How To Install Fwupd on Ubuntu 26.04 LTS

You just received a security advisory about a critical firmware vulnerability in your NVMe controller. The patch exists, but you have no way to apply it on your Ubuntu server. This is exactly where fwupd becomes essential. Without a managed firmware update tool like fwupd, patches released by Dell, Lenovo, HP, and other vendors never reach your hardware, leaving silent attack surfaces open indefinitely.

In this guide, you will learn how to install Fwupd on Ubuntu 26.04 from scratch. I will walk you through enabling the daemon, connecting to the Linux Vendor Firmware Service (LVFS), detecting your hardware, applying updates safely, and troubleshooting the most common errors that trip up even experienced sysadmins. This is the same process I use on production servers across my infrastructure.

Prerequisites Before You Begin

Before attempting to install fwupd on Ubuntu 26.04, verify you meet these requirements. Skipping any of these will cause problems later.

  • Operating System: Ubuntu 26.04 LTS (codenamed Resolute) installed and fully booted
  • Firmware Mode: UEFI firmware (not legacy BIOS) for UEFI capsule updates to work properly
  • Internet Connection: Active connection to reach LVFS CDN at cdn.fwupd.org on port 443
  • User Permissions: sudo privileges on the target machine
  • Disk Space: At least 500 MB free in /var/lib/fwupd for firmware metadata and caches
  • Power Source: If using a laptop, plug it into AC power. Some firmware updates refuse to run on battery

Why UEFI matters: fwupd’s UEFI capsule plugin writes update files to the EFI System Partition (ESP) at /boot/efi. Without UEFI mode and a properly mounted ESP, BIOS and firmware updates will silently fail or show “No updatable devices” even with valid hardware. Check your mode with:

[ -d /sys/firmware/efi ] && echo "UEFI mode" || echo "Legacy BIOS"

If you see “Legacy BIOS”, you will need to enable UEFI in your firmware settings before proceeding.
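The prerequisites above can be checked in one pass before any update run. This is an added example, not part of the original guide; the function name fw_preflight and its ROOT argument are hypothetical, and the AC check assumes the adapter appears under /sys/class/power_supply with type "Mains".

```sh
#!/bin/sh
# Added example (not from the original guide): read-only pre-flight gate.
# ROOT is a hypothetical parameter so the checks can run against a constructed
# directory tree; leave it empty on a real host.

# Prints one "FAIL: ..." line per unmet prerequisite; returns 0 only if all pass.
fw_preflight() {
    root="${1:-}"
    min_free_mb="${2:-500}"   # free space the guide asks for in /var/lib/fwupd
    rc=0

    # UEFI mode: the kernel exposes this directory only when booted via EFI.
    [ -d "$root/sys/firmware/efi" ] || { echo "FAIL: booted in legacy BIOS mode"; rc=1; }

    # ESP: capsule updates are staged below /boot/efi/EFI.
    [ -d "$root/boot/efi/EFI" ] || { echo "FAIL: no ESP content at /boot/efi"; rc=1; }

    # Free space for metadata and caches (use the parent if fwupd has not
    # created its directory yet).
    dir="$root/var/lib/fwupd"
    [ -d "$dir" ] || dir="$root/var/lib"
    free_mb=$(df -Pk "$dir" 2>/dev/null | awk 'NR == 2 { print int($4 / 1024) }')
    [ "${free_mb:-0}" -ge "$min_free_mb" ] || { echo "FAIL: only ${free_mb:-0} MB free in $dir"; rc=1; }

    # AC power: only checked where a mains adapter exists (laptops).
    for ps in "$root"/sys/class/power_supply/*; do
        [ -r "$ps/type" ] || continue
        [ "$(cat "$ps/type")" = "Mains" ] || continue
        [ "$(cat "$ps/online" 2>/dev/null)" = "1" ] || { echo "FAIL: on battery (${ps##*/} offline)"; rc=1; }
    done
    return "$rc"
}

# Check the live system when run directly.
fw_preflight "" || echo "Pre-flight failed: fix the items above before running fwupdmgr update"
```
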

Step 1: Update Your System Packages First

sudo apt update
sudo apt upgrade -y

What this does: The apt update command refreshes your local package index from Ubuntu’s repositories. The apt upgrade -y command installs the latest versions of all installed packages, automatically answering “yes” to prompts.

Why this step is non-negotiable: Running package updates before installing fwupd ensures that your core libraries like libc, libglib2.0, and libgnutls match the versions that fwupd 2.1.1 was compiled against on Ubuntu 26.04. A stale base system can produce silent dependency mismatches where fwupd installs successfully but the daemon fails to start. This is especially common on minimal server installs or systems upgraded from Ubuntu 24.04.

Verify your kernel and UEFI status:

uname -r
[ -d /sys/firmware/efi ] && echo "UEFI mode" || echo "Legacy BIOS"

Why verify UEFI mode: fwupd’s UEFI capsule plugin only activates when the kernel detects EFI variables via /sys/firmware/efi. If this directory does not exist, BIOS and firmware updates will fail. Knowing this upfront prevents wasting time chasing a ghost problem later.

Step 2: Install Fwupd on Ubuntu 26.04 Using APT

sudo apt install fwupd -y

What this does: This command downloads and installs the fwupd package from Ubuntu 26.04’s main repository. The -y flag automatically confirms the installation without prompting.

Why use APT instead of Snap: The APT version of fwupd runs natively without sandboxing, which is critical for interacting with low-level hardware interfaces and the EFI System Partition. The Snap version runs in a confined environment that can conflict with the system daemon and cause device detection problems. In production environments, always use the APT version and avoid mixing both installations.

Optional: Install udisks2 for full device detection:

sudo apt install udisks2 -y

Why install udisks2 alongside fwupd: Without udisks2, fwupd may fail to detect the UEFI ESP partition and return the error Not updatable as UEFI ESP partition not detected. On headless Ubuntu servers and minimal containerized environments, udisks2 is often absent from the default install. Installing it proactively avoids this error entirely.

Verify the installed version:

fwupdmgr --version

Expected output:

2.1.1

Why verify the version: Ubuntu’s apt cache can sometimes resolve to a cached older version if third-party PPAs are present. Confirming version 2.1.1 ensures you are running the Ubuntu 26.04 Resolute-native package, not a backport or outdated version. On Ubuntu 26.04, fwupd ships at version 2.1.1-1ubuntu3, a significant jump from Ubuntu 24.04’s 1.9.x series with improved plugin support and more reliable UEFI capsule handling.

Step 3: Enable and Start the Fwupd Daemon

sudo systemctl enable fwupd
sudo systemctl start fwupd
sudo systemctl status fwupd

What each command does:

  • systemctl enable fwupd: Configures the fwupd service to start automatically at system boot
  • systemctl start fwupd: Starts the fwupd daemon immediately without rebooting
  • systemctl status fwupd: Shows the current running state of the service

Why enable the daemon at boot: fwupd runs as a background systemd service. Without enabling it, the fwupdmgr client commands will fail silently or return Could not connect to fwupd errors. Enabling at boot ensures the daemon is available before any automated scripts, cron jobs, or GUI tools like GNOME Software attempt to call it. On Ubuntu 26.04, fwupd.service manages D-Bus activation automatically.

What healthy status output looks like:

● fwupd.service - Firmware Update Daemon
     Loaded: loaded (/lib/systemd/system/fwupd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2026-05-30 10:15:23 WIB; 2min ago

Why check status explicitly: Systemd’s lazy D-Bus activation means fwupd can appear installed but not actually running. The status check is your ground truth. A running daemon before attempting fwupdmgr commands prevents the most common class of “fwupd not working” reports seen in Ubuntu forums. If the status shows inactive (dead) or failed, the daemon crashed on startup, almost always because of a missing dependency or a permission problem on /var/lib/fwupd.

Step 4: Refresh LVFS Metadata on Ubuntu 26.04

sudo fwupdmgr refresh

Or force a fresh fetch if you suspect cached data:

sudo fwupdmgr refresh --force

What this command does: This downloads the latest firmware metadata XML from https://cdn.fwupd.org/downloads/firmware.xml.gz and its GPG signature. The Linux Vendor Firmware Service (LVFS) hosts metadata for thousands of devices from over 70 hardware vendors including Dell, HP, Lenovo, Logitech, and Thunderbolt controller manufacturers. Refreshing this database is the equivalent of running apt update before apt install: it tells fwupd what firmware is available for your hardware.

Why you need to do this before checking updates: If you skip fwupdmgr refresh and jump straight to fwupdmgr get-updates, fwupd will compare your hardware against stale or absent local metadata. The result is either false “No updates available” messages or outdated firmware being offered. Always refresh metadata first, especially after a fresh install or after the system has been offline for more than a week.

Expected output:

Downloading metadata…
Successfully downloaded new metadata: Updates have been published for 3 of 12 local devices

Troubleshooting LVFS connection: If you see LVFS: Failed to connect errors, check your firewall rules for outbound HTTPS to cdn.fwupd.org on port 443. Corporate firewalls sometimes block access to firmware CDNs, requiring explicit allow rules.

Step 5: Detect Your Hardware Devices with Fwupd

fwupdmgr get-devices

What this command does: This lists every hardware component that fwupd can see along with its current firmware version, device ID, and update eligibility flags. Running this before applying updates gives you a baseline snapshot, which is critical for rollback decisions if something goes wrong.

Why run get-devices before updates: This command tells you which devices are “updatable” versus “not updatable”, helping you understand whether your specific hardware vendor participates in LVFS. If your device is not listed, it means the vendor has not uploaded firmware to LVFS and you will need to use vendor-specific tools instead.

Sample output:

LENOVO ThinkPad T14 Gen 3
│
├─Samsung SSD 980 PRO 1TB:
│   │   Device ID:          8f89dcc9-acee-4e59-8cab-4f4dcc9b5875
│   │   Summary:            NVMe SSD controller
│   │   Current version:    3Q2MGZ7Q
│   │   Vendor:             Samsung
│   │   Device Flags:       
│   │     • Updatable
│   │     • System requires external power source
│   │   
└─UEFI Update Firmware:
    │   Device ID:          8f89dcc9-acee-4e59-8cab-4f4dcc9b5876
    │   Summary:            UEFI Capsule Firmware
    │   Current version:    1.2.3
    │   Vendor:             LENOVO
    │   Device Flags:       
    │     • Updatable

How to interpret device flags:

  • Updatable: Firmware updates are available or potentially available after refresh
  • Locked: Requires BIOS-level unlock before fwupd can write
  • System requires external power source: Will refuse to update on battery power
  • Missing devices: Hardware not supported by any fwupd plugin. Check https://fwupd.org for vendor support status

Step 6: Check for Available Firmware Updates

fwupdmgr get-updates

What this command does: This queries LVFS metadata and lists all firmware updates available for your detected hardware. It shows the device name, current version, target version, release date, and a description of what the update addresses.

Why this step separates listing from installing: Unlike many tools that combine check-and-install, fwupd separates get-updates (list) from update (apply). This is an intentional, sysadmin-friendly design. Reviewing what will change before applying it is essential in production environments. A firmware update to your NVMe controller or network adapter can change behavior in ways that require planned maintenance windows, not unreviewed one-liners.

Sample output:

Samsung SSD 980 PRO 1TB
│   Device ID:           8f89dcc9-acee-4e59-8cab-4f4dcc9b5875
│   Summary:             NVMe SSD controller
│   Current version:     3Q2MGZ7Q
│   Latest version:      3Q3MGZ7R
│   Release flags:       1
│   Install duration:    30 seconds
│   Release description: 
│     • Fixed rare freezes during heavy I/O
│     • Improved power management
│     • Security fixes for CVE-2025-12345

Why read the changelog: Always read the description before applying to understand the risk profile of the update. On Ubuntu 26.04 servers, treat NVMe and HBA firmware updates with the same care as kernel upgrades. Some updates introduce behavioral changes that can affect application performance or compatibility. Security patches should be prioritized, while feature updates can wait for the next maintenance window.

Step 7: Apply Firmware Updates Safely

sudo fwupdmgr update

What happens during the update:

  • Live updates (USB controllers, Bluetooth, network adapters) apply immediately without reboot
  • UEFI capsule updates (BIOS, NVMe, dock firmware) are staged to the ESP and applied on next reboot
  • All firmware is verified against SHA256 hashes and GPG signatures before being written
  • The daemon will prompt you to confirm each update before proceeding

Why staged UEFI updates require a reboot: UEFI capsule updates run outside the operating system in a pre-OS environment during the next boot sequence. The firmware binary is written to /boot/efi/EFI/[vendor]/fw/ and a UEFI variable instructs the BIOS to process it on the next power cycle. This is by design and is why you should never force-power-off mid-update. Interrupting a firmware flash can permanently brick your hardware.

Post-reboot verification:

fwupdmgr get-devices

Why verify after reboot: Re-run get-devices after reboot and compare firmware version strings to confirm the update was applied successfully. Then report the update history:

sudo fwupdmgr report-history

Why report history: This sends success or failure telemetry back to LVFS, helping hardware vendors identify widespread failures quickly. It is optional but highly recommended as a community contribution that improves firmware quality for everyone.
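The baseline snapshot from Step 5 and the post-reboot comparison from Step 7 can be scripted rather than compared by eye. This is an added example, not part of the original guide; fw_snapshot, fw_compare and sample_devices are hypothetical helper names, and the parser assumes the human-readable get-devices layout shown in the sample output above.

```sh
#!/bin/sh
# Added example (not from the original guide): baseline and post-update check.

# Reduce `fwupdmgr get-devices` text output to "Device ID|name|version" lines.
fw_snapshot() {
    awk '
        # Device headers hang off the tree with a "─" connector and end in ":".
        index($0, "─") && /:[ \t]*$/ {
            name = $0
            sub(/^[^A-Za-z0-9]*/, "", name)   # drop the tree-drawing prefix
            sub(/:[ \t]*$/, "", name)
            id = ""
            next
        }
        /Device ID:/       { id = $NF }
        /Current version:/ { if (id != "") print id "|" name "|" $NF }
    ' "$@"
}

# Compare two snapshot files, matching devices on Device ID.
# Output: STATUS|name|old version|new version
fw_compare() {
    awk -F'|' '
        FILENAME == ARGV[1] { old[$1] = $3; oname[$1] = $2; next }
        { seen[$1] = 1 }
        !($1 in old)  { print "NEW|" $2 "||" $3; next }
        old[$1] != $3 { print "UPDATED|" $2 "|" old[$1] "|" $3; next }
                      { print "UNCHANGED|" $2 "|" old[$1] "|" $3 }
        END { for (i in old) if (!(i in seen)) print "MISSING|" oname[i] "|" old[i] "|" }
    ' "$1" "$2"
}

# Constructed sample in the layout shown above (not captured from a real host).
sample_devices() {   # $1 = SSD firmware version to embed
    cat <<EOF
LENOVO ThinkPad T14 Gen 3
│
├─Samsung SSD 980 PRO 1TB:
│   │   Device ID:          8f89dcc9-acee-4e59-8cab-4f4dcc9b5875
│   │   Current version:    $1
│   │   Device Flags:
│   │     • Updatable
└─UEFI Update Firmware:
    │   Device ID:          8f89dcc9-acee-4e59-8cab-4f4dcc9b5876
    │   Current version:    1.2.3
EOF
}

# Demo on the constructed data; on a real host use
#   fwupdmgr get-devices | fw_snapshot > before.txt   (and again after reboot)
before=$(mktemp); after=$(mktemp)
sample_devices 3Q2MGZ7Q | fw_snapshot > "$before"
sample_devices 3Q3MGZ7R | fw_snapshot > "$after"
fw_compare "$before" "$after"
rm -f "$before" "$after"
```

A MISSING line after the reboot means a device that was in the baseline no longer enumerates, which deserves investigation before the maintenance window is closed.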

Troubleshooting Common Fwupd Errors on Ubuntu 26.04

Even with careful setup, you will encounter errors. Here are the five most common problems and their solutions.

Error 1: “UEFI ESP partition not detected”

Error message:

Not updatable as UEFI ESP partition not detected

Cause: The udisks2 package is missing from your system. fwupd’s UEFI capsule plugin calls udisks2 to enumerate block devices and locate the EFI System Partition. On minimal Ubuntu server installs, udisks2 is not part of the base image and must be installed explicitly.

Solution:

sudo apt install udisks2 -y
sudo systemctl restart fwupd
fwupdmgr get-devices

Why this fixes it: Installing udisks2 provides the block device enumeration service that fwupd depends on to find your ESP at /boot/efi. Restarting the daemon ensures it picks up the newly available service.

Error 2: “No updatable devices” despite supported hardware

Error message:

No updatable devices found

Cause: LVFS metadata is stale, your device requires unlocking, or the vendor has not uploaded firmware to LVFS.

Solution:

sudo fwupdmgr refresh --force
fwupdmgr get-devices

Why refresh first: Stale metadata can cause fwupd to miss available updates even when your hardware is supported. Force-refreshing ensures you have the latest firmware catalog.

Check for locked devices: Look for the Locked flag under Device Flags in the get-devices output. If a device is locked, unlock it via BIOS settings. Most enterprise hardware has a “Firmware Capsule Update” toggle in UEFI setup that must be enabled. This is a hardware-enforced security feature, not a Linux bug, designed to prevent unauthorized firmware changes in multi-tenant environments.

Error 3: Snap and APT conflict producing wrong device list

Error message:

Could not connect to fwupd daemon

Cause: Both the Snap and APT versions of fwupd are installed simultaneously, creating conflicting daemon instances and sockets.

Solution:

sudo snap remove fwupd
sudo apt-get purge fwupd
sudo rm -rf /var/lib/fwupd
sudo apt-get install fwupd
sudo systemctl enable --now fwupd

Why a clean purge is necessary: The Snap version writes its own daemon socket and state directory. Even after removing the Snap, residual state in /var/lib/fwupd can confuse the freshly installed APT daemon about previously detected devices. The rm -rf step eliminates this ghost state completely.

Error 4: “LVFS: Failed to connect” error

Error message:

Failed to connect to LVFS: Connection timed out

Cause: Firewall rules blocking outbound HTTPS to cdn.fwupd.org on port 443, or DNS resolution issues.

Solution:

# Test connectivity
curl -I https://cdn.fwupd.org
# Check firewall
sudo ufw status
# Allow if needed
sudo ufw allow out 443/tcp

Why this happens: Corporate firewalls sometimes block access to firmware CDNs. After allowing port 443, run sudo fwupdmgr refresh again to verify LVFS connectivity.

Error 5: Daemon fails to start after installation

Error message:

fwupd.service: Failed with result 'exit-code'

Cause: Missing dependencies, permission problems on /var/lib/fwupd, or conflicting configuration files from a previous installation.

Solution:

# Check detailed logs
sudo journalctl -u fwupd -n 50
# Fix permissions
sudo chown -R root:root /var/lib/fwupd
sudo chmod 755 /var/lib/fwupd
# Restart and verify
sudo systemctl restart fwupd
sudo systemctl status fwupd

Why check journal logs: The journal output will show the exact error that caused the daemon to crash, whether it is a missing library, permission denied, or configuration parse error. This is far more helpful than guessing.

How Fwupd and LVFS Work Together

Understanding the architecture helps you troubleshoot and optimize your setup.

LVFS architecture: The Linux Vendor Firmware Service acts as the firmware CDN. Hardware vendors upload signed .cab archives to fwupd.org, where each package includes the firmware binary, metadata XML, and cryptographic signatures. When you run fwupdmgr refresh, your local fwupd daemon downloads the metadata index. When you run fwupdmgr update, it fetches the specific .cab for your hardware, verifies the signature chain, extracts the payload, and hands it to the appropriate plugin for flashing.

Security model: Every firmware file on LVFS is GPG-signed and distributed with SHA256 checksums. fwupd refuses to apply any update that fails signature verification. This protects against tampered firmware and man-in-the-middle attacks on the update channel.

Supported vendors: LVFS supports over 70 device types from vendors including Dell, HP, Lenovo, Logitech, Synaptics, Realtek, AMD, Intel, and Thunderbolt controller manufacturers. If your vendor is not listed, contact them to request LVFS participation. Firmware updates are critical for security, and vendors that do not participate in LVFS leave their Linux users without a secure update path.

Keeping Fwupd Updated on Ubuntu 26.04 LTS

sudo apt update
sudo apt upgrade fwupd

Why keep fwupd itself updated: fwupd is an active project with frequent releases. New plugin support, security fixes, and compatibility improvements are released regularly. Ubuntu’s SRU (Stable Release Update) policy allows fwupd to receive version bumps in stable LTS releases specifically because firmware security is considered a critical exception to the normal SRU freeze rules. Running an outdated fwupd means missing support for newer hardware and potentially leaving firmware security channels closed.

Set up automatic security updates:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Why automation matters: On production servers, missing firmware security patches can leave critical vulnerabilities open. Configuring unattended upgrades for security-only updates ensures you receive fwupd patches without manual intervention while avoiding risky feature updates during production hours.

r00t is a Linux Systems Administrator and open-source advocate with over ten years of hands-on experience in server infrastructure, system hardening, and performance tuning. Having worked across distributions such as Debian, Arch, RHEL, and Ubuntu, he brings real-world depth to every article published on this blog. r00t writes to bridge the gap between complex sysadmin concepts and practical, everyday application — whether you are configuring your first server or optimizing a production environment. Based in New York, US, he is a firm believer that knowledge, like open-source software, is best when shared freely.
