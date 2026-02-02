BlueField software and firmware can be deployed using one of two methods:

Update Flow Description Supported Image Types Offline Update Flow Traditional method where the DPU or SuperNIC is taken out of service immediately when the update begins. The device reboots into maintenance mode, applies firmware, system image, and DOCA component updates, and reboots again to activate the new versions. Ensures a clean, immediate transition but involves downtime. This flow supports recovery as well. BF-Bundle BFB (firmware + Arm OS + DOCA)

BF-fwBundle BFB (firmware only)

Per-SKU BF-fwBundle BFB Deferred Update Flow BlueField-3 supports a Deferred Update Flow, which enables administrators to update firmware and DOCA components without immediate service interruption. This capability allows a DPU or SuperNIC to continue servicing workloads while a new firmware bundle and user-space/kernel DOCA components are staged in the background. The new versions become active only after an activation command and reset are applied, minimizing downtime in production environments. Per-SKU BF fwBundle BFB in flat format. Use bfb-tool with the --output-format flat option to convert to flat format.

The BFB deployment process consists of these main stages:

Stage Description 1 Disable RShim (if applicable) Ensure that the RShim interface is disabled on the host side where the given DPU resides to prevent interference with the BFB update process. 2 Transfer the BFB image Initiate the image transfer using one of the supported methods: Redfish interface via SCP, HTTP, or HTTPS When using SCP for the first time (or after a BMC factory reset), confirm the SSH identity of the BMC when connecting to the server hosting the BFB. Send the update request via the Redfish API.

Direct SCP — Transfer the BFB directly to the BMC file system using secure copy. 3 Monitor installation progress Track the update process and verify installation status through Redfish logs, BMC console, or CLI output. 4 Apply the new version Reboot the system to activate the new firmware and software. The specific reboot behavior depends on the selected update flow (offline or deferred).

If installing the BF-Bundle BFB with BlueField Arm OS, Ubuntu users are prompted to change the default password (ubuntu) for the default user (ubuntu) upon first login. Logging in will not be possible even if the login prompt appears until all services are up ( DPU is ready message appears in /dev/rshim0/misc ).

Alternatively, Ubuntu users can provide a unique password that will be applied at the end of the BFB installation. This password must be defined in a bf.cfg configuration file. To set the password for the ubuntu user:

Create password hash. Run: Copy Copied! # openssl passwd - 1 Password: Verifying - Password: $ 1 $3B0RIrfX$TlHry93NFUJzg3Nya00rE1 Add the password hash in quotes to the bf.cfg file: Copy Copied! # vim bf.cfg ubuntu_PASSWORD= '$1$3B0RIrfX$TlHry93NFUJzg3Nya00rE1' The bf.cfg file is used with the bfb-install script in the steps that follow.

Perform the following steps to update the device using the offline flow:



(SuperNIC only) Unbind the PFs from the host driver before starting the update. Run the following on the host:

Copy Copied! echo 0000:21:00.0 > /sys/bus/pci/drivers/mlx5_core/unbind # Example PCIe ID for the first PF echo 0000:21:00.1 > /sys/bus/pci/drivers/mlx5_core/unbind # Example PCIe ID for the second PF (if present) Run the following Redfish command to initiate the update:

Copy Copied! curl -k -u root: '<password>' -H "Content-Type: application/json" -X POST -d '{"TransferProtocol":"SCP", "ImageURI":"<image_uri>","Targets":["redfish/v1/UpdateService/FirmwareInventory/DPU_OS"], "Username":"<username>"}' https: Note This command initiates a soft reset on the BlueField and then pushes the boot stream. For NVIDIA-supplied BFBs, the eMMC is flashed automatically once the boot stream is pushed. Upon success, a running message is received. Info After the BMC boots, it may take a few seconds (6-8 seconds for NVIDIA® BlueField®-2, and 2 seconds for BlueField-3) until the BlueField BSP ( DPU_OS ) is up. (SuperNIC only) Once the installation is complete, bind the SuperNIC PFs back to the host driver:

Copy Copied! echo 0000:21:00.0 > /sys/bus/pci/drivers/mlx5_core/bind # Example PCI ID for the first PF echo 0000:21:00.1 > /sys/bus/pci/drivers/mlx5_core/bind # Example PCI ID for the second PF (if present)

Note Supported at beta level.

Deferred update flow enables upgrading DOCA components on NVIDIA® BlueField® platforms running in DPU mode while keeping services operational throughout the process. The update is applied only after a coordinated reset, minimizing downtime.

Download the per-SKU fw-bundle BFB from DOCA Downloads page. Note The installed firmware must be BSP 4.13.0 (DOCA 3.2.0) or later. Repackage the bf-fwbundle in flat format using the bfb-tool : Copy Copied! bfb-tool repack --bfb bf-fwbundle-<version>.bfb --psid <PSID> --output-format flat Expected output: Copy Copied! BFB: .../bf-fwbundle-*.flat.bfb (Optional) If a bf.cfg file is required, bundle it into the flat BFB using mlx-mkbfb . Copy Copied! mlx-mkbfb --boot-args bf.cfg <input_flat.bfb> <output_cfg_flat.bfb> If operating in DPU mode, add the DPU-BMC credentials to /etc/bf-upgrade.conf on the Arm OS using the standard bf.cfg format. For more details, refer to "Customizing BlueField Software Deployment". (Optional) To coordinate the BlueField reboot with the host reboot, run the following on the BlueField Arm OS: Copy Copied! mlxconfig -d /dev/mst/<device> set INT_CPU_AUTO_SHUTDOWN= 1 Note This must be configured in advance, as it requires a BlueField system-level reset to take effect.

Copy Copied! curl -k -u root: '<password>' -H "Content-Type: application/json" -X POST -d '{"TransferProtocol":"HTTP", "ImageURI":"<image_uri>","Targets":["redfish/v1/UpdateService/FirmwareInventory/DPU_OS"], "Username":"<username>", "Stage":true}' https:

Note The parameter Stage is only supported when Targets is set to redfish/v1/UpdateService/ FirmwareInventory/DPU_OS . Another deferred update will fail if the staging has not completed.

Example success message if the request is valid and a task is created:

Copy Copied! { "@odata.id" : "/redfish/v1/TaskService/Tasks/<task_id>" , "@odata.type" : "#Task.v1_4_3.Task" , "Id" : "<task_id>" , "TaskState" : "Running" , "TaskStatus" : "OK" }

image_uri – specifies the complete location of the BFB file on the remote server. It is constructed by joining the Remote Server IP and the Absolute File Path with a single forward slash (i.e., <Remote_IP>/<Absolute_Path> ). Note Because absolute paths start with a slash (e.g., /tmp/... ), the final string will typically contain a double slash ( // ) between the IP and the directory. For example, if the IP is 10.10.10.10 and the file path is /tmp/image.bfb , the resulting URI is: "ImageURI": "10.10.10.10//tmp/image.bfb" .

TransferProtocol – set to either SCP , HTTP , HTTPS Note If using HTTPS, make sure the BMC has a certificate to authenticate the HTTPS server. Or install a valid certificate to authenticate: Copy Copied! curl -c cjar -b cjar -k -u root: '<password>' -X POST https:

username – username on the remote server (only required for SCP)

– username on the remote server (only required for SCP) bmc_ip – BMC IP address

– BMC IP address Stage – a value of True indicates a deferred flow, a value of False or omitting this parameter indicates an offline update flow

Note Relevant only for SCP users with Redfish.

Note The following is an example for how to generate the server public key on Ubuntu 22.04 and it may be different on other OS distributions/versions.

Gather the public SSH host keys of the server holding the new.bfb file. Run the following against the server holding the new.bfb file ("Remote Server"): Info OpenSSH is required for this step. Copy Copied! ssh-keyscan -t <key_type> <remote_server_ip> Where: key_type – the type of key associated with the server storing the BFB file (e.g., ed25519)

– the type of key associated with the server storing the BFB file (e.g., ed25519) remote_server_ip – the IP address of the server hosting the BFB file Retrieve the remote server's public key from the response, and send the following Redfish command to the BlueField BMC: Copy Copied! curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST -d '{"RemoteServerIP":"<remote_server_ip>", "RemoteServerKeyString":"<remote_server_public_key>"}' https://<bmc_ip>/redfish/v1/UpdateService/Actions/Oem/NvidiaUpdateService.PublicKeyExchange Where: password – BlueField BMC password

– BlueField BMC password remote_server_ip – the IP address of the server hosting the BFB file

– the IP address of the server hosting the BFB file remote_server_public_key – remote server's public key from the ssh-keyscan response, which contains both the type and the public key with one space between the two fields (i.e., " <type> <public_key> ")

– remote server's public key from the response, which contains both the type and the public key with between the two fields (i.e., " ") bmc_ip – BMC IP address Extract the BMC public key information (i.e., " <type> <bmc_public_key> <username>@<hostname> ") from the PublicKeyExchange response and append it to the authorized_keys file on the remote server holding the BFB file. This enables password-less key-based authentication for users. Copy Copied! { "@Message.ExtendedInfo": [ { "@odata.type": "#Message.v1_1_1.Message", "Message": "Please add the following public key info to ~/.ssh/authorized_keys on the remote server", "MessageArgs": [ "<type> <bmc_public_key> root@dpu-bmc" ] }, { "@odata.type": "#Message.v1_1_1.Message", "Message": "The request completed successfully.", "MessageArgs": [], "MessageId": "Base.1.15.0.Success", "MessageSeverity": "OK", "Resolution": "None" } ] }

After receiving a success message of a valid SimpleUpdate request and a running task state. Run the following Redfish command to track image transfer status and progress:

Copy Copied! curl -k -u root: '<password>' -X GET https:

Note During the transfer, the PercentComplete value remains at 0 for offline update flow. If no errors occur, the TaskState is set to Running , and a keep-alive message is generated every 5 minutes. Once the transfer is completed, the PercentComplete is set to 100 , and the TaskState is updated to Completed . Upon failure, a message is generated with the relevant resolution.

Example:

Copy Copied! { "@odata.type" : "#MessageRegistry.v1_4_1.MessageRegistry" , "Message" : "Image 'new.bfb' is being transferred to '/dev/rshim0/boot'." , "MessageArgs" : [ "new.bfb" , "/dev/rshim0/boot" ], "MessageId" : "Update.1.0.TransferringToComponent" , "Resolution" : "Transfer started" , "Severity" : "OK" }, … "PercentComplete" : 60 , "StartTime" : "2024-06-10T19:39:03+00:00" , "TaskMonitor" : "/redfish/v1/TaskService/Tasks/1/Monitor" , "TaskState" : "Running" , "TaskStatus" : "OK"

In the Offline Update Flow, once the image transfer finishes, users can use the RShim miscellaneous messages log dump to track the installation's progress and status.

Initiate request for dump download: Copy Copied! sudo curl -k -u root:'<password>' -d '{"DiagnosticDataType": "Manager"}' -X POST https://<ip_address>/redfish/v1/Managers/Bluefield_BMC/LogServices/Dump/Actions/LogService.CollectDiagnosticData Where: <ip-address> – BMC IP address

– BMC IP address <password> – BMC password Use the received task ID to poll for dump completion: Copy Copied! sudo curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<ip_address>/redfish/v1/TaskService/Tasks/<task_id> Where: <ip-address> – BMC IP address

– BMC IP address <password> – BMC password

– BMC password <task_id> – Task ID received from the first command Once dump is complete, download and review the dump: Copy Copied! sudo curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<ip_address>/redfish/v1/Managers/Bluefield_BMC/LogServices/Dump/Entries/<entry_id>/attachment --output </path/to/tar/log_dump.tar.xz> Where: <ip-address> – BMC IP address

– BMC IP address <password> – BMC password

– BMC password <entry_id> – The entry ID of the dump in redfish/v1/Managers/Bluefield_BMC/LogServices/Dump/Entries

– The entry ID of the dump in </path/to/tar/log_dump.tar.xz> – path to download the log dump log_dump.tar.xz Untar the file to review the logs. For example: Copy Copied! tar xvfJ log_dump.tar.xz The log is contained in the rshim.log file. The log displays Reboot , finished , DPU is ready , or In Enhanced NIC mode when BFB installation completes. Note If the downloaded log file does not contain any of these strings, keep downloading the log file until they appear. When installation is complete, you may crosscheck the new BFB version against the version provided to verify a successful upgrade: Copy Copied! curl -k -u root:"<PASSWORD>" -H "Content-Type: application/json" -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory/DPU_OS Example response: Copy Copied! "@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_OS", "@odata.type": "#SoftwareInventory.v1_4_0.SoftwareInventory", "Description": "Host image", "Id": "DPU_OS", "Members@odata.count": 1, "Name": "Software Inventory", "RelatedItem": [ { "@odata.id": "/redfish/v1/Systems/Bluefield/Bios" } ], "SoftwareId": "", "Status": { "Conditions": [], "Health": "OK", "HealthRollup": "OK", "State": "Enabled" }, "Updateable": true, "Version": "DOCA_2.2.0_BSP_4.2.1_Ubuntu_22.04-8.23-07"

Check the staging status after the transfer (i.e., the SimpleUpdate task) is completed successfully. A successful result of the staging procedure will be com.nvidia.BF.Rshim.Status.Completed after staging completes.

Copy Copied! curl -k -u root: '<password>' -H "Content-Type: application/json" -X GET https: { "UpdateStatus" : "com.nvidia.BF.Rshim.Status.Completed" }

Note The UpdateStatus can be: 'com.nvidia.BF.Rshim.Status.Invalid' Note This references not having RShim on BMC side.

'com.nvidia.BF.Rshim.Status.Idle'

'com.nvidia.BF.Rshim.Status.InProgress'

'com.nvidia.BF.Rshim.Status.Completed'

'com.nvidia.BF.Rshim.Status.Failed' The default status is com.nvidia.BF.Rshim.Status.Idle and it take a while to update the status from com.nvidia.BF.Rshim.Status.Idle to com.nvidia.BF.Rshim.Status.InProgress after the SimpleUpdate command is sent. The final status should be com.nvidia.BF.Rshim.Status.Completed or com.nvidia.BF.Rshim.Status.Failed .

Once staging is completed successfully, issue the Activate command. Activation is required to apply the new staged components:

Copy Copied! curl -k -u root: '<password>' \ -H "Content-Type: application/json" \ -X POST https:

Notes on BMC firmware activation:

Regular BFB bundle – BMC firmware is updated without needing this manual activation command.

PLDM BFB bundle – This activation command is required to apply the new BMC firmware.

To complete an update to a new GA release, the DOCA Components on the Arm OS are to be updated as well. User may SSH into the DPU Arm OS and use standard Linux tools to update the DOCA components. See section "Upgrading BlueField Using Standard Linux Tools" in DOCA documentation for more details.

The following are different options for applying the new version:

Reset Type Mode of Operation Applying Reset Steps Notes Cold Boot (AC/DC Power Cycle) DPU Mode

NIC Mode (DPU Mode only) Gracefully shut down the BlueField Arm OS. Perform a full server power cycle. The firmware update is applied automatically during power-up.

DPU Mode only: The BlueField Arm OS must be manually shut down before the reboot; otherwise, the update will not apply. Standard Warm Reboot DPU Mode

NIC Mode (DPU Mode only) Gracefully shut down the BlueField Arm OS. Perform a server warm reboot. Updates firmware and software after reboot.

DPU Mode only: The BlueField Arm OS must be manually shut down before the reboot; otherwise, the update will not apply. Coordinated Reset (Server + DPU) DPU Mode When the administrator has completed all update flows, the DPU must be armed for the coordinated reset. Run the following command from the BlueField Arm OS. This sets a firmware trigger ( MFRL[reset_trigger]=0x48 ) that instructs the DPU and its DPU-BMC to automatically reset in sync with the next host server reboot. This coordinated reset is required to apply the new firmware and software versions. Copy Copied! mlxreg -d /dev/mst/<device> -y --set "reset_trigger=c" --reg_name= "MFRL" Perform a server warm reboot. Note Once the coordinated reset is triggered, the BlueField DPU expects the next PCIe reset to be part of a host reboot flow.

Success – If the subsequent PCIe reset originates from a host reboot, the coordinated reset completes successfully.

Stall condition – If the PCIe reset is triggered by any other source, the DPU will stall in a "prepare for reset" state.

Recovery – To recover from this state, you must perform a host reboot or power-cycle the host to finalize the sequence. Relevant to Deferred Update Flow only.

The next warm reboot will: Gracefully shut down BlueField Arm cores Reset the NIC, Arm Complex, and BMC Boot from the new firmware image



After DPU reboots, check that the components have been updated: