Essential Linux Commands to Check Firmware State

November 13, 2024

Essential Linux Commands to Check Firmware State

Understanding the state of firmware is crucial for maintaining the security and performance of Linux systems. Outdated firmware can lead to vulnerabilities and operational issues. This blog post summarizes key commands that help check the firmware state on Linux systems, ensuring you stay informed and secure.

Secure Boot Commands

To check the Secure Boot state, use the following commands:

mokutil --sb-state

For a more detailed view including the setup mode:

bootctl status

BIOS/UEFI Information

To discover the current BIOS version and release date, run:

sudo dmidecode -s bios-version

sudo dmidecode -s bios-release-date

To get comprehensive BIOS information:

sudo dmidecode -t 0

Using inxi for a summary of system information:

inxi -M

Alternatively, you can use hwinfo:

sudo hwinfo --bios | less

Or lshw for firmware details:

sudo lshw | grep -A8 '*-firmware'

Firmware Updates with Fwupd

To manage firmware updates, utilize fwupd commands:

Get device information:

fwupdmgr get-devices

Check for updates:

fwupdmgr get-updates

Apply updates (use with caution):

fwupdmgr update

Perform security checks:

fwupdmgr security --force

Intel Management Engine (ME) Version

To check the Intel ME version, follow these steps:

Download the detection tool:

wget https://downloadmirror.intel.com/28632/CSME_Version_Detection_Tool_Linux.tar.gz

Extract and navigate into the directory:

mkdir intel_csme && cd intel_csme/
tar zxvf ../CSME_Version_Detection_Tool_Linux.tar.gz

Run the detection tool:

sudo python3 ./intel_csme_version_detection_tool

CPU Microcode Information

To check CPU microcode updates, use these commands:

View logs for microcode updates:

sudo journalctl --no-hostname -o short-monotonic --boot -0 | sed -n '1,/PM: Preparing system for sleep/p' | grep 'microcode\|smp'

Get detailed CPU information with inxi:

sudo inxi -C -a

Or simply check the microcode version directly from /proc/cpuinfo:

head -n7 /proc/cpuinfo

Trusted Platform Module (TPM) Checks

To check TPM details, use:

sudo dmidecode -t 43

For vulnerability checks, first obtain the TPM vulnerability checker from GitHub and run it:

sudo ./tpm-vuln-checker check

Additional System Information Commands

For comprehensive system information, execute:

sudo inxi -a -v 8

To check memory details, use:

lshw -class memory

For PCI devices information, run:

sudo lspci -nnmmvkD | less

And to list available storage devices, simply use:

lsblk

Conclusion

These commands provide essential insights into your Linux system's firmware state. Regularly checking this information helps mitigate risks associated with outdated firmware and enhances overall system security. Keep these commands handy as part of your system maintenance routine!

Citations: [1] https://eclypsium.com/blog/linux-commands-to-check-the-state-of-firmware/