HowTo Configure Privileged VF on ConnectX-4

Version 8

    This post explains and shows how to configure a privileged (trusted) VF on ConnectX-4.

    This feature is supported in MLNX_OFED version 3.3.


    Overview

     

    We will describe how to give special privileges to a specific trusted Virtual Function (VF). A malicious driver could be running on one of the VFs, so granting a VF physical-function privileges can open security holes.

    For example, any VF placed in promiscuous mode can sniff and monitor all incoming traffic on the entire physical port, including traffic targeted at other virtual functions.

     

    Examples of special privileges given to a privileged VF:

    • Setting promiscuous Rx mode.
    • Setting all-multi Rx mode.

     

    The Network Administrator configures the VF to be trusted.

     

    Promiscuous Mode

    If you have a VF set up in promiscuous mode, it means that besides the traffic originally targeted to the VF, it will receive the unmatched traffic and all the multicast traffic received on the physical port.

    Note that all traffic whose destination MAC (dmac) does not match any of the VF/PF MAC addresses is referred to as unmatched traffic.

    Only Privileged VFs are able to enter promiscuous mode.

     

    All-Multi Mode

    If you have a VF set up as an all-multi VF, it means that in addition to the traffic originally targeted to the VF, it will receive all the multicast traffic sent from/to the other functions on the same physical port. Unlike promiscuous mode, this does not include unmatched traffic.

     

    Configuration

    1. Start by following the instructions in HowTo Configure SR-IOV for ConnectX-4 with KVM (Ethernet). Make sure that you have one Virtual Machine (VM) with a configured MAC address.

    In this example the Network Administrator gave the VM located on VF-0 the MAC address: 00:22:33:44:55:66.

     

    # ip link show

    ...

    9: ens785f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP mode DEFAULT qlen 1000

        link/ether e4:1d:2d:f2:a4:89 brd ff:ff:ff:ff:ff:ff

        vf 0 MAC 00:22:33:44:55:66, spoof checking off, link-state auto

        vf 1 MAC 00:00:00:00:00:00, spoof checking off, link-state auto

        vf 2 MAC 00:00:00:00:00:00, spoof checking off, link-state auto

        vf 3 MAC 00:00:00:00:00:00, spoof checking off, link-state auto

    ...

     

    2. Enable trust.

    There are two options to enable or disable trust.

    Option 1: Using the standard ip link commands (supported in kernel version 4.5 and later).

    To enable trust for a specific VF (e.g. VF 0), run:

    # ip link set ens785f1 vf 0 trust on

     

    To disable trust for a specific VF (e.g. VF 0), run:

    # ip link set ens785f1 vf 0 trust off

     

    To see other ip link examples, refer to HowTo Set Virtual Network Attributes on a Virtual Function (SR-IOV).

     

    Option 2: Write "ON" or "OFF" to the file located under /sys/class/net/<ETH_IF_NAME>/device/sriov/<VF index>/trust.

    For example, to enable trust on VF 0, run:

    # echo "ON" > /sys/class/net/ens785f1/device/sriov/0/trust

     

    3. Set Rx Promiscuous mode (on the VM) as follows:

    # ifconfig eth2 promisc

     

    Exit promiscuous Rx mode as follows:

    # ifconfig eth2 -promisc

     

    4. Set All-Multi mode (on the VM) as follows:

    # ifconfig eth2 allmulti

    Exit all-multi Rx mode as follows:

    # ifconfig eth2 -allmulti

     

    Note: The all-multi option is included in promiscuous mode. When you enable promiscuous mode, you do not need to enable the all-multi option, as it is automatically enabled.

     

    Verification

    1. Check that trust is configured for VF 0.

    # cat /sys/class/net/eth5/device/sriov/0/config

    VF : 0

    MAC : 00:22:33:44:55:66

    VLAN : 0

    QoS : 0

    SpoofCheck : OFF

    Trust : ON

    LinkState  : Follow

     

    2. Check that Promiscuous mode is configured on the VM interface:

    # ifconfig eth2

    eth2      Link encap:Ethernet  HWaddr F4:52:14:15:82:02 

              BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1

              RX packets:0 errors:0 dropped:0 overruns:0 frame:0

              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

              collisions:0 txqueuelen:1000

              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
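    The following POSIX shell audit helper is an added example, not part of the original post. It parses per-VF config files in the format shown in Verification step 1 and lists the VFs on a PF that currently report Trust : ON, so an administrator can confirm that only the intended VF has been granted promiscuous/all-multi privileges. It assumes the sysfs layout /sys/class/net/<PF>/device/sriov/<VF index>/config from Option 2 above and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Audit helper: list VFs under a PF whose sysfs config reports "Trust : ON".

# Extract one field from a VF config text (read on stdin), e.g. "Trust" -> "ON".
# Splits on the first ':' only, so MAC values containing ':' stay intact.
vf_config_field() {
    awk -v want="$1" '{
        i = index($0, ":"); if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == want) { print val; exit }
    }'
}

# Print the index of every VF under PF $1 whose config has Trust : ON.
# $2 overrides the sysfs net root (default /sys/class/net) for offline testing.
list_trusted_vfs() {
    pf="$1"; root="${2:-/sys/class/net}"
    for cfg in "$root/$pf"/device/sriov/[0-9]*/config; do
        [ -f "$cfg" ] || continue
        vf=$(basename "$(dirname "$cfg")")
        if [ "$(vf_config_field Trust < "$cfg")" = "ON" ]; then
            echo "$vf"
        fi
    done
}

# Constructed sample tree (not real device data) mimicking the sysfs layout:
# VF 0 is trusted with the MAC from the post, VF 1 is untrusted.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/ens785f1/device/sriov/0" "$root/ens785f1/device/sriov/1"
    printf 'VF : 0\nMAC : 00:22:33:44:55:66\nVLAN : 0\nQoS : 0\nSpoofCheck : OFF\nTrust : ON\nLinkState  : Follow\n' \
        > "$root/ens785f1/device/sriov/0/config"
    printf 'VF : 1\nMAC : 00:00:00:00:00:00\nVLAN : 0\nQoS : 0\nSpoofCheck : OFF\nTrust : OFF\nLinkState  : Follow\n' \
        > "$root/ens785f1/device/sriov/1/config"
    echo "$root"
}

# Demonstration on the constructed tree; on a real host run: list_trusted_vfs ens785f1
sample_root=$(make_sample_tree)
echo "Trusted VFs on ens785f1: $(list_trusted_vfs ens785f1 "$sample_root" | tr '\n' ' ')"
rm -rf "$sample_root"
```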