The Bluefield software distribution provides a boot file that can be used to update the eMMC boot partitions. The BlueField boot file (BFB) is located in the boot directory <BF_INST_DIR>/boot/ and contains all the necessary boot loader images (i.e. ATF binary file images and UEFI binary image).

The table below presents the pre-built boot images included within the BlueField software release:

Filename Description bl1.bin The trusted firmware bootloader stage 1 (BL1) image, already stored into the on-chip boot ROM. It is executed when the device is reset. bl2r.bin The secure firmware (RIoT core) image. This image provides support for crypto operation and calculating measurements for security attestation and is relevant to BlueField-2 devices only. bl2.bin The trusted firmware bootloader stage 2 (BL2) image bl31.bin The trusted firmware bootloader stage 3-1 (BL31) image BLUEFIELD_EFI.fd The UEFI firmware image. It is also referred to as the non-trusted firmware bootloader stage 3-3 (BL33) image. default.bfb The BlueField boot file (BFB) which encapsulates all bootloader components such as bl2r.bin, bl2.bin, bl31.bin, and BLUEFIELD_EFI.fd. This file may be used to boot the BlueField devices from the RShim interface. It also could be installed into the eMMC boot partition.

It is also possible to build bootloader images from sources and create the BlueField boot file (BFB). Please refer to the sections below for more details.

The software image includes various tools and utilities to update the eMMC boot partitions. It also embeds a boot file in "/lib/firmware/mellanox/boot/default.bfb". To update the eMMC boot partitions using the embedded boot file, execute the following command from the BlueField console:

Copy Copied! $ /opt/mellanox/scripts/bfrec

Warning bfrec is also available under " /usr/bin ".

The boot partitions update is initiated by the bfrec tool at runtime. With no options specified, the "bfrec" uses the default boot file "/lib/firmware/mellanox/boot/default.bfb" to update the boot partitions of device /dev/mmcblk0. This might be done directly in an OS using the "mlxbf-bootctl" utility, or at a later stage after reset using the capsule interface.

The syntax of bfrec is as follows:

Copy Copied! Syntax: bfrec [--help] [--bootctl [<FILE>]] [--capsule [<FILE>]] Description: --help : print help --bootctl [<FILE>] : update the boot partition via the kernel path. If no FILE is specified, then default is used. --capsule [<FILE>] : update the boot partition via the capsule path. If no FILE is specified, then default is used. --policy POLICY : determines the update policy. May be: single - updates the secondary partition and swaps to it, dual - updates both boot partitions, does not swap. If this flag is not specified, 'single' policy is assumed.

When bfrec is called with the option --bootctl , the tool uses the boot file FILE, if given, rather than the default /lib/firmware/mellanox/boot/default.bfb in order to update the boot partitions. The command line usage is as follows:

Copy Copied! $ bfrec --bootctl $ bfrec --bootctl FILE

Where FILE represents the BlueField boot file encapsulating the new bootloader images to be written to the eMMC boot partitions.

For example, if the new bootstream file which we would like to install and validate is called newdefault.bfb , download the file to the BlueField and update the eMMC boot partitions by executing the following commands from the BlueField console:

Copy Copied! # /opt/mellanox/scripts/bfrec –-bootctl newdefault.bfb

The --capsule option updates the boot partition via the capsule interface. The capsule update image is reported in UEFI, so that at a later point the bootloader consumes the capsule file and performs the boot partition update. This option might be executed with or without additional arguments. The command line usage is as follows:

Copy Copied! $ bfrec --capsule $ bfrec –-capsule FILE

Where FILE represents the capsule update image file encapsulating the new boot image to be written to the eMMC boot partitions.

For example, if the new bootstream file which we want to install and validate is called " newdefault.bfb ", download the file to the BlueField and update the eMMC boot partitions by executing the following commands from the BlueField console:

Copy Copied! $ /opt/mellanox/scripts/bfrec --capsule newdefault.bfb $ reboot

For more information about the capsule updates, please refer to <BF_INST_DIR>/Documentation/HOWTO-capsule .

After reset, the BlueField platform boots from the newly updated boot partition. To verify the version of ATF and UEFI, execute the following command:

Copy Copied! $ /opt/mellanox/scripts/bfver

It is also possible to update the eMMC boot partitions directly with the mlxbf-bootctl tool. The tool is shipped as part of the software image (under /sbin ) and the sources are shipped in the src directory in the BlueField Runtime Distribution. A simple make command builds the utility.

The syntax of mlxbf-bootctl is as follows:

Copy Copied! syntax: mlxbf-bootctl [--help | -h] [--swap | -s] [--device | -d MMCFILE] [--output | -o OUTPUT] [--read | -r INPUT] [--bootstream | -b BFBFILE] [--overwrite-current] [--watchdog-swap interval | --nowatchdog-swap]

Where:

--device – use a device other than the default /dev/mmcblk0

--bootstream – write the specified bootstream to the alternate partition of the device. This queries the base device (e.g. /dev/mmcblk0 ) for the alternate partition, and uses that information to open the appropriate boot partition device (e.g. /dev/mmcblk0boot0 ).

--overwrite-current (used with " --bootstream ") – overwrite the current boot partition instead of the alternate one Important Not recommended as there is no easy way to recover if the new bootloader code does not bring the system up. Use --swap instead.

--output (used with " --bootstream ") – specify a file to which to write the boot partition data (creating it if necessary), rather than using an existing master device and deriving the boot partition device

--watchdog-swap – arrange to start the Arm watchdog timer with a countdown of the specified number of seconds until it triggers; also, set the boot software so that it swaps the primary and alternate partitions at the next reset

--nowatchdog-swap – ensure that after the next reset, no watchdog is started, and no swapping of boot partitions occurs

To update the boot partitions, execute the following command:

Copy Copied! $ mlxbf-bootctl –-swap –-device /dev/mmcblk0 --bootstream default.bfb

This writes the new bootstream to the alternate boot partition, swaps alternate and primary so that the new bootstream is used on the next reboot.

It is recommended to enable the watchdog when calling mlxbf-bootcl in order to ensure that the Arm bootloader can perform alternate boot in case of a nonfunctional bootloader code within the primary boot partition. If something goes wrong on the next reboot and the system does not come up properly, it will reboot and return to the original configuration. To do so, the user may run:

Copy Copied! $ mlxbf-bootctl --bootstream bootstream.new --swap --watchdog-swap 60

This reboots the system, and if it hangs for 60 seconds or more, the watchdog fires and resets the chip, the bootloader swaps the partitions back again to the way they were before, and the system reboots back with the original boot partition data. Similarly, if the system comes up but panics and resets, the bootloader will again swap the boot partition back to the way it was before.

The user must ensure that Linux after the reboot is configured to boot up with the sbsa_gwdt driver enabled. This is the Server Base System Architecture (SBSA) Generic WatchDog Timer. As soon as the driver is loaded, it begins refreshing the watchdog and preventing it from firing, which allows the system to finish booting up safely. In the example above, 60 seconds are allowed from system reset until the Linux watchdog kernel driver is loaded. At that point, the user’s application may open /dev/watchdog explicitly, and the application would then become responsible for refreshing the watchdog frequently enough to keep the system from rebooting.

For documentation on the Linux watchdog subsystem, see Linux watchdog documentation.

To disable the watchdog completely, run:

Copy Copied! $ echo V > /dev/watchdog

The user may select to incorporate other features of the Arm generic watchdog into their application code using the programming API as well.

Once the system has booted up, in addition to disabling or reconfiguring the watchdog itself if the user desires, they must also clear the "swap on next reset" functionality from the bootloader by running:

Copy Copied! $ mlxbf-bootctl --nowatchdog-swap

Otherwise, next time the system is reset (via reboot, external reset, etc.) it assumes a failure or watchdog reset occurred and swaps the eMMC boot partition automatically.

Officially released bootloaders (ATF and UEFI) may be alternatively installed from the LVFS (Linux Vendor Firmware Service). LVFS is a free service operated by the Linux Foundation, which allows vendors to host stable firmware images for easy download and installation.

Warning The DPU must have a functioning connection to the internet.

Interaction with LVFS is carried out through a standard open-source tool called fwupd. fwupd is an updater daemon that runs in the background, waiting for commands from a management application. fwupd and the command line manager, fwupdmgr, comes pre-installed on the BlueField Ubuntu image.

To verify bootloader support for a fwupd update, run the following command:

Copy Copied! $ fwupdmgr get-devices

If "UEFI Device Firmware" device appears, then your currently installed bootloader supports the update process. Other devices may appear depending on your distribution of choice. Version numbers similar to 0.0.0.1 may appear if you are using an older version of the bootloader.

Before updating, a fresh list of release metadata must be obtained. Run: Copy Copied! $ fwupdmgr refresh Optionally, to confirm if a new release is available, run: Copy Copied! $ fwupdmgr get-releases Update your system bootloader, run "upgrade" with the GUID of the UEFI device. Run: Copy Copied! $ fwupdmgr upgrade 39342586-4e0e-4833-b4ba-1256b0ffb471 This will upgrade the ATF and UEFI to the latest available stable version of the bootloader through a UEFI capsule update, without upgrading the root file system. If your system is already at the latest available version, this upgrade command will do nothing. Reboot the DPU to complete the upgrade.

Warning Installing boot firmware directly through mlxbf-bootctl may cause fwupdmgr to detect an incorrect version string. If your workflow depends on fwupd, try to update the bootloader through capsule update (i.e. bfrec --capsule) or fwupdmgr only.

For more information about LVFS and fwupd, please refer to the official website of LVFS.

Updating Boot Partitions with BMC

The Arm cores notify the BMC prior to the reboot that an upgrade is about to happen. Software running on the BMC can then be implemented to watch the Arm cores after reboot. If after some time the BMC does not detect the Arm cores come up properly, it can use its USB debug connection to the Arm cores to properly reset the Arm cores. It first sets a suitable mode bit that the Arm bootloader responds to by switching the primary and alternating boot partitions as part of resetting into its original state.