BIOS Secure Boot Configuration
The NVIDIA® BlueField® DPU's BMC supports the DMTF Secure Boot schema which enables managing the state of the UEFI Secure Boot through the Redfish interface. This allows clients to set whether UEFI should authenticate the OS image during the boot process.
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot
{
"@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot",
"@odata.type": "#SecureBoot.v1_1_0.SecureBoot",
"Description": "The UEFI Secure Boot associated with this system.",
"Id": "SecureBoot",
"Name": "UEFI Secure Boot",
"SecureBootCurrentBoot": "Disabled",
"SecureBootDatabases": {
"@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases"
},
"SecureBootEnable": false,
"SecureBootMode": "SetupMode"
}
The following example illustrates how to deactivate UEFI Secure Boot through the Redfish interface:
curl -k -u root:'<password>' -X PATCH -H "Content-Type: application/json" https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot -d '{"SecureBootEnable":false}'
The following operations may be performed using Redfish commands. For each operation, a corresponding task is generated within the BMC's Redfish Task Service. During the subsequent DPU reboot, the UEFI checks for any pending secure boot tasks and executes them in the order of their ascending task ID numbers. After completion, the UEFI then updates the task state to reflect the relevant status.
To read UEFI Secure boot databases:
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases { "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases", "@odata.type": "#SecureBootDatabaseCollection.SecureBootDatabaseCollection", "Members": [ { "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/KEK" }, .. { "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/PK" }, .. { "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db" }, .. .. { "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/dbx" }, .. ], "Members@odata.count": 10, "Name": "UEFI SecureBoot Database Collection" }
To add a certificate to the UEFI db:
WarningThe following certificate is an example only and can not be used as is. db certificate must be signed by the public key certificate.
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Certificates -d \ '{"CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDbTCCAlWgAwIBAgIUO2MdJt2cTCGr0eO4PiBV5Uk0b/IwDQYJKoZIhvcNAQEL\nBQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdo\nMQ8wDQYDVQQKEwZMZW5vdm8xFzAVBgNVBAMTDkxlbm92byBVRUZJIERCMB4XDTE3\nMDMxNTIxMTYzNFoXDTQxMDMxNTIxMTYzNFowVjELMAkGA1UEBhMCVVMxCzAJBgNV\nBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdoMQ8wDQYDVQQKEwZMZW5vdm8xFzAVBgNV\nBAMTDkxlbm92byBVRUZJIERCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEA1ezmdoBlk5yDVuXw8F774CvllhMz9bT0/TpH3kmRpPAizSRDzbHLUuBMC6SE\nW4zjdLxTqOlwZt6UUcWxlyzKcoDPe43cE6YH1kM/rscvm3AaVL+4GcyGgS9DL6qe\nQFHWER25xCTokMsCdKB42Ty7hWW5FBPepgAS+GDfqQfb/4hoonIlen5X+dqVIsE/\nRM1DIVBUiIbJdgERYeoGjY/Rh4A1VWl6ErzyzokYnf63JjSFR2kVV0apbr4ISOTM\n7qBd1RNHwQrCAryRADX1XGvRZURzwQdEXfOqZOkVjNKr1fD761qvPE8TQWWJ9Q8r\nmciMocIXqoqWKPAkgbMwKmcsFQIDAQABozMwMTAPBgNVHRMBAf8EBTADAQH/MA4G\nA1UdDwEB/wQEAwICBDAOBgNVHQ8Baf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEB\nAJ2U0UjB+sxF/HE5sY56vJbdFITl8o0Yf7XJImL0VtgpYjfeqiE768G2uTUbzCKy\nhDOps3+4w4p8FUSO6StzCz6UuUyxlUjQzpkxZ97Ouq1sGhjy7dZybTEByJD6LpI7\nl1EpJSfBiwxTdm7svJoABKs8Hs7e9f3XX5PK76SxllMbDaxAm7UvCppYBBR1SeyC\ngWt3rGRiO3W6pfd07ioCD03kgGzYNOZeU2S+maE1Xt4kUoYs3HxyrhJGfN26gM8h\n4w5LfCKrlxi+3KMf+vXxEBfGYBvjwcA7KCW92GnUQGVjZbEGs6EaTBx7i9gA2+te\noWS/500qiwNRp2xqdBxg1d0=\n-----END CERTIFICATE-----","CertificateType": "PEM","UefiSignatureOwner": "5491316d-9694-4639-b72d-b8630ffa7dab"}' { "@odata.id": "/redfish/v1/TaskService/Tasks/0", "@odata.type": "#Task.v1_4_3.Task", “Id”: “0”, "TaskState": "Pending", "TaskStatus": "OK" }
To add a signature to the UEFI db:
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Signatures -d \ '{"SignatureString": "80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0A","SignatureTypeRegistry": "UEFI","SignatureType": "EFI_CERT_SHA256_GUID","UefiSignatureOwner": "28d5e212-165b-4ca0-909b-c86b9cee0112"}' { "@odata.id": "/redfish/v1/TaskService/Tasks/1", "@odata.type": "#Task.v1_4_3.Task", "Id": "1", "TaskState": "Pending", "TaskStatus": "OK" }
To delete UEFI db certificate #1:
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X DELETE https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Certificates/1 { "@odata.id": "/redfish/v1/TaskService/Tasks/2", "@odata.type": "#Task.v1_4_3.Task", "Id": "2", "TaskState": "Pending", "TaskStatus": "OK" }
To delete all UEFI db keys:
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Actions/SecureBootDatabase.ResetKeys -d '{"ResetKeysType": "DeleteAllKeys"}' { "@odata.id": "/redfish/v1/TaskService/Tasks/3", "@odata.type": "#Task.v1_4_3.Task", "Id": "3", "TaskState": "Pending", "TaskStatus": "OK" }
The following is an example flow for resetting all db certificates using Redfish commands:
To reset all db keys:
root:~# curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Actions/SecureBootDatabase.ResetKeys -d '{"ResetKeysType": "DeleteAllKeys"}' { "@odata.id": "/redfish/v1/TaskService/Tasks/12", "@odata.type": "#Task.v1_4_3.Task", "Id": "12", "TaskState": "Pending", "TaskStatus": "OK" }
TipRecord the returned task ID, in this example the task ID is 12.
To read the status of task 12:
root:~# curl -k -u root:
'<password>'
-H'Content-Type: application/json'
-X GET https://<bmc_ip>/redfish/v1/TaskService/Tasks/12
{"@odata.id"
:"/redfish/v1/TaskService/Tasks/12"
,"@odata.type"
:"#Task.v1_4_3.Task"
,"Id"
:"12"
,"Messages"
: [],"Name"
:"Task 12"
,"Payload"
: {"HttpHeaders"
: ["Host: <IP>"
,"User-Agent: curl/7.81.0"
,"Accept: */*"
,"Content-Length: 34"
],"HttpOperation"
:"POST"
,"JsonBody"
:"{\n \"ResetKeysType\": \"DeleteAllKeys\"\n}"
,"TargetUri"
:"/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Actions/SecureBootDatabase.ResetKeys"
},"PercentComplete"
:0
,"StartTime"
:"2023-09-05T16:47:05+00:00"
,"TaskMonitor"
:"/redfish/v1/TaskService/Tasks/12/Monitor"
,"TaskState"
:"Pending"
,"TaskStatus"
:"OK"
}You can see that TaskStatus is OK and the TaskState is Pending. This indicates that the operation has successfully enqueued in the task service and is pending the next DPU boot.
Issue the following graceful reset command to the DPU:
root:~# curl -k -u root:"<password>" -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/Actions/ComputerSystem.Reset -d '{"ResetType" : "GracefulRestart"}' { "@Message.ExtendedInfo": [ { "@odata.type": "#Message.v1_1_1.Message", "Message": "The request completed successfully.", "MessageArgs": [], "MessageId": "Base.1.15.0.Success", "MessageSeverity": "OK", "Resolution": "None" } ] }
UEFI reads the pending secure boot tasks and executes them.
Following DPU reset, the UEFI updates the status of the operation on the TaskState and TaskStatus fields. Poll the task and check the values of TaskState and TaskStatus.
Success
"TaskState": "Completed","TaskStatus": "OK"
Failure
"TaskState": "Exception","TaskStatus": "OK"