HP NICs - security features preventing cross-flash?

Rand__

Well-Known Member
Mar 6, 2014
6,633
1,767
113
I recently got a few of these SFP28 NICs

I found the mention of firmware lock-in on those
"
  • Security features - Digitally signed firmware components, secure firmware loading, secure firmware update, UEFI secure boot
  • Authentication of digitally signed firmware through true hardware root of trust and chain of trust on the NIC
"
I have not tried, but that would prevent crossflashing to non-HPE firmware, wouldn't it (e.g. if these were Mellanox cards, which they are not)?
 

vangoose

Active Member
May 21, 2019
326
104
43
Canada
This is Broadcom BCM57414.

I have a 621sfp28 based on the QL41000 chip that can't be cross-flashed. Same mention of digital signature.

The CX4-based 640sfp28 can be cross-flashed.
 

Rand__

Well-Known Member
Mar 6, 2014
6,633
1,767
113
Yes, I think it's not applicable to the MLX cards (yet), but given that HPE hides its FW behind a license wall now, it's something to keep in mind.
Thanks for the confirmation.
 

Rand__

Well-Known Member
Mar 6, 2014
6,633
1,767
113
Anyone ever discovered if the HP NICs are cross-flashable?
Got a pair of CX5s now; thankfully the FW is accessible on the HPE page, but crossflash would of course be nice...

Code:
c:\Program Files\Mellanox\WinMFT>flint -d mt4119_pciconf0 -i c:\mlx\fw-ConnectX5-rel-16_29_2002-MCX556A-EDA_Ax_Bx-UEFI-14.22.16-FlexBoot-3.6.204.bin -allow_psid_change burn

      Current FW version on flash:   16.27.1016
      New FW version:                      16.29.2002


      You are about to replace current PSID on flash - "HPE0000000009" with a different PSID - "MT_0000000009".
      Note: It is highly recommended not to change the PSID.

  Do you want to continue ? (y/n) [n] : y
-E- Burning FS4 image failed: Changing PSID is unsupported under controlled FW. You can try to run again with the flag "--no_fw_ctrl".

c:\Program Files\Mellanox\WinMFT>flint -d mt4119_pciconf0 -i c:\mlx\fw-ConnectX5-rel-16_29_2002-MCX556A-EDA_Ax_Bx-UEFI-14.22.16-FlexBoot-3.6.204.bin -allow_psid_change --no_fw_ctrl burn
-E- Cannot open Device: mt4119_pciconf0. MFE_NO_FLASH_DETECTED
 

Rand__

Well-Known Member
Mar 6, 2014
6,633
1,767
113
That's only when running with "--no_fw_ctrl"; I think the NIC's FW does not like that and 'hides' ;)

Else the card was fine; flashing to HPE latest was no issue either.
 

i386

Well-Known Member
Mar 18, 2016
4,240
1,546
113
34
Germany
Does somebody have a link to eBay listings for Mellanox NICs with "Secure firmware update" enabled?