fwupd
fwupd is an open-source daemon designed to facilitate the secure and reliable updating of device firmware on Linux-based systems, allowing session software such as graphical user interfaces to manage updates for hardware components like keyboards, mice, and system boards without requiring specialized vendor tools.[1] Developed primarily by Richard Hughes and hosted on GitHub, it integrates with the Linux Vendor Firmware Service (LVFS), a centralized repository where hardware vendors upload signed firmware images in a standardized.cab format, enabling automatic checks and installations via command-line tools like fwupdmgr or desktop environments such as GNOME Software and KDE Discover.[2][3]
Initiated in 2015 by Hughes, then working at Red Hat, fwupd addressed the longstanding challenge of firmware updates on Linux, which traditionally required booting into Windows or using outdated MS-DOS tools, by providing a standards-compliant framework that supports multiple protocols through extensible plugins, including UEFI, DFU, Thunderbolt, and USB devices.[4] The project has grown under the auspices of the Linux Foundation's LVFS initiative, with contributions from dozens of developers across companies like Red Hat and Dell, resulting in support for 1,800 devices from 140 vendors as of May 2025.[5][6][7]
Key features include explicit user consent for updates to prevent unintended changes, cryptographic verification using GnuPG and GnuTLS for authenticity, and compatibility with major distributions such as Fedora (since version 22), Ubuntu (since 16.04), Debian (since 9), and Red Hat Enterprise Linux (since 7.4), often requiring only non-root privileges for removable devices.[3] It emphasizes safety through rigorous testing, including Coverity scans and security audits, and has evolved through major releases like version 2.0 in October 2024, which introduced enhanced device support and improvements for embedded systems.[5][8]
History
Development origins
fwupd was created by Richard Hughes, a maintainer of the GNOME desktop environment, during 2014 and 2015 to address the absence of a standardized, open-source tool for managing firmware updates on Linux systems.[9][10] At the time, Linux users relied on vendor-specific or proprietary utilities, which were often incompatible or insecure, leaving desktops and other devices vulnerable to outdated firmware. The primary motivation was to enable safe, automatic firmware updates without requiring proprietary software, initially targeting desktop environments while designing the system to be extensible to embedded and server hardware.[9][10] Early development involved prototyping update mechanisms for open hardware devices, with the ColorHug color calibrator serving as a key proof-of-concept. Hughes tested fwupd using the device's HID interface to query firmware versions and enter bootloader mode via commands like GET_VERSION and RESET, demonstrating a standardized approach to enumeration and flashing without custom GUIs for each project.[10] This work stemmed from challenges in distributing firmware updates for the ColorHug, highlighting the need for a centralized, secure method to handle metadata on fixes and device compatibility.[11] The project saw its first public announcement in early 2015, with initial code shared on GitHub and discussions focusing on integration with GNOME session software for seamless user experiences.[9][2] To promote widespread adoption across Linux distributions, Hughes licensed fwupd under the GNU Lesser General Public License version 2.1 or later (LGPL v2.1+). This choice allowed vendors and developers to incorporate the daemon into both open and closed-source projects, fostering collaboration; concurrently, the Linux Vendor Firmware Service (LVFS) was developed as a complementary repository for hosting updates.[11]Major releases
The initial stable release of fwupd, version 0.1, occurred on March 17, 2015, marking the project's debut as an open-source daemon for managing Linux firmware updates.[9] This early version laid the foundation for safe, automated firmware deployment, initially focusing on USB and DFU-based devices while integrating with the emerging Linux Vendor Firmware Service (LVFS).[9] In 2017, fwupd reached version 1.0 on October 9, introducing broader UEFI capsule support to enable seamless firmware updates during system reboots without requiring proprietary tools.[12] This milestone enhanced compatibility with x86 platforms, allowing vendors to distribute UEFI-compliant updates via LVFS, and bumped the library soname to reflect API stability.[12] Version 1.5 arrived on October 26, 2020, bringing significant improvements to LVFS metadata handling, including support for the new Jcat format for signed metadata verification and expanded parsing capabilities for remote repositories.[13] These changes improved update reliability and security by enabling better validation of firmware artifacts before installation, alongside support for additional hardware protocols like CCIX and WAC.[14] The 2.0 series began with version 2.0.0 on October 4, 2024, featuring a redesigned device prober for more efficient hardware enumeration and enhanced security measures, such as improved handling of UEFI Secure Boot databases and stricter validation of update payloads.[15] This overhaul prioritized robustness against malformed firmware, expanding support for modern interfaces like Thunderbolt and NVMe while maintaining backward compatibility.[16] A notable recent milestone is version 2.0.17, released on November 5, 2025, which added client-side phased update deployment for gradual rollouts and support for post-quantum Dilithium signatures to future-proof against quantum computing threats.[17][18] These features enhance deployment control and cryptographic resilience, with the project hosted on GitHub at fwupd/fwupd and primarily implemented in C for performance and portability.[2] Fwupd follows semantic versioning, evolving from early triplet formats (major.minor.patch) to support flexible schemes like branch and plain for diverse firmware vendors, with a typical release cadence of approximately one stable update per month to incorporate bug fixes, hardware support, and security enhancements.[19]Design and functionality
Core components
The fwupd daemon serves as the central background service responsible for managing firmware updates on Linux systems. It performs device enumeration by scanning hardware through kernel interfaces, parses metadata to identify available updates, and schedules update operations accordingly. The daemon exposes its functionality to client applications via a D-Bus interface, enabling seamless integration with desktop environments and software managers.[20] Key libraries underpin the daemon's operations, with libfwupd providing the core logic for firmware handling and device interactions. This library, built on GObject-2.0, Gio-2.0, and Json-1.0, exports essential APIs for client applications to query and initiate updates. Complementing it is libfwupdplugin, which facilitates the implementation of modular plugins for device-specific support, ensuring extensibility without altering the core codebase.[21][22] Fwupd maintains an internal device database using Globally Unique Identifiers (GUIDs) to uniquely identify hardware components. GUIDs are 128-bit values generated via a UUID v5 algorithm from device instance IDs, such as USB vendor-product strings, allowing precise matching of firmware to devices. This system supports multiple GUIDs per device for varying levels of specificity, enabling robust enumeration and update targeting.[23] The daemon integrates with systemd for service management, leveraging timers and units like fwupd-refresh.timer to automate metadata refreshes and update checks. It also relies on kernel interfaces, including the efivar library for accessing UEFI variables, which is essential for firmware operations on EFI-based systems.[2][24] Modularity is a cornerstone of fwupd's architecture, achieved through its plugin system powered by libfwupdplugin. Plugins are loaded at daemon startup, hotplug events, or update triggers, each handling specific device protocols or policies via virtual functions. This design allows vendors or developers to extend support for new hardware by adding plugins, ordered by dependencies, without recompiling the core daemon.[25]Update mechanisms
Fwupd facilitates firmware updates through a combination of standardized protocols and modular plugins, enabling the daemon to handle diverse hardware without requiring user intervention for low-level details. The primary protocols include UEFI Capsule updates, which leverage the EFI System Resource Table (ESRT) to expose updatable firmware components to the operating system; this mechanism has been supported in the Linux kernel since version 4.2, allowing the creation of capsule files that are processed during the boot process.[26][27] For non-UEFI devices, fwupd employs direct flash methods, such as those using vendor-specific commands over USB, PCI, or other buses, often implemented via plugins that abstract the communication protocol.[25] These protocols ensure compatibility across embedded controllers, BIOS/UEFI systems, and peripherals like keyboards or network cards. The update workflow begins with device enumeration, where fwupd plugins scan for supported hardware using system interfaces like udev for USB and PCI devices, generating unique identifiers and globally unique identifiers (GUIDs) for each device.[2] Next, the daemon downloads metadata from the Linux Vendor Firmware Service (LVFS), typically via thefwupdmgr refresh command, which fetches compressed archives containing device compatibility information and available firmware versions.[6] Upon identifying applicable updates, fwupd creates update payloads—such as UEFI capsules for offline updates that are placed on the EFI System Partition and applied at reboot, or direct payloads for online updates executed while the system is running.[26] The process concludes with verification steps, including checksums and version comparisons, before invoking the appropriate plugin functions like write_firmware to apply the update.[25]
Safety is prioritized through several built-in mechanisms to minimize risks during updates. Atomic updates are supported where the underlying protocol allows, ensuring that firmware is written in a way that either completes fully or reverts without partial states, particularly for UEFI capsules which are designed to be idempotent.[25] Rollback capabilities are provided for devices that support version downgrades or dual-bank flashing, with fwupd preventing unsupported downgrades by enforcing minimum version thresholds defined in device metadata.[25] Hardware-specific checks include requirements for AC power (FWUPD_DEVICE_FLAG_REQUIRE_AC) to avoid interruptions on battery-powered systems, as well as pre-update validations like sufficient battery levels for laptops or thermal safeguards for SSDs.[25] These features are enforced via plugin flags and virtual functions such as prepare and cleanup, which handle environmental preconditions.[25] Since version 2.0.17, fwupd also supports client-side phased update deployments, enabling gradual rollouts to reduce the risk of widespread issues.[28]
Vendor-provided firmware is distributed in .cab archive files, which encapsulate binary payloads (e.g., .bin or .dfu files) alongside metadata in .metainfo.xml format detailing GUID matches, version information, and update requirements.[25] The fwupd daemon verifies the signature and compatibility of these files against enumerated devices before proceeding, using libraries like libarchive for extraction and GPG for authentication, ensuring only trusted updates are applied.[6] This format allows seamless integration with LVFS while supporting offline installations via local .cab files.[29]
Fwupd's extensibility relies on its plugin architecture, which allows developers to implement custom protocols for specialized hardware without altering the core daemon. Plugins can override functions like detach (to enter update mode) and attach (to return to normal operation), supporting protocols beyond standards like DFU or UEFI, such as NVMe commands for SSD firmware or HID over USB for peripherals.[25] For instance, the nvme plugin handles direct ATA or NVMe passthrough for storage devices, while peripheral-specific plugins like wacomhid manage Bluetooth or touch controller updates.[22] This modular design has enabled support for over 90 protocols as of 2025.[30]
Linux Vendor Firmware Service
Role and operation
The Linux Vendor Firmware Service (LVFS) serves as a secure, open metadata repository hosted by the Linux Foundation, enabling hardware vendors to distribute firmware updates for Linux users.[31][1] It functions as the backend infrastructure for the fwupd tool, providing a centralized platform where vendors can upload firmware packages without cost, ensuring broad accessibility for end-user devices such as desktops, laptops, and embedded systems.[32] The service emphasizes standards-compliant updates, focusing exclusively on individual user scenarios rather than enterprise-scale deployment tools.[1] In operation, vendors upload signed .cab archive files containing firmware binaries and associated metadata through a secure web console that requires username and password authentication.[32] These .cab files are processed and made available via HTTPS endpoints, allowing fwupd clients—such as the fwupdmgr command-line tool—to query the LVFS for device-specific metadata and initiate downloads.[2] For instance, users can refresh metadata periodically using thefwupdmgr refresh command, which fetches the latest updates from the service over a secure connection.[33] The fwupd daemon then interacts with this metadata on the client side to match and apply updates to supported hardware, presenting options through graphical interfaces like GNOME Software with user consent required before installation.[32]
The metadata structure within LVFS .cab files includes essential elements such as device flags (e.g., for update requirements like display access), checksums to verify file integrity (e.g., SHA-256 hashes for firmware content), and detailed release notes outlining changes, bug fixes, and urgency levels (low to critical).[23] These components are formatted in AppStream-compatible .metainfo.xml files, which also incorporate GUIDs for precise device identification and protocol specifications for update mechanisms.[23] This structured metadata ensures compatibility and transparency, enabling fwupd to filter and prioritize relevant updates without downloading unnecessary data.[34]
LVFS infrastructure is built on a GitLab-based platform, incorporating automated testing and validation pipelines to maintain reliability.[35] Upon upload, firmware undergoes rigorous checks, including header validation, CRC computations, and protocol-specific tests (e.g., for UEFI Capsules or DFU), with failures potentially blocking progression from embargoed testing remotes to stable release channels.[36] End-to-end validation involves vendors configuring private remotes for simulated updates using fwupd, ensuring seamless integration before public availability; metadata regeneration for stable branches can take up to 24 hours.[36] This pipeline-driven approach supports 179 vendors (as of October 2025) and millions of monthly updates, with over 135 million total firmware downloads delivered to date, prioritizing security and correctness for end-user firmware management.[32][37]
Vendor participation
Hardware vendors participate in the Linux Vendor Firmware Service (LVFS) by creating an account on the fwupd.org website, which serves as the primary portal for submissions.[38] Original design manufacturers (ODMs) can affiliate with original equipment manufacturers (OEMs) upon admin approval, allowing shared access for collaborative uploads.[38] Vendors then submit firmware updates either through the web interface on the LVFS upload page or via the API using authentication tokens, such as with curl commands for automated processes.[38] The LVFS repackages submissions into a standardized .cab archive format, signs the firmware with a detached GPG or PKCS#7 signature, and supports reuse of existing Windows Update signatures to streamline compatibility.[38][1] Firmware submissions must adhere to specific requirements to ensure compatibility with fwupd clients across Linux distributions. Each .cab file, limited to 2 GB, contains the binary firmware image (e.g., firmware.bin) and a Linux-specific metadata file (firmware.metainfo.xml) that includes device identifiers like GUIDs and versioning information in a semantic format such as 1.2.3.[38] All firmware must be digitally signed prior to upload, with the LVFS adding its own verification signatures during processing to maintain security.[38] Vendors provide detailed metadata to map devices correctly, enabling fwupd to identify applicable updates without proprietary tools.[1] Once uploaded, firmware enters a structured review process managed by the vendor and LVFS administrators. Initial uploads go to a private remote visible only to the submitting vendor, allowing internal testing and edits.[38] Approved files can then move to an embargoed remote for vendor group review, followed by a testing remote where public users opt-in for early access, and finally to the stable remote for broad distribution.[38] This staged approach ensures compliance with LVFS guidelines before release, with ODMs able to transfer ownership to OEMs as needed.[38] In August 2025, the Linux Foundation introduced a sustainability plan for LVFS, establishing vendor funding quotas based on the volume of firmware updates distributed through the service to support its ongoing operations and development.[39] Participation in LVFS offers vendors significant benefits, including a unified packaging format that supports both Linux via fwupd and Windows Update, thereby reducing development and maintenance costs for cross-platform firmware delivery.[38] By uploading to LVFS, vendors enable seamless over-the-air updates for Linux users, expanding market reach without custom distribution channels and fostering broader hardware support in open-source ecosystems.[1][40] Vendors also engage in the open-source community surrounding fwupd and LVFS, contributing code and plugins to enhance functionality. For instance, Dell has provided substantial development input, including support for their hardware protocols and active participation in firmware integration efforts.[1][41] These contributions help refine the ecosystem, ensuring robust compatibility for diverse devices.[1] A key challenge for vendors is ensuring firmware compatibility across varied Linux distributions, as the process requires adapting updates to work independently of Windows-specific utilities, though the standardized .cab format and metadata guidelines mitigate much of this complexity.[38][42]Supported hardware
Device categories
fwupd categorizes supported hardware into several key types, enabling firmware updates through specialized plugins that interface with device protocols such as UEFI capsules, USB, and network-based methods. These categories encompass consumer and enterprise devices, with a primary emphasis on improving system stability, security, and performance on Linux systems. Laptops and desktops form a core category, where fwupd facilitates UEFI BIOS and UEFI firmware updates for systems from multiple original equipment manufacturers (OEMs), including Dell, Lenovo, and HP. This support leverages the UEFI UpdateCapsule mechanism, allowing updates to be staged during boot without requiring vendor-specific Windows tools or external media. For instance, users can refresh system firmware on models like the ThinkPad T14 or Dell Precision workstations directly from the Linux environment, enhancing compatibility and reducing boot-time risks.[33][43][44] Storage devices, particularly solid-state drives (SSDs), represent another major category, with fwupd providing firmware updates for NVMe drives integrated into OEM configurations. Examples include Intel's Solidigm NVMe SSDs and Samsung NVMe models like the PM9B1, often distributed through vendor channels such as Lenovo's LVFS contributions. These updates address issues like suspend-resume reliability and performance degradation, applied via the NVMe Management Interface without interrupting data access.[45][46][47] Peripherals constitute a diverse group, including input devices and connectivity hardware, where fwupd enables over-the-air or USB-based firmware refreshes. Key examples encompass keyboards and mice from Logitech, USB-C docking stations from HP (e.g., USB-C 100W G6 Dock) and Lenovo (e.g., ThinkPad Thunderbolt 4 Dock), and specialized tools like color calibrators such as the Hughski ColorHug. This category extends to wireless peripherals and media controllers, allowing seamless integration with desktop environments.[48][49] Embedded and IoT devices receive limited but growing support, primarily through custom plugins for tablets, phones, and servers. While designed mainly for desktops, fwupd operates on ARM-based tablets and phones via protocols like DFU, and on headless servers using Redfish for remote management. This extends to IoT scenarios on compatible hardware, focusing on x86 and ARM architectures to broaden Linux's firmware ecosystem.[1][50][51] Overall, fwupd's scope covers thousands of device models as of 2025, spanning these categories and emphasizing modular plugin architecture for future expansion.[52]Vendor support
Dell was an early adopter of fwupd and the Linux Vendor Firmware Service (LVFS), joining in December 2015 and providing firmware updates for models such as the XPS and Latitude series.[53] The company has uploaded over 8,000 firmware files to the LVFS, with more than 500 in the last six months alone, supporting protocols like UEFI Capsule and Intel Thunderbolt.[52] Dell has contributed custom plugins to fwupd, including support for the UEFI ESRT table to enable updates on systems without full ESRT retrofitting.[54] Lenovo joined the LVFS in August 2018, offering firmware updates primarily for ThinkPad laptops, with additional coverage for IdeaPad models.[55] Over 3,500 firmware files are available, including recent uploads for UEFI Capsule and NVMe protocols, focusing on enterprise and consumer laptops.[52] Lenovo maintains regular release cycles, ensuring timely security and feature updates for supported hardware. Other key vendors include Acer, which began participation in 2019 with initial support for models like the Aspire A315, though activity has been limited to just a few firmware files with no recent uploads.[52] HP provides comprehensive support with over 400 firmware files, including 68 recent ones for UEFI Capsule updates across laptops and docks.[52] Framework has emerged as a recent contributor, adding keyboard firmware support in 2025 for the Laptop 16 via fwupd version 2.0.17.[56] Google has required fwupd compatibility for certified Chromebooks since December 2019, enabling peripheral and system updates on devices running Chrome OS.[57] Vendors like Dell and HP also collaborate on security enhancements, such as integration with Binarly for vulnerability scanning, and provide Product Security Incident Response Teams (PSIRT) for coordinated disclosures.[52] These contributions include ongoing firmware releases to address hardware-specific issues, expanding fwupd's utility beyond standard protocols. Despite broad adoption, coverage gaps persist, particularly with Apple, which offers no fwupd support for its hardware due to proprietary update mechanisms.[52] Similarly, many ARM-based vendors, such as those producing mobile SoCs, provide limited or no integration, restricting fwupd's applicability on non-x86 architectures.[58]Adoption and integration
In Linux distributions
fwupd is packaged as a standard component in major Linux distributions, enabling users to manage firmware updates through native package managers and system services. The package typically includes dependencies such as libgusb for handling USB-based device interactions, along with other libraries for metadata parsing and network operations.[59] A systemd service, fwupd.service, is provided to run the daemon automatically upon boot or when needed via D-Bus activation, facilitating seamless integration with desktop environments.[60] In Fedora, fwupd has been included by default since Fedora 22 in 2015 and is tightly integrated with GNOME Software, allowing for automatic detection and notification of available firmware updates during routine system checks.[61] The fwupd-refresh.timer is enabled by default in Server, IoT, and CoreOS editions since Fedora 39 to periodically refresh metadata from the Linux Vendor Firmware Service (LVFS), ensuring timely update availability.[62] Ubuntu has provided fwupd since version 16.04 (Xenial Xerus) through the universe repository, where it can be installed via apt and configured for use with GNOME Software or the command-line tool fwupdmgr.[63] Users must enable the universe repository if not already active, and the service operates on an opt-in basis to align with Ubuntu's security update policies. Other distributions offer fwupd with varying default configurations: Arch Linux includes it in the official extra repository, installable via pacman without additional setup.[64] Debian packages it in the main section, available since Debian 9 (Stretch), with the service requiring manual enabling for automated checks to prioritize security.[65] openSUSE provides fwupd in its main repositories, integrated with YaST and GNOME Software for straightforward deployment on Tumbleweed and Leap editions.[66] For enterprise or customized environments, distributions can define distro-specific metadata remotes in /etc/fwupd/remotes.d to override or supplement the default LVFS source, such as proxying updates through internal servers like Red Hat Satellite.[67] Proxy configurations are supported via environment variables or fwupd.conf to accommodate corporate networks.By hardware vendors
Dell has been a pioneer in supporting fwupd and the Linux Vendor Firmware Service (LVFS) since December 2015, when it became one of the first major vendors to publish BIOS updates to the repository, facilitating seamless firmware management on Linux systems.[53] For its Linux-certified models, such as those pre-installed with Ubuntu, Dell ensures fwupd is available out-of-the-box, allowing users to apply updates without additional tools or Windows dependencies.[54] This strategy includes dedicated resources for LVFS integration, prioritizing UEFI-capable devices to expand coverage across new product lines.[53] Lenovo joined the LVFS ecosystem in August 2018, integrating fwupd for BIOS updates on its ThinkPad and other systems, which required modifications to core libraries and the update portal to handle Lenovo's firmware formats.[55] This implementation enables Linux users to perform updates directly via fwupd, complementing Lenovo's remote management tools like XClarity for enterprise environments.[68] By providing capsule-based updates, Lenovo ensures compatibility with verified boot processes and reduces reliance on proprietary executables. Google maintains a custom fork of fwupd within Chromium OS, adapted since 2019 to align with ChromeOS's verified boot architecture for secure peripheral and system firmware updates.[69][70] This integration allows ChromeOS devices to leverage LVFS metadata while enforcing hardware-backed security checks, supporting a range of external devices without compromising the platform's integrity model. Broader industry trends reflect growing vendor commitment to Linux firmware ecosystems, with companies like Dell and Lenovo offering dedicated documentation and testing protocols for fwupd compatibility on their hardware.[71] This marks a significant shift from Windows-centric update tools, as vendors increasingly prioritize cross-platform standards to serve Linux users. As of November 2025, 149 vendors participate in the LVFS, collectively enabling firmware updates for millions of devices and serving more than 135 million downloads to Linux systems worldwide as of October 2025.[52][37]Security features
Firmware signing and verification
Fwupd ensures the integrity and authenticity of firmware updates through cryptographic signing and verification mechanisms integrated into its update pipeline. Vendors prepare firmware in cabinet (.cab) format, optionally signing payload files such as the binary image with detached GPG or PKCS#7 signatures to attest to their origin. These archives are uploaded to the Linux Vendor Firmware Service (LVFS), which verifies the submission for security compliance, repackages the .cab if needed, and applies its own detached GPG or PKCS#7 signature before distribution. This dual-signing process—vendor on payloads and LVFS on the archive—prevents unauthorized modifications during transit or storage.[38][72] The verification workflow occurs in stages to maintain a chain of trust. Upon refreshing metadata, fwupd downloads and verifies LVFS-signed JSON catalogs using public keys from configured keyrings, ensuring the listed updates are legitimate. For a selected update, fwupd retrieves the .cab file, validates its LVFS signature, and then inspects any embedded vendor signatures on the firmware payload before staging the update for application. This process supports multiple keyring types, including GPG keys in/etc/pki/fwupd-gpg/ and PKCS#7 certificates in /etc/pki/fwupd-pkcs7/, allowing verification against both LVFS community keys and local custom sets for enhanced flexibility.[73][74]
A key recent advancement came in fwupd version 2.0.17, released in November 2025, which added support for post-quantum Dilithium signatures. This lattice-based scheme provides resistance to quantum attacks that could compromise classical signatures like RSA or ECDSA, future-proofing firmware verification as quantum computing advances. The implementation integrates seamlessly with existing GPG and PKCS#7 workflows, enabling gradual adoption without disrupting current deployments.[17][18]
Key management defaults to the LVFS remote, relying on pre-distributed community keys for automatic trust establishment across consumer devices. In enterprise settings, administrators can configure custom remotes via /etc/fwupd/remotes.d/ or add proprietary keys to system keyring directories, supporting air-gapped networks or organization-specific certificate authorities while maintaining compatibility with LVFS metadata. This modular approach allows fine-grained control over trusted sources without altering core fwupd behavior.[72][75]
If signatures are missing, invalid, or indicate tampering, fwupd halts the update process and rejects the firmware, preventing potentially malicious installations. Errors are logged comprehensively to the systemd journal (journald) with details on the failure type—such as key mismatch or hash discrepancies—enabling administrators to diagnose issues like expired certificates or network interference. This strict policy underscores fwupd's commitment to secure-by-default operations.[73][76]
Host Security ID
The Host Security ID (HSI) is a standardized framework in fwupd that assesses and reports the overall security posture of a device's firmware by evaluating key hardware and firmware features. It defines discrete levels—HSI-1, HSI-2, and HSI-3—focusing on protections such as secure boot, memory safeguards, and boot integrity mechanisms, enabling end users to measure firmware security without specialized hardware or disabling protections. This system is primarily designed for x86-based laptops and desktops, though applicable to some server or embedded systems.[77] fwupd implements HSI by querying hardware via ACPI tables, UEFI variables, and kernel interfaces to detect enabled security features, then aggregates results into a report generated by thefwupdmgr security command (introduced in fwupd 1.5.0 and enhanced in later versions). These reports detail passed or failed checks, such as Secure Boot status or DMA protection, providing transparency into potential weaknesses. Firmware signing acts as a prerequisite for reliable HSI reporting, as it verifies the authenticity of the firmware under evaluation.[77]
HSI-1 represents a basic security state with foundational protections like enabled Secure Boot and BIOS update capabilities. HSI-2 builds on this with intermediate features, including Intel Trusted Execution Technology (TXT), System Management Mode (SMM) lockdown, or AMD Platform Security Processor (PSP) verification. HSI-3 achieves the highest level through full measured boot, incorporating TPM-based attestation and advanced memory encryption, though not all hardware supports this tier.[77]
In practice, HSI empowers users to identify firmware vulnerabilities, such as disabled rollback protection, and facilitates compliance auditing in enterprise environments. Linux distributions like Fedora integrate HSI reporting into their security tools for automated checks during system maintenance.[77]
Introduced in fwupd 1.5.0 in October 2020, the HSI framework initially targeted x86 UEFI systems but has plans to expand support to ARM and RISC-V architectures in future versions.[77][13]
Usage
Command-line interface
The primary command-line interface for fwupd is provided by thefwupdmgr binary, a client utility designed for interactive firmware management on Linux systems.[20] It allows users to discover devices, retrieve metadata, check for updates, and apply firmware upgrades without requiring a graphical environment, making it suitable for servers, headless systems, and scripted automation.[2] The tool communicates with the fwupd daemon and requires root privileges or polkit authorization for most operations to ensure secure access to hardware.[78]
To synchronize the latest firmware metadata from configured remotes, such as the Linux Vendor Firmware Service (LVFS), users run fwupdmgr refresh, which downloads and verifies update catalogs.[20] Forcing a refresh bypasses caching with the --force option, useful when troubleshooting stale data: fwupdmgr refresh --force. The fwupdmgr get-devices command lists all supported devices, displaying details like GUIDs, current versions, and capabilities, with optional filtering via --filter for targeted output.[20] Similarly, fwupdmgr get-updates shows available firmware releases for each device, including changelog summaries and required actions like reboots.[2]
Applying updates is handled by fwupdmgr upgrade, which stages and installs the latest firmware for eligible devices, potentially requiring a reboot to complete.[78] Options like --no-reboot enable offline mode for environments where immediate restarts are undesirable, while --allow-reboot permits automatic rebooting if needed: fwupdmgr upgrade --no-reboot.[2] For scripted or automated use, the --json flag outputs results in parseable JSON format, facilitating integration with tools like Ansible or custom scripts.[20] On headless systems, fwupdmgr supports SSH execution, allowing remote firmware management over secure connections.[2]
Device outputs from these commands include structured lists with version numbers, update statuses, and error diagnostics, such as checksum failures or unsupported hardware.[78] Best practices include running as root via sudo or configuring polkit for non-root access, and scheduling periodic refresh and get-updates checks via cron jobs for proactive maintenance, e.g., 0 2 * * 0 sudo fwupdmgr refresh --force.[2] For desktop users preferring visual interfaces, graphical alternatives exist but are not covered in CLI operations.[20]