Bug#916036: Install fwupd on a default installation

Philipp Kern pkern at debian.org
Thu Dec 27 18:58:45 GMT 2018


Hey Mario,

On 2018-12-27 03:52, Mario.Limonciello at dell.com wrote:
> Something I think worth mentioning is that LVFS is being transitioned
> to being run and managed by the Linux Foundation.

yeah, that's great news.

>> Interestingly enough the vendor signs a blob (CAB file) and LVFS throws
>> it away and re-signs the blob with its own key. But then again I think
>> the base assumption is that the contained firmware images are themselves
>> signed as well and the BIOS does a check before ingesting them.
> 
> Speaking on behalf of one of the biggest distributors of firmware on
> LVFS (Dell) I can say that all of the firmware images are signed by Dell
> PKI infrastructure and will not flash on the system if modified.
> 
> LVFS is currently in the process of plumbing this information through
> to the U/I as well.

Just the fact that the update claims that the hardware only accepts 
signed updates or something else? :)

>> Obviously you end up with the usual concerns like the repository being
>> able to hold back updates from certain clients. The website's code is
>> supposedly available on https://github.com/hughsie/lvfs-website/ though
>> and I suppose a transparency effort could solve that particular problem,
>> too.
> 
> LVFS is able to prevent distributing updates in two situations:
> 
> 1) when there are known bad SW combinations (say vendor knew bug existed
> in fwupd 1.0.x but was fixed in 1.1.x - set minimum version for the
> update to be 1.1.x) or need to update device XYZ before device ABC.
> 
> 2) rate limiting of updates, to stage rollouts and monitor optional
> feedback in the event of a problem.

I will note - although slightly off-topic to the discussion at hand - 
that it would be useful to people to be able to run their own repository 
of updates and control the rollouts (and staging percentages) 
themselves. I'm not actually suggesting that Debian would need to run 
their own, but it'd be a useful service to the users who don't want to 
send telemetry to the Linux Foundation - and furthermore have a 
significant deployment where it's worth canarying the updates.

>> Oh yes. Not just that, also finding the right image to apply and then
>> figuring out how the hell to apply it is a solved problem with EFI-based
>> fwupdate.
> 
> Please keep in mind it's much much more than EFI updates now too. There
> are updates that can apply "in Debian" without a reboot for things like
> Thunderbolt controllers, docks, MST hubs, and various USB devices.

Fair enough. Do you have a pointer for examples of such updates? 
Unfortunately I updated my own Dell dock recently from Windows, so I 
can't easily check. Mostly I'm interested if it's a proprietary binary 
run on the host. That's its own can of worms. (Which technically is true 
for the EFI update too, but it's staged from outside of Linux on 
boot-up.)

Kind regards and thanks
Philipp Kern
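The gating rules Mario lists (a minimum fwupd version, "update XYZ before ABC" ordering, and staged rollouts) and Philipp's wish for a self-hosted repository that controls staging percentages without telemetry can be modelled in a few lines. The following is an added illustration, not code from fwupd, LVFS or anyone in this thread; the metadata fields, device names and versions are constructed for the example. The staging decision hashes a client-supplied machine id to a stable bucket, so a repository can hold back a percentage of clients deterministically and without keeping per-client state.

```python
"""Constructed model of update gating in a self-hosted firmware repository.

Not fwupd or LVFS code. Field names (min_fwupd, requires_first,
rollout_percent) are assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.1.3' into (1, 1, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class FirmwareUpdate:
    device: str                      # e.g. "dock-controller"
    version: str                     # version this update installs
    min_fwupd: Optional[str] = None  # client fwupd must be at least this
    # devices that must already be at a given version before this applies
    requires_first: Dict[str, str] = field(default_factory=dict)
    rollout_percent: int = 100       # share of clients offered the update


@dataclass
class Client:
    machine_id: str
    fwupd_version: str
    installed: Dict[str, str]        # device -> currently installed version


def rollout_bucket(machine_id: str, device: str, version: str) -> int:
    """Deterministic bucket 0..99 for a (client, update) pair.

    The same client always lands in the same bucket for a given update, so
    the repository needs no per-client state and no feedback channel to
    hold a stable percentage of the fleet back.
    """
    digest = hashlib.sha256(f"{machine_id}:{device}:{version}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


def gate(update: FirmwareUpdate, client: Client) -> Tuple[bool, str]:
    """Decide whether this client is offered the update, and why not if not."""
    # 1) known-bad software combination: client's fwupd is too old
    if update.min_fwupd and parse_version(client.fwupd_version) < parse_version(update.min_fwupd):
        return False, f"requires fwupd >= {update.min_fwupd}"
    # 1b) ordering constraint: prerequisite devices must be updated first
    for dev, minver in update.requires_first.items():
        current = client.installed.get(dev)
        if current is None or parse_version(current) < parse_version(minver):
            return False, f"update {dev} to >= {minver} first"
    # nothing to do if the device is already at or past this version
    current = client.installed.get(update.device)
    if current is not None and parse_version(current) >= parse_version(update.version):
        return False, "already up to date"
    # 2) staged rollout: only clients whose bucket falls under the percentage
    if rollout_bucket(client.machine_id, update.device, update.version) >= update.rollout_percent:
        return False, f"held back by staged rollout ({update.rollout_percent}%)"
    return True, "offered"


def offered_count(update: FirmwareUpdate, clients) -> int:
    """How many of the given clients would be offered the update."""
    return sum(1 for c in clients if gate(update, c)[0])


if __name__ == "__main__":
    upd = FirmwareUpdate("dock-controller", "2.0.0", min_fwupd="1.1.0",
                         requires_first={"dock-hub": "1.5.0"}, rollout_percent=25)
    fleet = [Client(f"machine-{i:04d}", "1.2.0", {"dock-hub": "1.5.0", "dock-controller": "1.0.0"})
             for i in range(1000)]
    print(f"{offered_count(upd, fleet)} of {len(fleet)} clients offered at 25%")
```

Because the bucket depends only on the machine id and the update identity, the repository's answer is reproducible by the client itself, which is the property that makes a "hold back updates from certain clients" decision auditable rather than silent.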
