* [PATCH] lib: sbi: Apply budget restriction when polling Zkr CSR state transition
@ 2026-05-19 22:50 Evgeny Voevodin
2026-05-26 3:36 ` Nicholas Piggin
0 siblings, 1 reply; 3+ messages in thread
From: Evgeny Voevodin @ 2026-05-19 22:50 UTC (permalink / raw)
To: opensbi; +Cc: evvoevod
Zkr architecture doesn't define a time limit on state transitions
which results in hanging on unresponsive or event-driven platforms.
To prevent this, we need to limit polling iterations and fall back
in case the budget is over, and stack guard keeps its initial value.
The budget is configurable with CONFIG_SBI_INIT_ZKR_POLL_BUDGET,
defaulting to 1000 iterations.
Successful reads do not consume a try.
Signed-off-by: Evgeny Voevodin <evvoevod@tenstorrent.com>
---
lib/sbi/Kconfig | 12 ++++++++++++
lib/sbi/sbi_init.c | 12 +++++++++---
2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/lib/sbi/Kconfig b/lib/sbi/Kconfig
index c6cc04bc..a11f788c 100644
--- a/lib/sbi/Kconfig
+++ b/lib/sbi/Kconfig
@@ -6,6 +6,18 @@ config CONSOLE_EARLY_BUFFER_SIZE
int "Early console buffer size (bytes)"
default 256
+config SBI_INIT_ZKR_POLL_BUDGET
+ int "Zkr seed polling budget (iterations)"
+ default 1000
+ help
+ Maximum number of iterations to poll CSR_SEED when initializing
+ the stack guard variable. The Zkr specification doesn't define
+ a time limit on transitioning to ES16 between polls, which
+ makes it impossible to tell whether entropy is being
+ accumulated slowly or the entropy source is not functioning.
+ This also limits the wait time on systems with an event-driven
+ entropy source. A successful read doesn't consume a try.
+
config SBI_ECALL_TIME
bool "Timer extension"
default y
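Review bot: The new `SBI_INIT_ZKR_POLL_BUDGET` entry is a plain `int` with no `range`, so 0 or a negative value is accepted. With 0, the `while (chunks && tries)` loop in sbi_init.c never runs and `res` stays false, so the stack guard is never seeded from Zkr even when the entropy source works; a negative value converts to a very large `unsigned int tries`, which effectively removes the cap. Consider adding a `range` with a lower bound of 1, and stating in the help text that the stack guard keeps its initial value once the budget runs out.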
diff --git a/lib/sbi/sbi_init.c b/lib/sbi/sbi_init.c
index b248e73f..7a0c4f74 100644
--- a/lib/sbi/sbi_init.c
+++ b/lib/sbi/sbi_init.c
@@ -280,20 +280,26 @@ static void __noreturn init_coldboot(struct sbi_scratch *scratch, u32 hartid)
if (sbi_hart_has_extension(scratch, SBI_HART_EXT_ZKR)) {
unsigned long guard_val = 0;
int chunks = sizeof(unsigned long) / sizeof(uint16_t);
- bool res = true;
+ unsigned int tries = CONFIG_SBI_INIT_ZKR_POLL_BUDGET;
+ bool res = false;
- while (chunks) {
+ while (chunks && tries) {
unsigned long seed = csr_swap(CSR_SEED, 0);
unsigned long opst = seed & SEED_OPTS_MASK;
+ res = false;
if (opst == SEED_OPTS_DEAD) {
- res = false;
break;
}
if (opst == SEED_OPTS_ES16) {
guard_val = (guard_val << 16) | (seed & SEED_ENTROPY_MASK);
chunks--;
+ res = true;
+ /* Successful read doesn't consume a try */
+ tries++;
}
+
+ tries--;
continue;
}
if (res)
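Review bot: When `tries` reaches zero the loop exits with `res == false` and the `if (res)` branch is skipped with no diagnostic, so a platform whose entropy source is only slow boots with the stack guard at its initial value and nothing records that. The budget counts CSR reads rather than elapsed time, so how long the configured number of polls actually waits depends on how fast the hart executes them. Consider recording or reporting the budget-exhausted fallback separately from the `SEED_OPTS_DEAD` case, so it is visible that the stack protector is running with a predictable canary. A smaller point: `tries++` followed by the unconditional `tries--` would read more clearly as a single decrement taken only on the non-ES16 path.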
--
2.43.0
--
opensbi mailing list
opensbi@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/opensbi
* Re: [PATCH] lib: sbi: Apply budget restriction when polling Zkr CSR state transition
From: Nicholas Piggin @ 2026-05-26 3:36 UTC (permalink / raw)
To: Evgeny Voevodin; +Cc: opensbi
On Tue, May 19, 2026 at 10:50:14PM +0000, Evgeny Voevodin wrote:
> Zkr architecture doesn't define a time limit on state transitions
> which results in hanging on unresponsive or event-driven platforms.
> To prevent this, we need to limit polling iterations and fall back
> in case the budget is over, and stack guard keeps its initial value.
> The budget is configurable with CONFIG_SBI_INIT_ZKR_POLL_BUDGET,
> defaulting to 1000 iterations.
> Successful reads do not consume a try.
>
> Signed-off-by: Evgeny Voevodin <evvoevod@tenstorrent.com>
> ---
> lib/sbi/Kconfig | 12 ++++++++++++
> lib/sbi/sbi_init.c | 12 +++++++++---
> 2 files changed, 21 insertions(+), 3 deletions(-)
>
> diff --git a/lib/sbi/Kconfig b/lib/sbi/Kconfig
> index c6cc04bc..a11f788c 100644
> --- a/lib/sbi/Kconfig
> +++ b/lib/sbi/Kconfig
> @@ -6,6 +6,18 @@ config CONSOLE_EARLY_BUFFER_SIZE
> int "Early console buffer size (bytes)"
> default 256
>
> +config SBI_INIT_ZKR_POLL_BUDGET
> + int "Zkr seed polling budget (iterations)"
> + default 1000
> + help
> + Maximum number of iterations to poll CSR_SEED when initializing
> + the stack guard variable. The Zkr specification doesn't define
> + a time limit on transitioning to ES16 between polls, which
> + makes it impossible to tell whether entropy is being
> + accumulated slowly or the entropy source is not functioning.
If entropy source is not functioning it should return DEAD, surely.
Specifications always require a "reasonable" performance, whether that
is explicit or not. That's open to interpretation and application, but
if a word of entropy at boot causes a responsiveness problem, I don't
know if that's a reasonable expectation in the spec that needs to be
accounted for.
So I think a bit more information would be good. If this is a
workaround for a particular platform that might be okay but I think it
should be framed as such.
Thanks,
Nick
* Re: [PATCH] lib: sbi: Apply budget restriction when polling Zkr CSR state transition
From: Evgeny Voevodin @ 2026-05-27 17:19 UTC (permalink / raw)
To: Nicholas Piggin; +Cc: opensbi, evvoevod
Yes, DEAD is the architectural way to signal a non-functioning source,
and the spec implicitly assumes reasonable timing. The actual scenario
this patch fixes is more specific:
This patch fixes a hang on platforms where either internal entropy
source is event driven and requires corresponding interrupt line to be
enabled or external entropy FIFO refill source is not wired up (as on
SW and HW emulation of Tenstorrent platform).
Without the cap, init_coldboot() spins forever - no console output, no
diagnostic, just a silent boot-time hang. With it, __stack_chk_guard
keeps its compile-time default and the firmware boots.
Given this explanation, is it OK to keep this patch as is or is it
better to send v2 with updated commit message and Kconfig help text?
Thanks,
Evgeny