For the most part I never cared much about upgrading firmware because if it works don’t mess with it is usually my rule.
I also don’t care much about having installed the latest version of Intel “““NSA botnet””” Management Engine, it is a piece of trash anyway so I might as well not have the latest updates.
But since I have some issues with the NVME drive (very slow reads, it is most definitely dying) I figured a system wide firmware upgrade wouldn’t be a bad thing.
The interwebz says the best way to upgrade firmware on Linux is using a tool called fwupd; it basically gives the user access to a massive repository of firmware which are provided and signed by hardware companies themselves.
Dealing with closed source crapware and binary blobs always gives some headhace, of course having fwupd working was not free of any hassle: it downloads everything, gives no error/warning, but after rebooting nothing gets installed.

FWUPD: HOW TO

First thing first, fwupd can be installed on Fedora with the following command:

$ sudo dnf install fwupd

It also installs a few systemd services, it isn’t required to activate them because their activation is triggered by fwupd* commands themselves.
Update fwupd repos:

$ fwupdmgr refresh

Show hardware devices for which firmware are handled by fwupd:

$ fwupdmgr get-devices --show-all-devices

Get a list of of upgradable firmware:

$ fwupdmgr get-updates

Download and install firmware updates from fwupd repositories:

$ fwupdmgr update

Install upgrade manually, requires firmware to be in cab file format:

$ fwupdmgr --allow-older --allow-reinstall install Lenovo-ThinkPad-T480-CorporateMEFirmware-11.8.86.3909.cab

BIOS settings

To be able to flash firmware from Linux it is required to enable the following features in BIOS:

Security --> Flash BIOS Updating by End-Users | ENABLED
Security --> Windows UERI Fimrware Update     | ENABLED

I also disabled Secure boot just to be safe (or unsafe):

Security --> Secure Boot                      | DISABLED

ISSUE: Firmware are downloaded but not installed at reboot

After having downloaded the firmware fwupd asks the user to reboot the system, which is required to actually install the updates.
But for some reason in my case it wouldn’t automagically start the flash procedure.
I noticed a boot entry called Linux-Firmware-Updater has been added, I even manually selected it (F12 during POST) but it did nothing.
fwupd githus issue tracker is full of people complaining about having similar issues but I could not find much.
The trick in my case was changing the boot order prior to rebooting the system using efibootmgr.
To check the current boot order use:

$ efibootmgr -v

To select Linux-Firmware-Updater as first boot device run:

$ sudo efibootmgr -o 2 1 1A

NOTE: in my case 2 –> Linux-Firmware-Updater, 1 –> Fedora and 1a –> NVMe0.
Don’t forget to add <your OS of choice> and also <your boot drive> otherwise it might be impossible to boot up the system later on.

POST UPGRADE CONSIDERATIONS

I would definitely revert the changed made into the BIOS, closed source blobs are already trash as they are, opening even more possible security holes is not a good idea:

Security --> Flash BIOS Updating by End-Users | DISABLED
Security --> Windows UERI Fimrware Update     | DISABLED
Security --> Secure Boot                      | ENABLED