NVIDIA Firmware Tools (MFT) Documentation v4.34.1-10 LTS (2025 LTS U1)
Date: 2025-12-15
Secure Host

Secure host is the general term for the capability of a device to protect itself and the subnet from malicious software through mechanisms such as blocking access of untrusted entities to the device configuration registers, directly (through pci_cr or pci_conf) and indirectly (through MADs).

When Secure Host is enabled, the host is blocked from performing firmware updates and from setting non-volatile configurations.

Note

The secure_host register opcodes supported by the flint tool are setting and unsetting the lock.

Warning

  • Once a hardware access key is set, the hardware can be accessed only after the correct key is provided.

  • If a key is lost, please refer to Key Loss Recovery.

Note

  • Hardware access in this mode is allowed only if the correct 64-bit key is provided.

  • The Secure Host feature for ConnectX-3/ConnectX-3 Pro HCAs requires an MLNX_OFED driver installed on the machine.

Using Secure Host

The Secure Host feature is supported for all NVIDIA® network adapters (listed in Group 1 and Group 2). For Group 1 network adapters, the user is required to generate and burn a firmware image that supports the feature (see “Generating/Burning a Firmware Supporting Secure Host” below).

For Group 2 network adapters, the feature is supported on firmware version 1x.22.1002 or newer.

Generating/Burning a Firmware Supporting Secure Host

Note

This is not applicable for ConnectX-4 devices and above. No burning of a specific firmware is needed.

  1. Make sure you have INI and MLX files suitable for the device.

    1. Add cr_protection_en=true under [HCA] section in the INI file.

    2. Generate an image using mlxburn, for example run:

      # mlxburn -fw ./fw-4099-rel.mlx -conf ./edited_conf.ini -wrimage fw-4099.bin

  2. Burn the image on the device using flint:

    # flint -d /dev/mst/mt4099_pci_cr0 -i fw-4099.secure.bin b

  3. For changes to take effect, reboot is required.

Setting the Secure Host Key (for all NIC cards)

To set the key, run:

# flint -d <dev> set_key 22062011
Setting the HW Key - OK
Restoring signature - OK

Note

A driver restart is required to activate the new key.

Accessing the device after hardware access is disabled should show the following:

# flint -d <dev> q
E- Cannot open <dev>: HW access is disabled on the device.
E- Run "flint -d <dev> hw_access enable" in order to enable HW access.
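An added example, not part of the MFT documentation: a small POSIX shell helper that classifies a device's Secure Host lock state from the output of `flint -d <dev> q`, using the error text shown above, so an inventory job can confirm that hardware access is really locked on every adapter. The `audit_devices` function, the device list it reads and the sample outputs are constructed for illustration; "unlocked" is assumed whenever the query succeeds without an `E-` error line.

```shell
#!/bin/sh
# Added example (not from the MFT documentation). Classifies the result of
# `flint -d <dev> q` and audits a list of devices for Secure Host enforcement.

# Reads flint output on stdin and prints one word:
#   locked   - HW access is disabled (Secure Host key is set and enforced)
#   error    - flint reported some other error (device missing, no driver, ...)
#   unlocked - the query succeeded, so the device is not protected
hw_access_state() {
    hw_out=$(cat)
    if printf '%s\n' "$hw_out" | grep -q 'HW access is disabled on the device'; then
        echo locked
    elif printf '%s\n' "$hw_out" | grep -q '^E-'; then
        echo error
    else
        echo unlocked
    fi
}

# Reads device paths (one per line, e.g. /dev/mst/mt4099_pci_cr0) on stdin,
# prints "<device> <state>" for each, and returns 1 if any device is not
# locked, so the function can gate a compliance job. Assumed helper; it needs
# flint on PATH and is not exercised offline.
audit_devices() {
    audit_rc=0
    while IFS= read -r dev; do
        [ -n "$dev" ] || continue
        state=$(flint -d "$dev" q 2>&1 | hw_access_state)
        printf '%s %s\n' "$dev" "$state"
        [ "$state" = locked ] || audit_rc=1
    done
    return $audit_rc
}
```

Run it as `mst status -v | awk '/\/dev\/mst/ {print $1}' | audit_devices` or feed a hand-written device list; a non-zero exit means at least one adapter is not locked.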


Enabling Hardware Access

To re-enable hardware access, the user should run the following:

For ConnectX-4 and above devices:

run:

# flint -d <device> hw_access enable
Enter Key: ********

For ConnectX-3 and ConnectX-3 Pro devices:

  1. Make sure you have INI and MLX file suitable for the device.

    1. Remove cr_protection_en=true from the INI (if present)

    2. Generate the image using mlxburn, for example run:

      # mlxburn -fw ./fw-4099-rel.mlx -conf ./unsecure_host.ini -wrimage fw-4099.unsecure.bin

  2. Burn the firmware on the device (make sure hardware access is enabled prior to burning):

    # flint -d /dev/mst/mt4099_pci_cr0 -i fw-4099.unsecure.bin b

  3. Execute a driver restart in order to load the unsecure firmware:

    # service openibd restart

Key Loss Recovery

If a key is lost, there is no way to recover it using the tool. The only way to recover is to:

  1. Connect the flash-not-present jumper on the card.

  2. Reboot the machine.

  3. Re-burn the firmware (for Group 2 network adapters, re-burn the firmware following the process in Burning a New Device).

  4. Remove the flash-not-present jumper.

  5. Reboot the machine.

  6. Re-set the hardware access key.
