search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
qapi: Improve specificity of type/member descriptions
[qemu/armbru.git] / hw / sd / sd.c
blob77a717d35507a7b03853093e15fc21eb07c77410
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
48 #include "qemu/log.h"
49 #include "qemu/module.h"
50 #include "sdmmc-internal.h"
51 #include "trace.h"
52
53 //#define DEBUG_SD 1
54
55 #define SDSC_MAX_CAPACITY (2 * GiB)
56
57 #define INVALID_ADDRESS UINT32_MAX
58
59 typedef enum {
60 sd_r0 = 0, /* no response */
61 sd_r1, /* normal response command */
62 sd_r2_i, /* CID register */
63 sd_r2_s, /* CSD register */
64 sd_r3, /* OCR register */
65 sd_r6 = 6, /* Published RCA response */
66 sd_r7, /* Operating voltage */
67 sd_r1b = -1,
68 sd_illegal = -2,
69 } sd_rsp_type_t;
70
71 enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75 };
76
77 enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state,
81 sd_identification_state,
82 sd_standby_state,
83 sd_transfer_state,
84 sd_sendingdata_state,
85 sd_receivingdata_state,
86 sd_programming_state,
87 sd_disconnect_state,
88 };
89
90 struct SDState {
91 DeviceState parent_obj;
92
93 /* If true, created by sd_init() for a non-qdevified caller */
94 /* TODO purge them with fire */
95 bool me_no_qdev_me_kill_mammoth_with_rocks;
96
97 /* SD Memory Card Registers */
98 uint32_t ocr;
99 uint8_t scr[8];
100 uint8_t cid[16];
101 uint8_t csd[16];
102 uint16_t rca;
103 uint32_t card_status;
104 uint8_t sd_status[64];
105
106 /* Static properties */
107
108 uint8_t spec_version;
109 BlockBackend *blk;
110 bool spi;
111
112 /* Runtime changeables */
113
114 uint32_t mode; /* current card mode, one of SDCardModes */
115 int32_t state; /* current card state, one of SDCardStates */
116 uint32_t vhs;
117 bool wp_switch;
118 unsigned long *wp_group_bmap;
119 int32_t wp_group_bits;
120 uint64_t size;
121 uint32_t blk_len;
122 uint32_t multi_blk_cnt;
123 uint32_t erase_start;
124 uint32_t erase_end;
125 uint8_t pwd[16];
126 uint32_t pwd_len;
127 uint8_t function_group[6];
128 uint8_t current_cmd;
129 /* True if we will handle the next command as an ACMD. Note that this does
130 * *not* track the APP_CMD status bit!
131 */
132 bool expecting_acmd;
133 uint32_t blk_written;
134 uint64_t data_start;
135 uint32_t data_offset;
136 uint8_t data[512];
137 qemu_irq readonly_cb;
138 qemu_irq inserted_cb;
139 QEMUTimer *ocr_power_timer;
140 const char *proto_name;
141 bool enable;
142 uint8_t dat_lines;
143 bool cmd_line;
144 };
145
146 static void sd_realize(DeviceState *dev, Error **errp);
147
148 static const char *sd_state_name(enum SDCardStates state)
149 {
150 static const char *state_name[] = {
151 [sd_idle_state] = "idle",
152 [sd_ready_state] = "ready",
153 [sd_identification_state] = "identification",
154 [sd_standby_state] = "standby",
155 [sd_transfer_state] = "transfer",
156 [sd_sendingdata_state] = "sendingdata",
157 [sd_receivingdata_state] = "receivingdata",
158 [sd_programming_state] = "programming",
159 [sd_disconnect_state] = "disconnect",
160 };
161 if (state == sd_inactive_state) {
162 return "inactive";
163 }
164 assert(state < ARRAY_SIZE(state_name));
165 return state_name[state];
166 }
167
168 static const char *sd_response_name(sd_rsp_type_t rsp)
169 {
170 static const char *response_name[] = {
171 [sd_r0] = "RESP#0 (no response)",
172 [sd_r1] = "RESP#1 (normal cmd)",
173 [sd_r2_i] = "RESP#2 (CID reg)",
174 [sd_r2_s] = "RESP#2 (CSD reg)",
175 [sd_r3] = "RESP#3 (OCR reg)",
176 [sd_r6] = "RESP#6 (RCA)",
177 [sd_r7] = "RESP#7 (operating voltage)",
178 };
179 if (rsp == sd_illegal) {
180 return "ILLEGAL RESP";
181 }
182 if (rsp == sd_r1b) {
183 rsp = sd_r1;
184 }
185 assert(rsp < ARRAY_SIZE(response_name));
186 return response_name[rsp];
187 }
188
189 static uint8_t sd_get_dat_lines(SDState *sd)
190 {
191 return sd->enable ? sd->dat_lines : 0;
192 }
193
194 static bool sd_get_cmd_line(SDState *sd)
195 {
196 return sd->enable ? sd->cmd_line : false;
197 }
198
199 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
200 {
201 trace_sdcard_set_voltage(millivolts);
202
203 switch (millivolts) {
204 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
205 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
206 break;
207 default:
208 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
209 millivolts / 1000.f);
210 }
211 }
212
213 static void sd_set_mode(SDState *sd)
214 {
215 switch (sd->state) {
216 case sd_inactive_state:
217 sd->mode = sd_inactive;
218 break;
219
220 case sd_idle_state:
221 case sd_ready_state:
222 case sd_identification_state:
223 sd->mode = sd_card_identification_mode;
224 break;
225
226 case sd_standby_state:
227 case sd_transfer_state:
228 case sd_sendingdata_state:
229 case sd_receivingdata_state:
230 case sd_programming_state:
231 case sd_disconnect_state:
232 sd->mode = sd_data_transfer_mode;
233 break;
234 }
235 }
236
237 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
238 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
239 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
240 /* 16 */
241 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
242 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
243 /* 32 */
244 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
245 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
246 /* 48 */
247 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
248 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
249 };
250
251 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
252 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
253 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
254 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
255 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
256 };
257
258 static uint8_t sd_crc7(const void *message, size_t width)
259 {
260 int i, bit;
261 uint8_t shift_reg = 0x00;
262 const uint8_t *msg = (const uint8_t *)message;
263
264 for (i = 0; i < width; i ++, msg ++)
265 for (bit = 7; bit >= 0; bit --) {
266 shift_reg <<= 1;
267 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
268 shift_reg ^= 0x89;
269 }
270
271 return shift_reg;
272 }
273
274 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
275
276 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
277 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
278 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
279 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
280 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
281 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
282 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
283 FIELD(OCR, CARD_POWER_UP, 31, 1)
284
285 #define ACMD41_ENQUIRY_MASK 0x00ffffff
286 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
287 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
288 | R_OCR_UHS_II_CARD_MASK \
289 | R_OCR_CARD_CAPACITY_MASK \
290 | R_OCR_CARD_POWER_UP_MASK)
291
292 static void sd_ocr_powerup(void *opaque)
293 {
294 SDState *sd = opaque;
295
296 trace_sdcard_powerup();
297 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
298
299 /* card power-up OK */
300 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
301
302 if (sd->size > SDSC_MAX_CAPACITY) {
303 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
304 }
305 }
306
307 static void sd_set_ocr(SDState *sd)
308 {
309 /* All voltages OK */
310 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
311
312 if (sd->spi) {
313 /*
314 * We don't need to emulate power up sequence in SPI-mode.
315 * Thus, the card's power up status bit should be set to 1 when reset.
316 * The card's capacity status bit should also be set if SD card size
317 * is larger than 2GB for SDHC support.
318 */
319 sd_ocr_powerup(sd);
320 }
321 }
322
323 static void sd_set_scr(SDState *sd)
324 {
325 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
326 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
327 sd->scr[0] |= 1; /* Spec Version 1.10 */
328 } else {
329 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
330 }
331 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
332 | 0b0101; /* 1-bit or 4-bit width bus modes */
333 sd->scr[2] = 0x00; /* Extended Security is not supported. */
334 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
335 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
336 }
337 sd->scr[3] = 0x00;
338 /* reserved for manufacturer usage */
339 sd->scr[4] = 0x00;
340 sd->scr[5] = 0x00;
341 sd->scr[6] = 0x00;
342 sd->scr[7] = 0x00;
343 }
344
345 #define MID 0xaa
346 #define OID "XY"
347 #define PNM "QEMU!"
348 #define PRV 0x01
349 #define MDT_YR 2006
350 #define MDT_MON 2
351
352 static void sd_set_cid(SDState *sd)
353 {
354 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
355 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
356 sd->cid[2] = OID[1];
357 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
358 sd->cid[4] = PNM[1];
359 sd->cid[5] = PNM[2];
360 sd->cid[6] = PNM[3];
361 sd->cid[7] = PNM[4];
362 sd->cid[8] = PRV; /* Fake product revision (PRV) */
363 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
364 sd->cid[10] = 0xad;
365 sd->cid[11] = 0xbe;
366 sd->cid[12] = 0xef;
367 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
368 ((MDT_YR - 2000) / 10);
369 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
370 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
371 }
372
373 #define HWBLOCK_SHIFT 9 /* 512 bytes */
374 #define SECTOR_SHIFT 5 /* 16 kilobytes */
375 #define WPGROUP_SHIFT 7 /* 2 megs */
376 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
377 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
378
379 static const uint8_t sd_csd_rw_mask[16] = {
380 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
382 };
383
384 static void sd_set_csd(SDState *sd, uint64_t size)
385 {
386 int hwblock_shift = HWBLOCK_SHIFT;
387 uint32_t csize;
388 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
389 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
390
391 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
392 if (size == SDSC_MAX_CAPACITY) {
393 hwblock_shift += 1;
394 }
395 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
396
397 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
398 sd->csd[0] = 0x00; /* CSD structure */
399 sd->csd[1] = 0x26; /* Data read access-time-1 */
400 sd->csd[2] = 0x00; /* Data read access-time-2 */
401 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
402 sd->csd[4] = 0x5f; /* Card Command Classes */
403 sd->csd[5] = 0x50 | /* Max. read data block length */
404 hwblock_shift;
405 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
406 ((csize >> 10) & 0x03);
407 sd->csd[7] = 0x00 | /* Device size */
408 ((csize >> 2) & 0xff);
409 sd->csd[8] = 0x3f | /* Max. read current */
410 ((csize << 6) & 0xc0);
411 sd->csd[9] = 0xfc | /* Max. write current */
412 ((CMULT_SHIFT - 2) >> 1);
413 sd->csd[10] = 0x40 | /* Erase sector size */
414 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
415 sd->csd[11] = 0x00 | /* Write protect group size */
416 ((sectsize << 7) & 0x80) | wpsize;
417 sd->csd[12] = 0x90 | /* Write speed factor */
418 (hwblock_shift >> 2);
419 sd->csd[13] = 0x20 | /* Max. write data block length */
420 ((hwblock_shift << 6) & 0xc0);
421 sd->csd[14] = 0x00; /* File format group */
422 } else { /* SDHC */
423 size /= 512 * KiB;
424 size -= 1;
425 sd->csd[0] = 0x40;
426 sd->csd[1] = 0x0e;
427 sd->csd[2] = 0x00;
428 sd->csd[3] = 0x32;
429 sd->csd[4] = 0x5b;
430 sd->csd[5] = 0x59;
431 sd->csd[6] = 0x00;
432 sd->csd[7] = (size >> 16) & 0xff;
433 sd->csd[8] = (size >> 8) & 0xff;
434 sd->csd[9] = (size & 0xff);
435 sd->csd[10] = 0x7f;
436 sd->csd[11] = 0x80;
437 sd->csd[12] = 0x0a;
438 sd->csd[13] = 0x40;
439 sd->csd[14] = 0x00;
440 }
441 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
442 }
443
444 static void sd_set_rca(SDState *sd)
445 {
446 sd->rca += 0x4567;
447 }
448
449 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
450 FIELD(CSR, APP_CMD, 5, 1)
451 FIELD(CSR, FX_EVENT, 6, 1)
452 FIELD(CSR, READY_FOR_DATA, 8, 1)
453 FIELD(CSR, CURRENT_STATE, 9, 4)
454 FIELD(CSR, ERASE_RESET, 13, 1)
455 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
456 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
457 FIELD(CSR, CSD_OVERWRITE, 16, 1)
458 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
459 FIELD(CSR, ERROR, 19, 1)
460 FIELD(CSR, CC_ERROR, 20, 1)
461 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
462 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
463 FIELD(CSR, COM_CRC_ERROR, 23, 1)
464 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
465 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
466 FIELD(CSR, WP_VIOLATION, 26, 1)
467 FIELD(CSR, ERASE_PARAM, 27, 1)
468 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
469 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
470 FIELD(CSR, ADDRESS_ERROR, 30, 1)
471 FIELD(CSR, OUT_OF_RANGE, 31, 1)
472
473 /* Card status bits, split by clear condition:
474 * A : According to the card current state
475 * B : Always related to the previous command
476 * C : Cleared by read
477 */
478 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
479 | R_CSR_CARD_ECC_DISABLED_MASK \
480 | R_CSR_CARD_IS_LOCKED_MASK)
481 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
482 | R_CSR_ILLEGAL_COMMAND_MASK \
483 | R_CSR_COM_CRC_ERROR_MASK)
484 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
485 | R_CSR_APP_CMD_MASK \
486 | R_CSR_ERASE_RESET_MASK \
487 | R_CSR_WP_ERASE_SKIP_MASK \
488 | R_CSR_CSD_OVERWRITE_MASK \
489 | R_CSR_ERROR_MASK \
490 | R_CSR_CC_ERROR_MASK \
491 | R_CSR_CARD_ECC_FAILED_MASK \
492 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
493 | R_CSR_WP_VIOLATION_MASK \
494 | R_CSR_ERASE_PARAM_MASK \
495 | R_CSR_ERASE_SEQ_ERROR_MASK \
496 | R_CSR_BLOCK_LEN_ERROR_MASK \
497 | R_CSR_ADDRESS_ERROR_MASK \
498 | R_CSR_OUT_OF_RANGE_MASK)
499
500 static void sd_set_cardstatus(SDState *sd)
501 {
502 sd->card_status = 0x00000100;
503 }
504
505 static void sd_set_sdstatus(SDState *sd)
506 {
507 memset(sd->sd_status, 0, 64);
508 }
509
510 static int sd_req_crc_validate(SDRequest *req)
511 {
512 uint8_t buffer[5];
513 buffer[0] = 0x40 | req->cmd;
514 stl_be_p(&buffer[1], req->arg);
515 return 0;
516 return sd_crc7(buffer, 5) != req->crc; /* TODO */
517 }
518
519 static void sd_response_r1_make(SDState *sd, uint8_t *response)
520 {
521 stl_be_p(response, sd->card_status);
522
523 /* Clear the "clear on read" status bits */
524 sd->card_status &= ~CARD_STATUS_C;
525 }
526
527 static void sd_response_r3_make(SDState *sd, uint8_t *response)
528 {
529 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
530 }
531
532 static void sd_response_r6_make(SDState *sd, uint8_t *response)
533 {
534 uint16_t status;
535
536 status = ((sd->card_status >> 8) & 0xc000) |
537 ((sd->card_status >> 6) & 0x2000) |
538 (sd->card_status & 0x1fff);
539 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
540 stw_be_p(response + 0, sd->rca);
541 stw_be_p(response + 2, status);
542 }
543
544 static void sd_response_r7_make(SDState *sd, uint8_t *response)
545 {
546 stl_be_p(response, sd->vhs);
547 }
548
549 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
550 {
551 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
552 }
553
554 static void sd_reset(DeviceState *dev)
555 {
556 SDState *sd = SD_CARD(dev);
557 uint64_t size;
558 uint64_t sect;
559
560 trace_sdcard_reset();
561 if (sd->blk) {
562 blk_get_geometry(sd->blk, &sect);
563 } else {
564 sect = 0;
565 }
566 size = sect << 9;
567
568 sect = sd_addr_to_wpnum(size) + 1;
569
570 sd->state = sd_idle_state;
571 sd->rca = 0x0000;
572 sd->size = size;
573 sd_set_ocr(sd);
574 sd_set_scr(sd);
575 sd_set_cid(sd);
576 sd_set_csd(sd, size);
577 sd_set_cardstatus(sd);
578 sd_set_sdstatus(sd);
579
580 g_free(sd->wp_group_bmap);
581 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
582 sd->wp_group_bits = sect;
583 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
584 memset(sd->function_group, 0, sizeof(sd->function_group));
585 sd->erase_start = INVALID_ADDRESS;
586 sd->erase_end = INVALID_ADDRESS;
587 sd->blk_len = 0x200;
588 sd->pwd_len = 0;
589 sd->expecting_acmd = false;
590 sd->dat_lines = 0xf;
591 sd->cmd_line = true;
592 sd->multi_blk_cnt = 0;
593 }
594
595 static bool sd_get_inserted(SDState *sd)
596 {
597 return sd->blk && blk_is_inserted(sd->blk);
598 }
599
600 static bool sd_get_readonly(SDState *sd)
601 {
602 return sd->wp_switch;
603 }
604
605 static void sd_cardchange(void *opaque, bool load, Error **errp)
606 {
607 SDState *sd = opaque;
608 DeviceState *dev = DEVICE(sd);
609 SDBus *sdbus;
610 bool inserted = sd_get_inserted(sd);
611 bool readonly = sd_get_readonly(sd);
612
613 if (inserted) {
614 trace_sdcard_inserted(readonly);
615 sd_reset(dev);
616 } else {
617 trace_sdcard_ejected();
618 }
619
620 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
621 qemu_set_irq(sd->inserted_cb, inserted);
622 if (inserted) {
623 qemu_set_irq(sd->readonly_cb, readonly);
624 }
625 } else {
626 sdbus = SD_BUS(qdev_get_parent_bus(dev));
627 sdbus_set_inserted(sdbus, inserted);
628 if (inserted) {
629 sdbus_set_readonly(sdbus, readonly);
630 }
631 }
632 }
633
634 static const BlockDevOps sd_block_ops = {
635 .change_media_cb = sd_cardchange,
636 };
637
638 static bool sd_ocr_vmstate_needed(void *opaque)
639 {
640 SDState *sd = opaque;
641
642 /* Include the OCR state (and timer) if it is not yet powered up */
643 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
644 }
645
646 static const VMStateDescription sd_ocr_vmstate = {
647 .name = "sd-card/ocr-state",
648 .version_id = 1,
649 .minimum_version_id = 1,
650 .needed = sd_ocr_vmstate_needed,
651 .fields = (VMStateField[]) {
652 VMSTATE_UINT32(ocr, SDState),
653 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
654 VMSTATE_END_OF_LIST()
655 },
656 };
657
658 static int sd_vmstate_pre_load(void *opaque)
659 {
660 SDState *sd = opaque;
661
662 /* If the OCR state is not included (prior versions, or not
663 * needed), then the OCR must be set as powered up. If the OCR state
664 * is included, this will be replaced by the state restore.
665 */
666 sd_ocr_powerup(sd);
667
668 return 0;
669 }
670
671 static const VMStateDescription sd_vmstate = {
672 .name = "sd-card",
673 .version_id = 2,
674 .minimum_version_id = 2,
675 .pre_load = sd_vmstate_pre_load,
676 .fields = (VMStateField[]) {
677 VMSTATE_UINT32(mode, SDState),
678 VMSTATE_INT32(state, SDState),
679 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
680 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
681 VMSTATE_UINT16(rca, SDState),
682 VMSTATE_UINT32(card_status, SDState),
683 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
684 VMSTATE_UINT32(vhs, SDState),
685 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
686 VMSTATE_UINT32(blk_len, SDState),
687 VMSTATE_UINT32(multi_blk_cnt, SDState),
688 VMSTATE_UINT32(erase_start, SDState),
689 VMSTATE_UINT32(erase_end, SDState),
690 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
691 VMSTATE_UINT32(pwd_len, SDState),
692 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
693 VMSTATE_UINT8(current_cmd, SDState),
694 VMSTATE_BOOL(expecting_acmd, SDState),
695 VMSTATE_UINT32(blk_written, SDState),
696 VMSTATE_UINT64(data_start, SDState),
697 VMSTATE_UINT32(data_offset, SDState),
698 VMSTATE_UINT8_ARRAY(data, SDState, 512),
699 VMSTATE_UNUSED_V(1, 512),
700 VMSTATE_BOOL(enable, SDState),
701 VMSTATE_END_OF_LIST()
702 },
703 .subsections = (const VMStateDescription*[]) {
704 &sd_ocr_vmstate,
705 NULL
706 },
707 };
708
709 /* Legacy initialization function for use by non-qdevified callers */
710 SDState *sd_init(BlockBackend *blk, bool is_spi)
711 {
712 Object *obj;
713 DeviceState *dev;
714 SDState *sd;
715 Error *err = NULL;
716
717 obj = object_new(TYPE_SD_CARD);
718 dev = DEVICE(obj);
719 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
720 error_reportf_err(err, "sd_init failed: ");
721 return NULL;
722 }
723 qdev_prop_set_bit(dev, "spi", is_spi);
724
725 /*
726 * Realizing the device properly would put it into the QOM
727 * composition tree even though it is not plugged into an
728 * appropriate bus. That's a no-no. Hide the device from
729 * QOM/qdev, and call its qdev realize callback directly.
730 */
731 object_ref(obj);
732 object_unparent(obj);
733 sd_realize(dev, &err);
734 if (err) {
735 error_reportf_err(err, "sd_init failed: ");
736 return NULL;
737 }
738
739 sd = SD_CARD(dev);
740 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
741 return sd;
742 }
743
744 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
745 {
746 sd->readonly_cb = readonly;
747 sd->inserted_cb = insert;
748 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
749 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
750 }
751
752 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
753 {
754 trace_sdcard_read_block(addr, len);
755 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
756 fprintf(stderr, "sd_blk_read: read error on host side\n");
757 }
758 }
759
760 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
761 {
762 trace_sdcard_write_block(addr, len);
763 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
764 fprintf(stderr, "sd_blk_write: write error on host side\n");
765 }
766 }
767
768 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
769 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
770 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
771 #define APP_WRITE_BLOCK(a, len)
772
773 static void sd_erase(SDState *sd)
774 {
775 uint64_t erase_start = sd->erase_start;
776 uint64_t erase_end = sd->erase_end;
777 bool sdsc = true;
778 uint64_t wpnum;
779 uint64_t erase_addr;
780 int erase_len = 1 << HWBLOCK_SHIFT;
781
782 trace_sdcard_erase(sd->erase_start, sd->erase_end);
783 if (sd->erase_start == INVALID_ADDRESS
784 || sd->erase_end == INVALID_ADDRESS) {
785 sd->card_status |= ERASE_SEQ_ERROR;
786 sd->erase_start = INVALID_ADDRESS;
787 sd->erase_end = INVALID_ADDRESS;
788 return;
789 }
790
791 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
792 /* High capacity memory card: erase units are 512 byte blocks */
793 erase_start *= 512;
794 erase_end *= 512;
795 sdsc = false;
796 }
797
798 if (erase_start > sd->size || erase_end > sd->size) {
799 sd->card_status |= OUT_OF_RANGE;
800 sd->erase_start = INVALID_ADDRESS;
801 sd->erase_end = INVALID_ADDRESS;
802 return;
803 }
804
805 sd->erase_start = INVALID_ADDRESS;
806 sd->erase_end = INVALID_ADDRESS;
807 sd->csd[14] |= 0x40;
808
809 memset(sd->data, 0xff, erase_len);
810 for (erase_addr = erase_start; erase_addr <= erase_end;
811 erase_addr += erase_len) {
812 if (sdsc) {
813 /* Only SDSC cards support write protect groups */
814 wpnum = sd_addr_to_wpnum(erase_addr);
815 assert(wpnum < sd->wp_group_bits);
816 if (test_bit(wpnum, sd->wp_group_bmap)) {
817 sd->card_status |= WP_ERASE_SKIP;
818 continue;
819 }
820 }
821 BLK_WRITE_BLOCK(erase_addr, erase_len);
822 }
823 }
824
825 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
826 {
827 uint32_t i, wpnum;
828 uint32_t ret = 0;
829
830 wpnum = sd_addr_to_wpnum(addr);
831
832 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
833 if (addr >= sd->size) {
834 /*
835 * If the addresses of the last groups are outside the valid range,
836 * then the corresponding write protection bits shall be set to 0.
837 */
838 continue;
839 }
840 assert(wpnum < sd->wp_group_bits);
841 if (test_bit(wpnum, sd->wp_group_bmap)) {
842 ret |= (1 << i);
843 }
844 }
845
846 return ret;
847 }
848
849 static void sd_function_switch(SDState *sd, uint32_t arg)
850 {
851 int i, mode, new_func;
852 mode = !!(arg & 0x80000000);
853
854 sd->data[0] = 0x00; /* Maximum current consumption */
855 sd->data[1] = 0x01;
856 sd->data[2] = 0x80; /* Supported group 6 functions */
857 sd->data[3] = 0x01;
858 sd->data[4] = 0x80; /* Supported group 5 functions */
859 sd->data[5] = 0x01;
860 sd->data[6] = 0x80; /* Supported group 4 functions */
861 sd->data[7] = 0x01;
862 sd->data[8] = 0x80; /* Supported group 3 functions */
863 sd->data[9] = 0x01;
864 sd->data[10] = 0x80; /* Supported group 2 functions */
865 sd->data[11] = 0x43;
866 sd->data[12] = 0x80; /* Supported group 1 functions */
867 sd->data[13] = 0x03;
868
869 memset(&sd->data[14], 0, 3);
870 for (i = 0; i < 6; i ++) {
871 new_func = (arg >> (i * 4)) & 0x0f;
872 if (mode && new_func != 0x0f)
873 sd->function_group[i] = new_func;
874 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
875 }
876 memset(&sd->data[17], 0, 47);
877 }
878
879 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
880 {
881 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
882 }
883
884 static void sd_lock_command(SDState *sd)
885 {
886 int erase, lock, clr_pwd, set_pwd, pwd_len;
887 erase = !!(sd->data[0] & 0x08);
888 lock = sd->data[0] & 0x04;
889 clr_pwd = sd->data[0] & 0x02;
890 set_pwd = sd->data[0] & 0x01;
891
892 if (sd->blk_len > 1)
893 pwd_len = sd->data[1];
894 else
895 pwd_len = 0;
896
897 if (lock) {
898 trace_sdcard_lock();
899 } else {
900 trace_sdcard_unlock();
901 }
902 if (erase) {
903 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
904 set_pwd || clr_pwd || lock || sd->wp_switch ||
905 (sd->csd[14] & 0x20)) {
906 sd->card_status |= LOCK_UNLOCK_FAILED;
907 return;
908 }
909 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
910 sd->csd[14] &= ~0x10;
911 sd->card_status &= ~CARD_IS_LOCKED;
912 sd->pwd_len = 0;
913 /* Erasing the entire card here! */
914 fprintf(stderr, "SD: Card force-erased by CMD42\n");
915 return;
916 }
917
918 if (sd->blk_len < 2 + pwd_len ||
919 pwd_len <= sd->pwd_len ||
920 pwd_len > sd->pwd_len + 16) {
921 sd->card_status |= LOCK_UNLOCK_FAILED;
922 return;
923 }
924
925 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
926 sd->card_status |= LOCK_UNLOCK_FAILED;
927 return;
928 }
929
930 pwd_len -= sd->pwd_len;
931 if ((pwd_len && !set_pwd) ||
932 (clr_pwd && (set_pwd || lock)) ||
933 (lock && !sd->pwd_len && !set_pwd) ||
934 (!set_pwd && !clr_pwd &&
935 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
936 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
937 sd->card_status |= LOCK_UNLOCK_FAILED;
938 return;
939 }
940
941 if (set_pwd) {
942 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
943 sd->pwd_len = pwd_len;
944 }
945
946 if (clr_pwd) {
947 sd->pwd_len = 0;
948 }
949
950 if (lock)
951 sd->card_status |= CARD_IS_LOCKED;
952 else
953 sd->card_status &= ~CARD_IS_LOCKED;
954 }
955
956 static bool address_in_range(SDState *sd, const char *desc,
957 uint64_t addr, uint32_t length)
958 {
959 if (addr + length > sd->size) {
960 qemu_log_mask(LOG_GUEST_ERROR,
961 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
962 desc, addr, sd->size, length);
963 sd->card_status |= ADDRESS_ERROR;
964 return false;
965 }
966 return true;
967 }
968
969 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
970 {
971 uint32_t rca = 0x0000;
972 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
973
974 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
975 * However there is no ACMD55, so we want to trace this particular case.
976 */
977 if (req.cmd != 55 || sd->expecting_acmd) {
978 trace_sdcard_normal_command(sd->proto_name,
979 sd_cmd_name(req.cmd), req.cmd,
980 req.arg, sd_state_name(sd->state));
981 }
982
983 /* Not interpreting this as an app command */
984 sd->card_status &= ~APP_CMD;
985
986 if (sd_cmd_type[req.cmd] == sd_ac
987 || sd_cmd_type[req.cmd] == sd_adtc) {
988 rca = req.arg >> 16;
989 }
990
991 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
992 * if not, its effects are cancelled */
993 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
994 sd->multi_blk_cnt = 0;
995 }
996
997 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
998 /* Only Standard Capacity cards support class 6 commands */
999 return sd_illegal;
1000 }
1001
1002 switch (req.cmd) {
1003 /* Basic commands (Class 0 and Class 1) */
1004 case 0: /* CMD0: GO_IDLE_STATE */
1005 switch (sd->state) {
1006 case sd_inactive_state:
1007 return sd->spi ? sd_r1 : sd_r0;
1008
1009 default:
1010 sd->state = sd_idle_state;
1011 sd_reset(DEVICE(sd));
1012 return sd->spi ? sd_r1 : sd_r0;
1013 }
1014 break;
1015
1016 case 1: /* CMD1: SEND_OP_CMD */
1017 if (!sd->spi)
1018 goto bad_cmd;
1019
1020 sd->state = sd_transfer_state;
1021 return sd_r1;
1022
1023 case 2: /* CMD2: ALL_SEND_CID */
1024 if (sd->spi)
1025 goto bad_cmd;
1026 switch (sd->state) {
1027 case sd_ready_state:
1028 sd->state = sd_identification_state;
1029 return sd_r2_i;
1030
1031 default:
1032 break;
1033 }
1034 break;
1035
1036 case 3: /* CMD3: SEND_RELATIVE_ADDR */
1037 if (sd->spi)
1038 goto bad_cmd;
1039 switch (sd->state) {
1040 case sd_identification_state:
1041 case sd_standby_state:
1042 sd->state = sd_standby_state;
1043 sd_set_rca(sd);
1044 return sd_r6;
1045
1046 default:
1047 break;
1048 }
1049 break;
1050
1051 case 4: /* CMD4: SEND_DSR */
1052 if (sd->spi)
1053 goto bad_cmd;
1054 switch (sd->state) {
1055 case sd_standby_state:
1056 break;
1057
1058 default:
1059 break;
1060 }
1061 break;
1062
1063 case 5: /* CMD5: reserved for SDIO cards */
1064 return sd_illegal;
1065
1066 case 6: /* CMD6: SWITCH_FUNCTION */
1067 switch (sd->mode) {
1068 case sd_data_transfer_mode:
1069 sd_function_switch(sd, req.arg);
1070 sd->state = sd_sendingdata_state;
1071 sd->data_start = 0;
1072 sd->data_offset = 0;
1073 return sd_r1;
1074
1075 default:
1076 break;
1077 }
1078 break;
1079
1080 case 7: /* CMD7: SELECT/DESELECT_CARD */
1081 if (sd->spi)
1082 goto bad_cmd;
1083 switch (sd->state) {
1084 case sd_standby_state:
1085 if (sd->rca != rca)
1086 return sd_r0;
1087
1088 sd->state = sd_transfer_state;
1089 return sd_r1b;
1090
1091 case sd_transfer_state:
1092 case sd_sendingdata_state:
1093 if (sd->rca == rca)
1094 break;
1095
1096 sd->state = sd_standby_state;
1097 return sd_r1b;
1098
1099 case sd_disconnect_state:
1100 if (sd->rca != rca)
1101 return sd_r0;
1102
1103 sd->state = sd_programming_state;
1104 return sd_r1b;
1105
1106 case sd_programming_state:
1107 if (sd->rca == rca)
1108 break;
1109
1110 sd->state = sd_disconnect_state;
1111 return sd_r1b;
1112
1113 default:
1114 break;
1115 }
1116 break;
1117
1118 case 8: /* CMD8: SEND_IF_COND */
1119 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1120 break;
1121 }
1122 if (sd->state != sd_idle_state) {
1123 break;
1124 }
1125 sd->vhs = 0;
1126
1127 /* No response if not exactly one VHS bit is set. */
1128 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1129 return sd->spi ? sd_r7 : sd_r0;
1130 }
1131
1132 /* Accept. */
1133 sd->vhs = req.arg;
1134 return sd_r7;
1135
1136 case 9: /* CMD9: SEND_CSD */
1137 switch (sd->state) {
1138 case sd_standby_state:
1139 if (sd->rca != rca)
1140 return sd_r0;
1141
1142 return sd_r2_s;
1143
1144 case sd_transfer_state:
1145 if (!sd->spi)
1146 break;
1147 sd->state = sd_sendingdata_state;
1148 memcpy(sd->data, sd->csd, 16);
1149 sd->data_start = addr;
1150 sd->data_offset = 0;
1151 return sd_r1;
1152
1153 default:
1154 break;
1155 }
1156 break;
1157
1158 case 10: /* CMD10: SEND_CID */
1159 switch (sd->state) {
1160 case sd_standby_state:
1161 if (sd->rca != rca)
1162 return sd_r0;
1163
1164 return sd_r2_i;
1165
1166 case sd_transfer_state:
1167 if (!sd->spi)
1168 break;
1169 sd->state = sd_sendingdata_state;
1170 memcpy(sd->data, sd->cid, 16);
1171 sd->data_start = addr;
1172 sd->data_offset = 0;
1173 return sd_r1;
1174
1175 default:
1176 break;
1177 }
1178 break;
1179
1180 case 12: /* CMD12: STOP_TRANSMISSION */
1181 switch (sd->state) {
1182 case sd_sendingdata_state:
1183 sd->state = sd_transfer_state;
1184 return sd_r1b;
1185
1186 case sd_receivingdata_state:
1187 sd->state = sd_programming_state;
1188 /* Bzzzzzzztt .... Operation complete. */
1189 sd->state = sd_transfer_state;
1190 return sd_r1b;
1191
1192 default:
1193 break;
1194 }
1195 break;
1196
1197 case 13: /* CMD13: SEND_STATUS */
1198 switch (sd->mode) {
1199 case sd_data_transfer_mode:
1200 if (!sd->spi && sd->rca != rca) {
1201 return sd_r0;
1202 }
1203
1204 return sd_r1;
1205
1206 default:
1207 break;
1208 }
1209 break;
1210
1211 case 15: /* CMD15: GO_INACTIVE_STATE */
1212 if (sd->spi)
1213 goto bad_cmd;
1214 switch (sd->mode) {
1215 case sd_data_transfer_mode:
1216 if (sd->rca != rca)
1217 return sd_r0;
1218
1219 sd->state = sd_inactive_state;
1220 return sd_r0;
1221
1222 default:
1223 break;
1224 }
1225 break;
1226
1227 /* Block read commands (Classs 2) */
1228 case 16: /* CMD16: SET_BLOCKLEN */
1229 switch (sd->state) {
1230 case sd_transfer_state:
1231 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1232 sd->card_status |= BLOCK_LEN_ERROR;
1233 } else {
1234 trace_sdcard_set_blocklen(req.arg);
1235 sd->blk_len = req.arg;
1236 }
1237
1238 return sd_r1;
1239
1240 default:
1241 break;
1242 }
1243 break;
1244
1245 case 17: /* CMD17: READ_SINGLE_BLOCK */
1246 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1247 switch (sd->state) {
1248 case sd_transfer_state:
1249
1250 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1251 return sd_r1;
1252 }
1253
1254 sd->state = sd_sendingdata_state;
1255 sd->data_start = addr;
1256 sd->data_offset = 0;
1257 return sd_r1;
1258
1259 default:
1260 break;
1261 }
1262 break;
1263
1264 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1265 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1266 break;
1267 }
1268 if (sd->state == sd_transfer_state) {
1269 sd->state = sd_sendingdata_state;
1270 sd->data_offset = 0;
1271 return sd_r1;
1272 }
1273 break;
1274
1275 case 23: /* CMD23: SET_BLOCK_COUNT */
1276 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1277 break;
1278 }
1279 switch (sd->state) {
1280 case sd_transfer_state:
1281 sd->multi_blk_cnt = req.arg;
1282 return sd_r1;
1283
1284 default:
1285 break;
1286 }
1287 break;
1288
1289 /* Block write commands (Class 4) */
1290 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1291 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1292 switch (sd->state) {
1293 case sd_transfer_state:
1294
1295 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1296 return sd_r1;
1297 }
1298
1299 sd->state = sd_receivingdata_state;
1300 sd->data_start = addr;
1301 sd->data_offset = 0;
1302 sd->blk_written = 0;
1303
1304 if (sd->size <= SDSC_MAX_CAPACITY) {
1305 if (sd_wp_addr(sd, sd->data_start)) {
1306 sd->card_status |= WP_VIOLATION;
1307 }
1308 }
1309 if (sd->csd[14] & 0x30) {
1310 sd->card_status |= WP_VIOLATION;
1311 }
1312 return sd_r1;
1313
1314 default:
1315 break;
1316 }
1317 break;
1318
1319 case 26: /* CMD26: PROGRAM_CID */
1320 if (sd->spi)
1321 goto bad_cmd;
1322 switch (sd->state) {
1323 case sd_transfer_state:
1324 sd->state = sd_receivingdata_state;
1325 sd->data_start = 0;
1326 sd->data_offset = 0;
1327 return sd_r1;
1328
1329 default:
1330 break;
1331 }
1332 break;
1333
1334 case 27: /* CMD27: PROGRAM_CSD */
1335 switch (sd->state) {
1336 case sd_transfer_state:
1337 sd->state = sd_receivingdata_state;
1338 sd->data_start = 0;
1339 sd->data_offset = 0;
1340 return sd_r1;
1341
1342 default:
1343 break;
1344 }
1345 break;
1346
1347 /* Write protection (Class 6) */
1348 case 28: /* CMD28: SET_WRITE_PROT */
1349 if (sd->size > SDSC_MAX_CAPACITY) {
1350 return sd_illegal;
1351 }
1352
1353 switch (sd->state) {
1354 case sd_transfer_state:
1355 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1356 return sd_r1b;
1357 }
1358
1359 sd->state = sd_programming_state;
1360 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1361 /* Bzzzzzzztt .... Operation complete. */
1362 sd->state = sd_transfer_state;
1363 return sd_r1b;
1364
1365 default:
1366 break;
1367 }
1368 break;
1369
1370 case 29: /* CMD29: CLR_WRITE_PROT */
1371 if (sd->size > SDSC_MAX_CAPACITY) {
1372 return sd_illegal;
1373 }
1374
1375 switch (sd->state) {
1376 case sd_transfer_state:
1377 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1378 return sd_r1b;
1379 }
1380
1381 sd->state = sd_programming_state;
1382 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1383 /* Bzzzzzzztt .... Operation complete. */
1384 sd->state = sd_transfer_state;
1385 return sd_r1b;
1386
1387 default:
1388 break;
1389 }
1390 break;
1391
1392 case 30: /* CMD30: SEND_WRITE_PROT */
1393 if (sd->size > SDSC_MAX_CAPACITY) {
1394 return sd_illegal;
1395 }
1396
1397 switch (sd->state) {
1398 case sd_transfer_state:
1399 if (!address_in_range(sd, "SEND_WRITE_PROT",
1400 req.arg, sd->blk_len)) {
1401 return sd_r1;
1402 }
1403
1404 sd->state = sd_sendingdata_state;
1405 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1406 sd->data_start = addr;
1407 sd->data_offset = 0;
1408 return sd_r1;
1409
1410 default:
1411 break;
1412 }
1413 break;
1414
1415 /* Erase commands (Class 5) */
1416 case 32: /* CMD32: ERASE_WR_BLK_START */
1417 switch (sd->state) {
1418 case sd_transfer_state:
1419 sd->erase_start = req.arg;
1420 return sd_r1;
1421
1422 default:
1423 break;
1424 }
1425 break;
1426
1427 case 33: /* CMD33: ERASE_WR_BLK_END */
1428 switch (sd->state) {
1429 case sd_transfer_state:
1430 sd->erase_end = req.arg;
1431 return sd_r1;
1432
1433 default:
1434 break;
1435 }
1436 break;
1437
1438 case 38: /* CMD38: ERASE */
1439 switch (sd->state) {
1440 case sd_transfer_state:
1441 if (sd->csd[14] & 0x30) {
1442 sd->card_status |= WP_VIOLATION;
1443 return sd_r1b;
1444 }
1445
1446 sd->state = sd_programming_state;
1447 sd_erase(sd);
1448 /* Bzzzzzzztt .... Operation complete. */
1449 sd->state = sd_transfer_state;
1450 return sd_r1b;
1451
1452 default:
1453 break;
1454 }
1455 break;
1456
1457 /* Lock card commands (Class 7) */
1458 case 42: /* CMD42: LOCK_UNLOCK */
1459 switch (sd->state) {
1460 case sd_transfer_state:
1461 sd->state = sd_receivingdata_state;
1462 sd->data_start = 0;
1463 sd->data_offset = 0;
1464 return sd_r1;
1465
1466 default:
1467 break;
1468 }
1469 break;
1470
1471 case 52 ... 54:
1472 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1473 * (see the SDIO Simplified Specification V2.0)
1474 * Handle as illegal command but do not complain
1475 * on stderr, as some OSes may use these in their
1476 * probing for presence of an SDIO card.
1477 */
1478 return sd_illegal;
1479
1480 /* Application specific commands (Class 8) */
1481 case 55: /* CMD55: APP_CMD */
1482 switch (sd->state) {
1483 case sd_ready_state:
1484 case sd_identification_state:
1485 case sd_inactive_state:
1486 return sd_illegal;
1487 case sd_idle_state:
1488 if (rca) {
1489 qemu_log_mask(LOG_GUEST_ERROR,
1490 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1491 }
1492 default:
1493 break;
1494 }
1495 if (!sd->spi) {
1496 if (sd->rca != rca) {
1497 return sd_r0;
1498 }
1499 }
1500 sd->expecting_acmd = true;
1501 sd->card_status |= APP_CMD;
1502 return sd_r1;
1503
1504 case 56: /* CMD56: GEN_CMD */
1505 switch (sd->state) {
1506 case sd_transfer_state:
1507 sd->data_offset = 0;
1508 if (req.arg & 1)
1509 sd->state = sd_sendingdata_state;
1510 else
1511 sd->state = sd_receivingdata_state;
1512 return sd_r1;
1513
1514 default:
1515 break;
1516 }
1517 break;
1518
1519 case 58: /* CMD58: READ_OCR (SPI) */
1520 if (!sd->spi) {
1521 goto bad_cmd;
1522 }
1523 return sd_r3;
1524
1525 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1526 if (!sd->spi) {
1527 goto bad_cmd;
1528 }
1529 return sd_r1;
1530
1531 default:
1532 bad_cmd:
1533 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1534 return sd_illegal;
1535 }
1536
1537 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
1538 req.cmd, sd_state_name(sd->state));
1539 return sd_illegal;
1540 }
1541
1542 static sd_rsp_type_t sd_app_command(SDState *sd,
1543 SDRequest req)
1544 {
1545 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1546 req.cmd, req.arg, sd_state_name(sd->state));
1547 sd->card_status |= APP_CMD;
1548 switch (req.cmd) {
1549 case 6: /* ACMD6: SET_BUS_WIDTH */
1550 if (sd->spi) {
1551 goto unimplemented_spi_cmd;
1552 }
1553 switch (sd->state) {
1554 case sd_transfer_state:
1555 sd->sd_status[0] &= 0x3f;
1556 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1557 return sd_r1;
1558
1559 default:
1560 break;
1561 }
1562 break;
1563
1564 case 13: /* ACMD13: SD_STATUS */
1565 switch (sd->state) {
1566 case sd_transfer_state:
1567 sd->state = sd_sendingdata_state;
1568 sd->data_start = 0;
1569 sd->data_offset = 0;
1570 return sd_r1;
1571
1572 default:
1573 break;
1574 }
1575 break;
1576
1577 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1578 switch (sd->state) {
1579 case sd_transfer_state:
1580 *(uint32_t *) sd->data = sd->blk_written;
1581
1582 sd->state = sd_sendingdata_state;
1583 sd->data_start = 0;
1584 sd->data_offset = 0;
1585 return sd_r1;
1586
1587 default:
1588 break;
1589 }
1590 break;
1591
1592 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1593 switch (sd->state) {
1594 case sd_transfer_state:
1595 return sd_r1;
1596
1597 default:
1598 break;
1599 }
1600 break;
1601
1602 case 41: /* ACMD41: SD_APP_OP_COND */
1603 if (sd->spi) {
1604 /* SEND_OP_CMD */
1605 sd->state = sd_transfer_state;
1606 return sd_r1;
1607 }
1608 if (sd->state != sd_idle_state) {
1609 break;
1610 }
1611 /* If it's the first ACMD41 since reset, we need to decide
1612 * whether to power up. If this is not an enquiry ACMD41,
1613 * we immediately report power on and proceed below to the
1614 * ready state, but if it is, we set a timer to model a
1615 * delay for power up. This works around a bug in EDK2
1616 * UEFI, which sends an initial enquiry ACMD41, but
1617 * assumes that the card is in ready state as soon as it
1618 * sees the power up bit set. */
1619 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1620 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1621 timer_del(sd->ocr_power_timer);
1622 sd_ocr_powerup(sd);
1623 } else {
1624 trace_sdcard_inquiry_cmd41();
1625 if (!timer_pending(sd->ocr_power_timer)) {
1626 timer_mod_ns(sd->ocr_power_timer,
1627 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1628 + OCR_POWER_DELAY_NS));
1629 }
1630 }
1631 }
1632
1633 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1634 /* We accept any voltage. 10000 V is nothing.
1635 *
1636 * Once we're powered up, we advance straight to ready state
1637 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1638 */
1639 sd->state = sd_ready_state;
1640 }
1641
1642 return sd_r3;
1643
1644 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1645 switch (sd->state) {
1646 case sd_transfer_state:
1647 /* Bringing in the 50KOhm pull-up resistor... Done. */
1648 return sd_r1;
1649
1650 default:
1651 break;
1652 }
1653 break;
1654
1655 case 51: /* ACMD51: SEND_SCR */
1656 switch (sd->state) {
1657 case sd_transfer_state:
1658 sd->state = sd_sendingdata_state;
1659 sd->data_start = 0;
1660 sd->data_offset = 0;
1661 return sd_r1;
1662
1663 default:
1664 break;
1665 }
1666 break;
1667
1668 case 18: /* Reserved for SD security applications */
1669 case 25:
1670 case 26:
1671 case 38:
1672 case 43 ... 49:
1673 /* Refer to the "SD Specifications Part3 Security Specification" for
1674 * information about the SD Security Features.
1675 */
1676 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1677 req.cmd);
1678 return sd_illegal;
1679
1680 default:
1681 /* Fall back to standard commands. */
1682 return sd_normal_command(sd, req);
1683
1684 unimplemented_spi_cmd:
1685 /* Commands that are recognised but not yet implemented in SPI mode. */
1686 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1687 req.cmd);
1688 return sd_illegal;
1689 }
1690
1691 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1692 return sd_illegal;
1693 }
1694
1695 static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1696 {
1697 /* Valid commands in locked state:
1698 * basic class (0)
1699 * lock card class (7)
1700 * CMD16
1701 * implicitly, the ACMD prefix CMD55
1702 * ACMD41 and ACMD42
1703 * Anything else provokes an "illegal command" response.
1704 */
1705 if (sd->expecting_acmd) {
1706 return cmd == 41 || cmd == 42;
1707 }
1708 if (cmd == 16 || cmd == 55) {
1709 return 1;
1710 }
1711 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1712 }
1713
1714 int sd_do_command(SDState *sd, SDRequest *req,
1715 uint8_t *response) {
1716 int last_state;
1717 sd_rsp_type_t rtype;
1718 int rsplen;
1719
1720 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1721 return 0;
1722 }
1723
1724 if (sd_req_crc_validate(req)) {
1725 sd->card_status |= COM_CRC_ERROR;
1726 rtype = sd_illegal;
1727 goto send_response;
1728 }
1729
1730 if (req->cmd >= SDMMC_CMD_MAX) {
1731 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1732 req->cmd);
1733 req->cmd &= 0x3f;
1734 }
1735
1736 if (sd->card_status & CARD_IS_LOCKED) {
1737 if (!cmd_valid_while_locked(sd, req->cmd)) {
1738 sd->card_status |= ILLEGAL_COMMAND;
1739 sd->expecting_acmd = false;
1740 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1741 rtype = sd_illegal;
1742 goto send_response;
1743 }
1744 }
1745
1746 last_state = sd->state;
1747 sd_set_mode(sd);
1748
1749 if (sd->expecting_acmd) {
1750 sd->expecting_acmd = false;
1751 rtype = sd_app_command(sd, *req);
1752 } else {
1753 rtype = sd_normal_command(sd, *req);
1754 }
1755
1756 if (rtype == sd_illegal) {
1757 sd->card_status |= ILLEGAL_COMMAND;
1758 } else {
1759 /* Valid command, we can update the 'state before command' bits.
1760 * (Do this now so they appear in r1 responses.)
1761 */
1762 sd->current_cmd = req->cmd;
1763 sd->card_status &= ~CURRENT_STATE;
1764 sd->card_status |= (last_state << 9);
1765 }
1766
1767 send_response:
1768 switch (rtype) {
1769 case sd_r1:
1770 case sd_r1b:
1771 sd_response_r1_make(sd, response);
1772 rsplen = 4;
1773 break;
1774
1775 case sd_r2_i:
1776 memcpy(response, sd->cid, sizeof(sd->cid));
1777 rsplen = 16;
1778 break;
1779
1780 case sd_r2_s:
1781 memcpy(response, sd->csd, sizeof(sd->csd));
1782 rsplen = 16;
1783 break;
1784
1785 case sd_r3:
1786 sd_response_r3_make(sd, response);
1787 rsplen = 4;
1788 break;
1789
1790 case sd_r6:
1791 sd_response_r6_make(sd, response);
1792 rsplen = 4;
1793 break;
1794
1795 case sd_r7:
1796 sd_response_r7_make(sd, response);
1797 rsplen = 4;
1798 break;
1799
1800 case sd_r0:
1801 case sd_illegal:
1802 rsplen = 0;
1803 break;
1804 default:
1805 g_assert_not_reached();
1806 }
1807 trace_sdcard_response(sd_response_name(rtype), rsplen);
1808
1809 if (rtype != sd_illegal) {
1810 /* Clear the "clear on valid command" status bits now we've
1811 * sent any response
1812 */
1813 sd->card_status &= ~CARD_STATUS_B;
1814 }
1815
1816 #ifdef DEBUG_SD
1817 qemu_hexdump(stderr, "Response", response, rsplen);
1818 #endif
1819
1820 return rsplen;
1821 }
1822
1823 void sd_write_byte(SDState *sd, uint8_t value)
1824 {
1825 int i;
1826
1827 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1828 return;
1829
1830 if (sd->state != sd_receivingdata_state) {
1831 qemu_log_mask(LOG_GUEST_ERROR,
1832 "%s: not in Receiving-Data state\n", __func__);
1833 return;
1834 }
1835
1836 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1837 return;
1838
1839 trace_sdcard_write_data(sd->proto_name,
1840 sd_acmd_name(sd->current_cmd),
1841 sd->current_cmd, value);
1842 switch (sd->current_cmd) {
1843 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1844 sd->data[sd->data_offset ++] = value;
1845 if (sd->data_offset >= sd->blk_len) {
1846 /* TODO: Check CRC before committing */
1847 sd->state = sd_programming_state;
1848 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1849 sd->blk_written ++;
1850 sd->csd[14] |= 0x40;
1851 /* Bzzzzzzztt .... Operation complete. */
1852 sd->state = sd_transfer_state;
1853 }
1854 break;
1855
1856 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1857 if (sd->data_offset == 0) {
1858 /* Start of the block - let's check the address is valid */
1859 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
1860 sd->data_start, sd->blk_len)) {
1861 break;
1862 }
1863 if (sd->size <= SDSC_MAX_CAPACITY) {
1864 if (sd_wp_addr(sd, sd->data_start)) {
1865 sd->card_status |= WP_VIOLATION;
1866 break;
1867 }
1868 }
1869 }
1870 sd->data[sd->data_offset++] = value;
1871 if (sd->data_offset >= sd->blk_len) {
1872 /* TODO: Check CRC before committing */
1873 sd->state = sd_programming_state;
1874 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1875 sd->blk_written++;
1876 sd->data_start += sd->blk_len;
1877 sd->data_offset = 0;
1878 sd->csd[14] |= 0x40;
1879
1880 /* Bzzzzzzztt .... Operation complete. */
1881 if (sd->multi_blk_cnt != 0) {
1882 if (--sd->multi_blk_cnt == 0) {
1883 /* Stop! */
1884 sd->state = sd_transfer_state;
1885 break;
1886 }
1887 }
1888
1889 sd->state = sd_receivingdata_state;
1890 }
1891 break;
1892
1893 case 26: /* CMD26: PROGRAM_CID */
1894 sd->data[sd->data_offset ++] = value;
1895 if (sd->data_offset >= sizeof(sd->cid)) {
1896 /* TODO: Check CRC before committing */
1897 sd->state = sd_programming_state;
1898 for (i = 0; i < sizeof(sd->cid); i ++)
1899 if ((sd->cid[i] | 0x00) != sd->data[i])
1900 sd->card_status |= CID_CSD_OVERWRITE;
1901
1902 if (!(sd->card_status & CID_CSD_OVERWRITE))
1903 for (i = 0; i < sizeof(sd->cid); i ++) {
1904 sd->cid[i] |= 0x00;
1905 sd->cid[i] &= sd->data[i];
1906 }
1907 /* Bzzzzzzztt .... Operation complete. */
1908 sd->state = sd_transfer_state;
1909 }
1910 break;
1911
1912 case 27: /* CMD27: PROGRAM_CSD */
1913 sd->data[sd->data_offset ++] = value;
1914 if (sd->data_offset >= sizeof(sd->csd)) {
1915 /* TODO: Check CRC before committing */
1916 sd->state = sd_programming_state;
1917 for (i = 0; i < sizeof(sd->csd); i ++)
1918 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1919 (sd->data[i] | sd_csd_rw_mask[i]))
1920 sd->card_status |= CID_CSD_OVERWRITE;
1921
1922 /* Copy flag (OTP) & Permanent write protect */
1923 if (sd->csd[14] & ~sd->data[14] & 0x60)
1924 sd->card_status |= CID_CSD_OVERWRITE;
1925
1926 if (!(sd->card_status & CID_CSD_OVERWRITE))
1927 for (i = 0; i < sizeof(sd->csd); i ++) {
1928 sd->csd[i] |= sd_csd_rw_mask[i];
1929 sd->csd[i] &= sd->data[i];
1930 }
1931 /* Bzzzzzzztt .... Operation complete. */
1932 sd->state = sd_transfer_state;
1933 }
1934 break;
1935
1936 case 42: /* CMD42: LOCK_UNLOCK */
1937 sd->data[sd->data_offset ++] = value;
1938 if (sd->data_offset >= sd->blk_len) {
1939 /* TODO: Check CRC before committing */
1940 sd->state = sd_programming_state;
1941 sd_lock_command(sd);
1942 /* Bzzzzzzztt .... Operation complete. */
1943 sd->state = sd_transfer_state;
1944 }
1945 break;
1946
1947 case 56: /* CMD56: GEN_CMD */
1948 sd->data[sd->data_offset ++] = value;
1949 if (sd->data_offset >= sd->blk_len) {
1950 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1951 sd->state = sd_transfer_state;
1952 }
1953 break;
1954
1955 default:
1956 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1957 break;
1958 }
1959 }
1960
1961 #define SD_TUNING_BLOCK_SIZE 64
1962
1963 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1964 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1965 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1966 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1967 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1968 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1969 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1970 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1971 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1972 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1973 };
1974
1975 uint8_t sd_read_byte(SDState *sd)
1976 {
1977 /* TODO: Append CRCs */
1978 uint8_t ret;
1979 uint32_t io_len;
1980
1981 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1982 return 0x00;
1983
1984 if (sd->state != sd_sendingdata_state) {
1985 qemu_log_mask(LOG_GUEST_ERROR,
1986 "%s: not in Sending-Data state\n", __func__);
1987 return 0x00;
1988 }
1989
1990 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1991 return 0x00;
1992
1993 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1994
1995 trace_sdcard_read_data(sd->proto_name,
1996 sd_acmd_name(sd->current_cmd),
1997 sd->current_cmd, io_len);
1998 switch (sd->current_cmd) {
1999 case 6: /* CMD6: SWITCH_FUNCTION */
2000 ret = sd->data[sd->data_offset ++];
2001
2002 if (sd->data_offset >= 64)
2003 sd->state = sd_transfer_state;
2004 break;
2005
2006 case 9: /* CMD9: SEND_CSD */
2007 case 10: /* CMD10: SEND_CID */
2008 ret = sd->data[sd->data_offset ++];
2009
2010 if (sd->data_offset >= 16)
2011 sd->state = sd_transfer_state;
2012 break;
2013
2014 case 13: /* ACMD13: SD_STATUS */
2015 ret = sd->sd_status[sd->data_offset ++];
2016
2017 if (sd->data_offset >= sizeof(sd->sd_status))
2018 sd->state = sd_transfer_state;
2019 break;
2020
2021 case 17: /* CMD17: READ_SINGLE_BLOCK */
2022 if (sd->data_offset == 0)
2023 BLK_READ_BLOCK(sd->data_start, io_len);
2024 ret = sd->data[sd->data_offset ++];
2025
2026 if (sd->data_offset >= io_len)
2027 sd->state = sd_transfer_state;
2028 break;
2029
2030 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2031 if (sd->data_offset == 0) {
2032 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2033 sd->data_start, io_len)) {
2034 return 0x00;
2035 }
2036 BLK_READ_BLOCK(sd->data_start, io_len);
2037 }
2038 ret = sd->data[sd->data_offset ++];
2039
2040 if (sd->data_offset >= io_len) {
2041 sd->data_start += io_len;
2042 sd->data_offset = 0;
2043
2044 if (sd->multi_blk_cnt != 0) {
2045 if (--sd->multi_blk_cnt == 0) {
2046 /* Stop! */
2047 sd->state = sd_transfer_state;
2048 break;
2049 }
2050 }
2051 }
2052 break;
2053
2054 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2055 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2056 sd->state = sd_transfer_state;
2057 }
2058 ret = sd_tuning_block_pattern[sd->data_offset++];
2059 break;
2060
2061 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2062 ret = sd->data[sd->data_offset ++];
2063
2064 if (sd->data_offset >= 4)
2065 sd->state = sd_transfer_state;
2066 break;
2067
2068 case 30: /* CMD30: SEND_WRITE_PROT */
2069 ret = sd->data[sd->data_offset ++];
2070
2071 if (sd->data_offset >= 4)
2072 sd->state = sd_transfer_state;
2073 break;
2074
2075 case 51: /* ACMD51: SEND_SCR */
2076 ret = sd->scr[sd->data_offset ++];
2077
2078 if (sd->data_offset >= sizeof(sd->scr))
2079 sd->state = sd_transfer_state;
2080 break;
2081
2082 case 56: /* CMD56: GEN_CMD */
2083 if (sd->data_offset == 0)
2084 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2085 ret = sd->data[sd->data_offset ++];
2086
2087 if (sd->data_offset >= sd->blk_len)
2088 sd->state = sd_transfer_state;
2089 break;
2090
2091 default:
2092 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2093 return 0x00;
2094 }
2095
2096 return ret;
2097 }
2098
2099 static bool sd_receive_ready(SDState *sd)
2100 {
2101 return sd->state == sd_receivingdata_state;
2102 }
2103
2104 static bool sd_data_ready(SDState *sd)
2105 {
2106 return sd->state == sd_sendingdata_state;
2107 }
2108
2109 void sd_enable(SDState *sd, bool enable)
2110 {
2111 sd->enable = enable;
2112 }
2113
2114 static void sd_instance_init(Object *obj)
2115 {
2116 SDState *sd = SD_CARD(obj);
2117
2118 sd->enable = true;
2119 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2120 }
2121
2122 static void sd_instance_finalize(Object *obj)
2123 {
2124 SDState *sd = SD_CARD(obj);
2125
2126 timer_free(sd->ocr_power_timer);
2127 }
2128
2129 static void sd_realize(DeviceState *dev, Error **errp)
2130 {
2131 SDState *sd = SD_CARD(dev);
2132 int ret;
2133
2134 sd->proto_name = sd->spi ? "SPI" : "SD";
2135
2136 switch (sd->spec_version) {
2137 case SD_PHY_SPECv1_10_VERS
2138 ... SD_PHY_SPECv3_01_VERS:
2139 break;
2140 default:
2141 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2142 return;
2143 }
2144
2145 if (sd->blk) {
2146 int64_t blk_size;
2147
2148 if (!blk_supports_write_perm(sd->blk)) {
2149 error_setg(errp, "Cannot use read-only drive as SD card");
2150 return;
2151 }
2152
2153 blk_size = blk_getlength(sd->blk);
2154 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2155 int64_t blk_size_aligned = pow2ceil(blk_size);
2156 char *blk_size_str;
2157
2158 blk_size_str = size_to_str(blk_size);
2159 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2160 g_free(blk_size_str);
2161
2162 blk_size_str = size_to_str(blk_size_aligned);
2163 error_append_hint(errp,
2164 "SD card size has to be a power of 2, e.g. %s.\n"
2165 "You can resize disk images with"
2166 " 'qemu-img resize <imagefile> <new-size>'\n"
2167 "(note that this will lose data if you make the"
2168 " image smaller than it currently is).\n",
2169 blk_size_str);
2170 g_free(blk_size_str);
2171
2172 return;
2173 }
2174
2175 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2176 BLK_PERM_ALL, errp);
2177 if (ret < 0) {
2178 return;
2179 }
2180 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2181 }
2182 }
2183
2184 static Property sd_properties[] = {
2185 DEFINE_PROP_UINT8("spec_version", SDState,
2186 spec_version, SD_PHY_SPECv2_00_VERS),
2187 DEFINE_PROP_DRIVE("drive", SDState, blk),
2188 /* We do not model the chip select pin, so allow the board to select
2189 * whether card should be in SSI or MMC/SD mode. It is also up to the
2190 * board to ensure that ssi transfers only occur when the chip select
2191 * is asserted. */
2192 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2193 DEFINE_PROP_END_OF_LIST()
2194 };
2195
2196 static void sd_class_init(ObjectClass *klass, void *data)
2197 {
2198 DeviceClass *dc = DEVICE_CLASS(klass);
2199 SDCardClass *sc = SD_CARD_CLASS(klass);
2200
2201 dc->realize = sd_realize;
2202 device_class_set_props(dc, sd_properties);
2203 dc->vmsd = &sd_vmstate;
2204 dc->reset = sd_reset;
2205 dc->bus_type = TYPE_SD_BUS;
2206 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2207
2208 sc->set_voltage = sd_set_voltage;
2209 sc->get_dat_lines = sd_get_dat_lines;
2210 sc->get_cmd_line = sd_get_cmd_line;
2211 sc->do_command = sd_do_command;
2212 sc->write_byte = sd_write_byte;
2213 sc->read_byte = sd_read_byte;
2214 sc->receive_ready = sd_receive_ready;
2215 sc->data_ready = sd_data_ready;
2216 sc->enable = sd_enable;
2217 sc->get_inserted = sd_get_inserted;
2218 sc->get_readonly = sd_get_readonly;
2219 }
2220
2221 static const TypeInfo sd_info = {
2222 .name = TYPE_SD_CARD,
2223 .parent = TYPE_DEVICE,
2224 .instance_size = sizeof(SDState),
2225 .class_size = sizeof(SDCardClass),
2226 .class_init = sd_class_init,
2227 .instance_init = sd_instance_init,
2228 .instance_finalize = sd_instance_finalize,
2229 };
2230
2231 static void sd_register_types(void)
2232 {
2233 type_register_static(&sd_info);
2234 }
2235
2236 type_init(sd_register_types)
armbru's QEMU hackery