1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33#include "qemu/osdep.h"
34#include "qemu/units.h"
35#include "qemu/cutils.h"
36#include "hw/irq.h"
37#include "hw/registerfields.h"
38#include "sysemu/block-backend.h"
39#include "hw/sd/sd.h"
40#include "hw/sd/sdcard_legacy.h"
41#include "migration/vmstate.h"
42#include "qapi/error.h"
43#include "qemu/bitmap.h"
44#include "hw/qdev-properties.h"
45#include "hw/qdev-properties-system.h"
46#include "qemu/error-report.h"
47#include "qemu/timer.h"
48#include "qemu/log.h"
49#include "qemu/module.h"
50#include "qemu-common.h"
51#include "sdmmc-internal.h"
52#include "trace.h"
53
54
55
56#define SDSC_MAX_CAPACITY (2 * GiB)
57
58#define INVALID_ADDRESS UINT32_MAX
59
60typedef enum {
61 sd_r0 = 0,
62 sd_r1,
63 sd_r2_i,
64 sd_r2_s,
65 sd_r3,
66 sd_r6 = 6,
67 sd_r7,
68 sd_r1b = -1,
69 sd_illegal = -2,
70} sd_rsp_type_t;
71
72enum SDCardModes {
73 sd_inactive,
74 sd_card_identification_mode,
75 sd_data_transfer_mode,
76};
77
78enum SDCardStates {
79 sd_inactive_state = -1,
80 sd_idle_state = 0,
81 sd_ready_state,
82 sd_identification_state,
83 sd_standby_state,
84 sd_transfer_state,
85 sd_sendingdata_state,
86 sd_receivingdata_state,
87 sd_programming_state,
88 sd_disconnect_state,
89};
90
91struct SDState {
92 DeviceState parent_obj;
93
94
95
96 bool me_no_qdev_me_kill_mammoth_with_rocks;
97
98
99 uint32_t ocr;
100 uint8_t scr[8];
101 uint8_t cid[16];
102 uint8_t csd[16];
103 uint16_t rca;
104 uint32_t card_status;
105 uint8_t sd_status[64];
106
107
108
109 uint8_t spec_version;
110 BlockBackend *blk;
111 bool spi;
112
113
114
115 uint32_t mode;
116 int32_t state;
117 uint32_t vhs;
118 bool wp_switch;
119 unsigned long *wp_groups;
120 int32_t wpgrps_size;
121 uint64_t size;
122 uint32_t blk_len;
123 uint32_t multi_blk_cnt;
124 uint32_t erase_start;
125 uint32_t erase_end;
126 uint8_t pwd[16];
127 uint32_t pwd_len;
128 uint8_t function_group[6];
129 uint8_t current_cmd;
130
131
132
133 bool expecting_acmd;
134 uint32_t blk_written;
135 uint64_t data_start;
136 uint32_t data_offset;
137 uint8_t data[512];
138 qemu_irq readonly_cb;
139 qemu_irq inserted_cb;
140 QEMUTimer *ocr_power_timer;
141 const char *proto_name;
142 bool enable;
143 uint8_t dat_lines;
144 bool cmd_line;
145};
146
147static void sd_realize(DeviceState *dev, Error **errp);
148
149static const char *sd_state_name(enum SDCardStates state)
150{
151 static const char *state_name[] = {
152 [sd_idle_state] = "idle",
153 [sd_ready_state] = "ready",
154 [sd_identification_state] = "identification",
155 [sd_standby_state] = "standby",
156 [sd_transfer_state] = "transfer",
157 [sd_sendingdata_state] = "sendingdata",
158 [sd_receivingdata_state] = "receivingdata",
159 [sd_programming_state] = "programming",
160 [sd_disconnect_state] = "disconnect",
161 };
162 if (state == sd_inactive_state) {
163 return "inactive";
164 }
165 assert(state < ARRAY_SIZE(state_name));
166 return state_name[state];
167}
168
169static const char *sd_response_name(sd_rsp_type_t rsp)
170{
171 static const char *response_name[] = {
172 [sd_r0] = "RESP#0 (no response)",
173 [sd_r1] = "RESP#1 (normal cmd)",
174 [sd_r2_i] = "RESP#2 (CID reg)",
175 [sd_r2_s] = "RESP#2 (CSD reg)",
176 [sd_r3] = "RESP#3 (OCR reg)",
177 [sd_r6] = "RESP#6 (RCA)",
178 [sd_r7] = "RESP#7 (operating voltage)",
179 };
180 if (rsp == sd_illegal) {
181 return "ILLEGAL RESP";
182 }
183 if (rsp == sd_r1b) {
184 rsp = sd_r1;
185 }
186 assert(rsp < ARRAY_SIZE(response_name));
187 return response_name[rsp];
188}
189
190static uint8_t sd_get_dat_lines(SDState *sd)
191{
192 return sd->enable ? sd->dat_lines : 0;
193}
194
195static bool sd_get_cmd_line(SDState *sd)
196{
197 return sd->enable ? sd->cmd_line : false;
198}
199
200static void sd_set_voltage(SDState *sd, uint16_t millivolts)
201{
202 trace_sdcard_set_voltage(millivolts);
203
204 switch (millivolts) {
205 case 3001 ... 3600:
206 case 2001 ... 3000:
207 break;
208 default:
209 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
210 millivolts / 1000.f);
211 }
212}
213
214static void sd_set_mode(SDState *sd)
215{
216 switch (sd->state) {
217 case sd_inactive_state:
218 sd->mode = sd_inactive;
219 break;
220
221 case sd_idle_state:
222 case sd_ready_state:
223 case sd_identification_state:
224 sd->mode = sd_card_identification_mode;
225 break;
226
227 case sd_standby_state:
228 case sd_transfer_state:
229 case sd_sendingdata_state:
230 case sd_receivingdata_state:
231 case sd_programming_state:
232 case sd_disconnect_state:
233 sd->mode = sd_data_transfer_mode;
234 break;
235 }
236}
237
238static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
239 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
240 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
241
242 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
243 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
244
245 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
246 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
247
248 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
249 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
250};
251
252static const int sd_cmd_class[SDMMC_CMD_MAX] = {
253 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
254 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
255 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
256 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
257};
258
259static uint8_t sd_crc7(const void *message, size_t width)
260{
261 int i, bit;
262 uint8_t shift_reg = 0x00;
263 const uint8_t *msg = (const uint8_t *)message;
264
265 for (i = 0; i < width; i ++, msg ++)
266 for (bit = 7; bit >= 0; bit --) {
267 shift_reg <<= 1;
268 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
269 shift_reg ^= 0x89;
270 }
271
272 return shift_reg;
273}
274
275#define OCR_POWER_DELAY_NS 500000
276
277FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
278FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
279FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
280FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
281FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1)
282FIELD(OCR, UHS_II_CARD, 29, 1)
283FIELD(OCR, CARD_CAPACITY, 30, 1)
284FIELD(OCR, CARD_POWER_UP, 31, 1)
285
286#define ACMD41_ENQUIRY_MASK 0x00ffffff
287#define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
288 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
289 | R_OCR_UHS_II_CARD_MASK \
290 | R_OCR_CARD_CAPACITY_MASK \
291 | R_OCR_CARD_POWER_UP_MASK)
292
293static void sd_set_ocr(SDState *sd)
294{
295
296 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
297}
298
299static void sd_ocr_powerup(void *opaque)
300{
301 SDState *sd = opaque;
302
303 trace_sdcard_powerup();
304 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
305
306
307 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
308
309 if (sd->size > SDSC_MAX_CAPACITY) {
310 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
311 }
312}
313
314static void sd_set_scr(SDState *sd)
315{
316 sd->scr[0] = 0 << 4;
317 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
318 sd->scr[0] |= 1;
319 } else {
320 sd->scr[0] |= 2;
321 }
322 sd->scr[1] = (2 << 4)
323 | 0b0101;
324 sd->scr[2] = 0x00;
325 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
326 sd->scr[2] |= 1 << 7;
327 }
328 sd->scr[3] = 0x00;
329
330 sd->scr[4] = 0x00;
331 sd->scr[5] = 0x00;
332 sd->scr[6] = 0x00;
333 sd->scr[7] = 0x00;
334}
335
336#define MID 0xaa
337#define OID "XY"
338#define PNM "QEMU!"
339#define PRV 0x01
340#define MDT_YR 2006
341#define MDT_MON 2
342
343static void sd_set_cid(SDState *sd)
344{
345 sd->cid[0] = MID;
346 sd->cid[1] = OID[0];
347 sd->cid[2] = OID[1];
348 sd->cid[3] = PNM[0];
349 sd->cid[4] = PNM[1];
350 sd->cid[5] = PNM[2];
351 sd->cid[6] = PNM[3];
352 sd->cid[7] = PNM[4];
353 sd->cid[8] = PRV;
354 sd->cid[9] = 0xde;
355 sd->cid[10] = 0xad;
356 sd->cid[11] = 0xbe;
357 sd->cid[12] = 0xef;
358 sd->cid[13] = 0x00 |
359 ((MDT_YR - 2000) / 10);
360 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
361 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
362}
363
364#define HWBLOCK_SHIFT 9
365#define SECTOR_SHIFT 5
366#define WPGROUP_SHIFT 7
367#define CMULT_SHIFT 9
368#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
369
370static const uint8_t sd_csd_rw_mask[16] = {
371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
373};
374
375static void sd_set_csd(SDState *sd, uint64_t size)
376{
377 int hwblock_shift = HWBLOCK_SHIFT;
378 uint32_t csize;
379 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
380 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
381
382
383 if (size == SDSC_MAX_CAPACITY) {
384 hwblock_shift += 1;
385 }
386 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
387
388 if (size <= SDSC_MAX_CAPACITY) {
389 sd->csd[0] = 0x00;
390 sd->csd[1] = 0x26;
391 sd->csd[2] = 0x00;
392 sd->csd[3] = 0x32;
393 sd->csd[4] = 0x5f;
394 sd->csd[5] = 0x50 |
395 hwblock_shift;
396 sd->csd[6] = 0xe0 |
397 ((csize >> 10) & 0x03);
398 sd->csd[7] = 0x00 |
399 ((csize >> 2) & 0xff);
400 sd->csd[8] = 0x3f |
401 ((csize << 6) & 0xc0);
402 sd->csd[9] = 0xfc |
403 ((CMULT_SHIFT - 2) >> 1);
404 sd->csd[10] = 0x40 |
405 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
406 sd->csd[11] = 0x00 |
407 ((sectsize << 7) & 0x80) | wpsize;
408 sd->csd[12] = 0x90 |
409 (hwblock_shift >> 2);
410 sd->csd[13] = 0x20 |
411 ((hwblock_shift << 6) & 0xc0);
412 sd->csd[14] = 0x00;
413 } else {
414 size /= 512 * KiB;
415 size -= 1;
416 sd->csd[0] = 0x40;
417 sd->csd[1] = 0x0e;
418 sd->csd[2] = 0x00;
419 sd->csd[3] = 0x32;
420 sd->csd[4] = 0x5b;
421 sd->csd[5] = 0x59;
422 sd->csd[6] = 0x00;
423 sd->csd[7] = (size >> 16) & 0xff;
424 sd->csd[8] = (size >> 8) & 0xff;
425 sd->csd[9] = (size & 0xff);
426 sd->csd[10] = 0x7f;
427 sd->csd[11] = 0x80;
428 sd->csd[12] = 0x0a;
429 sd->csd[13] = 0x40;
430 sd->csd[14] = 0x00;
431 }
432 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
433}
434
435static void sd_set_rca(SDState *sd)
436{
437 sd->rca += 0x4567;
438}
439
440FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
441FIELD(CSR, APP_CMD, 5, 1)
442FIELD(CSR, FX_EVENT, 6, 1)
443FIELD(CSR, READY_FOR_DATA, 8, 1)
444FIELD(CSR, CURRENT_STATE, 9, 4)
445FIELD(CSR, ERASE_RESET, 13, 1)
446FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
447FIELD(CSR, WP_ERASE_SKIP, 15, 1)
448FIELD(CSR, CSD_OVERWRITE, 16, 1)
449FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
450FIELD(CSR, ERROR, 19, 1)
451FIELD(CSR, CC_ERROR, 20, 1)
452FIELD(CSR, CARD_ECC_FAILED, 21, 1)
453FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
454FIELD(CSR, COM_CRC_ERROR, 23, 1)
455FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
456FIELD(CSR, CARD_IS_LOCKED, 25, 1)
457FIELD(CSR, WP_VIOLATION, 26, 1)
458FIELD(CSR, ERASE_PARAM, 27, 1)
459FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
460FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
461FIELD(CSR, ADDRESS_ERROR, 30, 1)
462FIELD(CSR, OUT_OF_RANGE, 31, 1)
463
464
465
466
467
468
469#define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
470 | R_CSR_CARD_ECC_DISABLED_MASK \
471 | R_CSR_CARD_IS_LOCKED_MASK)
472#define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
473 | R_CSR_ILLEGAL_COMMAND_MASK \
474 | R_CSR_COM_CRC_ERROR_MASK)
475#define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
476 | R_CSR_APP_CMD_MASK \
477 | R_CSR_ERASE_RESET_MASK \
478 | R_CSR_WP_ERASE_SKIP_MASK \
479 | R_CSR_CSD_OVERWRITE_MASK \
480 | R_CSR_ERROR_MASK \
481 | R_CSR_CC_ERROR_MASK \
482 | R_CSR_CARD_ECC_FAILED_MASK \
483 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
484 | R_CSR_WP_VIOLATION_MASK \
485 | R_CSR_ERASE_PARAM_MASK \
486 | R_CSR_ERASE_SEQ_ERROR_MASK \
487 | R_CSR_BLOCK_LEN_ERROR_MASK \
488 | R_CSR_ADDRESS_ERROR_MASK \
489 | R_CSR_OUT_OF_RANGE_MASK)
490
491static void sd_set_cardstatus(SDState *sd)
492{
493 sd->card_status = 0x00000100;
494}
495
496static void sd_set_sdstatus(SDState *sd)
497{
498 memset(sd->sd_status, 0, 64);
499}
500
501static int sd_req_crc_validate(SDRequest *req)
502{
503 uint8_t buffer[5];
504 buffer[0] = 0x40 | req->cmd;
505 stl_be_p(&buffer[1], req->arg);
506 return 0;
507 return sd_crc7(buffer, 5) != req->crc;
508}
509
510static void sd_response_r1_make(SDState *sd, uint8_t *response)
511{
512 stl_be_p(response, sd->card_status);
513
514
515 sd->card_status &= ~CARD_STATUS_C;
516}
517
518static void sd_response_r3_make(SDState *sd, uint8_t *response)
519{
520 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
521}
522
523static void sd_response_r6_make(SDState *sd, uint8_t *response)
524{
525 uint16_t status;
526
527 status = ((sd->card_status >> 8) & 0xc000) |
528 ((sd->card_status >> 6) & 0x2000) |
529 (sd->card_status & 0x1fff);
530 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
531 stw_be_p(response + 0, sd->rca);
532 stw_be_p(response + 2, status);
533}
534
535static void sd_response_r7_make(SDState *sd, uint8_t *response)
536{
537 stl_be_p(response, sd->vhs);
538}
539
540static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
541{
542 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
543}
544
545static void sd_reset(DeviceState *dev)
546{
547 SDState *sd = SD_CARD(dev);
548 uint64_t size;
549 uint64_t sect;
550
551 trace_sdcard_reset();
552 if (sd->blk) {
553 blk_get_geometry(sd->blk, §);
554 } else {
555 sect = 0;
556 }
557 size = sect << 9;
558
559 sect = sd_addr_to_wpnum(size) + 1;
560
561 sd->state = sd_idle_state;
562 sd->rca = 0x0000;
563 sd_set_ocr(sd);
564 sd_set_scr(sd);
565 sd_set_cid(sd);
566 sd_set_csd(sd, size);
567 sd_set_cardstatus(sd);
568 sd_set_sdstatus(sd);
569
570 g_free(sd->wp_groups);
571 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
572 sd->wpgrps_size = sect;
573 sd->wp_groups = bitmap_new(sd->wpgrps_size);
574 memset(sd->function_group, 0, sizeof(sd->function_group));
575 sd->erase_start = INVALID_ADDRESS;
576 sd->erase_end = INVALID_ADDRESS;
577 sd->size = size;
578 sd->blk_len = 0x200;
579 sd->pwd_len = 0;
580 sd->expecting_acmd = false;
581 sd->dat_lines = 0xf;
582 sd->cmd_line = true;
583 sd->multi_blk_cnt = 0;
584}
585
586static bool sd_get_inserted(SDState *sd)
587{
588 return sd->blk && blk_is_inserted(sd->blk);
589}
590
591static bool sd_get_readonly(SDState *sd)
592{
593 return sd->wp_switch;
594}
595
596static void sd_cardchange(void *opaque, bool load, Error **errp)
597{
598 SDState *sd = opaque;
599 DeviceState *dev = DEVICE(sd);
600 SDBus *sdbus;
601 bool inserted = sd_get_inserted(sd);
602 bool readonly = sd_get_readonly(sd);
603
604 if (inserted) {
605 trace_sdcard_inserted(readonly);
606 sd_reset(dev);
607 } else {
608 trace_sdcard_ejected();
609 }
610
611 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
612 qemu_set_irq(sd->inserted_cb, inserted);
613 if (inserted) {
614 qemu_set_irq(sd->readonly_cb, readonly);
615 }
616 } else {
617 sdbus = SD_BUS(qdev_get_parent_bus(dev));
618 sdbus_set_inserted(sdbus, inserted);
619 if (inserted) {
620 sdbus_set_readonly(sdbus, readonly);
621 }
622 }
623}
624
625static const BlockDevOps sd_block_ops = {
626 .change_media_cb = sd_cardchange,
627};
628
629static bool sd_ocr_vmstate_needed(void *opaque)
630{
631 SDState *sd = opaque;
632
633
634 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
635}
636
637static const VMStateDescription sd_ocr_vmstate = {
638 .name = "sd-card/ocr-state",
639 .version_id = 1,
640 .minimum_version_id = 1,
641 .needed = sd_ocr_vmstate_needed,
642 .fields = (VMStateField[]) {
643 VMSTATE_UINT32(ocr, SDState),
644 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
645 VMSTATE_END_OF_LIST()
646 },
647};
648
649static int sd_vmstate_pre_load(void *opaque)
650{
651 SDState *sd = opaque;
652
653
654
655
656
657 sd_ocr_powerup(sd);
658
659 return 0;
660}
661
662static const VMStateDescription sd_vmstate = {
663 .name = "sd-card",
664 .version_id = 2,
665 .minimum_version_id = 2,
666 .pre_load = sd_vmstate_pre_load,
667 .fields = (VMStateField[]) {
668 VMSTATE_UINT32(mode, SDState),
669 VMSTATE_INT32(state, SDState),
670 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
671 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
672 VMSTATE_UINT16(rca, SDState),
673 VMSTATE_UINT32(card_status, SDState),
674 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
675 VMSTATE_UINT32(vhs, SDState),
676 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
677 VMSTATE_UINT32(blk_len, SDState),
678 VMSTATE_UINT32(multi_blk_cnt, SDState),
679 VMSTATE_UINT32(erase_start, SDState),
680 VMSTATE_UINT32(erase_end, SDState),
681 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
682 VMSTATE_UINT32(pwd_len, SDState),
683 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
684 VMSTATE_UINT8(current_cmd, SDState),
685 VMSTATE_BOOL(expecting_acmd, SDState),
686 VMSTATE_UINT32(blk_written, SDState),
687 VMSTATE_UINT64(data_start, SDState),
688 VMSTATE_UINT32(data_offset, SDState),
689 VMSTATE_UINT8_ARRAY(data, SDState, 512),
690 VMSTATE_UNUSED_V(1, 512),
691 VMSTATE_BOOL(enable, SDState),
692 VMSTATE_END_OF_LIST()
693 },
694 .subsections = (const VMStateDescription*[]) {
695 &sd_ocr_vmstate,
696 NULL
697 },
698};
699
700
701SDState *sd_init(BlockBackend *blk, bool is_spi)
702{
703 Object *obj;
704 DeviceState *dev;
705 SDState *sd;
706 Error *err = NULL;
707
708 obj = object_new(TYPE_SD_CARD);
709 dev = DEVICE(obj);
710 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
711 error_reportf_err(err, "sd_init failed: ");
712 return NULL;
713 }
714 qdev_prop_set_bit(dev, "spi", is_spi);
715
716
717
718
719
720
721
722 object_ref(obj);
723 object_unparent(obj);
724 sd_realize(dev, &err);
725 if (err) {
726 error_reportf_err(err, "sd_init failed: ");
727 return NULL;
728 }
729
730 sd = SD_CARD(dev);
731 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
732 return sd;
733}
734
735void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
736{
737 sd->readonly_cb = readonly;
738 sd->inserted_cb = insert;
739 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
740 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
741}
742
743static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
744{
745 trace_sdcard_read_block(addr, len);
746 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
747 fprintf(stderr, "sd_blk_read: read error on host side\n");
748 }
749}
750
751static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
752{
753 trace_sdcard_write_block(addr, len);
754 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
755 fprintf(stderr, "sd_blk_write: write error on host side\n");
756 }
757}
758
759#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
760#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
761#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
762#define APP_WRITE_BLOCK(a, len)
763
764static void sd_erase(SDState *sd)
765{
766 uint64_t erase_start = sd->erase_start;
767 uint64_t erase_end = sd->erase_end;
768 bool sdsc = true;
769 uint64_t wpnum;
770 uint64_t erase_addr;
771 int erase_len = 1 << HWBLOCK_SHIFT;
772
773 trace_sdcard_erase(sd->erase_start, sd->erase_end);
774 if (sd->erase_start == INVALID_ADDRESS
775 || sd->erase_end == INVALID_ADDRESS) {
776 sd->card_status |= ERASE_SEQ_ERROR;
777 sd->erase_start = INVALID_ADDRESS;
778 sd->erase_end = INVALID_ADDRESS;
779 return;
780 }
781
782 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
783
784 erase_start *= 512;
785 erase_end *= 512;
786 sdsc = false;
787 }
788
789 if (erase_start > sd->size || erase_end > sd->size) {
790 sd->card_status |= OUT_OF_RANGE;
791 sd->erase_start = INVALID_ADDRESS;
792 sd->erase_end = INVALID_ADDRESS;
793 return;
794 }
795
796 sd->erase_start = INVALID_ADDRESS;
797 sd->erase_end = INVALID_ADDRESS;
798 sd->csd[14] |= 0x40;
799
800 memset(sd->data, 0xff, erase_len);
801 for (erase_addr = erase_start; erase_addr <= erase_end;
802 erase_addr += erase_len) {
803 if (sdsc) {
804
805 wpnum = sd_addr_to_wpnum(erase_addr);
806 assert(wpnum < sd->wpgrps_size);
807 if (test_bit(wpnum, sd->wp_groups)) {
808 sd->card_status |= WP_ERASE_SKIP;
809 continue;
810 }
811 }
812 BLK_WRITE_BLOCK(erase_addr, erase_len);
813 }
814}
815
816static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
817{
818 uint32_t i, wpnum;
819 uint32_t ret = 0;
820
821 wpnum = sd_addr_to_wpnum(addr);
822
823 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
824 if (addr >= sd->size) {
825
826
827
828
829 continue;
830 }
831 assert(wpnum < sd->wpgrps_size);
832 if (test_bit(wpnum, sd->wp_groups)) {
833 ret |= (1 << i);
834 }
835 }
836
837 return ret;
838}
839
840static void sd_function_switch(SDState *sd, uint32_t arg)
841{
842 int i, mode, new_func;
843 mode = !!(arg & 0x80000000);
844
845 sd->data[0] = 0x00;
846 sd->data[1] = 0x01;
847 sd->data[2] = 0x80;
848 sd->data[3] = 0x01;
849 sd->data[4] = 0x80;
850 sd->data[5] = 0x01;
851 sd->data[6] = 0x80;
852 sd->data[7] = 0x01;
853 sd->data[8] = 0x80;
854 sd->data[9] = 0x01;
855 sd->data[10] = 0x80;
856 sd->data[11] = 0x43;
857 sd->data[12] = 0x80;
858 sd->data[13] = 0x03;
859
860 memset(&sd->data[14], 0, 3);
861 for (i = 0; i < 6; i ++) {
862 new_func = (arg >> (i * 4)) & 0x0f;
863 if (mode && new_func != 0x0f)
864 sd->function_group[i] = new_func;
865 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
866 }
867 memset(&sd->data[17], 0, 47);
868}
869
870static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
871{
872 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
873}
874
875static void sd_lock_command(SDState *sd)
876{
877 int erase, lock, clr_pwd, set_pwd, pwd_len;
878 erase = !!(sd->data[0] & 0x08);
879 lock = sd->data[0] & 0x04;
880 clr_pwd = sd->data[0] & 0x02;
881 set_pwd = sd->data[0] & 0x01;
882
883 if (sd->blk_len > 1)
884 pwd_len = sd->data[1];
885 else
886 pwd_len = 0;
887
888 if (lock) {
889 trace_sdcard_lock();
890 } else {
891 trace_sdcard_unlock();
892 }
893 if (erase) {
894 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
895 set_pwd || clr_pwd || lock || sd->wp_switch ||
896 (sd->csd[14] & 0x20)) {
897 sd->card_status |= LOCK_UNLOCK_FAILED;
898 return;
899 }
900 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
901 sd->csd[14] &= ~0x10;
902 sd->card_status &= ~CARD_IS_LOCKED;
903 sd->pwd_len = 0;
904
905 fprintf(stderr, "SD: Card force-erased by CMD42\n");
906 return;
907 }
908
909 if (sd->blk_len < 2 + pwd_len ||
910 pwd_len <= sd->pwd_len ||
911 pwd_len > sd->pwd_len + 16) {
912 sd->card_status |= LOCK_UNLOCK_FAILED;
913 return;
914 }
915
916 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
917 sd->card_status |= LOCK_UNLOCK_FAILED;
918 return;
919 }
920
921 pwd_len -= sd->pwd_len;
922 if ((pwd_len && !set_pwd) ||
923 (clr_pwd && (set_pwd || lock)) ||
924 (lock && !sd->pwd_len && !set_pwd) ||
925 (!set_pwd && !clr_pwd &&
926 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
927 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
928 sd->card_status |= LOCK_UNLOCK_FAILED;
929 return;
930 }
931
932 if (set_pwd) {
933 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
934 sd->pwd_len = pwd_len;
935 }
936
937 if (clr_pwd) {
938 sd->pwd_len = 0;
939 }
940
941 if (lock)
942 sd->card_status |= CARD_IS_LOCKED;
943 else
944 sd->card_status &= ~CARD_IS_LOCKED;
945}
946
947static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
948{
949 uint32_t rca = 0x0000;
950 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
951
952
953
954
955 if (req.cmd != 55 || sd->expecting_acmd) {
956 trace_sdcard_normal_command(sd->proto_name,
957 sd_cmd_name(req.cmd), req.cmd,
958 req.arg, sd_state_name(sd->state));
959 }
960
961
962 sd->card_status &= ~APP_CMD;
963
964 if (sd_cmd_type[req.cmd] == sd_ac
965 || sd_cmd_type[req.cmd] == sd_adtc) {
966 rca = req.arg >> 16;
967 }
968
969
970
971 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
972 sd->multi_blk_cnt = 0;
973 }
974
975 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
976
977 return sd_illegal;
978 }
979
980 switch (req.cmd) {
981
982 case 0:
983 switch (sd->state) {
984 case sd_inactive_state:
985 return sd->spi ? sd_r1 : sd_r0;
986
987 default:
988 sd->state = sd_idle_state;
989 sd_reset(DEVICE(sd));
990 return sd->spi ? sd_r1 : sd_r0;
991 }
992 break;
993
994 case 1:
995 if (!sd->spi)
996 goto bad_cmd;
997
998 sd->state = sd_transfer_state;
999 return sd_r1;
1000
1001 case 2:
1002 if (sd->spi)
1003 goto bad_cmd;
1004 switch (sd->state) {
1005 case sd_ready_state:
1006 sd->state = sd_identification_state;
1007 return sd_r2_i;
1008
1009 default:
1010 break;
1011 }
1012 break;
1013
1014 case 3:
1015 if (sd->spi)
1016 goto bad_cmd;
1017 switch (sd->state) {
1018 case sd_identification_state:
1019 case sd_standby_state:
1020 sd->state = sd_standby_state;
1021 sd_set_rca(sd);
1022 return sd_r6;
1023
1024 default:
1025 break;
1026 }
1027 break;
1028
1029 case 4:
1030 if (sd->spi)
1031 goto bad_cmd;
1032 switch (sd->state) {
1033 case sd_standby_state:
1034 break;
1035
1036 default:
1037 break;
1038 }
1039 break;
1040
1041 case 5:
1042 return sd_illegal;
1043
1044 case 6:
1045 switch (sd->mode) {
1046 case sd_data_transfer_mode:
1047 sd_function_switch(sd, req.arg);
1048 sd->state = sd_sendingdata_state;
1049 sd->data_start = 0;
1050 sd->data_offset = 0;
1051 return sd_r1;
1052
1053 default:
1054 break;
1055 }
1056 break;
1057
1058 case 7:
1059 if (sd->spi)
1060 goto bad_cmd;
1061 switch (sd->state) {
1062 case sd_standby_state:
1063 if (sd->rca != rca)
1064 return sd_r0;
1065
1066 sd->state = sd_transfer_state;
1067 return sd_r1b;
1068
1069 case sd_transfer_state:
1070 case sd_sendingdata_state:
1071 if (sd->rca == rca)
1072 break;
1073
1074 sd->state = sd_standby_state;
1075 return sd_r1b;
1076
1077 case sd_disconnect_state:
1078 if (sd->rca != rca)
1079 return sd_r0;
1080
1081 sd->state = sd_programming_state;
1082 return sd_r1b;
1083
1084 case sd_programming_state:
1085 if (sd->rca == rca)
1086 break;
1087
1088 sd->state = sd_disconnect_state;
1089 return sd_r1b;
1090
1091 default:
1092 break;
1093 }
1094 break;
1095
1096 case 8:
1097 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1098 break;
1099 }
1100 if (sd->state != sd_idle_state) {
1101 break;
1102 }
1103 sd->vhs = 0;
1104
1105
1106 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1107 return sd->spi ? sd_r7 : sd_r0;
1108 }
1109
1110
1111 sd->vhs = req.arg;
1112 return sd_r7;
1113
1114 case 9:
1115 switch (sd->state) {
1116 case sd_standby_state:
1117 if (sd->rca != rca)
1118 return sd_r0;
1119
1120 return sd_r2_s;
1121
1122 case sd_transfer_state:
1123 if (!sd->spi)
1124 break;
1125 sd->state = sd_sendingdata_state;
1126 memcpy(sd->data, sd->csd, 16);
1127 sd->data_start = addr;
1128 sd->data_offset = 0;
1129 return sd_r1;
1130
1131 default:
1132 break;
1133 }
1134 break;
1135
1136 case 10:
1137 switch (sd->state) {
1138 case sd_standby_state:
1139 if (sd->rca != rca)
1140 return sd_r0;
1141
1142 return sd_r2_i;
1143
1144 case sd_transfer_state:
1145 if (!sd->spi)
1146 break;
1147 sd->state = sd_sendingdata_state;
1148 memcpy(sd->data, sd->cid, 16);
1149 sd->data_start = addr;
1150 sd->data_offset = 0;
1151 return sd_r1;
1152
1153 default:
1154 break;
1155 }
1156 break;
1157
1158 case 12:
1159 switch (sd->state) {
1160 case sd_sendingdata_state:
1161 sd->state = sd_transfer_state;
1162 return sd_r1b;
1163
1164 case sd_receivingdata_state:
1165 sd->state = sd_programming_state;
1166
1167 sd->state = sd_transfer_state;
1168 return sd_r1b;
1169
1170 default:
1171 break;
1172 }
1173 break;
1174
1175 case 13:
1176 switch (sd->mode) {
1177 case sd_data_transfer_mode:
1178 if (!sd->spi && sd->rca != rca) {
1179 return sd_r0;
1180 }
1181
1182 return sd_r1;
1183
1184 default:
1185 break;
1186 }
1187 break;
1188
1189 case 15:
1190 if (sd->spi)
1191 goto bad_cmd;
1192 switch (sd->mode) {
1193 case sd_data_transfer_mode:
1194 if (sd->rca != rca)
1195 return sd_r0;
1196
1197 sd->state = sd_inactive_state;
1198 return sd_r0;
1199
1200 default:
1201 break;
1202 }
1203 break;
1204
1205
1206 case 16:
1207 switch (sd->state) {
1208 case sd_transfer_state:
1209 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1210 sd->card_status |= BLOCK_LEN_ERROR;
1211 } else {
1212 trace_sdcard_set_blocklen(req.arg);
1213 sd->blk_len = req.arg;
1214 }
1215
1216 return sd_r1;
1217
1218 default:
1219 break;
1220 }
1221 break;
1222
1223 case 17:
1224 case 18:
1225 switch (sd->state) {
1226 case sd_transfer_state:
1227
1228 if (addr + sd->blk_len > sd->size) {
1229 sd->card_status |= ADDRESS_ERROR;
1230 return sd_r1;
1231 }
1232
1233 sd->state = sd_sendingdata_state;
1234 sd->data_start = addr;
1235 sd->data_offset = 0;
1236 return sd_r1;
1237
1238 default:
1239 break;
1240 }
1241 break;
1242
1243 case 19:
1244 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1245 break;
1246 }
1247 if (sd->state == sd_transfer_state) {
1248 sd->state = sd_sendingdata_state;
1249 sd->data_offset = 0;
1250 return sd_r1;
1251 }
1252 break;
1253
1254 case 23:
1255 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1256 break;
1257 }
1258 switch (sd->state) {
1259 case sd_transfer_state:
1260 sd->multi_blk_cnt = req.arg;
1261 return sd_r1;
1262
1263 default:
1264 break;
1265 }
1266 break;
1267
1268
1269 case 24:
1270 case 25:
1271 switch (sd->state) {
1272 case sd_transfer_state:
1273
1274 if (addr + sd->blk_len > sd->size) {
1275 sd->card_status |= ADDRESS_ERROR;
1276 return sd_r1;
1277 }
1278
1279 sd->state = sd_receivingdata_state;
1280 sd->data_start = addr;
1281 sd->data_offset = 0;
1282 sd->blk_written = 0;
1283
1284 if (sd->size <= SDSC_MAX_CAPACITY) {
1285 if (sd_wp_addr(sd, sd->data_start)) {
1286 sd->card_status |= WP_VIOLATION;
1287 }
1288 }
1289 if (sd->csd[14] & 0x30) {
1290 sd->card_status |= WP_VIOLATION;
1291 }
1292 return sd_r1;
1293
1294 default:
1295 break;
1296 }
1297 break;
1298
1299 case 26:
1300 if (sd->spi)
1301 goto bad_cmd;
1302 switch (sd->state) {
1303 case sd_transfer_state:
1304 sd->state = sd_receivingdata_state;
1305 sd->data_start = 0;
1306 sd->data_offset = 0;
1307 return sd_r1;
1308
1309 default:
1310 break;
1311 }
1312 break;
1313
1314 case 27:
1315 switch (sd->state) {
1316 case sd_transfer_state:
1317 sd->state = sd_receivingdata_state;
1318 sd->data_start = 0;
1319 sd->data_offset = 0;
1320 return sd_r1;
1321
1322 default:
1323 break;
1324 }
1325 break;
1326
1327
1328 case 28:
1329 if (sd->size > SDSC_MAX_CAPACITY) {
1330 return sd_illegal;
1331 }
1332
1333 switch (sd->state) {
1334 case sd_transfer_state:
1335 if (addr >= sd->size) {
1336 sd->card_status |= ADDRESS_ERROR;
1337 return sd_r1b;
1338 }
1339
1340 sd->state = sd_programming_state;
1341 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1342
1343 sd->state = sd_transfer_state;
1344 return sd_r1b;
1345
1346 default:
1347 break;
1348 }
1349 break;
1350
1351 case 29:
1352 if (sd->size > SDSC_MAX_CAPACITY) {
1353 return sd_illegal;
1354 }
1355
1356 switch (sd->state) {
1357 case sd_transfer_state:
1358 if (addr >= sd->size) {
1359 sd->card_status |= ADDRESS_ERROR;
1360 return sd_r1b;
1361 }
1362
1363 sd->state = sd_programming_state;
1364 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1365
1366 sd->state = sd_transfer_state;
1367 return sd_r1b;
1368
1369 default:
1370 break;
1371 }
1372 break;
1373
1374 case 30:
1375 if (sd->size > SDSC_MAX_CAPACITY) {
1376 return sd_illegal;
1377 }
1378
1379 switch (sd->state) {
1380 case sd_transfer_state:
1381 sd->state = sd_sendingdata_state;
1382 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1383 sd->data_start = addr;
1384 sd->data_offset = 0;
1385 return sd_r1;
1386
1387 default:
1388 break;
1389 }
1390 break;
1391
1392
1393 case 32:
1394 switch (sd->state) {
1395 case sd_transfer_state:
1396 sd->erase_start = req.arg;
1397 return sd_r1;
1398
1399 default:
1400 break;
1401 }
1402 break;
1403
1404 case 33:
1405 switch (sd->state) {
1406 case sd_transfer_state:
1407 sd->erase_end = req.arg;
1408 return sd_r1;
1409
1410 default:
1411 break;
1412 }
1413 break;
1414
1415 case 38:
1416 switch (sd->state) {
1417 case sd_transfer_state:
1418 if (sd->csd[14] & 0x30) {
1419 sd->card_status |= WP_VIOLATION;
1420 return sd_r1b;
1421 }
1422
1423 sd->state = sd_programming_state;
1424 sd_erase(sd);
1425
1426 sd->state = sd_transfer_state;
1427 return sd_r1b;
1428
1429 default:
1430 break;
1431 }
1432 break;
1433
1434
1435 case 42:
1436 switch (sd->state) {
1437 case sd_transfer_state:
1438 sd->state = sd_receivingdata_state;
1439 sd->data_start = 0;
1440 sd->data_offset = 0;
1441 return sd_r1;
1442
1443 default:
1444 break;
1445 }
1446 break;
1447
1448 case 52 ... 54:
1449
1450
1451
1452
1453
1454
1455 return sd_illegal;
1456
1457
1458 case 55:
1459 switch (sd->state) {
1460 case sd_ready_state:
1461 case sd_identification_state:
1462 case sd_inactive_state:
1463 return sd_illegal;
1464 case sd_idle_state:
1465 if (rca) {
1466 qemu_log_mask(LOG_GUEST_ERROR,
1467 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1468 }
1469 default:
1470 break;
1471 }
1472 if (!sd->spi) {
1473 if (sd->rca != rca) {
1474 return sd_r0;
1475 }
1476 }
1477 sd->expecting_acmd = true;
1478 sd->card_status |= APP_CMD;
1479 return sd_r1;
1480
1481 case 56:
1482 switch (sd->state) {
1483 case sd_transfer_state:
1484 sd->data_offset = 0;
1485 if (req.arg & 1)
1486 sd->state = sd_sendingdata_state;
1487 else
1488 sd->state = sd_receivingdata_state;
1489 return sd_r1;
1490
1491 default:
1492 break;
1493 }
1494 break;
1495
1496 case 58:
1497 if (!sd->spi) {
1498 goto bad_cmd;
1499 }
1500 return sd_r3;
1501
1502 case 59:
1503 if (!sd->spi) {
1504 goto bad_cmd;
1505 }
1506 return sd_r1;
1507
1508 default:
1509 bad_cmd:
1510 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1511 return sd_illegal;
1512 }
1513
1514 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1515 return sd_illegal;
1516}
1517
1518static sd_rsp_type_t sd_app_command(SDState *sd,
1519 SDRequest req)
1520{
1521 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1522 req.cmd, req.arg, sd_state_name(sd->state));
1523 sd->card_status |= APP_CMD;
1524 switch (req.cmd) {
1525 case 6:
1526 if (sd->spi) {
1527 goto unimplemented_spi_cmd;
1528 }
1529 switch (sd->state) {
1530 case sd_transfer_state:
1531 sd->sd_status[0] &= 0x3f;
1532 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1533 return sd_r1;
1534
1535 default:
1536 break;
1537 }
1538 break;
1539
1540 case 13:
1541 switch (sd->state) {
1542 case sd_transfer_state:
1543 sd->state = sd_sendingdata_state;
1544 sd->data_start = 0;
1545 sd->data_offset = 0;
1546 return sd_r1;
1547
1548 default:
1549 break;
1550 }
1551 break;
1552
1553 case 22:
1554 switch (sd->state) {
1555 case sd_transfer_state:
1556 *(uint32_t *) sd->data = sd->blk_written;
1557
1558 sd->state = sd_sendingdata_state;
1559 sd->data_start = 0;
1560 sd->data_offset = 0;
1561 return sd_r1;
1562
1563 default:
1564 break;
1565 }
1566 break;
1567
1568 case 23:
1569 switch (sd->state) {
1570 case sd_transfer_state:
1571 return sd_r1;
1572
1573 default:
1574 break;
1575 }
1576 break;
1577
1578 case 41:
1579 if (sd->spi) {
1580
1581 sd->state = sd_transfer_state;
1582 return sd_r1;
1583 }
1584 if (sd->state != sd_idle_state) {
1585 break;
1586 }
1587
1588
1589
1590
1591
1592
1593
1594
1595 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1596 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1597 timer_del(sd->ocr_power_timer);
1598 sd_ocr_powerup(sd);
1599 } else {
1600 trace_sdcard_inquiry_cmd41();
1601 if (!timer_pending(sd->ocr_power_timer)) {
1602 timer_mod_ns(sd->ocr_power_timer,
1603 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1604 + OCR_POWER_DELAY_NS));
1605 }
1606 }
1607 }
1608
1609 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1610
1611
1612
1613
1614
1615 sd->state = sd_ready_state;
1616 }
1617
1618 return sd_r3;
1619
1620 case 42:
1621 switch (sd->state) {
1622 case sd_transfer_state:
1623
1624 return sd_r1;
1625
1626 default:
1627 break;
1628 }
1629 break;
1630
1631 case 51:
1632 switch (sd->state) {
1633 case sd_transfer_state:
1634 sd->state = sd_sendingdata_state;
1635 sd->data_start = 0;
1636 sd->data_offset = 0;
1637 return sd_r1;
1638
1639 default:
1640 break;
1641 }
1642 break;
1643
1644 case 18:
1645 case 25:
1646 case 26:
1647 case 38:
1648 case 43 ... 49:
1649
1650
1651
1652 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1653 req.cmd);
1654 return sd_illegal;
1655
1656 default:
1657
1658 return sd_normal_command(sd, req);
1659
1660 unimplemented_spi_cmd:
1661
1662 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1663 req.cmd);
1664 return sd_illegal;
1665 }
1666
1667 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1668 return sd_illegal;
1669}
1670
1671static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1672{
1673
1674
1675
1676
1677
1678
1679
1680
1681 if (sd->expecting_acmd) {
1682 return cmd == 41 || cmd == 42;
1683 }
1684 if (cmd == 16 || cmd == 55) {
1685 return 1;
1686 }
1687 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1688}
1689
1690int sd_do_command(SDState *sd, SDRequest *req,
1691 uint8_t *response) {
1692 int last_state;
1693 sd_rsp_type_t rtype;
1694 int rsplen;
1695
1696 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1697 return 0;
1698 }
1699
1700 if (sd_req_crc_validate(req)) {
1701 sd->card_status |= COM_CRC_ERROR;
1702 rtype = sd_illegal;
1703 goto send_response;
1704 }
1705
1706 if (req->cmd >= SDMMC_CMD_MAX) {
1707 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1708 req->cmd);
1709 req->cmd &= 0x3f;
1710 }
1711
1712 if (sd->card_status & CARD_IS_LOCKED) {
1713 if (!cmd_valid_while_locked(sd, req->cmd)) {
1714 sd->card_status |= ILLEGAL_COMMAND;
1715 sd->expecting_acmd = false;
1716 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1717 rtype = sd_illegal;
1718 goto send_response;
1719 }
1720 }
1721
1722 last_state = sd->state;
1723 sd_set_mode(sd);
1724
1725 if (sd->expecting_acmd) {
1726 sd->expecting_acmd = false;
1727 rtype = sd_app_command(sd, *req);
1728 } else {
1729 rtype = sd_normal_command(sd, *req);
1730 }
1731
1732 if (rtype == sd_illegal) {
1733 sd->card_status |= ILLEGAL_COMMAND;
1734 } else {
1735
1736
1737
1738 sd->current_cmd = req->cmd;
1739 sd->card_status &= ~CURRENT_STATE;
1740 sd->card_status |= (last_state << 9);
1741 }
1742
1743send_response:
1744 switch (rtype) {
1745 case sd_r1:
1746 case sd_r1b:
1747 sd_response_r1_make(sd, response);
1748 rsplen = 4;
1749 break;
1750
1751 case sd_r2_i:
1752 memcpy(response, sd->cid, sizeof(sd->cid));
1753 rsplen = 16;
1754 break;
1755
1756 case sd_r2_s:
1757 memcpy(response, sd->csd, sizeof(sd->csd));
1758 rsplen = 16;
1759 break;
1760
1761 case sd_r3:
1762 sd_response_r3_make(sd, response);
1763 rsplen = 4;
1764 break;
1765
1766 case sd_r6:
1767 sd_response_r6_make(sd, response);
1768 rsplen = 4;
1769 break;
1770
1771 case sd_r7:
1772 sd_response_r7_make(sd, response);
1773 rsplen = 4;
1774 break;
1775
1776 case sd_r0:
1777 case sd_illegal:
1778 rsplen = 0;
1779 break;
1780 default:
1781 g_assert_not_reached();
1782 }
1783 trace_sdcard_response(sd_response_name(rtype), rsplen);
1784
1785 if (rtype != sd_illegal) {
1786
1787
1788
1789 sd->card_status &= ~CARD_STATUS_B;
1790 }
1791
1792#ifdef DEBUG_SD
1793 qemu_hexdump(stderr, "Response", response, rsplen);
1794#endif
1795
1796 return rsplen;
1797}
1798
1799void sd_write_byte(SDState *sd, uint8_t value)
1800{
1801 int i;
1802
1803 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1804 return;
1805
1806 if (sd->state != sd_receivingdata_state) {
1807 qemu_log_mask(LOG_GUEST_ERROR,
1808 "%s: not in Receiving-Data state\n", __func__);
1809 return;
1810 }
1811
1812 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1813 return;
1814
1815 trace_sdcard_write_data(sd->proto_name,
1816 sd_acmd_name(sd->current_cmd),
1817 sd->current_cmd, value);
1818 switch (sd->current_cmd) {
1819 case 24:
1820 sd->data[sd->data_offset ++] = value;
1821 if (sd->data_offset >= sd->blk_len) {
1822
1823 sd->state = sd_programming_state;
1824 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1825 sd->blk_written ++;
1826 sd->csd[14] |= 0x40;
1827
1828 sd->state = sd_transfer_state;
1829 }
1830 break;
1831
1832 case 25:
1833 if (sd->data_offset == 0) {
1834
1835 if (sd->data_start + sd->blk_len > sd->size) {
1836 sd->card_status |= ADDRESS_ERROR;
1837 break;
1838 }
1839 if (sd->size <= SDSC_MAX_CAPACITY) {
1840 if (sd_wp_addr(sd, sd->data_start)) {
1841 sd->card_status |= WP_VIOLATION;
1842 break;
1843 }
1844 }
1845 }
1846 sd->data[sd->data_offset++] = value;
1847 if (sd->data_offset >= sd->blk_len) {
1848
1849 sd->state = sd_programming_state;
1850 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1851 sd->blk_written++;
1852 sd->data_start += sd->blk_len;
1853 sd->data_offset = 0;
1854 sd->csd[14] |= 0x40;
1855
1856
1857 if (sd->multi_blk_cnt != 0) {
1858 if (--sd->multi_blk_cnt == 0) {
1859
1860 sd->state = sd_transfer_state;
1861 break;
1862 }
1863 }
1864
1865 sd->state = sd_receivingdata_state;
1866 }
1867 break;
1868
1869 case 26:
1870 sd->data[sd->data_offset ++] = value;
1871 if (sd->data_offset >= sizeof(sd->cid)) {
1872
1873 sd->state = sd_programming_state;
1874 for (i = 0; i < sizeof(sd->cid); i ++)
1875 if ((sd->cid[i] | 0x00) != sd->data[i])
1876 sd->card_status |= CID_CSD_OVERWRITE;
1877
1878 if (!(sd->card_status & CID_CSD_OVERWRITE))
1879 for (i = 0; i < sizeof(sd->cid); i ++) {
1880 sd->cid[i] |= 0x00;
1881 sd->cid[i] &= sd->data[i];
1882 }
1883
1884 sd->state = sd_transfer_state;
1885 }
1886 break;
1887
1888 case 27:
1889 sd->data[sd->data_offset ++] = value;
1890 if (sd->data_offset >= sizeof(sd->csd)) {
1891
1892 sd->state = sd_programming_state;
1893 for (i = 0; i < sizeof(sd->csd); i ++)
1894 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1895 (sd->data[i] | sd_csd_rw_mask[i]))
1896 sd->card_status |= CID_CSD_OVERWRITE;
1897
1898
1899 if (sd->csd[14] & ~sd->data[14] & 0x60)
1900 sd->card_status |= CID_CSD_OVERWRITE;
1901
1902 if (!(sd->card_status & CID_CSD_OVERWRITE))
1903 for (i = 0; i < sizeof(sd->csd); i ++) {
1904 sd->csd[i] |= sd_csd_rw_mask[i];
1905 sd->csd[i] &= sd->data[i];
1906 }
1907
1908 sd->state = sd_transfer_state;
1909 }
1910 break;
1911
1912 case 42:
1913 sd->data[sd->data_offset ++] = value;
1914 if (sd->data_offset >= sd->blk_len) {
1915
1916 sd->state = sd_programming_state;
1917 sd_lock_command(sd);
1918
1919 sd->state = sd_transfer_state;
1920 }
1921 break;
1922
1923 case 56:
1924 sd->data[sd->data_offset ++] = value;
1925 if (sd->data_offset >= sd->blk_len) {
1926 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1927 sd->state = sd_transfer_state;
1928 }
1929 break;
1930
1931 default:
1932 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1933 break;
1934 }
1935}
1936
1937#define SD_TUNING_BLOCK_SIZE 64
1938
1939static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1940
1941 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1942 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1943 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1944 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1945 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1946 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1947 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1948 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1949};
1950
1951uint8_t sd_read_byte(SDState *sd)
1952{
1953
1954 uint8_t ret;
1955 uint32_t io_len;
1956
1957 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1958 return 0x00;
1959
1960 if (sd->state != sd_sendingdata_state) {
1961 qemu_log_mask(LOG_GUEST_ERROR,
1962 "%s: not in Sending-Data state\n", __func__);
1963 return 0x00;
1964 }
1965
1966 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1967 return 0x00;
1968
1969 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1970
1971 trace_sdcard_read_data(sd->proto_name,
1972 sd_acmd_name(sd->current_cmd),
1973 sd->current_cmd, io_len);
1974 switch (sd->current_cmd) {
1975 case 6:
1976 ret = sd->data[sd->data_offset ++];
1977
1978 if (sd->data_offset >= 64)
1979 sd->state = sd_transfer_state;
1980 break;
1981
1982 case 9:
1983 case 10:
1984 ret = sd->data[sd->data_offset ++];
1985
1986 if (sd->data_offset >= 16)
1987 sd->state = sd_transfer_state;
1988 break;
1989
1990 case 13:
1991 ret = sd->sd_status[sd->data_offset ++];
1992
1993 if (sd->data_offset >= sizeof(sd->sd_status))
1994 sd->state = sd_transfer_state;
1995 break;
1996
1997 case 17:
1998 if (sd->data_offset == 0)
1999 BLK_READ_BLOCK(sd->data_start, io_len);
2000 ret = sd->data[sd->data_offset ++];
2001
2002 if (sd->data_offset >= io_len)
2003 sd->state = sd_transfer_state;
2004 break;
2005
2006 case 18:
2007 if (sd->data_offset == 0) {
2008 if (sd->data_start + io_len > sd->size) {
2009 sd->card_status |= ADDRESS_ERROR;
2010 return 0x00;
2011 }
2012 BLK_READ_BLOCK(sd->data_start, io_len);
2013 }
2014 ret = sd->data[sd->data_offset ++];
2015
2016 if (sd->data_offset >= io_len) {
2017 sd->data_start += io_len;
2018 sd->data_offset = 0;
2019
2020 if (sd->multi_blk_cnt != 0) {
2021 if (--sd->multi_blk_cnt == 0) {
2022
2023 sd->state = sd_transfer_state;
2024 break;
2025 }
2026 }
2027 }
2028 break;
2029
2030 case 19:
2031 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2032 sd->state = sd_transfer_state;
2033 }
2034 ret = sd_tuning_block_pattern[sd->data_offset++];
2035 break;
2036
2037 case 22:
2038 ret = sd->data[sd->data_offset ++];
2039
2040 if (sd->data_offset >= 4)
2041 sd->state = sd_transfer_state;
2042 break;
2043
2044 case 30:
2045 ret = sd->data[sd->data_offset ++];
2046
2047 if (sd->data_offset >= 4)
2048 sd->state = sd_transfer_state;
2049 break;
2050
2051 case 51:
2052 ret = sd->scr[sd->data_offset ++];
2053
2054 if (sd->data_offset >= sizeof(sd->scr))
2055 sd->state = sd_transfer_state;
2056 break;
2057
2058 case 56:
2059 if (sd->data_offset == 0)
2060 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2061 ret = sd->data[sd->data_offset ++];
2062
2063 if (sd->data_offset >= sd->blk_len)
2064 sd->state = sd_transfer_state;
2065 break;
2066
2067 default:
2068 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2069 return 0x00;
2070 }
2071
2072 return ret;
2073}
2074
2075static bool sd_receive_ready(SDState *sd)
2076{
2077 return sd->state == sd_receivingdata_state;
2078}
2079
2080static bool sd_data_ready(SDState *sd)
2081{
2082 return sd->state == sd_sendingdata_state;
2083}
2084
2085void sd_enable(SDState *sd, bool enable)
2086{
2087 sd->enable = enable;
2088}
2089
2090static void sd_instance_init(Object *obj)
2091{
2092 SDState *sd = SD_CARD(obj);
2093
2094 sd->enable = true;
2095 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2096}
2097
2098static void sd_instance_finalize(Object *obj)
2099{
2100 SDState *sd = SD_CARD(obj);
2101
2102 timer_free(sd->ocr_power_timer);
2103}
2104
2105static void sd_realize(DeviceState *dev, Error **errp)
2106{
2107 SDState *sd = SD_CARD(dev);
2108 int ret;
2109
2110 sd->proto_name = sd->spi ? "SPI" : "SD";
2111
2112 switch (sd->spec_version) {
2113 case SD_PHY_SPECv1_10_VERS
2114 ... SD_PHY_SPECv3_01_VERS:
2115 break;
2116 default:
2117 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2118 return;
2119 }
2120
2121 if (sd->blk) {
2122 int64_t blk_size;
2123
2124 if (!blk_supports_write_perm(sd->blk)) {
2125 error_setg(errp, "Cannot use read-only drive as SD card");
2126 return;
2127 }
2128
2129 blk_size = blk_getlength(sd->blk);
2130 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2131 int64_t blk_size_aligned = pow2ceil(blk_size);
2132 char *blk_size_str;
2133
2134 blk_size_str = size_to_str(blk_size);
2135 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2136 g_free(blk_size_str);
2137
2138 blk_size_str = size_to_str(blk_size_aligned);
2139 error_append_hint(errp,
2140 "SD card size has to be a power of 2, e.g. %s.\n"
2141 "You can resize disk images with"
2142 " 'qemu-img resize <imagefile> <new-size>'\n"
2143 "(note that this will lose data if you make the"
2144 " image smaller than it currently is).\n",
2145 blk_size_str);
2146 g_free(blk_size_str);
2147
2148 return;
2149 }
2150
2151 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2152 BLK_PERM_ALL, errp);
2153 if (ret < 0) {
2154 return;
2155 }
2156 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2157 }
2158}
2159
2160static Property sd_properties[] = {
2161 DEFINE_PROP_UINT8("spec_version", SDState,
2162 spec_version, SD_PHY_SPECv2_00_VERS),
2163 DEFINE_PROP_DRIVE("drive", SDState, blk),
2164
2165
2166
2167
2168 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2169 DEFINE_PROP_END_OF_LIST()
2170};
2171
2172static void sd_class_init(ObjectClass *klass, void *data)
2173{
2174 DeviceClass *dc = DEVICE_CLASS(klass);
2175 SDCardClass *sc = SD_CARD_CLASS(klass);
2176
2177 dc->realize = sd_realize;
2178 device_class_set_props(dc, sd_properties);
2179 dc->vmsd = &sd_vmstate;
2180 dc->reset = sd_reset;
2181 dc->bus_type = TYPE_SD_BUS;
2182 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2183
2184 sc->set_voltage = sd_set_voltage;
2185 sc->get_dat_lines = sd_get_dat_lines;
2186 sc->get_cmd_line = sd_get_cmd_line;
2187 sc->do_command = sd_do_command;
2188 sc->write_byte = sd_write_byte;
2189 sc->read_byte = sd_read_byte;
2190 sc->receive_ready = sd_receive_ready;
2191 sc->data_ready = sd_data_ready;
2192 sc->enable = sd_enable;
2193 sc->get_inserted = sd_get_inserted;
2194 sc->get_readonly = sd_get_readonly;
2195}
2196
2197static const TypeInfo sd_info = {
2198 .name = TYPE_SD_CARD,
2199 .parent = TYPE_DEVICE,
2200 .instance_size = sizeof(SDState),
2201 .class_size = sizeof(SDCardClass),
2202 .class_init = sd_class_init,
2203 .instance_init = sd_instance_init,
2204 .instance_finalize = sd_instance_finalize,
2205};
2206
2207static void sd_register_types(void)
2208{
2209 type_register_static(&sd_info);
2210}
2211
2212type_init(sd_register_types)
2213
