# Managing HPE BIOS resources

Note
It is possible that some properties or resources described
in this section are not implemented in iLO 4 and iLO 5.

This section presents the HPE-specific Bios resources
(attributes and OEM resources) implemented in HPE iLO based servers.
Refer to the [BIOS data model](/docs/concepts/biosdatamodel/)
section for a generic overview of the standard Redfish Bios data model.

The HPE Bios subsystem contains two families of elements:

- A set of **attributes** located under the `/redfish/v1/Systems/{item}/Bios`
standard URI, and described in the
[Bios registry](/docs/concepts/biosdatamodel/#bios-attribute-registry-overview)
section.
- Sets of **OEM Bios resources** described in proprietary schemas
(e.g. `HpeTlsConfig`).


The URIs of the HPE OEM Bios resources can be retrieved from
`/redfish/v1/Systems/{item}/Bios/Oem/Hpe` as shown in the next
example.

Note
HPE OEM Bios resource links have been moved from `/redfish/v1/Systems/1/Bios`
in Gen10 servers to `/redfish/v1/Systems/1/Oem/Hpe` in Gen10 Plus and
Gen11 servers.
Refer to the following example for a generic method to retrieve them,
regardless of the server generation.

Generic request

```text
GET /redfish/v1/systems/1/bios/?$select=Oem/Hpe/Links
```

iLOrest

```shell
# The following request retrieves Bios related URIs
# using a recursive jq request, ignoring errors
# and 'null' responses

ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest rawget --silent \
        '/redfish/v1/systems/1/bios/?$select=Oem/Hpe/Links' | \
        jq -r '..|."@odata.id"?' | grep -v null
ilorest logout
```

cURL

```shell
# The following request retrieves Bios related URIs
# using a recursive jq request, ignoring errors
# and 'null' responses

curl --silent --insecure -u <ilo-user>:password \
     'https://<ilo-ip>/redfish/v1/systems/1/bios/?$select=Oem/Hpe/Links' | \
     jq -r '..|."@odata.id"?' \
     | grep -v null
```

Gen10 response body

```text
/redfish/v1/systems/1/bios/
/redfish/v1/systems/1/bios/baseconfigs/
/redfish/v1/systems/1/bios/boot/
/redfish/v1/systems/1/bios/kmsconfig/
/redfish/v1/systems/1/bios/mappings/
/redfish/v1/systems/1/bios/serverconfiglock/
/redfish/v1/systems/1/bios/tlsconfig/
/redfish/v1/systems/1/bios/iscsi/
```

Gen10 Plus and Gen11 response body

```text
/redfish/v1/systems/1/bios/
/redfish/v1/systems/1/bios/oem/hpe/baseconfigs/
/redfish/v1/systems/1/bios/oem/hpe/boot/
/redfish/v1/systems/1/bios/oem/hpe/kmsconfig/
/redfish/v1/systems/1/bios/oem/hpe/mappings/
/redfish/v1/systems/1/bios/oem/hpe/serverconfiglock/
/redfish/v1/systems/1/bios/oem/hpe/tlsconfig/
/redfish/v1/systems/1/bios/oem/hpe/iscsi/
```

NOTE
The **HPE service Bios** extension is dedicated to HPE field service
employees, and should not be accessed programmatically by
Redfish clients.

The **HPE service Bios** extension URI is not mentioned
explicitly under the Bios `Oem/Hpe` extension on purpose.

However, like other HPE Bios extensions,
it is located at `/redfish/v1/Systems/1/Bios/Oem/Hpe/Service`
in Gen10 Plus and Gen11 servers and at `/redfish/v1/Systems/1/Bios/Service` in
Gen10 servers.

## RESTful API BIOS Schemas/Registries

As explained in the
[Bios attribute registry overview](/docs/concepts/biosdatamodel/#bios-attribute-registry-overview)
paragraph, the Bios registry file URI of a live system can be easily located
under `/redfish/v1/Registries`. This file is specific to the platform model
and the Bios/ROM version loaded in the server. For example, if you follow the
`BiosAttributeRegistryA55.v1_1_62` URI, you will find
the Bios attributes and registries for a DL365 Gen11 (A55) with ROM version 1.1.62.

If you want to know precisely the property and attribute differences between two
Bios/ROM versions of a specific platform, you can download the corresponding
Schemas/Registries from the
HPE Support Center.
Then, you will have to unzip the downloaded files and compare them manually
using your favorite JSON editor.

HPE provides RESTful API BIOS Schemas/Registries via the HPE Support Center.
These are static files and meant as references. They are not meant to be
"installed". After downloading, you will need to unzip the file. The resulting files are useful for:

1. Comparing BIOS attribute differences between two BIOS/ROM versions of a platform.
2. Analyzing BIOS attributes for their
[factory default](/docs/redfishservices/ilos/supplementdocuments/biosdoc/#retrieving-default-bios-attributes-from-a-registry-file)
values on a platform.
3. Helping to create a Redfish mockup like the one the
DMTF provides.


NOTE
HPE RESTful API BIOS Schemas/Registries **are not** intended to
be installed anywhere in servers, iLOs, or iLOrest configuration file. They are **NOT**
ROM Flash Universal Firmware Packages.

ROM Flash Universal Firmware Packages should be installed from Software Support Packs
(SPP)
or downloaded as `.fwpkg` files from the HPE Support Center.

## Reinitializing secure boot databases

Tip
For a generic introduction to secure boot databases, refer to the related section of the
[concept part](/docs/concepts/securebootdatabases#secure-boot-databases) of the documentation.

After upgrading or downgrading HPE iLO, first reboot the server. After reboot,
the BIOS rebuilds the secure boot databases. If you do not reboot the server
under the conditions listed below, the BIOS and HPE iLO secure boot databases do not synchronize.

Reboot the server only under the following conditions:

- HPE iLO upgrade: The source version is HPE iLO 6 1.61 or earlier, and the
target version is HPE iLO 6 1.62 or later.
- HPE iLO downgrade: The source version is HPE iLO 6 1.62 or later, and the
target version is HPE iLO 6 1.61 or earlier.


The length of the certificate string is 3072 bytes. The BIOS can delete
certificates and signatures from the default secure boot databases stored in
HPE iLO.

Note
The maximum length of certificates is 3 KiB.

## Synchronize data with HPE iLO and BIOS

The BIOS or UEFI variable stores the secure boot databases. The OS, ROM-Based
Setup Utility setting (RBSU), or Redfish API can modify the databases. To
maintain consistency, the BIOS synchronizes the data with HPE iLO. The BIOS
can identify the certificates or signatures that must synchronize with HPE iLO.

When a certificate or signature is added or deleted using RBSU (and not using the Redfish API), the BIOS provides a POST or a DELETE Redfish method to manage such certificate or signature. The synchronization between BIOS and HPE iLO is an internal process and the user cannot control it.

The following table lists the maximum number of certificates and signatures
allowed for each of the secure boot database types:

| **Database Name** | **Number of certificates** | **Number of signatures** |
|  --- | --- | --- |
| Platform Key (PK) | 1 | N/A |
| PKDefault | 1 | N/A |
| Key Exchange Key (KEK) | 16 | N/A |
| KEKDefault | 10 | N/A |
| db/dbx/dbt/dbr | 16 | 10 |
| dbDefault/dbxDefault/dbtDefault/dbrDefault | 10 | 10 |


For more information about secure boot databases,
refer to the [Secure Databases](/docs/concepts/securebootdatabases/) paragraph.

## SecureBoot certificates management

HPE iLO does not allow enrollment or deletion of certificates
from the default databases.
Refer to the [Secure Boot databases](/docs/concepts/securebootdatabases/)
generic section for an introduction on this subject. Among other things,
it contains allowed operations on the different databases.
Refer to
Secure Boot and Driver Signing
for more information about the UEFI specifications of SecureBoot authentication.

Notes
- When Platform Key (PK) is enrolled, `SecureBootMode` is set to the `User` Mode.
- A PK can be deleted. When it is deleted, `SecureBootMode`
changes to `Setup` mode and the `SecureBoot` mechanism is disabled. This
means that the system could boot an image that is not allowed by the `SecureBoot`
databases.
- Delete the PK certificate if you want to transition `SecureBootMode` to `SetupMode`.
- All the HPE built-in certificates contain a valid GUID. Therefore, the GUID for SecureBoot database
certificates added using HPE iLO in BIOS RBSU always has a valid string.
Refer to the [Secure Boot databases](/docs/concepts/securebootdatabases/)
section for more information on that subject.


### Enrolling SecureBoot keys

#### Important points to remember

- An HPE iLO license is not required.
- If you have not installed an OS, Hewlett Packard Enterprise recommends that you execute
the Secure Boot Database APIs while the system is powered off.
- If you have installed an OS, you do not have to perform any action to set up SecureBoot Mode.


To enroll certificates or signatures in a non-default SecureBoot database,
perform the following steps:

1) Perform a `POST` on the API using the following URIs:
  - `/redfish/v1/systems/1/secureboot/securebootdatabases/{@securebootdatabaseId}/certificates/`
  - `/redfish/v1/systems/1/secureboot/securebootdatabases/{@securebootdatabaseId}/signatures/`
  - The value of SecureBootMode under `/redfish/v1/systems/1/secureboot/securebootdatabases/` does not affect
the ability to enroll certificates.
  - The SecureBootMode value can be set to either `SetupMode` or `UserMode`.
  - You can enroll multiple SecureBoot keys simultaneously using the same API call. Ensure that you reboot the system
after enrollment to apply the changes. You can call one API multiple times for multiple operations. Once
the system reboots, the BIOS processes these tasks one by one.
For example, to enroll 10 certificates, you must call the same API 10 times.
2) Reboot or power cycle the host server.
You must reboot the server for the changes to take effect after modifying the SecureBoot database.
3) Perform a `GET` on the SecureBoot databases. You can see the certificate under the database where it was enrolled.


Sample payload:

The following example enrolls a certificate in the authorized certificate
signature database of an HPE iLO server.

Tip
Refer to this
[TIP](/docs/redfishservices/ilos/supplementdocuments/securityservice/#importing-a-signed-certificate-into-ilo)
to convert a CRLF-terminated file into a string.

Generic POST request

```text
POST /redfish/v1/Systems/1/SecureBoot/SecureBootDatabases/{@SecureBootDatabaseId}/Certificates/
```

Body

```json
{
    "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIEXTCCA0WgAwIBAgIUILNZIX8LjJ/AMdsrsUl5eiGWY5kwDQYJKoZIhvcNAQEL\nBQAwgb0xCzAJBgNVBAYTAkZSMSMwIQYDVQQIDBpQcm92ZW5jZS1BbHBlcy1Db3Rl\nFooIs\n HappyjEZMBcGA1UEBwwQU29waGlhLUFudGlwb2xpczEMMAoGA1UECgwDSFBF\nMRAwDgYDVQQLDAdDb21wdXRlMScwJQYDVQQDDB50b3lib3guZXRjLmZyLmNvbW0u\naHBlY29ycC5uZXQxJTAjBgkqhkiG9w0BCQEWFmZyYW5jb2lzLmRvbnplQGhwZS5j\nb20wHhcNMjEwNDE0MTQxMzQxWhcNMzEwNDEyMTQxMzQxWjCBvTELMAkGA1UEBhMC\nRlIxIzAhBgNVBAgMGlByb3ZlbmNlLUFscGVzLUNvdGUgZCdBenVyMRkwFwYDVQQH\nDBBTb3BoaWEtQW50aXBvbGlzMQwwCgYDVQQKDANIUEUxEDAOBgNVBAsMB0NvbXB1\ndGUxJzAlBgNVBAMMHnRveWJveC5ldGMuZnIuY29tbS5ocGVjb3JwLm5ldDElMCMG\nCSqGSIb3DQEJARYWZnJhbmNvaXMuZG9uemVAaHBlLmNvbTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAMhZynGPIBE4VhIqjka9RoGJ1gSrYMceHOcj7Qzz\nGqbBoPwD3H0QZYgVczrAkwrLM229oRzpPfjc4OAZXP8ZE6mgkFAtqEPyf1V8G2/L\nKqIIIWoW8Pk158FgN/+IJAgTx3HkKg3Fg8r/7gaFItCuf9isvOqvcX7F3jur+g52\njKVqWGNlfKWVHZ5EEUQm6Yubt0kmflZ1FAgFMYYWZDVfTY63yrndgHIXDhGeqI00\nTz4KLIXltWEjXQHICzl14GOv1flTAJsjaH+Psryd0hFinJMyu6qtF8NCzVhbJCVn\nFtrIDOzU1cjTXrNt4sVyzRImYjAdB3nIEnY1DBS+pFbuTQ8CAwEAAaNTMFEwHQYD\nVR0OBBYEFB98Krx8h49jHuNMb5NNQTgRfwfZMB8GA1UdIwQYMBaAFB98Krx8h49j\nHuNMb5NNQTgRfwfZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nAE1YqMXR1VemcmFSsYWzjQEo37Os1YtkpJcuEQALAYeRWCpyWjiDnId7ThxP8GJ+\nryTbv1AtHf32QKXvNr/h6zGpKfvGb45ukMJeSDOH4ftI+f9bgRMbTuS5what3Db6\nYCH0/iAyelL3wA+sT86jsp+AqMoxgdOeCEM093sLtFTBvymm+yoqH6aFmz1l7ZwT\nJci63n1K9flpt9qlHifdlJkdZ2TVAbspoULvmlA1yeqG9j6OgPLBvB/fr+cz4p/b\nB6ct0HDuXtSoWPAiRALXF5S50Zvp5Y4Z8H+6Z02akGE68xYCE1WeNC85LuqflifD\nSXPaDWGLb9dFM2VkSjo9P7c=\n-----END CERTIFICATE-----\n",
    "CertificateType": "PEM"
}
```
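
A pre-flight check for the enrollment request above, as an added example that is not part of the HPE documentation or tooling: it normalizes a CRLF-terminated PEM file, rejects default databases, and applies the 3072-byte and per-database limits stated on this page before building the POST body. The function names, the `enrolled_count` argument and the sample certificate are assumptions, and the size is assumed to be measured over the normalized PEM text.

```python
import base64
import json

# Limits and database names copied from this page.
MAX_CERT_STRING_BYTES = 3072
MAX_CERTIFICATES = {"PK": 1, "KEK": 16, "db": 16, "dbx": 16, "dbt": 16, "dbr": 16}
COLLECTION = "/redfish/v1/Systems/1/SecureBoot/SecureBootDatabases/{db}/Certificates/"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


class EnrollmentError(ValueError):
    """Raised when a request would be refused or would enroll a damaged certificate."""


def normalize_pem(text):
    """Convert CRLF/CR line endings to LF and verify the PEM envelope and body."""
    lines = [ln.rstrip() for ln in text.replace("\r\n", "\n").replace("\r", "\n").split("\n")]
    lines = [ln for ln in lines if ln]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise EnrollmentError("expected exactly one PEM certificate")
    try:
        # validate=True rejects stray spaces or text pasted into the base64 body.
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError as exc:
        raise EnrollmentError(f"certificate body is not valid base64: {exc}") from None
    if not der.startswith(b"\x30"):  # shallow check: DER certificates start with a SEQUENCE
        raise EnrollmentError("decoded body is not a DER SEQUENCE")
    return "\n".join(lines) + "\n"


def build_certificate_request(database_id, pem_text, enrolled_count):
    """Return (uri, json_body) for the POST, or raise EnrollmentError."""
    if database_id.endswith("Default"):
        raise EnrollmentError(f"{database_id}: enrollment in default databases is not allowed")
    limit = MAX_CERTIFICATES.get(database_id)
    if limit is None:
        raise EnrollmentError(f"{database_id}: not a certificate database")
    if enrolled_count >= limit:
        raise EnrollmentError(f"{database_id}: already holds {enrolled_count} of {limit} certificates")
    cert = normalize_pem(pem_text)
    size = len(cert.encode("utf-8"))
    if size > MAX_CERT_STRING_BYTES:
        raise EnrollmentError(f"certificate string is {size} bytes, limit is {MAX_CERT_STRING_BYTES}")
    body = json.dumps({"CertificateString": cert, "CertificateType": "PEM"})
    return COLLECTION.format(db=database_id), body


def sample_pem(der_len, newline="\r\n"):
    """Constructed placeholder: a DER SEQUENCE header plus zero padding, not a real certificate."""
    der = b"\x30\x82" + (der_len - 4).to_bytes(2, "big") + bytes(der_len - 4)
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join([BEGIN, *rows, END]) + newline


if __name__ == "__main__":
    uri, body = build_certificate_request("db", sample_pem(260), enrolled_count=3)
    print("POST", uri)
    print(body[:90] + "...")
```

The `enrolled_count` value is the number of members returned by a `GET` on the target `Certificates` collection.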

### Deleting SecureBoot keys

To remove a certificate or signature from a non-default database,
perform `DELETE` on the particular member from either the `Certificate` or
`Signature` collection URI:

- `/redfish/v1/Systems/1/SecureBoot/SecureBootDatabases/{@SecureBootDatabaseId}/Certificates/{@CertificateId}`
- `/redfish/v1/Systems/1/SecureBoot/SecureBootDatabases/{@SecureBootDatabaseId}/Signatures/{@SignatureId}`


NOTE
- The value of SecureBootMode under `/redfish/v1/systems/1/secureboot/securebootdatabases/` does not affect
the ability to delete certificates.
- The SecureBootMode value can be set to either `SetupMode` or `UserMode`.
- You can delete multiple certificates using one API call. Ensure that you reboot the system
after enrollment to apply the changes. You don't need additional API calls for multiple operations. Once
the system reboots, the BIOS processes these tasks one by one.


### Enable VSP logs from HPE iLO GUI

#### Prerequisites

- Virtual Serial Port (VSP) logs must be available in the production setup. Enabling VSP
causes the BIOS to post the error messages to the VSP.


To enable VSP logs, perform the following procedure:

1) Click `iLO Settings` in the left navigation pane and click `Access`.
For HPE iLO 6 users, click `Security` in the left navigation pane and click `Access` under the `iLO Settings` section.
2) Click the `Edit` icon next to the `Virtual Serial Port` section.
3) Select the following options:
  - `View Log`
  - `Virtual Serial Port Log Over CLI`
4) Click `Update`.


### Download VSP logs from HPE iLO GUI

#### Prerequisites

- You have enabled both the `View Log` and `Virtual Serial Port Log Over CLI` options in the
`Virtual Serial Port` section.


To download VSP logs, perform the following procedure:

1) Click `iLO Settings` in the left navigation pane and click `Access`.
For HPE iLO 6 users, click `Security` in the left navigation pane and click `Access` under the `iLO Settings` section.
2) Click the `Edit` icon next to the `Virtual Serial Port` section.
3) Select the `Download Log` option.
4) Click `Update`.


### Extract VSP Logs using CLI

When an HPE iLO operator enables VSP log settings, the system logs serial output activity using VSP.
This activity is logged into a 150-page circular buffer in the HPE iLO memory. The virtual serial port buffer
size is 128 KB. This setting is disabled by default.

A license is required to use this feature. If a license that supports this feature is not installed,
this option is not displayed.

The HPE iLO CLI command `vsp log` shows the status of the VSP log (`Enabled` or `Disabled`).

Note
For information about the available license types, VSP Logs functionality, and its supported features,
refer to the HPE iLO documents located at HPE iLO Documentation Quick Links.

### Asynchronous task creation for the SecureBoot keys

To perform either the enroll or delete operations, HPE iLO creates an
asynchronous task and a process flow as described in the following steps:

1) A user sends a Redfish request to enroll or delete a security key.
2) HPE iLO responds with HTTPS `202` `Accepted` status code.
3) The system creates a task under the following URI:
`/redfish/v1/taskservice/tasks/<taskid>`
The task contains the following attributes:
  - `Payload` - Provided by the user.
  - `TargetUri` - The resource to be created or deleted after reboot.
  - `TaskState` - Initially set to `New`.
4) On the next reboot, HPE BIOS picks up this task and performs one of the
requested operations:
  - Enroll the key
  - Delete the key
5) Monitor the task status at the following URI:
  - `/redfish/v1/taskservice/taskmonitors/<taskid>`
6) After processing the request, the `TaskState` changes to the following
values:
  - `Completed` - Operation succeeded
  - `Exception` - Operation failed


NOTE
- If the task remains in an `Exception` state, perform the following actions:
  1) Retry enrolling or deleting certificates.
Generally, a task gets into an `Exception` state when the certificate that's enrolled already exists in the database.
  2) Enable VSP and then retry to enroll or delete certificates.
  3) Send the VSP logs to the HPE support representative to further investigate the nature of the exception.
- If the task remains in the `New` state, ensure the following points:
  1) System was powered off during the enroll or delete operation.
  2) System is not at the `POST` state.
  3) Ignore the task that is not consumed by BIOS.


### Perform sequential API execution

1) Ensure that the system is not at `POST`.
2) Perform multiple HTTPS requests to enroll or delete SecureBoot keys.
Examples:


- To enroll SecureBoot keys, see the following examples:
  - Perform HTTP `POST` request on the `Certificate` URI:
`/redfish/v1/Systems/1/SecureBoot/SecurebootDatabases/{database_type}/Certificates/`
Supported `DatabaseType` values: PK, KEK, db, dbx, dbr, dbt.

```json
{
  "CertificateString": "-----BEGIN CERTIFICATE-----\n***CertificateData***\n-----END CERTIFICATE-----\n",
  "CertificateType": "PEM"
}
```
  - Perform HTTP `POST` request on the `Signature` URI:
`/redfish/v1/Systems/1/SecureBoot/SecurebootDatabases/{database_type}/Signatures/`
Supported `DatabaseType` values: db, dbx, dbr, dbt.

```json
{
  "SignatureString": "{HashValue}",
  "SignatureType": "EFI_CERT_{Algorithm}_GUID",
  "SignatureTypeRegistry": "UEFI"
}
```
The `{HashValue}` depends on the hash algorithm, such as `SHA256`, `SHA384`, `SHA512`, and so on.
- To delete SecureBoot keys, see the following examples:
  - Perform HTTP `DELETE` request on the `Certificate` URI:
`/redfish/v1/Systems/1/SecureBoot/SecurebootDatabases/{database_type}/Certificates/{Id}` where
`{Id}` is the target to be deleted in the certificate collection.
Supported `DatabaseType` values: PK, KEK, db, dbx, dbr, dbt.
  - Perform HTTP `DELETE` request on the `Signature` URI:
`/redfish/v1/Systems/1/SecureBoot/SecurebootDatabases/{database_type}/Signatures/{Id}` where
`{Id}` is the target to be deleted in the signature collection.
Supported `DatabaseType` values: db, dbx, dbr, dbt.


3) Restart the host system.


## Bios defaults

Bios attributes and OEM Bios resources present factory and user-defined default values.
This paragraph explains how to get and set them. The [next paragraph](#bios-resets)
explains how to reset them to factory and user defaults.

### Default Bios attributes

The current configuration Bios attributes URI
contains a link to a `BaseConfigs[]` array property
that holds the factory attributes and, possibly, custom user-defined
attributes. Default OEM Bios resources (e.g. Bios TLS) are described
in the next paragraph.

The Bios attribute list depends on the server architectures
(Intel, AMD, Ampere).
It may depend, as well, on the ROM version installed in the system.
For these reasons, it is not possible to publish their factory default values
with a long-term validity. Instead, use the methods below to retrieve
them from live systems or from registries available online.

#### Retrieving factory Bios attributes from a live system

Factory Bios attributes and their values are located in the `default` member
of the `BaseConfigs[]` array.
Bios custom user-defined attributes are part of
the `default.user` member of this array.

The following example retrieves factory Bios attributes from
a live system using a generic GET request or iLOrest.

NOTE
The `BaseConfigs[]` URI is different in Gen10, Gen10 Plus, and Gen11 servers.
Refer to the following example for details.

Generic requests

```shell
# Gen10
GET /redfish/v1/Systems/1/Bios/BaseConfigs | jq '.BaseConfigs[] | .default'

# Gen10 Plus and Gen11
GET /redfish/v1/Systems/1/Bios/Oem/Hpe/BaseConfigs | jq '.BaseConfigs[] | .default'
```

iLOrest

```shell
ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest get BaseConfigs/default --json --selector=HpeBaseConfigs
ilorest logout
```

#### Saving and retrieving user-defined Bios attributes

The following example sets various Bios attributes (Gen10, Gen10 Plus, or Gen11)
and requests that they be saved in the `BaseConfigs[]` array.
The server must be rebooted for this modification to be visible
in the `default.user` array member.

NOTE
A PATCH request to the Bios settings URI with a body containing
`"SaveUserDefaults": "Yes"` saves Bios attributes
**and Service Bios attributes** in the `default.user` member
of their respective `BaseConfigs[]` array.

Look for the string "Service Bios" in this documentation section
for more info concerning this HPE Bios extension.

Generic request

```shell
PATCH /redfish/v1/Systems/1/Bios/Settings/
```

Body request

```json
{
    "Attributes": {
        "AdminName": "Toto Content",
        "AdminEmail": "toto.content@koulapic.com",
        "AdminPhone": "+3306789012340",
        "WorkloadProfile": "TransactionalApplicationProcessing",
        "SaveUserDefaults": "Yes"
    }
}
```

cURL

```shell
curl --insecure --silent --location -u <ilo-user>:password \
     --header 'Content-Type: application/json' \
     --request PATCH \
     'https://<ilo-ip>/redfish/v1/Systems/1/Bios/Settings/' \
     --data '{"Attributes": {
          "AdminName": "Toto Content",
          "AdminEmail": "toto.content@koulapic.com", 
          "AdminPhone": "+3306789012340",
          "WorkloadProfile": "TransactionalApplicationProcessing",
          "SaveUserDefaults": "Yes"
     }
}'
```

iLOrest

```shell
ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest select Bios.
ilorest set "AdminName=Toto Content" \
        AdminEmail="toto.content@koulapic.com" \
        AdminPhone="+3306789012340"            \
        WorkloadProfile="TransactionalApplicationProcessing" \
        SaveUserDefaults=Yes
ilorest commit
ilorest reboot ForceRestart
ilorest logout
```

Body response

```json
{
    "error": {
        "code": "iLO.0.10.ExtendedInfo",
        "message": "See @Message.ExtendedInfo for more information.",
        "@Message.ExtendedInfo": [
            {
                "MessageId": "iLO.2.25.SystemResetRequired"
            }
        ]
    }
}
```

The following example reads the Bios attributes `BaseConfigs[]`
array members from a Gen10, Gen10 Plus or Gen11 system
that has been modified with the payload of the previous example.
The array contains two members: `default` and `default.user`.

Refer to the [Bios resets](#bios-resets) paragraph below to apply
user defined attributes.

Generic request

```text
# Gen10
GET /redfish/v1/Systems/{item}/Bios/BaseConfigs

# Gen10 Plus and Gen11
GET /redfish/v1/Systems/{item}/Bios/Oem/Hpe/BaseConfigs
```

cURL

```shell
# Gen10
curl --include --insecure -u username:password --location \
      https://{iLO-ip}/redfish/v1/systems/1/bios/BaseConfigs/

# Gen10 Plus and Gen11
curl --include --insecure -u username:password --location \
      https://{iLO-ip}/redfish/v1/systems/1/bios/Oem/Hpe/BaseConfigs/
```

iLOrest

```shell
# Gen10
ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest rawget --silent /redfish/v1/systems/1/bios/BaseConfigs/
ilorest logout

# Gen10 Plus and Gen11
ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest rawget --silent /redfish/v1/systems/1/bios/Oem/Hpe/BaseConfigs/
ilorest logout
```

Response (truncated)

```json
{
    "@odata.context": "/redfish/v1/$metadata#HpeBaseConfigs.HpeBaseConfigs",
    "@odata.etag": "W/\"D3544D1E7B21CACACAB99143115A5971\"",
    "@odata.id": "/redfish/v1/systems/1/bios/oem/hpe/baseconfigs/",
    "@odata.type": "#HpeBaseConfigs.v2_0_0.HpeBaseConfigs",
    "BaseConfigs": [
        {
            "default": {
                "AMDPerformanceWorkloadProfile": "Disabled",
                "AccessControlService": "Enabled",
                "AcpiHpet": "Enabled",
                "AcpiRootBridgePxm": "Enabled",
                "AcpiSlit": "Enabled",
                "AdminEmail": "",
                "AdminName": "",
                "AdminOtherInfo": "",
                "AdminPhone": "",
                "AdvCrashDumpMode": "Disabled",
                ...
                ...
                "VlanControl": "Disabled",
                "VlanId": 0,
                "VlanPriority": 0,
                "WakeOnLan": "Enabled",
                "WorkloadProfile": "GeneralPowerEfficientCompute",
                "XGMIForceLinkWidth": "Auto",
                "XGMIMaxLinkWidth": "Auto",
                "iSCSISoftwareInitiator": "Enabled"
            }
        },
        {
            "default.user": {
                "AMDPerformanceWorkloadProfile": "Disabled",
                "AccessControlService": "Enabled",
                "AcpiHpet": "Enabled",
                "AcpiRootBridgePxm": "Enabled",
                "AcpiSlit": "Enabled",
                "AdminEmail": "toto.content@koulapic.com",
                "AdminName": "Toto Content",
                "AdminOtherInfo": "Toto est Content",
                "AdminPhone": "+3306789012340",
                "AdvCrashDumpMode": "Disabled",
                ...
                "SaveUserDefaults": "No",
                ...
                "VlanId": 0,
                "VlanPriority": 0,
                "WakeOnLan": "Enabled",
                "WorkloadProfile": "TransactionalApplicationProcessing",
                "XGMIForceLinkWidth": "Auto",
                "XGMIMaxLinkWidth": "Auto",
                "iSCSISoftwareInitiator": "Enabled"
            }
        }
    ],
    "Capabilities": {
        "BaseConfig": true,
        "BaseConfigs": false
    },
    "Id": "baseconfigs",
    "Name": "BIOS Default Settings"
}
```

#### Retrieving default Bios attributes from a registry file

NOTE
The method described in this paragraph for
retrieving factory default Bios attribute values
is only valid for Gen10 Plus and Gen11 servers.

Bios attribute registries can be downloaded from the
HPE Support Center.
Depending on the server you are focusing on,
enter a string similar to this one in the search box of
the HPE Support Center: `RESTful API BIOS Schemas/Registries dl365`.

Download the Schemas/Registry `.zip` file that suits your needs and extract
its content.

Drill down to the `RegistryStore/en` subdirectory and retrieve
the `DefaultValue` property for each Bios attribute.

The following example retrieves the Bios default values (and other properties)
from a DL385 Gen11 server (A55) Bios registry file downloaded from the
HPE Support site.

bash

```shell
jq '.RegistryEntries.Attributes[] | {AttributeName, ReadOnly, Type, MenuPath, DefaultValue}'\
    BiosAttributeRegistryA55.v1_1_60_en.json
```

Output (truncated)

```json
{
  "AttributeName": "WorkloadProfile",
  "DefaultValue": "GeneralPowerEfficientCompute",
  "MenuPath": "./",
  "ReadOnly": false,
  "Type": "Enumeration"
}
{
  "AttributeName": "DynamicPowerCapping",
  "DefaultValue": "Disabled",
  "MenuPath": "./SystemOptions/BootTime",
  "ReadOnly": false,
  "Type": "Enumeration"
}
{
  "AttributeName": "ExtendedMemTest",
  "DefaultValue": "Disabled",
  "MenuPath": "./SystemOptions/BootTime",
  "ReadOnly": false,
  "Type": "Enumeration"
}
....
{
  "AttributeName": "EraseUserDefaults",
  "DefaultValue": "No",
  "MenuPath": "./SysDefaultOptions/UserDefaultOptions",
  "ReadOnly": false,
  "Type": "Enumeration"
}
{
  "AttributeName": "UserDefaultsState",
  "DefaultValue": "Disabled",
  "MenuPath": "./SysDefaultOptions/UserDefaultOptions",
  "ReadOnly": true,
  "Type": "Enumeration"
}
{
  "AttributeName": "UtilityLang",
  "DefaultValue": "English",
  "MenuPath": "./LangSettings",
  "ReadOnly": false,
  "Type": "Enumeration"
}
```
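
The comparison of two registry versions suggested earlier on this page, and the `default` versus `default.user` comparison of a `BaseConfigs[]` response, can be scripted instead of done by hand. The following is an added example, not HPE code: the function names and sample documents are constructed for illustration, and only the properties shown in the outputs on this page are used.

```python
import json

# Registry properties compared per attribute (the ones the jq filter above selects).
TRACKED = ("DefaultValue", "ReadOnly", "Type", "MenuPath")


def index_registry(registry):
    """Map AttributeName -> tracked properties of a Bios attribute registry document."""
    return {
        attr["AttributeName"]: {prop: attr.get(prop) for prop in TRACKED}
        for attr in registry["RegistryEntries"]["Attributes"]
    }


def compare_registries(old_doc, new_doc):
    """Report attributes added, removed or changed between two registry versions."""
    old, new = index_registry(old_doc), index_registry(new_doc)
    changed = {}
    for name in sorted(old.keys() & new.keys()):
        delta = {p: (old[name][p], new[name][p]) for p in TRACKED if old[name][p] != new[name][p]}
        if delta:
            changed[name] = delta
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": changed,
    }


def user_default_overrides(baseconfigs_doc):
    """Return {attribute: (factory, user)} where default.user differs from default."""
    members = {}
    for entry in baseconfigs_doc.get("BaseConfigs", []):
        members.update(entry)  # each array element holds one named member
    factory = members.get("default", {})
    user = members.get("default.user", {})
    return {k: (factory.get(k), user[k]) for k in sorted(user) if factory.get(k) != user[k]}


def _attr(name, default, path, read_only=False):
    return {"AttributeName": name, "DefaultValue": default, "MenuPath": path,
            "ReadOnly": read_only, "Type": "Enumeration"}


# Constructed samples: the shapes follow the outputs on this page, the differences
# between the two registries are illustrative and describe no real ROM versions.
OLD_REGISTRY = {"RegistryEntries": {"Attributes": [
    _attr("WorkloadProfile", "GeneralPowerEfficientCompute", "./"),
    _attr("ExtendedMemTest", "Disabled", "./SystemOptions/BootTime"),
    _attr("DynamicPowerCapping", "Disabled", "./SystemOptions/BootTime"),
]}}
NEW_REGISTRY = {"RegistryEntries": {"Attributes": [
    _attr("WorkloadProfile", "GeneralPowerEfficientCompute", "./"),
    _attr("ExtendedMemTest", "Enabled", "./SystemOptions/BootTime", read_only=True),
    _attr("UserDefaultsState", "Disabled", "./SysDefaultOptions/UserDefaultOptions", read_only=True),
]}}
BASECONFIGS = {"BaseConfigs": [
    {"default": {"AdminName": "", "WakeOnLan": "Enabled",
                 "WorkloadProfile": "GeneralPowerEfficientCompute"}},
    {"default.user": {"AdminName": "Toto Content", "WakeOnLan": "Enabled",
                      "WorkloadProfile": "TransactionalApplicationProcessing"}},
]}

if __name__ == "__main__":
    print(json.dumps(compare_registries(OLD_REGISTRY, NEW_REGISTRY), indent=2))
    print(json.dumps(user_default_overrides(BASECONFIGS), indent=2))
```

With real files, load each document with `json.load()` and pass the result to the same functions.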

### Default HPE Bios resources

In addition to the HPE Bios attributes and their defaults described
in the previous paragraph, other Bios related resources can be managed
and reset to their factory defaults. Depending on the iLO generation,
they may have a different location. Hence, you will have to use a generic
script to locate and retrieve them.

Refer to the following sections for additional information
concerning some of those resources:

- [HTTPS Boot TLS Configuration](/docs/redfishservices/ilos/supplementdocuments/biostlsconf/#https-boot-tls-configuration)
- [iSCSI Software Initiator Configuration](/docs/redfishservices/ilos/supplementdocuments/iscsiconf/)
- [Secureboot databases](/docs/concepts/securebootdatabases/)


The following script retrieves the location and data type of
Bios configuration attributes and resources,
except HPE Service Bios attributes for the reason mentioned earlier
in this section.

iLOrest script

```bash
# The following script retrieves HPE Bios configuration links, prints them as well
# as their respective data type.

# Log in to the remote iLO
ilorest login <ilo-ip> -u <ilo-user> -p password

# Retrieve HPE Bios configuration links
BiosLinksURI='/redfish/v1/systems/1/bios/?$select=Oem/Hpe/Links'
BiosConfigLinks=$(ilorest rawget --silent "$BiosLinksURI" | \
          jq '.Oem.Hpe.Links')

# Extract HPE Bios configuration URIs (quoted so the shell does not glob or split the JSON)
URIs=$(echo "$BiosConfigLinks" | jq -r '..|."@odata.id"?'  | grep -v null)

# Print HPE Bios URIs and their data type
for uri in $URIs ; do
    echo -n -e "Resource type of ${uri}:\t\t"
    ilorest rawget --silent "${uri}" | \
            jq '."@odata.type"'   | \
            awk -F. '{print $NF}' | \
            tr -d "\""
done

# logout
ilorest logout
```

iLO 5 output

```text
Resource type of /redfish/v1/systems/1/bios/baseconfigs/:        HpeBaseConfigs
Resource type of /redfish/v1/systems/1/bios/boot/:               HpeServerBootSettings
Resource type of /redfish/v1/systems/1/bios/kmsconfig/:          HpeKmsConfig
Resource type of /redfish/v1/systems/1/bios/mappings/:           HpeBiosMapping
Resource type of /redfish/v1/systems/1/bios/serverconfiglock/:   HpeServerConfigLock
Resource type of /redfish/v1/systems/1/bios/tlsconfig/:          HpeTlsConfig
Resource type of /redfish/v1/systems/1/bios/iscsi/:              HpeiSCSISoftwareInitiator
```

iLO 6 output

```text
Resource type of /redfish/v1/systems/1/bios/oem/hpe/baseconfigs/:       HpeBaseConfigs
Resource type of /redfish/v1/systems/1/bios/oem/hpe/boot/:              HpeServerBootSettings
Resource type of /redfish/v1/systems/1/bios/oem/hpe/kmsconfig/:         HpeKmsConfig
Resource type of /redfish/v1/systems/1/bios/oem/hpe/mappings/:          HpeBiosMapping
Resource type of /redfish/v1/systems/1/bios/oem/hpe/serverconfiglock/:  HpeServerConfigLock
Resource type of /redfish/v1/systems/1/bios/oem/hpe/tlsconfig/:         HpeTlsConfig
Resource type of /redfish/v1/systems/1/bios/oem/hpe/iscsi/:             HpeiSCSISoftwareInitiator
```

HPE OEM Bios resources
(except `HpeMappings`, but including the Service Bios extension)
contain a link to a `BaseConfigs` URI. This URI contains the factory
default configuration of the related resource. This configuration is
in the `default` member of a `BaseConfigs[]` array.

The following example retrieves the HPE Bios TLS default
configuration URI from an iLO 6.

iLOrest

```shell
ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest select HpeTlsConfig.
ilorest list Oem/Hpe/Links/BaseConfigs --json  | \
        jq -r '..|."@odata.id"?'  | grep -v null

# Or

ilorest rawget --silent "/redfish/v1/Systems/1/bios/oem/hpe/tlsconfig" | \
        jq '.Oem.Hpe.Links.BaseConfigs'
ilorest logout
```

cURL

```shell
curl --silent --insecure -u <ilo-user>:password \
     'https://<ilo-ip>/redfish/v1/systems/1/bios/oem/hpe/tlsconfig' | \
     jq '.Oem.Hpe.Links.BaseConfigs'
```

Response body

```json
{
  "@odata.id": "/redfish/v1/systems/1/bios/oem/hpe/tlsconfig/baseconfigs/"
}
```

## BIOS resets

This paragraph explains how to reset Bios attributes and
OEM Bios related resources to factory defaults and user defaults.

TIP
The iLOrest user guide contains a
[dedicated section](/docs/redfishclients/ilorest-userguide/bioscommands/)
for Bios related commands.

### Reset Bios attributes to factory defaults

The generic
[concepts/BIOS data model](/docs/concepts/biosdatamodel/#reset-bios-settings-action)
section contains an example to reset the Bios attributes to their factory
default values, using the `Bios.ResetBios` standard Redfish
[action](/docs/concepts/performing_actions/) against an **HPE iLO 6**
based server. After performing this action and a reboot of the server,
the Bios attributes are reset to the values contained in the `default`
member of the `BaseConfigs[]` array mentioned in
the [Default Bios attributes](#default-bios-attributes) paragraph.

The following example resets Bios attributes to factory defaults
using the `Bios.ResetBios` action and cURL against an **iLO 6** based server.
Refer to the
[iLOrest user guide](/docs/redfishclients/ilorest-userguide/bioscommands/#biosdefaults-command)
for performing the same action with iLOrest.

Generic request

```text
POST /redfish/v1/Systems/1/Bios/Actions/Bios.ResetBios

Payload:
{}
```

cURL

```shell
curl --insecure --silent --location -u <ilo-user>:password \
     'https://<ilo-ip>/redfish/v1/systems/1/bios/Actions/Bios.ResetBios/' \
     --request POST \
     --header 'Content-Type: application/json' \
     --data '{}'
```

The following example resets Bios attributes to factory defaults
using the `Bios.ResetBios` action and cURL against an **HPE iLO 5**
based server. Refer to the
[iLOrest user guide](/docs/redfishclients/ilorest-userguide/bioscommands/#biosdefaults-command)
for performing the same action with iLOrest.

Generic request

```text
POST /redfish/v1/Systems/1/Bios/Settings/Actions/Bios.ResetBios

Payload:
{
    "Action": "Bios.ResetBios"
}
```

cURL

```shell
curl --insecure --silent --location  -u <ilo-user>:password \
      'https://<ilo-ip>/redfish/v1/Systems/1/Bios/Settings/Actions/Bios.ResetBios' \
     --request POST                 \
     --header 'Content-Type: application/json' \
     --data '{
                "Action": "Bios.ResetBios"
             }'
```

NOTE
A Python example using the `Bios.ResetBios` action and
the HPE Python Library is available on GitHub.

The following example resets Bios attributes to factory
defaults using a PUT request against the
Bios attributes settings location. This example is valid for both
HPE iLO 5 and iLO 6 based servers.

Generic request

```text
PUT /redfish/v1/Systems/1/Bios/Settings

Payload:
{
    "Attributes": {
        "BaseConfig": "default"
    }
}
```

cURL

```shell
curl --insecure --silent -u <ilo-user>:password --location \
     --request PUT 'https://<ilo-ip>/redfish/v1/systems/1/bios/settings' \
     --header 'Content-Type: application/json' \
     --data '{
         "Attributes": {
             "BaseConfig": "default"
         }
     }'
```

TIP
You can easily view the attribute values that will be restored with
iLOrest and its `pending`
[command](/docs/redfishclients/ilorest-userguide/ilocommands/#pending-command)
before restarting the server.

NOTE
The `BaseConfig` Bios attribute might not be visible
in the current BIOS or BIOS settings resources.

### Reset Bios attributes to user defaults

HPE allows the saving of custom Bios attributes of iLO based systems.
As mentioned
[earlier](/docs/redfishservices/ilos/supplementdocuments/biosdoc/#default-bios-attributes),
these user-defined Bios attributes are stored in
the `default.user` member of the `BaseConfigs[]` array.

NOTE
The HPE Service Bios extension also contains a `default.user` object
under the `/redfish/v1/Systems/1/Bios/Oem/Hpe/Baseconfigs` URI that can be
customized as mentioned earlier in this documentation section.

The following example retrieves the default user-defined Bios attributes
from an HPE iLO 6.

Generic request

```text
GET /redfish/v1/systems/1/bios/Oem/Hpe/BaseConfigs/
```

cURL

```shell
curl --insecure --silent --location -u <ilo-user>:password \
     'https://<ilo-ip>/redfish/v1/systems/1/bios/Oem/Hpe/BaseConfigs' | \
     jq '.BaseConfigs[] | ."default.user"'
```

iLOrest

```shell
ilorest login 
ilorest rawget --silent /redfish/v1/systems/1/bios/Oem/Hpe/BaseConfigs | \
        jq '.BaseConfigs[] | ."default.user"'
ilorest logout
```

Output (truncated)

```json
null
{
  "AMDPerformanceWorkloadProfile": "Disabled",
  "AccessControlService": "Enabled",
  "AcpiHpet": "Enabled",
  "AcpiRootBridgePxm": "Enabled",
  "AcpiSlit": "Enabled",
  "AdminEmail": "titi.content@koulapic.com",
  "AdminName": "Titi Content",
  "AdminOtherInfo": "Toto est Content",
  "AdminPhone": "+3306789012340",
  ...
  ...
  "WakeOnLan": "Enabled",
  "WorkloadProfile": "TransactionalApplicationProcessing",
  "XGMIForceLinkWidth": "Auto",
  "XGMIMaxLinkWidth": "Auto",
  "iSCSISoftwareInitiator": "Enabled"
}
```

The following example resets the Bios attributes to the user default settings.
This PUT request is valid against iLO 5 and iLO 6 based servers.

Generic request

```text
PUT /redfish/v1/systems/1/bios/settings

Payload:
{
    "Attributes": {
        "BaseConfig": "default.user"
    }
}
```

cURL

```shell
curl --insecure --silent --location -u <ilo-user>:password \
     --header "Content-Type: application/json" \
     --request PUT --data '{"Attributes":{"BaseConfig": "default.user"}}' \
     https://<ilo-ip>/redfish/v1/Systems/1/bios/settings/
```

iLOrest

```shell
ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest biosdefaults --userdefaults
ilorest reboot ForceRestart
ilorest logout
```

NOTE
To reset the Service Bios extension attributes to the `default.user` values,
send a PUT request
with the same payload as in the previous example
to the corresponding settings area
(`/redfish/v1/systems/1/Bios/Oem/Hpe/Service/Settings`).
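Before sending a `BaseConfig` reset, it helps to see which attributes it will change. The following Python sketch is an added example, not code from HPE or iLOrest: it selects a named member of `BaseConfigs[]` and compares it with the `Attributes` of the current Bios resource. The function names and the sample bodies are assumptions constructed for illustration.

```python
import json

# Constructed sample bodies (not real server output). Attribute names come
# from the truncated output on this page; the values are made up.
BASECONFIGS_BODY = json.loads("""
{"BaseConfigs": [
  {"default":      {"WakeOnLan": "Disabled", "AcpiHpet": "Enabled",
                    "AccessControlService": "Disabled"}},
  {"default.user": {"WakeOnLan": "Enabled", "AcpiHpet": "Enabled",
                    "AccessControlService": "Enabled"}}
]}
""")
CURRENT_BIOS_BODY = {"Attributes": {
    "WakeOnLan": "Disabled", "AcpiHpet": "Enabled",
    "AccessControlService": "Disabled", "AdminName": "Titi Content"}}


def get_base_config(baseconfigs_body, name):
    """Return the attribute set stored under `name` in BaseConfigs[]."""
    for member in baseconfigs_body.get("BaseConfigs", []):
        # Each array member is an object keyed by its configuration name,
        # which is why the jq filter prints null for the other members.
        if isinstance(member, dict) and isinstance(member.get(name), dict):
            return member[name]
    raise LookupError(f"BaseConfigs[] has no '{name}' member")


def preview_reset(bios_body, baseconfigs_body, name="default.user"):
    """Return (changed, not_in_baseline, payload) for a BaseConfig reset."""
    current = bios_body.get("Attributes", {})
    baseline = get_base_config(baseconfigs_body, name)
    # attribute -> (value now, value after the reset and reboot)
    changed = {key: (current.get(key), value)
               for key, value in sorted(baseline.items())
               if current.get(key) != value}
    # Attributes the baseline does not list; assumed untouched by the reset.
    not_in_baseline = sorted(set(current) - set(baseline))
    payload = {"Attributes": {"BaseConfig": name}}  # body of the PUT request
    return changed, not_in_baseline, payload


if __name__ == "__main__":
    changed, extra, payload = preview_reset(CURRENT_BIOS_BODY, BASECONFIGS_BODY)
    for key, (old, new) in changed.items():
        print(f"{key}: {old!r} -> {new!r}")
    print("not in baseline:", extra)
    print("PUT payload:", json.dumps(payload))
```

A `LookupError` from `get_base_config` means that no configuration of that name is stored, which matches a `jq` output consisting only of `null` lines.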

### Reset Bios attributes and HPE Bios resources

HPE iLO can reset both Bios attributes and Bios
related properties to their factory defaults in a single operation, using
the OEM HPE property `RestoreManufacturingDefaults`.

From the `BiosSettingsUri` endpoint, you only need to PATCH
the `RestoreManufacturingDefaults`
property in the request body with the `Yes` value and then reset the server.

The following example resets Bios attributes and Bios related properties
to their factory defaults using cURL and iLOrest.

TIP
As shown in the following example, you can use
the `ilorest biosdefaults --manufacturingdefaults`
[command](/docs/redfishclients/ilorest-userguide/bioscommands/#biosdefaults-command)
to perform this operation, and then reboot the server.

Generic request

```text
PATCH /redfish/v1/Systems/1/Bios/Settings/

Payload:
{
    "Attributes":{
        "RestoreManufacturingDefaults":"Yes"
        }
}
```

cURL

```shell
curl --insecure --silent --location -u <ilo-user>:password \
     --header "Content-Type: application/json" \
     --request PATCH --data '{"Attributes":{"RestoreManufacturingDefaults":"Yes"}}' \
     https://<ilo-ip>/redfish/v1/Systems/1/bios/settings/
```

iLOrest

```shell
ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest biosdefaults --manufacturingdefaults
ilorest reboot ForceRestart
ilorest logout
```

If you just need to reset a single Bios resource set,
send a PUT request to its settings URI and then restart the server.
The following example resets the `TlsConfig` Bios resources using cURL
and iLOrest against an HPE iLO 6 based system.

Generic request

```text
PUT /redfish/v1/systems/1/bios/oem/hpe/tlsconfig/settings

Payload:
{
    "BaseConfig": "default"
}
```

cURL

```shell
curl --insecure --silent --location \
     --request PUT 'https://<ilo-ip>/redfish/v1/systems/1/bios/oem/hpe/tlsconfig/settings' \
     --header 'Content-Type: application/json' \
     --header 'X-Auth-Token: a9fb364e8fc6eb9f33dfb7c7910bed1c' \
     --data '{
        "BaseConfig": "default"
     }'
```

iLOrest

```shell
ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest rawput TlsDefault.json
ilorest pending
ilorest reboot ForceRestart
ilorest logout

cat TlsDefault.json
{
  "/redfish/v1/systems/1/bios/oem/hpe/tlsconfig/settings": {
    "BaseConfig": "default"
  }
}
```

TIP
The reset to the default `BaseConfig` configuration can be
combined with other property value changes.
This makes it possible to first reset everything to
default and then apply some specific settings with
only one system reboot.

The following example resets the Bios TLS configuration to its
defaults and sets `VerifyMode` to a specific value
(different from the default) on an HPE iLO 5 based system.

Generic request

```text
PUT /redfish/v1/systems/1/bios/tlsconfig/settings

Payload:
{
    "BaseConfig": "default",
    "VerifyMode": "NONE"
}
```

cURL

```shell
curl --insecure --silent --location -u username:password  \
     --header "Content-Type: application/json" \
     -X PUT --data '{"BaseConfig": "default", "VerifyMode": "NONE"}' \
     https://{iLO}/redfish/v1/systems/1/bios/tlsconfig/settings
```

iLOrest

```shell
ilorest login <ilo-ip> -u <ilo-user> -p password
ilorest rawput TLSdata.json
ilorest reboot ColdBoot
ilorest logout

cat TLSdata.json
{
  "/redfish/v1/systems/1/bios/tlsconfig/settings": {
    "BaseConfig": "default",
    "VerifyMode": "NONE"
  }
}
```

TIP
Use the Action specified in the Service Bios extension URI to
reset these attributes to
their factory defaults.