After attaining a couple of Supermicro 1U rackmount servers I ran into a couple of problems with the NIC drivers and Ubuntu. While the latest version of Ubuntu includes the necessary drivers for the NICs, older versions of Ubuntu have a hard time picking them up. In a nutshell, what I was trying to accomplish was to move RAIDed drives with Ubuntu 12.04 Server installed on them to the new system. Unfortunately, no network connection was available because the drivers were not being loaded. The following helped in solving the problem with the i354 Ubuntu drivers:
First of all, ensure that make and gcc or g++ are installed so that you can compile and install the files we’ll be using.
sudo apt-get install make gcc g++
Next, tell the kernel to load some necessary modules at boot time.
sudo modprobe igb
# the redirect has to run as root, so append with tee instead of "sudo echo ... >>"
echo igb | sudo tee -a /etc/modules
You’ll now need to download the Network Adapter Driver for 82575/6, 82580, I350, and I210/211-Based Gigabit Network Connections for Linux*. If you’re on the machine itself with no network connection, you’ll have to save the driver to a drive and mount it on the server.
After downloading the drivers follow the steps below:
Move the base driver tar file to the directory of your choice. For example, use “/home/username/igb” or “/usr/local/src/igb”.
Untar/unzip the archive, where <x.x.x> is the version number for the driver tar file: tar zxf igb-<x.x.x>.tar.gz
Change to the driver src directory, where <x.x.x> is the version number for the driver tar: cd igb-<x.x.x>/src/
Compile the driver module:
Command To Use: make install
The binary will be installed as: /lib/modules/<KERNEL VERSION>/kernel/drivers/net/igb/igb.[k]o
The install location listed above is the default location. This may differ for various Linux distributions.
Load the module using either the insmod or modprobe command:
sudo modprobe igb
or
sudo insmod /lib/modules/$(uname -r)/kernel/drivers/net/igb/igb.ko
That’s it! Drives with older Ubuntu versions should now be able to pick up the NICs. Ensure your IP addresses are set and that the devices on the interfaces are also properly defined.
I hope I saved others some hours of researching like I did.
Security researchers have uncovered vulnerabilities affecting the firmware of Supermicro server products.
Discovered by the Eclypsium team, these vulnerabilities affect both older and newer models of Supermicro products, but the vendor is working on addressing the issues.
These vulnerabilities do not put the safety of Supermicro products at direct risk, as they can only be exploited via malicious software/code (aka malware) already running on a system. Nevertheless, exploiting these vulnerabilities allows the malware to obtain an almost permanent foothold on infected systems by gaining the ability to survive server OS reinstalls by hiding in the hardware's firmware.
Malware can modify Descriptor Region settings
The first of the flaws uncovered by Eclypsium researchers is not an actual vulnerability in the firmware's code, but in the configuration of some Supermicro products.
Researchers say that some of these products come with firmware that uses an improper setting for the 'Descriptor Region.'
The Descriptor Region is a security feature of Intel-based chipsets. This setting tells the chipset what areas of its own flash storage external parties can access to store data such as firmware or configuration files.
According to Eclypsium researchers, some Supermicro products had an incorrectly set Descriptor Region that allowed software running on the OS (such as malware) to modify the Descriptor Region and then tamper with local firmware.
'Eclypsium researchers have observed vulnerable descriptor access controls through runtime examination of various server firmware models,' the Eclypsium team wrote in a report published today.
'This manual analysis uncovered multiple server models that allowed writes to the flash descriptor from host software. According to Supermicro, some of the products we reviewed date back to 2008 and are currently EOL and no longer supported.'
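How a descriptor access-control check reads the chipset state, as an added example that is not from the article or from Eclypsium. It decodes the Intel PCH SPI controller's HSFS and FRAP registers and flags a host-writable Flash Descriptor; the bit layout is assumed from Intel's PCH datasheets for the older chipset generations, and the register values are constructed.

```python
# Added example: region names and bit positions are assumptions taken from
# Intel PCH datasheets; the sample register values are constructed.
REGIONS = ["Flash Descriptor", "BIOS", "ME", "GbE", "Platform Data"]

HSFS_FDV = 1 << 14      # Flash Descriptor Valid: region permissions are in force
HSFS_FLOCKDN = 1 << 15  # Flash Configuration Lock-Down


def decode_frap(frap):
    """Return {region: (readable, writable)} for host (BIOS master) accesses."""
    brra = frap & 0xFF         # BIOS Region Read Access, one bit per region
    brwa = (frap >> 8) & 0xFF  # BIOS Region Write Access, one bit per region
    return {name: (bool((brra >> i) & 1), bool((brwa >> i) & 1))
            for i, name in enumerate(REGIONS)}


def audit(hsfs, frap):
    """List the findings a descriptor access-control check would report."""
    findings = []
    if not hsfs & HSFS_FDV:
        findings.append("descriptor not valid: region permissions are not enforced")
    if not hsfs & HSFS_FLOCKDN:
        findings.append("FLOCKDN clear: SPI controller configuration is not locked")
    if decode_frap(frap)["Flash Descriptor"][1]:
        findings.append("host software can write the Flash Descriptor region")
    return findings


SAMPLES = {                      # constructed (HSFS, FRAP) pairs
    "descriptor read-only": (0xC000, 0x0A0B),
    "descriptor writable": (0xC000, 0xFFFF),
}

if __name__ == "__main__":
    for label, (hsfs, frap) in SAMPLES.items():
        print(label, "->", audit(hsfs, frap) or "no findings")
```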
No firmware authentication for some products
But while modifying the Descriptor Region setting may be possible on some Supermicro products, tampering with the local firmware isn't as easy as it sounds, as several security mechanisms prevent malicious actors from altering a computer or server's most important code.
Here is where the second series of issues that the Eclypsium team discovered came into play.
'We have observed insecure firmware updates through runtime examination of various systems. This manual analysis uncovered that Supermicro X9DRi-LN4F+ and X10SLM-F systems did not securely authenticate firmware updates,' the research team said.
'We confirmed this result by intentionally modifying the binary in official Supermicro firmware images and observing that the system firmware still accepted and installed the modified package.'
No firmware rollback protection
But the issues didn't stop here, and the Eclypsium team also noted a lack of anti-rollback protections for firmware images.
This anti-rollback protection is crucial for situations where the vendor checks for firmware authenticity.
A firmware anti-rollback protection would prevent attackers from replacing newer firmware with an older (legitimate) firmware image that contains flaws attackers can exploit to gain a foothold on systems that have suddenly become vulnerable again.
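Why authentication and anti-rollback have to be checked together, as an added example that is not Supermicro's update code. The image layout, the security version field and the HMAC standing in for a vendor signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

VENDOR_KEY = b"constructed-demo-key"  # assumption: stands in for a vendor signing key
TAG_LEN = 32


def build_image(svn, payload, key=VENDOR_KEY):
    """Constructed layout: 4-byte big-endian security version, payload, tag."""
    body = struct.pack(">I", svn) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class UpdateVerifier:
    def __init__(self, installed_svn, enforce_rollback=True):
        self.min_svn = installed_svn  # would live in tamper-resistant storage
        self.enforce_rollback = enforce_rollback

    def check(self, image):
        if len(image) < 4 + TAG_LEN:
            return "reject: truncated image"
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: authentication failed"
        (svn,) = struct.unpack(">I", body[:4])
        if self.enforce_rollback and svn < self.min_svn:
            return "reject: rollback to version %d (minimum %d)" % (svn, self.min_svn)
        self.min_svn = max(self.min_svn, svn)  # the floor only ever moves up
        return "accept"


def demo():
    old, new = build_image(3, b"older build"), build_image(5, b"newer build")
    tampered = bytearray(new)
    tampered[10] ^= 0xFF  # one modified byte in the payload
    auth_only = UpdateVerifier(installed_svn=4, enforce_rollback=False)
    full = UpdateVerifier(installed_svn=4)
    return {
        "tampered": full.check(bytes(tampered)),
        "old, authentication only": auth_only.check(old),
        "old, with anti-rollback": full.check(old),
        "new": full.check(new),
        "floor after new": full.min_svn,
    }
```

The authentic but older image passes the authentication-only verifier, which is the gap the anti-rollback check closes.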
Supermicro working on fixes
Eclypsium says it notified Supermicro back in January about all the issues it discovered in the firmware of Supermicro's products.
'Supermicro has been supportive of our efforts and prioritized understanding and mitigating the issues we have discovered,' Eclypsium says.
'For the current generation of products, Supermicro indicated that they have already implemented a signed firmware update for several products and are making this update generally available for all future systems.
'Similarly, for OEM customers who require rollback capability for their customized and locked firmware versions to ensure business continuity, Supermicro indicated that they are supporting anti-rollback as an option for their X11 generation firmware.
'The SPI flash descriptor is read-only on most boards and we are helping Supermicro identify specific models where this may be incorrectly set.'
Impacted models
For owners of Supermicro server hardware, Eclypsium has released instructions on how to check the descriptor access controls of their own systems.
These procedures require installing and running the CHIPSEC Framework, a tool co-created by one of Eclypsium's founders while working for Intel. All the server owner has to do is to run the following command:
If an attacker were to exploit insecure firmware updates, the obvious goal would be to somehow alter the firmware. This enables very stealthy and persistent malware that can bypass many security controls. However, it may be possible to detect such malware (if it has not taken explicit steps to prevent this).
To defend against these attacks, it is possible to collect hashes of firmware modules. These can be validated against a whitelist from firmware provided by the vendor. If unexpected changes are discovered, expert analysis will be needed to manually assess them.
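One way to do this comparison, as an added example that is not from the article or from Eclypsium's tooling. It assumes the firmware modules have already been extracted to individual files; the module names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_modules(root):
    """SHA-256 of every file under root, keyed by its relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(observed, allowlist):
    """Sort modules into the three cases that need an analyst's attention."""
    return {
        "modified": sorted(n for n in observed
                           if n in allowlist and observed[n] != allowlist[n]),
        "unexpected": sorted(n for n in observed if n not in allowlist),
        "missing": sorted(n for n in allowlist if n not in observed),
    }


def demo():
    # Constructed stand-ins for modules extracted from a vendor image.
    vendor = {"PeiCore.efi": b"pei core v1",
              "DxeCore.efi": b"dxe core v1",
              "Setup.efi": b"setup v1"}
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as dump:
        for name, data in vendor.items():
            (Path(ref) / name).write_bytes(data)
        allowlist = hash_modules(ref)  # built once from the vendor's firmware
        # Constructed dump from a running system: one module changed,
        # one added, one absent.
        (Path(dump) / "PeiCore.efi").write_bytes(vendor["PeiCore.efi"])
        (Path(dump) / "DxeCore.efi").write_bytes(b"dxe core v1 plus extra code")
        (Path(dump) / "Unknown.efi").write_bytes(b"not in the vendor image")
        return compare(hash_modules(dump), allowlist)


if __name__ == "__main__":
    for category, names in demo().items():
        print(category, names)
```

Matching is by name and hash, so a vendor module that reappears unchanged under a new name is still reported as unexpected.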
Bleeping Computer sent a request for comment to Supermicro days before this article's publication. We asked Supermicro to confirm the Eclypsium research and asked for a list of Supermicro platforms affected by the reported security issues, but we had not heard back by this article's publication time.
Until Supermicro responds or publishes an official security advisory with a list of affected models, Eclypsium CEO and Founder Yuriy Bulygin was kind enough to share with Bleeping Computer the list of Supermicro products they believe to be affected.
'For the missing UEFI update protections, it appears that a majority or all of X8, X9, X10 generation server products, and a majority of X11 generation server products are affected,' Bulygin told Bleeping Computer via email. 'We don’t know exact number of affected models but we found 1184 unique firmware images for at least 233 unique X8-X11 server models.'
'For the flash descriptor issue we found close to 500 firmware images with this issue which translates to about 110 different models (some of them may be old). The list is below:'