Fwupd: Updating Firmware in Linux (opens in new tab)

(fwupd.org)

75 pointssonnyp10y ago21 comments

21 comments

21 comments · 8 top-level

sandGorgon10y ago· 5 in thread

this has come at a good time. nearly all thinkpads are undergoing bios updates because of a security issue.. but cannot be done on Linux.

I wonder if someone can build a howto for Thinkpads on Linux.

josteink10y ago

> nearly all thinkpads are undergoing bios updates because of a security issue.. but cannot be done on Linux. I wonder if someone can build a howto for Thinkpads on Linux.

Nonsense. Thinkpads can update the firmware from a bootable CD whose ISO you can download from the Lenovo website.

I did this just last week with my Carbon X1. I can guarantee you that no Windows was ever involved.

sandGorgon10y ago

here's the last one I looked for - http://support.lenovo.com/us/en/downloads/ds001322

Did I make a mistake ?

discreditable10y ago

BIOS updates for security issues are not new by any means. With the advent of EFI firmwares, we're seeing more security issues than ever.

Here's a revision history[1] for a laptop model I work with. The previous model's history is much the same[2], except the updates stopped after Sept. 2014.

[1] http://h20565.www2.hp.com/hpsc/swd/public/detail?sp4ts.oid=5...

[2] http://h20564.www2.hp.com/hpsc/swd/public/detail?sp4ts.oid=4...

vetinari10y ago

I'm very wary of updating Thinkpad BIOS, since one such update bricked a X230. It ended up by having to get a new mainboard.

For a computer outside warranty, that can be pretty expensive.

darkr10y ago

http://www.thinkwiki.org/wiki/ThinkWiki

aexaey10y ago· 3 in thread

This completely ignores the "evil maid" scenario.

mschuster9110y ago

Not if the firmware updater enforces digital signatures like the ucode update does on CPUs.

1 more reply

88589510y ago

How so?

yrro10y ago

> The firmware updates themselves are signed and have a checksum, and the metadata describing this checksum is provided by the distribution either as GPG-signed repository metadata, or installed from a package, which is expected to also be signed.

Maybe if your maid is also a distro developer...

maggit10y ago· 2 in thread

> By default, any users are able to install firmware to removable hardware. The logic here is that if the hardware can be removed, it can easily be moved to a device that the user already has root access on, and asking for authentication would just be security theatre.

- http://www.fwupd.org/users.html

But it is not given that a user has physical access to the machine, is it?

Well... I guess that's why it says "By default", and you can configure it? Seems targeted at desktop installations?

Menge10y ago

> But it is not given that a user has physical access to the machine, is it?

Yes, I think the logic here is flawed. The only way to know someone can do something in the physical security theatre is by their doing it. Needing to cajole any normal user into running a script is a tad more optimal than convincing them to physically move devices from the server room to the new machine that they won in your raffle.

yrro10y ago

> Well... I guess that's why it says "By default", and you can configure it? Seems targeted at desktop installations?

Yes, it uses polkit: https://github.com/hughsie/fwupd/tree/master/policy

weirdtunguska10y ago· 2 in thread

Why can't this be done using standard ways, like deb packages?

the_why_of_y10y ago

Technically, LSB mandates RPM as the standard package format, so deb packages would be non-standard.

For a more serious response, if you look at the architecture diagram, the fwupd daemon is independent of any packaging or download mechanism so there should be nothing preventing you from calling it from dpkg postinstall scripts.

teddyh10y ago

Probably because firmware vendors are not accustomed to working that way. Maybe they are more willing to submit their firmware this way? Time will tell.

weirdtunguska10y ago· 1 in thread

Is it restricted to gnome?

padraic7a10y ago

Well gnome-software is obviously restricted to gnome,and it might be the only current gui option but I don't think the system is. The page states that you can interact using the D-bus api and that's not restricted to gnome: https://en.wikipedia.org/wiki/D-Bus

teddyh10y ago

The big question is, what vendors will use this system instead of their own horrible systems?

padraic7a10y ago

Interesting development. Is there info anywhere of manufacturers who have undertaken to provide updates through this system?

khaki5410y ago

This is actually pretty sweet. If you are running a non-linux OS you could just reboot into a live disk and pull down all of the updates.

Take it a step further, you could just PXE-boot into a scripted image that loads up and checks for FW updates, then reboots into the default OS when complete.

j / k navigate · click thread line to collapse

21 comments

21 comments · 8 top-level

sandGorgon10y ago· 5 in thread

this has come at a good time. nearly all thinkpads are undergoing bios updates because of a security issue.. but cannot be done on Linux.

I wonder if someone can build a howto for Thinkpads on Linux.

josteink10y ago

> nearly all thinkpads are undergoing bios updates because of a security issue.. but cannot be done on Linux. I wonder if someone can build a howto for Thinkpads on Linux.

Nonsense. Thinkpads can update the firmware from a bootable CD whose ISO you can download from the Lenovo website.

I did this just last week with my Carbon X1. I can guarantee you that no Windows was ever involved.

sandGorgon10y ago

here's the last one I looked for - http://support.lenovo.com/us/en/downloads/ds001322

Did I make a mistake ?

discreditable10y ago

BIOS updates for security issues are not new by any means. With the advent of EFI firmwares, we're seeing more security issues than ever.

Here's a revision history[1] for a laptop model I work with. The previous model's history is much the same[2], except the updates stopped after Sept. 2014.

[1] http://h20565.www2.hp.com/hpsc/swd/public/detail?sp4ts.oid=5...

[2] http://h20564.www2.hp.com/hpsc/swd/public/detail?sp4ts.oid=4...

vetinari10y ago

I'm very wary of updating Thinkpad BIOS, since one such update bricked a X230. It ended up by having to get a new mainboard.

For a computer outside warranty, that can be pretty expensive.

darkr10y ago

http://www.thinkwiki.org/wiki/ThinkWiki

aexaey10y ago· 3 in thread

This completely ignores the "evil maid" scenario.

mschuster9110y ago

Not if the firmware updater enforces digital signatures like the ucode update does on CPUs.

1 more reply

88589510y ago

How so?

yrro10y ago

Maybe if your maid is also a distro developer...

maggit10y ago· 2 in thread

- http://www.fwupd.org/users.html

But it is not given that a user has physical access to the machine, is it?

Well... I guess that's why it says "By default", and you can configure it? Seems targeted at desktop installations?

Menge10y ago

> But it is not given that a user has physical access to the machine, is it?

yrro10y ago

> Well... I guess that's why it says "By default", and you can configure it? Seems targeted at desktop installations?

Yes, it uses polkit: https://github.com/hughsie/fwupd/tree/master/policy

weirdtunguska10y ago· 2 in thread

Why can't this be done using standard ways, like deb packages?

the_why_of_y10y ago

Technically, LSB mandates RPM as the standard package format, so deb packages would be non-standard.

teddyh10y ago

Probably because firmware vendors are not accustomed to working that way. Maybe they are more willing to submit their firmware this way? Time will tell.

weirdtunguska10y ago· 1 in thread

Is it restricted to gnome?

padraic7a10y ago

teddyh10y ago

The big question is, what vendors will use this system instead of their own horrible systems?

padraic7a10y ago

Interesting development. Is there info anywhere of manufacturers who have undertaken to provide updates through this system?

khaki5410y ago

This is actually pretty sweet. If you are running a non-linux OS you could just reboot into a live disk and pull down all of the updates.

Take it a step further, you could just PXE-boot into a scripted image that loads up and checks for FW updates, then reboots into the default OS when complete.

j / k navigate · click thread line to collapse