2.
Burn the firmware on the device (make sure hardware access is enabled prior to
burning):
# mstflint -d
3.
Execute a driver restart in order to load the unsecure firmware:
# service openibd restart
Key Loss Recovery
If a key is lost, there is no way to recover it using the tool. The only way to recover is to:
1.
Connect the flash-not-present jumper on the card.
2.
Reboot the machine.
3.
Re-burn firmware
4.
Remove the flash-not-present jumper.
5.
Reboot the machine
6.
Re-set the hardware access key
mstflint: Secure Firmware Update
Secure Firmware Update is supported only on ConnectX-4 onwards adapter cards and as of
mstflint v4.10.0-3. .
A "Secure firmware update" is the ability of a device to verify digital signatures of new firmware
binaries, in order to assure that only officially approved versions can be installed from the host, the
network[1] or a Board Management Controller (BMC).
The firmware of devices with "secure firmware up date" functionality (secure FW), restricts access to
specific commands and registers that can be used to modify the firmware binary image on the flash, as
well as commands that can jeopardize security in general. Most notably, the commands and registers
for random flash access are disabled.
Secure FW verifies new binaries before activating them, compared to legacy devices where this task is
done by the update tool using direct flash access commands. In addition to signature verification,
secure FW also checks that the binary is designated to the same device model, that the new firmware
is also secured, and that the new FW version is not included in a forbidden versions blacklist. The
firmware rejects binaries that do not match the verification criteria.
Secure FW utilizes the same 'fail safe' upgrade procedures, so events like power failure during update
should not leave the device in an unstable state. The table below lists the impact of secure FW update
on mstflint tools.
Tool
Flow
mstfli
Burn FW
nt
Query
41:00.0
-i fw-4099.unsecure.bin b
Secure FW
Working with controlled fw
update
Working with MCC
commands
With CS Token
Working with controlled fw
update
Working with MCC
commands
Blocked
Command
s
72