Hubbry Logo
FwupdFwupdMain
Open search
Fwupd
Community hub
Fwupd
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Fwupd
Fwupd
Fwupd
View on Wikipedia
from Wikipedia
fwupd
Original authorRichard Hughes[1]
Initial release17 March 2015; 10 years ago (2015-03-17)[2]
Stable release
2.0:2.0.16Edit this on Wikidata / 12 September 2025; 38 days ago (12 September 2025)
Repositorygithub.com/fwupd/fwupd/
Written inC
Operating systemLinux
Typefirmware updates for Linux-based systems
LicenseLGPL v2.1
Websitefwupd.org Edit this at Wikidata

fwupd is an open-source daemon for managing the installation of firmware updates on Linux-based systems, developed by GNOME maintainer Richard Hughes.[1] It is designed primarily for servicing the Unified Extensible Firmware Interface (UEFI) firmware on supported devices via EFI System Resource Table (ESRT) and UEFI Capsule, which is supported in Linux kernel 4.2 and later. Previously, the initiation of UEFI firmware updates within an operating system could, on most systems, only be performed using Microsoft Windows or DOS-specific software. ESRT allows the firmware to expose updatable components to the operating system, which can pass a UEFI capsule with updated firmware for processing and installation on the next boot.[3][4][5] fwupd can also process other types of firmware update, for example SSD firmware. Updates can be exposed via a command line tool, or within graphical package managers (such as GNOME Software) via a D-Bus interface.[6]

Linux Vendor Firmware Service

[edit]

The Linux Vendor Firmware Service (LVFS) provides resources and support for helping vendors package their firmware updates to support the use of this framework, and serves as an online repository for obtaining these updates.[1][7] To provide a test case on systems where ESRT is not yet supported, fwupd is also able to update firmware on the ColorHug color calibrator.[6]

Adoption

[edit]

Several Linux distributions use fwupd, including:

In December 2015, it was revealed that Hughes had been working with a Dell developer to test the system on actual hardware, and that its Dell Edge Gateway product will support firmware servicing via fwupd. Hughes reported that the company was also "considering expanding out the LVFS support to all new models supporting UEFI updates".[1] In August 2018, Lenovo joined the project and provides update support for a wide range of their devices.[9]

In September 2019, Acer joined the project, with initial support for their Aspire A315 model.[10] Starting from December 2019, Google requires that firmware updates can be applied with fwupd for certified Chromebooks.[11]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Fwupd

View on Grokipedia
from Grokipedia
fwupd is an open-source daemon designed to facilitate the secure and reliable updating of device firmware on Linux-based systems, allowing session software such as graphical user interfaces to manage updates for hardware components like keyboards, mice, and system boards without requiring specialized vendor tools. Developed primarily by Richard Hughes and hosted on GitHub, it integrates with the Linux Vendor Firmware Service (LVFS), a centralized repository where hardware vendors upload signed firmware images in a standardized .cab format, enabling automatic checks and installations via command-line tools like fwupdmgr or desktop environments such as GNOME Software and KDE Discover. Initiated in 2015 by Hughes, then working at , fwupd addressed the longstanding challenge of firmware updates on , which traditionally required booting into Windows or using outdated tools, by providing a standards-compliant framework that supports multiple protocols through extensible plugins, including , DFU, , and USB devices. The project has grown under the auspices of the Linux Foundation's LVFS initiative, with contributions from dozens of developers across companies like and , resulting in support for 1,800 devices from 140 vendors as of May 2025. Key features include explicit user consent for updates to prevent unintended changes, cryptographic verification using GnuPG and for authenticity, and compatibility with major distributions such as (since version 22), (since 16.04), (since 9), and (since 7.4), often requiring only non-root privileges for removable devices. It emphasizes safety through rigorous testing, including scans and security audits, and has evolved through major releases like version 2.0 in October 2024, which introduced enhanced device support and improvements for embedded systems.

History

Development origins

fwupd was created by Richard Hughes, a maintainer of the GNOME desktop environment, during 2014 and 2015 to address the absence of a standardized, open-source tool for managing firmware updates on Linux systems. At the time, Linux users relied on vendor-specific or proprietary utilities, which were often incompatible or insecure, leaving desktops and other devices vulnerable to outdated firmware. The primary motivation was to enable safe, automatic firmware updates without requiring proprietary software, initially targeting desktop environments while designing the system to be extensible to embedded and server hardware. Early development involved prototyping update mechanisms for open hardware devices, with the ColorHug color calibrator serving as a key proof-of-concept. Hughes tested fwupd using the device's HID interface to query firmware versions and enter mode via commands like GET_VERSION and RESET, demonstrating a standardized approach to enumeration and flashing without custom GUIs for each project. This work stemmed from challenges in distributing updates for the ColorHug, highlighting the need for a centralized, secure method to handle metadata on fixes and device compatibility. The project saw its first in early 2015, with initial code shared on and discussions focusing on integration with session software for seamless user experiences. To promote widespread adoption across distributions, Hughes licensed fwupd under the GNU Lesser General Public License version 2.1 or later (LGPL v2.1+). This choice allowed vendors and developers to incorporate the daemon into both open and closed-source projects, fostering collaboration; concurrently, the Vendor Firmware Service (LVFS) was developed as a complementary repository for hosting updates.

Major releases

The initial stable release of fwupd, version 0.1, occurred on March 17, 2015, marking the project's debut as an open-source daemon for managing firmware updates. This early version laid the foundation for safe, automated firmware deployment, initially focusing on USB and DFU-based devices while integrating with the emerging Vendor Firmware Service (LVFS). In 2017, fwupd reached version 1.0 on October 9, introducing broader capsule support to enable seamless firmware updates during system reboots without requiring proprietary tools. This milestone enhanced compatibility with x86 platforms, allowing vendors to distribute UEFI-compliant updates via LVFS, and bumped the library to reflect API stability. Version 1.5 arrived on October 26, 2020, bringing significant improvements to LVFS metadata handling, including support for the new Jcat format for signed metadata verification and expanded parsing capabilities for remote repositories. These changes improved update reliability and security by enabling better validation of firmware artifacts before installation, alongside support for additional hardware protocols like CCIX and WAC. The 2.0 series began with version 2.0.0 on October 4, 2024, featuring a redesigned device prober for more efficient hardware enumeration and enhanced measures, such as improved handling of Secure Boot databases and stricter validation of update payloads. This overhaul prioritized robustness against malformed firmware, expanding support for modern interfaces like and NVMe while maintaining . A notable recent milestone is version 2.0.17, released on November 5, 2025, which added client-side phased update deployment for gradual rollouts and support for post-quantum signatures to future-proof against threats. These features enhance deployment control and cryptographic resilience, with the project hosted on at fwupd/fwupd and primarily implemented in C for performance and portability. Fwupd follows semantic versioning, evolving from early triplet formats (major.minor.patch) to support flexible schemes like branch and plain for diverse firmware vendors, with a typical release cadence of approximately one stable update per month to incorporate bug fixes, hardware support, and security enhancements.

Design and functionality

Core components

The fwupd daemon serves as the central background service responsible for managing updates on systems. It performs device enumeration by scanning hardware through kernel interfaces, parses metadata to identify available updates, and schedules update operations accordingly. The daemon exposes its functionality to client applications via a interface, enabling seamless integration with desktop environments and software managers. Key libraries underpin the daemon's operations, with libfwupd providing the core logic for firmware handling and device interactions. This library, built on GObject-2.0, Gio-2.0, and Json-1.0, exports essential APIs for client applications to query and initiate updates. Complementing it is libfwupdplugin, which facilitates the implementation of modular plugins for device-specific support, ensuring extensibility without altering the core codebase. Fwupd maintains an internal device database using Globally Unique Identifiers (GUIDs) to uniquely identify hardware components. GUIDs are 128-bit values generated via a UUID v5 algorithm from device instance IDs, such as USB vendor-product strings, allowing precise matching of firmware to devices. This system supports multiple GUIDs per device for varying levels of specificity, enabling robust enumeration and update targeting. The daemon integrates with for service management, leveraging s and units like fwupd-refresh. to automate metadata refreshes and update checks. It also relies on kernel interfaces, including the efivar library for accessing variables, which is essential for firmware operations on EFI-based systems. Modularity is a cornerstone of fwupd's architecture, achieved through its plugin system powered by libfwupdplugin. Plugins are loaded at daemon startup, hotplug events, or update triggers, each handling specific device protocols or policies via virtual functions. This allows vendors or developers to extend support for new hardware by adding plugins, ordered by dependencies, without recompiling the core daemon.

Update mechanisms

Fwupd facilitates firmware updates through a combination of standardized protocols and modular plugins, enabling the daemon to handle diverse hardware without requiring user intervention for low-level details. The primary protocols include UEFI Capsule updates, which leverage the EFI System Resource Table (ESRT) to expose updatable firmware components to the operating system; this mechanism has been supported in the since version 4.2, allowing the creation of capsule files that are processed during the boot process. For non-UEFI devices, fwupd employs direct flash methods, such as those using vendor-specific commands over USB, PCI, or other buses, often implemented via plugins that abstract the . These protocols ensure compatibility across embedded controllers, / systems, and peripherals like keyboards or network cards. The update workflow begins with device enumeration, where fwupd plugins scan for supported hardware using system interfaces like for USB and PCI devices, generating unique identifiers and globally unique identifiers (GUIDs) for each device. Next, the daemon downloads metadata from the Linux Vendor Firmware Service (LVFS), typically via the fwupdmgr refresh command, which fetches compressed archives containing device compatibility information and available versions. Upon identifying applicable updates, fwupd creates update payloads—such as UEFI capsules for offline updates that are placed on the and applied at reboot, or direct payloads for online updates executed while the system is running. The process concludes with verification steps, including checksums and version comparisons, before invoking the appropriate plugin functions like write_firmware to apply the update. Safety is prioritized through several built-in mechanisms to minimize risks during updates. Atomic updates are supported where the underlying protocol allows, ensuring that is written in a way that either completes fully or reverts without partial states, particularly for capsules which are designed to be idempotent. Rollback capabilities are provided for devices that support version downgrades or dual-bank flashing, with fwupd preventing unsupported downgrades by enforcing minimum version thresholds defined in device metadata. Hardware-specific checks include requirements for (FWUPD_DEVICE_FLAG_REQUIRE_AC) to avoid interruptions on battery-powered systems, as well as pre-update validations like sufficient battery levels for laptops or thermal safeguards for SSDs. These features are enforced via plugin flags and virtual functions such as prepare and cleanup, which handle environmental preconditions. Since version 2.0.17, fwupd also supports client-side phased update deployments, enabling gradual rollouts to reduce the risk of widespread issues. Vendor-provided firmware is distributed in .cab files, which encapsulate binary payloads (e.g., .bin or .dfu files) alongside metadata in .metainfo.xml format detailing GUID matches, version , and update requirements. The fwupd daemon verifies the and compatibility of these files against enumerated devices before proceeding, using libraries like libarchive for extraction and GPG for , ensuring only trusted updates are applied. This format allows seamless integration with LVFS while supporting offline installations via local .cab files. Fwupd's extensibility relies on its plugin architecture, which allows developers to implement custom protocols for specialized hardware without altering the core daemon. Plugins can override functions like detach (to enter update mode) and attach (to return to normal operation), supporting protocols beyond standards like DFU or , such as NVMe commands for SSD or HID over USB for peripherals. For instance, the nvme plugin handles direct ATA or NVMe passthrough for storage devices, while peripheral-specific plugins like wacomhid manage or touch controller updates. This modular design has enabled support for over 90 protocols as of 2025.

Linux Vendor Firmware Service

Role and operation

The Vendor Firmware Service (LVFS) serves as a secure, open metadata repository hosted by the , enabling hardware vendors to distribute firmware updates for users. It functions as the backend infrastructure for the fwupd tool, providing a centralized platform where vendors can upload firmware packages without cost, ensuring broad accessibility for end-user devices such as desktops, laptops, and embedded systems. The service emphasizes standards-compliant updates, focusing exclusively on individual user scenarios rather than enterprise-scale deployment tools. In operation, vendors upload signed .cab archive files containing firmware binaries and associated metadata through a secure web console that requires username and password authentication. These .cab files are processed and made available via endpoints, allowing fwupd clients—such as the fwupdmgr command-line tool—to query the LVFS for device-specific metadata and initiate downloads. For instance, users can refresh metadata periodically using the fwupdmgr refresh command, which fetches the latest updates from the service over a secure connection. The fwupd daemon then interacts with this metadata on the client side to match and apply updates to supported hardware, presenting options through graphical interfaces like Software with user consent required before installation. The metadata structure within LVFS .cab files includes essential elements such as device flags (e.g., for update requirements like display access), checksums to verify file integrity (e.g., SHA-256 hashes for content), and detailed outlining changes, bug fixes, and urgency levels (low to critical). These components are formatted in AppStream-compatible .metainfo.xml files, which also incorporate GUIDs for precise device identification and protocol specifications for update mechanisms. This structured metadata ensures compatibility and transparency, enabling fwupd to filter and prioritize relevant updates without downloading unnecessary data. LVFS infrastructure is built on a GitLab-based platform, incorporating automated testing and validation pipelines to maintain reliability. Upon upload, firmware undergoes rigorous checks, including header validation, CRC computations, and protocol-specific tests (e.g., for Capsules or DFU), with failures potentially blocking progression from embargoed testing remotes to stable release channels. End-to-end validation involves vendors configuring private remotes for simulated updates using fwupd, ensuring seamless integration before public availability; metadata regeneration for stable branches can take up to 24 hours. This pipeline-driven approach supports 179 vendors (as of October 2025) and millions of monthly updates, with over 135 million total firmware downloads delivered to date, prioritizing and correctness for end-user management.

Vendor participation

Hardware vendors participate in the Vendor Firmware Service (LVFS) by creating an account on the fwupd.org website, which serves as the primary portal for submissions. Original design manufacturers (ODMs) can affiliate with original equipment manufacturers (OEMs) upon admin approval, allowing shared access for collaborative . Vendors then submit updates either through the web interface on the LVFS upload page or via the using authentication tokens, such as with commands for automated processes. The LVFS repackages submissions into a standardized .cab archive format, signs the with a detached GPG or signature, and supports reuse of existing signatures to streamline compatibility. Firmware submissions must adhere to specific requirements to ensure compatibility with fwupd clients across distributions. Each .cab file, limited to 2 GB, contains the binary image (e.g., firmware.bin) and a Linux-specific metadata file (firmware.metainfo.xml) that includes device identifiers like GUIDs and versioning information in a semantic format such as 1.2.3. All must be digitally signed prior to , with the LVFS adding its own verification signatures during processing to maintain . Vendors provide detailed metadata to map devices correctly, enabling fwupd to identify applicable updates without proprietary tools. Once uploaded, firmware enters a structured review process managed by the vendor and LVFS administrators. Initial uploads go to a private remote visible only to the submitting vendor, allowing internal testing and edits. Approved files can then move to an embargoed remote for vendor group review, followed by a testing remote where public users opt-in for early access, and finally to the stable remote for broad distribution. This staged approach ensures compliance with LVFS guidelines before release, with ODMs able to transfer ownership to OEMs as needed. In August 2025, the introduced a sustainability plan for LVFS, establishing vendor funding quotas based on the volume of updates distributed through the service to support its ongoing operations and development. Participation in LVFS offers vendors significant benefits, including a unified packaging format that supports both via fwupd and , thereby reducing development and maintenance costs for cross-platform delivery. By uploading to LVFS, vendors enable seamless over-the-air updates for users, expanding market reach without custom distribution channels and fostering broader hardware support in open-source ecosystems. Vendors also engage in the open-source community surrounding fwupd and LVFS, contributing code and plugins to enhance functionality. For instance, has provided substantial development input, including support for their hardware protocols and active participation in firmware integration efforts. These contributions help refine the ecosystem, ensuring robust compatibility for diverse devices. A key challenge for vendors is ensuring firmware compatibility across varied Linux distributions, as the process requires adapting updates to work independently of Windows-specific utilities, though the standardized .cab format and metadata guidelines mitigate much of this complexity.

Supported hardware

Device categories

fwupd categorizes supported hardware into several key types, enabling firmware updates through specialized plugins that interface with device protocols such as UEFI capsules, USB, and network-based methods. These categories encompass consumer and enterprise devices, with a primary emphasis on improving system stability, security, and performance on Linux systems. Laptops and desktops form a core category, where fwupd facilitates UEFI BIOS and UEFI firmware updates for systems from multiple original equipment manufacturers (OEMs), including , , and HP. This support leverages the UEFI UpdateCapsule mechanism, allowing updates to be staged during boot without requiring vendor-specific Windows tools or external media. For instance, users can refresh system firmware on models like the T14 or workstations directly from the environment, enhancing compatibility and reducing boot-time risks. Storage devices, particularly solid-state drives (SSDs), represent another major category, with fwupd providing firmware updates for NVMe drives integrated into OEM configurations. Examples include Intel's Solidigm NVMe SSDs and NVMe models like the PM9B1, often distributed through vendor channels such as Lenovo's LVFS contributions. These updates address issues like suspend-resume reliability and performance degradation, applied via the NVMe Management Interface without interrupting data access. Peripherals constitute a diverse group, including input devices and connectivity hardware, where fwupd enables over-the-air or USB-based firmware refreshes. Key examples encompass keyboards and mice from , USB-C docking stations from HP (e.g., USB-C 100W G6 Dock) and (e.g., Thunderbolt 4 Dock), and specialized tools like color calibrators such as the Hughski ColorHug. This category extends to wireless peripherals and media controllers, allowing seamless integration with desktop environments. Embedded and IoT devices receive limited but growing support, primarily through custom plugins for tablets, phones, and servers. While designed mainly for desktops, fwupd operates on -based tablets and phones via protocols like DFU, and on headless servers using for remote management. This extends to IoT scenarios on compatible hardware, focusing on x86 and architectures to broaden Linux's ecosystem. Overall, fwupd's scope covers thousands of device models as of 2025, spanning these categories and emphasizing modular plugin architecture for future expansion.

Vendor support

was an early adopter of fwupd and the Linux Vendor Firmware Service (LVFS), joining in December 2015 and providing firmware updates for models such as the XPS and series. The company has uploaded over 8,000 firmware files to the LVFS, with more than 500 in the last six months alone, supporting protocols like Capsule and . has contributed custom plugins to fwupd, including support for the ESRT table to enable updates on systems without full ESRT retrofitting. Lenovo joined the LVFS in August 2018, offering firmware updates primarily for laptops, with additional coverage for models. Over 3,500 firmware files are available, including recent uploads for UEFI Capsule and NVMe protocols, focusing on enterprise and consumer laptops. Lenovo maintains regular release cycles, ensuring timely security and feature updates for supported hardware. Other key vendors include Acer, which began participation in 2019 with initial support for models like the Aspire A315, though activity has been limited to just a few firmware files with no recent uploads. HP provides comprehensive support with over 400 firmware files, including 68 recent ones for UEFI Capsule updates across laptops and docks. Framework has emerged as a recent contributor, adding keyboard firmware support in 2025 for the Laptop 16 via fwupd version 2.0.17. has required fwupd compatibility for certified Chromebooks since December 2019, enabling peripheral and system updates on devices running Chrome OS. Vendors like and HP also collaborate on security enhancements, such as integration with Binarly for vulnerability scanning, and provide Product Security Incident Response Teams (PSIRT) for coordinated disclosures. These contributions include ongoing releases to address hardware-specific issues, expanding fwupd's utility beyond standard protocols. Despite broad adoption, coverage gaps persist, particularly with Apple, which offers no fwupd support for its hardware due to update mechanisms. Similarly, many ARM-based vendors, such as those producing mobile SoCs, provide limited or no integration, restricting fwupd's applicability on non-x86 architectures.

Adoption and integration

In Linux distributions

fwupd is packaged as a standard component in major distributions, enabling users to manage firmware updates through native package managers and services. The package typically includes dependencies such as libgusb for handling USB-based device interactions, along with other libraries for metadata parsing and network operations. A service, fwupd.service, is provided to run the daemon automatically upon boot or when needed via activation, facilitating seamless integration with desktop environments. In , fwupd has been included by default since Fedora 22 in 2015 and is tightly integrated with Software, allowing for automatic detection and notification of available firmware updates during routine system checks. The fwupd-refresh.timer is enabled by default in Server, IoT, and CoreOS editions since Fedora 39 to periodically refresh metadata from the Linux Vendor Firmware Service (LVFS), ensuring timely update availability. Ubuntu has provided fwupd since version 16.04 (Xenial Xerus) through the universe repository, where it can be installed via apt and configured for use with Software or the command-line tool fwupdmgr. Users must enable the universe repository if not already active, and the service operates on an opt-in basis to align with 's security update policies. Other distributions offer fwupd with varying default configurations: includes it in the official extra repository, installable via without additional setup. packages it in the main section, available since Debian 9 (Stretch), with the service requiring manual enabling for automated checks to prioritize security. provides fwupd in its main repositories, integrated with YaST and Software for straightforward deployment on and Leap editions. For enterprise or customized environments, distributions can define distro-specific metadata remotes in /etc/fwupd/remotes.d to override or supplement the default LVFS source, such as proxying updates through internal servers like . Proxy configurations are supported via environment variables or fwupd.conf to accommodate corporate networks.

By hardware vendors

has been a pioneer in supporting fwupd and the Linux Vendor Firmware Service (LVFS) since December 2015, when it became one of the first major vendors to publish updates to the repository, facilitating seamless firmware management on systems. For its Linux-certified models, such as those pre-installed with , ensures fwupd is available out-of-the-box, allowing users to apply updates without additional tools or Windows dependencies. This strategy includes dedicated resources for LVFS integration, prioritizing UEFI-capable devices to expand coverage across new product lines. Lenovo joined the LVFS ecosystem in August 2018, integrating fwupd for updates on its and other systems, which required modifications to core libraries and the update portal to handle Lenovo's firmware formats. This implementation enables users to perform updates directly via fwupd, complementing Lenovo's remote management tools like XClarity for enterprise environments. By providing capsule-based updates, Lenovo ensures compatibility with verified boot processes and reduces reliance on proprietary executables. Google maintains a custom fork of fwupd within OS, adapted since 2019 to align with 's verified architecture for secure peripheral and system firmware updates. This integration allows devices to leverage LVFS metadata while enforcing hardware-backed security checks, supporting a range of external devices without compromising the platform's integrity model. Broader industry trends reflect growing vendor commitment to firmware ecosystems, with companies like and offering dedicated documentation and testing protocols for fwupd compatibility on their hardware. This marks a significant shift from Windows-centric update tools, as vendors increasingly prioritize cross-platform standards to serve users. As of November 2025, 149 vendors participate in the LVFS, collectively enabling updates for millions of devices and serving more than 135 million downloads to systems worldwide as of October 2025.

Security features

Firmware signing and verification

Fwupd ensures the integrity and authenticity of firmware updates through cryptographic signing and verification mechanisms integrated into its update pipeline. Vendors prepare firmware in cabinet (.cab) format, optionally signing payload files such as the binary image with detached GPG or PKCS#7 signatures to attest to their origin. These archives are uploaded to the Linux Vendor Firmware Service (LVFS), which verifies the submission for security compliance, repackages the .cab if needed, and applies its own detached GPG or PKCS#7 signature before distribution. This dual-signing process—vendor on payloads and LVFS on the archive—prevents unauthorized modifications during transit or storage. The verification workflow occurs in stages to maintain a . Upon refreshing metadata, fwupd downloads and verifies LVFS-signed catalogs using public keys from configured keyrings, ensuring the listed updates are legitimate. For a selected update, fwupd retrieves the .cab file, validates its LVFS , and then inspects any embedded vendor signatures on the before staging the update for application. This process supports multiple keyring types, including GPG keys in /etc/pki/fwupd-gpg/ and certificates in /etc/pki/fwupd-pkcs7/, allowing verification against both LVFS community keys and local custom sets for enhanced flexibility. A key recent advancement came in fwupd version 2.0.17, released in November 2025, which added support for post-quantum signatures. This lattice-based scheme provides resistance to quantum attacks that could compromise classical signatures like RSA or ECDSA, future-proofing verification as advances. The implementation integrates seamlessly with existing GPG and workflows, enabling gradual adoption without disrupting current deployments. Key management defaults to the LVFS remote, relying on pre-distributed keys for automatic trust establishment across consumer devices. In enterprise settings, administrators can configure custom remotes via /etc/fwupd/remotes.d/ or add keys to keyring directories, supporting air-gapped networks or organization-specific certificate authorities while maintaining compatibility with LVFS metadata. This modular approach allows fine-grained control over trusted sources without altering core fwupd behavior. If signatures are missing, invalid, or indicate tampering, fwupd halts the update process and rejects the firmware, preventing potentially malicious installations. Errors are logged comprehensively to the with details on the failure type—such as key mismatch or hash discrepancies—enabling administrators to diagnose issues like expired certificates or network interference. This strict policy underscores fwupd's commitment to secure-by-default operations.

Host Security ID

The Host Security ID (HSI) is a standardized framework in fwupd that assesses and reports the overall posture of a device's by evaluating key hardware and features. It defines discrete levels—HSI-1, HSI-2, and HSI-3—focusing on protections such as , safeguards, and integrity mechanisms, enabling end users to measure without specialized hardware or disabling protections. This system is primarily designed for x86-based laptops and desktops, though applicable to some server or embedded systems. fwupd implements HSI by querying hardware via tables, variables, and kernel interfaces to detect enabled features, then aggregates results into a report generated by the fwupdmgr security command (introduced in fwupd 1.5.0 and enhanced in later versions). These reports detail passed or failed checks, such as Secure Boot status or DMA protection, providing transparency into potential weaknesses. Firmware signing acts as a prerequisite for reliable HSI reporting, as it verifies the authenticity of the firmware under evaluation. HSI-1 represents a basic security state with foundational protections like enabled Secure Boot and BIOS update capabilities. HSI-2 builds on this with intermediate features, including (TXT), (SMM) lockdown, or (PSP) verification. HSI-3 achieves the highest level through full measured boot, incorporating TPM-based attestation and advanced memory encryption, though not all hardware supports this tier. In practice, HSI empowers users to identify firmware vulnerabilities, such as disabled , and facilitates compliance auditing in enterprise environments. distributions like integrate HSI reporting into their security tools for automated checks during system maintenance. Introduced in fwupd 1.5.0 in October 2020, the HSI framework initially targeted x86 UEFI systems but has plans to expand support to and architectures in future versions.

Usage

Command-line interface

The primary command-line interface for fwupd is provided by the fwupdmgr binary, a client utility designed for interactive firmware management on systems. It allows users to discover devices, retrieve metadata, check for updates, and apply upgrades without requiring a graphical environment, making it suitable for servers, headless systems, and scripted automation. The tool communicates with the fwupd daemon and requires root privileges or authorization for most operations to ensure secure access to hardware. To synchronize the latest firmware metadata from configured remotes, such as the Linux Vendor Firmware Service (LVFS), users run fwupdmgr refresh, which downloads and verifies update catalogs. Forcing a refresh bypasses caching with the --force option, useful when troubleshooting stale data: fwupdmgr refresh --force. The fwupdmgr get-devices command lists all supported devices, displaying details like GUIDs, current versions, and capabilities, with optional filtering via --filter for targeted output. Similarly, fwupdmgr get-updates shows available releases for each device, including changelog summaries and required actions like reboots. Applying updates is handled by fwupdmgr upgrade, which stages and installs the latest for eligible devices, potentially requiring a to complete. Options like --no-reboot enable offline mode for environments where immediate restarts are undesirable, while --allow-reboot permits automatic ing if needed: fwupdmgr upgrade --no-reboot. For scripted or automated use, the --json flag outputs results in parseable format, facilitating integration with tools like or custom scripts. On headless systems, fwupdmgr supports SSH execution, allowing remote firmware management over secure connections. Device outputs from these commands include structured lists with version numbers, update statuses, and error diagnostics, such as failures or unsupported hardware. Best practices include running as root via or configuring for non-root access, and scheduling periodic refresh and get-updates checks via jobs for proactive maintenance, e.g., 0 2 * * 0 sudo fwupdmgr refresh --force. For desktop users preferring visual interfaces, graphical alternatives exist but are not covered in CLI operations.

Graphical interfaces

GNOME Software provides native integration with fwupd as the default graphical frontend for firmware updates in -based environments, enabling users to discover, download, and apply updates directly within the software center since version 3.22 released in 2016. This integration allows for seamless one-click application of updates alongside regular software packages, leveraging fwupd's interface to query available updates from the Linux Vendor Firmware Service (LVFS). In , Discover serves as the primary graphical interface for fwupd, with support added in Plasma 5.14 in 2018 to handle firmware updates similarly to application updates. For users preferring or distributions, Discover can manage fwupd-related updates through its backend plugins, ensuring compatibility across different packaging formats. In environments, fwupd functionality is accessible via lightweight GUI wrappers such as installed alongside the desktop or dedicated tools like firmware-manager, providing a simple interface without requiring a full stack. Common features across these graphical interfaces include notification badges that alert users to available firmware updates in the system tray or software center, and progress bars that visually track the download and installation process for transparency during updates. These elements enhance user experience by making firmware management intuitive and non-intrusive, with the fwupd daemon serving as the backend to handle the actual update mechanics. For cross-desktop compatibility, the standalone Firmware Updater application offers a dedicated GTK-based tool for managing fwupd updates independently of any software center, supporting upgrade, downgrade, and reinstall operations on compatible devices. Available via Flathub, it includes accessibility enhancements such as themed icons for better visual consistency, full internationalization with translations in multiple languages, and support for offline queuing to schedule updates for later application without an internet connection.

References

  1. https://fwupd.org/
  2. https://github.com/fwupd/fwupd
  3. https://fwupd.org/lvfs/docs/users
  4. https://hughsie.com/
  5. https://fwupd.org/lvfs/docs/developers
  6. https://developers.redhat.com/articles/2023/10/06/use-fwupd-deploy-linux-firmware-updates-and-more
  7. https://people.freedesktop.org/~hughsient/temp/Prem%27Day%20LVFS%20and%20fwupd.pdf
  8. https://9to5linux.com/fwupd-2-0-open-source-linux-firmware-updater-released-with-major-changes
  9. https://www.phoronix.com/news/fwupd-UEFI-Firmware-Update
  10. https://blogs.gnome.org/hughsie/2015/04/28/updating-openhardware-firmware/
  11. https://blogs.gnome.org/hughsie/2021/09/23/colorhug-openhardware-and-fwupd/
  12. https://blogs.gnome.org/hughsie/2017/10/09/fwupd-hits-1-0-0/
  13. https://blogs.gnome.org/hughsie/2020/10/26/new-fwupd-1-5-0-release/
  14. https://www.phoronix.com/news/Fwupd-1.5-Released
  15. https://blogs.gnome.org/hughsie/2024/10/04/fwupd-2-0-0/
  16. https://www.colocrossing.com/blog/fwupd-2-0-released-for-open-source/
  17. https://www.phoronix.com/news/Fwupd-2.0.17-Released
  18. https://www.webpronews.com/fwupds-quantum-shield-decoding-the-2-0-17-linux-firmware-revolution/
  19. https://github.com/fwupd/fwupd/discussions/5337
  20. https://fwupd.github.io/libfwupdplugin/fwupdmgr.html
  21. https://fwupd.github.io/libfwupd/index.html
  22. https://fwupd.github.io/libfwupdplugin/index.html
  23. https://lvfs.readthedocs.io/en/latest/metainfo.html
  24. https://blogs.gnome.org/hughsie/2018/07/02/fwupdate-is-nearly-dead-long-live-fwupd/
  25. https://fwupd.github.io/libfwupdplugin/tutorial.html
  26. https://fwupd.github.io/libfwupdplugin/uefi-capsule-README.html
  27. https://fwupd.github.io/libfwupdplugin/uefi-esrt-README.html
  28. https://github.com/fwupd/fwupd/releases/tag/2.0.17
  29. https://blogs.gnome.org/hughsie/2019/02/14/using-fwupd-and-updating-firmware-without-using-the-lvfs/
  30. https://blogs.gnome.org/hughsie/2025/05/05/premday-2025-firmware-update-management-with-lvfs-fwupd/
  31. https://www.linuxfoundation.org/blog/blog/lvfs-project-announcement
  32. https://lvfs.readthedocs.io/en/latest/intro.html
  33. https://wiki.archlinux.org/title/Fwupd
  34. https://fwupd.org/lvfs/docs/metainfo
  35. https://gitlab.com/fwupd/lvfs-website
  36. https://lvfs.readthedocs.io/en/latest/testing.html
  37. https://www.phoronix.com/news/LVFS-Fwupd-135-Million-Download
  38. https://lvfs.readthedocs.io/en/latest/upload.html
  39. https://www.omgubuntu.co.uk/2025/08/lvfs-sustainability-plan-vendor-funding
  40. https://opensource.com/article/17/11/firmware-updates-and-lvfs
  41. https://people.freedesktop.org/~hughsient/temp/UNC-FaMAF.pdf
  42. https://lwn.net/Articles/832550/
  43. https://www.dell.com/support/kbdoc/en-us/000131486/update-the-dell-bios-in-a-linux-or-ubuntu-environment
  44. https://peterbabic.dev/blog/updating-uefi-bios-via-fwupd-on-thinkpad-t14-gen3/
  45. https://www.phoronix.com/news/Fwupd-NVMe-SSD-Support-Start
  46. https://github.com/fwupd/firmware-lenovo/issues/308
  47. https://www.reddit.com/r/linuxhardware/comments/13zffhp/what_ssd_brand_is_pushing_firmware_updates/
  48. https://blogs.gnome.org/hughsie/2017/05/22/updating-logitech-hardware-on-linux/
  49. https://www.phoronix.com/news/Fwupd-2.0.13-Released
  50. https://www.linuxfoundation.jp/blog/2019/03/lvfs-project-announcement/
  51. https://developer.arm.com/community/arm-community-blogs/b/servers-and-cloud-computing-blog/posts/fwupd-daemon-prototype-on-arm-systemready-devices
  52. https://fwupd.org/lvfs/vendors/
  53. https://blogs.gnome.org/hughsie/2015/12/10/the-linux-vendor-firmware-service-welcomes-dell/
  54. https://www.dell.com/support/kbdoc/en-us/000122025/how-to-update-firmware-under-linux
  55. https://blogs.gnome.org/hughsie/2018/08/06/please-welcome-lenovo-to-the-lvfs/
  56. https://9to5linux.com/fwupd-2-0-17-released-with-support-for-lexar-and-maxio-nvme-ssds
  57. https://blogs.gnome.org/hughsie/2019/11/18/google-and-fwupd/
  58. https://github.com/fwupd/fwupd/discussions/7310
  59. https://github.com/fwupd/fwupd/issues/1866
  60. https://wiki.gentoo.org/wiki/Fwupd
  61. https://bodhi.fedoraproject.org/updates/?packages=fwupd&page=19
  62. https://fedoraproject.org/wiki/Changes/EnableFwupdRefreshByDefault
  63. https://launchpad.net/ubuntu/xenial/amd64/fwupd/0.7.0-0ubuntu4
  64. https://archlinux.org/packages/extra/x86_64/fwupd/
  65. https://packages.debian.org/fwupd
  66. https://software.opensuse.org/package/fwupd
  67. https://access.redhat.com/articles/5215571
  68. https://support.lenovo.com/us/en/solutions/ht507913-how-to-update-firmware-and-drivers-using-the-lenovo-xclarity-management-tools
  69. https://chromium.googlesource.com/chromiumos/third_party/fwupd/
  70. https://developers.google.com/chromeos/peripherals/fwupd-guide-for-peripherals
  71. https://lwn.net/Articles/832436/
  72. https://fwupd.github.io/libfwupdplugin/only-trusted.html
  73. https://github.com/fwupd/fwupd/security
  74. https://blogs.gnome.org/hughsie/2017/08/18/shipping-pkcs7-signed-metadata-and-firmware/
  75. https://github.com/fwupd/fwupd/issues/5681
  76. https://github.com/fwupd/fwupd/issues/3294
  77. https://fwupd.github.io/libfwupdplugin/hsi.html
  78. https://manpages.debian.org/unstable/fwupd/fwupdmgr.1.en.html
  79. https://www.phoronix.com/news/KDE-Discover-Fwupd-Upgrades
  80. https://apps.kde.org/discover/
  81. https://forum.endeavouros.com/t/firmware-updates-in-linux-fwupd-and-firmware-manager/4656
  82. https://gitlab.gnome.org/World/gnome-firmware
  83. https://flathub.org/en/apps/org.gnome.Firmware
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.