xref: /openbmc/docs/designs/power-recovery.md (revision 7d092034) 
1# OpenBMC Server Power Recovery
2
3Author: Andrew Geissler (geissonator)
4
5Other contributors:
6
7Created: October 11th, 2021
8
9## Problem Description
10Modern computer systems have a feature, automated power-on recovery, which
11in essence is the ability to tell your system what to do when it hits
12issues with power to the system. If the system had a black out (i.e. power
13was completely cut to the system), should it automatically power the system
14on? Should it leave it off? Or maybe the user would like the system to
15go to whichever state it was at before the power loss.
16
17There are also instances where the user may not want automatic power recovery
18to occur. For example, some systems have op-panels, and on these op-panels
19there can be a pin hole reset. This is a manual mechanism for the user to
20force a hard reset to the BMC in situations where it is hung or not responding.
21In these situations, the user may wish for the system to not automatically
22power on the system, because they want to debug the reason for the BMC error.
23
24During blackout scenarios, system owners may have a set of services they need
25run once the power is restored. For example, IBM requires all LED's be toggled
26to off in a blackout. OpenBMC needs to provide a mechanism for system owners
27to run services in this scenario.
28
29A brownout is another scenario that commonly utilizes automated power-on
30recovery features. A brownout is a scenario where BMC firmware detects (or is
31told) that chassis power can no longer be supported, but power to the BMC
32will be retained. On some systems, it's desired to utilize the automated
33power-on feature to turn chassis power back on as soon as the brownout condition
34ends.
35
36Some system owners may chose to attach an Uninterrupted Power Supply (UPS) to
37their system. A UPS continues to provide power to a system through a blackout
38or brownout scenario. A UPS has a limited amount of power so it's main
39purpose is to handle brief power interruptions or to allow for an orderly
40shutdown of the host firmware.
41
42The goal of this design document is to describe how OpenBMC firmware will
43deal with these questions.
44
45## Background and References
46The BMC already implements a limited subset of function in this area.
47The [PowerRestorePolicy][pdi-restore] property out in phosphor-dbus-interface
48defines the function capability.
49
50In smaller servers, this feature is commonly found within the Advanced
51Configuration and Power Interface (ACPI).
52
53[openbmc/phosphor-state-manager][state-mgr] supports this property as defined
54in the phosphor-dbus-interface.
55
56## Requirements
57
58### Automated Power-On Recovery
59OpenBMC software must ensure it persists the state of power to the chassis so
60it can know what to restore it to if necessary
61
62OpenBMC software must provide support for the following options:
63- Do nothing when power is lost to the system (this will be the
64  default)
65- Always power the system on and boot the host
66- Always power the system off (previous power was on, power is now off, run
67  all chassis power off services to ensure a clean state of software and
68  hardware)
69- Restore the previous state of the chassis power and host
70
71These options are only checked and enforced in situations where the BMC does
72not detect that chassis power is already on to the system when it comes out
73of reboot.
74
75OpenBMC software must also support the concept of a one_time power restore
76policy. This is a separate instance of the `PowerRestorePolicy` which will
77be hosted under a D-Bus object path which ends with "one_time". If this
78one_time setting is not the default, `None`, then software will execute
79the policy defined under it, and then reset the one_time property to `None`.
80This one_time feature is a way for software to utilize automated power-on
81recovery function for other areas like firmware update scenarios where a
82certain power on behavior is desired once an update has completed.
83
84### BMC and System Recovery Paths
85In situations where the BMC or the system have gotten into a bad state, and
86the user has initiated some form of manual reset which is detectable by the
87BMC as being user initiated, the BMC software must:
88- Fill in appropriate `RebootCause` within the [BMC state interface][bmc-state]
89  - At a minimum, `PinholeReset` will be added. Others can be added as needed
90- Log an error indicating a user initiated forced reset has occurred
91- Not log an error indicating a blackout has occurred if chassis power was on
92  prior to the pin hole reset
93- Not implement any power recovery policy on the system
94- Turn power recovery back on once BMC has a normal reboot
95
96### Blackout
97A blackout occurs when AC power is cut from the system, resulting in a total
98loss of power if there is no UPS installed to keep the system on. To identify
99this scenario after a BMC reboot, chassis-state-manager will check to see what
100the last power state was before the loss of power and compares it against
101the pgood pin. Blackouts can be intentionally triggered by a user
102(i.e a pinhole reset) or in severe cases occur when there is some sort of
103an external outage. In either case the BMC must take into account this
104detrimental state.
105When this condition occurs, the BMC may(depending on configuration):
106- Provide a generic target, `obmc-chassis-blackout@.target` to be called when
107  a blackout is detected
108- Adhere to the current power restore policy
109
110BMC firmware must also be able to:
111- Discover why the system is in a blackout situation. From either loss of
112  power or user actions.
113
114### Brownout
115As noted above, a brownout condition is when AC power can not continue to be
116supplied to the chassis, but the BMC can continue to have power and run.
117
118When this condition occurs, the BMC must:
119- Power system off as quickly as situations requires (or gracefully handle
120  the loss of power if it occurred without warning)
121- Log an error indicating the brownout event has occurred
122- Support the ability for host firmware to indicate a one-time power restore
123  policy if they wish for when the brownout completes
124- Identify when a brownout condition has completed
125- Wait for the brownout to complete and implement the one-time power restore
126  policy. If no one-time policy is defined then run the standard power restore
127  policy defined for the system
128
129BMC firmware must also be able to:
130- Discover if system is in a brownout situation
131  - Run when the BMC first comes up to know if it should implement any automated
132    power-on recovery
133- Not run any power-on recovery logic when a brownout is occurring
134- Tell the host firmware that it is a automated power-on recovery initiated
135  boot when that firmware is what boots the system
136
137### Uninterruptible Power Supply (UPS)
138When a UPS is present and a blackout or brownout condition occurs, the BMC must:
139- Log an error to indicate the condition has occurred
140- If host firmware is running, notify the host firmware of this utility failure
141  condition (this behavior is build-time configurable)
142- If the UPS battery power becomes low and if host firmware is running, notify
143  the host firmware of the condition, indicating a quick power off is required
144  (this behavior is build-time configurable)
145- Log an error if the UPS battery power becomes low and a power loss to the
146  entire system is imminent(i.e. a blackout scenario where BMC will also lose
147  power and UPS is about to run out of power)
148- Not execute any automated power-on recovery logic to prevent power on/off
149  thrasing (this behavior is build-time configurable)
150
151## Proposed Design
152
153### Automated Power-On Recovery
154An application will be run after the chassis and host states have been
155determined which will only run if the chassis power is not on.
156
157This application will look for the one_time setting and use it if its value
158is not `None`. If it does use the one_time setting then it will reset it
159to `None` once it has read it. Otherwise the application will read the
160persistent value of the `PowerRestorePolicy`. The application will then
161run the logic as defined in the Requirements above.
162
163This function will be hosted in phosphor-state-manger and potentially
164x86-power-control.
165
166### BMC and System Recovery Paths
167The BMC state manager application currently looks at a file in the
168sysfs to try and determine the cause of a BMC reboot. It then puts this
169reason in the `RebootCause` property.
170
171One possible cause of a BMC reset is an external reset (EXTRST). There are
172a variety of reasons an external reset can occur. Some systems are adding
173GPIOs to provide additional detail on these types of resets.
174
175A new GPIO name will be added to the [device-tree-gpio-naming.md][dev-tree]
176which reports whether a pin hole reset has occurred on the previous reboot of
177the BMC. The BMC state manager application will enhance its support of the
178`RebootCause` to look for this GPIO and if present, read it and set
179`RebootCause` accordingly when it can either not determine the reason for
180the reboot via the sysfs or sysfs reports a EXTRST reason (in which case
181the GPIO will be utilized to enhance the reboot reason).
182
183If the power recovery software sees the `PinholeReset` reason within the
184`RebootCause` then it will not implement any of its policy. Future BMC
185reboots which are not pin hole reset caused, will cause `RebootCause` to go
186back to a default and therefore power recovery policy will be re-enabled on that
187BMC boot.
188
189The phosphor-state-manager chassis software will not log a blackout error
190if it sees the `PinholeReset` reason (or any other reason that indicates a user
191initiated a reset of the system).
192
193### Blackout
194A new systemd target `obmc-chassis-blackout.target` should be added to
195allow system maintainers to call services in this condition. This new target
196will be called when the BMC detects a blackout. The target will allow for
197system owners to add their own specific services to this new target.
198Phosphor-chassis-state-manager will ensure `obmc-chassis-blackout.target` will
199be called after a blackout.
200
201### Brownout
202The existing `xyz.openbmc_project.State.Chassis` interface will be enhanced to
203support a `CurrentPowerStatus` property.  The existing
204phosphor-chassis-state-manager, which is instantiated per instance of chassis in
205the system, will support a read of this property. The following will be the
206possible returned values for the power status of the target chassis:
207- `Undefined`
208- `BrownOut`
209- `UninterruptiblePowerSupply`
210- `Good`
211
212The phosphor-psu-monitor application within the phosphor-power repository will
213be responsible for monitoring for brownout conditions. It will support a
214per-chassis interface which represents the status of the power going into
215the target chassis. This interface will be generic in that other applications
216could host it to report the status of the power. The state-manager software
217will utilize mapper to look for all implementations of the interface for its
218chassis and aggregate the status (i.e. if any reports a brownout, then
219`BrownOut` will be returned). This interface will be defined in a later update
220to this document.
221
222The application(s) responsible for detecting and reporting chassis power will
223run on startup and discover the correct state for their property. These
224applications will log an error when a brownout occurs and initiate the fast
225power off.
226
227If the system design needs it, the existing one-time function provided by
228phosphor-state-manager for auto power on policy will be utilized for when
229the brownout completes.
230
231When the phosphor-power application detects that a brownout condition has
232completed it will reset its interface representing power status to good and
233start the state-manager service which executes the automated power-on logic.
234
235phosphor-state-manager will ensure automated power-on recovery logic is only run
236when the power supply interface reports the power status is good. If there are
237multiple chassis and/or host instances in the system then the host instances
238associated with the chassis(s) with a bad power status will be the only ones
239prevented from booting.
240
241### Uninterruptible Power Supply (UPS)
242A new phosphor-dbus-interface will be defined to represent a UPS. A BMC
243application will implement one of these per UPS attached to the system.
244This application will monitor UPS status and monitor for the following:
245- UPS utility fail (system power has failed and UPS is providing system power)
246- UPS battery low (UPS is about to run out of power)
247
248If the application sees power has been lost and the system is running on
249UPS battery power then it will monitor for the power remaining in the UPS and
250notify the host that a shutdown is required if needed. This application
251will also be responsible for logging an error indicating the UPS backup power
252has been switched to and set the appropriate property in their interface to
253indicate the scenario is present when the system can no longer remain on.
254phosphor-state-manager will query mapper for implementation of this new UPS
255interface and utilize them in combination with power supply brownout status
256when determining the value to return for its `CurrentPowerStatus`.
257
258Similar to the above brownout scenario, phosphor-state-manager will ensure
259automated power-on recovery logic is not run if `PowerStatus` is not set to
260`Good`. This behavior will be build-time configurable within
261phosphor-state-manager.
262
263## Alternatives Considered
264None, this is a pretty basic feature that does not have a lot of alternatives
265(other then just not doing it).
266
267## Impacts
268None
269
270## Testing
271The control of this policy can already bet set via the Redfish API.
272```
273#  Power Restore Policy
274curl -k -X PATCH -d '{"PowerRestorePolicy":"AlwaysOn"}' https://${bmc}/redfish/v1/Systems/system
275curl -k -X PATCH -d '{"PowerRestorePolicy":"AlwaysOff"}' https://${bmc}/redfish/v1/Systems/system
276curl -k -X PATCH -d '{"PowerRestorePolicy":"LastState"}' https://${bmc}/redfish/v1/Systems/system
277```
278For testing, each policy should be set and verified. The one_time aspect should
279also be checked for each possible value and verified to only be used once.
280
281Validate that when multiple black outs occur, the firmware continues to try
282and power on the system when policy is `AlwaysOn` or `Restore`.
283
284On supported systems, a pin hole reset should be done with a system that has
285a policy set to always power on. Tester should verify system does not
286automatically power on after a pin hole reset. Verify it does automatically
287power on when a normal reboot of the BMC is done.
288
289A brownout condition should be injected into a system and appropriate paths
290should be verified:
291- Error log generated
292- Host notified (if running and notification possible)
293- System quickly powered off
294- Power recovery function is not run while a brownout is present
295- System automatically powers back on when brownout condition ends (assuming a
296  one-time or system auto power-on recovery policy of `AlwaysOn` or `Restore`)
297
298Plug a UPS into a system and ensure when power is cut to the system that an
299error is logged and the host is notified and allowed to power off.
300
301[pdi-restore]:https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/yaml/xyz/openbmc_project/Control/Power/RestorePolicy.interface.yaml
302[state-mgr]: https://github.com/openbmc/phosphor-state-manager
303[bmc-state]:https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/yaml/xyz/openbmc_project/State/BMC.interface.yaml
304[dev-tree]:https://github.com/openbmc/docs/blob/master/designs/device-tree-gpio-naming.md
305