Power7 System Firmware

Applies to:   8202-E4D;  8205-E6D;  8231-E1D;  8231-E2D;  8246-L1D;  8246-L2D;  8246-L1T; 8246-L2T, 8268-E1D and 8493-SV6.

This document provides information about the installation of Licensed Machine or Licensed Internal Code, which is sometimes referred to generically as microcode or firmware.


Contents


1.0 Systems Affected

This package provides firmware for Power 710 (8231-E1D, 8268-E1D), Power 720 (8202-E4D), Power 730 (8231-E2D), Power 740 (8205-E6D, 8493-SV6), PowerLinux 7R1 (8246-L1D, 8246-L1T) and PowerLinux 7R2 (8246-L2D, 8246-L2T) servers only.

The firmware level in this package is:

1.1 Minimum HMC Code Level

This section is intended to describe the "Minimum HMC Code Level" required by the System Firmware to complete the firmware installation process. When installing the System Firmware, the HMC level must be equal to or higher than the "Minimum HMC Code Level" before starting the system firmware update.  If the HMC managing the server targeted for the System Firmware update is running a code level lower than the "Minimum HMC Code Level" the firmware update will not proceed.

The Minimum HMC Code level for this firmware is:  HMC V7 R7.7.0 (PTF MH01343) with Mandatory efix (PTF MH01345).

Although the Minimum HMC Code level for this firmware is listed above,  HMC V7 R7.9.0 Service Pack 3  (PTF MH01546) with ifix (PTF MH01699) or higher is recommended.

Important: To prevent vulnerability to security issues, the HMC should be updated to the above recommended level,  prior to installing this server firmware level.


For information concerning HMC releases and the latest PTFs,  go to the following URL to access Fix Central:
http://www-933.ibm.com/support/fixcentral/

For specific fix level information on key components of IBM Power Systems running the AIX, IBM i and Linux operating systems, we suggest using the Fix Level Recommendation Tool (FLRT):
http://www14.software.ibm.com/webapp/set2/flrt/home

NOTES:
                -You must be logged in as hscroot in order for the firmware installation to complete correctly.
                - Systems Director Management Console (SDMC) does not support this System Firmware level.

2.0 Important Information

F/C 5260, 5899, and EL11 (4-Port Gigabit Ethernet PCI-Express Adapter) added to a system running AL770 system firmware

If a 4-Port Gigabit Ethernet PCI-Express Adapter (F/C 5260, 5899, or EL11) is taken from an existing system and installed in an 8202-E4D, 8205-E6D, 8231-E1D, 8231-E2D, 8246-L1D, 8246-L2D, 8246-L1T, or 8246-L2T system running AL770 system firmware, there is a potential issue with the adapter microcode.  To resolve this issue, install the latest Ethernet adapter firmware, version 10050160 (or higher), feature codes 5260, 5899, EL11.

This adapter firmware addresses a problem that causes IBM i network install to fail (with SRC B2006110) on partitions running with AL770 system firmware on the models listed above.  This fix is also recommended for partitions running AIX, VIOS, and Linux operating systems.


Downgrading firmware from any given release level to an earlier release level is not recommended.

If you feel that it is necessary to downgrade the firmware on your system to an earlier release level, please contact your next level of support.

IPv6 Support and Limitations

IPv6 (Internet Protocol version 6) is supported in the System Management Services (SMS) in this level of system firmware. There are several limitations that should be considered.

When configuring a network interface card (NIC) for remote IPL, only the most recently configured protocol (IPv4 or IPv6) is retained. For example, if the network interface card was previously configured with IPv4 information and is now being configured with IPv6 information, the IPv4 configuration information is discarded.

A single network interface card may only be chosen once for the boot device list. In other words, the interface cannot be configured for the IPv6 protocol and for the IPv4 protocol at the same time.

Concurrent Firmware Updates

Concurrent system firmware update is only supported on HMC Managed Systems only.

Memory Considerations for Firmware Upgrades

Firmware Release Level upgrades and Service Pack updates may consume additional system memory.
Server firmware requires memory to support the logical partitions on the server. The amount of memory required by the server firmware varies according to several factors.
Factors influencing server firmware memory requirements include the following:
Generally, you can estimate the amount of memory required by server firmware to be approximately 8% of the system installed memory. The actual amount required will generally be less than 8%. However, there are some server models that require an absolute minimum amount of memory for server firmware, regardless of the previously mentioned considerations.

Additional information can be found at:
http://www.ibm.com/support/knowledgecenter/8202-E4D/p7hat/iphatlparmemory.htm


3.0 Firmware Information and Description 

Use the following examples as a reference to determine whether your installation will be concurrent or disruptive.

For systems that are not managed by an HMC, the installation of system firmware is always disruptive.

Note: The concurrent levels of system firmware may, on occasion, contain fixes that are known as Deferred and/or Partition-Deferred. Deferred fixes can be installed concurrently, but will not be activated until the next IPL. Partition-Deferred fixes can be installed concurrently, but will not be activated until a partition reactivate is performed. Deferred and/or Partition-Deferred fixes, if any, will be identified in the "Firmware Update Descriptions" table of this document. For these types of fixes (Deferred and/or Partition-Deferred) within a service pack, only the fixes in the service pack which cannot be concurrently activated are deferred.

Note: The file names and service pack levels used in the following examples are for clarification only, and are not necessarily levels that have been, or will be released.

System firmware file naming convention:

01ALXXX_YYY_ZZZ

NOTE: Values of service pack and last disruptive service pack level (YYY and ZZZ) are only unique within a release level (XXX). For example, 01AL720_067_045 and 01AL770_098_032 are different service packs.

An installation is disruptive if:

Example: Currently installed release is AL710, new release is AL720 Example: AL720_120_120 is disruptive, no matter what level of AL720 is currently installed on the system Example: Currently installed service pack is AL720_120_120 and new service pack is AL720_152_130

An installation is concurrent if:

The release level (XXX) is the same, and
The service pack level (YYY) currently installed on the system is the same or higher than the last disruptive service pack level (ZZZ) of the service pack to be installed.

Example: Currently installed service pack is AL720_126_120,  new service pack is AL720_143_120.

Firmware Information and Update Description

 
Filename Size Checksum md5sum
01AL770_122_032.rpm
41720513
26893
dad54d1d26bc4ed3725b0f91029f94d4

Note: The Checksum can be found by running the AIX sum command against the rpm file (only the first 5 digits are listed).
ie: sum 01AL770_122_032.rpm

AL770
For Impact, Severity and other Firmware definitions, Please refer to the below 'Glossary of firmware terms' url:
http://www14.software.ibm.com/webapp/set2/sas/f/power5cm/home.html#termdefs

The following Fix description table will only contain the N (current) and N-1 (previous) levels.
The complete Firmware Fix History (including HIPER descriptions) for this Release Level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html
AL770_122_032 / FW770.92

01/31/18
Impact: Security         Severity:  SPE

Response for Recent Security Vulnerabilities

  • In response to recently reported security vulnerabilities, this firmware update is being released to address Common Vulnerabilities and Exposures issue number CVE-2017-5715 for IBM i, along with updates for AIX and Linux, for the following models:
    1)  IBM Power 720 Express (8202- E4D)
    2)  IBM Power 740 Express (8205- E6D)
    3)  IBM Smart Analytics System 7700 R1.1 (8493-SV6)
    4)  IBM Power 710 Express (8231- E1D)
    5)  IBM Power 710 Express (8268-E1D)
    6)  IBM Power 730 Express (8231- E2D)
    7)  IBM PowerLinux 7R1 (8246-L1D)
    8)  IBM PowerLinux 7R1 (8246-L1T)
    9)  IBM PowerLinux 7R2 (8246-L2D)
    10)  IBM PowerLinux 7R2 (8246-L2T)
AL770_120_032 / FW770.91

01/09/18
Impact: Security         Severity:  SPE

New features and functions

  • In response to recently reported security vulnerabilities, this firmware update is being released to address Common Vulnerabilities and Exposures issue numbers CVE-2017-5715,  CVE-2017-5753 and CVE-2017-5754.  Note that a subsequent FW release is required and will replace this FW update for CVE-2017-5715 for IBMi when available. In addition, Operating System updates are required in conjunction with this FW level for CVE-2017-5753 and CVE-2017-5754.
    The models addressed by this service pack update have the P7+ processor:
    1)  IBM Power 720 Express (8202- E4D)
    2)  IBM Power 740 Express (8205- E6D)
    3)  IBM Smart Analytics System 7700 R1.1 (8493-SV6)
    4) IBM Power 710 Express (8231- E1D)
    5) IBM Power 710 Express (8268-E1D)
    6) IBM Power 730 Express (8231- E2D)
    7) BM PowerLinux 7R1 (8246-L1D)
    8) IBM PowerLinux 7R1 (8246-L1T)
    9) IBM PowerLinux 7R2 (8246-L2D)
    10) IBM PowerLinux 7R2 (8246-L2T)
AL770_119_032 / FW770.90

12/13/17
Impact: Availability         Severity:  SPE
AL770_116_032 / FW770.80

05/23/17
Impact: Availability         Severity:  SPE
AL770_112_032 / FW770.70

07/27/16
Impact: Availability         Severity:  SPE
AL770_110_032 / FW770.61

12/16/15
Impact: Availability         Severity:  ATT
AL770_109_032 / FW770.60

08/05/15
Impact: Availability         Severity:  SPE
AL770_101_032 / FW770.51

04/21/15
Only HIPER fix descriptions are displayed for this service pack. 
The complete Firmware Fix History for this Release Level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html
Impact: Security         Severity:  HIPER

System firmware changes that affect all systems
  • On systems using Virtual Shared Processor Pools (VSPP), a problem was fixed for an inaccurate pool idle count over a small sampling period.

    A problem was corrected for a defect in an earlier service pack (AL770_098) that potentially caused an undetected corruption of firmware when the fix was concurrently activated. If the earlier service pack(AL770_098) was concurrently installed, a platform IPL will mitigate potential future exposure to the problem.
AL770_098_032 / FW770.50

01/12/15
Only HIPER fix descriptions are displayed for this service pack. 
The complete Firmware Fix History for this Release Level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html
Impact: Security         Severity:  HIPER

System firmware changes that affect certain systems
  • HIPER/Pervasive:  On systems using PowerVM firmware, a performance problem was fixed that may affect shared processor partitions where there is a mixture of dedicated and shared processor partitions with virtual IO connections, such as virtual ethernet or Virtual IO Server (VIOS) hosting, between them.  In high availability cluster environments this problem may result in a split brain scenario.
AL770_092_032 / FW770.41

09/26/14
Impact: Availability         Severity:  SPE
AL770_090_032 / FW770.40

06/26/14
Only HIPER fix descriptions are displayed for this service pack. 
The complete Firmware Fix History for this Release Level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html
Impact: Security         Severity:  HIPER

System firmware changes that affect all systems
  • HIPER/Pervasive:  A security problem was fixed in the OpenSSL (Secure Socket Layer) protocol that allowed clients and servers, via a specially crafted handshake packet, to use weak keying material for communication.  A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between the management console and the service processor.  The Common Vulnerabilities and Exposures issue number for this problem is CVE-2014-0224.
  • HIPER/Pervasive:  A security problem was fixed in OpenSSL for a buffer overflow in the Datagram Transport Layer Security (DTLS) when handling invalid DTLS packet fragments.  This could be used to execute arbitrary code on the service processor.  The Common Vulnerabilities and Exposures issue number for this problem is CVE-2014-0195.
  • HIPER/Pervasive:  Multiple security problems were fixed in the way that OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled to prevent denial of service.  These could cause the service processor to reset or unexpectedly drop connections to the management console when processing certain SSL commands.  The Common Vulnerabilities and Exposures issue numbers for these problems are CVE-2010-5298 and CVE-2014-0198.
  • HIPER/Pervasive:  A security problem was fixed in OpenSSL to prevent a denial of service when handling certain Datagram Transport Layer Security (DTLS) ServerHello requests. A specially crafted DTLS handshake packet could cause the service processor to reset.  The Common Vulnerabilities and Exposures issue number for this problem is CVE-2014-0221.
  • HIPER/Pervasive:  A security problem was fixed in OpenSSL to prevent a denial of service by using an exploit of a null pointer de-reference during anonymous Elliptic Curve Diffie Hellman (ECDH) key exchange.  A specially crafted handshake packet could cause the service processor to reset.  The Common Vulnerabilities and Exposures issue number for this problem is CVE-2014-3470.
AL770_076_032 / FW770.32

04/18/14
Only HIPER fix descriptions are displayed for this service pack. 
The complete Firmware Fix History for this Release Level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html
Impact: Security         Severity:  HIPER

System firmware changes that affect all systems
  • HIPER/Pervasive:  A  security problem was fixed in the OpenSSL Montgomery ladder implementation for the ECDSA (Elliptic Curve Digital Signature Algorithm) to protect sensitive information from being obtained with a flush and reload cache side-channel attack to recover ECDSA nonces from the service processor.  The Common Vulnerabilities and Exposures issue number is CVE-2014-0076.  The stolen ECDSA nonces could be used to decrypt the SSL sessions and compromise the Hardware Management Console (HMC) access password to the service processor.  Therefore, the HMC access password for the managed system should be changed after applying this fix.
  • HIPER/Pervasive:  A  security problem was fixed in the OpenSSL Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) to not allow Heartbeat Extension packets to trigger a buffer over-read to steal private keys for the encrypted sessions on the service processor.  The Common Vulnerabilities and Exposures issue number is CVE-2014-0160 and it is also known as the heartbleed vulnerability.  The stolen private keys could be used to decrypt the SSL sessions and and compromise the Hardware Management Console (HMC) access password to the service processor.  Therefore, the HMC access password for the managed system should be changed after applying this fix.
AL770_063_032 / FW770.31

01/14/14
Impact: Serviceability         Severity:  SPE
AL770_062_032 / FW770.30

12/10/13
Impact: Availability         Severity:  SPE
AL770_052_032 / FW770.21

08/07/13
Impact: Availability         Severity:  SPE
AL770_048_032 / FW770.20

05/17/13
Impact: Availability         Severity:  SPE
AL770_038_032 / FW770.10

03/21/13
Impact:  Availability      Severity:  SPE
AL770_032_032 / FW770.00

02/20/13
Impact:  New      Severity:  New

The complete Firmware Fix History (including HIPER descriptions) for this Release Level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html

4.0 How to Determine Currently Installed Firmware Level

For HMC managed systems:  From the HMC, select Updates in the navigation (left-hand) pane, then view the current levels of the desired server(s).

For standalone system running IBM i without an HMC: From a command line, issue DSPFMWSTS.

For standalone system running IBM AIX without an HMC: From a command line, issue lsmcode.

Alternately, use the Advanced System Management Interface (ASMI) Welcome pane. The current server firmware  appears in the top right corner. Example: AL710_yyy.


5.0 Downloading the Firmware Package

Follow the instructions on Fix Central. You must read and agree to the license agreement to obtain the firmware packages.

Note: If your HMC is not internet-connected you will need to download the new firmware level to a CD-ROM or ftp server.


6.0 Installing the Firmware

The method used to install new firmware will depend on the release level of firmware which is currently installed on your server. The release level can be determined by the prefix of the new firmware's filename.

Example: ALXXX_YYY_ZZZ

Where XXX = release level

HMC Managed Systems:

Instructions for installing firmware updates and upgrades on systems managed by an HMC can be found at:
http://www.ibm.com/support/knowledgecenter/8202-E4D/p7ha1/updupdates.htm

Systems not Managed by an HMC:

p Systems:
Instructions for installing firmware on systems that are not managed by an HMC can be found at:
http://www.ibm.com/support/knowledgecenter/8202-E4D/p7ha5/fix_serv_firm_kick.htm

IBM i Systems:
See "IBM Server Firmware and HMC Code Wizard":
http://www-912.ibm.com/s_dir/slkbase.NSF/DocNumber/408316083

NOTE: For all systems running with the IBM i Operating System, the following IBM i PTFs must be applied to all IBM i partitions prior to installing AL770_122:
NOTE: For all systems running with the IBM i Operating System and without an HMC attached, the following IBM i PTFs must be applied to all IBM i partitions in addition to the PTFs listed above, prior to installing AL770_122:
These PTFs can be ordered through Fix Central.

When ordering firmware for IBM i Operating System managed systems from Fix Central, choose "Select product", under Product Group specify "System i", under Product specify "IBM i", then Continue and specify the desired firmware PTF accordingly

7.0 Firmware History

The complete Firmware Fix History (including HIPER descriptions)  for this Release level can be reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html