A.Z.O.S - Arch Zechert Operating System A.Z.O.S - Arch Zechert Operating System

Firmware Setup#

Missing Firmware for initramfs Generation#

During the initramfs creation with command mkinitcpio -P you might have seen some warnings about potentially missing firmware.

We can try to fix these warnings by installing required firmware packages.

Hint

Warnings from mkinitcpio are just warnings, and can be safely ignored in most situations. The below steps are optional.

Run mkinitcpio -P to see the current set of warnings, then install the missing firmware packages where possible. You can ignore warnings generated by the fallback image creation. Consider only the warnings that are generated during the generation of the normal image.

Here is a list of packages I found useful on my own systems.

  • xhci_pcie: Install yay -S upd72020x-fw from AUR.

Firmware Update#

fwupd is a daemon to simply update firmware of your device - if it is supported by the vendor of your device.

Install sudo pacman -S fwupd udisks2. Enable and start the udisk service systemctl enable udisks2; systemctl start udisks2, then restart fwupd systemctl restart fwupd.

Run the following commands

  • sudo fwupdmgr get-devices list all devices detected by the firmware update tool.
  • sudo fwupdmgr refresh to update with the latest metadata available from the Linux Vendor firmware Service.
  • sudo fwupdmgr get-updates to list all available updates for the systme.
  • sudo fwupdmgr update to perform the updates. WARNING: Before you do this, read the next chapter on Secure Boot!

Secure Boot#

fwupd relies on shim to chainload the fwupd EFI binary on systems with Secure Boot enabled. Since we do not use shim for Secure Boot, this will not work on our system. We need to sign the firmware update binaries with our own keys.

List binaries for UEFI firmware updates with ls /usr/lib/fwupd/efi/fwupdx64.efi. Then sign it and store it at the location /usr/lib/fwupd/efi/fwupdx64.efi.signed:

sbctl sign /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed -s

Create the following hook to sign the file automatically in the future, when pacman updates it.

/etc/pacman.d/hooks/sign-fwupd-secureboot.hook

[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = usr/lib/fwupd/efi/fwupdx64.efi

[Action]
When = PostTransaction
Exec = /usr/bin/sbctl /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed
Depends = sbctl

Finally disabled the unused shim mechanism. Create or modify /etc/fwupd/fwupd.conf

[uefi_capsule]
DisableShimForSecureBoot=true

Restart systemctl restart fwupd.service. You can now run fwupdmgr update to update the firmware on the device.