1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * eMMC emulation defined in "JEDEC Standard No. 84-A43"
6 *
7 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
8 * Copyright (c) 2007 CodeSourcery
9 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 *
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in
19 * the documentation and/or other materials provided with the
20 * distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
23 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
25 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
26 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
29 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
30 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35 #include "qemu/osdep.h"
36 #include "qemu/units.h"
37 #include "qemu/cutils.h"
38 #include "hw/irq.h"
39 #include "hw/registerfields.h"
40 #include "system/block-backend.h"
41 #include "hw/sd/sd.h"
42 #include "migration/vmstate.h"
43 #include "qapi/error.h"
44 #include "qemu/bitmap.h"
45 #include "hw/qdev-properties.h"
46 #include "hw/qdev-properties-system.h"
47 #include "qemu/error-report.h"
48 #include "qemu/timer.h"
49 #include "qemu/log.h"
50 #include "qemu/guest-random.h"
51 #include "qemu/module.h"
52 #include "sdmmc-internal.h"
53 #include "trace.h"
54
55 //#define DEBUG_SD 1
56
57 #define SDSC_MAX_CAPACITY (2 * GiB)
58
59 #define INVALID_ADDRESS UINT32_MAX
60
61 typedef enum {
62 sd_r0 = 0, /* no response */
63 sd_r1, /* normal response command */
64 spi_r2, /* STATUS */
65 sd_r2_i, /* CID register */
66 sd_r2_s, /* CSD register */
67 sd_r3, /* OCR register */
68 sd_r6 = 6, /* Published RCA response */
69 sd_r7, /* Operating voltage */
70 sd_r1b = -1,
71 sd_illegal = -2,
72 } sd_rsp_type_t;
73
74 typedef enum {
75 sd_spi,
76 sd_bc, /* broadcast -- no response */
77 sd_bcr, /* broadcast with response */
78 sd_ac, /* addressed -- no data transfer */
79 sd_adtc, /* addressed with data transfer */
80 } sd_cmd_type_t;
81
82 enum SDCardModes {
83 sd_inactive,
84 sd_card_identification_mode,
85 sd_data_transfer_mode,
86 };
87
88 enum SDCardStates {
89 sd_waitirq_state = -2, /* emmc */
90 sd_inactive_state = -1,
91
92 sd_idle_state = 0,
93 sd_ready_state = 1,
94 sd_identification_state = 2,
95 sd_standby_state = 3,
96 sd_transfer_state = 4,
97 sd_sendingdata_state = 5,
98 sd_receivingdata_state = 6,
99 sd_programming_state = 7,
100 sd_disconnect_state = 8,
101 sd_bus_test_state = 9, /* emmc */
102 sd_sleep_state = 10, /* emmc */
103 sd_io_state = 15 /* sd */
104 };
105
106 #define SDMMC_CMD_MAX 64
107
108 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
109
110 typedef struct SDProto {
111 const char *name;
112 struct {
113 const unsigned class;
114 const sd_cmd_type_t type;
115 const char *name;
116 sd_cmd_handler handler;
117 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX];
118 } SDProto;
119
120 struct SDState {
121 DeviceState parent_obj;
122
123 /* SD Memory Card Registers */
124 uint32_t ocr;
125 uint8_t scr[8];
126 uint8_t cid[16];
127 uint8_t csd[16];
128 uint16_t rca;
129 uint32_t card_status;
130 uint8_t sd_status[64];
131 union {
132 uint8_t ext_csd[512];
133 struct {
134 uint8_t ext_csd_rw[192]; /* Modes segment */
135 uint8_t ext_csd_ro[320]; /* Properties segment */
136 };
137 };
138
139 /* Static properties */
140
141 uint8_t spec_version;
142 uint64_t boot_part_size;
143 BlockBackend *blk;
144 uint8_t boot_config;
145
146 const SDProto *proto;
147
148 /* Runtime changeables */
149
150 int32_t state; /* current card state, one of SDCardStates */
151 uint32_t vhs;
152 bool wp_switch;
153 unsigned long *wp_group_bmap;
154 int32_t wp_group_bits;
155 uint64_t size;
156 uint32_t blk_len;
157 uint32_t multi_blk_cnt;
158 uint32_t erase_start;
159 uint32_t erase_end;
160 uint8_t pwd[16];
161 uint32_t pwd_len;
162 uint8_t function_group[6];
163 uint8_t current_cmd;
164 const char *last_cmd_name;
165 /* True if we will handle the next command as an ACMD. Note that this does
166 * *not* track the APP_CMD status bit!
167 */
168 bool expecting_acmd;
169 uint32_t blk_written;
170
171 uint64_t data_start;
172 uint32_t data_offset;
173 size_t data_size;
174 uint8_t data[512];
175 QEMUTimer *ocr_power_timer;
176 uint8_t dat_lines;
177 bool cmd_line;
178 };
179
180 static void sd_realize(DeviceState *dev, Error **errp);
181
182 static const SDProto sd_proto_spi;
183 static const SDProto sd_proto_emmc;
184
sd_is_spi(SDState * sd)185 static bool sd_is_spi(SDState *sd)
186 {
187 return sd->proto == &sd_proto_spi;
188 }
189
sd_is_emmc(SDState * sd)190 static bool sd_is_emmc(SDState *sd)
191 {
192 return sd->proto == &sd_proto_emmc;
193 }
194
sd_version_str(enum SDPhySpecificationVersion version)195 static const char *sd_version_str(enum SDPhySpecificationVersion version)
196 {
197 static const char *sdphy_version[] = {
198 [SD_PHY_SPECv1_10_VERS] = "v1.10",
199 [SD_PHY_SPECv2_00_VERS] = "v2.00",
200 [SD_PHY_SPECv3_01_VERS] = "v3.01",
201 };
202 if (version >= ARRAY_SIZE(sdphy_version)) {
203 return "unsupported version";
204 }
205 return sdphy_version[version];
206 }
207
sd_mode_name(enum SDCardModes mode)208 static const char *sd_mode_name(enum SDCardModes mode)
209 {
210 static const char *mode_name[] = {
211 [sd_inactive] = "inactive",
212 [sd_card_identification_mode] = "identification",
213 [sd_data_transfer_mode] = "transfer",
214 };
215 assert(mode < ARRAY_SIZE(mode_name));
216 return mode_name[mode];
217 }
218
sd_state_name(enum SDCardStates state)219 static const char *sd_state_name(enum SDCardStates state)
220 {
221 static const char *state_name[] = {
222 [sd_idle_state] = "idle",
223 [sd_ready_state] = "ready",
224 [sd_identification_state] = "identification",
225 [sd_standby_state] = "standby",
226 [sd_transfer_state] = "transfer",
227 [sd_sendingdata_state] = "sendingdata",
228 [sd_bus_test_state] = "bus-test",
229 [sd_receivingdata_state] = "receivingdata",
230 [sd_programming_state] = "programming",
231 [sd_disconnect_state] = "disconnect",
232 [sd_sleep_state] = "sleep",
233 [sd_io_state] = "i/o"
234 };
235 if (state == sd_inactive_state) {
236 return "inactive";
237 }
238 if (state == sd_waitirq_state) {
239 return "wait-irq";
240 }
241 assert(state < ARRAY_SIZE(state_name));
242 return state_name[state];
243 }
244
sd_response_name(sd_rsp_type_t rsp)245 static const char *sd_response_name(sd_rsp_type_t rsp)
246 {
247 static const char *response_name[] = {
248 [sd_r0] = "RESP#0 (no response)",
249 [sd_r1] = "RESP#1 (normal cmd)",
250 [spi_r2] = "RESP#2 (STATUS reg)",
251 [sd_r2_i] = "RESP#2 (CID reg)",
252 [sd_r2_s] = "RESP#2 (CSD reg)",
253 [sd_r3] = "RESP#3 (OCR reg)",
254 [sd_r6] = "RESP#6 (RCA)",
255 [sd_r7] = "RESP#7 (operating voltage)",
256 };
257 if (rsp == sd_illegal) {
258 return "ILLEGAL RESP";
259 }
260 if (rsp == sd_r1b) {
261 rsp = sd_r1;
262 }
263 assert(rsp < ARRAY_SIZE(response_name));
264 return response_name[rsp];
265 }
266
sd_cmd_name(SDState * sd,uint8_t cmd)267 static const char *sd_cmd_name(SDState *sd, uint8_t cmd)
268 {
269 static const char *cmd_abbrev[SDMMC_CMD_MAX] = {
270 [18] = "READ_MULTIPLE_BLOCK",
271 [25] = "WRITE_MULTIPLE_BLOCK",
272 };
273 const SDProto *sdp = sd->proto;
274
275 if (sdp->cmd[cmd].handler) {
276 assert(!cmd_abbrev[cmd]);
277 return sdp->cmd[cmd].name;
278 }
279 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD";
280 }
281
sd_acmd_name(SDState * sd,uint8_t cmd)282 static const char *sd_acmd_name(SDState *sd, uint8_t cmd)
283 {
284 const SDProto *sdp = sd->proto;
285
286 if (sdp->acmd[cmd].handler) {
287 return sdp->acmd[cmd].name;
288 }
289
290 return "UNKNOWN_ACMD";
291 }
292
sd_get_dat_lines(SDState * sd)293 static uint8_t sd_get_dat_lines(SDState *sd)
294 {
295 return sd->dat_lines;
296 }
297
sd_get_cmd_line(SDState * sd)298 static bool sd_get_cmd_line(SDState *sd)
299 {
300 return sd->cmd_line;
301 }
302
sd_set_voltage(SDState * sd,uint16_t millivolts)303 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
304 {
305 trace_sdcard_set_voltage(millivolts);
306
307 switch (millivolts) {
308 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
309 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
310 break;
311 default:
312 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
313 millivolts / 1000.f);
314 }
315 }
316
sd_mode(SDState * sd)317 static enum SDCardModes sd_mode(SDState *sd)
318 {
319 switch (sd->state) {
320 case sd_inactive_state:
321 return sd_inactive;
322 case sd_idle_state:
323 case sd_ready_state:
324 case sd_identification_state:
325 return sd_card_identification_mode;
326 case sd_standby_state:
327 case sd_transfer_state:
328 case sd_sendingdata_state:
329 case sd_receivingdata_state:
330 case sd_programming_state:
331 case sd_disconnect_state:
332 return sd_data_transfer_mode;
333 default:
334 g_assert_not_reached();
335 }
336 }
337
sd_crc7(const void * message,size_t width)338 static uint8_t sd_crc7(const void *message, size_t width)
339 {
340 int i, bit;
341 uint8_t shift_reg = 0x00;
342 const uint8_t *msg = (const uint8_t *)message;
343
344 for (i = 0; i < width; i ++, msg ++)
345 for (bit = 7; bit >= 0; bit --) {
346 shift_reg <<= 1;
347 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
348 shift_reg ^= 0x89;
349 }
350
351 return shift_reg;
352 }
353
354 /* Operation Conditions register */
355
356 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
357
358 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
359 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
360 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
361 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
362 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
363 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
364 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
365 FIELD(OCR, CARD_POWER_UP, 31, 1)
366
367 #define ACMD41_ENQUIRY_MASK 0x00ffffff
368 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
369 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
370 | R_OCR_UHS_II_CARD_MASK \
371 | R_OCR_CARD_CAPACITY_MASK \
372 | R_OCR_CARD_POWER_UP_MASK)
373
sd_ocr_powerup(void * opaque)374 static void sd_ocr_powerup(void *opaque)
375 {
376 SDState *sd = opaque;
377
378 trace_sdcard_powerup();
379 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
380
381 /* card power-up OK */
382 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
383
384 if (sd->size > SDSC_MAX_CAPACITY) {
385 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
386 }
387 }
388
sd_set_ocr(SDState * sd)389 static void sd_set_ocr(SDState *sd)
390 {
391 /* All voltages OK */
392 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
393
394 if (sd_is_spi(sd)) {
395 /*
396 * We don't need to emulate power up sequence in SPI-mode.
397 * Thus, the card's power up status bit should be set to 1 when reset.
398 * The card's capacity status bit should also be set if SD card size
399 * is larger than 2GB for SDHC support.
400 */
401 sd_ocr_powerup(sd);
402 }
403 }
404
405 /* SD Configuration register */
406
sd_set_scr(SDState * sd)407 static void sd_set_scr(SDState *sd)
408 {
409 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
410 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
411 sd->scr[0] |= 1; /* Spec Version 1.10 */
412 } else {
413 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
414 }
415 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
416 | 0b0101; /* 1-bit or 4-bit width bus modes */
417 sd->scr[2] = 0x00; /* Extended Security is not supported. */
418 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
419 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
420 }
421 sd->scr[3] = 0x00;
422 /* reserved for manufacturer usage */
423 sd->scr[4] = 0x00;
424 sd->scr[5] = 0x00;
425 sd->scr[6] = 0x00;
426 sd->scr[7] = 0x00;
427 }
428
429 /* Card IDentification register */
430
431 #define MID 0xaa
432 #define OID "XY"
433 #define PNM "QEMU!"
434 #define PRV 0x01
435 #define MDT_YR 2006
436 #define MDT_MON 2
437
sd_set_cid(SDState * sd)438 static void sd_set_cid(SDState *sd)
439 {
440 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
441 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
442 sd->cid[2] = OID[1];
443 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
444 sd->cid[4] = PNM[1];
445 sd->cid[5] = PNM[2];
446 sd->cid[6] = PNM[3];
447 sd->cid[7] = PNM[4];
448 sd->cid[8] = PRV; /* Fake product revision (PRV) */
449 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
450 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
451 ((MDT_YR - 2000) / 10);
452 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
453 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
454 }
455
emmc_set_cid(SDState * sd)456 static void emmc_set_cid(SDState *sd)
457 {
458 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
459 sd->cid[1] = 0b01; /* CBX: soldered BGA */
460 sd->cid[2] = OID[0]; /* OEM/Application ID (OID) */
461 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
462 sd->cid[4] = PNM[1];
463 sd->cid[5] = PNM[2];
464 sd->cid[6] = PNM[3];
465 sd->cid[7] = PNM[4];
466 sd->cid[8] = PNM[4];
467 sd->cid[9] = PRV; /* Fake product revision (PRV) */
468 stl_be_p(&sd->cid[10], 0xdeadbeef); /* Fake serial number (PSN) */
469 sd->cid[14] = (MDT_MON << 4) | (MDT_YR - 1997); /* Manufacture date (MDT) */
470 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
471 }
472
473 /* Card-Specific Data register */
474
475 #define HWBLOCK_SHIFT 9 /* 512 bytes */
476 #define SECTOR_SHIFT 5 /* 16 kilobytes */
477 #define WPGROUP_SHIFT 7 /* 2 megs */
478 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
479 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
480
481 static const uint8_t sd_csd_rw_mask[16] = {
482 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
483 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
484 };
485
emmc_set_ext_csd(SDState * sd,uint64_t size)486 static void emmc_set_ext_csd(SDState *sd, uint64_t size)
487 {
488 uint32_t sectcount = size >> HWBLOCK_SHIFT;
489
490 memset(sd->ext_csd, 0, sizeof(sd->ext_csd)); /* FIXME only RW at reset */
491
492 /* Properties segment (RO) */
493 sd->ext_csd[EXT_CSD_S_CMD_SET] = 0b1; /* supported command sets */
494 sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x0; /* Boot information */
495 /* Boot partition size. 128KB unit */
496 sd->ext_csd[EXT_CSD_BOOT_MULT] = sd->boot_part_size / (128 * KiB);
497 sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x1; /* Access size */
498 sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x01; /* HC Erase unit size */
499 sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x01; /* HC erase timeout */
500 sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */
501 sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x01; /* HC write protect group size */
502 sd->ext_csd[EXT_CSD_S_C_VCC] = 0x01; /* Sleep current VCC */
503 sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x01; /* Sleep current VCCQ */
504 sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x01; /* Sleep/Awake timeout */
505 stl_le_p(&sd->ext_csd[EXT_CSD_SEC_CNT], sectcount); /* Sector count */
506 sd->ext_csd[210] = 0x46; /* Min write perf for 8bit@52Mhz */
507 sd->ext_csd[209] = 0x46; /* Min read perf for 8bit@52Mhz */
508 sd->ext_csd[208] = 0x46; /* Min write perf for 4bit@52Mhz */
509 sd->ext_csd[207] = 0x46; /* Min read perf for 4bit@52Mhz */
510 sd->ext_csd[206] = 0x46; /* Min write perf for 4bit@26Mhz */
511 sd->ext_csd[205] = 0x46; /* Min read perf for 4bit@26Mhz */
512 sd->ext_csd[EXT_CSD_CARD_TYPE] = 0b11;
513 sd->ext_csd[EXT_CSD_STRUCTURE] = 2;
514 sd->ext_csd[EXT_CSD_REV] = 3;
515
516 /* Mode segment (RW) */
517 sd->ext_csd[EXT_CSD_PART_CONFIG] = sd->boot_config;
518 }
519
emmc_set_csd(SDState * sd,uint64_t size)520 static void emmc_set_csd(SDState *sd, uint64_t size)
521 {
522 int hwblock_shift = HWBLOCK_SHIFT;
523 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
524 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
525
526 sd->csd[0] = (3 << 6) | (4 << 2); /* Spec v4.3 with EXT_CSD */
527 sd->csd[1] = (1 << 3) | 6; /* Asynchronous data access time: 1ms */
528 sd->csd[2] = 0x00;
529 sd->csd[3] = (1 << 3) | 3;; /* Maximum bus clock frequency: 100MHz */
530 sd->csd[4] = 0x0f;
531 if (size <= 2 * GiB) {
532 /* use 1k blocks */
533 uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1;
534 sd->csd[5] = 0x5a;
535 sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf);
536 sd->csd[7] = (csize1k >> 2) & 0xff;
537 } else { /* >= 2GB : size stored in ext CSD, block addressing */
538 sd->csd[5] = 0x59;
539 sd->csd[6] = 0x8f;
540 sd->csd[7] = 0xff;
541 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
542 }
543 sd->csd[8] = 0xff;
544 sd->csd[9] = 0xfc | /* Max. write current */
545 ((CMULT_SHIFT - 2) >> 1);
546 sd->csd[10] = 0x40 | /* Erase sector size */
547 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
548 sd->csd[11] = 0x00 | /* Write protect group size */
549 ((sectsize << 7) & 0x80) | wpsize;
550 sd->csd[12] = 0x90 | /* Write speed factor */
551 (hwblock_shift >> 2);
552 sd->csd[13] = 0x20 | /* Max. write data block length */
553 ((hwblock_shift << 6) & 0xc0);
554 sd->csd[14] = 0x00;
555 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
556 emmc_set_ext_csd(sd, size);
557 }
558
sd_set_csd(SDState * sd,uint64_t size)559 static void sd_set_csd(SDState *sd, uint64_t size)
560 {
561 int hwblock_shift = HWBLOCK_SHIFT;
562 uint32_t csize;
563 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
564 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
565
566 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
567 if (size == SDSC_MAX_CAPACITY) {
568 hwblock_shift += 1;
569 }
570 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
571
572 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
573 sd->csd[0] = 0x00; /* CSD structure */
574 sd->csd[1] = 0x26; /* Data read access-time-1 */
575 sd->csd[2] = 0x00; /* Data read access-time-2 */
576 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
577 sd->csd[4] = 0x5f; /* Card Command Classes */
578 sd->csd[5] = 0x50 | /* Max. read data block length */
579 hwblock_shift;
580 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
581 ((csize >> 10) & 0x03);
582 sd->csd[7] = 0x00 | /* Device size */
583 ((csize >> 2) & 0xff);
584 sd->csd[8] = 0x3f | /* Max. read current */
585 ((csize << 6) & 0xc0);
586 sd->csd[9] = 0xfc | /* Max. write current */
587 ((CMULT_SHIFT - 2) >> 1);
588 sd->csd[10] = 0x40 | /* Erase sector size */
589 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
590 sd->csd[11] = 0x00 | /* Write protect group size */
591 ((sectsize << 7) & 0x80) | wpsize;
592 sd->csd[12] = 0x90 | /* Write speed factor */
593 (hwblock_shift >> 2);
594 sd->csd[13] = 0x20 | /* Max. write data block length */
595 ((hwblock_shift << 6) & 0xc0);
596 sd->csd[14] = 0x00; /* File format group */
597 } else { /* SDHC */
598 size /= 512 * KiB;
599 size -= 1;
600 sd->csd[0] = 0x40;
601 sd->csd[1] = 0x0e;
602 sd->csd[2] = 0x00;
603 sd->csd[3] = 0x32;
604 sd->csd[4] = 0x5b;
605 sd->csd[5] = 0x59;
606 sd->csd[6] = 0x00;
607 st24_be_p(&sd->csd[7], size);
608 sd->csd[10] = 0x7f;
609 sd->csd[11] = 0x80;
610 sd->csd[12] = 0x0a;
611 sd->csd[13] = 0x40;
612 sd->csd[14] = 0x00;
613 }
614 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
615 }
616
617 /* Relative Card Address register */
618
sd_set_rca(SDState * sd,uint16_t value)619 static void sd_set_rca(SDState *sd, uint16_t value)
620 {
621 trace_sdcard_set_rca(value);
622 sd->rca = value;
623 }
624
sd_req_get_rca(SDState * s,SDRequest req)625 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
626 {
627 switch (s->proto->cmd[req.cmd].type) {
628 case sd_ac:
629 case sd_adtc:
630 return req.arg >> 16;
631 case sd_spi:
632 default:
633 g_assert_not_reached();
634 }
635 }
636
sd_req_rca_same(SDState * s,SDRequest req)637 static bool sd_req_rca_same(SDState *s, SDRequest req)
638 {
639 return sd_req_get_rca(s, req) == s->rca;
640 }
641
642 /* Card Status register */
643
644 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
645 FIELD(CSR, APP_CMD, 5, 1)
646 FIELD(CSR, FX_EVENT, 6, 1)
647 FIELD(CSR, SWITCH_ERROR, 7, 1)
648 FIELD(CSR, READY_FOR_DATA, 8, 1)
649 FIELD(CSR, CURRENT_STATE, 9, 4)
650 FIELD(CSR, ERASE_RESET, 13, 1)
651 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
652 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
653 FIELD(CSR, CSD_OVERWRITE, 16, 1)
654 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
655 FIELD(CSR, ERROR, 19, 1)
656 FIELD(CSR, CC_ERROR, 20, 1)
657 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
658 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
659 FIELD(CSR, COM_CRC_ERROR, 23, 1)
660 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
661 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
662 FIELD(CSR, WP_VIOLATION, 26, 1)
663 FIELD(CSR, ERASE_PARAM, 27, 1)
664 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
665 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
666 FIELD(CSR, ADDRESS_ERROR, 30, 1)
667 FIELD(CSR, OUT_OF_RANGE, 31, 1)
668
669 /* Card status bits, split by clear condition:
670 * A : According to the card current state
671 * B : Always related to the previous command
672 * C : Cleared by read
673 */
674 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
675 | R_CSR_CARD_ECC_DISABLED_MASK \
676 | R_CSR_CARD_IS_LOCKED_MASK)
677 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
678 | R_CSR_ILLEGAL_COMMAND_MASK \
679 | R_CSR_COM_CRC_ERROR_MASK)
680 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
681 | R_CSR_APP_CMD_MASK \
682 | R_CSR_ERASE_RESET_MASK \
683 | R_CSR_WP_ERASE_SKIP_MASK \
684 | R_CSR_CSD_OVERWRITE_MASK \
685 | R_CSR_ERROR_MASK \
686 | R_CSR_CC_ERROR_MASK \
687 | R_CSR_CARD_ECC_FAILED_MASK \
688 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
689 | R_CSR_WP_VIOLATION_MASK \
690 | R_CSR_ERASE_PARAM_MASK \
691 | R_CSR_ERASE_SEQ_ERROR_MASK \
692 | R_CSR_BLOCK_LEN_ERROR_MASK \
693 | R_CSR_ADDRESS_ERROR_MASK \
694 | R_CSR_OUT_OF_RANGE_MASK)
695
sd_set_cardstatus(SDState * sd)696 static void sd_set_cardstatus(SDState *sd)
697 {
698 sd->card_status = READY_FOR_DATA;
699 }
700
sd_set_sdstatus(SDState * sd)701 static void sd_set_sdstatus(SDState *sd)
702 {
703 memset(sd->sd_status, 0, 64);
704 }
705
706 static const uint8_t sd_tuning_block_pattern4[64] = {
707 /*
708 * See: Physical Layer Simplified Specification Version 3.01,
709 * Table 4-2.
710 */
711 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
712 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
713 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
714 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
715 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
716 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
717 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
718 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde
719 };
720
sd_req_crc_validate(SDRequest * req)721 static int sd_req_crc_validate(SDRequest *req)
722 {
723 uint8_t buffer[5];
724 buffer[0] = 0x40 | req->cmd;
725 stl_be_p(&buffer[1], req->arg);
726 return 0;
727 return sd_crc7(buffer, 5) != req->crc; /* TODO */
728 }
729
sd_response_size(SDState * sd,sd_rsp_type_t rtype)730 static size_t sd_response_size(SDState *sd, sd_rsp_type_t rtype)
731 {
732 switch (rtype) {
733 case sd_r1:
734 case sd_r1b:
735 return sd_is_spi(sd) ? 1 : 4;
736
737 case spi_r2:
738 assert(sd_is_spi(sd));
739 return 2;
740
741 case sd_r2_i:
742 case sd_r2_s:
743 assert(!sd_is_spi(sd));
744 return 16;
745
746 case sd_r3:
747 case sd_r7:
748 return sd_is_spi(sd) ? 5 : 4;
749
750 case sd_r6:
751 assert(!sd_is_spi(sd));
752 return 4;
753
754 case sd_r0:
755 case sd_illegal:
756 return sd_is_spi(sd) ? 1 : 0;
757
758 default:
759 g_assert_not_reached();
760 }
761 }
762
sd_response_r1_make(SDState * sd,uint8_t * response)763 static void sd_response_r1_make(SDState *sd, uint8_t *response)
764 {
765 if (sd_is_spi(sd)) {
766 response[0] = sd->state == sd_idle_state
767 && !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
768 response[0] |= FIELD_EX32(sd->card_status, CSR, ERASE_RESET) << 1;
769 response[0] |= FIELD_EX32(sd->card_status, CSR, ILLEGAL_COMMAND) << 2;
770 response[0] |= FIELD_EX32(sd->card_status, CSR, COM_CRC_ERROR) << 3;
771 response[0] |= FIELD_EX32(sd->card_status, CSR, ERASE_SEQ_ERROR) << 4;
772 response[0] |= FIELD_EX32(sd->card_status, CSR, ADDRESS_ERROR) << 5;
773 response[0] |= FIELD_EX32(sd->card_status, CSR, BLOCK_LEN_ERROR) << 6;
774 response[0] |= 0 << 7;
775 } else {
776 stl_be_p(response, sd->card_status);
777 }
778
779 /* Clear the "clear on read" status bits */
780 sd->card_status &= ~CARD_STATUS_C;
781 }
782
spi_response_r2_make(SDState * sd,uint8_t * resp)783 static void spi_response_r2_make(SDState *sd, uint8_t *resp)
784 {
785 /* Prepend R1 */
786 sd_response_r1_make(sd, resp);
787
788 resp[1] = FIELD_EX32(sd->card_status, CSR, CARD_IS_LOCKED) << 0;
789 resp[1] |= (FIELD_EX32(sd->card_status, CSR, LOCK_UNLOCK_FAILED)
790 || FIELD_EX32(sd->card_status, CSR, WP_ERASE_SKIP)) << 1;
791 resp[1] |= FIELD_EX32(sd->card_status, CSR, ERROR) << 2;
792 resp[1] |= FIELD_EX32(sd->card_status, CSR, CC_ERROR) << 3;
793 resp[1] |= FIELD_EX32(sd->card_status, CSR, CARD_ECC_FAILED) << 4;
794 resp[1] |= FIELD_EX32(sd->card_status, CSR, WP_VIOLATION) << 5;
795 resp[1] |= FIELD_EX32(sd->card_status, CSR, ERASE_PARAM) << 6;
796 resp[1] |= FIELD_EX32(sd->card_status, CSR, OUT_OF_RANGE) << 7;
797 }
798
sd_response_r3_make(SDState * sd,uint8_t * response)799 static void sd_response_r3_make(SDState *sd, uint8_t *response)
800 {
801 if (sd_is_spi(sd)) {
802 /* Prepend R1 */
803 sd_response_r1_make(sd, response);
804 response++;
805 }
806 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
807 }
808
sd_response_r6_make(SDState * sd,uint8_t * response)809 static void sd_response_r6_make(SDState *sd, uint8_t *response)
810 {
811 uint16_t status;
812
813 status = ((sd->card_status >> 8) & 0xc000) |
814 ((sd->card_status >> 6) & 0x2000) |
815 (sd->card_status & 0x1fff);
816 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
817 stw_be_p(response + 0, sd->rca);
818 stw_be_p(response + 2, status);
819 }
820
sd_response_r7_make(SDState * sd,uint8_t * response)821 static void sd_response_r7_make(SDState *sd, uint8_t *response)
822 {
823 if (sd_is_spi(sd)) {
824 /* Prepend R1 */
825 sd_response_r1_make(sd, response);
826 response++;
827 }
828 stl_be_p(response, sd->vhs);
829 }
830
sd_blk_len(SDState * sd)831 static uint32_t sd_blk_len(SDState *sd)
832 {
833 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
834 return 1 << HWBLOCK_SHIFT;
835 }
836 return sd->blk_len;
837 }
838
839 /*
840 * This requires a disk image that has two boot partitions inserted at the
841 * beginning of it. The size of the boot partitions is the "boot-size"
842 * property.
843 */
sd_bootpart_offset(SDState * sd)844 static uint32_t sd_bootpart_offset(SDState *sd)
845 {
846 unsigned partition_access;
847
848 if (!sd->boot_part_size || !sd_is_emmc(sd)) {
849 return 0;
850 }
851
852 partition_access = sd->ext_csd[EXT_CSD_PART_CONFIG]
853 & EXT_CSD_PART_CONFIG_ACC_MASK;
854 switch (partition_access) {
855 case EXT_CSD_PART_CONFIG_ACC_DEFAULT:
856 return sd->boot_part_size * 2;
857 case EXT_CSD_PART_CONFIG_ACC_BOOT0:
858 return 0;
859 case EXT_CSD_PART_CONFIG_ACC_BOOT0 + 1:
860 return sd->boot_part_size * 1;
861 default:
862 g_assert_not_reached();
863 }
864 }
865
sd_req_get_address(SDState * sd,SDRequest req)866 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
867 {
868 uint64_t addr;
869
870 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
871 addr = (uint64_t) req.arg << HWBLOCK_SHIFT;
872 } else {
873 addr = req.arg;
874 }
875 trace_sdcard_req_addr(req.arg, addr);
876 return addr;
877 }
878
sd_addr_to_wpnum(uint64_t addr)879 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
880 {
881 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
882 }
883
sd_reset(DeviceState * dev)884 static void sd_reset(DeviceState *dev)
885 {
886 SDState *sd = SDMMC_COMMON(dev);
887 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd);
888 uint64_t size;
889 uint64_t sect;
890
891 trace_sdcard_reset();
892 if (sd->blk) {
893 blk_get_geometry(sd->blk, §);
894 } else {
895 sect = 0;
896 }
897 size = sect << HWBLOCK_SHIFT;
898 if (sd_is_emmc(sd)) {
899 size -= sd->boot_part_size * 2;
900 }
901
902 sect = sd_addr_to_wpnum(size) + 1;
903
904 sd->state = sd_idle_state;
905
906 /* card registers */
907 sd->rca = sd_is_emmc(sd) ? 0x0001 : 0x0000;
908 sd->size = size;
909 sd_set_ocr(sd);
910 sd_set_scr(sd);
911 sc->set_cid(sd);
912 sc->set_csd(sd, size);
913 sd_set_cardstatus(sd);
914 sd_set_sdstatus(sd);
915
916 g_free(sd->wp_group_bmap);
917 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
918 sd->wp_group_bits = sect;
919 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
920 memset(sd->function_group, 0, sizeof(sd->function_group));
921 sd->erase_start = INVALID_ADDRESS;
922 sd->erase_end = INVALID_ADDRESS;
923 sd->blk_len = 0x200;
924 sd->pwd_len = 0;
925 sd->expecting_acmd = false;
926 sd->dat_lines = 0xf;
927 sd->cmd_line = true;
928 sd->multi_blk_cnt = 0;
929 }
930
sd_get_inserted(SDState * sd)931 static bool sd_get_inserted(SDState *sd)
932 {
933 return sd->blk && blk_is_inserted(sd->blk);
934 }
935
sd_get_readonly(SDState * sd)936 static bool sd_get_readonly(SDState *sd)
937 {
938 return sd->wp_switch;
939 }
940
sd_cardchange(void * opaque,bool load,Error ** errp)941 static void sd_cardchange(void *opaque, bool load, Error **errp)
942 {
943 SDState *sd = opaque;
944 DeviceState *dev = DEVICE(sd);
945 SDBus *sdbus;
946 bool inserted = sd_get_inserted(sd);
947 bool readonly = sd_get_readonly(sd);
948
949 if (inserted) {
950 trace_sdcard_inserted(readonly);
951 sd_reset(dev);
952 } else {
953 trace_sdcard_ejected();
954 }
955
956 sdbus = SD_BUS(qdev_get_parent_bus(dev));
957 sdbus_set_inserted(sdbus, inserted);
958 if (inserted) {
959 sdbus_set_readonly(sdbus, readonly);
960 }
961 }
962
963 static const BlockDevOps sd_block_ops = {
964 .change_media_cb = sd_cardchange,
965 };
966
sd_ocr_vmstate_needed(void * opaque)967 static bool sd_ocr_vmstate_needed(void *opaque)
968 {
969 SDState *sd = opaque;
970
971 /* Include the OCR state (and timer) if it is not yet powered up */
972 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
973 }
974
975 static const VMStateDescription sd_ocr_vmstate = {
976 .name = "sd-card/ocr-state",
977 .version_id = 1,
978 .minimum_version_id = 1,
979 .needed = sd_ocr_vmstate_needed,
980 .fields = (const VMStateField[]) {
981 VMSTATE_UINT32(ocr, SDState),
982 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
983 VMSTATE_END_OF_LIST()
984 },
985 };
986
vmstate_needed_for_emmc(void * opaque)987 static bool vmstate_needed_for_emmc(void *opaque)
988 {
989 SDState *sd = opaque;
990
991 return sd_is_emmc(sd);
992 }
993
994 static const VMStateDescription emmc_extcsd_vmstate = {
995 .name = "sd-card/ext_csd_modes-state",
996 .version_id = 1,
997 .minimum_version_id = 1,
998 .needed = vmstate_needed_for_emmc,
999 .fields = (const VMStateField[]) {
1000 VMSTATE_UINT8_ARRAY(ext_csd_rw, SDState, 192),
1001 VMSTATE_END_OF_LIST()
1002 },
1003 };
1004
sd_vmstate_pre_load(void * opaque)1005 static int sd_vmstate_pre_load(void *opaque)
1006 {
1007 SDState *sd = opaque;
1008
1009 /* If the OCR state is not included (prior versions, or not
1010 * needed), then the OCR must be set as powered up. If the OCR state
1011 * is included, this will be replaced by the state restore.
1012 */
1013 sd_ocr_powerup(sd);
1014
1015 return 0;
1016 }
1017
1018 static const VMStateDescription sd_vmstate = {
1019 .name = "sd-card",
1020 .version_id = 2,
1021 .minimum_version_id = 2,
1022 .pre_load = sd_vmstate_pre_load,
1023 .fields = (const VMStateField[]) {
1024 VMSTATE_UNUSED(4),
1025 VMSTATE_INT32(state, SDState),
1026 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
1027 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
1028 VMSTATE_UINT16(rca, SDState),
1029 VMSTATE_UINT32(card_status, SDState),
1030 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
1031 VMSTATE_UINT32(vhs, SDState),
1032 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
1033 VMSTATE_UINT32(blk_len, SDState),
1034 VMSTATE_UINT32(multi_blk_cnt, SDState),
1035 VMSTATE_UINT32(erase_start, SDState),
1036 VMSTATE_UINT32(erase_end, SDState),
1037 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
1038 VMSTATE_UINT32(pwd_len, SDState),
1039 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
1040 VMSTATE_UINT8(current_cmd, SDState),
1041 VMSTATE_BOOL(expecting_acmd, SDState),
1042 VMSTATE_UINT32(blk_written, SDState),
1043 VMSTATE_UINT64(data_start, SDState),
1044 VMSTATE_UINT32(data_offset, SDState),
1045 VMSTATE_UINT8_ARRAY(data, SDState, 512),
1046 VMSTATE_UNUSED_V(1, 512),
1047 VMSTATE_UNUSED(1),
1048 VMSTATE_END_OF_LIST()
1049 },
1050 .subsections = (const VMStateDescription * const []) {
1051 &sd_ocr_vmstate,
1052 &emmc_extcsd_vmstate,
1053 NULL
1054 },
1055 };
1056
sd_blk_read(SDState * sd,uint64_t addr,uint32_t len)1057 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1058 {
1059 trace_sdcard_read_block(addr, len);
1060 addr += sd_bootpart_offset(sd);
1061 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
1062 fprintf(stderr, "sd_blk_read: read error on host side\n");
1063 }
1064 }
1065
sd_blk_write(SDState * sd,uint64_t addr,uint32_t len)1066 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1067 {
1068 trace_sdcard_write_block(addr, len);
1069 addr += sd_bootpart_offset(sd);
1070 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
1071 fprintf(stderr, "sd_blk_write: write error on host side\n");
1072 }
1073 }
1074
sd_erase(SDState * sd)1075 static void sd_erase(SDState *sd)
1076 {
1077 uint64_t erase_start = sd->erase_start;
1078 uint64_t erase_end = sd->erase_end;
1079 bool sdsc = true;
1080 uint64_t wpnum;
1081 uint64_t erase_addr;
1082 int erase_len = 1 << HWBLOCK_SHIFT;
1083
1084 trace_sdcard_erase(sd->erase_start, sd->erase_end);
1085 if (sd->erase_start == INVALID_ADDRESS
1086 || sd->erase_end == INVALID_ADDRESS) {
1087 sd->card_status |= ERASE_SEQ_ERROR;
1088 sd->erase_start = INVALID_ADDRESS;
1089 sd->erase_end = INVALID_ADDRESS;
1090 return;
1091 }
1092
1093 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1094 /* High capacity memory card: erase units are 512 byte blocks */
1095 erase_start <<= HWBLOCK_SHIFT;
1096 erase_end <<= HWBLOCK_SHIFT;
1097 sdsc = false;
1098 }
1099
1100 if (erase_start > sd->size || erase_end > sd->size) {
1101 sd->card_status |= OUT_OF_RANGE;
1102 sd->erase_start = INVALID_ADDRESS;
1103 sd->erase_end = INVALID_ADDRESS;
1104 return;
1105 }
1106
1107 sd->erase_start = INVALID_ADDRESS;
1108 sd->erase_end = INVALID_ADDRESS;
1109 sd->csd[14] |= 0x40;
1110
1111 memset(sd->data, 0xff, erase_len);
1112 for (erase_addr = erase_start; erase_addr <= erase_end;
1113 erase_addr += erase_len) {
1114 if (sdsc) {
1115 /* Only SDSC cards support write protect groups */
1116 wpnum = sd_addr_to_wpnum(erase_addr);
1117 assert(wpnum < sd->wp_group_bits);
1118 if (test_bit(wpnum, sd->wp_group_bmap)) {
1119 sd->card_status |= WP_ERASE_SKIP;
1120 continue;
1121 }
1122 }
1123 sd_blk_write(sd, erase_addr, erase_len);
1124 }
1125 }
1126
sd_wpbits(SDState * sd,uint64_t addr)1127 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
1128 {
1129 uint32_t i, wpnum;
1130 uint32_t ret = 0;
1131
1132 wpnum = sd_addr_to_wpnum(addr);
1133
1134 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
1135 if (addr >= sd->size) {
1136 /*
1137 * If the addresses of the last groups are outside the valid range,
1138 * then the corresponding write protection bits shall be set to 0.
1139 */
1140 continue;
1141 }
1142 assert(wpnum < sd->wp_group_bits);
1143 if (test_bit(wpnum, sd->wp_group_bmap)) {
1144 ret |= (1 << i);
1145 }
1146 }
1147
1148 return ret;
1149 }
1150
1151 enum ExtCsdAccessMode {
1152 EXT_CSD_ACCESS_MODE_COMMAND_SET = 0,
1153 EXT_CSD_ACCESS_MODE_SET_BITS = 1,
1154 EXT_CSD_ACCESS_MODE_CLEAR_BITS = 2,
1155 EXT_CSD_ACCESS_MODE_WRITE_BYTE = 3
1156 };
1157
emmc_function_switch(SDState * sd,uint32_t arg)1158 static void emmc_function_switch(SDState *sd, uint32_t arg)
1159 {
1160 uint8_t access = extract32(arg, 24, 2);
1161 uint8_t index = extract32(arg, 16, 8);
1162 uint8_t value = extract32(arg, 8, 8);
1163 uint8_t b = sd->ext_csd[index];
1164
1165 trace_sdcard_switch(access, index, value, extract32(arg, 0, 2));
1166
1167 if (index >= 192) {
1168 qemu_log_mask(LOG_GUEST_ERROR, "MMC switching illegal offset\n");
1169 sd->card_status |= R_CSR_SWITCH_ERROR_MASK;
1170 return;
1171 }
1172
1173 switch (access) {
1174 case EXT_CSD_ACCESS_MODE_COMMAND_SET:
1175 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n");
1176 return;
1177 case EXT_CSD_ACCESS_MODE_SET_BITS:
1178 b |= value;
1179 break;
1180 case EXT_CSD_ACCESS_MODE_CLEAR_BITS:
1181 b &= ~value;
1182 break;
1183 case EXT_CSD_ACCESS_MODE_WRITE_BYTE:
1184 b = value;
1185 break;
1186 }
1187
1188 trace_sdcard_ext_csd_update(index, sd->ext_csd[index], b);
1189 sd->ext_csd[index] = b;
1190 }
1191
sd_function_switch(SDState * sd,uint32_t arg)1192 static void sd_function_switch(SDState *sd, uint32_t arg)
1193 {
1194 int i, mode, new_func;
1195 mode = !!(arg & 0x80000000);
1196
1197 sd->data[0] = 0x00; /* Maximum current consumption */
1198 sd->data[1] = 0x01;
1199 sd->data[2] = 0x80; /* Supported group 6 functions */
1200 sd->data[3] = 0x01;
1201 sd->data[4] = 0x80; /* Supported group 5 functions */
1202 sd->data[5] = 0x01;
1203 sd->data[6] = 0x80; /* Supported group 4 functions */
1204 sd->data[7] = 0x01;
1205 sd->data[8] = 0x80; /* Supported group 3 functions */
1206 sd->data[9] = 0x01;
1207 sd->data[10] = 0x80; /* Supported group 2 functions */
1208 sd->data[11] = 0x43;
1209 sd->data[12] = 0x80; /* Supported group 1 functions */
1210 sd->data[13] = 0x03;
1211
1212 memset(&sd->data[14], 0, 3);
1213 for (i = 0; i < 6; i ++) {
1214 new_func = (arg >> (i * 4)) & 0x0f;
1215 if (mode && new_func != 0x0f)
1216 sd->function_group[i] = new_func;
1217 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
1218 }
1219 memset(&sd->data[17], 0, 47);
1220 }
1221
sd_wp_addr(SDState * sd,uint64_t addr)1222 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
1223 {
1224 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1225 }
1226
sd_lock_command(SDState * sd)1227 static void sd_lock_command(SDState *sd)
1228 {
1229 int erase, lock, clr_pwd, set_pwd, pwd_len;
1230 erase = !!(sd->data[0] & 0x08);
1231 lock = sd->data[0] & 0x04;
1232 clr_pwd = sd->data[0] & 0x02;
1233 set_pwd = sd->data[0] & 0x01;
1234
1235 if (sd->blk_len > 1)
1236 pwd_len = sd->data[1];
1237 else
1238 pwd_len = 0;
1239
1240 if (lock) {
1241 trace_sdcard_lock();
1242 } else {
1243 trace_sdcard_unlock();
1244 }
1245 if (erase) {
1246 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
1247 set_pwd || clr_pwd || lock || sd->wp_switch ||
1248 (sd->csd[14] & 0x20)) {
1249 sd->card_status |= LOCK_UNLOCK_FAILED;
1250 return;
1251 }
1252 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
1253 sd->csd[14] &= ~0x10;
1254 sd->card_status &= ~CARD_IS_LOCKED;
1255 sd->pwd_len = 0;
1256 /* Erasing the entire card here! */
1257 fprintf(stderr, "SD: Card force-erased by CMD42\n");
1258 return;
1259 }
1260
1261 if (sd->blk_len < 2 + pwd_len ||
1262 pwd_len <= sd->pwd_len ||
1263 pwd_len > sd->pwd_len + 16) {
1264 sd->card_status |= LOCK_UNLOCK_FAILED;
1265 return;
1266 }
1267
1268 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
1269 sd->card_status |= LOCK_UNLOCK_FAILED;
1270 return;
1271 }
1272
1273 pwd_len -= sd->pwd_len;
1274 if ((pwd_len && !set_pwd) ||
1275 (clr_pwd && (set_pwd || lock)) ||
1276 (lock && !sd->pwd_len && !set_pwd) ||
1277 (!set_pwd && !clr_pwd &&
1278 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1279 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1280 sd->card_status |= LOCK_UNLOCK_FAILED;
1281 return;
1282 }
1283
1284 if (set_pwd) {
1285 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1286 sd->pwd_len = pwd_len;
1287 }
1288
1289 if (clr_pwd) {
1290 sd->pwd_len = 0;
1291 }
1292
1293 if (lock)
1294 sd->card_status |= CARD_IS_LOCKED;
1295 else
1296 sd->card_status &= ~CARD_IS_LOCKED;
1297 }
1298
address_in_range(SDState * sd,const char * desc,uint64_t addr,uint32_t length)1299 static bool address_in_range(SDState *sd, const char *desc,
1300 uint64_t addr, uint32_t length)
1301 {
1302 if (addr + length > sd->size) {
1303 qemu_log_mask(LOG_GUEST_ERROR,
1304 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1305 desc, addr, sd->size, length);
1306 sd->card_status |= ADDRESS_ERROR;
1307 return false;
1308 }
1309 return true;
1310 }
1311
sd_invalid_state_for_cmd(SDState * sd,SDRequest req)1312 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1313 {
1314 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1315 sd->proto->name, req.cmd, sd_state_name(sd->state),
1316 sd_version_str(sd->spec_version));
1317
1318 return sd_illegal;
1319 }
1320
sd_invalid_mode_for_cmd(SDState * sd,SDRequest req)1321 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
1322 {
1323 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
1324 sd->proto->name, req.cmd, sd_mode_name(sd_mode(sd)),
1325 sd_version_str(sd->spec_version));
1326
1327 return sd_illegal;
1328 }
1329
sd_cmd_illegal(SDState * sd,SDRequest req)1330 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1331 {
1332 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1333 sd->proto->name, req.cmd,
1334 sd_version_str(sd->spec_version));
1335
1336 return sd_illegal;
1337 }
1338
1339 /* Commands that are recognised but not yet implemented. */
sd_cmd_unimplemented(SDState * sd,SDRequest req)1340 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1341 {
1342 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1343 sd->proto->name, req.cmd);
1344
1345 return sd_illegal;
1346 }
1347
sd_cmd_optional(SDState * sd,SDRequest req)1348 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req)
1349 {
1350 qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n",
1351 sd->proto->name, req.cmd);
1352
1353 return sd_illegal;
1354 }
1355
1356 /* Configure fields for following sd_generic_write_byte() calls */
sd_cmd_to_receivingdata(SDState * sd,SDRequest req,uint64_t start,size_t size)1357 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req,
1358 uint64_t start, size_t size)
1359 {
1360 if (sd->state != sd_transfer_state) {
1361 return sd_invalid_state_for_cmd(sd, req);
1362 }
1363 sd->state = sd_receivingdata_state;
1364 sd->data_start = start;
1365 sd->data_offset = 0;
1366 /* sd->data[] used as receive buffer */
1367 sd->data_size = size ?: sizeof(sd->data);
1368 return sd_r1;
1369 }
1370
1371 /* Configure fields for following sd_generic_read_byte() calls */
sd_cmd_to_sendingdata(SDState * sd,SDRequest req,uint64_t start,const void * data,size_t size)1372 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req,
1373 uint64_t start,
1374 const void *data, size_t size)
1375 {
1376 if (sd->state != sd_transfer_state) {
1377 return sd_invalid_state_for_cmd(sd, req);
1378 }
1379
1380 sd->state = sd_sendingdata_state;
1381 sd->data_start = start;
1382 sd->data_offset = 0;
1383 if (data) {
1384 assert(size > 0 && size <= sizeof(sd->data));
1385 memcpy(sd->data, data, size);
1386 }
1387 if (size) {
1388 sd->data_size = size;
1389 }
1390 return sd_r1;
1391 }
1392
1393 /* CMD0 */
sd_cmd_GO_IDLE_STATE(SDState * sd,SDRequest req)1394 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1395 {
1396 if (sd->state == sd_sleep_state) {
1397 switch (req.arg) {
1398 case 0x00000000:
1399 case 0xf0f0f0f0:
1400 break;
1401 default:
1402 return sd_r0;
1403 }
1404 }
1405 if (sd->state != sd_inactive_state) {
1406 sd->state = sd_idle_state;
1407 sd_reset(DEVICE(sd));
1408 }
1409
1410 return sd_is_spi(sd) ? sd_r1 : sd_r0;
1411 }
1412
1413 /* CMD2 */
sd_cmd_ALL_SEND_CID(SDState * sd,SDRequest req)1414 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1415 {
1416 switch (sd->state) {
1417 case sd_ready_state:
1418 sd->state = sd_identification_state;
1419 return sd_r2_i;
1420 default:
1421 return sd_invalid_state_for_cmd(sd, req);
1422 }
1423 }
1424
1425 /* CMD3 */
sd_cmd_SEND_RELATIVE_ADDR(SDState * sd,SDRequest req)1426 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1427 {
1428 uint16_t random_rca;
1429
1430 switch (sd->state) {
1431 case sd_identification_state:
1432 case sd_standby_state:
1433 sd->state = sd_standby_state;
1434 qemu_guest_getrandom_nofail(&random_rca, sizeof(random_rca));
1435 sd_set_rca(sd, random_rca);
1436 return sd_r6;
1437
1438 default:
1439 return sd_invalid_state_for_cmd(sd, req);
1440 }
1441 }
1442
emmc_cmd_SET_RELATIVE_ADDR(SDState * sd,SDRequest req)1443 static sd_rsp_type_t emmc_cmd_SET_RELATIVE_ADDR(SDState *sd, SDRequest req)
1444 {
1445 switch (sd->state) {
1446 case sd_identification_state:
1447 case sd_standby_state:
1448 sd->state = sd_standby_state;
1449 sd_set_rca(sd, req.arg >> 16);
1450 return sd_r1;
1451
1452 default:
1453 return sd_invalid_state_for_cmd(sd, req);
1454 }
1455 }
1456
1457 /* CMD5 */
emmc_cmd_sleep_awake(SDState * sd,SDRequest req)1458 static sd_rsp_type_t emmc_cmd_sleep_awake(SDState *sd, SDRequest req)
1459 {
1460 bool do_sleep = extract32(req.arg, 15, 1);
1461
1462 switch (sd->state) {
1463 case sd_sleep_state:
1464 if (!do_sleep) {
1465 /* Awake */
1466 sd->state = sd_standby_state;
1467 }
1468 return sd_r1b;
1469
1470 case sd_standby_state:
1471 if (do_sleep) {
1472 sd->state = sd_sleep_state;
1473 }
1474 return sd_r1b;
1475
1476 default:
1477 return sd_invalid_state_for_cmd(sd, req);
1478 }
1479 }
1480
1481 /* CMD6 */
sd_cmd_SWITCH_FUNCTION(SDState * sd,SDRequest req)1482 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req)
1483 {
1484 if (sd_mode(sd) != sd_data_transfer_mode) {
1485 return sd_invalid_mode_for_cmd(sd, req);
1486 }
1487 if (sd_is_spi(sd)) {
1488 if (sd->state == sd_idle_state) {
1489 return sd_invalid_state_for_cmd(sd, req);
1490 }
1491 } else {
1492 if (sd->state != sd_transfer_state) {
1493 return sd_invalid_state_for_cmd(sd, req);
1494 }
1495 }
1496
1497 sd_function_switch(sd, req.arg);
1498 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64);
1499 }
1500
emmc_cmd_SWITCH(SDState * sd,SDRequest req)1501 static sd_rsp_type_t emmc_cmd_SWITCH(SDState *sd, SDRequest req)
1502 {
1503 switch (sd->state) {
1504 case sd_transfer_state:
1505 sd->state = sd_programming_state;
1506 emmc_function_switch(sd, req.arg);
1507 sd->state = sd_transfer_state;
1508 return sd_r1b;
1509 default:
1510 return sd_invalid_state_for_cmd(sd, req);
1511 }
1512 }
1513
1514 /* CMD7 */
sd_cmd_DE_SELECT_CARD(SDState * sd,SDRequest req)1515 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req)
1516 {
1517 bool same_rca = sd_req_rca_same(sd, req);
1518
1519 switch (sd->state) {
1520 case sd_standby_state:
1521 if (!same_rca) {
1522 return sd_r0;
1523 }
1524 sd->state = sd_transfer_state;
1525 return sd_r1b;
1526
1527 case sd_transfer_state:
1528 case sd_sendingdata_state:
1529 if (same_rca) {
1530 break;
1531 }
1532 sd->state = sd_standby_state;
1533 return sd_r1b;
1534
1535 case sd_disconnect_state:
1536 if (!same_rca) {
1537 return sd_r0;
1538 }
1539 sd->state = sd_programming_state;
1540 return sd_r1b;
1541
1542 case sd_programming_state:
1543 if (same_rca) {
1544 break;
1545 }
1546 sd->state = sd_disconnect_state;
1547 return sd_r1b;
1548
1549 default:
1550 break;
1551 }
1552 return sd_invalid_state_for_cmd(sd, req);
1553 }
1554
1555 /* CMD8 */
sd_cmd_SEND_IF_COND(SDState * sd,SDRequest req)1556 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req)
1557 {
1558 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1559 return sd_cmd_illegal(sd, req);
1560 }
1561 if (sd->state != sd_idle_state) {
1562 return sd_invalid_state_for_cmd(sd, req);
1563 }
1564 sd->vhs = 0;
1565
1566 /* No response if not exactly one VHS bit is set. */
1567 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1568 return sd_is_spi(sd) ? sd_r7 : sd_r0;
1569 }
1570
1571 /* Accept. */
1572 sd->vhs = req.arg;
1573 return sd_r7;
1574 }
1575
1576 /* CMD8 */
emmc_cmd_SEND_EXT_CSD(SDState * sd,SDRequest req)1577 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req)
1578 {
1579 if (sd->state != sd_transfer_state) {
1580 return sd_invalid_state_for_cmd(sd, req);
1581 }
1582
1583 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1584 sd->ext_csd, sizeof(sd->ext_csd));
1585 }
1586
spi_cmd_SEND_CxD(SDState * sd,SDRequest req,const void * data,size_t size)1587 static sd_rsp_type_t spi_cmd_SEND_CxD(SDState *sd, SDRequest req,
1588 const void *data, size_t size)
1589 {
1590 /*
1591 * XXX as of v10.1.0-rc1 command is reached in sd_idle_state,
1592 * so disable this check.
1593 if (sd->state != sd_standby_state) {
1594 return sd_invalid_state_for_cmd(sd, req);
1595 }
1596 */
1597
1598 /*
1599 * Since SPI returns CSD and CID on the DAT lines,
1600 * switch to sd_transfer_state.
1601 */
1602 sd->state = sd_transfer_state;
1603
1604 return sd_cmd_to_sendingdata(sd, req, 0, data, size);
1605 }
1606
1607 /* CMD9 */
spi_cmd_SEND_CSD(SDState * sd,SDRequest req)1608 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req)
1609 {
1610 return spi_cmd_SEND_CxD(sd, req, sd->csd, sizeof(sd->csd));
1611 }
1612
sd_cmd_SEND_CSD(SDState * sd,SDRequest req)1613 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req)
1614 {
1615 if (sd->state != sd_standby_state) {
1616 return sd_invalid_state_for_cmd(sd, req);
1617 }
1618
1619 return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0;
1620 }
1621
1622 /* CMD10 */
spi_cmd_SEND_CID(SDState * sd,SDRequest req)1623 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req)
1624 {
1625 return spi_cmd_SEND_CxD(sd, req, sd->cid, sizeof(sd->cid));
1626 }
1627
sd_cmd_SEND_CID(SDState * sd,SDRequest req)1628 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req)
1629 {
1630 if (sd->state != sd_standby_state) {
1631 return sd_invalid_state_for_cmd(sd, req);
1632 }
1633
1634 return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0;
1635 }
1636
1637 /* CMD12 */
sd_cmd_STOP_TRANSMISSION(SDState * sd,SDRequest req)1638 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req)
1639 {
1640 switch (sd->state) {
1641 case sd_sendingdata_state:
1642 sd->state = sd_transfer_state;
1643 return sd_r1b;
1644 case sd_receivingdata_state:
1645 sd->state = sd_programming_state;
1646 /* Bzzzzzzztt .... Operation complete. */
1647 sd->state = sd_transfer_state;
1648 return sd_r1;
1649 default:
1650 return sd_invalid_state_for_cmd(sd, req);
1651 }
1652 }
1653
1654 /* CMD13 */
sd_cmd_SEND_STATUS(SDState * sd,SDRequest req)1655 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req)
1656 {
1657 if (sd_mode(sd) != sd_data_transfer_mode) {
1658 return sd_invalid_mode_for_cmd(sd, req);
1659 }
1660
1661 switch (sd->state) {
1662 case sd_standby_state:
1663 case sd_transfer_state:
1664 case sd_sendingdata_state:
1665 case sd_receivingdata_state:
1666 case sd_programming_state:
1667 case sd_disconnect_state:
1668 break;
1669 default:
1670 return sd_invalid_state_for_cmd(sd, req);
1671 }
1672
1673 if (sd_is_spi(sd)) {
1674 return spi_r2;
1675 }
1676
1677 return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0;
1678 }
1679
1680 /* CMD15 */
sd_cmd_GO_INACTIVE_STATE(SDState * sd,SDRequest req)1681 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req)
1682 {
1683 if (sd_mode(sd) != sd_data_transfer_mode) {
1684 return sd_invalid_mode_for_cmd(sd, req);
1685 }
1686 switch (sd->state) {
1687 case sd_standby_state:
1688 case sd_transfer_state:
1689 case sd_sendingdata_state:
1690 case sd_receivingdata_state:
1691 case sd_programming_state:
1692 case sd_disconnect_state:
1693 break;
1694 default:
1695 return sd_invalid_state_for_cmd(sd, req);
1696 }
1697 if (sd_req_rca_same(sd, req)) {
1698 sd->state = sd_inactive_state;
1699 }
1700
1701 return sd_r0;
1702 }
1703
1704 /* CMD16 */
sd_cmd_SET_BLOCKLEN(SDState * sd,SDRequest req)1705 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req)
1706 {
1707 if (sd->state != sd_transfer_state) {
1708 return sd_invalid_state_for_cmd(sd, req);
1709 }
1710 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1711 sd->card_status |= BLOCK_LEN_ERROR;
1712 } else {
1713 trace_sdcard_set_blocklen(req.arg);
1714 sd->blk_len = req.arg;
1715 }
1716
1717 return sd_r1;
1718 }
1719
1720 /* CMD17 */
sd_cmd_READ_SINGLE_BLOCK(SDState * sd,SDRequest req)1721 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req)
1722 {
1723 uint64_t addr;
1724
1725 if (sd->state != sd_transfer_state) {
1726 return sd_invalid_state_for_cmd(sd, req);
1727 }
1728
1729 addr = sd_req_get_address(sd, req);
1730 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) {
1731 return sd_r1;
1732 }
1733
1734 sd_blk_read(sd, addr, sd->blk_len);
1735 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len);
1736 }
1737
1738 /* CMD19 */
sd_cmd_SEND_TUNING_BLOCK(SDState * sd,SDRequest req)1739 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1740 {
1741 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1742 return sd_cmd_illegal(sd, req);
1743 }
1744
1745 return sd_cmd_to_sendingdata(sd, req, 0,
1746 sd_tuning_block_pattern4,
1747 sizeof(sd_tuning_block_pattern4));
1748 }
1749
1750 /* CMD23 */
sd_cmd_SET_BLOCK_COUNT(SDState * sd,SDRequest req)1751 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1752 {
1753 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1754 return sd_cmd_illegal(sd, req);
1755 }
1756
1757 if (sd->state != sd_transfer_state) {
1758 return sd_invalid_state_for_cmd(sd, req);
1759 }
1760
1761 sd->multi_blk_cnt = req.arg;
1762 if (sd_is_emmc(sd)) {
1763 sd->multi_blk_cnt &= 0xffff;
1764 }
1765 trace_sdcard_set_block_count(sd->multi_blk_cnt);
1766
1767 return sd_r1;
1768 }
1769
1770 /* CMD24 */
sd_cmd_WRITE_SINGLE_BLOCK(SDState * sd,SDRequest req)1771 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req)
1772 {
1773 uint64_t addr;
1774
1775 if (sd->state != sd_transfer_state) {
1776 return sd_invalid_state_for_cmd(sd, req);
1777 }
1778
1779 addr = sd_req_get_address(sd, req);
1780 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) {
1781 return sd_r1;
1782 }
1783
1784 if (sd->size <= SDSC_MAX_CAPACITY) {
1785 if (sd_wp_addr(sd, addr)) {
1786 sd->card_status |= WP_VIOLATION;
1787 }
1788 }
1789 if (sd->csd[14] & 0x30) {
1790 sd->card_status |= WP_VIOLATION;
1791 }
1792
1793 sd->blk_written = 0;
1794 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len);
1795 }
1796
1797 /* CMD26 */
emmc_cmd_PROGRAM_CID(SDState * sd,SDRequest req)1798 static sd_rsp_type_t emmc_cmd_PROGRAM_CID(SDState *sd, SDRequest req)
1799 {
1800 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid));
1801 }
1802
1803 /* CMD27 */
sd_cmd_PROGRAM_CSD(SDState * sd,SDRequest req)1804 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req)
1805 {
1806 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd));
1807 }
1808
sd_cmd_SET_CLR_WRITE_PROT(SDState * sd,SDRequest req,bool is_write)1809 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req,
1810 bool is_write)
1811 {
1812 uint64_t addr;
1813
1814 if (sd->size > SDSC_MAX_CAPACITY) {
1815 return sd_illegal;
1816 }
1817
1818 if (sd->state != sd_transfer_state) {
1819 return sd_invalid_state_for_cmd(sd, req);
1820 }
1821
1822 addr = sd_req_get_address(sd, req);
1823 if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT",
1824 addr, 1)) {
1825 return sd_r1b;
1826 }
1827
1828 sd->state = sd_programming_state;
1829 if (is_write) {
1830 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1831 } else {
1832 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1833 }
1834 /* Bzzzzzzztt .... Operation complete. */
1835 sd->state = sd_transfer_state;
1836 return sd_r1;
1837 }
1838
1839 /* CMD28 */
sd_cmd_SET_WRITE_PROT(SDState * sd,SDRequest req)1840 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req)
1841 {
1842 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true);
1843 }
1844
1845 /* CMD29 */
sd_cmd_CLR_WRITE_PROT(SDState * sd,SDRequest req)1846 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req)
1847 {
1848 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false);
1849 }
1850
1851 /* CMD30 */
sd_cmd_SEND_WRITE_PROT(SDState * sd,SDRequest req)1852 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req)
1853 {
1854 uint64_t addr;
1855 uint32_t data;
1856
1857 if (sd->size > SDSC_MAX_CAPACITY) {
1858 return sd_illegal;
1859 }
1860
1861 if (sd->state != sd_transfer_state) {
1862 return sd_invalid_state_for_cmd(sd, req);
1863 }
1864
1865 addr = sd_req_get_address(sd, req);
1866 if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) {
1867 return sd_r1;
1868 }
1869
1870 data = sd_wpbits(sd, req.arg);
1871 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data));
1872 }
1873
1874 /* CMD32 */
sd_cmd_ERASE_WR_BLK_START(SDState * sd,SDRequest req)1875 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req)
1876 {
1877 if (sd->state != sd_transfer_state) {
1878 return sd_invalid_state_for_cmd(sd, req);
1879 }
1880 sd->erase_start = req.arg;
1881 return sd_r1;
1882 }
1883
1884 /* CMD33 */
sd_cmd_ERASE_WR_BLK_END(SDState * sd,SDRequest req)1885 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req)
1886 {
1887 if (sd->state != sd_transfer_state) {
1888 return sd_invalid_state_for_cmd(sd, req);
1889 }
1890 sd->erase_end = req.arg;
1891 return sd_r1;
1892 }
1893
1894 /* CMD38 */
sd_cmd_ERASE(SDState * sd,SDRequest req)1895 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req)
1896 {
1897 if (sd->state != sd_transfer_state) {
1898 return sd_invalid_state_for_cmd(sd, req);
1899 }
1900 if (sd->csd[14] & 0x30) {
1901 sd->card_status |= WP_VIOLATION;
1902 return sd_r1b;
1903 }
1904
1905 sd->state = sd_programming_state;
1906 sd_erase(sd);
1907 /* Bzzzzzzztt .... Operation complete. */
1908 sd->state = sd_transfer_state;
1909 return sd_r1b;
1910 }
1911
1912 /* CMD42 */
sd_cmd_LOCK_UNLOCK(SDState * sd,SDRequest req)1913 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req)
1914 {
1915 return sd_cmd_to_receivingdata(sd, req, 0, 0);
1916 }
1917
1918 /* CMD55 */
sd_cmd_APP_CMD(SDState * sd,SDRequest req)1919 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req)
1920 {
1921 switch (sd->state) {
1922 case sd_ready_state:
1923 case sd_identification_state:
1924 case sd_inactive_state:
1925 case sd_sleep_state:
1926 return sd_invalid_state_for_cmd(sd, req);
1927 case sd_idle_state:
1928 if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) {
1929 qemu_log_mask(LOG_GUEST_ERROR,
1930 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1931 }
1932 /* fall-through */
1933 default:
1934 break;
1935 }
1936 if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) {
1937 return sd_r0;
1938 }
1939 sd->expecting_acmd = true;
1940 sd->card_status |= APP_CMD;
1941
1942 return sd_r1;
1943 }
1944
1945 /* CMD56 */
sd_cmd_GEN_CMD(SDState * sd,SDRequest req)1946 static sd_rsp_type_t sd_cmd_GEN_CMD(SDState *sd, SDRequest req)
1947 {
1948 if (sd->state != sd_transfer_state) {
1949 return sd_invalid_state_for_cmd(sd, req);
1950 }
1951
1952 /* Vendor specific command: our model is RAZ/WI */
1953 if (req.arg & 1) {
1954 memset(sd->data, 0, sizeof(sd->data));
1955 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 0);
1956 } else {
1957 return sd_cmd_to_receivingdata(sd, req, 0, 0);
1958 }
1959 }
1960
1961 /* CMD58 */
spi_cmd_READ_OCR(SDState * sd,SDRequest req)1962 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req)
1963 {
1964 return sd_r3;
1965 }
1966
1967 /* CMD59 */
spi_cmd_CRC_ON_OFF(SDState * sd,SDRequest req)1968 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req)
1969 {
1970 return sd_r1;
1971 }
1972
1973 /* ACMD6 */
sd_acmd_SET_BUS_WIDTH(SDState * sd,SDRequest req)1974 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req)
1975 {
1976 if (sd->state != sd_transfer_state) {
1977 return sd_invalid_state_for_cmd(sd, req);
1978 }
1979
1980 sd->sd_status[0] &= 0x3f;
1981 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1982 return sd_r1;
1983 }
1984
1985 /* ACMD13 */
sd_acmd_SD_STATUS(SDState * sd,SDRequest req)1986 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req)
1987 {
1988 sd_rsp_type_t rsp;
1989
1990 rsp = sd_cmd_to_sendingdata(sd, req, 0,
1991 sd->sd_status, sizeof(sd->sd_status));
1992 if (sd_is_spi(sd) && rsp != sd_illegal) {
1993 return spi_r2;
1994 }
1995 return rsp;
1996 }
1997
1998 /* ACMD22 */
sd_acmd_SEND_NUM_WR_BLOCKS(SDState * sd,SDRequest req)1999 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req)
2000 {
2001 return sd_cmd_to_sendingdata(sd, req, 0,
2002 &sd->blk_written, sizeof(sd->blk_written));
2003 }
2004
2005 /* ACMD23 */
sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState * sd,SDRequest req)2006 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req)
2007 {
2008 if (sd->state != sd_transfer_state) {
2009 return sd_invalid_state_for_cmd(sd, req);
2010 }
2011 return sd_r1;
2012 }
2013
2014 /* ACMD41 */
sd_cmd_SEND_OP_COND(SDState * sd,SDRequest req)2015 static sd_rsp_type_t sd_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
2016 {
2017 if (sd->state != sd_idle_state) {
2018 return sd_invalid_state_for_cmd(sd, req);
2019 }
2020
2021 /*
2022 * If it's the first ACMD41 since reset, we need to decide
2023 * whether to power up. If this is not an enquiry ACMD41,
2024 * we immediately report power on and proceed below to the
2025 * ready state, but if it is, we set a timer to model a
2026 * delay for power up. This works around a bug in EDK2
2027 * UEFI, which sends an initial enquiry ACMD41, but
2028 * assumes that the card is in ready state as soon as it
2029 * sees the power up bit set.
2030 */
2031 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
2032 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
2033 timer_del(sd->ocr_power_timer);
2034 sd_ocr_powerup(sd);
2035 } else {
2036 trace_sdcard_inquiry_cmd41();
2037 if (!timer_pending(sd->ocr_power_timer)) {
2038 timer_mod_ns(sd->ocr_power_timer,
2039 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
2040 + OCR_POWER_DELAY_NS));
2041 }
2042 }
2043 }
2044
2045 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
2046 /*
2047 * We accept any voltage. 10000 V is nothing.
2048 *
2049 * Once we're powered up, we advance straight to ready state
2050 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
2051 */
2052 sd->state = sd_ready_state;
2053 }
2054
2055 if (sd_is_spi(sd)) {
2056 return sd_r1;
2057 }
2058 return sd_r3;
2059 }
2060
2061 /* ACMD42 */
sd_acmd_SET_CLR_CARD_DETECT(SDState * sd,SDRequest req)2062 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req)
2063 {
2064 if (sd->state != sd_transfer_state) {
2065 return sd_invalid_state_for_cmd(sd, req);
2066 }
2067
2068 /* Bringing in the 50KOhm pull-up resistor... Done. */
2069 return sd_r1;
2070 }
2071
2072 /* ACMD51 */
sd_acmd_SEND_SCR(SDState * sd,SDRequest req)2073 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req)
2074 {
2075 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr));
2076 }
2077
sd_normal_command(SDState * sd,SDRequest req)2078 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
2079 {
2080 uint64_t addr;
2081
2082 sd->last_cmd_name = sd_cmd_name(sd, req.cmd);
2083 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
2084 * However there is no ACMD55, so we want to trace this particular case.
2085 */
2086 if (req.cmd != 55 || sd->expecting_acmd) {
2087 trace_sdcard_normal_command(sd->proto->name,
2088 sd->last_cmd_name, req.cmd,
2089 req.arg,
2090 sd_mode_name(sd_mode(sd)),
2091 sd_state_name(sd->state));
2092 }
2093
2094 /* Not interpreting this as an app command */
2095 sd->card_status &= ~APP_CMD;
2096
2097 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
2098 * if not, its effects are cancelled */
2099 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
2100 sd->multi_blk_cnt = 0;
2101 }
2102
2103 if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR,
2104 CARD_CAPACITY)) {
2105 /* Only Standard Capacity cards support class 6 commands */
2106 return sd_illegal;
2107 }
2108
2109 if (sd->proto->cmd[req.cmd].handler) {
2110 return sd->proto->cmd[req.cmd].handler(sd, req);
2111 }
2112
2113 switch (req.cmd) {
2114 /* Block read commands (Class 2) */
2115 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2116 addr = sd_req_get_address(sd, req);
2117 switch (sd->state) {
2118 case sd_transfer_state:
2119
2120 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
2121 return sd_r1;
2122 }
2123
2124 sd->state = sd_sendingdata_state;
2125 sd->data_start = addr;
2126 sd->data_offset = 0;
2127 return sd_r1;
2128
2129 default:
2130 break;
2131 }
2132 break;
2133
2134 /* Block write commands (Class 4) */
2135 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
2136 addr = sd_req_get_address(sd, req);
2137 switch (sd->state) {
2138 case sd_transfer_state:
2139
2140 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
2141 return sd_r1;
2142 }
2143
2144 sd->state = sd_receivingdata_state;
2145 sd->data_start = addr;
2146 sd->data_offset = 0;
2147 sd->blk_written = 0;
2148
2149 if (sd->size <= SDSC_MAX_CAPACITY) {
2150 if (sd_wp_addr(sd, sd->data_start)) {
2151 sd->card_status |= WP_VIOLATION;
2152 }
2153 }
2154 if (sd->csd[14] & 0x30) {
2155 sd->card_status |= WP_VIOLATION;
2156 }
2157 return sd_r1;
2158
2159 default:
2160 break;
2161 }
2162 break;
2163
2164 default:
2165 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
2166 return sd_illegal;
2167 }
2168
2169 return sd_invalid_state_for_cmd(sd, req);
2170 }
2171
sd_app_command(SDState * sd,SDRequest req)2172 static sd_rsp_type_t sd_app_command(SDState *sd,
2173 SDRequest req)
2174 {
2175 sd->last_cmd_name = sd_acmd_name(sd, req.cmd);
2176 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name,
2177 req.cmd, req.arg,
2178 sd_mode_name(sd_mode(sd)),
2179 sd_state_name(sd->state));
2180 sd->card_status |= APP_CMD;
2181
2182 if (sd->proto->acmd[req.cmd].handler) {
2183 return sd->proto->acmd[req.cmd].handler(sd, req);
2184 }
2185
2186 switch (req.cmd) {
2187 case 18: /* Reserved for SD security applications */
2188 case 25:
2189 case 26:
2190 case 38:
2191 case 43 ... 49:
2192 /* Refer to the "SD Specifications Part3 Security Specification" for
2193 * information about the SD Security Features.
2194 */
2195 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
2196 req.cmd);
2197 return sd_illegal;
2198
2199 default:
2200 /* Fall back to standard commands. */
2201 return sd_normal_command(sd, req);
2202 }
2203
2204 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
2205 return sd_illegal;
2206 }
2207
cmd_valid_while_locked(SDState * sd,unsigned cmd)2208 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
2209 {
2210 unsigned cmd_class;
2211
2212 /* Valid commands in locked state:
2213 * basic class (0)
2214 * lock card class (7)
2215 * CMD16
2216 * implicitly, the ACMD prefix CMD55
2217 * ACMD41 and ACMD42
2218 * Anything else provokes an "illegal command" response.
2219 */
2220 if (sd->expecting_acmd) {
2221 return cmd == 41 || cmd == 42;
2222 }
2223 if (cmd == 16 || cmd == 55) {
2224 return true;
2225 }
2226 if (!sd->proto->cmd[cmd].handler) {
2227 return false;
2228 }
2229 cmd_class = sd->proto->cmd[cmd].class;
2230
2231 return cmd_class == 0 || cmd_class == 7;
2232 }
2233
sd_do_command(SDState * sd,SDRequest * req,uint8_t * response,size_t respsz)2234 static size_t sd_do_command(SDState *sd, SDRequest *req,
2235 uint8_t *response, size_t respsz)
2236 {
2237 int last_state;
2238 sd_rsp_type_t rtype;
2239 int rsplen;
2240
2241 if (!sd->blk || !blk_is_inserted(sd->blk)) {
2242 return 0;
2243 }
2244
2245 if (sd->state == sd_inactive_state) {
2246 rtype = sd_illegal;
2247 goto send_response;
2248 }
2249
2250 if (sd_req_crc_validate(req)) {
2251 sd->card_status |= COM_CRC_ERROR;
2252 rtype = sd_illegal;
2253 goto send_response;
2254 }
2255
2256 if (req->cmd >= SDMMC_CMD_MAX) {
2257 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
2258 req->cmd);
2259 req->cmd &= 0x3f;
2260 }
2261
2262 if (sd->state == sd_sleep_state && req->cmd) {
2263 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is sleeping\n");
2264 rtype = sd_r0;
2265 goto send_response;
2266 }
2267
2268 if (sd->card_status & CARD_IS_LOCKED) {
2269 if (!cmd_valid_while_locked(sd, req->cmd)) {
2270 sd->card_status |= ILLEGAL_COMMAND;
2271 sd->expecting_acmd = false;
2272 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
2273 rtype = sd_illegal;
2274 goto send_response;
2275 }
2276 }
2277
2278 last_state = sd->state;
2279
2280 if (sd->expecting_acmd) {
2281 sd->expecting_acmd = false;
2282 rtype = sd_app_command(sd, *req);
2283 } else {
2284 rtype = sd_normal_command(sd, *req);
2285 }
2286
2287 if (rtype == sd_illegal) {
2288 sd->card_status |= ILLEGAL_COMMAND;
2289 } else {
2290 /* Valid command, we can update the 'state before command' bits.
2291 * (Do this now so they appear in r1 responses.)
2292 */
2293 sd->card_status = FIELD_DP32(sd->card_status, CSR,
2294 CURRENT_STATE, last_state);
2295 }
2296
2297 send_response:
2298 rsplen = sd_response_size(sd, rtype);
2299 assert(rsplen <= respsz);
2300
2301 switch (rtype) {
2302 case sd_r1:
2303 case sd_r1b:
2304 sd_response_r1_make(sd, response);
2305 break;
2306
2307 case spi_r2:
2308 spi_response_r2_make(sd, response);
2309 break;
2310
2311 case sd_r2_i:
2312 memcpy(response, sd->cid, sizeof(sd->cid));
2313 break;
2314
2315 case sd_r2_s:
2316 memcpy(response, sd->csd, sizeof(sd->csd));
2317 break;
2318
2319 case sd_r3:
2320 sd_response_r3_make(sd, response);
2321 break;
2322
2323 case sd_r6:
2324 sd_response_r6_make(sd, response);
2325 break;
2326
2327 case sd_r7:
2328 sd_response_r7_make(sd, response);
2329 break;
2330
2331 case sd_r0:
2332 /*
2333 * Invalid state transition, reset implementation
2334 * fields to avoid OOB abuse.
2335 */
2336 sd->data_start = 0;
2337 sd->data_offset = 0;
2338 /* fall-through */
2339 case sd_illegal:
2340 break;
2341 default:
2342 g_assert_not_reached();
2343 }
2344 trace_sdcard_response(sd_response_name(rtype), rsplen);
2345
2346 if (rtype != sd_illegal) {
2347 /* Clear the "clear on valid command" status bits now we've
2348 * sent any response
2349 */
2350 sd->card_status &= ~CARD_STATUS_B;
2351 }
2352
2353 #ifdef DEBUG_SD
2354 qemu_hexdump(stderr, "Response", response, rsplen);
2355 #endif
2356
2357 sd->current_cmd = rtype == sd_illegal ? 0 : req->cmd;
2358
2359 return rsplen;
2360 }
2361
2362 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */
sd_generic_write_byte(SDState * sd,uint8_t value)2363 static bool sd_generic_write_byte(SDState *sd, uint8_t value)
2364 {
2365 sd->data[sd->data_offset] = value;
2366
2367 if (++sd->data_offset >= sd->data_size) {
2368 sd->state = sd_transfer_state;
2369 return true;
2370 }
2371 return false;
2372 }
2373
2374 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */
sd_generic_read_byte(SDState * sd,uint8_t * value)2375 static bool sd_generic_read_byte(SDState *sd, uint8_t *value)
2376 {
2377 *value = sd->data[sd->data_offset];
2378
2379 if (++sd->data_offset >= sd->data_size) {
2380 sd->state = sd_transfer_state;
2381 return true;
2382 }
2383
2384 return false;
2385 }
2386
sd_write_byte(SDState * sd,uint8_t value)2387 static void sd_write_byte(SDState *sd, uint8_t value)
2388 {
2389 int i;
2390
2391 if (!sd->blk || !blk_is_inserted(sd->blk)) {
2392 return;
2393 }
2394
2395 if (sd->state != sd_receivingdata_state) {
2396 qemu_log_mask(LOG_GUEST_ERROR,
2397 "%s: not in Receiving-Data state\n", __func__);
2398 return;
2399 }
2400
2401 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2402 return;
2403
2404 trace_sdcard_write_data(sd->proto->name,
2405 sd->last_cmd_name,
2406 sd->current_cmd, sd->data_offset, value);
2407 switch (sd->current_cmd) {
2408 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
2409 if (sd_generic_write_byte(sd, value)) {
2410 /* TODO: Check CRC before committing */
2411 sd->state = sd_programming_state;
2412 sd_blk_write(sd, sd->data_start, sd->data_offset);
2413 sd->blk_written ++;
2414 sd->csd[14] |= 0x40;
2415 /* Bzzzzzzztt .... Operation complete. */
2416 sd->state = sd_transfer_state;
2417 }
2418 break;
2419
2420 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
2421 if (sd->data_offset == 0) {
2422 /* Start of the block - let's check the address is valid */
2423 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
2424 sd->data_start, sd->blk_len)) {
2425 break;
2426 }
2427 if (sd->size <= SDSC_MAX_CAPACITY) {
2428 if (sd_wp_addr(sd, sd->data_start)) {
2429 sd->card_status |= WP_VIOLATION;
2430 break;
2431 }
2432 }
2433 }
2434 sd->data[sd->data_offset++] = value;
2435 if (sd->data_offset >= sd->blk_len) {
2436 /* TODO: Check CRC before committing */
2437 sd->state = sd_programming_state;
2438 sd_blk_write(sd, sd->data_start, sd->data_offset);
2439 sd->blk_written++;
2440 sd->data_start += sd->blk_len;
2441 sd->data_offset = 0;
2442 sd->csd[14] |= 0x40;
2443
2444 /* Bzzzzzzztt .... Operation complete. */
2445 if (sd->multi_blk_cnt != 0) {
2446 if (--sd->multi_blk_cnt == 0) {
2447 /* Stop! */
2448 sd->state = sd_transfer_state;
2449 break;
2450 }
2451 }
2452
2453 sd->state = sd_receivingdata_state;
2454 }
2455 break;
2456
2457 case 26: /* CMD26: PROGRAM_CID */
2458 if (sd_generic_write_byte(sd, value)) {
2459 /* TODO: Check CRC before committing */
2460 sd->state = sd_programming_state;
2461 for (i = 0; i < sizeof(sd->cid); i ++)
2462 if ((sd->cid[i] | 0x00) != sd->data[i])
2463 sd->card_status |= CID_CSD_OVERWRITE;
2464
2465 if (!(sd->card_status & CID_CSD_OVERWRITE))
2466 for (i = 0; i < sizeof(sd->cid); i ++) {
2467 sd->cid[i] |= 0x00;
2468 sd->cid[i] &= sd->data[i];
2469 }
2470 /* Bzzzzzzztt .... Operation complete. */
2471 sd->state = sd_transfer_state;
2472 }
2473 break;
2474
2475 case 27: /* CMD27: PROGRAM_CSD */
2476 if (sd_generic_write_byte(sd, value)) {
2477 /* TODO: Check CRC before committing */
2478 sd->state = sd_programming_state;
2479 for (i = 0; i < sizeof(sd->csd); i ++)
2480 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
2481 (sd->data[i] | sd_csd_rw_mask[i]))
2482 sd->card_status |= CID_CSD_OVERWRITE;
2483
2484 /* Copy flag (OTP) & Permanent write protect */
2485 if (sd->csd[14] & ~sd->data[14] & 0x60)
2486 sd->card_status |= CID_CSD_OVERWRITE;
2487
2488 if (!(sd->card_status & CID_CSD_OVERWRITE))
2489 for (i = 0; i < sizeof(sd->csd); i ++) {
2490 sd->csd[i] |= sd_csd_rw_mask[i];
2491 sd->csd[i] &= sd->data[i];
2492 }
2493 /* Bzzzzzzztt .... Operation complete. */
2494 sd->state = sd_transfer_state;
2495 }
2496 break;
2497
2498 case 42: /* CMD42: LOCK_UNLOCK */
2499 if (sd_generic_write_byte(sd, value)) {
2500 /* TODO: Check CRC before committing */
2501 sd->state = sd_programming_state;
2502 sd_lock_command(sd);
2503 /* Bzzzzzzztt .... Operation complete. */
2504 sd->state = sd_transfer_state;
2505 }
2506 break;
2507
2508 case 56: /* CMD56: GEN_CMD */
2509 sd_generic_write_byte(sd, value);
2510 break;
2511
2512 default:
2513 g_assert_not_reached();
2514 }
2515 }
2516
sd_read_byte(SDState * sd)2517 static uint8_t sd_read_byte(SDState *sd)
2518 {
2519 /* TODO: Append CRCs */
2520 const uint8_t dummy_byte = 0x00;
2521 uint8_t ret;
2522 uint32_t io_len;
2523
2524 if (!sd->blk || !blk_is_inserted(sd->blk)) {
2525 return dummy_byte;
2526 }
2527
2528 if (sd->state != sd_sendingdata_state) {
2529 qemu_log_mask(LOG_GUEST_ERROR,
2530 "%s: not in Sending-Data state\n", __func__);
2531 return dummy_byte;
2532 }
2533
2534 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) {
2535 return dummy_byte;
2536 }
2537
2538 io_len = sd_blk_len(sd);
2539
2540 trace_sdcard_read_data(sd->proto->name,
2541 sd->last_cmd_name, sd->current_cmd,
2542 sd->data_offset, sd->data_size, io_len);
2543 switch (sd->current_cmd) {
2544 case 6: /* CMD6: SWITCH_FUNCTION */
2545 case 8: /* CMD8: SEND_EXT_CSD */
2546 case 9: /* CMD9: SEND_CSD */
2547 case 10: /* CMD10: SEND_CID */
2548 case 13: /* ACMD13: SD_STATUS */
2549 case 17: /* CMD17: READ_SINGLE_BLOCK */
2550 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2551 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2552 case 30: /* CMD30: SEND_WRITE_PROT */
2553 case 51: /* ACMD51: SEND_SCR */
2554 case 56: /* CMD56: GEN_CMD */
2555 sd_generic_read_byte(sd, &ret);
2556 break;
2557
2558 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2559 if (sd->data_offset == 0) {
2560 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2561 sd->data_start, io_len)) {
2562 return dummy_byte;
2563 }
2564 sd_blk_read(sd, sd->data_start, io_len);
2565 }
2566 ret = sd->data[sd->data_offset ++];
2567
2568 if (sd->data_offset >= io_len) {
2569 sd->data_start += io_len;
2570 sd->data_offset = 0;
2571
2572 if (sd->multi_blk_cnt != 0) {
2573 if (--sd->multi_blk_cnt == 0) {
2574 /* Stop! */
2575 sd->state = sd_transfer_state;
2576 break;
2577 }
2578 }
2579 }
2580 break;
2581
2582 default:
2583 qemu_log_mask(LOG_GUEST_ERROR, "%s: DAT read illegal for command %s\n",
2584 __func__, sd->last_cmd_name);
2585 return dummy_byte;
2586 }
2587
2588 return ret;
2589 }
2590
sd_receive_ready(SDState * sd)2591 static bool sd_receive_ready(SDState *sd)
2592 {
2593 return sd->state == sd_receivingdata_state;
2594 }
2595
sd_data_ready(SDState * sd)2596 static bool sd_data_ready(SDState *sd)
2597 {
2598 return sd->state == sd_sendingdata_state;
2599 }
2600
2601 static const SDProto sd_proto_spi = {
2602 .name = "SPI",
2603 .cmd = {
2604 [0] = {0, sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2605 [1] = {0, sd_spi, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2606 [5] = {9, sd_spi, "IO_SEND_OP_COND", sd_cmd_optional},
2607 [6] = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2608 [8] = {0, sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2609 [9] = {0, sd_spi, "SEND_CSD", spi_cmd_SEND_CSD},
2610 [10] = {0, sd_spi, "SEND_CID", spi_cmd_SEND_CID},
2611 [12] = {0, sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2612 [13] = {0, sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS},
2613 [16] = {2, sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2614 [17] = {2, sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2615 [24] = {4, sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2616 [27] = {4, sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2617 [28] = {6, sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2618 [29] = {6, sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2619 [30] = {6, sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2620 [32] = {5, sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2621 [33] = {5, sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2622 [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional},
2623 [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional},
2624 [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional},
2625 [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2626 [38] = {5, sd_spi, "ERASE", sd_cmd_ERASE},
2627 [42] = {7, sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2628 [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional},
2629 [52] = {9, sd_spi, "IO_RW_DIRECT", sd_cmd_optional},
2630 [53] = {9, sd_spi, "IO_RW_EXTENDED", sd_cmd_optional},
2631 [55] = {8, sd_spi, "APP_CMD", sd_cmd_APP_CMD},
2632 [56] = {8, sd_spi, "GEN_CMD", sd_cmd_GEN_CMD},
2633 [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2634 [58] = {0, sd_spi, "READ_OCR", spi_cmd_READ_OCR},
2635 [59] = {0, sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF},
2636 },
2637 .acmd = {
2638 [13] = {8, sd_spi, "SD_STATUS", sd_acmd_SD_STATUS},
2639 [22] = {8, sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2640 [23] = {8, sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2641 [41] = {8, sd_spi, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2642 [42] = {8, sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2643 [51] = {8, sd_spi, "SEND_SCR", sd_acmd_SEND_SCR},
2644 },
2645 };
2646
2647 static const SDProto sd_proto_sd = {
2648 .name = "SD",
2649 .cmd = {
2650 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2651 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2652 [3] = {0, sd_bcr, "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR},
2653 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented},
2654 [5] = {9, sd_bc, "IO_SEND_OP_COND", sd_cmd_optional},
2655 [6] = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2656 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD},
2657 [8] = {0, sd_bcr, "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2658 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD},
2659 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID},
2660 [11] = {0, sd_ac, "VOLTAGE_SWITCH", sd_cmd_optional},
2661 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2662 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS},
2663 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE},
2664 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2665 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2666 [19] = {2, sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK},
2667 [20] = {2, sd_ac, "SPEED_CLASS_CONTROL", sd_cmd_optional},
2668 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2669 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2670 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2671 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2672 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2673 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2674 [32] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2675 [33] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2676 [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional},
2677 [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional},
2678 [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional},
2679 [37] = {10, sd_ac, "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2680 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE},
2681 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2682 [43] = {1, sd_ac, "Q_MANAGEMENT", sd_cmd_optional},
2683 [44] = {1, sd_ac, "Q_TASK_INFO_A", sd_cmd_optional},
2684 [45] = {1, sd_ac, "Q_TASK_INFO_B", sd_cmd_optional},
2685 [46] = {1, sd_adtc, "Q_RD_TASK", sd_cmd_optional},
2686 [47] = {1, sd_adtc, "Q_WR_TASK", sd_cmd_optional},
2687 [48] = {1, sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional},
2688 [49] = {1, sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional},
2689 [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional},
2690 [52] = {9, sd_bc, "IO_RW_DIRECT", sd_cmd_optional},
2691 [53] = {9, sd_bc, "IO_RW_EXTENDED", sd_cmd_optional},
2692 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD},
2693 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD},
2694 [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2695 [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional},
2696 [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional},
2697 },
2698 .acmd = {
2699 [6] = {8, sd_ac, "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH},
2700 [13] = {8, sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS},
2701 [22] = {8, sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2702 [23] = {8, sd_ac, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2703 [41] = {8, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2704 [42] = {8, sd_ac, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2705 [51] = {8, sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR},
2706 },
2707 };
2708
2709 static const SDProto sd_proto_emmc = {
2710 /* Only v4.3 is supported */
2711 .name = "eMMC",
2712 .cmd = {
2713 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2714 [1] = {0, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2715 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2716 [3] = {0, sd_ac, "SET_RELATIVE_ADDR", emmc_cmd_SET_RELATIVE_ADDR},
2717 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented},
2718 [5] = {0, sd_ac, "SLEEP/AWAKE", emmc_cmd_sleep_awake},
2719 [6] = {10, sd_adtc, "SWITCH", emmc_cmd_SWITCH},
2720 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD},
2721 [8] = {0, sd_adtc, "SEND_EXT_CSD", emmc_cmd_SEND_EXT_CSD},
2722 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD},
2723 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID},
2724 [11] = {1, sd_adtc, "READ_DAT_UNTIL_STOP", sd_cmd_unimplemented},
2725 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2726 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS},
2727 [14] = {0, sd_adtc, "BUSTEST_R", sd_cmd_unimplemented},
2728 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE},
2729 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2730 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2731 [19] = {0, sd_adtc, "BUSTEST_W", sd_cmd_unimplemented},
2732 [20] = {3, sd_adtc, "WRITE_DAT_UNTIL_STOP", sd_cmd_unimplemented},
2733 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2734 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2735 [26] = {4, sd_adtc, "PROGRAM_CID", emmc_cmd_PROGRAM_CID},
2736 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2737 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2738 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2739 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2740 [31] = {6, sd_adtc, "SEND_WRITE_PROT_TYPE", sd_cmd_unimplemented},
2741 [35] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2742 [36] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2743 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE},
2744 [39] = {9, sd_ac, "FAST_IO", sd_cmd_unimplemented},
2745 [40] = {9, sd_bcr, "GO_IRQ_STATE", sd_cmd_unimplemented},
2746 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2747 [49] = {0, sd_adtc, "SET_TIME", sd_cmd_unimplemented},
2748 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD},
2749 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD},
2750 },
2751 };
2752
sd_instance_init(Object * obj)2753 static void sd_instance_init(Object *obj)
2754 {
2755 SDState *sd = SDMMC_COMMON(obj);
2756 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd);
2757
2758 sd->proto = sc->proto;
2759 sd->last_cmd_name = "UNSET";
2760 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2761 }
2762
sd_instance_finalize(Object * obj)2763 static void sd_instance_finalize(Object *obj)
2764 {
2765 SDState *sd = SDMMC_COMMON(obj);
2766
2767 timer_free(sd->ocr_power_timer);
2768 }
2769
sd_realize(DeviceState * dev,Error ** errp)2770 static void sd_realize(DeviceState *dev, Error **errp)
2771 {
2772 SDState *sd = SDMMC_COMMON(dev);
2773 int ret;
2774
2775 switch (sd->spec_version) {
2776 case SD_PHY_SPECv1_10_VERS
2777 ... SD_PHY_SPECv3_01_VERS:
2778 break;
2779 default:
2780 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2781 return;
2782 }
2783
2784 if (sd->blk) {
2785 int64_t blk_size;
2786
2787 if (!blk_supports_write_perm(sd->blk)) {
2788 error_setg(errp, "Cannot use read-only drive as SD card");
2789 return;
2790 }
2791
2792 blk_size = blk_getlength(sd->blk);
2793 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2794 int64_t blk_size_aligned = pow2ceil(blk_size);
2795 char *blk_size_str;
2796
2797 blk_size_str = size_to_str(blk_size);
2798 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2799 g_free(blk_size_str);
2800
2801 blk_size_str = size_to_str(blk_size_aligned);
2802 error_append_hint(errp,
2803 "SD card size has to be a power of 2, e.g. %s.\n"
2804 "You can resize disk images with"
2805 " 'qemu-img resize <imagefile> <new-size>'\n"
2806 "(note that this will lose data if you make the"
2807 " image smaller than it currently is).\n",
2808 blk_size_str);
2809 g_free(blk_size_str);
2810
2811 return;
2812 }
2813
2814 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2815 BLK_PERM_ALL, errp);
2816 if (ret < 0) {
2817 return;
2818 }
2819 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2820 }
2821 }
2822
emmc_realize(DeviceState * dev,Error ** errp)2823 static void emmc_realize(DeviceState *dev, Error **errp)
2824 {
2825 SDState *sd = SDMMC_COMMON(dev);
2826
2827 sd->spec_version = SD_PHY_SPECv3_01_VERS; /* Actually v4.3 */
2828
2829 sd_realize(dev, errp);
2830 }
2831
2832 static const Property sdmmc_common_properties[] = {
2833 DEFINE_PROP_DRIVE("drive", SDState, blk),
2834 };
2835
2836 static const Property sd_properties[] = {
2837 DEFINE_PROP_UINT8("spec_version", SDState,
2838 spec_version, SD_PHY_SPECv3_01_VERS),
2839 };
2840
2841 static const Property emmc_properties[] = {
2842 DEFINE_PROP_UINT64("boot-partition-size", SDState, boot_part_size, 0),
2843 DEFINE_PROP_UINT8("boot-config", SDState, boot_config, 0x0),
2844 };
2845
sdmmc_common_class_init(ObjectClass * klass,const void * data)2846 static void sdmmc_common_class_init(ObjectClass *klass, const void *data)
2847 {
2848 DeviceClass *dc = DEVICE_CLASS(klass);
2849 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2850
2851 device_class_set_props(dc, sdmmc_common_properties);
2852 dc->vmsd = &sd_vmstate;
2853 device_class_set_legacy_reset(dc, sd_reset);
2854 dc->bus_type = TYPE_SD_BUS;
2855 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2856
2857 sc->set_voltage = sd_set_voltage;
2858 sc->get_dat_lines = sd_get_dat_lines;
2859 sc->get_cmd_line = sd_get_cmd_line;
2860 sc->do_command = sd_do_command;
2861 sc->write_byte = sd_write_byte;
2862 sc->read_byte = sd_read_byte;
2863 sc->receive_ready = sd_receive_ready;
2864 sc->data_ready = sd_data_ready;
2865 sc->get_inserted = sd_get_inserted;
2866 sc->get_readonly = sd_get_readonly;
2867 }
2868
sd_class_init(ObjectClass * klass,const void * data)2869 static void sd_class_init(ObjectClass *klass, const void *data)
2870 {
2871 DeviceClass *dc = DEVICE_CLASS(klass);
2872 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2873
2874 dc->realize = sd_realize;
2875 device_class_set_props(dc, sd_properties);
2876
2877 sc->set_cid = sd_set_cid;
2878 sc->set_csd = sd_set_csd;
2879 sc->proto = &sd_proto_sd;
2880 }
2881
2882 /*
2883 * We do not model the chip select pin, so allow the board to select
2884 * whether card should be in SSI or MMC/SD mode. It is also up to the
2885 * board to ensure that ssi transfers only occur when the chip select
2886 * is asserted.
2887 */
sd_spi_class_init(ObjectClass * klass,const void * data)2888 static void sd_spi_class_init(ObjectClass *klass, const void *data)
2889 {
2890 DeviceClass *dc = DEVICE_CLASS(klass);
2891 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2892
2893 dc->desc = "SD SPI";
2894 sc->proto = &sd_proto_spi;
2895 }
2896
emmc_class_init(ObjectClass * klass,const void * data)2897 static void emmc_class_init(ObjectClass *klass, const void *data)
2898 {
2899 DeviceClass *dc = DEVICE_CLASS(klass);
2900 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2901
2902 dc->desc = "eMMC";
2903 dc->realize = emmc_realize;
2904 device_class_set_props(dc, emmc_properties);
2905 /* Reason: Soldered on board */
2906 dc->user_creatable = false;
2907
2908 sc->proto = &sd_proto_emmc;
2909
2910 sc->set_cid = emmc_set_cid;
2911 sc->set_csd = emmc_set_csd;
2912 }
2913
2914 static const TypeInfo sd_types[] = {
2915 {
2916 .name = TYPE_SDMMC_COMMON,
2917 .parent = TYPE_DEVICE,
2918 .abstract = true,
2919 .instance_size = sizeof(SDState),
2920 .class_size = sizeof(SDCardClass),
2921 .class_init = sdmmc_common_class_init,
2922 .instance_init = sd_instance_init,
2923 .instance_finalize = sd_instance_finalize,
2924 },
2925 {
2926 .name = TYPE_SD_CARD,
2927 .parent = TYPE_SDMMC_COMMON,
2928 .class_init = sd_class_init,
2929 },
2930 {
2931 .name = TYPE_SD_CARD_SPI,
2932 .parent = TYPE_SD_CARD,
2933 .class_init = sd_spi_class_init,
2934 },
2935 {
2936 .name = TYPE_EMMC,
2937 .parent = TYPE_SDMMC_COMMON,
2938 .class_init = emmc_class_init,
2939 },
2940 };
2941
2942 DEFINE_TYPES(sd_types)
2943