IBM HMC on Power Firmware

Applies to:  7063-CR2

This document provides information about the installation of Licensed Machine or Licensed Internal Code, which is sometimes referred to generically as microcode or firmware.

 

Contents

1.0 Systems Affected

1.1 Minimum ipmitool Code Level

1.2 Fix level Information on IBM Power HMC Components and Operating systems

2.0 Important Information

3.0 Firmware Information

3.1 Firmware Information and Description

4.0 Operating System Information

4.1 HMC on Power Operating System

4.2 How to Determine the Level of the HMC

5.0 How to Determine The Currently Installed Firmware Level

6.0 Downloading the Firmware Package

7.0 Installing the Firmware

7.1 Updating Firmware Using OpenBMC GUI

7.1.1 Update the BMC image

7.1.2 Update the PNOR image

7.2 Updating Firmware Using openbmctool

8.0 System Management and Virtualization

8.1 BMC Service Processor IPMI

8.1.1 Security Risks Associated with Using IPMI

8.2 OpenPOWER Abstraction Layer (OPAL)

8.3 Petitboot bootloader

9.0 Change History

 

1.0 Systems Affected

This package provides firmware for IBM HMC on Power 7063-CR2 only with minimum HMC version level of HMC V9 R2 M950 or later.

The firmware level in this package is:

 

Note:  A rare timing event during boot of the 7063-CR2 HMC can result in different conditions depending on the version of BMC FW currently functional on the HMC.Please refer here for workarounds and symptoms: https://www.ibm.com/support/pages/node/6520826

 

1.1 Minimum ipmitool Code Level

This section specifies the "Minimum ipmitool Code Level" required by the System Firmware for managing the system.   OpenPOWER requires ipmitool level v1.8.15 or later to execute correctly on the OP910  and later firmware.  It must be capable of establishing a IPMI v2 session with the ipmi support on the BMC.

 Verify your ipmitool level on your Linux workstation using the following command:

 

bash-4.1$ ipmitool -V

ipmitool version 1.8.15

 

If you are need to update or add impitool to your Linux workstation , you can compile ipmitools (current level 1.8.15) for Linux as follows from Sourceforge:

 

1.1.1  Download impitool tar from http://sourceforge.net/projects/ipmitool/  to  your linux system

1.1.2  Extract tarball on Linux system

1.1.3  cd to top-level directory

1.1.4 ./configure

1.1.5  make

1.1.6  ipmitool will be under src/ipmitool        

 

You may also get the ipmitool package directly from your workstation Linux packages.

 

1.2 Fix level Information on IBM Power HMC Components and Operating systems

For specific fix level information on key components of IBM HMC model 7063-CR2 and the HMC software, please refer to the documentation in the IBM Knowledge Center.

https://www.ibm.com/docs/en/power9/0000-FUL?topic=code-upgrading-your-hmc-software

 

2.0 Important Information


Downgrading firmware from any given release level to an earlier release level is not recommended.

If you feel that it is necessary to downgrade the firmware on your system to an earlier release level, please contact your next level of support.

Concurrent Firmware Updates not available for Power HMC.

Concurrent system firmware update is not supported on the Power HMC.

 

3.0 Firmware Information

Use the following examples as a reference to determine whether your installation will be concurrent or disruptive.

For the Power HMC, the installation of system firmware is always disruptive.

 

3.1 Firmware Information and Description

The BMC and PNOR image tar files are used to update the primary side of the PNOR and the primary side of the BMC only, leaving the golden sides unchanged.

 

Filename

Size

Checksum

obmc-mowgli-op940.hmc-27.ubi.mtd.tar

 

 22712320

6a4d7d8bc3d433880deee3676a399187

mowgli-IBM-OP9_v2.5_4.125_prod.pnor.squashfs.tar

 

31672320

086b5f71ef7d152e478ec0e320058035

 

Note: The Checksum can be found by running the Linux/Unix/AIX md5sum command against the Hardware Platform Management (hpm) file (all 32 characters of the checksum are listed), ie: md5sum <filename>

 

After a successful update to this firmware level, the PNOR components and BMC should be at the following levels.  

 

To display the PNOR level, use the following BMC command:  "cat /var/lib/phosphor-software-manager/pnor/ro/VERSION | grep -A 12 IBM"

And the BMC command line command "cat" can be used to display the BMC level:  "cat /etc/os-release".

 

Note:  FRU information for the PNOR level does not show the updated levels via the fru command until the system has been booted once at the updated level.

 

PNOR firmware level:  

 

IBM-mowgli-ibm-OP9_v2.5_4.125-prod

 op-build-v2.3-rc2-1422-g93749fa

 buildroot-2019.05.3-20-g4a064c9

 skiboot-v6.7.3

 hostboot-0896112-pff7c72c

 occ-9047e57

 linux-5.4.107-openpower1-ped277d2

 petitboot-v1.13

 machine-xml-59f3878

 hostboot-binaries-hw101520a.op940

 capp-ucode-p9-dd2-v4

 sbe-47abe2a-p6b32bb4

 hcode-hw090921a.op940

 

           

BMC firmware level:  

id:          openbmc-phosphor

name:        Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro)

version:     op940.hmc-27

version_id:  op940.hmc-27-0-g3e9d24f2fd

pretty_name: Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro) op940.hmc-27

build_id:    op940.hmc-27

BMC Primary side version:

 

 op940.hmc-27

 

Alternatively access the OpenBMC UI by directly pointing a browser to the IP or hostname of the BMC:

Example: https://<ip or hostname>

In the “Server overview” panel, locate the “FIRMWARE VERSION” fields under “Server information”(PNOR), and “BMC information (BMC).

 

 

OP940
For Impact, Severity and other Firmware definitions, Please refer to the below 'Glossary of firmware terms' url:
http://www14.software.ibm.com/webapp/set2/sas/f/power5cm/home.html#termdefs

PNOR OP9_v2.5_4.125 with OpenBMC op940.hmc-27

OP940.60

 

10/12/2023

 

Impact: Security      Severity: SPE

System firmware changes that affect all systems

Security exposures were fixed for the BMC/eBMC for security vulnerabilities CVE-2022-4304 (attacker who can send a high volume of requests to the BMC/eBMC and has large amounts of processing power can retrieve a plaintext password) and CVE-2022-4450 (the administrator can crash web server when uploading an HTTPS certificate). For CVE-2022-4304, the vulnerability is exposed whenever the BMC/eBMC is on the network. For CVE-2022-4450, the vulnerability is exposed if the BMC/eBMC administrator uploads a malicious certificate.

      The Common Vulnerabilities and Exposures issue numbers for these problems are CVE-2022-4304 and CVE-2022-4450.

 

A fix was made to an algorithm used in processing data from the power supply.

 

PNOR OP9_v2.5_4.125 with OpenBMC op940.hmc-25

OP940.50

 

12/07/2022

 

 


Impact: Security      Severity: SPE

System firmware changes that affect all systems

A security problem was fixed for the BMC HTTPS server. With this vulnerability, a defect in the web server causes the web server to crash if a BMC administrator user uploads too many CA certificates in a short period of time. A reboot of the BMC will recover from the problem. The Common Vulnerability and Exposure number for this problem is CVE-2022-22488.
To avoid this problem, wait 10 seconds between uploading CA certificates.
To recover from this problem, restart the BMC's HTTPS service. This can be performed in one of two ways:
1. Remove power from the BMC and then reapply power, OR
2. Use root access to the BMC's command shell, and use the "reboot" command to reset the BMC.

A problem was fixed for the network IP and MAC information not showing in the BMC gui for the eth0 and eth1 ethernet interfaces when both are configured. Information was being displayed for only one of the active interfaces. The BMC "Server overview page" is now able to display information about each ethernet's MAC, IPv4 and IPv6 addresses.

 

PNOR OP9_v2.5_4.125 with OpenBMC op940.hmc-21

OP940.40

 

05/20/2022

 

New features and functions

Support was added in Petitboot GRUB2 to allow empty paths in the (device)/path syntax.  Also added support for "test -e" with an empty path - this tests for the presence of the device itself.

Linux-aspeed updated to version v5.4.173.


System firmware changes that affect all systems

A security problem was fixed for the BMC OpenSSL certificate parsing where a specially crafted certificate with invalid parameters could cause an infinite loop, and result in a denial of service condition on the BMC.  The recovery is to reboot the BMC.  The Common Vulnerability and Exposure number for this problem is CVE-2022-0778.

A problem was fixed in Petitboot discovery to log a warning message in the status log when a duplicate filesystem (FS) for a device is detected.  The message is needed to alert the user that the new device will be ignored, as Petitboot suppresses the second (and subsequent identical) FS.

 

A problem was fixed for an issue with the clock date not rolling over correctly at the end of the day when a BMC reset occurred at the same time. For example, if the date/time was set forward to 5/21/2032 23:59:00 and a BMC reset was performed, the date afterward may show 6/5/2032 instead of the expected 5/22/2032 00:00:10.

 

PNOR OP9_v2.5_4.124 with OpenBMC op940.hmc-16

OP940.16

 

12/07/2021

 

New features and functions

 

Support added to increase the host console log size to 256K.

 

System firmware changes that affect all systems

 

HIPER/Pervasive:  A problem was fixed for error recovery for an intermittent BMC hang that causes a flash side switch on reset of the BMC with loss of profile settings (including network settings).  The intermittent BMC hang can occur while the host is rebooting as part of a host firmware update. With the fix, the recovery for a BMC hang is a BMC reset that is done without switching the BMC flash side, allowing the BMC to reboot cleanly.

 

A problem was fixed for a system going to Safe mode during the IPL with SRCs logged of BC8A2AD3 and BC702616 when the On-Chip Controller (OCC) did not reach the active state.  The fans will be running at full speed in this mode.  The error is triggered by a storm of updates to the Power Management Control Register (PMCR) during the IPL that cause a timeout between the PGPE engine and OCC for a heartbeat message.  The problem is intermittent, so a possible recovery is to re-IPL the system.

 

A problem was fixed to change the factory reset to not clear the secure boot file.

 

A security problem was fixed for a flaw in ICMP packets in the Linux kernel that may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. This vulnerability is CVE-2020-25705.

 

A security problem was fixed that allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network Random Number Generator (RNG).  This vulnerability is CVE-2020-16166.

 

A security problem was fixed for OpenSSL X509 certificates to prevent a possible denial of service (DOS) attack with a NULL pointer de-reference and BMC crash. This vulnerability is CVE-2020-1971.

 

A security problem was fixed for OpenSSL TLS to prevent a maliciously crafted Client Hello message from causing a possible denial of service (DOS) attack with a NULL pointer de-reference and BMC crash. This vulnerability is CVE-2021-3449.

 

 

 

PNOR OP9_v2.5_4.123 with OpenBMC op940.hmc-11.1

OP940.11

 

09/30/2021

 

Impact: Security       Severity:  HIPER

 

 

New features and functions

 

Support removed for multiple KVM sessions.  The maximum number of KVM sessions is 1.

 

Support added for "Model" to the asset interface

 

Support was changed to limit the maximum PCI Host Bridge (PHB) speed to PCIe3 for the first PHB on the device tree.

 

System firmware changes that affect all systems

 

HIPER/Pervasive:  A security problem was fixed that allowed a network attacker to use specially crafted IPMI messages to bypass authentication and gain full control of the system.  This is security vulnerability CVE-2021-39296.

 

HIPER/Non-Pervasive:   A problem was fixed for a potential problem with I/O adapters that could result in undetected data corruption.

 

A number of important fixes for bounds checks and data validation were made for the secure boot (verified boot) feature that checks that OS kernels are valid before allowing them to boot. These fixes include corrections for memory leaks, over reads of data, improved error checking, more thorough input data validation, and removal of redundant print error messages for certificate chain errors.

 

A problem was fixed to prevent EEH recovery on an I/O adapter from causing an escalated PCI Host Bridge (PHB) reset on some adapters where it is not needed.

 

A problem was fixed during the OPAL boot to only remove the nest In-Memory Collection (IMC) counter devices from the device tree if the microcode state is not running or paused.  Without the fix, all of the IMC devices are removed from the device tree if a pause of the microcode fails.

 

A problem was fixed to prevent In-Memory Collection (IMC) counter devices from getting removed from the device tree on larger systems if there is a delay for the microcode download from the On-Chip Controller (OCC).

 

A problem was fixed for "CPU Hardlock UP", memory re-free, and kernel crash errors during the boot when the BT (IPMI message link from OPAL to the BMC) timer is preempted by the BMC, causing the following error log:

[29006114.163785853,3] BT: seq 0x81 netfn 0x0a cmd 0x23: Timeout sending message

[29006114.288029290,3] BT: seq 0x81 netfn 0x0b cmd 0x23: Timeout sending message

[29006114.288917798,3] IPMI: Incorrect netfn 0x0b in response

 

A problem was fixed for Self Boot Engine (SBE) timer requests expiring immediately when re-trying canceled timer requests.  This can cause delays in SBE operations and excessive messaging to the SBE.

 

A problem was fixed for excessive and continuous Self Boot Engine (SBE) timer requests that prevent the SBE from processing normal operation messages.  With this fix, the number of continuous timer updates is limited and there is a wait for the timer expiry interrupt to restart sending timer requests.

 

A problem was fixed for not checking for busy timer messages to the Self Boot Engine (SBE) that can result in lost timer messages, causing the need to resend messages to the SBE.

 

A problem was fixed for XSCOM read/write errors being written into OPAL log as PR_ERROR instead of PR_INFO as the severity of these logs should be informational.

 

A problem was fixed to prevent a system crash from a denial of service attack when starting a guest.  With the fix, if a corrupt guest request occurs with an invalid XIVE VP structure, only the new guest will abort, not the whole system..

 

A problem was fixed to prevent a hang on a failed fast reboot request.  With the fix, a failed fast reboot will cause the system to do a normal reboot after logging an error message.

 

A problem was fixed for a failed fast reboot after guarding a failed processor.

 

PNOR OP9_v2.5_4.115 with  OpenBMC op940.hmc-5

OP940.00

 

05/21/2021

Impact:  New    Severity:  New

 

New features and functions:

 

Support for the IBM 7063 Model CR2 HMC appliance that has a HMC minimum level requirement of V9R2M950.

 

Support of Secure and Trusted boot for the firmware.

 

Host firmware support for anti-rollback protection.  This feature implements firmware rollback protection as described in NIST SP 800-147B “BIOS Protection Guidelines for Servers”.  All host firmware is signed with a "secure version".  The secure boot verification process will block any firmware secure version that is less than the "minimum secure version" that is maintained in the processor hardware.  During the system power on the host firmware will update the "minimum secure version" to match the currently running firmware.

 

 

4.0 Operating System Information

OS levels supported by the 7063-CR2 server:

- HMC V9 R2 M950 or later

 

4.1 HMC on Power Operating System

The HMC stack runs on an embedded Linux distribution. The HMC on Power version V9 R2 M950 or later is supported on the 7063-CR2.

 

4.2 How to Determine the Level of the HMC

 

Use the following steps in the below link to navigate the HMC GUI to determine the HMC level:

 

https://www.ibm.com/docs/en/power9/9009-42A?topic=code-determining-your-hmc-machine-version-release

 

From the HMC command line use “lshmc -V”.

 

 

 

https://www.ibm.com/support/knowledgecenter/8247-21L/p8hai/p8hai_viewcodelevel_enh.htm

 

5.0 How to Determine The Currently Installed Firmware Level

 

See Section 3.1 “Firmware Information and Description”.

 

6.0 Downloading the Firmware Package

Follow the instructions on Fix Central. You must read and agree to the license agreement to obtain the firmware packages.

7.0 Installing the Firmware

The updating and upgrading of system firmware depends on several factors, such as the current firmware that is installed, and what operating systems is running on the system.

These scenarios and the associated installation instructions are comprehensively outlined in the firmware section of Fix Central, found at the following website:

http://www.ibm.com/support/fixcentral/

Any hardware failures should be resolved before proceeding with the firmware updates to help insure the system will not be running degraded after the updates.

 

The 7063-CR2 firmware is made up of two separate components

A boot priority system, allows for the selection of a previous image to be used. This is useful when there is a need to revert to a prior image.

On the OpenBMC UI, the image file that is listed at the top (for each stack, BMC and PNOR), the image with the highest boot priority, is used the next time that the device is booted. You can change the boot order for the image file by clicking the arrow icons.

Image State Definitions

The OpenBMC UI or the openbmctool commands can be used to both view or update the firmware images.

The HMC must be shut down prior to updating firmware.

It is recommended that both BMC and PNOR be updated prior to restarting the HMC.

7.1 Updating Firmware Using OpenBMC GUI

7.1.1 Update the BMC image

1. Access Server configuration -> Firmware

2. Scroll down on the page to locate the section to upload the firmware image.

3. Click on Choose a file and browse your local filesystem for the location of the BMC image.

4. Click on Upload firmware

The “Upload in progress...” message is displayed  

A confirmation message is displayed when the upload is complete.

 

5. The new image is now in a Ready state. Click Activate, under the Action column to activate it.

 

6. The user is presented with a confirmation panel with the options to "ACTIVATE FIRMWARE FILE WITHOUT REBOOTING BMC" and "ACTIVATE FIRMWARE FILE AND AUTOMATICALLY REBOOT BMC".

7. Select ACTIVATE FIRMWARE FILE AND AUTOMATICALLY REBOOT BMC and click Continue

8. The image state will show Activating

 

9. The image will then transition to Functional state (the running image on the device)

10.  If successful, a message is displayed on the upper right of the session, showing Success! BMC is rebooting.

11  After the BMC comes back up and the UI is refreshed, the new image is now listed on the top line (first in boot priority) and the previous image is now listed second. The original second image was removed.

12.  This concludes the BMC part of the update.

7.1.2 Update the PNOR image

The next firmware image to update is the PNOR (also known as Server) image.

1. Scroll down on the page to locate the section to upload the firmware image.

2. Click on Choose a file and browse your local filesystem for the location of the PNOR image.

3. Click on Upload firmware

The “Upload in progress... “message is displayed

 confirmation message is displayed when the upload is complete:

4. The new image is now in a Ready state. Click Activate, under the Action column to activate it.

5. The user is presented with a confirmation panel  Confirm server firmware file activation”.with the options to "ACTIVATE FIRMWARE FILE WITHOUT BOOTING SERVER" and "ACTIVATE FIRMWARE FILE AND AUTOMATICALLY BOOT SERVER".

6. Select ACTIVATE FIRMWARE FILE AND AUTOMATICALLY BOOT SERVER and click Continue

7. The image state will show Activating

8. The image will then transition to Functional state (the running image on the device)

9. After a UI refresh, the new image is now listed on the top line (first in boot priority) and the previous image is now listed second. Any original second image is removed (there wasn't one in this example).

10. This concludes the PNOR part of the update.

11. The system is automatically started following PNOR update.

7.2 Updating Firmware Using openbmctool

The process of updating firmware on the OpenBMC Power HMC is documented below.

The sequence of events that must happen is the following:

 

•Power off the Host

•Update and Activate BMC

•Update and Activate PNOR

•Reboot the BMC (applies new BMC image)

•Power on the Host (applies new PNOR image)

 

The OpenBMC firmware updates (BMC and PNOR)  for the Power HMC can be managed via the command line with the openbmctool.

 

The openbmctool is obtained using the IBM Support Portal.

 

  1. 1.Go to the IBM Support Portal. 

  2. 2.In the search field, enter your machine type and model.  Then click the correct product support entry for your system. 

  3. 3.From the Downloads list, click the openbmctool for your machine type and model. 

  4. 4.Follow the instructions to install and run the openbmctool.  You will need to provide the file locations of the BMC firmware image tar and PNOR firmware image tar that must be downloaded from Fix Central for the update level needed. 

 

 

Information on the openbmctool and the firmware update process can be found in the IBM Knowledge Center:  

https://www.ibm.com/support/knowledgecenter/POWER9/p9ei8/p9ei8_update_firmware_openbmctool.htm

8.0 System Management and Virtualization

The service processor, or baseboard management controller (BMC), provides a hypervisor and operating system-independent layer that uses the robust error detection and self-healing functions that are built into the POWER processor and memory buffer modules. OpenPOWER application layer (OPAL) is the system firmware in the stack of POWER processor-based Linux-only servers.

 

8.1  BMC Service Processor IPMI

The service processor, or baseboard management controller (BMC), is the primary control for autonomous sensor monitoring and event logging features on the Power HMC.

The BMC supports the Intelligent Platform Management Interface (IPMI) for system monitoring and management.  The BMC monitors the operation of the firmware during the boot process and also monitors the OPAL hypervisor for termination.

 

8.1.1  Security Risks Associated with Using IPMI

Various risks that are associated with the Intelligent Platform Management Interface (IPMI) have been identified and documented in the information technology (IT) security community.

Possible risks includes the following three common vulnerabilities and exposures (CVEs):

1) CVE-2013-4037:

The Remote Authenticated Key-Exchange Protocol (RAKP), which is specified by the IPMI standard for authentication, has flaws. Although the system does not allow the use of null passwords, a hacker might reverse engineer the RAKP transactions to determine a password. The authentication process for IPMI requires the management controller to send a hash of the requested password of the user to the client before the client authenticates. This process is a key part of the IPMI specification. The password hash can be broken by using an offline brute force or dictionary attack.

2) CVE-2013-4031:

IBM Power Systems and OpenPower Systems are preconfigured with one IPMI user account, which has the same default login name and password on all affected systems. If a malicious user gains access to the IPMI interface by using this preconfigured account, the user can power off or on, or restart the host server, and create or change user accounts possibly preventing legitimate users from accessing the system. On OpenPower Systems, the default IPMI user name is root.  Additionally, if a user fails to change the default user name and password on each of the systems that is deployed, the user has the same login information for each of those systems.

3) CVE-2013-4786:

The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the hash-based message authentication code (HMAC) from a RAKP message 2 response from a BMC.

If a user is not managing a server by using the IPMI, one can configure the system to disallow IPMI network access from the user accounts. This task can be accomplished by using the IPMItool utility or a similar utility for managing and configuring the IPMI management controllers.  Use the following IPMItool command to disable the network access for an IPMI user:

ipmitool channel setaccess 1 #user_slot# privilege=15

For more information on the IPMI security vulnerabilities and configuration options and best practices to minimize the risks of this interface, go to the IBM Knowledge Center at the following URL:

https://www.ibm.com/support/knowledgecenter/POWER9/p9eih/p9eih_openbmc_security.htm

8.2 OpenPOWER Abstraction Layer (OPAL)

The OpenPOWER Abstraction Layer (OPAL) provides hardware abstraction and run time services to the running host Operating System.

For the 7063-CR2 server, only the OPAL bare-metal installs of the Hardware Management Console are supported.

 

Find out more about OPAL skiboot here:

https://github.com/open-power/skiboot

8.3 Petitboot bootloader

Petitboot is a kexec based bootloader used by IBM POWER9 systems for doing the bare-metal installs.

After the POWER system powers on, the petitboot bootloader scans local boot devices and network interfaces to find boot options that are available to the system. Petitboot returns a list of boot options that are available to the system. If you are using a static IP or if you did not provide boot arguments in your network boot server, you must provide the details to petitboot. You can configure petitboot to find your boot with the following instructions:

https://www.ibm.com/support/knowledgecenter/linuxonibm/liabw/liabppetitbootadvanced.html

 

You can edit petitboot configuration options, change the amount of time before Petitboot automatically boots, etc. with these instructions:

https://www.ibm.com/support/knowledgecenter/linuxonibm/liabw/liabppetitbootconfig.html

 

After you select to boot the ISO media for the Linux distribution of your choice, the installer wizard for that Linux distribution walks you through the steps to set up disk options, your root password, time zones, and so on.

You can read more about the petitboot bootloader program here:

https://www.kernel.org/pub/linux/kernel/people/geoff/petitboot/petitboot.html

 

 

9.0 Change History

Date

Description

10/12/2023

OP940.60 release

12/07/2022

OP940.50 release

05/20/2022

OP940.40 release

12/08/2021

Added warning for possible BMC boot error in Section 1.0

12/07/2021

OP940.16 release

09/30/2021

OP940.11 release

05/21/2021

New for Power HMC 7063-CR2 for the OP940.00 release