Power7 System Firmware
Applies to: 8248-L4T, 8408-E8D, 9109-RMD, 9117-MMC
and
9179-MHC
This document provides information about the installation of
Licensed
Machine or Licensed Internal Code, which is sometimes referred to
generically
as microcode or firmware.
Contents
1.0
Systems Affected
This package provides firmware for Power 750 (8408-E8D), Power
760 (9109-RMD), Power 770 (9117-MMC), Power
780 (9179-MHC) and PowerLinux 7R4 (8248-L4T) servers
only.
The firmware level in this package is:
1.1 Minimum HMC Code Level
This section is intended to describe the "Minimum HMC Code Level"
required by the System Firmware to complete the firmware installation
process. When installing the System Firmware, the HMC level must be
equal to or higher than the "Minimum HMC Code Level" before starting
the system firmware update. If the HMC managing the server
targeted for the System Firmware update is running a code level lower
than the "Minimum HMC
Code Level" the firmware update will not proceed.
Note: Due to security enhancements and
their impact on the ability to use ASM at older HMC levels, the Minimum
and Recommended HMC Code level for this firmware is listed below:
HMC V7 R7.9.0
Service Pack 3
(PTF MH01546) with ifix (PTF
MH01699) or higher is
recommended.
Important:
To avoid
vulnerability to security or known HMC issues, the HMC
should be updated to the above recommended level (or higher),
prior to
installing this server firmware
level.
Note: V7 R790 SP3 : HMC V7.R790 is the
last HMC release to support HMC Models CR4, CR3, C07, C06, C05
For
information
concerning HMC releases and the latest PTFs,
go
to the following URL to access Fix Central.
http://www-933.ibm.com/support/fixcentral/
For specific fix level
information on key components of IBM
Power Systems running the AIX, IBM i and Linux operating systems, we
suggest using the Fix Level Recommendation Tool (FLRT):
http://www14.software.ibm.com/webapp/set2/flrt/home
NOTES:
-You must be logged in as hscroot in order for the
firmware
installation to complete correctly.
- Systems Director Management Console (SDMC) does not support this
System Firmware level.
2.0 Important
Information
Downgrading firmware from any
given release level to an earlier release level is not recommended.
If you feel that it is
necessary to downgrade the firmware on
your system to an earlier release level, please contact your next level
of support.
IPv6 Support and Limitations
IPv6 (Internet Protocol version 6) is supported in the System
Management
Services (SMS) in this level of system firmware. There are several
limitations
that should be considered.
When configuring a network interface card (NIC) for remote IPL, only
the most recently configured protocol (IPv4 or IPv6) is retained. For
example,
if the network interface card was previously configured with IPv4
information
and is now being configured with IPv6 information, the IPv4
configuration
information is discarded.
single network interface card may only be chosen once for the
boot
device list. In other words, the interface cannot be configured for the
IPv6 protocol and for the IPv4 protocol at the same time.
Concurrent Firmware Updates
Concurrent system firmware update is only supported on HMC
Managed
Systems
only.
Memory Considerations for Firmware Upgrades
Firmware Release Level upgrades and Service Pack updates may consume
additional system memory.
Server firmware requires memory to support the logical partitions on
the server. The amount of memory required by the server firmware varies
according to several factors.
Factors influencing server firmware memory requirements include the
following:
- Number of logical partitions
- Partition environments of the logical
partitions
- Number of physical and virtual I/O devices
used by the logical partitions
- Maximum memory values given to the logical
partitions
Generally, you can estimate the amount of memory required by server
firmware to be approximately 8% of the system installed memory. The
actual amount required will generally be less than 8%. However, there
are some server models that require an absolute minimum amount of
memory for server firmware, regardless of the previously mentioned
considerations.
Additional information can be found at:
https://www.ibm.com/support/knowledgecenter/8408-E8D/p7hat/iphatlparmemory.htm
3.0 Firmware
Information
and Description
Use the following examples as a reference to determine whether your
installation
will be concurrent or disruptive.
For systems that are not managed by an HMC, the installation
of
system
firmware is always disruptive.
Note: The concurrent levels
of system firmware may, on occasion,
contain
fixes that are known as Deferred and/or Partition-Deferred. Deferred
fixes can be installed
concurrently, but will not be activated until the next IPL.
Partition-Deferred fixes can be installed concurrently, but will not be
activated until a partition reactivate is performed. Deferred
and/or Partition-Deferred
fixes,
if any, will be identified in the "Firmware Update Descriptions" table
of this document. For these types of fixes (Deferred and/or
Partition-Deferred) within a service pack, only the
fixes
in the service pack which cannot be concurrently activated are
deferred.
Note: The file names and service pack levels used in the
following
examples are for clarification only, and are not
necessarily levels that have been, or will be released.
System firmware file naming convention:
01AMXXX_YYY_ZZZ
- XXX is the release level
- YYY is the service pack level
- ZZZ is the last disruptive service pack level
NOTE: Values of service pack and last disruptive service pack
level
(YYY and ZZZ) are only unique within a release level (XXX). For
example,
01AM720_067_045 and 01AM740_067_053 are different service
packs.
An installation is disruptive if:
- The release levels (XXX) are different.
Example: Currently installed release is AM710, new release is AM720
- The service pack level (YYY) and the last disruptive
service
pack level (ZZZ) are the same.
Example: AM720_120_120 is disruptive, no matter what level of AM720 is
currently
installed on the system
- The service pack level (YYY) currently installed on the
system
is
lower than the last disruptive service pack level (ZZZ) of the service
pack to be installed.
Example: Currently installed service pack is AM720_120_120 and new
service
pack is AM720_152_130
An installation is concurrent if:
The release level (XXX) is the same, and
The service pack level (YYY) currently installed on the system
is the same or higher than the last disruptive service pack level (ZZZ)
of the service pack to be installed.
Example: Currently installed service pack is AM720_126_120,
new
service pack is AM720_143_120.
Firmware Information and Update Description
Filename |
Size |
Checksum |
md5sum |
01AM770_122_032.rpm |
44044710
|
29613
|
d31e9088fc5e6503562b460e81e404f5
|
Note: The Checksum can be found by running the AIX sum
command against
the rpm file (only the first 5 digits are listed).
ie: sum 01AM770_122_032.rpm
AM770
For Impact, Severity and other Firmware definitions, Please
refer to the below 'Glossary of firmware terms' url:
http://www14.software.ibm.com/webapp/set2/sas/f/power5cm/home.html#termdefs
The following Fix description table will
only contain the N (current) and N-1 (previous) levels.
The complete Firmware Fix History
(including HIPER descriptions) for this
Release Level can be
reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html
|
AM770_122_032 / FW770.92
01/31/18 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Security
Severity: SPE
Response for Recent Security Vulnerabilities
- In response to recently reported security vulnerabilities,
this firmware update is being released to address Common
Vulnerabilities and Exposures issue number CVE-2017-5715. In
addition, Operating System updates are available to mitigate the
CVE-2017-5753 and CVE-2017-5754 security issues. This pertains to the
following models:
1) IBM Power 770 (9117-MMC)
2) IBM Power 780 (9179-MHC)
This firmware update also addresses CVE-2017-5715 for IBM i, along with
updates for AIX and Linux, for the following models:
1) IBM Power 750 Express (8408-E8D)
2) IBM Power 760 (9109-RMD)
3) IBM PowerLinux 7R4 (8248-L4T)
|
AM770_120_032 / FW770.91
01/09/18 |
Systems
8408-E8D; 8248-L4T; and 9109-RMD ONLY
Impact: Security
Severity: SPE
New features and functions
- In response to recently reported security vulnerabilities,
this firmware update is being released to address Common
Vulnerabilities and Exposures issue numbers CVE-2017-5715,
CVE-2017-5753 and CVE-2017-5754. Note that a subsequent FW
release is required and will replace this FW update for CVE-2017-5715
for IBMi when available. In addition, Operating System updates
are required in conjunction with this FW level for CVE-2017-5753 and
CVE-2017-5754.
The models addressed by this service pack update have the P7+
processor:
1) IBM Power 750 Express (8408-E8D)
2) IBM Power 760 (9109-RMD)
3) IBM PowerLinux 7R4 (8248-L4T)
|
AM770_119_032 / FW770.90
12/13/17 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Availability
Severity: SPE |
AM770_116_032 / FW770.80
05/23/17 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Availability
Severity: SPE |
AM770_112_032 / FW770.70
07/27/16 |
Impact: Performance
Severity: SPE
Concurrent hot add/repair
maintenance (CHARM) firmware fixes
- DEFERRED: A
problem was fixed for a I/O performance slow-down that can occur after
a concurrent repair of a GX bus I/O adapter with a Feature Code of
#1808 or #1914. A re-IPL of the system after the concurrent
repair operation corrects the I/O performance issue. This fix
requires an IPL of the system to take effect.
This problem only pertains to the IBM Power 770 (9117-MMC) and the IBM
Power 780 (9179-MHC).
|
AM770_110_032 / FW770.61
12/16/15 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Availability
Severity: ATT |
AM770_109_032 / FW770.60
08/05/15 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Availability
Severity: SPE |
AM770_101_032 / FW770.51
04/21/15 |
Impact: Security
Severity: HIPER
System firmware changes that affect all systems
- On systems using Virtual Shared Processor Pools (VSPP), a
problem was fixed for an inaccurate pool idle count over a small
sampling period.
A problem was corrected for a defect in an earlier service pack
(AM770_098) that potentially caused an undetected corruption of
firmware when the fix was concurrently activated. If the earlier
service pack(AM770_098) was concurrently installed, a platform IPL will
mitigate potential future exposure to the problem.
|
AM770_098_032 / FW770.50
01/12/15 |
Impact: Security
Severity: HIPER
System firmware changes that affect certain systems
- HIPER/Pervasive:
On systems
using PowerVM firmware, a performance problem was fixed that may affect
shared processor partitions where there is a mixture of dedicated and
shared processor partitions with virtual IO connections, such as
virtual ethernet or Virtual IO Server (VIOS) hosting, between
them. In
high availability cluster environments this problem may result in a
split brain scenario.
- DEFERRED: A
performance
problem was fixed for PCIe slot C4 which was missing a dedicated
internal data buffer, making it a bottleneck when using certain
high-performance IO adapters. The PCIe slot C4 is now assigned a
data
capability of 16 GB. This fix pertains only to the IBM Power 750
Express (8408-E8D), IBM Power 760 (9109-RMD), and IBM PowerLinux 7R4
(8248-L4T) systems. This deferred fix addresses a potential
performance problem but not an error condition. As such,
customers
may wait for the next planned service window to activate the deferred
fix via a system reboot.
|
AM770_092_032 / FW770.41
09/26/14 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Availability
Severity: SPE |
AM770_090_032 / FW770.40
06/26/14 |
Impact: Security
Severity: HIPER
System firmware changes that affect all systems
- HIPER/Pervasive:
A
security problem was fixed in the OpenSSL (Secure Socket Layer)
protocol that allowed clients and servers, via a specially crafted
handshake packet, to use weak keying material for communication.
A
man-in-the-middle attacker could use this flaw to decrypt and modify
traffic between the management console and the service processor.
The
Common Vulnerabilities and Exposures issue number for this problem is
CVE-2014-0224.
- HIPER/Pervasive:
A
security problem was fixed in OpenSSL for a buffer overflow in the
Datagram Transport Layer Security (DTLS) when handling invalid DTLS
packet fragments. This could be used to execute arbitrary code on
the
service processor. The Common Vulnerabilities and Exposures issue
number for this problem is CVE-2014-0195.
- HIPER/Pervasive:
Multiple security problems were fixed in the way that OpenSSL handled
read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was
enabled to prevent denial of service. These could cause the
service
processor to reset or unexpectedly drop connections to the management
console when processing certain SSL commands. The Common
Vulnerabilities and Exposures issue numbers for these problems are
CVE-2010-5298 and CVE-2014-0198.
- HIPER/Pervasive:
A
security problem was fixed in OpenSSL to prevent a denial of service
when handling certain Datagram Transport Layer Security (DTLS)
ServerHello requests.
A specially crafted DTLS handshake packet could cause the service
processor to reset. The Common Vulnerabilities and Exposures
issue
number for this problem is CVE-2014-0221.
- HIPER/Pervasive:
A
security problem was fixed in OpenSSL to prevent a denial of service by
using an exploit of a null pointer de-reference during anonymous
Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially
crafted
handshake packet could cause the service processor to reset. The
Common Vulnerabilities and Exposures issue number for this problem is
CVE-2014-3470.
|
AM770_076_032 / FW770.32
04/18/14 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Security
Severity: HIPER
System firmware changes that affect all systems
- HIPER/Pervasive:
A security problem was fixed in the OpenSSL Montgomery ladder
implementation for the ECDSA (Elliptic Curve Digital Signature
Algorithm) to protect sensitive information from being obtained with a
flush and reload cache side-channel attack to recover ECDSA nonces from
the service processor. The Common Vulnerabilities and Exposures
issue number is CVE-2014-0076. The stolen ECDSA nonces could be
used to decrypt the SSL sessions and compromise the Hardware Management
Console (HMC) access password to the service processor.
Therefore, the HMC access password for the managed system should be
changed after applying this fix.
- HIPER/Pervasive:
A security problem was fixed in the OpenSSL Transport Layer
Security (TLS) and Datagram Transport Layer Security (DTLS) to not
allow Heartbeat Extension packets to trigger a buffer over-read to
steal private keys for the encrypted sessions on the service
processor. The Common Vulnerabilities and Exposures issue number
is CVE-2014-0160 and it is also known as the heartbleed
vulnerability. The stolen private keys could be used to decrypt
the SSL sessions and and compromise the Hardware Management Console
(HMC) access password to the service processor. Therefore, the
HMC access password for the managed system should be changed after
applying this fix.
|
AM770_063_032 / FW770.31
01/14/14 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Serviceability
Severity: SPE
|
AM770_062_032 / FW770.30
12/10/13 |
Impact: Availability
Severity: SPE
System firmware changes that affect certain systems
- DEFERRED: On
Power7 systems, a problem was fixed that caused a system checkstop
during hypervisor time keeping services. This deferred fix addresses a
problem that has a very low probability of occurrence. As such
customers may wait for the next planned service window to activate the
deferred fix via a system reboot.
- DEFERRED: On Power7
systems, a problem was fixed that caused a system checkstop with SRC
B113E504 for a
recoverable hardware fault. This deferred fix addresses a problem
that has a very low probability of occurrence. As such customers
may wait for the next planned service window to activate the deferred
fix via a system reboot.
|
AM770_052_032 / FW770.21
08/07/13 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Availability
Severity: SPE |
AM770_048_032 / FW770.20
05/17/13 |
Systems
8408-E8D; 8248-L4T; 9109-RMD;
9117-MMC and
9179-MHC ONLY
Impact: Availability
Severity: SPE |
AM770_038_032 / FW770.10
03/21/13 |
Systems
8408-E8D and 9109-RMD ONLY
Impact:
New
Severity: New |
|
The
complete Firmware Fix History (including HIPER descriptions) for this
Release Level can be
reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html |
4.0
How to Determine Currently Installed Firmware Level
For HMC managed systems:
From the HMC, select Updates in the navigation (left-hand) pane, then
view the current levels of the desired server(s).
Alternately,
use the Advanced System
Management Interface (ASMI) Welcome pane. The current server
firmware appears in the top right
corner.
Example: AM760_yyy.
5.0
Downloading the Firmware Package
Follow the instructions on Fix Central. You must read and agree to
the
license agreement to obtain the firmware packages.
Note: If your HMC is not internet-connected you will need
to
download
the new firmware level to a CD-ROM or ftp server.
6.0 Installing the
Firmware
The method used to install new firmware will depend on the release
level
of firmware which is currently installed on your server. The release
level
can be determined by the prefix of the new firmware's filename.
Example: AMXXX_YYY_ZZZ
Where XXX = release level
- If the release level will stay the same (Example: Level
AM710_075_075
is
currently installed and you are attempting to install level
AM710_081_075)
this is considered an update.
- If the release level will change (Example: Level AM710_081_075 is
currently
installed and you are attempting to install level AM720_097_096) this
is
considered an upgrade.
HMC Managed Systems:
Instructions for installing firmware updates and upgrades on
systems
managed by an HMC can be found at:
https://www.ibm.com/support/knowledgecenter/8408-E8D/p7ha1/updupdates.htm
Systems not Managed by an HMC:
Power Systems:
Instructions for installing firmware on systems that are not
managed
by an HMC can be found at:
https://www.ibm.com/support/knowledgecenter/8408-E8D/p7ha5/fix_serv_firm_kick.htm
IBM i Systems:
See "IBM Server Firmware and HMC Code Wizards":
http://www-912.ibm.com/s_dir/slkbase.NSF/DocNumber/408316083
NOTE:
For all systems running with
the IBM i Operating System, the following IBM i PTFs must be applied to
all IBM i partitions prior to installing AM770_122:
- V7R1M0 - MF51869
- V6R1M1 - MF51864
These PTFs can be ordered through Fix Central.
When ordering firmware for IBM i Operating System managed systems from
Fix Central, choose "Select product", under Product Group specify
"System i", under Product specify "IBM i", then Continue and specify
the desired firmware PTF accordingly
7.0 Firmware History
The complete Firmware Fix History (including HIPER descriptions) for
this Release Level can be
reviewed at the following url:
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/AM-IOC-Firmware-Hist.html
8.0
Change History
Date
|
Description
|
February 26, 2018 |
Fix Description update for
AM770_122 / FW770.92.
|