[Linux-Desktops] Easy firmware update for non-MS-Windows users

Mario_Limonciello at Dell.com Mario_Limonciello at Dell.com
Tue Sep 13 09:47:51 CDT 2016


> Thank you for your reply.


> On 09/13/16 16:13, Mario_Limonciello at Dell.com wrote:
> > First off let me say that Flashrom is an unsecured flashing mechanism.
> > On Dell systems the SPI rom is only unlocked after the signature of the
> flashing payload is validated.
> It wouldn’t be hard to extend a program like flashrom, or write a
> wrapper around it, to check the signature.

The big concern you get here is that you can't fully trust that anything else
hasn't interfered with the payload when you support natively 
flashing directly within an OS.

The updates that happen on client systems for Windows actually protect
against that concern.  The actual flashing doesn't occur within the OS.  It's
written to memory and the system is warm rebooted with a special flag to
tell the BIOS to not clear memory.  The signature and payload are verified 
and the flash occurs in the UEFI environment.

> > The strategies offered for client systems and servers vary.
> >
> > On supported client and IoT systems Dell has started to offer UEFI capsule
> updates (www.fwupd.org).
> >
> > On other client systems that don't yet support UEFI capsule update, you
> can flash by placing
> > the binary on a FAT32 USB stick and pressing F12 at POST.  You will see an
> option to "Flash BIOS".
> > It will let you select the binary and flash it.
> > You actually don't need a FAT32 USB stick if the machine is already booting
> in UEFI mode.  You
> > can also place it on the EFI system partition and browse that from the F12
> menu.
> I am well aware of these methods, and can only say, that they aren’t as
> user friendly as running a program from the running operating system.

I agree that flashing in the F12 menu isn't as user friendly as a native OS
update.  UEFI capsule however is executed natively from within the OS.

A GUI tool (Gnome Software is the only supported frontend right now)
will use fwupd to check LVFS for updated UEFI capsules.  If there is an update
it will be offered in the GUI.  When the user accepts it fwupd uses fwupdate
to stage the update.  Upon reboot fwupdate will use the BIOS UpdateCapsule
method to perform the update.

This ensures that every step of the process is secure, but still provides a
user friendly quick interface to use.

> > For server systems there are a lot of other components that need to be
> updated (such as LCC
> > and iDRAC).  DUP packages that can be run in Linux are released for these
> systems.
> Last time I tried it, this was very cumbersome.
> > It's also possible to do updates from bootable media
>  > (http://www.dell.com/Support/Article/us/en/04/SLN296511)
> Creating a new boot media, although I am already running an operating
> system, which provides the same environment, is a waste of time and
> resources.
> So back to the original question, will Dell provide the customers an
> *easy* way, that means it takes less than two minutes, to update the
> firmware from their operating system of choice?
> Who is the right person to contact?

At least in the client and IoT world, that's what we're doing with UEFI capsule updates.
We're the only OEM doing it right now for Linux.

I'm not the right person to talk about this strategy for the server space.  
You'll probably need to try one of the other mailing lists.  This one is desktop oriented.


> Kind regards,
> Paul Menzel
> _______________________________________________
> Linux-Desktops mailing list
> Linux-Desktops at dell.com
> https://lists.us.dell.com/mailman/listinfo/linux-desktops
> Please read the FAQ at http://lists.us.dell.com/faq

More information about the Linux-Desktops mailing list