LVFS: checking for expired certs in UEFI

June 4, 2019 ~ hucktech ~ Leave a comment

Richard Hughes has two new blog posts, one with an update to LVFS, and one on how it parses firmware ‘blobs’:

[…]Specifically, firmware is now being checked for expired Authenticode certificates which expired more than 3 years before the upload date of the firmware. The LVFS is also looking for test signing certificates that really should not exist in production firmware. All existing firmware on the LVFS is being tested, and the test backlog should be complete by this afternoon. All test failures are currently waivable.[…]

LVFS 1.1.2 released: https://t.co/FOcDyYgfyQ

The LVFS is now analysing vast amounts of firmware in ever more detail, and working with OEMs, ODMs and OBVs I strongly believe we are raising the bar for firmware security.#lvfs #firmware
— Richard Hughes (@hughsient) June 3, 2019

https://lists.linuxfoundation.org/pipermail/lvfs-announce/2019-June/000022.html

Breaking apart Dell UEFI binaries for analysis: https://t.co/8WLxOjV4hD #lvfs #firmware
— Richard Hughes (@hughsient) June 2, 2019

https://blogs.gnome.org/hughsie/2019/06/02/breaking-apart-dell-uefi-firmware-capsuleupdate-packages/

Linux Foundation adopts the LVFS Project

March 27, 2019 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/08/linux-foundation-taking-over-linux-vendor-firmware-service-lvms/

The Linux Foundation welcomes the Linux Vendor Firmware Service (LVFS) as a new project. LVFS is a secure website that allows hardware vendors to upload firmware updates. It’s used by all major Linux distributions to provide metadata for clients, such as fwupdmgr, GNOME Software and KDE Discover. To learn more about the project’s history and goals, we talked with Richard Hughes, upstream maintainer of LVFS and Principal Software Engineer at Red Hat.[…]

https://www.linuxfoundation.org/blog/2019/03/lvfs-project-announcement/
https://www.linux.com/news/linux-foundation-welcomes-lvfs-project

see-also:
https://github.com/hughsie/fwupd
https://fwupd.org/lvfs/devicelist

Phoenix joins the LVFS (fwupd)

January 9, 2019 ~ hucktech ~ Leave a comment

Great! Welcome Phoenix!

#Firmware Vendor #Phoenix Tech Joins The #LVFS For Linux Firmware Updates https://t.co/qN53O006ub

— Phoronix (@phoronix) January 9, 2019

https://blogs.gnome.org/hughsie/2019/01/09/phoenix-joins-the-lvfs/

Linux Foundation taking over Linux Vendor Firmware Service (LVMS)

September 8, 2018 ~ hucktech ~ 1 Comment

Richard Hughes: 3 Million Firmware Files and Counting… https://t.co/dA3N7fGxbP #GNOME

— Kukuh Syafaat (@cho2MLHC) September 7, 2018

Linux Vendor Firmware Service (LVMS) is moving to @linuxfoundation https://t.co/Zo5CkCkDo0

— Platform Security Summit (@platformsec) September 7, 2018

https://blogs.gnome.org/hughsie/2018/09/07/3-million-firmware-files-and-counting/

Linux UEFI firmware updates via LVFS at Linaro Connect

August 14, 2018 ~ hucktech ~ Leave a comment

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

Firmware is responsible for low-level platform initialization, establishing root-of-trust, and loading the operating system (OS). Signed UEFI Capsules define an OS-agnostic process for verified firmware updates, utilizing the root-of-trust established by firmware. The open source FmpDevicePkg in TianoCore provides a simple method to update system firmware images and device firmware images using UEFI Capsules and the Firmware Management Protocol (FMP). This session describes the EFI Development Kit II (EDK II) capsule implementation, implementing FMP using FmpDevicePkg, creating Signed UEFI Capsules using open source tools, and an update workflow based on the Linux Vendor Firmware Service (fwupd.org).

https://yvr18.pathable.com/meetings/740447

http://connect.linaro.org/schedule/

https://fwupd.org/

fwupd / LVFS and user privacy

May 12, 2018 ~ hucktech ~ Leave a comment

There’s been a few blog posts from the LVFS project and the System76 team regarding firmware updates.

https://firmwaresecurity.com/2018/05/10/dont-buy-system76-hardware-and-expect-to-get-firmware-updates-from-the-lvfs/

https://firmwaresecurity.com/2018/05/11/system76-system76-and-lvfs-what-really-happened/

The latest article is from FOSSpost.org by M.Hanny Sabbagh, which focuses on privacy issues of LVFS, from the last System76 article. While privacy issues are important, don’t forget that firmware update privacy issues exist with ALL other OSes, and LVFS team mentions transition to Linux Foundation for hosting. Most firmware updates come from OEM, so each will have their own CDN/privacy/security issues. I’m hoping the LVFS project gets picked up by the Qubes/TAILS/Subgraph/GNUHardenedLinux or some other privacy/security-centric distro, and can integrate with latest security and privacy techniques, making it Tor-friendly, etc.

See threads here and comments in fosspost.org blog post, and in Twitter feed:

https://lists.debian.org/debian-efi/2018/05/threads.html

https://fosspost.org/analytics/privacy-security-concern-regarding-gnome-software

The other side of the story about System76 and LVFS. Honestly the whole thing seems to me as just a developer yelling at a company for not using his own code in their hardware on their Linux distro. https://t.co/T6rRWUgm3z

— M.Hanny Sabbagh (@realmhsabbagh) May 11, 2018

Razer doesn’t care about Linux [Firmware]

February 12, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/01/29/linux-oems-support-fwupd-org/

here’s the latest blog post by the fwupd developer, regarding the OEM Razer:

https://blogs.gnome.org/hughsie/2018/02/11/razer-doesnt-care-about-linux/

https://fwupd.org/lvfs/vendorlist#razer

This also pretty much sums things up:

http://support.razerzone.com/search?keywords=linux

Linux OEMs: support fwupd.org

January 29, 2018 ~ hucktech ~ 2 Comments

FWupd.org is a Linux firmware update service, roughly like Windows Update, but for Linux.

https://fwupd.org/
https://github.com/hughsie/fwupd
https://blogs.gnome.org/hughsie/2017/08/08/building-local-firmware-in-fwupd/
https://blogs.gnome.org/hughsie/2017/10/09/fwupd-hits-1-0-0/

It is nice to have a central place for firmware updates, so you don’t have to rely on the tools from a single OEM. Right now, most OEMs force you to use their firmware upedate tools. Windows OEMs mostly don’t bother to use Windows Update. And it looks like that problem is not OS-centric: Linux OEMs mostly don’t bother to use fwupd. However, many Linux vendors are not helping customers with firmware updates, look at second half of this page for all the vendors that suck:

https://fwupd.org/lvfs/vendorlist

It looks like Purism is heading toward supporting fwupd:

https://puri.sm/posts/coreboot-on-the-skylake-librems-part-2/

I am suprised that System76 is going their own route and not supporting fwupd, they claimed they were going to support it, but they’ve gone their own direction, sad.

To be honest, I've basically lost all hope that @system76 will use fwupd and the LVFS at this point. I've heard nothing in months, which is odd as vendors normally talk to me when work is ongoing.

— Richard Hughes (@hughsient) January 16, 2018

Can you discuss and contribute the needed changes for `fwupd` with its developer @hughsient ?!

`fwupd` already has wide adoption from big vendors so I hope we can agree on this single unified utility and implement needed changes instead of more fragmentation.

— أنس أحمد (@AnassAhmed) November 30, 2017

fwupd doesn't currently support the way we need to deliver firmware. We are investigating distro and DE agnostic delivery.

— Carl Richell (@carlrichell) November 30, 2017

Please provide the update through the `fwupd` utility, so any distribution (which also happens to offer GNOME Software) can use it.

Thanks.

— أنس أحمد (@AnassAhmed) November 30, 2017

check the thread at https://t.co/FCiDhySwu6, this was necessary to ship today, but we're open to getting things integrated into fwupd.

— Cassidy James Blædē (@CassidyJames) July 27, 2017

https://github.com/system76/firmware-update

Before you buy a system from a Linux OEM, ask them if they support fwupd for firmware updates. If they do not, ask them when they are going to support it.

OEMs: support Linux firmware updates via fwupd

November 28, 2017 ~ hucktech ~ Leave a comment

OEMs: users install Linux on some of the Windows boxes you sell. It is a PITA to update firmware from Linux if you only ship Windows EXEs. Rebooting into an ISO is slightly better. The proper solution for Linux is to support FWUpd.

(And the proper solution for Windows is to support Windows Update. But I heard that only a few OEMs support this, and still require OEM-centric tools to update their firmware. Sigh…)

https://fwupd.org/vendors

HI @lenovo is there a SANE way to update the BIOS and TPM firmware on a 5th Gen X1 Carbon running Linux?

— Ian Oliver 🏴󠁧󠁢󠁷󠁬󠁳󠁿🇫🇮🇪🇺 (@i_j_oliver) November 28, 2017

Hi! The BIOS can be installed via bootable USB/disc. The TPM can be installed via Windows only (dual boot/VM ware). -Jerry_Lenovo

— Lenovo (@lenovo) November 28, 2017

Linux OEMs/VARs: use FwUpd

July 3, 2017 ~ hucktech ~ Leave a comment

Firmware updates via #Gnome Software end the need to boot into DOS/Windows. Is #Dell the only vendor doing this? This sets a new bar. pic.twitter.com/U0e268ztU8

— Chris Fisher (@ChrisLAS) July 2, 2017

If you build a Linux-based system, you should be putting your firmware updates on fwupd. Dell is the only vendor currently doing this.

What about: System76, ThinkPenguin, Purism, HP, etc??

Hmm, it looks like System76 might be working on it!

We're working on automated firmware updates. They'll be here by 17.10.

— Carl Richell (@carlrichell) July 2, 2017

Dell info on Linux firmware updates

February 2, 2016 ~ hucktech ~ Leave a comment

Regarding the new firmware update service available for Linux OEMs:

https://firmwaresecurity.com/tag/fwupd/

There is a new article from Dell on this topic:

"Dell Firmware Updating under Linux" https://t.co/R18t8zdEwd

— D. Jared Domínguez (@djdmngz) February 2, 2016

(Published on behalf of Mario Limonciello, OS Architect of Dell Client Solutions Group’s Linux Engineering team.)

I’m happy to announce that starting with the Dell Edge Gateway 5000 we will be introducing support to natively flash UEFI firmware under Linux. To achieve this we’re supporting the standards based UEFI capsule functionality from UEFI version 2.5. Furthermore, the entire tool chain used to do this is open source. Red Hat has developed the tools that enable this functionality: fwupd, fwupdate, & ESRT support in the Linux kernel. For the past year we have been working closely with Red Hat, Intel, & Canonical to jointly fix hundreds of issues related to the architecture, tools, process, and metadata on real hardware. Dell will be publishing BIOS updates to the Red Hat created Linux Vendor Firmware Service (LVFS). Red Hat provides LVFS as a central OS agnostic repository for OEMs to distribute firmware to all Linux customers. […]

http://en.community.dell.com/techcenter/b/techcenter/archive/2016/02/02/dell-firmware-updating-under-linux

Dell — along with Red Hat, apparently — are setting a great example, I hope other OEMs do as well with Linux. 🙂 It makes me think Dell is working to deal with this recent comment of William (of Dell):

Next step: people need to give Dell the benefit of the doubt… https://t.co/IfHLc2jHUi

— William Leara (@WilliamLeara) December 28, 2015

Ubuntu to opt-out of fwupd?

January 8, 2016 ~ hucktech ~ Leave a comment

Not only do you have to study your Linux distribution to see if/how it uses Secure Boot, you also need to research if/how it gets firmware updates.

Ubuntu 16.04 LTS Might Get the Option of Updating Firmware Directly from the OS: One of the most interesting f… https://t.co/V6xBc70Wr1

— linuxdevices (@linuxdevices) January 8, 2016

http://www.linux.com/news/software/applications/877661-ubuntu-1604-lts-might-get-the-option-of-updating-firmware-directly-from-the-os/

https://blueprints.launchpad.net/ubuntu/+spec/foundations-w-uefi-capsule-update

“Ubuntu should support updating firmware for systems and components (but not peripherals) via EFI UpdateCapsule (see EFI Capsule specification, in Related Links), so that users do not require Windows or DOS to apply BIOS/component firmware updates, and as such updates are easily available to all Ubuntu users. Peripheral firmware updates are not technically supported by the UEFI Capsule specification, and so are out of the scope of this blueprint.”

http://www.fwupd.org/

I also wonder about non-GNOME systems, how do KDE systems get firmware updates?

Dell joins Linux Vendor Firmware Service

December 10, 2015 ~ hucktech ~ Leave a comment

Richard Hughes has a new blog post on Dell joining Linux Vendor Firmware Service (LVFS).

"The Linux Vendor Firmware Service Welcomes Dell" https://t.co/JnOheAKpJp

— D. Jared Domínguez (@djdmngz) December 10, 2015

https://blogs.gnome.org/hughsie/2015/12/10/the-linux-vendor-firmware-service-welcomes-dell/

Dell has a poll about the service, asking it’s users which models to target next, which Linux distros they use, etc. If you have a Dell system, please be sure to check out the survey.

Survey: "Dell UEFI FW Update Support for Linux" https://t.co/VHJDFKuhgI

— D. Jared Domínguez (@djdmngz) December 10, 2015

https://docs.google.com/forms/d/1Hkh13Xh14yUxUciEFqqYiOfPfzR4y5F1xLFgTbs_FU4/viewform?c=0&w=1

http://www.fwupd.org/

So, I guess I need to check fwupd.org before buying a new Linux system, to see if the vendor supports firmware updates or not. Hmm, I wish fwupd.org had a list of supported OEMs/IHVs: if it does, I missed it, I’ll have to just watch Richard’s blog for new OEM announcements, I guess.

Linux firmware update

September 17, 2015 ~ hucktech ~ Leave a comment

As pointed out on Phoronix, there’s a new blog post by Peter Jones of Red Hat on the status of firmware updates on Linux.

http://blog.uncooperative.org/blog/2015/09/16/an-update-on-firmware-updates/

Phoronix has been covering this much better than I have:

http://www.phoronix.com/scan.php?page=search&q=ESRT

http://www.phoronix.com/scan.php?page=search&q=fwupd

http://www.phoronix.com/scan.php?page=news_item&px=Linux-UEFI-Firmware-Sept

fwupd and Linux Vendor Firmware Service

September 2, 2015 ~ hucktech ~ Leave a comment

I haven’t been covering LVFS and fwupd much. Luckily, Michael Larabel of Phoronix.com has been doing a good job. Richard Hughes has built a Firmware Update for GNOME-based Linux systems. Excerpting from some of Richard’s posts, including his asking for help getting word out to vendors to support it:

fwupd is a simple daemon to allow session software to update device firmware on your local machine. It’s designed for desktops, but this project is also usable on phones, tablets and on headless servers. You can either use a GUI software manager like GNOME Software to view and apply updates, the command-line tool or the system D-Bus interface directly.

I’ve spent the last couple of months talking with various Red Hat partners and other OpenHardware vendors that produce firmware updates. These include most of the laptop vendors that you know and love, along with a few more companies making very specialized hardware. We’ve now got a process, fwupd, that is capable of taking the packaged update and applying it to the hardware using various forms of upload mechanism. We’ve got a specification, AppStream, which is used to describe the updates and provide metadata for what firmware updates are available to be installed. What we were missing was to “close the circle” and provide a web service for small and medium size vendors to use to upload new firmware and make it available to Linux users. Microsoft already provides such a thing for vendors to use, and it’s part of the Microsoft Update service. From the vendors I’ve talked to, the majority don’t want to run any tools on their firmware to generate metadata. Most of them don’t even want to commit to hosting the metadata or firmware files in the same place forever, and with a couple of exceptions actually like the Microsoft Update model. I’ve created a simple web service that’s being called Linux Vendor Firmware Service (perhaps not the final name). You can see the site in action here, although it’s not terribly useful or exciting if you’re not a hardware vendor. If you are vendor that produces firmware and want an access key for the beta site, please let me know. All firmware uploaded will be transferred to the final site, although I’m still waiting to hear back from Red Hat legal about a longer version of the redistribution agreement.

Over the last couple of months I’ve been emailing various tech companies trying to get hold of the right people to implement this. So far the reaction from companies has been enthusiastic and apathetic in equal measures. I’ve had a few vendors testing the process, but I can’t share those names just yet as most companies have been testing with unreleased hardware. This is where you come in. On your Linux computer right now, think about what hardware you own that works in Linux that you know has user-flashable firmware? What about your BIOS, your mouse, or your USB3 hub? Your network card, your RAID card, or your video card? Things I want you to do:

* Find the vendor on the internet, and either raise a support case or send an email. Try and find a technical contact, not just some sales or marketing person
* Tell the vendor that you would like firmware updates when using Linux, and that you’re not able to update the firmware booting to Windows or OS-X
* Tell the vendor that you’re more likely to buy from them again if firmware updates work on Linux
* Inform the vendor about the LVFS project : https://beta-lvfs.rhcloud.com/

At all times I need you to be polite and courteous, after all we’re asking the vendor to spend time (money) on doing something extra for a small fraction of their userbase. Ignoring one email from me is easy, but getting tens or hundreds of support tickets about the same issue is a great way to get an issue escalated up to the people that can actually make changes. So please, spend 15 minutes opening a support ticket or sending an email to a vendor now.

If you know of any vendors, please try to help Richard out with his above request. I hope Richard has contacts at the USB and UEFI trade groups, to directly get word out to their member-vendors.

http://www.fwupd.org/
https://beta-lvfs.rhcloud.com/
https://github.com/hughsie/fwupd
http://www.freedesktop.org/software/appstream/docs/

https://blogs.gnome.org/hughsie/2015/08/13/linux-vendor-firmware-project-we-need-your-help/
https://blogs.gnome.org/hughsie/2015/06/24/introducing-the-linux-vendor-firmware-service/
https://blogs.gnome.org/hughsie/2015/08/21/embargoed-firmware-updates-in-lvfs/
http://www.phoronix.com/scan.php?page=news_item&px=Linux-LVFS-Embargoed
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Vendor-Firmware-S
http://www.phoronix.com/scan.php?page=news_item&px=linux-lvfs-embargoed

Two Linux firmware articles

June 24, 2015 ~ hucktech ~ Leave a comment

1) Linux Vendor Firmware Service launches

In a Phoronix article today, Michael Larabel describes the new Linux Vendor Firmware Service (LVFS) has been announced.

“This site provides a place for hardware vendors to submit packaged firmware updates, typically .cab files. This fire-and-forget service allows vendors to submit firmware updates without generating and hosting AppStream metadata themselves.”

More information:
https://beta-lvfs.rhcloud.com/
http://www.phoronix.com/scan.php?page=news_item&px=Linux-Vendor-Firmware-S
https://github.com/hughsie/fwupd

2) Intel on Linux firmware updates

Brian Richardson posted a blog yesterday, with information on Linux fwupdate, UEFI Capsule (firmware updates), UEFI 2.5 ESRT, and the Fedora firmware update mechanism.

More information:
http://blogs.intel.com/evangelists/2015/06/23/better-firmware-updates-in-linux-using-uefi-capsules/

Fedora proposal for UEFI 2.5 Capsule Update support

June 5, 2015 ~ hucktech ~ Leave a comment

As reported on Fedora devel-announce and on Softpedia, a proposal for Red Hat’s Fedora has been added to support UEFI Capuse Updates via UEFI 2.5’s ESRT.

“This adds the ability to perform updates of system firmware, as well as some peripheral firmware, on machines supporting the UEFI Capsule Update mechanism and UEFI 2.5’s “ESRT” feature. Right now this is generic support—the number of machines for which we actually have firmware updates available is very small, as the underlying technology is quite new—and it doesn’t include any actual delivery mechanism for such firmware images. But if they’re put at the right place for fwupd to notice them, and the system supports the right features, they’ll show up as updates in gnome-software.”

It will very be interesting to see how different distributions expose firmware updates to users.

More Information:

http://news.softpedia.com/news/Fedora-23-Linux-Might-Allows-Users-to-Perform-Firmware-Updates-on-UEFI-Machines-483390.shtml
https://lists.fedoraproject.org/pipermail/devel-announce/2015-June/001595.html
https://fedoraproject.org/wiki/Changes/SystemFirmwareUpdates