From: Wolfgang Denk <wd@denx.de>
To: u-boot@lists.denx.de
Subject: [PATCH 2/2] watchdog: add watchdog behavior configuration
Date: Sat, 26 Sep 2020 16:40:56 +0200 [thread overview]
Message-ID: <7920.1601131256@gemini.denx.de> (raw)
In-Reply-To: <ef24629c-2c57-c681-eae5-2d034abfbd9b@gmx.de>
Dear Heinrich,
In message <ef24629c-2c57-c681-eae5-2d034abfbd9b@gmx.de> you wrote:
>
> This is why UEFI API has the EFI_BOOT_SERVICES.SetWatchdogTimer()
> service which allows to set the timeout or disable the watchdog completely.
UEFI may have any APIs it wants, this will not change the underlying
hardware in any way. A proper watchdog implementation has
write-once register to prime the watchdog. Once it is armed, there
will be no other way to disarm it except for a hardware reset.
> The Linux EFI stub calls EFI_BOOT_SERVICES.ExitBootServices. According
> to the UEFI spec this is the moment when the watchdog must be disabled.
>
> So in a UEFI environment you can only monitor the time in U-Boot, in
> GRUB and part of the Linux EFI stub. You cannot monitor if Linux reaches
> the command prompt using the watchdog provided by the UEFI firmware.
> Linux could set up its own watchdog that takes over.
The logical approach is to leave the watchdog uninitialized in
U-Boot, and activate it in Linux only.
Or, if you need to be able to detect and reset a system hanging in
the boot process, then simply do not use UEFI at all. Apparently it
is unsuitable for any reliable systems.
I mean - when there are mandatory phases in EFI boot where the WD
_must_ be disabled, then what happens when booting hangs exactly
then? then you are exactly in the same position as if not enabling
the WD at all in U-Boot.
> If we want to have a hardware based watchdog in the UEFI context, we
> need a U-Boot internal API by which we can enable and disable a hardware
> watchdog with an arbitrary duration (>> 5 min) with 1 second resolution.
> Then our implementation of SetWatchdogTimer() could call into this API.
Sorry, but please stop ignoring hardware properties!
Yes, eventually we could implement a software layer that triggers
the watchdog _while_U-Boot_is_running. But as soon as U-Boot loats
and starts the next payload, this code is gone.
For example, assume a hardware watchdog with a fixed time-out
interval of 1.6 seconds that cannot be disabled at all in software -
it starts running with power on. [Note that this is not a theoretical
example, but real life.]
We can deal with this in U-Boot just fine. We can also deal with
this booting Linux - 1.6 seconds is usually enough to get the needed
driver initialized in Linux, too. But as soon as U-Boot starts the
first payload, you have only those 1.6 seconds - so if your payload
does not trigger the WD, you lose.
You can implement software services only within the capabilities of
the given hardware.
Best regards,
Wolfgang Denk
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
If a packet hits a pocket on a socket on a port,
And the bus is interrupted as a very last resort,
And the address of the memory makes your floppy disk abort,
Then the socket packet pocket has an error to report! - Ken Burchill?
next prev parent reply other threads:[~2020-09-26 14:40 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-23 16:45 [PATCH 1/2] watchdog: Hide WATCHDOG_RESET_DISABLE Michael Walle
2020-09-23 16:45 ` [PATCH 2/2] watchdog: add watchdog behavior configuration Michael Walle
2020-09-23 17:01 ` Mark Kettenis
2020-09-23 17:14 ` Tom Rini
2020-09-23 17:31 ` Heinrich Schuchardt
2020-09-23 17:35 ` Tom Rini
2020-09-24 7:33 ` Michael Walle
2020-09-24 8:10 ` Mark Kettenis
2020-09-24 8:20 ` Michael Walle
2020-09-24 10:22 ` Mark Kettenis
2020-09-24 21:05 ` Michael Walle
2020-09-24 13:19 ` Tom Rini
2020-09-24 20:30 ` Michael Walle
2020-09-24 20:58 ` Mark Kettenis
2020-09-24 21:14 ` Michael Walle
2020-09-25 1:17 ` Tom Rini
2020-09-25 8:36 ` Wolfgang Denk
2020-09-25 11:29 ` Heinrich Schuchardt
2020-09-25 13:00 ` Tom Rini
2020-09-25 13:26 ` Heinrich Schuchardt
2020-09-26 8:45 ` Wolfgang Denk
2020-09-26 10:54 ` Mark Kettenis
2020-09-26 12:39 ` Heinrich Schuchardt
2020-09-26 12:44 ` Tom Rini
2020-09-27 16:06 ` Michael Walle
2020-09-28 15:34 ` Tom Rini
2020-09-26 14:40 ` Wolfgang Denk [this message]
2020-09-26 14:22 ` Wolfgang Denk
2020-09-25 13:04 ` Wolfgang Denk
2020-10-04 14:55 ` Michael Walle
2020-10-04 15:10 ` Heinrich Schuchardt
2020-10-04 15:40 ` Tom Rini
2020-09-23 17:53 ` Mark Kettenis
2020-09-23 18:51 ` Heinrich Schuchardt
2020-09-23 19:02 ` Tom Rini
2020-09-23 20:01 ` Heinrich Schuchardt
2020-09-23 20:23 ` Tom Rini
2020-09-23 20:58 ` Heinrich Schuchardt
2020-09-23 21:09 ` Tom Rini
2020-09-23 20:38 ` Michael Walle
2020-09-23 21:01 ` Heinrich Schuchardt
2020-09-23 17:21 ` Heinrich Schuchardt
2020-09-23 17:28 ` Tom Rini
2020-09-24 6:53 ` Michael Walle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7920.1601131256@gemini.denx.de \
--to=wd@denx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox