NIC Subsystem Management

Note

This content is relevant for NVIDIA® BlueField®-3 devices only.

Redfish NIC Subsystem Management

Configuring BlueField Mode of Operation

Refer to "BlueField Modes of Operation Configuration" for information.

Getting Host RShim

Copy
Copied!

            
            curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia

Enabling Host RShim

Copy
Copied!

            
            curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST -d '{"HostRshim":"Enabled"}' https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Actions/HostRshim.Set

Disabling Host RShim

Copy
Copied!

            
            curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST -d '{"HostRshim":"Disabled"}' https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Actions/HostRshim.Set

Getting Strap Options

Copy
Copied!

            
            curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Connectx/StrapOptions

Host Privileges Configuration

This resource manages the security privileges assigned to the host interface. It allows administrators to restrict the host's ability to modify device configurations or access sensitive parameters.

Copy
Copied!

            
            https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig

Privilege Modes (Presets)

The PrivilegeMode attribute acts as a master switch, applying a predefined set of permissions.

Mode	Description
Privileged (default)	Grants full access. The host can modify firmware, flash, and global parameters.
Restricted	Locks down the host. Prevents modification of firmware, flash, and global parameters. RSHIM and Tracer access are disabled.

Configuration Breakdown by Mode

The following table shows exactly which permissions are enabled or disabled for each mode:

Setting	Privileged Mode	Restricted Mode
`HostPrivilegeLevel`	`Privileged`	`Restricted`
`FirmwareUpdate`	`Enabled`	`Disabled`
`FlashAccess`	`Enabled`	`Disabled`
`GlobalParametersAccess`	`Enabled`	`Disabled`
`HostParametersAccess`	`Enabled`	`Disabled`
`InternalCPUAccess`	`Enabled`	`Disabled`
`NicReset`	`Enabled`	`Disabled`
`PccUpdate`	`Enabled`	`Disabled`
`PortAccess`	`Enabled`	`Disabled`
`ManagementInterfaceEnabled`	`true`	`false`
`PortOwnerEnabled`	`true`	`false`
`ReadCountersEnabled`	`true`	`false`
`TracerEnabled`	`true`	`false`

Privilege Settings Definitions

This table defines the specific behavior controlled by each permission setting.

Setting	Description	Options	Default
`FlashAccess`	Permission to perform any device flash access.	`Default`, `Enable`, `Disable`	`Default`
`PccUpdate`	Permission to update the Programmable Congestion Control (PCC) algorithm.	`Default`, `Enable`, `Disable`	`Default`
`FirmwareUpdate`	Permission to perform firmware updates.	`Default`, `Enable`, `Disable`	`Default`
`NicReset`	Permission to perform a NIC Reset.	`Default`, `Enable`, `Disable`	`Default`
`GlobalParametersAccess`	Permission to access global non-volatile (NV) parameters.	`Default`, `Enable`, `Disable`	`Default`
`HostParametersAccess`	Permission to access host NV parameters.	`Default`, `Enable`, `Disable`	`Default`
`PortAccess`	Permission to access port NV parameters.	`Default`, `Enable`, `Disable`	`Default`
`InternalCPUAccess`	Permission to access Internal CPU NV parameters.	`Default`, `Enable`, `Disable`	`Default`
`ManagementInterfaceEnabled`	Controls RSHIM function. If `false`, the host cannot access embedded CPU registers.	`true`, `false`	—
`PortOwnerEnabled`	Controls Port Ownership. If `false`, the host cannot become the Port Owner.	`true`, `false`	—
`ReadCountersEnabled`	Controls physical counter access. If `false`, the host cannot read physical port counters.	`true`, `false`	—
`TracerEnabled`	Controls Tracer ownership. If `false`, the host cannot own the Tracer.	`true`, `false`	—

Example Usage

The following example demonstrates a GET request to retrieve the current privilege settings.

Request:

Copy
Copied!

            
            curl -u 'root':'<password>' -X GET https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig

Response:

Copy
Copied!

            
            {
  "@Redfish.Settings": {
    "@odata.type": "#Settings.v1_3_5.Settings",
    "SettingsObject": {
      "@odata.id": "/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings"
    }
  },
  "@odata.id": "/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig",
  "@odata.type": "#NvidiaHostPrivilegeConfig.v1_0_0.NvidiaHostPrivilegeConfig",
  "Id": "HostPrivilegeConfig",
  "Name": "Host Privilege Configuration",
  "PrivilegeMode": "Privileged",
  "PrivilegeSettings": {
    "FirmwareUpdate": "Enabled",
    "FlashAccess": "Enabled",
    "GlobalParametersAccess": "Enabled",
    "HostParametersAccess": "Enabled",
    "HostPrivilegeLevel": "Privileged",
    "InternalCPUAccess": "Enabled",
    "ManagementInterfaceEnabled": true,
    "NicReset": "Enabled",
    "PccUpdate": "Enabled",
    "PortAccess": "Enabled",
    "PortOwnerEnabled": true,
    "ReadCountersEnabled": true,
    "TracerEnabled": true
  }
}

Setting Host Privilege Configuration

To modify host privileges, send a PATCH request to the Settings URI.

Copy
Copied!

            
            PATCH https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings

Note

The /Settings path displays pending values. These changes do not take effect immediately.

Configuration Examples

View Pending Settings

Before making changes, you can verify the current pending configuration.

Request

Copy
Copied!

            
            curl -u 'root':'<password>' -X GET https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings

Response

Copy
Copied!

            
            {
  "@odata.id": "/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings",
  "@odata.type": "#NvidiaHostPrivilegeConfig.v1_0_0.NvidiaHostPrivilegeConfig",
  "Id": "Settings",
  "Name": "Host Privilege Configuration Settings",
  "PrivilegeMode": "Privileged",
  "PrivilegeSettings": {
    "FirmwareUpdate": "Enabled",
    "FlashAccess": "Enabled",
    "GlobalParametersAccess": "Enabled",
    "HostParametersAccess": "Enabled",
    "HostPrivilegeLevel": "Privileged",
    "InternalCPUAccess": "Enabled",
    "ManagementInterfaceEnabled": true,
    "NicReset": "Enabled",
    "PccUpdate": "Enabled",
    "PortAccess": "Enabled",
    "PortOwnerEnabled": true,
    "ReadCountersEnabled": true,
    "TracerEnabled": true
  }
}

Set Privilege Mode

To apply a high-level preset (Privileged or Restricted):

Copy
Copied!

            
            curl -u 'root':'<password>' -X PATCH -H "Content-Type: application/json" \
https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings \
-d '{"PrivilegeMode":"Privileged"}'

Set Specific Properties

To apply granular permissions. Note that these are nested within the PrivilegeSettings object:

Copy
Copied!

            
            curl -u 'root':'<password>' -X PATCH -H "Content-Type: application/json" \
https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings \
-d '{
    "PrivilegeSettings": {
        "NicReset": "Default",
        "PccUpdate": "Default",
        "PortAccess": "Default",
        "FirmwareUpdate": "Default",
        "FlashAccess": "Disabled",
        "GlobalParametersAccess": "Disabled",
        "HostParametersAccess": "Disabled",
        "InternalCPUAccess": "Disabled",
        "HostPrivilegeLevel": "Privileged"
    }
}'

Logic and Constraints

Note

Every change requires a System Power Cycle to take effect.

Parameter Precedence

If a conflict arises between granular access controls and global/functional flags, the granular access controls take precedence.

Category	Parameters	Precedence
Granular Access Controls	`HostParametersAccess`, `PortAccess`, `GlobalParametersAccess`, `InternalCPUAccess`, `PccUpdate`, `FirmwareUpdate`, `FlashAccess`, `NicReset`	High (wins conflicts)
Global and Functional Flags	`HostPrivilegeLevel`, `ManagementInterfaceEnabled`, `PortOwnerEnabled`, `ReadCountersEnabled`, `TracerEnabled`	Low

Transitioning to Restricted Mode

If any of the following properties are currently set to Enabled, you cannot change HostPrivilegeLevel to Restricted immediately:

GlobalParametersAccess
PortAccess
InternalCPUAccess
NicReset
FirmwareUpdate
FlashAccess

You must first (or simultaneously) set the conflicting property to Default before the system accepts the Restricted level.

IPMItool NIC Subsystem Management

Since the standard IPMItool commands do not cover all functionality, a set of custom NVIDIA IPMItool raw commands is available to enable configuring the NIC subsystem on the BlueField directly.

IPMItool raw commands follow the following format:

Copy
Copied!

            
            ipmitool -C 17 -I lanplus -H <bmc_ip_addr> -U <username> -P <password> raw <netfunc> <cmd> <data>

Where:

netfunc – network function which identifies the functional message class, and clusters IPMI commands into sets
cmd – one byte command within a network function
data – optional element which provides additional parameters for a request or response message

The following table lists the supported IPMItool raw commands:

netfunc

cmd

data

Description

Note

0x32

0x9C

N/A

Get SmartNIC mode. Prints current configuration: INTERNAL_CPU_OFFLOAD_ENGINE.

00 – Disabled
01 – Enabled

0x32

0x9D

Byte0

Set SmartNIC mode (INTERNAL_CPU_OFFLOAD_ENGINE) to Byte0.

Supported values:

00 – Disabled
01 – Enabled

0x32

0x9E

N/A

Get host access. Prints current HOST_PRIV_RSHIM.

00 – Disabled
01 – Enabled

0x32

0x9F

Byte0

Set host access. Sets HOST_PRIV_RSHIM to Byte0.

Supported values:

00 – Disabled
01 – Enabled

0x32

0xA2

N/A

Query strap options. Prints current state for all fields:

Byte	Field
0	`VERSION`
1	`DISABLE_INBAND_RECOVER_VALUE`
2	`PRIMARY_IS_PCORE_1_VALUE`
3	`2PCORE_ACTIVE_VALUE`
4	`SOCKET_DIRECT_VALUE`
5	`PCI_REVERSAL_VALUE`
6	`PCI_PARTITION_1_VALUE`
7	`PCI_PARTITION_0_VALUE`
8	`OSC_FREQ_1_VALUE`
9	`OSC_FREQ_0_VALUE`
10	`CORE_BYPASS_N_VALUE`
11	`FNP_VALUE`
12	`DISABLE_INBAND_RECOVER_VALUE`
13	`PRIMARY_IS_PCORE_1_MASK`
14	`2PCORE_ACTIVE_MASK`
15	`SOCKET_DIRECT_MASK`
16	`PCI_REVERSAL_MASK`
17	`PCI_PARTITION_1_MASK`
18	`PCI_PARTITION_0_MASK`
19	`OSC_FREQ_1_MASK`
20	`OSC_FREQ_0_MASK`
21	`CORE_BYPASS_N_MASK`
22	`FNP_MASK`

Each state is represented by binary byte in order.

Supported values:

00 – Disabled
01 – Enabled

0x32

0xA3

N/A

Get SmartNIC OS State.

00 – BootRom
01 – BL2
02 – BL31
03 – UEFI
04 – OsStarting
05 – OsIsRunning
06 – LowPowerStandby
07 – FirmwareUpdateInProgress
08 – OsCrashDumpInProgress
09 – OsCrashDumpIsComplete
0A – FWFaultCrashDumpInProgress
0B – FWFaultCrashDumpIsComplete
0C – Invalid

Setting Operation Mode

netfunc	cmd	data	Description
`0x32`	`0x9D`	`0x1`	Set DPU mode
`0x32`	`0x9D`	`0x0`	Set NIC mode

Enabling/Disabling RShim from Host

netfunc	cmd	data	Description
`0x32`	`0x9F`	`0x1`	Enable RShim from host
`0x32`	`0x9F`	`0x0`	Disable RShim from host

On This Page