1 /* 2 * Raspberry Pi emulation (c) 2012 Gregory Estrade 3 * 4 * This work is licensed under the terms of the GNU GPL, version 2 or later. 5 * See the COPYING file in the top-level directory. 6 */ 7 8 #include "qemu/osdep.h" 9 #include "qapi/error.h" 10 #include "hw/misc/bcm2835_property.h" 11 #include "hw/qdev-properties.h" 12 #include "migration/vmstate.h" 13 #include "hw/irq.h" 14 #include "hw/misc/bcm2835_mbox_defs.h" 15 #include "hw/arm/raspberrypi-fw-defs.h" 16 #include "sysemu/dma.h" 17 #include "qemu/log.h" 18 #include "qemu/module.h" 19 #include "trace.h" 20 #include "hw/arm/raspi_platform.h" 21 22 #define VCHI_BUSADDR_SIZE sizeof(uint32_t) 23 24 /* https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface */ 25 26 static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) 27 { 28 uint32_t tag; 29 uint32_t bufsize; 30 uint32_t tot_len; 31 size_t resplen; 32 uint32_t tmp; 33 uint32_t start_num, number, otp_row; 34 35 /* 36 * Copy the current state of the framebuffer config; we will update 37 * this copy as we process tags and then ask the framebuffer to use 38 * it at the end. 39 */ 40 BCM2835FBConfig fbconfig = s->fbdev->config; 41 bool fbconfig_updated = false; 42 43 value &= ~0xf; 44 45 s->addr = value; 46 47 tot_len = ldl_le_phys(&s->dma_as, value); 48 49 /* @(addr + 4) : Buffer response code */ 50 value = s->addr + 8; 51 while (value + 8 <= s->addr + tot_len) { 52 tag = ldl_le_phys(&s->dma_as, value); 53 bufsize = ldl_le_phys(&s->dma_as, value + 4); 54 /* @(value + 8) : Request/response indicator */ 55 resplen = 0; 56 switch (tag) { 57 case RPI_FWREQ_PROPERTY_END: 58 break; 59 case RPI_FWREQ_GET_FIRMWARE_REVISION: 60 stl_le_phys(&s->dma_as, value + 12, 346337); 61 resplen = 4; 62 break; 63 case RPI_FWREQ_GET_BOARD_MODEL: 64 qemu_log_mask(LOG_UNIMP, 65 "bcm2835_property: 0x%08x get board model NYI\n", 66 tag); 67 resplen = 4; 68 break; 69 case RPI_FWREQ_GET_BOARD_REVISION: 70 stl_le_phys(&s->dma_as, value + 12, s->board_rev); 71 resplen = 4; 72 break; 73 case RPI_FWREQ_GET_BOARD_MAC_ADDRESS: 74 resplen = sizeof(s->macaddr.a); 75 dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen, 76 MEMTXATTRS_UNSPECIFIED); 77 break; 78 case RPI_FWREQ_GET_BOARD_SERIAL: 79 qemu_log_mask(LOG_UNIMP, 80 "bcm2835_property: 0x%08x get board serial NYI\n", 81 tag); 82 resplen = 8; 83 break; 84 case RPI_FWREQ_GET_ARM_MEMORY: 85 /* base */ 86 stl_le_phys(&s->dma_as, value + 12, 0); 87 /* size */ 88 stl_le_phys(&s->dma_as, value + 16, s->fbdev->vcram_base); 89 resplen = 8; 90 break; 91 case RPI_FWREQ_GET_VC_MEMORY: 92 /* base */ 93 stl_le_phys(&s->dma_as, value + 12, s->fbdev->vcram_base); 94 /* size */ 95 stl_le_phys(&s->dma_as, value + 16, s->fbdev->vcram_size); 96 resplen = 8; 97 break; 98 case RPI_FWREQ_SET_POWER_STATE: 99 /* Assume that whatever device they asked for exists, 100 * and we'll just claim we set it to the desired state 101 */ 102 tmp = ldl_le_phys(&s->dma_as, value + 16); 103 stl_le_phys(&s->dma_as, value + 16, (tmp & 1)); 104 resplen = 8; 105 break; 106 107 /* Clocks */ 108 109 case RPI_FWREQ_GET_CLOCK_STATE: 110 stl_le_phys(&s->dma_as, value + 16, 0x1); 111 resplen = 8; 112 break; 113 114 case RPI_FWREQ_SET_CLOCK_STATE: 115 qemu_log_mask(LOG_UNIMP, 116 "bcm2835_property: 0x%08x set clock state NYI\n", 117 tag); 118 resplen = 8; 119 break; 120 121 case RPI_FWREQ_GET_CLOCK_RATE: 122 case RPI_FWREQ_GET_MAX_CLOCK_RATE: 123 case RPI_FWREQ_GET_MIN_CLOCK_RATE: 124 switch (ldl_le_phys(&s->dma_as, value + 12)) { 125 case RPI_FIRMWARE_EMMC_CLK_ID: 126 stl_le_phys(&s->dma_as, value + 16, RPI_FIRMWARE_EMMC_CLK_RATE); 127 break; 128 case RPI_FIRMWARE_UART_CLK_ID: 129 stl_le_phys(&s->dma_as, value + 16, RPI_FIRMWARE_UART_CLK_RATE); 130 break; 131 case RPI_FIRMWARE_CORE_CLK_ID: 132 stl_le_phys(&s->dma_as, value + 16, RPI_FIRMWARE_CORE_CLK_RATE); 133 break; 134 default: 135 stl_le_phys(&s->dma_as, value + 16, 136 RPI_FIRMWARE_DEFAULT_CLK_RATE); 137 break; 138 } 139 resplen = 8; 140 break; 141 142 case RPI_FWREQ_GET_CLOCKS: 143 /* TODO: add more clock IDs if needed */ 144 stl_le_phys(&s->dma_as, value + 12, 0); 145 stl_le_phys(&s->dma_as, value + 16, RPI_FIRMWARE_ARM_CLK_ID); 146 resplen = 8; 147 break; 148 149 case RPI_FWREQ_SET_CLOCK_RATE: 150 case RPI_FWREQ_SET_MAX_CLOCK_RATE: 151 case RPI_FWREQ_SET_MIN_CLOCK_RATE: 152 qemu_log_mask(LOG_UNIMP, 153 "bcm2835_property: 0x%08x set clock rate NYI\n", 154 tag); 155 resplen = 8; 156 break; 157 158 /* Temperature */ 159 160 case RPI_FWREQ_GET_TEMPERATURE: 161 stl_le_phys(&s->dma_as, value + 16, 25000); 162 resplen = 8; 163 break; 164 165 case RPI_FWREQ_GET_MAX_TEMPERATURE: 166 stl_le_phys(&s->dma_as, value + 16, 99000); 167 resplen = 8; 168 break; 169 170 /* Frame buffer */ 171 172 case RPI_FWREQ_FRAMEBUFFER_ALLOCATE: 173 stl_le_phys(&s->dma_as, value + 12, fbconfig.base); 174 stl_le_phys(&s->dma_as, value + 16, 175 bcm2835_fb_get_size(&fbconfig)); 176 resplen = 8; 177 break; 178 case RPI_FWREQ_FRAMEBUFFER_RELEASE: 179 resplen = 0; 180 break; 181 case RPI_FWREQ_FRAMEBUFFER_BLANK: 182 resplen = 4; 183 break; 184 case RPI_FWREQ_FRAMEBUFFER_TEST_PHYSICAL_WIDTH_HEIGHT: 185 case RPI_FWREQ_FRAMEBUFFER_TEST_VIRTUAL_WIDTH_HEIGHT: 186 resplen = 8; 187 break; 188 case RPI_FWREQ_FRAMEBUFFER_SET_PHYSICAL_WIDTH_HEIGHT: 189 fbconfig.xres = ldl_le_phys(&s->dma_as, value + 12); 190 fbconfig.yres = ldl_le_phys(&s->dma_as, value + 16); 191 bcm2835_fb_validate_config(&fbconfig); 192 fbconfig_updated = true; 193 /* fall through */ 194 case RPI_FWREQ_FRAMEBUFFER_GET_PHYSICAL_WIDTH_HEIGHT: 195 stl_le_phys(&s->dma_as, value + 12, fbconfig.xres); 196 stl_le_phys(&s->dma_as, value + 16, fbconfig.yres); 197 resplen = 8; 198 break; 199 case RPI_FWREQ_FRAMEBUFFER_SET_VIRTUAL_WIDTH_HEIGHT: 200 fbconfig.xres_virtual = ldl_le_phys(&s->dma_as, value + 12); 201 fbconfig.yres_virtual = ldl_le_phys(&s->dma_as, value + 16); 202 bcm2835_fb_validate_config(&fbconfig); 203 fbconfig_updated = true; 204 /* fall through */ 205 case RPI_FWREQ_FRAMEBUFFER_GET_VIRTUAL_WIDTH_HEIGHT: 206 stl_le_phys(&s->dma_as, value + 12, fbconfig.xres_virtual); 207 stl_le_phys(&s->dma_as, value + 16, fbconfig.yres_virtual); 208 resplen = 8; 209 break; 210 case RPI_FWREQ_FRAMEBUFFER_TEST_DEPTH: 211 resplen = 4; 212 break; 213 case RPI_FWREQ_FRAMEBUFFER_SET_DEPTH: 214 fbconfig.bpp = ldl_le_phys(&s->dma_as, value + 12); 215 bcm2835_fb_validate_config(&fbconfig); 216 fbconfig_updated = true; 217 /* fall through */ 218 case RPI_FWREQ_FRAMEBUFFER_GET_DEPTH: 219 stl_le_phys(&s->dma_as, value + 12, fbconfig.bpp); 220 resplen = 4; 221 break; 222 case RPI_FWREQ_FRAMEBUFFER_TEST_PIXEL_ORDER: 223 resplen = 4; 224 break; 225 case RPI_FWREQ_FRAMEBUFFER_SET_PIXEL_ORDER: 226 fbconfig.pixo = ldl_le_phys(&s->dma_as, value + 12); 227 bcm2835_fb_validate_config(&fbconfig); 228 fbconfig_updated = true; 229 /* fall through */ 230 case RPI_FWREQ_FRAMEBUFFER_GET_PIXEL_ORDER: 231 stl_le_phys(&s->dma_as, value + 12, fbconfig.pixo); 232 resplen = 4; 233 break; 234 case RPI_FWREQ_FRAMEBUFFER_TEST_ALPHA_MODE: 235 resplen = 4; 236 break; 237 case RPI_FWREQ_FRAMEBUFFER_SET_ALPHA_MODE: 238 fbconfig.alpha = ldl_le_phys(&s->dma_as, value + 12); 239 bcm2835_fb_validate_config(&fbconfig); 240 fbconfig_updated = true; 241 /* fall through */ 242 case RPI_FWREQ_FRAMEBUFFER_GET_ALPHA_MODE: 243 stl_le_phys(&s->dma_as, value + 12, fbconfig.alpha); 244 resplen = 4; 245 break; 246 case RPI_FWREQ_FRAMEBUFFER_GET_PITCH: 247 stl_le_phys(&s->dma_as, value + 12, 248 bcm2835_fb_get_pitch(&fbconfig)); 249 resplen = 4; 250 break; 251 case RPI_FWREQ_FRAMEBUFFER_TEST_VIRTUAL_OFFSET: 252 resplen = 8; 253 break; 254 case RPI_FWREQ_FRAMEBUFFER_SET_VIRTUAL_OFFSET: 255 fbconfig.xoffset = ldl_le_phys(&s->dma_as, value + 12); 256 fbconfig.yoffset = ldl_le_phys(&s->dma_as, value + 16); 257 bcm2835_fb_validate_config(&fbconfig); 258 fbconfig_updated = true; 259 /* fall through */ 260 case RPI_FWREQ_FRAMEBUFFER_GET_VIRTUAL_OFFSET: 261 stl_le_phys(&s->dma_as, value + 12, fbconfig.xoffset); 262 stl_le_phys(&s->dma_as, value + 16, fbconfig.yoffset); 263 resplen = 8; 264 break; 265 case RPI_FWREQ_FRAMEBUFFER_GET_OVERSCAN: 266 case RPI_FWREQ_FRAMEBUFFER_TEST_OVERSCAN: 267 case RPI_FWREQ_FRAMEBUFFER_SET_OVERSCAN: 268 stl_le_phys(&s->dma_as, value + 12, 0); 269 stl_le_phys(&s->dma_as, value + 16, 0); 270 stl_le_phys(&s->dma_as, value + 20, 0); 271 stl_le_phys(&s->dma_as, value + 24, 0); 272 resplen = 16; 273 break; 274 case RPI_FWREQ_FRAMEBUFFER_SET_PALETTE: 275 { 276 uint32_t offset = ldl_le_phys(&s->dma_as, value + 12); 277 uint32_t length = ldl_le_phys(&s->dma_as, value + 16); 278 int resp; 279 280 if (offset > 255 || length < 1 || length > 256) { 281 resp = 1; /* invalid request */ 282 } else { 283 for (uint32_t e = 0; e < length; e++) { 284 uint32_t color = ldl_le_phys(&s->dma_as, value + 20 + (e << 2)); 285 stl_le_phys(&s->dma_as, 286 s->fbdev->vcram_base + ((offset + e) << 2), color); 287 } 288 resp = 0; 289 } 290 stl_le_phys(&s->dma_as, value + 12, resp); 291 resplen = 4; 292 break; 293 } 294 case RPI_FWREQ_FRAMEBUFFER_GET_NUM_DISPLAYS: 295 stl_le_phys(&s->dma_as, value + 12, 1); 296 resplen = 4; 297 break; 298 299 case RPI_FWREQ_GET_DMA_CHANNELS: 300 /* channels 2-5 */ 301 stl_le_phys(&s->dma_as, value + 12, 0x003C); 302 resplen = 4; 303 break; 304 305 case RPI_FWREQ_GET_COMMAND_LINE: 306 /* 307 * We follow the firmware behaviour: no NUL terminator is 308 * written to the buffer, and if the buffer is too short 309 * we report the required length in the response header 310 * and copy nothing to the buffer. 311 */ 312 resplen = strlen(s->command_line); 313 if (bufsize >= resplen) 314 address_space_write(&s->dma_as, value + 12, 315 MEMTXATTRS_UNSPECIFIED, s->command_line, 316 resplen); 317 break; 318 319 case RPI_FWREQ_GET_THROTTLED: 320 stl_le_phys(&s->dma_as, value + 12, 0); 321 resplen = 4; 322 break; 323 324 case RPI_FWREQ_VCHIQ_INIT: 325 stl_le_phys(&s->dma_as, 326 value + offsetof(rpi_firmware_prop_request_t, payload), 327 0); 328 resplen = VCHI_BUSADDR_SIZE; 329 break; 330 331 /* Customer OTP */ 332 333 case RPI_FWREQ_GET_CUSTOMER_OTP: 334 start_num = ldl_le_phys(&s->dma_as, value + 12); 335 number = ldl_le_phys(&s->dma_as, value + 16); 336 337 resplen = 8 + 4 * number; 338 339 for (uint32_t n = start_num; n < start_num + number && 340 n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) { 341 otp_row = bcm2835_otp_get_row(s->otp, 342 BCM2835_OTP_CUSTOMER_OTP + n); 343 stl_le_phys(&s->dma_as, 344 value + 20 + ((n - start_num) << 2), otp_row); 345 } 346 break; 347 case RPI_FWREQ_SET_CUSTOMER_OTP: 348 start_num = ldl_le_phys(&s->dma_as, value + 12); 349 number = ldl_le_phys(&s->dma_as, value + 16); 350 351 resplen = 4; 352 353 /* Magic numbers to permanently lock customer OTP */ 354 if (start_num == BCM2835_OTP_LOCK_NUM1 && 355 number == BCM2835_OTP_LOCK_NUM2) { 356 bcm2835_otp_set_row(s->otp, 357 BCM2835_OTP_ROW_32, 358 BCM2835_OTP_ROW_32_LOCK); 359 break; 360 } 361 362 /* If row 32 has the lock bit, don't allow further writes */ 363 if (bcm2835_otp_get_row(s->otp, BCM2835_OTP_ROW_32) & 364 BCM2835_OTP_ROW_32_LOCK) { 365 break; 366 } 367 368 for (uint32_t n = start_num; n < start_num + number && 369 n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) { 370 otp_row = ldl_le_phys(&s->dma_as, 371 value + 20 + ((n - start_num) << 2)); 372 bcm2835_otp_set_row(s->otp, 373 BCM2835_OTP_CUSTOMER_OTP + n, otp_row); 374 } 375 break; 376 377 /* Device-specific private key */ 378 379 case RPI_FWREQ_GET_PRIVATE_KEY: 380 start_num = ldl_le_phys(&s->dma_as, value + 12); 381 number = ldl_le_phys(&s->dma_as, value + 16); 382 383 resplen = 8 + 4 * number; 384 385 for (uint32_t n = start_num; n < start_num + number && 386 n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) { 387 otp_row = bcm2835_otp_get_row(s->otp, 388 BCM2835_OTP_PRIVATE_KEY + n); 389 stl_le_phys(&s->dma_as, 390 value + 20 + ((n - start_num) << 2), otp_row); 391 } 392 break; 393 case RPI_FWREQ_SET_PRIVATE_KEY: 394 start_num = ldl_le_phys(&s->dma_as, value + 12); 395 number = ldl_le_phys(&s->dma_as, value + 16); 396 397 resplen = 4; 398 399 /* If row 32 has the lock bit, don't allow further writes */ 400 if (bcm2835_otp_get_row(s->otp, BCM2835_OTP_ROW_32) & 401 BCM2835_OTP_ROW_32_LOCK) { 402 break; 403 } 404 405 for (uint32_t n = start_num; n < start_num + number && 406 n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) { 407 otp_row = ldl_le_phys(&s->dma_as, 408 value + 20 + ((n - start_num) << 2)); 409 bcm2835_otp_set_row(s->otp, 410 BCM2835_OTP_PRIVATE_KEY + n, otp_row); 411 } 412 break; 413 default: 414 qemu_log_mask(LOG_UNIMP, 415 "bcm2835_property: unhandled tag 0x%08x\n", tag); 416 break; 417 } 418 419 trace_bcm2835_mbox_property(tag, bufsize, resplen); 420 if (tag == 0) { 421 break; 422 } 423 424 stl_le_phys(&s->dma_as, value + 8, (1 << 31) | resplen); 425 value += bufsize + 12; 426 } 427 428 /* Reconfigure framebuffer if required */ 429 if (fbconfig_updated) { 430 bcm2835_fb_reconfigure(s->fbdev, &fbconfig); 431 } 432 433 /* Buffer response code */ 434 stl_le_phys(&s->dma_as, s->addr + 4, (1 << 31)); 435 } 436 437 static uint64_t bcm2835_property_read(void *opaque, hwaddr offset, 438 unsigned size) 439 { 440 BCM2835PropertyState *s = opaque; 441 uint32_t res = 0; 442 443 switch (offset) { 444 case MBOX_AS_DATA: 445 res = MBOX_CHAN_PROPERTY | s->addr; 446 s->pending = false; 447 qemu_set_irq(s->mbox_irq, 0); 448 break; 449 450 case MBOX_AS_PENDING: 451 res = s->pending; 452 break; 453 454 default: 455 qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset %"HWADDR_PRIx"\n", 456 __func__, offset); 457 return 0; 458 } 459 460 return res; 461 } 462 463 static void bcm2835_property_write(void *opaque, hwaddr offset, 464 uint64_t value, unsigned size) 465 { 466 BCM2835PropertyState *s = opaque; 467 468 switch (offset) { 469 case MBOX_AS_DATA: 470 /* bcm2835_mbox should check our pending status before pushing */ 471 assert(!s->pending); 472 s->pending = true; 473 bcm2835_property_mbox_push(s, value); 474 qemu_set_irq(s->mbox_irq, 1); 475 break; 476 477 default: 478 qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset %"HWADDR_PRIx"\n", 479 __func__, offset); 480 return; 481 } 482 } 483 484 static const MemoryRegionOps bcm2835_property_ops = { 485 .read = bcm2835_property_read, 486 .write = bcm2835_property_write, 487 .endianness = DEVICE_NATIVE_ENDIAN, 488 .valid.min_access_size = 4, 489 .valid.max_access_size = 4, 490 }; 491 492 static const VMStateDescription vmstate_bcm2835_property = { 493 .name = TYPE_BCM2835_PROPERTY, 494 .version_id = 1, 495 .minimum_version_id = 1, 496 .fields = (const VMStateField[]) { 497 VMSTATE_MACADDR(macaddr, BCM2835PropertyState), 498 VMSTATE_UINT32(addr, BCM2835PropertyState), 499 VMSTATE_BOOL(pending, BCM2835PropertyState), 500 VMSTATE_END_OF_LIST() 501 } 502 }; 503 504 static void bcm2835_property_init(Object *obj) 505 { 506 BCM2835PropertyState *s = BCM2835_PROPERTY(obj); 507 508 memory_region_init_io(&s->iomem, OBJECT(s), &bcm2835_property_ops, s, 509 TYPE_BCM2835_PROPERTY, 0x10); 510 511 /* 512 * bcm2835_property_ops call into bcm2835_mbox, which in-turn reads from 513 * iomem. As such, mark iomem as re-entracy safe. 514 */ 515 s->iomem.disable_reentrancy_guard = true; 516 517 sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->iomem); 518 sysbus_init_irq(SYS_BUS_DEVICE(s), &s->mbox_irq); 519 } 520 521 static void bcm2835_property_reset(DeviceState *dev) 522 { 523 BCM2835PropertyState *s = BCM2835_PROPERTY(dev); 524 525 s->pending = false; 526 } 527 528 static void bcm2835_property_realize(DeviceState *dev, Error **errp) 529 { 530 BCM2835PropertyState *s = BCM2835_PROPERTY(dev); 531 Object *obj; 532 533 obj = object_property_get_link(OBJECT(dev), "fb", &error_abort); 534 s->fbdev = BCM2835_FB(obj); 535 536 obj = object_property_get_link(OBJECT(dev), "dma-mr", &error_abort); 537 s->dma_mr = MEMORY_REGION(obj); 538 address_space_init(&s->dma_as, s->dma_mr, TYPE_BCM2835_PROPERTY "-memory"); 539 540 obj = object_property_get_link(OBJECT(dev), "otp", &error_abort); 541 s->otp = BCM2835_OTP(obj); 542 543 /* TODO: connect to MAC address of USB NIC device, once we emulate it */ 544 qemu_macaddr_default_if_unset(&s->macaddr); 545 546 bcm2835_property_reset(dev); 547 } 548 549 static Property bcm2835_property_props[] = { 550 DEFINE_PROP_UINT32("board-rev", BCM2835PropertyState, board_rev, 0), 551 DEFINE_PROP_STRING("command-line", BCM2835PropertyState, command_line), 552 DEFINE_PROP_END_OF_LIST() 553 }; 554 555 static void bcm2835_property_class_init(ObjectClass *klass, void *data) 556 { 557 DeviceClass *dc = DEVICE_CLASS(klass); 558 559 device_class_set_props(dc, bcm2835_property_props); 560 dc->realize = bcm2835_property_realize; 561 dc->vmsd = &vmstate_bcm2835_property; 562 } 563 564 static const TypeInfo bcm2835_property_info = { 565 .name = TYPE_BCM2835_PROPERTY, 566 .parent = TYPE_SYS_BUS_DEVICE, 567 .instance_size = sizeof(BCM2835PropertyState), 568 .class_init = bcm2835_property_class_init, 569 .instance_init = bcm2835_property_init, 570 }; 571 572 static void bcm2835_property_register_types(void) 573 { 574 type_register_static(&bcm2835_property_info); 575 } 576 577 type_init(bcm2835_property_register_types) 578