March 27, 2019

Linux Foundation Welcomes LVFS Project

lvfs.png

LVFS
LVFS is a secure website that allows hardware vendors to upload firmware updates. It’s used by all major Linux distributions to provide metadata for clients, such as fwupdmgr, GNOME Software and KDE Discover.

The Linux Foundation welcomes the Linux Vendor Firmware Service (LVFS) as a new project. LVFS is a secure website that allows hardware vendors to upload firmware updates. It’s used by all major Linux distributions to provide metadata for clients, such as fwupdmgr, GNOME Software and KDE Discover.

To learn more about the project’s history and goals, we talked with Richard Hughes, upstream maintainer of LVFS and Principal Software Engineer at Red Hat.

Linux Foundation: Briefly, what is Linux Vendor Firmware Service (LVFS)? Can you give us a little background on the project?

Richard Hughes:  A long time ago I wanted to design and build an OpenHardware colorimeter (a device used to measure the exact colors on screen) as a weekend hobby. To update the devices, I also built a command line tool and later a GUI tool to update just the ColorHug firmware, downloading a list of versions as an XML file from my personal homepage. I got lots of good design advice from Lapo Calamandrei for the GUI (a designer from GNOME), but we concluded it was bad having to reinvent the wheel and build a new UI for each open hardware device.

A few months prior, Microsoft made UEFI UpdateCapsule a requirement for the “Windows 10 sticker.” This meant vendors had to start supporting system firmware updates via a standardized format that could be used from any OS. Peter Jones (a colleague at Red Hat) did the hard work of working out how to deploy these capsules on Linux successfully. The capsules themselves are just binary executables, so what was needed was the same type of metadata that I was generating for ColorHug, but in a generic format.

Some vendors like Dell were already generating some kinds of metadata and trying to support Linux. A lot of the tools for applying the firmware updates were OEM-specific, usually only available for Windows, and sometimes made dubious security choices. By using the same container file format as proposed by Microsoft (the reason we use a cabinet archive, rather than .tar or .zip) vendors could build one deliverable that worked on Windows and Linux.

Dell has been a supporter ever since the early website prototypes. Mario Limonciello (Senior Principal Software Development Engineer from Dell) has worked with me on both the lvfs-website project and fwupd in equal measure, and I consider him a co-maintainer of both projects. Now the LVFS supports firmware updates on 72 different devices, from about 30 vendors, and has supplied over 5 million firmware updates to Linux clients.

The fwupd project is still growing, supporting more hardware with every release. The LVFS continues to grow, adding important features like 2 factor authentication, OAuth and various other tools designed to get high-quality metadata from the OEMs and integrate it into ODM pipelines. The LVFS is currently supported by donations, which funds the two server instances and some of the test hardware I use when helping vendors.

Hardware vendors upload redistributable firmware to the LVFS site packaged up in an industry-standard .cab archive along with a Linux-specific metadata file. The fwupd daemon allows session software to update device firmware on the local machine. Although fwupd and the LVFS were designed for desktops, both are also usable on phones, tablets, IoT devices and headless servers.

The LVFS and fwupd daemon are open source projects with contributions from dozens of people from many different companies. Plugins allow many different update protocols to be supported.

Linux Foundation: What are some of the goals of the LVFS project?

Richard Hughes: The short-term goal was to get 95% of updatable consumer hardware supported. With the recent addition of HP that’s now a realistic target, although you have to qualify the 95% with “new consumer non-enterprise hardware sold this year” as quite a few vendors will only support hardware no older than a few years at most, and most still charge for firmware updates for enterprise hardware. My long-term goal is for the LVFS to be seen like a boring, critical part of infrastructure in Linux, much like you’d consider an NTP server for accurate time, or a PGP keyserver for trust.

With the recent Spectre and Meltdown issues hitting the industry, firmware updates are no longer seen as something that just adds support for new hardware or fixes the occasional hardware issue. Now the EFI BIOS is a fully fledged operating system with networking capabilities, companies and government agencies are realizing that firmware updates are as important as kernel updates, and many are now writing in “must support LVFS” as part of any purchasing policy.

Linux Foundation: How can the community learn more and get involved?

Richard Hughes: The LVFS is actually just a Python Flask project, and it’s all free code. If there’s a requirement that you need supporting, either as an OEM, ODM, company, or end user we’re really pleased to talk about things either privately in email, or as an issue or pull request on GitHub. If a vendor wants a custom flashing protocol added to fwupd, the same rules apply, and we’re happy to help.

Quite a few vendors are testing the LVFS and fwupd in private, and we agree to only do the public announcement when everything is working and the legal and PR teams gives the thumbs up. From a user point of view, we certainly need to tell hardware vendors to support fwupd and the LVFS, before the devices are sitting on shelves.

We also have a low-volume LVFS announce mailing list, or a user fwupd mailing list for general questions. Quite a few people are helping to spread the word, by giving talks at local LUGs or conferences, or presenting information in meetings or elsewhere. I’m happy to help with that, too.

This article originally appeared at Linux Foundation

Click Here!