Power8 System Firmware
Applies to: 8247-22L;
8284-22A; 8286-41A and 8286-42A.
This document provides information about the installation of
Licensed
Machine or Licensed Internal Code, which is sometimes referred to
generically
as microcode or firmware.
Contents
1.0
Systems Affected
This
package provides firmware for Power System S822L (8247-22L), Power
System S822
(8284-22A), Power System S814 (8286-41A) and Power System S824
(8286-42A) servers
only.
The firmware level in this package is:
1.1 Minimum HMC Code Level
This section is intended to describe the "Minimum HMC Code Level"
required by the System Firmware to complete the firmware installation
process. When installing the System Firmware, the HMC level must be
equal to or higher than the "Minimum HMC Code Level" before starting
the system firmware update. If the HMC managing the server
targeted for the System Firmware update is running a code level lower
than the "Minimum HMC
Code Level" the firmware update will not proceed.
The
Minimum HMC Code level for
this firmware is: HMC V8 R8.1.0
(PTF MH01419) with Mandatory efix (PTF MH01421).
Although
the Minimum HMC Code level for this firmware is listed
above, HMC V8 R8.1.0
(PTF MH01419) with Mandatory efix (PTF MH01421) and security fix (PTF
MH01436), or higher is
recommended.
For information concerning HMC
releases and the latest PTFs,
go
to the following URL to access Fix Central:
http://www-933.ibm.com/support/fixcentral/
For specific fix level
information on key components of IBM
Power Systems running the AIX, IBM i and Linux operating systems, we
suggest using the Fix Level Recommendation Tool (FLRT):
http://www14.software.ibm.com/webapp/set2/flrt/home
NOTES:
-You must be logged in as hscroot in order for the
firmware
installation to complete correctly.
- Systems Director Management Console (SDMC) does not support this
System Firmware level.
2.0 Important
Information
Downgrading firmware from any
given release level to an earlier release level is not recommended.
If you feel that it is
necessary to downgrade the firmware on
your system to an earlier release level, please contact your next level
of support.
IPv6 Support and
Limitations
IPv6 (Internet Protocol version 6)
is supported in the System
Management
Services (SMS) in this level of system firmware. There are several
limitations
that should be considered.
When configuring a network interface
card (NIC) for remote IPL, only
the most recently configured protocol (IPv4 or IPv6) is retained. For
example,
if the network interface card was previously configured with IPv4
information
and is now being configured with IPv6 information, the IPv4
configuration
information is discarded.
A single network interface card
may only be chosen once for the boot
device list. In other words, the interface cannot be configured for the
IPv6 protocol and for the IPv4 protocol at the same time.
Concurrent Firmware Updates
Concurrent system firmware update is only supported on HMC Managed
Systems
only.
Memory
Considerations for
Firmware Upgrades
Firmware Release Level upgrades
and Service Pack updates may consume
additional system memory.
Server firmware requires memory to
support the logical partitions on
the server. The amount of memory required by the server firmware varies
according to several factors.
Factors influencing server
firmware memory requirements include the
following:
- Number of logical partitions
- Partition environments of the logical
partitions
- Number of physical and virtual I/O devices
used by the logical partitions
- Maximum memory values given to the logical
partitions
Generally, you can estimate the
amount of memory required by server
firmware to be approximately 8% of the system installed memory. The
actual amount required will generally be less than 8%. However, there
are some server models that require an absolute minimum amount of
memory for server firmware, regardless of the previously mentioned
considerations.
Additional information can be
found at:
http://www-01.ibm.com/support/knowledgecenter/8286-42A/p8hat/p8hat_lparmemory.htm
3.0 Firmware
Information
Use the following examples as a reference to determine whether your
installation
will be concurrent or disruptive.
For systems that are not managed by an HMC, the installation
of
system
firmware is always disruptive.
Note: The concurrent levels
of system firmware may, on occasion,
contain
fixes that are known as Deferred and/or Partition-Deferred. Deferred
fixes can be installed
concurrently, but will not be activated until the next IPL.
Partition-Deferred fixes can be installed concurrently, but will not be
activated until a partition reactivate is performed. Deferred
and/or Partition-Deferred
fixes,
if any, will be identified in the "Firmware Update Descriptions" table
of this document. For these types
of fixes (Deferred and/or
Partition-Deferred) within a service pack, only the
fixes
in the service pack which cannot be concurrently activated are
deferred.
Note: The file names and service pack levels used in the
following
examples are for clarification only, and are not
necessarily levels that have been, or will be released.
System firmware file naming convention:
01SVxxx_yyy_zzz
- xxx is the release level
- yyy is the service pack level
- zzz is the last disruptive service pack level
NOTE: Values of service pack and last disruptive service pack
level
(yyy and zzz) are only unique within a release level (xxx). For
example,
01SV810_040_040 and 01SV820_040_045 are different service
packs.
An installation is disruptive if:
- The release levels (xxx) are
different.
Example:
Currently installed release is 01SV810_040_040,
new release is 01SV820_050_050.
- The service pack level (yyy) and the last disruptive
service
pack level (zzz) are the same.
Example:
SV810_040_040 is disruptive, no matter what
level of SV810 is currently
installed on the system.
- The service pack level (yyy) currently installed on the
system
is
lower than the last disruptive service pack level (zzz) of the service
pack to be installed.
Example:
Currently installed service pack is SV810_040_040 and new service
pack is SV810_040_045.
An installation is concurrent if:
The release level (xxx) is the same, and
The service pack level (yyy) currently installed on the system
is the same or higher than the last disruptive service pack level (zzz)
of the service pack to be installed.
Example: Currently installed service pack is SV810_040_040, new
service pack is SV810_058_040.
3.1 Firmware
Information
and Description
Filename |
Size |
Checksum |
01SV810_058_054.rpm
|
91813475
|
28286 |
Note: The Checksum can be found by running the AIX sum
command against
the rpm file (only the first 5 digits are listed).
ie: sum 01SV810_058_054.rpm
SV810
For Impact, Severity and other Firmware definitions, Please
refer to the below 'Glossary of firmware terms' url:
http://www14.software.ibm.com/webapp/set2/sas/f/power5cm/home.html#termdefs
The complete Firmware Fix History for this
Release Level can be
reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/SV-Firmware-Hist.html
|
SV810_058_054 / FW810.01
06/23/14 |
Impact: Security
Severity: HIPER
System firmware changes that affect all systems
- HIPER/Pervasive:
A security problem was fixed in the OpenSSL (Secure Socket Layer)
protocol that allowed clients and servers, via a specially crafted
handshake packet, to use weak keying material for communication.
A man-in-the-middle attacker could use this flaw to decrypt and modify
traffic between the management console and the service processor.
The Common Vulnerabilities and Exposures issue number for this problem
is CVE-2014-0224.
- HIPER/Pervasive:
A security problem was fixed in OpenSSL for a buffer overflow in the
Datagram Transport Layer Security (DTLS) when handling invalid DTLS
packet fragments. This could be used to execute arbitrary code on
the service processor. The Common Vulnerabilities and Exposures
issue number for this problem is CVE-2014-0195.
- HIPER/Pervasive:
Multiple security problems were fixed in the way that OpenSSL handled
read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was
enabled to prevent denial of service. These could cause the
service processor to reset or unexpectedly drop connections to the
management console when processing certain SSL commands. The
Common Vulnerabilities and Exposures issue numbers for these problems
are CVE-2010-5298 and CVE-2014-0198.
- HIPER/Pervasive:
A security problem was fixed in OpenSSL to prevent a denial of service
when handling certain Datagram Transport Layer Security (DTLS)
ServerHello requests. A specially crafted DTLS handshake packet could
cause the service processor to reset. The Common Vulnerabilities
and Exposures issue number for this problem is CVE-2014-0221.
- HIPER/Pervasive:
A security problem was fixed in OpenSSL to prevent a denial of service
by using an exploit of a null pointer de-reference during anonymous
Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially
crafted handshake packet could cause the service processor to
reset. The Common Vulnerabilities and Exposures issue number for
this problem is CVE-2014-3470.
- A problem was fixed for hardware dumps on the service
processor so that valid dump data could be collected from multiple
processor checkstops. Previously, the hardware data from multiple
processor checkstops would only be correct for the first processor.
- A problem was fixed for platform dumps so that certain
operations would work after the platform dump completed.
Operations such as firmware updates or reset/reloads of the service
processor after a platform dump would cause the service processor to
become inaccessible.
|
SV810_054_054 / FW810.00
06/10/14 |
Impact:
New
Severity: New
New Features and Functions
- GA Level
NOTE:
- POWER8 firmware
addresses the security problem in the OpenSSL Transport Layer Security
(TLS) and Datagram Transport Layer Security (DTLS) to not allow
Heartbeat Extension packets to trigger a buffer over-read to steal
private keys for the encrypted sessions on the service processor.
The Common Vulnerabilities and Exposures issue number is CVE-2014-0160
and it is also known as the heartbleed vulnerability.
- POWER8 (and later) servers include an “update access key”
that is checked when system firmware updates are applied to the
system. The initial update access keys include an expiration date
which is tied to the product warranty. System firmware updates will not
be processed if the calendar date has passed the update access key’s
expiration date, until the key is replaced. As these update
access keys expire, they need to be replaced using either the Hardware
Management Console (HMC) or the Advanced Management Interface (ASMI) on
the service processor. Update access keys can be obtained via the
key management website: http://www.ibm.com/servers/eserver/ess/index.wss
.
|
4.0
How to Determine The Currently Installed Firmware Level
For HMC managed systems:
From the HMC, select Updates in the navigation (left-hand) pane, then
view the current levels of the desired server(s).
For
standalone system running IBM i
without an HMC:
From a command line, issue DSPFMWSTS.
For standalone system running IBM AIX
without an HMC:
From a command line, issue lsmcode.
Alternately, use the Advanced System
Management Interface (ASMI) Welcome pane. The current server
firmware appears in the top right
corner.
Example: SV810_yyy.
5.0
Downloading the Firmware Package
Follow the instructions on Fix Central. You must read and agree to
the
license agreement to obtain the firmware packages.
Note: If your HMC is not internet-connected you will need
to
download
the new firmware level to a USB flash memory device or ftp server.
6.0 Installing the
Firmware
The method used to install new firmware will depend on the release
level
of firmware which is currently installed on your server. The release
level
can be determined by the prefix of the new firmware's filename.
Example: SVxxx_yyy_zzz
Where xxx = release level
- If the release level will stay the same (Example: Level
SV810_040_040 is
currently installed and you are attempting to install level
SV810_058_040)
this is considered an update.
- If the release level will change (Example: Level SV810_040_040 is
currently
installed and you are attempting to install level SV820_050_050) this
is
considered an upgrade.
HMC Managed Systems:
Instructions for installing firmware updates and upgrades on
systems
managed by an HMC can be found at:
http://www-01.ibm.com/support/knowledgecenter/8286-42A/p8ha1/updupdates.htm
Systems not
Managed by an HMC:
Power Systems:
Instructions for installing firmware on systems that are not
managed
by an HMC can be found at:
http://www-01.ibm.com/support/knowledgecenter/8286-42A/p8ha5/fix_serv_firm_kick.htm
IBM i Systems:
Refer to "IBM i Support: Recommended Fixes":
http://www-912.ibm.com/s_dir/slkbase.nsf/recommendedfixes
7.0 Firmware History
The complete Firmware Fix History for this Release Level can be
reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/SV-Firmware-Hist.html