mlxprivhost - NIC Configuration by the Host Restriction Tool (Zero Trust Mode)

NVIDIA Firmware Tools (MFT) Documentation v4.27.0

mlxprivhost enables the user to restrict the hosts from managing the device in case the BlueField DPU is in a Zero Trust environment, and the host cannot be considered “trusted”.

Warning

mlxprivhost is supported in Linux only.

Warning

mlxprivhost is not supported in ESXi 7.0.

Warning

This utility is supported in BlueField devices only.

Copy
Copied!
            

mlxprivhost [OPTIONS] <command> [parameters…]

  • Restrict configuration takes effect immediately, but disabling/enabling RShim requires power cycle

  • A zero-trust (restricted) host will not be able to perform operations that can compromise the DPU, such as:

    • Port ownership – the host cannot assign itself as port owner

    • Hardware counters – the host does not have access to hardware counters

    • Tracer functionality is blocked

    • RShim interface is blocked

    • FW flash is restricted

    • For Multi-host systems, the tool is compatible with firmware versions starting from xx.31.10xx and later

    where:

    -h, --help

    Shows this help message and exit

    -v, --version

    Shows program's version number and exit

    -d <dev>, --device <dev>

    Device to work with.

    --disable_rshim

    When TRUE, the host does not have an RSHIM function to access the embedded CPU registers (power cycle is required to apply changes)

    --disable_tracer

    When TRUE, the host will not be allowed to own the Tracer (requires FW reset to be applied)

    --disable_counter_rd

    When TRUE, the host will not be allowed to read Physical port counters (requires FW reset to be applied)

    --disable_port_owner

    When TRUE, the host will not be allowed to be Port Owner (requires FW reset to be applied)

    r,restrict

    Set all external hosts as zero-trust (restricted) except of the one that called the command

    p,privilege

    Set all external hosts privileged except the one that called the command

    q,query

    From external HOST: query the status of the host

    From Embedded ARM CPU: query the status of all external hosts.

    -f, --full

    Run with query command for high verbosity level - valid from embedded ARM CPU only.

    Example of mlxprivhost:

    • Enabling Zero-Trust host (Full Host Restriction - Embedded ARM CPU Only):

      Copy
      Copied!
                  

      mlxprivhost –d /dev/mst/mt41682_pciconf0 r --disable_rshim --disable_tracer --disable_counter_rd --disable_port_owner

    • Disabling Zero-Trust host restriction (Embedded ARM CPU Only):

      Copy
      Copied!
                  

      mlxprivhost –d /dev/mst/mt41682_pciconf0 p

    • Query the status of the host\hosts (the full flag valid for embedded ARM CPU Only):

      Copy
      Copied!
                  

      mlxprivhost -d /dev/mst/mt41682_pciconf0 q --full Host configurations ------------------- host index : 0 1 2 3 level : PRIVILEGED PRIVILEGED PRIVILEGED PRIVILEGED   Port functions status: ----------------------- disable_rshim : FALSE FALSE FALSE FALSE disable_tracer : FALSE FALSE FALSE FALSE disable_port_owner : FALSE FALSE FALSE FALSE disable_counter_rd : FALSE FALSE FALSE FALSE

    © Copyright 2023, NVIDIA. Last updated on Feb 8, 2024.