[PATCH v2] efi: stop hw watchdog during EBS

Tue Jan 20 16:45:22 CET 2026

On 1/20/26 16:12, Casey Connolly wrote:
> 
> 
> On 20/01/2026 11:01, Heinrich Schuchardt wrote:
>> On 1/20/26 10:33, Mark Kettenis wrote:
>>>> From: Casey Connolly <casey.connolly at linaro.org>
>>>> Date: Mon, 19 Jan 2026 22:09:25 +0100
>>>>
>>>> Hardware watchdogs don't currently get stopped as part of
>>>> ExitBootServices, this can result in resets during boot if the OS
>>>> doesn't have a driver for the watchdog, or if the driver isn't loaded
>>>> in time.
>>>>
>>>> As with the EFI watchdog, stop any hardware watchdogs as well.
>>>
>>> This has been discussed before and rejected on the grounds that this
>>> defeats the purpose of the watchdog.  I think there was some consensus
>>> that an OS that doesn't have a driver for the watchdog or doesn't load
>>> it in time is broken.  Some folks also pointed out that on some
>>> platforms it isn't possible to disable the watchdog.
>>>
>>> Ultimately, I think EFI needs an API to control the hardware watchdog,
>>> such that an OS doesn't need a driver.
>>
>> The hardware watchdog interrupting an OS if it is hanging is intended
>> behavior. It is required for recovering from a failed capsule update.
>>
>> Some watchdog timers have a maximum timeout that is too short for
>> booting (e.g. 16s on some Sunxi boards). To avoid resets these options
>> are available:
>>
>> * Set CONFIG_WATCHDOG_AUTOSTART=n.
>> * Use device-tree property u-boot,noautostart.
>> * Use the `wdt stop` command in PREBOOT.
> 
> Hmm, thanks for the suggestions. I considered doing this in some
> platform-specific way, but I don't think it's correct for U-Boot's
> default behaviour to leave watchdogs enabled, I haven't gone digging
> through the EFI spec but I would imagine it's not EFI compliant either?
> 
> I can totally understand why it would be desirable to leave the watchdog
> enabled, but I think boards that want/need that should have to opt-in
> rather than it being the upstream default.
> 
> Would you be ok with adding a new config option:
> CONFIG_WATCHDOG_LEAVE_ENABLED or something along those lines? I'd rather
> avoid adding platform-specific workarounds to U-Boot's default behaviour
> like this.>

Why does CONFIG_WATCHDOG_AUTOSTART=n not work for your specific hardware?

Best regards

Heinrich

>> Best regards
>>
>> Heinrich
>>
>>>
>>>> Signed-off-by: Casey Connolly <casey.connolly at linaro.org>
>>>> ---
>>>> Changes in v2:
>>>> * Fix compilation when CONFIG_WATCHDOG is disabled.
>>>>
>>>> ---
>>>>    lib/efi_loader/efi_boottime.c | 3 +++
>>>>    1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/
>>>> efi_boottime.c
>>>> index ddc935d22409..c34616db578a 100644
>>>> --- a/lib/efi_loader/efi_boottime.c
>>>> +++ b/lib/efi_loader/efi_boottime.c
>>>> @@ -21,8 +21,9 @@
>>>>    #include <time.h>
>>>>    #include <u-boot/crc.h>
>>>>    #include <usb.h>
>>>>    #include <watchdog.h>
>>>> +#include <wdt.h>
>>>>    #include <asm/global_data.h>
>>>>    #include <linux/libfdt_env.h>
>>>>      DECLARE_GLOBAL_DATA_PTR;
>>>> @@ -2263,8 +2264,10 @@ static efi_status_t EFIAPI
>>>> efi_exit_boot_services(efi_handle_t image_handle,
>>>>        efi_update_table_header_crc32(&systab.hdr);
>>>>          /* Give the payload some time to boot */
>>>>        efi_set_watchdog(0);
>>>> +    if (CONFIG_IS_ENABLED(WDT))
>>>> +        wdt_stop_all();
>>>>        schedule();
>>>>    out:
>>>>        if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) {
>>>>            if (ret != EFI_SUCCESS)
>>>> -- 
>>>> 2.52.0
>>>>
>>>>
>>
> 