diff mbox series

[12/15] ipmi: Add an SMBus IPMI interface

Message ID 20190919213924.31852-13-minyard@acm.org (mailing list archive)
State New, archived
Headers show
Series [01/15] ipmi: Fix watchdog NMI handling | expand

Commit Message

Corey Minyard Sept. 19, 2019, 9:39 p.m. UTC
From: Corey Minyard <cminyard@mvista.com>

Signed-off-by: Corey Minyard <cminyard@mvista.com>
---
 default-configs/i386-softmmu.mak |   1 +
 hw/i386/Kconfig                  |   1 +
 hw/ipmi/Kconfig                  |   5 +
 hw/ipmi/Makefile.objs            |   1 +
 hw/ipmi/smbus_ipmi.c             | 384 +++++++++++++++++++++++++++++++
 5 files changed, 392 insertions(+)
 create mode 100644 hw/ipmi/smbus_ipmi.c

Comments

Peter Maydell June 28, 2022, 4:21 p.m. UTC | #1
On Thu, 19 Sept 2019 at 22:39, <minyard@acm.org> wrote:
>
> From: Corey Minyard <cminyard@mvista.com>
>
> Signed-off-by: Corey Minyard <cminyard@mvista.com>
> ---

Very old patch, but Coverity has decided it doesn't like something
in this function that's still basically the same in the current codebase
(CID 1487146):

> +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
> +{
> +    SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
> +    bool send = false;
> +    uint8_t cmd;
> +    int ret = 0;
> +
> +    /* length is guaranteed to be >= 1. */
> +    cmd = *buf++;
> +    len--;
> +
> +    /* Handle read request, which don't have any data in the write part. */
> +    switch (cmd) {
> +    case SSIF_IPMI_RESPONSE:
> +        sid->currblk = 0;
> +        ret = ipmi_load_readbuf(sid);
> +        break;
> +
> +    case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE:
> +        sid->currblk++;
> +        ret = ipmi_load_readbuf(sid);
> +        break;
> +
> +    case SSIF_IPMI_MULTI_PART_RETRY:
> +        if (len >= 1) {
> +            sid->currblk = buf[0];
> +            ret = ipmi_load_readbuf(sid);
> +        } else {
> +            ret = -1;
> +        }
> +        break;
> +
> +    default:
> +        break;
> +    }
> +
> +    /* This should be a message write, make the length is there and correct. */
> +    if (len >= 1) {
> +        if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) {
> +            return -1; /* Bogus message */
> +        }
> +        buf++;
> +        len--;
> +    }

After all of this preamble, len can be zero...

> +
> +    switch (cmd) {
> +    case SSIF_IPMI_REQUEST:
> +        send = true;
> +        /* FALLTHRU */
> +    case SSIF_IPMI_MULTI_PART_REQUEST_START:
> +        if (len < 2) {
> +            return -1; /* Bogus. */
> +        }
> +        memcpy(sid->inmsg, buf, len);
> +        sid->inlen = len;
> +        break;
> +
> +    case SSIF_IPMI_MULTI_PART_REQUEST_END:
> +        send = true;
> +        /* FALLTHRU */
> +    case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE:
> +        if (!sid->inlen) {
> +            return -1; /* Bogus. */
> +        }
> +        if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) {
> +            sid->inlen = 0; /* Discard the message. */
> +            return -1; /* Bogus. */
> +        }

...this error checking on the values of the 'middle' request
means that after one 'middle' request we can end up with
sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the
entire sid->inmsg[] array).

But then if we get another 'middle' request with len == 0,
that will pass this error checking because (sid->inlen + len == MSG_SIZE)
and fall through into...

> +        if (len < 32) {
> +            /*
> +             * Special hack, a multi-part middle that is less than 32 bytes
> +             * marks the end of a message.  The specification is fairly
> +             * confusing, so some systems to this, even sending a zero
> +             * length end message to mark the end.
> +             */
> +            send = true;
> +        }
> +        memcpy(sid->inmsg + sid->inlen, buf, len);

...calling memcpy() with argument 1 being a pointer that points
one past the end of the array. Even though len will be 0 and
we won't memcpy() anything, this is (depending on how you choose
to intepret things the C standard doesn't come right out and state
explicitly) undefined behaviour, because memcpy() wants to be passed
valid pointers, even if you ask it to do no work with a zero len.

This isn't going to be a visible bug in practical terms, but it would
make Coverity happy if we either (a) rejected a request with an empty
length or else (b) skipped the memcpy(). I don't know enough about
IPMI to know which is better.

> +        sid->inlen += len;
> +        break;
> +    }
> +
> +    if (send && sid->inlen) {
> +        smbus_ipmi_send_msg(sid);
> +    }
> +
> +    return ret;
> +}

thanks
-- PMM
Peter Maydell July 29, 2022, 3:34 p.m. UTC | #2
On Tue, 28 Jun 2022 at 17:21, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Thu, 19 Sept 2019 at 22:39, <minyard@acm.org> wrote:
> >
> > From: Corey Minyard <cminyard@mvista.com>
> >
> > Signed-off-by: Corey Minyard <cminyard@mvista.com>
> > ---
>
> Very old patch, but Coverity has decided it doesn't like something
> in this function that's still basically the same in the current codebase
> (CID 1487146):

Ping ?

> > +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
> > +{
> > +    SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
> > +    bool send = false;
> > +    uint8_t cmd;
> > +    int ret = 0;
> > +
> > +    /* length is guaranteed to be >= 1. */
> > +    cmd = *buf++;
> > +    len--;
> > +
> > +    /* Handle read request, which don't have any data in the write part. */
> > +    switch (cmd) {
> > +    case SSIF_IPMI_RESPONSE:
> > +        sid->currblk = 0;
> > +        ret = ipmi_load_readbuf(sid);
> > +        break;
> > +
> > +    case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE:
> > +        sid->currblk++;
> > +        ret = ipmi_load_readbuf(sid);
> > +        break;
> > +
> > +    case SSIF_IPMI_MULTI_PART_RETRY:
> > +        if (len >= 1) {
> > +            sid->currblk = buf[0];
> > +            ret = ipmi_load_readbuf(sid);
> > +        } else {
> > +            ret = -1;
> > +        }
> > +        break;
> > +
> > +    default:
> > +        break;
> > +    }
> > +
> > +    /* This should be a message write, make the length is there and correct. */
> > +    if (len >= 1) {
> > +        if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) {
> > +            return -1; /* Bogus message */
> > +        }
> > +        buf++;
> > +        len--;
> > +    }
>
> After all of this preamble, len can be zero...
>
> > +
> > +    switch (cmd) {
> > +    case SSIF_IPMI_REQUEST:
> > +        send = true;
> > +        /* FALLTHRU */
> > +    case SSIF_IPMI_MULTI_PART_REQUEST_START:
> > +        if (len < 2) {
> > +            return -1; /* Bogus. */
> > +        }
> > +        memcpy(sid->inmsg, buf, len);
> > +        sid->inlen = len;
> > +        break;
> > +
> > +    case SSIF_IPMI_MULTI_PART_REQUEST_END:
> > +        send = true;
> > +        /* FALLTHRU */
> > +    case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE:
> > +        if (!sid->inlen) {
> > +            return -1; /* Bogus. */
> > +        }
> > +        if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) {
> > +            sid->inlen = 0; /* Discard the message. */
> > +            return -1; /* Bogus. */
> > +        }
>
> ...this error checking on the values of the 'middle' request
> means that after one 'middle' request we can end up with
> sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the
> entire sid->inmsg[] array).
>
> But then if we get another 'middle' request with len == 0,
> that will pass this error checking because (sid->inlen + len == MSG_SIZE)
> and fall through into...
>
> > +        if (len < 32) {
> > +            /*
> > +             * Special hack, a multi-part middle that is less than 32 bytes
> > +             * marks the end of a message.  The specification is fairly
> > +             * confusing, so some systems to this, even sending a zero
> > +             * length end message to mark the end.
> > +             */
> > +            send = true;
> > +        }
> > +        memcpy(sid->inmsg + sid->inlen, buf, len);
>
> ...calling memcpy() with argument 1 being a pointer that points
> one past the end of the array. Even though len will be 0 and
> we won't memcpy() anything, this is (depending on how you choose
> to intepret things the C standard doesn't come right out and state
> explicitly) undefined behaviour, because memcpy() wants to be passed
> valid pointers, even if you ask it to do no work with a zero len.
>
> This isn't going to be a visible bug in practical terms, but it would
> make Coverity happy if we either (a) rejected a request with an empty
> length or else (b) skipped the memcpy(). I don't know enough about
> IPMI to know which is better.

thanks
-- PMM
Corey Minyard July 29, 2022, 3:56 p.m. UTC | #3
On Tue, Jun 28, 2022 at 05:21:44PM +0100, Peter Maydell wrote:
> On Thu, 19 Sept 2019 at 22:39, <minyard@acm.org> wrote:
> >
> > From: Corey Minyard <cminyard@mvista.com>
> >
> > Signed-off-by: Corey Minyard <cminyard@mvista.com>
> > ---
> 

Thank you for the ping.  Comments inline...

> Very old patch, but Coverity has decided it doesn't like something
> in this function that's still basically the same in the current codebase
> (CID 1487146):
> 
> > +static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
> > +{
> > +    SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
> > +    bool send = false;
> > +    uint8_t cmd;
> > +    int ret = 0;
> > +
> > +    /* length is guaranteed to be >= 1. */
> > +    cmd = *buf++;
> > +    len--;
> > +
> > +    /* Handle read request, which don't have any data in the write part. */
> > +    switch (cmd) {
> > +    case SSIF_IPMI_RESPONSE:
> > +        sid->currblk = 0;
> > +        ret = ipmi_load_readbuf(sid);
> > +        break;
> > +
> > +    case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE:
> > +        sid->currblk++;
> > +        ret = ipmi_load_readbuf(sid);
> > +        break;
> > +
> > +    case SSIF_IPMI_MULTI_PART_RETRY:
> > +        if (len >= 1) {
> > +            sid->currblk = buf[0];
> > +            ret = ipmi_load_readbuf(sid);
> > +        } else {
> > +            ret = -1;
> > +        }
> > +        break;
> > +
> > +    default:
> > +        break;
> > +    }
> > +
> > +    /* This should be a message write, make the length is there and correct. */
> > +    if (len >= 1) {
> > +        if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) {
> > +            return -1; /* Bogus message */
> > +        }
> > +        buf++;
> > +        len--;
> > +    }
> 
> After all of this preamble, len can be zero...
> 
> > +
> > +    switch (cmd) {
> > +    case SSIF_IPMI_REQUEST:
> > +        send = true;
> > +        /* FALLTHRU */
> > +    case SSIF_IPMI_MULTI_PART_REQUEST_START:
> > +        if (len < 2) {
> > +            return -1; /* Bogus. */
> > +        }
> > +        memcpy(sid->inmsg, buf, len);
> > +        sid->inlen = len;
> > +        break;
> > +
> > +    case SSIF_IPMI_MULTI_PART_REQUEST_END:
> > +        send = true;
> > +        /* FALLTHRU */
> > +    case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE:
> > +        if (!sid->inlen) {
> > +            return -1; /* Bogus. */
> > +        }
> > +        if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) {
> > +            sid->inlen = 0; /* Discard the message. */
> > +            return -1; /* Bogus. */
> > +        }
> 
> ...this error checking on the values of the 'middle' request
> means that after one 'middle' request we can end up with
> sid->inlen == MAX_SSIF_IPMI_MSG_SIZE (ie we filled the
> entire sid->inmsg[] array).
> 
> But then if we get another 'middle' request with len == 0,
> that will pass this error checking because (sid->inlen + len == MSG_SIZE)
> and fall through into...
> 
> > +        if (len < 32) {
> > +            /*
> > +             * Special hack, a multi-part middle that is less than 32 bytes
> > +             * marks the end of a message.  The specification is fairly
> > +             * confusing, so some systems to this, even sending a zero
> > +             * length end message to mark the end.
> > +             */
> > +            send = true;
> > +        }
> > +        memcpy(sid->inmsg + sid->inlen, buf, len);
> 
> ...calling memcpy() with argument 1 being a pointer that points
> one past the end of the array. Even though len will be 0 and
> we won't memcpy() anything, this is (depending on how you choose
> to intepret things the C standard doesn't come right out and state
> explicitly) undefined behaviour, because memcpy() wants to be passed
> valid pointers, even if you ask it to do no work with a zero len.
> 
> This isn't going to be a visible bug in practical terms, but it would
> make Coverity happy if we either (a) rejected a request with an empty
> length or else (b) skipped the memcpy(). I don't know enough about
> IPMI to know which is better.

Hmm.  In some cases you have to accept a zero-length packet (as
described in the comments), but if you said:

  if (len > 0)
      memcpy(sid->inmsg + sid->inlen, buf, len);

would that make Coverity happy?  I was under the impression that if you
passed zero into len, you could pass anything into the data on a memcpy.
But apparently not; I can make this change.

-corey

> 
> > +        sid->inlen += len;
> > +        break;
> > +    }
> > +
> > +    if (send && sid->inlen) {
> > +        smbus_ipmi_send_msg(sid);
> > +    }
> > +
> > +    return ret;
> > +}
> 
> thanks
> -- PMM
>
Peter Maydell July 29, 2022, 4:01 p.m. UTC | #4
On Fri, 29 Jul 2022 at 16:56, Corey Minyard <minyard@acm.org> wrote:
>
> On Tue, Jun 28, 2022 at 05:21:44PM +0100, Peter Maydell wrote:
> > On Thu, 19 Sept 2019 at 22:39, <minyard@acm.org> wrote:
> > >
> > > From: Corey Minyard <cminyard@mvista.com>
> > >
> > > Signed-off-by: Corey Minyard <cminyard@mvista.com>
> > > ---
> >
>
> Thank you for the ping.  Comments inline...

> > ...calling memcpy() with argument 1 being a pointer that points
> > one past the end of the array. Even though len will be 0 and
> > we won't memcpy() anything, this is (depending on how you choose
> > to intepret things the C standard doesn't come right out and state
> > explicitly) undefined behaviour, because memcpy() wants to be passed
> > valid pointers, even if you ask it to do no work with a zero len.
> >
> > This isn't going to be a visible bug in practical terms, but it would
> > make Coverity happy if we either (a) rejected a request with an empty
> > length or else (b) skipped the memcpy(). I don't know enough about
> > IPMI to know which is better.
>
> Hmm.  In some cases you have to accept a zero-length packet (as
> described in the comments), but if you said:
>
>   if (len > 0)
>       memcpy(sid->inmsg + sid->inlen, buf, len);
>
> would that make Coverity happy?  I was under the impression that if you
> passed zero into len, you could pass anything into the data on a memcpy.
> But apparently not; I can make this change.

Yes, putting an if() around the memcpy() will be enough to avoid
the undefined behaviour. (NB that you want braces {} on it ;-))

thanks
-- PMM
diff mbox series

Patch

diff --git a/default-configs/i386-softmmu.mak b/default-configs/i386-softmmu.mak
index 2294c0be5a..4229900f57 100644
--- a/default-configs/i386-softmmu.mak
+++ b/default-configs/i386-softmmu.mak
@@ -12,6 +12,7 @@ 
 #CONFIG_ISA_IPMI_KCS=n
 #CONFIG_PCI_IPMI_KCS=n
 #CONFIG_PCI_IPMI_BT=n
+#CONFIG_IPMI_SSIF=n
 #CONFIG_PCI_DEVICES=n
 #CONFIG_PVPANIC=n
 #CONFIG_QXL=n
diff --git a/hw/i386/Kconfig b/hw/i386/Kconfig
index d10f4e3e8b..c5c9d4900e 100644
--- a/hw/i386/Kconfig
+++ b/hw/i386/Kconfig
@@ -10,6 +10,7 @@  config PC
     imply ISA_IPMI_BT
     imply PCI_IPMI_KCS
     imply PCI_IPMI_BT
+    imply IPMI_SSIF
     imply ISA_DEBUG
     imply PARALLEL
     imply PCI_DEVICES
diff --git a/hw/ipmi/Kconfig b/hw/ipmi/Kconfig
index 12db4e81ad..9befd4f422 100644
--- a/hw/ipmi/Kconfig
+++ b/hw/ipmi/Kconfig
@@ -30,3 +30,8 @@  config PCI_IPMI_BT
     bool
     depends on PCI
     select IPMI
+
+config IPMI_SSIF
+    bool
+    depends on I2C
+    select IPMI
diff --git a/hw/ipmi/Makefile.objs b/hw/ipmi/Makefile.objs
index 2d7f080a86..3cca10bc50 100644
--- a/hw/ipmi/Makefile.objs
+++ b/hw/ipmi/Makefile.objs
@@ -5,3 +5,4 @@  common-obj-$(CONFIG_ISA_IPMI_KCS) += isa_ipmi_kcs.o
 common-obj-$(CONFIG_PCI_IPMI_KCS) += pci_ipmi_kcs.o
 common-obj-$(CONFIG_ISA_IPMI_BT) += isa_ipmi_bt.o
 common-obj-$(CONFIG_PCI_IPMI_BT) += pci_ipmi_bt.o
+common-obj-$(CONFIG_IPMI_SSIF) += smbus_ipmi.o
diff --git a/hw/ipmi/smbus_ipmi.c b/hw/ipmi/smbus_ipmi.c
new file mode 100644
index 0000000000..2a9470d9df
--- /dev/null
+++ b/hw/ipmi/smbus_ipmi.c
@@ -0,0 +1,384 @@ 
+/*
+ * QEMU IPMI SMBus (SSIF) emulation
+ *
+ * Copyright (c) 2015,2016 Corey Minyard, MontaVista Software, LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#include "qemu/osdep.h"
+#include "migration/vmstate.h"
+#include "hw/i2c/smbus_slave.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+#include "hw/ipmi/ipmi.h"
+
+#define TYPE_SMBUS_IPMI "smbus-ipmi"
+#define SMBUS_IPMI(obj) OBJECT_CHECK(SMBusIPMIDevice, (obj), TYPE_SMBUS_IPMI)
+
+#define SSIF_IPMI_REQUEST                       2
+#define SSIF_IPMI_MULTI_PART_REQUEST_START      6
+#define SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE     7
+#define SSIF_IPMI_MULTI_PART_REQUEST_END        8
+#define SSIF_IPMI_RESPONSE                      3
+#define SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE    9
+#define SSIF_IPMI_MULTI_PART_RETRY              0xa
+
+#define MAX_SSIF_IPMI_MSG_SIZE 255
+#define MAX_SSIF_IPMI_MSG_CHUNK 32
+
+#define IPMI_GET_SYS_INTF_CAP_CMD 0x57
+
+typedef struct SMBusIPMIDevice {
+    SMBusDevice parent;
+
+    IPMIBmc *bmc;
+
+    uint8_t outmsg[MAX_SSIF_IPMI_MSG_SIZE];
+    uint32_t outlen;
+    uint32_t currblk;
+
+    /* Holds the SMBUS message currently being sent to the host. */
+    uint8_t outbuf[MAX_SSIF_IPMI_MSG_CHUNK + 1]; /* len + message. */
+    uint32_t outpos;
+
+    uint8_t inmsg[MAX_SSIF_IPMI_MSG_SIZE];
+    uint32_t inlen;
+
+    /*
+     * This is a response number that we send with the command to make
+     * sure that the response matches the command.
+     */
+    uint8_t waiting_rsp;
+
+    uint32_t uuid;
+} SMBusIPMIDevice;
+
+static void smbus_ipmi_handle_event(IPMIInterface *ii)
+{
+    /* No interrupts, so nothing to do here. */
+}
+
+static void smbus_ipmi_handle_rsp(IPMIInterface *ii, uint8_t msg_id,
+                                  unsigned char *rsp, unsigned int rsp_len)
+{
+    SMBusIPMIDevice *sid = SMBUS_IPMI(ii);
+
+    if (sid->waiting_rsp == msg_id) {
+        sid->waiting_rsp++;
+
+        if (rsp_len > MAX_SSIF_IPMI_MSG_SIZE) {
+            rsp[2] = IPMI_CC_REQUEST_DATA_TRUNCATED;
+            rsp_len = MAX_SSIF_IPMI_MSG_SIZE;
+        }
+        memcpy(sid->outmsg, rsp, rsp_len);
+        sid->outlen = rsp_len;
+        sid->outpos = 0;
+        sid->currblk = 0;
+    }
+}
+
+static void smbus_ipmi_set_atn(IPMIInterface *ii, int val, int irq)
+{
+    /* This is where PEC would go. */
+}
+
+static void smbus_ipmi_set_irq_enable(IPMIInterface *ii, int val)
+{
+}
+
+static void smbus_ipmi_send_msg(SMBusIPMIDevice *sid)
+{
+    uint8_t *msg = sid->inmsg;
+    uint32_t len = sid->inlen;
+    IPMIBmcClass *bk = IPMI_BMC_GET_CLASS(sid->bmc);
+
+    sid->outlen = 0;
+    sid->outpos = 0;
+    sid->currblk = 0;
+
+    if (msg[0] == (IPMI_NETFN_APP << 2) && msg[1] == IPMI_GET_SYS_INTF_CAP_CMD)
+    {
+        /* We handle this ourself. */
+        sid->outmsg[0] = (IPMI_NETFN_APP + 1) << 2;
+        sid->outmsg[1] = msg[1];
+        if (len < 3) {
+            sid->outmsg[2] = IPMI_CC_REQUEST_DATA_LENGTH_INVALID;
+            sid->outlen = 3;
+        } else if ((msg[2] & 0x0f) != 0) {
+            sid->outmsg[2] = IPMI_CC_INVALID_DATA_FIELD;
+            sid->outlen = 3;
+        } else {
+            sid->outmsg[2] = 0;
+            sid->outmsg[3] = 0;
+            sid->outmsg[4] = (2 << 6); /* Multi-part supported. */
+            sid->outmsg[5] = MAX_SSIF_IPMI_MSG_SIZE;
+            sid->outmsg[6] = MAX_SSIF_IPMI_MSG_SIZE;
+            sid->outlen = 7;
+        }
+        return;
+    }
+
+    bk->handle_command(sid->bmc, sid->inmsg, sid->inlen, sizeof(sid->inmsg),
+                       sid->waiting_rsp);
+}
+
+static uint8_t ipmi_receive_byte(SMBusDevice *dev)
+{
+    SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
+
+    if (sid->outpos >= sizeof(sid->outbuf)) {
+        return 0xff;
+    }
+
+    return sid->outbuf[sid->outpos++];
+}
+
+static int ipmi_load_readbuf(SMBusIPMIDevice *sid)
+{
+    unsigned int block = sid->currblk, pos, len;
+
+    if (sid->outlen == 0) {
+        return -1;
+    }
+
+    if (sid->outlen <= 32) {
+        if (block != 0) {
+            return -1;
+        }
+        sid->outbuf[0] = sid->outlen;
+        memcpy(sid->outbuf + 1, sid->outmsg, sid->outlen);
+        sid->outpos = 0;
+        return 0;
+    }
+
+    if (block == 0) {
+        sid->outbuf[0] = 32;
+        sid->outbuf[1] = 0;
+        sid->outbuf[2] = 1;
+        memcpy(sid->outbuf + 3, sid->outmsg, 30);
+        sid->outpos = 0;
+        return 0;
+    }
+
+    /*
+     * Calculate the position in outmsg.  30 for the first block, 31
+     * for the rest of the blocks.
+     */
+    pos = 30 + (block - 1) * 31;
+
+    if (pos >= sid->outlen) {
+        return -1;
+    }
+
+    len = sid->outlen - pos;
+    if (len > 31) {
+        /* More chunks after this. */
+        len = 31;
+        /* Blocks start at 0 for the first middle transaction. */
+        sid->outbuf[1] = block - 1;
+    } else {
+        sid->outbuf[1] = 0xff; /* End of message marker. */
+    }
+
+    sid->outbuf[0] = len + 1;
+    memcpy(sid->outbuf + 2, sid->outmsg + pos, len);
+    sid->outpos = 0;
+    return 0;
+}
+
+static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
+{
+    SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
+    bool send = false;
+    uint8_t cmd;
+    int ret = 0;
+
+    /* length is guaranteed to be >= 1. */
+    cmd = *buf++;
+    len--;
+
+    /* Handle read request, which don't have any data in the write part. */
+    switch (cmd) {
+    case SSIF_IPMI_RESPONSE:
+        sid->currblk = 0;
+        ret = ipmi_load_readbuf(sid);
+        break;
+
+    case SSIF_IPMI_MULTI_PART_RESPONSE_MIDDLE:
+        sid->currblk++;
+        ret = ipmi_load_readbuf(sid);
+        break;
+
+    case SSIF_IPMI_MULTI_PART_RETRY:
+        if (len >= 1) {
+            sid->currblk = buf[0];
+            ret = ipmi_load_readbuf(sid);
+        } else {
+            ret = -1;
+        }
+        break;
+
+    default:
+        break;
+    }
+
+    /* This should be a message write, make the length is there and correct. */
+    if (len >= 1) {
+        if (*buf != len - 1 || *buf > MAX_SSIF_IPMI_MSG_CHUNK) {
+            return -1; /* Bogus message */
+        }
+        buf++;
+        len--;
+    }
+
+    switch (cmd) {
+    case SSIF_IPMI_REQUEST:
+        send = true;
+        /* FALLTHRU */
+    case SSIF_IPMI_MULTI_PART_REQUEST_START:
+        if (len < 2) {
+            return -1; /* Bogus. */
+        }
+        memcpy(sid->inmsg, buf, len);
+        sid->inlen = len;
+        break;
+
+    case SSIF_IPMI_MULTI_PART_REQUEST_END:
+        send = true;
+        /* FALLTHRU */
+    case SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE:
+        if (!sid->inlen) {
+            return -1; /* Bogus. */
+        }
+        if (sid->inlen + len > MAX_SSIF_IPMI_MSG_SIZE) {
+            sid->inlen = 0; /* Discard the message. */
+            return -1; /* Bogus. */
+        }
+        if (len < 32) {
+            /*
+             * Special hack, a multi-part middle that is less than 32 bytes
+             * marks the end of a message.  The specification is fairly
+             * confusing, so some systems to this, even sending a zero
+             * length end message to mark the end.
+             */
+            send = true;
+        }
+        memcpy(sid->inmsg + sid->inlen, buf, len);
+        sid->inlen += len;
+        break;
+    }
+
+    if (send && sid->inlen) {
+        smbus_ipmi_send_msg(sid);
+    }
+
+    return ret;
+}
+
+static const VMStateDescription vmstate_smbus_ipmi = {
+    .name = TYPE_SMBUS_IPMI,
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields      = (VMStateField[]) {
+        VMSTATE_SMBUS_DEVICE(parent, SMBusIPMIDevice),
+        VMSTATE_UINT8(waiting_rsp, SMBusIPMIDevice),
+        VMSTATE_UINT32(outlen, SMBusIPMIDevice),
+        VMSTATE_UINT32(currblk, SMBusIPMIDevice),
+        VMSTATE_UINT8_ARRAY(outmsg, SMBusIPMIDevice, MAX_SSIF_IPMI_MSG_SIZE),
+        VMSTATE_UINT32(outpos, SMBusIPMIDevice),
+        VMSTATE_UINT8_ARRAY(outbuf, SMBusIPMIDevice,
+                            MAX_SSIF_IPMI_MSG_CHUNK + 1),
+        VMSTATE_UINT32(inlen, SMBusIPMIDevice),
+        VMSTATE_UINT8_ARRAY(inmsg, SMBusIPMIDevice, MAX_SSIF_IPMI_MSG_SIZE),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void smbus_ipmi_realize(DeviceState *dev, Error **errp)
+{
+    SMBusIPMIDevice *sid = SMBUS_IPMI(dev);
+    IPMIInterface *ii = IPMI_INTERFACE(dev);
+
+    if (!sid->bmc) {
+        error_setg(errp, "IPMI device requires a bmc attribute to be set");
+        return;
+    }
+
+    sid->uuid = ipmi_next_uuid();
+
+    sid->bmc->intf = ii;
+}
+
+static void smbus_ipmi_init(Object *obj)
+{
+    SMBusIPMIDevice *sid = SMBUS_IPMI(obj);
+
+    ipmi_bmc_find_and_link(OBJECT(obj), (Object **) &sid->bmc);
+}
+
+static void smbus_ipmi_get_fwinfo(struct IPMIInterface *ii, IPMIFwInfo *info)
+{
+    SMBusIPMIDevice *sid = SMBUS_IPMI(ii);
+
+    info->interface_name = "smbus";
+    info->interface_type = IPMI_SMBIOS_SSIF;
+    info->ipmi_spec_major_revision = 2;
+    info->ipmi_spec_minor_revision = 0;
+    info->i2c_slave_address = sid->bmc->slave_addr;
+    info->base_address = sid->parent.i2c.address;
+    info->memspace = IPMI_MEMSPACE_SMBUS;
+    info->register_spacing = 1;
+    info->uuid = sid->uuid;
+}
+
+static void smbus_ipmi_class_init(ObjectClass *oc, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(oc);
+    IPMIInterfaceClass *iic = IPMI_INTERFACE_CLASS(oc);
+    SMBusDeviceClass *sc = SMBUS_DEVICE_CLASS(oc);
+
+    sc->receive_byte = ipmi_receive_byte;
+    sc->write_data = ipmi_write_data;
+    dc->vmsd = &vmstate_smbus_ipmi;
+    dc->realize = smbus_ipmi_realize;
+    iic->set_atn = smbus_ipmi_set_atn;
+    iic->handle_rsp = smbus_ipmi_handle_rsp;
+    iic->handle_if_event = smbus_ipmi_handle_event;
+    iic->set_irq_enable = smbus_ipmi_set_irq_enable;
+    iic->get_fwinfo = smbus_ipmi_get_fwinfo;
+}
+
+static const TypeInfo smbus_ipmi_info = {
+    .name          = TYPE_SMBUS_IPMI,
+    .parent        = TYPE_SMBUS_DEVICE,
+    .instance_size = sizeof(SMBusIPMIDevice),
+    .instance_init = smbus_ipmi_init,
+    .class_init    = smbus_ipmi_class_init,
+    .interfaces = (InterfaceInfo[]) {
+        { TYPE_IPMI_INTERFACE },
+        { }
+    }
+};
+
+static void smbus_ipmi_register_types(void)
+{
+    type_register_static(&smbus_ipmi_info);
+}
+
+type_init(smbus_ipmi_register_types)