On Tue, 20 Jan 2026 at 18:08, Heinrich Schuchardt
<[email protected]> wrote:
>
> On 1/20/26 16:52, Tom Rini wrote:
> > On Tue, Jan 20, 2026 at 04:12:27PM +0100, Casey Connolly wrote:
> >>
> >>
> >> On 20/01/2026 11:01, Heinrich Schuchardt wrote:
> >>> On 1/20/26 10:33, Mark Kettenis wrote:
> >>>>> From: Casey Connolly <[email protected]>
> >>>>> Date: Mon, 19 Jan 2026 22:09:25 +0100
> >>>>>
> >>>>> Hardware watchdogs don't currently get stopped as part of
> >>>>> ExitBootServices, this can result in resets during boot if the OS
> >>>>> doesn't have a driver for the watchdog, or if the driver isn't loaded
> >>>>> in time.
> >>>>>
> >>>>> As with the EFI watchdog, stop any hardware watchdogs as well.
> >>>>
> >>>> This has been discussed before and rejected on the grounds that this
> >>>> defeats the purpose of the watchdog.  I think there was some consensus
> >>>> that an OS that doesn't have a driver for the watchdog or doesn't load
> >>>> it in time is broken.  Some folks also pointed out that on some
> >>>> platforms it isn't possible to disable the watchdog.
> >>>>
> >>>> Ultimately, I think EFI needs an API to control the hardware watchdog,
> >>>> such that an OS doesn't need a driver.
> >>>
> >>> The hardware watchdog interrupting an OS if it is hanging is intended
> >>> behavior. It is required for recovering from a failed capsule update.
> >>>
> >>> Some watchdog timers have a maximum timeout that is too short for
> >>> booting (e.g. 16s on some Sunxi boards). To avoid resets these options
> >>> are available:
> >>>
> >>> * Set CONFIG_WATCHDOG_AUTOSTART=n.
> >>> * Use device-tree property u-boot,noautostart.
> >>> * Use the `wdt stop` command in PREBOOT.
> >>
> >> Hmm, thanks for the suggestions. I considered doing this in some
> >> platform-specific way, but I don't think it's correct for U-Boot's
> >> default behaviour to leave watchdogs enabled, I haven't gone digging
> >> through the EFI spec but I would imagine it's not EFI compliant either?
> >
> > We've had some long discussions about this in the past. It's very much
> > intentional that U-Boot leaves watchdogs running. As Heinrich noted (and
> > is a summary of the older threads) some hardware doesn't even let you
> > disable a watchdog. But it otherwise defeats the purpose of one to turn
> > it off. Part of my feedback before was that the EFI spec needs to be
> > addressed if it can't handle this correctly.
> >
>
> The UEFI specification explicitly requires a 5 min watchdog to be
> enabled when starting an EFI binary. It should be disabled when
> returning to the boot manager. See chapter 7.5.1
> EFI_BOOT_SERVICES.SetWatchdogTimer().
>
> In 7.4.6 EFI_BOOT_SERVICES.ExitBootServices() the specification requires
> that "the boot services watchdog timer is disabled".
>
> Both have been implemented in U-Boot as a software watchdog because
> some hardware watchdogs don't support 5 min intervals.
>
> A watchdog for the phase after ExitBootServices() is not described.
>
> Setting CONFIG_WATCHDOG_AUTOSTART=n would comply with the specification.

I think both approaches have pros and cons.
There's a small period of time between the EFI stub (at least for
Linux) calling EBS and the OS taking over, loading a watchdog driver
and setting up keepalives.
Keeping the watchdog enabled will obviously revive the board if
something goes wrong between EBS and loading the driver. OTOH, if the
hardware watchdog doesn't support big intervals between keepalives,
you might end up rebooting for no reason. As you all mentioned, this
has been discussed extensively, so I agree not to change the current
behavior after all.

Regards
/Ilias
>
> Best regards
>
> Heinrich