
firmware update extension using fwupd

Open rgl opened this issue 3 years ago • 1 comments

It would be really nice to have a way to manage the physical nodes' firmware using https://fwupd.org/.

For example, in Fedora, this can typically be used as:

```bash
# add support for installing firmware/bios/uefi/intel-me updates.
dnf install -y fwupd-efi

# list the system devices that can be updated.
fwupdmgr get-devices

# list the available firmware updates.
fwupdmgr get-updates

# update the firmwares.
fwupdmgr update

# reboot to apply the update (required for bios/firmware/uefi/intel-me).
reboot

# check the result.
fwupdmgr get-updates
```

rgl, May 19 '22 07:05

There was also a small discussion on Slack about firmware updates on Talos some time ago. Since messages older than 90 days are hidden on Slack, here are the (relevant) messages from that thread:


by @stereobutter Has anybody opinions/experience on firmware updates of Talos nodes? fwupd depends on systemd (although some people appear to have been able to build this for use without systemd, see https://github.com/fwupd/fwupd/issues/1408#issuecomment-583615169). I imagine one could bundle the appropriate firmware for the node and use fwupdtool to manually update (e.g. from a daemonset with appropriate permissions) instead of running the fwupd daemon.

by @rothgar I found this, but TL;DR: the answer is no https://github.com/fwupd/fwupd/discussions/4020

by @rothgar FWIW a long time ago I flashed HP firmware from a daemonset. It was using the HP RHEL installer and mounted the hardware into the pod. It worked great (even HDD firmware), but fwupd would be even better.

by @stereobutter What you did for the HP firmware sounds similar to what I had in mind using fwupdtool which is just a standalone CLI that does the installation without the fwupd daemon.

by @stereobutter Another consideration is how this works together with Secure Boot when updating the EFI. At least according to https://wiki.archlinux.org/title/fwupd#:~:text=the%20operating%20system.-,Secure%20Boot,-Currently%2C%20fwupd there is a shim involved that will do the update during the next boot. I'd imagine one would have to include this in the Talos rootfs as well? Seems like a really big can of worms unfortunately.

stereobutter, Apr 05 '24 19:04