1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * eMMC emulation defined in "JEDEC Standard No. 84-A43"
6 *
7 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
8 * Copyright (c) 2007 CodeSourcery
9 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 *
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in
19 * the documentation and/or other materials provided with the
20 * distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
23 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
25 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
26 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
29 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
30 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35 #include "qemu/osdep.h"
36 #include "qemu/units.h"
37 #include "qemu/cutils.h"
38 #include "hw/irq.h"
39 #include "hw/registerfields.h"
40 #include "system/block-backend.h"
41 #include "hw/sd/sd.h"
42 #include "migration/vmstate.h"
43 #include "qapi/error.h"
44 #include "qemu/bitmap.h"
45 #include "hw/qdev-properties.h"
46 #include "hw/qdev-properties-system.h"
47 #include "qemu/error-report.h"
48 #include "qemu/timer.h"
49 #include "qemu/log.h"
50 #include "qemu/guest-random.h"
51 #include "qemu/module.h"
52 #include "sdmmc-internal.h"
53 #include "trace.h"
54
55 //#define DEBUG_SD 1
56
57 #define SDSC_MAX_CAPACITY (2 * GiB)
58
59 #define INVALID_ADDRESS UINT32_MAX
60
61 typedef enum {
62 sd_r0 = 0, /* no response */
63 sd_r1, /* normal response command */
64 sd_r2_i, /* CID register */
65 sd_r2_s, /* CSD register */
66 sd_r3, /* OCR register */
67 sd_r6 = 6, /* Published RCA response */
68 sd_r7, /* Operating voltage */
69 sd_r1b = -1,
70 sd_illegal = -2,
71 } sd_rsp_type_t;
72
73 typedef enum {
74 sd_spi,
75 sd_bc, /* broadcast -- no response */
76 sd_bcr, /* broadcast with response */
77 sd_ac, /* addressed -- no data transfer */
78 sd_adtc, /* addressed with data transfer */
79 } sd_cmd_type_t;
80
81 enum SDCardModes {
82 sd_inactive,
83 sd_card_identification_mode,
84 sd_data_transfer_mode,
85 };
86
87 enum SDCardStates {
88 sd_waitirq_state = -2, /* emmc */
89 sd_inactive_state = -1,
90
91 sd_idle_state = 0,
92 sd_ready_state = 1,
93 sd_identification_state = 2,
94 sd_standby_state = 3,
95 sd_transfer_state = 4,
96 sd_sendingdata_state = 5,
97 sd_receivingdata_state = 6,
98 sd_programming_state = 7,
99 sd_disconnect_state = 8,
100 sd_bus_test_state = 9, /* emmc */
101 sd_sleep_state = 10, /* emmc */
102 sd_io_state = 15 /* sd */
103 };
104
105 #define SDMMC_CMD_MAX 64
106
107 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
108
109 typedef struct SDProto {
110 const char *name;
111 struct {
112 const unsigned class;
113 const sd_cmd_type_t type;
114 const char *name;
115 sd_cmd_handler handler;
116 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX];
117 } SDProto;
118
119 struct SDState {
120 DeviceState parent_obj;
121
122 /* SD Memory Card Registers */
123 uint32_t ocr;
124 uint8_t scr[8];
125 uint8_t cid[16];
126 uint8_t csd[16];
127 uint16_t rca;
128 uint32_t card_status;
129 uint8_t sd_status[64];
130 union {
131 uint8_t ext_csd[512];
132 struct {
133 uint8_t ext_csd_rw[192]; /* Modes segment */
134 uint8_t ext_csd_ro[320]; /* Properties segment */
135 };
136 };
137
138 /* Static properties */
139
140 uint8_t spec_version;
141 uint64_t boot_part_size;
142 BlockBackend *blk;
143 uint8_t boot_config;
144
145 const SDProto *proto;
146
147 /* Runtime changeables */
148
149 uint32_t mode; /* current card mode, one of SDCardModes */
150 int32_t state; /* current card state, one of SDCardStates */
151 uint32_t vhs;
152 bool wp_switch;
153 unsigned long *wp_group_bmap;
154 int32_t wp_group_bits;
155 uint64_t size;
156 uint32_t blk_len;
157 uint32_t multi_blk_cnt;
158 uint32_t erase_start;
159 uint32_t erase_end;
160 uint8_t pwd[16];
161 uint32_t pwd_len;
162 uint8_t function_group[6];
163 uint8_t current_cmd;
164 const char *last_cmd_name;
165 /* True if we will handle the next command as an ACMD. Note that this does
166 * *not* track the APP_CMD status bit!
167 */
168 bool expecting_acmd;
169 uint32_t blk_written;
170
171 uint64_t data_start;
172 uint32_t data_offset;
173 size_t data_size;
174 uint8_t data[512];
175 QEMUTimer *ocr_power_timer;
176 uint8_t dat_lines;
177 bool cmd_line;
178 };
179
180 static void sd_realize(DeviceState *dev, Error **errp);
181
182 static const SDProto sd_proto_spi;
183 static const SDProto sd_proto_emmc;
184
sd_is_spi(SDState * sd)185 static bool sd_is_spi(SDState *sd)
186 {
187 return sd->proto == &sd_proto_spi;
188 }
189
sd_is_emmc(SDState * sd)190 static bool sd_is_emmc(SDState *sd)
191 {
192 return sd->proto == &sd_proto_emmc;
193 }
194
sd_version_str(enum SDPhySpecificationVersion version)195 static const char *sd_version_str(enum SDPhySpecificationVersion version)
196 {
197 static const char *sdphy_version[] = {
198 [SD_PHY_SPECv1_10_VERS] = "v1.10",
199 [SD_PHY_SPECv2_00_VERS] = "v2.00",
200 [SD_PHY_SPECv3_01_VERS] = "v3.01",
201 };
202 if (version >= ARRAY_SIZE(sdphy_version)) {
203 return "unsupported version";
204 }
205 return sdphy_version[version];
206 }
207
sd_mode_name(enum SDCardModes mode)208 static const char *sd_mode_name(enum SDCardModes mode)
209 {
210 static const char *mode_name[] = {
211 [sd_inactive] = "inactive",
212 [sd_card_identification_mode] = "identification",
213 [sd_data_transfer_mode] = "transfer",
214 };
215 assert(mode < ARRAY_SIZE(mode_name));
216 return mode_name[mode];
217 }
218
sd_state_name(enum SDCardStates state)219 static const char *sd_state_name(enum SDCardStates state)
220 {
221 static const char *state_name[] = {
222 [sd_idle_state] = "idle",
223 [sd_ready_state] = "ready",
224 [sd_identification_state] = "identification",
225 [sd_standby_state] = "standby",
226 [sd_transfer_state] = "transfer",
227 [sd_sendingdata_state] = "sendingdata",
228 [sd_bus_test_state] = "bus-test",
229 [sd_receivingdata_state] = "receivingdata",
230 [sd_programming_state] = "programming",
231 [sd_disconnect_state] = "disconnect",
232 [sd_sleep_state] = "sleep",
233 [sd_io_state] = "i/o"
234 };
235 if (state == sd_inactive_state) {
236 return "inactive";
237 }
238 if (state == sd_waitirq_state) {
239 return "wait-irq";
240 }
241 assert(state < ARRAY_SIZE(state_name));
242 return state_name[state];
243 }
244
sd_response_name(sd_rsp_type_t rsp)245 static const char *sd_response_name(sd_rsp_type_t rsp)
246 {
247 static const char *response_name[] = {
248 [sd_r0] = "RESP#0 (no response)",
249 [sd_r1] = "RESP#1 (normal cmd)",
250 [sd_r2_i] = "RESP#2 (CID reg)",
251 [sd_r2_s] = "RESP#2 (CSD reg)",
252 [sd_r3] = "RESP#3 (OCR reg)",
253 [sd_r6] = "RESP#6 (RCA)",
254 [sd_r7] = "RESP#7 (operating voltage)",
255 };
256 if (rsp == sd_illegal) {
257 return "ILLEGAL RESP";
258 }
259 if (rsp == sd_r1b) {
260 rsp = sd_r1;
261 }
262 assert(rsp < ARRAY_SIZE(response_name));
263 return response_name[rsp];
264 }
265
sd_cmd_name(SDState * sd,uint8_t cmd)266 static const char *sd_cmd_name(SDState *sd, uint8_t cmd)
267 {
268 static const char *cmd_abbrev[SDMMC_CMD_MAX] = {
269 [18] = "READ_MULTIPLE_BLOCK",
270 [25] = "WRITE_MULTIPLE_BLOCK",
271 };
272 const SDProto *sdp = sd->proto;
273
274 if (sdp->cmd[cmd].handler) {
275 assert(!cmd_abbrev[cmd]);
276 return sdp->cmd[cmd].name;
277 }
278 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD";
279 }
280
sd_acmd_name(SDState * sd,uint8_t cmd)281 static const char *sd_acmd_name(SDState *sd, uint8_t cmd)
282 {
283 const SDProto *sdp = sd->proto;
284
285 if (sdp->acmd[cmd].handler) {
286 return sdp->acmd[cmd].name;
287 }
288
289 return "UNKNOWN_ACMD";
290 }
291
sd_get_dat_lines(SDState * sd)292 static uint8_t sd_get_dat_lines(SDState *sd)
293 {
294 return sd->dat_lines;
295 }
296
sd_get_cmd_line(SDState * sd)297 static bool sd_get_cmd_line(SDState *sd)
298 {
299 return sd->cmd_line;
300 }
301
sd_set_voltage(SDState * sd,uint16_t millivolts)302 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
303 {
304 trace_sdcard_set_voltage(millivolts);
305
306 switch (millivolts) {
307 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
308 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
309 break;
310 default:
311 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
312 millivolts / 1000.f);
313 }
314 }
315
sd_set_mode(SDState * sd)316 static void sd_set_mode(SDState *sd)
317 {
318 switch (sd->state) {
319 case sd_inactive_state:
320 sd->mode = sd_inactive;
321 break;
322
323 case sd_idle_state:
324 case sd_ready_state:
325 case sd_identification_state:
326 sd->mode = sd_card_identification_mode;
327 break;
328
329 case sd_standby_state:
330 case sd_transfer_state:
331 case sd_sendingdata_state:
332 case sd_receivingdata_state:
333 case sd_programming_state:
334 case sd_disconnect_state:
335 sd->mode = sd_data_transfer_mode;
336 break;
337 }
338 }
339
sd_crc7(const void * message,size_t width)340 static uint8_t sd_crc7(const void *message, size_t width)
341 {
342 int i, bit;
343 uint8_t shift_reg = 0x00;
344 const uint8_t *msg = (const uint8_t *)message;
345
346 for (i = 0; i < width; i ++, msg ++)
347 for (bit = 7; bit >= 0; bit --) {
348 shift_reg <<= 1;
349 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
350 shift_reg ^= 0x89;
351 }
352
353 return shift_reg;
354 }
355
356 /* Operation Conditions register */
357
358 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
359
360 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
361 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
362 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
363 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
364 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
365 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
366 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
367 FIELD(OCR, CARD_POWER_UP, 31, 1)
368
369 #define ACMD41_ENQUIRY_MASK 0x00ffffff
370 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
371 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
372 | R_OCR_UHS_II_CARD_MASK \
373 | R_OCR_CARD_CAPACITY_MASK \
374 | R_OCR_CARD_POWER_UP_MASK)
375
sd_ocr_powerup(void * opaque)376 static void sd_ocr_powerup(void *opaque)
377 {
378 SDState *sd = opaque;
379
380 trace_sdcard_powerup();
381 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
382
383 /* card power-up OK */
384 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
385
386 if (sd->size > SDSC_MAX_CAPACITY) {
387 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
388 }
389 }
390
sd_set_ocr(SDState * sd)391 static void sd_set_ocr(SDState *sd)
392 {
393 /* All voltages OK */
394 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
395
396 if (sd_is_spi(sd)) {
397 /*
398 * We don't need to emulate power up sequence in SPI-mode.
399 * Thus, the card's power up status bit should be set to 1 when reset.
400 * The card's capacity status bit should also be set if SD card size
401 * is larger than 2GB for SDHC support.
402 */
403 sd_ocr_powerup(sd);
404 }
405 }
406
407 /* SD Configuration register */
408
sd_set_scr(SDState * sd)409 static void sd_set_scr(SDState *sd)
410 {
411 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
412 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
413 sd->scr[0] |= 1; /* Spec Version 1.10 */
414 } else {
415 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
416 }
417 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
418 | 0b0101; /* 1-bit or 4-bit width bus modes */
419 sd->scr[2] = 0x00; /* Extended Security is not supported. */
420 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
421 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
422 }
423 sd->scr[3] = 0x00;
424 /* reserved for manufacturer usage */
425 sd->scr[4] = 0x00;
426 sd->scr[5] = 0x00;
427 sd->scr[6] = 0x00;
428 sd->scr[7] = 0x00;
429 }
430
431 /* Card IDentification register */
432
433 #define MID 0xaa
434 #define OID "XY"
435 #define PNM "QEMU!"
436 #define PRV 0x01
437 #define MDT_YR 2006
438 #define MDT_MON 2
439
sd_set_cid(SDState * sd)440 static void sd_set_cid(SDState *sd)
441 {
442 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
443 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
444 sd->cid[2] = OID[1];
445 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
446 sd->cid[4] = PNM[1];
447 sd->cid[5] = PNM[2];
448 sd->cid[6] = PNM[3];
449 sd->cid[7] = PNM[4];
450 sd->cid[8] = PRV; /* Fake product revision (PRV) */
451 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
452 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
453 ((MDT_YR - 2000) / 10);
454 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
455 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
456 }
457
emmc_set_cid(SDState * sd)458 static void emmc_set_cid(SDState *sd)
459 {
460 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
461 sd->cid[1] = 0b01; /* CBX: soldered BGA */
462 sd->cid[2] = OID[0]; /* OEM/Application ID (OID) */
463 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
464 sd->cid[4] = PNM[1];
465 sd->cid[5] = PNM[2];
466 sd->cid[6] = PNM[3];
467 sd->cid[7] = PNM[4];
468 sd->cid[8] = PNM[4];
469 sd->cid[9] = PRV; /* Fake product revision (PRV) */
470 stl_be_p(&sd->cid[10], 0xdeadbeef); /* Fake serial number (PSN) */
471 sd->cid[14] = (MDT_MON << 4) | (MDT_YR - 1997); /* Manufacture date (MDT) */
472 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
473 }
474
475 /* Card-Specific Data register */
476
477 #define HWBLOCK_SHIFT 9 /* 512 bytes */
478 #define SECTOR_SHIFT 5 /* 16 kilobytes */
479 #define WPGROUP_SHIFT 7 /* 2 megs */
480 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
481 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
482
483 static const uint8_t sd_csd_rw_mask[16] = {
484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
485 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
486 };
487
emmc_set_ext_csd(SDState * sd,uint64_t size)488 static void emmc_set_ext_csd(SDState *sd, uint64_t size)
489 {
490 uint32_t sectcount = size >> HWBLOCK_SHIFT;
491
492 memset(sd->ext_csd, 0, sizeof(sd->ext_csd)); /* FIXME only RW at reset */
493
494 /* Properties segment (RO) */
495 sd->ext_csd[EXT_CSD_S_CMD_SET] = 0b1; /* supported command sets */
496 sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x0; /* Boot information */
497 /* Boot partition size. 128KB unit */
498 sd->ext_csd[EXT_CSD_BOOT_MULT] = sd->boot_part_size / (128 * KiB);
499 sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x1; /* Access size */
500 sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x01; /* HC Erase unit size */
501 sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x01; /* HC erase timeout */
502 sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */
503 sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x01; /* HC write protect group size */
504 sd->ext_csd[EXT_CSD_S_C_VCC] = 0x01; /* Sleep current VCC */
505 sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x01; /* Sleep current VCCQ */
506 sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x01; /* Sleep/Awake timeout */
507 stl_le_p(&sd->ext_csd[EXT_CSD_SEC_CNT], sectcount); /* Sector count */
508 sd->ext_csd[210] = 0x46; /* Min write perf for 8bit@52Mhz */
509 sd->ext_csd[209] = 0x46; /* Min read perf for 8bit@52Mhz */
510 sd->ext_csd[208] = 0x46; /* Min write perf for 4bit@52Mhz */
511 sd->ext_csd[207] = 0x46; /* Min read perf for 4bit@52Mhz */
512 sd->ext_csd[206] = 0x46; /* Min write perf for 4bit@26Mhz */
513 sd->ext_csd[205] = 0x46; /* Min read perf for 4bit@26Mhz */
514 sd->ext_csd[EXT_CSD_CARD_TYPE] = 0b11;
515 sd->ext_csd[EXT_CSD_STRUCTURE] = 2;
516 sd->ext_csd[EXT_CSD_REV] = 3;
517
518 /* Mode segment (RW) */
519 sd->ext_csd[EXT_CSD_PART_CONFIG] = sd->boot_config;
520 }
521
emmc_set_csd(SDState * sd,uint64_t size)522 static void emmc_set_csd(SDState *sd, uint64_t size)
523 {
524 int hwblock_shift = HWBLOCK_SHIFT;
525 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
526 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
527
528 sd->csd[0] = (3 << 6) | (4 << 2); /* Spec v4.3 with EXT_CSD */
529 sd->csd[1] = (1 << 3) | 6; /* Asynchronous data access time: 1ms */
530 sd->csd[2] = 0x00;
531 sd->csd[3] = (1 << 3) | 3;; /* Maximum bus clock frequency: 100MHz */
532 sd->csd[4] = 0x0f;
533 if (size <= 2 * GiB) {
534 /* use 1k blocks */
535 uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1;
536 sd->csd[5] = 0x5a;
537 sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf);
538 sd->csd[7] = (csize1k >> 2) & 0xff;
539 } else { /* >= 2GB : size stored in ext CSD, block addressing */
540 sd->csd[5] = 0x59;
541 sd->csd[6] = 0x8f;
542 sd->csd[7] = 0xff;
543 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
544 }
545 sd->csd[8] = 0xff;
546 sd->csd[9] = 0xfc | /* Max. write current */
547 ((CMULT_SHIFT - 2) >> 1);
548 sd->csd[10] = 0x40 | /* Erase sector size */
549 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
550 sd->csd[11] = 0x00 | /* Write protect group size */
551 ((sectsize << 7) & 0x80) | wpsize;
552 sd->csd[12] = 0x90 | /* Write speed factor */
553 (hwblock_shift >> 2);
554 sd->csd[13] = 0x20 | /* Max. write data block length */
555 ((hwblock_shift << 6) & 0xc0);
556 sd->csd[14] = 0x00;
557 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
558 emmc_set_ext_csd(sd, size);
559 }
560
sd_set_csd(SDState * sd,uint64_t size)561 static void sd_set_csd(SDState *sd, uint64_t size)
562 {
563 int hwblock_shift = HWBLOCK_SHIFT;
564 uint32_t csize;
565 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
566 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
567
568 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
569 if (size == SDSC_MAX_CAPACITY) {
570 hwblock_shift += 1;
571 }
572 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
573
574 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
575 sd->csd[0] = 0x00; /* CSD structure */
576 sd->csd[1] = 0x26; /* Data read access-time-1 */
577 sd->csd[2] = 0x00; /* Data read access-time-2 */
578 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
579 sd->csd[4] = 0x5f; /* Card Command Classes */
580 sd->csd[5] = 0x50 | /* Max. read data block length */
581 hwblock_shift;
582 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
583 ((csize >> 10) & 0x03);
584 sd->csd[7] = 0x00 | /* Device size */
585 ((csize >> 2) & 0xff);
586 sd->csd[8] = 0x3f | /* Max. read current */
587 ((csize << 6) & 0xc0);
588 sd->csd[9] = 0xfc | /* Max. write current */
589 ((CMULT_SHIFT - 2) >> 1);
590 sd->csd[10] = 0x40 | /* Erase sector size */
591 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
592 sd->csd[11] = 0x00 | /* Write protect group size */
593 ((sectsize << 7) & 0x80) | wpsize;
594 sd->csd[12] = 0x90 | /* Write speed factor */
595 (hwblock_shift >> 2);
596 sd->csd[13] = 0x20 | /* Max. write data block length */
597 ((hwblock_shift << 6) & 0xc0);
598 sd->csd[14] = 0x00; /* File format group */
599 } else { /* SDHC */
600 size /= 512 * KiB;
601 size -= 1;
602 sd->csd[0] = 0x40;
603 sd->csd[1] = 0x0e;
604 sd->csd[2] = 0x00;
605 sd->csd[3] = 0x32;
606 sd->csd[4] = 0x5b;
607 sd->csd[5] = 0x59;
608 sd->csd[6] = 0x00;
609 st24_be_p(&sd->csd[7], size);
610 sd->csd[10] = 0x7f;
611 sd->csd[11] = 0x80;
612 sd->csd[12] = 0x0a;
613 sd->csd[13] = 0x40;
614 sd->csd[14] = 0x00;
615 }
616 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
617 }
618
619 /* Relative Card Address register */
620
sd_set_rca(SDState * sd,uint16_t value)621 static void sd_set_rca(SDState *sd, uint16_t value)
622 {
623 trace_sdcard_set_rca(value);
624 sd->rca = value;
625 }
626
sd_req_get_rca(SDState * s,SDRequest req)627 static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
628 {
629 switch (s->proto->cmd[req.cmd].type) {
630 case sd_ac:
631 case sd_adtc:
632 return req.arg >> 16;
633 case sd_spi:
634 default:
635 g_assert_not_reached();
636 }
637 }
638
sd_req_rca_same(SDState * s,SDRequest req)639 static bool sd_req_rca_same(SDState *s, SDRequest req)
640 {
641 return sd_req_get_rca(s, req) == s->rca;
642 }
643
644 /* Card Status register */
645
646 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
647 FIELD(CSR, APP_CMD, 5, 1)
648 FIELD(CSR, FX_EVENT, 6, 1)
649 FIELD(CSR, SWITCH_ERROR, 7, 1)
650 FIELD(CSR, READY_FOR_DATA, 8, 1)
651 FIELD(CSR, CURRENT_STATE, 9, 4)
652 FIELD(CSR, ERASE_RESET, 13, 1)
653 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
654 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
655 FIELD(CSR, CSD_OVERWRITE, 16, 1)
656 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
657 FIELD(CSR, ERROR, 19, 1)
658 FIELD(CSR, CC_ERROR, 20, 1)
659 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
660 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
661 FIELD(CSR, COM_CRC_ERROR, 23, 1)
662 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
663 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
664 FIELD(CSR, WP_VIOLATION, 26, 1)
665 FIELD(CSR, ERASE_PARAM, 27, 1)
666 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
667 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
668 FIELD(CSR, ADDRESS_ERROR, 30, 1)
669 FIELD(CSR, OUT_OF_RANGE, 31, 1)
670
671 /* Card status bits, split by clear condition:
672 * A : According to the card current state
673 * B : Always related to the previous command
674 * C : Cleared by read
675 */
676 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
677 | R_CSR_CARD_ECC_DISABLED_MASK \
678 | R_CSR_CARD_IS_LOCKED_MASK)
679 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
680 | R_CSR_ILLEGAL_COMMAND_MASK \
681 | R_CSR_COM_CRC_ERROR_MASK)
682 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
683 | R_CSR_APP_CMD_MASK \
684 | R_CSR_ERASE_RESET_MASK \
685 | R_CSR_WP_ERASE_SKIP_MASK \
686 | R_CSR_CSD_OVERWRITE_MASK \
687 | R_CSR_ERROR_MASK \
688 | R_CSR_CC_ERROR_MASK \
689 | R_CSR_CARD_ECC_FAILED_MASK \
690 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
691 | R_CSR_WP_VIOLATION_MASK \
692 | R_CSR_ERASE_PARAM_MASK \
693 | R_CSR_ERASE_SEQ_ERROR_MASK \
694 | R_CSR_BLOCK_LEN_ERROR_MASK \
695 | R_CSR_ADDRESS_ERROR_MASK \
696 | R_CSR_OUT_OF_RANGE_MASK)
697
sd_set_cardstatus(SDState * sd)698 static void sd_set_cardstatus(SDState *sd)
699 {
700 sd->card_status = READY_FOR_DATA;
701 }
702
sd_set_sdstatus(SDState * sd)703 static void sd_set_sdstatus(SDState *sd)
704 {
705 memset(sd->sd_status, 0, 64);
706 }
707
708 static const uint8_t sd_tuning_block_pattern4[64] = {
709 /*
710 * See: Physical Layer Simplified Specification Version 3.01,
711 * Table 4-2.
712 */
713 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
714 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
715 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
716 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
717 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
718 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
719 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
720 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde
721 };
722
sd_req_crc_validate(SDRequest * req)723 static int sd_req_crc_validate(SDRequest *req)
724 {
725 uint8_t buffer[5];
726 buffer[0] = 0x40 | req->cmd;
727 stl_be_p(&buffer[1], req->arg);
728 return 0;
729 return sd_crc7(buffer, 5) != req->crc; /* TODO */
730 }
731
sd_response_r1_make(SDState * sd,uint8_t * response)732 static void sd_response_r1_make(SDState *sd, uint8_t *response)
733 {
734 stl_be_p(response, sd->card_status);
735
736 /* Clear the "clear on read" status bits */
737 sd->card_status &= ~CARD_STATUS_C;
738 }
739
sd_response_r3_make(SDState * sd,uint8_t * response)740 static void sd_response_r3_make(SDState *sd, uint8_t *response)
741 {
742 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
743 }
744
sd_response_r6_make(SDState * sd,uint8_t * response)745 static void sd_response_r6_make(SDState *sd, uint8_t *response)
746 {
747 uint16_t status;
748
749 status = ((sd->card_status >> 8) & 0xc000) |
750 ((sd->card_status >> 6) & 0x2000) |
751 (sd->card_status & 0x1fff);
752 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
753 stw_be_p(response + 0, sd->rca);
754 stw_be_p(response + 2, status);
755 }
756
sd_response_r7_make(SDState * sd,uint8_t * response)757 static void sd_response_r7_make(SDState *sd, uint8_t *response)
758 {
759 stl_be_p(response, sd->vhs);
760 }
761
sd_blk_len(SDState * sd)762 static uint32_t sd_blk_len(SDState *sd)
763 {
764 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
765 return 1 << HWBLOCK_SHIFT;
766 }
767 return sd->blk_len;
768 }
769
770 /*
771 * This requires a disk image that has two boot partitions inserted at the
772 * beginning of it. The size of the boot partitions is the "boot-size"
773 * property.
774 */
sd_bootpart_offset(SDState * sd)775 static uint32_t sd_bootpart_offset(SDState *sd)
776 {
777 unsigned partition_access;
778
779 if (!sd->boot_part_size || !sd_is_emmc(sd)) {
780 return 0;
781 }
782
783 partition_access = sd->ext_csd[EXT_CSD_PART_CONFIG]
784 & EXT_CSD_PART_CONFIG_ACC_MASK;
785 switch (partition_access) {
786 case EXT_CSD_PART_CONFIG_ACC_DEFAULT:
787 return sd->boot_part_size * 2;
788 case EXT_CSD_PART_CONFIG_ACC_BOOT0:
789 return 0;
790 case EXT_CSD_PART_CONFIG_ACC_BOOT0 + 1:
791 return sd->boot_part_size * 1;
792 default:
793 g_assert_not_reached();
794 }
795 }
796
sd_req_get_address(SDState * sd,SDRequest req)797 static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
798 {
799 uint64_t addr;
800
801 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
802 addr = (uint64_t) req.arg << HWBLOCK_SHIFT;
803 } else {
804 addr = req.arg;
805 }
806 trace_sdcard_req_addr(req.arg, addr);
807 return addr;
808 }
809
sd_addr_to_wpnum(uint64_t addr)810 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
811 {
812 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
813 }
814
sd_reset(DeviceState * dev)815 static void sd_reset(DeviceState *dev)
816 {
817 SDState *sd = SDMMC_COMMON(dev);
818 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd);
819 uint64_t size;
820 uint64_t sect;
821
822 trace_sdcard_reset();
823 if (sd->blk) {
824 blk_get_geometry(sd->blk, §);
825 } else {
826 sect = 0;
827 }
828 size = sect << HWBLOCK_SHIFT;
829 if (sd_is_emmc(sd)) {
830 size -= sd->boot_part_size * 2;
831 }
832
833 sect = sd_addr_to_wpnum(size) + 1;
834
835 sd->state = sd_idle_state;
836
837 /* card registers */
838 sd->rca = sd_is_emmc(sd) ? 0x0001 : 0x0000;
839 sd->size = size;
840 sd_set_ocr(sd);
841 sd_set_scr(sd);
842 sc->set_cid(sd);
843 sc->set_csd(sd, size);
844 sd_set_cardstatus(sd);
845 sd_set_sdstatus(sd);
846
847 g_free(sd->wp_group_bmap);
848 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
849 sd->wp_group_bits = sect;
850 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
851 memset(sd->function_group, 0, sizeof(sd->function_group));
852 sd->erase_start = INVALID_ADDRESS;
853 sd->erase_end = INVALID_ADDRESS;
854 sd->blk_len = 0x200;
855 sd->pwd_len = 0;
856 sd->expecting_acmd = false;
857 sd->dat_lines = 0xf;
858 sd->cmd_line = true;
859 sd->multi_blk_cnt = 0;
860 }
861
sd_get_inserted(SDState * sd)862 static bool sd_get_inserted(SDState *sd)
863 {
864 return sd->blk && blk_is_inserted(sd->blk);
865 }
866
sd_get_readonly(SDState * sd)867 static bool sd_get_readonly(SDState *sd)
868 {
869 return sd->wp_switch;
870 }
871
sd_cardchange(void * opaque,bool load,Error ** errp)872 static void sd_cardchange(void *opaque, bool load, Error **errp)
873 {
874 SDState *sd = opaque;
875 DeviceState *dev = DEVICE(sd);
876 SDBus *sdbus;
877 bool inserted = sd_get_inserted(sd);
878 bool readonly = sd_get_readonly(sd);
879
880 if (inserted) {
881 trace_sdcard_inserted(readonly);
882 sd_reset(dev);
883 } else {
884 trace_sdcard_ejected();
885 }
886
887 sdbus = SD_BUS(qdev_get_parent_bus(dev));
888 sdbus_set_inserted(sdbus, inserted);
889 if (inserted) {
890 sdbus_set_readonly(sdbus, readonly);
891 }
892 }
893
894 static const BlockDevOps sd_block_ops = {
895 .change_media_cb = sd_cardchange,
896 };
897
sd_ocr_vmstate_needed(void * opaque)898 static bool sd_ocr_vmstate_needed(void *opaque)
899 {
900 SDState *sd = opaque;
901
902 /* Include the OCR state (and timer) if it is not yet powered up */
903 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
904 }
905
906 static const VMStateDescription sd_ocr_vmstate = {
907 .name = "sd-card/ocr-state",
908 .version_id = 1,
909 .minimum_version_id = 1,
910 .needed = sd_ocr_vmstate_needed,
911 .fields = (const VMStateField[]) {
912 VMSTATE_UINT32(ocr, SDState),
913 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
914 VMSTATE_END_OF_LIST()
915 },
916 };
917
vmstate_needed_for_emmc(void * opaque)918 static bool vmstate_needed_for_emmc(void *opaque)
919 {
920 SDState *sd = opaque;
921
922 return sd_is_emmc(sd);
923 }
924
925 static const VMStateDescription emmc_extcsd_vmstate = {
926 .name = "sd-card/ext_csd_modes-state",
927 .version_id = 1,
928 .minimum_version_id = 1,
929 .needed = vmstate_needed_for_emmc,
930 .fields = (const VMStateField[]) {
931 VMSTATE_UINT8_ARRAY(ext_csd_rw, SDState, 192),
932 VMSTATE_END_OF_LIST()
933 },
934 };
935
sd_vmstate_pre_load(void * opaque)936 static int sd_vmstate_pre_load(void *opaque)
937 {
938 SDState *sd = opaque;
939
940 /* If the OCR state is not included (prior versions, or not
941 * needed), then the OCR must be set as powered up. If the OCR state
942 * is included, this will be replaced by the state restore.
943 */
944 sd_ocr_powerup(sd);
945
946 return 0;
947 }
948
949 static const VMStateDescription sd_vmstate = {
950 .name = "sd-card",
951 .version_id = 2,
952 .minimum_version_id = 2,
953 .pre_load = sd_vmstate_pre_load,
954 .fields = (const VMStateField[]) {
955 VMSTATE_UINT32(mode, SDState),
956 VMSTATE_INT32(state, SDState),
957 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
958 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
959 VMSTATE_UINT16(rca, SDState),
960 VMSTATE_UINT32(card_status, SDState),
961 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
962 VMSTATE_UINT32(vhs, SDState),
963 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
964 VMSTATE_UINT32(blk_len, SDState),
965 VMSTATE_UINT32(multi_blk_cnt, SDState),
966 VMSTATE_UINT32(erase_start, SDState),
967 VMSTATE_UINT32(erase_end, SDState),
968 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
969 VMSTATE_UINT32(pwd_len, SDState),
970 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
971 VMSTATE_UINT8(current_cmd, SDState),
972 VMSTATE_BOOL(expecting_acmd, SDState),
973 VMSTATE_UINT32(blk_written, SDState),
974 VMSTATE_UINT64(data_start, SDState),
975 VMSTATE_UINT32(data_offset, SDState),
976 VMSTATE_UINT8_ARRAY(data, SDState, 512),
977 VMSTATE_UNUSED_V(1, 512),
978 VMSTATE_UNUSED(1),
979 VMSTATE_END_OF_LIST()
980 },
981 .subsections = (const VMStateDescription * const []) {
982 &sd_ocr_vmstate,
983 &emmc_extcsd_vmstate,
984 NULL
985 },
986 };
987
sd_blk_read(SDState * sd,uint64_t addr,uint32_t len)988 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
989 {
990 trace_sdcard_read_block(addr, len);
991 addr += sd_bootpart_offset(sd);
992 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
993 fprintf(stderr, "sd_blk_read: read error on host side\n");
994 }
995 }
996
sd_blk_write(SDState * sd,uint64_t addr,uint32_t len)997 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
998 {
999 trace_sdcard_write_block(addr, len);
1000 addr += sd_bootpart_offset(sd);
1001 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
1002 fprintf(stderr, "sd_blk_write: write error on host side\n");
1003 }
1004 }
1005
sd_erase(SDState * sd)1006 static void sd_erase(SDState *sd)
1007 {
1008 uint64_t erase_start = sd->erase_start;
1009 uint64_t erase_end = sd->erase_end;
1010 bool sdsc = true;
1011 uint64_t wpnum;
1012 uint64_t erase_addr;
1013 int erase_len = 1 << HWBLOCK_SHIFT;
1014
1015 trace_sdcard_erase(sd->erase_start, sd->erase_end);
1016 if (sd->erase_start == INVALID_ADDRESS
1017 || sd->erase_end == INVALID_ADDRESS) {
1018 sd->card_status |= ERASE_SEQ_ERROR;
1019 sd->erase_start = INVALID_ADDRESS;
1020 sd->erase_end = INVALID_ADDRESS;
1021 return;
1022 }
1023
1024 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
1025 /* High capacity memory card: erase units are 512 byte blocks */
1026 erase_start <<= HWBLOCK_SHIFT;
1027 erase_end <<= HWBLOCK_SHIFT;
1028 sdsc = false;
1029 }
1030
1031 if (erase_start > sd->size || erase_end > sd->size) {
1032 sd->card_status |= OUT_OF_RANGE;
1033 sd->erase_start = INVALID_ADDRESS;
1034 sd->erase_end = INVALID_ADDRESS;
1035 return;
1036 }
1037
1038 sd->erase_start = INVALID_ADDRESS;
1039 sd->erase_end = INVALID_ADDRESS;
1040 sd->csd[14] |= 0x40;
1041
1042 memset(sd->data, 0xff, erase_len);
1043 for (erase_addr = erase_start; erase_addr <= erase_end;
1044 erase_addr += erase_len) {
1045 if (sdsc) {
1046 /* Only SDSC cards support write protect groups */
1047 wpnum = sd_addr_to_wpnum(erase_addr);
1048 assert(wpnum < sd->wp_group_bits);
1049 if (test_bit(wpnum, sd->wp_group_bmap)) {
1050 sd->card_status |= WP_ERASE_SKIP;
1051 continue;
1052 }
1053 }
1054 sd_blk_write(sd, erase_addr, erase_len);
1055 }
1056 }
1057
sd_wpbits(SDState * sd,uint64_t addr)1058 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
1059 {
1060 uint32_t i, wpnum;
1061 uint32_t ret = 0;
1062
1063 wpnum = sd_addr_to_wpnum(addr);
1064
1065 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
1066 if (addr >= sd->size) {
1067 /*
1068 * If the addresses of the last groups are outside the valid range,
1069 * then the corresponding write protection bits shall be set to 0.
1070 */
1071 continue;
1072 }
1073 assert(wpnum < sd->wp_group_bits);
1074 if (test_bit(wpnum, sd->wp_group_bmap)) {
1075 ret |= (1 << i);
1076 }
1077 }
1078
1079 return ret;
1080 }
1081
1082 enum ExtCsdAccessMode {
1083 EXT_CSD_ACCESS_MODE_COMMAND_SET = 0,
1084 EXT_CSD_ACCESS_MODE_SET_BITS = 1,
1085 EXT_CSD_ACCESS_MODE_CLEAR_BITS = 2,
1086 EXT_CSD_ACCESS_MODE_WRITE_BYTE = 3
1087 };
1088
emmc_function_switch(SDState * sd,uint32_t arg)1089 static void emmc_function_switch(SDState *sd, uint32_t arg)
1090 {
1091 uint8_t access = extract32(arg, 24, 2);
1092 uint8_t index = extract32(arg, 16, 8);
1093 uint8_t value = extract32(arg, 8, 8);
1094 uint8_t b = sd->ext_csd[index];
1095
1096 trace_sdcard_switch(access, index, value, extract32(arg, 0, 2));
1097
1098 if (index >= 192) {
1099 qemu_log_mask(LOG_GUEST_ERROR, "MMC switching illegal offset\n");
1100 sd->card_status |= R_CSR_SWITCH_ERROR_MASK;
1101 return;
1102 }
1103
1104 switch (access) {
1105 case EXT_CSD_ACCESS_MODE_COMMAND_SET:
1106 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n");
1107 return;
1108 case EXT_CSD_ACCESS_MODE_SET_BITS:
1109 b |= value;
1110 break;
1111 case EXT_CSD_ACCESS_MODE_CLEAR_BITS:
1112 b &= ~value;
1113 break;
1114 case EXT_CSD_ACCESS_MODE_WRITE_BYTE:
1115 b = value;
1116 break;
1117 }
1118
1119 trace_sdcard_ext_csd_update(index, sd->ext_csd[index], b);
1120 sd->ext_csd[index] = b;
1121 }
1122
sd_function_switch(SDState * sd,uint32_t arg)1123 static void sd_function_switch(SDState *sd, uint32_t arg)
1124 {
1125 int i, mode, new_func;
1126 mode = !!(arg & 0x80000000);
1127
1128 sd->data[0] = 0x00; /* Maximum current consumption */
1129 sd->data[1] = 0x01;
1130 sd->data[2] = 0x80; /* Supported group 6 functions */
1131 sd->data[3] = 0x01;
1132 sd->data[4] = 0x80; /* Supported group 5 functions */
1133 sd->data[5] = 0x01;
1134 sd->data[6] = 0x80; /* Supported group 4 functions */
1135 sd->data[7] = 0x01;
1136 sd->data[8] = 0x80; /* Supported group 3 functions */
1137 sd->data[9] = 0x01;
1138 sd->data[10] = 0x80; /* Supported group 2 functions */
1139 sd->data[11] = 0x43;
1140 sd->data[12] = 0x80; /* Supported group 1 functions */
1141 sd->data[13] = 0x03;
1142
1143 memset(&sd->data[14], 0, 3);
1144 for (i = 0; i < 6; i ++) {
1145 new_func = (arg >> (i * 4)) & 0x0f;
1146 if (mode && new_func != 0x0f)
1147 sd->function_group[i] = new_func;
1148 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
1149 }
1150 memset(&sd->data[17], 0, 47);
1151 }
1152
sd_wp_addr(SDState * sd,uint64_t addr)1153 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
1154 {
1155 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1156 }
1157
sd_lock_command(SDState * sd)1158 static void sd_lock_command(SDState *sd)
1159 {
1160 int erase, lock, clr_pwd, set_pwd, pwd_len;
1161 erase = !!(sd->data[0] & 0x08);
1162 lock = sd->data[0] & 0x04;
1163 clr_pwd = sd->data[0] & 0x02;
1164 set_pwd = sd->data[0] & 0x01;
1165
1166 if (sd->blk_len > 1)
1167 pwd_len = sd->data[1];
1168 else
1169 pwd_len = 0;
1170
1171 if (lock) {
1172 trace_sdcard_lock();
1173 } else {
1174 trace_sdcard_unlock();
1175 }
1176 if (erase) {
1177 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
1178 set_pwd || clr_pwd || lock || sd->wp_switch ||
1179 (sd->csd[14] & 0x20)) {
1180 sd->card_status |= LOCK_UNLOCK_FAILED;
1181 return;
1182 }
1183 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
1184 sd->csd[14] &= ~0x10;
1185 sd->card_status &= ~CARD_IS_LOCKED;
1186 sd->pwd_len = 0;
1187 /* Erasing the entire card here! */
1188 fprintf(stderr, "SD: Card force-erased by CMD42\n");
1189 return;
1190 }
1191
1192 if (sd->blk_len < 2 + pwd_len ||
1193 pwd_len <= sd->pwd_len ||
1194 pwd_len > sd->pwd_len + 16) {
1195 sd->card_status |= LOCK_UNLOCK_FAILED;
1196 return;
1197 }
1198
1199 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
1200 sd->card_status |= LOCK_UNLOCK_FAILED;
1201 return;
1202 }
1203
1204 pwd_len -= sd->pwd_len;
1205 if ((pwd_len && !set_pwd) ||
1206 (clr_pwd && (set_pwd || lock)) ||
1207 (lock && !sd->pwd_len && !set_pwd) ||
1208 (!set_pwd && !clr_pwd &&
1209 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
1210 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
1211 sd->card_status |= LOCK_UNLOCK_FAILED;
1212 return;
1213 }
1214
1215 if (set_pwd) {
1216 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
1217 sd->pwd_len = pwd_len;
1218 }
1219
1220 if (clr_pwd) {
1221 sd->pwd_len = 0;
1222 }
1223
1224 if (lock)
1225 sd->card_status |= CARD_IS_LOCKED;
1226 else
1227 sd->card_status &= ~CARD_IS_LOCKED;
1228 }
1229
address_in_range(SDState * sd,const char * desc,uint64_t addr,uint32_t length)1230 static bool address_in_range(SDState *sd, const char *desc,
1231 uint64_t addr, uint32_t length)
1232 {
1233 if (addr + length > sd->size) {
1234 qemu_log_mask(LOG_GUEST_ERROR,
1235 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
1236 desc, addr, sd->size, length);
1237 sd->card_status |= ADDRESS_ERROR;
1238 return false;
1239 }
1240 return true;
1241 }
1242
sd_invalid_state_for_cmd(SDState * sd,SDRequest req)1243 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
1244 {
1245 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
1246 sd->proto->name, req.cmd, sd_state_name(sd->state),
1247 sd_version_str(sd->spec_version));
1248
1249 return sd_illegal;
1250 }
1251
sd_invalid_mode_for_cmd(SDState * sd,SDRequest req)1252 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
1253 {
1254 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
1255 sd->proto->name, req.cmd, sd_mode_name(sd->mode),
1256 sd_version_str(sd->spec_version));
1257
1258 return sd_illegal;
1259 }
1260
sd_cmd_illegal(SDState * sd,SDRequest req)1261 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
1262 {
1263 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
1264 sd->proto->name, req.cmd,
1265 sd_version_str(sd->spec_version));
1266
1267 return sd_illegal;
1268 }
1269
1270 /* Commands that are recognised but not yet implemented. */
sd_cmd_unimplemented(SDState * sd,SDRequest req)1271 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
1272 {
1273 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
1274 sd->proto->name, req.cmd);
1275
1276 return sd_illegal;
1277 }
1278
sd_cmd_optional(SDState * sd,SDRequest req)1279 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req)
1280 {
1281 qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n",
1282 sd->proto->name, req.cmd);
1283
1284 return sd_illegal;
1285 }
1286
1287 /* Configure fields for following sd_generic_write_byte() calls */
sd_cmd_to_receivingdata(SDState * sd,SDRequest req,uint64_t start,size_t size)1288 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req,
1289 uint64_t start, size_t size)
1290 {
1291 if (sd->state != sd_transfer_state) {
1292 return sd_invalid_state_for_cmd(sd, req);
1293 }
1294 sd->state = sd_receivingdata_state;
1295 sd->data_start = start;
1296 sd->data_offset = 0;
1297 /* sd->data[] used as receive buffer */
1298 sd->data_size = size ?: sizeof(sd->data);
1299 return sd_r1;
1300 }
1301
1302 /* Configure fields for following sd_generic_read_byte() calls */
sd_cmd_to_sendingdata(SDState * sd,SDRequest req,uint64_t start,const void * data,size_t size)1303 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req,
1304 uint64_t start,
1305 const void *data, size_t size)
1306 {
1307 if (sd->state != sd_transfer_state) {
1308 sd_invalid_state_for_cmd(sd, req);
1309 }
1310
1311 sd->state = sd_sendingdata_state;
1312 sd->data_start = start;
1313 sd->data_offset = 0;
1314 if (data) {
1315 assert(size > 0 && size <= sizeof(sd->data));
1316 memcpy(sd->data, data, size);
1317 }
1318 if (size) {
1319 sd->data_size = size;
1320 }
1321 return sd_r1;
1322 }
1323
1324 /* CMD0 */
sd_cmd_GO_IDLE_STATE(SDState * sd,SDRequest req)1325 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
1326 {
1327 if (sd->state == sd_sleep_state) {
1328 switch (req.arg) {
1329 case 0x00000000:
1330 case 0xf0f0f0f0:
1331 break;
1332 default:
1333 return sd_r0;
1334 }
1335 }
1336 if (sd->state != sd_inactive_state) {
1337 sd->state = sd_idle_state;
1338 sd_reset(DEVICE(sd));
1339 }
1340
1341 return sd_is_spi(sd) ? sd_r1 : sd_r0;
1342 }
1343
1344 /* CMD1 */
spi_cmd_SEND_OP_COND(SDState * sd,SDRequest req)1345 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1346 {
1347 sd->state = sd_transfer_state;
1348
1349 return sd_r1;
1350 }
1351
1352 /* CMD2 */
sd_cmd_ALL_SEND_CID(SDState * sd,SDRequest req)1353 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
1354 {
1355 switch (sd->state) {
1356 case sd_ready_state:
1357 sd->state = sd_identification_state;
1358 return sd_r2_i;
1359 default:
1360 return sd_invalid_state_for_cmd(sd, req);
1361 }
1362 }
1363
1364 /* CMD3 */
sd_cmd_SEND_RELATIVE_ADDR(SDState * sd,SDRequest req)1365 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
1366 {
1367 uint16_t random_rca;
1368
1369 switch (sd->state) {
1370 case sd_identification_state:
1371 case sd_standby_state:
1372 sd->state = sd_standby_state;
1373 qemu_guest_getrandom_nofail(&random_rca, sizeof(random_rca));
1374 sd_set_rca(sd, random_rca);
1375 return sd_r6;
1376
1377 default:
1378 return sd_invalid_state_for_cmd(sd, req);
1379 }
1380 }
1381
emmc_cmd_SET_RELATIVE_ADDR(SDState * sd,SDRequest req)1382 static sd_rsp_type_t emmc_cmd_SET_RELATIVE_ADDR(SDState *sd, SDRequest req)
1383 {
1384 switch (sd->state) {
1385 case sd_identification_state:
1386 case sd_standby_state:
1387 sd->state = sd_standby_state;
1388 sd_set_rca(sd, req.arg >> 16);
1389 return sd_r1;
1390
1391 default:
1392 return sd_invalid_state_for_cmd(sd, req);
1393 }
1394 }
1395
1396 /* CMD5 */
emmc_cmd_sleep_awake(SDState * sd,SDRequest req)1397 static sd_rsp_type_t emmc_cmd_sleep_awake(SDState *sd, SDRequest req)
1398 {
1399 bool do_sleep = extract32(req.arg, 15, 1);
1400
1401 switch (sd->state) {
1402 case sd_sleep_state:
1403 if (!do_sleep) {
1404 /* Awake */
1405 sd->state = sd_standby_state;
1406 }
1407 return sd_r1b;
1408
1409 case sd_standby_state:
1410 if (do_sleep) {
1411 sd->state = sd_sleep_state;
1412 }
1413 return sd_r1b;
1414
1415 default:
1416 return sd_invalid_state_for_cmd(sd, req);
1417 }
1418 }
1419
1420 /* CMD6 */
sd_cmd_SWITCH_FUNCTION(SDState * sd,SDRequest req)1421 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req)
1422 {
1423 if (sd->mode != sd_data_transfer_mode) {
1424 return sd_invalid_mode_for_cmd(sd, req);
1425 }
1426 if (sd->state != sd_transfer_state) {
1427 return sd_invalid_state_for_cmd(sd, req);
1428 }
1429
1430 sd_function_switch(sd, req.arg);
1431 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64);
1432 }
1433
emmc_cmd_SWITCH(SDState * sd,SDRequest req)1434 static sd_rsp_type_t emmc_cmd_SWITCH(SDState *sd, SDRequest req)
1435 {
1436 switch (sd->state) {
1437 case sd_transfer_state:
1438 sd->state = sd_programming_state;
1439 emmc_function_switch(sd, req.arg);
1440 sd->state = sd_transfer_state;
1441 return sd_r1b;
1442 default:
1443 return sd_invalid_state_for_cmd(sd, req);
1444 }
1445 }
1446
1447 /* CMD7 */
sd_cmd_DE_SELECT_CARD(SDState * sd,SDRequest req)1448 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req)
1449 {
1450 bool same_rca = sd_req_rca_same(sd, req);
1451
1452 switch (sd->state) {
1453 case sd_standby_state:
1454 if (!same_rca) {
1455 return sd_r0;
1456 }
1457 sd->state = sd_transfer_state;
1458 return sd_r1b;
1459
1460 case sd_transfer_state:
1461 case sd_sendingdata_state:
1462 if (same_rca) {
1463 break;
1464 }
1465 sd->state = sd_standby_state;
1466 return sd_r1b;
1467
1468 case sd_disconnect_state:
1469 if (!same_rca) {
1470 return sd_r0;
1471 }
1472 sd->state = sd_programming_state;
1473 return sd_r1b;
1474
1475 case sd_programming_state:
1476 if (same_rca) {
1477 break;
1478 }
1479 sd->state = sd_disconnect_state;
1480 return sd_r1b;
1481
1482 default:
1483 break;
1484 }
1485 return sd_invalid_state_for_cmd(sd, req);
1486 }
1487
1488 /* CMD8 */
sd_cmd_SEND_IF_COND(SDState * sd,SDRequest req)1489 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req)
1490 {
1491 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1492 return sd_cmd_illegal(sd, req);
1493 }
1494 if (sd->state != sd_idle_state) {
1495 return sd_invalid_state_for_cmd(sd, req);
1496 }
1497 sd->vhs = 0;
1498
1499 /* No response if not exactly one VHS bit is set. */
1500 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1501 return sd_is_spi(sd) ? sd_r7 : sd_r0;
1502 }
1503
1504 /* Accept. */
1505 sd->vhs = req.arg;
1506 return sd_r7;
1507 }
1508
1509 /* CMD8 */
emmc_cmd_SEND_EXT_CSD(SDState * sd,SDRequest req)1510 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req)
1511 {
1512 if (sd->state != sd_transfer_state) {
1513 return sd_invalid_state_for_cmd(sd, req);
1514 }
1515
1516 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1517 sd->ext_csd, sizeof(sd->ext_csd));
1518 }
1519
1520 /* CMD9 */
spi_cmd_SEND_CSD(SDState * sd,SDRequest req)1521 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req)
1522 {
1523 if (sd->state != sd_standby_state) {
1524 return sd_invalid_state_for_cmd(sd, req);
1525 }
1526 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1527 sd->csd, 16);
1528 }
1529
sd_cmd_SEND_CSD(SDState * sd,SDRequest req)1530 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req)
1531 {
1532 if (sd->state != sd_standby_state) {
1533 return sd_invalid_state_for_cmd(sd, req);
1534 }
1535
1536 return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0;
1537 }
1538
1539 /* CMD10 */
spi_cmd_SEND_CID(SDState * sd,SDRequest req)1540 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req)
1541 {
1542 if (sd->state != sd_standby_state) {
1543 return sd_invalid_state_for_cmd(sd, req);
1544 }
1545 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
1546 sd->cid, 16);
1547 }
1548
sd_cmd_SEND_CID(SDState * sd,SDRequest req)1549 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req)
1550 {
1551 if (sd->state != sd_standby_state) {
1552 return sd_invalid_state_for_cmd(sd, req);
1553 }
1554
1555 return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0;
1556 }
1557
1558 /* CMD12 */
sd_cmd_STOP_TRANSMISSION(SDState * sd,SDRequest req)1559 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req)
1560 {
1561 switch (sd->state) {
1562 case sd_sendingdata_state:
1563 sd->state = sd_transfer_state;
1564 return sd_r1b;
1565 case sd_receivingdata_state:
1566 sd->state = sd_programming_state;
1567 /* Bzzzzzzztt .... Operation complete. */
1568 sd->state = sd_transfer_state;
1569 return sd_r1;
1570 default:
1571 return sd_invalid_state_for_cmd(sd, req);
1572 }
1573 }
1574
1575 /* CMD13 */
sd_cmd_SEND_STATUS(SDState * sd,SDRequest req)1576 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req)
1577 {
1578 if (sd->mode != sd_data_transfer_mode) {
1579 return sd_invalid_mode_for_cmd(sd, req);
1580 }
1581
1582 switch (sd->state) {
1583 case sd_standby_state:
1584 case sd_transfer_state:
1585 case sd_sendingdata_state:
1586 case sd_receivingdata_state:
1587 case sd_programming_state:
1588 case sd_disconnect_state:
1589 break;
1590 default:
1591 return sd_invalid_state_for_cmd(sd, req);
1592 }
1593
1594 if (sd_is_spi(sd)) {
1595 return sd_r2_s;
1596 }
1597
1598 return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0;
1599 }
1600
1601 /* CMD15 */
sd_cmd_GO_INACTIVE_STATE(SDState * sd,SDRequest req)1602 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req)
1603 {
1604 if (sd->mode != sd_data_transfer_mode) {
1605 return sd_invalid_mode_for_cmd(sd, req);
1606 }
1607 switch (sd->state) {
1608 case sd_standby_state:
1609 case sd_transfer_state:
1610 case sd_sendingdata_state:
1611 case sd_receivingdata_state:
1612 case sd_programming_state:
1613 case sd_disconnect_state:
1614 break;
1615 default:
1616 return sd_invalid_state_for_cmd(sd, req);
1617 }
1618 if (sd_req_rca_same(sd, req)) {
1619 sd->state = sd_inactive_state;
1620 }
1621
1622 return sd_r0;
1623 }
1624
1625 /* CMD16 */
sd_cmd_SET_BLOCKLEN(SDState * sd,SDRequest req)1626 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req)
1627 {
1628 if (sd->state != sd_transfer_state) {
1629 return sd_invalid_state_for_cmd(sd, req);
1630 }
1631 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1632 sd->card_status |= BLOCK_LEN_ERROR;
1633 } else {
1634 trace_sdcard_set_blocklen(req.arg);
1635 sd->blk_len = req.arg;
1636 }
1637
1638 return sd_r1;
1639 }
1640
1641 /* CMD17 */
sd_cmd_READ_SINGLE_BLOCK(SDState * sd,SDRequest req)1642 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req)
1643 {
1644 uint64_t addr;
1645
1646 if (sd->state != sd_transfer_state) {
1647 return sd_invalid_state_for_cmd(sd, req);
1648 }
1649
1650 addr = sd_req_get_address(sd, req);
1651 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) {
1652 return sd_r1;
1653 }
1654
1655 sd_blk_read(sd, addr, sd->blk_len);
1656 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len);
1657 }
1658
1659 /* CMD19 */
sd_cmd_SEND_TUNING_BLOCK(SDState * sd,SDRequest req)1660 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
1661 {
1662 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1663 return sd_cmd_illegal(sd, req);
1664 }
1665
1666 return sd_cmd_to_sendingdata(sd, req, 0,
1667 sd_tuning_block_pattern4,
1668 sizeof(sd_tuning_block_pattern4));
1669 }
1670
1671 /* CMD23 */
sd_cmd_SET_BLOCK_COUNT(SDState * sd,SDRequest req)1672 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
1673 {
1674 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1675 return sd_cmd_illegal(sd, req);
1676 }
1677
1678 if (sd->state != sd_transfer_state) {
1679 return sd_invalid_state_for_cmd(sd, req);
1680 }
1681
1682 sd->multi_blk_cnt = req.arg;
1683 if (sd_is_emmc(sd)) {
1684 sd->multi_blk_cnt &= 0xffff;
1685 }
1686 trace_sdcard_set_block_count(sd->multi_blk_cnt);
1687
1688 return sd_r1;
1689 }
1690
1691 /* CMD24 */
sd_cmd_WRITE_SINGLE_BLOCK(SDState * sd,SDRequest req)1692 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req)
1693 {
1694 uint64_t addr;
1695
1696 if (sd->state != sd_transfer_state) {
1697 return sd_invalid_state_for_cmd(sd, req);
1698 }
1699
1700 addr = sd_req_get_address(sd, req);
1701 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) {
1702 return sd_r1;
1703 }
1704
1705 if (sd->size <= SDSC_MAX_CAPACITY) {
1706 if (sd_wp_addr(sd, addr)) {
1707 sd->card_status |= WP_VIOLATION;
1708 }
1709 }
1710 if (sd->csd[14] & 0x30) {
1711 sd->card_status |= WP_VIOLATION;
1712 }
1713
1714 sd->blk_written = 0;
1715 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len);
1716 }
1717
1718 /* CMD26 */
emmc_cmd_PROGRAM_CID(SDState * sd,SDRequest req)1719 static sd_rsp_type_t emmc_cmd_PROGRAM_CID(SDState *sd, SDRequest req)
1720 {
1721 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid));
1722 }
1723
1724 /* CMD27 */
sd_cmd_PROGRAM_CSD(SDState * sd,SDRequest req)1725 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req)
1726 {
1727 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd));
1728 }
1729
sd_cmd_SET_CLR_WRITE_PROT(SDState * sd,SDRequest req,bool is_write)1730 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req,
1731 bool is_write)
1732 {
1733 uint64_t addr;
1734
1735 if (sd->size > SDSC_MAX_CAPACITY) {
1736 return sd_illegal;
1737 }
1738
1739 if (sd->state != sd_transfer_state) {
1740 return sd_invalid_state_for_cmd(sd, req);
1741 }
1742
1743 addr = sd_req_get_address(sd, req);
1744 if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT",
1745 addr, 1)) {
1746 return sd_r1b;
1747 }
1748
1749 sd->state = sd_programming_state;
1750 if (is_write) {
1751 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1752 } else {
1753 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1754 }
1755 /* Bzzzzzzztt .... Operation complete. */
1756 sd->state = sd_transfer_state;
1757 return sd_r1;
1758 }
1759
1760 /* CMD28 */
sd_cmd_SET_WRITE_PROT(SDState * sd,SDRequest req)1761 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req)
1762 {
1763 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true);
1764 }
1765
1766 /* CMD29 */
sd_cmd_CLR_WRITE_PROT(SDState * sd,SDRequest req)1767 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req)
1768 {
1769 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false);
1770 }
1771
1772 /* CMD30 */
sd_cmd_SEND_WRITE_PROT(SDState * sd,SDRequest req)1773 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req)
1774 {
1775 uint64_t addr;
1776 uint32_t data;
1777
1778 if (sd->size > SDSC_MAX_CAPACITY) {
1779 return sd_illegal;
1780 }
1781
1782 if (sd->state != sd_transfer_state) {
1783 return sd_invalid_state_for_cmd(sd, req);
1784 }
1785
1786 addr = sd_req_get_address(sd, req);
1787 if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) {
1788 return sd_r1;
1789 }
1790
1791 data = sd_wpbits(sd, req.arg);
1792 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data));
1793 }
1794
1795 /* CMD32 */
sd_cmd_ERASE_WR_BLK_START(SDState * sd,SDRequest req)1796 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req)
1797 {
1798 if (sd->state != sd_transfer_state) {
1799 return sd_invalid_state_for_cmd(sd, req);
1800 }
1801 sd->erase_start = req.arg;
1802 return sd_r1;
1803 }
1804
1805 /* CMD33 */
sd_cmd_ERASE_WR_BLK_END(SDState * sd,SDRequest req)1806 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req)
1807 {
1808 if (sd->state != sd_transfer_state) {
1809 return sd_invalid_state_for_cmd(sd, req);
1810 }
1811 sd->erase_end = req.arg;
1812 return sd_r1;
1813 }
1814
1815 /* CMD38 */
sd_cmd_ERASE(SDState * sd,SDRequest req)1816 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req)
1817 {
1818 if (sd->state != sd_transfer_state) {
1819 return sd_invalid_state_for_cmd(sd, req);
1820 }
1821 if (sd->csd[14] & 0x30) {
1822 sd->card_status |= WP_VIOLATION;
1823 return sd_r1b;
1824 }
1825
1826 sd->state = sd_programming_state;
1827 sd_erase(sd);
1828 /* Bzzzzzzztt .... Operation complete. */
1829 sd->state = sd_transfer_state;
1830 return sd_r1b;
1831 }
1832
1833 /* CMD42 */
sd_cmd_LOCK_UNLOCK(SDState * sd,SDRequest req)1834 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req)
1835 {
1836 return sd_cmd_to_receivingdata(sd, req, 0, 0);
1837 }
1838
1839 /* CMD55 */
sd_cmd_APP_CMD(SDState * sd,SDRequest req)1840 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req)
1841 {
1842 switch (sd->state) {
1843 case sd_ready_state:
1844 case sd_identification_state:
1845 case sd_inactive_state:
1846 case sd_sleep_state:
1847 return sd_invalid_state_for_cmd(sd, req);
1848 case sd_idle_state:
1849 if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) {
1850 qemu_log_mask(LOG_GUEST_ERROR,
1851 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1852 }
1853 /* fall-through */
1854 default:
1855 break;
1856 }
1857 if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) {
1858 return sd_r0;
1859 }
1860 sd->expecting_acmd = true;
1861 sd->card_status |= APP_CMD;
1862
1863 return sd_r1;
1864 }
1865
1866 /* CMD56 */
sd_cmd_GEN_CMD(SDState * sd,SDRequest req)1867 static sd_rsp_type_t sd_cmd_GEN_CMD(SDState *sd, SDRequest req)
1868 {
1869 if (sd->state != sd_transfer_state) {
1870 return sd_invalid_state_for_cmd(sd, req);
1871 }
1872
1873 /* Vendor specific command: our model is RAZ/WI */
1874 if (req.arg & 1) {
1875 memset(sd->data, 0, sizeof(sd->data));
1876 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 0);
1877 } else {
1878 return sd_cmd_to_receivingdata(sd, req, 0, 0);
1879 }
1880 }
1881
1882 /* CMD58 */
spi_cmd_READ_OCR(SDState * sd,SDRequest req)1883 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req)
1884 {
1885 return sd_r3;
1886 }
1887
1888 /* CMD59 */
spi_cmd_CRC_ON_OFF(SDState * sd,SDRequest req)1889 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req)
1890 {
1891 return sd_r1;
1892 }
1893
1894 /* ACMD6 */
sd_acmd_SET_BUS_WIDTH(SDState * sd,SDRequest req)1895 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req)
1896 {
1897 if (sd->state != sd_transfer_state) {
1898 return sd_invalid_state_for_cmd(sd, req);
1899 }
1900
1901 sd->sd_status[0] &= 0x3f;
1902 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1903 return sd_r1;
1904 }
1905
1906 /* ACMD13 */
sd_acmd_SD_STATUS(SDState * sd,SDRequest req)1907 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req)
1908 {
1909 return sd_cmd_to_sendingdata(sd, req, 0,
1910 sd->sd_status, sizeof(sd->sd_status));
1911 }
1912
1913 /* ACMD22 */
sd_acmd_SEND_NUM_WR_BLOCKS(SDState * sd,SDRequest req)1914 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req)
1915 {
1916 return sd_cmd_to_sendingdata(sd, req, 0,
1917 &sd->blk_written, sizeof(sd->blk_written));
1918 }
1919
1920 /* ACMD23 */
sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState * sd,SDRequest req)1921 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req)
1922 {
1923 if (sd->state != sd_transfer_state) {
1924 return sd_invalid_state_for_cmd(sd, req);
1925 }
1926 return sd_r1;
1927 }
1928
1929 /* ACMD41 */
sd_cmd_SEND_OP_COND(SDState * sd,SDRequest req)1930 static sd_rsp_type_t sd_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
1931 {
1932 if (sd->state != sd_idle_state) {
1933 return sd_invalid_state_for_cmd(sd, req);
1934 }
1935
1936 /*
1937 * If it's the first ACMD41 since reset, we need to decide
1938 * whether to power up. If this is not an enquiry ACMD41,
1939 * we immediately report power on and proceed below to the
1940 * ready state, but if it is, we set a timer to model a
1941 * delay for power up. This works around a bug in EDK2
1942 * UEFI, which sends an initial enquiry ACMD41, but
1943 * assumes that the card is in ready state as soon as it
1944 * sees the power up bit set.
1945 */
1946 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1947 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1948 timer_del(sd->ocr_power_timer);
1949 sd_ocr_powerup(sd);
1950 } else {
1951 trace_sdcard_inquiry_cmd41();
1952 if (!timer_pending(sd->ocr_power_timer)) {
1953 timer_mod_ns(sd->ocr_power_timer,
1954 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1955 + OCR_POWER_DELAY_NS));
1956 }
1957 }
1958 }
1959
1960 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1961 /*
1962 * We accept any voltage. 10000 V is nothing.
1963 *
1964 * Once we're powered up, we advance straight to ready state
1965 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1966 */
1967 sd->state = sd_ready_state;
1968 }
1969
1970 return sd_r3;
1971 }
1972
1973 /* ACMD42 */
sd_acmd_SET_CLR_CARD_DETECT(SDState * sd,SDRequest req)1974 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req)
1975 {
1976 if (sd->state != sd_transfer_state) {
1977 return sd_invalid_state_for_cmd(sd, req);
1978 }
1979
1980 /* Bringing in the 50KOhm pull-up resistor... Done. */
1981 return sd_r1;
1982 }
1983
1984 /* ACMD51 */
sd_acmd_SEND_SCR(SDState * sd,SDRequest req)1985 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req)
1986 {
1987 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr));
1988 }
1989
sd_normal_command(SDState * sd,SDRequest req)1990 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
1991 {
1992 uint64_t addr;
1993
1994 sd->last_cmd_name = sd_cmd_name(sd, req.cmd);
1995 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
1996 * However there is no ACMD55, so we want to trace this particular case.
1997 */
1998 if (req.cmd != 55 || sd->expecting_acmd) {
1999 trace_sdcard_normal_command(sd->proto->name,
2000 sd->last_cmd_name, req.cmd,
2001 req.arg, sd_state_name(sd->state));
2002 }
2003
2004 /* Not interpreting this as an app command */
2005 sd->card_status &= ~APP_CMD;
2006
2007 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
2008 * if not, its effects are cancelled */
2009 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
2010 sd->multi_blk_cnt = 0;
2011 }
2012
2013 if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR,
2014 CARD_CAPACITY)) {
2015 /* Only Standard Capacity cards support class 6 commands */
2016 return sd_illegal;
2017 }
2018
2019 if (sd->proto->cmd[req.cmd].handler) {
2020 return sd->proto->cmd[req.cmd].handler(sd, req);
2021 }
2022
2023 switch (req.cmd) {
2024 /* Block read commands (Class 2) */
2025 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2026 addr = sd_req_get_address(sd, req);
2027 switch (sd->state) {
2028 case sd_transfer_state:
2029
2030 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
2031 return sd_r1;
2032 }
2033
2034 sd->state = sd_sendingdata_state;
2035 sd->data_start = addr;
2036 sd->data_offset = 0;
2037 return sd_r1;
2038
2039 default:
2040 break;
2041 }
2042 break;
2043
2044 /* Block write commands (Class 4) */
2045 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
2046 addr = sd_req_get_address(sd, req);
2047 switch (sd->state) {
2048 case sd_transfer_state:
2049
2050 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
2051 return sd_r1;
2052 }
2053
2054 sd->state = sd_receivingdata_state;
2055 sd->data_start = addr;
2056 sd->data_offset = 0;
2057 sd->blk_written = 0;
2058
2059 if (sd->size <= SDSC_MAX_CAPACITY) {
2060 if (sd_wp_addr(sd, sd->data_start)) {
2061 sd->card_status |= WP_VIOLATION;
2062 }
2063 }
2064 if (sd->csd[14] & 0x30) {
2065 sd->card_status |= WP_VIOLATION;
2066 }
2067 return sd_r1;
2068
2069 default:
2070 break;
2071 }
2072 break;
2073
2074 default:
2075 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
2076 return sd_illegal;
2077 }
2078
2079 return sd_invalid_state_for_cmd(sd, req);
2080 }
2081
sd_app_command(SDState * sd,SDRequest req)2082 static sd_rsp_type_t sd_app_command(SDState *sd,
2083 SDRequest req)
2084 {
2085 sd->last_cmd_name = sd_acmd_name(sd, req.cmd);
2086 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name,
2087 req.cmd, req.arg, sd_state_name(sd->state));
2088 sd->card_status |= APP_CMD;
2089
2090 if (sd->proto->acmd[req.cmd].handler) {
2091 return sd->proto->acmd[req.cmd].handler(sd, req);
2092 }
2093
2094 switch (req.cmd) {
2095 case 18: /* Reserved for SD security applications */
2096 case 25:
2097 case 26:
2098 case 38:
2099 case 43 ... 49:
2100 /* Refer to the "SD Specifications Part3 Security Specification" for
2101 * information about the SD Security Features.
2102 */
2103 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
2104 req.cmd);
2105 return sd_illegal;
2106
2107 default:
2108 /* Fall back to standard commands. */
2109 return sd_normal_command(sd, req);
2110 }
2111
2112 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
2113 return sd_illegal;
2114 }
2115
cmd_valid_while_locked(SDState * sd,unsigned cmd)2116 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
2117 {
2118 unsigned cmd_class;
2119
2120 /* Valid commands in locked state:
2121 * basic class (0)
2122 * lock card class (7)
2123 * CMD16
2124 * implicitly, the ACMD prefix CMD55
2125 * ACMD41 and ACMD42
2126 * Anything else provokes an "illegal command" response.
2127 */
2128 if (sd->expecting_acmd) {
2129 return cmd == 41 || cmd == 42;
2130 }
2131 if (cmd == 16 || cmd == 55) {
2132 return true;
2133 }
2134 if (!sd->proto->cmd[cmd].handler) {
2135 return false;
2136 }
2137 cmd_class = sd->proto->cmd[cmd].class;
2138
2139 return cmd_class == 0 || cmd_class == 7;
2140 }
2141
sd_do_command(SDState * sd,SDRequest * req,uint8_t * response)2142 static int sd_do_command(SDState *sd, SDRequest *req,
2143 uint8_t *response) {
2144 int last_state;
2145 sd_rsp_type_t rtype;
2146 int rsplen;
2147
2148 if (!sd->blk || !blk_is_inserted(sd->blk)) {
2149 return 0;
2150 }
2151
2152 if (sd->state == sd_inactive_state) {
2153 rtype = sd_illegal;
2154 goto send_response;
2155 }
2156
2157 if (sd_req_crc_validate(req)) {
2158 sd->card_status |= COM_CRC_ERROR;
2159 rtype = sd_illegal;
2160 goto send_response;
2161 }
2162
2163 if (req->cmd >= SDMMC_CMD_MAX) {
2164 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
2165 req->cmd);
2166 req->cmd &= 0x3f;
2167 }
2168
2169 if (sd->state == sd_sleep_state && req->cmd) {
2170 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is sleeping\n");
2171 rtype = sd_r0;
2172 goto send_response;
2173 }
2174
2175 if (sd->card_status & CARD_IS_LOCKED) {
2176 if (!cmd_valid_while_locked(sd, req->cmd)) {
2177 sd->card_status |= ILLEGAL_COMMAND;
2178 sd->expecting_acmd = false;
2179 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
2180 rtype = sd_illegal;
2181 goto send_response;
2182 }
2183 }
2184
2185 last_state = sd->state;
2186 sd_set_mode(sd);
2187
2188 if (sd->expecting_acmd) {
2189 sd->expecting_acmd = false;
2190 rtype = sd_app_command(sd, *req);
2191 } else {
2192 rtype = sd_normal_command(sd, *req);
2193 }
2194
2195 if (rtype == sd_illegal) {
2196 sd->card_status |= ILLEGAL_COMMAND;
2197 } else {
2198 /* Valid command, we can update the 'state before command' bits.
2199 * (Do this now so they appear in r1 responses.)
2200 */
2201 sd->card_status = FIELD_DP32(sd->card_status, CSR,
2202 CURRENT_STATE, last_state);
2203 }
2204
2205 send_response:
2206 switch (rtype) {
2207 case sd_r1:
2208 case sd_r1b:
2209 sd_response_r1_make(sd, response);
2210 rsplen = 4;
2211 break;
2212
2213 case sd_r2_i:
2214 memcpy(response, sd->cid, sizeof(sd->cid));
2215 rsplen = 16;
2216 break;
2217
2218 case sd_r2_s:
2219 memcpy(response, sd->csd, sizeof(sd->csd));
2220 rsplen = 16;
2221 break;
2222
2223 case sd_r3:
2224 sd_response_r3_make(sd, response);
2225 rsplen = 4;
2226 break;
2227
2228 case sd_r6:
2229 sd_response_r6_make(sd, response);
2230 rsplen = 4;
2231 break;
2232
2233 case sd_r7:
2234 sd_response_r7_make(sd, response);
2235 rsplen = 4;
2236 break;
2237
2238 case sd_r0:
2239 /*
2240 * Invalid state transition, reset implementation
2241 * fields to avoid OOB abuse.
2242 */
2243 sd->data_start = 0;
2244 sd->data_offset = 0;
2245 /* fall-through */
2246 case sd_illegal:
2247 rsplen = 0;
2248 break;
2249 default:
2250 g_assert_not_reached();
2251 }
2252 trace_sdcard_response(sd_response_name(rtype), rsplen);
2253
2254 if (rtype != sd_illegal) {
2255 /* Clear the "clear on valid command" status bits now we've
2256 * sent any response
2257 */
2258 sd->card_status &= ~CARD_STATUS_B;
2259 }
2260
2261 #ifdef DEBUG_SD
2262 qemu_hexdump(stderr, "Response", response, rsplen);
2263 #endif
2264
2265 sd->current_cmd = rtype == sd_illegal ? 0 : req->cmd;
2266
2267 return rsplen;
2268 }
2269
2270 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */
sd_generic_write_byte(SDState * sd,uint8_t value)2271 static bool sd_generic_write_byte(SDState *sd, uint8_t value)
2272 {
2273 sd->data[sd->data_offset] = value;
2274
2275 if (++sd->data_offset >= sd->data_size) {
2276 sd->state = sd_transfer_state;
2277 return true;
2278 }
2279 return false;
2280 }
2281
2282 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */
sd_generic_read_byte(SDState * sd,uint8_t * value)2283 static bool sd_generic_read_byte(SDState *sd, uint8_t *value)
2284 {
2285 *value = sd->data[sd->data_offset];
2286
2287 if (++sd->data_offset >= sd->data_size) {
2288 sd->state = sd_transfer_state;
2289 return true;
2290 }
2291
2292 return false;
2293 }
2294
sd_write_byte(SDState * sd,uint8_t value)2295 static void sd_write_byte(SDState *sd, uint8_t value)
2296 {
2297 int i;
2298
2299 if (!sd->blk || !blk_is_inserted(sd->blk)) {
2300 return;
2301 }
2302
2303 if (sd->state != sd_receivingdata_state) {
2304 qemu_log_mask(LOG_GUEST_ERROR,
2305 "%s: not in Receiving-Data state\n", __func__);
2306 return;
2307 }
2308
2309 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2310 return;
2311
2312 trace_sdcard_write_data(sd->proto->name,
2313 sd->last_cmd_name,
2314 sd->current_cmd, sd->data_offset, value);
2315 switch (sd->current_cmd) {
2316 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
2317 if (sd_generic_write_byte(sd, value)) {
2318 /* TODO: Check CRC before committing */
2319 sd->state = sd_programming_state;
2320 sd_blk_write(sd, sd->data_start, sd->data_offset);
2321 sd->blk_written ++;
2322 sd->csd[14] |= 0x40;
2323 /* Bzzzzzzztt .... Operation complete. */
2324 sd->state = sd_transfer_state;
2325 }
2326 break;
2327
2328 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
2329 if (sd->data_offset == 0) {
2330 /* Start of the block - let's check the address is valid */
2331 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
2332 sd->data_start, sd->blk_len)) {
2333 break;
2334 }
2335 if (sd->size <= SDSC_MAX_CAPACITY) {
2336 if (sd_wp_addr(sd, sd->data_start)) {
2337 sd->card_status |= WP_VIOLATION;
2338 break;
2339 }
2340 }
2341 }
2342 sd->data[sd->data_offset++] = value;
2343 if (sd->data_offset >= sd->blk_len) {
2344 /* TODO: Check CRC before committing */
2345 sd->state = sd_programming_state;
2346 sd_blk_write(sd, sd->data_start, sd->data_offset);
2347 sd->blk_written++;
2348 sd->data_start += sd->blk_len;
2349 sd->data_offset = 0;
2350 sd->csd[14] |= 0x40;
2351
2352 /* Bzzzzzzztt .... Operation complete. */
2353 if (sd->multi_blk_cnt != 0) {
2354 if (--sd->multi_blk_cnt == 0) {
2355 /* Stop! */
2356 sd->state = sd_transfer_state;
2357 break;
2358 }
2359 }
2360
2361 sd->state = sd_receivingdata_state;
2362 }
2363 break;
2364
2365 case 26: /* CMD26: PROGRAM_CID */
2366 if (sd_generic_write_byte(sd, value)) {
2367 /* TODO: Check CRC before committing */
2368 sd->state = sd_programming_state;
2369 for (i = 0; i < sizeof(sd->cid); i ++)
2370 if ((sd->cid[i] | 0x00) != sd->data[i])
2371 sd->card_status |= CID_CSD_OVERWRITE;
2372
2373 if (!(sd->card_status & CID_CSD_OVERWRITE))
2374 for (i = 0; i < sizeof(sd->cid); i ++) {
2375 sd->cid[i] |= 0x00;
2376 sd->cid[i] &= sd->data[i];
2377 }
2378 /* Bzzzzzzztt .... Operation complete. */
2379 sd->state = sd_transfer_state;
2380 }
2381 break;
2382
2383 case 27: /* CMD27: PROGRAM_CSD */
2384 if (sd_generic_write_byte(sd, value)) {
2385 /* TODO: Check CRC before committing */
2386 sd->state = sd_programming_state;
2387 for (i = 0; i < sizeof(sd->csd); i ++)
2388 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
2389 (sd->data[i] | sd_csd_rw_mask[i]))
2390 sd->card_status |= CID_CSD_OVERWRITE;
2391
2392 /* Copy flag (OTP) & Permanent write protect */
2393 if (sd->csd[14] & ~sd->data[14] & 0x60)
2394 sd->card_status |= CID_CSD_OVERWRITE;
2395
2396 if (!(sd->card_status & CID_CSD_OVERWRITE))
2397 for (i = 0; i < sizeof(sd->csd); i ++) {
2398 sd->csd[i] |= sd_csd_rw_mask[i];
2399 sd->csd[i] &= sd->data[i];
2400 }
2401 /* Bzzzzzzztt .... Operation complete. */
2402 sd->state = sd_transfer_state;
2403 }
2404 break;
2405
2406 case 42: /* CMD42: LOCK_UNLOCK */
2407 if (sd_generic_write_byte(sd, value)) {
2408 /* TODO: Check CRC before committing */
2409 sd->state = sd_programming_state;
2410 sd_lock_command(sd);
2411 /* Bzzzzzzztt .... Operation complete. */
2412 sd->state = sd_transfer_state;
2413 }
2414 break;
2415
2416 case 56: /* CMD56: GEN_CMD */
2417 sd_generic_write_byte(sd, value);
2418 break;
2419
2420 default:
2421 g_assert_not_reached();
2422 }
2423 }
2424
sd_read_byte(SDState * sd)2425 static uint8_t sd_read_byte(SDState *sd)
2426 {
2427 /* TODO: Append CRCs */
2428 const uint8_t dummy_byte = 0x00;
2429 uint8_t ret;
2430 uint32_t io_len;
2431
2432 if (!sd->blk || !blk_is_inserted(sd->blk)) {
2433 return dummy_byte;
2434 }
2435
2436 if (sd->state != sd_sendingdata_state) {
2437 qemu_log_mask(LOG_GUEST_ERROR,
2438 "%s: not in Sending-Data state\n", __func__);
2439 return dummy_byte;
2440 }
2441
2442 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) {
2443 return dummy_byte;
2444 }
2445
2446 io_len = sd_blk_len(sd);
2447
2448 trace_sdcard_read_data(sd->proto->name,
2449 sd->last_cmd_name, sd->current_cmd,
2450 sd->data_offset, sd->data_size, io_len);
2451 switch (sd->current_cmd) {
2452 case 6: /* CMD6: SWITCH_FUNCTION */
2453 case 8: /* CMD8: SEND_EXT_CSD */
2454 case 9: /* CMD9: SEND_CSD */
2455 case 10: /* CMD10: SEND_CID */
2456 case 13: /* ACMD13: SD_STATUS */
2457 case 17: /* CMD17: READ_SINGLE_BLOCK */
2458 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2459 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2460 case 30: /* CMD30: SEND_WRITE_PROT */
2461 case 51: /* ACMD51: SEND_SCR */
2462 case 56: /* CMD56: GEN_CMD */
2463 sd_generic_read_byte(sd, &ret);
2464 break;
2465
2466 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2467 if (sd->data_offset == 0) {
2468 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2469 sd->data_start, io_len)) {
2470 return dummy_byte;
2471 }
2472 sd_blk_read(sd, sd->data_start, io_len);
2473 }
2474 ret = sd->data[sd->data_offset ++];
2475
2476 if (sd->data_offset >= io_len) {
2477 sd->data_start += io_len;
2478 sd->data_offset = 0;
2479
2480 if (sd->multi_blk_cnt != 0) {
2481 if (--sd->multi_blk_cnt == 0) {
2482 /* Stop! */
2483 sd->state = sd_transfer_state;
2484 break;
2485 }
2486 }
2487 }
2488 break;
2489
2490 default:
2491 qemu_log_mask(LOG_GUEST_ERROR, "%s: DAT read illegal for command %s\n",
2492 __func__, sd->last_cmd_name);
2493 return dummy_byte;
2494 }
2495
2496 return ret;
2497 }
2498
sd_receive_ready(SDState * sd)2499 static bool sd_receive_ready(SDState *sd)
2500 {
2501 return sd->state == sd_receivingdata_state;
2502 }
2503
sd_data_ready(SDState * sd)2504 static bool sd_data_ready(SDState *sd)
2505 {
2506 return sd->state == sd_sendingdata_state;
2507 }
2508
2509 static const SDProto sd_proto_spi = {
2510 .name = "SPI",
2511 .cmd = {
2512 [0] = {0, sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2513 [1] = {0, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND},
2514 [5] = {9, sd_spi, "IO_SEND_OP_COND", sd_cmd_optional},
2515 [6] = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2516 [8] = {0, sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2517 [9] = {0, sd_spi, "SEND_CSD", spi_cmd_SEND_CSD},
2518 [10] = {0, sd_spi, "SEND_CID", spi_cmd_SEND_CID},
2519 [12] = {0, sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2520 [13] = {0, sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS},
2521 [16] = {2, sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2522 [17] = {2, sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2523 [24] = {4, sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2524 [27] = {4, sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2525 [28] = {6, sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2526 [29] = {6, sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2527 [30] = {6, sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2528 [32] = {5, sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2529 [33] = {5, sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2530 [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional},
2531 [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional},
2532 [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional},
2533 [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2534 [38] = {5, sd_spi, "ERASE", sd_cmd_ERASE},
2535 [42] = {7, sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2536 [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional},
2537 [52] = {9, sd_spi, "IO_RW_DIRECT", sd_cmd_optional},
2538 [53] = {9, sd_spi, "IO_RW_EXTENDED", sd_cmd_optional},
2539 [55] = {8, sd_spi, "APP_CMD", sd_cmd_APP_CMD},
2540 [56] = {8, sd_spi, "GEN_CMD", sd_cmd_GEN_CMD},
2541 [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2542 [58] = {0, sd_spi, "READ_OCR", spi_cmd_READ_OCR},
2543 [59] = {0, sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF},
2544 },
2545 .acmd = {
2546 [13] = {8, sd_spi, "SD_STATUS", sd_acmd_SD_STATUS},
2547 [22] = {8, sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2548 [23] = {8, sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2549 [41] = {8, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND},
2550 [42] = {8, sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2551 [51] = {8, sd_spi, "SEND_SCR", sd_acmd_SEND_SCR},
2552 },
2553 };
2554
2555 static const SDProto sd_proto_sd = {
2556 .name = "SD",
2557 .cmd = {
2558 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2559 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2560 [3] = {0, sd_bcr, "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR},
2561 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented},
2562 [5] = {9, sd_bc, "IO_SEND_OP_COND", sd_cmd_optional},
2563 [6] = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION},
2564 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD},
2565 [8] = {0, sd_bcr, "SEND_IF_COND", sd_cmd_SEND_IF_COND},
2566 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD},
2567 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID},
2568 [11] = {0, sd_ac, "VOLTAGE_SWITCH", sd_cmd_optional},
2569 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2570 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS},
2571 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE},
2572 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2573 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2574 [19] = {2, sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK},
2575 [20] = {2, sd_ac, "SPEED_CLASS_CONTROL", sd_cmd_optional},
2576 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2577 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2578 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2579 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2580 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2581 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2582 [32] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2583 [33] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2584 [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional},
2585 [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional},
2586 [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional},
2587 [37] = {10, sd_ac, "CONTROL_ASSD_SYSTEM", sd_cmd_optional},
2588 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE},
2589 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2590 [43] = {1, sd_ac, "Q_MANAGEMENT", sd_cmd_optional},
2591 [44] = {1, sd_ac, "Q_TASK_INFO_A", sd_cmd_optional},
2592 [45] = {1, sd_ac, "Q_TASK_INFO_B", sd_cmd_optional},
2593 [46] = {1, sd_adtc, "Q_RD_TASK", sd_cmd_optional},
2594 [47] = {1, sd_adtc, "Q_WR_TASK", sd_cmd_optional},
2595 [48] = {1, sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional},
2596 [49] = {1, sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional},
2597 [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional},
2598 [52] = {9, sd_bc, "IO_RW_DIRECT", sd_cmd_optional},
2599 [53] = {9, sd_bc, "IO_RW_EXTENDED", sd_cmd_optional},
2600 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD},
2601 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD},
2602 [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional},
2603 [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional},
2604 [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional},
2605 },
2606 .acmd = {
2607 [6] = {8, sd_ac, "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH},
2608 [13] = {8, sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS},
2609 [22] = {8, sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS},
2610 [23] = {8, sd_ac, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT},
2611 [41] = {8, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2612 [42] = {8, sd_ac, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT},
2613 [51] = {8, sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR},
2614 },
2615 };
2616
2617 static const SDProto sd_proto_emmc = {
2618 /* Only v4.3 is supported */
2619 .name = "eMMC",
2620 .cmd = {
2621 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE},
2622 [1] = {0, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND},
2623 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID},
2624 [3] = {0, sd_ac, "SET_RELATIVE_ADDR", emmc_cmd_SET_RELATIVE_ADDR},
2625 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented},
2626 [5] = {0, sd_ac, "SLEEP/AWAKE", emmc_cmd_sleep_awake},
2627 [6] = {10, sd_adtc, "SWITCH", emmc_cmd_SWITCH},
2628 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD},
2629 [8] = {0, sd_adtc, "SEND_EXT_CSD", emmc_cmd_SEND_EXT_CSD},
2630 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD},
2631 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID},
2632 [11] = {1, sd_adtc, "READ_DAT_UNTIL_STOP", sd_cmd_unimplemented},
2633 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION},
2634 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS},
2635 [14] = {0, sd_adtc, "BUSTEST_R", sd_cmd_unimplemented},
2636 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE},
2637 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN},
2638 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK},
2639 [19] = {0, sd_adtc, "BUSTEST_W", sd_cmd_unimplemented},
2640 [20] = {3, sd_adtc, "WRITE_DAT_UNTIL_STOP", sd_cmd_unimplemented},
2641 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT},
2642 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK},
2643 [26] = {4, sd_adtc, "PROGRAM_CID", emmc_cmd_PROGRAM_CID},
2644 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD},
2645 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT},
2646 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT},
2647 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT},
2648 [31] = {6, sd_adtc, "SEND_WRITE_PROT_TYPE", sd_cmd_unimplemented},
2649 [35] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START},
2650 [36] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END},
2651 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE},
2652 [39] = {9, sd_ac, "FAST_IO", sd_cmd_unimplemented},
2653 [40] = {9, sd_bcr, "GO_IRQ_STATE", sd_cmd_unimplemented},
2654 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK},
2655 [49] = {0, sd_adtc, "SET_TIME", sd_cmd_unimplemented},
2656 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD},
2657 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD},
2658 },
2659 };
2660
sd_instance_init(Object * obj)2661 static void sd_instance_init(Object *obj)
2662 {
2663 SDState *sd = SDMMC_COMMON(obj);
2664 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd);
2665
2666 sd->proto = sc->proto;
2667 sd->last_cmd_name = "UNSET";
2668 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2669 }
2670
sd_instance_finalize(Object * obj)2671 static void sd_instance_finalize(Object *obj)
2672 {
2673 SDState *sd = SDMMC_COMMON(obj);
2674
2675 timer_free(sd->ocr_power_timer);
2676 }
2677
sd_realize(DeviceState * dev,Error ** errp)2678 static void sd_realize(DeviceState *dev, Error **errp)
2679 {
2680 SDState *sd = SDMMC_COMMON(dev);
2681 int ret;
2682
2683 switch (sd->spec_version) {
2684 case SD_PHY_SPECv1_10_VERS
2685 ... SD_PHY_SPECv3_01_VERS:
2686 break;
2687 default:
2688 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2689 return;
2690 }
2691
2692 if (sd->blk) {
2693 int64_t blk_size;
2694
2695 if (!blk_supports_write_perm(sd->blk)) {
2696 error_setg(errp, "Cannot use read-only drive as SD card");
2697 return;
2698 }
2699
2700 blk_size = blk_getlength(sd->blk);
2701 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2702 int64_t blk_size_aligned = pow2ceil(blk_size);
2703 char *blk_size_str;
2704
2705 blk_size_str = size_to_str(blk_size);
2706 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2707 g_free(blk_size_str);
2708
2709 blk_size_str = size_to_str(blk_size_aligned);
2710 error_append_hint(errp,
2711 "SD card size has to be a power of 2, e.g. %s.\n"
2712 "You can resize disk images with"
2713 " 'qemu-img resize <imagefile> <new-size>'\n"
2714 "(note that this will lose data if you make the"
2715 " image smaller than it currently is).\n",
2716 blk_size_str);
2717 g_free(blk_size_str);
2718
2719 return;
2720 }
2721
2722 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2723 BLK_PERM_ALL, errp);
2724 if (ret < 0) {
2725 return;
2726 }
2727 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2728 }
2729 }
2730
emmc_realize(DeviceState * dev,Error ** errp)2731 static void emmc_realize(DeviceState *dev, Error **errp)
2732 {
2733 SDState *sd = SDMMC_COMMON(dev);
2734
2735 sd->spec_version = SD_PHY_SPECv3_01_VERS; /* Actually v4.3 */
2736
2737 sd_realize(dev, errp);
2738 }
2739
2740 static const Property sdmmc_common_properties[] = {
2741 DEFINE_PROP_DRIVE("drive", SDState, blk),
2742 };
2743
2744 static const Property sd_properties[] = {
2745 DEFINE_PROP_UINT8("spec_version", SDState,
2746 spec_version, SD_PHY_SPECv3_01_VERS),
2747 };
2748
2749 static const Property emmc_properties[] = {
2750 DEFINE_PROP_UINT64("boot-partition-size", SDState, boot_part_size, 0),
2751 DEFINE_PROP_UINT8("boot-config", SDState, boot_config, 0x0),
2752 };
2753
sdmmc_common_class_init(ObjectClass * klass,const void * data)2754 static void sdmmc_common_class_init(ObjectClass *klass, const void *data)
2755 {
2756 DeviceClass *dc = DEVICE_CLASS(klass);
2757 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2758
2759 device_class_set_props(dc, sdmmc_common_properties);
2760 dc->vmsd = &sd_vmstate;
2761 device_class_set_legacy_reset(dc, sd_reset);
2762 dc->bus_type = TYPE_SD_BUS;
2763 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2764
2765 sc->set_voltage = sd_set_voltage;
2766 sc->get_dat_lines = sd_get_dat_lines;
2767 sc->get_cmd_line = sd_get_cmd_line;
2768 sc->do_command = sd_do_command;
2769 sc->write_byte = sd_write_byte;
2770 sc->read_byte = sd_read_byte;
2771 sc->receive_ready = sd_receive_ready;
2772 sc->data_ready = sd_data_ready;
2773 sc->get_inserted = sd_get_inserted;
2774 sc->get_readonly = sd_get_readonly;
2775 }
2776
sd_class_init(ObjectClass * klass,const void * data)2777 static void sd_class_init(ObjectClass *klass, const void *data)
2778 {
2779 DeviceClass *dc = DEVICE_CLASS(klass);
2780 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2781
2782 dc->realize = sd_realize;
2783 device_class_set_props(dc, sd_properties);
2784
2785 sc->set_cid = sd_set_cid;
2786 sc->set_csd = sd_set_csd;
2787 sc->proto = &sd_proto_sd;
2788 }
2789
2790 /*
2791 * We do not model the chip select pin, so allow the board to select
2792 * whether card should be in SSI or MMC/SD mode. It is also up to the
2793 * board to ensure that ssi transfers only occur when the chip select
2794 * is asserted.
2795 */
sd_spi_class_init(ObjectClass * klass,const void * data)2796 static void sd_spi_class_init(ObjectClass *klass, const void *data)
2797 {
2798 DeviceClass *dc = DEVICE_CLASS(klass);
2799 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2800
2801 dc->desc = "SD SPI";
2802 sc->proto = &sd_proto_spi;
2803 }
2804
emmc_class_init(ObjectClass * klass,const void * data)2805 static void emmc_class_init(ObjectClass *klass, const void *data)
2806 {
2807 DeviceClass *dc = DEVICE_CLASS(klass);
2808 SDCardClass *sc = SDMMC_COMMON_CLASS(klass);
2809
2810 dc->desc = "eMMC";
2811 dc->realize = emmc_realize;
2812 device_class_set_props(dc, emmc_properties);
2813 /* Reason: Soldered on board */
2814 dc->user_creatable = false;
2815
2816 sc->proto = &sd_proto_emmc;
2817
2818 sc->set_cid = emmc_set_cid;
2819 sc->set_csd = emmc_set_csd;
2820 }
2821
2822 static const TypeInfo sd_types[] = {
2823 {
2824 .name = TYPE_SDMMC_COMMON,
2825 .parent = TYPE_DEVICE,
2826 .abstract = true,
2827 .instance_size = sizeof(SDState),
2828 .class_size = sizeof(SDCardClass),
2829 .class_init = sdmmc_common_class_init,
2830 .instance_init = sd_instance_init,
2831 .instance_finalize = sd_instance_finalize,
2832 },
2833 {
2834 .name = TYPE_SD_CARD,
2835 .parent = TYPE_SDMMC_COMMON,
2836 .class_init = sd_class_init,
2837 },
2838 {
2839 .name = TYPE_SD_CARD_SPI,
2840 .parent = TYPE_SD_CARD,
2841 .class_init = sd_spi_class_init,
2842 },
2843 {
2844 .name = TYPE_EMMC,
2845 .parent = TYPE_SDMMC_COMMON,
2846 .class_init = emmc_class_init,
2847 },
2848 };
2849
2850 DEFINE_TYPES(sd_types)
2851