On 20/01/2026 11:01, Heinrich Schuchardt wrote:
> On 1/20/26 10:33, Mark Kettenis wrote:
>>> From: Casey Connolly <[email protected]>
>>> Date: Mon, 19 Jan 2026 22:09:25 +0100
>>>
>>> Hardware watchdogs don't currently get stopped as part of
>>> ExitBootServices; this can result in resets during boot if the OS
>>> doesn't have a driver for the watchdog, or if the driver isn't loaded
>>> in time.
>>>
>>> As with the EFI watchdog, stop any hardware watchdogs as well.
>>
>> This has been discussed before and rejected on the grounds that this
>> defeats the purpose of the watchdog.  I think there was some consensus
>> that an OS that doesn't have a driver for the watchdog or doesn't load
>> it in time is broken.  Some folks also pointed out that on some
>> platforms it isn't possible to disable the watchdog.
>>
>> Ultimately, I think EFI needs an API to control the hardware watchdog,
>> such that an OS doesn't need a driver.
> 
> The hardware watchdog interrupting an OS if it is hanging is intended
> behavior. It is required for recovering from a failed capsule update.
> 
> Some watchdog timers have a maximum timeout that is too short for
> booting (e.g. 16s on some Sunxi boards). To avoid resets these options
> are available:
> 
> * Set CONFIG_WATCHDOG_AUTOSTART=n.
> * Use device-tree property u-boot,noautostart.
> * Use the `wdt stop` command in PREBOOT.

Hmm, thanks for the suggestions. I considered doing this in some
platform-specific way, but I don't think it's correct for U-Boot's
default behaviour to leave watchdogs enabled. I haven't gone digging
through the EFI spec but I would imagine it's not EFI compliant either?

I can totally understand why it would be desirable to leave the watchdog
enabled, but I think boards that want/need that should have to opt-in
rather than it being the upstream default.

Would you be ok with adding a new config option:
CONFIG_WATCHDOG_LEAVE_ENABLED or something along those lines? I'd rather
avoid adding platform-specific workarounds to U-Boot's default behaviour
like this.

> Best regards
> 
> Heinrich
> 
>>
>>> Signed-off-by: Casey Connolly <[email protected]>
>>> ---
>>> Changes in v2:
>>> * Fix compilation when CONFIG_WATCHDOG is disabled.
>>>
>>> ---
>>>   lib/efi_loader/efi_boottime.c | 3 +++
>>>   1 file changed, 3 insertions(+)
>>>
>>> diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/
>>> efi_boottime.c
>>> index ddc935d22409..c34616db578a 100644
>>> --- a/lib/efi_loader/efi_boottime.c
>>> +++ b/lib/efi_loader/efi_boottime.c
>>> @@ -21,8 +21,9 @@
>>>   #include <time.h>
>>>   #include <u-boot/crc.h>
>>>   #include <usb.h>
>>>   #include <watchdog.h>
>>> +#include <wdt.h>
>>>   #include <asm/global_data.h>
>>>   #include <linux/libfdt_env.h>
>>>     DECLARE_GLOBAL_DATA_PTR;
>>> @@ -2263,8 +2264,10 @@ static efi_status_t EFIAPI
>>> efi_exit_boot_services(efi_handle_t image_handle,
>>>       efi_update_table_header_crc32(&systab.hdr);
>>>         /* Give the payload some time to boot */
>>>       efi_set_watchdog(0);
>>> +    if (CONFIG_IS_ENABLED(WDT))
>>> +        wdt_stop_all();
>>>       schedule();
>>>   out:
>>>       if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) {
>>>           if (ret != EFI_SUCCESS)
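Review bot: The wdt_stop_all() call added after efi_set_watchdog(0) runs on every ExitBootServices whenever WDT is enabled, with no way for a board to opt out, and any failure from it goes unchecked. A board that depends on the hardware watchdog staying armed into the OS (the failed capsule update recovery case raised in this thread) loses that protection silently, and on a platform where the watchdog cannot be stopped nothing is reported. Suggest gating the call on a dedicated Kconfig option and logging when the stop does not succeed. The comment "Give the payload some time to boot" should also be extended to say that hardware watchdogs are stopped here, not just the EFI one. The v2 changelog mentions CONFIG_WATCHDOG while the guard tests WDT; please confirm that is the intended symbol.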
>>> -- 
>>> 2.52.0
>>>
>>>
> 

-- 
// Casey (she/her)
