Introducing the Linux Vendor Firmware Service
Richard Hughes, Principal Software Engineer, Red Hat, [email protected]

The Introduction Story
● What hardware?
● What updates?
● Where from?
● How to apply?

The Introduction Story : ColorHug

The Introduction Story : BIOS

Easiest way to infect hardware?
● Missing protections
● Failed root-of-trust
● Implanted updates
● Unsigned updater
● Malicious devices
● ???

The Grand Design™
● fwupd
  – 100% free software (LGPLv2+)
  – Mechanism
  – Used by users, typically with a GUI
● lvfs-website
  – 100% free software (GPLv2+)
  – Data source
  – Used by vendors: OEMs and ODMs
The Grand Design™ : Architecture
The Grand Design™ : GNOME Software
Layers of Security
LVFS : It’s just a website...
Bi-directional Feedback : User Reports
Bi-directional Feedback : Auto Demotion
Bi-directional Feedback : Signed Reports
Privacy Concerns : Trust Me
● Mirror the LVFS using PULP
● Vendor secrecy
Vendor Relationships : User Permissions
Firmware Analysis
Firmware Analysis : Comparing Shards
Firmware Analysis : UpdateCapsule
Firmware Analysis : Certificates
Firmware Analysis : Raising the Bar
Firmware Analysis : Device Lifecycle
Vendor Relationships : Complicated
● OBV → ODM → OEM → User
● “Trade secret” update protocols
Attestation and Dashboards
World Domination : Green Ticks
● Increasing requirement for “3 LVFS ticks”
  – Dell, Lenovo, Google, Red Hat, various UK and US governmental departments
● Change in tone
World Domination : Vendor Support
User Search Results
Looking to the Future
● Dashboard, albeit with caveats
● The few remaining vendors: ASUS, Microsoft, etc.
● More tests, possibly using external companies
Thank you!
● Question Everything!
  – (except asking what vendors are testing in secret!)
  – https://www.fwupd.org/
  – https://github.com/fwupd/lvfs-website