u-boot leaves watchdog enabled by default

Michael Walle michael at walle.cc
Tue Sep 22 15:18:58 CEST 2020


Hi,

Am 2020-09-22 14:36, schrieb Tom Rini:
> On Tue, Sep 22, 2020 at 08:59:00AM +0200, Michael Walle wrote:
>> Hi,
>> 
>> Am 2020-09-22 03:18, schrieb Tom Rini:
>> > On Mon, Sep 21, 2020 at 10:56:14PM +0200, Michael Walle wrote:
>> > > Hi,
>> > >
>> [..]
>> > > > > >>>      >> called in the bootefi case. So even if I'd do a workaround and
>> > > > > >>>     stop it
>> > > > > >>>      >> manually in my board code, I couldn't do that consistently for
>> > > > > >>>      >> bootm/bootefi.
>> > > > > >>>      >>
>> > > > > >>>      >> Or am I missing something here?
>> > > > > >>>      >
>> > > > > >>>      > Define CONFIG_WATCHDOG.
>> > > > > >>>      > This takes care of resetting wdt.
>> > > > > >>>
>> > > > > >>>     Yes as along as you're inside the bootloader, but when u-boot hands
>> > > > > >>>     control over the OS the watchdog is not serviced anymore; which wouldn't
>> > > > > >>>     be a problem per se, but it is enabled unconditionally by u-boot.
>> > > > > >>>
>> > > > > >>>
>> > > > > >>> Just to add some data. At $dayjob we use this behaviour as a failsafe to
>> > > > > >>> make sure our userspace gets to a point where it is servicing the
>> > > > > >>> watchdog.
>> > > > > >>
>> > > > > >> Yes, this is exactly how this is supposed to work AFAIK.
>> > > > > >>
>> > > > > >> Michael, are you sure that the watchdog was disabled in U-Boot when
>> > > > > >> booting into the OS before this patch?
>> > > > > >>
>> > > > > >>> That said having a leave-wdt-running environment variable would work for
>> > > > > >>> our use case.
>> > > > > >>
>> > > > > >> I would rather use it the other way around. Something like "wdt-stop-
>> > > > > >> pre-os" to optionally stop the WDT before booting into the OS.
>> > > > > >>
>> > > > > >> Remark:
>> > > > > >> IMHO, if you don't use the WDT in the OS, it does not make much sense
>> > > > > >> to enable the WDT in U-Boot.
>> > > > > >
>> > > > > > Yes, we need to be very careful about making it so that a watchdog is
>> > > > > > disabled and not re-enabled before moving on for a whole bunch of
>> > > > > > reasons.  And the best option would be to just disable the watchdog if
>> > > > > > it won't be used while the device is running the OS.
>> > > > > >
>> > > > >
>> > > > > The requirement of the UEFI specification is that if booting fails a
>> > > > > system should reset after five minutes by default. We ensure this in
>> > > > > the
>> > > > > UEFI sub-system before ExitBootServices() using an EFI timer event.
>> > > > >
>> > > > > In the UEFI sub-system we currently call in ExitBootServices():
>> > > > >
>> > > > >         efi_set_watchdog(0); /* this disables the EFI timer */
>> > > > >         WATCHDOG_RESET();
>> > > > >
>> > > > > Is there any requirement to do more?
>> > > >
>> > > > For EFI or ?  What I'm saying is that the watchdog must be left running
>> > > > and not stopped, if we either:
>> > > > - Came in to the world with the watchdog running AND were not
>> > > >   specifically told to disable the watching.
>> > > > - Came in to the world and were told to enable a watchdog.
>> > >
>> > > My reason to start this thread was the fact that a watchdog is started
>> > > by default in a generic way (i.e. initr_watchdog()) but there is _no_
>> > > way to disable it. I'm having a minimal board configuration and I want
>> >
>> > OK, but why is CONFIG_WDT enabled if you don't want to use the watchdog?
>> 
>> I guess we agree, that there are good reasons to have watchdog support 
>> in
>> the bootloader (and even to keep in on before starting an OS). Think 
>> of
>> tailored embedded operating systems for a specifc use case.
>> In fact, for my board, the initial watchdog might even be enabled 
>> before
>> u-boot and supervises the bootloader startup and switches to a 
>> failsafe
>> image in case of an error. Thus, there is also a handy command "wdt
>> expire 1" to restart into that image manually.
>> 
>> OTOH, I really want to support generic distributions which doesn't 
>> know
>> anything about an already running watchdog.
>> 
>> Oh and I want the user to be able to install and boot a distribution
>> without any change to the bootloader environment. Therefore, the
>> default for this board has to be "watchdog disabled before booting
>> OS". Like I said, I'm fine with having a
>>   #define ENV "disable-wdt-pre-os"
>> in the board configuration.
> 
> The next question I have, and I didn't see a good answer to yet in a
> quick search is, how does this work out on x86 server hardware?  Are 
> you
> supposed to disable the watchdog before installing there too?

I can only guess here, but there seems to be no watchdog driver support
at all (i.e. there are no wdt modules available).

> But all that said, since we have "wdt stop", perhaps you can find a
> place to put that in the boot script?  Or just declare that if we get
> far enough to run preboot cmd then it's good enough, and update your
> call to "wdt expire 1" to be "wdt start && wdt expire 1" ?

"wdt expire 1" will automatically start the watchdog, won't it? Anyway,
it was just an example why I need the CONFIG_WDT.

Just to get your opinion correct on this topic: you say as soon as the
CONFIG_WDT is enabled u-boot will start it and never stop it, although
CONFIG_WDT is just "Enable driver model watchdog timer drivers" and the
help text is just about that, too.

IMHO it is wrong to enable the watchdog together with that option. There
should be another one (even defaulting to 'yes') which tells u-boot 
whether
it should be enabled by default.

config WDT_AUTOSTART
    boot "Start the (first) watchdog by default"
    default y
    help
      Upon u-boot startup the first watchdog will be started 
automatically.
      Be aware, that it will also kept enabled after the bootloader 
starts
      the operation system!

-michael


More information about the U-Boot mailing list