xref: /openbmc/qemu/hw/ssi/aspeed_smc.c (revision f6476697)
1 /*
2  * ASPEED AST2400 SMC Controller (SPI Flash Only)
3  *
4  * Copyright (C) 2016 IBM Corp.
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to deal
8  * in the Software without restriction, including without limitation the rights
9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10  * copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22  * THE SOFTWARE.
23  */
24 
25 #include "qemu/osdep.h"
26 #include "hw/sysbus.h"
27 #include "migration/vmstate.h"
28 #include "qemu/log.h"
29 #include "qemu/module.h"
30 #include "qemu/error-report.h"
31 #include "qapi/error.h"
32 #include "qemu/units.h"
33 #include "trace.h"
34 
35 #include "hw/irq.h"
36 #include "hw/qdev-properties.h"
37 #include "hw/ssi/aspeed_smc.h"
38 
39 /* CE Type Setting Register */
40 #define R_CONF            (0x00 / 4)
41 #define   CONF_LEGACY_DISABLE  (1 << 31)
42 #define   CONF_ENABLE_W4       20
43 #define   CONF_ENABLE_W3       19
44 #define   CONF_ENABLE_W2       18
45 #define   CONF_ENABLE_W1       17
46 #define   CONF_ENABLE_W0       16
47 #define   CONF_FLASH_TYPE4     8
48 #define   CONF_FLASH_TYPE3     6
49 #define   CONF_FLASH_TYPE2     4
50 #define   CONF_FLASH_TYPE1     2
51 #define   CONF_FLASH_TYPE0     0
52 #define      CONF_FLASH_TYPE_NOR   0x0
53 #define      CONF_FLASH_TYPE_NAND  0x1
54 #define      CONF_FLASH_TYPE_SPI   0x2 /* AST2600 is SPI only */
55 
56 /* CE Control Register */
57 #define R_CE_CTRL            (0x04 / 4)
58 #define   CTRL_EXTENDED4       4  /* 32 bit addressing for SPI */
59 #define   CTRL_EXTENDED3       3  /* 32 bit addressing for SPI */
60 #define   CTRL_EXTENDED2       2  /* 32 bit addressing for SPI */
61 #define   CTRL_EXTENDED1       1  /* 32 bit addressing for SPI */
62 #define   CTRL_EXTENDED0       0  /* 32 bit addressing for SPI */
63 
64 /* Interrupt Control and Status Register */
65 #define R_INTR_CTRL       (0x08 / 4)
66 #define   INTR_CTRL_DMA_STATUS            (1 << 11)
67 #define   INTR_CTRL_CMD_ABORT_STATUS      (1 << 10)
68 #define   INTR_CTRL_WRITE_PROTECT_STATUS  (1 << 9)
69 #define   INTR_CTRL_DMA_EN                (1 << 3)
70 #define   INTR_CTRL_CMD_ABORT_EN          (1 << 2)
71 #define   INTR_CTRL_WRITE_PROTECT_EN      (1 << 1)
72 
73 /* Command Control Register */
74 #define R_CE_CMD_CTRL      (0x0C / 4)
75 #define   CTRL_ADDR_BYTE0_DISABLE_SHIFT       4
76 #define   CTRL_DATA_BYTE0_DISABLE_SHIFT       0
77 
78 #define aspeed_smc_addr_byte_enabled(s, i)                               \
79     (!((s)->regs[R_CE_CMD_CTRL] & (1 << (CTRL_ADDR_BYTE0_DISABLE_SHIFT + (i)))))
80 #define aspeed_smc_data_byte_enabled(s, i)                               \
81     (!((s)->regs[R_CE_CMD_CTRL] & (1 << (CTRL_DATA_BYTE0_DISABLE_SHIFT + (i)))))
82 
83 /* CEx Control Register */
84 #define R_CTRL0           (0x10 / 4)
85 #define   CTRL_IO_QPI              (1 << 31)
86 #define   CTRL_IO_QUAD_DATA        (1 << 30)
87 #define   CTRL_IO_DUAL_DATA        (1 << 29)
88 #define   CTRL_IO_DUAL_ADDR_DATA   (1 << 28) /* Includes dummies */
89 #define   CTRL_IO_QUAD_ADDR_DATA   (1 << 28) /* Includes dummies */
90 #define   CTRL_CMD_SHIFT           16
91 #define   CTRL_CMD_MASK            0xff
92 #define   CTRL_DUMMY_HIGH_SHIFT    14
93 #define   CTRL_AST2400_SPI_4BYTE   (1 << 13)
94 #define CE_CTRL_CLOCK_FREQ_SHIFT   8
95 #define CE_CTRL_CLOCK_FREQ_MASK    0xf
96 #define CE_CTRL_CLOCK_FREQ(div)                                         \
97     (((div) & CE_CTRL_CLOCK_FREQ_MASK) << CE_CTRL_CLOCK_FREQ_SHIFT)
98 #define   CTRL_DUMMY_LOW_SHIFT     6 /* 2 bits [7:6] */
99 #define   CTRL_CE_STOP_ACTIVE      (1 << 2)
100 #define   CTRL_CMD_MODE_MASK       0x3
101 #define     CTRL_READMODE          0x0
102 #define     CTRL_FREADMODE         0x1
103 #define     CTRL_WRITEMODE         0x2
104 #define     CTRL_USERMODE          0x3
105 #define R_CTRL1           (0x14 / 4)
106 #define R_CTRL2           (0x18 / 4)
107 #define R_CTRL3           (0x1C / 4)
108 #define R_CTRL4           (0x20 / 4)
109 
110 /* CEx Segment Address Register */
111 #define R_SEG_ADDR0       (0x30 / 4)
112 #define   SEG_END_SHIFT        24   /* 8MB units */
113 #define   SEG_END_MASK         0xff
114 #define   SEG_START_SHIFT      16   /* address bit [A29-A23] */
115 #define   SEG_START_MASK       0xff
116 #define R_SEG_ADDR1       (0x34 / 4)
117 #define R_SEG_ADDR2       (0x38 / 4)
118 #define R_SEG_ADDR3       (0x3C / 4)
119 #define R_SEG_ADDR4       (0x40 / 4)
120 
121 /* Misc Control Register #1 */
122 #define R_MISC_CTRL1      (0x50 / 4)
123 
124 /* SPI dummy cycle data */
125 #define R_DUMMY_DATA      (0x54 / 4)
126 
127 /* DMA Control/Status Register */
128 #define R_DMA_CTRL        (0x80 / 4)
129 #define   DMA_CTRL_REQUEST      (1 << 31)
130 #define   DMA_CTRL_GRANT        (1 << 30)
131 #define   DMA_CTRL_DELAY_MASK   0xf
132 #define   DMA_CTRL_DELAY_SHIFT  8
133 #define   DMA_CTRL_FREQ_MASK    0xf
134 #define   DMA_CTRL_FREQ_SHIFT   4
135 #define   DMA_CTRL_CALIB        (1 << 3)
136 #define   DMA_CTRL_CKSUM        (1 << 2)
137 #define   DMA_CTRL_WRITE        (1 << 1)
138 #define   DMA_CTRL_ENABLE       (1 << 0)
139 
140 /* DMA Flash Side Address */
141 #define R_DMA_FLASH_ADDR  (0x84 / 4)
142 
143 /* DMA DRAM Side Address */
144 #define R_DMA_DRAM_ADDR   (0x88 / 4)
145 
146 /* DMA Length Register */
147 #define R_DMA_LEN         (0x8C / 4)
148 
149 /* Checksum Calculation Result */
150 #define R_DMA_CHECKSUM    (0x90 / 4)
151 
152 /* Read Timing Compensation Register */
153 #define R_TIMINGS         (0x94 / 4)
154 
155 /* SPI controller registers and bits (AST2400) */
156 #define R_SPI_CONF        (0x00 / 4)
157 #define   SPI_CONF_ENABLE_W0   0
158 #define R_SPI_CTRL0       (0x4 / 4)
159 #define R_SPI_MISC_CTRL   (0x10 / 4)
160 #define R_SPI_TIMINGS     (0x14 / 4)
161 
162 #define ASPEED_SMC_R_SPI_MAX (0x20 / 4)
163 #define ASPEED_SMC_R_SMC_MAX (0x20 / 4)
164 
165 #define ASPEED_SOC_SMC_FLASH_BASE   0x10000000
166 #define ASPEED_SOC_FMC_FLASH_BASE   0x20000000
167 #define ASPEED_SOC_SPI_FLASH_BASE   0x30000000
168 #define ASPEED_SOC_SPI2_FLASH_BASE  0x38000000
169 
170 /*
171  * DMA DRAM addresses should be 4 bytes aligned and the valid address
172  * range is 0x40000000 - 0x5FFFFFFF (AST2400)
173  *          0x80000000 - 0xBFFFFFFF (AST2500)
174  *
175  * DMA flash addresses should be 4 bytes aligned and the valid address
176  * range is 0x20000000 - 0x2FFFFFFF.
177  *
178  * DMA length is from 4 bytes to 32MB
179  *   0: 4 bytes
180  *   0x7FFFFF: 32M bytes
181  */
182 #define DMA_DRAM_ADDR(s, val)   ((val) & (s)->ctrl->dma_dram_mask)
183 #define DMA_FLASH_ADDR(s, val)  ((val) & (s)->ctrl->dma_flash_mask)
184 #define DMA_LENGTH(val)         ((val) & 0x01FFFFFC)
185 
186 /* Flash opcodes. */
187 #define SPI_OP_READ       0x03    /* Read data bytes (low frequency) */
188 
189 #define SNOOP_OFF         0xFF
190 #define SNOOP_START       0x0
191 
192 /*
193  * Default segments mapping addresses and size for each peripheral per
194  * controller. These can be changed when board is initialized with the
195  * Segment Address Registers.
196  */
197 static const AspeedSegments aspeed_segments_legacy[] = {
198     { 0x10000000, 32 * 1024 * 1024 },
199 };
200 
201 static const AspeedSegments aspeed_segments_fmc[] = {
202     { 0x20000000, 64 * 1024 * 1024 }, /* start address is readonly */
203     { 0x24000000, 32 * 1024 * 1024 },
204     { 0x26000000, 32 * 1024 * 1024 },
205     { 0x28000000, 32 * 1024 * 1024 },
206     { 0x2A000000, 32 * 1024 * 1024 }
207 };
208 
209 static const AspeedSegments aspeed_segments_spi[] = {
210     { 0x30000000, 64 * 1024 * 1024 },
211 };
212 
213 static const AspeedSegments aspeed_segments_ast2500_fmc[] = {
214     { 0x20000000, 128 * 1024 * 1024 }, /* start address is readonly */
215     { 0x28000000,  32 * 1024 * 1024 },
216     { 0x2A000000,  32 * 1024 * 1024 },
217 };
218 
219 static const AspeedSegments aspeed_segments_ast2500_spi1[] = {
220     { 0x30000000, 32 * 1024 * 1024 }, /* start address is readonly */
221     { 0x32000000, 96 * 1024 * 1024 }, /* end address is readonly */
222 };
223 
224 static const AspeedSegments aspeed_segments_ast2500_spi2[] = {
225     { 0x38000000, 32 * 1024 * 1024 }, /* start address is readonly */
226     { 0x3A000000, 96 * 1024 * 1024 }, /* end address is readonly */
227 };
228 static uint32_t aspeed_smc_segment_to_reg(const AspeedSMCState *s,
229                                           const AspeedSegments *seg);
230 static void aspeed_smc_reg_to_segment(const AspeedSMCState *s, uint32_t reg,
231                                       AspeedSegments *seg);
232 static void aspeed_smc_dma_ctrl(AspeedSMCState *s, uint32_t value);
233 
234 /*
235  * AST2600 definitions
236  */
237 #define ASPEED26_SOC_FMC_FLASH_BASE   0x20000000
238 #define ASPEED26_SOC_SPI_FLASH_BASE   0x30000000
239 #define ASPEED26_SOC_SPI2_FLASH_BASE  0x50000000
240 
241 static const AspeedSegments aspeed_segments_ast2600_fmc[] = {
242     { 0x0, 128 * MiB }, /* start address is readonly */
243     { 128 * MiB, 128 * MiB }, /* default is disabled but needed for -kernel */
244     { 0x0, 0 }, /* disabled */
245 };
246 
247 static const AspeedSegments aspeed_segments_ast2600_spi1[] = {
248     { 0x0, 128 * MiB }, /* start address is readonly */
249     { 0x0, 0 }, /* disabled */
250 };
251 
252 static const AspeedSegments aspeed_segments_ast2600_spi2[] = {
253     { 0x0, 128 * MiB }, /* start address is readonly */
254     { 0x0, 0 }, /* disabled */
255     { 0x0, 0 }, /* disabled */
256 };
257 
258 static uint32_t aspeed_2600_smc_segment_to_reg(const AspeedSMCState *s,
259                                                const AspeedSegments *seg);
260 static void aspeed_2600_smc_reg_to_segment(const AspeedSMCState *s,
261                                            uint32_t reg, AspeedSegments *seg);
262 static void aspeed_2600_smc_dma_ctrl(AspeedSMCState *s, uint32_t value);
263 
264 #define ASPEED_SMC_FEATURE_DMA       0x1
265 #define ASPEED_SMC_FEATURE_DMA_GRANT 0x2
266 
267 static inline bool aspeed_smc_has_dma(const AspeedSMCState *s)
268 {
269     return !!(s->ctrl->features & ASPEED_SMC_FEATURE_DMA);
270 }
271 
272 static const AspeedSMCController controllers[] = {
273     {
274         .name              = "aspeed.smc-ast2400",
275         .r_conf            = R_CONF,
276         .r_ce_ctrl         = R_CE_CTRL,
277         .r_ctrl0           = R_CTRL0,
278         .r_timings         = R_TIMINGS,
279         .nregs_timings     = 1,
280         .conf_enable_w0    = CONF_ENABLE_W0,
281         .max_peripherals   = 1,
282         .segments          = aspeed_segments_legacy,
283         .flash_window_base = ASPEED_SOC_SMC_FLASH_BASE,
284         .flash_window_size = 0x6000000,
285         .features          = 0x0,
286         .nregs             = ASPEED_SMC_R_SMC_MAX,
287         .segment_to_reg    = aspeed_smc_segment_to_reg,
288         .reg_to_segment    = aspeed_smc_reg_to_segment,
289         .dma_ctrl          = aspeed_smc_dma_ctrl,
290     }, {
291         .name              = "aspeed.fmc-ast2400",
292         .r_conf            = R_CONF,
293         .r_ce_ctrl         = R_CE_CTRL,
294         .r_ctrl0           = R_CTRL0,
295         .r_timings         = R_TIMINGS,
296         .nregs_timings     = 1,
297         .conf_enable_w0    = CONF_ENABLE_W0,
298         .max_peripherals   = 5,
299         .segments          = aspeed_segments_fmc,
300         .flash_window_base = ASPEED_SOC_FMC_FLASH_BASE,
301         .flash_window_size = 0x10000000,
302         .features          = ASPEED_SMC_FEATURE_DMA,
303         .dma_flash_mask    = 0x0FFFFFFC,
304         .dma_dram_mask     = 0x1FFFFFFC,
305         .nregs             = ASPEED_SMC_R_MAX,
306         .segment_to_reg    = aspeed_smc_segment_to_reg,
307         .reg_to_segment    = aspeed_smc_reg_to_segment,
308         .dma_ctrl          = aspeed_smc_dma_ctrl,
309     }, {
310         .name              = "aspeed.spi1-ast2400",
311         .r_conf            = R_SPI_CONF,
312         .r_ce_ctrl         = 0xff,
313         .r_ctrl0           = R_SPI_CTRL0,
314         .r_timings         = R_SPI_TIMINGS,
315         .nregs_timings     = 1,
316         .conf_enable_w0    = SPI_CONF_ENABLE_W0,
317         .max_peripherals   = 1,
318         .segments          = aspeed_segments_spi,
319         .flash_window_base = ASPEED_SOC_SPI_FLASH_BASE,
320         .flash_window_size = 0x10000000,
321         .features          = 0x0,
322         .nregs             = ASPEED_SMC_R_SPI_MAX,
323         .segment_to_reg    = aspeed_smc_segment_to_reg,
324         .reg_to_segment    = aspeed_smc_reg_to_segment,
325         .dma_ctrl          = aspeed_smc_dma_ctrl,
326     }, {
327         .name              = "aspeed.fmc-ast2500",
328         .r_conf            = R_CONF,
329         .r_ce_ctrl         = R_CE_CTRL,
330         .r_ctrl0           = R_CTRL0,
331         .r_timings         = R_TIMINGS,
332         .nregs_timings     = 1,
333         .conf_enable_w0    = CONF_ENABLE_W0,
334         .max_peripherals   = 3,
335         .segments          = aspeed_segments_ast2500_fmc,
336         .flash_window_base = ASPEED_SOC_FMC_FLASH_BASE,
337         .flash_window_size = 0x10000000,
338         .features          = ASPEED_SMC_FEATURE_DMA,
339         .dma_flash_mask    = 0x0FFFFFFC,
340         .dma_dram_mask     = 0x3FFFFFFC,
341         .nregs             = ASPEED_SMC_R_MAX,
342         .segment_to_reg    = aspeed_smc_segment_to_reg,
343         .reg_to_segment    = aspeed_smc_reg_to_segment,
344         .dma_ctrl          = aspeed_smc_dma_ctrl,
345     }, {
346         .name              = "aspeed.spi1-ast2500",
347         .r_conf            = R_CONF,
348         .r_ce_ctrl         = R_CE_CTRL,
349         .r_ctrl0           = R_CTRL0,
350         .r_timings         = R_TIMINGS,
351         .nregs_timings     = 1,
352         .conf_enable_w0    = CONF_ENABLE_W0,
353         .max_peripherals   = 2,
354         .segments          = aspeed_segments_ast2500_spi1,
355         .flash_window_base = ASPEED_SOC_SPI_FLASH_BASE,
356         .flash_window_size = 0x8000000,
357         .features          = 0x0,
358         .nregs             = ASPEED_SMC_R_MAX,
359         .segment_to_reg    = aspeed_smc_segment_to_reg,
360         .reg_to_segment    = aspeed_smc_reg_to_segment,
361         .dma_ctrl          = aspeed_smc_dma_ctrl,
362     }, {
363         .name              = "aspeed.spi2-ast2500",
364         .r_conf            = R_CONF,
365         .r_ce_ctrl         = R_CE_CTRL,
366         .r_ctrl0           = R_CTRL0,
367         .r_timings         = R_TIMINGS,
368         .nregs_timings     = 1,
369         .conf_enable_w0    = CONF_ENABLE_W0,
370         .max_peripherals   = 2,
371         .segments          = aspeed_segments_ast2500_spi2,
372         .flash_window_base = ASPEED_SOC_SPI2_FLASH_BASE,
373         .flash_window_size = 0x8000000,
374         .features          = 0x0,
375         .nregs             = ASPEED_SMC_R_MAX,
376         .segment_to_reg    = aspeed_smc_segment_to_reg,
377         .reg_to_segment    = aspeed_smc_reg_to_segment,
378         .dma_ctrl          = aspeed_smc_dma_ctrl,
379     }, {
380         .name              = "aspeed.fmc-ast2600",
381         .r_conf            = R_CONF,
382         .r_ce_ctrl         = R_CE_CTRL,
383         .r_ctrl0           = R_CTRL0,
384         .r_timings         = R_TIMINGS,
385         .nregs_timings     = 1,
386         .conf_enable_w0    = CONF_ENABLE_W0,
387         .max_peripherals   = 3,
388         .segments          = aspeed_segments_ast2600_fmc,
389         .flash_window_base = ASPEED26_SOC_FMC_FLASH_BASE,
390         .flash_window_size = 0x10000000,
391         .features          = ASPEED_SMC_FEATURE_DMA,
392         .dma_flash_mask    = 0x0FFFFFFC,
393         .dma_dram_mask     = 0x3FFFFFFC,
394         .nregs             = ASPEED_SMC_R_MAX,
395         .segment_to_reg    = aspeed_2600_smc_segment_to_reg,
396         .reg_to_segment    = aspeed_2600_smc_reg_to_segment,
397         .dma_ctrl          = aspeed_2600_smc_dma_ctrl,
398     }, {
399         .name              = "aspeed.spi1-ast2600",
400         .r_conf            = R_CONF,
401         .r_ce_ctrl         = R_CE_CTRL,
402         .r_ctrl0           = R_CTRL0,
403         .r_timings         = R_TIMINGS,
404         .nregs_timings     = 2,
405         .conf_enable_w0    = CONF_ENABLE_W0,
406         .max_peripherals   = 2,
407         .segments          = aspeed_segments_ast2600_spi1,
408         .flash_window_base = ASPEED26_SOC_SPI_FLASH_BASE,
409         .flash_window_size = 0x10000000,
410         .features          = ASPEED_SMC_FEATURE_DMA |
411                              ASPEED_SMC_FEATURE_DMA_GRANT,
412         .dma_flash_mask    = 0x0FFFFFFC,
413         .dma_dram_mask     = 0x3FFFFFFC,
414         .nregs             = ASPEED_SMC_R_MAX,
415         .segment_to_reg    = aspeed_2600_smc_segment_to_reg,
416         .reg_to_segment    = aspeed_2600_smc_reg_to_segment,
417         .dma_ctrl          = aspeed_2600_smc_dma_ctrl,
418     }, {
419         .name              = "aspeed.spi2-ast2600",
420         .r_conf            = R_CONF,
421         .r_ce_ctrl         = R_CE_CTRL,
422         .r_ctrl0           = R_CTRL0,
423         .r_timings         = R_TIMINGS,
424         .nregs_timings     = 3,
425         .conf_enable_w0    = CONF_ENABLE_W0,
426         .max_peripherals   = 3,
427         .segments          = aspeed_segments_ast2600_spi2,
428         .flash_window_base = ASPEED26_SOC_SPI2_FLASH_BASE,
429         .flash_window_size = 0x10000000,
430         .features          = ASPEED_SMC_FEATURE_DMA |
431                              ASPEED_SMC_FEATURE_DMA_GRANT,
432         .dma_flash_mask    = 0x0FFFFFFC,
433         .dma_dram_mask     = 0x3FFFFFFC,
434         .nregs             = ASPEED_SMC_R_MAX,
435         .segment_to_reg    = aspeed_2600_smc_segment_to_reg,
436         .reg_to_segment    = aspeed_2600_smc_reg_to_segment,
437         .dma_ctrl          = aspeed_2600_smc_dma_ctrl,
438     },
439 };
440 
441 /*
442  * The Segment Registers of the AST2400 and AST2500 have a 8MB
443  * unit. The address range of a flash SPI peripheral is encoded with
444  * absolute addresses which should be part of the overall controller
445  * window.
446  */
447 static uint32_t aspeed_smc_segment_to_reg(const AspeedSMCState *s,
448                                           const AspeedSegments *seg)
449 {
450     uint32_t reg = 0;
451     reg |= ((seg->addr >> 23) & SEG_START_MASK) << SEG_START_SHIFT;
452     reg |= (((seg->addr + seg->size) >> 23) & SEG_END_MASK) << SEG_END_SHIFT;
453     return reg;
454 }
455 
456 static void aspeed_smc_reg_to_segment(const AspeedSMCState *s,
457                                       uint32_t reg, AspeedSegments *seg)
458 {
459     seg->addr = ((reg >> SEG_START_SHIFT) & SEG_START_MASK) << 23;
460     seg->size = (((reg >> SEG_END_SHIFT) & SEG_END_MASK) << 23) - seg->addr;
461 }
462 
463 /*
464  * The Segment Registers of the AST2600 have a 1MB unit. The address
465  * range of a flash SPI peripheral is encoded with offsets in the overall
466  * controller window. The previous SoC AST2400 and AST2500 used
467  * absolute addresses. Only bits [27:20] are relevant and the end
468  * address is an upper bound limit.
469  */
470 #define AST2600_SEG_ADDR_MASK 0x0ff00000
471 
472 static uint32_t aspeed_2600_smc_segment_to_reg(const AspeedSMCState *s,
473                                                const AspeedSegments *seg)
474 {
475     uint32_t reg = 0;
476 
477     /* Disabled segments have a nil register */
478     if (!seg->size) {
479         return 0;
480     }
481 
482     reg |= (seg->addr & AST2600_SEG_ADDR_MASK) >> 16; /* start offset */
483     reg |= (seg->addr + seg->size - 1) & AST2600_SEG_ADDR_MASK; /* end offset */
484     return reg;
485 }
486 
487 static void aspeed_2600_smc_reg_to_segment(const AspeedSMCState *s,
488                                            uint32_t reg, AspeedSegments *seg)
489 {
490     uint32_t start_offset = (reg << 16) & AST2600_SEG_ADDR_MASK;
491     uint32_t end_offset = reg & AST2600_SEG_ADDR_MASK;
492 
493     if (reg) {
494         seg->addr = s->ctrl->flash_window_base + start_offset;
495         seg->size = end_offset + MiB - start_offset;
496     } else {
497         seg->addr = s->ctrl->flash_window_base;
498         seg->size = 0;
499     }
500 }
501 
502 static bool aspeed_smc_flash_overlap(const AspeedSMCState *s,
503                                      const AspeedSegments *new,
504                                      int cs)
505 {
506     AspeedSegments seg;
507     int i;
508 
509     for (i = 0; i < s->ctrl->max_peripherals; i++) {
510         if (i == cs) {
511             continue;
512         }
513 
514         s->ctrl->reg_to_segment(s, s->regs[R_SEG_ADDR0 + i], &seg);
515 
516         if (new->addr + new->size > seg.addr &&
517             new->addr < seg.addr + seg.size) {
518             qemu_log_mask(LOG_GUEST_ERROR, "%s: new segment CS%d [ 0x%"
519                           HWADDR_PRIx" - 0x%"HWADDR_PRIx" ] overlaps with "
520                           "CS%d [ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
521                           s->ctrl->name, cs, new->addr, new->addr + new->size,
522                           i, seg.addr, seg.addr + seg.size);
523             return true;
524         }
525     }
526     return false;
527 }
528 
529 static void aspeed_smc_flash_set_segment_region(AspeedSMCState *s, int cs,
530                                                 uint64_t regval)
531 {
532     AspeedSMCFlash *fl = &s->flashes[cs];
533     AspeedSegments seg;
534 
535     s->ctrl->reg_to_segment(s, regval, &seg);
536 
537     memory_region_transaction_begin();
538     memory_region_set_size(&fl->mmio, seg.size);
539     memory_region_set_address(&fl->mmio, seg.addr - s->ctrl->flash_window_base);
540     memory_region_set_enabled(&fl->mmio, !!seg.size);
541     memory_region_transaction_commit();
542 
543     s->regs[R_SEG_ADDR0 + cs] = regval;
544 }
545 
546 static void aspeed_smc_flash_set_segment(AspeedSMCState *s, int cs,
547                                          uint64_t new)
548 {
549     AspeedSegments seg;
550 
551     s->ctrl->reg_to_segment(s, new, &seg);
552 
553     trace_aspeed_smc_flash_set_segment(cs, new, seg.addr, seg.addr + seg.size);
554 
555     /* The start address of CS0 is read-only */
556     if (cs == 0 && seg.addr != s->ctrl->flash_window_base) {
557         qemu_log_mask(LOG_GUEST_ERROR,
558                       "%s: Tried to change CS0 start address to 0x%"
559                       HWADDR_PRIx "\n", s->ctrl->name, seg.addr);
560         seg.addr = s->ctrl->flash_window_base;
561         new = s->ctrl->segment_to_reg(s, &seg);
562     }
563 
564     /*
565      * The end address of the AST2500 spi controllers is also
566      * read-only.
567      */
568     if ((s->ctrl->segments == aspeed_segments_ast2500_spi1 ||
569          s->ctrl->segments == aspeed_segments_ast2500_spi2) &&
570         cs == s->ctrl->max_peripherals &&
571         seg.addr + seg.size != s->ctrl->segments[cs].addr +
572         s->ctrl->segments[cs].size) {
573         qemu_log_mask(LOG_GUEST_ERROR,
574                       "%s: Tried to change CS%d end address to 0x%"
575                       HWADDR_PRIx "\n", s->ctrl->name, cs, seg.addr + seg.size);
576         seg.size = s->ctrl->segments[cs].addr + s->ctrl->segments[cs].size -
577             seg.addr;
578         new = s->ctrl->segment_to_reg(s, &seg);
579     }
580 
581     /* Keep the segment in the overall flash window */
582     if (seg.size &&
583         (seg.addr + seg.size <= s->ctrl->flash_window_base ||
584          seg.addr > s->ctrl->flash_window_base + s->ctrl->flash_window_size)) {
585         qemu_log_mask(LOG_GUEST_ERROR, "%s: new segment for CS%d is invalid : "
586                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
587                       s->ctrl->name, cs, seg.addr, seg.addr + seg.size);
588         return;
589     }
590 
591     /* Check start address vs. alignment */
592     if (seg.size && !QEMU_IS_ALIGNED(seg.addr, seg.size)) {
593         qemu_log_mask(LOG_GUEST_ERROR, "%s: new segment for CS%d is not "
594                       "aligned : [ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
595                       s->ctrl->name, cs, seg.addr, seg.addr + seg.size);
596     }
597 
598     /* And segments should not overlap (in the specs) */
599     aspeed_smc_flash_overlap(s, &seg, cs);
600 
601     /* All should be fine now to move the region */
602     aspeed_smc_flash_set_segment_region(s, cs, new);
603 }
604 
605 static uint64_t aspeed_smc_flash_default_read(void *opaque, hwaddr addr,
606                                               unsigned size)
607 {
608     qemu_log_mask(LOG_GUEST_ERROR, "%s: To 0x%" HWADDR_PRIx " of size %u"
609                   PRIx64 "\n", __func__, addr, size);
610     return 0;
611 }
612 
613 static void aspeed_smc_flash_default_write(void *opaque, hwaddr addr,
614                                            uint64_t data, unsigned size)
615 {
616     qemu_log_mask(LOG_GUEST_ERROR, "%s: To 0x%" HWADDR_PRIx " of size %u: 0x%"
617                   PRIx64 "\n", __func__, addr, size, data);
618 }
619 
620 static const MemoryRegionOps aspeed_smc_flash_default_ops = {
621     .read = aspeed_smc_flash_default_read,
622     .write = aspeed_smc_flash_default_write,
623     .endianness = DEVICE_LITTLE_ENDIAN,
624     .valid = {
625         .min_access_size = 1,
626         .max_access_size = 4,
627     },
628 };
629 
630 static inline int aspeed_smc_flash_mode(const AspeedSMCFlash *fl)
631 {
632     const AspeedSMCState *s = fl->controller;
633 
634     return s->regs[s->r_ctrl0 + fl->id] & CTRL_CMD_MODE_MASK;
635 }
636 
637 static inline bool aspeed_smc_is_writable(const AspeedSMCFlash *fl)
638 {
639     const AspeedSMCState *s = fl->controller;
640 
641     return s->regs[s->r_conf] & (1 << (s->conf_enable_w0 + fl->id));
642 }
643 
644 static inline int aspeed_smc_flash_cmd(const AspeedSMCFlash *fl)
645 {
646     const AspeedSMCState *s = fl->controller;
647     int cmd = (s->regs[s->r_ctrl0 + fl->id] >> CTRL_CMD_SHIFT) & CTRL_CMD_MASK;
648 
649     /*
650      * In read mode, the default SPI command is READ (0x3). In other
651      * modes, the command should necessarily be defined
652      *
653      * TODO: add support for READ4 (0x13) on AST2600
654      */
655     if (aspeed_smc_flash_mode(fl) == CTRL_READMODE) {
656         cmd = SPI_OP_READ;
657     }
658 
659     if (!cmd) {
660         qemu_log_mask(LOG_GUEST_ERROR, "%s: no command defined for mode %d\n",
661                       __func__, aspeed_smc_flash_mode(fl));
662     }
663 
664     return cmd;
665 }
666 
667 static inline int aspeed_smc_flash_is_4byte(const AspeedSMCFlash *fl)
668 {
669     const AspeedSMCState *s = fl->controller;
670 
671     if (s->ctrl->segments == aspeed_segments_spi) {
672         return s->regs[s->r_ctrl0] & CTRL_AST2400_SPI_4BYTE;
673     } else {
674         return s->regs[s->r_ce_ctrl] & (1 << (CTRL_EXTENDED0 + fl->id));
675     }
676 }
677 
678 static void aspeed_smc_flash_do_select(AspeedSMCFlash *fl, bool unselect)
679 {
680     AspeedSMCState *s = fl->controller;
681 
682     trace_aspeed_smc_flash_select(fl->id, unselect ? "un" : "");
683 
684     qemu_set_irq(s->cs_lines[fl->id], unselect);
685 }
686 
687 static void aspeed_smc_flash_select(AspeedSMCFlash *fl)
688 {
689     aspeed_smc_flash_do_select(fl, false);
690 }
691 
692 static void aspeed_smc_flash_unselect(AspeedSMCFlash *fl)
693 {
694     aspeed_smc_flash_do_select(fl, true);
695 }
696 
697 static uint32_t aspeed_smc_check_segment_addr(const AspeedSMCFlash *fl,
698                                               uint32_t addr)
699 {
700     const AspeedSMCState *s = fl->controller;
701     AspeedSegments seg;
702 
703     s->ctrl->reg_to_segment(s, s->regs[R_SEG_ADDR0 + fl->id], &seg);
704     if ((addr % seg.size) != addr) {
705         qemu_log_mask(LOG_GUEST_ERROR,
706                       "%s: invalid address 0x%08x for CS%d segment : "
707                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
708                       s->ctrl->name, addr, fl->id, seg.addr,
709                       seg.addr + seg.size);
710         addr %= seg.size;
711     }
712 
713     return addr;
714 }
715 
716 static int aspeed_smc_flash_dummies(const AspeedSMCFlash *fl)
717 {
718     const AspeedSMCState *s = fl->controller;
719     uint32_t r_ctrl0 = s->regs[s->r_ctrl0 + fl->id];
720     uint32_t dummy_high = (r_ctrl0 >> CTRL_DUMMY_HIGH_SHIFT) & 0x1;
721     uint32_t dummy_low = (r_ctrl0 >> CTRL_DUMMY_LOW_SHIFT) & 0x3;
722     uint32_t dummies = ((dummy_high << 2) | dummy_low) * 8;
723 
724     if (r_ctrl0 & CTRL_IO_DUAL_ADDR_DATA) {
725         dummies /= 2;
726     }
727 
728     return dummies;
729 }
730 
731 static void aspeed_smc_flash_setup(AspeedSMCFlash *fl, uint32_t addr)
732 {
733     const AspeedSMCState *s = fl->controller;
734     uint8_t cmd = aspeed_smc_flash_cmd(fl);
735     int i = aspeed_smc_flash_is_4byte(fl) ? 4 : 3;
736 
737     /* Flash access can not exceed CS segment */
738     addr = aspeed_smc_check_segment_addr(fl, addr);
739 
740     ssi_transfer(s->spi, cmd);
741     while (i--) {
742         if (aspeed_smc_addr_byte_enabled(s, i)) {
743             ssi_transfer(s->spi, (addr >> (i * 8)) & 0xff);
744         }
745     }
746 
747     /*
748      * Use fake transfers to model dummy bytes. The value should
749      * be configured to some non-zero value in fast read mode and
750      * zero in read mode. But, as the HW allows inconsistent
751      * settings, let's check for fast read mode.
752      */
753     if (aspeed_smc_flash_mode(fl) == CTRL_FREADMODE) {
754         for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
755             ssi_transfer(fl->controller->spi, s->regs[R_DUMMY_DATA] & 0xff);
756         }
757     }
758 }
759 
760 static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
761 {
762     AspeedSMCFlash *fl = opaque;
763     AspeedSMCState *s = fl->controller;
764     uint64_t ret = 0;
765     int i;
766 
767     switch (aspeed_smc_flash_mode(fl)) {
768     case CTRL_USERMODE:
769         for (i = 0; i < size; i++) {
770             ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
771         }
772         break;
773     case CTRL_READMODE:
774     case CTRL_FREADMODE:
775         aspeed_smc_flash_select(fl);
776         aspeed_smc_flash_setup(fl, addr);
777 
778         for (i = 0; i < size; i++) {
779             ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
780         }
781 
782         aspeed_smc_flash_unselect(fl);
783         break;
784     default:
785         qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid flash mode %d\n",
786                       __func__, aspeed_smc_flash_mode(fl));
787     }
788 
789     trace_aspeed_smc_flash_read(fl->id, addr, size, ret,
790                                 aspeed_smc_flash_mode(fl));
791     return ret;
792 }
793 
794 /*
795  * TODO (clg@kaod.org): stolen from xilinx_spips.c. Should move to a
796  * common include header.
797  */
798 typedef enum {
799     READ = 0x3,         READ_4 = 0x13,
800     FAST_READ = 0xb,    FAST_READ_4 = 0x0c,
801     DOR = 0x3b,         DOR_4 = 0x3c,
802     QOR = 0x6b,         QOR_4 = 0x6c,
803     DIOR = 0xbb,        DIOR_4 = 0xbc,
804     QIOR = 0xeb,        QIOR_4 = 0xec,
805 
806     PP = 0x2,           PP_4 = 0x12,
807     DPP = 0xa2,
808     QPP = 0x32,         QPP_4 = 0x34,
809 } FlashCMD;
810 
811 static int aspeed_smc_num_dummies(uint8_t command)
812 {
813     switch (command) { /* check for dummies */
814     case READ: /* no dummy bytes/cycles */
815     case PP:
816     case DPP:
817     case QPP:
818     case READ_4:
819     case PP_4:
820     case QPP_4:
821         return 0;
822     case FAST_READ:
823     case DOR:
824     case QOR:
825     case FAST_READ_4:
826     case DOR_4:
827     case QOR_4:
828         return 1;
829     case DIOR:
830     case DIOR_4:
831         return 2;
832     case QIOR:
833     case QIOR_4:
834         return 4;
835     default:
836         return -1;
837     }
838 }
839 
840 static bool aspeed_smc_do_snoop(AspeedSMCFlash *fl,  uint64_t data,
841                                 unsigned size)
842 {
843     AspeedSMCState *s = fl->controller;
844     uint8_t addr_width = aspeed_smc_flash_is_4byte(fl) ? 4 : 3;
845 
846     trace_aspeed_smc_do_snoop(fl->id, s->snoop_index, s->snoop_dummies,
847                               (uint8_t) data & 0xff);
848 
849     if (s->snoop_index == SNOOP_OFF) {
850         return false; /* Do nothing */
851 
852     } else if (s->snoop_index == SNOOP_START) {
853         uint8_t cmd = data & 0xff;
854         int ndummies = aspeed_smc_num_dummies(cmd);
855 
856         /*
857          * No dummy cycles are expected with the current command. Turn
858          * off snooping and let the transfer proceed normally.
859          */
860         if (ndummies <= 0) {
861             s->snoop_index = SNOOP_OFF;
862             return false;
863         }
864 
865         s->snoop_dummies = ndummies * 8;
866 
867     } else if (s->snoop_index >= addr_width + 1) {
868 
869         /* The SPI transfer has reached the dummy cycles sequence */
870         for (; s->snoop_dummies; s->snoop_dummies--) {
871             ssi_transfer(s->spi, s->regs[R_DUMMY_DATA] & 0xff);
872         }
873 
874         /* If no more dummy cycles are expected, turn off snooping */
875         if (!s->snoop_dummies) {
876             s->snoop_index = SNOOP_OFF;
877         } else {
878             s->snoop_index += size;
879         }
880 
881         /*
882          * Dummy cycles have been faked already. Ignore the current
883          * SPI transfer
884          */
885         return true;
886     }
887 
888     s->snoop_index += size;
889     return false;
890 }
891 
892 static void aspeed_smc_flash_write(void *opaque, hwaddr addr, uint64_t data,
893                                    unsigned size)
894 {
895     AspeedSMCFlash *fl = opaque;
896     AspeedSMCState *s = fl->controller;
897     int i;
898 
899     trace_aspeed_smc_flash_write(fl->id, addr, size, data,
900                                  aspeed_smc_flash_mode(fl));
901 
902     if (!aspeed_smc_is_writable(fl)) {
903         qemu_log_mask(LOG_GUEST_ERROR, "%s: flash is not writable at 0x%"
904                       HWADDR_PRIx "\n", __func__, addr);
905         return;
906     }
907 
908     switch (aspeed_smc_flash_mode(fl)) {
909     case CTRL_USERMODE:
910         if (aspeed_smc_do_snoop(fl, data, size)) {
911             break;
912         }
913 
914         for (i = 0; i < size; i++) {
915             ssi_transfer(s->spi, (data >> (8 * i)) & 0xff);
916         }
917         break;
918     case CTRL_WRITEMODE:
919         aspeed_smc_flash_select(fl);
920         aspeed_smc_flash_setup(fl, addr);
921 
922         for (i = 0; i < size; i++) {
923             ssi_transfer(s->spi, (data >> (8 * i)) & 0xff);
924         }
925 
926         aspeed_smc_flash_unselect(fl);
927         break;
928     default:
929         qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid flash mode %d\n",
930                       __func__, aspeed_smc_flash_mode(fl));
931     }
932 }
933 
934 static const MemoryRegionOps aspeed_smc_flash_ops = {
935     .read = aspeed_smc_flash_read,
936     .write = aspeed_smc_flash_write,
937     .endianness = DEVICE_LITTLE_ENDIAN,
938     .valid = {
939         .min_access_size = 1,
940         .max_access_size = 4,
941     },
942 };
943 
944 static void aspeed_smc_flash_update_ctrl(AspeedSMCFlash *fl, uint32_t value)
945 {
946     AspeedSMCState *s = fl->controller;
947     bool unselect;
948 
949     /* User mode selects the CS, other modes unselect */
950     unselect = (value & CTRL_CMD_MODE_MASK) != CTRL_USERMODE;
951 
952     /* A change of CTRL_CE_STOP_ACTIVE from 0 to 1, unselects the CS */
953     if (!(s->regs[s->r_ctrl0 + fl->id] & CTRL_CE_STOP_ACTIVE) &&
954         value & CTRL_CE_STOP_ACTIVE) {
955         unselect = true;
956     }
957 
958     s->regs[s->r_ctrl0 + fl->id] = value;
959 
960     s->snoop_index = unselect ? SNOOP_OFF : SNOOP_START;
961 
962     aspeed_smc_flash_do_select(fl, unselect);
963 }
964 
965 static void aspeed_smc_reset(DeviceState *d)
966 {
967     AspeedSMCState *s = ASPEED_SMC(d);
968     int i;
969 
970     memset(s->regs, 0, sizeof s->regs);
971 
972     /* Unselect all peripherals */
973     for (i = 0; i < s->num_cs; ++i) {
974         s->regs[s->r_ctrl0 + i] |= CTRL_CE_STOP_ACTIVE;
975         qemu_set_irq(s->cs_lines[i], true);
976     }
977 
978     /* setup the default segment register values and regions for all */
979     for (i = 0; i < s->ctrl->max_peripherals; ++i) {
980         aspeed_smc_flash_set_segment_region(s, i,
981                     s->ctrl->segment_to_reg(s, &s->ctrl->segments[i]));
982     }
983 
984     /* HW strapping flash type for the AST2600 controllers  */
985     if (s->ctrl->segments == aspeed_segments_ast2600_fmc) {
986         /* flash type is fixed to SPI for all */
987         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE0);
988         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE1);
989         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE2);
990     }
991 
992     /* HW strapping flash type for FMC controllers  */
993     if (s->ctrl->segments == aspeed_segments_ast2500_fmc) {
994         /* flash type is fixed to SPI for CE0 and CE1 */
995         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE0);
996         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE1);
997     }
998 
999     /* HW strapping for AST2400 FMC controllers (SCU70). Let's use the
1000      * configuration of the palmetto-bmc machine */
1001     if (s->ctrl->segments == aspeed_segments_fmc) {
1002         s->regs[s->r_conf] |= (CONF_FLASH_TYPE_SPI << CONF_FLASH_TYPE0);
1003     }
1004 
1005     s->snoop_index = SNOOP_OFF;
1006     s->snoop_dummies = 0;
1007 }
1008 
1009 static uint64_t aspeed_smc_read(void *opaque, hwaddr addr, unsigned int size)
1010 {
1011     AspeedSMCState *s = ASPEED_SMC(opaque);
1012 
1013     addr >>= 2;
1014 
1015     if (addr == s->r_conf ||
1016         (addr >= s->r_timings &&
1017          addr < s->r_timings + s->ctrl->nregs_timings) ||
1018         addr == s->r_ce_ctrl ||
1019         addr == R_CE_CMD_CTRL ||
1020         addr == R_INTR_CTRL ||
1021         addr == R_DUMMY_DATA ||
1022         (aspeed_smc_has_dma(s) && addr == R_DMA_CTRL) ||
1023         (aspeed_smc_has_dma(s) && addr == R_DMA_FLASH_ADDR) ||
1024         (aspeed_smc_has_dma(s) && addr == R_DMA_DRAM_ADDR) ||
1025         (aspeed_smc_has_dma(s) && addr == R_DMA_LEN) ||
1026         (aspeed_smc_has_dma(s) && addr == R_DMA_CHECKSUM) ||
1027         (addr >= R_SEG_ADDR0 &&
1028          addr < R_SEG_ADDR0 + s->ctrl->max_peripherals) ||
1029         (addr >= s->r_ctrl0 && addr < s->r_ctrl0 + s->ctrl->max_peripherals)) {
1030 
1031         trace_aspeed_smc_read(addr, size, s->regs[addr]);
1032 
1033         return s->regs[addr];
1034     } else {
1035         qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\n",
1036                       __func__, addr);
1037         return -1;
1038     }
1039 }
1040 
1041 static uint8_t aspeed_smc_hclk_divisor(uint8_t hclk_mask)
1042 {
1043     /* HCLK/1 .. HCLK/16 */
1044     const uint8_t hclk_divisors[] = {
1045         15, 7, 14, 6, 13, 5, 12, 4, 11, 3, 10, 2, 9, 1, 8, 0
1046     };
1047     int i;
1048 
1049     for (i = 0; i < ARRAY_SIZE(hclk_divisors); i++) {
1050         if (hclk_mask == hclk_divisors[i]) {
1051             return i + 1;
1052         }
1053     }
1054 
1055     qemu_log_mask(LOG_GUEST_ERROR, "invalid HCLK mask %x", hclk_mask);
1056     return 0;
1057 }
1058 
1059 /*
1060  * When doing calibration, the SPI clock rate in the CE0 Control
1061  * Register and the read delay cycles in the Read Timing Compensation
1062  * Register are set using bit[11:4] of the DMA Control Register.
1063  */
1064 static void aspeed_smc_dma_calibration(AspeedSMCState *s)
1065 {
1066     uint8_t delay =
1067         (s->regs[R_DMA_CTRL] >> DMA_CTRL_DELAY_SHIFT) & DMA_CTRL_DELAY_MASK;
1068     uint8_t hclk_mask =
1069         (s->regs[R_DMA_CTRL] >> DMA_CTRL_FREQ_SHIFT) & DMA_CTRL_FREQ_MASK;
1070     uint8_t hclk_div = aspeed_smc_hclk_divisor(hclk_mask);
1071     uint32_t hclk_shift = (hclk_div - 1) << 2;
1072     uint8_t cs;
1073 
1074     /*
1075      * The Read Timing Compensation Register values apply to all CS on
1076      * the SPI bus and only HCLK/1 - HCLK/5 can have tunable delays
1077      */
1078     if (hclk_div && hclk_div < 6) {
1079         s->regs[s->r_timings] &= ~(0xf << hclk_shift);
1080         s->regs[s->r_timings] |= delay << hclk_shift;
1081     }
1082 
1083     /*
1084      * TODO: compute the CS from the DMA address and the segment
1085      * registers. This is not really a problem for now because the
1086      * Timing Register values apply to all CS and software uses CS0 to
1087      * do calibration.
1088      */
1089     cs = 0;
1090     s->regs[s->r_ctrl0 + cs] &=
1091         ~(CE_CTRL_CLOCK_FREQ_MASK << CE_CTRL_CLOCK_FREQ_SHIFT);
1092     s->regs[s->r_ctrl0 + cs] |= CE_CTRL_CLOCK_FREQ(hclk_div);
1093 }
1094 
1095 /*
1096  * Emulate read errors in the DMA Checksum Register for high
1097  * frequencies and optimistic settings of the Read Timing Compensation
1098  * Register. This will help in tuning the SPI timing calibration
1099  * algorithm.
1100  */
1101 static bool aspeed_smc_inject_read_failure(AspeedSMCState *s)
1102 {
1103     uint8_t delay =
1104         (s->regs[R_DMA_CTRL] >> DMA_CTRL_DELAY_SHIFT) & DMA_CTRL_DELAY_MASK;
1105     uint8_t hclk_mask =
1106         (s->regs[R_DMA_CTRL] >> DMA_CTRL_FREQ_SHIFT) & DMA_CTRL_FREQ_MASK;
1107 
1108     /*
1109      * Typical values of a palmetto-bmc machine.
1110      */
1111     switch (aspeed_smc_hclk_divisor(hclk_mask)) {
1112     case 4 ... 16:
1113         return false;
1114     case 3: /* at least one HCLK cycle delay */
1115         return (delay & 0x7) < 1;
1116     case 2: /* at least two HCLK cycle delay */
1117         return (delay & 0x7) < 2;
1118     case 1: /* (> 100MHz) is above the max freq of the controller */
1119         return true;
1120     default:
1121         g_assert_not_reached();
1122     }
1123 }
1124 
1125 /*
1126  * Accumulate the result of the reads to provide a checksum that will
1127  * be used to validate the read timing settings.
1128  */
1129 static void aspeed_smc_dma_checksum(AspeedSMCState *s)
1130 {
1131     MemTxResult result;
1132     uint32_t data;
1133 
1134     if (s->regs[R_DMA_CTRL] & DMA_CTRL_WRITE) {
1135         qemu_log_mask(LOG_GUEST_ERROR,
1136                       "%s: invalid direction for DMA checksum\n",  __func__);
1137         return;
1138     }
1139 
1140     if (s->regs[R_DMA_CTRL] & DMA_CTRL_CALIB) {
1141         aspeed_smc_dma_calibration(s);
1142     }
1143 
1144     while (s->regs[R_DMA_LEN]) {
1145         data = address_space_ldl_le(&s->flash_as, s->regs[R_DMA_FLASH_ADDR],
1146                                     MEMTXATTRS_UNSPECIFIED, &result);
1147         if (result != MEMTX_OK) {
1148             qemu_log_mask(LOG_GUEST_ERROR, "%s: Flash read failed @%08x\n",
1149                           __func__, s->regs[R_DMA_FLASH_ADDR]);
1150             return;
1151         }
1152         trace_aspeed_smc_dma_checksum(s->regs[R_DMA_FLASH_ADDR], data);
1153 
1154         /*
1155          * When the DMA is on-going, the DMA registers are updated
1156          * with the current working addresses and length.
1157          */
1158         s->regs[R_DMA_CHECKSUM] += data;
1159         s->regs[R_DMA_FLASH_ADDR] += 4;
1160         s->regs[R_DMA_LEN] -= 4;
1161     }
1162 
1163     if (s->inject_failure && aspeed_smc_inject_read_failure(s)) {
1164         s->regs[R_DMA_CHECKSUM] = 0xbadc0de;
1165     }
1166 
1167 }
1168 
1169 static void aspeed_smc_dma_rw(AspeedSMCState *s)
1170 {
1171     MemTxResult result;
1172     uint32_t data;
1173 
1174     trace_aspeed_smc_dma_rw(s->regs[R_DMA_CTRL] & DMA_CTRL_WRITE ?
1175                             "write" : "read",
1176                             s->regs[R_DMA_FLASH_ADDR],
1177                             s->regs[R_DMA_DRAM_ADDR],
1178                             s->regs[R_DMA_LEN]);
1179     while (s->regs[R_DMA_LEN]) {
1180         if (s->regs[R_DMA_CTRL] & DMA_CTRL_WRITE) {
1181             data = address_space_ldl_le(&s->dram_as, s->regs[R_DMA_DRAM_ADDR],
1182                                         MEMTXATTRS_UNSPECIFIED, &result);
1183             if (result != MEMTX_OK) {
1184                 qemu_log_mask(LOG_GUEST_ERROR, "%s: DRAM read failed @%08x\n",
1185                               __func__, s->regs[R_DMA_DRAM_ADDR]);
1186                 return;
1187             }
1188 
1189             address_space_stl_le(&s->flash_as, s->regs[R_DMA_FLASH_ADDR],
1190                                  data, MEMTXATTRS_UNSPECIFIED, &result);
1191             if (result != MEMTX_OK) {
1192                 qemu_log_mask(LOG_GUEST_ERROR, "%s: Flash write failed @%08x\n",
1193                               __func__, s->regs[R_DMA_FLASH_ADDR]);
1194                 return;
1195             }
1196         } else {
1197             data = address_space_ldl_le(&s->flash_as, s->regs[R_DMA_FLASH_ADDR],
1198                                         MEMTXATTRS_UNSPECIFIED, &result);
1199             if (result != MEMTX_OK) {
1200                 qemu_log_mask(LOG_GUEST_ERROR, "%s: Flash read failed @%08x\n",
1201                               __func__, s->regs[R_DMA_FLASH_ADDR]);
1202                 return;
1203             }
1204 
1205             address_space_stl_le(&s->dram_as, s->regs[R_DMA_DRAM_ADDR],
1206                                  data, MEMTXATTRS_UNSPECIFIED, &result);
1207             if (result != MEMTX_OK) {
1208                 qemu_log_mask(LOG_GUEST_ERROR, "%s: DRAM write failed @%08x\n",
1209                               __func__, s->regs[R_DMA_DRAM_ADDR]);
1210                 return;
1211             }
1212         }
1213 
1214         /*
1215          * When the DMA is on-going, the DMA registers are updated
1216          * with the current working addresses and length.
1217          */
1218         s->regs[R_DMA_FLASH_ADDR] += 4;
1219         s->regs[R_DMA_DRAM_ADDR] += 4;
1220         s->regs[R_DMA_LEN] -= 4;
1221         s->regs[R_DMA_CHECKSUM] += data;
1222     }
1223 }
1224 
1225 static void aspeed_smc_dma_stop(AspeedSMCState *s)
1226 {
1227     /*
1228      * When the DMA is disabled, INTR_CTRL_DMA_STATUS=0 means the
1229      * engine is idle
1230      */
1231     s->regs[R_INTR_CTRL] &= ~INTR_CTRL_DMA_STATUS;
1232     s->regs[R_DMA_CHECKSUM] = 0;
1233 
1234     /*
1235      * Lower the DMA irq in any case. The IRQ control register could
1236      * have been cleared before disabling the DMA.
1237      */
1238     qemu_irq_lower(s->irq);
1239 }
1240 
1241 /*
1242  * When INTR_CTRL_DMA_STATUS=1, the DMA has completed and a new DMA
1243  * can start even if the result of the previous was not collected.
1244  */
1245 static bool aspeed_smc_dma_in_progress(AspeedSMCState *s)
1246 {
1247     return s->regs[R_DMA_CTRL] & DMA_CTRL_ENABLE &&
1248         !(s->regs[R_INTR_CTRL] & INTR_CTRL_DMA_STATUS);
1249 }
1250 
1251 static void aspeed_smc_dma_done(AspeedSMCState *s)
1252 {
1253     s->regs[R_INTR_CTRL] |= INTR_CTRL_DMA_STATUS;
1254     if (s->regs[R_INTR_CTRL] & INTR_CTRL_DMA_EN) {
1255         qemu_irq_raise(s->irq);
1256     }
1257 }
1258 
1259 static void aspeed_smc_dma_ctrl(AspeedSMCState *s, uint32_t dma_ctrl)
1260 {
1261     if (!(dma_ctrl & DMA_CTRL_ENABLE)) {
1262         s->regs[R_DMA_CTRL] = dma_ctrl;
1263 
1264         aspeed_smc_dma_stop(s);
1265         return;
1266     }
1267 
1268     if (aspeed_smc_dma_in_progress(s)) {
1269         qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA in progress\n",  __func__);
1270         return;
1271     }
1272 
1273     s->regs[R_DMA_CTRL] = dma_ctrl;
1274 
1275     if (s->regs[R_DMA_CTRL] & DMA_CTRL_CKSUM) {
1276         aspeed_smc_dma_checksum(s);
1277     } else {
1278         aspeed_smc_dma_rw(s);
1279     }
1280 
1281     aspeed_smc_dma_done(s);
1282 }
1283 
1284 static inline bool aspeed_smc_dma_granted(AspeedSMCState *s)
1285 {
1286     if (!(s->ctrl->features & ASPEED_SMC_FEATURE_DMA_GRANT)) {
1287         return true;
1288     }
1289 
1290     if (!(s->regs[R_DMA_CTRL] & DMA_CTRL_GRANT)) {
1291         qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA not granted\n",  __func__);
1292         return false;
1293     }
1294 
1295     return true;
1296 }
1297 
1298 static void aspeed_2600_smc_dma_ctrl(AspeedSMCState *s, uint32_t dma_ctrl)
1299 {
1300     /* Preserve DMA bits  */
1301     dma_ctrl |= s->regs[R_DMA_CTRL] & (DMA_CTRL_REQUEST | DMA_CTRL_GRANT);
1302 
1303     if (dma_ctrl == 0xAEED0000) {
1304         /* automatically grant request */
1305         s->regs[R_DMA_CTRL] |= (DMA_CTRL_REQUEST | DMA_CTRL_GRANT);
1306         return;
1307     }
1308 
1309     /* clear request */
1310     if (dma_ctrl == 0xDEEA0000) {
1311         s->regs[R_DMA_CTRL] &= ~(DMA_CTRL_REQUEST | DMA_CTRL_GRANT);
1312         return;
1313     }
1314 
1315     if (!aspeed_smc_dma_granted(s)) {
1316         qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA not granted\n",  __func__);
1317         return;
1318     }
1319 
1320     aspeed_smc_dma_ctrl(s, dma_ctrl);
1321     s->regs[R_DMA_CTRL] &= ~(DMA_CTRL_REQUEST | DMA_CTRL_GRANT);
1322 }
1323 
1324 static void aspeed_smc_write(void *opaque, hwaddr addr, uint64_t data,
1325                              unsigned int size)
1326 {
1327     AspeedSMCState *s = ASPEED_SMC(opaque);
1328     uint32_t value = data;
1329 
1330     addr >>= 2;
1331 
1332     trace_aspeed_smc_write(addr, size, data);
1333 
1334     if (addr == s->r_conf ||
1335         (addr >= s->r_timings &&
1336          addr < s->r_timings + s->ctrl->nregs_timings) ||
1337         addr == s->r_ce_ctrl) {
1338         s->regs[addr] = value;
1339     } else if (addr >= s->r_ctrl0 && addr < s->r_ctrl0 + s->num_cs) {
1340         int cs = addr - s->r_ctrl0;
1341         aspeed_smc_flash_update_ctrl(&s->flashes[cs], value);
1342     } else if (addr >= R_SEG_ADDR0 &&
1343                addr < R_SEG_ADDR0 + s->ctrl->max_peripherals) {
1344         int cs = addr - R_SEG_ADDR0;
1345 
1346         if (value != s->regs[R_SEG_ADDR0 + cs]) {
1347             aspeed_smc_flash_set_segment(s, cs, value);
1348         }
1349     } else if (addr == R_CE_CMD_CTRL) {
1350         s->regs[addr] = value & 0xff;
1351     } else if (addr == R_DUMMY_DATA) {
1352         s->regs[addr] = value & 0xff;
1353     } else if (addr == R_INTR_CTRL) {
1354         s->regs[addr] = value;
1355     } else if (aspeed_smc_has_dma(s) && addr == R_DMA_CTRL) {
1356         s->ctrl->dma_ctrl(s, value);
1357     } else if (aspeed_smc_has_dma(s) && addr == R_DMA_DRAM_ADDR &&
1358                aspeed_smc_dma_granted(s)) {
1359         s->regs[addr] = DMA_DRAM_ADDR(s, value);
1360     } else if (aspeed_smc_has_dma(s) && addr == R_DMA_FLASH_ADDR &&
1361                aspeed_smc_dma_granted(s)) {
1362         s->regs[addr] = DMA_FLASH_ADDR(s, value);
1363     } else if (aspeed_smc_has_dma(s) && addr == R_DMA_LEN &&
1364                aspeed_smc_dma_granted(s)) {
1365         s->regs[addr] = DMA_LENGTH(value);
1366     } else {
1367         qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\n",
1368                       __func__, addr);
1369         return;
1370     }
1371 }
1372 
1373 static const MemoryRegionOps aspeed_smc_ops = {
1374     .read = aspeed_smc_read,
1375     .write = aspeed_smc_write,
1376     .endianness = DEVICE_LITTLE_ENDIAN,
1377 };
1378 
1379 /*
1380  * Initialize the custom address spaces for DMAs
1381  */
1382 static void aspeed_smc_dma_setup(AspeedSMCState *s, Error **errp)
1383 {
1384     char *name;
1385 
1386     if (!s->dram_mr) {
1387         error_setg(errp, TYPE_ASPEED_SMC ": 'dram' link not set");
1388         return;
1389     }
1390 
1391     name = g_strdup_printf("%s-dma-flash", s->ctrl->name);
1392     address_space_init(&s->flash_as, &s->mmio_flash, name);
1393     g_free(name);
1394 
1395     name = g_strdup_printf("%s-dma-dram", s->ctrl->name);
1396     address_space_init(&s->dram_as, s->dram_mr, name);
1397     g_free(name);
1398 }
1399 
1400 static void aspeed_smc_realize(DeviceState *dev, Error **errp)
1401 {
1402     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1403     AspeedSMCState *s = ASPEED_SMC(dev);
1404     AspeedSMCClass *mc = ASPEED_SMC_GET_CLASS(s);
1405     int i;
1406     char name[32];
1407     hwaddr offset = 0;
1408 
1409     s->ctrl = mc->ctrl;
1410 
1411     /* keep a copy under AspeedSMCState to speed up accesses */
1412     s->r_conf = s->ctrl->r_conf;
1413     s->r_ce_ctrl = s->ctrl->r_ce_ctrl;
1414     s->r_ctrl0 = s->ctrl->r_ctrl0;
1415     s->r_timings = s->ctrl->r_timings;
1416     s->conf_enable_w0 = s->ctrl->conf_enable_w0;
1417 
1418     /* Enforce some real HW limits */
1419     if (s->num_cs > s->ctrl->max_peripherals) {
1420         qemu_log_mask(LOG_GUEST_ERROR, "%s: num_cs cannot exceed: %d\n",
1421                       __func__, s->ctrl->max_peripherals);
1422         s->num_cs = s->ctrl->max_peripherals;
1423     }
1424 
1425     /* DMA irq. Keep it first for the initialization in the SoC */
1426     sysbus_init_irq(sbd, &s->irq);
1427 
1428     s->spi = ssi_create_bus(dev, "spi");
1429 
1430     /* Setup cs_lines for peripherals */
1431     s->cs_lines = g_new0(qemu_irq, s->num_cs);
1432 
1433     for (i = 0; i < s->num_cs; ++i) {
1434         sysbus_init_irq(sbd, &s->cs_lines[i]);
1435     }
1436 
1437     /* The memory region for the controller registers */
1438     memory_region_init_io(&s->mmio, OBJECT(s), &aspeed_smc_ops, s,
1439                           s->ctrl->name, s->ctrl->nregs * 4);
1440     sysbus_init_mmio(sbd, &s->mmio);
1441 
1442     /*
1443      * The container memory region representing the address space
1444      * window in which the flash modules are mapped. The size and
1445      * address depends on the SoC model and controller type.
1446      */
1447     snprintf(name, sizeof(name), "%s.flash", s->ctrl->name);
1448 
1449     memory_region_init_io(&s->mmio_flash, OBJECT(s),
1450                           &aspeed_smc_flash_default_ops, s, name,
1451                           s->ctrl->flash_window_size);
1452     memory_region_init_alias(&s->mmio_flash_alias, OBJECT(s), name,
1453                              &s->mmio_flash, 0, s->ctrl->flash_window_size);
1454     sysbus_init_mmio(sbd, &s->mmio_flash_alias);
1455 
1456     s->flashes = g_new0(AspeedSMCFlash, s->ctrl->max_peripherals);
1457 
1458     /*
1459      * Let's create a sub memory region for each possible peripheral. All
1460      * have a configurable memory segment in the overall flash mapping
1461      * window of the controller but, there is not necessarily a flash
1462      * module behind to handle the memory accesses. This depends on
1463      * the board configuration.
1464      */
1465     for (i = 0; i < s->ctrl->max_peripherals; ++i) {
1466         AspeedSMCFlash *fl = &s->flashes[i];
1467 
1468         snprintf(name, sizeof(name), "%s.%d", s->ctrl->name, i);
1469 
1470         fl->id = i;
1471         fl->controller = s;
1472         fl->size = s->ctrl->segments[i].size;
1473         memory_region_init_io(&fl->mmio, OBJECT(s), &aspeed_smc_flash_ops,
1474                               fl, name, fl->size);
1475         memory_region_add_subregion(&s->mmio_flash, offset, &fl->mmio);
1476         offset += fl->size;
1477     }
1478 
1479     /* DMA support */
1480     if (aspeed_smc_has_dma(s)) {
1481         aspeed_smc_dma_setup(s, errp);
1482     }
1483 }
1484 
1485 static const VMStateDescription vmstate_aspeed_smc = {
1486     .name = "aspeed.smc",
1487     .version_id = 2,
1488     .minimum_version_id = 2,
1489     .fields = (VMStateField[]) {
1490         VMSTATE_UINT32_ARRAY(regs, AspeedSMCState, ASPEED_SMC_R_MAX),
1491         VMSTATE_UINT8(snoop_index, AspeedSMCState),
1492         VMSTATE_UINT8(snoop_dummies, AspeedSMCState),
1493         VMSTATE_END_OF_LIST()
1494     }
1495 };
1496 
1497 static Property aspeed_smc_properties[] = {
1498     DEFINE_PROP_UINT32("num-cs", AspeedSMCState, num_cs, 1),
1499     DEFINE_PROP_BOOL("inject-failure", AspeedSMCState, inject_failure, false),
1500     DEFINE_PROP_LINK("dram", AspeedSMCState, dram_mr,
1501                      TYPE_MEMORY_REGION, MemoryRegion *),
1502     DEFINE_PROP_END_OF_LIST(),
1503 };
1504 
1505 static void aspeed_smc_class_init(ObjectClass *klass, void *data)
1506 {
1507     DeviceClass *dc = DEVICE_CLASS(klass);
1508     AspeedSMCClass *mc = ASPEED_SMC_CLASS(klass);
1509 
1510     dc->realize = aspeed_smc_realize;
1511     dc->reset = aspeed_smc_reset;
1512     device_class_set_props(dc, aspeed_smc_properties);
1513     dc->vmsd = &vmstate_aspeed_smc;
1514     mc->ctrl = data;
1515 }
1516 
1517 static const TypeInfo aspeed_smc_info = {
1518     .name           = TYPE_ASPEED_SMC,
1519     .parent         = TYPE_SYS_BUS_DEVICE,
1520     .instance_size  = sizeof(AspeedSMCState),
1521     .class_size     = sizeof(AspeedSMCClass),
1522     .abstract       = true,
1523 };
1524 
1525 static void aspeed_smc_register_types(void)
1526 {
1527     int i;
1528 
1529     type_register_static(&aspeed_smc_info);
1530     for (i = 0; i < ARRAY_SIZE(controllers); ++i) {
1531         TypeInfo ti = {
1532             .name       = controllers[i].name,
1533             .parent     = TYPE_ASPEED_SMC,
1534             .class_init = aspeed_smc_class_init,
1535             .class_data = (void *)&controllers[i],
1536         };
1537         type_register(&ti);
1538     }
1539 }
1540 
1541 type_init(aspeed_smc_register_types)
1542