Introduction to Mellanox Network Interface Card with Secure Firmware Updates on Alibaba Cloud

Mellanox Technologies (NASDAQ: MLNX) is a leading supplier of end-to-end Ethernet and InfiniBand intelligent interconnect solutions and services for servers, storage, and hyper-converged infrastructure. Founded in 1999, Mellanox Technologies is headquartered in Sunnyvale, California and Yokneam, Israel. Mellanox offers a choice of high-performance solutions for a wide range of markets including high performance computing, enterprise data centers, Web 2.0, cloud, storage, network security, telecom and financial services. [1]

This article will focus on a security feature provided by Mellanox’s network interface card (NIC): the secure firmware updates. This security feature is becoming a basic requirement for a hardware device to be a part of Alibaba Cloud. Secure firmware updates feature provide devices with the ability to verify digital signatures of new firmware binaries, in order to ensure that only officially approved versions are installed on the devices. With this feature, the Mellanox NIC and SmartNIC can become the more trusted devices on Alibaba Cloud.

Secure Firmware

Note: the content of this chapter referrers to Mellanox documents.

The firmware of devices on which the secure firmware updates functionality is enabled, restricts access to registers that can be used to modify the firmware binary image on the flash, as well as commands that can jeopardize security in general. The differences between secure and regular devices are mainly related to maintenance and low-level troubleshooting. In all other aspects, devices with secure firmware are similar to regular devices.

Secure firmware binary files are digitally signed by Mellanox according to the PKCS RSASSA-PKCS1-v1_5 standard. This FIPS approved signature algorithm, utilizes SHA256 digest and 2048 bits RSA cryptography. The running firmware uses its embedded public keys to authenticate signatures of new updates, while the corresponding private keys are kept within and protected by Mellanox dedicated sign servers.

Here are some advantages of a device running secure firmware over the one that does not:

  1. Random access, especially writing, to chip registers or flash is restricted or even unavailable.
  2. The FW controls the binary verification and updating process.
  3. Most administrative operations, such as collecting debug info or activating tracers, require specific tools or a CS token.
  4. Only designated managers with the production private key can approve and sign a released version of FW binary.

Tools for Secure Firmware Updates

Note: the content of this chapter referrers to Mellanox documents.

The Mellanox Firmware Tools (MFT) package is a set of firmware management and debug tools for Mellanox devices. MFT can be used for generating a standard or customized Mellanox firmware image, querying for firmware information, and burning a firmware image to a single Mellanox device.

In contrast to the old firmware update procedure, where the update application is responsible for the entire update flow, in secure FW, the update application operates a state machine in the firmware that performs the update procedure. This includes checking the new binary applicability, integrity, and burning the image in the right flash location.

Additionally, the firmware state machine is also responsible to verify the image signature, and check that the new FW version is not included in the FORBIDDEN_VERSIONS blacklist. The firmware rejects binaries that do not match the verification criteria. The state- machine utilize the same ‘fail safe’ upgrade procedures, so events like power failure during update should not leave the device in an unstable state.

Secure Firmware Updates Example

In the example below, we used Mellanox Technologies MT27710 Family [ConnectX-4 Lx]. The operation system is Ubuntu 16.04.2.

The MFT installation package can be downloaded at:

The firmware image can be downloaded at:

Get Started with MFT

  1. Extract the installation package
  2. Run install script
  3. ./
  1. Start mst
  2. mst start
  1. Check mst status
  2. mst status
  1. Check current firmware version
  2. flint -d /dev/mst/mt4117_pciconf0 q

Update a Signed Firmware

  1. flint -d /dev/mst/mt4117_pciconf0 -i fw-ConnectX4Lx-rel-14_22_4020-MCX4121A-ACS_Ax-FlexBoot-3.5.404.signed.bin b
  2. output indicates the firmware update has succeeded
  1. After reboot the host, verify that the new firmware is burnt into the NIC
  2. flint -d /dev/mst/mt4117_pciconf0 q
  1. Update an un-signed firmware
  • flint -d /dev/mst/mt4117_pciconf0 -i fw-ConnectX4Lx-rel-14_22_4020-MCX4121A-ACS_Ax-FlexBoot-3.5.404.bin b
  1. The output indicates this update has failed
  1. Check the firmware version and verify it’s not changed
  2. flint -d /dev/mst/mt4117_pciconf0 q


Secure firmware updates feature is a basic requirement for a trusted hardware device to be used on Alibaba Cloud. Mellanox’s NICs offer this important security feature now.




Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store