Disable transceivers which reply with too many NACKs

[mkeeter]

We track NACKs on a per-port basis. If we see too many (3), then we disable the port at the Hubris level.

When disabled:

• The port is powered off, reset is asserted, and lpmode is not asserted (to prevent leakage)
• UDP messages to change power, reset, and lpmode are rejected with a new HwError::DisabledBySp error type
• Ports are skipped in the thermal loop
• The new StatusV2 request/response includes StatusV2::DISABLED_BY_SP in the bitfield

Ports must be explicitly re-enabled with the HostRequest::ClearDisableLatch.

Open questions:

• Bikeshedding about names for HwError::DisabledBySp and HostRequest::ClearDisableLatch, since I don't love either of them
• Should we also reject the Idol APIs to change transceiver state when disabled? Probably!

[Aaron-Hartwig]

This broadly looks good, but I've left a couple thoughts on where I think we should make changes.

[Aaron-Hartwig]

While asserting LPMode makes sense, in reality driving LPMode to some modules while they're unpowered causes other 3V3 issues, so we want this step to be deassert_lpmode. Our investigations of this on the board: https://github.com/oxidecomputer/hardware-qsfp-x32/issues/47#issuecomment-1329846157

[mkeeter]

thanks, I remembered the leakage issue but got the sign wrong here!

[Aaron-Hartwig]

Suggested change

	/// where a `ModuleResult` is returned, use sandle_errors_and_failures
	/// where a `ModuleResult` is returned, use handle_errors_and_failures

[mkeeter]

Fixed, thanks!

[Aaron-Hartwig]

Just putting a reminder here to rename this to align with w/e we land on.

[mkeeter]

Yes, renamed to get_extended_status

[mkeeter]

I think this and oxidecomputer/transceiver-control#113 are read to go.

I tested on the niles Sidecar by adding a Chaos Monkey that gives a 50% change of failing every transceiver temperature read operation. Sure enough, this caused it to disable transceivers after some amount of time:

 NDX LINE      GEN    COUNT PAYLOAD
   4  336        1        1 GetInterfaceError(0x0, NotInitialized)
   5  336        1        1 GetInterfaceError(0x1, NotInitialized)
   6  336        1        1 GetInterfaceError(0x0, NotInitialized)
   7  336        1        1 GetInterfaceError(0x1, NotInitialized)
   8  336        1        1 GetInterfaceError(0x0, NotInitialized)
   9  336        1        1 GetInterfaceError(0x1, NotInitialized)
  10  336        1        1 GetInterfaceError(0x0, NotInitialized)
  11  336        1        1 GetInterfaceError(0x1, NotInitialized)
  12  295        1        1 GotInterface(0x0, Sff8636)
  13  295        1        1 GotInterface(0x1, Sff8636)
  14  408        1        2 TemperatureReadError(0x0, I2cAddressNack)
  15  408        1        1 TemperatureReadError(0x1, I2cAddressNack)
   0  408        2        1 TemperatureReadError(0x0, I2cAddressNack)
   1  461        2        1 DisablingPorts(LogicalPortMask(0x1))
   2  408        2       33 TemperatureReadError(0x1, I2cAddressNack)
   3  461        2        1 DisablingPorts(LogicalPortMask(0x2))

(it's probabilistic, since we have to have 3 failures in a row)

Once ports are disabled, we see it in xcvradm:

matt@niles ~ () $ ./xcvradm -iaxf4 -pfe80::aa40:25ff:fe05:ff00 -t0,1 status
Port Status
   0 PRESENT | RESET | INTERRUPT | DISABLED_BY_SP
   1 PRESENT | RESET | INTERRUPT | DISABLED_BY_SP

We get reasonable errors from xcvradm when performing Forbidden Operations:

matt@niles ~ () $ ./xcvradm -iaxf4 -pfe80::aa40:25ff:fe05:ff00 -t0,1 read-lower --sff 0 4
Port Data
   1 [0x11,0x08,0x00,0xf0]
Some operations failed, errors below
Port Error
   0 Hardware error accessing module 0: Port is disabled by the SP

(time passes, port 1 also gets disabled by Hubris)

matt@niles ~ () $ ./xcvradm -iaxf4 -pfe80::aa40:25ff:fe05:ff00 -t0,1 enable-power
Some operations failed, errors below
Port Error
   0 Hardware error accessing module 0: Port is disabled by the SP
   1 Hardware error accessing module 1: Port is disabled by the SP

Resetting the disabled flag with xcvradm clear-disable-latch allows us to power the transceivers back on and read from them, although they power off stochastically due to the Chaos Monkey.

[Aaron-Hartwig]

Thanks for tackling this!

[bnaecker]

A few style nits, but all functionality LGTM!

[bnaecker]

It seems like we'd want to saturate instead of wrap, though I hope that's pretty unlikely in any case.

[mkeeter]

Good catch, I failed my coin flip. Fixed in 5100704

[bnaecker]

There's an all_sidecar() helper function to return the lower 32 bits, so you could use that and negate it.

[mkeeter]

I don't see a function with this name anywhere in Hubris, can you point me to it?

[bnaecker]

Ah, sorry for the confusion. It’s a public constructor on the ModuleId type.

[mkeeter]

Hmmm, I see ModuleId::all(), but that actually sets every bit, including the invalid ones. Anyways, the 0xffffffff00000000 pattern was pre-existing, so I'm fine leaving it as-is.

[bnaecker]

@mkeeter Yeah, that's fine it's a nit. Here's the method I was referring to.