HP Nics - security features preventing cross-flash?


Rand__

Well-Known Member
Mar 6, 2014
6,642
1,777
113
I recently got a few of these SFP28 NICs

I found the mention of firmware lock-in on those
"
  • Security features - Digitally signed firmware components, secure firmware loading, secure firmware update, UEFI secure boot
  • Authentication of digitally signed firmware through true hardware root of trust and chain of trust on the NIC
"
I have not tried, but that would prevent cross-flashing to non-HPE firmware, wouldn't it (e.g. if these were Mellanox cards, which they are not)?
 

vangoose

Active Member
May 21, 2019
326
104
43
Canada
I recently got a few of these SFP28 NICs

I found the mention of firmware lock-in on those
"
  • Security features - Digitally signed firmware components, secure firmware loading, secure firmware update, UEFI secure boot
  • Authentication of digitally signed firmware through true hardware root of trust and chain of trust on the NIC
"
I have not tried, but that would prevent cross-flashing to non-HPE firmware, wouldn't it (e.g. if these were Mellanox cards, which they are not)?
This is Broadcom BCM57414.

I have a 621sfp28 based on QL41000 chip that can't be cross flashed. Same mention of digital signature.

CX4 based 640sfp28 can be cross flashed.
 

Rand__

Well-Known Member
Mar 6, 2014
6,642
1,777
113
Yes, I think it's not applicable to the MLX cards (yet), but given that HPE hides its FW behind a license wall now, it's something to keep in mind.
Thanks for the confirmation.
 

Rand__

Well-Known Member
Mar 6, 2014
6,642
1,777
113
Anyone ever discovered if the HP NICs are cross-flashable?
Got a pair of CX5's now; thankfully FW is accessible on the HPE page, but cross-flash would o/c be nice...

Code:
c:\Program Files\Mellanox\WinMFT>flint -d mt4119_pciconf0 -i c:\mlx\fw-ConnectX5-rel-16_29_2002-MCX556A-EDA_Ax_Bx-UEFI-14.22.16-FlexBoot-3.6.204.bin -allow_psid_change burn

      Current FW version on flash:   16.27.1016
      New FW version:                      16.29.2002


      You are about to replace current PSID on flash - "HPE0000000009" with a different PSID - "MT_0000000009".
      Note: It is highly recommended not to change the PSID.

  Do you want to continue ? (y/n) [n] : y
-E- Burning FS4 image failed: Changing PSID is unsupported under controlled FW. You can try to run again with the flag "--no_fw_ctrl".

c:\Program Files\Mellanox\WinMFT>flint -d mt4119_pciconf0 -i c:\mlx\fw-ConnectX5-rel-16_29_2002-MCX556A-EDA_Ax_Bx-UEFI-14.22.16-FlexBoot-3.6.204.bin -allow_psid_change --no_fw_ctrl burn
-E- Cannot open Device: mt4119_pciconf0. MFE_NO_FLASH_DETECTED
 

Rand__

Well-Known Member
Mar 6, 2014
6,642
1,777
113
That's only when running with "--no_fw_ctrl"; I think the NIC's FW does not like that and 'hides' ;)

Else the card was fine; flashing to HPE latest was no issue either.
 

i386

Well-Known Member
Mar 18, 2016
4,358
1,612
113
35
Germany
Does somebody have a link to eBay listings with "Secure firmware update" enabled Mellanox NICs?
 

jpmomo

Active Member
Aug 12, 2018
547
196
43
I think the issue that everyone seems to be running into is that the HPE CX5 NICs have signed FW.
I was trying to cross-flash an HPE 556 CX5 that was only running at PCI gen3. I wanted to cross-flash with the Mellanox 516a-cdat or 556-edat. Both of those are PCI gen4. The issue seems to be that the generic Mellanox CX5 FW is not signed. They started to do that with the CX6-DX NICs and then continued with the CX7s.
The HPE (even the older CX5) use signed FW.
I was able to get around this with the CX6-DX by using the MTUSB-1.
I can't seem to perform the same magic with these HPE CX5s.
 

cookiesowns

Active Member
Feb 12, 2016
235
83
28
28
I think the issue that everyone seems to be running into is that the HPE CX5 NICs have signed FW.
I was trying to cross-flash an HPE 556 CX5 that was only running at PCI gen3. I wanted to cross-flash with the Mellanox 516a-cdat or 556-edat. Both of those are PCI gen4. The issue seems to be that the generic Mellanox CX5 FW is not signed. They started to do that with the CX6-DX NICs and then continued with the CX7s.
The HPE (even the older CX5) use signed FW.
I was able to get around this with the CX6-DX by using the MTUSB-1.
I can't seem to perform the same magic with these HPE CX5s.
I wasn't able to figure out how to wipe the signed firmware lock on HPE's. But they are still flashable with the recovery jumper set. Just have to cross-flash to another HPE card firmware.
 

jpmomo

Active Member
Aug 12, 2018
547
196
43
Do you know which HPE CX5 signed FW supports PCI gen4?
I agree that you can probably cross-flash signed FW with signed FW, but I couldn't find any HPE CX5 signed FW that would support PCI gen4.
I think they went to the CX6 NICs for PCI gen4 support. That FW might be 32K and might not work with the CX5 versions.
 

i386

Well-Known Member
Mar 18, 2016
4,358
1,612
113
35
Germany
The only PCIe 4.0 enabled CX-5 are dual-port (2x 25GbE or 2x 100GbE) SKUs.
There is one VPI and two Ethernet models (SFP28 and QSFP28).
 

jpmomo

Active Member
Aug 12, 2018
547
196
43
Which specific SKU is the CX5 dual-port 100G that is PCI gen4?
I need to find the .bin file for that model, and it needs to be signed.
 

jpmomo

Active Member
Aug 12, 2018
547
196
43
Yes, EDAT means VPI and PCI 4.0, but that is for Mellanox FW. We need the HPE FW, and I could only find the following:

Firmware for HPE InfiniBand EDR/Ethernet 100Gb 2-port 841QSFP28 Adapter : HPE part number 872726-B21
That NIC is PCI gen 3:

LnkCap: Port #0, Speed 8GT/s, Width x16, ASPM not supported
ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
LnkCtl: ASPM Disabled; RCB 64 bytes, Disabled- CommClk+
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 8GT/s (ok), Width x16 (ok)

The generic Mellanox equivalent is the ECAT (notice the "C" that signifies PCI 3.0 vs. EDAT, whose "D" signifies PCI 4.0).

Normally, you can just put these NICs into flash recovery mode (some of the CX5s you don't even need to do that!), add the --allow_psid_change flag and burn away!

The issue with the HPE seems to be that it uses a signed FW:

fw-ConnectX5-rel-16_35_3502-872726-B21_Ax_Bx-UEFI-14.29.15-FlexBoot-3.6.902.signed.bin

not the generic unsigned FW:

fw-ConnectX5-rel-16_35_1012-MCX556A-EDA_Ax_Bx-UEFI-14.28.15-FlexBoot-3.6.804.bin

So I still need to find the HPE signed version of FW that correlates to the EDAT (VPI) or CDAT (Ethernet).

I am assuming that if it does exist, like some of you have suggested, it would be something like xxxQSFP28 and have some XXXXX-B21 HPE part #.
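As an added example (not code from the thread, and not part of Mellanox's MFT or any HPE tool), the small Python inventory helper below parses the three artifacts quoted in this thread before anyone touches a card: the lspci LnkCap/LnkSta lines from the post above (to report the advertised and negotiated PCIe generation), the Mellanox-style firmware filenames (to pull out the version, the model or HPE part number, and whether the image is the .signed variant), and the PSID warning that flint printed in Rand__'s earlier post. The "C means PCIe 3.0, D means PCIe 4.0" rule for Mellanox SKU suffixes is the thread's own rule of thumb and is implemented as a labelled heuristic, not as a vendor specification; the sample inputs are constructed from the text quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: the lspci -vv link fields quoted for the HPE 841QSFP28 (872726-B21).
SAMPLE_LSPCI = """\
LnkCap: Port #0, Speed 8GT/s, Width x16, ASPM not supported
ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
LnkCtl: ASPM Disabled; RCB 64 bytes, Disabled- CommClk+
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 8GT/s (ok), Width x16 (ok)
"""

# Constructed sample: the PSID warning flint printed earlier in the thread.
SAMPLE_FLINT = (
    'You are about to replace current PSID on flash - "HPE0000000009" '
    'with a different PSID - "MT_0000000009".'
)

# Per-lane signalling rate -> PCIe generation (from the PCIe base specifications).
_GTS_TO_GEN = {"2.5": 1, "5": 2, "8": 3, "16": 4, "32": 5}

_LINK_RE = re.compile(
    r"^(LnkCap|LnkSta):.*?Speed\s+([\d.]+)GT/s.*?Width\s+x(\d+)", re.M
)


def parse_pcie_link(lspci_text: str) -> Dict[str, Tuple[Optional[int], int]]:
    """Map 'LnkCap'/'LnkSta' to (pcie_generation, lane_width) from lspci -vv output.

    LnkCap is what the device advertises, LnkSta is what was actually negotiated;
    a gap between the two points at the slot or the host, not the card's firmware.
    """
    return {field: (_GTS_TO_GEN.get(gts), int(width))
            for field, gts, width in _LINK_RE.findall(lspci_text)}


# Mellanox-style release filename, e.g.
# fw-ConnectX5-rel-16_35_3502-872726-B21_Ax_Bx-UEFI-14.29.15-FlexBoot-3.6.902.signed.bin
_FW_RE = re.compile(
    r"^fw-(?P<family>ConnectX\d+)-rel-(?P<fw>\d+_\d+_\d+)-"
    r"(?P<model>[^_]+)_(?P<rev>.+?)-UEFI-(?P<uefi>[\d.]+)-FlexBoot-(?P<flexboot>[\d.]+)"
    r"(?P<signed>\.signed)?\.bin$"
)


@dataclass
class FwImage:
    family: str
    fw_version: str
    model: str          # Mellanox OPN or HPE part number
    hw_revisions: str   # e.g. "Ax_Bx"
    uefi: str
    flexboot: str
    signed: bool        # True for the ".signed.bin" images the thread discusses
    vendor: str         # "HPE" for NNNNNN-Bnn part numbers, otherwise "Mellanox"


def parse_fw_filename(name: str) -> FwImage:
    """Split a firmware filename into its fields; raises ValueError on other names."""
    m = _FW_RE.match(name)
    if not m:
        raise ValueError(f"not a Mellanox-style firmware filename: {name}")
    model = m["model"]
    vendor = "HPE" if re.fullmatch(r"\d{6}-B\d{2}", model) else "Mellanox"
    return FwImage(m["family"], m["fw"].replace("_", "."), model, m["rev"],
                   m["uefi"], m["flexboot"], m["signed"] is not None, vendor)


def mellanox_sku_pcie_gen(model: str) -> Optional[int]:
    """Thread heuristic (assumption, not a vendor rule): in MCXnnnA-xCxx / MCXnnnA-xDxx
    the second suffix letter encodes the bus generation, C = PCIe 3.0, D = PCIe 4.0."""
    m = re.fullmatch(r"MCX\d+A-\w(\w)\w+", model)
    return {"C": 3, "D": 4}.get(m.group(1)) if m else None


_PSID_RE = re.compile(
    r'replace current PSID on flash - "([^"]+)" with a different PSID - "([^"]+)"'
)


def parse_flint_psid_warning(text: str) -> Optional[Tuple[str, str]]:
    """Return (psid_on_flash, psid_in_image) from flint's PSID-change warning.

    A differing PSID is the first sign that an image was built for another
    vendor's card; on a controlled-FW (signed) card flint refuses the change.
    """
    m = _PSID_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    print(parse_pcie_link(SAMPLE_LSPCI))
    for fn in ("fw-ConnectX5-rel-16_35_3502-872726-B21_Ax_Bx-UEFI-14.29.15-FlexBoot-3.6.902.signed.bin",
               "fw-ConnectX5-rel-16_35_1012-MCX556A-EDA_Ax_Bx-UEFI-14.28.15-FlexBoot-3.6.804.bin"):
        img = parse_fw_filename(fn)
        print(img, "pcie_gen_hint:", mellanox_sku_pcie_gen(img.model))
    print(parse_flint_psid_warning(SAMPLE_FLINT))
```

Run against the two filenames from the post, the helper reports the 872726-B21 image as the signed HPE build and the MCX556A-EDA image as unsigned Mellanox firmware with a PCIe 4.0 hint, which is exactly the mismatch the thread is circling: the only gen4 images are the unsigned generic ones, and the card's controlled firmware will not accept a PSID change to load them.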
 

jpmomo

Active Member
Aug 12, 2018
547
196
43
All of the PCI 4.0 HPE NICs that I have found seem to be CX6, not CX5.
I have not had any luck cross-flashing between the 2 generations.