Introducing the Vendor Service

Richard Hughes, Principal Software Engineer, Red Hat

The Introduction Story

● What hardware?
● What updates?
● Where from?
● How to apply?

The Introduction Story : ColorHug

The Introduction Story : BIOS

Easiest way to infect hardware?

● Missing protections
● Failed root-of-trust
● Implanted updates
● Unsigned updater
● Malicious devices
● ???

The Grand Design™

● fwupd
  – 100% free software (LGPLv2+)
  – Mechanism
  – Used by users, typically with a GUI
● lvfs-website
  – 100% free software (GPLv2+)
  – Data source
  – Used by vendors: OEMs and ODMs

The Grand Design™ : Architecture

The Grand Design™ : GNOME Software

Layers of Security

LVFS : It’s just a website...

Bi-directional Feedback : User Reports

Bi-directional Feedback : Auto Demotion

Bi-directional Feedback : Signed Reports

Privacy Concerns : Trust Me

● Mirror the LVFS using PULP
● Vendor secrecy

Vendor Relationships : User Permissions

Firmware Analysis

Firmware Analysis : Comparing Shards
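The shard comparison this slide refers to, as an added illustration rather than fwupd's or the LVFS's own code: each firmware release is modelled as a dict of already-extracted shards keyed by a placeholder name standing in for a UEFI file GUID, so the work of splitting a real capsule into firmware volumes and files is assumed to have happened beforehand. The sample images and the denylist digest are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ShardDiff:
    """Result of comparing two releases shard by shard."""
    added: frozenset
    removed: frozenset
    changed: frozenset
    unchanged: frozenset


def shard_hashes(shards):
    """Return {shard_name: sha256_hexdigest} for a dict of shard contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in shards.items()}


def compare_shards(old, new):
    """Classify every shard present in either release.

    A shard is 'changed' only when it exists in both releases with different
    content; a shard present on one side only is 'added' or 'removed'.
    """
    old_h = shard_hashes(old)
    new_h = shard_hashes(new)
    old_names, new_names = set(old_h), set(new_h)
    both = old_names & new_names
    return ShardDiff(
        added=frozenset(new_names - old_names),
        removed=frozenset(old_names - new_names),
        changed=frozenset(n for n in both if old_h[n] != new_h[n]),
        unchanged=frozenset(n for n in both if old_h[n] == new_h[n]),
    )


def flag_known_bad(shards, denylist):
    """Names of shards whose content digest appears in a denylist.

    Hashing per shard rather than per image is what lets one bad component
    be recognised across many vendors' builds that embed the same file.
    """
    return {name for name, digest in shard_hashes(shards).items() if digest in denylist}


# Constructed sample data: names stand in for UEFI file GUIDs and the
# contents are placeholder bytes, not real firmware.
OLD_FW = {
    "dxe-core": b"dxe core v1",
    "usb-driver": b"usb driver v1",
    "network-stack": b"network stack v1",
    "oem-setup": b"oem setup v1",
}
NEW_FW = {
    "dxe-core": b"dxe core v1",             # untouched between releases
    "usb-driver": b"usb driver v2",         # legitimately updated
    "network-stack": b"network stack v1",
    "debug-shell": b"debug shell left in",  # new shard: worth a reviewer's attention
}

# Constructed denylist: the digest of a shard decided to be unshippable.
KNOWN_BAD = {hashlib.sha256(b"debug shell left in").hexdigest()}


if __name__ == "__main__":
    diff = compare_shards(OLD_FW, NEW_FW)
    print("added:", sorted(diff.added))
    print("removed:", sorted(diff.removed))
    print("changed:", sorted(diff.changed))
    print("flagged:", sorted(flag_known_bad(NEW_FW, KNOWN_BAD)))
```

The practical point is the narrowing: a diff against the previous release of the same device reduces review to the shards that actually changed or appeared, and the per-shard digest lets a component already known to be bad be matched no matter which OEM image it was embedded in.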

Firmware Analysis : UpdateCapsule

Firmware Analysis : Certificates

Firmware Analysis : Raising the Bar

Firmware Analysis : Device Lifecycle

Vendor Relationships : Complicated

● OBV → ODM → OEM → User
● “Trade secret” update protocols

Attestation and Dashboards

World Domination : Green Ticks

● Increasing requirement for “3 LVFS ticks”
  – Dell, Google, Red Hat, various UK and US governmental departments
● Change in tone

World Domination : Vendor Support

User Search Results

Looking to the Future

● Dashboard, albeit with caveats
● The few remaining vendors, ASUS, Microsoft, etc.
● More tests, possibly using external companies

Thank you!

● Question Everything!
  – (except asking what vendors are testing in secret!)
  – https://www.fwupd.org/
  – https://github.com/fwupd/lvfs-website