In response to the recently identified microprocessor security flaws known globally as Meltdown and Spectre, HP, like other vendors, has released updated microcode for the microprocessors.

For ProLiant Gen8/9/10, HP has released new firmware (ROM) to mitigate the impact of Meltdown and Spectre. Here we show the process for patching HP ProLiant DL380(p) Gen8 and Gen9 servers.

 

Why Should We Patch ROM Firmware?

It is important to update the firmware (also called flashing the ROM) as part of regular server maintenance. In addition, checking for specific firmware updates between regular updates helps keep the server performing optimally.
ROM firmware updates are applied for the following reasons:
To protect the system from vulnerabilities.
A new firmware version has been released with new features or bug fixes.
For troubleshooting purposes, the firmware has to be updated or downgraded.

 

Update Process:

Currently, there are two different methods for updating firmware on HPE servers and options: the traditional Offline ROM Flash, and the innovative Online ROM Flash.

Here we explain the Offline method for updating the ROM on a server running ESXi 6.5.

Steps to update the firmware from the VMware ESXi 6.5 operating system on the target server:

1. Open the HPE support URL to download the ROM flash component.
For HP ProLiant DL380p Gen8 server:
https://support.hpe.com/hpsc/swd/public/detail?sp4ts.oid=5194969&swItemId=MTX_55ec51da12454989aca28da159&swEnvOid=4184#

For HP ProLiant DL380 Gen9 server:
https://support.hpe.com/hpsc/swd/public/detail?sp4ts.oid=1009087943&swItemId=MTX_bacf7c13e05d4e38afe6c2d964&swEnvOid=4184#

2. Log in to the ESXi server from the vSphere Web Client.

3. Go to Storage > Datastores and select a Datastore to upload the ROM.

4. Upload the ROM (zip file downloaded from HPE website) to the Datastore.

5. Copy the location of the Datastore and save it in a notepad.

 

 


 

 

6. Go to Manage > Services, select TSM and click Start. This enables Tech Support Mode, also known as the ESXi Shell in version 6 and above.

7. Also enable the TSM-SSH service, if it is not already enabled.

8. Power off all virtual machines and enable Maintenance Mode.

9. Launch an SSH client such as PuTTY and log in to the ESXi server as root. (You must be root in order to apply the update.)

10. Navigate to the Datastore containing the ROM zip file, using the command:
cd /<Datastore location copied in step 5>

11. Unzip the component to the same Datastore using the command:
unzip CPxxxxxx.zip

12. Make sure the update component has execute rights:
chmod +x CPxxxxxx.vmexe

13. To initiate the ROM update, execute the command:
./CPxxxxxx.vmexe

14. Type Y to start the update process.

15. A message will appear on successful completion.

16. Reboot the system either through SSH or vSphere Client.

17. Exit the maintenance mode and start the VMs.

18. Check BIOS to verify the ROM version.
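
The following is an added example, not part of the original article or HPE's tooling. It wraps steps 10 to 12 in pre-flight checks for the ESXi shell: the zip is compared against a SHA-256 digest the operator obtained from the vendor's download page, then unzipped, and the execute bit is set only when exactly one CP*.vmexe is present. The function names and the availability of sha256sum on the host are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for steps 10-12, written for POSIX sh.
# Assumptions: sha256sum exists on the host; the expected digest was copied by
# the operator from the vendor download page. Function names are hypothetical.

# verify_component FILE EXPECTED_SHA256 -> returns 0 only if the digest matches.
verify_component() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*|'') echo "bad digest format" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: got $actual" >&2
    return 1
}

# find_vmexe DIR -> prints the single CP*.vmexe in DIR; fails on zero or many,
# so a stale component left by an earlier update is never run by mistake.
find_vmexe() {
    count=0
    found=
    for f in "$1"/CP*.vmexe; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        found=$f
    done
    [ "$count" -eq 1 ] || { echo "expected 1 .vmexe, found $count" >&2; return 1; }
    printf '%s\n' "$found"
}

# stage_component ZIP EXPECTED_SHA256 -> verify, unzip beside the zip, set +x,
# and print the path of the component to run in step 13.
stage_component() {
    dir=$(dirname "$1")
    verify_component "$1" "$2" || return 1
    unzip -o "$1" -d "$dir" >/dev/null || return 1
    exe=$(find_vmexe "$dir") || return 1
    chmod +x "$exe" && printf '%s\n' "$exe"
}
```

After sourcing the file on the host, call stage_component with the zip path and the published digest, then run the printed path as in step 13.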
