Feature Request: fwupd Support in TrueNAS Community + Firmware Visibility, Update Policies, TPM Updates, and Upstream Collaboration

Problem / Justification

TrueNAS Community and Enterprise both rely heavily on modern security features such as encrypted datasets, TPM‑based unlocking, secure boot, and external key‑interchange systems. Despite this, the platform still lacks a consistent, OS‑native method for updating the firmware of the hardware it depends on.

Today, NICs, HBAs, NVMe drives, expanders, TPMs, and system firmware all require different vendor‑specific tools — many of which only run on Windows or require bootable ISOs. This leaves users without a safe, unified, or auditable way to keep critical firmware current.

With TrueNAS Connect now providing multi‑appliance visibility, the absence of firmware lifecycle management is becoming more noticeable. fwupd already supports many of these device classes (including TPM firmware) and uses signed metadata that aligns with TrueNAS’s existing trust and security model. Integrating it would close a long‑standing gap and bring firmware into the same lifecycle as software updates, encryption, and key‑management.

Impact

A unified firmware‑update mechanism would:

  • reduce uncertainty for Community users

  • give Enterprise deployments a predictable, auditable way to maintain security‑critical components

  • strengthen the overall trust chain by ensuring TPM firmware updates follow the same signed‑metadata model used for secure boot and dataset encryption

  • allow TrueNAS Connect to display firmware status across appliances, highlight drift, and support update policies

  • provide Plus and Business tiers with policy controls such as maintenance windows, staged rollouts, and HA‑aware sequencing

Involvement with fwupd/LVFS or the Linux Foundation would also help ensure long‑term sustainability and give iXsystems influence over standards that TrueNAS increasingly depends on.

The main drawback is the engineering effort required to integrate fwupd safely with ZFS and HA workflows — but the long‑term benefits outweigh the cost.

User Story

A user managing several TrueNAS appliances logs into TrueNAS Connect and sees a clear list of firmware versions for each system: NICs, HBAs, NVMe drives, TPM, and system firmware. One appliance shows outdated TPM firmware with a security fix available.

The user opens the appliance view, reviews the fwupd‑provided details, and schedules the update for the next maintenance window. In a Plus or Business tier, the user applies a policy so that firmware and software updates only occur during defined hours and roll out to one node at a time.

The update runs with the usual TrueNAS safeguards — pools exported, HA node idle — and the TPM firmware is updated using signed metadata. The appliance reports back to Connect, and the fleet view shows all systems back in compliance.

Proposed Implementation

1. Integrate fwupd as a system service within TrueNAS SCALE

  • Package fwupd as part of the base OS, running in a restricted, non‑networked mode.

  • Expose only the necessary device‑update functionality, with iX‑controlled configuration.

  • Disable unsupported or risky plugins by default to ensure predictable behaviour.

2. Add a TrueNAS middleware layer for safe orchestration

  • Middlewared would act as the gatekeeper, validating update metadata, device compatibility, and system state.

  • Updates would only proceed when pools are exported, HA nodes are idle, and no critical tasks are running.

  • Middleware would log all firmware actions for auditability.

3. Extend the Web UI with a dedicated Firmware Management page

  • Show detected devices, current firmware versions, and available updates.

  • Provide per‑device update controls and a unified “Check for Updates” action.

  • Include warnings, rollback notes (where supported), and links to vendor advisories.

4. Integrate with TrueNAS Connect for fleet‑level visibility

  • Connect would collect firmware inventory from each appliance.

  • Drift detection would highlight systems with outdated or mismatched firmware.

  • Policies could define maintenance windows, staged rollouts, and HA‑aware sequencing for Plus/Business tiers.

5. Use LVFS as the trusted upstream source

  • TrueNAS would rely on LVFS’s signed metadata, which aligns with the platform’s existing trust model.

  • iXsystems could optionally maintain a curated mirror or whitelist to ensure only approved updates are offered.

  • For devices not yet supported by LVFS, iX could work with vendors to onboard them.

6. Provide a safe fallback path for unsupported hardware

  • For devices without fwupd support, TrueNAS could offer guidance or vendor‑specific instructions.

  • Over time, iX could help expand fwupd plugin support for common TrueNAS hardware.

2 Likes
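As an added illustration of the middleware gatekeeper and fleet drift detection described in the proposal (not TrueNAS, middlewared or fwupd code, and not the requester's own design): a small Python model that refuses an update unless the release is newer and signed, the plugin is on the allowed list, the release is on an optional curated allowlist, no pools are imported, the HA peer is idle, no critical jobs are running, and the clock is inside the maintenance window. Every device ID, version, plugin name and host name below is constructed; the plugin labels are illustrative, not a claim about fwupd's plugin set.

```python
"""Hypothetical gatekeeper modelling the middleware checks proposed in the
request. Not TrueNAS, middlewared or fwupd code; all device data is constructed."""
import json
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Plugins the appliance may drive; everything else is treated as disabled by policy.
# (Illustrative labels only, not fwupd's actual plugin list.)
ALLOWED_PLUGINS = {"nvme", "tpm", "uefi_capsule"}

@dataclass
class Device:
    device_id: str
    name: str                         # model label used to compare across the fleet
    plugin: str
    version: str
    available: Optional[str] = None   # newest release offered by upstream metadata
    metadata_signed: bool = False     # release metadata carried a valid signature

@dataclass
class SystemState:
    imported_pools: List[str]
    ha_enabled: bool
    ha_peer_idle: bool
    running_jobs: List[str]
    now: datetime

@dataclass
class Policy:
    window_start: time = time(1, 0)   # maintenance window, local time
    window_end: time = time(5, 0)
    allowed_plugins: Set[str] = field(default_factory=lambda: set(ALLOWED_PLUGINS))
    approved: Optional[Set[Tuple[str, str]]] = None  # curated (device_id, version) allowlist

def version_tuple(v: str) -> Tuple[int, ...]:
    # Dotted numeric versions; non-numeric parts sort as 0 so comparisons stay total.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def in_window(now: datetime, policy: Policy) -> bool:
    t = now.time()
    if policy.window_start <= policy.window_end:
        return policy.window_start <= t < policy.window_end
    return t >= policy.window_start or t < policy.window_end  # window wraps midnight

def evaluate(device: Device, state: SystemState, policy: Policy) -> Tuple[bool, List[str]]:
    """Decide whether an update may proceed; report every blocking reason, not just the first."""
    reasons = []
    if device.available is None or version_tuple(device.available) <= version_tuple(device.version):
        reasons.append("no newer release offered")
    if not device.metadata_signed:
        reasons.append("release metadata not signed")
    if device.plugin not in policy.allowed_plugins:
        reasons.append("plugin '%s' disabled by policy" % device.plugin)
    if policy.approved is not None and (device.device_id, device.available) not in policy.approved:
        reasons.append("release not on curated allowlist")
    if state.imported_pools:
        reasons.append("pools still imported: " + ", ".join(state.imported_pools))
    if state.ha_enabled and not state.ha_peer_idle:
        reasons.append("HA peer not idle")
    if state.running_jobs:
        reasons.append("critical jobs running: " + ", ".join(state.running_jobs))
    if not in_window(state.now, policy):
        reasons.append("outside maintenance window")
    return (not reasons, reasons)

def audit_record(host: str, device: Device, allowed: bool, reasons: List[str], when: datetime) -> str:
    """One JSON line per decision, for an append-only firmware audit log."""
    return json.dumps({
        "ts": when.isoformat(), "host": host, "device_id": device.device_id,
        "from": device.version, "to": device.available,
        "decision": "proceed" if allowed else "blocked", "reasons": reasons,
    }, sort_keys=True)

def detect_drift(fleet: Dict[str, List[Device]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Per device model, list hosts running older firmware than the newest
    version seen anywhere in the fleet (installed or offered)."""
    newest: Dict[str, str] = {}
    for devices in fleet.values():
        for d in devices:
            for v in [d.version] + ([d.available] if d.available else []):
                if d.name not in newest or version_tuple(v) > version_tuple(newest[d.name]):
                    newest[d.name] = v
    drift: Dict[str, List[Tuple[str, str, str]]] = {}
    for host, devices in fleet.items():
        for d in devices:
            if version_tuple(d.version) < version_tuple(newest[d.name]):
                drift.setdefault(d.name, []).append((host, d.version, newest[d.name]))
    return drift

# Constructed inventory for two appliances (hypothetical IDs, names and versions).
FLEET = {
    "nas-01": [Device("tpm-0", "TPM 2.0", "tpm", "7.2.2.0", None, False)],
    "nas-02": [Device("tpm-0", "TPM 2.0", "tpm", "7.2.0.0", "7.2.2.0", True),
               Device("nic-0", "10GbE NIC", "vendor_nic", "3.1", "3.2", True)],
}
BUSY = SystemState(["tank"], True, False, ["replication"], datetime(2025, 1, 15, 14, 0))
QUIET = SystemState([], True, True, [], datetime(2025, 1, 15, 2, 30))

if __name__ == "__main__":
    policy = Policy()
    for dev in FLEET["nas-02"]:
        for state in (BUSY, QUIET):
            ok, why = evaluate(dev, state, policy)
            print(audit_record("nas-02", dev, ok, why, state.now))
    print(detect_drift(FLEET))
```

The gatekeeper collects every failing precondition rather than stopping at the first, so the audit line tells an operator exactly what to clear before the next attempt; the drift report compares against the newest version seen fleet-wide, which is what a Connect-style view would surface as "one appliance behind the rest".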

Can I suggest that you vote for your own feature request?

Also - I think this is a damned good idea - I just don’t have any votes left atm

1 Like

Thanks, really appreciate the support!

I’ve added my vote now.

I’ve also refined the request a little to make the use‑case clearer, so hopefully that helps others see the value as well.

Cheers,
John

Hi,

Another thought that might help with feasibility: since TrueNAS is open‑core and the entire SCALE codebase is on GitHub, this could also be a strong candidate for community‑assisted development.

If iX defines the architecture and scope, a lot of the surrounding work — fwupd plugin support, LVFS metadata contributions, hardware‑specific testing, and even some middleware/UI pieces — could be tackled collaboratively by community developers alongside iX engineers.

Programs like Google Summer of Code (GSoC), Google Season of the Web (GSoW), and even Hacktoberfest often bring in contributors who are specifically looking for impactful, well‑defined open‑source projects. Firmware lifecycle management is exactly the kind of feature that attracts that kind of interest because it’s modular, widely useful, and touches multiple layers of the system.

With iX providing the design direction and the community helping with device coverage and testing, the pace of implementation could be significantly accelerated — especially given how diverse the hardware ecosystem is across TrueNAS users.

Hi,

It’s also worth noting that the timing for this kind of community‑assisted feature development is unusually good. There’s been a huge surge of interest in open‑source and open‑core platforms across both business and home users — especially after the changes following Broadcom’s acquisition of VMware and the resulting licensing shifts.

A lot of organisations are actively moving away from closed ecosystems and toward platforms where they can participate, contribute, and influence the roadmap. TrueNAS is in a strong position here because the code is open, the development model is transparent, and the community is already deeply engaged.

A feature like firmware lifecycle management is exactly the kind of improvement that benefits from that momentum. With iX providing the architectural direction and community contributors helping with fwupd plugins, LVFS metadata, and hardware‑specific testing, this could be implemented and validated much faster than if it were a purely internal effort. The diversity of hardware across the TrueNAS user base is a huge advantage in this case.

@fayelund A thought: if iX implements fwupd support in TrueNAS and then follows up by publishing complete, consistent SBOM‑related firmware metadata to LVFS, they could effectively set the standard for the storage‑appliance industry. Being the first vendor to do this would likely push others to follow, and it would make your work on the security side much easier.

For everyone else using TrueNAS — Community or Enterprise — the benefits would be similar: better transparency, easier auditing, and more reliable firmware lifecycle visibility across the board.

Even though iX already publishes SBOMs inside the Security app, publishing the same metadata to LVFS would make it externally visible and machine‑discoverable. That’s something analysts like Gartner can independently verify, and it’s something procurement and supply‑chain tools actively scan for. Vendors who consistently publish SBOM‑related firmware metadata to LVFS tend to score higher in risk assessments, which can directly increase adoption and sales. It also strengthens iX’s own internal dogfooding story — something a CTO will notice — because the same LVFS‑published metadata becomes usable across internal services, customer deployments, and compliance workflows.