Introduction

To update a BIOS or network card firmware in Linux traditionally meant rebooting into Microsoft Windows, or preparing a MS-DOS floppy disk (!) and hoping that everything would work after the update. Periodically searching a vendor website for updates is a manual and error-prone task and not something we should ask users to do.

fwupd is a simple daemon to allow session software to update device firmware on your local machine. It's designed for desktops, but also usable on phones and headless servers. You can either use a GUI software manager like GNOME Software to view and apply updates, the command-line tool or the system D-Bus interface directly. Updating firmware on Linux is now automatic, safe and reliable.

Using GNOME Software

gnome-software updates panel
New versions of GNOME Software will show and auto-download updates automatically.
gnome-software details panel
Double clicking on the cab file is also supported.

Using the command line

fwupd ships a command line fwupdmgr program. This allows administrators to get the list of upgradable devices, schedule offline updates or installing firmware on the live system. You can manually download released firmware updates from the LVFS device list.

$ fwupdmgr get-devices
Unifying Receiver
  DeviceId:             /sys/devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1.2
  Guid:                 77d843f7-682c-57e8-8e29-584f5b4f52a1
  Guid:                 cc4cbfa9-bf9d-540b-b92b-172ce31013c1
  Summary:              A miniaturised USB wireless receiver
  Plugin:               unifying
  Flags:                updatable|supported|registered
  Vendor:               Logitech
  VendorId:             USB:0x046D
  Version:              RQR24.05_B0029
  VersionBootloader:    BOT03.01_B0008
  Icon:                 preferences-desktop-keyboard
  Created:              2017-11-02

You can see all the command line options using --help:

Using the D-Bus API

The fwupd daemon is launched when queried for the first time. This exports an interface that can be queried from any language with a D-Bus binding such as C, Python or Java.

d-feet screenshot
$ $ gdbus call --system --dest org.freedesktop.fwupd --object-path / --method org.freedesktop.fwupd.GetDevices 
({'ro__sys_devices_pci0000_00_0000_00_1d_0_usb2_2_1_2_1_4_2_1_4_1_0':
  'CHug-usb:00:01:04:04':
   {'Guid': <'84f40464-9272-4ef7-9399-cd95f12da696'>,
    'DisplayName': <'ColorHugALS'>,
    'Provider': <'ColorHug'>,
    'Version': <'4.0.0'>,
    'Flags': }},)

Security

By default, any users are able to update firmware for removable hardware. The logic here is that if the hardware can be removed, it can easily be moved to a device that the user already has root access on, and asking for authentication would just be security theatre.

For non-removable devices, e.g. UEFI firmware, admin users are able to update trusted firmware without the root password. By default, we already let admin user and root update glibc and the kernel without additional authentication, and these would be a much easier target. The firmware updates and metadata are signed either with GPG or a PKCS-7 certificate.

User Interaction

No user interaction should be required when actually applying updates. Making it prohibited means we can do the upgrade with a graphical splash screen, without having to deal with locales or input methods.

Trusted Keys

Installing a public key to /etc/pki/fwupd allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files. By default trusted firmware can be upgraded (but not downgraded) without the user or administrator password. Only very few keys are installed by default.