1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "qemu/osdep.h" 34 #include "qemu/units.h" 35 #include "qemu/cutils.h" 36 #include "hw/irq.h" 37 #include "hw/registerfields.h" 38 #include "sysemu/block-backend.h" 39 #include "hw/sd/sd.h" 40 #include "hw/sd/sdcard_legacy.h" 41 #include "migration/vmstate.h" 42 #include "qapi/error.h" 43 #include "qemu/bitmap.h" 44 #include "hw/qdev-properties.h" 45 #include "hw/qdev-properties-system.h" 46 #include "qemu/error-report.h" 47 #include "qemu/timer.h" 48 #include "qemu/log.h" 49 #include "qemu/module.h" 50 #include "sdmmc-internal.h" 51 #include "trace.h" 52 53 //#define DEBUG_SD 1 54 55 #define SDSC_MAX_CAPACITY (2 * GiB) 56 57 #define INVALID_ADDRESS UINT32_MAX 58 59 typedef enum { 60 sd_r0 = 0, /* no response */ 61 sd_r1, /* normal response command */ 62 sd_r2_i, /* CID register */ 63 sd_r2_s, /* CSD register */ 64 sd_r3, /* OCR register */ 65 sd_r6 = 6, /* Published RCA response */ 66 sd_r7, /* Operating voltage */ 67 sd_r1b = -1, 68 sd_illegal = -2, 69 } sd_rsp_type_t; 70 71 enum SDCardModes { 72 sd_inactive, 73 sd_card_identification_mode, 74 sd_data_transfer_mode, 75 }; 76 77 enum SDCardStates { 78 sd_inactive_state = -1, 79 sd_idle_state = 0, 80 sd_ready_state, 81 sd_identification_state, 82 sd_standby_state, 83 sd_transfer_state, 84 sd_sendingdata_state, 85 sd_receivingdata_state, 86 sd_programming_state, 87 sd_disconnect_state, 88 }; 89 90 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req); 91 92 typedef struct SDProto { 93 const char *name; 94 sd_cmd_handler cmd[SDMMC_CMD_MAX]; 95 sd_cmd_handler acmd[SDMMC_CMD_MAX]; 96 } SDProto; 97 98 struct SDState { 99 DeviceState parent_obj; 100 101 /* If true, created by sd_init() for a non-qdevified caller */ 102 /* TODO purge them with fire */ 103 bool me_no_qdev_me_kill_mammoth_with_rocks; 104 105 /* SD Memory Card Registers */ 106 uint32_t ocr; 107 uint8_t scr[8]; 108 uint8_t cid[16]; 109 uint8_t csd[16]; 110 uint16_t rca; 111 uint32_t card_status; 112 uint8_t sd_status[64]; 113 114 /* Static properties */ 115 116 uint8_t spec_version; 117 BlockBackend *blk; 118 uint8_t boot_config; 119 120 /* Runtime changeables */ 121 122 uint32_t mode; /* current card mode, one of SDCardModes */ 123 int32_t state; /* current card state, one of SDCardStates */ 124 uint32_t vhs; 125 bool wp_switch; 126 unsigned long *wp_group_bmap; 127 int32_t wp_group_bits; 128 uint64_t size; 129 uint32_t blk_len; 130 uint32_t multi_blk_cnt; 131 uint32_t erase_start; 132 uint32_t erase_end; 133 uint8_t pwd[16]; 134 uint32_t pwd_len; 135 uint8_t function_group[6]; 136 uint8_t current_cmd; 137 /* True if we will handle the next command as an ACMD. Note that this does 138 * *not* track the APP_CMD status bit! 139 */ 140 bool expecting_acmd; 141 uint32_t blk_written; 142 uint64_t data_start; 143 uint32_t data_offset; 144 uint8_t data[512]; 145 uint8_t ext_csd[512]; 146 qemu_irq readonly_cb; 147 qemu_irq inserted_cb; 148 QEMUTimer *ocr_power_timer; 149 bool enable; 150 uint8_t dat_lines; 151 bool cmd_line; 152 }; 153 154 static void sd_realize(DeviceState *dev, Error **errp); 155 156 static const struct SDProto *sd_proto(SDState *sd) 157 { 158 SDCardClass *sc = SD_CARD_GET_CLASS(sd); 159 160 return sc->proto; 161 } 162 163 static const SDProto sd_proto_spi; 164 165 static bool sd_is_spi(SDState *sd) 166 { 167 return sd_proto(sd) == &sd_proto_spi; 168 } 169 170 static const char *sd_version_str(enum SDPhySpecificationVersion version) 171 { 172 static const char *sdphy_version[] = { 173 [SD_PHY_SPECv1_10_VERS] = "v1.10", 174 [SD_PHY_SPECv2_00_VERS] = "v2.00", 175 [SD_PHY_SPECv3_01_VERS] = "v3.01", 176 }; 177 if (version >= ARRAY_SIZE(sdphy_version)) { 178 return "unsupported version"; 179 } 180 return sdphy_version[version]; 181 } 182 183 static const char *sd_state_name(enum SDCardStates state) 184 { 185 static const char *state_name[] = { 186 [sd_idle_state] = "idle", 187 [sd_ready_state] = "ready", 188 [sd_identification_state] = "identification", 189 [sd_standby_state] = "standby", 190 [sd_transfer_state] = "transfer", 191 [sd_sendingdata_state] = "sendingdata", 192 [sd_receivingdata_state] = "receivingdata", 193 [sd_programming_state] = "programming", 194 [sd_disconnect_state] = "disconnect", 195 }; 196 if (state == sd_inactive_state) { 197 return "inactive"; 198 } 199 assert(state < ARRAY_SIZE(state_name)); 200 return state_name[state]; 201 } 202 203 static const char *sd_response_name(sd_rsp_type_t rsp) 204 { 205 static const char *response_name[] = { 206 [sd_r0] = "RESP#0 (no response)", 207 [sd_r1] = "RESP#1 (normal cmd)", 208 [sd_r2_i] = "RESP#2 (CID reg)", 209 [sd_r2_s] = "RESP#2 (CSD reg)", 210 [sd_r3] = "RESP#3 (OCR reg)", 211 [sd_r6] = "RESP#6 (RCA)", 212 [sd_r7] = "RESP#7 (operating voltage)", 213 }; 214 if (rsp == sd_illegal) { 215 return "ILLEGAL RESP"; 216 } 217 if (rsp == sd_r1b) { 218 rsp = sd_r1; 219 } 220 assert(rsp < ARRAY_SIZE(response_name)); 221 return response_name[rsp]; 222 } 223 224 static uint8_t sd_get_dat_lines(SDState *sd) 225 { 226 return sd->enable ? sd->dat_lines : 0; 227 } 228 229 static bool sd_get_cmd_line(SDState *sd) 230 { 231 return sd->enable ? sd->cmd_line : false; 232 } 233 234 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 235 { 236 trace_sdcard_set_voltage(millivolts); 237 238 switch (millivolts) { 239 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 240 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 241 break; 242 default: 243 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 244 millivolts / 1000.f); 245 } 246 } 247 248 static void sd_set_mode(SDState *sd) 249 { 250 switch (sd->state) { 251 case sd_inactive_state: 252 sd->mode = sd_inactive; 253 break; 254 255 case sd_idle_state: 256 case sd_ready_state: 257 case sd_identification_state: 258 sd->mode = sd_card_identification_mode; 259 break; 260 261 case sd_standby_state: 262 case sd_transfer_state: 263 case sd_sendingdata_state: 264 case sd_receivingdata_state: 265 case sd_programming_state: 266 case sd_disconnect_state: 267 sd->mode = sd_data_transfer_mode; 268 break; 269 } 270 } 271 272 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = { 273 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac, 274 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac, 275 /* 16 */ 276 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, 277 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none, 278 /* 32 */ 279 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none, 280 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none, 281 /* 48 */ 282 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, 283 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, 284 }; 285 286 static const int sd_cmd_class[SDMMC_CMD_MAX] = { 287 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 288 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6, 289 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7, 290 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8, 291 }; 292 293 static uint8_t sd_crc7(const void *message, size_t width) 294 { 295 int i, bit; 296 uint8_t shift_reg = 0x00; 297 const uint8_t *msg = (const uint8_t *)message; 298 299 for (i = 0; i < width; i ++, msg ++) 300 for (bit = 7; bit >= 0; bit --) { 301 shift_reg <<= 1; 302 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 303 shift_reg ^= 0x89; 304 } 305 306 return shift_reg; 307 } 308 309 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 310 311 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 312 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 313 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 314 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 315 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 316 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 317 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 318 FIELD(OCR, CARD_POWER_UP, 31, 1) 319 320 #define ACMD41_ENQUIRY_MASK 0x00ffffff 321 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 322 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 323 | R_OCR_UHS_II_CARD_MASK \ 324 | R_OCR_CARD_CAPACITY_MASK \ 325 | R_OCR_CARD_POWER_UP_MASK) 326 327 static void sd_ocr_powerup(void *opaque) 328 { 329 SDState *sd = opaque; 330 331 trace_sdcard_powerup(); 332 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 333 334 /* card power-up OK */ 335 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 336 337 if (sd->size > SDSC_MAX_CAPACITY) { 338 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 339 } 340 } 341 342 static void sd_set_ocr(SDState *sd) 343 { 344 /* All voltages OK */ 345 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 346 347 if (sd_is_spi(sd)) { 348 /* 349 * We don't need to emulate power up sequence in SPI-mode. 350 * Thus, the card's power up status bit should be set to 1 when reset. 351 * The card's capacity status bit should also be set if SD card size 352 * is larger than 2GB for SDHC support. 353 */ 354 sd_ocr_powerup(sd); 355 } 356 } 357 358 static void sd_set_scr(SDState *sd) 359 { 360 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 361 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 362 sd->scr[0] |= 1; /* Spec Version 1.10 */ 363 } else { 364 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 365 } 366 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 367 | 0b0101; /* 1-bit or 4-bit width bus modes */ 368 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 369 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 370 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 371 } 372 sd->scr[3] = 0x00; 373 /* reserved for manufacturer usage */ 374 sd->scr[4] = 0x00; 375 sd->scr[5] = 0x00; 376 sd->scr[6] = 0x00; 377 sd->scr[7] = 0x00; 378 } 379 380 #define MID 0xaa 381 #define OID "XY" 382 #define PNM "QEMU!" 383 #define PRV 0x01 384 #define MDT_YR 2006 385 #define MDT_MON 2 386 387 static void sd_set_cid(SDState *sd) 388 { 389 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 390 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 391 sd->cid[2] = OID[1]; 392 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 393 sd->cid[4] = PNM[1]; 394 sd->cid[5] = PNM[2]; 395 sd->cid[6] = PNM[3]; 396 sd->cid[7] = PNM[4]; 397 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 398 sd->cid[9] = 0xde; /* Fake serial number (PSN) */ 399 sd->cid[10] = 0xad; 400 sd->cid[11] = 0xbe; 401 sd->cid[12] = 0xef; 402 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 403 ((MDT_YR - 2000) / 10); 404 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 405 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 406 } 407 408 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 409 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 410 #define WPGROUP_SHIFT 7 /* 2 megs */ 411 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 412 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 413 414 static const uint8_t sd_csd_rw_mask[16] = { 415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 417 }; 418 419 static void mmc_set_ext_csd(SDState *sd, uint64_t size) 420 { 421 uint32_t sectcount = size >> HWBLOCK_SHIFT; 422 423 memset(sd->ext_csd, 0, sizeof(sd->ext_csd)); 424 425 sd->ext_csd[EXT_CSD_S_CMD_SET] = 0x1; /* supported command sets */ 426 sd->ext_csd[EXT_CSD_HPI_FEATURES] = 0x3; /* HPI features */ 427 sd->ext_csd[EXT_CSD_BKOPS_SUPPORT] = 0x1; /* Background operations */ 428 sd->ext_csd[241] = 0xA; /* 1st initialization time after partitioning */ 429 sd->ext_csd[EXT_CSD_TRIM_MULT] = 0x1; /* Trim multiplier */ 430 sd->ext_csd[EXT_CSD_SEC_FEATURE_SUPPORT] = 0x15; /* Secure feature */ 431 sd->ext_csd[EXT_CSD_SEC_ERASE_MULT] = 0x96; /* Secure erase support */ 432 sd->ext_csd[EXT_CSD_SEC_TRIM_MULT] = 0x96; /* Secure TRIM multiplier */ 433 sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x7; /* Boot information */ 434 sd->ext_csd[EXT_CSD_BOOT_MULT] = 0x8; /* Boot partition size. 128KB unit */ 435 sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x6; /* Access size */ 436 sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x4; /* HC Erase unit size */ 437 sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x1; /* HC erase timeout */ 438 sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */ 439 sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x4; /* HC write protect group size */ 440 sd->ext_csd[EXT_CSD_S_C_VCC] = 0x8; /* Sleep current VCC */ 441 sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x7; /* Sleep current VCCQ */ 442 sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x11; /* Sleep/Awake timeout */ 443 sd->ext_csd[215] = (sectcount >> 24) & 0xff; /* Sector count */ 444 sd->ext_csd[214] = (sectcount >> 16) & 0xff; /* ... */ 445 sd->ext_csd[213] = (sectcount >> 8) & 0xff; /* ... */ 446 sd->ext_csd[EXT_CSD_SEC_CNT] = (sectcount & 0xff); /* ... */ 447 sd->ext_csd[210] = 0xa; /* Min write perf for 8bit@52Mhz */ 448 sd->ext_csd[209] = 0xa; /* Min read perf for 8bit@52Mhz */ 449 sd->ext_csd[208] = 0xa; /* Min write perf for 4bit@52Mhz */ 450 sd->ext_csd[207] = 0xa; /* Min read perf for 4bit@52Mhz */ 451 sd->ext_csd[206] = 0xa; /* Min write perf for 4bit@26Mhz */ 452 sd->ext_csd[205] = 0xa; /* Min read perf for 4bit@26Mhz */ 453 sd->ext_csd[EXT_CSD_PART_SWITCH_TIME] = 0x1; 454 sd->ext_csd[EXT_CSD_OUT_OF_INTERRUPT_TIME] = 0x1; 455 sd->ext_csd[EXT_CSD_CARD_TYPE] = 0x7; 456 sd->ext_csd[EXT_CSD_STRUCTURE] = 0x2; 457 sd->ext_csd[EXT_CSD_REV] = 0x5; 458 sd->ext_csd[EXT_CSD_RPMB_MULT] = 0x1; /* RPMB size */ 459 sd->ext_csd[EXT_CSD_PARTITION_SUPPORT] = 0x3; 460 sd->ext_csd[159] = 0x00; /* Max enhanced area size */ 461 sd->ext_csd[158] = 0x00; /* ... */ 462 sd->ext_csd[157] = 0xEC; /* ... */ 463 464 sd->ext_csd[EXT_CSD_PART_CONFIG] = sd->boot_config; 465 } 466 467 static void sd_emmc_set_csd(SDState *sd, uint64_t size) 468 { 469 sd->csd[0] = 0xd0; 470 sd->csd[1] = 0x0f; 471 sd->csd[2] = 0x00; 472 sd->csd[3] = 0x32; 473 sd->csd[4] = 0x0f; 474 if (size <= 2 * GiB) { 475 /* use 1k blocks */ 476 uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1; 477 sd->csd[5] = 0x5a; 478 sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf); 479 sd->csd[7] = (csize1k >> 2) & 0xff; 480 } else { /* >= 2GB : size stored in ext CSD, block addressing */ 481 sd->csd[5] = 0x59; 482 sd->csd[6] = 0x8f; 483 sd->csd[7] = 0xff; 484 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 485 } 486 sd->csd[8] = 0xff; 487 sd->csd[9] = 0xff; 488 sd->csd[10] = 0xf7; 489 sd->csd[11] = 0xfe; 490 sd->csd[12] = 0x49; 491 sd->csd[13] = 0x10; 492 sd->csd[14] = 0x00; 493 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 494 mmc_set_ext_csd(sd, size); 495 } 496 497 static void sd_set_csd(SDState *sd, uint64_t size) 498 { 499 SDCardClass *sc = SD_CARD_GET_CLASS(sd); 500 int hwblock_shift = HWBLOCK_SHIFT; 501 uint32_t csize; 502 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 503 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 504 505 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */ 506 if (size == SDSC_MAX_CAPACITY) { 507 hwblock_shift += 1; 508 } 509 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1; 510 511 if (sc->set_csd) { 512 sc->set_csd(sd, size); 513 } else if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */ 514 sd->csd[0] = 0x00; /* CSD structure */ 515 sd->csd[1] = 0x26; /* Data read access-time-1 */ 516 sd->csd[2] = 0x00; /* Data read access-time-2 */ 517 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 518 sd->csd[4] = 0x5f; /* Card Command Classes */ 519 sd->csd[5] = 0x50 | /* Max. read data block length */ 520 hwblock_shift; 521 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 522 ((csize >> 10) & 0x03); 523 sd->csd[7] = 0x00 | /* Device size */ 524 ((csize >> 2) & 0xff); 525 sd->csd[8] = 0x3f | /* Max. read current */ 526 ((csize << 6) & 0xc0); 527 sd->csd[9] = 0xfc | /* Max. write current */ 528 ((CMULT_SHIFT - 2) >> 1); 529 sd->csd[10] = 0x40 | /* Erase sector size */ 530 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 531 sd->csd[11] = 0x00 | /* Write protect group size */ 532 ((sectsize << 7) & 0x80) | wpsize; 533 sd->csd[12] = 0x90 | /* Write speed factor */ 534 (hwblock_shift >> 2); 535 sd->csd[13] = 0x20 | /* Max. write data block length */ 536 ((hwblock_shift << 6) & 0xc0); 537 sd->csd[14] = 0x00; /* File format group */ 538 } else { /* SDHC */ 539 size /= 512 * KiB; 540 size -= 1; 541 sd->csd[0] = 0x40; 542 sd->csd[1] = 0x0e; 543 sd->csd[2] = 0x00; 544 sd->csd[3] = 0x32; 545 sd->csd[4] = 0x5b; 546 sd->csd[5] = 0x59; 547 sd->csd[6] = 0x00; 548 sd->csd[7] = (size >> 16) & 0xff; 549 sd->csd[8] = (size >> 8) & 0xff; 550 sd->csd[9] = (size & 0xff); 551 sd->csd[10] = 0x7f; 552 sd->csd[11] = 0x80; 553 sd->csd[12] = 0x0a; 554 sd->csd[13] = 0x40; 555 sd->csd[14] = 0x00; 556 } 557 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 558 } 559 560 static void sd_set_rca(SDState *sd) 561 { 562 sd->rca += 0x4567; 563 } 564 565 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 566 FIELD(CSR, APP_CMD, 5, 1) 567 FIELD(CSR, FX_EVENT, 6, 1) 568 FIELD(CSR, SWITCH_ERROR, 7, 1) 569 FIELD(CSR, READY_FOR_DATA, 8, 1) 570 FIELD(CSR, CURRENT_STATE, 9, 4) 571 FIELD(CSR, ERASE_RESET, 13, 1) 572 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 573 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 574 FIELD(CSR, CSD_OVERWRITE, 16, 1) 575 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 576 FIELD(CSR, ERROR, 19, 1) 577 FIELD(CSR, CC_ERROR, 20, 1) 578 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 579 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 580 FIELD(CSR, COM_CRC_ERROR, 23, 1) 581 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 582 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 583 FIELD(CSR, WP_VIOLATION, 26, 1) 584 FIELD(CSR, ERASE_PARAM, 27, 1) 585 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 586 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 587 FIELD(CSR, ADDRESS_ERROR, 30, 1) 588 FIELD(CSR, OUT_OF_RANGE, 31, 1) 589 590 /* Card status bits, split by clear condition: 591 * A : According to the card current state 592 * B : Always related to the previous command 593 * C : Cleared by read 594 */ 595 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 596 | R_CSR_CARD_ECC_DISABLED_MASK \ 597 | R_CSR_CARD_IS_LOCKED_MASK) 598 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 599 | R_CSR_ILLEGAL_COMMAND_MASK \ 600 | R_CSR_COM_CRC_ERROR_MASK) 601 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 602 | R_CSR_APP_CMD_MASK \ 603 | R_CSR_ERASE_RESET_MASK \ 604 | R_CSR_WP_ERASE_SKIP_MASK \ 605 | R_CSR_CSD_OVERWRITE_MASK \ 606 | R_CSR_ERROR_MASK \ 607 | R_CSR_CC_ERROR_MASK \ 608 | R_CSR_CARD_ECC_FAILED_MASK \ 609 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 610 | R_CSR_WP_VIOLATION_MASK \ 611 | R_CSR_ERASE_PARAM_MASK \ 612 | R_CSR_ERASE_SEQ_ERROR_MASK \ 613 | R_CSR_BLOCK_LEN_ERROR_MASK \ 614 | R_CSR_ADDRESS_ERROR_MASK \ 615 | R_CSR_OUT_OF_RANGE_MASK) 616 617 static void sd_set_cardstatus(SDState *sd) 618 { 619 sd->card_status = 0x00000100; 620 } 621 622 static void sd_set_sdstatus(SDState *sd) 623 { 624 memset(sd->sd_status, 0, 64); 625 } 626 627 static int sd_req_crc_validate(SDRequest *req) 628 { 629 uint8_t buffer[5]; 630 buffer[0] = 0x40 | req->cmd; 631 stl_be_p(&buffer[1], req->arg); 632 return 0; 633 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 634 } 635 636 static void sd_response_r1_make(SDState *sd, uint8_t *response) 637 { 638 stl_be_p(response, sd->card_status); 639 640 /* Clear the "clear on read" status bits */ 641 sd->card_status &= ~CARD_STATUS_C; 642 } 643 644 static void sd_response_r3_make(SDState *sd, uint8_t *response) 645 { 646 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 647 } 648 649 static void sd_response_r6_make(SDState *sd, uint8_t *response) 650 { 651 uint16_t status; 652 653 status = ((sd->card_status >> 8) & 0xc000) | 654 ((sd->card_status >> 6) & 0x2000) | 655 (sd->card_status & 0x1fff); 656 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 657 stw_be_p(response + 0, sd->rca); 658 stw_be_p(response + 2, status); 659 } 660 661 static void sd_response_r7_make(SDState *sd, uint8_t *response) 662 { 663 stl_be_p(response, sd->vhs); 664 } 665 666 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 667 { 668 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 669 } 670 671 672 static unsigned sd_boot_capacity_bytes(SDState *sd) 673 { 674 return sd->ext_csd[EXT_CSD_BOOT_MULT] << 17; 675 } 676 677 static void sd_reset(DeviceState *dev) 678 { 679 SDState *sd = SD_CARD(dev); 680 SDCardClass *sc = SD_CARD_GET_CLASS(sd); 681 uint64_t size; 682 uint64_t sect; 683 684 trace_sdcard_reset(); 685 if (sd->blk) { 686 blk_get_geometry(sd->blk, §); 687 } else { 688 sect = 0; 689 } 690 size = sect << 9; 691 692 if (sc->bootpart_offset) { 693 size -= sd_boot_capacity_bytes(sd) * 2; 694 } 695 696 sect = sd_addr_to_wpnum(size) + 1; 697 698 sd->state = sd_idle_state; 699 sd->rca = 0x0000; 700 sd->size = size; 701 sd_set_ocr(sd); 702 sd_set_scr(sd); 703 sd_set_cid(sd); 704 sd_set_csd(sd, size); 705 sd_set_cardstatus(sd); 706 sd_set_sdstatus(sd); 707 708 g_free(sd->wp_group_bmap); 709 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false; 710 sd->wp_group_bits = sect; 711 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits); 712 memset(sd->function_group, 0, sizeof(sd->function_group)); 713 sd->erase_start = INVALID_ADDRESS; 714 sd->erase_end = INVALID_ADDRESS; 715 sd->blk_len = 0x200; 716 sd->pwd_len = 0; 717 sd->expecting_acmd = false; 718 sd->dat_lines = 0xf; 719 sd->cmd_line = true; 720 sd->multi_blk_cnt = 0; 721 } 722 723 static bool sd_get_inserted(SDState *sd) 724 { 725 return sd->blk && blk_is_inserted(sd->blk); 726 } 727 728 static bool sd_get_readonly(SDState *sd) 729 { 730 return sd->wp_switch; 731 } 732 733 static void sd_cardchange(void *opaque, bool load, Error **errp) 734 { 735 SDState *sd = opaque; 736 DeviceState *dev = DEVICE(sd); 737 SDBus *sdbus; 738 bool inserted = sd_get_inserted(sd); 739 bool readonly = sd_get_readonly(sd); 740 741 if (inserted) { 742 trace_sdcard_inserted(readonly); 743 sd_reset(dev); 744 } else { 745 trace_sdcard_ejected(); 746 } 747 748 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) { 749 qemu_set_irq(sd->inserted_cb, inserted); 750 if (inserted) { 751 qemu_set_irq(sd->readonly_cb, readonly); 752 } 753 } else { 754 sdbus = SD_BUS(qdev_get_parent_bus(dev)); 755 sdbus_set_inserted(sdbus, inserted); 756 if (inserted) { 757 sdbus_set_readonly(sdbus, readonly); 758 } 759 } 760 } 761 762 static const BlockDevOps sd_block_ops = { 763 .change_media_cb = sd_cardchange, 764 }; 765 766 static bool sd_ocr_vmstate_needed(void *opaque) 767 { 768 SDState *sd = opaque; 769 770 /* Include the OCR state (and timer) if it is not yet powered up */ 771 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 772 } 773 774 static const VMStateDescription sd_ocr_vmstate = { 775 .name = "sd-card/ocr-state", 776 .version_id = 1, 777 .minimum_version_id = 1, 778 .needed = sd_ocr_vmstate_needed, 779 .fields = (VMStateField[]) { 780 VMSTATE_UINT32(ocr, SDState), 781 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 782 VMSTATE_END_OF_LIST() 783 }, 784 }; 785 786 static int sd_vmstate_pre_load(void *opaque) 787 { 788 SDState *sd = opaque; 789 790 /* If the OCR state is not included (prior versions, or not 791 * needed), then the OCR must be set as powered up. If the OCR state 792 * is included, this will be replaced by the state restore. 793 */ 794 sd_ocr_powerup(sd); 795 796 return 0; 797 } 798 799 static const VMStateDescription sd_vmstate = { 800 .name = "sd-card", 801 .version_id = 2, 802 .minimum_version_id = 2, 803 .pre_load = sd_vmstate_pre_load, 804 .fields = (VMStateField[]) { 805 VMSTATE_UINT32(mode, SDState), 806 VMSTATE_INT32(state, SDState), 807 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 808 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 809 VMSTATE_UINT16(rca, SDState), 810 VMSTATE_UINT32(card_status, SDState), 811 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 812 VMSTATE_UINT32(vhs, SDState), 813 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits), 814 VMSTATE_UINT32(blk_len, SDState), 815 VMSTATE_UINT32(multi_blk_cnt, SDState), 816 VMSTATE_UINT32(erase_start, SDState), 817 VMSTATE_UINT32(erase_end, SDState), 818 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 819 VMSTATE_UINT32(pwd_len, SDState), 820 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 821 VMSTATE_UINT8(current_cmd, SDState), 822 VMSTATE_BOOL(expecting_acmd, SDState), 823 VMSTATE_UINT32(blk_written, SDState), 824 VMSTATE_UINT64(data_start, SDState), 825 VMSTATE_UINT32(data_offset, SDState), 826 VMSTATE_UINT8_ARRAY(data, SDState, 512), 827 VMSTATE_UNUSED_V(1, 512), 828 VMSTATE_BOOL(enable, SDState), 829 VMSTATE_END_OF_LIST() 830 }, 831 .subsections = (const VMStateDescription*[]) { 832 &sd_ocr_vmstate, 833 NULL 834 }, 835 }; 836 837 /* Legacy initialization function for use by non-qdevified callers */ 838 SDState *sd_init(BlockBackend *blk, bool is_spi) 839 { 840 Object *obj; 841 DeviceState *dev; 842 SDState *sd; 843 Error *err = NULL; 844 845 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD); 846 dev = DEVICE(obj); 847 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) { 848 error_reportf_err(err, "sd_init failed: "); 849 return NULL; 850 } 851 852 /* 853 * Realizing the device properly would put it into the QOM 854 * composition tree even though it is not plugged into an 855 * appropriate bus. That's a no-no. Hide the device from 856 * QOM/qdev, and call its qdev realize callback directly. 857 */ 858 object_ref(obj); 859 object_unparent(obj); 860 sd_realize(dev, &err); 861 if (err) { 862 error_reportf_err(err, "sd_init failed: "); 863 return NULL; 864 } 865 866 sd = SD_CARD(dev); 867 sd->me_no_qdev_me_kill_mammoth_with_rocks = true; 868 return sd; 869 } 870 871 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 872 { 873 sd->readonly_cb = readonly; 874 sd->inserted_cb = insert; 875 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0); 876 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 877 } 878 879 /* 880 * This requires a disk image that has two boot partitions inserted at the 881 * beginning of it. The size of the boot partitions are configured in the 882 * ext_csd structure, which is hardcoded in qemu. They are currently set to 883 * 1MB each. 884 */ 885 static uint32_t sd_emmc_bootpart_offset(SDState *sd) 886 { 887 unsigned int access = sd->ext_csd[EXT_CSD_PART_CONFIG] & 888 EXT_CSD_PART_CONFIG_ACC_MASK; 889 unsigned int enable = sd->ext_csd[EXT_CSD_PART_CONFIG] & 890 EXT_CSD_PART_CONFIG_EN_MASK; 891 unsigned int boot_capacity = sd_boot_capacity_bytes(sd); 892 893 if (!enable) { 894 return 0; 895 } 896 897 switch (access) { 898 case EXT_CSD_PART_CONFIG_ACC_DEFAULT: 899 return boot_capacity * 2; 900 case EXT_CSD_PART_CONFIG_ACC_BOOT0: 901 return 0; 902 case EXT_CSD_PART_CONFIG_ACC_BOOT0 + 1: 903 return boot_capacity * 1; 904 default: 905 g_assert_not_reached(); 906 } 907 } 908 909 static uint32_t sd_bootpart_offset(SDState *sd) 910 { 911 SDCardClass *sc = SD_CARD_GET_CLASS(sd); 912 return sc->bootpart_offset ? sc->bootpart_offset(sd) : 0; 913 } 914 915 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 916 { 917 trace_sdcard_read_block(addr, len); 918 addr += sd_bootpart_offset(sd); 919 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) { 920 fprintf(stderr, "sd_blk_read: read error on host side\n"); 921 } 922 } 923 924 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 925 { 926 trace_sdcard_write_block(addr, len); 927 addr += sd_bootpart_offset(sd); 928 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) { 929 fprintf(stderr, "sd_blk_write: write error on host side\n"); 930 } 931 } 932 933 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len) 934 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len) 935 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 936 #define APP_WRITE_BLOCK(a, len) 937 938 static void sd_erase(SDState *sd) 939 { 940 uint64_t erase_start = sd->erase_start; 941 uint64_t erase_end = sd->erase_end; 942 bool sdsc = true; 943 uint64_t wpnum; 944 uint64_t erase_addr; 945 int erase_len = 1 << HWBLOCK_SHIFT; 946 947 trace_sdcard_erase(sd->erase_start, sd->erase_end); 948 if (sd->erase_start == INVALID_ADDRESS 949 || sd->erase_end == INVALID_ADDRESS) { 950 sd->card_status |= ERASE_SEQ_ERROR; 951 sd->erase_start = INVALID_ADDRESS; 952 sd->erase_end = INVALID_ADDRESS; 953 return; 954 } 955 956 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 957 /* High capacity memory card: erase units are 512 byte blocks */ 958 erase_start *= 512; 959 erase_end *= 512; 960 sdsc = false; 961 } 962 963 if (erase_start > sd->size || erase_end > sd->size) { 964 sd->card_status |= OUT_OF_RANGE; 965 sd->erase_start = INVALID_ADDRESS; 966 sd->erase_end = INVALID_ADDRESS; 967 return; 968 } 969 970 sd->erase_start = INVALID_ADDRESS; 971 sd->erase_end = INVALID_ADDRESS; 972 sd->csd[14] |= 0x40; 973 974 memset(sd->data, 0xff, erase_len); 975 for (erase_addr = erase_start; erase_addr <= erase_end; 976 erase_addr += erase_len) { 977 if (sdsc) { 978 /* Only SDSC cards support write protect groups */ 979 wpnum = sd_addr_to_wpnum(erase_addr); 980 assert(wpnum < sd->wp_group_bits); 981 if (test_bit(wpnum, sd->wp_group_bmap)) { 982 sd->card_status |= WP_ERASE_SKIP; 983 continue; 984 } 985 } 986 BLK_WRITE_BLOCK(erase_addr, erase_len); 987 } 988 } 989 990 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 991 { 992 uint32_t i, wpnum; 993 uint32_t ret = 0; 994 995 wpnum = sd_addr_to_wpnum(addr); 996 997 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 998 if (addr >= sd->size) { 999 /* 1000 * If the addresses of the last groups are outside the valid range, 1001 * then the corresponding write protection bits shall be set to 0. 1002 */ 1003 continue; 1004 } 1005 assert(wpnum < sd->wp_group_bits); 1006 if (test_bit(wpnum, sd->wp_group_bmap)) { 1007 ret |= (1 << i); 1008 } 1009 } 1010 1011 return ret; 1012 } 1013 1014 enum { 1015 MMC_CMD6_ACCESS_COMMAND_SET = 0, 1016 MMC_CMD6_ACCESS_SET_BITS, 1017 MMC_CMD6_ACCESS_CLEAR_BITS, 1018 MMC_CMD6_ACCESS_WRITE_BYTE, 1019 }; 1020 1021 static void mmc_function_switch(SDState *sd, uint32_t arg) 1022 { 1023 uint32_t access = extract32(arg, 24, 2); 1024 uint32_t index = extract32(arg, 16, 8); 1025 uint32_t value = extract32(arg, 8, 8); 1026 uint8_t b = sd->ext_csd[index]; 1027 1028 switch (access) { 1029 case MMC_CMD6_ACCESS_COMMAND_SET: 1030 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n"); 1031 return; 1032 case MMC_CMD6_ACCESS_SET_BITS: 1033 b |= value; 1034 break; 1035 case MMC_CMD6_ACCESS_CLEAR_BITS: 1036 b &= ~value; 1037 break; 1038 case MMC_CMD6_ACCESS_WRITE_BYTE: 1039 b = value; 1040 break; 1041 } 1042 1043 if (index >= 192) { 1044 sd->card_status |= R_CSR_SWITCH_ERROR_MASK; 1045 return; 1046 } 1047 1048 sd->ext_csd[index] = b; 1049 } 1050 1051 static void sd_function_switch(SDState *sd, uint32_t arg) 1052 { 1053 int i, mode, new_func; 1054 mode = !!(arg & 0x80000000); 1055 1056 sd->data[0] = 0x00; /* Maximum current consumption */ 1057 sd->data[1] = 0x01; 1058 sd->data[2] = 0x80; /* Supported group 6 functions */ 1059 sd->data[3] = 0x01; 1060 sd->data[4] = 0x80; /* Supported group 5 functions */ 1061 sd->data[5] = 0x01; 1062 sd->data[6] = 0x80; /* Supported group 4 functions */ 1063 sd->data[7] = 0x01; 1064 sd->data[8] = 0x80; /* Supported group 3 functions */ 1065 sd->data[9] = 0x01; 1066 sd->data[10] = 0x80; /* Supported group 2 functions */ 1067 sd->data[11] = 0x43; 1068 sd->data[12] = 0x80; /* Supported group 1 functions */ 1069 sd->data[13] = 0x03; 1070 1071 memset(&sd->data[14], 0, 3); 1072 for (i = 0; i < 6; i ++) { 1073 new_func = (arg >> (i * 4)) & 0x0f; 1074 if (mode && new_func != 0x0f) 1075 sd->function_group[i] = new_func; 1076 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4); 1077 } 1078 memset(&sd->data[17], 0, 47); 1079 } 1080 1081 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 1082 { 1083 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1084 } 1085 1086 static void sd_lock_command(SDState *sd) 1087 { 1088 int erase, lock, clr_pwd, set_pwd, pwd_len; 1089 erase = !!(sd->data[0] & 0x08); 1090 lock = sd->data[0] & 0x04; 1091 clr_pwd = sd->data[0] & 0x02; 1092 set_pwd = sd->data[0] & 0x01; 1093 1094 if (sd->blk_len > 1) 1095 pwd_len = sd->data[1]; 1096 else 1097 pwd_len = 0; 1098 1099 if (lock) { 1100 trace_sdcard_lock(); 1101 } else { 1102 trace_sdcard_unlock(); 1103 } 1104 if (erase) { 1105 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 1106 set_pwd || clr_pwd || lock || sd->wp_switch || 1107 (sd->csd[14] & 0x20)) { 1108 sd->card_status |= LOCK_UNLOCK_FAILED; 1109 return; 1110 } 1111 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits); 1112 sd->csd[14] &= ~0x10; 1113 sd->card_status &= ~CARD_IS_LOCKED; 1114 sd->pwd_len = 0; 1115 /* Erasing the entire card here! */ 1116 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 1117 return; 1118 } 1119 1120 if (sd->blk_len < 2 + pwd_len || 1121 pwd_len <= sd->pwd_len || 1122 pwd_len > sd->pwd_len + 16) { 1123 sd->card_status |= LOCK_UNLOCK_FAILED; 1124 return; 1125 } 1126 1127 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 1128 sd->card_status |= LOCK_UNLOCK_FAILED; 1129 return; 1130 } 1131 1132 pwd_len -= sd->pwd_len; 1133 if ((pwd_len && !set_pwd) || 1134 (clr_pwd && (set_pwd || lock)) || 1135 (lock && !sd->pwd_len && !set_pwd) || 1136 (!set_pwd && !clr_pwd && 1137 (((sd->card_status & CARD_IS_LOCKED) && lock) || 1138 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 1139 sd->card_status |= LOCK_UNLOCK_FAILED; 1140 return; 1141 } 1142 1143 if (set_pwd) { 1144 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 1145 sd->pwd_len = pwd_len; 1146 } 1147 1148 if (clr_pwd) { 1149 sd->pwd_len = 0; 1150 } 1151 1152 if (lock) 1153 sd->card_status |= CARD_IS_LOCKED; 1154 else 1155 sd->card_status &= ~CARD_IS_LOCKED; 1156 } 1157 1158 static bool address_in_range(SDState *sd, const char *desc, 1159 uint64_t addr, uint32_t length) 1160 { 1161 if (addr + length > sd->size) { 1162 qemu_log_mask(LOG_GUEST_ERROR, 1163 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n", 1164 desc, addr, sd->size, length); 1165 sd->card_status |= ADDRESS_ERROR; 1166 return false; 1167 } 1168 return true; 1169 } 1170 1171 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req) 1172 { 1173 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n", 1174 sd_proto(sd)->name, req.cmd, sd_state_name(sd->state), 1175 sd_version_str(sd->spec_version)); 1176 1177 return sd_illegal; 1178 } 1179 1180 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req) 1181 { 1182 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n", 1183 sd_proto(sd)->name, req.cmd, 1184 sd_version_str(sd->spec_version)); 1185 1186 return sd_illegal; 1187 } 1188 1189 /* Commands that are recognised but not yet implemented. */ 1190 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req) 1191 { 1192 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n", 1193 sd_proto(sd)->name, req.cmd); 1194 1195 return sd_illegal; 1196 } 1197 1198 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req) 1199 { 1200 if (sd->state != sd_inactive_state) { 1201 sd->state = sd_idle_state; 1202 sd_reset(DEVICE(sd)); 1203 } 1204 1205 return sd_is_spi(sd) ? sd_r1 : sd_r0; 1206 } 1207 1208 static sd_rsp_type_t sd_cmd_SEND_OP_CMD(SDState *sd, SDRequest req) 1209 { 1210 sd->state = sd_transfer_state; 1211 1212 return sd_r1; 1213 } 1214 1215 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req) 1216 { 1217 if (sd->state != sd_ready_state) { 1218 return sd_invalid_state_for_cmd(sd, req); 1219 } 1220 1221 sd->state = sd_identification_state; 1222 1223 return sd_r2_i; 1224 } 1225 1226 static void sd_emmc_set_rca(SDState *sd, uint16_t value) 1227 { 1228 sd->rca = value; 1229 } 1230 1231 static sd_rsp_type_t emmc_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req) 1232 { 1233 switch (sd->state) { 1234 case sd_identification_state: 1235 case sd_standby_state: 1236 sd->state = sd_standby_state; 1237 sd_emmc_set_rca(sd, req.arg >> 16); 1238 return sd_r1; 1239 1240 default: 1241 return sd_invalid_state_for_cmd(sd, req); 1242 } 1243 } 1244 1245 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req) 1246 { 1247 switch (sd->state) { 1248 case sd_identification_state: 1249 case sd_standby_state: 1250 sd->state = sd_standby_state; 1251 sd_set_rca(sd); 1252 return sd_r6; 1253 1254 default: 1255 return sd_invalid_state_for_cmd(sd, req); 1256 } 1257 } 1258 1259 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req) 1260 { 1261 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1262 return sd_cmd_illegal(sd, req); 1263 } 1264 1265 if (sd->state != sd_transfer_state) { 1266 return sd_invalid_state_for_cmd(sd, req); 1267 } 1268 1269 sd->state = sd_sendingdata_state; 1270 sd->data_offset = 0; 1271 1272 return sd_r1; 1273 } 1274 1275 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req) 1276 { 1277 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1278 return sd_cmd_illegal(sd, req); 1279 } 1280 1281 if (sd->state != sd_transfer_state) { 1282 return sd_invalid_state_for_cmd(sd, req); 1283 } 1284 1285 sd->multi_blk_cnt = req.arg & 0xFFFF; 1286 1287 return sd_r1; 1288 } 1289 1290 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 1291 { 1292 uint32_t rca = 0x0000; 1293 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg; 1294 1295 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 1296 * However there is no ACMD55, so we want to trace this particular case. 1297 */ 1298 if (req.cmd != 55 || sd->expecting_acmd) { 1299 trace_sdcard_normal_command(sd_proto(sd)->name, 1300 sd_cmd_name(req.cmd), req.cmd, 1301 req.arg, sd_state_name(sd->state)); 1302 } 1303 1304 /* Not interpreting this as an app command */ 1305 sd->card_status &= ~APP_CMD; 1306 1307 if (sd_cmd_type[req.cmd] == sd_ac 1308 || sd_cmd_type[req.cmd] == sd_adtc) { 1309 rca = req.arg >> 16; 1310 } 1311 1312 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 1313 * if not, its effects are cancelled */ 1314 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 1315 sd->multi_blk_cnt = 0; 1316 } 1317 1318 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 1319 /* Only Standard Capacity cards support class 6 commands */ 1320 return sd_illegal; 1321 } 1322 1323 if (sd_proto(sd)->cmd[req.cmd]) { 1324 return sd_proto(sd)->cmd[req.cmd](sd, req); 1325 } 1326 1327 switch (req.cmd) { 1328 /* Basic commands (Class 0 and Class 1) */ 1329 case 4: /* CMD4: SEND_DSR */ 1330 switch (sd->state) { 1331 case sd_standby_state: 1332 break; 1333 1334 default: 1335 break; 1336 } 1337 break; 1338 1339 case 6: /* CMD6: SWITCH_FUNCTION */ 1340 switch (sd->mode) { 1341 case sd_data_transfer_mode: 1342 sd_function_switch(sd, req.arg); 1343 sd->state = sd_sendingdata_state; 1344 sd->data_start = 0; 1345 sd->data_offset = 0; 1346 return sd_r1; 1347 1348 default: 1349 break; 1350 } 1351 break; 1352 1353 case 7: /* CMD7: SELECT/DESELECT_CARD */ 1354 switch (sd->state) { 1355 case sd_standby_state: 1356 if (sd->rca != rca) 1357 return sd_r0; 1358 1359 sd->state = sd_transfer_state; 1360 return sd_r1b; 1361 1362 case sd_transfer_state: 1363 case sd_sendingdata_state: 1364 if (sd->rca == rca) 1365 break; 1366 1367 sd->state = sd_standby_state; 1368 return sd_r1b; 1369 1370 case sd_disconnect_state: 1371 if (sd->rca != rca) 1372 return sd_r0; 1373 1374 sd->state = sd_programming_state; 1375 return sd_r1b; 1376 1377 case sd_programming_state: 1378 if (sd->rca == rca) 1379 break; 1380 1381 sd->state = sd_disconnect_state; 1382 return sd_r1b; 1383 1384 default: 1385 break; 1386 } 1387 break; 1388 1389 case 8: /* CMD8: SEND_IF_COND */ 1390 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1391 break; 1392 } 1393 if (sd->state != sd_idle_state) { 1394 break; 1395 } 1396 sd->vhs = 0; 1397 1398 /* No response if not exactly one VHS bit is set. */ 1399 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1400 return sd_is_spi(sd) ? sd_r7 : sd_r0; 1401 } 1402 1403 /* Accept. */ 1404 sd->vhs = req.arg; 1405 return sd_r7; 1406 1407 case 9: /* CMD9: SEND_CSD */ 1408 switch (sd->state) { 1409 case sd_standby_state: 1410 if (sd->rca != rca) 1411 return sd_r0; 1412 1413 return sd_r2_s; 1414 1415 case sd_transfer_state: 1416 if (!sd_is_spi(sd)) { 1417 break; 1418 } 1419 sd->state = sd_sendingdata_state; 1420 memcpy(sd->data, sd->csd, 16); 1421 sd->data_start = addr; 1422 sd->data_offset = 0; 1423 return sd_r1; 1424 1425 default: 1426 break; 1427 } 1428 break; 1429 1430 case 10: /* CMD10: SEND_CID */ 1431 switch (sd->state) { 1432 case sd_standby_state: 1433 if (sd->rca != rca) 1434 return sd_r0; 1435 1436 return sd_r2_i; 1437 1438 case sd_transfer_state: 1439 if (!sd_is_spi(sd)) { 1440 break; 1441 } 1442 sd->state = sd_sendingdata_state; 1443 memcpy(sd->data, sd->cid, 16); 1444 sd->data_start = addr; 1445 sd->data_offset = 0; 1446 return sd_r1; 1447 1448 default: 1449 break; 1450 } 1451 break; 1452 1453 case 12: /* CMD12: STOP_TRANSMISSION */ 1454 switch (sd->state) { 1455 case sd_sendingdata_state: 1456 sd->state = sd_transfer_state; 1457 return sd_r1b; 1458 1459 case sd_receivingdata_state: 1460 sd->state = sd_programming_state; 1461 /* Bzzzzzzztt .... Operation complete. */ 1462 sd->state = sd_transfer_state; 1463 return sd_r1b; 1464 1465 default: 1466 break; 1467 } 1468 break; 1469 1470 case 13: /* CMD13: SEND_STATUS */ 1471 switch (sd->mode) { 1472 case sd_data_transfer_mode: 1473 if (!sd_is_spi(sd) && sd->rca != rca) { 1474 return sd_r0; 1475 } 1476 1477 return sd_r1; 1478 1479 default: 1480 break; 1481 } 1482 break; 1483 1484 case 15: /* CMD15: GO_INACTIVE_STATE */ 1485 switch (sd->mode) { 1486 case sd_data_transfer_mode: 1487 if (sd->rca != rca) 1488 return sd_r0; 1489 1490 sd->state = sd_inactive_state; 1491 return sd_r0; 1492 1493 default: 1494 break; 1495 } 1496 break; 1497 1498 /* Block read commands (Class 2) */ 1499 case 16: /* CMD16: SET_BLOCKLEN */ 1500 switch (sd->state) { 1501 case sd_transfer_state: 1502 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1503 sd->card_status |= BLOCK_LEN_ERROR; 1504 } else { 1505 trace_sdcard_set_blocklen(req.arg); 1506 sd->blk_len = req.arg; 1507 } 1508 1509 return sd_r1; 1510 1511 default: 1512 break; 1513 } 1514 break; 1515 1516 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1517 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1518 switch (sd->state) { 1519 case sd_transfer_state: 1520 1521 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) { 1522 return sd_r1; 1523 } 1524 1525 sd->state = sd_sendingdata_state; 1526 sd->data_start = addr; 1527 sd->data_offset = 0; 1528 return sd_r1; 1529 1530 default: 1531 break; 1532 } 1533 break; 1534 1535 /* Block write commands (Class 4) */ 1536 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1537 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1538 switch (sd->state) { 1539 case sd_transfer_state: 1540 1541 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) { 1542 return sd_r1; 1543 } 1544 1545 sd->state = sd_receivingdata_state; 1546 sd->data_start = addr; 1547 sd->data_offset = 0; 1548 sd->blk_written = 0; 1549 1550 if (sd->size <= SDSC_MAX_CAPACITY) { 1551 if (sd_wp_addr(sd, sd->data_start)) { 1552 sd->card_status |= WP_VIOLATION; 1553 } 1554 } 1555 if (sd->csd[14] & 0x30) { 1556 sd->card_status |= WP_VIOLATION; 1557 } 1558 return sd_r1; 1559 1560 default: 1561 break; 1562 } 1563 break; 1564 1565 case 26: /* CMD26: PROGRAM_CID */ 1566 switch (sd->state) { 1567 case sd_transfer_state: 1568 sd->state = sd_receivingdata_state; 1569 sd->data_start = 0; 1570 sd->data_offset = 0; 1571 return sd_r1; 1572 1573 default: 1574 break; 1575 } 1576 break; 1577 1578 case 27: /* CMD27: PROGRAM_CSD */ 1579 switch (sd->state) { 1580 case sd_transfer_state: 1581 sd->state = sd_receivingdata_state; 1582 sd->data_start = 0; 1583 sd->data_offset = 0; 1584 return sd_r1; 1585 1586 default: 1587 break; 1588 } 1589 break; 1590 1591 /* Write protection (Class 6) */ 1592 case 28: /* CMD28: SET_WRITE_PROT */ 1593 if (sd->size > SDSC_MAX_CAPACITY) { 1594 return sd_illegal; 1595 } 1596 1597 switch (sd->state) { 1598 case sd_transfer_state: 1599 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) { 1600 return sd_r1b; 1601 } 1602 1603 sd->state = sd_programming_state; 1604 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1605 /* Bzzzzzzztt .... Operation complete. */ 1606 sd->state = sd_transfer_state; 1607 return sd_r1b; 1608 1609 default: 1610 break; 1611 } 1612 break; 1613 1614 case 29: /* CMD29: CLR_WRITE_PROT */ 1615 if (sd->size > SDSC_MAX_CAPACITY) { 1616 return sd_illegal; 1617 } 1618 1619 switch (sd->state) { 1620 case sd_transfer_state: 1621 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) { 1622 return sd_r1b; 1623 } 1624 1625 sd->state = sd_programming_state; 1626 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1627 /* Bzzzzzzztt .... Operation complete. */ 1628 sd->state = sd_transfer_state; 1629 return sd_r1b; 1630 1631 default: 1632 break; 1633 } 1634 break; 1635 1636 case 30: /* CMD30: SEND_WRITE_PROT */ 1637 if (sd->size > SDSC_MAX_CAPACITY) { 1638 return sd_illegal; 1639 } 1640 1641 switch (sd->state) { 1642 case sd_transfer_state: 1643 if (!address_in_range(sd, "SEND_WRITE_PROT", 1644 req.arg, sd->blk_len)) { 1645 return sd_r1; 1646 } 1647 1648 sd->state = sd_sendingdata_state; 1649 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg); 1650 sd->data_start = addr; 1651 sd->data_offset = 0; 1652 return sd_r1; 1653 1654 default: 1655 break; 1656 } 1657 break; 1658 1659 /* Erase commands (Class 5) */ 1660 case 32: /* CMD32: ERASE_WR_BLK_START */ 1661 switch (sd->state) { 1662 case sd_transfer_state: 1663 sd->erase_start = req.arg; 1664 return sd_r1; 1665 1666 default: 1667 break; 1668 } 1669 break; 1670 1671 case 33: /* CMD33: ERASE_WR_BLK_END */ 1672 switch (sd->state) { 1673 case sd_transfer_state: 1674 sd->erase_end = req.arg; 1675 return sd_r1; 1676 1677 default: 1678 break; 1679 } 1680 break; 1681 1682 case 38: /* CMD38: ERASE */ 1683 switch (sd->state) { 1684 case sd_transfer_state: 1685 if (sd->csd[14] & 0x30) { 1686 sd->card_status |= WP_VIOLATION; 1687 return sd_r1b; 1688 } 1689 1690 sd->state = sd_programming_state; 1691 sd_erase(sd); 1692 /* Bzzzzzzztt .... Operation complete. */ 1693 sd->state = sd_transfer_state; 1694 return sd_r1b; 1695 1696 default: 1697 break; 1698 } 1699 break; 1700 1701 /* Lock card commands (Class 7) */ 1702 case 42: /* CMD42: LOCK_UNLOCK */ 1703 switch (sd->state) { 1704 case sd_transfer_state: 1705 sd->state = sd_receivingdata_state; 1706 sd->data_start = 0; 1707 sd->data_offset = 0; 1708 return sd_r1; 1709 1710 default: 1711 break; 1712 } 1713 break; 1714 1715 /* Application specific commands (Class 8) */ 1716 case 55: /* CMD55: APP_CMD */ 1717 switch (sd->state) { 1718 case sd_ready_state: 1719 case sd_identification_state: 1720 case sd_inactive_state: 1721 return sd_illegal; 1722 case sd_idle_state: 1723 if (rca) { 1724 qemu_log_mask(LOG_GUEST_ERROR, 1725 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1726 } 1727 default: 1728 break; 1729 } 1730 if (!sd_is_spi(sd)) { 1731 if (sd->rca != rca) { 1732 return sd_r0; 1733 } 1734 } 1735 sd->expecting_acmd = true; 1736 sd->card_status |= APP_CMD; 1737 return sd_r1; 1738 1739 case 56: /* CMD56: GEN_CMD */ 1740 switch (sd->state) { 1741 case sd_transfer_state: 1742 sd->data_offset = 0; 1743 if (req.arg & 1) 1744 sd->state = sd_sendingdata_state; 1745 else 1746 sd->state = sd_receivingdata_state; 1747 return sd_r1; 1748 1749 default: 1750 break; 1751 } 1752 break; 1753 1754 case 58: /* CMD58: READ_OCR (SPI) */ 1755 return sd_r3; 1756 1757 case 59: /* CMD59: CRC_ON_OFF (SPI) */ 1758 return sd_r1; 1759 1760 default: 1761 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1762 return sd_illegal; 1763 } 1764 1765 return sd_invalid_state_for_cmd(sd, req); 1766 } 1767 1768 static sd_rsp_type_t sd_app_command(SDState *sd, 1769 SDRequest req) 1770 { 1771 trace_sdcard_app_command(sd_proto(sd)->name, sd_acmd_name(req.cmd), 1772 req.cmd, req.arg, sd_state_name(sd->state)); 1773 sd->card_status |= APP_CMD; 1774 1775 if (sd_proto(sd)->acmd[req.cmd]) { 1776 return sd_proto(sd)->acmd[req.cmd](sd, req); 1777 } 1778 1779 switch (req.cmd) { 1780 case 6: /* ACMD6: SET_BUS_WIDTH */ 1781 switch (sd->state) { 1782 case sd_transfer_state: 1783 sd->sd_status[0] &= 0x3f; 1784 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1785 return sd_r1; 1786 1787 default: 1788 break; 1789 } 1790 break; 1791 1792 case 13: /* ACMD13: SD_STATUS */ 1793 switch (sd->state) { 1794 case sd_transfer_state: 1795 sd->state = sd_sendingdata_state; 1796 sd->data_start = 0; 1797 sd->data_offset = 0; 1798 return sd_r1; 1799 1800 default: 1801 break; 1802 } 1803 break; 1804 1805 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1806 switch (sd->state) { 1807 case sd_transfer_state: 1808 *(uint32_t *) sd->data = sd->blk_written; 1809 1810 sd->state = sd_sendingdata_state; 1811 sd->data_start = 0; 1812 sd->data_offset = 0; 1813 return sd_r1; 1814 1815 default: 1816 break; 1817 } 1818 break; 1819 1820 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */ 1821 switch (sd->state) { 1822 case sd_transfer_state: 1823 return sd_r1; 1824 1825 default: 1826 break; 1827 } 1828 break; 1829 1830 case 41: /* ACMD41: SD_APP_OP_COND */ 1831 if (sd->state != sd_idle_state) { 1832 break; 1833 } 1834 /* If it's the first ACMD41 since reset, we need to decide 1835 * whether to power up. If this is not an enquiry ACMD41, 1836 * we immediately report power on and proceed below to the 1837 * ready state, but if it is, we set a timer to model a 1838 * delay for power up. This works around a bug in EDK2 1839 * UEFI, which sends an initial enquiry ACMD41, but 1840 * assumes that the card is in ready state as soon as it 1841 * sees the power up bit set. */ 1842 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1843 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1844 timer_del(sd->ocr_power_timer); 1845 sd_ocr_powerup(sd); 1846 } else { 1847 trace_sdcard_inquiry_cmd41(); 1848 if (!timer_pending(sd->ocr_power_timer)) { 1849 timer_mod_ns(sd->ocr_power_timer, 1850 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1851 + OCR_POWER_DELAY_NS)); 1852 } 1853 } 1854 } 1855 1856 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1857 /* We accept any voltage. 10000 V is nothing. 1858 * 1859 * Once we're powered up, we advance straight to ready state 1860 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1861 */ 1862 sd->state = sd_ready_state; 1863 } 1864 1865 return sd_r3; 1866 1867 case 42: /* ACMD42: SET_CLR_CARD_DETECT */ 1868 switch (sd->state) { 1869 case sd_transfer_state: 1870 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1871 return sd_r1; 1872 1873 default: 1874 break; 1875 } 1876 break; 1877 1878 case 51: /* ACMD51: SEND_SCR */ 1879 switch (sd->state) { 1880 case sd_transfer_state: 1881 sd->state = sd_sendingdata_state; 1882 sd->data_start = 0; 1883 sd->data_offset = 0; 1884 return sd_r1; 1885 1886 default: 1887 break; 1888 } 1889 break; 1890 1891 case 18: /* Reserved for SD security applications */ 1892 case 25: 1893 case 26: 1894 case 38: 1895 case 43 ... 49: 1896 /* Refer to the "SD Specifications Part3 Security Specification" for 1897 * information about the SD Security Features. 1898 */ 1899 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 1900 req.cmd); 1901 return sd_illegal; 1902 1903 default: 1904 /* Fall back to standard commands. */ 1905 return sd_normal_command(sd, req); 1906 } 1907 1908 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1909 return sd_illegal; 1910 } 1911 1912 static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd) 1913 { 1914 /* Valid commands in locked state: 1915 * basic class (0) 1916 * lock card class (7) 1917 * CMD16 1918 * implicitly, the ACMD prefix CMD55 1919 * ACMD41 and ACMD42 1920 * Anything else provokes an "illegal command" response. 1921 */ 1922 if (sd->expecting_acmd) { 1923 return cmd == 41 || cmd == 42; 1924 } 1925 if (cmd == 16 || cmd == 55) { 1926 return 1; 1927 } 1928 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7; 1929 } 1930 1931 int sd_do_command(SDState *sd, SDRequest *req, 1932 uint8_t *response) { 1933 int last_state; 1934 sd_rsp_type_t rtype; 1935 int rsplen; 1936 1937 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1938 return 0; 1939 } 1940 1941 if (sd_req_crc_validate(req)) { 1942 sd->card_status |= COM_CRC_ERROR; 1943 rtype = sd_illegal; 1944 goto send_response; 1945 } 1946 1947 if (req->cmd >= SDMMC_CMD_MAX) { 1948 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 1949 req->cmd); 1950 req->cmd &= 0x3f; 1951 } 1952 1953 if (sd->card_status & CARD_IS_LOCKED) { 1954 if (!cmd_valid_while_locked(sd, req->cmd)) { 1955 sd->card_status |= ILLEGAL_COMMAND; 1956 sd->expecting_acmd = false; 1957 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1958 rtype = sd_illegal; 1959 goto send_response; 1960 } 1961 } 1962 1963 last_state = sd->state; 1964 sd_set_mode(sd); 1965 1966 if (sd->expecting_acmd) { 1967 sd->expecting_acmd = false; 1968 rtype = sd_app_command(sd, *req); 1969 } else { 1970 rtype = sd_normal_command(sd, *req); 1971 } 1972 1973 if (rtype == sd_illegal) { 1974 sd->card_status |= ILLEGAL_COMMAND; 1975 } else { 1976 /* Valid command, we can update the 'state before command' bits. 1977 * (Do this now so they appear in r1 responses.) 1978 */ 1979 sd->current_cmd = req->cmd; 1980 sd->card_status &= ~CURRENT_STATE; 1981 sd->card_status |= (last_state << 9); 1982 } 1983 1984 send_response: 1985 switch (rtype) { 1986 case sd_r1: 1987 case sd_r1b: 1988 sd_response_r1_make(sd, response); 1989 rsplen = 4; 1990 break; 1991 1992 case sd_r2_i: 1993 memcpy(response, sd->cid, sizeof(sd->cid)); 1994 rsplen = 16; 1995 break; 1996 1997 case sd_r2_s: 1998 memcpy(response, sd->csd, sizeof(sd->csd)); 1999 rsplen = 16; 2000 break; 2001 2002 case sd_r3: 2003 sd_response_r3_make(sd, response); 2004 rsplen = 4; 2005 break; 2006 2007 case sd_r6: 2008 sd_response_r6_make(sd, response); 2009 rsplen = 4; 2010 break; 2011 2012 case sd_r7: 2013 sd_response_r7_make(sd, response); 2014 rsplen = 4; 2015 break; 2016 2017 case sd_r0: 2018 case sd_illegal: 2019 rsplen = 0; 2020 break; 2021 default: 2022 g_assert_not_reached(); 2023 } 2024 trace_sdcard_response(sd_response_name(rtype), rsplen); 2025 2026 if (rtype != sd_illegal) { 2027 /* Clear the "clear on valid command" status bits now we've 2028 * sent any response 2029 */ 2030 sd->card_status &= ~CARD_STATUS_B; 2031 } 2032 2033 #ifdef DEBUG_SD 2034 qemu_hexdump(stderr, "Response", response, rsplen); 2035 #endif 2036 2037 return rsplen; 2038 } 2039 2040 void sd_write_byte(SDState *sd, uint8_t value) 2041 { 2042 int i; 2043 2044 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 2045 return; 2046 2047 if (sd->state != sd_receivingdata_state) { 2048 qemu_log_mask(LOG_GUEST_ERROR, 2049 "%s: not in Receiving-Data state\n", __func__); 2050 return; 2051 } 2052 2053 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2054 return; 2055 2056 trace_sdcard_write_data(sd_proto(sd)->name, 2057 sd_acmd_name(sd->current_cmd), 2058 sd->current_cmd, value); 2059 switch (sd->current_cmd) { 2060 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 2061 sd->data[sd->data_offset ++] = value; 2062 if (sd->data_offset >= sd->blk_len) { 2063 /* TODO: Check CRC before committing */ 2064 sd->state = sd_programming_state; 2065 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 2066 sd->blk_written ++; 2067 sd->csd[14] |= 0x40; 2068 /* Bzzzzzzztt .... Operation complete. */ 2069 sd->state = sd_transfer_state; 2070 } 2071 break; 2072 2073 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2074 if (sd->data_offset == 0) { 2075 /* Start of the block - let's check the address is valid */ 2076 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK", 2077 sd->data_start, sd->blk_len)) { 2078 break; 2079 } 2080 if (sd->size <= SDSC_MAX_CAPACITY) { 2081 if (sd_wp_addr(sd, sd->data_start)) { 2082 sd->card_status |= WP_VIOLATION; 2083 break; 2084 } 2085 } 2086 } 2087 sd->data[sd->data_offset++] = value; 2088 if (sd->data_offset >= sd->blk_len) { 2089 /* TODO: Check CRC before committing */ 2090 sd->state = sd_programming_state; 2091 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 2092 sd->blk_written++; 2093 sd->data_start += sd->blk_len; 2094 sd->data_offset = 0; 2095 sd->csd[14] |= 0x40; 2096 2097 /* Bzzzzzzztt .... Operation complete. */ 2098 if (sd->multi_blk_cnt != 0) { 2099 if (--sd->multi_blk_cnt == 0) { 2100 /* Stop! */ 2101 sd->state = sd_transfer_state; 2102 break; 2103 } 2104 } 2105 2106 sd->state = sd_receivingdata_state; 2107 } 2108 break; 2109 2110 case 26: /* CMD26: PROGRAM_CID */ 2111 sd->data[sd->data_offset ++] = value; 2112 if (sd->data_offset >= sizeof(sd->cid)) { 2113 /* TODO: Check CRC before committing */ 2114 sd->state = sd_programming_state; 2115 for (i = 0; i < sizeof(sd->cid); i ++) 2116 if ((sd->cid[i] | 0x00) != sd->data[i]) 2117 sd->card_status |= CID_CSD_OVERWRITE; 2118 2119 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2120 for (i = 0; i < sizeof(sd->cid); i ++) { 2121 sd->cid[i] |= 0x00; 2122 sd->cid[i] &= sd->data[i]; 2123 } 2124 /* Bzzzzzzztt .... Operation complete. */ 2125 sd->state = sd_transfer_state; 2126 } 2127 break; 2128 2129 case 27: /* CMD27: PROGRAM_CSD */ 2130 sd->data[sd->data_offset ++] = value; 2131 if (sd->data_offset >= sizeof(sd->csd)) { 2132 /* TODO: Check CRC before committing */ 2133 sd->state = sd_programming_state; 2134 for (i = 0; i < sizeof(sd->csd); i ++) 2135 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 2136 (sd->data[i] | sd_csd_rw_mask[i])) 2137 sd->card_status |= CID_CSD_OVERWRITE; 2138 2139 /* Copy flag (OTP) & Permanent write protect */ 2140 if (sd->csd[14] & ~sd->data[14] & 0x60) 2141 sd->card_status |= CID_CSD_OVERWRITE; 2142 2143 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2144 for (i = 0; i < sizeof(sd->csd); i ++) { 2145 sd->csd[i] |= sd_csd_rw_mask[i]; 2146 sd->csd[i] &= sd->data[i]; 2147 } 2148 /* Bzzzzzzztt .... Operation complete. */ 2149 sd->state = sd_transfer_state; 2150 } 2151 break; 2152 2153 case 42: /* CMD42: LOCK_UNLOCK */ 2154 sd->data[sd->data_offset ++] = value; 2155 if (sd->data_offset >= sd->blk_len) { 2156 /* TODO: Check CRC before committing */ 2157 sd->state = sd_programming_state; 2158 sd_lock_command(sd); 2159 /* Bzzzzzzztt .... Operation complete. */ 2160 sd->state = sd_transfer_state; 2161 } 2162 break; 2163 2164 case 56: /* CMD56: GEN_CMD */ 2165 sd->data[sd->data_offset ++] = value; 2166 if (sd->data_offset >= sd->blk_len) { 2167 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 2168 sd->state = sd_transfer_state; 2169 } 2170 break; 2171 2172 default: 2173 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__); 2174 break; 2175 } 2176 } 2177 2178 #define SD_TUNING_BLOCK_SIZE 64 2179 2180 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = { 2181 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */ 2182 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 2183 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 2184 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 2185 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 2186 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 2187 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 2188 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 2189 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde, 2190 }; 2191 2192 #define EXCSD_BUS_WIDTH_OFFSET 183 2193 #define BUS_WIDTH_8_MASK 0x4 2194 #define BUS_WIDTH_4_MASK 0x2 2195 #define MMC_TUNING_BLOCK_SIZE 128 2196 2197 static const uint8_t mmc_tuning_block_pattern[128] = { 2198 0xff, 0xff, 0x00, 0xff, 0xff, 0xff, 0x00, 0x00, 2199 0xff, 0xff, 0xcc, 0xcc, 0xcc, 0x33, 0xcc, 0xcc, 2200 0xcc, 0x33, 0x33, 0xcc, 0xcc, 0xcc, 0xff, 0xff, 2201 0xff, 0xee, 0xff, 0xff, 0xff, 0xee, 0xee, 0xff, 2202 0xff, 0xff, 0xdd, 0xff, 0xff, 0xff, 0xdd, 0xdd, 2203 0xff, 0xff, 0xff, 0xbb, 0xff, 0xff, 0xff, 0xbb, 2204 0xbb, 0xff, 0xff, 0xff, 0x77, 0xff, 0xff, 0xff, 2205 0x77, 0x77, 0xff, 0x77, 0xbb, 0xdd, 0xee, 0xff, 2206 0xff, 0xff, 0xff, 0x00, 0xff, 0xff, 0xff, 0x00, 2207 0x00, 0xff, 0xff, 0xcc, 0xcc, 0xcc, 0x33, 0xcc, 2208 0xcc, 0xcc, 0x33, 0x33, 0xcc, 0xcc, 0xcc, 0xff, 2209 0xff, 0xff, 0xee, 0xff, 0xff, 0xff, 0xee, 0xee, 2210 0xff, 0xff, 0xff, 0xdd, 0xff, 0xff, 0xff, 0xdd, 2211 0xdd, 0xff, 0xff, 0xff, 0xbb, 0xff, 0xff, 0xff, 2212 0xbb, 0xbb, 0xff, 0xff, 0xff, 0x77, 0xff, 0xff, 2213 0xff, 0x77, 0x77, 0xff, 0x77, 0xbb, 0xdd, 0xee, 2214 }; 2215 2216 uint8_t sd_read_byte(SDState *sd) 2217 { 2218 /* TODO: Append CRCs */ 2219 uint8_t ret; 2220 uint32_t io_len; 2221 2222 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 2223 return 0x00; 2224 2225 if (sd->state != sd_sendingdata_state) { 2226 qemu_log_mask(LOG_GUEST_ERROR, 2227 "%s: not in Sending-Data state\n", __func__); 2228 return 0x00; 2229 } 2230 2231 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2232 return 0x00; 2233 2234 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len; 2235 2236 trace_sdcard_read_data(sd_proto(sd)->name, 2237 sd_acmd_name(sd->current_cmd), 2238 sd->current_cmd, io_len); 2239 switch (sd->current_cmd) { 2240 case 6: /* CMD6: SWITCH_FUNCTION */ 2241 ret = sd->data[sd->data_offset ++]; 2242 2243 if (sd->data_offset >= 64) 2244 sd->state = sd_transfer_state; 2245 break; 2246 2247 case 8: /* CMD8: SEND_EXT_CSD on MMC */ 2248 ret = sd->data[sd->data_offset++]; 2249 2250 if (sd->data_offset >= sizeof(sd->ext_csd)) { 2251 sd->state = sd_transfer_state; 2252 } 2253 break; 2254 2255 case 9: /* CMD9: SEND_CSD */ 2256 case 10: /* CMD10: SEND_CID */ 2257 ret = sd->data[sd->data_offset ++]; 2258 2259 if (sd->data_offset >= 16) 2260 sd->state = sd_transfer_state; 2261 break; 2262 2263 case 13: /* ACMD13: SD_STATUS */ 2264 ret = sd->sd_status[sd->data_offset ++]; 2265 2266 if (sd->data_offset >= sizeof(sd->sd_status)) 2267 sd->state = sd_transfer_state; 2268 break; 2269 2270 case 17: /* CMD17: READ_SINGLE_BLOCK */ 2271 if (sd->data_offset == 0) 2272 BLK_READ_BLOCK(sd->data_start, io_len); 2273 ret = sd->data[sd->data_offset ++]; 2274 2275 if (sd->data_offset >= io_len) 2276 sd->state = sd_transfer_state; 2277 break; 2278 2279 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2280 if (sd->data_offset == 0) { 2281 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK", 2282 sd->data_start, io_len)) { 2283 return 0x00; 2284 } 2285 BLK_READ_BLOCK(sd->data_start, io_len); 2286 } 2287 ret = sd->data[sd->data_offset ++]; 2288 2289 if (sd->data_offset >= io_len) { 2290 sd->data_start += io_len; 2291 sd->data_offset = 0; 2292 2293 if (sd->multi_blk_cnt != 0) { 2294 if (--sd->multi_blk_cnt == 0) { 2295 /* Stop! */ 2296 sd->state = sd_transfer_state; 2297 break; 2298 } 2299 } 2300 } 2301 break; 2302 2303 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2304 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) { 2305 sd->state = sd_transfer_state; 2306 } 2307 ret = sd_tuning_block_pattern[sd->data_offset++]; 2308 break; 2309 2310 case 21: /* CMD21: SEND_TUNING_BLOCK (MMC) */ 2311 if (sd->data_offset >= MMC_TUNING_BLOCK_SIZE - 1) { 2312 sd->state = sd_transfer_state; 2313 } 2314 if (sd->ext_csd[EXCSD_BUS_WIDTH_OFFSET] & BUS_WIDTH_8_MASK) { 2315 ret = mmc_tuning_block_pattern[sd->data_offset++]; 2316 } else { 2317 /* 2318 * Return LSB Nibbles of two byte from the 8bit tuning 2319 * block for 4bit mode 2320 */ 2321 ret = mmc_tuning_block_pattern[sd->data_offset++] & 0x0F; 2322 ret |= (mmc_tuning_block_pattern[sd->data_offset++] & 0x0F) << 4; 2323 } 2324 break; 2325 2326 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2327 ret = sd->data[sd->data_offset ++]; 2328 2329 if (sd->data_offset >= 4) 2330 sd->state = sd_transfer_state; 2331 break; 2332 2333 case 30: /* CMD30: SEND_WRITE_PROT */ 2334 ret = sd->data[sd->data_offset ++]; 2335 2336 if (sd->data_offset >= 4) 2337 sd->state = sd_transfer_state; 2338 break; 2339 2340 case 51: /* ACMD51: SEND_SCR */ 2341 ret = sd->scr[sd->data_offset ++]; 2342 2343 if (sd->data_offset >= sizeof(sd->scr)) 2344 sd->state = sd_transfer_state; 2345 break; 2346 2347 case 56: /* CMD56: GEN_CMD */ 2348 if (sd->data_offset == 0) 2349 APP_READ_BLOCK(sd->data_start, sd->blk_len); 2350 ret = sd->data[sd->data_offset ++]; 2351 2352 if (sd->data_offset >= sd->blk_len) 2353 sd->state = sd_transfer_state; 2354 break; 2355 2356 default: 2357 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__); 2358 return 0x00; 2359 } 2360 2361 return ret; 2362 } 2363 2364 static bool sd_receive_ready(SDState *sd) 2365 { 2366 return sd->state == sd_receivingdata_state; 2367 } 2368 2369 static bool sd_data_ready(SDState *sd) 2370 { 2371 return sd->state == sd_sendingdata_state; 2372 } 2373 2374 void sd_enable(SDState *sd, bool enable) 2375 { 2376 sd->enable = enable; 2377 } 2378 2379 static const SDProto sd_proto_spi = { 2380 .name = "SPI", 2381 .cmd = { 2382 [0] = sd_cmd_GO_IDLE_STATE, 2383 [1] = sd_cmd_SEND_OP_CMD, 2384 [2 ... 4] = sd_cmd_illegal, 2385 [5] = sd_cmd_illegal, 2386 [7] = sd_cmd_illegal, 2387 [15] = sd_cmd_illegal, 2388 [26] = sd_cmd_illegal, 2389 [52 ... 54] = sd_cmd_illegal, 2390 }, 2391 .acmd = { 2392 [6] = sd_cmd_unimplemented, 2393 [41] = sd_cmd_SEND_OP_CMD, 2394 }, 2395 }; 2396 2397 static const SDProto sd_proto_sd = { 2398 .name = "SD", 2399 .cmd = { 2400 [0] = sd_cmd_GO_IDLE_STATE, 2401 [1] = sd_cmd_illegal, 2402 [2] = sd_cmd_ALL_SEND_CID, 2403 [3] = sd_cmd_SEND_RELATIVE_ADDR, 2404 [5] = sd_cmd_illegal, 2405 [19] = sd_cmd_SEND_TUNING_BLOCK, 2406 [23] = sd_cmd_SET_BLOCK_COUNT, 2407 [52 ... 54] = sd_cmd_illegal, 2408 [58] = sd_cmd_illegal, 2409 [59] = sd_cmd_illegal, 2410 }, 2411 }; 2412 2413 static sd_rsp_type_t emmc_cmd_SEND_OP_CMD(SDState *sd, SDRequest req) 2414 { 2415 sd_ocr_powerup(sd); 2416 return sd->state == sd_idle_state ? sd_r3 : sd_r0; 2417 } 2418 2419 static sd_rsp_type_t emmc_cmd_ALL_SEND_CID(SDState *sd, SDRequest req) 2420 { 2421 if (sd->state != sd_ready_state && sd->state != sd_idle_state) { 2422 return sd_invalid_state_for_cmd(sd, req); 2423 } 2424 2425 sd->state = sd_identification_state; 2426 2427 return sd_r2_i; 2428 } 2429 2430 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req) 2431 { 2432 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg; 2433 2434 switch (sd->state) { 2435 case sd_transfer_state: 2436 /* MMC : Sends the EXT_CSD register as a Block of data */ 2437 sd->state = sd_sendingdata_state; 2438 memcpy(sd->data, sd->ext_csd, sizeof(sd->ext_csd)); 2439 sd->data_start = addr; 2440 sd->data_offset = 0; 2441 return sd_r1; 2442 default: 2443 return sd_invalid_state_for_cmd(sd, req); 2444 } 2445 } 2446 2447 static sd_rsp_type_t emmc_cmd_APP_CMD(SDState *sd, SDRequest req) 2448 { 2449 return sd_r0; 2450 } 2451 2452 static sd_rsp_type_t emmc_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req) 2453 { 2454 if (sd->state != sd_transfer_state) { 2455 sd_invalid_state_for_cmd(sd, req); 2456 } 2457 2458 sd->state = sd_sendingdata_state; 2459 sd->data_offset = 0; 2460 return sd_r1; 2461 } 2462 2463 static sd_rsp_type_t emmc_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req) 2464 { 2465 switch (sd->state) { 2466 case sd_transfer_state: 2467 sd->state = sd_programming_state; 2468 mmc_function_switch(sd, req.arg); 2469 sd->state = sd_transfer_state; 2470 return sd_r1b; 2471 default: 2472 return sd_invalid_state_for_cmd(sd, req); 2473 } 2474 } 2475 2476 static const SDProto sd_proto_emmc = { 2477 .name = "eMMC", 2478 .cmd = { 2479 [0] = sd_cmd_GO_IDLE_STATE, 2480 [1] = emmc_cmd_SEND_OP_CMD, 2481 [2] = emmc_cmd_ALL_SEND_CID, 2482 [3] = emmc_cmd_SEND_RELATIVE_ADDR, 2483 [5] = sd_cmd_illegal, 2484 [6] = emmc_cmd_SWITCH_FUNCTION, 2485 [8] = emmc_cmd_SEND_EXT_CSD, 2486 [19] = sd_cmd_SEND_TUNING_BLOCK, 2487 [23] = sd_cmd_SET_BLOCK_COUNT, 2488 [21] = emmc_cmd_SEND_TUNING_BLOCK, 2489 [41] = sd_cmd_illegal, 2490 [52 ... 54] = sd_cmd_illegal, 2491 [55] = emmc_cmd_APP_CMD, 2492 [58] = sd_cmd_illegal, 2493 [59] = sd_cmd_illegal, 2494 }, 2495 }; 2496 2497 static void sd_instance_init(Object *obj) 2498 { 2499 SDState *sd = SD_CARD(obj); 2500 2501 sd->enable = true; 2502 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2503 } 2504 2505 static void sd_instance_finalize(Object *obj) 2506 { 2507 SDState *sd = SD_CARD(obj); 2508 2509 timer_free(sd->ocr_power_timer); 2510 } 2511 2512 static void sd_realize(DeviceState *dev, Error **errp) 2513 { 2514 SDState *sd = SD_CARD(dev); 2515 int ret; 2516 2517 switch (sd->spec_version) { 2518 case SD_PHY_SPECv1_10_VERS 2519 ... SD_PHY_SPECv3_01_VERS: 2520 break; 2521 default: 2522 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2523 return; 2524 } 2525 2526 if (sd->blk) { 2527 int64_t blk_size; 2528 2529 if (!blk_supports_write_perm(sd->blk)) { 2530 error_setg(errp, "Cannot use read-only drive as SD card"); 2531 return; 2532 } 2533 2534 blk_size = blk_getlength(sd->blk); 2535 if (blk_size > 0 && !is_power_of_2(blk_size)) { 2536 int64_t blk_size_aligned = pow2ceil(blk_size); 2537 char *blk_size_str; 2538 2539 blk_size_str = size_to_str(blk_size); 2540 error_setg(errp, "Invalid SD card size: %s", blk_size_str); 2541 g_free(blk_size_str); 2542 2543 blk_size_str = size_to_str(blk_size_aligned); 2544 error_append_hint(errp, 2545 "SD card size has to be a power of 2, e.g. %s.\n" 2546 "You can resize disk images with" 2547 " 'qemu-img resize <imagefile> <new-size>'\n" 2548 "(note that this will lose data if you make the" 2549 " image smaller than it currently is).\n", 2550 blk_size_str); 2551 g_free(blk_size_str); 2552 2553 return; 2554 } 2555 2556 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2557 BLK_PERM_ALL, errp); 2558 if (ret < 0) { 2559 return; 2560 } 2561 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2562 } 2563 } 2564 2565 static Property sd_properties[] = { 2566 DEFINE_PROP_UINT8("spec_version", SDState, 2567 spec_version, SD_PHY_SPECv2_00_VERS), 2568 DEFINE_PROP_DRIVE("drive", SDState, blk), 2569 /* We do not model the chip select pin, so allow the board to select 2570 * whether card should be in SSI or MMC/SD mode. It is also up to the 2571 * board to ensure that ssi transfers only occur when the chip select 2572 * is asserted. */ 2573 DEFINE_PROP_UINT8("boot-config", SDState, boot_config, 0x0), 2574 DEFINE_PROP_END_OF_LIST() 2575 }; 2576 2577 static void sd_class_init(ObjectClass *klass, void *data) 2578 { 2579 DeviceClass *dc = DEVICE_CLASS(klass); 2580 SDCardClass *sc = SD_CARD_CLASS(klass); 2581 2582 dc->realize = sd_realize; 2583 device_class_set_props(dc, sd_properties); 2584 dc->vmsd = &sd_vmstate; 2585 dc->reset = sd_reset; 2586 dc->bus_type = TYPE_SD_BUS; 2587 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2588 2589 sc->set_voltage = sd_set_voltage; 2590 sc->get_dat_lines = sd_get_dat_lines; 2591 sc->get_cmd_line = sd_get_cmd_line; 2592 sc->do_command = sd_do_command; 2593 sc->write_byte = sd_write_byte; 2594 sc->read_byte = sd_read_byte; 2595 sc->receive_ready = sd_receive_ready; 2596 sc->data_ready = sd_data_ready; 2597 sc->enable = sd_enable; 2598 sc->get_inserted = sd_get_inserted; 2599 sc->get_readonly = sd_get_readonly; 2600 sc->proto = &sd_proto_sd; 2601 } 2602 2603 /* 2604 * We do not model the chip select pin, so allow the board to select 2605 * whether card should be in SSI or MMC/SD mode. It is also up to the 2606 * board to ensure that ssi transfers only occur when the chip select 2607 * is asserted. 2608 */ 2609 static void sd_spi_class_init(ObjectClass *klass, void *data) 2610 { 2611 DeviceClass *dc = DEVICE_CLASS(klass); 2612 SDCardClass *sc = SD_CARD_CLASS(klass); 2613 2614 dc->desc = "SD SPI"; 2615 sc->proto = &sd_proto_spi; 2616 } 2617 2618 static void emmc_realize(DeviceState *dev, Error **errp) 2619 { 2620 SDState *sd = SD_CARD(dev); 2621 2622 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 2623 error_setg(errp, "Minimum spec for eMMC is v3.01"); 2624 return; 2625 } 2626 2627 sd_realize(dev, errp); 2628 } 2629 2630 static void emmc_class_init(ObjectClass *klass, void *data) 2631 { 2632 DeviceClass *dc = DEVICE_CLASS(klass); 2633 SDCardClass *sc = SD_CARD_CLASS(klass); 2634 2635 dc->desc = "eMMC"; 2636 dc->realize = emmc_realize; 2637 sc->proto = &sd_proto_emmc; 2638 sc->set_csd = sd_emmc_set_csd; 2639 sc->bootpart_offset = sd_emmc_bootpart_offset; 2640 } 2641 2642 static const TypeInfo sd_types[] = { 2643 { 2644 .name = TYPE_SD_CARD, 2645 .parent = TYPE_DEVICE, 2646 .instance_size = sizeof(SDState), 2647 .class_size = sizeof(SDCardClass), 2648 .class_init = sd_class_init, 2649 .instance_init = sd_instance_init, 2650 .instance_finalize = sd_instance_finalize, 2651 }, 2652 { 2653 .name = TYPE_SD_CARD_SPI, 2654 .parent = TYPE_SD_CARD, 2655 .class_init = sd_spi_class_init, 2656 }, 2657 { 2658 .name = TYPE_EMMC, 2659 .parent = TYPE_SD_CARD, 2660 .class_init = emmc_class_init, 2661 }, 2662 }; 2663 2664 DEFINE_TYPES(sd_types) 2665