The TCO watchdog is unconditionally integrated into the Q35 machine type by default, but at the same time is unconditionally disabled from firing by a host config option that overrides guest OS attempts to enable it. People have to know to set a magic -global to make it non-broken
IOW we're exposing a broken watchdog by default to all Q35 machines, but which to the guest OS & its apps looks fully functional :-( This behaviour was set in response to feedback from Michael: https://lists.gnu.org/archive/html/qemu-devel/2015-06/msg07128.html "I think sample high is a safer default." but as explained in the commit message in the last patch, I think the watchdog defaults were already safe without that pin strap setting. The guest OS needs to take explicit action to clear the guest visible 'no reboot' flag, and so we don't need a second guest hidden 'no reboot' flag to override that choice IMHO. Am I missing something ? NB, I'm toggling this for 7.2 machine type since that's the current git latest machine. Since this has already been "broken" for 7 years though, I am ambivalent about whether we try todo this for 7.2, vs just wait until the 8.0 machine types arrive. Daniel P. Berrangé (4): hw/acpi: add trace events for TCO watchdog register access hw/isa: add trace events for ICH9 LPC chip config access hw/watchdog: add trace events for watchdog action handling hw/isa: enable TCO watchdog reboot pin strap by default hw/acpi/tco.c | 41 +++++++++++++++++++++++++++------------- hw/acpi/trace-events | 2 ++ hw/i386/pc.c | 4 +++- hw/isa/lpc_ich9.c | 5 ++++- hw/isa/trace-events | 4 ++++ hw/watchdog/trace-events | 4 ++++ hw/watchdog/watchdog.c | 4 ++++ tests/qtest/tco-test.c | 2 +- 8 files changed, 50 insertions(+), 16 deletions(-) -- 2.37.3
