From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (NAM12-BN8-obe.outbound.protection.outlook.com [40.107.237.125]) by mx.groups.io with SMTP id smtpd.web12.5244.1635932374753568215 for ; Wed, 03 Nov 2021 02:39:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@os.amperecomputing.com header.s=selector2 header.b=jZ98bAxA; spf=pass (domain: os.amperecomputing.com, ip: 40.107.237.125, mailfrom: nhi@os.amperecomputing.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lWBGbODowhI9NFzXPBW5u5Ilqt3lv6JVfO2vlDKITLUUaLJGDnjbYxR9LpkUQ95zHcHyR0juzkFwhcqapYnDag4bN5ZLSI1bt82QWlQ6XDRaQIafAIlz0M8oBFkz2AQSYIKt+RoFfEb6SkTmbYDWS6TqSH8cA7FWsR30F5+jjFaBKQ/6PvyOjY0X6bdhSV3N+5rVzkmliix4nZzdx6FqeuuczavC8sFTvVNmkWdIKWf0ugUfMc2/OmWWl4FvUL03iZeJVHcrzKstLaqIyLGe4s/DumVVAm+5Rfcx5d+Z5TTBjgIZUYQRmDJpNWQdHGunclkL+smwDrWMrVLbTtVq8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=q7hpaveUDrezwT2ijHWYgIbHTxLytbGo2drhzm0snGE=; b=Qu/FJUZZ04knV3rQnTkO6nNtQH3/nYUDyeLn0mdrwvcNlz8BQFUxI+dX/xTeM7JYpAonQIwVDihfE7uMWi3LDKwnOAg7CM8OJpuMttY9OZ5ASpVJj63X2mnImSCTpKnRGUoaahCXalEUkPfLMRBROunnWswVBNurjUSLT4EwhChF63k+acd/sTSVISXV6XQQ8yIn2dMx7UOQXPBZ+hERIV+3iOsm6cFP7akb4mOd3+7tyUTGfWbnlc+0s2ar4nKWY0F2sWq8sfMi5jfqt0OxORLKgD/N7q/Wu5Cs8yzZzn+G8E60W9IIeD3SsvReXcx73rrD1678a5XBrpl7dz5N/Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=os.amperecomputing.com; dmarc=pass action=none header.from=os.amperecomputing.com; dkim=pass header.d=os.amperecomputing.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=os.amperecomputing.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q7hpaveUDrezwT2ijHWYgIbHTxLytbGo2drhzm0snGE=; b=jZ98bAxAclcer1B+/RWLpgJDchiy2xJbXBZiJPLvJHbQvejb/NMPYBnqJwsZksvxnwnoCGIcxyxOCJA2OCWTIW5TANkRmG3++AfNGYq4UalyjLRrthIdeEiCTBRT4uknhHdwTGYwHx5Eihwlq95lMYdXboGM5CesMRcMfMTB3IE= Authentication-Results: nuviainc.com; dkim=none (message not signed) header.d=none;nuviainc.com; dmarc=none action=none header.from=os.amperecomputing.com; Received: from PH0PR01MB7287.prod.exchangelabs.com (2603:10b6:510:10a::21) by PH0PR01MB7333.prod.exchangelabs.com (2603:10b6:510:dd::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.11; Wed, 3 Nov 2021 09:39:32 +0000 Received: from PH0PR01MB7287.prod.exchangelabs.com ([fe80::254c:9533:7f35:aee]) by PH0PR01MB7287.prod.exchangelabs.com ([fe80::254c:9533:7f35:aee%5]) with mapi id 15.20.4669.011; Wed, 3 Nov 2021 09:39:32 +0000 Message-ID: <88e0aa63-a9a1-330f-3155-d4b5052db786@os.amperecomputing.com> Date: Wed, 3 Nov 2021 16:35:36 +0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.2.1 Subject: Re: [edk2-platforms][PATCH v4 03/31] AmpereAltraPkg: Add FailSafe and WDT support To: Leif Lindholm Cc: devel@edk2.groups.io, patches@amperecomputing.com, vunguyen@os.amperecomputing.com, Thang Nguyen , Chuong Tran , Phong Vo , Michael D Kinney , Ard Biesheuvel , Nate DeSimone References: <20211022061809.31087-1-nhi@os.amperecomputing.com> <20211022061809.31087-4-nhi@os.amperecomputing.com> <20211026121553.rm6l6dvoztjd3o3c@leviathan> From: "Nhi Pham" In-Reply-To: <20211026121553.rm6l6dvoztjd3o3c@leviathan> X-ClientProxiedBy: HKAPR03CA0011.apcprd03.prod.outlook.com (2603:1096:203:c8::16) To PH0PR01MB7287.prod.exchangelabs.com (2603:10b6:510:10a::21) Return-Path: nhi@os.amperecomputing.com MIME-Version: 1.0 Received: from [192.168.1.3] (113.188.173.157) by HKAPR03CA0011.apcprd03.prod.outlook.com (2603:1096:203:c8::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.5 via Frontend Transport; Wed, 3 Nov 2021 09:39:29 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: bd0f5b38-8046-41b2-2fae-08d99eadd709 X-MS-TrafficTypeDiagnostic: PH0PR01MB7333: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:6790; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: gLrlVS/AjtdA2cNQOg1JU87t+N9hUncNE4qUZmN5FwCyLVc4WPtNqPp02Sq2ErV8b8mPBn11+WrNOZN3BW4q2195b30OAxqBy6W/lY+HWCp5uniUwDt13hAQU5tTXZy3WSirbIrxUnPBnJYZJDfR88BAr3K2zURX+awJ7jcLCHcwwrhUMVzoq+Lkf1yuKnTv/nrr/O61q9BuNAGioGmuFmcqu85e3vWyUjHMR4M6ccIeaClXbBFkyW8/36nYctgkpBFI/brN6p/cZDMdKaDqgMMnoC0/uOG67ONRlmvKNDA1dRu4zcR+3TlxBHsjVa2QIN/kn0bELG11b7qnQpnvkWiQsn4BxT04k7kuHf8Nr5gSsCofvO3S4QRynL42cR4e/H1Dm4bfP2TbaZ3q5KLk37RS03QDthSNeUsj0JtuckaJsWKwWf0i1gKgZfUQA04D6GI4uvTbbwjbWiY5Us0zv1+M2p0t4RvuBRHiGx4sTbhCis8jflSlRb/ao+A164YukLq0tl9S+t7lsnWOqQFdwl8ONST5dSB0XLPZPQUdZ2l2LiVBja0gRCjmiZZgrgs1o2a/Y3Bu2F/jtHPmAN3HDZ2xMZEoOz0XO6GKEndUSUUK/P7K99vOaSZHb4P3HUskqrZIRP5sdSOM8tPLzzD2sBDyoDIiqGunn7wbv0Nvyl3AJLe02UYiYfnDt1waEaSwPS/a9cNOKYxsPiEv8GlDm/ZyG7Tl8o1pj5uVZ6qz8zvAYkJiQUiqpCX57bmTPF89JobQQ//8CcXcwz+TnDwJwWnAv9sqS35kx627ANMsCtP4UhuFKCmHHCXUFxvzgkVZ X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR01MB7287.prod.exchangelabs.com;PTR:;CAT:NONE;SFS:(4636009)(366004)(6666004)(30864003)(38350700002)(66946007)(2906002)(2616005)(86362001)(38100700002)(52116002)(6486002)(53546011)(16576012)(186003)(54906003)(8676002)(5660300002)(508600001)(316002)(31696002)(83380400001)(66476007)(31686004)(66556008)(26005)(6916009)(19627235002)(4326008)(956004)(8936002)(9186005)(45980500001)(43740500002)(44824005);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?VmZtUDMyVFNFYXRMdnQxVDBuM0hSL2tKdllHVGhoNktoUUNBK0h4Rk9HUElP?= =?utf-8?B?SDM5SXM0QUtDT0dFK1dDWlpSZmZVNmFETW9aTXYvWFpFMWI0NWlpbEhUWmIy?= =?utf-8?B?SWppZDlFdHp5V1VFS21qR3daUEJDUEhtcE1DNjFrVE8zNUhpb1lZZFlqSWlr?= =?utf-8?B?NWdTWGtyTHVnTHgwK2pxcmZkZWthVWsrMGtDRXlqcGtta2FPYlpORVlUQVNk?= =?utf-8?B?TXlCUlVxUzBDSHQxanVudXR1QzVlNXB1MHZjWFM0ZkgrZC9XRGZiK2lVYlNw?= =?utf-8?B?dHRwczRYMFIvenBBeW00Y1RibG02aldNZjgwdVd4ZXUxQU1EWFg2MGYvYmd1?= =?utf-8?B?Z045amNVVGlCSm5MUmt1MUtEU0xWYlVvYjd6Q2hKWU9OaGRrcGdSV1VjejVr?= =?utf-8?B?c2Zmdk5nY2ZzY1oxUnpxSlg3eDFYWnRtcERaUkhTSjR3RGlxbUhOMDRlREkr?= =?utf-8?B?RXNCSmVYeFRXRDNGakJQYmhQV1d0bHpYeDBKajM0U1BDRzdtaVB3RXF3ckdh?= =?utf-8?B?TzRPR1hGcHhRM1h5a1kxWmI2c0htQ1EyZ0wvSWpnVk1GZlYxcHBEY0VVQUFS?= =?utf-8?B?L1JTVTRwQktMV0RXWThtTWVxbCtaaFhudUMzWm1ZWlVIb09ZaEw4TnhYbWd4?= =?utf-8?B?eGlrYXY1UVlGQ0orS3cxZzVSbllwTTJwR1dqUEY0cm1mTzRMR0I5dU52QlZZ?= =?utf-8?B?VWI3RHJkSU44RUp0aTdRc2dseUxtcithUjVIWmJYNjZ4K3NldEhITVJaMHF1?= =?utf-8?B?cjlTVElqL3ZMazc0ODBRL0NBd29TR1FDSllhYU8rcDhxeGt5UytGUHlPejF6?= =?utf-8?B?NEZselNrNmM0Z3c0ZllvYjVzZ1pTNC9PY09wVS9ENjlpdzhYVXhOVTBKaVJh?= =?utf-8?B?SEtJWU1OWjlRQ0pxNnRlcFhqQUpzakhxYnJuUE45SDQzOUR6RlNtRmxJVG5s?= =?utf-8?B?WnROZ0l5UzVyditVVm5sQnlSeVRseDd1QTIvWlR2bGFUNzVRRC8vL0xPc3Ft?= =?utf-8?B?WU1TZjgvQk9GVm44cHF0NXpHalkxS2g2ckRkMHd2M2V1bE5qbUtMcVExVWJ0?= =?utf-8?B?d3IzWmZCNC8zaUt1RGZLMkhjM3JualRleXhVM3JWTGM5UktZaWlhaGIxYUNk?= =?utf-8?B?eUsya3VuOFBxdXdsZVRxWVFhSHZDSjBYdDQvVHFHaThPdXBrdzFYMlhLY3RG?= =?utf-8?B?aDA4RVZPbWwrTjh1Mk5NdWRGcmlwZVRPdkQwWjZaWStzanFsS1hDY1RxVFhR?= =?utf-8?B?TTg4Tk53QVQ4UjhaYjY1WVRXa1hIeTJtWTdkaUZDZmpKY1ZVSGE1OVo0bUZl?= =?utf-8?B?YSt0RVFDQStWV0xVRjVRM0tJR3pyd0t4WXhaTkpjSWpwUmZ0WGpNMUo1QzMw?= =?utf-8?B?RGZySWxxYzBXN2VEUHJ2dFBXWHJlem50Q245eFRBcHg2WmkvQTZKbU1IUzlV?= =?utf-8?B?UHVZMExSeWpTOS9POW9vTWt3SXhIald0dVJhcnBiUDkxdERrVVJReDJyQWJO?= =?utf-8?B?S2JJZTUxd0kwUE9jd3hjbU9GSHJSY2ZQUlNuR0VCRnBRZi9UaG4zZk42U2xa?= =?utf-8?B?eHpxMG4wdVZqbWs1R1ZYc2FnYnhLVFBnR1lDSCt1cHVuOEdFWFd6S2ltY0xm?= =?utf-8?B?MGlZRFRqU0Y2NlhlSzdvVzdtVGFhK1NFc3VJVWZ0VVNyNUtXbG52SlRHNGJ3?= =?utf-8?B?b0RRQ1FYcWtYZ2RqckV6VUNMRFRSTGplYmJpNHlVTnp5VEY1blcvemI2S09j?= =?utf-8?B?anNKaDBxN2p0YkhZV3g4UmFidFo4MVRBQk5uUDZaRWMxa2x4QkFuS0NEOGk3?= =?utf-8?B?bzdHdGZnT2krMkpvUkM2MWhuNEprd0pYdW1CNjN6Q2t5dW9JMzZPUndRNno4?= =?utf-8?B?bnhxUkVjR2JsMFpmTmxnQ0tGS2JmcGNCVXd0aThTVWYxNUpNOG9LTEFMd1d1?= =?utf-8?B?UndqdHhEZWdXbGxLWlJHR2RraGhIM2dldjdsMVM4M2ZEN21zNi9QczZ3SWZD?= =?utf-8?B?K2ZuSm8yRXRnMmFTazhhMGE2dm9MNjFyeVVQeTNjcmpGU3RHZjhBWlUrSnpE?= =?utf-8?B?NjRCTGxjMUJIanpIamNnSlBRYlRHSTAySnM4NmtabSswRjUwWUxqMmd4VHdi?= =?utf-8?B?bDVMWmtHV3A0UWkvUXVWZFh1KzZ0V2pmNk9sRHlqNUtWaXRIcW5SNzc4cjNW?= =?utf-8?B?dnE5bnVSYmRvc09LVEJJelgzVThjTHhKZ3FEQktHbHFTeVhjcTk2NlM0R0da?= =?utf-8?Q?zZ8ptHtfoG/UBinyzvvKcfC1Baa4hOHSmD1haboiZQ=3D?= X-OriginatorOrg: os.amperecomputing.com X-MS-Exchange-CrossTenant-Network-Message-Id: bd0f5b38-8046-41b2-2fae-08d99eadd709 X-MS-Exchange-CrossTenant-AuthSource: PH0PR01MB7287.prod.exchangelabs.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Nov 2021 09:39:32.7504 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3bc2b170-fd94-476d-b0ce-4229bdc904a7 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: GVRkxv6L0RIUnrBLTJq8T2kBy9Vptg33miju7VIpaeo8hVDqUCSPM74P9N/EbsMU9k5mg4tEHfpWo0HiSIXzwdWbr5IDEQ3e96SiBQ3+Yso= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR01MB7333 Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 26/10/2021 19:15, Leif Lindholm wrote: > Hi Nhi, > > On Fri, Oct 22, 2021 at 13:17:41 +0700, Nhi Pham wrote: >> The FailSafeDxe is a driver for the FailSafe feature which reverts the >> system's configuration to known good values if the system fails to boot >> up multiple times. Also, this driver implements the Watchdog Timer >> Architectural Protocol to reset the system if it hangs, which is >> implemented by the MdeModulePkg/Universal/WatchdogTimerDxe module. So, >> the WDT is now used exclusively by the FailSafeDxe. > I guess I skimmed this message previously. Taking a closer look, I am > very confused by this design (and the commit message), on several > levels. > > 1) Why do you need a custom watchdog driver? Because the non-secure Watchdog timer is started by ATF and the ATF controls/monitors the WDT during UEFI boot phase as its responsibility in the design of failsafe. When UEFI booting is successful, the UEFI will turn the Failsafe off and release the WDT to UEFI Arch Timer Protocol. This is quite problematic as you point out below. Thanks for that. I will remove the Failsafe support and install the generic WDT driver instead in the v5. The FailSafe will be considered to support later as I need to look back this design to make it compliant with PI/UEFI spec. Thanks a lot for your suggestion. It's really helpful. > 2) Why is it integrated into FailSafeDxe instead of being a standalone > driver? > 3) Given that it's integrated, why do you install it as an > implementation of EFI_WATCHDOG_TIMER_ARCH_PROTOCOL? > 4) Given that it's installed, how can it be exclusively for the use of > FailSafeDxe? > >> By default, when system starts, it configures the secure watchdog timer >> with a default value of 5 minutes. If the system boots up cleanly to the >> considered good stage, the counter is cleared as it indicates FailSafe >> monitor (ATF) that has booted up successfully. If the timer expires, it >> is considered a failed boot and the system is rebooted. > How? > (more below) > >> Cc: Thang Nguyen >> Cc: Chuong Tran >> Cc: Phong Vo >> Cc: Leif Lindholm >> Cc: Michael D Kinney >> Cc: Ard Biesheuvel >> Cc: Nate DeSimone >> >> Signed-off-by: Nhi Pham >> Reviewed-by: Leif Lindholm >> --- >> Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc | 6 +- >> Platform/Ampere/JadePkg/Jade.fdf | 6 +- >> Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.inf | 51 +++ >> Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafe.h | 44 +++ >> Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/Watchdog.h | 29 ++ >> Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.c | 243 +++++++++++++ >> Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/Watchdog.c | 357 ++++++++++++++++++++ >> 7 files changed, 734 insertions(+), 2 deletions(-) >> >> diff --git a/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc b/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc >> index 69a6caa56752..bfe66f332c56 100644 >> --- a/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc >> +++ b/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc >> @@ -588,7 +588,11 @@ [Components.common] >> # Timer >> # >> ArmPkg/Drivers/TimerDxe/TimerDxe.inf >> - MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf >> + >> + # >> + # FailSafe and Watchdog Timer >> + # >> + Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.inf >> >> # >> # ARM GIC Dxe >> diff --git a/Platform/Ampere/JadePkg/Jade.fdf b/Platform/Ampere/JadePkg/Jade.fdf >> index 6e228d4ecb89..49e38db1bce4 100644 >> --- a/Platform/Ampere/JadePkg/Jade.fdf >> +++ b/Platform/Ampere/JadePkg/Jade.fdf >> @@ -185,7 +185,11 @@ [FV.FvMain] >> # Timer >> # >> INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf >> - INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf >> + >> + # >> + # FailSafe and Watchdog Timer >> + # >> + INF Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.inf >> >> # >> # ARM GIC Dxe >> diff --git a/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.inf b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.inf >> new file mode 100644 >> index 000000000000..cea69516d0bb >> --- /dev/null >> +++ b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.inf >> @@ -0,0 +1,51 @@ >> +## @file >> +# >> +# Copyright (c) 2020 - 2021, Ampere Computing LLC. All rights reserved.
>> +# >> +# SPDX-License-Identifier: BSD-2-Clause-Patent >> +# >> +## >> + >> +[Defines] >> + INF_VERSION = 0x0001001B >> + BASE_NAME = FailSafeDxe >> + FILE_GUID = 7BC4F970-B1CF-11E6-80F5-76304DEC7EB7 >> + MODULE_TYPE = DXE_DRIVER >> + VERSION_STRING = 1.0 >> + ENTRY_POINT = FailSafeDxeEntryPoint >> + >> +[Sources] >> + FailSafe.h >> + FailSafeDxe.c >> + Watchdog.c >> + Watchdog.h >> + >> +[Packages] >> + ArmPkg/ArmPkg.dec >> + ArmPlatformPkg/ArmPlatformPkg.dec >> + EmbeddedPkg/EmbeddedPkg.dec >> + MdeModulePkg/MdeModulePkg.dec >> + MdePkg/MdePkg.dec >> + Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dec >> + Silicon/Ampere/AmpereSiliconPkg/AmpereSiliconPkg.dec >> + >> +[LibraryClasses] >> + DebugLib >> + FlashLib >> + IoLib >> + NVParamLib >> + TimerLib >> + UefiBootServicesTableLib >> + UefiDriverEntryPoint >> + UefiLib >> + >> +[Pcd] >> + gArmTokenSpaceGuid.PcdGenericWatchdogControlBase >> + gArmTokenSpaceGuid.PcdGenericWatchdogEl2IntrNum >> + >> +[Protocols] >> + gEfiWatchdogTimerArchProtocolGuid ## PRODUCES >> + gHardwareInterrupt2ProtocolGuid ## CONSUMES >> + >> +[Depex] >> + gHardwareInterrupt2ProtocolGuid >> diff --git a/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafe.h b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafe.h >> new file mode 100644 >> index 000000000000..911b093dce28 >> --- /dev/null >> +++ b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafe.h >> @@ -0,0 +1,44 @@ >> +/** @file >> + >> + Copyright (c) 2020 - 2021, Ampere Computing LLC. All rights reserved.
>> + >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#ifndef FAILSAFE_H_ >> +#define FAILSAFE_H_ >> + >> +#define FAILSAFE_BOOT_NORMAL 0x00 >> +#define FAILSAFE_BOOT_LAST_KNOWN_SETTINGS 0x01 >> +#define FAILSAFE_BOOT_DEFAULT_SETTINGS 0x02 >> +#define FAILSAFE_BOOT_DDR_DOWNGRADE 0x03 >> +#define FAILSAFE_BOOT_SUCCESSFUL 0x04 >> + >> +#pragma pack(1) >> +typedef struct { >> + UINT8 ImgMajorVer; >> + UINT8 ImgMinorVer; >> + UINT32 NumRetry1; >> + UINT32 NumRetry2; >> + UINT32 MaxRetry; >> + UINT8 Status; >> + // >> + // Byte[3]: Reserved >> + // Byte[2]: Slave MCU Failure Mask >> + // Byte[1]: Reserved >> + // Byte[0]: Master MCU Failure Mask >> + // >> + UINT32 MCUFailsMask; >> + UINT16 CRC16; >> + UINT8 Reserved[3]; >> +} FAIL_SAFE_CONTEXT; >> +#pragma pack() >> + >> +BOOLEAN >> +EFIAPI >> +IsFailSafeOff ( >> + VOID >> + ); >> + >> +#endif /* FAILSAFE_H_ */ >> diff --git a/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/Watchdog.h b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/Watchdog.h >> new file mode 100644 >> index 000000000000..6c9106fdbea5 >> --- /dev/null >> +++ b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/Watchdog.h >> @@ -0,0 +1,29 @@ >> +/** @file >> + >> + Copyright (c) 2020 - 2021, Ampere Computing LLC. All rights reserved.
>> + >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#ifndef GENERIC_WATCHDOG_H_ >> +#define GENERIC_WATCHDOG_H_ >> + >> +#include >> + >> +/* The number of 100ns periods (the unit of time passed to these functions) >> + in a second */ >> +#define TIME_UNITS_PER_SECOND 10000000 >> + >> +/** >> + The function to install Watchdog timer protocol to the system >> + >> + @retval Return EFI_SUCCESS if install Watchdog timer protocol successfully. >> + **/ >> +EFI_STATUS >> +EFIAPI >> +WatchdogTimerInstallProtocol ( >> + EFI_WATCHDOG_TIMER_ARCH_PROTOCOL **WatchdogTimerProtocol >> + ); >> + >> +#endif /* GENERIC_WATCHDOG_H_ */ >> diff --git a/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.c b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.c >> new file mode 100644 >> index 000000000000..487e0d3870ab >> --- /dev/null >> +++ b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/FailSafeDxe.c >> @@ -0,0 +1,243 @@ >> +/** @file >> + >> + Copyright (c) 2020 - 2021, Ampere Computing LLC. All rights reserved.
>> + >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#include >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +#include "FailSafe.h" >> +#include "Watchdog.h" >> + >> +STATIC UINTN gWatchdogOSTimeout; >> +STATIC BOOLEAN gFailSafeOff; >> +STATIC EFI_WATCHDOG_TIMER_ARCH_PROTOCOL *gWatchdogTimer; >> + >> +STATIC >> +INTN >> +CheckCrc16 ( >> + UINT8 *Pointer, >> + INTN Count >> + ) >> +{ >> + INTN Crc = 0; >> + INTN Index; >> + >> + while (--Count >= 0) { >> + Crc = Crc ^ (INTN)*Pointer++ << 8; >> + for (Index = 0; Index < 8; ++Index) { >> + if ((Crc & 0x8000) != 0) { >> + Crc = Crc << 1 ^ 0x1021; >> + } else { >> + Crc = Crc << 1; >> + } >> + } >> + } >> + >> + return Crc & 0xFFFF; >> +} >> + >> +BOOLEAN >> +FailSafeValidCRC ( >> + FAIL_SAFE_CONTEXT *FailSafeBuf >> + ) >> +{ >> + UINT8 Valid; >> + UINT16 Crc; >> + UINT32 Len; >> + >> + Len = sizeof (FAIL_SAFE_CONTEXT); >> + Crc = FailSafeBuf->CRC16; >> + FailSafeBuf->CRC16 = 0; >> + >> + Valid = (Crc == CheckCrc16 ((UINT8 *)FailSafeBuf, Len)); >> + FailSafeBuf->CRC16 = Crc; >> + >> + return Valid; >> +} >> + >> +BOOLEAN >> +FailSafeFailureStatus ( >> + UINT8 Status >> + ) >> +{ >> + if ((Status == FAILSAFE_BOOT_LAST_KNOWN_SETTINGS) || >> + (Status == FAILSAFE_BOOT_DEFAULT_SETTINGS) || >> + (Status == FAILSAFE_BOOT_DDR_DOWNGRADE)) { >> + return TRUE; >> + } >> + >> + return FALSE; >> +} >> + >> +EFI_STATUS >> +EFIAPI >> +FailSafeBootSuccessfully ( >> + VOID >> + ) >> +{ >> + EFI_STATUS Status; >> + FAIL_SAFE_CONTEXT FailSafeBuf; >> + UINT32 FailSafeSize; >> + UINT64 FailSafeStartOffset; >> + >> + Status = FlashGetFailSafeInfo (&FailSafeStartOffset, &FailSafeSize); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_ERROR, "%a: Failed to get context region information\n", __FUNCTION__)); >> + return EFI_DEVICE_ERROR; >> + } >> + >> + Status = FlashReadCommand (FailSafeStartOffset, (UINT8 *)&FailSafeBuf, sizeof (FAIL_SAFE_CONTEXT)); >> + if (EFI_ERROR (Status)) { >> + return Status; >> + } >> + >> + // >> + // If failsafe context is valid, and: >> + // - The status indicate non-failure, then don't clear it >> + // - The status indicate a failure, then go and clear it >> + // >> + if (FailSafeValidCRC (&FailSafeBuf) >> + && !FailSafeFailureStatus (FailSafeBuf.Status)) { >> + return EFI_SUCCESS; >> + } >> + >> + Status = FlashEraseCommand (FailSafeStartOffset, FailSafeSize); >> + if (EFI_ERROR (Status)) { >> + return Status; >> + } >> + >> + return EFI_SUCCESS; >> +} >> + >> +EFI_STATUS >> +FailSafeTestBootFailure ( >> + VOID >> + ) >> +{ >> + EFI_STATUS Status; >> + UINT32 Value = 0; >> + >> + // >> + // Simulate UEFI boot failure due to config wrong NVPARAM for >> + // testing failsafe feature >> + // >> + Status = NVParamGet (NV_SI_UEFI_FAILURE_FAILSAFE, NV_PERM_ALL, &Value); >> + if (!EFI_ERROR (Status) && (Value == 1)) { >> + CpuDeadLoop (); >> + } >> + >> + return EFI_SUCCESS; >> +} >> + >> +VOID >> +FailSafeTurnOff ( >> + VOID >> + ) >> +{ >> + EFI_STATUS Status; >> + >> + if (IsFailSafeOff ()) { >> + return; >> + } >> + >> + Status = FailSafeBootSuccessfully (); >> + ASSERT_EFI_ERROR (Status); >> + >> + gFailSafeOff = TRUE; >> + >> + /* Disable Watchdog timer */ >> + gWatchdogTimer->SetTimerPeriod (gWatchdogTimer, 0); >> +} >> + >> +BOOLEAN >> +EFIAPI >> +IsFailSafeOff ( >> + VOID >> + ) >> +{ >> + return gFailSafeOff; >> +} >> + >> +/** >> + The function to refresh Watchdog timer in the event before exiting boot services >> +**/ >> +VOID >> +WdtTimerExitBootServiceCallback ( >> + IN EFI_EVENT Event, >> + IN VOID *Context >> + ) >> +{ >> + >> + /* Enable Watchdog timer for OS booting */ >> + if (gWatchdogOSTimeout != 0) { >> + gWatchdogTimer->SetTimerPeriod ( >> + gWatchdogTimer, >> + gWatchdogOSTimeout * TIME_UNITS_PER_SECOND >> + ); >> + } else { >> + /* Disable Watchdog timer */ >> + gWatchdogTimer->SetTimerPeriod (gWatchdogTimer, 0); >> + } >> +} >> + >> +/** >> + Main entry for this driver. >> + >> + @param ImageHandle Image handle this driver. >> + @param SystemTable Pointer to SystemTable. >> + >> + @retval EFI_SUCCESS This function always complete successfully. >> + >> +**/ >> +EFI_STATUS >> +EFIAPI >> +FailSafeDxeEntryPoint ( >> + IN EFI_HANDLE ImageHandle, >> + IN EFI_SYSTEM_TABLE *SystemTable >> + ) >> +{ >> + EFI_EVENT ExitBootServicesEvent; >> + EFI_STATUS Status; >> + >> + gFailSafeOff = FALSE; >> + >> + FailSafeTestBootFailure (); >> + >> + /* We need to setup non secure Watchdog to ensure that the system will >> + * boot to OS successfully. >> + * >> + * The BIOS doesn't handle Watchdog interrupt so we expect WS1 asserted EL3 >> + * when Watchdog timeout triggered >> + */ >> + >> + Status = WatchdogTimerInstallProtocol (&gWatchdogTimer); >> + ASSERT_EFI_ERROR (Status); >> + >> + // We should register a callback function before entering to Setup screen >> + // rather than always call it at DXE phase. >> + FailSafeTurnOff (); >> + >> + /* Register event before exit boot services */ >> + Status = gBS->CreateEvent ( >> + EVT_SIGNAL_EXIT_BOOT_SERVICES, >> + TPL_NOTIFY, >> + WdtTimerExitBootServiceCallback, >> + NULL, >> + &ExitBootServicesEvent >> + ); >> + ASSERT_EFI_ERROR (Status); >> + >> + return Status; >> +} >> diff --git a/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/Watchdog.c b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/Watchdog.c >> new file mode 100644 >> index 000000000000..34329d04206a >> --- /dev/null >> +++ b/Silicon/Ampere/AmpereAltraPkg/Drivers/FailSafeDxe/Watchdog.c >> @@ -0,0 +1,357 @@ >> +/** @file >> + >> + Copyright (c) 2020 - 2021, Ampere Computing LLC. All rights reserved.
>> + >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +#include "FailSafe.h" >> +#include "Watchdog.h" >> + >> +/* Watchdog timer controller registers */ >> +#define WDT_CTRL_BASE_REG FixedPcdGet64 (PcdGenericWatchdogControlBase) >> +#define WDT_CTRL_WCS_OFF 0x0 >> +#define WDT_CTRL_WCS_ENABLE_MASK 0x1 >> +#define WDT_CTRL_WOR_OFF 0x8 >> +#define WDT_CTRL_WCV_OFF 0x10 >> +#define WS0_INTERRUPT_SOURCE FixedPcdGet32 (PcdGenericWatchdogEl2IntrNum) >> + >> +STATIC UINT64 mNumTimerTicks; >> +STATIC EFI_HARDWARE_INTERRUPT2_PROTOCOL *mInterruptProtocol; >> +BOOLEAN mInterruptWS0Enabled; >> + >> +STATIC >> +VOID >> +WatchdogTimerWriteOffsetRegister ( >> + UINT32 Value >> + ) >> +{ >> + MmioWrite32 (WDT_CTRL_BASE_REG + WDT_CTRL_WOR_OFF, Value); >> +} >> + >> +STATIC >> +VOID >> +WatchdogTimerWriteCompareRegister ( >> + UINT64 Value >> + ) >> +{ >> + MmioWrite64 (WDT_CTRL_BASE_REG + WDT_CTRL_WCV_OFF, Value); >> +} >> + >> +STATIC >> +EFI_STATUS >> +WatchdogTimerEnable ( >> + IN BOOLEAN Enable >> + ) >> +{ >> + UINT32 Val = MmioRead32 ((UINTN)(WDT_CTRL_BASE_REG + WDT_CTRL_WCS_OFF)); >> + >> + if (Enable) { >> + Val |= WDT_CTRL_WCS_ENABLE_MASK; >> + } else { >> + Val &= ~WDT_CTRL_WCS_ENABLE_MASK; >> + } >> + MmioWrite32 ((UINTN)(WDT_CTRL_BASE_REG + WDT_CTRL_WCS_OFF), Val); >> + >> + return EFI_SUCCESS; >> +} >> + >> +STATIC >> +EFI_STATUS >> +WatchdogTimerSetup ( >> + VOID >> + ) >> +{ >> + EFI_STATUS Status; >> + >> + /* Disable Watchdog timer */ >> + WatchdogTimerEnable (FALSE); >> + >> + if (!mInterruptWS0Enabled) { >> + Status = mInterruptProtocol->EnableInterruptSource ( >> + mInterruptProtocol, >> + WS0_INTERRUPT_SOURCE >> + ); >> + ASSERT_EFI_ERROR (Status); >> + >> + mInterruptWS0Enabled = TRUE; >> + } >> + >> + if (mNumTimerTicks == 0) { >> + return EFI_SUCCESS; >> + } >> + >> + /* If the number of required ticks is greater than the max the Watchdog's >> + offset register (WOR) can hold, we need to manually compute and set >> + the compare register (WCV) */ >> + if (mNumTimerTicks > MAX_UINT32) { >> + /* We need to enable the Watchdog *before* writing to the compare register, >> + because enabling the Watchdog causes an "explicit refresh", which >> + clobbers the compare register (WCV). In order to make sure this doesn't >> + trigger an interrupt, set the offset to max. */ >> + WatchdogTimerWriteOffsetRegister (MAX_UINT32); >> + WatchdogTimerEnable (TRUE); >> + WatchdogTimerWriteCompareRegister (ArmGenericTimerGetSystemCount () + mNumTimerTicks); >> + } else { >> + WatchdogTimerWriteOffsetRegister ((UINT32)mNumTimerTicks); >> + WatchdogTimerEnable (TRUE); >> + } >> + >> + return EFI_SUCCESS; >> +} >> + >> + >> +/* This function is called when the Watchdog's first signal (WS0) goes high. >> + It uses the ResetSystem Runtime Service to reset the board. >> +*/ >> +VOID >> +EFIAPI >> +WatchdogTimerInterruptHandler ( >> + IN HARDWARE_INTERRUPT_SOURCE Source, >> + IN EFI_SYSTEM_CONTEXT SystemContext >> + ) >> +{ >> + STATIC CONST CHAR16 ResetString[]= L"The generic Watchdog timer ran out."; >> + >> + mInterruptProtocol->EndOfInterrupt (mInterruptProtocol, Source); >> + >> + if (!IsFailSafeOff ()) { >> + /* Not handling interrupt as ATF is monitoring it */ >> + return; >> + } >> + >> + WatchdogTimerEnable (FALSE); >> + >> + gRT->ResetSystem ( >> + EfiResetCold, >> + EFI_TIMEOUT, >> + StrSize (ResetString), >> + (VOID *)&ResetString >> + ); >> + >> + /* If we got here then the reset didn't work */ >> + ASSERT (FALSE); >> +} >> + >> +/** >> + This function registers the handler NotifyFunction so it is called every time >> + the Watchdog timer expires. It also passes the amount of time since the last >> + handler call to the NotifyFunction. >> + If NotifyFunction is not NULL and a handler is not already registered, >> + then the new handler is registered and EFI_SUCCESS is returned. >> + If NotifyFunction is NULL, and a handler is already registered, >> + then that handler is unregistered. >> + If an attempt is made to register a handler when a handler is already >> + registered, then EFI_ALREADY_STARTED is returned. >> + If an attempt is made to unregister a handler when a handler is not >> + registered, then EFI_INVALID_PARAMETER is returned. >> + >> + @param This The EFI_TIMER_ARCH_PROTOCOL instance. >> + @param NotifyFunction The function to call when a timer interrupt fires. >> + This function executes at TPL_HIGH_LEVEL. The DXE >> + Core will register a handler for the timer interrupt, >> + so it can know how much time has passed. This >> + information is used to signal timer based events. >> + NULL will unregister the handler. >> + >> + @retval EFI_UNSUPPORTED The code does not support NotifyFunction. >> + >> +**/ >> +EFI_STATUS >> +EFIAPI >> +WatchdogTimerRegisterHandler ( >> + IN CONST EFI_WATCHDOG_TIMER_ARCH_PROTOCOL *This, >> + IN EFI_WATCHDOG_TIMER_NOTIFY NotifyFunction >> + ) >> +{ >> + /* Not support. Watchdog will reset the board */ >> + return EFI_UNSUPPORTED; > What you actually have here is a hardware watchdog. On timeout it > triggers a hardware reset. > > The definition of EFI_WATCHDOG_TIMER_ARCH_PROTOCOL is explicitly > described in PI (1.7a) as "This protocol is used to implement the Boot > Service SetWatchdogTimer().". > > Further down the definition, the following text > --- > When the watchdog timer fires, control will be passed to a handler if > one has been registered. If no handler has been registered, or the > registered handler returns, then the system will be reset by calling > the Runtime Service ResetSystem(). > --- > means that a watchdog that triggers a hardware reset on timeout is > inappropriate as the back-end for this. It cannot fulfill the > requirements of this protocol. You're right. Thanks for pointing out. Best regards, Nhi > > I see nothing wrong with including a driver for this hardware watchdog > in your platform port, but: > - It should be a standalone driver. > - It should not register itself as an implementation of > EFI_WATCHDOG_TIMER_ARCH_PROTOCOL. > - The platform port will still need to include an *actual* > implementation of EFI_WATCHDOG_TIMER_ARCH_PROTOCOL. > > / > Leif > >> +} >> + >> +/** >> + This function sets the amount of time to wait before firing the Watchdog >> + timer to TimerPeriod 100ns units. If TimerPeriod is 0, then the Watchdog >> + timer is disabled. >> + >> + @param This The EFI_WATCHDOG_TIMER_ARCH_PROTOCOL instance. >> + @param TimerPeriod The amount of time in 100ns units to wait before >> + the Watchdog timer is fired. If TimerPeriod is zero, >> + then the Watchdog timer is disabled. >> + >> + @retval EFI_SUCCESS The Watchdog timer has been programmed to fire >> + in Time 100ns units. >> + @retval EFI_DEVICE_ERROR A Watchdog timer could not be programmed due >> + to a device error. >> + >> +**/ >> +EFI_STATUS >> +EFIAPI >> +WatchdogTimerSetPeriod ( >> + IN CONST EFI_WATCHDOG_TIMER_ARCH_PROTOCOL *This, >> + IN UINT64 TimerPeriod // In 100ns units >> + ) >> +{ >> + mNumTimerTicks = (ArmGenericTimerGetTimerFreq () * TimerPeriod) / TIME_UNITS_PER_SECOND; >> + >> + if (!IsFailSafeOff ()) { >> + /* Not support Watchdog timer service until FailSafe is off as ATF is monitoring it */ >> + return EFI_SUCCESS; >> + } >> + >> + return WatchdogTimerSetup (); >> +} >> + >> +/** >> + This function retrieves the period of timer interrupts in 100ns units, >> + returns that value in TimerPeriod, and returns EFI_SUCCESS. If TimerPeriod >> + is NULL, then EFI_INVALID_PARAMETER is returned. If a TimerPeriod of 0 is >> + returned, then the timer is currently disabled. >> + >> + @param This The EFI_TIMER_ARCH_PROTOCOL instance. >> + @param TimerPeriod A pointer to the timer period to retrieve in >> + 100ns units. If 0 is returned, then the timer is >> + currently disabled. >> + >> + >> + @retval EFI_SUCCESS The timer period was returned in TimerPeriod. >> + @retval EFI_INVALID_PARAMETER TimerPeriod is NULL. >> + >> +**/ >> +EFI_STATUS >> +EFIAPI >> +WatchdogTimerGetPeriod ( >> + IN CONST EFI_WATCHDOG_TIMER_ARCH_PROTOCOL *This, >> + OUT UINT64 *TimerPeriod >> + ) >> +{ >> + if (TimerPeriod == NULL) { >> + return EFI_INVALID_PARAMETER; >> + } >> + >> + *TimerPeriod = ((TIME_UNITS_PER_SECOND / ArmGenericTimerGetTimerFreq ()) * mNumTimerTicks); >> + >> + return EFI_SUCCESS; >> +} >> + >> +/** >> + Interface structure for the Watchdog Architectural Protocol. >> + >> + @par Protocol Description: >> + This protocol provides a service to set the amount of time to wait >> + before firing the Watchdog timer, and it also provides a service to >> + register a handler that is invoked when the Watchdog timer fires. >> + >> + @par When the Watchdog timer fires, control will be passed to a handler >> + if one has been registered. If no handler has been registered, >> + or the registered handler returns, then the system will be >> + reset by calling the Runtime Service ResetSystem(). >> + >> + @param RegisterHandler >> + Registers a handler that will be called each time the >> + Watchdogtimer interrupt fires. TimerPeriod defines the minimum >> + time between timer interrupts, so TimerPeriod will also >> + be the minimum time between calls to the registered >> + handler. >> + NOTE: If the Watchdog resets the system in hardware, then >> + this function will not have any chance of executing. >> + >> + @param SetTimerPeriod >> + Sets the period of the timer interrupt in 100ns units. >> + This function is optional, and may return EFI_UNSUPPORTED. >> + If this function is supported, then the timer period will >> + be rounded up to the nearest supported timer period. >> + >> + @param GetTimerPeriod >> + Retrieves the period of the timer interrupt in 100ns units. >> + >> +**/ >> +STATIC EFI_WATCHDOG_TIMER_ARCH_PROTOCOL gWatchdogTimer = { >> + (EFI_WATCHDOG_TIMER_REGISTER_HANDLER)WatchdogTimerRegisterHandler, >> + (EFI_WATCHDOG_TIMER_SET_TIMER_PERIOD)WatchdogTimerSetPeriod, >> + (EFI_WATCHDOG_TIMER_GET_TIMER_PERIOD)WatchdogTimerGetPeriod >> +}; >> + >> +EFI_STATUS >> +EFIAPI >> +WatchdogTimerInstallProtocol ( >> + EFI_WATCHDOG_TIMER_ARCH_PROTOCOL **WatchdogTimerProtocol >> + ) >> +{ >> + EFI_STATUS Status; >> + EFI_HANDLE Handle; >> + EFI_TPL CurrentTpl; >> + >> + /* Make sure the Watchdog Timer Architectural Protocol has not been installed >> + in the system yet. >> + This will avoid conflicts with the universal Watchdog */ >> + ASSERT_PROTOCOL_ALREADY_INSTALLED (NULL, &gEfiWatchdogTimerArchProtocolGuid); >> + >> + ASSERT (ArmGenericTimerGetTimerFreq () != 0); >> + >> + /* Install interrupt handler */ >> + Status = gBS->LocateProtocol ( >> + &gHardwareInterrupt2ProtocolGuid, >> + NULL, >> + (VOID **)&mInterruptProtocol >> + ); >> + ASSERT_EFI_ERROR (Status); >> + >> + /* >> + * We don't want to be interrupted while registering Watchdog interrupt source as the interrupt >> + * may be trigger in the middle because the interrupt line already enabled in the EL3. >> + */ >> + CurrentTpl = gBS->RaiseTPL (TPL_HIGH_LEVEL); >> + >> + Status = mInterruptProtocol->RegisterInterruptSource ( >> + mInterruptProtocol, >> + WS0_INTERRUPT_SOURCE, >> + WatchdogTimerInterruptHandler >> + ); >> + ASSERT_EFI_ERROR (Status); >> + >> + /* Don't enable interrupt until FailSafe off */ >> + mInterruptWS0Enabled = FALSE; >> + Status = mInterruptProtocol->DisableInterruptSource ( >> + mInterruptProtocol, >> + WS0_INTERRUPT_SOURCE >> + ); >> + ASSERT_EFI_ERROR (Status); >> + >> + gBS->RestoreTPL (CurrentTpl); >> + >> + Status = mInterruptProtocol->SetTriggerType ( >> + mInterruptProtocol, >> + WS0_INTERRUPT_SOURCE, >> + EFI_HARDWARE_INTERRUPT2_TRIGGER_LEVEL_HIGH >> + ); >> + ASSERT_EFI_ERROR (Status); >> + >> + /* Install the Timer Architectural Protocol onto a new handle */ >> + Handle = NULL; >> + Status = gBS->InstallMultipleProtocolInterfaces ( >> + &Handle, >> + &gEfiWatchdogTimerArchProtocolGuid, >> + &gWatchdogTimer, >> + NULL >> + ); >> + ASSERT_EFI_ERROR (Status); >> + >> + mNumTimerTicks = 0; >> + >> + if (WatchdogTimerProtocol != NULL) { >> + *WatchdogTimerProtocol = &gWatchdogTimer; >> + } >> + >> + return Status; >> +} >> -- >> 2.17.1 >>