qemu/hw/ssi/npcm7xx_fiu.c
Havard Skinnemoen b821242c7b hw/ssi: NPCM7xx Flash Interface Unit device model
This implements a device model for the NPCM7xx SPI flash controller.

Direct reads and writes, and user-mode transactions have been tested in
various modes. Protection features are not implemented yet.

All the FIU instances are available in the SoC's address space,
regardless of whether or not they're connected to actual flash chips.

Reviewed-by: Tyrone Ting <kfting@nuvoton.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Havard Skinnemoen <hskinnemoen@google.com>
Message-id: 20200911052101.2602693-11-hskinnemoen@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-09-14 14:24:59 +01:00

573 lines
18 KiB
C

/*
* Nuvoton NPCM7xx Flash Interface Unit (FIU)
*
* Copyright 2020 Google LLC
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "qemu/osdep.h"
#include "hw/irq.h"
#include "hw/qdev-properties.h"
#include "hw/ssi/npcm7xx_fiu.h"
#include "migration/vmstate.h"
#include "qapi/error.h"
#include "qemu/error-report.h"
#include "qemu/log.h"
#include "qemu/module.h"
#include "qemu/units.h"
#include "trace.h"
/* Up to 128 MiB of flash may be accessed directly as memory. */
#define NPCM7XX_FIU_FLASH_WINDOW_SIZE (128 * MiB)
/* Each module has 4 KiB of register space. Only a fraction of it is used. */
#define NPCM7XX_FIU_CTRL_REGS_SIZE (4 * KiB)
/* 32-bit FIU register indices. */
enum NPCM7xxFIURegister {
NPCM7XX_FIU_DRD_CFG,
NPCM7XX_FIU_DWR_CFG,
NPCM7XX_FIU_UMA_CFG,
NPCM7XX_FIU_UMA_CTS,
NPCM7XX_FIU_UMA_CMD,
NPCM7XX_FIU_UMA_ADDR,
NPCM7XX_FIU_PRT_CFG,
NPCM7XX_FIU_UMA_DW0 = 0x0020 / sizeof(uint32_t),
NPCM7XX_FIU_UMA_DW1,
NPCM7XX_FIU_UMA_DW2,
NPCM7XX_FIU_UMA_DW3,
NPCM7XX_FIU_UMA_DR0,
NPCM7XX_FIU_UMA_DR1,
NPCM7XX_FIU_UMA_DR2,
NPCM7XX_FIU_UMA_DR3,
NPCM7XX_FIU_PRT_CMD0,
NPCM7XX_FIU_PRT_CMD1,
NPCM7XX_FIU_PRT_CMD2,
NPCM7XX_FIU_PRT_CMD3,
NPCM7XX_FIU_PRT_CMD4,
NPCM7XX_FIU_PRT_CMD5,
NPCM7XX_FIU_PRT_CMD6,
NPCM7XX_FIU_PRT_CMD7,
NPCM7XX_FIU_PRT_CMD8,
NPCM7XX_FIU_PRT_CMD9,
NPCM7XX_FIU_CFG = 0x78 / sizeof(uint32_t),
NPCM7XX_FIU_REGS_END,
};
/* FIU_{DRD,DWR,UMA,PTR}_CFG cannot be written when this bit is set. */
#define NPCM7XX_FIU_CFG_LCK BIT(31)
/* Direct Read configuration register fields. */
#define FIU_DRD_CFG_ADDSIZ(rv) extract32(rv, 16, 2)
#define FIU_ADDSIZ_3BYTES 0
#define FIU_ADDSIZ_4BYTES 1
#define FIU_DRD_CFG_DBW(rv) extract32(rv, 12, 2)
#define FIU_DRD_CFG_ACCTYPE(rv) extract32(rv, 8, 2)
#define FIU_DRD_CFG_RDCMD(rv) extract32(rv, 0, 8)
/* Direct Write configuration register fields. */
#define FIU_DWR_CFG_ADDSIZ(rv) extract32(rv, 16, 2)
#define FIU_DWR_CFG_WRCMD(rv) extract32(rv, 0, 8)
/* User-Mode Access register fields. */
/* Command Mode Lock and the bits protected by it. */
#define FIU_UMA_CFG_CMMLCK BIT(30)
#define FIU_UMA_CFG_CMMLCK_MASK 0x00000403
#define FIU_UMA_CFG_RDATSIZ(rv) extract32(rv, 24, 5)
#define FIU_UMA_CFG_DBSIZ(rv) extract32(rv, 21, 3)
#define FIU_UMA_CFG_WDATSIZ(rv) extract32(rv, 16, 5)
#define FIU_UMA_CFG_ADDSIZ(rv) extract32(rv, 11, 3)
#define FIU_UMA_CFG_CMDSIZ(rv) extract32(rv, 10, 1)
#define FIU_UMA_CFG_DBPCK(rv) extract32(rv, 6, 2)
#define FIU_UMA_CTS_RDYIE BIT(25)
#define FIU_UMA_CTS_RDYST BIT(24)
#define FIU_UMA_CTS_SW_CS BIT(16)
#define FIU_UMA_CTS_DEV_NUM(rv) extract32(rv, 8, 2)
#define FIU_UMA_CTS_EXEC_DONE BIT(0)
/*
* Returns the index of flash in the fiu->flash array. This corresponds to the
* chip select ID of the flash.
*/
static int npcm7xx_fiu_cs_index(NPCM7xxFIUState *fiu, NPCM7xxFIUFlash *flash)
{
int index = flash - fiu->flash;
g_assert(index >= 0 && index < fiu->cs_count);
return index;
}
/* Assert the chip select specified in the UMA Control/Status Register. */
static void npcm7xx_fiu_select(NPCM7xxFIUState *s, int cs_id)
{
trace_npcm7xx_fiu_select(DEVICE(s)->canonical_path, cs_id);
if (cs_id < s->cs_count) {
qemu_irq_lower(s->cs_lines[cs_id]);
} else {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: UMA to CS%d; this module has only %d chip selects",
DEVICE(s)->canonical_path, cs_id, s->cs_count);
cs_id = -1;
}
s->active_cs = cs_id;
}
/* Deassert the currently active chip select. */
static void npcm7xx_fiu_deselect(NPCM7xxFIUState *s)
{
if (s->active_cs < 0) {
return;
}
trace_npcm7xx_fiu_deselect(DEVICE(s)->canonical_path, s->active_cs);
qemu_irq_raise(s->cs_lines[s->active_cs]);
s->active_cs = -1;
}
/* Direct flash memory read handler. */
static uint64_t npcm7xx_fiu_flash_read(void *opaque, hwaddr addr,
unsigned int size)
{
NPCM7xxFIUFlash *f = opaque;
NPCM7xxFIUState *fiu = f->fiu;
uint64_t value = 0;
uint32_t drd_cfg;
int dummy_cycles;
int i;
if (fiu->active_cs != -1) {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: direct flash read with CS%d already active",
DEVICE(fiu)->canonical_path, fiu->active_cs);
}
npcm7xx_fiu_select(fiu, npcm7xx_fiu_cs_index(fiu, f));
drd_cfg = fiu->regs[NPCM7XX_FIU_DRD_CFG];
ssi_transfer(fiu->spi, FIU_DRD_CFG_RDCMD(drd_cfg));
switch (FIU_DRD_CFG_ADDSIZ(drd_cfg)) {
case FIU_ADDSIZ_4BYTES:
ssi_transfer(fiu->spi, extract32(addr, 24, 8));
/* fall through */
case FIU_ADDSIZ_3BYTES:
ssi_transfer(fiu->spi, extract32(addr, 16, 8));
ssi_transfer(fiu->spi, extract32(addr, 8, 8));
ssi_transfer(fiu->spi, extract32(addr, 0, 8));
break;
default:
qemu_log_mask(LOG_GUEST_ERROR, "%s: bad address size %d\n",
DEVICE(fiu)->canonical_path, FIU_DRD_CFG_ADDSIZ(drd_cfg));
break;
}
/* Flash chip model expects one transfer per dummy bit, not byte */
dummy_cycles =
(FIU_DRD_CFG_DBW(drd_cfg) * 8) >> FIU_DRD_CFG_ACCTYPE(drd_cfg);
for (i = 0; i < dummy_cycles; i++) {
ssi_transfer(fiu->spi, 0);
}
for (i = 0; i < size; i++) {
value = deposit64(value, 8 * i, 8, ssi_transfer(fiu->spi, 0));
}
trace_npcm7xx_fiu_flash_read(DEVICE(fiu)->canonical_path, fiu->active_cs,
addr, size, value);
npcm7xx_fiu_deselect(fiu);
return value;
}
/* Direct flash memory write handler. */
static void npcm7xx_fiu_flash_write(void *opaque, hwaddr addr, uint64_t v,
unsigned int size)
{
NPCM7xxFIUFlash *f = opaque;
NPCM7xxFIUState *fiu = f->fiu;
uint32_t dwr_cfg;
int cs_id;
int i;
if (fiu->active_cs != -1) {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: direct flash write with CS%d already active",
DEVICE(fiu)->canonical_path, fiu->active_cs);
}
cs_id = npcm7xx_fiu_cs_index(fiu, f);
trace_npcm7xx_fiu_flash_write(DEVICE(fiu)->canonical_path, cs_id, addr,
size, v);
npcm7xx_fiu_select(fiu, cs_id);
dwr_cfg = fiu->regs[NPCM7XX_FIU_DWR_CFG];
ssi_transfer(fiu->spi, FIU_DWR_CFG_WRCMD(dwr_cfg));
switch (FIU_DWR_CFG_ADDSIZ(dwr_cfg)) {
case FIU_ADDSIZ_4BYTES:
ssi_transfer(fiu->spi, extract32(addr, 24, 8));
/* fall through */
case FIU_ADDSIZ_3BYTES:
ssi_transfer(fiu->spi, extract32(addr, 16, 8));
ssi_transfer(fiu->spi, extract32(addr, 8, 8));
ssi_transfer(fiu->spi, extract32(addr, 0, 8));
break;
default:
qemu_log_mask(LOG_GUEST_ERROR, "%s: bad address size %d\n",
DEVICE(fiu)->canonical_path, FIU_DWR_CFG_ADDSIZ(dwr_cfg));
break;
}
for (i = 0; i < size; i++) {
ssi_transfer(fiu->spi, extract64(v, i * 8, 8));
}
npcm7xx_fiu_deselect(fiu);
}
static const MemoryRegionOps npcm7xx_fiu_flash_ops = {
.read = npcm7xx_fiu_flash_read,
.write = npcm7xx_fiu_flash_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.valid = {
.min_access_size = 1,
.max_access_size = 8,
.unaligned = true,
},
};
/* Control register read handler. */
static uint64_t npcm7xx_fiu_ctrl_read(void *opaque, hwaddr addr,
unsigned int size)
{
hwaddr reg = addr / sizeof(uint32_t);
NPCM7xxFIUState *s = opaque;
uint32_t value;
if (reg < NPCM7XX_FIU_NR_REGS) {
value = s->regs[reg];
} else {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: read from invalid offset 0x%" PRIx64 "\n",
DEVICE(s)->canonical_path, addr);
value = 0;
}
trace_npcm7xx_fiu_ctrl_read(DEVICE(s)->canonical_path, addr, value);
return value;
}
/* Send the specified number of address bytes from the UMA address register. */
static void send_address(SSIBus *spi, unsigned int addsiz, uint32_t addr)
{
switch (addsiz) {
case 4:
ssi_transfer(spi, extract32(addr, 24, 8));
/* fall through */
case 3:
ssi_transfer(spi, extract32(addr, 16, 8));
/* fall through */
case 2:
ssi_transfer(spi, extract32(addr, 8, 8));
/* fall through */
case 1:
ssi_transfer(spi, extract32(addr, 0, 8));
/* fall through */
case 0:
break;
}
}
/* Send the number of dummy bits specified in the UMA config register. */
static void send_dummy_bits(SSIBus *spi, uint32_t uma_cfg, uint32_t uma_cmd)
{
unsigned int bits_per_clock = 1U << FIU_UMA_CFG_DBPCK(uma_cfg);
unsigned int i;
for (i = 0; i < FIU_UMA_CFG_DBSIZ(uma_cfg); i++) {
/* Use bytes 0 and 1 first, then keep repeating byte 2 */
unsigned int field = (i < 2) ? ((i + 1) * 8) : 24;
unsigned int j;
for (j = 0; j < 8; j += bits_per_clock) {
ssi_transfer(spi, extract32(uma_cmd, field + j, bits_per_clock));
}
}
}
/* Perform a User-Mode Access transaction. */
static void npcm7xx_fiu_uma_transaction(NPCM7xxFIUState *s)
{
uint32_t uma_cts = s->regs[NPCM7XX_FIU_UMA_CTS];
uint32_t uma_cfg;
unsigned int i;
/* SW_CS means the CS is already forced low, so don't touch it. */
if (uma_cts & FIU_UMA_CTS_SW_CS) {
int cs_id = FIU_UMA_CTS_DEV_NUM(s->regs[NPCM7XX_FIU_UMA_CTS]);
npcm7xx_fiu_select(s, cs_id);
}
/* Send command, if present. */
uma_cfg = s->regs[NPCM7XX_FIU_UMA_CFG];
if (FIU_UMA_CFG_CMDSIZ(uma_cfg) > 0) {
ssi_transfer(s->spi, extract32(s->regs[NPCM7XX_FIU_UMA_CMD], 0, 8));
}
/* Send address, if present. */
send_address(s->spi, FIU_UMA_CFG_ADDSIZ(uma_cfg),
s->regs[NPCM7XX_FIU_UMA_ADDR]);
/* Write data, if present. */
for (i = 0; i < FIU_UMA_CFG_WDATSIZ(uma_cfg); i++) {
unsigned int reg =
(i < 16) ? (NPCM7XX_FIU_UMA_DW0 + i / 4) : NPCM7XX_FIU_UMA_DW3;
unsigned int field = (i % 4) * 8;
ssi_transfer(s->spi, extract32(s->regs[reg], field, 8));
}
/* Send dummy bits, if present. */
send_dummy_bits(s->spi, uma_cfg, s->regs[NPCM7XX_FIU_UMA_CMD]);
/* Read data, if present. */
for (i = 0; i < FIU_UMA_CFG_RDATSIZ(uma_cfg); i++) {
unsigned int reg = NPCM7XX_FIU_UMA_DR0 + i / 4;
unsigned int field = (i % 4) * 8;
uint8_t c;
c = ssi_transfer(s->spi, 0);
if (reg <= NPCM7XX_FIU_UMA_DR3) {
s->regs[reg] = deposit32(s->regs[reg], field, 8, c);
}
}
/* Again, don't touch CS if the user is forcing it low. */
if (uma_cts & FIU_UMA_CTS_SW_CS) {
npcm7xx_fiu_deselect(s);
}
/* RDYST means a command has completed since it was cleared. */
s->regs[NPCM7XX_FIU_UMA_CTS] |= FIU_UMA_CTS_RDYST;
/* EXEC_DONE means Execute Command / Not Done, so clear it here. */
s->regs[NPCM7XX_FIU_UMA_CTS] &= ~FIU_UMA_CTS_EXEC_DONE;
}
/* Control register write handler. */
static void npcm7xx_fiu_ctrl_write(void *opaque, hwaddr addr, uint64_t v,
unsigned int size)
{
hwaddr reg = addr / sizeof(uint32_t);
NPCM7xxFIUState *s = opaque;
uint32_t value = v;
trace_npcm7xx_fiu_ctrl_write(DEVICE(s)->canonical_path, addr, value);
switch (reg) {
case NPCM7XX_FIU_UMA_CFG:
if (s->regs[reg] & FIU_UMA_CFG_CMMLCK) {
value &= ~FIU_UMA_CFG_CMMLCK_MASK;
value |= (s->regs[reg] & FIU_UMA_CFG_CMMLCK_MASK);
}
/* fall through */
case NPCM7XX_FIU_DRD_CFG:
case NPCM7XX_FIU_DWR_CFG:
if (s->regs[reg] & NPCM7XX_FIU_CFG_LCK) {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: write to locked register @ 0x%" PRIx64 "\n",
DEVICE(s)->canonical_path, addr);
return;
}
s->regs[reg] = value;
break;
case NPCM7XX_FIU_UMA_CTS:
if (value & FIU_UMA_CTS_RDYST) {
value &= ~FIU_UMA_CTS_RDYST;
} else {
value |= s->regs[reg] & FIU_UMA_CTS_RDYST;
}
if ((s->regs[reg] ^ value) & FIU_UMA_CTS_SW_CS) {
if (value & FIU_UMA_CTS_SW_CS) {
/*
* Don't drop CS if there's a transfer in progress, or we're
* about to start one.
*/
if (!((value | s->regs[reg]) & FIU_UMA_CTS_EXEC_DONE)) {
npcm7xx_fiu_deselect(s);
}
} else {
int cs_id = FIU_UMA_CTS_DEV_NUM(s->regs[NPCM7XX_FIU_UMA_CTS]);
npcm7xx_fiu_select(s, cs_id);
}
}
s->regs[reg] = value | (s->regs[reg] & FIU_UMA_CTS_EXEC_DONE);
if (value & FIU_UMA_CTS_EXEC_DONE) {
npcm7xx_fiu_uma_transaction(s);
}
break;
case NPCM7XX_FIU_UMA_DR0 ... NPCM7XX_FIU_UMA_DR3:
qemu_log_mask(LOG_GUEST_ERROR,
"%s: write to read-only register @ 0x%" PRIx64 "\n",
DEVICE(s)->canonical_path, addr);
return;
case NPCM7XX_FIU_PRT_CFG:
case NPCM7XX_FIU_PRT_CMD0 ... NPCM7XX_FIU_PRT_CMD9:
qemu_log_mask(LOG_UNIMP, "%s: PRT is not implemented\n", __func__);
break;
case NPCM7XX_FIU_UMA_CMD:
case NPCM7XX_FIU_UMA_ADDR:
case NPCM7XX_FIU_UMA_DW0 ... NPCM7XX_FIU_UMA_DW3:
case NPCM7XX_FIU_CFG:
s->regs[reg] = value;
break;
default:
qemu_log_mask(LOG_GUEST_ERROR,
"%s: write to invalid offset 0x%" PRIx64 "\n",
DEVICE(s)->canonical_path, addr);
return;
}
}
static const MemoryRegionOps npcm7xx_fiu_ctrl_ops = {
.read = npcm7xx_fiu_ctrl_read,
.write = npcm7xx_fiu_ctrl_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.valid = {
.min_access_size = 4,
.max_access_size = 4,
.unaligned = false,
},
};
static void npcm7xx_fiu_enter_reset(Object *obj, ResetType type)
{
NPCM7xxFIUState *s = NPCM7XX_FIU(obj);
trace_npcm7xx_fiu_enter_reset(DEVICE(obj)->canonical_path, type);
memset(s->regs, 0, sizeof(s->regs));
s->regs[NPCM7XX_FIU_DRD_CFG] = 0x0300100b;
s->regs[NPCM7XX_FIU_DWR_CFG] = 0x03000002;
s->regs[NPCM7XX_FIU_UMA_CFG] = 0x00000400;
s->regs[NPCM7XX_FIU_UMA_CTS] = 0x00010000;
s->regs[NPCM7XX_FIU_UMA_CMD] = 0x0000000b;
s->regs[NPCM7XX_FIU_PRT_CFG] = 0x00000400;
s->regs[NPCM7XX_FIU_CFG] = 0x0000000b;
}
static void npcm7xx_fiu_hold_reset(Object *obj)
{
NPCM7xxFIUState *s = NPCM7XX_FIU(obj);
int i;
trace_npcm7xx_fiu_hold_reset(DEVICE(obj)->canonical_path);
for (i = 0; i < s->cs_count; i++) {
qemu_irq_raise(s->cs_lines[i]);
}
}
static void npcm7xx_fiu_realize(DeviceState *dev, Error **errp)
{
NPCM7xxFIUState *s = NPCM7XX_FIU(dev);
SysBusDevice *sbd = &s->parent;
int i;
if (s->cs_count <= 0) {
error_setg(errp, "%s: %d chip selects specified, need at least one",
dev->canonical_path, s->cs_count);
return;
}
s->spi = ssi_create_bus(dev, "spi");
s->cs_lines = g_new0(qemu_irq, s->cs_count);
qdev_init_gpio_out_named(DEVICE(s), s->cs_lines, "cs", s->cs_count);
s->flash = g_new0(NPCM7xxFIUFlash, s->cs_count);
/*
* Register the control registers region first. It may be followed by one
* or more direct flash access regions.
*/
memory_region_init_io(&s->mmio, OBJECT(s), &npcm7xx_fiu_ctrl_ops, s, "ctrl",
NPCM7XX_FIU_CTRL_REGS_SIZE);
sysbus_init_mmio(sbd, &s->mmio);
for (i = 0; i < s->cs_count; i++) {
NPCM7xxFIUFlash *flash = &s->flash[i];
flash->fiu = s;
memory_region_init_io(&flash->direct_access, OBJECT(s),
&npcm7xx_fiu_flash_ops, &s->flash[i], "flash",
NPCM7XX_FIU_FLASH_WINDOW_SIZE);
sysbus_init_mmio(sbd, &flash->direct_access);
}
}
static const VMStateDescription vmstate_npcm7xx_fiu = {
.name = "npcm7xx-fiu",
.version_id = 0,
.minimum_version_id = 0,
.fields = (VMStateField[]) {
VMSTATE_INT32(active_cs, NPCM7xxFIUState),
VMSTATE_UINT32_ARRAY(regs, NPCM7xxFIUState, NPCM7XX_FIU_NR_REGS),
VMSTATE_END_OF_LIST(),
},
};
static Property npcm7xx_fiu_properties[] = {
DEFINE_PROP_INT32("cs-count", NPCM7xxFIUState, cs_count, 0),
DEFINE_PROP_END_OF_LIST(),
};
static void npcm7xx_fiu_class_init(ObjectClass *klass, void *data)
{
ResettableClass *rc = RESETTABLE_CLASS(klass);
DeviceClass *dc = DEVICE_CLASS(klass);
QEMU_BUILD_BUG_ON(NPCM7XX_FIU_REGS_END > NPCM7XX_FIU_NR_REGS);
dc->desc = "NPCM7xx Flash Interface Unit";
dc->realize = npcm7xx_fiu_realize;
dc->vmsd = &vmstate_npcm7xx_fiu;
rc->phases.enter = npcm7xx_fiu_enter_reset;
rc->phases.hold = npcm7xx_fiu_hold_reset;
device_class_set_props(dc, npcm7xx_fiu_properties);
}
static const TypeInfo npcm7xx_fiu_types[] = {
{
.name = TYPE_NPCM7XX_FIU,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(NPCM7xxFIUState),
.class_init = npcm7xx_fiu_class_init,
},
};
DEFINE_TYPES(npcm7xx_fiu_types);