Updating the firmware when using Qubes

Firmware updates are an essential part of the security of a device. On regular laptops running Windows, as far as I know, Windows takes care of installing firmware updates. Is it possible to update the firmware properly on a laptop running Qubes? If so, what is the best way to do it? Would dual booting Qubes and Windows and then using the Windows installation only to update the firmware be a good option?

Windows does not take care of the firmware updates (unless you specifically have the manufacturer's update utility installed). You do not get firmware updates for your motherboard, GPU, SSD, memory (usually only memory with RGB) etc. via Windows. You have to do it manually.
One of the easiest firmware upgrades is a BIOS update that contains the motherboard's firmware, EC firmware and possibly CPU firmware (depending on your config). This is usually done through the device’s BIOS/UEFI and can be obtained from your manufacturer's site.
SSDs also have firmware updates but not a lot of manufacturers let you install them on Linux (Samsung is the only one that I know of and they do it via fwupd or bootable USB).

With other firmware updates (for example GPU, memory, USB-C/Thunderbolt, HDMI chipsets, docks/dongles, keyboards, mice, headphones) you are usually out of luck without Windows. Check your manufacturer's site for the specific components that you have and see if there are any firmware updates available.

Probably it would be best to tell us what exactly you are trying to achieve, what your full configuration is, BIOS versions, etc…

I don’t use Qubes but I might potentially want to switch to it. I’m asking because I know that firmware plays a significant role in security.

I am considering switching to Qubes (I would have to buy a new machine for it because my current one can’t run Qubes). I know that firmware plays a big part in security so I want to know how I can keep the firmware up to date.

Yes I did this, without Windows installed, looks like everything in my laptop not fully functional.

I don’t have a computer that is able to run Qubes but I am considering buying a laptop to try Qubes and make it my main system if I like it. Keeping the firmware of a device up to date is important for security so that’s why I’m asking.

If you’re looking for a suitable laptop, have a look here: Community-recommended computers.

Concerning the firmware updates, AFAIK Fedora and Debian are doing that, so it should be there in Qubes.

Unfortunately at the moment, it is safe to say that you will likely not be able to perform BIOS/firmware upgrades from within Qubes OS.

It depends on how the manufacturer distributes updates in assessing how difficult it may be to upgrade proprietary firmware.

In order of increasing difficulty and objections to using Windows, they might be distributed as:

  • easy: Bootable CD/ISO image provided by manufacturer, or a BIOS (UEFI) application to upgrade within BIOS setup/diagnostics
  • medium: UEFI capsules (.cab files), that might be as simple as using fwupd while booted into another Linux distro
  • harder: Windows binary that runs and extracts updates to a USB, that can then be booted
  • hard: Windows binary that installs the updates while within Windows

And a note about a bootable ISO, most of these want an actual CD/DVD; don’t try to outsmart them by writing the ISO to a USB drive, 'cause it probably won’t work.

Unfortunately, in my opinion, none of these are great options to stay “secure”, but I’d rather err on the side of having a BIOS without known vulnerabilities.

If you’re fortunate to use a machine that boots open-source firmware based on Heads, its update mechanism fits into the first, “easy”, category.