How do I run firmware updates with the new snap store?

paddylandau · April 25, 2025, 4:25pm

SOLVED!

Ubuntu Version:

Ubuntu 22.04

Desktop Environment (if applicable):

Gnome

Problem Description:

Ubuntu 22.04 came with a version of snap-store that automatically handled firmware updates. When a firmware update arrived, the snap-store displayed it in the updates section. When I clicked the button to update, it would somehow implement the update so that when I restarted the computer, the BIOS would install the firmware update.

However, I have since updated the snap-store, so now I have the same version that’s in Ubuntu 24.04. The UI is completely different, and it appears to handle only snaps, not anything else — at least, as far as I can tell; I could be wrong!

So, I don’t know how to handle firmware updates.

Important background

I tell the system to check for firmware updates daily with this command:

fwupdmgr refresh

That’s the snap fwupd, version 2.0.7.

My questions

How do I check whether or not I have a pending firmware update? (The above-mentioned refresh is the only fwupdmgr command that I know!)
When I have a pending firmware update, how do I implement that update?

I am perfectly happy to use the command line instead of the GUI.

Hardware

Dell OptiPlex 5480 AIO

Thank you

1fallen · April 25, 2025, 4:40pm

I depend on CLI, and I just use:

fwupdmgr refresh
Updating lvfs
Downloading…             [************************************** ]

Successfully downloaded new metadata: Updates have been published for 1 local device
##Next I use
fwupdmgr get-updates
Devices with no available firmware updates: 
 • ELAN06FA:00 04F3:31DD
 • (null)
 • Broadcom BCM20702A0 Bluetooth
 • CT500P5SSD8
 • Hub
 • KEK CA
 • SSD PM871 2.5 7mm 256GB
 • System Firmware
 • UEFI Device Firmware
 • UOEOS Laptop Dock
 • WD Blue SN570 500GB
Devices with the latest available firmware version:
 • UEFI dbx
No updates available

More can be found in the help section:

fwupdmgr --help

fwupdmgr --help
Usage:
fwupdmgr [OPTION…]

activate [DEVICE-ID|GUID] Activate devices
block-firmware [CHECKSUM] Blocks a specific firmware from being installed
clear-results DEVICE-ID|GUID Clears the results from the last update
device-emulate [FILENAME1] [FILENAME2]
Emulate a device using a JSON manifest
device-test [FILENAME1] [FILENAME2]
Test a device using a JSON manifest
device-wait GUID|DEVICE-ID Wait for a device to appear
disable-remote REMOTE-ID Disables a given remote
downgrade [DEVICE-ID|GUID] Downgrades the firmware on a device
download LOCATION Download a file
emulation-load FILENAME Load device emulation data
emulation-save FILENAME Save device emulation data
emulation-tag [DEVICE-ID|GUID] Adds devices to watch for future emulation
emulation-untag [DEVICE-ID|GUID] Removes devices to watch for future emulation
enable-remote REMOTE-ID Enables a given remote
get-approved-firmware Gets the list of approved firmware
get-bios-setting [SETTING1] [SETTING2] [–no-authenticate]
Alias to get-bios-settings
get-bios-settings [SETTING1] [SETTING2] [–no-authenticate]
Retrieve BIOS settings. If no arguments are passed all settings are returned
get-blocked-firmware Gets the list of blocked firmware
get-details FILE Gets details about a firmware file
get-devices Get all devices that support firmware updates
get-history Show history of firmware updates
get-plugins Get all enabled plugins registered with the system
get-releases [DEVICE-ID|GUID] Gets the releases for a device
get-remotes Gets the configured remotes
get-results DEVICE-ID|GUID Gets the results from the last update
get-topology Alias to get-devices
get-updates [DEVICE-ID|GUID] Gets the list of updates for connected hardware
get-upgrades [DEVICE-ID|GUID] Alias to get-updates
inhibit [REASON] [TIMEOUT] Inhibit the system to prevent upgrades
install [DEVICE-ID|GUID] [VERSION]
Install a specific firmware file on all devices that match
local-install FILE [DEVICE-ID|GUID]
Install a firmware file in cabinet format on this hardware
modify-config [SECTION] KEY VALUE
Modifies a daemon configuration value
modify-remote REMOTE-ID KEY VALUE
Modifies a given remote
quit Asks the daemon to quit
refresh [FILE FILE_SIG REMOTE-ID]
Refresh metadata from remote server
reinstall [DEVICE-ID|GUID] Reinstall current firmware on the device
report-devices Upload the list of updatable devices to a remote server
report-export Export firmware history for manual upload
report-history Share firmware history with the developers
reset-config SECTION Resets a daemon configuration section
security Gets the host security attributes
security-fix [APPSTREAM_ID] Fix a specific host security attribute
security-undo [APPSTREAM_ID] Undo the host security attribute fix
set-approved-firmware FILENAME|CHECKSUM1[,CHECKSUM2][,CHECKSUM3]
Sets the list of approved firmware
set-bios-setting SETTING1 VALUE1 [SETTING2] [VALUE2]
Sets one or more BIOS settings
switch-branch [DEVICE-ID|GUID] [BRANCH]
Switch the firmware branch on the device
sync Sync firmware versions to the chosen configuration
sync-bkc Alias to sync
unblock-firmware [CHECKSUM] Unblocks a specific firmware from being installed
uninhibit INHIBIT-ID Uninhibit the system to allow upgrades
unlock DEVICE-ID|GUID Unlocks the device for firmware access
update [DEVICE-ID|GUID] Updates all specified devices to latest firmware version, or all devices if unspecified
upgrade [DEVICE-ID|GUID] Alias to update
verify [DEVICE-ID|GUID] Checks cryptographic hash matches firmware
verify-update [DEVICE-ID|GUID] Update the stored cryptographic hash with current ROM contents

Help Options:
-h, --help Show help options

Application Options:
-v, --verbose Show extra debugging information
–version Show client and daemon versions
–download-retries Set the download retries for transient errors
–allow-reinstall Allow reinstalling existing firmware versions
–allow-older Allow downgrading firmware versions
–allow-branch-switch Allow switching firmware branch
–force Force the action by relaxing some runtime checks
-y, --assume-yes Answer yes to all questions
–sign Sign the uploaded data with the client certificate
–no-unreported-check Do not check for unreported history
–no-metadata-check Do not check for old metadata
–no-remote-check Do not check if download remotes should be enabled
–no-reboot-check Do not check or prompt for reboot after update
–no-safety-check Do not perform device safety checks
–no-device-prompt Do not prompt for devices
–no-history Do not write to the history database
–show-all Show all results
–disable-ssl-strict Ignore SSL strict checks when downloading files
–p2p Only use peer-to-peer networking when downloading files
–filter Filter with a set of device flags using a ~ prefix to exclude, e.g. ‘internal,~needs-reboot’
–filter-release Filter with a set of release flags using a ~ prefix to exclude, e.g. ‘trusted-release,~trusted-metadata’
–json Output in JSON format
–no-security-fix Do not prompt to fix security issues
–no-authenticate Don’t prompt for authentication (less details may be shown)

This tool allows an administrator to query and control the fwupd daemon, allowing them to perform actions such as installing or downgrading firmware.

paddylandau · April 25, 2025, 5:36pm

Thank you.

My one returns almost two pages of data!

I’ll run through the fwupdmgr help to see what I can figure out. I’d like to be able to script this, if possible. Well, it must be possible seeing that the old snap-store did it!

1fallen · April 25, 2025, 5:45pm

I use this as my script::

fwupdmgr refresh --force \
    && fwupdmgr get-updates \
    && fwupdmgr update

Oh yes @paddylandau you do remember Topgrade right? GitHub - topgrade-rs/topgrade: Upgrade all the things

 topgrade

── 12:10:41 - System update ────────────────────────────────────────────────────
[sudo] password for me: 
Hit:1 https://ocean.surfshark.com/debian stretch InRelease
Hit:2 http://security.ubuntu.com/ubuntu plucky-security InRelease              
Hit:3 https://brave-browser-apt-release.s3.brave.com stable InRelease          
Hit:4 http://archive.ubuntu.com/ubuntu plucky InRelease                        
Hit:5 http://archive.ubuntu.com/ubuntu plucky-updates InRelease                
Hit:6 http://archive.ubuntu.com/ubuntu plucky-backports InRelease              
Hit:7 https://ppa.launchpadcontent.net/heyarje/makemkv-beta/ubuntu plucky InRelease
Hit:8 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu plucky InRelease
Hit:9 https://ppa.launchpadcontent.net/teejee2008/foss/ubuntu noble InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

── 12:10:51 - snap ─────────────────────────────────────────────────────────────
All snaps up to date.

── 12:10:51 - Firmware upgrades ────────────────────────────────────────────────
Metadata is up to date; use --force to refresh again.
Devices with no available firmware updates: 
 • ELAN06FA:00 04F3:31DD
 • (null)
 • Broadcom BCM20702A0 Bluetooth
 • CT500P5SSD8
 • Hub
 • SSD PM871 2.5 7mm 256GB
 • System Firmware
 • UEFI Device Firmware
 • UOEOS Laptop Dock
 • WD Blue SN570 500GB
Devices with the latest available firmware version:
 • UEFI dbx
No updates available

── 12:10:51 - Cargo ────────────────────────────────────────────────────────────
    Polling registry 'https://index.crates.io/'...

Package       Installed  Latest   Needs update
cargo-update  v16.3.0    v16.3.0  No
starship      v1.22.1    v1.22.1  No
topgrade      v16.0.3    v16.0.3  No

No packages need updating.
    Checking 0 git packages

Package  Installed  Latest  Needs update

No git packages need updating.
Overall updated 0 packages.

── 12:10:52 - Summary ──────────────────────────────────────────────────────────
System update: OK
config-update: OK
snap: OK
Firmware upgrades: OK
cargo: OK

elcste · April 25, 2025, 6:25pm

Have you see the separate Firmware Updater app that is installed by default in recent Ubuntu releases?

paddylandau · April 26, 2025, 12:24pm

Yes, indeed, I do, now that you mention it!

Thank you for this. I was less than successful with this

First, fwupdmgr refresh worked as usual. Here is the response:

Updating lvfs
Downloading…             [               /                       ]
Successfully downloaded new metadata: Updates have been published for 2 of 7 local devices

Second, fwupdmgr get-updates showed that there were available updates — at least, that’s how I understood it; I’m unsure how to interpret the results. See the results [1] below.

Third, fupdmgr update worked, partly, but then failed. See the results [2] below, and again [3] below from when I reran it.

So, I restarted the computer. Normally with firmware updates, the BIOS takes over and updates the firmware; this generally takes several minutes.

However, instead of this, a couple of error message showed briefly, and I was too slow to make a note of them, and I was returned to Grub.

I restarted a second time, and it went straight into Grub without error messages.

So, unfortunately, I don’t know how to proceed!

[1] fwupdmgr get-updates

Devices with no available firmware updates: 
 • PM981a NVMe Samsung 512GB
 • SBAT
 • TPM
 • UEFI Device Firmware
 • UEFI Device Firmware
Dell Inc. OptiPlex 5480 AIO
│
├─System Firmware:
│ │   Device ID:          a028c0ba959eb58c9dc46d85f282e504fc352e60
│ │   Summary:            UEFI System Resource Table device (updated via NVRAM)
│ │   Current version:    1.36.1
│ │   Minimum Version:    1.36.1
│ │   Vendor:             Dell (DMI:Dell Inc.)
│ │   Update State:       Success
│ │   GUID:               f5d534f4-f4c3-4821-a863-285d9dd3e013
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update
│ │   Device Requests:    • Message
│ │ 
│ ├─OptiPlex 5480 AIO System Update:
│ │     New version:      1.38.0
│ │     Remote ID:        lvfs
│ │     Release ID:       108546
│ │     Summary:          Firmware for the Dell OptiPlex 5480 AIO
│ │     License:          Proprietary
│ │     Size:             22.2 MB
│ │     Created:          2025-03-04
│ │     Urgency:          Critical
│ │     Vendor:           Dell
│ │     Release Flags:    • Trusted metadata
│ │                       • Is upgrade
│ │     Description:      
│ │     Dell Technologies highly recommends applying this important update as soon as possible.The update contains critical bug fixes and changes to improve functionality, reliability, and stability of your Dell system.It may include security fixes and other feature enhancements.
│ │     Issue:            DSA-2025-036
│ │     Checksum:         4eda1461d1c03b3d26ba8867cda18141373fff0a2b784fbbf386d69843f51993
│ │   
│ └─OptiPlex 5480 AIO System Update:
│       New version:      1.37.0
│       Remote ID:        lvfs
│       Release ID:       106411
│       Summary:          Firmware for the Dell OptiPlex 5480 AIO
│       License:          Proprietary
│       Size:             22.2 MB
│       Created:          2025-02-03
│       Urgency:          Critical
│       Vendor:           Dell
│       Release Flags:    • Trusted metadata
│                         • Is upgrade
│       Description:      
│       Dell Technologies highly recommends applying this important update as soon as possible.The update contains critical bug fixes and changes to improve functionality, reliability, and stability of your Dell system.It may include security fixes and other feature enhancements.
│       Issues:           DSA-2025-048
│                         DSA-2025-044
│                         DSA-2025-020
│                         DSA-2024-351
│       Checksum:         0f3eb84aa6ea6f9b4ee9cb806fea59e01cd77af05e938d7c551773da5bade16d
│     
└─UEFI dbx:
  │   Device ID:          362301da643102b9f38477387e2193e57abaa590
  │   Summary:            UEFI revocation database
  │   Current version:    20230501
  │   Minimum Version:    20230501
  │   Vendor:             UEFI:Microsoft
  │   Install Duration:   1 second
  │   GUIDs:              4a6cd2cb-8741-5257-9d1f-89a275dacca7 ← UEFI\CRT_E28D59CA489BD2AD580F2EA5D62D6A29BB9C02AE5A818434A37DA7FC11DFF9E9&ARCH_X64
  │                       f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │                       • Cryptographic hash verification is available
  │                       • Device is usable for the duration of the update
  │                       • Only version upgrades are allowed
  │                       • Signed Payload
  │                       • Can tag for emulation
  │ 
  └─Secure Boot dbx Configuration Update:
        New version:      20241101
        Remote ID:        lvfs
        Release ID:       105821
        Summary:          UEFI Secure Boot Forbidden Signature Database
        Variant:          x64
        License:          Proprietary
        Size:             15.1 kB
        Created:          2025-01-17
        Urgency:          High
        Vendor:           Linux Foundation
        Duration:         1 second
        Release Flags:    • Trusted metadata
                          • Is upgrade
        Description:      
        This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
        
        An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
        Issues:           529659
                          CVE-2024-7344
        Checksum:         d661d4a0aaca09dfa9e56967ca2467b0575fc07cb704d182fa8c68225452957f

[2] fwupdmgr update (first time)

╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade System Firmware from 1.36.1 to 1.38.0?                               ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Dell Technologies highly recommends applying this important update as soon   ║
║ as possible.The update contains critical bug fixes and changes to improve    ║
║ functionality, reliability, and stability of your Dell system.It may         ║
║ include security fixes and other feature enhancements.                       ║
║                                                                              ║
║ OptiPlex 5480 AIO must remain plugged into a power source for the duration   ║
║ of the update to avoid damage.                                               ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: 
Waiting…                 [***************************************]
Successfully installed firmware
Do not turn off your computer or remove the AC adapter while the update is in progress.
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 20230501 to 20241101?                                  ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest      ║
║ release from Microsoft.                                                      ║
║                                                                              ║
║ An insecure version of Howyar's SysReturn software was added, due to a       ║
║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot.  ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]:  
Verifying…               [                                       ]
Blocked executable in the ESP, ensure grub and shim are up to date: failed to load /boot/efi/EFI/ubuntu/shimx64.efi: Error opening file /boot/efi/EFI/ubuntu/shimx64.efi: Permission denied

[3] fwupdmgr update (second time)

╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 20230501 to 20241101?                                  ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest      ║
║ release from Microsoft.                                                      ║
║                                                                              ║
║ An insecure version of Howyar's SysReturn software was added, due to a       ║
║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot.  ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: 
Verifying…               [                                       ]
Blocked executable in the ESP, ensure grub and shim are up to date: failed to load /boot/efi/EFI/ubuntu/shimx64.efi: Error opening file /boot/efi/EFI/ubuntu/shimx64.efi: Permission denied

paddylandau · April 26, 2025, 12:28pm

I hadn’t, so I installed it.

sudo snap install firmware-updater

When I run it, it simply says, “No devices found”.
Screenshot from 2025-04-26 13-25-53

1fallen · April 26, 2025, 3:01pm

paddylandau:

Blocked executable in the ESP, ensure grub and shim are up to date: failed to load /boot/efi/EFI/ubuntu/shimx64.efi: Error opening file /boot/efi/EFI/ubuntu/shimx64.efi: Permission denied

Permission denied," it indicates that the system is unable to update the UEFI database (dbx) due to permission issues with the shimx64.efi file. This can be resolved by executing the commands fwupdmgr refresh --force and fwupdmgr update --force to refresh and update the firmware forcefully.

So it runs as:

fwupdmgr refresh --force  ###: Refreshes the firmware metadata forcefully.
fwupdmgr update --force   ###: Updates the firmware forcefully.

paddylandau · April 26, 2025, 5:08pm

Thank you for the advice, @1fallen.

Unfortunately, I had the same result. This time, on restarting the machine, I managed to video the messages before Grub started:

Failed to open \EFI\fwupd\grubx64.efi - Not Found
Failed to open image ??: Not Found
start_image() returned Not Found, falling back to default loader
Failed to open \EFI\fwupd\grubx64.efi - Not Found
Failed to open image ??: Not Found
start_image() returned Not Found

The four question marks were white-on-black.

I wonder what the old snap-store used to do that the current commands aren’t doing?

As the messages are complaining about \EFI\fwupd\grubx64.efi, I listed the contents of /boot/efi/EFI/fwupd:

Permissions Links    Size User Group Date Modified    Name
drwx------      2       - root root  2025-04-26 18:00 fw
.rwx------      1  64,280 root root  2025-03-25 16:37 fwupdx64.efi
.rwx------      1 966,664 root root  2025-03-25 16:37 shimx64.efi

The fw directory is empty.

Do you think that using the snap version of fwupd is the problem? I’m using it, because the one in the repositories (version 1.7.9) has a bug that was affecting my machine.

1fallen · April 26, 2025, 5:39pm

Dang Paddy I can not say for certain, no snaps here. but sounds more related to the version used. Again I can not test my theory.
seems to be outdated though.

fwupd | 1.7.9-1~22.04.3                | jammy-updates     | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
fwupd | 1.9.16-1                       | noble             | source, amd64, arm

ogra · April 26, 2025, 5:49pm

Hmm, why are you on 1.9 ?

ogra@acheron:~$ snap info fwupd
name:      fwupd
summary:   Firmware updates for Linux
publisher: Richard Hughes
store-url: https://snapcraft.io/fwupd
contact:   https://github.com/fwupd/fwupd
license:   LGPL-2.1+
description: |
  The full fwupd firmware updating stack for Linux.  Can be used to perform updates on all supported
  devices via https://fwupd.org
snap-id: HpOj37PuyuaMUZY0NQhtwnp7oS5P8u5R
channels:
  latest/stable:    2.0.7               2025-04-03 (7172) 27MB -
  latest/candidate: 2.0.8               2025-04-09 (7213) 27MB -
  latest/beta:      ↑                                          
  latest/edge:      2.0.8-35-g821bb3169 2025-04-25 (7237) 27MB -
  1.9.x/stable:     1.9.29              2025-04-03 (7140) 24MB -
  1.9.x/candidate:  1.9.29              2025-03-18 (7140) 24MB -
  1.9.x/beta:       ↑                                          
  1.9.x/edge:       1.9.29-5-g35e479a71 2025-03-28 (7184) 24MB -

I’d try switching to the latest stable version:

sudo snap refresh --channel=latest/stable fwupd

If that also fails I’d open an issue at the contact URL from the info output above (seems this snap is actually maintained by upstream themselves …)

EDIT: LOL … I mis-read indeed, 1.9 is the deb in noble, paddy didn’t actually tell the version … sorry …

1fallen · April 26, 2025, 5:54pm

I assume me? If not kindly disregard.

apt policy fwupd
fwupd:
  Installed: 2.0.7-1
  Candidate: 2.0.7-1
  Version table:
 *** 2.0.7-1 500
        500 http://archive.ubuntu.com/ubuntu questing/main amd64 Packages
        100 /var/lib/dpkg/status

That was a rmadison return

I just saw your reply.

Brave how? Foolish Yes Sir, Testing is my passion…wee doggies…LOL

ogra · April 26, 2025, 5:55pm

WOW ! So brave !!!

PS: I missed that yours was a separate post, i thought it was the second half of paddy’s since i had scrolled too fast too far …

paddylandau · April 27, 2025, 11:25am

You might have missed it in my OP:

paddylandau · April 27, 2025, 11:28am

SOLVED!

Thank you everyone for your input.

Looking at your discussion of the fwupd versions, I uninstalled the snap one, and installed the one from the repository (version 1.7.9).

For whatever reason, this worked flawlessly!

What a weird thing.

I think that I should report this, but I don’t know where to report it. Do you have an idea?

ogra · April 27, 2025, 2:00pm

Since it is an issue with the snap, look at my paste of the snap info fwupd output above, the contact link points to a GitHub URL with an issue tracker…

paddylandau · April 27, 2025, 3:35pm

Thank you. The concern that I have is whether this should be reported to the fwupd developer, or to the person who packages it for snap.

Having said that, the link to the packager refers to the GitHub page, so probably that’s where I’ll need to report it.

paddylandau · April 27, 2025, 3:42pm

I see that this has already been reported!

I have added to the conversation.

ogra · April 27, 2025, 5:04pm

Richard Hughes is both (he packages the snap himself)

paddylandau · April 28, 2025, 3:30pm

Thank you, @ogra.

Update to the bug: They’re expecting it to be fixed “later this week”.