3c_device_send_start(s, I3C_BROADCAST,
1425                                              /*is_recv=*/false, is_i2c)) {
1426                 err = ASPEED_I3C_RESP_QUEUE_ERR_I2C_NACK;
1427                 goto transfer_done;
1428             }
1429         }
1430         /* Otherwise we're doing a private transfer. */
1431         if (aspeed_i3c_device_send_start(s, addr, is_recv, is_i2c)) {
1432             err = ASPEED_I3C_RESP_QUEUE_ERR_I2C_NACK;
1433             goto transfer_done;
1434         }
1435     }
1436 
1437     if (is_recv) {
1438         bytes_transferred = aspeed_i3c_device_rx(s, arg.data_len, is_i2c);
1439     } else {
1440         bytes_transferred = aspeed_i3c_device_tx(s, arg.data_len, is_i2c);
1441     }
1442 
1443     ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
1444                      ASPEED_I3C_TRANSFER_STATE_IDLE);
1445 
1446 transfer_done:
1447     if (cmd.toc) {
1448         aspeed_i3c_device_end_transfer(s, is_i2c);
1449     }
1450     if (cmd.roc) {
1451         /*
1452          * data_len is the number of bytes that still need to be TX'd, or the
1453          * number of bytes RX'd.
1454          */
1455         uint16_t data_len = is_recv ? bytes_transferred : arg.data_len -
1456                                                           bytes_transferred;
1457         /* CCCT is always 0 in controller mode. */
1458         aspeed_i3c_device_resp_queue_push(s, err, cmd.tid, /*ccc_type=*/0,
1459                                           data_len);
1460     }
1461 
1462     aspeed_i3c_device_update_irq(s);
1463 }
1464 
1465 static void aspeed_i3c_device_transfer_cmd(AspeedI3CDevice *s,
1466                                            AspeedI3CTransferCmd cmd,
1467                                            AspeedI3CCmdQueueData arg)
1468 {
1469     uint8_t arg_attr = FIELD_EX32(arg.word, COMMAND_QUEUE_PORT, CMD_ATTR);
1470 
1471     ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CMD_TID, cmd.tid);
1472 
1473     /* User is trying to do HDR transfers, see if we can do them. */
1474     if (cmd.speed == 0x06 && !aspeed_i3c_device_has_hdr_ddr(s)) {
1475         qemu_log_mask(LOG_GUEST_ERROR, "%s: HDR DDR is not supported\n",
1476                       object_get_canonical_path(OBJECT(s)));
1477         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
1478                          ASPEED_I3C_TRANSFER_STATE_HALT);
1479         return;
1480     }
1481     if (cmd.speed == 0x05 && !aspeed_i3c_device_has_hdr_ts(s)) {
1482         qemu_log_mask(LOG_GUEST_ERROR, "%s: HDR TS is not supported\n",
1483                       object_get_canonical_path(OBJECT(s)));
1484         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
1485                          ASPEED_I3C_TRANSFER_STATE_HALT);
1486         return;
1487     }
1488 
1489     if (arg_attr == ASPEED_I3C_CMD_ATTR_TRANSFER_ARG) {
1490         aspeed_i3c_device_transfer(s, cmd, arg.transfer_arg);
1491     } else if (arg_attr == ASPEED_I3C_CMD_ATTR_SHORT_DATA_ARG) {
1492         aspeed_i3c_device_short_transfer(s, cmd, arg.short_arg);
1493     } else {
1494         qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown command queue cmd_attr 0x%x"
1495                       "\n", object_get_canonical_path(OBJECT(s)), arg_attr);
1496         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
1497                          ASPEED_I3C_TRANSFER_STATE_HALT);
1498     }
1499 }
1500 
1501 static void aspeed_i3c_device_update_char_table(AspeedI3CDevice *s,
1502                                                 uint8_t offset, uint64_t pid,
1503                                                 uint8_t bcr, uint8_t dcr,
1504                                                 uint8_t addr)
1505 {
1506     if (offset > ASPEED_I3C_NR_DEVICES) {
1507         qemu_log_mask(LOG_GUEST_ERROR, "%s: Device char table offset %d out of "
1508                       "bounds\n", object_get_canonical_path(OBJECT(s)), offset);
1509         /* If we're out of bounds, do nothing. */
1510         return;
1511     }
1512 
1513     /* Each char table index is 128 bits apart. */
1514     uint16_t dev_index = R_DEVICE_CHARACTERISTIC_TABLE_LOC1 + offset *
1515                                                             sizeof(uint32_t);
1516     s->regs[dev_index] = pid & 0xffffffff;
1517     pid >>= 32;
1518     s->regs[dev_index + 1] = FIELD_DP32(s->regs[dev_index + 1],
1519                                         DEVICE_CHARACTERISTIC_TABLE_LOC2,
1520                                         MSB_PID, pid);
1521     s->regs[dev_index + 2] = FIELD_DP32(s->regs[dev_index + 2],
1522                                         DEVICE_CHARACTERISTIC_TABLE_LOC3, DCR,
1523                                         dcr);
1524     s->regs[dev_index + 2] = FIELD_DP32(s->regs[dev_index + 2],
1525                                         DEVICE_CHARACTERISTIC_TABLE_LOC3, BCR,
1526                                         bcr);
1527     s->regs[dev_index + 3] = FIELD_DP32(s->regs[dev_index + 3],
1528                                         DEVICE_CHARACTERISTIC_TABLE_LOC4,
1529                                         DEV_DYNAMIC_ADDR, addr);
1530 
1531     /* Increment PRESENT_DEV_CHAR_TABLE_INDEX. */
1532     uint8_t idx = ARRAY_FIELD_EX32(s->regs, DEV_CHAR_TABLE_POINTER,
1533                      PRESENT_DEV_CHAR_TABLE_INDEX);
1534     /* Increment and rollover. */
1535     idx++;
1536     if (idx >= ARRAY_FIELD_EX32(s->regs, DEV_CHAR_TABLE_POINTER,
1537                                DEV_CHAR_TABLE_DEPTH) / 4) {
1538         idx = 0;
1539     }
1540     ARRAY_FIELD_DP32(s->regs, DEV_CHAR_TABLE_POINTER,
1541                      PRESENT_DEV_CHAR_TABLE_INDEX, idx);
1542 }
1543 
1544 static void aspeed_i3c_device_addr_assign_cmd(AspeedI3CDevice *s,
1545                                               AspeedI3CAddrAssignCmd cmd)
1546 {
1547     uint8_t i = 0;
1548     uint8_t err = ASPEED_I3C_RESP_QUEUE_ERR_NONE;
1549 
1550     if (!aspeed_i3c_device_has_entdaa(s)) {
1551         qemu_log_mask(LOG_GUEST_ERROR, "%s: ENTDAA is not supported\n",
1552                       object_get_canonical_path(OBJECT(s)));
1553         return;
1554     }
1555 
1556     /* Tell everyone to ENTDAA. If these error, no one is on the bus. */
1557     if (aspeed_i3c_device_send_start(s, I3C_BROADCAST, /*is_recv=*/false,
1558                                      /*is_i2c=*/false)) {
1559         err = ASPEED_I3C_RESP_QUEUE_ERR_BROADCAST_NACK;
1560         goto transfer_done;
1561     }
1562     if (aspeed_i3c_device_send_byte(s, cmd.cmd, /*is_i2c=*/false)) {
1563         err = ASPEED_I3C_RESP_QUEUE_ERR_BROADCAST_NACK;
1564         goto transfer_done;
1565     }
1566 
1567     /* Go through each device in the table and assign it an address. */
1568     for (i = 0; i < cmd.dev_count; i++) {
1569         uint8_t addr = aspeed_i3c_device_target_addr(s, cmd.dev_index + i);
1570         union {
1571             uint64_t pid:48;
1572             uint8_t bcr;
1573             uint8_t dcr;
1574             uint32_t w[2];
1575             uint8_t b[8];
1576         } target_info;
1577 
1578         /* If this fails, there was no one left to ENTDAA. */
1579         if (aspeed_i3c_device_send_start(s, I3C_BROADCAST, /*is_recv=*/false,
1580                                          /*is_i2c=*/false)) {
1581             err = ASPEED_I3C_RESP_QUEUE_ERR_BROADCAST_NACK;
1582             break;
1583         }
1584 
1585         /*
1586          * In ENTDAA, we read 8 bytes from the target, which will be the
1587          * target's PID, BCR, and DCR. After that, we send it the dynamic
1588          * address.
1589          * Don't bother checking the number of bytes received, it must send 8
1590          * bytes during ENTDAA.
1591          */
1592         uint32_t num_read;
1593         if (aspeed_i3c_device_recv_data(s, /*is_i2c=*/false, target_info.b,
1594                                         I3C_ENTDAA_SIZE, &num_read)) {
1595             qemu_log_mask(LOG_GUEST_ERROR, "%s: Target NACKed ENTDAA CCC\n",
1596                           object_get_canonical_path(OBJECT(s)));
1597             err = ASPEED_I3C_RESP_QUEUE_ERR_DAA_NACK;
1598             goto transfer_done;
1599         }
1600         if (aspeed_i3c_device_send_byte(s, addr, /*is_i2c=*/false)) {
1601             qemu_log_mask(LOG_GUEST_ERROR, "%s: Target NACKed addr 0x%.2x "
1602                           "during ENTDAA\n",
1603                           object_get_canonical_path(OBJECT(s)), addr);
1604             err = ASPEED_I3C_RESP_QUEUE_ERR_DAA_NACK;
1605             break;
1606         }
1607         aspeed_i3c_device_update_char_table(s, cmd.dev_index + i,
1608                                             target_info.pid, target_info.bcr,
1609                                             target_info.dcr, addr);
1610 
1611         /* Push the PID, BCR, and DCR to the RX queue. */
1612         aspeed_i3c_device_push_rx(s, target_info.w[0]);
1613         aspeed_i3c_device_push_rx(s, target_info.w[1]);
1614     }
1615 
1616 transfer_done:
1617     /* Do we send a STOP? */
1618     if (cmd.toc) {
1619         aspeed_i3c_device_end_transfer(s, /*is_i2c=*/false);
1620     }
1621     /*
1622      * For addr assign commands, the length field is the number of devices
1623      * left to assign. CCCT is always 0 in controller mode.
1624      */
1625     if (cmd.roc) {
1626         aspeed_i3c_device_resp_queue_push(s, err, cmd.tid, /*ccc_type=*/0,
1627                                          cmd.dev_count - i);
1628     }
1629 }
1630 
1631 static uint32_t aspeed_i3c_device_cmd_queue_pop(AspeedI3CDevice *s)
1632 {
1633     if (fifo32_is_empty(&s->cmd_queue)) {
1634         qemu_log_mask(LOG_GUEST_ERROR, "%s: Tried to dequeue command queue "
1635                       "when it was empty\n",
1636                       object_get_canonical_path(OBJECT(s)));
1637         return 0;
1638     }
1639     uint32_t val = fifo32_pop(&s->cmd_queue);
1640 
1641     uint8_t empty_threshold = ARRAY_FIELD_EX32(s->regs, QUEUE_THLD_CTRL,
1642                                                CMD_BUF_EMPTY_THLD);
1643     uint8_t cmd_queue_empty_loc = ARRAY_FIELD_EX32(s->regs,
1644                                                    QUEUE_STATUS_LEVEL,
1645                                                    CMD_QUEUE_EMPTY_LOC);
1646     cmd_queue_empty_loc++;
1647     ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, CMD_QUEUE_EMPTY_LOC,
1648                      cmd_queue_empty_loc);
1649     if (cmd_queue_empty_loc >= empty_threshold) {
1650         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, CMD_QUEUE_RDY, 1);
1651         aspeed_i3c_device_update_irq(s);
1652     }
1653 
1654     return val;
1655 }
1656 
1657 static void aspeed_i3c_device_cmd_queue_execute(AspeedI3CDevice *s)
1658 {
1659     ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
1660                      ASPEED_I3C_TRANSFER_STATE_IDLE);
1661     if (!aspeed_i3c_device_can_transmit(s)) {
1662         return;
1663     }
1664 
1665     /*
1666      * We only start executing when a command is passed into the FIFO.
1667      * We expect there to be a multiple of 2 items in the queue. The first item
1668      * should be an argument to a command, and the command should be the second
1669      * item.
1670      */
1671     if (fifo32_num_used(&s->cmd_queue) & 1) {
1672         return;
1673     }
1674 
1675     while (!fifo32_is_empty(&s->cmd_queue)) {
1676         AspeedI3CCmdQueueData arg;
1677         arg.word = aspeed_i3c_device_cmd_queue_pop(s);
1678         AspeedI3CCmdQueueData cmd;
1679         cmd.word = aspeed_i3c_device_cmd_queue_pop(s);
1680         trace_aspeed_i3c_device_cmd_queue_execute(s->id, cmd.word, arg.word);
1681 
1682         uint8_t cmd_attr = FIELD_EX32(cmd.word, COMMAND_QUEUE_PORT, CMD_ATTR);
1683         switch (cmd_attr) {
1684         case ASPEED_I3C_CMD_ATTR_TRANSFER_CMD:
1685             aspeed_i3c_device_transfer_cmd(s, cmd.transfer_cmd, arg);
1686             break;
1687         case ASPEED_I3C_CMD_ATTR_ADDR_ASSIGN_CMD:
1688             /* Arg is discarded for addr assign commands. */
1689             aspeed_i3c_device_addr_assign_cmd(s, cmd.addr_assign_cmd);
1690             break;
1691         case ASPEED_I3C_CMD_ATTR_TRANSFER_ARG:
1692         case ASPEED_I3C_CMD_ATTR_SHORT_DATA_ARG:
1693             qemu_log_mask(LOG_GUEST_ERROR, "%s: Command queue received argument"
1694                           " packet when it expected a command packet\n",
1695                           object_get_canonical_path(OBJECT(s)));
1696             break;
1697         default:
1698             /*
1699              * The caller's check before queueing an item should prevent this
1700              * from happening.
1701              */
1702             g_assert_not_reached();
1703             break;
1704         }
1705     }
1706 }
1707 
1708 static void aspeed_i3c_device_cmd_queue_push(AspeedI3CDevice *s, uint32_t val)
1709 {
1710     if (fifo32_is_full(&s->cmd_queue)) {
1711         qemu_log_mask(LOG_GUEST_ERROR, "%s: Command queue received packet when "
1712                       "already full\n", object_get_canonical_path(OBJECT(s)));
1713         return;
1714     }
1715     trace_aspeed_i3c_device_cmd_queue_push(s->id, val);
1716     fifo32_push(&s->cmd_queue, val);
1717 
1718     uint8_t empty_threshold = ARRAY_FIELD_EX32(s->regs, QUEUE_THLD_CTRL,
1719                                                CMD_BUF_EMPTY_THLD);
1720     uint8_t cmd_queue_empty_loc = ARRAY_FIELD_EX32(s->regs,
1721                                                    QUEUE_STATUS_LEVEL,
1722                                                    CMD_QUEUE_EMPTY_LOC);
1723     if (cmd_queue_empty_loc) {
1724         cmd_queue_empty_loc--;
1725         ARRAY_FIELD_DP32(s->regs, QUEUE_STATUS_LEVEL, CMD_QUEUE_EMPTY_LOC,
1726                          cmd_queue_empty_loc);
1727     }
1728     if (cmd_queue_empty_loc < empty_threshold) {
1729         ARRAY_FIELD_DP32(s->regs, INTR_STATUS, CMD_QUEUE_RDY, 0);
1730         aspeed_i3c_device_update_irq(s);
1731     }
1732 }
1733 
1734 static void aspeed_i3c_device_cmd_queue_port_w(AspeedI3CDevice *s, uint32_t val)
1735 {
1736     uint8_t cmd_attr = FIELD_EX32(val, COMMAND_QUEUE_PORT, CMD_ATTR);
1737 
1738     switch (cmd_attr) {
1739     /* If a command is received we can start executing it. */
1740     case ASPEED_I3C_CMD_ATTR_TRANSFER_CMD:
1741     case ASPEED_I3C_CMD_ATTR_ADDR_ASSIGN_CMD:
1742         aspeed_i3c_device_cmd_queue_push(s, val);
1743         aspeed_i3c_device_cmd_queue_execute(s);
1744         break;
1745     /* If we get an argument just push it. */
1746     case ASPEED_I3C_CMD_ATTR_TRANSFER_ARG:
1747     case ASPEED_I3C_CMD_ATTR_SHORT_DATA_ARG:
1748         aspeed_i3c_device_cmd_queue_push(s, val);
1749         break;
1750     default:
1751         qemu_log_mask(LOG_GUEST_ERROR, "%s: Command queue received packet with "
1752                       "unknown cmd attr 0x%x\n",
1753                       object_get_canonical_path(OBJECT(s)), cmd_attr);
1754         break;
1755     }
1756 }
1757 
1758 static void aspeed_i3c_device_write(void *opaque, hwaddr offset,
1759                                     uint64_t value, unsigned size)
1760 {
1761     AspeedI3CDevice *s = ASPEED_I3C_DEVICE(opaque);
1762     uint32_t addr = offset >> 2;
1763     uint32_t val32 = (uint32_t)value;
1764 
1765     trace_aspeed_i3c_device_write(s->id, offset, value);
1766 
1767     val32 &= ~ast2600_i3c_device_ro[addr];
1768     switch (addr) {
1769     case R_HW_CAPABILITY:
1770     case R_RESPONSE_QUEUE_PORT:
1771     case R_IBI_QUEUE_DATA:
1772     case R_QUEUE_STATUS_LEVEL:
1773     case R_PRESENT_STATE:
1774     case R_CCC_DEVICE_STATUS:
1775     case R_DEVICE_ADDR_TABLE_POINTER:
1776     case R_VENDOR_SPECIFIC_REG_POINTER:
1777     case R_SLV_CHAR_CTRL:
1778     case R_SLV_MAX_LEN:
1779     case R_MAX_READ_TURNAROUND:
1780     case R_I3C_VER_ID:
1781     case R_I3C_VER_TYPE:
1782     case R_EXTENDED_CAPABILITY:
1783         qemu_log_mask(LOG_GUEST_ERROR,
1784                       "%s: write to readonly register[0x%02" HWADDR_PRIx
1785                       "] = 0x%08" PRIx64 "\n",
1786                       __func__, offset, value);
1787         break;
1788     case R_DEVICE_CTRL:
1789         aspeed_i3c_device_ctrl_w(s, val32);
1790         break;
1791     case R_RX_TX_DATA_PORT:
1792         aspeed_i3c_device_push_tx(s, val32);
1793         break;
1794     case R_COMMAND_QUEUE_PORT:
1795         aspeed_i3c_device_cmd_queue_port_w(s, val32);
1796         break;
1797     case R_RESET_CTRL:
1798         aspeed_i3c_device_reset_ctrl_w(s, val32);
1799         break;
1800     case R_INTR_STATUS:
1801         aspeed_i3c_device_intr_status_w(s, val32);
1802         break;
1803     case R_INTR_STATUS_EN:
1804         aspeed_i3c_device_intr_status_en_w(s, val32);
1805         break;
1806     case R_INTR_SIGNAL_EN:
1807         aspeed_i3c_device_intr_signal_en_w(s, val32);
1808         break;
1809     case R_INTR_FORCE:
1810         aspeed_i3c_device_intr_force_w(s, val32);
1811         break;
1812     default:
1813         s->regs[addr] = val32;
1814         break;
1815     }
1816 }
1817 
1818 static const VMStateDescription aspeed_i3c_device_vmstate = {
1819     .name = TYPE_ASPEED_I3C,
1820     .version_id = 1,
1821     .minimum_version_id = 1,
1822     .fields = (const VMStateField[]){
1823         VMSTATE_UINT32_ARRAY(regs, AspeedI3CDevice, ASPEED_I3C_DEVICE_NR_REGS),
1824         VMSTATE_END_OF_LIST(),
1825     }
1826 };
1827 
1828 static const MemoryRegionOps aspeed_i3c_device_ops = {
1829     .read = aspeed_i3c_device_read,
1830     .write = aspeed_i3c_device_write,
1831     .endianness = DEVICE_LITTLE_ENDIAN,
1832 };
1833 
1834 static void aspeed_i3c_device_realize(DeviceState *dev, Error **errp)
1835 {
1836     AspeedI3CDevice *s = ASPEED_I3C_DEVICE(dev);
1837     g_autofree char *name = g_strdup_printf(TYPE_ASPEED_I3C_DEVICE ".%d",
1838                                             s->id);
1839 
1840     sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq);
1841 
1842     memory_region_init_io(&s->mr, OBJECT(s), &aspeed_i3c_device_ops,
1843                           s, name, ASPEED_I3C_DEVICE_NR_REGS << 2);
1844 
1845     fifo32_create(&s->cmd_queue, ASPEED_I3C_CMD_QUEUE_CAPACITY);
1846     fifo32_create(&s->resp_queue, ASPEED_I3C_RESP_QUEUE_CAPACITY);
1847     fifo32_create(&s->tx_queue, ASPEED_I3C_TX_QUEUE_CAPACITY);
1848     fifo32_create(&s->rx_queue, ASPEED_I3C_RX_QUEUE_CAPACITY);
1849     fifo32_create(&s->ibi_queue, ASPEED_I3C_IBI_QUEUE_CAPACITY);
1850     /* Arbitrarily large enough to not be an issue. */
1851     fifo8_create(&s->ibi_data.ibi_intermediate_queue,
1852                   ASPEED_I3C_IBI_QUEUE_CAPACITY * 8);
1853 
1854     s->bus = i3c_init_bus(DEVICE(s), name);
1855     I3CBusClass *bc = I3C_BUS_GET_CLASS(s->bus);
1856     bc->ibi_handle = aspeed_i3c_device_ibi_handle;
1857     bc->ibi_recv = aspeed_i3c_device_ibi_recv;
1858     bc->ibi_finish = aspeed_i3c_device_ibi_finish;
1859 }
1860 
1861 static uint64_t aspeed_i3c_read(void *opaque, hwaddr addr, unsigned int size)
1862 {
1863     AspeedI3CState *s = ASPEED_I3C(opaque);
1864     uint64_t val = 0;
1865 
1866     val = s->regs[addr >> 2];
1867 
1868     trace_aspeed_i3c_read(addr, val);
1869 
1870     return val;
1871 }
1872 
1873 static void aspeed_i3c_write(void *opaque,
1874                              hwaddr addr,
1875                              uint64_t data,
1876                              unsigned int size)
1877 {
1878     AspeedI3CState *s = ASPEED_I3C(opaque);
1879 
1880     trace_aspeed_i3c_write(addr, data);
1881 
1882     addr >>= 2;
1883 
1884     data &= ~ast2600_i3c_controller_ro[addr];
1885     /* I3C controller register */
1886     switch (addr) {
1887     case R_I3C1_REG1:
1888     case R_I3C2_REG1:
1889     case R_I3C3_REG1:
1890     case R_I3C4_REG1:
1891     case R_I3C5_REG1:
1892     case R_I3C6_REG1:
1893         if (data & R_I3C1_REG1_I2C_MODE_MASK) {
1894             qemu_log_mask(LOG_UNIMP,
1895                           "%s: Unsupported I2C mode [0x%08" HWADDR_PRIx
1896                           "]=%08" PRIx64 "\n",
1897                           __func__, addr << 2, data);
1898             break;
1899         }
1900         if (data & R_I3C1_REG1_SA_EN_MASK) {
1901             qemu_log_mask(LOG_UNIMP,
1902                           "%s: Unsupported slave mode [%08" HWADDR_PRIx
1903                           "]=0x%08" PRIx64 "\n",
1904                           __func__, addr << 2, data);
1905             break;
1906         }
1907         s->regs[addr] = data;
1908         break;
1909     default:
1910         s->regs[addr] = data;
1911         break;
1912     }
1913 }
1914 
1915 static const MemoryRegionOps aspeed_i3c_ops = {
1916     .read = aspeed_i3c_read,
1917     .write = aspeed_i3c_write,
1918     .endianness = DEVICE_LITTLE_ENDIAN,
1919     .valid = {
1920         .min_access_size = 1,
1921         .max_access_size = 4,
1922     }
1923 };
1924 
1925 static void aspeed_i3c_reset(DeviceState *dev)
1926 {
1927     AspeedI3CState *s = ASPEED_I3C(dev);
1928     memset(s->regs, 0, sizeof(s->regs));
1929 }
1930 
1931 static void aspeed_i3c_instance_init(Object *obj)
1932 {
1933     AspeedI3CState *s = ASPEED_I3C(obj);
1934     int i;
1935 
1936     for (i = 0; i < ASPEED_I3C_NR_DEVICES; ++i) {
1937         object_initialize_child(obj, "device[*]", &s->devices[i],
1938                 TYPE_ASPEED_I3C_DEVICE);
1939     }
1940 }
1941 
1942 static void aspeed_i3c_realize(DeviceState *dev, Error **errp)
1943 {
1944     int i;
1945     AspeedI3CState *s = ASPEED_I3C(dev);
1946     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1947 
1948     memory_region_init(&s->iomem_container, OBJECT(s),
1949             TYPE_ASPEED_I3C ".container", 0x8000);
1950 
1951     sysbus_init_mmio(sbd, &s->iomem_container);
1952 
1953     memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_i3c_ops, s,
1954             TYPE_ASPEED_I3C ".regs", ASPEED_I3C_NR_REGS << 2);
1955 
1956     memory_region_add_subregion(&s->iomem_container, 0x0, &s->iomem);
1957 
1958     for (i = 0; i < ASPEED_I3C_NR_DEVICES; ++i) {
1959         Object *i3c_dev = OBJECT(&s->devices[i]);
1960 
1961         if (!object_property_set_uint(i3c_dev, "device-id", i, errp)) {
1962             return;
1963         }
1964 
1965         if (!sysbus_realize(SYS_BUS_DEVICE(i3c_dev), errp)) {
1966             return;
1967         }
1968 
1969         /*
1970          * Register Address of I3CX Device =
1971          *     (Base Address of Global Register) + (Offset of I3CX) + Offset
1972          * X = 0, 1, 2, 3, 4, 5
1973          * Offset of I3C0 = 0x2000
1974          * Offset of I3C1 = 0x3000
1975          * Offset of I3C2 = 0x4000
1976          * Offset of I3C3 = 0x5000
1977          * Offset of I3C4 = 0x6000
1978          * Offset of I3C5 = 0x7000
1979          */
1980         memory_region_add_subregion(&s->iomem_container,
1981                 0x2000 + i * 0x1000, &s->devices[i].mr);
1982     }
1983 
1984 }
1985 
1986 static Property aspeed_i3c_device_properties[] = {
1987     DEFINE_PROP_UINT8("device-id", AspeedI3CDevice, id, 0),
1988     DEFINE_PROP_END_OF_LIST(),
1989 };
1990 
1991 static void aspeed_i3c_device_class_init(ObjectClass *klass, void *data)
1992 {
1993     DeviceClass *dc = DEVICE_CLASS(klass);
1994 
1995     dc->desc = "Aspeed I3C Device";
1996     dc->realize = aspeed_i3c_device_realize;
1997     device_class_set_legacy_reset(dc, aspeed_i3c_device_reset);
1998     device_class_set_props(dc, aspeed_i3c_device_properties);
1999 }
2000 
2001 static const TypeInfo aspeed_i3c_device_info = {
2002     .name = TYPE_ASPEED_I3C_DEVICE,
2003     .parent = TYPE_SYS_BUS_DEVICE,
2004     .instance_size = sizeof(AspeedI3CDevice),
2005     .class_init = aspeed_i3c_device_class_init,
2006 };
2007 
2008 static const VMStateDescription vmstate_aspeed_i3c = {
2009     .name = TYPE_ASPEED_I3C,
2010     .version_id = 1,
2011     .minimum_version_id = 1,
2012     .fields = (const VMStateField[]) {
2013         VMSTATE_UINT32_ARRAY(regs, AspeedI3CState, ASPEED_I3C_NR_REGS),
2014         VMSTATE_STRUCT_ARRAY(devices, AspeedI3CState, ASPEED_I3C_NR_DEVICES, 1,
2015                              aspeed_i3c_device_vmstate, AspeedI3CDevice),
2016         VMSTATE_END_OF_LIST(),
2017     }
2018 };
2019 
2020 static void aspeed_i3c_class_init(ObjectClass *klass, void *data)
2021 {
2022     DeviceClass *dc = DEVICE_CLASS(klass);
2023 
2024     dc->realize = aspeed_i3c_realize;
2025     device_class_set_legacy_reset(dc, aspeed_i3c_reset);
2026     dc->desc = "Aspeed I3C Controller";
2027     dc->vmsd = &vmstate_aspeed_i3c;
2028 }
2029 
2030 static const TypeInfo aspeed_i3c_info = {
2031     .name = TYPE_ASPEED_I3C,
2032     .parent = TYPE_SYS_BUS_DEVICE,
2033     .instance_init = aspeed_i3c_instance_init,
2034     .instance_size = sizeof(AspeedI3CState),
2035     .class_init = aspeed_i3c_class_init,
2036 };
2037 
2038 static void aspeed_i3c_register_types(void)
2039 {
2040     type_register_static(&aspeed_i3c_device_info);
2041     type_register_static(&aspeed_i3c_info);
2042 }
2043 
2044 type_init(aspeed_i3c_register_types);
2045