Updating UEFI Firmware by fwupd

Note: Flashing UEFI/BIOS firmware may cause abnormal computer operation; please proceed with caution.

A brief explanation first: in recent years, computers typically boot using UEFI. Some manufacturers may still refer to it as BIOS, but in reality the firmware might be UEFI.

There are various methods to update UEFI firmware. Some manufacturers provide ISO images containing the update program; in other cases the UEFI firmware can read an update from external storage or download it from the network.

However, not every manufacturer offers these convenient methods. Some may only provide executable programs for Windows, posing challenges for Linux users.

Install fwupd

fwupd is a device firmware update program that, by default, downloads updates from the Linux Vendor Firmware Service (LVFS).

Installation methods vary for different Linux distributions. Here’s an example using Arch Linux:

Firstly, install the fwupd package:

sudo pacman -S fwupd

If your device has Secure Boot enabled, you need to sign the UEFI program provided by fwupd-efi. Here, we’ll use the sbsigntools package, but you can also use tools like sbctl.

sudo pacman -S sbsigntools

sudo sbsign --key keyfile --cert certfile /usr/lib/fwupd/efi/fwupdx64.efi

You can use a Pacman Hook to automate the signing process.

# /etc/pacman.d/hooks/sign-fwupd-secureboot.hook

[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = usr/lib/fwupd/efi/fwupdx64.efi

[Action]
When = PostTransaction
Exec = /usr/bin/sbsign --key keyfile --cert certfile /usr/lib/fwupd/efi/fwupdx64.efi
Depends = sbsigntools

If you’re not using Shim, set DisableShimForSecureBoot to true in /etc/fwupd/uefi_capsule.conf and restart fwupd.service.

Obtain Update Program

If the manufacturer supports LVFS for your device, you can use fwupdmgr update to directly install updates. Check the list of supported devices.

This article mainly covers another scenario. If your device manufacturer (e.g., Lenovo Ideapad) only provides an executable program for Windows, you need to download this program and extract the UEFI Capsule file from it.

There are various methods to extract the UEFI Capsule file. Typically, you can use the innoextract program.

sudo pacman -S innoextract
innoextract /path/to/update.exe

Find the UEFI Capsule file in the extracted files, usually with a .cap file extension.

Install Update

This is the key part of the process. First, get the ID of the System Firmware device (either the device ID or the GUID is acceptable) by executing the following command and looking for the relevant entry in the output.

sudo fwupdmgr get-devices

Then, use fwupdtool to install the UEFI Capsule file.

sudo fwupdtool install-blob /path/to/uefi_capsule.cap <id>
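
Before running the install-blob command above, the extracted .cap file can be checked against the System Firmware GUID reported by fwupdmgr get-devices. The following is an added example, not part of the original post or of fwupd: it assumes the file begins with an EFI_CAPSULE_HEADER as defined in the UEFI specification, and the names inspect_capsule and make_sample and the sample GUID are constructed for illustration.

```python
import hashlib
import struct
import uuid

# EFI_CAPSULE_HEADER (UEFI spec): CapsuleGuid[16], then HeaderSize, Flags and
# CapsuleImageSize, each a little-endian UINT32.
HEADER = struct.Struct("<16sIII")
FLAGS = {
    0x00010000: "PERSIST_ACROSS_RESET",
    0x00020000: "POPULATE_SYSTEM_TABLE",
    0x00040000: "INITIATE_RESET",
}


def inspect_capsule(blob: bytes, expected_guid: str) -> dict:
    """Parse the capsule header and list reasons not to flash this blob."""
    if len(blob) < HEADER.size:
        raise ValueError("file is shorter than an EFI_CAPSULE_HEADER")
    raw_guid, header_size, flags, image_size = HEADER.unpack_from(blob)
    guid = uuid.UUID(bytes_le=raw_guid)  # EFI GUIDs are stored mixed-endian
    problems = []
    if guid != uuid.UUID(expected_guid):
        problems.append(f"capsule GUID {guid} does not match device GUID")
    if not HEADER.size <= header_size <= len(blob):
        problems.append(f"implausible HeaderSize {header_size}")
    if image_size != len(blob):
        problems.append(f"CapsuleImageSize {image_size} != file size {len(blob)}")
    return {
        "guid": str(guid),
        "header_size": header_size,
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "sha256": hashlib.sha256(blob).hexdigest(),  # compare with a vendor hash if one is published
        "problems": problems,
    }


def make_sample(guid: str, payload: bytes, declared_size=None) -> bytes:
    """Constructed test capsule: 28-byte header followed by payload."""
    total = HEADER.size + len(payload)
    size = total if declared_size is None else declared_size
    return HEADER.pack(uuid.UUID(guid).bytes_le, HEADER.size, 0x00050000, size) + payload


if __name__ == "__main__":
    DEVICE_GUID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
    good = make_sample(DEVICE_GUID, b"\xaa" * 64)
    truncated = good[:-10]  # simulates an incomplete extraction
    for name, blob in (("good", good), ("truncated", truncated)):
        print(name, inspect_capsule(blob, DEVICE_GUID))
```

These checks catch a wrong or truncated file; they do not authenticate the image.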

After successful installation, you’ll be prompted to restart the computer. After restarting, you usually need to set ‘Linux-Firmware-Updater’ as the first boot option and restart the computer again.

Your computer should now enter the UEFI Capsule update program. Make sure to connect to the power source to prevent interruptions during the update.

Wait for some time, and the update should be complete. Don’t forget to revert the boot order.

Licensed under CC BY-NC-SA 4.0