Re: [PATCH 12/15] ipmi: Add an SMBus IPMI interface
On Fri, 29 Jul 2022 at 16:56, Corey Minyard wrote: > > On Tue, Jun 28, 2022 at 05:21:44PM +0100, Peter Maydell wrote: > > On Thu, 19 Sept 2019 at 22:39, wrote: > > > > > > From: Corey Minyard > > > > > > Signed-off-by: Corey Minyard > > > --- > > > > Thank you for the ping. Comments inline... > > ...calling memcpy() with argument 1 being a pointer that points > > one past the end of the array. Even though len will be 0 and > > we won't memcpy() anything, this is (depending on how you choose > > to intepret things the C standard doesn't come right out and state > > explicitly) undefined behaviour, because memcpy() wants to be passed > > valid pointers, even if you ask it to do no work with a zero len. > > > > This isn't going to be a visible bug in practical terms, but it would > > make Coverity happy if we either (a) rejected a request with an empty > > length or else (b) skipped the memcpy(). I don't know enough about > > IPMI to know which is better. > > Hmm. In some cases you have to accept a zero-length packet (as > described in the comments), but if you said: > > if (len > 0) > memcpy(sid->inmsg + sid->inlen, buf, len); > > would that make Coverity happy? I was under the impression that if you > passed zero into len, you could pass anything into the data on a memcpy. > But apparently not; I can make this change. Yes, putting an if() around the memcpy() will be enough to avoid the undefined behaviour. (NB that you want braces {} on it ;-)) thanks -- PMM
Re: [PATCH 12/15] ipmi: Add an SMBus IPMI interface
On Tue, Jun 28, 2022 at 05:21:44PM +0100, Peter Maydell wrote: > On Thu, 19 Sept 2019 at 22:39, wrote: > > > > From: Corey Minyard > > > > Signed-off-by: Corey Minyard > > --- > Thank you for the ping. Comments inline... > Very old patch, but Coverity has decided it doesn't like something > in this function that's still basically the same in the current codebase > (CID 1487146): > > > +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len) > > +{ > > +SMBusIPMIDevice *sid = SMBUS_IPMI(dev); > > +bool send = false; > > +uint8_t cmd; > > +int ret = 0; > > + > > +/* length is guaranteed to be >= 1. */ > > +cmd = *buf++; > > +len--; > > + > > +/* Handle read request, which don't have any data in the write part. */ > > +switch (cmd) { > > +case SSIF_IPMI_RESPONSE: > > +sid->currblk = 0; > > +ret = ipmi_load_readbuf(sid); > > +break; > > + > > +case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE: > > +sid->currblk++; > > +ret = ipmi_load_readbuf(sid); > > +break; > > + > > +case SSIF_IPMI_MULTI_PART_RETRY: > > +if (len >= 1) { > > +sid->currblk = buf[0]; > > +ret = ipmi_load_readbuf(sid); > > +} else { > > +ret = -1; > > +} > > +break; > > + > > +default: > > +break; > > +} > > + > > +/* This should be a message write, make the length is there and > > correct. */ > > +if (len >= 1) { > > +if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) { > > +return -1; /* Bogus message */ > > +} > > +buf++; > > +len--; > > +} > > After all of this preamble, len can be zero... > > > + > > +switch (cmd) { > > +case SSIF_IPMI_REQUEST: > > +send = true; > > +/* FALLTHRU */ > > +case SSIF_IPMI_MULTI_PART_REQUEST_START: > > +if (len < 2) { > > +return -1; /* Bogus. */ > > +} > > +memcpy(sid->inmsg, buf, len); > > +sid->inlen = len; > > +break; > > + > > +case SSIF_IPMI_MULTI_PART_REQUEST_END: > > +send = true; > > +/* FALLTHRU */ > > +case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE: > > +if (!sid->inlen) { > > +return -1; /* Bogus. */ > > +} > > +if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) { > > +sid->inlen = 0; /* Discard the message. */ > > +return -1; /* Bogus. */ > > +} > > ...this error checking on the values of the 'middle' request > means that after one 'middle' request we can end up with > sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the > entire sid->inmsg[] array). > > But then if we get another 'middle' request with len == 0, > that will pass this error checking because (sid->inlen + len == MSG_SIZE) > and fall through into... > > > +if (len < 32) { > > +/* > > + * Special hack, a multi-part middle that is less than 32 bytes > > + * marks the end of a message. The specification is fairly > > + * confusing, so some systems to this, even sending a zero > > + * length end message to mark the end. > > + */ > > +send = true; > > +} > > +memcpy(sid->inmsg + sid->inlen, buf, len); > > ...calling memcpy() with argument 1 being a pointer that points > one past the end of the array. Even though len will be 0 and > we won't memcpy() anything, this is (depending on how you choose > to intepret things the C standard doesn't come right out and state > explicitly) undefined behaviour, because memcpy() wants to be passed > valid pointers, even if you ask it to do no work with a zero len. > > This isn't going to be a visible bug in practical terms, but it would > make Coverity happy if we either (a) rejected a request with an empty > length or else (b) skipped the memcpy(). I don't know enough about > IPMI to know which is better. Hmm. In some cases you have to accept a zero-length packet (as described in the comments), but if you said: if (len > 0) memcpy(sid->inmsg + sid->inlen, buf, len); would that make Coverity happy? I was under the impression that if you passed zero into len, you could pass anything into the data on a memcpy. But apparently not; I can make this change. -corey > > > +sid->inlen += len; > > +break; > > +} > > + > > +if (send && sid->inlen) { > > +smbus_ipmi_send_msg(sid); > > +} > > + > > +return ret; > > +} > > thanks > -- PMM >
Re: [PATCH 12/15] ipmi: Add an SMBus IPMI interface
On Tue, 28 Jun 2022 at 17:21, Peter Maydell wrote: > > On Thu, 19 Sept 2019 at 22:39, wrote: > > > > From: Corey Minyard > > > > Signed-off-by: Corey Minyard > > --- > > Very old patch, but Coverity has decided it doesn't like something > in this function that's still basically the same in the current codebase > (CID 1487146): Ping ? > > +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len) > > +{ > > +SMBusIPMIDevice *sid = SMBUS_IPMI(dev); > > +bool send = false; > > +uint8_t cmd; > > +int ret = 0; > > + > > +/* length is guaranteed to be >= 1. */ > > +cmd = *buf++; > > +len--; > > + > > +/* Handle read request, which don't have any data in the write part. */ > > +switch (cmd) { > > +case SSIF_IPMI_RESPONSE: > > +sid->currblk = 0; > > +ret = ipmi_load_readbuf(sid); > > +break; > > + > > +case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE: > > +sid->currblk++; > > +ret = ipmi_load_readbuf(sid); > > +break; > > + > > +case SSIF_IPMI_MULTI_PART_RETRY: > > +if (len >= 1) { > > +sid->currblk = buf[0]; > > +ret = ipmi_load_readbuf(sid); > > +} else { > > +ret = -1; > > +} > > +break; > > + > > +default: > > +break; > > +} > > + > > +/* This should be a message write, make the length is there and > > correct. */ > > +if (len >= 1) { > > +if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) { > > +return -1; /* Bogus message */ > > +} > > +buf++; > > +len--; > > +} > > After all of this preamble, len can be zero... > > > + > > +switch (cmd) { > > +case SSIF_IPMI_REQUEST: > > +send = true; > > +/* FALLTHRU */ > > +case SSIF_IPMI_MULTI_PART_REQUEST_START: > > +if (len < 2) { > > +return -1; /* Bogus. */ > > +} > > +memcpy(sid->inmsg, buf, len); > > +sid->inlen = len; > > +break; > > + > > +case SSIF_IPMI_MULTI_PART_REQUEST_END: > > +send = true; > > +/* FALLTHRU */ > > +case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE: > > +if (!sid->inlen) { > > +return -1; /* Bogus. */ > > +} > > +if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) { > > +sid->inlen = 0; /* Discard the message. */ > > +return -1; /* Bogus. */ > > +} > > ...this error checking on the values of the 'middle' request > means that after one 'middle' request we can end up with > sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the > entire sid->inmsg[] array). > > But then if we get another 'middle' request with len == 0, > that will pass this error checking because (sid->inlen + len == MSG_SIZE) > and fall through into... > > > +if (len < 32) { > > +/* > > + * Special hack, a multi-part middle that is less than 32 bytes > > + * marks the end of a message. The specification is fairly > > + * confusing, so some systems to this, even sending a zero > > + * length end message to mark the end. > > + */ > > +send = true; > > +} > > +memcpy(sid->inmsg + sid->inlen, buf, len); > > ...calling memcpy() with argument 1 being a pointer that points > one past the end of the array. Even though len will be 0 and > we won't memcpy() anything, this is (depending on how you choose > to intepret things the C standard doesn't come right out and state > explicitly) undefined behaviour, because memcpy() wants to be passed > valid pointers, even if you ask it to do no work with a zero len. > > This isn't going to be a visible bug in practical terms, but it would > make Coverity happy if we either (a) rejected a request with an empty > length or else (b) skipped the memcpy(). I don't know enough about > IPMI to know which is better. thanks -- PMM
Re: [PATCH 12/15] ipmi: Add an SMBus IPMI interface
On Thu, 19 Sept 2019 at 22:39, wrote: > > From: Corey Minyard > > Signed-off-by: Corey Minyard > --- Very old patch, but Coverity has decided it doesn't like something in this function that's still basically the same in the current codebase (CID 1487146): > +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len) > +{ > +SMBusIPMIDevice *sid = SMBUS_IPMI(dev); > +bool send = false; > +uint8_t cmd; > +int ret = 0; > + > +/* length is guaranteed to be >= 1. */ > +cmd = *buf++; > +len--; > + > +/* Handle read request, which don't have any data in the write part. */ > +switch (cmd) { > +case SSIF_IPMI_RESPONSE: > +sid->currblk = 0; > +ret = ipmi_load_readbuf(sid); > +break; > + > +case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE: > +sid->currblk++; > +ret = ipmi_load_readbuf(sid); > +break; > + > +case SSIF_IPMI_MULTI_PART_RETRY: > +if (len >= 1) { > +sid->currblk = buf[0]; > +ret = ipmi_load_readbuf(sid); > +} else { > +ret = -1; > +} > +break; > + > +default: > +break; > +} > + > +/* This should be a message write, make the length is there and correct. > */ > +if (len >= 1) { > +if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) { > +return -1; /* Bogus message */ > +} > +buf++; > +len--; > +} After all of this preamble, len can be zero... > + > +switch (cmd) { > +case SSIF_IPMI_REQUEST: > +send = true; > +/* FALLTHRU */ > +case SSIF_IPMI_MULTI_PART_REQUEST_START: > +if (len < 2) { > +return -1; /* Bogus. */ > +} > +memcpy(sid->inmsg, buf, len); > +sid->inlen = len; > +break; > + > +case SSIF_IPMI_MULTI_PART_REQUEST_END: > +send = true; > +/* FALLTHRU */ > +case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE: > +if (!sid->inlen) { > +return -1; /* Bogus. */ > +} > +if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) { > +sid->inlen = 0; /* Discard the message. */ > +return -1; /* Bogus. */ > +} ...this error checking on the values of the 'middle' request means that after one 'middle' request we can end up with sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the entire sid->inmsg[] array). But then if we get another 'middle' request with len == 0, that will pass this error checking because (sid->inlen + len == MSG_SIZE) and fall through into... > +if (len < 32) { > +/* > + * Special hack, a multi-part middle that is less than 32 bytes > + * marks the end of a message. The specification is fairly > + * confusing, so some systems to this, even sending a zero > + * length end message to mark the end. > + */ > +send = true; > +} > +memcpy(sid->inmsg + sid->inlen, buf, len); ...calling memcpy() with argument 1 being a pointer that points one past the end of the array. Even though len will be 0 and we won't memcpy() anything, this is (depending on how you choose to intepret things the C standard doesn't come right out and state explicitly) undefined behaviour, because memcpy() wants to be passed valid pointers, even if you ask it to do no work with a zero len. This isn't going to be a visible bug in practical terms, but it would make Coverity happy if we either (a) rejected a request with an empty length or else (b) skipped the memcpy(). I don't know enough about IPMI to know which is better. > +sid->inlen += len; > +break; > +} > + > +if (send && sid->inlen) { > +smbus_ipmi_send_msg(sid); > +} > + > +return ret; > +} thanks -- PMM
[PATCH 12/15] ipmi: Add an SMBus IPMI interface
From: Corey Minyard Signed-off-by: Corey Minyard --- default-configs/i386-softmmu.mak | 1 + hw/i386/Kconfig | 1 + hw/ipmi/Kconfig | 5 + hw/ipmi/Makefile.objs| 1 + hw/ipmi/smbus_ipmi.c | 384 +++ 5 files changed, 392 insertions(+) create mode 100644 hw/ipmi/smbus_ipmi.c diff --git a/default-configs/i386-softmmu.mak b/default-configs/i386-softmmu.mak index 2294c0be5a..4229900f57 100644 --- a/default-configs/i386-softmmu.mak +++ b/default-configs/i386-softmmu.mak @@ -12,6 +12,7 @@ #CONFIG_ISA_IPMI_KCS=n #CONFIG_PCI_IPMI_KCS=n #CONFIG_PCI_IPMI_BT=n +#CONFIG_IPMI_SSIF=n #CONFIG_PCI_DEVICES=n #CONFIG_PVPANIC=n #CONFIG_QXL=n diff --git a/hw/i386/Kconfig b/hw/i386/Kconfig index d10f4e3e8b..c5c9d4900e 100644 --- a/hw/i386/Kconfig +++ b/hw/i386/Kconfig @@ -10,6 +10,7 @@ config PC imply ISA_IPMI_BT imply PCI_IPMI_KCS imply PCI_IPMI_BT +imply IPMI_SSIF imply ISA_DEBUG imply PARALLEL imply PCI_DEVICES diff --git a/hw/ipmi/Kconfig b/hw/ipmi/Kconfig index 12db4e81ad..9befd4f422 100644 --- a/hw/ipmi/Kconfig +++ b/hw/ipmi/Kconfig @@ -30,3 +30,8 @@ config PCI_IPMI_BT bool depends on PCI select IPMI + +config IPMI_SSIF +bool +depends on I2C +select IPMI diff --git a/hw/ipmi/Makefile.objs b/hw/ipmi/Makefile.objs index 2d7f080a86..3cca10bc50 100644 --- a/hw/ipmi/Makefile.objs +++ b/hw/ipmi/Makefile.objs @@ -5,3 +5,4 @@ common-obj-$(CONFIG_ISA_IPMI_KCS) += isa_ipmi_kcs.o common-obj-$(CONFIG_PCI_IPMI_KCS) += pci_ipmi_kcs.o common-obj-$(CONFIG_ISA_IPMI_BT) += isa_ipmi_bt.o common-obj-$(CONFIG_PCI_IPMI_BT) += pci_ipmi_bt.o +common-obj-$(CONFIG_IPMI_SSIF) += smbus_ipmi.o diff --git a/hw/ipmi/smbus_ipmi.c b/hw/ipmi/smbus_ipmi.c new file mode 100644 index 00..2a9470d9df --- /dev/null +++ b/hw/ipmi/smbus_ipmi.c @@ -0,0 +1,384 @@ +/* + * QEMU IPMI SMBus (SSIF) emulation + * + * Copyright (c) 2015,2016 Corey Minyard, MontaVista Software, LLC + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +#include "qemu/osdep.h" +#include "migration/vmstate.h" +#include "hw/i2c/smbus_slave.h" +#include "qapi/error.h" +#include "qemu/error-report.h" +#include "hw/ipmi/ipmi.h" + +#define TYPE_SMBUS_IPMI "smbus-ipmi" +#define SMBUS_IPMI(obj) OBJECT_CHECK(SMBusIPMIDevice, (obj), TYPE_SMBUS_IPMI) + +#define SSIF_IPMI_REQUEST 2 +#define SSIF_IPMI_MULTI_PART_REQUEST_START 6 +#define SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE 7 +#define SSIF_IPMI_MULTI_PART_REQUEST_END8 +#define SSIF_IPMI_RESPONSE 3 +#define SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE9 +#define SSIF_IPMI_MULTI_PART_RETRY 0xa + +#define MAX_SSIF_IPMI_MSG_SIZE 255 +#define MAX_SSIF_IPMI_MSG_CHUNK 32 + +#define IPMI_GET_SYS_INTF_CAP_CMD 0x57 + +typedef struct SMBusIPMIDevice { +SMBusDevice parent; + +IPMIBmc *bmc; + +uint8_t outmsg[MAX_SSIF_IPMI_MSG_SIZE]; +uint32_t outlen; +uint32_t currblk; + +/* Holds the SMBUS message currently being sent to the host. */ +uint8_t outbuf[MAX_SSIF_IPMI_MSG_CHUNK + 1]; /* len + message. */ +uint32_t outpos; + +uint8_t inmsg[MAX_SSIF_IPMI_MSG_SIZE]; +uint32_t inlen; + +/* + * This is a response number that we send with the command to make + * sure that the response matches the command. + */ +uint8_t waiting_rsp; + +uint32_t uuid; +} SMBusIPMIDevice; + +static void smbus_ipmi_handle_event(IPMIInterface *ii) +{ +/* No interrupts, so nothing to do here. */ +} + +static void smbus_ipmi_handle_rsp(IPMIInterface *ii, uint8_t msg_id, + unsigned char *rsp, unsigned int rsp_len) +{ +SMBusIPMIDevice *sid = SMBUS_IPMI(ii); + +if (sid->waiting_rsp == msg_id) { +sid->waiting_rsp++; + +if (rsp_len > MAX_SSIF_IPMI_MSG_SIZE) { +rsp[2] = IPMI_CC_REQUEST_DATA_TRUNCATED; +
[Qemu-devel] [PATCH 12/15] ipmi: Add an SMBus IPMI interface
From: Corey Minyard Signed-off-by: Corey Minyard --- default-configs/i386-softmmu.mak | 1 + hw/i386/Kconfig | 1 + hw/ipmi/Kconfig | 5 + hw/ipmi/Makefile.objs| 1 + hw/ipmi/smbus_ipmi.c | 384 +++ 5 files changed, 392 insertions(+) create mode 100644 hw/ipmi/smbus_ipmi.c diff --git a/default-configs/i386-softmmu.mak b/default-configs/i386-softmmu.mak index b819582d78..19914c8aec 100644 --- a/default-configs/i386-softmmu.mak +++ b/default-configs/i386-softmmu.mak @@ -12,6 +12,7 @@ #CONFIG_ISA_IPMI_KCS=n #CONFIG_PCI_IPMI_KCS=n #CONFIG_PCI_IPMI_BT=n +#CONFIG_IPMI_SSIF=n #CONFIG_PCI_DEVICES=n #CONFIG_PVPANIC=n #CONFIG_QXL=n diff --git a/hw/i386/Kconfig b/hw/i386/Kconfig index b4efaa0818..87db9c2ba1 100644 --- a/hw/i386/Kconfig +++ b/hw/i386/Kconfig @@ -10,6 +10,7 @@ config PC imply ISA_IPMI_BT imply PCI_IPMI_KCS imply PCI_IPMI_BT +imply IPMI_SSIF imply ISA_DEBUG imply PARALLEL imply PCI_DEVICES diff --git a/hw/ipmi/Kconfig b/hw/ipmi/Kconfig index 12db4e81ad..9befd4f422 100644 --- a/hw/ipmi/Kconfig +++ b/hw/ipmi/Kconfig @@ -30,3 +30,8 @@ config PCI_IPMI_BT bool depends on PCI select IPMI + +config IPMI_SSIF +bool +depends on I2C +select IPMI diff --git a/hw/ipmi/Makefile.objs b/hw/ipmi/Makefile.objs index 2d7f080a86..3cca10bc50 100644 --- a/hw/ipmi/Makefile.objs +++ b/hw/ipmi/Makefile.objs @@ -5,3 +5,4 @@ common-obj-$(CONFIG_ISA_IPMI_KCS) += isa_ipmi_kcs.o common-obj-$(CONFIG_PCI_IPMI_KCS) += pci_ipmi_kcs.o common-obj-$(CONFIG_ISA_IPMI_BT) += isa_ipmi_bt.o common-obj-$(CONFIG_PCI_IPMI_BT) += pci_ipmi_bt.o +common-obj-$(CONFIG_IPMI_SSIF) += smbus_ipmi.o diff --git a/hw/ipmi/smbus_ipmi.c b/hw/ipmi/smbus_ipmi.c new file mode 100644 index 00..2a9470d9df --- /dev/null +++ b/hw/ipmi/smbus_ipmi.c @@ -0,0 +1,384 @@ +/* + * QEMU IPMI SMBus (SSIF) emulation + * + * Copyright (c) 2015,2016 Corey Minyard, MontaVista Software, LLC + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +#include "qemu/osdep.h" +#include "migration/vmstate.h" +#include "hw/i2c/smbus_slave.h" +#include "qapi/error.h" +#include "qemu/error-report.h" +#include "hw/ipmi/ipmi.h" + +#define TYPE_SMBUS_IPMI "smbus-ipmi" +#define SMBUS_IPMI(obj) OBJECT_CHECK(SMBusIPMIDevice, (obj), TYPE_SMBUS_IPMI) + +#define SSIF_IPMI_REQUEST 2 +#define SSIF_IPMI_MULTI_PART_REQUEST_START 6 +#define SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE 7 +#define SSIF_IPMI_MULTI_PART_REQUEST_END8 +#define SSIF_IPMI_RESPONSE 3 +#define SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE9 +#define SSIF_IPMI_MULTI_PART_RETRY 0xa + +#define MAX_SSIF_IPMI_MSG_SIZE 255 +#define MAX_SSIF_IPMI_MSG_CHUNK 32 + +#define IPMI_GET_SYS_INTF_CAP_CMD 0x57 + +typedef struct SMBusIPMIDevice { +SMBusDevice parent; + +IPMIBmc *bmc; + +uint8_t outmsg[MAX_SSIF_IPMI_MSG_SIZE]; +uint32_t outlen; +uint32_t currblk; + +/* Holds the SMBUS message currently being sent to the host. */ +uint8_t outbuf[MAX_SSIF_IPMI_MSG_CHUNK + 1]; /* len + message. */ +uint32_t outpos; + +uint8_t inmsg[MAX_SSIF_IPMI_MSG_SIZE]; +uint32_t inlen; + +/* + * This is a response number that we send with the command to make + * sure that the response matches the command. + */ +uint8_t waiting_rsp; + +uint32_t uuid; +} SMBusIPMIDevice; + +static void smbus_ipmi_handle_event(IPMIInterface *ii) +{ +/* No interrupts, so nothing to do here. */ +} + +static void smbus_ipmi_handle_rsp(IPMIInterface *ii, uint8_t msg_id, + unsigned char *rsp, unsigned int rsp_len) +{ +SMBusIPMIDevice *sid = SMBUS_IPMI(ii); + +if (sid->waiting_rsp == msg_id) { +sid->waiting_rsp++; + +if (rsp_len > MAX_SSIF_IPMI_MSG_SIZE) { +rsp[2] = IPMI_CC_REQUEST_DATA_TRUNCATED; +