
Spectre and Meltdown

jbruns2006
Occasional Contributor

Spectre and Meltdown

The world is going to want to know from HP, where the firmware and BIOS updates are that mitigate the Spectre and Meltdown exploits on 5 years plus of server models.

We need to hear from you HP and soon.

45 REPLIES
parnassus
Honored Contributor

Re: Spectre and Meltdown

Why, before blindly asking, don't you simply look at the HPE Community main page?

Don't you think that such an important subject already deserved an entire HPE Blog entry?

Here is one to start with:

https://community.hpe.com/t5/Servers-The-Right-Compute/Resources-to-help-mitigate-Speculative-Execution-vulnerability/ba-p/6992955
jbruns2006
Occasional Contributor

Re: Spectre and Meltdown

Thanks for the link.

So, no support for machines older than G8?

leemillward
Occasional Visitor

Re: Spectre and Meltdown

We have an array of HP ProLiant DL360 and 380 servers, all G7 and below. Will these never receive the ROM updates?

Re: Spectre and Meltdown

I don't think that HP can afford to leave the G7 and even the G6 servers unpatched - this would be outrageous and would force many, many customers away from HP, since G6 and G7 servers are widely spread in the field out there. Also, I don't think that it's legal to require an entitlement for a security issue like that - this already feels wrong...

Let's wait and see what HP will do once the patches come out.

Jimmy Vance
HPE Pro

Re: Spectre and Meltdown


JuniperChris929 wrote:

I don't think that HP can afford to leave the G7 and even the G6 servers unpatched - this would be outrageous and would force many, many customers away from HP, since G6 and G7 servers are widely spread in the field out there. Also, I don't think that it's legal to require an entitlement for a security issue like that - this already feels wrong...

Let's wait and see what HP will do once the patches come out.


While I don't have answers to your G6 and G7 questions, I can state that security fixes do not require an entitlement to download. This is clearly stated in the document "HPE ProLiant Servers Firmware Access Update". This is the document normally displayed when you try to access a locked download:

“Critical” related firmware updates (addressing safety and security fixes) will be made available to all ProLiant customers outside of a warranty or support contract and are governed by "customer terms of use".

 




__________________________________________________
No support by private messages. Please ask the forum!      I work for HPE

If you feel this was helpful please click the KUDOS! thumb below!   
Torsten.
Acclaimed Contributor

Re: Spectre and Meltdown

>> Also I don't think that it's legal to require an entitlement for a security issue like that

For all the BIOS (microcode) updates released so far you don't need an entitlement, because they are "critical".


Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

Robert Hawle
Advisor

Re: Spectre and Meltdown

Hi.

I already installed BIOS 2.54 on my DL380 Gen9 and the MS patches, but I still get a negative response from the "Speculation Control Validation PowerShell Script".

This is what I did:

- apply registry keys (QualityCompat, FeatureSettingsOverride and FeatureSettingsOverrideMask)

- install BIOS 2.54

- install MS patches (KB4056898 + KB4056568)

- reboot

Seems to me as if there is something wrong... BIOS update or script!? What is your experience?

Here is the output from the script:

[screenshot: spectre.png]

JP_KIWI
Occasional Visitor

Re: Spectre and Meltdown

Did you try a second reboot?

I noticed during applying firmware updates to our Gen9 servers that a second reboot was required.

I believe the correct process is to do firmware first then reboot, then apply OS updates and reboot again.

I tried a couple of times to install both the firmware and OS updates at the same time and do a single reboot but it never worked, always needed the second reboot.

 

Robert Hawle
Advisor

Re: Spectre and Meltdown

n1! second reboot did the trick! thx!

 

The next problem is our ESX servers on DL380 Gen9 (latest 6.5 201712101 and 6.0 201711101), also with BIOS 2.54 (rebooted several times).

All running VMs report that a BIOS update is needed! (HW version 11, using the Speculation Control Validation PowerShell Script)

what to do?

RLFNetserv
Occasional Visitor

Re: Spectre and Meltdown

We are in the same boat.  DL360 Gen9's running 2.54 bios, VMware esxi 6.5 with the patches applied, and VM-guest Windows OS' with the Patches/Registry entries, rebooted multiple times.

In-guest Get-SpeculationControlSettings gives the following: [screenshot: Capture.PNG]

CVE-2017-5754 is all green

CVE-2017-5715 shows no hardware support.  Recommendation is to "Install BIOS/firmware update provided ...".

I tried upgrading a VM to hardware v13, no change.

Robert Hawle
Advisor

Re: Spectre and Meltdown

VMware released new patches:

Here is the microcode we have been waiting for...

https://esxi-patches.v-front.de/ESXi-6.0.0.html

https://esxi-patches.v-front.de/ESXi-6.5.0.html

 

happy patching

RLFNetserv
Occasional Visitor

Re: Spectre and Meltdown

Got it working!  Upgraded my VC Appliance, patched the hosts, and it was still showing unprotected.  Powered the VM off and on, and it's now all green.

 

Robert Hawle
Advisor

Re: Spectre and Meltdown

same here after Patch and PowerOFF/On all are green.
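
The checks discussed in the posts above, collected into one triage function as an added example; it is not part of any poster's message and not HPE, VMware or Microsoft code. The function name `Get-SpectreTriage`, the VM-detection heuristic and the sample object are assumptions made for illustration; the property names are those returned by `Get-SpeculationControlSettings` from the SpeculationControl module.

```powershell
# Added example, not from the thread. Run in an elevated session on the Windows
# server or guest being checked. $Settings is the object returned by
# Get-SpeculationControlSettings (SpeculationControl module).
function Get-SpectreTriage {
    param([Parameter(Mandatory)] $Settings)
    $findings = @()

    # Windows Server leaves the mitigations off until both values are set.
    $mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $reg = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
    if ($reg.FeatureSettingsOverride -ne 0 -or $reg.FeatureSettingsOverrideMask -ne 3) {
        $findings += 'Registry: set FeatureSettingsOverride=0 and FeatureSettingsOverrideMask=3, then reboot.'
    }

    # Heuristic (assumption): hypervisors report a model string containing "Virtual".
    $isVm = (Get-CimInstance Win32_ComputerSystem).Model -match 'Virtual'

    # CVE-2017-5715 needs both the OS patch and CPU microcode visible to this OS.
    if (-not $Settings.BTIWindowsSupportPresent) {
        $findings += 'CVE-2017-5715: OS patch missing; install the Windows update and reboot.'
    } elseif (-not $Settings.BTIHardwarePresent) {
        $msg = if ($isVm) {
            'guest sees no microcode support; patch the host, then power the VM off and on (a guest restart is not enough).'
        } else {
            'no microcode support; install the BIOS update and reboot, then reboot again after the OS patches.'
        }
        $findings += "CVE-2017-5715: $msg"
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        $findings += 'CVE-2017-5715: patch and microcode present but mitigation disabled; check the registry values and reboot.'
    }

    # CVE-2017-5754 is mitigated by the OS alone (kernel VA shadowing).
    if ($Settings.KVAShadowRequired -and -not $Settings.KVAShadowWindowsSupportEnabled) {
        $findings += 'CVE-2017-5754: kernel VA shadowing not enabled; install the OS patch, check the registry values, reboot.'
    }
    if (-not $findings) { $findings = @('No gaps found for CVE-2017-5715 / CVE-2017-5754.') }
    $findings
}

# Constructed sample matching the in-guest result described above:
# CVE-2017-5754 green, CVE-2017-5715 without hardware support.
$sample = [pscustomobject]@{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true; BTIWindowsSupportEnabled = $false
    KVAShadowRequired  = $true;  KVAShadowWindowsSupportEnabled = $true
}
Get-SpectreTriage -Settings $sample
# Live check: Get-SpectreTriage -Settings (Get-SpeculationControlSettings)
```

The registry check always reads the machine the function runs on, so the sample call reports that machine's registry state next to the constructed CVE-2017-5715 finding.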

PeterGriffin
Occasional Visitor

Re: Spectre and Meltdown

Again, the main Question: What about Firmware Updates for Gen7 Servers and below?

Sorry, but the update process of a Gen9 doesn't matter. Now, everyone knows that nobody needs an entitlement, but needs a statement if an update will be released for older hardware and when does it happen. 

StubRouting
Occasional Visitor

Re: Spectre and Meltdown

Thanks...

 

DataCzar
Occasional Visitor

Re: Spectre and Meltdown

When will the GEN7 patch be available?  I'm scrambling here...

PeterGriffin
Occasional Visitor

Re: Spectre and Meltdown

OK, although I have the same question, I think I can give the right answer. Up to now, Intel has said they'll patch every CPU which was released in 2013 and later. Since G7 servers usually have older CPUs (mine have Westmere CPUs), HP won't be able to patch them.
QuiteTrite
Occasional Visitor

Re: Spectre and Meltdown

You obviously don't understand HP's licensing and profit model.  G6 and G7 are so far out of support that you can get an almost fully populated DL360 G6 for less than $300 pretty much anywhere.  Unless you're willing to pay more than that (3-4 times as much as that, actually) for support, they could care less that you have problems with the hardware.  The answer is to upgrade your hardware and repeat the cycle in another three years.

Robert Hawle
Advisor

Re: Spectre and Meltdown

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us

 

also HP pulled back their Bios 2.54 for Gen9...

Kent Blair
Occasional Visitor

Re: Spectre and Meltdown

@QuiteTrite

OK so can I assume you are using sarcasm? Your statement is kind of ridiculous, servers and infrastructure replacement isn't quite the same as sheeple jonesing the latest iPhone. The amount of G6 and G7 kit still in service in IT/IS departments is enormous. Even when you replace critical performance components and servers most IT departments will frequently re-purpose for lower performance requirements and cold type storage. That's why you can still buy HP Carepacks for G7 gear and I suspect you could probably find carepacks for G6 kit too.

Please put me down for notification of G6 and G7 mitigation of the Spectre vulnerability for BIOS ROM updates please.

 

grinningdevil
Valued Contributor

Re: Spectre and Meltdown

Perfect ! 

So now we have Dell pulling back their updates, HPE pulling back their G9 updates ( G8 still under investigation), and no news from HPE on Gen 7 (coordinating with HPE TAM on our end ). Cisco on their hand have played safe, no updates till 18th Feb 2018 ! 

We have hundreds of Gen 7 servers in production !! 

And ideally speaking, Gen 7 was retired on 30th April 2013 - so the support with regard to critical patches should be entertained till 30th April 2018 ... no ?! 

 

 

 

alextrippa2
Occasional Visitor

Re: Spectre and Meltdown

Got a link to the Dell pulls?