Secure Boot
These pages provide guidelines on how to operate secured NVIDIA® BlueField®-2 DPUs. They also provide references for the UEFI portion of the secure boot process.
This section provides directions for illustration purposes only; it does not intend to enforce or mandate any procedure for managing keys or any production guidelines. Platform users are solely responsible for implementing secure strategies and safe approaches to manage their boot images and their associated keys and certificates.
Security aspects such as key generation, key management, key protection, and certificate generation are out of the scope of this section.
Secure boot is a process which verifies each element in the boot process prior to execution, and halts or enters a special state if a verification step fails at any point during the boot. It is based on an unmodifiable ROM code which acts as the root-of-trust (RoT) and uses an off-chip public key to authenticate the initial code loaded from external non-volatile storage. The integrity of the off-chip public key is verified by the ROM code against an on-chip public key hash value stored in E-FUSEs. Then the authenticated code and each subsequent element in the boot process cryptographically verify the next element prior to passing execution to it. This extends the chain-of-trust (CoT) by verifying elements whose RoT is anchored in hardware. In addition, no external intervention in the authentication process is permitted, so that unauthorized software and firmware cannot be loaded. There should be no way to interrupt or bypass the RoT with runtime changes.
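The chain just described, modelled as an added Go example (this is not NVIDIA code and does not reflect the real BlueField ROM, key or image formats): Ed25519 and SHA-256 stand in for whatever the hardware uses, and the images, per-stage keys and "fused" hash are all constructed inside the example. The verifier first checks the off-chip public key against the fused hash, then lets each element vouch for the next and stops at the first failure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one boot element: its image, the public key that authorises the
// next element, and a signature over both by the key that authorised this one.
type Stage struct {
	Image   []byte
	NextPub ed25519.PublicKey
	Sig     []byte
}

// signedBytes is what a stage's signature covers: image plus next-stage key.
func signedBytes(s Stage) []byte { return append(append([]byte{}, s.Image...), s.NextPub...) }

// VerifyChain acts as ROM then each element: the off-chip key must match the
// fused hash, and every stage must verify under the key the prior stage set up.
func VerifyChain(fusedHash [32]byte, offChipPub ed25519.PublicKey, stages []Stage) error {
	if sha256.Sum256(offChipPub) != fusedHash {
		return fmt.Errorf("off-chip public key does not match E-FUSE hash")
	}
	pub := offChipPub
	for i, s := range stages {
		if !ed25519.Verify(pub, signedBytes(s), s.Sig) {
			return fmt.Errorf("stage %d: signature check failed, halting", i)
		}
		pub = s.NextPub // trust in the next element is anchored in this one
	}
	return nil
}

// BuildChain signs constructed demo images with fresh per-stage keys (demo only).
func BuildChain(images [][]byte) ([32]byte, ed25519.PublicKey, []Stage) {
	rootPub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var stages []Stage
	for _, img := range images {
		nextPub, nextPriv, _ := ed25519.GenerateKey(rand.Reader)
		s := Stage{Image: img, NextPub: nextPub}
		s.Sig = ed25519.Sign(priv, signedBytes(s))
		stages, priv = append(stages, s), nextPriv
	}
	return sha256.Sum256(rootPub), rootPub, stages
}

func main() { fmt.Println("genuine chain:", VerifyChain(BuildChain([][]byte{[]byte("bl1"), []byte("uefi")}))) }
```

A modified image, a swapped next-stage key, or an off-chip key whose hash differs from the fused value each make VerifyChain return an error at the stage where the chain breaks.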
The following secure boot enabled BlueField-2 DPUs are available:
MBF2M516A-CECOT
MBF2M516A-EECOT
MBF2H332A-AECOT
MBF2H322A-AECOT
Secured NVIDIA® BlueField® platforms have pre-installed software and firmware signed with NVIDIA signing keys. The on-chip public key hash is programmed into E-FUSEs.
To verify whether the DPU in your possession supports secure boot, run the following command:
# sudo mst start
# sudo flint -d /dev/mst/mt41686_pciconf0 q full | grep "Life cycle"
Life cycle: GA SECURED
“GA SECURED” indicates that the BlueField device has secure boot enabled.
To verify whether the BlueField Arm has secure boot enabled, run the following command from the BlueField console:
ubuntu@localhost:~$ sudo mlxbf-bootctl | grep lifecycle
lifecycle state: GA Secured