> >>> This project is what I have been looking for (secure boot + watchdog),
> >>> but I have a hard time grasping why it works.
> >>>
> >>> The UEFI spec states[1]:
> >>> "The watchdog timer is only used during boot services. On successful
> >>> completion of EFI_BOOT_SERVICES.ExitBootServices() the watchdog timer is
> >>> disabled."
> >>>
> >>> So the boot looks something like this (AFAIU):
> >>> 1. efibootguard starts
> >>> 2. efibootguard initializes the watchdog
> >>> 3. LoadImage()
> >>> 4. StartImage()
> >>> 5. Linux starts and calls ExitBootServices()
> >>>
> >>> Why isn't UEFI disabling the watchdog initialized by efibootguard when
> >>> ExitBootServices() is called?
> >>>
> >>> [1] UEFI Spec 2.6, EFI_BOOT_SERVICES.SetWatchdogTimer():
> >>>
> >>
> >> Actually, this limitation of the UEFI-specified watchdog is one of the
> >> reasons EFI Boot Guard exists. Here, we don't use the UEFI-provided
> >> watchdog but real ones (including those described via WDAT, but those
> >> are HW watchdogs as well). And those real watchdogs will not stop when
> >> the boot services are terminated. Rather, Linux will pick them up and
> >> continue to drive them.
> >
> > Thanks for the explanation, is the "UEFI-specified watchdog" not using
> > the hardware watchdog?
No, it's usually using an event-based mechanism, see, e.g., EDK2. That said,
there *could* be an EFI implementation using a hardware watchdog instead of
the event-based mechanism. Then, EFI Boot Guard would re-initialize the
watchdog. If this gets disabled on ExitBootServices(), then we have a
problem. However, I have not encountered this in the field.

> > or how is efibootguard preventing UEFI from
> > messing with the watchdog?

Usually, UEFI doesn't know or care about the hardware watchdog (see above),
so it's left alone and no special measures need to be taken.

> > According to the spec UEFI will disable the watchdog when
> > ExitBootServices() is called. I assume that is still happening with
> > efibootguard?

Yes, UEFI disables its own event-based watchdog ― and the timer mechanism
used for this is not available beyond boot services.

> Honestly, I have no clue how UEFI implementations map the watchdog API
> requests on real hardware. So far, we have not seen any conflicts in
> practice, probably because that UEFI watchdog service is generally not
> requested (definitely not by EFI Boot Guard).

The event-based watchdog is running unconditionally with a 5 minute timeout
per default. This is why some bootloaders reset the value via
BS->SetWatchdogTimer(5 * 60, WATCHDOGCODE, 0, NULL) prior to starting the
chain-callee so as to give it the whole 5 minutes.

Kind regards,
   Christian

--
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany

--
You received this message because you are subscribed to the Google Groups "EFI Boot Guard" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/efibootguard-dev/20211217154618.imrpht7q3qolvqdc%40MD1ZFJVC.ad001.siemens.net.
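The point made in the reply above (the event-based UEFI watchdog dies at ExitBootServices(), a hardware watchdog armed by the loader does not, and Linux later takes it over) can be made concrete with a small simulation. This is an added example, not code from EFI Boot Guard or from the thread: the UEFI typedefs and the two-member boot-services table are local stand-ins so it compiles without the gnu-efi/EDK2 headers, and the timeline (loader arms the hardware watchdog at 5 s, StartImage at 10 s, ExitBootServices at 15 s, kernel watchdog driver kicking from 40 s), the 60 s hardware timeout and the WATCHDOGCODE value are assumptions chosen for illustration. Real loader code would make the same SetWatchdogTimer() call through the firmware's table (gnu-efi's uefi_call_wrapper(BS->SetWatchdogTimer, 4, ...) or EDK2's gBS->SetWatchdogTimer()).

```c
/* Added example: models the UEFI event-based watchdog next to a hardware
 * watchdog. Local stand-ins replace <efi.h>; timeline values are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t UINTN;
typedef uint64_t UINT64;
typedef uint16_t CHAR16;
typedef UINTN    EFI_STATUS;
#define EFI_SUCCESS      0
#define EFI_UNSUPPORTED  3        /* stand-in; the real code has the high bit set */
#define WATCHDOGCODE     0x10000  /* assumed; the spec reserves 0..0xffff for firmware */
#define UEFI_WDT_DEFAULT 300      /* the 5-minute default mentioned in the thread */
#define HW_WDT_TIMEOUT   60       /* assumed timeout the loader programs into hardware */

/* Simulated platform state; `now` is seconds since the firmware armed its timer. */
static UINTN now;
static int   boot_services_alive;
static UINTN uefi_deadline;   /* 0 = event-based UEFI watchdog disabled */
static UINTN hw_deadline;     /* 0 = hardware watchdog not armed */

/* Stand-in for EFI_BOOT_SERVICES with only the two members used here. */
typedef struct {
    EFI_STATUS (*SetWatchdogTimer)(UINTN Timeout, UINT64 Code, UINTN DataSize, CHAR16 *Data);
    EFI_STATUS (*ExitBootServices)(void *ImageHandle, UINTN MapKey);
} SIM_BOOT_SERVICES;

static EFI_STATUS sim_SetWatchdogTimer(UINTN Timeout, UINT64 Code, UINTN DataSize, CHAR16 *Data)
{
    (void)Code; (void)DataSize; (void)Data;
    if (!boot_services_alive)                    /* the service is gone after ExitBootServices */
        return EFI_UNSUPPORTED;
    uefi_deadline = Timeout ? now + Timeout : 0; /* Timeout == 0 disables, as in the spec */
    return EFI_SUCCESS;
}

static EFI_STATUS sim_ExitBootServices(void *ImageHandle, UINTN MapKey)
{
    (void)ImageHandle; (void)MapKey;
    boot_services_alive = 0;
    uefi_deadline = 0;   /* spec: the watchdog timer is disabled on success */
    return EFI_SUCCESS;  /* hw_deadline is untouched: firmware knows nothing about it */
}

static SIM_BOOT_SERVICES  BS_table = { sim_SetWatchdogTimer, sim_ExitBootServices };
static SIM_BOOT_SERVICES *BS = &BS_table;

/* Hardware watchdog: independent of boot services, kicked by whoever owns it. */
static void hw_wdt_arm(UINTN seconds) { hw_deadline = now + seconds; }
static void hw_wdt_kick(void)         { if (hw_deadline) hw_deadline = now + HW_WDT_TIMEOUT; }

/* Assumed boot timeline in seconds after the firmware armed its default timer. */
enum { T_HW_ARM = 5, T_STARTIMAGE = 10, T_EXITBS = 15, T_KERNEL_WDT = 40, T_END = 1000 };

/* Run one boot. use_hw: the loader arms a real watchdog (what EFI Boot Guard
 * does). rearm_uefi: the loader calls SetWatchdogTimer(5*60) right before
 * StartImage, as some bootloaders do. hang_at: second after which nothing
 * progresses or kicks. Returns the second at which some watchdog resets the
 * machine, or 0 if nothing fires before T_END. */
static UINTN run_boot(int use_hw, int rearm_uefi, UINTN hang_at)
{
    boot_services_alive = 1;
    uefi_deadline = hw_deadline = 0;
    for (now = 0; now < T_END; now++) {
        if (now < hang_at) {   /* milestones are only reached while the boot progresses */
            if (now == 0)
                BS->SetWatchdogTimer(UEFI_WDT_DEFAULT, WATCHDOGCODE, 0, NULL); /* firmware default */
            if (now == T_HW_ARM && use_hw)
                hw_wdt_arm(HW_WDT_TIMEOUT);
            if (now == T_STARTIMAGE && rearm_uefi)
                BS->SetWatchdogTimer(5 * 60, WATCHDOGCODE, 0, NULL);
            if (now == T_EXITBS)
                BS->ExitBootServices(NULL, 0);
            if (now >= T_KERNEL_WDT && use_hw && now % 10 == 0)
                hw_wdt_kick();   /* the Linux watchdog driver has taken over */
        }
        if ((uefi_deadline && now >= uefi_deadline) || (hw_deadline && now >= hw_deadline))
            return now;
    }
    return 0;
}

int main(void)
{
    printf("UEFI wdt only, hang after ExitBootServices: reset at %llu (0 = never)\n",
           (unsigned long long)run_boot(0, 0, 20));
    printf("HW wdt armed by loader, same hang:          reset at %llu\n",
           (unsigned long long)run_boot(1, 0, 20));
    printf("HW wdt, kernel kicking, hang at 200 s:      reset at %llu\n",
           (unsigned long long)run_boot(1, 0, 200));
    return 0;
}
```

The first scenario is the gap the original question is about: once ExitBootServices() has run, a hang is never caught by the UEFI watchdog, and the 5*60 re-arm only lengthens the budget of the chain-callee up to that call. The hardware watchdog armed by the loader keeps counting through ExitBootServices(), so the same hang resets the machine at 65 s, and after the kernel driver has picked the watchdog up it continues to protect the running system.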
