Uncategorized

fwupd / LVFS and user privacy

There’s been a few blog posts from the LVFS project and the System76 team regarding firmware updates.

https://firmwaresecurity.com/2018/05/10/dont-buy-system76-hardware-and-expect-to-get-firmware-updates-from-the-lvfs/

https://firmwaresecurity.com/2018/05/11/system76-system76-and-lvfs-what-really-happened/

The latest article is from FOSSpost.org by M.Hanny Sabbagh, which focuses on privacy issues of LVFS, from the last System76 article. While privacy issues are important, don’t forget that firmware update privacy issues exist with ALL other OSes, and LVFS team mentions transition to Linux Foundation for hosting. Most firmware updates come from OEM, so each will have their own CDN/privacy/security issues. I’m hoping the LVFS project gets picked up by the Qubes/TAILS/Subgraph/GNUHardenedLinux or some other privacy/security-centric distro, and can integrate with latest security and privacy techniques, making it Tor-friendly, etc.

See threads here and comments in fosspost.org blog post, and in Twitter feed:

https://lists.debian.org/debian-efi/2018/05/threads.html

https://fosspost.org/analytics/privacy-security-concern-regarding-gnome-software

Standard
Uncategorized

Linux OEMs: support fwupd.org

FWupd.org is a Linux firmware update service, roughly like Windows Update, but for Linux.

https://fwupd.org/
https://github.com/hughsie/fwupd
https://blogs.gnome.org/hughsie/2017/08/08/building-local-firmware-in-fwupd/
https://blogs.gnome.org/hughsie/2017/10/09/fwupd-hits-1-0-0/

It is nice to have a central place for firmware updates, so you don’t have to rely on the tools from a single OEM. Right now, most OEMs force you to use their firmware upedate tools. Windows OEMs mostly don’t bother to use Windows Update. And it looks like that problem is not OS-centric: Linux OEMs mostly don’t bother to use fwupd. However, many Linux vendors are not helping customers with firmware updates, look at second half of this page for all the vendors that suck:

https://fwupd.org/lvfs/vendorlist

It looks like Purism is heading toward supporting fwupd:

https://puri.sm/posts/coreboot-on-the-skylake-librems-part-2/

I am suprised that System76 is going their own route and not supporting fwupd, they claimed they were going to support it, but they’ve gone their own direction, sad.

https://github.com/system76/firmware-update

Before you buy a system from a Linux OEM, ask them if they support fwupd for firmware updates. If they do not, ask them when they are going to support it.

Standard
Uncategorized

OEMs: support Linux firmware updates via fwupd

OEMs: users install Linux on some of the Windows boxes you sell. It is a PITA to update firmware from Linux if you only ship Windows EXEs. Rebooting into an ISO is slightly better. The proper solution for Linux is to support FWUpd.

(And the proper solution for Windows is to support Windows Update. But I heard that only a few OEMs support this, and still require OEM-centric tools to update their firmware. Sigh…)

https://fwupd.org/vendors

Standard
Uncategorized

Linux OEMs/VARs: use FwUpd

If you build a Linux-based system, you should be putting your firmware updates on fwupd. Dell is the only vendor currently doing this.

What about: System76, ThinkPenguin, Purism, HP, etc??

Hmm, it looks like System76 might be working on it!

 

Standard
Uncategorized

Dell info on Linux firmware updates

Regarding the new firmware update service available for Linux OEMs:

https://firmwaresecurity.com/tag/fwupd/

There is a new article from Dell on this topic:

(Published on behalf of Mario Limonciello, OS Architect of Dell Client Solutions Group’s Linux Engineering team.)

I’m happy to announce that starting with the Dell Edge Gateway 5000 we will be introducing support to natively flash UEFI firmware under Linux.  To achieve this we’re supporting the standards based UEFI capsule functionality from UEFI version 2.5.  Furthermore, the entire tool chain used to do this is open source. Red Hat has developed the tools that enable this functionality: fwupd, fwupdate, & ESRT support in the Linux kernel.  For the past year we have been working closely with Red Hat, Intel, & Canonical to jointly fix hundreds of issues related to the architecture, tools, process, and metadata on real hardware.  Dell will be publishing BIOS updates to the Red Hat created Linux Vendor Firmware Service (LVFS).  Red Hat provides LVFS as a central OS agnostic repository for OEMs to distribute firmware to all Linux customers. […]

http://en.community.dell.com/techcenter/b/techcenter/archive/2016/02/02/dell-firmware-updating-under-linux

Dell — along with Red Hat, apparently — are setting a great example, I hope other OEMs do as well with Linux. 🙂 It makes me think Dell is working to deal with this recent comment of William (of Dell):

Standard
Uncategorized

Ubuntu to opt-out of fwupd?

Not only do you have to study your Linux distribution to see if/how it uses Secure Boot, you also need to research if/how it gets firmware updates.

http://www.linux.com/news/software/applications/877661-ubuntu-1604-lts-might-get-the-option-of-updating-firmware-directly-from-the-os/

https://blueprints.launchpad.net/ubuntu/+spec/foundations-w-uefi-capsule-update

“Ubuntu should support updating firmware for systems and components (but not peripherals) via EFI UpdateCapsule (see EFI Capsule specification, in Related Links), so that users do not require Windows or DOS to apply BIOS/component firmware updates, and as such updates are easily available to all Ubuntu users. Peripheral firmware updates are not technically supported by the UEFI Capsule specification, and so are out of the scope of this blueprint.”

http://www.fwupd.org/

I also wonder about non-GNOME systems, how do KDE systems get firmware updates?

Standard