]> git.proxmox.com Git - mirror_qemu.git/blame - hw/sd/sd.c
projects / mirror_qemu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
hw/arm/virt: Support -machine gic-version=max
[mirror_qemu.git] / hw / sd / sd.c
CommitLineData
5fafdf24 1/*
a1bb27b1
PB		 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 1.10."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
0430891c 32#include "qemu/osdep.h"
c759a790 33#include "hw/qdev.h"
83c9f4ca 34#include "hw/hw.h"
6f296421 35#include "hw/registerfields.h"
4be74634 36#include "sysemu/block-backend.h"
e3382ef0 37#include "hw/sd/sd.h"
da34e65c 38#include "qapi/error.h"
1de7afc9 39#include "qemu/bitmap.h"
7af83490 40#include "qemu/cutils.h"
260bc9d8
PM		 41#include "hw/qdev-properties.h"
42#include "qemu/error-report.h"
dd26eb43 43#include "qemu/timer.h"
03dd024f 44#include "qemu/log.h"
f250015b 45#include "sdmmc-internal.h"
1b640aa9 46#include "trace.h"
a1bb27b1
PB		 47
48//#define DEBUG_SD 1
49
a1bb27b1
PB		 50typedef enum {
51 sd_r0 = 0, /* no response */
52 sd_r1, /* normal response command */
53 sd_r2_i, /* CID register */
54 sd_r2_s, /* CSD register */
55 sd_r3, /* OCR register */
56 sd_r6 = 6, /* Published RCA response */
1b088995 57 sd_r7, /* Operating voltage */
a1bb27b1 58 sd_r1b = -1,
53bb8cc4 59 sd_illegal = -2,
c227f099 60} sd_rsp_type_t;
a1bb27b1 61
50a5be6c
IM		 62enum SDCardModes {
63 sd_inactive,
64 sd_card_identification_mode,
65 sd_data_transfer_mode,
66};
67
68enum SDCardStates {
69 sd_inactive_state = -1,
70 sd_idle_state = 0,
71 sd_ready_state,
72 sd_identification_state,
73 sd_standby_state,
74 sd_transfer_state,
75 sd_sendingdata_state,
76 sd_receivingdata_state,
77 sd_programming_state,
78 sd_disconnect_state,
79};
80
a1bb27b1 81struct SDState {
260bc9d8
PM		 82 DeviceState parent_obj;
83
d49b1ce0 84 /* SD Memory Card Registers */
a1bb27b1
PB		 85 uint32_t ocr;
86 uint8_t scr[8];
87 uint8_t cid[16];
88 uint8_t csd[16];
89 uint16_t rca;
90 uint32_t card_status;
91 uint8_t sd_status[64];
d49b1ce0
PMD		 92
93 /* Configurable properties */
94 BlockBackend *blk;
95 bool spi;
96
97 uint32_t mode; /* current card mode, one of SDCardModes */
98 int32_t state; /* current card state, one of SDCardStates */
1b088995 99 uint32_t vhs;
bebd1271 100 bool wp_switch;
a9c01830 101 unsigned long *wp_groups;
50a5be6c 102 int32_t wpgrps_size;
2d7adea4 103 uint64_t size;
50a5be6c 104 uint32_t blk_len;
4481bbc7 105 uint32_t multi_blk_cnt;
a1bb27b1
PB		 106 uint32_t erase_start;
107 uint32_t erase_end;
108 uint8_t pwd[16];
50a5be6c
IM		 109 uint32_t pwd_len;
110 uint8_t function_group[6];
50a5be6c 111 uint8_t current_cmd;
1d06cb7a
PM		 112 /* True if we will handle the next command as an ACMD. Note that this does
113 * *not* track the APP_CMD status bit!
114 */
bebd1271 115 bool expecting_acmd;
50a5be6c 116 uint32_t blk_written;
2d7adea4 117 uint64_t data_start;
a1bb27b1
PB		 118 uint32_t data_offset;
119 uint8_t data[512];
02ce600c
AZ		 120 qemu_irq readonly_cb;
121 qemu_irq inserted_cb;
d49b1ce0 122 QEMUTimer *ocr_power_timer;
bebd1271 123 bool enable;
da346922
PMD		 124 uint8_t dat_lines;
125 bool cmd_line;
a1bb27b1
PB		 126};
127
1b640aa9
PMD		 128static const char *sd_state_name(enum SDCardStates state)
129{
130 static const char *state_name[] = {
131 [sd_idle_state] = "idle",
132 [sd_ready_state] = "ready",
133 [sd_identification_state] = "identification",
134 [sd_standby_state] = "standby",
135 [sd_transfer_state] = "transfer",
136 [sd_sendingdata_state] = "sendingdata",
137 [sd_receivingdata_state] = "receivingdata",
138 [sd_programming_state] = "programming",
139 [sd_disconnect_state] = "disconnect",
140 };
141 if (state == sd_inactive_state) {
142 return "inactive";
143 }
144 assert(state <= ARRAY_SIZE(state_name));
145 return state_name[state];
146}
147
55921932
PMD		 148static const char *sd_response_name(sd_rsp_type_t rsp)
149{
150 static const char *response_name[] = {
151 [sd_r0] = "RESP#0 (no response)",
152 [sd_r1] = "RESP#1 (normal cmd)",
153 [sd_r2_i] = "RESP#2 (CID reg)",
154 [sd_r2_s] = "RESP#2 (CSD reg)",
155 [sd_r3] = "RESP#3 (OCR reg)",
156 [sd_r6] = "RESP#6 (RCA)",
157 [sd_r7] = "RESP#7 (operating voltage)",
158 };
159 if (rsp == sd_illegal) {
160 return "ILLEGAL RESP";
161 }
162 if (rsp == sd_r1b) {
163 rsp = sd_r1;
164 }
165 assert(rsp <= ARRAY_SIZE(response_name));
166 return response_name[rsp];
167}
168
da346922
PMD		 169static uint8_t sd_get_dat_lines(SDState *sd)
170{
171 return sd->enable ? sd->dat_lines : 0;
172}
173
174static bool sd_get_cmd_line(SDState *sd)
175{
176 return sd->enable ? sd->cmd_line : false;
177}
178
0034ebe6
PMD		 179static void sd_set_voltage(SDState *sd, uint16_t millivolts)
180{
814b2adc
PMD		 181 trace_sdcard_set_voltage(millivolts);
182
0034ebe6
PMD		 183 switch (millivolts) {
184 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
185 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
186 break;
187 default:
188 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
189 millivolts / 1000.f);
190 }
191}
192
10a412da 193static void sd_set_mode(SDState *sd)
a1bb27b1
PB		 194{
195 switch (sd->state) {
196 case sd_inactive_state:
197 sd->mode = sd_inactive;
198 break;
199
200 case sd_idle_state:
201 case sd_ready_state:
202 case sd_identification_state:
203 sd->mode = sd_card_identification_mode;
204 break;
205
206 case sd_standby_state:
207 case sd_transfer_state:
208 case sd_sendingdata_state:
209 case sd_receivingdata_state:
210 case sd_programming_state:
211 case sd_disconnect_state:
212 sd->mode = sd_data_transfer_mode;
213 break;
214 }
a1bb27b1
PB		 215}
216
f250015b 217static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
a1bb27b1 218 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
1b088995 219 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
f250015b 220 /* 16 */
a1bb27b1
PB		 221 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
222 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
f250015b 223 /* 32 */
a1bb27b1
PB		 224 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
225 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
f250015b 226 /* 48 */
a1bb27b1
PB		 227 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
228 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
229};
230
f250015b 231static const int sd_cmd_class[SDMMC_CMD_MAX] = {
a1bb27b1
PB		 232 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
233 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
234 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
235 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
236};
237
238static uint8_t sd_crc7(void *message, size_t width)
239{
240 int i, bit;
241 uint8_t shift_reg = 0x00;
242 uint8_t *msg = (uint8_t *) message;
243
244 for (i = 0; i < width; i ++, msg ++)
245 for (bit = 7; bit >= 0; bit --) {
246 shift_reg <<= 1;
247 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
248 shift_reg ^= 0x89;
249 }
250
251 return shift_reg;
252}
253
254static uint16_t sd_crc16(void *message, size_t width)
255{
256 int i, bit;
257 uint16_t shift_reg = 0x0000;
258 uint16_t *msg = (uint16_t *) message;
259 width <<= 1;
260
261 for (i = 0; i < width; i ++, msg ++)
262 for (bit = 15; bit >= 0; bit --) {
263 shift_reg <<= 1;
264 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
265 shift_reg ^= 0x1011;
266 }
267
268 return shift_reg;
269}
270
6f296421
PMD		 271#define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
272
3d42fb52
PMD		 273FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
274FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
275FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
276FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
277FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
278FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
6f296421
PMD		 279FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
280FIELD(OCR, CARD_POWER_UP, 31, 1)
281
3d42fb52
PMD		 282#define ACMD41_ENQUIRY_MASK 0x00ffffff
283#define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
284 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
285 | R_OCR_UHS_II_CARD_MASK \
286 | R_OCR_CARD_CAPACITY_MASK \
287 | R_OCR_CARD_POWER_UP_MASK)
288
a1bb27b1
PB		 289static void sd_set_ocr(SDState *sd)
290{
3d42fb52
PMD		 291 /* All voltages OK */
292 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
dd26eb43
AB		 293}
294
295static void sd_ocr_powerup(void *opaque)
296{
297 SDState *sd = opaque;
298
814b2adc 299 trace_sdcard_powerup();
6f296421
PMD		 300 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
301
302 /* card power-up OK */
303 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
9273ea61
PMD		 304
305 if (sd->size > 1 * G_BYTE) {
306 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
307 }
a1bb27b1
PB		 308}
309
310static void sd_set_scr(SDState *sd)
311{
9b7ec55c
PMD		 312 sd->scr[0] = (0 << 4) /* SCR version 1.0 */
313 | 0; /* Spec Versions 1.0 and 1.01 */
314 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
315 | 0b0101; /* 1-bit or 4-bit width bus modes */
316 sd->scr[2] = 0x00; /* Extended Security is not supported. */
a1bb27b1 317 sd->scr[3] = 0x00;
9b7ec55c 318 /* reserved for manufacturer usage */
a1bb27b1
PB		 319 sd->scr[4] = 0x00;
320 sd->scr[5] = 0x00;
321 sd->scr[6] = 0x00;
322 sd->scr[7] = 0x00;
323}
324
325#define MID 0xaa
326#define OID "XY"
327#define PNM "QEMU!"
328#define PRV 0x01
329#define MDT_YR 2006
330#define MDT_MON 2
331
332static void sd_set_cid(SDState *sd)
333{
334 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
335 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
336 sd->cid[2] = OID[1];
337 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
338 sd->cid[4] = PNM[1];
339 sd->cid[5] = PNM[2];
340 sd->cid[6] = PNM[3];
341 sd->cid[7] = PNM[4];
342 sd->cid[8] = PRV; /* Fake product revision (PRV) */
343 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
344 sd->cid[10] = 0xad;
345 sd->cid[11] = 0xbe;
346 sd->cid[12] = 0xef;
347 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
348 ((MDT_YR - 2000) / 10);
349 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
350 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
351}
352
353#define HWBLOCK_SHIFT 9 /* 512 bytes */
354#define SECTOR_SHIFT 5 /* 16 kilobytes */
355#define WPGROUP_SHIFT 7 /* 2 megs */
356#define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
a1bb27b1
PB		 357#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
358
359static const uint8_t sd_csd_rw_mask[16] = {
360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
362};
363
2d7adea4 364static void sd_set_csd(SDState *sd, uint64_t size)
a1bb27b1
PB		 365{
366 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
367 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
368 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
369
7af83490 370 if (size <= 1 * G_BYTE) { /* Standard Capacity SD */
2d7adea4
AZ		 371 sd->csd[0] = 0x00; /* CSD structure */
372 sd->csd[1] = 0x26; /* Data read access-time-1 */
373 sd->csd[2] = 0x00; /* Data read access-time-2 */
d7ecb867 374 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
2d7adea4
AZ		 375 sd->csd[4] = 0x5f; /* Card Command Classes */
376 sd->csd[5] = 0x50 | /* Max. read data block length */
377 HWBLOCK_SHIFT;
378 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
379 ((csize >> 10) & 0x03);
380 sd->csd[7] = 0x00 | /* Device size */
381 ((csize >> 2) & 0xff);
382 sd->csd[8] = 0x3f | /* Max. read current */
383 ((csize << 6) & 0xc0);
384 sd->csd[9] = 0xfc | /* Max. write current */
385 ((CMULT_SHIFT - 2) >> 1);
386 sd->csd[10] = 0x40 | /* Erase sector size */
387 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
388 sd->csd[11] = 0x00 | /* Write protect group size */
389 ((sectsize << 7) & 0x80) | wpsize;
390 sd->csd[12] = 0x90 | /* Write speed factor */
391 (HWBLOCK_SHIFT >> 2);
392 sd->csd[13] = 0x20 | /* Max. write data block length */
393 ((HWBLOCK_SHIFT << 6) & 0xc0);
394 sd->csd[14] = 0x00; /* File format group */
2d7adea4
AZ		 395 } else { /* SDHC */
396 size /= 512 * 1024;
397 size -= 1;
398 sd->csd[0] = 0x40;
399 sd->csd[1] = 0x0e;
400 sd->csd[2] = 0x00;
401 sd->csd[3] = 0x32;
402 sd->csd[4] = 0x5b;
403 sd->csd[5] = 0x59;
404 sd->csd[6] = 0x00;
405 sd->csd[7] = (size >> 16) & 0xff;
406 sd->csd[8] = (size >> 8) & 0xff;
407 sd->csd[9] = (size & 0xff);
408 sd->csd[10] = 0x7f;
409 sd->csd[11] = 0x80;
410 sd->csd[12] = 0x0a;
411 sd->csd[13] = 0x40;
412 sd->csd[14] = 0x00;
2d7adea4 413 }
e8feec80 414 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
a1bb27b1
PB		 415}
416
417static void sd_set_rca(SDState *sd)
418{
419 sd->rca += 0x4567;
420}
421
da26e3f3
PMD		 422FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
423FIELD(CSR, APP_CMD, 5, 1)
424FIELD(CSR, FX_EVENT, 6, 1)
425FIELD(CSR, READY_FOR_DATA, 8, 1)
426FIELD(CSR, CURRENT_STATE, 9, 4)
427FIELD(CSR, ERASE_RESET, 13, 1)
428FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
429FIELD(CSR, WP_ERASE_SKIP, 15, 1)
430FIELD(CSR, CSD_OVERWRITE, 16, 1)
431FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
432FIELD(CSR, ERROR, 19, 1)
433FIELD(CSR, CC_ERROR, 20, 1)
434FIELD(CSR, CARD_ECC_FAILED, 21, 1)
435FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
436FIELD(CSR, COM_CRC_ERROR, 23, 1)
437FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
438FIELD(CSR, CARD_IS_LOCKED, 25, 1)
439FIELD(CSR, WP_VIOLATION, 26, 1)
440FIELD(CSR, ERASE_PARAM, 27, 1)
441FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
442FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
443FIELD(CSR, ADDRESS_ERROR, 30, 1)
444FIELD(CSR, OUT_OF_RANGE, 31, 1)
445
b8d334c8
PM		 446/* Card status bits, split by clear condition:
447 * A : According to the card current state
448 * B : Always related to the previous command
449 * C : Cleared by read
450 */
da26e3f3
PMD		 451#define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
452 | R_CSR_CARD_ECC_DISABLED_MASK \
453 | R_CSR_CARD_IS_LOCKED_MASK)
454#define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
455 | R_CSR_ILLEGAL_COMMAND_MASK \
456 | R_CSR_COM_CRC_ERROR_MASK)
457#define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
458 | R_CSR_APP_CMD_MASK \
459 | R_CSR_ERASE_RESET_MASK \
460 | R_CSR_WP_ERASE_SKIP_MASK \
461 | R_CSR_CSD_OVERWRITE_MASK \
462 | R_CSR_ERROR_MASK \
463 | R_CSR_CC_ERROR_MASK \
464 | R_CSR_CARD_ECC_FAILED_MASK \
465 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
466 | R_CSR_WP_VIOLATION_MASK \
467 | R_CSR_ERASE_PARAM_MASK \
468 | R_CSR_ERASE_SEQ_ERROR_MASK \
469 | R_CSR_BLOCK_LEN_ERROR_MASK \
470 | R_CSR_ADDRESS_ERROR_MASK \
471 | R_CSR_OUT_OF_RANGE_MASK)
a1bb27b1
PB		 472
473static void sd_set_cardstatus(SDState *sd)
474{
475 sd->card_status = 0x00000100;
476}
477
478static void sd_set_sdstatus(SDState *sd)
479{
480 memset(sd->sd_status, 0, 64);
481}
482
bc24a225 483static int sd_req_crc_validate(SDRequest *req)
a1bb27b1
PB		 484{
485 uint8_t buffer[5];
486 buffer[0] = 0x40 | req->cmd;
67bfddd6 487 stl_be_p(&buffer[1], req->arg);
a1bb27b1
PB		 488 return 0;
489 return sd_crc7(buffer, 5) != req->crc; /* TODO */
490}
491
10a412da 492static void sd_response_r1_make(SDState *sd, uint8_t *response)
a1bb27b1 493{
67bfddd6
PMD		 494 stl_be_p(response, sd->card_status);
495
1d06cb7a
PM		 496 /* Clear the "clear on read" status bits */
497 sd->card_status &= ~CARD_STATUS_C;
a1bb27b1
PB		 498}
499
9596ebb7 500static void sd_response_r3_make(SDState *sd, uint8_t *response)
a1bb27b1 501{
3d42fb52 502 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
a1bb27b1
PB		 503}
504
9596ebb7 505static void sd_response_r6_make(SDState *sd, uint8_t *response)
a1bb27b1 506{
a1bb27b1
PB		 507 uint16_t status;
508
a1bb27b1
PB		 509 status = ((sd->card_status >> 8) & 0xc000) |
510 ((sd->card_status >> 6) & 0x2000) |
511 (sd->card_status & 0x1fff);
fcfa9351 512 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
67bfddd6
PMD		 513 stw_be_p(response + 0, sd->rca);
514 stw_be_p(response + 2, status);
a1bb27b1
PB		 515}
516
1b088995
AZ		 517static void sd_response_r7_make(SDState *sd, uint8_t *response)
518{
67bfddd6 519 stl_be_p(response, sd->vhs);
1b088995
AZ		 520}
521
b7202b88
MI		 522static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
523{
524 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
525}
526
ba3ed0fa 527static void sd_reset(DeviceState *dev)
a1bb27b1 528{
ba3ed0fa 529 SDState *sd = SD_CARD(dev);
2d7adea4 530 uint64_t size;
a1bb27b1
PB		 531 uint64_t sect;
532
814b2adc 533 trace_sdcard_reset();
16b781aa
PM		 534 if (sd->blk) {
535 blk_get_geometry(sd->blk, &sect);
03f311ed
PB		 536 } else {
537 sect = 0;
538 }
5e37141b 539 size = sect << 9;
a1bb27b1 540
b7202b88 541 sect = sd_addr_to_wpnum(size) + 1;
a1bb27b1
PB		 542
543 sd->state = sd_idle_state;
544 sd->rca = 0x0000;
545 sd_set_ocr(sd);
546 sd_set_scr(sd);
547 sd_set_cid(sd);
548 sd_set_csd(sd, size);
549 sd_set_cardstatus(sd);
550 sd_set_sdstatus(sd);
551
ef1e1e07 552 g_free(sd->wp_groups);
16b781aa 553 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
50a5be6c
IM		 554 sd->wpgrps_size = sect;
555 sd->wp_groups = bitmap_new(sd->wpgrps_size);
556 memset(sd->function_group, 0, sizeof(sd->function_group));
a1bb27b1
PB		 557 sd->erase_start = 0;
558 sd->erase_end = 0;
559 sd->size = size;
560 sd->blk_len = 0x200;
561 sd->pwd_len = 0;
bebd1271 562 sd->expecting_acmd = false;
da346922
PMD		 563 sd->dat_lines = 0xf;
564 sd->cmd_line = true;
4481bbc7 565 sd->multi_blk_cnt = 0;
a1bb27b1
PB		 566}
567
c759a790
PM		 568static bool sd_get_inserted(SDState *sd)
569{
0719e71e 570 return sd->blk && blk_is_inserted(sd->blk);
c759a790
PM		 571}
572
573static bool sd_get_readonly(SDState *sd)
574{
575 return sd->wp_switch;
576}
577
39829a01 578static void sd_cardchange(void *opaque, bool load, Error **errp)
a1bb27b1
PB		 579{
580 SDState *sd = opaque;
c759a790
PM		 581 DeviceState *dev = DEVICE(sd);
582 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev));
583 bool inserted = sd_get_inserted(sd);
584 bool readonly = sd_get_readonly(sd);
db97ee6a 585
c759a790 586 if (inserted) {
814b2adc 587 trace_sdcard_inserted(readonly);
c759a790 588 sd_reset(dev);
814b2adc
PMD		 589 } else {
590 trace_sdcard_ejected();
c759a790
PM		 591 }
592
593 /* The IRQ notification is for legacy non-QOM SD controller devices;
594 * QOMified controllers use the SDBus APIs.
595 */
596 if (sdbus) {
597 sdbus_set_inserted(sdbus, inserted);
598 if (inserted) {
599 sdbus_set_readonly(sdbus, readonly);
600 }
601 } else {
602 qemu_set_irq(sd->inserted_cb, inserted);
603 if (inserted) {
604 qemu_set_irq(sd->readonly_cb, readonly);
605 }
a1bb27b1
PB		 606 }
607}
608
0e49de52 609static const BlockDevOps sd_block_ops = {
145feb17 610 .change_media_cb = sd_cardchange,
0e49de52
MA		 611};
612
dd26eb43
AB		 613static bool sd_ocr_vmstate_needed(void *opaque)
614{
615 SDState *sd = opaque;
616
617 /* Include the OCR state (and timer) if it is not yet powered up */
6f296421 618 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
dd26eb43
AB		 619}
620
621static const VMStateDescription sd_ocr_vmstate = {
622 .name = "sd-card/ocr-state",
623 .version_id = 1,
624 .minimum_version_id = 1,
625 .needed = sd_ocr_vmstate_needed,
626 .fields = (VMStateField[]) {
627 VMSTATE_UINT32(ocr, SDState),
628 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
629 VMSTATE_END_OF_LIST()
630 },
631};
632
633static int sd_vmstate_pre_load(void *opaque)
634{
635 SDState *sd = opaque;
636
637 /* If the OCR state is not included (prior versions, or not
638 * needed), then the OCR must be set as powered up. If the OCR state
639 * is included, this will be replaced by the state restore.
640 */
641 sd_ocr_powerup(sd);
642
643 return 0;
644}
645
50a5be6c
IM		 646static const VMStateDescription sd_vmstate = {
647 .name = "sd-card",
648 .version_id = 1,
649 .minimum_version_id = 1,
dd26eb43 650 .pre_load = sd_vmstate_pre_load,
50a5be6c
IM		 651 .fields = (VMStateField[]) {
652 VMSTATE_UINT32(mode, SDState),
653 VMSTATE_INT32(state, SDState),
654 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
655 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
656 VMSTATE_UINT16(rca, SDState),
657 VMSTATE_UINT32(card_status, SDState),
658 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
659 VMSTATE_UINT32(vhs, SDState),
660 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
661 VMSTATE_UINT32(blk_len, SDState),
4481bbc7 662 VMSTATE_UINT32(multi_blk_cnt, SDState),
50a5be6c
IM		 663 VMSTATE_UINT32(erase_start, SDState),
664 VMSTATE_UINT32(erase_end, SDState),
665 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
666 VMSTATE_UINT32(pwd_len, SDState),
667 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
668 VMSTATE_UINT8(current_cmd, SDState),
669 VMSTATE_BOOL(expecting_acmd, SDState),
670 VMSTATE_UINT32(blk_written, SDState),
671 VMSTATE_UINT64(data_start, SDState),
672 VMSTATE_UINT32(data_offset, SDState),
673 VMSTATE_UINT8_ARRAY(data, SDState, 512),
12c125cb 674 VMSTATE_UNUSED_V(1, 512),
50a5be6c
IM		 675 VMSTATE_BOOL(enable, SDState),
676 VMSTATE_END_OF_LIST()
dd26eb43
AB		 677 },
678 .subsections = (const VMStateDescription*[]) {
679 &sd_ocr_vmstate,
680 NULL
681 },
50a5be6c
IM		 682};
683
260bc9d8 684/* Legacy initialization function for use by non-qdevified callers */
4be74634 685SDState *sd_init(BlockBackend *blk, bool is_spi)
a1bb27b1 686{
fec44a8c 687 Object *obj;
260bc9d8
PM		 688 DeviceState *dev;
689 Error *err = NULL;
a1bb27b1 690
fec44a8c
PM		 691 obj = object_new(TYPE_SD_CARD);
692 dev = DEVICE(obj);
260bc9d8
PM		 693 qdev_prop_set_drive(dev, "drive", blk, &err);
694 if (err) {
695 error_report("sd_init failed: %s", error_get_pretty(err));
4f8a066b
KW		 696 return NULL;
697 }
260bc9d8 698 qdev_prop_set_bit(dev, "spi", is_spi);
fec44a8c 699 object_property_set_bool(obj, true, "realized", &err);
260bc9d8
PM		 700 if (err) {
701 error_report("sd_init failed: %s", error_get_pretty(err));
702 return NULL;
03f311ed 703 }
260bc9d8
PM		 704
705 return SD_CARD(dev);
a1bb27b1
PB		 706}
707
02ce600c 708void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
a1bb27b1 709{
02ce600c
AZ		 710 sd->readonly_cb = readonly;
711 sd->inserted_cb = insert;
4be74634
MA		 712 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
713 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
a1bb27b1
PB		 714}
715
716static void sd_erase(SDState *sd)
717{
f2d189d3
IM		 718 int i;
719 uint64_t erase_start = sd->erase_start;
720 uint64_t erase_end = sd->erase_end;
721
814b2adc 722 trace_sdcard_erase();
a1bb27b1
PB		 723 if (!sd->erase_start || !sd->erase_end) {
724 sd->card_status |= ERASE_SEQ_ERROR;
725 return;
726 }
727
6f296421 728 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
f2d189d3
IM		 729 /* High capacity memory card: erase units are 512 byte blocks */
730 erase_start *= 512;
731 erase_end *= 512;
732 }
733
734 erase_start = sd_addr_to_wpnum(erase_start);
735 erase_end = sd_addr_to_wpnum(erase_end);
a1bb27b1
PB		 736 sd->erase_start = 0;
737 sd->erase_end = 0;
738 sd->csd[14] |= 0x40;
739
f2d189d3 740 for (i = erase_start; i <= erase_end; i++) {
a9c01830 741 if (test_bit(i, sd->wp_groups)) {
a1bb27b1 742 sd->card_status |= WP_ERASE_SKIP;
a9c01830
MI		 743 }
744 }
a1bb27b1
PB		 745}
746
2d7adea4 747static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
a1bb27b1
PB		 748{
749 uint32_t i, wpnum;
750 uint32_t ret = 0;
751
b7202b88 752 wpnum = sd_addr_to_wpnum(addr);
a1bb27b1 753
a9c01830
MI		 754 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
755 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
a1bb27b1 756 ret |= (1 << i);
a9c01830
MI		 757 }
758 }
a1bb27b1
PB		 759
760 return ret;
761}
762
763static void sd_function_switch(SDState *sd, uint32_t arg)
764{
67bfddd6 765 int i, mode, new_func;
a1bb27b1
PB		 766 mode = !!(arg & 0x80000000);
767
768 sd->data[0] = 0x00; /* Maximum current consumption */
769 sd->data[1] = 0x01;
770 sd->data[2] = 0x80; /* Supported group 6 functions */
771 sd->data[3] = 0x01;
772 sd->data[4] = 0x80; /* Supported group 5 functions */
773 sd->data[5] = 0x01;
774 sd->data[6] = 0x80; /* Supported group 4 functions */
775 sd->data[7] = 0x01;
776 sd->data[8] = 0x80; /* Supported group 3 functions */
777 sd->data[9] = 0x01;
778 sd->data[10] = 0x80; /* Supported group 2 functions */
779 sd->data[11] = 0x43;
780 sd->data[12] = 0x80; /* Supported group 1 functions */
781 sd->data[13] = 0x03;
782 for (i = 0; i < 6; i ++) {
783 new_func = (arg >> (i * 4)) & 0x0f;
784 if (mode && new_func != 0x0f)
785 sd->function_group[i] = new_func;
786 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
787 }
788 memset(&sd->data[17], 0, 47);
67bfddd6 789 stw_be_p(sd->data + 65, sd_crc16(sd->data, 64));
a1bb27b1
PB		 790}
791
4e8f1be2 792static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
a1bb27b1 793{
b7202b88 794 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
a1bb27b1
PB		 795}
796
797static void sd_lock_command(SDState *sd)
798{
799 int erase, lock, clr_pwd, set_pwd, pwd_len;
800 erase = !!(sd->data[0] & 0x08);
801 lock = sd->data[0] & 0x04;
802 clr_pwd = sd->data[0] & 0x02;
803 set_pwd = sd->data[0] & 0x01;
804
805 if (sd->blk_len > 1)
806 pwd_len = sd->data[1];
807 else
808 pwd_len = 0;
809
814b2adc
PMD		 810 if (lock) {
811 trace_sdcard_lock();
812 } else {
813 trace_sdcard_unlock();
814 }
a1bb27b1
PB		 815 if (erase) {
816 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
817 set_pwd || clr_pwd || lock || sd->wp_switch ||
818 (sd->csd[14] & 0x20)) {
819 sd->card_status |= LOCK_UNLOCK_FAILED;
820 return;
821 }
50a5be6c 822 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
a1bb27b1
PB		 823 sd->csd[14] &= ~0x10;
824 sd->card_status &= ~CARD_IS_LOCKED;
825 sd->pwd_len = 0;
826 /* Erasing the entire card here! */
827df9f3 827 fprintf(stderr, "SD: Card force-erased by CMD42\n");
a1bb27b1
PB		 828 return;
829 }
830
831 if (sd->blk_len < 2 + pwd_len ||
832 pwd_len <= sd->pwd_len ||
833 pwd_len > sd->pwd_len + 16) {
834 sd->card_status |= LOCK_UNLOCK_FAILED;
835 return;
836 }
837
838 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
839 sd->card_status |= LOCK_UNLOCK_FAILED;
840 return;
841 }
842
843 pwd_len -= sd->pwd_len;
844 if ((pwd_len && !set_pwd) ||
845 (clr_pwd && (set_pwd || lock)) ||
846 (lock && !sd->pwd_len && !set_pwd) ||
847 (!set_pwd && !clr_pwd &&
848 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
849 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
850 sd->card_status |= LOCK_UNLOCK_FAILED;
851 return;
852 }
853
854 if (set_pwd) {
855 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
856 sd->pwd_len = pwd_len;
857 }
858
859 if (clr_pwd) {
860 sd->pwd_len = 0;
861 }
862
863 if (lock)
864 sd->card_status |= CARD_IS_LOCKED;
865 else
866 sd->card_status &= ~CARD_IS_LOCKED;
867}
868
c227f099 869static sd_rsp_type_t sd_normal_command(SDState *sd,
bc24a225 870 SDRequest req)
a1bb27b1
PB		 871{
872 uint32_t rca = 0x0000;
2d7adea4 873 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
a1bb27b1 874
1b640aa9
PMD		 875 trace_sdcard_normal_command(req.cmd, req.arg, sd_state_name(sd->state));
876
1d06cb7a
PM		 877 /* Not interpreting this as an app command */
878 sd->card_status &= ~APP_CMD;
879
f250015b
PMD		 880 if (sd_cmd_type[req.cmd] == sd_ac
881 || sd_cmd_type[req.cmd] == sd_adtc) {
a1bb27b1 882 rca = req.arg >> 16;
97f4ed3b 883 }
a1bb27b1 884
4481bbc7
AB		 885 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
886 * if not, its effects are cancelled */
887 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
888 sd->multi_blk_cnt = 0;
889 }
890
a1bb27b1
PB		 891 switch (req.cmd) {
892 /* Basic commands (Class 0 and Class 1) */
893 case 0: /* CMD0: GO_IDLE_STATE */
894 switch (sd->state) {
895 case sd_inactive_state:
775616c3 896 return sd->spi ? sd_r1 : sd_r0;
a1bb27b1
PB		 897
898 default:
899 sd->state = sd_idle_state;
ba3ed0fa 900 sd_reset(DEVICE(sd));
775616c3 901 return sd->spi ? sd_r1 : sd_r0;
a1bb27b1
PB		 902 }
903 break;
904
775616c3
PB		 905 case 1: /* CMD1: SEND_OP_CMD */
906 if (!sd->spi)
907 goto bad_cmd;
908
909 sd->state = sd_transfer_state;
910 return sd_r1;
911
a1bb27b1 912 case 2: /* CMD2: ALL_SEND_CID */
775616c3
PB		 913 if (sd->spi)
914 goto bad_cmd;
a1bb27b1
PB		 915 switch (sd->state) {
916 case sd_ready_state:
917 sd->state = sd_identification_state;
918 return sd_r2_i;
919
920 default:
921 break;
922 }
923 break;
924
925 case 3: /* CMD3: SEND_RELATIVE_ADDR */
775616c3
PB		 926 if (sd->spi)
927 goto bad_cmd;
a1bb27b1
PB		 928 switch (sd->state) {
929 case sd_identification_state:
930 case sd_standby_state:
931 sd->state = sd_standby_state;
932 sd_set_rca(sd);
933 return sd_r6;
934
935 default:
936 break;
937 }
938 break;
939
940 case 4: /* CMD4: SEND_DSR */
775616c3
PB		 941 if (sd->spi)
942 goto bad_cmd;
a1bb27b1
PB		 943 switch (sd->state) {
944 case sd_standby_state:
945 break;
946
947 default:
948 break;
949 }
950 break;
951
109ac32f 952 case 5: /* CMD5: reserved for SDIO cards */
53bb8cc4 953 return sd_illegal;
109ac32f 954
a1bb27b1 955 case 6: /* CMD6: SWITCH_FUNCTION */
775616c3
PB		 956 if (sd->spi)
957 goto bad_cmd;
a1bb27b1
PB		 958 switch (sd->mode) {
959 case sd_data_transfer_mode:
960 sd_function_switch(sd, req.arg);
961 sd->state = sd_sendingdata_state;
962 sd->data_start = 0;
963 sd->data_offset = 0;
964 return sd_r1;
965
966 default:
967 break;
968 }
969 break;
970
971 case 7: /* CMD7: SELECT/DESELECT_CARD */
775616c3
PB		 972 if (sd->spi)
973 goto bad_cmd;
a1bb27b1
PB		 974 switch (sd->state) {
975 case sd_standby_state:
976 if (sd->rca != rca)
977 return sd_r0;
978
979 sd->state = sd_transfer_state;
980 return sd_r1b;
981
982 case sd_transfer_state:
983 case sd_sendingdata_state:
984 if (sd->rca == rca)
985 break;
986
987 sd->state = sd_standby_state;
988 return sd_r1b;
989
990 case sd_disconnect_state:
991 if (sd->rca != rca)
992 return sd_r0;
993
994 sd->state = sd_programming_state;
995 return sd_r1b;
996
997 case sd_programming_state:
998 if (sd->rca == rca)
999 break;
1000
1001 sd->state = sd_disconnect_state;
1002 return sd_r1b;
1003
1004 default:
1005 break;
1006 }
1007 break;
1008
1b088995
AZ		 1009 case 8: /* CMD8: SEND_IF_COND */
1010 /* Physical Layer Specification Version 2.00 command */
ad0ade55 1011 if (sd->state != sd_idle_state) {
1b088995
AZ		 1012 break;
1013 }
ad0ade55
PMD		 1014 sd->vhs = 0;
1015
1016 /* No response if not exactly one VHS bit is set. */
1017 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1018 return sd->spi ? sd_r7 : sd_r0;
1019 }
1020
1021 /* Accept. */
1022 sd->vhs = req.arg;
1023 return sd_r7;
1b088995 1024
a1bb27b1
PB		 1025 case 9: /* CMD9: SEND_CSD */
1026 switch (sd->state) {
1027 case sd_standby_state:
1028 if (sd->rca != rca)
1029 return sd_r0;
1030
1031 return sd_r2_s;
1032
775616c3
PB		 1033 case sd_transfer_state:
1034 if (!sd->spi)
1035 break;
1036 sd->state = sd_sendingdata_state;
1037 memcpy(sd->data, sd->csd, 16);
2d7adea4 1038 sd->data_start = addr;
775616c3
PB		 1039 sd->data_offset = 0;
1040 return sd_r1;
1041
a1bb27b1
PB		 1042 default:
1043 break;
1044 }
1045 break;
1046
1047 case 10: /* CMD10: SEND_CID */
1048 switch (sd->state) {
1049 case sd_standby_state:
1050 if (sd->rca != rca)
1051 return sd_r0;
1052
1053 return sd_r2_i;
1054
775616c3
PB		 1055 case sd_transfer_state:
1056 if (!sd->spi)
1057 break;
1058 sd->state = sd_sendingdata_state;
1059 memcpy(sd->data, sd->cid, 16);
2d7adea4 1060 sd->data_start = addr;
775616c3
PB		 1061 sd->data_offset = 0;
1062 return sd_r1;
1063
a1bb27b1
PB		 1064 default:
1065 break;
1066 }
1067 break;
1068
a1bb27b1
PB		 1069 case 12: /* CMD12: STOP_TRANSMISSION */
1070 switch (sd->state) {
1071 case sd_sendingdata_state:
1072 sd->state = sd_transfer_state;
1073 return sd_r1b;
1074
1075 case sd_receivingdata_state:
1076 sd->state = sd_programming_state;
1077 /* Bzzzzzzztt .... Operation complete. */
1078 sd->state = sd_transfer_state;
1079 return sd_r1b;
1080
1081 default:
1082 break;
1083 }
1084 break;
1085
1086 case 13: /* CMD13: SEND_STATUS */
1087 switch (sd->mode) {
1088 case sd_data_transfer_mode:
1089 if (sd->rca != rca)
1090 return sd_r0;
1091
1092 return sd_r1;
1093
1094 default:
1095 break;
1096 }
1097 break;
1098
1099 case 15: /* CMD15: GO_INACTIVE_STATE */
775616c3
PB		 1100 if (sd->spi)
1101 goto bad_cmd;
a1bb27b1
PB		 1102 switch (sd->mode) {
1103 case sd_data_transfer_mode:
1104 if (sd->rca != rca)
1105 return sd_r0;
1106
1107 sd->state = sd_inactive_state;
1108 return sd_r0;
1109
1110 default:
1111 break;
1112 }
1113 break;
1114
1115 /* Block read commands (Classs 2) */
1116 case 16: /* CMD16: SET_BLOCKLEN */
1117 switch (sd->state) {
1118 case sd_transfer_state:
814b2adc 1119 if (req.arg > (1 << HWBLOCK_SHIFT)) {
a1bb27b1 1120 sd->card_status |= BLOCK_LEN_ERROR;
814b2adc
PMD		 1121 } else {
1122 trace_sdcard_set_blocklen(req.arg);
a1bb27b1 1123 sd->blk_len = req.arg;
814b2adc 1124 }
a1bb27b1
PB		 1125
1126 return sd_r1;
1127
1128 default:
1129 break;
1130 }
1131 break;
1132
1133 case 17: /* CMD17: READ_SINGLE_BLOCK */
1134 switch (sd->state) {
1135 case sd_transfer_state:
1136 sd->state = sd_sendingdata_state;
2d7adea4 1137 sd->data_start = addr;
a1bb27b1
PB		 1138 sd->data_offset = 0;
1139
1140 if (sd->data_start + sd->blk_len > sd->size)
1141 sd->card_status |= ADDRESS_ERROR;
1142 return sd_r1;
1143
1144 default:
1145 break;
1146 }
1147 break;
1148
1149 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1150 switch (sd->state) {
1151 case sd_transfer_state:
1152 sd->state = sd_sendingdata_state;
2d7adea4 1153 sd->data_start = addr;
a1bb27b1
PB		 1154 sd->data_offset = 0;
1155
1156 if (sd->data_start + sd->blk_len > sd->size)
1157 sd->card_status |= ADDRESS_ERROR;
1158 return sd_r1;
1159
1160 default:
1161 break;
1162 }
1163 break;
1164
4481bbc7
AB		 1165 case 23: /* CMD23: SET_BLOCK_COUNT */
1166 switch (sd->state) {
1167 case sd_transfer_state:
1168 sd->multi_blk_cnt = req.arg;
1169 return sd_r1;
1170
1171 default:
1172 break;
1173 }
1174 break;
1175
a1bb27b1
PB		 1176 /* Block write commands (Class 4) */
1177 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
a2120864
PMD		 1178 if (sd->spi) {
1179 goto unimplemented_spi_cmd;
1180 }
a1bb27b1
PB		 1181 switch (sd->state) {
1182 case sd_transfer_state:
775616c3
PB		 1183 /* Writing in SPI mode not implemented. */
1184 if (sd->spi)
1185 break;
a1bb27b1 1186 sd->state = sd_receivingdata_state;
2d7adea4 1187 sd->data_start = addr;
a1bb27b1
PB		 1188 sd->data_offset = 0;
1189 sd->blk_written = 0;
1190
1191 if (sd->data_start + sd->blk_len > sd->size)
1192 sd->card_status |= ADDRESS_ERROR;
1193 if (sd_wp_addr(sd, sd->data_start))
1194 sd->card_status |= WP_VIOLATION;
1195 if (sd->csd[14] & 0x30)
1196 sd->card_status |= WP_VIOLATION;
1197 return sd_r1;
1198
1199 default:
1200 break;
1201 }
1202 break;
1203
1204 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
a2120864
PMD		 1205 if (sd->spi) {
1206 goto unimplemented_spi_cmd;
1207 }
a1bb27b1
PB		 1208 switch (sd->state) {
1209 case sd_transfer_state:
775616c3
PB		 1210 /* Writing in SPI mode not implemented. */
1211 if (sd->spi)
1212 break;
a1bb27b1 1213 sd->state = sd_receivingdata_state;
2d7adea4 1214 sd->data_start = addr;
a1bb27b1
PB		 1215 sd->data_offset = 0;
1216 sd->blk_written = 0;
1217
1218 if (sd->data_start + sd->blk_len > sd->size)
1219 sd->card_status |= ADDRESS_ERROR;
1220 if (sd_wp_addr(sd, sd->data_start))
1221 sd->card_status |= WP_VIOLATION;
1222 if (sd->csd[14] & 0x30)
1223 sd->card_status |= WP_VIOLATION;
1224 return sd_r1;
1225
1226 default:
1227 break;
1228 }
1229 break;
1230
1231 case 26: /* CMD26: PROGRAM_CID */
775616c3
PB		 1232 if (sd->spi)
1233 goto bad_cmd;
a1bb27b1
PB		 1234 switch (sd->state) {
1235 case sd_transfer_state:
1236 sd->state = sd_receivingdata_state;
1237 sd->data_start = 0;
1238 sd->data_offset = 0;
1239 return sd_r1;
1240
1241 default:
1242 break;
1243 }
1244 break;
1245
1246 case 27: /* CMD27: PROGRAM_CSD */
a2120864
PMD		 1247 if (sd->spi) {
1248 goto unimplemented_spi_cmd;
1249 }
a1bb27b1
PB		 1250 switch (sd->state) {
1251 case sd_transfer_state:
1252 sd->state = sd_receivingdata_state;
1253 sd->data_start = 0;
1254 sd->data_offset = 0;
1255 return sd_r1;
1256
1257 default:
1258 break;
1259 }
1260 break;
1261
1262 /* Write protection (Class 6) */
1263 case 28: /* CMD28: SET_WRITE_PROT */
1264 switch (sd->state) {
1265 case sd_transfer_state:
2d7adea4 1266 if (addr >= sd->size) {
e30d5938 1267 sd->card_status |= ADDRESS_ERROR;
a1bb27b1
PB		 1268 return sd_r1b;
1269 }
1270
1271 sd->state = sd_programming_state;
b7202b88 1272 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
a1bb27b1
PB		 1273 /* Bzzzzzzztt .... Operation complete. */
1274 sd->state = sd_transfer_state;
1275 return sd_r1b;
1276
1277 default:
1278 break;
1279 }
1280 break;
1281
1282 case 29: /* CMD29: CLR_WRITE_PROT */
1283 switch (sd->state) {
1284 case sd_transfer_state:
2d7adea4 1285 if (addr >= sd->size) {
e30d5938 1286 sd->card_status |= ADDRESS_ERROR;
a1bb27b1
PB		 1287 return sd_r1b;
1288 }
1289
1290 sd->state = sd_programming_state;
b7202b88 1291 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
a1bb27b1
PB		 1292 /* Bzzzzzzztt .... Operation complete. */
1293 sd->state = sd_transfer_state;
1294 return sd_r1b;
1295
1296 default:
1297 break;
1298 }
1299 break;
1300
1301 case 30: /* CMD30: SEND_WRITE_PROT */
1302 switch (sd->state) {
1303 case sd_transfer_state:
1304 sd->state = sd_sendingdata_state;
1305 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
2d7adea4 1306 sd->data_start = addr;
a1bb27b1
PB		 1307 sd->data_offset = 0;
1308 return sd_r1b;
1309
1310 default:
1311 break;
1312 }
1313 break;
1314
1315 /* Erase commands (Class 5) */
1316 case 32: /* CMD32: ERASE_WR_BLK_START */
1317 switch (sd->state) {
1318 case sd_transfer_state:
1319 sd->erase_start = req.arg;
1320 return sd_r1;
1321
1322 default:
1323 break;
1324 }
1325 break;
1326
1327 case 33: /* CMD33: ERASE_WR_BLK_END */
1328 switch (sd->state) {
1329 case sd_transfer_state:
1330 sd->erase_end = req.arg;
1331 return sd_r1;
1332
1333 default:
1334 break;
1335 }
1336 break;
1337
1338 case 38: /* CMD38: ERASE */
1339 switch (sd->state) {
1340 case sd_transfer_state:
1341 if (sd->csd[14] & 0x30) {
1342 sd->card_status |= WP_VIOLATION;
1343 return sd_r1b;
1344 }
1345
1346 sd->state = sd_programming_state;
1347 sd_erase(sd);
1348 /* Bzzzzzzztt .... Operation complete. */
1349 sd->state = sd_transfer_state;
1350 return sd_r1b;
1351
1352 default:
1353 break;
1354 }
1355 break;
1356
1357 /* Lock card commands (Class 7) */
1358 case 42: /* CMD42: LOCK_UNLOCK */
a2120864
PMD		 1359 if (sd->spi) {
1360 goto unimplemented_spi_cmd;
1361 }
a1bb27b1
PB		 1362 switch (sd->state) {
1363 case sd_transfer_state:
1364 sd->state = sd_receivingdata_state;
1365 sd->data_start = 0;
1366 sd->data_offset = 0;
1367 return sd_r1;
1368
1369 default:
1370 break;
1371 }
1372 break;
1373
49fb7381
PMD		 1374 case 52 ... 54:
1375 /* CMD52, CMD53, CMD54: reserved for SDIO cards
39e594db
PM		 1376 * (see the SDIO Simplified Specification V2.0)
1377 * Handle as illegal command but do not complain
1378 * on stderr, as some OSes may use these in their
1379 * probing for presence of an SDIO card.
1380 */
53bb8cc4 1381 return sd_illegal;
39e594db 1382
a1bb27b1
PB		 1383 /* Application specific commands (Class 8) */
1384 case 55: /* CMD55: APP_CMD */
d6911486
PMD		 1385 switch (sd->state) {
1386 case sd_ready_state:
1387 case sd_identification_state:
1388 case sd_inactive_state:
1389 return sd_illegal;
31162800
PMD		 1390 case sd_idle_state:
1391 if (rca) {
1392 qemu_log_mask(LOG_GUEST_ERROR,
1393 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1394 }
d6911486
PMD		 1395 default:
1396 break;
1397 }
946897ce
PMD		 1398 if (!sd->spi) {
1399 if (sd->rca != rca) {
1400 return sd_r0;
1401 }
1402 }
bebd1271 1403 sd->expecting_acmd = true;
a1bb27b1
PB		 1404 sd->card_status |= APP_CMD;
1405 return sd_r1;
1406
1407 case 56: /* CMD56: GEN_CMD */
a1bb27b1
PB		 1408 switch (sd->state) {
1409 case sd_transfer_state:
1410 sd->data_offset = 0;
1411 if (req.arg & 1)
1412 sd->state = sd_sendingdata_state;
1413 else
1414 sd->state = sd_receivingdata_state;
1415 return sd_r1;
1416
1417 default:
1418 break;
1419 }
1420 break;
1421
946897ce
PMD		 1422 case 58: /* CMD58: READ_OCR (SPI) */
1423 if (!sd->spi) {
1424 goto bad_cmd;
1425 }
1426 return sd_r3;
1427
1428 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1429 if (!sd->spi) {
1430 goto bad_cmd;
1431 }
1432 goto unimplemented_spi_cmd;
1433
a1bb27b1 1434 default:
775616c3 1435 bad_cmd:
9800ad88 1436 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
53bb8cc4 1437 return sd_illegal;
775616c3 1438
a2120864 1439 unimplemented_spi_cmd:
775616c3 1440 /* Commands that are recognised but not yet implemented in SPI mode. */
9800ad88
AB		 1441 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1442 req.cmd);
53bb8cc4 1443 return sd_illegal;
a1bb27b1
PB		 1444 }
1445
9800ad88 1446 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
53bb8cc4 1447 return sd_illegal;
a1bb27b1
PB		 1448}
1449
c227f099 1450static sd_rsp_type_t sd_app_command(SDState *sd,
22ed1d34
BS		 1451 SDRequest req)
1452{
1b640aa9 1453 trace_sdcard_app_command(req.cmd, req.arg);
1d06cb7a 1454 sd->card_status |= APP_CMD;
a1bb27b1
PB		 1455 switch (req.cmd) {
1456 case 6: /* ACMD6: SET_BUS_WIDTH */
946897ce
PMD		 1457 if (sd->spi) {
1458 goto unimplemented_spi_cmd;
1459 }
a1bb27b1
PB		 1460 switch (sd->state) {
1461 case sd_transfer_state:
1462 sd->sd_status[0] &= 0x3f;
1463 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1464 return sd_r1;
1465
1466 default:
1467 break;
1468 }
1469 break;
1470
1471 case 13: /* ACMD13: SD_STATUS */
1472 switch (sd->state) {
1473 case sd_transfer_state:
fb1ba03a 1474 sd->state = sd_sendingdata_state;
a1bb27b1
PB		 1475 sd->data_start = 0;
1476 sd->data_offset = 0;
1477 return sd_r1;
1478
1479 default:
1480 break;
1481 }
1482 break;
1483
1484 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1485 switch (sd->state) {
1486 case sd_transfer_state:
1487 *(uint32_t *) sd->data = sd->blk_written;
1488
fb1ba03a 1489 sd->state = sd_sendingdata_state;
a1bb27b1
PB		 1490 sd->data_start = 0;
1491 sd->data_offset = 0;
1492 return sd_r1;
1493
1494 default:
1495 break;
1496 }
1497 break;
1498
1499 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1500 switch (sd->state) {
1501 case sd_transfer_state:
1502 return sd_r1;
1503
1504 default:
1505 break;
1506 }
1507 break;
1508
1509 case 41: /* ACMD41: SD_APP_OP_COND */
775616c3
PB		 1510 if (sd->spi) {
1511 /* SEND_OP_CMD */
1512 sd->state = sd_transfer_state;
1513 return sd_r1;
1514 }
4e5cc675
PMD		 1515 if (sd->state != sd_idle_state) {
1516 break;
1517 }
1518 /* If it's the first ACMD41 since reset, we need to decide
1519 * whether to power up. If this is not an enquiry ACMD41,
1520 * we immediately report power on and proceed below to the
1521 * ready state, but if it is, we set a timer to model a
1522 * delay for power up. This works around a bug in EDK2
1523 * UEFI, which sends an initial enquiry ACMD41, but
1524 * assumes that the card is in ready state as soon as it
1525 * sees the power up bit set. */
1526 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1527 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1528 timer_del(sd->ocr_power_timer);
1529 sd_ocr_powerup(sd);
1530 } else {
1531 trace_sdcard_inquiry_cmd41();
1532 if (!timer_pending(sd->ocr_power_timer)) {
1533 timer_mod_ns(sd->ocr_power_timer,
1534 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1535 + OCR_POWER_DELAY_NS));
dd26eb43
AB		 1536 }
1537 }
4e5cc675 1538 }
dd26eb43 1539
4e5cc675 1540 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
37ab4a56
PC		 1541 /* We accept any voltage. 10000 V is nothing.
1542 *
dd26eb43 1543 * Once we're powered up, we advance straight to ready state
37ab4a56
PC		 1544 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1545 */
4e5cc675 1546 sd->state = sd_ready_state;
a1bb27b1 1547 }
4e5cc675
PMD		 1548
1549 return sd_r3;
a1bb27b1
PB		 1550
1551 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1552 switch (sd->state) {
1553 case sd_transfer_state:
1554 /* Bringing in the 50KOhm pull-up resistor... Done. */
1555 return sd_r1;
1556
1557 default:
1558 break;
1559 }
1560 break;
1561
1562 case 51: /* ACMD51: SEND_SCR */
1563 switch (sd->state) {
1564 case sd_transfer_state:
1565 sd->state = sd_sendingdata_state;
1566 sd->data_start = 0;
1567 sd->data_offset = 0;
1568 return sd_r1;
1569
1570 default:
1571 break;
1572 }
1573 break;
1574
688491c7
PMD		 1575 case 18: /* Reserved for SD security applications */
1576 case 25:
1577 case 26:
1578 case 38:
1579 case 43 ... 49:
1580 /* Refer to the "SD Specifications Part3 Security Specification" for
1581 * information about the SD Security Features.
1582 */
1583 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1584 req.cmd);
1585 return sd_illegal;
1586
a1bb27b1
PB		 1587 default:
1588 /* Fall back to standard commands. */
a1bb27b1 1589 return sd_normal_command(sd, req);
946897ce
PMD		 1590
1591 unimplemented_spi_cmd:
1592 /* Commands that are recognised but not yet implemented in SPI mode. */
1593 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1594 req.cmd);
1595 return sd_illegal;
a1bb27b1
PB		 1596 }
1597
9800ad88 1598 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
5b08bfe2 1599 return sd_illegal;
a1bb27b1
PB		 1600}
1601
25881d33
PM		 1602static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1603{
1604 /* Valid commands in locked state:
1605 * basic class (0)
1606 * lock card class (7)
1607 * CMD16
1608 * implicitly, the ACMD prefix CMD55
1609 * ACMD41 and ACMD42
1610 * Anything else provokes an "illegal command" response.
1611 */
1d06cb7a 1612 if (sd->expecting_acmd) {
25881d33
PM		 1613 return req->cmd == 41 || req->cmd == 42;
1614 }
1615 if (req->cmd == 16 || req->cmd == 55) {
1616 return 1;
1617 }
f250015b
PMD		 1618 return sd_cmd_class[req->cmd] == 0
1619 || sd_cmd_class[req->cmd] == 7;
25881d33
PM		 1620}
1621
bc24a225 1622int sd_do_command(SDState *sd, SDRequest *req,
a1bb27b1 1623 uint8_t *response) {
10a412da 1624 int last_state;
c227f099 1625 sd_rsp_type_t rtype;
a1bb27b1
PB		 1626 int rsplen;
1627
4be74634 1628 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
a1bb27b1
PB		 1629 return 0;
1630 }
1631
1632 if (sd_req_crc_validate(req)) {
abda1f37 1633 sd->card_status |= COM_CRC_ERROR;
b1f517ed
PM		 1634 rtype = sd_illegal;
1635 goto send_response;
a1bb27b1
PB		 1636 }
1637
f250015b
PMD		 1638 if (req->cmd >= SDMMC_CMD_MAX) {
1639 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1640 req->cmd);
1641 req->cmd &= 0x3f;
1642 }
1643
10a412da 1644 if (sd->card_status & CARD_IS_LOCKED) {
25881d33 1645 if (!cmd_valid_while_locked(sd, req)) {
a1bb27b1 1646 sd->card_status |= ILLEGAL_COMMAND;
bebd1271 1647 sd->expecting_acmd = false;
9800ad88 1648 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
b1f517ed
PM		 1649 rtype = sd_illegal;
1650 goto send_response;
a1bb27b1 1651 }
25881d33 1652 }
a1bb27b1 1653
10a412da
PM		 1654 last_state = sd->state;
1655 sd_set_mode(sd);
1656
1d06cb7a 1657 if (sd->expecting_acmd) {
bebd1271 1658 sd->expecting_acmd = false;
a1bb27b1 1659 rtype = sd_app_command(sd, *req);
1d06cb7a 1660 } else {
a1bb27b1 1661 rtype = sd_normal_command(sd, *req);
1d06cb7a 1662 }
a1bb27b1 1663
53bb8cc4
PM		 1664 if (rtype == sd_illegal) {
1665 sd->card_status |= ILLEGAL_COMMAND;
10a412da
PM		 1666 } else {
1667 /* Valid command, we can update the 'state before command' bits.
1668 * (Do this now so they appear in r1 responses.)
1669 */
1670 sd->current_cmd = req->cmd;
1671 sd->card_status &= ~CURRENT_STATE;
1672 sd->card_status |= (last_state << 9);
53bb8cc4
PM		 1673 }
1674
b1f517ed 1675send_response:
a1bb27b1
PB		 1676 switch (rtype) {
1677 case sd_r1:
1678 case sd_r1b:
10a412da 1679 sd_response_r1_make(sd, response);
a1bb27b1
PB		 1680 rsplen = 4;
1681 break;
1682
1683 case sd_r2_i:
1684 memcpy(response, sd->cid, sizeof(sd->cid));
a1bb27b1
PB		 1685 rsplen = 16;
1686 break;
1687
1688 case sd_r2_s:
1689 memcpy(response, sd->csd, sizeof(sd->csd));
a1bb27b1
PB		 1690 rsplen = 16;
1691 break;
1692
1693 case sd_r3:
1694 sd_response_r3_make(sd, response);
1695 rsplen = 4;
1696 break;
1697
1698 case sd_r6:
1699 sd_response_r6_make(sd, response);
1700 rsplen = 4;
1701 break;
1702
1b088995
AZ		 1703 case sd_r7:
1704 sd_response_r7_make(sd, response);
1705 rsplen = 4;
1706 break;
1707
a1bb27b1 1708 case sd_r0:
53bb8cc4 1709 case sd_illegal:
a1bb27b1
PB		 1710 rsplen = 0;
1711 break;
55921932
PMD		 1712 default:
1713 g_assert_not_reached();
a1bb27b1 1714 }
55921932 1715 trace_sdcard_response(sd_response_name(rtype), rsplen);
a1bb27b1 1716
10a412da
PM		 1717 if (rtype != sd_illegal) {
1718 /* Clear the "clear on valid command" status bits now we've
1719 * sent any response
1720 */
1721 sd->card_status &= ~CARD_STATUS_B;
1722 }
1723
a1bb27b1 1724#ifdef DEBUG_SD
5cd5e2e7 1725 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
a1bb27b1
PB		 1726#endif
1727
1728 return rsplen;
1729}
1730
2d7adea4 1731static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
a1bb27b1 1732{
1b640aa9 1733 trace_sdcard_read_block(addr, len);
12c125cb 1734 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
827df9f3 1735 fprintf(stderr, "sd_blk_read: read error on host side\n");
a1bb27b1 1736 }
a1bb27b1
PB		 1737}
1738
2d7adea4 1739static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
a1bb27b1 1740{
1b640aa9 1741 trace_sdcard_write_block(addr, len);
12c125cb
EB		 1742 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1743 fprintf(stderr, "sd_blk_write: write error on host side\n");
a1bb27b1
PB		 1744 }
1745}
1746
33f00271
AZ		 1747#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1748#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
a1bb27b1
PB		 1749#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1750#define APP_WRITE_BLOCK(a, len)
1751
1752void sd_write_data(SDState *sd, uint8_t value)
1753{
1754 int i;
1755
4be74634 1756 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
a1bb27b1
PB		 1757 return;
1758
1759 if (sd->state != sd_receivingdata_state) {
9800ad88
AB		 1760 qemu_log_mask(LOG_GUEST_ERROR,
1761 "sd_write_data: not in Receiving-Data state\n");
a1bb27b1
PB		 1762 return;
1763 }
1764
1765 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1766 return;
1767
814b2adc 1768 trace_sdcard_write_data(sd->current_cmd, value);
a1bb27b1
PB		 1769 switch (sd->current_cmd) {
1770 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1771 sd->data[sd->data_offset ++] = value;
1772 if (sd->data_offset >= sd->blk_len) {
1773 /* TODO: Check CRC before committing */
1774 sd->state = sd_programming_state;
1775 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1776 sd->blk_written ++;
1777 sd->csd[14] |= 0x40;
1778 /* Bzzzzzzztt .... Operation complete. */
1779 sd->state = sd_transfer_state;
1780 }
1781 break;
1782
1783 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
33fa8234 1784 if (sd->data_offset == 0) {
e03ba136 1785 /* Start of the block - let's check the address is valid */
a1bb27b1
PB		 1786 if (sd->data_start + sd->blk_len > sd->size) {
1787 sd->card_status |= ADDRESS_ERROR;
1788 break;
1789 }
1790 if (sd_wp_addr(sd, sd->data_start)) {
1791 sd->card_status |= WP_VIOLATION;
1792 break;
1793 }
33fa8234
DDAG		 1794 }
1795 sd->data[sd->data_offset++] = value;
1796 if (sd->data_offset >= sd->blk_len) {
1797 /* TODO: Check CRC before committing */
1798 sd->state = sd_programming_state;
1799 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1800 sd->blk_written++;
1801 sd->data_start += sd->blk_len;
1802 sd->data_offset = 0;
a1bb27b1
PB		 1803 sd->csd[14] |= 0x40;
1804
1805 /* Bzzzzzzztt .... Operation complete. */
4481bbc7
AB		 1806 if (sd->multi_blk_cnt != 0) {
1807 if (--sd->multi_blk_cnt == 0) {
1808 /* Stop! */
1809 sd->state = sd_transfer_state;
1810 break;
1811 }
1812 }
1813
a1bb27b1
PB		 1814 sd->state = sd_receivingdata_state;
1815 }
1816 break;
1817
1818 case 26: /* CMD26: PROGRAM_CID */
1819 sd->data[sd->data_offset ++] = value;
1820 if (sd->data_offset >= sizeof(sd->cid)) {
1821 /* TODO: Check CRC before committing */
1822 sd->state = sd_programming_state;
1823 for (i = 0; i < sizeof(sd->cid); i ++)
1824 if ((sd->cid[i] | 0x00) != sd->data[i])
1825 sd->card_status |= CID_CSD_OVERWRITE;
1826
1827 if (!(sd->card_status & CID_CSD_OVERWRITE))
1828 for (i = 0; i < sizeof(sd->cid); i ++) {
1829 sd->cid[i] |= 0x00;
1830 sd->cid[i] &= sd->data[i];
1831 }
1832 /* Bzzzzzzztt .... Operation complete. */
1833 sd->state = sd_transfer_state;
1834 }
1835 break;
1836
1837 case 27: /* CMD27: PROGRAM_CSD */
1838 sd->data[sd->data_offset ++] = value;
1839 if (sd->data_offset >= sizeof(sd->csd)) {
1840 /* TODO: Check CRC before committing */
1841 sd->state = sd_programming_state;
1842 for (i = 0; i < sizeof(sd->csd); i ++)
1843 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1844 (sd->data[i] | sd_csd_rw_mask[i]))
1845 sd->card_status |= CID_CSD_OVERWRITE;
1846
1847 /* Copy flag (OTP) & Permanent write protect */
1848 if (sd->csd[14] & ~sd->data[14] & 0x60)
1849 sd->card_status |= CID_CSD_OVERWRITE;
1850
1851 if (!(sd->card_status & CID_CSD_OVERWRITE))
1852 for (i = 0; i < sizeof(sd->csd); i ++) {
1853 sd->csd[i] |= sd_csd_rw_mask[i];
1854 sd->csd[i] &= sd->data[i];
1855 }
1856 /* Bzzzzzzztt .... Operation complete. */
1857 sd->state = sd_transfer_state;
1858 }
1859 break;
1860
1861 case 42: /* CMD42: LOCK_UNLOCK */
1862 sd->data[sd->data_offset ++] = value;
1863 if (sd->data_offset >= sd->blk_len) {
1864 /* TODO: Check CRC before committing */
1865 sd->state = sd_programming_state;
1866 sd_lock_command(sd);
1867 /* Bzzzzzzztt .... Operation complete. */
1868 sd->state = sd_transfer_state;
1869 }
1870 break;
1871
1872 case 56: /* CMD56: GEN_CMD */
1873 sd->data[sd->data_offset ++] = value;
1874 if (sd->data_offset >= sd->blk_len) {
1875 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1876 sd->state = sd_transfer_state;
1877 }
1878 break;
1879
1880 default:
9800ad88 1881 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
a1bb27b1
PB		 1882 break;
1883 }
1884}
1885
1886uint8_t sd_read_data(SDState *sd)
1887{
1888 /* TODO: Append CRCs */
1889 uint8_t ret;
2d7adea4 1890 int io_len;
a1bb27b1 1891
4be74634 1892 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
a1bb27b1
PB		 1893 return 0x00;
1894
1895 if (sd->state != sd_sendingdata_state) {
9800ad88
AB		 1896 qemu_log_mask(LOG_GUEST_ERROR,
1897 "sd_read_data: not in Sending-Data state\n");
a1bb27b1
PB		 1898 return 0x00;
1899 }
1900
1901 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1902 return 0x00;
1903
2d7adea4
AZ		 1904 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1905
814b2adc 1906 trace_sdcard_read_data(sd->current_cmd, io_len);
a1bb27b1
PB		 1907 switch (sd->current_cmd) {
1908 case 6: /* CMD6: SWITCH_FUNCTION */
1909 ret = sd->data[sd->data_offset ++];
1910
1911 if (sd->data_offset >= 64)
1912 sd->state = sd_transfer_state;
1913 break;
1914
775616c3
PB		 1915 case 9: /* CMD9: SEND_CSD */
1916 case 10: /* CMD10: SEND_CID */
1917 ret = sd->data[sd->data_offset ++];
1918
1919 if (sd->data_offset >= 16)
1920 sd->state = sd_transfer_state;
1921 break;
1922
a1bb27b1
PB		 1923 case 13: /* ACMD13: SD_STATUS */
1924 ret = sd->sd_status[sd->data_offset ++];
1925
1926 if (sd->data_offset >= sizeof(sd->sd_status))
1927 sd->state = sd_transfer_state;
1928 break;
1929
1930 case 17: /* CMD17: READ_SINGLE_BLOCK */
1931 if (sd->data_offset == 0)
2d7adea4 1932 BLK_READ_BLOCK(sd->data_start, io_len);
a1bb27b1
PB		 1933 ret = sd->data[sd->data_offset ++];
1934
2d7adea4 1935 if (sd->data_offset >= io_len)
a1bb27b1
PB		 1936 sd->state = sd_transfer_state;
1937 break;
1938
1939 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
8573378e
MO		 1940 if (sd->data_offset == 0) {
1941 if (sd->data_start + io_len > sd->size) {
1942 sd->card_status |= ADDRESS_ERROR;
1943 return 0x00;
1944 }
2d7adea4 1945 BLK_READ_BLOCK(sd->data_start, io_len);
8573378e 1946 }
a1bb27b1
PB		 1947 ret = sd->data[sd->data_offset ++];
1948
2d7adea4
AZ		 1949 if (sd->data_offset >= io_len) {
1950 sd->data_start += io_len;
a1bb27b1 1951 sd->data_offset = 0;
4481bbc7
AB		 1952
1953 if (sd->multi_blk_cnt != 0) {
1954 if (--sd->multi_blk_cnt == 0) {
1955 /* Stop! */
1956 sd->state = sd_transfer_state;
1957 break;
1958 }
1959 }
a1bb27b1
PB		 1960 }
1961 break;
1962
1963 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1964 ret = sd->data[sd->data_offset ++];
1965
1966 if (sd->data_offset >= 4)
1967 sd->state = sd_transfer_state;
1968 break;
1969
1970 case 30: /* CMD30: SEND_WRITE_PROT */
1971 ret = sd->data[sd->data_offset ++];
1972
1973 if (sd->data_offset >= 4)
1974 sd->state = sd_transfer_state;
1975 break;
1976
1977 case 51: /* ACMD51: SEND_SCR */
1978 ret = sd->scr[sd->data_offset ++];
1979
1980 if (sd->data_offset >= sizeof(sd->scr))
1981 sd->state = sd_transfer_state;
1982 break;
1983
1984 case 56: /* CMD56: GEN_CMD */
1985 if (sd->data_offset == 0)
1986 APP_READ_BLOCK(sd->data_start, sd->blk_len);
1987 ret = sd->data[sd->data_offset ++];
1988
1989 if (sd->data_offset >= sd->blk_len)
1990 sd->state = sd_transfer_state;
1991 break;
1992
1993 default:
9800ad88 1994 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
a1bb27b1
PB		 1995 return 0x00;
1996 }
1997
1998 return ret;
1999}
2000
879bf4a7 2001bool sd_data_ready(SDState *sd)
a1bb27b1
PB		 2002{
2003 return sd->state == sd_sendingdata_state;
2004}
827df9f3 2005
bebd1271 2006void sd_enable(SDState *sd, bool enable)
827df9f3
AZ		 2007{
2008 sd->enable = enable;
2009}
260bc9d8
PM		 2010
2011static void sd_instance_init(Object *obj)
2012{
2013 SDState *sd = SD_CARD(obj);
2014
2015 sd->enable = true;
dd26eb43 2016 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
260bc9d8
PM		 2017}
2018
5ba34401
MAL		 2019static void sd_instance_finalize(Object *obj)
2020{
2021 SDState *sd = SD_CARD(obj);
2022
2023 timer_del(sd->ocr_power_timer);
2024 timer_free(sd->ocr_power_timer);
2025}
2026
260bc9d8
PM		 2027static void sd_realize(DeviceState *dev, Error **errp)
2028{
2029 SDState *sd = SD_CARD(dev);
a17c17a2 2030 int ret;
260bc9d8
PM		 2031
2032 if (sd->blk && blk_is_read_only(sd->blk)) {
2033 error_setg(errp, "Cannot use read-only drive as SD card");
2034 return;
2035 }
2036
260bc9d8 2037 if (sd->blk) {
a17c17a2
KW		 2038 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2039 BLK_PERM_ALL, errp);
2040 if (ret < 0) {
2041 return;
2042 }
260bc9d8
PM		 2043 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2044 }
260bc9d8
PM		 2045}
2046
2047static Property sd_properties[] = {
2048 DEFINE_PROP_DRIVE("drive", SDState, blk),
2049 /* We do not model the chip select pin, so allow the board to select
2050 * whether card should be in SSI or MMC/SD mode. It is also up to the
2051 * board to ensure that ssi transfers only occur when the chip select
2052 * is asserted. */
2053 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2054 DEFINE_PROP_END_OF_LIST()
2055};
2056
2057static void sd_class_init(ObjectClass *klass, void *data)
2058{
2059 DeviceClass *dc = DEVICE_CLASS(klass);
c759a790 2060 SDCardClass *sc = SD_CARD_CLASS(klass);
260bc9d8
PM		 2061
2062 dc->realize = sd_realize;
2063 dc->props = sd_properties;
2064 dc->vmsd = &sd_vmstate;
ba3ed0fa 2065 dc->reset = sd_reset;
c759a790
PM		 2066 dc->bus_type = TYPE_SD_BUS;
2067
0034ebe6 2068 sc->set_voltage = sd_set_voltage;
da346922
PMD		 2069 sc->get_dat_lines = sd_get_dat_lines;
2070 sc->get_cmd_line = sd_get_cmd_line;
c759a790
PM		 2071 sc->do_command = sd_do_command;
2072 sc->write_data = sd_write_data;
2073 sc->read_data = sd_read_data;
2074 sc->data_ready = sd_data_ready;
2075 sc->enable = sd_enable;
2076 sc->get_inserted = sd_get_inserted;
2077 sc->get_readonly = sd_get_readonly;
260bc9d8
PM		 2078}
2079
2080static const TypeInfo sd_info = {
2081 .name = TYPE_SD_CARD,
2082 .parent = TYPE_DEVICE,
2083 .instance_size = sizeof(SDState),
c759a790 2084 .class_size = sizeof(SDCardClass),
260bc9d8
PM		 2085 .class_init = sd_class_init,
2086 .instance_init = sd_instance_init,
5ba34401 2087 .instance_finalize = sd_instance_finalize,
260bc9d8
PM		 2088};
2089
2090static void sd_register_types(void)
2091{
2092 type_register_static(&sd_info);
2093}
2094
2095type_init(sd_register_types)
QEMU mirror