TELCODOCS-2036: Include Step 1. Configure virtual functions

Padraig O'Grady · Padraig O'Grady · commit cd276159ba1a · 2025-02-12T12:56:38.000Z
TELCODOCS-2036: Include Step 2. Configure the sriov operator with the Mellanox plugin disabled TELCODOCS-2036: Include Step 3. Check virtual functions after rebooting TELCODOCS-2036: Include Step 4. Eable secure boot TELCODOCS-2036: Dev feedback applied TELCODOCS-2036: '_mod-docs-content-type' commented out TELCODOCS-2036: Mellanox topic commented out TELCODOCS-2036: Mellanox topic reinstated TELCODOCS-2036: Some full stops addded TELCODOCS-2036: Dev feedback openshift#2 applied TELCODOCS-2036: Dev feedback openshift#3 applied TELCODOCS-2036: Dev feedback openshift#4 applied TELCODOCS-2036: Dev feedback openshift#4 applied TELCODOCS-2036: Dev feedback openshift#4 applied TELCODOCS-2036: Dev feedback openshift#4 applied TELCODOCS-2036: Dev feedback openshift#4 applied TELCODOCS-2036: Dev feedback openshift#5 applied TELCODOCS-2036: Peer review feedback applied
diff --git a/modules/nw-sriov-nic-mlx-secure-boot.adoc b/modules/nw-sriov-nic-mlx-secure-boot.adoc
@@ -2,93 +2,85 @@
 //
 // * networking/hardware_networks/configuring-sriov-device.adoc
 
+:_mod-docs-content-type: PROCEDURE
 [id="nw-sriov-nic-mlx-secure-boot_{context}"]
-= MLX Secure Boot
+= Configuring the SR-IOV Network Operator on Mellanox cards when Secure Boot is enabled
 
-In some cases, you might want to split virtual functions (VFs) from the same physical function (PF) into multiple resource pools.
-For example, you might want some of the VFs to load with the default driver and the remaining VFs load with the `vfio-pci` driver.
-In such a deployment, the `pfNames` selector in your SriovNetworkNodePolicy custom resource (CR) can be used to specify a range of VFs for a pool using the following format: `<pfname>#<first_vf>-<last_vf>`.
+The SR-IOV Network Operator supports an option to skip the firmware configuration for Mellanox (MLX) devices. It is currently the only way to create virtual functions by using the SR-IOV Network Operator, if the system has secure boot enabled. You are required to manually configure and allocate the number of virtual functions in the firmware before switching the system to secure boot.
 
-For example, the following YAML shows the selector for an interface named `netpf0` with VF `2` through `7`:
+[NOTE]
+====
+The number of virtual functions in the firmware are the maximum number of virtual functions that you can request in the policy.
+====
 
-[source,yaml]
-----
-pfNames: ["netpf0#2-7"]
-----
-
-* `netpf0` is the PF interface name.
-* `2` is the first VF index (0-based) that is included in the range.
-* `7` is the last VF index (0-based) that is included in the range.
-
-You can select VFs from the same PF by using different policy CRs if the following requirements are met:
+.Procedure
 
-* The `numVfs` value must be identical for policies that select the same PF.
-* The VF index must be in the range of `0` to `<numVfs>-1`. For example, if you have a policy with `numVfs` set to `8`, then the `<first_vf>` value must not be smaller than `0`, and the `<last_vf>` must not be larger than `7`.
-* The VFs ranges in different policies must not overlap.
-* The `<first_vf>` must not be larger than the `<last_vf>`.
+. Configure the virtual functions (VFs):
 
-The following example illustrates NIC partitioning for an SR-IOV device.
-
-The policy `policy-net-1` defines a resource pool `net-1` that contains the VF `0` of PF `netpf0` with the default VF driver.
-The policy `policy-net-1-dpdk` defines a resource pool `net-1-dpdk` that contains the VF `8` to `15` of PF `netpf0` with the `vfio` VF driver.
-
-Policy `policy-net-1`:
-
-[source,yaml]
+.. Run the following command when the system is without a secure boot when using the sriov-config daemon:
++
+[source,terminal]
 ----
-apiVersion: sriovnetwork.openshift.io/v1
-kind: SriovNetworkNodePolicy
-metadata:
-  name: policy-net-1
-  namespace: openshift-sriov-network-operator
-spec:
-  resourceName: net1
-  nodeSelector:
-    feature.node.kubernetes.io/network-sriov.capable: "true"
-  numVfs: 16
-  nicSelector:
-    pfNames: ["netpf0#0-0"]
-  deviceType: netdevice
+$ mstconfig -d -0001:b1:00.1 set SRIOV_EN=1 NUM_OF_VFS=16 <1> <2>
 ----
+<1> The `SRIOV_EN` environment variable enables the SR-IOV Network Operator support on the Mellanox card.
+<2> The `NUM_OF_VFS` environment variable specifies the number of virtual functions to enable in the firmware.
 
-Policy `policy-net-1-dpdk`:
-
+. Configure the SR-IOV Network Operator by disabling the Mellanox plugin. See the following `SriovOperatorConfig` example configuration:
++
 [source,yaml]
 ----
 apiVersion: sriovnetwork.openshift.io/v1
-kind: SriovNetworkNodePolicy
+kind: SriovOperatorConfig
 metadata:
-  name: policy-net-1-dpdk
+  name: default
   namespace: openshift-sriov-network-operator
 spec:
-  resourceName: net1dpdk
-  nodeSelector:
-    feature.node.kubernetes.io/network-sriov.capable: "true"
-  numVfs: 16
-  nicSelector:
-    pfNames: ["netpf0#8-15"]
-  deviceType: vfio-pci
+  configDaemonNodeSelector: {}
+  configurationMode: daemon
+  disableDrain: false
+  disablePlugins:
+  - mellanox
+  enableInjector: true
+  enableOperatorWebhook: true
+  logLevel: 2
 ----
 
-.Verifying that the interface is successfully partitioned
-Confirm that the interface partitioned to virtual functions (VFs) for the SR-IOV device by running the following command.
+. Reboot the system to enable the virtual functions and the configuration settings.
 
+. Check the virtual functions (VFs) after rebooting the system by running the following command:
++
 [source,terminal]
 ----
-$ ip link show <interface> <1>
+$ oc -n openshift-sriov-network-operator get sriovnetworknodestate.sriovnetwork.openshift.io worker-0 -oyaml
 ----
++
+[source,yaml]
+----
+- deviceID: 101d
+    driver: mlx5_core
+    eSwitchMode: legacy
+    linkSpeed: -1 Mb/s
+    linkType: ETH
+    mac: 08:c0:eb:96:31:25
+    mtu: 1500
+    name: ens3f1np1
+    pciAddress: 0000:b1:00.1 <1>
+    totalvfs: 16
+    vendor: 15b3
+----
+<1> The `totalvfs` value is the same number used in the `mstconfig` command earlier in the procedure. 
 
-<1> Replace `<interface>` with the interface that you specified when partitioning to VFs for the SR-IOV device, for example, `ens3f1`.
+. Enable secure boot
+Enabling secure boot improves your system's security by preventing unauthorized operating systems and malicious software from loading during the device's boot process. 
 
-.Example output
+.. Enable secure boot using the BIOS (Basic Input/Output System).
++
 [source,terminal]
 ----
-5: ens3f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
-link/ether 3c:fd:fe:d1:bc:01 brd ff:ff:ff:ff:ff:ff
-
-vf 0     link/ether 5a:e7:88:25:ea:a0 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
-vf 1     link/ether 3e:1d:36:d7:3d:49 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
-vf 2     link/ether ce:09:56:97:df:f9 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
-vf 3     link/ether 5e:91:cf:88:d1:38 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
-vf 4     link/ether e6:06:a1:96:2f:de brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
+Secure Boot: Enabled
+Secure Boot Policy: Standard
+Secure Boot Mode: Mode Deployed
 ----
+
+.. Reboot the system.
