1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33#include "qemu/osdep.h"
34#include "qemu/units.h"
35#include "hw/qdev.h"
36#include "hw/hw.h"
37#include "hw/registerfields.h"
38#include "sysemu/block-backend.h"
39#include "hw/sd/sd.h"
40#include "qapi/error.h"
41#include "qemu/bitmap.h"
42#include "hw/qdev-properties.h"
43#include "qemu/error-report.h"
44#include "qemu/timer.h"
45#include "qemu/log.h"
46#include "qemu/module.h"
47#include "sdmmc-internal.h"
48#include "trace.h"
49
50
51
52typedef enum {
53 sd_r0 = 0,
54 sd_r1,
55 sd_r2_i,
56 sd_r2_s,
57 sd_r3,
58 sd_r6 = 6,
59 sd_r7,
60 sd_r1b = -1,
61 sd_illegal = -2,
62} sd_rsp_type_t;
63
64enum SDCardModes {
65 sd_inactive,
66 sd_card_identification_mode,
67 sd_data_transfer_mode,
68};
69
70enum SDCardStates {
71 sd_inactive_state = -1,
72 sd_idle_state = 0,
73 sd_ready_state,
74 sd_identification_state,
75 sd_standby_state,
76 sd_transfer_state,
77 sd_sendingdata_state,
78 sd_receivingdata_state,
79 sd_programming_state,
80 sd_disconnect_state,
81};
82
83struct SDState {
84 DeviceState parent_obj;
85
86
87 uint32_t ocr;
88 uint8_t scr[8];
89 uint8_t cid[16];
90 uint8_t csd[16];
91 uint16_t rca;
92 uint32_t card_status;
93 uint8_t sd_status[64];
94
95
96 uint8_t spec_version;
97 BlockBackend *blk;
98 bool spi;
99
100 uint32_t mode;
101 int32_t state;
102 uint32_t vhs;
103 bool wp_switch;
104 unsigned long *wp_groups;
105 int32_t wpgrps_size;
106 uint64_t size;
107 uint32_t blk_len;
108 uint32_t multi_blk_cnt;
109 uint32_t erase_start;
110 uint32_t erase_end;
111 uint8_t pwd[16];
112 uint32_t pwd_len;
113 uint8_t function_group[6];
114 uint8_t current_cmd;
115
116
117
118 bool expecting_acmd;
119 uint32_t blk_written;
120 uint64_t data_start;
121 uint32_t data_offset;
122 uint8_t data[512];
123 qemu_irq readonly_cb;
124 qemu_irq inserted_cb;
125 QEMUTimer *ocr_power_timer;
126 const char *proto_name;
127 bool enable;
128 uint8_t dat_lines;
129 bool cmd_line;
130};
131
132static const char *sd_state_name(enum SDCardStates state)
133{
134 static const char *state_name[] = {
135 [sd_idle_state] = "idle",
136 [sd_ready_state] = "ready",
137 [sd_identification_state] = "identification",
138 [sd_standby_state] = "standby",
139 [sd_transfer_state] = "transfer",
140 [sd_sendingdata_state] = "sendingdata",
141 [sd_receivingdata_state] = "receivingdata",
142 [sd_programming_state] = "programming",
143 [sd_disconnect_state] = "disconnect",
144 };
145 if (state == sd_inactive_state) {
146 return "inactive";
147 }
148 assert(state < ARRAY_SIZE(state_name));
149 return state_name[state];
150}
151
152static const char *sd_response_name(sd_rsp_type_t rsp)
153{
154 static const char *response_name[] = {
155 [sd_r0] = "RESP#0 (no response)",
156 [sd_r1] = "RESP#1 (normal cmd)",
157 [sd_r2_i] = "RESP#2 (CID reg)",
158 [sd_r2_s] = "RESP#2 (CSD reg)",
159 [sd_r3] = "RESP#3 (OCR reg)",
160 [sd_r6] = "RESP#6 (RCA)",
161 [sd_r7] = "RESP#7 (operating voltage)",
162 };
163 if (rsp == sd_illegal) {
164 return "ILLEGAL RESP";
165 }
166 if (rsp == sd_r1b) {
167 rsp = sd_r1;
168 }
169 assert(rsp < ARRAY_SIZE(response_name));
170 return response_name[rsp];
171}
172
173static uint8_t sd_get_dat_lines(SDState *sd)
174{
175 return sd->enable ? sd->dat_lines : 0;
176}
177
178static bool sd_get_cmd_line(SDState *sd)
179{
180 return sd->enable ? sd->cmd_line : false;
181}
182
183static void sd_set_voltage(SDState *sd, uint16_t millivolts)
184{
185 trace_sdcard_set_voltage(millivolts);
186
187 switch (millivolts) {
188 case 3001 ... 3600:
189 case 2001 ... 3000:
190 break;
191 default:
192 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
193 millivolts / 1000.f);
194 }
195}
196
197static void sd_set_mode(SDState *sd)
198{
199 switch (sd->state) {
200 case sd_inactive_state:
201 sd->mode = sd_inactive;
202 break;
203
204 case sd_idle_state:
205 case sd_ready_state:
206 case sd_identification_state:
207 sd->mode = sd_card_identification_mode;
208 break;
209
210 case sd_standby_state:
211 case sd_transfer_state:
212 case sd_sendingdata_state:
213 case sd_receivingdata_state:
214 case sd_programming_state:
215 case sd_disconnect_state:
216 sd->mode = sd_data_transfer_mode;
217 break;
218 }
219}
220
221static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
222 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
223 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
224
225 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
226 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
227
228 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
229 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
230
231 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
232 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
233};
234
235static const int sd_cmd_class[SDMMC_CMD_MAX] = {
236 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
237 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
238 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
239 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
240};
241
242static uint8_t sd_crc7(void *message, size_t width)
243{
244 int i, bit;
245 uint8_t shift_reg = 0x00;
246 uint8_t *msg = (uint8_t *) message;
247
248 for (i = 0; i < width; i ++, msg ++)
249 for (bit = 7; bit >= 0; bit --) {
250 shift_reg <<= 1;
251 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
252 shift_reg ^= 0x89;
253 }
254
255 return shift_reg;
256}
257
258static uint16_t sd_crc16(void *message, size_t width)
259{
260 int i, bit;
261 uint16_t shift_reg = 0x0000;
262 uint16_t *msg = (uint16_t *) message;
263 width <<= 1;
264
265 for (i = 0; i < width; i ++, msg ++)
266 for (bit = 15; bit >= 0; bit --) {
267 shift_reg <<= 1;
268 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
269 shift_reg ^= 0x1011;
270 }
271
272 return shift_reg;
273}
274
275#define OCR_POWER_DELAY_NS 500000
276
277FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
278FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
279FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
280FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
281FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1)
282FIELD(OCR, UHS_II_CARD, 29, 1)
283FIELD(OCR, CARD_CAPACITY, 30, 1)
284FIELD(OCR, CARD_POWER_UP, 31, 1)
285
286#define ACMD41_ENQUIRY_MASK 0x00ffffff
287#define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
288 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
289 | R_OCR_UHS_II_CARD_MASK \
290 | R_OCR_CARD_CAPACITY_MASK \
291 | R_OCR_CARD_POWER_UP_MASK)
292
293static void sd_set_ocr(SDState *sd)
294{
295
296 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
297}
298
299static void sd_ocr_powerup(void *opaque)
300{
301 SDState *sd = opaque;
302
303 trace_sdcard_powerup();
304 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
305
306
307 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
308
309 if (sd->size > 1 * GiB) {
310 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
311 }
312}
313
314static void sd_set_scr(SDState *sd)
315{
316 sd->scr[0] = 0 << 4;
317 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
318 sd->scr[0] |= 1;
319 } else {
320 sd->scr[0] |= 2;
321 }
322 sd->scr[1] = (2 << 4)
323 | 0b0101;
324 sd->scr[2] = 0x00;
325 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
326 sd->scr[2] |= 1 << 7;
327 }
328 sd->scr[3] = 0x00;
329
330 sd->scr[4] = 0x00;
331 sd->scr[5] = 0x00;
332 sd->scr[6] = 0x00;
333 sd->scr[7] = 0x00;
334}
335
336#define MID 0xaa
337#define OID "XY"
338#define PNM "QEMU!"
339#define PRV 0x01
340#define MDT_YR 2006
341#define MDT_MON 2
342
343static void sd_set_cid(SDState *sd)
344{
345 sd->cid[0] = MID;
346 sd->cid[1] = OID[0];
347 sd->cid[2] = OID[1];
348 sd->cid[3] = PNM[0];
349 sd->cid[4] = PNM[1];
350 sd->cid[5] = PNM[2];
351 sd->cid[6] = PNM[3];
352 sd->cid[7] = PNM[4];
353 sd->cid[8] = PRV;
354 sd->cid[9] = 0xde;
355 sd->cid[10] = 0xad;
356 sd->cid[11] = 0xbe;
357 sd->cid[12] = 0xef;
358 sd->cid[13] = 0x00 |
359 ((MDT_YR - 2000) / 10);
360 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
361 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
362}
363
364#define HWBLOCK_SHIFT 9
365#define SECTOR_SHIFT 5
366#define WPGROUP_SHIFT 7
367#define CMULT_SHIFT 9
368#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
369
370static const uint8_t sd_csd_rw_mask[16] = {
371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
373};
374
375static void sd_set_csd(SDState *sd, uint64_t size)
376{
377 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
378 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
379 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
380
381 if (size <= 1 * GiB) {
382 sd->csd[0] = 0x00;
383 sd->csd[1] = 0x26;
384 sd->csd[2] = 0x00;
385 sd->csd[3] = 0x32;
386 sd->csd[4] = 0x5f;
387 sd->csd[5] = 0x50 |
388 HWBLOCK_SHIFT;
389 sd->csd[6] = 0xe0 |
390 ((csize >> 10) & 0x03);
391 sd->csd[7] = 0x00 |
392 ((csize >> 2) & 0xff);
393 sd->csd[8] = 0x3f |
394 ((csize << 6) & 0xc0);
395 sd->csd[9] = 0xfc |
396 ((CMULT_SHIFT - 2) >> 1);
397 sd->csd[10] = 0x40 |
398 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
399 sd->csd[11] = 0x00 |
400 ((sectsize << 7) & 0x80) | wpsize;
401 sd->csd[12] = 0x90 |
402 (HWBLOCK_SHIFT >> 2);
403 sd->csd[13] = 0x20 |
404 ((HWBLOCK_SHIFT << 6) & 0xc0);
405 sd->csd[14] = 0x00;
406 } else {
407 size /= 512 * KiB;
408 size -= 1;
409 sd->csd[0] = 0x40;
410 sd->csd[1] = 0x0e;
411 sd->csd[2] = 0x00;
412 sd->csd[3] = 0x32;
413 sd->csd[4] = 0x5b;
414 sd->csd[5] = 0x59;
415 sd->csd[6] = 0x00;
416 sd->csd[7] = (size >> 16) & 0xff;
417 sd->csd[8] = (size >> 8) & 0xff;
418 sd->csd[9] = (size & 0xff);
419 sd->csd[10] = 0x7f;
420 sd->csd[11] = 0x80;
421 sd->csd[12] = 0x0a;
422 sd->csd[13] = 0x40;
423 sd->csd[14] = 0x00;
424 }
425 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
426}
427
428static void sd_set_rca(SDState *sd)
429{
430 sd->rca += 0x4567;
431}
432
433FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
434FIELD(CSR, APP_CMD, 5, 1)
435FIELD(CSR, FX_EVENT, 6, 1)
436FIELD(CSR, READY_FOR_DATA, 8, 1)
437FIELD(CSR, CURRENT_STATE, 9, 4)
438FIELD(CSR, ERASE_RESET, 13, 1)
439FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
440FIELD(CSR, WP_ERASE_SKIP, 15, 1)
441FIELD(CSR, CSD_OVERWRITE, 16, 1)
442FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
443FIELD(CSR, ERROR, 19, 1)
444FIELD(CSR, CC_ERROR, 20, 1)
445FIELD(CSR, CARD_ECC_FAILED, 21, 1)
446FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
447FIELD(CSR, COM_CRC_ERROR, 23, 1)
448FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
449FIELD(CSR, CARD_IS_LOCKED, 25, 1)
450FIELD(CSR, WP_VIOLATION, 26, 1)
451FIELD(CSR, ERASE_PARAM, 27, 1)
452FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
453FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
454FIELD(CSR, ADDRESS_ERROR, 30, 1)
455FIELD(CSR, OUT_OF_RANGE, 31, 1)
456
457
458
459
460
461
462#define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
463 | R_CSR_CARD_ECC_DISABLED_MASK \
464 | R_CSR_CARD_IS_LOCKED_MASK)
465#define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
466 | R_CSR_ILLEGAL_COMMAND_MASK \
467 | R_CSR_COM_CRC_ERROR_MASK)
468#define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
469 | R_CSR_APP_CMD_MASK \
470 | R_CSR_ERASE_RESET_MASK \
471 | R_CSR_WP_ERASE_SKIP_MASK \
472 | R_CSR_CSD_OVERWRITE_MASK \
473 | R_CSR_ERROR_MASK \
474 | R_CSR_CC_ERROR_MASK \
475 | R_CSR_CARD_ECC_FAILED_MASK \
476 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
477 | R_CSR_WP_VIOLATION_MASK \
478 | R_CSR_ERASE_PARAM_MASK \
479 | R_CSR_ERASE_SEQ_ERROR_MASK \
480 | R_CSR_BLOCK_LEN_ERROR_MASK \
481 | R_CSR_ADDRESS_ERROR_MASK \
482 | R_CSR_OUT_OF_RANGE_MASK)
483
484static void sd_set_cardstatus(SDState *sd)
485{
486 sd->card_status = 0x00000100;
487}
488
489static void sd_set_sdstatus(SDState *sd)
490{
491 memset(sd->sd_status, 0, 64);
492}
493
494static int sd_req_crc_validate(SDRequest *req)
495{
496 uint8_t buffer[5];
497 buffer[0] = 0x40 | req->cmd;
498 stl_be_p(&buffer[1], req->arg);
499 return 0;
500 return sd_crc7(buffer, 5) != req->crc;
501}
502
503static void sd_response_r1_make(SDState *sd, uint8_t *response)
504{
505 stl_be_p(response, sd->card_status);
506
507
508 sd->card_status &= ~CARD_STATUS_C;
509}
510
511static void sd_response_r3_make(SDState *sd, uint8_t *response)
512{
513 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
514}
515
516static void sd_response_r6_make(SDState *sd, uint8_t *response)
517{
518 uint16_t status;
519
520 status = ((sd->card_status >> 8) & 0xc000) |
521 ((sd->card_status >> 6) & 0x2000) |
522 (sd->card_status & 0x1fff);
523 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
524 stw_be_p(response + 0, sd->rca);
525 stw_be_p(response + 2, status);
526}
527
528static void sd_response_r7_make(SDState *sd, uint8_t *response)
529{
530 stl_be_p(response, sd->vhs);
531}
532
533static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
534{
535 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
536}
537
538static void sd_reset(DeviceState *dev)
539{
540 SDState *sd = SD_CARD(dev);
541 uint64_t size;
542 uint64_t sect;
543
544 trace_sdcard_reset();
545 if (sd->blk) {
546 blk_get_geometry(sd->blk, §);
547 } else {
548 sect = 0;
549 }
550 size = sect << 9;
551
552 sect = sd_addr_to_wpnum(size) + 1;
553
554 sd->state = sd_idle_state;
555 sd->rca = 0x0000;
556 sd_set_ocr(sd);
557 sd_set_scr(sd);
558 sd_set_cid(sd);
559 sd_set_csd(sd, size);
560 sd_set_cardstatus(sd);
561 sd_set_sdstatus(sd);
562
563 g_free(sd->wp_groups);
564 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
565 sd->wpgrps_size = sect;
566 sd->wp_groups = bitmap_new(sd->wpgrps_size);
567 memset(sd->function_group, 0, sizeof(sd->function_group));
568 sd->erase_start = 0;
569 sd->erase_end = 0;
570 sd->size = size;
571 sd->blk_len = 0x200;
572 sd->pwd_len = 0;
573 sd->expecting_acmd = false;
574 sd->dat_lines = 0xf;
575 sd->cmd_line = true;
576 sd->multi_blk_cnt = 0;
577}
578
579static bool sd_get_inserted(SDState *sd)
580{
581 return sd->blk && blk_is_inserted(sd->blk);
582}
583
584static bool sd_get_readonly(SDState *sd)
585{
586 return sd->wp_switch;
587}
588
589static void sd_cardchange(void *opaque, bool load, Error **errp)
590{
591 SDState *sd = opaque;
592 DeviceState *dev = DEVICE(sd);
593 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev));
594 bool inserted = sd_get_inserted(sd);
595 bool readonly = sd_get_readonly(sd);
596
597 if (inserted) {
598 trace_sdcard_inserted(readonly);
599 sd_reset(dev);
600 } else {
601 trace_sdcard_ejected();
602 }
603
604
605
606
607 if (sdbus) {
608 sdbus_set_inserted(sdbus, inserted);
609 if (inserted) {
610 sdbus_set_readonly(sdbus, readonly);
611 }
612 } else {
613 qemu_set_irq(sd->inserted_cb, inserted);
614 if (inserted) {
615 qemu_set_irq(sd->readonly_cb, readonly);
616 }
617 }
618}
619
620static const BlockDevOps sd_block_ops = {
621 .change_media_cb = sd_cardchange,
622};
623
624static bool sd_ocr_vmstate_needed(void *opaque)
625{
626 SDState *sd = opaque;
627
628
629 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
630}
631
632static const VMStateDescription sd_ocr_vmstate = {
633 .name = "sd-card/ocr-state",
634 .version_id = 1,
635 .minimum_version_id = 1,
636 .needed = sd_ocr_vmstate_needed,
637 .fields = (VMStateField[]) {
638 VMSTATE_UINT32(ocr, SDState),
639 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
640 VMSTATE_END_OF_LIST()
641 },
642};
643
644static int sd_vmstate_pre_load(void *opaque)
645{
646 SDState *sd = opaque;
647
648
649
650
651
652 sd_ocr_powerup(sd);
653
654 return 0;
655}
656
657static const VMStateDescription sd_vmstate = {
658 .name = "sd-card",
659 .version_id = 1,
660 .minimum_version_id = 1,
661 .pre_load = sd_vmstate_pre_load,
662 .fields = (VMStateField[]) {
663 VMSTATE_UINT32(mode, SDState),
664 VMSTATE_INT32(state, SDState),
665 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
666 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
667 VMSTATE_UINT16(rca, SDState),
668 VMSTATE_UINT32(card_status, SDState),
669 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
670 VMSTATE_UINT32(vhs, SDState),
671 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
672 VMSTATE_UINT32(blk_len, SDState),
673 VMSTATE_UINT32(multi_blk_cnt, SDState),
674 VMSTATE_UINT32(erase_start, SDState),
675 VMSTATE_UINT32(erase_end, SDState),
676 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
677 VMSTATE_UINT32(pwd_len, SDState),
678 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
679 VMSTATE_UINT8(current_cmd, SDState),
680 VMSTATE_BOOL(expecting_acmd, SDState),
681 VMSTATE_UINT32(blk_written, SDState),
682 VMSTATE_UINT64(data_start, SDState),
683 VMSTATE_UINT32(data_offset, SDState),
684 VMSTATE_UINT8_ARRAY(data, SDState, 512),
685 VMSTATE_UNUSED_V(1, 512),
686 VMSTATE_BOOL(enable, SDState),
687 VMSTATE_END_OF_LIST()
688 },
689 .subsections = (const VMStateDescription*[]) {
690 &sd_ocr_vmstate,
691 NULL
692 },
693};
694
695
696SDState *sd_init(BlockBackend *blk, bool is_spi)
697{
698 Object *obj;
699 DeviceState *dev;
700 Error *err = NULL;
701
702 obj = object_new(TYPE_SD_CARD);
703 dev = DEVICE(obj);
704 qdev_prop_set_drive(dev, "drive", blk, &err);
705 if (err) {
706 error_report("sd_init failed: %s", error_get_pretty(err));
707 return NULL;
708 }
709 qdev_prop_set_bit(dev, "spi", is_spi);
710 object_property_set_bool(obj, true, "realized", &err);
711 if (err) {
712 error_report("sd_init failed: %s", error_get_pretty(err));
713 return NULL;
714 }
715
716 return SD_CARD(dev);
717}
718
719void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
720{
721 sd->readonly_cb = readonly;
722 sd->inserted_cb = insert;
723 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
724 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
725}
726
727static void sd_erase(SDState *sd)
728{
729 int i;
730 uint64_t erase_start = sd->erase_start;
731 uint64_t erase_end = sd->erase_end;
732
733 trace_sdcard_erase();
734 if (!sd->erase_start || !sd->erase_end) {
735 sd->card_status |= ERASE_SEQ_ERROR;
736 return;
737 }
738
739 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
740
741 erase_start *= 512;
742 erase_end *= 512;
743 }
744
745 erase_start = sd_addr_to_wpnum(erase_start);
746 erase_end = sd_addr_to_wpnum(erase_end);
747 sd->erase_start = 0;
748 sd->erase_end = 0;
749 sd->csd[14] |= 0x40;
750
751 for (i = erase_start; i <= erase_end; i++) {
752 if (test_bit(i, sd->wp_groups)) {
753 sd->card_status |= WP_ERASE_SKIP;
754 }
755 }
756}
757
758static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
759{
760 uint32_t i, wpnum;
761 uint32_t ret = 0;
762
763 wpnum = sd_addr_to_wpnum(addr);
764
765 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
766 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
767 ret |= (1 << i);
768 }
769 }
770
771 return ret;
772}
773
774static void sd_function_switch(SDState *sd, uint32_t arg)
775{
776 int i, mode, new_func;
777 mode = !!(arg & 0x80000000);
778
779 sd->data[0] = 0x00;
780 sd->data[1] = 0x01;
781 sd->data[2] = 0x80;
782 sd->data[3] = 0x01;
783 sd->data[4] = 0x80;
784 sd->data[5] = 0x01;
785 sd->data[6] = 0x80;
786 sd->data[7] = 0x01;
787 sd->data[8] = 0x80;
788 sd->data[9] = 0x01;
789 sd->data[10] = 0x80;
790 sd->data[11] = 0x43;
791 sd->data[12] = 0x80;
792 sd->data[13] = 0x03;
793 for (i = 0; i < 6; i ++) {
794 new_func = (arg >> (i * 4)) & 0x0f;
795 if (mode && new_func != 0x0f)
796 sd->function_group[i] = new_func;
797 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
798 }
799 memset(&sd->data[17], 0, 47);
800 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
801}
802
803static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
804{
805 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
806}
807
808static void sd_lock_command(SDState *sd)
809{
810 int erase, lock, clr_pwd, set_pwd, pwd_len;
811 erase = !!(sd->data[0] & 0x08);
812 lock = sd->data[0] & 0x04;
813 clr_pwd = sd->data[0] & 0x02;
814 set_pwd = sd->data[0] & 0x01;
815
816 if (sd->blk_len > 1)
817 pwd_len = sd->data[1];
818 else
819 pwd_len = 0;
820
821 if (lock) {
822 trace_sdcard_lock();
823 } else {
824 trace_sdcard_unlock();
825 }
826 if (erase) {
827 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
828 set_pwd || clr_pwd || lock || sd->wp_switch ||
829 (sd->csd[14] & 0x20)) {
830 sd->card_status |= LOCK_UNLOCK_FAILED;
831 return;
832 }
833 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
834 sd->csd[14] &= ~0x10;
835 sd->card_status &= ~CARD_IS_LOCKED;
836 sd->pwd_len = 0;
837
838 fprintf(stderr, "SD: Card force-erased by CMD42\n");
839 return;
840 }
841
842 if (sd->blk_len < 2 + pwd_len ||
843 pwd_len <= sd->pwd_len ||
844 pwd_len > sd->pwd_len + 16) {
845 sd->card_status |= LOCK_UNLOCK_FAILED;
846 return;
847 }
848
849 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
850 sd->card_status |= LOCK_UNLOCK_FAILED;
851 return;
852 }
853
854 pwd_len -= sd->pwd_len;
855 if ((pwd_len && !set_pwd) ||
856 (clr_pwd && (set_pwd || lock)) ||
857 (lock && !sd->pwd_len && !set_pwd) ||
858 (!set_pwd && !clr_pwd &&
859 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
860 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
861 sd->card_status |= LOCK_UNLOCK_FAILED;
862 return;
863 }
864
865 if (set_pwd) {
866 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
867 sd->pwd_len = pwd_len;
868 }
869
870 if (clr_pwd) {
871 sd->pwd_len = 0;
872 }
873
874 if (lock)
875 sd->card_status |= CARD_IS_LOCKED;
876 else
877 sd->card_status &= ~CARD_IS_LOCKED;
878}
879
880static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
881{
882 uint32_t rca = 0x0000;
883 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
884
885
886
887
888 if (req.cmd != 55 || sd->expecting_acmd) {
889 trace_sdcard_normal_command(sd->proto_name,
890 sd_cmd_name(req.cmd), req.cmd,
891 req.arg, sd_state_name(sd->state));
892 }
893
894
895 sd->card_status &= ~APP_CMD;
896
897 if (sd_cmd_type[req.cmd] == sd_ac
898 || sd_cmd_type[req.cmd] == sd_adtc) {
899 rca = req.arg >> 16;
900 }
901
902
903
904 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
905 sd->multi_blk_cnt = 0;
906 }
907
908 switch (req.cmd) {
909
910 case 0:
911 switch (sd->state) {
912 case sd_inactive_state:
913 return sd->spi ? sd_r1 : sd_r0;
914
915 default:
916 sd->state = sd_idle_state;
917 sd_reset(DEVICE(sd));
918 return sd->spi ? sd_r1 : sd_r0;
919 }
920 break;
921
922 case 1:
923 if (!sd->spi)
924 goto bad_cmd;
925
926 sd->state = sd_transfer_state;
927 return sd_r1;
928
929 case 2:
930 if (sd->spi)
931 goto bad_cmd;
932 switch (sd->state) {
933 case sd_ready_state:
934 sd->state = sd_identification_state;
935 return sd_r2_i;
936
937 default:
938 break;
939 }
940 break;
941
942 case 3:
943 if (sd->spi)
944 goto bad_cmd;
945 switch (sd->state) {
946 case sd_identification_state:
947 case sd_standby_state:
948 sd->state = sd_standby_state;
949 sd_set_rca(sd);
950 return sd_r6;
951
952 default:
953 break;
954 }
955 break;
956
957 case 4:
958 if (sd->spi)
959 goto bad_cmd;
960 switch (sd->state) {
961 case sd_standby_state:
962 break;
963
964 default:
965 break;
966 }
967 break;
968
969 case 5:
970 return sd_illegal;
971
972 case 6:
973 switch (sd->mode) {
974 case sd_data_transfer_mode:
975 sd_function_switch(sd, req.arg);
976 sd->state = sd_sendingdata_state;
977 sd->data_start = 0;
978 sd->data_offset = 0;
979 return sd_r1;
980
981 default:
982 break;
983 }
984 break;
985
986 case 7:
987 if (sd->spi)
988 goto bad_cmd;
989 switch (sd->state) {
990 case sd_standby_state:
991 if (sd->rca != rca)
992 return sd_r0;
993
994 sd->state = sd_transfer_state;
995 return sd_r1b;
996
997 case sd_transfer_state:
998 case sd_sendingdata_state:
999 if (sd->rca == rca)
1000 break;
1001
1002 sd->state = sd_standby_state;
1003 return sd_r1b;
1004
1005 case sd_disconnect_state:
1006 if (sd->rca != rca)
1007 return sd_r0;
1008
1009 sd->state = sd_programming_state;
1010 return sd_r1b;
1011
1012 case sd_programming_state:
1013 if (sd->rca == rca)
1014 break;
1015
1016 sd->state = sd_disconnect_state;
1017 return sd_r1b;
1018
1019 default:
1020 break;
1021 }
1022 break;
1023
1024 case 8:
1025 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1026 break;
1027 }
1028 if (sd->state != sd_idle_state) {
1029 break;
1030 }
1031 sd->vhs = 0;
1032
1033
1034 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1035 return sd->spi ? sd_r7 : sd_r0;
1036 }
1037
1038
1039 sd->vhs = req.arg;
1040 return sd_r7;
1041
1042 case 9:
1043 switch (sd->state) {
1044 case sd_standby_state:
1045 if (sd->rca != rca)
1046 return sd_r0;
1047
1048 return sd_r2_s;
1049
1050 case sd_transfer_state:
1051 if (!sd->spi)
1052 break;
1053 sd->state = sd_sendingdata_state;
1054 memcpy(sd->data, sd->csd, 16);
1055 sd->data_start = addr;
1056 sd->data_offset = 0;
1057 return sd_r1;
1058
1059 default:
1060 break;
1061 }
1062 break;
1063
1064 case 10:
1065 switch (sd->state) {
1066 case sd_standby_state:
1067 if (sd->rca != rca)
1068 return sd_r0;
1069
1070 return sd_r2_i;
1071
1072 case sd_transfer_state:
1073 if (!sd->spi)
1074 break;
1075 sd->state = sd_sendingdata_state;
1076 memcpy(sd->data, sd->cid, 16);
1077 sd->data_start = addr;
1078 sd->data_offset = 0;
1079 return sd_r1;
1080
1081 default:
1082 break;
1083 }
1084 break;
1085
1086 case 12:
1087 switch (sd->state) {
1088 case sd_sendingdata_state:
1089 sd->state = sd_transfer_state;
1090 return sd_r1b;
1091
1092 case sd_receivingdata_state:
1093 sd->state = sd_programming_state;
1094
1095 sd->state = sd_transfer_state;
1096 return sd_r1b;
1097
1098 default:
1099 break;
1100 }
1101 break;
1102
1103 case 13:
1104 switch (sd->mode) {
1105 case sd_data_transfer_mode:
1106 if (sd->rca != rca)
1107 return sd_r0;
1108
1109 return sd_r1;
1110
1111 default:
1112 break;
1113 }
1114 break;
1115
1116 case 15:
1117 if (sd->spi)
1118 goto bad_cmd;
1119 switch (sd->mode) {
1120 case sd_data_transfer_mode:
1121 if (sd->rca != rca)
1122 return sd_r0;
1123
1124 sd->state = sd_inactive_state;
1125 return sd_r0;
1126
1127 default:
1128 break;
1129 }
1130 break;
1131
1132
1133 case 16:
1134 switch (sd->state) {
1135 case sd_transfer_state:
1136 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1137 sd->card_status |= BLOCK_LEN_ERROR;
1138 } else {
1139 trace_sdcard_set_blocklen(req.arg);
1140 sd->blk_len = req.arg;
1141 }
1142
1143 return sd_r1;
1144
1145 default:
1146 break;
1147 }
1148 break;
1149
1150 case 17:
1151 switch (sd->state) {
1152 case sd_transfer_state:
1153 sd->state = sd_sendingdata_state;
1154 sd->data_start = addr;
1155 sd->data_offset = 0;
1156
1157 if (sd->data_start + sd->blk_len > sd->size)
1158 sd->card_status |= ADDRESS_ERROR;
1159 return sd_r1;
1160
1161 default:
1162 break;
1163 }
1164 break;
1165
1166 case 18:
1167 switch (sd->state) {
1168 case sd_transfer_state:
1169 sd->state = sd_sendingdata_state;
1170 sd->data_start = addr;
1171 sd->data_offset = 0;
1172
1173 if (sd->data_start + sd->blk_len > sd->size)
1174 sd->card_status |= ADDRESS_ERROR;
1175 return sd_r1;
1176
1177 default:
1178 break;
1179 }
1180 break;
1181
1182 case 19:
1183 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1184 break;
1185 }
1186 if (sd->state == sd_transfer_state) {
1187 sd->state = sd_sendingdata_state;
1188 sd->data_offset = 0;
1189 return sd_r1;
1190 }
1191 break;
1192
1193 case 23:
1194 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1195 break;
1196 }
1197 switch (sd->state) {
1198 case sd_transfer_state:
1199 sd->multi_blk_cnt = req.arg;
1200 return sd_r1;
1201
1202 default:
1203 break;
1204 }
1205 break;
1206
1207
1208 case 24:
1209 switch (sd->state) {
1210 case sd_transfer_state:
1211
1212 if (sd->spi)
1213 break;
1214 sd->state = sd_receivingdata_state;
1215 sd->data_start = addr;
1216 sd->data_offset = 0;
1217 sd->blk_written = 0;
1218
1219 if (sd->data_start + sd->blk_len > sd->size)
1220 sd->card_status |= ADDRESS_ERROR;
1221 if (sd_wp_addr(sd, sd->data_start))
1222 sd->card_status |= WP_VIOLATION;
1223 if (sd->csd[14] & 0x30)
1224 sd->card_status |= WP_VIOLATION;
1225 return sd_r1;
1226
1227 default:
1228 break;
1229 }
1230 break;
1231
1232 case 25:
1233 switch (sd->state) {
1234 case sd_transfer_state:
1235
1236 if (sd->spi)
1237 break;
1238 sd->state = sd_receivingdata_state;
1239 sd->data_start = addr;
1240 sd->data_offset = 0;
1241 sd->blk_written = 0;
1242
1243 if (sd->data_start + sd->blk_len > sd->size)
1244 sd->card_status |= ADDRESS_ERROR;
1245 if (sd_wp_addr(sd, sd->data_start))
1246 sd->card_status |= WP_VIOLATION;
1247 if (sd->csd[14] & 0x30)
1248 sd->card_status |= WP_VIOLATION;
1249 return sd_r1;
1250
1251 default:
1252 break;
1253 }
1254 break;
1255
1256 case 26:
1257 if (sd->spi)
1258 goto bad_cmd;
1259 switch (sd->state) {
1260 case sd_transfer_state:
1261 sd->state = sd_receivingdata_state;
1262 sd->data_start = 0;
1263 sd->data_offset = 0;
1264 return sd_r1;
1265
1266 default:
1267 break;
1268 }
1269 break;
1270
1271 case 27:
1272 switch (sd->state) {
1273 case sd_transfer_state:
1274 sd->state = sd_receivingdata_state;
1275 sd->data_start = 0;
1276 sd->data_offset = 0;
1277 return sd_r1;
1278
1279 default:
1280 break;
1281 }
1282 break;
1283
1284
1285 case 28:
1286 switch (sd->state) {
1287 case sd_transfer_state:
1288 if (addr >= sd->size) {
1289 sd->card_status |= ADDRESS_ERROR;
1290 return sd_r1b;
1291 }
1292
1293 sd->state = sd_programming_state;
1294 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1295
1296 sd->state = sd_transfer_state;
1297 return sd_r1b;
1298
1299 default:
1300 break;
1301 }
1302 break;
1303
1304 case 29:
1305 switch (sd->state) {
1306 case sd_transfer_state:
1307 if (addr >= sd->size) {
1308 sd->card_status |= ADDRESS_ERROR;
1309 return sd_r1b;
1310 }
1311
1312 sd->state = sd_programming_state;
1313 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1314
1315 sd->state = sd_transfer_state;
1316 return sd_r1b;
1317
1318 default:
1319 break;
1320 }
1321 break;
1322
1323 case 30:
1324 switch (sd->state) {
1325 case sd_transfer_state:
1326 sd->state = sd_sendingdata_state;
1327 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1328 sd->data_start = addr;
1329 sd->data_offset = 0;
1330 return sd_r1b;
1331
1332 default:
1333 break;
1334 }
1335 break;
1336
1337
1338 case 32:
1339 switch (sd->state) {
1340 case sd_transfer_state:
1341 sd->erase_start = req.arg;
1342 return sd_r1;
1343
1344 default:
1345 break;
1346 }
1347 break;
1348
1349 case 33:
1350 switch (sd->state) {
1351 case sd_transfer_state:
1352 sd->erase_end = req.arg;
1353 return sd_r1;
1354
1355 default:
1356 break;
1357 }
1358 break;
1359
1360 case 38:
1361 switch (sd->state) {
1362 case sd_transfer_state:
1363 if (sd->csd[14] & 0x30) {
1364 sd->card_status |= WP_VIOLATION;
1365 return sd_r1b;
1366 }
1367
1368 sd->state = sd_programming_state;
1369 sd_erase(sd);
1370
1371 sd->state = sd_transfer_state;
1372 return sd_r1b;
1373
1374 default:
1375 break;
1376 }
1377 break;
1378
1379
1380 case 42:
1381 switch (sd->state) {
1382 case sd_transfer_state:
1383 sd->state = sd_receivingdata_state;
1384 sd->data_start = 0;
1385 sd->data_offset = 0;
1386 return sd_r1;
1387
1388 default:
1389 break;
1390 }
1391 break;
1392
1393 case 52 ... 54:
1394
1395
1396
1397
1398
1399
1400 return sd_illegal;
1401
1402
1403 case 55:
1404 switch (sd->state) {
1405 case sd_ready_state:
1406 case sd_identification_state:
1407 case sd_inactive_state:
1408 return sd_illegal;
1409 case sd_idle_state:
1410 if (rca) {
1411 qemu_log_mask(LOG_GUEST_ERROR,
1412 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1413 }
1414 default:
1415 break;
1416 }
1417 if (!sd->spi) {
1418 if (sd->rca != rca) {
1419 return sd_r0;
1420 }
1421 }
1422 sd->expecting_acmd = true;
1423 sd->card_status |= APP_CMD;
1424 return sd_r1;
1425
1426 case 56:
1427 switch (sd->state) {
1428 case sd_transfer_state:
1429 sd->data_offset = 0;
1430 if (req.arg & 1)
1431 sd->state = sd_sendingdata_state;
1432 else
1433 sd->state = sd_receivingdata_state;
1434 return sd_r1;
1435
1436 default:
1437 break;
1438 }
1439 break;
1440
1441 case 58:
1442 if (!sd->spi) {
1443 goto bad_cmd;
1444 }
1445 return sd_r3;
1446
1447 case 59:
1448 if (!sd->spi) {
1449 goto bad_cmd;
1450 }
1451 goto unimplemented_spi_cmd;
1452
1453 default:
1454 bad_cmd:
1455 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1456 return sd_illegal;
1457
1458 unimplemented_spi_cmd:
1459
1460 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1461 req.cmd);
1462 return sd_illegal;
1463 }
1464
1465 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1466 return sd_illegal;
1467}
1468
1469static sd_rsp_type_t sd_app_command(SDState *sd,
1470 SDRequest req)
1471{
1472 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1473 req.cmd, req.arg, sd_state_name(sd->state));
1474 sd->card_status |= APP_CMD;
1475 switch (req.cmd) {
1476 case 6:
1477 if (sd->spi) {
1478 goto unimplemented_spi_cmd;
1479 }
1480 switch (sd->state) {
1481 case sd_transfer_state:
1482 sd->sd_status[0] &= 0x3f;
1483 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1484 return sd_r1;
1485
1486 default:
1487 break;
1488 }
1489 break;
1490
1491 case 13:
1492 switch (sd->state) {
1493 case sd_transfer_state:
1494 sd->state = sd_sendingdata_state;
1495 sd->data_start = 0;
1496 sd->data_offset = 0;
1497 return sd_r1;
1498
1499 default:
1500 break;
1501 }
1502 break;
1503
1504 case 22:
1505 switch (sd->state) {
1506 case sd_transfer_state:
1507 *(uint32_t *) sd->data = sd->blk_written;
1508
1509 sd->state = sd_sendingdata_state;
1510 sd->data_start = 0;
1511 sd->data_offset = 0;
1512 return sd_r1;
1513
1514 default:
1515 break;
1516 }
1517 break;
1518
1519 case 23:
1520 switch (sd->state) {
1521 case sd_transfer_state:
1522 return sd_r1;
1523
1524 default:
1525 break;
1526 }
1527 break;
1528
1529 case 41:
1530 if (sd->spi) {
1531
1532 sd->state = sd_transfer_state;
1533 return sd_r1;
1534 }
1535 if (sd->state != sd_idle_state) {
1536 break;
1537 }
1538
1539
1540
1541
1542
1543
1544
1545
1546 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1547 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1548 timer_del(sd->ocr_power_timer);
1549 sd_ocr_powerup(sd);
1550 } else {
1551 trace_sdcard_inquiry_cmd41();
1552 if (!timer_pending(sd->ocr_power_timer)) {
1553 timer_mod_ns(sd->ocr_power_timer,
1554 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1555 + OCR_POWER_DELAY_NS));
1556 }
1557 }
1558 }
1559
1560 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1561
1562
1563
1564
1565
1566 sd->state = sd_ready_state;
1567 }
1568
1569 return sd_r3;
1570
1571 case 42:
1572 switch (sd->state) {
1573 case sd_transfer_state:
1574
1575 return sd_r1;
1576
1577 default:
1578 break;
1579 }
1580 break;
1581
1582 case 51:
1583 switch (sd->state) {
1584 case sd_transfer_state:
1585 sd->state = sd_sendingdata_state;
1586 sd->data_start = 0;
1587 sd->data_offset = 0;
1588 return sd_r1;
1589
1590 default:
1591 break;
1592 }
1593 break;
1594
1595 case 18:
1596 case 25:
1597 case 26:
1598 case 38:
1599 case 43 ... 49:
1600
1601
1602
1603 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1604 req.cmd);
1605 return sd_illegal;
1606
1607 default:
1608
1609 return sd_normal_command(sd, req);
1610
1611 unimplemented_spi_cmd:
1612
1613 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1614 req.cmd);
1615 return sd_illegal;
1616 }
1617
1618 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1619 return sd_illegal;
1620}
1621
1622static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1623{
1624
1625
1626
1627
1628
1629
1630
1631
1632 if (sd->expecting_acmd) {
1633 return req->cmd == 41 || req->cmd == 42;
1634 }
1635 if (req->cmd == 16 || req->cmd == 55) {
1636 return 1;
1637 }
1638 return sd_cmd_class[req->cmd] == 0
1639 || sd_cmd_class[req->cmd] == 7;
1640}
1641
1642int sd_do_command(SDState *sd, SDRequest *req,
1643 uint8_t *response) {
1644 int last_state;
1645 sd_rsp_type_t rtype;
1646 int rsplen;
1647
1648 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1649 return 0;
1650 }
1651
1652 if (sd_req_crc_validate(req)) {
1653 sd->card_status |= COM_CRC_ERROR;
1654 rtype = sd_illegal;
1655 goto send_response;
1656 }
1657
1658 if (req->cmd >= SDMMC_CMD_MAX) {
1659 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1660 req->cmd);
1661 req->cmd &= 0x3f;
1662 }
1663
1664 if (sd->card_status & CARD_IS_LOCKED) {
1665 if (!cmd_valid_while_locked(sd, req)) {
1666 sd->card_status |= ILLEGAL_COMMAND;
1667 sd->expecting_acmd = false;
1668 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1669 rtype = sd_illegal;
1670 goto send_response;
1671 }
1672 }
1673
1674 last_state = sd->state;
1675 sd_set_mode(sd);
1676
1677 if (sd->expecting_acmd) {
1678 sd->expecting_acmd = false;
1679 rtype = sd_app_command(sd, *req);
1680 } else {
1681 rtype = sd_normal_command(sd, *req);
1682 }
1683
1684 if (rtype == sd_illegal) {
1685 sd->card_status |= ILLEGAL_COMMAND;
1686 } else {
1687
1688
1689
1690 sd->current_cmd = req->cmd;
1691 sd->card_status &= ~CURRENT_STATE;
1692 sd->card_status |= (last_state << 9);
1693 }
1694
1695send_response:
1696 switch (rtype) {
1697 case sd_r1:
1698 case sd_r1b:
1699 sd_response_r1_make(sd, response);
1700 rsplen = 4;
1701 break;
1702
1703 case sd_r2_i:
1704 memcpy(response, sd->cid, sizeof(sd->cid));
1705 rsplen = 16;
1706 break;
1707
1708 case sd_r2_s:
1709 memcpy(response, sd->csd, sizeof(sd->csd));
1710 rsplen = 16;
1711 break;
1712
1713 case sd_r3:
1714 sd_response_r3_make(sd, response);
1715 rsplen = 4;
1716 break;
1717
1718 case sd_r6:
1719 sd_response_r6_make(sd, response);
1720 rsplen = 4;
1721 break;
1722
1723 case sd_r7:
1724 sd_response_r7_make(sd, response);
1725 rsplen = 4;
1726 break;
1727
1728 case sd_r0:
1729 case sd_illegal:
1730 rsplen = 0;
1731 break;
1732 default:
1733 g_assert_not_reached();
1734 }
1735 trace_sdcard_response(sd_response_name(rtype), rsplen);
1736
1737 if (rtype != sd_illegal) {
1738
1739
1740
1741 sd->card_status &= ~CARD_STATUS_B;
1742 }
1743
1744#ifdef DEBUG_SD
1745 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
1746#endif
1747
1748 return rsplen;
1749}
1750
1751static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1752{
1753 trace_sdcard_read_block(addr, len);
1754 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1755 fprintf(stderr, "sd_blk_read: read error on host side\n");
1756 }
1757}
1758
1759static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1760{
1761 trace_sdcard_write_block(addr, len);
1762 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1763 fprintf(stderr, "sd_blk_write: write error on host side\n");
1764 }
1765}
1766
1767#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1768#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1769#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1770#define APP_WRITE_BLOCK(a, len)
1771
1772void sd_write_data(SDState *sd, uint8_t value)
1773{
1774 int i;
1775
1776 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1777 return;
1778
1779 if (sd->state != sd_receivingdata_state) {
1780 qemu_log_mask(LOG_GUEST_ERROR,
1781 "sd_write_data: not in Receiving-Data state\n");
1782 return;
1783 }
1784
1785 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1786 return;
1787
1788 trace_sdcard_write_data(sd->proto_name,
1789 sd_acmd_name(sd->current_cmd),
1790 sd->current_cmd, value);
1791 switch (sd->current_cmd) {
1792 case 24:
1793 sd->data[sd->data_offset ++] = value;
1794 if (sd->data_offset >= sd->blk_len) {
1795
1796 sd->state = sd_programming_state;
1797 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1798 sd->blk_written ++;
1799 sd->csd[14] |= 0x40;
1800
1801 sd->state = sd_transfer_state;
1802 }
1803 break;
1804
1805 case 25:
1806 if (sd->data_offset == 0) {
1807
1808 if (sd->data_start + sd->blk_len > sd->size) {
1809 sd->card_status |= ADDRESS_ERROR;
1810 break;
1811 }
1812 if (sd_wp_addr(sd, sd->data_start)) {
1813 sd->card_status |= WP_VIOLATION;
1814 break;
1815 }
1816 }
1817 sd->data[sd->data_offset++] = value;
1818 if (sd->data_offset >= sd->blk_len) {
1819
1820 sd->state = sd_programming_state;
1821 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1822 sd->blk_written++;
1823 sd->data_start += sd->blk_len;
1824 sd->data_offset = 0;
1825 sd->csd[14] |= 0x40;
1826
1827
1828 if (sd->multi_blk_cnt != 0) {
1829 if (--sd->multi_blk_cnt == 0) {
1830
1831 sd->state = sd_transfer_state;
1832 break;
1833 }
1834 }
1835
1836 sd->state = sd_receivingdata_state;
1837 }
1838 break;
1839
1840 case 26:
1841 sd->data[sd->data_offset ++] = value;
1842 if (sd->data_offset >= sizeof(sd->cid)) {
1843
1844 sd->state = sd_programming_state;
1845 for (i = 0; i < sizeof(sd->cid); i ++)
1846 if ((sd->cid[i] | 0x00) != sd->data[i])
1847 sd->card_status |= CID_CSD_OVERWRITE;
1848
1849 if (!(sd->card_status & CID_CSD_OVERWRITE))
1850 for (i = 0; i < sizeof(sd->cid); i ++) {
1851 sd->cid[i] |= 0x00;
1852 sd->cid[i] &= sd->data[i];
1853 }
1854
1855 sd->state = sd_transfer_state;
1856 }
1857 break;
1858
1859 case 27:
1860 sd->data[sd->data_offset ++] = value;
1861 if (sd->data_offset >= sizeof(sd->csd)) {
1862
1863 sd->state = sd_programming_state;
1864 for (i = 0; i < sizeof(sd->csd); i ++)
1865 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1866 (sd->data[i] | sd_csd_rw_mask[i]))
1867 sd->card_status |= CID_CSD_OVERWRITE;
1868
1869
1870 if (sd->csd[14] & ~sd->data[14] & 0x60)
1871 sd->card_status |= CID_CSD_OVERWRITE;
1872
1873 if (!(sd->card_status & CID_CSD_OVERWRITE))
1874 for (i = 0; i < sizeof(sd->csd); i ++) {
1875 sd->csd[i] |= sd_csd_rw_mask[i];
1876 sd->csd[i] &= sd->data[i];
1877 }
1878
1879 sd->state = sd_transfer_state;
1880 }
1881 break;
1882
1883 case 42:
1884 sd->data[sd->data_offset ++] = value;
1885 if (sd->data_offset >= sd->blk_len) {
1886
1887 sd->state = sd_programming_state;
1888 sd_lock_command(sd);
1889
1890 sd->state = sd_transfer_state;
1891 }
1892 break;
1893
1894 case 56:
1895 sd->data[sd->data_offset ++] = value;
1896 if (sd->data_offset >= sd->blk_len) {
1897 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1898 sd->state = sd_transfer_state;
1899 }
1900 break;
1901
1902 default:
1903 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1904 break;
1905 }
1906}
1907
1908#define SD_TUNING_BLOCK_SIZE 64
1909
1910static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1911
1912 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1913 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1914 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1915 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1916 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1917 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1918 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1919 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1920};
1921
1922uint8_t sd_read_data(SDState *sd)
1923{
1924
1925 uint8_t ret;
1926 int io_len;
1927
1928 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1929 return 0x00;
1930
1931 if (sd->state != sd_sendingdata_state) {
1932 qemu_log_mask(LOG_GUEST_ERROR,
1933 "sd_read_data: not in Sending-Data state\n");
1934 return 0x00;
1935 }
1936
1937 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1938 return 0x00;
1939
1940 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1941
1942 trace_sdcard_read_data(sd->proto_name,
1943 sd_acmd_name(sd->current_cmd),
1944 sd->current_cmd, io_len);
1945 switch (sd->current_cmd) {
1946 case 6:
1947 ret = sd->data[sd->data_offset ++];
1948
1949 if (sd->data_offset >= 64)
1950 sd->state = sd_transfer_state;
1951 break;
1952
1953 case 9:
1954 case 10:
1955 ret = sd->data[sd->data_offset ++];
1956
1957 if (sd->data_offset >= 16)
1958 sd->state = sd_transfer_state;
1959 break;
1960
1961 case 13:
1962 ret = sd->sd_status[sd->data_offset ++];
1963
1964 if (sd->data_offset >= sizeof(sd->sd_status))
1965 sd->state = sd_transfer_state;
1966 break;
1967
1968 case 17:
1969 if (sd->data_offset == 0)
1970 BLK_READ_BLOCK(sd->data_start, io_len);
1971 ret = sd->data[sd->data_offset ++];
1972
1973 if (sd->data_offset >= io_len)
1974 sd->state = sd_transfer_state;
1975 break;
1976
1977 case 18:
1978 if (sd->data_offset == 0) {
1979 if (sd->data_start + io_len > sd->size) {
1980 sd->card_status |= ADDRESS_ERROR;
1981 return 0x00;
1982 }
1983 BLK_READ_BLOCK(sd->data_start, io_len);
1984 }
1985 ret = sd->data[sd->data_offset ++];
1986
1987 if (sd->data_offset >= io_len) {
1988 sd->data_start += io_len;
1989 sd->data_offset = 0;
1990
1991 if (sd->multi_blk_cnt != 0) {
1992 if (--sd->multi_blk_cnt == 0) {
1993
1994 sd->state = sd_transfer_state;
1995 break;
1996 }
1997 }
1998 }
1999 break;
2000
2001 case 19:
2002 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2003 sd->state = sd_transfer_state;
2004 }
2005 ret = sd_tuning_block_pattern[sd->data_offset++];
2006 break;
2007
2008 case 22:
2009 ret = sd->data[sd->data_offset ++];
2010
2011 if (sd->data_offset >= 4)
2012 sd->state = sd_transfer_state;
2013 break;
2014
2015 case 30:
2016 ret = sd->data[sd->data_offset ++];
2017
2018 if (sd->data_offset >= 4)
2019 sd->state = sd_transfer_state;
2020 break;
2021
2022 case 51:
2023 ret = sd->scr[sd->data_offset ++];
2024
2025 if (sd->data_offset >= sizeof(sd->scr))
2026 sd->state = sd_transfer_state;
2027 break;
2028
2029 case 56:
2030 if (sd->data_offset == 0)
2031 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2032 ret = sd->data[sd->data_offset ++];
2033
2034 if (sd->data_offset >= sd->blk_len)
2035 sd->state = sd_transfer_state;
2036 break;
2037
2038 default:
2039 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
2040 return 0x00;
2041 }
2042
2043 return ret;
2044}
2045
2046bool sd_data_ready(SDState *sd)
2047{
2048 return sd->state == sd_sendingdata_state;
2049}
2050
2051void sd_enable(SDState *sd, bool enable)
2052{
2053 sd->enable = enable;
2054}
2055
2056static void sd_instance_init(Object *obj)
2057{
2058 SDState *sd = SD_CARD(obj);
2059
2060 sd->enable = true;
2061 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2062}
2063
2064static void sd_instance_finalize(Object *obj)
2065{
2066 SDState *sd = SD_CARD(obj);
2067
2068 timer_del(sd->ocr_power_timer);
2069 timer_free(sd->ocr_power_timer);
2070}
2071
2072static void sd_realize(DeviceState *dev, Error **errp)
2073{
2074 SDState *sd = SD_CARD(dev);
2075 int ret;
2076
2077 sd->proto_name = sd->spi ? "SPI" : "SD";
2078
2079 switch (sd->spec_version) {
2080 case SD_PHY_SPECv1_10_VERS
2081 ... SD_PHY_SPECv3_01_VERS:
2082 break;
2083 default:
2084 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2085 return;
2086 }
2087
2088 if (sd->blk && blk_is_read_only(sd->blk)) {
2089 error_setg(errp, "Cannot use read-only drive as SD card");
2090 return;
2091 }
2092
2093 if (sd->blk) {
2094 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2095 BLK_PERM_ALL, errp);
2096 if (ret < 0) {
2097 return;
2098 }
2099 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2100 }
2101}
2102
2103static Property sd_properties[] = {
2104 DEFINE_PROP_UINT8("spec_version", SDState,
2105 spec_version, SD_PHY_SPECv2_00_VERS),
2106 DEFINE_PROP_DRIVE("drive", SDState, blk),
2107
2108
2109
2110
2111 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2112 DEFINE_PROP_END_OF_LIST()
2113};
2114
2115static void sd_class_init(ObjectClass *klass, void *data)
2116{
2117 DeviceClass *dc = DEVICE_CLASS(klass);
2118 SDCardClass *sc = SD_CARD_CLASS(klass);
2119
2120 dc->realize = sd_realize;
2121 dc->props = sd_properties;
2122 dc->vmsd = &sd_vmstate;
2123 dc->reset = sd_reset;
2124 dc->bus_type = TYPE_SD_BUS;
2125 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2126
2127 sc->set_voltage = sd_set_voltage;
2128 sc->get_dat_lines = sd_get_dat_lines;
2129 sc->get_cmd_line = sd_get_cmd_line;
2130 sc->do_command = sd_do_command;
2131 sc->write_data = sd_write_data;
2132 sc->read_data = sd_read_data;
2133 sc->data_ready = sd_data_ready;
2134 sc->enable = sd_enable;
2135 sc->get_inserted = sd_get_inserted;
2136 sc->get_readonly = sd_get_readonly;
2137}
2138
2139static const TypeInfo sd_info = {
2140 .name = TYPE_SD_CARD,
2141 .parent = TYPE_DEVICE,
2142 .instance_size = sizeof(SDState),
2143 .class_size = sizeof(SDCardClass),
2144 .class_init = sd_class_init,
2145 .instance_init = sd_instance_init,
2146 .instance_finalize = sd_instance_finalize,
2147};
2148
2149static void sd_register_types(void)
2150{
2151 type_register_static(&sd_info);
2152}
2153
2154type_init(sd_register_types)
2155
