1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * eMMC emulation defined in "JEDEC Standard No. 84-A43" 6 * 7 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 8 * Copyright (c) 2007 CodeSourcery 9 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in 19 * the documentation and/or other materials provided with the 20 * distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 23 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 25 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 26 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 27 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 29 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 30 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include "qemu/osdep.h" 36 #include "qemu/units.h" 37 #include "qemu/cutils.h" 38 #include "hw/irq.h" 39 #include "hw/registerfields.h" 40 #include "system/block-backend.h" 41 #include "hw/sd/sd.h" 42 #include "migration/vmstate.h" 43 #include "qapi/error.h" 44 #include "qemu/bitmap.h" 45 #include "hw/qdev-properties.h" 46 #include "hw/qdev-properties-system.h" 47 #include "qemu/error-report.h" 48 #include "qemu/timer.h" 49 #include "qemu/log.h" 50 #include "qemu/guest-random.h" 51 #include "qemu/module.h" 52 #include "sdmmc-internal.h" 53 #include "trace.h" 54 55 //#define DEBUG_SD 1 56 57 #define SDSC_MAX_CAPACITY (2 * GiB) 58 59 #define INVALID_ADDRESS UINT32_MAX 60 61 typedef enum { 62 sd_r0 = 0, /* no response */ 63 sd_r1, /* normal response command */ 64 sd_r2_i, /* CID register */ 65 sd_r2_s, /* CSD register */ 66 sd_r3, /* OCR register */ 67 sd_r6 = 6, /* Published RCA response */ 68 sd_r7, /* Operating voltage */ 69 sd_r1b = -1, 70 sd_illegal = -2, 71 } sd_rsp_type_t; 72 73 typedef enum { 74 sd_spi, 75 sd_bc, /* broadcast -- no response */ 76 sd_bcr, /* broadcast with response */ 77 sd_ac, /* addressed -- no data transfer */ 78 sd_adtc, /* addressed with data transfer */ 79 } sd_cmd_type_t; 80 81 enum SDCardModes { 82 sd_inactive, 83 sd_card_identification_mode, 84 sd_data_transfer_mode, 85 }; 86 87 enum SDCardStates { 88 sd_waitirq_state = -2, /* emmc */ 89 sd_inactive_state = -1, 90 91 sd_idle_state = 0, 92 sd_ready_state = 1, 93 sd_identification_state = 2, 94 sd_standby_state = 3, 95 sd_transfer_state = 4, 96 sd_sendingdata_state = 5, 97 sd_receivingdata_state = 6, 98 sd_programming_state = 7, 99 sd_disconnect_state = 8, 100 sd_bus_test_state = 9, /* emmc */ 101 sd_sleep_state = 10, /* emmc */ 102 sd_io_state = 15 /* sd */ 103 }; 104 105 #define SDMMC_CMD_MAX 64 106 107 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req); 108 109 typedef struct SDProto { 110 const char *name; 111 struct { 112 const unsigned class; 113 const sd_cmd_type_t type; 114 const char *name; 115 sd_cmd_handler handler; 116 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX]; 117 } SDProto; 118 119 struct SDState { 120 DeviceState parent_obj; 121 122 /* SD Memory Card Registers */ 123 uint32_t ocr; 124 uint8_t scr[8]; 125 uint8_t cid[16]; 126 uint8_t csd[16]; 127 uint16_t rca; 128 uint32_t card_status; 129 uint8_t sd_status[64]; 130 union { 131 uint8_t ext_csd[512]; 132 struct { 133 uint8_t ext_csd_rw[192]; /* Modes segment */ 134 uint8_t ext_csd_ro[320]; /* Properties segment */ 135 }; 136 }; 137 138 /* Static properties */ 139 140 uint8_t spec_version; 141 uint64_t boot_part_size; 142 BlockBackend *blk; 143 uint8_t boot_config; 144 145 const SDProto *proto; 146 147 /* Runtime changeables */ 148 149 uint32_t mode; /* current card mode, one of SDCardModes */ 150 int32_t state; /* current card state, one of SDCardStates */ 151 uint32_t vhs; 152 bool wp_switch; 153 unsigned long *wp_group_bmap; 154 int32_t wp_group_bits; 155 uint64_t size; 156 uint32_t blk_len; 157 uint32_t multi_blk_cnt; 158 uint32_t erase_start; 159 uint32_t erase_end; 160 uint8_t pwd[16]; 161 uint32_t pwd_len; 162 uint8_t function_group[6]; 163 uint8_t current_cmd; 164 const char *last_cmd_name; 165 /* True if we will handle the next command as an ACMD. Note that this does 166 * *not* track the APP_CMD status bit! 167 */ 168 bool expecting_acmd; 169 uint32_t blk_written; 170 171 uint64_t data_start; 172 uint32_t data_offset; 173 size_t data_size; 174 uint8_t data[512]; 175 QEMUTimer *ocr_power_timer; 176 bool enable; 177 uint8_t dat_lines; 178 bool cmd_line; 179 }; 180 181 static void sd_realize(DeviceState *dev, Error **errp); 182 183 static const SDProto sd_proto_spi; 184 static const SDProto sd_proto_emmc; 185 186 static bool sd_is_spi(SDState *sd) 187 { 188 return sd->proto == &sd_proto_spi; 189 } 190 191 static bool sd_is_emmc(SDState *sd) 192 { 193 return sd->proto == &sd_proto_emmc; 194 } 195 196 static const char *sd_version_str(enum SDPhySpecificationVersion version) 197 { 198 static const char *sdphy_version[] = { 199 [SD_PHY_SPECv1_10_VERS] = "v1.10", 200 [SD_PHY_SPECv2_00_VERS] = "v2.00", 201 [SD_PHY_SPECv3_01_VERS] = "v3.01", 202 }; 203 if (version >= ARRAY_SIZE(sdphy_version)) { 204 return "unsupported version"; 205 } 206 return sdphy_version[version]; 207 } 208 209 static const char *sd_mode_name(enum SDCardModes mode) 210 { 211 static const char *mode_name[] = { 212 [sd_inactive] = "inactive", 213 [sd_card_identification_mode] = "identification", 214 [sd_data_transfer_mode] = "transfer", 215 }; 216 assert(mode < ARRAY_SIZE(mode_name)); 217 return mode_name[mode]; 218 } 219 220 static const char *sd_state_name(enum SDCardStates state) 221 { 222 static const char *state_name[] = { 223 [sd_idle_state] = "idle", 224 [sd_ready_state] = "ready", 225 [sd_identification_state] = "identification", 226 [sd_standby_state] = "standby", 227 [sd_transfer_state] = "transfer", 228 [sd_sendingdata_state] = "sendingdata", 229 [sd_bus_test_state] = "bus-test", 230 [sd_receivingdata_state] = "receivingdata", 231 [sd_programming_state] = "programming", 232 [sd_disconnect_state] = "disconnect", 233 [sd_sleep_state] = "sleep", 234 [sd_io_state] = "i/o" 235 }; 236 if (state == sd_inactive_state) { 237 return "inactive"; 238 } 239 if (state == sd_waitirq_state) { 240 return "wait-irq"; 241 } 242 assert(state < ARRAY_SIZE(state_name)); 243 return state_name[state]; 244 } 245 246 static const char *sd_response_name(sd_rsp_type_t rsp) 247 { 248 static const char *response_name[] = { 249 [sd_r0] = "RESP#0 (no response)", 250 [sd_r1] = "RESP#1 (normal cmd)", 251 [sd_r2_i] = "RESP#2 (CID reg)", 252 [sd_r2_s] = "RESP#2 (CSD reg)", 253 [sd_r3] = "RESP#3 (OCR reg)", 254 [sd_r6] = "RESP#6 (RCA)", 255 [sd_r7] = "RESP#7 (operating voltage)", 256 }; 257 if (rsp == sd_illegal) { 258 return "ILLEGAL RESP"; 259 } 260 if (rsp == sd_r1b) { 261 rsp = sd_r1; 262 } 263 assert(rsp < ARRAY_SIZE(response_name)); 264 return response_name[rsp]; 265 } 266 267 static const char *sd_cmd_name(SDState *sd, uint8_t cmd) 268 { 269 static const char *cmd_abbrev[SDMMC_CMD_MAX] = { 270 [18] = "READ_MULTIPLE_BLOCK", 271 [25] = "WRITE_MULTIPLE_BLOCK", 272 }; 273 const SDProto *sdp = sd->proto; 274 275 if (sdp->cmd[cmd].handler) { 276 assert(!cmd_abbrev[cmd]); 277 return sdp->cmd[cmd].name; 278 } 279 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD"; 280 } 281 282 static const char *sd_acmd_name(SDState *sd, uint8_t cmd) 283 { 284 const SDProto *sdp = sd->proto; 285 286 if (sdp->acmd[cmd].handler) { 287 return sdp->acmd[cmd].name; 288 } 289 290 return "UNKNOWN_ACMD"; 291 } 292 293 static uint8_t sd_get_dat_lines(SDState *sd) 294 { 295 return sd->enable ? sd->dat_lines : 0; 296 } 297 298 static bool sd_get_cmd_line(SDState *sd) 299 { 300 return sd->enable ? sd->cmd_line : false; 301 } 302 303 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 304 { 305 trace_sdcard_set_voltage(millivolts); 306 307 switch (millivolts) { 308 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 309 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 310 break; 311 default: 312 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 313 millivolts / 1000.f); 314 } 315 } 316 317 static void sd_set_mode(SDState *sd) 318 { 319 switch (sd->state) { 320 case sd_inactive_state: 321 sd->mode = sd_inactive; 322 break; 323 324 case sd_idle_state: 325 case sd_ready_state: 326 case sd_identification_state: 327 sd->mode = sd_card_identification_mode; 328 break; 329 330 case sd_standby_state: 331 case sd_transfer_state: 332 case sd_sendingdata_state: 333 case sd_receivingdata_state: 334 case sd_programming_state: 335 case sd_disconnect_state: 336 sd->mode = sd_data_transfer_mode; 337 break; 338 } 339 } 340 341 static uint8_t sd_crc7(const void *message, size_t width) 342 { 343 int i, bit; 344 uint8_t shift_reg = 0x00; 345 const uint8_t *msg = (const uint8_t *)message; 346 347 for (i = 0; i < width; i ++, msg ++) 348 for (bit = 7; bit >= 0; bit --) { 349 shift_reg <<= 1; 350 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 351 shift_reg ^= 0x89; 352 } 353 354 return shift_reg; 355 } 356 357 /* Operation Conditions register */ 358 359 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 360 361 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 362 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 363 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 364 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 365 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 366 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 367 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 368 FIELD(OCR, CARD_POWER_UP, 31, 1) 369 370 #define ACMD41_ENQUIRY_MASK 0x00ffffff 371 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 372 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 373 | R_OCR_UHS_II_CARD_MASK \ 374 | R_OCR_CARD_CAPACITY_MASK \ 375 | R_OCR_CARD_POWER_UP_MASK) 376 377 static void sd_ocr_powerup(void *opaque) 378 { 379 SDState *sd = opaque; 380 381 trace_sdcard_powerup(); 382 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 383 384 /* card power-up OK */ 385 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 386 387 if (sd->size > SDSC_MAX_CAPACITY) { 388 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 389 } 390 } 391 392 static void sd_set_ocr(SDState *sd) 393 { 394 /* All voltages OK */ 395 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 396 397 if (sd_is_spi(sd)) { 398 /* 399 * We don't need to emulate power up sequence in SPI-mode. 400 * Thus, the card's power up status bit should be set to 1 when reset. 401 * The card's capacity status bit should also be set if SD card size 402 * is larger than 2GB for SDHC support. 403 */ 404 sd_ocr_powerup(sd); 405 } 406 } 407 408 /* SD Configuration register */ 409 410 static void sd_set_scr(SDState *sd) 411 { 412 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 413 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 414 sd->scr[0] |= 1; /* Spec Version 1.10 */ 415 } else { 416 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 417 } 418 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 419 | 0b0101; /* 1-bit or 4-bit width bus modes */ 420 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 421 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 422 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 423 } 424 sd->scr[3] = 0x00; 425 /* reserved for manufacturer usage */ 426 sd->scr[4] = 0x00; 427 sd->scr[5] = 0x00; 428 sd->scr[6] = 0x00; 429 sd->scr[7] = 0x00; 430 } 431 432 /* Card IDentification register */ 433 434 #define MID 0xaa 435 #define OID "XY" 436 #define PNM "QEMU!" 437 #define PRV 0x01 438 #define MDT_YR 2006 439 #define MDT_MON 2 440 441 static void sd_set_cid(SDState *sd) 442 { 443 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 444 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 445 sd->cid[2] = OID[1]; 446 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 447 sd->cid[4] = PNM[1]; 448 sd->cid[5] = PNM[2]; 449 sd->cid[6] = PNM[3]; 450 sd->cid[7] = PNM[4]; 451 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 452 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */ 453 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 454 ((MDT_YR - 2000) / 10); 455 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 456 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 457 } 458 459 static void emmc_set_cid(SDState *sd) 460 { 461 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 462 sd->cid[1] = 0b01; /* CBX: soldered BGA */ 463 sd->cid[2] = OID[0]; /* OEM/Application ID (OID) */ 464 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 465 sd->cid[4] = PNM[1]; 466 sd->cid[5] = PNM[2]; 467 sd->cid[6] = PNM[3]; 468 sd->cid[7] = PNM[4]; 469 sd->cid[8] = PNM[4]; 470 sd->cid[9] = PRV; /* Fake product revision (PRV) */ 471 stl_be_p(&sd->cid[10], 0xdeadbeef); /* Fake serial number (PSN) */ 472 sd->cid[14] = (MDT_MON << 4) | (MDT_YR - 1997); /* Manufacture date (MDT) */ 473 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 474 } 475 476 /* Card-Specific Data register */ 477 478 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 479 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 480 #define WPGROUP_SHIFT 7 /* 2 megs */ 481 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 482 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 483 484 static const uint8_t sd_csd_rw_mask[16] = { 485 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 486 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 487 }; 488 489 static void emmc_set_ext_csd(SDState *sd, uint64_t size) 490 { 491 uint32_t sectcount = size >> HWBLOCK_SHIFT; 492 493 memset(sd->ext_csd, 0, sizeof(sd->ext_csd)); /* FIXME only RW at reset */ 494 495 /* Properties segment (RO) */ 496 sd->ext_csd[EXT_CSD_S_CMD_SET] = 0b1; /* supported command sets */ 497 sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x0; /* Boot information */ 498 /* Boot partition size. 128KB unit */ 499 sd->ext_csd[EXT_CSD_BOOT_MULT] = sd->boot_part_size / (128 * KiB); 500 sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x1; /* Access size */ 501 sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x01; /* HC Erase unit size */ 502 sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x01; /* HC erase timeout */ 503 sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */ 504 sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x01; /* HC write protect group size */ 505 sd->ext_csd[EXT_CSD_S_C_VCC] = 0x01; /* Sleep current VCC */ 506 sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x01; /* Sleep current VCCQ */ 507 sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x01; /* Sleep/Awake timeout */ 508 stl_le_p(&sd->ext_csd[EXT_CSD_SEC_CNT], sectcount); /* Sector count */ 509 sd->ext_csd[210] = 0x46; /* Min write perf for 8bit@52Mhz */ 510 sd->ext_csd[209] = 0x46; /* Min read perf for 8bit@52Mhz */ 511 sd->ext_csd[208] = 0x46; /* Min write perf for 4bit@52Mhz */ 512 sd->ext_csd[207] = 0x46; /* Min read perf for 4bit@52Mhz */ 513 sd->ext_csd[206] = 0x46; /* Min write perf for 4bit@26Mhz */ 514 sd->ext_csd[205] = 0x46; /* Min read perf for 4bit@26Mhz */ 515 sd->ext_csd[EXT_CSD_CARD_TYPE] = 0b11; 516 sd->ext_csd[EXT_CSD_STRUCTURE] = 2; 517 sd->ext_csd[EXT_CSD_REV] = 3; 518 519 /* Mode segment (RW) */ 520 sd->ext_csd[EXT_CSD_PART_CONFIG] = sd->boot_config; 521 } 522 523 static void emmc_set_csd(SDState *sd, uint64_t size) 524 { 525 int hwblock_shift = HWBLOCK_SHIFT; 526 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 527 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 528 529 sd->csd[0] = (3 << 6) | (4 << 2); /* Spec v4.3 with EXT_CSD */ 530 sd->csd[1] = (1 << 3) | 6; /* Asynchronous data access time: 1ms */ 531 sd->csd[2] = 0x00; 532 sd->csd[3] = (1 << 3) | 3;; /* Maximum bus clock frequency: 100MHz */ 533 sd->csd[4] = 0x0f; 534 if (size <= 2 * GiB) { 535 /* use 1k blocks */ 536 uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1; 537 sd->csd[5] = 0x5a; 538 sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf); 539 sd->csd[7] = (csize1k >> 2) & 0xff; 540 } else { /* >= 2GB : size stored in ext CSD, block addressing */ 541 sd->csd[5] = 0x59; 542 sd->csd[6] = 0x8f; 543 sd->csd[7] = 0xff; 544 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 545 } 546 sd->csd[8] = 0xff; 547 sd->csd[9] = 0xfc | /* Max. write current */ 548 ((CMULT_SHIFT - 2) >> 1); 549 sd->csd[10] = 0x40 | /* Erase sector size */ 550 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 551 sd->csd[11] = 0x00 | /* Write protect group size */ 552 ((sectsize << 7) & 0x80) | wpsize; 553 sd->csd[12] = 0x90 | /* Write speed factor */ 554 (hwblock_shift >> 2); 555 sd->csd[13] = 0x20 | /* Max. write data block length */ 556 ((hwblock_shift << 6) & 0xc0); 557 sd->csd[14] = 0x00; 558 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 559 emmc_set_ext_csd(sd, size); 560 } 561 562 static void sd_set_csd(SDState *sd, uint64_t size) 563 { 564 int hwblock_shift = HWBLOCK_SHIFT; 565 uint32_t csize; 566 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 567 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 568 569 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */ 570 if (size == SDSC_MAX_CAPACITY) { 571 hwblock_shift += 1; 572 } 573 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1; 574 575 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */ 576 sd->csd[0] = 0x00; /* CSD structure */ 577 sd->csd[1] = 0x26; /* Data read access-time-1 */ 578 sd->csd[2] = 0x00; /* Data read access-time-2 */ 579 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 580 sd->csd[4] = 0x5f; /* Card Command Classes */ 581 sd->csd[5] = 0x50 | /* Max. read data block length */ 582 hwblock_shift; 583 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 584 ((csize >> 10) & 0x03); 585 sd->csd[7] = 0x00 | /* Device size */ 586 ((csize >> 2) & 0xff); 587 sd->csd[8] = 0x3f | /* Max. read current */ 588 ((csize << 6) & 0xc0); 589 sd->csd[9] = 0xfc | /* Max. write current */ 590 ((CMULT_SHIFT - 2) >> 1); 591 sd->csd[10] = 0x40 | /* Erase sector size */ 592 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 593 sd->csd[11] = 0x00 | /* Write protect group size */ 594 ((sectsize << 7) & 0x80) | wpsize; 595 sd->csd[12] = 0x90 | /* Write speed factor */ 596 (hwblock_shift >> 2); 597 sd->csd[13] = 0x20 | /* Max. write data block length */ 598 ((hwblock_shift << 6) & 0xc0); 599 sd->csd[14] = 0x00; /* File format group */ 600 } else { /* SDHC */ 601 size /= 512 * KiB; 602 size -= 1; 603 sd->csd[0] = 0x40; 604 sd->csd[1] = 0x0e; 605 sd->csd[2] = 0x00; 606 sd->csd[3] = 0x32; 607 sd->csd[4] = 0x5b; 608 sd->csd[5] = 0x59; 609 sd->csd[6] = 0x00; 610 st24_be_p(&sd->csd[7], size); 611 sd->csd[10] = 0x7f; 612 sd->csd[11] = 0x80; 613 sd->csd[12] = 0x0a; 614 sd->csd[13] = 0x40; 615 sd->csd[14] = 0x00; 616 } 617 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 618 } 619 620 /* Relative Card Address register */ 621 622 static void sd_set_rca(SDState *sd, uint16_t value) 623 { 624 trace_sdcard_set_rca(value); 625 sd->rca = value; 626 } 627 628 static uint16_t sd_req_get_rca(SDState *s, SDRequest req) 629 { 630 switch (s->proto->cmd[req.cmd].type) { 631 case sd_ac: 632 case sd_adtc: 633 return req.arg >> 16; 634 case sd_spi: 635 default: 636 g_assert_not_reached(); 637 } 638 } 639 640 static bool sd_req_rca_same(SDState *s, SDRequest req) 641 { 642 return sd_req_get_rca(s, req) == s->rca; 643 } 644 645 /* Card Status register */ 646 647 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 648 FIELD(CSR, APP_CMD, 5, 1) 649 FIELD(CSR, FX_EVENT, 6, 1) 650 FIELD(CSR, SWITCH_ERROR, 7, 1) 651 FIELD(CSR, READY_FOR_DATA, 8, 1) 652 FIELD(CSR, CURRENT_STATE, 9, 4) 653 FIELD(CSR, ERASE_RESET, 13, 1) 654 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 655 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 656 FIELD(CSR, CSD_OVERWRITE, 16, 1) 657 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 658 FIELD(CSR, ERROR, 19, 1) 659 FIELD(CSR, CC_ERROR, 20, 1) 660 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 661 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 662 FIELD(CSR, COM_CRC_ERROR, 23, 1) 663 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 664 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 665 FIELD(CSR, WP_VIOLATION, 26, 1) 666 FIELD(CSR, ERASE_PARAM, 27, 1) 667 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 668 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 669 FIELD(CSR, ADDRESS_ERROR, 30, 1) 670 FIELD(CSR, OUT_OF_RANGE, 31, 1) 671 672 /* Card status bits, split by clear condition: 673 * A : According to the card current state 674 * B : Always related to the previous command 675 * C : Cleared by read 676 */ 677 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 678 | R_CSR_CARD_ECC_DISABLED_MASK \ 679 | R_CSR_CARD_IS_LOCKED_MASK) 680 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 681 | R_CSR_ILLEGAL_COMMAND_MASK \ 682 | R_CSR_COM_CRC_ERROR_MASK) 683 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 684 | R_CSR_APP_CMD_MASK \ 685 | R_CSR_ERASE_RESET_MASK \ 686 | R_CSR_WP_ERASE_SKIP_MASK \ 687 | R_CSR_CSD_OVERWRITE_MASK \ 688 | R_CSR_ERROR_MASK \ 689 | R_CSR_CC_ERROR_MASK \ 690 | R_CSR_CARD_ECC_FAILED_MASK \ 691 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 692 | R_CSR_WP_VIOLATION_MASK \ 693 | R_CSR_ERASE_PARAM_MASK \ 694 | R_CSR_ERASE_SEQ_ERROR_MASK \ 695 | R_CSR_BLOCK_LEN_ERROR_MASK \ 696 | R_CSR_ADDRESS_ERROR_MASK \ 697 | R_CSR_OUT_OF_RANGE_MASK) 698 699 static void sd_set_cardstatus(SDState *sd) 700 { 701 sd->card_status = READY_FOR_DATA; 702 } 703 704 static void sd_set_sdstatus(SDState *sd) 705 { 706 memset(sd->sd_status, 0, 64); 707 } 708 709 static const uint8_t sd_tuning_block_pattern4[64] = { 710 /* 711 * See: Physical Layer Simplified Specification Version 3.01, 712 * Table 4-2. 713 */ 714 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 715 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 716 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 717 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 718 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 719 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 720 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 721 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde 722 }; 723 724 static int sd_req_crc_validate(SDRequest *req) 725 { 726 uint8_t buffer[5]; 727 buffer[0] = 0x40 | req->cmd; 728 stl_be_p(&buffer[1], req->arg); 729 return 0; 730 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 731 } 732 733 static void sd_response_r1_make(SDState *sd, uint8_t *response) 734 { 735 stl_be_p(response, sd->card_status); 736 737 /* Clear the "clear on read" status bits */ 738 sd->card_status &= ~CARD_STATUS_C; 739 } 740 741 static void sd_response_r3_make(SDState *sd, uint8_t *response) 742 { 743 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 744 } 745 746 static void sd_response_r6_make(SDState *sd, uint8_t *response) 747 { 748 uint16_t status; 749 750 status = ((sd->card_status >> 8) & 0xc000) | 751 ((sd->card_status >> 6) & 0x2000) | 752 (sd->card_status & 0x1fff); 753 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 754 stw_be_p(response + 0, sd->rca); 755 stw_be_p(response + 2, status); 756 } 757 758 static void sd_response_r7_make(SDState *sd, uint8_t *response) 759 { 760 stl_be_p(response, sd->vhs); 761 } 762 763 static uint32_t sd_blk_len(SDState *sd) 764 { 765 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 766 return 1 << HWBLOCK_SHIFT; 767 } 768 return sd->blk_len; 769 } 770 771 /* 772 * This requires a disk image that has two boot partitions inserted at the 773 * beginning of it. The size of the boot partitions is the "boot-size" 774 * property. 775 */ 776 static uint32_t sd_bootpart_offset(SDState *sd) 777 { 778 unsigned partition_access; 779 780 if (!sd->boot_part_size || !sd_is_emmc(sd)) { 781 return 0; 782 } 783 784 partition_access = sd->ext_csd[EXT_CSD_PART_CONFIG] 785 & EXT_CSD_PART_CONFIG_ACC_MASK; 786 switch (partition_access) { 787 case EXT_CSD_PART_CONFIG_ACC_DEFAULT: 788 return sd->boot_part_size * 2; 789 case EXT_CSD_PART_CONFIG_ACC_BOOT0: 790 return 0; 791 case EXT_CSD_PART_CONFIG_ACC_BOOT0 + 1: 792 return sd->boot_part_size * 1; 793 default: 794 g_assert_not_reached(); 795 } 796 } 797 798 static uint64_t sd_req_get_address(SDState *sd, SDRequest req) 799 { 800 uint64_t addr; 801 802 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 803 addr = (uint64_t) req.arg << HWBLOCK_SHIFT; 804 } else { 805 addr = req.arg; 806 } 807 trace_sdcard_req_addr(req.arg, addr); 808 return addr; 809 } 810 811 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 812 { 813 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 814 } 815 816 static void sd_reset(DeviceState *dev) 817 { 818 SDState *sd = SDMMC_COMMON(dev); 819 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd); 820 uint64_t size; 821 uint64_t sect; 822 823 trace_sdcard_reset(); 824 if (sd->blk) { 825 blk_get_geometry(sd->blk, §); 826 } else { 827 sect = 0; 828 } 829 size = sect << HWBLOCK_SHIFT; 830 if (sd_is_emmc(sd)) { 831 size -= sd->boot_part_size * 2; 832 } 833 834 sect = sd_addr_to_wpnum(size) + 1; 835 836 sd->state = sd_idle_state; 837 838 /* card registers */ 839 sd->rca = sd_is_emmc(sd) ? 0x0001 : 0x0000; 840 sd->size = size; 841 sd_set_ocr(sd); 842 sd_set_scr(sd); 843 sc->set_cid(sd); 844 sc->set_csd(sd, size); 845 sd_set_cardstatus(sd); 846 sd_set_sdstatus(sd); 847 848 g_free(sd->wp_group_bmap); 849 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false; 850 sd->wp_group_bits = sect; 851 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits); 852 memset(sd->function_group, 0, sizeof(sd->function_group)); 853 sd->erase_start = INVALID_ADDRESS; 854 sd->erase_end = INVALID_ADDRESS; 855 sd->blk_len = 0x200; 856 sd->pwd_len = 0; 857 sd->expecting_acmd = false; 858 sd->dat_lines = 0xf; 859 sd->cmd_line = true; 860 sd->multi_blk_cnt = 0; 861 } 862 863 static bool sd_get_inserted(SDState *sd) 864 { 865 return sd->blk && blk_is_inserted(sd->blk); 866 } 867 868 static bool sd_get_readonly(SDState *sd) 869 { 870 return sd->wp_switch; 871 } 872 873 static void sd_cardchange(void *opaque, bool load, Error **errp) 874 { 875 SDState *sd = opaque; 876 DeviceState *dev = DEVICE(sd); 877 SDBus *sdbus; 878 bool inserted = sd_get_inserted(sd); 879 bool readonly = sd_get_readonly(sd); 880 881 if (inserted) { 882 trace_sdcard_inserted(readonly); 883 sd_reset(dev); 884 } else { 885 trace_sdcard_ejected(); 886 } 887 888 sdbus = SD_BUS(qdev_get_parent_bus(dev)); 889 sdbus_set_inserted(sdbus, inserted); 890 if (inserted) { 891 sdbus_set_readonly(sdbus, readonly); 892 } 893 } 894 895 static const BlockDevOps sd_block_ops = { 896 .change_media_cb = sd_cardchange, 897 }; 898 899 static bool sd_ocr_vmstate_needed(void *opaque) 900 { 901 SDState *sd = opaque; 902 903 /* Include the OCR state (and timer) if it is not yet powered up */ 904 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 905 } 906 907 static const VMStateDescription sd_ocr_vmstate = { 908 .name = "sd-card/ocr-state", 909 .version_id = 1, 910 .minimum_version_id = 1, 911 .needed = sd_ocr_vmstate_needed, 912 .fields = (const VMStateField[]) { 913 VMSTATE_UINT32(ocr, SDState), 914 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 915 VMSTATE_END_OF_LIST() 916 }, 917 }; 918 919 static bool vmstate_needed_for_emmc(void *opaque) 920 { 921 SDState *sd = opaque; 922 923 return sd_is_emmc(sd); 924 } 925 926 static const VMStateDescription emmc_extcsd_vmstate = { 927 .name = "sd-card/ext_csd_modes-state", 928 .version_id = 1, 929 .minimum_version_id = 1, 930 .needed = vmstate_needed_for_emmc, 931 .fields = (const VMStateField[]) { 932 VMSTATE_UINT8_ARRAY(ext_csd_rw, SDState, 192), 933 VMSTATE_END_OF_LIST() 934 }, 935 }; 936 937 static int sd_vmstate_pre_load(void *opaque) 938 { 939 SDState *sd = opaque; 940 941 /* If the OCR state is not included (prior versions, or not 942 * needed), then the OCR must be set as powered up. If the OCR state 943 * is included, this will be replaced by the state restore. 944 */ 945 sd_ocr_powerup(sd); 946 947 return 0; 948 } 949 950 static const VMStateDescription sd_vmstate = { 951 .name = "sd-card", 952 .version_id = 2, 953 .minimum_version_id = 2, 954 .pre_load = sd_vmstate_pre_load, 955 .fields = (const VMStateField[]) { 956 VMSTATE_UINT32(mode, SDState), 957 VMSTATE_INT32(state, SDState), 958 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 959 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 960 VMSTATE_UINT16(rca, SDState), 961 VMSTATE_UINT32(card_status, SDState), 962 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 963 VMSTATE_UINT32(vhs, SDState), 964 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits), 965 VMSTATE_UINT32(blk_len, SDState), 966 VMSTATE_UINT32(multi_blk_cnt, SDState), 967 VMSTATE_UINT32(erase_start, SDState), 968 VMSTATE_UINT32(erase_end, SDState), 969 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 970 VMSTATE_UINT32(pwd_len, SDState), 971 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 972 VMSTATE_UINT8(current_cmd, SDState), 973 VMSTATE_BOOL(expecting_acmd, SDState), 974 VMSTATE_UINT32(blk_written, SDState), 975 VMSTATE_UINT64(data_start, SDState), 976 VMSTATE_UINT32(data_offset, SDState), 977 VMSTATE_UINT8_ARRAY(data, SDState, 512), 978 VMSTATE_UNUSED_V(1, 512), 979 VMSTATE_BOOL(enable, SDState), 980 VMSTATE_END_OF_LIST() 981 }, 982 .subsections = (const VMStateDescription * const []) { 983 &sd_ocr_vmstate, 984 &emmc_extcsd_vmstate, 985 NULL 986 }, 987 }; 988 989 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 990 { 991 trace_sdcard_read_block(addr, len); 992 addr += sd_bootpart_offset(sd); 993 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) { 994 fprintf(stderr, "sd_blk_read: read error on host side\n"); 995 } 996 } 997 998 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 999 { 1000 trace_sdcard_write_block(addr, len); 1001 addr += sd_bootpart_offset(sd); 1002 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) { 1003 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1004 } 1005 } 1006 1007 static void sd_erase(SDState *sd) 1008 { 1009 uint64_t erase_start = sd->erase_start; 1010 uint64_t erase_end = sd->erase_end; 1011 bool sdsc = true; 1012 uint64_t wpnum; 1013 uint64_t erase_addr; 1014 int erase_len = 1 << HWBLOCK_SHIFT; 1015 1016 trace_sdcard_erase(sd->erase_start, sd->erase_end); 1017 if (sd->erase_start == INVALID_ADDRESS 1018 || sd->erase_end == INVALID_ADDRESS) { 1019 sd->card_status |= ERASE_SEQ_ERROR; 1020 sd->erase_start = INVALID_ADDRESS; 1021 sd->erase_end = INVALID_ADDRESS; 1022 return; 1023 } 1024 1025 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 1026 /* High capacity memory card: erase units are 512 byte blocks */ 1027 erase_start <<= HWBLOCK_SHIFT; 1028 erase_end <<= HWBLOCK_SHIFT; 1029 sdsc = false; 1030 } 1031 1032 if (erase_start > sd->size || erase_end > sd->size) { 1033 sd->card_status |= OUT_OF_RANGE; 1034 sd->erase_start = INVALID_ADDRESS; 1035 sd->erase_end = INVALID_ADDRESS; 1036 return; 1037 } 1038 1039 sd->erase_start = INVALID_ADDRESS; 1040 sd->erase_end = INVALID_ADDRESS; 1041 sd->csd[14] |= 0x40; 1042 1043 memset(sd->data, 0xff, erase_len); 1044 for (erase_addr = erase_start; erase_addr <= erase_end; 1045 erase_addr += erase_len) { 1046 if (sdsc) { 1047 /* Only SDSC cards support write protect groups */ 1048 wpnum = sd_addr_to_wpnum(erase_addr); 1049 assert(wpnum < sd->wp_group_bits); 1050 if (test_bit(wpnum, sd->wp_group_bmap)) { 1051 sd->card_status |= WP_ERASE_SKIP; 1052 continue; 1053 } 1054 } 1055 sd_blk_write(sd, erase_addr, erase_len); 1056 } 1057 } 1058 1059 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 1060 { 1061 uint32_t i, wpnum; 1062 uint32_t ret = 0; 1063 1064 wpnum = sd_addr_to_wpnum(addr); 1065 1066 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 1067 if (addr >= sd->size) { 1068 /* 1069 * If the addresses of the last groups are outside the valid range, 1070 * then the corresponding write protection bits shall be set to 0. 1071 */ 1072 continue; 1073 } 1074 assert(wpnum < sd->wp_group_bits); 1075 if (test_bit(wpnum, sd->wp_group_bmap)) { 1076 ret |= (1 << i); 1077 } 1078 } 1079 1080 return ret; 1081 } 1082 1083 enum ExtCsdAccessMode { 1084 EXT_CSD_ACCESS_MODE_COMMAND_SET = 0, 1085 EXT_CSD_ACCESS_MODE_SET_BITS = 1, 1086 EXT_CSD_ACCESS_MODE_CLEAR_BITS = 2, 1087 EXT_CSD_ACCESS_MODE_WRITE_BYTE = 3 1088 }; 1089 1090 static void emmc_function_switch(SDState *sd, uint32_t arg) 1091 { 1092 uint8_t access = extract32(arg, 24, 2); 1093 uint8_t index = extract32(arg, 16, 8); 1094 uint8_t value = extract32(arg, 8, 8); 1095 uint8_t b = sd->ext_csd[index]; 1096 1097 trace_sdcard_switch(access, index, value, extract32(arg, 0, 2)); 1098 1099 if (index >= 192) { 1100 qemu_log_mask(LOG_GUEST_ERROR, "MMC switching illegal offset\n"); 1101 sd->card_status |= R_CSR_SWITCH_ERROR_MASK; 1102 return; 1103 } 1104 1105 switch (access) { 1106 case EXT_CSD_ACCESS_MODE_COMMAND_SET: 1107 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n"); 1108 return; 1109 case EXT_CSD_ACCESS_MODE_SET_BITS: 1110 b |= value; 1111 break; 1112 case EXT_CSD_ACCESS_MODE_CLEAR_BITS: 1113 b &= ~value; 1114 break; 1115 case EXT_CSD_ACCESS_MODE_WRITE_BYTE: 1116 b = value; 1117 break; 1118 } 1119 1120 trace_sdcard_ext_csd_update(index, sd->ext_csd[index], b); 1121 sd->ext_csd[index] = b; 1122 } 1123 1124 static void sd_function_switch(SDState *sd, uint32_t arg) 1125 { 1126 int i, mode, new_func; 1127 mode = !!(arg & 0x80000000); 1128 1129 sd->data[0] = 0x00; /* Maximum current consumption */ 1130 sd->data[1] = 0x01; 1131 sd->data[2] = 0x80; /* Supported group 6 functions */ 1132 sd->data[3] = 0x01; 1133 sd->data[4] = 0x80; /* Supported group 5 functions */ 1134 sd->data[5] = 0x01; 1135 sd->data[6] = 0x80; /* Supported group 4 functions */ 1136 sd->data[7] = 0x01; 1137 sd->data[8] = 0x80; /* Supported group 3 functions */ 1138 sd->data[9] = 0x01; 1139 sd->data[10] = 0x80; /* Supported group 2 functions */ 1140 sd->data[11] = 0x43; 1141 sd->data[12] = 0x80; /* Supported group 1 functions */ 1142 sd->data[13] = 0x03; 1143 1144 memset(&sd->data[14], 0, 3); 1145 for (i = 0; i < 6; i ++) { 1146 new_func = (arg >> (i * 4)) & 0x0f; 1147 if (mode && new_func != 0x0f) 1148 sd->function_group[i] = new_func; 1149 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4); 1150 } 1151 memset(&sd->data[17], 0, 47); 1152 } 1153 1154 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 1155 { 1156 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1157 } 1158 1159 static void sd_lock_command(SDState *sd) 1160 { 1161 int erase, lock, clr_pwd, set_pwd, pwd_len; 1162 erase = !!(sd->data[0] & 0x08); 1163 lock = sd->data[0] & 0x04; 1164 clr_pwd = sd->data[0] & 0x02; 1165 set_pwd = sd->data[0] & 0x01; 1166 1167 if (sd->blk_len > 1) 1168 pwd_len = sd->data[1]; 1169 else 1170 pwd_len = 0; 1171 1172 if (lock) { 1173 trace_sdcard_lock(); 1174 } else { 1175 trace_sdcard_unlock(); 1176 } 1177 if (erase) { 1178 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 1179 set_pwd || clr_pwd || lock || sd->wp_switch || 1180 (sd->csd[14] & 0x20)) { 1181 sd->card_status |= LOCK_UNLOCK_FAILED; 1182 return; 1183 } 1184 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits); 1185 sd->csd[14] &= ~0x10; 1186 sd->card_status &= ~CARD_IS_LOCKED; 1187 sd->pwd_len = 0; 1188 /* Erasing the entire card here! */ 1189 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 1190 return; 1191 } 1192 1193 if (sd->blk_len < 2 + pwd_len || 1194 pwd_len <= sd->pwd_len || 1195 pwd_len > sd->pwd_len + 16) { 1196 sd->card_status |= LOCK_UNLOCK_FAILED; 1197 return; 1198 } 1199 1200 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 1201 sd->card_status |= LOCK_UNLOCK_FAILED; 1202 return; 1203 } 1204 1205 pwd_len -= sd->pwd_len; 1206 if ((pwd_len && !set_pwd) || 1207 (clr_pwd && (set_pwd || lock)) || 1208 (lock && !sd->pwd_len && !set_pwd) || 1209 (!set_pwd && !clr_pwd && 1210 (((sd->card_status & CARD_IS_LOCKED) && lock) || 1211 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 1212 sd->card_status |= LOCK_UNLOCK_FAILED; 1213 return; 1214 } 1215 1216 if (set_pwd) { 1217 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 1218 sd->pwd_len = pwd_len; 1219 } 1220 1221 if (clr_pwd) { 1222 sd->pwd_len = 0; 1223 } 1224 1225 if (lock) 1226 sd->card_status |= CARD_IS_LOCKED; 1227 else 1228 sd->card_status &= ~CARD_IS_LOCKED; 1229 } 1230 1231 static bool address_in_range(SDState *sd, const char *desc, 1232 uint64_t addr, uint32_t length) 1233 { 1234 if (addr + length > sd->size) { 1235 qemu_log_mask(LOG_GUEST_ERROR, 1236 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n", 1237 desc, addr, sd->size, length); 1238 sd->card_status |= ADDRESS_ERROR; 1239 return false; 1240 } 1241 return true; 1242 } 1243 1244 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req) 1245 { 1246 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n", 1247 sd->proto->name, req.cmd, sd_state_name(sd->state), 1248 sd_version_str(sd->spec_version)); 1249 1250 return sd_illegal; 1251 } 1252 1253 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req) 1254 { 1255 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n", 1256 sd->proto->name, req.cmd, sd_mode_name(sd->mode), 1257 sd_version_str(sd->spec_version)); 1258 1259 return sd_illegal; 1260 } 1261 1262 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req) 1263 { 1264 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n", 1265 sd->proto->name, req.cmd, 1266 sd_version_str(sd->spec_version)); 1267 1268 return sd_illegal; 1269 } 1270 1271 /* Commands that are recognised but not yet implemented. */ 1272 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req) 1273 { 1274 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n", 1275 sd->proto->name, req.cmd); 1276 1277 return sd_illegal; 1278 } 1279 1280 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req) 1281 { 1282 qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n", 1283 sd->proto->name, req.cmd); 1284 1285 return sd_illegal; 1286 } 1287 1288 /* Configure fields for following sd_generic_write_byte() calls */ 1289 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req, 1290 uint64_t start, size_t size) 1291 { 1292 if (sd->state != sd_transfer_state) { 1293 return sd_invalid_state_for_cmd(sd, req); 1294 } 1295 sd->state = sd_receivingdata_state; 1296 sd->data_start = start; 1297 sd->data_offset = 0; 1298 /* sd->data[] used as receive buffer */ 1299 sd->data_size = size ?: sizeof(sd->data); 1300 return sd_r1; 1301 } 1302 1303 /* Configure fields for following sd_generic_read_byte() calls */ 1304 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req, 1305 uint64_t start, 1306 const void *data, size_t size) 1307 { 1308 if (sd->state != sd_transfer_state) { 1309 sd_invalid_state_for_cmd(sd, req); 1310 } 1311 1312 sd->state = sd_sendingdata_state; 1313 sd->data_start = start; 1314 sd->data_offset = 0; 1315 if (data) { 1316 assert(size > 0 && size <= sizeof(sd->data)); 1317 memcpy(sd->data, data, size); 1318 } 1319 if (size) { 1320 sd->data_size = size; 1321 } 1322 return sd_r1; 1323 } 1324 1325 /* CMD0 */ 1326 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req) 1327 { 1328 if (sd->state == sd_sleep_state) { 1329 switch (req.arg) { 1330 case 0x00000000: 1331 case 0xf0f0f0f0: 1332 break; 1333 default: 1334 return sd_r0; 1335 } 1336 } 1337 if (sd->state != sd_inactive_state) { 1338 sd->state = sd_idle_state; 1339 sd_reset(DEVICE(sd)); 1340 } 1341 1342 return sd_is_spi(sd) ? sd_r1 : sd_r0; 1343 } 1344 1345 /* CMD1 */ 1346 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1347 { 1348 sd->state = sd_transfer_state; 1349 1350 return sd_r1; 1351 } 1352 1353 /* CMD2 */ 1354 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req) 1355 { 1356 switch (sd->state) { 1357 case sd_ready_state: 1358 sd->state = sd_identification_state; 1359 return sd_r2_i; 1360 default: 1361 return sd_invalid_state_for_cmd(sd, req); 1362 } 1363 } 1364 1365 /* CMD3 */ 1366 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req) 1367 { 1368 uint16_t random_rca; 1369 1370 switch (sd->state) { 1371 case sd_identification_state: 1372 case sd_standby_state: 1373 sd->state = sd_standby_state; 1374 qemu_guest_getrandom_nofail(&random_rca, sizeof(random_rca)); 1375 sd_set_rca(sd, random_rca); 1376 return sd_r6; 1377 1378 default: 1379 return sd_invalid_state_for_cmd(sd, req); 1380 } 1381 } 1382 1383 static sd_rsp_type_t emmc_cmd_SET_RELATIVE_ADDR(SDState *sd, SDRequest req) 1384 { 1385 switch (sd->state) { 1386 case sd_identification_state: 1387 case sd_standby_state: 1388 sd->state = sd_standby_state; 1389 sd_set_rca(sd, req.arg >> 16); 1390 return sd_r1; 1391 1392 default: 1393 return sd_invalid_state_for_cmd(sd, req); 1394 } 1395 } 1396 1397 /* CMD5 */ 1398 static sd_rsp_type_t emmc_cmd_sleep_awake(SDState *sd, SDRequest req) 1399 { 1400 bool do_sleep = extract32(req.arg, 15, 1); 1401 1402 switch (sd->state) { 1403 case sd_sleep_state: 1404 if (!do_sleep) { 1405 /* Awake */ 1406 sd->state = sd_standby_state; 1407 } 1408 return sd_r1b; 1409 1410 case sd_standby_state: 1411 if (do_sleep) { 1412 sd->state = sd_sleep_state; 1413 } 1414 return sd_r1b; 1415 1416 default: 1417 return sd_invalid_state_for_cmd(sd, req); 1418 } 1419 } 1420 1421 /* CMD6 */ 1422 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req) 1423 { 1424 if (sd->mode != sd_data_transfer_mode) { 1425 return sd_invalid_mode_for_cmd(sd, req); 1426 } 1427 if (sd->state != sd_transfer_state) { 1428 return sd_invalid_state_for_cmd(sd, req); 1429 } 1430 1431 sd_function_switch(sd, req.arg); 1432 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64); 1433 } 1434 1435 static sd_rsp_type_t emmc_cmd_SWITCH(SDState *sd, SDRequest req) 1436 { 1437 switch (sd->state) { 1438 case sd_transfer_state: 1439 sd->state = sd_programming_state; 1440 emmc_function_switch(sd, req.arg); 1441 sd->state = sd_transfer_state; 1442 return sd_r1b; 1443 default: 1444 return sd_invalid_state_for_cmd(sd, req); 1445 } 1446 } 1447 1448 /* CMD7 */ 1449 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req) 1450 { 1451 bool same_rca = sd_req_rca_same(sd, req); 1452 1453 switch (sd->state) { 1454 case sd_standby_state: 1455 if (!same_rca) { 1456 return sd_r0; 1457 } 1458 sd->state = sd_transfer_state; 1459 return sd_r1b; 1460 1461 case sd_transfer_state: 1462 case sd_sendingdata_state: 1463 if (same_rca) { 1464 break; 1465 } 1466 sd->state = sd_standby_state; 1467 return sd_r1b; 1468 1469 case sd_disconnect_state: 1470 if (!same_rca) { 1471 return sd_r0; 1472 } 1473 sd->state = sd_programming_state; 1474 return sd_r1b; 1475 1476 case sd_programming_state: 1477 if (same_rca) { 1478 break; 1479 } 1480 sd->state = sd_disconnect_state; 1481 return sd_r1b; 1482 1483 default: 1484 break; 1485 } 1486 return sd_invalid_state_for_cmd(sd, req); 1487 } 1488 1489 /* CMD8 */ 1490 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req) 1491 { 1492 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1493 return sd_cmd_illegal(sd, req); 1494 } 1495 if (sd->state != sd_idle_state) { 1496 return sd_invalid_state_for_cmd(sd, req); 1497 } 1498 sd->vhs = 0; 1499 1500 /* No response if not exactly one VHS bit is set. */ 1501 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1502 return sd_is_spi(sd) ? sd_r7 : sd_r0; 1503 } 1504 1505 /* Accept. */ 1506 sd->vhs = req.arg; 1507 return sd_r7; 1508 } 1509 1510 /* CMD8 */ 1511 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req) 1512 { 1513 if (sd->state != sd_transfer_state) { 1514 return sd_invalid_state_for_cmd(sd, req); 1515 } 1516 1517 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1518 sd->ext_csd, sizeof(sd->ext_csd)); 1519 } 1520 1521 /* CMD9 */ 1522 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req) 1523 { 1524 if (sd->state != sd_standby_state) { 1525 return sd_invalid_state_for_cmd(sd, req); 1526 } 1527 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1528 sd->csd, 16); 1529 } 1530 1531 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req) 1532 { 1533 if (sd->state != sd_standby_state) { 1534 return sd_invalid_state_for_cmd(sd, req); 1535 } 1536 1537 return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0; 1538 } 1539 1540 /* CMD10 */ 1541 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req) 1542 { 1543 if (sd->state != sd_standby_state) { 1544 return sd_invalid_state_for_cmd(sd, req); 1545 } 1546 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1547 sd->cid, 16); 1548 } 1549 1550 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req) 1551 { 1552 if (sd->state != sd_standby_state) { 1553 return sd_invalid_state_for_cmd(sd, req); 1554 } 1555 1556 return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0; 1557 } 1558 1559 /* CMD12 */ 1560 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req) 1561 { 1562 switch (sd->state) { 1563 case sd_sendingdata_state: 1564 sd->state = sd_transfer_state; 1565 return sd_r1b; 1566 case sd_receivingdata_state: 1567 sd->state = sd_programming_state; 1568 /* Bzzzzzzztt .... Operation complete. */ 1569 sd->state = sd_transfer_state; 1570 return sd_r1; 1571 default: 1572 return sd_invalid_state_for_cmd(sd, req); 1573 } 1574 } 1575 1576 /* CMD13 */ 1577 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req) 1578 { 1579 if (sd->mode != sd_data_transfer_mode) { 1580 return sd_invalid_mode_for_cmd(sd, req); 1581 } 1582 1583 switch (sd->state) { 1584 case sd_standby_state: 1585 case sd_transfer_state: 1586 case sd_sendingdata_state: 1587 case sd_receivingdata_state: 1588 case sd_programming_state: 1589 case sd_disconnect_state: 1590 break; 1591 default: 1592 return sd_invalid_state_for_cmd(sd, req); 1593 } 1594 1595 if (sd_is_spi(sd)) { 1596 return sd_r2_s; 1597 } 1598 1599 return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0; 1600 } 1601 1602 /* CMD15 */ 1603 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req) 1604 { 1605 if (sd->mode != sd_data_transfer_mode) { 1606 return sd_invalid_mode_for_cmd(sd, req); 1607 } 1608 switch (sd->state) { 1609 case sd_standby_state: 1610 case sd_transfer_state: 1611 case sd_sendingdata_state: 1612 case sd_receivingdata_state: 1613 case sd_programming_state: 1614 case sd_disconnect_state: 1615 break; 1616 default: 1617 return sd_invalid_state_for_cmd(sd, req); 1618 } 1619 if (sd_req_rca_same(sd, req)) { 1620 sd->state = sd_inactive_state; 1621 } 1622 1623 return sd_r0; 1624 } 1625 1626 /* CMD16 */ 1627 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req) 1628 { 1629 if (sd->state != sd_transfer_state) { 1630 return sd_invalid_state_for_cmd(sd, req); 1631 } 1632 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1633 sd->card_status |= BLOCK_LEN_ERROR; 1634 } else { 1635 trace_sdcard_set_blocklen(req.arg); 1636 sd->blk_len = req.arg; 1637 } 1638 1639 return sd_r1; 1640 } 1641 1642 /* CMD17 */ 1643 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req) 1644 { 1645 uint64_t addr; 1646 1647 if (sd->state != sd_transfer_state) { 1648 return sd_invalid_state_for_cmd(sd, req); 1649 } 1650 1651 addr = sd_req_get_address(sd, req); 1652 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) { 1653 return sd_r1; 1654 } 1655 1656 sd_blk_read(sd, addr, sd->blk_len); 1657 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len); 1658 } 1659 1660 /* CMD19 */ 1661 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req) 1662 { 1663 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1664 return sd_cmd_illegal(sd, req); 1665 } 1666 1667 return sd_cmd_to_sendingdata(sd, req, 0, 1668 sd_tuning_block_pattern4, 1669 sizeof(sd_tuning_block_pattern4)); 1670 } 1671 1672 /* CMD23 */ 1673 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req) 1674 { 1675 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1676 return sd_cmd_illegal(sd, req); 1677 } 1678 1679 if (sd->state != sd_transfer_state) { 1680 return sd_invalid_state_for_cmd(sd, req); 1681 } 1682 1683 sd->multi_blk_cnt = req.arg; 1684 if (sd_is_emmc(sd)) { 1685 sd->multi_blk_cnt &= 0xffff; 1686 } 1687 trace_sdcard_set_block_count(sd->multi_blk_cnt); 1688 1689 return sd_r1; 1690 } 1691 1692 /* CMD24 */ 1693 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req) 1694 { 1695 uint64_t addr; 1696 1697 if (sd->state != sd_transfer_state) { 1698 return sd_invalid_state_for_cmd(sd, req); 1699 } 1700 1701 addr = sd_req_get_address(sd, req); 1702 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) { 1703 return sd_r1; 1704 } 1705 1706 if (sd->size <= SDSC_MAX_CAPACITY) { 1707 if (sd_wp_addr(sd, addr)) { 1708 sd->card_status |= WP_VIOLATION; 1709 } 1710 } 1711 if (sd->csd[14] & 0x30) { 1712 sd->card_status |= WP_VIOLATION; 1713 } 1714 1715 sd->blk_written = 0; 1716 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len); 1717 } 1718 1719 /* CMD26 */ 1720 static sd_rsp_type_t emmc_cmd_PROGRAM_CID(SDState *sd, SDRequest req) 1721 { 1722 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid)); 1723 } 1724 1725 /* CMD27 */ 1726 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req) 1727 { 1728 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd)); 1729 } 1730 1731 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req, 1732 bool is_write) 1733 { 1734 uint64_t addr; 1735 1736 if (sd->size > SDSC_MAX_CAPACITY) { 1737 return sd_illegal; 1738 } 1739 1740 if (sd->state != sd_transfer_state) { 1741 return sd_invalid_state_for_cmd(sd, req); 1742 } 1743 1744 addr = sd_req_get_address(sd, req); 1745 if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT", 1746 addr, 1)) { 1747 return sd_r1b; 1748 } 1749 1750 sd->state = sd_programming_state; 1751 if (is_write) { 1752 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1753 } else { 1754 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1755 } 1756 /* Bzzzzzzztt .... Operation complete. */ 1757 sd->state = sd_transfer_state; 1758 return sd_r1; 1759 } 1760 1761 /* CMD28 */ 1762 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req) 1763 { 1764 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true); 1765 } 1766 1767 /* CMD29 */ 1768 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req) 1769 { 1770 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false); 1771 } 1772 1773 /* CMD30 */ 1774 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req) 1775 { 1776 uint64_t addr; 1777 uint32_t data; 1778 1779 if (sd->size > SDSC_MAX_CAPACITY) { 1780 return sd_illegal; 1781 } 1782 1783 if (sd->state != sd_transfer_state) { 1784 return sd_invalid_state_for_cmd(sd, req); 1785 } 1786 1787 addr = sd_req_get_address(sd, req); 1788 if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) { 1789 return sd_r1; 1790 } 1791 1792 data = sd_wpbits(sd, req.arg); 1793 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data)); 1794 } 1795 1796 /* CMD32 */ 1797 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req) 1798 { 1799 if (sd->state != sd_transfer_state) { 1800 return sd_invalid_state_for_cmd(sd, req); 1801 } 1802 sd->erase_start = req.arg; 1803 return sd_r1; 1804 } 1805 1806 /* CMD33 */ 1807 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req) 1808 { 1809 if (sd->state != sd_transfer_state) { 1810 return sd_invalid_state_for_cmd(sd, req); 1811 } 1812 sd->erase_end = req.arg; 1813 return sd_r1; 1814 } 1815 1816 /* CMD38 */ 1817 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req) 1818 { 1819 if (sd->state != sd_transfer_state) { 1820 return sd_invalid_state_for_cmd(sd, req); 1821 } 1822 if (sd->csd[14] & 0x30) { 1823 sd->card_status |= WP_VIOLATION; 1824 return sd_r1b; 1825 } 1826 1827 sd->state = sd_programming_state; 1828 sd_erase(sd); 1829 /* Bzzzzzzztt .... Operation complete. */ 1830 sd->state = sd_transfer_state; 1831 return sd_r1b; 1832 } 1833 1834 /* CMD42 */ 1835 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req) 1836 { 1837 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1838 } 1839 1840 /* CMD55 */ 1841 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req) 1842 { 1843 switch (sd->state) { 1844 case sd_ready_state: 1845 case sd_identification_state: 1846 case sd_inactive_state: 1847 case sd_sleep_state: 1848 return sd_invalid_state_for_cmd(sd, req); 1849 case sd_idle_state: 1850 if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) { 1851 qemu_log_mask(LOG_GUEST_ERROR, 1852 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1853 } 1854 /* fall-through */ 1855 default: 1856 break; 1857 } 1858 if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) { 1859 return sd_r0; 1860 } 1861 sd->expecting_acmd = true; 1862 sd->card_status |= APP_CMD; 1863 1864 return sd_r1; 1865 } 1866 1867 /* CMD56 */ 1868 static sd_rsp_type_t sd_cmd_GEN_CMD(SDState *sd, SDRequest req) 1869 { 1870 if (sd->state != sd_transfer_state) { 1871 return sd_invalid_state_for_cmd(sd, req); 1872 } 1873 1874 /* Vendor specific command: our model is RAZ/WI */ 1875 if (req.arg & 1) { 1876 memset(sd->data, 0, sizeof(sd->data)); 1877 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 0); 1878 } else { 1879 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1880 } 1881 } 1882 1883 /* CMD58 */ 1884 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req) 1885 { 1886 return sd_r3; 1887 } 1888 1889 /* CMD59 */ 1890 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req) 1891 { 1892 return sd_r1; 1893 } 1894 1895 /* ACMD6 */ 1896 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req) 1897 { 1898 if (sd->state != sd_transfer_state) { 1899 return sd_invalid_state_for_cmd(sd, req); 1900 } 1901 1902 sd->sd_status[0] &= 0x3f; 1903 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1904 return sd_r1; 1905 } 1906 1907 /* ACMD13 */ 1908 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req) 1909 { 1910 return sd_cmd_to_sendingdata(sd, req, 0, 1911 sd->sd_status, sizeof(sd->sd_status)); 1912 } 1913 1914 /* ACMD22 */ 1915 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req) 1916 { 1917 return sd_cmd_to_sendingdata(sd, req, 0, 1918 &sd->blk_written, sizeof(sd->blk_written)); 1919 } 1920 1921 /* ACMD23 */ 1922 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req) 1923 { 1924 if (sd->state != sd_transfer_state) { 1925 return sd_invalid_state_for_cmd(sd, req); 1926 } 1927 return sd_r1; 1928 } 1929 1930 /* ACMD41 */ 1931 static sd_rsp_type_t sd_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1932 { 1933 if (sd->state != sd_idle_state) { 1934 return sd_invalid_state_for_cmd(sd, req); 1935 } 1936 1937 /* 1938 * If it's the first ACMD41 since reset, we need to decide 1939 * whether to power up. If this is not an enquiry ACMD41, 1940 * we immediately report power on and proceed below to the 1941 * ready state, but if it is, we set a timer to model a 1942 * delay for power up. This works around a bug in EDK2 1943 * UEFI, which sends an initial enquiry ACMD41, but 1944 * assumes that the card is in ready state as soon as it 1945 * sees the power up bit set. 1946 */ 1947 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1948 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1949 timer_del(sd->ocr_power_timer); 1950 sd_ocr_powerup(sd); 1951 } else { 1952 trace_sdcard_inquiry_cmd41(); 1953 if (!timer_pending(sd->ocr_power_timer)) { 1954 timer_mod_ns(sd->ocr_power_timer, 1955 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1956 + OCR_POWER_DELAY_NS)); 1957 } 1958 } 1959 } 1960 1961 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1962 /* 1963 * We accept any voltage. 10000 V is nothing. 1964 * 1965 * Once we're powered up, we advance straight to ready state 1966 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1967 */ 1968 sd->state = sd_ready_state; 1969 } 1970 1971 return sd_r3; 1972 } 1973 1974 /* ACMD42 */ 1975 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req) 1976 { 1977 if (sd->state != sd_transfer_state) { 1978 return sd_invalid_state_for_cmd(sd, req); 1979 } 1980 1981 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1982 return sd_r1; 1983 } 1984 1985 /* ACMD51 */ 1986 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req) 1987 { 1988 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr)); 1989 } 1990 1991 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 1992 { 1993 uint64_t addr; 1994 1995 sd->last_cmd_name = sd_cmd_name(sd, req.cmd); 1996 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 1997 * However there is no ACMD55, so we want to trace this particular case. 1998 */ 1999 if (req.cmd != 55 || sd->expecting_acmd) { 2000 trace_sdcard_normal_command(sd->proto->name, 2001 sd->last_cmd_name, req.cmd, 2002 req.arg, sd_state_name(sd->state)); 2003 } 2004 2005 /* Not interpreting this as an app command */ 2006 sd->card_status &= ~APP_CMD; 2007 2008 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 2009 * if not, its effects are cancelled */ 2010 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 2011 sd->multi_blk_cnt = 0; 2012 } 2013 2014 if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR, 2015 CARD_CAPACITY)) { 2016 /* Only Standard Capacity cards support class 6 commands */ 2017 return sd_illegal; 2018 } 2019 2020 if (sd->proto->cmd[req.cmd].handler) { 2021 return sd->proto->cmd[req.cmd].handler(sd, req); 2022 } 2023 2024 switch (req.cmd) { 2025 /* Block read commands (Class 2) */ 2026 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2027 addr = sd_req_get_address(sd, req); 2028 switch (sd->state) { 2029 case sd_transfer_state: 2030 2031 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) { 2032 return sd_r1; 2033 } 2034 2035 sd->state = sd_sendingdata_state; 2036 sd->data_start = addr; 2037 sd->data_offset = 0; 2038 return sd_r1; 2039 2040 default: 2041 break; 2042 } 2043 break; 2044 2045 /* Block write commands (Class 4) */ 2046 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2047 addr = sd_req_get_address(sd, req); 2048 switch (sd->state) { 2049 case sd_transfer_state: 2050 2051 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) { 2052 return sd_r1; 2053 } 2054 2055 sd->state = sd_receivingdata_state; 2056 sd->data_start = addr; 2057 sd->data_offset = 0; 2058 sd->blk_written = 0; 2059 2060 if (sd->size <= SDSC_MAX_CAPACITY) { 2061 if (sd_wp_addr(sd, sd->data_start)) { 2062 sd->card_status |= WP_VIOLATION; 2063 } 2064 } 2065 if (sd->csd[14] & 0x30) { 2066 sd->card_status |= WP_VIOLATION; 2067 } 2068 return sd_r1; 2069 2070 default: 2071 break; 2072 } 2073 break; 2074 2075 default: 2076 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 2077 return sd_illegal; 2078 } 2079 2080 return sd_invalid_state_for_cmd(sd, req); 2081 } 2082 2083 static sd_rsp_type_t sd_app_command(SDState *sd, 2084 SDRequest req) 2085 { 2086 sd->last_cmd_name = sd_acmd_name(sd, req.cmd); 2087 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name, 2088 req.cmd, req.arg, sd_state_name(sd->state)); 2089 sd->card_status |= APP_CMD; 2090 2091 if (sd->proto->acmd[req.cmd].handler) { 2092 return sd->proto->acmd[req.cmd].handler(sd, req); 2093 } 2094 2095 switch (req.cmd) { 2096 case 18: /* Reserved for SD security applications */ 2097 case 25: 2098 case 26: 2099 case 38: 2100 case 43 ... 49: 2101 /* Refer to the "SD Specifications Part3 Security Specification" for 2102 * information about the SD Security Features. 2103 */ 2104 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 2105 req.cmd); 2106 return sd_illegal; 2107 2108 default: 2109 /* Fall back to standard commands. */ 2110 return sd_normal_command(sd, req); 2111 } 2112 2113 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 2114 return sd_illegal; 2115 } 2116 2117 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd) 2118 { 2119 unsigned cmd_class; 2120 2121 /* Valid commands in locked state: 2122 * basic class (0) 2123 * lock card class (7) 2124 * CMD16 2125 * implicitly, the ACMD prefix CMD55 2126 * ACMD41 and ACMD42 2127 * Anything else provokes an "illegal command" response. 2128 */ 2129 if (sd->expecting_acmd) { 2130 return cmd == 41 || cmd == 42; 2131 } 2132 if (cmd == 16 || cmd == 55) { 2133 return true; 2134 } 2135 if (!sd->proto->cmd[cmd].handler) { 2136 return false; 2137 } 2138 cmd_class = sd->proto->cmd[cmd].class; 2139 2140 return cmd_class == 0 || cmd_class == 7; 2141 } 2142 2143 static int sd_do_command(SDState *sd, SDRequest *req, 2144 uint8_t *response) { 2145 int last_state; 2146 sd_rsp_type_t rtype; 2147 int rsplen; 2148 2149 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 2150 return 0; 2151 } 2152 2153 if (sd->state == sd_inactive_state) { 2154 rtype = sd_illegal; 2155 goto send_response; 2156 } 2157 2158 if (sd_req_crc_validate(req)) { 2159 sd->card_status |= COM_CRC_ERROR; 2160 rtype = sd_illegal; 2161 goto send_response; 2162 } 2163 2164 if (req->cmd >= SDMMC_CMD_MAX) { 2165 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 2166 req->cmd); 2167 req->cmd &= 0x3f; 2168 } 2169 2170 if (sd->state == sd_sleep_state && req->cmd) { 2171 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is sleeping\n"); 2172 rtype = sd_r0; 2173 goto send_response; 2174 } 2175 2176 if (sd->card_status & CARD_IS_LOCKED) { 2177 if (!cmd_valid_while_locked(sd, req->cmd)) { 2178 sd->card_status |= ILLEGAL_COMMAND; 2179 sd->expecting_acmd = false; 2180 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 2181 rtype = sd_illegal; 2182 goto send_response; 2183 } 2184 } 2185 2186 last_state = sd->state; 2187 sd_set_mode(sd); 2188 2189 if (sd->expecting_acmd) { 2190 sd->expecting_acmd = false; 2191 rtype = sd_app_command(sd, *req); 2192 } else { 2193 rtype = sd_normal_command(sd, *req); 2194 } 2195 2196 if (rtype == sd_illegal) { 2197 sd->card_status |= ILLEGAL_COMMAND; 2198 } else { 2199 /* Valid command, we can update the 'state before command' bits. 2200 * (Do this now so they appear in r1 responses.) 2201 */ 2202 sd->card_status = FIELD_DP32(sd->card_status, CSR, 2203 CURRENT_STATE, last_state); 2204 } 2205 2206 send_response: 2207 switch (rtype) { 2208 case sd_r1: 2209 case sd_r1b: 2210 sd_response_r1_make(sd, response); 2211 rsplen = 4; 2212 break; 2213 2214 case sd_r2_i: 2215 memcpy(response, sd->cid, sizeof(sd->cid)); 2216 rsplen = 16; 2217 break; 2218 2219 case sd_r2_s: 2220 memcpy(response, sd->csd, sizeof(sd->csd)); 2221 rsplen = 16; 2222 break; 2223 2224 case sd_r3: 2225 sd_response_r3_make(sd, response); 2226 rsplen = 4; 2227 break; 2228 2229 case sd_r6: 2230 sd_response_r6_make(sd, response); 2231 rsplen = 4; 2232 break; 2233 2234 case sd_r7: 2235 sd_response_r7_make(sd, response); 2236 rsplen = 4; 2237 break; 2238 2239 case sd_r0: 2240 /* 2241 * Invalid state transition, reset implementation 2242 * fields to avoid OOB abuse. 2243 */ 2244 sd->data_start = 0; 2245 sd->data_offset = 0; 2246 /* fall-through */ 2247 case sd_illegal: 2248 rsplen = 0; 2249 break; 2250 default: 2251 g_assert_not_reached(); 2252 } 2253 trace_sdcard_response(sd_response_name(rtype), rsplen); 2254 2255 if (rtype != sd_illegal) { 2256 /* Clear the "clear on valid command" status bits now we've 2257 * sent any response 2258 */ 2259 sd->card_status &= ~CARD_STATUS_B; 2260 } 2261 2262 #ifdef DEBUG_SD 2263 qemu_hexdump(stderr, "Response", response, rsplen); 2264 #endif 2265 2266 sd->current_cmd = rtype == sd_illegal ? 0 : req->cmd; 2267 2268 return rsplen; 2269 } 2270 2271 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */ 2272 static bool sd_generic_write_byte(SDState *sd, uint8_t value) 2273 { 2274 sd->data[sd->data_offset] = value; 2275 2276 if (++sd->data_offset >= sd->data_size) { 2277 sd->state = sd_transfer_state; 2278 return true; 2279 } 2280 return false; 2281 } 2282 2283 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */ 2284 static bool sd_generic_read_byte(SDState *sd, uint8_t *value) 2285 { 2286 *value = sd->data[sd->data_offset]; 2287 2288 if (++sd->data_offset >= sd->data_size) { 2289 sd->state = sd_transfer_state; 2290 return true; 2291 } 2292 2293 return false; 2294 } 2295 2296 static void sd_write_byte(SDState *sd, uint8_t value) 2297 { 2298 int i; 2299 2300 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 2301 return; 2302 2303 if (sd->state != sd_receivingdata_state) { 2304 qemu_log_mask(LOG_GUEST_ERROR, 2305 "%s: not in Receiving-Data state\n", __func__); 2306 return; 2307 } 2308 2309 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2310 return; 2311 2312 trace_sdcard_write_data(sd->proto->name, 2313 sd->last_cmd_name, 2314 sd->current_cmd, sd->data_offset, value); 2315 switch (sd->current_cmd) { 2316 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 2317 if (sd_generic_write_byte(sd, value)) { 2318 /* TODO: Check CRC before committing */ 2319 sd->state = sd_programming_state; 2320 sd_blk_write(sd, sd->data_start, sd->data_offset); 2321 sd->blk_written ++; 2322 sd->csd[14] |= 0x40; 2323 /* Bzzzzzzztt .... Operation complete. */ 2324 sd->state = sd_transfer_state; 2325 } 2326 break; 2327 2328 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2329 if (sd->data_offset == 0) { 2330 /* Start of the block - let's check the address is valid */ 2331 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK", 2332 sd->data_start, sd->blk_len)) { 2333 break; 2334 } 2335 if (sd->size <= SDSC_MAX_CAPACITY) { 2336 if (sd_wp_addr(sd, sd->data_start)) { 2337 sd->card_status |= WP_VIOLATION; 2338 break; 2339 } 2340 } 2341 } 2342 sd->data[sd->data_offset++] = value; 2343 if (sd->data_offset >= sd->blk_len) { 2344 /* TODO: Check CRC before committing */ 2345 sd->state = sd_programming_state; 2346 sd_blk_write(sd, sd->data_start, sd->data_offset); 2347 sd->blk_written++; 2348 sd->data_start += sd->blk_len; 2349 sd->data_offset = 0; 2350 sd->csd[14] |= 0x40; 2351 2352 /* Bzzzzzzztt .... Operation complete. */ 2353 if (sd->multi_blk_cnt != 0) { 2354 if (--sd->multi_blk_cnt == 0) { 2355 /* Stop! */ 2356 sd->state = sd_transfer_state; 2357 break; 2358 } 2359 } 2360 2361 sd->state = sd_receivingdata_state; 2362 } 2363 break; 2364 2365 case 26: /* CMD26: PROGRAM_CID */ 2366 if (sd_generic_write_byte(sd, value)) { 2367 /* TODO: Check CRC before committing */ 2368 sd->state = sd_programming_state; 2369 for (i = 0; i < sizeof(sd->cid); i ++) 2370 if ((sd->cid[i] | 0x00) != sd->data[i]) 2371 sd->card_status |= CID_CSD_OVERWRITE; 2372 2373 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2374 for (i = 0; i < sizeof(sd->cid); i ++) { 2375 sd->cid[i] |= 0x00; 2376 sd->cid[i] &= sd->data[i]; 2377 } 2378 /* Bzzzzzzztt .... Operation complete. */ 2379 sd->state = sd_transfer_state; 2380 } 2381 break; 2382 2383 case 27: /* CMD27: PROGRAM_CSD */ 2384 if (sd_generic_write_byte(sd, value)) { 2385 /* TODO: Check CRC before committing */ 2386 sd->state = sd_programming_state; 2387 for (i = 0; i < sizeof(sd->csd); i ++) 2388 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 2389 (sd->data[i] | sd_csd_rw_mask[i])) 2390 sd->card_status |= CID_CSD_OVERWRITE; 2391 2392 /* Copy flag (OTP) & Permanent write protect */ 2393 if (sd->csd[14] & ~sd->data[14] & 0x60) 2394 sd->card_status |= CID_CSD_OVERWRITE; 2395 2396 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2397 for (i = 0; i < sizeof(sd->csd); i ++) { 2398 sd->csd[i] |= sd_csd_rw_mask[i]; 2399 sd->csd[i] &= sd->data[i]; 2400 } 2401 /* Bzzzzzzztt .... Operation complete. */ 2402 sd->state = sd_transfer_state; 2403 } 2404 break; 2405 2406 case 42: /* CMD42: LOCK_UNLOCK */ 2407 if (sd_generic_write_byte(sd, value)) { 2408 /* TODO: Check CRC before committing */ 2409 sd->state = sd_programming_state; 2410 sd_lock_command(sd); 2411 /* Bzzzzzzztt .... Operation complete. */ 2412 sd->state = sd_transfer_state; 2413 } 2414 break; 2415 2416 case 56: /* CMD56: GEN_CMD */ 2417 sd_generic_write_byte(sd, value); 2418 break; 2419 2420 default: 2421 g_assert_not_reached(); 2422 } 2423 } 2424 2425 static uint8_t sd_read_byte(SDState *sd) 2426 { 2427 /* TODO: Append CRCs */ 2428 const uint8_t dummy_byte = 0x00; 2429 uint8_t ret; 2430 uint32_t io_len; 2431 2432 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 2433 return dummy_byte; 2434 2435 if (sd->state != sd_sendingdata_state) { 2436 qemu_log_mask(LOG_GUEST_ERROR, 2437 "%s: not in Sending-Data state\n", __func__); 2438 return dummy_byte; 2439 } 2440 2441 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) { 2442 return dummy_byte; 2443 } 2444 2445 io_len = sd_blk_len(sd); 2446 2447 trace_sdcard_read_data(sd->proto->name, 2448 sd->last_cmd_name, sd->current_cmd, 2449 sd->data_offset, sd->data_size, io_len); 2450 switch (sd->current_cmd) { 2451 case 6: /* CMD6: SWITCH_FUNCTION */ 2452 case 8: /* CMD8: SEND_EXT_CSD */ 2453 case 9: /* CMD9: SEND_CSD */ 2454 case 10: /* CMD10: SEND_CID */ 2455 case 13: /* ACMD13: SD_STATUS */ 2456 case 17: /* CMD17: READ_SINGLE_BLOCK */ 2457 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2458 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2459 case 30: /* CMD30: SEND_WRITE_PROT */ 2460 case 51: /* ACMD51: SEND_SCR */ 2461 case 56: /* CMD56: GEN_CMD */ 2462 sd_generic_read_byte(sd, &ret); 2463 break; 2464 2465 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2466 if (sd->data_offset == 0) { 2467 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK", 2468 sd->data_start, io_len)) { 2469 return dummy_byte; 2470 } 2471 sd_blk_read(sd, sd->data_start, io_len); 2472 } 2473 ret = sd->data[sd->data_offset ++]; 2474 2475 if (sd->data_offset >= io_len) { 2476 sd->data_start += io_len; 2477 sd->data_offset = 0; 2478 2479 if (sd->multi_blk_cnt != 0) { 2480 if (--sd->multi_blk_cnt == 0) { 2481 /* Stop! */ 2482 sd->state = sd_transfer_state; 2483 break; 2484 } 2485 } 2486 } 2487 break; 2488 2489 default: 2490 qemu_log_mask(LOG_GUEST_ERROR, "%s: DAT read illegal for command %s\n", 2491 __func__, sd->last_cmd_name); 2492 return dummy_byte; 2493 } 2494 2495 return ret; 2496 } 2497 2498 static bool sd_receive_ready(SDState *sd) 2499 { 2500 return sd->state == sd_receivingdata_state; 2501 } 2502 2503 static bool sd_data_ready(SDState *sd) 2504 { 2505 return sd->state == sd_sendingdata_state; 2506 } 2507 2508 static const SDProto sd_proto_spi = { 2509 .name = "SPI", 2510 .cmd = { 2511 [0] = {0, sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2512 [1] = {0, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2513 [5] = {9, sd_spi, "IO_SEND_OP_COND", sd_cmd_optional}, 2514 [6] = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2515 [8] = {0, sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2516 [9] = {0, sd_spi, "SEND_CSD", spi_cmd_SEND_CSD}, 2517 [10] = {0, sd_spi, "SEND_CID", spi_cmd_SEND_CID}, 2518 [12] = {0, sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2519 [13] = {0, sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2520 [16] = {2, sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2521 [17] = {2, sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2522 [24] = {4, sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2523 [27] = {4, sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2524 [28] = {6, sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2525 [29] = {6, sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2526 [30] = {6, sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2527 [32] = {5, sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2528 [33] = {5, sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2529 [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional}, 2530 [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional}, 2531 [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional}, 2532 [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2533 [38] = {5, sd_spi, "ERASE", sd_cmd_ERASE}, 2534 [42] = {7, sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2535 [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional}, 2536 [52] = {9, sd_spi, "IO_RW_DIRECT", sd_cmd_optional}, 2537 [53] = {9, sd_spi, "IO_RW_EXTENDED", sd_cmd_optional}, 2538 [55] = {8, sd_spi, "APP_CMD", sd_cmd_APP_CMD}, 2539 [56] = {8, sd_spi, "GEN_CMD", sd_cmd_GEN_CMD}, 2540 [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2541 [58] = {0, sd_spi, "READ_OCR", spi_cmd_READ_OCR}, 2542 [59] = {0, sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF}, 2543 }, 2544 .acmd = { 2545 [13] = {8, sd_spi, "SD_STATUS", sd_acmd_SD_STATUS}, 2546 [22] = {8, sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2547 [23] = {8, sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2548 [41] = {8, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2549 [42] = {8, sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2550 [51] = {8, sd_spi, "SEND_SCR", sd_acmd_SEND_SCR}, 2551 }, 2552 }; 2553 2554 static const SDProto sd_proto_sd = { 2555 .name = "SD", 2556 .cmd = { 2557 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2558 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2559 [3] = {0, sd_bcr, "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR}, 2560 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented}, 2561 [5] = {9, sd_bc, "IO_SEND_OP_COND", sd_cmd_optional}, 2562 [6] = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2563 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD}, 2564 [8] = {0, sd_bcr, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2565 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD}, 2566 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID}, 2567 [11] = {0, sd_ac, "VOLTAGE_SWITCH", sd_cmd_optional}, 2568 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2569 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2570 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE}, 2571 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2572 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2573 [19] = {2, sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK}, 2574 [20] = {2, sd_ac, "SPEED_CLASS_CONTROL", sd_cmd_optional}, 2575 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2576 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2577 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2578 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2579 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2580 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2581 [32] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2582 [33] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2583 [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional}, 2584 [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional}, 2585 [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional}, 2586 [37] = {10, sd_ac, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2587 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE}, 2588 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2589 [43] = {1, sd_ac, "Q_MANAGEMENT", sd_cmd_optional}, 2590 [44] = {1, sd_ac, "Q_TASK_INFO_A", sd_cmd_optional}, 2591 [45] = {1, sd_ac, "Q_TASK_INFO_B", sd_cmd_optional}, 2592 [46] = {1, sd_adtc, "Q_RD_TASK", sd_cmd_optional}, 2593 [47] = {1, sd_adtc, "Q_WR_TASK", sd_cmd_optional}, 2594 [48] = {1, sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional}, 2595 [49] = {1, sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional}, 2596 [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional}, 2597 [52] = {9, sd_bc, "IO_RW_DIRECT", sd_cmd_optional}, 2598 [53] = {9, sd_bc, "IO_RW_EXTENDED", sd_cmd_optional}, 2599 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD}, 2600 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD}, 2601 [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2602 [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional}, 2603 [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional}, 2604 }, 2605 .acmd = { 2606 [6] = {8, sd_ac, "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH}, 2607 [13] = {8, sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS}, 2608 [22] = {8, sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2609 [23] = {8, sd_ac, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2610 [41] = {8, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND}, 2611 [42] = {8, sd_ac, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2612 [51] = {8, sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR}, 2613 }, 2614 }; 2615 2616 static const SDProto sd_proto_emmc = { 2617 /* Only v4.3 is supported */ 2618 .name = "eMMC", 2619 .cmd = { 2620 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2621 [1] = {0, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND}, 2622 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2623 [3] = {0, sd_ac, "SET_RELATIVE_ADDR", emmc_cmd_SET_RELATIVE_ADDR}, 2624 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented}, 2625 [5] = {0, sd_ac, "SLEEP/AWAKE", emmc_cmd_sleep_awake}, 2626 [6] = {10, sd_adtc, "SWITCH", emmc_cmd_SWITCH}, 2627 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD}, 2628 [8] = {0, sd_adtc, "SEND_EXT_CSD", emmc_cmd_SEND_EXT_CSD}, 2629 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD}, 2630 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID}, 2631 [11] = {1, sd_adtc, "READ_DAT_UNTIL_STOP", sd_cmd_unimplemented}, 2632 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2633 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2634 [14] = {0, sd_adtc, "BUSTEST_R", sd_cmd_unimplemented}, 2635 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE}, 2636 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2637 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2638 [19] = {0, sd_adtc, "BUSTEST_W", sd_cmd_unimplemented}, 2639 [20] = {3, sd_adtc, "WRITE_DAT_UNTIL_STOP", sd_cmd_unimplemented}, 2640 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2641 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2642 [26] = {4, sd_adtc, "PROGRAM_CID", emmc_cmd_PROGRAM_CID}, 2643 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2644 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2645 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2646 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2647 [31] = {6, sd_adtc, "SEND_WRITE_PROT_TYPE", sd_cmd_unimplemented}, 2648 [35] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2649 [36] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2650 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE}, 2651 [39] = {9, sd_ac, "FAST_IO", sd_cmd_unimplemented}, 2652 [40] = {9, sd_bcr, "GO_IRQ_STATE", sd_cmd_unimplemented}, 2653 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2654 [49] = {0, sd_adtc, "SET_TIME", sd_cmd_unimplemented}, 2655 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD}, 2656 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD}, 2657 }, 2658 }; 2659 2660 static void sd_instance_init(Object *obj) 2661 { 2662 SDState *sd = SDMMC_COMMON(obj); 2663 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd); 2664 2665 sd->proto = sc->proto; 2666 sd->last_cmd_name = "UNSET"; 2667 sd->enable = true; 2668 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2669 } 2670 2671 static void sd_instance_finalize(Object *obj) 2672 { 2673 SDState *sd = SDMMC_COMMON(obj); 2674 2675 timer_free(sd->ocr_power_timer); 2676 } 2677 2678 static void sd_realize(DeviceState *dev, Error **errp) 2679 { 2680 SDState *sd = SDMMC_COMMON(dev); 2681 int ret; 2682 2683 switch (sd->spec_version) { 2684 case SD_PHY_SPECv1_10_VERS 2685 ... SD_PHY_SPECv3_01_VERS: 2686 break; 2687 default: 2688 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2689 return; 2690 } 2691 2692 if (sd->blk) { 2693 int64_t blk_size; 2694 2695 if (!blk_supports_write_perm(sd->blk)) { 2696 error_setg(errp, "Cannot use read-only drive as SD card"); 2697 return; 2698 } 2699 2700 blk_size = blk_getlength(sd->blk); 2701 if (blk_size > 0 && !is_power_of_2(blk_size)) { 2702 int64_t blk_size_aligned = pow2ceil(blk_size); 2703 char *blk_size_str; 2704 2705 blk_size_str = size_to_str(blk_size); 2706 error_setg(errp, "Invalid SD card size: %s", blk_size_str); 2707 g_free(blk_size_str); 2708 2709 blk_size_str = size_to_str(blk_size_aligned); 2710 error_append_hint(errp, 2711 "SD card size has to be a power of 2, e.g. %s.\n" 2712 "You can resize disk images with" 2713 " 'qemu-img resize <imagefile> <new-size>'\n" 2714 "(note that this will lose data if you make the" 2715 " image smaller than it currently is).\n", 2716 blk_size_str); 2717 g_free(blk_size_str); 2718 2719 return; 2720 } 2721 2722 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2723 BLK_PERM_ALL, errp); 2724 if (ret < 0) { 2725 return; 2726 } 2727 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2728 } 2729 } 2730 2731 static void emmc_realize(DeviceState *dev, Error **errp) 2732 { 2733 SDState *sd = SDMMC_COMMON(dev); 2734 2735 sd->spec_version = SD_PHY_SPECv3_01_VERS; /* Actually v4.3 */ 2736 2737 sd_realize(dev, errp); 2738 } 2739 2740 static const Property sdmmc_common_properties[] = { 2741 DEFINE_PROP_DRIVE("drive", SDState, blk), 2742 }; 2743 2744 static const Property sd_properties[] = { 2745 DEFINE_PROP_UINT8("spec_version", SDState, 2746 spec_version, SD_PHY_SPECv3_01_VERS), 2747 }; 2748 2749 static const Property emmc_properties[] = { 2750 DEFINE_PROP_UINT64("boot-partition-size", SDState, boot_part_size, 0), 2751 DEFINE_PROP_UINT8("boot-config", SDState, boot_config, 0x0), 2752 }; 2753 2754 static void sdmmc_common_class_init(ObjectClass *klass, void *data) 2755 { 2756 DeviceClass *dc = DEVICE_CLASS(klass); 2757 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2758 2759 device_class_set_props(dc, sdmmc_common_properties); 2760 dc->vmsd = &sd_vmstate; 2761 device_class_set_legacy_reset(dc, sd_reset); 2762 dc->bus_type = TYPE_SD_BUS; 2763 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2764 2765 sc->set_voltage = sd_set_voltage; 2766 sc->get_dat_lines = sd_get_dat_lines; 2767 sc->get_cmd_line = sd_get_cmd_line; 2768 sc->do_command = sd_do_command; 2769 sc->write_byte = sd_write_byte; 2770 sc->read_byte = sd_read_byte; 2771 sc->receive_ready = sd_receive_ready; 2772 sc->data_ready = sd_data_ready; 2773 sc->get_inserted = sd_get_inserted; 2774 sc->get_readonly = sd_get_readonly; 2775 } 2776 2777 static void sd_class_init(ObjectClass *klass, void *data) 2778 { 2779 DeviceClass *dc = DEVICE_CLASS(klass); 2780 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2781 2782 dc->realize = sd_realize; 2783 device_class_set_props(dc, sd_properties); 2784 2785 sc->set_cid = sd_set_cid; 2786 sc->set_csd = sd_set_csd; 2787 sc->proto = &sd_proto_sd; 2788 } 2789 2790 /* 2791 * We do not model the chip select pin, so allow the board to select 2792 * whether card should be in SSI or MMC/SD mode. It is also up to the 2793 * board to ensure that ssi transfers only occur when the chip select 2794 * is asserted. 2795 */ 2796 static void sd_spi_class_init(ObjectClass *klass, void *data) 2797 { 2798 DeviceClass *dc = DEVICE_CLASS(klass); 2799 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2800 2801 dc->desc = "SD SPI"; 2802 sc->proto = &sd_proto_spi; 2803 } 2804 2805 static void emmc_class_init(ObjectClass *klass, void *data) 2806 { 2807 DeviceClass *dc = DEVICE_CLASS(klass); 2808 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2809 2810 dc->desc = "eMMC"; 2811 dc->realize = emmc_realize; 2812 device_class_set_props(dc, emmc_properties); 2813 /* Reason: Soldered on board */ 2814 dc->user_creatable = false; 2815 2816 sc->proto = &sd_proto_emmc; 2817 2818 sc->set_cid = emmc_set_cid; 2819 sc->set_csd = emmc_set_csd; 2820 } 2821 2822 static const TypeInfo sd_types[] = { 2823 { 2824 .name = TYPE_SDMMC_COMMON, 2825 .parent = TYPE_DEVICE, 2826 .abstract = true, 2827 .instance_size = sizeof(SDState), 2828 .class_size = sizeof(SDCardClass), 2829 .class_init = sdmmc_common_class_init, 2830 .instance_init = sd_instance_init, 2831 .instance_finalize = sd_instance_finalize, 2832 }, 2833 { 2834 .name = TYPE_SD_CARD, 2835 .parent = TYPE_SDMMC_COMMON, 2836 .class_init = sd_class_init, 2837 }, 2838 { 2839 .name = TYPE_SD_CARD_SPI, 2840 .parent = TYPE_SD_CARD, 2841 .class_init = sd_spi_class_init, 2842 }, 2843 { 2844 .name = TYPE_EMMC, 2845 .parent = TYPE_SDMMC_COMMON, 2846 .class_init = emmc_class_init, 2847 }, 2848 }; 2849 2850 DEFINE_TYPES(sd_types) 2851