fwupd 0.9.5 and new goodies

I’ve just released the latest version of fwupd from the development branch. 0.9.5 has the usual bug fixes, translation updates and polish, but also provides two new goodies:

We now support for updating Logitech peripherals over a protocol helpfully called DFU, which is not to be confused with the standard USB DFU protocol. This allows us to update devices such as the K780 keyboard over the Unifying layer. Although it takes a few minutes to complete, it works reliably and allows us to finally fix the receiver end of the MouseJack vulnerability. Once the user has installed the Unifying dongle update and in some cases a peripheral update they are secure again. The K780 update is in “testing” on the LVFS if anyone wants to try this straight away. You should send huge thanks to Logitech as they have provided me access to the documentation, hardware and firmware engineers required to make this possible. All the released Logitech firmwares will move to the “stable” state once this new fwupd release has hit Fedora updates-testing.

The other main feature in this release is the Intel Management Engine plugin. The IME is the source of the recent AMT vulnerability that affects the “ME blob” that is included in basically every consumer PC sold in the last decade. Although we can’t flash the ME blob using this plugin, it certainly makes it easy to query the hardware and find out if you are running a very insecure system. This plugin is more that inspired by the AMT status checker for Linux by Matthew Garrett, so you should send him cookies, not me. Actually updating the ME blob would be achieved using the standard UEFI UpdateCapsule, but it would mean your vendor does have to upload a new system firmware to the LVFS. If you’ve got a Dell you are loved, other vendors are either still testing this and don’t want to go public yet (you know who you are) or don’t care about their users. If you still don’t know what the LVFS is about, see the whitepaper and then send me an email. Anyway, obligatory technical-looking output:

$ fwupdmgr get-devices
  Guid:                 2800f812-b7b4-2d4b-aca8-46e0ff65814c
  DeviceID:             /dev/mei
  DisplayName:          Intel AMT (unprovisioned)
  Plugin:               amt
  Flags:                internal
  Version:              9.5.30
  VersionBootloader:    9.5.30

If the AMT device is present, and the display name has provisioned and the AMT version is between 6.0.x and 11.2.x, and you have not upgraded your firmware, you are vulnerable to CVE-2017-5689 and you should disable AMT in your system firmware. I’ve not yet decided if this should bubble up to the session in the form of a notification bubble, ideas welcome.

The new release is currently building for Fedora, and might be available in other distributions at some point.

Published by

hughsie

Richard has over 10 years of experience developing open source software. He is the maintainer of GNOME Software, PackageKit, GNOME Packagekit, GNOME Power Manager, GNOME Color Manager, colord, and UPower and also contributes to many other projects and opensource standards. Richard has three main areas of interest on the free desktop, color management, package management, and power management. Richard graduated a few years ago from the University of Surrey with a Masters in Electronics Engineering. He now works for Red Hat in the desktop group, and also manages a company selling open source calibration equipment. Richard's outside interests include taking photos and eating good food.

12 thoughts on “fwupd 0.9.5 and new goodies”

  1. The Fedora RPMs from Koji work for me just fine. The only downside to all of this is that Dell doesn’t support my Latitude E5570…

    Anyway just one thing:
    > If the AMT device is present, and the display name has
    > provisioned and the AMT version is between 6.0.x and
    > 11.2.x, you are vulnerable to CVE-2017-5689 […]

    > I’ve not yet decided if this should bubble up to the session
    > in the form of a notification bubble, ideas welcome.

    If you can determine reliably if a system is vulnerable I think a (one time?) notification is a good thing. Ideally the user can access some dialog in Gnome (at any time) to verify that everything is fine (e.g. you dismissed the notification too fast or after updating you want to see that it worked…

    Just one caveat: According to Dell their AMT is also secure after the latest Bios updates even though it has version number 11.0.26.x.

  2. Thanks for all your hard work! This is the piece of Linux software that I love following the most!

  3. It’s great to see the hardware support expanding.

    I have a Crucial SSD that could do with a firmware update. I’m sure it would be a lot simpler to update it through fwupd than the vendor process of making a live disk. Is there any likelihood of fwupd supporting SSDs? Should I contact Crucial and tell them how great it would be if they joined fwupd?

  4. When trying to update an unifying receiver on Fedora 25 I get this error:
    Updating RQR12.07_B0029 on Unifying Receiver…
    Writing… failed to erase fw @0x00: failed to send data: Device 046d:aaaa has not been opened

    fwupd version is 0.9.5-1 from the testing repository.
    Any idea what goes wrong?

    Thanks for your hard work on making firmware updates easy.

    1. Is this reproducible? If so, please open an issue against fwupd on github and provide the fwupd –verbose output. Thanks!

  5. Well, the receiver update went fine, but my Logitech K780 seems bricked now with a red/green flashing light.

    The updates appeared in the Update section and it hang during the process. I don’t think it is a good idea to have firmware updates in the software section (Fedora 26).

    So far the searches on usual engines did not offer any hints on the bricked K780.

    1. It’s not bricked, it’s in bootloader mode. If you turn it off, turn it on, run “fwupdmgr update” it should complete the update.

Comments are closed.