================================================================================ Intel(R) Server Board S2600WF, Intel(R) Server System R1000WF Product Family and Intel(R) Server System R2000WF Product Family Firmware Update Package for Intel(R) One Boot Flash Update Utility ================================================================================ Intel(R) Server Boards and Systems Intel Corporation 2111 N.E. 25th Avenue, Hillsboro, OR 97124 USA ================================================================================ DATE : December 11, 2023 TO : Intel(R) Server Board S2600WF Family ================================================================================ LEGAL INFORMATION ================================================================================ Information in this document is provided in connection with Intel Products and for the purpose of supporting Intel developed server boards and systems. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel's Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Intel Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject matter. The furnishing of documents and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights. Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. Intel is a registered trademark of Intel Corporation. *Other names and brands are the property of their respective owners. Copyright (C) 2023 Intel Corporation. SUBJECT : Release Notes for System Firmware Update Package ================================================================================ ABOUT THIS RELEASE ================================================================================ BIOS : 02.01.0017 ME : 04.01.05.002 BMC : 2.88.e172ff67 FRUSDR : 2.04 PMEM : 01.02.00.5446 ================================================================================ Supported Platforms ================================================================================ Intel(R) Server Board S2600WF Family Intel(R) Server System R1000WF Family Intel(R) Server System R2000WF Family ================================================================================ BIOS COMPONENTS/CONTENTS ================================================================================ Processors supported: 1st and 2nd Generation Intel(R) Xeon(R) Processor Scalable families Microcode versions: CPUID Version Status 0x50654 0x02007006 (1st Generation Intel(R) Xeon(R) Scalable H0) 0x50656 0x04003604 (2nd Generation Intel(R) Xeon(R) Scalable B0) 0x50657 0x05003604 (2nd Generation Intel(R) Xeon(R) Scalable B1) This update process must be followed to ensure a trouble free update. 1. Manageability Engine (ME) firmware 2. BIOS 3. FD 4. FRUSDR 5. BMC firmware 6. PMEM (if installed) ================================================================================ IMPORTANT NOTES!!! ================================================================================ - OFU utility with flashupdt tool does not support PMEM FW update, please refer to "PMEM_Update_Intructions.txt" part of this package for instructions to update PMEM. - This SFUP package includes the FW 01.02.00.5446 for Intel® Optane™ DC Persistent Memory (PMEM), if you received your PMEM DIMMs with a different FW, please install this one. - This Update package must be installed using Intel(R) One-boot Flash Update (OFU) V14.1 Build 31 - Starting from BMC v2.86, BMC does not allow upload .key files and only accepts .pem file for SSL certificate. If uploaded SSL Certificate or Key files fail to format checking, BMC will remove the invalid format file before starting BMC EWS and re-generate a self-signed certificate to ensure the BMC EWS can boot up successfully. Please consult TA-1176 for more details - Starting from BMC v2.88, Purley platfomrs only support SSL certificate which is equal to or longer than 2048 bit. - A security issue was fixed in Purley platforms. BMC credential is required to access files in internal virtual media from BMC v2.88. Issue:[Internal Virtual Media] Files in internal virtual media are accessible without BMC credential - Starting from BMC v2.88, EWS Active Directory should allow domain name and user name longer than 16 characters. The AD Setting will be cleared after downgrade to v2.86 or lower BMC versions if the Domain Name is equal to or longer than 32 characters. - Starting from BMC 2.22.59c3b83a, when KCS Policy Control Mode is configured as "Deny ALL" on BMC EWS, BMC and FRUSDR cannot be upgraded/downgraded as expected behavior. Updates can still be performed via Redfish or BMC EWS - Starting from BIOS R02.01.0016, online flash BIOS/ME/FD need to add Password parameter when Admin PWD is set. e.g. (1) Online flash BIOS/ME/FD at EFI Shell using iflash32 tool: iflash32.efi -u BIOS/ME/FD.cap UpdateBackupBios+Password=xxxx -ni; (2) Use OFU tool to update BIOS/ME/FD at OS, please add parameter at CFG file as below: IMENAME "ME.cap" Password=xxxx BIOSNAME "BIOS.cap" UpdateBackupBios+Password=xxxx BIOSNAME "FD.cap" Password=xxxx (3) Online Update BIOS/ME/FD through EWS, need enable BIOS setup Option: Server Management->Enforce Password Support. xxxx is the BIOS Admin password which set by user. - Please don't use Ctrl-Alt-Del to reboot system if user made any BIOS changes, because that method will trigger a warm reboot but BIOS changes need a cold reboot to take effect. ================================================================================ PREREQUISITES ================================================================================ To update PMEM FW the following pre-requisites are required: BEFORE RUNNING WINDOWS AND LINUX UPDATE SCRIPTS -Install "ipmctl" tool in both LINUX* and WINDOWS* -Windows* : Download "ipmctl_windows_install_xx.xx.xx.xxxx.exe" which is avilable in the following github page (use latest) : https://github.com/intel/ipmctl/ -Linux* : RHEL8 1. Set proxy in your RHEL OS (if required) 2. ipmctl is available in epel-release, add the latest epel-release to your repolist 3. Install ipmctl using following commands : a. yum install epel-release or b. dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm c. yum install ipmctl SLES15 SPx 1. set proxy in your SLES15 OS (if required) 2. ipmctl is avilable in the following github page (use latest): https://github.com/intel/ipmctl/ a. Dependencies may include the following: i. libipmctl (available in the above github) 3. ipmctl may have dependencies, find dependencies in the following opensuse repositories: a. http://ftp.opensuse.org/update/leap/15.2/oss/x86_64/ b. Dependencies may include the following : i. libndctl ii. ndctl 4. For SLES15 SP2 a. wget http://ftp.opensuse.org/update/leap/15.2/oss/x86_64/ndctl-70.1-lp152.7.12.1.x86_64.rpm --no-check-certificate b. wget http://ftp.opensuse.org/update/leap/15.2/oss/x86_64/libndctl6-70.1-lp152.7.12.1.x86_64.rpm --no-check-certificate c. zypper install ndctl-70.1-lp152.7.12.1.x86_64.rpm d. zypper install libndctl6-70.1-lp152.7.12.1.x86_64.rpm e. zypper install libipmctl-02.00.00.3878-1.el8.x86_64.rpm f. zypper install ipmctl-02.00.00.3878-1.el8.x86_64.rpm ================================================================================ SYSTEM FIRMWARE UPDATE PACKAGE USAGE INSTRUCTIONS ================================================================================ This package can be updated using the following method: - Windows* or Linux* operating system using Intel(R) One-boot Flash Update (OFU) V14.1 Build 31 GENERAL INSTALLATION PROCEDURE a. Unzip the contents of the SFUP package to any directory b. Windows*: From SFUP directory open a command prompt or poweshell and execute startup.bat. i. When startup.bat is executed from SFUP, OFU drivers will be installed. The update order is ME, BIOS, FD, FRUSDR, BMC and PMEM (if any) followed by a system reset. c. Linux*: From SFUP directory open a terminal and execute "startup.sh". i. When "sh startup.sh" is executed from SFUP, it uninstalls existing OFU (if any) and installs latest OFU from SFUP. The update order is ME, BIOS, FD, FRUSDR, BMC and PMEM (if any) followed by a system reset. Note: The Intel(R) OFU utility is case sensitive. Therefore, when you transfer the Firmware Update Package using USB flash drive from a Microsoft Windows* system to a Linux environment, you must first extract under the Linux* environment. Otherwise, you will need to mount the USB flash drive manually with 'vfat' option under Linux to avoid conversion from upper case to lower case and vice versa. To make Intel(R) OFU utility run properly under x64 OS, you have to read OFU release notes on known issues for OFU installation. ================================================================================ SYSTEM HARDWARE & SOFTWARE REQUIREMENTS/REVISIONS ================================================================================ - S2600WFT, S2600WF0, S2600WFQ baseboards families only. To update the system firmware stack to the versions included in this update package, the currently loaded system firmware stack on the system must meet the following: System BIOS - R02010016 or later ME Firmware - 04.01.04.804 or later BMC Firmware - 2.88.71773d70 or later FRUSDR - 2.04 or later PMEM - 01.02.00.5446 or later If the system doesn't currently meet the above system firmware requirements, you must download a previously-posted System Update Package (SUP) and update the system to the preceding described firmware revisions before updating the system to the firmware stack included in this package. ================================================================================ BIOS 02.01.0017 (This release) ================================================================================ [HSD-ES] :[22016215079] PurleySktPkg/Library/ProcMemInit: Merge patch for PSU hot plug hang issue with SKX 512GB LRDIMM [HSD-ES] :[15013087092] Remove ITK or replace it with BIOS for ccs message since ITK has EOL [HSD-ES] :[22015684413][IPU2023.1] [CVE-2022-26343] Force LT Lock MSR regardless of CSM, Secure Boot or TXT [HSD-ES] :[14017005750][IPU2023.1] Inject uce into the micro failing DIMM bad row, the failure row can not be detected by type 18 and EWL type4 is not printed [HSD-ES] :[16016328984][IPU2023.1] [CVE-2022-32231] ESPI SMI LOCK enable ESPI SMI LOCK is not set. The purpose of this changes is to enable ESPI SMI Lock. [HSD-ES] :[14017767843][IPU2023.2] Hit IERR error during power off the host when channel was disabled - DIMMMTR and AMAP register did not have the map-out information [HSD-ES] :[16018928401][IPU2023.2] [CVE-2022-38087] Need RSB mitigation in SMM (SmmCpuFeaturesLib and PiSmmCpuDxeSmm).BIOS mitigation for FirmwareBleed/SpectreRSB/retpoline [HSD-ES] :[22016016266][IPU2023.2] P-CATERR observed while creating the goal with non-interleaved AD mode [HSD-ES] :[16019037085][IPU2023.2] [CVE-2018-25032] [CVE-2022-37434] Purely : CRC32 library in BIOS builds is not part of the approved bill of materials. [HSD-ES] :[16019440912][IPU2023.3] [CVE-2022-43505] [PurleyR]Harden SMM rendezvous before write to flash. [HSD-ES] :[15011874031][IPU2023.3] Purley:Set PRR3 PRR4 Lock-Down registers values to 1 to avoid Self Test erors. [HSD-ES] :[14018436300][IPU2023.3] PurleySktPkg/Library/ProcMemInit: Update AMT MiscVendor to 3.7 version [HSD-ES] :[14017550021][IPU2023.3] PurleySktPkg/MemRas: CMCI will not be informed to OS when eMCADis&VLS created [HSD-ES] :[14017397075][IPU2023.3] PurleySktPkg/WheaSiliconHooksLib: When UC happen in VLS region on IMC1, BIOS not enter "Bank is in VLS" flow, 2 PPR entry generated [HSD-ES] :[14018107051][IPU2023.3] CpRcPkg/BaseMemoryCoreLib: Adding Manufacturer ID Code CXMT [HSD-ES] :[16016328984][IPU2023.3] [CVE-2022-32231]ServerSiliconPkg/Pch/SouthClusterLbg/PchInit/Smm: ESPI SMI LOCK enable [HSD-ES] :[15011664636][IPU2023.3] PurleyPlatPkg\Library\OemProcMemInitLib: Fix the platform will hang if there is no KM/BPM when TXT is enabled. [HSD-ES] :[14016313622][IPU2023.3] [Purley-R][CPX][TARGET_22.3] Re-add Micron AMT Type18 Update [HSD-ES] :[PurleyPC][IPU2023.3] PurleyPcPkg/StitchingPkg:Update ME SPS,E5_04_01_05_002_0 [HSD-ES] :[PurleyPC][IPU2023.3] PurleyPcPkg/StitchingPkg:Update ucode to SKX H0 mb750654_02007006/ CLX B0 mbf50656_04003604/ CLX B1 mbf50657_05003604 [HSD-ES] :Add third-party-programs_PurleyR.txt file for license compliance RP release Reference code version:CP_PURLEY_0628_P50 =============================================================================== BMC v2.88.e172ff67 -(This release) =============================================================================== ? ============================================================================= FRUSDR 2.04 ============================================================================= - HSD 14017396176 PSU fans running high RPM - Change the Riser 2 Sensor (2Ch) as clamp sensor instead of HSBP 4 Sensor (E0). - HSD 15012037399 change the BIOS Sensor from "ADDDC Error" to "ADDDC VLS Event". =============================================================================== KNOWN ISSUES/WORKAROUNDS/REQUIREMENTS =============================================================================== WARNING: This release has the BMC PCIe bridge disabled. This will cause the majority of operating systems to fail at boot as they stall during video driver initialization Steps to recover a failing operating system: Linux variants (one of the below): A. Ensure the "modprobe.blacklist=ast" parameter is set in your boot loader (grub) B. Ensure you are using a kernel version v4.10 or newer For Red Hat* Enterprise Linux* v7.3, please refer to the included "RHEL73_InstallationGuide_Rev1.1.pdf" For SUSE* Linux* Enterprise Server v12 SP1 or SP2, please refer to the included "SLES12_InstallationGuide_Rev1.00.pdf" Windows variants: Boot to safe mode, and load aspeed video driver v1.03 or greater and reboot For Windows* Server 2016, please refer to the included "WinSrv16_InstallationGuide_Rev1.00.pdf" IPMI usage: This release disables RMCP authentication by default. ipmitool uses RMCP by default, so it will fail to authenticate. Add the '-I lanplus' parameter to all ipmitool commands to use RMCP+ instead. Cipher Suite 3 is disabled by default since BMC firmware 1.90 and only keep Cipher Suite 17 opened by default. Due to this the extra parameter "-C 17" is required for ipmitool to work via LAN. The Cipher Suite 17 was first introduced in ipmitool 1.8.18 on Oct 8th 2016, you have to update ipmitool to this version or newer one, earlier versions of ipmitool don’t have Cipher 17 support ipmitool is not working well when running in high load network. We recommend to add extra timeout by using “-N 5”. Default is 1 second for RMCP+, which is not enough. –N 5 will set 5 second as timeout. So the command will look like: ipmitool –I lanplus –H ip –U user –P password –C 17 –N 5 command Please refer to the included "TA-1143_Extra_parameters_needed_for_ipmitool.pdf" When using IPMI to establish a SOL session using KONSOLE: A. The "Delete" input cannot be captured when pressing "Backspace" Workaround: Modify the "Backspace" key to "0x08" in the KONSOLE profile keyboard settings. B. Resizing a KONSOLE window with an active SOL session can cause the content to overlap Workaround: None. Recommend using the Java SOL Viewer instead of KONSOLE Redfish API: Redfish API POST requests using a browser extension or plugin will fail if the extension manipulates the HTTP(S) Origin header. This affects REST clients which are implemented as browser (chrome, Firefox) plugins or extensions such as the older versions of Postman. It is recommended to use Postman version 6.0 or later. For security purposes, the BMC Redfish API requires that if a HTTP Origin header is present, the host portion of the Origin header must match the HTTP Host header. Some browser based REST clients alter the Origin header preventing their use with the BMC. On Windows OS if the "system PMEM FW" and "PMEM FW in the SFUP" package are the same versions then ipmictl tool may error out with following message : If "system PMEM FW" has production stack and "PMEM FW in the SFUP" in debug stack or vise versa then ipmictl tool will error out with following message : "Error 308 - FW Update authentication failure" ============================================================================= A portion of this firmware is open source code, which falls under the GPL 2.0 license.