================================================================================ Intel(R) Server Platform BIOS Release Notes ================================================================================ INTEL(R) Server Boards and Systems Intel Corporation 2111 N.E. 25th Avenue, Hillsboro, OR 97124 USA ================================================================================ DATE : Mar. 04, 2022 TO : Multi-Core Intel(R) Xeon(R) Processor-Based Server Platform customers SUBJECT : BIOS Release notes for version 01.01.3029 ================================================================================ LEGAL INFORMATION ================================================================================ INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm Intel is a registered trademark of Intel Corporation. *Other names and brands are the property of their respective owners. Copyright (C) 2022 Intel Corporation. ================================================================================ ABOUT THIS RELEASE ================================================================================ Build Stamp : SE5C610.86B.01.01.3029 Build Date : Feb. 24, 2022 ================================================================================ Supported Platforms ================================================================================ S2600WT Family S2600KP Family S2600TP Family S2600CW Family ================================================================================ BIOS COMPONENTS/CONTENTS ================================================================================ Processors supported: Intel(R) Xeon(R) processor E5-2600 v3 series Processor Intel(R) Xeon(R) processor E5-2600 v4 series Processor Microcode update versions: CPUID Version Status 0x306f2 0x00000049 Production (Haswell EP C0/C1) 0x406f1 0x0b000040 Production (Broadwell EP B0) On-Board Component Option ROM Versions: all_gigabit_pxe_v1.5.70.LOM - 1G PXE OpROM v1.5.70 (for all Intel Sever gigabit controllers, including LOMs and I/O modules) all_10g_pxe_v2.3.41.LOM - 10G PXE OpROM v2.3.41(for all Intel Sever 10G controllers, including LOMs and I/O modules) all_iscsi_v3.0.48.LOM - iSCSI Boot OpROM v3.0.48(for all Intel Sever gigabit and 10G PCSD controllers, including LOMs and I/O modules) all_10g_fcoe_v1.8.17.LOM - 10G FCoE OpROM v1.8.17(for Intel Sever 10G Niantic I/O module) X540_Fcoe.LOM - 10G FCoE OpROM v1.8.24(for Intel Sever 10G X540 controllers, including LOMs and I/O module) E4702X4.EFI - 10G PCIe gigabit controller UEFI driver ver 4.7.02 E6604X3.EFI - 1G controller UEFI driver ver 6.6.04 sSataOrom.bin - sSata RAID OpROM V4.3.0.1018 SataOrom.bin - Sata RAID OpROM V4.3.0.1018 SataDriver.efi - Sata UEFI RAID OpROM V4.3.0.1018 sSataDriver.efi - sSata UEFI RAID OpROM V4.3.0.1018 ESRT2.ROM - ESRT II legacy OpROM A.14.10171446I EfiSasDriver.efi - ESRT II UEFI RAID OpROM 03250000 ACM : v03.01.06 Reference Code Version : v4.3.0 Management Engine Firmware Version : 03.01.03.072 Security Revision : 1111 ================================================================================ INSTALLATION NOTES ================================================================================ WARNING: It is very important to follow these instructions as they are written. Failure to update using the proper procedure may cause damage to your system. Firmware flash utility: iFlash32_V14.1_Build15 1.User can update BIOS flash image via either one of the follow methods... A. UEFI iFlash32 1.) Copy the entire contents of the Package file to the HDD or USB flash drive (All of the files must reside in the same directory) 2.) Boot to UEFI Shell, then change the Shell to the mapped device file system Example: Shell> fs0: (or fs1:) 3.) Run Startup.nsh for update BIOS (ME and FD included), BMC, and FRUSDR all-together or select one of the folllowing options to upgrade components independently updALL.nsh for BIOS, ME and FD region upgrades only updBIOS.nsh, updME.nsh and updFD.nsh for each region upgrade respectively updBMC.nsh to update BMC only updFRUSDR.nsh to update the FRUSDR only 4.) Reboot system after the update is completed 5.) Do *NOT* interrupt the BIOS POST during the first boot 2.BIOS update under recovery mode as below methods The USB media is necessary for primary BIOS upgrade and must contain the following files under the root directory, you can capture all the ingredients from BIOS release package: Copy the entire contents of the Package file to the HDD or USB flash drive (All of the files must reside in the same directory) A: USB media inserted AFTER performing a recovery boot 1.) Under Shell, type "map -r" to map all Drives/USB devices 2.) Change the Shell to the mapped USB device Example: Shell> fs0: (or fs1:) 3.) Execute the Startup.nsh scripts, wait for the update to complete 4.) Power OFF the system, and revert the recovery jumper position back to "normal operation" 5.) Power ON the system 6.) Do *NOT* interrupt the BIOS POST during the first boot B: USB media inserted PRIOR performing a recovery boot 1.) Power ON the system, it will boot automatically into EFI Shell to invoke the Startup.nsh script 2.) After the update is completed, there will be a message displayed that the "ME Firmware and BIOS updates have completed" indicating the recovery process is finished. Then Power OFF the system, switch the recovery jumper back to normal operation, and finally, Power ON the system 3.) Do *NOT* interrupt the BIOS POST during the first boot Notes: If to update backup BIOS region, you need to customize the iflash32 update scripts and add "UpdateBackupBios" parameter Notes: Setup variable structure has been changed in E5-2600V4 BIOS. If downgrading E5-2600V4 BIOS to lower versions or E5-2600V3 BIOS, please add 'UpdateNvram' parameter in BIOS Recovery Mode. Note: Removed 'UpdateNvram' support for iflash32 tool for security reason. Note: If User customizes ITK capsule and BIOS admin password is set, BIOS SMI handler requires extra parameter of "password" in iFlash32 mail box: e.g. iFlash32.efi -u Bios.cap Password=intel@123 -ni, no requirement when BIOS admin password is not set or standard BIOS release capsule is used. Note: If BIOS version on SUT is older than R01.01.0009, then please update to R01.01.0009 firstly for further update. Note: If downgrade to BIOS version R01.01.0008 or older, please switch to Recovery Mode if online method is used. Note: If downgrade to BIOS version R01.01.0028 or older, please switch to Recovery Mode if online method is used(becuase of security revision is updated). ================================================================================ BIOS RECOVERY INSTRUCTIONS ================================================================================ The Recovery process can be initiated by setting the recovery jumper (called BIOS Recovery Boot Jumper) A BIOS recovery can be accomplished from the backup BIOS region. BIOS starts the recovery process by first loading and booting to the recovery image from backup BIOS region. This process takes place before any video or console is available. Once the system boots to recovery image. The following steps demonstrate this recovery process: 1. Power OFF the system 2. Switch the recovery jumper. Details regarding the jumper ID and location can be obtained from the Server Board TPS for that Platform 3. Power ON the system 4. The BIOS POST screen will appear displaying the progress and the system will automatically boot to the EFI SHELL 5. Follow the BIOS recovery update manual for BIOS recovery. ================================================================================ ME FW Capsule INSTALLATION NOTES ================================================================================ WARNING: It is very important to follow these instructions as they are written. Failure to update using the proper procedure may cause damage to your system. !!!!! Please make sure AC Power is plugged in during the update !!!!! !!!!! AC Power failure during the update may, unrecoverably, damage your system !!!!! User can update ME image via either of the follow methods: 1.) Copy the entire contents of the Package file to the HDD or USB flash drive (All of the files must reside in the same directory) 2.) Boot to UEFI Shell, then change the Shell to mapped device file system Example: Shell> fs0: (or fs1:) 3.) Use updME.nsh and updFD.nsh for ME and FD FW upgrade 4.) Reboot system after the update is completed ================================================================================ IMPORTANT NOTICE ================================================================================ 1. The BIOS R01.01.0002 auto scripts will force to update both normal and backup BIOS region since security revision was updated, once user upgrade BIOS to R01.01.0002, it will prevent BIOS downgrade to previous version that with low security revision, user can use BIOS recovery mode for BIOS downgrade 2. The BIOS R01.01.0003 included security fix and security revision upgrade, refer to item #1 3. If doing online BIOS update to R01.01.0003, user must use the auto scripts enabled in the release package which will force update BIOS NVRAM and backup region 4. BIOS R01.01.0004 requires update of NVRAM and backup region 5. BIOS R01.01.0009 and R01.01.0011 will enable UEFI Secure Boot and include below limitations: - Please read "BIOS UEFI SECURE BOOT IMPACT AND MITIGATION METHOD" section in this BIOS release notes - All customer settings saved in BIOS NVRAM will be lost after new BIOS upgrade. - BIOS downgrade is not allowed if user has enabled BIOS secure boot. All customer setting will be lost also if downgrade to previous BIOS release. - Backup BIOS region is also required to be updated to prevent recovery failure please use release package to update BIOS. - There is downgrade hang risk if you don't follow above rules. - Further BIOS release will not suffer from these side effects as the NVRAM region is formatted as authenticated variable storage 6. System will hang 0xbf after downgrading BIOS from R01.01.0013(E5-2600V4 code tree) to R01.01.0011/R01.01.0009(E5-2600V3 code tree) randomly. -Set SUT to recovery mode to power on, then set it back to normal boot to see whether it is recovered. 7. BIOS R01.01.0013 The iFlash32 utility parameter of 'UpdateNvram' is not supported under Normal Mode, however it is only supported under Recovery Mode. 8. BIOS R01.01.0015 Design change from D076 for to change default setting from to <10>. Need to press to see the new default string. 9. BIOS R01.01.0015 Suggest to press 'F9' to load default if using the 'IOU Non-posted prefetch control' setup options in the first time. 10.BIOS R01.01.0016 BIOS had added command line support to clean ITK customization settings with below notes. 1) Require iflash32 utility updated (>=V13.1 Build 8) to support command line. 2) Run ¡®iflash32 -ccs' to clear ITK customization setting. After reboot to BIOS setup, need to press F9 to load default to see the clear operation. 11. If updating BIOS to R01.01.0013 to R01.01.0016 version, it is required to 'load default' to make the new setup option 'Snooped Response Wait Time for Posted Prefetch' work. 12. Security revision upgrade on R01.01.0018, it will prevent BIOS downgrade via normal mode to previous version that with lower security revision, user can use BIOS recovery mode for BIOS downgrade 13. The BIOS R01.01.0018 included security fix and security revision upgrade. Once user upgrade BIOS to R01.01.0018, it will prevent BIOS downgrade to previous version that with low security revision, user can use BIOS recovery mode for BIOS downgrade 14. Security revision upgrade on R01.01.020, it will prevent BIOS downgrade via normal mode to previous version that with lower security revision, user can use BIOS recovery mode for BIOS downgrade 15. iFlash32 need to upgrade to latest revision v14.0 build10 from BIOS R01.01.020 16. Use I/O Quick Data(also known as CBDMA) feature to access PCIe MMIO space, such as NTB or PCIe bridge, user may observe I/O performance drop during stress test. The reason is under debug, the workaround is to disable Relax Ordering feature. 17 iFlash32 need to upgrade to latest revision v14.0 build11 or later version if user want to downgrade BIOS from BIOS D0181 to earlier version 18. Old revision Iflash32 ,syscfg ,OFU utility, SELViewer, Sysinfo will lead to system hang on R0021 or further BIOS release. These utilities need to upgrade to latest revision iFlash32_V14_0_Build11, Syscfg_V14_0_Build15, OFU_V14_0_Build14, SELViewer_v14_0_Build18, Sysinfo_V14_0_Build18. 19. Security revision upgrade on R01.01.0024 it will prevent BIOS downgrade via normal mode to previous version that with lower security revision, user can use BIOS recovery mode for BIOS downgrade 20. Security revision upgrade on R01.01.0027 it will prevent BIOS downgrade via normal mode to previous version that with lower security revision, user can use BIOS recovery mode for BIOS downgrade ================================================================================ BIOS UEFI SECURE BOOT IMPACT AND MITIGATION METHOD ================================================================================= 1. Customer Setting Loss Issue and Mitigation Method When user upgrades BIOS with secure boot feature, the NVRAM will be automatically formatted as authenticated variable physical storage. However, all previous customer settings storage in NVRAM will be lost even if user does not enable UEFI secure boot feature. Users can take the follow recipe to save and restore their settings based on the actual NVRAM usage if they wish to upgrade or downgrade between BIOS with or without secure boot feature. Supposing customer requires to save & restore their specific NVRAM named 'var': Steps: 1. Prepare FAT partition USB key (or HDD). 2. Boot to EFI shell. 3. Check the file system mapping (e.g. fs0:) of the USB key with 'map -r' command. 4. Use 'dmpstore var -s fs0:\var.bin' to save the variable to the physical file. 5. Perform BIOS update and reboot system. 6. Boot to EFI shell. 7. Use 'dmpstore var -l fs0:\var.bin' to restore the variable. 8. Reboot the system if the customer setting requires reboot to take effect. Notes: 1. Immediate reboot after BIOS update is mandatory. Or the restore operation will not take effect. 2. Customers can repeat step 4 and step 7 for several times if they need to save & restore multiple NVRAM variables. 3. Most of BIOS customer settings by SysCfg can also be restored in this way. Customers can follow previous step1~8 by substituting 'Setup' for 'var' in the sample. 4. For BIOS downgrade case, step7 cannot be used to restore authenticate variables (e.g. PK, KEK, DB, DBX) to non-authenticated NVRAM storage 2. Recovery Mode Failure There is known bug that it cannot POST successfully with authenticated NVRAM storage. This will cause platform recovery failure and permanent deny of service (PDOS) if the primary BIOS region gets corrupted for some reason. It is required to update backup BIOS region when upgrade BIOS capsule with secure boot feature. Notes: For downgrade case, user is not required to update backup BIOS region as new BIOS with secure boot feature can handle NVRAM with old storage format: it will format it to new authenticated variable storage automatically. However, care must be taken when downgrading BIOS in recovery mode: After flashing BIOS without secure boot feature, user should restore recovery HW jumper immediately before platform reset.If platforms reset occurs before restoring recovery HW jumper, the backup BIOS will once again format NVRAM to new storage format, which will cause newly flashed BIOS (without secure boot feature) POST failure after user restores recovery HW jumper. ================================================================================ KNOWN ISSUES/WORKAROUND ================================================================================ [HSD-ES][2103649934] No display installing RHEL8.4/SUSE15SP3 in legacy mode. No issue with RH8.1/SLES15SP1 [HSD-ES][2103650040] After loading BIOS defaults and changing to UEFI mode, there is no UEFI Linux boot option in Boot Manager, and system can't boot to Linux OS HDD. ================================================================================ FEATURES ADDED/REMOVED ================================================================================ R3029 ================================================================================ [IPU 2020.2] [CVE-2020-0592] SMM accessing memory outside of SMRAM and not validating the memory [CVE-2020-8738] Unsecure write to SMRAM because of missing buffer validation [CVE-2020-8740] Out of Bounds memory writes [CVE-2020-8764] TPM Platform Auth Security Vulnerability [IPU 2021.1] [CVE-2020-12357] FW-UEFI-Vuln-2020-006 SMM-module - MemRas - Missing pointer validation [CVE-2020-12360] SMI 0x9a mEinjParam address is not correctly passed to OS [IPU 2021.2] [CVE-2021-0092] Add "Core Bios Done Message" setting in ITK Update OpenSSL to 1.1.1j ================================================================================ CVES OMITTED ================================================================================ These systems are not vulnerable to the below CVEs. No mitigation is required. [CVE-2020-0591] Systems use alternate Decompress function [CVE-2020-8673] SMB connection between PCH and VR not connected [CVE 2021-0144] Systems do not support BSSA