Print | Rate this content

アドバイザリ:Linux - HPEサーバを「セキュアブート」モードで起動すると、Linux用HPE Mellanox InfiniBand Online Firmware Upgrade Utilityが特定ネットワークアダプターのファームウェアを更新しない

サポート情報 - CUSTOMER ADVISORY

ドキュメント ID: a00041652en_us

バージョン: 1

Advisory: Linux - HPE Mellanox InfiniBand Online Firmware Upgrade Utility for Linux Does Not Update the Firmware on Certain Network Adapters When the HPE Server is Booted in "Secure Boot" Mode
注意: この文書の情報 (製品およびソフトウェアのバージョンを含む) は、リリース日の時点において最新であるものとします。 この文書は予告なく変更される場合があります。

リリース日付: 2018-02-13

最終更新日: 2018-05-22


概要

When "secure boot" mode is enabled on an HPE ProLiant server, the HPE Mellanox InfiniBand Online Firmware Upgrade Utility for Linux does not update the firmware on the InfiniBand and Ethernet adapters listed in the Scope section.

Below is an example of the message displayed when attempting to update the firmware on an HPE InfiniBand EDR/Ethernet 100Gb 2-port 840QSFP28 Adapter when the Linux firmware component is run manually from the command line:



> ./hpsetup
######################################################################
HPE Mellanox InfiniBand Online Firmware Upgrade Utility for Linux
Copyright (c) 2011 Hewlett-Packard Enterprise Development Company,L.P.
######################################################################

List of Network Adapters detected on the Server.................
[0] 0000:05:00.0 Intel Corporation
[1] 0000:81:00.0 Mellanox Technologies

If PSID or FW_Version is not found for some interfaces, please check /tmp/datadSmjj5
Interface 0000:05:00.0 is not Mellanox one.
NIC firmware update did not complete. Check log for errors.

When Smart Update Manager (SUM) is used to update the network adapter firmware on a server booted in secure boot mode, the SUM inventory process will display the message "Node up to date, No applicable component found" although the baseline includes an applicable firmware smart component.

範囲

Any HPE system when "secure boot" mode is enabled attempting to update the network adapter firmware using the following:

The following Linux firmware smart components are affected:

  • firmware-nic-mellanox-ethernet-only-1.0.6-1.1.x86_64.rpm (and older versions with ConnectX-4 Ethernet card support)
  • firmware-hca-mellanox-vpi-connectx4-1.0.2-1.1.x86_64.rpm (and older versions)
  • firmware-nic-mellanox-ib-cx4-cx5-1.0.0-1.1.x86_64.rpm


The following network adapters are affected:

  • HPE InfiniBand EDR 100Gb 1-port 841QSFP28 Adapter (HPE Part Number: 872725-B21)
  • HPE Apollo InfiniBand EDR 100Gb 2-port 840z Mezzanine FIO Adapter (HPE Part Number: 843400-B21)
  • HPE Ethernet 25Gb 2-port 640SFP28 Adapter (HPE Part Number: 817753-B21)
  • HPE Ethernet 25Gb 2-port 640FLR-SFP28 Adapter (HPE Part Number: 817749-B21)
  • HPE InfiniBand EDR/Ethernet 100Gb 1-port 840QSFP28 Adapter (HPE Part Number: 825110-B21)
  • HPE InfiniBand EDR/Ethernet 100Gb 2-port 840QSFP28 Adapter (HPE Part Number: 825111-B21)
NOTE: Windows and VMware ESXi firmware smart components are not affected by this issue.

解決策

The Linux smart components for Mellanox network adapters use a user space firmware tool "mstflint". To access the network adapters firmware listed in the Scope section above, in secure boot mode, a kernel space tool (flint) along with signed kernel module (MST) is needed. This enhancement will be included in a future release of affected smart components.

As a workaround, use HPE signed "mst" kernel module and "flint" tool from HPE MLNX-OFED Software Delivery Repository to manually update firmware on the network adapters listed in the Scope section above when the server has booted in secure boot mode. The HPE MLNX-OFED Software Delivery Repository is available at the following URL:

https://downloads.linux.hpe.com/SDR/project/mlnx_ofed/

A worked example for the firmware upgrade on an HPE InfiniBand EDR/Ethernet 100Gb 2-port 840QSFP28 Adapter (HPE Part Number: 825111-B21) is shown below for reference:

  1. To Verify SecureBoot status on the server:
    [root@localhost ~]# mokutil --sb-state
    SecureBoot enabled
  2. Subscribe to MLNX-OFED repository following MLNX-OFED SDR documentation and install the relevant RPMs by typing the following command:[root@localhost ~]# yum install mft kmod-kernel-mft-mlnx
    Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    Resolving Dependencies
    --> Running transaction check
    ---> Package kmod-kernel-mft-mlnx.x86_64 0:4.8.0-1.rhel7u3 will be installed
    ---> Package mft.x86_64 0:4.8.0-26 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ==============================================================================================================================================================
    Package Arch Version Repository Size
    ==============================================================================================================================================================
    Installing:
    kmod-kernel-mft-mlnx x86_64 4.8.0-1.rhel7u3 MLNX_OFED 12 k
    mft x86_64 4.8.0-26 MLNX_OFED 59 M

    Transaction Summary
    ==============================================================================================================================================================
    Install 2 Packages

    Total download size: 60 M
    Installed size: 132 M
    Is this ok [y/d/N]: y
    Downloading packages:
    (1/2): kmod-kernel-mft-mlnx-4.8.0-1.rhel7u3.x86_64.rpm | 12 kB 00:00:01
    (2/2): mft-4.8.0-26.x86_64.rpm | 59 MB 00:04:23
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total 231 kB/s | 60 MB 00:04:23
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Warning: RPMDB altered outside of yum.
    Installing : kmod-kernel-mft-mlnx-4.8.0-1.rhel7u3.x86_64 1/2
    Installing : mft-4.8.0-26.x86_64 2/2
    Verifying : mft-4.8.0-26.x86_64 1/2
    Verifying : kmod-kernel-mft-mlnx-4.8.0-1.rhel7u3.x86_64 2/2

    Installed:
    kmod-kernel-mft-mlnx.x86_64 0:4.8.0-1.rhel7u3 mft.x86_64 0:4.8.0-26

    Complete!
  3. Start MST modules and identify device name by typing the following command:

    [root@localhost ~]# service mst start
    Starting MST (Mellanox Software Tools) driver set
    Loading MST PCI module - Success
    Loading MST PCI configuration module - Success
    Create devices
    Unloading MST PCI module (unused) - Success

    [root@localhost ~]# service mst status
    MST modules:
    ------------
    MST PCI module is not loaded
    MST PCI configuration module loaded

    MST devices:
    ------------
    /dev/mst/mt4115_pciconf0 - PCI configuration cycles access.
    domain:bus:dev.fn=0000:81:00.0 addr.reg=88 data.reg=92
    Chip revision is: 00
  4. Use the ⿿flint⿝ command to query the current firmware version and PSID of the device:

    [root@localhost ~]# flint -d /dev/mst/mt4115_pciconf0 q
    Image type: FS3
    FW Version: 12.21.1000
    FW Release Date: 29.10.2017
    Product Version: rel-12_21_1000
    Rom Info: type=UEFI version=14.14.22 cpu=AMD64
    type=PXE version=3.5.305 devid=4115 cpu=AMD64
    Description: UID GuidsNumber
    Base GUID: e0071bffff68d0bc 4
    Base MAC: 0000e0071b68d0bc 4
    Image VSD: N/A
    Device VSD: N/A
    PSID: HP_2190110032
    Security Attributes: N/A
  5. Download latest firmware binary for the adapter from HPE.com Support Center.
  6. Query the firmware binary to ensure that PSID matches with the device by typing the following command:

    [root@localhost ~]# flint -i fw-ConnectX4-rel-12_21_2010-825111-B21_Ax_Bx-UEFI-14.14.25-FlexBoot-3.5.305.bin q
    Image type: FS3
    FW Version: 12.21.2010
    FW Release Date: 27.11.2017
    Product Version: rel-12_21_2010
    Rom Info: type=UEFI version=14.14.25 cpu=AMD64
    type=PXE version=3.5.305 devid=4115 cpu=AMD64
    Description: UID GuidsNumber
    Base GUID: N/A 4
    Base MAC: N/A 4
    Image VSD: N/A
    Device VSD: N/A
    PSID: HP_2190110032
    Security Attributes: N/A
  7. After PSID is verified, run the following command to update the device firmware:
    [root@localhost ~]# flint -d /dev/mst/mt4115_pciconf0 -i fw-ConnectX4-rel-12_21_2010-825111-B21_Ax_Bx-UEFI-14.14.25-FlexBoot-3.5.305.bin burn

    Current FW version on flash: 12.21.1000
    New FW version: 12.21.2010

    Burning FW image without signatures - OK
    Restoring signature - OK
    -I- To load new FW run mlxfwreset or reboot machine.
  8. Reboot the server for firmware update to take effect.
  9. After the server is back online, query the device and verify firmware version by typing the following command:
    [root@localhost ~]# flint -d /dev/mst/mt4115_pciconf0 q
    Image type: FS3
    FW Version: 12.21.2010
    FW Release Date: 27.11.2017
    Product Version: rel-12_21_2010
    Rom Info: type=UEFI version=14.14.25 cpu=AMD64
    type=PXE version=3.5.305 devid=4115 cpu=AMD64
    Description: UID GuidsNumber
    Base GUID: e0071bffff68d0bc 4
    Base MAC: 0000e0071b68d0bc 4
    Image VSD: N/A
    Device VSD: N/A
    PSID: HP_2190110032
    Security Attributes: N/A




RECEIVE PROACTIVE UPDATES : Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively via e-mail through HPE Subscriber's Choice. Sign up for Subscriber's Choice at the following URL: Proactive Updates Subscription Form.

NAVIGATION TIP : For hints on navigating HPE.com to locate the latest drivers, patches, and other support software downloads for ProLiant servers and Options, refer to the Navigation Tips document .

SEARCH TIP : For hints on locating similar documents on HPE.com, refer to the Search Tips Document .

To search for additional advisories related to Linux, use the following search string:

+Advisory +ProLiant -"Software and Drivers" +Linux


影響のあるハードウェア プラットフォーム: HPE InfiniBand EDR/Ethernet 100Gb 1-port 840QSFP28 Adapter, HPE InfiniBand EDR/Ethernet 100Gb 2-port 840QSFP28 Adapter, HPE Ethernet 10/25Gb 2-port 640FLR-SFP28 Adapter, HPE Ethernet 10/25Gb 2-port 640SFP28 Adapter, HPE InfiniBand EDR 100Gb 1-port 841QSFP28 Adapter
影響のあるオペレーティング システム: Red Hat Enterprise Linux (Itanium), SUSE Linux Enterprise Server 11 (x86-64), Red Hat Enterprise Linux 7 (AMD64/EM64T), SUSE Linux Enterprise Server 12 (AMD64/EM64T)
影響のあるソフトウェア: なし
サポート通信の相互参照 ID: SIK2937
©Copyright 2018 Hewlett Packard Enterprise Development LP
本書の内容につきましては万全を期しておりますが、本書の技術的あるいは校正上の誤り、省略に対して責任を負いかねますのでご了承ください。 本書の内容は「現状通り」に提供されるものとし、いずれの保証の対象にもならないものとします。 法律で許可される範囲に限り、Hewlett Packard Enterprise Development またはその関連会社、下請け業者、供給業者は、不稼働時間の費用、利益の損失、代替品または代替サービスの調達にかかわる損害、データの消失またはソフトウェアの復元による損害を含む、偶発的、間接的または特別の損害について責任を負いません。 本書の情報は予告なしに変更されることがあります。 Hewlett Packard Enterprise Development およびここで参照されている Hewlett Packard Enterprise 製品の名称は、Hewlett Packard Enterprise Development の米国およびその他の国における商標です。 本書に掲載されている会社名、製品名は、それぞれ各社の商標または登録商標です。

Provide feedback

Please rate the information on this page to help us improve our content. Thank you!