Power7 System Firmware
Applies to: 8202-E4D; 8205-E6D;
8231-E1D; 8231-E2D; 8246-L1D; 8246-L2D;
8246-L1T; 8246-L2T, 8268-E1D and 8493-SV6.
This document provides information about the installation of
Licensed
Machine or Licensed Internal Code, which is sometimes referred to
generically
as microcode or firmware.
Contents
1.0
Systems Affected
This
package provides firmware for Power 710 (8231-E1D, 8268-E1D), Power
720 (8202-E4D), Power 730
(8231-E2D), Power 740 (8205-E6D, 8493-SV6), PowerLinux 7R1 (8246-L1D,
8246-L1T)
and PowerLinux
7R2 (8246-L2D, 8246-L2T) servers only.
The firmware level in this package is:
1.1 Minimum HMC Code Level
This section is intended to describe the "Minimum HMC Code Level"
required by the System Firmware to complete the firmware installation
process. When installing the System Firmware, the HMC level must be
equal to or higher than the "Minimum HMC Code Level" before starting
the system firmware update. If the HMC managing the server
targeted for the System Firmware update is running a code level lower
than the "Minimum HMC
Code Level" the firmware update will not proceed.
The
Minimum HMC Code level for
this firmware is: HMC V7 R7.7.0
(PTF MH01343) with Mandatory efix (PTF MH01345).
Although
the Minimum HMC Code level for this firmware is listed
above, HMC V7 R7.9.0
Service Pack 3
(PTF MH01546) with ifix (PTF
MH01699) or higher is
recommended.
Important: To prevent vulnerability to security issues, the HMC
should be updated to the above recommended level, prior to
installing this server firmware
level.
For information concerning HMC
releases and the latest PTFs,
go
to the following URL to access Fix Central:
http://www-933.ibm.com/support/fixcentral/
For specific fix level
information on key components of IBM
Power Systems running the AIX, IBM i and Linux operating systems, we
suggest using the Fix Level Recommendation Tool (FLRT):
http://www14.software.ibm.com/webapp/set2/flrt/home
NOTES:
-You must be logged in as hscroot in order for the
firmware
installation to complete correctly.
- Systems Director Management Console (SDMC) does not support this
System Firmware level.
2.0 Important
Information
F/C 5260, 5899, and EL11 (4-Port
Gigabit Ethernet PCI-Express Adapter) added to a system running AL770
system
firmware
If
a 4-Port Gigabit Ethernet PCI-Express Adapter (F/C 5260, 5899, or EL11)
is taken
from an existing system and installed in an 8202-E4D, 8205-E6D,
8231-E1D, 8231-E2D, 8246-L1D, 8246-L2D, 8246-L1T, or 8246-L2T system
running AL770 system firmware, there is a potential issue with the
adapter microcode. To resolve this issue, install the latest
Ethernet adapter firmware, version 10050160 (or higher), feature codes
5260, 5899, EL11.
This adapter firmware addresses a problem that causes IBM i network
install to fail (with SRC B2006110) on partitions running with AL770
system firmware on the models listed above. This fix is also
recommended for partitions running AIX, VIOS, and Linux operating
systems.
Downgrading firmware from any
given release level to an earlier release level is not recommended.
If you feel that it is
necessary to downgrade the firmware on
your system to an earlier release level, please contact your next level
of support.
IPv6 Support and Limitations
IPv6 (Internet Protocol version 6) is supported in the System
Management
Services (SMS) in this level of system firmware. There are several
limitations
that should be considered.
When configuring a network interface card (NIC) for remote IPL, only
the most recently configured protocol (IPv4 or IPv6) is retained. For
example,
if the network interface card was previously configured with IPv4
information
and is now being configured with IPv6 information, the IPv4
configuration
information is discarded.
A single network interface card may only be chosen once for the boot
device list. In other words, the interface cannot be configured for the
IPv6 protocol and for the IPv4 protocol at the same time.
Concurrent Firmware Updates
Concurrent system firmware update is only supported on HMC Managed
Systems
only.
Memory Considerations for
Firmware Upgrades
Firmware Release Level upgrades and Service Pack updates may consume
additional system memory.
Server firmware requires memory to support the logical partitions on
the server. The amount of memory required by the server firmware varies
according to several factors.
Factors influencing server firmware memory requirements include the
following:
- Number of logical partitions
- Partition environments of the logical
partitions
- Number of physical and virtual I/O devices
used by the logical partitions
- Maximum memory values given to the logical
partitions
Generally, you can estimate the amount of memory required by server
firmware to be approximately 8% of the system installed memory. The
actual amount required will generally be less than 8%. However, there
are some server models that require an absolute minimum amount of
memory for server firmware, regardless of the previously mentioned
considerations.
Additional information can be found at:
http://www.ibm.com/support/knowledgecenter/8202-E4D/p7hat/iphatlparmemory.htm
3.0 Firmware
Information
and Description
Use the following examples as a reference to determine whether your
installation
will be concurrent or disruptive.
For systems that are not managed by an HMC, the installation
of
system
firmware is always disruptive.
Note: The concurrent levels
of system firmware may, on occasion,
contain
fixes that are known as Deferred and/or Partition-Deferred. Deferred
fixes can be installed
concurrently, but will not be activated until the next IPL.
Partition-Deferred fixes can be installed concurrently, but will not be
activated until a partition reactivate is performed. Deferred
and/or Partition-Deferred
fixes,
if any, will be identified in the "Firmware Update Descriptions" table
of this document. For these types of fixes (Deferred and/or
Partition-Deferred) within a service pack, only the
fixes
in the service pack which cannot be concurrently activated are
deferred.
Note: The file names and service pack levels used in the
following
examples are for clarification only, and are not
necessarily levels that have been, or will be released.
System firmware file naming convention:
01ALXXX_YYY_ZZZ
- XXX is the release level
- YYY is the service pack level
- ZZZ is the last disruptive service pack level
NOTE: Values of service pack and last disruptive service pack
level
(YYY and ZZZ) are only unique within a release level (XXX). For
example,
01AL720_067_045 and 01AL770_098_032 are different service
packs.
An installation is disruptive if:
- The release levels (XXX) are different.
Example: Currently installed release is AL710, new release is AL720
- The service pack level (YYY) and the last disruptive
service
pack level (ZZZ) are the same.
Example: AL720_120_120 is disruptive, no matter what level of AL720 is
currently
installed on the system
- The service pack level (YYY) currently installed on the
system
is
lower than the last disruptive service pack level (ZZZ) of the service
pack to be installed.
Example: Currently installed service pack is AL720_120_120 and new
service
pack is AL720_152_130
An installation is concurrent if:
The release level (XXX) is the same, and
The service pack level (YYY) currently installed on the system
is the same or higher than the last disruptive service pack level (ZZZ)
of the service pack to be installed.
Example: Currently installed service pack is AL720_126_120,
new
service pack is AL720_143_120.
Firmware Information and Update Description
Filename |
Size |
Checksum |
md5sum |
01AL770_122_032.rpm
|
41720513
|
26893
|
dad54d1d26bc4ed3725b0f91029f94d4 |
Note: The Checksum can be found by running the AIX sum
command against
the rpm file (only the first 5 digits are listed).
ie: sum 01AL770_122_032.rpm
AL770
For Impact, Severity and other Firmware definitions, Please
refer to the below 'Glossary of firmware terms' url:
http://www14.software.ibm.com/webapp/set2/sas/f/power5cm/home.html#termdefs
The following Fix description table will
only contain the N (current) and N-1 (previous) levels.
The
complete Firmware Fix History
(including HIPER descriptions) for
this
Release Level can be
reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html
|
AL770_122_032 / FW770.92
01/31/18 |
Impact: Security
Severity: SPE
Response for Recent Security Vulnerabilities
- In response to recently reported security vulnerabilities,
this firmware update is being released to address Common
Vulnerabilities and Exposures issue number CVE-2017-5715 for IBM i,
along with updates for AIX and Linux, for the following models:
1) IBM Power 720 Express (8202- E4D)
2) IBM Power 740 Express (8205- E6D)
3) IBM Smart Analytics System 7700 R1.1 (8493-SV6)
4) IBM Power 710 Express (8231- E1D)
5) IBM Power 710 Express (8268-E1D)
6) IBM Power 730 Express (8231- E2D)
7) IBM PowerLinux 7R1 (8246-L1D)
8) IBM PowerLinux 7R1 (8246-L1T)
9) IBM PowerLinux 7R2 (8246-L2D)
10) IBM PowerLinux 7R2 (8246-L2T)
|
AL770_120_032 / FW770.91
01/09/18 |
Impact: Security
Severity: SPE
New features and functions
- In response to recently reported security vulnerabilities,
this firmware update is being released to address Common
Vulnerabilities and Exposures issue numbers CVE-2017-5715,
CVE-2017-5753 and CVE-2017-5754. Note that a subsequent FW
release is required and will replace this FW update for CVE-2017-5715
for IBMi when available. In addition, Operating System updates are
required in conjunction with this FW level for CVE-2017-5753 and
CVE-2017-5754.
The models addressed by this service pack update have the P7+ processor:
1) IBM Power 720 Express (8202- E4D)
2) IBM Power 740 Express (8205- E6D)
3) IBM Smart Analytics System 7700 R1.1 (8493-SV6)
4) IBM Power 710 Express (8231- E1D)
5) IBM Power 710 Express (8268-E1D)
6) IBM Power 730 Express (8231- E2D)
7) BM PowerLinux 7R1 (8246-L1D)
8) IBM PowerLinux 7R1 (8246-L1T)
9) IBM PowerLinux 7R2 (8246-L2D)
10) IBM PowerLinux 7R2 (8246-L2T)
|
AL770_119_032 / FW770.90
12/13/17 |
Impact: Availability
Severity: SPE |
AL770_116_032 / FW770.80
05/23/17 |
Impact: Availability
Severity: SPE |
AL770_112_032 / FW770.70
07/27/16 |
Impact: Availability
Severity: SPE |
AL770_110_032 / FW770.61
12/16/15 |
Impact: Availability
Severity: ATT
|
AL770_109_032 / FW770.60
08/05/15 |
Impact: Availability
Severity: SPE |
AL770_101_032 / FW770.51
04/21/15 |
Impact: Security
Severity: HIPER
System firmware changes that affect all systems
- On systems using Virtual Shared Processor Pools (VSPP), a
problem was fixed for an inaccurate pool idle count over a small
sampling period.
A problem was corrected for a defect in an earlier service pack
(AL770_098) that potentially caused an undetected corruption of
firmware when the fix was concurrently activated. If the earlier
service pack(AL770_098) was concurrently installed, a platform IPL will
mitigate potential future exposure to the problem.
|
AL770_098_032 / FW770.50
01/12/15 |
Impact: Security
Severity: HIPER
System firmware changes that affect certain systems
- HIPER/Pervasive:
On systems using PowerVM firmware, a performance problem was fixed that
may affect shared processor partitions where there is a mixture of
dedicated and shared processor partitions with virtual IO connections,
such as virtual ethernet or Virtual IO Server (VIOS) hosting, between
them. In high availability cluster environments this problem may
result in a split brain scenario.
|
AL770_092_032 / FW770.41
09/26/14 |
Impact: Availability
Severity: SPE
|
AL770_090_032 / FW770.40
06/26/14 |
Impact: Security
Severity: HIPER
System firmware changes that affect all systems
- HIPER/Pervasive:
A
security problem was fixed in the OpenSSL (Secure Socket Layer)
protocol that allowed clients and servers, via a specially crafted
handshake packet, to use weak keying material for communication.
A
man-in-the-middle attacker could use this flaw to decrypt and modify
traffic between the management console and the service processor.
The
Common Vulnerabilities and Exposures issue number for this problem is
CVE-2014-0224.
- HIPER/Pervasive:
A
security problem was fixed in OpenSSL for a buffer overflow in the
Datagram Transport Layer Security (DTLS) when handling invalid DTLS
packet fragments. This could be used to execute arbitrary code on
the
service processor. The Common Vulnerabilities and Exposures issue
number for this problem is CVE-2014-0195.
- HIPER/Pervasive:
Multiple security problems were fixed in the way that OpenSSL handled
read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was
enabled to prevent denial of service. These could cause the
service
processor to reset or unexpectedly drop connections to the management
console when processing certain SSL commands. The Common
Vulnerabilities and Exposures issue numbers for these problems are
CVE-2010-5298 and CVE-2014-0198.
- HIPER/Pervasive:
A
security problem was fixed in OpenSSL to prevent a denial of service
when handling certain Datagram Transport Layer Security (DTLS)
ServerHello requests.
A specially crafted DTLS handshake packet could cause the service
processor to reset. The Common Vulnerabilities and Exposures
issue
number for this problem is CVE-2014-0221.
- HIPER/Pervasive:
A
security problem was fixed in OpenSSL to prevent a denial of service by
using an exploit of a null pointer de-reference during anonymous
Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially
crafted
handshake packet could cause the service processor to reset. The
Common Vulnerabilities and Exposures issue number for this problem is
CVE-2014-3470.
|
AL770_076_032 / FW770.32
04/18/14 |
Impact: Security
Severity: HIPER
System firmware changes that affect all systems
- HIPER/Pervasive:
A security problem was fixed in the OpenSSL Montgomery ladder
implementation for the ECDSA (Elliptic Curve Digital Signature
Algorithm) to protect sensitive information from being obtained with a
flush and reload cache side-channel attack to recover ECDSA nonces from
the service processor. The Common Vulnerabilities and Exposures
issue number is CVE-2014-0076. The stolen ECDSA nonces could be
used to decrypt the SSL sessions and compromise the Hardware Management
Console (HMC) access password to the service processor.
Therefore, the HMC access password for the managed system should be
changed after applying this fix.
- HIPER/Pervasive:
A security problem was fixed in the OpenSSL Transport Layer
Security (TLS) and Datagram Transport Layer Security (DTLS) to not
allow Heartbeat Extension packets to trigger a buffer over-read to
steal private keys for the encrypted sessions on the service
processor. The Common Vulnerabilities and Exposures issue number
is CVE-2014-0160 and it is also known as the heartbleed
vulnerability. The stolen private keys could be used to decrypt
the SSL sessions and and compromise the Hardware Management Console
(HMC) access password to the service processor. Therefore, the
HMC access password for the managed system should be changed after
applying this fix.
|
AL770_063_032 / FW770.31
01/14/14 |
Impact: Serviceability
Severity: SPE |
AL770_062_032 / FW770.30
12/10/13 |
Impact: Availability
Severity: SPE |
AL770_052_032 / FW770.21
08/07/13 |
Impact: Availability
Severity: SPE |
AL770_048_032 / FW770.20
05/17/13 |
Impact: Availability
Severity: SPE
|
AL770_038_032 / FW770.10
03/21/13 |
Impact:
Availability
Severity: SPE |
AL770_032_032 / FW770.00
02/20/13 |
Impact:
New
Severity: New |
|
The
complete Firmware Fix History (including HIPER descriptions) for this
Release Level can be
reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html |
4.0
How to Determine Currently Installed Firmware Level
For HMC managed systems:
From the HMC, select Updates in the navigation (left-hand) pane, then
view the current levels of the desired server(s).
For
standalone system running IBM i
without an HMC:
From a command line, issue DSPFMWSTS.
For standalone system running IBM AIX
without an HMC:
From a command line, issue lsmcode.
Alternately, use the Advanced System
Management Interface (ASMI) Welcome pane. The current server
firmware appears in the top right
corner.
Example: AL710_yyy.
5.0
Downloading the Firmware Package
Follow the instructions on Fix Central. You must read and agree to
the
license agreement to obtain the firmware packages.
Note: If your HMC is not internet-connected you will need
to
download
the new firmware level to a CD-ROM or ftp server.
6.0 Installing the
Firmware
The method used to install new firmware will depend on the release
level
of firmware which is currently installed on your server. The release
level
can be determined by the prefix of the new firmware's filename.
Example: ALXXX_YYY_ZZZ
Where XXX = release level
- If the release level will stay the same (Example: Level
AL710_075_075
is
currently installed and you are attempting to install level
AL710_081_075)
this is considered an update.
- If the release level will change (Example: Level AL710_081_075 is
currently
installed and you are attempting to install level AL720_096_096) this
is
considered an upgrade.
HMC Managed Systems:
Instructions for installing firmware updates and upgrades on
systems
managed by an HMC can be found at:
http://www.ibm.com/support/knowledgecenter/8202-E4D/p7ha1/updupdates.htm
Systems not Managed by an HMC:
p Systems:
Instructions for installing firmware on systems that are not
managed
by an HMC can be found at:
http://www.ibm.com/support/knowledgecenter/8202-E4D/p7ha5/fix_serv_firm_kick.htm
IBM i Systems:
See "IBM Server Firmware and HMC Code Wizard":
http://www-912.ibm.com/s_dir/slkbase.NSF/DocNumber/408316083
NOTE: For all systems running
with
the IBM i Operating System, the following IBM i PTFs must be applied to
all IBM i partitions prior to installing AL770_122:
- V7R1M0 - MF51869
- V6R1M1 - MF51864
NOTE: For all systems running
with the IBM i Operating System and without an HMC attached, the
following IBM i PTFs must be applied to all IBM i partitions in
addition to the PTFs listed above, prior to installing AL770_122:
- V7R1M0 - MF51814 and SI41153:
- V6R1M1 - MF51225
These PTFs can be ordered through Fix Central.
When ordering firmware for IBM i Operating System managed systems from
Fix Central, choose "Select product", under Product Group specify
"System i", under Product specify "IBM i", then Continue and specify
the desired firmware PTF accordingly
7.0 Firmware History
The complete Firmware Fix History (including HIPER descriptions)
for this Release level can be
reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AL-IOCp-Firmware-Hist.html