How to Upgrade ThinkPad Firmware on Linux (fwupd)

Read the full article: How to Upgrade ThinkPad Firmware on Linux (fwupd)

Two days ago I ran the command hostnamectl status and noticed that my laptop’s firmware date was Tue 2023-08-08. I purchased this ThinkPad T14s laptop 2 years ago. So it seems, since removing Windows 11, the firmware remained on the same version. Not cool! However, updating your ThinkPad’s firmware (BIOS/UEFI and other controller firmware) on… continue reading.

Just a note, this should work the same or similarly on most laptops. If you are successful, please let us know. As per usual, the Arch Wiki was helpful. I’ve linked to it in the article. If you are on Arch / Arch-based, refer to the Arch Wiki:

Edit: Here’s the full update log I grabbed from my PC at the time:

hydn@hydn:~$ sudo fwupdmgr get-updates
Devices with no available firmware updates: 
 • ELAN0678:00 04F3:3195
 • Fingerprint Sensor
 • Integrated Camera
 • KEK CA
 • SHPP41-1000GM
 • ThinkPad Product CA
 • UEFI CA
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • Windows Production PCA

LENOVO ThinkPad T14s Gen 3
│
├─Embedded Controller:
│ │   Device ID:          [redacted]
│ │   Summary:            UEFI System Resource Table device (updated via NVRAM)
│ │   Current version:    0.1.29
│ │   Minimum Version:    0.1.29
│ │   Vendor:             Lenovo
│ │   Update State:       Success
│ │   GUID:               [redacted]
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Device is usable for the duration of the update
│ │ 
│ └─ThinkPad X13/T14s Gen 3 AMD Embedded Controller Update:
│       New version:      0.1.32
│       Remote ID:        lvfs
│       Release ID:       76049
│       Summary:          Lenovo ThinkPad X13/T14s Gen 3 AMD Embedded Controller Firmware
│       License:          Proprietary
│       Size:             1.2 MB
│       Created:          2023-12-19
│       Urgency:          High
│       Vendor:           Lenovo
│       Release Flags:    • Trusted metadata
│                         • Is upgrade
│       Description:      
│       This stable release fixes the following issues:
│       
│       * change to permit fan rotation after fan error happen.
│       Checksum:         [redacted]
│     
├─KEK CA:
│ │   Device ID:          [redacted]
│ │   Current version:    2011
│ │   Vendor:             Microsoft (UEFI:Microsoft)
│ │   GUIDs:              [redacted]
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Device is usable for the duration of the update
│ │                       • Signed Payload
│ │                       • Can tag for emulation
│ │ 
│ └─Secure Boot KEK Configuration Update:
│       New version:      2023
│       Remote ID:        lvfs
│       Release ID:       114062
│       Summary:          UEFI Secure Boot Key Exchange Key
│       Variant:          Lenovo
│       License:          Proprietary
│       Size:             2.9 kB
│       Created:          2025-04-29
│       Urgency:          High
│       Vendor:           Linux Foundation
│       Release Flags:    • Trusted metadata
│                         • Is upgrade
│       Description:      
│       This updates the UEFI Signature Database (the "KEK") to the latest release.
│       Checksum:         [redacted]
│     
├─System Firmware:
│ │   Device ID:          [redacted]
│ │   Summary:            UEFI System Resource Table device (updated via NVRAM)
│ │   Current version:    0.1.35
│ │   Vendor:             Lenovo
│ │   Update State:       Success
│ │   GUID:               [redacted]
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Device is usable for the duration of the update
│ │ 
│ ├─ThinkPad X13/T14s Gen 3 AMD System Update:
│ │     New version:      0.1.46
│ │     Remote ID:        lvfs
│ │     Release ID:       110296
│ │     Summary:          Lenovo ThinkPad X13/T14s Gen 3 AMD System Firmware
│ │     License:          Proprietary
│ │     Size:             34.6 MB
│ │     Created:          2021-07-13
│ │     Urgency:          High
│ │     Vendor:           Lenovo
│ │     Release Flags:    • Trusted metadata
│ │                       • Is upgrade
│ │     Description:      
│ │     • Enhancement to address security vulnerability.
│ │     Issue:            LEN-183952
│ │     Checksum:         [redacted]
│ │   
│ ├─ThinkPad X13/T14s Gen 3 AMD System Update:
│ │     New version:      0.1.45
│ │     Remote ID:        lvfs
│ │     Release ID:       105049
│ │     Summary:          Lenovo ThinkPad X13/T14s Gen 3 AMD System Firmware
│ │     License:          Proprietary
│ │     Size:             34.6 MB
│ │     Created:          2021-07-13
│ │     Urgency:          High
│ │     Vendor:           Lenovo
│ │     Release Flags:    • Trusted metadata
│ │                       • Is upgrade
│ │     Description:      
│ │     • Enhancement to address security vulnerability.
│ │     • Update CopyRight to 2025.
│ │     • Fixed potential BSOD issue.
│ │     Issue:            LEN-167201
│ │     Checksum:         [redacted]
│ │   
│ ├─ThinkPad X13/T14s Gen 3 AMD System Update:
│ │     New version:      0.1.44
│ │     Remote ID:        lvfs
│ │     Release ID:       101225
│ │     Summary:          Lenovo ThinkPad X13/T14s Gen 3 AMD System Firmware
│ │     License:          Proprietary
│ │     Size:             34.6 MB
│ │     Created:          2021-07-13
│ │     Urgency:          High
│ │     Vendor:           Lenovo
│ │     Release Flags:    • Trusted metadata
│ │                       • Is upgrade
│ │     Description:      
│ │     • Enhancement to address security vulnerability.
│ │     Issues:           LEN-163019
│ │                       LEN-141563
│ │                       LEN-127392
│ │     Checksum:         [redacted]
│ │   
│ ├─ThinkPad X13/T14s Gen 3 AMD System Update:
│ │     New version:      0.1.42
│ │     Remote ID:        lvfs
│ │     Release ID:       96578
│ │     Summary:          Lenovo ThinkPad X13/T14s Gen 3 AMD System Firmware
│ │     License:          Proprietary
│ │     Size:             34.6 MB
│ │     Created:          2021-07-13
│ │     Urgency:          High
│ │     Vendor:           Lenovo
│ │     Release Flags:    • Trusted metadata
│ │                       • Is upgrade
│ │     Description:      
│ │     • Enhancement to address security vulnerability.
│ │     • Enable TW WIFI6E for TP products
│ │     Issue:            LEN-130032
│ │     Checksum:         [redacted]
│ │   
│ └─ThinkPad X13/T14s Gen 3 AMD System Update:
│       New version:      0.1.40
│       Remote ID:        lvfs
│       Release ID:       87876
│       Summary:          Lenovo ThinkPad X13/T14s Gen 3 AMD System Firmware
│       License:          Proprietary
│       Size:             34.6 MB
│       Created:          2024-05-20
│       Urgency:          High
│       Vendor:           Lenovo
│       Release Flags:    • Trusted metadata
│                         • Is upgrade
│       Description:      
│       • Notice that BIOS can't be downgraded to older BIOS version after upgrade to R22ET70W(1.40).
│       • Enhancement to address security vulnerability.
│       • Fixed issue System takes time to Boot to BIOS Setup Menu and Boot Menu when Kingston Data Traveler Duo is attached to system.
│       • Fixed platform profile stuck on power-saver under linux MS resume.
│       • Fixed customer issue that boot time is long time attached with DisplayLink Dock.
│       • Fixed an issue where system might take a minute to boot when user attached Docking/Monitor with Realtek USB Ethernet device.
│       
│       Some new functionality has also been added:
│       • Enable WiFi 6E for Japan on T14s Gen 3 AMD.
│       • Changed fan error is not displayed.
│       Issues:           811862
│                         LEN-123536
│                         LEN-119523
│                         LEN-118373
│                         LEN-123534
│                         LEN-115697
│                         LEN-128083
│                         LEN-123535
│                         CVE-2023-5058
│       Checksum:         [redacted]
│     
└─UEFI dbx:
  │   Device ID:          [redacted]
  │   Summary:            UEFI revocation database
  │   Current version:    20230301
  │   Minimum Version:    20230301
  │   Vendor:             UEFI:Microsoft
  │   GUIDs:              [redacted]
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │                       • Device is usable for the duration of the update
  │                       • Only version upgrades are allowed
  │                       • Signed Payload
  │                       • Can tag for emulation
  │ 
  ├─Secure Boot dbx Configuration Update:
  │     New version:      20250507
  │     Remote ID:        lvfs
  │     Release ID:       115586
  │     Summary:          UEFI Secure Boot Forbidden Signature Database
  │     Variant:          x64
  │     License:          Proprietary
  │     Size:             24.0 kB
  │     Created:          2025-01-17
  │     Urgency:          High
  │       Tested:         2025-06-11
  │       Distribution:   fedora 42 (workstation)
  │       Old version:    20241101
  │       Version[fwupd]: 2.0.11
  │     Vendor:           Linux Foundation
  │     Duration:         1 second
  │     Release Flags:    • Trusted metadata
  │                       • Is upgrade
  │                       • Tested by trusted vendor
  │     Description:      
  │     This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
  │     
  │     Some insecure versions of BiosFlashShell and Dtbios by DT Research Inc were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
  │     Issues:           806555
  │                       CVE-2025-3052
  │     Checksum:         [redacted]
  │   
  └─Secure Boot dbx Configuration Update:
        New version:      20241101
        Remote ID:        lvfs
        Release ID:       105821
        Summary:          UEFI Secure Boot Forbidden Signature Database
        Variant:          x64
        License:          Proprietary
        Size:             15.1 kB
        Created:          2025-01-17
        Urgency:          High
        Vendor:           Linux Foundation
        Duration:         1 second
        Release Flags:    • Trusted metadata
                          • Is upgrade
        Description:      
        This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
        
        An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
        Issues:           529659
                          CVE-2024-7344
        Checksum:         [redacted]

I hadn’t planned on writing about this, so I didn’t take any screenshots. But I always export output like this so I can refer to it later if needed. Imagine all this started because of changing my laptop’s hostname and noticing the old firmware, lol!

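Added example, not part of the original post or the linked article: a small Python parser for the text tree that `fwupdmgr get-updates` prints, collecting for each device the installed version, the newest offered version, and the issue ids (CVE, LEN or numeric) attached to the pending releases. The sample input is constructed by abridging the log above; the function names are this example's own, and it assumes versions are purely numeric and dot-separated, as they are in that log.

```python
import re

# Constructed sample: abridged from the get-updates log in the post above.
SAMPLE = """\
├─System Firmware:
│ │   Current version:    0.1.35
│ ├─ThinkPad X13/T14s Gen 3 AMD System Update:
│ │     New version:      0.1.46
│ │     • Enhancement to address security vulnerability.
│ │     Issue:            LEN-183952
│ └─ThinkPad X13/T14s Gen 3 AMD System Update:
│       New version:      0.1.40
│       Issues:           811862
│                         CVE-2023-5058
└─UEFI dbx:
  │   Current version:    20230301
  └─Secure Boot dbx Configuration Update:
        New version:      20250507
        Issues:           806555
                          CVE-2025-3052
"""

NODE = re.compile(r"^([│ ]*)[├└]─(.+):\s*$")      # device or release heading
FIELD = re.compile(r"^(\w[\w \[\]]*):\s*(.*)$")    # "Key:   value"
ISSUE = re.compile(r"^(CVE-\d{4}-\d+|LEN-\d+|\d+)$")

def ver(v): return tuple(int(p) for p in v.split("."))  # "0.1.46" -> (0, 1, 46)

def parse_updates(text):
    """Map device name -> current version, newest offered version, issue ids."""
    devices, dev, key = {}, {"issues": []}, None   # dev starts as a throwaway sink
    for raw in text.splitlines():
        node = NODE.match(raw)
        if node:
            key = None
            if not node.group(1):                  # glyph in column 0: a device
                dev = devices.setdefault(node.group(2), {"issues": []})
            continue
        body = raw.lstrip(" │├└─").strip()
        field = FIELD.match(body)
        if field:
            key, body = field.group(1), field.group(2).strip()
        if field and key == "Current version":
            dev["current"] = body
        elif field and key == "New version":       # keep the highest, not the last seen
            dev["newest"] = max(dev.get("newest", body), body, key=ver)
        elif key in ("Issue", "Issues") and ISSUE.match(body):
            dev["issues"].append(body)             # also catches continuation lines
    return devices
```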

Thank you for the in-depth article!

This new “fwupd” process makes me long for the days of old when it was as easy as writing the correct floppy disk or CD-R, booting from it, and updating the firmware.


Thanks. I have to make a small correction. Regarding the use of sudo, a reader sent me feedback. I will update the original article and also edit this message once it’s added. I emailed him back yesterday requesting his information so I can add credit. I see this morning he has responded. Will update.

Updated the article with the corrected feedback from Thomas Koch.
