fwupd
fwupd is a simple daemon that allows updating the firmware of some devices, including the UEFI BIOS of several machines.
Supported devices are listed here and more are to come.
Installation
See #Setup for UEFI BIOS upgrade if you intend such a use.
Usage
You can get available devices by running:
$ fwupdmgr get-devices
To refresh metadata on available updates:
$ fwupdmgr refresh
To check which devices have updates:
$ fwupdmgr get-updates
To install updates:
$ fwupdmgr update
Setup for UEFI BIOS upgrade
- Make sure you are booted in UEFI mode.
- Verify your EFI variables are accessible.
- Mount your EFI system partition (ESP) properly.
esp is used to denote the mountpoint in this article.
Secure Boot
Currently, fwupd relies on shim to chainload the fwupd EFI binary on systems with Secure Boot enabled. For this to work, shim has to be installed correctly.
Using your own keys
Alternatively, you have to manually sign the UEFI executable used to perform upgrades, which is located in /usr/lib/fwupd/efi/fwupdx64.efi.
The signed UEFI executable is expected in /usr/lib/fwupd/efi/fwupdx64.efi.signed.
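Using sbsigntools, this can be achieved by running the following command; without an --output option, sbsign writes the result to the input path with .signed appended: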
# sbsign --key <keyfile> --cert <certfile> /usr/lib/fwupd/efi/fwupdx64.efi
To automatically sign this file when installed or upgraded, a Pacman hook can be used:
/etc/pacman.d/hooks/sign-fwupd-secureboot.hook
[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/lib/fwupd/efi/fwupdx64.efi

[Action]
When = PostTransaction
Exec = /usr/bin/sbsign --key <keyfile> --cert <certfile> /usr/lib/fwupd/efi/fwupdx64.efi
Depends = sbsigntools
Make sure to replace <keyfile> and <certfile> with the corresponding paths of your keys.
Finally, you have to change the line containing RequireShimForSecureBoot in /etc/fwupd/uefi.conf to RequireShimForSecureBoot=false.
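To confirm the steps above took effect, the following added example (not part of the original article or of fwupd) checks that the signed binary validates against your certificate with sbverify from sbsigntools and that the shim requirement is switched off. The function names and the --check argument are hypothetical; the paths and the configuration key are the ones given in this article.

```shell
#!/bin/sh
# Added example: post-setup check for the "Using your own keys" procedure.
# Paths and the config key are the ones named in this article.
SIGNED=/usr/lib/fwupd/efi/fwupdx64.efi.signed
CONF=/etc/fwupd/uefi.conf

# Print the value assigned to key $2 in conf file $1. Commented-out lines
# are ignored; if the key appears more than once the last assignment is
# printed (assumption about how duplicates are resolved).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed only if the conf file explicitly sets RequireShimForSecureBoot=false.
shim_requirement_disabled() {
    [ "$(conf_value "$1" RequireShimForSecureBoot)" = "false" ]
}

# Succeed only if image $1 exists, is non-empty, and carries a signature
# that validates against certificate $2.
signature_ok() {
    [ -s "$1" ] && sbverify --cert "$2" "$1" >/dev/null 2>&1
}

# Run both checks; $1 is the certificate that was passed to sbsign.
# Returns 0 if both pass, 1 otherwise.
check_setup() {
    rc=0
    if signature_ok "$SIGNED" "$1"; then
        echo "OK   $SIGNED verifies against $1"
    else
        echo "FAIL $SIGNED is missing or not signed by $1"; rc=1
    fi
    if shim_requirement_disabled "$CONF"; then
        echo "OK   RequireShimForSecureBoot=false"
    else
        echo "FAIL RequireShimForSecureBoot is not set to false in $CONF"; rc=1
    fi
    return $rc
}

# Usage: sh check-fwupd-sb.sh --check <certfile>
if [ "${1:-}" = "--check" ]; then check_setup "$2"; fi
```

A passing signature check only shows that the file was signed with your key, not that it was produced from the currently installed fwupdx64.efi, so run it after each fwupd upgrade to catch a hook that did not fire.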