What can I help you with?
DOCA Documentation v3.0.0

DOCA App Shield Agent Application Guide

The App Shield Agent uses the DOCA App Shield library to monitor processes running on the host system. This security feature allows for the detection of core process corruption from a trusted, independent DPU, providing an intrusion detection system (IDS) that otherwise cannot be achieved from within the host itself.

The DOCA App Shield library enables the DPU to directly read, analyze, and verify the memory of the host, whether it's a bare metal system or a virtual machine. By using this library, the application calculates cryptographic hashes of non-writable memory pages, including those that are unloaded, for a specific process and its associated libraries. It then periodically re-verifies these pages to identify any unauthorized changes.

After each check, the application outputs a pass or fail attestation result, continuing the process until the first failure is detected. These results are logged to the console and also sent to the DOCA Telemetry Service (DTS) via inter-process communication (IPC).

This guide illustrates how to implement secure process monitoring using the DOCA App Shield library, taking advantage of the BlueField DPU's capabilities, such as hardware-accelerated DMA and root-of-trust integrity enforcement.

The App Shield agent is designed to operate independently on the DPU's Arm core without impacting the host system's performance.

The host's role is minimal and primarily involves configuring the monitoring of a new process when necessary. This configuration includes generating the required ZIP and JSON files, which are then passed to the DPU. This setup is performed at the initial stage, often referred to as "time 0," when the host is still in a "safe" state.

To generate these files, use the doca_apsh_config.py tool provided by DOCA App Shield. For detailed information, refer to DOCA App Shield.

high-level-diagram-version-1-modificationdate-1744050172100-api-v2.png

The user creates three mandatory files using the DOCA tool doca_apsh_config.py and copies them to the DPU. The application can report attestation results to the:

  • File

  • Terminal

  • DTS

app-shield-arch-version-1-modificationdate-1744050171763-api-v2.png

  1. The files are generated by running doca_apsh_config.py on the host against the process at time zero.

    Note

    The actions 2-5 recur at regular time intervals.

  2. The App Shield agent requests new attestation from DOCA App Shield library.

  3. The DOCA App Shield library creates a new attestation:

    1. Scans and hashes process memory pages (that are currently in use).

    2. Compares the hash to the original hash.

    3. Creates attestation for each lib/exe involved in the process. Each of attestation includes the number of valid pages and the number of pages.

  4. The App Shield agent searches each attestation for inconsistency between number of used pages and number of valid pages.

  5. The App Shield agent reports results with a timestamp and scan count to:

    1. Local telemetry files – a folder and files representing the data a real DTS would have received. These files are used for the purposes of this example only as normally this data is not exported into user-readable files.

    2. DOCA log (without scan count).

    3. DTS IPC interface (even if no DTS is active).

  6. The App Shield agent exits on first attestation failure.

This application leverages the following DOCA libraries:

Refer to their respective programming guide for more information.

Info

Please refer to the DOCA Installation Guide for Linux for details on how to install BlueField-related software.

The installation of DOCA's reference applications contains the sources of the applications, alongside the matching compilation instructions. This allows for compiling the applications "as-is" and provides the ability to modify the sources, then compile a new version of the application.

Tip

For more information about the applications as well as development and compilation tips, refer to the DOCA Reference Applications page.

The sources of the application can be found under the application's directory: /opt/mellanox/doca/applications/app_shield_agent/.

Compiling All Applications

All DOCA applications are defined within a single meson project. Therefore, by default, the compilation process includes all of them.

To build all the applications together, run:

Copy
Copied!
            

cd /opt/mellanox/doca/applications/ meson /tmp/build ninja -C /tmp/build

Info

doca_app_shield_agent is created under /tmp/build/app_shield_agent/.


Compiling Only the Current Application

To build only the App Shield Agent application:

Copy
Copied!
            

cd /opt/mellanox/doca/applications/ meson /tmp/build -Denable_all_applications=false -Denable_app_shield_agent=true ninja -C /tmp/build

Info

doca_app_shield_agent is created under /tmp/build/app_shield_agent/.

Alternatively, you can set the flags in the meson_options.txt file instead of providing them in the compilation command line:

  1. Edit the following flags in /opt/mellanox/doca/applications/meson_options.txt:

    • Set enable_all_applications to false

    • Set enable_app_shield_agent to true

  2. Run the following compilation commands :

    Copy
    Copied!
                

    cd /opt/mellanox/doca/applications/ meson /tmp/build ninja -C /tmp/build

    Info

    doca_app_shield_agent is created under /tmp/build/app_shield_agent/.

Prerequisites

  1. Configure the BlueField's firmware.

    1. On the BlueField system, configure the PF base address register and NVMe emulation. Run:

      Copy
      Copied!
                  

      dpu> mlxconfig -d /dev/mst/mt41686_pciconf0 s PF_BAR2_SIZE=2 PF_BAR2_ENABLE=1 NVME_EMULATION_ENABLE=1 

    2. Perform a BlueField system reboot for the mlxconfig settings to take effect.

    3. You may verify these configurations using the following command:

      Copy
      Copied!
                  

      dpu> mlxconfig -d /dev/mst/mt41686_pciconf0 q | grep -E "NVME|BAR"

  2. Download target system (host/VM) symbols.

    • For Ubuntu:

      Copy
      Copied!
                  

      host> sudo tee /etc/apt/sources.list.d/ddebs.list << EOF deb http://ddebs.ubuntu.com/ $(lsb_release -cs) main restricted universe multiverse deb http://ddebs.ubuntu.com/ $(lsb_release -cs)-updates main restricted universe multiverse deb http://ddebs.ubuntu.com/ $(lsb_release -cs)-proposed main restricted universe multiverse EOF host> sudo apt install ubuntu-dbgsym-keyring host> sudo apt-get update host> sudo apt-get install linux-image-$(uname -r)-dbgsym

    • For CentOS:

      Copy
      Copied!
                  

      host> yum install --enablerepo=base-debuginfo kernel-devel-$(uname -r) kernel-debuginfo-$(uname -r) kernel-debuginfo-common-$(uname -m)-$(uname -r)

    • No action is needed for Windows

  3. Perform IOMMU passthrough. This stage is only necessary if IOMMU is not enabled by default (for example, if the host is using an AMD CPU).

    Note

    Skip this step if you are not sure whether it is needed. Return to it only if DMA fails with a message similar to the following in dmesg:

    Copy
    Copied!
                

    host> dmesg [ 3839.822897] mlx5_core 0000:81:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0047 address=0x2a0aff8 flags=0x0000]

    1. Locate your OS's grub file (most likely /boot/grub/grub.conf, /boot/grub2/grub.cfg, or /etc/default/grub) and open it for editing. Run:

      Copy
      Copied!
                  

      host> vim /etc/default/grub

    2. Search for the line defining GRUB_CMDLINE_LINUX_DEFAULT and add the argument iommu=pt. For example:

      Copy
      Copied!
                  

      GRUB_CMDLINE_LINUX_DEFAULT="iommu=pt <intel/amd>_iommu=on"

    3. Run:

      Note

      Prior to performing a power cycle, make sure to do a graceful shutdown.

      • For Ubuntu:

        Copy
        Copied!
                    

        host> sudo update-grub host> ipmitool power cycle

      • For CentOS:

        Copy
        Copied!
                    

        host> grub2-mkconfig -o /boot/grub2/grub.cfg host> ipmitool power cycle

      • For Windows targets, turn off Hyper-V capability.

  4. Prepare target:

    1. Install DOCA on the target system.

    2. Create the ZIP and JSON files. Run:

      Copy
      Copied!
                  

      target-system> cd /opt/mellanox/doca/tools/ target-system> python3 doca_apsh_config.py --pid <pid-of-process-to-monitor> --os <windows/linux> --path <path to dwarf2json executable or pdbparse-to-json.py> target-system> cp /opt/mellanox/doca/tools/*.* <shared-folder-with-baremetal> dpu> scp <shared-folder-with-baremetal>/* <path-to-app-shield-binary>

      If the target system does not have DOCA installed, the script can be copied from the BlueField.

      The required dwaf2json and pdbparse-to-json.py are not provided with DOCA.

      Note

      If the kernel and process .exe have not changed, there no need to redo this step.

Application Execution

  1. The App Shield Agent application is provided in source form, so it needs to be compiled before it can be executed.

    1. Application usage instructions:

      Copy
      Copied!
                  

      Usage: doca_app_shield_agent [DOCA Flags] [Program Flags]   DOCA Flags: -h, --help Print a help synopsis -v, --version Print program version information -l, --log-level Set the (numeric) log level for the program <10=DISABLE, 20=CRITICAL, 30=ERROR, 40=WARNING, 50=INFO, 60=DEBUG, 70=TRACE> --sdk-log-level Set the SDK (numeric) log level for the program <10=DISABLE, 20=CRITICAL, 30=ERROR, 40=WARNING, 50=INFO, 60=DEBUG, 70=TRACE> -j, --json <path> Parse all command flags from an input json file   Program Flags: -p, --pid Process ID of process to be attested -e, --ehm <path> Exec hash map path -m, --memr <path> System memory regions map -f, --vuid VUID of the System device -d, --dma DMA device name -o, --osym <path> System OS symbol map path -s, --osty <windows|linux> System OS type - windows/linux -t, --time <seconds> Scan time interval in seconds

    2. CLI example for running the application on the BlueField:

      Copy
      Copied!
                  

      ./doca_app_shield_agent -p 13577 -e hash.zip -m mem_regions.json -o symbols.json -f MT2125X03335MLNXS0D0F0VF1 -d mlx5_0 -t 3 -s linux

      Note

      All used identifiers (-f , -p and -d flags) should match the identifier of the desired devices and processes.

Command Line Flags

Flag Type

Short Flag

Long Flag

Description

General flags

h

help

Print a help synopsis

v

version

Print program version information

l

log-level

Set the log level for the application:

  • DISABLE=10

  • CRITICAL=20

  • ERROR=30

  • WARNING=40

  • INFO=50

  • DEBUG=60

  • TRACE=70 (requires compilation with TRACE log level support)

N/A

sdk-log-level

Set the log level for the program:

  • DISABLE=10

  • CRITICAL=20

  • ERROR=30

  • WARNING=40

  • INFO=50

  • DEBUG=60

  • TRACE=70

j

json

Parse all command flags from an input JSON file

Program flags

p

pid

PID of the process to be attested

e

ehm

Path to the pre-generated hash.zip file transferred from the host

m

memr

Path to the pre-generated mem_regions.json file transferred from the host

f

pcif

System PCIe function vendor unique identifier (VUID) of the VF/PF exposed to the target system. Used for DMA operations.

To obtain this argument, run:

Copy
Copied!
            

target-system> lspci -vv | grep "\[VU\] Vendor specific:"

Example output:

Copy
Copied!
            

[VU] Vendor specific: MT2125X03335MLNXS0D0F0 [VU] Vendor specific: MT2125X03335MLNXS0D0F1

Two VUIDs are printed for each DPU connected to the target system. The first is of the DPU on pf0 and the second is of the DPU on port pf1.

Note

Running this command on the DPU outputs VUIDs with an additional "EC" string in the middle. You must remove the "EC" to arrive at the correct VUID.

The VUID of a VF allocated on PF0/1 is the VUID of the PF with an additional suffix, VF<vf-number>, where vf-number is the VF index +1.

For example, for the output in the example above:

  • PF0 VUID = MT2125X03335MLNXS0D0F0

  • PF1 VUID = MT2125X03335MLNXS0D0F1

  • VUID of VF0 on PF0 = MT2125X03335MLNXS0D0F0VF1

VUIDs are persistent even on reset.

d

dma

DMA device name to use

o

osym

Path to the pre-generated symbols.json file transferred from the host

s

osty

OS type (windows or linux) of the system where the process is running

t

time

Number of seconds to sleep between scans

Info

Refer to DOCA Arg Parser for more information about supported flags and execution modes.


Troubleshooting

Refer to the DOCA Troubleshooting for any issue encountered with the installation or execution of the DOCA applications.

  1. Parse application argument.

    1. Initialize arg parser resources and register DOCA general parameters.

      Copy
      Copied!
                  

      doca_argp_init();

    2. Register application parameters.

      Copy
      Copied!
                  

      register_apsh_params();

    3. Parse the arguments.

      Copy
      Copied!
                  

      doca_argp_start();

  2. Initialize DOCA App Shield lib context.

    1. Create lib context.

      Copy
      Copied!
                  

      doca_apsh_create();

    2. Set DMA device for lib.

      Copy
      Copied!
                  

      doca_devinfo_list_create(); doca_dev_open(); doca_devinfo_list_destroy(); doca_apsh_dma_dev_set();

    3. Start the context

      Copy
      Copied!
                  

      doca_apsh_start(); apsh_system_init();

  3. Initialize DOCA App Shield lib system context handler.

    1. Get the representor of the remote PCIe function exposed to the system.

      Copy
      Copied!
                  

      doca_devinfo_remote_list_create(); doca_dev_remote_open(); doca_devinfo_remote_list_destroy();

    2. Create and start the system context handler.

      Copy
      Copied!
                  

      doca_apsh_system_create(); doca_apsh_sys_os_symbol_map_set(); doca_apsh_sys_mem_region_set(); doca_apsh_sys_dev_set(); doca_apsh_sys_os_type_set(); doca_apsh_system_start();

  4. Find target process by pid.

    Copy
    Copied!
                

    doca_apsh_processes_get();

  5. Telemetry initialization.

    Copy
    Copied!
                

    telemetry_start();

    1. Initialize a new telemetry schema.

    2. Register attestation type event.

    3. Set up output to file (in addition to default IPC).

    4. Start the telemetry schema.

    5. Initialize and start a new DTS source with the gethostname() name as source ID.

  6. Get initial attestation of the process.

    Copy
    Copied!
                

    doca_apsh_attestation_get();

  7. Loop until attestation validation fail.

    Copy
    Copied!
                

    doca_apsh_attst_refresh(); /* validation logic */ doca_telemetry_exporter_source_report(); DOCA_LOG_INFO(); sleep();

  8. DOCA App Shield Agent destroy.

    Copy
    Copied!
                

    doca_apsh_attestation_free(); doca_apsh_processes_free(); doca_apsh_system_destroy(); doca_apsh_destroy(); doca_dev_close(); doca_dev_remote_close();

  9. Telemetry destroy.

    Copy
    Copied!
                

    telemetry_destroy();

  10. Arg parser destroy.

    Copy
    Copied!
                

    doca_argp_destroy();

  • /opt/mellanox/doca/applications/app_shield_agent/

© Copyright 2025, NVIDIA. Last updated on May 5, 2025.