fwupd is a simple daemon allowing to update some devices firmware, including UEFI BIOS for several machines.
See #Setup for UEFI BIOS upgrade if you intend such an use.
You can get available devices by running:
$ fwupdmgr get-devices
To refresh metadata on available updates:
$ fwupdmgr refresh
To check which devices have updates:
$ fwupdmgr get-updates
To install updates:
$ fwupdmgr update
Setup for UEFI BIOS upgrade
- Make sure you are booted in UEFI mode.
- Verify your EFI variables are accessible.
- Mount your EFI system partition (ESP) properly.
espis used to denote the mountpoint in this article.
If after updating the firmware you find the Arch boot entry is missing you can add it back with efibootmgr. For example, if you use GRUB:
$ efibootmgr --create --disk /dev/nvme0n1 --part 1 --loader /EFI/GRUB/grubx64.efi --label "Arch Linux"
(It is just the UEFI entry missing, so it should be possible to restore it with any UEFI shell, such as those in the BIOS setup utility?)
Using your own keys
Alternatively, you have to manually sign the UEFI executable used to perform upgrades, which is located in
The signed UEFI executable is expected in
Using , this can be achieved by running:
# sbsign --key <keyfile> --cert <certfile> /usr/lib/fwupd/efi/fwupdx64.efi
To automatically sign this file when installed or upgraded, a Pacman hook can be used:
[Trigger] Operation = Install Operation = Upgrade Type = File Target = usr/lib/fwupd/efi/fwupdx64.efi [Action] When = PostTransaction Exec = /usr/bin/sbsign --key <keyfile> --cert <certfile> /usr/lib/fwupd/efi/fwupdx64.efi Depends = sbsigntools
Make sure to replace
<certfile> with the corresponding paths of your keys.
Finally, you have to change the line containing