Date: 2026-01-15
Secure Firmware Update
Secure Firmware Update is supported only on ConnectX-4 onwards adapter cards.
A “Secure firmware update” is the ability of a device to verify digital signatures of new firmware binaries, in order to assure that only officially approved versions can be installed from the host, the network[1] or a Board Management Controller (BMC).
The firmware of devices with “secure firmware update” functionality (secure FW) restricts access to specific commands and registers that can be used to modify the firmware binary image on the flash, as well as commands that can jeopardize security in general. Most notably, the commands and registers for random flash access are disabled.
Secure FW verifies new binaries before activating them, whereas on legacy devices this task is done by the update tool using direct flash access commands. In addition to signature verification, secure FW also checks that the binary is designated for the same device model, that the new firmware is also secured, and that the new FW version is not included in a forbidden versions blacklist. The firmware rejects binaries that do not match the verification criteria.
Secure FW utilizes the same ‘fail safe’ upgrade procedures, so events like power failure during update should not leave the device in an unstable state. The table below lists the impact of secure FW update on MFT tools.
| Tool | Flow | Secure FW | With CS Token | Blocked Commands |
|---|---|---|---|---|
| flint / mlxburn | Burn FW | Working with controlled fw update | Working with controlled fw update | |
| | Query | Working with controlled fw update | Working with controlled fw update | |
| | Set GUIDs | Working with controlled fw update | Working with controlled fw update | |
| | Verify | Working partially (BOOT image) | Working partially (BOOT image) | |
| | Set DV INFO: SET MFG, SET VSD, VPD | Not supported in Secure FW | Not supported in Secure FW | MFBA |
| | ROM OPS: BROM, DROM | Not supported, BOOT image modification is not supported (MFBA) | Not supported, BOOT image modification is not supported (MFBA) | MFBA |
| | "-ocr" override cache replacement (Direct flash GW access) | Not supported in Secure FW | Not supported in Secure FW | Flash GW is blocked |
| | HW SET (Set flash parameters) | Flash GW is blocked | Flash GW is blocked | Flash GW is blocked |
| | "--no_fw_ctrl" (Legacy Flow) | Not supported in Secure FW | Not supported in Secure FW | MFBA |
| mlxfwmanager / mlxup | Burn FW | Working with controlled fw update | Working with controlled fw update | |
| mlxfwmanager | with --no_fw_ctrl | Not supported in Secure FW | Not supported in Secure FW | MFBA |
| mlxdump | fsdump | Blocked icmds | Working | gcif_get_ft_info, gcif_get_ft_list, gcif_get_fg, gcif_get_fg_list, gcif_get_fte, gcif_get_fte_list |
| | phyUc | Blocked icmds | working | gcif_phy_uc_get_array_prop_px, gcif_phy_uc_set_get_data, gcif_phy_uc_get_array_prop_EDR, gcif_phy_uc_get_array_prop_HDR |
| | rxdump | CR-Space is locked & Blocked icmds | working | gcif_read_rx_slice_desc, gcif_read_rx_slice_packet |
| | sxdump | CR-Space is locked & Blocked icmds | working | gcif_read_wq_buffer |
| wqdump | Dump QP contexts | Blocked icmds | working | gcif_read_context |
| | Dump WQs | Blocked icmds | working | gcif_read_host_mem, gcif_read_q_entry, gcif_qp_get_pi_ci |
| | ICM | Blocked icmds | working | gcif_read_icm |
| | WRITE QP (Devmon) | | working | gcif_write_context |
| mget_temp | hw_access | Read Only CR-Space | working | Read Only CR-Space |
| mcra | Read | working | working | working |
| | Write | Read Only CR-Space | working | Read Only CR-Space |
| mstdump | Read | working | working | working |
| mlxtrace / fwtrace | MEM & FIFO | Only fwtrace is supported and only in Linux | working | Read Only CR-Space |
| pckt_drop | uses write to CR-Space to work | Read Only CR-Space | working | Read Only CR-Space |
| mlxlink | working | working | working | working |
| mlxreg | working | working | working | working |
| mlxcables | working | working | working | working |
| mlxconfig | working | working | working | working |
| mlxfwreset | working | working | working | working |
| i2c/mlxi2c | Not relevant when not in livefish | | | |
| | With Force flag (ENV VAR) | Read Only CR-Space | working | Read Only CR-Space |
When Secure Firmware is enabled, the flint output changes slightly because the tool accesses the NIC through different underlying methods. Some functionality may be restricted according to the device security level.
flint query under secure mode:
# flint -d /dev/mst/mt4115_pciconf0 q
Image type:            FS3
FW Version:            12.19.2278
FW Release Date:       7.6.2017
Description:           UID                GuidsNumber
Base GUID:             7cfe90030029205e        4
Base MAC:              00007cfe9029205e        4
Image VSD:
Device VSD:
PSID:                  MT_2190110032
Security Attributes:   secure-fw, dev
Unavailable information is reported as N/A.
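A fleet check built on the query output above, as an added example that is not part of the original documentation or of MFT: it reads `flint ... q` text on stdin and reports whether `secure-fw` appears in the Security Attributes. The function names `flint_field` and `audit_flint_query` are hypothetical, and the second sample uses constructed placeholder values.

```shell
# Print the value of one "Label: value" line from flint query text on stdin.
flint_field() {
    awk -v label="$1" '
        index($0, label ":") == 1 {
            val = substr($0, length(label) + 2)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            print val
            exit
        }'
}

# Summarise one query as "<PSID> <FW version> <state> [<attributes>]".
# Returns 0 only when secure-fw is among the Security Attributes.
audit_flint_query() {
    q=$(cat)
    psid=$(printf '%s\n' "$q" | flint_field "PSID")
    ver=$(printf '%s\n' "$q" | flint_field "FW Version")
    attrs=$(printf '%s\n' "$q" | flint_field "Security Attributes")
    # Unavailable information is reported as N/A: treat it as "no attributes".
    [ "$attrs" = "N/A" ] && attrs=""
    case ",$(printf '%s' "$attrs" | tr -d ' ')," in
        *,secure-fw,*) state="secure-fw"; rc=0 ;;
        *)             state="NOT-secure-fw"; rc=1 ;;
    esac
    printf '%s %s %s [%s]\n' "${psid:-unknown}" "${ver:-unknown}" "$state" "$attrs"
    return "$rc"
}

# Constructed input: the query output shown on this page, re-joined.
SAMPLE_SECURE='Image type:            FS3
FW Version:            12.19.2278
FW Release Date:       7.6.2017
Base GUID:             7cfe90030029205e        4
Base MAC:              00007cfe9029205e        4
PSID:                  MT_2190110032
Security Attributes:   secure-fw, dev'

# Constructed input: placeholder device that reports no security attributes.
SAMPLE_NA='FW Version:            0.0.0000
PSID:                  MT_0000000000
Security Attributes:   N/A'

# Stand-alone demo on the constructed samples (non-zero status = not secure-fw).
printf '%s\n' "$SAMPLE_SECURE" | audit_flint_query
printf '%s\n' "$SAMPLE_NA" | audit_flint_query || echo "flag for follow-up"
```

On a host with MFT installed, the same function can be fed from the command shown above: `flint -d /dev/mst/mt4115_pciconf0 q | audit_flint_query`.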