How relevant are PC Firmware Updates?

sleep_legacy

I heard that many desktop and Laptop pc devices only get firmware updates for one year and beyond that only OS-updates.
How relevant is that for many people out there (or what does it do to their security), that use such devices for many years for casual things and work?
Or are there only relevant concerns for targeted people?

raccoondad

sleep_legacy I would check every once in a while for BIOS updates by your vendor and read the changelog if one comes out. If there's a serious vulnerability then I would update it.

I personally update my BIOS whenever there is an update pushed, but that's just me

Monero_lover

Interesting question

freezet

Most vendors give longer updates, dont know about difference between driver and firmware updates, most of them come with automatic updates from microsoft or others with vendor specific updaters for example lenovo or hp, also didnt even know that intel has their own updater. If you have a mainboard with say a wifi card or bluetooth from them you can update it from their website.

bookreader

What kind of firmware are you referring to? BIOS (or whatever they want to call it now)? Or peripheral devices? Have you even considered external devices like mouse/keyboard/printer?

Most of the time peripheral devices like wifi adapters, will have some minimal baked in firmware that typically can't be updated for loading the main firmware, and a more substantial piece of firmware that is loaded at runtime by the kernel/driver. Of course some won't, like your SSD.

Main firmware is typically kept here and updated periodically;
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/

sleep_legacy

bookreader

I refer mostly to BIOS. Or, at least that was what I was mainly thinking about.

But how it is with peripheral devices is also an interesting question.

bookreader

So as far as BIOS goes, once its finished doing its job and handed control off to the operating system, it goes completely out of the loop. No security impact at that point.

So really, the main thing you'd be looking at is if there is a vulnerability in the implementation of secure boot, which could allow the bios to load an unsigned OS kernel. But some bad actor would have to either be there to interact with it, or set something up at the OS level first, since these vulnerabilities can only be taken advantage of during early boot.

https://www.howtogeek.com/124711/what-does-my-bios-do-after-booting/

de0u

bookreader So as far as BIOS goes, once its finished doing its job and handed control off to the operating system, it goes completely out of the loop. No security impact at that point.

This is true for a traditional BIOS and also an EFI BIOS, narrowly construed, but since the rise of APM and ACPI the OS is expected to run lots of motherboard firmware throughout its lifetime. Also, on Intel machines, various things happen via SMM, which runs code installed by the BIOS. All in all there is plenty of attack surface.