DOCA App Shield Agent Application Guide

This guide provides process introspection system implementation on top of NVIDIA® BlueField® DPU.

Introduction

App Shield Agent monitors a process in the host system using the DOCA App Shield library.

This security capability helps identify corruption of core processes in the system from an independent and trusted DPU. This is a major and innovate intrusion detection system (IDS) ability since it cannot be provided from inside the host.

The DOCA App Shield Library gives the capability to read, analyze, and authenticate the host (bare metal/VM) memory directly from the DPU.

Using the library, this application hashes the un-writeable memory pages (also unloaded pages) of a specific process and its libraries. Then, at regular intervals, the app authenticates the loaded pages.

The app reports pass/fail after every iteration until the first attestation failure. The reports are both printed to the console and exported to the DOCA Telemetry Service (DTS) using inter-process communication (IPC).

This guide describes how to build secure process monitoring using the DOCA App Shield library, which leverages the DPU's advantages such as hardware-based DMA, integrity, and more.

System Design

The App Shield agent is designed to run independently on the DPU's Arm without hindering the host.

The host's involvement is limited to configuring monitoring of a new process when there is a need to generate the needed ZIP and JSON files to pass to the DPU. This is done at inception ("time 0") which is when the host is still in a "safe" state.

Generating the needed files can be done by running DOCA App Shield's doca_apsh_config.py tool on the host. See DOCA App Shield for more info.

high-level-diagram-version-1-modificationdate-1734469400997-api-v2.png

Application Architecture

The user creates three mandatory files using the DOCA tool doca_apsh_config.py and copies them to the DPU. The application can report attestation results to the:

File
Terminal
DTS

app-shield-arch-version-1-modificationdate-1734469401320-api-v2.png

The files are generated by running doca_apsh_config.py on the host against the process at time zero.

Note

The actions 2-5 recur at regular time intervals.
The App Shield agent requests new attestation from DOCA App Shield library.
The DOCA App Shield library creates a new attestation:
1. Scans and hashes process memory pages (that are currently in use).
2. Compares the hash to the original hash.
3. Creates attestation for each lib/exe involved in the process. Each of attestation includes the number of valid pages and the number of pages.
The App Shield agent searches each attestation for inconsistency between number of used pages and number of valid pages.
The App Shield agent reports results with a timestamp and scan count to:
1. Local telemetry files – a folder and files representing the data a real DTS would have received. These files are used for the purposes of this example only as normally this data is not exported into user-readable files.
2. DOCA log (without scan count).
3. DTS IPC interface (even if no DTS is active).
The App Shield agent exits on first attestation failure.

DOCA Libraries

This application leverages the following DOCA libraries:

Refer to their respective programming guide for more information.

Compiling the Application

Info

Please refer to the DOCA Installation Guide for Linux for details on how to install BlueField-related software.

The installation of DOCA's reference applications contains the sources of the applications, alongside the matching compilation instructions. This allows for compiling the applications "as-is" and provides the ability to modify the sources, then compile a new version of the application.

Tip

For more information about the applications as well as development and compilation tips, refer to the DOCA Reference Applications page.

The sources of the application can be found under the application's directory: /opt/mellanox/doca/applications/app_shield_agent/.

Compiling All Applications

All DOCA applications are defined under a single meson project. So, by default, the compilation includes all of them.

To build all the applications together, run:

Copy
Copied!

            
            cd /opt/mellanox/doca/applications/
meson /tmp/build 
ninja -C /tmp/build

Info

doca_app_shield_agent is created under /tmp/build/app_shield_agent/.

Compiling Only the Current Application

To build only the App Shield Agent application:

Copy
Copied!

            
            cd /opt/mellanox/doca/applications/
meson /tmp/build -Denable_all_applications=false -Denable_app_shield_agent=true
ninja -C /tmp/build

Info

doca_app_shield_agent is created under /tmp/build/app_shield_agent/.

Alternatively, the user can set the desired flags in the meson_options.txt file instead of providing them in the compilation command line:

Edit the following flags in /opt/mellanox/doca/applications/meson_options.txt:
- Set enable_all_applications to false
- Set enable_app_shield_agent to true

Run the following compilation commands :

Copy
Copied!

            
            cd /opt/mellanox/doca/applications/
meson /tmp/build 
ninja -C /tmp/build

Info

doca_app_shield_agent is created under /tmp/build/app_shield_agent/.

Troubleshooting

Refer to the DOCA Troubleshooting for any issue encountered with the compilation of the application .

Running the Application

Prerequisites

Configure the BlueField's firmware.

On the BlueField system, configure the PF base address register and NVMe emulation. Run:

Copy
Copied!

            
            dpu> mlxconfig -d /dev/mst/mt41686_pciconf0 s PF_BAR2_SIZE=2 PF_BAR2_ENABLE=1 NVME_EMULATION_ENABLE=1

Perform a BlueField system reboot for the mlxconfig settings to take effect.

You may verify these configurations using the following command:

Copy
Copied!

            
            dpu> mlxconfig -d /dev/mst/mt41686_pciconf0 q | grep -E "NVME|BAR"

Download target system (host/VM) symbols.

For Ubuntu:

Copy
Copied!

            
            host> sudo tee /etc/apt/sources.list.d/ddebs.list << EOF
deb http://ddebs.ubuntu.com/ $(lsb_release -cs) main restricted universe multiverse
deb http://ddebs.ubuntu.com/ $(lsb_release -cs)-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com/ $(lsb_release -cs)-proposed main restricted universe multiverse
EOF
host> sudo apt install ubuntu-dbgsym-keyring
host> sudo apt-get update
host> sudo apt-get install linux-image-$(uname -r)-dbgsym

For CentOS:

Copy
Copied!

            
            host> yum install --enablerepo=base-debuginfo kernel-devel-$(uname -r) kernel-debuginfo-$(uname -r) kernel-debuginfo-common-$(uname -m)-$(uname -r)

No action is needed for Windows

Perform IOMMU passthrough. This stage is only necessary if IOMMU is not enabled by default (e.g., when the host is using an AMD CPU).
Note
Skip this step if you are not sure whether it is needed. Return to it only if DMA fails with a message similar to the following in dmesg:
Copy

Copied!

host> dmesg [ 3839.822897] mlx5_core 0000:81:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0047 address=0x2a0aff8 flags=0x0000]
1. Locate your OS's grub file (most likely /boot/grub/grub.conf, /boot/grub2/grub.cfg, or /etc/default/grub) and open it for editing. Run:
  Copy
  
  Copied!
```
            
            host> vim /etc/default/grub
        
```
2. Search for the line defining GRUB_CMDLINE_LINUX_DEFAULT and add the argument iommu=pt. For example:
  Copy
  
  Copied!
```
            
            GRUB_CMDLINE_LINUX_DEFAULT="iommu=pt <intel/amd>_iommu=on"
        
```
3. Run:
  
  Note
  
  Prior to performing a power cycle, make sure to do a graceful shutdown.
  - For Ubuntu:
    Copy
    
    Copied!
    
    host> sudo update-grub host> ipmitool power cycle
  - For CentOS:
    Copy
    
    Copied!
    
    host> grub2-mkconfig -o /boot/grub2/grub.cfg host> ipmitool power cycle
  - For Windows targets, turn off Hyper-V capability.

Prepare target:

Install DOCA on the target system.

Create the ZIP and JSON files. Run:

Copy
Copied!

            
            target-system> cd /opt/mellanox/doca/tools/
target-system> python3 doca_apsh_config.py --pid <pid-of-process-to-monitor> --os <windows/linux> --path <path to dwarf2json executable  or pdbparse-to-json.py>
target-system> cp /opt/mellanox/doca/tools/*.* <shared-folder-with-baremetal>
dpu> scp <shared-folder-with-baremetal>/* <path-to-app-shield-binary>

If the target system does not have DOCA installed, the script can be copied from the BlueField.

The required dwaf2json and pdbparse-to-json.py are not provided with DOCA.

Note

If the kernel and process .exe have not changed, there no need to redo this step.

Application Execution

The App Shield Agent application is provided in source form; hence a compilation is required before the application can be executed.

Application usage instructions:

Copy
Copied!

            
            Usage: doca_app_shield_agent [DOCA Flags] [Program Flags]
 
DOCA Flags:
  -h, --help                        Print a help synopsis
  -v, --version                     Print program version information
  -l, --log-level                   Set the (numeric) log level for the program <10=DISABLE, 20=CRITICAL, 30=ERROR, 40=WARNING, 50=INFO, 60=DEBUG, 70=TRACE>
  --sdk-log-level                   Set the SDK (numeric) log level for the program <10=DISABLE, 20=CRITICAL, 30=ERROR, 40=WARNING, 50=INFO, 60=DEBUG, 70=TRACE>
  -j, --json <path>                 Parse all command flags from an input json file
 
Program Flags:
  -p, --pid                         Process ID of process to be attested
  -e, --ehm <path>                  Exec hash map path
  -m, --memr <path>                 System memory regions map
  -f, --vuid                        VUID of the System device
  -d, --dma                         DMA device name
  -o, --osym <path>                 System OS symbol map path
  -s, --osty <windows|linux>        System OS type - windows/linux
  -t, --time <seconds>              Scan time interval in seconds

Info

This usage printout can be printed to the command line using the -h (or --help) options:

Copy
Copied!

            
            ./doca_app_shield_agent -h

Info

For additional information, please refer to section "Command Line Flags".

CLI example for running the application on the BlueField:

Copy
Copied!

            
            ./doca_app_shield_agent -p 13577 -e hash.zip -m mem_regions.json -o symbols.json -f MT2125X03335MLNXS0D0F0VF1 -d mlx5_0 -t 3 -s linux

Note

All used identifiers (-f , -p and -d flags) should match the identifier of the desired devices and processes.

Command Line Flags

Flag Type	Short Flag	Long Flag	Description
General flags	`h`	`help`	Print a help synopsis
	`v`	`version`	Print program version information
	`l`	`log-level`	Set the log level for the application: DISABLE=10 CRITICAL=20 ERROR=30 WARNING=40 INFO=50 DEBUG=60 TRACE=70 (requires compilation with `TRACE` log level support)
	N/A	`sdk-log-level`	Set the log level for the program: DISABLE=10 CRITICAL=20 ERROR=30 WARNING=40 INFO=50 DEBUG=60 TRACE=70
	`j`	`json`	Parse all command flags from an input JSON file
Program flags	`p`	`pid`	PID of the process to be attested
	`e`	`ehm`	Path to the pre-generated `hash.zip` file transferred from the host
	`m`	`memr`	Path to the pre-generated `mem_regions.json` file transferred from the host
	`f`	`pcif`	System PCIe function vendor unique identifier (VUID) of the VF/PF exposed to the target system. Used for DMA operations. To obtain this argument, run: Copy Copied! `target-system> lspci -vv \| grep "\[VU\] Vendor specific:"` Example output: Copy Copied! `[VU] Vendor specific: MT2125X03335MLNXS0D0F0 [VU] Vendor specific: MT2125X03335MLNXS0D0F1` Two VUIDs are printed for each DPU connected to the target system. The first is of the DPU on pf0 and the second is of the DPU on port `pf1`. Note Running this command on the DPU outputs VUIDs with an additional "EC" string in the middle. You must remove the "EC" to arrive at the correct VUID. The VUID of a VF allocated on PF0/1 is the VUID of the PF with an additional suffix, `VF<vf-number>`, where `vf-number` is the VF index +1. For example, for the output in the example above: PF0 VUID = MT2125X03335MLNXS0D0F0 PF1 VUID = MT2125X03335MLNXS0D0F1 VUID of VF0 on PF0 = MT2125X03335MLNXS0D0F0VF1 VUIDs are persistent even on reset.
	`d`	`dma`	DMA device name to use
	`o`	`osym`	Path to the pre-generated `symbols.json` file transferred from the host
	`s`	`osty`	OS type (`windows` or `linux`) of the system where the process is running
	`t`	`time`	Number of seconds to sleep between scans

Info

Refer to DOCA Arg Parser for more information regarding the supported flags and execution modes.

Troubleshooting

Refer to the DOCA Troubleshooting for any issue encountered with the installation or execution of the DOCA applications.

Application Code Flow

Parse application argument.

Initialize arg parser resources and register DOCA general parameters.
Copy

Copied!
```
            
            doca_argp_init();
        
```

Register application parameters.

Copy
Copied!

            
            register_apsh_params();

Parse the arguments.

Copy
Copied!

            
            doca_argp_start();

Initialize DOCA App Shield lib context.

Create lib context.

Copy
Copied!

            
            doca_apsh_create();

Set DMA device for lib.

Copy
Copied!

            
            doca_devinfo_list_create();
doca_dev_open();
doca_devinfo_list_destroy();
doca_apsh_dma_dev_set();

Start the context

Copy
Copied!

            
            doca_apsh_start();
apsh_system_init();

Initialize DOCA App Shield lib system context handler.

Get the representor of the remote PCIe function exposed to the system.

Copy
Copied!

            
            doca_devinfo_remote_list_create();
doca_dev_remote_open();
doca_devinfo_remote_list_destroy();

Create and start the system context handler.

Copy
Copied!

            
            doca_apsh_system_create();
doca_apsh_sys_os_symbol_map_set();
doca_apsh_sys_mem_region_set();
doca_apsh_sys_dev_set();
doca_apsh_sys_os_type_set();
doca_apsh_system_start();

Find target process by pid.

Copy
Copied!

            
            doca_apsh_processes_get();

Telemetry initialization.
Copy

Copied!
```
            
            telemetry_start();
        
```
1. Initialize a new telemetry schema.
2. Register attestation type event.
3. Set up output to file (in addition to default IPC).
4. Start the telemetry schema.
5. Initialize and start a new DTS source with the gethostname() name as source ID.

Get initial attestation of the process.

Copy
Copied!

            
            doca_apsh_attestation_get();

Loop until attestation validation fail.

Copy
Copied!

            
            doca_apsh_attst_refresh();
/* validation logic */
doca_telemetry_exporter_source_report();
DOCA_LOG_INFO();
sleep();

DOCA App Shield Agent destroy.

Copy
Copied!

            
            doca_apsh_attestation_free();
doca_apsh_processes_free();
doca_apsh_system_destroy();
doca_apsh_destroy();
doca_dev_close();
doca_dev_remote_close();

Telemetry destroy.

Copy
Copied!

            
            telemetry_destroy();

Arg parser destroy.

Copy
Copied!

            
            doca_argp_destroy();

References

/opt/mellanox/doca/applications/app_shield_agent/

On This Page