// Blame: 16b31cc9 AZ
[[chapter_firmware_updates]]
Firmware Updates
----------------
ifdef::wiki[]
:pve-toplevel:
endif::wiki[]

Firmware updates from this chapter should be applied when running {pve} on a
bare-metal server. Whether configuring firmware updates is appropriate within
guests, e.g. when using device pass-through, depends strongly on your setup and
is therefore out of scope.

Regular firmware updates for devices are just as important for proper operation
as regular software updates. There are several ways to obtain and apply those
updates. The methods listed in this chapter can also be combined to minimize the
chance of missing an important update.

TIP: After a firmware update, a system reboot is the safest way to apply the
new version.


[[sysadmin_firmware_persistent]]
Persistent Firmware
~~~~~~~~~~~~~~~~~~~
The following methods write the new firmware permanently to the respective
device. The firmware therefore remains up to date regardless of the booted
operating system.

TIP: When using a user space application or 'fwupd', the hardware must usually
have been manufactured after 2014, the system must have been booted with UEFI
and the EFI partition manually mounted.

CAUTION: When updating the BIOS/UEFI itself, its settings are usually reset. Be
prepared to reconfigure them afterwards.


[[sysadmin_firmware_persistent_vendor_specific]]
Vendor-specific
^^^^^^^^^^^^^^^
Firmware updates are usually available from the vendor directly. Please check
with your vendor what options are available.

Depending on the platform and vendor, there are convenient methods available.
For servers, examples are Dell's Lifecycle Manager or Service Packs from HPE.
Sometimes there are Linux utilities available as well. Examples are
https://network.nvidia.com/support/firmware/mlxup-mft/['mlxup'] for NVIDIA
ConnectX or
https://techdocs.broadcom.com/us/en/storage-and-ethernet-connectivity/ethernet-nic-controllers/bcm957xxx/adapters/software-installation/updating-the-firmware/manually-updating-the-adapter-firmware-on-linuxesx.html['bnxtnvm'/'niccli']
for Broadcom network cards.


[[sysadmin_firmware_persistent_lvfs_fwupd]]
Linux Vendor Firmware Service (LVFS) via fwupd
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
On https://fwupd.org['LVFS'], vendors can make their firmware updates available
in a standardized way to a wide range of Linux hosts. Here is the growing list
of participating https://fwupd.org/lvfs/vendors/[vendors] and their currently
supported https://fwupd.org/lvfs/devices/[devices].

To use 'fwupd', manually mount the
https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysboot_installer_part_scheme[EFI System Partition]
(ESP) you booted from on `/boot/`. After installing the package 'fwupd', update
the firmware with the following commands:

----
# fwupdmgr refresh
# fwupdmgr get-updates
# fwupdmgr update
# reboot
----
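
The two preconditions named above (UEFI boot and a mounted ESP) can be checked before running `fwupdmgr`. The following is an added example, not part of the {pve} documentation; the function name and its second and third arguments are hypothetical and exist only so the check can be run against constructed files.

```shell
#!/bin/sh
# Added example: verify the fwupd preconditions before touching firmware.
# Arguments 2 and 3 are hypothetical overrides for testing; their defaults
# are the real kernel interfaces.
#
# fwupd_preflight ESP_MOUNTPOINT [EFI_SYSFS_DIR] [MOUNTS_FILE]
# returns 0 = ready
#         1 = system was not booted with UEFI
#         2 = nothing is mounted on ESP_MOUNTPOINT
#         3 = the file system mounted there is not FAT
fwupd_preflight() {
    fp_mp="${1:-/boot/}"
    fp_efi="${2:-/sys/firmware/efi}"
    fp_mounts="${3:-/proc/self/mounts}"

    # /proc/self/mounts lists mount points without a trailing slash.
    [ "$fp_mp" = "/" ] || fp_mp="${fp_mp%/}"

    # The kernel only creates this directory when it was started via UEFI.
    if [ ! -d "$fp_efi" ]; then
        echo "system was not booted with UEFI" >&2
        return 1
    fi

    # Fields: device mountpoint fstype options dump pass. The last match
    # wins because a later mount shadows an earlier one on the same path.
    fp_type=$(awk -v mp="$fp_mp" '$2 == mp { t = $3 } END { print t }' \
        "$fp_mounts")

    # Assumption: the ESP is FAT formatted and therefore mounted as vfat.
    case "$fp_type" in
        vfat) return 0 ;;
        "")   echo "nothing is mounted on $fp_mp" >&2; return 2 ;;
        *)    echo "$fp_mp is $fp_type, not an ESP" >&2; return 3 ;;
    esac
}

# Typical use on the host, as root:
#   fwupd_preflight /boot/ && fwupdmgr refresh && fwupdmgr get-updates
```
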


[[sysadmin_firmware_runtime_files]]
Runtime Firmware Files
~~~~~~~~~~~~~~~~~~~~~~
The following methods keep the firmware files available at the {pve} host and do
not persist them on the device itself. Whenever a device is initialized, usually
during the boot process, the corresponding firmware is loaded into the RAM of
the respective device. These methods do not provide and cannot update firmware
that is used in the very early boot process (e.g. BIOS/UEFI, hard disks).

In {pve} the package `pve-firmware` is already installed by default. Therefore,
with the normal system updates (APT), the included firmware of common hardware
is automatically kept up to date. Be aware that CPU microcode updates are
located in a separate Debian repository component, which is not configured by
default.


[[sysadmin_firmware_runtime_files_debian_repo]]
Debian Firmware Repository
^^^^^^^^^^^^^^^^^^^^^^^^^^
Starting with Debian Bookworm ({pve} 8), non-free firmware (as defined by
https://www.debian.org/social_contract#guidelines[DFSG]) has been moved to the
newly created Debian repository component `non-free-firmware`. It contains
firmware for CPUs (called microcode) as well as other firmware. In the past,
CPUs have repeatedly had security vulnerabilities in addition to other issues.
Using this update method additionally to apply microcode updates is convenient,
safe and fast.

To be able to install microcode updates or other firmware from the
`non-free-firmware` component, edit the file `/etc/apt/sources.list`, append
`non-free-firmware` to the end of each of the three Debian repository lines and
run `apt-get update`.

To keep the CPU microcode up to date, depending on the vendor, install the
package `intel-microcode` or `amd64-microcode` and reboot your {pve} host
afterwards.
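
The `sources.list` edit and the vendor-dependent package choice described above can be scripted as follows. This is an added example, not part of the {pve} documentation: the function names and the sample file are constructed for illustration, and matching Debian lines by a `debian.org` mirror host is an assumption.

```shell
#!/bin/sh
# Added example: enable non-free-firmware and pick the microcode package.

# Constructed sample of a Proxmox VE 8 /etc/apt/sources.list.
sample_sources_list() {
    cat <<'EOF'
deb http://ftp.debian.org/debian bookworm main contrib
deb http://ftp.debian.org/debian bookworm-updates main contrib
# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
EOF
}

# Reads a sources.list on stdin and writes the edited copy to stdout.
# Only Debian repository lines are changed; comments and non-Debian
# repositories pass through. Lines that already carry the component are
# left alone, so running it twice is safe.
enable_non_free_firmware() {
    awk '
    /^deb(-src)?[ \t]/ && /debian\.org/ {
        for (i = 1; i <= NF; i++)
            if ($i == "non-free-firmware") { print; next }
        sub(/[ \t]+$/, "")
        print $0 " non-free-firmware"
        next
    }
    { print }'
}

# Prints the microcode package matching the CPU vendor.
# The optional argument is a hypothetical override of /proc/cpuinfo.
microcode_package() {
    mp_vendor=$(awk -F'[ \t]*:[ \t]*' \
        '$1 == "vendor_id" { print $2; exit }' "${1:-/proc/cpuinfo}")
    case "$mp_vendor" in
        GenuineIntel) echo intel-microcode ;;
        AuthenticAMD) echo amd64-microcode ;;
        *) echo "unknown CPU vendor: $mp_vendor" >&2; return 1 ;;
    esac
}
```

Write the output of `enable_non_free_firmware < /etc/apt/sources.list` to a temporary file and compare it with the original before replacing it, then run `apt-get update` and install the package printed by `microcode_package`.
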