Updating UEFI BIOS via fwupd on ThinkPad T14 Gen3

I had a lot of trouble understanding how to do firmware updates on my new ThinkPad T14 Gen3 AMD which now serves as a replacement for my trusty T470. Using fwupdmgr appears to be confirmed, even for UEFI BIOS. But getting it to work was another thing. I encountered three pain points. The fwupdmgr --version I used:

compile   org.freedesktop.fwupd         1.9.3
compile   com.hughsie.libxmlb           0.3.11
compile   com.hughsie.libjcat           0.1.14
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.4.6
runtime   com.hughsie.libjcat           0.1.14
runtime   com.dell.libsmbios            2.4
runtime   org.freedesktop.gusb          0.4.6
runtime   org.freedesktop.fwupd         1.9.3
runtime   org.kernel                    6.4.4-arch1-1

Prerequisite

If for any obscure reasons you run your ThinkPad T14 Gen3 in Legacy BIOS mode (if that is even possible), you encounter the WARNING: Firmware can not be updated in legacy BIOS mode error and updating UEFI BIOS via fwupdmgr is not supported.

Also, some users report the GPT layout is required, but I did not find hard evidence and did not test. In any case you run MBR layout and updating works, let me know.

Note on GPT layout

User Reinhold has emailed me some time later that for them, the GPT layout "was absolutely necessary". They also stated that using gdisk as described in the answer to this question worked, so I am putting this information here, should someone else find themselves in the same place, looking for the way to go.

BIOS settings

To make sure fwupdmgr sees UEFI BIOS option in the first place, few BIOS settings that interfere with the process must be set up properly:

sudo fwupdmgr get-bios-setting BIOSUpdateByEndUsers WindowsUEFIFirmwareUpdate BootOrderLock

WindowsUEFIFirmwareUpdate:
  Setting type:         Enumeration
  Current Value:        Enable
  Description:          BIOS updates delivered via LVFS or Windows Update
  Read Only:            False
  Possible Values:
    0:                  Disable
    1:                  Enable

BootOrderLock:
  Setting type:         Enumeration
  Current Value:        Disable
  Description:          BootOrderLock
  Read Only:            False
  Possible Values:
    0:                  Disable
    1:                  Enable

BIOSUpdateByEndUsers:
  Setting type:         Enumeration
  Current Value:        Enable
  Description:          BIOSUpdateByEndUsers
  Read Only:            False
  Possible Values:
    0:                  Disable
    1:                  Enable

Make sure these three are correct value and update them manually or via fwupdmgr set-bios-setting. Otherwise, the problem manifests differently based on the combinations of the three settings. One of the outputs could lead to an error No supported devices found or No updatable devices which has some light shed onto in this comment.

Capsules not found

Okay, next step. The UEFI BIOS is finally shown under System Firmware branch:

sudo fwupdmgr get-devices --show-all-devices

Trying to update it appears to be working in the console:

Perform operation? [Y|n]:
Updating System Firmware…[  -                                    ]
Waiting…                 [***************************************]
Successfully installed firmware
Do not turn off your computer or remove the AC adapter while the update is in progress.
Do not turn off your computer or remove the AC adapter while the update is in progress.
An update requires a reboot to complete. Restart now? [y|N]: y

However, I got this error after rebooting (when the actual firmware flashing should be happening):

fwupd-efi version 1.4
WARNING: QueryCapsuleCapabilities failed, assuming EfiResetWarm: Unsupported
WARNING: Could not apply capsule update: Not Found
WARNING: Could not apply capsules: Not Found
Reset System

I tried updating a few times, always getting the same result. No update, reboot. Fortunately, this problem is especially well documented.

ESP partition flag

After paying better attention to the fwupdmgr commands output, I noticed the little obscure messages like WARNING: UEFI ESP partition not detected or configured or WARNING: UEFI ESP partition may not be set up correctly followed by See https://github.com/fwupd/fwupd/wiki/PluginFlag:esp-not-valid for more information. The link above however does not show anything apart from Header. Sigh.

Solutions related to this problem could be tracked to the wiki. I simply used GParted to set the esp flag on the boot partition, but I will reiterate also the command from the link above, for a record:

parted /dev/nvme0nXXX set 1 esp on

Did the trick. Now the UEFi BIOS update via fwupdmgr really works. No need to fiddle with Windows to get any drivers up-to-date. Enjoy!

Links

• https://github.com/fwupd/firmware-lenovo/issues/20#issuecomment-538004411
• https://github.com/fwupd/fwupd/discussions/2637
• https://github.com/fwupd/fwupd/issues/1220
• https://github.com/fwupd/fwupd/issues/2198
• https://github.com/fwupd/fwupd/issues/3238
• https://github.com/fwupd/fwupd/issues/4631
• https://github.com/fwupd/fwupd/issues/6012
• https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported
• https://github.com/fwupd/fwupd/wiki/PluginFlag:esp-not-valid