Re: Install fwupd on a default installation
first of all thanks for your pointers!
On 27/12/2018 20:28, Mario.Limonciello@dell.com wrote:
Just the fact that the update claims that the hardware only accepts
signed updates or something else? :)
At a minimum a claim.
I will note - although slightly off-topic to the discussion at hand -
that it would be useful to people to be able to run their own repository
of updates and control the rollouts (and staging percentages)
themselves. I'm not actually suggesting that Debian would need to run
their own, but it'd be a useful service to the users who don't want to
send telemetry to the Linux Foundation - and furthermore have a
significant deployment where it's worth canarying the updates.
Entirely doable. LVFS can be set up locally with the firmware that is interesting
uploaded to that "instance". This will mean setting up a GPG key pair and signing
the firmware with that instance as well.
On fwupd clients a "remote" needs to be registered for that instance with the public
key and instance location.
So I suppose mirroring would entail fetching the firmware.xml.gz from
LVFS' CDN and then downloading and rewriting the release locations -
plus dealing with signing the metadata. That seems fairly straightforward.
If there would be a way to check the provenance of an updater package
(i.e. not just rely on arbitrary vendor authentication on the backend),
that'd still be nice.
(Plus percentage-based rollouts, but that's just yet another feature
Thanks, I found a note on  and if it's indeed per remote, it should
be fairly easy to manage.
FYI: Telemetry related to the update is entirely optional and "opt-in" after you've
performed an update.
Fair enough. Do you have a pointer for examples of such updates?
Unfortunately I updated my own Dell dock recently from Windows, so I
can't easily check. Mostly I'm interested if it's a proprietary binary
run on the host. That's its own can of worms. (Which technically is true
for the EFI update too, but it's staged from outside of Linux on
Executing proprietary binaries distributed in the CAB file is against fwupd
philosophy and prohibited. All code for the plugin that executes in Linux and
is distributed with fwupd must be open source.
fwupd only pulls "payloads" from the CAB files.
Regarding the examples I called out:
You can review the fwupd tree in the plugins/ directory to see the
* thunderbolt/ plugin which uses the kernel Thunderbolt interface
* dell-dock/ plugin which uses kernel USB interfaces
* dell/ plugin which uses a EFI binary for TPM and dock updates
* ebitdo/ plugin which uses kernel USB interfaces
* rts54hid/ rts54hub/ plugins which use kernel USB interfaces
There are many more, you can look more closely at your leisure.
The matching binaries that are on LVFS.
Here's some examples:
I cannot tell you how happy this makes me. This is awesome. Thank you
(and everyone else who contributed to this effort) for doing the right
thing! And obviously kudos to Dell for staffing this.
The plugin library seems to be on  and there's a sizable set of them.
Even an AMT updater. :o
Kind regards and thanks