Blog

Linux Commands To Check The State Of Firmware

Whether you are new to Linux or a seasoned Linux systems administrator, knowing the hardware and firmware on your systems is essential. Firmware that is out-of-date can pose security and operational risks. I advise you to keep up with firmware updates before you are impacted by an attacker with a shiny new exploit or some elusive crash of your system. While there are numerous utilities and commands that can provide insight into the state of your firmware, with some being included in your distribution and others available from your favorite package manager, keeping them handy or even scripting them can make your job that much easier. What follows is a fairly comprehensive list, with examples, of commands that allow you to discover the state of various hardware and firmware.

Secure Boot

To report the state of Secure Boot the mokutil command is the most straightforward:

$ mokutil --sb-state
SecureBoot disabled

Of course, on certain platforms mokutil will also report the configuration state of Secure Boot:

$ mokutil --sb-state
SecureBoot disabled
Platform is in Setup Mode

I also like the “bootctl” command because it will report the Secure Boot state in addition to the setup mode value (with more consistency) and currently active bootloaders:

$ bootctl status
systemd-boot not installed in ESP.
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled
  Setup Mode: setup
Available Boot Loaders on ESP:
          ESP: /boot/efi (/dev/disk/by-partuuid/56aada5c-a01a-3b4e-b04e-40e1d4003074)
Boot Loaders Listed in EFI Variables:
        Title: Manjaro
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/56aada5c-a01a-3b4e-b04e-40e1d4003074
         File: └─/EFI/MANJARO/GRUBX64.EFI
        Title: UEFI OS
           ID: 0x0001
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/56aada5c-a01a-3b4e-b04e-40e1d4003074
         File: └─/EFI/BOOT/BOOTX64.EFI

BIOS/UEFI

Discover the current BIOS version and release date using dmidecode:

$ sudo dmidecode -s bios-version
E16S3IMS.108
$ sudo dmidecode -s bios-release-date
11/18/2019

Use the following command to learn a little more information about the BIOS:

$ sudo dmidecode -t 0
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 3.1.1 present.
Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
	Vendor: American Megatrends Inc.
	Version: P1.00
	Release Date: 01/09/2019
	Address: 0xF0000
	Runtime Size: 64 kB
	ROM Size: 16 MB
	Characteristics:
		PCI is supported
		BIOS is upgradeable
		BIOS shadowing is allowed
		Boot from CD is supported
		Selectable boot is supported
		BIOS ROM is socketed
		EDD is supported
		5.25"/1.2 MB floppy services are supported (int 13h)
		3.5"/720 kB floppy services are supported (int 13h)
		3.5"/2.88 MB floppy services are supported (int 13h)
		Print screen service is supported (int 5h)
		8042 keyboard services are supported (int 9h)
		Serial services are supported (int 14h)
		Printer services are supported (int 17h)
		ACPI is supported
		USB legacy is supported
		BIOS boot specification is supported
		Targeted content distribution is supported
		UEFI is supported
	BIOS Revision: 5.12

Inxi is a utility that reads information from places such as /proc/cpu and presents it in a nice format while also allowing you to easily manipulate the command line switches to show different information. To get some basic information run inxi as follows:

$ inxi -M
Machine:
  Type: Desktop System: ASUS product: N/A v: N/A serial: 
  Mobo: ASUSTeK model: PRIME TRX40-PRO v: Rev 1.xx
    serial:  UEFI: American Megatrends v: 1502
    date: 07/13/2021

Inxi typically is not installed by default on many Linux distributions. Try using hwinfo as well:

$ sudo hwinfo --bios | less
01: None 00.0: 10105 BIOS                                       
  [Created at bios.186]
  Unique ID: rdCR.lZF+r4EgHp4
  Hardware Class: bios
  BIOS Keyboard LED Status:
    Scroll Lock: off
    Num Lock: off
    Caps Lock: off
  SMBIOS Version: 3.2
  BIOS Info: #0
    Vendor: "American Megatrends Inc."
    Version: "1502"
    Date: "07/13/2021"
    Start Address: 0xf0000
    ROM Size: 16384 kB

lshw is yet another alternative:

$ sudo lshw | grep -A8 '*-firmware'
      *-firmware
          description: BIOS
          vendor: American Megatrends Inc.
          physical id: 0
          version: 1502
          date: 07/13/2021
          size: 64KiB
          capacity: 16MiB

Fwupd

Fwupd is maintained by Richard Hughes (See Below The Surface Episode #8 for our interview with Richard). Fwupd allows you to enumerate the devices on your system and apply updates where available. You can find more documentation on the project’s website. Here are the basics:

Get all device information:

$ fwupdmgr get-devices

Get updates (downloads the latest metadata and checks for updates on supported devices):

$ fwupdmgr get-updates

Apply updates to supported devices (CAUTION: Applies firmware updates!):

$ fwupdmgr update

Note: Will also update the UEFI Secure Boot dbx.

Security checks:

$ fwupdmgr security --force

Intel ME

$ wget https://downloadmirror.intel.com/28632/CSME_Version_Detection_Tool_Linux.tar.gz
$  mkdir intel_csme
$  cd intel_csme/
$  tar zxvf ../CSME_Version_Detection_Tool_Linux.tar.gz
$  sudo python3 ./intel_csme_version_detection_tool
Intel(R) CSME Version Detection Tool
Copyright(C) 2017-2022, Intel Corporation, All rights reserved.
Application Version: 8.0.1.0
Scan date: 2023-07-26 16:58:34 GMT
*** Host Computer Information ***
Name: SPIDER
Manufacturer: Micro-Star International Co., Ltd.
Model: MS-7B98
Processor Name: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz
OS Version: Ubuntu 20.04.6 LTS (5.15.0-78-generic)
*** Intel(R) ME Information ***
Engine: Intel(R) Converged Security and Management Engine
Version: 12.0.70.1652
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
  The detected version of the Intel(R) Converged Security and Management Engine firmware
  has a vulnerability listed in one or more of the public Security Advisories.
  Contact your system manufacturer for support and remediation of this system.
For more information refer to the Intel(R) CSME Version Detection Tool User Guide
or the related Intel Security Advisory list at:
https://www.intel.com/content/www/us/en/support/articles/000031784/technologies.html

CPU Microcode

Typically CPU microcode updates will be applied when you apply a UEFI update. You will find instructions on how to apply these updates manually, however, I recommend you wait until the OEM has released the microcode updates via UEFI (unless there is some pressing reason to apply them manually which should be a rare exception). Below are some ways to enumerate the microcode version:

$ sudo journalctl --no-hostname -o short-monotonic --boot -0 | sed -n '1,/PM: Preparing system for sleep/p' | grep 'microcode\|smp'
[    0.000000] kernel: smpboot: Allowing 128 CPUs, 80 hotplug CPUs
[    0.123246] kernel: smpboot: CPU0: AMD Ryzen Threadripper 3960X 24-Core Processor (family: 0x17, model: 0x31, stepping: 0x0)
[    0.123341] kernel: smp: Bringing up secondary CPUs ...
[    0.243441] kernel: smp: Brought up 1 node, 48 CPUs
[    0.243441] kernel: smpboot: Max logical packages: 3
[    0.243441] kernel: smpboot: Total of 48 processors activated (364269.00 BogoMIPS)
[    0.455115] kernel: smpboot: Estimated ratio of average max frequency by base frequency (times 1024): 1127
[    0.475388] kernel: microcode: microcode updated early to new patch_level=0x08301072
[    0.475403] kernel: microcode: CPU0: patch_level=0x08301072

[    0.475678] kernel: microcode: Microcode Update Driver: v2.2.
$ sudo inxi -C -a
CPU:
  Info: model: AMD Ryzen Threadripper 3960X socket: SP3r2 (sTRX4) note: check bits: 64
    type: MT MCP arch: Zen 2 gen: 3 level: v3 note: check built: 2020-22 process: TSMC n7 (7nm)
    family: 0x17 (23) model-id: 0x31 (49) stepping: 0 microcode: 0x8301072

Note: Also displays a subset of CPU vulnerabilities and indicates if the CPU is vulnerable or not.

$ head -n7 /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 23
model : 49
model name : AMD Ryzen Threadripper 3960X 24-Core Processor
stepping : 0
microcode : 0x8301072

TPM

$ sudo dmidecode -t 43
# dmidecode 3.5
Getting SMBIOS data from sysfs.
SMBIOS 3.2.0 present.
Handle 0x0035, DMI type 43, 31 bytes
TPM Device
	Vendor ID: 
	Specification Version: 2.0
	Firmware Revision: 3.37
	Description: AMD
	Characteristics:
		Family configurable via platform software support
	OEM-specific Information: 0x00000000

Obtain the latest version of the tpm-vuln-checker from the Github repo: https://github.com/immune-gmbh/tpm-vuln-checker. Then you can run the command as follows to determine the version of TPM on your system and if it contains any vulnerabilities:

$ sudo ./tpm-vuln-checker check
[sudo] password for paulda: 
TPM Manufacturer: AMD
TPM Spec Revision: 1.38
TPM Family: 2.0
TPM Type: dTPM
Starting TPM vulnerabilities checks.. This may take few seconds!
CVE 2023-1017/2023-1018: Vulnerable
Please apply the latest BIOS update to update the TPM firmware. OEMs/ODMs ship TPM updates as part of BIOS updates.
CVE 2017-15361: Not Vulnerable

Other Commands

Full system info:

$ sudo inxi -a -v 8
System:    Host: SPIDER Kernel: 5.15.0-76-generic x86_64 bits: 64 compiler: N/A 
           parameters: BOOT_IMAGE=/boot/vmlinuz-5.15.0-76-generic root=UUID=f9013c95-32a3-4829-967a-8a15dd918388 ro quiet 
           splash vt.handoff=7 
           Console: tty 2 wm: gnome-shell dm: GDM3 3.36.3 Distro: Ubuntu 20.04.6 LTS (Focal Fossa) 
Machine:   Type: Desktop System: Micro-Star product: MS-7B98 v: 1.0 serial: N/A 
           Mobo: Micro-Star model: Z390-A PRO (MS-7B98) v: 1.0 serial: 07B9812_L11E392535 UEFI: American Megatrends v: 1.D0 
           date: 01/19/2021 

Memory:

$ lshw -class memory
*-memory
       description: System Memory
       physical id: 39
       slot: System board or motherboard
       size: 64GiB
     *-bank:0
          description: DIMM DDR4 Synchronous 2667 MHz (0.4 ns)
          product: F4-3200C16-16GVK
          vendor: Fujitsu
          physical id: 0
          serial: 00000000
          slot: ChannelA-DIMM0
          size: 16GiB
          width: 64 bits
          clock: 2667MHz (0.4ns)
$ sudo inxi -m -a
Memory:    RAM: total: 62.74 GiB used: 2.42 GiB (3.9%) 
           Array-1: capacity: 64 GiB slots: 4 EC: None max module size: 16 GiB note: est. 
           Device-1: ChannelA-DIMM0 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits 
           total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A 
           Device-2: ChannelA-DIMM1 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits 
           total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A 
           Device-3: ChannelB-DIMM0 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits 
           total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A 
           Device-4: ChannelB-DIMM1 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits 
           total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A

PCI:

$ sudo lspci -nnmmvkD | less
Slot:   0000:00:00.0
Class:  Host bridge [0600]
Vendor: Intel Corporation [8086]
Device: 8th Gen Core 8-core Desktop Processor Host Bridge/DRAM Registers [Coffee Lake S] [3e30]
SVendor:        Micro-Star International Co., Ltd. [MSI] [1462]
SDevice:        8th Gen Core 8-core Desktop Processor Host Bridge/DRAM Registers [Coffee Lake S] [7b98]
Rev:    0d
Driver: skl_uncore
Module: ie31200_edac
$ sudo inxi --slots -a
PCI Slots: Slot: 0 type: x16 PCI Express J6B2 status: In Use length: Long 
           Slot: 1 type: x1 PCI Express J6B1 status: In Use length: Short 
           Slot: 2 type: x1 PCI Express J6D1 status: In Use length: Short 
           Slot: 3 type: x1 PCI Express J7B1 status: In Use length: Short 
           Slot: 4 type: x1 PCI Express J8B4 status: In Use length: Short 
           Slot: 5 type: x1 PCI Express J8D1 status: In Use length: Short 
           Slot: 6 type: 32-bit PCI J8B3 status: In Use length: Short

Storage Devices:

Tip: Use “lsblk” to list the available storage devices.

$ sudo smartctl --xall /dev/nvme0 | grep -i firmware
Firmware Version:                   4B2QEXM7
Firmware Updates (0x16):            3 Slots, no Reset required

CPU Information:

$ cpuid | less
CPU 0:
   vendor_id = "GenuineIntel"
   version information (1/eax):
      processor type  = primary processor (0)
      family          = 0x6 (6)
      model           = 0xe (14)
      stepping id     = 0xd (13)
      extended family = 0x0 (0)
      extended model  = 0x9 (9)
      (family synth)  = 0x6 (6)
      (model synth)   = 0x9e (158)
      (simple synth)  = Intel Core (unknown type) (Kaby Lake / Coffee Lake) {Skylake}, 14nm

Summary

Running all of these commands manually, and then manually checking if the latest firmware updates are applied is a resource-intensive task. While some open-source projects like Fwupd help automate this process there is a wide variety of hardware and firmware included with computers and servers. Eclypsiums’ software platform helps automate this task and provides enterprises with a full solution to manage and maintain the firmware supply chain in your environment.