From 8a6333467a6d44b9186671565e99531c53b623db Mon Sep 17 00:00:00 2001
From: Sumit Garg <sumit.garg@oss.qualcomm.com>
Date: Fri, 2 May 2025 15:16:26 +0530
Subject: [PATCH 1/3] debos: rootfs: Install fwupd

fwupd allows to perform over the air EFI firmware capsule updates.

Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
---
 debos-recipes/qualcomm-linux-debian-rootfs.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debos-recipes/qualcomm-linux-debian-rootfs.yaml b/debos-recipes/qualcomm-linux-debian-rootfs.yaml
index acd82160..4f9b8b7c 100644
--- a/debos-recipes/qualcomm-linux-debian-rootfs.yaml
+++ b/debos-recipes/qualcomm-linux-debian-rootfs.yaml
@@ -36,6 +36,8 @@ actions:
       - dosfstools
       # ext4 tools, notably e2fsck for the root filesystem
       - e2fsprogs
+      # fwupd tools, enable OTA EFI firmware capsule updates
+      - fwupd
       # defaults to "systemd-sysv"; perhaps not needed
       - init
       # Ethernet, Wi-Fi, WWAN; built-in DHCP client

From e1e982bf9b04198f16ae3868289aba4ab9d8d7c7 Mon Sep 17 00:00:00 2001
From: Sumit Garg <sumit.garg@oss.qualcomm.com>
Date: Wed, 14 May 2025 15:49:07 +0530
Subject: [PATCH 2/3] scripts: u-boot-rb1: Support building EFI firmware
 updates

U-Boot qcom-mainline branch now got support for EFI firmware capsule
updates. So let's add support to build EFI firmware capsule updates
using tooling provided by U-Boot as well as fwupdtool to generate LVFS
cabinet archive.

Once that's done, the EFI firmware capsule updates can be installed and
triggered on RB1 using fwupdtool as follows:

$ sudo fwupdtool install u-boot.cab

Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
---
 .github/workflows/u-boot.yml |  2 ++
 scripts/build-u-boot-rb1.sh  | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/.github/workflows/u-boot.yml b/.github/workflows/u-boot.yml
index 91bb80c0..fb681c92 100644
--- a/.github/workflows/u-boot.yml
+++ b/.github/workflows/u-boot.yml
@@ -70,6 +70,8 @@ jobs:
               u-boot/u-boot-nodtb.bin.gz-dtb \
               u-boot/u-boot.bin \
               u-boot/rb1-boot.img \
+              u-boot/u-boot-cap.bin \
+              u-boot/u-boot.cab \
               ${BUILD_DIR}
           # perhaps help NFS sync
           sync
diff --git a/scripts/build-u-boot-rb1.sh b/scripts/build-u-boot-rb1.sh
index d9d12b37..08cedfc3 100755
--- a/scripts/build-u-boot-rb1.sh
+++ b/scripts/build-u-boot-rb1.sh
@@ -13,6 +13,8 @@ U_BOOT_DEVICE_TREE="qcom/qrb2210-rb1"
 ABOOT_BASE_ADDRESS="0x80000000"
 ABOOT_PAGE_SIZE="4096"
 ABOOT_OUTPUT="rb1-boot.img"
+CAPSULE_OUTPUT="u-boot-cap.bin"
+CABINET_OUTPUT="u-boot.cab"
 
 log_i() {
     echo "I: $*" >&2
@@ -34,6 +36,8 @@ packages="${packages} make bison flex bc libssl-dev gnutls-dev xxd"
 packages="${packages} coreutils"
 # needed to pack resulting u-boot binary into an Android boot image
 packages="${packages} gzip mkbootimg"
+# needed to build fwupd cabinet archive for EFI firmware capsule updates
+packages="${packages} fwupd"
 
 log_i "Checking build-dependencies ($packages)"
 missing=""
@@ -89,3 +93,25 @@ mkbootimg --base "${ABOOT_BASE_ADDRESS}" \
     --ramdisk empty-ramdisk \
     --output "${ABOOT_OUTPUT}"
 
+# EFI firmware capsule and fwupd cabinet files generation. Note that currently
+# only U-Boot firmware can be updated using capsule updates without support for
+# dual bank (A/B) capsule updates. The next steps is to add support for dual
+# bank capsule updates as well as support to update Qualcomm downstream boot
+# firmware too.
+
+# The GUID used below for U-Boot firmware can be generated dynamically via:
+# $ ./tools/mkeficapsule guidgen dts/upstream/src/arm64/qcom/qrb2210-rb1.dtb UBOOT_BOOT_PARTITION
+# Generating GUIDs for qcom,qrb2210-rb1 with namespace 8c9f137e-91dc-427b-b2d6-b420faebaf2a:
+# UBOOT_BOOT_PARTITION: 77F90B51-588C-5EF0-AAB9-046AEB2AC8C5
+
+./tools/mkeficapsule \
+    --index 1 \
+    --instance 0 \
+    --guid 77F90B51-588C-5EF0-AAB9-046AEB2AC8C5 \
+    "${ABOOT_OUTPUT}" \
+    "${CAPSULE_OUTPUT}"
+rm -f "${CABINET_OUTPUT}"
+fwupdtool build-cabinet \
+    "${CABINET_OUTPUT}" \
+    "${CAPSULE_OUTPUT}" \
+    board/qualcomm/u-boot-cap.metainfo.xml

From 89a10c4f2a6a49d5ca81be40c6c04c4376f58fec Mon Sep 17 00:00:00 2001
From: Sumit Garg <sumit.garg@oss.qualcomm.com>
Date: Tue, 13 May 2025 11:05:57 +0530
Subject: [PATCH 3/3] README: Document firmware updates

Document firmware updates for Qualcomm Linux Debian images. The devices
are expected to support UEFI firmware capsule updates. On the OS side,
the standard mechanism for firmware updates known as LVFS or fwupd is
leverage to update firmware on devices.

Note here that currently firmware for devices supported by Qualcomm
Linux isn't yet available/pushed on LVFS (WIP). Hence, the fwupdtool is
used currently for testing purposes.

Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
---
 README.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/README.md b/README.md
index c91796a2..8ce4016a 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,35 @@ Initially, this repository provides [debos](https://github.com/go-debos/debos) r
 
 We are also working towards providing ready-to-use, pre-built images – stay tuned!
 
+## Firmware updates
+
+On standard Linux distros like Debian, firmware updates are generally delivered via Linux Vendor Firmware Service ([LVFS](https://fwupd.org/)). The OEM/ODM vendors usually upload latest firmware releases on LVFS (refer [here](https://lvfs.readthedocs.io/en/latest/upload.html)) as cabinet (.cab) firmware archive files containing at least one metadata (.metainfo.xml) file describing the firmware update. On the device, fwupd is installed which provides a system-activated daemon listening on D-Bus for installing any firmware updates.
+
+### Firmware delivery
+
+On a Desktop system, its usually GNOME Software which monitors LVFS for any firmware updates and pushes to fwupd if any. On a headless system like most embedded devices, the fwupdmgr command line tool can be used to monitor LVFS for firmware updates as follows:
+
+```bash
+# Download latest metadata from LVFS
+fwupdmgr refresh
+
+# Fetch device specific firmware updates from LVFS
+fwupdmgr get-updates
+
+# Install firmware updates
+fwupdmgr update
+```
+
+### Firmware on devices supported by Qualcomm Linux
+
+The firmware on Qualcomm devices is expected to support UEFI UpdateCapsule plugin for fwupd daemon. However, currently firmware for Qualcomm devices in not available in LVFS which is a work in progress as of now. In order to play with UEFI firmware capsule updates, one can use fwupdtool to locally update firmware like on RB1 as follows:
+
+```bash
+# Transfer U-Boot firmware cabinet archive build from scripts/build-u-boot-rb1.sh to RB1
+sudo fwupdtool install u-boot.cab
+# It will ask for a reboot for the UEFI firmware capsule update to happen
+```
+
 ## Branches
 
 main: Primary development branch. Contributors should develop submissions based on this branch, and submit pull requests to this branch.