It seems like a long time ago that we published our blog on automating UEFI firmware updates. A lot has happened since then, with the disclosure of several significant security vulnerabilities that continue to highlight the importance of making firmware updates readily available and easy to automate. The most notable of these are the patches for SPECTRE and MELTDOWN.
In our previous blog posts, we focused on automating UEFI firmware updates on Windows devices. We thought that in this blog post we would widen the discussion to include firmware updates on Linux devices. Many of our customers use Linux devices, and can use the Linux Vendor Firmware Service (LVFS) to access available firmware updates. Even if you don’t use Linux, the LVFS can still help determine how well supported the devices are for firmware updates.
What is the LVFS?
LVFS is a free service that provides the ability for vendors to securely publish firmware updates, and for customers to subsequently download those firmware updates to their devices. This is coupled with a client application that runs on Linux devices to easily discover, download, and apply those updates. With approximately 3 million firmware updates downloaded to date, and an average of 12 thousand downloads per day, the number of users of the service is growing quickly.
However, in addition to these features, LVFS also contains a whole raft of metadata about the packages it hosts as well as the devices those packages apply to. We can use that metadata to answer several questions about devices that we might be thinking about using in our organisation.
Does LVFS have updates for my device?
The first thing you need to find out is whether firmware for your devices is included in the LVFS. The LVFS provides a list of all devices it currently supports, as well as current vendor engagement, providing up-to-date information on vendor support for firmware updates through the LVFS. A snapshot of the graph showing the current number of unique device models supported per manufacturer is shown below. Whilst this data will be somewhat skewed towards manufacturers with many different device models when compared to a manufacturer that only has a few, it still provides a basic indicator of vendor support.
Is my device vendor still releasing updates for my device?
The LVFS also provides the release history of firmware updates for a given device. An example is shown below for system firmware updates released for the Dell XPS 13 9360, showing the number of firmware updates released in each quarter.
We believe data such as this can help determine the firmware support lifetimes for a device or whether a device is still receiving regular firmware updates. It can also be used to aid in predicting typical support lifetimes for future devices. These may be important factors when considering whether your device should still be considered ‘in support’. You might consider looking at this data when making future procurement decisions, so you can take into account expected support lifetimes for devices based on their vendor’s past performance.
Given that the LVFS is still a relatively new service, these analytics are still limited by the amount of historical data currently available, but as time goes on, these kinds of insights should become more powerful.
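The release-history analysis described above can be scripted. The following is an added example, not code from the LVFS project or from the original post: it assumes the metadata is AppStream-style XML in which each firmware component lists its releases with a Unix timestamp attribute, and the sample data, device name and 365-day staleness threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (assumed AppStream-style layout; the device name,
# versions and timestamps are invented for illustration).
SAMPLE_XML = """<components>
  <component type="firmware">
    <name>Example Laptop System Firmware</name>
    <releases>
      <release version="1.3.0" timestamp="1514764800"/>
      <release version="1.2.1" timestamp="1509494400"/>
      <release version="1.2.0" timestamp="1506816000"/>
      <release version="1.1.0" timestamp="1491004800"/>
    </releases>
  </component>
</components>"""


def release_dates(xml_text):
    """Map each firmware component name to its release datetimes (UTC, oldest first)."""
    out = {}
    for comp in ET.fromstring(xml_text).iter("component"):
        if comp.get("type") != "firmware":
            continue
        stamps = [int(r.get("timestamp")) for r in comp.iter("release") if r.get("timestamp")]
        out[comp.findtext("name", "unknown")] = sorted(
            datetime.fromtimestamp(s, tz=timezone.utc) for s in stamps)
    return out


def per_quarter(dates):
    """Count releases in each calendar quarter, e.g. {'2017Q4': 2}."""
    return Counter(f"{d.year}Q{(d.month - 1) // 3 + 1}" for d in dates)


def support_summary(dates, as_of, stale_days=365):
    """Summarise the release span and flag devices with no recent release.
    stale_days is a hypothetical policy threshold, not an LVFS value."""
    if not dates:
        return {"releases": 0, "span_days": 0, "days_since_last": None, "stale": True}
    since_last = (as_of - dates[-1]).days
    return {"releases": len(dates), "span_days": (dates[-1] - dates[0]).days,
            "days_since_last": since_last, "stale": since_last > stale_days}


if __name__ == "__main__":
    now = datetime(2018, 4, 1, tzinfo=timezone.utc)  # fixed date so output is repeatable
    for name, dates in release_dates(SAMPLE_XML).items():
        print(name, dict(per_quarter(dates)), support_summary(dates, now))
```

Metadata downloaded from a remote service should be treated as untrusted input and verified before it is parsed; the example only reads the inline sample.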
In summary, we have highlighted the LVFS as a solution to the problem of automating firmware updates on Linux. Beyond that though, the data that it makes available has the benefit of allowing Linux users to make informed decisions about the hardware they choose and whether it supports automatic firmware updates out of the box. However, it can also provide insights to all operating system users on historic firmware support lifetimes for a given device.
As recent events have shown, we are all now much more acutely aware of the need for seamless mechanisms to apply firmware updates, a problem which the LVFS is helping to solve for Linux.
Platform Security Researcher