Password Policy
Most password-related issues are encountered during execution of UEFI menu choices and when defining/changing a password. When an error is triggered, pop-up menus appear describing the errors. The resolution for these errors should be self-explanatory.
This page focuses on the following 3 scenarios whose resolution is not self-evident:
User forgets their password
User does not downgrade properly from 4.6.0 or greater to a BFB image lower than 4.6.0
User is running a BFB image downloaded over the RShim and breaks into the UEFI menu to change the password
Command | Description
 | A DPU BMC program to access the BlueField console
 | Set the RShim log debug level to 2
cat /dev/rshim0/misc | Dump the RShim log
bfrec --capsule /usr/lib/firmware/mellanox/boot/capsule/EnrollKeysCap | Allows a user on the BlueField to reset their current UEFI password back to the default password,
Note there are NO counters involved for debugging the Password Policy.
RShim Log Messages
When an existing password does not meet the requirements for the new password policy, search the RShim log for the message called out below:
# cat /dev/rshim0/misc
DISPLAY_LEVEL   2 (0:basic, 1:advanced, 2:log)
BOOT_MODE       1 (0:rshim, 1:emmc, 2:emmc-boot-swap)
BOOT_TIMEOUT    150 (seconds)
DROP_MODE       0 (0:normal, 1:drop)
SW_RESET        0 (1: reset)
DEV_NAME        pcie-0000:3b:00.1
DEV_INFO        BlueField-3(Rev 1)
OPN_STR         N/A
---------------------------------------
Log Messages
---------------------------------------
INFO[MISC]: PSC BL1 START
INFO[BL2]: start
INFO[BL2]: boot mode (emmc)
INFO[BL2]: VDD_CPU: 751 mV
INFO[BL2]: VDDQ: 1118 mV
INFO[BL2]: DDR POST passed
INFO[BL2]: UEFI loaded
INFO[BL31]: start
INFO[BL31]: lifecycle Secured (development)
INFO[BL31]: runtime
INFO[BL31]: MB ping success
INFO[UEFI]: eMMC init
INFO[UEFI]: eMMC probed
INFO[UEFI]: UPVS valid
INFO[UEFI]: PCIe enum start
INFO[UEFI]: PCIe enum end
WARN[UEFI]: Weak password, please update        <<====== Indicates the current password does not meet the password policy size requirement
INFO[UEFI]: UEFI Secure Boot (disabled)
INFO[UEFI]: PK configured
INFO[UEFI]: Redfish enabled
INFO[UEFI]: DPU-BMC RF credentials found
Weak password, please update
Upon upgrade, the warning message above indicates that the user logged in with a password shorter than the current policy requirements (a minimum of 12 characters and a maximum of 64 characters).
For more information on collecting and reading RShim logs, please refer to the SoC Management Interface.
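The following is an added example, not NVIDIA's code: a small parser for the output of `cat /dev/rshim0/misc` that separates the settings header from the log messages, reports the BOOT_MODE (which tells whether the running BFB came over the RShim or from eMMC, the distinction the RShim BFB Installations section below depends on) and flags the `WARN[UEFI]: Weak password, please update` line. The sample dump is the one shown on this page, trimmed; the function names and the returned structure are assumptions of this example.

```python
"""Parse `cat /dev/rshim0/misc` output and flag the UEFI password-policy warning.

Added example (not NVIDIA's code). The sample dump below is copied from the page
and trimmed; function names and the RshimMisc structure are this example's own.
"""
import re
from dataclasses import dataclass, field

# Sample dump taken from the page (trimmed to the lines relevant here).
SAMPLE_MISC = """\
DISPLAY_LEVEL   2 (0:basic, 1:advanced, 2:log)
BOOT_MODE       1 (0:rshim, 1:emmc, 2:emmc-boot-swap)
BOOT_TIMEOUT    150 (seconds)
DROP_MODE       0 (0:normal, 1:drop)
SW_RESET        0 (1: reset)
DEV_NAME        pcie-0000:3b:00.1
DEV_INFO        BlueField-3(Rev 1)
OPN_STR         N/A
---------------------------------------
Log Messages
---------------------------------------
INFO[MISC]: PSC BL1 START
INFO[BL2]: start
INFO[BL2]: boot mode (emmc)
INFO[UEFI]: PCIe enum end
WARN[UEFI]: Weak password, please update
INFO[UEFI]: UEFI Secure Boot (disabled)
INFO[UEFI]: PK configured
"""

# Log lines look like "LEVEL[STAGE]: message", e.g. "WARN[UEFI]: Weak password, please update".
LOG_LINE = re.compile(r"^(?P<level>[A-Z]+)\[(?P<stage>[A-Z0-9]+)\]:\s*(?P<msg>.*)$")
# Legend printed by the device next to BOOT_MODE.
BOOT_MODES = {0: "rshim", 1: "emmc", 2: "emmc-boot-swap"}


@dataclass
class RshimMisc:
    settings: dict = field(default_factory=dict)  # e.g. {"BOOT_MODE": "1 (0:rshim, ...)"}
    log: list = field(default_factory=list)       # [(level, stage, message), ...]


def parse_misc(text):
    """Split the misc dump into settings (before 'Log Messages') and parsed log lines."""
    misc = RshimMisc()
    in_log = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:       # skip blanks and dashed separators
            continue
        if line == "Log Messages":
            in_log = True
            continue
        if in_log:
            m = LOG_LINE.match(line)
            if m:
                misc.log.append((m["level"], m["stage"], m["msg"].strip()))
            continue
        parts = line.split(None, 1)               # "NAME   value (legend)"
        if len(parts) == 2:
            misc.settings[parts[0]] = parts[1]
    return misc


def boot_mode(misc):
    """Name of the BOOT_MODE value: 'rshim' means the running BFB was pushed over the RShim."""
    tokens = misc.settings.get("BOOT_MODE", "").split()
    if tokens and tokens[0].isdigit():
        return BOOT_MODES.get(int(tokens[0]), "unknown")
    return "unknown"


def weak_password_warned(misc):
    """True when UEFI reported that the current password fails the policy size requirement."""
    return any(level == "WARN" and stage == "UEFI" and msg.startswith("Weak password")
               for level, stage, msg in misc.log)


if __name__ == "__main__":
    parsed = parse_misc(SAMPLE_MISC)
    print("boot mode:", boot_mode(parsed))
    print("weak password warning:", weak_password_warned(parsed))
```

On a live system, replace `SAMPLE_MISC` with the contents of `/dev/rshim0/misc` read after setting DISPLAY_LEVEL to 2; with the default display level the Log Messages section is not present and the warning cannot be observed.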
User Forgets Password
If a user forgets their password and is trying to log in from a UEFI console, they should use a capsule to reset the password to a default, well-known value (i.e., bluefield). This allows the user to log in and prompts them to enter a stronger, more secure password for future logins.
Use EnrollKeysCap (easiest method) to reset the password back to the default of bluefield.
Info: The following command is run on the BlueField.
Password Reset
[root@localhost ~]# bfrec --capsule /usr/lib/firmware/mellanox/boot/capsule/EnrollKeysCap
"Next reboot" the system and allow it to get to the Linux prompt. The next time the system boots, users can ESC into the UEFI menu and enter the default bluefield password. They are then prompted to change the password to another one between 12 and 64 characters long (inclusive).
User Does Not Downgrade Properly
If a user is running a 4.6.0 BFB or greater, this means their UEFI password will have been converted to the new password policy/format. If the user then downgrades to an image lower than 4.6.0 without setting a legacy password in the UEFI menu, then they will not be able to log into the UEFI, as the Legacy Password format is different from the current password policy.
Two options to resolve this:
Perform a proper downgrade:
Upgrade back to the ≥4.6.0 BFB.
Log into the UEFI and enter your password.
Access the UEFI menu and navigate to Device Configuration > System Configuration > Password Settings > Set Legacy Password
Enter a legacy password between 1 and 20 characters (inclusive).
Downgrade to the desired <4.6.0 BFB image.
Use the EnrollKeysCap (as mentioned earlier) included with the legacy image. This allows you to reset the password to the default legacy password, bluefield, and log into the UEFI. Later, if you upgrade to a BFB image ≥4.6.0, the legacy password entered is automatically converted to the new format.
RShim BFB Installations
Example 1
In this example, the user has a legacy image (<4.6.0) installed on the eMMC and runs a BFB image ≥4.6.0 via RShim:
While booting the ≥4.6.0 image, ESC into the UEFI menu.
After entering your legacy-formatted password, it is not converted to the new password format. The reason for this is to not disrupt usage of the installed older image.
Note, in this configuration, users would not be able to execute either of the following via the UEFI menu:
Device Configuration > System Configuration > Set Password
Device Configuration > System Configuration > Password Settings > Set Legacy Password
Example 2
In this example, the user has a newer (≥4.6) image on the eMMC and runs another new image (≥4.6) via RShim:
The same restriction holds as mentioned in Example 1.
When booting the ≥4.6 image and ESC-ing into the UEFI, the password entered does not need to be converted.
In this scenario, users would not be able to execute either of the following:
Device Configuration > System Configuration > Set Password
Device Configuration > System Configuration > Password Settings > Set Legacy Password
This is done to send a consistent message that changing the UEFI Password while running an RShim BFB image is not allowed.
Example 3
In this example, the user has installed the newer (≥4.6) BFB image on the eMMC and runs an older (<4.6) image via the RShim (without downgrading the ≥4.6 eMMC image):
In this case, users would not be able to access the UEFI menu if they try to ESC into it while the older image is loading. This is of course because the password was upgraded to the new password format when the newer (≥4.6) BFB image was installed, and the legacy BFB image does not understand the new format.
If users must log into the UEFI menu at this point, they would have to force a system reboot, log into the newer (≥4.6) UEFI and execute the following downgrade procedure: Device Configuration > System Configuration > Password Settings > Set Legacy Password. This would then allow users to log into the older image (via RShim).
Once you have downgraded and are running the older image (legacy-formatted password), you may execute Set Password from the UEFI menu, changing it to a legacy password. This does no harm because when the system is rebooted and the newer (≥4.6) image runs, logging into the UEFI at that point is treated exactly as an upgrade, converting the legacy password to the new password format.