User Manual
Features Overview and Configuration, Rev 2.3-1.0.1
Mellanox Technologies
124
3.2.4 Secure Host
Secure host enables the device to protect itself and the subnet from malicious software. This is
achieved by:
• Not allowing untrusted entities to access the device configuration registers, directly
(through pci_cr or pci_conf) and indirectly (through MADs)
• Hiding the M_Key from the untrusted entities
• Preventing the modification of GUID0 by the untrusted entities
• Preventing drivers on untrusted hosts from receiving or transmitting SMP (QP0) MAD packets
(SMP firewall)
When the SMP firewall is enabled, the firmware handles all QP0 packets and does not forward
them to the driver. Any information required by the driver for proper operation (e.g., the SM lid) is
passed via events generated by the firmware while processing QP0 MADs.
Driver support mainly requires using the MAD_DEMUX firmware command at driver startup.
3.2.4.1 Secure Mode Operation
Secure mode capability is enabled by setting the "cr_protection_en" parameter to 1 in the
[HCA] section of the .ini file and then burning the firmware with this .ini file. If the parameter is
set to zero or is missing, secure-mode operation will not be possible.
Once the firmware allows secure-mode operation, the secure-mode capability must be activated
by using "flint" to set a 64-bit key (and then restarting the driver).
The flint command is as follows (the key is specified as up to 16 hex digits):
flint -d <device> set_key <64-bit key>
Example:
flint -d /dev/mst/mt26428_pci_cr0 set_key 1a1a1a1a2b2b2b2b
3.2.4.1.1 Enabling/Disabling Hardware Access
Once a 64-bit key is installed, secure mode becomes active when the driver is restarted. If the host is
rebooted, the HCA comes out of reboot with secure mode enabled. The secure-mode protection of
hardware access can be temporarily disabled while the driver is running, to allow operations such as
maintenance or firmware burning, and then restored at the end of the operation.
Temporarily enabling hardware access does not affect the SMP firewall, which remains active even
while access to the "cr-space" is permitted.
To enable hardware access:
flint -d /dev/mst/mt26428_pci_cr0 hw_access enable
Enter Key: ********
To disable hardware access:
flint -d /dev/mst/mt26428_pci_cr0 hw_access disable
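As an added example (not part of the Mellanox manual), the following POSIX shell helpers wrap the flint commands described above: the key is checked to be 1 to 16 hex digits before set_key is run, and a maintenance wrapper restores the hw_access protection after the operation even when that operation fails. The device path, the function names and the FLINT override variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example wrapping the flint secure-host commands (section 3.2.4.1).
# FLINT may be overridden (e.g. with a stub) for testing; default is flint on PATH.
FLINT="${FLINT:-flint}"

# validate_key KEY: succeed only if KEY is 1 to 16 hex digits, i.e. a value
# that fits the 64-bit key flint set_key expects.
validate_key() {
    key="$1"
    [ -n "$key" ] || return 1
    [ "${#key}" -le 16 ] || return 1
    case "$key" in
        *[!0-9A-Fa-f]*) return 1 ;;   # any non-hex character rejects the key
    esac
    return 0
}

# set_secure_key DEVICE KEY: validate KEY, then install it with flint set_key.
# Secure mode only becomes active after the driver is restarted (not done here).
set_secure_key() {
    dev="$1"
    key="$2"
    if ! validate_key "$key"; then
        echo "set_secure_key: key must be 1-16 hex digits" >&2
        return 2
    fi
    "$FLINT" -d "$dev" set_key "$key"
}

# with_hw_access DEVICE CMD [ARGS...]: temporarily permit cr-space access,
# run the maintenance command, then disable access again. The disable step
# runs even if CMD fails, and CMD's exit status is returned to the caller.
# flint hw_access enable prompts for the key interactively, as in the manual.
with_hw_access() {
    dev="$1"
    shift
    "$FLINT" -d "$dev" hw_access enable || return 1
    if "$@"; then
        status=0
    else
        status=$?
    fi
    "$FLINT" -d "$dev" hw_access disable || return 1
    return "$status"
}
```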