Updating firmware is hard. It is a process that is individual for every piece of hardware and requires a long downtime. Most vendors do not even provide updates for their BIOS. Also sometimes updates can make the system unstable and who wants to touch a running system? There is a rule to not do that.
But what if the process was easy?
Meltdown and Spectre have shown us that not only software is vulnerable. Hardware is so, too. Very often when we use that term, we are talking about vulnerabilities in software that is running very close to the hardware: The BIOS or other management functionality. In this Wiki, this is just firmware.
Keeping the firmware updated is a bit hard (no pun intended). Very often you need to prepare a special USB key. And when the system is remote, rebooting into that Key is not possible at all.
What if we just baked all this into one simple command? firmware-update update
On supported systems, this command will flash the latest firmware version onto the SPI flash of the board the system is running on. After a reboot, you are running the latest firmware. How much easier can it get?
Note: After version v4.19.0.1 no more APU firmware updates are being sponsored by PC Engines. The company that has been making the updates is looking at a donation approach to provide funding for creating future APU firmware updates. If this is successful the next version would not be available till near the end of 2023.
See request for help below.
We decided to not make this process automatic - although there are some reasons for that. Either way, it is just two commands away for all PC Engines APU-based systems:
Installation
firmware-update can be installed with the Pakfire web interface (WebUI) or via the console:
pakfire install firmware-update
Usage
There is no web interface for this Addon. To run this Addon open the client console or terminal and access the IPFire box via SSH.
pakfire remove pcengines-apu-firmware # if previously installed
pakfire install pcengines-apu-firmware # download current images
firmware-update update
reboot
Options
firmware-update { info | update | version }
[root@ipfire ~]# firmware-update info
Board : PC Engines apu4
HW Version : 1.0
Serial : 123456
BIOS Version: v4.12.0.1 (05/29/2020)
[root@ipfire ~]# firmware-update version
firmware-update: Version 20210107
Notes
- For APU firmware updates - Check the boot order after completing the firmware update. The boot order changes back to default. This will matter if you have an external drive (i.e., a backup drive).
Error Messages
These errors (below) are normal. The flashrom tool is searching for the firmware chip on a trial-and-error basis.
Error accessing GD25Q256D, 0x2000000 bytes at 0x00000000fe000000
/dev/mem mmap failed: Operation not permitted
Could not map flash chip GD25Q256D at 0x00000000fe000000.
Error accessing IS25LP256, 0x2000000 bytes at 0x00000000fe000000
/dev/mem mmap failed: Operation not permitted
Could not map flash chip IS25LP256 at 0x00000000fe000000.
Community Participation required
We, the developers, of course do not have access to all the hardware. We decided to go with the PC Engines boards, because they have a firmware that is regularly updated and extended and we also got a free sample of the board. Thank you very much to the people from PC Engines for that!
However, there is other boards that have a (freely distributable firmware) that could be integrated, too. If you have one of those and there is a larger user base of them in IPFire, please send patches.
It would be great if this would grow into a small collection of firmware so that many systems can easily be kept up to date. The tool would also support firmware updates for NICs and other parts that have firmware blobs.