BMC Management

NVIDIA BMC is based on the OpenBMC open-software framework which builds a complete Linux image for a board management controller (BMC). It uses the Yocto project as the underlying building and distro generation framework.

The primary software components of BMC are the following:

  • U-boot bootloader

  • Linux kernel

  • OpenBMC distro

There is a software version for each of the BMC software components. You may retrieve this information by running the following for each component:

  • Linux version – uname -a command from the Linux prompt

  • OpenBMC version – cat /etc/os-release from the Linux prompt

Retrieving BMC Version Using Redfish

curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory/BMC_Firmware
{
  "@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/BMC_Firmware",
  "@odata.type": "#SoftwareInventory.v1_4_0.SoftwareInventory",
  "Description": "BMC image",
  "Id": "BMC_Firmware",
  "Name": "Software Inventory",
  "RelatedItem": [],
  "RelatedItem@odata.count": 0,
  "SoftwareId": "",
  "Status": {
    "Conditions": [],
    "Health": "OK",
    "HealthRollup": "OK",
    "State": "Enabled"
  },
  "Updateable": true,
  "Version": "BF-23.09-1",
  "WriteProtected": false
}


Retrieving BMC Version Using IPMI

# ipmitool mc info
Device ID                 : 1
Device Revision           : 1
Firmware Revision         : 23.09
IPMI Version              : 2.0
Manufacturer ID           : 33049
Manufacturer Name         : NVIDIA
Product ID                : 4 (0x0004)
Product Name              : Bluefield3 BMC
Device Available          : yes
Provides Device SDRs      : yes
Additional Device Support :
    Sensor Device
    SDR Repository Device
    SEL Device
    FRU Inventory Device
    IPMB Event Receiver
    Chassis Device
Aux Firmware Rev Info     :
    0x10
    0x01
    0x00
    0x00

The BMC version is composed of [Firmware Revision]-[Aux Firmware Rev Info 2nd byte]; in this example, 23.9-1.

  1. BMC starts booting through u-boot bootloader once the power supply is powered on.

  2. By default, the BMC automatically boots into Linux. To stop at the u-boot prompt, users must type the password 0penBmc (note the use of the digit zero in 0pen) within 5 seconds. To boot Linux from the u-boot prompt, type boot.

  3. The BMC provides indications of its status during its operation:

    Scenario – Message

      • At the beginning of the boot process of the u-boot – Nvidia Bluefield BMC U-BOOT starting

      • At the beginning of the OS boot process – Nvidia Bluefield BMC Starting kernel ...

      • At the login prompt – Nvidia Bluefield BMC OS is up and running

      • Upon reboot or shutdown – Nvidia Bluefield BMC is shutting down

  4. The default password for the root user, to be typed in once Linux is booted, is 0penBmc.

    Note

    For information on password policy, refer to section "BMC Management Interface".

User Management Redfish Commands

General Information

General information about the BMC account services


curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<IP>/redfish/v1/AccountService

Example output:

{
  "@odata.id": "/redfish/v1/AccountService",
  "@odata.type": "#AccountService.v1_10_0.AccountService",
  "AccountLockoutDuration": 600,
  "AccountLockoutThreshold": 4,
  "Accounts": {
    "@odata.id": "/redfish/v1/AccountService/Accounts"
  },
  ..
  "MaxPasswordLength": 20,
  "MinPasswordLength": 13,
  "Name": "Account Service",
  "Oem": {
  ..
  "Roles": {
    "@odata.id": "/redfish/v1/AccountService/Roles"
  },
  "ServiceEnabled": true
}


List Supported User Roles

List supported user roles in the system:


curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<IP>/redfish/v1/AccountService/Roles

Example output:

{
  "@odata.id": "/redfish/v1/AccountService/Roles",
  "@odata.type": "#RoleCollection.RoleCollection",
  "Description": "BMC User Roles",
  "Members": [
    { "@odata.id": "/redfish/v1/AccountService/Roles/Administrator" },
    { "@odata.id": "/redfish/v1/AccountService/Roles/Operator" },
    { "@odata.id": "/redfish/v1/AccountService/Roles/ReadOnly" },
    { "@odata.id": "/redfish/v1/AccountService/Roles/NoAccess" }
  ],
  "Members@odata.count": 4,
  "Name": "Roles Collection"
}


List User Accounts


curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<IP>/redfish/v1/AccountService/Accounts

Example output:

{
  "@odata.id": "/redfish/v1/AccountService/Accounts",
  "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
  "Description": "BMC User Accounts",
  "Members": [
    { "@odata.id": "/redfish/v1/AccountService/Accounts/NvdBluefieldUefi" },
    { "@odata.id": "/redfish/v1/AccountService/Accounts/root" }
  ],
  "Members@odata.count": 2,
  "Name": "Accounts Collection"
}


Create New User

Create a new user on the BMC:


curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<IP>/redfish/v1/AccountService/Accounts -d '{ "UserName":"<USER>", "Password":"<PASSWORD>", "RoleId":"<ROLE>", "Enabled":true}'

Example output:

{
  "@Message.ExtendedInfo": [
    {
      "@odata.type": "#Message.v1_1_1.Message",
      "Message": "The resource has been created successfully.",
      "MessageArgs": [],
      "MessageId": "Base.1.15.0.Created",
      "MessageSeverity": "OK",
      "Resolution": "None."
    }
  ]
}


Delete User

Delete a user from the system:

curl -k -u root:'<password>' -H 'Content-Type: application/json' -X DELETE https://<IP>/redfish/v1/AccountService/Accounts/<USER>

Example output:

{
  "@Message.ExtendedInfo": [
    {
      "@odata.type": "#Message.v1_1_1.Message",
      "Message": "The account was successfully removed.",
      "MessageArgs": [],
      "MessageId": "Base.1.15.0.AccountRemoved",
      "MessageSeverity": "OK",
      "Resolution": "No resolution is required."
    }
  ]
}

User Management IPMI Commands

  1. List the users

    ipmitool user list [<channel-number>]

    For example:

    ipmitool user list 1

  2. User creation

    ipmitool user set name <user-id> <username>

    For example:

    ipmitool user set name 2 Admin

  3. Set user password

    ipmitool user set password <user-id> <password>

    For example:

    ipmitool user set password 2 AdminPass_123

  4. Enable user

    ipmitool user enable <user-id>

    For example:

    ipmitool user enable 2

  5. Disable user

    ipmitool user disable <user-id>

    For example:

    ipmitool user disable 2

  6. Set user privilege

    ipmitool user priv <user-id> <privilege level(1-4)> [<channel-number>]

    Where "privilege level":

      • 1 – callback level (currently not supported)

      • 2 – user level

      • 3 – operator level

      • 4 – administrator level

    For example:

    ipmitool user priv 2 0x3 1

  7. Enable remote IPMI command functionality for user

    ipmitool channel setaccess [<channel-number>] <user-id> ipmi=on|off

    For example:

    ipmitool channel setaccess 1 2 ipmi=on

  8. Lanplus commands to execute IPMI commands remotely for users with admin permissions

    ipmitool -C 17 -I lanplus -U <user> -P <password> -H <bmc-ip-address> <ipmi-command>

    For example:

    ipmitool -C 17 -I lanplus -U ADMIN -P AdminPass_123! -H 10.10.10.10 user list 1

  9. Lanplus commands to execute IPMI commands remotely for users with other than administrator roles

    ipmitool -C 17 -I lanplus -U <user> -P <password> -H <bmc-ip-address> -L <privilege (operator|user)> <ipmi-command>

    For example:

    ipmitool -C 17 -I lanplus -U operator1 -P operator123 -H 10.10.10.10 -L operator user list 1
    ipmitool -C 17 -I lanplus -U user1 -P user123 -H 10.10.10.10 -L user chassis status

  10. Delete user

    ipmitool user set name <user-id> ""

    For example:

    ipmitool user set name 2 ""


Warning

To obtain the BMC's MAC address, refer to the DPU's board label.

BMC management network interface can be configured using Redfish or IPMI. By default, BMC comes up with the DHCP network configuration.

Network configuration functions:

  • Setting DHCP/Static network mode configuration

  • Adding/setting IPv4/IPv6 configuration including IP address, gateway, netmask

  • Adding DNS servers

  • Adding NTP server

  • Setting BMC time with NTP server or system RTC

Network Management Redfish Commands

Get Network Protocol Configuration


curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol


Get Interface Configuration


curl -k -u root:'<password>' -XGET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/EthernetInterfaces/eth0


Enable/Disable Interface


curl -k -u root:'<password>' -XPATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/EthernetInterfaces/eth0 -d '{"InterfaceEnabled": <state>}'

Where <state> can be true or false.

Static IPv4 Address Configuration


curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/EthernetInterfaces/eth0 -d '{"IPv4StaticAddresses": [{"Address": "<ip_addr>","SubnetMask": "<netmask>","Gateway":"<gw_ip_addr>"}]}'

Example:


curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/EthernetInterfaces/eth0 -d '{"IPv4StaticAddresses": [{"Address": "10.7.7.7","SubnetMask": "255.255.0.0","Gateway":"10.7.0.1"}]}'


IPv4 DHCP Enable/Disable Configuration


curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/EthernetInterfaces/eth0 -d '{"DHCPv4": {"DHCPEnabled": <state>}}'

Where <state> can be true or false.

Static DNS server IPv4 and IPv6 Configuration


curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/EthernetInterfaces/eth0 -d '{"StaticNameServers": ["<dns_ip>"]}'

Static IPv6 Address Configuration


curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/EthernetInterfaces/eth0 -d '{"IPv6StaticAddresses": [{"Address": "<ip>", "PrefixLength": <len>}]}'

Example:


curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/EthernetInterfaces/eth0 -d '{"IPv6StaticAddresses": [{"Address": "fe80::3eec:efff:fe3b:e02f", "PrefixLength": 64}]}'


IPv6 DHCP Enable/Disable Configuration


curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/EthernetInterfaces/eth0 -d '{"DHCPv6": {"OperatingMode": "<state>"}}'

Where <state> can be:

  • stateful – DHCPv6 stateful mode is used to configure addresses, and when it is enabled, stateless mode is also implicitly enabled.

  • stateless – DHCPv6 stateless mode allows configuring the interface using DHCP options but does not configure addresses. It is always enabled by default whenever DHCPv6 stateful mode is also enabled.

  • disabled – DHCPv6 is disabled for this interface.

Enable NTP Configuration


curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol -d '{"NTP": {"ProtocolEnabled": <state>}}'

Where <state> can be true or false.

Static NTP Server IP Configuration


curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol -d '{"NTP": {"NTPServers": ["<ntp_server_ip>"]}}'

Network Management IPMI Commands

The following table lists the available network IPMI commands:

  1. Change mode to Static – Sets LAN channel 1 IP config mode to static which corresponds to network interface "eth0"

    ipmitool lan set 1 ipsrc <mode>

    For example:

    ipmitool lan set 1 ipsrc static

  2. Change mode to DHCP – Sets LAN channel 1 IP config mode to DHCP which corresponds to the network interface "eth0"

    ipmitool lan set 1 ipsrc <mode>

    For example:

    ipmitool lan set 1 ipsrc dhcp

  3. Add IPv4 address – Adds IPv4 address, default gateway, and netmask to the network interface "eth0"

    ipmitool lan set 1 ipaddr <ip-address>
    ipmitool lan set 1 defgw ipaddr <ip-address>
    ipmitool lan set 1 netmask <netmask>

  4. Get IPv4 config – Gets IPv4 network config for channel 1 which corresponds to the network interface "eth0"

    ipmitool lan print 1

  5. Set IPv6 address – Adds IPv6 address to the network interface "eth0"

    ipmitool lan6 set 1 nolock static_addr 0 enable <ipv6-address> 64

  6. Get IPv6 config – Gets IPv6 network config for channel 1 which corresponds to the network interface "eth0"

    ipmitool lan6 print 1

  7. Get DNS server – Gets the DNS server

    ipmitool raw 0x32 0x6B

    Output:

    0b 31 30 2e 31 35 2e 31 32 2e 36 37

    Corresponds to: 10.15.12.67

  8. Add DNS server – Adds the DNS server

    ipmitool raw 0x32 0x6C 0x0b 0x31 0x30 0x2e 0x31 0x35 0x2e 0x31 0x32 0x2e 0x36 0x37

    Output:

    0x0b 0x31 0x30 0x2e 0x31 0x35 0x2e 0x31 0x32 0x2e 0x36 0x37

    Corresponds to: 10.15.12.67

  9. Get NTP server – Gets NTP server

    ipmitool raw 0x32 0xA7

    Output:

    01 11 31 2e 69 6e 2e 70 6f 6f 6c 2e 6e 74 70 2e 6f 72 67

    Where:

      • 01 – NTP status enable/disable

      • 11 – NTP server length

      • 31 2e 69 6e 2e 70 6f 6f 6c 2e 6e 74 70 2e 6f 72 67 – NTP server address byte stream corresponds to 1.in.pool.ntp.org

  10. Add NTP server – Adds NTP server

    ipmitool raw 0x32 0xA8 0x01 0x31 0x2e 0x69 0x6e 0x2e 0x70 0x6f 0x6f 0x6c 0x2e 0x6e 0x74 0x70 0x2e 0x6f 0x72 0x67

    Where:

      • 31 2e 69 6e 2e 70 6f 6f 6c 2e 6e 74 70 2e 6f 72 67 – NTP server address byte stream corresponds to 1.in.pool.ntp.org

  11. Enable time sync to NTP server – Enables NTP time sync

    ipmitool raw 0x32 0xA8 0x02 0x01

    Where:

      • 0x01 – enable NTP

  12. Enable time sync to system RTC – Disables NTP time sync

    ipmitool raw 0x32 0xA8 0x02 0x00

    Where:

      • 0x00 – disable NTP
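The raw DNS and NTP commands above carry the server name as ASCII bytes, with a length byte in the DNS commands and in the NTP read-back. The following added example (not part of the original documentation) builds the argument list for ipmitool raw and decodes the read-back, rejecting a response whose length byte does not match its payload. The function names and the accepted character set are assumptions of this example.

```python
from __future__ import annotations

import string

# Characters this example accepts in a server name or address. The set is an
# assumption of the example, not a limit documented for the BMC.
ALLOWED = set(string.ascii_letters + string.digits + ".-:")


def to_payload(server: str) -> bytes:
    """Validate a server name/address and return its ASCII bytes."""
    if not 1 <= len(server) <= 255:
        raise ValueError("server must be 1..255 characters (one length byte)")
    unexpected = set(server) - ALLOWED
    if unexpected:
        raise ValueError(f"unexpected characters: {sorted(unexpected)}")
    return server.encode("ascii")


def hex_args(data: bytes) -> list[str]:
    """Format bytes the way the page writes raw arguments (0x31 0x2e ...)."""
    return [f"0x{byte:02x}" for byte in data]


def dns_set_args(server: str) -> list[str]:
    """Arguments for `ipmitool raw`: 0x32 0x6C, length byte, ASCII bytes."""
    payload = to_payload(server)
    return ["0x32", "0x6C", f"0x{len(payload):02x}"] + hex_args(payload)


def ntp_set_args(server: str) -> list[str]:
    """Arguments for `ipmitool raw`: 0x32 0xA8 0x01, then the ASCII bytes.
    The page's example carries no length byte for this command."""
    return ["0x32", "0xA8", "0x01"] + hex_args(to_payload(server))


def parse_hex(output: str) -> bytes:
    """Accept both `0b 31` and `0x0b 0x31` spellings of the byte stream."""
    return bytes(int(token, 16) for token in output.split())


def read_prefixed(raw: bytes) -> str:
    """Decode <length><ASCII bytes>, failing on truncated or padded data."""
    if not raw:
        raise ValueError("empty response")
    length, payload = raw[0], raw[1:]
    if length != len(payload):
        raise ValueError(f"length byte says {length}, got {len(payload)} bytes")
    if length == 0:
        return ""  # nothing configured
    text = payload.decode("ascii")  # non-ASCII bytes raise ValueError
    to_payload(text)                # same character check as on the way in
    return text


def decode_dns(output: str) -> str:
    """Decode the output of `ipmitool raw 0x32 0x6B`."""
    return read_prefixed(parse_hex(output))


def decode_ntp(output: str) -> tuple[bool, str]:
    """Decode the output of `ipmitool raw 0x32 0xA7`:
    status byte, length byte, then the server name."""
    raw = parse_hex(output)
    if len(raw) < 2 or raw[0] not in (0, 1):
        raise ValueError("expected a 00/01 status byte followed by a length")
    return bool(raw[0]), read_prefixed(raw[1:])


if __name__ == "__main__":
    # Byte streams below are the ones shown in the table above.
    print("ipmitool raw " + " ".join(dns_set_args("10.15.12.67")))
    print("ipmitool raw " + " ".join(ntp_set_args("1.in.pool.ntp.org")))
    print(decode_dns("0b 31 30 2e 31 35 2e 31 32 2e 36 37"))
    print(decode_ntp("01 11 31 2e 69 6e 2e 70 6f 6f 6c 2e 6e 74 70 2e 6f 72 67"))
```

Comparing the decoded read-back with the intended server after each change confirms that the BMC stored the DNS and NTP settings as entered.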


Reboot BMC Redfish Command


curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST -d '{"ResetType": "GracefulRestart"}' https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Actions/Manager.Reset


Reboot BMC IPMI Command

ipmitool mc reset cold


The following commands factory reset the BMC configuration.

Factory Reset Redfish Command

curl -k -u root:"<PASSWORD>" -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Actions/Manager.ResetToDefaults -d '{"ResetToDefaultsType": "ResetAll"}'

Important

Before connecting to the internet, it is important to change the default global password to prevent potential malicious attackers from hacking your system. For information on password policy, refer to section "BMC Management Interface".


Factory Reset IPMI Command


ipmitool raw 0x32 0x66

After issuing the ipmitool raw command for factory reset, you must log into the BMC and reboot it for the factory reset to take effect.

Warning

If you have lost your BMC login credentials and cannot login, you may issue the following command from the BlueField Arm:


ipmitool mc reset cold

Important

Before connecting to the internet, it is important to change the default global password to prevent potential malicious attackers from hacking your system. For information on password policy, refer to section "BMC Management Interface".


Firmware upgrade of BMC and CEC components using BMC can be performed from a remote server using the Redfish interface.

  1. Trigger a secure firmware update – Triggers the secure update and starts tracking the secure update progress

    Required for BMC/CEC update: BMC, CEC

      • Standard update with HttpPushUri API:

        curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST -T <package_path> https://<bmc_ip>/redfish/v1/UpdateService/update

      • Multipart update with MultipartHttpPushUri API:

        curl -k -u root:'<password>' https://<bmc_ip>/redfish/v1/UpdateService/update-multipart --form "UpdateFile=@<package_path>;type=application/octet-stream" --form 'UpdateParameters={}'

    Where:

      • password – password of root user

      • bmc_ip – BMC IP address

      • package_path – firmware update package path

  2. Track secure firmware update progress – Tracks the firmware update progress

    Required for BMC/CEC update: BMC, CEC

    curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/TaskService/Tasks

    Find the current task ID in the response and use it for checking the progress:

    curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/TaskService/Tasks/<task_id> | jq -r ' .PercentComplete'

    Where:

      • password – password of root user

      • bmc_ip – BMC IP address

      • task_id – Task ID

  3. Reset/reboot a BMC – Resets/reboots the BMC

    Required for BMC/CEC update: BMC

    curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST -d '{"ResetType": "GracefulRestart"}' https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Actions/Manager.Reset

    Where:

      • password – password of root user

      • bmc_ip – BMC IP address

  4. Fetch running BMC firmware version – Fetches the running firmware version from BMC

    Required for BMC/CEC update: BMC

    For BlueField-3:

    curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory/BMC_Firmware | jq -r ' .Version'

    Where:

      • password – password of root user

      • bmc_ip – BMC IP address

    For BlueField-2:

    curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory

    Fetch the current firmware ID and then perform:

    curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory/<firmware_id>_BMC_Firmware | jq -r ' .Version'

    Where:

      • password – password of root user

      • bmc_ip – BMC IP address

      • firmware_id – numeric value found in the FwInventory schema only. It is calculated during firmware update by the BMC and used to distinguish between the versions.

  5. Fetch running CEC firmware version – Fetches the running firmware version from CEC

    Required for BMC/CEC update: CEC

    curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory/Bluefield_FW_ERoT | jq -r ' .Version'

    Where:

      • password – password of root user

      • bmc_ip – BMC IP address

BMC Update

Note

Firmware update takes about 12 minutes.

After initiating the BMC secure update with the command #1 from the previous table, a response similar to the following is received depending on whether HttpPushUri or MultipartHttpPushUri is used:

  • HttpPushUri API:

    curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST -T <package_path> https://<bmc_ip>/redfish/v1/UpdateService
    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/0",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "0",
      "TaskState": "Running"
    }

  • MultipartHttpPushUri API:

    curl -k -u root:'<password>' https://<bmc_ip>/redfish/v1/UpdateService/update-multipart --form "UpdateFile=@<package_path>;type=application/octet-stream" --form 'UpdateParameters={}'
    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/0",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "0",
      "TaskState": "Running",
      "TaskStatus": "OK"
    }

Command #2 from the previous table can be used to track secure firmware update progress. For instance:

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/TaskService/Tasks/0 | jq -r ' .PercentComplete'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2123  100  2123    0     0  38600      0 --:--:-- --:--:-- --:--:-- 37910
20

Command #2 is used to verify the task has completed because during the update procedure the reboot option is disabled. When PercentComplete reaches 100, command #3 is used to reboot the BMC. For example:

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/TaskService/Tasks/0 | jq -r ' .PercentComplete'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3822  100  3822    0     0  81319      0 --:--:-- --:--:-- --:--:-- 81319
100

curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST -d '{"ResetType": "GracefulRestart"}' https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Actions/Manager.Reset
{
  "@Message.ExtendedInfo": [
    {
      "@odata.type": "#Message.v1_1_1.Message",
      "Message": "The request completed successfully.",
      "MessageArgs": [],
      "MessageId": "Base.1.13.0.Success",
      "MessageSeverity": "OK",
      "Resolution": "None"
    }
  ]
}

Command #4 can be used to verify the current BMC firmware version after reboot:

  • For BlueField-3:

    curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory/BMC_Firmware | jq -r ' .Version'
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   513  100   513    0     0   9679      0 --:--:-- --:--:-- --:--:--  9679

  • For BlueField-2:

    1. Fetch the firmware ID from FirmwareInventory:

      curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory/
      {
        "@odata.id": "/redfish/v1/UpdateService/FirmwareInventory",
        "@odata.type": "#SoftwareInventoryCollection.SoftwareInventoryCollection",
        "Members": [
          {
            "@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/8c8549f3_BMC_Firmware"
      …

    2. Use command #4 with the fetched firmware ID in the previous step:

      curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory/8c8549f3_BMC_Firmware | jq -r ' .Version'
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   471  100   471    0     0    622      0 --:--:-- --:--:-- --:--:--   621
      bmc-23.04

CEC Update

Note

Firmware update takes about 20 seconds.

After initiating the BMC secure update with command #1 from the previous table, a response similar to the following is received depending on whether HttpPushUri or MultipartHttpPushUri is used:

  • HttpPushUri API:

    curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST -T <package_path> https://<bmc_ip>/redfish/v1/UpdateService
    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/0",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "0",
      "TaskState": "Running"
    }

  • MultipartHttpPushUri API:

    curl -k -u root:'<password>' https://<bmc_ip>/redfish/v1/UpdateService/update-multipart --form "UpdateFile=@<package_path>;type=application/octet-stream" --form 'UpdateParameters={}'
    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/0",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "0",
      "TaskState": "Running",
      "TaskStatus": "OK"
    }

Command #2 can be used to track the progress of the CEC firmware update. For example:

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/TaskService/Tasks/0 | jq -r ' .PercentComplete'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2123  100  2123    0     0  38600      0 --:--:-- --:--:-- --:--:-- 37910
100

After the CEC secure update operation is complete, a power cycle or cold reset of the BlueField-3 DPU must be manually triggered to apply the changes.

Command #5 can be used to verify the current CEC firmware version after reboot:

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/UpdateService/FirmwareInventory/Bluefield_FW_ERoT | jq -r ' .Version'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   421  100   421    0     0   1172      0 --:--:-- --:--:-- --:--:--  1172
19-4


CEC Activation and Reset

Warning

This is relevant for BlueField-3 DPUs only.

To activate the new CEC firmware, it is necessary to reset the CEC device. The following options are available:

  • Reset the entire BlueField DPU, which typically involves a full power cycle of the host platform.

  • Reset the CEC and BMC subsystems only. This can be done using the ipmitool i2c command over the SMBus channel connected to the PCIe golden finger.

    Warning

    This option is valid only for servers which support I2C over SMBus from the host BMC.

These options provide flexibility in managing the CEC device to apply the firmware update as needed.

To trigger the CEC reset:

ipmitool raw 0x06 0x52 <BUS-ID> 0x82 0x00 0x03 0xFE
ipmitool raw 0x06 0x52 <BUS-ID> 0x82 0x00 0x01 0xFE
sleep <100ms>
ipmitool raw 0x06 0x52 <BUS-ID> 0x82 0x00 0x01 0xFF
ipmitool raw 0x06 0x52 <BUS-ID> 0x82 0x00 0x03 0xFF

Warning

The BUS-ID value is system dependent. It reflects how the host BMC is connected to the SMBus of the related DPU.

Warning

The format of the ipmitool i2c command is as follows:


ipmitool raw <netfun> <cmd> <bus-id> <addr> <read-count> <write-data1> <write-data2>


CEC Background Update Status

Note

This section is relevant only for BlueField-3.

BMC and CEC each have an active and an inactive copy of the same firmware image on their respective firmware SPI flash. The firmware update updates the inactive copy, and on a successful boot from the newly updated and active image, the inactive image (i.e., the previous active image) is updated with the latest image.

Warning

Firmware update cannot be initiated if the background copy is in progress.

To check the status of the background update:

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Chassis/Bluefield_ERoT
...
  "Oem": {
    "Nvidia": {
      "@odata.type": "#NvidiaChassis.v1_0_0.NvidiaChassis",
      "AutomaticBackgroundCopyEnabled": true,
      "BackgroundCopyStatus": "Completed",
      "InbandUpdatePolicyEnabled": true
    }
  }
…

Note

The background update initially indicates InProgress while the inactive copy of the image is being updated with the copy.


Possible Error Codes

Note

This section is relevant only for BlueField-3.

Fault – Diagnosis and Possible Solution

  • Connection to BMC breaks during firmware package transfer

      • Redfish task URI is not returned by the Redfish server

      • The Redfish server (if operational) is in idle state

      • After a reboot of BMC, or restart/recovery of the Redfish server, the Redfish server is in idle state

    A new firmware update can be attempted by the Redfish client.

  • Connection to BMC breaks during firmware update

      • Redfish task URI previously returned by the Redfish server is no longer accessible

      • The Redfish server (if operational) is in one of the following states:

          • In idle state, if the firmware update has completed

          • In update state, if the firmware update is still ongoing

      • After a BMC reboot, or the restart/recovery of the Redfish server, the Redfish server is in idle state

    A new firmware update can be attempted by the Redfish client.

  • Two firmware update requests are initiated

    The Redfish server blocks the second firmware update request and returns the following:

      • HTTP code 400 "Bad Request"

      • Redfish message based on standard registry entry UpdateInProgress

      • A resolution is proposed: "Another update is in progress. Retry the update operation once it is complete."

    Check the status of the ongoing firmware update by looking at the TaskCollection resource.

  • Redfish task hangs

      • Redfish task URI previously returned by the Redfish server is no longer accessible

      • PLDM-based firmware update progresses

      • After a reboot of BMC, or restart/recovery of the Redfish server, the Redfish server is in idle state

    A new firmware update can be attempted by the Redfish client.

  • BMC-EROT communication failure during image transfer

    The Redfish task monitoring the firmware update indicates a failure:

      • TaskState is set to Exception

      • TaskStatus is set to Warning

      • Messages array in the task includes an entry based on the standard registry Update.1.0.0.TransferFailed indicating the components that failed during image transfer

    The Redfish client may retry the firmware update.

  • Firmware update fails

    The Redfish task monitoring the firmware update indicates a failure:

      • TaskState is set to Exception

      • TaskStatus is set to Warning

      • Messages array in the task includes an entry describing the error

    The Redfish client may retry the firmware update.

  • ERoT failure (not responding)

    The Redfish task monitoring the firmware update indicates a failure:

      • TaskState is set to Canceled

      • TaskStatus is set to Warning

      • Messages array in the task includes an entry describing the error

      • The Redfish client reports the error

    The Redfish client may retry the firmware update.

  • Firmware image validation failure

    The Redfish task monitoring the firmware update indicates a failure:

      • TaskState is set to Exception

      • TaskStatus is set to Warning

      • Messages array in the task includes an entry based on the standard registry Update.1.0.0.VerificationFailed to indicate the component for which verification failed

      • The Redfish client reports the error

    The Redfish client might retry the firmware update.

  • Power loss before activation command is sent

      • The Redfish server is in idle state

    A new firmware update can be attempted by the Redfish client.

  • Firmware activation failure

    The Redfish task monitoring the firmware update indicates a failure:

      • TaskState is set to Exception

      • TaskStatus is set to Warning

      • Messages array in the task includes an entry based on the standard registry Update.1.0.ActivateFailed

    The Redfish client may retry the firmware update.

  • Push to BMC firmware package greater than 200 MB

      • No Redfish task is created

      • Messages array in the task includes an entry based on the standard registry Base.1.15.0.PayloadTooLarge and the Resolution "Firmware package size is greater than allowed size". Make sure the package size is less than the UpdateService.MaxImageSizeBytes property and retry the firmware update operation.
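The update procedure and the fault table above reduce to a decision an automation script makes on every poll of the task resource. The following added example (not NVIDIA's code) shows one way to write it, so that a failed or cancelled task never leads to a reboot. The function names, the verdict strings and the sample task documents are assumptions of this example.

```python
from __future__ import annotations

# Last dot-separated component of the MessageId values named in the table above.
FAILURE_REASONS = {
    "TransferFailed": "image transfer failed",
    "VerificationFailed": "firmware image validation failed",
    "ActivateFailed": "firmware activation failed",
}


def can_start_update(chassis: dict) -> bool:
    """True only when /redfish/v1/Chassis/Bluefield_ERoT reports
    BackgroundCopyStatus "Completed". A missing or different value is
    treated as not ready (a choice made by this example)."""
    nvidia = chassis.get("Oem", {}).get("Nvidia", {})
    return nvidia.get("BackgroundCopyStatus") == "Completed"


def evaluate_task(task: dict, component: str = "BMC") -> tuple[str, str]:
    """Map one poll of /redfish/v1/TaskService/Tasks/<task_id> to
    (verdict, detail); verdict is "wait", "apply" or "failed"."""
    reasons = []
    for message in task.get("Messages") or []:
        suffix = str(message.get("MessageId", "")).rsplit(".", 1)[-1]
        if suffix in FAILURE_REASONS:
            reasons.append(FAILURE_REASONS[suffix])

    # Failure states are checked first so that a task which failed late
    # is never mistaken for a finished one.
    state = task.get("TaskState")
    if state in ("Exception", "Canceled"):
        if not reasons:
            reasons.append("ERoT not responding" if state == "Canceled"
                           else "see the task's Messages array")
        return "failed", "; ".join(reasons)

    if task.get("PercentComplete") == 100:
        if component == "CEC":
            return "apply", "power cycle or cold reset the DPU"
        return "apply", "reboot the BMC with Manager.Reset"

    return "wait", f"{task.get('PercentComplete', 0)}% complete"


def version_matches(inventory: dict, expected: str) -> bool:
    """Compare the Version property of a FirmwareInventory member with the
    version the update package was meant to install."""
    return inventory.get("Version") == expected


# Constructed sample task documents (not captured from a device).
RUNNING = {"Id": "0", "TaskState": "Running", "TaskStatus": "OK",
           "PercentComplete": 20}
FINISHED = {"Id": "0", "TaskState": "Completed", "TaskStatus": "OK",
            "PercentComplete": 100}
REJECTED = {"Id": "0", "TaskState": "Exception", "TaskStatus": "Warning",
            "PercentComplete": 100,
            "Messages": [{"MessageId": "Update.1.0.0.VerificationFailed"}]}
UNRESPONSIVE = {"Id": "0", "TaskState": "Canceled", "TaskStatus": "Warning",
                "Messages": []}

if __name__ == "__main__":
    for name, task in [("running", RUNNING), ("finished", FINISHED),
                       ("rejected", REJECTED), ("unresponsive", UNRESPONSIVE)]:
        print(name, evaluate_task(task))
```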

Redfish triggers allow the user to get a journal message when a certain metric crosses a defined threshold for a defined time:

  • The trigger threshold can only be a numeric threshold

  • The trigger thresholds are unrelated to the sensor thresholds

  • The maximum number of triggers allowed in the system is 10

For more details, refer to Redfish Resource and Schema Guide.

  1. Add a numeric trigger – Adds a numeric trigger to the BMC

    curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/TelemetryService/Triggers/ -d '{"Id":"< >","Name":"<>","MetricType":"<>","TriggerActions":["<>"],"NumericThresholds":{"<>":{"Activation":"<>","DwellTime":"<>","Reading":<>}},"MetricProperties":["<>"]}'

  2. Delete a trigger – Deletes a trigger

    curl -k -u root:'<password>' -H "Content-Type: application/json" -X DELETE https://<bmc_ip>/redfish/v1/TelemetryService/Triggers/<trigger-name>

Certificate management actions (e.g., getting certificate information, doing atomic replacement of certificates) are found in the CertificateService resource.

The CertificateLocations resource provides an inventory of all the certificates that the service manages.

More details can be found in the Redfish Certificate Management White Paper.

| # | Function | Command | Description |
|---|----------|---------|-------------|
| 1 | Get certificate locations | curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/CertificateService/CertificateLocations | Inventory of all certificates the service is managing |
| 2 | Get certificate information | curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1 | Get certificate info |
| 3 | Replace existing certificate | curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json | Replace certificate |
| 4 | Generate CSR | curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json | Generate certificate signing request |
| 5 | Install a certificate | curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates -d @certificate.json | Install a certificate |

Example for CSR Generation, Certificate Creation and Replacement

  1. Configure your CA to include at least the following extensions for the signed TLS server certificates:

    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = IP:192.168.240.1

    Warning

    The extension subjectAltName = IP:192.168.240.1 is mandatory.

  2. Create a JSON containing the subject data for the DPU BMC to use when creating the CSR. For example:

    {
      "City": "<city>",
      "CertificateCollection": {
        "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"
      },
      "CommonName": "bmc0123456789.mycompany.com",
      "Country": "<country>",
      "Organization": "<company_name>",
      "OrganizationalUnit": "<my_org>",
      "State": "<state>",
      "KeyPairAlgorithm": "EC"
    }

  3. Generate a certificate signing request using the fourth command in the table above and the JSON file created in the previous step:

    Note

    The BMC replies with a JSON containing the CSR.

    curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json

    {
      "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\n<CSR_DATA>\n-----END CERTIFICATE REQUEST-----\n",
      "CertificateCollection": {
        "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"
      }
    }

  4. Extract the CSR string from the JSON and sign the CSR using your CA. For example, the following command signs the CSR and includes the required extensions in the signed TLS server certificate:

    openssl x509 -req -in bmc.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out bmc.crt -days 3650 -sha384 -extfile extfile.txt

    Where:

    • bmc.csr contains the CSR string from the previous step

    • CA-cert.pem contains the CA certificate to be used to sign the CSR

    • CA-key.pem contains the CA private key

    • extfile.txt contains the extensions mentioned in the first step (basicConstraints, keyUsage, and subjectAltName)

    • bmc.crt is the output file which will contain the BMC certificate signed by the CA

  5. Create a JSON file for the DPU BMC signed TLS server certificate data:

    {
      "CertificateString": "-----BEGIN CERTIFICATE-----\n<bmc.crt-data>\n-----END CERTIFICATE-----",
      "CertificateType": "PEM",
      "CertificateUri": {
        "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1"
      }
    }

  6. Replace the BMC certificate using the third command in the table above and the JSON created in the previous step.

    curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json
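
Steps 4 and 5 above convert between the JSON-escaped strings the BMC exchanges and the PEM files openssl reads. The Python helpers below are an added example, not NVIDIA's code: the function names are hypothetical, the sample reply is constructed, and the payload is assumed to carry exactly one certificate, as in the template above.

```python
import json
import re

# Certificate URI as shown in the certificate.json template on this page.
CERT_URI = "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1"

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+?)\n"
    r"-----END (?P=label)-----"
)

def pem_blocks(text, label):
    """Return all PEM blocks carrying `label`, with CRLF normalised to LF."""
    text = text.replace("\r\n", "\n")
    return [m.group(0) for m in _PEM_RE.finditer(text) if m.group("label") == label]

def csr_from_response(response_text):
    """Step 4: turn the GenerateCSR reply into PEM text suitable for bmc.csr."""
    csr = json.loads(response_text)["CSRString"]  # decodes the \n escapes
    blocks = pem_blocks(csr, "CERTIFICATE REQUEST")
    if len(blocks) != 1:
        raise ValueError("expected exactly one CSR in CSRString")
    return blocks[0] + "\n"

def replace_payload(cert_pem, cert_uri=CERT_URI):
    """Step 5: build the certificate.json body from the signed bmc.crt."""
    # The BMC created the CSR, so only a certificate is uploaded; a private key
    # here means the wrong file (for example CA-key.pem) was picked up.
    if "PRIVATE KEY-----" in cert_pem:
        raise ValueError("input contains a private key; refusing to build payload")
    blocks = pem_blocks(cert_pem, "CERTIFICATE")
    if len(blocks) != 1:  # assumption: one certificate, as in the page's template
        raise ValueError("expected exactly one certificate in input")
    return json.dumps({
        "CertificateString": blocks[0],  # json.dumps re-escapes the newlines
        "CertificateType": "PEM",
        "CertificateUri": {"@odata.id": cert_uri},
    }, indent=2)

# Constructed sample reply; the base64 body is a placeholder, not a real CSR.
SAMPLE_REPLY = (
    '{"CSRString": "-----BEGIN CERTIFICATE REQUEST-----\\nTUlJQmV4YW1wbGU=\\n'
    '-----END CERTIFICATE REQUEST-----\\n", "CertificateCollection": {"@odata.id": '
    '"/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"}}'
)

if __name__ == "__main__":
    print(csr_from_response(SAMPLE_REPLY), end="")
```

Write the result of csr_from_response to bmc.csr before signing, and the result of replace_payload to certificate.json before the ReplaceCertificate call. Once the CA-signed certificate is in place, curl can validate the BMC with --cacert CA-cert.pem instead of -k.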

© Copyright 2023, NVIDIA. Last updated on Feb 8, 2024.