[pve-docs.git] / firmware-updates.adoc

[[chapter_firmware_updates]]
Firmware Updates
----------------
ifdef::wiki[]
:pve-toplevel:
endif::wiki[]

Firmware updates from this chapter should be applied when running {pve} on a
bare-metal server. Whether configuring firmware updates is appropriate within
guests, e.g. when using device pass-through, depends strongly on your setup and
is therefore out of scope.

Regular firmware updates for devices are just as important for proper operation
as regular software updates. There are several ways to obtain and apply those
updates. The methods listed in this chapter can also be combined to minimize the
chance of missing an important update.

TIP: When a firmware was updated, a system reboot is the safest way to apply the
new version.


[[sysadmin_firmware_persistent]]
Persistent Firmware
~~~~~~~~~~~~~~~~~~~
The following methods write the new firmware permanently to the respective
device. The firmware therefore remains up to date regardless of the booted
operating system.

TIP: When using a user space application or 'fwupd', the hardware must usually
have been manufactured after 2014, the system must have been booted with UEFI
and the EFI partition manually mounted.

CAUTION: When updating the BIOS/UEFI itself, its settings are usually reset. Be
prepared to reconfigure them afterwards.


[[sysadmin_firmware_persistent_vendor_specific]]
Vendor-specific
^^^^^^^^^^^^^^^
Firmware updates are usually available from the vendor directly. Please check
with your vendor what options are available.

Depending on the platform and vendor, there are convenient methods available.
For servers, for example, Dell's Lifecycle Manager or Service Packs from HPE.
Sometimes there are Linux utilities available as well. Examples are
https://network.nvidia.com/support/firmware/mlxup-mft/['mlxup'] for NVIDIA
ConnectX or
https://techdocs.broadcom.com/us/en/storage-and-ethernet-connectivity/ethernet-nic-controllers/bcm957xxx/adapters/software-installation/updating-the-firmware/manually-updating-the-adapter-firmware-on-linuxesx.html['bnxtnvm'/'niccli']
for Broadcom network cards.


[[sysadmin_firmware_persistent_lvfs_fwupd]]
Linux Vendor Firmware Service (LVFS) via fwupd
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
On https://fwupd.org['LVFS'], vendors can make their firmware updates available
in a standardized way to a wide range of Linux hosts. Here is the growing list
of participating https://fwupd.org/lvfs/vendors/[vendors] and their currently
supported https://fwupd.org/lvfs/devices/[devices].

To use 'fwupd', manually mount your
https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysboot_installer_part_scheme[EFI System Partition]
(ESP) you booted from on `/boot/`. After installing the package 'fwupd', update
firmware with the following commands:
----
# fwupdmgr refresh
# fwupdmgr get-updates
# fwupdmgr update
# reboot
----


[[sysadmin_firmware_runtime_files]]
Runtime Firmware Files
~~~~~~~~~~~~~~~~~~~~~~
The following methods keep the firmware files available at the {pve} host and do
not persist it on the device itself. Whenever a device is initialized, usually
during the boot process, the corresponding firmware is loaded into the RAM of
the respective device. These methods do not provide and can not update firmware
that is used in the very early boot process (e.g. BIOS/UEFI, hard disks).

In {pve} the package `pve-firmware` is already installed by default. Therefore,
with the normal system updates (APT), the included firmware of common hardware
is automatically kept up to date. Be aware that CPU microcode updates are
located in a separate Debian repository component, which is not configured by
default.


[[sysadmin_firmware_runtime_files_debian_repo]]
Debian Firmware Repository
^^^^^^^^^^^^^^^^^^^^^^^^^^
Starting with Debian Bookworm ({pve} 8) non-free firmware (as defined by
https://www.debian.org/social_contract#guidelines[DFSG]) has been moved to the
newly created Debian repository component `non-free-firmware`. It contains
firmware for CPUs (called microcode) as well as other firmware. In the past,
CPUs repeatedly had security vulnerabilities beside other issues. Using this
update method (additional) to apply microcode updates is convenient, safe and
fast.

To be able to install microcode updates or other firmware from the
`non-free-firmware` component, edit the file `/etc/apt/sources.list`, append
`non-free-firmware` to the end of each of the three Debian repository lines and
run `apt-get update`.

To keep the CPU microcode up to date, depending on the vendor, install the
package `intel-microcode` or `amd64-microcode` and reboot your {pve} host
afterwards.
Commit	Line	Data
16b31cc9 AZ	1	[[chapter_firmware_updates]]
	2	Firmware Updates
	3	----------------
	4	ifdef::wiki[]
	5	:pve-toplevel:
	6	endif::wiki[]
	7
	8	Firmware updates from this chapter should be applied when running {pve} on a
	9	bare-metal server. Whether configuring firmware updates is appropriate within
	10	guests, e.g. when using device pass-through, depends strongly on your setup and
	11	is therefore out of scope.
	12
	13	Regular firmware updates for devices are just as important for proper operation
	14	as regular software updates. There are several ways to obtain and apply those
	15	updates. The methods listed in this chapter can also be combined to minimize the
	16	chance of missing an important update.
	17
	18	TIP: When a firmware was updated, a system reboot is the safest way to apply the
	19	new version.
	20
	21
	22	[[sysadmin_firmware_persistent]]
	23	Persistent Firmware
	24	~~~~~~~~~~~~~~~~~~~
	25	The following methods write the new firmware permanently to the respective
	26	device. The firmware therefore remains up to date regardless of the booted
	27	operating system.
	28
	29	TIP: When using a user space application or 'fwupd', the hardware must usually
	30	have been manufactured after 2014, the system must have been booted with UEFI
	31	and the EFI partition manually mounted.
	32
	33	CAUTION: When updating the BIOS/UEFI itself, its settings are usually reset. Be
	34	prepared to reconfigure them afterwards.
	35
	36
	37	[[sysadmin_firmware_persistent_vendor_specific]]
	38	Vendor-specific
	39	^^^^^^^^^^^^^^^
	40	Firmware updates are usually available from the vendor directly. Please check
	41	with your vendor what options are available.
	42
	43	Depending on the platform and vendor, there are convenient methods available.
	44	For servers, for example, Dell's Lifecycle Manager or Service Packs from HPE.
	45	Sometimes there are Linux utilities available as well. Examples are
	46	https://network.nvidia.com/support/firmware/mlxup-mft/['mlxup'] for NVIDIA
	47	ConnectX or
	48	https://techdocs.broadcom.com/us/en/storage-and-ethernet-connectivity/ethernet-nic-controllers/bcm957xxx/adapters/software-installation/updating-the-firmware/manually-updating-the-adapter-firmware-on-linuxesx.html['bnxtnvm'/'niccli']
	49	for Broadcom network cards.
	50
	51
	52	[[sysadmin_firmware_persistent_lvfs_fwupd]]
	53	Linux Vendor Firmware Service (LVFS) via fwupd
	54	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	55	On https://fwupd.org['LVFS'], vendors can make their firmware updates available
	56	in a standardized way to a wide range of Linux hosts. Here is the growing list
	57	of participating https://fwupd.org/lvfs/vendors/[vendors] and their currently
	58	supported https://fwupd.org/lvfs/devices/[devices].
	59
	60	To use 'fwupd', manually mount your
	61	https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysboot_installer_part_scheme[EFI System Partition]
	62	(ESP) you booted from on `/boot/`. After installing the package 'fwupd', update
	63	firmware with the following commands:
	64	----
65	# fwupdmgr refresh
66	# fwupdmgr get-updates
67	# fwupdmgr update
68	# reboot
69	----
70
71
72	[[sysadmin_firmware_runtime_files]]
73	Runtime Firmware Files
74	~~~~~~~~~~~~~~~~~~~~~~
75	The following methods keep the firmware files available at the {pve} host and do
76	not persist it on the device itself. Whenever a device is initialized, usually
77	during the boot process, the corresponding firmware is loaded into the RAM of
78	the respective device. These methods do not provide and can not update firmware
79	that is used in the very early boot process (e.g. BIOS/UEFI, hard disks).
80
81	In {pve} the package `pve-firmware` is already installed by default. Therefore,
82	with the normal system updates (APT), the included firmware of common hardware
83	is automatically kept up to date. Be aware that CPU microcode updates are
84	located in a separate Debian repository component, which is not configured by
85	default.
86
87
88	[[sysadmin_firmware_runtime_files_debian_repo]]
89	Debian Firmware Repository
90	^^^^^^^^^^^^^^^^^^^^^^^^^^
91	Starting with Debian Bookworm ({pve} 8) non-free firmware (as defined by
92	https://www.debian.org/social_contract#guidelines[DFSG]) has been moved to the
93	newly created Debian repository component `non-free-firmware`. It contains
94	firmware for CPUs (called microcode) as well as other firmware. In the past,
95	CPUs repeatedly had security vulnerabilities beside other issues. Using this
96	update method (additional) to apply microcode updates is convenient, safe and
97	fast.
98
99	To be able to install microcode updates or other firmware from the
100	`non-free-firmware` component, edit the file `/etc/apt/sources.list`, append
101	`non-free-firmware` to the end of each of the three Debian repository lines and
102	run `apt-get update`.
103
104	To keep the CPU microcode up to date, depending on the vendor, install the
105	package `intel-microcode` or `amd64-microcode` and reboot your {pve} host
106	afterwards.