]> git.proxmox.com Git - mirror_qemu.git/blob - hw/sd/sd.c
projects / mirror_qemu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-i2c-5' into staging
[mirror_qemu.git] / hw / sd / sd.c
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
36 #include "hw/irq.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
39 #include "hw/sd/sd.h"
40 #include "migration/vmstate.h"
41 #include "qapi/error.h"
42 #include "qemu/bitmap.h"
43 #include "hw/qdev-properties.h"
44 #include "qemu/error-report.h"
45 #include "qemu/timer.h"
46 #include "qemu/log.h"
47 #include "qemu/module.h"
48 #include "sdmmc-internal.h"
49 #include "trace.h"
50
51 //#define DEBUG_SD 1
52
53 typedef enum {
54 sd_r0 = 0, /* no response */
55 sd_r1, /* normal response command */
56 sd_r2_i, /* CID register */
57 sd_r2_s, /* CSD register */
58 sd_r3, /* OCR register */
59 sd_r6 = 6, /* Published RCA response */
60 sd_r7, /* Operating voltage */
61 sd_r1b = -1,
62 sd_illegal = -2,
63 } sd_rsp_type_t;
64
65 enum SDCardModes {
66 sd_inactive,
67 sd_card_identification_mode,
68 sd_data_transfer_mode,
69 };
70
71 enum SDCardStates {
72 sd_inactive_state = -1,
73 sd_idle_state = 0,
74 sd_ready_state,
75 sd_identification_state,
76 sd_standby_state,
77 sd_transfer_state,
78 sd_sendingdata_state,
79 sd_receivingdata_state,
80 sd_programming_state,
81 sd_disconnect_state,
82 };
83
84 struct SDState {
85 DeviceState parent_obj;
86
87 /* If true, created by sd_init() for a non-qdevified caller */
88 /* TODO purge them with fire */
89 bool me_no_qdev_me_kill_mammoth_with_rocks;
90
91 /* SD Memory Card Registers */
92 uint32_t ocr;
93 uint8_t scr[8];
94 uint8_t cid[16];
95 uint8_t csd[16];
96 uint16_t rca;
97 uint32_t card_status;
98 uint8_t sd_status[64];
99
100 /* Configurable properties */
101 uint8_t spec_version;
102 BlockBackend *blk;
103 bool spi;
104
105 uint32_t mode; /* current card mode, one of SDCardModes */
106 int32_t state; /* current card state, one of SDCardStates */
107 uint32_t vhs;
108 bool wp_switch;
109 unsigned long *wp_groups;
110 int32_t wpgrps_size;
111 uint64_t size;
112 uint32_t blk_len;
113 uint32_t multi_blk_cnt;
114 uint32_t erase_start;
115 uint32_t erase_end;
116 uint8_t pwd[16];
117 uint32_t pwd_len;
118 uint8_t function_group[6];
119 uint8_t current_cmd;
120 /* True if we will handle the next command as an ACMD. Note that this does
121 * *not* track the APP_CMD status bit!
122 */
123 bool expecting_acmd;
124 uint32_t blk_written;
125 uint64_t data_start;
126 uint32_t data_offset;
127 uint8_t data[512];
128 qemu_irq readonly_cb;
129 qemu_irq inserted_cb;
130 QEMUTimer *ocr_power_timer;
131 const char *proto_name;
132 bool enable;
133 uint8_t dat_lines;
134 bool cmd_line;
135 };
136
137 static void sd_realize(DeviceState *dev, Error **errp);
138
139 static const char *sd_state_name(enum SDCardStates state)
140 {
141 static const char *state_name[] = {
142 [sd_idle_state] = "idle",
143 [sd_ready_state] = "ready",
144 [sd_identification_state] = "identification",
145 [sd_standby_state] = "standby",
146 [sd_transfer_state] = "transfer",
147 [sd_sendingdata_state] = "sendingdata",
148 [sd_receivingdata_state] = "receivingdata",
149 [sd_programming_state] = "programming",
150 [sd_disconnect_state] = "disconnect",
151 };
152 if (state == sd_inactive_state) {
153 return "inactive";
154 }
155 assert(state < ARRAY_SIZE(state_name));
156 return state_name[state];
157 }
158
159 static const char *sd_response_name(sd_rsp_type_t rsp)
160 {
161 static const char *response_name[] = {
162 [sd_r0] = "RESP#0 (no response)",
163 [sd_r1] = "RESP#1 (normal cmd)",
164 [sd_r2_i] = "RESP#2 (CID reg)",
165 [sd_r2_s] = "RESP#2 (CSD reg)",
166 [sd_r3] = "RESP#3 (OCR reg)",
167 [sd_r6] = "RESP#6 (RCA)",
168 [sd_r7] = "RESP#7 (operating voltage)",
169 };
170 if (rsp == sd_illegal) {
171 return "ILLEGAL RESP";
172 }
173 if (rsp == sd_r1b) {
174 rsp = sd_r1;
175 }
176 assert(rsp < ARRAY_SIZE(response_name));
177 return response_name[rsp];
178 }
179
180 static uint8_t sd_get_dat_lines(SDState *sd)
181 {
182 return sd->enable ? sd->dat_lines : 0;
183 }
184
185 static bool sd_get_cmd_line(SDState *sd)
186 {
187 return sd->enable ? sd->cmd_line : false;
188 }
189
190 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
191 {
192 trace_sdcard_set_voltage(millivolts);
193
194 switch (millivolts) {
195 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
196 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
197 break;
198 default:
199 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
200 millivolts / 1000.f);
201 }
202 }
203
204 static void sd_set_mode(SDState *sd)
205 {
206 switch (sd->state) {
207 case sd_inactive_state:
208 sd->mode = sd_inactive;
209 break;
210
211 case sd_idle_state:
212 case sd_ready_state:
213 case sd_identification_state:
214 sd->mode = sd_card_identification_mode;
215 break;
216
217 case sd_standby_state:
218 case sd_transfer_state:
219 case sd_sendingdata_state:
220 case sd_receivingdata_state:
221 case sd_programming_state:
222 case sd_disconnect_state:
223 sd->mode = sd_data_transfer_mode;
224 break;
225 }
226 }
227
228 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
229 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
230 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
231 /* 16 */
232 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
233 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
234 /* 32 */
235 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
236 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
237 /* 48 */
238 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
239 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
240 };
241
242 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
243 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
244 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
245 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
246 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
247 };
248
249 static uint8_t sd_crc7(void *message, size_t width)
250 {
251 int i, bit;
252 uint8_t shift_reg = 0x00;
253 uint8_t *msg = (uint8_t *) message;
254
255 for (i = 0; i < width; i ++, msg ++)
256 for (bit = 7; bit >= 0; bit --) {
257 shift_reg <<= 1;
258 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
259 shift_reg ^= 0x89;
260 }
261
262 return shift_reg;
263 }
264
265 static uint16_t sd_crc16(void *message, size_t width)
266 {
267 int i, bit;
268 uint16_t shift_reg = 0x0000;
269 uint16_t *msg = (uint16_t *) message;
270 width <<= 1;
271
272 for (i = 0; i < width; i ++, msg ++)
273 for (bit = 15; bit >= 0; bit --) {
274 shift_reg <<= 1;
275 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
276 shift_reg ^= 0x1011;
277 }
278
279 return shift_reg;
280 }
281
282 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
283
284 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
285 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
286 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
287 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
288 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
289 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
290 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
291 FIELD(OCR, CARD_POWER_UP, 31, 1)
292
293 #define ACMD41_ENQUIRY_MASK 0x00ffffff
294 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
295 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
296 | R_OCR_UHS_II_CARD_MASK \
297 | R_OCR_CARD_CAPACITY_MASK \
298 | R_OCR_CARD_POWER_UP_MASK)
299
300 static void sd_set_ocr(SDState *sd)
301 {
302 /* All voltages OK */
303 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
304 }
305
306 static void sd_ocr_powerup(void *opaque)
307 {
308 SDState *sd = opaque;
309
310 trace_sdcard_powerup();
311 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
312
313 /* card power-up OK */
314 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
315
316 if (sd->size > 1 * GiB) {
317 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
318 }
319 }
320
321 static void sd_set_scr(SDState *sd)
322 {
323 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
324 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
325 sd->scr[0] |= 1; /* Spec Version 1.10 */
326 } else {
327 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
328 }
329 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
330 | 0b0101; /* 1-bit or 4-bit width bus modes */
331 sd->scr[2] = 0x00; /* Extended Security is not supported. */
332 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
333 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
334 }
335 sd->scr[3] = 0x00;
336 /* reserved for manufacturer usage */
337 sd->scr[4] = 0x00;
338 sd->scr[5] = 0x00;
339 sd->scr[6] = 0x00;
340 sd->scr[7] = 0x00;
341 }
342
343 #define MID 0xaa
344 #define OID "XY"
345 #define PNM "QEMU!"
346 #define PRV 0x01
347 #define MDT_YR 2006
348 #define MDT_MON 2
349
350 static void sd_set_cid(SDState *sd)
351 {
352 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
353 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
354 sd->cid[2] = OID[1];
355 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
356 sd->cid[4] = PNM[1];
357 sd->cid[5] = PNM[2];
358 sd->cid[6] = PNM[3];
359 sd->cid[7] = PNM[4];
360 sd->cid[8] = PRV; /* Fake product revision (PRV) */
361 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
362 sd->cid[10] = 0xad;
363 sd->cid[11] = 0xbe;
364 sd->cid[12] = 0xef;
365 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
366 ((MDT_YR - 2000) / 10);
367 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
368 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
369 }
370
371 #define HWBLOCK_SHIFT 9 /* 512 bytes */
372 #define SECTOR_SHIFT 5 /* 16 kilobytes */
373 #define WPGROUP_SHIFT 7 /* 2 megs */
374 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
375 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
376
377 static const uint8_t sd_csd_rw_mask[16] = {
378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
379 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
380 };
381
382 static void sd_set_csd(SDState *sd, uint64_t size)
383 {
384 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
385 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
386 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
387
388 if (size <= 1 * GiB) { /* Standard Capacity SD */
389 sd->csd[0] = 0x00; /* CSD structure */
390 sd->csd[1] = 0x26; /* Data read access-time-1 */
391 sd->csd[2] = 0x00; /* Data read access-time-2 */
392 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
393 sd->csd[4] = 0x5f; /* Card Command Classes */
394 sd->csd[5] = 0x50 | /* Max. read data block length */
395 HWBLOCK_SHIFT;
396 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
397 ((csize >> 10) & 0x03);
398 sd->csd[7] = 0x00 | /* Device size */
399 ((csize >> 2) & 0xff);
400 sd->csd[8] = 0x3f | /* Max. read current */
401 ((csize << 6) & 0xc0);
402 sd->csd[9] = 0xfc | /* Max. write current */
403 ((CMULT_SHIFT - 2) >> 1);
404 sd->csd[10] = 0x40 | /* Erase sector size */
405 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
406 sd->csd[11] = 0x00 | /* Write protect group size */
407 ((sectsize << 7) & 0x80) | wpsize;
408 sd->csd[12] = 0x90 | /* Write speed factor */
409 (HWBLOCK_SHIFT >> 2);
410 sd->csd[13] = 0x20 | /* Max. write data block length */
411 ((HWBLOCK_SHIFT << 6) & 0xc0);
412 sd->csd[14] = 0x00; /* File format group */
413 } else { /* SDHC */
414 size /= 512 * KiB;
415 size -= 1;
416 sd->csd[0] = 0x40;
417 sd->csd[1] = 0x0e;
418 sd->csd[2] = 0x00;
419 sd->csd[3] = 0x32;
420 sd->csd[4] = 0x5b;
421 sd->csd[5] = 0x59;
422 sd->csd[6] = 0x00;
423 sd->csd[7] = (size >> 16) & 0xff;
424 sd->csd[8] = (size >> 8) & 0xff;
425 sd->csd[9] = (size & 0xff);
426 sd->csd[10] = 0x7f;
427 sd->csd[11] = 0x80;
428 sd->csd[12] = 0x0a;
429 sd->csd[13] = 0x40;
430 sd->csd[14] = 0x00;
431 }
432 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
433 }
434
435 static void sd_set_rca(SDState *sd)
436 {
437 sd->rca += 0x4567;
438 }
439
440 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
441 FIELD(CSR, APP_CMD, 5, 1)
442 FIELD(CSR, FX_EVENT, 6, 1)
443 FIELD(CSR, READY_FOR_DATA, 8, 1)
444 FIELD(CSR, CURRENT_STATE, 9, 4)
445 FIELD(CSR, ERASE_RESET, 13, 1)
446 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
447 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
448 FIELD(CSR, CSD_OVERWRITE, 16, 1)
449 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
450 FIELD(CSR, ERROR, 19, 1)
451 FIELD(CSR, CC_ERROR, 20, 1)
452 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
453 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
454 FIELD(CSR, COM_CRC_ERROR, 23, 1)
455 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
456 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
457 FIELD(CSR, WP_VIOLATION, 26, 1)
458 FIELD(CSR, ERASE_PARAM, 27, 1)
459 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
460 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
461 FIELD(CSR, ADDRESS_ERROR, 30, 1)
462 FIELD(CSR, OUT_OF_RANGE, 31, 1)
463
464 /* Card status bits, split by clear condition:
465 * A : According to the card current state
466 * B : Always related to the previous command
467 * C : Cleared by read
468 */
469 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
470 | R_CSR_CARD_ECC_DISABLED_MASK \
471 | R_CSR_CARD_IS_LOCKED_MASK)
472 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
473 | R_CSR_ILLEGAL_COMMAND_MASK \
474 | R_CSR_COM_CRC_ERROR_MASK)
475 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
476 | R_CSR_APP_CMD_MASK \
477 | R_CSR_ERASE_RESET_MASK \
478 | R_CSR_WP_ERASE_SKIP_MASK \
479 | R_CSR_CSD_OVERWRITE_MASK \
480 | R_CSR_ERROR_MASK \
481 | R_CSR_CC_ERROR_MASK \
482 | R_CSR_CARD_ECC_FAILED_MASK \
483 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
484 | R_CSR_WP_VIOLATION_MASK \
485 | R_CSR_ERASE_PARAM_MASK \
486 | R_CSR_ERASE_SEQ_ERROR_MASK \
487 | R_CSR_BLOCK_LEN_ERROR_MASK \
488 | R_CSR_ADDRESS_ERROR_MASK \
489 | R_CSR_OUT_OF_RANGE_MASK)
490
491 static void sd_set_cardstatus(SDState *sd)
492 {
493 sd->card_status = 0x00000100;
494 }
495
496 static void sd_set_sdstatus(SDState *sd)
497 {
498 memset(sd->sd_status, 0, 64);
499 }
500
501 static int sd_req_crc_validate(SDRequest *req)
502 {
503 uint8_t buffer[5];
504 buffer[0] = 0x40 | req->cmd;
505 stl_be_p(&buffer[1], req->arg);
506 return 0;
507 return sd_crc7(buffer, 5) != req->crc; /* TODO */
508 }
509
510 static void sd_response_r1_make(SDState *sd, uint8_t *response)
511 {
512 stl_be_p(response, sd->card_status);
513
514 /* Clear the "clear on read" status bits */
515 sd->card_status &= ~CARD_STATUS_C;
516 }
517
518 static void sd_response_r3_make(SDState *sd, uint8_t *response)
519 {
520 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
521 }
522
523 static void sd_response_r6_make(SDState *sd, uint8_t *response)
524 {
525 uint16_t status;
526
527 status = ((sd->card_status >> 8) & 0xc000) |
528 ((sd->card_status >> 6) & 0x2000) |
529 (sd->card_status & 0x1fff);
530 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
531 stw_be_p(response + 0, sd->rca);
532 stw_be_p(response + 2, status);
533 }
534
535 static void sd_response_r7_make(SDState *sd, uint8_t *response)
536 {
537 stl_be_p(response, sd->vhs);
538 }
539
540 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
541 {
542 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
543 }
544
545 static void sd_reset(DeviceState *dev)
546 {
547 SDState *sd = SD_CARD(dev);
548 uint64_t size;
549 uint64_t sect;
550
551 trace_sdcard_reset();
552 if (sd->blk) {
553 blk_get_geometry(sd->blk, &sect);
554 } else {
555 sect = 0;
556 }
557 size = sect << 9;
558
559 sect = sd_addr_to_wpnum(size) + 1;
560
561 sd->state = sd_idle_state;
562 sd->rca = 0x0000;
563 sd_set_ocr(sd);
564 sd_set_scr(sd);
565 sd_set_cid(sd);
566 sd_set_csd(sd, size);
567 sd_set_cardstatus(sd);
568 sd_set_sdstatus(sd);
569
570 g_free(sd->wp_groups);
571 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
572 sd->wpgrps_size = sect;
573 sd->wp_groups = bitmap_new(sd->wpgrps_size);
574 memset(sd->function_group, 0, sizeof(sd->function_group));
575 sd->erase_start = 0;
576 sd->erase_end = 0;
577 sd->size = size;
578 sd->blk_len = 0x200;
579 sd->pwd_len = 0;
580 sd->expecting_acmd = false;
581 sd->dat_lines = 0xf;
582 sd->cmd_line = true;
583 sd->multi_blk_cnt = 0;
584 }
585
586 static bool sd_get_inserted(SDState *sd)
587 {
588 return sd->blk && blk_is_inserted(sd->blk);
589 }
590
591 static bool sd_get_readonly(SDState *sd)
592 {
593 return sd->wp_switch;
594 }
595
596 static void sd_cardchange(void *opaque, bool load, Error **errp)
597 {
598 SDState *sd = opaque;
599 DeviceState *dev = DEVICE(sd);
600 SDBus *sdbus;
601 bool inserted = sd_get_inserted(sd);
602 bool readonly = sd_get_readonly(sd);
603
604 if (inserted) {
605 trace_sdcard_inserted(readonly);
606 sd_reset(dev);
607 } else {
608 trace_sdcard_ejected();
609 }
610
611 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
612 qemu_set_irq(sd->inserted_cb, inserted);
613 if (inserted) {
614 qemu_set_irq(sd->readonly_cb, readonly);
615 }
616 } else {
617 sdbus = SD_BUS(qdev_get_parent_bus(dev));
618 sdbus_set_inserted(sdbus, inserted);
619 if (inserted) {
620 sdbus_set_readonly(sdbus, readonly);
621 }
622 }
623 }
624
625 static const BlockDevOps sd_block_ops = {
626 .change_media_cb = sd_cardchange,
627 };
628
629 static bool sd_ocr_vmstate_needed(void *opaque)
630 {
631 SDState *sd = opaque;
632
633 /* Include the OCR state (and timer) if it is not yet powered up */
634 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
635 }
636
637 static const VMStateDescription sd_ocr_vmstate = {
638 .name = "sd-card/ocr-state",
639 .version_id = 1,
640 .minimum_version_id = 1,
641 .needed = sd_ocr_vmstate_needed,
642 .fields = (VMStateField[]) {
643 VMSTATE_UINT32(ocr, SDState),
644 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
645 VMSTATE_END_OF_LIST()
646 },
647 };
648
649 static int sd_vmstate_pre_load(void *opaque)
650 {
651 SDState *sd = opaque;
652
653 /* If the OCR state is not included (prior versions, or not
654 * needed), then the OCR must be set as powered up. If the OCR state
655 * is included, this will be replaced by the state restore.
656 */
657 sd_ocr_powerup(sd);
658
659 return 0;
660 }
661
662 static const VMStateDescription sd_vmstate = {
663 .name = "sd-card",
664 .version_id = 1,
665 .minimum_version_id = 1,
666 .pre_load = sd_vmstate_pre_load,
667 .fields = (VMStateField[]) {
668 VMSTATE_UINT32(mode, SDState),
669 VMSTATE_INT32(state, SDState),
670 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
671 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
672 VMSTATE_UINT16(rca, SDState),
673 VMSTATE_UINT32(card_status, SDState),
674 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
675 VMSTATE_UINT32(vhs, SDState),
676 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
677 VMSTATE_UINT32(blk_len, SDState),
678 VMSTATE_UINT32(multi_blk_cnt, SDState),
679 VMSTATE_UINT32(erase_start, SDState),
680 VMSTATE_UINT32(erase_end, SDState),
681 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
682 VMSTATE_UINT32(pwd_len, SDState),
683 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
684 VMSTATE_UINT8(current_cmd, SDState),
685 VMSTATE_BOOL(expecting_acmd, SDState),
686 VMSTATE_UINT32(blk_written, SDState),
687 VMSTATE_UINT64(data_start, SDState),
688 VMSTATE_UINT32(data_offset, SDState),
689 VMSTATE_UINT8_ARRAY(data, SDState, 512),
690 VMSTATE_UNUSED_V(1, 512),
691 VMSTATE_BOOL(enable, SDState),
692 VMSTATE_END_OF_LIST()
693 },
694 .subsections = (const VMStateDescription*[]) {
695 &sd_ocr_vmstate,
696 NULL
697 },
698 };
699
700 /* Legacy initialization function for use by non-qdevified callers */
701 SDState *sd_init(BlockBackend *blk, bool is_spi)
702 {
703 Object *obj;
704 DeviceState *dev;
705 SDState *sd;
706 Error *err = NULL;
707
708 obj = object_new(TYPE_SD_CARD);
709 dev = DEVICE(obj);
710 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
711 error_reportf_err(err, "sd_init failed: ");
712 return NULL;
713 }
714 qdev_prop_set_bit(dev, "spi", is_spi);
715
716 /*
717 * Realizing the device properly would put it into the QOM
718 * composition tree even though it is not plugged into an
719 * appropriate bus. That's a no-no. Hide the device from
720 * QOM/qdev, and call its qdev realize callback directly.
721 */
722 object_ref(obj);
723 object_unparent(obj);
724 sd_realize(dev, &err);
725 if (err) {
726 error_reportf_err(err, "sd_init failed: ");
727 return NULL;
728 }
729
730 sd = SD_CARD(dev);
731 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
732 return sd;
733 }
734
735 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
736 {
737 sd->readonly_cb = readonly;
738 sd->inserted_cb = insert;
739 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
740 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
741 }
742
743 static void sd_erase(SDState *sd)
744 {
745 int i;
746 uint64_t erase_start = sd->erase_start;
747 uint64_t erase_end = sd->erase_end;
748
749 trace_sdcard_erase();
750 if (!sd->erase_start || !sd->erase_end) {
751 sd->card_status |= ERASE_SEQ_ERROR;
752 return;
753 }
754
755 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
756 /* High capacity memory card: erase units are 512 byte blocks */
757 erase_start *= 512;
758 erase_end *= 512;
759 }
760
761 erase_start = sd_addr_to_wpnum(erase_start);
762 erase_end = sd_addr_to_wpnum(erase_end);
763 sd->erase_start = 0;
764 sd->erase_end = 0;
765 sd->csd[14] |= 0x40;
766
767 for (i = erase_start; i <= erase_end; i++) {
768 if (test_bit(i, sd->wp_groups)) {
769 sd->card_status |= WP_ERASE_SKIP;
770 }
771 }
772 }
773
774 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
775 {
776 uint32_t i, wpnum;
777 uint32_t ret = 0;
778
779 wpnum = sd_addr_to_wpnum(addr);
780
781 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
782 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
783 ret |= (1 << i);
784 }
785 }
786
787 return ret;
788 }
789
790 static void sd_function_switch(SDState *sd, uint32_t arg)
791 {
792 int i, mode, new_func;
793 mode = !!(arg & 0x80000000);
794
795 sd->data[0] = 0x00; /* Maximum current consumption */
796 sd->data[1] = 0x01;
797 sd->data[2] = 0x80; /* Supported group 6 functions */
798 sd->data[3] = 0x01;
799 sd->data[4] = 0x80; /* Supported group 5 functions */
800 sd->data[5] = 0x01;
801 sd->data[6] = 0x80; /* Supported group 4 functions */
802 sd->data[7] = 0x01;
803 sd->data[8] = 0x80; /* Supported group 3 functions */
804 sd->data[9] = 0x01;
805 sd->data[10] = 0x80; /* Supported group 2 functions */
806 sd->data[11] = 0x43;
807 sd->data[12] = 0x80; /* Supported group 1 functions */
808 sd->data[13] = 0x03;
809 for (i = 0; i < 6; i ++) {
810 new_func = (arg >> (i * 4)) & 0x0f;
811 if (mode && new_func != 0x0f)
812 sd->function_group[i] = new_func;
813 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
814 }
815 memset(&sd->data[17], 0, 47);
816 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
817 }
818
819 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
820 {
821 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
822 }
823
824 static void sd_lock_command(SDState *sd)
825 {
826 int erase, lock, clr_pwd, set_pwd, pwd_len;
827 erase = !!(sd->data[0] & 0x08);
828 lock = sd->data[0] & 0x04;
829 clr_pwd = sd->data[0] & 0x02;
830 set_pwd = sd->data[0] & 0x01;
831
832 if (sd->blk_len > 1)
833 pwd_len = sd->data[1];
834 else
835 pwd_len = 0;
836
837 if (lock) {
838 trace_sdcard_lock();
839 } else {
840 trace_sdcard_unlock();
841 }
842 if (erase) {
843 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
844 set_pwd || clr_pwd || lock || sd->wp_switch ||
845 (sd->csd[14] & 0x20)) {
846 sd->card_status |= LOCK_UNLOCK_FAILED;
847 return;
848 }
849 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
850 sd->csd[14] &= ~0x10;
851 sd->card_status &= ~CARD_IS_LOCKED;
852 sd->pwd_len = 0;
853 /* Erasing the entire card here! */
854 fprintf(stderr, "SD: Card force-erased by CMD42\n");
855 return;
856 }
857
858 if (sd->blk_len < 2 + pwd_len ||
859 pwd_len <= sd->pwd_len ||
860 pwd_len > sd->pwd_len + 16) {
861 sd->card_status |= LOCK_UNLOCK_FAILED;
862 return;
863 }
864
865 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
866 sd->card_status |= LOCK_UNLOCK_FAILED;
867 return;
868 }
869
870 pwd_len -= sd->pwd_len;
871 if ((pwd_len && !set_pwd) ||
872 (clr_pwd && (set_pwd || lock)) ||
873 (lock && !sd->pwd_len && !set_pwd) ||
874 (!set_pwd && !clr_pwd &&
875 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
876 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
877 sd->card_status |= LOCK_UNLOCK_FAILED;
878 return;
879 }
880
881 if (set_pwd) {
882 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
883 sd->pwd_len = pwd_len;
884 }
885
886 if (clr_pwd) {
887 sd->pwd_len = 0;
888 }
889
890 if (lock)
891 sd->card_status |= CARD_IS_LOCKED;
892 else
893 sd->card_status &= ~CARD_IS_LOCKED;
894 }
895
896 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
897 {
898 uint32_t rca = 0x0000;
899 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
900
901 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
902 * However there is no ACMD55, so we want to trace this particular case.
903 */
904 if (req.cmd != 55 || sd->expecting_acmd) {
905 trace_sdcard_normal_command(sd->proto_name,
906 sd_cmd_name(req.cmd), req.cmd,
907 req.arg, sd_state_name(sd->state));
908 }
909
910 /* Not interpreting this as an app command */
911 sd->card_status &= ~APP_CMD;
912
913 if (sd_cmd_type[req.cmd] == sd_ac
914 || sd_cmd_type[req.cmd] == sd_adtc) {
915 rca = req.arg >> 16;
916 }
917
918 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
919 * if not, its effects are cancelled */
920 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
921 sd->multi_blk_cnt = 0;
922 }
923
924 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
925 /* Only Standard Capacity cards support class 6 commands */
926 return sd_illegal;
927 }
928
929 switch (req.cmd) {
930 /* Basic commands (Class 0 and Class 1) */
931 case 0: /* CMD0: GO_IDLE_STATE */
932 switch (sd->state) {
933 case sd_inactive_state:
934 return sd->spi ? sd_r1 : sd_r0;
935
936 default:
937 sd->state = sd_idle_state;
938 sd_reset(DEVICE(sd));
939 return sd->spi ? sd_r1 : sd_r0;
940 }
941 break;
942
943 case 1: /* CMD1: SEND_OP_CMD */
944 if (!sd->spi)
945 goto bad_cmd;
946
947 sd->state = sd_transfer_state;
948 return sd_r1;
949
950 case 2: /* CMD2: ALL_SEND_CID */
951 if (sd->spi)
952 goto bad_cmd;
953 switch (sd->state) {
954 case sd_ready_state:
955 sd->state = sd_identification_state;
956 return sd_r2_i;
957
958 default:
959 break;
960 }
961 break;
962
963 case 3: /* CMD3: SEND_RELATIVE_ADDR */
964 if (sd->spi)
965 goto bad_cmd;
966 switch (sd->state) {
967 case sd_identification_state:
968 case sd_standby_state:
969 sd->state = sd_standby_state;
970 sd_set_rca(sd);
971 return sd_r6;
972
973 default:
974 break;
975 }
976 break;
977
978 case 4: /* CMD4: SEND_DSR */
979 if (sd->spi)
980 goto bad_cmd;
981 switch (sd->state) {
982 case sd_standby_state:
983 break;
984
985 default:
986 break;
987 }
988 break;
989
990 case 5: /* CMD5: reserved for SDIO cards */
991 return sd_illegal;
992
993 case 6: /* CMD6: SWITCH_FUNCTION */
994 switch (sd->mode) {
995 case sd_data_transfer_mode:
996 sd_function_switch(sd, req.arg);
997 sd->state = sd_sendingdata_state;
998 sd->data_start = 0;
999 sd->data_offset = 0;
1000 return sd_r1;
1001
1002 default:
1003 break;
1004 }
1005 break;
1006
1007 case 7: /* CMD7: SELECT/DESELECT_CARD */
1008 if (sd->spi)
1009 goto bad_cmd;
1010 switch (sd->state) {
1011 case sd_standby_state:
1012 if (sd->rca != rca)
1013 return sd_r0;
1014
1015 sd->state = sd_transfer_state;
1016 return sd_r1b;
1017
1018 case sd_transfer_state:
1019 case sd_sendingdata_state:
1020 if (sd->rca == rca)
1021 break;
1022
1023 sd->state = sd_standby_state;
1024 return sd_r1b;
1025
1026 case sd_disconnect_state:
1027 if (sd->rca != rca)
1028 return sd_r0;
1029
1030 sd->state = sd_programming_state;
1031 return sd_r1b;
1032
1033 case sd_programming_state:
1034 if (sd->rca == rca)
1035 break;
1036
1037 sd->state = sd_disconnect_state;
1038 return sd_r1b;
1039
1040 default:
1041 break;
1042 }
1043 break;
1044
1045 case 8: /* CMD8: SEND_IF_COND */
1046 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1047 break;
1048 }
1049 if (sd->state != sd_idle_state) {
1050 break;
1051 }
1052 sd->vhs = 0;
1053
1054 /* No response if not exactly one VHS bit is set. */
1055 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1056 return sd->spi ? sd_r7 : sd_r0;
1057 }
1058
1059 /* Accept. */
1060 sd->vhs = req.arg;
1061 return sd_r7;
1062
1063 case 9: /* CMD9: SEND_CSD */
1064 switch (sd->state) {
1065 case sd_standby_state:
1066 if (sd->rca != rca)
1067 return sd_r0;
1068
1069 return sd_r2_s;
1070
1071 case sd_transfer_state:
1072 if (!sd->spi)
1073 break;
1074 sd->state = sd_sendingdata_state;
1075 memcpy(sd->data, sd->csd, 16);
1076 sd->data_start = addr;
1077 sd->data_offset = 0;
1078 return sd_r1;
1079
1080 default:
1081 break;
1082 }
1083 break;
1084
1085 case 10: /* CMD10: SEND_CID */
1086 switch (sd->state) {
1087 case sd_standby_state:
1088 if (sd->rca != rca)
1089 return sd_r0;
1090
1091 return sd_r2_i;
1092
1093 case sd_transfer_state:
1094 if (!sd->spi)
1095 break;
1096 sd->state = sd_sendingdata_state;
1097 memcpy(sd->data, sd->cid, 16);
1098 sd->data_start = addr;
1099 sd->data_offset = 0;
1100 return sd_r1;
1101
1102 default:
1103 break;
1104 }
1105 break;
1106
1107 case 12: /* CMD12: STOP_TRANSMISSION */
1108 switch (sd->state) {
1109 case sd_sendingdata_state:
1110 sd->state = sd_transfer_state;
1111 return sd_r1b;
1112
1113 case sd_receivingdata_state:
1114 sd->state = sd_programming_state;
1115 /* Bzzzzzzztt .... Operation complete. */
1116 sd->state = sd_transfer_state;
1117 return sd_r1b;
1118
1119 default:
1120 break;
1121 }
1122 break;
1123
1124 case 13: /* CMD13: SEND_STATUS */
1125 switch (sd->mode) {
1126 case sd_data_transfer_mode:
1127 if (sd->rca != rca)
1128 return sd_r0;
1129
1130 return sd_r1;
1131
1132 default:
1133 break;
1134 }
1135 break;
1136
1137 case 15: /* CMD15: GO_INACTIVE_STATE */
1138 if (sd->spi)
1139 goto bad_cmd;
1140 switch (sd->mode) {
1141 case sd_data_transfer_mode:
1142 if (sd->rca != rca)
1143 return sd_r0;
1144
1145 sd->state = sd_inactive_state;
1146 return sd_r0;
1147
1148 default:
1149 break;
1150 }
1151 break;
1152
1153 /* Block read commands (Classs 2) */
1154 case 16: /* CMD16: SET_BLOCKLEN */
1155 switch (sd->state) {
1156 case sd_transfer_state:
1157 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1158 sd->card_status |= BLOCK_LEN_ERROR;
1159 } else {
1160 trace_sdcard_set_blocklen(req.arg);
1161 sd->blk_len = req.arg;
1162 }
1163
1164 return sd_r1;
1165
1166 default:
1167 break;
1168 }
1169 break;
1170
1171 case 17: /* CMD17: READ_SINGLE_BLOCK */
1172 switch (sd->state) {
1173 case sd_transfer_state:
1174
1175 if (addr + sd->blk_len > sd->size) {
1176 sd->card_status |= ADDRESS_ERROR;
1177 return sd_r1;
1178 }
1179
1180 sd->state = sd_sendingdata_state;
1181 sd->data_start = addr;
1182 sd->data_offset = 0;
1183 return sd_r1;
1184
1185 default:
1186 break;
1187 }
1188 break;
1189
1190 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1191 switch (sd->state) {
1192 case sd_transfer_state:
1193
1194 if (addr + sd->blk_len > sd->size) {
1195 sd->card_status |= ADDRESS_ERROR;
1196 return sd_r1;
1197 }
1198
1199 sd->state = sd_sendingdata_state;
1200 sd->data_start = addr;
1201 sd->data_offset = 0;
1202 return sd_r1;
1203
1204 default:
1205 break;
1206 }
1207 break;
1208
1209 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1210 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1211 break;
1212 }
1213 if (sd->state == sd_transfer_state) {
1214 sd->state = sd_sendingdata_state;
1215 sd->data_offset = 0;
1216 return sd_r1;
1217 }
1218 break;
1219
1220 case 23: /* CMD23: SET_BLOCK_COUNT */
1221 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1222 break;
1223 }
1224 switch (sd->state) {
1225 case sd_transfer_state:
1226 sd->multi_blk_cnt = req.arg;
1227 return sd_r1;
1228
1229 default:
1230 break;
1231 }
1232 break;
1233
1234 /* Block write commands (Class 4) */
1235 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1236 switch (sd->state) {
1237 case sd_transfer_state:
1238 /* Writing in SPI mode not implemented. */
1239 if (sd->spi)
1240 break;
1241
1242 if (addr + sd->blk_len > sd->size) {
1243 sd->card_status |= ADDRESS_ERROR;
1244 return sd_r1;
1245 }
1246
1247 sd->state = sd_receivingdata_state;
1248 sd->data_start = addr;
1249 sd->data_offset = 0;
1250 sd->blk_written = 0;
1251
1252 if (sd_wp_addr(sd, sd->data_start)) {
1253 sd->card_status |= WP_VIOLATION;
1254 }
1255 if (sd->csd[14] & 0x30) {
1256 sd->card_status |= WP_VIOLATION;
1257 }
1258 return sd_r1;
1259
1260 default:
1261 break;
1262 }
1263 break;
1264
1265 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1266 switch (sd->state) {
1267 case sd_transfer_state:
1268 /* Writing in SPI mode not implemented. */
1269 if (sd->spi)
1270 break;
1271
1272 if (addr + sd->blk_len > sd->size) {
1273 sd->card_status |= ADDRESS_ERROR;
1274 return sd_r1;
1275 }
1276
1277 sd->state = sd_receivingdata_state;
1278 sd->data_start = addr;
1279 sd->data_offset = 0;
1280 sd->blk_written = 0;
1281
1282 if (sd_wp_addr(sd, sd->data_start)) {
1283 sd->card_status |= WP_VIOLATION;
1284 }
1285 if (sd->csd[14] & 0x30) {
1286 sd->card_status |= WP_VIOLATION;
1287 }
1288 return sd_r1;
1289
1290 default:
1291 break;
1292 }
1293 break;
1294
1295 case 26: /* CMD26: PROGRAM_CID */
1296 if (sd->spi)
1297 goto bad_cmd;
1298 switch (sd->state) {
1299 case sd_transfer_state:
1300 sd->state = sd_receivingdata_state;
1301 sd->data_start = 0;
1302 sd->data_offset = 0;
1303 return sd_r1;
1304
1305 default:
1306 break;
1307 }
1308 break;
1309
1310 case 27: /* CMD27: PROGRAM_CSD */
1311 switch (sd->state) {
1312 case sd_transfer_state:
1313 sd->state = sd_receivingdata_state;
1314 sd->data_start = 0;
1315 sd->data_offset = 0;
1316 return sd_r1;
1317
1318 default:
1319 break;
1320 }
1321 break;
1322
1323 /* Write protection (Class 6) */
1324 case 28: /* CMD28: SET_WRITE_PROT */
1325 switch (sd->state) {
1326 case sd_transfer_state:
1327 if (addr >= sd->size) {
1328 sd->card_status |= ADDRESS_ERROR;
1329 return sd_r1b;
1330 }
1331
1332 sd->state = sd_programming_state;
1333 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1334 /* Bzzzzzzztt .... Operation complete. */
1335 sd->state = sd_transfer_state;
1336 return sd_r1b;
1337
1338 default:
1339 break;
1340 }
1341 break;
1342
1343 case 29: /* CMD29: CLR_WRITE_PROT */
1344 switch (sd->state) {
1345 case sd_transfer_state:
1346 if (addr >= sd->size) {
1347 sd->card_status |= ADDRESS_ERROR;
1348 return sd_r1b;
1349 }
1350
1351 sd->state = sd_programming_state;
1352 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1353 /* Bzzzzzzztt .... Operation complete. */
1354 sd->state = sd_transfer_state;
1355 return sd_r1b;
1356
1357 default:
1358 break;
1359 }
1360 break;
1361
1362 case 30: /* CMD30: SEND_WRITE_PROT */
1363 switch (sd->state) {
1364 case sd_transfer_state:
1365 sd->state = sd_sendingdata_state;
1366 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1367 sd->data_start = addr;
1368 sd->data_offset = 0;
1369 return sd_r1b;
1370
1371 default:
1372 break;
1373 }
1374 break;
1375
1376 /* Erase commands (Class 5) */
1377 case 32: /* CMD32: ERASE_WR_BLK_START */
1378 switch (sd->state) {
1379 case sd_transfer_state:
1380 sd->erase_start = req.arg;
1381 return sd_r1;
1382
1383 default:
1384 break;
1385 }
1386 break;
1387
1388 case 33: /* CMD33: ERASE_WR_BLK_END */
1389 switch (sd->state) {
1390 case sd_transfer_state:
1391 sd->erase_end = req.arg;
1392 return sd_r1;
1393
1394 default:
1395 break;
1396 }
1397 break;
1398
1399 case 38: /* CMD38: ERASE */
1400 switch (sd->state) {
1401 case sd_transfer_state:
1402 if (sd->csd[14] & 0x30) {
1403 sd->card_status |= WP_VIOLATION;
1404 return sd_r1b;
1405 }
1406
1407 sd->state = sd_programming_state;
1408 sd_erase(sd);
1409 /* Bzzzzzzztt .... Operation complete. */
1410 sd->state = sd_transfer_state;
1411 return sd_r1b;
1412
1413 default:
1414 break;
1415 }
1416 break;
1417
1418 /* Lock card commands (Class 7) */
1419 case 42: /* CMD42: LOCK_UNLOCK */
1420 switch (sd->state) {
1421 case sd_transfer_state:
1422 sd->state = sd_receivingdata_state;
1423 sd->data_start = 0;
1424 sd->data_offset = 0;
1425 return sd_r1;
1426
1427 default:
1428 break;
1429 }
1430 break;
1431
1432 case 52 ... 54:
1433 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1434 * (see the SDIO Simplified Specification V2.0)
1435 * Handle as illegal command but do not complain
1436 * on stderr, as some OSes may use these in their
1437 * probing for presence of an SDIO card.
1438 */
1439 return sd_illegal;
1440
1441 /* Application specific commands (Class 8) */
1442 case 55: /* CMD55: APP_CMD */
1443 switch (sd->state) {
1444 case sd_ready_state:
1445 case sd_identification_state:
1446 case sd_inactive_state:
1447 return sd_illegal;
1448 case sd_idle_state:
1449 if (rca) {
1450 qemu_log_mask(LOG_GUEST_ERROR,
1451 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1452 }
1453 default:
1454 break;
1455 }
1456 if (!sd->spi) {
1457 if (sd->rca != rca) {
1458 return sd_r0;
1459 }
1460 }
1461 sd->expecting_acmd = true;
1462 sd->card_status |= APP_CMD;
1463 return sd_r1;
1464
1465 case 56: /* CMD56: GEN_CMD */
1466 switch (sd->state) {
1467 case sd_transfer_state:
1468 sd->data_offset = 0;
1469 if (req.arg & 1)
1470 sd->state = sd_sendingdata_state;
1471 else
1472 sd->state = sd_receivingdata_state;
1473 return sd_r1;
1474
1475 default:
1476 break;
1477 }
1478 break;
1479
1480 case 58: /* CMD58: READ_OCR (SPI) */
1481 if (!sd->spi) {
1482 goto bad_cmd;
1483 }
1484 return sd_r3;
1485
1486 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1487 if (!sd->spi) {
1488 goto bad_cmd;
1489 }
1490 goto unimplemented_spi_cmd;
1491
1492 default:
1493 bad_cmd:
1494 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1495 return sd_illegal;
1496
1497 unimplemented_spi_cmd:
1498 /* Commands that are recognised but not yet implemented in SPI mode. */
1499 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1500 req.cmd);
1501 return sd_illegal;
1502 }
1503
1504 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1505 return sd_illegal;
1506 }
1507
1508 static sd_rsp_type_t sd_app_command(SDState *sd,
1509 SDRequest req)
1510 {
1511 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1512 req.cmd, req.arg, sd_state_name(sd->state));
1513 sd->card_status |= APP_CMD;
1514 switch (req.cmd) {
1515 case 6: /* ACMD6: SET_BUS_WIDTH */
1516 if (sd->spi) {
1517 goto unimplemented_spi_cmd;
1518 }
1519 switch (sd->state) {
1520 case sd_transfer_state:
1521 sd->sd_status[0] &= 0x3f;
1522 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1523 return sd_r1;
1524
1525 default:
1526 break;
1527 }
1528 break;
1529
1530 case 13: /* ACMD13: SD_STATUS */
1531 switch (sd->state) {
1532 case sd_transfer_state:
1533 sd->state = sd_sendingdata_state;
1534 sd->data_start = 0;
1535 sd->data_offset = 0;
1536 return sd_r1;
1537
1538 default:
1539 break;
1540 }
1541 break;
1542
1543 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1544 switch (sd->state) {
1545 case sd_transfer_state:
1546 *(uint32_t *) sd->data = sd->blk_written;
1547
1548 sd->state = sd_sendingdata_state;
1549 sd->data_start = 0;
1550 sd->data_offset = 0;
1551 return sd_r1;
1552
1553 default:
1554 break;
1555 }
1556 break;
1557
1558 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1559 switch (sd->state) {
1560 case sd_transfer_state:
1561 return sd_r1;
1562
1563 default:
1564 break;
1565 }
1566 break;
1567
1568 case 41: /* ACMD41: SD_APP_OP_COND */
1569 if (sd->spi) {
1570 /* SEND_OP_CMD */
1571 sd->state = sd_transfer_state;
1572 return sd_r1;
1573 }
1574 if (sd->state != sd_idle_state) {
1575 break;
1576 }
1577 /* If it's the first ACMD41 since reset, we need to decide
1578 * whether to power up. If this is not an enquiry ACMD41,
1579 * we immediately report power on and proceed below to the
1580 * ready state, but if it is, we set a timer to model a
1581 * delay for power up. This works around a bug in EDK2
1582 * UEFI, which sends an initial enquiry ACMD41, but
1583 * assumes that the card is in ready state as soon as it
1584 * sees the power up bit set. */
1585 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1586 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1587 timer_del(sd->ocr_power_timer);
1588 sd_ocr_powerup(sd);
1589 } else {
1590 trace_sdcard_inquiry_cmd41();
1591 if (!timer_pending(sd->ocr_power_timer)) {
1592 timer_mod_ns(sd->ocr_power_timer,
1593 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1594 + OCR_POWER_DELAY_NS));
1595 }
1596 }
1597 }
1598
1599 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1600 /* We accept any voltage. 10000 V is nothing.
1601 *
1602 * Once we're powered up, we advance straight to ready state
1603 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1604 */
1605 sd->state = sd_ready_state;
1606 }
1607
1608 return sd_r3;
1609
1610 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1611 switch (sd->state) {
1612 case sd_transfer_state:
1613 /* Bringing in the 50KOhm pull-up resistor... Done. */
1614 return sd_r1;
1615
1616 default:
1617 break;
1618 }
1619 break;
1620
1621 case 51: /* ACMD51: SEND_SCR */
1622 switch (sd->state) {
1623 case sd_transfer_state:
1624 sd->state = sd_sendingdata_state;
1625 sd->data_start = 0;
1626 sd->data_offset = 0;
1627 return sd_r1;
1628
1629 default:
1630 break;
1631 }
1632 break;
1633
1634 case 18: /* Reserved for SD security applications */
1635 case 25:
1636 case 26:
1637 case 38:
1638 case 43 ... 49:
1639 /* Refer to the "SD Specifications Part3 Security Specification" for
1640 * information about the SD Security Features.
1641 */
1642 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1643 req.cmd);
1644 return sd_illegal;
1645
1646 default:
1647 /* Fall back to standard commands. */
1648 return sd_normal_command(sd, req);
1649
1650 unimplemented_spi_cmd:
1651 /* Commands that are recognised but not yet implemented in SPI mode. */
1652 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1653 req.cmd);
1654 return sd_illegal;
1655 }
1656
1657 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1658 return sd_illegal;
1659 }
1660
1661 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1662 {
1663 /* Valid commands in locked state:
1664 * basic class (0)
1665 * lock card class (7)
1666 * CMD16
1667 * implicitly, the ACMD prefix CMD55
1668 * ACMD41 and ACMD42
1669 * Anything else provokes an "illegal command" response.
1670 */
1671 if (sd->expecting_acmd) {
1672 return req->cmd == 41 || req->cmd == 42;
1673 }
1674 if (req->cmd == 16 || req->cmd == 55) {
1675 return 1;
1676 }
1677 return sd_cmd_class[req->cmd] == 0
1678 || sd_cmd_class[req->cmd] == 7;
1679 }
1680
1681 int sd_do_command(SDState *sd, SDRequest *req,
1682 uint8_t *response) {
1683 int last_state;
1684 sd_rsp_type_t rtype;
1685 int rsplen;
1686
1687 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1688 return 0;
1689 }
1690
1691 if (sd_req_crc_validate(req)) {
1692 sd->card_status |= COM_CRC_ERROR;
1693 rtype = sd_illegal;
1694 goto send_response;
1695 }
1696
1697 if (req->cmd >= SDMMC_CMD_MAX) {
1698 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1699 req->cmd);
1700 req->cmd &= 0x3f;
1701 }
1702
1703 if (sd->card_status & CARD_IS_LOCKED) {
1704 if (!cmd_valid_while_locked(sd, req)) {
1705 sd->card_status |= ILLEGAL_COMMAND;
1706 sd->expecting_acmd = false;
1707 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1708 rtype = sd_illegal;
1709 goto send_response;
1710 }
1711 }
1712
1713 last_state = sd->state;
1714 sd_set_mode(sd);
1715
1716 if (sd->expecting_acmd) {
1717 sd->expecting_acmd = false;
1718 rtype = sd_app_command(sd, *req);
1719 } else {
1720 rtype = sd_normal_command(sd, *req);
1721 }
1722
1723 if (rtype == sd_illegal) {
1724 sd->card_status |= ILLEGAL_COMMAND;
1725 } else {
1726 /* Valid command, we can update the 'state before command' bits.
1727 * (Do this now so they appear in r1 responses.)
1728 */
1729 sd->current_cmd = req->cmd;
1730 sd->card_status &= ~CURRENT_STATE;
1731 sd->card_status |= (last_state << 9);
1732 }
1733
1734 send_response:
1735 switch (rtype) {
1736 case sd_r1:
1737 case sd_r1b:
1738 sd_response_r1_make(sd, response);
1739 rsplen = 4;
1740 break;
1741
1742 case sd_r2_i:
1743 memcpy(response, sd->cid, sizeof(sd->cid));
1744 rsplen = 16;
1745 break;
1746
1747 case sd_r2_s:
1748 memcpy(response, sd->csd, sizeof(sd->csd));
1749 rsplen = 16;
1750 break;
1751
1752 case sd_r3:
1753 sd_response_r3_make(sd, response);
1754 rsplen = 4;
1755 break;
1756
1757 case sd_r6:
1758 sd_response_r6_make(sd, response);
1759 rsplen = 4;
1760 break;
1761
1762 case sd_r7:
1763 sd_response_r7_make(sd, response);
1764 rsplen = 4;
1765 break;
1766
1767 case sd_r0:
1768 case sd_illegal:
1769 rsplen = 0;
1770 break;
1771 default:
1772 g_assert_not_reached();
1773 }
1774 trace_sdcard_response(sd_response_name(rtype), rsplen);
1775
1776 if (rtype != sd_illegal) {
1777 /* Clear the "clear on valid command" status bits now we've
1778 * sent any response
1779 */
1780 sd->card_status &= ~CARD_STATUS_B;
1781 }
1782
1783 #ifdef DEBUG_SD
1784 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
1785 #endif
1786
1787 return rsplen;
1788 }
1789
1790 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1791 {
1792 trace_sdcard_read_block(addr, len);
1793 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1794 fprintf(stderr, "sd_blk_read: read error on host side\n");
1795 }
1796 }
1797
1798 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1799 {
1800 trace_sdcard_write_block(addr, len);
1801 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1802 fprintf(stderr, "sd_blk_write: write error on host side\n");
1803 }
1804 }
1805
1806 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1807 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1808 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1809 #define APP_WRITE_BLOCK(a, len)
1810
1811 void sd_write_data(SDState *sd, uint8_t value)
1812 {
1813 int i;
1814
1815 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1816 return;
1817
1818 if (sd->state != sd_receivingdata_state) {
1819 qemu_log_mask(LOG_GUEST_ERROR,
1820 "sd_write_data: not in Receiving-Data state\n");
1821 return;
1822 }
1823
1824 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1825 return;
1826
1827 trace_sdcard_write_data(sd->proto_name,
1828 sd_acmd_name(sd->current_cmd),
1829 sd->current_cmd, value);
1830 switch (sd->current_cmd) {
1831 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1832 sd->data[sd->data_offset ++] = value;
1833 if (sd->data_offset >= sd->blk_len) {
1834 /* TODO: Check CRC before committing */
1835 sd->state = sd_programming_state;
1836 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1837 sd->blk_written ++;
1838 sd->csd[14] |= 0x40;
1839 /* Bzzzzzzztt .... Operation complete. */
1840 sd->state = sd_transfer_state;
1841 }
1842 break;
1843
1844 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1845 if (sd->data_offset == 0) {
1846 /* Start of the block - let's check the address is valid */
1847 if (sd->data_start + sd->blk_len > sd->size) {
1848 sd->card_status |= ADDRESS_ERROR;
1849 break;
1850 }
1851 if (sd_wp_addr(sd, sd->data_start)) {
1852 sd->card_status |= WP_VIOLATION;
1853 break;
1854 }
1855 }
1856 sd->data[sd->data_offset++] = value;
1857 if (sd->data_offset >= sd->blk_len) {
1858 /* TODO: Check CRC before committing */
1859 sd->state = sd_programming_state;
1860 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1861 sd->blk_written++;
1862 sd->data_start += sd->blk_len;
1863 sd->data_offset = 0;
1864 sd->csd[14] |= 0x40;
1865
1866 /* Bzzzzzzztt .... Operation complete. */
1867 if (sd->multi_blk_cnt != 0) {
1868 if (--sd->multi_blk_cnt == 0) {
1869 /* Stop! */
1870 sd->state = sd_transfer_state;
1871 break;
1872 }
1873 }
1874
1875 sd->state = sd_receivingdata_state;
1876 }
1877 break;
1878
1879 case 26: /* CMD26: PROGRAM_CID */
1880 sd->data[sd->data_offset ++] = value;
1881 if (sd->data_offset >= sizeof(sd->cid)) {
1882 /* TODO: Check CRC before committing */
1883 sd->state = sd_programming_state;
1884 for (i = 0; i < sizeof(sd->cid); i ++)
1885 if ((sd->cid[i] | 0x00) != sd->data[i])
1886 sd->card_status |= CID_CSD_OVERWRITE;
1887
1888 if (!(sd->card_status & CID_CSD_OVERWRITE))
1889 for (i = 0; i < sizeof(sd->cid); i ++) {
1890 sd->cid[i] |= 0x00;
1891 sd->cid[i] &= sd->data[i];
1892 }
1893 /* Bzzzzzzztt .... Operation complete. */
1894 sd->state = sd_transfer_state;
1895 }
1896 break;
1897
1898 case 27: /* CMD27: PROGRAM_CSD */
1899 sd->data[sd->data_offset ++] = value;
1900 if (sd->data_offset >= sizeof(sd->csd)) {
1901 /* TODO: Check CRC before committing */
1902 sd->state = sd_programming_state;
1903 for (i = 0; i < sizeof(sd->csd); i ++)
1904 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1905 (sd->data[i] | sd_csd_rw_mask[i]))
1906 sd->card_status |= CID_CSD_OVERWRITE;
1907
1908 /* Copy flag (OTP) & Permanent write protect */
1909 if (sd->csd[14] & ~sd->data[14] & 0x60)
1910 sd->card_status |= CID_CSD_OVERWRITE;
1911
1912 if (!(sd->card_status & CID_CSD_OVERWRITE))
1913 for (i = 0; i < sizeof(sd->csd); i ++) {
1914 sd->csd[i] |= sd_csd_rw_mask[i];
1915 sd->csd[i] &= sd->data[i];
1916 }
1917 /* Bzzzzzzztt .... Operation complete. */
1918 sd->state = sd_transfer_state;
1919 }
1920 break;
1921
1922 case 42: /* CMD42: LOCK_UNLOCK */
1923 sd->data[sd->data_offset ++] = value;
1924 if (sd->data_offset >= sd->blk_len) {
1925 /* TODO: Check CRC before committing */
1926 sd->state = sd_programming_state;
1927 sd_lock_command(sd);
1928 /* Bzzzzzzztt .... Operation complete. */
1929 sd->state = sd_transfer_state;
1930 }
1931 break;
1932
1933 case 56: /* CMD56: GEN_CMD */
1934 sd->data[sd->data_offset ++] = value;
1935 if (sd->data_offset >= sd->blk_len) {
1936 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1937 sd->state = sd_transfer_state;
1938 }
1939 break;
1940
1941 default:
1942 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1943 break;
1944 }
1945 }
1946
1947 #define SD_TUNING_BLOCK_SIZE 64
1948
1949 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1950 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1951 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1952 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1953 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1954 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1955 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1956 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1957 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1958 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1959 };
1960
1961 uint8_t sd_read_data(SDState *sd)
1962 {
1963 /* TODO: Append CRCs */
1964 uint8_t ret;
1965 int io_len;
1966
1967 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1968 return 0x00;
1969
1970 if (sd->state != sd_sendingdata_state) {
1971 qemu_log_mask(LOG_GUEST_ERROR,
1972 "sd_read_data: not in Sending-Data state\n");
1973 return 0x00;
1974 }
1975
1976 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1977 return 0x00;
1978
1979 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1980
1981 trace_sdcard_read_data(sd->proto_name,
1982 sd_acmd_name(sd->current_cmd),
1983 sd->current_cmd, io_len);
1984 switch (sd->current_cmd) {
1985 case 6: /* CMD6: SWITCH_FUNCTION */
1986 ret = sd->data[sd->data_offset ++];
1987
1988 if (sd->data_offset >= 64)
1989 sd->state = sd_transfer_state;
1990 break;
1991
1992 case 9: /* CMD9: SEND_CSD */
1993 case 10: /* CMD10: SEND_CID */
1994 ret = sd->data[sd->data_offset ++];
1995
1996 if (sd->data_offset >= 16)
1997 sd->state = sd_transfer_state;
1998 break;
1999
2000 case 13: /* ACMD13: SD_STATUS */
2001 ret = sd->sd_status[sd->data_offset ++];
2002
2003 if (sd->data_offset >= sizeof(sd->sd_status))
2004 sd->state = sd_transfer_state;
2005 break;
2006
2007 case 17: /* CMD17: READ_SINGLE_BLOCK */
2008 if (sd->data_offset == 0)
2009 BLK_READ_BLOCK(sd->data_start, io_len);
2010 ret = sd->data[sd->data_offset ++];
2011
2012 if (sd->data_offset >= io_len)
2013 sd->state = sd_transfer_state;
2014 break;
2015
2016 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2017 if (sd->data_offset == 0) {
2018 if (sd->data_start + io_len > sd->size) {
2019 sd->card_status |= ADDRESS_ERROR;
2020 return 0x00;
2021 }
2022 BLK_READ_BLOCK(sd->data_start, io_len);
2023 }
2024 ret = sd->data[sd->data_offset ++];
2025
2026 if (sd->data_offset >= io_len) {
2027 sd->data_start += io_len;
2028 sd->data_offset = 0;
2029
2030 if (sd->multi_blk_cnt != 0) {
2031 if (--sd->multi_blk_cnt == 0) {
2032 /* Stop! */
2033 sd->state = sd_transfer_state;
2034 break;
2035 }
2036 }
2037 }
2038 break;
2039
2040 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2041 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2042 sd->state = sd_transfer_state;
2043 }
2044 ret = sd_tuning_block_pattern[sd->data_offset++];
2045 break;
2046
2047 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2048 ret = sd->data[sd->data_offset ++];
2049
2050 if (sd->data_offset >= 4)
2051 sd->state = sd_transfer_state;
2052 break;
2053
2054 case 30: /* CMD30: SEND_WRITE_PROT */
2055 ret = sd->data[sd->data_offset ++];
2056
2057 if (sd->data_offset >= 4)
2058 sd->state = sd_transfer_state;
2059 break;
2060
2061 case 51: /* ACMD51: SEND_SCR */
2062 ret = sd->scr[sd->data_offset ++];
2063
2064 if (sd->data_offset >= sizeof(sd->scr))
2065 sd->state = sd_transfer_state;
2066 break;
2067
2068 case 56: /* CMD56: GEN_CMD */
2069 if (sd->data_offset == 0)
2070 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2071 ret = sd->data[sd->data_offset ++];
2072
2073 if (sd->data_offset >= sd->blk_len)
2074 sd->state = sd_transfer_state;
2075 break;
2076
2077 default:
2078 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
2079 return 0x00;
2080 }
2081
2082 return ret;
2083 }
2084
2085 bool sd_data_ready(SDState *sd)
2086 {
2087 return sd->state == sd_sendingdata_state;
2088 }
2089
2090 void sd_enable(SDState *sd, bool enable)
2091 {
2092 sd->enable = enable;
2093 }
2094
2095 static void sd_instance_init(Object *obj)
2096 {
2097 SDState *sd = SD_CARD(obj);
2098
2099 sd->enable = true;
2100 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2101 }
2102
2103 static void sd_instance_finalize(Object *obj)
2104 {
2105 SDState *sd = SD_CARD(obj);
2106
2107 timer_del(sd->ocr_power_timer);
2108 timer_free(sd->ocr_power_timer);
2109 }
2110
2111 static void sd_realize(DeviceState *dev, Error **errp)
2112 {
2113 SDState *sd = SD_CARD(dev);
2114 int ret;
2115
2116 sd->proto_name = sd->spi ? "SPI" : "SD";
2117
2118 switch (sd->spec_version) {
2119 case SD_PHY_SPECv1_10_VERS
2120 ... SD_PHY_SPECv3_01_VERS:
2121 break;
2122 default:
2123 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2124 return;
2125 }
2126
2127 if (sd->blk) {
2128 int64_t blk_size;
2129
2130 if (blk_is_read_only(sd->blk)) {
2131 error_setg(errp, "Cannot use read-only drive as SD card");
2132 return;
2133 }
2134
2135 blk_size = blk_getlength(sd->blk);
2136 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2137 int64_t blk_size_aligned = pow2ceil(blk_size);
2138 char *blk_size_str;
2139
2140 blk_size_str = size_to_str(blk_size);
2141 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2142 g_free(blk_size_str);
2143
2144 blk_size_str = size_to_str(blk_size_aligned);
2145 error_append_hint(errp,
2146 "SD card size has to be a power of 2, e.g. %s.\n"
2147 "You can resize disk images with"
2148 " 'qemu-img resize <imagefile> <new-size>'\n"
2149 "(note that this will lose data if you make the"
2150 " image smaller than it currently is).\n",
2151 blk_size_str);
2152 g_free(blk_size_str);
2153
2154 return;
2155 }
2156
2157 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2158 BLK_PERM_ALL, errp);
2159 if (ret < 0) {
2160 return;
2161 }
2162 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2163 }
2164 }
2165
2166 static Property sd_properties[] = {
2167 DEFINE_PROP_UINT8("spec_version", SDState,
2168 spec_version, SD_PHY_SPECv2_00_VERS),
2169 DEFINE_PROP_DRIVE("drive", SDState, blk),
2170 /* We do not model the chip select pin, so allow the board to select
2171 * whether card should be in SSI or MMC/SD mode. It is also up to the
2172 * board to ensure that ssi transfers only occur when the chip select
2173 * is asserted. */
2174 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2175 DEFINE_PROP_END_OF_LIST()
2176 };
2177
2178 static void sd_class_init(ObjectClass *klass, void *data)
2179 {
2180 DeviceClass *dc = DEVICE_CLASS(klass);
2181 SDCardClass *sc = SD_CARD_CLASS(klass);
2182
2183 dc->realize = sd_realize;
2184 device_class_set_props(dc, sd_properties);
2185 dc->vmsd = &sd_vmstate;
2186 dc->reset = sd_reset;
2187 dc->bus_type = TYPE_SD_BUS;
2188 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2189
2190 sc->set_voltage = sd_set_voltage;
2191 sc->get_dat_lines = sd_get_dat_lines;
2192 sc->get_cmd_line = sd_get_cmd_line;
2193 sc->do_command = sd_do_command;
2194 sc->write_data = sd_write_data;
2195 sc->read_data = sd_read_data;
2196 sc->data_ready = sd_data_ready;
2197 sc->enable = sd_enable;
2198 sc->get_inserted = sd_get_inserted;
2199 sc->get_readonly = sd_get_readonly;
2200 }
2201
2202 static const TypeInfo sd_info = {
2203 .name = TYPE_SD_CARD,
2204 .parent = TYPE_DEVICE,
2205 .instance_size = sizeof(SDState),
2206 .class_size = sizeof(SDCardClass),
2207 .class_init = sd_class_init,
2208 .instance_init = sd_instance_init,
2209 .instance_finalize = sd_instance_finalize,
2210 };
2211
2212 static void sd_register_types(void)
2213 {
2214 type_register_static(&sd_info);
2215 }
2216
2217 type_init(sd_register_types)
QEMU mirror