
Re: Install fwupd on a default installation

Hey Mario,

On 2018-12-27 03:52, Mario.Limonciello@dell.com wrote:
> Something I think worth mentioning is that LVFS is being transitioned
> to being run and managed by the Linux Foundation.

yeah, that's great news.

>> Interestingly enough the vendor signs a blob (CAB file) and LVFS throws
>> it away and re-signs the blob with its own key. But then again I think
>> the base assumption is that the contained firmware images are themselves
>> signed as well and the BIOS does a check before ingesting them.
>
> Speaking on behalf of one of the biggest distributors of firmware on
> LVFS (Dell) I can say that all of the firmware images are signed by
> Dell PKI infrastructure and will not flash on the system if modified.
>
> LVFS is currently in the process of plumbing this information through
> to the U/I as well.

Just the fact that the update claims that the hardware only accepts
signed updates or something else? :)

>> Obviously you end up with the usual concerns like the repository being
>> able to hold back updates from certain clients. The website's code is
>> supposedly available on https://github.com/hughsie/lvfs-website/
>> though and I suppose a transparency effort could solve that
>> particular problem,
>
> LVFS is able to prevent distributing updates in two situations:
>
> 1) when there are known bad SW combinations (say vendor knew bug
> existed in fwupd 1.0.x but was fixed in 1.1.x - set minimum version
> for the update to be 1.1.x), or need to update device XYZ before
> device ABC.
>
> 2) rate limiting of updates
> To stage rollouts and monitor optional feedback in the event of a
> problem.

I will note - although slightly off-topic to the discussion at hand - that it would be useful to people to be able to run their own repository of updates and control the rollouts (and staging percentages) themselves. I'm not actually suggesting that Debian would need to run their own, but it'd be a useful service to the users who don't want to send telemetry to the Linux Foundation - and furthermore have a significant deployment where it's worth canarying the updates.

>> Oh yes. Not just that, also finding the right image to apply and then
>> figuring out how the hell to apply it is a solved problem with EFI-based
>
> Please keep in mind it's much much more than EFI updates now too.
> There are updates that can apply "in Debian" without a reboot for
> things like Thunderbolt controllers, docks, MST hubs, and various USB
> devices.

Fair enough. Do you have a pointer for examples of such updates? Unfortunately I updated my own Dell dock recently from Windows, so I can't easily check. Mostly I'm interested if it's a proprietary binary run on the host. That's its own can of worms. (Which technically is true for the EFI update too, but it's staged from outside of Linux on boot-up.)

Kind regards and thanks
Philipp Kern
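The two gating mechanisms Mario describes (a per-update minimum fwupd version, and staged percentage rollouts) plus the "update device XYZ before device ABC" ordering case, as an added illustration of how a self-hosted update repository of the kind Philipp asks for might apply such a policy; this is example code written for this page, not LVFS or fwupd code, and the update/client record shapes, field names and GUID strings are assumptions.

```python
import hashlib

def parse_version(v):
    """Split a dotted version string into a tuple of ints: '1.1.3' -> (1, 1, 3)."""
    return tuple(int(p) for p in v.split("."))

def version_ge(have, want):
    """True if 'have' is at least 'want'; shorter tuples are padded with zeros."""
    a, b = parse_version(have), parse_version(want)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def rollout_bucket(client_id, update_id):
    """Deterministic 0..99 cohort: a client always lands in the same bucket for a given
    update, so widening rollout_percent only adds clients and never flaps one client."""
    digest = hashlib.sha256(f"{client_id}:{update_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100

def should_serve(update, client):
    """Decide whether an update is offered to a client. Returns (serve, reason).
    update: {"id", "requires_fwupd", "requires_device": {guid: min_version}, "rollout_percent"}
    client: {"id", "fwupd_version", "devices": {guid: current_version}}  (assumed shapes)"""
    # 1) known-bad combination: the client's fwupd is older than the vendor's minimum
    if not version_ge(client["fwupd_version"], update["requires_fwupd"]):
        return False, "fwupd too old"
    # 1b) ordering: a prerequisite device must already be at a minimum version
    for guid, min_ver in update.get("requires_device", {}).items():
        current = client["devices"].get(guid)
        if current is None or not version_ge(current, min_ver):
            return False, f"prerequisite device {guid} not at {min_ver}"
    # 2) rate limiting: only cohorts below rollout_percent are offered the update
    if rollout_bucket(client["id"], update["id"]) >= update["rollout_percent"]:
        return False, "outside rollout cohort"
    return True, "ok"

# Constructed sample data (not real LVFS identifiers): a dock update that needs
# fwupd >= 1.1.0 and the Thunderbolt controller at >= 2.0.0, staged to 25% of cohorts.
DOCK_UPDATE = {"id": "dock-fw-1.2.0", "requires_fwupd": "1.1.0",
               "requires_device": {"tb-controller-guid": "2.0.0"}, "rollout_percent": 25}
CLIENT = {"id": "machine-0001", "fwupd_version": "1.1.2",
          "devices": {"tb-controller-guid": "2.0.1", "dock-guid": "1.1.0"}}

if __name__ == "__main__":
    print(should_serve(DOCK_UPDATE, CLIENT))
```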
