TITLE: HPE Superdome Flex Server Firmware Bundle (for installation from
RMC)
VERSION:
Bundle Version: 3.80.24
VERSION
3.80.24
contains:
Expected: 3.80.24
COMPLEX_METADATA: 3.80.24
FWU: 2.50.0-20220104-073421
NPAR_METADATA: 3.80.24
RMC: 2.110.91
RMC_EMMC: 2.110.91
UV400_BIOS: 7.9.6.20230812_173339
UV400_BMC: 2.110.91
UV400_BMC_BASEIO_P0003171_002_PLD: 12.2.32
UV400_BMC_BASEIO_P0003171_003_PLD: 12.3.36
UV400_BMC_BMC_P0004912_001_PLD: 10.1.8
UV400_BMC_EMMC: 2.110.91
UV400_BMC_FWU_TOOLS: 2.110.91
UV400_BMC_HARP_P0003240_001_PLD: 11.1.19
UV400_BMC_NODE_P0001924_003_PLD: 13.3.61
UV400_BMC_PWR_BRD_1_ENV_PSOC: 36.1.1
UV400_BMC_PWR_BRD_1_PS_PSOC: 35.1.16
UV400_HARP_FPGA_1590_B100: 1590_b100-0a
UV400_HARP_FPGA_1590_B101: 1590_b101-0a
UV400_HARP_FPGA_1590_B102: 1590_b102-0a
Chassis r001i01b: 3.80.24
UV400_BIOS: 7.9.6.20230812_173339
FWU: 2.50.0-20220104-073421
UV400_BMC_FWU_TOOLS: 2.110.91
UV400_BMC_BASEIO_P0003171_003_PLD: 12.3.36
UV400_BMC_HARP_P0003240_001_PLD: 11.1.19
UV400_BMC_NODE_P0001924_003_PLD: 13.3.61
UV400_BMC_PWR_BRD_1_PS_PSOC: 35.1.16
UV400_BMC_PWR_BRD_1_ENV_PSOC: 36.1.1
UV400_HARP_FPGA_1590_B101: 1590_b101-0a
UV400_BMC_EMMC: 2.110.91
UV400_BMC: 2.110.91
NPAR_METADATA: 3.80.24
COMPLEX_METADATA: 3.80.24
DESCRIPTION:
This
bundle contains the firmware file for updating the HPE Superdome Flex server
firmware from the RMC. This file updates the server BIOS firmware as well as
firmware on the RMC (Rack Management Controller) and on the BMCs (Board
Management Controller).
Note:
·
To comply with Open Source requirements, the Open
Source used in Superdome Flex RMC/BMC firmware is provided in the tar file
foss_SDFlex_2.9.tar.gz available at this link
UPDATE RECOMMENDATION: Recommended
[ ]
Critical
[ ] Panic,
[ ] Hang, [ ] Abort, [ ] Corruption, [ ] Memory Leak, [ ] Performance
[] Security
[ ]
Hardware Enablement, [ ] Software Enablement
[ ] Required
[X ] Recommended
[ ] Optional
[ ]
Hardware Enablement, [ ] Software Enablement, [ ] non-critical
[ ] Initial Customer Release
SUPERSEDES:
Version: 3.70.34
PRODUCT MODEL(S):
HPE
Superdome Flex Server
OPERATING SYSTEMS:
Supported on Superdome Flex
systems with Intel Xeon® Scalable processors
62XX/82XX:
Supported
with DDR4 and PMEM
1 Oracle Linux 7.5 (or
later) with PMEM support (kernel 4.14.35-1902.7.2 or higher, storage mode
only) with UEK 5
2 Windows Server 2016 Not supported
with PMEM
3
Windows
Server 2019, 2022 - up to 16 socket/24TB HPE
Persistent Memory
(*) Note:
- UEK6
was first released with Oracle Linux 8.2 and 7.9 and was included in the install media. The Oracle Linux 7.8 (and earlier) install media contains UEK5. The Oracle Linux 7.9 install media contains UEK6. When updating to Oracle Linux
7.9 you can choose whether to remain on UEK5 or upgrade to UEK6. For more
information, see UEK Linux documentation from Oracle.
- Secure boot mode with Oracle UEK 6 is supported with Oracle
Linux UEK 6 Update 3 (or later)
(**) Note:
- Support of Oracle Linux 9 with UEK 7 requires using HFS
2.4.5(B) or later
- For support
of Oracle Linux 8.6 with UEK 7, see Customer Notice a00127601
- HPE does not support secure boot mode with
Oracle UEK 7 at this time. This is due to a known
issue with Oracle UEK 7 with secure boot and vendor signed kernel modules. HPE
is working with Oracle to resolve the issue. Customers needing a secure boot
environment with Oracle Linux are advised to use Oracle Linux with Red Hat
Compatible Kernel versions.
Note: For
latest information on configurations supported with PMM (HPE Persistent
Memory), see the HPE
Persistent Memory Guide for HPE Superdome Flex as well as the white papers “Installing and
Running Microsoft Windows Server 2019 and Windows Server 2022 on HPE Superdome
Flex Server” and “Running
Linux on HPE Superdome Flex Server”.
Supported on Superdome Flex systems with Intel
Xeon® Scalable processors
61XX/81XX
Supported with DDR4 DIMMs only (no
support of PMM):
·
VMware 6.5 U1/U2/U3, 6.7, 6.7 U1/U2/U3, 7.0, 7.0
U1/U2/U3, 8.0, 8.0 U1
Note: For more details
on VMware support and certifications, check the “Running VMware vSphere
on HPE Superdome Flex Server” white
paper.
LANGUAGES:
International
English
ENHANCEMENTS:
· Added Support for push-based firmware update through RMC redfish interface
FIXES:
·
Firmware includes Intel Reference
Code IPU 2023.3
·
Firmware includes
latest revision of Intel Microcode 05003604 (50657), 04003604 (50656) and
02007006 (50654), that provides mitigation for CVE-2022-40982.
Details
can be found here.
·
While running MemOfflineTest,
firmware completes the Post Package Repair(PPR)
gracefully even when the reported DIMM row faults exceed the clump limit.
·
OpenSSL upgrade (1.0.2zh )
addressed security vulnerabilities CVE-2023-2650, CVE-2023-0465, CVE-2023-0466,
CVE-2023-0464, CVE-2023-0286, CVE-2023-0215, CVE-2022-4304, CVE-2022-2068 and
CVE-2022-1292
· Fixed
an issue where CLI ‘show uvdmp’ command failing
with error “Error: 'utf-8' codec can't decode byte”
·
Fixed an issue where the CLI ‘show fabric’
command was not showing proper data until next successful test fabric command.
·
Fixed an issue where RMC reporting BMC as not
configured.
·
Fixed an issue where the chassis details are not
getting populated in RMC redfish after chassis AC cycle.
COMPATIBILITY:
· OneView supported features:
o
OneView version 5.00 (or later) allows monitoring and management of
HPE Superdome Flex servers with firmware version 3.20.186 or later.
o
OneView version 7.1 (or later) can now notify users when a new Superdome
Flex server firmware version (3.60.x or later) becomes available on HPESC (HPE
Support Center).
o
OneView version 7.2 (or later) allows to create/edit/delete Superdome
Flex partitions with Superdome Flex server firmware version 3.40.x or later.
·
It is
recommended to use this firmware along with HPE Superdome Flex I/O Service Pack
version 2022.09 and HFS (HPE
Foundation Software) version 2.4.6 (Linux only) as well as the latest DCD
version 3.6.4.1:
o See the Superdome Flex support matrix: HPE Superdome
Flex Release Sets
· For additional OS specific information,
please see:
o For VMware, the “Running VMware vSphere
on HPE Superdome Flex Server” white paper.
o For Windows, the “Running Microsoft
Windows Server on HPE Superdome Flex Server” white paper (for Windows 2016)
and “Installing
and Running Microsoft Windows Server 2019 and Windows Server 2022 on HPE
Superdome Flex Server” (for Windows 2019 and 2022).
o
For Linux, the
“Running Linux on HPE
Superdome Flex Server” white paper as well as the “HPE Superdome Flex
Server OS Installation Guide” at https://www.hpe.com/support/superdome-flex-os
PREREQUISITES:
IMPORTANT:
·
For systems running with Secure Boot enabled, all vulnerable signed UEFI
OS boot loaders and applications that are expected to boot must be updated
before applying or installing the default DBX key.
Note: Failure to install application
updates before the new DBX installation may result in a situation where the
server will not boot. If that situation occurs, Secure Boot will need to be
disabled until the vulnerable applications and bootloaders are updated.
Note:
1.
Isolate the management network from the normal
corporate LAN. This management network should limit and restrict access to your
RMC management interfaces using firewall, Accesses control lists (ACLs), or
VPN. This will greatly reduce a large group of security risks, (for
example Denial of Service attacks).
2.
Patch and maintain web servers.
3.
Run the up-to-date virus and malware scanners in your network environment
4.
Apply HPE firmware updates as recommended.
INSTALLATION INSTRUCTIONS:
Please review all instructions and the "Hewlett
Packard Enterprise Support Tool License Terms" or your Hewlett Packard
Enterprise support terms and conditions for precautions, scope of license,
restrictions, and limitation of liability and warranties, before installing
this package. It is important that you read and understand these instructions
completely before you begin. This can determine your success in completing the
firmware update.
Note: HPE provides three methods for updating the server firmware, from the RMC CLI, using SUM or using OneView. If you need help selecting a method, please see the “Firmware Update” section in the Superdome Flex Server Manageability white paper.
Online firmware update support:
·
Online firmware update is only supported when updating from version
3.40.106 or later.
·
Online
firmware update support matrix:
|
From: \ To: |
3.40.106 |
3.40.122 |
3.40.126 |
3.50.58 |
3.55.8 |
3.60.50 |
3.65.8 |
3.70.34 |
3.80.24 |
|
3.40.106 |
N/A |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
3.40.122 |
No |
N/A |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
3.40.126 |
No |
No |
N/A |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
3.50.58 |
No |
No |
No |
N/A |
Yes |
Yes |
Yes |
Yes |
Yes |
|
3.55.8 |
No |
No |
No |
No |
N/A |
Yes |
Yes |
Yes |
Yes |
|
3.60.50 |
No |
No |
No |
No |
No |
N/A |
Yes |
Yes |
Yes |
|
3.65.8 |
No |
No |
No |
No |
No |
No |
N/A |
Yes |
Yes |
|
3.70.34 |
No |
No |
No |
No |
No |
No |
No |
N/A |
Yes |
|
3.80.24 |
No |
No |
No |
No |
No |
No |
No |
No |
N/A |
Complex versus partition firmware:
·
Firmware update
with mixed complex/partition firmware is supported, provided that the complex
firmware version is always greater than or equal to the partition firmware.
Important:
· DO NOT abort the firmware update once started as
this may cause the system to get in an un-usable
state. In particular, DO NOT turn off system AC power
during a Firmware update.
· In case a firmware mismatch is displayed after the
update, retry the update. If you continue to see failures, please contact HPE support
INSTALLATION
IMPORTANT:
-
For systems running with Secure Boot enabled, in order
to address the “BootHole” (CVE-2020-10713)
security vulnerability, an extra step is needed if the firmware is updated from
version 3.25.46 (or earlier). See step i. at the end
of the installation instructions.
To update server firmware from the RMC CLI:
1. Copy
the firmware file sd-flex-<version>-fw.tars to your local computer.
2. Follow the instructions below to install the new
firmware on your system.
Note: Online firmware update to this version is only supported when updating
from version 3.40.106 or later.
a.
Please verify that the system date is set. If not, set
it and check if you have a NTP server up and running
as it is used to set the date.
b. Step b. is
for offline firmware update only:
Log into the HPE Superdome Flex Server operating system as the root user,
and enter the following command to stop the operating system:
#
shutdown
c. Login to the RMC
as administrator user, provide the password when prompted.
d. Use of DNS is
recommended:
- If using DNS, verify that the RMC is configured to
use DNS access by running:
RMC
cli> show dns
If not, you
may use the command “add dns ipaddress=<RMC
IP>” to configure DNS access (or you can’t use DNS).
- If not using DNS, you will need to specify IP
address in the <path_to_firmware>
e. Step e. is
for offline firmware update only:
Enter the following command to power off the system
- If
there is only 1 partition, partition 0 is the default:
RMC cli> power off npar pnum=0
- In
case of multiple partitions, enter show npar to find
the partition number, then enter:
RMC cli> power off npar pnum=x, where x is the
partition number
f.
Update the firmware by
running the command:
RMC
cli> update
firmware url=<path_to_firmware>
[exclude_npar_fw]
Where <path_to_firmware> specifies the location to the firmware
file that you previously
downloaded. You can use https, sftp or scp
with an optional port. For instance:
RMC cli> update firmware url=scp://username@myhost.com/sd-flex-<version>-fw.tars
RMC cli> update firmware url=sftp://username@myhost.com/sd-flex-<version>-fw.tars
RMC cli> update firmware url=https://myhost.com/sd-flex-<version>-fw.tars
RMC cli> update firmware url=https://myhost.com:123/sd-flex-<version>-fw.tars
And where exclude_npar_fw is used to not update the BIOS firmware
running on an nPar.
Note: The CLI does not accept
clear text password, the password has to be manually typed in.
Note: To use a hostname like
‘myhost.com’, RMC must be configured for DNS for name
resolution,
otherwise you need to specify the IP address of ‘myhost.com’ instead. See
the command ‘add dns’ for more information.
g. Wait for RMC to reboot after a successful firmware update, then check
the new firmware version installed by running:
RMC cli> show firmware verbose
Note: The nPar
firmware version will not be updated until the next nPar
reboot. See output under “DETERMINING CURRENT VERSION” below.
h. For online
FW update, reboot
the Partition when convenient to activate the new nPar
firmware:
- To reboot a partition or multiple partitions,
enter:
RMC cli>
reboot npar pnum=x,
where x is the partition number or 0 for a single
partition
chassis numbered 0
For
offline FW update, Power on
the system or partition:
- To power on a
system configured with all chassis in one large nPartition
numbered 0, enter:
RMC cli> power on npar pnum=0
i. For
systems running with secured boot enabled, follow the steps below in order to address the “BootHole” (CVE-2020-10713) security vulnerability:
a.
All vulnerable signed UEFI OS boot loaders and
applications that are expected to boot must be updated before applying or
installing the default DBX key.
Note: Failure to install application
updates before the new DBX installation may result in a situation where the
server will not boot. If that situation occurs, Secure Boot will need to be
disabled until the vulnerable applications and bootloaders are updated.
b.
Once above step is
completed, after firmware version
3.30.140 (or later) is installed, follow the steps below in BIOS menu to
install new DBX default keys:
UEFI Boot
Manager-> Device Manager-> Secure Boot Configuration->Install Default
Keys
UEFI Boot Manager->
Device Manager-> Secure Boot Configuration->Attempt Secure Boot
DETERMINING CURRENT VERSION:
To check or verify the current firmware levels on
the system, from the CLI, enter the RMC command:
RMC
cli> show firmware
Configured complex bundle version: 3.80.24
Configured npar bundle version: 3.80.24
Firmware on all devices matches the configured version.
Note: If you want to see all the components’ versions,
you may use “show firmware verbose”.
Downgrading
firmware:
Note: Downgrading firmware is not recommended as it may cause a loss of functionality and expose the system to vulnerabilities fixed in later versions.
Downgrading guidelines (online downgrade supported where online upgrade
is supported):
- After online downgrade completes, you will need to reboot the nPAR using the “reboot npar pnum=x” command to activate the newly installed BIOS.
- After offline downgrade completes, power on the system or nPAR using the “power on” command.
KNOWN ISSUES & WORKAROUNDS:
·
System may report
PCH_RTC_POWER_FAILURE IEL event and “Battery logic fault” service event during
first boot when Complex Firmware is updated from FW 3.30.144 or lower version
to FW 3.60.50 or higher version.
· Exception during boot may lead to BIOS Halt with SMRAM_DISTRIBUTION_TIMEOUT.
Workaround: Rebooting the server
will clear the error.
·
"show sensor" or "ipmi
sensor" command output in uvdmp does not always
report the fan speed of RMC's PSU
·
On systems
running with SLES 15 SP1 or 15 SP2, an IO card may rarely go offline with the
console log showing a message “Device recovery failed”. An OS reboot is
required to recover.
·
Installation
of Windows Server 2019 on a 16 socket partition with
Hyper-Threading enabled may take hours on servers with hundreds of logical
processors. Workaround: Either
disable Hyper-Threading prior to installing the OS (and re-enable it after OS
is installed), or modify to an 8 (or less) socket
partition, install the OS, and change back to a 16 socket partition after the
OS is installed.
·
On systems (8 or 16
socket) configured with PMM (HPE Persistent Memory) and running with Windows
2019, a BSOD (Blue Screen of Death) may be intermittently encountered while
creating or deleting namespaces using new-pmemdisk or
remove-pmemdisk powershell
cmdlets. When this occurs, the following bug check happens: STOP 0x00000101
CLOCK_WATCHDOG_TIMEOUT. Workaround: Retry the operation after the system comes back up.
·
After a RMC reboot, Insight Remote Support (IRS) may not collect
all the inventory data. Workaround:
Rediscover the missing device in IRS (in IRS console, under Devices, check all
the devices from the Device Summary TAB and select Discover); for information
on Insight Remote Support, see “Manage Your Devices” in “HPE
Insight Online”.
·
Firmware update
with certificate checking enabled is
not supported with OneView or SUM (SUM does not support providing a certificate
for client verification). Workaround:
disable certificate checking
prior to updating firmware with SUM or OneView.
·
Superdome
Flex server registration with IRS fails if the system is configured with certificate checking enabled.
Workaround: Install IRS patch 7.10
to fix the issue.
·
After a
PMM becomes deconfigured, Windows Server 2019 may not
be able to access PMM logical devices if the PMM region is setup in the default
AppDirect (interleaved) mode, causing the PMM disk
data to be inaccessible. Workaround:
Do not use the interleaved mode. Also
call HPE Support to check on the reason for the deconfigured
PMM and get it addressed.
· Whenever an nPAR is created,
removed, or modified that results in a change in
monarch chassis, all existing Redfish sessions will immediately expire. Redfish
client will need to re-authenticate with the Superdome Flex Redfish to
establish a new Redfish session.
·
The UEFI shell accepts invalid directory names such as
‘..’ appended to a valid directory name. Workaround: Retry using a proper directory name.
· The UEFI shell command ‘dh’ fails to display EFI_DEVICE_PATH_PROTOCOL information for some device handles. It also displays “IPv6 (Not Available)” for devices including IPv6 device path node information.
·
If the BMC
stops responding, a watchdog timer resets it to recover automatically with an
event BMC_RESET_BY_WATCHDOG. This event reflects that normal BMC operation has
resumed and it may be ignored.
·
The BMC may occasionally reboot to recover from a
software error condition. If a BMC_KERNEL_PANIC is logged,
you may ignore it as it does not affect system operation.
· Virtual Media connection may cause slow-boot. Workaround:
Disconnect Virtual Media to resolve the slow boot. In general, it is
recommended to disable Virtual Media when not needed.
·
Virtual Media does not support UEFI reconnect -r
command.
Workaround:
After attaching Virtual Media to the partition, use POWER RESET to reset the
partition and activate Virtual Media.
·
By default, the
Virtual Media instance setting for CD/DVD and hard disk are set to 0. To use
virtual media, CD/DVD must be set to at least 1. For more details, refer to the
Superdome Flex OS installation guide (http://www.hpe.com/support/superdome-flex-os)
·
The JViewer application VMedia hard disk size must be between 4 MB and 512 MB. If
any larger size is needed, create an ISO and mount it
via the CD/DVD tab.
· Mac OS browsers (Safari, etc) are not supported on KVM and JViewer. Use Windows Internet Explorer, Firefox and Chrome instead.
·
Right
after nPar creation, the partition status may show as
Unknown due to a delay in status update. Workaround:
Run SHOW NPAR command to check the nPar status.
·
A BIOS ASSERT may be encountered
when performing PXE boot from Microsoft Windows Deployment Services, if the
user attempts to select ESC in the menu displayed by Windows Boot Manager. Workaround: Do not exit the menu using
the ESC key.
·
Failure
due to timeout during directed pxe boot when directed
PXE boot is requested and the PXE server is not enabled to respond to the
DHCPINFORM message request. You must use a PXE server that supports DHCPINFORM
message requests.
· The CLI provides a convenient ‘ipmi’ wrapper script. However, serial over lan (SOL) is not supported by this convenient ‘ipmi’ command. Attempting to activate partition console via
‘ipmi command=”sol activate”’ will fail with the
message: “Error: This command is only available over the lanplus
interface”. User should use CLI ‘connect npar’ or ‘uvcon’ to connect to
partition console.
For more details on accessing and managing the system,
see the HPE Superdome Flex user documentation located at this link.
FEEDBACK
As we are
continuing to improve the firmware management process we welcome your feedback
on this document and on the firmware update process:
TEAM-FWupdateFeedback@groups.ext.hpe.com
DISCLAIMER:
The
information in this document is subject to change without notice.
Hewlett Packard Enterprise makes no warranty of any
kind with regard to this material, including, but not
limited to, the implied warranties of merchantability and fitness for a
particular purpose. Hewlett Packard Enterprise shall not be liable for errors
contained herein or for incidental or consequential damages in connection with
the furnishing, performance, or use of this material.
This document contains proprietary information that is
protected by copyright. All rights are reserved. No part of this document may
be reproduced, photocopied, or translated to another language without the prior
written consent of Hewlett Packard Enterprise.
(C) Copyright 2017-2023 Hewlett Packard Enterprise
Development L.P.
SUPERSEDES HISTORY:
Version : 3.70.34:
ENHANCEMENTS:
Revision 1 :
· Added support for RHEL 8.8, 9.2
·
Added
support for Oracle Linux 8.8 (UEK6 and UEK7) , 9.2
(UEK 7)
Revision 0:
·
RMC LDAP
usernames are made case insensitive whereas local usernames continue to be case sensitive.
·
A new
CLI option introduced to allow transfer of rsyslog
events to remote server based on selected severity.
·
Added
an option to enable or disable the system on-board LAN devices. By default, the
on-board LAN devices are enabled. Refer create/modify npar
documentation in admin guide for more details.
·
Added
an option to enable or disable the built-in physical USB ports for the system.
By default, all 4 built-in physical USB ports are enabled. Refer create/modify npar command documentation in admin Guide.
·
Added
retry count option to UEFI boot order list. The retry count value range from 0 to 255. The default value is 0 and 255 is a
special value where system would get into infinite
boot loop mode until the system is successfully booted with one of the UEFI
boot options configured in the system. Refer create/modify npar
documentation admin Guide.
FIXES:
· Firmware includes Intel Reference Code revision IPU 2023.2 with microcode updated to revisions 05003501 (50657), 04003501 (50656) and 02006f05 (50654).
· Fixed an
issue where PPR Persistence data stored in BMC cleared after
Chassis AC power cycle.
· Fixed
discrete RMC Out of Memory issue due to /var/log filling.
·
Fixed an issue where RMC reboot would sometimes
cause chassis in the npar gets powered off.
· Fixed an
issue where IEL daemon was not able to start due to a corruption in IEL event
file.
· Firmware includes updated UEFI Secure Boot revocation list dated March 14, 2023
ENHANCEMENTS:
·
None
FIXES:
·
Fixed frequent NFS/CIFS disconnect issue when OS image or IO
bundle is presented through remote media option from GUI or Redfish.
Revision
1 :
·
Addressed CVE-2022-37939
Version
3.60.50:
ENHANCEMENTS:
·
Added support for 1600W and 2130W
Titanium PSUs (Power Supply Units)
· Added support for RHEL 8.7 and RHEL 9.1
· Added support for Oracle Linux 8.7 and 9.1
· Added support for VMware 8.0
·
Added
ability to delete multiple SecureBoot DBX entries at once
·
Includes
enhancements to improve corrected memory error handling with respect to Post
Package Repair
·
Added support of simultaneous
IO Firmware update operations on multiple npars
·
Supports up to Cipher Suite ID 17 in IPMI
over LAN connection to the RMC
·
Added
support for SFTP/SCP protocols for firmware update through Redfish
·
Added support for collecting IDC logs from CLI, Redfish and Remote
Support
FIXES:
January 2023 updates to release notes only
· Addressed CVE-2022-37933 to fix potential security vulnerability
Revision 2 :
·
Addressed CVE-2022-38087
December 2022 updates
· Firmware includes Intel Reference Code revision IPU 2022.2 and 2022.3 with Skylake microcode updated to revision 02006e05
·
Zlib has been upgraded to the latest stable version 1.2.12 to address the
vulnerability CVE-2018-25032
·
Python has
been upgraded the to 3.7(3.7.11) to address
security vulnerability CVE-2022-0391
·
libexpat has been upgraded from 2.4.1 to 2.4.7 to address security
vulnerabilities CVE-2022-25315, CVE-2022-25236, CVE-2022-25235, CVE-2022-23852,
CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-23990, CVE-2022-25314,
CVE-2021-45960, CVE-2021-46143, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827,
CVE-2022-25313
·
Addressed
an issue where a system running VMware with specific IO configurations would
crash with timeout during boot
· New UEFI BIOS attribute “EnableExtendedMmiohNext”
enables support for extended MMIOH ranges for IO devices
· Fixed an issue where some OS drivers were not getting attached to the device due to un-programmed PCI interrupt registers
·
“Link
Down” warnings are now cleared after an npar reboot
·
Spurious
“Link Down” SNMP/Redfish alerts are no longer reported after a BMC disconnect
and reconnect
·
"ATTN:
Needs Refresh” message is cleared in the “show chassis info” output for the LSI
MegaRAID SAS 9361-4i Controller when the npar is powered on
·
Fixed an
issue where retrieving the CPU and Memory utilization metric reports via
Redfish would fail with a gateway timeout error
·
Fixed an
error reported by the SNMP MIB compiler due to an error implementing the MIB specification
·
“show complex” no longer reports a non-partitionable system
as partitionable when the BMC on the expansion chassis is not available or not
reachable
Version 3.55.8:
ENHANCEMENTS:
· Added support for RHEL
8.6, RHEL 9 and Oracle Linux 8.6
· Added support for SLES
15 SP4
· Added support for Oracle
Linux 9 with UEK 7
· Added support for Oracle
Linux 8.6 with UEK 7 (provided in HFS 2.4.5 patch on the SDR)
FIXES:
· Firmware includes latest
Intel Reference Code (IPU 2022.1) addressing CVE-2021-0189
· Firmware
includes latest revision of Intel Microcode that provides mitigation for security
vulnerabilities CVE-2022-21166, CVE-2022-21131 and CVE-2022-21136
· OpenSSL upgrade
addressed security vulnerabilities CVE-2022-0778, CVE-2021-3711, CVE-2021-3712
· Curl upgrade addressed
security vulnerabilities CVE-2021-22922, CVE-2021-22923, CVE-2021-22924,
CVE-2018- 1000007
· OpenSSH upgrade addressed
security vulnerabilities CVE-2016-20012, CVE-2020-14145, CVE-2021-41617
· Fixed an issue where
power commands would sometimes fail with an internal error
· Addressed
a PCIe fatal error detected during Windows 2019 installation under
certain scenarios
Version 3.50.58:
ENHANCEMENTS:
· DIMM
pre-fail is a new feature that may be used to monitor DDR4 DIMMs and notify
users if there is a risk of failure (disabled by default). To manage the DIMM
pre-fail feature, commands enable/disable/show predictive_mem_health are
added in the CLI interface, see details in the HPE Superdome Flex
Administration Guide
·
Removed unsupported inband IPMI command for configuring user id 1
· Added support
for Out of band PMEM health monitoring through Redfish
· Enhanced CLI
create/modify npar command with new
parameter pmem_auto_fwu to control the PMEM
auto firmware update
· Added new user role ‘custom_cli’ with read/write access privileges only to
the npar console
· Added support for
communicating securely with LDAP server using the combination of LDAP and TLS
· Added Redfish API
support to enable/disable telemetry collection
· Provides better security
through improved password hashing
For PMEM management
details, see the HPE
Persistent Memory Guide for HPE Superdome Flex
FIXES:
· Included IPU 2021.2 update
from Intel that addresses vulnerabilities CVE-2021-0127, CVE-2021-0092,
CVE-2021-0093, CVE-2021-0144
· Addressed vulnerability
CVE-2021-26691
· Addressed vulnerability
CVE-2022-23702
· Fixed an issue where Superdome
Flex server would rarely crash during Bios boot due to processor related timeouts
· The “acquit” command may
now be used to clear the “Link Down: Warning” that may be displayed in “Show
Health” status after disconnecting and reconnecting an Ethernet or FC cable
attached to an Ethernet or FC card
· Increased a timeout
value to prevent the RMC CLI command 'set ldap bindpw' from failing with timeout
· Fixed an issue when RMC
is connected through a serial port and npar console
is launched, where cached console data would be displayed continuously if
cached data was large
· Fixed an issue where RMC
would send duplicate records to remote log server after reboot. Remote logging
feature now supports TCP protocol along with UDP
Version 3.40.126:
ENHANCEMENTS:
· User confirmation is now requested prior to adding or
removing any IPMI commands to/from the restricted list
·
Replaced VMware 7.0 U3
support with VMware 7.0 U3c support (see details from VMware in
https://kb.vmware.com/s/article/86398)
FIXES:
· Fixed an issue where, after performing a firmware
update to version 3.40.122, the system would fail with a critical HARP Board
VDD voltage fault, or an Integrated Event Log (IEL) THERMAL_FAULT_DETECTED
event would be logged on one or more Chassis
·
When IPMI
BT is disabled, npar OS boot/shutdown no longer takes
longer time and the Linux kernel no longer logs many error messages on boot
(see Customer Advisory a00119330)
Version 3.40.122:
ENHANCEMENTS:
Version 3.40.106 (factory release):
·
Added support for
VMware 7.0 U3
·
Added support for
Windows 2022
·
Secure boot mode with Oracle UEK 6 is supported with Oracle
Linux UEK 6 Update 3 (or later)
·
Firmware includes the latest revision of the Intel Reference Code
(IPU2021.1).
·
Upgraded
to Python version 3.5.10
· Hub Write Flush Optimization
feature is now enabled by default. That feature provides better balance between
memory writes and memory reads and ensures more consistent memory latencies on
systems running under heavy workload; for details, see the Customer Notice a00110429
· Added support to enable extended Memory tests during nPar boot
·
Added support for automatic NVDIMM firmware update. NVDIMMs are now
updated to the supported firmware version upon nPar
boot. The functionality is enabled by default but configurable by System
administrator. Refer to the nPar attributes section
in the HPE
Superdome Flex Server Administration guide.
·
Added
support for disabling IPMI BT (Block Transfer) interface and to allow only
permitted set of IPMI commands. Please refer to the HPE
Superdome Flex Server Administration Guide for more details
·
Provide
ability to configure the default RMC password length to a value from 6 to 64
(now set to 8 by default)
·
A new DIMM
pre-fail feature can be enabled to allow flagging early DDR4 DIMMs with
potential health issues
·
Login
delay is now imposed after 3 failed login attempts with delay of 10 sec, which
is user configurable
·
The show
health CLI command now includes the message and resolution for faults
·
Added
support for BaseIO, BMC Board, and Power Board FRU indictment
·
Added
support to preserve Post package Repair(PPR)
information in BMC across DIMM movement
November 2021:
·
Added support for RHEL
8.5 and Oracle Linux 8.5
December 2021:
·
Added known issue about critical HARP0/1 VDD_VR_FAULT
or THERMAL_FAULT_DETECTED event occurring due to thermal monitoring sometimes
erroneously set to OFF after firmware update to
version 3.40.122
·
Added a step in the installation instructions to
prevent running into the above issue
FIXES:
Version 3.40.122:
·
Fixed an issue where Post
Package Repair (PPR) of faulty rows in a DRAM would not be persistent across reboots with
firmware version 3.40.106; for details, see Customer Advisory a00118886
Version 3.40.106 (factory only release):
·
Fixed an issue
where the system would crash with DIMM de-configuration during recovery action
when multiples corrected errors are encountered on a channel
·
This firmware includes an updated
revocation Signature Database (DBX) used when UEFI secure boot is enabled.
The updated DBX in this firmware will revoke HPE signed images that were
vulnerable to UEFI Secure Boot Evasion Vulnerability (CVE-2021-20233,
CVE-2020-25632, CVE-2020-27779, CVE-2021-20225,
CVE-2020-27749, CVE-2020-25647). However this
firmware does not include the UEFI Microsoft DBX which will revoke UEFI signed
images vulnerable to the Secure Boot Evasion Vulnerability. This is because
some Linux distributions have not released updates that will boot at the time
of this release. If your OS has released fixes for this vulnerability, UEFI Microsoft DBX hashes may be applied manually.
They are available from uefi.org's UEFI
DBX Revocation List.
·
Firmware includes the latest revision of Microcode from Intel which
provides mitigation for CVE-2020-24511
·
Firmware includes the latest revision of the Intel Reference code
(IPU2021.1) which addresses CVE-2020-12358, CVE-2020-12360 and CVE-2020-24486
·
Addressed
security vulnerability CVE-2018-20843 and CVE-2019-15903
in libexpat
·
Addressed
security vulnerability CVE-2021-23841 and CVE-2020-1971 in OpenSSL
·
Addresses security vulnerability CVE-2021-0144
· The CLI show uvdmp
command no longer terminates with UNEXPECTED PROGRAM ERROR when parsing
non-ASCII characters
· The partition Real Time Clock (RTC) no
longer drifts by a few minutes at each AC power cycle
or when the PLD firmware version has been updated.
·
The
command “create npar default" now prompts for
user confirmation before proceeding to removing an existing npar
·
A BMC
(Base Management Controller) reboot no longer generates a Critical Alert to
Remote Support Monitoring Tools (see Customer Advisory a00113826)
·
Addressed
a rare case where a MEM_DIMM_MEMTEST_FAILURE service event would not be
generated by CAE and a DIMM, although disabled for the boot, would not be
scheduled for de-configuration
·
Fixed an
issue where the system boot would fail with a rendezvous timeout while memory
test is in progress
Version 3.30.144:
ENHANCEMENTS:
·
Added support for RHEL
8.4
June 2021:
·
Added support for SLES
15 SP3
FIXES in
firmware version 3.30.144:
·
Fixed an issue
where a system running a Windows Operating System would crash unexpectedly with
a BSOD (Blue Screen Of Death) accompanied with events
“Fatal OS run-time critical shutdown occurred” in CAE (Core Analysis Engine)
and Event ID 6008/1001 (Bugcheck 101) in the Windows
OS System Event Logs.
Version 3.30.142:
ENHANCEMENTS:
April 2021:
·
Added
support for Windows Server 2019 on systems with Intel Xeon® Scalable processors
61XX/81XX
·
Added
support for VMware 7.0 U2 on systems Intel Xeon® Scalable processors 61XX/81XX
and 62XX/82XX
FIXES in
firmware version 3.30.142:
· Addressed an issue in firmware versions
3.30.130/3.30.140 where setting the Memory refresh
rate to 2x was not effective at completely reducing the susceptibility to the RowHammer security vulnerability CVE-2020-10255
o
To be
effective, the memory refresh rate must be set to 2x again after updating to
firmware version 3.30.142; for that, run the RMC CLI command:
modify npar pnum=PARTITION_ID memrefreshrate=x2
· Addressed a potential security vulnerability that could be exploited to
cause Denial of Service to the web interface (see Security Bulletin hpesbhf04102)
Version 3.30.140:
ENHANCEMENTS:
·
Added support for
VMware 7.0, 7.0 U1 and for RHEL 8.3 and Oracle Linux 7.9, 8.2, 8.3 on systems running with Intel Xeon® Scalable processors
62XX/82XX
·
Added support for VMWare 6.5
U3, 6.7 U2, 7.0 and 7.0 U1 on systems running
with Intel
Xeon® Scalable processors 61XX/81XX
·
To mitigate against “Rowhammer” attacks (security vulnerability CVE-2020-10255),
a new user configurable ‘memrefreshrate’ option was added
to the RMC “modify npar” and “create npar” commands. It allows changing the DDR4 memory refresh
rate from the default 1x rate to 2x. Note: The 2x memory refresh rate might
affect the performance and resiliency of the server memory.
·
A “delay after failed login” can now be configured
from the RMC CLI to fight against brute force attacks. To set a delay value,
use the command “set failed_login delay=<secs>”;
supported delay values are 0 to 240 seconds.
·
Added support for
logging of system events on a remote server using the new “set remote_log_server_address <address>” command.
·
PCIe Live Error
Recovery (LER) can now be enabled or disabled for the specified HPE supported
I/O cards from the RMC CLI; associated commands:
o
disable ler vendor_id=VENDOR_ID device_id=DEVICE_ID
o
enable ler vendor_id=VENDOR_ID device_id=DEVICE_ID
o
show ler [enable] [disable]
·
A new asset_tag option was added to the “modify chassis” and
“modify RMC” commands to allow configuring the asset tag for chassis and RMC
·
Enabled support for
power operations from KVM console
·
Added support for
chassis power, thermal and fan speed reading in Redfish
·
Added SNMP alert on
power state change
·
Enabled Directed lanboot without DHCP support for Windows Deployment Server
(WDS)
·
System now reports an
error when eRMC UPOS does not match bmc_id 0 UPOS, which is an invalid configuration that
should be corrected
·
Added capability to
tune a new Hub Write Flush Optimization feature EFI variable using setvar, allowing to provide better balance between memory
writes and memory reads and ensure more consistent memory latencies on systems
running under heavy workload; for details, see the Customer Notice a00110429
·
Added capability to
disable the Flush WpqFlushHintAddress
locations available to the OS using a setvar command to set a new MrcWpqFlushSupportNext
variable. for more details, see Customer Advisory a00110427
·
Firmware can now
identify and report the presence of memory types not supported on the platform
·
Firmware
now generates a non-critical event 1261 instead of a fatal MCA event when the
system is able to recover from the MCA
·
Soft PPR
(Post Package Repair) is now enabled for Samsung DIMMs
February 2021:
·
Added links to the
Customer Notice for tuning the Write Flush Optimization feature and to the
Customer Advisory for Disabling the Flush WpqFlushHintAddress locations
·
Clarified the process
for the DBX key updates in the Installation Instructions
·
Clarified that online
firmware update to version 3.30.140 is not supported (except from version
3.30.130) due to a PLD version change in version 3.30.130
·
Changed bundle entitlement to "Firmware (Login
Required) - System"
Note: See more
details on new commands in the CLI Help and in HPE Superdome Flex User Guide and Administration
Guide.
FIXES in
firmware version 3.30.140:
· Addressed security vulnerability OpenSSL CVE-2020-1971
FIXES in
firmware version 3.30.130:
·
New
Forbidden Signature Database (DBX) from HPE & Microsoft are included in
this firmware to mitigate the GRUB2 bootloader security vulnerability CVE-2020-10713 (also known as “BootHole”). The vulnerability affects only system running with UEFI secure boot enabled. For details,
see Security Bulletin hpesbhf04019
and Customer Bulletin a00109427
o
Warning: See Pre-Requisites and installation sections for required DBX update
steps
·
Addressed security vulnerabilities CVE-2020-8764,
CVE-2020-8738, CVE-2020-8740 by making changes that eliminate the potential
local escalation of privilege (Security Bulletin HPESBHF04058)
·
Updated Intel
microcode to IPU2020.2 (addresses some hang issues)
·
Addressed a rare
system hang at boot when a single faulty DIMM is present in the system
·
Improved BMC (Board
Management Controller) stability by significantly reducing occurrences of Out Of Memory errors
·
Prevents occurrence of
PCIe soft errors on some I/O devices (GPUs, Base IO, NICs) on systems running
with high workloads
·
Disabling the Flush WpqFlushHintAddress locations using “setvar
MrcWpqFlushSupportNext” command prevents a “BIOS HALT
detected” error during boot on systems with HPE persistent memory and under
heavy workload; for more details, see Customer Advisory a00110427
·
Addressed an issue
where system would sometimes fail to boot after a system
initiated reset caused by internal link errors, and where
BMC_RELEASE_TO_BIOS_FAIL and/or CPU_SOCKET_RESET_FAIL events on non-failing
chassis could result in disabled sockets.
·
While attempting to
recover from a failed reset on a systems with 2-socket
clumps enabled, CPU 0 and 1 would boot successfully but CPU 2 and 3 would be indicted. With this fix, CPU 2 and 3 are now reset correctly
and no longer indicted.
·
Addressed an issue
where, after configuring namespace7.0 for fsdax mode,
an 8 socket partition with 128GB DIMM and 256GB of
persistent memory would fail to boot to OS with the error: “SW EXCEPTION: BIOS
HALT detected!”
·
Fixed an issue where a
DIMM failure would not cause the faulty DIMM to be de-configured or a service
event to be generated.
·
Fixed an issue where
firmware would sometimes indict the wrong DIMM when generating service event 1210
·
When using
“Add an attempt” to create iSCSI boot attempt entries in the Device Manager’s
iSCSI configuration menu, a firmware assert is no longer seen when adding a 9th entry.
Version 3.25.46:
ENHANCEMENTS:
· Added support for RHEL 7.8
·
Added iSCSI software initiator based boot support with
HPE InfiniBand EDR/Ethernet 100Gb 2-port 841QSFP28 Adapter (872726-B21) on SLES
12 SP3, SP4 , SLES 15 SP1 and supported RHEL releases
·
Support Openstack HTTP boot
and Openstack T release
·
Support sector mode for HPE Persistent Memory
·
Supports Windows Server 2019 with 16 socket/24 TB of
HPE Persistent Memory
·
Added IPMI
watchdog functionality; the CLI command 'set ipmi_watchdog
os_managed' command may be used to enable it
·
Support in-band IPMI power operations such as power
cycle, power off, power soft
·
Includes some uvdmp improvements
·
June 2020 update:
o Added support for RHEL 8.2
o Added support for OL 7.8 and OL 8.1 with
UEK6
o Removed Windows 2019 support on
61XX/81XX (unsupported)
FIXES:
· The BIOS in firmware version 3.25.46 includes updated Intel
microcode that addresses some crashes
caused by DDR4 memory errors. In particular, this
updated microcode addresses a Machine Check Exception timeout failure when Fast
Fault Tolerant Memory Mode (ADDDC) is enabled. This issue is not unique to HPE
servers.
·
The updated microcode
(0x2f00 on systems with 62xx/82xx processors and 0x6901 for systems with
61xx/81xx processors) also addresses security vulnerability
CVE-2020_0549
· System now reports event 1210 in case of MCA due to
some uncorrected memory errors
· The grub2 boot loader menu now
successfully launches when booting grub2 boot loader via UEFI HTTP boot and
when booted via either fully qualified domain name URL or via IP address URL
· Addressed boot issues. Monarch chassis would fail to boot with erroneous "PLD or PSOC not detected" message. Other chassis would boot but nPar would be missing the chassis resources
·
Users can
now successfully mount ISO images in Jviewer when the
RMC/eRMC password contains one or more of %, #, or
& characters
·
Dot (.)
character is now accepted as part of LDAP User/Group names in
Superdome Flex Server RMC/eRMC CLI
·
FRU data
for HPE PCIe cards installed in slot 16 are now properly read and "SHOW
CHASSIS INFO” no longer returns fields as “Unknown”
Version
3.20.186/3.20.206:
ENHANCEMENTS:
February 2020 update:
·
Server firmware 3.20.186 and later supports
also Oracle VM 3.4.6
December 17, 2019 update:
·
Firmware version 3.20.186 and later includes
mitigation for CVE-2019-14607 in the Intel Microcode.
In firmware version 3.20.206:
·
POWER_SUPPLY_INPUT_LOST (event 1106) is now generated
in case of loss of AC input to the chassis power supply.
·
When inserting a power supply,
POWER_SUPPLY_TYPE_PROBE_FAILED (event 1111) is now generated in case the power
supply is detected but FRU data cannot be read, likely because the power supply
needs reseating.
In Firmware version 3.20.186 (not available as web
release):
· Supports
128/256/512 GB Intel PMM (HPE Persistent
Memory Module):
o
For
details on supported PMM configurations, see the HPE Persistent
Memory Guide for HPE Superdome Flex.
§ Supported with
Intel Xeon processors 82xx/62xx only
§ Support
of App direct mode on 4/8/16 socket systems
§ For OS support,
see the Operating Systems section above
o
Supports
management and configuration of PMM’s
o Supports PMM related events and logging as well as health monitoring and reporting
o Supports creation of XFS
root file system for Linux on PMM
·
Supports additional CPUs: 6226, 8253
·
Supports
additional OS’es: RHEL 8.1, Oracle UEK 7.7, SLES 12
SP5
·
Supports
new I/O cards:
o
RTx 8000 GPU
o
HPE Infiniband
HDR/Ethernet 200GB 1-port
& HDR100/Ethernet 100GB 1-port/2-port 940QSFP56
· Improved manageability using
Redfish and Openstack Ironic release (see HPE
Superdome Flex Manageability white paper)
·
Improved
security: supports certificate checking on web console and Redfish connections
o
Note:
Certificate checking is not supported with SUM or OneView; you need to disable
certificate checking prior to updating firmware
·
Improved
BMC stability by significantly reducing occurrences of random BMC reboots
·
Improved
diagnosing of damaged cables while preventing mis-diagnosis
of other parts
·
Improved chassis power supply AC loss handling and
reporting
·
Improved power supply redundancy reporting
·
Supports RMC power supply fault as well as thermal
fault reporting
FIXES:
Fixes in 3.20.206:
· Addresses an issue where an error occurring on PMMs (HPE Persistent
Memory) in the expansion chassis would rarely result in unexpected behavior,
including an OS crash
·
Fixed an issue where deconfigured PMMs in any chassis would prevent Windows Server 2019
from accessing any PMM devices (physical or logical),
resulting in users being unable to see any physical or logical PMM
devices in device manager, or in the output of Windows PowerShell cmdlets Get-PmemPhysicalDevice or Get-PmemDisk,
and PMM disk data being inaccessible.
Fixes in 3.20.186 (not available as web
release):
·
Critical - Addressed an issue seen with 64GB
DDR4 DIMMs in socket 0 and using 2 DIMMs per channel, where ADDDC (Adaptive
Double Device Data Correction) bank sparing would result in a crash due to an
uncorrected memory error.
·
The System
ROM in firmware version 3.20.186 or later includes the latest revision of the
Intel Reference Code that provides mitigations for security vulnerabilities.
The following vulnerability has been addressed in this release: CVE-2019-0152.
This issue is not unique to HPE servers.
·
The system ROM in firmware version 3.20.186 or later
includes the latest revision of the Intel microcode which provides mitigation
for CVE-2017-5715, CVE-2019-11135, CVE-2019-11139 and CVE-2019-14607, as well
as mitigation for an Intel sighting where under complex micro-architectural
conditions, executing X87 or AVX or integer divide instructions may result in
unpredictable system behavior. These issues are not unique to HPE servers.
·
Addressed an issue where, after power cycling all the
chassis in the complex, the system boot would fail with a BIOS ASSERT DETECTED
due to an ASSERT EFI ERROR
·
Indicted or deconfigured
FRUs are now acquitted upon AC power-cycling of the entire complex (all BMCs
and RMC)
·
Firmware now sends service events or SNMP traps when a
Rack Management Controller (RMC) hardware error occurs
·
Superdome Flex now supports IPMI over LAN via any IPv6
IP address listed within the subnet, not just the first one configured
·
Fixed an issue where uncorrected memory errors would
rarely occur without deconfiguration or indictment
Version 3.10.164/3.10.174:
ENHANCEMENTS:
Note: System firmware
3.10.164 includes all of the enhancements defined for
3.10.174.
Enhancements in
firmware 3.10.164 / 3.10.174:
FIXES:
Note: System firmware 3.10.164 includes all
of the fixes defined for 3.10.174.
Fixes in version 3.10.164 / 3.10.174:
· Fixed an issue
where web console login would fail if the RMC network was not properly
configured or not connected to the site network prior to RMC boot
Version 3.0.542:
ENHANCEMENTS:
June 2019: Release notes were updated to add some fixes and known
issues and add a link to the Superdome Flex Support Matrix (Release Sets).
FIXES:
Version 3.0.542:
Version 3.0.512:
ENHANCEMENTS:
·
Added support for Intel Xeon® Scalable processors 8280, 8276, 8270, 8268, 8260, 8256, 6254, 6252, 6248, 6244,
6242, 6240, 6230; requires firmware version 3.0.512 or later
·
Added
support for Windows 2019 on systems with Intel Xeon®
Scalable processors 62XX/82XX
·
Added
support for IPv6 USGv6
· On 4 socket systems, TEST FABRIC now displays a
warning instead of an error message when the 3 Numa Link loop back cables are
not installed.
· Superdome Flex internal management network
uses by default 172.16.0.0/16, 172.30.50.0/24 and
172.30.60.0/24 subnets. However, the RMC “set network internal” command now
allows to change these subnets to any legal subnet.
·
APPWT limit has been increased to the 29 WT (Weighted
Teraflops) threshold, effective since October 2018
Note:
·
Default NIC naming differs on
systems with Intel Xeon® Scalable processors 62XX/82XX versus 61XX/81XX. On
servers with 62XX/82XX processors, NIC naming is based on udev
property “ID_NET_NAME_SLOT”. This was introduced with firmware 3.0.542. On
systems with 61XX/81XX processors, NIC naming continues to be based on
“ID_NET_NAME_PATH” and there is no impact after updating to 3.0.542. However,
if customers wish to use the consistent device naming standard on systems
with 61XX/81XX processors, then they can follow the steps in the DETAILS
section of the customer notice https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00075568en_us
·
The RMC factory default password has been changed from
a common password to a random password, unique on each system, provided on a
label on the rear of the RMC or eRMC base chassis.
For details, see advisory a00073630.
·
The web console,
virtual media, and JViewer default login now use the
RMC/eRMC administrator account and password. The user
'admin' can no longer login to the web console.
FIXES:
· Provided enhancements and multiple fixes in memory and IO error handling
to help prevent MCAs
·
Addressed occurrences of MCAs, BIOS HALTs due to
HWERR, and ASSERTs at boot time
·
Addressed a number of false critical alerts that were
seen at boot or after a power cycle
·
Addressed an eRMC hang after
a MC warm reset is triggered from ipmitool
SUM 8.4.0 fixes:
·
SUM version 8.4.0 fixed an issue where SUM would
falsely report that update had completed less than 2
minutes after deployment had started.
Version 2.5.314:
ENHANCEMENTS:
·
None
FIXES:
·
CRITICAL: Fixed an issue where a system under heavy
workload would sometimes MCA with error messages such as "Fatal Link
Timeout to PCIe Device" and "LER_ENTERED".
·
CRITICAL: Optimized memory controller for RAS
features to prevent MCA’s when a system is under a heavy workload and a DIMM
sparing operation is required.
·
Addressed
the privilege escalation vulnerability CVE-2018-12204
Version 2.5.300:
ENHANCEMENTS:
FIXES:
· Updated to latest Intel microcode
·
Firmware update no longer reports an error when updating chassis with
rack number greater than 9
·
Extended range of rack numbers supported from 0 to 254
Version 2.5.90:
FIXES:
· Firmware version 2.5.290 resolves certain potential unexpected
system behavior when operating the Superdome Flex system or nPar(s)
in HPC mode. For systems or partitions
running in HPC mode, the frequency of system memory errors may increase after
the update. These memory errors will be fully visible in memlog.
HPE strongly recommends that customers run in RAS mode, but if they elect to
continue using HPC mode, they should update to this firmware version to
eliminate the risk of unintended side effects from memory correction including
possible system crashes. Refer to this advisory
for more details.
Version 2.5.80:
ENHANCEMENTS:
FIXES:
The following issue has been addressed in firmware version 2.5.280:
·
Fixed an issue where a bugcheck
or unexpected process termination would be seen after an uncorrectable memory
error on systems running Microsoft Windows Server 2016.
The following issues have been addressed in firmware
version 2.5.270 and later:
Version 2.5.256:
FIXES:
-
L1 Terminal Fault
- OS, SMM (CVE-2018-3620). Please note this mitigation also requires operating
system software updates.
-
L1 Terminal Fault
- OS, VMM (CVE-2018-3646). Please note this mitigation also requires operating
system software updates, and VMM software updates.
- For
more information, see the bulletin a00055017en
Version 2.5.246:
ENHANCEMENTS:
· Added support for CPU models 8170M, 8170, 8168, 6140, 6140M,
6150, 6142M, 6142, 6138
·
Added support for 24 and 28 socket
configurations (in addition to 4, 8, 12, 16, 20 and 32)
· Added partitioning (nPAR) support with ability to convert non partitioned
systems to partitionable
· Added support for HPE
Ethernet 10Gb 2-port 562T adapter, 32Gb Fibre Channel
SN1600Q, SN1600E HBAs
·
Added support for Windows Server
2016 with up to 16 sockets
·
Added support for RHEL 7.5
·
Added support for VMware 6.5 U2
·
Added support for Oracle VM 3.4.4
· Added new security and
management features (secure boot, SSH upgrade, reduced port usage)
· Added support for
offline firmware update via SUM (Smart Update Manager)
·
Added support for OneView monitoring (requires OneView version 4.1 or
later)
·
Added support for provisioning OS with redfish using
the OpenStack Ironic (Requires Openstack Ironic version ‘Pike’ or later)
· Enhances security with SSH
FIXES:
·
New BIOS addresses the following known
vulnerabilities, CVE-2018-3639 and CVE-2018-3640.
·
Fixed an issue where the firmware update would fail on
rare occasions to update the BIOS image.
·
Some IO errors no longer cause an incorrect decoding
to be logged in the Integrated Event Log with the string “[physloc_err=5]”.
·
Fixed an issue where rebooting the Board
Management Controller (BMC) when the Operating System was Running would cause
the BMC to stop responding.
·
Fixed an issue on 2-socket
clump systems (i.e. chassis with Intel Intel Xeon® Scalable 61xx series processors installed) where the fans would jump to maximum speed and remain
there if the BMC was rebooted with the system power on.
·
The ‘SHOW UVDMP’ command always displayed one screen at a time and require user to interact with the keyboard to move to the
next page, even with the CLI in script mode. This is now fixed.
·
IPMI watchdog is unsupported and can no longer be enabled. This prevents
an issue seen in prior versions where a multi-chassis reboot from OS would fail
when IPMI watchdog was enabled.
·
Fixed a syntax issue allowing to use the CLI ADD LOCATION command with
“module=rmc” on eRMC.
Version
2.4.98:
FIXES:
BIOS:
·
Updated Intel microcode to address CVE-2017-5715
·
Some I/O
Fatal errors (e.g. Malformed TLP, RxOverflow, FlowCntl, DLLP, etc) detected at
the End Point device no longer cause an MCA and the system now allows OS
recovery instead of rebooting.
Version 2.3.132:
FIXES:
·
Removed the Intel microcode that was issued to address
the Spectre/Meltdown security vulnerability, which
Intel then asked vendors not to use (see Intel guidance here).
Version 2.3.122: REMOVED due to
Intel microcode issue.
FIXES:
·
Fixed an issue where the eRMC
SET FACTORY command could cause the eRMC to become unusable
while trying to initialize the configuration flash partition. The SET FACTORY
command is now supported on eRMC.
·
Fixed an issue where CAE service event id #306
(uncorrectable memory data read error) incorrectly encoded DIMM group number,
causing the wrong DIMM to be indicted.
Version 2.3.110: REMOVED due to Intel microcode issue.
FIXES:
The
following issues were fixed:
·
Addresses security vulnerability CVE-2017-5715; see
updates in this advisory.
·
DCD was not supported with firmware version 2.3.94.
·
The eRMC uses NTP daemon internally
to keep the management times synchronized. The internal NTP daemon usage is
very limited in scope, but is of older ntpd version (4.2.6p5). As a result of older
ntpd version, security scanner may falsely flag
vulnerabilities that are not applicable to Superdome Flex eRMC
system. To mitigate security impact, follow HPE required security best
practices.
·
When BIOS
de-configures a DIMM, the eRMC will correctly record
the data, but will incorrectly return no de-configuration the next time BIOS
boots. This incorrect information causes BIOS to retrain the DIMM and attempt
to use it. Marginal DIMM may sometime pass the retrain and be included in the
system for OS use. Because the DIMM is marginal, it may fail at
a later time and cause the OS to crash. To minimize the chance of
marginal DIMM being used at next boot, run SHOW
DECONFIG and SHOW INDICT after the system is booted and replace any DIMM that
has been indicted and de-configured.
·
Memory on some sockets may be in SDDC mode instead of
the intended ADDDC mode
Version: 2.3.94: Initial version.