How to update BIOS UEFI offline by USB?

On the latest version of Qubes, what is the process and any CLI command inputs needed to

  1. formate & download onto a USB drive (not while on Qubes btw, using a different computer)
  2. check the hash of the download (if supported)
  3. mount/dock, run/execute, installation of a BIOS/UEFI firmware update on my bare metal Qubes machine

I have a Star Labs StarBook that was sadly shipped to me a couple weeks ago with an extremely outdated BIOS/UEFI version
(older than the time Star Labs has been in business ironically).

One laptop has Coreboot.
The other has AMI (American MegaTrends).

Both require firmware BIOS/UEFI updates as both the AMI and the Coreboot are out of date (not the latest version)

My issue is,
I have NOT yet built out my LAN and gotten a new ISP connection to get back online, so other than my cellphone I lack internet access for the 2 laptops currently at this moment. I could however make a way to get access to a public computer or something akin so to load the BIOS/UEFI update(s) onto a USB stick and then insert that into my still currently offline StarBook so to finish hardening it before taking it online and only after I harden my LAN too (I am trying to harden it as much as I can before connecting to the internet).

Also, I know Coreboot provides Hash integrity checks but does AMI (American MegaTrends) have a Hash check or no?

UPDATE:

So despite me worrying over placing anything not up to par online, it sounds like it is still within context of QubesOS more risky to perform a firmware update through sneakernet than it is by just having sys-net handle the internet update install method to update American MegaTrends UEFI (AMI).

I found that AMI has its own verify tool:


source:

However, I am unsure if such a tool runs on QubesOS? Does anyone know if AMI has a tool for Qubes distro?

According to the instructions from that URL source I may have a hurtle to get over in that the BIOS doesn’t seem to list the serial number needed to perform the AMI update.
Merely says “Default String”
:weary:


Is there any way around this?

Found this with a simple google search: EFI Shell - Star Labs

But still, I don’t use Star Labs laptops so I can’t confirm this will work…

If it verifies and measures stuff to PCR registers of TPM, perhaps you could in theory check your measurements on every boot to detect changes in firmware (with tpm2_pcrread). But thats a big if

1 Like

Well I searched for UEFI not EFI so maybe that’s why it didn’t show in my results, I tried.

Thank you so much :blush:

1 Like