fwupd 1.8.4 and later include the ability to modify BIOS settings on systems that support the Linux kernel’s firmware-attributes API.
Drivers included with the Linux kernel on supported machines will advertise all BIOS settings that the OS can change. The fwupd daemon uses this API create an abstraction that fwupd clients can use to offer BIOS settings to change to end users.
Interactive command line usage
Both fwupdmgr and fwupdtool have support for the fwupd BIOS settings API both for interactive use.
Using fwupdgmr will require PolicyKit authentication as only authorized users can view the current BIOS settings.
Using fwupdtool will require running the tool as root, as fwupdtool only works as root.
Getting available BIOS settings
To fetch available BIOS settings for a machine:
# fwupdmgr get-bios-setting
This will provide a listing of all available settings. If you would like to just see a subset of attributes, you can list them space delimited on the command line. For example:
$ fwupdmgr get-bios-setting WindowsUEFIFirmwareUpdate MmioAbove4GLimit
Authenticating… [ - ]
WindowsUEFIFirmwareUpdate:
Setting type: Enumeration
Current Value: Enable
Description: BIOS updates delivered via LVFS or Windows Update
Read Only: False
Possible Values:
0: Disable
1: Enable
MmioAbove4GLimit:
Setting type: Enumeration
Current Value: Auto
Description: MmioAbove4GLimit
Read Only: False
Possible Values:
0: Auto
1: 40
2: 42
3: 44
4: 46
5: 48
When using BASH as your shell, bash-completion can be used to discover BIOS settings. In the above example, those settings could be found from this series of tab actions:
$ sudo fwupdmgr get-bios-setting W
WakeonLAN WakeUponAlarm WindowsUEFIFirmwareUpdate
130 $ sudo fwupdmgr get-bios-setting WindowsUEFIFirmwareUpdate
Display all 131 possibilities? (y or n)
AbsolutePersistenceModule CStateSupport M2Slot2Port PCIeSlot3Bifurcation PXEIPV6NetworkStack SetStrongPassword
AccessSecuritySettings DASHSupport MaxPasswordAttempts PCIeSlot3DLFSupport QuadM2PCIeCardFanControl SmartUSBProtection
AfterPowerLoss DataScrambling MCRUSBHeader PCIeSlot3LinkSpeed RealtimeDIAG SMT
AlarmDate(MM\DD\YYYY) DeviceGuard MediaCardReader PCIeSlot3Port RearAudioController SRIOVSupport
AlarmDayofWeek DevicePowerupDelay MmioAbove4GLimit PCIeSlot4Bifurcation RearUSBPorts StartupSequence
AlarmTime(HH:MM:SS) DeviceResetTimeout --no-authenticate PCIeSlot4DLFSupport RemoteSetSMP USBChargingPortInS4S5
AllowJumperClearSVP DIAG7SegMode NUMA PCIeSlot4LinkSpeed RequireHDPonSystemBoot USBPortAccess
AMDMemoryGuard EnhancedPowerSavingMode NVMeRAIDMode PCIeSlot4Port RequireSVPwhenFlashing USBTransferTimeout
AMDSecureVirtualMachine ErrorBootSequence OnboardEthernetController PCIeSlot5Bifurcation SATAController UserDefinedAlarmFriday
ASPMSupport FanControlStepping OptionKeysDisplay PCIeSlot5DLFSupport SATADrive1 UserDefinedAlarmMonday
AutomaticBootSequence FrontUSBPorts PasswordChangeTime PCIeSlot5LinkSpeed SATADrive2 UserDefinedAlarmSaturday
BIOSPasswordAtBootDeviceList HardDiskPre-delay PasswordCountExceededError PCIeSlot5Port SATADrive3 UserDefinedAlarmSunday
BIOSPasswordAtReboot InternalUSB2Port PatroScrub PCIeSlot6Bifurcation SATADrive4 UserDefinedAlarmThursday
BIOSPasswordAtSystemBoot InternalUSB3Port PatroScrubInterval PCIeSlot6DLFSupport SATADrive5 UserDefinedAlarmTime
BootUpNumLockStatus IOMMU PCIeSlot1Bifurcation PCIeSlot6LinkSpeed SATADrive6 UserDefinedAlarmTuesday
CardLocation --json PCIeSlot1DLFSupport PCIeSlot6Port SATADrive6HotPlugSupport UserDefinedAlarmWednesday
ClearDIAGLog KeyboardLayout PCIeSlot1LinkSpeed pending_reboot SecureBoot --verbose
ConfigurationChangeDetection M2Slot1DLFSupport PCIeSlot1Port PhysicalPresenceforClear SecureRollBackPrevention WakeonLAN
ConfigureSATAas M2Slot1LinkSpeed PCIeSlot2Bifurcation POPChangeablebyUser SecurityChip WakeUponAlarm
CoverTamperDetected M2Slot1Port PCIeSlot2DLFSupport PostPackageRepair SelectActiveVideo WindowsUEFIFirmwareUpdate
CPBMode M2Slot2DLFSupport PCIeSlot2LinkSpeed PrimaryBootSequence SerialPort1Address XHCIHandoff
CPUC6Report M2Slot2LinkSpeed PCIeSlot2Port PXEIPV4NetworkStack SetMinimumLength
130 $ fwupdmgr get-bios-setting WindowsUEFIFirmwareUpdate MmioAbove4GLimit
Setting BIOS settings
To set one or more BIOS settings for a machine:
# fwupdmgr set-bios-setting SETTING VALUE
For supported attributes, fwupdmgr will also use tab completion in BASH for filling out a value.
For example to enable an enumeration attribute:
$ sudo fwupdmgr set-bios-setting W
WakeonLAN WakeUponAlarm WindowsUEFIFirmwareUpdate
130 $ sudo fwupdmgr set-bios-setting WindowsUEFIFirmwareUpdate
Disable Enable
130 $ sudo fwupdmgr set-bios-setting WindowsUEFIFirmwareUpdate Enable
After setting an attribute you may be prompted to reboot as most settings will require a reboot to take effect.
$ fwupdmgr set-bios-setting WakeonLAN Primary
Authenticating… [ - ]
Set BIOS setting 'WakeonLAN' using 'Primary'.
An update requires a reboot to complete. Restart now? [y|N]:
If you would like to program multiple attributes, list them in pairs of the name of the attribute followed by the desired value.
Programmatic command line usage
fwupdmgr offers support for the fwupd BIOS settings API programmatically as well for use in scripts. To use the programmatic API you will add the --json argument to your calls. The output or input will then be expected to be JSON payloads.
Fetching BIOS settings programmatically
Below is an example of fetching the WakeonLAN setting.
# fwupdmgr get-bios-setting WakeonLAN --json
{
"BiosSettings" : [
{
"Name" : "WakeonLAN",
"Description" : "WakeonLAN",
"Filename" : "/sys/class/firmware-attributes/thinklmi/attributes/WakeonLAN",
"BiosSettingId" : "com.thinklmi.WakeonLAN",
"BiosSettingCurrentValue" : "Primary",
"BiosSettingReadOnly" : "false",
"BiosSettingType" : 1,
"BiosSettingPossibleValues" : [
"Primary",
"Automatic",
"Disable"
]
}
]
}
Similar to the interactive usage, if no parameters are provided all settings are fetched, and if desired multiple settings can be listed on the command line.
Error messages won’t be emitted, you’ll have to rely on the return code to tell if this was successful.
NOTE: To debug errors, use the --verbose argument to see messages related to the error.
Setting BIOS settings programmatically
To set BIOS settings, a JSON payload will need to be crafted in advance. The path to this payload is used as an argument.
# fwupdmgr set-bios-setting ~/foo.json --json
An important return code to know for programmatic usage is that 2 means nothing was done because all settings are already programmed. This message will also be emitted.
NOTE: To debug errors, use the --verbose argument to see messages related to the error.
Firmware setting policies
fwupd has the ability to enforce the BIOS settings policy of a system administrator. To use this feature, create a json payload using fwupdmgr get-bios-setting --json that reflects the settings you would like to see enforced.
Then copy this payload into /etc/fwupd/bios-settings.d with a filename ending in .json. The next time that the fwupd daemon is started (such as a system bootup) it will ensure that all BIOS settings are programed to your desired values. It will also mark those settings as read-only so no fwupd clients will be able to modify them.
This does not stop the kernel firmware-attributes API from working. So a determined user with appropriate permissions would be able to modify settings from the kernel API directly, but they would be changed again on fwupd daemon startup.
Settings types
The Linux kernel will offer the following types of BIOS settings:
- Enumeration: The setting will only accept a limited list of possible values
- Integer: The setting will accept a limited range of integer values
- String: The setting will accept a limited length UTF-8 string
All of those setting types are accepted by fwupd. It is expected that drivers or firmware will validate the input, but where possible fwupd will do validation of the input to give better error messages and avoid failures.
fwupd will also do a mapping where it can accept multiple cases or synonyms for words that are obviously positive or negative. So for example if the setting expects Enabled but the user passes tRUE fwupd will map this into Enabled before sending it to the driver and the driver sending it to the firmware.
libfwupd
fwupdmgr internally uses FwupdClient to manage BIOS settings. Any other clients that are interested in managing BIOS settings can use this library as well. A sample python application is included in the contrib/ directory in the fwupd source tree.