ConnectX-6 Dx – PSID Change and VF Trust Mode Enablement/Exposure Without Capability Loss

jtlagrand · July 13, 2025, 7:13pm

We are seeking assistance and guidance regarding PSID migration and VF Trust Mode enablement/exposure on ConnectX-6 Dx adapters operating in a VMware ESXi 7.0 U3 environment.

Deployment Overview:

NIC Model: NVIDIA ConnectX-6 Dx (OPN: MCX623106AC-CDA_Ax)
Firmware: 22.43.2566
Host OS: VMware ESXi 7.0 Update 3
Guest OS: Ubuntu 22.04 / 24.04 with SR-IOV passthrough enabled
Pre-Boot UEFI Utility: Used to configure SRIOV_EN and NUM_OF_VFS; TRUST_MODE not exposed

Objective:

Enable VF Trust Mode to allow advanced network operations (e.g., VLAN management and monitoring) on Virtual Functions passed through to guest VMs.

Current Obstacles:

TRUST_MODE is not visible in UEFI or configurable via mlxconfig.
Attempted PSID change from MT_0000000436 to MT_0000000438 using this command at the ESXi shell with host in maintenance mode and mst in recovery mode:

flint -d <mt_device> -i .bin --allow_psid_change --no_fw_ctrl burn

Resulted in the following error:
Burning FS4 image failed: Changing PSID is unsupported under controlled FW.
The system was prepared per MFT guidelines: passthrough was disabled, the firmware was verified, tools were up to date, and firmware/PSID backups were taken prior to flashing.

Technical Constraints:

Any alternative firmware or PSID must retain all existing NIC capabilities, including:

Dual-port functionality
Crypto features
Secure Boot compatibility

The attempted PSID (MT_0000000438) was evaluated solely to expose VF Trust Mode but does not meet capability preservation requirements.

Information and assistance Sought:

We welcome input from those with experience in similar NIC configurations or firmware migrations:

Is PSID migration supported on MCX623106AC-CDA_Ax under any specific firmware conditions?
Are non-controlled firmware builds available that permit PSID modification for this OPN?
Are there supported PSIDs that expose TRUST_MODE setting without disabling dual-port, crypto, or secure boot functionality – w/o defeating the necessary security requirements?
If firmware-level TRUST_MODE exposure is not possible, are there known alternatives?

Any confirmed experience, documentation references, or workaround strategies would be ––appreciated.

Topic		Replies	Views
Firmware upgrade for ConnectX-2 Firmware Tools	2	1178	November 7, 2014
VM Passthrough of MHQH19B-XTR InfiniBand/VPI Adapter Cards	26	681	November 14, 2013
Correct firmware for my CX354A-FCBT and ESXi 6.7U2 Compatibility Question Adapters and Cables	1	813	May 15, 2019
Firmware for ConnectX-3 Cards with ISL PSIDs Firmware Tools	1	1030	October 15, 2015
Connectx-6 DX SRIOV ESXI Trust mode? Ethernet Adapter Cards sr-iov-virtualization-solutions , vmware-solutions	6	1483	August 3, 2023
Update connectx3 card's firmware under esxi 5.1 Firmware Tools	0	490	August 13, 2013
ConnectX-3 not going up in Centos 6.4 (and SL6.4) InfiniBand/VPI Adapter Cards	22	776	June 19, 2013
Flash OEM HPE Mellanox ConnectX-4 VPI with mellanox firmware InfiniBand/VPI Adapter Cards	2	735	January 10, 2018
PSID mismatch - Update SX6005 firmware InfiniBand/VPI Switch Systems	1	978	May 16, 2018
MCX354A-FCBT / ConnectX-3 in Ethernet mode InfiniBand/VPI Adapter Cards	4	2819	May 22, 2017

ConnectX-6 Dx – PSID Change and VF Trust Mode Enablement/Exposure Without Capability Loss

Related topics