1 /* 2 * Raspberry Pi emulation (c) 2012 Gregory Estrade 3 * 4 * This work is licensed under the terms of the GNU GPL, version 2 or later. 5 * See the COPYING file in the top-level directory. 6 */ 7 8 #include "qemu/osdep.h" 9 #include "qapi/error.h" 10 #include "hw/misc/bcm2835_property.h" 11 #include "hw/qdev-properties.h" 12 #include "migration/vmstate.h" 13 #include "hw/irq.h" 14 #include "hw/misc/bcm2835_mbox_defs.h" 15 #include "hw/arm/raspberrypi-fw-defs.h" 16 #include "sysemu/dma.h" 17 #include "qemu/log.h" 18 #include "qemu/module.h" 19 #include "trace.h" 20 #include "hw/arm/raspi_platform.h" 21 22 #define VCHI_BUSADDR_SIZE sizeof(uint32_t) 23 24 /* https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface */ 25 26 static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) 27 { 28 uint32_t tag; 29 uint32_t bufsize; 30 uint32_t tot_len; 31 size_t resplen; 32 uint32_t tmp; 33 34 /* 35 * Copy the current state of the framebuffer config; we will update 36 * this copy as we process tags and then ask the framebuffer to use 37 * it at the end. 38 */ 39 BCM2835FBConfig fbconfig = s->fbdev->config; 40 bool fbconfig_updated = false; 41 42 value &= ~0xf; 43 44 s->addr = value; 45 46 tot_len = ldl_le_phys(&s->dma_as, value); 47 48 /* @(addr + 4) : Buffer response code */ 49 value = s->addr + 8; 50 while (value + 8 <= s->addr + tot_len) { 51 tag = ldl_le_phys(&s->dma_as, value); 52 bufsize = ldl_le_phys(&s->dma_as, value + 4); 53 /* @(value + 8) : Request/response indicator */ 54 resplen = 0; 55 switch (tag) { 56 case RPI_FWREQ_PROPERTY_END: 57 break; 58 case RPI_FWREQ_GET_FIRMWARE_REVISION: 59 stl_le_phys(&s->dma_as, value + 12, 346337); 60 resplen = 4; 61 break; 62 case RPI_FWREQ_GET_BOARD_MODEL: 63 qemu_log_mask(LOG_UNIMP, 64 "bcm2835_property: 0x%08x get board model NYI\n", 65 tag); 66 resplen = 4; 67 break; 68 case RPI_FWREQ_GET_BOARD_REVISION: 69 stl_le_phys(&s->dma_as, value + 12, s->board_rev); 70 resplen = 4; 71 break; 72 case RPI_FWREQ_GET_BOARD_MAC_ADDRESS: 73 resplen = sizeof(s->macaddr.a); 74 dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen, 75 MEMTXATTRS_UNSPECIFIED); 76 break; 77 case RPI_FWREQ_GET_BOARD_SERIAL: 78 qemu_log_mask(LOG_UNIMP, 79 "bcm2835_property: 0x%08x get board serial NYI\n", 80 tag); 81 resplen = 8; 82 break; 83 case RPI_FWREQ_GET_ARM_MEMORY: 84 /* base */ 85 stl_le_phys(&s->dma_as, value + 12, 0); 86 /* size */ 87 stl_le_phys(&s->dma_as, value + 16, s->fbdev->vcram_base); 88 resplen = 8; 89 break; 90 case RPI_FWREQ_GET_VC_MEMORY: 91 /* base */ 92 stl_le_phys(&s->dma_as, value + 12, s->fbdev->vcram_base); 93 /* size */ 94 stl_le_phys(&s->dma_as, value + 16, s->fbdev->vcram_size); 95 resplen = 8; 96 break; 97 case RPI_FWREQ_SET_POWER_STATE: 98 /* Assume that whatever device they asked for exists, 99 * and we'll just claim we set it to the desired state 100 */ 101 tmp = ldl_le_phys(&s->dma_as, value + 16); 102 stl_le_phys(&s->dma_as, value + 16, (tmp & 1)); 103 resplen = 8; 104 break; 105 106 /* Clocks */ 107 108 case RPI_FWREQ_GET_CLOCK_STATE: 109 stl_le_phys(&s->dma_as, value + 16, 0x1); 110 resplen = 8; 111 break; 112 113 case RPI_FWREQ_SET_CLOCK_STATE: 114 qemu_log_mask(LOG_UNIMP, 115 "bcm2835_property: 0x%08x set clock state NYI\n", 116 tag); 117 resplen = 8; 118 break; 119 120 case RPI_FWREQ_GET_CLOCK_RATE: 121 case RPI_FWREQ_GET_MAX_CLOCK_RATE: 122 case RPI_FWREQ_GET_MIN_CLOCK_RATE: 123 switch (ldl_le_phys(&s->dma_as, value + 12)) { 124 case RPI_FIRMWARE_EMMC_CLK_ID: 125 stl_le_phys(&s->dma_as, value + 16, RPI_FIRMWARE_EMMC_CLK_RATE); 126 break; 127 case RPI_FIRMWARE_UART_CLK_ID: 128 stl_le_phys(&s->dma_as, value + 16, RPI_FIRMWARE_UART_CLK_RATE); 129 break; 130 case RPI_FIRMWARE_CORE_CLK_ID: 131 stl_le_phys(&s->dma_as, value + 16, RPI_FIRMWARE_CORE_CLK_RATE); 132 break; 133 default: 134 stl_le_phys(&s->dma_as, value + 16, 135 RPI_FIRMWARE_DEFAULT_CLK_RATE); 136 break; 137 } 138 resplen = 8; 139 break; 140 141 case RPI_FWREQ_GET_CLOCKS: 142 /* TODO: add more clock IDs if needed */ 143 stl_le_phys(&s->dma_as, value + 12, 0); 144 stl_le_phys(&s->dma_as, value + 16, RPI_FIRMWARE_ARM_CLK_ID); 145 resplen = 8; 146 break; 147 148 case RPI_FWREQ_SET_CLOCK_RATE: 149 case RPI_FWREQ_SET_MAX_CLOCK_RATE: 150 case RPI_FWREQ_SET_MIN_CLOCK_RATE: 151 qemu_log_mask(LOG_UNIMP, 152 "bcm2835_property: 0x%08x set clock rate NYI\n", 153 tag); 154 resplen = 8; 155 break; 156 157 /* Temperature */ 158 159 case RPI_FWREQ_GET_TEMPERATURE: 160 stl_le_phys(&s->dma_as, value + 16, 25000); 161 resplen = 8; 162 break; 163 164 case RPI_FWREQ_GET_MAX_TEMPERATURE: 165 stl_le_phys(&s->dma_as, value + 16, 99000); 166 resplen = 8; 167 break; 168 169 /* Frame buffer */ 170 171 case RPI_FWREQ_FRAMEBUFFER_ALLOCATE: 172 stl_le_phys(&s->dma_as, value + 12, fbconfig.base); 173 stl_le_phys(&s->dma_as, value + 16, 174 bcm2835_fb_get_size(&fbconfig)); 175 resplen = 8; 176 break; 177 case RPI_FWREQ_FRAMEBUFFER_RELEASE: 178 resplen = 0; 179 break; 180 case RPI_FWREQ_FRAMEBUFFER_BLANK: 181 resplen = 4; 182 break; 183 case RPI_FWREQ_FRAMEBUFFER_TEST_PHYSICAL_WIDTH_HEIGHT: 184 case RPI_FWREQ_FRAMEBUFFER_TEST_VIRTUAL_WIDTH_HEIGHT: 185 resplen = 8; 186 break; 187 case RPI_FWREQ_FRAMEBUFFER_SET_PHYSICAL_WIDTH_HEIGHT: 188 fbconfig.xres = ldl_le_phys(&s->dma_as, value + 12); 189 fbconfig.yres = ldl_le_phys(&s->dma_as, value + 16); 190 bcm2835_fb_validate_config(&fbconfig); 191 fbconfig_updated = true; 192 /* fall through */ 193 case RPI_FWREQ_FRAMEBUFFER_GET_PHYSICAL_WIDTH_HEIGHT: 194 stl_le_phys(&s->dma_as, value + 12, fbconfig.xres); 195 stl_le_phys(&s->dma_as, value + 16, fbconfig.yres); 196 resplen = 8; 197 break; 198 case RPI_FWREQ_FRAMEBUFFER_SET_VIRTUAL_WIDTH_HEIGHT: 199 fbconfig.xres_virtual = ldl_le_phys(&s->dma_as, value + 12); 200 fbconfig.yres_virtual = ldl_le_phys(&s->dma_as, value + 16); 201 bcm2835_fb_validate_config(&fbconfig); 202 fbconfig_updated = true; 203 /* fall through */ 204 case RPI_FWREQ_FRAMEBUFFER_GET_VIRTUAL_WIDTH_HEIGHT: 205 stl_le_phys(&s->dma_as, value + 12, fbconfig.xres_virtual); 206 stl_le_phys(&s->dma_as, value + 16, fbconfig.yres_virtual); 207 resplen = 8; 208 break; 209 case RPI_FWREQ_FRAMEBUFFER_TEST_DEPTH: 210 resplen = 4; 211 break; 212 case RPI_FWREQ_FRAMEBUFFER_SET_DEPTH: 213 fbconfig.bpp = ldl_le_phys(&s->dma_as, value + 12); 214 bcm2835_fb_validate_config(&fbconfig); 215 fbconfig_updated = true; 216 /* fall through */ 217 case RPI_FWREQ_FRAMEBUFFER_GET_DEPTH: 218 stl_le_phys(&s->dma_as, value + 12, fbconfig.bpp); 219 resplen = 4; 220 break; 221 case RPI_FWREQ_FRAMEBUFFER_TEST_PIXEL_ORDER: 222 resplen = 4; 223 break; 224 case RPI_FWREQ_FRAMEBUFFER_SET_PIXEL_ORDER: 225 fbconfig.pixo = ldl_le_phys(&s->dma_as, value + 12); 226 bcm2835_fb_validate_config(&fbconfig); 227 fbconfig_updated = true; 228 /* fall through */ 229 case RPI_FWREQ_FRAMEBUFFER_GET_PIXEL_ORDER: 230 stl_le_phys(&s->dma_as, value + 12, fbconfig.pixo); 231 resplen = 4; 232 break; 233 case RPI_FWREQ_FRAMEBUFFER_TEST_ALPHA_MODE: 234 resplen = 4; 235 break; 236 case RPI_FWREQ_FRAMEBUFFER_SET_ALPHA_MODE: 237 fbconfig.alpha = ldl_le_phys(&s->dma_as, value + 12); 238 bcm2835_fb_validate_config(&fbconfig); 239 fbconfig_updated = true; 240 /* fall through */ 241 case RPI_FWREQ_FRAMEBUFFER_GET_ALPHA_MODE: 242 stl_le_phys(&s->dma_as, value + 12, fbconfig.alpha); 243 resplen = 4; 244 break; 245 case RPI_FWREQ_FRAMEBUFFER_GET_PITCH: 246 stl_le_phys(&s->dma_as, value + 12, 247 bcm2835_fb_get_pitch(&fbconfig)); 248 resplen = 4; 249 break; 250 case RPI_FWREQ_FRAMEBUFFER_TEST_VIRTUAL_OFFSET: 251 resplen = 8; 252 break; 253 case RPI_FWREQ_FRAMEBUFFER_SET_VIRTUAL_OFFSET: 254 fbconfig.xoffset = ldl_le_phys(&s->dma_as, value + 12); 255 fbconfig.yoffset = ldl_le_phys(&s->dma_as, value + 16); 256 bcm2835_fb_validate_config(&fbconfig); 257 fbconfig_updated = true; 258 /* fall through */ 259 case RPI_FWREQ_FRAMEBUFFER_GET_VIRTUAL_OFFSET: 260 stl_le_phys(&s->dma_as, value + 12, fbconfig.xoffset); 261 stl_le_phys(&s->dma_as, value + 16, fbconfig.yoffset); 262 resplen = 8; 263 break; 264 case RPI_FWREQ_FRAMEBUFFER_GET_OVERSCAN: 265 case RPI_FWREQ_FRAMEBUFFER_TEST_OVERSCAN: 266 case RPI_FWREQ_FRAMEBUFFER_SET_OVERSCAN: 267 stl_le_phys(&s->dma_as, value + 12, 0); 268 stl_le_phys(&s->dma_as, value + 16, 0); 269 stl_le_phys(&s->dma_as, value + 20, 0); 270 stl_le_phys(&s->dma_as, value + 24, 0); 271 resplen = 16; 272 break; 273 case RPI_FWREQ_FRAMEBUFFER_SET_PALETTE: 274 { 275 uint32_t offset = ldl_le_phys(&s->dma_as, value + 12); 276 uint32_t length = ldl_le_phys(&s->dma_as, value + 16); 277 int resp; 278 279 if (offset > 255 || length < 1 || length > 256) { 280 resp = 1; /* invalid request */ 281 } else { 282 for (uint32_t e = 0; e < length; e++) { 283 uint32_t color = ldl_le_phys(&s->dma_as, value + 20 + (e << 2)); 284 stl_le_phys(&s->dma_as, 285 s->fbdev->vcram_base + ((offset + e) << 2), color); 286 } 287 resp = 0; 288 } 289 stl_le_phys(&s->dma_as, value + 12, resp); 290 resplen = 4; 291 break; 292 } 293 case RPI_FWREQ_FRAMEBUFFER_GET_NUM_DISPLAYS: 294 stl_le_phys(&s->dma_as, value + 12, 1); 295 resplen = 4; 296 break; 297 298 case RPI_FWREQ_GET_DMA_CHANNELS: 299 /* channels 2-5 */ 300 stl_le_phys(&s->dma_as, value + 12, 0x003C); 301 resplen = 4; 302 break; 303 304 case RPI_FWREQ_GET_COMMAND_LINE: 305 /* 306 * We follow the firmware behaviour: no NUL terminator is 307 * written to the buffer, and if the buffer is too short 308 * we report the required length in the response header 309 * and copy nothing to the buffer. 310 */ 311 resplen = strlen(s->command_line); 312 if (bufsize >= resplen) 313 address_space_write(&s->dma_as, value + 12, 314 MEMTXATTRS_UNSPECIFIED, s->command_line, 315 resplen); 316 break; 317 318 case RPI_FWREQ_GET_THROTTLED: 319 stl_le_phys(&s->dma_as, value + 12, 0); 320 resplen = 4; 321 break; 322 323 case RPI_FWREQ_VCHIQ_INIT: 324 stl_le_phys(&s->dma_as, 325 value + offsetof(rpi_firmware_prop_request_t, payload), 326 0); 327 resplen = VCHI_BUSADDR_SIZE; 328 break; 329 330 /* Customer OTP */ 331 332 case RPI_FWREQ_GET_CUSTOMER_OTP: 333 { 334 uint32_t start_num = ldl_le_phys(&s->dma_as, value + 12); 335 uint32_t number = ldl_le_phys(&s->dma_as, value + 16); 336 337 resplen = 8 + 4 * number; 338 339 for (uint32_t n = start_num; n < start_num + number && 340 n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) { 341 uint32_t otp_row = bcm2835_otp_get_row(s->otp, 342 BCM2835_OTP_CUSTOMER_OTP + n); 343 stl_le_phys(&s->dma_as, 344 value + 20 + ((n - start_num) << 2), otp_row); 345 } 346 break; 347 } 348 case RPI_FWREQ_SET_CUSTOMER_OTP: 349 { 350 uint32_t start_num = ldl_le_phys(&s->dma_as, value + 12); 351 uint32_t number = ldl_le_phys(&s->dma_as, value + 16); 352 353 resplen = 4; 354 355 /* Magic numbers to permanently lock customer OTP */ 356 if (start_num == BCM2835_OTP_LOCK_NUM1 && 357 number == BCM2835_OTP_LOCK_NUM2) { 358 bcm2835_otp_set_row(s->otp, 359 BCM2835_OTP_ROW_32, 360 BCM2835_OTP_ROW_32_LOCK); 361 break; 362 } 363 364 /* If row 32 has the lock bit, don't allow further writes */ 365 if (bcm2835_otp_get_row(s->otp, BCM2835_OTP_ROW_32) & 366 BCM2835_OTP_ROW_32_LOCK) { 367 break; 368 } 369 370 for (uint32_t n = start_num; n < start_num + number && 371 n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) { 372 uint32_t otp_row = ldl_le_phys(&s->dma_as, 373 value + 20 + ((n - start_num) << 2)); 374 bcm2835_otp_set_row(s->otp, 375 BCM2835_OTP_CUSTOMER_OTP + n, otp_row); 376 } 377 break; 378 } 379 380 /* Device-specific private key */ 381 case RPI_FWREQ_GET_PRIVATE_KEY: 382 { 383 uint32_t start_num = ldl_le_phys(&s->dma_as, value + 12); 384 uint32_t number = ldl_le_phys(&s->dma_as, value + 16); 385 386 resplen = 8 + 4 * number; 387 388 for (uint32_t n = start_num; n < start_num + number && 389 n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) { 390 uint32_t otp_row = bcm2835_otp_get_row(s->otp, 391 BCM2835_OTP_PRIVATE_KEY + n); 392 stl_le_phys(&s->dma_as, 393 value + 20 + ((n - start_num) << 2), otp_row); 394 } 395 break; 396 } 397 case RPI_FWREQ_SET_PRIVATE_KEY: 398 { 399 uint32_t start_num = ldl_le_phys(&s->dma_as, value + 12); 400 uint32_t number = ldl_le_phys(&s->dma_as, value + 16); 401 402 resplen = 4; 403 404 /* If row 32 has the lock bit, don't allow further writes */ 405 if (bcm2835_otp_get_row(s->otp, BCM2835_OTP_ROW_32) & 406 BCM2835_OTP_ROW_32_LOCK) { 407 break; 408 } 409 410 for (uint32_t n = start_num; n < start_num + number && 411 n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) { 412 uint32_t otp_row = ldl_le_phys(&s->dma_as, 413 value + 20 + ((n - start_num) << 2)); 414 bcm2835_otp_set_row(s->otp, 415 BCM2835_OTP_PRIVATE_KEY + n, otp_row); 416 } 417 break; 418 } 419 default: 420 qemu_log_mask(LOG_UNIMP, 421 "bcm2835_property: unhandled tag 0x%08x\n", tag); 422 break; 423 } 424 425 trace_bcm2835_mbox_property(tag, bufsize, resplen); 426 if (tag == 0) { 427 break; 428 } 429 430 stl_le_phys(&s->dma_as, value + 8, (1 << 31) | resplen); 431 value += bufsize + 12; 432 } 433 434 /* Reconfigure framebuffer if required */ 435 if (fbconfig_updated) { 436 bcm2835_fb_reconfigure(s->fbdev, &fbconfig); 437 } 438 439 /* Buffer response code */ 440 stl_le_phys(&s->dma_as, s->addr + 4, (1 << 31)); 441 } 442 443 static uint64_t bcm2835_property_read(void *opaque, hwaddr offset, 444 unsigned size) 445 { 446 BCM2835PropertyState *s = opaque; 447 uint32_t res = 0; 448 449 switch (offset) { 450 case MBOX_AS_DATA: 451 res = MBOX_CHAN_PROPERTY | s->addr; 452 s->pending = false; 453 qemu_set_irq(s->mbox_irq, 0); 454 break; 455 456 case MBOX_AS_PENDING: 457 res = s->pending; 458 break; 459 460 default: 461 qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset %"HWADDR_PRIx"\n", 462 __func__, offset); 463 return 0; 464 } 465 466 return res; 467 } 468 469 static void bcm2835_property_write(void *opaque, hwaddr offset, 470 uint64_t value, unsigned size) 471 { 472 BCM2835PropertyState *s = opaque; 473 474 switch (offset) { 475 case MBOX_AS_DATA: 476 /* bcm2835_mbox should check our pending status before pushing */ 477 assert(!s->pending); 478 s->pending = true; 479 bcm2835_property_mbox_push(s, value); 480 qemu_set_irq(s->mbox_irq, 1); 481 break; 482 483 default: 484 qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset %"HWADDR_PRIx"\n", 485 __func__, offset); 486 return; 487 } 488 } 489 490 static const MemoryRegionOps bcm2835_property_ops = { 491 .read = bcm2835_property_read, 492 .write = bcm2835_property_write, 493 .endianness = DEVICE_NATIVE_ENDIAN, 494 .valid.min_access_size = 4, 495 .valid.max_access_size = 4, 496 }; 497 498 static const VMStateDescription vmstate_bcm2835_property = { 499 .name = TYPE_BCM2835_PROPERTY, 500 .version_id = 1, 501 .minimum_version_id = 1, 502 .fields = (const VMStateField[]) { 503 VMSTATE_MACADDR(macaddr, BCM2835PropertyState), 504 VMSTATE_UINT32(addr, BCM2835PropertyState), 505 VMSTATE_BOOL(pending, BCM2835PropertyState), 506 VMSTATE_END_OF_LIST() 507 } 508 }; 509 510 static void bcm2835_property_init(Object *obj) 511 { 512 BCM2835PropertyState *s = BCM2835_PROPERTY(obj); 513 514 memory_region_init_io(&s->iomem, OBJECT(s), &bcm2835_property_ops, s, 515 TYPE_BCM2835_PROPERTY, 0x10); 516 517 /* 518 * bcm2835_property_ops call into bcm2835_mbox, which in-turn reads from 519 * iomem. As such, mark iomem as re-entracy safe. 520 */ 521 s->iomem.disable_reentrancy_guard = true; 522 523 sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->iomem); 524 sysbus_init_irq(SYS_BUS_DEVICE(s), &s->mbox_irq); 525 } 526 527 static void bcm2835_property_reset(DeviceState *dev) 528 { 529 BCM2835PropertyState *s = BCM2835_PROPERTY(dev); 530 531 s->pending = false; 532 } 533 534 static void bcm2835_property_realize(DeviceState *dev, Error **errp) 535 { 536 BCM2835PropertyState *s = BCM2835_PROPERTY(dev); 537 Object *obj; 538 539 obj = object_property_get_link(OBJECT(dev), "fb", &error_abort); 540 s->fbdev = BCM2835_FB(obj); 541 542 obj = object_property_get_link(OBJECT(dev), "dma-mr", &error_abort); 543 s->dma_mr = MEMORY_REGION(obj); 544 address_space_init(&s->dma_as, s->dma_mr, TYPE_BCM2835_PROPERTY "-memory"); 545 546 obj = object_property_get_link(OBJECT(dev), "otp", &error_abort); 547 s->otp = BCM2835_OTP(obj); 548 549 /* TODO: connect to MAC address of USB NIC device, once we emulate it */ 550 qemu_macaddr_default_if_unset(&s->macaddr); 551 552 bcm2835_property_reset(dev); 553 } 554 555 static Property bcm2835_property_props[] = { 556 DEFINE_PROP_UINT32("board-rev", BCM2835PropertyState, board_rev, 0), 557 DEFINE_PROP_STRING("command-line", BCM2835PropertyState, command_line), 558 DEFINE_PROP_END_OF_LIST() 559 }; 560 561 static void bcm2835_property_class_init(ObjectClass *klass, void *data) 562 { 563 DeviceClass *dc = DEVICE_CLASS(klass); 564 565 device_class_set_props(dc, bcm2835_property_props); 566 dc->realize = bcm2835_property_realize; 567 dc->vmsd = &vmstate_bcm2835_property; 568 } 569 570 static const TypeInfo bcm2835_property_info = { 571 .name = TYPE_BCM2835_PROPERTY, 572 .parent = TYPE_SYS_BUS_DEVICE, 573 .instance_size = sizeof(BCM2835PropertyState), 574 .class_init = bcm2835_property_class_init, 575 .instance_init = bcm2835_property_init, 576 }; 577 578 static void bcm2835_property_register_types(void) 579 { 580 type_register_static(&bcm2835_property_info); 581 } 582 583 type_init(bcm2835_property_register_types) 584