BMC Management

NVIDIA BMC is based on the OpenBMC open-software framework which builds a complete Linux image for a board management controller (BMC). It uses the Yocto project as the underlying building and distro generation framework.

The primary software components of BMC are the following:

  • U-boot bootloader

  • Linux kernel

  • OpenBMC distro

There is a software version for each of the BMC software components. You may retrieve this information by running the following for each component:

  • U-boot version – version command from the u-boot prompt

  • Linux version – uname -a command from the Linux prompt

  • OpenBMC version – cat /etc/os-release from the Linux prompt

  1. BMC starts booting through u-boot bootloader once the power supply is powered on.

  2. By default, the BMC automatically boots into Linux. To stop at the u-boot prompt, users must type the password 0penBmc (note the use of the digit zero in 0pen) within 5 seconds. To boot Linux from the u-boot prompt, type boot.

  3. The default password for the root user, to be typed in once Linux is booted, is 0penBmc.

    Important

    The default global password is set to expire upon first login. A new password must be configured according to the following policy:

    • Minimum length: 13

    • Minimum upper case characters: 1

    • Minimum lower case characters: 1

    • Minimum digits: 1

    Note that the root account locks after four consecutive failed attempts and automatically unlocks after 10 minutes.

The BlueField platform BMC uses Flattened Image Tree (FIT) format for its Linux kernel.

The output from u-boot's imls command shows the configurations within the FIT image. By default, u-boot has bootcmd_string=bootm 0x20070000 configured and there is no configuration ID used to boot configuration 1 or 2 of the FIT image. So, by default, the BlueField platform BMC boots using BlueField 1U Reference Platform DTB file.

To boot the BMC using the BlueField 2U Reference Platform DTB, do one of two things from the u-boot command line:

  • For a one-time boot of the platform, run:

    Copy
    Copied!
                

    bootm 0x20070000#conf@aspeed-bmc-mlx-bluewhale2u.dtb

  • For persistent boot of the 2U reference platform, modify the environmental variable bootcmd_string:

    Copy
    Copied!
                

    setenv bootcmd_string bootm 0x20070000#conf@aspeed-bmc-mlx-bluewhale2u.dtb saveenv boot

The supported user management commands are listed in the following table.

No.

Function

Command

1

List the users

Copy
Copied!
            

ipmitool user list [<channel number>]

For example:

Copy
Copied!
            

ipmitool user list 1

2

User creation

Copy
Copied!
            

ipmitool user set name <user id> <user name>

For example:

Copy
Copied!
            

ipmitool user set name 2 ADMIN

3

Set user password

Copy
Copied!
            

ipmitool user set password <user id> <password>

For example:

Copy
Copied!
            

ipmitool user set password 2 ADMIN123

Password policy:

  • Minimum length: 13

  • Minimum upper case characters: 1

  • Minimum lower case characters: 1

  • Minimum digits: 1

4

Enable user

Copy
Copied!
            

ipmitool user enable <user id>

For example:

Copy
Copied!
            

ipmitool user enable 2

5

Disable user

Copy
Copied!
            

ipmitool user disable <user id>

For example:

Copy
Copied!
            

ipmitool user disable 2

6

Set user privilege

Copy
Copied!
            

ipmitool user priv <user id> <privilege level(1-4)> [<channel number>]

Where "privilege level":

  • 1 – callback level

  • 2 – user level

  • 3 – operator level

  • 4 – administrator level

For example:

Copy
Copied!
            

ipmitool user priv 2 0x3 1

7

Enable remote IPMI command functionality for user

Copy
Copied!
            

ipmitool channel setaccess [<channel number>] <user id> ipmi = on| off

For example:

Copy
Copied!
            

ipmitool channel setaccess 1 2 ipmi=on

8

Lanplus commands to execute IPMI commands remotely for users with admin permissions

Copy
Copied!
            

ipmitool -C 17 -I lanplus -U <user> -P <password> -H <bmc_ip_address> <ipmi command>

For example:

Copy
Copied!
            

ipmitool -C 17 -I lanplus -U ADMIN -P ADMIN123 -H 10.10.10.10 user list 1

9

Lanplus commands to execute IPMI commands remotely for users with other than administrator roles

Copy
Copied!
            

ipmitool -C 17 -I lanplus -U <user> -P <password> -H <bmc_ip_address> -L <privilege (operator|user)> <ipmi command>

For example:

Copy
Copied!
            

ipmitool -C 17 -I lanplus -U operator1 -P operator123 -H 10.10.10.10 -L operator user list 1 ipmitool -C 17 -I lanplus -U user1 -P user123 -H 10.10.10.10 -L user chassis status

10

Delete user

Copy
Copied!
            

ipmitool user set name <user id> ""

For example:

Copy
Copied!
            

ipmitool user set name 2 ""

Warning

The BMC MAC address is derived from the DPU's base MAC with +2 offset. For example:

Base MAC

B8:CE:F6:F7:FF:8C

BMC MAC

B8:CE:F6:F7:FF:8E

BMC management network interface can be configured using IPMI. By default, BMC comes up with the DHCP network configuration.

Network configuration functions:

  • Setting DHCP/Static network mode configuration

  • Adding/setting IPv4/IPv6 configuration including IP address, gateway, netmask

  • Adding DNS servers

  • Adding NTP server

  • Setting BMC time with NTP server or system RTC

The following table lists the available network IPMI commands:

No.

Function

Command

Description

1

Change mode to Static

Copy
Copied!
            

ipmitool lan set 1 ipsrc <mode>

For example:

Copy
Copied!
            

ipmitool lan set 1 ipsrc static

Sets LAN channel 1 IP config mode to static which corresponds to network interface "eth0"

2

Change mode to DHCP

Copy
Copied!
            

ipmitool lan set 1 ipsrc <mode>

For example:

Copy
Copied!
            

ipmitool lan set 1 ipsrc dhcp

Sets LAN channel 1 IP config mode to DHCP which corresponds to the network interface "eth0"

3

Add IPv4 address

Copy
Copied!
            

ipmitool lan set 1 ipaddr <IP Address>

Copy
Copied!
            

ipmitool lan set 1 defgw ipaddr <IP Address>

Copy
Copied!
            

ipmitool lan set 1 netmask <Netmask>

Adds IPv4 address, default gateway, and netmask to the network interface "eth0"

4

Get IPv4 config

Copy
Copied!
            

ipmitool lan print 1

Gets IPv4 network config for channel 1 which corresponds to the network interface "eth0"

5

Set IPv6 address

Copy
Copied!
            

ipmitool lan6 set 1 nolock static_addr 0 enable <IPv6 address> 64

Adds IPv6 address to the network interface "eth0"

6

Get IPv6 config

Copy
Copied!
            

ipmitool lan6 print 1

Gets IPv6 network config for channel 1 which corresponds to the network interface "eth0"

7

Get DNS server

Copy
Copied!
            

ipmitool raw 0x32 0x6B

Output:

Copy
Copied!
            

0b 31 30 2e 31 35 2e 31 32 2e 36 37

Corresponds to: 10.15.12.67

Gets the DNS server

8

Add DNS server

Copy
Copied!
            

ipmitool raw 0x32 0x6C 0x0b 0x31 0x30 0x2e 0x31 0x35 0x2e 0x31 0x32 0x2e 0x36 0x37

Output:

Copy
Copied!
            

0x0b 0x31 0x30 0x2e 0x31 0x35 0x2e 0x31 0x32 0x2e 0x36 0x37

Corresponds to: 10.15.12.67

Adds the DNS server

9

Get NTP server

Copy
Copied!
            

ipmitool raw 0x32 0xA7

Output:

Copy
Copied!
            

01 11 31 2e 69 6e 2e 70 6f 6f 6c 2e 6e 74 70 2e 6f 72 67

Where:

  • 01 – NTP status enable/disable

  • 11 – NTP server length

  • 31 2e 69 6e 2e 70 6f 6f 6c 2e 6e 74 70 2e 6f 72 67 – NTP server address byte stream corresponds to 1.in.pool.ntp.org

Gets NTP server

10

Add NTP server

Copy
Copied!
            

ipmitool raw 0x32 0xA8 0x01 0x31 0x2e 0x69 0x6e 0x2e 0x70 0x6f 0x6f 0x6c 0x2e 0x6e 0x74 0x70 0x2e 0x6f 0x72 0x67

Where:

  • 31 2e 69 6e 2e 70 6f 6f 6c 2e 6e 74 70 2e 6f 72 67 – NTP server address byte stream corresponds to 1.in.pool.ntp.org

Adds NTP server

11

Enable time sync to NTP server

Copy
Copied!
            

ipmitool raw 0x32 0xA8 0x02 0x01

Where:

  • 0x01 – enable NTP

Enables NTP time sync

12

Enable time sync to system RTC

Copy
Copied!
            

ipmitool raw 0x32 0xA8 0x02 0x00

Where:

  • 0x00 – disable NTP

Disables NTP time sync

DPU reset and checking reset status can be performed from a remote server using the openbmctool.

No.

Function

Command

Description

1

Trigger soft reset to the DPU

Copy
Copied!
            

python3 openbmctool.py -H <ip_address> \ -U <username> \ -P <password> dpu_reset soft \ -t

Where:

  • -H – BMC IP

  • -U – username

  • -P – password

  • -t – wait till finish the reset with timeout

Triggers soft reset to the DPU

2

Track DPU reset status

Copy
Copied!
            

python3 openbmctool.py -H <ip_address> \ -U <username> \ -P <password> dpu_reset status

Where:

  • -H – BMC IP

  • -U – username

  • -P – password

Track the BMC-DPU reset status

Run the following IPMI command to factory reset the BMC configuration.

Copy
Copied!
            

ipmitool raw 0x32 0x66

After issuing the ipmitool raw command for factory reset, you must log into the BMC and reboot it for the factory reset to take effect.

Warning

If you have lost your BMC login credentials and cannot login, you may issue the following command from the BlueField Arm:

Copy
Copied!
            

ipmitool mc reset cold

Important

Factory reset also sets the global password for the root user back to its default (0penBmc). Upon first boot following factory reset, make sure to reconfigure the default global password to prevent potential malicious attackers from hacking your system.

Be sure to follow this password policy:

  • Minimum length: 13

  • Minimum upper case characters: 1

  • Minimum lower case characters: 1

  • Minimum digits: 1

Note that the root account locks after four consecutive failed attempts and automatically unlocks after 10 minutes.

Firmware upgrade of BMC and CEC components using BMC can be performed from a remote server using openbmctool.

The following table presents the commands available to perform the upgrade:

No.

Function

Command

Description

1

Trigger a BMC secure update

Copy
Copied!
            

python3 openbmctool.py -H <ip_address> \ -U <username> \ -P <password> firmware flash bmc \ -f <path>

Where:

  • -H – BMC IP

  • -U – username

  • -P – password

  • -f – path to signed BMC image tar file

Triggers BMC secure update

2

Track a BMC firmware update

Copy
Copied!
            

python3 openbmctool.py -H <ip_address> \ -U <username> \ -P <password> task status \ -i <task-id>

Where:

  • -H – BMC IP

  • -U – username

  • -P – password

  • -i – task ID of the triggered firmware update, will be displayed after triggering the firmware update

Tracks the BMC firmware update

3

Fetch running BMC firmware version

Copy
Copied!
            

python3 openbmctool.py -H <ip_address> \ -U <username> \ -P <password> firmware running_version

Where:

  • -H – BMC IP

  • -U – username

  • -P – password

Fetches the running firmware version from BMC

4

Reset/reboot a BMC

Copy
Copied!
            

python3 openbmctool.py -H <ip_address> \ -U <username> \ -P <password> bmc reset warm

Where:

  • -H – BMC IP

  • -U – username

  • -P – password

Reboots/resets the BMC

5

Trigger a CEC secure update

Copy
Copied!
            

python3 openbmctool.py -H <ip_address> \ -U <username> \ -P <password> apfirmware flash cec \ -f <path>

Where:

  • -H – BMC IP

  • -U – username

  • -P – password

  • -f – path to signed CEC OTA image file

Triggers CEC secure update

6

Track a CEC firmware update

Copy
Copied!
            

python3 openbmctool.py -H <ip_address> \ -U <username> \ -P <password> apfirmware status cec

Where:

  • -H – BMC IP

  • -U – username

  • -P – password

Tracks the CEC firmware update

7

Trigger CEC attestation/challenge-response

Copy
Copied!
            

python3 -H <bmc_ip> -U <username> \ -P <password> apfirmware getattestation cec \ --pubkeyfile <public key file> \ --randomnumbers <32-byte random number in hex format>

Where:

  • -H – BMC IP

  • -U – username

  • -P – password

  • --pubkeyfile – (optional) NVIDIA public key certificate provided for CEC validation

  • --randomnumbers – (optional) 32-byte random number in hex format (see format in the example below) to use in challenge response. The same set of numbers as provided in same order can be validated in the attestation file returned from CEC.

For example:

Copy
Copied!
            

python3 openbmctool.py -H <bmc_ip> \ -U <username> \ -P <password> apfirmware getattestation cec \ --pubkeyfile pubkey.pem \ --randomnumbers 0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20

In the above example the hex string represents the 32-byte decimal number "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32".

Triggers CEC attestation or challenge-response

BMC Update

The command in line #2 in the table above can be used to track the BMC firmware update. The following example shows the completion the first stage of BMC secure update.

Copy
Copied!
            

python3 openbmctool.py -H <ip_address> -U <username> -P <password> task status -i <task-id> Attempting login... Task Details: TaskState="Completed" TaskStatus="OK" TaskProgress="100" User root has been logged out

BMC reboot is required to complete the BMC secure update operation. BMC reboot can be triggered after the completion of the first stage of BMC secure update operation.

CEC Update

The command in line #6 in the table above can be used to track the CEC firmware update. The following example shows the completion of the first stage of CEC secure update:

Copy
Copied!
            

python3 openbmctool.py -H <bmc_ip> -U <username> -P <password> apfirmware status cec Firmware update status for the component cec as below. TaskState=Frimware update succeeded. TaskStatus=OK TaskProgress=100

Power-cycle/cold reset is required to complete the CEC secure update operation. Power-cycle/cold reset can be triggered after the completion of the first stage of CEC secure update operation.

© Copyright 2023, NVIDIA. Last updated on Jan 16, 2024.