Firmware updates are an essential part of the security of a device. On regular laptops running Windows as far as I know Windows takes care of installing firmware updates. Is it possible to update the firmware properly on a laptop running Qubes? If so what is the best way to do it? Would dual booting Qubes and Windows and then using the Windows installation only to update the firmware be a good option?
Windows does not take care of the firmware updates (unless you specifically have the manufacturers update utility installed.) You do not get firmware updates for your motherboard, GPU, SSD, memory (usually only memory with RGB) etc. via Windows. You have to do it manually.
One of the easiest firmware upgrades is BIOS update that contains motherboards firmware, EC firmware and possibly CPU firmware (depending on your config.) This is usually done through the device’s BIOS/UEFI and can be obtained from your manufacturers site.
SSD:s also have firmware updates but not a lot of manufacturers let you install them on Linux (Samsung is the only one that I know of and they do it via fwupd or bootable USB.)
With other firmware updates (for example GPU, memory, USB-C/Thunderbolt, HDMI chipsets, docks/dongles, keyboards, mice, headphones) you are usually out of luck without Windows. Check your manufacturers site for the specific components that you have and see if there are any firmware updates available.
Probably it would be the best to tell what exactly you are trying to achieve, what is your full configuration, bios versions, etc…
I don’t use Qubes but I’m I might potentially want to switch to it. I’m asking because I know that firmware plays a significant role in security.
I am considering switching to Qubes (I would have to buy a new machine for it because my current one can’t run Qubes). I know that firmware plays a big part in security so I want to know how I can keep the firmware up to date
Yes i did this, without windows installed, looks like everything in my laptop not fully functional.
I don’t have a computer that is able to run Qubes but I am considering buying a laptop to try Qubes and make it my main system if I like it. Keeping the firmware of a device up to date is important for security so that’s why I’m asking.
If you’re looking for a suitable laptop, have a look here: Community-recommended computers.
Concerning the firmware updates, AFAIK Fedora and Debian are doing that, so it should be there in Qubes.
Unfortunately at the moment, it is safe to say that you will likely not be able to perform BIOS/firmware upgrades from within Qubes OS.
It depends how the manufacturer distributes updates in assessing how difficult it may be in upgrading proprietary firmware.
In order of increasing difficulty and objections to using Windows, they might be distributed as:
- easy: Bootable CD/ISO image provided by manufacturer, or a BIOS (UEFI) application to upgrade within BIOS setup/diagnostics
- medium: UEFI capsules (.cab files), that might be as simple as using
fwupdwhile booted into another Linux distro
- harder: Windows binary that runs and extracts updates to a USB, that can then be booted
- hard: Windows binary that installs the updates while within Windows
And a note about a bootable ISO, most of these want an actual CD/DVD; don’t try to outsmart them by writing the ISO to a USB drive, 'cause it probably won’t work.
Unfortunately, in my opinion, none of these are great options to stay “secure”, but I’d rather err on the side of having a BIOS without known vulnerabilities.
If you’re fortunate to use a machine that boots open-source firmware based on Heads, its update mechanism fits into the first, “easy”, category.
Do you perhaps know what way to use to update firmware on a system with qubes os installed. I mean choosing the right livecd system. Unfortunately lenovo does not offer the possibility to update this firmware with its own livecd. I tried to use fedora and ubuntu, but the live releases of these distributions have very small EFI partitions (about 9-12 mb) and fwupdmgr cannot write the corresponding .cab files to this partition. Portable distributions such as slax are not a solution either, as they do not have a separate EFI partition. Tails is not an option because root has no way to connect to the network and there is no separate EFI partition. I haven’t tried installing fwupd on dom0, but the version of this package is outdated and I don’t know if it will work and if something will break. Could I ask for some hints?
Lenovo have ISO releases of their firmware.
If you use the geteltorito script, you can convert the ISO to IMG and boot it using a USB device.
Unfortunately not for all cases…
Please follow link below. No ISO there.
This ISO includes only UEFI BIOS and ECP (Embedded Controller Program), but not Intel Management Engine 11.8 Firmware. Already installed first one (UEFI and ECP). Can’t deal with second one (IME).
Don’t know if the vendor specific version is needed for IME, but they do provide the bin file.
I think the OS normally updates IME if needed, by the normal update channel.
Working environment with fwupdmgr is needed. That’s my point and that’s why I’ve asked about live distro with this attribute.
From manual to this bin file (also mentioned previously above in 11 post).
Make sure the AC adapter is firmly connected to the target computer
Extract package zip file
Login as root user
Navigate to the directory where the cabinet file was placed
Execute as below:
fwupdmgr --allow-older --allow-reinstall install <cab_filename.cab>
Restart the system manually if system did not restart automatically
After restart, “Please wait while we install a system update” will be displayed
Wait for the system update to complete then system will automatically restart
I have finally managed to solve the IME update problem. I created a separate environment for fwupdmgr on a portable ssd usb drive. This is a qubes-independent regular installation of fedora 36 on the usb drive, with its own EFI boot partition. I did the fedora 36 installation so as not to overwrite the boot partition on the local drive. I used a way to install fedora on an external usb drive after first disabling the ESP flags of the local drive so that the fedora installer would not change anything there.After the installation I restored the ESP flag on the appropriate partition of the local drive. Installing the fwupdmgr environment required the UEFI only boot option to be enabled during installation and operation. For fwupdmgr operation the boot order lock option needed to be disabled.
As someone mentioned, booting into a live OS with a usb stick could work for updates with fwupd. There may not be Linux firmware directly uploaded to the manufacturer’s website, but they could have released it to LVFS. If you don’t see new firmware on either one, you’re up to date as much as you can be for Linux IMO. Dual-booting with Windows is risky.
In my experience, when a distro website give you an ISO to download, just burn it into a USB stick with something like Etcher (not that privacy respecting) or simply copy the ISO into the USB after installing a multi-boot program like Ventoy in the USB. No CD/DVD needed. I just updated my T480’s intel ME with a live fedora distro. Once I downloaded Ventoy and copied in the ISO, I only needed a couple minutes to start updating firmware because fwupd is simple to use.
I tried Debian GNOME but it didn’t come with the wifi driver (perhaps firmware-iwlwifi, which helps sys-net work on Debian). Fedora came with wifi capabilities and fwupd already installed. Don’t bother checking your hardware versions with dom0 since it won’t show all the devices for some reason. App VMs and templates don’t show any devices. But the live distro did for me after connecting to wifi.