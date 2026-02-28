
NIC Subsystem Management
This content is relevant for NVIDIA® BlueField®-3 devices only.
Configuring BlueField Mode of Operation
Refer to "BlueField Modes of Operation Configuration" for information.
Getting Host RShim
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia
Enabling Host RShim
curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST -d '{"HostRshim":"Enabled"}' https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Actions/HostRshim.Set
Disabling Host RShim
curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST -d '{"HostRshim":"Disabled"}' https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Actions/HostRshim.Set
Getting Strap Options
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Systems/Bluefield/Oem/Nvidia/Connectx/StrapOptions
Host Privileges Configuration
This resource manages the security privileges assigned to the host interface. It allows administrators to restrict the host's ability to modify device configurations or access sensitive parameters.
https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig
Privilege Modes (Presets)
The PrivilegeMode attribute acts as a master switch, applying a predefined set of permissions.

| Mode | Description |
| --- | --- |
| Privileged (default) | Grants full access. The host can modify firmware, flash, and global parameters. |
| Restricted | Locks down the host. Prevents modification of firmware, flash, and global parameters. RSHIM and Tracer access are disabled. |
Configuration Breakdown by Mode
The following table shows exactly which permissions are enabled or disabled for each mode:
Setting
Privileged Mode
Restricted Mode
Privilege Settings Definitions
This table defines the specific behavior controlled by each permission setting.
Setting
Description
Options
Default
Permission to perform any device flash access.
Permission to update the Programmable Congestion Control (PCC) algorithm.
Permission to perform firmware updates.
Permission to perform a NIC Reset.
Permission to access global non-volatile (NV) parameters.
Permission to access host NV parameters.
Permission to access port NV parameters.
Permission to access Internal CPU NV parameters.
Controls RSHIM function. If
—
Controls Port Ownership. If
—
Controls physical counter access. If
—
Controls Tracer ownership. If
—
Example Usage
The following example demonstrates a GET request to retrieve the current privilege settings.
Request:
curl -u 'root':'<password>' -X GET https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig
Response:
{
  "@Redfish.Settings": {
    "@odata.type": "#Settings.v1_3_5.Settings",
    "SettingsObject": {
      "@odata.id": "/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings"
    }
  },
  "@odata.id": "/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig",
  "@odata.type": "#NvidiaHostPrivilegeConfig.v1_0_0.NvidiaHostPrivilegeConfig",
  "Id": "HostPrivilegeConfig",
  "Name": "Host Privilege Configuration",
  "PrivilegeMode": "Privileged",
  "PrivilegeSettings": {
    "FirmwareUpdate": "Enabled",
    "FlashAccess": "Enabled",
    "GlobalParametersAccess": "Enabled",
    "HostParametersAccess": "Enabled",
    "HostPrivilegeLevel": "Privileged",
    "InternalCPUAccess": "Enabled",
    "ManagementInterfaceEnabled": true,
    "NicReset": "Enabled",
    "PccUpdate": "Enabled",
    "PortAccess": "Enabled",
    "PortOwnerEnabled": true,
    "ReadCountersEnabled": true,
    "TracerEnabled": true
  }
}
To modify host privileges, send a PATCH request to the Settings URI.
PATCH https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings
The /Settings path displays pending values. These changes do not take effect immediately.
Configuration Examples
View Pending Settings
Before making changes, you can verify the current pending configuration.
Request
curl -u 'root':'<password>' -X GET https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings
Response
{
  "@odata.id": "/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings",
  "@odata.type": "#NvidiaHostPrivilegeConfig.v1_0_0.NvidiaHostPrivilegeConfig",
  "Id": "Settings",
  "Name": "Host Privilege Configuration Settings",
  "PrivilegeMode": "Privileged",
  "PrivilegeSettings": {
    "FirmwareUpdate": "Enabled",
    "FlashAccess": "Enabled",
    "GlobalParametersAccess": "Enabled",
    "HostParametersAccess": "Enabled",
    "HostPrivilegeLevel": "Privileged",
    "InternalCPUAccess": "Enabled",
    "ManagementInterfaceEnabled": true,
    "NicReset": "Enabled",
    "PccUpdate": "Enabled",
    "PortAccess": "Enabled",
    "PortOwnerEnabled": true,
    "ReadCountersEnabled": true,
    "TracerEnabled": true
  }
}
Set Privilege Mode
To apply a high-level preset (Privileged or Restricted):
curl -u 'root':'<password>' -X PATCH -H "Content-Type: application/json" \
https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings \
-d '{"PrivilegeMode":"Privileged"}'
Set Specific Properties
To apply granular permissions, set the individual properties. Note that these are nested within the PrivilegeSettings object:
curl -u 'root':'<password>' -X PATCH -H "Content-Type: application/json" \
https://<bmc_ip>/redfish/v1/Chassis/Card1/NetworkAdapters/NvidiaNetworkAdapter/Oem/Nvidia/HostPrivilegeConfig/Settings \
-d '{
"PrivilegeSettings": {
"NicReset": "Default",
"PccUpdate": "Default",
"PortAccess": "Default",
"FirmwareUpdate": "Default",
"FlashAccess": "Disabled",
"GlobalParametersAccess": "Disabled",
"HostParametersAccess": "Disabled",
"InternalCPUAccess": "Disabled",
"HostPrivilegeLevel": "Privileged"
}
}'
Logic and Constraints
Every change requires a System Power Cycle to take effect.
Parameter Precedence
If a conflict arises between granular access controls and global/functional flags, the granular access controls take precedence.
| Category | Parameters | Precedence |
| --- | --- | --- |
| Granular Access Controls | | High (wins conflicts) |
| Global and Functional Flags | | Low |
Transitioning to Restricted Mode
If any of the following properties are currently set to Enabled, you cannot change HostPrivilegeLevel to Restricted immediately:
- GlobalParametersAccess
- PortAccess
- InternalCPUAccess
- NicReset
- FirmwareUpdate
- FlashAccess
You must first (or simultaneously) set the conflicting property to Default before the system accepts the Restricted level.
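An added example (not from the NVIDIA documentation): a Python helper that builds a single PATCH body satisfying the constraint above, and lists which values are still pending until the power cycle. The function names and the simulated pending state are assumptions; the property names and values come from the responses shown on this page.

```python
import copy

# Properties the page lists as blocking HostPrivilegeLevel=Restricted while "Enabled".
BLOCKING = ("GlobalParametersAccess", "PortAccess", "InternalCPUAccess",
            "NicReset", "FirmwareUpdate", "FlashAccess")

def restricted_patch(resource):
    """Build one PATCH body for the /Settings URI that sets every blocking
    property to "Default" in the same request as the level change."""
    current = resource.get("PrivilegeSettings", {})
    body = {name: "Default" for name in BLOCKING if current.get(name) == "Enabled"}
    body["HostPrivilegeLevel"] = "Restricted"
    return {"PrivilegeSettings": body}

def awaiting_power_cycle(active, pending):
    """Return {property: (active, pending)} for every value that differs
    between the active resource and its pending /Settings resource."""
    diff = {}
    if active.get("PrivilegeMode") != pending.get("PrivilegeMode"):
        diff["PrivilegeMode"] = (active.get("PrivilegeMode"), pending.get("PrivilegeMode"))
    a = active.get("PrivilegeSettings", {})
    p = pending.get("PrivilegeSettings", {})
    for name in sorted(set(a) | set(p)):
        if a.get(name) != p.get(name):
            diff[name] = (a.get(name), p.get(name))
    return diff

# Constructed sample: the PrivilegeMode and PrivilegeSettings fields of the
# GET response shown earlier on this page.
ACTIVE = {
    "PrivilegeMode": "Privileged",
    "PrivilegeSettings": {
        "FirmwareUpdate": "Enabled", "FlashAccess": "Enabled",
        "GlobalParametersAccess": "Enabled", "HostParametersAccess": "Enabled",
        "HostPrivilegeLevel": "Privileged", "InternalCPUAccess": "Enabled",
        "ManagementInterfaceEnabled": True, "NicReset": "Enabled",
        "PccUpdate": "Enabled", "PortAccess": "Enabled",
        "PortOwnerEnabled": True, "ReadCountersEnabled": True, "TracerEnabled": True,
    },
}

if __name__ == "__main__":
    patch = restricted_patch(ACTIVE)
    # Constructed pending state: assumes the BMC accepted the PATCH as sent.
    pending = copy.deepcopy(ACTIVE)
    pending["PrivilegeSettings"].update(patch["PrivilegeSettings"])
    print(patch)
    for name, (now, later) in awaiting_power_cycle(ACTIVE, pending).items():
        print(f"{name}: {now} -> {later} (pending until power cycle)")
```

Comparing the active resource with /Settings after a change is a quick audit for hosts that were reconfigured but never power cycled, and so are still running with the old privileges.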
IPMItool NIC Subsystem Management
Since the standard IPMItool commands do not cover all functionality, a set of custom NVIDIA IPMItool raw commands is available to enable configuring the NIC subsystem on the BlueField directly.
IPMItool raw commands use the following format:
ipmitool -C 17 -I lanplus -H <bmc_ip_addr> -U <username> -P <password> raw <netfunc> <cmd> <data>
Where:
- netfunc – network function which identifies the functional message class, and clusters IPMI commands into sets
- cmd – one byte command within a network function
- data – optional element which provides additional parameters for a request or response message
The following table lists the supported IPMItool raw commands:
netfunc
cmd
data
Description
Note
N/A
Get SmartNIC mode. Prints current configuration:
Byte0
Set SmartNIC mode (
Supported values:
N/A
Get host access. Prints current
Byte0
Set host access. Sets
Supported values:
N/A
Query strap options. Prints current state for all fields:
Each state is represented by binary byte in order.
Supported values:
N/A
Get SmartNIC OS State.
Setting Operation Mode
netfunc
cmd
data
Description
Set DPU mode
Set NIC mode
Enabling/Disabling RShim from Host
netfunc
cmd
data
Description
Enable RShim from host
Disable RShim from host