Intel(R) Server Board S2600TP Product Family Firmware Update Package for
Intel(R) One Boot Flash Update Utility and Windows* Preboot Execution Environment
================================================================================
INTEL(R) Server Boards and Systems
Intel Corporation
2111 N.E. 25th Avenue, Hillsboro, OR 97124 USA
================================================================================
DATE    : July 1, 2020
TO      : Intel(R) Server Board S2600TP Product Family customers
SUBJECT : Release Notes for System Firmware Update Package
================================================================================
ABOUT THIS RELEASE
================================================================================
BIOS:   01.01.0029
ME:     03.01.03.072
BMC:    01.60.12335
FRUSDR: 1.18
================================================================================
Support Platforms and Dependency
================================================================================
Processors supported:
  Intel(R) Xeon processor E5-2600 v3 series
  Intel(R) Xeon processor E5-2600 v4 series

Microcode update versions:
  CPUID     Version      Status
  0x306f2   0x00000043   Production (Haswell EP C0/C1)
  0x406f1   0x0b000038   External (Broadwell EP B0)

Production boards:
  Product   Fab Version
  S2600TP   Fab2 or above

The following update process must be followed to ensure a trouble free update.
  1. Manageability Engine (ME) firmware
  2. FD
  3. BMC firmware
  4. BIOS
  5. FRUSDR
================================================================================
IMPORTANT NOTE!!!
================================================================================
- This update package must be installed using Intel(R) One-boot Flash Update
  (OFU) V14.1 Build 25.
- BIOS downgrade from this release can only be done by using the BIOS recovery
  mode.
- Due to a fix in BIOS R01.01.0020, the older update utilities in older SFUP
  packages (R018 and older) can’t be used for downgrade, even in recovery mode;
  the customer needs to manually replace the utilities with the newer versions.
================================================================================
System Firmware Update Package Usage instructions
================================================================================
This package can be updated using one of the following methods:
- Windows* or Linux* operating system using Intel(R) One-boot Flash Update (OFU)
  V14.1 Build 25
- Windows* Preboot Execution Environment (WinPE)

To update from Windows* and Linux* operating systems using the Intel(R) One Boot
Flash Update Utility (OFU)

The Intel(R) One boot Flash Update utility can be downloaded from
http://downloadcenter.intel.com/ and it is part of the "BIOS, Firmware Update &
Configuration Utilities" for Windows* and Linux*. Please refer to the Intel(R)
OFU user guide for details of the installation and usage of OFU.

Use OFU to update system firmware by the following steps:
- Install OFU on Windows* or Linux* system
- Download the latest firmware update package from
  http://downloadcenter.intel.com/
- Unzip package to a folder
- Run the following command in Windows* command line/Linux* terminal window:
  :\flashupdt -u \flashupdt.cfg

To update from Windows* Preboot Execution Environment (WinPE)

The System Firmware Update Package can be inserted into a customized Windows* PE
image for creating a bootable Windows* PE CD.
The user is able to update system firmware from the customized WinPE CD by the
following steps:
- Boot server with customized WinPE CD
- Run script "WinPE21_x64_Update.bat" or "WinPE20_x86_Update.bat" (the name may
  vary depending on your own customization)

Note:
1. The Intel(R) OFU utility is case sensitive. Therefore, when you transfer the
   Firmware Update Package using a USB flash drive from a Microsoft Windows*
   system to a Linux environment, you must first extract it under the Linux*
   environment. Otherwise, you will need to mount the USB flash drive manually
   with the 'vfat' option under Linux to avoid conversion from upper case to
   lower case and vice versa.
2. To make the Intel(R) OFU utility run properly under an x86 or x64 OS, you
   have to read the OFU release notes on known issues for OFU installation.
3. In this SFUP package, Intel only provides the batch files
   "WinPE_x86_Update.bat" for the WinPE2.0 32 bit solution and
   "WinPE_x64_Update.bat" for the WinPE2.1/3.0 64 bit solution as examples.
   Please refer to the white paper "White Paper-Intel Server Utilities Procedure
   for WinPE.pdf" for details on building your own customized WinPE CD.
4. Windows PE 2.0 - built from Windows Vista SP1 32bit or EM64T
5. Windows PE 2.1 - built from Windows Vista SP1 or Windows Server 2008, EM64T
6. Windows PE 3.1 - built from Windows Server 2008R2, EM64T
7. The Microsoft IPMI driver is loaded by default from the WinPE CD. If you want
   to use the Intel IPMI driver instead of the MS IPMI driver for firmware
   update, you can un-install the Microsoft IPMI driver by:
     Devicesetup.exe -v remove *IPI0001
   Note: IPI0001 is the device ID for the Microsoft IPMI driver.
8. To update the backup BIOS region or NVRAM, you need to customize the OFU
   update scripts (e.g. flashupdt.cfg) and add the "UpdateBackupBios" or
   "UpdateNvram" parameter.
================================================================================
IMPORTANT NOTICE
================================================================================
1. BIOS R01.01.0018 will include a security revision upgrade. BIOS downgrade is
   not allowed from the OS and can only be performed on uEFI shell using the
   BIOS recovery jumper method.
2. BIOS R01.01.0009 will enable UEFI Secure Boot and includes the limitations
   below:
   - Please read the "BIOS UEFI SECURE BOOT IMPACT AND MITIGATION METHOD"
     section in these BIOS release notes
   - All customer settings saved in BIOS NVRAM will be lost after the new BIOS
     upgrade
   - BIOS downgrade is not allowed if the user has enabled BIOS secure boot. All
     customer settings will also be lost on downgrade to a previous BIOS release
   - The backup BIOS region is also required to be updated to prevent recovery
     failure; please use the release package to update BIOS
   - There is a downgrade hang risk if you don't follow the above rules
   - Further BIOS releases will not suffer from these side effects as the NVRAM
     region is formatted as authenticated variable storage
3. System will randomly hang at 0xbf after downgrading BIOS (E5-2600V4 code
   tree) to R0011/R0009 (E5-2600V3 code tree)
   - Set SUT to recovery mode to power on, then set it back to normal boot to
     see whether it is recovered
4. The iFlash32 utility parameter 'UpdateNvram' is not supported under Normal
   Mode; it is only supported under Recovery Mode
5. Design change for to change default setting from to <10>. Need to press to see the new default string
6. It is suggested to press 'F9' to load defaults when using the 'IOU Non-posted
   prefetch control' setup options for the first time
================================================================================
BIOS UEFI SECURE BOOT IMPACT AND MITIGATION METHOD
================================================================================
1. Customer Setting Loss Issue and Mitigation Method
   When the user upgrades to a BIOS with the secure boot feature, the NVRAM will
   be automatically formatted as authenticated variable physical storage.
   However, all previous customer settings stored in NVRAM will be lost even if
   the user does not enable the UEFI secure boot feature. Users can follow the
   recipe below to save and restore their settings based on the actual NVRAM
   usage if they wish to upgrade or downgrade between BIOS with or without the
   secure boot feature.

   Supposing the customer needs to save & restore a specific NVRAM variable
   named 'var':

   Steps:
   1. Prepare FAT partition USB key (or HDD).
   2. Boot to EFI shell.
   3. Check the file system mapping (e.g. fs0:) of the USB key with the
      'map -r' command.
   4. Use 'dmpstore var -s fs0:\var.bin' to save the variable to the physical
      file.
   5. Perform BIOS update and reboot system.
   6. Boot to EFI shell.
   7. Use 'dmpstore var -l fs0:\var.bin' to restore the variable.
   8. Reboot the system if the customer setting requires a reboot to take
      effect.

   Notes:
   1. Immediate reboot after BIOS update is mandatory; otherwise the restore
      operation will not take effect.
   2. Customers can repeat step 4 and step 7 several times if they need to save
      & restore multiple NVRAM variables.
   3. Most BIOS customer settings made by SysCfg can also be restored in this
      way. Customers can follow steps 1~8 above, substituting 'Setup' for 'var'
      in the sample.
   4. For the BIOS downgrade case, step 7 cannot be used to restore
      authenticated variables (e.g. PK, KEK, DB, DBX) to non-authenticated NVRAM
      storage.

2. Recovery Mode Failure
   There is a known bug that it cannot POST successfully with authenticated
   NVRAM storage. This will cause platform recovery failure and permanent denial
   of service (PDOS) if the primary BIOS region gets corrupted for some reason.
   It is required to update the backup BIOS region when upgrading the BIOS
   capsule with the secure boot feature.

   Notes:
   For the downgrade case, the user is not required to update the backup BIOS
   region, as the new BIOS with the secure boot feature can handle NVRAM with
   the old storage format: it will format it to the new authenticated variable
   storage automatically.
   However, care must be taken when downgrading BIOS in recovery mode: after
   flashing a BIOS without the secure boot feature, the user should restore the
   recovery HW jumper immediately, before platform reset. If a platform reset
   occurs before restoring the recovery HW jumper, the backup BIOS will once
   again format NVRAM to the new storage format, which will cause the newly
   flashed BIOS (without the secure boot feature) to fail POST after the user
   restores the recovery HW jumper.
================================================================================
Issues Fixed in BIOS 01.01.0029
================================================================================
[HSD-ES][1507032918][D0249]System become unresponsive when flash the modified
  BIOS capsule that change offset 0x70 value from 00 to 4F
[HSD-ES][1507164194]0xFF transport failed on serial port
[HSD-ES][1507197471]FW-UEFI-Vuln-2019-117 [BDBA] Intel Server Board S2600TP
  Family - System Update Package EFI - BIOS 01.01.0024, ME FW 03.01.03.043,
  BMC 1.51.11142, FRUSDR 1.17
[HSD-ES][1507218677]Include PRT patch Intel Server and Workstation Processors
  Microcode Update Rev. Production SRV_P_285 to Xeon® E5-2600v3,v4 Family
  Q3 2019
[HSD-ES][1507195983][Security] Race conditions in VariableInterface() allow
  arbitrary writes inside of SMRAM
[HSD-ES][1507242883]CCB#2664:[BIOS] Add correctable error thresholds for 100
  and 500
[HSD-ES][1507238702]The copyright should be Copyright (c) 2010-2019 instead of
  Copyright(c) 2010-2018
[HSD-ES][1507284801]Xeon® E5-2600v3,v4 Family Security version update to
  version 1111
[HSD-ES][2207342514]Injection of Malformed TLP into PCH slot shows no system
  response
[HSD-ES][1507402292][S2600KP]Syscfg /fan command failed to change setting on
  S2600KP
[HSD-ES][1607116940]Add two BIOS PCIe options for each PCIe slot's add-in card
  into BIOS setup/Syscfg/ITK options when PCIe Advance Error Reporting
  feature(AER) is enabled.
[HSD-ES][1507689901]The copyright should be Copyright (c) 2010-2020 instead of
  Copyright(c) 2010-2019
[HSD-ES][1507349222]Unsecure write to SMRAM because of missing buffer validation
[HSD-ES][1507801623][H1 #744766] SMM-module - MemRas - Missing pointer validatio S2600
Update 0x38 Microcode for IPU2019.2
Update ME to 03.01.03.072 for IPU2019.2
Update SINT ACM: 3.1.3 for IPU2019.2
[HSD-ES][1507430121]:Xeon® E5-2600v3,v4 Family BIOS KCS fix
[HSD-ES][2103632349]SOL options in BIOS setup can be operated when KCS mode
  change to Restricted or Deny All.
[HSD-ES][1507896793]SUT will halt at post code 0x81 when downgrade BIOS from
  D52 to R28.
[HSD-ES][2103632353]Set KCS mode to Deny All or Restricted, change some option,
  press F10 and “Y” to save, there will show a message "Submit Fail for Form:
  UEFI Network Stack".
[HSD-ES][2103632466]The BMC Firmware Revision&SDR Revision not hidden in POST
  Information under KCS Deny All mode.
[HSD-ES][1507979683]Enable BT(SIO) in Pilot BMC
[HSD-ES][1507959292]Add new KCS policy done_core flag in BT
================================================================================
Issues Fixed in ME 03.01.03.072
================================================================================
QSR PSIRT-TA-201901-002
================================================================================
Issues Fixed in BMC 1.60.12335
================================================================================
-2103632883: [BMC]After offline update BMC to 1.58, SSH can't connect
  successfully by default port 22.
-2103632890: [BMC]The EWS login Window can't be opened sometimes if offline
  update the BMC to 1.58.
-2103632313: [BMC]The SSH connection will be closed automatically after issuing
  some commands.
-2103632763: [BMC]The SEL for capture KCS policy control mode is incorrect.
-2103632905: [BMC] KCS policy sensor will show "Unknown" health status after BMC
  reset for BMC 1.59.
-2103632906: [BMC] There is no help information about new features "RMCP mode"
  and "RMCP+ Cipher Suite3" in the EWS.
-2103632894: [BMC]Changed any secure port of KVM/CDROM/USB/Floppy, the KVM will
  hang up after mount any remote media.
-2103632411: The KVM session will hang up when set the "USB key Emulation Type"
  to "Hard Disk" type and mount the redirected devices.
-2103632398: It shows, "Description:Unname - Asserted" in the SELText.txt
  (SELLOG.zip) for all KCS control mode.
-2103632317: [BMC]The SUT can't get the stateful IPv6 IP address from DHCPv6
  server.
-2103632763: [BMC]The SEL for capture KCS policy control mode is incorrect.
-Replace 05A~08A 1600W PSU fw from 75 to 78 and add 09A~11A 1600W PSU FW
  version 78
-Upgrade openssl from 1.1.1e to 1.1.1g
-KCS PSIRT enhancement that is for core-bios-done possible security attack
-add Cipher Suite3 setting in EWS
-add RMCP mode setting in EWS
-fix RED team reported problems including Web File upload problem and
  Authentication Bypass for each ASP endpoint.
-BDBA fix : libs and application upgrade (/usr/bin/unzip and /sbin/lsof removed,
  libldap to 2.4.49, openssl from 1.1.1d to 1.1.1e, libtasn1 to v4.16,
  libkrb5.so-kerberos upgrade to 1.18.0)
-2103632312 web page copyright date wrong problem.
-2103632313 [BMC]The SSH connection will be closed automatically after issuing
  some commands.
-1506367106 fail to dump system debug log with syscfg.
-2209994497 [BMC][H1 761356] buffer overflow in usbe.ko leads to remote code
  execution.
-DCG RED team reported vulnerabilities fix ID#19 and improvement on ID#4,8,9
  fixes.
-BDBA fix - kernel and busybox upgrade
  a. Kernel upgrade from 3.2.59 to 3.2.102
  b. Busybox upgrade from 1.20.2 to 1.31.1
-BDBA Fix - libs and application upgrade (libbz2, libgcrypto, libgpg-error,
  libsasl2, openssl, zlib, openssh, stunnel, dhclient, glibc)
-KCS PSIRT problem (refer to Xeon® E5-2600v3,v4 Family BMC EPS 1.20)
-Only support Cipher suite 17 for IPMI over lan (ipmitool -I lanplus .... -C 17)
- SSH weak cipher remove
-USBanywhere security problem, need to disable unsecure port about KVM
-CCB 2880 Add IPMI commands and Web interface for user to select SSL Cipher
-expl_fdserver problem, need to fix bypass auth issue
-DCG RED team reported about 20 vulnerabilities.
  a. KVM HID packets attack
  b. 10 Buffer overflow issues in different features.
  c. 6 Cross Site Scripting vulnerabilities through /goform URL for web service
     feature.
  d. two issues that caused by JSLibrary bypass for web service feature.
-Klocwork problem fix including about 2000 Critical and Error issues in
  different features.
================================================================================
Issues Fixed in FRUSDR 1.18
================================================================================
- None.
- Features added: Add KCS Ctrl Mode sensor & Update frusdr.efi and ipmi.efi
  utility to 14.1 build 18
================================================================================
LEGAL INFORMATION
================================================================================
Information in this document is provided in connection with Intel products. No
license, express or implied, by estoppel or otherwise, to any intellectual
property rights is granted by this document. Except as provided in Intel's Terms
and Conditions of Sale for such products, Intel assumes no liability whatsoever,
and Intel disclaims any express or implied warranty, relating to sale and/or use
of Intel products including liability or warranties relating to fitness for a
particular purpose, merchantability, or infringement of any patent, copyright or
other intellectual property right.

Intel Corporation may have patents or pending patent applications, trademarks,
copyrights, or other intellectual property rights that relate to the presented
subject matter.
The furnishing of documents and other materials and information does not provide
any license, express or implied, by estoppel or otherwise, to any such patents,
trademarks, copyrights, or other intellectual property rights.

Intel products are not intended for use in medical, life saving, or life
sustaining applications. Intel may make changes to specifications and product
descriptions at any time, without notice.

Intel is a registered trademark of Intel Corporation.

*Other names and brands are the property of their respective owners.

Copyright (c) 2020 Intel Corporation.

A portion of this firmware is open source code, which falls under the GPL 2.0
license.

[END OF RELEASE NOTES]