How are you guys handling BIOS and UEFI updates?
Some devices do not support coreboot, so we are stuck with the manufacturer's firmware. How are you guys updating it? Some manufacturers require you to download their own software, like Lenovo Vantage, which is only for Windows. Would you have to run a standalone Windows VM or dual boot Windows to upgrade the BIOS/UEFI?
Which approaches would you recommend? I'm more worried about exploits in past firmware versions than the manufacturer installing backdoors.
I think all vendors have an option to update the BIOS/UEFI from the BIOS/UEFI menu by specifying the update file from the disk.
Is there no such option in your BIOS/UEFI?
UPD:
I guess some Lenovo models indeed only support updating from Windows.
You can try this:
https://wiki.archlinux.org/title/Flashing_BIOS_from_Linux#Lenovo
Try sudo qubes-fwupdmgr in dom0. Sadly no documentation yet and there’s an issue open on the --update flag.
If I installed a standalone Windows VM, could I install BIOS updates via Lenovo Vantage?
No.
You can try to extract the firmware from the installer and use the fwupd tool in dom0 to update it, as stated in the link.