This talk was held at 9elements Cyber Security’s Open Source Firmware Conference in Silicon Valley.
Presenter: Richard Hughes
The LVFS is a website which allows hardware vendors to upload firmware updates. This site is used by all major Linux distributions to securely provide metadata for clients such as fwupdmgr and GNOME Software. There is no charge to vendors for the hosting or distribution of content, and both the website and client-side mechanism are free software.
Since its inception nearly three years ago, the LVFS has shipped over 7 million firmware files to Linux users, and now updates over 500,000 devices a month. Over the last few years the LVFS has grown from a hobby project with a monthly budget of $22 to a supported project managed by the Linux Foundation. Using the power of open source, reverse engineering and determination we’ve convinced Dell, Logitech, Lenovo, HP (and dozens more vendors) to ship both free and proprietary firmware to Linux users, greatly improving the security of all of our hardware. The LVFS is so ingrained into our ecosystem that increasingly big companies like Google and government departments are requiring hardware to be supported by the LVFS before purchases are approved. Dell even requires all hardware suppliers to use the LVFS too.
Far from being just a giant FTP archive of blobs, the LVFS actually validates and checks the uploaded firmware using tools like CHIPSEC and MEA for common issues. This ensures that firmware problems are caught before being sent to millions of computers. With this analysis, we can also make sure the vendors include all the security issues fixed in the update description without accidentally missing anything out. Users can also provide optional automated and anonymous success/failure reports back to the vendor, so many real-world problems can be quickly identified.
This talk will cover some of the history of LVFS, and detail how we got to where we are today. I’ll show the workflow for an OEM or ODM, and also explain how the automated tests work. They’ll be lots of screenshots and not much writing.