2

I want to be able to block updating my system's firmware with fwupd as later BIOS versions block the ability to undervolt the CPU (yes I'm aware this leaves my system susceptible to plundervolt and later security vulnerabilities).

I am running KDE Plasma on Ubuntu 20.04 (where the fwupdmgr version is 1.7.5) and typically update via Discover. Previously I just disabled the LVFS remote in Discover, but this has the unintended consequence of blocking all updates (including for other devices) from the LVFS.

Looking at the output of fwupdmgr --help, I can see there is a block-firmware [CHECKSUM] subcommand but, as far as I can see, this only blocks specific firmware versions from being installed whereas I want to block any updates to the 'System Firmware' device. Is this possible?

3
  • Similar problem, where I'll have an external device that has issues after a certain firmware version. Would like to prevent the update from showing up too.
    – xorinzor
    Commented May 10, 2022 at 13:22
  • askubuntu.com/a/18656/128292 Commented May 15, 2022 at 8:06
  • I don't think that's relevant as fwupd is separate from the normal Ubuntu package manager (dpkg/apt). Commented May 16, 2022 at 9:03

1 Answer

2

I'm on fwupdmgr 1.8.1. This works for me: check the 'GUIDs' listed in the 'System Firmware' section:

$ fwupdmgr get-updates
Devices with no available firmware updates: 
 • SSD 970 EVO 2TB
 • UEFI dbx
Devices with the latest available firmware version:
 • Package level of Dell dock
 • RTS5413 in Dell dock
 • RTS5487 in Dell dock
 • VMM5331 in Dell dock
 • WD19
 • KXG60ZNV256G NVMe TOSHIBA 256GB
Precision 7730
│
└─System Firmware:
  │   Device ID:          deadbeefc0e948deadbeef16a5f703f3deadbeef
  │   Summary:            UEFI ESRT device
  │   Current version:    1.10.1
  │   Minimum Version:    1.10.1
  │   Vendor:             Dell (DMI:Dell Inc.)
  │   Update State:       Success
  │   GUIDs:              db72c932-b3c6-beef-b382-3fdeadbeef7b
  │                       230c8b18-dead-53ec-838b-6deadbeef93a ← main-system-firmware
  │   Device Flags:       • Internal device

In the /etc/fwupd/daemon.conf file, add them to the DisabledDevices var:

--- /etc/fwupd/daemon.conf.bak  2022-06-17 11:03:12.910125870 +0200
+++ /etc/fwupd/daemon.conf      2022-06-17 11:13:42.965451740 +0200
@@ -2,7 +2,7 @@
 
 # Allow blocking specific devices by their GUID
 # Uses semicolons as delimiter
-DisabledDevices=
+DisabledDevices=db72c932-b3c6-4640-b382-3f4619ab447b;230c8b18-dead-53ec-838b-6deadbeef93a
 
 # Allow blocking specific plugins
 # Uses semicolons as delimiter
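Review bot: the first GUID on the added DisabledDevices line (db72c932-b3c6-4640-b382-3f4619ab447b) does not match the first GUID shown in the get-updates listing above it (db72c932-b3c6-beef-b382-3fdeadbeef7b), so the value should be copied from your own machine's `fwupdmgr get-updates` output, not from this hunk. The second GUID does match the listing. Entries must be separated by `;`, as the context comment in the hunk states, and the author notes below that listing both GUIDs rather than one was not tested.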

(One of them may be enough, didn't test)

Restart fwupd and refresh:

$ sudo systemctl restart fwupd

$ fwupdmgr refresh --force
Updating lvfs
Downloading…             [***************************************]
Successfully downloaded new metadata: 6 local devices supported

I used to see 7 supported devices in there.

Verify:

$ fwupdmgr get-updates
Devices with no available firmware updates: 
 • SSD 970 EVO 2TB
 • UEFI dbx
Devices with the latest available firmware version:
 • Package level of Dell dock
 • RTS5413 in Dell dock
 • RTS5487 in Dell dock
 • VMM5331 in Dell dock
 • WD19
 • KXG60ZNV256G NVMe TOSHIBA 256GB
No updates available

Yay!
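As an added example (not part of the original answer and not fwupd's own tooling), the shell functions below extract the GUIDs of one device from `fwupdmgr get-updates` text and check that a `DisabledDevices=` line is made of well-formed GUIDs separated by semicolons. The function names and the sample output are constructed for illustration, and the parser assumes the section layout shown in the answer.

```shell
#!/bin/sh
# Added example: derive and check a DisabledDevices= line for /etc/fwupd/daemon.conf.
# Function names are hypothetical; the parser assumes the text layout quoted above.

GUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

# Read `fwupdmgr get-updates` text on stdin and print the GUIDs of the
# device section named $1, joined with ';'.
guids_for_device() {
    awk -v hdr="$1:" '
        substr($0, length($0) - length(hdr) + 1) == hdr { dev = 1; next }
        dev && /:$/     { exit }   # next device header: section had no GUIDs
        dev && /GUIDs:/ { list = 1; print; next }
        list && /:/     { exit }   # the next "Key:" line ends the GUID list
        list            { print }  # continuation line carrying another GUID
    ' | grep -Eo "$GUID_RE" | paste -sd ';' -
}

# Succeed only if $1 is "DisabledDevices=" followed by nothing or by GUIDs
# separated by ';' (one trailing ';' is tolerated). Catches ',' and ':' typos.
check_disabled_line() {
    value=${1#DisabledDevices=}
    [ "$value" != "$1" ] || return 1     # key missing or misspelled
    value=${value%;}
    [ -n "$value" ] || return 0          # empty list: nothing is blocked
    printf '%s\n' "$value" | tr ';' '\n' | grep -Evxq "$GUID_RE" && return 1
    return 0
}

# Constructed sample shaped like the output in the answer (GUIDs are made up).
SAMPLE='Example Laptop
│
└─System Firmware:
  │   Device ID:          0000000000000000000000000000000000000000
  │   Current version:    1.10.1
  │   GUIDs:              11111111-2222-3333-4444-555555555555
  │                       aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee ← main-system-firmware
  │   Device Flags:       • Internal device
└─Example Dock:
  │   GUIDs:              99999999-8888-7777-6666-555555555555
  │   Device Flags:       • Updatable'

line="DisabledDevices=$(printf '%s\n' "$SAMPLE" | guids_for_device 'System Firmware')"
check_disabled_line "$line" && printf '%s\n' "$line"
```

On a real system, pipe `fwupdmgr get-updates` into `guids_for_device 'System Firmware'` and run `check_disabled_line` on the line before restarting fwupd.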

1
  • Thanks! This worked perfectly for me with v1.7.5 as well (once I stopped being an idiot and realised that a semicolon is ; and not : or ,). Commented Jun 23, 2022 at 22:25
