Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.

Episode 10
Richard Hughes, Mario Limonciello

Revolutionizing Firmware Updates in Linux: A Deep Dive with Experts

05 MAY • 2024 58 mins

In this episode of “Nerding Out with Viktor,” I’m joined by Richard Hughes and Mario Limonciello from the Firmware Update Project. We dive deep into the intricacies of firmware in the Linux world, discussing their backgrounds, the origins of the Firmware Update Project, and their vision for its future.

Richard Hughes kicks things off by introducing himself, sharing his extensive experience at Red Hat and his contributions to various open-source projects over the years. Mario Limonciello, currently with AMD and formerly with Dell, talks about his background in Linux and his focus on power management and hardware enablement.

They recount their initial collaboration around 2015 when they sought to create a firmware update solution for Linux, which led to the development of the LVFS (Linux Vendor Firmware Service) and the fwupd (Firmware Update) project. Richard shares an interesting story about his early work in firmware with ColorHug, a free software and hardware color sensor, which made him realize the need for a standardized firmware update mechanism. This realization was the catalyst for creating fwupd, aiming to simplify the deployment of firmware updates across various devices.

Mario elaborates on how the project began at Dell, where they were trying to replicate the capsule updates done through Windows Update but for Linux systems. This effort led to the integration of the LVFS, allowing vendors to upload firmware, which is then verified and distributed to users through a standardized process.

We explore the technical aspects of firmware updates, including how the ESRT (EFI System Resource Table) is used to identify and match firmware with the correct hardware. We also discuss the importance of having a centralized service like LVFS, which streamlines the process of notifying users about critical security updates and ensuring firmware integrity.

Richard and Mario also touch on the challenges of ensuring firmware security, such as verifying the provenance of updates and preventing unauthorized or malicious firmware from being deployed. They emphasize the importance of supply chain security and runtime security, highlighting projects like Tetragon, which use eBPF for efficient kernel-level event filtering and enforcement.

Our discussion covers the adoption of fwupd and LVFS by major vendors like Dell, Lenovo, and HP, and the impact of the “Works with Chromebook” initiative by Google, which significantly boosted the project’s adoption. While consumer devices have seen broad support, the server landscape is still catching up, with ongoing efforts to integrate Redfish for firmware updates in servers.

We also talk about the concept of SBOM (Software Bill of Materials) for firmware, stressing its importance in tracking dependencies and vulnerabilities in firmware components. Richard and Mario mention the challenges and ongoing efforts to include comprehensive SBOM entries in firmware updates.

Finally, we share some interesting and unusual use cases of the firmware update project, ranging from smart mirrors to underground oil and gas nodes. The episode wraps up with Richard expressing gratitude to Mario for his continued support and contributions to the project.

This episode provides an in-depth look at the complexities and advancements in firmware updates for Linux, highlighting the collaborative efforts driving the project and its impact on the broader open-source ecosystem.
