For the most part I never cared much about upgrading firmware because if it
works don’t mess with it is usually my rule.
I also don’t care much about having installed the latest version of Intel “““NSA botnet””” Management Engine, it is a piece of trash anyway so I might as well not have the latest updates.
But since I have some issues with the NVME drive (very slow reads, it is most definitely dying) I figured a system wide firmware upgrade wouldn’t be a bad thing.
The interwebz says the best way to upgrade firmware on Linux is using a tool called
fwupd; it basically gives the user access to a massive repository of
firmware which are provided and signed by hardware companies themselves.
Dealing with closed source crapware and binary blobs always gives some headhace, of course having
fwupd working was not free of any hassle: it
downloads everything, gives no error/warning, but after rebooting nothing gets
FWUPD: HOW TO
First thing first,
fwupd can be installed on Fedora with the following
$ sudo dnf install fwupd
It also installs a few systemd services, it isn’t required to activate them
because their activation is triggered by
fwupd* commands themselves.
$ fwupdmgr refresh
Show hardware devices for which firmware are handled by
$ fwupdmgr get-devices --show-all-devices
Get a list of of upgradable firmware:
$ fwupdmgr get-updates
Download and install firmware updates from
$ fwupdmgr update
Install upgrade manually, requires firmware to be in
cab file format:
$ fwupdmgr --allow-older --allow-reinstall install Lenovo-ThinkPad-T480-CorporateMEFirmware-184.108.40.20609.cab
To be able to flash firmware from Linux it is required to enable the following features in BIOS:
Security --> Flash BIOS Updating by End-Users | ENABLED
Security --> Windows UERI Fimrware Update | ENABLED
I also disabled Secure boot just to be safe (or unsafe):
Security --> Secure Boot | DISABLED
ISSUE: Firmware are downloaded but not installed at reboot
After having downloaded the firmware
fwupd asks the user to reboot the
system, which is required to actually install the updates.
But for some reason in my case it wouldn’t automagically start the flash procedure.
I noticed a boot entry called
Linux-Firmware-Updater has been added, I even
manually selected it (F12 during POST) but it did nothing.
fwupd githus issue tracker is full of people complaining about having
similar issues but I could not find much.
The trick in my case was changing the boot order prior to rebooting the system using
To check the current boot order use:
$ efibootmgr -v
Linux-Firmware-Updater as first boot device run:
$ sudo efibootmgr -o 2 1 1A
NOTE: in my case
Don’t forget to add
<your OS of choice> and also
<your boot drive>
otherwise it might be impossible to boot up the system later on.
POST UPGRADE CONSIDERATIONS
I would definitely revert the changed made into the BIOS, closed source blobs are already trash as they are, opening even more possible security holes is not a good idea:
Security --> Flash BIOS Updating by End-Users | DISABLED
Security --> Windows UERI Fimrware Update | DISABLED
Security --> Secure Boot | ENABLED