Updating Platform Firmware

1.0

To update the platform firmware on secured devices, download the latest NVIDIA BlueField software images from NVIDIA.com.

The capsule file /lib/firmware/mellanox/boot/capsule/MmcBootCap is used to update the eMMC boot partition and update the Arm pre-boot code (i.e., Arm trusted firmware and UEFI).

The capsule file is signed with NVIDIA keys. If UEFI secure boot is enabled, make sure the NVIDIA certificate files are enrolled into the UEFI database. Please refer to "UEFI Secure Boot" for more information on how to update the UEFI database key certificates.

To initiate the update of the eMMC boot partitions, run the following command:

Copy
Copied!
            

ubuntu@localhost:~$ sudo bfrec --capsule /lib/firmware/mellanox/boot/capsule/MmcBootCap

After the command completes, reboot the system to process the capsule file. On the next reboot, UEFI will verify the capsule signature. If verified, UEFI will process the capsule file, extract the pre-boot image and burn it into the eMMC boot partitions.

Note that the pre-boot code is signed with the NVIDIA key. The bootloader images are installed into the eMMC with their associated certificate files. The public key is derived from the certificate file and its integrity is verified by the ROM code against an on-chip public key hash value stored in E-FUSEs. If the verification fails, then the pre-boot code will not be allowed to execute.

Recovering eMMC Boot Partition

If the system cannot boot from the eMMC boot partitions for any reason, it is recommended to download a valid BFB image and boot it over the BlueField platform.

The recovery path relies on the platform to be configured to boot solely from the RShim interface (either RShim USB or RShim PCIe). With this configuration there must not be a way to interrupt or bypass the RoT when secure booting.

You will need to append a capsule file to the BFB prior to booting. Run:

Copy
Copied!
            

$ mlx-mkbfb --capsule MmcBootCap install.bfb recovery_install.bfb

Then boot the recovery_install.bfb using the RShim interface. Run:

Copy
Copied!
            

$ cat recovery_install.bfb > /dev/rshim0/boot

The capsule file will be processed by UEFI upon boot.

The SPI flash contains the firmware image of the DPU firmware in FS4 format. The firmware image is provided along with the software.

There are two different ways to install the firmware image:

  • From the BlueField console, using the following command:

    Copy
    Copied!
                

    ubuntu@localhost:~$ /opt/mellanox/mlnx-fw-updater/firmware/mlxfwmanager_sriov_dis_aarch64_41686

  • From the PCIe host console, using the following command:

    Copy
    Copied!
                

    # flint -d /dev/mst/mt41686_pciconf0 -i firmware.bin b

© Copyright 2023, NVIDIA. Last updated on Oct 3, 2023.