Microsoft's Component Firmware Update Is Their Latest Short-Sighted Spec

Written by Michael Larabel in Microsoft on 15 August 2019 at 08:03 AM EDT. 13 Comments
Microsoft's newest specification is the "Component Firmware Update" that they envision as a standard for OEMs/IHVs to be able to handle device firmware/microcode updating in a robust and secure manner. While nice in theory, the actual implementation has a number of issues that complicate the process and could quickly evolve into another troubling specification from Microsoft in the hardware space.

Red Hat's Richard Hughes who is the lead developer on Fwupd and LVFS for firmware updating on Linux has written a lengthy blog post with his thoughts after studying the specification. Now that vendors have begun asking him about CFU, he's getting his opinions out there now and there are issues with the specification. Ultimately though if there is enough interest/adoption, he could support Component Firmware Update via Fwupd but he certainly isn't eager to do so.

Among the issues Richard takes with the Component Firmware Update specification is its pre-download phase with offloading dependency resolution to the micro-controller, the scope of the resolution handling being difficult for multi-component SoCs/devices, greater flash storage requirements for devices, and the concept of CFU updates happening in the background without any user interaction.

Richard ended his blog post with "Not a fan, but could support in fwupd if required."

The CFU protocol specification is at least open and available on GitHub.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week