On Tue, Sep 22, 2020 at 08:59:00AM +0200, Michael Walle wrote:
> Hi,
> 
> Am 2020-09-22 03:18, schrieb Tom Rini:
> > On Mon, Sep 21, 2020 at 10:56:14PM +0200, Michael Walle wrote:
> > > Hi,
> > > 
> [..]
> > > > > >>>      >> called in the bootefi case. So even if I'd do a 
> > > > > >>> workaround and
> > > > > >>>     stop it
> > > > > >>>      >> manually in my board code, I couldn't do that 
> > > > > >>> consistently for
> > > > > >>>      >> bootm/bootefi.
> > > > > >>>      >>
> > > > > >>>      >> Or am I missing something here?
> > > > > >>>      >
> > > > > >>>      > Define CONFIG_WATCHDOG.
> > > > > >>>      > This takes care of resetting wdt.
> > > > > >>>
> > > > > >>>     Yes as along as you're inside the bootloader, but when u-boot 
> > > > > >>> hands
> > > > > >>>     control over the OS the watchdog is not serviced anymore; 
> > > > > >>> which wouldn't
> > > > > >>>     be a problem per se, but it is enabled unconditionally by 
> > > > > >>> u-boot.
> > > > > >>>
> > > > > >>>
> > > > > >>> Just to add some data. At $dayjob we use this behaviour as a 
> > > > > >>> failsafe to
> > > > > >>> make sure our userspace gets to a point where it is servicing the
> > > > > >>> watchdog.
> > > > > >>
> > > > > >> Yes, this is exactly how this is supposed to work AFAIK.
> > > > > >>
> > > > > >> Michael, are you sure that the watchdog was disabled in U-Boot when
> > > > > >> booting into the OS before this patch?
> > > > > >>
> > > > > >>> That said having a leave-wdt-running environment variable would 
> > > > > >>> work for
> > > > > >>> our use case.
> > > > > >>
> > > > > >> I would rather use it the other way around. Something like 
> > > > > >> "wdt-stop-
> > > > > >> pre-os" to optionally stop the WDT before booting into the OS.
> > > > > >>
> > > > > >> Remark:
> > > > > >> IMHO, if you don't use the WDT in the OS, it does not make much 
> > > > > >> sense
> > > > > >> to enable the WDT in U-Boot.
> > > > > >
> > > > > > Yes, we need to be very careful about making it so that a watchdog 
> > > > > > is
> > > > > > disabled and not re-enabled before moving on for a whole bunch of
> > > > > > reasons.  And the best option would be to just disable the watchdog 
> > > > > > if
> > > > > > it won't be used while the device is running the OS.
> > > > > >
> > > > >
> > > > > The requirement of the UEFI specification is that if booting fails a
> > > > > system should reset after five minutes by default. We ensure this in
> > > > > the
> > > > > UEFI sub-system before ExitBootServices() using an EFI timer event.
> > > > >
> > > > > In the UEFI sub-system we currently call in ExitBootServices():
> > > > >
> > > > >         efi_set_watchdog(0); /* this disables the EFI timer */
> > > > >         WATCHDOG_RESET();
> > > > >
> > > > > Is there any requirement to do more?
> > > >
> > > > For EFI or ?  What I'm saying is that the watchdog must be left running
> > > > and not stopped, if we either:
> > > > - Came in to the world with the watchdog running AND were not
> > > >   specifically told to disable the watching.
> > > > - Came in to the world and were told to enable a watchdog.
> > > 
> > > My reason to start this thread was the fact that a watchdog is started
> > > by default in a generic way (i.e. initr_watchdog()) but there is _no_
> > > way to disable it. I'm having a minimal board configuration and I want
> > 
> > OK, but why is CONFIG_WDT enabled if you don't want to use the watchdog?
> 
> I guess we agree, that there are good reasons to have watchdog support in
> the bootloader (and even to keep in on before starting an OS). Think of
> tailored embedded operating systems for a specifc use case.
> In fact, for my board, the initial watchdog might even be enabled before
> u-boot and supervises the bootloader startup and switches to a failsafe
> image in case of an error. Thus, there is also a handy command "wdt
> expire 1" to restart into that image manually.
> 
> OTOH, I really want to support generic distributions which doesn't know
> anything about an already running watchdog.
> 
> Oh and I want the user to be able to install and boot a distribution
> without any change to the bootloader environment. Therefore, the
> default for this board has to be "watchdog disabled before booting
> OS". Like I said, I'm fine with having a
>   #define ENV "disable-wdt-pre-os"
> in the board configuration.

The next question I have, and I didn't see a good answer to yet in a
quick search is, how does this work out on x86 server hardware?  Are you
supposed to disable the watchdog before installing there too?

But all that said, since we have "wdt stop", perhaps you can find a
place to put that in the boot script?  Or just declare that if we get
far enough to run preboot cmd then it's good enough, and update your
call to "wdt expire 1" to be "wdt start && wdt expire 1" ?

-- 
Tom

Attachment: signature.asc
Description: PGP signature

Reply via email to