Is there a way I can password protect Vivado's hw_server?

As the title states, are there any ways to add authentication to Vivado’s hw_server?

I don’t believe that hw_server offers any password protection, nor would I trust its internal security implementation if it did.

I’m assuming that you want to access hw_server from over the network, somewhat securely, maybe over the internet to boot.

Since hw_server doesn’t implement any L5/L7 security, you can control the L4 security, or in other words, control who/what can talk to hw_server.

https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/

That might mean using a network firewall on your machine to restrict access to the port hw_server listens to on your machine’s external (LAN) interface to only certain source IPs (though IP-based authentication is a poor solution).

Assuming that you’re running Linux/OpenSSH, I would suggest binding hw_server to only listen on localhost. I would then configure my SSH client to perform local port forwarding, and establish a connection to the machine running hw_server. In Vivado, you would connect to localhost on your client, and your SSH client would tunnel that to the remote machine and allow you to connect to the hw_server instance.

Assuming that:

  1. the Linux machine is accessible at ssh_server_hostname

  2. hw_server is bound to localhost:3121

  3. you are connecting Vivado to port 12457 locally

The ssh command would look something like:
ssh -L 12457:127.0.0.1:3121 ssh_server_hostname

(in a more HTTP world, this would be using a reverse proxy to add security in front of something that might not understand it well)

The easier method, especially if hw_server uses multiple ports to communicate, would be to set up Tailscale, or a similar VPN, and to bind hw_server to the VPN’s interface, such that hw_server can only be accessed by using the VPN. Hamachi is another VPN implementation that effectively does the same thing (though I have not used it in nearly a decade).

You would then be relying on your VPN to broker the connection between your client machine and your hw_server host, and to handle the authentication/authorization.

However, I don’t know your environment, and you might not be able to run a VPN.

TL;DR:

  • Bind hw_server to the local machine and use ssh tunneling

  • Bind hw_server to a VPN network
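
A check to go with the first TL;DR option, added here as an example and not part of the answer above: it reads `ss -ltn` output on the hw_server host and reports whether port 3121 is reachable only on loopback, which is what the SSH tunnel setup relies on. The function names and the sample socket listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify hw_server is reachable only through the SSH tunnel.
# Reads `ss -ltn` output on stdin. Exit status:
#   0 = every listener on PORT is bound to loopback
#   1 = at least one listener on PORT is bound to a non-loopback address
#   2 = nothing is listening on PORT
check_loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*/, "", addr)               # drop a %interface suffix
            found = 1
            if (addr !~ /^127\./ && addr != "[::1]") {
                print "exposed listener: " $4
                exposed = 1
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }'
}

# Map the exit status to a one-word verdict for scripts and cron checks.
verdict() {
    rc=0
    printf '%s\n' "$1" | check_loopback_only "$2" >/dev/null || rc=$?
    case "$rc" in
        0) echo "loopback-only" ;;
        1) echo "exposed" ;;
        *) echo "not-listening" ;;
    esac
}

# Constructed sample `ss -ltn` rows (not captured from a real host).
SAMPLE_TUNNEL_ONLY='LISTEN 0 128 127.0.0.1:3121 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 128 127.0.0.1:3121 0.0.0.0:*
LISTEN 0 128 *:3121 *:*
LISTEN 0 128 [::]:22 [::]:*'

verdict "$SAMPLE_TUNNEL_ONLY" 3121   # loopback-only
verdict "$SAMPLE_EXPOSED" 3121       # exposed
verdict "$SAMPLE_TUNNEL_ONLY" 8080   # not-listening

# On the real host: ss -ltn | check_loopback_only 3121
```

An "exposed" result means hw_server is still listening on a LAN or wildcard address, so clients can reach it without going through SSH.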

Hi, thanks for the extremely detailed answer, I will try that out