mstflint: Secure Host

NVIDIA Firmware Tools (MFT) Documentation v4.26.1 LTS

Secure host is the general term for the capability of a device to protect itself and the subnet from malicious software through mechanisms such as blocking access of untrusted entities to the device configuration registers.



  • Once a hardware access key is set, the hardware can be accessed only after the correct key is provided.

  • If a key is lost, please refer to Key Loss Recovery.

  • The hardware access in this mode is allowed only if a correct 64 bits key is provided.

  • The secure host feature for ConnectX-3/ConnectX-3 Pro HCAs requires a MLNX_OFED driver installed on the machine.

Secure Host feature is supported for all NVIDIA network adapters (listed in Group 1 and group 2). For group 1 network adapters, the user is required to generate and burn a firmware image that supports the feature (see “Generating/Burning a Firmware Supporting Secure Host” below).

For Group 2 network adapters, the feature is supported on firmware version 1x.22.1002 or newer.

Generating/Burning a Firmware Supporting Secure Host

  1. Make sure you have INI and mlx files suitable for the device. Both files are available for download at:

    1. Add cr_protection_en=true under [HCA] section in the INI file.

  2. Burn the image on the device using mstflint:


    # mstflint -d 41:00.0 -i b

  3. For changes to take effect, reboot is required.

Setting the Secure Host Key

To set the key, run:


# mstflint -d 41:00.0 set_key 22062011 Setting the HW Key - OK Restoring signature - OK


A driver restart is required to activate the new key.

  1. Access the hardware while hardware access is disabled:


    # mstflint -d 41:00.0 q E- Cannot open 41:00.0: HW access is disabled on the device. E- Run "mstflint -d 41:00.0 hw_access enable" in order to enable HW access.

  2. Enable hardware access:


    # mstflint -d 41:00.0 hw_access enable Enter Key: ********

  3. Disable hardware access:


    # mstflint -d 41:00.0 hw_access disable


This section is applicable to Group 1 network adapters only.

To remove the secure host feature:

  1. Make sure you have INI and MLX file suitable for the device.

    1. Remove cr_protection_en=true from the INI (if present)

  2. Burn the firmware on the device (make sure hardware access is enabled prior to burning):


    # mstflint -d 41:00.0 -i fw-4099.unsecure.bin b

  3. Execute a driver restart in order to load the unsecure firmware:


    # service openibd restart

If a key is lost, there is no way to recover it using the tool. The only way to recover is to:

  1. Connect the flash-not-present jumper on the card.

  2. Reboot the machine.

  3. Re-burn firmware

  4. Remove the flash-not-present jumper.

  5. Reboot the machine

  6. Re-set the hardware access key

© Copyright 2023, NVIDIA. Last updated on Mar 21, 2024.