LVFS: checking for expired certs in UEFI

Richard Hughes has two new blog posts, one with an update to LVFS, and one on how it parses firmware ‘blobs’:

[…]Specifically, firmware is now being checked for expired Authenticode certificates which expired more than 3 years before the upload date of the firmware. The LVFS is also looking for test signing certificates that really should not exist in production firmware. All existing firmware on the LVFS is being tested, and the test backlog should be complete by this afternoon. All test failures are currently waivable.[…]

https://lists.linuxfoundation.org/pipermail/lvfs-announce/2019-June/000022.html
https://blogs.gnome.org/hughsie/2019/06/02/breaking-apart-dell-uefi-firmware-capsuleupdate-packages/
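As an added example (not the LVFS project's own code), the two checks quoted above can be expressed over already-parsed signing-certificate fields: fail a firmware whose Authenticode certificate expired more than three years before the upload date, and flag anything that looks like a test-signing certificate. The certificate records, the upload date and the subject-name markers used to spot test certificates are constructed assumptions; a real PE/Authenticode parser would supply the fields.

```python
from datetime import date

# Constructed sample records (not real LVFS data): what an Authenticode parser
# would hand back for the signing certificate embedded in each firmware blob.
SAMPLE_CERTS = [
    {"fw": "ok.cap",     "subject": "CN=Vendor Firmware Signing CA", "not_after": date(2018, 1, 1)},
    {"fw": "recent.cap", "subject": "CN=Vendor Firmware Signing CA", "not_after": date(2017, 1, 1)},
    {"fw": "stale.cap",  "subject": "CN=Vendor Firmware Signing CA", "not_after": date(2015, 6, 1)},
    {"fw": "test.cap",   "subject": "CN=WDKTestCert vendor,1234",   "not_after": date(2020, 1, 1)},
]
UPLOAD_DATE = date(2019, 6, 2)  # constructed upload date

# Assumed heuristic: the announcement says the LVFS looks for test-signing
# certificates but not how, so match on subject strings typical of test keys.
TEST_SUBJECT_MARKERS = ("WDKTestCert", "Test Signing", "TestCert")

def grace_cutoff(upload_date, years=3):
    """Certificates whose notAfter is before this date fail the expiry check."""
    try:
        return upload_date.replace(year=upload_date.year - years)
    except ValueError:  # Feb 29 upload with no leap day `years` earlier
        return upload_date.replace(year=upload_date.year - years, day=28)

def check_cert(cert, upload_date):
    """Return the list of failure tags for one firmware's signing certificate."""
    failures = []
    # Expired certificates are tolerated for three years after expiry;
    # older than that is a (waivable) test failure.
    if cert["not_after"] < grace_cutoff(upload_date):
        failures.append("expired-authenticode-cert")
    subject = cert["subject"].lower()
    if any(marker.lower() in subject for marker in TEST_SUBJECT_MARKERS):
        failures.append("test-signing-cert")
    return failures

def run_checks(certs, upload_date):
    """Map each firmware name to its failure tags (empty list means pass)."""
    return {c["fw"]: check_cert(c, upload_date) for c in certs}

if __name__ == "__main__":
    for fw, tags in run_checks(SAMPLE_CERTS, UPLOAD_DATE).items():
        print(fw, "PASS" if not tags else "FAIL (waivable): " + ", ".join(tags))
```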

Linux Foundation adopts the LVFS Project

Re: https://firmwaresecurity.com/2018/09/08/linux-foundation-taking-over-linux-vendor-firmware-service-lvms/

The Linux Foundation welcomes the Linux Vendor Firmware Service (LVFS) as a new project. LVFS is a secure website that allows hardware vendors to upload firmware updates. It’s used by all major Linux distributions to provide metadata for clients, such as fwupdmgr, GNOME Software and KDE Discover. To learn more about the project’s history and goals, we talked with Richard Hughes, upstream maintainer of LVFS and Principal Software Engineer at Red Hat.[…]

https://www.linuxfoundation.org/blog/2019/03/lvfs-project-announcement/
https://www.linux.com/news/linux-foundation-welcomes-lvfs-project

see-also:
https://github.com/hughsie/fwupd
https://fwupd.org/lvfs/devicelist

Linux UEFI firmware updates via LVFS at Linaro Connect

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

Firmware is responsible for low-level platform initialization, establishing root-of-trust, and loading the operating system (OS). Signed UEFI Capsules define an OS-agnostic process for verified firmware updates, utilizing the root-of-trust established by firmware. The open source FmpDevicePkg in TianoCore provides a simple method to update system firmware images and device firmware images using UEFI Capsules and the Firmware Management Protocol (FMP). This session describes the EFI Development Kit II (EDK II) capsule implementation, implementing FMP using FmpDevicePkg, creating Signed UEFI Capsules using open source tools, and an update workflow based on the Linux Vendor Firmware Service (fwupd.org).

https://yvr18.pathable.com/meetings/740447

http://connect.linaro.org/schedule/

https://fwupd.org/

fwupd / LVFS and user privacy

There have been a few blog posts from the LVFS project and the System76 team regarding firmware updates.

Don’t buy System76 hardware and expect to get firmware updates from the LVFS

System76: System76 and LVFS – what really happened

The latest article, from FOSSpost.org by M. Hanny Sabbagh, focuses on the privacy issues with LVFS raised in the last System76 article. While privacy issues are important, don’t forget that firmware update privacy issues exist with ALL other OSes, and the LVFS team mentions a transition to the Linux Foundation for hosting. Most firmware updates come from the OEM, so each will have its own CDN/privacy/security issues. I’m hoping the LVFS project gets picked up by Qubes/TAILS/Subgraph/GNUHardenedLinux or some other privacy/security-centric distro, and can integrate with the latest security and privacy techniques, making it Tor-friendly, etc.

See the threads here, the comments on the fosspost.org blog post, and the Twitter feed:

https://lists.debian.org/debian-efi/2018/05/threads.html

https://fosspost.org/analytics/privacy-security-concern-regarding-gnome-software

Linux OEMs: support fwupd.org

FWupd.org is a Linux firmware update service, roughly like Windows Update, but for Linux.

https://fwupd.org/
https://github.com/hughsie/fwupd

Building local firmware in fwupd

fwupd hits 1.0.0

It is nice to have a central place for firmware updates, so you don’t have to rely on the tools from a single OEM. Right now, most OEMs force you to use their own firmware update tools. Windows OEMs mostly don’t bother to use Windows Update, and it looks like that problem is not OS-centric: Linux OEMs mostly don’t bother to use fwupd either. Many Linux vendors are not helping customers with firmware updates; look at the second half of this page for all the vendors that suck:

https://fwupd.org/lvfs/vendorlist

It looks like Purism is heading toward supporting fwupd:

https://puri.sm/posts/coreboot-on-the-skylake-librems-part-2/

I am surprised that System76 is going their own route and not supporting fwupd; they claimed they were going to support it, but they’ve gone their own direction, sad.

https://twitter.com/hughsient/status/953375956412108806

https://twitter.com/CassidyJames/status/890610653882269696

https://github.com/system76/firmware-update

Before you buy a system from a Linux OEM, ask them if they support fwupd for firmware updates. If they do not, ask them when they are going to support it.

OEMs: support Linux firmware updates via fwupd

OEMs: users install Linux on some of the Windows boxes you sell. It is a PITA to update firmware from Linux if you only ship Windows EXEs. Rebooting into an ISO is slightly better. The proper solution for Linux is to support FWUpd.

(And the proper solution for Windows is to support Windows Update. But I heard that only a few OEMs support this, and still require OEM-centric tools to update their firmware. Sigh…)

https://fwupd.org/vendors

Linux OEMs/VARs: use FwUpd

If you build a Linux-based system, you should be putting your firmware updates on fwupd. Dell is the only vendor currently doing this.

What about System76, ThinkPenguin, Purism, HP, etc.?

Hmm, it looks like System76 might be working on it!


Dell info on Linux firmware updates

Regarding the new firmware update service available for Linux OEMs:

https://firmwaresecurity.com/tag/fwupd/

There is a new article from Dell on this topic:

(Published on behalf of Mario Limonciello, OS Architect of Dell Client Solutions Group’s Linux Engineering team.)

I’m happy to announce that starting with the Dell Edge Gateway 5000 we will be introducing support to natively flash UEFI firmware under Linux.  To achieve this we’re supporting the standards based UEFI capsule functionality from UEFI version 2.5.  Furthermore, the entire tool chain used to do this is open source. Red Hat has developed the tools that enable this functionality: fwupd, fwupdate, & ESRT support in the Linux kernel.  For the past year we have been working closely with Red Hat, Intel, & Canonical to jointly fix hundreds of issues related to the architecture, tools, process, and metadata on real hardware.  Dell will be publishing BIOS updates to the Red Hat created Linux Vendor Firmware Service (LVFS).  Red Hat provides LVFS as a central OS agnostic repository for OEMs to distribute firmware to all Linux customers. […]

http://en.community.dell.com/techcenter/b/techcenter/archive/2016/02/02/dell-firmware-updating-under-linux

Dell — along with Red Hat, apparently — is setting a great example, I hope other OEMs do as well with Linux. 🙂 It makes me think Dell is working to deal with this recent comment of William (of Dell):

Ubuntu to opt-out of fwupd?

Not only do you have to study your Linux distribution to see if/how it uses Secure Boot, you also need to research if/how it gets firmware updates.

http://www.linux.com/news/software/applications/877661-ubuntu-1604-lts-might-get-the-option-of-updating-firmware-directly-from-the-os/

https://blueprints.launchpad.net/ubuntu/+spec/foundations-w-uefi-capsule-update

“Ubuntu should support updating firmware for systems and components (but not peripherals) via EFI UpdateCapsule (see EFI Capsule specification, in Related Links), so that users do not require Windows or DOS to apply BIOS/component firmware updates, and as such updates are easily available to all Ubuntu users. Peripheral firmware updates are not technically supported by the UEFI Capsule specification, and so are out of the scope of this blueprint.”

http://www.fwupd.org/

I also wonder about non-GNOME systems, how do KDE systems get firmware updates?

Dell joins Linux Vendor Firmware Service

Richard Hughes has a new blog post on Dell joining Linux Vendor Firmware Service (LVFS).

The Linux Vendor Firmware Service Welcomes Dell

Dell has a poll about the service, asking its users which models to target next, which Linux distros they use, etc. If you have a Dell system, please be sure to check out the survey.

https://docs.google.com/forms/d/1Hkh13Xh14yUxUciEFqqYiOfPfzR4y5F1xLFgTbs_FU4/viewform?c=0&w=1

http://www.fwupd.org/

So, I guess I need to check fwupd.org before buying a new Linux system, to see if the vendor supports firmware updates or not. Hmm, I wish fwupd.org had a list of supported OEMs/IHVs: if it does, I missed it; I’ll have to just watch Richard’s blog for new OEM announcements, I guess.

Linux firmware update

As pointed out on Phoronix, there’s a new blog post by Peter Jones of Red Hat on the status of firmware updates on Linux.

http://blog.uncooperative.org/blog/2015/09/16/an-update-on-firmware-updates/

Phoronix has been covering this much better than I have:

http://www.phoronix.com/scan.php?page=search&q=ESRT

http://www.phoronix.com/scan.php?page=search&q=fwupd

http://www.phoronix.com/scan.php?page=news_item&px=Linux-UEFI-Firmware-Sept

fwupd and Linux Vendor Firmware Service

I haven’t been covering LVFS and fwupd much. Luckily, Michael Larabel of Phoronix.com has been doing a good job. Richard Hughes has built a firmware update mechanism for GNOME-based Linux systems. Excerpting from some of Richard’s posts, including his request for help getting the word out to vendors to support it:

fwupd is a simple daemon to allow session software to update device firmware on your local machine. It’s designed for desktops, but this project is also usable on phones, tablets and on headless servers. You can either use a GUI software manager like GNOME Software to view and apply updates, the command-line tool or the system D-Bus interface directly.

I’ve spent the last couple of months talking with various Red Hat partners and other OpenHardware vendors that produce firmware updates. These include most of the laptop vendors that you know and love, along with a few more companies making very specialized hardware. We’ve now got a process, fwupd, that is capable of taking the packaged update and applying it to the hardware using various forms of upload mechanism. We’ve got a specification, AppStream, which is used to describe the updates and provide metadata for what firmware updates are available to be installed. What we were missing was to “close the circle” and provide a web service for small and medium size vendors to use to upload new firmware and make it available to Linux users. Microsoft already provides such a thing for vendors to use, and it’s part of the Microsoft Update service. From the vendors I’ve talked to, the majority don’t want to run any tools on their firmware to generate metadata. Most of them don’t even want to commit to hosting the metadata or firmware files in the same place forever, and with a couple of exceptions actually like the Microsoft Update model. I’ve created a simple web service that’s being called Linux Vendor Firmware Service (perhaps not the final name). You can see the site in action here, although it’s not terribly useful or exciting if you’re not a hardware vendor. If you are vendor that produces firmware and want an access key for the beta site, please let me know. All firmware uploaded will be transferred to the final site, although I’m still waiting to hear back from Red Hat legal about a longer version of the redistribution agreement.

Over the last couple of months I’ve been emailing various tech companies trying to get hold of the right people to implement this. So far the reaction from companies has been enthusiastic and apathetic in equal measures. I’ve had a few vendors testing the process, but I can’t share those names just yet as most companies have been testing with unreleased hardware. This is where you come in. On your Linux computer right now, think about what hardware you own that works in Linux that you know has user-flashable firmware? What about your BIOS, your mouse, or your USB3 hub? Your network card, your RAID card, or your video card? Things I want you to do:

* Find the vendor on the internet, and either raise a support case or send an email. Try and find a technical contact, not just some sales or marketing person
* Tell the vendor that you would like firmware updates when using Linux, and that you’re not able to update the firmware booting to Windows or OS-X
* Tell the vendor that you’re more likely to buy from them again if firmware updates work on Linux
* Inform the vendor about the LVFS project : https://beta-lvfs.rhcloud.com/

At all times I need you to be polite and courteous, after all we’re asking the vendor to spend time (money) on doing something extra for a small fraction of their userbase. Ignoring one email from me is easy, but getting tens or hundreds of support tickets about the same issue is a great way to get an issue escalated up to the people that can actually make changes. So please, spend 15 minutes opening a support ticket or sending an email to a vendor now.

If you know of any vendors, please try to help Richard out with his above request. I hope Richard has contacts at the USB and UEFI trade groups, to directly get word out to their member-vendors.

http://www.fwupd.org/
https://beta-lvfs.rhcloud.com/
https://github.com/hughsie/fwupd
http://www.freedesktop.org/software/appstream/docs/

Linux Vendor Firmware Service: We Need Your Help

Introducing the Linux Vendor Firmware Service

Embargoed firmware updates in LVFS
http://www.phoronix.com/scan.php?page=news_item&px=Linux-LVFS-Embargoed
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Vendor-Firmware-S
http://www.phoronix.com/scan.php?page=news_item&px=linux-lvfs-embargoed

Two Linux firmware articles

1) Linux Vendor Firmware Service launches

In a Phoronix article today, Michael Larabel describes the newly announced Linux Vendor Firmware Service (LVFS).

“This site provides a place for hardware vendors to submit packaged firmware updates, typically .cab files. This fire-and-forget service allows vendors to submit firmware updates without generating and hosting AppStream metadata themselves.”

More information:
https://beta-lvfs.rhcloud.com/
http://www.phoronix.com/scan.php?page=news_item&px=Linux-Vendor-Firmware-S
https://github.com/hughsie/fwupd

2) Intel on Linux firmware updates

Brian Richardson posted a blog yesterday, with information on Linux fwupdate, UEFI Capsule (firmware updates), UEFI 2.5 ESRT, and the Fedora firmware update mechanism.

More information:
http://blogs.intel.com/evangelists/2015/06/23/better-firmware-updates-in-linux-using-uefi-capsules/

Fedora proposal for UEFI 2.5 Capsule Update support

As reported on Fedora devel-announce and on Softpedia, a proposal has been added for Red Hat’s Fedora to support UEFI Capsule Updates via UEFI 2.5’s ESRT.

“This adds the ability to perform updates of system firmware, as well as some peripheral firmware, on machines supporting the UEFI Capsule Update mechanism and UEFI 2.5’s “ESRT” feature. Right now this is generic support—the number of machines for which we actually have firmware updates available is very small, as the underlying technology is quite new—and it doesn’t include any actual delivery mechanism for such firmware images. But if they’re put at the right place for fwupd to notice them, and the system supports the right features, they’ll show up as updates in gnome-software.”

It will be very interesting to see how different distributions expose firmware updates to users.

More Information:

http://news.softpedia.com/news/Fedora-23-Linux-Might-Allows-Users-to-Perform-Firmware-Updates-on-UEFI-Machines-483390.shtml
https://lists.fedoraproject.org/pipermail/devel-announce/2015-June/001595.html
https://fedoraproject.org/wiki/Changes/SystemFirmwareUpdates