xref: /openbmc/qemu/hw/ipmi/ipmi_bmc_sim.c (revision 60e58bd9f08a3b91a35850f7501a0a1bcf912b6f)
1 /*
2  * IPMI BMC emulation
3  *
4  * Copyright (c) 2015 Corey Minyard, MontaVista Software, LLC
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to deal
8  * in the Software without restriction, including without limitation the rights
9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10  * copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22  * THE SOFTWARE.
23  */
24 
25 #include "qemu/osdep.h"
26 #include "sysemu/sysemu.h"
27 #include "qemu/timer.h"
28 #include "hw/ipmi/ipmi.h"
29 #include "qemu/error-report.h"
30 #include "hw/loader.h"
31 
32 #define IPMI_NETFN_CHASSIS            0x00
33 
34 #define IPMI_CMD_GET_CHASSIS_CAPABILITIES 0x00
35 #define IPMI_CMD_GET_CHASSIS_STATUS       0x01
36 #define IPMI_CMD_CHASSIS_CONTROL          0x02
37 #define IPMI_CMD_GET_SYS_RESTART_CAUSE    0x09
38 
39 #define IPMI_NETFN_SENSOR_EVENT       0x04
40 
41 #define IPMI_CMD_SET_SENSOR_EVT_ENABLE    0x28
42 #define IPMI_CMD_GET_SENSOR_EVT_ENABLE    0x29
43 #define IPMI_CMD_REARM_SENSOR_EVTS        0x2a
44 #define IPMI_CMD_GET_SENSOR_EVT_STATUS    0x2b
45 #define IPMI_CMD_GET_SENSOR_READING       0x2d
46 #define IPMI_CMD_SET_SENSOR_TYPE          0x2e
47 #define IPMI_CMD_GET_SENSOR_TYPE          0x2f
48 
49 /* #define IPMI_NETFN_APP             0x06 In ipmi.h */
50 
51 #define IPMI_CMD_GET_DEVICE_ID            0x01
52 #define IPMI_CMD_COLD_RESET               0x02
53 #define IPMI_CMD_WARM_RESET               0x03
54 #define IPMI_CMD_SET_ACPI_POWER_STATE     0x06
55 #define IPMI_CMD_GET_ACPI_POWER_STATE     0x07
56 #define IPMI_CMD_GET_DEVICE_GUID          0x08
57 #define IPMI_CMD_RESET_WATCHDOG_TIMER     0x22
58 #define IPMI_CMD_SET_WATCHDOG_TIMER       0x24
59 #define IPMI_CMD_GET_WATCHDOG_TIMER       0x25
60 #define IPMI_CMD_SET_BMC_GLOBAL_ENABLES   0x2e
61 #define IPMI_CMD_GET_BMC_GLOBAL_ENABLES   0x2f
62 #define IPMI_CMD_CLR_MSG_FLAGS            0x30
63 #define IPMI_CMD_GET_MSG_FLAGS            0x31
64 #define IPMI_CMD_GET_MSG                  0x33
65 #define IPMI_CMD_SEND_MSG                 0x34
66 #define IPMI_CMD_READ_EVT_MSG_BUF         0x35
67 
68 #define IPMI_NETFN_STORAGE            0x0a
69 
70 #define IPMI_CMD_GET_SDR_REP_INFO         0x20
71 #define IPMI_CMD_GET_SDR_REP_ALLOC_INFO   0x21
72 #define IPMI_CMD_RESERVE_SDR_REP          0x22
73 #define IPMI_CMD_GET_SDR                  0x23
74 #define IPMI_CMD_ADD_SDR                  0x24
75 #define IPMI_CMD_PARTIAL_ADD_SDR          0x25
76 #define IPMI_CMD_DELETE_SDR               0x26
77 #define IPMI_CMD_CLEAR_SDR_REP            0x27
78 #define IPMI_CMD_GET_SDR_REP_TIME         0x28
79 #define IPMI_CMD_SET_SDR_REP_TIME         0x29
80 #define IPMI_CMD_ENTER_SDR_REP_UPD_MODE   0x2A
81 #define IPMI_CMD_EXIT_SDR_REP_UPD_MODE    0x2B
82 #define IPMI_CMD_RUN_INIT_AGENT           0x2C
83 #define IPMI_CMD_GET_FRU_AREA_INFO        0x10
84 #define IPMI_CMD_READ_FRU_DATA            0x11
85 #define IPMI_CMD_WRITE_FRU_DATA           0x12
86 #define IPMI_CMD_GET_SEL_INFO             0x40
87 #define IPMI_CMD_GET_SEL_ALLOC_INFO       0x41
88 #define IPMI_CMD_RESERVE_SEL              0x42
89 #define IPMI_CMD_GET_SEL_ENTRY            0x43
90 #define IPMI_CMD_ADD_SEL_ENTRY            0x44
91 #define IPMI_CMD_PARTIAL_ADD_SEL_ENTRY    0x45
92 #define IPMI_CMD_DELETE_SEL_ENTRY         0x46
93 #define IPMI_CMD_CLEAR_SEL                0x47
94 #define IPMI_CMD_GET_SEL_TIME             0x48
95 #define IPMI_CMD_SET_SEL_TIME             0x49
96 
97 
98 /* Same as a timespec struct. */
99 struct ipmi_time {
100     long tv_sec;
101     long tv_nsec;
102 };
103 
104 #define MAX_SEL_SIZE 128
105 
106 typedef struct IPMISel {
107     uint8_t sel[MAX_SEL_SIZE][16];
108     unsigned int next_free;
109     long time_offset;
110     uint16_t reservation;
111     uint8_t last_addition[4];
112     uint8_t last_clear[4];
113     uint8_t overflow;
114 } IPMISel;
115 
116 #define MAX_SDR_SIZE 16384
117 
118 typedef struct IPMISdr {
119     uint8_t sdr[MAX_SDR_SIZE];
120     unsigned int next_free;
121     uint16_t next_rec_id;
122     uint16_t reservation;
123     uint8_t last_addition[4];
124     uint8_t last_clear[4];
125     uint8_t overflow;
126 } IPMISdr;
127 
128 typedef struct IPMIFru {
129     char *filename;
130     unsigned int nentries;
131     uint16_t areasize;
132     uint8_t *data;
133 } IPMIFru;
134 
135 typedef struct IPMISensor {
136     uint8_t status;
137     uint8_t reading;
138     uint16_t states_suppt;
139     uint16_t assert_suppt;
140     uint16_t deassert_suppt;
141     uint16_t states;
142     uint16_t assert_states;
143     uint16_t deassert_states;
144     uint16_t assert_enable;
145     uint16_t deassert_enable;
146     uint8_t  sensor_type;
147     uint8_t  evt_reading_type_code;
148 } IPMISensor;
149 #define IPMI_SENSOR_GET_PRESENT(s)       ((s)->status & 0x01)
150 #define IPMI_SENSOR_SET_PRESENT(s, v)    ((s)->status = (s->status & ~0x01) | \
151                                              !!(v))
152 #define IPMI_SENSOR_GET_SCAN_ON(s)       ((s)->status & 0x40)
153 #define IPMI_SENSOR_SET_SCAN_ON(s, v)    ((s)->status = (s->status & ~0x40) | \
154                                              ((!!(v)) << 6))
155 #define IPMI_SENSOR_GET_EVENTS_ON(s)     ((s)->status & 0x80)
156 #define IPMI_SENSOR_SET_EVENTS_ON(s, v)  ((s)->status = (s->status & ~0x80) | \
157                                              ((!!(v)) << 7))
158 #define IPMI_SENSOR_GET_RET_STATUS(s)    ((s)->status & 0xc0)
159 #define IPMI_SENSOR_SET_RET_STATUS(s, v) ((s)->status = (s->status & ~0xc0) | \
160                                              (v & 0xc0))
161 #define IPMI_SENSOR_IS_DISCRETE(s) ((s)->evt_reading_type_code != 1)
162 
163 #define MAX_SENSORS 20
164 #define IPMI_WATCHDOG_SENSOR 0
165 
166 typedef struct IPMIBmcSim IPMIBmcSim;
167 typedef struct RspBuffer RspBuffer;
168 
169 #define MAX_NETFNS 64
170 
171 typedef struct IPMICmdHandler {
172     void (*cmd_handler)(IPMIBmcSim *s,
173                         uint8_t *cmd, unsigned int cmd_len,
174                         RspBuffer *rsp);
175     unsigned int cmd_len_min;
176 } IPMICmdHandler;
177 
178 typedef struct IPMINetfn {
179     unsigned int cmd_nums;
180     const IPMICmdHandler *cmd_handlers;
181 } IPMINetfn;
182 
183 typedef struct IPMIRcvBufEntry {
184     QTAILQ_ENTRY(IPMIRcvBufEntry) entry;
185     uint8_t len;
186     uint8_t buf[MAX_IPMI_MSG_SIZE];
187 } IPMIRcvBufEntry;
188 
189 #define TYPE_IPMI_BMC_SIMULATOR "ipmi-bmc-sim"
190 #define IPMI_BMC_SIMULATOR(obj) OBJECT_CHECK(IPMIBmcSim, (obj), \
191                                         TYPE_IPMI_BMC_SIMULATOR)
192 struct IPMIBmcSim {
193     IPMIBmc parent;
194 
195     QEMUTimer *timer;
196 
197     uint8_t bmc_global_enables;
198     uint8_t msg_flags;
199 
200     bool     watchdog_initialized;
201     uint8_t  watchdog_use;
202     uint8_t  watchdog_action;
203     uint8_t  watchdog_pretimeout; /* In seconds */
204     bool     watchdog_expired;
205     uint16_t watchdog_timeout; /* in 100's of milliseconds */
206 
207     bool     watchdog_running;
208     bool     watchdog_preaction_ran;
209     int64_t  watchdog_expiry;
210 
211     uint8_t device_id;
212     uint8_t ipmi_version;
213     uint8_t device_rev;
214     uint8_t fwrev1;
215     uint8_t fwrev2;
216     uint8_t mfg_id[3];
217     uint8_t product_id[2];
218 
219     uint8_t restart_cause;
220 
221     uint8_t acpi_power_state[2];
222     uint8_t uuid[16];
223 
224     IPMISel sel;
225     IPMISdr sdr;
226     IPMIFru fru;
227     IPMISensor sensors[MAX_SENSORS];
228     char *sdr_filename;
229 
230     /* Odd netfns are for responses, so we only need the even ones. */
231     const IPMINetfn *netfns[MAX_NETFNS / 2];
232 
233     /* We allow one event in the buffer */
234     uint8_t evtbuf[16];
235 
236     QTAILQ_HEAD(, IPMIRcvBufEntry) rcvbufs;
237 };
238 
239 #define IPMI_BMC_MSG_FLAG_WATCHDOG_TIMEOUT_MASK        (1 << 3)
240 #define IPMI_BMC_MSG_FLAG_EVT_BUF_FULL                 (1 << 1)
241 #define IPMI_BMC_MSG_FLAG_RCV_MSG_QUEUE                (1 << 0)
242 #define IPMI_BMC_MSG_FLAG_WATCHDOG_TIMEOUT_MASK_SET(s) \
243     (IPMI_BMC_MSG_FLAG_WATCHDOG_TIMEOUT_MASK & (s)->msg_flags)
244 #define IPMI_BMC_MSG_FLAG_EVT_BUF_FULL_SET(s) \
245     (IPMI_BMC_MSG_FLAG_EVT_BUF_FULL & (s)->msg_flags)
246 #define IPMI_BMC_MSG_FLAG_RCV_MSG_QUEUE_SET(s) \
247     (IPMI_BMC_MSG_FLAG_RCV_MSG_QUEUE & (s)->msg_flags)
248 
249 #define IPMI_BMC_RCV_MSG_QUEUE_INT_BIT    0
250 #define IPMI_BMC_EVBUF_FULL_INT_BIT       1
251 #define IPMI_BMC_EVENT_MSG_BUF_BIT        2
252 #define IPMI_BMC_EVENT_LOG_BIT            3
253 #define IPMI_BMC_MSG_INTS_ON(s) ((s)->bmc_global_enables & \
254                                  (1 << IPMI_BMC_RCV_MSG_QUEUE_INT_BIT))
255 #define IPMI_BMC_EVBUF_FULL_INT_ENABLED(s) ((s)->bmc_global_enables & \
256                                         (1 << IPMI_BMC_EVBUF_FULL_INT_BIT))
257 #define IPMI_BMC_EVENT_LOG_ENABLED(s) ((s)->bmc_global_enables & \
258                                        (1 << IPMI_BMC_EVENT_LOG_BIT))
259 #define IPMI_BMC_EVENT_MSG_BUF_ENABLED(s) ((s)->bmc_global_enables & \
260                                            (1 << IPMI_BMC_EVENT_MSG_BUF_BIT))
261 
262 #define IPMI_BMC_WATCHDOG_USE_MASK 0xc7
263 #define IPMI_BMC_WATCHDOG_ACTION_MASK 0x77
264 #define IPMI_BMC_WATCHDOG_GET_USE(s) ((s)->watchdog_use & 0x7)
265 #define IPMI_BMC_WATCHDOG_GET_DONT_LOG(s) (((s)->watchdog_use >> 7) & 0x1)
266 #define IPMI_BMC_WATCHDOG_GET_DONT_STOP(s) (((s)->watchdog_use >> 6) & 0x1)
267 #define IPMI_BMC_WATCHDOG_GET_PRE_ACTION(s) (((s)->watchdog_action >> 4) & 0x7)
268 #define IPMI_BMC_WATCHDOG_PRE_NONE               0
269 #define IPMI_BMC_WATCHDOG_PRE_SMI                1
270 #define IPMI_BMC_WATCHDOG_PRE_NMI                2
271 #define IPMI_BMC_WATCHDOG_PRE_MSG_INT            3
272 #define IPMI_BMC_WATCHDOG_GET_ACTION(s) ((s)->watchdog_action & 0x7)
273 #define IPMI_BMC_WATCHDOG_ACTION_NONE            0
274 #define IPMI_BMC_WATCHDOG_ACTION_RESET           1
275 #define IPMI_BMC_WATCHDOG_ACTION_POWER_DOWN      2
276 #define IPMI_BMC_WATCHDOG_ACTION_POWER_CYCLE     3
277 
278 struct RspBuffer {
279     uint8_t buffer[MAX_IPMI_MSG_SIZE];
280     unsigned int len;
281 };
282 
283 #define RSP_BUFFER_INITIALIZER { }
284 
285 static inline void rsp_buffer_set_error(RspBuffer *rsp, uint8_t byte)
286 {
287     rsp->buffer[2] = byte;
288 }
289 
290 /* Add a byte to the response. */
291 static inline void rsp_buffer_push(RspBuffer *rsp, uint8_t byte)
292 {
293     if (rsp->len >= sizeof(rsp->buffer)) {
294         rsp_buffer_set_error(rsp, IPMI_CC_REQUEST_DATA_TRUNCATED);
295         return;
296     }
297     rsp->buffer[rsp->len++] = byte;
298 }
299 
300 static inline void rsp_buffer_pushmore(RspBuffer *rsp, uint8_t *bytes,
301                                        unsigned int n)
302 {
303     if (rsp->len + n >= sizeof(rsp->buffer)) {
304         rsp_buffer_set_error(rsp, IPMI_CC_REQUEST_DATA_TRUNCATED);
305         return;
306     }
307 
308     memcpy(&rsp->buffer[rsp->len], bytes, n);
309     rsp->len += n;
310 }
311 
312 static void ipmi_sim_handle_timeout(IPMIBmcSim *ibs);
313 
314 static void ipmi_gettime(struct ipmi_time *time)
315 {
316     int64_t stime;
317 
318     stime = qemu_clock_get_ns(QEMU_CLOCK_HOST);
319     time->tv_sec = stime / 1000000000LL;
320     time->tv_nsec = stime % 1000000000LL;
321 }
322 
323 static int64_t ipmi_getmonotime(void)
324 {
325     return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
326 }
327 
328 static void ipmi_timeout(void *opaque)
329 {
330     IPMIBmcSim *ibs = opaque;
331 
332     ipmi_sim_handle_timeout(ibs);
333 }
334 
335 static void set_timestamp(IPMIBmcSim *ibs, uint8_t *ts)
336 {
337     unsigned int val;
338     struct ipmi_time now;
339 
340     ipmi_gettime(&now);
341     val = now.tv_sec + ibs->sel.time_offset;
342     ts[0] = val & 0xff;
343     ts[1] = (val >> 8) & 0xff;
344     ts[2] = (val >> 16) & 0xff;
345     ts[3] = (val >> 24) & 0xff;
346 }
347 
348 static void sdr_inc_reservation(IPMISdr *sdr)
349 {
350     sdr->reservation++;
351     if (sdr->reservation == 0) {
352         sdr->reservation = 1;
353     }
354 }
355 
356 static int sdr_add_entry(IPMIBmcSim *ibs,
357                          const struct ipmi_sdr_header *sdrh_entry,
358                          unsigned int len, uint16_t *recid)
359 {
360     struct ipmi_sdr_header *sdrh =
361         (struct ipmi_sdr_header *) &ibs->sdr.sdr[ibs->sdr.next_free];
362 
363     if ((len < IPMI_SDR_HEADER_SIZE) || (len > 255)) {
364         return 1;
365     }
366 
367     if (ipmi_sdr_length(sdrh_entry) != len) {
368         return 1;
369     }
370 
371     if (ibs->sdr.next_free + len > MAX_SDR_SIZE) {
372         ibs->sdr.overflow = 1;
373         return 1;
374     }
375 
376     memcpy(sdrh, sdrh_entry, len);
377     sdrh->rec_id[0] = ibs->sdr.next_rec_id & 0xff;
378     sdrh->rec_id[1] = (ibs->sdr.next_rec_id >> 8) & 0xff;
379     sdrh->sdr_version = 0x51; /* Conform to IPMI 1.5 spec */
380 
381     if (recid) {
382         *recid = ibs->sdr.next_rec_id;
383     }
384     ibs->sdr.next_rec_id++;
385     set_timestamp(ibs, ibs->sdr.last_addition);
386     ibs->sdr.next_free += len;
387     sdr_inc_reservation(&ibs->sdr);
388     return 0;
389 }
390 
391 static int sdr_find_entry(IPMISdr *sdr, uint16_t recid,
392                           unsigned int *retpos, uint16_t *nextrec)
393 {
394     unsigned int pos = *retpos;
395 
396     while (pos < sdr->next_free) {
397         struct ipmi_sdr_header *sdrh =
398             (struct ipmi_sdr_header *) &sdr->sdr[pos];
399         uint16_t trec = ipmi_sdr_recid(sdrh);
400         unsigned int nextpos = pos + ipmi_sdr_length(sdrh);
401 
402         if (trec == recid) {
403             if (nextrec) {
404                 if (nextpos >= sdr->next_free) {
405                     *nextrec = 0xffff;
406                 } else {
407                     *nextrec = (sdr->sdr[nextpos] |
408                                 (sdr->sdr[nextpos + 1] << 8));
409                 }
410             }
411             *retpos = pos;
412             return 0;
413         }
414         pos = nextpos;
415     }
416     return 1;
417 }
418 
419 int ipmi_bmc_sdr_find(IPMIBmc *b, uint16_t recid,
420                       const struct ipmi_sdr_compact **sdr, uint16_t *nextrec)
421 
422 {
423     IPMIBmcSim *ibs = IPMI_BMC_SIMULATOR(b);
424     unsigned int pos;
425 
426     pos = 0;
427     if (sdr_find_entry(&ibs->sdr, recid, &pos, nextrec)) {
428         return -1;
429     }
430 
431     *sdr = (const struct ipmi_sdr_compact *) &ibs->sdr.sdr[pos];
432     return 0;
433 }
434 
435 static void sel_inc_reservation(IPMISel *sel)
436 {
437     sel->reservation++;
438     if (sel->reservation == 0) {
439         sel->reservation = 1;
440     }
441 }
442 
443 /* Returns 1 if the SEL is full and can't hold the event. */
444 static int sel_add_event(IPMIBmcSim *ibs, uint8_t *event)
445 {
446     event[0] = 0xff;
447     event[1] = 0xff;
448     set_timestamp(ibs, event + 3);
449     if (ibs->sel.next_free == MAX_SEL_SIZE) {
450         ibs->sel.overflow = 1;
451         return 1;
452     }
453     event[0] = ibs->sel.next_free & 0xff;
454     event[1] = (ibs->sel.next_free >> 8) & 0xff;
455     memcpy(ibs->sel.last_addition, event + 3, 4);
456     memcpy(ibs->sel.sel[ibs->sel.next_free], event, 16);
457     ibs->sel.next_free++;
458     sel_inc_reservation(&ibs->sel);
459     return 0;
460 }
461 
462 static int attn_set(IPMIBmcSim *ibs)
463 {
464     return IPMI_BMC_MSG_FLAG_RCV_MSG_QUEUE_SET(ibs)
465         || IPMI_BMC_MSG_FLAG_EVT_BUF_FULL_SET(ibs)
466         || IPMI_BMC_MSG_FLAG_WATCHDOG_TIMEOUT_MASK_SET(ibs);
467 }
468 
469 static int attn_irq_enabled(IPMIBmcSim *ibs)
470 {
471     return (IPMI_BMC_MSG_INTS_ON(ibs) && IPMI_BMC_MSG_FLAG_RCV_MSG_QUEUE_SET(ibs))
472         || (IPMI_BMC_EVBUF_FULL_INT_ENABLED(ibs) &&
473             IPMI_BMC_MSG_FLAG_EVT_BUF_FULL_SET(ibs));
474 }
475 
476 void ipmi_bmc_gen_event(IPMIBmc *b, uint8_t *evt, bool log)
477 {
478     IPMIBmcSim *ibs = IPMI_BMC_SIMULATOR(b);
479     IPMIInterface *s = ibs->parent.intf;
480     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
481 
482     if (!IPMI_BMC_EVENT_MSG_BUF_ENABLED(ibs)) {
483         return;
484     }
485 
486     if (log && IPMI_BMC_EVENT_LOG_ENABLED(ibs)) {
487         sel_add_event(ibs, evt);
488     }
489 
490     if (ibs->msg_flags & IPMI_BMC_MSG_FLAG_EVT_BUF_FULL) {
491         goto out;
492     }
493 
494     memcpy(ibs->evtbuf, evt, 16);
495     ibs->msg_flags |= IPMI_BMC_MSG_FLAG_EVT_BUF_FULL;
496     k->set_atn(s, 1, attn_irq_enabled(ibs));
497  out:
498     return;
499 }
500 static void gen_event(IPMIBmcSim *ibs, unsigned int sens_num, uint8_t deassert,
501                       uint8_t evd1, uint8_t evd2, uint8_t evd3)
502 {
503     IPMIInterface *s = ibs->parent.intf;
504     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
505     uint8_t evt[16];
506     IPMISensor *sens = ibs->sensors + sens_num;
507 
508     if (!IPMI_BMC_EVENT_MSG_BUF_ENABLED(ibs)) {
509         return;
510     }
511     if (!IPMI_SENSOR_GET_EVENTS_ON(sens)) {
512         return;
513     }
514 
515     evt[2] = 0x2; /* System event record */
516     evt[7] = ibs->parent.slave_addr;
517     evt[8] = 0;
518     evt[9] = 0x04; /* Format version */
519     evt[10] = sens->sensor_type;
520     evt[11] = sens_num;
521     evt[12] = sens->evt_reading_type_code | (!!deassert << 7);
522     evt[13] = evd1;
523     evt[14] = evd2;
524     evt[15] = evd3;
525 
526     if (IPMI_BMC_EVENT_LOG_ENABLED(ibs)) {
527         sel_add_event(ibs, evt);
528     }
529 
530     if (ibs->msg_flags & IPMI_BMC_MSG_FLAG_EVT_BUF_FULL) {
531         return;
532     }
533 
534     memcpy(ibs->evtbuf, evt, 16);
535     ibs->msg_flags |= IPMI_BMC_MSG_FLAG_EVT_BUF_FULL;
536     k->set_atn(s, 1, attn_irq_enabled(ibs));
537 }
538 
539 static void sensor_set_discrete_bit(IPMIBmcSim *ibs, unsigned int sensor,
540                                     unsigned int bit, unsigned int val,
541                                     uint8_t evd1, uint8_t evd2, uint8_t evd3)
542 {
543     IPMISensor *sens;
544     uint16_t mask;
545 
546     if (sensor >= MAX_SENSORS) {
547         return;
548     }
549     if (bit >= 16) {
550         return;
551     }
552 
553     mask = (1 << bit);
554     sens = ibs->sensors + sensor;
555     if (val) {
556         sens->states |= mask & sens->states_suppt;
557         if (sens->assert_states & mask) {
558             return; /* Already asserted */
559         }
560         sens->assert_states |= mask & sens->assert_suppt;
561         if (sens->assert_enable & mask & sens->assert_states) {
562             /* Send an event on assert */
563             gen_event(ibs, sensor, 0, evd1, evd2, evd3);
564         }
565     } else {
566         sens->states &= ~(mask & sens->states_suppt);
567         if (sens->deassert_states & mask) {
568             return; /* Already deasserted */
569         }
570         sens->deassert_states |= mask & sens->deassert_suppt;
571         if (sens->deassert_enable & mask & sens->deassert_states) {
572             /* Send an event on deassert */
573             gen_event(ibs, sensor, 1, evd1, evd2, evd3);
574         }
575     }
576 }
577 
578 static void ipmi_init_sensors_from_sdrs(IPMIBmcSim *s)
579 {
580     unsigned int i, pos;
581     IPMISensor *sens;
582 
583     for (i = 0; i < MAX_SENSORS; i++) {
584         memset(s->sensors + i, 0, sizeof(*sens));
585     }
586 
587     pos = 0;
588     for (i = 0; !sdr_find_entry(&s->sdr, i, &pos, NULL); i++) {
589         struct ipmi_sdr_compact *sdr =
590             (struct ipmi_sdr_compact *) &s->sdr.sdr[pos];
591         unsigned int len = sdr->header.rec_length;
592 
593         if (len < 20) {
594             continue;
595         }
596         if (sdr->header.rec_type != IPMI_SDR_COMPACT_TYPE) {
597             continue; /* Not a sensor SDR we set from */
598         }
599 
600         if (sdr->sensor_owner_number >= MAX_SENSORS) {
601             continue;
602         }
603         sens = s->sensors + sdr->sensor_owner_number;
604 
605         IPMI_SENSOR_SET_PRESENT(sens, 1);
606         IPMI_SENSOR_SET_SCAN_ON(sens, (sdr->sensor_init >> 6) & 1);
607         IPMI_SENSOR_SET_EVENTS_ON(sens, (sdr->sensor_init >> 5) & 1);
608         sens->assert_suppt = sdr->assert_mask[0] | (sdr->assert_mask[1] << 8);
609         sens->deassert_suppt =
610             sdr->deassert_mask[0] | (sdr->deassert_mask[1] << 8);
611         sens->states_suppt =
612             sdr->discrete_mask[0] | (sdr->discrete_mask[1] << 8);
613         sens->sensor_type = sdr->sensor_type;
614         sens->evt_reading_type_code = sdr->reading_type & 0x7f;
615 
616         /* Enable all the events that are supported. */
617         sens->assert_enable = sens->assert_suppt;
618         sens->deassert_enable = sens->deassert_suppt;
619     }
620 }
621 
622 static int ipmi_register_netfn(IPMIBmcSim *s, unsigned int netfn,
623                                const IPMINetfn *netfnd)
624 {
625     if ((netfn & 1) || (netfn >= MAX_NETFNS) || (s->netfns[netfn / 2])) {
626         return -1;
627     }
628     s->netfns[netfn / 2] = netfnd;
629     return 0;
630 }
631 
632 static const IPMICmdHandler *ipmi_get_handler(IPMIBmcSim *ibs,
633                                               unsigned int netfn,
634                                               unsigned int cmd)
635 {
636     const IPMICmdHandler *hdl;
637 
638     if (netfn & 1 || netfn >= MAX_NETFNS || !ibs->netfns[netfn / 2]) {
639         return NULL;
640     }
641 
642     if (cmd >= ibs->netfns[netfn / 2]->cmd_nums) {
643         return NULL;
644     }
645 
646     hdl = &ibs->netfns[netfn / 2]->cmd_handlers[cmd];
647     if (!hdl->cmd_handler) {
648         return NULL;
649     }
650 
651     return hdl;
652 }
653 
654 static void next_timeout(IPMIBmcSim *ibs)
655 {
656     int64_t next;
657     if (ibs->watchdog_running) {
658         next = ibs->watchdog_expiry;
659     } else {
660         /* Wait a minute */
661         next = ipmi_getmonotime() + 60 * 1000000000LL;
662     }
663     timer_mod_ns(ibs->timer, next);
664 }
665 
666 static void ipmi_sim_handle_command(IPMIBmc *b,
667                                     uint8_t *cmd, unsigned int cmd_len,
668                                     unsigned int max_cmd_len,
669                                     uint8_t msg_id)
670 {
671     IPMIBmcSim *ibs = IPMI_BMC_SIMULATOR(b);
672     IPMIInterface *s = ibs->parent.intf;
673     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
674     const IPMICmdHandler *hdl;
675     RspBuffer rsp = RSP_BUFFER_INITIALIZER;
676 
677     /* Set up the response, set the low bit of NETFN. */
678     /* Note that max_rsp_len must be at least 3 */
679     if (sizeof(rsp.buffer) < 3) {
680         rsp_buffer_set_error(&rsp, IPMI_CC_REQUEST_DATA_TRUNCATED);
681         goto out;
682     }
683 
684     rsp_buffer_push(&rsp, cmd[0] | 0x04);
685     rsp_buffer_push(&rsp, cmd[1]);
686     rsp_buffer_push(&rsp, 0); /* Assume success */
687 
688     /* If it's too short or it was truncated, return an error. */
689     if (cmd_len < 2) {
690         rsp_buffer_set_error(&rsp, IPMI_CC_REQUEST_DATA_LENGTH_INVALID);
691         goto out;
692     }
693     if (cmd_len > max_cmd_len) {
694         rsp_buffer_set_error(&rsp, IPMI_CC_REQUEST_DATA_TRUNCATED);
695         goto out;
696     }
697 
698     if ((cmd[0] & 0x03) != 0) {
699         /* Only have stuff on LUN 0 */
700         rsp_buffer_set_error(&rsp, IPMI_CC_COMMAND_INVALID_FOR_LUN);
701         goto out;
702     }
703 
704     hdl = ipmi_get_handler(ibs, cmd[0] >> 2, cmd[1]);
705     if (!hdl) {
706         rsp_buffer_set_error(&rsp, IPMI_CC_INVALID_CMD);
707         goto out;
708     }
709 
710     if (cmd_len < hdl->cmd_len_min) {
711         rsp_buffer_set_error(&rsp, IPMI_CC_REQUEST_DATA_LENGTH_INVALID);
712         goto out;
713     }
714 
715     hdl->cmd_handler(ibs, cmd, cmd_len, &rsp);
716 
717  out:
718     k->handle_rsp(s, msg_id, rsp.buffer, rsp.len);
719 
720     next_timeout(ibs);
721 }
722 
723 static void ipmi_sim_handle_timeout(IPMIBmcSim *ibs)
724 {
725     IPMIInterface *s = ibs->parent.intf;
726     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
727 
728     if (!ibs->watchdog_running) {
729         goto out;
730     }
731 
732     if (!ibs->watchdog_preaction_ran) {
733         switch (IPMI_BMC_WATCHDOG_GET_PRE_ACTION(ibs)) {
734         case IPMI_BMC_WATCHDOG_PRE_NMI:
735             ibs->msg_flags |= IPMI_BMC_MSG_FLAG_WATCHDOG_TIMEOUT_MASK;
736             k->do_hw_op(s, IPMI_SEND_NMI, 0);
737             sensor_set_discrete_bit(ibs, IPMI_WATCHDOG_SENSOR, 8, 1,
738                                     0xc8, (2 << 4) | 0xf, 0xff);
739             break;
740 
741         case IPMI_BMC_WATCHDOG_PRE_MSG_INT:
742             ibs->msg_flags |= IPMI_BMC_MSG_FLAG_WATCHDOG_TIMEOUT_MASK;
743             k->set_atn(s, 1, attn_irq_enabled(ibs));
744             sensor_set_discrete_bit(ibs, IPMI_WATCHDOG_SENSOR, 8, 1,
745                                     0xc8, (3 << 4) | 0xf, 0xff);
746             break;
747 
748         default:
749             goto do_full_expiry;
750         }
751 
752         ibs->watchdog_preaction_ran = 1;
753         /* Issued the pretimeout, do the rest of the timeout now. */
754         ibs->watchdog_expiry = ipmi_getmonotime();
755         ibs->watchdog_expiry += ibs->watchdog_pretimeout * 1000000000LL;
756         goto out;
757     }
758 
759  do_full_expiry:
760     ibs->watchdog_running = 0; /* Stop the watchdog on a timeout */
761     ibs->watchdog_expired |= (1 << IPMI_BMC_WATCHDOG_GET_USE(ibs));
762     switch (IPMI_BMC_WATCHDOG_GET_ACTION(ibs)) {
763     case IPMI_BMC_WATCHDOG_ACTION_NONE:
764         sensor_set_discrete_bit(ibs, IPMI_WATCHDOG_SENSOR, 0, 1,
765                                 0xc0, ibs->watchdog_use & 0xf, 0xff);
766         break;
767 
768     case IPMI_BMC_WATCHDOG_ACTION_RESET:
769         sensor_set_discrete_bit(ibs, IPMI_WATCHDOG_SENSOR, 1, 1,
770                                 0xc1, ibs->watchdog_use & 0xf, 0xff);
771         k->do_hw_op(s, IPMI_RESET_CHASSIS, 0);
772         break;
773 
774     case IPMI_BMC_WATCHDOG_ACTION_POWER_DOWN:
775         sensor_set_discrete_bit(ibs, IPMI_WATCHDOG_SENSOR, 2, 1,
776                                 0xc2, ibs->watchdog_use & 0xf, 0xff);
777         k->do_hw_op(s, IPMI_POWEROFF_CHASSIS, 0);
778         break;
779 
780     case IPMI_BMC_WATCHDOG_ACTION_POWER_CYCLE:
781         sensor_set_discrete_bit(ibs, IPMI_WATCHDOG_SENSOR, 2, 1,
782                                 0xc3, ibs->watchdog_use & 0xf, 0xff);
783         k->do_hw_op(s, IPMI_POWERCYCLE_CHASSIS, 0);
784         break;
785     }
786 
787  out:
788     next_timeout(ibs);
789 }
790 
791 static void chassis_capabilities(IPMIBmcSim *ibs,
792                                  uint8_t *cmd, unsigned int cmd_len,
793                                  RspBuffer *rsp)
794 {
795     rsp_buffer_push(rsp, 0);
796     rsp_buffer_push(rsp, ibs->parent.slave_addr);
797     rsp_buffer_push(rsp, ibs->parent.slave_addr);
798     rsp_buffer_push(rsp, ibs->parent.slave_addr);
799     rsp_buffer_push(rsp, ibs->parent.slave_addr);
800 }
801 
802 static void chassis_status(IPMIBmcSim *ibs,
803                            uint8_t *cmd, unsigned int cmd_len,
804                            RspBuffer *rsp)
805 {
806     rsp_buffer_push(rsp, 0x61); /* Unknown power restore, power is on */
807     rsp_buffer_push(rsp, 0);
808     rsp_buffer_push(rsp, 0);
809     rsp_buffer_push(rsp, 0);
810 }
811 
812 static void chassis_control(IPMIBmcSim *ibs,
813                             uint8_t *cmd, unsigned int cmd_len,
814                             RspBuffer *rsp)
815 {
816     IPMIInterface *s = ibs->parent.intf;
817     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
818 
819     switch (cmd[2] & 0xf) {
820     case 0: /* power down */
821         rsp_buffer_set_error(rsp, k->do_hw_op(s, IPMI_POWEROFF_CHASSIS, 0));
822         break;
823     case 1: /* power up */
824         rsp_buffer_set_error(rsp, k->do_hw_op(s, IPMI_POWERON_CHASSIS, 0));
825         break;
826     case 2: /* power cycle */
827         rsp_buffer_set_error(rsp, k->do_hw_op(s, IPMI_POWERCYCLE_CHASSIS, 0));
828         break;
829     case 3: /* hard reset */
830         rsp_buffer_set_error(rsp, k->do_hw_op(s, IPMI_RESET_CHASSIS, 0));
831         break;
832     case 4: /* pulse diagnostic interrupt */
833         rsp_buffer_set_error(rsp, k->do_hw_op(s, IPMI_PULSE_DIAG_IRQ, 0));
834         break;
835     case 5: /* soft shutdown via ACPI by overtemp emulation */
836         rsp_buffer_set_error(rsp, k->do_hw_op(s,
837                                           IPMI_SHUTDOWN_VIA_ACPI_OVERTEMP, 0));
838         break;
839     default:
840         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
841         return;
842     }
843 }
844 
845 static void chassis_get_sys_restart_cause(IPMIBmcSim *ibs,
846                            uint8_t *cmd, unsigned int cmd_len,
847                            RspBuffer *rsp)
848 
849 {
850     rsp_buffer_push(rsp, ibs->restart_cause & 0xf); /* Restart Cause */
851     rsp_buffer_push(rsp, 0);  /* Channel 0 */
852 }
853 
854 static void get_device_id(IPMIBmcSim *ibs,
855                           uint8_t *cmd, unsigned int cmd_len,
856                           RspBuffer *rsp)
857 {
858     rsp_buffer_push(rsp, ibs->device_id);
859     rsp_buffer_push(rsp, ibs->device_rev & 0xf);
860     rsp_buffer_push(rsp, ibs->fwrev1 & 0x7f);
861     rsp_buffer_push(rsp, ibs->fwrev2);
862     rsp_buffer_push(rsp, ibs->ipmi_version);
863     rsp_buffer_push(rsp, 0x07); /* sensor, SDR, and SEL. */
864     rsp_buffer_push(rsp, ibs->mfg_id[0]);
865     rsp_buffer_push(rsp, ibs->mfg_id[1]);
866     rsp_buffer_push(rsp, ibs->mfg_id[2]);
867     rsp_buffer_push(rsp, ibs->product_id[0]);
868     rsp_buffer_push(rsp, ibs->product_id[1]);
869 }
870 
871 static void set_global_enables(IPMIBmcSim *ibs, uint8_t val)
872 {
873     IPMIInterface *s = ibs->parent.intf;
874     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
875     bool irqs_on;
876 
877     ibs->bmc_global_enables = val;
878 
879     irqs_on = val & (IPMI_BMC_EVBUF_FULL_INT_BIT |
880                      IPMI_BMC_RCV_MSG_QUEUE_INT_BIT);
881 
882     k->set_irq_enable(s, irqs_on);
883 }
884 
885 static void cold_reset(IPMIBmcSim *ibs,
886                        uint8_t *cmd, unsigned int cmd_len,
887                        RspBuffer *rsp)
888 {
889     IPMIInterface *s = ibs->parent.intf;
890     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
891 
892     /* Disable all interrupts */
893     set_global_enables(ibs, 1 << IPMI_BMC_EVENT_LOG_BIT);
894 
895     if (k->reset) {
896         k->reset(s, true);
897     }
898 }
899 
900 static void warm_reset(IPMIBmcSim *ibs,
901                        uint8_t *cmd, unsigned int cmd_len,
902                        RspBuffer *rsp)
903 {
904     IPMIInterface *s = ibs->parent.intf;
905     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
906 
907     if (k->reset) {
908         k->reset(s, false);
909     }
910 }
911 static void set_acpi_power_state(IPMIBmcSim *ibs,
912                                  uint8_t *cmd, unsigned int cmd_len,
913                                  RspBuffer *rsp)
914 {
915     ibs->acpi_power_state[0] = cmd[2];
916     ibs->acpi_power_state[1] = cmd[3];
917 }
918 
919 static void get_acpi_power_state(IPMIBmcSim *ibs,
920                                  uint8_t *cmd, unsigned int cmd_len,
921                                  RspBuffer *rsp)
922 {
923     rsp_buffer_push(rsp, ibs->acpi_power_state[0]);
924     rsp_buffer_push(rsp, ibs->acpi_power_state[1]);
925 }
926 
927 static void get_device_guid(IPMIBmcSim *ibs,
928                             uint8_t *cmd, unsigned int cmd_len,
929                             RspBuffer *rsp)
930 {
931     unsigned int i;
932 
933     for (i = 0; i < 16; i++) {
934         rsp_buffer_push(rsp, ibs->uuid[i]);
935     }
936 }
937 
938 static void set_bmc_global_enables(IPMIBmcSim *ibs,
939                                    uint8_t *cmd, unsigned int cmd_len,
940                                    RspBuffer *rsp)
941 {
942     set_global_enables(ibs, cmd[2]);
943 }
944 
945 static void get_bmc_global_enables(IPMIBmcSim *ibs,
946                                    uint8_t *cmd, unsigned int cmd_len,
947                                    RspBuffer *rsp)
948 {
949     rsp_buffer_push(rsp, ibs->bmc_global_enables);
950 }
951 
952 static void clr_msg_flags(IPMIBmcSim *ibs,
953                           uint8_t *cmd, unsigned int cmd_len,
954                           RspBuffer *rsp)
955 {
956     IPMIInterface *s = ibs->parent.intf;
957     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
958 
959     ibs->msg_flags &= ~cmd[2];
960     k->set_atn(s, attn_set(ibs), attn_irq_enabled(ibs));
961 }
962 
963 static void get_msg_flags(IPMIBmcSim *ibs,
964                           uint8_t *cmd, unsigned int cmd_len,
965                           RspBuffer *rsp)
966 {
967     rsp_buffer_push(rsp, ibs->msg_flags);
968 }
969 
970 static void read_evt_msg_buf(IPMIBmcSim *ibs,
971                              uint8_t *cmd, unsigned int cmd_len,
972                              RspBuffer *rsp)
973 {
974     IPMIInterface *s = ibs->parent.intf;
975     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
976     unsigned int i;
977 
978     if (!(ibs->msg_flags & IPMI_BMC_MSG_FLAG_EVT_BUF_FULL)) {
979         rsp_buffer_set_error(rsp, 0x80);
980         return;
981     }
982     for (i = 0; i < 16; i++) {
983         rsp_buffer_push(rsp, ibs->evtbuf[i]);
984     }
985     ibs->msg_flags &= ~IPMI_BMC_MSG_FLAG_EVT_BUF_FULL;
986     k->set_atn(s, attn_set(ibs), attn_irq_enabled(ibs));
987 }
988 
989 static void get_msg(IPMIBmcSim *ibs,
990                     uint8_t *cmd, unsigned int cmd_len,
991                     RspBuffer *rsp)
992 {
993     IPMIRcvBufEntry *msg;
994 
995     if (QTAILQ_EMPTY(&ibs->rcvbufs)) {
996         rsp_buffer_set_error(rsp, 0x80); /* Queue empty */
997         goto out;
998     }
999     rsp_buffer_push(rsp, 0); /* Channel 0 */
1000     msg = QTAILQ_FIRST(&ibs->rcvbufs);
1001     rsp_buffer_pushmore(rsp, msg->buf, msg->len);
1002     QTAILQ_REMOVE(&ibs->rcvbufs, msg, entry);
1003     g_free(msg);
1004 
1005     if (QTAILQ_EMPTY(&ibs->rcvbufs)) {
1006         IPMIInterface *s = ibs->parent.intf;
1007         IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
1008 
1009         ibs->msg_flags &= ~IPMI_BMC_MSG_FLAG_RCV_MSG_QUEUE;
1010         k->set_atn(s, attn_set(ibs), attn_irq_enabled(ibs));
1011     }
1012 
1013 out:
1014     return;
1015 }
1016 
1017 static unsigned char
1018 ipmb_checksum(unsigned char *data, int size, unsigned char csum)
1019 {
1020     for (; size > 0; size--, data++) {
1021             csum += *data;
1022     }
1023 
1024     return -csum;
1025 }
1026 
1027 static void send_msg(IPMIBmcSim *ibs,
1028                      uint8_t *cmd, unsigned int cmd_len,
1029                      RspBuffer *rsp)
1030 {
1031     IPMIInterface *s = ibs->parent.intf;
1032     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
1033     IPMIRcvBufEntry *msg;
1034     uint8_t *buf;
1035     uint8_t netfn, rqLun, rsLun, rqSeq;
1036 
1037     if (cmd[2] != 0) {
1038         /* We only handle channel 0 with no options */
1039         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1040         return;
1041     }
1042 
1043     if (cmd_len < 10) {
1044         rsp_buffer_set_error(rsp, IPMI_CC_REQUEST_DATA_LENGTH_INVALID);
1045         return;
1046     }
1047 
1048     if (cmd[3] != 0x40) {
1049         /* We only emulate a MC at address 0x40. */
1050         rsp_buffer_set_error(rsp, 0x83); /* NAK on write */
1051         return;
1052     }
1053 
1054     cmd += 3; /* Skip the header. */
1055     cmd_len -= 3;
1056 
1057     /*
1058      * At this point we "send" the message successfully.  Any error will
1059      * be returned in the response.
1060      */
1061     if (ipmb_checksum(cmd, cmd_len, 0) != 0 ||
1062         cmd[3] != 0x20) { /* Improper response address */
1063         return; /* No response */
1064     }
1065 
1066     netfn = cmd[1] >> 2;
1067     rqLun = cmd[4] & 0x3;
1068     rsLun = cmd[1] & 0x3;
1069     rqSeq = cmd[4] >> 2;
1070 
1071     if (rqLun != 2) {
1072         /* We only support LUN 2 coming back to us. */
1073         return;
1074     }
1075 
1076     msg = g_malloc(sizeof(*msg));
1077     msg->buf[0] = ((netfn | 1) << 2) | rqLun; /* NetFN, and make a response */
1078     msg->buf[1] = ipmb_checksum(msg->buf, 1, 0);
1079     msg->buf[2] = cmd[0]; /* rsSA */
1080     msg->buf[3] = (rqSeq << 2) | rsLun;
1081     msg->buf[4] = cmd[5]; /* Cmd */
1082     msg->buf[5] = 0; /* Completion Code */
1083     msg->len = 6;
1084 
1085     if ((cmd[1] >> 2) != IPMI_NETFN_APP || cmd[5] != IPMI_CMD_GET_DEVICE_ID) {
1086         /* Not a command we handle. */
1087         msg->buf[5] = IPMI_CC_INVALID_CMD;
1088         goto end_msg;
1089     }
1090 
1091     buf = msg->buf + msg->len; /* After the CC */
1092     buf[0] = 0;
1093     buf[1] = 0;
1094     buf[2] = 0;
1095     buf[3] = 0;
1096     buf[4] = 0x51;
1097     buf[5] = 0;
1098     buf[6] = 0;
1099     buf[7] = 0;
1100     buf[8] = 0;
1101     buf[9] = 0;
1102     buf[10] = 0;
1103     msg->len += 11;
1104 
1105  end_msg:
1106     msg->buf[msg->len] = ipmb_checksum(msg->buf, msg->len, 0);
1107     msg->len++;
1108     QTAILQ_INSERT_TAIL(&ibs->rcvbufs, msg, entry);
1109     ibs->msg_flags |= IPMI_BMC_MSG_FLAG_RCV_MSG_QUEUE;
1110     k->set_atn(s, 1, attn_irq_enabled(ibs));
1111 }
1112 
1113 static void do_watchdog_reset(IPMIBmcSim *ibs)
1114 {
1115     if (IPMI_BMC_WATCHDOG_GET_ACTION(ibs) ==
1116         IPMI_BMC_WATCHDOG_ACTION_NONE) {
1117         ibs->watchdog_running = 0;
1118         return;
1119     }
1120     ibs->watchdog_preaction_ran = 0;
1121 
1122 
1123     /* Timeout is in tenths of a second, offset is in seconds */
1124     ibs->watchdog_expiry = ipmi_getmonotime();
1125     ibs->watchdog_expiry += ibs->watchdog_timeout * 100000000LL;
1126     if (IPMI_BMC_WATCHDOG_GET_PRE_ACTION(ibs) != IPMI_BMC_WATCHDOG_PRE_NONE) {
1127         ibs->watchdog_expiry -= ibs->watchdog_pretimeout * 1000000000LL;
1128     }
1129     ibs->watchdog_running = 1;
1130 }
1131 
1132 static void reset_watchdog_timer(IPMIBmcSim *ibs,
1133                                  uint8_t *cmd, unsigned int cmd_len,
1134                                  RspBuffer *rsp)
1135 {
1136     if (!ibs->watchdog_initialized) {
1137         rsp_buffer_set_error(rsp, 0x80);
1138         return;
1139     }
1140     do_watchdog_reset(ibs);
1141 }
1142 
1143 static void set_watchdog_timer(IPMIBmcSim *ibs,
1144                                uint8_t *cmd, unsigned int cmd_len,
1145                                RspBuffer *rsp)
1146 {
1147     IPMIInterface *s = ibs->parent.intf;
1148     IPMIInterfaceClass *k = IPMI_INTERFACE_GET_CLASS(s);
1149     unsigned int val;
1150 
1151     val = cmd[2] & 0x7; /* Validate use */
1152     if (val == 0 || val > 5) {
1153         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1154         return;
1155     }
1156     val = cmd[3] & 0x7; /* Validate action */
1157     switch (val) {
1158     case IPMI_BMC_WATCHDOG_ACTION_NONE:
1159         break;
1160 
1161     case IPMI_BMC_WATCHDOG_ACTION_RESET:
1162         rsp_buffer_set_error(rsp, k->do_hw_op(s, IPMI_RESET_CHASSIS, 1));
1163         break;
1164 
1165     case IPMI_BMC_WATCHDOG_ACTION_POWER_DOWN:
1166         rsp_buffer_set_error(rsp, k->do_hw_op(s, IPMI_POWEROFF_CHASSIS, 1));
1167         break;
1168 
1169     case IPMI_BMC_WATCHDOG_ACTION_POWER_CYCLE:
1170         rsp_buffer_set_error(rsp, k->do_hw_op(s, IPMI_POWERCYCLE_CHASSIS, 1));
1171         break;
1172 
1173     default:
1174         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1175     }
1176     if (rsp->buffer[2]) {
1177         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1178         return;
1179     }
1180 
1181     val = (cmd[3] >> 4) & 0x7; /* Validate preaction */
1182     switch (val) {
1183     case IPMI_BMC_WATCHDOG_PRE_MSG_INT:
1184     case IPMI_BMC_WATCHDOG_PRE_NONE:
1185         break;
1186 
1187     case IPMI_BMC_WATCHDOG_PRE_NMI:
1188         if (!k->do_hw_op(s, IPMI_SEND_NMI, 1)) {
1189             /* NMI not supported. */
1190             rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1191             return;
1192         }
1193         break;
1194 
1195     default:
1196         /* We don't support PRE_SMI */
1197         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1198         return;
1199     }
1200 
1201     ibs->watchdog_initialized = 1;
1202     ibs->watchdog_use = cmd[2] & IPMI_BMC_WATCHDOG_USE_MASK;
1203     ibs->watchdog_action = cmd[3] & IPMI_BMC_WATCHDOG_ACTION_MASK;
1204     ibs->watchdog_pretimeout = cmd[4];
1205     ibs->watchdog_expired &= ~cmd[5];
1206     ibs->watchdog_timeout = cmd[6] | (((uint16_t) cmd[7]) << 8);
1207     if (ibs->watchdog_running & IPMI_BMC_WATCHDOG_GET_DONT_STOP(ibs)) {
1208         do_watchdog_reset(ibs);
1209     } else {
1210         ibs->watchdog_running = 0;
1211     }
1212 }
1213 
1214 static void get_watchdog_timer(IPMIBmcSim *ibs,
1215                                uint8_t *cmd, unsigned int cmd_len,
1216                                RspBuffer *rsp)
1217 {
1218     rsp_buffer_push(rsp, ibs->watchdog_use);
1219     rsp_buffer_push(rsp, ibs->watchdog_action);
1220     rsp_buffer_push(rsp, ibs->watchdog_pretimeout);
1221     rsp_buffer_push(rsp, ibs->watchdog_expired);
1222     if (ibs->watchdog_running) {
1223         long timeout;
1224         timeout = ((ibs->watchdog_expiry - ipmi_getmonotime() + 50000000)
1225                    / 100000000);
1226         rsp_buffer_push(rsp, timeout & 0xff);
1227         rsp_buffer_push(rsp, (timeout >> 8) & 0xff);
1228     } else {
1229         rsp_buffer_push(rsp, 0);
1230         rsp_buffer_push(rsp, 0);
1231     }
1232 }
1233 
1234 static void get_sdr_rep_info(IPMIBmcSim *ibs,
1235                              uint8_t *cmd, unsigned int cmd_len,
1236                              RspBuffer *rsp)
1237 {
1238     unsigned int i;
1239 
1240     rsp_buffer_push(rsp, 0x51); /* Conform to IPMI 1.5 spec */
1241     rsp_buffer_push(rsp, ibs->sdr.next_rec_id & 0xff);
1242     rsp_buffer_push(rsp, (ibs->sdr.next_rec_id >> 8) & 0xff);
1243     rsp_buffer_push(rsp, (MAX_SDR_SIZE - ibs->sdr.next_free) & 0xff);
1244     rsp_buffer_push(rsp, ((MAX_SDR_SIZE - ibs->sdr.next_free) >> 8) & 0xff);
1245     for (i = 0; i < 4; i++) {
1246         rsp_buffer_push(rsp, ibs->sdr.last_addition[i]);
1247     }
1248     for (i = 0; i < 4; i++) {
1249         rsp_buffer_push(rsp, ibs->sdr.last_clear[i]);
1250     }
1251     /* Only modal support, reserve supported */
1252     rsp_buffer_push(rsp, (ibs->sdr.overflow << 7) | 0x22);
1253 }
1254 
1255 static void reserve_sdr_rep(IPMIBmcSim *ibs,
1256                             uint8_t *cmd, unsigned int cmd_len,
1257                             RspBuffer *rsp)
1258 {
1259     rsp_buffer_push(rsp, ibs->sdr.reservation & 0xff);
1260     rsp_buffer_push(rsp, (ibs->sdr.reservation >> 8) & 0xff);
1261 }
1262 
1263 static void get_sdr(IPMIBmcSim *ibs,
1264                     uint8_t *cmd, unsigned int cmd_len,
1265                     RspBuffer *rsp)
1266 {
1267     unsigned int pos;
1268     uint16_t nextrec;
1269     struct ipmi_sdr_header *sdrh;
1270 
1271     if (cmd[6]) {
1272         if ((cmd[2] | (cmd[3] << 8)) != ibs->sdr.reservation) {
1273             rsp_buffer_set_error(rsp, IPMI_CC_INVALID_RESERVATION);
1274             return;
1275         }
1276     }
1277 
1278     pos = 0;
1279     if (sdr_find_entry(&ibs->sdr, cmd[4] | (cmd[5] << 8),
1280                        &pos, &nextrec)) {
1281         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1282         return;
1283     }
1284 
1285     sdrh = (struct ipmi_sdr_header *) &ibs->sdr.sdr[pos];
1286 
1287     if (cmd[6] > ipmi_sdr_length(sdrh)) {
1288         rsp_buffer_set_error(rsp, IPMI_CC_PARM_OUT_OF_RANGE);
1289         return;
1290     }
1291 
1292     rsp_buffer_push(rsp, nextrec & 0xff);
1293     rsp_buffer_push(rsp, (nextrec >> 8) & 0xff);
1294 
1295     if (cmd[7] == 0xff) {
1296         cmd[7] = ipmi_sdr_length(sdrh) - cmd[6];
1297     }
1298 
1299     if ((cmd[7] + rsp->len) > sizeof(rsp->buffer)) {
1300         rsp_buffer_set_error(rsp, IPMI_CC_CANNOT_RETURN_REQ_NUM_BYTES);
1301         return;
1302     }
1303 
1304     rsp_buffer_pushmore(rsp, ibs->sdr.sdr + pos + cmd[6], cmd[7]);
1305 }
1306 
1307 static void add_sdr(IPMIBmcSim *ibs,
1308                     uint8_t *cmd, unsigned int cmd_len,
1309                     RspBuffer *rsp)
1310 {
1311     uint16_t recid;
1312     struct ipmi_sdr_header *sdrh = (struct ipmi_sdr_header *) cmd + 2;
1313 
1314     if (sdr_add_entry(ibs, sdrh, cmd_len - 2, &recid)) {
1315         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1316         return;
1317     }
1318     rsp_buffer_push(rsp, recid & 0xff);
1319     rsp_buffer_push(rsp, (recid >> 8) & 0xff);
1320 }
1321 
1322 static void clear_sdr_rep(IPMIBmcSim *ibs,
1323                           uint8_t *cmd, unsigned int cmd_len,
1324                           RspBuffer *rsp)
1325 {
1326     if ((cmd[2] | (cmd[3] << 8)) != ibs->sdr.reservation) {
1327         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_RESERVATION);
1328         return;
1329     }
1330 
1331     if (cmd[4] != 'C' || cmd[5] != 'L' || cmd[6] != 'R') {
1332         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1333         return;
1334     }
1335     if (cmd[7] == 0xaa) {
1336         ibs->sdr.next_free = 0;
1337         ibs->sdr.overflow = 0;
1338         set_timestamp(ibs, ibs->sdr.last_clear);
1339         rsp_buffer_push(rsp, 1); /* Erasure complete */
1340         sdr_inc_reservation(&ibs->sdr);
1341     } else if (cmd[7] == 0) {
1342         rsp_buffer_push(rsp, 1); /* Erasure complete */
1343     } else {
1344         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1345         return;
1346     }
1347 }
1348 
1349 static void get_sel_info(IPMIBmcSim *ibs,
1350                          uint8_t *cmd, unsigned int cmd_len,
1351                          RspBuffer *rsp)
1352 {
1353     unsigned int i, val;
1354 
1355     rsp_buffer_push(rsp, 0x51); /* Conform to IPMI 1.5 */
1356     rsp_buffer_push(rsp, ibs->sel.next_free & 0xff);
1357     rsp_buffer_push(rsp, (ibs->sel.next_free >> 8) & 0xff);
1358     val = (MAX_SEL_SIZE - ibs->sel.next_free) * 16;
1359     rsp_buffer_push(rsp, val & 0xff);
1360     rsp_buffer_push(rsp, (val >> 8) & 0xff);
1361     for (i = 0; i < 4; i++) {
1362         rsp_buffer_push(rsp, ibs->sel.last_addition[i]);
1363     }
1364     for (i = 0; i < 4; i++) {
1365         rsp_buffer_push(rsp, ibs->sel.last_clear[i]);
1366     }
1367     /* Only support Reserve SEL */
1368     rsp_buffer_push(rsp, (ibs->sel.overflow << 7) | 0x02);
1369 }
1370 
1371 static void get_fru_area_info(IPMIBmcSim *ibs,
1372                          uint8_t *cmd, unsigned int cmd_len,
1373                          RspBuffer *rsp)
1374 {
1375     uint8_t fruid;
1376     uint16_t fru_entry_size;
1377 
1378     fruid = cmd[2];
1379 
1380     if (fruid >= ibs->fru.nentries) {
1381         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1382         return;
1383     }
1384 
1385     fru_entry_size = ibs->fru.areasize;
1386 
1387     rsp_buffer_push(rsp, fru_entry_size & 0xff);
1388     rsp_buffer_push(rsp, fru_entry_size >> 8 & 0xff);
1389     rsp_buffer_push(rsp, 0x0);
1390 }
1391 
1392 static void read_fru_data(IPMIBmcSim *ibs,
1393                          uint8_t *cmd, unsigned int cmd_len,
1394                          RspBuffer *rsp)
1395 {
1396     uint8_t fruid;
1397     uint16_t offset;
1398     int i;
1399     uint8_t *fru_entry;
1400     unsigned int count;
1401 
1402     fruid = cmd[2];
1403     offset = (cmd[3] | cmd[4] << 8);
1404 
1405     if (fruid >= ibs->fru.nentries) {
1406         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1407         return;
1408     }
1409 
1410     if (offset >= ibs->fru.areasize - 1) {
1411         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1412         return;
1413     }
1414 
1415     fru_entry = &ibs->fru.data[fruid * ibs->fru.areasize];
1416 
1417     count = MIN(cmd[5], ibs->fru.areasize - offset);
1418 
1419     rsp_buffer_push(rsp, count & 0xff);
1420     for (i = 0; i < count; i++) {
1421         rsp_buffer_push(rsp, fru_entry[offset + i]);
1422     }
1423 }
1424 
1425 static void write_fru_data(IPMIBmcSim *ibs,
1426                          uint8_t *cmd, unsigned int cmd_len,
1427                          RspBuffer *rsp)
1428 {
1429     uint8_t fruid;
1430     uint16_t offset;
1431     uint8_t *fru_entry;
1432     unsigned int count;
1433 
1434     fruid = cmd[2];
1435     offset = (cmd[3] | cmd[4] << 8);
1436 
1437     if (fruid >= ibs->fru.nentries) {
1438         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1439         return;
1440     }
1441 
1442     if (offset >= ibs->fru.areasize - 1) {
1443         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1444         return;
1445     }
1446 
1447     fru_entry = &ibs->fru.data[fruid * ibs->fru.areasize];
1448 
1449     count = MIN(cmd_len - 5, ibs->fru.areasize - offset);
1450 
1451     memcpy(fru_entry + offset, cmd + 5, count);
1452 
1453     rsp_buffer_push(rsp, count & 0xff);
1454 }
1455 
1456 static void reserve_sel(IPMIBmcSim *ibs,
1457                         uint8_t *cmd, unsigned int cmd_len,
1458                         RspBuffer *rsp)
1459 {
1460     rsp_buffer_push(rsp, ibs->sel.reservation & 0xff);
1461     rsp_buffer_push(rsp, (ibs->sel.reservation >> 8) & 0xff);
1462 }
1463 
1464 static void get_sel_entry(IPMIBmcSim *ibs,
1465                           uint8_t *cmd, unsigned int cmd_len,
1466                           RspBuffer *rsp)
1467 {
1468     unsigned int val;
1469 
1470     if (cmd[6]) {
1471         if ((cmd[2] | (cmd[3] << 8)) != ibs->sel.reservation) {
1472             rsp_buffer_set_error(rsp, IPMI_CC_INVALID_RESERVATION);
1473             return;
1474         }
1475     }
1476     if (ibs->sel.next_free == 0) {
1477         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1478         return;
1479     }
1480     if (cmd[6] > 15) {
1481         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1482         return;
1483     }
1484     if (cmd[7] == 0xff) {
1485         cmd[7] = 16;
1486     } else if ((cmd[7] + cmd[6]) > 16) {
1487         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1488         return;
1489     } else {
1490         cmd[7] += cmd[6];
1491     }
1492 
1493     val = cmd[4] | (cmd[5] << 8);
1494     if (val == 0xffff) {
1495         val = ibs->sel.next_free - 1;
1496     } else if (val >= ibs->sel.next_free) {
1497         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1498         return;
1499     }
1500     if ((val + 1) == ibs->sel.next_free) {
1501         rsp_buffer_push(rsp, 0xff);
1502         rsp_buffer_push(rsp, 0xff);
1503     } else {
1504         rsp_buffer_push(rsp, (val + 1) & 0xff);
1505         rsp_buffer_push(rsp, ((val + 1) >> 8) & 0xff);
1506     }
1507     for (; cmd[6] < cmd[7]; cmd[6]++) {
1508         rsp_buffer_push(rsp, ibs->sel.sel[val][cmd[6]]);
1509     }
1510 }
1511 
1512 static void add_sel_entry(IPMIBmcSim *ibs,
1513                           uint8_t *cmd, unsigned int cmd_len,
1514                           RspBuffer *rsp)
1515 {
1516     if (sel_add_event(ibs, cmd + 2)) {
1517         rsp_buffer_set_error(rsp, IPMI_CC_OUT_OF_SPACE);
1518         return;
1519     }
1520     /* sel_add_event fills in the record number. */
1521     rsp_buffer_push(rsp, cmd[2]);
1522     rsp_buffer_push(rsp, cmd[3]);
1523 }
1524 
1525 static void clear_sel(IPMIBmcSim *ibs,
1526                       uint8_t *cmd, unsigned int cmd_len,
1527                       RspBuffer *rsp)
1528 {
1529     if ((cmd[2] | (cmd[3] << 8)) != ibs->sel.reservation) {
1530         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_RESERVATION);
1531         return;
1532     }
1533 
1534     if (cmd[4] != 'C' || cmd[5] != 'L' || cmd[6] != 'R') {
1535         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1536         return;
1537     }
1538     if (cmd[7] == 0xaa) {
1539         ibs->sel.next_free = 0;
1540         ibs->sel.overflow = 0;
1541         set_timestamp(ibs, ibs->sdr.last_clear);
1542         rsp_buffer_push(rsp, 1); /* Erasure complete */
1543         sel_inc_reservation(&ibs->sel);
1544     } else if (cmd[7] == 0) {
1545         rsp_buffer_push(rsp, 1); /* Erasure complete */
1546     } else {
1547         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1548         return;
1549     }
1550 }
1551 
1552 static void get_sel_time(IPMIBmcSim *ibs,
1553                          uint8_t *cmd, unsigned int cmd_len,
1554                          RspBuffer *rsp)
1555 {
1556     uint32_t val;
1557     struct ipmi_time now;
1558 
1559     ipmi_gettime(&now);
1560     val = now.tv_sec + ibs->sel.time_offset;
1561     rsp_buffer_push(rsp, val & 0xff);
1562     rsp_buffer_push(rsp, (val >> 8) & 0xff);
1563     rsp_buffer_push(rsp, (val >> 16) & 0xff);
1564     rsp_buffer_push(rsp, (val >> 24) & 0xff);
1565 }
1566 
1567 static void set_sel_time(IPMIBmcSim *ibs,
1568                          uint8_t *cmd, unsigned int cmd_len,
1569                          RspBuffer *rsp)
1570 {
1571     uint32_t val;
1572     struct ipmi_time now;
1573 
1574     val = cmd[2] | (cmd[3] << 8) | (cmd[4] << 16) | (cmd[5] << 24);
1575     ipmi_gettime(&now);
1576     ibs->sel.time_offset = now.tv_sec - ((long) val);
1577 }
1578 
1579 static void set_sensor_evt_enable(IPMIBmcSim *ibs,
1580                                   uint8_t *cmd, unsigned int cmd_len,
1581                                   RspBuffer *rsp)
1582 {
1583     IPMISensor *sens;
1584 
1585     if ((cmd[2] >= MAX_SENSORS) ||
1586             !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
1587         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1588         return;
1589     }
1590     sens = ibs->sensors + cmd[2];
1591     switch ((cmd[3] >> 4) & 0x3) {
1592     case 0: /* Do not change */
1593         break;
1594     case 1: /* Enable bits */
1595         if (cmd_len > 4) {
1596             sens->assert_enable |= cmd[4];
1597         }
1598         if (cmd_len > 5) {
1599             sens->assert_enable |= cmd[5] << 8;
1600         }
1601         if (cmd_len > 6) {
1602             sens->deassert_enable |= cmd[6];
1603         }
1604         if (cmd_len > 7) {
1605             sens->deassert_enable |= cmd[7] << 8;
1606         }
1607         break;
1608     case 2: /* Disable bits */
1609         if (cmd_len > 4) {
1610             sens->assert_enable &= ~cmd[4];
1611         }
1612         if (cmd_len > 5) {
1613             sens->assert_enable &= ~(cmd[5] << 8);
1614         }
1615         if (cmd_len > 6) {
1616             sens->deassert_enable &= ~cmd[6];
1617         }
1618         if (cmd_len > 7) {
1619             sens->deassert_enable &= ~(cmd[7] << 8);
1620         }
1621         break;
1622     case 3:
1623         rsp_buffer_set_error(rsp, IPMI_CC_INVALID_DATA_FIELD);
1624         return;
1625     }
1626     IPMI_SENSOR_SET_RET_STATUS(sens, cmd[3]);
1627 }
1628 
1629 static void get_sensor_evt_enable(IPMIBmcSim *ibs,
1630                                   uint8_t *cmd, unsigned int cmd_len,
1631                                   RspBuffer *rsp)
1632 {
1633     IPMISensor *sens;
1634 
1635     if ((cmd[2] >= MAX_SENSORS) ||
1636         !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
1637         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1638         return;
1639     }
1640     sens = ibs->sensors + cmd[2];
1641     rsp_buffer_push(rsp, IPMI_SENSOR_GET_RET_STATUS(sens));
1642     rsp_buffer_push(rsp, sens->assert_enable & 0xff);
1643     rsp_buffer_push(rsp, (sens->assert_enable >> 8) & 0xff);
1644     rsp_buffer_push(rsp, sens->deassert_enable & 0xff);
1645     rsp_buffer_push(rsp, (sens->deassert_enable >> 8) & 0xff);
1646 }
1647 
1648 static void rearm_sensor_evts(IPMIBmcSim *ibs,
1649                               uint8_t *cmd, unsigned int cmd_len,
1650                               RspBuffer *rsp)
1651 {
1652     IPMISensor *sens;
1653 
1654     if ((cmd[2] >= MAX_SENSORS) ||
1655         !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
1656         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1657         return;
1658     }
1659     sens = ibs->sensors + cmd[2];
1660 
1661     if ((cmd[3] & 0x80) == 0) {
1662         /* Just clear everything */
1663         sens->states = 0;
1664         return;
1665     }
1666 }
1667 
1668 static void get_sensor_evt_status(IPMIBmcSim *ibs,
1669                                   uint8_t *cmd, unsigned int cmd_len,
1670                                   RspBuffer *rsp)
1671 {
1672     IPMISensor *sens;
1673 
1674     if ((cmd[2] >= MAX_SENSORS) ||
1675         !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
1676         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1677         return;
1678     }
1679     sens = ibs->sensors + cmd[2];
1680     rsp_buffer_push(rsp, sens->reading);
1681     rsp_buffer_push(rsp, IPMI_SENSOR_GET_RET_STATUS(sens));
1682     rsp_buffer_push(rsp, sens->assert_states & 0xff);
1683     rsp_buffer_push(rsp, (sens->assert_states >> 8) & 0xff);
1684     rsp_buffer_push(rsp, sens->deassert_states & 0xff);
1685     rsp_buffer_push(rsp, (sens->deassert_states >> 8) & 0xff);
1686 }
1687 
1688 static void get_sensor_reading(IPMIBmcSim *ibs,
1689                                uint8_t *cmd, unsigned int cmd_len,
1690                                RspBuffer *rsp)
1691 {
1692     IPMISensor *sens;
1693 
1694     if ((cmd[2] >= MAX_SENSORS) ||
1695             !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
1696         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1697         return;
1698     }
1699     sens = ibs->sensors + cmd[2];
1700     rsp_buffer_push(rsp, sens->reading);
1701     rsp_buffer_push(rsp, IPMI_SENSOR_GET_RET_STATUS(sens));
1702     rsp_buffer_push(rsp, sens->states & 0xff);
1703     if (IPMI_SENSOR_IS_DISCRETE(sens)) {
1704         rsp_buffer_push(rsp, (sens->states >> 8) & 0xff);
1705     }
1706 }
1707 
1708 static void set_sensor_type(IPMIBmcSim *ibs,
1709                             uint8_t *cmd, unsigned int cmd_len,
1710                             RspBuffer *rsp)
1711 {
1712     IPMISensor *sens;
1713 
1714 
1715     if ((cmd[2] >= MAX_SENSORS) ||
1716             !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
1717         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1718         return;
1719     }
1720     sens = ibs->sensors + cmd[2];
1721     sens->sensor_type = cmd[3];
1722     sens->evt_reading_type_code = cmd[4] & 0x7f;
1723 }
1724 
1725 static void get_sensor_type(IPMIBmcSim *ibs,
1726                             uint8_t *cmd, unsigned int cmd_len,
1727                             RspBuffer *rsp)
1728 {
1729     IPMISensor *sens;
1730 
1731 
1732     if ((cmd[2] >= MAX_SENSORS) ||
1733             !IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
1734         rsp_buffer_set_error(rsp, IPMI_CC_REQ_ENTRY_NOT_PRESENT);
1735         return;
1736     }
1737     sens = ibs->sensors + cmd[2];
1738     rsp_buffer_push(rsp, sens->sensor_type);
1739     rsp_buffer_push(rsp, sens->evt_reading_type_code);
1740 }
1741 
1742 
1743 static const IPMICmdHandler chassis_cmds[] = {
1744     [IPMI_CMD_GET_CHASSIS_CAPABILITIES] = { chassis_capabilities },
1745     [IPMI_CMD_GET_CHASSIS_STATUS] = { chassis_status },
1746     [IPMI_CMD_CHASSIS_CONTROL] = { chassis_control, 3 },
1747     [IPMI_CMD_GET_SYS_RESTART_CAUSE] = { chassis_get_sys_restart_cause }
1748 };
1749 static const IPMINetfn chassis_netfn = {
1750     .cmd_nums = ARRAY_SIZE(chassis_cmds),
1751     .cmd_handlers = chassis_cmds
1752 };
1753 
1754 static const IPMICmdHandler sensor_event_cmds[] = {
1755     [IPMI_CMD_SET_SENSOR_EVT_ENABLE] = { set_sensor_evt_enable, 4 },
1756     [IPMI_CMD_GET_SENSOR_EVT_ENABLE] = { get_sensor_evt_enable, 3 },
1757     [IPMI_CMD_REARM_SENSOR_EVTS] = { rearm_sensor_evts, 4 },
1758     [IPMI_CMD_GET_SENSOR_EVT_STATUS] = { get_sensor_evt_status, 3 },
1759     [IPMI_CMD_GET_SENSOR_READING] = { get_sensor_reading, 3 },
1760     [IPMI_CMD_SET_SENSOR_TYPE] = { set_sensor_type, 5 },
1761     [IPMI_CMD_GET_SENSOR_TYPE] = { get_sensor_type, 3 },
1762 };
1763 static const IPMINetfn sensor_event_netfn = {
1764     .cmd_nums = ARRAY_SIZE(sensor_event_cmds),
1765     .cmd_handlers = sensor_event_cmds
1766 };
1767 
1768 static const IPMICmdHandler app_cmds[] = {
1769     [IPMI_CMD_GET_DEVICE_ID] = { get_device_id },
1770     [IPMI_CMD_COLD_RESET] = { cold_reset },
1771     [IPMI_CMD_WARM_RESET] = { warm_reset },
1772     [IPMI_CMD_SET_ACPI_POWER_STATE] = { set_acpi_power_state, 4 },
1773     [IPMI_CMD_GET_ACPI_POWER_STATE] = { get_acpi_power_state },
1774     [IPMI_CMD_GET_DEVICE_GUID] = { get_device_guid },
1775     [IPMI_CMD_SET_BMC_GLOBAL_ENABLES] = { set_bmc_global_enables, 3 },
1776     [IPMI_CMD_GET_BMC_GLOBAL_ENABLES] = { get_bmc_global_enables },
1777     [IPMI_CMD_CLR_MSG_FLAGS] = { clr_msg_flags, 3 },
1778     [IPMI_CMD_GET_MSG_FLAGS] = { get_msg_flags },
1779     [IPMI_CMD_GET_MSG] = { get_msg },
1780     [IPMI_CMD_SEND_MSG] = { send_msg, 3 },
1781     [IPMI_CMD_READ_EVT_MSG_BUF] = { read_evt_msg_buf },
1782     [IPMI_CMD_RESET_WATCHDOG_TIMER] = { reset_watchdog_timer },
1783     [IPMI_CMD_SET_WATCHDOG_TIMER] = { set_watchdog_timer, 8 },
1784     [IPMI_CMD_GET_WATCHDOG_TIMER] = { get_watchdog_timer },
1785 };
1786 static const IPMINetfn app_netfn = {
1787     .cmd_nums = ARRAY_SIZE(app_cmds),
1788     .cmd_handlers = app_cmds
1789 };
1790 
1791 static const IPMICmdHandler storage_cmds[] = {
1792     [IPMI_CMD_GET_FRU_AREA_INFO] = { get_fru_area_info, 3 },
1793     [IPMI_CMD_READ_FRU_DATA] = { read_fru_data, 5 },
1794     [IPMI_CMD_WRITE_FRU_DATA] = { write_fru_data, 5 },
1795     [IPMI_CMD_GET_SDR_REP_INFO] = { get_sdr_rep_info },
1796     [IPMI_CMD_RESERVE_SDR_REP] = { reserve_sdr_rep },
1797     [IPMI_CMD_GET_SDR] = { get_sdr, 8 },
1798     [IPMI_CMD_ADD_SDR] = { add_sdr },
1799     [IPMI_CMD_CLEAR_SDR_REP] = { clear_sdr_rep, 8 },
1800     [IPMI_CMD_GET_SEL_INFO] = { get_sel_info },
1801     [IPMI_CMD_RESERVE_SEL] = { reserve_sel },
1802     [IPMI_CMD_GET_SEL_ENTRY] = { get_sel_entry, 8 },
1803     [IPMI_CMD_ADD_SEL_ENTRY] = { add_sel_entry, 18 },
1804     [IPMI_CMD_CLEAR_SEL] = { clear_sel, 8 },
1805     [IPMI_CMD_GET_SEL_TIME] = { get_sel_time, 6 },
1806     [IPMI_CMD_SET_SEL_TIME] = { set_sel_time },
1807 };
1808 
1809 static const IPMINetfn storage_netfn = {
1810     .cmd_nums = ARRAY_SIZE(storage_cmds),
1811     .cmd_handlers = storage_cmds
1812 };
1813 
1814 static void register_cmds(IPMIBmcSim *s)
1815 {
1816     ipmi_register_netfn(s, IPMI_NETFN_CHASSIS, &chassis_netfn);
1817     ipmi_register_netfn(s, IPMI_NETFN_SENSOR_EVENT, &sensor_event_netfn);
1818     ipmi_register_netfn(s, IPMI_NETFN_APP, &app_netfn);
1819     ipmi_register_netfn(s, IPMI_NETFN_STORAGE, &storage_netfn);
1820 }
1821 
1822 static uint8_t init_sdrs[] = {
1823     /* Watchdog device */
1824     0x00, 0x00, 0x51, 0x02,   35, 0x20, 0x00, 0x00,
1825     0x23, 0x01, 0x63, 0x00, 0x23, 0x6f, 0x0f, 0x01,
1826     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1827     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc8,
1828     'W',  'a',  't',  'c',  'h',  'd',  'o',  'g',
1829 };
1830 
1831 static void ipmi_sdr_init(IPMIBmcSim *ibs)
1832 {
1833     unsigned int i;
1834     int len;
1835     size_t sdrs_size;
1836     uint8_t *sdrs;
1837 
1838     sdrs_size = sizeof(init_sdrs);
1839     sdrs = init_sdrs;
1840     if (ibs->sdr_filename &&
1841         !g_file_get_contents(ibs->sdr_filename, (gchar **) &sdrs, &sdrs_size,
1842                              NULL)) {
1843         error_report("failed to load sdr file '%s'", ibs->sdr_filename);
1844         sdrs_size = sizeof(init_sdrs);
1845         sdrs = init_sdrs;
1846     }
1847 
1848     for (i = 0; i < sdrs_size; i += len) {
1849         struct ipmi_sdr_header *sdrh;
1850 
1851         if (i + IPMI_SDR_HEADER_SIZE > sdrs_size) {
1852             error_report("Problem with recid 0x%4.4x", i);
1853             break;
1854         }
1855         sdrh = (struct ipmi_sdr_header *) &sdrs[i];
1856         len = ipmi_sdr_length(sdrh);
1857         if (i + len > sdrs_size) {
1858             error_report("Problem with recid 0x%4.4x", i);
1859             break;
1860         }
1861         sdr_add_entry(ibs, sdrh, len, NULL);
1862     }
1863 
1864     if (sdrs != init_sdrs) {
1865         g_free(sdrs);
1866     }
1867 }
1868 
1869 static const VMStateDescription vmstate_ipmi_sim = {
1870     .name = TYPE_IPMI_BMC_SIMULATOR,
1871     .version_id = 1,
1872     .minimum_version_id = 1,
1873     .fields      = (VMStateField[]) {
1874         VMSTATE_UINT8(bmc_global_enables, IPMIBmcSim),
1875         VMSTATE_UINT8(msg_flags, IPMIBmcSim),
1876         VMSTATE_BOOL(watchdog_initialized, IPMIBmcSim),
1877         VMSTATE_UINT8(watchdog_use, IPMIBmcSim),
1878         VMSTATE_UINT8(watchdog_action, IPMIBmcSim),
1879         VMSTATE_UINT8(watchdog_pretimeout, IPMIBmcSim),
1880         VMSTATE_BOOL(watchdog_expired, IPMIBmcSim),
1881         VMSTATE_UINT16(watchdog_timeout, IPMIBmcSim),
1882         VMSTATE_BOOL(watchdog_running, IPMIBmcSim),
1883         VMSTATE_BOOL(watchdog_preaction_ran, IPMIBmcSim),
1884         VMSTATE_INT64(watchdog_expiry, IPMIBmcSim),
1885         VMSTATE_UINT8_ARRAY(evtbuf, IPMIBmcSim, 16),
1886         VMSTATE_UINT8(sensors[IPMI_WATCHDOG_SENSOR].status, IPMIBmcSim),
1887         VMSTATE_UINT8(sensors[IPMI_WATCHDOG_SENSOR].reading, IPMIBmcSim),
1888         VMSTATE_UINT16(sensors[IPMI_WATCHDOG_SENSOR].states, IPMIBmcSim),
1889         VMSTATE_UINT16(sensors[IPMI_WATCHDOG_SENSOR].assert_states, IPMIBmcSim),
1890         VMSTATE_UINT16(sensors[IPMI_WATCHDOG_SENSOR].deassert_states,
1891                        IPMIBmcSim),
1892         VMSTATE_UINT16(sensors[IPMI_WATCHDOG_SENSOR].assert_enable, IPMIBmcSim),
1893         VMSTATE_END_OF_LIST()
1894     }
1895 };
1896 
1897 static void ipmi_fru_init(IPMIFru *fru)
1898 {
1899     int fsize;
1900     int size = 0;
1901 
1902     if (!fru->filename) {
1903         goto out;
1904     }
1905 
1906     fsize = get_image_size(fru->filename);
1907     if (fsize > 0) {
1908         size = QEMU_ALIGN_UP(fsize, fru->areasize);
1909         fru->data = g_malloc0(size);
1910         if (load_image_size(fru->filename, fru->data, fsize) != fsize) {
1911             error_report("Could not load file '%s'", fru->filename);
1912             g_free(fru->data);
1913             fru->data = NULL;
1914         }
1915     }
1916 
1917 out:
1918     if (!fru->data) {
1919         /* give one default FRU */
1920         size = fru->areasize;
1921         fru->data = g_malloc0(size);
1922     }
1923 
1924     fru->nentries = size / fru->areasize;
1925 }
1926 
1927 static void ipmi_sim_realize(DeviceState *dev, Error **errp)
1928 {
1929     IPMIBmc *b = IPMI_BMC(dev);
1930     unsigned int i;
1931     IPMIBmcSim *ibs = IPMI_BMC_SIMULATOR(b);
1932 
1933     QTAILQ_INIT(&ibs->rcvbufs);
1934 
1935     ibs->bmc_global_enables = (1 << IPMI_BMC_EVENT_LOG_BIT);
1936     ibs->device_id = 0x20;
1937     ibs->ipmi_version = 0x02; /* IPMI 2.0 */
1938     ibs->restart_cause = 0;
1939     for (i = 0; i < 4; i++) {
1940         ibs->sel.last_addition[i] = 0xff;
1941         ibs->sel.last_clear[i] = 0xff;
1942         ibs->sdr.last_addition[i] = 0xff;
1943         ibs->sdr.last_clear[i] = 0xff;
1944     }
1945 
1946     ipmi_sdr_init(ibs);
1947 
1948     ipmi_fru_init(&ibs->fru);
1949 
1950     ibs->acpi_power_state[0] = 0;
1951     ibs->acpi_power_state[1] = 0;
1952 
1953     if (qemu_uuid_set) {
1954         memcpy(&ibs->uuid, &qemu_uuid, 16);
1955     } else {
1956         memset(&ibs->uuid, 0, 16);
1957     }
1958 
1959     ipmi_init_sensors_from_sdrs(ibs);
1960     register_cmds(ibs);
1961 
1962     ibs->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ipmi_timeout, ibs);
1963 
1964     vmstate_register(NULL, 0, &vmstate_ipmi_sim, ibs);
1965 }
1966 
1967 static Property ipmi_sim_properties[] = {
1968     DEFINE_PROP_UINT16("fruareasize", IPMIBmcSim, fru.areasize, 1024),
1969     DEFINE_PROP_STRING("frudatafile", IPMIBmcSim, fru.filename),
1970     DEFINE_PROP_STRING("sdrfile", IPMIBmcSim, sdr_filename),
1971     DEFINE_PROP_END_OF_LIST(),
1972 };
1973 
1974 static void ipmi_sim_class_init(ObjectClass *oc, void *data)
1975 {
1976     DeviceClass *dc = DEVICE_CLASS(oc);
1977     IPMIBmcClass *bk = IPMI_BMC_CLASS(oc);
1978 
1979     dc->hotpluggable = false;
1980     dc->realize = ipmi_sim_realize;
1981     dc->props = ipmi_sim_properties;
1982     bk->handle_command = ipmi_sim_handle_command;
1983 }
1984 
1985 static const TypeInfo ipmi_sim_type = {
1986     .name          = TYPE_IPMI_BMC_SIMULATOR,
1987     .parent        = TYPE_IPMI_BMC,
1988     .instance_size = sizeof(IPMIBmcSim),
1989     .class_init    = ipmi_sim_class_init,
1990 };
1991 
1992 static void ipmi_sim_register_types(void)
1993 {
1994     type_register_static(&ipmi_sim_type);
1995 }
1996 
1997 type_init(ipmi_sim_register_types)
1998