Updating System Firmware from Non-Root user on non-HMC machines:
Overview:
Typically, system firmware updates on Power machines are performed through the Hardware Management Console (HMC). However, for systems not connected to an HMC, updates can be executed on the AIX LPAR using diagnostic service aids. This process involves the diag command or the update_flash diagnostic utility on AIX, and can only be initiated by a root user.
Historically, the remote update process, often conducted by IBM support personnel, required root access to the customer's machine, raising potential security concerns. Starting with AIX 7.3 TL3, a more secure approach is available. A designated non-root user, whose privileges are limited to updating and viewing system firmware, can now perform the update, which mitigates the security risks. This blog covers the steps required to update system firmware (on non-HMC machines) as that non-root user.
Pre-requisites
This feature is supported starting with the AIX 7.3 TL3 release.
Detailed steps to update system firmware from diag menus
1) To use this feature, switch to the non-root user 'ragent', which AIX creates out of the box. This user has the authority required to update the system firmware image. The password for 'ragent' may be requested from the customer.
$ su - ragent

2) Run the command 'diag -T update' to invoke the system firmware update menu.
$ diag -T update

3) Select the task for system firmware update: "Update and Manage System Flash".

4) Select the subtask, choose the system firmware source, and provide the system firmware path.



The system firmware image file can be placed on a local file system, or it can be copied from a directly attached device (e.g. a USB or CD device). The system firmware image file (*.img) can be downloaded from http://www.ibm.com/eserver/support/fixes.
Updating system firmware using update_flash utility:
1) To run this feature directly from the command line, type:
$ /usr/lpp/diagnostics/bin/update_flash -q -f <path_to_system_firmware_image>
More details about this command can be found at https://www.ibm.com/docs/en/aix/7.3?topic=aids-update-system-service-processor-flash-chrp
NOTE: Once the above command sequences are done, the system reboots automatically to boot with the new system firmware image.
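A pre-flight wrapper around the update_flash invocation above, as an added example that is not from the original post or from IBM. The function names, the return codes, and the rule that the image must not be group- or world-writable are assumptions made here.

```shell
#!/bin/sh
# Added example: checks to run before handing an image to update_flash.
# Hypothetical names and policy; only the update_flash path, its -q -f
# flags, the 'ragent' user and the *.img suffix come from the post.

UPDATE_FLASH=/usr/lpp/diagnostics/bin/update_flash

# check_image USER IMAGE
# Returns 0 if the image may be flashed, otherwise a distinct code:
#   1 caller is not ragent   2 name is not *.img
#   3 not a plain readable file   4 writable by group or others
check_image() {
    user=$1
    img=$2
    # The point of the feature is that root is not needed: insist on ragent.
    [ "$user" = "ragent" ] || return 1
    case "$img" in
        *.img) ;;
        *) return 2 ;;
    esac
    # Regular, non-empty, readable file; a symlink could be re-pointed
    # between this check and the flash, so reject it.
    [ -f "$img" ] && [ ! -L "$img" ] && [ -r "$img" ] && [ -s "$img" ] || return 3
    # Mode string is e.g. "-rw-r--r--": column 6 is group write,
    # column 9 is other write. Either means someone else could alter it.
    perms=$(ls -ld -- "$img" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 4 ;;
    esac
    return 0
}

# flash_as_ragent IMAGE
# Runs the checks for the current user, then the command from the post.
# The system reboots automatically once the update completes.
flash_as_ragent() {
    img=$1
    check_image "$(id -un)" "$img" || {
        rc=$?
        echo "pre-flight check failed (code $rc): $img" >&2
        return "$rc"
    }
    "$UPDATE_FLASH" -q -f "$img"
}

# Usage, after 'su - ragent': flash_as_ragent <path_to_system_firmware_image>
```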
About the authors
Phani Kumar Ayyagari (Email: phanikumar@in.ibm.com) – AIX Diagnostics
Rajeev Ranjan (Email: Rajeev.ranjan15@ibm.com) – AIX Diagnostics