Title: Porting from MFT, based on 4.11.0 release.

dev_mgt/tools_dev_types.c

@@ -298,6 +298,15 @@ static struct device_info g_devs_info[] = {
         80,                     //port_num
         DM_SWITCH               //dev_type
     },
+    {
+        DeviceSecureHost,       //dm_id
+        0xcafe,                 //hw_dev_i
+        0xd0,                   //hw_rev_i
+        0,                      //sw_dev_i
+        "Unknown Device",       //name
+        -1,                     //port_num
+        DM_UNKNOWN              //dev_type
+    },
     {
         DeviceUnknown,          //dm_id
         0,                      //hw_dev_i

dev_mgt/tools_dev_types.h

@@ -90,6 +90,7 @@ enum dm_dev_id
     DeviceCableSFP51Paging,
     DeviceSpectrum2,
     DeviceDummy,
+    DeviceSecureHost,
 
     DeviceEndMarker           // Dummy Device - Marker for indicating end of devices when iterating
 };

flint/cmd_line_parser.cpp

@@ -113,7 +113,7 @@ SubCmdMetaData::SubCmdMetaData()
     _sCmds.push_back(new SubCmd("ts", "timestamp", SC_Time_Stamp));
     _sCmds.push_back(new SubCmd("ci", "cache_image", SC_Cache_Image));
     _sCmds.push_back(new SubCmd("", "sign", SC_Sign));
-    _sCmds.push_back(new SubCmd("", "add_hmac", SC_Add_Hmac));
+    _sCmds.push_back(new SubCmd("", "sign_with_hmac", SC_Add_Hmac));
     _sCmds.push_back(new SubCmd("", "extract_fw_data", SC_Extract_4MB_Image));
     _sCmds.push_back(new SubCmd("", "set_public_keys", SC_Set_Public_Keys));
     _sCmds.push_back(new SubCmd("", "set_forbidden_versions", SC_Set_Forbidden_Versions));
@@ -196,7 +196,7 @@ FlagMetaData::FlagMetaData()
     _flags.push_back(new Flag("", "private_key", 1));
     _flags.push_back(new Flag("", "key_uuid", 1));
     _flags.push_back(new Flag("", "private_key2", 1));
-    _flags.push_back(new Flag("", "hmac", 1));
+    _flags.push_back(new Flag("", "hmac_key", 1));
     _flags.push_back(new Flag("", "key_uuid2", 1));
     _flags.push_back(new Flag("", "no_fw_ctrl", 0));
 }
@@ -661,9 +661,9 @@ void Flint::initCmdParser()
                ' ',
                "<key_file>",
                "path to PEM formatted private key to be used by the sign command");
-    AddOptions("hmac",
+    AddOptions("hmac_key",
                ' ',
-               "<hmac>",
+               "<hmac_key>",
                "path to file containing key (For FS4 image only).");
 
     AddOptions("key_uuid2",
@@ -870,7 +870,7 @@ ParseStatus Flint::HandleOption(string name, string value)
     } else if (name == "key_uuid") {
         _flintParams.uuid_specified = true;
         _flintParams.privkey_uuid = value;
-    } else if (name == "hmac") {
+    } else if (name == "hmac_key") {
         _flintParams.key_specified = true;
         _flintParams.key = value;
     } else if (name == "private_key2") {

flint/subcommands.cpp

@@ -1306,13 +1306,13 @@ FlintStatus Extract4MBImageSubCommand::executeCommand()
  * ***********************/
 AddHmacSubCommand:: AddHmacSubCommand()
 {
-    _name = "add_hmac";
-    _desc = "Add Hmac to image";
-    _extendedDesc = "Add Hmac to image";
-    _flagLong = "add_hmac";
+    _name = "sign_with_hmac";
+    _desc = "Sign image with HMAC";
+    _extendedDesc = "Sign image with HMAC";
+    _flagLong = "sign_with_hmac";
     _flagShort = "";
     _paramExp = "None";
-    _example = FLINT_NAME " -i fw_image.bin --hmac hmac_key_file add_hmac";
+    _example = FLINT_NAME " -i fw_image.bin --hmac_key hmac_key_file sign_with_hmac";
     _v = Wtv_Img;
     _maxCmdParamNum = 0;
     _cmdType = SC_Add_Hmac;
@@ -1329,7 +1329,7 @@ FlintStatus AddHmacSubCommand::executeCommand()
         return FLINT_FAILED;
     }
     if (_imgOps->FwType() != FIT_FS4) {
-        reportErr(true, "Adding Hmac is applicable only for FS4 FW.\n");
+        reportErr(true, "Signing with HMAC is applicable only for FS4 FW.\n");
         return FLINT_FAILED;
     }
 
@@ -1343,7 +1343,7 @@ FlintStatus AddHmacSubCommand::executeCommand()
 bool AddHmacSubCommand::verifyParams()
 {
     if (!_flintParams.key_specified) {
-        reportErr(true, "To add hmac, you must provide a key \n");
+        reportErr(true, "To sign with HMAC, you must provide a key \n");
         return false;
     }
 
@@ -2537,11 +2537,12 @@ FlintStatus SwResetSubCommand::executeCommand()
     if (preFwOps() == FLINT_FAILED) {
         return FLINT_FAILED;
     }
-    printf("-I- Resetting device %s ...\n", _flintParams.device.c_str());
+    printf("-I- Sending reset command to device %s ...\n", _flintParams.device.c_str());
     if (!_fwOps->FwSwReset()) {
         reportErr(true, FLINT_SWRESET_ERROR, _fwOps->err());
         return FLINT_FAILED;
     }
+    printf("-I- Reset command accepted by the device.\n");
     return FLINT_SUCCESS;
 }
 

mflash/mflash.c

@@ -2838,7 +2838,6 @@ int mf_open_int(mflash **pmfl, const char *dev, int num_of_banks, flash_params_t
     }
 
     rc = mf_opend_int(pmfl, (struct mfile_t*) mf, num_of_banks, flash_params, ignore_cache_rep_guard, MFAT_MFILE, NULL, cx3_fw_access);
-
     if ((*pmfl)) {
         (*pmfl)->opts[MFO_CLOSE_MF_ON_EXIT] = 1;
     }
@@ -3644,6 +3643,7 @@ int mf_disable_hw_access(mflash *mfl)
 #ifndef UEFI_BUILD
     int rc = 0;
     // We need to release the semaphore because we will not have any access to semaphore after disabling the HW access
+    mfl->unlock_flash_prog_allowed = 1;
     rc = release_semaphore(mfl, 1);
     CHECK_RC(rc);
 

mflash/mflash_dev_capability.c

@@ -59,6 +59,7 @@ int is_four_byte_address_needed(mflash *mfl, MfError *status)
     case DeviceSwitchIB2:
     case DeviceConnectX5:
     case DeviceBlueField:
+    case DeviceSecureHost:
         return 0;
     case DeviceQuantum:
     case DeviceConnectX6:
@@ -94,6 +95,7 @@ int is_flash_enable_needed(mflash *mfl, MfError *status)
     case DeviceQuantum:
     case DeviceConnectX6:
     case DeviceSpectrum2:
+    case DeviceSecureHost:
         return 0;
     default:
         *status = MFE_UNSUPPORTED_DEVICE;
@@ -113,6 +115,7 @@ int is_icmdif_supported(mflash *mfl, MfError *status)
     case DeviceConnectX3:
     case DeviceConnectX3Pro:
     case DeviceSwitchX:
+    case DeviceSecureHost:
         return 0;
     case DeviceConnectIB:
     case DeviceSwitchIB:
@@ -156,6 +159,7 @@ int is_supports_sw_reset(mflash *mfl, MfError *status)
     case DeviceBlueField:
     case DeviceConnectX6:
     case DeviceSpectrum2:
+    case DeviceSecureHost:
         return 0;
     default:
         *status = MFE_UNSUPPORTED_DEVICE;

mlxarchive/mlxarchive.cpp

@@ -120,7 +120,7 @@ void Mlxarchive::paramValidate()
         success = false;
     }
     else {
-        boost::regex version_expression("^[0-9]..{3}$");
+        boost::regex version_expression("^[0-9].[0-9].[0-9]$");
         status_match = boost::regex_match(_version, match, version_expression);
         if(!status_match) {
             fprintf(stderr, err_regex.c_str(), "version", _version.c_str(), "x.x.x");

mlxarchive/mlxarchive_mfa2_builder.cpp

@@ -204,9 +204,22 @@ FWDirectoryBuilder::FWDirectoryBuilder(const string& version, string directory)
 {
     string fileExtension = ".bin";
     vector<string> files;
-
     int index = 0;
-    listDir(directory.c_str(), files);
+    try
+    {
+        listDir(directory.c_str(), files);
+    }
+    catch(std::exception& e)
+    {
+        std::string err_str = "locale::facet::_S_create_c_locale name not valid";
+        if(!err_str.compare(e.what()))
+        {
+            fprintf(stderr, "Exception: '%s' was catched.\nPlease try to add the following line into your /etc/profile file and retry:\nexport LC_ALL=C; unset LANGUAGE\n"
+            "Please note, you need to reload the .profile file, after editing. \nsource /etc/profile might help.\n", e.what());
+            exit(1);
+        }
+        throw e;
+    }
     VECTOR_ITERATOR(string, files, file) {
       if ((*file).rfind(fileExtension) == ((*file).size() - fileExtension.size())) {
         string fullPath = directory + "/" + (*file);
@@ -239,7 +252,6 @@ FWDirectoryBuilder::FWDirectoryBuilder(const string& version, string directory)
         componentPointers.push_back(componentPointer);
         DeviceDescriptor deviceDescriptor(componentPointers, PSID);
         _deviceDescriptors.push_back(deviceDescriptor);
-
         VersionExtension version(fwQueryResult.fw_info.fw_ver);
         vector<u_int8_t> data;
         if (!ops->FwExtract4MBImage(data, true)) {

mlxconfig/mlxcfg_ui.cpp

@@ -801,6 +801,10 @@ mlxCfgStatus MlxCfg::setDevRawCfg()
         for (std::vector<std::vector<u_int32_t> >::iterator it = rawTlvsAsDw.begin(); it != rawTlvsAsDw.end(); it++, tlvIdx++) {
             commander->setRawCfg(*it);
         }
+        //send mfrl command to fw
+        //this command indicate to the fw that next time perst signal go down
+        //[reboot] fw need to perform reset )
+        commander->loadConfigurationGetStr();
     } catch (MlxcfgException& e) {
         delete commander;
         return err(true, "Failed to run set_raw command: %s", e._err.c_str());

mlxconfig/mstprivhost.py

@@ -18,13 +18,35 @@
 """
 
 DESCRIPTION = """\
-restrict or privilege owner
+restrict or privilege host
 Note: New configurations takes effect immediately.
-Note: a restricted host is not allowed to be port_owner, to own the tracer
-      and to read physical port counters.
+Note: priviliged host - host has all supported privileges.
+      restricted host - host is not allowed to modify global
+      per port/parameters or access other hosts parametersis.
 
 """
 
+DISABLE_RSHIM_HELP = """\
+When TRUE, the host does not have an RSHIM function
+to access the embedded CPU registers
+mlxconfig_name: HOST_DISABLE_RSHIM
+"""
+
+DISABLE_TRACER_HELP = """\
+When TRUE, the host will not be allowed to own the Tracer
+mlxconfig_name: HOST_DISABLE_TRACER_OWNER
+"""
+
+DISABLE_COUNTER_RD_HELP = """\
+When TRUE, the host will not be allowed to read Physical port counters
+mlxconfig_name: HOST_DISABLE_PORT_COUNTER
+"""
+
+DISABLE_PORT_OWNER_HELP = """\
+When TRUE, the host will not be allowed to be Port Owner
+mlxconfig_name: HOST_DISABLE_PORT_OWNER
+"""
+
 
 def _log(level, msg, *args, **kw):
     if args:
@@ -43,23 +65,43 @@ def error(msg, *args, **kw):
 class PrivilegeMgr(object):
     CMD_LINE = "mstconfig -d %s -f %s --yes set_raw"
     TITLE = "MLNX_RAW_TLV_FILE\n"
+    RAW_BYTES = "0x03000204 0x07000083 0x00000000"
+
+    LIMITED = 0x10000000
+    DISABLE_PORT_OWNER = 0x01
+    DISABLE_COUNTER_RD = 0x02
+    DISABLE_TRACER = 0x04
+    DISABLE_RSHIM = 0x08
+
     RESTRICT_BYTES = "0x03000204 0x07000083 0x00000000 0x1000000f"
     PRIVILEGE_BYTES = "0x03000204 0x07000083 0x00000000 0x00000000"
 
-    def __init__(self, device, privilege):
+    def __init__(self, device, privilege, disable_rshim, disable_tracer,
+                 disable_counter_rd, disable_port_owner):
         self._privilege = privilege
         self._device = device
         self._file_p = tempfile.NamedTemporaryFile(
             suffix='.raw', prefix="nvconfig_setting_")
         self._file_name = self._file_p.name
+        self._nv_host_priv_conf = 0
+        if not self._privilege:
+            self._nv_host_priv_conf = self.LIMITED
+            if disable_rshim:
+                self._nv_host_priv_conf |= self.DISABLE_RSHIM
+            if disable_tracer:
+                self._nv_host_priv_conf |= self.DISABLE_TRACER
+            if disable_counter_rd:
+                self._nv_host_priv_conf |= self.DISABLE_COUNTER_RD
+            if disable_port_owner:
+                self._nv_host_priv_conf |= self.DISABLE_PORT_OWNER
 
     def prepare(self):
         info("preparing configuration file...", end='')
         self._file_p.write(self.TITLE)
-        if self._privilege:
-            self._file_p.write(self.PRIVILEGE_BYTES)
-        else:
-            self._file_p.write(self.RESTRICT_BYTES)
+
+        nv_host_priv_conf_str = '0x%08x' % self._nv_host_priv_conf
+        conf_bytes = " ".join((self.RAW_BYTES, nv_host_priv_conf_str))
+        self._file_p.write(conf_bytes)
         self._file_p.flush()
         print("Done!")
 
@@ -114,12 +156,28 @@ def parse_args():
         nargs=1,
         choices=["r", "restrict", "p", "privilege"],
         help=CMD_HELP)
+    options_group.add_argument('--disable_rshim', action="store_true",
+                             help=DISABLE_RSHIM_HELP)
+    options_group.add_argument('--disable_tracer', action="store_true",
+                             help=DISABLE_TRACER_HELP)
+    options_group.add_argument('--disable_counter_rd', action="store_true",
+                             help=DISABLE_COUNTER_RD_HELP)
+    options_group.add_argument('--disable_port_owner', action="store_true",
+                             help=DISABLE_PORT_OWNER_HELP)
     args = parser.parse_args()
+    if args.command[0] in ("p", "privilege"):
+        if args.disable_rshim or args.disable_tracer or \
+                args.disable_counter_rd or args.disable_port_owner:
+            parser.error("disable flags are not allowed in privilege mode")
     return args
 
 
 def main():
     args = parse_args()
+    disable_rshim = args.disable_rshim
+    disable_tracer = args.disable_tracer
+    disable_counter_rd = args.disable_counter_rd
+    disable_port_owner = args.disable_port_owner
 
     device = args.device
 
@@ -129,7 +187,9 @@ def main():
     elif command in ("r", "restrict"):
         privilege = False
     retcode = 0
-    mgr = PrivilegeMgr(device, privilege)
+    mgr = PrivilegeMgr(device, privilege, args.disable_rshim,
+                       args.disable_tracer, args.disable_counter_rd,
+                       args.disable_port_owner)
     try:
         mgr.prepare()
         retcode = mgr.configure()

mlxfwops/lib/fs3_ops.cpp

@@ -3315,11 +3315,10 @@ bool Fs3Operations::AddHMACIfNeeded(Fs3Operations* imageOps, Flash *f)
             return errmsg(MLXFW_FLASH_WRITE_ERR, "Failed to burn HMAC digest: %s", f->err());
         }
     }
-
 #else
     (void)imageOps;
     (void)f;
-    //ignore
+    //ignore for UEFI
 #endif
     return true;
 }

mlxfwops/lib/fw_ops.cpp

@@ -1082,7 +1082,6 @@ const FwOperations::HwDevData FwOperations::hwDevData[] = {
     { "Spectrum",         SPECTRUM_HW_ID,   CT_SPECTRUM,     CFT_SWITCH,  0, {52100, 0}, {{UNKNOWN_BIN, {0}}}},
     { "Switch_IB2",       SWITCH_IB2_HW_ID, CT_SWITCH_IB2,   CFT_SWITCH,  0, {53000, 0}, {{UNKNOWN_BIN, {0}}}},
     { "Quantum",          QUANTUM_HW_ID,    CT_QUANTUM,      CFT_SWITCH,  0, {54000, 0}, {{UNKNOWN_BIN, {0}}}},
-    { "Spectrum2",        SPECTRUM2_HW_ID,  CT_SPECTRUM2,    CFT_SWITCH,  0, {53100, 0}, {{UNKNOWN_BIN, {0}}}},
     { (char*)NULL,       0,                CT_UNKNOWN,      CFT_UNKNOWN, 0, {0}, {{UNKNOWN_BIN, {0}}}},// zero devid terminator
 };
 
@@ -1106,7 +1105,6 @@ const FwOperations::HwDev2Str FwOperations::hwDev2Str[] = {
     {"SwitchIB2 A0",      SWITCH_IB2_HW_ID, 0x00},
     {"Quantum A0",        QUANTUM_HW_ID,    0x00},
     {"Spectrum A1",       SPECTRUM_HW_ID,   0x01},
-    {"Spectrum2 A0",      SPECTRUM2_HW_ID,  0x00},
     { (char*)NULL,       (u_int32_t)0, (u_int8_t)0x00},      // zero device ID terminator
 };
 
@@ -1676,7 +1674,7 @@ void FwOperations::SetDevFlags(chip_type_t chipType, u_int32_t devType, fw_img_t
         ibDev  = (fwType == FIT_FS3 && chipType != CT_SPECTRUM) || (chipType == CT_CONNECTX && !CntxEthOnly(devType));
         ethDev = (chipType == CT_CONNECTX) || (chipType == CT_SPECTRUM) || (chipType == CT_CONNECTX4) || \
                  (chipType == CT_CONNECTX4_LX) || (chipType == CT_CONNECTX5) || (chipType == CT_BLUEFIELD) || \
-                 (chipType == CT_SPECTRUM2) || (chipType == CT_CONNECTX6);
+                 (chipType == CT_CONNECTX6);
     }
 
     if ((!ibDev && !ethDev) || chipType == CT_UNKNOWN) {
@@ -1993,9 +1991,8 @@ u_int8_t FwOperations::GetFwFormatFromHwDevID(u_int32_t hwDevId)
         return FS_FS3_GEN;
     } else if (hwDevId == CX5_HW_ID ||
                hwDevId == CX6_HW_ID ||
-               hwDevId == BF_HW_ID      ||
-               hwDevId == QUANTUM_HW_ID ||
-               hwDevId == SPECTRUM2_HW_ID) {
+               hwDevId == BF_HW_ID  ||
+               hwDevId == QUANTUM_HW_ID)  {
         return FS_FS4_GEN;
     }
     return FS_UNKNOWN_IMG;