On 1/20/26 16:52, Tom Rini wrote:
> On Tue, Jan 20, 2026 at 04:12:27PM +0100, Casey Connolly wrote:
>
>> On 20/01/2026 11:01, Heinrich Schuchardt wrote:
>>> On 1/20/26 10:33, Mark Kettenis wrote:
>>>>> From: Casey Connolly <[email protected]>
>>>>> Date: Mon, 19 Jan 2026 22:09:25 +0100
>>>>>
>>>>> Hardware watchdogs don't currently get stopped as part of
>>>>> ExitBootServices, this can result in resets during boot if the OS
>>>>> doesn't have a driver for the watchdog, or if the driver isn't loaded
>>>>> in time.
>>>>>
>>>>> As with the EFI watchdog, stop any hardware watchdogs as well.
>>>>
>>>> This has been discussed before and rejected on the grounds that this
>>>> defeats the purpose of the watchdog.  I think there was some consensus
>>>> that an OS that doesn't have a driver for the watchdog or doesn't load
>>>> it in time is broken.  Some folks also pointed out that on some
>>>> platforms it isn't possible to disable the watchdog.
>>>>
>>>> Ultimately, I think EFI needs an API to control the hardware watchdog,
>>>> such that an OS doesn't need a driver.
>>>
>>> The hardware watchdog interrupting an OS if it is hanging is intended
>>> behavior. It is required for recovering from a failed capsule update.
>>>
>>> Some watchdog timers have a maximum timeout that is too short for
>>> booting (e.g. 16s on some Sunxi boards). To avoid resets these options
>>> are available:
>>>
>>> * Set CONFIG_WATCHDOG_AUTOSTART=n.
>>> * Use device-tree property u-boot,noautostart.
>>> * Use the `wdt stop` command in PREBOOT.
>>
>> Hmm, thanks for the suggestions. I considered doing this in some
>> platform-specific way, but I don't think it's correct for U-Boot's
>> default behaviour to leave watchdogs enabled, I haven't gone digging
>> through the EFI spec but I would imagine it's not EFI compliant either?
>
> We've had some long discussions about this in the past. It's very much
> intentional that U-Boot leaves watchdogs running. As Heinrich noted (and
> is a summary of the older threads) some hardware doesn't even let you
> disable a watchdog. But it otherwise defeats the purpose of one to turn
> it off. Part of my feedback before was that the EFI spec needs to be
> addressed if it can't handle this correctly.


The UEFI specification explicitly requires a 5 min watchdog to be enabled when starting an EFI binary. It should be disabled when returning to the boot manager. See chapter 7.5.1 EFI_BOOT_SERVICES.SetWatchdogTimer().

In 7.4.6 EFI_BOOT_SERVICES.ExitBootServices() the specification requires that "the boot services watchdog timer is disabled".

Both have been implemented in U-Boot as a software watchdog because some hardware watchdogs don't support 5 min intervals.

A watchdog for the phase after ExitBootServices() is not described.

Setting CONFIG_WATCHDOG_AUTOSTART=n would comply with the specification.

Best regards

Heinrich
