1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * eMMC emulation defined in "JEDEC Standard No. 84-A43" 6 * 7 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 8 * Copyright (c) 2007 CodeSourcery 9 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in 19 * the documentation and/or other materials provided with the 20 * distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 23 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 25 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 26 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 27 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 29 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 30 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include "qemu/osdep.h" 36 #include "qemu/units.h" 37 #include "qemu/cutils.h" 38 #include "hw/irq.h" 39 #include "hw/registerfields.h" 40 #include "system/block-backend.h" 41 #include "hw/sd/sd.h" 42 #include "migration/vmstate.h" 43 #include "qapi/error.h" 44 #include "qemu/bitmap.h" 45 #include "hw/qdev-properties.h" 46 #include "hw/qdev-properties-system.h" 47 #include "qemu/error-report.h" 48 #include "qemu/timer.h" 49 #include "qemu/log.h" 50 #include "qemu/guest-random.h" 51 #include "qemu/module.h" 52 #include "sdmmc-internal.h" 53 #include "trace.h" 54 55 //#define DEBUG_SD 1 56 57 #define SDSC_MAX_CAPACITY (2 * GiB) 58 59 #define INVALID_ADDRESS UINT32_MAX 60 61 typedef enum { 62 sd_r0 = 0, /* no response */ 63 sd_r1, /* normal response command */ 64 sd_r2_i, /* CID register */ 65 sd_r2_s, /* CSD register */ 66 sd_r3, /* OCR register */ 67 sd_r6 = 6, /* Published RCA response */ 68 sd_r7, /* Operating voltage */ 69 sd_r1b = -1, 70 sd_illegal = -2, 71 } sd_rsp_type_t; 72 73 typedef enum { 74 sd_spi, 75 sd_bc, /* broadcast -- no response */ 76 sd_bcr, /* broadcast with response */ 77 sd_ac, /* addressed -- no data transfer */ 78 sd_adtc, /* addressed with data transfer */ 79 } sd_cmd_type_t; 80 81 enum SDCardModes { 82 sd_inactive, 83 sd_card_identification_mode, 84 sd_data_transfer_mode, 85 }; 86 87 enum SDCardStates { 88 sd_waitirq_state = -2, /* emmc */ 89 sd_inactive_state = -1, 90 91 sd_idle_state = 0, 92 sd_ready_state = 1, 93 sd_identification_state = 2, 94 sd_standby_state = 3, 95 sd_transfer_state = 4, 96 sd_sendingdata_state = 5, 97 sd_receivingdata_state = 6, 98 sd_programming_state = 7, 99 sd_disconnect_state = 8, 100 sd_bus_test_state = 9, /* emmc */ 101 sd_sleep_state = 10, /* emmc */ 102 sd_io_state = 15 /* sd */ 103 }; 104 105 #define SDMMC_CMD_MAX 64 106 107 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req); 108 109 typedef struct SDProto { 110 const char *name; 111 struct { 112 const unsigned class; 113 const sd_cmd_type_t type; 114 const char *name; 115 sd_cmd_handler handler; 116 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX]; 117 } SDProto; 118 119 struct SDState { 120 DeviceState parent_obj; 121 122 /* SD Memory Card Registers */ 123 uint32_t ocr; 124 uint8_t scr[8]; 125 uint8_t cid[16]; 126 uint8_t csd[16]; 127 uint16_t rca; 128 uint32_t card_status; 129 uint8_t sd_status[64]; 130 union { 131 uint8_t ext_csd[512]; 132 struct { 133 uint8_t ext_csd_rw[192]; /* Modes segment */ 134 uint8_t ext_csd_ro[320]; /* Properties segment */ 135 }; 136 }; 137 138 /* Static properties */ 139 140 uint8_t spec_version; 141 uint64_t boot_part_size; 142 BlockBackend *blk; 143 uint8_t boot_config; 144 145 const SDProto *proto; 146 147 /* Runtime changeables */ 148 149 uint32_t mode; /* current card mode, one of SDCardModes */ 150 int32_t state; /* current card state, one of SDCardStates */ 151 uint32_t vhs; 152 bool wp_switch; 153 unsigned long *wp_group_bmap; 154 int32_t wp_group_bits; 155 uint64_t size; 156 uint32_t blk_len; 157 uint32_t multi_blk_cnt; 158 uint32_t erase_start; 159 uint32_t erase_end; 160 uint8_t pwd[16]; 161 uint32_t pwd_len; 162 uint8_t function_group[6]; 163 uint8_t current_cmd; 164 const char *last_cmd_name; 165 /* True if we will handle the next command as an ACMD. Note that this does 166 * *not* track the APP_CMD status bit! 167 */ 168 bool expecting_acmd; 169 uint32_t blk_written; 170 171 uint64_t data_start; 172 uint32_t data_offset; 173 size_t data_size; 174 uint8_t data[512]; 175 QEMUTimer *ocr_power_timer; 176 uint8_t dat_lines; 177 bool cmd_line; 178 }; 179 180 static void sd_realize(DeviceState *dev, Error **errp); 181 182 static const SDProto sd_proto_spi; 183 static const SDProto sd_proto_emmc; 184 185 static bool sd_is_spi(SDState *sd) 186 { 187 return sd->proto == &sd_proto_spi; 188 } 189 190 static bool sd_is_emmc(SDState *sd) 191 { 192 return sd->proto == &sd_proto_emmc; 193 } 194 195 static const char *sd_version_str(enum SDPhySpecificationVersion version) 196 { 197 static const char *sdphy_version[] = { 198 [SD_PHY_SPECv1_10_VERS] = "v1.10", 199 [SD_PHY_SPECv2_00_VERS] = "v2.00", 200 [SD_PHY_SPECv3_01_VERS] = "v3.01", 201 }; 202 if (version >= ARRAY_SIZE(sdphy_version)) { 203 return "unsupported version"; 204 } 205 return sdphy_version[version]; 206 } 207 208 static const char *sd_mode_name(enum SDCardModes mode) 209 { 210 static const char *mode_name[] = { 211 [sd_inactive] = "inactive", 212 [sd_card_identification_mode] = "identification", 213 [sd_data_transfer_mode] = "transfer", 214 }; 215 assert(mode < ARRAY_SIZE(mode_name)); 216 return mode_name[mode]; 217 } 218 219 static const char *sd_state_name(enum SDCardStates state) 220 { 221 static const char *state_name[] = { 222 [sd_idle_state] = "idle", 223 [sd_ready_state] = "ready", 224 [sd_identification_state] = "identification", 225 [sd_standby_state] = "standby", 226 [sd_transfer_state] = "transfer", 227 [sd_sendingdata_state] = "sendingdata", 228 [sd_bus_test_state] = "bus-test", 229 [sd_receivingdata_state] = "receivingdata", 230 [sd_programming_state] = "programming", 231 [sd_disconnect_state] = "disconnect", 232 [sd_sleep_state] = "sleep", 233 [sd_io_state] = "i/o" 234 }; 235 if (state == sd_inactive_state) { 236 return "inactive"; 237 } 238 if (state == sd_waitirq_state) { 239 return "wait-irq"; 240 } 241 assert(state < ARRAY_SIZE(state_name)); 242 return state_name[state]; 243 } 244 245 static const char *sd_response_name(sd_rsp_type_t rsp) 246 { 247 static const char *response_name[] = { 248 [sd_r0] = "RESP#0 (no response)", 249 [sd_r1] = "RESP#1 (normal cmd)", 250 [sd_r2_i] = "RESP#2 (CID reg)", 251 [sd_r2_s] = "RESP#2 (CSD reg)", 252 [sd_r3] = "RESP#3 (OCR reg)", 253 [sd_r6] = "RESP#6 (RCA)", 254 [sd_r7] = "RESP#7 (operating voltage)", 255 }; 256 if (rsp == sd_illegal) { 257 return "ILLEGAL RESP"; 258 } 259 if (rsp == sd_r1b) { 260 rsp = sd_r1; 261 } 262 assert(rsp < ARRAY_SIZE(response_name)); 263 return response_name[rsp]; 264 } 265 266 static const char *sd_cmd_name(SDState *sd, uint8_t cmd) 267 { 268 static const char *cmd_abbrev[SDMMC_CMD_MAX] = { 269 [18] = "READ_MULTIPLE_BLOCK", 270 [25] = "WRITE_MULTIPLE_BLOCK", 271 }; 272 const SDProto *sdp = sd->proto; 273 274 if (sdp->cmd[cmd].handler) { 275 assert(!cmd_abbrev[cmd]); 276 return sdp->cmd[cmd].name; 277 } 278 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD"; 279 } 280 281 static const char *sd_acmd_name(SDState *sd, uint8_t cmd) 282 { 283 const SDProto *sdp = sd->proto; 284 285 if (sdp->acmd[cmd].handler) { 286 return sdp->acmd[cmd].name; 287 } 288 289 return "UNKNOWN_ACMD"; 290 } 291 292 static uint8_t sd_get_dat_lines(SDState *sd) 293 { 294 return sd->dat_lines; 295 } 296 297 static bool sd_get_cmd_line(SDState *sd) 298 { 299 return sd->cmd_line; 300 } 301 302 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 303 { 304 trace_sdcard_set_voltage(millivolts); 305 306 switch (millivolts) { 307 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 308 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 309 break; 310 default: 311 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 312 millivolts / 1000.f); 313 } 314 } 315 316 static void sd_set_mode(SDState *sd) 317 { 318 switch (sd->state) { 319 case sd_inactive_state: 320 sd->mode = sd_inactive; 321 break; 322 323 case sd_idle_state: 324 case sd_ready_state: 325 case sd_identification_state: 326 sd->mode = sd_card_identification_mode; 327 break; 328 329 case sd_standby_state: 330 case sd_transfer_state: 331 case sd_sendingdata_state: 332 case sd_receivingdata_state: 333 case sd_programming_state: 334 case sd_disconnect_state: 335 sd->mode = sd_data_transfer_mode; 336 break; 337 } 338 } 339 340 static uint8_t sd_crc7(const void *message, size_t width) 341 { 342 int i, bit; 343 uint8_t shift_reg = 0x00; 344 const uint8_t *msg = (const uint8_t *)message; 345 346 for (i = 0; i < width; i ++, msg ++) 347 for (bit = 7; bit >= 0; bit --) { 348 shift_reg <<= 1; 349 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 350 shift_reg ^= 0x89; 351 } 352 353 return shift_reg; 354 } 355 356 /* Operation Conditions register */ 357 358 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 359 360 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 361 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 362 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 363 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 364 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 365 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 366 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 367 FIELD(OCR, CARD_POWER_UP, 31, 1) 368 369 #define ACMD41_ENQUIRY_MASK 0x00ffffff 370 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 371 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 372 | R_OCR_UHS_II_CARD_MASK \ 373 | R_OCR_CARD_CAPACITY_MASK \ 374 | R_OCR_CARD_POWER_UP_MASK) 375 376 static void sd_ocr_powerup(void *opaque) 377 { 378 SDState *sd = opaque; 379 380 trace_sdcard_powerup(); 381 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 382 383 /* card power-up OK */ 384 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 385 386 if (sd->size > SDSC_MAX_CAPACITY) { 387 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 388 } 389 } 390 391 static void sd_set_ocr(SDState *sd) 392 { 393 /* All voltages OK */ 394 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 395 396 if (sd_is_spi(sd)) { 397 /* 398 * We don't need to emulate power up sequence in SPI-mode. 399 * Thus, the card's power up status bit should be set to 1 when reset. 400 * The card's capacity status bit should also be set if SD card size 401 * is larger than 2GB for SDHC support. 402 */ 403 sd_ocr_powerup(sd); 404 } 405 } 406 407 /* SD Configuration register */ 408 409 static void sd_set_scr(SDState *sd) 410 { 411 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 412 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 413 sd->scr[0] |= 1; /* Spec Version 1.10 */ 414 } else { 415 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 416 } 417 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 418 | 0b0101; /* 1-bit or 4-bit width bus modes */ 419 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 420 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 421 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 422 } 423 sd->scr[3] = 0x00; 424 /* reserved for manufacturer usage */ 425 sd->scr[4] = 0x00; 426 sd->scr[5] = 0x00; 427 sd->scr[6] = 0x00; 428 sd->scr[7] = 0x00; 429 } 430 431 /* Card IDentification register */ 432 433 #define MID 0xaa 434 #define OID "XY" 435 #define PNM "QEMU!" 436 #define PRV 0x01 437 #define MDT_YR 2006 438 #define MDT_MON 2 439 440 static void sd_set_cid(SDState *sd) 441 { 442 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 443 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 444 sd->cid[2] = OID[1]; 445 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 446 sd->cid[4] = PNM[1]; 447 sd->cid[5] = PNM[2]; 448 sd->cid[6] = PNM[3]; 449 sd->cid[7] = PNM[4]; 450 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 451 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */ 452 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 453 ((MDT_YR - 2000) / 10); 454 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 455 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 456 } 457 458 static void emmc_set_cid(SDState *sd) 459 { 460 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 461 sd->cid[1] = 0b01; /* CBX: soldered BGA */ 462 sd->cid[2] = OID[0]; /* OEM/Application ID (OID) */ 463 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 464 sd->cid[4] = PNM[1]; 465 sd->cid[5] = PNM[2]; 466 sd->cid[6] = PNM[3]; 467 sd->cid[7] = PNM[4]; 468 sd->cid[8] = PNM[4]; 469 sd->cid[9] = PRV; /* Fake product revision (PRV) */ 470 stl_be_p(&sd->cid[10], 0xdeadbeef); /* Fake serial number (PSN) */ 471 sd->cid[14] = (MDT_MON << 4) | (MDT_YR - 1997); /* Manufacture date (MDT) */ 472 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 473 } 474 475 /* Card-Specific Data register */ 476 477 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 478 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 479 #define WPGROUP_SHIFT 7 /* 2 megs */ 480 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 481 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 482 483 static const uint8_t sd_csd_rw_mask[16] = { 484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 485 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 486 }; 487 488 static void emmc_set_ext_csd(SDState *sd, uint64_t size) 489 { 490 uint32_t sectcount = size >> HWBLOCK_SHIFT; 491 492 memset(sd->ext_csd, 0, sizeof(sd->ext_csd)); /* FIXME only RW at reset */ 493 494 /* Properties segment (RO) */ 495 sd->ext_csd[EXT_CSD_S_CMD_SET] = 0b1; /* supported command sets */ 496 sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x0; /* Boot information */ 497 /* Boot partition size. 128KB unit */ 498 sd->ext_csd[EXT_CSD_BOOT_MULT] = sd->boot_part_size / (128 * KiB); 499 sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x1; /* Access size */ 500 sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x01; /* HC Erase unit size */ 501 sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x01; /* HC erase timeout */ 502 sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */ 503 sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x01; /* HC write protect group size */ 504 sd->ext_csd[EXT_CSD_S_C_VCC] = 0x01; /* Sleep current VCC */ 505 sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x01; /* Sleep current VCCQ */ 506 sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x01; /* Sleep/Awake timeout */ 507 stl_le_p(&sd->ext_csd[EXT_CSD_SEC_CNT], sectcount); /* Sector count */ 508 sd->ext_csd[210] = 0x46; /* Min write perf for 8bit@52Mhz */ 509 sd->ext_csd[209] = 0x46; /* Min read perf for 8bit@52Mhz */ 510 sd->ext_csd[208] = 0x46; /* Min write perf for 4bit@52Mhz */ 511 sd->ext_csd[207] = 0x46; /* Min read perf for 4bit@52Mhz */ 512 sd->ext_csd[206] = 0x46; /* Min write perf for 4bit@26Mhz */ 513 sd->ext_csd[205] = 0x46; /* Min read perf for 4bit@26Mhz */ 514 sd->ext_csd[EXT_CSD_CARD_TYPE] = 0b11; 515 sd->ext_csd[EXT_CSD_STRUCTURE] = 2; 516 sd->ext_csd[EXT_CSD_REV] = 3; 517 518 /* Mode segment (RW) */ 519 sd->ext_csd[EXT_CSD_PART_CONFIG] = sd->boot_config; 520 } 521 522 static void emmc_set_csd(SDState *sd, uint64_t size) 523 { 524 int hwblock_shift = HWBLOCK_SHIFT; 525 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 526 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 527 528 sd->csd[0] = (3 << 6) | (4 << 2); /* Spec v4.3 with EXT_CSD */ 529 sd->csd[1] = (1 << 3) | 6; /* Asynchronous data access time: 1ms */ 530 sd->csd[2] = 0x00; 531 sd->csd[3] = (1 << 3) | 3;; /* Maximum bus clock frequency: 100MHz */ 532 sd->csd[4] = 0x0f; 533 if (size <= 2 * GiB) { 534 /* use 1k blocks */ 535 uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1; 536 sd->csd[5] = 0x5a; 537 sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf); 538 sd->csd[7] = (csize1k >> 2) & 0xff; 539 } else { /* >= 2GB : size stored in ext CSD, block addressing */ 540 sd->csd[5] = 0x59; 541 sd->csd[6] = 0x8f; 542 sd->csd[7] = 0xff; 543 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 544 } 545 sd->csd[8] = 0xff; 546 sd->csd[9] = 0xfc | /* Max. write current */ 547 ((CMULT_SHIFT - 2) >> 1); 548 sd->csd[10] = 0x40 | /* Erase sector size */ 549 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 550 sd->csd[11] = 0x00 | /* Write protect group size */ 551 ((sectsize << 7) & 0x80) | wpsize; 552 sd->csd[12] = 0x90 | /* Write speed factor */ 553 (hwblock_shift >> 2); 554 sd->csd[13] = 0x20 | /* Max. write data block length */ 555 ((hwblock_shift << 6) & 0xc0); 556 sd->csd[14] = 0x00; 557 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 558 emmc_set_ext_csd(sd, size); 559 } 560 561 static void sd_set_csd(SDState *sd, uint64_t size) 562 { 563 int hwblock_shift = HWBLOCK_SHIFT; 564 uint32_t csize; 565 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 566 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 567 568 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */ 569 if (size == SDSC_MAX_CAPACITY) { 570 hwblock_shift += 1; 571 } 572 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1; 573 574 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */ 575 sd->csd[0] = 0x00; /* CSD structure */ 576 sd->csd[1] = 0x26; /* Data read access-time-1 */ 577 sd->csd[2] = 0x00; /* Data read access-time-2 */ 578 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 579 sd->csd[4] = 0x5f; /* Card Command Classes */ 580 sd->csd[5] = 0x50 | /* Max. read data block length */ 581 hwblock_shift; 582 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 583 ((csize >> 10) & 0x03); 584 sd->csd[7] = 0x00 | /* Device size */ 585 ((csize >> 2) & 0xff); 586 sd->csd[8] = 0x3f | /* Max. read current */ 587 ((csize << 6) & 0xc0); 588 sd->csd[9] = 0xfc | /* Max. write current */ 589 ((CMULT_SHIFT - 2) >> 1); 590 sd->csd[10] = 0x40 | /* Erase sector size */ 591 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 592 sd->csd[11] = 0x00 | /* Write protect group size */ 593 ((sectsize << 7) & 0x80) | wpsize; 594 sd->csd[12] = 0x90 | /* Write speed factor */ 595 (hwblock_shift >> 2); 596 sd->csd[13] = 0x20 | /* Max. write data block length */ 597 ((hwblock_shift << 6) & 0xc0); 598 sd->csd[14] = 0x00; /* File format group */ 599 } else { /* SDHC */ 600 size /= 512 * KiB; 601 size -= 1; 602 sd->csd[0] = 0x40; 603 sd->csd[1] = 0x0e; 604 sd->csd[2] = 0x00; 605 sd->csd[3] = 0x32; 606 sd->csd[4] = 0x5b; 607 sd->csd[5] = 0x59; 608 sd->csd[6] = 0x00; 609 st24_be_p(&sd->csd[7], size); 610 sd->csd[10] = 0x7f; 611 sd->csd[11] = 0x80; 612 sd->csd[12] = 0x0a; 613 sd->csd[13] = 0x40; 614 sd->csd[14] = 0x00; 615 } 616 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 617 } 618 619 /* Relative Card Address register */ 620 621 static void sd_set_rca(SDState *sd, uint16_t value) 622 { 623 trace_sdcard_set_rca(value); 624 sd->rca = value; 625 } 626 627 static uint16_t sd_req_get_rca(SDState *s, SDRequest req) 628 { 629 switch (s->proto->cmd[req.cmd].type) { 630 case sd_ac: 631 case sd_adtc: 632 return req.arg >> 16; 633 case sd_spi: 634 default: 635 g_assert_not_reached(); 636 } 637 } 638 639 static bool sd_req_rca_same(SDState *s, SDRequest req) 640 { 641 return sd_req_get_rca(s, req) == s->rca; 642 } 643 644 /* Card Status register */ 645 646 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 647 FIELD(CSR, APP_CMD, 5, 1) 648 FIELD(CSR, FX_EVENT, 6, 1) 649 FIELD(CSR, SWITCH_ERROR, 7, 1) 650 FIELD(CSR, READY_FOR_DATA, 8, 1) 651 FIELD(CSR, CURRENT_STATE, 9, 4) 652 FIELD(CSR, ERASE_RESET, 13, 1) 653 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 654 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 655 FIELD(CSR, CSD_OVERWRITE, 16, 1) 656 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 657 FIELD(CSR, ERROR, 19, 1) 658 FIELD(CSR, CC_ERROR, 20, 1) 659 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 660 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 661 FIELD(CSR, COM_CRC_ERROR, 23, 1) 662 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 663 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 664 FIELD(CSR, WP_VIOLATION, 26, 1) 665 FIELD(CSR, ERASE_PARAM, 27, 1) 666 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 667 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 668 FIELD(CSR, ADDRESS_ERROR, 30, 1) 669 FIELD(CSR, OUT_OF_RANGE, 31, 1) 670 671 /* Card status bits, split by clear condition: 672 * A : According to the card current state 673 * B : Always related to the previous command 674 * C : Cleared by read 675 */ 676 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 677 | R_CSR_CARD_ECC_DISABLED_MASK \ 678 | R_CSR_CARD_IS_LOCKED_MASK) 679 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 680 | R_CSR_ILLEGAL_COMMAND_MASK \ 681 | R_CSR_COM_CRC_ERROR_MASK) 682 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 683 | R_CSR_APP_CMD_MASK \ 684 | R_CSR_ERASE_RESET_MASK \ 685 | R_CSR_WP_ERASE_SKIP_MASK \ 686 | R_CSR_CSD_OVERWRITE_MASK \ 687 | R_CSR_ERROR_MASK \ 688 | R_CSR_CC_ERROR_MASK \ 689 | R_CSR_CARD_ECC_FAILED_MASK \ 690 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 691 | R_CSR_WP_VIOLATION_MASK \ 692 | R_CSR_ERASE_PARAM_MASK \ 693 | R_CSR_ERASE_SEQ_ERROR_MASK \ 694 | R_CSR_BLOCK_LEN_ERROR_MASK \ 695 | R_CSR_ADDRESS_ERROR_MASK \ 696 | R_CSR_OUT_OF_RANGE_MASK) 697 698 static void sd_set_cardstatus(SDState *sd) 699 { 700 sd->card_status = READY_FOR_DATA; 701 } 702 703 static void sd_set_sdstatus(SDState *sd) 704 { 705 memset(sd->sd_status, 0, 64); 706 } 707 708 static const uint8_t sd_tuning_block_pattern4[64] = { 709 /* 710 * See: Physical Layer Simplified Specification Version 3.01, 711 * Table 4-2. 712 */ 713 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 714 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 715 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 716 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 717 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 718 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 719 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 720 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde 721 }; 722 723 static int sd_req_crc_validate(SDRequest *req) 724 { 725 uint8_t buffer[5]; 726 buffer[0] = 0x40 | req->cmd; 727 stl_be_p(&buffer[1], req->arg); 728 return 0; 729 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 730 } 731 732 static void sd_response_r1_make(SDState *sd, uint8_t *response) 733 { 734 stl_be_p(response, sd->card_status); 735 736 /* Clear the "clear on read" status bits */ 737 sd->card_status &= ~CARD_STATUS_C; 738 } 739 740 static void sd_response_r3_make(SDState *sd, uint8_t *response) 741 { 742 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 743 } 744 745 static void sd_response_r6_make(SDState *sd, uint8_t *response) 746 { 747 uint16_t status; 748 749 status = ((sd->card_status >> 8) & 0xc000) | 750 ((sd->card_status >> 6) & 0x2000) | 751 (sd->card_status & 0x1fff); 752 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 753 stw_be_p(response + 0, sd->rca); 754 stw_be_p(response + 2, status); 755 } 756 757 static void sd_response_r7_make(SDState *sd, uint8_t *response) 758 { 759 stl_be_p(response, sd->vhs); 760 } 761 762 static uint32_t sd_blk_len(SDState *sd) 763 { 764 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 765 return 1 << HWBLOCK_SHIFT; 766 } 767 return sd->blk_len; 768 } 769 770 /* 771 * This requires a disk image that has two boot partitions inserted at the 772 * beginning of it. The size of the boot partitions is the "boot-size" 773 * property. 774 */ 775 static uint32_t sd_bootpart_offset(SDState *sd) 776 { 777 unsigned partition_access; 778 779 if (!sd->boot_part_size || !sd_is_emmc(sd)) { 780 return 0; 781 } 782 783 partition_access = sd->ext_csd[EXT_CSD_PART_CONFIG] 784 & EXT_CSD_PART_CONFIG_ACC_MASK; 785 switch (partition_access) { 786 case EXT_CSD_PART_CONFIG_ACC_DEFAULT: 787 return sd->boot_part_size * 2; 788 case EXT_CSD_PART_CONFIG_ACC_BOOT0: 789 return 0; 790 case EXT_CSD_PART_CONFIG_ACC_BOOT0 + 1: 791 return sd->boot_part_size * 1; 792 default: 793 g_assert_not_reached(); 794 } 795 } 796 797 static uint64_t sd_req_get_address(SDState *sd, SDRequest req) 798 { 799 uint64_t addr; 800 801 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 802 addr = (uint64_t) req.arg << HWBLOCK_SHIFT; 803 } else { 804 addr = req.arg; 805 } 806 trace_sdcard_req_addr(req.arg, addr); 807 return addr; 808 } 809 810 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 811 { 812 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 813 } 814 815 static void sd_reset(DeviceState *dev) 816 { 817 SDState *sd = SDMMC_COMMON(dev); 818 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd); 819 uint64_t size; 820 uint64_t sect; 821 822 trace_sdcard_reset(); 823 if (sd->blk) { 824 blk_get_geometry(sd->blk, §); 825 } else { 826 sect = 0; 827 } 828 size = sect << HWBLOCK_SHIFT; 829 if (sd_is_emmc(sd)) { 830 size -= sd->boot_part_size * 2; 831 } 832 833 sect = sd_addr_to_wpnum(size) + 1; 834 835 sd->state = sd_idle_state; 836 837 /* card registers */ 838 sd->rca = sd_is_emmc(sd) ? 0x0001 : 0x0000; 839 sd->size = size; 840 sd_set_ocr(sd); 841 sd_set_scr(sd); 842 sc->set_cid(sd); 843 sc->set_csd(sd, size); 844 sd_set_cardstatus(sd); 845 sd_set_sdstatus(sd); 846 847 g_free(sd->wp_group_bmap); 848 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false; 849 sd->wp_group_bits = sect; 850 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits); 851 memset(sd->function_group, 0, sizeof(sd->function_group)); 852 sd->erase_start = INVALID_ADDRESS; 853 sd->erase_end = INVALID_ADDRESS; 854 sd->blk_len = 0x200; 855 sd->pwd_len = 0; 856 sd->expecting_acmd = false; 857 sd->dat_lines = 0xf; 858 sd->cmd_line = true; 859 sd->multi_blk_cnt = 0; 860 } 861 862 static bool sd_get_inserted(SDState *sd) 863 { 864 return sd->blk && blk_is_inserted(sd->blk); 865 } 866 867 static bool sd_get_readonly(SDState *sd) 868 { 869 return sd->wp_switch; 870 } 871 872 static void sd_cardchange(void *opaque, bool load, Error **errp) 873 { 874 SDState *sd = opaque; 875 DeviceState *dev = DEVICE(sd); 876 SDBus *sdbus; 877 bool inserted = sd_get_inserted(sd); 878 bool readonly = sd_get_readonly(sd); 879 880 if (inserted) { 881 trace_sdcard_inserted(readonly); 882 sd_reset(dev); 883 } else { 884 trace_sdcard_ejected(); 885 } 886 887 sdbus = SD_BUS(qdev_get_parent_bus(dev)); 888 sdbus_set_inserted(sdbus, inserted); 889 if (inserted) { 890 sdbus_set_readonly(sdbus, readonly); 891 } 892 } 893 894 static const BlockDevOps sd_block_ops = { 895 .change_media_cb = sd_cardchange, 896 }; 897 898 static bool sd_ocr_vmstate_needed(void *opaque) 899 { 900 SDState *sd = opaque; 901 902 /* Include the OCR state (and timer) if it is not yet powered up */ 903 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 904 } 905 906 static const VMStateDescription sd_ocr_vmstate = { 907 .name = "sd-card/ocr-state", 908 .version_id = 1, 909 .minimum_version_id = 1, 910 .needed = sd_ocr_vmstate_needed, 911 .fields = (const VMStateField[]) { 912 VMSTATE_UINT32(ocr, SDState), 913 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 914 VMSTATE_END_OF_LIST() 915 }, 916 }; 917 918 static bool vmstate_needed_for_emmc(void *opaque) 919 { 920 SDState *sd = opaque; 921 922 return sd_is_emmc(sd); 923 } 924 925 static const VMStateDescription emmc_extcsd_vmstate = { 926 .name = "sd-card/ext_csd_modes-state", 927 .version_id = 1, 928 .minimum_version_id = 1, 929 .needed = vmstate_needed_for_emmc, 930 .fields = (const VMStateField[]) { 931 VMSTATE_UINT8_ARRAY(ext_csd_rw, SDState, 192), 932 VMSTATE_END_OF_LIST() 933 }, 934 }; 935 936 static int sd_vmstate_pre_load(void *opaque) 937 { 938 SDState *sd = opaque; 939 940 /* If the OCR state is not included (prior versions, or not 941 * needed), then the OCR must be set as powered up. If the OCR state 942 * is included, this will be replaced by the state restore. 943 */ 944 sd_ocr_powerup(sd); 945 946 return 0; 947 } 948 949 static const VMStateDescription sd_vmstate = { 950 .name = "sd-card", 951 .version_id = 2, 952 .minimum_version_id = 2, 953 .pre_load = sd_vmstate_pre_load, 954 .fields = (const VMStateField[]) { 955 VMSTATE_UINT32(mode, SDState), 956 VMSTATE_INT32(state, SDState), 957 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 958 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 959 VMSTATE_UINT16(rca, SDState), 960 VMSTATE_UINT32(card_status, SDState), 961 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 962 VMSTATE_UINT32(vhs, SDState), 963 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits), 964 VMSTATE_UINT32(blk_len, SDState), 965 VMSTATE_UINT32(multi_blk_cnt, SDState), 966 VMSTATE_UINT32(erase_start, SDState), 967 VMSTATE_UINT32(erase_end, SDState), 968 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 969 VMSTATE_UINT32(pwd_len, SDState), 970 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 971 VMSTATE_UINT8(current_cmd, SDState), 972 VMSTATE_BOOL(expecting_acmd, SDState), 973 VMSTATE_UINT32(blk_written, SDState), 974 VMSTATE_UINT64(data_start, SDState), 975 VMSTATE_UINT32(data_offset, SDState), 976 VMSTATE_UINT8_ARRAY(data, SDState, 512), 977 VMSTATE_UNUSED_V(1, 512), 978 VMSTATE_UNUSED(1), 979 VMSTATE_END_OF_LIST() 980 }, 981 .subsections = (const VMStateDescription * const []) { 982 &sd_ocr_vmstate, 983 &emmc_extcsd_vmstate, 984 NULL 985 }, 986 }; 987 988 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 989 { 990 trace_sdcard_read_block(addr, len); 991 addr += sd_bootpart_offset(sd); 992 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) { 993 fprintf(stderr, "sd_blk_read: read error on host side\n"); 994 } 995 } 996 997 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 998 { 999 trace_sdcard_write_block(addr, len); 1000 addr += sd_bootpart_offset(sd); 1001 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) { 1002 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1003 } 1004 } 1005 1006 static void sd_erase(SDState *sd) 1007 { 1008 uint64_t erase_start = sd->erase_start; 1009 uint64_t erase_end = sd->erase_end; 1010 bool sdsc = true; 1011 uint64_t wpnum; 1012 uint64_t erase_addr; 1013 int erase_len = 1 << HWBLOCK_SHIFT; 1014 1015 trace_sdcard_erase(sd->erase_start, sd->erase_end); 1016 if (sd->erase_start == INVALID_ADDRESS 1017 || sd->erase_end == INVALID_ADDRESS) { 1018 sd->card_status |= ERASE_SEQ_ERROR; 1019 sd->erase_start = INVALID_ADDRESS; 1020 sd->erase_end = INVALID_ADDRESS; 1021 return; 1022 } 1023 1024 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 1025 /* High capacity memory card: erase units are 512 byte blocks */ 1026 erase_start <<= HWBLOCK_SHIFT; 1027 erase_end <<= HWBLOCK_SHIFT; 1028 sdsc = false; 1029 } 1030 1031 if (erase_start > sd->size || erase_end > sd->size) { 1032 sd->card_status |= OUT_OF_RANGE; 1033 sd->erase_start = INVALID_ADDRESS; 1034 sd->erase_end = INVALID_ADDRESS; 1035 return; 1036 } 1037 1038 sd->erase_start = INVALID_ADDRESS; 1039 sd->erase_end = INVALID_ADDRESS; 1040 sd->csd[14] |= 0x40; 1041 1042 memset(sd->data, 0xff, erase_len); 1043 for (erase_addr = erase_start; erase_addr <= erase_end; 1044 erase_addr += erase_len) { 1045 if (sdsc) { 1046 /* Only SDSC cards support write protect groups */ 1047 wpnum = sd_addr_to_wpnum(erase_addr); 1048 assert(wpnum < sd->wp_group_bits); 1049 if (test_bit(wpnum, sd->wp_group_bmap)) { 1050 sd->card_status |= WP_ERASE_SKIP; 1051 continue; 1052 } 1053 } 1054 sd_blk_write(sd, erase_addr, erase_len); 1055 } 1056 } 1057 1058 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 1059 { 1060 uint32_t i, wpnum; 1061 uint32_t ret = 0; 1062 1063 wpnum = sd_addr_to_wpnum(addr); 1064 1065 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 1066 if (addr >= sd->size) { 1067 /* 1068 * If the addresses of the last groups are outside the valid range, 1069 * then the corresponding write protection bits shall be set to 0. 1070 */ 1071 continue; 1072 } 1073 assert(wpnum < sd->wp_group_bits); 1074 if (test_bit(wpnum, sd->wp_group_bmap)) { 1075 ret |= (1 << i); 1076 } 1077 } 1078 1079 return ret; 1080 } 1081 1082 enum ExtCsdAccessMode { 1083 EXT_CSD_ACCESS_MODE_COMMAND_SET = 0, 1084 EXT_CSD_ACCESS_MODE_SET_BITS = 1, 1085 EXT_CSD_ACCESS_MODE_CLEAR_BITS = 2, 1086 EXT_CSD_ACCESS_MODE_WRITE_BYTE = 3 1087 }; 1088 1089 static void emmc_function_switch(SDState *sd, uint32_t arg) 1090 { 1091 uint8_t access = extract32(arg, 24, 2); 1092 uint8_t index = extract32(arg, 16, 8); 1093 uint8_t value = extract32(arg, 8, 8); 1094 uint8_t b = sd->ext_csd[index]; 1095 1096 trace_sdcard_switch(access, index, value, extract32(arg, 0, 2)); 1097 1098 if (index >= 192) { 1099 qemu_log_mask(LOG_GUEST_ERROR, "MMC switching illegal offset\n"); 1100 sd->card_status |= R_CSR_SWITCH_ERROR_MASK; 1101 return; 1102 } 1103 1104 switch (access) { 1105 case EXT_CSD_ACCESS_MODE_COMMAND_SET: 1106 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n"); 1107 return; 1108 case EXT_CSD_ACCESS_MODE_SET_BITS: 1109 b |= value; 1110 break; 1111 case EXT_CSD_ACCESS_MODE_CLEAR_BITS: 1112 b &= ~value; 1113 break; 1114 case EXT_CSD_ACCESS_MODE_WRITE_BYTE: 1115 b = value; 1116 break; 1117 } 1118 1119 trace_sdcard_ext_csd_update(index, sd->ext_csd[index], b); 1120 sd->ext_csd[index] = b; 1121 } 1122 1123 static void sd_function_switch(SDState *sd, uint32_t arg) 1124 { 1125 int i, mode, new_func; 1126 mode = !!(arg & 0x80000000); 1127 1128 sd->data[0] = 0x00; /* Maximum current consumption */ 1129 sd->data[1] = 0x01; 1130 sd->data[2] = 0x80; /* Supported group 6 functions */ 1131 sd->data[3] = 0x01; 1132 sd->data[4] = 0x80; /* Supported group 5 functions */ 1133 sd->data[5] = 0x01; 1134 sd->data[6] = 0x80; /* Supported group 4 functions */ 1135 sd->data[7] = 0x01; 1136 sd->data[8] = 0x80; /* Supported group 3 functions */ 1137 sd->data[9] = 0x01; 1138 sd->data[10] = 0x80; /* Supported group 2 functions */ 1139 sd->data[11] = 0x43; 1140 sd->data[12] = 0x80; /* Supported group 1 functions */ 1141 sd->data[13] = 0x03; 1142 1143 memset(&sd->data[14], 0, 3); 1144 for (i = 0; i < 6; i ++) { 1145 new_func = (arg >> (i * 4)) & 0x0f; 1146 if (mode && new_func != 0x0f) 1147 sd->function_group[i] = new_func; 1148 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4); 1149 } 1150 memset(&sd->data[17], 0, 47); 1151 } 1152 1153 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 1154 { 1155 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1156 } 1157 1158 static void sd_lock_command(SDState *sd) 1159 { 1160 int erase, lock, clr_pwd, set_pwd, pwd_len; 1161 erase = !!(sd->data[0] & 0x08); 1162 lock = sd->data[0] & 0x04; 1163 clr_pwd = sd->data[0] & 0x02; 1164 set_pwd = sd->data[0] & 0x01; 1165 1166 if (sd->blk_len > 1) 1167 pwd_len = sd->data[1]; 1168 else 1169 pwd_len = 0; 1170 1171 if (lock) { 1172 trace_sdcard_lock(); 1173 } else { 1174 trace_sdcard_unlock(); 1175 } 1176 if (erase) { 1177 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 1178 set_pwd || clr_pwd || lock || sd->wp_switch || 1179 (sd->csd[14] & 0x20)) { 1180 sd->card_status |= LOCK_UNLOCK_FAILED; 1181 return; 1182 } 1183 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits); 1184 sd->csd[14] &= ~0x10; 1185 sd->card_status &= ~CARD_IS_LOCKED; 1186 sd->pwd_len = 0; 1187 /* Erasing the entire card here! */ 1188 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 1189 return; 1190 } 1191 1192 if (sd->blk_len < 2 + pwd_len || 1193 pwd_len <= sd->pwd_len || 1194 pwd_len > sd->pwd_len + 16) { 1195 sd->card_status |= LOCK_UNLOCK_FAILED; 1196 return; 1197 } 1198 1199 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 1200 sd->card_status |= LOCK_UNLOCK_FAILED; 1201 return; 1202 } 1203 1204 pwd_len -= sd->pwd_len; 1205 if ((pwd_len && !set_pwd) || 1206 (clr_pwd && (set_pwd || lock)) || 1207 (lock && !sd->pwd_len && !set_pwd) || 1208 (!set_pwd && !clr_pwd && 1209 (((sd->card_status & CARD_IS_LOCKED) && lock) || 1210 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 1211 sd->card_status |= LOCK_UNLOCK_FAILED; 1212 return; 1213 } 1214 1215 if (set_pwd) { 1216 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 1217 sd->pwd_len = pwd_len; 1218 } 1219 1220 if (clr_pwd) { 1221 sd->pwd_len = 0; 1222 } 1223 1224 if (lock) 1225 sd->card_status |= CARD_IS_LOCKED; 1226 else 1227 sd->card_status &= ~CARD_IS_LOCKED; 1228 } 1229 1230 static bool address_in_range(SDState *sd, const char *desc, 1231 uint64_t addr, uint32_t length) 1232 { 1233 if (addr + length > sd->size) { 1234 qemu_log_mask(LOG_GUEST_ERROR, 1235 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n", 1236 desc, addr, sd->size, length); 1237 sd->card_status |= ADDRESS_ERROR; 1238 return false; 1239 } 1240 return true; 1241 } 1242 1243 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req) 1244 { 1245 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n", 1246 sd->proto->name, req.cmd, sd_state_name(sd->state), 1247 sd_version_str(sd->spec_version)); 1248 1249 return sd_illegal; 1250 } 1251 1252 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req) 1253 { 1254 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n", 1255 sd->proto->name, req.cmd, sd_mode_name(sd->mode), 1256 sd_version_str(sd->spec_version)); 1257 1258 return sd_illegal; 1259 } 1260 1261 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req) 1262 { 1263 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n", 1264 sd->proto->name, req.cmd, 1265 sd_version_str(sd->spec_version)); 1266 1267 return sd_illegal; 1268 } 1269 1270 /* Commands that are recognised but not yet implemented. */ 1271 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req) 1272 { 1273 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n", 1274 sd->proto->name, req.cmd); 1275 1276 return sd_illegal; 1277 } 1278 1279 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req) 1280 { 1281 qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n", 1282 sd->proto->name, req.cmd); 1283 1284 return sd_illegal; 1285 } 1286 1287 /* Configure fields for following sd_generic_write_byte() calls */ 1288 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req, 1289 uint64_t start, size_t size) 1290 { 1291 if (sd->state != sd_transfer_state) { 1292 return sd_invalid_state_for_cmd(sd, req); 1293 } 1294 sd->state = sd_receivingdata_state; 1295 sd->data_start = start; 1296 sd->data_offset = 0; 1297 /* sd->data[] used as receive buffer */ 1298 sd->data_size = size ?: sizeof(sd->data); 1299 return sd_r1; 1300 } 1301 1302 /* Configure fields for following sd_generic_read_byte() calls */ 1303 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req, 1304 uint64_t start, 1305 const void *data, size_t size) 1306 { 1307 if (sd->state != sd_transfer_state) { 1308 sd_invalid_state_for_cmd(sd, req); 1309 } 1310 1311 sd->state = sd_sendingdata_state; 1312 sd->data_start = start; 1313 sd->data_offset = 0; 1314 if (data) { 1315 assert(size > 0 && size <= sizeof(sd->data)); 1316 memcpy(sd->data, data, size); 1317 } 1318 if (size) { 1319 sd->data_size = size; 1320 } 1321 return sd_r1; 1322 } 1323 1324 /* CMD0 */ 1325 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req) 1326 { 1327 if (sd->state == sd_sleep_state) { 1328 switch (req.arg) { 1329 case 0x00000000: 1330 case 0xf0f0f0f0: 1331 break; 1332 default: 1333 return sd_r0; 1334 } 1335 } 1336 if (sd->state != sd_inactive_state) { 1337 sd->state = sd_idle_state; 1338 sd_reset(DEVICE(sd)); 1339 } 1340 1341 return sd_is_spi(sd) ? sd_r1 : sd_r0; 1342 } 1343 1344 /* CMD1 */ 1345 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1346 { 1347 sd->state = sd_transfer_state; 1348 1349 return sd_r1; 1350 } 1351 1352 /* CMD2 */ 1353 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req) 1354 { 1355 switch (sd->state) { 1356 case sd_ready_state: 1357 sd->state = sd_identification_state; 1358 return sd_r2_i; 1359 default: 1360 return sd_invalid_state_for_cmd(sd, req); 1361 } 1362 } 1363 1364 /* CMD3 */ 1365 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req) 1366 { 1367 uint16_t random_rca; 1368 1369 switch (sd->state) { 1370 case sd_identification_state: 1371 case sd_standby_state: 1372 sd->state = sd_standby_state; 1373 qemu_guest_getrandom_nofail(&random_rca, sizeof(random_rca)); 1374 sd_set_rca(sd, random_rca); 1375 return sd_r6; 1376 1377 default: 1378 return sd_invalid_state_for_cmd(sd, req); 1379 } 1380 } 1381 1382 static sd_rsp_type_t emmc_cmd_SET_RELATIVE_ADDR(SDState *sd, SDRequest req) 1383 { 1384 switch (sd->state) { 1385 case sd_identification_state: 1386 case sd_standby_state: 1387 sd->state = sd_standby_state; 1388 sd_set_rca(sd, req.arg >> 16); 1389 return sd_r1; 1390 1391 default: 1392 return sd_invalid_state_for_cmd(sd, req); 1393 } 1394 } 1395 1396 /* CMD5 */ 1397 static sd_rsp_type_t emmc_cmd_sleep_awake(SDState *sd, SDRequest req) 1398 { 1399 bool do_sleep = extract32(req.arg, 15, 1); 1400 1401 switch (sd->state) { 1402 case sd_sleep_state: 1403 if (!do_sleep) { 1404 /* Awake */ 1405 sd->state = sd_standby_state; 1406 } 1407 return sd_r1b; 1408 1409 case sd_standby_state: 1410 if (do_sleep) { 1411 sd->state = sd_sleep_state; 1412 } 1413 return sd_r1b; 1414 1415 default: 1416 return sd_invalid_state_for_cmd(sd, req); 1417 } 1418 } 1419 1420 /* CMD6 */ 1421 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req) 1422 { 1423 if (sd->mode != sd_data_transfer_mode) { 1424 return sd_invalid_mode_for_cmd(sd, req); 1425 } 1426 if (sd->state != sd_transfer_state) { 1427 return sd_invalid_state_for_cmd(sd, req); 1428 } 1429 1430 sd_function_switch(sd, req.arg); 1431 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64); 1432 } 1433 1434 static sd_rsp_type_t emmc_cmd_SWITCH(SDState *sd, SDRequest req) 1435 { 1436 switch (sd->state) { 1437 case sd_transfer_state: 1438 sd->state = sd_programming_state; 1439 emmc_function_switch(sd, req.arg); 1440 sd->state = sd_transfer_state; 1441 return sd_r1b; 1442 default: 1443 return sd_invalid_state_for_cmd(sd, req); 1444 } 1445 } 1446 1447 /* CMD7 */ 1448 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req) 1449 { 1450 bool same_rca = sd_req_rca_same(sd, req); 1451 1452 switch (sd->state) { 1453 case sd_standby_state: 1454 if (!same_rca) { 1455 return sd_r0; 1456 } 1457 sd->state = sd_transfer_state; 1458 return sd_r1b; 1459 1460 case sd_transfer_state: 1461 case sd_sendingdata_state: 1462 if (same_rca) { 1463 break; 1464 } 1465 sd->state = sd_standby_state; 1466 return sd_r1b; 1467 1468 case sd_disconnect_state: 1469 if (!same_rca) { 1470 return sd_r0; 1471 } 1472 sd->state = sd_programming_state; 1473 return sd_r1b; 1474 1475 case sd_programming_state: 1476 if (same_rca) { 1477 break; 1478 } 1479 sd->state = sd_disconnect_state; 1480 return sd_r1b; 1481 1482 default: 1483 break; 1484 } 1485 return sd_invalid_state_for_cmd(sd, req); 1486 } 1487 1488 /* CMD8 */ 1489 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req) 1490 { 1491 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1492 return sd_cmd_illegal(sd, req); 1493 } 1494 if (sd->state != sd_idle_state) { 1495 return sd_invalid_state_for_cmd(sd, req); 1496 } 1497 sd->vhs = 0; 1498 1499 /* No response if not exactly one VHS bit is set. */ 1500 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1501 return sd_is_spi(sd) ? sd_r7 : sd_r0; 1502 } 1503 1504 /* Accept. */ 1505 sd->vhs = req.arg; 1506 return sd_r7; 1507 } 1508 1509 /* CMD8 */ 1510 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req) 1511 { 1512 if (sd->state != sd_transfer_state) { 1513 return sd_invalid_state_for_cmd(sd, req); 1514 } 1515 1516 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1517 sd->ext_csd, sizeof(sd->ext_csd)); 1518 } 1519 1520 /* CMD9 */ 1521 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req) 1522 { 1523 if (sd->state != sd_standby_state) { 1524 return sd_invalid_state_for_cmd(sd, req); 1525 } 1526 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1527 sd->csd, 16); 1528 } 1529 1530 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req) 1531 { 1532 if (sd->state != sd_standby_state) { 1533 return sd_invalid_state_for_cmd(sd, req); 1534 } 1535 1536 return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0; 1537 } 1538 1539 /* CMD10 */ 1540 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req) 1541 { 1542 if (sd->state != sd_standby_state) { 1543 return sd_invalid_state_for_cmd(sd, req); 1544 } 1545 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1546 sd->cid, 16); 1547 } 1548 1549 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req) 1550 { 1551 if (sd->state != sd_standby_state) { 1552 return sd_invalid_state_for_cmd(sd, req); 1553 } 1554 1555 return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0; 1556 } 1557 1558 /* CMD12 */ 1559 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req) 1560 { 1561 switch (sd->state) { 1562 case sd_sendingdata_state: 1563 sd->state = sd_transfer_state; 1564 return sd_r1b; 1565 case sd_receivingdata_state: 1566 sd->state = sd_programming_state; 1567 /* Bzzzzzzztt .... Operation complete. */ 1568 sd->state = sd_transfer_state; 1569 return sd_r1; 1570 default: 1571 return sd_invalid_state_for_cmd(sd, req); 1572 } 1573 } 1574 1575 /* CMD13 */ 1576 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req) 1577 { 1578 if (sd->mode != sd_data_transfer_mode) { 1579 return sd_invalid_mode_for_cmd(sd, req); 1580 } 1581 1582 switch (sd->state) { 1583 case sd_standby_state: 1584 case sd_transfer_state: 1585 case sd_sendingdata_state: 1586 case sd_receivingdata_state: 1587 case sd_programming_state: 1588 case sd_disconnect_state: 1589 break; 1590 default: 1591 return sd_invalid_state_for_cmd(sd, req); 1592 } 1593 1594 if (sd_is_spi(sd)) { 1595 return sd_r2_s; 1596 } 1597 1598 return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0; 1599 } 1600 1601 /* CMD15 */ 1602 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req) 1603 { 1604 if (sd->mode != sd_data_transfer_mode) { 1605 return sd_invalid_mode_for_cmd(sd, req); 1606 } 1607 switch (sd->state) { 1608 case sd_standby_state: 1609 case sd_transfer_state: 1610 case sd_sendingdata_state: 1611 case sd_receivingdata_state: 1612 case sd_programming_state: 1613 case sd_disconnect_state: 1614 break; 1615 default: 1616 return sd_invalid_state_for_cmd(sd, req); 1617 } 1618 if (sd_req_rca_same(sd, req)) { 1619 sd->state = sd_inactive_state; 1620 } 1621 1622 return sd_r0; 1623 } 1624 1625 /* CMD16 */ 1626 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req) 1627 { 1628 if (sd->state != sd_transfer_state) { 1629 return sd_invalid_state_for_cmd(sd, req); 1630 } 1631 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1632 sd->card_status |= BLOCK_LEN_ERROR; 1633 } else { 1634 trace_sdcard_set_blocklen(req.arg); 1635 sd->blk_len = req.arg; 1636 } 1637 1638 return sd_r1; 1639 } 1640 1641 /* CMD17 */ 1642 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req) 1643 { 1644 uint64_t addr; 1645 1646 if (sd->state != sd_transfer_state) { 1647 return sd_invalid_state_for_cmd(sd, req); 1648 } 1649 1650 addr = sd_req_get_address(sd, req); 1651 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) { 1652 return sd_r1; 1653 } 1654 1655 sd_blk_read(sd, addr, sd->blk_len); 1656 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len); 1657 } 1658 1659 /* CMD19 */ 1660 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req) 1661 { 1662 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1663 return sd_cmd_illegal(sd, req); 1664 } 1665 1666 return sd_cmd_to_sendingdata(sd, req, 0, 1667 sd_tuning_block_pattern4, 1668 sizeof(sd_tuning_block_pattern4)); 1669 } 1670 1671 /* CMD23 */ 1672 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req) 1673 { 1674 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1675 return sd_cmd_illegal(sd, req); 1676 } 1677 1678 if (sd->state != sd_transfer_state) { 1679 return sd_invalid_state_for_cmd(sd, req); 1680 } 1681 1682 sd->multi_blk_cnt = req.arg; 1683 if (sd_is_emmc(sd)) { 1684 sd->multi_blk_cnt &= 0xffff; 1685 } 1686 trace_sdcard_set_block_count(sd->multi_blk_cnt); 1687 1688 return sd_r1; 1689 } 1690 1691 /* CMD24 */ 1692 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req) 1693 { 1694 uint64_t addr; 1695 1696 if (sd->state != sd_transfer_state) { 1697 return sd_invalid_state_for_cmd(sd, req); 1698 } 1699 1700 addr = sd_req_get_address(sd, req); 1701 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) { 1702 return sd_r1; 1703 } 1704 1705 if (sd->size <= SDSC_MAX_CAPACITY) { 1706 if (sd_wp_addr(sd, addr)) { 1707 sd->card_status |= WP_VIOLATION; 1708 } 1709 } 1710 if (sd->csd[14] & 0x30) { 1711 sd->card_status |= WP_VIOLATION; 1712 } 1713 1714 sd->blk_written = 0; 1715 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len); 1716 } 1717 1718 /* CMD26 */ 1719 static sd_rsp_type_t emmc_cmd_PROGRAM_CID(SDState *sd, SDRequest req) 1720 { 1721 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid)); 1722 } 1723 1724 /* CMD27 */ 1725 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req) 1726 { 1727 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd)); 1728 } 1729 1730 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req, 1731 bool is_write) 1732 { 1733 uint64_t addr; 1734 1735 if (sd->size > SDSC_MAX_CAPACITY) { 1736 return sd_illegal; 1737 } 1738 1739 if (sd->state != sd_transfer_state) { 1740 return sd_invalid_state_for_cmd(sd, req); 1741 } 1742 1743 addr = sd_req_get_address(sd, req); 1744 if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT", 1745 addr, 1)) { 1746 return sd_r1b; 1747 } 1748 1749 sd->state = sd_programming_state; 1750 if (is_write) { 1751 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1752 } else { 1753 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1754 } 1755 /* Bzzzzzzztt .... Operation complete. */ 1756 sd->state = sd_transfer_state; 1757 return sd_r1; 1758 } 1759 1760 /* CMD28 */ 1761 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req) 1762 { 1763 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true); 1764 } 1765 1766 /* CMD29 */ 1767 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req) 1768 { 1769 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false); 1770 } 1771 1772 /* CMD30 */ 1773 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req) 1774 { 1775 uint64_t addr; 1776 uint32_t data; 1777 1778 if (sd->size > SDSC_MAX_CAPACITY) { 1779 return sd_illegal; 1780 } 1781 1782 if (sd->state != sd_transfer_state) { 1783 return sd_invalid_state_for_cmd(sd, req); 1784 } 1785 1786 addr = sd_req_get_address(sd, req); 1787 if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) { 1788 return sd_r1; 1789 } 1790 1791 data = sd_wpbits(sd, req.arg); 1792 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data)); 1793 } 1794 1795 /* CMD32 */ 1796 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req) 1797 { 1798 if (sd->state != sd_transfer_state) { 1799 return sd_invalid_state_for_cmd(sd, req); 1800 } 1801 sd->erase_start = req.arg; 1802 return sd_r1; 1803 } 1804 1805 /* CMD33 */ 1806 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req) 1807 { 1808 if (sd->state != sd_transfer_state) { 1809 return sd_invalid_state_for_cmd(sd, req); 1810 } 1811 sd->erase_end = req.arg; 1812 return sd_r1; 1813 } 1814 1815 /* CMD38 */ 1816 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req) 1817 { 1818 if (sd->state != sd_transfer_state) { 1819 return sd_invalid_state_for_cmd(sd, req); 1820 } 1821 if (sd->csd[14] & 0x30) { 1822 sd->card_status |= WP_VIOLATION; 1823 return sd_r1b; 1824 } 1825 1826 sd->state = sd_programming_state; 1827 sd_erase(sd); 1828 /* Bzzzzzzztt .... Operation complete. */ 1829 sd->state = sd_transfer_state; 1830 return sd_r1b; 1831 } 1832 1833 /* CMD42 */ 1834 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req) 1835 { 1836 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1837 } 1838 1839 /* CMD55 */ 1840 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req) 1841 { 1842 switch (sd->state) { 1843 case sd_ready_state: 1844 case sd_identification_state: 1845 case sd_inactive_state: 1846 case sd_sleep_state: 1847 return sd_invalid_state_for_cmd(sd, req); 1848 case sd_idle_state: 1849 if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) { 1850 qemu_log_mask(LOG_GUEST_ERROR, 1851 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1852 } 1853 /* fall-through */ 1854 default: 1855 break; 1856 } 1857 if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) { 1858 return sd_r0; 1859 } 1860 sd->expecting_acmd = true; 1861 sd->card_status |= APP_CMD; 1862 1863 return sd_r1; 1864 } 1865 1866 /* CMD56 */ 1867 static sd_rsp_type_t sd_cmd_GEN_CMD(SDState *sd, SDRequest req) 1868 { 1869 if (sd->state != sd_transfer_state) { 1870 return sd_invalid_state_for_cmd(sd, req); 1871 } 1872 1873 /* Vendor specific command: our model is RAZ/WI */ 1874 if (req.arg & 1) { 1875 memset(sd->data, 0, sizeof(sd->data)); 1876 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 0); 1877 } else { 1878 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1879 } 1880 } 1881 1882 /* CMD58 */ 1883 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req) 1884 { 1885 return sd_r3; 1886 } 1887 1888 /* CMD59 */ 1889 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req) 1890 { 1891 return sd_r1; 1892 } 1893 1894 /* ACMD6 */ 1895 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req) 1896 { 1897 if (sd->state != sd_transfer_state) { 1898 return sd_invalid_state_for_cmd(sd, req); 1899 } 1900 1901 sd->sd_status[0] &= 0x3f; 1902 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1903 return sd_r1; 1904 } 1905 1906 /* ACMD13 */ 1907 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req) 1908 { 1909 return sd_cmd_to_sendingdata(sd, req, 0, 1910 sd->sd_status, sizeof(sd->sd_status)); 1911 } 1912 1913 /* ACMD22 */ 1914 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req) 1915 { 1916 return sd_cmd_to_sendingdata(sd, req, 0, 1917 &sd->blk_written, sizeof(sd->blk_written)); 1918 } 1919 1920 /* ACMD23 */ 1921 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req) 1922 { 1923 if (sd->state != sd_transfer_state) { 1924 return sd_invalid_state_for_cmd(sd, req); 1925 } 1926 return sd_r1; 1927 } 1928 1929 /* ACMD41 */ 1930 static sd_rsp_type_t sd_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1931 { 1932 if (sd->state != sd_idle_state) { 1933 return sd_invalid_state_for_cmd(sd, req); 1934 } 1935 1936 /* 1937 * If it's the first ACMD41 since reset, we need to decide 1938 * whether to power up. If this is not an enquiry ACMD41, 1939 * we immediately report power on and proceed below to the 1940 * ready state, but if it is, we set a timer to model a 1941 * delay for power up. This works around a bug in EDK2 1942 * UEFI, which sends an initial enquiry ACMD41, but 1943 * assumes that the card is in ready state as soon as it 1944 * sees the power up bit set. 1945 */ 1946 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1947 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1948 timer_del(sd->ocr_power_timer); 1949 sd_ocr_powerup(sd); 1950 } else { 1951 trace_sdcard_inquiry_cmd41(); 1952 if (!timer_pending(sd->ocr_power_timer)) { 1953 timer_mod_ns(sd->ocr_power_timer, 1954 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1955 + OCR_POWER_DELAY_NS)); 1956 } 1957 } 1958 } 1959 1960 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1961 /* 1962 * We accept any voltage. 10000 V is nothing. 1963 * 1964 * Once we're powered up, we advance straight to ready state 1965 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1966 */ 1967 sd->state = sd_ready_state; 1968 } 1969 1970 return sd_r3; 1971 } 1972 1973 /* ACMD42 */ 1974 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req) 1975 { 1976 if (sd->state != sd_transfer_state) { 1977 return sd_invalid_state_for_cmd(sd, req); 1978 } 1979 1980 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1981 return sd_r1; 1982 } 1983 1984 /* ACMD51 */ 1985 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req) 1986 { 1987 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr)); 1988 } 1989 1990 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 1991 { 1992 uint64_t addr; 1993 1994 sd->last_cmd_name = sd_cmd_name(sd, req.cmd); 1995 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 1996 * However there is no ACMD55, so we want to trace this particular case. 1997 */ 1998 if (req.cmd != 55 || sd->expecting_acmd) { 1999 trace_sdcard_normal_command(sd->proto->name, 2000 sd->last_cmd_name, req.cmd, 2001 req.arg, sd_state_name(sd->state)); 2002 } 2003 2004 /* Not interpreting this as an app command */ 2005 sd->card_status &= ~APP_CMD; 2006 2007 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 2008 * if not, its effects are cancelled */ 2009 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 2010 sd->multi_blk_cnt = 0; 2011 } 2012 2013 if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR, 2014 CARD_CAPACITY)) { 2015 /* Only Standard Capacity cards support class 6 commands */ 2016 return sd_illegal; 2017 } 2018 2019 if (sd->proto->cmd[req.cmd].handler) { 2020 return sd->proto->cmd[req.cmd].handler(sd, req); 2021 } 2022 2023 switch (req.cmd) { 2024 /* Block read commands (Class 2) */ 2025 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2026 addr = sd_req_get_address(sd, req); 2027 switch (sd->state) { 2028 case sd_transfer_state: 2029 2030 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) { 2031 return sd_r1; 2032 } 2033 2034 sd->state = sd_sendingdata_state; 2035 sd->data_start = addr; 2036 sd->data_offset = 0; 2037 return sd_r1; 2038 2039 default: 2040 break; 2041 } 2042 break; 2043 2044 /* Block write commands (Class 4) */ 2045 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2046 addr = sd_req_get_address(sd, req); 2047 switch (sd->state) { 2048 case sd_transfer_state: 2049 2050 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) { 2051 return sd_r1; 2052 } 2053 2054 sd->state = sd_receivingdata_state; 2055 sd->data_start = addr; 2056 sd->data_offset = 0; 2057 sd->blk_written = 0; 2058 2059 if (sd->size <= SDSC_MAX_CAPACITY) { 2060 if (sd_wp_addr(sd, sd->data_start)) { 2061 sd->card_status |= WP_VIOLATION; 2062 } 2063 } 2064 if (sd->csd[14] & 0x30) { 2065 sd->card_status |= WP_VIOLATION; 2066 } 2067 return sd_r1; 2068 2069 default: 2070 break; 2071 } 2072 break; 2073 2074 default: 2075 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 2076 return sd_illegal; 2077 } 2078 2079 return sd_invalid_state_for_cmd(sd, req); 2080 } 2081 2082 static sd_rsp_type_t sd_app_command(SDState *sd, 2083 SDRequest req) 2084 { 2085 sd->last_cmd_name = sd_acmd_name(sd, req.cmd); 2086 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name, 2087 req.cmd, req.arg, sd_state_name(sd->state)); 2088 sd->card_status |= APP_CMD; 2089 2090 if (sd->proto->acmd[req.cmd].handler) { 2091 return sd->proto->acmd[req.cmd].handler(sd, req); 2092 } 2093 2094 switch (req.cmd) { 2095 case 18: /* Reserved for SD security applications */ 2096 case 25: 2097 case 26: 2098 case 38: 2099 case 43 ... 49: 2100 /* Refer to the "SD Specifications Part3 Security Specification" for 2101 * information about the SD Security Features. 2102 */ 2103 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 2104 req.cmd); 2105 return sd_illegal; 2106 2107 default: 2108 /* Fall back to standard commands. */ 2109 return sd_normal_command(sd, req); 2110 } 2111 2112 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 2113 return sd_illegal; 2114 } 2115 2116 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd) 2117 { 2118 unsigned cmd_class; 2119 2120 /* Valid commands in locked state: 2121 * basic class (0) 2122 * lock card class (7) 2123 * CMD16 2124 * implicitly, the ACMD prefix CMD55 2125 * ACMD41 and ACMD42 2126 * Anything else provokes an "illegal command" response. 2127 */ 2128 if (sd->expecting_acmd) { 2129 return cmd == 41 || cmd == 42; 2130 } 2131 if (cmd == 16 || cmd == 55) { 2132 return true; 2133 } 2134 if (!sd->proto->cmd[cmd].handler) { 2135 return false; 2136 } 2137 cmd_class = sd->proto->cmd[cmd].class; 2138 2139 return cmd_class == 0 || cmd_class == 7; 2140 } 2141 2142 static int sd_do_command(SDState *sd, SDRequest *req, 2143 uint8_t *response) { 2144 int last_state; 2145 sd_rsp_type_t rtype; 2146 int rsplen; 2147 2148 if (!sd->blk || !blk_is_inserted(sd->blk)) { 2149 return 0; 2150 } 2151 2152 if (sd->state == sd_inactive_state) { 2153 rtype = sd_illegal; 2154 goto send_response; 2155 } 2156 2157 if (sd_req_crc_validate(req)) { 2158 sd->card_status |= COM_CRC_ERROR; 2159 rtype = sd_illegal; 2160 goto send_response; 2161 } 2162 2163 if (req->cmd >= SDMMC_CMD_MAX) { 2164 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 2165 req->cmd); 2166 req->cmd &= 0x3f; 2167 } 2168 2169 if (sd->state == sd_sleep_state && req->cmd) { 2170 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is sleeping\n"); 2171 rtype = sd_r0; 2172 goto send_response; 2173 } 2174 2175 if (sd->card_status & CARD_IS_LOCKED) { 2176 if (!cmd_valid_while_locked(sd, req->cmd)) { 2177 sd->card_status |= ILLEGAL_COMMAND; 2178 sd->expecting_acmd = false; 2179 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 2180 rtype = sd_illegal; 2181 goto send_response; 2182 } 2183 } 2184 2185 last_state = sd->state; 2186 sd_set_mode(sd); 2187 2188 if (sd->expecting_acmd) { 2189 sd->expecting_acmd = false; 2190 rtype = sd_app_command(sd, *req); 2191 } else { 2192 rtype = sd_normal_command(sd, *req); 2193 } 2194 2195 if (rtype == sd_illegal) { 2196 sd->card_status |= ILLEGAL_COMMAND; 2197 } else { 2198 /* Valid command, we can update the 'state before command' bits. 2199 * (Do this now so they appear in r1 responses.) 2200 */ 2201 sd->card_status = FIELD_DP32(sd->card_status, CSR, 2202 CURRENT_STATE, last_state); 2203 } 2204 2205 send_response: 2206 switch (rtype) { 2207 case sd_r1: 2208 case sd_r1b: 2209 sd_response_r1_make(sd, response); 2210 rsplen = 4; 2211 break; 2212 2213 case sd_r2_i: 2214 memcpy(response, sd->cid, sizeof(sd->cid)); 2215 rsplen = 16; 2216 break; 2217 2218 case sd_r2_s: 2219 memcpy(response, sd->csd, sizeof(sd->csd)); 2220 rsplen = 16; 2221 break; 2222 2223 case sd_r3: 2224 sd_response_r3_make(sd, response); 2225 rsplen = 4; 2226 break; 2227 2228 case sd_r6: 2229 sd_response_r6_make(sd, response); 2230 rsplen = 4; 2231 break; 2232 2233 case sd_r7: 2234 sd_response_r7_make(sd, response); 2235 rsplen = 4; 2236 break; 2237 2238 case sd_r0: 2239 /* 2240 * Invalid state transition, reset implementation 2241 * fields to avoid OOB abuse. 2242 */ 2243 sd->data_start = 0; 2244 sd->data_offset = 0; 2245 /* fall-through */ 2246 case sd_illegal: 2247 rsplen = 0; 2248 break; 2249 default: 2250 g_assert_not_reached(); 2251 } 2252 trace_sdcard_response(sd_response_name(rtype), rsplen); 2253 2254 if (rtype != sd_illegal) { 2255 /* Clear the "clear on valid command" status bits now we've 2256 * sent any response 2257 */ 2258 sd->card_status &= ~CARD_STATUS_B; 2259 } 2260 2261 #ifdef DEBUG_SD 2262 qemu_hexdump(stderr, "Response", response, rsplen); 2263 #endif 2264 2265 sd->current_cmd = rtype == sd_illegal ? 0 : req->cmd; 2266 2267 return rsplen; 2268 } 2269 2270 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */ 2271 static bool sd_generic_write_byte(SDState *sd, uint8_t value) 2272 { 2273 sd->data[sd->data_offset] = value; 2274 2275 if (++sd->data_offset >= sd->data_size) { 2276 sd->state = sd_transfer_state; 2277 return true; 2278 } 2279 return false; 2280 } 2281 2282 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */ 2283 static bool sd_generic_read_byte(SDState *sd, uint8_t *value) 2284 { 2285 *value = sd->data[sd->data_offset]; 2286 2287 if (++sd->data_offset >= sd->data_size) { 2288 sd->state = sd_transfer_state; 2289 return true; 2290 } 2291 2292 return false; 2293 } 2294 2295 static void sd_write_byte(SDState *sd, uint8_t value) 2296 { 2297 int i; 2298 2299 if (!sd->blk || !blk_is_inserted(sd->blk)) { 2300 return; 2301 } 2302 2303 if (sd->state != sd_receivingdata_state) { 2304 qemu_log_mask(LOG_GUEST_ERROR, 2305 "%s: not in Receiving-Data state\n", __func__); 2306 return; 2307 } 2308 2309 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2310 return; 2311 2312 trace_sdcard_write_data(sd->proto->name, 2313 sd->last_cmd_name, 2314 sd->current_cmd, sd->data_offset, value); 2315 switch (sd->current_cmd) { 2316 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 2317 if (sd_generic_write_byte(sd, value)) { 2318 /* TODO: Check CRC before committing */ 2319 sd->state = sd_programming_state; 2320 sd_blk_write(sd, sd->data_start, sd->data_offset); 2321 sd->blk_written ++; 2322 sd->csd[14] |= 0x40; 2323 /* Bzzzzzzztt .... Operation complete. */ 2324 sd->state = sd_transfer_state; 2325 } 2326 break; 2327 2328 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2329 if (sd->data_offset == 0) { 2330 /* Start of the block - let's check the address is valid */ 2331 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK", 2332 sd->data_start, sd->blk_len)) { 2333 break; 2334 } 2335 if (sd->size <= SDSC_MAX_CAPACITY) { 2336 if (sd_wp_addr(sd, sd->data_start)) { 2337 sd->card_status |= WP_VIOLATION; 2338 break; 2339 } 2340 } 2341 } 2342 sd->data[sd->data_offset++] = value; 2343 if (sd->data_offset >= sd->blk_len) { 2344 /* TODO: Check CRC before committing */ 2345 sd->state = sd_programming_state; 2346 sd_blk_write(sd, sd->data_start, sd->data_offset); 2347 sd->blk_written++; 2348 sd->data_start += sd->blk_len; 2349 sd->data_offset = 0; 2350 sd->csd[14] |= 0x40; 2351 2352 /* Bzzzzzzztt .... Operation complete. */ 2353 if (sd->multi_blk_cnt != 0) { 2354 if (--sd->multi_blk_cnt == 0) { 2355 /* Stop! */ 2356 sd->state = sd_transfer_state; 2357 break; 2358 } 2359 } 2360 2361 sd->state = sd_receivingdata_state; 2362 } 2363 break; 2364 2365 case 26: /* CMD26: PROGRAM_CID */ 2366 if (sd_generic_write_byte(sd, value)) { 2367 /* TODO: Check CRC before committing */ 2368 sd->state = sd_programming_state; 2369 for (i = 0; i < sizeof(sd->cid); i ++) 2370 if ((sd->cid[i] | 0x00) != sd->data[i]) 2371 sd->card_status |= CID_CSD_OVERWRITE; 2372 2373 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2374 for (i = 0; i < sizeof(sd->cid); i ++) { 2375 sd->cid[i] |= 0x00; 2376 sd->cid[i] &= sd->data[i]; 2377 } 2378 /* Bzzzzzzztt .... Operation complete. */ 2379 sd->state = sd_transfer_state; 2380 } 2381 break; 2382 2383 case 27: /* CMD27: PROGRAM_CSD */ 2384 if (sd_generic_write_byte(sd, value)) { 2385 /* TODO: Check CRC before committing */ 2386 sd->state = sd_programming_state; 2387 for (i = 0; i < sizeof(sd->csd); i ++) 2388 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 2389 (sd->data[i] | sd_csd_rw_mask[i])) 2390 sd->card_status |= CID_CSD_OVERWRITE; 2391 2392 /* Copy flag (OTP) & Permanent write protect */ 2393 if (sd->csd[14] & ~sd->data[14] & 0x60) 2394 sd->card_status |= CID_CSD_OVERWRITE; 2395 2396 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2397 for (i = 0; i < sizeof(sd->csd); i ++) { 2398 sd->csd[i] |= sd_csd_rw_mask[i]; 2399 sd->csd[i] &= sd->data[i]; 2400 } 2401 /* Bzzzzzzztt .... Operation complete. */ 2402 sd->state = sd_transfer_state; 2403 } 2404 break; 2405 2406 case 42: /* CMD42: LOCK_UNLOCK */ 2407 if (sd_generic_write_byte(sd, value)) { 2408 /* TODO: Check CRC before committing */ 2409 sd->state = sd_programming_state; 2410 sd_lock_command(sd); 2411 /* Bzzzzzzztt .... Operation complete. */ 2412 sd->state = sd_transfer_state; 2413 } 2414 break; 2415 2416 case 56: /* CMD56: GEN_CMD */ 2417 sd_generic_write_byte(sd, value); 2418 break; 2419 2420 default: 2421 g_assert_not_reached(); 2422 } 2423 } 2424 2425 static uint8_t sd_read_byte(SDState *sd) 2426 { 2427 /* TODO: Append CRCs */ 2428 const uint8_t dummy_byte = 0x00; 2429 uint8_t ret; 2430 uint32_t io_len; 2431 2432 if (!sd->blk || !blk_is_inserted(sd->blk)) { 2433 return dummy_byte; 2434 } 2435 2436 if (sd->state != sd_sendingdata_state) { 2437 qemu_log_mask(LOG_GUEST_ERROR, 2438 "%s: not in Sending-Data state\n", __func__); 2439 return dummy_byte; 2440 } 2441 2442 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) { 2443 return dummy_byte; 2444 } 2445 2446 io_len = sd_blk_len(sd); 2447 2448 trace_sdcard_read_data(sd->proto->name, 2449 sd->last_cmd_name, sd->current_cmd, 2450 sd->data_offset, sd->data_size, io_len); 2451 switch (sd->current_cmd) { 2452 case 6: /* CMD6: SWITCH_FUNCTION */ 2453 case 8: /* CMD8: SEND_EXT_CSD */ 2454 case 9: /* CMD9: SEND_CSD */ 2455 case 10: /* CMD10: SEND_CID */ 2456 case 13: /* ACMD13: SD_STATUS */ 2457 case 17: /* CMD17: READ_SINGLE_BLOCK */ 2458 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2459 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2460 case 30: /* CMD30: SEND_WRITE_PROT */ 2461 case 51: /* ACMD51: SEND_SCR */ 2462 case 56: /* CMD56: GEN_CMD */ 2463 sd_generic_read_byte(sd, &ret); 2464 break; 2465 2466 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2467 if (sd->data_offset == 0) { 2468 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK", 2469 sd->data_start, io_len)) { 2470 return dummy_byte; 2471 } 2472 sd_blk_read(sd, sd->data_start, io_len); 2473 } 2474 ret = sd->data[sd->data_offset ++]; 2475 2476 if (sd->data_offset >= io_len) { 2477 sd->data_start += io_len; 2478 sd->data_offset = 0; 2479 2480 if (sd->multi_blk_cnt != 0) { 2481 if (--sd->multi_blk_cnt == 0) { 2482 /* Stop! */ 2483 sd->state = sd_transfer_state; 2484 break; 2485 } 2486 } 2487 } 2488 break; 2489 2490 default: 2491 qemu_log_mask(LOG_GUEST_ERROR, "%s: DAT read illegal for command %s\n", 2492 __func__, sd->last_cmd_name); 2493 return dummy_byte; 2494 } 2495 2496 return ret; 2497 } 2498 2499 static bool sd_receive_ready(SDState *sd) 2500 { 2501 return sd->state == sd_receivingdata_state; 2502 } 2503 2504 static bool sd_data_ready(SDState *sd) 2505 { 2506 return sd->state == sd_sendingdata_state; 2507 } 2508 2509 static const SDProto sd_proto_spi = { 2510 .name = "SPI", 2511 .cmd = { 2512 [0] = {0, sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2513 [1] = {0, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2514 [5] = {9, sd_spi, "IO_SEND_OP_COND", sd_cmd_optional}, 2515 [6] = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2516 [8] = {0, sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2517 [9] = {0, sd_spi, "SEND_CSD", spi_cmd_SEND_CSD}, 2518 [10] = {0, sd_spi, "SEND_CID", spi_cmd_SEND_CID}, 2519 [12] = {0, sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2520 [13] = {0, sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2521 [16] = {2, sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2522 [17] = {2, sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2523 [24] = {4, sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2524 [27] = {4, sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2525 [28] = {6, sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2526 [29] = {6, sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2527 [30] = {6, sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2528 [32] = {5, sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2529 [33] = {5, sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2530 [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional}, 2531 [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional}, 2532 [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional}, 2533 [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2534 [38] = {5, sd_spi, "ERASE", sd_cmd_ERASE}, 2535 [42] = {7, sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2536 [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional}, 2537 [52] = {9, sd_spi, "IO_RW_DIRECT", sd_cmd_optional}, 2538 [53] = {9, sd_spi, "IO_RW_EXTENDED", sd_cmd_optional}, 2539 [55] = {8, sd_spi, "APP_CMD", sd_cmd_APP_CMD}, 2540 [56] = {8, sd_spi, "GEN_CMD", sd_cmd_GEN_CMD}, 2541 [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2542 [58] = {0, sd_spi, "READ_OCR", spi_cmd_READ_OCR}, 2543 [59] = {0, sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF}, 2544 }, 2545 .acmd = { 2546 [13] = {8, sd_spi, "SD_STATUS", sd_acmd_SD_STATUS}, 2547 [22] = {8, sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2548 [23] = {8, sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2549 [41] = {8, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2550 [42] = {8, sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2551 [51] = {8, sd_spi, "SEND_SCR", sd_acmd_SEND_SCR}, 2552 }, 2553 }; 2554 2555 static const SDProto sd_proto_sd = { 2556 .name = "SD", 2557 .cmd = { 2558 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2559 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2560 [3] = {0, sd_bcr, "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR}, 2561 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented}, 2562 [5] = {9, sd_bc, "IO_SEND_OP_COND", sd_cmd_optional}, 2563 [6] = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2564 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD}, 2565 [8] = {0, sd_bcr, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2566 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD}, 2567 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID}, 2568 [11] = {0, sd_ac, "VOLTAGE_SWITCH", sd_cmd_optional}, 2569 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2570 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2571 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE}, 2572 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2573 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2574 [19] = {2, sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK}, 2575 [20] = {2, sd_ac, "SPEED_CLASS_CONTROL", sd_cmd_optional}, 2576 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2577 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2578 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2579 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2580 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2581 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2582 [32] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2583 [33] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2584 [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional}, 2585 [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional}, 2586 [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional}, 2587 [37] = {10, sd_ac, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2588 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE}, 2589 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2590 [43] = {1, sd_ac, "Q_MANAGEMENT", sd_cmd_optional}, 2591 [44] = {1, sd_ac, "Q_TASK_INFO_A", sd_cmd_optional}, 2592 [45] = {1, sd_ac, "Q_TASK_INFO_B", sd_cmd_optional}, 2593 [46] = {1, sd_adtc, "Q_RD_TASK", sd_cmd_optional}, 2594 [47] = {1, sd_adtc, "Q_WR_TASK", sd_cmd_optional}, 2595 [48] = {1, sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional}, 2596 [49] = {1, sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional}, 2597 [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional}, 2598 [52] = {9, sd_bc, "IO_RW_DIRECT", sd_cmd_optional}, 2599 [53] = {9, sd_bc, "IO_RW_EXTENDED", sd_cmd_optional}, 2600 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD}, 2601 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD}, 2602 [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2603 [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional}, 2604 [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional}, 2605 }, 2606 .acmd = { 2607 [6] = {8, sd_ac, "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH}, 2608 [13] = {8, sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS}, 2609 [22] = {8, sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2610 [23] = {8, sd_ac, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2611 [41] = {8, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND}, 2612 [42] = {8, sd_ac, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2613 [51] = {8, sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR}, 2614 }, 2615 }; 2616 2617 static const SDProto sd_proto_emmc = { 2618 /* Only v4.3 is supported */ 2619 .name = "eMMC", 2620 .cmd = { 2621 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2622 [1] = {0, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND}, 2623 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2624 [3] = {0, sd_ac, "SET_RELATIVE_ADDR", emmc_cmd_SET_RELATIVE_ADDR}, 2625 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented}, 2626 [5] = {0, sd_ac, "SLEEP/AWAKE", emmc_cmd_sleep_awake}, 2627 [6] = {10, sd_adtc, "SWITCH", emmc_cmd_SWITCH}, 2628 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD}, 2629 [8] = {0, sd_adtc, "SEND_EXT_CSD", emmc_cmd_SEND_EXT_CSD}, 2630 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD}, 2631 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID}, 2632 [11] = {1, sd_adtc, "READ_DAT_UNTIL_STOP", sd_cmd_unimplemented}, 2633 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2634 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2635 [14] = {0, sd_adtc, "BUSTEST_R", sd_cmd_unimplemented}, 2636 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE}, 2637 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2638 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2639 [19] = {0, sd_adtc, "BUSTEST_W", sd_cmd_unimplemented}, 2640 [20] = {3, sd_adtc, "WRITE_DAT_UNTIL_STOP", sd_cmd_unimplemented}, 2641 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2642 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2643 [26] = {4, sd_adtc, "PROGRAM_CID", emmc_cmd_PROGRAM_CID}, 2644 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2645 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2646 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2647 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2648 [31] = {6, sd_adtc, "SEND_WRITE_PROT_TYPE", sd_cmd_unimplemented}, 2649 [35] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2650 [36] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2651 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE}, 2652 [39] = {9, sd_ac, "FAST_IO", sd_cmd_unimplemented}, 2653 [40] = {9, sd_bcr, "GO_IRQ_STATE", sd_cmd_unimplemented}, 2654 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2655 [49] = {0, sd_adtc, "SET_TIME", sd_cmd_unimplemented}, 2656 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD}, 2657 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD}, 2658 }, 2659 }; 2660 2661 static void sd_instance_init(Object *obj) 2662 { 2663 SDState *sd = SDMMC_COMMON(obj); 2664 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd); 2665 2666 sd->proto = sc->proto; 2667 sd->last_cmd_name = "UNSET"; 2668 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2669 } 2670 2671 static void sd_instance_finalize(Object *obj) 2672 { 2673 SDState *sd = SDMMC_COMMON(obj); 2674 2675 timer_free(sd->ocr_power_timer); 2676 } 2677 2678 static void sd_realize(DeviceState *dev, Error **errp) 2679 { 2680 SDState *sd = SDMMC_COMMON(dev); 2681 int ret; 2682 2683 switch (sd->spec_version) { 2684 case SD_PHY_SPECv1_10_VERS 2685 ... SD_PHY_SPECv3_01_VERS: 2686 break; 2687 default: 2688 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2689 return; 2690 } 2691 2692 if (sd->blk) { 2693 int64_t blk_size; 2694 2695 if (!blk_supports_write_perm(sd->blk)) { 2696 error_setg(errp, "Cannot use read-only drive as SD card"); 2697 return; 2698 } 2699 2700 blk_size = blk_getlength(sd->blk); 2701 if (blk_size > 0 && !is_power_of_2(blk_size)) { 2702 int64_t blk_size_aligned = pow2ceil(blk_size); 2703 char *blk_size_str; 2704 2705 blk_size_str = size_to_str(blk_size); 2706 error_setg(errp, "Invalid SD card size: %s", blk_size_str); 2707 g_free(blk_size_str); 2708 2709 blk_size_str = size_to_str(blk_size_aligned); 2710 error_append_hint(errp, 2711 "SD card size has to be a power of 2, e.g. %s.\n" 2712 "You can resize disk images with" 2713 " 'qemu-img resize <imagefile> <new-size>'\n" 2714 "(note that this will lose data if you make the" 2715 " image smaller than it currently is).\n", 2716 blk_size_str); 2717 g_free(blk_size_str); 2718 2719 return; 2720 } 2721 2722 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2723 BLK_PERM_ALL, errp); 2724 if (ret < 0) { 2725 return; 2726 } 2727 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2728 } 2729 } 2730 2731 static void emmc_realize(DeviceState *dev, Error **errp) 2732 { 2733 SDState *sd = SDMMC_COMMON(dev); 2734 2735 sd->spec_version = SD_PHY_SPECv3_01_VERS; /* Actually v4.3 */ 2736 2737 sd_realize(dev, errp); 2738 } 2739 2740 static const Property sdmmc_common_properties[] = { 2741 DEFINE_PROP_DRIVE("drive", SDState, blk), 2742 }; 2743 2744 static const Property sd_properties[] = { 2745 DEFINE_PROP_UINT8("spec_version", SDState, 2746 spec_version, SD_PHY_SPECv3_01_VERS), 2747 }; 2748 2749 static const Property emmc_properties[] = { 2750 DEFINE_PROP_UINT64("boot-partition-size", SDState, boot_part_size, 0), 2751 DEFINE_PROP_UINT8("boot-config", SDState, boot_config, 0x0), 2752 }; 2753 2754 static void sdmmc_common_class_init(ObjectClass *klass, const void *data) 2755 { 2756 DeviceClass *dc = DEVICE_CLASS(klass); 2757 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2758 2759 device_class_set_props(dc, sdmmc_common_properties); 2760 dc->vmsd = &sd_vmstate; 2761 device_class_set_legacy_reset(dc, sd_reset); 2762 dc->bus_type = TYPE_SD_BUS; 2763 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2764 2765 sc->set_voltage = sd_set_voltage; 2766 sc->get_dat_lines = sd_get_dat_lines; 2767 sc->get_cmd_line = sd_get_cmd_line; 2768 sc->do_command = sd_do_command; 2769 sc->write_byte = sd_write_byte; 2770 sc->read_byte = sd_read_byte; 2771 sc->receive_ready = sd_receive_ready; 2772 sc->data_ready = sd_data_ready; 2773 sc->get_inserted = sd_get_inserted; 2774 sc->get_readonly = sd_get_readonly; 2775 } 2776 2777 static void sd_class_init(ObjectClass *klass, const void *data) 2778 { 2779 DeviceClass *dc = DEVICE_CLASS(klass); 2780 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2781 2782 dc->realize = sd_realize; 2783 device_class_set_props(dc, sd_properties); 2784 2785 sc->set_cid = sd_set_cid; 2786 sc->set_csd = sd_set_csd; 2787 sc->proto = &sd_proto_sd; 2788 } 2789 2790 /* 2791 * We do not model the chip select pin, so allow the board to select 2792 * whether card should be in SSI or MMC/SD mode. It is also up to the 2793 * board to ensure that ssi transfers only occur when the chip select 2794 * is asserted. 2795 */ 2796 static void sd_spi_class_init(ObjectClass *klass, const void *data) 2797 { 2798 DeviceClass *dc = DEVICE_CLASS(klass); 2799 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2800 2801 dc->desc = "SD SPI"; 2802 sc->proto = &sd_proto_spi; 2803 } 2804 2805 static void emmc_class_init(ObjectClass *klass, const void *data) 2806 { 2807 DeviceClass *dc = DEVICE_CLASS(klass); 2808 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2809 2810 dc->desc = "eMMC"; 2811 dc->realize = emmc_realize; 2812 device_class_set_props(dc, emmc_properties); 2813 /* Reason: Soldered on board */ 2814 dc->user_creatable = false; 2815 2816 sc->proto = &sd_proto_emmc; 2817 2818 sc->set_cid = emmc_set_cid; 2819 sc->set_csd = emmc_set_csd; 2820 } 2821 2822 static const TypeInfo sd_types[] = { 2823 { 2824 .name = TYPE_SDMMC_COMMON, 2825 .parent = TYPE_DEVICE, 2826 .abstract = true, 2827 .instance_size = sizeof(SDState), 2828 .class_size = sizeof(SDCardClass), 2829 .class_init = sdmmc_common_class_init, 2830 .instance_init = sd_instance_init, 2831 .instance_finalize = sd_instance_finalize, 2832 }, 2833 { 2834 .name = TYPE_SD_CARD, 2835 .parent = TYPE_SDMMC_COMMON, 2836 .class_init = sd_class_init, 2837 }, 2838 { 2839 .name = TYPE_SD_CARD_SPI, 2840 .parent = TYPE_SD_CARD, 2841 .class_init = sd_spi_class_init, 2842 }, 2843 { 2844 .name = TYPE_EMMC, 2845 .parent = TYPE_SDMMC_COMMON, 2846 .class_init = emmc_class_init, 2847 }, 2848 }; 2849 2850 DEFINE_TYPES(sd_types) 2851