Open Firmware Macros Tips, and a Closer Look at Power10 Servers
There are several ways to boot LPARs on IBM Power Systems servers. For example, you can boot to your OS of choice—AIX, IBM i, or Linux—or to SMS or open firmware. While most of us are familiar with all of these options, if you're not, check out this IBM Support document. I'll highlight the section on booting to the open firmware prompt:
Booting the LPAR to the Open Firmware (OK) prompt
1. Make sure the LPAR is not activated. If it is hung, go to the HMC GUI, and under Systems Management -> Servers -> server name, check the box next to the LPAR. Then, from the arrow on the right side of the LPAR name, activate the menu and select "Operations -> shutdown".
2. Wait until the LPAR is in a "Not Activated" state, and the Reference Code shows all zeros.
3. Mouse click the arrows to the right of the LPAR name again to display the menu. Click "Operations -> Activate -> Profile"
4. From the Activate Logical Partition window, click the "Advanced" button.
5. From the Activate Logical Partition – Advanced button window, select "Open Firmware OK Prompt" from the "Boot Mode" drop down list.
Chris Engel has information about the firmware chain of trust for PowerVM, while Colleen Stoufer explains the restricted OF prompt.
Access privileges at the Open Firmware prompt must be restricted to preserve the secure boot status of the PFW code loaded on the partition. The new Restricted OF Prompt will limit input and execution to a defined set of macros. The option to access the Restricted OF Prompt will be displayed on the splash screen. You will see that the “8 = Open Firmware Prompt” option has been replaced with the “9 = Restricted Open Firmware Prompt” option.
Once you've booted to the restricted OF prompt, you can do many things, as you'll discover by consulting the Restricted OF Prompt User Guide. (Hat tip: Chris Gibson on Twitter.) This is one handy doc, because it allows you to learn more about your system before you've even loaded an actual OS:
“When a partition is booted in Firmware Secure Boot mode, normal access to the Open Firmware prompt is disabled. A new Restricted OF prompt is provided that allows access to a set of macros that will allow customers to continue to perform many of the functions that they rely upon without jeopardizing the security of the firmware. This prompt will not allow execution of any commands that are not part of this documented set of macros. Existing tools will require updates to function in this new environment."
The set of macros defined in this section will execute at the Restricted OF prompt. The inputs and expected output are described. In most cases, the macros will output a string which indicates the success or failure of the execution of the macro.
** The set of macros is subject to change. New macros will be added as required, and defunct macros will be removed. This document will be updated when changes are made.
In the following sections that describe the macros, the following will apply:
• All input at the Restricted OF prompt is case insensitive.
• Square brackets are used to enclose any optional items.
• All parameters for the macros MUST be on the same input line as the macro name.
• The default language for the macros is English (no translations).
Try running macro_help. This macro displays the list of the currently supported macros and the required parameters.
0 > macro_help
>> BOOT_FROM_SEQ [ADDPARMS]
where:
[ADDPARMS] = additional parameters such as debug flags
(if not provided, boot from devices in boot-device list without debug)
>> DISPLAY_BOOTSEQ
>> SET_DEFAULT_BOOTSEQ
>> BOOT_FROM_DEVICE <DEVTYPE> <ADDRESS> [BOOTPARMS]
where:
DEVTYPE = { #disk | #cd/dvd | #san | #network | #tape }
ADDRESS = location-code
[BOOTPARMS] = specific to the device type
(see Restricted OF Prompt User Guide for examples)
>> DISPLAY_BOOT_DEVICES <DEVTYPE>
where:
DEVTYPE = { #disk | #cd/dvd | #san | #network | #tape | #all }
>> DISPLAY_MAC_ADDRESS <ADDRESS>
where:
ADDRESS = location-code
>> DISPLAY_NETWORK_PATHNAME <ADDRESS>
where:
ADDRESS = location-code
>> PING <ADDRESS> [PINGPARMS]
where:
ADDRESS = location-code
[PINGPARMS] = required and optional parameters
(see Restricted OF Prompt User Guide for examples)
>> DISPLAY_PCI_PROPS [ADDRESS]
where:
[ADDRESS] = location-code
(if not provided, all adapter PCI properties will be displayed)
>> DISPLAY_ADAPTER_WWPN [ADDRESS]
where:
[ADDRESS] = location-code
(if not provided, all adapter WWPNs will be displayed)
>> LUN_ATTACHED? <ADDRESS>
where:
ADDRESS = location-code
Usage examples are also included, so be sure to check it out. Download the PDF.
More Power10 Deep Dives
During a recent Power Systems Virtual User Group webcast, Nigel Griffiths covered the Power10 scale-out and midrange systems. Listen to the replay and download the presentation.
Nigel has another webcast coming up this week. He takes a closer look at the Power10 S1024 scale-out system. In addition to displaying tons of photos, Nigel will discuss the new service processor and eBMC. He'll also touch on the mandatory HMC v10, which is used on Power10 hardware, including the new S1022/S1024 and E1050 and the previously released E1080.
Best Practices Doc Updated
The latest version of the Power Implementation Quality Standard document is now available. I've mentioned Fredrik Lundholm's work before, most recently here. Most slides have a headline in red noting the most recent update. This being Version 2.6, the most recent updates are labeled "Upd 2.6." And be sure to check out the notes at the bottom of many of the slides; you'll find good information there as well.
Recent AIX Security Bulletins
I assume you are keeping up with AIX security bulletins. Three recently caught my eye:
- AIX is vulnerable to arbitrary command execution (CVE-2022-1292 and CVE-2022-2068) or an attacker may obtain sensitive information (CVE-2022-2097) due to OpenSSL
- IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service (CVE-2022-35643)
- AIX is affected by multiple vulnerabilities in Python
Be sure to keep your systems patched, and sign up for these security bulletins if you are not already receiving them.