
Sheogorath's Blog

Updating the UEFI/BIOS of a Lenovo t450s using Fedora


A year ago, my Lenovo X1 Carbon running Fedora greeted me with firmware updates for the first time, using fwupd, an awesome service for integrated firmware updates on Linux. It is a service the Linux community lacked for way too long, and its absence probably leaves millions of Linux setups vulnerable to firmware flaws in the unpatched hardware running underneath the system.[1]

Nowadays I own a Lenovo t450s, which brings me back to the times without fwupd support and the duty to take care of firmware updates myself.

A basic task is the UEFI/BIOS update. Thankfully Lenovo provides a bootable ISO, besides the installer for Windows, that can be used from Linux, though not without some quirks.

Lenovo Firmware update page

IMPORTANT HINT: Whatever you do, this guide might brick your device. When you follow this guide, be aware of possible problems and use your brain. I’m documenting my progress here; don’t consider this guide complete, safe or well-tested. You use it at your own risk.

Prepare the USB stick

First of all, you need a USB stick. The whole UEFI/BIOS image is around 40MB, so any stick you get these days should do. Then follow these steps:

  1. Insert the USB stick into your computer
  2. Open the Lenovo support page and download the firmware ISO
  3. Check the firmware against the checksum provided on the firmware page: echo "<sha256 checksum> <downloaded iso file>" | sha256sum -c
  4. Install the tooling: sudo dnf install geteltorito genisoimage [2]
  5. Extract the El Torito boot image from the ISO into bios.img: geteltorito -o bios.img '<downloaded iso file>'
  6. Write bios.img to the USB stick: sudo dd if=bios.img "of=<your usb device>" bs=1M status=progress
  7. Make sure the changes are written: sync
  8. Shut down your device: systemctl poweroff
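The steps above, wrapped into one script with the two checks I would want before a firmware image touches a disk: the ISO checksum is verified first, and dd only runs when the target is a removable block device according to the kernel. This is an added example, not the post's own script; geteltorito is the tool the post uses, while the function names, the sysfs-based device check and the argument layout are my assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post). Prepares the Lenovo firmware
# USB stick: verify the ISO checksum, extract the El Torito boot image with
# geteltorito, write it to a removable device, flush caches.
set -eu

# Compare a file's SHA-256 with the value published on the firmware page.
# Returns 0 on match, non-zero on mismatch or malformed input. The two spaces
# between hash and file name are the format sha256sum -c expects.
verify_checksum() {
    file=$1
    expected=$2
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status
}

# Refuse to write to anything that is not a removable block device. The
# "removable" flag in /sys/block is the kernel's own view: internal disks
# report 0, USB sticks report 1. Pass the whole device (e.g. /dev/sdX, not a
# partition), which is what the dd step needs anyway. Returns 0 when safe.
is_removable_block_device() {
    dev=$1
    name=$(basename "$dev")
    [ -b "$dev" ] || return 1
    [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" = "1" ]
}

# Full flow. Arguments: ISO path, expected SHA-256 from the download page,
# target USB device. Stops before extracting anything if a check fails.
prepare_usb() {
    iso=$1
    expected=$2
    dev=$3
    verify_checksum "$iso" "$expected" || {
        echo "checksum mismatch for $iso, refusing to continue" >&2
        return 1
    }
    is_removable_block_device "$dev" || {
        echo "$dev is not a removable block device, refusing to write" >&2
        return 1
    }
    geteltorito -o bios.img "$iso"
    sudo dd if=bios.img of="$dev" bs=1M status=progress
    sync
}

# Run the full flow only when invoked with all three arguments, e.g.
#   sh prepare-usb.sh lenovo-update.iso <sha256 from the page> /dev/sdX
if [ "$#" -eq 3 ]; then
    prepare_usb "$1" "$2" "$3"
fi
```

Check the device name with lsblk before running it; the removable check catches the classic mistake of passing an internal disk, but it cannot tell two USB sticks apart.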

Prepare your UEFI/BIOS settings

Lenovo is a bit special when it comes to the settings it needs to successfully update the UEFI/BIOS. I tried multiple configurations to figure those details out; don’t quote me on them if they don’t work for the next update, you might have to tweak things yourself.

  1. Enter the BIOS setup by pressing F1 during boot and entering your “supervisor password”
  2. Switch to the “Security”-tab, select the “Secure Boot” section at the bottom and disable the “Secure Boot” setting
  3. Go back to the “Security”-tab, select the “UEFI BIOS Update Option” and enable “Flash BIOS Updating by End-Users” as well as the “Secure RollBack Prevention” [3]
  4. Leave the “Security”-tab, switch to the “Startup”-tab and set “UEFI/Legacy Boot” to “Legacy Only”
  5. Select the “Boot” section on the “Startup”-tab and put “USB CD” followed by your USB stick at the first positions of the boot order
  6. Finally switch to the “Restart”-tab and select “Exit Saving Changes”

Update your UEFI/BIOS

Your computer should boot again and look a bit dated, showing the BIOS message. It then flickers and maybe starts over, but this time actually shows a new, grey screen that offers you 3 options.

  1. Press the number “1” on your keyboard and read the instructions carefully.
  2. Exit the dialogue and press “2” to start the UEFI/BIOS update. It’ll tell you what to do, and that you have to wait and be careful
  3. Your notebook will look like it’s turned off, but it turns on again after a second or two, this time loading the updater, which will either show up or display an error message
  4. After a successful update it’ll show a short message and reboot or shut down

Change back to production settings

Once the update was successful, it’s time to get out of this weird upgrade configuration and back to production-ready settings.

  1. Enter the Setup menu by pressing F1 during boot and entering your “supervisor password”
  2. Select the “Security”-tab and enter the “Secure Boot” menu, then re-enable “Secure Boot” (this will disable the legacy-boot option and save you changing that setting)
  3. Switch to the “Security”-tab, select “UEFI BIOS Update Option” and disable “Flash BIOS Updating by End-Users” while keeping the “Secure RollBack Prevention” option enabled
  4. Switch to the “Startup”-tab and open the “Boot” settings. Remove all entries except “Fedora” (or your boot disk) from the boot order
  5. Have a quick look at “UEFI/Legacy Boot”; you shouldn’t be able to edit it anymore
  6. Switch to the “Restart”-tab and confirm all changes with “Exit Saving Changes”
  7. Boot into Fedora
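Once you are back in Fedora, it is worth confirming that the flash actually took rather than trusting the updater's message. The kernel exposes the running firmware version through DMI in /sys/class/dmi/id, readable without root. The script below is an added example, not from the post; the function names are mine, and the expected version string is a placeholder you replace with the version listed on the Lenovo download page.

```shell
#!/bin/sh
# Added example (not part of the original post). Reads the running firmware
# version from the kernel's DMI/SMBIOS view and compares it with the version
# the Lenovo download page lists for the update you just flashed.

# Read one DMI field (bios_version, bios_date, bios_vendor, ...). The optional
# second argument overrides the sysfs directory, which lets the function be
# exercised against a constructed directory instead of real hardware.
dmi_field() {
    field=$1
    dir=${2:-/sys/class/dmi/id}
    tr -d '\n' < "$dir/$field"
}

# Returns 0 when the running BIOS version equals the expected one, 1 otherwise.
# Prints both values so a mismatch is obvious in a terminal or a log.
firmware_is_at() {
    expected=$1
    dir=${2:-/sys/class/dmi/id}
    running=$(dmi_field bios_version "$dir")
    printf 'running:  %s\nexpected: %s\n' "$running" "$expected"
    [ "$running" = "$expected" ]
}

# Usage (the version string is a placeholder, not a real Lenovo value):
#   firmware_is_at 'PLACEHOLDER-1.23' && echo "update applied"
```

Keep the printed "running" value from before the update in your notes as well; together with bios_date it documents exactly which firmware revision a machine was on, which is the first thing you want when triaging a firmware CVE later.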

Conclusion

It needs a bit of tinkering to get it to work, but it’s important to keep the UEFI up to date. Attacks that target those low-level components become a persistent threat to your system, because even a re-install of the entire OS won’t get rid of malware that has persisted itself in your UEFI. Therefore updates are essential to your system’s security.

With this workflow it becomes possible to take care of firmware updates without running Windows or FreeDOS in order to install the new notebook firmware.

Pro tip: Use the RSS feed of the product page to keep yourself up to date when it comes to updates.

Photo by Alexandre Debiève on Unsplash

[1] The one I installed fixed 3 CVEs from 2018 (CVE-2018-12126, CVE-2018-12127, and CVE-2018-12130).

[2] For other operating systems nixCraft provides an awesome tutorial.

[3] “Secure Flash Authentication Failed”: This was the result of the missing tweaks for the “UEFI BIOS Update Option” settings. While some articles suggested disabling “Secure RollBack Prevention” for older firmware updates, it seems like here it was required to enable it.