The LVFS project

The LVFS is a simple Flask web service using a MySQL database, and the code is available for review at GitLab. This is also the place to file vendor feature requests and to request that existing vendors on the LVFS update specific models of hardware. You can run your own test instance by doing:

$ git clone https://gitlab.com/fwupd/lvfs-website.git
$ cd lvfs-website
$ ./app.wsgi

There is a low-volume lvfs-announce mailing list for the Linux Vendor Firmware Service, which will only be used to make announcements about new features and planned downtime. If you are interested in what’s happening with the LVFS you can subscribe to lvfs-announce here.

The fwupd project

The fwupd code is available at GitHub and this is also the place to file bugs or feature requests to add support for new firmware flashing methods. You can get the code by doing:

$ git clone https://github.com/fwupd/fwupd.git

Various plugins are included to update devices, including native support for UEFI, DFU, Unifying, Thunderbolt and ColorHug.

Is updating firmware secure?

In both the LVFS and fwupd, GPG crypto is performed using GnuPG and PKCS#7 crypto using GnuTLS. The fwupd daemon has no network access and only acts as the mechanism for clients using D-Bus and PolicyKit. Some devices also have additional hardware signature verification schemes implemented by the device manufacturer.

The LVFS and fwupd codebases have had several independent security audits. The LVFS has a huge number of tests run for each commit, while fwupd has a comprehensive test suite and is regularly scanned using both clang and Coverity.

LVFS © 2015 Richard Hughes with icons from Font Awesome and GeoIP data from IP2Location.

Linux Vendor Firmware Service Project a Series of LF Projects, LLC :: Charter