On 9/23/20 7:53 PM, Mark Kettenis wrote: >> Date: Wed, 23 Sep 2020 13:14:09 -0400 >> From: Tom Rini <tr...@konsulko.com> >> >> On Wed, Sep 23, 2020 at 07:01:54PM +0200, Mark Kettenis wrote: >>>> From: Michael Walle <mich...@walle.cc> >>>> Date: Wed, 23 Sep 2020 18:45:27 +0200 >>>> >>>> Let the user choose between three different behaviours of the watchdog: >>>> (1) Keep the watchdog disabled >>>> (2) Supervise u-boot >>>> (3) Supervise u-boot and the operating systen (default) >>>> >>>> Option (2) will disable the watchdog right before handing control to the >>>> operating system. This is useful when the OS is not aware of the >>>> watchdog. Option (3) doesn't disable the watchdog and assumes the OS >>>> will continue servicing. >>> >>> (3) can't be the default, at least for EFI >>> >>> The UEFI standard explicitly says that upon calling >>> ExitBootServices(), the watchdog timer is disabled. >>>
So 3) must not be allowed for CONFIG_EFI_LOADER=y which we have enabled on most boards. >>> In general, you can't expect an OS to have support for a particular >>> watchdog timer. So (3) only makes sense in cases where U-Boot is >>> bundled with an OS image. >> >> We need to be careful here then. The current and historical / generally >> expected behavior is if we've enabled the watchdog we supervise it and >> leave it enabled for the OS. Given what UEFI requires I'd like to see >> that case handled with a print about disabling the watchdog so it's not >> a surprise to the user. I say this because it's a surprise to me and I >> guess answers the question of "how does x86 handle this?" I had the >> other day. > > So the UEFI requirement actually is: > > * Before starting an EFI payload a watchdog timer is started to reset > the system after 5 minutes. > > * This watchdog timer is cancelled as soon as the EFI payload calls > ExitBootServices(). This requirement is currently fulfilled by a software watchdog in lib/efi_loader/efi_watchdog.c. We need an emulation because many boards don't offer a hardware watchdog in U-Boot. > > The OpenBSD kernel in general does not supervise the watchdog unless > explicitly requested to do so by the user. What may happen is that > the driver for the hardware stops the watchdog timer when it attaches, > but (a) that is just a side-effect and (b) watchdog timer support > isn't implemented for all supported SoCs. > > The OpenBSD EFI bootloader does explicitly disable the watchdog timer > though by calling SetWatchdogTime() as soon as it starts. This is to > prevent an automatic reboot if you leave it sitting at the boot prompt > for more than 5 minutes. This is done across all our architectures > that support EFI, including amd64. So maybe that hides any > non-conforming behaviour. > SetWatchdogTime() resets the software watchdog implemented in lib/efi_loader/efi_watchdog.c. When an UEFI payload reads a key via the simple text input protocol or the extended simple text input protocol U-Boot calls efi_timer_check() which invokes WATCHDOG_RESET(). This is why hardware watchdogs don't kill an UEFI application waiting for keyboard input. Best regards Heinrich
