1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33#include "qemu/osdep.h"
34#include "qemu/units.h"
35#include "qemu/cutils.h"
36#include "hw/irq.h"
37#include "hw/registerfields.h"
38#include "sysemu/block-backend.h"
39#include "hw/sd/sd.h"
40#include "hw/sd/sdcard_legacy.h"
41#include "migration/vmstate.h"
42#include "qapi/error.h"
43#include "qemu/bitmap.h"
44#include "hw/qdev-properties.h"
45#include "hw/qdev-properties-system.h"
46#include "qemu/error-report.h"
47#include "qemu/timer.h"
48#include "qemu/log.h"
49#include "qemu/module.h"
50#include "qemu-common.h"
51#include "sdmmc-internal.h"
52#include "trace.h"
53
54
55
56#define SDSC_MAX_CAPACITY (2 * GiB)
57
58#define INVALID_ADDRESS UINT32_MAX
59
60typedef enum {
61 sd_r0 = 0,
62 sd_r1,
63 sd_r2_i,
64 sd_r2_s,
65 sd_r3,
66 sd_r6 = 6,
67 sd_r7,
68 sd_r1b = -1,
69 sd_illegal = -2,
70} sd_rsp_type_t;
71
72enum SDCardModes {
73 sd_inactive,
74 sd_card_identification_mode,
75 sd_data_transfer_mode,
76};
77
78enum SDCardStates {
79 sd_inactive_state = -1,
80 sd_idle_state = 0,
81 sd_ready_state,
82 sd_identification_state,
83 sd_standby_state,
84 sd_transfer_state,
85 sd_sendingdata_state,
86 sd_receivingdata_state,
87 sd_programming_state,
88 sd_disconnect_state,
89};
90
91struct SDState {
92 DeviceState parent_obj;
93
94
95
96 bool me_no_qdev_me_kill_mammoth_with_rocks;
97
98
99 uint32_t ocr;
100 uint8_t scr[8];
101 uint8_t cid[16];
102 uint8_t csd[16];
103 uint16_t rca;
104 uint32_t card_status;
105 uint8_t sd_status[64];
106
107
108
109 uint8_t spec_version;
110 BlockBackend *blk;
111 bool spi;
112
113
114
115 uint32_t mode;
116 int32_t state;
117 uint32_t vhs;
118 bool wp_switch;
119 unsigned long *wp_group_bmap;
120 int32_t wp_group_bits;
121 uint64_t size;
122 uint32_t blk_len;
123 uint32_t multi_blk_cnt;
124 uint32_t erase_start;
125 uint32_t erase_end;
126 uint8_t pwd[16];
127 uint32_t pwd_len;
128 uint8_t function_group[6];
129 uint8_t current_cmd;
130
131
132
133 bool expecting_acmd;
134 uint32_t blk_written;
135 uint64_t data_start;
136 uint32_t data_offset;
137 uint8_t data[512];
138 qemu_irq readonly_cb;
139 qemu_irq inserted_cb;
140 QEMUTimer *ocr_power_timer;
141 const char *proto_name;
142 bool enable;
143 uint8_t dat_lines;
144 bool cmd_line;
145};
146
147static void sd_realize(DeviceState *dev, Error **errp);
148
149static const char *sd_state_name(enum SDCardStates state)
150{
151 static const char *state_name[] = {
152 [sd_idle_state] = "idle",
153 [sd_ready_state] = "ready",
154 [sd_identification_state] = "identification",
155 [sd_standby_state] = "standby",
156 [sd_transfer_state] = "transfer",
157 [sd_sendingdata_state] = "sendingdata",
158 [sd_receivingdata_state] = "receivingdata",
159 [sd_programming_state] = "programming",
160 [sd_disconnect_state] = "disconnect",
161 };
162 if (state == sd_inactive_state) {
163 return "inactive";
164 }
165 assert(state < ARRAY_SIZE(state_name));
166 return state_name[state];
167}
168
169static const char *sd_response_name(sd_rsp_type_t rsp)
170{
171 static const char *response_name[] = {
172 [sd_r0] = "RESP#0 (no response)",
173 [sd_r1] = "RESP#1 (normal cmd)",
174 [sd_r2_i] = "RESP#2 (CID reg)",
175 [sd_r2_s] = "RESP#2 (CSD reg)",
176 [sd_r3] = "RESP#3 (OCR reg)",
177 [sd_r6] = "RESP#6 (RCA)",
178 [sd_r7] = "RESP#7 (operating voltage)",
179 };
180 if (rsp == sd_illegal) {
181 return "ILLEGAL RESP";
182 }
183 if (rsp == sd_r1b) {
184 rsp = sd_r1;
185 }
186 assert(rsp < ARRAY_SIZE(response_name));
187 return response_name[rsp];
188}
189
190static uint8_t sd_get_dat_lines(SDState *sd)
191{
192 return sd->enable ? sd->dat_lines : 0;
193}
194
195static bool sd_get_cmd_line(SDState *sd)
196{
197 return sd->enable ? sd->cmd_line : false;
198}
199
200static void sd_set_voltage(SDState *sd, uint16_t millivolts)
201{
202 trace_sdcard_set_voltage(millivolts);
203
204 switch (millivolts) {
205 case 3001 ... 3600:
206 case 2001 ... 3000:
207 break;
208 default:
209 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
210 millivolts / 1000.f);
211 }
212}
213
214static void sd_set_mode(SDState *sd)
215{
216 switch (sd->state) {
217 case sd_inactive_state:
218 sd->mode = sd_inactive;
219 break;
220
221 case sd_idle_state:
222 case sd_ready_state:
223 case sd_identification_state:
224 sd->mode = sd_card_identification_mode;
225 break;
226
227 case sd_standby_state:
228 case sd_transfer_state:
229 case sd_sendingdata_state:
230 case sd_receivingdata_state:
231 case sd_programming_state:
232 case sd_disconnect_state:
233 sd->mode = sd_data_transfer_mode;
234 break;
235 }
236}
237
238static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
239 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
240 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
241
242 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
243 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
244
245 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
246 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
247
248 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
249 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
250};
251
252static const int sd_cmd_class[SDMMC_CMD_MAX] = {
253 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
254 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
255 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
256 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
257};
258
259static uint8_t sd_crc7(const void *message, size_t width)
260{
261 int i, bit;
262 uint8_t shift_reg = 0x00;
263 const uint8_t *msg = (const uint8_t *)message;
264
265 for (i = 0; i < width; i ++, msg ++)
266 for (bit = 7; bit >= 0; bit --) {
267 shift_reg <<= 1;
268 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
269 shift_reg ^= 0x89;
270 }
271
272 return shift_reg;
273}
274
275#define OCR_POWER_DELAY_NS 500000
276
277FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
278FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
279FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
280FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
281FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1)
282FIELD(OCR, UHS_II_CARD, 29, 1)
283FIELD(OCR, CARD_CAPACITY, 30, 1)
284FIELD(OCR, CARD_POWER_UP, 31, 1)
285
286#define ACMD41_ENQUIRY_MASK 0x00ffffff
287#define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
288 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
289 | R_OCR_UHS_II_CARD_MASK \
290 | R_OCR_CARD_CAPACITY_MASK \
291 | R_OCR_CARD_POWER_UP_MASK)
292
293static void sd_ocr_powerup(void *opaque)
294{
295 SDState *sd = opaque;
296
297 trace_sdcard_powerup();
298 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
299
300
301 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
302
303 if (sd->size > SDSC_MAX_CAPACITY) {
304 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
305 }
306}
307
308static void sd_set_ocr(SDState *sd)
309{
310
311 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
312
313 if (sd->spi) {
314
315
316
317
318
319
320 sd_ocr_powerup(sd);
321 }
322}
323
324static void sd_set_scr(SDState *sd)
325{
326 sd->scr[0] = 0 << 4;
327 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
328 sd->scr[0] |= 1;
329 } else {
330 sd->scr[0] |= 2;
331 }
332 sd->scr[1] = (2 << 4)
333 | 0b0101;
334 sd->scr[2] = 0x00;
335 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
336 sd->scr[2] |= 1 << 7;
337 }
338 sd->scr[3] = 0x00;
339
340 sd->scr[4] = 0x00;
341 sd->scr[5] = 0x00;
342 sd->scr[6] = 0x00;
343 sd->scr[7] = 0x00;
344}
345
346#define MID 0xaa
347#define OID "XY"
348#define PNM "QEMU!"
349#define PRV 0x01
350#define MDT_YR 2006
351#define MDT_MON 2
352
353static void sd_set_cid(SDState *sd)
354{
355 sd->cid[0] = MID;
356 sd->cid[1] = OID[0];
357 sd->cid[2] = OID[1];
358 sd->cid[3] = PNM[0];
359 sd->cid[4] = PNM[1];
360 sd->cid[5] = PNM[2];
361 sd->cid[6] = PNM[3];
362 sd->cid[7] = PNM[4];
363 sd->cid[8] = PRV;
364 sd->cid[9] = 0xde;
365 sd->cid[10] = 0xad;
366 sd->cid[11] = 0xbe;
367 sd->cid[12] = 0xef;
368 sd->cid[13] = 0x00 |
369 ((MDT_YR - 2000) / 10);
370 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
371 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
372}
373
374#define HWBLOCK_SHIFT 9
375#define SECTOR_SHIFT 5
376#define WPGROUP_SHIFT 7
377#define CMULT_SHIFT 9
378#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
379
380static const uint8_t sd_csd_rw_mask[16] = {
381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
383};
384
385static void sd_set_csd(SDState *sd, uint64_t size)
386{
387 int hwblock_shift = HWBLOCK_SHIFT;
388 uint32_t csize;
389 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
390 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
391
392
393 if (size == SDSC_MAX_CAPACITY) {
394 hwblock_shift += 1;
395 }
396 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
397
398 if (size <= SDSC_MAX_CAPACITY) {
399 sd->csd[0] = 0x00;
400 sd->csd[1] = 0x26;
401 sd->csd[2] = 0x00;
402 sd->csd[3] = 0x32;
403 sd->csd[4] = 0x5f;
404 sd->csd[5] = 0x50 |
405 hwblock_shift;
406 sd->csd[6] = 0xe0 |
407 ((csize >> 10) & 0x03);
408 sd->csd[7] = 0x00 |
409 ((csize >> 2) & 0xff);
410 sd->csd[8] = 0x3f |
411 ((csize << 6) & 0xc0);
412 sd->csd[9] = 0xfc |
413 ((CMULT_SHIFT - 2) >> 1);
414 sd->csd[10] = 0x40 |
415 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
416 sd->csd[11] = 0x00 |
417 ((sectsize << 7) & 0x80) | wpsize;
418 sd->csd[12] = 0x90 |
419 (hwblock_shift >> 2);
420 sd->csd[13] = 0x20 |
421 ((hwblock_shift << 6) & 0xc0);
422 sd->csd[14] = 0x00;
423 } else {
424 size /= 512 * KiB;
425 size -= 1;
426 sd->csd[0] = 0x40;
427 sd->csd[1] = 0x0e;
428 sd->csd[2] = 0x00;
429 sd->csd[3] = 0x32;
430 sd->csd[4] = 0x5b;
431 sd->csd[5] = 0x59;
432 sd->csd[6] = 0x00;
433 sd->csd[7] = (size >> 16) & 0xff;
434 sd->csd[8] = (size >> 8) & 0xff;
435 sd->csd[9] = (size & 0xff);
436 sd->csd[10] = 0x7f;
437 sd->csd[11] = 0x80;
438 sd->csd[12] = 0x0a;
439 sd->csd[13] = 0x40;
440 sd->csd[14] = 0x00;
441 }
442 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
443}
444
445static void sd_set_rca(SDState *sd)
446{
447 sd->rca += 0x4567;
448}
449
450FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
451FIELD(CSR, APP_CMD, 5, 1)
452FIELD(CSR, FX_EVENT, 6, 1)
453FIELD(CSR, READY_FOR_DATA, 8, 1)
454FIELD(CSR, CURRENT_STATE, 9, 4)
455FIELD(CSR, ERASE_RESET, 13, 1)
456FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
457FIELD(CSR, WP_ERASE_SKIP, 15, 1)
458FIELD(CSR, CSD_OVERWRITE, 16, 1)
459FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
460FIELD(CSR, ERROR, 19, 1)
461FIELD(CSR, CC_ERROR, 20, 1)
462FIELD(CSR, CARD_ECC_FAILED, 21, 1)
463FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
464FIELD(CSR, COM_CRC_ERROR, 23, 1)
465FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
466FIELD(CSR, CARD_IS_LOCKED, 25, 1)
467FIELD(CSR, WP_VIOLATION, 26, 1)
468FIELD(CSR, ERASE_PARAM, 27, 1)
469FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
470FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
471FIELD(CSR, ADDRESS_ERROR, 30, 1)
472FIELD(CSR, OUT_OF_RANGE, 31, 1)
473
474
475
476
477
478
479#define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
480 | R_CSR_CARD_ECC_DISABLED_MASK \
481 | R_CSR_CARD_IS_LOCKED_MASK)
482#define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
483 | R_CSR_ILLEGAL_COMMAND_MASK \
484 | R_CSR_COM_CRC_ERROR_MASK)
485#define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
486 | R_CSR_APP_CMD_MASK \
487 | R_CSR_ERASE_RESET_MASK \
488 | R_CSR_WP_ERASE_SKIP_MASK \
489 | R_CSR_CSD_OVERWRITE_MASK \
490 | R_CSR_ERROR_MASK \
491 | R_CSR_CC_ERROR_MASK \
492 | R_CSR_CARD_ECC_FAILED_MASK \
493 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
494 | R_CSR_WP_VIOLATION_MASK \
495 | R_CSR_ERASE_PARAM_MASK \
496 | R_CSR_ERASE_SEQ_ERROR_MASK \
497 | R_CSR_BLOCK_LEN_ERROR_MASK \
498 | R_CSR_ADDRESS_ERROR_MASK \
499 | R_CSR_OUT_OF_RANGE_MASK)
500
501static void sd_set_cardstatus(SDState *sd)
502{
503 sd->card_status = 0x00000100;
504}
505
506static void sd_set_sdstatus(SDState *sd)
507{
508 memset(sd->sd_status, 0, 64);
509}
510
511static int sd_req_crc_validate(SDRequest *req)
512{
513 uint8_t buffer[5];
514 buffer[0] = 0x40 | req->cmd;
515 stl_be_p(&buffer[1], req->arg);
516 return 0;
517 return sd_crc7(buffer, 5) != req->crc;
518}
519
520static void sd_response_r1_make(SDState *sd, uint8_t *response)
521{
522 stl_be_p(response, sd->card_status);
523
524
525 sd->card_status &= ~CARD_STATUS_C;
526}
527
528static void sd_response_r3_make(SDState *sd, uint8_t *response)
529{
530 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
531}
532
533static void sd_response_r6_make(SDState *sd, uint8_t *response)
534{
535 uint16_t status;
536
537 status = ((sd->card_status >> 8) & 0xc000) |
538 ((sd->card_status >> 6) & 0x2000) |
539 (sd->card_status & 0x1fff);
540 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
541 stw_be_p(response + 0, sd->rca);
542 stw_be_p(response + 2, status);
543}
544
545static void sd_response_r7_make(SDState *sd, uint8_t *response)
546{
547 stl_be_p(response, sd->vhs);
548}
549
550static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
551{
552 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
553}
554
555static void sd_reset(DeviceState *dev)
556{
557 SDState *sd = SD_CARD(dev);
558 uint64_t size;
559 uint64_t sect;
560
561 trace_sdcard_reset();
562 if (sd->blk) {
563 blk_get_geometry(sd->blk, §);
564 } else {
565 sect = 0;
566 }
567 size = sect << 9;
568
569 sect = sd_addr_to_wpnum(size) + 1;
570
571 sd->state = sd_idle_state;
572 sd->rca = 0x0000;
573 sd->size = size;
574 sd_set_ocr(sd);
575 sd_set_scr(sd);
576 sd_set_cid(sd);
577 sd_set_csd(sd, size);
578 sd_set_cardstatus(sd);
579 sd_set_sdstatus(sd);
580
581 g_free(sd->wp_group_bmap);
582 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
583 sd->wp_group_bits = sect;
584 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
585 memset(sd->function_group, 0, sizeof(sd->function_group));
586 sd->erase_start = INVALID_ADDRESS;
587 sd->erase_end = INVALID_ADDRESS;
588 sd->blk_len = 0x200;
589 sd->pwd_len = 0;
590 sd->expecting_acmd = false;
591 sd->dat_lines = 0xf;
592 sd->cmd_line = true;
593 sd->multi_blk_cnt = 0;
594}
595
596static bool sd_get_inserted(SDState *sd)
597{
598 return sd->blk && blk_is_inserted(sd->blk);
599}
600
601static bool sd_get_readonly(SDState *sd)
602{
603 return sd->wp_switch;
604}
605
606static void sd_cardchange(void *opaque, bool load, Error **errp)
607{
608 SDState *sd = opaque;
609 DeviceState *dev = DEVICE(sd);
610 SDBus *sdbus;
611 bool inserted = sd_get_inserted(sd);
612 bool readonly = sd_get_readonly(sd);
613
614 if (inserted) {
615 trace_sdcard_inserted(readonly);
616 sd_reset(dev);
617 } else {
618 trace_sdcard_ejected();
619 }
620
621 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
622 qemu_set_irq(sd->inserted_cb, inserted);
623 if (inserted) {
624 qemu_set_irq(sd->readonly_cb, readonly);
625 }
626 } else {
627 sdbus = SD_BUS(qdev_get_parent_bus(dev));
628 sdbus_set_inserted(sdbus, inserted);
629 if (inserted) {
630 sdbus_set_readonly(sdbus, readonly);
631 }
632 }
633}
634
635static const BlockDevOps sd_block_ops = {
636 .change_media_cb = sd_cardchange,
637};
638
639static bool sd_ocr_vmstate_needed(void *opaque)
640{
641 SDState *sd = opaque;
642
643
644 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
645}
646
647static const VMStateDescription sd_ocr_vmstate = {
648 .name = "sd-card/ocr-state",
649 .version_id = 1,
650 .minimum_version_id = 1,
651 .needed = sd_ocr_vmstate_needed,
652 .fields = (VMStateField[]) {
653 VMSTATE_UINT32(ocr, SDState),
654 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
655 VMSTATE_END_OF_LIST()
656 },
657};
658
659static int sd_vmstate_pre_load(void *opaque)
660{
661 SDState *sd = opaque;
662
663
664
665
666
667 sd_ocr_powerup(sd);
668
669 return 0;
670}
671
672static const VMStateDescription sd_vmstate = {
673 .name = "sd-card",
674 .version_id = 2,
675 .minimum_version_id = 2,
676 .pre_load = sd_vmstate_pre_load,
677 .fields = (VMStateField[]) {
678 VMSTATE_UINT32(mode, SDState),
679 VMSTATE_INT32(state, SDState),
680 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
681 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
682 VMSTATE_UINT16(rca, SDState),
683 VMSTATE_UINT32(card_status, SDState),
684 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
685 VMSTATE_UINT32(vhs, SDState),
686 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
687 VMSTATE_UINT32(blk_len, SDState),
688 VMSTATE_UINT32(multi_blk_cnt, SDState),
689 VMSTATE_UINT32(erase_start, SDState),
690 VMSTATE_UINT32(erase_end, SDState),
691 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
692 VMSTATE_UINT32(pwd_len, SDState),
693 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
694 VMSTATE_UINT8(current_cmd, SDState),
695 VMSTATE_BOOL(expecting_acmd, SDState),
696 VMSTATE_UINT32(blk_written, SDState),
697 VMSTATE_UINT64(data_start, SDState),
698 VMSTATE_UINT32(data_offset, SDState),
699 VMSTATE_UINT8_ARRAY(data, SDState, 512),
700 VMSTATE_UNUSED_V(1, 512),
701 VMSTATE_BOOL(enable, SDState),
702 VMSTATE_END_OF_LIST()
703 },
704 .subsections = (const VMStateDescription*[]) {
705 &sd_ocr_vmstate,
706 NULL
707 },
708};
709
710
711SDState *sd_init(BlockBackend *blk, bool is_spi)
712{
713 Object *obj;
714 DeviceState *dev;
715 SDState *sd;
716 Error *err = NULL;
717
718 obj = object_new(TYPE_SD_CARD);
719 dev = DEVICE(obj);
720 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
721 error_reportf_err(err, "sd_init failed: ");
722 return NULL;
723 }
724 qdev_prop_set_bit(dev, "spi", is_spi);
725
726
727
728
729
730
731
732 object_ref(obj);
733 object_unparent(obj);
734 sd_realize(dev, &err);
735 if (err) {
736 error_reportf_err(err, "sd_init failed: ");
737 return NULL;
738 }
739
740 sd = SD_CARD(dev);
741 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
742 return sd;
743}
744
745void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
746{
747 sd->readonly_cb = readonly;
748 sd->inserted_cb = insert;
749 qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
750 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
751}
752
753static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
754{
755 trace_sdcard_read_block(addr, len);
756 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
757 fprintf(stderr, "sd_blk_read: read error on host side\n");
758 }
759}
760
761static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
762{
763 trace_sdcard_write_block(addr, len);
764 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
765 fprintf(stderr, "sd_blk_write: write error on host side\n");
766 }
767}
768
769#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
770#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
771#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
772#define APP_WRITE_BLOCK(a, len)
773
774static void sd_erase(SDState *sd)
775{
776 uint64_t erase_start = sd->erase_start;
777 uint64_t erase_end = sd->erase_end;
778 bool sdsc = true;
779 uint64_t wpnum;
780 uint64_t erase_addr;
781 int erase_len = 1 << HWBLOCK_SHIFT;
782
783 trace_sdcard_erase(sd->erase_start, sd->erase_end);
784 if (sd->erase_start == INVALID_ADDRESS
785 || sd->erase_end == INVALID_ADDRESS) {
786 sd->card_status |= ERASE_SEQ_ERROR;
787 sd->erase_start = INVALID_ADDRESS;
788 sd->erase_end = INVALID_ADDRESS;
789 return;
790 }
791
792 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
793
794 erase_start *= 512;
795 erase_end *= 512;
796 sdsc = false;
797 }
798
799 if (erase_start > sd->size || erase_end > sd->size) {
800 sd->card_status |= OUT_OF_RANGE;
801 sd->erase_start = INVALID_ADDRESS;
802 sd->erase_end = INVALID_ADDRESS;
803 return;
804 }
805
806 sd->erase_start = INVALID_ADDRESS;
807 sd->erase_end = INVALID_ADDRESS;
808 sd->csd[14] |= 0x40;
809
810 memset(sd->data, 0xff, erase_len);
811 for (erase_addr = erase_start; erase_addr <= erase_end;
812 erase_addr += erase_len) {
813 if (sdsc) {
814
815 wpnum = sd_addr_to_wpnum(erase_addr);
816 assert(wpnum < sd->wp_group_bits);
817 if (test_bit(wpnum, sd->wp_group_bmap)) {
818 sd->card_status |= WP_ERASE_SKIP;
819 continue;
820 }
821 }
822 BLK_WRITE_BLOCK(erase_addr, erase_len);
823 }
824}
825
826static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
827{
828 uint32_t i, wpnum;
829 uint32_t ret = 0;
830
831 wpnum = sd_addr_to_wpnum(addr);
832
833 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
834 if (addr >= sd->size) {
835
836
837
838
839 continue;
840 }
841 assert(wpnum < sd->wp_group_bits);
842 if (test_bit(wpnum, sd->wp_group_bmap)) {
843 ret |= (1 << i);
844 }
845 }
846
847 return ret;
848}
849
850static void sd_function_switch(SDState *sd, uint32_t arg)
851{
852 int i, mode, new_func;
853 mode = !!(arg & 0x80000000);
854
855 sd->data[0] = 0x00;
856 sd->data[1] = 0x01;
857 sd->data[2] = 0x80;
858 sd->data[3] = 0x01;
859 sd->data[4] = 0x80;
860 sd->data[5] = 0x01;
861 sd->data[6] = 0x80;
862 sd->data[7] = 0x01;
863 sd->data[8] = 0x80;
864 sd->data[9] = 0x01;
865 sd->data[10] = 0x80;
866 sd->data[11] = 0x43;
867 sd->data[12] = 0x80;
868 sd->data[13] = 0x03;
869
870 memset(&sd->data[14], 0, 3);
871 for (i = 0; i < 6; i ++) {
872 new_func = (arg >> (i * 4)) & 0x0f;
873 if (mode && new_func != 0x0f)
874 sd->function_group[i] = new_func;
875 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
876 }
877 memset(&sd->data[17], 0, 47);
878}
879
880static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
881{
882 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
883}
884
885static void sd_lock_command(SDState *sd)
886{
887 int erase, lock, clr_pwd, set_pwd, pwd_len;
888 erase = !!(sd->data[0] & 0x08);
889 lock = sd->data[0] & 0x04;
890 clr_pwd = sd->data[0] & 0x02;
891 set_pwd = sd->data[0] & 0x01;
892
893 if (sd->blk_len > 1)
894 pwd_len = sd->data[1];
895 else
896 pwd_len = 0;
897
898 if (lock) {
899 trace_sdcard_lock();
900 } else {
901 trace_sdcard_unlock();
902 }
903 if (erase) {
904 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
905 set_pwd || clr_pwd || lock || sd->wp_switch ||
906 (sd->csd[14] & 0x20)) {
907 sd->card_status |= LOCK_UNLOCK_FAILED;
908 return;
909 }
910 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
911 sd->csd[14] &= ~0x10;
912 sd->card_status &= ~CARD_IS_LOCKED;
913 sd->pwd_len = 0;
914
915 fprintf(stderr, "SD: Card force-erased by CMD42\n");
916 return;
917 }
918
919 if (sd->blk_len < 2 + pwd_len ||
920 pwd_len <= sd->pwd_len ||
921 pwd_len > sd->pwd_len + 16) {
922 sd->card_status |= LOCK_UNLOCK_FAILED;
923 return;
924 }
925
926 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
927 sd->card_status |= LOCK_UNLOCK_FAILED;
928 return;
929 }
930
931 pwd_len -= sd->pwd_len;
932 if ((pwd_len && !set_pwd) ||
933 (clr_pwd && (set_pwd || lock)) ||
934 (lock && !sd->pwd_len && !set_pwd) ||
935 (!set_pwd && !clr_pwd &&
936 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
937 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
938 sd->card_status |= LOCK_UNLOCK_FAILED;
939 return;
940 }
941
942 if (set_pwd) {
943 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
944 sd->pwd_len = pwd_len;
945 }
946
947 if (clr_pwd) {
948 sd->pwd_len = 0;
949 }
950
951 if (lock)
952 sd->card_status |= CARD_IS_LOCKED;
953 else
954 sd->card_status &= ~CARD_IS_LOCKED;
955}
956
957static bool address_in_range(SDState *sd, const char *desc,
958 uint64_t addr, uint32_t length)
959{
960 if (addr + length > sd->size) {
961 qemu_log_mask(LOG_GUEST_ERROR,
962 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
963 desc, addr, sd->size, length);
964 sd->card_status |= ADDRESS_ERROR;
965 return false;
966 }
967 return true;
968}
969
970static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
971{
972 uint32_t rca = 0x0000;
973 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
974
975
976
977
978 if (req.cmd != 55 || sd->expecting_acmd) {
979 trace_sdcard_normal_command(sd->proto_name,
980 sd_cmd_name(req.cmd), req.cmd,
981 req.arg, sd_state_name(sd->state));
982 }
983
984
985 sd->card_status &= ~APP_CMD;
986
987 if (sd_cmd_type[req.cmd] == sd_ac
988 || sd_cmd_type[req.cmd] == sd_adtc) {
989 rca = req.arg >> 16;
990 }
991
992
993
994 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
995 sd->multi_blk_cnt = 0;
996 }
997
998 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
999
1000 return sd_illegal;
1001 }
1002
1003 switch (req.cmd) {
1004
1005 case 0:
1006 switch (sd->state) {
1007 case sd_inactive_state:
1008 return sd->spi ? sd_r1 : sd_r0;
1009
1010 default:
1011 sd->state = sd_idle_state;
1012 sd_reset(DEVICE(sd));
1013 return sd->spi ? sd_r1 : sd_r0;
1014 }
1015 break;
1016
1017 case 1:
1018 if (!sd->spi)
1019 goto bad_cmd;
1020
1021 sd->state = sd_transfer_state;
1022 return sd_r1;
1023
1024 case 2:
1025 if (sd->spi)
1026 goto bad_cmd;
1027 switch (sd->state) {
1028 case sd_ready_state:
1029 sd->state = sd_identification_state;
1030 return sd_r2_i;
1031
1032 default:
1033 break;
1034 }
1035 break;
1036
1037 case 3:
1038 if (sd->spi)
1039 goto bad_cmd;
1040 switch (sd->state) {
1041 case sd_identification_state:
1042 case sd_standby_state:
1043 sd->state = sd_standby_state;
1044 sd_set_rca(sd);
1045 return sd_r6;
1046
1047 default:
1048 break;
1049 }
1050 break;
1051
1052 case 4:
1053 if (sd->spi)
1054 goto bad_cmd;
1055 switch (sd->state) {
1056 case sd_standby_state:
1057 break;
1058
1059 default:
1060 break;
1061 }
1062 break;
1063
1064 case 5:
1065 return sd_illegal;
1066
1067 case 6:
1068 switch (sd->mode) {
1069 case sd_data_transfer_mode:
1070 sd_function_switch(sd, req.arg);
1071 sd->state = sd_sendingdata_state;
1072 sd->data_start = 0;
1073 sd->data_offset = 0;
1074 return sd_r1;
1075
1076 default:
1077 break;
1078 }
1079 break;
1080
1081 case 7:
1082 if (sd->spi)
1083 goto bad_cmd;
1084 switch (sd->state) {
1085 case sd_standby_state:
1086 if (sd->rca != rca)
1087 return sd_r0;
1088
1089 sd->state = sd_transfer_state;
1090 return sd_r1b;
1091
1092 case sd_transfer_state:
1093 case sd_sendingdata_state:
1094 if (sd->rca == rca)
1095 break;
1096
1097 sd->state = sd_standby_state;
1098 return sd_r1b;
1099
1100 case sd_disconnect_state:
1101 if (sd->rca != rca)
1102 return sd_r0;
1103
1104 sd->state = sd_programming_state;
1105 return sd_r1b;
1106
1107 case sd_programming_state:
1108 if (sd->rca == rca)
1109 break;
1110
1111 sd->state = sd_disconnect_state;
1112 return sd_r1b;
1113
1114 default:
1115 break;
1116 }
1117 break;
1118
1119 case 8:
1120 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1121 break;
1122 }
1123 if (sd->state != sd_idle_state) {
1124 break;
1125 }
1126 sd->vhs = 0;
1127
1128
1129 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1130 return sd->spi ? sd_r7 : sd_r0;
1131 }
1132
1133
1134 sd->vhs = req.arg;
1135 return sd_r7;
1136
1137 case 9:
1138 switch (sd->state) {
1139 case sd_standby_state:
1140 if (sd->rca != rca)
1141 return sd_r0;
1142
1143 return sd_r2_s;
1144
1145 case sd_transfer_state:
1146 if (!sd->spi)
1147 break;
1148 sd->state = sd_sendingdata_state;
1149 memcpy(sd->data, sd->csd, 16);
1150 sd->data_start = addr;
1151 sd->data_offset = 0;
1152 return sd_r1;
1153
1154 default:
1155 break;
1156 }
1157 break;
1158
1159 case 10:
1160 switch (sd->state) {
1161 case sd_standby_state:
1162 if (sd->rca != rca)
1163 return sd_r0;
1164
1165 return sd_r2_i;
1166
1167 case sd_transfer_state:
1168 if (!sd->spi)
1169 break;
1170 sd->state = sd_sendingdata_state;
1171 memcpy(sd->data, sd->cid, 16);
1172 sd->data_start = addr;
1173 sd->data_offset = 0;
1174 return sd_r1;
1175
1176 default:
1177 break;
1178 }
1179 break;
1180
1181 case 12:
1182 switch (sd->state) {
1183 case sd_sendingdata_state:
1184 sd->state = sd_transfer_state;
1185 return sd_r1b;
1186
1187 case sd_receivingdata_state:
1188 sd->state = sd_programming_state;
1189
1190 sd->state = sd_transfer_state;
1191 return sd_r1b;
1192
1193 default:
1194 break;
1195 }
1196 break;
1197
1198 case 13:
1199 switch (sd->mode) {
1200 case sd_data_transfer_mode:
1201 if (!sd->spi && sd->rca != rca) {
1202 return sd_r0;
1203 }
1204
1205 return sd_r1;
1206
1207 default:
1208 break;
1209 }
1210 break;
1211
1212 case 15:
1213 if (sd->spi)
1214 goto bad_cmd;
1215 switch (sd->mode) {
1216 case sd_data_transfer_mode:
1217 if (sd->rca != rca)
1218 return sd_r0;
1219
1220 sd->state = sd_inactive_state;
1221 return sd_r0;
1222
1223 default:
1224 break;
1225 }
1226 break;
1227
1228
1229 case 16:
1230 switch (sd->state) {
1231 case sd_transfer_state:
1232 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1233 sd->card_status |= BLOCK_LEN_ERROR;
1234 } else {
1235 trace_sdcard_set_blocklen(req.arg);
1236 sd->blk_len = req.arg;
1237 }
1238
1239 return sd_r1;
1240
1241 default:
1242 break;
1243 }
1244 break;
1245
1246 case 17:
1247 case 18:
1248 switch (sd->state) {
1249 case sd_transfer_state:
1250
1251 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
1252 return sd_r1;
1253 }
1254
1255 sd->state = sd_sendingdata_state;
1256 sd->data_start = addr;
1257 sd->data_offset = 0;
1258 return sd_r1;
1259
1260 default:
1261 break;
1262 }
1263 break;
1264
1265 case 19:
1266 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1267 break;
1268 }
1269 if (sd->state == sd_transfer_state) {
1270 sd->state = sd_sendingdata_state;
1271 sd->data_offset = 0;
1272 return sd_r1;
1273 }
1274 break;
1275
1276 case 23:
1277 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1278 break;
1279 }
1280 switch (sd->state) {
1281 case sd_transfer_state:
1282 sd->multi_blk_cnt = req.arg;
1283 return sd_r1;
1284
1285 default:
1286 break;
1287 }
1288 break;
1289
1290
1291 case 24:
1292 case 25:
1293 switch (sd->state) {
1294 case sd_transfer_state:
1295
1296 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
1297 return sd_r1;
1298 }
1299
1300 sd->state = sd_receivingdata_state;
1301 sd->data_start = addr;
1302 sd->data_offset = 0;
1303 sd->blk_written = 0;
1304
1305 if (sd->size <= SDSC_MAX_CAPACITY) {
1306 if (sd_wp_addr(sd, sd->data_start)) {
1307 sd->card_status |= WP_VIOLATION;
1308 }
1309 }
1310 if (sd->csd[14] & 0x30) {
1311 sd->card_status |= WP_VIOLATION;
1312 }
1313 return sd_r1;
1314
1315 default:
1316 break;
1317 }
1318 break;
1319
1320 case 26:
1321 if (sd->spi)
1322 goto bad_cmd;
1323 switch (sd->state) {
1324 case sd_transfer_state:
1325 sd->state = sd_receivingdata_state;
1326 sd->data_start = 0;
1327 sd->data_offset = 0;
1328 return sd_r1;
1329
1330 default:
1331 break;
1332 }
1333 break;
1334
1335 case 27:
1336 switch (sd->state) {
1337 case sd_transfer_state:
1338 sd->state = sd_receivingdata_state;
1339 sd->data_start = 0;
1340 sd->data_offset = 0;
1341 return sd_r1;
1342
1343 default:
1344 break;
1345 }
1346 break;
1347
1348
1349 case 28:
1350 if (sd->size > SDSC_MAX_CAPACITY) {
1351 return sd_illegal;
1352 }
1353
1354 switch (sd->state) {
1355 case sd_transfer_state:
1356 if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
1357 return sd_r1b;
1358 }
1359
1360 sd->state = sd_programming_state;
1361 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1362
1363 sd->state = sd_transfer_state;
1364 return sd_r1b;
1365
1366 default:
1367 break;
1368 }
1369 break;
1370
1371 case 29:
1372 if (sd->size > SDSC_MAX_CAPACITY) {
1373 return sd_illegal;
1374 }
1375
1376 switch (sd->state) {
1377 case sd_transfer_state:
1378 if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
1379 return sd_r1b;
1380 }
1381
1382 sd->state = sd_programming_state;
1383 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
1384
1385 sd->state = sd_transfer_state;
1386 return sd_r1b;
1387
1388 default:
1389 break;
1390 }
1391 break;
1392
1393 case 30:
1394 if (sd->size > SDSC_MAX_CAPACITY) {
1395 return sd_illegal;
1396 }
1397
1398 switch (sd->state) {
1399 case sd_transfer_state:
1400 if (!address_in_range(sd, "SEND_WRITE_PROT",
1401 req.arg, sd->blk_len)) {
1402 return sd_r1;
1403 }
1404
1405 sd->state = sd_sendingdata_state;
1406 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1407 sd->data_start = addr;
1408 sd->data_offset = 0;
1409 return sd_r1;
1410
1411 default:
1412 break;
1413 }
1414 break;
1415
1416
1417 case 32:
1418 switch (sd->state) {
1419 case sd_transfer_state:
1420 sd->erase_start = req.arg;
1421 return sd_r1;
1422
1423 default:
1424 break;
1425 }
1426 break;
1427
1428 case 33:
1429 switch (sd->state) {
1430 case sd_transfer_state:
1431 sd->erase_end = req.arg;
1432 return sd_r1;
1433
1434 default:
1435 break;
1436 }
1437 break;
1438
1439 case 38:
1440 switch (sd->state) {
1441 case sd_transfer_state:
1442 if (sd->csd[14] & 0x30) {
1443 sd->card_status |= WP_VIOLATION;
1444 return sd_r1b;
1445 }
1446
1447 sd->state = sd_programming_state;
1448 sd_erase(sd);
1449
1450 sd->state = sd_transfer_state;
1451 return sd_r1b;
1452
1453 default:
1454 break;
1455 }
1456 break;
1457
1458
1459 case 42:
1460 switch (sd->state) {
1461 case sd_transfer_state:
1462 sd->state = sd_receivingdata_state;
1463 sd->data_start = 0;
1464 sd->data_offset = 0;
1465 return sd_r1;
1466
1467 default:
1468 break;
1469 }
1470 break;
1471
1472 case 52 ... 54:
1473
1474
1475
1476
1477
1478
1479 return sd_illegal;
1480
1481
1482 case 55:
1483 switch (sd->state) {
1484 case sd_ready_state:
1485 case sd_identification_state:
1486 case sd_inactive_state:
1487 return sd_illegal;
1488 case sd_idle_state:
1489 if (rca) {
1490 qemu_log_mask(LOG_GUEST_ERROR,
1491 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1492 }
1493 default:
1494 break;
1495 }
1496 if (!sd->spi) {
1497 if (sd->rca != rca) {
1498 return sd_r0;
1499 }
1500 }
1501 sd->expecting_acmd = true;
1502 sd->card_status |= APP_CMD;
1503 return sd_r1;
1504
1505 case 56:
1506 switch (sd->state) {
1507 case sd_transfer_state:
1508 sd->data_offset = 0;
1509 if (req.arg & 1)
1510 sd->state = sd_sendingdata_state;
1511 else
1512 sd->state = sd_receivingdata_state;
1513 return sd_r1;
1514
1515 default:
1516 break;
1517 }
1518 break;
1519
1520 case 58:
1521 if (!sd->spi) {
1522 goto bad_cmd;
1523 }
1524 return sd_r3;
1525
1526 case 59:
1527 if (!sd->spi) {
1528 goto bad_cmd;
1529 }
1530 return sd_r1;
1531
1532 default:
1533 bad_cmd:
1534 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1535 return sd_illegal;
1536 }
1537
1538 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
1539 req.cmd, sd_state_name(sd->state));
1540 return sd_illegal;
1541}
1542
1543static sd_rsp_type_t sd_app_command(SDState *sd,
1544 SDRequest req)
1545{
1546 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1547 req.cmd, req.arg, sd_state_name(sd->state));
1548 sd->card_status |= APP_CMD;
1549 switch (req.cmd) {
1550 case 6:
1551 if (sd->spi) {
1552 goto unimplemented_spi_cmd;
1553 }
1554 switch (sd->state) {
1555 case sd_transfer_state:
1556 sd->sd_status[0] &= 0x3f;
1557 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1558 return sd_r1;
1559
1560 default:
1561 break;
1562 }
1563 break;
1564
1565 case 13:
1566 switch (sd->state) {
1567 case sd_transfer_state:
1568 sd->state = sd_sendingdata_state;
1569 sd->data_start = 0;
1570 sd->data_offset = 0;
1571 return sd_r1;
1572
1573 default:
1574 break;
1575 }
1576 break;
1577
1578 case 22:
1579 switch (sd->state) {
1580 case sd_transfer_state:
1581 *(uint32_t *) sd->data = sd->blk_written;
1582
1583 sd->state = sd_sendingdata_state;
1584 sd->data_start = 0;
1585 sd->data_offset = 0;
1586 return sd_r1;
1587
1588 default:
1589 break;
1590 }
1591 break;
1592
1593 case 23:
1594 switch (sd->state) {
1595 case sd_transfer_state:
1596 return sd_r1;
1597
1598 default:
1599 break;
1600 }
1601 break;
1602
1603 case 41:
1604 if (sd->spi) {
1605
1606 sd->state = sd_transfer_state;
1607 return sd_r1;
1608 }
1609 if (sd->state != sd_idle_state) {
1610 break;
1611 }
1612
1613
1614
1615
1616
1617
1618
1619
1620 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1621 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1622 timer_del(sd->ocr_power_timer);
1623 sd_ocr_powerup(sd);
1624 } else {
1625 trace_sdcard_inquiry_cmd41();
1626 if (!timer_pending(sd->ocr_power_timer)) {
1627 timer_mod_ns(sd->ocr_power_timer,
1628 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1629 + OCR_POWER_DELAY_NS));
1630 }
1631 }
1632 }
1633
1634 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1635
1636
1637
1638
1639
1640 sd->state = sd_ready_state;
1641 }
1642
1643 return sd_r3;
1644
1645 case 42:
1646 switch (sd->state) {
1647 case sd_transfer_state:
1648
1649 return sd_r1;
1650
1651 default:
1652 break;
1653 }
1654 break;
1655
1656 case 51:
1657 switch (sd->state) {
1658 case sd_transfer_state:
1659 sd->state = sd_sendingdata_state;
1660 sd->data_start = 0;
1661 sd->data_offset = 0;
1662 return sd_r1;
1663
1664 default:
1665 break;
1666 }
1667 break;
1668
1669 case 18:
1670 case 25:
1671 case 26:
1672 case 38:
1673 case 43 ... 49:
1674
1675
1676
1677 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1678 req.cmd);
1679 return sd_illegal;
1680
1681 default:
1682
1683 return sd_normal_command(sd, req);
1684
1685 unimplemented_spi_cmd:
1686
1687 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1688 req.cmd);
1689 return sd_illegal;
1690 }
1691
1692 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1693 return sd_illegal;
1694}
1695
1696static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
1697{
1698
1699
1700
1701
1702
1703
1704
1705
1706 if (sd->expecting_acmd) {
1707 return cmd == 41 || cmd == 42;
1708 }
1709 if (cmd == 16 || cmd == 55) {
1710 return 1;
1711 }
1712 return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
1713}
1714
1715int sd_do_command(SDState *sd, SDRequest *req,
1716 uint8_t *response) {
1717 int last_state;
1718 sd_rsp_type_t rtype;
1719 int rsplen;
1720
1721 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1722 return 0;
1723 }
1724
1725 if (sd_req_crc_validate(req)) {
1726 sd->card_status |= COM_CRC_ERROR;
1727 rtype = sd_illegal;
1728 goto send_response;
1729 }
1730
1731 if (req->cmd >= SDMMC_CMD_MAX) {
1732 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1733 req->cmd);
1734 req->cmd &= 0x3f;
1735 }
1736
1737 if (sd->card_status & CARD_IS_LOCKED) {
1738 if (!cmd_valid_while_locked(sd, req->cmd)) {
1739 sd->card_status |= ILLEGAL_COMMAND;
1740 sd->expecting_acmd = false;
1741 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1742 rtype = sd_illegal;
1743 goto send_response;
1744 }
1745 }
1746
1747 last_state = sd->state;
1748 sd_set_mode(sd);
1749
1750 if (sd->expecting_acmd) {
1751 sd->expecting_acmd = false;
1752 rtype = sd_app_command(sd, *req);
1753 } else {
1754 rtype = sd_normal_command(sd, *req);
1755 }
1756
1757 if (rtype == sd_illegal) {
1758 sd->card_status |= ILLEGAL_COMMAND;
1759 } else {
1760
1761
1762
1763 sd->current_cmd = req->cmd;
1764 sd->card_status &= ~CURRENT_STATE;
1765 sd->card_status |= (last_state << 9);
1766 }
1767
1768send_response:
1769 switch (rtype) {
1770 case sd_r1:
1771 case sd_r1b:
1772 sd_response_r1_make(sd, response);
1773 rsplen = 4;
1774 break;
1775
1776 case sd_r2_i:
1777 memcpy(response, sd->cid, sizeof(sd->cid));
1778 rsplen = 16;
1779 break;
1780
1781 case sd_r2_s:
1782 memcpy(response, sd->csd, sizeof(sd->csd));
1783 rsplen = 16;
1784 break;
1785
1786 case sd_r3:
1787 sd_response_r3_make(sd, response);
1788 rsplen = 4;
1789 break;
1790
1791 case sd_r6:
1792 sd_response_r6_make(sd, response);
1793 rsplen = 4;
1794 break;
1795
1796 case sd_r7:
1797 sd_response_r7_make(sd, response);
1798 rsplen = 4;
1799 break;
1800
1801 case sd_r0:
1802 case sd_illegal:
1803 rsplen = 0;
1804 break;
1805 default:
1806 g_assert_not_reached();
1807 }
1808 trace_sdcard_response(sd_response_name(rtype), rsplen);
1809
1810 if (rtype != sd_illegal) {
1811
1812
1813
1814 sd->card_status &= ~CARD_STATUS_B;
1815 }
1816
1817#ifdef DEBUG_SD
1818 qemu_hexdump(stderr, "Response", response, rsplen);
1819#endif
1820
1821 return rsplen;
1822}
1823
1824void sd_write_byte(SDState *sd, uint8_t value)
1825{
1826 int i;
1827
1828 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1829 return;
1830
1831 if (sd->state != sd_receivingdata_state) {
1832 qemu_log_mask(LOG_GUEST_ERROR,
1833 "%s: not in Receiving-Data state\n", __func__);
1834 return;
1835 }
1836
1837 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1838 return;
1839
1840 trace_sdcard_write_data(sd->proto_name,
1841 sd_acmd_name(sd->current_cmd),
1842 sd->current_cmd, value);
1843 switch (sd->current_cmd) {
1844 case 24:
1845 sd->data[sd->data_offset ++] = value;
1846 if (sd->data_offset >= sd->blk_len) {
1847
1848 sd->state = sd_programming_state;
1849 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1850 sd->blk_written ++;
1851 sd->csd[14] |= 0x40;
1852
1853 sd->state = sd_transfer_state;
1854 }
1855 break;
1856
1857 case 25:
1858 if (sd->data_offset == 0) {
1859
1860 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
1861 sd->data_start, sd->blk_len)) {
1862 break;
1863 }
1864 if (sd->size <= SDSC_MAX_CAPACITY) {
1865 if (sd_wp_addr(sd, sd->data_start)) {
1866 sd->card_status |= WP_VIOLATION;
1867 break;
1868 }
1869 }
1870 }
1871 sd->data[sd->data_offset++] = value;
1872 if (sd->data_offset >= sd->blk_len) {
1873
1874 sd->state = sd_programming_state;
1875 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1876 sd->blk_written++;
1877 sd->data_start += sd->blk_len;
1878 sd->data_offset = 0;
1879 sd->csd[14] |= 0x40;
1880
1881
1882 if (sd->multi_blk_cnt != 0) {
1883 if (--sd->multi_blk_cnt == 0) {
1884
1885 sd->state = sd_transfer_state;
1886 break;
1887 }
1888 }
1889
1890 sd->state = sd_receivingdata_state;
1891 }
1892 break;
1893
1894 case 26:
1895 sd->data[sd->data_offset ++] = value;
1896 if (sd->data_offset >= sizeof(sd->cid)) {
1897
1898 sd->state = sd_programming_state;
1899 for (i = 0; i < sizeof(sd->cid); i ++)
1900 if ((sd->cid[i] | 0x00) != sd->data[i])
1901 sd->card_status |= CID_CSD_OVERWRITE;
1902
1903 if (!(sd->card_status & CID_CSD_OVERWRITE))
1904 for (i = 0; i < sizeof(sd->cid); i ++) {
1905 sd->cid[i] |= 0x00;
1906 sd->cid[i] &= sd->data[i];
1907 }
1908
1909 sd->state = sd_transfer_state;
1910 }
1911 break;
1912
1913 case 27:
1914 sd->data[sd->data_offset ++] = value;
1915 if (sd->data_offset >= sizeof(sd->csd)) {
1916
1917 sd->state = sd_programming_state;
1918 for (i = 0; i < sizeof(sd->csd); i ++)
1919 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1920 (sd->data[i] | sd_csd_rw_mask[i]))
1921 sd->card_status |= CID_CSD_OVERWRITE;
1922
1923
1924 if (sd->csd[14] & ~sd->data[14] & 0x60)
1925 sd->card_status |= CID_CSD_OVERWRITE;
1926
1927 if (!(sd->card_status & CID_CSD_OVERWRITE))
1928 for (i = 0; i < sizeof(sd->csd); i ++) {
1929 sd->csd[i] |= sd_csd_rw_mask[i];
1930 sd->csd[i] &= sd->data[i];
1931 }
1932
1933 sd->state = sd_transfer_state;
1934 }
1935 break;
1936
1937 case 42:
1938 sd->data[sd->data_offset ++] = value;
1939 if (sd->data_offset >= sd->blk_len) {
1940
1941 sd->state = sd_programming_state;
1942 sd_lock_command(sd);
1943
1944 sd->state = sd_transfer_state;
1945 }
1946 break;
1947
1948 case 56:
1949 sd->data[sd->data_offset ++] = value;
1950 if (sd->data_offset >= sd->blk_len) {
1951 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1952 sd->state = sd_transfer_state;
1953 }
1954 break;
1955
1956 default:
1957 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1958 break;
1959 }
1960}
1961
1962#define SD_TUNING_BLOCK_SIZE 64
1963
1964static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1965
1966 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1967 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1968 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1969 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1970 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1971 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1972 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1973 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1974};
1975
1976uint8_t sd_read_byte(SDState *sd)
1977{
1978
1979 uint8_t ret;
1980 uint32_t io_len;
1981
1982 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1983 return 0x00;
1984
1985 if (sd->state != sd_sendingdata_state) {
1986 qemu_log_mask(LOG_GUEST_ERROR,
1987 "%s: not in Sending-Data state\n", __func__);
1988 return 0x00;
1989 }
1990
1991 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1992 return 0x00;
1993
1994 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1995
1996 trace_sdcard_read_data(sd->proto_name,
1997 sd_acmd_name(sd->current_cmd),
1998 sd->current_cmd, io_len);
1999 switch (sd->current_cmd) {
2000 case 6:
2001 ret = sd->data[sd->data_offset ++];
2002
2003 if (sd->data_offset >= 64)
2004 sd->state = sd_transfer_state;
2005 break;
2006
2007 case 9:
2008 case 10:
2009 ret = sd->data[sd->data_offset ++];
2010
2011 if (sd->data_offset >= 16)
2012 sd->state = sd_transfer_state;
2013 break;
2014
2015 case 13:
2016 ret = sd->sd_status[sd->data_offset ++];
2017
2018 if (sd->data_offset >= sizeof(sd->sd_status))
2019 sd->state = sd_transfer_state;
2020 break;
2021
2022 case 17:
2023 if (sd->data_offset == 0)
2024 BLK_READ_BLOCK(sd->data_start, io_len);
2025 ret = sd->data[sd->data_offset ++];
2026
2027 if (sd->data_offset >= io_len)
2028 sd->state = sd_transfer_state;
2029 break;
2030
2031 case 18:
2032 if (sd->data_offset == 0) {
2033 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
2034 sd->data_start, io_len)) {
2035 return 0x00;
2036 }
2037 BLK_READ_BLOCK(sd->data_start, io_len);
2038 }
2039 ret = sd->data[sd->data_offset ++];
2040
2041 if (sd->data_offset >= io_len) {
2042 sd->data_start += io_len;
2043 sd->data_offset = 0;
2044
2045 if (sd->multi_blk_cnt != 0) {
2046 if (--sd->multi_blk_cnt == 0) {
2047
2048 sd->state = sd_transfer_state;
2049 break;
2050 }
2051 }
2052 }
2053 break;
2054
2055 case 19:
2056 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2057 sd->state = sd_transfer_state;
2058 }
2059 ret = sd_tuning_block_pattern[sd->data_offset++];
2060 break;
2061
2062 case 22:
2063 ret = sd->data[sd->data_offset ++];
2064
2065 if (sd->data_offset >= 4)
2066 sd->state = sd_transfer_state;
2067 break;
2068
2069 case 30:
2070 ret = sd->data[sd->data_offset ++];
2071
2072 if (sd->data_offset >= 4)
2073 sd->state = sd_transfer_state;
2074 break;
2075
2076 case 51:
2077 ret = sd->scr[sd->data_offset ++];
2078
2079 if (sd->data_offset >= sizeof(sd->scr))
2080 sd->state = sd_transfer_state;
2081 break;
2082
2083 case 56:
2084 if (sd->data_offset == 0)
2085 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2086 ret = sd->data[sd->data_offset ++];
2087
2088 if (sd->data_offset >= sd->blk_len)
2089 sd->state = sd_transfer_state;
2090 break;
2091
2092 default:
2093 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2094 return 0x00;
2095 }
2096
2097 return ret;
2098}
2099
2100static bool sd_receive_ready(SDState *sd)
2101{
2102 return sd->state == sd_receivingdata_state;
2103}
2104
2105static bool sd_data_ready(SDState *sd)
2106{
2107 return sd->state == sd_sendingdata_state;
2108}
2109
2110void sd_enable(SDState *sd, bool enable)
2111{
2112 sd->enable = enable;
2113}
2114
2115static void sd_instance_init(Object *obj)
2116{
2117 SDState *sd = SD_CARD(obj);
2118
2119 sd->enable = true;
2120 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2121}
2122
2123static void sd_instance_finalize(Object *obj)
2124{
2125 SDState *sd = SD_CARD(obj);
2126
2127 timer_free(sd->ocr_power_timer);
2128}
2129
2130static void sd_realize(DeviceState *dev, Error **errp)
2131{
2132 SDState *sd = SD_CARD(dev);
2133 int ret;
2134
2135 sd->proto_name = sd->spi ? "SPI" : "SD";
2136
2137 switch (sd->spec_version) {
2138 case SD_PHY_SPECv1_10_VERS
2139 ... SD_PHY_SPECv3_01_VERS:
2140 break;
2141 default:
2142 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2143 return;
2144 }
2145
2146 if (sd->blk) {
2147 int64_t blk_size;
2148
2149 if (!blk_supports_write_perm(sd->blk)) {
2150 error_setg(errp, "Cannot use read-only drive as SD card");
2151 return;
2152 }
2153
2154 blk_size = blk_getlength(sd->blk);
2155 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2156 int64_t blk_size_aligned = pow2ceil(blk_size);
2157 char *blk_size_str;
2158
2159 blk_size_str = size_to_str(blk_size);
2160 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2161 g_free(blk_size_str);
2162
2163 blk_size_str = size_to_str(blk_size_aligned);
2164 error_append_hint(errp,
2165 "SD card size has to be a power of 2, e.g. %s.\n"
2166 "You can resize disk images with"
2167 " 'qemu-img resize <imagefile> <new-size>'\n"
2168 "(note that this will lose data if you make the"
2169 " image smaller than it currently is).\n",
2170 blk_size_str);
2171 g_free(blk_size_str);
2172
2173 return;
2174 }
2175
2176 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2177 BLK_PERM_ALL, errp);
2178 if (ret < 0) {
2179 return;
2180 }
2181 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2182 }
2183}
2184
2185static Property sd_properties[] = {
2186 DEFINE_PROP_UINT8("spec_version", SDState,
2187 spec_version, SD_PHY_SPECv2_00_VERS),
2188 DEFINE_PROP_DRIVE("drive", SDState, blk),
2189
2190
2191
2192
2193 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2194 DEFINE_PROP_END_OF_LIST()
2195};
2196
2197static void sd_class_init(ObjectClass *klass, void *data)
2198{
2199 DeviceClass *dc = DEVICE_CLASS(klass);
2200 SDCardClass *sc = SD_CARD_CLASS(klass);
2201
2202 dc->realize = sd_realize;
2203 device_class_set_props(dc, sd_properties);
2204 dc->vmsd = &sd_vmstate;
2205 dc->reset = sd_reset;
2206 dc->bus_type = TYPE_SD_BUS;
2207 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2208
2209 sc->set_voltage = sd_set_voltage;
2210 sc->get_dat_lines = sd_get_dat_lines;
2211 sc->get_cmd_line = sd_get_cmd_line;
2212 sc->do_command = sd_do_command;
2213 sc->write_byte = sd_write_byte;
2214 sc->read_byte = sd_read_byte;
2215 sc->receive_ready = sd_receive_ready;
2216 sc->data_ready = sd_data_ready;
2217 sc->enable = sd_enable;
2218 sc->get_inserted = sd_get_inserted;
2219 sc->get_readonly = sd_get_readonly;
2220}
2221
2222static const TypeInfo sd_info = {
2223 .name = TYPE_SD_CARD,
2224 .parent = TYPE_DEVICE,
2225 .instance_size = sizeof(SDState),
2226 .class_size = sizeof(SDCardClass),
2227 .class_init = sd_class_init,
2228 .instance_init = sd_instance_init,
2229 .instance_finalize = sd_instance_finalize,
2230};
2231
2232static void sd_register_types(void)
2233{
2234 type_register_static(&sd_info);
2235}
2236
2237type_init(sd_register_types)
2238
