NVIDIA BlueField DPU BSP v4.0.3
1.0

Modes of Operation

The NVIDIA® BlueField® DPU has several modes of operation:

  • DPU mode, or embedded function (ECPF) ownership, where the embedded Arm system controls the NIC resources and data path (default)

  • Zero-trust mode which is an extension of the ECPF ownership with additional restrictions on the host side

  • NIC mode where the DPU behaves exactly like an adapter card from the perspective of the external host

This mode, known also as embedded CPU function ownership (ECPF) mode, is the default mode for BlueField DPU.

In DPU mode, the NIC resources and functionality are owned and controlled by the embedded Arm subsystem. All network communication to the host flows through a virtual switch control plane hosted on the Arm cores, and only then proceeds to the host. While working in this mode, the DPU is the trusted function managed by the data center and host administrator—to load network drivers, reset an interface, bring an interface up and down, update the firmware, and change the mode of operation on the DPU device.

A network function is still exposed to the host, but it has limited privileges. In particular:

  1. The driver on the host side can only be loaded after the driver on the DPU has loaded and completed NIC configuration.

  2. All ICM (Interface Configuration Memory) is allocated by the ECPF and resides in the DPU's memory.

  3. The ECPF controls and configures the NIC embedded switch which means that traffic to and from the host (DPU) interface always lands on the Arm side.

embedded-mode.png

When the server and DPU are initiated, the networking to the host is blocked until the virtual switch on the DPU is loaded. Once it is loaded, traffic to the host is allowed by default.

There are two ways to pass traffic to the host interface: Either using representors to forward traffic to the host (every packet to/from the host would be handled also by the network interface on the embedded Arm side), or push rules to the embedded switch which allows and offloads this traffic.

Zero-trust mode is a specialization of DPU mode which implements an additional layer of security where the host system administrator is prevented from accessing the DPU from the host. Once zero-trust mode is enabled, the data center administrator should control the DPU entirely through the Arm cores and/or BMC connection instead of through the host.

For security and isolation purposes, it is possible to restrict the host from performing operations that can compromise the DPU. The following operations can be restricted individually when changing the DPU host to zero-trust mode:

  • Port ownership – the host cannot assign itself as port owner

  • Hardware counters – t he host does not have access to hardware counters

  • Tracer functionality is blocked

  • RShim interface is blocked

  • Firmware flash is restricted

To enable host restriction:

  1. Start the MST service.

  2. Set zero-trust mode. From the Arm side, run:

    Copy
    Copied!
                

    $ mlxprivhost -d /dev/mst/<device> r --disable_rshim --disable_tracer --disable_counter_rd --disable_port_owner

    Warning

    P ower cycle is required if any --disable_* flags are used.

Warning

If RShim is disabled, power cycle is required.

To disable host restriction set the mode to privileged mode, run:

Copy
Copied!
            

$ mlxprivhost -d /dev/mst/<device> p

The configuration takes effect immediately.

Warning

If you are reverting from rshim-disabled mode, system power cycle is required.

Warning

P ower cycle is required when reverting to privileged mode if host restriction has been applied using any --disable_* flags.

Warning

Prior to configuring NIC mode, refer to known issue # 3048250.

Warning

NIC mode is supported with MLNX_OFED version 5.6 and later.

Warning

When NIC mode is enabled, the drivers and services on the Arm are no longer functional.

In this mode, the DPU behaves exactly like an adapter card from the perspective of the external host. The ECPFs on the Arm side are not functional in this mode but the user is still able to access the Arm system and update mlxconfig options.

To enable DPU NIC mode:

  1. Run the following from the x86 host side:

    Copy
    Copied!
                

    $ sudo mst start $ sudo mlxconfig -d /dev/mst/<device> s INTERNAL_CPU_MODEL=1 INTERNAL_CPU_OFFLOAD_ENGINE=1

    Warning

    To restrict RShim PF (optional), make sure to configure INTERNAL_CPU_RSHIM=1 as part of the mlxconfig command.

  2. Power cycle the host

Warning

Multi-host is not supported when the DPU is operating in NIC mode.

Warning

To obtain firmware BINs for NVIDIA® BlueField®-2 devices, refer to the BlueField-2 firmware download page.

Warning

To obtain firmware BINs for NVIDIA® BlueField®-3 devices, refer to the BlueField-3 firmware download page.

To change from NIC mode back to DPU mode:

  1. Install and start the RShim driver on the host.

  2. Disable NIC mode. Run:

    Copy
    Copied!
                

    $ sudo mst start $ sudo mlxconfig -d /dev/mst/<device> s INTERNAL_CPU_MODEL=1 \ INTERNAL_CPU_PAGE_SUPPLIER=0 \ INTERNAL_CPU_ESWITCH_MANAGER=0 \ INTERNAL_CPU_IB_VPORT0=0 \ INTERNAL_CPU_OFFLOAD_ENGINE=0

    Warning

    If INTERNAL_CPU_RSHIM=1 , then make sure to configure INTERNAL_CPU_RSHIM=0 as part of the mlxconfig command.

  3. Power cycle the host.

© Copyright 2023, NVIDIA. Last updated on Jun 23, 2023.