NVIDIA BlueField BMC Software v25.04
NVIDIA Docs Hub Homepage  NVIDIA Networking  BlueField DPUs / SuperNICs & DOCA  NVIDIA BlueField BMC Software v25.04  Changes and New Features

Changes and New Features

Info

For an archive of changes and features from previous releases, please refer to "Change Log History".

Changes and New Features

  • Extended Arm-UEFI support to ensure seamless operation until BlueField BMC initialization completes

  • Added RTC battery voltage monitoring to the SDR list for enhanced system diagnostics

  • Implemented Redfish mutual authentication support for BlueField-3 platforms

  • Updated BMC FRU content to enhance backward compatibility

  • Added BMC Redfish support for remote attestation over Redfish specifically for SPDM:

    • BlueField NIC

    • CEC1736 (BMC ERoT)

  • Security Hardening: Implemented several Linux kernel configuration changes to improve system security and activated kernel module signature. The following table summarizes key modifications:

    Parameter

    Old Value

    New Value

    Reason

    CONFIG_KEXEC

    yes

    Not set

    Enables replacement of running kernel using kexec command.

    CONFIG_SLAB_MERGE_DEFAULT

    yes

    Not set

    Prevents merging similar-sized slab caches, mitigating cross-slab heap attacks

    CONFIG_SHUFFLE_PAGE_ALLOCATOR

    Not set

    yes

    Enables randomization of the high-order page allocation freelist

    CONFIG_SECURITY_DMESG_RESTRICT

    Not set

    yes

    Prevents kernel memory address leakage through dmesg

    CONFIG_DEBUG_FS

    yes

    Not set

    Disables debugfs, reducing the kernel’s attack surface

    CONFIG_BPF_SYSCALL

    yes

    Not set

    Disables the bpf() syscall, restricting manipulation of BPF programs and maps

    CONFIG_USER_NS

    yes

    Not set

    Disables user namespaces to prevent privilege escalation via namespace exploits

    CONFIG_BUG_ON_DATA_CORRUPTION

    Not set

    yes

    Enables kernel validation checks for detecting data corruption

    CONFIG_STATIC_USERMODEHELPER

    Not set

    yes

    Forces all usermode helper calls to a single, fixed executable to prevent manipulation

    CONFIG_DEFAULT_MMAP_MIN_ADDR

    4096

    32768

    Increases the minimum mmap address to mitigate kernel NULL pointer dereference exploits

    CONFIG_DEBUG_KMEMLEAK

    yes

    Not set

    Disabled due to its dependency on CONFIG_DEBUG_FS, which is also now disabled

    This parameter changed only in BlueField-2 (already not set in BlueField-3).

    CONFIG_MODULE_SIG

    Not set

    yes

    Kernel module signature

    CONFIG_MODULE_SIG_ALL

    Not set

    yes

    CONFIG_MODULE_SIG_FORCE

    Not set

    yes

    CONFIG_MODULE_SIG_SHA512

    Not set

    yes

    Info

    Changes to the kernel configuration parameters were made in accordance with recommended security hardening practices from the Linux Kernel Self-Protection Project (KSPP), grsecurity and CLIP OS.
© Copyright 2025, NVIDIA. Last updated on May 5, 2025.
content here