Watchdog drivers support

dmitri....@litmusautomation.com

Jan 31, 2018, 4:06:14 PM
to EFI Boot Guard
Hi,

We build images with the Yocto project for several different platforms including VMware, and I'm trying to use efibootguard + swupdate for handling firmware updates. However, I'm having trouble with the watchdog driver not being found. So, is there a way to have support for a generic driver? Something like `softdog` that can be used on platforms with no hardware watchdog.

Regards,
-Dmitri

Jan Kiszka

Jan 31, 2018, 4:18:17 PM
to dmitri....@litmusautomation.com, EFI Boot Guard
Is VMware a testing or production target? In the former case, adding
some null watchdog might be fine (with a big-fat warning). In the latter
case, you need to study if there is any virtual watchdog support on
VMware and write some driver. QEMU/KVM does have this, and efi-bootguard
supports that.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

dmitri....@litmusautomation.com

Jan 31, 2018, 8:19:42 PM
to EFI Boot Guard
Jan,

I did some searching around and indeed, qemu/kvm have a virtual watchdog driver that simulates i6300ESB. I could not find any notion of a watchdog driver in VMware though.

Here is what I'm thinking though:

1. We could add support for the software watchdog that is available from the kernel. I don't like this approach since the driver needs to be compiled into the kernel and it will likely override all other drivers, giving the implementor a false sense of security.

2. Add an option to `efibootguard` to disable watchdog activation and then re-enable it later from user space if supported hardware is detected. That would cover our use case when availability of watchdog hardware is unknown. This way we would be able to support a wide range of hardware and gradually add support for other WD drivers if necessary.

What do you think?

Regards,
-Dmitri

dmitri....@litmusautomation.com

Feb 1, 2018, 1:23:02 AM
to EFI Boot Guard
Jan,

I've just posted a patch that enables booting without a watchdog driver if "watchog=0" is provided as a parameter.

It does not alter the original behavior, and if the timeout is not zero it will fail as expected if no driver is found. However, it provides a way to run without a watchdog to cover additional use cases.

Please let me know if this is something you would include in your code base.

Regards,
-Dmitri

Jan Kiszka

Feb 1, 2018, 1:43:07 AM
to Dmitri Toubelis, efibootguard-dev
[CC list again]

On 2018-02-01 00:47, Dmitri Toubelis wrote:
> Jan,
>
> Thanks for the reply. We use VMware images for internal testing, not for
> production. Right now I'm trying to figure out to what kernel modules
> those drivers that you currently support translate. So far I've got
> this:
>
> Intel Quark: CONFIG_ITCO_WDT=y
> Intel i6300esb: CONFIG_I6300ESB_WDT=y
> TCO: CONFIG_IE6XX_WDT=y
>
> (I assume they need to be compiled into the kernel, not loaded as
> modules.)

Nope, modules are fine as well. You just have to ensure that the kernel
driver takes over the watchdog prior to the expiry that efibootguard sets.

>
> Does this sound right? It would be nice to have this somewhere in
> README.

Feel free to send a patch that correlates the watchdog names with the
kernel config switches, and maybe also the hints that i6300esb is
available through QEMU/KVM (makes a nice test case) and that Quark as
well as the i6300esb watchdogs have a no-way-out feature while iTCO does
not (slightly less safe).

Thanks,
Jan

>
> -Dmitri
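
An added example, not part of the thread or of the efibootguard project: a shell check for the user-space side discussed above, reporting whether the running kernel exposes only `softdog` or a hardware watchdog, and whether the kernel driver has `nowayout` set. It assumes `CONFIG_WATCHDOG_SYSFS=y` (so that `/sys/class/watchdog/watchdogN/identity` and `nowayout` exist) and that softdog reports the identity `Software Watchdog`; the function name `wdt_verdict` is hypothetical.

```shell
#!/bin/sh
# Added example: classify the watchdog devices the running kernel exposes.
# Assumption: CONFIG_WATCHDOG_SYSFS=y, so each /sys/class/watchdog/watchdogN/
# directory carries the "identity" and "nowayout" attributes.

# wdt_verdict [ROOT]   (hypothetical helper name)
# Prints one word:
#   none      - no watchdog device is registered
#   software  - only softdog (identity "Software Watchdog") is present
#   stoppable - a hardware watchdog exists, but none has nowayout=1
#   hardened  - at least one hardware watchdog has nowayout=1
wdt_verdict() {
    root="${1:-/sys/class/watchdog}"
    found=0
    hw=0
    locked=0
    for dev in "$root"/watchdog*; do
        # An unmatched glob stays literal and fails this test.
        if [ ! -r "$dev/identity" ]; then
            continue
        fi
        found=1
        identity=$(cat "$dev/identity")
        nowayout=0
        if [ -r "$dev/nowayout" ]; then
            nowayout=$(cat "$dev/nowayout")
        fi
        # softdog is driven by a kernel timer, so it cannot fire once the
        # kernel itself is hung; do not count it as hardware protection.
        if [ "$identity" = "Software Watchdog" ]; then
            continue
        fi
        hw=1
        if [ "$nowayout" = "1" ]; then
            locked=1
        fi
    done
    if [ "$found" -eq 0 ]; then echo none
    elif [ "$hw" -eq 0 ]; then echo software
    elif [ "$locked" -eq 0 ]; then echo stoppable
    else echo hardened
    fi
}

# Stand-alone use: audit the live system, or a directory passed as $1.
wdt_verdict "$@"
```

A result of `none` or `software` on a production image means nothing will reset the board if the kernel hangs after the boot loader hands over.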

dmitri....@litmusautomation.com

Feb 1, 2018, 8:32:37 AM
to EFI Boot Guard
Oh I see now, it is the efi loader that arms the watchdog not the kernel. Makes sense now.

Jan Kiszka

Feb 1, 2018, 8:37:34 AM
to dmitri....@litmusautomation.com, EFI Boot Guard
On 2018-02-01 14:32, dmitri....@litmusautomation.com wrote:
> Oh I see now, it is the efi loader that arms the watchdog not the
> kernel. Makes sense now.

Yes. Otherwise, if the new kernel gets stuck, you're bricked (until a
power cycle).

Jan