|Firmware Based Attestation Flow|
Attestation is the cryptographic reporting of a device's security configuration, used by a platform to establish trust in the device. The device's security configuration includes (but is not limited to) its identity, the code it is running and the states of security-related mechanisms and assets.
This new capability enables the BMC to attest the device over the SPDM protocol. The feature works for secure NICs with production certificates installed. The SPDM protocol is defined in DMTF DSP0274 v1.1.0.
Currently the following SPDM commands are supported:
Since CHALLENGE and GET_MEASUREMENTS are not functional yet, when they are called, the NIC will respond with RESPONSE_NOT_READY.
Added support for 100G & 200G optical cables (InfiniBand & Ethernet).
Please note this support comes with a limitation when connecting ConnectX-7 to a ConnectX-6 Dx or an NVIDIA Spectrum-3 as described in Known Issues 3070409.
|Bug Fixes||See Bug Fixes section.|
This is the initial firmware release of NVIDIA® ConnectX®-7 adapter cards.
ConnectX-7 has the same feature set as the ConnectX-6 adapter card. For the list of the ConnectX-6 firmware features, please see the ConnectX-6 Firmware Release Notes.
The features described here are new features in addition to the ConnectX-6 set.
|200Gb/s Throughput on Crypto Capable Devices|
Enabled 200Gb/s out-of-the-box throughput on crypto capable devices.
Note: If any crypto offload is in use, 200Gb/s throughput can be achieved only after the next firmware reset.
|VF Migration||Added support for VF migration. The hypervisor can now suspend its VF, meaning that from that point the VF cannot perform actions such as sending/receiving traffic or running any command. In this firmware version, only the suspend/resume mode is supported (on the same VM).|
|MADs||Added a new MAD of class SMP that has the attributes |
|VF Migration||Added support for VF migration.|
[Beta] A single DCI can be connected to only one target at a time and cannot start a new connection until the previous work request is completed. To avoid the delays that occur when the initiator process needs to transfer data to multiple targets at the same time, a new offload process (DCS) is introduced to handle the work requests and spread them across many DCIs according to destination.
Note: In this firmware version, the following actions are not supported:
|Strided KLM||Added support for large strided KLM (KLM is an MKEY access mode which allows MKEY usage with different window sizes).|
|NV Configurations via the Relevant Reset Flow||Added |
Note: If the Keep Link Up NV configuration is changed, phyless reset will be blocked.
|ICM Pages||Added a new register (|
|Livefish Mode||Enables the user to burn firmware via MTUSB when in livefish mode.|
|Media Access Control Security Offload|
Media Access Control Security Offload allows the NIC to accelerate MACsec operation. MACsec offload handles packets inline, as they pass through the NIC.
For inbound packets, the host receives plaintext packets (for instance MAC|ETH|IP|TCP), while on the network these packets are encrypted, authenticated and encapsulated within a SecTag header. The reverse applies to outbound packets.
|NetworkPort Schema Replacement||Replaced the deprecated NetworkPort schema with Port schema in NIC RDE implementation.|
|Steering Definer||Added support for creating a steering definer with a dword selector using |
|XRQ QP Errors Enhancements||Enhanced the XRQ QP error information provided to the user in case QP goes into an error state. In such case, QUERY_QP will provide information on the syndrome type and which side caused|
|HW Steering: WQE Insertion Rules|
[Beta] Added HW Steering support for the following:
|ibstat||Updated the ibstat status reported when the phy link is down. Now |
|Congestion Control||Enabled APU-based programmable congestion control capability with multiple algorithms.|
|ZTRCC||Added support for advanced ZTR_RTTCC algorithm based on the Programmable CC platform to achieve better congestion control without dependency on the switch ECN marking.|
|SMPs||Disabled the option to send SMPs from unauthorized hosts.|
|SW Steering Cache||Modified the TX or RX cache invalidation behavior. TX or RX cache invalidation no longer occurs automatically; it occurs only when the software performs the sync operation using the sync_steering command.|
|Mega Allocations in Bulk Allocator Mechanism||Modified the maximum bulk size per single allocation from |
|SNAPI: Comm-Channel||Added support for SNAPI (comm-channel) connection while running on raw ETH link.|
|Changing all the Crypto Features to Wrapped or Cleartext|
Crypto features can be in either wrapped or unwrapped mode, meaning the key can be wrapped or in plaintext when running the CREATE_DEK PRM command. To comply with the requirements specified in the FIPS publication, all created DEKs must be wrapped.
This feature adds new
|ICM Direct Access by the Software to write/modify the DEK Objects|
[Beta] This new capability enables the software to directly access ICM and write/modify the DEK objects. This change improves the DEK object update rate by re-using a DEK object instead of creating a new one.
In addition, added the following:
|Page Tracking During VM Migration||To allow page tracking during VM migration, this new capability enables the user to mark all the modified pages and report them to the software, in order to copy the memory without stopping the VM, and only copy a small number of pages (the ones that were modified in the last iteration) after stopping the VM.|