
Fwupd: Updating Firmware in Linux - sonnyp
http://www.fwupd.org/index.html
======
maggit
> By default, any users are able to install firmware to removable hardware.
> The logic here is that if the hardware can be removed, it can easily be
> moved to a device that the user already has root access on, and asking for
> authentication would just be security theatre.

\- [http://www.fwupd.org/users.html](http://www.fwupd.org/users.html)

But it is not given that a user has physical access to the machine, is it?

Well... I guess that's why it says "By default", and you can configure it?
Seems targeted at desktop installations?

~~~
Menge
> But it is not given that a user has physical access to the machine, is it?

Yes, I think the logic here is flawed. The only way to know someone can do
something in the physical security theatre is by their doing it. Needing to
cajole any normal user into running a script is a tad more optimal than
convincing them to physically move devices from the server room to the new
machine that they won in your raffle.

------
teddyh
The big question is, what vendors will use this system instead of their own
horrible systems?

------
padraic7a
Interesting development. Is there info anywhere of manufacturers who have
undertaken to provide updates through this system?

------
sandGorgon
This has come at a good time. Nearly all ThinkPads are undergoing BIOS updates
because of a security issue, but it cannot be done on Linux.

I wonder if someone can build a howto for ThinkPads on Linux.

~~~
josteink
> nearly all thinkpads are undergoing bios updates because of a security
> issue.. but cannot be done on Linux. I wonder if someone can build a howto
> for Thinkpads on Linux.

Nonsense. ThinkPads can update the firmware from a bootable CD whose ISO you
can download from the Lenovo website.

I did this just last week with my Carbon X1. I can guarantee you that no
Windows was ever involved.

~~~
sandGorgon
Here's the last one I looked for:
[http://support.lenovo.com/us/en/downloads/ds001322](http://support.lenovo.com/us/en/downloads/ds001322)

Did I make a mistake?

------
khaki54
This is actually pretty sweet. If you are running a non-Linux OS you could
just reboot into a live disk and pull down all of the updates.

Take it a step further, you could just PXE-boot into a scripted image that
loads up and checks for FW updates, then reboots into the default OS when
complete.

------
weirdtunguska
Why can't this be done using standard ways, like deb packages?

~~~
the_why_of_y
Technically, LSB mandates RPM as the standard package format, so deb packages
would be non-standard.

For a more serious response, if you look at the architecture diagram, the
fwupd daemon is independent of any packaging or download mechanism so there
should be nothing preventing you from calling it from dpkg postinstall
scripts.

------
aexaey
This completely ignores the "evil maid" scenario.

~~~
mschuster91
Not if the firmware updater enforces digital signatures like the ucode update
does on CPUs.

------
weirdtunguska
Is it restricted to GNOME?

~~~
padraic7a
Well, gnome-software is obviously restricted to GNOME, and it might be the only
current GUI option, but I don't think the system is. The page states that you
can interact using the D-Bus API and that's not restricted to GNOME:
[https://en.wikipedia.org/wiki/D-Bus](https://en.wikipedia.org/wiki/D-Bus)

