On 18. 02. 19 08:12, Oleksij Rempel wrote:
+A watchdog is the last line of defense on misbehaving systems. Thus, proper
+hardware and watchdog design considerations should be made to be able to reduce
+the impact of failing systems in the field. In the best case, the bootloader
+should not touch it at all. No watchdog feeding should be done until
+application-critical software (or a userspace service manager such as
+'systemd') was started.
+
+In case the bootloader is responsible for watchdog activation, the system can
+be considered as failed by design.
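Review bot: the closing sentence "the system can be considered as failed by design" is an unqualified verdict that the hunk gives no rationale for; either drop it or say what it stands for, for instance that nothing supervises the system between reset and the moment the bootloader activates the watchdog, which is why the first paragraph wants the bootloader to leave the watchdog alone. The recommendation the two paragraphs imply, that the watchdog is armed by hardware out of reset rather than by software, is never stated explicitly and should be. Minor wording in the first paragraph: "was started" should read "has been started", and 'systemd' needs no quotes.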

I think this is too strongly worded and I would leave out this last sentence. It seems arrogant for documentation to judge what is "failed by design" like this, without considering any other requirements for a system.

Such a "failed" watchdog is still better than no watchdog in many cases and sometimes it's the only option, as the text in later paragraphs explains. The paragraph above already recommends that in the ideal case the bootloader shouldn't touch the watchdog. I think that is enough.

Also, as far as I know, the Linux kernel will feed the watchdog on a kernel timer during boot and until a userspace process grabs /dev/watchdog. So based on this basically all systems based on Linux are already a failed design.

Best regards
Tomaž
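As an added illustration of the behaviour described above, not code from the thread or from barebox: a minimal Linux userspace watchdog feeder. Once a process opens /dev/watchdog the kernel stops feeding the hardware on its own, so the process must feed it, and the point of the quoted documentation is that it should do so only while the application-critical software is actually alive. The `struct health` fields, the thresholds and the file path are constructed for this example; a real service would check its own liveness. It relies only on the documented write semantics of the watchdog character device (any byte other than 'V' is a keepalive, 'V' before close requests the magic-close disarm).

```c
/*
 * Added example, not part of the original thread or the barebox patch.
 * Minimal userspace watchdog feeder: opens /dev/watchdog (which stops the
 * kernel's own feeding) and feeds it only while a health check passes.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed picture of the "application-critical software" state. */
struct health {
    int service_started;     /* 1 once the critical service is up */
    int heartbeat_age_s;     /* seconds since its last heartbeat */
    int max_heartbeat_age_s; /* tolerated silence before we stop feeding */
};

/* Feed only when the critical service is up and still heartbeating;
 * otherwise withhold the feed and let the watchdog reset the system. */
int should_feed(const struct health *h)
{
    if (!h->service_started)
        return 0;
    return h->heartbeat_age_s <= h->max_heartbeat_age_s;
}

/* Open the device. From this point the kernel no longer feeds it for us.
 * Returns -1 (errno set) if the device is absent, e.g. no driver bound. */
int wd_open(const char *path)
{
    return open(path, O_WRONLY);
}

/* Any byte other than 'V' written to the device counts as a keepalive. */
int wd_feed(int fd)
{
    return write(fd, "\0", 1) == 1 ? 0 : -1;
}

/* Writing 'V' before close requests the "magic close" disarm; drivers
 * built with nowayout keep the watchdog running regardless. */
int wd_close(int fd, int disarm)
{
    if (disarm && write(fd, "V", 1) != 1)
        return -1;
    return close(fd);
}

/* One decision round: returns 1 if the watchdog was fed, 0 if withheld
 * (health check failed or the write failed). */
int feed_round(int fd, const struct health *h)
{
    if (!should_feed(h))
        return 0;
    return wd_feed(fd) == 0;
}

int main(void)
{
    /* Constructed state: service is up, heartbeat fresh, 5 s tolerance. */
    struct health h = { .service_started = 1, .heartbeat_age_s = 0,
                        .max_heartbeat_age_s = 5 };
    int fd = wd_open("/dev/watchdog");
    if (fd < 0) {
        fprintf(stderr, "open /dev/watchdog: %s\n", strerror(errno));
        return 1;
    }
    for (int i = 0; i < 10; i++) {
        printf("round %d: %s\n", i, feed_round(fd, &h) ? "fed" : "withheld");
        sleep(1);
        h.heartbeat_age_s++; /* no heartbeat arrives in this demo, so after
                                5 rounds feeding stops and a reset follows */
    }
    return wd_close(fd, 1) == 0 ? 0 : 1;
}
```

Run as root on a board with a watchdog driver bound; on a machine without /dev/watchdog it exits with an error instead of pretending to supervise anything. The decision logic lives in `should_feed` so that it can be unit-tested without hardware.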

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
