The challenge of updating InsydeH2O UEFI with Linux

The Predicament

Fun fact about me: I am the weirdo who always updates the UEFI even though it is not technically necessary. It just makes me feel better to know everything is up to date. Particularly because every update’s changelog always lists an impressive collection of security bug fixes.

The problem is that my laptop does not support updating the UEFI from within Linux. Lenovo does not submit updates to LVFS for my laptop. Additionally, they do not release a Linux version of the update tool or a generic UEFI shell version.

This is especially annoying because Lenovo does all of that for other laptops. Unfortunately, my laptop uses InsydeH2O UEFI, and it seems that Lenovo laptops with this firmware do not support updates without Windows.

This leaves me in quite a predicament if I want to update my laptop’s UEFI.

Why not just use Windows?

Now, I am sure you are thinking “just swallow your pride and use Windows.” And that is what I did… the first time.

Sadly, because the InsydeH2O update tool does not support running in Windows PE, I had to create a full-blown Windows installation. This was a lengthy process that involved setting up a Windows VM and then using Rufus (a Windows-only tool) to create a Windows To Go USB.

This worked! I had successfully updated my laptop’s UEFI.

Then, an update broke my Windows To Go USB and I was not willing to go through that whole process again. So, I began to search for a better solution.

Attempt #1: The Ubuntu Wiki

The State Of The Ubuntu Wiki

The first resource I found was this page on the Ubuntu Community Help Wiki. My hopes were quickly dashed when I realized the page was last updated in 2021 and the instructions section only contained a placeholder: “This paragraph is yet to be written.” This is, frankly, pretty consistent with the rest of the wiki.

It did give me an idea though: the page revealed that a Linux version of the update tool existed. I thought that if I could find a copy, I could use it on my laptop! I was eventually able to find a copy of this tool (version 200.01.00.10) in the Steam Deck’s software. That is when I learned a devastating truth: a Linux version of the updater exists, but only for the “server/embedded” platform.

You see, there are two versions of the InsydeH2O update tool. There is the “server/embedded” platform (with versions like 200.02.00.08) for devices like the Steam Deck, and the “client” platform (with versions like 6.60) for devices like my laptop. Additionally, the “client” platform only supports updates via Windows or the UEFI shell.

Attempt #2: InterToolx64.efi

After that failure, I continued searching for a solution. Eventually, I found a glimmer of hope!

A Reddit comment claimed that if I extracted the InterToolx64.efi file from the Windows update tool, I could make my own bootable UEFI update USB.

InterTool's Failure

Unfortunately, this did not work. The InterTool.Log file reported an issue with platform.ini, and I could not determine the cause. I found a forum post from someone experiencing a similar issue, but Lenovo support was… less than helpful.

Attempt #3: Scavenging

My last hope was simple: find a manufacturer that offered the UEFI shell version of the “client” platform update tool and use that.

Framework Laptop UEFI Update

The Framework Laptop also uses InsydeH2O and provides a UEFI shell version of the update tool. So, I extracted H2OFFT-Sx64.efi from their update package and combined it with firmware extracted from my laptop’s update package to create my own UEFI update USB.
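A sanity check for a scavenged `.efi` file such as H2OFFT-Sx64.efi before booting it, as an added example that is not part of the original post: it parses the PE/COFF header to confirm the file is an x86-64 EFI application and reports whether an Authenticode certificate table is present. The function names and the sample bytes are constructed for illustration, and the check does not validate the signature itself.

```python
import struct

EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
                  12: "EFI runtime driver"}
MACHINES = {0x8664: "x86-64", 0xAA64: "AArch64", 0x14C: "x86"}

def inspect_efi(data: bytes) -> dict:
    """Describe a UEFI PE32+ image. Reports signature presence, not validity."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("no MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        (machine,) = struct.unpack_from("<H", data, pe_off + 4)
        opt = pe_off + 24              # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic != 0x20B:
            raise ValueError("not a PE32+ (64-bit) image")
        (subsystem,) = struct.unpack_from("<H", data, opt + 68)
        (n_dirs,) = struct.unpack_from("<I", data, opt + 108)
        cert_off = cert_size = 0
        if n_dirs > 4:                 # data directory 4 = certificate table
            cert_off, cert_size = struct.unpack_from("<II", data, opt + 112 + 4 * 8)
    except struct.error as exc:
        raise ValueError("truncated header") from exc
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "subsystem": EFI_SUBSYSTEMS.get(subsystem, f"non-EFI ({subsystem})"),
        # For this directory the "address" field is a file offset: bound-check it.
        "has_cert_table": cert_size > 0 and cert_off + cert_size <= len(data),
    }

def make_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo, not a real firmware tool."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x8664)        # Machine: x86-64
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)          # PE32+ magic
    struct.pack_into("<H", img, opt + 68, 10)        # Subsystem: EFI application
    struct.pack_into("<I", img, opt + 108, 16)       # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", img, opt + 112 + 32, 0x1C0, 0x40)
    return bytes(img)

if __name__ == "__main__":
    for flag in (True, False):
        print(inspect_efi(make_sample(flag)))
```

On a real file, pass the bytes read from disk to `inspect_efi`; a present certificate table still has to be verified against a trusted key with a signature-checking tool.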

Finally, I had managed to update my laptop’s UEFI!

However, I was not out of the woods yet…

Enter: Intel ME

The Predicament 2.0

You see, the Intel ME requires its own firmware, which must be updated separately. Once again, Lenovo only provided the Windows update tool.

The Intel ME Solution

Thankfully, this time the Arch Wiki provided a solution! Unfortunately, this solution is highly problematic. However, I did not have any better options.

The recommended solution is as follows:

  1. Go to this specific internet forum.
  2. Find the thread that corresponds to your version of Intel ME (v16.1 for me).
  3. Find someone in that thread offering a download link to the Linux version of FWUpdLcl.
  4. Download it and run it as root with the firmware extracted from the Windows version of the update tool.

Intel ME Update Tool Download Link

It is well known that downloading binaries from unverified sources (and running them as root) is a significant security risk. Sadly, Intel does not allow downloading the update tool standalone, so I had no other option.

This could potentially lead to severe system compromise, including malware or unauthorized access. I was lucky not to encounter any issues, but I would strongly advise against this approach.

Thankfully, in this case, it worked.

Conclusion

Normally, I understand why companies do not support Linux, even though I may not like it, because it does cost money to maintain and support a Linux port.

However, in this case, I do not understand it. Especially because they already maintain one! Intel already has a Linux version of the Intel ME update tool! And Insyde has a UEFI shell version of their update tool!

Ultimately, I successfully updated my laptop’s UEFI. However, this required scouring the internet for update tools and downloading them from potentially untrustworthy sources. Nothing prevents Lenovo from adding these tools to their driver download page.

But Lenovo is not solely responsible for this situation. Intel could also allow downloading their update tool standalone! And so could Insyde! Any of these three companies could make this situation better by just adding a download link to their website. An official download, even if it was not supported, would be a vast improvement simply because it would nullify the risk of malware.

There is no technical reason this situation exists. There is no port that has to be written or compatibility issues to fix. This situation exists solely because these companies do not care.
