DOCA Documentation v3.0.0

BF-Bundle Installation and Upgrade

Note

Important! Make sure to update DOCA on the host side before installing the BF-bundle on the BlueField.

Users have three options for installing or upgrading DOCA on BlueField DPU or SuperNIC:

Method

Option Name

Description

Installation

BF-bundle DOCA image

This option overwrites the entire boot partition with an Ubuntu 22.04 installation and updates BlueField and NIC firmware

Upgrade

Standard Linux Tools

This option upgrades DOCA components without overwriting the boot partition. Use this option to preserve configurations or files on BlueField itself

Installation

ISO DOCA image

This option overwrites the entire boot partition with an Ubuntu 22.04 installation

Info

Find the DOCA installation files for BlueField from the NVIDIA DOCA Downloads page.

Make sure to update DOCA on the host side before installing the BF-bundle on the BlueField.

Warning

The ATF will not boot 150W BlueField-3 platforms if the ATX +12V power supply is not connected. This requirement ensures the proper operation of the BlueField device. For detailed instructions on connecting the external power supply connector, refer to the NVIDIA BlueField-3 Networking Platform User Guide.

Users can install DOCA on BlueField DPU or SuperNIC by upgrading the full DOCA image on BlueField.

Info

This overwrites the entire boot partition with an Ubuntu 22.04 installation and updates BlueField and NIC firmware.

Note

This installation sets up the OVS bridge.

Note

Upgrading DOCA components on BlueField networking platforms, such as DPUs or SuperNICs, using standard Linux tools will install the new doca-eula package located at /etc/NVIDIA/doca-license/DOCA-EULA.txt. By installing this package, you accept the NVIDIA DOCA SDK end-user license agreement.

Option 1 – No Pre-defined Password

Note

To change the default Ubuntu password during the BFB bundle installation, proceed to Option 2.

To install a BFB, use the following command:

Copy
Copied!
            

host# sudo bfb-install --rshim rshim<N> --bfb <image_path.bfb>

Where:

  • <N> – the appropriate RShim device identifier. If you have only one BlueField device, use rshim0.

  • <image_path.bfb> – Replace this with the path to the BFB image file.

To list the RShim devices present on your system, run the following command:

Copy
Copied!
            

host# ls -la /dev/ | grep rshim

Note

By default bfb-install will clear the RShim log in /dev/rshim<N>/misc and save it as tmp/bfb-install-rshim[N].log instead. To preserve the RShim log in /dev/rshim<N>/misc, provide the --keep-log argument to the bfb-install command line.


Option 2 – Set Pre-defined Password

Ubuntu users can set a unique password for the ubuntu user in the bf.cfg configuration file , which will be applied automatically at the end of the BlueField BFB bundle installation.

To do this, follow these steps:

  1. Generate the hashed password:

    Copy
    Copied!
                

    host# openssl passwd -1 Password: Verifying - Password: $1$3B0RIrfX$TlHry93NFUJzg3Nya00rE1

  2. Add the password hash to the bf.cfg configuration file:

    Copy
    Copied!
                

    host# echo ubuntu_PASSWORD='$1$3B0RIrfX$TlHry93NFUJzg3Nya00rE1' > bf.cfg

  3. Use the --config flag to specify the configuration file when running the installation command:

    Copy
    Copied!
                

    host# sudo bfb-install --rshim rshim<N> --bfb <image_path.bfb> --config bf.cfg

    Note

    If --config is not used, then upon first login to the BlueField device, users will be prompted to update the default ubuntu password.

    Note

    Optionally, to upgrade the BlueField integrated BMC firmware using BFB bundle, please provide the current BMC root credentials in a bf.cfg file, as shown in the following:

    Copy
    Copied!
                

    BMC_PASSWORD="<root password>" BMC_USER="root" BMC_REBOOT="yes"

    Unless previously changed, the default BMC root password is 0penBmc.

    The following is an example output of Ubuntu-22.04 BFB bundle installation (version may vary in the future):

    Copy
    Copied!
                

    host# sudo bfb-install --rshim rshim0 --bfb bf-bundle-2.7.0_24.04_ubuntu-22.04_prod.bfb --config bf.cfg Pushing bfb 1.41GiB 0:02:02 [11.7MiB/s] [ <=> ] Collecting BlueField booting status. Press Ctrl+C to stop INFO[PSC]: PSC BL1 START INFO[BL2]: start INFO[BL2]: boot mode (rshim) INFO[BL2]: VDDQ: 1120 mV INFO[BL2]: DDR POST passed INFO[BL2]: UEFI loaded INFO[BL31]: start INFO[BL31]: lifecycle GA Secured INFO[BL31]: VDD: 850 mV INFO[BL31]: runtime INFO[BL31]: MB ping success INFO[UEFI]: eMMC init INFO[UEFI]: eMMC probed INFO[UEFI]: UPVS valid INFO[UEFI]: PMI: updates started INFO[UEFI]: PMI: total updates: 1 INFO[UEFI]: PMI: updates completed, status 0 INFO[UEFI]: PCIe enum start INFO[UEFI]: PCIe enum end INFO[UEFI]: UEFI Secure Boot INFO[UEFI]: PK configured INFO[UEFI]: Redfish enabled INFO[UEFI]: exit Boot Service INFO[MISC]: Found bf.cfg INFO[MISC]: Ubuntu installation started INFO[MISC]: Installing OS image INFO[MISC]: Changing the default password for user ubuntu INFO[MISC]: Ubuntu installation completed INFO[MISC]: Updating NIC firmware... INFO[MISC]: NIC firmware update done INFO[MISC]: Installation finished

  4. To verify that the BlueField device has completed booting, wait 90 seconds after the installation process finishes and run the following command:

    Copy
    Copied!
                

    host# sudo cat /dev/rshim<N>/misc ...  INFO[MISC]: Linux up  INFO[MISC]: DPU is ready

  5. Retrieve installed packages and their versions as part of BF-Bundle installation:

    1. Log into BlueField.

    2. Run the following:

      Copy
      Copied!
                  

      bf# sudo bf-info

      Example output:

      Copy
      Copied!
                  

      Firmware: - ATF: v2.2(release):4.11.0-31-g3cc9f6506 - UEFI: 4.11.0-44-gb67dfb4a53 - BSP: 4.11.0.13582 - NIC Firmware: 32.45.0350 - BMC Firmware: 25.04-3 - CEC Firmware: 00.02.0195.0000   Drivers: - mlnx-dpdk: 'MLNX_DPDK 22.11.2504.0.2' - Kernel: 5.15.0-1064-bluefield   Tools: - MFT: 4.32.0-94 - mstflint: 4.29.0-1   Storage: - mlnx-libsnap 1.6.0-1 - spdk 23.01.5-24 - virtio-net-controller 24.10.15-1   DOCA: - doca-apsh-config 2.9.0064-1 - libdoca-sdk-urom-dev 2.9.0064-1 ... FlexIO: - flexio-samples 24.10.2447 - flexio-sdk 24.10.2447 ... SoC Platform: - mlxbf-gige-modules 1.0-0.kver.6.1.0-11-arm64 - sdhci-of-dwcmshc-modules 1.0-0.kver.6.1.0-11-arm64 ... OFED: rdma-core 2410mlnx54-1.2410051 ucx 1.18.0-1.2410051 ...

  6. To configure the tmfifo_net0 interface over IPv4 for SSH access to the BlueField Arm OS:

    Copy
    Copied!
                

    host# ifconfig tmfifo_net0 192.168.100.1/24

    Info

    SSH into the BlueField Arm OS with 192.168.100.2 (preconfigured default):

    Copy
    Copied!
                

    host# ssh ubuntu@192.168.100.2

This procedure allows for upgrading DOCA components on BlueField networking platforms (DPUs or SuperNICs) using standard Linux tools (e.g., apt update and yum update). It leverages native package manager repositories to update components without requiring a full reinstallation.

Note

While this approach enables updating specific DOCA components, the combinations created by selective updates are not validated by NVIDIA. NVIDIA only validates the full installation of the BF-Bundle package.

Note

Upgrading DOCA components on BlueField networking platforms using standard Linux tools will install the new doca-eula package located at /etc/NVIDIA/doca-license/DOCA-EULA.txt. By installing this package, you accept the NVIDIA DOCA SDK end-user license agreement.

This process has the following benefits :

  • Only updates components that include modifications

  • Includes upgrade of:

    • DOCA drivers and libraries

    • DOCA reference applications

    • BSP (UEFI/ATF) upgrade while maintaining the configuration

    • NIC firmware upgrade while maintaining the configuration

    • BMC components upgrade

  • Does not:

    • Impact user binaries

    • Upgrade non-Ubuntu OS kernels

  • After completion of BlueField upgrade:

    • If NIC firmware was not updated, perform BlueField Arm reset (software reset/reboot BlueField )

    • If NIC firmware was updated, perform firmware reset (mlxfwreset) or perform a graceful shutdown and power cycle

DEB-based

Action

Instructions

Export the desired distribution

Export DOCA_REPO with the relevant URL:

Copy
Copied!
            

<bf> $ export DOCA_REPO="<URL>"

Add GPG key to APT trusted keyring

Copy
Copied!
            

<bf> $ curl $DOCA_REPO/GPG-KEY-Mellanox.pub | gpg --dearmor > /etc/apt/trusted.gpg.d/GPG-KEY-Mellanox.pub

Add DOCA online repository

Copy
Copied!
            

<bf> $ echo "deb [signed-by=/etc/apt/trusted.gpg.d/GPG-KEY-Mellanox.pub] $DOCA_REPO ./" > /etc/apt/sources.list.d/doca.list

Update index

Copy
Copied!
            

<bf> $ apt update

Choose one of the two options for packages upgrade

Option-1

Upgrade BlueField FW Bundle package ( including ATF-UEFI, NIC firmware, and BMC firmware ):

Copy
Copied!
            

<bf> $ apt install bf-fwbundle

Option-2

System upgrade (install all packages):

Copy
Copied!
            

<bf> $ apt upgrade

Configure BMC parameters

Add the BMC user and password to config file /etc/bf-upgrade.conf. The format of bf-upgrade.conf should be identical to bf.cfg. Refer to "Customizing BlueField Software Deployment" for information.

Copy
Copied!
            

<bf> $ cat > /etc/bf-upgrade.conf << EOF BMC_USER="<username>" BMC_PASSWORD="<password>" EOF

Components activation

Copy
Copied!
            

<bf> $ dpu-bmc-upgrade

Info

The upgrade process should take up to 20 minutes.

Apply the new changes, NIC firmware, and UEFI/ATF

For the upgrade to take effect, perform BlueField system reboot.

Note

This step triggers immediate reboot of the BlueField Arm cores.


RPM-based

Action

Instructions

Export the desired distribution

Export DOCA_REPO with the relevant URL:

Copy
Copied!
            

<bf> $ export DOCA_REPO="<URL>"

Add DOCA online repository

Copy
Copied!
            

echo "[doca] name=DOCA Online Repo baseurl=$DOCA_REPO enabled=1 gpgcheck=0 priority=10 cost=10" > /etc/yum.repos.d/doca.repo

A file is created under /etc/yum.repos.d/doca.repo.

Update index

Copy
Copied!
            

<bf> $ yum makecache

Choose one of the two options for packages upgrade

Option-1

Upgrade BlueField FW Bundle package ( including ATF-UEFI, NIC firmware, and BMC firmware ):

Copy
Copied!
            

<bf> $ dnf install bf-fwbundle

Option-2

  1. Unlock the kernel (delete the kernel lock) to ensure the required kernel by DOCA packages are applied on your system:

    Copy
    Copied!
                

    <bf> dnf install -y 'dnf-command(versionlock)' <bf> dnf versionlock delete kernel*

  2. System upgrade (install all packages):

    Copy
    Copied!
                

    <bf> $ dnf upgrade --nobest

  3. Pin the kernel package versions:

    Copy
    Copied!
                

    <bf> dnf versionlock kernel*

  4. Update grub file parameter to enable the OS to boot after BlueField system reboot:

    *Replace the <OS_NAME> according to your operating system.

    Example for OS name: anolis, openEuler,rocky

Copy
Copied!
            

<bf> $ sed -i 's/^GRUB_DEFAULT=.*/GRUB_DEFAULT=0/' /etc/default/grub <bf> $ grub2-mkconfig -o /boot/efi/EFI/<OS_NAME>/grub.cfg

Configure BMC parameters

Add the BMC user and password to config file /etc/bf-upgrade.conf. The format of bf-upgrade.conf should be identical to bf.cfg. Refer to "Customizing BlueField Software Deployment" for information.

Copy
Copied!
            

<bf> $ cat > /etc/bf-upgrade.conf << EOF BMC_USER="<username>" BMC_PASSWORD="<password>" EOF

Components activation

Copy
Copied!
            

<bf> $ dpu-bmc-upgrade

Info

The upgrade process should take up to 20 minutes.

Apply the new changes, NIC firmware, and UEFI/ATF

For the upgrade to take effect, perform BlueField system reboot.

Note

This step triggers immediate reboot of the BlueField Arm cores.


The DOCA Installer is a utility for installing or upgrading one or more BlueField DPUs in parallel. It supports both bf-bundle and bf-fw-bundle image types and is compatible with multiple BlueField operation modes, including NIC mode, DPU mode, or both on the same host. Customization is supported through INI or YAML configuration files.

Prerequisites

Make sure to update DOCA on the host side before installing doca-installer.

DEB-based

  1. Download and install the DOCA host repo from the NVIDIA DOCA Downloads page.

  2. Install doca-installer using the following command:

    Copy
    Copied!
                

    host# apt-get install doca-installer

RPM-based

  1. Download the DOCA host repo from the NVIDIA DOCA Downloads page.

  2. Install doca-installer using the following command:

    Copy
    Copied!
                

    host# sudo yum install doca-installer


DOCA Installer Operation Modes

The installer supports the following execution modes:

  • Global run (applies to all devices):

    Copy
    Copied!
                

    host# doca-installer -b <image_path.bfb> -c <path-to-config>

  • Per PSID group (targets devices sharing the same PSID):

    Copy
    Copied!
                

    host# doca-installer -b <image_path.bfb> --psid <PSID> -c <path-to-config>

    Info

    To exclude devices when using global or per-PSID runs, use --exclude rshim<X>.

  • Per RShim device (targets a specific RShim interface):

    Copy
    Copied!
                

    host# doca-installer -b <image_path.bfb> --rshim rshim<N> -c <path-to-config>

Where:

  • -c or --config-file – defines a configuration via INI or YAML files

    Note

    To upgrade BMC, CEC, or Golden Image firmware, include BMC_USER and BMC_PASSWORD in the bf.cfg or bf.yaml file.

  • <path-to-config> – Path to the INI or YAML configuration file

  • <image_path.bfb> – Path to the BFB image file

  • <PSID> – Shared PSID value for the target group

    Note

    Devices that do not match the provided PSID will not be upgraded.

  • <N> – RShim device index (e.g., 0 for a single-device setup)

Note

The doca-installer script attempts to load the new NIC firmware automatically, but if that fails, it will print out the following message:

Copy
Copied!
            

INFO: At least one device requires a host power cycle for new NIC Firmware to be loaded.

Note

If the script discovers that one or more of the devices did not have BMC_REBOOT set to 'yes' as part of the configuration file, it will print out the following message:

Copy
Copied!
            

WARNING: BMC_REBOOT is not configured for all devices or is not set to 'yes'. BMC firmware updates will only take effect after a BMC reboot.


Configuration File Options

YAML Configuration File

The YAML format supports global and per-device customization using structured keys:

  • global_configs – Shared parameters for all devices (e.g., credentials)

  • rshim – Device-specific configurations

    • Each key under rshim (e.g., rshim1, rshim2) defines variables and methods for that device

  • variables – Parameters that control the installation process (e.g., WITH_NIC_FW_UPDATE, BMC_REBOOT)

  • methods – Custom shell commands run during installation. You can use YAML anchors (&, *) to reuse methods across devices.

Note

When a value is defined both globally and per-device, the per-device value takes precedence.

Per-Device Configuration Only Example

Copy
Copied!
            

rshim: rshim1: variables: BMC_USER: 'root' BMC_PASSWORD: '<root password>' methods: bfb_modify_os: command: | sed -i -e "s@192.168.100.2@192.168.101.2@" /mnt/etc/sysconfig/network-scripts/ifcfg-tmfifo_net0 sed -i -e "s@192.168.100.1@192.168.101.1@" /mnt/etc/sysconfig/network-scripts/ifcfg-tmfifo_net0


Global Configuration Only Example

Copy
Copied!
            

global_configs: variables: BMC_USER: 'root' BMC_PASSWORD: '<root password>'


Global and Per-Device Configuration Example

Copy
Copied!
            

global_configs: variables: BMC_USER: 'root' BMC_PASSWORD: '<root password>'   rshim: rshim1: variables: WITH_NIC_FW_UPDATE: 'no' rshim2: variables: BMC_PASSWORD: '<rshim2 password>'


Reusing Methods with Anchors Example

Copy
Copied!
            

global_configs: variables: BMC_USER: 'root' BMC_PASSWORD: '<root password>'   rshim: rshim1: variables: BMC_REBOOT: 'yes' methods: bfb_post_install: &default_post_install command: | echo "Running post-install on rshim1"   rshim2: methods: bfb_post_install: *default_post_install

INI Configuration File

Per-Device Configuration ini Copy Edit Example

Copy
Copied!
            

RSHIM0_BMC_USER="root" RSHIM0_BMC_PASSWORD="<password>"   RSHIM1_BMC_USER="root" RSHIM1_BMC_PASSWORD="<password>"


Shared and Per-Device Parameters Example

Copy
Copied!
            

# Shared across all devices BMC_USER="root" BMC_PASSWORD="<password>" BMC_NEW_PASSWORD="<new password>"   # Device-specific (optional) RSHIM0_NET_RSHIM_MAC=00:1a:ca:ff:ff:01 RSHIM1_NET_RSHIM_MAC=00:1a:ca:ff:ff:03

Logs and Debuggability

The DOCA Installer tool provides extended logging and improved debuggability compared to the legacy bfb-install tool.

Note

For each execution of the doca-installer, a unique log directory is created under:

Copy
Copied!
            

/var/log/doca_installer_logs/doca_installer_<timestamp>

This directory includes comprehensive logs and outputs such as:

  • Full execution log of the doca-installer tool

  • rshim diagnostics (per device)

  • lspci output (per device and full system)

  • bfb-install output

  • mlxconfig output

  • mlxprivhost output

  • mstdump output (if applicable)

  • flint image retrieval logs (if applicable)


DOCA Installer Standalone Flags

The doca-installer tool introduces enhanced capabilities for comparing target image firmware versions with those currently running on devices. This allows for safer, more controlled upgrade decisions.

Fetch Firmware Versions from Image

Use the --show-target-fw flag to display firmware versions embedded in the provided BFB image:

Copy
Copied!
            

host# doca-installer -b <image_path.bfb> --show-target-fw

Example output:

fetch-firmware-versions-from-image-version-1-modificationdate-1751918793157-api-v2.png

Fetch Firmware Versions from Running Devices

Use the --show-running-fw flag to display firmware versions currently installed on each detected BlueField device:

Copy
Copied!
            

host# doca-installer --show-running-fw

Example output:

fetch-firmware-versions-from-running-devices-version-1-modificationdate-1751918793880-api-v2.png

Compare Image vs. Running Firmware Versions

Use the --compare option to compare current firmware versions on each device with those contained in the image:

Copy
Copied!
            

host# doca-installer -b <image_path.bfb> --compare

Example output:

compare-image-vs-running-firmware-versions-version-1-modificationdate-1751918794227-api-v2.png

Supported DOCA-Host OS for DOCA Installer

The following OSs on the host machine are supported for doca-installer:

Operating System

Architecture

debian10.13

x86_64

aarch64

debian12.1

x86_64

aarch64

debian12.5

x86_64

aarch64

openeuler24.03

x86_64

aarch64

ol8.4

x86_64

ol8.6

x86_64

ol8.7

x86_64

ol8.8

x86_64

ol8.10

x86_64

ol9.1

x86_64

ol9.2

x86_64

ol9.4

aarch64

rhel8.2

x86_64

aarch64

rhel8.4

x86_64

aarch64

rhel8.6

x86_64

ppc64le

aarch64

rhel8.8

x86_64

ppc64le

aarch64

rhel8.9

x86_64

ppc64le

aarch64

rhel8.10

x86_64

ppc64le

aarch64

rhel9.0

x86_64

ppc64le

aarch64

rhel9.2

x86_64

ppc64le

aarch64

rhel9.4

x86_64

ppc64le

aarch64

rhel9.5

x86_64

aarch64

ppc64le

rhel9.6

x86_64

aarch64

ppc64le

ubuntu22.04

x86_64

ppc64le

aarch64

ubuntu24.04

x86_64

aarch64

ppc64le

ubuntu24.10

x86_64

ubuntu25.04

x86_64

aarch64

azurelinux3.0

x86_64

aarch64


Users wishing to build their own customized BlueField OS image can use the BFB build environment. For more details, refer to the bfb-build project in this GitHub webpage.

To boot a customized BlueField OS image on a UEFI secure-boot-enabled BlueField (the default secure boot setting), the following conditions must be met:

  • The OS image must be signed with a key already present in the UEFI DB (e.g., the Microsoft key)

  • If the above is not possible, UEFI secure boot must be disabled to allow booting of an unsigned or differently signed image

For detailed instructions on managing UEFI secure boot, refer to the "Secure Boot" page in the BlueField Platform SW Documentation.

© Copyright 2025, NVIDIA. Last updated on Jul 10, 2025.