01AM770_123_032.html Power7 System Firmware
Applies to: 8248-L4T, 8408-E8D, 9109-RMD, 9117-MMC and 9179-MHC This document
provides information about the installation of Licensed Machine or Licensed
Internal Code, which is sometimes referred to generically as microcode or
firmware.
----------------------------------------------------------------------------------
Contents
* 1.0 Systems Affected
* 1.1 Minimum HMC Code Level
* 2.0 Important Information
* 3.0 Firmware Information and Description
* 4.0 How to Determine Currently Installed Firmware Level
* 5.0 Downloading the Firmware Package
* 6.0 Installing the Firmware
* 7.0 Firmware History
----------------------------------------------------------------------------------
1.0 Systems Affected
This package provides firmware for Power 750 (8408-E8D), Power 760
(9109-RMD), Power 770 (9117-MMC), Power 780 (9179-MHC) and PowerLinux 7R4
(8248-L4T) serversonly.
The firmware level in this package is:
* AM770_123 / FW770.93
----------------------------------------------------------------------------------
1.1 Minimum HMC Code Level
This section is intended to describe the "Minimum HMC Code Level" required
by the System Firmware to complete the firmware installation process. When
installing the System Firmware, the HMC level must be equal to or higher than
the "Minimum HMC Code Level" before starting the system firmware update. If
the HMC managing the server targeted for the System Firmware update is running
a code level lower than the "Minimum HMC Code Level" the firmware update will
not proceed.
Note: Due to security enhancements and their impact on the ability to use ASM
at older HMC levels, the Minimum and Recommended HMC Code level for this
firmware is listed below:
HMC V7 R7.9.0 Service Pack 3 (PTF MH01546) with ifix (PTF MH01699) or higher
is recommended.
Important: To avoid vulnerability to security or known HMC issues, the HMC
should be updated to the above recommended level (or higher), prior to
installing this server firmware level.
Note: V7 R790 SP3 : HMC V7.R790 is the last HMC release to support HMC
Models CR4, CR3, C07, C06, C05
For information concerning HMC releases and the latest PTFs, go to the
following URL to access Fix Central.
http://www-933.ibm.com/support/fixcentral/
For specific fix level information on key components of IBM Power Systems
running the AIX, IBM i and Linux operating systems, we suggest using the Fix
Level Recommendation Tool (FLRT):
http://www14.software.ibm.com/webapp/set2/flrt/home
NOTES:
-You must be logged in as hscroot in order for the firmware
installation to complete correctly.
- Systems Director Management Console (SDMC) does not support
this System Firmware level.
2.0 Important Information
Downgrading firmware from any given release level to an earlier release level
is not recommended.
If you feel that it is necessary to downgrade the firmware on your system to
an earlier release level, please contact your next level of support.
IPv6 Support and Limitations
IPv6 (Internet Protocol version 6) is supported in the System Management
Services (SMS) in this level of system firmware. There are several limitations
that should be considered.When configuring a network interface card (NIC) for
remote IPL, only the most recently configured protocol (IPv4 or IPv6) is
retained. For example, if the network interface card was previously configured
with IPv4 information and is now being configured with IPv6 information, the
IPv4 configuration information is discarded.
single network interface card may only be chosen once for the boot device
list. In other words, the interface cannot be configured for the IPv6 protocol
and for the IPv4 protocol at the same time.
Concurrent Firmware Updates
Concurrent system firmware update is only supported on HMC Managed Systems
only.
Memory Considerations for Firmware Upgrades
Firmware Release Level upgrades and Service Pack updates may consume
additional system memory.
Server firmware requires memory to support the logical partitions on the
server. The amount of memory required by the server firmware varies according
to several factors.
Factors influencing server firmware memory requirements include the following:
* Number of logical partitions
* Partition environments of the logical partitions
* Number of physical and virtual I/O devices used by the logical
partitions
* Maximum memory values given to the logical partitions
Generally, you can estimate the amount of memory required by server firmware
to be approximately 8% of the system installed memory. The actual amount
required will generally be less than 8%. However, there are some server models
that require an absolute minimum amount of memory for server firmware,
regardless of the previously mentioned considerations.
Additional information can be found at:
https://www.ibm.com/support/knowledgecenter/8408-E8D/p7hat/iphatlparmemory.htm
----------------------------------------------------------------------------------
3.0 Firmware Information and Description
Use the following examples as a reference to determine whether your
installation will be concurrent or disruptive.For systems that are not managed
by an HMC, the installation of system firmware is always disruptive.
Note: The concurrent levels of system firmware may, on occasion, contain
fixes that are known as Deferred and/or Partition-Deferred. Deferred fixes can
be installed concurrently, but will not be activated until the next IPL.
Partition-Deferred fixes can be installed concurrently, but will not be
activated until a partition reactivate is performed. Deferred and/or
Partition-Deferred fixes, if any, will be identified in the "Firmware Update
Descriptions" table of this document. For these types of fixes (Deferred and/or
Partition-Deferred) within a service pack, only the fixes in the service pack
which cannot be concurrently activated are deferred.
Note: The file names and service pack levels used in the following examples
are for clarification only, and are not necessarily levels that have been, or
will be released.
System firmware file naming convention:
01AMXXX_YYY_ZZZ
* XXX is the release level
* YYY is the service pack level
* ZZZ is the last disruptive service pack level NOTE: Values of service pack
and last disruptive service pack level (YYY and ZZZ) are only unique within a
release level (XXX). For example, 01AM720_067_045 and 01AM740_067_053 are
different service packs. An installation is disruptive if:
* The release levels (XXX) are different. Example: Currently installed
release is AM710, new release is AM720
* The service pack level (YYY) and the last disruptive service pack level
(ZZZ) are the same. Example: AM720_120_120 is disruptive, no matter what level
of AM720 is currently installed on the system
* The service pack level (YYY) currently installed on the system is lower
than the last disruptive service pack level (ZZZ) of the service pack to be
installed. Example: Currently installed service pack is AM720_120_120 and new
service pack is AM720_152_130An installation is concurrent if:
The release level (XXX) is the same, and
The service pack level (YYY) currently installed on the system is the same or
higher than the last disruptive service pack level (ZZZ) of the service pack to
be installed.
Example: Currently installed service pack is AM720_126_120, new service pack
is AM720_143_120.
Firmware Information and Update Description
Filename Size Checksum md5sum 01AM770_123_032.rpm 44038392
23266
f6546a8a2a31b331973cab411f84d476
Note: The Checksum can be found by running the AIX sum command against the
rpm file (only the first 5 digits are listed).
ie: sum 01AM770_123_032.rpm
AM770
For Impact, Severity and other Firmware definitions, Please refer to the below
'Glossary of firmware terms' url:
http://www14.software.ibm.com/webapp/set2/sas/f/power5cm/home.html#termdefs
The following Fix description table will only contain the N (current) and N-1
(previous) levels.
The complete Firmware Fix History (including HIPER descriptions) for this
Release Level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html
AM770_123_032 / FW770.93
03/02/18 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Availability Severity: SPESystem firmware changes that affect
certain systems
* On systems running IBM i partitions at IBM i V6R1 or V7R1 at less than TR5,
a problem was fixed for IBM i partitions failing to boot with SRC B600690B. If
the IBMi partition is running, a DLPAR add of I/O may fail. This problem was
introduced with FW770.90 and is present in FW770.91 and FW770.92 and always
happens at these levels. The problem can be resolved by moving up to OS IBM i
7.1 TR5 or later level, if the update to the fixed firmware level is not
wanted. This problem only pertains to the following models that are able to
run IBM i partitions:
1) IBM Power 750 Express (8408-E8D)
2) IBM Power 760 (9109-RMD)
3) IBM Power 770 (9117-MMC)
4) IBM Power 780 (9179-MHC)
For more information, see the following IBM Tech Note:
https://www.ibm.com/support/docview.wss?uid=nas8N1022482
AM770_122_032 / FW770.92
01/31/18 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Security Severity: SPEResponse for Recent Security
Vulnerabilities
* In response to recently reported security vulnerabilities, this firmware
update is being released to address Common Vulnerabilities and Exposures issue
number CVE-2017-5715. In addition, Operating System updates are available to
mitigate the CVE-2017-5753 and CVE-2017-5754 security issues. This pertains to
the following models:
1) IBM Power 770 (9117-MMC)
2) IBM Power 780 (9179-MHC)
This firmware update also addresses CVE-2017-5715 for IBM i, along with
updates for AIX and Linux, for the following models:
1) IBM Power 750 Express (8408-E8D)
2) IBM Power 760 (9109-RMD)
3) IBM PowerLinux 7R4 (8248-L4T)
AM770_120_032 / FW770.91
01/09/18 Systems 8408-E8D; 8248-L4T; and 9109-RMD ONLY Impact: Security
Severity: SPENew features and functions
* In response to recently reported security vulnerabilities, this firmware
update is being released to address Common Vulnerabilities and Exposures issue
numbers CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754. Note that a
subsequent FW release is required and will replace this FW update for
CVE-2017-5715 for IBMi when available. In addition, Operating System updates
are required in conjunction with this FW level for CVE-2017-5753 and
CVE-2017-5754.
The models addressed by this service pack update have the P7+ processor:
1) IBM Power 750 Express (8408-E8D)
2) IBM Power 760 (9109-RMD)
3) IBM PowerLinux 7R4 (8248-L4T)
AM770_119_032 / FW770.90
12/13/17 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Availability Severity: SPE AM770_116_032 / FW770.80
05/23/17 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Availability Severity: SPE AM770_112_032 / FW770.70
07/27/16 Only Deferred fix descriptions are displayed for this service pack.
The complete Firmware Fix History for this Release Level can be reviewed at
the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html
Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Performance Severity: SPE
Concurrent hot add/repair maintenance (CHARM) firmware fixes
* DEFERRED: A problem was fixed for a I/O performance slow-down that can
occur after a concurrent repair of a GX bus I/O adapter with a Feature Code of
#1808 or #1914. A re-IPL of the system after the concurrent repair operation
corrects the I/O performance issue. This fix requires an IPL of the system to
take effect.
This problem only pertains to the IBM Power 770 (9117-MMC) and the IBM Power
780 (9179-MHC).
AM770_110_032 / FW770.61
12/16/15 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Availability Severity: ATT AM770_109_032 / FW770.60
08/05/15 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Availability Severity: SPE AM770_101_032 / FW770.51
04/21/15 Only HIPER fix descriptions are displayed for this service pack.
The complete Firmware Fix History for this Release Level can be reviewed at
the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html
Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Security Severity: HIPER System firmware changes that affect
all systems
* On systems using Virtual Shared Processor Pools (VSPP), a problem was fixed
for an inaccurate pool idle count over a small sampling period.
A problem was corrected for a defect in an earlier service pack (AM770_098)
that potentially caused an undetected corruption of firmware when the fix was
concurrently activated. If the earlier service pack(AM770_098) was concurrently
installed, a platform IPL will mitigate potential future exposure to the
problem.
AM770_098_032 / FW770.50
01/12/15 Only HIPER and Deferred fix descriptions are displayed for this
service pack.
The complete Firmware Fix History for this Release Level can be reviewed at
the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html
Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Security Severity: HIPER
System firmware changes that affect certain systems
* HIPER/Pervasive: On systems using PowerVM firmware, a performance problem
was fixed that may affect shared processor partitions where there is a mixture
of dedicated and shared processor partitions with virtual IO connections, such
as virtual ethernet or Virtual IO Server (VIOS) hosting, between them. In high
availability cluster environments this problem may result in a split brain
scenario.
* DEFERRED: A performance problem was fixed for PCIe slot C4 which was
missing a dedicated internal data buffer, making it a bottleneck when using
certain high-performance IO adapters. The PCIe slot C4 is now assigned a data
capability of 16 GB. This fix pertains only to the IBM Power 750 Express
(8408-E8D), IBM Power 760 (9109-RMD), and IBM PowerLinux 7R4 (8248-L4T)
systems. This deferred fix addresses a potential performance problem but not
an error condition. As such, customers may wait for the next planned service
window to activate the deferred fix via a system reboot. AM770_092_032 /
FW770.41
09/26/14 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Availability Severity: SPE AM770_090_032 / FW770.40
06/26/14 Only HIPER fix descriptions are displayed for this service pack.
The complete Firmware Fix History for this Release Level can be reviewed at
the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html
Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Security Severity: HIPER System firmware changes that affect
all systems
* HIPER/Pervasive: A security problem was fixed in the OpenSSL (Secure
Socket Layer) protocol that allowed clients and servers, via a specially
crafted handshake packet, to use weak keying material for communication. A
man-in-the-middle attacker could use this flaw to decrypt and modify traffic
between the management console and the service processor. The Common
Vulnerabilities and Exposures issue number for this problem is CVE-2014-0224.
* HIPER/Pervasive: A security problem was fixed in OpenSSL for a buffer
overflow in the Datagram Transport Layer Security (DTLS) when handling invalid
DTLS packet fragments. This could be used to execute arbitrary code on the
service processor. The Common Vulnerabilities and Exposures issue number for
this problem is CVE-2014-0195.
* HIPER/Pervasive: Multiple security problems were fixed in the way that
OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode
was enabled to prevent denial of service. These could cause the service
processor to reset or unexpectedly drop connections to the management console
when processing certain SSL commands. The Common Vulnerabilities and Exposures
issue numbers for these problems are CVE-2010-5298 and CVE-2014-0198.
* HIPER/Pervasive: A security problem was fixed in OpenSSL to prevent a
denial of service when handling certain Datagram Transport Layer Security
(DTLS) ServerHello requests. A specially crafted DTLS handshake packet could
cause the service processor to reset. The Common Vulnerabilities and Exposures
issue number for this problem is CVE-2014-0221.
* HIPER/Pervasive: A security problem was fixed in OpenSSL to prevent a
denial of service by using an exploit of a null pointer de-reference during
anonymous Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially
crafted handshake packet could cause the service processor to reset. The
Common Vulnerabilities and Exposures issue number for this problem is
CVE-2014-3470. AM770_076_032 / FW770.32
04/18/14 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Security Severity: HIPER
System firmware changes that affect all systems
* HIPER/Pervasive: A security problem was fixed in the OpenSSL Montgomery
ladder implementation for the ECDSA (Elliptic Curve Digital Signature
Algorithm) to protect sensitive information from being obtained with a flush
and reload cache side-channel attack to recover ECDSA nonces from the service
processor. The Common Vulnerabilities and Exposures issue number is
CVE-2014-0076. The stolen ECDSA nonces could be used to decrypt the SSL
sessions and compromise the Hardware Management Console (HMC) access password
to the service processor. Therefore, the HMC access password for the managed
system should be changed after applying this fix.
* HIPER/Pervasive: A security problem was fixed in the OpenSSL Transport
Layer Security (TLS) and Datagram Transport Layer Security (DTLS) to not allow
Heartbeat Extension packets to trigger a buffer over-read to steal private keys
for the encrypted sessions on the service processor. The Common
Vulnerabilities and Exposures issue number is CVE-2014-0160 and it is also
known as the heartbleed vulnerability. The stolen private keys could be used
to decrypt the SSL sessions and and compromise the Hardware Management Console
(HMC) access password to the service processor. Therefore, the HMC access
password for the managed system should be changed after applying this fix.
AM770_063_032 / FW770.31
01/14/14 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Serviceability Severity: SPE
AM770_062_032 / FW770.30
12/10/13 Only Deferred fix descriptions are displayed for this service pack.
The complete Firmware Fix History for this Release Level can be reviewed at
the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html
Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Availability Severity: SPE
System firmware changes that affect certain systems
* DEFERRED: On Power7 systems, a problem was fixed that caused a system
checkstop during hypervisor time keeping services. This deferred fix addresses
a problem that has a very low probability of occurrence. As such customers may
wait for the next planned service window to activate the deferred fix via a
system reboot.
* DEFERRED: On Power7 systems, a problem was fixed that caused a system
checkstop with SRC B113E504 for a recoverable hardware fault. This deferred
fix addresses a problem that has a very low probability of occurrence. As such
customers may wait for the next planned service window to activate the deferred
fix via a system reboot. AM770_052_032 / FW770.21
08/07/13 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Availability Severity: SPE AM770_048_032 / FW770.20
05/17/13 Systems 8408-E8D; 8248-L4T; 9109-RMD; 9117-MMC and 9179-MHC ONLY
Impact: Availability Severity: SPE AM770_038_032 / FW770.10
03/21/13 Systems 8408-E8D and 9109-RMD ONLY
Impact: New Severity: New
The complete Firmware Fix History (including HIPER descriptions) for this
Release Level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html
----------------------------------------------------------------------------------
4.0 How to Determine Currently Installed Firmware Level
For HMC managed systems: From the HMC, select Updates in the navigation
(left-hand) pane, then view the current levels of the desired server(s).
Alternately, use the Advanced System Management Interface (ASMI) Welcome pane.
The current server firmware appears in the top right corner. Example:
AM760_yyy.
----------------------------------------------------------------------------------
5.0 Downloading the Firmware Package
Follow the instructions on Fix Central. You must read and agree to the
license agreement to obtain the firmware packages.Note: If your HMC is not
internet-connected you will need to download the new firmware level to a CD-ROM
or ftp server.
----------------------------------------------------------------------------------
6.0 Installing the Firmware
The method used to install new firmware will depend on the release level of
firmware which is currently installed on your server. The release level can be
determined by the prefix of the new firmware's filename.Example: AMXXX_YYY_ZZZ
Where XXX = release level
* If the release level will stay the same (Example: Level AM710_075_075 is
currently installed and you are attempting to install level AM710_081_075) this
is considered an update.
* If the release level will change (Example: Level AM710_081_075 is currently
installed and you are attempting to install level AM720_097_096) this is
considered an upgrade.
(http://publib.boulder.ibm.com/infocenter/powersys/v3r1m5/index.jsp?topic=/p7ha1/updupdates.htm)
HMC Managed Systems:
Instructions for installing firmware updates and upgrades on systems managed
by an HMC can be found at:
(http://publib.boulder.ibm.com/infocenter/powersys/v3r1m5/index.jsp?topic=/p7ha1/updupdates.htm)
https://www.ibm.com/support/knowledgecenter/8408-E8D/p7ha1/updupdates.htm
Systems not Managed by an HMC:
Power Systems:
Instructions for installing firmware on systems that are not managed by an HMC
can be found at:
(http://publib.boulder.ibm.com/infocenter/powersys/v3r1m5/index.jsp?topic=/p7ha5/fix_serv_firm_kick.htm)
https://www.ibm.com/support/knowledgecenter/8408-E8D/p7ha5/fix_serv_firm_kick.htm
IBM i Systems:
See "IBM Server Firmware and HMC Code Wizards":
http://www-912.ibm.com/s_dir/slkbase.NSF/DocNumber/408316083
NOTE: For all systems running with the IBM i Operating System, the following
IBM i PTFs must be applied to all IBM i partitions prior to installing
AM770_123:
* V7R1M0 - MF51869
* V6R1M1 - MF51864 These PTFs can be ordered through Fix Central
(http://www-933.ibm.com/support/fixcentral/).
When ordering firmware for IBM i Operating System managed systems from Fix
Central, choose "Select product", under Product Group specify "System i", under
Product specify "IBM i", then Continue and specify the desired firmware PTF
accordingly
7.0 Firmware History
The complete Firmware Fix History (including HIPER descriptions) for this
Release Level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html