fwupd is a program to update your PC (and its devices’) firmware, and LVFS is the Linux Vendor Firmware Service which you can think of a repository where vendors upload firmware updates to. fwupd can detect devices on your PC with firmware update capability, and look for updates on LVFS, fetch and install them for you.

Firmware types that can be updated that way can be critical and non-critical things alike, like your PC’s UEFI firmware, HDD/SSD firmware or even things like your Logitech USB receiver.

Today we’ll be updating my Lenovo ThinkPad A485 UEFI firmware from version 1.28 to 1.31 using fwupd and LVFS.

Now, I should tell you that for security reasons, I disabled OS UEFI updates so that some casual malicious application cannot easily install malicious firmware. This can be enabled or disabled in the UEFI settings itself, called something like “Windows UEFI Firmware Update” but really, this should be called “OS UEFI Firmware Update”, as this setting isn’t specific to Windows. It can be found in the UEFI settings under Security > UEFI BIOS Update Option, at least on my machine.

So first, I have to reboot and enable UEFI updates from OS, then we’ll update the firmware, reboot and disable the setting again and then reboot once more, and we should be done. So let’s reboot and enable UEFI updates, and we’ll be right back! Of course, unless you changed the default settings you don’t have to do this and can go right ahead to updating in the next part.

One reboot later (doing the update)…

Now that we enabled updating of the UEFI firmware (you probably didn’t have to do that), we can proceed to do the actual updating…

First make sure you have installed fwupd, which on Ubuntu can be done with:

sudo apt install fwupd

Next thing, fetch the latest “repo data” from LVFS with:

sudo fwupdmgr refresh

You should see the progress of the download, and once complete, run:

sudo fwupdmgr get-devices

Which will display all devices with firmware update capability (which does not necessarily reflect whether an update is available or that device is even in the repo).

If you disabled UEFI firmware updates, and did not enable, it will not show your board when running this command. So make sure UEFI updates are enabled in the UEFI settings.

So let’s run the update now:

sudo fwupdmgr update

Which will output something like:

Downloading 0.1.43 for 20MU000DMZ System Firmware...
Fetching firmware https://fwupd.org/downloads/a983c4cb18a8d43754e0c83955c6ad68fc14b0015ddb286a70029fd92512034d-Lenovo-ThinkPad-A485-SystemFirmware-1.31.cab
Downloading…             [***************************************]
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Updating 20MU000DMZ System Firmware…                             ]
Scheduling…              [***************************************]

An update requires a reboot to complete. Restart now? [Y|n]:

As you can see it will automatically detect and fetch updates and prompt for a restart to apply the update.

Make sure you have saved all your work and closed your applications and confirm the reboot with yes (Y) and then wait for it to complete the update.

Update failed…

Uh oh! I remember having the same issue last time… Nothing happened!

Here’s how to fix it: Go back to UEFI settings and where you enabled “Windows UEFI Firmware Update” you should also disable “Secure RollBack Prevention” and press F10 to save and exit, reboot and go back into UEFI settings, press F9 to load default settings and reboot (security settings get preserved) and now try the update again. Worked for me!

Updated successful!

After reboot, you will see a little text message in the top left corner about a firmware update file, then it will boot into a flash utility and it will do a lot of obnoxious beeping while flashing. So, you probably don’t want to do this in the middle of the night… Be patient, perhaps leave the room and take your cat with you while it beeps if it’s too loud for you. After it’s done it will reboot and you can manually go back into the UEFI settings and check that it is indeed running the new firmware version.

Post update tasks…

Now after updating and being back up in Linux, you want to run:

sudo fwupdmgr get-devices

Which will output a long (or short) list of devices, and a message at the end with something like:

________________________________________________

Devices that have been updated successfully:

 • 20MU000DMZ System Firmware (0.1.40 → 0.1.43)

Uploading firmware reports helps hardware vendors to quickly identify failing and successful updates on real devices.
Upload report now? (Requires internet connection) [Y|n]:

I would (and did) choose yes (Y). Which will show the data it would upload and ask for confirmation once more:

Target:                  https://fwupd.org/lvfs/firmware/report
Payload:                 {
                           "ReportVersion" : 2,
                           "MachineId" : "****REDACTED FOR THIS BLOG POST****",
                           "Metadata" : {
                             "DistroId" : "linuxmint",
                             "DistroVersion" : "19.3"
                           },
                           "Reports" : [
                             {
                               "Checksum" : "****REDACTED FOR THIS BLOG POST****",
                               "UpdateState" : 2,
                               "Guid" : "****REDACTED FOR THIS BLOG POST****",
                               "Plugin" : "uefi",
                               "VersionOld" : "0.1.40",
                               "VersionNew" : "0.1.43",
                               "Flags" : 299,
                               "Created" : 1592124131,
                               "Modified" : 0,
                               "Metadata" : {
                                 "CpuArchitecture" : "x86_64",
                                 "RuntimeVersion(org.freedesktop.fwupd)" : "1.2.10",
                                 "DistroId" : "linuxmint",
                                 "CompileVersion(org.freedesktop.fwupd)" : "1.2.10",
                                 "CompileVersion(com.redhat.fwupdate)" : "12",
                                 "SecureBoot" : "Disabled",
                                 "BootMgrDesc" : "legacy",
                                 "CompileVersion(org.freedesktop.gusb)" : "0.2.11",
                                 "DistroVersion" : "19.3",
                                 "RuntimeVersion(org.freedesktop.appstream-glib)" : "0.7.14",
                                 "ESPMountPoint" : "/boot/efi",
                                 "KernelVersion" : "5.3.0-59-generic",
                                 "UEFIUXCapsule" : "Disabled",
                                 "CompileVersion(com.redhat.efivar)" : "34",
                                 "RuntimeVersion(com.dell.libsmbios)" : "2.4",
                                 "BootTime" : "1592124050",
                                 "RuntimeVersion(com.redhat.fwupdate)" : "12"
                               }
                             }
                           ]
                         }
Proceed with upload? [Y|n]: 

And if you’re sure, confirm with yes (Y) again. I did provide this data in the hope that it will be useful, and so that the vendor can see people really are using Linux and the firmware update service. Shouldn’t hurt too much. ;)

But because we had to change the security settings and load the default UEFI settings, we should now reboot again, change the security settings back to how they were (hardened) and save, reboot, load default settings, reboot and then start customizing our settings. Why loading default settings again? It’s good practice after a firmware update to do a settings “reset” and then customize them to our liking afterwards. But the security settings, at least on my machine, get preserved when loading default settings.

That’s all there is to it! I hope this helped you out.

PS If you run sudo fwupdmgr update again, you will see something like:

No upgrades for 20MU000DMZ System Firmware, current is 0.1.43: 0.1.43=same, 0.1.40=older

So, we’re good and up to date. ;)