As you may know from the previous blog post, qubes-fwupd is the wrapper that allows you to update the firmware of your devices in Qubes OS. This time I will briefly describe the new features that let you securely update your system firmware.
UEFI update capsule
During the UEFI update process, the fwupd daemon decompresses the cabinet archive and extracts a firmware blob in the EFI capsule file format. The main difference between updating the firmware of external USB devices and updating the UEFI firmware is how the GUID is generated. GUIDs are the labels the fwupd daemon uses to recognize a device. The UEFI GUID is generated from the information contained in the ESRT tables, and that causes trouble. Qubes OS is a fully virtualized operating system that runs under the Xen hypervisor. The admin VM, dom0, is a PVH domain with limited access to the memory tables. By default, the dom0 kernel has no read access to the ESRT, so dom0 cannot create the corresponding sysfs entries. In that case, the fwupd daemon assigns the default GUID value to the system firmware and sets an error flag. To work around this problem, we need to add a patch to the dom0 kernel that grants access to the ESRT tables when the OS is paravirtualized. Big kudos to Marek Marczykowski-Górecki, who helped us solve this problem.
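As an added illustration (not code from qubes-fwupd or fwupd), the following Python snippet reads the ESRT entries the kernel exposes under /sys/firmware/efi/esrt and shows which GUID fwupd derives for the system firmware; on an unpatched dom0 that directory is absent, which is exactly the condition that makes fwupd fall back to a default GUID. The sample tree built by make_sample_esrt() and its GUIDs are constructed for offline runs.

```python
import os
import tempfile

ESRT_ROOT = "/sys/firmware/efi/esrt"
# Attribute files under each entry (Documentation/ABI/testing/sysfs-firmware-efi-esrt).
ENTRY_FIELDS = ("fw_class", "fw_type", "fw_version", "lowest_supported_fw_version",
                "capsule_flags", "last_attempt_version", "last_attempt_status")
FW_TYPES = {0: "unknown", 1: "system firmware", 2: "device firmware", 3: "UEFI driver"}

def parse_esrt(root=ESRT_ROOT):
    """Return the ESRT entries as dicts, or None when the table is not exposed in sysfs."""
    entries_dir = os.path.join(root, "entries")
    if not os.path.isdir(entries_dir):
        return None  # an unpatched dom0 lands here: no entries, so no GUID for fwupd
    entries = []
    for name in sorted(os.listdir(entries_dir)):
        entry = {}
        for field in ENTRY_FIELDS:
            with open(os.path.join(entries_dir, name, field)) as fh:
                entry[field] = fh.read().strip()
        entries.append(entry)
    return entries

def system_firmware_guid(entries):
    """GUID fwupd takes for the system firmware device: fw_class of the first type-1 entry."""
    for entry in entries or ():
        if int(entry["fw_type"], 0) == 1:
            return entry["fw_class"].lower()
    return None

def report(root=ESRT_ROOT):
    """One status line per entry, or a message naming the dom0 failure mode."""
    entries = parse_esrt(root)
    if entries is None:
        return "ESRT not visible under %s: fwupd cannot derive the system firmware GUID" % root
    return "\n".join("%s %s version=%s last_attempt_status=%s" % (e["fw_class"],
        FW_TYPES.get(int(e["fw_type"], 0), "?"), e["fw_version"], e["last_attempt_status"]) for e in entries)

def make_sample_esrt():
    """Constructed ESRT tree with made-up GUIDs (not from any real machine) for offline runs."""
    root = tempfile.mkdtemp(prefix="esrt-")
    sample = [("11111111-2222-3333-4444-555555555555", "1", "16"),   # system firmware
              ("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "2", "3")]    # device firmware
    for i, (guid, fw_type, version) in enumerate(sample):
        entry_dir = os.path.join(root, "entries", "entry%d" % i)
        os.makedirs(entry_dir)
        for field, value in zip(ENTRY_FIELDS, (guid, fw_type, version, "1", "0x0", version, "0")):
            with open(os.path.join(entry_dir, field), "w") as fh:
                fh.write(value + "\n")
    return root
```

Running report() with the default root on a dom0 that lacks the kernel patch prints the "not visible" message; with the patch applied it lists the real entries, and the first type-1 fw_class should match the GUID fwupdmgr shows for the system firmware.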
If you want to reproduce our results, have a look at the documentation.
Heads update
According to the Heads documentation, Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. Qubes OS is the preferred operating system to run under Heads. If you are installing Heads for the first time, you need to take apart your laptop and use an SPI programmer to flash the BIOS chips. A firmware update could be done the same way, but there are easier ways to deliver it. The first option is to build the Heads update file from source and deliver the firmware on a USB drive. The qubes-fwupd wrapper offers another way to update the Heads firmware: the fwupd daemon reads the BIOS information from the DMI, then the wrapper compares the current firmware version with the latest one available in the LVFS. If an update is available, qubes-fwupd downloads and extracts the cabinet archive, then verifies the ROM file and copies it to the /boot directory. During the update process, Heads detects the update file and asks the user whether they want to flash the BIOS.
If you want to reproduce our results, have a look at the documentation.
Whonix support
The last, but not least, feature we added is the Whonix flag. It allows the user to use sys-whonix as the UpdateVM. sys-whonix ensures stronger anonymity during downloads because the connection goes through Tor.
Summary
If you have any questions, suggestions, or ideas, feel free to share them in the comment section. If you are interested in similar content, I encourage you to sign up for our newsletter.