On 18.02.19 08:56, Tomaž Šolc wrote:
On 18. 02. 19 08:12, Oleksij Rempel wrote:
+A watchdog is the last line of defense on misbehaving systems. Thus, proper
+hardware and watchdog design considerations should be made to be able to reduce
+the impact of failing systems in the field. In the best case, the bootloader
+should not touch it at all. No watchdog feeding should be done until
+application-critical software (or a userspace service manager such as
+'systemd') was started.
+
+In case the bootloader is responsible for watchdog activation, the system can
+be considered as failed by design.
I think this is too strongly worded and I would leave out this last sentence. It seems
arrogant for documentation to judge what is "failed by design" like this, without
considering any other requirements for a system.
Can you please provide an example of a requirement which can't be considered as bad design?
Such a "failed" watchdog is still better than no watchdog in many cases and sometimes it's
the only option, as the text in later paragraphs explains. The paragraph above already
recommends that in the ideal case the bootloader shouldn't touch the watchdog. I think
that is enough.
Also, as far as I know, the Linux kernel will feed the watchdog on a kernel timer during
boot and until a userspace process grabs /dev/watchdog. So based on this basically all
systems based on Linux are already a failed design.
Correct. The fact that it is enabled by default in the kernel does not mean it was a good decision.
Kind regards,
Oleksij Rempel
--
Pengutronix e.K.
Industrial Linux Solutions | http://www.pengutronix.de/
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
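The behaviour Tomaž describes, the kernel feeding the watchdog on its own timer until a userspace process opens /dev/watchdog, is exactly what a userspace watchdog daemon takes over. The following C program is an added example, not code from the barebox patch or from anyone in this thread: it opens the device (which ends the kernel's automatic feeding), reads back the timeout the driver actually accepted, and issues WDIOC_KEEPALIVE only while every registered application-level health check passes. The ioctl names come from the Linux UAPI header linux/watchdog.h; the health probes, the requested 30 s timeout and the device path are assumptions for the demonstration.

```c
/* Added example: minimal Linux userspace watchdog client that feeds
 * /dev/watchdog only while application-level health checks pass.
 * Not part of the barebox patch under discussion. */
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/watchdog.h>   /* WDIOC_KEEPALIVE, WDIOC_SETTIMEOUT, WDIOC_GETTIMEOUT */

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* One application-level health check; probe() returns true when healthy. */
struct health_check {
    const char *name;
    bool (*probe)(void);
};

/* Feed only when every check passes. A single failing check withholds the
 * keepalive so the hardware watchdog fires instead of being masked. */
bool all_checks_pass(const struct health_check *checks, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!checks[i].probe()) {
            fprintf(stderr, "health check '%s' failed, not feeding\n", checks[i].name);
            return false;
        }
    }
    return true;
}

/* Feed at half the hardware timeout so one missed period is tolerated. */
unsigned int feed_interval_secs(int timeout_secs)
{
    if (timeout_secs < 2)
        return 1;
    return (unsigned int)timeout_secs / 2;
}

/* Opening the device is the point at which the kernel stops feeding.
 * The driver may clamp the requested timeout, so read back the real one. */
int wdt_open(const char *path, int wanted_timeout, int *actual_timeout)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ioctl(fd, WDIOC_SETTIMEOUT, &wanted_timeout);
    if (ioctl(fd, WDIOC_GETTIMEOUT, actual_timeout) < 0)
        *actual_timeout = wanted_timeout;
    return fd;
}

int wdt_feed(int fd)
{
    return ioctl(fd, WDIOC_KEEPALIVE, 0);
}

/* Magic close for a clean, intentional shutdown: writing 'V' before close
 * lets a driver that supports it disarm instead of resetting the system. */
void wdt_close(int fd)
{
    if (write(fd, "V", 1) != 1)
        perror("magic close");
    close(fd);
}

/* Constructed probes standing in for real checks (service manager running,
 * network reachable, and so on); assumptions, not real system state. */
bool probe_always_ok(void) { return true; }
bool probe_always_failing(void) { return false; }

const struct health_check healthy_checks[] = {
    { "service-manager", probe_always_ok },
    { "network", probe_always_ok },
};
const struct health_check unhealthy_checks[] = {
    { "service-manager", probe_always_ok },
    { "network", probe_always_failing },
};

int main(void)
{
    int timeout = 0;
    int fd = wdt_open("/dev/watchdog", 30, &timeout);   /* path/timeout assumed */
    if (fd < 0) {
        perror("/dev/watchdog");
        return 1;
    }
    unsigned int interval = feed_interval_secs(timeout);
    printf("watchdog timeout %ds, feeding every %us\n", timeout, interval);
    for (;;) {
        if (!all_checks_pass(healthy_checks, ARRAY_LEN(healthy_checks)))
            break;                       /* stop feeding: let the watchdog reset us */
        if (wdt_feed(fd) < 0)
            perror("keepalive");
        sleep(interval);
    }
    /* Deliberately no wdt_close() here: leaving the loop means "unhealthy",
     * and a close without the magic character keeps the watchdog armed. */
    return 2;
}
```

Run it as root on a machine with a watchdog driver loaded; without one, open() fails and the program exits. The split between the pure policy (all_checks_pass, feed_interval_secs) and the device I/O is what makes the feeding decision testable without hardware, and it is the policy, not the ioctl, that decides whether the reset the thread argues about actually happens.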