1fwupd.conf(5)              Configuration File Format             fwupd.conf(5)
2
3
4

NAME

6       fwupd.conf — configuration file for the fwupd daemon.
7

SYNOPSIS

9       The  /etc/fwupd/fwupd.conf  file is the main configuration file for the
10       fwupd daemon.  The complete description of the file format and possible
11       parameters are documented here for reference purposes.
12

FILE FORMAT

14       The  file consists of a multiple sections with optional parameters. Pa‐
15       rameters are of the form:
16
17       [section]
18       key = value
19
20
21       The file is line-based, each newline-terminated line represents  either
22       a comment, a section name or a parameter.
23
24       Section and parameter names are case sensitive.
25
26       Only  the  first equals sign in a parameter is significant.  Whitespace
27       before or after the first equals sign is discarded as  is  leading  and
28       trailing whitespace in a parameter value.  Internal whitespace within a
29       parameter value is retained.
30
31       Any line beginning with a hash (#) character is ignored, as  are  lines
32       containing only whitespace.
33
34       The  values  following  the  equals sign in parameters are all either a
35       string (no quotes needed), unsigned integers, or a boolean,  which  may
36       be  given as true or false.  Case is not significant in boolean values,
37       but is preserved in string values.
38

DAEMON PARAMETERS

40       The [fwupd] section can contain the following parameters:
41
42       DisabledDevices=
43
44       Allow blocking specific devices by their GUID, using semicolons as delimiter.
45
46
47       DisabledPlugins=test;test_ble
48
49       Allow blocking specific plugins by name.
50       Use fwupdmgr get-plugins to get the list of plugins.
51
52
53       ArchiveSizeMax=
54
55       Maximum archive size that can be loaded in Mb, with 25% of the total system memory as the default.
56
57
58       IdleTimeout=
59
60       Idle time in seconds to shut down the daemon, where a value of 0 specifies “never”.
61
62
63       NOTE: some plugins might inhibit the auto-shutdown, for instance thunderbolt.
64
65
66       VerboseDomains=
67
68       Comma separated list of domains to log in verbose mode.
69       If unset, no domains are set to verbose.
70       If set to “*”, all domains are verbose, which is the same as running the daemon with --verbose --verbose.
71
72
73       UpdateMotd=true
74
75       Update the message of the day (MOTD) on device and metadata changes.
76
77
78       EnumerateAllDevices=true
79
80       For some plugins, enumerate only devices supported by metadata.
81
82
83       ApprovedFirmware=
84
85       A list of firmware checksums that has been approved by the site admin
86       If unset, all firmware is approved.
87
88
89       BlockedFirmware=
90
91       Allow blocking specific devices by their cabinet checksum, either SHA-1 or SHA-256.
92
93
94       UriSchemes=file;https;http;ipfs
95
96       Allowed URI schemes in the preference order; failed downloads from the first scheme will be retried with the next in order until no choices remain.
97
98
99       IgnorePower=false
100
101       Ignore power levels of devices when running updates.
102
103
104       OnlyTrusted=true
105
106       Only support installing firmware signed with a trusted key.
107       Do not set this to false on a production or trusted system.
108
109
110       ShowDevicePrivate=true
111
112       Show data such as device serial numbers which some users may consider private.
113
114
115       AllowEmulation=false
116
117       Allow capturing and loading device emulation by logging all USB transfers.
118       Enabling this will greatly increase the amount of memory fwupd uses when upgrading devices.
119
120
121       TrustedUids=
122
123       UIDs matching these values that call the D-Bus interface should marked as trusted.
124
125
126       HostBkc=
127
128       Comma separated list of best known configuration IDs to be used when using fwupdmgr sync.
129       This can downgrade firmware to factory versions or upgrade firmware to a supported config level. e.g. vendor-factory-2021q1,mycompany-2023
130
131
132       ReleaseDedupe=true
133
134       Deduplicate duplicate releases by the archive checksum are available from more than one source.
135
136
137       ReleasePriority=local
138
139       When the same version release is available from more than one source this option can be used to
140       either prefer the local version (avoiding a potentially expensive download) or to prefer the
141       remote version (which may have updated metadata such as release notes).
142
143
144       The possible options are local or remote or empty to not make any adjustment to the policy,
145       relying on the OrderAfter and OrderBefore sections in the remote.
146
147
148       EspLocation=
149
150       Override the location used for the EFI system partition (ESP) path.
151       This is typically used if UDisks is not available, or was not able to automatically identify the location for any reason.
152
153
154       Manufacturer=
155
156       ProductName=
157
158       ProductSku=
159
160       Family=
161
162       EnclosureKind=
163
164       BaseboardProduct=
165
166       BaseboardManufacturer=
167
168       Override values for SMBIOS or Device Tree data on the local system.
169       These are only required when the SMBIOS or Device Tree data is invalid, missing, or to simulate running on another system.
170       Empty values should be used to populate blank entries or add values to populate specific entries.
171
172
173       TrustedReports=VendorId=$OEM
174
175       Vendor reports matching these expressions will have releases marked as trusted-report.
176       Each *OR* section is delimited by a ; and each *AND* section delimited by &, e.g.
177
178
179DistroId=chromeos
180
181       Any report uploaded from ChromeOS is trusted.
182
183
184DistroId=chromeos&RemoteId=lvfs
185
186       Any report found in the lvfs remote uploaded from a ChromeOS machine is trusted.
187
188
189DistroId=fedora&VendorId=19
190
191       Any report uploaded from Fedora 19 is trusted.
192
193
194DistroId=fedora&VendorId=$OEM
195
196       Any report uploaded from Fedora by the hardware OEM is trusted.
197
198
199DistroId=fedora;DistroId=rhel&DistroVersion=9
200
201       Any report uploaded from Fedora (any version) or from RHEL 9 is trusted.
202
203
204       NOTE: a VendorId of $OEM represents the OEM vendor ID of the vendor that owns the firmware,
205       for example, where Lenovo QA has generated a signed report for a Lenovo laptop.
206
207
208       There are also three os-release values available, $ID, $VERSION_ID and $VARIANT_ID, which
209       allow expressions like:
210
211
212DistroId=$ID
213
214DistroId=$ID,DistroVersion=$VERSION_ID
215
216       P2pPolicy=metadata
217
218       This tells the daemon what peer-to-peer policy to use. For instance, using Passim, an optional
219       local caching service. Using peer-to-peer data might reduce the amount of bandwidth used on your
220       network considerably.
221
222
223       There are three possible values:
224
225
226none: Do not publish any files
227
228metadata: Only publish shared metadata that is  common  to  each  ma‐
229         chine.
230
231firmware: Only publish firmware archives after the next reboot of the
232         machine.
233
234       At some point in the future fwupd will change the default to metadata,firmware.
235
236

UEFI_CAPSULE PARAMETERS

238       The [uefi_capsule] section can contain the following parameters:
239
240       EnableGrubChainLoad=false
241
242       Configure GRUB to launch fwupdx64.efi instead of using other methods such as NVRAM or Capsule-On-Disk.
243
244
245       DisableShimForSecureBoot=false
246
247       The shim loader is required to chainload the fwupd EFI binary unless the fwupd.efi file has been self-signed manually.
248
249
250       RequireESPFreeSpace=0
251
252       Amount of free space required on the ESP, for example using 32 for 32Mb.
253       By default this is dynamically set to at least twice the size of the payload.
254
255
256       DisableCapsuleUpdateOnDisk=false
257
258       Allow ignoring the CapsuleOnDisk support advertised by the firmware.
259
260
261       EnableEfiDebugging=false
262
263       Enable the low-level debugging of fwupdx64.efi to the FWUPDATE_DEBUG_LOG EFI variable.
264
265
266       NOTE: enabling this option is going to fill up the NVRAM store much more quickly and
267       should only be enabled when debugging an issue with the EFI binary.
268
269
270       This value also has no affect when using Capsule-on-Disk as the EFI helper binary is
271       not being used.
272
273
274       RebootCleanup=true
275
276       Delete any capsule files copy to the ESP, and remove any EFI variables set for the update.
277
278
279       NOTE: disabling this option is only required when debugging the flash process and normal
280       users should not need to change this setting.
281
282

MSR PARAMETERS

284       The [msr] section can contain the following parameter:
285
286       MinimumSmeKernelVersion=5.18.0
287
288       Minimum kernel version to allow probing for sme flag.
289
290
291       This only needs to be modified by enterprise kernels that have cherry picked the feature into a
292       kernel with an old version number.
293
294

REDFISH PARAMETERS

296       The [redfish] section can contain the following parameters:
297
298       Uri=
299
300       The URI to the Redfish service in the format scheme://ip:port for instance https://192.168.0.133:443
301
302
303       Username=
304
305       The username to use when connecting to the Redfish service.
306
307
308       Password=
309
310       The password to use when connecting to the Redfish service.
311
312
313       CACheck=false
314
315       Whether to verify the server certificate or not. This is turned off by default.
316       BMCs using self-signed certificates will not work unless the plugin does not verify it against the system CAs.
317
318
319       IpmiDisableCreateUser=false
320
321       Do not use IPMI KCS to create an initial user account if no SMBIOS data.
322       Setting this to true prevents creating user accounts on the BMC automatically.
323
324
325       ManagerResetTimeout=1800
326
327       Amount of time in seconds to wait for a BMC restart.
328
329

THUNDERBOLT PARAMETERS

331       The [thunderbolt] section can contain the following parameters:
332
333       MinimumKernelVersion=4.13.0
334
335       Minimum kernel version to allow use of this plugin.
336
337
338       This only needs to be modified by enterprise kernels that have cherry picked the feature into a
339       kernel with an old version number.
340
341
342       DelayedActivation=false
343
344       Forces delaying activation until shutdown/logout/reboot.
345
346

NOTES

348       /etc/fwupd/fwupd.conf may contain  either  hardcoded  or  autogenerated
349       credentials  and  must only be readable by the user that is running the
350       fwupd process, which is typically root.
351

SEE ALSO

353       fwupdmgr(1) fwupd-remotes.d(5)
354
355
356
3571.9.9                                                            fwupd.conf(5)
Impressum