Secure Host
Secure host is the general term for the capability of a device to protect itself and the subnet from malicious software through mechanisms such as blocking access of untrusted entities to the device configuration registers, directly (through pci_cr or pci_conf) and indirectly (through MADs).
WARNING:
- Once a hardware access key is set, the hardware can be accessed only after the correct key is provided. 
- If a key is lost, please refer to Key Loss Recovery. 
- Hardware access in this mode is allowed only if the correct 64-bit key is provided.
- The secure host feature for ConnectX-3/ConnectX-3 Pro HCAs requires an MLNX_OFED driver installed on the machine.
The Secure Host feature is supported for all NVIDIA® network adapters (listed in Group 1 and Group 2). For Group 1 network adapters, the user is required to generate and burn a firmware image that supports the feature (see “Generating/Burning a Firmware Supporting Secure Host” below).
For Group 2 network adapters, the feature is supported on firmware version 1x.22.1002 or newer.
Generating/Burning a Firmware Supporting Secure Host
- Make sure you have INI and mlx files suitable for the device.
- Add cr_protection_en=true under the [HCA] section in the INI file.
- Generate an image using mlxburn, for example run:
    # mlxburn -fw ./fw-4099-rel.mlx -conf ./secure_host.ini -wrimage fw-4099.secure.bin
- Burn the image on the device using flint:
    # flint -d /dev/mst/mt4099_pci_cr0 -i fw-4099.secure.bin b
- For changes to take effect, a reboot is required.
Setting the Secure Host Key
To set the key, run:
    # flint -d /dev/mst/mt4099_pci_cr0 set_key 22062011
    Setting the HW Key - OK
    Restoring signature - OK
A driver restart is required to activate the new key.
- Access the hardware while hardware access is disabled:
    # flint -d /dev/mst/mt4099_pci_cr0 q
    E- Cannot open /dev/mst/mt4099_pci_cr0: HW access is disabled on the device.
    E- Run "flint -d /dev/mst/mt4099_pci_cr0 hw_access enable" in order to enable HW access.
- Enable hardware access:
    # flint -d /dev/mst/mt4099_pci_cr0 hw_access enable
    Enter Key: ********
- Disable hardware access:
    # flint -d /dev/mst/mt4099_pci_cr0 hw_access disable
This section is applicable to Group 1 network adapters only.
To remove the secure host feature:
- Make sure you have INI and MLX files suitable for the device.
- Remove cr_protection_en=true from the INI (if present).
- Generate the image using mlxburn, for example run:
    # mlxburn -fw ./fw-4099-rel.mlx -conf ./unsecure_host.ini -wrimage fw-4099.unsecure.bin
- Burn the firmware on the device (make sure hardware access is enabled prior to burning):
    # flint -d /dev/mst/mt4099_pci_cr0 -i fw-4099.unsecure.bin b
- Execute a driver restart in order to load the unsecure firmware:
    # service openibd restart
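The INI edit used in both procedures above (adding cr_protection_en=true before generating the image, removing it to drop the feature) can be made and verified with a section-aware script, so the key is never left in the wrong section. This is an added example, not NVIDIA tooling: the function names, file names and sample INI contents are assumptions for illustration, and appending a new [HCA] section when none exists is a choice of this example.

```shell
#!/bin/sh
# Added example (not NVIDIA tooling); function and file names are hypothetical.

# Print INI file $1 with cr_protection_en=true present ($2 = on) or
# absent ($2 = off) in the [HCA] section; other sections are left untouched.
set_cr_protection() {
    awk -v mode="$2" '
        /^[ \t]*\[/ {                                  # a section header
            in_hca = ($0 ~ /^[ \t]*\[HCA\][ \t]*$/)
            print
            if (in_hca && mode == "on" && !done) { print "cr_protection_en=true"; done = 1 }
            next
        }
        in_hca && /^[ \t]*cr_protection_en[ \t]*=/ { next }   # drop the old value
        { print }
        END { if (mode == "on" && !done) { print "[HCA]"; print "cr_protection_en=true" } }
    ' "$1"
}

# Succeed only if cr_protection_en=true is set inside [HCA] itself.
has_cr_protection() {
    awk '
        /^[ \t]*\[/ { in_hca = ($0 ~ /^[ \t]*\[HCA\][ \t]*$/); next }
        in_hca && /^[ \t]*cr_protection_en[ \t]*=[ \t]*true[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample INI: the key sits in the wrong section on purpose.
make_sample_ini() {
    cat > "$1" <<'EOF'
[OTHER]
cr_protection_en=true
[HCA]
example_key = 1
EOF
}

# Demo: check the sample, enable, re-check, then disable again.
tmp=$(mktemp -d)
make_sample_ini "$tmp/base.ini"
has_cr_protection "$tmp/base.ini" || echo "base.ini: not enabled under [HCA]"
set_cr_protection "$tmp/base.ini" on > "$tmp/secure_host.ini"
has_cr_protection "$tmp/secure_host.ini" && echo "secure_host.ini: enabled"
set_cr_protection "$tmp/secure_host.ini" off > "$tmp/unsecure_host.ini"
has_cr_protection "$tmp/unsecure_host.ini" || echo "unsecure_host.ini: removed"
rm -rf "$tmp"
```

Running has_cr_protection on the INI before invoking mlxburn confirms which variant of the image is about to be generated.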
If a key is lost, there is no way to recover it using the tool. The only way to recover is to:
- Connect the flash-not-present jumper on the card. 
- Reboot the machine. 
- Re-burn firmware (for Group 2 network adapters, re-burn the firmware following the process in Burning a New Device).
- Remove the flash-not-present jumper.
- Reboot the machine.
- Re-set the hardware access key.