NVIDIA BlueField BSP v4.8.0

Default Passwords and Policies

The BMC password must comply with the following policy parameters:

  • Using ASCII and Unicode characters is permitted

  • Minimum length: 12

  • Maximum length: 20

  • Maximum number of consecutive character pairs: 4

    Info

    Two characters are consecutive if |hex(char_1)-hex(char_2)|=1.

    Examples of passwords with 5 consecutive character pairs (invalid): DcBa123456AbCd!; ab1XbcYcdZdeGef!; Testing_123abcgh!.

The following is a valid example password:

  • HelloNvidia3D!
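The policy above as a checker, added here as an illustration and not taken from NVIDIA's BMC firmware. It counts consecutive pairs across the whole password (as the invalid examples imply, the pairs need not be adjacent to each other) and assumes length is measured in characters; the function names are hypothetical.

```python
# Added example: checker for the BMC password policy listed above.
MIN_LEN, MAX_LEN, MAX_CONSECUTIVE_PAIRS = 12, 20, 4  # values from the policy list


def consecutive_pairs(password: str) -> int:
    """Count adjacent characters whose code points differ by exactly 1."""
    return sum(
        1 for a, b in zip(password, password[1:]) if abs(ord(a) - ord(b)) == 1
    )


def check_bmc_password(password: str) -> list[str]:
    """Return the list of policy violations (empty list means compliant)."""
    problems = []
    # Assumption: length is counted in characters (code points), not bytes.
    if len(password) < MIN_LEN:
        problems.append(f"too short: {len(password)} < {MIN_LEN}")
    if len(password) > MAX_LEN:
        problems.append(f"too long: {len(password)} > {MAX_LEN}")
    pairs = consecutive_pairs(password)
    if pairs > MAX_CONSECUTIVE_PAIRS:
        problems.append(f"{pairs} consecutive pairs > {MAX_CONSECUTIVE_PAIRS}")
    return problems


if __name__ == "__main__":
    # Candidates are the example passwords quoted in the policy text.
    for candidate in ("HelloNvidia3D!", "DcBa123456AbCd!", "ab1XbcYcdZdeGef!"):
        print(candidate, check_bmc_password(candidate) or "OK")
```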

Note

A user account is locked for 10 minutes after 10 consecutive failed attempts.

A password is required to enter the UEFI menu during BlueField bootup. The UEFI menu contains various settings which impact BlueField behavior. Therefore, it is very important to keep that password secure.

Default Password

  1. A first-time user accessing the UEFI menu must enter the default password for the UEFI menu, bluefield:


  2. The user is prompted to provide a new password:


    Note

    The new password entered above must be in compliance with the password policy:

    • The password must be between 12 and 64 characters (inclusive)

    • There are no requirements for upper/lower case, or special characters. Spaces are allowed.

  3. The user is prompted to confirm the new password:


Default Password Policy

The user can enable or disable the UEFI password policy using a checkbox in the UEFI menu. The Default Password Policy is enabled by default.

To disable it, browse the UEFI menu as follows:

  1. Navigate to "Device Configuration" > "System Configuration" > "Password Settings":


  2. The "Default Password Policy" checkbox controls whether the more secure password policy is enabled:


    Info

    To disable the Default Password Policy, hit the spacebar to clear the checkbox.

  3. The user must hit ESC ESC and answer "Y" to save the configuration change.


Disabling Default Password Policy

To disable the Default Password Policy, hit the spacebar to clear the checkbox.


Info

If the Default Password Policy is disabled, the password entered must be between 1 and 64 characters.

Software Downgrade

The UEFI's password policy is not backward compatible. Although downgrade is not recommended, users are allowed to downgrade their software while their password is set. However, if and only if the password is set, users must configure the legacy password prior to performing any downgrade.

For BSP 4.6.0 (DOCA 2.6.0) or higher, users must change the saved UEFI password to the older "Legacy" format.

Warning

If this procedure is not followed before performing a software downgrade, users will not be able to enter the UEFI menu.

In the UEFI menu:

  1. Navigate to "Device Manager" > "System Configuration" > "Password Settings" > "Set Legacy Password".

  2. Select "Set Legacy Password".

  3. Enter your current password:


  4. Type in a new legacy password between 1 and 20 characters:

    Note

    The password format allows up to 64 characters but anything greater than 20 characters is not backward compatible.


  5. Confirm the new password:


Now, you may downgrade your BlueField image.

Password Reset

To reset the UEFI menu password, users may use the ready-to-use capsule file EnrollKeysCap, installed at /lib/firmware/mellanox/boot/capsule/EnrollKeysCap on the BlueField DPU file system. From the BlueField console, execute the following command, then reboot:


ubuntu@localhost:~$ bfrec --capsule /lib/firmware/mellanox/boot/capsule/EnrollKeysCap

On the next reboot, the capsule file is processed, and the UEFI password is reset to bluefield.

GRUB menu entries are protected by a username and password to prevent unwanted changes to the default boot options or parameters.

The default credentials are as follows:

| Username | Password |
|----------|----------|
| admin | BlueField |

The password can be changed during BFB installation by providing a new grub_admin_PASSWORD parameter in bf.cfg:


# vim bf.cfg
grub_admin_PASSWORD='grub.pbkdf2.sha512.10000.5EB1FF92FDD89BDAF3395174282C77430656A6DBEC1F9289D5F5DAD17811AD0E2196D0E49B49EF31C21972669D180713E265BB2D1D4452B2EA9C7413C3471C53.F533423479EE7465785CC2C79B637BDF77004B5CC16C1DDE806BCEA50BF411DE04DFCCE42279E2E1F605459F1ABA3A0928CE9271F2C84E7FE7BF575DC22935B1'

To generate a new hashed password value, use the command grub-mkpasswd-pbkdf2.

After the installation, the password can be updated by editing the file /etc/grub.d/40_custom and then running the command update-grub, which updates the file /boot/grub/grub.cfg.
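An audit check for the grub_admin_PASSWORD value, added here as an illustration and not part of NVIDIA's tooling: it parses the grub.pbkdf2.sha512.<iterations>.<salt>.<hash> format and reports whether a bf.cfg still carries a hash of the default password BlueField. The function names and the sample bf.cfg line are constructed; it assumes the value is PBKDF2-HMAC-SHA512 as produced by grub-mkpasswd-pbkdf2.

```python
import hashlib
import hmac

DEFAULT_GRUB_PASSWORD = "BlueField"  # default from the credentials table above


def parse_grub_hash(value: str):
    """Split 'grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>'."""
    parts = value.strip().strip("'\"").strip().split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 value")
    return int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])


def matches(value: str, password: str) -> bool:
    """True if `password` produces the digest stored in `value`."""
    iterations, salt, digest = parse_grub_hash(value)
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=len(digest)
    )
    return hmac.compare_digest(candidate, digest)


def make_grub_hash(password: str, salt: bytes, iterations: int = 10000) -> str:
    """Build a value in the same format (used only to construct sample input)."""
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=64
    )
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


def audit_bf_cfg(text: str) -> str:
    """Classify the grub_admin_PASSWORD line of a bf.cfg file."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "grub_admin_PASSWORD":
            return "default-password" if matches(value, DEFAULT_GRUB_PASSWORD) else "custom"
    return "not-set"  # no override given, so the default credentials apply


if __name__ == "__main__":
    # Constructed sample: a bf.cfg line hashing the default password with a fixed salt.
    sample = "grub_admin_PASSWORD='" + make_grub_hash("BlueField", bytes(range(64))) + "'"
    print(audit_bf_cfg(sample))
```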

Upon first login, the user ubuntu must enter the default password ubuntu if this was not changed during the OS installation process. Users are then required to change the default password according to the following password policy:

The following table details the password policy parameters:

Info

Each of these parameters is configurable in its respective config file indicated in the "Config File Path" column.

| Config File Path | Parameter | Value | Description |
|------------------|-----------|-------|-------------|
| /etc/security/pwquality.conf | minlen | 12 | Minimum password length |
| /etc/pam.d/common-password | remember | 3 | The number of previous passwords which cannot be reused |
| /etc/security/faillock.conf | silent | Uncommented | Prevents printing informative messages to the user |
| /etc/security/faillock.conf | deny | 10 | The number of authentication attempts permitted before the user is locked out |
| /etc/security/faillock.conf | unlock_time | 600 | The duration of the lockout period, in seconds |
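Because each parameter is editable in its config file, a drift check against the table is useful. The following is an added example, not NVIDIA's code: it parses the three file formats and lists every deviation from the documented values. The file contents are constructed samples, and the pam_pwhistory.so line is an assumption about where remember is set.

```python
import re

# Expected values from the table above; None marks a bare flag that must be active.
EXPECTED = {
    ("/etc/security/pwquality.conf", "minlen"): "12",
    ("/etc/pam.d/common-password", "remember"): "3",
    ("/etc/security/faillock.conf", "silent"): None,
    ("/etc/security/faillock.conf", "deny"): "10",
    ("/etc/security/faillock.conf", "unlock_time"): "600",
}

# Constructed sample file contents (not taken from a real device).
SAMPLE_FILES = {
    "/etc/security/pwquality.conf": "# minlen = 8\nminlen = 12\n",
    "/etc/pam.d/common-password":
        "password requisite pam_pwhistory.so remember=3 use_authtok\n",
    "/etc/security/faillock.conf": "# silent\ndeny = 5\nunlock_time = 600\n",
}


def read_settings(text):
    """Collect key=value tokens and bare flags from uncommented lines."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # commented-out settings do not count
        if re.fullmatch(r"\w+", line):
            found[line] = None  # bare flag such as 'silent'
        for key, value in re.findall(r"(\w+)\s*=\s*(\S+)", line):
            found[key] = value
    return found


def audit(files):
    """Return (path, parameter, expected, actual) for each deviation."""
    findings = []
    for (path, param), want in EXPECTED.items():
        have = read_settings(files.get(path, "")).get(param, "<missing>")
        if have != want:
            findings.append((path, param, want, have))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

On a device, build the `files` mapping by reading the three paths instead of using the constructed samples.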

© Copyright 2024, NVIDIA. Last updated on Aug 20, 2024.