xref: /openbmc/qemu/hw/ssi/aspeed_smc.c (revision 520e210c)
1 /*
2  * ASPEED AST2400 SMC Controller (SPI Flash Only)
3  *
4  * Copyright (C) 2016 IBM Corp.
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to deal
8  * in the Software without restriction, including without limitation the rights
9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10  * copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22  * THE SOFTWARE.
23  */
24 
25 #include "qemu/osdep.h"
26 #include "hw/sysbus.h"
27 #include "sysemu/sysemu.h"
28 #include "qemu/log.h"
29 #include "qemu/error-report.h"
30 
31 #include "hw/ssi/aspeed_smc.h"
32 
33 /* CE Type Setting Register */
34 #define R_CONF            (0x00 / 4)
35 #define   CONF_LEGACY_DISABLE  (1 << 31)
36 #define   CONF_ENABLE_W4       20
37 #define   CONF_ENABLE_W3       19
38 #define   CONF_ENABLE_W2       18
39 #define   CONF_ENABLE_W1       17
40 #define   CONF_ENABLE_W0       16
41 #define   CONF_FLASH_TYPE4     8
42 #define   CONF_FLASH_TYPE3     6
43 #define   CONF_FLASH_TYPE2     4
44 #define   CONF_FLASH_TYPE1     2
45 #define   CONF_FLASH_TYPE0     0
46 #define      CONF_FLASH_TYPE_NOR   0x0
47 #define      CONF_FLASH_TYPE_NAND  0x1
48 #define      CONF_FLASH_TYPE_SPI   0x2
49 
50 /* CE Control Register */
51 #define R_CE_CTRL            (0x04 / 4)
52 #define   CTRL_EXTENDED4       4  /* 32 bit addressing for SPI */
53 #define   CTRL_EXTENDED3       3  /* 32 bit addressing for SPI */
54 #define   CTRL_EXTENDED2       2  /* 32 bit addressing for SPI */
55 #define   CTRL_EXTENDED1       1  /* 32 bit addressing for SPI */
56 #define   CTRL_EXTENDED0       0  /* 32 bit addressing for SPI */
57 
58 /* Interrupt Control and Status Register */
59 #define R_INTR_CTRL       (0x08 / 4)
60 #define   INTR_CTRL_DMA_STATUS            (1 << 11)
61 #define   INTR_CTRL_CMD_ABORT_STATUS      (1 << 10)
62 #define   INTR_CTRL_WRITE_PROTECT_STATUS  (1 << 9)
63 #define   INTR_CTRL_DMA_EN                (1 << 3)
64 #define   INTR_CTRL_CMD_ABORT_EN          (1 << 2)
65 #define   INTR_CTRL_WRITE_PROTECT_EN      (1 << 1)
66 
67 /* CEx Control Register */
68 #define R_CTRL0           (0x10 / 4)
69 #define   CTRL_IO_DUAL_DATA        (1 << 29)
70 #define   CTRL_IO_DUAL_ADDR_DATA   (1 << 28) /* Includes dummies */
71 #define   CTRL_CMD_SHIFT           16
72 #define   CTRL_CMD_MASK            0xff
73 #define   CTRL_DUMMY_HIGH_SHIFT    14
74 #define   CTRL_AST2400_SPI_4BYTE   (1 << 13)
75 #define   CTRL_DUMMY_LOW_SHIFT     6 /* 2 bits [7:6] */
76 #define   CTRL_CE_STOP_ACTIVE      (1 << 2)
77 #define   CTRL_CMD_MODE_MASK       0x3
78 #define     CTRL_READMODE          0x0
79 #define     CTRL_FREADMODE         0x1
80 #define     CTRL_WRITEMODE         0x2
81 #define     CTRL_USERMODE          0x3
82 #define R_CTRL1           (0x14 / 4)
83 #define R_CTRL2           (0x18 / 4)
84 #define R_CTRL3           (0x1C / 4)
85 #define R_CTRL4           (0x20 / 4)
86 
87 /* CEx Segment Address Register */
88 #define R_SEG_ADDR0       (0x30 / 4)
89 #define   SEG_END_SHIFT        24   /* 8MB units */
90 #define   SEG_END_MASK         0xff
91 #define   SEG_START_SHIFT      16   /* address bit [A29-A23] */
92 #define   SEG_START_MASK       0xff
93 #define R_SEG_ADDR1       (0x34 / 4)
94 #define R_SEG_ADDR2       (0x38 / 4)
95 #define R_SEG_ADDR3       (0x3C / 4)
96 #define R_SEG_ADDR4       (0x40 / 4)
97 
98 /* Misc Control Register #1 */
99 #define R_MISC_CTRL1      (0x50 / 4)
100 
101 /* SPI dummy cycle data */
102 #define R_DUMMY_DATA      (0x54 / 4)
103 
104 /* DMA Control/Status Register */
105 #define R_DMA_CTRL        (0x80 / 4)
106 #define   DMA_CTRL_DELAY_MASK   0xf
107 #define   DMA_CTRL_DELAY_SHIFT  8
108 #define   DMA_CTRL_FREQ_MASK    0xf
109 #define   DMA_CTRL_FREQ_SHIFT   4
110 #define   DMA_CTRL_MODE         (1 << 3)
111 #define   DMA_CTRL_CKSUM        (1 << 2)
112 #define   DMA_CTRL_DIR          (1 << 1)
113 #define   DMA_CTRL_EN           (1 << 0)
114 
115 /* DMA Flash Side Address */
116 #define R_DMA_FLASH_ADDR  (0x84 / 4)
117 
118 /* DMA DRAM Side Address */
119 #define R_DMA_DRAM_ADDR   (0x88 / 4)
120 
121 /* DMA Length Register */
122 #define R_DMA_LEN         (0x8C / 4)
123 
124 /* Checksum Calculation Result */
125 #define R_DMA_CHECKSUM    (0x90 / 4)
126 
127 /* Misc Control Register #2 */
128 #define R_TIMINGS         (0x94 / 4)
129 
130 /* SPI controller registers and bits */
131 #define R_SPI_CONF        (0x00 / 4)
132 #define   SPI_CONF_ENABLE_W0   0
133 #define R_SPI_CTRL0       (0x4 / 4)
134 #define R_SPI_MISC_CTRL   (0x10 / 4)
135 #define R_SPI_TIMINGS     (0x14 / 4)
136 
137 #define ASPEED_SMC_R_SPI_MAX (0x20 / 4)
138 #define ASPEED_SMC_R_SMC_MAX (0x20 / 4)
139 
140 #define ASPEED_SOC_SMC_FLASH_BASE   0x10000000
141 #define ASPEED_SOC_FMC_FLASH_BASE   0x20000000
142 #define ASPEED_SOC_SPI_FLASH_BASE   0x30000000
143 #define ASPEED_SOC_SPI2_FLASH_BASE  0x38000000
144 
145 /* Flash opcodes. */
146 #define SPI_OP_READ       0x03    /* Read data bytes (low frequency) */
147 
148 #define SNOOP_OFF         0xFF
149 #define SNOOP_START       0x0
150 
151 /*
152  * Default segments mapping addresses and size for each slave per
153  * controller. These can be changed when board is initialized with the
154  * Segment Address Registers.
155  */
156 static const AspeedSegments aspeed_segments_legacy[] = {
157     { 0x10000000, 32 * 1024 * 1024 },
158 };
159 
160 static const AspeedSegments aspeed_segments_fmc[] = {
161     { 0x20000000, 64 * 1024 * 1024 }, /* start address is readonly */
162     { 0x24000000, 32 * 1024 * 1024 },
163     { 0x26000000, 32 * 1024 * 1024 },
164     { 0x28000000, 32 * 1024 * 1024 },
165     { 0x2A000000, 32 * 1024 * 1024 }
166 };
167 
168 static const AspeedSegments aspeed_segments_spi[] = {
169     { 0x30000000, 64 * 1024 * 1024 },
170 };
171 
172 static const AspeedSegments aspeed_segments_ast2500_fmc[] = {
173     { 0x20000000, 128 * 1024 * 1024 }, /* start address is readonly */
174     { 0x28000000,  32 * 1024 * 1024 },
175     { 0x2A000000,  32 * 1024 * 1024 },
176 };
177 
178 static const AspeedSegments aspeed_segments_ast2500_spi1[] = {
179     { 0x30000000, 32 * 1024 * 1024 }, /* start address is readonly */
180     { 0x32000000, 96 * 1024 * 1024 }, /* end address is readonly */
181 };
182 
183 static const AspeedSegments aspeed_segments_ast2500_spi2[] = {
184     { 0x38000000, 32 * 1024 * 1024 }, /* start address is readonly */
185     { 0x3A000000, 96 * 1024 * 1024 }, /* end address is readonly */
186 };
187 
188 static const AspeedSMCController controllers[] = {
189     {
190         .name              = "aspeed.smc.smc",
191         .r_conf            = R_CONF,
192         .r_ce_ctrl         = R_CE_CTRL,
193         .r_ctrl0           = R_CTRL0,
194         .r_timings         = R_TIMINGS,
195         .conf_enable_w0    = CONF_ENABLE_W0,
196         .max_slaves        = 5,
197         .segments          = aspeed_segments_legacy,
198         .flash_window_base = ASPEED_SOC_SMC_FLASH_BASE,
199         .flash_window_size = 0x6000000,
200         .has_dma           = false,
201         .nregs             = ASPEED_SMC_R_SMC_MAX,
202     }, {
203         .name              = "aspeed.smc.fmc",
204         .r_conf            = R_CONF,
205         .r_ce_ctrl         = R_CE_CTRL,
206         .r_ctrl0           = R_CTRL0,
207         .r_timings         = R_TIMINGS,
208         .conf_enable_w0    = CONF_ENABLE_W0,
209         .max_slaves        = 5,
210         .segments          = aspeed_segments_fmc,
211         .flash_window_base = ASPEED_SOC_FMC_FLASH_BASE,
212         .flash_window_size = 0x10000000,
213         .has_dma           = true,
214         .nregs             = ASPEED_SMC_R_MAX,
215     }, {
216         .name              = "aspeed.smc.spi",
217         .r_conf            = R_SPI_CONF,
218         .r_ce_ctrl         = 0xff,
219         .r_ctrl0           = R_SPI_CTRL0,
220         .r_timings         = R_SPI_TIMINGS,
221         .conf_enable_w0    = SPI_CONF_ENABLE_W0,
222         .max_slaves        = 1,
223         .segments          = aspeed_segments_spi,
224         .flash_window_base = ASPEED_SOC_SPI_FLASH_BASE,
225         .flash_window_size = 0x10000000,
226         .has_dma           = false,
227         .nregs             = ASPEED_SMC_R_SPI_MAX,
228     }, {
229         .name              = "aspeed.smc.ast2500-fmc",
230         .r_conf            = R_CONF,
231         .r_ce_ctrl         = R_CE_CTRL,
232         .r_ctrl0           = R_CTRL0,
233         .r_timings         = R_TIMINGS,
234         .conf_enable_w0    = CONF_ENABLE_W0,
235         .max_slaves        = 3,
236         .segments          = aspeed_segments_ast2500_fmc,
237         .flash_window_base = ASPEED_SOC_FMC_FLASH_BASE,
238         .flash_window_size = 0x10000000,
239         .has_dma           = true,
240         .nregs             = ASPEED_SMC_R_MAX,
241     }, {
242         .name              = "aspeed.smc.ast2500-spi1",
243         .r_conf            = R_CONF,
244         .r_ce_ctrl         = R_CE_CTRL,
245         .r_ctrl0           = R_CTRL0,
246         .r_timings         = R_TIMINGS,
247         .conf_enable_w0    = CONF_ENABLE_W0,
248         .max_slaves        = 2,
249         .segments          = aspeed_segments_ast2500_spi1,
250         .flash_window_base = ASPEED_SOC_SPI_FLASH_BASE,
251         .flash_window_size = 0x8000000,
252         .has_dma           = false,
253         .nregs             = ASPEED_SMC_R_MAX,
254     }, {
255         .name              = "aspeed.smc.ast2500-spi2",
256         .r_conf            = R_CONF,
257         .r_ce_ctrl         = R_CE_CTRL,
258         .r_ctrl0           = R_CTRL0,
259         .r_timings         = R_TIMINGS,
260         .conf_enable_w0    = CONF_ENABLE_W0,
261         .max_slaves        = 2,
262         .segments          = aspeed_segments_ast2500_spi2,
263         .flash_window_base = ASPEED_SOC_SPI2_FLASH_BASE,
264         .flash_window_size = 0x8000000,
265         .has_dma           = false,
266         .nregs             = ASPEED_SMC_R_MAX,
267     },
268 };
269 
270 /*
271  * The Segment Register uses a 8MB unit to encode the start address
272  * and the end address of the mapping window of a flash SPI slave :
273  *
274  *        | byte 1 | byte 2 | byte 3 | byte 4 |
275  *        +--------+--------+--------+--------+
276  *        |  end   |  start |   0    |   0    |
277  *
278  */
279 static inline uint32_t aspeed_smc_segment_to_reg(const AspeedSegments *seg)
280 {
281     uint32_t reg = 0;
282     reg |= ((seg->addr >> 23) & SEG_START_MASK) << SEG_START_SHIFT;
283     reg |= (((seg->addr + seg->size) >> 23) & SEG_END_MASK) << SEG_END_SHIFT;
284     return reg;
285 }
286 
287 static inline void aspeed_smc_reg_to_segment(uint32_t reg, AspeedSegments *seg)
288 {
289     seg->addr = ((reg >> SEG_START_SHIFT) & SEG_START_MASK) << 23;
290     seg->size = (((reg >> SEG_END_SHIFT) & SEG_END_MASK) << 23) - seg->addr;
291 }
292 
293 static bool aspeed_smc_flash_overlap(const AspeedSMCState *s,
294                                      const AspeedSegments *new,
295                                      int cs)
296 {
297     AspeedSegments seg;
298     int i;
299 
300     for (i = 0; i < s->ctrl->max_slaves; i++) {
301         if (i == cs) {
302             continue;
303         }
304 
305         aspeed_smc_reg_to_segment(s->regs[R_SEG_ADDR0 + i], &seg);
306 
307         if (new->addr + new->size > seg.addr &&
308             new->addr < seg.addr + seg.size) {
309             qemu_log_mask(LOG_GUEST_ERROR, "%s: new segment CS%d [ 0x%"
310                           HWADDR_PRIx" - 0x%"HWADDR_PRIx" ] overlaps with "
311                           "CS%d [ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
312                           s->ctrl->name, cs, new->addr, new->addr + new->size,
313                           i, seg.addr, seg.addr + seg.size);
314             return true;
315         }
316     }
317     return false;
318 }
319 
320 static void aspeed_smc_flash_set_segment(AspeedSMCState *s, int cs,
321                                          uint64_t new)
322 {
323     AspeedSMCFlash *fl = &s->flashes[cs];
324     AspeedSegments seg;
325 
326     aspeed_smc_reg_to_segment(new, &seg);
327 
328     /* The start address of CS0 is read-only */
329     if (cs == 0 && seg.addr != s->ctrl->flash_window_base) {
330         qemu_log_mask(LOG_GUEST_ERROR,
331                       "%s: Tried to change CS0 start address to 0x%"
332                       HWADDR_PRIx "\n", s->ctrl->name, seg.addr);
333         seg.addr = s->ctrl->flash_window_base;
334         new = aspeed_smc_segment_to_reg(&seg);
335     }
336 
337     /*
338      * The end address of the AST2500 spi controllers is also
339      * read-only.
340      */
341     if ((s->ctrl->segments == aspeed_segments_ast2500_spi1 ||
342          s->ctrl->segments == aspeed_segments_ast2500_spi2) &&
343         cs == s->ctrl->max_slaves &&
344         seg.addr + seg.size != s->ctrl->segments[cs].addr +
345         s->ctrl->segments[cs].size) {
346         qemu_log_mask(LOG_GUEST_ERROR,
347                       "%s: Tried to change CS%d end address to 0x%"
348                       HWADDR_PRIx "\n", s->ctrl->name, cs, seg.addr + seg.size);
349         seg.size = s->ctrl->segments[cs].addr + s->ctrl->segments[cs].size -
350             seg.addr;
351         new = aspeed_smc_segment_to_reg(&seg);
352     }
353 
354     /* Keep the segment in the overall flash window */
355     if (seg.addr + seg.size <= s->ctrl->flash_window_base ||
356         seg.addr > s->ctrl->flash_window_base + s->ctrl->flash_window_size) {
357         qemu_log_mask(LOG_GUEST_ERROR, "%s: new segment for CS%d is invalid : "
358                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
359                       s->ctrl->name, cs, seg.addr, seg.addr + seg.size);
360         return;
361     }
362 
363     /* Check start address vs. alignment */
364     if (seg.size && !QEMU_IS_ALIGNED(seg.addr, seg.size)) {
365         qemu_log_mask(LOG_GUEST_ERROR, "%s: new segment for CS%d is not "
366                       "aligned : [ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
367                       s->ctrl->name, cs, seg.addr, seg.addr + seg.size);
368     }
369 
370     /* And segments should not overlap (in the specs) */
371     aspeed_smc_flash_overlap(s, &seg, cs);
372 
373     /* All should be fine now to move the region */
374     memory_region_transaction_begin();
375     memory_region_set_size(&fl->mmio, seg.size);
376     memory_region_set_address(&fl->mmio, seg.addr - s->ctrl->flash_window_base);
377     memory_region_set_enabled(&fl->mmio, true);
378     memory_region_transaction_commit();
379 
380     s->regs[R_SEG_ADDR0 + cs] = new;
381 }
382 
383 static uint64_t aspeed_smc_flash_default_read(void *opaque, hwaddr addr,
384                                               unsigned size)
385 {
386     qemu_log_mask(LOG_GUEST_ERROR, "%s: To 0x%" HWADDR_PRIx " of size %u"
387                   PRIx64 "\n", __func__, addr, size);
388     return 0;
389 }
390 
391 static void aspeed_smc_flash_default_write(void *opaque, hwaddr addr,
392                                            uint64_t data, unsigned size)
393 {
394     qemu_log_mask(LOG_GUEST_ERROR, "%s: To 0x%" HWADDR_PRIx " of size %u: 0x%"
395                   PRIx64 "\n", __func__, addr, size, data);
396 }
397 
398 static const MemoryRegionOps aspeed_smc_flash_default_ops = {
399     .read = aspeed_smc_flash_default_read,
400     .write = aspeed_smc_flash_default_write,
401     .endianness = DEVICE_LITTLE_ENDIAN,
402     .valid = {
403         .min_access_size = 1,
404         .max_access_size = 4,
405     },
406 };
407 
408 static inline int aspeed_smc_flash_mode(const AspeedSMCFlash *fl)
409 {
410     const AspeedSMCState *s = fl->controller;
411 
412     return s->regs[s->r_ctrl0 + fl->id] & CTRL_CMD_MODE_MASK;
413 }
414 
415 static inline bool aspeed_smc_is_writable(const AspeedSMCFlash *fl)
416 {
417     const AspeedSMCState *s = fl->controller;
418 
419     return s->regs[s->r_conf] & (1 << (s->conf_enable_w0 + fl->id));
420 }
421 
422 static inline int aspeed_smc_flash_cmd(const AspeedSMCFlash *fl)
423 {
424     const AspeedSMCState *s = fl->controller;
425     int cmd = (s->regs[s->r_ctrl0 + fl->id] >> CTRL_CMD_SHIFT) & CTRL_CMD_MASK;
426 
427     /* In read mode, the default SPI command is READ (0x3). In other
428      * modes, the command should necessarily be defined */
429     if (aspeed_smc_flash_mode(fl) == CTRL_READMODE) {
430         cmd = SPI_OP_READ;
431     }
432 
433     if (!cmd) {
434         qemu_log_mask(LOG_GUEST_ERROR, "%s: no command defined for mode %d\n",
435                       __func__, aspeed_smc_flash_mode(fl));
436     }
437 
438     return cmd;
439 }
440 
441 static inline int aspeed_smc_flash_is_4byte(const AspeedSMCFlash *fl)
442 {
443     const AspeedSMCState *s = fl->controller;
444 
445     if (s->ctrl->segments == aspeed_segments_spi) {
446         return s->regs[s->r_ctrl0] & CTRL_AST2400_SPI_4BYTE;
447     } else {
448         return s->regs[s->r_ce_ctrl] & (1 << (CTRL_EXTENDED0 + fl->id));
449     }
450 }
451 
452 static inline bool aspeed_smc_is_ce_stop_active(const AspeedSMCFlash *fl)
453 {
454     const AspeedSMCState *s = fl->controller;
455 
456     return s->regs[s->r_ctrl0 + fl->id] & CTRL_CE_STOP_ACTIVE;
457 }
458 
459 static void aspeed_smc_flash_select(AspeedSMCFlash *fl)
460 {
461     AspeedSMCState *s = fl->controller;
462 
463     s->regs[s->r_ctrl0 + fl->id] &= ~CTRL_CE_STOP_ACTIVE;
464     qemu_set_irq(s->cs_lines[fl->id], aspeed_smc_is_ce_stop_active(fl));
465 }
466 
467 static void aspeed_smc_flash_unselect(AspeedSMCFlash *fl)
468 {
469     AspeedSMCState *s = fl->controller;
470 
471     s->regs[s->r_ctrl0 + fl->id] |= CTRL_CE_STOP_ACTIVE;
472     qemu_set_irq(s->cs_lines[fl->id], aspeed_smc_is_ce_stop_active(fl));
473 }
474 
475 static uint32_t aspeed_smc_check_segment_addr(const AspeedSMCFlash *fl,
476                                               uint32_t addr)
477 {
478     const AspeedSMCState *s = fl->controller;
479     AspeedSegments seg;
480 
481     aspeed_smc_reg_to_segment(s->regs[R_SEG_ADDR0 + fl->id], &seg);
482     if ((addr % seg.size) != addr) {
483         qemu_log_mask(LOG_GUEST_ERROR,
484                       "%s: invalid address 0x%08x for CS%d segment : "
485                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
486                       s->ctrl->name, addr, fl->id, seg.addr,
487                       seg.addr + seg.size);
488         addr %= seg.size;
489     }
490 
491     return addr;
492 }
493 
494 static int aspeed_smc_flash_dummies(const AspeedSMCFlash *fl)
495 {
496     const AspeedSMCState *s = fl->controller;
497     uint32_t r_ctrl0 = s->regs[s->r_ctrl0 + fl->id];
498     uint32_t dummy_high = (r_ctrl0 >> CTRL_DUMMY_HIGH_SHIFT) & 0x1;
499     uint32_t dummy_low = (r_ctrl0 >> CTRL_DUMMY_LOW_SHIFT) & 0x3;
500     uint32_t dummies = ((dummy_high << 2) | dummy_low) * 8;
501 
502     if (r_ctrl0 & CTRL_IO_DUAL_ADDR_DATA) {
503         dummies /= 2;
504     }
505 
506     return dummies;
507 }
508 
509 static void aspeed_smc_flash_setup(AspeedSMCFlash *fl, uint32_t addr)
510 {
511     const AspeedSMCState *s = fl->controller;
512     uint8_t cmd = aspeed_smc_flash_cmd(fl);
513     int i;
514 
515     /* Flash access can not exceed CS segment */
516     addr = aspeed_smc_check_segment_addr(fl, addr);
517 
518     ssi_transfer(s->spi, cmd);
519 
520     if (aspeed_smc_flash_is_4byte(fl)) {
521         ssi_transfer(s->spi, (addr >> 24) & 0xff);
522     }
523     ssi_transfer(s->spi, (addr >> 16) & 0xff);
524     ssi_transfer(s->spi, (addr >> 8) & 0xff);
525     ssi_transfer(s->spi, (addr & 0xff));
526 
527     /*
528      * Use fake transfers to model dummy bytes. The value should
529      * be configured to some non-zero value in fast read mode and
530      * zero in read mode. But, as the HW allows inconsistent
531      * settings, let's check for fast read mode.
532      */
533     if (aspeed_smc_flash_mode(fl) == CTRL_FREADMODE) {
534         for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
535             ssi_transfer(fl->controller->spi, s->regs[R_DUMMY_DATA] & 0xff);
536         }
537     }
538 }
539 
540 static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
541 {
542     AspeedSMCFlash *fl = opaque;
543     AspeedSMCState *s = fl->controller;
544     uint64_t ret = 0;
545     int i;
546 
547     switch (aspeed_smc_flash_mode(fl)) {
548     case CTRL_USERMODE:
549         for (i = 0; i < size; i++) {
550             ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
551         }
552         break;
553     case CTRL_READMODE:
554     case CTRL_FREADMODE:
555         aspeed_smc_flash_select(fl);
556         aspeed_smc_flash_setup(fl, addr);
557 
558         for (i = 0; i < size; i++) {
559             ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
560         }
561 
562         aspeed_smc_flash_unselect(fl);
563         break;
564     default:
565         qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid flash mode %d\n",
566                       __func__, aspeed_smc_flash_mode(fl));
567     }
568 
569     return ret;
570 }
571 
572 /*
573  * TODO (clg@kaod.org): stolen from xilinx_spips.c. Should move to a
574  * common include header.
575  */
576 typedef enum {
577     READ = 0x3,         READ_4 = 0x13,
578     FAST_READ = 0xb,    FAST_READ_4 = 0x0c,
579     DOR = 0x3b,         DOR_4 = 0x3c,
580     QOR = 0x6b,         QOR_4 = 0x6c,
581     DIOR = 0xbb,        DIOR_4 = 0xbc,
582     QIOR = 0xeb,        QIOR_4 = 0xec,
583 
584     PP = 0x2,           PP_4 = 0x12,
585     DPP = 0xa2,
586     QPP = 0x32,         QPP_4 = 0x34,
587 } FlashCMD;
588 
589 static int aspeed_smc_num_dummies(uint8_t command)
590 {
591     switch (command) { /* check for dummies */
592     case READ: /* no dummy bytes/cycles */
593     case PP:
594     case DPP:
595     case QPP:
596     case READ_4:
597     case PP_4:
598     case QPP_4:
599         return 0;
600     case FAST_READ:
601     case DOR:
602     case QOR:
603     case DOR_4:
604     case QOR_4:
605         return 1;
606     case DIOR:
607     case FAST_READ_4:
608     case DIOR_4:
609         return 2;
610     case QIOR:
611     case QIOR_4:
612         return 4;
613     default:
614         return -1;
615     }
616 }
617 
618 static bool aspeed_smc_do_snoop(AspeedSMCFlash *fl,  uint64_t data,
619                                 unsigned size)
620 {
621     AspeedSMCState *s = fl->controller;
622     uint8_t addr_width = aspeed_smc_flash_is_4byte(fl) ? 4 : 3;
623 
624     if (s->snoop_index == SNOOP_OFF) {
625         return false; /* Do nothing */
626 
627     } else if (s->snoop_index == SNOOP_START) {
628         uint8_t cmd = data & 0xff;
629         int ndummies = aspeed_smc_num_dummies(cmd);
630 
631         /*
632          * No dummy cycles are expected with the current command. Turn
633          * off snooping and let the transfer proceed normally.
634          */
635         if (ndummies <= 0) {
636             s->snoop_index = SNOOP_OFF;
637             return false;
638         }
639 
640         s->snoop_dummies = ndummies * 8;
641 
642     } else if (s->snoop_index >= addr_width + 1) {
643 
644         /* The SPI transfer has reached the dummy cycles sequence */
645         for (; s->snoop_dummies; s->snoop_dummies--) {
646             ssi_transfer(s->spi, s->regs[R_DUMMY_DATA] & 0xff);
647         }
648 
649         /* If no more dummy cycles are expected, turn off snooping */
650         if (!s->snoop_dummies) {
651             s->snoop_index = SNOOP_OFF;
652         } else {
653             s->snoop_index += size;
654         }
655 
656         /*
657          * Dummy cycles have been faked already. Ignore the current
658          * SPI transfer
659          */
660         return true;
661     }
662 
663     s->snoop_index += size;
664     return false;
665 }
666 
667 static void aspeed_smc_flash_write(void *opaque, hwaddr addr, uint64_t data,
668                                    unsigned size)
669 {
670     AspeedSMCFlash *fl = opaque;
671     AspeedSMCState *s = fl->controller;
672     int i;
673 
674     if (!aspeed_smc_is_writable(fl)) {
675         qemu_log_mask(LOG_GUEST_ERROR, "%s: flash is not writable at 0x%"
676                       HWADDR_PRIx "\n", __func__, addr);
677         return;
678     }
679 
680     switch (aspeed_smc_flash_mode(fl)) {
681     case CTRL_USERMODE:
682         if (aspeed_smc_do_snoop(fl, data, size)) {
683             break;
684         }
685 
686         for (i = 0; i < size; i++) {
687             ssi_transfer(s->spi, (data >> (8 * i)) & 0xff);
688         }
689         break;
690     case CTRL_WRITEMODE:
691         aspeed_smc_flash_select(fl);
692         aspeed_smc_flash_setup(fl, addr);
693 
694         for (i = 0; i < size; i++) {
695             ssi_transfer(s->spi, (data >> (8 * i)) & 0xff);
696         }
697 
698         aspeed_smc_flash_unselect(fl);
699         break;
700     default:
701         qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid flash mode %d\n",
702                       __func__, aspeed_smc_flash_mode(fl));
703     }
704 }
705 
706 static const MemoryRegionOps aspeed_smc_flash_ops = {
707     .read = aspeed_smc_flash_read,
708     .write = aspeed_smc_flash_write,
709     .endianness = DEVICE_LITTLE_ENDIAN,
710     .valid = {
711         .min_access_size = 1,
712         .max_access_size = 4,
713     },
714 };
715 
716 static void aspeed_smc_flash_update_cs(AspeedSMCFlash *fl)
717 {
718     AspeedSMCState *s = fl->controller;
719 
720     s->snoop_index = aspeed_smc_is_ce_stop_active(fl) ? SNOOP_OFF : SNOOP_START;
721 
722     qemu_set_irq(s->cs_lines[fl->id], aspeed_smc_is_ce_stop_active(fl));
723 }
724 
725 static void aspeed_smc_reset(DeviceState *d)
726 {
727     AspeedSMCState *s = ASPEED_SMC(d);
728     int i;
729 
730     memset(s->regs, 0, sizeof s->regs);
731 
732     /* Pretend DMA is done (u-boot initialization) */
733     s->regs[R_INTR_CTRL] = INTR_CTRL_DMA_STATUS;
734 
735     /* Unselect all slaves */
736     for (i = 0; i < s->num_cs; ++i) {
737         s->regs[s->r_ctrl0 + i] |= CTRL_CE_STOP_ACTIVE;
738         qemu_set_irq(s->cs_lines[i], true);
739     }
740 
741     /* setup default segment register values for all */
742     for (i = 0; i < s->ctrl->max_slaves; ++i) {
743         s->regs[R_SEG_ADDR0 + i] =
744             aspeed_smc_segment_to_reg(&s->ctrl->segments[i]);
745     }
746 
747     /* HW strapping flash type for FMC controllers  */
748     if (s->ctrl->segments == aspeed_segments_ast2500_fmc) {
749         /* flash type is fixed to SPI for CE0 and CE1 */
750         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE0);
751         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE1);
752     }
753 
754     /* HW strapping for AST2400 FMC controllers (SCU70). Let's use the
755      * configuration of the palmetto-bmc machine */
756     if (s->ctrl->segments == aspeed_segments_fmc) {
757         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE0);
758     }
759 
760     s->snoop_index = SNOOP_OFF;
761     s->snoop_dummies = 0;
762 }
763 
764 static uint64_t aspeed_smc_read(void *opaque, hwaddr addr, unsigned int size)
765 {
766     AspeedSMCState *s = ASPEED_SMC(opaque);
767 
768     addr >>= 2;
769 
770     if (addr == s->r_conf ||
771         addr == s->r_timings ||
772         addr == s->r_ce_ctrl ||
773         addr == R_INTR_CTRL ||
774         addr == R_DUMMY_DATA ||
775         (addr >= R_SEG_ADDR0 && addr < R_SEG_ADDR0 + s->ctrl->max_slaves) ||
776         (addr >= s->r_ctrl0 && addr < s->r_ctrl0 + s->ctrl->max_slaves)) {
777         return s->regs[addr];
778     } else {
779         qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\n",
780                       __func__, addr);
781         return -1;
782     }
783 }
784 
785 static void aspeed_smc_write(void *opaque, hwaddr addr, uint64_t data,
786                              unsigned int size)
787 {
788     AspeedSMCState *s = ASPEED_SMC(opaque);
789     uint32_t value = data;
790 
791     addr >>= 2;
792 
793     if (addr == s->r_conf ||
794         addr == s->r_timings ||
795         addr == s->r_ce_ctrl) {
796         s->regs[addr] = value;
797     } else if (addr >= s->r_ctrl0 && addr < s->r_ctrl0 + s->num_cs) {
798         int cs = addr - s->r_ctrl0;
799         s->regs[addr] = value;
800         aspeed_smc_flash_update_cs(&s->flashes[cs]);
801     } else if (addr >= R_SEG_ADDR0 &&
802                addr < R_SEG_ADDR0 + s->ctrl->max_slaves) {
803         int cs = addr - R_SEG_ADDR0;
804 
805         if (value != s->regs[R_SEG_ADDR0 + cs]) {
806             aspeed_smc_flash_set_segment(s, cs, value);
807         }
808     } else if (addr == R_DUMMY_DATA) {
809         s->regs[addr] = value & 0xff;
810     } else {
811         qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\n",
812                       __func__, addr);
813         return;
814     }
815 }
816 
817 static const MemoryRegionOps aspeed_smc_ops = {
818     .read = aspeed_smc_read,
819     .write = aspeed_smc_write,
820     .endianness = DEVICE_LITTLE_ENDIAN,
821     .valid.unaligned = true,
822 };
823 
824 static void aspeed_smc_realize(DeviceState *dev, Error **errp)
825 {
826     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
827     AspeedSMCState *s = ASPEED_SMC(dev);
828     AspeedSMCClass *mc = ASPEED_SMC_GET_CLASS(s);
829     int i;
830     char name[32];
831     hwaddr offset = 0;
832 
833     s->ctrl = mc->ctrl;
834 
835     /* keep a copy under AspeedSMCState to speed up accesses */
836     s->r_conf = s->ctrl->r_conf;
837     s->r_ce_ctrl = s->ctrl->r_ce_ctrl;
838     s->r_ctrl0 = s->ctrl->r_ctrl0;
839     s->r_timings = s->ctrl->r_timings;
840     s->conf_enable_w0 = s->ctrl->conf_enable_w0;
841 
842     /* Enforce some real HW limits */
843     if (s->num_cs > s->ctrl->max_slaves) {
844         qemu_log_mask(LOG_GUEST_ERROR, "%s: num_cs cannot exceed: %d\n",
845                       __func__, s->ctrl->max_slaves);
846         s->num_cs = s->ctrl->max_slaves;
847     }
848 
849     s->spi = ssi_create_bus(dev, "spi");
850 
851     /* Setup cs_lines for slaves */
852     sysbus_init_irq(sbd, &s->irq);
853     s->cs_lines = g_new0(qemu_irq, s->num_cs);
854     ssi_auto_connect_slaves(dev, s->cs_lines, s->spi);
855 
856     for (i = 0; i < s->num_cs; ++i) {
857         sysbus_init_irq(sbd, &s->cs_lines[i]);
858     }
859 
860     /* The memory region for the controller registers */
861     memory_region_init_io(&s->mmio, OBJECT(s), &aspeed_smc_ops, s,
862                           s->ctrl->name, s->ctrl->nregs * 4);
863     sysbus_init_mmio(sbd, &s->mmio);
864 
865     /*
866      * The container memory region representing the address space
867      * window in which the flash modules are mapped. The size and
868      * address depends on the SoC model and controller type.
869      */
870     snprintf(name, sizeof(name), "%s.flash", s->ctrl->name);
871 
872     memory_region_init_io(&s->mmio_flash, OBJECT(s),
873                           &aspeed_smc_flash_default_ops, s, name,
874                           s->ctrl->flash_window_size);
875     sysbus_init_mmio(sbd, &s->mmio_flash);
876 
877     s->flashes = g_new0(AspeedSMCFlash, s->ctrl->max_slaves);
878 
879     /*
880      * Let's create a sub memory region for each possible slave. All
881      * have a configurable memory segment in the overall flash mapping
882      * window of the controller but, there is not necessarily a flash
883      * module behind to handle the memory accesses. This depends on
884      * the board configuration.
885      */
886     for (i = 0; i < s->ctrl->max_slaves; ++i) {
887         AspeedSMCFlash *fl = &s->flashes[i];
888 
889         snprintf(name, sizeof(name), "%s.%d", s->ctrl->name, i);
890 
891         fl->id = i;
892         fl->controller = s;
893         fl->size = s->ctrl->segments[i].size;
894         memory_region_init_io(&fl->mmio, OBJECT(s), &aspeed_smc_flash_ops,
895                               fl, name, fl->size);
896         memory_region_add_subregion(&s->mmio_flash, offset, &fl->mmio);
897         offset += fl->size;
898     }
899 }
900 
901 static const VMStateDescription vmstate_aspeed_smc = {
902     .name = "aspeed.smc",
903     .version_id = 2,
904     .minimum_version_id = 2,
905     .fields = (VMStateField[]) {
906         VMSTATE_UINT32_ARRAY(regs, AspeedSMCState, ASPEED_SMC_R_MAX),
907         VMSTATE_UINT8(snoop_index, AspeedSMCState),
908         VMSTATE_UINT8(snoop_dummies, AspeedSMCState),
909         VMSTATE_END_OF_LIST()
910     }
911 };
912 
913 static Property aspeed_smc_properties[] = {
914     DEFINE_PROP_UINT32("num-cs", AspeedSMCState, num_cs, 1),
915     DEFINE_PROP_END_OF_LIST(),
916 };
917 
918 static void aspeed_smc_class_init(ObjectClass *klass, void *data)
919 {
920     DeviceClass *dc = DEVICE_CLASS(klass);
921     AspeedSMCClass *mc = ASPEED_SMC_CLASS(klass);
922 
923     dc->realize = aspeed_smc_realize;
924     dc->reset = aspeed_smc_reset;
925     dc->props = aspeed_smc_properties;
926     dc->vmsd = &vmstate_aspeed_smc;
927     mc->ctrl = data;
928 }
929 
930 static const TypeInfo aspeed_smc_info = {
931     .name           = TYPE_ASPEED_SMC,
932     .parent         = TYPE_SYS_BUS_DEVICE,
933     .instance_size  = sizeof(AspeedSMCState),
934     .class_size     = sizeof(AspeedSMCClass),
935     .abstract       = true,
936 };
937 
938 static void aspeed_smc_register_types(void)
939 {
940     int i;
941 
942     type_register_static(&aspeed_smc_info);
943     for (i = 0; i < ARRAY_SIZE(controllers); ++i) {
944         TypeInfo ti = {
945             .name       = controllers[i].name,
946             .parent     = TYPE_ASPEED_SMC,
947             .class_init = aspeed_smc_class_init,
948             .class_data = (void *)&controllers[i],
949         };
950         type_register(&ti);
951     }
952 }
953 
954 type_init(aspeed_smc_register_types)
955