1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "qemu/osdep.h" 34 #include "qemu/units.h" 35 #include "qemu/cutils.h" 36 #include "hw/irq.h" 37 #include "hw/registerfields.h" 38 #include "sysemu/block-backend.h" 39 #include "hw/sd/sd.h" 40 #include "hw/sd/sdcard_legacy.h" 41 #include "migration/vmstate.h" 42 #include "qapi/error.h" 43 #include "qemu/bitmap.h" 44 #include "hw/qdev-properties.h" 45 #include "hw/qdev-properties-system.h" 46 #include "qemu/error-report.h" 47 #include "qemu/timer.h" 48 #include "qemu/log.h" 49 #include "qemu/module.h" 50 #include "sdmmc-internal.h" 51 #include "trace.h" 52 53 //#define DEBUG_SD 1 54 55 #define SDSC_MAX_CAPACITY (2 * GiB) 56 57 #define INVALID_ADDRESS UINT32_MAX 58 59 typedef enum { 60 sd_r0 = 0, /* no response */ 61 sd_r1, /* normal response command */ 62 sd_r2_i, /* CID register */ 63 sd_r2_s, /* CSD register */ 64 sd_r3, /* OCR register */ 65 sd_r6 = 6, /* Published RCA response */ 66 sd_r7, /* Operating voltage */ 67 sd_r1b = -1, 68 sd_illegal = -2, 69 } sd_rsp_type_t; 70 71 enum SDCardModes { 72 sd_inactive, 73 sd_card_identification_mode, 74 sd_data_transfer_mode, 75 }; 76 77 enum SDCardStates { 78 sd_inactive_state = -1, 79 sd_idle_state = 0, 80 sd_ready_state = 1, 81 sd_identification_state = 2, 82 sd_standby_state = 3, 83 sd_transfer_state = 4, 84 sd_sendingdata_state = 5, 85 sd_receivingdata_state = 6, 86 sd_programming_state = 7, 87 sd_disconnect_state = 8, 88 }; 89 90 #define SDMMC_CMD_MAX 64 91 92 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req); 93 94 typedef struct SDProto { 95 const char *name; 96 struct { 97 const unsigned class; 98 const sd_cmd_type_t type; 99 const char *name; 100 sd_cmd_handler handler; 101 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX]; 102 } SDProto; 103 104 struct SDState { 105 DeviceState parent_obj; 106 107 /* If true, created by sd_init() for a non-qdevified caller */ 108 /* TODO purge them with fire */ 109 bool me_no_qdev_me_kill_mammoth_with_rocks; 110 111 /* SD Memory Card Registers */ 112 uint32_t ocr; 113 uint8_t scr[8]; 114 uint8_t cid[16]; 115 uint8_t csd[16]; 116 uint16_t rca; 117 uint32_t card_status; 118 uint8_t sd_status[64]; 119 120 /* Static properties */ 121 122 uint8_t spec_version; 123 BlockBackend *blk; 124 125 const SDProto *proto; 126 127 /* Runtime changeables */ 128 129 uint32_t mode; /* current card mode, one of SDCardModes */ 130 int32_t state; /* current card state, one of SDCardStates */ 131 uint32_t vhs; 132 bool wp_switch; 133 unsigned long *wp_group_bmap; 134 int32_t wp_group_bits; 135 uint64_t size; 136 uint32_t blk_len; 137 uint32_t multi_blk_cnt; 138 uint32_t erase_start; 139 uint32_t erase_end; 140 uint8_t pwd[16]; 141 uint32_t pwd_len; 142 uint8_t function_group[6]; 143 uint8_t current_cmd; 144 const char *last_cmd_name; 145 /* True if we will handle the next command as an ACMD. Note that this does 146 * *not* track the APP_CMD status bit! 147 */ 148 bool expecting_acmd; 149 uint32_t blk_written; 150 151 uint64_t data_start; 152 uint32_t data_offset; 153 size_t data_size; 154 uint8_t data[512]; 155 qemu_irq readonly_cb; 156 qemu_irq inserted_cb; 157 QEMUTimer *ocr_power_timer; 158 bool enable; 159 uint8_t dat_lines; 160 bool cmd_line; 161 }; 162 163 static void sd_realize(DeviceState *dev, Error **errp); 164 165 static const SDProto sd_proto_spi; 166 167 static bool sd_is_spi(SDState *sd) 168 { 169 return sd->proto == &sd_proto_spi; 170 } 171 172 static const char *sd_version_str(enum SDPhySpecificationVersion version) 173 { 174 static const char *sdphy_version[] = { 175 [SD_PHY_SPECv1_10_VERS] = "v1.10", 176 [SD_PHY_SPECv2_00_VERS] = "v2.00", 177 [SD_PHY_SPECv3_01_VERS] = "v3.01", 178 }; 179 if (version >= ARRAY_SIZE(sdphy_version)) { 180 return "unsupported version"; 181 } 182 return sdphy_version[version]; 183 } 184 185 static const char *sd_mode_name(enum SDCardModes mode) 186 { 187 static const char *mode_name[] = { 188 [sd_inactive] = "inactive", 189 [sd_card_identification_mode] = "identification", 190 [sd_data_transfer_mode] = "transfer", 191 }; 192 assert(mode < ARRAY_SIZE(mode_name)); 193 return mode_name[mode]; 194 } 195 196 static const char *sd_state_name(enum SDCardStates state) 197 { 198 static const char *state_name[] = { 199 [sd_idle_state] = "idle", 200 [sd_ready_state] = "ready", 201 [sd_identification_state] = "identification", 202 [sd_standby_state] = "standby", 203 [sd_transfer_state] = "transfer", 204 [sd_sendingdata_state] = "sendingdata", 205 [sd_receivingdata_state] = "receivingdata", 206 [sd_programming_state] = "programming", 207 [sd_disconnect_state] = "disconnect", 208 }; 209 if (state == sd_inactive_state) { 210 return "inactive"; 211 } 212 assert(state < ARRAY_SIZE(state_name)); 213 return state_name[state]; 214 } 215 216 static const char *sd_response_name(sd_rsp_type_t rsp) 217 { 218 static const char *response_name[] = { 219 [sd_r0] = "RESP#0 (no response)", 220 [sd_r1] = "RESP#1 (normal cmd)", 221 [sd_r2_i] = "RESP#2 (CID reg)", 222 [sd_r2_s] = "RESP#2 (CSD reg)", 223 [sd_r3] = "RESP#3 (OCR reg)", 224 [sd_r6] = "RESP#6 (RCA)", 225 [sd_r7] = "RESP#7 (operating voltage)", 226 }; 227 if (rsp == sd_illegal) { 228 return "ILLEGAL RESP"; 229 } 230 if (rsp == sd_r1b) { 231 rsp = sd_r1; 232 } 233 assert(rsp < ARRAY_SIZE(response_name)); 234 return response_name[rsp]; 235 } 236 237 static const char *sd_cmd_name(SDState *sd, uint8_t cmd) 238 { 239 static const char *cmd_abbrev[SDMMC_CMD_MAX] = { 240 [18] = "READ_MULTIPLE_BLOCK", 241 [21] = "DPS_spec", 242 [25] = "WRITE_MULTIPLE_BLOCK", 243 [26] = "MANUF_RSVD", 244 [40] = "DPS_spec", 245 [56] = "GEN_CMD", 246 [60] = "MANUF_RSVD", [61] = "MANUF_RSVD", 247 [62] = "MANUF_RSVD", [63] = "MANUF_RSVD", 248 }; 249 const SDProto *sdp = sd->proto; 250 251 if (sdp->cmd[cmd].handler) { 252 assert(!cmd_abbrev[cmd]); 253 return sdp->cmd[cmd].name; 254 } 255 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD"; 256 } 257 258 static const char *sd_acmd_name(SDState *sd, uint8_t cmd) 259 { 260 static const char *acmd_abbrev[SDMMC_CMD_MAX] = { 261 [14] = "DPS_spec", [15] = "DPS_spec", 262 [16] = "DPS_spec", 263 [18] = "SECU_spec", 264 [52] = "SECU_spec", [53] = "SECU_spec", 265 [54] = "SECU_spec", 266 [56] = "SECU_spec", [57] = "SECU_spec", 267 [58] = "SECU_spec", [59] = "SECU_spec", 268 }; 269 const SDProto *sdp = sd->proto; 270 271 if (sdp->acmd[cmd].handler) { 272 assert(!acmd_abbrev[cmd]); 273 return sdp->acmd[cmd].name; 274 } 275 276 return acmd_abbrev[cmd] ? acmd_abbrev[cmd] : "UNKNOWN_ACMD"; 277 } 278 279 static uint8_t sd_get_dat_lines(SDState *sd) 280 { 281 return sd->enable ? sd->dat_lines : 0; 282 } 283 284 static bool sd_get_cmd_line(SDState *sd) 285 { 286 return sd->enable ? sd->cmd_line : false; 287 } 288 289 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 290 { 291 trace_sdcard_set_voltage(millivolts); 292 293 switch (millivolts) { 294 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 295 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 296 break; 297 default: 298 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 299 millivolts / 1000.f); 300 } 301 } 302 303 static void sd_set_mode(SDState *sd) 304 { 305 switch (sd->state) { 306 case sd_inactive_state: 307 sd->mode = sd_inactive; 308 break; 309 310 case sd_idle_state: 311 case sd_ready_state: 312 case sd_identification_state: 313 sd->mode = sd_card_identification_mode; 314 break; 315 316 case sd_standby_state: 317 case sd_transfer_state: 318 case sd_sendingdata_state: 319 case sd_receivingdata_state: 320 case sd_programming_state: 321 case sd_disconnect_state: 322 sd->mode = sd_data_transfer_mode; 323 break; 324 } 325 } 326 327 static uint8_t sd_crc7(const void *message, size_t width) 328 { 329 int i, bit; 330 uint8_t shift_reg = 0x00; 331 const uint8_t *msg = (const uint8_t *)message; 332 333 for (i = 0; i < width; i ++, msg ++) 334 for (bit = 7; bit >= 0; bit --) { 335 shift_reg <<= 1; 336 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 337 shift_reg ^= 0x89; 338 } 339 340 return shift_reg; 341 } 342 343 /* Operation Conditions register */ 344 345 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 346 347 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 348 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 349 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 350 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 351 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 352 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 353 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 354 FIELD(OCR, CARD_POWER_UP, 31, 1) 355 356 #define ACMD41_ENQUIRY_MASK 0x00ffffff 357 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 358 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 359 | R_OCR_UHS_II_CARD_MASK \ 360 | R_OCR_CARD_CAPACITY_MASK \ 361 | R_OCR_CARD_POWER_UP_MASK) 362 363 static void sd_ocr_powerup(void *opaque) 364 { 365 SDState *sd = opaque; 366 367 trace_sdcard_powerup(); 368 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 369 370 /* card power-up OK */ 371 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 372 373 if (sd->size > SDSC_MAX_CAPACITY) { 374 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 375 } 376 } 377 378 static void sd_set_ocr(SDState *sd) 379 { 380 /* All voltages OK */ 381 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 382 383 if (sd_is_spi(sd)) { 384 /* 385 * We don't need to emulate power up sequence in SPI-mode. 386 * Thus, the card's power up status bit should be set to 1 when reset. 387 * The card's capacity status bit should also be set if SD card size 388 * is larger than 2GB for SDHC support. 389 */ 390 sd_ocr_powerup(sd); 391 } 392 } 393 394 /* SD Configuration register */ 395 396 static void sd_set_scr(SDState *sd) 397 { 398 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 399 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 400 sd->scr[0] |= 1; /* Spec Version 1.10 */ 401 } else { 402 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 403 } 404 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 405 | 0b0101; /* 1-bit or 4-bit width bus modes */ 406 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 407 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 408 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 409 } 410 sd->scr[3] = 0x00; 411 /* reserved for manufacturer usage */ 412 sd->scr[4] = 0x00; 413 sd->scr[5] = 0x00; 414 sd->scr[6] = 0x00; 415 sd->scr[7] = 0x00; 416 } 417 418 /* Card IDentification register */ 419 420 #define MID 0xaa 421 #define OID "XY" 422 #define PNM "QEMU!" 423 #define PRV 0x01 424 #define MDT_YR 2006 425 #define MDT_MON 2 426 427 static void sd_set_cid(SDState *sd) 428 { 429 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 430 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 431 sd->cid[2] = OID[1]; 432 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 433 sd->cid[4] = PNM[1]; 434 sd->cid[5] = PNM[2]; 435 sd->cid[6] = PNM[3]; 436 sd->cid[7] = PNM[4]; 437 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 438 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */ 439 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 440 ((MDT_YR - 2000) / 10); 441 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 442 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 443 } 444 445 /* Card-Specific Data register */ 446 447 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 448 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 449 #define WPGROUP_SHIFT 7 /* 2 megs */ 450 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 451 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 452 453 static const uint8_t sd_csd_rw_mask[16] = { 454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 456 }; 457 458 static void sd_set_csd(SDState *sd, uint64_t size) 459 { 460 int hwblock_shift = HWBLOCK_SHIFT; 461 uint32_t csize; 462 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 463 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 464 465 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */ 466 if (size == SDSC_MAX_CAPACITY) { 467 hwblock_shift += 1; 468 } 469 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1; 470 471 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */ 472 sd->csd[0] = 0x00; /* CSD structure */ 473 sd->csd[1] = 0x26; /* Data read access-time-1 */ 474 sd->csd[2] = 0x00; /* Data read access-time-2 */ 475 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 476 sd->csd[4] = 0x5f; /* Card Command Classes */ 477 sd->csd[5] = 0x50 | /* Max. read data block length */ 478 hwblock_shift; 479 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 480 ((csize >> 10) & 0x03); 481 sd->csd[7] = 0x00 | /* Device size */ 482 ((csize >> 2) & 0xff); 483 sd->csd[8] = 0x3f | /* Max. read current */ 484 ((csize << 6) & 0xc0); 485 sd->csd[9] = 0xfc | /* Max. write current */ 486 ((CMULT_SHIFT - 2) >> 1); 487 sd->csd[10] = 0x40 | /* Erase sector size */ 488 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 489 sd->csd[11] = 0x00 | /* Write protect group size */ 490 ((sectsize << 7) & 0x80) | wpsize; 491 sd->csd[12] = 0x90 | /* Write speed factor */ 492 (hwblock_shift >> 2); 493 sd->csd[13] = 0x20 | /* Max. write data block length */ 494 ((hwblock_shift << 6) & 0xc0); 495 sd->csd[14] = 0x00; /* File format group */ 496 } else { /* SDHC */ 497 size /= 512 * KiB; 498 size -= 1; 499 sd->csd[0] = 0x40; 500 sd->csd[1] = 0x0e; 501 sd->csd[2] = 0x00; 502 sd->csd[3] = 0x32; 503 sd->csd[4] = 0x5b; 504 sd->csd[5] = 0x59; 505 sd->csd[6] = 0x00; 506 st24_be_p(&sd->csd[7], size); 507 sd->csd[10] = 0x7f; 508 sd->csd[11] = 0x80; 509 sd->csd[12] = 0x0a; 510 sd->csd[13] = 0x40; 511 sd->csd[14] = 0x00; 512 } 513 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 514 } 515 516 /* Relative Card Address register */ 517 518 static void sd_set_rca(SDState *sd) 519 { 520 sd->rca += 0x4567; 521 } 522 523 static uint16_t sd_req_get_rca(SDState *s, SDRequest req) 524 { 525 switch (s->proto->cmd[req.cmd].type) { 526 case sd_none: 527 /* Called from legacy code not ported to SDProto array */ 528 assert(!s->proto->cmd[req.cmd].handler); 529 /* fall-through */ 530 case sd_ac: 531 case sd_adtc: 532 return req.arg >> 16; 533 case sd_spi: 534 g_assert_not_reached(); 535 default: 536 return 0; 537 } 538 } 539 540 static bool sd_req_rca_same(SDState *s, SDRequest req) 541 { 542 return sd_req_get_rca(s, req) == s->rca; 543 } 544 545 /* Card Status register */ 546 547 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 548 FIELD(CSR, APP_CMD, 5, 1) 549 FIELD(CSR, FX_EVENT, 6, 1) 550 FIELD(CSR, READY_FOR_DATA, 8, 1) 551 FIELD(CSR, CURRENT_STATE, 9, 4) 552 FIELD(CSR, ERASE_RESET, 13, 1) 553 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 554 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 555 FIELD(CSR, CSD_OVERWRITE, 16, 1) 556 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 557 FIELD(CSR, ERROR, 19, 1) 558 FIELD(CSR, CC_ERROR, 20, 1) 559 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 560 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 561 FIELD(CSR, COM_CRC_ERROR, 23, 1) 562 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 563 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 564 FIELD(CSR, WP_VIOLATION, 26, 1) 565 FIELD(CSR, ERASE_PARAM, 27, 1) 566 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 567 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 568 FIELD(CSR, ADDRESS_ERROR, 30, 1) 569 FIELD(CSR, OUT_OF_RANGE, 31, 1) 570 571 /* Card status bits, split by clear condition: 572 * A : According to the card current state 573 * B : Always related to the previous command 574 * C : Cleared by read 575 */ 576 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 577 | R_CSR_CARD_ECC_DISABLED_MASK \ 578 | R_CSR_CARD_IS_LOCKED_MASK) 579 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 580 | R_CSR_ILLEGAL_COMMAND_MASK \ 581 | R_CSR_COM_CRC_ERROR_MASK) 582 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 583 | R_CSR_APP_CMD_MASK \ 584 | R_CSR_ERASE_RESET_MASK \ 585 | R_CSR_WP_ERASE_SKIP_MASK \ 586 | R_CSR_CSD_OVERWRITE_MASK \ 587 | R_CSR_ERROR_MASK \ 588 | R_CSR_CC_ERROR_MASK \ 589 | R_CSR_CARD_ECC_FAILED_MASK \ 590 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 591 | R_CSR_WP_VIOLATION_MASK \ 592 | R_CSR_ERASE_PARAM_MASK \ 593 | R_CSR_ERASE_SEQ_ERROR_MASK \ 594 | R_CSR_BLOCK_LEN_ERROR_MASK \ 595 | R_CSR_ADDRESS_ERROR_MASK \ 596 | R_CSR_OUT_OF_RANGE_MASK) 597 598 static void sd_set_cardstatus(SDState *sd) 599 { 600 sd->card_status = READY_FOR_DATA; 601 } 602 603 static void sd_set_sdstatus(SDState *sd) 604 { 605 memset(sd->sd_status, 0, 64); 606 } 607 608 static const uint8_t sd_tuning_block_pattern4[64] = { 609 /* 610 * See: Physical Layer Simplified Specification Version 3.01, 611 * Table 4-2. 612 */ 613 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 614 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 615 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 616 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 617 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 618 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 619 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 620 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde 621 }; 622 623 static int sd_req_crc_validate(SDRequest *req) 624 { 625 uint8_t buffer[5]; 626 buffer[0] = 0x40 | req->cmd; 627 stl_be_p(&buffer[1], req->arg); 628 return 0; 629 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 630 } 631 632 static void sd_response_r1_make(SDState *sd, uint8_t *response) 633 { 634 stl_be_p(response, sd->card_status); 635 636 /* Clear the "clear on read" status bits */ 637 sd->card_status &= ~CARD_STATUS_C; 638 } 639 640 static void sd_response_r3_make(SDState *sd, uint8_t *response) 641 { 642 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 643 } 644 645 static void sd_response_r6_make(SDState *sd, uint8_t *response) 646 { 647 uint16_t status; 648 649 status = ((sd->card_status >> 8) & 0xc000) | 650 ((sd->card_status >> 6) & 0x2000) | 651 (sd->card_status & 0x1fff); 652 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 653 stw_be_p(response + 0, sd->rca); 654 stw_be_p(response + 2, status); 655 } 656 657 static void sd_response_r7_make(SDState *sd, uint8_t *response) 658 { 659 stl_be_p(response, sd->vhs); 660 } 661 662 static uint32_t sd_blk_len(SDState *sd) 663 { 664 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 665 return 1 << HWBLOCK_SHIFT; 666 } 667 return sd->blk_len; 668 } 669 670 static uint64_t sd_req_get_address(SDState *sd, SDRequest req) 671 { 672 uint64_t addr; 673 674 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 675 addr = (uint64_t) req.arg << HWBLOCK_SHIFT; 676 } else { 677 addr = req.arg; 678 } 679 trace_sdcard_req_addr(req.arg, addr); 680 return addr; 681 } 682 683 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 684 { 685 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 686 } 687 688 static void sd_reset(DeviceState *dev) 689 { 690 SDState *sd = SD_CARD(dev); 691 uint64_t size; 692 uint64_t sect; 693 694 trace_sdcard_reset(); 695 if (sd->blk) { 696 blk_get_geometry(sd->blk, §); 697 } else { 698 sect = 0; 699 } 700 size = sect << HWBLOCK_SHIFT; 701 702 sect = sd_addr_to_wpnum(size) + 1; 703 704 sd->state = sd_idle_state; 705 706 /* card registers */ 707 sd->rca = 0x0000; 708 sd->size = size; 709 sd_set_ocr(sd); 710 sd_set_scr(sd); 711 sd_set_cid(sd); 712 sd_set_csd(sd, size); 713 sd_set_cardstatus(sd); 714 sd_set_sdstatus(sd); 715 716 g_free(sd->wp_group_bmap); 717 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false; 718 sd->wp_group_bits = sect; 719 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits); 720 memset(sd->function_group, 0, sizeof(sd->function_group)); 721 sd->erase_start = INVALID_ADDRESS; 722 sd->erase_end = INVALID_ADDRESS; 723 sd->blk_len = 0x200; 724 sd->pwd_len = 0; 725 sd->expecting_acmd = false; 726 sd->dat_lines = 0xf; 727 sd->cmd_line = true; 728 sd->multi_blk_cnt = 0; 729 } 730 731 static bool sd_get_inserted(SDState *sd) 732 { 733 return sd->blk && blk_is_inserted(sd->blk); 734 } 735 736 static bool sd_get_readonly(SDState *sd) 737 { 738 return sd->wp_switch; 739 } 740 741 static void sd_cardchange(void *opaque, bool load, Error **errp) 742 { 743 SDState *sd = opaque; 744 DeviceState *dev = DEVICE(sd); 745 SDBus *sdbus; 746 bool inserted = sd_get_inserted(sd); 747 bool readonly = sd_get_readonly(sd); 748 749 if (inserted) { 750 trace_sdcard_inserted(readonly); 751 sd_reset(dev); 752 } else { 753 trace_sdcard_ejected(); 754 } 755 756 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) { 757 qemu_set_irq(sd->inserted_cb, inserted); 758 if (inserted) { 759 qemu_set_irq(sd->readonly_cb, readonly); 760 } 761 } else { 762 sdbus = SD_BUS(qdev_get_parent_bus(dev)); 763 sdbus_set_inserted(sdbus, inserted); 764 if (inserted) { 765 sdbus_set_readonly(sdbus, readonly); 766 } 767 } 768 } 769 770 static const BlockDevOps sd_block_ops = { 771 .change_media_cb = sd_cardchange, 772 }; 773 774 static bool sd_ocr_vmstate_needed(void *opaque) 775 { 776 SDState *sd = opaque; 777 778 /* Include the OCR state (and timer) if it is not yet powered up */ 779 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 780 } 781 782 static const VMStateDescription sd_ocr_vmstate = { 783 .name = "sd-card/ocr-state", 784 .version_id = 1, 785 .minimum_version_id = 1, 786 .needed = sd_ocr_vmstate_needed, 787 .fields = (const VMStateField[]) { 788 VMSTATE_UINT32(ocr, SDState), 789 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 790 VMSTATE_END_OF_LIST() 791 }, 792 }; 793 794 static int sd_vmstate_pre_load(void *opaque) 795 { 796 SDState *sd = opaque; 797 798 /* If the OCR state is not included (prior versions, or not 799 * needed), then the OCR must be set as powered up. If the OCR state 800 * is included, this will be replaced by the state restore. 801 */ 802 sd_ocr_powerup(sd); 803 804 return 0; 805 } 806 807 static const VMStateDescription sd_vmstate = { 808 .name = "sd-card", 809 .version_id = 2, 810 .minimum_version_id = 2, 811 .pre_load = sd_vmstate_pre_load, 812 .fields = (const VMStateField[]) { 813 VMSTATE_UINT32(mode, SDState), 814 VMSTATE_INT32(state, SDState), 815 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 816 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 817 VMSTATE_UINT16(rca, SDState), 818 VMSTATE_UINT32(card_status, SDState), 819 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 820 VMSTATE_UINT32(vhs, SDState), 821 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits), 822 VMSTATE_UINT32(blk_len, SDState), 823 VMSTATE_UINT32(multi_blk_cnt, SDState), 824 VMSTATE_UINT32(erase_start, SDState), 825 VMSTATE_UINT32(erase_end, SDState), 826 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 827 VMSTATE_UINT32(pwd_len, SDState), 828 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 829 VMSTATE_UINT8(current_cmd, SDState), 830 VMSTATE_BOOL(expecting_acmd, SDState), 831 VMSTATE_UINT32(blk_written, SDState), 832 VMSTATE_UINT64(data_start, SDState), 833 VMSTATE_UINT32(data_offset, SDState), 834 VMSTATE_UINT8_ARRAY(data, SDState, 512), 835 VMSTATE_UNUSED_V(1, 512), 836 VMSTATE_BOOL(enable, SDState), 837 VMSTATE_END_OF_LIST() 838 }, 839 .subsections = (const VMStateDescription * const []) { 840 &sd_ocr_vmstate, 841 NULL 842 }, 843 }; 844 845 /* Legacy initialization function for use by non-qdevified callers */ 846 SDState *sd_init(BlockBackend *blk, bool is_spi) 847 { 848 Object *obj; 849 DeviceState *dev; 850 SDState *sd; 851 Error *err = NULL; 852 853 obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD); 854 dev = DEVICE(obj); 855 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) { 856 error_reportf_err(err, "sd_init failed: "); 857 return NULL; 858 } 859 860 /* 861 * Realizing the device properly would put it into the QOM 862 * composition tree even though it is not plugged into an 863 * appropriate bus. That's a no-no. Hide the device from 864 * QOM/qdev, and call its qdev realize callback directly. 865 */ 866 object_ref(obj); 867 object_unparent(obj); 868 sd_realize(dev, &err); 869 if (err) { 870 error_reportf_err(err, "sd_init failed: "); 871 return NULL; 872 } 873 874 sd = SD_CARD(dev); 875 sd->me_no_qdev_me_kill_mammoth_with_rocks = true; 876 return sd; 877 } 878 879 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 880 { 881 sd->readonly_cb = readonly; 882 sd->inserted_cb = insert; 883 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0); 884 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 885 } 886 887 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 888 { 889 trace_sdcard_read_block(addr, len); 890 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) { 891 fprintf(stderr, "sd_blk_read: read error on host side\n"); 892 } 893 } 894 895 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 896 { 897 trace_sdcard_write_block(addr, len); 898 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) { 899 fprintf(stderr, "sd_blk_write: write error on host side\n"); 900 } 901 } 902 903 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 904 #define APP_WRITE_BLOCK(a, len) 905 906 static void sd_erase(SDState *sd) 907 { 908 uint64_t erase_start = sd->erase_start; 909 uint64_t erase_end = sd->erase_end; 910 bool sdsc = true; 911 uint64_t wpnum; 912 uint64_t erase_addr; 913 int erase_len = 1 << HWBLOCK_SHIFT; 914 915 trace_sdcard_erase(sd->erase_start, sd->erase_end); 916 if (sd->erase_start == INVALID_ADDRESS 917 || sd->erase_end == INVALID_ADDRESS) { 918 sd->card_status |= ERASE_SEQ_ERROR; 919 sd->erase_start = INVALID_ADDRESS; 920 sd->erase_end = INVALID_ADDRESS; 921 return; 922 } 923 924 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 925 /* High capacity memory card: erase units are 512 byte blocks */ 926 erase_start <<= HWBLOCK_SHIFT; 927 erase_end <<= HWBLOCK_SHIFT; 928 sdsc = false; 929 } 930 931 if (erase_start > sd->size || erase_end > sd->size) { 932 sd->card_status |= OUT_OF_RANGE; 933 sd->erase_start = INVALID_ADDRESS; 934 sd->erase_end = INVALID_ADDRESS; 935 return; 936 } 937 938 sd->erase_start = INVALID_ADDRESS; 939 sd->erase_end = INVALID_ADDRESS; 940 sd->csd[14] |= 0x40; 941 942 memset(sd->data, 0xff, erase_len); 943 for (erase_addr = erase_start; erase_addr <= erase_end; 944 erase_addr += erase_len) { 945 if (sdsc) { 946 /* Only SDSC cards support write protect groups */ 947 wpnum = sd_addr_to_wpnum(erase_addr); 948 assert(wpnum < sd->wp_group_bits); 949 if (test_bit(wpnum, sd->wp_group_bmap)) { 950 sd->card_status |= WP_ERASE_SKIP; 951 continue; 952 } 953 } 954 sd_blk_write(sd, erase_addr, erase_len); 955 } 956 } 957 958 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 959 { 960 uint32_t i, wpnum; 961 uint32_t ret = 0; 962 963 wpnum = sd_addr_to_wpnum(addr); 964 965 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 966 if (addr >= sd->size) { 967 /* 968 * If the addresses of the last groups are outside the valid range, 969 * then the corresponding write protection bits shall be set to 0. 970 */ 971 continue; 972 } 973 assert(wpnum < sd->wp_group_bits); 974 if (test_bit(wpnum, sd->wp_group_bmap)) { 975 ret |= (1 << i); 976 } 977 } 978 979 return ret; 980 } 981 982 static void sd_function_switch(SDState *sd, uint32_t arg) 983 { 984 int i, mode, new_func; 985 mode = !!(arg & 0x80000000); 986 987 sd->data[0] = 0x00; /* Maximum current consumption */ 988 sd->data[1] = 0x01; 989 sd->data[2] = 0x80; /* Supported group 6 functions */ 990 sd->data[3] = 0x01; 991 sd->data[4] = 0x80; /* Supported group 5 functions */ 992 sd->data[5] = 0x01; 993 sd->data[6] = 0x80; /* Supported group 4 functions */ 994 sd->data[7] = 0x01; 995 sd->data[8] = 0x80; /* Supported group 3 functions */ 996 sd->data[9] = 0x01; 997 sd->data[10] = 0x80; /* Supported group 2 functions */ 998 sd->data[11] = 0x43; 999 sd->data[12] = 0x80; /* Supported group 1 functions */ 1000 sd->data[13] = 0x03; 1001 1002 memset(&sd->data[14], 0, 3); 1003 for (i = 0; i < 6; i ++) { 1004 new_func = (arg >> (i * 4)) & 0x0f; 1005 if (mode && new_func != 0x0f) 1006 sd->function_group[i] = new_func; 1007 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4); 1008 } 1009 memset(&sd->data[17], 0, 47); 1010 } 1011 1012 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 1013 { 1014 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1015 } 1016 1017 static void sd_lock_command(SDState *sd) 1018 { 1019 int erase, lock, clr_pwd, set_pwd, pwd_len; 1020 erase = !!(sd->data[0] & 0x08); 1021 lock = sd->data[0] & 0x04; 1022 clr_pwd = sd->data[0] & 0x02; 1023 set_pwd = sd->data[0] & 0x01; 1024 1025 if (sd->blk_len > 1) 1026 pwd_len = sd->data[1]; 1027 else 1028 pwd_len = 0; 1029 1030 if (lock) { 1031 trace_sdcard_lock(); 1032 } else { 1033 trace_sdcard_unlock(); 1034 } 1035 if (erase) { 1036 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 1037 set_pwd || clr_pwd || lock || sd->wp_switch || 1038 (sd->csd[14] & 0x20)) { 1039 sd->card_status |= LOCK_UNLOCK_FAILED; 1040 return; 1041 } 1042 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits); 1043 sd->csd[14] &= ~0x10; 1044 sd->card_status &= ~CARD_IS_LOCKED; 1045 sd->pwd_len = 0; 1046 /* Erasing the entire card here! */ 1047 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 1048 return; 1049 } 1050 1051 if (sd->blk_len < 2 + pwd_len || 1052 pwd_len <= sd->pwd_len || 1053 pwd_len > sd->pwd_len + 16) { 1054 sd->card_status |= LOCK_UNLOCK_FAILED; 1055 return; 1056 } 1057 1058 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 1059 sd->card_status |= LOCK_UNLOCK_FAILED; 1060 return; 1061 } 1062 1063 pwd_len -= sd->pwd_len; 1064 if ((pwd_len && !set_pwd) || 1065 (clr_pwd && (set_pwd || lock)) || 1066 (lock && !sd->pwd_len && !set_pwd) || 1067 (!set_pwd && !clr_pwd && 1068 (((sd->card_status & CARD_IS_LOCKED) && lock) || 1069 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 1070 sd->card_status |= LOCK_UNLOCK_FAILED; 1071 return; 1072 } 1073 1074 if (set_pwd) { 1075 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 1076 sd->pwd_len = pwd_len; 1077 } 1078 1079 if (clr_pwd) { 1080 sd->pwd_len = 0; 1081 } 1082 1083 if (lock) 1084 sd->card_status |= CARD_IS_LOCKED; 1085 else 1086 sd->card_status &= ~CARD_IS_LOCKED; 1087 } 1088 1089 static bool address_in_range(SDState *sd, const char *desc, 1090 uint64_t addr, uint32_t length) 1091 { 1092 if (addr + length > sd->size) { 1093 qemu_log_mask(LOG_GUEST_ERROR, 1094 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n", 1095 desc, addr, sd->size, length); 1096 sd->card_status |= ADDRESS_ERROR; 1097 return false; 1098 } 1099 return true; 1100 } 1101 1102 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req) 1103 { 1104 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n", 1105 sd->proto->name, req.cmd, sd_state_name(sd->state), 1106 sd_version_str(sd->spec_version)); 1107 1108 return sd_illegal; 1109 } 1110 1111 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req) 1112 { 1113 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n", 1114 sd->proto->name, req.cmd, sd_mode_name(sd->mode), 1115 sd_version_str(sd->spec_version)); 1116 1117 return sd_illegal; 1118 } 1119 1120 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req) 1121 { 1122 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n", 1123 sd->proto->name, req.cmd, 1124 sd_version_str(sd->spec_version)); 1125 1126 return sd_illegal; 1127 } 1128 1129 /* Commands that are recognised but not yet implemented. */ 1130 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req) 1131 { 1132 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n", 1133 sd->proto->name, req.cmd); 1134 1135 return sd_illegal; 1136 } 1137 1138 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req) 1139 { 1140 qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n", 1141 sd->proto->name, req.cmd); 1142 1143 return sd_illegal; 1144 } 1145 1146 /* Configure fields for following sd_generic_write_byte() calls */ 1147 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req, 1148 uint64_t start, size_t size) 1149 { 1150 if (sd->state != sd_transfer_state) { 1151 return sd_invalid_state_for_cmd(sd, req); 1152 } 1153 sd->state = sd_receivingdata_state; 1154 sd->data_start = start; 1155 sd->data_offset = 0; 1156 /* sd->data[] used as receive buffer */ 1157 sd->data_size = size ?: sizeof(sd->data); 1158 return sd_r1; 1159 } 1160 1161 /* Configure fields for following sd_generic_read_byte() calls */ 1162 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req, 1163 uint64_t start, 1164 const void *data, size_t size) 1165 { 1166 if (sd->state != sd_transfer_state) { 1167 sd_invalid_state_for_cmd(sd, req); 1168 } 1169 1170 sd->state = sd_sendingdata_state; 1171 sd->data_start = start; 1172 sd->data_offset = 0; 1173 if (data) { 1174 assert(size > 0 && size <= sizeof(sd->data)); 1175 memcpy(sd->data, data, size); 1176 } 1177 if (size) { 1178 sd->data_size = size; 1179 } 1180 return sd_r1; 1181 } 1182 1183 /* CMD0 */ 1184 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req) 1185 { 1186 sd->state = sd_idle_state; 1187 sd_reset(DEVICE(sd)); 1188 1189 return sd_is_spi(sd) ? sd_r1 : sd_r0; 1190 } 1191 1192 /* CMD1 */ 1193 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1194 { 1195 sd->state = sd_transfer_state; 1196 1197 return sd_r1; 1198 } 1199 1200 /* CMD2 */ 1201 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req) 1202 { 1203 switch (sd->state) { 1204 case sd_ready_state: 1205 sd->state = sd_identification_state; 1206 return sd_r2_i; 1207 default: 1208 return sd_invalid_state_for_cmd(sd, req); 1209 } 1210 } 1211 1212 /* CMD3 */ 1213 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req) 1214 { 1215 switch (sd->state) { 1216 case sd_identification_state: 1217 case sd_standby_state: 1218 sd->state = sd_standby_state; 1219 sd_set_rca(sd); 1220 return sd_r6; 1221 1222 default: 1223 return sd_invalid_state_for_cmd(sd, req); 1224 } 1225 } 1226 1227 /* CMD6 */ 1228 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req) 1229 { 1230 if (sd->mode != sd_data_transfer_mode) { 1231 return sd_invalid_mode_for_cmd(sd, req); 1232 } 1233 if (sd->state != sd_transfer_state) { 1234 return sd_invalid_state_for_cmd(sd, req); 1235 } 1236 1237 sd_function_switch(sd, req.arg); 1238 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64); 1239 } 1240 1241 /* CMD7 */ 1242 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req) 1243 { 1244 bool same_rca = sd_req_rca_same(sd, req); 1245 1246 switch (sd->state) { 1247 case sd_standby_state: 1248 if (!same_rca) { 1249 return sd_r0; 1250 } 1251 sd->state = sd_transfer_state; 1252 return sd_r1b; 1253 1254 case sd_transfer_state: 1255 case sd_sendingdata_state: 1256 if (same_rca) { 1257 break; 1258 } 1259 sd->state = sd_standby_state; 1260 return sd_r1b; 1261 1262 case sd_disconnect_state: 1263 if (!same_rca) { 1264 return sd_r0; 1265 } 1266 sd->state = sd_programming_state; 1267 return sd_r1b; 1268 1269 case sd_programming_state: 1270 if (same_rca) { 1271 break; 1272 } 1273 sd->state = sd_disconnect_state; 1274 return sd_r1b; 1275 1276 default: 1277 break; 1278 } 1279 return sd_invalid_state_for_cmd(sd, req); 1280 } 1281 1282 /* CMD8 */ 1283 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req) 1284 { 1285 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1286 return sd_cmd_illegal(sd, req); 1287 } 1288 if (sd->state != sd_idle_state) { 1289 return sd_invalid_state_for_cmd(sd, req); 1290 } 1291 sd->vhs = 0; 1292 1293 /* No response if not exactly one VHS bit is set. */ 1294 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1295 return sd_is_spi(sd) ? sd_r7 : sd_r0; 1296 } 1297 1298 /* Accept. */ 1299 sd->vhs = req.arg; 1300 return sd_r7; 1301 } 1302 1303 /* CMD9 */ 1304 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req) 1305 { 1306 if (sd->state != sd_standby_state) { 1307 return sd_invalid_state_for_cmd(sd, req); 1308 } 1309 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1310 sd->csd, 16); 1311 } 1312 1313 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req) 1314 { 1315 if (sd->state != sd_standby_state) { 1316 return sd_invalid_state_for_cmd(sd, req); 1317 } 1318 1319 return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0; 1320 } 1321 1322 /* CMD10 */ 1323 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req) 1324 { 1325 if (sd->state != sd_standby_state) { 1326 return sd_invalid_state_for_cmd(sd, req); 1327 } 1328 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1329 sd->cid, 16); 1330 } 1331 1332 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req) 1333 { 1334 if (sd->state != sd_standby_state) { 1335 return sd_invalid_state_for_cmd(sd, req); 1336 } 1337 1338 return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0; 1339 } 1340 1341 /* CMD12 */ 1342 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req) 1343 { 1344 switch (sd->state) { 1345 case sd_sendingdata_state: 1346 sd->state = sd_transfer_state; 1347 return sd_r1b; 1348 case sd_receivingdata_state: 1349 sd->state = sd_programming_state; 1350 /* Bzzzzzzztt .... Operation complete. */ 1351 sd->state = sd_transfer_state; 1352 return sd_r1; 1353 default: 1354 return sd_invalid_state_for_cmd(sd, req); 1355 } 1356 } 1357 1358 /* CMD13 */ 1359 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req) 1360 { 1361 if (sd->mode != sd_data_transfer_mode) { 1362 return sd_invalid_mode_for_cmd(sd, req); 1363 } 1364 1365 switch (sd->state) { 1366 case sd_standby_state: 1367 case sd_transfer_state: 1368 case sd_sendingdata_state: 1369 case sd_receivingdata_state: 1370 case sd_programming_state: 1371 case sd_disconnect_state: 1372 break; 1373 default: 1374 return sd_invalid_state_for_cmd(sd, req); 1375 } 1376 1377 if (sd_is_spi(sd)) { 1378 return sd_r2_s; 1379 } 1380 1381 return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0; 1382 } 1383 1384 /* CMD15 */ 1385 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req) 1386 { 1387 if (sd->mode != sd_data_transfer_mode) { 1388 return sd_invalid_mode_for_cmd(sd, req); 1389 } 1390 switch (sd->state) { 1391 case sd_standby_state: 1392 case sd_transfer_state: 1393 case sd_sendingdata_state: 1394 case sd_receivingdata_state: 1395 case sd_programming_state: 1396 case sd_disconnect_state: 1397 break; 1398 default: 1399 return sd_invalid_state_for_cmd(sd, req); 1400 } 1401 if (sd_req_rca_same(sd, req)) { 1402 sd->state = sd_inactive_state; 1403 } 1404 1405 return sd_r0; 1406 } 1407 1408 /* CMD16 */ 1409 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req) 1410 { 1411 if (sd->state != sd_transfer_state) { 1412 return sd_invalid_state_for_cmd(sd, req); 1413 } 1414 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1415 sd->card_status |= BLOCK_LEN_ERROR; 1416 } else { 1417 trace_sdcard_set_blocklen(req.arg); 1418 sd->blk_len = req.arg; 1419 } 1420 1421 return sd_r1; 1422 } 1423 1424 /* CMD17 */ 1425 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req) 1426 { 1427 uint64_t addr; 1428 1429 if (sd->state != sd_transfer_state) { 1430 return sd_invalid_state_for_cmd(sd, req); 1431 } 1432 1433 addr = sd_req_get_address(sd, req); 1434 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) { 1435 return sd_r1; 1436 } 1437 1438 sd_blk_read(sd, addr, sd->blk_len); 1439 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len); 1440 } 1441 1442 /* CMD19 */ 1443 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req) 1444 { 1445 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1446 return sd_cmd_illegal(sd, req); 1447 } 1448 1449 return sd_cmd_to_sendingdata(sd, req, 0, 1450 sd_tuning_block_pattern4, 1451 sizeof(sd_tuning_block_pattern4)); 1452 } 1453 1454 /* CMD23 */ 1455 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req) 1456 { 1457 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1458 return sd_cmd_illegal(sd, req); 1459 } 1460 1461 if (sd->state != sd_transfer_state) { 1462 return sd_invalid_state_for_cmd(sd, req); 1463 } 1464 1465 sd->multi_blk_cnt = req.arg; 1466 trace_sdcard_set_block_count(sd->multi_blk_cnt); 1467 1468 return sd_r1; 1469 } 1470 1471 /* CMD24 */ 1472 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req) 1473 { 1474 uint64_t addr; 1475 1476 if (sd->state != sd_transfer_state) { 1477 return sd_invalid_state_for_cmd(sd, req); 1478 } 1479 1480 addr = sd_req_get_address(sd, req); 1481 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) { 1482 return sd_r1; 1483 } 1484 1485 if (sd->size <= SDSC_MAX_CAPACITY) { 1486 if (sd_wp_addr(sd, addr)) { 1487 sd->card_status |= WP_VIOLATION; 1488 } 1489 } 1490 if (sd->csd[14] & 0x30) { 1491 sd->card_status |= WP_VIOLATION; 1492 } 1493 1494 sd->blk_written = 0; 1495 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len); 1496 } 1497 1498 /* CMD27 */ 1499 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req) 1500 { 1501 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd)); 1502 } 1503 1504 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req, 1505 bool is_write) 1506 { 1507 uint64_t addr; 1508 1509 if (sd->size > SDSC_MAX_CAPACITY) { 1510 return sd_illegal; 1511 } 1512 1513 if (sd->state != sd_transfer_state) { 1514 return sd_invalid_state_for_cmd(sd, req); 1515 } 1516 1517 addr = sd_req_get_address(sd, req); 1518 if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT", 1519 addr, 1)) { 1520 return sd_r1b; 1521 } 1522 1523 sd->state = sd_programming_state; 1524 if (is_write) { 1525 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1526 } else { 1527 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1528 } 1529 /* Bzzzzzzztt .... Operation complete. */ 1530 sd->state = sd_transfer_state; 1531 return sd_r1; 1532 } 1533 1534 /* CMD28 */ 1535 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req) 1536 { 1537 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true); 1538 } 1539 1540 /* CMD29 */ 1541 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req) 1542 { 1543 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false); 1544 } 1545 1546 /* CMD30 */ 1547 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req) 1548 { 1549 uint64_t addr; 1550 uint32_t data; 1551 1552 if (sd->size > SDSC_MAX_CAPACITY) { 1553 return sd_illegal; 1554 } 1555 1556 if (sd->state != sd_transfer_state) { 1557 return sd_invalid_state_for_cmd(sd, req); 1558 } 1559 1560 addr = sd_req_get_address(sd, req); 1561 if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) { 1562 return sd_r1; 1563 } 1564 1565 data = sd_wpbits(sd, req.arg); 1566 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data)); 1567 } 1568 1569 /* CMD32 */ 1570 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req) 1571 { 1572 if (sd->state != sd_transfer_state) { 1573 return sd_invalid_state_for_cmd(sd, req); 1574 } 1575 sd->erase_start = req.arg; 1576 return sd_r1; 1577 } 1578 1579 /* CMD33 */ 1580 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req) 1581 { 1582 if (sd->state != sd_transfer_state) { 1583 return sd_invalid_state_for_cmd(sd, req); 1584 } 1585 sd->erase_end = req.arg; 1586 return sd_r1; 1587 } 1588 1589 /* CMD38 */ 1590 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req) 1591 { 1592 if (sd->state != sd_transfer_state) { 1593 return sd_invalid_state_for_cmd(sd, req); 1594 } 1595 if (sd->csd[14] & 0x30) { 1596 sd->card_status |= WP_VIOLATION; 1597 return sd_r1b; 1598 } 1599 1600 sd->state = sd_programming_state; 1601 sd_erase(sd); 1602 /* Bzzzzzzztt .... Operation complete. */ 1603 sd->state = sd_transfer_state; 1604 return sd_r1b; 1605 } 1606 1607 /* CMD42 */ 1608 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req) 1609 { 1610 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1611 } 1612 1613 /* CMD55 */ 1614 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req) 1615 { 1616 switch (sd->state) { 1617 case sd_ready_state: 1618 case sd_identification_state: 1619 case sd_inactive_state: 1620 return sd_invalid_state_for_cmd(sd, req); 1621 case sd_idle_state: 1622 if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) { 1623 qemu_log_mask(LOG_GUEST_ERROR, 1624 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1625 } 1626 /* fall-through */ 1627 default: 1628 break; 1629 } 1630 if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) { 1631 return sd_r0; 1632 } 1633 sd->expecting_acmd = true; 1634 sd->card_status |= APP_CMD; 1635 1636 return sd_r1; 1637 } 1638 1639 /* CMD58 */ 1640 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req) 1641 { 1642 return sd_r3; 1643 } 1644 1645 /* CMD59 */ 1646 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req) 1647 { 1648 return sd_r1; 1649 } 1650 1651 /* ACMD6 */ 1652 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req) 1653 { 1654 if (sd->state != sd_transfer_state) { 1655 return sd_invalid_state_for_cmd(sd, req); 1656 } 1657 1658 sd->sd_status[0] &= 0x3f; 1659 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1660 return sd_r1; 1661 } 1662 1663 /* ACMD13 */ 1664 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req) 1665 { 1666 return sd_cmd_to_sendingdata(sd, req, 0, 1667 sd->sd_status, sizeof(sd->sd_status)); 1668 } 1669 1670 /* ACMD22 */ 1671 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req) 1672 { 1673 return sd_cmd_to_sendingdata(sd, req, 0, 1674 &sd->blk_written, sizeof(sd->blk_written)); 1675 } 1676 1677 /* ACMD23 */ 1678 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req) 1679 { 1680 if (sd->state != sd_transfer_state) { 1681 return sd_invalid_state_for_cmd(sd, req); 1682 } 1683 return sd_r1; 1684 } 1685 1686 /* ACMD41 */ 1687 static sd_rsp_type_t sd_acmd_SD_APP_OP_COND(SDState *sd, SDRequest req) 1688 { 1689 if (sd->state != sd_idle_state) { 1690 return sd_invalid_state_for_cmd(sd, req); 1691 } 1692 1693 /* 1694 * If it's the first ACMD41 since reset, we need to decide 1695 * whether to power up. If this is not an enquiry ACMD41, 1696 * we immediately report power on and proceed below to the 1697 * ready state, but if it is, we set a timer to model a 1698 * delay for power up. This works around a bug in EDK2 1699 * UEFI, which sends an initial enquiry ACMD41, but 1700 * assumes that the card is in ready state as soon as it 1701 * sees the power up bit set. 1702 */ 1703 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1704 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1705 timer_del(sd->ocr_power_timer); 1706 sd_ocr_powerup(sd); 1707 } else { 1708 trace_sdcard_inquiry_cmd41(); 1709 if (!timer_pending(sd->ocr_power_timer)) { 1710 timer_mod_ns(sd->ocr_power_timer, 1711 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1712 + OCR_POWER_DELAY_NS)); 1713 } 1714 } 1715 } 1716 1717 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1718 /* 1719 * We accept any voltage. 10000 V is nothing. 1720 * 1721 * Once we're powered up, we advance straight to ready state 1722 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1723 */ 1724 sd->state = sd_ready_state; 1725 } 1726 1727 return sd_r3; 1728 } 1729 1730 /* ACMD42 */ 1731 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req) 1732 { 1733 if (sd->state != sd_transfer_state) { 1734 return sd_invalid_state_for_cmd(sd, req); 1735 } 1736 1737 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1738 return sd_r1; 1739 } 1740 1741 /* ACMD51 */ 1742 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req) 1743 { 1744 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr)); 1745 } 1746 1747 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 1748 { 1749 uint64_t addr; 1750 1751 sd->last_cmd_name = sd_cmd_name(sd, req.cmd); 1752 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 1753 * However there is no ACMD55, so we want to trace this particular case. 1754 */ 1755 if (req.cmd != 55 || sd->expecting_acmd) { 1756 trace_sdcard_normal_command(sd->proto->name, 1757 sd->last_cmd_name, req.cmd, 1758 req.arg, sd_state_name(sd->state)); 1759 } 1760 1761 /* Not interpreting this as an app command */ 1762 sd->card_status &= ~APP_CMD; 1763 1764 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 1765 * if not, its effects are cancelled */ 1766 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 1767 sd->multi_blk_cnt = 0; 1768 } 1769 1770 if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR, 1771 CARD_CAPACITY)) { 1772 /* Only Standard Capacity cards support class 6 commands */ 1773 return sd_illegal; 1774 } 1775 1776 if (sd->proto->cmd[req.cmd].handler) { 1777 return sd->proto->cmd[req.cmd].handler(sd, req); 1778 } 1779 1780 switch (req.cmd) { 1781 /* Block read commands (Class 2) */ 1782 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1783 addr = sd_req_get_address(sd, req); 1784 switch (sd->state) { 1785 case sd_transfer_state: 1786 1787 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) { 1788 return sd_r1; 1789 } 1790 1791 sd->state = sd_sendingdata_state; 1792 sd->data_start = addr; 1793 sd->data_offset = 0; 1794 return sd_r1; 1795 1796 default: 1797 break; 1798 } 1799 break; 1800 1801 /* Block write commands (Class 4) */ 1802 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1803 addr = sd_req_get_address(sd, req); 1804 switch (sd->state) { 1805 case sd_transfer_state: 1806 1807 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) { 1808 return sd_r1; 1809 } 1810 1811 sd->state = sd_receivingdata_state; 1812 sd->data_start = addr; 1813 sd->data_offset = 0; 1814 sd->blk_written = 0; 1815 1816 if (sd->size <= SDSC_MAX_CAPACITY) { 1817 if (sd_wp_addr(sd, sd->data_start)) { 1818 sd->card_status |= WP_VIOLATION; 1819 } 1820 } 1821 if (sd->csd[14] & 0x30) { 1822 sd->card_status |= WP_VIOLATION; 1823 } 1824 return sd_r1; 1825 1826 default: 1827 break; 1828 } 1829 break; 1830 1831 case 26: /* CMD26: PROGRAM_CID */ 1832 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid)); 1833 1834 /* Application specific commands (Class 8) */ 1835 case 56: /* CMD56: GEN_CMD */ 1836 switch (sd->state) { 1837 case sd_transfer_state: 1838 sd->data_offset = 0; 1839 if (req.arg & 1) 1840 sd->state = sd_sendingdata_state; 1841 else 1842 sd->state = sd_receivingdata_state; 1843 return sd_r1; 1844 1845 default: 1846 break; 1847 } 1848 break; 1849 1850 default: 1851 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1852 return sd_illegal; 1853 } 1854 1855 return sd_invalid_state_for_cmd(sd, req); 1856 } 1857 1858 static sd_rsp_type_t sd_app_command(SDState *sd, 1859 SDRequest req) 1860 { 1861 sd->last_cmd_name = sd_acmd_name(sd, req.cmd); 1862 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name, 1863 req.cmd, req.arg, sd_state_name(sd->state)); 1864 sd->card_status |= APP_CMD; 1865 1866 if (sd->proto->acmd[req.cmd].handler) { 1867 return sd->proto->acmd[req.cmd].handler(sd, req); 1868 } 1869 1870 switch (req.cmd) { 1871 case 18: /* Reserved for SD security applications */ 1872 case 25: 1873 case 26: 1874 case 38: 1875 case 43 ... 49: 1876 /* Refer to the "SD Specifications Part3 Security Specification" for 1877 * information about the SD Security Features. 1878 */ 1879 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 1880 req.cmd); 1881 return sd_illegal; 1882 1883 default: 1884 /* Fall back to standard commands. */ 1885 return sd_normal_command(sd, req); 1886 } 1887 1888 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1889 return sd_illegal; 1890 } 1891 1892 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd) 1893 { 1894 unsigned cmd_class; 1895 1896 /* Valid commands in locked state: 1897 * basic class (0) 1898 * lock card class (7) 1899 * CMD16 1900 * implicitly, the ACMD prefix CMD55 1901 * ACMD41 and ACMD42 1902 * Anything else provokes an "illegal command" response. 1903 */ 1904 if (sd->expecting_acmd) { 1905 return cmd == 41 || cmd == 42; 1906 } 1907 if (cmd == 16 || cmd == 55) { 1908 return true; 1909 } 1910 if (!sd->proto->cmd[cmd].handler) { 1911 return false; 1912 } 1913 cmd_class = sd->proto->cmd[cmd].class; 1914 1915 return cmd_class == 0 || cmd_class == 7; 1916 } 1917 1918 int sd_do_command(SDState *sd, SDRequest *req, 1919 uint8_t *response) { 1920 int last_state; 1921 sd_rsp_type_t rtype; 1922 int rsplen; 1923 1924 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1925 return 0; 1926 } 1927 1928 if (sd->state == sd_inactive_state) { 1929 rtype = sd_illegal; 1930 goto send_response; 1931 } 1932 1933 if (sd_req_crc_validate(req)) { 1934 sd->card_status |= COM_CRC_ERROR; 1935 rtype = sd_illegal; 1936 goto send_response; 1937 } 1938 1939 if (req->cmd >= SDMMC_CMD_MAX) { 1940 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 1941 req->cmd); 1942 req->cmd &= 0x3f; 1943 } 1944 1945 if (sd->card_status & CARD_IS_LOCKED) { 1946 if (!cmd_valid_while_locked(sd, req->cmd)) { 1947 sd->card_status |= ILLEGAL_COMMAND; 1948 sd->expecting_acmd = false; 1949 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1950 rtype = sd_illegal; 1951 goto send_response; 1952 } 1953 } 1954 1955 last_state = sd->state; 1956 sd_set_mode(sd); 1957 1958 if (sd->expecting_acmd) { 1959 sd->expecting_acmd = false; 1960 rtype = sd_app_command(sd, *req); 1961 } else { 1962 rtype = sd_normal_command(sd, *req); 1963 } 1964 1965 if (rtype == sd_illegal) { 1966 sd->card_status |= ILLEGAL_COMMAND; 1967 } else { 1968 /* Valid command, we can update the 'state before command' bits. 1969 * (Do this now so they appear in r1 responses.) 1970 */ 1971 sd->current_cmd = req->cmd; 1972 sd->card_status = FIELD_DP32(sd->card_status, CSR, 1973 CURRENT_STATE, last_state); 1974 } 1975 1976 send_response: 1977 switch (rtype) { 1978 case sd_r1: 1979 case sd_r1b: 1980 sd_response_r1_make(sd, response); 1981 rsplen = 4; 1982 break; 1983 1984 case sd_r2_i: 1985 memcpy(response, sd->cid, sizeof(sd->cid)); 1986 rsplen = 16; 1987 break; 1988 1989 case sd_r2_s: 1990 memcpy(response, sd->csd, sizeof(sd->csd)); 1991 rsplen = 16; 1992 break; 1993 1994 case sd_r3: 1995 sd_response_r3_make(sd, response); 1996 rsplen = 4; 1997 break; 1998 1999 case sd_r6: 2000 sd_response_r6_make(sd, response); 2001 rsplen = 4; 2002 break; 2003 2004 case sd_r7: 2005 sd_response_r7_make(sd, response); 2006 rsplen = 4; 2007 break; 2008 2009 case sd_r0: 2010 /* 2011 * Invalid state transition, reset implementation 2012 * fields to avoid OOB abuse. 2013 */ 2014 sd->data_start = 0; 2015 sd->data_offset = 0; 2016 /* fall-through */ 2017 case sd_illegal: 2018 rsplen = 0; 2019 break; 2020 default: 2021 g_assert_not_reached(); 2022 } 2023 trace_sdcard_response(sd_response_name(rtype), rsplen); 2024 2025 if (rtype != sd_illegal) { 2026 /* Clear the "clear on valid command" status bits now we've 2027 * sent any response 2028 */ 2029 sd->card_status &= ~CARD_STATUS_B; 2030 } 2031 2032 #ifdef DEBUG_SD 2033 qemu_hexdump(stderr, "Response", response, rsplen); 2034 #endif 2035 2036 return rsplen; 2037 } 2038 2039 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */ 2040 static bool sd_generic_write_byte(SDState *sd, uint8_t value) 2041 { 2042 sd->data[sd->data_offset] = value; 2043 2044 if (++sd->data_offset >= sd->data_size) { 2045 sd->state = sd_transfer_state; 2046 return true; 2047 } 2048 return false; 2049 } 2050 2051 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */ 2052 static bool sd_generic_read_byte(SDState *sd, uint8_t *value) 2053 { 2054 *value = sd->data[sd->data_offset]; 2055 2056 if (++sd->data_offset >= sd->data_size) { 2057 sd->state = sd_transfer_state; 2058 return true; 2059 } 2060 2061 return false; 2062 } 2063 2064 void sd_write_byte(SDState *sd, uint8_t value) 2065 { 2066 int i; 2067 2068 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 2069 return; 2070 2071 if (sd->state != sd_receivingdata_state) { 2072 qemu_log_mask(LOG_GUEST_ERROR, 2073 "%s: not in Receiving-Data state\n", __func__); 2074 return; 2075 } 2076 2077 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2078 return; 2079 2080 trace_sdcard_write_data(sd->proto->name, 2081 sd->last_cmd_name, 2082 sd->current_cmd, sd->data_offset, value); 2083 switch (sd->current_cmd) { 2084 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 2085 if (sd_generic_write_byte(sd, value)) { 2086 /* TODO: Check CRC before committing */ 2087 sd->state = sd_programming_state; 2088 sd_blk_write(sd, sd->data_start, sd->data_offset); 2089 sd->blk_written ++; 2090 sd->csd[14] |= 0x40; 2091 /* Bzzzzzzztt .... Operation complete. */ 2092 sd->state = sd_transfer_state; 2093 } 2094 break; 2095 2096 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2097 if (sd->data_offset == 0) { 2098 /* Start of the block - let's check the address is valid */ 2099 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK", 2100 sd->data_start, sd->blk_len)) { 2101 break; 2102 } 2103 if (sd->size <= SDSC_MAX_CAPACITY) { 2104 if (sd_wp_addr(sd, sd->data_start)) { 2105 sd->card_status |= WP_VIOLATION; 2106 break; 2107 } 2108 } 2109 } 2110 sd->data[sd->data_offset++] = value; 2111 if (sd->data_offset >= sd->blk_len) { 2112 /* TODO: Check CRC before committing */ 2113 sd->state = sd_programming_state; 2114 sd_blk_write(sd, sd->data_start, sd->data_offset); 2115 sd->blk_written++; 2116 sd->data_start += sd->blk_len; 2117 sd->data_offset = 0; 2118 sd->csd[14] |= 0x40; 2119 2120 /* Bzzzzzzztt .... Operation complete. */ 2121 if (sd->multi_blk_cnt != 0) { 2122 if (--sd->multi_blk_cnt == 0) { 2123 /* Stop! */ 2124 sd->state = sd_transfer_state; 2125 break; 2126 } 2127 } 2128 2129 sd->state = sd_receivingdata_state; 2130 } 2131 break; 2132 2133 case 26: /* CMD26: PROGRAM_CID */ 2134 if (sd_generic_write_byte(sd, value)) { 2135 /* TODO: Check CRC before committing */ 2136 sd->state = sd_programming_state; 2137 for (i = 0; i < sizeof(sd->cid); i ++) 2138 if ((sd->cid[i] | 0x00) != sd->data[i]) 2139 sd->card_status |= CID_CSD_OVERWRITE; 2140 2141 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2142 for (i = 0; i < sizeof(sd->cid); i ++) { 2143 sd->cid[i] |= 0x00; 2144 sd->cid[i] &= sd->data[i]; 2145 } 2146 /* Bzzzzzzztt .... Operation complete. */ 2147 sd->state = sd_transfer_state; 2148 } 2149 break; 2150 2151 case 27: /* CMD27: PROGRAM_CSD */ 2152 if (sd_generic_write_byte(sd, value)) { 2153 /* TODO: Check CRC before committing */ 2154 sd->state = sd_programming_state; 2155 for (i = 0; i < sizeof(sd->csd); i ++) 2156 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 2157 (sd->data[i] | sd_csd_rw_mask[i])) 2158 sd->card_status |= CID_CSD_OVERWRITE; 2159 2160 /* Copy flag (OTP) & Permanent write protect */ 2161 if (sd->csd[14] & ~sd->data[14] & 0x60) 2162 sd->card_status |= CID_CSD_OVERWRITE; 2163 2164 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2165 for (i = 0; i < sizeof(sd->csd); i ++) { 2166 sd->csd[i] |= sd_csd_rw_mask[i]; 2167 sd->csd[i] &= sd->data[i]; 2168 } 2169 /* Bzzzzzzztt .... Operation complete. */ 2170 sd->state = sd_transfer_state; 2171 } 2172 break; 2173 2174 case 42: /* CMD42: LOCK_UNLOCK */ 2175 if (sd_generic_write_byte(sd, value)) { 2176 /* TODO: Check CRC before committing */ 2177 sd->state = sd_programming_state; 2178 sd_lock_command(sd); 2179 /* Bzzzzzzztt .... Operation complete. */ 2180 sd->state = sd_transfer_state; 2181 } 2182 break; 2183 2184 case 56: /* CMD56: GEN_CMD */ 2185 sd->data[sd->data_offset ++] = value; 2186 if (sd->data_offset >= sd->blk_len) { 2187 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 2188 sd->state = sd_transfer_state; 2189 } 2190 break; 2191 2192 default: 2193 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__); 2194 break; 2195 } 2196 } 2197 2198 uint8_t sd_read_byte(SDState *sd) 2199 { 2200 /* TODO: Append CRCs */ 2201 uint8_t ret; 2202 uint32_t io_len; 2203 2204 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 2205 return 0x00; 2206 2207 if (sd->state != sd_sendingdata_state) { 2208 qemu_log_mask(LOG_GUEST_ERROR, 2209 "%s: not in Sending-Data state\n", __func__); 2210 return 0x00; 2211 } 2212 2213 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2214 return 0x00; 2215 2216 io_len = sd_blk_len(sd); 2217 2218 trace_sdcard_read_data(sd->proto->name, 2219 sd->last_cmd_name, 2220 sd->current_cmd, sd->data_offset, io_len); 2221 switch (sd->current_cmd) { 2222 case 6: /* CMD6: SWITCH_FUNCTION */ 2223 case 9: /* CMD9: SEND_CSD */ 2224 case 10: /* CMD10: SEND_CID */ 2225 case 13: /* ACMD13: SD_STATUS */ 2226 case 17: /* CMD17: READ_SINGLE_BLOCK */ 2227 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2228 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2229 case 30: /* CMD30: SEND_WRITE_PROT */ 2230 case 51: /* ACMD51: SEND_SCR */ 2231 sd_generic_read_byte(sd, &ret); 2232 break; 2233 2234 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2235 if (sd->data_offset == 0) { 2236 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK", 2237 sd->data_start, io_len)) { 2238 return 0x00; 2239 } 2240 sd_blk_read(sd, sd->data_start, io_len); 2241 } 2242 ret = sd->data[sd->data_offset ++]; 2243 2244 if (sd->data_offset >= io_len) { 2245 sd->data_start += io_len; 2246 sd->data_offset = 0; 2247 2248 if (sd->multi_blk_cnt != 0) { 2249 if (--sd->multi_blk_cnt == 0) { 2250 /* Stop! */ 2251 sd->state = sd_transfer_state; 2252 break; 2253 } 2254 } 2255 } 2256 break; 2257 2258 case 56: /* CMD56: GEN_CMD */ 2259 if (sd->data_offset == 0) 2260 APP_READ_BLOCK(sd->data_start, sd->blk_len); 2261 ret = sd->data[sd->data_offset ++]; 2262 2263 if (sd->data_offset >= sd->blk_len) 2264 sd->state = sd_transfer_state; 2265 break; 2266 2267 default: 2268 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__); 2269 return 0x00; 2270 } 2271 2272 return ret; 2273 } 2274 2275 static bool sd_receive_ready(SDState *sd) 2276 { 2277 return sd->state == sd_receivingdata_state; 2278 } 2279 2280 static bool sd_data_ready(SDState *sd) 2281 { 2282 return sd->state == sd_sendingdata_state; 2283 } 2284 2285 void sd_enable(SDState *sd, bool enable) 2286 { 2287 sd->enable = enable; 2288 } 2289 2290 static const SDProto sd_proto_spi = { 2291 .name = "SPI", 2292 .cmd = { 2293 [0] = {0, sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2294 [1] = {0, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2295 [5] = {9, sd_spi, "IO_SEND_OP_COND", sd_cmd_optional}, 2296 [6] = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2297 [8] = {0, sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2298 [9] = {0, sd_spi, "SEND_CSD", spi_cmd_SEND_CSD}, 2299 [10] = {0, sd_spi, "SEND_CID", spi_cmd_SEND_CID}, 2300 [12] = {0, sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2301 [13] = {0, sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2302 [16] = {2, sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2303 [17] = {2, sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2304 [24] = {4, sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2305 [27] = {4, sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2306 [28] = {6, sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2307 [29] = {6, sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2308 [30] = {6, sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2309 [32] = {5, sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2310 [33] = {5, sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2311 [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional}, 2312 [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional}, 2313 [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional}, 2314 [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2315 [38] = {5, sd_spi, "ERASE", sd_cmd_ERASE}, 2316 [42] = {7, sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2317 [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional}, 2318 [52] = {9, sd_spi, "IO_RW_DIRECT", sd_cmd_optional}, 2319 [53] = {9, sd_spi, "IO_RW_EXTENDED", sd_cmd_optional}, 2320 [55] = {8, sd_spi, "APP_CMD", sd_cmd_APP_CMD}, 2321 [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2322 [58] = {0, sd_spi, "READ_OCR", spi_cmd_READ_OCR}, 2323 [59] = {0, sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF}, 2324 }, 2325 .acmd = { 2326 [13] = {8, sd_spi, "SD_STATUS", sd_acmd_SD_STATUS}, 2327 [22] = {8, sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2328 [23] = {8, sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2329 [41] = {8, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2330 [42] = {8, sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2331 [51] = {8, sd_spi, "SEND_SCR", sd_acmd_SEND_SCR}, 2332 }, 2333 }; 2334 2335 static const SDProto sd_proto_sd = { 2336 .name = "SD", 2337 .cmd = { 2338 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2339 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2340 [3] = {0, sd_bcr, "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR}, 2341 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented}, 2342 [5] = {9, sd_bc, "IO_SEND_OP_COND", sd_cmd_optional}, 2343 [6] = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2344 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD}, 2345 [8] = {0, sd_bcr, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2346 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD}, 2347 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID}, 2348 [11] = {0, sd_ac, "VOLTAGE_SWITCH", sd_cmd_optional}, 2349 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2350 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2351 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE}, 2352 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2353 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2354 [19] = {2, sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK}, 2355 [20] = {2, sd_ac, "SPEED_CLASS_CONTROL", sd_cmd_optional}, 2356 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2357 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2358 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2359 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2360 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2361 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2362 [32] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2363 [33] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2364 [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional}, 2365 [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional}, 2366 [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional}, 2367 [37] = {10, sd_ac, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2368 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE}, 2369 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2370 [43] = {1, sd_ac, "Q_MANAGEMENT", sd_cmd_optional}, 2371 [44] = {1, sd_ac, "Q_TASK_INFO_A", sd_cmd_optional}, 2372 [45] = {1, sd_ac, "Q_TASK_INFO_B", sd_cmd_optional}, 2373 [46] = {1, sd_adtc, "Q_RD_TASK", sd_cmd_optional}, 2374 [47] = {1, sd_adtc, "Q_WR_TASK", sd_cmd_optional}, 2375 [48] = {1, sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional}, 2376 [49] = {1, sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional}, 2377 [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional}, 2378 [52] = {9, sd_bc, "IO_RW_DIRECT", sd_cmd_optional}, 2379 [53] = {9, sd_bc, "IO_RW_EXTENDED", sd_cmd_optional}, 2380 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD}, 2381 [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2382 [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional}, 2383 [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional}, 2384 }, 2385 .acmd = { 2386 [6] = {8, sd_ac, "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH}, 2387 [13] = {8, sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS}, 2388 [22] = {8, sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2389 [23] = {8, sd_ac, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2390 [41] = {8, sd_bcr, "SD_APP_OP_COND", sd_acmd_SD_APP_OP_COND}, 2391 [42] = {8, sd_ac, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2392 [51] = {8, sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR}, 2393 }, 2394 }; 2395 2396 static void sd_instance_init(Object *obj) 2397 { 2398 SDState *sd = SD_CARD(obj); 2399 SDCardClass *sc = SD_CARD_GET_CLASS(sd); 2400 2401 sd->proto = sc->proto; 2402 sd->last_cmd_name = "UNSET"; 2403 sd->enable = true; 2404 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2405 } 2406 2407 static void sd_instance_finalize(Object *obj) 2408 { 2409 SDState *sd = SD_CARD(obj); 2410 2411 timer_free(sd->ocr_power_timer); 2412 } 2413 2414 static void sd_realize(DeviceState *dev, Error **errp) 2415 { 2416 SDState *sd = SD_CARD(dev); 2417 int ret; 2418 2419 switch (sd->spec_version) { 2420 case SD_PHY_SPECv1_10_VERS 2421 ... SD_PHY_SPECv3_01_VERS: 2422 break; 2423 default: 2424 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2425 return; 2426 } 2427 2428 if (sd->blk) { 2429 int64_t blk_size; 2430 2431 if (!blk_supports_write_perm(sd->blk)) { 2432 error_setg(errp, "Cannot use read-only drive as SD card"); 2433 return; 2434 } 2435 2436 blk_size = blk_getlength(sd->blk); 2437 if (blk_size > 0 && !is_power_of_2(blk_size)) { 2438 int64_t blk_size_aligned = pow2ceil(blk_size); 2439 char *blk_size_str; 2440 2441 blk_size_str = size_to_str(blk_size); 2442 error_setg(errp, "Invalid SD card size: %s", blk_size_str); 2443 g_free(blk_size_str); 2444 2445 blk_size_str = size_to_str(blk_size_aligned); 2446 error_append_hint(errp, 2447 "SD card size has to be a power of 2, e.g. %s.\n" 2448 "You can resize disk images with" 2449 " 'qemu-img resize <imagefile> <new-size>'\n" 2450 "(note that this will lose data if you make the" 2451 " image smaller than it currently is).\n", 2452 blk_size_str); 2453 g_free(blk_size_str); 2454 2455 return; 2456 } 2457 2458 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2459 BLK_PERM_ALL, errp); 2460 if (ret < 0) { 2461 return; 2462 } 2463 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2464 } 2465 } 2466 2467 static Property sd_properties[] = { 2468 DEFINE_PROP_UINT8("spec_version", SDState, 2469 spec_version, SD_PHY_SPECv2_00_VERS), 2470 DEFINE_PROP_DRIVE("drive", SDState, blk), 2471 /* We do not model the chip select pin, so allow the board to select 2472 * whether card should be in SSI or MMC/SD mode. It is also up to the 2473 * board to ensure that ssi transfers only occur when the chip select 2474 * is asserted. */ 2475 DEFINE_PROP_END_OF_LIST() 2476 }; 2477 2478 static void sd_class_init(ObjectClass *klass, void *data) 2479 { 2480 DeviceClass *dc = DEVICE_CLASS(klass); 2481 SDCardClass *sc = SD_CARD_CLASS(klass); 2482 2483 dc->realize = sd_realize; 2484 device_class_set_props(dc, sd_properties); 2485 dc->vmsd = &sd_vmstate; 2486 dc->reset = sd_reset; 2487 dc->bus_type = TYPE_SD_BUS; 2488 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2489 2490 sc->set_voltage = sd_set_voltage; 2491 sc->get_dat_lines = sd_get_dat_lines; 2492 sc->get_cmd_line = sd_get_cmd_line; 2493 sc->do_command = sd_do_command; 2494 sc->write_byte = sd_write_byte; 2495 sc->read_byte = sd_read_byte; 2496 sc->receive_ready = sd_receive_ready; 2497 sc->data_ready = sd_data_ready; 2498 sc->enable = sd_enable; 2499 sc->get_inserted = sd_get_inserted; 2500 sc->get_readonly = sd_get_readonly; 2501 sc->proto = &sd_proto_sd; 2502 } 2503 2504 /* 2505 * We do not model the chip select pin, so allow the board to select 2506 * whether card should be in SSI or MMC/SD mode. It is also up to the 2507 * board to ensure that ssi transfers only occur when the chip select 2508 * is asserted. 2509 */ 2510 static void sd_spi_class_init(ObjectClass *klass, void *data) 2511 { 2512 DeviceClass *dc = DEVICE_CLASS(klass); 2513 SDCardClass *sc = SD_CARD_CLASS(klass); 2514 2515 dc->desc = "SD SPI"; 2516 sc->proto = &sd_proto_spi; 2517 } 2518 2519 static const TypeInfo sd_types[] = { 2520 { 2521 .name = TYPE_SD_CARD, 2522 .parent = TYPE_DEVICE, 2523 .instance_size = sizeof(SDState), 2524 .class_size = sizeof(SDCardClass), 2525 .class_init = sd_class_init, 2526 .instance_init = sd_instance_init, 2527 .instance_finalize = sd_instance_finalize, 2528 }, 2529 { 2530 .name = TYPE_SD_CARD_SPI, 2531 .parent = TYPE_SD_CARD, 2532 .class_init = sd_spi_class_init, 2533 }, 2534 }; 2535 2536 DEFINE_TYPES(sd_types) 2537