Re: [PATCH 12/15] ipmi: Add an SMBus IPMI interface
On Fri, 29 Jul 2022 at 16:56, Corey Minyard wrote:
>
> On Tue, Jun 28, 2022 at 05:21:44PM +0100, Peter Maydell wrote:
> > On Thu, 19 Sept 2019 at 22:39, wrote:
> > >
> > > From: Corey Minyard
> > >
> > > Signed-off-by: Corey Minyard
> > > ---
> >
>
> Thank you for the ping. Comments inline...
> > ...calling memcpy() with argument 1 being a pointer that points
> > one past the end of the array. Even though len will be 0 and
> > we won't memcpy() anything, this is (depending on how you choose
> > to intepret things the C standard doesn't come right out and state
> > explicitly) undefined behaviour, because memcpy() wants to be passed
> > valid pointers, even if you ask it to do no work with a zero len.
> >
> > This isn't going to be a visible bug in practical terms, but it would
> > make Coverity happy if we either (a) rejected a request with an empty
> > length or else (b) skipped the memcpy(). I don't know enough about
> > IPMI to know which is better.
>
> Hmm. In some cases you have to accept a zero-length packet (as
> described in the comments), but if you said:
>
> if (len > 0)
> memcpy(sid->inmsg + sid->inlen, buf, len);
>
> would that make Coverity happy? I was under the impression that if you
> passed zero into len, you could pass anything into the data on a memcpy.
> But apparently not; I can make this change.
Yes, putting an if() around the memcpy() will be enough to avoid
the undefined behaviour. (NB that you want braces {} on it ;-))
thanks
-- PMM
Re: [PATCH 12/15] ipmi: Add an SMBus IPMI interface
On Tue, Jun 28, 2022 at 05:21:44PM +0100, Peter Maydell wrote:
> On Thu, 19 Sept 2019 at 22:39, wrote:
> >
> > From: Corey Minyard
> >
> > Signed-off-by: Corey Minyard
> > ---
>
Thank you for the ping. Comments inline...
> Very old patch, but Coverity has decided it doesn't like something
> in this function that's still basically the same in the current codebase
> (CID 1487146):
>
> > +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
> > +{
> > +SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
> > +bool send = false;
> > +uint8_t cmd;
> > +int ret = 0;
> > +
> > +/* length is guaranteed to be >= 1. */
> > +cmd = *buf++;
> > +len--;
> > +
> > +/* Handle read request, which don't have any data in the write part. */
> > +switch (cmd) {
> > +case SSIF_IPMI_RESPONSE:
> > +sid->currblk = 0;
> > +ret = ipmi_load_readbuf(sid);
> > +break;
> > +
> > +case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE:
> > +sid->currblk++;
> > +ret = ipmi_load_readbuf(sid);
> > +break;
> > +
> > +case SSIF_IPMI_MULTI_PART_RETRY:
> > +if (len >= 1) {
> > +sid->currblk = buf[0];
> > +ret = ipmi_load_readbuf(sid);
> > +} else {
> > +ret = -1;
> > +}
> > +break;
> > +
> > +default:
> > +break;
> > +}
> > +
> > +/* This should be a message write, make the length is there and
> > correct. */
> > +if (len >= 1) {
> > +if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) {
> > +return -1; /* Bogus message */
> > +}
> > +buf++;
> > +len--;
> > +}
>
> After all of this preamble, len can be zero...
>
> > +
> > +switch (cmd) {
> > +case SSIF_IPMI_REQUEST:
> > +send = true;
> > +/* FALLTHRU */
> > +case SSIF_IPMI_MULTI_PART_REQUEST_START:
> > +if (len < 2) {
> > +return -1; /* Bogus. */
> > +}
> > +memcpy(sid->inmsg, buf, len);
> > +sid->inlen = len;
> > +break;
> > +
> > +case SSIF_IPMI_MULTI_PART_REQUEST_END:
> > +send = true;
> > +/* FALLTHRU */
> > +case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE:
> > +if (!sid->inlen) {
> > +return -1; /* Bogus. */
> > +}
> > +if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) {
> > +sid->inlen = 0; /* Discard the message. */
> > +return -1; /* Bogus. */
> > +}
>
> ...this error checking on the values of the 'middle' request
> means that after one 'middle' request we can end up with
> sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the
> entire sid->inmsg[] array).
>
> But then if we get another 'middle' request with len == 0,
> that will pass this error checking because (sid->inlen + len == MSG_SIZE)
> and fall through into...
>
> > +if (len < 32) {
> > +/*
> > + * Special hack, a multi-part middle that is less than 32 bytes
> > + * marks the end of a message. The specification is fairly
> > + * confusing, so some systems to this, even sending a zero
> > + * length end message to mark the end.
> > + */
> > +send = true;
> > +}
> > +memcpy(sid->inmsg + sid->inlen, buf, len);
>
> ...calling memcpy() with argument 1 being a pointer that points
> one past the end of the array. Even though len will be 0 and
> we won't memcpy() anything, this is (depending on how you choose
> to intepret things the C standard doesn't come right out and state
> explicitly) undefined behaviour, because memcpy() wants to be passed
> valid pointers, even if you ask it to do no work with a zero len.
>
> This isn't going to be a visible bug in practical terms, but it would
> make Coverity happy if we either (a) rejected a request with an empty
> length or else (b) skipped the memcpy(). I don't know enough about
> IPMI to know which is better.
Hmm. In some cases you have to accept a zero-length packet (as
described in the comments), but if you said:
if (len > 0)
memcpy(sid->inmsg + sid->inlen, buf, len);
would that make Coverity happy? I was under the impression that if you
passed zero into len, you could pass anything into the data on a memcpy.
But apparently not; I can make this change.
-corey
>
> > +sid->inlen += len;
> > +break;
> > +}
> > +
> > +if (send && sid->inlen) {
> > +smbus_ipmi_send_msg(sid);
> > +}
> > +
> > +return ret;
> > +}
>
> thanks
> -- PMM
>
Re: [PATCH 12/15] ipmi: Add an SMBus IPMI interface
On Tue, 28 Jun 2022 at 17:21, Peter Maydell wrote:
>
> On Thu, 19 Sept 2019 at 22:39, wrote:
> >
> > From: Corey Minyard
> >
> > Signed-off-by: Corey Minyard
> > ---
>
> Very old patch, but Coverity has decided it doesn't like something
> in this function that's still basically the same in the current codebase
> (CID 1487146):
Ping ?
> > +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
> > +{
> > +SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
> > +bool send = false;
> > +uint8_t cmd;
> > +int ret = 0;
> > +
> > +/* length is guaranteed to be >= 1. */
> > +cmd = *buf++;
> > +len--;
> > +
> > +/* Handle read request, which don't have any data in the write part. */
> > +switch (cmd) {
> > +case SSIF_IPMI_RESPONSE:
> > +sid->currblk = 0;
> > +ret = ipmi_load_readbuf(sid);
> > +break;
> > +
> > +case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE:
> > +sid->currblk++;
> > +ret = ipmi_load_readbuf(sid);
> > +break;
> > +
> > +case SSIF_IPMI_MULTI_PART_RETRY:
> > +if (len >= 1) {
> > +sid->currblk = buf[0];
> > +ret = ipmi_load_readbuf(sid);
> > +} else {
> > +ret = -1;
> > +}
> > +break;
> > +
> > +default:
> > +break;
> > +}
> > +
> > +/* This should be a message write, make the length is there and
> > correct. */
> > +if (len >= 1) {
> > +if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) {
> > +return -1; /* Bogus message */
> > +}
> > +buf++;
> > +len--;
> > +}
>
> After all of this preamble, len can be zero...
>
> > +
> > +switch (cmd) {
> > +case SSIF_IPMI_REQUEST:
> > +send = true;
> > +/* FALLTHRU */
> > +case SSIF_IPMI_MULTI_PART_REQUEST_START:
> > +if (len < 2) {
> > +return -1; /* Bogus. */
> > +}
> > +memcpy(sid->inmsg, buf, len);
> > +sid->inlen = len;
> > +break;
> > +
> > +case SSIF_IPMI_MULTI_PART_REQUEST_END:
> > +send = true;
> > +/* FALLTHRU */
> > +case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE:
> > +if (!sid->inlen) {
> > +return -1; /* Bogus. */
> > +}
> > +if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) {
> > +sid->inlen = 0; /* Discard the message. */
> > +return -1; /* Bogus. */
> > +}
>
> ...this error checking on the values of the 'middle' request
> means that after one 'middle' request we can end up with
> sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the
> entire sid->inmsg[] array).
>
> But then if we get another 'middle' request with len == 0,
> that will pass this error checking because (sid->inlen + len == MSG_SIZE)
> and fall through into...
>
> > +if (len < 32) {
> > +/*
> > + * Special hack, a multi-part middle that is less than 32 bytes
> > + * marks the end of a message. The specification is fairly
> > + * confusing, so some systems to this, even sending a zero
> > + * length end message to mark the end.
> > + */
> > +send = true;
> > +}
> > +memcpy(sid->inmsg + sid->inlen, buf, len);
>
> ...calling memcpy() with argument 1 being a pointer that points
> one past the end of the array. Even though len will be 0 and
> we won't memcpy() anything, this is (depending on how you choose
> to intepret things the C standard doesn't come right out and state
> explicitly) undefined behaviour, because memcpy() wants to be passed
> valid pointers, even if you ask it to do no work with a zero len.
>
> This isn't going to be a visible bug in practical terms, but it would
> make Coverity happy if we either (a) rejected a request with an empty
> length or else (b) skipped the memcpy(). I don't know enough about
> IPMI to know which is better.
thanks
-- PMM
Re: [PATCH 12/15] ipmi: Add an SMBus IPMI interface
On Thu, 19 Sept 2019 at 22:39, wrote:
>
> From: Corey Minyard
>
> Signed-off-by: Corey Minyard
> ---
Very old patch, but Coverity has decided it doesn't like something
in this function that's still basically the same in the current codebase
(CID 1487146):
> +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
> +{
> +SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
> +bool send = false;
> +uint8_t cmd;
> +int ret = 0;
> +
> +/* length is guaranteed to be >= 1. */
> +cmd = *buf++;
> +len--;
> +
> +/* Handle read request, which don't have any data in the write part. */
> +switch (cmd) {
> +case SSIF_IPMI_RESPONSE:
> +sid->currblk = 0;
> +ret = ipmi_load_readbuf(sid);
> +break;
> +
> +case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE:
> +sid->currblk++;
> +ret = ipmi_load_readbuf(sid);
> +break;
> +
> +case SSIF_IPMI_MULTI_PART_RETRY:
> +if (len >= 1) {
> +sid->currblk = buf[0];
> +ret = ipmi_load_readbuf(sid);
> +} else {
> +ret = -1;
> +}
> +break;
> +
> +default:
> +break;
> +}
> +
> +/* This should be a message write, make the length is there and correct.
> */
> +if (len >= 1) {
> +if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) {
> +return -1; /* Bogus message */
> +}
> +buf++;
> +len--;
> +}
After all of this preamble, len can be zero...
> +
> +switch (cmd) {
> +case SSIF_IPMI_REQUEST:
> +send = true;
> +/* FALLTHRU */
> +case SSIF_IPMI_MULTI_PART_REQUEST_START:
> +if (len < 2) {
> +return -1; /* Bogus. */
> +}
> +memcpy(sid->inmsg, buf, len);
> +sid->inlen = len;
> +break;
> +
> +case SSIF_IPMI_MULTI_PART_REQUEST_END:
> +send = true;
> +/* FALLTHRU */
> +case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE:
> +if (!sid->inlen) {
> +return -1; /* Bogus. */
> +}
> +if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) {
> +sid->inlen = 0; /* Discard the message. */
> +return -1; /* Bogus. */
> +}
...this error checking on the values of the 'middle' request
means that after one 'middle' request we can end up with
sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the
entire sid->inmsg[] array).
But then if we get another 'middle' request with len == 0,
that will pass this error checking because (sid->inlen + len == MSG_SIZE)
and fall through into...
> +if (len < 32) {
> +/*
> + * Special hack, a multi-part middle that is less than 32 bytes
> + * marks the end of a message. The specification is fairly
> + * confusing, so some systems to this, even sending a zero
> + * length end message to mark the end.
> + */
> +send = true;
> +}
> +memcpy(sid->inmsg + sid->inlen, buf, len);
...calling memcpy() with argument 1 being a pointer that points
one past the end of the array. Even though len will be 0 and
we won't memcpy() anything, this is (depending on how you choose
to intepret things the C standard doesn't come right out and state
explicitly) undefined behaviour, because memcpy() wants to be passed
valid pointers, even if you ask it to do no work with a zero len.
This isn't going to be a visible bug in practical terms, but it would
make Coverity happy if we either (a) rejected a request with an empty
length or else (b) skipped the memcpy(). I don't know enough about
IPMI to know which is better.
> +sid->inlen += len;
> +break;
> +}
> +
> +if (send && sid->inlen) {
> +smbus_ipmi_send_msg(sid);
> +}
> +
> +return ret;
> +}
thanks
-- PMM
[PATCH 12/15] ipmi: Add an SMBus IPMI interface
From: Corey Minyard
Signed-off-by: Corey Minyard
---
default-configs/i386-softmmu.mak | 1 +
hw/i386/Kconfig | 1 +
hw/ipmi/Kconfig | 5 +
hw/ipmi/Makefile.objs| 1 +
hw/ipmi/smbus_ipmi.c | 384 +++
5 files changed, 392 insertions(+)
create mode 100644 hw/ipmi/smbus_ipmi.c
diff --git a/default-configs/i386-softmmu.mak b/default-configs/i386-softmmu.mak
index 2294c0be5a..4229900f57 100644
--- a/default-configs/i386-softmmu.mak
+++ b/default-configs/i386-softmmu.mak
@@ -12,6 +12,7 @@
#CONFIG_ISA_IPMI_KCS=n
#CONFIG_PCI_IPMI_KCS=n
#CONFIG_PCI_IPMI_BT=n
+#CONFIG_IPMI_SSIF=n
#CONFIG_PCI_DEVICES=n
#CONFIG_PVPANIC=n
#CONFIG_QXL=n
diff --git a/hw/i386/Kconfig b/hw/i386/Kconfig
index d10f4e3e8b..c5c9d4900e 100644
--- a/hw/i386/Kconfig
+++ b/hw/i386/Kconfig
@@ -10,6 +10,7 @@ config PC
imply ISA_IPMI_BT
imply PCI_IPMI_KCS
imply PCI_IPMI_BT
+imply IPMI_SSIF
imply ISA_DEBUG
imply PARALLEL
imply PCI_DEVICES
diff --git a/hw/ipmi/Kconfig b/hw/ipmi/Kconfig
index 12db4e81ad..9befd4f422 100644
--- a/hw/ipmi/Kconfig
+++ b/hw/ipmi/Kconfig
@@ -30,3 +30,8 @@ config PCI_IPMI_BT
bool
depends on PCI
select IPMI
+
+config IPMI_SSIF
+bool
+depends on I2C
+select IPMI
diff --git a/hw/ipmi/Makefile.objs b/hw/ipmi/Makefile.objs
index 2d7f080a86..3cca10bc50 100644
--- a/hw/ipmi/Makefile.objs
+++ b/hw/ipmi/Makefile.objs
@@ -5,3 +5,4 @@ common-obj-$(CONFIG_ISA_IPMI_KCS) += isa_ipmi_kcs.o
common-obj-$(CONFIG_PCI_IPMI_KCS) += pci_ipmi_kcs.o
common-obj-$(CONFIG_ISA_IPMI_BT) += isa_ipmi_bt.o
common-obj-$(CONFIG_PCI_IPMI_BT) += pci_ipmi_bt.o
+common-obj-$(CONFIG_IPMI_SSIF) += smbus_ipmi.o
diff --git a/hw/ipmi/smbus_ipmi.c b/hw/ipmi/smbus_ipmi.c
new file mode 100644
index 00..2a9470d9df
--- /dev/null
+++ b/hw/ipmi/smbus_ipmi.c
@@ -0,0 +1,384 @@
+/*
+ * QEMU IPMI SMBus (SSIF) emulation
+ *
+ * Copyright (c) 2015,2016 Corey Minyard, MontaVista Software, LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#include "qemu/osdep.h"
+#include "migration/vmstate.h"
+#include "hw/i2c/smbus_slave.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+#include "hw/ipmi/ipmi.h"
+
+#define TYPE_SMBUS_IPMI "smbus-ipmi"
+#define SMBUS_IPMI(obj) OBJECT_CHECK(SMBusIPMIDevice, (obj), TYPE_SMBUS_IPMI)
+
+#define SSIF_IPMI_REQUEST 2
+#define SSIF_IPMI_MULTI_PART_REQUEST_START 6
+#define SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE 7
+#define SSIF_IPMI_MULTI_PART_REQUEST_END8
+#define SSIF_IPMI_RESPONSE 3
+#define SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE9
+#define SSIF_IPMI_MULTI_PART_RETRY 0xa
+
+#define MAX_SSIF_IPMI_MSG_SIZE 255
+#define MAX_SSIF_IPMI_MSG_CHUNK 32
+
+#define IPMI_GET_SYS_INTF_CAP_CMD 0x57
+
+typedef struct SMBusIPMIDevice {
+SMBusDevice parent;
+
+IPMIBmc *bmc;
+
+uint8_t outmsg[MAX_SSIF_IPMI_MSG_SIZE];
+uint32_t outlen;
+uint32_t currblk;
+
+/* Holds the SMBUS message currently being sent to the host. */
+uint8_t outbuf[MAX_SSIF_IPMI_MSG_CHUNK + 1]; /* len + message. */
+uint32_t outpos;
+
+uint8_t inmsg[MAX_SSIF_IPMI_MSG_SIZE];
+uint32_t inlen;
+
+/*
+ * This is a response number that we send with the command to make
+ * sure that the response matches the command.
+ */
+uint8_t waiting_rsp;
+
+uint32_t uuid;
+} SMBusIPMIDevice;
+
+static void smbus_ipmi_handle_event(IPMIInterface *ii)
+{
+/* No interrupts, so nothing to do here. */
+}
+
+static void smbus_ipmi_handle_rsp(IPMIInterface *ii, uint8_t msg_id,
+ unsigned char *rsp, unsigned int rsp_len)
+{
+SMBusIPMIDevice *sid = SMBUS_IPMI(ii);
+
+if (sid->waiting_rsp == msg_id) {
+sid->waiting_rsp++;
+
+if (rsp_len > MAX_SSIF_IPMI_MSG_SIZE) {
+rsp[2] = IPMI_CC_REQUEST_DATA_TRUNCATED;
+
[Qemu-devel] [PATCH 12/15] ipmi: Add an SMBus IPMI interface
From: Corey Minyard
Signed-off-by: Corey Minyard
---
default-configs/i386-softmmu.mak | 1 +
hw/i386/Kconfig | 1 +
hw/ipmi/Kconfig | 5 +
hw/ipmi/Makefile.objs| 1 +
hw/ipmi/smbus_ipmi.c | 384 +++
5 files changed, 392 insertions(+)
create mode 100644 hw/ipmi/smbus_ipmi.c
diff --git a/default-configs/i386-softmmu.mak b/default-configs/i386-softmmu.mak
index b819582d78..19914c8aec 100644
--- a/default-configs/i386-softmmu.mak
+++ b/default-configs/i386-softmmu.mak
@@ -12,6 +12,7 @@
#CONFIG_ISA_IPMI_KCS=n
#CONFIG_PCI_IPMI_KCS=n
#CONFIG_PCI_IPMI_BT=n
+#CONFIG_IPMI_SSIF=n
#CONFIG_PCI_DEVICES=n
#CONFIG_PVPANIC=n
#CONFIG_QXL=n
diff --git a/hw/i386/Kconfig b/hw/i386/Kconfig
index b4efaa0818..87db9c2ba1 100644
--- a/hw/i386/Kconfig
+++ b/hw/i386/Kconfig
@@ -10,6 +10,7 @@ config PC
imply ISA_IPMI_BT
imply PCI_IPMI_KCS
imply PCI_IPMI_BT
+imply IPMI_SSIF
imply ISA_DEBUG
imply PARALLEL
imply PCI_DEVICES
diff --git a/hw/ipmi/Kconfig b/hw/ipmi/Kconfig
index 12db4e81ad..9befd4f422 100644
--- a/hw/ipmi/Kconfig
+++ b/hw/ipmi/Kconfig
@@ -30,3 +30,8 @@ config PCI_IPMI_BT
bool
depends on PCI
select IPMI
+
+config IPMI_SSIF
+bool
+depends on I2C
+select IPMI
diff --git a/hw/ipmi/Makefile.objs b/hw/ipmi/Makefile.objs
index 2d7f080a86..3cca10bc50 100644
--- a/hw/ipmi/Makefile.objs
+++ b/hw/ipmi/Makefile.objs
@@ -5,3 +5,4 @@ common-obj-$(CONFIG_ISA_IPMI_KCS) += isa_ipmi_kcs.o
common-obj-$(CONFIG_PCI_IPMI_KCS) += pci_ipmi_kcs.o
common-obj-$(CONFIG_ISA_IPMI_BT) += isa_ipmi_bt.o
common-obj-$(CONFIG_PCI_IPMI_BT) += pci_ipmi_bt.o
+common-obj-$(CONFIG_IPMI_SSIF) += smbus_ipmi.o
diff --git a/hw/ipmi/smbus_ipmi.c b/hw/ipmi/smbus_ipmi.c
new file mode 100644
index 00..2a9470d9df
--- /dev/null
+++ b/hw/ipmi/smbus_ipmi.c
@@ -0,0 +1,384 @@
+/*
+ * QEMU IPMI SMBus (SSIF) emulation
+ *
+ * Copyright (c) 2015,2016 Corey Minyard, MontaVista Software, LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#include "qemu/osdep.h"
+#include "migration/vmstate.h"
+#include "hw/i2c/smbus_slave.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+#include "hw/ipmi/ipmi.h"
+
+#define TYPE_SMBUS_IPMI "smbus-ipmi"
+#define SMBUS_IPMI(obj) OBJECT_CHECK(SMBusIPMIDevice, (obj), TYPE_SMBUS_IPMI)
+
+#define SSIF_IPMI_REQUEST 2
+#define SSIF_IPMI_MULTI_PART_REQUEST_START 6
+#define SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE 7
+#define SSIF_IPMI_MULTI_PART_REQUEST_END8
+#define SSIF_IPMI_RESPONSE 3
+#define SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE9
+#define SSIF_IPMI_MULTI_PART_RETRY 0xa
+
+#define MAX_SSIF_IPMI_MSG_SIZE 255
+#define MAX_SSIF_IPMI_MSG_CHUNK 32
+
+#define IPMI_GET_SYS_INTF_CAP_CMD 0x57
+
+typedef struct SMBusIPMIDevice {
+SMBusDevice parent;
+
+IPMIBmc *bmc;
+
+uint8_t outmsg[MAX_SSIF_IPMI_MSG_SIZE];
+uint32_t outlen;
+uint32_t currblk;
+
+/* Holds the SMBUS message currently being sent to the host. */
+uint8_t outbuf[MAX_SSIF_IPMI_MSG_CHUNK + 1]; /* len + message. */
+uint32_t outpos;
+
+uint8_t inmsg[MAX_SSIF_IPMI_MSG_SIZE];
+uint32_t inlen;
+
+/*
+ * This is a response number that we send with the command to make
+ * sure that the response matches the command.
+ */
+uint8_t waiting_rsp;
+
+uint32_t uuid;
+} SMBusIPMIDevice;
+
+static void smbus_ipmi_handle_event(IPMIInterface *ii)
+{
+/* No interrupts, so nothing to do here. */
+}
+
+static void smbus_ipmi_handle_rsp(IPMIInterface *ii, uint8_t msg_id,
+ unsigned char *rsp, unsigned int rsp_len)
+{
+SMBusIPMIDevice *sid = SMBUS_IPMI(ii);
+
+if (sid->waiting_rsp == msg_id) {
+sid->waiting_rsp++;
+
+if (rsp_len > MAX_SSIF_IPMI_MSG_SIZE) {
+rsp[2] = IPMI_CC_REQUEST_DATA_TRUNCATED;
+
