[PATCH v2] efi: stop hw watchdog during EBS

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Tue Jan 20 17:08:53 CET 2026


On 1/20/26 16:52, Tom Rini wrote:
> On Tue, Jan 20, 2026 at 04:12:27PM +0100, Casey Connolly wrote:
>>
>>
>> On 20/01/2026 11:01, Heinrich Schuchardt wrote:
>>> On 1/20/26 10:33, Mark Kettenis wrote:
>>>>> From: Casey Connolly <casey.connolly at linaro.org>
>>>>> Date: Mon, 19 Jan 2026 22:09:25 +0100
>>>>>
>>>>> Hardware watchdogs don't currently get stopped as part of
>>>>> ExitBootServices, this can result in resets during boot if the OS
>>>>> doesn't have a driver for the watchdog, or if the driver isn't loaded
>>>>> in time.
>>>>>
>>>>> As with the EFI watchdog, stop any hardware watchdogs as well.
>>>>
>>>> This has been discussed before and rejected on the grounds that this
>>>> defeats the purpose of the watchdog.  I think there was some consensus
>>>> that an OS that doesn't have a driver for the watchdog or doesn't load
>>>> it in time is broken.  Some folks also pointed out that on some
>>>> platforms it isn't possible to disable the watchdog.
>>>>
>>>> Ultimately, I think EFI needs an API to control the hardware watchdog,
>>>> such that an OS doesn't need a driver.
>>>
>>> The hardware watchdog interrupting an OS if it is hanging is intended
>>> behavior. It is required for recovering from a failed capsule update.
>>>
>>> Some watchdog timers have a maximum timeout that is too short for
>>> booting (e.g. 16s on some Sunxi boards). To avoid resets these options
>>> are available:
>>>
>>> * Set CONFIG_WATCHDOG_AUTOSTART=n.
>>> * Use device-tree property u-boot,noautostart.
>>> * Use the `wdt stop` command in PREBOOT.
>>
>> Hmm, thanks for the suggestions. I considered doing this in some
>> platform-specific way, but I don't think it's correct for U-Boot's
>> default behaviour to leave watchdogs enabled, I haven't gone digging
>> through the EFI spec but I would imagine it's not EFI compliant either?
> 
> We've had some long discussions about this in the past. It's very much
> intentional that U-Boot leaves watchdogs running. As Heinrich noted (and
> is a summary of the older threads) some hardware doesn't even let you
> disable a watchdog. But it otherwise defeats the purpose of one to turn
> it off. Part of my feedback before was that the EFI spec needs to be
> addressed if it can't handle this correctly.
> 

The UEFI specification explicitly requires a 5 min watchdog to be 
enabled when starting an EFI binary. It should be disabled when 
returning to the boot manager. See chapter 7.5.1 
EFI_BOOT_SERVICES.SetWatchdogTimer().

In 7.4.6 EFI_BOOT_SERVICES.ExitBootServices() the specification requires 
that "the boot services watchdog timer is disabled".

Both have been implemented in U-Boot as a software watchdog because 
some hardware watchdogs don't support 5 min intervals.

A watchdog for the phase after ExitBootServices() is not described.

Setting CONFIG_WATCHDOG_AUTOSTART=n would comply with the specification.

Best regards

Heinrich