How do I manually check for BIOS security updates from my motherboard manufacturer?
I read somewhere on Reddit that people who use Linux should periodically, manually check for security updates to their computers’ BIOS from their motherboard manufacturers, because Linux apparently ends automatic updates once you leave Windows. I have no idea of where to look on the ASUS website for my Zenbook 14, or if that’s even the right place. Could anyone give any guidance on this matter? Is this a thing that we should indeed be doing semiannually or something?
And what else should I be doing on a schedule (even if annually), while I’m at it? Haha.
Edit: thanks, everyone!
Asus seems to be supported by fwupd, at least they are listed on the vendors list, so I suppose (?) it can manage the update for you. Depending on your distro this might even be automatic by default, otherwise depending on your DE this might be available from the graphical software store or just from the CLI.
They are supported, but they only push updates to a few models (typically server models).
For desktop motherboards, it's better to go to ASUS’s support website, look up your board, download the latest BIOS, and install it per their instructions.
Also, if you have ANY custom settings in your BIOS, such as overclocked CPU, mem timings, IOMMU enabled, SecureBoot keys, etc, BE SURE TO BACK THEM UP before upgrading your BIOS. I have a notes.txt file of all my BIOS settings because I have to reapply everything after an update since it sets everything to default.
So, folks who responded are conflating BIOS with UEFI. It’s a common mistake - but they are very different things that serve the same purpose.
BIOS is older technology. It usually wasn’t risky unless the board was somehow faulty, but there was always some risk because you were directly reflashing the CMOS.
UEFI is the current technology. If your board is less than 10 years old, you almost definitely have UEFI and not BIOS. It’s stored in NOR flash memory on the motherboard.
UEFI’s nature and design make it much simpler and safer to update. UEFI can be updated automatically within Linux; BIOS requires the board manufacturer’s utility to reprogram the CMOS.
I’m simplifying some of this. But this should help explain the conflicting responses of what gets updated under Linux.
If you see your bios/uefi firmware, piece of cake.
However, fwupd generally runs at boot and as a daemon and will check automatically so you don’t have to do this.
But, if you don’t have it running for whatever reason, use those commands.
If that doesn’t work, you might have to use a usb formatted to fat32 and have freedos installed on it along with your bios.exe file and boot to the usb to flash your bios.
Hmm, yeah, it found nothing. I have no idea of how to check whether it runs at boot, though. I suppose I’ll just assume so… thanks!
I was genuinely surprised to see my Dell laptop get firmware updates thru fwupd
Turn your laptop around and look for a sticker with a model number. Go to your vendor’s support website, search for the model number and check their BIOS/UEFI downloads. Usually it’s a file you put on a USB stick, then you boot into BIOS/UEFI (press F12 or DEL on boot, check manual if in doubt), select BIOS/UEFI update and select the file on the USB stick.
It’s the same for desktop components. There are very few vendors/models that get BIOS/UEFI updates via Windows Update (or fwupd under Linux).
I don’t think my old Windows PC ever did an automatic update…
You just go to the support site and download and install them? Same as on Windows.
And no, you can get automatic firmware updates under Linux too, through fwupdmgr and similar tools.
I… Haven’t actually seen Windows ever push auto updates to my BIOS either except through enterprise utilities by companies like Dell. I have always had to manually update BIOS firmware.
Generally speaking though, BIOS is one of those things where if it is working, you don’t mess with it. Occasionally chipset security patches get pushed in BIOS updates but that’s about the only reason to update.
Search for your specific model, it may or may not be this link, but for a Zenbook 14 this came up after searching “ASUS Zenbook 14 support”.
https://www.asus.com/supportonly/ux3402za/helpdesk_bios/
You’ll need to format a flash drive and save the BIOS update to it, then boot into BIOS and run the update. For many laptops, instead of saving a BIOS update to the drive you may need to run a setup tool (usually a .exe, so may need compatibility tool) and boot to the USB.
As for frequency, just periodically check the notes for the BIOS releases and determine whether to update based on the features or patches in it. Not necessary to update for every one, and many security updates will be more for servers than general purpose personal computers, but that’s up to your own risk analysis.
Depending on your motherboard, a BIOS update could either be completely painless or very painful. You could probably live without updating at all on a home PC. If you’re running a server with a WAN connection then you probably only need to look out for critical security updates, though I’ve never had anything pop up myself.
You don’t need anything but a USB with the update files downloaded to them. Boot to BIOS, choose update, point to USB, done.
Definitely don’t reset or power off while it’s updating itself, though.
ASUS will have the steps and files for your mobo model on their site. It’s very simple.
Google something like “BIOS update Asus” plus your computer model, then download the file from the official Asus site if out of date.
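Added example, not part of any comment in the thread: a small shell script that reads the vendor, model, and installed firmware version and date from sysfs, so you know what to search for on the vendor's support page and what to compare against, and that optionally asks fwupd what it knows. The `SYSROOT` variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. SYSROOT is a hypothetical override for pointing at a test tree.
SYSROOT="${SYSROOT:-}"

# Print one DMI field from sysfs, or "unknown" if it is missing.
dmi() {
    f="$SYSROOT/sys/class/dmi/id/$1"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# /sys/firmware/efi exists only when the kernel was booted through UEFI.
boot_mode() {
    if [ -d "$SYSROOT/sys/firmware/efi" ]; then echo UEFI; else echo "legacy BIOS"; fi
}

# sysfs reports bios_date as MM/DD/YYYY; emit YYYYMMDD so dates compare numerically.
bios_date_iso() {
    dmi bios_date | awk -F/ 'NF == 3 { print $3 $1 $2; next } { print "unknown" }'
}

# firmware_older_than YYYYMMDD: succeeds if the installed firmware predates the cutoff.
firmware_older_than() {
    d=$(bios_date_iso)
    [ "$d" != unknown ] && [ "$d" -lt "$1" ]
}

# Everything needed to find the right download page and compare versions.
report() {
    echo "Vendor:       $(dmi sys_vendor)"
    echo "Model:        $(dmi product_name)"
    echo "Board:        $(dmi board_name)"
    echo "Firmware:     $(dmi bios_version) ($(dmi bios_date))"
    echo "Boot mode:    $(boot_mode)"
}

# Ask fwupd whether it knows this machine's firmware and has updates for it.
fwupd_check() {
    command -v fwupdmgr >/dev/null 2>&1 || { echo "fwupdmgr not installed"; return 1; }
    systemctl is-enabled fwupd-refresh.timer 2>/dev/null  # periodic metadata refresh
    fwupdmgr get-devices   # is the system firmware listed at all?
    fwupdmgr refresh       # fetch current metadata
    fwupdmgr get-updates   # list pending updates, if any
}

report
if [ "${1:-}" = "--fwupd" ]; then fwupd_check; fi
```

Run it with `--fwupd` to also query fwupd; if the system firmware is not listed there, compare the reported version with the latest release on the vendor's support page.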