Re: Install fwupd on a default installation
On 2018-12-27 03:52, Mario.Limonciello@dell.com wrote:
Something I think worth mentioning is that LVFS is being transitioned
to being run
and managed by the Linux Foundation.
yeah, that's great news.
Interestingly enough the vendor signs a blob (CAB file) and LVFS
it away and re-signs the blob with its own key. But then again I think
the base assumption is that the contained firmware images are
signed as well and the BIOS does a check before ingesting them.
Speaking on behalf of one of the biggest distributors of firmware on
I can say that all of the firmware images are signed by Dell PKI
will not flash on the system if modified.
LVFS is currently in the process of plumbing this information through
to the U/I
Just the fact that the update claims that the hardware only accepts
signed updates or something else? :)
Obviously you end up with the usual concerns like the repository being
able to hold back updates from certain clients. The website's code is
supposedly available on https://github.com/hughsie/lvfs-website/
and I suppose a transparency effort could solve that particular
LVFS is able to prevent distributing updates in two situations:
1) when there are known bad SW combinations (say vendor knew bug
existed in fwupd
1.0.x but was fixed in 1.1.x - set minimum version for the update to be
or need to update device XYZ before device ABC.
2) rate limiting of updates
To stage rollouts and monitor optional feedback in the event of a
I will note - although slightly off-topic to the discussion at hand -
that it would be useful to people to be able to run their own repository
of updates and control the rollouts (and staging percentages)
themselves. I'm not actually suggesting that Debian would need to run
their own, but it'd be a useful service to the users who don't want to
send telemetry to the Linux Foundation - and furthermore have a
significant deployment where it's worth canarying the updates.
Oh yes. Not just that, also finding the right image to apply and then
figuring out how the hell to apply it is a solved problem with
Please keep in mind it's much much more than EFI updates now too.
There are updates
that can apply "in Debian" without a reboot for things like
Thunderbolt controllers, docks,
MST hubs, and various USB devices.
Fair enough. Do you have a pointer for examples of such updates?
Unfortunately I updated my own Dell dock recently from Windows, so I
can't easily check. Mostly I'm interested if it's a proprietary binary
run on the host. That's its own can of worms. (Which technically is true
for the EFI update too, but it's staged from outside of Linux on
Kind regards and thanks