1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33#include "qemu/osdep.h"
34#include "qemu/units.h"
35#include "hw/qdev.h"
36#include "hw/hw.h"
37#include "hw/registerfields.h"
38#include "sysemu/block-backend.h"
39#include "hw/sd/sd.h"
40#include "qapi/error.h"
41#include "qemu/bitmap.h"
42#include "hw/qdev-properties.h"
43#include "qemu/error-report.h"
44#include "qemu/timer.h"
45#include "qemu/log.h"
46#include "sdmmc-internal.h"
47#include "trace.h"
48
49
50
51typedef enum {
52 sd_r0 = 0,
53 sd_r1,
54 sd_r2_i,
55 sd_r2_s,
56 sd_r3,
57 sd_r6 = 6,
58 sd_r7,
59 sd_r1b = -1,
60 sd_illegal = -2,
61} sd_rsp_type_t;
62
63enum SDCardModes {
64 sd_inactive,
65 sd_card_identification_mode,
66 sd_data_transfer_mode,
67};
68
69enum SDCardStates {
70 sd_inactive_state = -1,
71 sd_idle_state = 0,
72 sd_ready_state,
73 sd_identification_state,
74 sd_standby_state,
75 sd_transfer_state,
76 sd_sendingdata_state,
77 sd_receivingdata_state,
78 sd_programming_state,
79 sd_disconnect_state,
80};
81
82struct SDState {
83 DeviceState parent_obj;
84
85
86 uint32_t ocr;
87 uint8_t scr[8];
88 uint8_t cid[16];
89 uint8_t csd[16];
90 uint16_t rca;
91 uint32_t card_status;
92 uint8_t sd_status[64];
93
94
95 uint8_t spec_version;
96 BlockBackend *blk;
97 bool spi;
98
99 uint32_t mode;
100 int32_t state;
101 uint32_t vhs;
102 bool wp_switch;
103 unsigned long *wp_groups;
104 int32_t wpgrps_size;
105 uint64_t size;
106 uint32_t blk_len;
107 uint32_t multi_blk_cnt;
108 uint32_t erase_start;
109 uint32_t erase_end;
110 uint8_t pwd[16];
111 uint32_t pwd_len;
112 uint8_t function_group[6];
113 uint8_t current_cmd;
114
115
116
117 bool expecting_acmd;
118 uint32_t blk_written;
119 uint64_t data_start;
120 uint32_t data_offset;
121 uint8_t data[512];
122 qemu_irq readonly_cb;
123 qemu_irq inserted_cb;
124 QEMUTimer *ocr_power_timer;
125 const char *proto_name;
126 bool enable;
127 uint8_t dat_lines;
128 bool cmd_line;
129};
130
131static const char *sd_state_name(enum SDCardStates state)
132{
133 static const char *state_name[] = {
134 [sd_idle_state] = "idle",
135 [sd_ready_state] = "ready",
136 [sd_identification_state] = "identification",
137 [sd_standby_state] = "standby",
138 [sd_transfer_state] = "transfer",
139 [sd_sendingdata_state] = "sendingdata",
140 [sd_receivingdata_state] = "receivingdata",
141 [sd_programming_state] = "programming",
142 [sd_disconnect_state] = "disconnect",
143 };
144 if (state == sd_inactive_state) {
145 return "inactive";
146 }
147 assert(state <= ARRAY_SIZE(state_name));
148 return state_name[state];
149}
150
151static const char *sd_response_name(sd_rsp_type_t rsp)
152{
153 static const char *response_name[] = {
154 [sd_r0] = "RESP#0 (no response)",
155 [sd_r1] = "RESP#1 (normal cmd)",
156 [sd_r2_i] = "RESP#2 (CID reg)",
157 [sd_r2_s] = "RESP#2 (CSD reg)",
158 [sd_r3] = "RESP#3 (OCR reg)",
159 [sd_r6] = "RESP#6 (RCA)",
160 [sd_r7] = "RESP#7 (operating voltage)",
161 };
162 if (rsp == sd_illegal) {
163 return "ILLEGAL RESP";
164 }
165 if (rsp == sd_r1b) {
166 rsp = sd_r1;
167 }
168 assert(rsp <= ARRAY_SIZE(response_name));
169 return response_name[rsp];
170}
171
172static uint8_t sd_get_dat_lines(SDState *sd)
173{
174 return sd->enable ? sd->dat_lines : 0;
175}
176
177static bool sd_get_cmd_line(SDState *sd)
178{
179 return sd->enable ? sd->cmd_line : false;
180}
181
182static void sd_set_voltage(SDState *sd, uint16_t millivolts)
183{
184 trace_sdcard_set_voltage(millivolts);
185
186 switch (millivolts) {
187 case 3001 ... 3600:
188 case 2001 ... 3000:
189 break;
190 default:
191 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
192 millivolts / 1000.f);
193 }
194}
195
196static void sd_set_mode(SDState *sd)
197{
198 switch (sd->state) {
199 case sd_inactive_state:
200 sd->mode = sd_inactive;
201 break;
202
203 case sd_idle_state:
204 case sd_ready_state:
205 case sd_identification_state:
206 sd->mode = sd_card_identification_mode;
207 break;
208
209 case sd_standby_state:
210 case sd_transfer_state:
211 case sd_sendingdata_state:
212 case sd_receivingdata_state:
213 case sd_programming_state:
214 case sd_disconnect_state:
215 sd->mode = sd_data_transfer_mode;
216 break;
217 }
218}
219
220static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
221 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
222 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
223
224 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
225 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
226
227 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
228 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
229
230 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
231 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
232};
233
234static const int sd_cmd_class[SDMMC_CMD_MAX] = {
235 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
236 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
237 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
238 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
239};
240
241static uint8_t sd_crc7(void *message, size_t width)
242{
243 int i, bit;
244 uint8_t shift_reg = 0x00;
245 uint8_t *msg = (uint8_t *) message;
246
247 for (i = 0; i < width; i ++, msg ++)
248 for (bit = 7; bit >= 0; bit --) {
249 shift_reg <<= 1;
250 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
251 shift_reg ^= 0x89;
252 }
253
254 return shift_reg;
255}
256
257static uint16_t sd_crc16(void *message, size_t width)
258{
259 int i, bit;
260 uint16_t shift_reg = 0x0000;
261 uint16_t *msg = (uint16_t *) message;
262 width <<= 1;
263
264 for (i = 0; i < width; i ++, msg ++)
265 for (bit = 15; bit >= 0; bit --) {
266 shift_reg <<= 1;
267 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
268 shift_reg ^= 0x1011;
269 }
270
271 return shift_reg;
272}
273
274#define OCR_POWER_DELAY_NS 500000
275
276FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
277FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
278FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
279FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
280FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1)
281FIELD(OCR, UHS_II_CARD, 29, 1)
282FIELD(OCR, CARD_CAPACITY, 30, 1)
283FIELD(OCR, CARD_POWER_UP, 31, 1)
284
285#define ACMD41_ENQUIRY_MASK 0x00ffffff
286#define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
287 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
288 | R_OCR_UHS_II_CARD_MASK \
289 | R_OCR_CARD_CAPACITY_MASK \
290 | R_OCR_CARD_POWER_UP_MASK)
291
292static void sd_set_ocr(SDState *sd)
293{
294
295 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
296}
297
298static void sd_ocr_powerup(void *opaque)
299{
300 SDState *sd = opaque;
301
302 trace_sdcard_powerup();
303 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
304
305
306 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
307
308 if (sd->size > 1 * GiB) {
309 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
310 }
311}
312
313static void sd_set_scr(SDState *sd)
314{
315 sd->scr[0] = 0 << 4;
316 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
317 sd->scr[0] |= 1;
318 } else {
319 sd->scr[0] |= 2;
320 }
321 sd->scr[1] = (2 << 4)
322 | 0b0101;
323 sd->scr[2] = 0x00;
324 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
325 sd->scr[2] |= 1 << 7;
326 }
327 sd->scr[3] = 0x00;
328
329 sd->scr[4] = 0x00;
330 sd->scr[5] = 0x00;
331 sd->scr[6] = 0x00;
332 sd->scr[7] = 0x00;
333}
334
335#define MID 0xaa
336#define OID "XY"
337#define PNM "QEMU!"
338#define PRV 0x01
339#define MDT_YR 2006
340#define MDT_MON 2
341
342static void sd_set_cid(SDState *sd)
343{
344 sd->cid[0] = MID;
345 sd->cid[1] = OID[0];
346 sd->cid[2] = OID[1];
347 sd->cid[3] = PNM[0];
348 sd->cid[4] = PNM[1];
349 sd->cid[5] = PNM[2];
350 sd->cid[6] = PNM[3];
351 sd->cid[7] = PNM[4];
352 sd->cid[8] = PRV;
353 sd->cid[9] = 0xde;
354 sd->cid[10] = 0xad;
355 sd->cid[11] = 0xbe;
356 sd->cid[12] = 0xef;
357 sd->cid[13] = 0x00 |
358 ((MDT_YR - 2000) / 10);
359 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
360 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
361}
362
363#define HWBLOCK_SHIFT 9
364#define SECTOR_SHIFT 5
365#define WPGROUP_SHIFT 7
366#define CMULT_SHIFT 9
367#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
368
369static const uint8_t sd_csd_rw_mask[16] = {
370 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
372};
373
374static void sd_set_csd(SDState *sd, uint64_t size)
375{
376 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
377 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
378 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
379
380 if (size <= 1 * GiB) {
381 sd->csd[0] = 0x00;
382 sd->csd[1] = 0x26;
383 sd->csd[2] = 0x00;
384 sd->csd[3] = 0x32;
385 sd->csd[4] = 0x5f;
386 sd->csd[5] = 0x50 |
387 HWBLOCK_SHIFT;
388 sd->csd[6] = 0xe0 |
389 ((csize >> 10) & 0x03);
390 sd->csd[7] = 0x00 |
391 ((csize >> 2) & 0xff);
392 sd->csd[8] = 0x3f |
393 ((csize << 6) & 0xc0);
394 sd->csd[9] = 0xfc |
395 ((CMULT_SHIFT - 2) >> 1);
396 sd->csd[10] = 0x40 |
397 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
398 sd->csd[11] = 0x00 |
399 ((sectsize << 7) & 0x80) | wpsize;
400 sd->csd[12] = 0x90 |
401 (HWBLOCK_SHIFT >> 2);
402 sd->csd[13] = 0x20 |
403 ((HWBLOCK_SHIFT << 6) & 0xc0);
404 sd->csd[14] = 0x00;
405 } else {
406 size /= 512 * KiB;
407 size -= 1;
408 sd->csd[0] = 0x40;
409 sd->csd[1] = 0x0e;
410 sd->csd[2] = 0x00;
411 sd->csd[3] = 0x32;
412 sd->csd[4] = 0x5b;
413 sd->csd[5] = 0x59;
414 sd->csd[6] = 0x00;
415 sd->csd[7] = (size >> 16) & 0xff;
416 sd->csd[8] = (size >> 8) & 0xff;
417 sd->csd[9] = (size & 0xff);
418 sd->csd[10] = 0x7f;
419 sd->csd[11] = 0x80;
420 sd->csd[12] = 0x0a;
421 sd->csd[13] = 0x40;
422 sd->csd[14] = 0x00;
423 }
424 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
425}
426
427static void sd_set_rca(SDState *sd)
428{
429 sd->rca += 0x4567;
430}
431
432FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
433FIELD(CSR, APP_CMD, 5, 1)
434FIELD(CSR, FX_EVENT, 6, 1)
435FIELD(CSR, READY_FOR_DATA, 8, 1)
436FIELD(CSR, CURRENT_STATE, 9, 4)
437FIELD(CSR, ERASE_RESET, 13, 1)
438FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
439FIELD(CSR, WP_ERASE_SKIP, 15, 1)
440FIELD(CSR, CSD_OVERWRITE, 16, 1)
441FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
442FIELD(CSR, ERROR, 19, 1)
443FIELD(CSR, CC_ERROR, 20, 1)
444FIELD(CSR, CARD_ECC_FAILED, 21, 1)
445FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
446FIELD(CSR, COM_CRC_ERROR, 23, 1)
447FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
448FIELD(CSR, CARD_IS_LOCKED, 25, 1)
449FIELD(CSR, WP_VIOLATION, 26, 1)
450FIELD(CSR, ERASE_PARAM, 27, 1)
451FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
452FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
453FIELD(CSR, ADDRESS_ERROR, 30, 1)
454FIELD(CSR, OUT_OF_RANGE, 31, 1)
455
456
457
458
459
460
461#define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
462 | R_CSR_CARD_ECC_DISABLED_MASK \
463 | R_CSR_CARD_IS_LOCKED_MASK)
464#define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
465 | R_CSR_ILLEGAL_COMMAND_MASK \
466 | R_CSR_COM_CRC_ERROR_MASK)
467#define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
468 | R_CSR_APP_CMD_MASK \
469 | R_CSR_ERASE_RESET_MASK \
470 | R_CSR_WP_ERASE_SKIP_MASK \
471 | R_CSR_CSD_OVERWRITE_MASK \
472 | R_CSR_ERROR_MASK \
473 | R_CSR_CC_ERROR_MASK \
474 | R_CSR_CARD_ECC_FAILED_MASK \
475 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
476 | R_CSR_WP_VIOLATION_MASK \
477 | R_CSR_ERASE_PARAM_MASK \
478 | R_CSR_ERASE_SEQ_ERROR_MASK \
479 | R_CSR_BLOCK_LEN_ERROR_MASK \
480 | R_CSR_ADDRESS_ERROR_MASK \
481 | R_CSR_OUT_OF_RANGE_MASK)
482
483static void sd_set_cardstatus(SDState *sd)
484{
485 sd->card_status = 0x00000100;
486}
487
488static void sd_set_sdstatus(SDState *sd)
489{
490 memset(sd->sd_status, 0, 64);
491}
492
493static int sd_req_crc_validate(SDRequest *req)
494{
495 uint8_t buffer[5];
496 buffer[0] = 0x40 | req->cmd;
497 stl_be_p(&buffer[1], req->arg);
498 return 0;
499 return sd_crc7(buffer, 5) != req->crc;
500}
501
502static void sd_response_r1_make(SDState *sd, uint8_t *response)
503{
504 stl_be_p(response, sd->card_status);
505
506
507 sd->card_status &= ~CARD_STATUS_C;
508}
509
510static void sd_response_r3_make(SDState *sd, uint8_t *response)
511{
512 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
513}
514
515static void sd_response_r6_make(SDState *sd, uint8_t *response)
516{
517 uint16_t status;
518
519 status = ((sd->card_status >> 8) & 0xc000) |
520 ((sd->card_status >> 6) & 0x2000) |
521 (sd->card_status & 0x1fff);
522 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
523 stw_be_p(response + 0, sd->rca);
524 stw_be_p(response + 2, status);
525}
526
527static void sd_response_r7_make(SDState *sd, uint8_t *response)
528{
529 stl_be_p(response, sd->vhs);
530}
531
532static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
533{
534 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
535}
536
537static void sd_reset(DeviceState *dev)
538{
539 SDState *sd = SD_CARD(dev);
540 uint64_t size;
541 uint64_t sect;
542
543 trace_sdcard_reset();
544 if (sd->blk) {
545 blk_get_geometry(sd->blk, §);
546 } else {
547 sect = 0;
548 }
549 size = sect << 9;
550
551 sect = sd_addr_to_wpnum(size) + 1;
552
553 sd->state = sd_idle_state;
554 sd->rca = 0x0000;
555 sd_set_ocr(sd);
556 sd_set_scr(sd);
557 sd_set_cid(sd);
558 sd_set_csd(sd, size);
559 sd_set_cardstatus(sd);
560 sd_set_sdstatus(sd);
561
562 g_free(sd->wp_groups);
563 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
564 sd->wpgrps_size = sect;
565 sd->wp_groups = bitmap_new(sd->wpgrps_size);
566 memset(sd->function_group, 0, sizeof(sd->function_group));
567 sd->erase_start = 0;
568 sd->erase_end = 0;
569 sd->size = size;
570 sd->blk_len = 0x200;
571 sd->pwd_len = 0;
572 sd->expecting_acmd = false;
573 sd->dat_lines = 0xf;
574 sd->cmd_line = true;
575 sd->multi_blk_cnt = 0;
576}
577
578static bool sd_get_inserted(SDState *sd)
579{
580 return sd->blk && blk_is_inserted(sd->blk);
581}
582
583static bool sd_get_readonly(SDState *sd)
584{
585 return sd->wp_switch;
586}
587
588static void sd_cardchange(void *opaque, bool load, Error **errp)
589{
590 SDState *sd = opaque;
591 DeviceState *dev = DEVICE(sd);
592 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev));
593 bool inserted = sd_get_inserted(sd);
594 bool readonly = sd_get_readonly(sd);
595
596 if (inserted) {
597 trace_sdcard_inserted(readonly);
598 sd_reset(dev);
599 } else {
600 trace_sdcard_ejected();
601 }
602
603
604
605
606 if (sdbus) {
607 sdbus_set_inserted(sdbus, inserted);
608 if (inserted) {
609 sdbus_set_readonly(sdbus, readonly);
610 }
611 } else {
612 qemu_set_irq(sd->inserted_cb, inserted);
613 if (inserted) {
614 qemu_set_irq(sd->readonly_cb, readonly);
615 }
616 }
617}
618
619static const BlockDevOps sd_block_ops = {
620 .change_media_cb = sd_cardchange,
621};
622
623static bool sd_ocr_vmstate_needed(void *opaque)
624{
625 SDState *sd = opaque;
626
627
628 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
629}
630
631static const VMStateDescription sd_ocr_vmstate = {
632 .name = "sd-card/ocr-state",
633 .version_id = 1,
634 .minimum_version_id = 1,
635 .needed = sd_ocr_vmstate_needed,
636 .fields = (VMStateField[]) {
637 VMSTATE_UINT32(ocr, SDState),
638 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
639 VMSTATE_END_OF_LIST()
640 },
641};
642
643static int sd_vmstate_pre_load(void *opaque)
644{
645 SDState *sd = opaque;
646
647
648
649
650
651 sd_ocr_powerup(sd);
652
653 return 0;
654}
655
656static const VMStateDescription sd_vmstate = {
657 .name = "sd-card",
658 .version_id = 1,
659 .minimum_version_id = 1,
660 .pre_load = sd_vmstate_pre_load,
661 .fields = (VMStateField[]) {
662 VMSTATE_UINT32(mode, SDState),
663 VMSTATE_INT32(state, SDState),
664 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
665 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
666 VMSTATE_UINT16(rca, SDState),
667 VMSTATE_UINT32(card_status, SDState),
668 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
669 VMSTATE_UINT32(vhs, SDState),
670 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
671 VMSTATE_UINT32(blk_len, SDState),
672 VMSTATE_UINT32(multi_blk_cnt, SDState),
673 VMSTATE_UINT32(erase_start, SDState),
674 VMSTATE_UINT32(erase_end, SDState),
675 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
676 VMSTATE_UINT32(pwd_len, SDState),
677 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
678 VMSTATE_UINT8(current_cmd, SDState),
679 VMSTATE_BOOL(expecting_acmd, SDState),
680 VMSTATE_UINT32(blk_written, SDState),
681 VMSTATE_UINT64(data_start, SDState),
682 VMSTATE_UINT32(data_offset, SDState),
683 VMSTATE_UINT8_ARRAY(data, SDState, 512),
684 VMSTATE_UNUSED_V(1, 512),
685 VMSTATE_BOOL(enable, SDState),
686 VMSTATE_END_OF_LIST()
687 },
688 .subsections = (const VMStateDescription*[]) {
689 &sd_ocr_vmstate,
690 NULL
691 },
692};
693
694
695SDState *sd_init(BlockBackend *blk, bool is_spi)
696{
697 Object *obj;
698 DeviceState *dev;
699 Error *err = NULL;
700
701 obj = object_new(TYPE_SD_CARD);
702 dev = DEVICE(obj);
703 qdev_prop_set_drive(dev, "drive", blk, &err);
704 if (err) {
705 error_report("sd_init failed: %s", error_get_pretty(err));
706 return NULL;
707 }
708 qdev_prop_set_bit(dev, "spi", is_spi);
709 object_property_set_bool(obj, true, "realized", &err);
710 if (err) {
711 error_report("sd_init failed: %s", error_get_pretty(err));
712 return NULL;
713 }
714
715 return SD_CARD(dev);
716}
717
718void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
719{
720 sd->readonly_cb = readonly;
721 sd->inserted_cb = insert;
722 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
723 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
724}
725
726static void sd_erase(SDState *sd)
727{
728 int i;
729 uint64_t erase_start = sd->erase_start;
730 uint64_t erase_end = sd->erase_end;
731
732 trace_sdcard_erase();
733 if (!sd->erase_start || !sd->erase_end) {
734 sd->card_status |= ERASE_SEQ_ERROR;
735 return;
736 }
737
738 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
739
740 erase_start *= 512;
741 erase_end *= 512;
742 }
743
744 erase_start = sd_addr_to_wpnum(erase_start);
745 erase_end = sd_addr_to_wpnum(erase_end);
746 sd->erase_start = 0;
747 sd->erase_end = 0;
748 sd->csd[14] |= 0x40;
749
750 for (i = erase_start; i <= erase_end; i++) {
751 if (test_bit(i, sd->wp_groups)) {
752 sd->card_status |= WP_ERASE_SKIP;
753 }
754 }
755}
756
757static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
758{
759 uint32_t i, wpnum;
760 uint32_t ret = 0;
761
762 wpnum = sd_addr_to_wpnum(addr);
763
764 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
765 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
766 ret |= (1 << i);
767 }
768 }
769
770 return ret;
771}
772
773static void sd_function_switch(SDState *sd, uint32_t arg)
774{
775 int i, mode, new_func;
776 mode = !!(arg & 0x80000000);
777
778 sd->data[0] = 0x00;
779 sd->data[1] = 0x01;
780 sd->data[2] = 0x80;
781 sd->data[3] = 0x01;
782 sd->data[4] = 0x80;
783 sd->data[5] = 0x01;
784 sd->data[6] = 0x80;
785 sd->data[7] = 0x01;
786 sd->data[8] = 0x80;
787 sd->data[9] = 0x01;
788 sd->data[10] = 0x80;
789 sd->data[11] = 0x43;
790 sd->data[12] = 0x80;
791 sd->data[13] = 0x03;
792 for (i = 0; i < 6; i ++) {
793 new_func = (arg >> (i * 4)) & 0x0f;
794 if (mode && new_func != 0x0f)
795 sd->function_group[i] = new_func;
796 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
797 }
798 memset(&sd->data[17], 0, 47);
799 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
800}
801
802static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
803{
804 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
805}
806
807static void sd_lock_command(SDState *sd)
808{
809 int erase, lock, clr_pwd, set_pwd, pwd_len;
810 erase = !!(sd->data[0] & 0x08);
811 lock = sd->data[0] & 0x04;
812 clr_pwd = sd->data[0] & 0x02;
813 set_pwd = sd->data[0] & 0x01;
814
815 if (sd->blk_len > 1)
816 pwd_len = sd->data[1];
817 else
818 pwd_len = 0;
819
820 if (lock) {
821 trace_sdcard_lock();
822 } else {
823 trace_sdcard_unlock();
824 }
825 if (erase) {
826 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
827 set_pwd || clr_pwd || lock || sd->wp_switch ||
828 (sd->csd[14] & 0x20)) {
829 sd->card_status |= LOCK_UNLOCK_FAILED;
830 return;
831 }
832 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
833 sd->csd[14] &= ~0x10;
834 sd->card_status &= ~CARD_IS_LOCKED;
835 sd->pwd_len = 0;
836
837 fprintf(stderr, "SD: Card force-erased by CMD42\n");
838 return;
839 }
840
841 if (sd->blk_len < 2 + pwd_len ||
842 pwd_len <= sd->pwd_len ||
843 pwd_len > sd->pwd_len + 16) {
844 sd->card_status |= LOCK_UNLOCK_FAILED;
845 return;
846 }
847
848 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
849 sd->card_status |= LOCK_UNLOCK_FAILED;
850 return;
851 }
852
853 pwd_len -= sd->pwd_len;
854 if ((pwd_len && !set_pwd) ||
855 (clr_pwd && (set_pwd || lock)) ||
856 (lock && !sd->pwd_len && !set_pwd) ||
857 (!set_pwd && !clr_pwd &&
858 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
859 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
860 sd->card_status |= LOCK_UNLOCK_FAILED;
861 return;
862 }
863
864 if (set_pwd) {
865 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
866 sd->pwd_len = pwd_len;
867 }
868
869 if (clr_pwd) {
870 sd->pwd_len = 0;
871 }
872
873 if (lock)
874 sd->card_status |= CARD_IS_LOCKED;
875 else
876 sd->card_status &= ~CARD_IS_LOCKED;
877}
878
879static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
880{
881 uint32_t rca = 0x0000;
882 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
883
884
885
886
887 if (req.cmd != 55 || sd->expecting_acmd) {
888 trace_sdcard_normal_command(sd->proto_name,
889 sd_cmd_name(req.cmd), req.cmd,
890 req.arg, sd_state_name(sd->state));
891 }
892
893
894 sd->card_status &= ~APP_CMD;
895
896 if (sd_cmd_type[req.cmd] == sd_ac
897 || sd_cmd_type[req.cmd] == sd_adtc) {
898 rca = req.arg >> 16;
899 }
900
901
902
903 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
904 sd->multi_blk_cnt = 0;
905 }
906
907 switch (req.cmd) {
908
909 case 0:
910 switch (sd->state) {
911 case sd_inactive_state:
912 return sd->spi ? sd_r1 : sd_r0;
913
914 default:
915 sd->state = sd_idle_state;
916 sd_reset(DEVICE(sd));
917 return sd->spi ? sd_r1 : sd_r0;
918 }
919 break;
920
921 case 1:
922 if (!sd->spi)
923 goto bad_cmd;
924
925 sd->state = sd_transfer_state;
926 return sd_r1;
927
928 case 2:
929 if (sd->spi)
930 goto bad_cmd;
931 switch (sd->state) {
932 case sd_ready_state:
933 sd->state = sd_identification_state;
934 return sd_r2_i;
935
936 default:
937 break;
938 }
939 break;
940
941 case 3:
942 if (sd->spi)
943 goto bad_cmd;
944 switch (sd->state) {
945 case sd_identification_state:
946 case sd_standby_state:
947 sd->state = sd_standby_state;
948 sd_set_rca(sd);
949 return sd_r6;
950
951 default:
952 break;
953 }
954 break;
955
956 case 4:
957 if (sd->spi)
958 goto bad_cmd;
959 switch (sd->state) {
960 case sd_standby_state:
961 break;
962
963 default:
964 break;
965 }
966 break;
967
968 case 5:
969 return sd_illegal;
970
971 case 6:
972 switch (sd->mode) {
973 case sd_data_transfer_mode:
974 sd_function_switch(sd, req.arg);
975 sd->state = sd_sendingdata_state;
976 sd->data_start = 0;
977 sd->data_offset = 0;
978 return sd_r1;
979
980 default:
981 break;
982 }
983 break;
984
985 case 7:
986 if (sd->spi)
987 goto bad_cmd;
988 switch (sd->state) {
989 case sd_standby_state:
990 if (sd->rca != rca)
991 return sd_r0;
992
993 sd->state = sd_transfer_state;
994 return sd_r1b;
995
996 case sd_transfer_state:
997 case sd_sendingdata_state:
998 if (sd->rca == rca)
999 break;
1000
1001 sd->state = sd_standby_state;
1002 return sd_r1b;
1003
1004 case sd_disconnect_state:
1005 if (sd->rca != rca)
1006 return sd_r0;
1007
1008 sd->state = sd_programming_state;
1009 return sd_r1b;
1010
1011 case sd_programming_state:
1012 if (sd->rca == rca)
1013 break;
1014
1015 sd->state = sd_disconnect_state;
1016 return sd_r1b;
1017
1018 default:
1019 break;
1020 }
1021 break;
1022
1023 case 8:
1024 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1025 break;
1026 }
1027 if (sd->state != sd_idle_state) {
1028 break;
1029 }
1030 sd->vhs = 0;
1031
1032
1033 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1034 return sd->spi ? sd_r7 : sd_r0;
1035 }
1036
1037
1038 sd->vhs = req.arg;
1039 return sd_r7;
1040
1041 case 9:
1042 switch (sd->state) {
1043 case sd_standby_state:
1044 if (sd->rca != rca)
1045 return sd_r0;
1046
1047 return sd_r2_s;
1048
1049 case sd_transfer_state:
1050 if (!sd->spi)
1051 break;
1052 sd->state = sd_sendingdata_state;
1053 memcpy(sd->data, sd->csd, 16);
1054 sd->data_start = addr;
1055 sd->data_offset = 0;
1056 return sd_r1;
1057
1058 default:
1059 break;
1060 }
1061 break;
1062
1063 case 10:
1064 switch (sd->state) {
1065 case sd_standby_state:
1066 if (sd->rca != rca)
1067 return sd_r0;
1068
1069 return sd_r2_i;
1070
1071 case sd_transfer_state:
1072 if (!sd->spi)
1073 break;
1074 sd->state = sd_sendingdata_state;
1075 memcpy(sd->data, sd->cid, 16);
1076 sd->data_start = addr;
1077 sd->data_offset = 0;
1078 return sd_r1;
1079
1080 default:
1081 break;
1082 }
1083 break;
1084
1085 case 12:
1086 switch (sd->state) {
1087 case sd_sendingdata_state:
1088 sd->state = sd_transfer_state;
1089 return sd_r1b;
1090
1091 case sd_receivingdata_state:
1092 sd->state = sd_programming_state;
1093
1094 sd->state = sd_transfer_state;
1095 return sd_r1b;
1096
1097 default:
1098 break;
1099 }
1100 break;
1101
1102 case 13:
1103 switch (sd->mode) {
1104 case sd_data_transfer_mode:
1105 if (sd->rca != rca)
1106 return sd_r0;
1107
1108 return sd_r1;
1109
1110 default:
1111 break;
1112 }
1113 break;
1114
1115 case 15:
1116 if (sd->spi)
1117 goto bad_cmd;
1118 switch (sd->mode) {
1119 case sd_data_transfer_mode:
1120 if (sd->rca != rca)
1121 return sd_r0;
1122
1123 sd->state = sd_inactive_state;
1124 return sd_r0;
1125
1126 default:
1127 break;
1128 }
1129 break;
1130
1131
1132 case 16:
1133 switch (sd->state) {
1134 case sd_transfer_state:
1135 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1136 sd->card_status |= BLOCK_LEN_ERROR;
1137 } else {
1138 trace_sdcard_set_blocklen(req.arg);
1139 sd->blk_len = req.arg;
1140 }
1141
1142 return sd_r1;
1143
1144 default:
1145 break;
1146 }
1147 break;
1148
1149 case 17:
1150 switch (sd->state) {
1151 case sd_transfer_state:
1152 sd->state = sd_sendingdata_state;
1153 sd->data_start = addr;
1154 sd->data_offset = 0;
1155
1156 if (sd->data_start + sd->blk_len > sd->size)
1157 sd->card_status |= ADDRESS_ERROR;
1158 return sd_r1;
1159
1160 default:
1161 break;
1162 }
1163 break;
1164
1165 case 18:
1166 switch (sd->state) {
1167 case sd_transfer_state:
1168 sd->state = sd_sendingdata_state;
1169 sd->data_start = addr;
1170 sd->data_offset = 0;
1171
1172 if (sd->data_start + sd->blk_len > sd->size)
1173 sd->card_status |= ADDRESS_ERROR;
1174 return sd_r1;
1175
1176 default:
1177 break;
1178 }
1179 break;
1180
1181 case 19:
1182 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1183 break;
1184 }
1185 if (sd->state == sd_transfer_state) {
1186 sd->state = sd_sendingdata_state;
1187 sd->data_offset = 0;
1188 return sd_r1;
1189 }
1190 break;
1191
1192 case 23:
1193 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1194 break;
1195 }
1196 switch (sd->state) {
1197 case sd_transfer_state:
1198 sd->multi_blk_cnt = req.arg;
1199 return sd_r1;
1200
1201 default:
1202 break;
1203 }
1204 break;
1205
1206
1207 case 24:
1208 switch (sd->state) {
1209 case sd_transfer_state:
1210
1211 if (sd->spi)
1212 break;
1213 sd->state = sd_receivingdata_state;
1214 sd->data_start = addr;
1215 sd->data_offset = 0;
1216 sd->blk_written = 0;
1217
1218 if (sd->data_start + sd->blk_len > sd->size)
1219 sd->card_status |= ADDRESS_ERROR;
1220 if (sd_wp_addr(sd, sd->data_start))
1221 sd->card_status |= WP_VIOLATION;
1222 if (sd->csd[14] & 0x30)
1223 sd->card_status |= WP_VIOLATION;
1224 return sd_r1;
1225
1226 default:
1227 break;
1228 }
1229 break;
1230
1231 case 25:
1232 switch (sd->state) {
1233 case sd_transfer_state:
1234
1235 if (sd->spi)
1236 break;
1237 sd->state = sd_receivingdata_state;
1238 sd->data_start = addr;
1239 sd->data_offset = 0;
1240 sd->blk_written = 0;
1241
1242 if (sd->data_start + sd->blk_len > sd->size)
1243 sd->card_status |= ADDRESS_ERROR;
1244 if (sd_wp_addr(sd, sd->data_start))
1245 sd->card_status |= WP_VIOLATION;
1246 if (sd->csd[14] & 0x30)
1247 sd->card_status |= WP_VIOLATION;
1248 return sd_r1;
1249
1250 default:
1251 break;
1252 }
1253 break;
1254
1255 case 26:
1256 if (sd->spi)
1257 goto bad_cmd;
1258 switch (sd->state) {
1259 case sd_transfer_state:
1260 sd->state = sd_receivingdata_state;
1261 sd->data_start = 0;
1262 sd->data_offset = 0;
1263 return sd_r1;
1264
1265 default:
1266 break;
1267 }
1268 break;
1269
1270 case 27:
1271 switch (sd->state) {
1272 case sd_transfer_state:
1273 sd->state = sd_receivingdata_state;
1274 sd->data_start = 0;
1275 sd->data_offset = 0;
1276 return sd_r1;
1277
1278 default:
1279 break;
1280 }
1281 break;
1282
1283
1284 case 28:
1285 switch (sd->state) {
1286 case sd_transfer_state:
1287 if (addr >= sd->size) {
1288 sd->card_status |= ADDRESS_ERROR;
1289 return sd_r1b;
1290 }
1291
1292 sd->state = sd_programming_state;
1293 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1294
1295 sd->state = sd_transfer_state;
1296 return sd_r1b;
1297
1298 default:
1299 break;
1300 }
1301 break;
1302
1303 case 29:
1304 switch (sd->state) {
1305 case sd_transfer_state:
1306 if (addr >= sd->size) {
1307 sd->card_status |= ADDRESS_ERROR;
1308 return sd_r1b;
1309 }
1310
1311 sd->state = sd_programming_state;
1312 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1313
1314 sd->state = sd_transfer_state;
1315 return sd_r1b;
1316
1317 default:
1318 break;
1319 }
1320 break;
1321
1322 case 30:
1323 switch (sd->state) {
1324 case sd_transfer_state:
1325 sd->state = sd_sendingdata_state;
1326 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1327 sd->data_start = addr;
1328 sd->data_offset = 0;
1329 return sd_r1b;
1330
1331 default:
1332 break;
1333 }
1334 break;
1335
1336
1337 case 32:
1338 switch (sd->state) {
1339 case sd_transfer_state:
1340 sd->erase_start = req.arg;
1341 return sd_r1;
1342
1343 default:
1344 break;
1345 }
1346 break;
1347
1348 case 33:
1349 switch (sd->state) {
1350 case sd_transfer_state:
1351 sd->erase_end = req.arg;
1352 return sd_r1;
1353
1354 default:
1355 break;
1356 }
1357 break;
1358
1359 case 38:
1360 switch (sd->state) {
1361 case sd_transfer_state:
1362 if (sd->csd[14] & 0x30) {
1363 sd->card_status |= WP_VIOLATION;
1364 return sd_r1b;
1365 }
1366
1367 sd->state = sd_programming_state;
1368 sd_erase(sd);
1369
1370 sd->state = sd_transfer_state;
1371 return sd_r1b;
1372
1373 default:
1374 break;
1375 }
1376 break;
1377
1378
1379 case 42:
1380 switch (sd->state) {
1381 case sd_transfer_state:
1382 sd->state = sd_receivingdata_state;
1383 sd->data_start = 0;
1384 sd->data_offset = 0;
1385 return sd_r1;
1386
1387 default:
1388 break;
1389 }
1390 break;
1391
1392 case 52 ... 54:
1393
1394
1395
1396
1397
1398
1399 return sd_illegal;
1400
1401
1402 case 55:
1403 switch (sd->state) {
1404 case sd_ready_state:
1405 case sd_identification_state:
1406 case sd_inactive_state:
1407 return sd_illegal;
1408 case sd_idle_state:
1409 if (rca) {
1410 qemu_log_mask(LOG_GUEST_ERROR,
1411 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1412 }
1413 default:
1414 break;
1415 }
1416 if (!sd->spi) {
1417 if (sd->rca != rca) {
1418 return sd_r0;
1419 }
1420 }
1421 sd->expecting_acmd = true;
1422 sd->card_status |= APP_CMD;
1423 return sd_r1;
1424
1425 case 56:
1426 switch (sd->state) {
1427 case sd_transfer_state:
1428 sd->data_offset = 0;
1429 if (req.arg & 1)
1430 sd->state = sd_sendingdata_state;
1431 else
1432 sd->state = sd_receivingdata_state;
1433 return sd_r1;
1434
1435 default:
1436 break;
1437 }
1438 break;
1439
1440 case 58:
1441 if (!sd->spi) {
1442 goto bad_cmd;
1443 }
1444 return sd_r3;
1445
1446 case 59:
1447 if (!sd->spi) {
1448 goto bad_cmd;
1449 }
1450 goto unimplemented_spi_cmd;
1451
1452 default:
1453 bad_cmd:
1454 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1455 return sd_illegal;
1456
1457 unimplemented_spi_cmd:
1458
1459 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1460 req.cmd);
1461 return sd_illegal;
1462 }
1463
1464 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1465 return sd_illegal;
1466}
1467
1468static sd_rsp_type_t sd_app_command(SDState *sd,
1469 SDRequest req)
1470{
1471 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1472 req.cmd, req.arg, sd_state_name(sd->state));
1473 sd->card_status |= APP_CMD;
1474 switch (req.cmd) {
1475 case 6:
1476 if (sd->spi) {
1477 goto unimplemented_spi_cmd;
1478 }
1479 switch (sd->state) {
1480 case sd_transfer_state:
1481 sd->sd_status[0] &= 0x3f;
1482 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1483 return sd_r1;
1484
1485 default:
1486 break;
1487 }
1488 break;
1489
1490 case 13:
1491 switch (sd->state) {
1492 case sd_transfer_state:
1493 sd->state = sd_sendingdata_state;
1494 sd->data_start = 0;
1495 sd->data_offset = 0;
1496 return sd_r1;
1497
1498 default:
1499 break;
1500 }
1501 break;
1502
1503 case 22:
1504 switch (sd->state) {
1505 case sd_transfer_state:
1506 *(uint32_t *) sd->data = sd->blk_written;
1507
1508 sd->state = sd_sendingdata_state;
1509 sd->data_start = 0;
1510 sd->data_offset = 0;
1511 return sd_r1;
1512
1513 default:
1514 break;
1515 }
1516 break;
1517
1518 case 23:
1519 switch (sd->state) {
1520 case sd_transfer_state:
1521 return sd_r1;
1522
1523 default:
1524 break;
1525 }
1526 break;
1527
1528 case 41:
1529 if (sd->spi) {
1530
1531 sd->state = sd_transfer_state;
1532 return sd_r1;
1533 }
1534 if (sd->state != sd_idle_state) {
1535 break;
1536 }
1537
1538
1539
1540
1541
1542
1543
1544
1545 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1546 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1547 timer_del(sd->ocr_power_timer);
1548 sd_ocr_powerup(sd);
1549 } else {
1550 trace_sdcard_inquiry_cmd41();
1551 if (!timer_pending(sd->ocr_power_timer)) {
1552 timer_mod_ns(sd->ocr_power_timer,
1553 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1554 + OCR_POWER_DELAY_NS));
1555 }
1556 }
1557 }
1558
1559 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1560
1561
1562
1563
1564
1565 sd->state = sd_ready_state;
1566 }
1567
1568 return sd_r3;
1569
1570 case 42:
1571 switch (sd->state) {
1572 case sd_transfer_state:
1573
1574 return sd_r1;
1575
1576 default:
1577 break;
1578 }
1579 break;
1580
1581 case 51:
1582 switch (sd->state) {
1583 case sd_transfer_state:
1584 sd->state = sd_sendingdata_state;
1585 sd->data_start = 0;
1586 sd->data_offset = 0;
1587 return sd_r1;
1588
1589 default:
1590 break;
1591 }
1592 break;
1593
1594 case 18:
1595 case 25:
1596 case 26:
1597 case 38:
1598 case 43 ... 49:
1599
1600
1601
1602 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1603 req.cmd);
1604 return sd_illegal;
1605
1606 default:
1607
1608 return sd_normal_command(sd, req);
1609
1610 unimplemented_spi_cmd:
1611
1612 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1613 req.cmd);
1614 return sd_illegal;
1615 }
1616
1617 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1618 return sd_illegal;
1619}
1620
1621static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1622{
1623
1624
1625
1626
1627
1628
1629
1630
1631 if (sd->expecting_acmd) {
1632 return req->cmd == 41 || req->cmd == 42;
1633 }
1634 if (req->cmd == 16 || req->cmd == 55) {
1635 return 1;
1636 }
1637 return sd_cmd_class[req->cmd] == 0
1638 || sd_cmd_class[req->cmd] == 7;
1639}
1640
1641int sd_do_command(SDState *sd, SDRequest *req,
1642 uint8_t *response) {
1643 int last_state;
1644 sd_rsp_type_t rtype;
1645 int rsplen;
1646
1647 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1648 return 0;
1649 }
1650
1651 if (sd_req_crc_validate(req)) {
1652 sd->card_status |= COM_CRC_ERROR;
1653 rtype = sd_illegal;
1654 goto send_response;
1655 }
1656
1657 if (req->cmd >= SDMMC_CMD_MAX) {
1658 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1659 req->cmd);
1660 req->cmd &= 0x3f;
1661 }
1662
1663 if (sd->card_status & CARD_IS_LOCKED) {
1664 if (!cmd_valid_while_locked(sd, req)) {
1665 sd->card_status |= ILLEGAL_COMMAND;
1666 sd->expecting_acmd = false;
1667 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1668 rtype = sd_illegal;
1669 goto send_response;
1670 }
1671 }
1672
1673 last_state = sd->state;
1674 sd_set_mode(sd);
1675
1676 if (sd->expecting_acmd) {
1677 sd->expecting_acmd = false;
1678 rtype = sd_app_command(sd, *req);
1679 } else {
1680 rtype = sd_normal_command(sd, *req);
1681 }
1682
1683 if (rtype == sd_illegal) {
1684 sd->card_status |= ILLEGAL_COMMAND;
1685 } else {
1686
1687
1688
1689 sd->current_cmd = req->cmd;
1690 sd->card_status &= ~CURRENT_STATE;
1691 sd->card_status |= (last_state << 9);
1692 }
1693
1694send_response:
1695 switch (rtype) {
1696 case sd_r1:
1697 case sd_r1b:
1698 sd_response_r1_make(sd, response);
1699 rsplen = 4;
1700 break;
1701
1702 case sd_r2_i:
1703 memcpy(response, sd->cid, sizeof(sd->cid));
1704 rsplen = 16;
1705 break;
1706
1707 case sd_r2_s:
1708 memcpy(response, sd->csd, sizeof(sd->csd));
1709 rsplen = 16;
1710 break;
1711
1712 case sd_r3:
1713 sd_response_r3_make(sd, response);
1714 rsplen = 4;
1715 break;
1716
1717 case sd_r6:
1718 sd_response_r6_make(sd, response);
1719 rsplen = 4;
1720 break;
1721
1722 case sd_r7:
1723 sd_response_r7_make(sd, response);
1724 rsplen = 4;
1725 break;
1726
1727 case sd_r0:
1728 case sd_illegal:
1729 rsplen = 0;
1730 break;
1731 default:
1732 g_assert_not_reached();
1733 }
1734 trace_sdcard_response(sd_response_name(rtype), rsplen);
1735
1736 if (rtype != sd_illegal) {
1737
1738
1739
1740 sd->card_status &= ~CARD_STATUS_B;
1741 }
1742
1743#ifdef DEBUG_SD
1744 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
1745#endif
1746
1747 return rsplen;
1748}
1749
1750static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1751{
1752 trace_sdcard_read_block(addr, len);
1753 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1754 fprintf(stderr, "sd_blk_read: read error on host side\n");
1755 }
1756}
1757
1758static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1759{
1760 trace_sdcard_write_block(addr, len);
1761 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1762 fprintf(stderr, "sd_blk_write: write error on host side\n");
1763 }
1764}
1765
1766#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1767#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1768#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1769#define APP_WRITE_BLOCK(a, len)
1770
1771void sd_write_data(SDState *sd, uint8_t value)
1772{
1773 int i;
1774
1775 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1776 return;
1777
1778 if (sd->state != sd_receivingdata_state) {
1779 qemu_log_mask(LOG_GUEST_ERROR,
1780 "sd_write_data: not in Receiving-Data state\n");
1781 return;
1782 }
1783
1784 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1785 return;
1786
1787 trace_sdcard_write_data(sd->proto_name,
1788 sd_acmd_name(sd->current_cmd),
1789 sd->current_cmd, value);
1790 switch (sd->current_cmd) {
1791 case 24:
1792 sd->data[sd->data_offset ++] = value;
1793 if (sd->data_offset >= sd->blk_len) {
1794
1795 sd->state = sd_programming_state;
1796 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1797 sd->blk_written ++;
1798 sd->csd[14] |= 0x40;
1799
1800 sd->state = sd_transfer_state;
1801 }
1802 break;
1803
1804 case 25:
1805 if (sd->data_offset == 0) {
1806
1807 if (sd->data_start + sd->blk_len > sd->size) {
1808 sd->card_status |= ADDRESS_ERROR;
1809 break;
1810 }
1811 if (sd_wp_addr(sd, sd->data_start)) {
1812 sd->card_status |= WP_VIOLATION;
1813 break;
1814 }
1815 }
1816 sd->data[sd->data_offset++] = value;
1817 if (sd->data_offset >= sd->blk_len) {
1818
1819 sd->state = sd_programming_state;
1820 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1821 sd->blk_written++;
1822 sd->data_start += sd->blk_len;
1823 sd->data_offset = 0;
1824 sd->csd[14] |= 0x40;
1825
1826
1827 if (sd->multi_blk_cnt != 0) {
1828 if (--sd->multi_blk_cnt == 0) {
1829
1830 sd->state = sd_transfer_state;
1831 break;
1832 }
1833 }
1834
1835 sd->state = sd_receivingdata_state;
1836 }
1837 break;
1838
1839 case 26:
1840 sd->data[sd->data_offset ++] = value;
1841 if (sd->data_offset >= sizeof(sd->cid)) {
1842
1843 sd->state = sd_programming_state;
1844 for (i = 0; i < sizeof(sd->cid); i ++)
1845 if ((sd->cid[i] | 0x00) != sd->data[i])
1846 sd->card_status |= CID_CSD_OVERWRITE;
1847
1848 if (!(sd->card_status & CID_CSD_OVERWRITE))
1849 for (i = 0; i < sizeof(sd->cid); i ++) {
1850 sd->cid[i] |= 0x00;
1851 sd->cid[i] &= sd->data[i];
1852 }
1853
1854 sd->state = sd_transfer_state;
1855 }
1856 break;
1857
1858 case 27:
1859 sd->data[sd->data_offset ++] = value;
1860 if (sd->data_offset >= sizeof(sd->csd)) {
1861
1862 sd->state = sd_programming_state;
1863 for (i = 0; i < sizeof(sd->csd); i ++)
1864 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1865 (sd->data[i] | sd_csd_rw_mask[i]))
1866 sd->card_status |= CID_CSD_OVERWRITE;
1867
1868
1869 if (sd->csd[14] & ~sd->data[14] & 0x60)
1870 sd->card_status |= CID_CSD_OVERWRITE;
1871
1872 if (!(sd->card_status & CID_CSD_OVERWRITE))
1873 for (i = 0; i < sizeof(sd->csd); i ++) {
1874 sd->csd[i] |= sd_csd_rw_mask[i];
1875 sd->csd[i] &= sd->data[i];
1876 }
1877
1878 sd->state = sd_transfer_state;
1879 }
1880 break;
1881
1882 case 42:
1883 sd->data[sd->data_offset ++] = value;
1884 if (sd->data_offset >= sd->blk_len) {
1885
1886 sd->state = sd_programming_state;
1887 sd_lock_command(sd);
1888
1889 sd->state = sd_transfer_state;
1890 }
1891 break;
1892
1893 case 56:
1894 sd->data[sd->data_offset ++] = value;
1895 if (sd->data_offset >= sd->blk_len) {
1896 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1897 sd->state = sd_transfer_state;
1898 }
1899 break;
1900
1901 default:
1902 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1903 break;
1904 }
1905}
1906
1907#define SD_TUNING_BLOCK_SIZE 64
1908
1909static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1910
1911 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1912 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1913 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1914 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1915 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1916 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1917 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1918 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1919};
1920
1921uint8_t sd_read_data(SDState *sd)
1922{
1923
1924 uint8_t ret;
1925 int io_len;
1926
1927 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1928 return 0x00;
1929
1930 if (sd->state != sd_sendingdata_state) {
1931 qemu_log_mask(LOG_GUEST_ERROR,
1932 "sd_read_data: not in Sending-Data state\n");
1933 return 0x00;
1934 }
1935
1936 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1937 return 0x00;
1938
1939 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1940
1941 trace_sdcard_read_data(sd->proto_name,
1942 sd_acmd_name(sd->current_cmd),
1943 sd->current_cmd, io_len);
1944 switch (sd->current_cmd) {
1945 case 6:
1946 ret = sd->data[sd->data_offset ++];
1947
1948 if (sd->data_offset >= 64)
1949 sd->state = sd_transfer_state;
1950 break;
1951
1952 case 9:
1953 case 10:
1954 ret = sd->data[sd->data_offset ++];
1955
1956 if (sd->data_offset >= 16)
1957 sd->state = sd_transfer_state;
1958 break;
1959
1960 case 13:
1961 ret = sd->sd_status[sd->data_offset ++];
1962
1963 if (sd->data_offset >= sizeof(sd->sd_status))
1964 sd->state = sd_transfer_state;
1965 break;
1966
1967 case 17:
1968 if (sd->data_offset == 0)
1969 BLK_READ_BLOCK(sd->data_start, io_len);
1970 ret = sd->data[sd->data_offset ++];
1971
1972 if (sd->data_offset >= io_len)
1973 sd->state = sd_transfer_state;
1974 break;
1975
1976 case 18:
1977 if (sd->data_offset == 0) {
1978 if (sd->data_start + io_len > sd->size) {
1979 sd->card_status |= ADDRESS_ERROR;
1980 return 0x00;
1981 }
1982 BLK_READ_BLOCK(sd->data_start, io_len);
1983 }
1984 ret = sd->data[sd->data_offset ++];
1985
1986 if (sd->data_offset >= io_len) {
1987 sd->data_start += io_len;
1988 sd->data_offset = 0;
1989
1990 if (sd->multi_blk_cnt != 0) {
1991 if (--sd->multi_blk_cnt == 0) {
1992
1993 sd->state = sd_transfer_state;
1994 break;
1995 }
1996 }
1997 }
1998 break;
1999
2000 case 19:
2001 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2002 sd->state = sd_transfer_state;
2003 }
2004 ret = sd_tuning_block_pattern[sd->data_offset++];
2005 break;
2006
2007 case 22:
2008 ret = sd->data[sd->data_offset ++];
2009
2010 if (sd->data_offset >= 4)
2011 sd->state = sd_transfer_state;
2012 break;
2013
2014 case 30:
2015 ret = sd->data[sd->data_offset ++];
2016
2017 if (sd->data_offset >= 4)
2018 sd->state = sd_transfer_state;
2019 break;
2020
2021 case 51:
2022 ret = sd->scr[sd->data_offset ++];
2023
2024 if (sd->data_offset >= sizeof(sd->scr))
2025 sd->state = sd_transfer_state;
2026 break;
2027
2028 case 56:
2029 if (sd->data_offset == 0)
2030 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2031 ret = sd->data[sd->data_offset ++];
2032
2033 if (sd->data_offset >= sd->blk_len)
2034 sd->state = sd_transfer_state;
2035 break;
2036
2037 default:
2038 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
2039 return 0x00;
2040 }
2041
2042 return ret;
2043}
2044
2045bool sd_data_ready(SDState *sd)
2046{
2047 return sd->state == sd_sendingdata_state;
2048}
2049
2050void sd_enable(SDState *sd, bool enable)
2051{
2052 sd->enable = enable;
2053}
2054
2055static void sd_instance_init(Object *obj)
2056{
2057 SDState *sd = SD_CARD(obj);
2058
2059 sd->enable = true;
2060 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2061}
2062
2063static void sd_instance_finalize(Object *obj)
2064{
2065 SDState *sd = SD_CARD(obj);
2066
2067 timer_del(sd->ocr_power_timer);
2068 timer_free(sd->ocr_power_timer);
2069}
2070
2071static void sd_realize(DeviceState *dev, Error **errp)
2072{
2073 SDState *sd = SD_CARD(dev);
2074 int ret;
2075
2076 sd->proto_name = sd->spi ? "SPI" : "SD";
2077
2078 switch (sd->spec_version) {
2079 case SD_PHY_SPECv1_10_VERS
2080 ... SD_PHY_SPECv3_01_VERS:
2081 break;
2082 default:
2083 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2084 return;
2085 }
2086
2087 if (sd->blk && blk_is_read_only(sd->blk)) {
2088 error_setg(errp, "Cannot use read-only drive as SD card");
2089 return;
2090 }
2091
2092 if (sd->blk) {
2093 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2094 BLK_PERM_ALL, errp);
2095 if (ret < 0) {
2096 return;
2097 }
2098 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2099 }
2100}
2101
2102static Property sd_properties[] = {
2103 DEFINE_PROP_UINT8("spec_version", SDState,
2104 spec_version, SD_PHY_SPECv2_00_VERS),
2105 DEFINE_PROP_DRIVE("drive", SDState, blk),
2106
2107
2108
2109
2110 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2111 DEFINE_PROP_END_OF_LIST()
2112};
2113
2114static void sd_class_init(ObjectClass *klass, void *data)
2115{
2116 DeviceClass *dc = DEVICE_CLASS(klass);
2117 SDCardClass *sc = SD_CARD_CLASS(klass);
2118
2119 dc->realize = sd_realize;
2120 dc->props = sd_properties;
2121 dc->vmsd = &sd_vmstate;
2122 dc->reset = sd_reset;
2123 dc->bus_type = TYPE_SD_BUS;
2124
2125 sc->set_voltage = sd_set_voltage;
2126 sc->get_dat_lines = sd_get_dat_lines;
2127 sc->get_cmd_line = sd_get_cmd_line;
2128 sc->do_command = sd_do_command;
2129 sc->write_data = sd_write_data;
2130 sc->read_data = sd_read_data;
2131 sc->data_ready = sd_data_ready;
2132 sc->enable = sd_enable;
2133 sc->get_inserted = sd_get_inserted;
2134 sc->get_readonly = sd_get_readonly;
2135}
2136
2137static const TypeInfo sd_info = {
2138 .name = TYPE_SD_CARD,
2139 .parent = TYPE_DEVICE,
2140 .instance_size = sizeof(SDState),
2141 .class_size = sizeof(SDCardClass),
2142 .class_init = sd_class_init,
2143 .instance_init = sd_instance_init,
2144 .instance_finalize = sd_instance_finalize,
2145};
2146
2147static void sd_register_types(void)
2148{
2149 type_register_static(&sd_info);
2150}
2151
2152type_init(sd_register_types)
2153
