NVIDIA BlueField DPU Modes of Operation
Date: 2021-10-05
This document describes the modes of operation available for NVIDIA® BlueField® DPU.
The NVIDIA® BlueField® DPU has several modes of operation:
- Separated host mode (symmetric model)
- Embedded function (ECPF) ownership where the embedded Arm system controls the NIC resources and data path (default)
- Restricted mode which is an extension of the ECPF ownership with additional restrictions on the host side
Each one of the modes can be applied individually to each one of the physical ports of the DPU.
In separated host mode, the ECPF and the function exposed to the host are both symmetric. Each of these functions has its own MAC address and can send and receive Ethernet and RDMA over Converged Ethernet (RoCE) traffic.
There is no dependency between the two functions. They can operate simultaneously or separately. The host can communicate with the embedded function as two separate hosts, each with its own MAC and IP addresses (configured as a standard interface). An RDMA connection between the two interfaces is supported as well.
There is an equal bandwidth share between the two functions.
The limitations of this mode are as follows:
- Switchdev (virtual switch offload) mode is not supported on either of the functions
- SR-IOV is only supported on the host side
2.1. Configuring Separated Host Mode from ECPF Mode
On the server host, follow these steps:
- Enable separated host mode. Run:
$ mst start
$ mlxconfig -d /dev/mst/mt41682_pciconf0 s INTERNAL_CPU_MODEL=0
- Power cycle.
- Verify configuration. Run:
$ mst start
$ mlxconfig -d /dev/mst/mt41682_pciconf0 q | grep -i model
- Remove the OVS bridge configuration on the Arm side. Run:
$ ovs-vsctl del-br ovsbr1
$ ovs-vsctl del-br ovsbr2
Embedded function ownership mode, also known as ECPF or DPU mode, is the default mode for BlueField DPU.
In ECPF mode, the NIC resources and functionality are owned and controlled by the embedded Arm subsystem. A network function is still exposed to the host, but it has limited privileges. In particular:
- The driver on the host side can only be loaded after the driver on the embedded side has loaded and completed NIC configuration.
- All ICM (Interface Configuration Memory) is allocated by the ECPF and resides in the embedded host memory.
- The ECPF controls and configures the NIC embedded switch, which means that traffic to and from the host interface always lands on the Arm side.
There are two ways to pass traffic to the host interface: either use representors to forward traffic to the host (every packet to or from the host is then also handled by the network interface on the embedded Arm side), or push rules to the embedded switch that allow and offload this traffic.
3.1. Configuring ECPF Mode from Separated Host Mode
To enable this mode:
- Start MST (Mellanox Software Tools) driver set service:
$ mst start
- Identify the MST device:
$ mst status -v
MST modules:
------------
    MST PCI module is not loaded
    MST PCI configuration module loaded
PCI devices:
------------
DEVICE_TYPE         MST                            PCI       RDMA     NET          NUMA
BlueField(rev:0)    /dev/mst/mt41682_pciconf0.1    37:00.1   mlx5_1   net-ens1f1   0
BlueField(rev:0)    /dev/mst/mt41682_pciconf0      37:00.0   mlx5_0   net-ens1f0   0
- Run the following commands on the Arm:
$ mlxconfig -d /dev/mst/mt41682_pciconf0 s INTERNAL_CPU_MODEL=1
$ mlxconfig -d /dev/mst/mt41682_pciconf0.1 s INTERNAL_CPU_MODEL=1
- Power cycle the server.
Note: If OVS bridges ovsbr1 and ovsbr2 are not created (ovs-vsctl show), make sure CREATE_OVS_BRIDGES="yes" in /etc/mellanox/mlnx-ovs.conf.
By default, the host server has the same permissions as the Arm cores.
For security and isolation purposes, it is possible to restrict the host from performing operations that can compromise the DPU. The following operations can be restricted individually when changing the DPU host to restricted mode:
- Port ownership – the host cannot assign itself as port owner
- Hardware counters – the host does not have access to hardware counters
- Tracer functionality is blocked
- RShim interface is blocked
- FW flash is restricted
4.1. Enabling Host Restriction
To enable host restriction:
- Start the MST service.
$ mst start
- Set restricted mode. From the Arm side, run:
$ mlxprivhost -d /dev/mst/mt41682_pciconf0 r --disable_rshim --disable_tracer --disable_counter_rd --disable_port_owner
Note: If RShim is disabled, power cycle is required.
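After enabling host restriction, it is worth confirming that each restriction is actually in effect rather than assuming the command succeeded. The script below is an added example, not NVIDIA's code: it assumes that `mlxprivhost -d <device> q` prints `name : value` lines in the layout of the constructed samples, and the function names and the MST_DEV variable are hypothetical.

```shell
# Added example: audit host-restriction state from mlxprivhost query output.
# Assumption: `mlxprivhost -d <dev> q` prints "name : value" lines as in the
# constructed samples below; verify the layout against your MFT version.

# The four restrictions this page enables with `mlxprivhost ... r`.
REQUIRED_FLAGS="disable_rshim disable_tracer disable_counter_rd disable_port_owner"

# Constructed sample: fully restricted host.
SAMPLE_RESTRICTED='level                         : RESTRICTED
disable_rshim                 : TRUE
disable_tracer                : TRUE
disable_port_owner            : TRUE
disable_counter_rd            : TRUE'

# Constructed sample: restricted, but RShim is still reachable from the host.
SAMPLE_PARTIAL='level                         : RESTRICTED
disable_rshim                 : FALSE
disable_tracer                : TRUE
disable_port_owner            : TRUE
disable_counter_rd            : TRUE'

# field_value NAME: read query output on stdin, print NAME's value in upper case.
field_value() {
    awk -F: -v key="$1" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print toupper(v); exit }'
}

# audit_restriction TEXT: print one FAIL line per gap; return 0 only if none.
audit_restriction() {
    out=$1; rc=0
    level=$(printf '%s\n' "$out" | field_value level)
    if [ "$level" != "RESTRICTED" ]; then
        echo "FAIL level=${level:-missing} (host is not restricted)"; rc=1
    fi
    for flag in $REQUIRED_FLAGS; do
        val=$(printf '%s\n' "$out" | field_value "$flag")
        if [ "$val" != "TRUE" ]; then
            echo "FAIL $flag=${val:-missing}"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK host restricted, all four restrictions active"
    return "$rc"
}

# Live use on the Arm side: set MST_DEV (hypothetical name) to the MST device.
if [ -n "${MST_DEV:-}" ]; then
    audit_restriction "$(mlxprivhost -d "$MST_DEV" q)"
fi
```

A missing field is reported as a failure rather than skipped, so a change in the tool's output format shows up as an audit gap instead of a silent pass.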
4.2. Disabling Host Restriction
To disable host restriction, set the mode to privileged mode:
$ mlxprivhost -d /dev/mst/mt41682_pciconf0 p
The configuration takes effect immediately.
If reverting from "rshim-disabled" mode, a system power cycle is required.
