The LVFS project
The LVFS is a simple Flask web service using a MySQL database and the code is available for review at GitLab. This is also the place to file vendor feature requests and also where you can request existing vendors on the LVFS update specific models of hardware. You can run your own test instance by doing:
$ git clone https://gitlab.com/fwupd/lvfs-website.git $ ./app.wsgi
There is a low-volume lvfs-announce
mailing list for the Linux Vendor
Firmware Service, which will only be used to make announcements about new
features and planned downtime.
If you are interested in what’s happening with the LVFS you can
subscribe to lvfs-announce here.
The fwupd project
The fwupd code is available at GitHub and this is also the place to file bugs or feature requests to add support for new firmware flashing methods. You can get the code by doing:
$ git clone https://github.com/fwupd/fwupd.git
Various plugins are included to update devices, which includes native support for UEFI, DFU, Unifying, ThunderBolt and ColorHug.
Is updating firmware secure?
In both the LVFS and fwupd, GPG crypto is being performed using GnuPG and PKCS#7 crypto is using GnuTLS. The fwupd daemon has no network access and only acts as the mechanism for clients using D-DBus and PolicyKit. Some devices also have additional hardware signature verification schemes implemented by the device manufacturer.
The LVFS and fwupd codebases have had several independent security audits. The LVFS has a huge number of tests run for each commit, and fwupd has a comprehensive test suite, and is regularly scanned using both clang and Coverity.
LVFS © 2015 Richard Hughes with icons from Font Awesome and GeoIP data from IP2Location.
Linux Vendor Firmware Service Project a Series of LF Projects, LLC :: Charter