On 6/29/21 12:48 PM, François Ozog wrote:
Hi
Following a discussion with Civil Infrastructure Project TSC, there is a watchdog protection issue with EFI: the time between the call to ExitBootService and Linux kernel takes over watchdog service is not covered by any watchdog protection.
The UEFI specification requires a watchdog. So this must be an implementation specific problem. Which firmware-hardware combination are you referring to?
U-Boot provides hardware watchdogs.
Before ExitBootServices() we use a timer event to implement a software watchdog (defaulting to the five minute interval required by the UEFI spec).
When booting via UEFI we check timer events and reset the hardware watchdog whenever either of the following services is called before ExitBootServices():
* RestoreTpl() * WaitForEvent() * CheckEvent() * Stall() * EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL.ReadKeyStrokeEx() * EFI_SIMPLE_TEXT_INPUT_PROTOCOL.ReadKeyStroke() * EFI_SIMPLE_NETWORK_PROTOCOL.GetStatus() * EFI_SIMPLE_NETWORK_PROTOCOL.Transmit() * EFI_SIMPLE_NETWORK_PROTOCOL.Receive()
Between ExitBootServices() and Linux booting the hardware watchdog is not reset. So it should kick in if customized.
On some systems the hardware watchdog was disabled because the longest supported timeout was too short to boot Linux successfully.
Relevant customizing settings include:
CONFIG_WDT - Enable driver model for watchdog timer drivers CONFIG_HW_WATCHDOG
Best regards
Heinrich
The EFI specification for BS.SetWatchdogTimer is very flexible as it states "perform a platform specific action that must eventually cause the platform to be reset.".
So we could naively implement a solution that would arm platform hardware watchdog in addition to EFI timer. Assuming watchdog period is long enough that it cover the time for Linux to take over the hardware watchdog, there is nothing to be done in EFI Stub to benefit from the new protection.
But this scheme fails to handle FF-A update capsules which can take a long time. So either the period is long enough to support that or we need a FF-A watchdog service. Based on Siemens feedback, time to update can last 20 minutes. StandAloneMM may also need such a protection so FF-A watchdog service seems desired.
I'd be happy to receive feedback on the problem itself (watchdog in EFI) and on the possible solution (FF-A based).
Cheers
FF _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture