[ownership, rescue] Allow rescue to be triggered by watchdog #28440
Conversation
Signed-off-by: Chris Frantz <[email protected]>
Allow rescue mode to be configured such that a watchdog timeout can trigger entry into rescue mode. 1. Add an configuration bit to the `RESCUE_MISC_GPIO` byte. 2. Trigger rescue when the configuration bit is true and the reset reason includes a watchdog timeout. 3. Add tests to verify entry into rescue after a watchdog timeout. Signed-off-by: Chris Frantz <[email protected]>
Update the rescue configuration struct to understand the `enter_on_watchdog` field. Signed-off-by: Chris Frantz <[email protected]>
I updated the documentation. This option is an owner configuration decision; I don't anticipate any special restrictions on its use. The change was motivated by a customer accidentally bricking one of their dev boards by flashing a correctly signed but invalid image (ie: the image contained garbage code which hung until the WDT reset). The customer was able to use rescue on their dev board (with SW_STRAPs as the rescue trigger). The customer anticipated that if the same type of image error occurred in a production environment, they'd have a difficult time recovering the device without automatic entry into rescue mode. Since a valid and properly functioning owner firmware should always manage the watchdog, a watchdog timeout is a reasonable configuration for entering rescue mode in the ROM_EXT. |
Document the rescue configuration options. Signed-off-by: Chris Frantz <[email protected]>
cfrantz
force-pushed
the
rescue-trigger-watchdog
branch
from
2649804 to
cc73748
Compare
Allow rescue mode to be configured such that a watchdog timeout can
trigger entry into rescue mode.
RESCUE_GPIOtoRESCUE_MISC_GPIO.RESCUE_MISC_GPIObyte.enter_on_watchdogfield.