BIOS Secure Boot Configuration
The NVIDIA® BlueField® BMC supports the DMTF Secure Boot schema, which enables managing the state of UEFI Secure Boot through the Redfish interface. This allows clients to set whether UEFI should authenticate the OS image during the boot process.
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot
Output example:
{
"@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot",
"@odata.type": "#SecureBoot.v1_1_0.SecureBoot",
"Description": "The UEFI Secure Boot associated with this system.",
"Id": "SecureBoot",
"Name": "UEFI Secure Boot",
"SecureBootCurrentBoot": "Disabled",
"SecureBootDatabases": {
"@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases"
},
"SecureBootEnable": false,
"SecureBootMode": "SetupMode"
}
The following command enables UEFI Secure Boot through the Redfish interface:
curl -k -u root:'<password>' -X PATCH -H "Content-Type: application/json" https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot -d '{"SecureBootEnable":true}'
To read the Secure Boot state:
curl -k -u root:<password> -H "Content-Type: application/octet-stream" -X GET https://<BF-BMC-IP>/redfish/v1/Systems/Bluefield/SecureBoot
Output example:
{
"@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot",
"@odata.type": "#SecureBoot.v1_1_0.SecureBoot",
"Description": "The UEFI Secure Boot associated with this system.",
"Id": "SecureBoot",
"Name": "UEFI Secure Boot",
"SecureBootCurrentBoot": "Enabled",
"SecureBootEnable": true,
"SecureBootMode": "SetupMode"
}
The following command disables UEFI Secure Boot through the Redfish interface:
curl -k -u root:<BF-BMC-PASSWORD> -X PATCH https://<BF-BMC-IP>/redfish/v1/Systems/Bluefield/SecureBoot -H 'Content-Type: application/json' -d '{"SecureBootEnable": false}'
After running this command, the BlueField Arm OS must be rebooted twice. The first reboot is for the UEFI Redfish client to read the request from the BMC and apply it; the second reboot is for the setting to take effect.
From the BlueField BMC using Redfish:
curl -k -u root:<BF-BMC-PASSWORD> -X POST https://<BF-BMC-IP>/redfish/v1/Systems/Bluefield/Actions/ComputerSystem.Reset -H 'Content-Type: application/json' -d '{"ResetType":"ForceRestart"}'
From RShim:
echo 'SW_RESET 1' > /dev/rshim0/misc
From the BlueField Arm OS:
reboot
The following operations may be performed using Redfish commands. For each operation, a corresponding task is generated within the BMC's Redfish Task Service. During the subsequent BlueField reboot, the UEFI checks for any pending secure boot tasks and executes them in the order of their ascending task ID numbers. After completion, the UEFI then updates the task state to reflect the relevant status.
To read the UEFI Secure Boot databases:
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases
Output example:
{
  "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases",
  "@odata.type": "#SecureBootDatabaseCollection.SecureBootDatabaseCollection",
  "Members": [
    {
      "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/KEK"
    },
    ..
    {
      "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/PK"
    },
    ..
    {
      "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db"
    },
    ..
    ..
    {
      "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/dbx"
    },
    ..
  ],
  "Members@odata.count": 10,
  "Name": "UEFI SecureBoot Database Collection"
}
To add a certificate to the UEFI db:
Note: The following certificate is an example only and cannot be used as is. The db certificate must be signed by the public key certificate.
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Certificates -d \ '{"CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDbTCCAlWgAwIBAgIUO2MdJt2cTCGr0eO4PiBV5Uk0b/IwDQYJKoZIhvcNAQEL\nBQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdo\nMQ8wDQYDVQQKEwZMZW5vdm8xFzAVBgNVBAMTDkxlbm92byBVRUZJIERCMB4XDTE3\nMDMxNTIxMTYzNFoXDTQxMDMxNTIxMTYzNFowVjELMAkGA1UEBhMCVVMxCzAJBgNV\nBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdoMQ8wDQYDVQQKEwZMZW5vdm8xFzAVBgNV\nBAMTDkxlbm92byBVRUZJIERCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEA1ezmdoBlk5yDVuXw8F774CvllhMz9bT0/TpH3kmRpPAizSRDzbHLUuBMC6SE\nW4zjdLxTqOlwZt6UUcWxlyzKcoDPe43cE6YH1kM/rscvm3AaVL+4GcyGgS9DL6qe\nQFHWER25xCTokMsCdKB42Ty7hWW5FBPepgAS+GDfqQfb/4hoonIlen5X+dqVIsE/\nRM1DIVBUiIbJdgERYeoGjY/Rh4A1VWl6ErzyzokYnf63JjSFR2kVV0apbr4ISOTM\n7qBd1RNHwQrCAryRADX1XGvRZURzwQdEXfOqZOkVjNKr1fD761qvPE8TQWWJ9Q8r\nmciMocIXqoqWKPAkgbMwKmcsFQIDAQABozMwMTAPBgNVHRMBAf8EBTADAQH/MA4G\nA1UdDwEB/wQEAwICBDAOBgNVHQ8Baf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEB\nAJ2U0UjB+sxF/HE5sY56vJbdFITl8o0Yf7XJImL0VtgpYjfeqiE768G2uTUbzCKy\nhDOps3+4w4p8FUSO6StzCz6UuUyxlUjQzpkxZ97Ouq1sGhjy7dZybTEByJD6LpI7\nl1EpJSfBiwxTdm7svJoABKs8Hs7e9f3XX5PK76SxllMbDaxAm7UvCppYBBR1SeyC\ngWt3rGRiO3W6pfd07ioCD03kgGzYNOZeU2S+maE1Xt4kUoYs3HxyrhJGfN26gM8h\n4w5LfCKrlxi+3KMf+vXxEBfGYBvjwcA7KCW92GnUQGVjZbEGs6EaTBx7i9gA2+te\noWS/500qiwNRp2xqdBxg1d0=\n-----END CERTIFICATE-----","CertificateType": "PEM","UefiSignatureOwner": "5491316d-9694-4639-b72d-b8630ffa7dab"}'
Output example:
{ "@odata.id": "/redfish/v1/TaskService/Tasks/0", "@odata.type": "#Task.v1_4_3.Task", "Id": "0", "TaskState": "Pending", "TaskStatus": "OK" }
To add a signature to the UEFI db:
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Signatures -d '{"SignatureString": "80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0A","SignatureTypeRegistry": "UEFI","SignatureType": "EFI_CERT_SHA256_GUID","UefiSignatureOwner": "28d5e212-165b-4ca0-909b-c86b9cee0112"}'
Output example:
{ "@odata.id": "/redfish/v1/TaskService/Tasks/1", "@odata.type": "#Task.v1_4_3.Task", "Id": "1", "TaskState": "Pending", "TaskStatus": "OK" }
To delete UEFI db certificate #1:
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X DELETE https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Certificates/1
Output example:
{ "@odata.id": "/redfish/v1/TaskService/Tasks/2", "@odata.type": "#Task.v1_4_3.Task", "Id": "2", "TaskState": "Pending", "TaskStatus": "OK" }
To delete all UEFI db keys:
curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Actions/SecureBootDatabase.ResetKeys -d '{"ResetKeysType": "DeleteAllKeys"}'
Output example:
{ "@odata.id": "/redfish/v1/TaskService/Tasks/3", "@odata.type": "#Task.v1_4_3.Task", "Id": "3", "TaskState": "Pending", "TaskStatus": "OK" }
The following is an example flow for resetting all db certificates using Redfish commands:
To reset all db keys:
root:~# curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Actions/SecureBootDatabase.ResetKeys -d '{"ResetKeysType": "DeleteAllKeys"}'
Output example:
{ "@odata.id": "/redfish/v1/TaskService/Tasks/12", "@odata.type": "#Task.v1_4_3.Task", "Id": "12", "TaskState": "Pending", "TaskStatus": "OK" }
Tip: Record the returned task ID; in this example, the task ID is 12.
To read the status of task 12:
root:~# curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<bmc_ip>/redfish/v1/TaskService/Tasks/12
Output example:
{
  "@odata.id": "/redfish/v1/TaskService/Tasks/12",
  "@odata.type": "#Task.v1_4_3.Task",
  "Id": "12",
  "Messages": [],
  "Name": "Task 12",
  "Payload": {
    "HttpHeaders": [
      "Host: <IP>",
      "User-Agent: curl/7.81.0",
      "Accept: */*",
      "Content-Length: 34"
    ],
    "HttpOperation": "POST",
    "JsonBody": "{\n \"ResetKeysType\": \"DeleteAllKeys\"\n}",
    "TargetUri": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Actions/SecureBootDatabase.ResetKeys"
  },
  "PercentComplete": 0,
  "StartTime": "2023-09-05T16:47:05+00:00",
  "TaskMonitor": "/redfish/v1/TaskService/Tasks/12/Monitor",
  "TaskState": "Pending",
  "TaskStatus": "OK"
}
You can see that TaskStatus is OK and TaskState is Pending. This indicates that the operation has been successfully enqueued in the task service and is pending the next BlueField boot.
Issue the following graceful reset command to BlueField:
root:~# curl -k -u root:"<password>" -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/Actions/ComputerSystem.Reset -d '{"ResetType" : "GracefulRestart"}'
Output example:
{ "@Message.ExtendedInfo": [ { "@odata.type": "#Message.v1_1_1.Message", "Message": "The request completed successfully.", "MessageArgs": [], "MessageId": "Base.1.15.0.Success", "MessageSeverity": "OK", "Resolution": "None" } ] }
UEFI reads the pending secure boot tasks and executes them.
Following BlueField reset, the UEFI updates the status of the operation on the TaskState and TaskStatus fields. Poll the task and check the values of TaskState and TaskStatus.
Success
"TaskState": "Completed","TaskStatus": "OK"
Failure
"TaskState": "Exception","TaskStatus": "OK"
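The following is an added example, not NVIDIA's code, of a post-change check that covers both the two-reboot behavior of SecureBootEnable and the task states described above. It compares the requested setting with what the current boot enforced and lists queued tasks in UEFI execution order. The sample responses are constructed to match the shapes shown on this page, and the function names and the "unknown" verdict are assumptions.

```python
# Constructed sample data, shaped like the Redfish outputs shown on this page.
SECURE_BOOT = {"SecureBootCurrentBoot": "Disabled",
               "SecureBootEnable": True, "SecureBootMode": "SetupMode"}
DB = "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db"
TASKS = [  # deliberately out of order, as a listing might return them
    {"Id": "12", "TaskState": "Pending", "TaskStatus": "OK",
     "Payload": {"HttpOperation": "POST", "TargetUri": DB + "/Certificates"}},
    {"Id": "3", "TaskState": "Exception", "TaskStatus": "OK",
     "Payload": {"HttpOperation": "POST",
                 "TargetUri": DB + "/Actions/SecureBootDatabase.ResetKeys"}},
    {"Id": "2", "TaskState": "Completed", "TaskStatus": "OK",
     "Payload": {"HttpOperation": "DELETE", "TargetUri": DB + "/Certificates/1"}},
]

def secure_boot_findings(sb):
    """Compare the requested setting with what the current boot enforced."""
    findings = []
    requested = "Enabled" if sb.get("SecureBootEnable") else "Disabled"
    current = sb.get("SecureBootCurrentBoot")
    if requested != current:
        findings.append(f"requested {requested}, current boot {current}: reboot pending")
    if sb.get("SecureBootMode") == "SetupMode":
        # UEFI Setup Mode means no Platform Key (PK) is enrolled.
        findings.append("SetupMode: no PK enrolled")
    return findings

def classify_task(task):
    """Map TaskState/TaskStatus to the outcomes this page describes."""
    state, status = task.get("TaskState"), task.get("TaskStatus")
    if state == "Completed" and status == "OK":
        return "applied"
    if state == "Pending":
        return "waiting-for-reboot"
    if state == "Exception":
        return "failed"
    return "unknown"  # any state this page does not describe

def task_report(tasks):
    """List tasks in UEFI execution order (ascending numeric task ID)."""
    ordered = sorted(tasks, key=lambda t: int(t["Id"]))  # "12" must sort after "3"
    return [(t["Id"], classify_task(t), t["Payload"]["HttpOperation"],
             t["Payload"]["TargetUri"].rsplit("/SecureBootDatabases/", 1)[-1])
            for t in ordered]

if __name__ == "__main__":
    print(secure_boot_findings(SECURE_BOOT), *task_report(TASKS), sep="\n")
```

Feed it the parsed JSON from the SecureBoot and TaskService GET requests shown on this page; an empty findings list means the requested and effective Secure Boot states agree.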