How to Update BIOS Safely on Linux
Your laptop’s been running fine for a couple of years, then you notice your distro is flagging a critical firmware vulnerability. Or maybe your system just started behaving oddly after a kernel update. Either way, you’re now wondering: can you update BIOS safely on Linux without booting into Windows?
The short answer is yes — and it’s gotten much easier. This guide covers everything you need to know about how to update BIOS safely on Linux, from the recommended fwupd method to manual flashing via USB, along with what to check beforehand and how to recover if something goes wrong.
What Is BIOS (and UEFI)?

BIOS stands for Basic Input/Output System. It’s the firmware that runs before your operating system loads — it initializes your hardware, checks memory, finds a bootable drive, and hands control over to your OS loader.
Modern systems use UEFI (Unified Extensible Firmware Interface) instead of traditional BIOS. UEFI is essentially the successor: it supports larger drives, faster boot times, Secure Boot, and a graphical setup interface. Most systems made after 2012 use UEFI, though manufacturers still call the setup screen “BIOS” out of habit.
Firmware is the low-level software stored on a chip on your motherboard (or other hardware components). When people say “update BIOS,” they almost always mean updating this firmware image.
Why do firmware updates matter?
- They patch security vulnerabilities (like Spectre/Meltdown mitigations, CVEs in UEFI drivers)
- They fix hardware compatibility bugs
- They improve stability and power management
- They sometimes add support for newer CPUs or RAM speeds
Should You Update Your BIOS?
This is the most common question — and the honest answer is: it depends.
Update your BIOS when:
- A security advisory specifically mentions your hardware (check your vendor’s security bulletins)
- You’re experiencing a known bug that a firmware update fixes
- You’re adding new hardware (CPU, RAM) that requires a newer BIOS to work
- Your vendor explicitly recommends it for your use case
- fwupd flags an update with “Critical” or “High” urgency
Skip the update when:
- Your system is stable and working correctly
- The update only adds features you don’t need
- The release notes don’t mention anything relevant to your setup
- You’re in the middle of critical work with no backup plan
⚠️ Warning: BIOS updates carry a small but real risk. If the flash fails mid-process — power cut, crash, whatever — you can end up with an unbootable machine. Never update firmware just because an update exists.
| Reason to Update | Reason to Skip |
|---|---|
| Critical CVE fix | System is stable |
| Hardware compatibility | Update is cosmetic |
| Bug affecting your use case | No documentation of changes |
| Vendor recommendation | Beta/unstable release |
Before Updating BIOS on Linux
Don’t skip this section. A few minutes of prep can save you from a very bad day.
Check that you’re in UEFI mode
The fwupd tool (the recommended method) only works in UEFI mode, not legacy BIOS mode. Check with:
test -d /sys/firmware/efi && echo "UEFI mode — OK" || echo "Legacy BIOS — fwupd won't work"
If you see “Legacy BIOS,” you’ll need to use a USB or ISO method instead.
Find your current BIOS version
sudo dmidecode -s bios-version
sudo dmidecode -s bios-release-date
Note these down. You’ll want to confirm the version changed after the update.
Identify your motherboard/system model
sudo dmidecode -s system-product-name
sudo dmidecode -s baseboard-product-name
Cross-check this with the firmware file you intend to use. Wrong model = bricked board.
Power requirements
- Laptops: Plug in AC power. fwupd will refuse to flash if battery is below 30%, and that’s the right call.
- Desktops: Consider a UPS. A power cut during flashing is the most common cause of a bricked board.
- Disable any overclocking — XMP/EXPO profiles are fine to leave on, but manual CPU voltage tweaks or extreme memory OC should be reset to defaults first.
Back up your BIOS settings
BIOS updates sometimes reset settings to factory defaults. Take a photo of your BIOS setup screens (boot order, fan curves, custom settings). Some vendors offer a “Save Profile” feature in the UEFI interface itself.
Secure Boot note
fwupd works fine with Secure Boot enabled on most systems — it uses signed firmware capsules. However, in June 2026 there’s an active situation around the Microsoft UEFI CA 2023 certificate replacing the old 2011 certificate. If you’re running Secure Boot, this is exactly the kind of firmware update you should be applying via fwupd — it’s how Linux systems get the updated certificates enrolled. See the Secure Boot guide for more context.
Method 1 — Update BIOS Using fwupd (Recommended)
fwupd is an open-source daemon that manages firmware updates on Linux. It pulls updates from the Linux Vendor Firmware Service (LVFS) — a secure portal where hardware vendors upload signed firmware packages.
LVFS is a secure portal that allows hardware vendors to upload firmware updates. It’s used by all major Linux distributions to provide metadata for clients like fwupdmgr and GNOME Software — and there’s no charge to vendors for hosting or distribution.
The actual flash for BIOS/UEFI updates doesn’t happen while Linux is running. Instead, the update payload (a UEFI Capsule) is written to the EFI System Partition, and a variable is set in NVRAM instructing the motherboard to apply the firmware on the next boot. This is a much safer mechanism than trying to flash a chip while the OS is live.
Install fwupd
Most modern distros ship with fwupd pre-installed. If yours doesn’t:
Ubuntu/Debian:
sudo apt update && sudo apt install fwupd
Fedora/RHEL:
sudo dnf install fwupd
Arch Linux:
sudo pacman -S fwupd
Refresh firmware metadata
sudo fwupdmgr refresh --force
This pulls the latest firmware metadata from LVFS. The --force flag bypasses the local cache so you get fresh data.
List detected devices
sudo fwupdmgr get-devices
This shows every device fwupd knows about — your system firmware, embedded controller, NVMe SSD, Thunderbolt controller, and more. Look for devices flagged as updatable.
Check for available updates
sudo fwupdmgr get-updates
The output groups your devices into three categories: no available updates, already on the latest firmware, and updates available. Devices with updates show the current version, new version, urgency level, and a changelog summary.
Apply updates
sudo fwupdmgr update
fwupd will download, verify the GPG signature, and stage the firmware capsule. For BIOS/UEFI updates, it will prompt you to reboot to complete the flash.
⚠️ Warning: Once you confirm the reboot, don’t touch the machine. Don’t close the lid. Don’t pull the power. The screen may go dark or show a vendor splash for several minutes. Multiple automatic reboots are normal — this is the firmware doing its job.
Verify the update
After the machine comes back up:
sudo dmidecode -s bios-version
Compare this against the version number from before. You can also run sudo fwupdmgr get-history to see a log of past updates and whether they succeeded.
Method 2 — Update BIOS Using the Manufacturer’s UEFI Utility
Most major vendors include a built-in flashing utility directly in their UEFI firmware. This doesn’t require a working OS at all — you boot into the UEFI setup and flash from there.
Prepare a FAT32 USB drive
The UEFI needs to read the firmware file, and most implementations only understand FAT32. Format a USB drive as FAT32 and copy the firmware file to the root of the drive.
sudo mkfs.vfat -F 32 /dev/sdX
Replace /dev/sdX with your actual USB device (check with lsblk first).
Download the correct firmware
Go to your manufacturer’s support page, search by your exact model number, and download the BIOS/UEFI firmware file. Never use firmware from third-party sites.
| Vendor | Built-in Flash Utility | Notes |
|---|---|---|
| ASUS | EZ Flash | Found in Advanced Mode → Tool |
| MSI | M-Flash | Dedicated M-Flash button or BIOS menu |
| Gigabyte | Q-Flash | Press End at POST screen or Q-Flash button |
| Dell | Dell BIOS Flash | Available via UEFI or dell-bios-fan-control on Linux |
| Lenovo (ThinkPad) | ThinkPad BIOS Update | Capsule via fwupd is preferred |
| HP | HP System BIOS Update | HP BIOS update utility in UEFI |
| Framework | fwupd / UEFI capsule | Framework heavily supports LVFS |
Flash from UEFI
- Plug in the FAT32 USB with the firmware file
- Reboot and enter UEFI setup (usually Del, F2, or F10 during POST)
- Navigate to the flash utility (EZ Flash, M-Flash, Q-Flash, etc.)
- Select the firmware file from your USB
- Confirm and wait — don’t power off
💡 Tip: If you’re on a Dell or Lenovo business machine, check LVFS first. Many business laptops have excellent fwupd support, which is safer and simpler than the manual USB method.
Method 3 — Using a Bootable USB or ISO
Some manufacturers provide a bootable ISO specifically for firmware updates. This is less common now, but you’ll still encounter it on older hardware or vendors that don’t participate in LVFS.
When you’d use this:
- Your system is in legacy BIOS mode (fwupd won’t work)
- The vendor only provides a bootable update utility
- You need to recover from a failed flash using a recovery image
Download the ISO from the manufacturer’s official support page, write it to USB with dd or Ventoy, and boot from it. Follow the on-screen instructions — the process is usually automated.
sudo dd if=firmware-update.iso of=/dev/sdX bs=4M status=progress oflag=sync
⚠️ Warning: Double-check your of= target with lsblk before running dd. Writing to the wrong device will overwrite data irreversibly.
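One way to enforce that double-check in a script, as an added example that is not part of the original guide or of any vendor tool: the wrapper only runs dd when the target is an unmounted, removable whole disk. The function names and the SYSFS and MOUNTS variables are assumptions of this example, there so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example: refuse to hand dd a target that is not an unmounted,
# removable whole disk. SYSFS and MOUNTS are assumptions of this example
# (not dd or lsblk options) so the check can run against a fake tree.
SYSFS="${SYSFS:-/sys}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# safe_dd_target /dev/sdX -> 0 if safe to overwrite, 1 (with a reason) if not
safe_dd_target() {
    dev="$1"; name="${dev#/dev/}"
    # Whole disks appear directly under /sys/block; partitions (sdb1) do not.
    if [ ! -d "$SYSFS/block/$name" ]; then
        echo "refuse: $dev is not a whole disk known to the kernel" >&2; return 1
    fi
    # USB sticks report removable=1; internal SATA/NVMe disks report 0.
    # Conservative: some USB hard-drive enclosures also report 0 and are refused.
    if [ "$(cat "$SYSFS/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "refuse: $dev is not removable media" >&2; return 1
    fi
    # A mounted disk or partition (sdb, sdb1, nvme0n1p1) means it is in use.
    if awk -v d="$dev" '$1 ~ ("^" d "p?[0-9]*$") { found = 1 }
                        END { exit !found }' "$MOUNTS"; then
        echo "refuse: $dev or one of its partitions is mounted" >&2; return 1
    fi
    return 0
}

# write_iso firmware-update.iso /dev/sdX : same dd command as above, guarded.
write_iso() {
    [ -r "$1" ] || { echo "refuse: cannot read $1" >&2; return 1; }
    safe_dd_target "$2" || return 1
    sudo dd if="$1" of="$2" bs=4M status=progress oflag=sync
}
```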
How to Verify the BIOS Update
After any update method, confirm the new version is active:
sudo dmidecode -s bios-version
sudo dmidecode -s bios-release-date
If you used fwupd, check the update history:
sudo fwupdmgr get-history
You can also compare against your vendor’s support page — the version string displayed should match what they published.
For a broader security check, fwupd can report your system’s Host Security ID (HSI) score:
sudo fwupdmgr security
This checks Secure Boot status, TPM version, Intel BootGuard, and other firmware-level security features.
⚠️ Common BIOS Update Mistakes to Avoid
Most BIOS update failures are caused by simple mistakes rather than faulty hardware. Avoid the issues below to reduce the risk of a failed firmware update or an unusable motherboard.
🔌 Power Loss During the Update
Never interrupt a BIOS flash. Keep laptops connected to AC power and consider using a UPS on desktop PCs to prevent unexpected shutdowns.
📁 Installing the Wrong BIOS File
Always verify your motherboard or laptop model before downloading firmware. Even similar model numbers often require completely different BIOS files.
🧪 Using Beta Firmware
Beta BIOS releases may contain unfinished features or stability issues. Unless you’re fixing a specific bug, install only stable firmware versions.
📄 Ignoring Release Notes
Read the official changelog before updating. Only install a new BIOS if it fixes issues affecting your hardware, security, or system stability.
💾 No Recovery Plan
Check whether your motherboard supports BIOS Flashback, Dual BIOS, or another recovery method before starting the update process.
🐧 Skipping Linux Firmware Tools
Before using a USB flash drive, run fwupdmgr get-updates. Many Linux systems receive official firmware updates directly through LVFS and fwupd.
If an update is listed there, fwupd can install it automatically, so try that before attempting a manual BIOS flash.
Troubleshooting BIOS Updates
fwupd shows no updates or no devices
Check that you’re actually in UEFI mode (see the pre-flight check above). If you are, check whether your hardware vendor participates in LVFS — not everyone does. You can search the device list at fwupd.org.
fwupdmgr update fails with a battery error
In 2026, the --ignore-battery CLI flag is deprecated. If you need to override the battery check (e.g. on a server that lacks a battery), you must edit the fwupd daemon config directly and set IgnorePower=true. Only do this if you have confirmed UPS backing.
EFI System Partition is full
fwupd writes the capsule to /boot/efi. If that partition is full, the update will fail. Check with:
df -h /boot/efi
Clean out old files if needed. 100MB free is a reasonable minimum.
System won’t boot after update
First, try the BIOS reset/recovery option. Most modern motherboards have one of these:
- Dual BIOS chip (common on Gigabyte): hold the recovery button during power-on to boot from the backup chip
- BIOS flashback (ASUS, MSI): allows flashing a recovery image from USB without a working CPU or RAM
- CMOS reset: remove the CMOS battery or use the clear-CMOS jumper. This resets settings but doesn’t reflash firmware.
For laptops, check your vendor’s support documentation for recovery mode procedures. Lenovo ThinkPads, for example, have a recovery BIOS that can be triggered by specific key combinations at boot.
Secure Boot issues after update
A BIOS update can sometimes reset Secure Boot to factory defaults or clear custom keys. If your system won’t boot Linux after a firmware update:
- Enter UEFI setup
- Check if Secure Boot is enabled and what key database is active
- Re-enroll your distro’s shim if necessary, or temporarily disable Secure Boot to get back in
See the Secure Boot troubleshooting guide for detailed steps.
Best Practices Checklist
Before you flash:
- [ ] System is plugged into AC power (laptop) or UPS (desktop)
- [ ] Confirmed UEFI mode with test -d /sys/firmware/efi
- [ ] Noted current BIOS version with sudo dmidecode -s bios-version
- [ ] Verified the firmware file matches your exact model
- [ ] Read the release notes — update is actually relevant
- [ ] Not flashing a beta release without good reason
- [ ] Backed up critical data (extreme caution)
- [ ] Overclocking settings reset to defaults
- [ ] EFI partition has enough free space (df -h /boot/efi)
After flashing:
- [ ] Confirmed new version with sudo dmidecode -s bios-version
- [ ] Checked sudo fwupdmgr get-history for success status
- [ ] Re-verified BIOS settings (boot order, fan profiles, etc.)
- [ ] Re-enabled any settings that got reset
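The "Before you flash" items that a shell can check (UEFI mode, AC power and the 30% battery floor, 100 MB free on the EFI System Partition), collected into one script as an added example; it is not code from fwupd or from the original guide. The function names and the SYSROOT variable are assumptions of this example, and it assumes the AC adapter appears in sysfs with type "Mains".

```shell
#!/bin/sh
# Added example. SYSROOT is an assumption of this example (not an fwupd
# setting): it points the checks at a constructed tree for testing.
SYSROOT="${SYSROOT:-}"

# fwupd capsule updates need a UEFI boot; legacy boots lack this directory.
is_uefi() {
    [ -d "$SYSROOT/sys/firmware/efi" ]
}

# Pass when no system battery exists (desktop), or when AC is online and
# every system battery is at or above the minimum (30% per this guide).
power_ok() {
    min="${1:-30}"; have_batt=0; ac_online=0
    for ps in "$SYSROOT"/sys/class/power_supply/*; do
        [ -r "$ps/type" ] || continue
        kind="$(cat "$ps/type")"
        if [ "$kind" = "Mains" ]; then
            if [ "$(cat "$ps/online" 2>/dev/null)" = "1" ]; then ac_online=1; fi
        elif [ "$kind" = "Battery" ]; then
            # Wireless mice/keyboards report scope "Device"; skip them.
            if [ "$(cat "$ps/scope" 2>/dev/null)" = "Device" ]; then continue; fi
            have_batt=1
            cap="$(cat "$ps/capacity" 2>/dev/null)"
            [ "${cap:-0}" -ge "$min" ] || return 1
        fi
    done
    [ "$have_batt" -eq 0 ] || [ "$ac_online" -eq 1 ]
}

# Free space on the ESP in MiB; df -Pk gives stable POSIX columns in KiB.
esp_free_mb() {
    df -Pk "${1:-/boot/efi}" 2>/dev/null | awk 'NR==2 { print int($4 / 1024) }'
}

esp_free_ok() {
    free="$(esp_free_mb "${1:-/boot/efi}")"
    [ -n "$free" ] && [ "$free" -ge "${2:-100}" ]
}

preflight() {
    rc=0
    is_uefi     || { echo "FAIL: legacy BIOS boot, fwupd will not work"; rc=1; }
    power_ok    || { echo "FAIL: on battery or below 30% charge"; rc=1; }
    esp_free_ok || { echo "FAIL: under 100 MB free on /boot/efi"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: pre-flight checks passed"
    return "$rc"
}
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Save it under any name and run it with --run as the first argument; a non-zero exit status means at least one check failed.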
Frequently Asked Questions
Can you update BIOS on Linux?
Yes, absolutely. The fwupd tool makes it straightforward on systems whose vendors publish to LVFS. For hardware not covered by LVFS, most manufacturers provide a built-in UEFI flash utility that works without any OS.
Is fwupd safe to use?
Very. The LVFS has distributed over 10 million firmware updates with a greater than 99% success rate. fwupd verifies GPG signatures on every update before staging it, and the actual flash happens via the UEFI capsule mechanism rather than from inside a running OS.
What is LVFS?
The Linux Vendor Firmware Service is a secure portal that allows hardware vendors to upload firmware updates. It’s used by all major Linux distributions, and there’s no charge to vendors for hosting or distribution.
Should you always update BIOS?
No. Update when there’s a specific reason — a security fix, a bug affecting your system, or new hardware compatibility. Don’t update just because an update exists. The risk of a flash failure, however small, isn’t worth it for changes that don’t apply to you.
What vendors are supported by fwupd/LVFS?
Well-supported vendors include Lenovo, Dell (business lines), HP, Framework, Star Labs, System76, Logitech (peripherals), and Intel. Consumer-grade boards from ASUS, MSI, and Gigabyte have more variable coverage — check the LVFS device list for your specific model.
Wrapping Up
Updating firmware on Linux used to mean creating bootable DOS USBs and hoping for the best. Now, for most hardware, knowing how to update BIOS safely on Linux just means running a few fwupdmgr commands and confirming a reboot.
The key things to remember: always check whether fwupd supports your hardware before reaching for the manual USB method, never flash without reliable power, and don’t update just for the sake of it. A stable, older BIOS version beats a freshly-flashed one that introduced new bugs.
If you’re on supported hardware from Lenovo, Dell, HP, Framework, or System76, fwupd makes this genuinely painless. For everyone else, the manufacturer’s built-in UEFI flash utility is the next best option.
Disclaimer
This article is for informational purposes only. Firmware updates carry inherent risks, including the possibility of rendering your system unbootable if the process is interrupted or if incorrect firmware is applied. Always verify your hardware model, download firmware only from official manufacturer sources, and ensure stable power before proceeding. The authors and TechRefreshing.com are not responsible for any damage, data loss, or hardware failure resulting from following this guide.
