================================================================================ Intel(R) Server Board S1200SP Product Family Firmware Update Package for Intel(R) One Boot Flash Update Utility and Windows* Preboot Execution Environment ================================================================================ INTEL(R) Server Boards and Systems Intel Corporation 2111 N.E. 25th Avenue, Hillsboro, OR 97124 USA ================================================================================ DATE : June 24, 2020 TO : Intel(R) Server Board S1200SP Product Family customers SUBJECT : Release Notes for System Firmware Update Package ================================================================================ ABOUT THIS RELEASE ================================================================================ BIOS: 03.01.0049 ME: 04.01.04.109 BMC: 01.18.12306 FRUSDR: V0.28 ================================================================================ IMPORTANT: PLEASE READ ================================================================================ Due to additional integrated BIOS features, the Intel(r) Server Board S1200SP BIOS binary regions have surpassed their original design sizes. Install bridge BIOS version 03.01.2032 to redefine the binary regions before attempting to update the BIOS firmware to version 03.01.0038 or later. Prior to update your system to BIOS version 03.01.0038 or later, is required to update the system to bridge BIOS version 03.01.2032. If you update BIOS version from 03.01.0038 over to 03.01.0042, the bridge BIOS version is not required. System will fail to update the BIOS FW to version 03.01.0042 if the currently BIOS FW installed on the system is not 03.01.2032 or 03.01.0038. We apologize for the inconvenience. ================================================================================ Support Platforms and Dependency ================================================================================ Processors supported: Intel(R) Xeon(R) processor E3-1200 v5 series Intel(R) Xeon(R) processor E3-1200 v6 series Microcode update versions: CPUID Version Status 0x506E3 000000D6 (E3-1200v5 UP R0/S0) (Intel(R) Xeon(R) processor E3-1200 v5 series B0) 0x906E9 000000CA (E3-1200v6 B0) (Intel(R) Xeon(R) processor E3-1200 v6 series B0) The following update process must be followed to ensure a trouble free update. 1. BMC firmware 2. BIOS 3. Manageability Engine (ME) firmware 4. FRUSDR ================================================================================ Supported Operating Systems ================================================================================ Windows* Server 2012 R2 EM64T Windows* Server 2016 Standard/Datacenter Windows* 10 EM64T RHEL* 6.x and 7.x EM64T CentOS* 7.x EM64T SuSE* 11.x and 12.x EM64T ================================================================================ IMPORTANT NOTICE ================================================================================ - This Update package must be installed using Intel(R) One-boot Flash Update (OFU) V14.0 Build 15 - This BIOS has included CCB108 implementation(Aperture size), suggesting to press F9 to load default if BIOS is updated via online method. - BIOS downgrade from this release only can be done by using the BIOS recovery mode - Please press F9 to make SGX enabled by default when BIOS is online upgraded from Intel(R) Xeon(R) processor E3-1200 v5 series based SGX BIOS(01.01.xxxx) to Intel(R) Xeon(R) processor E3-1200 v5 series based SGX BIOS(03.01.xxxx), due to limitation on Intel(R) Xeon(R) processor E3-1200 v5 series based SGX BIOS. - This BIOS has updated Security Revision to 2.0 following SPRD requirement, causing BIOS can't be downgraded to previous version with Security Revision 01.00 under normal mode. No impact under Recovery Mode. The same limitation when downgrade BIOS to non-SGX BIOS and downgrade BIOS to SGX BIOS with lower security revision. - This BIOS has SMM communication buffer fix with Security Revision updated to 01.01 following SPRD requirement. Two impacts should be noted: >> 1. Security Revision upgrade: causing BIOS can't be downgraded to previous version with Security Revision 01.00 under normal mode. No impact under Recovery Mode. >> 2. SMM communication buffer fix: causing older version of utilities are not functional, only version equal or newer than below ones can be used together with this new BIOS. Sysinfo V14.0 Build 18, Selviewer V14.0 Build 17, Syscfg V14.0 Build 15, iFlash32 v14.0 Build10, FWPIAUPD v14.0 Build 8, FRUSDR v14.0 Build 8, OFU v14.0 Build 15 ================================================================================ System Firmware Update Package Usage instructions ================================================================================ This package can be updated using one of the following methods: - Windows* or Linux* operating system using Intel(R) One-boot Flash Update (OFU) V14.0 Build 15 - Windows* Preboot Execution Environment (WinPE) To update from Windows* and Linux* or operating systems using the Intel(R) One Boot Flash Update Utility (OFU) Intel(R) One boot Flash Update utility can be downloaded from http://downloadcenter.intel.com/ and it is part of the "BIOS, Firmware Update & Configuration Utilities" for Windows* and Linux*. Please refer to Intel(R) OFU user guide about the details of installation and usage of OFU. Use OFU to update system firmware by the following steps: - Install OFU on Windows* or Linux* system - Download the latest firmware update package from http://downloadcenter.intel.com/ - Unzip package to a folder - Run the following command in Windows* command line/Linux* terminal window: :\flashupdt -u \flashupdt.cfg To update from Windows* Preboot Execution Environment (WinPE) The System Firmware Update Package can be inserted to Windows* PE customized image for creating a bootable Windows* PE CD. User is able to update system firmware from customized WinPE CD by the following steps: - Boot server with customized WinPE CD - Run script "WinPE21_x64_Update.bat" or "WinPE20_x86_Update.bat" (name may be varied depends on your own customization) Note: 1. The Intel(R) OFU utility is case sensitive. Therefore, when you transfer the Firmware Update Package using USB flash drive from a Microsoft Windows* system to a Linux environment, you must first extract under the Linux* environment. Otherwise, you will need to mount the USB flash drive manually with 'vfat' option under Linux to avoid conversion from upper case to lower case and vice versa. 2. To make Intel(R) OFU utility run properly under x86 or x64 OS, you have to read OFU release notes on known issues for OFU installation. 3. In this SFUP package, Intel only provide batch file "WinPE_x86_Update.bat" for WinPE2.0 32 bit solution "WinPE_x64_Update.bat" for WinPE2.1/3.0 64 bit solution as an example. Please refer to white paper "White Paper-Intel Server Utilities Procedure for WinPE.pdf" for details on building your own customized WinPE CD. 4. Windows PE 2.0 - built from Windows Vista SP1 32bit or EM64T 5. Windows PE 2.1 - built from Windows Vista SP1 or Windows Server 2008, EM64T 6. Windows PE 3.1 - built from Windows Server 2008R2, EM64T 7. Microsoft IPMI driver is loaded by default from WinPE CD, if you want to use Intel IPMI driver instead of MS IPMI driver for firmware update, you can un-install Microsoft IPMI driver by: Devicesetup.exe ¨Cv remove *IPI0001 Note: IPI0001 is the device ID for Microsoft IPMI driver. 8. If to update backup BIOS region or NVRAM, you need to customize the OFU update scripts (eg.flashupdt.cfg) and add "UpdateBackupBios" or "UpdateNvram" parameter. ================================================================================ 03.01.R0049 ================================================================================ Production sign. [HSD-ES][2103632646] The BMC Firmware Revision&SDR Revision not hidden in POST Information under KCS Deny All mode. [HSD-ES][2103633189] FDD always are attached to the end of boot options after F9 under UEFI mode. [HSD-ES][1507958726] Run command "chipsec_main.py" and find module "igd_config0" failed. [HSD-ES][1507966668] [S1200SP][Point Release]S1200SP Point release based on 03.01.R4042 +Fixed the Overclocking MSR lock issue. Update RC code to 4.1.1.3 [HSD-ES][1508038822] [S1200SP]Failed to set BIOS Knobs using syscfg in OS level. [HSD-ES][2103632569] Most changed settings return default when online update BIOS from D03.01.0042 to D03.01.0046. [HSD-ES][1507959325] Add new KCS policy done_core flage in BT. [HSD-ES][2103632613] [KCS] “Set Fan Profile” and “Fan PWM Offset” options not be Suppressed under Deny All mode [HSD-ES][1507032908][S1200SP][D0040]System become unresponsive when flash the modified BIOS capsule that change offset 0x70 value from 00 to 4F [HSD-ES][1507197468] FW-UEFI-Vuln-2019-115 [BDBA] Intel Server Board S1200SP Family - System Firmware Update Package Bridge SFUP for Intel OFU - BIOS 03.01.2032, ME FW 04.01.04.054 [HSD-ES][1507218688] Include PRT patch Intel Server and Workstation Processors Microcode Update Rev. Production SRV_P_285 to Silver Pass 2019 QSBR [HSD-ES][1507195984] [Security] Race conditions in VariableInterface() allow arbitrary writes inside of SMRAM [HSD-ES][1507238750] The copyright should be Copyright (c) 2010-2019 instead of Copyright(c)2010-2018 [HSD-ES][1607385130] Update Security version to 8 [HSD-ES][1607423701] Silver Pass debug BIOS will assert in DXE FwBlockService Update for IPU 2019.2. [HSD-ES][1507689912]The copyright should be Copyright (c) 2010-2020 instead of Copyright(c) 2010-2019 ================================================================================ ME 04.01.04.109 ================================================================================ Please follow the below procedure to update ME using UEFI iFlash32 14.0 Build 11 1. Boot the system to EFI Shell 2. Download ME release package 3. Unzip the ME release package to HD or USB Flash Drive 3. Map the respective storage device in system with the command Shell> map -r 4. Change the Shell to mapped device file system Example: Shell> fs0: (or fs1:) 5. Run the IFlash32 utility on the prompt. Use ME_xx_xx_xx_xxx.cap file when ME operational Image update is required. Use MEComplete_xx_xx_xx_xxx.cap file when Only whole ME Image update is required. fs0:\> IFlash32 [File Name] /u /ni 6. Reboot system after the update is completed. 1. 111153 SPS ME FW sometimes stop send E2 get OEM power reading cmd to BMC 2. IPMI F5h - Get PMBus Readings command may result in non-zero Completion Code 3. 1808702257 Policy ID 0 disappear after OS restart when parameter Domain HW Protection Enabled is set to False 4. 1808695866 ME FW is non responsive on SMLink0 in S5 after G3 after SPI image flash followed by CMOS clear =============================================================================== BMC 01.18.12306 =============================================================================== - This BMC FW update package is to be used only on Intel server baseboards and does NOT support customer reference boards (CRB) or silicon reference platforms (SRP) - The BMC FW image file in this package is to be used only with the provided FWPIAUPD update utility. Using the FW image file with a SPI flash device programmer will result in a non-functional system. 01.18.12306: -BDBA fix  - kernel  and  busybox  upgrade a. Kernel upgrade from 3.2.59 to 3.2.102 b. Busybox upgrade from 1.20.2 to 1.31.1 -BDBA fix : libs and application upgrade (libbz2, libgcrypto, libgpg-error, libsasl2, openssl, zlib, openssh, stunnel, dhclient, glibc, /usr/bin/unzip and /sbin/lsof removed,libldap to 2.4.49,openssl from 1.1.1d to 1.1.1e,libtasn1 to v4.16, libkrb5.so-keberos upgrade to 1.18.0) -KCS PSIRT problem -Only support Cipher suite 17 for IPMI over lan - SSH weak cipher remove -USBanywhere security problem , need to disable unsecure port about KVM -CCB 2880  Add IPMI commands and Web interface for user to select SSL Cipher -expl_fdserver problem, need to fix bypass auth issue -DCG RED team reported  about 20 vulnerabilities. a. KVM HID packets attack b. 10 Buffer overflow  issues in different features. c. 6 Cross Site Scripting vulnerabilities  through /goform URL  for web service feature. d. two issues that caused by JSLibrary bypass  for web service feature. -klockwork problem fix  including  about 2000  Critical and Error issues  in different  features. Leverage grantley fix into silverpas : -2103632312 web page copyright date wrong problem. -2103632313 [BMC]The SSH connection will be closed automatically after issuing some commands. -2209994497 [BMC][H1 761356] buffer overflow in usbe.ko leads to remote code execution. -always https by default. -Similar fix with 2103632313:[Grantley][BMC]The SSH connection will be closed automatically after issuing some commands. -RED team report 2 security issues (File upload and Authentication Bypass) -2103632553 It can not receive the DHCP IPv6 IP when update the BMC_1.17.12281 version -KCS PSIRT enhancement that is for core-bios-done possible security attack -Implement 2 features: one is Cipher suite 3 support option in web console, second one is RMCP enable/disable option in web console ================================================================================ FRUSDR 0.28 FEATURES ADDED ================================================================================ S1200SP_028: S1200SP_026: 2103618193 Display version 0.24 in flash interface when flash Frusdr version 0.25. ============================================================================= LEGAL INFORMATION ============================================================================= Information in this document is provided in connection with Intel products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel's Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Intel Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject matter. The furnishing of documents and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights. Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. Intel is a registered trademark of Intel Corporation. *Other names and brands are the property of their respective owners. Copyright (c) 2020 Intel Corporation. A portion of this firmware is open source code, which falls under the GPL 2.0 license. For BMC the OSS source code that the customer is entitled to per OSS license has been posted on the Intel support website at the following link: http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21081 This open source code falls under the GPL 2.0 license, please see the license at the following link: http://www.opensource.org/licenses/gpl-2.0.php