This post explains and shows how to configure for privileged (trusted) VF on ConnectX-4.
This feature is supported in MLNX_OFED version 3.3.
- HowTo Configure SR-IOV for ConnectX-4 with KVM (Ethernet)
- HowTo Configure MAC Anti-Spoofing for VMs over SR-IOV
This post describes how to give special privileges to a specific, trusted Virtual Function (VF). A malicious driver may be running behind any VF, so granting a VF physical-function privileges can open security holes; such privileges should only be given to a VF that the administrator trusts.
For example, any VF placed in promiscuous mode can sniff and monitor all incoming traffic on the entire physical port, including traffic destined for other virtual functions.
Examples of special privileges that can be given to a privileged VF:
- Setting promiscuous Rx mode.
- Setting all-multi Rx mode.
The Network Administrator configures the VF to be trusted.
If a VF is set up in promiscuous mode, then in addition to the traffic originally targeted at that VF, it receives the unmatched traffic and all the multicast traffic received on the physical port.
Note that all traffic whose destination MAC (dmac) does not match any of the VF/PF MAC addresses is referred to as unmatched traffic.
Only privileged VFs are able to enter promiscuous mode.
If a VF is set up as an all-multi VF, then in addition to the traffic originally targeted at that VF, it receives all the multicast traffic sent from/to the other functions on the same physical port. Unlike promiscuous mode, this does not include the unmatched traffic.
1. Start by following the instructions in HowTo Configure SR-IOV for ConnectX-4 with KVM (Ethernet). Make sure that you have one Virtual Machine (VM) with a configured MAC address.
In this example the Network Administrator gave the VM located on VF-0 the MAC address: 00:22:33:44:55:66.
# ip link show
9: ens785f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP mode DEFAULT qlen 1000
link/ether e4:1d:2d:f2:a4:89 brd ff:ff:ff:ff:ff:ff
vf 0 MAC 00:22:33:44:55:66, spoof checking off, link-state auto
vf 1 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
vf 2 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
vf 3 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
2. Enable trust.
There are two options to enable or disable trust.
Option 1: Using the standard ip link commands (supported in kernel version 4.5 and later).
To enable trust for a specific VF (e.g. VF 0), run:
# ip link set ens785f1 vf 0 trust on
To disable trust for a specific VF (e.g. VF 0), run:
# ip link set ens785f1 vf 0 trust off
To see other ip link examples, refer to HowTo Set Virtual Network Attributes on a Virtual Function (SR-IOV).
Option 2: Write "ON" or "OFF" to the file /sys/class/net/<ETH_IF_NAME>/device/sriov/<VF index>/trust.
For example, to enable trust on VF 0, run:
# echo "ON" > /sys/class/net/ens785f1/device/sriov/0/trust
3. Set Rx Promiscuous mode (on the VM) as follows:
# ifconfig eth2 promisc
Exit promiscuous Rx mode as follows:
# ifconfig eth2 -promisc
4. Set All-Multi mode (on the VM) as follows:
# ifconfig eth2 allmulti
Exit all-multi Rx mode as follows:
# ifconfig eth2 -allmulti
Note: The all-multi option is included in promiscuous mode. When you enable promiscuous mode, you do not need to enable the all-multi option, as it is enabled automatically.
1. Check that trust is configured for VF 0.
# cat /sys/class/net/eth5/device/sriov/0/config
VF : 0
MAC : 00:22:33:44:55:66
VLAN : 0
QoS : 0
SpoofCheck : OFF
Trust : ON
LinkState : Follow
2. Check that Promiscuous mode is configured on the VM interface:
eth2 Link encap:Ethernet HWaddr F4:52:14:15:82:02
BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
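As an added example (not part of the original post), the following audit script lists which VFs on a PF are trusted, and therefore able to enter promiscuous or all-multi mode, by parsing `ip link show` output or the MLNX_OFED sysfs trust files described above. The sample output is constructed, and the script name is hypothetical.

```shell
#!/bin/sh
# Audit helper (added example, not part of the original post): report which VFs of a
# PF are trusted, i.e. allowed to enter promiscuous / all-multi mode and thus to see
# the unmatched and multicast traffic of the whole physical port.

# Print the indices of trusted VFs, one per line, from `ip link show <PF>` output
# (kernel 4.5+ prints a ", trust on|off" field on each "vf N ..." line).
trusted_vfs() {
    printf '%s\n' "$1" | awk '$1 == "vf" && /trust on/ { print $2 }'
}

# Print VFs that are trusted AND have spoof checking off: review these first, since
# such a VF can both sniff the port and transmit with arbitrary source MACs.
trusted_and_unchecked_vfs() {
    printf '%s\n' "$1" | awk '$1 == "vf" && /trust on/ && /spoof checking off/ { print $2 }'
}

# Same check via the MLNX_OFED sysfs files used in the article
# (/sys/class/net/<PF>/device/sriov/<VF index>/trust holds ON or OFF).
sysfs_trusted_vfs() {
    for f in /sys/class/net/"$1"/device/sriov/[0-9]*/trust; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "ON" ]; then basename "$(dirname "$f")"; fi
    done
}

# Constructed sample output (not captured from a real host) in the layout of the
# article's `ip link show`, with the trust field a 4.5+ kernel would add.
SAMPLE='9: ens785f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP mode DEFAULT qlen 1000
    link/ether e4:1d:2d:f2:a4:89 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 00:22:33:44:55:66, spoof checking off, link-state auto, trust on
    vf 1 MAC 00:00:00:00:00:00, spoof checking off, link-state auto, trust off
    vf 2 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust on
    vf 3 MAC 00:00:00:00:00:00, spoof checking off, link-state auto, trust off'

# With a PF name as argument, audit the live host (e.g. ./vf_trust_audit.sh ens785f1);
# without one, run over the constructed sample so the script is demonstrable offline.
if [ -n "$1" ]; then
    out=$(ip link show "$1") || exit 1
else
    out=$SAMPLE
fi
echo "Trusted VFs:";                         trusted_vfs "$out"
echo "Trusted VFs with spoof checking off:"; trusted_and_unchecked_vfs "$out"
if [ -n "$1" ]; then
    echo "Trusted VFs per sysfs:"; sysfs_trusted_vfs "$1"
fi
```

On the constructed sample the script reports VFs 0 and 2 as trusted and VF 0 as trusted with spoof checking off, which is the state the verification step above shows for VF 0.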