HOWTO: Lenovo T480 (and others) BIOS update

barto · October 2, 2024, 11:44am

Lenovo have released a BIOS update for the older models, probably the last one for T480. Looking at the changelog here (note that Lenovo’s site is not reachable through Tor), there are quite a few CVE’s fixed in this 1.52 release, so I will install it.

How?

get your system details with dmidecode in Dom0

[user@dom0 ~]$ sudo dmidecode | grep -A4 "System Information"
System Information
	Manufacturer: LENOVO
	Product Name: 20L6XXXXXX
	Version: ThinkPad T480
	Serial Number: YYYYYYYY
[user@dom0 ~]$

Make sure that your Product Name prefix (in my case 20L6) matches the BIOS image you’ll download!
So start a disposable based on a Debian template (not a “minimal”), start Firefox, go to https://support.lenovo.com
Click on PC, type “T480” in the search field (note that T480 and T480s are different products!), click on Downloads, Manual Update.
(optional) put in your Serial Number from #1 above to be 100% sure you’re downloading the right image.
Type “BIOS” in the “Search by keywords” field.
Identify the Bootable CD entry

scr1935×79 9.26 KB
Download this and the copy the SHA256 checksum. Optional: read the changelog.
Open a Terminal in the disposable (from the “blue cube” Qube Manager icon in the top right, select your current disposable, and choose “Run Terminal”)
Optional but recommended: check the integrity of the downloaded file by running
sha256sum Downloads/*iso and make sure it matches the SHA256 from #8.
Install “genisoimage”
sudo apt install genisoimage
Run:

user@disp2323:~$ cd Downloads
user@disp2323:~/Downloads$ geteltorito -o t480_152.img *iso
Booting catalog starts at sector: 20 
Manufacturer of CD: NERO BURNING ROM VER 12
Image architecture: x86
Boot media type is: harddisk
El Torito image starts at sector 27 and has 67584 sector(s) of 512 Bytes

Image has been written to file "t480_152.img".

Good! now we have the “t480_152.img” file which can be written to a USB stick. Insert a USB stick THAT CAN BE SAFELY ERASED and connect it as a USB device to your disposable cube using the menu. Optionally, run “sudo dmesg” and make sure of the name, usually /dev/sda, under which it was connected. This being a disposable, 99.99% it will be /dev/sda.
copy the bootable image to the USB stick:
sudo dd if=t480_152.img of=/dev/sda
Optional, if you need to flash the same BIOS to more laptops later, use qvm-copy to copy the t480_152.img file to some other qube, like “Personal”.
Now you can reboot the laptop directly, from the top-right menu, then press Enter during boot, select to boot from the USB stick, follow the prompts, and there you are - on the next boot you’re all updated! the BIOS screen and dmidecode should show the new BIOS version.

Notes:

I use “*iso” instead the full name assuming you’re doing this in a disposable. If not, it is a good idea to use the file name, like “n24ur39w.iso”.
At #14, you’re already in ~/Downloads (from #12)
if you want to change the boot logo, for example with this @renehoj masterpiece, the readme.txt on the page at #7 explains how.

Enjoy.

barto · May 29, 2025, 1:00pm

Update (end of May 2025): Lenovo have released a new BIOS for T480, v1.54, so I guess that my prediction of “last BIOS update” from October 2024 … proved to be inaccurate.
There are new BIOSes for a flurry of other T and X models, however - they do not include mitigations for the latest Intel CPU exploits…

OvalZero · May 29, 2025, 1:08pm

Release date for my machines’ versions was April 16th 2025. The fixes are:



Version 1.54 (UEFI BIOS)

           1.22 (ECP)


[Important updates]

- Enhancement to address security vulnerability,CVE-2024-12533.

- Enhancement to address security vulnerability,CVE-2024-38796.

- Enhancement to address security vulnerability,LEN-167098.


[New functions or enhancements]

- Updated the Diagnostics module to version 04.38.001.


[Problem fixes]

  Nothing.

absent · May 29, 2025, 3:14pm

I am wondering how the mitigation is applied. The microcode in the intel repo for the t480 CPU was not changed in past 9 month (06-8e-0a). Are you aware of tools that can extract the microcode from the BIOS update files?
@OvalZero @barto

OvalZero · May 29, 2025, 4:05pm

First, it’s just a guess. I don’t know for sure.

Intel’s 7th and 8th generation CPUs are considered to be at the end of their service lifetime.
Lenovo doesn’t develop its own CPU microcode.

I see no use for the following as far as future CPU microcode updates are concerned, which I don’t expect to emerge. But Libreboot extracts the blobs from legacy firmware updates. Here is how:

In general, I disable HT/SMT in the BIOS and at the OS level on those machines. That’s all that can be done, as far as I know.

barto · May 29, 2025, 7:06pm

Yes, thank you @OvalZero , I did read the Changelog. And I did apply the update a couple of (3?) weeks ago. I just don’t have “updating the Forum” high up enough on my agenda.

absent · May 30, 2025, 5:20am

I am aware of libreboot but they extract me, gbe etc blobs but not the microcode as far as I know…
The mitigation of branch injecting vuln can be mitigated only with a microcode update. That is why I am so curious…

@barto @OvalZero
Edit: did the update changed your microcode version at /proc/cpuinfo? 1.54 vs 1.53

OvalZero · May 30, 2025, 2:03pm

No, not that I’m aware of.

barto · June 2, 2025, 9:17am

I didn’t check and am now on 1.54 on all my T480s. For what it’s worth, cpuinfo microcode is now 0xf6 … but this depends on what Linux kernel you run, too.