UEFI capsule works exactly the same (for board firmware updates), it sends the firmware to the UEFI, the machine will reboot and then the UEFI will do the update. You are just starting the process from the OS, anything dangerous is done by the UEFI alone with no OS loaded at all.

This is what the HP and Dell and whatnot firmware update windows applications did since years ago.

Only lazy dumbfucks like mobo manufacturers kept using the horribly unsafe shit applications actually flashing the board firmware from Windows, and on some boards that's still a possibility, but afaik it's thankfully dying out in favor of doing it through the UEFI interface only.
Same as it took a way too long time to actually get the fuckers to drop the requirement to use a DOS boot disk (or even a floppy) to flash manually the firmware as the only alternative to Windows flashing, and this is still a thing for their server offering afaik. I don't even know if the more new Supermicro (which isn't a shit brand) have migrated to a non-stupid way of firmware updating.

Which is one of the reasons why Intel in their infinite Wisdom has decided that the CSM (the legacy boot module, to boot in BIOS mode) will go away in a few years. That way board manufacturers will either have to implement UEFI updates from inside the UEFI firmware itself, or through the capsules, as you won't be able to boot FreeDOS anymore.

And that's exactly what LVFS does, it tells your firmware to update from the UEFI capsule the next time the system reboots. It never attempts an UEFI update from a running system.

It would be nice if ASUS/Gigabyte/MSI got on-board but there's also the potential for some big problems. I'm not sure I would want emerge -uv world or dnf -y update to install a new BIOS (or other firmware for that matter). There has been some bugs like https://bugzilla.redhat.com/show_bug.cgi?id=1608242#c17 where my machine didn't even boot Linux after upgrading the BIOS.

Also pay attention to the news on other sites about how ASUS was serving signed malware to millions of users for years - malware which is right now on a very large percentage of ASUS Windows computers.. https://www.theinquirer.net/inquirer...ackdoor-hijack ..LVFS has the potential to be a major large-scale disaster. It really does. I am not saying it will be or that it is likely or that anything indicates that it is or will be. What I am saying is that LVFS is absolutely a single point of failure which could, if compromised, cause issues.

That's not a bug of the LVFS but a firmware bug. Updating through LVFS does not make UEFI updates bug-free. Also afaik it does not happen automatically.

Nah, it's just distributing blobs from vendors, they don't sign themselves, so even if LVFS itself is compromised none can add malware on it (it would fail the signature check on flashing).

Now, if the vendor's own security is so fucking bad that they manage to get hacked and host malware signed with their own key on their own servers, then this can also be loaded on LVFS too, but at this point you can only blame the vendor.

LVFS is a great thing in my opinion and one of the areas where Linux is miles ahead of other OS's, I love being able to update firmware without running heaps of vendor software in the background as you would on windows.

I was quite surprised recently when I plugged an old mouse into a machine running Ubuntu and it promoted me to update the firmware on it.

FUJITSU (server mobos), anyone?

Just a matter of time for HP to officially support majority of consumer HP hardware.

According to LVFS vendor list, currently under testing

Thank's for the hint!

Intel decides UEFI specification, and CSM will disappear from 2020 onward on both Intel and AMD boards. https://www.zdnet.com/article/intel-...pport-by-2020/

I guess you won't be able to clone your drives anymore.