BIOS Configuration
BMC supports configuring the NVIDIA® BlueField®'s BIOS using Redfish commands.
The BIOS schema includes properties associated with the BIOS attribute registry, which defines system-specific BIOS attributes and the actions needed to modify BIOS settings. If the @Redfish.Settings term is present in this resource, a client can use it to request changes to the BIOS settings by updating the resource identified by the @Redfish.Settings annotation.
Getting BIOS Attributes List
After running factory reset, the BIOS configuration attributes list is updated only after rebooting the BlueField as the list gets its values from UEFI as BlueField is booting and Redfish is enabled.
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Registries/BiosAttributeRegistry/BiosAttributeRegistry
Output example:
In the following output, there is only one BIOS attribute, UefiPassword.
{
"@Redfish.Settings": {
"@odata.type": "#Settings.v1_3_5.Settings",
"SettingsObject": {
"@odata.id": "/redfish/v1/Systems/Bluefield/Bios/Settings"
}
},
"@odata.id": "/redfish/v1/Systems/Bluefield/Bios",
"@odata.type": "#Bios.v1_2_0.Bios",
"Actions": {
"#Bios.ChangePassword": {
"target": "/redfish/v1/Systems/Bluefield/Bios/Actions/Bios.ChangePassword"
},
"#Bios.ResetBios": {
"target": "/redfish/v1/Systems/Bluefield/Bios/Actions/Bios.ResetBios"
}
},
"Attributes": {
"BootPartitionProtection": false,
"CeThreshold": 5000,
"CurrentUefiPassword": "",
"DateTime": "2024-10-17T19:47:04Z",
"DefaultPasswordPolicy": true,
"DisableHEST": false,
"DisableI2c1": false,
"DisablePCIe": false,
"DisableSPMI": false,
"DisableTMFF": false,
"EmmcWipe": false,
"Enable2ndeMMC": false,
"EnableDdr5600": false,
"EnableOPTEE": false,
"EnableSMMU": true,
"FieldMode": false,
"ForcePxeRetryDisable": false,
"HostPrivilegeLevel": "Restricted",
"InternalCPUModel": "Embedded",
"L3CachePartitionLevel": 0,
"LegacyPasswordEnable": false,
"NicMode": "DpuMode",
"NvmeWipe": false,
"OsArgs": "",
"ResetEfiVars": false,
"SPCR_UART": "Disabled",
"UefiArgs": "",
"UefiPassword": ""
},
"Description": "BIOS Configuration Service",
"Id": "BIOS",
"Links": {
"SoftwareImages": [
{
"@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_ATF"
},
{
"@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_BOARD"
},
{
"@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_BSP"
},
{
"@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_NIC"
},
{
"@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_NODE"
},
{
"@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_OFED"
},
{
"@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_OS"
},
{
"@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_SYS_IMAGE"
},
{
"@odata.id": "/redfish/v1/UpdateService/FirmwareInventory/DPU_UEFI"
}
],
"SoftwareImages@odata.count": 9
},
"Name": "BIOS Configuration",
"ResetBiosToDefaultsPending": false
}
For information on each of the attributes listed in output, please refer to section "System Configuration" in the UEFI Menu page of the NVIDIA BlueField BSP manual.
Getting Current BIOS Attributes Value
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/Bios/
Output example:
The current value of UefiPassword is an empty string.
{
"@Redfish.Settings": {
"@odata.type": "#Settings.v1_3_5.Settings",
"SettingsObject": {
"@odata.id": "/redfish/v1/Systems/Bluefield/Bios/Settings"
}
},
"@odata.id": "/redfish/v1/Systems/Bluefield/Bios",
"@odata.type": "#Bios.v1_2_0.Bios",
...
"Attributes": {
"UefiPassword": ""
},
"Description": "BIOS Configuration Service",
"Id": "BIOS",
"Name": "BIOS Configuration",
...
}
Changing BIOS Attributes Value
Follow this command template to request changing BIOS attribute values:
curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Systems/Bluefield/Bios/Settings -d '{Attributes:{<attribute-name> : <attribute-value>}}'
At the next boot cycle of the BlueField, the UEFI changes the requested attribute if the requested value is valid.
Getting Pending BIOS Attribute Values
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/Bios/Settings
Pending values are a list of values that that user has requested to change. The list of pending values is purged once the UEFI changes the pending attributes.
Output example:
UefiPassword appears in the pending attributes list.
{
"@odata.id": "/redfish/v1/Systems/Bluefield/Bios/Settings",
"@odata.type": "#Bios.v1_2_0.Bios",
"Attributes": {
"UefiPassword": "NewPassword123"
},
"Description": "BIOS Settings",
"Id": "BIOS_Settings",
"Name": "BIOS Configuration"
}
The active BIOS attribute list is updated only after the UEFI approves the changes during the next reboot cycle.
BIOS Configuration Examples
Changing Default UEFI Password Using Redfish
Look for the "Attributes" property to make sure the UEFI version being used has all the necessary attributes. See section "Get BIOS Attributes List" for instructions.
Perform PATCH to BIOS pending settings URI as follows:
curl -k -u root:<password> -X PATCH -H "Content-Type: application/json" https://<bmc_ip>/redfish/v1/Systems/Bluefield/Bios/Settings -d '{"Attributes":{"CurrentUefiPassword":"CurrentPassword","UefiPassword":"NewPassword321"}}'
Reboot BlueField using the Redfish System schema over 1GbE OOB to the BlueField BMC. See section "Reset Control" for instructions.
If
CurrentUefiPasswordis correct, then the UEFI password is updated during the UEFI Redfish phase of the boot.
Viewing Currently Installed BIOS CA Certificates
The certificates installed on the UEFI may differ from the certificate presented on the BlueField BMC. This discrepancy arises from a distinct certificate validation processed implemented in the UEFI and BlueField BMC.
Trigger the following GET request to view the content of the system's Truststore:
curl -k -u root:<password> -X GET https:
//<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Truststore/CertificatesFor example, the following is the response when there are two certificates installed:
{
"@Redfish.SupportedCertificates": ["PEM"],"@odata.id":"/redfish/v1/Systems/Bluefield/Oem/Nvidia/Truststore/Certificates","@odata.type":"#CertificateCollection.CertificateCollection","Members": [ {"@odata.id":"/redfish/v1/Systems/Bluefield/Oem/Nvidia/Truststore/Certificates/1"}, {"@odata.id":"/redfish/v1/Systems/Bluefield/Oem/Nvidia/Truststore/Certificates/2"} ],"Members@odata.count":2,"Name":"TruststoreBios Certificate Collection"}Trigger the following GET request to view the details of a specific certificate:
curl -k -u root:<password> -X GET https:
//<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Truststore/Certificates/<cert_num>For example:
{
"@odata.id":"/redfish/v1/Systems/Bluefield/Boot/Certificates/1","@odata.type":"#Certificate.v1_7_0.Certificate","CertificateString":"<cert_str>","CertificateType":"PEM","Id":"1","Issuer": {"City":"Santa Clara","CommonName":"Kg639IcpJtYMRzvh.nvidia","Country":"US","Organization":"NVIDIA","OrganizationalUnit":"NBU","State":"California"},"KeyUsage": ["CRLSigning"],"Name":"TruststoreBios Certificate","Subject": {"City":"Santa Clara","CommonName":"Kg639IcpJtYMRzvh.nvidia","Country":"US","Organization":"NVIDIA","OrganizationalUnit":"NBU","State":"California"},"UefiSignatureOwner":"<UEFI_Owner>","ValidNotAfter":"2043-01-01T00:00:00+00:00","ValidNotBefore":"2023-01-01T00:00:00+00:00"}
BIOS CA Certificates Collection Operations
Request for an operation:
To install a certificate, trigger the following POST request which contains the certificate string and type in JSON format:
NoteThe BMC certificate must be replaced with a CA signed certificate before installing new CA certificates, and after BMC factory reset. See section "Example for CSR Generation, Certificate Creation and Replacement" for instructions.
WarningIf an invalid certificate is installed, the BMC rejects it and does not display it. However, it is still accepted by the UEFI and it must be deleted manually through the UEFI menu.
curl -k -u root:<password> -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Truststore/Certificates -d @CAcert.json
The content of
CAcert.jsonmust be{"CertificateString": "<cert_string>", "CertificateType": "<cert_type>"}. Where:
cert_string– certification string which starts with-----BEGIN CERTIFICATE-----\nand ends with-----END CERTIFICATE-----\n.NoteThe "\n" at the end are mandatory.
cert_type– certification type. Only "PEM" is supported.
To delete a CA certificate, trigger the following
DELETErequest with the CA certificate URI that should be deleted, this only delete it from the BMC trust store:curl -k -u root:<password> -H "Content-Type: application/json" -X DELETE https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Truststore/Certificates/<cert_num>
To reset all certificates in the Truststore, trigger the following
TruststoreCertificates.ResetKeysaction with theDeleteAllKeysoption:curl -k -u root:<password> -H
"Content-Type: application/json"-X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Actions/TruststoreCertificates.ResetKeys -d '{"ResetKeysType":"DeleteAllKeys"}'
Verify the new task is
Pending:The responses of these requests indicate the creation of a new task for the UEFI:
{ "@odata.id": "/redfish/v1/TaskService/Tasks/<task_id>", "@odata.type": "#Task.v1_4_3.Task", "Id": "<task_id>", "TaskState": "Pending", "TaskStatus": "OK" }
Perform BlueField soft reset in order for the UEFI to start handling the pending tasks:
curl -k -u root:<password> -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/Actions/ComputerSystem.Reset -d '{"ResetType" : "GracefulRestart"}'
Wait until task is
Completed.The task details and status can be checked using the following
GETrequest:curl -k -u root:<password> -H "Content-Type: application/json" -X GET https://<bmc_ip>/redfish/v1/TaskService/Tasks/<task_id>
The task status can be either:
Pending – Initial state.
{
"@odata.id":"/redfish/v1/TaskService/Tasks/<task_id>","@odata.type":"#Task.v1_4_3.Task", ..."PercentComplete":0, ..."TaskState":"Pending","TaskStatus":"OK"}If the task remains in a "Pending" state after BlueField reset completes, please check the UEFI-BMC communication.
If a communication failure occurs, consider either:
Replacing the BMC certificate with one signed by a CA whose certificate was installed and resetting BlueField
Removing all CA certificates from the UEFI menu
Completed – Finished state.
{
"@odata.id":"/redfish/v1/TaskService/Tasks/<task_id>","@odata.type":"#Task.v1_4_3.Task", ..."PercentComplete":100, ..."TaskState":"Completed","TaskStatus":"OK"}Exception – Failure state.
{
"@odata.id":"/redfish/v1/TaskService/Tasks/<task_id>","@odata.type":"#Task.v1_4_3.Task", ..."PercentComplete":0, ..."TaskState":"Exception","TaskStatus":"OK"}In this case, verify that the certificate is valid.
Check updates in Truststore. See section "Viewing Currently Installed BIOS CA Certificates" for details.
For a full list of the BIOS attributes, please refer to the "Redfish" section of the NVIDIA BlueField BSP documentation.
BIOS debug mode allows users to view the UEFI debug logs when the BlueField Arm OS is booting up.
To enable the logs, run:
ipmitool raw 0x3e 0x24 0x1
Returns 01 if successful.
To disable debug mode, run:
ipmitool raw 0x3e 0x24 0x0
Returns 00 if successful.
To query the current applied mode, run:
ipmitool raw 0x3e 0x24 0x2
Returns:
00 – Normal (default) mode
01 – Debug mode
After setting your desired mode, reset the BlueField Arm OS to view the logs.
Power cycling the system or hard resetting the BlueField SoC resets the BIOS mode value back to its default normal mode.