NVIDIA BlueField BMC Software v25.04

BIOS Secure Boot Configuration

The NVIDIA® BlueField® BMC supports the DMTF Secure Boot schema which enables managing the state of the UEFI Secure Boot through the Redfish interface. This allows clients to set whether UEFI should authenticate the OS image during the boot process.


curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot

Output example:


{
  "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot",
  "@odata.type": "#SecureBoot.v1_1_0.SecureBoot",
  "Description": "The UEFI Secure Boot associated with this system.",
  "Id": "SecureBoot",
  "Name": "UEFI Secure Boot",
  "SecureBootCurrentBoot": "Disabled",
  "SecureBootDatabases": {
    "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases"
  },
  "SecureBootEnable": false,
  "SecureBootMode": "SetupMode"
}

The following command enables UEFI Secure Boot through the Redfish interface:


curl -k -u root:'<password>' -X PATCH -H "Content-Type: application/json" https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot -d '{"SecureBootEnable":true}'

The following commands first read the current Secure Boot state (shown here after Secure Boot has been enabled) and then disable UEFI Secure Boot through the Redfish interface:

curl -k -u root:<password> -H "Content-Type: application/octet-stream" -X GET https://<BF-BMC-IP>/redfish/v1/Systems/Bluefield/SecureBoot

Output example:

{
  "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot",
  "@odata.type": "#SecureBoot.v1_1_0.SecureBoot",
  "Description": "The UEFI Secure Boot associated with this system.",
  "Id": "SecureBoot",
  "Name": "UEFI Secure Boot",
  "SecureBootCurrentBoot": "Enabled",
  "SecureBootEnable": true,
  "SecureBootMode": "SetupMode"
}

The PATCH that disables Secure Boot:

curl -k -u root:<BF-BMC-PASSWORD> -X PATCH https://<BF-BMC-IP>/redfish/v1/Systems/Bluefield/SecureBoot -H 'Content-Type: application/json' -d '{"SecureBootEnable": false}'

After running this command, the BlueField Arm OS must be rebooted twice. The first reboot is for the UEFI redfish client to read the request from the BMC and apply it; the second reboot is for the setting to take effect.

Note

The "SecureBootEnable" property in the Secure Boot schema takes precedence over the Secure Boot setting in the UEFI menu of the BlueField Arm OS. Currently there is no separate pending-settings URL, so the value of the "SecureBootEnable" property is applied on the next BlueField Arm OS reboot.

The BlueField Arm OS can be rebooted in any of the following ways:

  • From the BlueField BMC using Redfish:


    curl -k -u root:<BF-BMC-PASSWORD> -X POST https://<BF-BMC-IP>/redfish/v1/Systems/Bluefield/Actions/ComputerSystem.Reset -H 'Content-Type: application/json' -d '{"ResetType":"ForceRestart"}'

  • From RShim:


    echo 'SW_RESET 1' > /dev/rshim0/misc

  • From the BlueField Arm OS:


    reboot

The following operations may be performed using Redfish commands. For each operation, a corresponding task is generated in the BMC's Redfish Task Service. During the next BlueField reboot, the UEFI checks for pending Secure Boot tasks and executes them in ascending order of task ID. After completion, the UEFI updates the task state to reflect the result.

  • To read UEFI Secure boot databases:


    curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases

    Output example:


    {
      "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases",
      "@odata.type": "#SecureBootDatabaseCollection.SecureBootDatabaseCollection",
      "Members": [
        {
          "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/KEK"
        },
        ...
        {
          "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/PK"
        },
        ...
        {
          "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db"
        },
        ...
        ...
        {
          "@odata.id": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/dbx"
        },
        ...
      ],
      "Members@odata.count": 10,
      "Name": "UEFI SecureBoot Database Collection"
    }

  • To add a certificate to the UEFI db:

    Note

    The following certificate is an example only. The content of the PEM file is copied into the curl POST command with every end-of-line character replaced by \n. For reference, this is the original content of the PEM certificate file:


    -----BEGIN CERTIFICATE-----
    MIIDbTCCAlWgAwIBAgIUO2MdJt2cTCGr0eO4PiBV5Uk0b/IwDQYJKoZIhvcNAQEL
    BQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdo
    MQ8wDQYDVQQKEwZMZW5vdm8xFzAVBgNVBAMTDkxlbm92byBVRUZJIERCMB4XDTE3
    MDMxNTIxMTYzNFoXDTQxMDMxNTIxMTYzNFowVjELMAkGA1UEBhMCVVMxCzAJBgNV
    BAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdoMQ8wDQYDVQQKEwZMZW5vdm8xFzAVBgNV
    BAMTDkxlbm92byBVRUZJIERCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
    AQEA1ezmdoBlk5yDVuXw8F774CvllhMz9bT0/TpH3kmRpPAizSRDzbHLUuBMC6SE
    W4zjdLxTqOlwZt6UUcWxlyzKcoDPe43cE6YH1kM/rscvm3AaVL+4GcyGgS9DL6qe
    QFHWER25xCTokMsCdKB42Ty7hWW5FBPepgAS+GDfqQfb/4hoonIlen5X+dqVIsE/
    RM1DIVBUiIbJdgERYeoGjY/Rh4A1VWl6ErzyzokYnf63JjSFR2kVV0apbr4ISOTM
    7qBd1RNHwQrCAryRADX1XGvRZURzwQdEXfOqZOkVjNKr1fD761qvPE8TQWWJ9Q8r
    mciMocIXqoqWKPAkgbMwKmcsFQIDAQABozMwMTAPBgNVHRMBAf8EBTADAQH/MA4G
    A1UdDwEB/wQEAwICBDAOBgNVHQ8Baf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEB
    AJ2U0UjB+sxF/HE5sY56vJbdFITl8o0Yf7XJImL0VtgpYjfeqiE768G2uTUbzCKy
    hDOps3+4w4p8FUSO6StzCz6UuUyxlUjQzpkxZ97Ouq1sGhjy7dZybTEByJD6LpI7
    l1EpJSfBiwxTdm7svJoABKs8Hs7e9f3XX5PK76SxllMbDaxAm7UvCppYBBR1SeyC
    gWt3rGRiO3W6pfd07ioCD03kgGzYNOZeU2S+maE1Xt4kUoYs3HxyrhJGfN26gM8h
    4w5LfCKrlxi+3KMf+vXxEBfGYBvjwcA7KCW92GnUQGVjZbEGs6EaTBx7i9gA2+te
    oWS/500qiwNRp2xqdBxg1d0=
    -----END CERTIFICATE-----


    The GUID in the request body is the certificate's UefiSignatureOwner (the property the DMTF Certificate schema defines for the UEFI signature owner):

    curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Certificates -d \
    '{"CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDbTCCAlWgAwIBAgIUO2MdJt2cTCGr0eO4PiBV5Uk0b/IwDQYJKoZIhvcNAQEL\nBQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdo\nMQ8wDQYDVQQKEwZMZW5vdm8xFzAVBgNVBAMTDkxlbm92byBVRUZJIERCMB4XDTE3\nMDMxNTIxMTYzNFoXDTQxMDMxNTIxMTYzNFowVjELMAkGA1UEBhMCVVMxCzAJBgNV\nBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdoMQ8wDQYDVQQKEwZMZW5vdm8xFzAVBgNV\nBAMTDkxlbm92byBVRUZJIERCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEA1ezmdoBlk5yDVuXw8F774CvllhMz9bT0/TpH3kmRpPAizSRDzbHLUuBMC6SE\nW4zjdLxTqOlwZt6UUcWxlyzKcoDPe43cE6YH1kM/rscvm3AaVL+4GcyGgS9DL6qe\nQFHWER25xCTokMsCdKB42Ty7hWW5FBPepgAS+GDfqQfb/4hoonIlen5X+dqVIsE/\nRM1DIVBUiIbJdgERYeoGjY/Rh4A1VWl6ErzyzokYnf63JjSFR2kVV0apbr4ISOTM\n7qBd1RNHwQrCAryRADX1XGvRZURzwQdEXfOqZOkVjNKr1fD761qvPE8TQWWJ9Q8r\nmciMocIXqoqWKPAkgbMwKmcsFQIDAQABozMwMTAPBgNVHRMBAf8EBTADAQH/MA4G\nA1UdDwEB/wQEAwICBDAOBgNVHQ8Baf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEB\nAJ2U0UjB+sxF/HE5sY56vJbdFITl8o0Yf7XJImL0VtgpYjfeqiE768G2uTUbzCKy\nhDOps3+4w4p8FUSO6StzCz6UuUyxlUjQzpkxZ97Ouq1sGhjy7dZybTEByJD6LpI7\nl1EpJSfBiwxTdm7svJoABKs8Hs7e9f3XX5PK76SxllMbDaxAm7UvCppYBBR1SeyC\ngWt3rGRiO3W6pfd07ioCD03kgGzYNOZeU2S+maE1Xt4kUoYs3HxyrhJGfN26gM8h\n4w5LfCKrlxi+3KMf+vXxEBfGYBvjwcA7KCW92GnUQGVjZbEGs6EaTBx7i9gA2+te\noWS/500qiwNRp2xqdBxg1d0=\n-----END CERTIFICATE-----","CertificateType": "PEM","UefiSignatureOwner": "5491316d-9694-4639-b72d-b8630ffa7dab"}'

    Output example:


    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/0",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "0",
      "TaskState": "Pending",
      "TaskStatus": "OK"
    }

  • To add a signature to the UEFI db:


    The GUID in the request body is the signature's UefiSignatureOwner (the property the DMTF Signature schema defines for the UEFI signature owner):

    curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Signatures -d \
    '{"SignatureString": "80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0A","SignatureTypeRegistry": "UEFI","SignatureType": "EFI_CERT_SHA256_GUID","UefiSignatureOwner": "28d5e212-165b-4ca0-909b-c86b9cee0112"}'

    Output example:


    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/1",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "1",
      "TaskState": "Pending",
      "TaskStatus": "OK"
    }

  • To delete UEFI db certificate #1:


    curl -k -u root:'<password>' -H 'Content-Type: application/json' -X DELETE https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Certificates/1

    Output example:


    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/2",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "2",
      "TaskState": "Pending",
      "TaskStatus": "OK"
    }

  • To delete all UEFI db keys:


    curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/db/Actions/SecureBootDatabase.ResetKeys -d '{"ResetKeysType": "DeleteAllKeys"}'

    Output example:


    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/3",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "3",
      "TaskState": "Pending",
      "TaskStatus": "OK"
    }
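The Note under "To add a certificate to the UEFI db" requires every end-of-line in the PEM file to appear as \n inside the JSON body of the POST. The following Python script is an added example, not NVIDIA's code: it checks that a file holds exactly one PEM CERTIFICATE block whose base64 body decodes to DER, normalizes CRLF or LF line endings, and lets json.dumps produce the escaped CertificateString so the body never has to be edited by hand. The sample PEM, its DER content and the owner GUID are constructed placeholders; the UefiSignatureOwner property name is taken from the DMTF Certificate schema.

```python
"""Build the JSON body for POST .../SecureBootDatabases/db/Certificates.

Added example, not NVIDIA code. The sample certificate below is a constructed
stand-in (a DER SEQUENCE header plus filler bytes), not a real X.509
certificate; use the contents of a real PEM file in practice.
"""
import base64
import binascii
import json
import re

# One PEM CERTIFICATE block: header, base64 body (with any line breaks), footer.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

# Constructed sample: DER SEQUENCE tag 0x30, length 11, then 11 filler bytes.
_SAMPLE_DER = b"\x30\x0b" + b"constructed"
_SAMPLE_B64 = base64.b64encode(_SAMPLE_DER).decode("ascii")
# Written with CRLF line endings on purpose: a PEM exported by Windows tooling
# looks like this and must still yield a clean "\n"-separated body.
SAMPLE_PEM_CRLF = (
    "-----BEGIN CERTIFICATE-----\r\n" + _SAMPLE_B64 + "\r\n-----END CERTIFICATE-----\r\n"
)
# Constructed placeholder GUID for the UefiSignatureOwner property.
SAMPLE_OWNER_GUID = "00000000-0000-4000-8000-000000000000"


def normalize_pem(text: str) -> str:
    """Return the certificate as a single LF-terminated, 64-column PEM block.

    Raises ValueError unless the text holds exactly one CERTIFICATE block whose
    base64 body decodes and starts with the DER SEQUENCE tag (0x30).
    """
    blocks = _PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    body = "".join(blocks[0].split())  # drop CR, LF and any other whitespace
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der.startswith(b"\x30"):
        raise ValueError("decoded body does not start with a DER SEQUENCE tag")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def is_valid_pem(text: str) -> bool:
    """True if normalize_pem() accepts the text, False otherwise."""
    try:
        normalize_pem(text)
        return True
    except ValueError:
        return False


def build_certificate_body(pem_text: str, owner_guid: str) -> str:
    """Serialize the Redfish request body; json.dumps emits the \\n escapes."""
    payload = {
        "CertificateString": normalize_pem(pem_text),
        "CertificateType": "PEM",
        "UefiSignatureOwner": owner_guid,  # property name from the DMTF Certificate schema
    }
    return json.dumps(payload)


if __name__ == "__main__":
    # Paste the printed body after -d in the curl POST shown on this page.
    print(build_certificate_body(SAMPLE_PEM_CRLF, SAMPLE_OWNER_GUID))
```

Reading the PEM from a file and passing the result to curl (or to a Redfish client library) removes the most common cause of a rejected certificate POST: a stray carriage return or a hand-escaped line that breaks the JSON string.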

The following is an example flow for deleting the PK certificate using Redfish commands. Deleting the PK disables UEFI Secure Boot and reverts the system to Setup Mode.

  1. To delete all keys from the PK database:


    curl -k -u root:'<password>' -H 'Content-Type: application/json' -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/PK/Actions/SecureBootDatabase.ResetKeys -d '{"ResetKeysType": "DeleteAllKeys"}'

    Output example:


    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/12",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "12",
      "TaskState": "Pending",
      "TaskStatus": "OK"
    }

    Tip

    Record the returned task ID; in this example, the task ID is 12.

  2. To read the status of task 12:


    curl -k -u root:'<password>' -H 'Content-Type: application/json' -X GET https://<bmc_ip>/redfish/v1/TaskService/Tasks/12

    Output example:


    {
      "@odata.id": "/redfish/v1/TaskService/Tasks/12",
      "@odata.type": "#Task.v1_4_3.Task",
      "Id": "12",
      "Messages": [],
      "Name": "Task 12",
      "Payload": {
        "HttpHeaders": [
          "Host: <IP>",
          "User-Agent: curl/7.81.0",
          "Accept: */*",
          "Content-Length: 34"
        ],
        "HttpOperation": "POST",
        "JsonBody": "{\n \"ResetKeysType\": \"DeleteAllKeys\"\n}",
        "TargetUri": "/redfish/v1/Systems/Bluefield/SecureBoot/SecureBootDatabases/PK/Actions/SecureBootDatabase.ResetKeys"
      },
      "PercentComplete": 0,
      "StartTime": "2023-09-05T16:47:05+00:00",
      "TaskMonitor": "/redfish/v1/TaskService/Tasks/12/Monitor",
      "TaskState": "Pending",
      "TaskStatus": "OK"
    }

    TaskStatus is OK and TaskState is Pending. This indicates that the operation has been successfully enqueued in the Task Service and is waiting for the next BlueField boot.

  3. Issue the following graceful reset command to BlueField:


    curl -k -u root:"<password>" -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/Systems/Bluefield/Actions/ComputerSystem.Reset -d '{"ResetType" : "GracefulRestart"}'

    Output example:


    {
      "@Message.ExtendedInfo": [
        {
          "@odata.type": "#Message.v1_1_1.Message",
          "Message": "The request completed successfully.",
          "MessageArgs": [],
          "MessageId": "Base.1.15.0.Success",
          "MessageSeverity": "OK",
          "Resolution": "None"
        }
      ]
    }

    UEFI reads the pending secure boot tasks and executes them.

  4. After the BlueField reset, the UEFI updates the TaskState and TaskStatus fields of the task. Poll the task and check their values:

    Success: "TaskState": "Completed", "TaskStatus": "OK"

    Failure: "TaskState": "Exception", "TaskStatus": "OK"
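The flow above enqueues a task, resets BlueField, and then polls TaskState and TaskStatus until the UEFI has reported a result. The following Python script is an added example, not NVIDIA's code, that automates that loop: it checks that the POST reply really was a Pending/OK task, polls the task URI until it leaves the pending states, and maps the final state to success or failure as the page defines them. The BMC address, credentials and the replayed task documents are constructed placeholders, and make_bmc_fetch() is an assumed client (HTTP basic auth over TLS via urllib) rather than anything from the BlueField BMC software.

```python
"""Track a Secure Boot database task from enqueue to its post-reboot outcome.

Added example, not NVIDIA code. The task documents replayed below are
constructed to mirror the page's flow; make_bmc_fetch() is an assumption about
how a client would GET a task URI from the BMC with HTTP basic auth.
"""
import base64
import json
import ssl
import time
import urllib.request
from typing import Callable, Iterable

# States in which the task has not yet run; the page shows "Pending" until the
# next BlueField boot, then "Completed"/"OK" on success or "Exception"/"OK" on failure.
_IN_PROGRESS = {"New", "Pending", "Starting", "Running"}


def classify_task(task: dict) -> str:
    """Map TaskState/TaskStatus to 'pending', 'success', 'failure' or 'unknown'."""
    state, status = task.get("TaskState"), task.get("TaskStatus")
    if state == "Completed" and status == "OK":
        return "success"
    if state == "Exception":
        return "failure"
    if state in _IN_PROGRESS:
        return "pending"
    return "unknown"


def enqueued_task_uri(post_response: dict) -> str:
    """Return the task URI from a ResetKeys/Certificates/Signatures POST reply.

    Raises RuntimeError if the BMC did not answer with a Pending/OK task, i.e.
    the request was not accepted into the Task Service.
    """
    if classify_task(post_response) != "pending":
        raise RuntimeError(f"operation was not enqueued: {post_response}")
    return post_response["@odata.id"]


def wait_for_task(fetch: Callable[[str], dict], task_uri: str, max_polls: int,
                  interval: float = 5.0,
                  sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll task_uri until it leaves the pending states; 'timeout' if it never does."""
    for _ in range(max_polls):
        outcome = classify_task(fetch(task_uri))
        if outcome != "pending":
            return outcome
        sleep(interval)
    return "timeout"


def make_bmc_fetch(bmc_ip: str, user: str, password: str,
                   ssl_context: ssl.SSLContext) -> Callable[[str], dict]:
    """Build a GET helper for a real BMC (assumed client; not exercised offline).

    Pass ssl.create_default_context(cafile=...) with the BMC's CA so the server
    certificate is verified instead of skipped as curl -k does.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

    def fetch(uri: str) -> dict:
        req = urllib.request.Request(
            f"https://{bmc_ip}{uri}",
            headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, context=ssl_context, timeout=30) as resp:
            return json.load(resp)

    return fetch


def make_fake_fetch(responses: Iterable[dict]) -> Callable[[str], dict]:
    """Offline stand-in for make_bmc_fetch(): replays constructed task documents."""
    it = iter(responses)
    return lambda uri: next(it)


# Constructed replay of the page's flow: the POST reply, two polls while the
# task waits for the reboot, then the post-reboot result.
SAMPLE_POST_REPLY = {"@odata.id": "/redfish/v1/TaskService/Tasks/12", "Id": "12",
                     "TaskState": "Pending", "TaskStatus": "OK"}
SAMPLE_POLLS = [
    {"TaskState": "Pending", "TaskStatus": "OK"},
    {"TaskState": "Pending", "TaskStatus": "OK"},
    {"TaskState": "Completed", "TaskStatus": "OK"},
]


def run_sample_flow() -> str:
    """Drive the flow end to end against the constructed replay."""
    uri = enqueued_task_uri(SAMPLE_POST_REPLY)
    return wait_for_task(make_fake_fetch(SAMPLE_POLLS), uri, max_polls=5,
                         sleep=lambda _s: None)


if __name__ == "__main__":
    print(run_sample_flow())  # success
```

In a live run, replace make_fake_fetch() with make_bmc_fetch(), issue the ComputerSystem.Reset POST between enqueuing and polling, and treat 'timeout' and 'unknown' as needing a manual look at the task's Messages array rather than as success.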

© Copyright 2025, NVIDIA. Last updated on May 5, 2025.