Fwupd 2.1.6 Improves Firmware Update Handling on Linux

Fwupd 2.1.6 fixes several security-related issues, including safer manifest validation, sealed memfd input handling, and device-version checks.

Fwupd 2.1.6 was released as the latest maintenance update to the Linux firmware update daemon, with a new --filter-protocol option for both fwupdmgr and fwupdtool, allowing users and administrators to narrow firmware operations by protocol.

The release also adds a new Host Security ID (HSI) attribute for coreboot verified boot, extending fwupd’s ability to report platform security characteristics.

On the UEFI side, the release adds hashes for the latest DBX updates for offline machines, separates the UEFI Memory Protection HSI attribute from NX compatibility, and fixes the display of the HP UEFI db certificate. It also fixes KEK update installation when using snapd by sending the correct blob and raises the parser item limit from 100 to 1000 for large KEKs.

There are also improvements for enterprise and server update flows. In particular, fwupd now handles HPE Redfish reset-required updates better and logs out of the Redfish session when required on HPE hardware. It also avoids checking efivar free space on VMware, Google Compute Engine, and Amazon EC2 virtual machines.

On the firmware parsing side, fwupd 2.1.6 adds support for parsing Hayden Bridge Thunderbolt firmware and introduces several validation fixes. These include avoiding integer overflow in the IFWI CPD manifest length check, fixing integer underflow when Elan firmware is smaller than one page, and validating Raydium touchpad buffer sizes before direct index access.
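The three parsing fixes above are instances of one pattern: a length, size or index that comes from the firmware image or the device must be bounded before it is used in arithmetic or as an array index. The following C is an added illustration of that pattern, written for this article; it is not fwupd's code and does not reproduce the IFWI, Elan or Raydium parsers. The `DEMO_PAGE_SIZE` value and all function names are assumptions chosen for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed page size for the demonstration (not a value taken from fwupd). */
#define DEMO_PAGE_SIZE 4096u

/* Length check the way it is often first written: `offset + len` is computed
 * in uint32_t, so a large len wraps the sum back below bufsz and the check
 * passes even though the region lies far outside the buffer. */
bool manifest_region_ok_naive(uint32_t offset, uint32_t len, uint32_t bufsz)
{
    return offset + len <= bufsz;
}

/* Overflow-free form: never build the sum; bound offset first, then compare
 * len against the space that actually remains after it. */
bool manifest_region_ok_safe(uint32_t offset, uint32_t len, uint32_t bufsz)
{
    if (offset > bufsz)
        return false;
    return len <= bufsz - offset;
}

/* Underflow case: an image smaller than one page makes `bufsz - PAGE_SIZE`
 * wrap to a huge unsigned value if the size is not checked first.
 * Returns false instead of handing back a wrapped offset. */
bool last_page_offset(size_t bufsz, size_t *offset_out)
{
    if (bufsz < DEMO_PAGE_SIZE)
        return false;
    *offset_out = bufsz - DEMO_PAGE_SIZE;
    return true;
}

/* Direct-index case: a device-supplied index is checked against the buffer
 * size before it is used to read. Returns false for out-of-range access. */
bool read_entry(const uint8_t *buf, size_t bufsz, size_t idx, uint8_t *out)
{
    if (buf == NULL || idx >= bufsz)
        return false;
    *out = buf[idx];
    return true;
}
```

The naive check is kept only to show why the fixes matter: with `offset = 0xFFFFFFF0`, `len = 0x20` and a 256-byte buffer the wrapped sum is `0x10`, so the unsafe version accepts a region that starts beyond the end of the buffer, while the safe version rejects it.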

Apart from that, the release brings several device-specific fixes. These include fixing a possible NULL pointer dereference when updating SteelSeries firmware, a Genesys GL32xx device locker crash caused by an argument mismatch, AMD SME detection by checking the SMEE hardware bit directly, and avoiding truncation of the AMD Kria FRU board area offset.

On the security side, the tool now requires sealed memfd input to prevent possible TOCTOU attacks and sanitizes the Jabra GNP device version more securely. It also validates Lenovo dock device-reported program sizes before use, reducing the chance of bad device data causing update problems.
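Requiring a sealed memfd closes the check-then-use window: once a memfd carries the write, grow, shrink and seal seals, no process can change its bytes or length after the daemon has inspected them. The C below is an added example written for this article, not fwupd's own code, showing how a receiver can verify those seals with the Linux `F_GET_SEALS` fcntl and how a sealed blob refuses further writes. It assumes a Linux kernel and glibc with memfd support; the function names are chosen for the demonstration, and the fallback constant values are the standard Linux ones.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef F_ADD_SEALS            /* fallbacks if the headers hid the GNU extensions */
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW 0x0004
#define F_SEAL_WRITE 0x0008
#endif
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#define MFD_ALLOW_SEALING 0x0002U
int memfd_create(const char *name, unsigned int flags);
#endif

/* Seals a caller-supplied fd must carry before its contents are trusted.
 * With all four set, neither the bytes nor the length can change after the
 * receiver's checks run. */
#define REQUIRED_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* True only for a memfd with every required seal. A regular file makes
 * F_GET_SEALS fail with EINVAL and is rejected as well. */
bool fd_is_sealed_memfd(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0)
        return false;
    return (seals & REQUIRED_SEALS) == REQUIRED_SEALS;
}

/* Demonstration helper (constructed): build a memfd holding `len` bytes and,
 * if `seal` is set, apply the required seals. Returns the fd or -1. */
int make_memfd(const void *data, size_t len, bool seal)
{
    int fd = memfd_create("demo-firmware", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len)
        goto fail;
    if (seal && fcntl(fd, F_ADD_SEALS, REQUIRED_SEALS) < 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* Exercise both paths; returns a bitmask of which properties held:
 *   bit 0: the sealed fd is accepted
 *   bit 1: the unsealed fd is rejected
 *   bit 2: a write to the sealed fd is refused with EPERM
 * or -1 if the memfds could not be created. */
int sealed_memfd_demo(void)
{
    static const char blob[] = "constructed firmware payload";
    int result = 0;

    int sealed = make_memfd(blob, sizeof blob, true);
    int unsealed = make_memfd(blob, sizeof blob, false);
    if (sealed < 0 || unsealed < 0) {
        if (sealed >= 0)
            close(sealed);
        if (unsealed >= 0)
            close(unsealed);
        return -1;
    }
    if (fd_is_sealed_memfd(sealed))
        result |= 1;
    if (!fd_is_sealed_memfd(unsealed))
        result |= 2;
    errno = 0;
    if (write(sealed, "x", 1) == -1 && errno == EPERM)
        result |= 4;
    close(sealed);
    close(unsealed);
    return result;
}

int main(void)
{
    /* Exit 0 when all three properties hold (bitmask 7). */
    return sealed_memfd_demo() == 7 ? 0 : 1;
}
```

The check is cheap and belongs at the trust boundary, before any parsing: a sender that forgets `MFD_ALLOW_SEALING` or skips `F_ADD_SEALS` is turned away with a clear error rather than being parsed while another process could still rewrite the blob.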

Hardware support has been expanded as well, though modestly. Fwupd 2.1.6 adds support for Lenovo dual-bank accessory dongles and paired peripherals, which should improve firmware update coverage for supported Lenovo accessories.

Other fixes include creating the ESP OS directory if missing, detecting the BCR device on Celeron LPC SPI controllers, falling back to binary firmware when no specific MTD image type is set, fixing fwupd-refresh service issues, improving USI dock progress reporting, re-processing device metadata when required after all devices are added, and showing “authenticating” only after a short delay.

For more details, check out the release notes.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
