xref: /openbmc/qemu/hw/sd/sd.c (revision fe1127da)
1 /*
2  * SD Memory Card emulation as defined in the "SD Memory Card Physical
3  * layer specification, Version 2.00."
4  *
5  * Copyright (c) 2006 Andrzej Zaborowski  <balrog@zabor.org>
6  * Copyright (c) 2007 CodeSourcery
7  * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23  * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR
24  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "qemu/error-report.h"
46 #include "qemu/timer.h"
47 #include "qemu/log.h"
48 #include "qemu/module.h"
49 #include "sdmmc-internal.h"
50 #include "trace.h"
51 
52 //#define DEBUG_SD 1
53 
54 #define SDSC_MAX_CAPACITY   (2 * GiB)
55 
56 #define INVALID_ADDRESS     UINT32_MAX
57 
58 typedef enum {
59     sd_r0 = 0,    /* no response */
60     sd_r1,        /* normal response command */
61     sd_r2_i,      /* CID register */
62     sd_r2_s,      /* CSD register */
63     sd_r3,        /* OCR register */
64     sd_r6 = 6,    /* Published RCA response */
65     sd_r7,        /* Operating voltage */
66     sd_r1b = -1,
67     sd_illegal = -2,
68 } sd_rsp_type_t;
69 
70 enum SDCardModes {
71     sd_inactive,
72     sd_card_identification_mode,
73     sd_data_transfer_mode,
74 };
75 
76 enum SDCardStates {
77     sd_inactive_state = -1,
78     sd_idle_state = 0,
79     sd_ready_state,
80     sd_identification_state,
81     sd_standby_state,
82     sd_transfer_state,
83     sd_sendingdata_state,
84     sd_receivingdata_state,
85     sd_programming_state,
86     sd_disconnect_state,
87 };
88 
89 struct SDState {
90     DeviceState parent_obj;
91 
92     /* If true, created by sd_init() for a non-qdevified caller */
93     /* TODO purge them with fire */
94     bool me_no_qdev_me_kill_mammoth_with_rocks;
95 
96     /* SD Memory Card Registers */
97     uint32_t ocr;
98     uint8_t scr[8];
99     uint8_t cid[16];
100     uint8_t csd[16];
101     uint16_t rca;
102     uint32_t card_status;
103     uint8_t sd_status[64];
104 
105     /* Static properties */
106 
107     uint8_t spec_version;
108     BlockBackend *blk;
109     bool spi;
110 
111     /* Runtime changeables */
112 
113     uint32_t mode;    /* current card mode, one of SDCardModes */
114     int32_t state;    /* current card state, one of SDCardStates */
115     uint32_t vhs;
116     bool wp_switch;
117     unsigned long *wp_groups;
118     int32_t wpgrps_size;
119     uint64_t size;
120     uint32_t blk_len;
121     uint32_t multi_blk_cnt;
122     uint32_t erase_start;
123     uint32_t erase_end;
124     uint8_t pwd[16];
125     uint32_t pwd_len;
126     uint8_t function_group[6];
127     uint8_t current_cmd;
128     /* True if we will handle the next command as an ACMD. Note that this does
129      * *not* track the APP_CMD status bit!
130      */
131     bool expecting_acmd;
132     uint32_t blk_written;
133     uint64_t data_start;
134     uint32_t data_offset;
135     uint8_t data[512];
136     qemu_irq readonly_cb;
137     qemu_irq inserted_cb;
138     QEMUTimer *ocr_power_timer;
139     const char *proto_name;
140     bool enable;
141     uint8_t dat_lines;
142     bool cmd_line;
143 };
144 
145 static void sd_realize(DeviceState *dev, Error **errp);
146 
147 static const char *sd_state_name(enum SDCardStates state)
148 {
149     static const char *state_name[] = {
150         [sd_idle_state]             = "idle",
151         [sd_ready_state]            = "ready",
152         [sd_identification_state]   = "identification",
153         [sd_standby_state]          = "standby",
154         [sd_transfer_state]         = "transfer",
155         [sd_sendingdata_state]      = "sendingdata",
156         [sd_receivingdata_state]    = "receivingdata",
157         [sd_programming_state]      = "programming",
158         [sd_disconnect_state]       = "disconnect",
159     };
160     if (state == sd_inactive_state) {
161         return "inactive";
162     }
163     assert(state < ARRAY_SIZE(state_name));
164     return state_name[state];
165 }
166 
167 static const char *sd_response_name(sd_rsp_type_t rsp)
168 {
169     static const char *response_name[] = {
170         [sd_r0]     = "RESP#0 (no response)",
171         [sd_r1]     = "RESP#1 (normal cmd)",
172         [sd_r2_i]   = "RESP#2 (CID reg)",
173         [sd_r2_s]   = "RESP#2 (CSD reg)",
174         [sd_r3]     = "RESP#3 (OCR reg)",
175         [sd_r6]     = "RESP#6 (RCA)",
176         [sd_r7]     = "RESP#7 (operating voltage)",
177     };
178     if (rsp == sd_illegal) {
179         return "ILLEGAL RESP";
180     }
181     if (rsp == sd_r1b) {
182         rsp = sd_r1;
183     }
184     assert(rsp < ARRAY_SIZE(response_name));
185     return response_name[rsp];
186 }
187 
188 static uint8_t sd_get_dat_lines(SDState *sd)
189 {
190     return sd->enable ? sd->dat_lines : 0;
191 }
192 
193 static bool sd_get_cmd_line(SDState *sd)
194 {
195     return sd->enable ? sd->cmd_line : false;
196 }
197 
198 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
199 {
200     trace_sdcard_set_voltage(millivolts);
201 
202     switch (millivolts) {
203     case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
204     case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
205         break;
206     default:
207         qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
208                       millivolts / 1000.f);
209     }
210 }
211 
212 static void sd_set_mode(SDState *sd)
213 {
214     switch (sd->state) {
215     case sd_inactive_state:
216         sd->mode = sd_inactive;
217         break;
218 
219     case sd_idle_state:
220     case sd_ready_state:
221     case sd_identification_state:
222         sd->mode = sd_card_identification_mode;
223         break;
224 
225     case sd_standby_state:
226     case sd_transfer_state:
227     case sd_sendingdata_state:
228     case sd_receivingdata_state:
229     case sd_programming_state:
230     case sd_disconnect_state:
231         sd->mode = sd_data_transfer_mode;
232         break;
233     }
234 }
235 
236 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
237     sd_bc,   sd_none, sd_bcr,  sd_bcr,  sd_none, sd_none, sd_none, sd_ac,
238     sd_bcr,  sd_ac,   sd_ac,   sd_adtc, sd_ac,   sd_ac,   sd_none, sd_ac,
239     /* 16 */
240     sd_ac,   sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
241     sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac,   sd_ac,   sd_adtc, sd_none,
242     /* 32 */
243     sd_ac,   sd_ac,   sd_none, sd_none, sd_none, sd_none, sd_ac,   sd_none,
244     sd_none, sd_none, sd_bc,   sd_none, sd_none, sd_none, sd_none, sd_none,
245     /* 48 */
246     sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
247     sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
248 };
249 
250 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
251     0,  0,  0,  0,  0,  9, 10,  0,  0,  0,  0,  1,  0,  0,  0,  0,
252     2,  2,  2,  2,  3,  3,  3,  3,  4,  4,  4,  4,  6,  6,  6,  6,
253     5,  5, 10, 10, 10, 10,  5,  9,  9,  9,  7,  7,  7,  7,  7,  7,
254     7,  7, 10,  7,  9,  9,  9,  8,  8, 10,  8,  8,  8,  8,  8,  8,
255 };
256 
257 static uint8_t sd_crc7(const void *message, size_t width)
258 {
259     int i, bit;
260     uint8_t shift_reg = 0x00;
261     const uint8_t *msg = (const uint8_t *)message;
262 
263     for (i = 0; i < width; i ++, msg ++)
264         for (bit = 7; bit >= 0; bit --) {
265             shift_reg <<= 1;
266             if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
267                 shift_reg ^= 0x89;
268         }
269 
270     return shift_reg;
271 }
272 
273 static uint16_t sd_crc16(const void *message, size_t width)
274 {
275     int i, bit;
276     uint16_t shift_reg = 0x0000;
277     const uint16_t *msg = (const uint16_t *)message;
278     width <<= 1;
279 
280     for (i = 0; i < width; i ++, msg ++)
281         for (bit = 15; bit >= 0; bit --) {
282             shift_reg <<= 1;
283             if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
284                 shift_reg ^= 0x1011;
285         }
286 
287     return shift_reg;
288 }
289 
290 #define OCR_POWER_DELAY_NS      500000 /* 0.5ms */
291 
292 FIELD(OCR, VDD_VOLTAGE_WINDOW,          0, 24)
293 FIELD(OCR, VDD_VOLTAGE_WIN_LO,          0,  8)
294 FIELD(OCR, DUAL_VOLTAGE_CARD,           7,  1)
295 FIELD(OCR, VDD_VOLTAGE_WIN_HI,          8, 16)
296 FIELD(OCR, ACCEPT_SWITCH_1V8,          24,  1) /* Only UHS-I */
297 FIELD(OCR, UHS_II_CARD,                29,  1) /* Only UHS-II */
298 FIELD(OCR, CARD_CAPACITY,              30,  1) /* 0:SDSC, 1:SDHC/SDXC */
299 FIELD(OCR, CARD_POWER_UP,              31,  1)
300 
301 #define ACMD41_ENQUIRY_MASK     0x00ffffff
302 #define ACMD41_R3_MASK          (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
303                                | R_OCR_ACCEPT_SWITCH_1V8_MASK \
304                                | R_OCR_UHS_II_CARD_MASK \
305                                | R_OCR_CARD_CAPACITY_MASK \
306                                | R_OCR_CARD_POWER_UP_MASK)
307 
308 static void sd_set_ocr(SDState *sd)
309 {
310     /* All voltages OK */
311     sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
312 }
313 
314 static void sd_ocr_powerup(void *opaque)
315 {
316     SDState *sd = opaque;
317 
318     trace_sdcard_powerup();
319     assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
320 
321     /* card power-up OK */
322     sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
323 
324     if (sd->size > SDSC_MAX_CAPACITY) {
325         sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
326     }
327 }
328 
329 static void sd_set_scr(SDState *sd)
330 {
331     sd->scr[0] = 0 << 4;        /* SCR structure version 1.0 */
332     if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
333         sd->scr[0] |= 1;        /* Spec Version 1.10 */
334     } else {
335         sd->scr[0] |= 2;        /* Spec Version 2.00 or Version 3.0X */
336     }
337     sd->scr[1] = (2 << 4)       /* SDSC Card (Security Version 1.01) */
338                  | 0b0101;      /* 1-bit or 4-bit width bus modes */
339     sd->scr[2] = 0x00;          /* Extended Security is not supported. */
340     if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
341         sd->scr[2] |= 1 << 7;   /* Spec Version 3.0X */
342     }
343     sd->scr[3] = 0x00;
344     /* reserved for manufacturer usage */
345     sd->scr[4] = 0x00;
346     sd->scr[5] = 0x00;
347     sd->scr[6] = 0x00;
348     sd->scr[7] = 0x00;
349 }
350 
351 #define MID	0xaa
352 #define OID	"XY"
353 #define PNM	"QEMU!"
354 #define PRV	0x01
355 #define MDT_YR	2006
356 #define MDT_MON	2
357 
358 static void sd_set_cid(SDState *sd)
359 {
360     sd->cid[0] = MID;		/* Fake card manufacturer ID (MID) */
361     sd->cid[1] = OID[0];	/* OEM/Application ID (OID) */
362     sd->cid[2] = OID[1];
363     sd->cid[3] = PNM[0];	/* Fake product name (PNM) */
364     sd->cid[4] = PNM[1];
365     sd->cid[5] = PNM[2];
366     sd->cid[6] = PNM[3];
367     sd->cid[7] = PNM[4];
368     sd->cid[8] = PRV;		/* Fake product revision (PRV) */
369     sd->cid[9] = 0xde;		/* Fake serial number (PSN) */
370     sd->cid[10] = 0xad;
371     sd->cid[11] = 0xbe;
372     sd->cid[12] = 0xef;
373     sd->cid[13] = 0x00 |	/* Manufacture date (MDT) */
374         ((MDT_YR - 2000) / 10);
375     sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
376     sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
377 }
378 
379 #define HWBLOCK_SHIFT	9			/* 512 bytes */
380 #define SECTOR_SHIFT	5			/* 16 kilobytes */
381 #define WPGROUP_SHIFT	7			/* 2 megs */
382 #define CMULT_SHIFT	9			/* 512 times HWBLOCK_SIZE */
383 #define WPGROUP_SIZE	(1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
384 
385 static const uint8_t sd_csd_rw_mask[16] = {
386     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
387     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
388 };
389 
390 static void sd_set_csd(SDState *sd, uint64_t size)
391 {
392     int hwblock_shift = HWBLOCK_SHIFT;
393     uint32_t csize;
394     uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
395     uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
396 
397     /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
398     if (size == SDSC_MAX_CAPACITY) {
399         hwblock_shift += 1;
400     }
401     csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
402 
403     if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
404         sd->csd[0] = 0x00;	/* CSD structure */
405         sd->csd[1] = 0x26;	/* Data read access-time-1 */
406         sd->csd[2] = 0x00;	/* Data read access-time-2 */
407         sd->csd[3] = 0x32;      /* Max. data transfer rate: 25 MHz */
408         sd->csd[4] = 0x5f;	/* Card Command Classes */
409         sd->csd[5] = 0x50 |	/* Max. read data block length */
410             hwblock_shift;
411         sd->csd[6] = 0xe0 |	/* Partial block for read allowed */
412             ((csize >> 10) & 0x03);
413         sd->csd[7] = 0x00 |	/* Device size */
414             ((csize >> 2) & 0xff);
415         sd->csd[8] = 0x3f |	/* Max. read current */
416             ((csize << 6) & 0xc0);
417         sd->csd[9] = 0xfc |	/* Max. write current */
418             ((CMULT_SHIFT - 2) >> 1);
419         sd->csd[10] = 0x40 |	/* Erase sector size */
420             (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
421         sd->csd[11] = 0x00 |	/* Write protect group size */
422             ((sectsize << 7) & 0x80) | wpsize;
423         sd->csd[12] = 0x90 |	/* Write speed factor */
424             (hwblock_shift >> 2);
425         sd->csd[13] = 0x20 |	/* Max. write data block length */
426             ((hwblock_shift << 6) & 0xc0);
427         sd->csd[14] = 0x00;	/* File format group */
428     } else {			/* SDHC */
429         size /= 512 * KiB;
430         size -= 1;
431         sd->csd[0] = 0x40;
432         sd->csd[1] = 0x0e;
433         sd->csd[2] = 0x00;
434         sd->csd[3] = 0x32;
435         sd->csd[4] = 0x5b;
436         sd->csd[5] = 0x59;
437         sd->csd[6] = 0x00;
438         sd->csd[7] = (size >> 16) & 0xff;
439         sd->csd[8] = (size >> 8) & 0xff;
440         sd->csd[9] = (size & 0xff);
441         sd->csd[10] = 0x7f;
442         sd->csd[11] = 0x80;
443         sd->csd[12] = 0x0a;
444         sd->csd[13] = 0x40;
445         sd->csd[14] = 0x00;
446     }
447     sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
448 }
449 
450 static void sd_set_rca(SDState *sd)
451 {
452     sd->rca += 0x4567;
453 }
454 
455 FIELD(CSR, AKE_SEQ_ERROR,               3,  1)
456 FIELD(CSR, APP_CMD,                     5,  1)
457 FIELD(CSR, FX_EVENT,                    6,  1)
458 FIELD(CSR, READY_FOR_DATA,              8,  1)
459 FIELD(CSR, CURRENT_STATE,               9,  4)
460 FIELD(CSR, ERASE_RESET,                13,  1)
461 FIELD(CSR, CARD_ECC_DISABLED,          14,  1)
462 FIELD(CSR, WP_ERASE_SKIP,              15,  1)
463 FIELD(CSR, CSD_OVERWRITE,              16,  1)
464 FIELD(CSR, DEFERRED_RESPONSE,          17,  1)
465 FIELD(CSR, ERROR,                      19,  1)
466 FIELD(CSR, CC_ERROR,                   20,  1)
467 FIELD(CSR, CARD_ECC_FAILED,            21,  1)
468 FIELD(CSR, ILLEGAL_COMMAND,            22,  1)
469 FIELD(CSR, COM_CRC_ERROR,              23,  1)
470 FIELD(CSR, LOCK_UNLOCK_FAILED,         24,  1)
471 FIELD(CSR, CARD_IS_LOCKED,             25,  1)
472 FIELD(CSR, WP_VIOLATION,               26,  1)
473 FIELD(CSR, ERASE_PARAM,                27,  1)
474 FIELD(CSR, ERASE_SEQ_ERROR,            28,  1)
475 FIELD(CSR, BLOCK_LEN_ERROR,            29,  1)
476 FIELD(CSR, ADDRESS_ERROR,              30,  1)
477 FIELD(CSR, OUT_OF_RANGE,               31,  1)
478 
479 /* Card status bits, split by clear condition:
480  * A : According to the card current state
481  * B : Always related to the previous command
482  * C : Cleared by read
483  */
484 #define CARD_STATUS_A           (R_CSR_READY_FOR_DATA_MASK \
485                                | R_CSR_CARD_ECC_DISABLED_MASK \
486                                | R_CSR_CARD_IS_LOCKED_MASK)
487 #define CARD_STATUS_B           (R_CSR_CURRENT_STATE_MASK \
488                                | R_CSR_ILLEGAL_COMMAND_MASK \
489                                | R_CSR_COM_CRC_ERROR_MASK)
490 #define CARD_STATUS_C           (R_CSR_AKE_SEQ_ERROR_MASK \
491                                | R_CSR_APP_CMD_MASK \
492                                | R_CSR_ERASE_RESET_MASK \
493                                | R_CSR_WP_ERASE_SKIP_MASK \
494                                | R_CSR_CSD_OVERWRITE_MASK \
495                                | R_CSR_ERROR_MASK \
496                                | R_CSR_CC_ERROR_MASK \
497                                | R_CSR_CARD_ECC_FAILED_MASK \
498                                | R_CSR_LOCK_UNLOCK_FAILED_MASK \
499                                | R_CSR_WP_VIOLATION_MASK \
500                                | R_CSR_ERASE_PARAM_MASK \
501                                | R_CSR_ERASE_SEQ_ERROR_MASK \
502                                | R_CSR_BLOCK_LEN_ERROR_MASK \
503                                | R_CSR_ADDRESS_ERROR_MASK \
504                                | R_CSR_OUT_OF_RANGE_MASK)
505 
506 static void sd_set_cardstatus(SDState *sd)
507 {
508     sd->card_status = 0x00000100;
509 }
510 
511 static void sd_set_sdstatus(SDState *sd)
512 {
513     memset(sd->sd_status, 0, 64);
514 }
515 
516 static int sd_req_crc_validate(SDRequest *req)
517 {
518     uint8_t buffer[5];
519     buffer[0] = 0x40 | req->cmd;
520     stl_be_p(&buffer[1], req->arg);
521     return 0;
522     return sd_crc7(buffer, 5) != req->crc;	/* TODO */
523 }
524 
525 static void sd_response_r1_make(SDState *sd, uint8_t *response)
526 {
527     stl_be_p(response, sd->card_status);
528 
529     /* Clear the "clear on read" status bits */
530     sd->card_status &= ~CARD_STATUS_C;
531 }
532 
533 static void sd_response_r3_make(SDState *sd, uint8_t *response)
534 {
535     stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
536 }
537 
538 static void sd_response_r6_make(SDState *sd, uint8_t *response)
539 {
540     uint16_t status;
541 
542     status = ((sd->card_status >> 8) & 0xc000) |
543              ((sd->card_status >> 6) & 0x2000) |
544               (sd->card_status & 0x1fff);
545     sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
546     stw_be_p(response + 0, sd->rca);
547     stw_be_p(response + 2, status);
548 }
549 
550 static void sd_response_r7_make(SDState *sd, uint8_t *response)
551 {
552     stl_be_p(response, sd->vhs);
553 }
554 
555 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
556 {
557     return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
558 }
559 
560 static void sd_reset(DeviceState *dev)
561 {
562     SDState *sd = SD_CARD(dev);
563     uint64_t size;
564     uint64_t sect;
565 
566     trace_sdcard_reset();
567     if (sd->blk) {
568         blk_get_geometry(sd->blk, &sect);
569     } else {
570         sect = 0;
571     }
572     size = sect << 9;
573 
574     sect = sd_addr_to_wpnum(size) + 1;
575 
576     sd->state = sd_idle_state;
577     sd->rca = 0x0000;
578     sd_set_ocr(sd);
579     sd_set_scr(sd);
580     sd_set_cid(sd);
581     sd_set_csd(sd, size);
582     sd_set_cardstatus(sd);
583     sd_set_sdstatus(sd);
584 
585     g_free(sd->wp_groups);
586     sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
587     sd->wpgrps_size = sect;
588     sd->wp_groups = bitmap_new(sd->wpgrps_size);
589     memset(sd->function_group, 0, sizeof(sd->function_group));
590     sd->erase_start = INVALID_ADDRESS;
591     sd->erase_end = INVALID_ADDRESS;
592     sd->size = size;
593     sd->blk_len = 0x200;
594     sd->pwd_len = 0;
595     sd->expecting_acmd = false;
596     sd->dat_lines = 0xf;
597     sd->cmd_line = true;
598     sd->multi_blk_cnt = 0;
599 }
600 
601 static bool sd_get_inserted(SDState *sd)
602 {
603     return sd->blk && blk_is_inserted(sd->blk);
604 }
605 
606 static bool sd_get_readonly(SDState *sd)
607 {
608     return sd->wp_switch;
609 }
610 
611 static void sd_cardchange(void *opaque, bool load, Error **errp)
612 {
613     SDState *sd = opaque;
614     DeviceState *dev = DEVICE(sd);
615     SDBus *sdbus;
616     bool inserted = sd_get_inserted(sd);
617     bool readonly = sd_get_readonly(sd);
618 
619     if (inserted) {
620         trace_sdcard_inserted(readonly);
621         sd_reset(dev);
622     } else {
623         trace_sdcard_ejected();
624     }
625 
626     if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
627         qemu_set_irq(sd->inserted_cb, inserted);
628         if (inserted) {
629             qemu_set_irq(sd->readonly_cb, readonly);
630         }
631     } else {
632         sdbus = SD_BUS(qdev_get_parent_bus(dev));
633         sdbus_set_inserted(sdbus, inserted);
634         if (inserted) {
635             sdbus_set_readonly(sdbus, readonly);
636         }
637     }
638 }
639 
640 static const BlockDevOps sd_block_ops = {
641     .change_media_cb = sd_cardchange,
642 };
643 
644 static bool sd_ocr_vmstate_needed(void *opaque)
645 {
646     SDState *sd = opaque;
647 
648     /* Include the OCR state (and timer) if it is not yet powered up */
649     return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
650 }
651 
652 static const VMStateDescription sd_ocr_vmstate = {
653     .name = "sd-card/ocr-state",
654     .version_id = 1,
655     .minimum_version_id = 1,
656     .needed = sd_ocr_vmstate_needed,
657     .fields = (VMStateField[]) {
658         VMSTATE_UINT32(ocr, SDState),
659         VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
660         VMSTATE_END_OF_LIST()
661     },
662 };
663 
664 static int sd_vmstate_pre_load(void *opaque)
665 {
666     SDState *sd = opaque;
667 
668     /* If the OCR state is not included (prior versions, or not
669      * needed), then the OCR must be set as powered up. If the OCR state
670      * is included, this will be replaced by the state restore.
671      */
672     sd_ocr_powerup(sd);
673 
674     return 0;
675 }
676 
677 static const VMStateDescription sd_vmstate = {
678     .name = "sd-card",
679     .version_id = 2,
680     .minimum_version_id = 2,
681     .pre_load = sd_vmstate_pre_load,
682     .fields = (VMStateField[]) {
683         VMSTATE_UINT32(mode, SDState),
684         VMSTATE_INT32(state, SDState),
685         VMSTATE_UINT8_ARRAY(cid, SDState, 16),
686         VMSTATE_UINT8_ARRAY(csd, SDState, 16),
687         VMSTATE_UINT16(rca, SDState),
688         VMSTATE_UINT32(card_status, SDState),
689         VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
690         VMSTATE_UINT32(vhs, SDState),
691         VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
692         VMSTATE_UINT32(blk_len, SDState),
693         VMSTATE_UINT32(multi_blk_cnt, SDState),
694         VMSTATE_UINT32(erase_start, SDState),
695         VMSTATE_UINT32(erase_end, SDState),
696         VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
697         VMSTATE_UINT32(pwd_len, SDState),
698         VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
699         VMSTATE_UINT8(current_cmd, SDState),
700         VMSTATE_BOOL(expecting_acmd, SDState),
701         VMSTATE_UINT32(blk_written, SDState),
702         VMSTATE_UINT64(data_start, SDState),
703         VMSTATE_UINT32(data_offset, SDState),
704         VMSTATE_UINT8_ARRAY(data, SDState, 512),
705         VMSTATE_UNUSED_V(1, 512),
706         VMSTATE_BOOL(enable, SDState),
707         VMSTATE_END_OF_LIST()
708     },
709     .subsections = (const VMStateDescription*[]) {
710         &sd_ocr_vmstate,
711         NULL
712     },
713 };
714 
715 /* Legacy initialization function for use by non-qdevified callers */
716 SDState *sd_init(BlockBackend *blk, bool is_spi)
717 {
718     Object *obj;
719     DeviceState *dev;
720     SDState *sd;
721     Error *err = NULL;
722 
723     obj = object_new(TYPE_SD_CARD);
724     dev = DEVICE(obj);
725     if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
726         error_reportf_err(err, "sd_init failed: ");
727         return NULL;
728     }
729     qdev_prop_set_bit(dev, "spi", is_spi);
730 
731     /*
732      * Realizing the device properly would put it into the QOM
733      * composition tree even though it is not plugged into an
734      * appropriate bus.  That's a no-no.  Hide the device from
735      * QOM/qdev, and call its qdev realize callback directly.
736      */
737     object_ref(obj);
738     object_unparent(obj);
739     sd_realize(dev, &err);
740     if (err) {
741         error_reportf_err(err, "sd_init failed: ");
742         return NULL;
743     }
744 
745     sd = SD_CARD(dev);
746     sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
747     return sd;
748 }
749 
750 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
751 {
752     sd->readonly_cb = readonly;
753     sd->inserted_cb = insert;
754     qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
755     qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
756 }
757 
758 static void sd_erase(SDState *sd)
759 {
760     int i;
761     uint64_t erase_start = sd->erase_start;
762     uint64_t erase_end = sd->erase_end;
763 
764     trace_sdcard_erase(sd->erase_start, sd->erase_end);
765     if (sd->erase_start == INVALID_ADDRESS
766             || sd->erase_end == INVALID_ADDRESS) {
767         sd->card_status |= ERASE_SEQ_ERROR;
768         sd->erase_start = INVALID_ADDRESS;
769         sd->erase_end = INVALID_ADDRESS;
770         return;
771     }
772 
773     if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
774         /* High capacity memory card: erase units are 512 byte blocks */
775         erase_start *= 512;
776         erase_end *= 512;
777     }
778 
779     if (sd->erase_start > sd->size || sd->erase_end > sd->size) {
780         sd->card_status |= OUT_OF_RANGE;
781         sd->erase_start = INVALID_ADDRESS;
782         sd->erase_end = INVALID_ADDRESS;
783         return;
784     }
785 
786     erase_start = sd_addr_to_wpnum(erase_start);
787     erase_end = sd_addr_to_wpnum(erase_end);
788     sd->erase_start = INVALID_ADDRESS;
789     sd->erase_end = INVALID_ADDRESS;
790     sd->csd[14] |= 0x40;
791 
792     for (i = erase_start; i <= erase_end; i++) {
793         assert(i < sd->wpgrps_size);
794         if (test_bit(i, sd->wp_groups)) {
795             sd->card_status |= WP_ERASE_SKIP;
796         }
797     }
798 }
799 
800 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
801 {
802     uint32_t i, wpnum;
803     uint32_t ret = 0;
804 
805     wpnum = sd_addr_to_wpnum(addr);
806 
807     for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
808         assert(wpnum < sd->wpgrps_size);
809         if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
810             ret |= (1 << i);
811         }
812     }
813 
814     return ret;
815 }
816 
817 static void sd_function_switch(SDState *sd, uint32_t arg)
818 {
819     int i, mode, new_func;
820     mode = !!(arg & 0x80000000);
821 
822     sd->data[0] = 0x00;		/* Maximum current consumption */
823     sd->data[1] = 0x01;
824     sd->data[2] = 0x80;		/* Supported group 6 functions */
825     sd->data[3] = 0x01;
826     sd->data[4] = 0x80;		/* Supported group 5 functions */
827     sd->data[5] = 0x01;
828     sd->data[6] = 0x80;		/* Supported group 4 functions */
829     sd->data[7] = 0x01;
830     sd->data[8] = 0x80;		/* Supported group 3 functions */
831     sd->data[9] = 0x01;
832     sd->data[10] = 0x80;	/* Supported group 2 functions */
833     sd->data[11] = 0x43;
834     sd->data[12] = 0x80;	/* Supported group 1 functions */
835     sd->data[13] = 0x03;
836 
837     memset(&sd->data[14], 0, 3);
838     for (i = 0; i < 6; i ++) {
839         new_func = (arg >> (i * 4)) & 0x0f;
840         if (mode && new_func != 0x0f)
841             sd->function_group[i] = new_func;
842         sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
843     }
844     memset(&sd->data[17], 0, 47);
845     stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
846 }
847 
848 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
849 {
850     return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
851 }
852 
853 static void sd_lock_command(SDState *sd)
854 {
855     int erase, lock, clr_pwd, set_pwd, pwd_len;
856     erase = !!(sd->data[0] & 0x08);
857     lock = sd->data[0] & 0x04;
858     clr_pwd = sd->data[0] & 0x02;
859     set_pwd = sd->data[0] & 0x01;
860 
861     if (sd->blk_len > 1)
862         pwd_len = sd->data[1];
863     else
864         pwd_len = 0;
865 
866     if (lock) {
867         trace_sdcard_lock();
868     } else {
869         trace_sdcard_unlock();
870     }
871     if (erase) {
872         if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
873                         set_pwd || clr_pwd || lock || sd->wp_switch ||
874                         (sd->csd[14] & 0x20)) {
875             sd->card_status |= LOCK_UNLOCK_FAILED;
876             return;
877         }
878         bitmap_zero(sd->wp_groups, sd->wpgrps_size);
879         sd->csd[14] &= ~0x10;
880         sd->card_status &= ~CARD_IS_LOCKED;
881         sd->pwd_len = 0;
882         /* Erasing the entire card here! */
883         fprintf(stderr, "SD: Card force-erased by CMD42\n");
884         return;
885     }
886 
887     if (sd->blk_len < 2 + pwd_len ||
888                     pwd_len <= sd->pwd_len ||
889                     pwd_len > sd->pwd_len + 16) {
890         sd->card_status |= LOCK_UNLOCK_FAILED;
891         return;
892     }
893 
894     if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
895         sd->card_status |= LOCK_UNLOCK_FAILED;
896         return;
897     }
898 
899     pwd_len -= sd->pwd_len;
900     if ((pwd_len && !set_pwd) ||
901                     (clr_pwd && (set_pwd || lock)) ||
902                     (lock && !sd->pwd_len && !set_pwd) ||
903                     (!set_pwd && !clr_pwd &&
904                      (((sd->card_status & CARD_IS_LOCKED) && lock) ||
905                       (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
906         sd->card_status |= LOCK_UNLOCK_FAILED;
907         return;
908     }
909 
910     if (set_pwd) {
911         memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
912         sd->pwd_len = pwd_len;
913     }
914 
915     if (clr_pwd) {
916         sd->pwd_len = 0;
917     }
918 
919     if (lock)
920         sd->card_status |= CARD_IS_LOCKED;
921     else
922         sd->card_status &= ~CARD_IS_LOCKED;
923 }
924 
925 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
926 {
927     uint32_t rca = 0x0000;
928     uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
929 
930     /* CMD55 precedes an ACMD, so we are not interested in tracing it.
931      * However there is no ACMD55, so we want to trace this particular case.
932      */
933     if (req.cmd != 55 || sd->expecting_acmd) {
934         trace_sdcard_normal_command(sd->proto_name,
935                                     sd_cmd_name(req.cmd), req.cmd,
936                                     req.arg, sd_state_name(sd->state));
937     }
938 
939     /* Not interpreting this as an app command */
940     sd->card_status &= ~APP_CMD;
941 
942     if (sd_cmd_type[req.cmd] == sd_ac
943         || sd_cmd_type[req.cmd] == sd_adtc) {
944         rca = req.arg >> 16;
945     }
946 
947     /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
948      * if not, its effects are cancelled */
949     if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
950         sd->multi_blk_cnt = 0;
951     }
952 
953     if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
954         /* Only Standard Capacity cards support class 6 commands */
955         return sd_illegal;
956     }
957 
958     switch (req.cmd) {
959     /* Basic commands (Class 0 and Class 1) */
960     case 0:	/* CMD0:   GO_IDLE_STATE */
961         switch (sd->state) {
962         case sd_inactive_state:
963             return sd->spi ? sd_r1 : sd_r0;
964 
965         default:
966             sd->state = sd_idle_state;
967             sd_reset(DEVICE(sd));
968             return sd->spi ? sd_r1 : sd_r0;
969         }
970         break;
971 
972     case 1:	/* CMD1:   SEND_OP_CMD */
973         if (!sd->spi)
974             goto bad_cmd;
975 
976         sd->state = sd_transfer_state;
977         return sd_r1;
978 
979     case 2:	/* CMD2:   ALL_SEND_CID */
980         if (sd->spi)
981             goto bad_cmd;
982         switch (sd->state) {
983         case sd_ready_state:
984             sd->state = sd_identification_state;
985             return sd_r2_i;
986 
987         default:
988             break;
989         }
990         break;
991 
992     case 3:	/* CMD3:   SEND_RELATIVE_ADDR */
993         if (sd->spi)
994             goto bad_cmd;
995         switch (sd->state) {
996         case sd_identification_state:
997         case sd_standby_state:
998             sd->state = sd_standby_state;
999             sd_set_rca(sd);
1000             return sd_r6;
1001 
1002         default:
1003             break;
1004         }
1005         break;
1006 
1007     case 4:	/* CMD4:   SEND_DSR */
1008         if (sd->spi)
1009             goto bad_cmd;
1010         switch (sd->state) {
1011         case sd_standby_state:
1012             break;
1013 
1014         default:
1015             break;
1016         }
1017         break;
1018 
1019     case 5: /* CMD5: reserved for SDIO cards */
1020         return sd_illegal;
1021 
1022     case 6:	/* CMD6:   SWITCH_FUNCTION */
1023         switch (sd->mode) {
1024         case sd_data_transfer_mode:
1025             sd_function_switch(sd, req.arg);
1026             sd->state = sd_sendingdata_state;
1027             sd->data_start = 0;
1028             sd->data_offset = 0;
1029             return sd_r1;
1030 
1031         default:
1032             break;
1033         }
1034         break;
1035 
1036     case 7:	/* CMD7:   SELECT/DESELECT_CARD */
1037         if (sd->spi)
1038             goto bad_cmd;
1039         switch (sd->state) {
1040         case sd_standby_state:
1041             if (sd->rca != rca)
1042                 return sd_r0;
1043 
1044             sd->state = sd_transfer_state;
1045             return sd_r1b;
1046 
1047         case sd_transfer_state:
1048         case sd_sendingdata_state:
1049             if (sd->rca == rca)
1050                 break;
1051 
1052             sd->state = sd_standby_state;
1053             return sd_r1b;
1054 
1055         case sd_disconnect_state:
1056             if (sd->rca != rca)
1057                 return sd_r0;
1058 
1059             sd->state = sd_programming_state;
1060             return sd_r1b;
1061 
1062         case sd_programming_state:
1063             if (sd->rca == rca)
1064                 break;
1065 
1066             sd->state = sd_disconnect_state;
1067             return sd_r1b;
1068 
1069         default:
1070             break;
1071         }
1072         break;
1073 
1074     case 8:	/* CMD8:   SEND_IF_COND */
1075         if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1076             break;
1077         }
1078         if (sd->state != sd_idle_state) {
1079             break;
1080         }
1081         sd->vhs = 0;
1082 
1083         /* No response if not exactly one VHS bit is set.  */
1084         if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1085             return sd->spi ? sd_r7 : sd_r0;
1086         }
1087 
1088         /* Accept.  */
1089         sd->vhs = req.arg;
1090         return sd_r7;
1091 
1092     case 9:	/* CMD9:   SEND_CSD */
1093         switch (sd->state) {
1094         case sd_standby_state:
1095             if (sd->rca != rca)
1096                 return sd_r0;
1097 
1098             return sd_r2_s;
1099 
1100         case sd_transfer_state:
1101             if (!sd->spi)
1102                 break;
1103             sd->state = sd_sendingdata_state;
1104             memcpy(sd->data, sd->csd, 16);
1105             sd->data_start = addr;
1106             sd->data_offset = 0;
1107             return sd_r1;
1108 
1109         default:
1110             break;
1111         }
1112         break;
1113 
1114     case 10:	/* CMD10:  SEND_CID */
1115         switch (sd->state) {
1116         case sd_standby_state:
1117             if (sd->rca != rca)
1118                 return sd_r0;
1119 
1120             return sd_r2_i;
1121 
1122         case sd_transfer_state:
1123             if (!sd->spi)
1124                 break;
1125             sd->state = sd_sendingdata_state;
1126             memcpy(sd->data, sd->cid, 16);
1127             sd->data_start = addr;
1128             sd->data_offset = 0;
1129             return sd_r1;
1130 
1131         default:
1132             break;
1133         }
1134         break;
1135 
1136     case 12:	/* CMD12:  STOP_TRANSMISSION */
1137         switch (sd->state) {
1138         case sd_sendingdata_state:
1139             sd->state = sd_transfer_state;
1140             return sd_r1b;
1141 
1142         case sd_receivingdata_state:
1143             sd->state = sd_programming_state;
1144             /* Bzzzzzzztt .... Operation complete.  */
1145             sd->state = sd_transfer_state;
1146             return sd_r1b;
1147 
1148         default:
1149             break;
1150         }
1151         break;
1152 
1153     case 13:	/* CMD13:  SEND_STATUS */
1154         switch (sd->mode) {
1155         case sd_data_transfer_mode:
1156             if (sd->rca != rca)
1157                 return sd_r0;
1158 
1159             return sd_r1;
1160 
1161         default:
1162             break;
1163         }
1164         break;
1165 
1166     case 15:	/* CMD15:  GO_INACTIVE_STATE */
1167         if (sd->spi)
1168             goto bad_cmd;
1169         switch (sd->mode) {
1170         case sd_data_transfer_mode:
1171             if (sd->rca != rca)
1172                 return sd_r0;
1173 
1174             sd->state = sd_inactive_state;
1175             return sd_r0;
1176 
1177         default:
1178             break;
1179         }
1180         break;
1181 
1182     /* Block read commands (Classs 2) */
1183     case 16:	/* CMD16:  SET_BLOCKLEN */
1184         switch (sd->state) {
1185         case sd_transfer_state:
1186             if (req.arg > (1 << HWBLOCK_SHIFT)) {
1187                 sd->card_status |= BLOCK_LEN_ERROR;
1188             } else {
1189                 trace_sdcard_set_blocklen(req.arg);
1190                 sd->blk_len = req.arg;
1191             }
1192 
1193             return sd_r1;
1194 
1195         default:
1196             break;
1197         }
1198         break;
1199 
1200     case 17:	/* CMD17:  READ_SINGLE_BLOCK */
1201         switch (sd->state) {
1202         case sd_transfer_state:
1203 
1204             if (addr + sd->blk_len > sd->size) {
1205                 sd->card_status |= ADDRESS_ERROR;
1206                 return sd_r1;
1207             }
1208 
1209             sd->state = sd_sendingdata_state;
1210             sd->data_start = addr;
1211             sd->data_offset = 0;
1212             return sd_r1;
1213 
1214         default:
1215             break;
1216         }
1217         break;
1218 
1219     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
1220         switch (sd->state) {
1221         case sd_transfer_state:
1222 
1223             if (addr + sd->blk_len > sd->size) {
1224                 sd->card_status |= ADDRESS_ERROR;
1225                 return sd_r1;
1226             }
1227 
1228             sd->state = sd_sendingdata_state;
1229             sd->data_start = addr;
1230             sd->data_offset = 0;
1231             return sd_r1;
1232 
1233         default:
1234             break;
1235         }
1236         break;
1237 
1238     case 19:    /* CMD19: SEND_TUNING_BLOCK (SD) */
1239         if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1240             break;
1241         }
1242         if (sd->state == sd_transfer_state) {
1243             sd->state = sd_sendingdata_state;
1244             sd->data_offset = 0;
1245             return sd_r1;
1246         }
1247         break;
1248 
1249     case 23:    /* CMD23: SET_BLOCK_COUNT */
1250         if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1251             break;
1252         }
1253         switch (sd->state) {
1254         case sd_transfer_state:
1255             sd->multi_blk_cnt = req.arg;
1256             return sd_r1;
1257 
1258         default:
1259             break;
1260         }
1261         break;
1262 
1263     /* Block write commands (Class 4) */
1264     case 24:	/* CMD24:  WRITE_SINGLE_BLOCK */
1265         switch (sd->state) {
1266         case sd_transfer_state:
1267             /* Writing in SPI mode not implemented.  */
1268             if (sd->spi)
1269                 break;
1270 
1271             if (addr + sd->blk_len > sd->size) {
1272                 sd->card_status |= ADDRESS_ERROR;
1273                 return sd_r1;
1274             }
1275 
1276             sd->state = sd_receivingdata_state;
1277             sd->data_start = addr;
1278             sd->data_offset = 0;
1279             sd->blk_written = 0;
1280 
1281             if (sd_wp_addr(sd, sd->data_start)) {
1282                 sd->card_status |= WP_VIOLATION;
1283             }
1284             if (sd->csd[14] & 0x30) {
1285                 sd->card_status |= WP_VIOLATION;
1286             }
1287             return sd_r1;
1288 
1289         default:
1290             break;
1291         }
1292         break;
1293 
1294     case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
1295         switch (sd->state) {
1296         case sd_transfer_state:
1297             /* Writing in SPI mode not implemented.  */
1298             if (sd->spi)
1299                 break;
1300 
1301             if (addr + sd->blk_len > sd->size) {
1302                 sd->card_status |= ADDRESS_ERROR;
1303                 return sd_r1;
1304             }
1305 
1306             sd->state = sd_receivingdata_state;
1307             sd->data_start = addr;
1308             sd->data_offset = 0;
1309             sd->blk_written = 0;
1310 
1311             if (sd_wp_addr(sd, sd->data_start)) {
1312                 sd->card_status |= WP_VIOLATION;
1313             }
1314             if (sd->csd[14] & 0x30) {
1315                 sd->card_status |= WP_VIOLATION;
1316             }
1317             return sd_r1;
1318 
1319         default:
1320             break;
1321         }
1322         break;
1323 
1324     case 26:	/* CMD26:  PROGRAM_CID */
1325         if (sd->spi)
1326             goto bad_cmd;
1327         switch (sd->state) {
1328         case sd_transfer_state:
1329             sd->state = sd_receivingdata_state;
1330             sd->data_start = 0;
1331             sd->data_offset = 0;
1332             return sd_r1;
1333 
1334         default:
1335             break;
1336         }
1337         break;
1338 
1339     case 27:	/* CMD27:  PROGRAM_CSD */
1340         switch (sd->state) {
1341         case sd_transfer_state:
1342             sd->state = sd_receivingdata_state;
1343             sd->data_start = 0;
1344             sd->data_offset = 0;
1345             return sd_r1;
1346 
1347         default:
1348             break;
1349         }
1350         break;
1351 
1352     /* Write protection (Class 6) */
1353     case 28:	/* CMD28:  SET_WRITE_PROT */
1354         switch (sd->state) {
1355         case sd_transfer_state:
1356             if (addr >= sd->size) {
1357                 sd->card_status |= ADDRESS_ERROR;
1358                 return sd_r1b;
1359             }
1360 
1361             sd->state = sd_programming_state;
1362             set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1363             /* Bzzzzzzztt .... Operation complete.  */
1364             sd->state = sd_transfer_state;
1365             return sd_r1b;
1366 
1367         default:
1368             break;
1369         }
1370         break;
1371 
1372     case 29:	/* CMD29:  CLR_WRITE_PROT */
1373         switch (sd->state) {
1374         case sd_transfer_state:
1375             if (addr >= sd->size) {
1376                 sd->card_status |= ADDRESS_ERROR;
1377                 return sd_r1b;
1378             }
1379 
1380             sd->state = sd_programming_state;
1381             clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1382             /* Bzzzzzzztt .... Operation complete.  */
1383             sd->state = sd_transfer_state;
1384             return sd_r1b;
1385 
1386         default:
1387             break;
1388         }
1389         break;
1390 
1391     case 30:	/* CMD30:  SEND_WRITE_PROT */
1392         switch (sd->state) {
1393         case sd_transfer_state:
1394             sd->state = sd_sendingdata_state;
1395             *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1396             sd->data_start = addr;
1397             sd->data_offset = 0;
1398             return sd_r1b;
1399 
1400         default:
1401             break;
1402         }
1403         break;
1404 
1405     /* Erase commands (Class 5) */
1406     case 32:	/* CMD32:  ERASE_WR_BLK_START */
1407         switch (sd->state) {
1408         case sd_transfer_state:
1409             sd->erase_start = req.arg;
1410             return sd_r1;
1411 
1412         default:
1413             break;
1414         }
1415         break;
1416 
1417     case 33:	/* CMD33:  ERASE_WR_BLK_END */
1418         switch (sd->state) {
1419         case sd_transfer_state:
1420             sd->erase_end = req.arg;
1421             return sd_r1;
1422 
1423         default:
1424             break;
1425         }
1426         break;
1427 
1428     case 38:	/* CMD38:  ERASE */
1429         switch (sd->state) {
1430         case sd_transfer_state:
1431             if (sd->csd[14] & 0x30) {
1432                 sd->card_status |= WP_VIOLATION;
1433                 return sd_r1b;
1434             }
1435 
1436             sd->state = sd_programming_state;
1437             sd_erase(sd);
1438             /* Bzzzzzzztt .... Operation complete.  */
1439             sd->state = sd_transfer_state;
1440             return sd_r1b;
1441 
1442         default:
1443             break;
1444         }
1445         break;
1446 
1447     /* Lock card commands (Class 7) */
1448     case 42:	/* CMD42:  LOCK_UNLOCK */
1449         switch (sd->state) {
1450         case sd_transfer_state:
1451             sd->state = sd_receivingdata_state;
1452             sd->data_start = 0;
1453             sd->data_offset = 0;
1454             return sd_r1;
1455 
1456         default:
1457             break;
1458         }
1459         break;
1460 
1461     case 52 ... 54:
1462         /* CMD52, CMD53, CMD54: reserved for SDIO cards
1463          * (see the SDIO Simplified Specification V2.0)
1464          * Handle as illegal command but do not complain
1465          * on stderr, as some OSes may use these in their
1466          * probing for presence of an SDIO card.
1467          */
1468         return sd_illegal;
1469 
1470     /* Application specific commands (Class 8) */
1471     case 55:	/* CMD55:  APP_CMD */
1472         switch (sd->state) {
1473         case sd_ready_state:
1474         case sd_identification_state:
1475         case sd_inactive_state:
1476             return sd_illegal;
1477         case sd_idle_state:
1478             if (rca) {
1479                 qemu_log_mask(LOG_GUEST_ERROR,
1480                               "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1481             }
1482         default:
1483             break;
1484         }
1485         if (!sd->spi) {
1486             if (sd->rca != rca) {
1487                 return sd_r0;
1488             }
1489         }
1490         sd->expecting_acmd = true;
1491         sd->card_status |= APP_CMD;
1492         return sd_r1;
1493 
1494     case 56:	/* CMD56:  GEN_CMD */
1495         switch (sd->state) {
1496         case sd_transfer_state:
1497             sd->data_offset = 0;
1498             if (req.arg & 1)
1499                 sd->state = sd_sendingdata_state;
1500             else
1501                 sd->state = sd_receivingdata_state;
1502             return sd_r1;
1503 
1504         default:
1505             break;
1506         }
1507         break;
1508 
1509     case 58:    /* CMD58:   READ_OCR (SPI) */
1510         if (!sd->spi) {
1511             goto bad_cmd;
1512         }
1513         return sd_r3;
1514 
1515     case 59:    /* CMD59:   CRC_ON_OFF (SPI) */
1516         if (!sd->spi) {
1517             goto bad_cmd;
1518         }
1519         goto unimplemented_spi_cmd;
1520 
1521     default:
1522     bad_cmd:
1523         qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1524         return sd_illegal;
1525 
1526     unimplemented_spi_cmd:
1527         /* Commands that are recognised but not yet implemented in SPI mode.  */
1528         qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1529                       req.cmd);
1530         return sd_illegal;
1531     }
1532 
1533     qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1534     return sd_illegal;
1535 }
1536 
1537 static sd_rsp_type_t sd_app_command(SDState *sd,
1538                                     SDRequest req)
1539 {
1540     trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1541                              req.cmd, req.arg, sd_state_name(sd->state));
1542     sd->card_status |= APP_CMD;
1543     switch (req.cmd) {
1544     case 6:	/* ACMD6:  SET_BUS_WIDTH */
1545         if (sd->spi) {
1546             goto unimplemented_spi_cmd;
1547         }
1548         switch (sd->state) {
1549         case sd_transfer_state:
1550             sd->sd_status[0] &= 0x3f;
1551             sd->sd_status[0] |= (req.arg & 0x03) << 6;
1552             return sd_r1;
1553 
1554         default:
1555             break;
1556         }
1557         break;
1558 
1559     case 13:	/* ACMD13: SD_STATUS */
1560         switch (sd->state) {
1561         case sd_transfer_state:
1562             sd->state = sd_sendingdata_state;
1563             sd->data_start = 0;
1564             sd->data_offset = 0;
1565             return sd_r1;
1566 
1567         default:
1568             break;
1569         }
1570         break;
1571 
1572     case 22:	/* ACMD22: SEND_NUM_WR_BLOCKS */
1573         switch (sd->state) {
1574         case sd_transfer_state:
1575             *(uint32_t *) sd->data = sd->blk_written;
1576 
1577             sd->state = sd_sendingdata_state;
1578             sd->data_start = 0;
1579             sd->data_offset = 0;
1580             return sd_r1;
1581 
1582         default:
1583             break;
1584         }
1585         break;
1586 
1587     case 23:	/* ACMD23: SET_WR_BLK_ERASE_COUNT */
1588         switch (sd->state) {
1589         case sd_transfer_state:
1590             return sd_r1;
1591 
1592         default:
1593             break;
1594         }
1595         break;
1596 
1597     case 41:	/* ACMD41: SD_APP_OP_COND */
1598         if (sd->spi) {
1599             /* SEND_OP_CMD */
1600             sd->state = sd_transfer_state;
1601             return sd_r1;
1602         }
1603         if (sd->state != sd_idle_state) {
1604             break;
1605         }
1606         /* If it's the first ACMD41 since reset, we need to decide
1607          * whether to power up. If this is not an enquiry ACMD41,
1608          * we immediately report power on and proceed below to the
1609          * ready state, but if it is, we set a timer to model a
1610          * delay for power up. This works around a bug in EDK2
1611          * UEFI, which sends an initial enquiry ACMD41, but
1612          * assumes that the card is in ready state as soon as it
1613          * sees the power up bit set. */
1614         if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1615             if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1616                 timer_del(sd->ocr_power_timer);
1617                 sd_ocr_powerup(sd);
1618             } else {
1619                 trace_sdcard_inquiry_cmd41();
1620                 if (!timer_pending(sd->ocr_power_timer)) {
1621                     timer_mod_ns(sd->ocr_power_timer,
1622                                  (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1623                                   + OCR_POWER_DELAY_NS));
1624                 }
1625             }
1626         }
1627 
1628         if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1629             /* We accept any voltage.  10000 V is nothing.
1630              *
1631              * Once we're powered up, we advance straight to ready state
1632              * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1633              */
1634             sd->state = sd_ready_state;
1635         }
1636 
1637         return sd_r3;
1638 
1639     case 42:	/* ACMD42: SET_CLR_CARD_DETECT */
1640         switch (sd->state) {
1641         case sd_transfer_state:
1642             /* Bringing in the 50KOhm pull-up resistor... Done.  */
1643             return sd_r1;
1644 
1645         default:
1646             break;
1647         }
1648         break;
1649 
1650     case 51:	/* ACMD51: SEND_SCR */
1651         switch (sd->state) {
1652         case sd_transfer_state:
1653             sd->state = sd_sendingdata_state;
1654             sd->data_start = 0;
1655             sd->data_offset = 0;
1656             return sd_r1;
1657 
1658         default:
1659             break;
1660         }
1661         break;
1662 
1663     case 18:    /* Reserved for SD security applications */
1664     case 25:
1665     case 26:
1666     case 38:
1667     case 43 ... 49:
1668         /* Refer to the "SD Specifications Part3 Security Specification" for
1669          * information about the SD Security Features.
1670          */
1671         qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1672                       req.cmd);
1673         return sd_illegal;
1674 
1675     default:
1676         /* Fall back to standard commands.  */
1677         return sd_normal_command(sd, req);
1678 
1679     unimplemented_spi_cmd:
1680         /* Commands that are recognised but not yet implemented in SPI mode.  */
1681         qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1682                       req.cmd);
1683         return sd_illegal;
1684     }
1685 
1686     qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1687     return sd_illegal;
1688 }
1689 
1690 static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1691 {
1692     /* Valid commands in locked state:
1693      * basic class (0)
1694      * lock card class (7)
1695      * CMD16
1696      * implicitly, the ACMD prefix CMD55
1697      * ACMD41 and ACMD42
1698      * Anything else provokes an "illegal command" response.
1699      */
1700     if (sd->expecting_acmd) {
1701         return cmd == 41 || cmd == 42;
1702     }
1703     if (cmd == 16 || cmd == 55) {
1704         return 1;
1705     }
1706     return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1707 }
1708 
1709 int sd_do_command(SDState *sd, SDRequest *req,
1710                   uint8_t *response) {
1711     int last_state;
1712     sd_rsp_type_t rtype;
1713     int rsplen;
1714 
1715     if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1716         return 0;
1717     }
1718 
1719     if (sd_req_crc_validate(req)) {
1720         sd->card_status |= COM_CRC_ERROR;
1721         rtype = sd_illegal;
1722         goto send_response;
1723     }
1724 
1725     if (req->cmd >= SDMMC_CMD_MAX) {
1726         qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1727                       req->cmd);
1728         req->cmd &= 0x3f;
1729     }
1730 
1731     if (sd->card_status & CARD_IS_LOCKED) {
1732         if (!cmd_valid_while_locked(sd, req->cmd)) {
1733             sd->card_status |= ILLEGAL_COMMAND;
1734             sd->expecting_acmd = false;
1735             qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1736             rtype = sd_illegal;
1737             goto send_response;
1738         }
1739     }
1740 
1741     last_state = sd->state;
1742     sd_set_mode(sd);
1743 
1744     if (sd->expecting_acmd) {
1745         sd->expecting_acmd = false;
1746         rtype = sd_app_command(sd, *req);
1747     } else {
1748         rtype = sd_normal_command(sd, *req);
1749     }
1750 
1751     if (rtype == sd_illegal) {
1752         sd->card_status |= ILLEGAL_COMMAND;
1753     } else {
1754         /* Valid command, we can update the 'state before command' bits.
1755          * (Do this now so they appear in r1 responses.)
1756          */
1757         sd->current_cmd = req->cmd;
1758         sd->card_status &= ~CURRENT_STATE;
1759         sd->card_status |= (last_state << 9);
1760     }
1761 
1762 send_response:
1763     switch (rtype) {
1764     case sd_r1:
1765     case sd_r1b:
1766         sd_response_r1_make(sd, response);
1767         rsplen = 4;
1768         break;
1769 
1770     case sd_r2_i:
1771         memcpy(response, sd->cid, sizeof(sd->cid));
1772         rsplen = 16;
1773         break;
1774 
1775     case sd_r2_s:
1776         memcpy(response, sd->csd, sizeof(sd->csd));
1777         rsplen = 16;
1778         break;
1779 
1780     case sd_r3:
1781         sd_response_r3_make(sd, response);
1782         rsplen = 4;
1783         break;
1784 
1785     case sd_r6:
1786         sd_response_r6_make(sd, response);
1787         rsplen = 4;
1788         break;
1789 
1790     case sd_r7:
1791         sd_response_r7_make(sd, response);
1792         rsplen = 4;
1793         break;
1794 
1795     case sd_r0:
1796     case sd_illegal:
1797         rsplen = 0;
1798         break;
1799     default:
1800         g_assert_not_reached();
1801     }
1802     trace_sdcard_response(sd_response_name(rtype), rsplen);
1803 
1804     if (rtype != sd_illegal) {
1805         /* Clear the "clear on valid command" status bits now we've
1806          * sent any response
1807          */
1808         sd->card_status &= ~CARD_STATUS_B;
1809     }
1810 
1811 #ifdef DEBUG_SD
1812     qemu_hexdump(stderr, "Response", response, rsplen);
1813 #endif
1814 
1815     return rsplen;
1816 }
1817 
1818 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1819 {
1820     trace_sdcard_read_block(addr, len);
1821     if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1822         fprintf(stderr, "sd_blk_read: read error on host side\n");
1823     }
1824 }
1825 
1826 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1827 {
1828     trace_sdcard_write_block(addr, len);
1829     if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1830         fprintf(stderr, "sd_blk_write: write error on host side\n");
1831     }
1832 }
1833 
1834 #define BLK_READ_BLOCK(a, len)	sd_blk_read(sd, a, len)
1835 #define BLK_WRITE_BLOCK(a, len)	sd_blk_write(sd, a, len)
1836 #define APP_READ_BLOCK(a, len)	memset(sd->data, 0xec, len)
1837 #define APP_WRITE_BLOCK(a, len)
1838 
1839 void sd_write_byte(SDState *sd, uint8_t value)
1840 {
1841     int i;
1842 
1843     if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1844         return;
1845 
1846     if (sd->state != sd_receivingdata_state) {
1847         qemu_log_mask(LOG_GUEST_ERROR,
1848                       "%s: not in Receiving-Data state\n", __func__);
1849         return;
1850     }
1851 
1852     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1853         return;
1854 
1855     trace_sdcard_write_data(sd->proto_name,
1856                             sd_acmd_name(sd->current_cmd),
1857                             sd->current_cmd, value);
1858     switch (sd->current_cmd) {
1859     case 24:	/* CMD24:  WRITE_SINGLE_BLOCK */
1860         sd->data[sd->data_offset ++] = value;
1861         if (sd->data_offset >= sd->blk_len) {
1862             /* TODO: Check CRC before committing */
1863             sd->state = sd_programming_state;
1864             BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1865             sd->blk_written ++;
1866             sd->csd[14] |= 0x40;
1867             /* Bzzzzzzztt .... Operation complete.  */
1868             sd->state = sd_transfer_state;
1869         }
1870         break;
1871 
1872     case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
1873         if (sd->data_offset == 0) {
1874             /* Start of the block - let's check the address is valid */
1875             if (sd->data_start + sd->blk_len > sd->size) {
1876                 sd->card_status |= ADDRESS_ERROR;
1877                 break;
1878             }
1879             if (sd_wp_addr(sd, sd->data_start)) {
1880                 sd->card_status |= WP_VIOLATION;
1881                 break;
1882             }
1883         }
1884         sd->data[sd->data_offset++] = value;
1885         if (sd->data_offset >= sd->blk_len) {
1886             /* TODO: Check CRC before committing */
1887             sd->state = sd_programming_state;
1888             BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1889             sd->blk_written++;
1890             sd->data_start += sd->blk_len;
1891             sd->data_offset = 0;
1892             sd->csd[14] |= 0x40;
1893 
1894             /* Bzzzzzzztt .... Operation complete.  */
1895             if (sd->multi_blk_cnt != 0) {
1896                 if (--sd->multi_blk_cnt == 0) {
1897                     /* Stop! */
1898                     sd->state = sd_transfer_state;
1899                     break;
1900                 }
1901             }
1902 
1903             sd->state = sd_receivingdata_state;
1904         }
1905         break;
1906 
1907     case 26:	/* CMD26:  PROGRAM_CID */
1908         sd->data[sd->data_offset ++] = value;
1909         if (sd->data_offset >= sizeof(sd->cid)) {
1910             /* TODO: Check CRC before committing */
1911             sd->state = sd_programming_state;
1912             for (i = 0; i < sizeof(sd->cid); i ++)
1913                 if ((sd->cid[i] | 0x00) != sd->data[i])
1914                     sd->card_status |= CID_CSD_OVERWRITE;
1915 
1916             if (!(sd->card_status & CID_CSD_OVERWRITE))
1917                 for (i = 0; i < sizeof(sd->cid); i ++) {
1918                     sd->cid[i] |= 0x00;
1919                     sd->cid[i] &= sd->data[i];
1920                 }
1921             /* Bzzzzzzztt .... Operation complete.  */
1922             sd->state = sd_transfer_state;
1923         }
1924         break;
1925 
1926     case 27:	/* CMD27:  PROGRAM_CSD */
1927         sd->data[sd->data_offset ++] = value;
1928         if (sd->data_offset >= sizeof(sd->csd)) {
1929             /* TODO: Check CRC before committing */
1930             sd->state = sd_programming_state;
1931             for (i = 0; i < sizeof(sd->csd); i ++)
1932                 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1933                     (sd->data[i] | sd_csd_rw_mask[i]))
1934                     sd->card_status |= CID_CSD_OVERWRITE;
1935 
1936             /* Copy flag (OTP) & Permanent write protect */
1937             if (sd->csd[14] & ~sd->data[14] & 0x60)
1938                 sd->card_status |= CID_CSD_OVERWRITE;
1939 
1940             if (!(sd->card_status & CID_CSD_OVERWRITE))
1941                 for (i = 0; i < sizeof(sd->csd); i ++) {
1942                     sd->csd[i] |= sd_csd_rw_mask[i];
1943                     sd->csd[i] &= sd->data[i];
1944                 }
1945             /* Bzzzzzzztt .... Operation complete.  */
1946             sd->state = sd_transfer_state;
1947         }
1948         break;
1949 
1950     case 42:	/* CMD42:  LOCK_UNLOCK */
1951         sd->data[sd->data_offset ++] = value;
1952         if (sd->data_offset >= sd->blk_len) {
1953             /* TODO: Check CRC before committing */
1954             sd->state = sd_programming_state;
1955             sd_lock_command(sd);
1956             /* Bzzzzzzztt .... Operation complete.  */
1957             sd->state = sd_transfer_state;
1958         }
1959         break;
1960 
1961     case 56:	/* CMD56:  GEN_CMD */
1962         sd->data[sd->data_offset ++] = value;
1963         if (sd->data_offset >= sd->blk_len) {
1964             APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1965             sd->state = sd_transfer_state;
1966         }
1967         break;
1968 
1969     default:
1970         qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1971         break;
1972     }
1973 }
1974 
1975 #define SD_TUNING_BLOCK_SIZE    64
1976 
1977 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1978     /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1979     0xff, 0x0f, 0xff, 0x00,         0x0f, 0xfc, 0xc3, 0xcc,
1980     0xc3, 0x3c, 0xcc, 0xff,         0xfe, 0xff, 0xfe, 0xef,
1981     0xff, 0xdf, 0xff, 0xdd,         0xff, 0xfb, 0xff, 0xfb,
1982     0xbf, 0xff, 0x7f, 0xff,         0x77, 0xf7, 0xbd, 0xef,
1983     0xff, 0xf0, 0xff, 0xf0,         0x0f, 0xfc, 0xcc, 0x3c,
1984     0xcc, 0x33, 0xcc, 0xcf,         0xff, 0xef, 0xff, 0xee,
1985     0xff, 0xfd, 0xff, 0xfd,         0xdf, 0xff, 0xbf, 0xff,
1986     0xbb, 0xff, 0xf7, 0xff,         0xf7, 0x7f, 0x7b, 0xde,
1987 };
1988 
1989 uint8_t sd_read_byte(SDState *sd)
1990 {
1991     /* TODO: Append CRCs */
1992     uint8_t ret;
1993     uint32_t io_len;
1994 
1995     if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1996         return 0x00;
1997 
1998     if (sd->state != sd_sendingdata_state) {
1999         qemu_log_mask(LOG_GUEST_ERROR,
2000                       "%s: not in Sending-Data state\n", __func__);
2001         return 0x00;
2002     }
2003 
2004     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2005         return 0x00;
2006 
2007     io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
2008 
2009     trace_sdcard_read_data(sd->proto_name,
2010                            sd_acmd_name(sd->current_cmd),
2011                            sd->current_cmd, io_len);
2012     switch (sd->current_cmd) {
2013     case 6:	/* CMD6:   SWITCH_FUNCTION */
2014         ret = sd->data[sd->data_offset ++];
2015 
2016         if (sd->data_offset >= 64)
2017             sd->state = sd_transfer_state;
2018         break;
2019 
2020     case 9:	/* CMD9:   SEND_CSD */
2021     case 10:	/* CMD10:  SEND_CID */
2022         ret = sd->data[sd->data_offset ++];
2023 
2024         if (sd->data_offset >= 16)
2025             sd->state = sd_transfer_state;
2026         break;
2027 
2028     case 13:	/* ACMD13: SD_STATUS */
2029         ret = sd->sd_status[sd->data_offset ++];
2030 
2031         if (sd->data_offset >= sizeof(sd->sd_status))
2032             sd->state = sd_transfer_state;
2033         break;
2034 
2035     case 17:	/* CMD17:  READ_SINGLE_BLOCK */
2036         if (sd->data_offset == 0)
2037             BLK_READ_BLOCK(sd->data_start, io_len);
2038         ret = sd->data[sd->data_offset ++];
2039 
2040         if (sd->data_offset >= io_len)
2041             sd->state = sd_transfer_state;
2042         break;
2043 
2044     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
2045         if (sd->data_offset == 0) {
2046             if (sd->data_start + io_len > sd->size) {
2047                 sd->card_status |= ADDRESS_ERROR;
2048                 return 0x00;
2049             }
2050             BLK_READ_BLOCK(sd->data_start, io_len);
2051         }
2052         ret = sd->data[sd->data_offset ++];
2053 
2054         if (sd->data_offset >= io_len) {
2055             sd->data_start += io_len;
2056             sd->data_offset = 0;
2057 
2058             if (sd->multi_blk_cnt != 0) {
2059                 if (--sd->multi_blk_cnt == 0) {
2060                     /* Stop! */
2061                     sd->state = sd_transfer_state;
2062                     break;
2063                 }
2064             }
2065         }
2066         break;
2067 
2068     case 19:    /* CMD19:  SEND_TUNING_BLOCK (SD) */
2069         if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2070             sd->state = sd_transfer_state;
2071         }
2072         ret = sd_tuning_block_pattern[sd->data_offset++];
2073         break;
2074 
2075     case 22:	/* ACMD22: SEND_NUM_WR_BLOCKS */
2076         ret = sd->data[sd->data_offset ++];
2077 
2078         if (sd->data_offset >= 4)
2079             sd->state = sd_transfer_state;
2080         break;
2081 
2082     case 30:	/* CMD30:  SEND_WRITE_PROT */
2083         ret = sd->data[sd->data_offset ++];
2084 
2085         if (sd->data_offset >= 4)
2086             sd->state = sd_transfer_state;
2087         break;
2088 
2089     case 51:	/* ACMD51: SEND_SCR */
2090         ret = sd->scr[sd->data_offset ++];
2091 
2092         if (sd->data_offset >= sizeof(sd->scr))
2093             sd->state = sd_transfer_state;
2094         break;
2095 
2096     case 56:	/* CMD56:  GEN_CMD */
2097         if (sd->data_offset == 0)
2098             APP_READ_BLOCK(sd->data_start, sd->blk_len);
2099         ret = sd->data[sd->data_offset ++];
2100 
2101         if (sd->data_offset >= sd->blk_len)
2102             sd->state = sd_transfer_state;
2103         break;
2104 
2105     default:
2106         qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2107         return 0x00;
2108     }
2109 
2110     return ret;
2111 }
2112 
2113 static bool sd_data_ready(SDState *sd)
2114 {
2115     return sd->state == sd_sendingdata_state;
2116 }
2117 
2118 void sd_enable(SDState *sd, bool enable)
2119 {
2120     sd->enable = enable;
2121 }
2122 
2123 static void sd_instance_init(Object *obj)
2124 {
2125     SDState *sd = SD_CARD(obj);
2126 
2127     sd->enable = true;
2128     sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2129 }
2130 
2131 static void sd_instance_finalize(Object *obj)
2132 {
2133     SDState *sd = SD_CARD(obj);
2134 
2135     timer_del(sd->ocr_power_timer);
2136     timer_free(sd->ocr_power_timer);
2137 }
2138 
2139 static void sd_realize(DeviceState *dev, Error **errp)
2140 {
2141     SDState *sd = SD_CARD(dev);
2142     int ret;
2143 
2144     sd->proto_name = sd->spi ? "SPI" : "SD";
2145 
2146     switch (sd->spec_version) {
2147     case SD_PHY_SPECv1_10_VERS
2148      ... SD_PHY_SPECv3_01_VERS:
2149         break;
2150     default:
2151         error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2152         return;
2153     }
2154 
2155     if (sd->blk) {
2156         int64_t blk_size;
2157 
2158         if (blk_is_read_only(sd->blk)) {
2159             error_setg(errp, "Cannot use read-only drive as SD card");
2160             return;
2161         }
2162 
2163         blk_size = blk_getlength(sd->blk);
2164         if (blk_size > 0 && !is_power_of_2(blk_size)) {
2165             int64_t blk_size_aligned = pow2ceil(blk_size);
2166             char *blk_size_str;
2167 
2168             blk_size_str = size_to_str(blk_size);
2169             error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2170             g_free(blk_size_str);
2171 
2172             blk_size_str = size_to_str(blk_size_aligned);
2173             error_append_hint(errp,
2174                               "SD card size has to be a power of 2, e.g. %s.\n"
2175                               "You can resize disk images with"
2176                               " 'qemu-img resize <imagefile> <new-size>'\n"
2177                               "(note that this will lose data if you make the"
2178                               " image smaller than it currently is).\n",
2179                               blk_size_str);
2180             g_free(blk_size_str);
2181 
2182             return;
2183         }
2184 
2185         ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2186                            BLK_PERM_ALL, errp);
2187         if (ret < 0) {
2188             return;
2189         }
2190         blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2191     }
2192 }
2193 
2194 static Property sd_properties[] = {
2195     DEFINE_PROP_UINT8("spec_version", SDState,
2196                       spec_version, SD_PHY_SPECv2_00_VERS),
2197     DEFINE_PROP_DRIVE("drive", SDState, blk),
2198     /* We do not model the chip select pin, so allow the board to select
2199      * whether card should be in SSI or MMC/SD mode.  It is also up to the
2200      * board to ensure that ssi transfers only occur when the chip select
2201      * is asserted.  */
2202     DEFINE_PROP_BOOL("spi", SDState, spi, false),
2203     DEFINE_PROP_END_OF_LIST()
2204 };
2205 
2206 static void sd_class_init(ObjectClass *klass, void *data)
2207 {
2208     DeviceClass *dc = DEVICE_CLASS(klass);
2209     SDCardClass *sc = SD_CARD_CLASS(klass);
2210 
2211     dc->realize = sd_realize;
2212     device_class_set_props(dc, sd_properties);
2213     dc->vmsd = &sd_vmstate;
2214     dc->reset = sd_reset;
2215     dc->bus_type = TYPE_SD_BUS;
2216     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2217 
2218     sc->set_voltage = sd_set_voltage;
2219     sc->get_dat_lines = sd_get_dat_lines;
2220     sc->get_cmd_line = sd_get_cmd_line;
2221     sc->do_command = sd_do_command;
2222     sc->write_byte = sd_write_byte;
2223     sc->read_byte = sd_read_byte;
2224     sc->data_ready = sd_data_ready;
2225     sc->enable = sd_enable;
2226     sc->get_inserted = sd_get_inserted;
2227     sc->get_readonly = sd_get_readonly;
2228 }
2229 
2230 static const TypeInfo sd_info = {
2231     .name = TYPE_SD_CARD,
2232     .parent = TYPE_DEVICE,
2233     .instance_size = sizeof(SDState),
2234     .class_size = sizeof(SDCardClass),
2235     .class_init = sd_class_init,
2236     .instance_init = sd_instance_init,
2237     .instance_finalize = sd_instance_finalize,
2238 };
2239 
2240 static void sd_register_types(void)
2241 {
2242     type_register_static(&sd_info);
2243 }
2244 
2245 type_init(sd_register_types)
2246