Firmware Security

Intel® Ethernet Adapters and Devices User Guide

ID	Date	Version	Classification
705831	11/12/2024		Public

Intel or your equipment manufacturer will occasionally release a firmware security patch. We recommend that you update your firmware to the latest version available for your device to take advantage of these security patches. Firmware updates for Intel Ethernet devices will have a Security Revision number (SRev).

Minimum Security Revision Enforcement

Firmware security updates can be undone if you install a previous version of the firmware onto your device. Intel firmware releases include a Minimum Security Revision (MinSRev) enforcement feature. This means you can block someone from installing a lower revision of the firmware onto your device. This will limit the rollback capabilities of your device. The firmware update process will block the update if the supplied firmware has a lower security revision (SRev) than the MinSRev value of the firmware currently loaded on the device. Only update the MinSRev value if you are certain you will not need to roll the firmware back to an earlier version.

You can update the MinSRev value during the firmware update process, locking the current security version in as the new MinSRev baseline, by using the -optinminsrev command line option.

Important:

The MinSRev value on a device can never be decreased. Once the MinSRev is increased, NVM downgrades attempting to install a lower Security revision (SRev) than the current MinSRev will be rejected by the device. Users who want to downgrade firmware without regard to security revisions should not use this feature.

SRev and MinSRev Examples

To view your device’s current SRev and MinSRev:

You can use the nvmupdate tool’s inventory mode to view your device’s current SRev and MinSRev values as follows:

Windows:

nvmupdatew64e -i  -l update.log -o results.xml -c nvmupdate.cfg -optinminsrev

Linux:

nvmupdate64e -i  -l update.log -o results.xml -c nvmupdate.cfg

Where:

-i: Sets nvmupdate to inventory mode.

-l update.log: Specifies the name of the log file.
-o results.xml: Specifies the name of the results file. This is an XML file that contains the inventory/update results.
-c nvmupdate.cfg: Specifies the name of the configuration file. This is a text file that contains descriptions of networking devices and firmware versions for those devices.

-optinminsrev: Specifies that the MinSRev and SRev values are included in the results.xml file.

Examine the results.xml file for the SRev and MinSRev values.

Note:

Make sure you specify -i for inventory mode. If you specify -u, the tool will update the MinSRev value, rather than simply disclose it. You can achieve the same results by specifying MINSREV:TRUE in the configuration file.

See Intel® Ethernet NVM Update Tool for more information on how to use the nvmupdate tool.

To update your device’s MinSRev:

Download and extract the NVM Update Package for your device.

Use the command line to update your device’s MinSRev:

Windows:

nvmupdatew64e -u -optinminsrev -l update.log -o results.xml -c nvmupdate.cfg

Linux:

nvmupdate64e -u -optinminsrev -l update.log -o results.xml -c nvmupdate.cfg

Where:

-u: Sets nvmupdate to update mode.
-optinminsrev: Tells the tool to update the MinSRev value.

-l update.log: Specifies the name of the log file.
-o results.xml: Specifies the name of the results file. This is an XML file that contains the inventory/update results.
-c nvmupdate.cfg: Specifies the name of the configuration file. This is a text file that contains descriptions of networking devices and firmware versions for those devices.

See Intel® Ethernet NVM Update Tool for more information on how to use the nvmupdate tool.