NVIDIA Docs Hub NVIDIA Networking BlueField DPUs / SuperNICs & DOCA NVIDIA BlueField BMC Software v25.04 Changes and New Features

Changes and New Features

Info

For an archive of changes and features from previous releases, please refer to "Change Log History".

Changes and New Features

Extended Arm-UEFI support to ensure seamless operation until BlueField BMC initialization completes
Added RTC battery voltage monitoring to the SDR list for enhanced system diagnostics
Implemented Redfish mutual authentication support for BlueField-3 platforms
Updated BMC FRU content to enhance backward compatibility
Added BMC Redfish support for remote attestation over Redfish specifically for SPDM:
- BlueField NIC
- CEC1736 (BMC ERoT)

Security Hardening: Implemented several Linux kernel configuration changes to improve system security and activated kernel module signature. The following table summarizes key modifications:

Parameter	Old Value	New Value	Reason
`CONFIG_KEXEC`	`yes`	Not set	Enables replacement of running kernel using `kexec` command.
`CONFIG_SLAB_MERGE_DEFAULT`	`yes`	Not set	Prevents merging similar-sized slab caches, mitigating cross-slab heap attacks
`CONFIG_SHUFFLE_PAGE_ALLOCATOR`	Not set	`yes`	Enables randomization of the high-order page allocation freelist
`CONFIG_SECURITY_DMESG_RESTRICT`	Not set	`yes`	Prevents kernel memory address leakage through `dmesg`
`CONFIG_DEBUG_FS`	`yes`	Not set	Disables `debugfs`, reducing the kernel’s attack surface
`CONFIG_BPF_SYSCALL`	`yes`	Not set	Disables the `bpf()` syscall, restricting manipulation of BPF programs and maps
`CONFIG_USER_NS`	`yes`	Not set	Disables user namespaces to prevent privilege escalation via namespace exploits
`CONFIG_BUG_ON_DATA_CORRUPTION`	Not set	`yes`	Enables kernel validation checks for detecting data corruption
`CONFIG_STATIC_USERMODEHELPER`	Not set	`yes`	Forces all usermode helper calls to a single, fixed executable to prevent manipulation
`CONFIG_DEFAULT_MMAP_MIN_ADDR`	`4096`	`32768`	Increases the minimum mmap address to mitigate kernel NULL pointer dereference exploits
`CONFIG_DEBUG_KMEMLEAK`	`yes`	Not set	Disabled due to its dependency on `CONFIG_DEBUG_FS`, which is also now disabled This parameter changed only in BlueField-2 (already not set in BlueField-3).
`CONFIG_MODULE_SIG`	Not set	`yes`	Kernel module signature
`CONFIG_MODULE_SIG_ALL`	Not set	`yes`
`CONFIG_MODULE_SIG_FORCE`	Not set	`yes`
`CONFIG_MODULE_SIG_SHA512`	Not set	`yes`

Info

Changes to the kernel configuration parameters were made in accordance with recommended security hardening practices from the Linux Kernel Self-Protection Project (KSPP), grsecurity and CLIP OS.