Secure mode capability is enabled by setting the "cr_protection_en" parameter to 1 in the [HCA] section of the .ini file and then burning the firmware with this .ini file. If the parameter is set to zero, or is missing, secure-mode operation will not be possible.

Once the firmware allows secure-mode operation, the secure-mode capability must be activated by using "flint" to set a 64-bit key (and then restarting the driver).

The flint command is as follows (the key is specified as up to 16 hex digits):

flint -d <device> set_key <64-bit key>

Example:

flint -d /dev/mst/mt26428_pci_cr0 set_key 1a1a1a1a2b2b2b2b

Once a 64-bit key is installed, secure-mode becomes active when the driver is restarted. If the host is rebooted, the HCA comes out of reboot with secure-mode enabled. Hardware access can be disabled while the driver is running to enable operations such as maintenance or firmware burning, and then restored at the end of the operation.

Warning: The temporary enable does not affect the SMP firewall. This remains active even if the "cr-space" is temporarily permitted.

To enable hardware access:

flint -d /dev/mst/mt26428_pci_cr0 hw_access enable
Enter Key: ********

To disable hardware access:

flint -d /dev/mst/mt26428_pci_cr0 hw_access disable

Warning: If you do not explicitly restore hardware access when the maintenance operation is completed, the driver restart will NOT do so. The driver will come back after restart with hardware access disabled. Note, though, that the SMP firewall will remain active.

A host reboot will restore hardware access (with SMP firewall active). Thus, when you disable hardware access, you should restore it immediately after maintenance has been completed, either by using the flint command above or by rebooting the host (or both).

1. Temporarily enable the hardware access (see Enabling/Disabling Hardware Access section).
2. Burn the new firmware.
3. Reboot the host (not just restart the driver).

1. Temporarily disable secure-mode (see Enabling/Disabling Hardware Access section).
2. Reset the pass-key to zero:

flint -d <device> set_key 0

3. Reboot the host.

This operation will cause the HCA to always come up (even from host reboot) in insecure mode. To restore security, simply set a non-zero pass-key again.

:

flint -d /dev/mst/mt26428_pci_cr0 -qq q

If the hardware access is active, you will see the following error message:

E- Cannot open /dev/mst/mt26428_pci_cr0: HW access is disabled on the device.
E- Run "flint -d /dev/mst/mt26428_pci_cr0 hw_access enable" in order to enable HW access.
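The maintenance window described above can be wrapped so that the device is always locked again and the result is confirmed with the query check. The following shell wrapper is an added example, not part of the original page or of the vendor tooling; it uses only the three flint invocations shown on this page, and the function names, the exit codes 90 and 91, and the caller-supplied maintenance command are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Only the flint invocations shown on the page
# are used; function names and exit codes 90/91 are assumptions of this example.

# True (0) when the query is refused with the page's "HW access is disabled"
# error, i.e. the device is locked again.
hw_access_locked() {
    flint -d "$1" -qq q 2>&1 | grep -q 'HW access is disabled on the device'
}

# Lock the device and confirm it with the query; non-zero if either step fails.
relock() {
    flint -d "$1" hw_access disable || return 1
    hw_access_locked "$1"
}

# with_hw_access <device> <maintenance command...>
# The body runs in a subshell so that the EXIT trap re-locks the device however
# the maintenance command ends (success, failure, Ctrl-C or SIGTERM).
# Exit status: the maintenance command's own status, 90 if hardware access
# could not be enabled, 91 if the device could not be confirmed as locked.
with_hw_access() (
    dev=$1
    shift
    # Prompts "Enter Key:" on the terminal, as shown on the page.
    flint -d "$dev" hw_access enable || exit 90
    trap 'rc=$?; relock "$dev" || { echo "WARNING: $dev not re-locked" >&2; rc=91; }; exit "$rc"' EXIT
    trap 'exit 130' INT TERM
    "$@"
)

# Usage (interactive); ./burn_firmware.sh is a hypothetical site-specific script:
#   with_hw_access /dev/mst/mt26428_pci_cr0 ./burn_firmware.sh
```

An exit status of 91 means the device may still be open and needs manual attention before the maintenance window is closed.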

The SMP firewall is active as long as there is a non-zero pass-key active in the firmware (regardless of whether or not the Secure-Mode has been temporarily disabled).

To check if SMP Firewall is active, run the InfiniBand diagnostic command sminfo.

If the SMP firewall is active, the command will fail as shown below: