xref: /openbmc/qemu/hw/ssi/aspeed_smc.c (revision 500eb6db)
1 /*
2  * ASPEED AST2400 SMC Controller (SPI Flash Only)
3  *
4  * Copyright (C) 2016 IBM Corp.
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to deal
8  * in the Software without restriction, including without limitation the rights
9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10  * copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22  * THE SOFTWARE.
23  */
24 
25 #include "qemu/osdep.h"
26 #include "hw/sysbus.h"
27 #include "sysemu/sysemu.h"
28 #include "qemu/log.h"
29 #include "qemu/module.h"
30 #include "qemu/error-report.h"
31 
32 #include "hw/ssi/aspeed_smc.h"
33 
34 /* CE Type Setting Register */
35 #define R_CONF            (0x00 / 4)
36 #define   CONF_LEGACY_DISABLE  (1 << 31)
37 #define   CONF_ENABLE_W4       20
38 #define   CONF_ENABLE_W3       19
39 #define   CONF_ENABLE_W2       18
40 #define   CONF_ENABLE_W1       17
41 #define   CONF_ENABLE_W0       16
42 #define   CONF_FLASH_TYPE4     8
43 #define   CONF_FLASH_TYPE3     6
44 #define   CONF_FLASH_TYPE2     4
45 #define   CONF_FLASH_TYPE1     2
46 #define   CONF_FLASH_TYPE0     0
47 #define      CONF_FLASH_TYPE_NOR   0x0
48 #define      CONF_FLASH_TYPE_NAND  0x1
49 #define      CONF_FLASH_TYPE_SPI   0x2
50 
51 /* CE Control Register */
52 #define R_CE_CTRL            (0x04 / 4)
53 #define   CTRL_EXTENDED4       4  /* 32 bit addressing for SPI */
54 #define   CTRL_EXTENDED3       3  /* 32 bit addressing for SPI */
55 #define   CTRL_EXTENDED2       2  /* 32 bit addressing for SPI */
56 #define   CTRL_EXTENDED1       1  /* 32 bit addressing for SPI */
57 #define   CTRL_EXTENDED0       0  /* 32 bit addressing for SPI */
58 
59 /* Interrupt Control and Status Register */
60 #define R_INTR_CTRL       (0x08 / 4)
61 #define   INTR_CTRL_DMA_STATUS            (1 << 11)
62 #define   INTR_CTRL_CMD_ABORT_STATUS      (1 << 10)
63 #define   INTR_CTRL_WRITE_PROTECT_STATUS  (1 << 9)
64 #define   INTR_CTRL_DMA_EN                (1 << 3)
65 #define   INTR_CTRL_CMD_ABORT_EN          (1 << 2)
66 #define   INTR_CTRL_WRITE_PROTECT_EN      (1 << 1)
67 
68 /* CEx Control Register */
69 #define R_CTRL0           (0x10 / 4)
70 #define   CTRL_IO_DUAL_DATA        (1 << 29)
71 #define   CTRL_IO_DUAL_ADDR_DATA   (1 << 28) /* Includes dummies */
72 #define   CTRL_CMD_SHIFT           16
73 #define   CTRL_CMD_MASK            0xff
74 #define   CTRL_DUMMY_HIGH_SHIFT    14
75 #define   CTRL_AST2400_SPI_4BYTE   (1 << 13)
76 #define   CTRL_DUMMY_LOW_SHIFT     6 /* 2 bits [7:6] */
77 #define   CTRL_CE_STOP_ACTIVE      (1 << 2)
78 #define   CTRL_CMD_MODE_MASK       0x3
79 #define     CTRL_READMODE          0x0
80 #define     CTRL_FREADMODE         0x1
81 #define     CTRL_WRITEMODE         0x2
82 #define     CTRL_USERMODE          0x3
83 #define R_CTRL1           (0x14 / 4)
84 #define R_CTRL2           (0x18 / 4)
85 #define R_CTRL3           (0x1C / 4)
86 #define R_CTRL4           (0x20 / 4)
87 
88 /* CEx Segment Address Register */
89 #define R_SEG_ADDR0       (0x30 / 4)
90 #define   SEG_END_SHIFT        24   /* 8MB units */
91 #define   SEG_END_MASK         0xff
92 #define   SEG_START_SHIFT      16   /* address bit [A29-A23] */
93 #define   SEG_START_MASK       0xff
94 #define R_SEG_ADDR1       (0x34 / 4)
95 #define R_SEG_ADDR2       (0x38 / 4)
96 #define R_SEG_ADDR3       (0x3C / 4)
97 #define R_SEG_ADDR4       (0x40 / 4)
98 
99 /* Misc Control Register #1 */
100 #define R_MISC_CTRL1      (0x50 / 4)
101 
102 /* SPI dummy cycle data */
103 #define R_DUMMY_DATA      (0x54 / 4)
104 
105 /* DMA Control/Status Register */
106 #define R_DMA_CTRL        (0x80 / 4)
107 #define   DMA_CTRL_DELAY_MASK   0xf
108 #define   DMA_CTRL_DELAY_SHIFT  8
109 #define   DMA_CTRL_FREQ_MASK    0xf
110 #define   DMA_CTRL_FREQ_SHIFT   4
111 #define   DMA_CTRL_MODE         (1 << 3)
112 #define   DMA_CTRL_CKSUM        (1 << 2)
113 #define   DMA_CTRL_DIR          (1 << 1)
114 #define   DMA_CTRL_EN           (1 << 0)
115 
116 /* DMA Flash Side Address */
117 #define R_DMA_FLASH_ADDR  (0x84 / 4)
118 
119 /* DMA DRAM Side Address */
120 #define R_DMA_DRAM_ADDR   (0x88 / 4)
121 
122 /* DMA Length Register */
123 #define R_DMA_LEN         (0x8C / 4)
124 
125 /* Checksum Calculation Result */
126 #define R_DMA_CHECKSUM    (0x90 / 4)
127 
128 /* Misc Control Register #2 */
129 #define R_TIMINGS         (0x94 / 4)
130 
131 /* SPI controller registers and bits */
132 #define R_SPI_CONF        (0x00 / 4)
133 #define   SPI_CONF_ENABLE_W0   0
134 #define R_SPI_CTRL0       (0x4 / 4)
135 #define R_SPI_MISC_CTRL   (0x10 / 4)
136 #define R_SPI_TIMINGS     (0x14 / 4)
137 
138 #define ASPEED_SMC_R_SPI_MAX (0x20 / 4)
139 #define ASPEED_SMC_R_SMC_MAX (0x20 / 4)
140 
141 #define ASPEED_SOC_SMC_FLASH_BASE   0x10000000
142 #define ASPEED_SOC_FMC_FLASH_BASE   0x20000000
143 #define ASPEED_SOC_SPI_FLASH_BASE   0x30000000
144 #define ASPEED_SOC_SPI2_FLASH_BASE  0x38000000
145 
146 /* Flash opcodes. */
147 #define SPI_OP_READ       0x03    /* Read data bytes (low frequency) */
148 
149 #define SNOOP_OFF         0xFF
150 #define SNOOP_START       0x0
151 
152 /*
153  * Default segments mapping addresses and size for each slave per
154  * controller. These can be changed when board is initialized with the
155  * Segment Address Registers.
156  */
157 static const AspeedSegments aspeed_segments_legacy[] = {
158     { 0x10000000, 32 * 1024 * 1024 },
159 };
160 
161 static const AspeedSegments aspeed_segments_fmc[] = {
162     { 0x20000000, 64 * 1024 * 1024 }, /* start address is readonly */
163     { 0x24000000, 32 * 1024 * 1024 },
164     { 0x26000000, 32 * 1024 * 1024 },
165     { 0x28000000, 32 * 1024 * 1024 },
166     { 0x2A000000, 32 * 1024 * 1024 }
167 };
168 
169 static const AspeedSegments aspeed_segments_spi[] = {
170     { 0x30000000, 64 * 1024 * 1024 },
171 };
172 
173 static const AspeedSegments aspeed_segments_ast2500_fmc[] = {
174     { 0x20000000, 128 * 1024 * 1024 }, /* start address is readonly */
175     { 0x28000000,  32 * 1024 * 1024 },
176     { 0x2A000000,  32 * 1024 * 1024 },
177 };
178 
179 static const AspeedSegments aspeed_segments_ast2500_spi1[] = {
180     { 0x30000000, 32 * 1024 * 1024 }, /* start address is readonly */
181     { 0x32000000, 96 * 1024 * 1024 }, /* end address is readonly */
182 };
183 
184 static const AspeedSegments aspeed_segments_ast2500_spi2[] = {
185     { 0x38000000, 32 * 1024 * 1024 }, /* start address is readonly */
186     { 0x3A000000, 96 * 1024 * 1024 }, /* end address is readonly */
187 };
188 
189 static const AspeedSMCController controllers[] = {
190     {
191         .name              = "aspeed.smc.smc",
192         .r_conf            = R_CONF,
193         .r_ce_ctrl         = R_CE_CTRL,
194         .r_ctrl0           = R_CTRL0,
195         .r_timings         = R_TIMINGS,
196         .conf_enable_w0    = CONF_ENABLE_W0,
197         .max_slaves        = 5,
198         .segments          = aspeed_segments_legacy,
199         .flash_window_base = ASPEED_SOC_SMC_FLASH_BASE,
200         .flash_window_size = 0x6000000,
201         .has_dma           = false,
202         .nregs             = ASPEED_SMC_R_SMC_MAX,
203     }, {
204         .name              = "aspeed.smc.fmc",
205         .r_conf            = R_CONF,
206         .r_ce_ctrl         = R_CE_CTRL,
207         .r_ctrl0           = R_CTRL0,
208         .r_timings         = R_TIMINGS,
209         .conf_enable_w0    = CONF_ENABLE_W0,
210         .max_slaves        = 5,
211         .segments          = aspeed_segments_fmc,
212         .flash_window_base = ASPEED_SOC_FMC_FLASH_BASE,
213         .flash_window_size = 0x10000000,
214         .has_dma           = true,
215         .nregs             = ASPEED_SMC_R_MAX,
216     }, {
217         .name              = "aspeed.smc.spi",
218         .r_conf            = R_SPI_CONF,
219         .r_ce_ctrl         = 0xff,
220         .r_ctrl0           = R_SPI_CTRL0,
221         .r_timings         = R_SPI_TIMINGS,
222         .conf_enable_w0    = SPI_CONF_ENABLE_W0,
223         .max_slaves        = 1,
224         .segments          = aspeed_segments_spi,
225         .flash_window_base = ASPEED_SOC_SPI_FLASH_BASE,
226         .flash_window_size = 0x10000000,
227         .has_dma           = false,
228         .nregs             = ASPEED_SMC_R_SPI_MAX,
229     }, {
230         .name              = "aspeed.smc.ast2500-fmc",
231         .r_conf            = R_CONF,
232         .r_ce_ctrl         = R_CE_CTRL,
233         .r_ctrl0           = R_CTRL0,
234         .r_timings         = R_TIMINGS,
235         .conf_enable_w0    = CONF_ENABLE_W0,
236         .max_slaves        = 3,
237         .segments          = aspeed_segments_ast2500_fmc,
238         .flash_window_base = ASPEED_SOC_FMC_FLASH_BASE,
239         .flash_window_size = 0x10000000,
240         .has_dma           = true,
241         .nregs             = ASPEED_SMC_R_MAX,
242     }, {
243         .name              = "aspeed.smc.ast2500-spi1",
244         .r_conf            = R_CONF,
245         .r_ce_ctrl         = R_CE_CTRL,
246         .r_ctrl0           = R_CTRL0,
247         .r_timings         = R_TIMINGS,
248         .conf_enable_w0    = CONF_ENABLE_W0,
249         .max_slaves        = 2,
250         .segments          = aspeed_segments_ast2500_spi1,
251         .flash_window_base = ASPEED_SOC_SPI_FLASH_BASE,
252         .flash_window_size = 0x8000000,
253         .has_dma           = false,
254         .nregs             = ASPEED_SMC_R_MAX,
255     }, {
256         .name              = "aspeed.smc.ast2500-spi2",
257         .r_conf            = R_CONF,
258         .r_ce_ctrl         = R_CE_CTRL,
259         .r_ctrl0           = R_CTRL0,
260         .r_timings         = R_TIMINGS,
261         .conf_enable_w0    = CONF_ENABLE_W0,
262         .max_slaves        = 2,
263         .segments          = aspeed_segments_ast2500_spi2,
264         .flash_window_base = ASPEED_SOC_SPI2_FLASH_BASE,
265         .flash_window_size = 0x8000000,
266         .has_dma           = false,
267         .nregs             = ASPEED_SMC_R_MAX,
268     },
269 };
270 
271 /*
272  * The Segment Register uses a 8MB unit to encode the start address
273  * and the end address of the mapping window of a flash SPI slave :
274  *
275  *        | byte 1 | byte 2 | byte 3 | byte 4 |
276  *        +--------+--------+--------+--------+
277  *        |  end   |  start |   0    |   0    |
278  *
279  */
280 static inline uint32_t aspeed_smc_segment_to_reg(const AspeedSegments *seg)
281 {
282     uint32_t reg = 0;
283     reg |= ((seg->addr >> 23) & SEG_START_MASK) << SEG_START_SHIFT;
284     reg |= (((seg->addr + seg->size) >> 23) & SEG_END_MASK) << SEG_END_SHIFT;
285     return reg;
286 }
287 
288 static inline void aspeed_smc_reg_to_segment(uint32_t reg, AspeedSegments *seg)
289 {
290     seg->addr = ((reg >> SEG_START_SHIFT) & SEG_START_MASK) << 23;
291     seg->size = (((reg >> SEG_END_SHIFT) & SEG_END_MASK) << 23) - seg->addr;
292 }
293 
294 static bool aspeed_smc_flash_overlap(const AspeedSMCState *s,
295                                      const AspeedSegments *new,
296                                      int cs)
297 {
298     AspeedSegments seg;
299     int i;
300 
301     for (i = 0; i < s->ctrl->max_slaves; i++) {
302         if (i == cs) {
303             continue;
304         }
305 
306         aspeed_smc_reg_to_segment(s->regs[R_SEG_ADDR0 + i], &seg);
307 
308         if (new->addr + new->size > seg.addr &&
309             new->addr < seg.addr + seg.size) {
310             qemu_log_mask(LOG_GUEST_ERROR, "%s: new segment CS%d [ 0x%"
311                           HWADDR_PRIx" - 0x%"HWADDR_PRIx" ] overlaps with "
312                           "CS%d [ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
313                           s->ctrl->name, cs, new->addr, new->addr + new->size,
314                           i, seg.addr, seg.addr + seg.size);
315             return true;
316         }
317     }
318     return false;
319 }
320 
321 static void aspeed_smc_flash_set_segment(AspeedSMCState *s, int cs,
322                                          uint64_t new)
323 {
324     AspeedSMCFlash *fl = &s->flashes[cs];
325     AspeedSegments seg;
326 
327     aspeed_smc_reg_to_segment(new, &seg);
328 
329     /* The start address of CS0 is read-only */
330     if (cs == 0 && seg.addr != s->ctrl->flash_window_base) {
331         qemu_log_mask(LOG_GUEST_ERROR,
332                       "%s: Tried to change CS0 start address to 0x%"
333                       HWADDR_PRIx "\n", s->ctrl->name, seg.addr);
334         seg.addr = s->ctrl->flash_window_base;
335         new = aspeed_smc_segment_to_reg(&seg);
336     }
337 
338     /*
339      * The end address of the AST2500 spi controllers is also
340      * read-only.
341      */
342     if ((s->ctrl->segments == aspeed_segments_ast2500_spi1 ||
343          s->ctrl->segments == aspeed_segments_ast2500_spi2) &&
344         cs == s->ctrl->max_slaves &&
345         seg.addr + seg.size != s->ctrl->segments[cs].addr +
346         s->ctrl->segments[cs].size) {
347         qemu_log_mask(LOG_GUEST_ERROR,
348                       "%s: Tried to change CS%d end address to 0x%"
349                       HWADDR_PRIx "\n", s->ctrl->name, cs, seg.addr + seg.size);
350         seg.size = s->ctrl->segments[cs].addr + s->ctrl->segments[cs].size -
351             seg.addr;
352         new = aspeed_smc_segment_to_reg(&seg);
353     }
354 
355     /* Keep the segment in the overall flash window */
356     if (seg.addr + seg.size <= s->ctrl->flash_window_base ||
357         seg.addr > s->ctrl->flash_window_base + s->ctrl->flash_window_size) {
358         qemu_log_mask(LOG_GUEST_ERROR, "%s: new segment for CS%d is invalid : "
359                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
360                       s->ctrl->name, cs, seg.addr, seg.addr + seg.size);
361         return;
362     }
363 
364     /* Check start address vs. alignment */
365     if (seg.size && !QEMU_IS_ALIGNED(seg.addr, seg.size)) {
366         qemu_log_mask(LOG_GUEST_ERROR, "%s: new segment for CS%d is not "
367                       "aligned : [ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
368                       s->ctrl->name, cs, seg.addr, seg.addr + seg.size);
369     }
370 
371     /* And segments should not overlap (in the specs) */
372     aspeed_smc_flash_overlap(s, &seg, cs);
373 
374     /* All should be fine now to move the region */
375     memory_region_transaction_begin();
376     memory_region_set_size(&fl->mmio, seg.size);
377     memory_region_set_address(&fl->mmio, seg.addr - s->ctrl->flash_window_base);
378     memory_region_set_enabled(&fl->mmio, true);
379     memory_region_transaction_commit();
380 
381     s->regs[R_SEG_ADDR0 + cs] = new;
382 }
383 
384 static uint64_t aspeed_smc_flash_default_read(void *opaque, hwaddr addr,
385                                               unsigned size)
386 {
387     qemu_log_mask(LOG_GUEST_ERROR, "%s: To 0x%" HWADDR_PRIx " of size %u"
388                   PRIx64 "\n", __func__, addr, size);
389     return 0;
390 }
391 
392 static void aspeed_smc_flash_default_write(void *opaque, hwaddr addr,
393                                            uint64_t data, unsigned size)
394 {
395     qemu_log_mask(LOG_GUEST_ERROR, "%s: To 0x%" HWADDR_PRIx " of size %u: 0x%"
396                   PRIx64 "\n", __func__, addr, size, data);
397 }
398 
399 static const MemoryRegionOps aspeed_smc_flash_default_ops = {
400     .read = aspeed_smc_flash_default_read,
401     .write = aspeed_smc_flash_default_write,
402     .endianness = DEVICE_LITTLE_ENDIAN,
403     .valid = {
404         .min_access_size = 1,
405         .max_access_size = 4,
406     },
407 };
408 
409 static inline int aspeed_smc_flash_mode(const AspeedSMCFlash *fl)
410 {
411     const AspeedSMCState *s = fl->controller;
412 
413     return s->regs[s->r_ctrl0 + fl->id] & CTRL_CMD_MODE_MASK;
414 }
415 
416 static inline bool aspeed_smc_is_writable(const AspeedSMCFlash *fl)
417 {
418     const AspeedSMCState *s = fl->controller;
419 
420     return s->regs[s->r_conf] & (1 << (s->conf_enable_w0 + fl->id));
421 }
422 
423 static inline int aspeed_smc_flash_cmd(const AspeedSMCFlash *fl)
424 {
425     const AspeedSMCState *s = fl->controller;
426     int cmd = (s->regs[s->r_ctrl0 + fl->id] >> CTRL_CMD_SHIFT) & CTRL_CMD_MASK;
427 
428     /* In read mode, the default SPI command is READ (0x3). In other
429      * modes, the command should necessarily be defined */
430     if (aspeed_smc_flash_mode(fl) == CTRL_READMODE) {
431         cmd = SPI_OP_READ;
432     }
433 
434     if (!cmd) {
435         qemu_log_mask(LOG_GUEST_ERROR, "%s: no command defined for mode %d\n",
436                       __func__, aspeed_smc_flash_mode(fl));
437     }
438 
439     return cmd;
440 }
441 
442 static inline int aspeed_smc_flash_is_4byte(const AspeedSMCFlash *fl)
443 {
444     const AspeedSMCState *s = fl->controller;
445 
446     if (s->ctrl->segments == aspeed_segments_spi) {
447         return s->regs[s->r_ctrl0] & CTRL_AST2400_SPI_4BYTE;
448     } else {
449         return s->regs[s->r_ce_ctrl] & (1 << (CTRL_EXTENDED0 + fl->id));
450     }
451 }
452 
453 static inline bool aspeed_smc_is_ce_stop_active(const AspeedSMCFlash *fl)
454 {
455     const AspeedSMCState *s = fl->controller;
456 
457     return s->regs[s->r_ctrl0 + fl->id] & CTRL_CE_STOP_ACTIVE;
458 }
459 
460 static void aspeed_smc_flash_select(AspeedSMCFlash *fl)
461 {
462     AspeedSMCState *s = fl->controller;
463 
464     s->regs[s->r_ctrl0 + fl->id] &= ~CTRL_CE_STOP_ACTIVE;
465     qemu_set_irq(s->cs_lines[fl->id], aspeed_smc_is_ce_stop_active(fl));
466 }
467 
468 static void aspeed_smc_flash_unselect(AspeedSMCFlash *fl)
469 {
470     AspeedSMCState *s = fl->controller;
471 
472     s->regs[s->r_ctrl0 + fl->id] |= CTRL_CE_STOP_ACTIVE;
473     qemu_set_irq(s->cs_lines[fl->id], aspeed_smc_is_ce_stop_active(fl));
474 }
475 
476 static uint32_t aspeed_smc_check_segment_addr(const AspeedSMCFlash *fl,
477                                               uint32_t addr)
478 {
479     const AspeedSMCState *s = fl->controller;
480     AspeedSegments seg;
481 
482     aspeed_smc_reg_to_segment(s->regs[R_SEG_ADDR0 + fl->id], &seg);
483     if ((addr % seg.size) != addr) {
484         qemu_log_mask(LOG_GUEST_ERROR,
485                       "%s: invalid address 0x%08x for CS%d segment : "
486                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
487                       s->ctrl->name, addr, fl->id, seg.addr,
488                       seg.addr + seg.size);
489         addr %= seg.size;
490     }
491 
492     return addr;
493 }
494 
495 static int aspeed_smc_flash_dummies(const AspeedSMCFlash *fl)
496 {
497     const AspeedSMCState *s = fl->controller;
498     uint32_t r_ctrl0 = s->regs[s->r_ctrl0 + fl->id];
499     uint32_t dummy_high = (r_ctrl0 >> CTRL_DUMMY_HIGH_SHIFT) & 0x1;
500     uint32_t dummy_low = (r_ctrl0 >> CTRL_DUMMY_LOW_SHIFT) & 0x3;
501     uint32_t dummies = ((dummy_high << 2) | dummy_low) * 8;
502 
503     if (r_ctrl0 & CTRL_IO_DUAL_ADDR_DATA) {
504         dummies /= 2;
505     }
506 
507     return dummies;
508 }
509 
510 static void aspeed_smc_flash_setup(AspeedSMCFlash *fl, uint32_t addr)
511 {
512     const AspeedSMCState *s = fl->controller;
513     uint8_t cmd = aspeed_smc_flash_cmd(fl);
514     int i;
515 
516     /* Flash access can not exceed CS segment */
517     addr = aspeed_smc_check_segment_addr(fl, addr);
518 
519     ssi_transfer(s->spi, cmd);
520 
521     if (aspeed_smc_flash_is_4byte(fl)) {
522         ssi_transfer(s->spi, (addr >> 24) & 0xff);
523     }
524     ssi_transfer(s->spi, (addr >> 16) & 0xff);
525     ssi_transfer(s->spi, (addr >> 8) & 0xff);
526     ssi_transfer(s->spi, (addr & 0xff));
527 
528     /*
529      * Use fake transfers to model dummy bytes. The value should
530      * be configured to some non-zero value in fast read mode and
531      * zero in read mode. But, as the HW allows inconsistent
532      * settings, let's check for fast read mode.
533      */
534     if (aspeed_smc_flash_mode(fl) == CTRL_FREADMODE) {
535         for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
536             ssi_transfer(fl->controller->spi, s->regs[R_DUMMY_DATA] & 0xff);
537         }
538     }
539 }
540 
541 static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
542 {
543     AspeedSMCFlash *fl = opaque;
544     AspeedSMCState *s = fl->controller;
545     uint64_t ret = 0;
546     int i;
547 
548     switch (aspeed_smc_flash_mode(fl)) {
549     case CTRL_USERMODE:
550         for (i = 0; i < size; i++) {
551             ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
552         }
553         break;
554     case CTRL_READMODE:
555     case CTRL_FREADMODE:
556         aspeed_smc_flash_select(fl);
557         aspeed_smc_flash_setup(fl, addr);
558 
559         for (i = 0; i < size; i++) {
560             ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
561         }
562 
563         aspeed_smc_flash_unselect(fl);
564         break;
565     default:
566         qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid flash mode %d\n",
567                       __func__, aspeed_smc_flash_mode(fl));
568     }
569 
570     return ret;
571 }
572 
573 /*
574  * TODO (clg@kaod.org): stolen from xilinx_spips.c. Should move to a
575  * common include header.
576  */
577 typedef enum {
578     READ = 0x3,         READ_4 = 0x13,
579     FAST_READ = 0xb,    FAST_READ_4 = 0x0c,
580     DOR = 0x3b,         DOR_4 = 0x3c,
581     QOR = 0x6b,         QOR_4 = 0x6c,
582     DIOR = 0xbb,        DIOR_4 = 0xbc,
583     QIOR = 0xeb,        QIOR_4 = 0xec,
584 
585     PP = 0x2,           PP_4 = 0x12,
586     DPP = 0xa2,
587     QPP = 0x32,         QPP_4 = 0x34,
588 } FlashCMD;
589 
590 static int aspeed_smc_num_dummies(uint8_t command)
591 {
592     switch (command) { /* check for dummies */
593     case READ: /* no dummy bytes/cycles */
594     case PP:
595     case DPP:
596     case QPP:
597     case READ_4:
598     case PP_4:
599     case QPP_4:
600         return 0;
601     case FAST_READ:
602     case DOR:
603     case QOR:
604     case DOR_4:
605     case QOR_4:
606         return 1;
607     case DIOR:
608     case FAST_READ_4:
609     case DIOR_4:
610         return 2;
611     case QIOR:
612     case QIOR_4:
613         return 4;
614     default:
615         return -1;
616     }
617 }
618 
619 static bool aspeed_smc_do_snoop(AspeedSMCFlash *fl,  uint64_t data,
620                                 unsigned size)
621 {
622     AspeedSMCState *s = fl->controller;
623     uint8_t addr_width = aspeed_smc_flash_is_4byte(fl) ? 4 : 3;
624 
625     if (s->snoop_index == SNOOP_OFF) {
626         return false; /* Do nothing */
627 
628     } else if (s->snoop_index == SNOOP_START) {
629         uint8_t cmd = data & 0xff;
630         int ndummies = aspeed_smc_num_dummies(cmd);
631 
632         /*
633          * No dummy cycles are expected with the current command. Turn
634          * off snooping and let the transfer proceed normally.
635          */
636         if (ndummies <= 0) {
637             s->snoop_index = SNOOP_OFF;
638             return false;
639         }
640 
641         s->snoop_dummies = ndummies * 8;
642 
643     } else if (s->snoop_index >= addr_width + 1) {
644 
645         /* The SPI transfer has reached the dummy cycles sequence */
646         for (; s->snoop_dummies; s->snoop_dummies--) {
647             ssi_transfer(s->spi, s->regs[R_DUMMY_DATA] & 0xff);
648         }
649 
650         /* If no more dummy cycles are expected, turn off snooping */
651         if (!s->snoop_dummies) {
652             s->snoop_index = SNOOP_OFF;
653         } else {
654             s->snoop_index += size;
655         }
656 
657         /*
658          * Dummy cycles have been faked already. Ignore the current
659          * SPI transfer
660          */
661         return true;
662     }
663 
664     s->snoop_index += size;
665     return false;
666 }
667 
668 static void aspeed_smc_flash_write(void *opaque, hwaddr addr, uint64_t data,
669                                    unsigned size)
670 {
671     AspeedSMCFlash *fl = opaque;
672     AspeedSMCState *s = fl->controller;
673     int i;
674 
675     if (!aspeed_smc_is_writable(fl)) {
676         qemu_log_mask(LOG_GUEST_ERROR, "%s: flash is not writable at 0x%"
677                       HWADDR_PRIx "\n", __func__, addr);
678         return;
679     }
680 
681     switch (aspeed_smc_flash_mode(fl)) {
682     case CTRL_USERMODE:
683         if (aspeed_smc_do_snoop(fl, data, size)) {
684             break;
685         }
686 
687         for (i = 0; i < size; i++) {
688             ssi_transfer(s->spi, (data >> (8 * i)) & 0xff);
689         }
690         break;
691     case CTRL_WRITEMODE:
692         aspeed_smc_flash_select(fl);
693         aspeed_smc_flash_setup(fl, addr);
694 
695         for (i = 0; i < size; i++) {
696             ssi_transfer(s->spi, (data >> (8 * i)) & 0xff);
697         }
698 
699         aspeed_smc_flash_unselect(fl);
700         break;
701     default:
702         qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid flash mode %d\n",
703                       __func__, aspeed_smc_flash_mode(fl));
704     }
705 }
706 
707 static const MemoryRegionOps aspeed_smc_flash_ops = {
708     .read = aspeed_smc_flash_read,
709     .write = aspeed_smc_flash_write,
710     .endianness = DEVICE_LITTLE_ENDIAN,
711     .valid = {
712         .min_access_size = 1,
713         .max_access_size = 4,
714     },
715 };
716 
717 static void aspeed_smc_flash_update_cs(AspeedSMCFlash *fl)
718 {
719     AspeedSMCState *s = fl->controller;
720 
721     s->snoop_index = aspeed_smc_is_ce_stop_active(fl) ? SNOOP_OFF : SNOOP_START;
722 
723     qemu_set_irq(s->cs_lines[fl->id], aspeed_smc_is_ce_stop_active(fl));
724 }
725 
726 static void aspeed_smc_reset(DeviceState *d)
727 {
728     AspeedSMCState *s = ASPEED_SMC(d);
729     int i;
730 
731     memset(s->regs, 0, sizeof s->regs);
732 
733     /* Pretend DMA is done (u-boot initialization) */
734     s->regs[R_INTR_CTRL] = INTR_CTRL_DMA_STATUS;
735 
736     /* Unselect all slaves */
737     for (i = 0; i < s->num_cs; ++i) {
738         s->regs[s->r_ctrl0 + i] |= CTRL_CE_STOP_ACTIVE;
739         qemu_set_irq(s->cs_lines[i], true);
740     }
741 
742     /* setup default segment register values for all */
743     for (i = 0; i < s->ctrl->max_slaves; ++i) {
744         s->regs[R_SEG_ADDR0 + i] =
745             aspeed_smc_segment_to_reg(&s->ctrl->segments[i]);
746     }
747 
748     /* HW strapping flash type for FMC controllers  */
749     if (s->ctrl->segments == aspeed_segments_ast2500_fmc) {
750         /* flash type is fixed to SPI for CE0 and CE1 */
751         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE0);
752         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE1);
753     }
754 
755     /* HW strapping for AST2400 FMC controllers (SCU70). Let's use the
756      * configuration of the palmetto-bmc machine */
757     if (s->ctrl->segments == aspeed_segments_fmc) {
758         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE0);
759     }
760 
761     s->snoop_index = SNOOP_OFF;
762     s->snoop_dummies = 0;
763 }
764 
765 static uint64_t aspeed_smc_read(void *opaque, hwaddr addr, unsigned int size)
766 {
767     AspeedSMCState *s = ASPEED_SMC(opaque);
768 
769     addr >>= 2;
770 
771     if (addr == s->r_conf ||
772         addr == s->r_timings ||
773         addr == s->r_ce_ctrl ||
774         addr == R_INTR_CTRL ||
775         addr == R_DUMMY_DATA ||
776         (addr >= R_SEG_ADDR0 && addr < R_SEG_ADDR0 + s->ctrl->max_slaves) ||
777         (addr >= s->r_ctrl0 && addr < s->r_ctrl0 + s->ctrl->max_slaves)) {
778         return s->regs[addr];
779     } else {
780         qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\n",
781                       __func__, addr);
782         return -1;
783     }
784 }
785 
786 static void aspeed_smc_write(void *opaque, hwaddr addr, uint64_t data,
787                              unsigned int size)
788 {
789     AspeedSMCState *s = ASPEED_SMC(opaque);
790     uint32_t value = data;
791 
792     addr >>= 2;
793 
794     if (addr == s->r_conf ||
795         addr == s->r_timings ||
796         addr == s->r_ce_ctrl) {
797         s->regs[addr] = value;
798     } else if (addr >= s->r_ctrl0 && addr < s->r_ctrl0 + s->num_cs) {
799         int cs = addr - s->r_ctrl0;
800         s->regs[addr] = value;
801         aspeed_smc_flash_update_cs(&s->flashes[cs]);
802     } else if (addr >= R_SEG_ADDR0 &&
803                addr < R_SEG_ADDR0 + s->ctrl->max_slaves) {
804         int cs = addr - R_SEG_ADDR0;
805 
806         if (value != s->regs[R_SEG_ADDR0 + cs]) {
807             aspeed_smc_flash_set_segment(s, cs, value);
808         }
809     } else if (addr == R_DUMMY_DATA) {
810         s->regs[addr] = value & 0xff;
811     } else {
812         qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\n",
813                       __func__, addr);
814         return;
815     }
816 }
817 
818 static const MemoryRegionOps aspeed_smc_ops = {
819     .read = aspeed_smc_read,
820     .write = aspeed_smc_write,
821     .endianness = DEVICE_LITTLE_ENDIAN,
822     .valid.unaligned = true,
823 };
824 
825 static void aspeed_smc_realize(DeviceState *dev, Error **errp)
826 {
827     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
828     AspeedSMCState *s = ASPEED_SMC(dev);
829     AspeedSMCClass *mc = ASPEED_SMC_GET_CLASS(s);
830     int i;
831     char name[32];
832     hwaddr offset = 0;
833 
834     s->ctrl = mc->ctrl;
835 
836     /* keep a copy under AspeedSMCState to speed up accesses */
837     s->r_conf = s->ctrl->r_conf;
838     s->r_ce_ctrl = s->ctrl->r_ce_ctrl;
839     s->r_ctrl0 = s->ctrl->r_ctrl0;
840     s->r_timings = s->ctrl->r_timings;
841     s->conf_enable_w0 = s->ctrl->conf_enable_w0;
842 
843     /* Enforce some real HW limits */
844     if (s->num_cs > s->ctrl->max_slaves) {
845         qemu_log_mask(LOG_GUEST_ERROR, "%s: num_cs cannot exceed: %d\n",
846                       __func__, s->ctrl->max_slaves);
847         s->num_cs = s->ctrl->max_slaves;
848     }
849 
850     s->spi = ssi_create_bus(dev, "spi");
851 
852     /* Setup cs_lines for slaves */
853     sysbus_init_irq(sbd, &s->irq);
854     s->cs_lines = g_new0(qemu_irq, s->num_cs);
855     ssi_auto_connect_slaves(dev, s->cs_lines, s->spi);
856 
857     for (i = 0; i < s->num_cs; ++i) {
858         sysbus_init_irq(sbd, &s->cs_lines[i]);
859     }
860 
861     /* The memory region for the controller registers */
862     memory_region_init_io(&s->mmio, OBJECT(s), &aspeed_smc_ops, s,
863                           s->ctrl->name, s->ctrl->nregs * 4);
864     sysbus_init_mmio(sbd, &s->mmio);
865 
866     /*
867      * The container memory region representing the address space
868      * window in which the flash modules are mapped. The size and
869      * address depends on the SoC model and controller type.
870      */
871     snprintf(name, sizeof(name), "%s.flash", s->ctrl->name);
872 
873     memory_region_init_io(&s->mmio_flash, OBJECT(s),
874                           &aspeed_smc_flash_default_ops, s, name,
875                           s->ctrl->flash_window_size);
876     sysbus_init_mmio(sbd, &s->mmio_flash);
877 
878     s->flashes = g_new0(AspeedSMCFlash, s->ctrl->max_slaves);
879 
880     /*
881      * Let's create a sub memory region for each possible slave. All
882      * have a configurable memory segment in the overall flash mapping
883      * window of the controller but, there is not necessarily a flash
884      * module behind to handle the memory accesses. This depends on
885      * the board configuration.
886      */
887     for (i = 0; i < s->ctrl->max_slaves; ++i) {
888         AspeedSMCFlash *fl = &s->flashes[i];
889 
890         snprintf(name, sizeof(name), "%s.%d", s->ctrl->name, i);
891 
892         fl->id = i;
893         fl->controller = s;
894         fl->size = s->ctrl->segments[i].size;
895         memory_region_init_io(&fl->mmio, OBJECT(s), &aspeed_smc_flash_ops,
896                               fl, name, fl->size);
897         memory_region_add_subregion(&s->mmio_flash, offset, &fl->mmio);
898         offset += fl->size;
899     }
900 }
901 
902 static const VMStateDescription vmstate_aspeed_smc = {
903     .name = "aspeed.smc",
904     .version_id = 2,
905     .minimum_version_id = 2,
906     .fields = (VMStateField[]) {
907         VMSTATE_UINT32_ARRAY(regs, AspeedSMCState, ASPEED_SMC_R_MAX),
908         VMSTATE_UINT8(snoop_index, AspeedSMCState),
909         VMSTATE_UINT8(snoop_dummies, AspeedSMCState),
910         VMSTATE_END_OF_LIST()
911     }
912 };
913 
914 static Property aspeed_smc_properties[] = {
915     DEFINE_PROP_UINT32("num-cs", AspeedSMCState, num_cs, 1),
916     DEFINE_PROP_END_OF_LIST(),
917 };
918 
919 static void aspeed_smc_class_init(ObjectClass *klass, void *data)
920 {
921     DeviceClass *dc = DEVICE_CLASS(klass);
922     AspeedSMCClass *mc = ASPEED_SMC_CLASS(klass);
923 
924     dc->realize = aspeed_smc_realize;
925     dc->reset = aspeed_smc_reset;
926     dc->props = aspeed_smc_properties;
927     dc->vmsd = &vmstate_aspeed_smc;
928     mc->ctrl = data;
929 }
930 
931 static const TypeInfo aspeed_smc_info = {
932     .name           = TYPE_ASPEED_SMC,
933     .parent         = TYPE_SYS_BUS_DEVICE,
934     .instance_size  = sizeof(AspeedSMCState),
935     .class_size     = sizeof(AspeedSMCClass),
936     .abstract       = true,
937 };
938 
939 static void aspeed_smc_register_types(void)
940 {
941     int i;
942 
943     type_register_static(&aspeed_smc_info);
944     for (i = 0; i < ARRAY_SIZE(controllers); ++i) {
945         TypeInfo ti = {
946             .name       = controllers[i].name,
947             .parent     = TYPE_ASPEED_SMC,
948             .class_init = aspeed_smc_class_init,
949             .class_data = (void *)&controllers[i],
950         };
951         type_register(&ti);
952     }
953 }
954 
955 type_init(aspeed_smc_register_types)
956