Release Notes for Intel® One Boot Flash Update (Intel® OFU)
Version 14.1 Build 31
March 20, 2023
Copyright© 2023 Intel Corporation.
==================================

Contents
--------
1. Introduction
2. Supported Products
3. Supported Operating Systems
4. Prerequisites
5. Troubleshooting
6. Installation and Removal
7. Usage
8. Known Issues
9. Unsupported Features
10. Change List
11. Instructions for end-user
12. Legal Information

1. Introduction
---------------
The Intel® One Boot Flash Update (Intel® OFU) utility is a program used for updating BIOS, BMC, and Intel® Management Engine (Intel® ME) Firmware, as well as Sensor Data Records (SDR) and Field-Replaceable Unit (FRU) configuration in a supported Intel system.

2. Supported Products
----------------------
Intel® Server Boards supporting the following Intel® processor families:
* 2nd Generation Intel® Xeon® Scalable processor family
* Intel® Xeon® Scalable processor family
* Intel® Xeon® Platinum 9200 processor family
* Intel® Xeon® processor E5-2600 v3/v4 product family (S2600WT, S2600TP, S2600KP, S2600CW)
* Intel® Xeon® processor E3-1200 v2/v3/v4/v5/v6 product family

3. Supported Operating Systems
------------------------------
UEFI shell
Windows Server* 2019 and 2022
Windows* 10
Red Hat Enterprise Linux* (RHEL*) 8.x and 9.x-64 bit
SUSE Linux Enterprise Server* (SLES*) 15, 12 service pack 3-64 bit
Ubuntu* 20.04 and 22.04

Note: Users who want to run the utilities on older operating system versions must use a previous version of the utility that supports that operating system.

4. Prerequisites
----------------
1. Install the development and optional packages during RHEL* and SUSE* operating system installation.
2. This utility works only if it is executed with administrator privileges on Windows* and with root privileges on Linux* operating systems.
3. Updating BIOS, Intel® ME, FRUSDR, and BMC is not supported by the utility if the BMC firmware is in Transfer Mode.
4. It is recommended to do a direct FRU update in EFI/WinPE* before doing a FRU resize with a customized CFG file.

5. Troubleshooting
----------------
For the following operating systems/environments:
• RHEL*
• SLES*
• UEFI-aware Linux*, or other supported Linux* distributions:

- Install the necessary libraries if the utility fails with one of the following error messages:
  a. If the utility fails with the error message:
     "Error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory"
     Then, use the command "rpm -ivh xxxx.rpm" to install the libstdc++ and ncurses packages.
  b. If the utility fails with the error message:
     "Error: /lib/ld-linux.so.2: Bad ELF interpreter: No such file or directory"
     This indicates that development and optional packages were not added during OS installation. Install the necessary packages accordingly.
  c. If the utility installation fails with the error message:
     "Depends on libncurses5 (>= 6); however: Version of libncurses5:amd64 on system is 5.9+20140913-1+deb8u2."
     This indicates that the libncurses version must be >= 6. Remove libncurses and reinstall the latest libncurses package.

- There might be a driver conflict between the internal driver and the kernel. Initialize the OpenIPMI driver.
  If the utility fails with any of the following errors:
  a. "FW interface failed" when updating BMC
  b. "terminate called after throwing an instance of 'ResultStatus' Aborted (core dumped)" when updating SDR with CFG file
  Then, initialize the OpenIPMI driver and make sure that the "/dev/ipmi0" device exists. A BMC update cannot continue if the OpenIPMI driver is not started.
  For RHEL*, run the following command and make sure that the device "/dev/ipmi0" exists.
  #modprobe ipmi_devintf
  or
  #modprobe ipmi_si
  For SLES*, run the following command and make sure that the device "/dev/ipmi0" exists.
  #service ipmi start

- After enabling OpenIPMI, if the utility reports any of the following errors during BMC, FRU, and SDR updates, there might be a BMC watchdog conflict with the OpenIPMI driver.
  a. "Failed to write SDR file."
  b. "SDR auto-update failed"
  c. "Error : Error while parsing the cfg file"
  Disable the BMC watchdog, update, and then re-enable it after the update is finished.

- For updates based on HTTP and FTP, if the system does not have cURL, download the cURL package from https://curl.haxx.se/.

6. Installation and Removal
---------------------------
Installation:
-------------
Windows*
1. Copy the OFU zip package to a local folder.
2. Unzip to local folder (example: .\flashupdt). Navigate to the flashupdt folder (cd Flashupdt).
3. Under the flashupdt folder, navigate to the "Win_x64\Drivers" folder.
4. Run "install.cmd" as administrator to install the drivers.
5. Navigate to the "Win_x64" folder to execute the flashupdt utility. Run flashupdt.exe as an administrator.
6. To test, run a command with options (for example, "flashupdt -i").
7. For updates based on HTTP and FTP, download curl.exe from https://curl.haxx.se/download.html and copy to the same folder that contains flashupdt.exe.

Linux*
I. Package Installation:
--------------------
1. Copy the flashupdt rpm package from the corresponding folder to a local folder.
   -> For RHEL* older than 8.0, copy from Linux_x64\RHEL
   -> For RHEL* 8.0 and above, copy from Linux_x64\RHEL\RHEL8
   -> For SLES* older than 15, copy from Linux_x64\SLES
   -> For SLES* 15 and above, copy from Linux_x64\SLES\SLES15
2. Uninstall and remove any previous versions of the utility.
3. Install the flashupdt utility by using the distribution's package manager installation command, e.g., "sudo yum localinstall flashupdtxx.rpm" or "sudo apt install ./flashupdtxx.deb". This will install the utility in "/usr/bin/flashupdt/".
4. After installing the rpm, close the terminal from which rpm was installed and then open a new terminal session to run the utility (for example, "# flashupdt -u /tmp/flashupdt.cfg").
5. For updates based on HTTP and FTP, first cd to the "/usr/bin/flashupdt/" directory, then launch the command, as 'chaff2l.sh' file is needed for these updates.

II. Manual Installation:
---------------------
1. Copy the OFU zip package (for RHEL or SLES) to local folder.
2. Unzip to a local folder (example: .\flashupdt). Navigate to the flashupdt folder (cd flashupdt).
3. Change file permissions by running
   # chmod 755 install.sh flashupdt
4. Install the utility using the command "sudo ./install.sh"
5. Navigate to the /usr/bin/flashupdt directory.
6. Issue the command: sudo chmod 755 chaff2l.sh.
7. Unzip the file flashupdt.zip to get the flashupdt executable for Linux* operating systems.
8. To test the installation, run a command with options (for example: sudo ./flashupdt -i ).

Removal:
----------
Windows*
1. Run uninstall.cmd to remove all the drivers.
2. Delete the "Flashupdt" folder.

Linux*
RPM Removal:
------------
1. To remove the utility, use the "sudo rpm -e flashupdt" command.

Regular Removal:
----------------
1. Delete the "Flashupdt" folder using the following command: "sudo rm -rf /usr/bin/flashupdt"

DEB Removal:
------------
1. sudo dpkg -r flashupdt

7. Usage
--------
Syntax: flashupdt [-h] [-i] [-u {URL or path of update package}]

-h : (or -?) Display command line help.
-i : Displays the current BIOS, BMC, and SDR versions of the system. This option can also be used in conjunction with -u to display the version information contained in the update package files.
-u : Updates the BIOS, BMC and SDR as specified in the CFG file. The URL or path, if any, of the update package must immediately follow this option.
     If the BIOS administrator password is set, use the following format for the BIOS and ME entries in the CFG file:
       BIOSNAME "BIOS_File" Password=
       IMENAME "ME_File" Password=
     The package files can reside on a local drive. The current directory is used if no location is specified.
-set: Sets different FRU areas, as:
       flashupdt /set "area name" "frufield" "value"
     Where "area name" can be "product" or "chassis", depending on the FRU area to be modified.
     The following are the FRU field parameters:
       Pn   - Indicates product name.
       Pver - Indicates product version.
       Pnum - Indicates the part number.
       Snum - Indicates the serial number.
       Mn   - Indicates the manufacturer name.
       At   - Asset tag.
     Note: For the chassis area, the fields "at", "pn", and "pver" are not supported.
-u fru : Will do a direct update of the product-specific FRU file.

8. Known Issues
---------------
1. While using the tags "@ENV:TYPE:NAME" and "@ENVFILE:TYPE:NAME:#", make sure that the environment variable values are longer than one character. If only one character is used, the FRU might get corrupted.
2. In Windows* 7, BIOS update percentage might not be shown at the beginning of BIOS update. After a few seconds, the percentage will be shown as greater than 50%. This is a known issue.
3. In Linux*, the OpenIPMI driver needs to be started up manually.
4. The utilities SNMP-SA and IASC cannot run at the same time due to a KCS port conflict. The following error will be displayed:
   "Error: Application Cannot Communicate to the BMC."
   Follow these steps as a workaround:
   a. Disable services related to SNMP-SA and IASC.
   b. Enable the OpenIPMI driver.
   c. Execute the flashupdt utility to update BIOS/BMC/FRUSDR on the server.
5. Updating the BMC with the force update jumper set is not supported. It is applicable only to UEFI update tools (FWPIAUPD).
6. I/O port access is not allowed in Linux* when UEFI secure boot is enabled. Disable UEFI secure boot in the F2 menu before running the utility.
7. In RHEL*, BMC update might fail intermittently due to OpenIPMI driver conflict. Try again if it happens.
8. Debian* and SLES* 15 operating systems do not allow I/O memory map by default. Add "iomem=relaxed" to the grub boot options to enable I/O memory map. Otherwise, some features may not work.
9. While the BMC is in restricted mode, by default, none of the upgrades will go through by using flashupdt /u flashupdt.cfg. This is because in the default flashupdt.cfg the BMC is the first package to be upgraded, and that upgrade is expected to be blocked in restricted mode. The utility then shows an insufficient privilege message and exits the update process. If the user still wants to do a BIOS/Intel® ME/FD upgrade while in restricted mode, modify the cfg file to comment out the line for BMC update.

9. Unsupported Features
------------------------
This utility cannot be executed successfully when UEFI secure boot is enabled under Linux* because Linux* closes all I/O port access when UEFI secure boot is enabled. To use it in a Linux* environment, ensure that UEFI secure boot is disabled in the BIOS F2 menu.

10. Change List
--------------
Build 31
Fix 16020059638 - [Utilities] [OFU] [PTK0003617] dll preloading in DeviceSetup.exe
Fix 16020059642 - [Utilities] [OFU] [PTK0003568] Intel(R) OFU Utility for Intel(R) Server Boards ... dll planting vulnerabilities
Fix 16020059651 - [Utilities] [OFU] [PTK0003540] LPE of FLASHUD.sys on Win32 platform
Fix 16020084228 - [Utilities] [OFU] [PTK0003583] LPE of imbdrv.sys on win32 platform
Fix 16020084335 - [Utilities] [OFU] [PTK0003540] LPE of FLASHUD.sys on Win32 platform

Build 30
Fix 16018480108 - [Utilities] Remote code execution through System Firmware Update Utility
Fix 16018402709 - [Utilities] LPE of FLASHUD.sys
Fix 16018373136 - [Utilities] IBSMUtil Windows Driver Kernel Privilege Escalation
Fix 16018346553 - [Utilities] imbdrv Windows Driver Kernel Privilege Escalation
Fix 16018278921 - [Utilities] LPE of IBSMUtil.sys

Build 29
Support CCB3708 - [Intel server boards based on the 1st or 2nd Gen Intel® Xeon® Scalable processors families] [Utilities] Updated syscfg and flashupdt for security.
Fix 16015351886 - [Utilities] [flashupdt] [Agnostic] Setting the path for flashupdt to /usr/bin/.

Build 28
Fix 16015351886 - [Utilities] [flashupdt] [Agnostic] Setting the path for flashupdt to /usr/bin/.
Fix 22014439329 - Intel® One Boot Flash Update utility requires libncurses5, but does not work with libncurses6.
Fix 16013416107 - [PSIRT][PTK0001487][PTK0001492][Mitigation Planning] Intel® One Boot Flash Update (Intel® OFU) utility escalation of privilege.

Build 26
Support CCB3093 - Auto set sdr.
Fix 1507953533 - Update EPS to reflect current /i /u case.

Build 25
Support SLES15&Sp1
Support KCS policy for Intel server systems based on Intel® Xeon® Processors E5 v3 & v4 Families.
Support KCS policy for Intel® Server Board S1200SP Family.
Fix 14011287768 - SFUP OFU unprompted reboot of systems during firmware update.

Build 24
Enable new build variant of Linux* to support 64-bit RHEL 8.

Build 23
Fix BMC KCS privilege issue.

Build 22
Fix BDBA issue by removing cURL from OFU package.

Build 21
Updated cURL for Linux* to new version.

Build 20
Support new SKU.

Build 19
Rebuild for Windows*.

Build 18
Support BIOS security version check.

Build 17
Add deb package for Debian*.

Build 16
Fix "Product Area" update failure when checksum is 0xC1.

Build 15
Support new SKU.

Build 14
Fix maximum length defect of "BMCCONFIG" command.

Build 13
Support BBS version display.

Build 12
Support new BMC version format
Fix the issue of random BMC update failure.

Build 11
Support new SKU.
Support area checksum generation for FRU update.

Build 10
Fix the defect that asset tag cannot be modified.
Support "BMCCONFIG" in CFG file.
Support new SKU.

Build 9
a. Add "ccs" command option.
b. Support BIOS security fix.

Build 8
Add USB device polling for BMC update.
Add "restore" to CFG file to restore BMC default for BMC update.

Build 7
Fix incorrect version of "/i /u".

Build 6
Support a new SKU.
Update supported operating systems list.

Build 5
Improve USB failover to KCS for BMC update.
Support auto detection of FANs.

Build 4
Add wildcard letter support in *.cfg file.

11. Instructions for end-user
----------------------------
1. After performing a CFG-based update using the flashupdt utility, it is highly recommended to perform a power cycle. Continuous updates through CFG file without a power cycle or reboot in between could cause system instability.
2. For a CFG-based update, it is assumed that the HTTP/FTP server does not require any username and password. In order to access password-protected servers, change the chaff2l.sh or the batch file and include the username and password.
   The default value in the .sh file is:
     curl $1 -o $2 -s
   For password-protected servers, change this line to:
     curl $1 --user admin:pwd -o $2 -s
   Where "admin" and "pwd" are the username and password, respectively.

12. Legal Information
---------------------
====================================================================================
LEGAL INFORMATION
====================================================================================
Information in this document is provided in connection with Intel Products and for the purpose of supporting Intel developed server boards and systems. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel's Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right.

Intel Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject matter. The furnishing of documents and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights.

Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice.

Intel is a registered trademark of Intel Corporation.
*Other names and brands are the property of their respective owners.
Copyright© 2023 Intel Corporation.
(end)
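
Added example (not part of the Intel release notes or the OFU package): a read-only preflight script for the Linux conditions named in the Prerequisites, Troubleshooting, Known Issues and Unsupported Features sections, reporting root privileges, the /dev/ipmi0 device, UEFI Secure Boot state, the iomem=relaxed boot option and cURL. The function names and the efivarfs SecureBoot path are assumptions of this example, not names from the release notes.

```shell
#!/bin/sh
# Added example: read-only preflight for running flashupdt on Linux.
# File paths are parameters so each check can be run against constructed files.

# Assumption: standard efivarfs location of the UEFI SecureBoot variable.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Succeeds if Secure Boot is enabled. An efivarfs file holds 4 attribute
# bytes followed by the variable data; SecureBoot is one byte (1 = enabled).
secure_boot_enabled() {
    f=${1:-$SB_VAR}
    [ -r "$f" ] || return 1        # variable absent: legacy BIOS boot
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    [ "$v" = "1" ]
}

# Succeeds if the kernel command line carries iomem=relaxed.
iomem_relaxed() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'iomem=relaxed'
}

# Succeeds if the OpenIPMI character device exists.
ipmi_device_present() {
    [ -c "${1:-/dev/ipmi0}" ]
}

# Prints one line per finding; returns non-zero if a blocking condition is found.
preflight() {
    rc=0
    [ "$(id -u)" -eq 0 ] || { echo "FAIL: root privileges required"; rc=1; }
    ipmi_device_present || { echo "FAIL: /dev/ipmi0 missing; start the OpenIPMI driver"; rc=1; }
    if secure_boot_enabled; then
        echo "FAIL: UEFI Secure Boot is enabled; I/O port access is blocked"; rc=1
    fi
    iomem_relaxed || echo "NOTE: iomem=relaxed not set (needed on Debian and SLES 15)"
    command -v curl >/dev/null 2>&1 || echo "NOTE: cURL not found (needed for HTTP/FTP updates)"
    return "$rc"
}

# Run the checks only when asked, e.g.: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

Running it again after the update records whether Secure Boot and the boot options are back in their normal state.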