Intel® Ethernet Adapters and Devices User Guide

ID Date Version Classification
705831 11/27/2024 Public


Firmware Security

Intel or your equipment manufacturer will occasionally release a firmware security patch. We recommend that you update your firmware to the latest version available for your device to take advantage of these security patches. Firmware updates for Intel Ethernet devices will have a Security Revision number (SRev).

Minimum Security Revision Enforcement

Firmware security updates can be undone if you install a previous version of the firmware onto your device. Intel firmware releases include a Minimum Security Revision (MinSRev) enforcement feature. This means you can block someone from installing a lower revision of the firmware onto your device. This will limit the rollback capabilities of your device. The firmware update process will block the update if the supplied firmware has a lower security revision (SRev) than the MinSRev value of the firmware currently loaded on the device. Only update the MinSRev value if you are certain you will not need to roll the firmware back to an earlier version.

You can update the MinSRev value during the firmware update process, locking the current security version in as the new MinSRev baseline, by using the -optinminsrev command line option.

Important:

The MinSRev value on a device can never be decreased. Once the MinSRev is increased, NVM downgrades attempting to install a lower security revision (SRev) than the current MinSRev will be rejected by the device. Users who want to downgrade firmware without regard to security revisions should not use this feature.
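The following model of the enforcement rule is an added example, not Intel code or part of the nvmupdate tool. It assumes SRev and MinSRev are plain integers and that opting in sets MinSRev to the SRev of the firmware just installed; the names Device, update and stranded_by_opt_in are hypothetical. It shows which rollback targets you lose before you commit to an opt-in.

```python
from dataclasses import dataclass


@dataclass
class Device:
    srev: int      # SRev of the firmware currently loaded (assumed integer)
    min_srev: int  # MinSRev stored on the device; it can only go up


def update(dev: Device, image_srev: int, opt_in_minsrev: bool = False) -> bool:
    """Model one firmware update. Returns True if the device accepts it."""
    if image_srev < dev.min_srev:
        return False  # blocked: supplied SRev is below the device's MinSRev
    dev.srev = image_srev
    if opt_in_minsrev:
        # Lock the installed SRev in as the new baseline; never decrease it.
        dev.min_srev = max(dev.min_srev, dev.srev)
    return True


def stranded_by_opt_in(dev: Device, image_srev: int, rollback_srevs) -> list:
    """SRevs that install today but would be rejected after an opt-in update."""
    if image_srev < dev.min_srev:
        return []  # the update itself would be blocked, so nothing changes
    new_min = max(dev.min_srev, image_srev)
    return sorted(s for s in set(rollback_srevs) if dev.min_srev <= s < new_min)


if __name__ == "__main__":
    # Constructed values for illustration only.
    nic = Device(srev=2, min_srev=1)
    print("lost rollback targets:", stranded_by_opt_in(nic, 3, [1, 2, 3]))
    print("update to 3, no opt-in:", update(nic, 3))          # accepted
    print("roll back to 2:", update(nic, 2))                  # still accepted
    print("update to 3 with opt-in:", update(nic, 3, True))   # MinSRev becomes 3
    print("roll back to 2:", update(nic, 2))                  # now rejected
```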

SRev and MinSRev Examples

To view your device’s current SRev and MinSRev:

You can use the nvmupdate tool’s inventory mode to view your device’s current SRev and MinSRev values as follows:

  • Windows:

    nvmupdatew64e -i -l update.log -o results.xml -c nvmupdate.cfg -optinminsrev
    
  • Linux:

    nvmupdate64e -i -l update.log -o results.xml -c nvmupdate.cfg -optinminsrev
    

Where:

-i

Sets nvmupdate to inventory mode.

-l update.log

Specifies the name of the log file.

-o results.xml

Specifies the name of the results file. This is an XML file that contains the inventory/update results.

-c nvmupdate.cfg

Specifies the name of the configuration file. This is a text file that contains descriptions of networking devices and firmware versions for those devices.

-optinminsrev

Specifies that the MinSRev and SRev values are included in the results.xml file.

Examine the results.xml file for the SRev and MinSRev values.

Note:

Make sure you specify -i for inventory mode. If you specify -u, the tool will update the MinSRev value, rather than simply disclose it. You can achieve the same results by specifying MINSREV:TRUE in the configuration file.

See Intel® Ethernet NVM Update Tool for more information on how to use the nvmupdate tool.

To update your device’s MinSRev:

  1. Download and extract the NVM Update Package for your device.

  2. Use the command line to update your device’s MinSRev:

    • Windows:

      nvmupdatew64e -u -optinminsrev -l update.log -o results.xml -c nvmupdate.cfg
      
    • Linux:

      nvmupdate64e -u -optinminsrev -l update.log -o results.xml -c nvmupdate.cfg
      

Where:

-u

Sets nvmupdate to update mode.

-optinminsrev

Tells the tool to update the MinSRev value.

-l update.log

Specifies the name of the log file.

-o results.xml

Specifies the name of the results file. This is an XML file that contains the inventory/update results.

-c nvmupdate.cfg

Specifies the name of the configuration file. This is a text file that contains descriptions of networking devices and firmware versions for those devices.

See Intel® Ethernet NVM Update Tool for more information on how to use the nvmupdate tool.