fwupd wrapper for QubesOS
Operating System: Qubes OS R4.1 or Qubes OS R4.0
Admin VM (dom0): Fedora 25 or higher
Template VM: Fedora 30
Whonix VM: whonix-gw-15
fwupd version - dom0: 0.9.5 or higher
fwupd version - VMs: 1.2.6 or higher
qubes-fwupd does not support dom0 updates and downgrades for fwupd 0.9.5 and older. Use sys-usb to update external devices.
==========================================================================================
Usage:
==========================================================================================
Command: qubes-fwupdmgr [OPTION…][FLAG..]
Example: qubes-fwupdmgr refresh --whonix --url=<url>
Options:
==========================================================================================
get-devices: Get all devices that support firmware updates
get-updates: Get the list of updates for connected hardware
refresh: Refresh metadata from remote server
update: Update chosen device to latest firmware version
update-heads: Updates heads firmware to the latest version
downgrade: Downgrade chosen device to chosen firmware version
clean: Delete all cached update files
Flags:
==========================================================================================
--whonix: Download firmware updates via Tor
--device: Specify device for heads update (default - x230)
--url: Address of the custom metadata remote server
Help:
==========================================================================================
-h --help: Show help options
For development purpose:
- Clone qubes-builder. Make sure that you have enough space in your VM. You will need at least 10GB.
$ git clone https://github.com/QubesOS/qubes-builder.git
$ cd qubes-builder
- Copy specific config file from the
example-configs
directory
cp example-configs/qubes-os-master.conf builder.conf
- Add the following to the
builder.conf
GIT_URL_fwupd = https://github.com/3mdeb/qubes-fwupd
NO_CHECK += fuwpd
...
COMPONENTS = ...
builder \
builder-debian \
builder-rpm \
fwupd
- Download sources
$ make get-sources
- Install dependencies
$ make install-deps
- Install python2
# dnf install python2
- You may need to remount the current filesystem
$ make remount
- Build packages (First build takes close to 30 min, so you can grab some coffee)
$ make fwupd
-
The build artifacts are placed in: -- dom0 package -
qubes-builder/qubes-src/fwupd/pkgs/dom0-fc32/x86_64
-- vm package -qubes-builder/qubes-src/fwupd/pkgs/vm-fc32/x86_64
-- whonix package -qubes-builder/qubes-src/fwupd/pkgs/vm-buster
-
Run fedora template VM and copy VM package from qubes builder:
$ qvm-copy qubes-fwupd-vm-0.2.0-1.fc32.x86_64.rpm
- Install package dependencies
# dnf install cabextract fwudp
- Run terminal in the template VM and go to
~/QubesIncoming/<qubes-builderVM>
. Compare sha sums of the package in TemplateVM and qubes-builder VM. If they match, install the package:
# rpm -U qubes-fwupd-vm-0.2.0-1.fc32.x86_64.rpm
-
Shutdown TemplateVM
-
Run whonix-gw-15 and copy whonix a package from qubes builder VM
$ qvm-copy qubes-fwupd-vm-whonix_0.2.0+deb10u1_amd64.deb
- Download dependencies
# apt install cabextract fwudp
- Run terminal in the whonix-gw-15 and go to
~/QubesIncoming/qubes-builder
. Compare sha sums of the package in TemplateVM and qubes-builder VM. If they match, install the package:
# dpkg -i qubes-fwupd-vm-whonix_0.2.0+deb10u1_amd64.deb
-
Shutdown whonix-gw-15
-
Run dom0 terminal in the dom0 and copy package
$ qvm-run --pass-io <qubes-builder-vm-name> \
'cat <qubes-builder-repo-path>/qubes-src/fwupd/pkgs/dom0-fc32/x86_64/qubes-fwupd-dom0-0.2.0-1.fc32.x86_64.rpm' > \
qubes-fwupd-vm-0.2.0-1.fc32.x86_64.rpm
- Install package dependencies
# qubes-dom0-update cabextract fwudp python36
-
Make sure that sys-firewall, sys-whonix, and sys-usb (if exists) are running.
-
Compare the sha sums of the package in dom0 and qubes-builder VM. If they match, install the package:
# rpm -U qubes-fwupd-dom0-0.2.0-1.fc32.x86_64.rpm
-
Reboot system (or reboot sys-firewall, sys-whonix, and sys-usb)
-
Run the tests to verify the installation process
A test case covers the whole qubes_fwupdmgr script. It could be run outside the Qubes OS. If the requirements of a single test are not met, it will be omitted. To run the tests, move to the repo directory and type the following:
$ python3 -m unittest -v test.test_qubes_fwupdmgr
test_clean_cache (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_downgrade_firmware (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... skipped 'Required device not connected'
test_download_firmware_updates (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... skipped 'requires Qubes OS'
test_download_metadata (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... skipped 'requires Qubes OS'
test_get_devices (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... skipped 'requires Qubes OS'
test_get_devices_qubes (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... skipped 'requires Qubes OS'
test_get_updates (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... skipped 'requires Qubes OS'
test_get_updates_qubes (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... skipped 'requires Qubes OS'
test_help (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_output_crawler (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_parse_downgrades (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_parse_parameters (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_parse_updates_info (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_refresh_metadata (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... skipped 'requires Qubes OS'
test_user_input_choice (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_user_input_downgrade (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_user_input_empty_list (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_user_input_n (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_verify_dmi (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_verify_dmi_argument_version (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_verify_dmi_version (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
test_verify_dmi_wrong_vendor (test.test_qubes_fwupdmgr.TestQubesFwupdmgr) ... ok
----------------------------------------------------------------------
Ran 22 tests in 0.003s
OK (skipped=8)
In the dom0, move to:
$ cd /usr/share/qubes-fwupd/
Run the tests with sudo privileges:
# python3 -m unittest -v test.test_qubes_fwupdmgr
Note: If the whonix tests failed, make sure that you are connected to the Tor
Make sure that you are using Python 3.6!
# python36 -m unittest -v test.test_qubes_fwupdmgr
Note: If the whonix tests failed, make sure that you are connected to the Tor
# qubes-fwupdmgr [refresh/update/downgrade] --whonix [FLAG]
More specified information you will find in the whonix documentation.
# qubes-fwupdmgr [update/downgrade]
Requirements and more specified information you will find in the UEFI capsule update documentation.
# qubes-fwupdmgr update-heads --device=x230 --url=<custom-metadata-url>
Requirements and more specified information you will find in the heads update documentation.