Difference between revisions of "Fwupd"

From ArchWiki
(add zh-hans page)
(Add note on restoring bootloader UEFI entry)
 
Line 38: Line 38:
 
# Verify [[Unified_Extensible_Firmware_Interface#Requirements_for_UEFI_variable_support|your EFI variables are accessible]].
 
# Verify [[Unified_Extensible_Firmware_Interface#Requirements_for_UEFI_variable_support|your EFI variables are accessible]].
 
# Mount your [[EFI system partition]] (ESP) properly. {{ic|''esp''}} is used to denote the mountpoint in this article.
 
# Mount your [[EFI system partition]] (ESP) properly. {{ic|''esp''}} is used to denote the mountpoint in this article.
 +
 +
=== Reinstall bootloader ===
 +
 +
If after updating the firmware you find the Arch boot entry is missing you can add it back with [[efibootmgr]]. For example, if you use GRUB:
 +
 +
$ efibootmgr --create --disk /dev/nvme0n1 --part 1 --loader /EFI/GRUB/grubx64.efi --label "Arch Linux"
 +
 +
(It is just the UEFI entry missing, so it should be possible to restore it with any UEFI shell, such as those in the BIOS setup utility?)
  
 
=== Secure Boot ===
 
=== Secure Boot ===
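
Review bot: the efibootmgr example added under "Reinstall bootloader" hardcodes --disk /dev/nvme0n1 and --part 1 without saying that these must match the reader's own ESP disk and partition number; a reader with a SATA disk or a different partition layout who copies the line will create an entry pointing at the wrong place. Suggest adding a sentence telling readers to substitute their own values, and showing the command with the # prompt, since creating a boot entry writes EFI variables and needs root. The closing parenthetical ends in a question mark, so it reads as an open question to other editors; it belongs on the talk page until confirmed, or should be reworded as a statement once it is.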

Latest revision as of 13:41, 2 December 2018

fwupd is a simple daemon that allows you to update the firmware of some devices, including the UEFI BIOS of several machines.

Supported devices are listed here and more are to come.

Installation

Install fwupd.

See #Setup for UEFI BIOS upgrade if you intend to use it for that purpose.

Usage

You can get available devices by running:

$ fwupdmgr get-devices
Note: Some returned devices might not be updatable through fwupd, e.g. Intel integrated graphics.

To refresh metadata on available updates:

$ fwupdmgr refresh

To check which devices have updates:

$ fwupdmgr get-updates

To install updates:

$ fwupdmgr update
Note: Some updates might require root rights.

Setup for UEFI BIOS upgrade

Warning: An update to your UEFI firmware may discard your boot loader installation, so it may be necessary to reinstall your boot loader after the firmware update is finished. If your system only applies the firmware update on a reboot, then you may need to have an Arch installation on removable media ready to reinstall your boot loader and make your system bootable again.
  1. Make sure you are booted in UEFI mode.
  2. Verify your EFI variables are accessible.
  3. Mount your EFI system partition (ESP) properly. esp is used to denote the mountpoint in this article.

Reinstall bootloader

If, after updating the firmware, you find that the Arch boot entry is missing, you can add it back with efibootmgr. For example, if you use GRUB (replace the disk and partition number with those of your own ESP):

# efibootmgr --create --disk /dev/nvme0n1 --part 1 --loader /EFI/GRUB/grubx64.efi --label "Arch Linux"

(It is just the UEFI entry missing, so it should be possible to restore it with any UEFI shell, such as those in the BIOS setup utility?)

Secure Boot

Currently, fwupd relies on shim to chainload the fwupd EFI binary on systems with Secure Boot enabled. For this to work, shim has to be installed correctly.

Using your own keys

Note: The following description is based on a future version of fwupd that is not yet released. See [1].

Alternatively, you have to manually sign the UEFI executable used to perform upgrades, which is located at /usr/lib/fwupd/efi/fwupdx64.efi. The signed UEFI executable is expected at /usr/lib/fwupd/efi/fwupdx64.efi.signed, which is where sbsign writes its output by default (the input path with .signed appended). Using sbsigntools, this can be achieved by running:

# sbsign --key <keyfile> --cert <certfile> /usr/lib/fwupd/efi/fwupdx64.efi

To automatically sign this file when installed or upgraded, a Pacman hook can be used:

/etc/pacman.d/hooks/sign-fwupd-secureboot.hook
[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/lib/fwupd/efi/fwupdx64.efi

[Action]
When = PostTransaction
Exec = /usr/bin/sbsign --key <keyfile> --cert <certfile> /usr/lib/fwupd/efi/fwupdx64.efi
Depends = sbsigntools

Make sure to replace <keyfile> and <certfile> with the corresponding paths of your keys.

Finally, you have to change the line containing RequireShimForSecureBoot in /etc/fwupd/uefi.conf to RequireShimForSecureBoot=false.
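
To confirm that the three steps above are in effect (signed copy present and not older than the installed binary, signature valid for your certificate, shim requirement disabled), a check such as the following can be run after each fwupd upgrade. This is an added example, not part of fwupd or of the original article; the script name check-fwupd-sb.sh and the function names are hypothetical, and it assumes sbverify from sbsigntools is installed.

```shell
#!/bin/sh
# Added example: audit the own-keys Secure Boot setup for fwupd.
# Usage (paths from the article; <certfile> is your own certificate):
#   sh check-fwupd-sb.sh /usr/lib/fwupd/efi/fwupdx64.efi /etc/fwupd/uefi.conf <certfile>

# 0 if the config has an uncommented RequireShimForSecureBoot=false line.
shim_requirement_disabled() {
    grep -Eq '^[[:space:]]*RequireShimForSecureBoot[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# 0 if <efi>.signed exists and is not older than <efi>. A stale copy means the
# binary was replaced (e.g. by a package upgrade) without being re-signed.
signed_copy_is_current() {
    [ -f "$1.signed" ] && [ ! "$1.signed" -ot "$1" ]
}

# 0 if sbverify accepts the signature against the given certificate.
signature_verifies() {
    command -v sbverify >/dev/null 2>&1 || return 2
    sbverify --cert "$2" "$1.signed" >/dev/null 2>&1
}

# Run all checks, print one line per finding, return the number of failures.
check_fwupd_secureboot() {
    failures=0
    if ! signed_copy_is_current "$1"; then
        echo "FAIL: $1.signed is missing or older than $1; re-run sbsign"
        failures=$((failures + 1))
    elif ! signature_verifies "$1" "$3"; then
        echo "FAIL: $1.signed does not verify against $3 (or sbverify is missing)"
        failures=$((failures + 1))
    fi
    if ! shim_requirement_disabled "$2"; then
        echo "FAIL: $2 does not set RequireShimForSecureBoot=false"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: signed binary is current and shim is not required"
    return "$failures"
}

if [ "$#" -eq 3 ]; then
    check_fwupd_secureboot "$@"
fi
```

A "missing or older" failure right after a fwupd upgrade usually means the Pacman hook did not run or could not read the key.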