Why updating firmware manually is bad

(Nov 2021)

Modern (server) motherboards often come with onboard NICs that are controlled by complex firmware. Firmware is software, and software gets outdated.

I recently got my hands on an Asrock Rack E3C246D4I-2T, which has an onboard Intel X550-T2 controller with firmware version 1.93. For security fixes and improvements to the SR-IOV system, I wanted to upgrade it to a newer version. So I tried the NVM update packages from Intel's official website. The flashing process didn't even start, because my X550-T2 seems to have a "wrong device id". In fact, Asrock Rack intentionally changed this ID, and I was lucky that they did it for my mainboard model.

People over at servethehome.com [1] (half-)bricked their onboard NICs by flashing the "official" Intel update on some of their newer boards. It appears Asrock Rack forgot to change the device ID of the controller, so flashing it was possible. It also seems likely that they shipped their X550 in a Debug Mode configuration, hence the onboard controller differs from retail cards. As a result, it made one of the two NICs unusable.
So the firmware image creator has to take care of various things; just using Intel's image won't work.
I flashed the firmware image from the Asrock Rack FAQ that was originally intended for the ROMED8-2T and X570D4U-2L2T models.
[Figure: before UEFI flashing process]
[Figure: after UEFI flashing process]
Flashing my controller did work, although it's on a different motherboard model. All three boards use the same Aspeed 2500 BMC and share other similarities, so I figured this might work. After some hours of testing I found it stable. It is not the most recent version that Intel provides, but still better than the outdated version from June 2018. Obviously this solution is not supported by Asrock Rack.
Any manufacturer that uses an Intel NIC in a similar configuration has to maintain a firmware package if they want to keep their users up to date.
In my case, I would have been happy if Asrock Rack had just provided those files on my board's official support page.

A better way for updating firmware

Installing firmware (like BIOS) on Linux or other FOSS operating systems can be hard or impossible for many devices for several reasons. But in this case, Intel already provides the tools for the most common operating systems, such as Windows, Linux and FreeBSD. So most of the work needed to make it usable with fwupd has already been done.
From an end user's perspective, it would be much easier if manufacturers just distributed their firmware via fwupd. This would make the process as comfortable as it gets, across all platforms. It would have spared many people from searching all over the internet to find one forum post where someone has similar problems. Their OS could update their firmware to current versions in a verified process, provided the device ID is set correctly. Of course, vendors sometimes have good technical/support reasons to withhold recent firmware revisions. For cases like that, a recent change [5] in fwupd made it possible to ensure a good configuration for a whole system (like a mainboard).
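A pre-flash guard for the device-ID problem described in this post, as an added example (not code from the original post, Intel, Asrock Rack or fwupd): it reads a NIC's PCI IDs from Linux sysfs and only proceeds when the full identity is on the list the image was built for. The function names, the allowlist file format and `FLASH_CMD` are assumptions made for this example, and any ID values used with it are constructed.

```shell
#!/bin/sh
# Pre-flash guard (added example): refuse to flash unless the NIC's PCI
# identity is listed in the allowlist shipped with the firmware image.

# Print "vendor:device:subvendor:subdevice" for one sysfs PCI device
# directory, e.g. /sys/bus/pci/devices/0000:01:00.0
pci_identity() {
    dev=$1
    for f in vendor device subsystem_vendor subsystem_device; do
        [ -r "$dev/$f" ] || return 2      # not a PCI device directory
    done
    printf '%s:%s:%s:%s\n' \
        "$(cat "$dev/vendor")" "$(cat "$dev/device")" \
        "$(cat "$dev/subsystem_vendor")" "$(cat "$dev/subsystem_device")"
}

# Return 0 only if the full identity appears as a whole line in the
# allowlist (one "ven:dev:subven:subdev" per line, '#' starts a comment).
# All four fields must match: an onboard controller can differ from the
# retail card even when vendor and device ID are the same.
flash_allowed() {
    dev=$1 allowlist=$2
    id=$(pci_identity "$dev") || return 2
    grep -v '^[[:space:]]*#' "$allowlist" | grep -qixF -- "$id"
}

# Hypothetical wrapper: FLASH_CMD stands in for the vendor's flashing tool
# and defaults to a no-op so the guard can be tried without flashing.
guarded_flash() {
    if flash_allowed "$1" "$2"; then
        echo "identity $(pci_identity "$1") is supported, flashing"
        ${FLASH_CMD:-true} "$1"
    else
        echo "refusing to flash $1: identity not in $2" >&2
        return 1
    fi
}
```
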

Sources:
[1] https://forums.servethehome.com/index.php?threads/nic-firmware-update-on-romed8-2t-failed.31432/ (where I found the most important pieces)
[2] https://www.intel.com/content/dam/www/public/us/en/documents/release-notes/ethernet-controller-x550-feature-support-matrix.pdf
[3] https://www.intel.com/content/www/us/en/download/19358/non-volatile-memory-nvm-update-utility-for-intel-ethernet-network-adapter-x550-series.html
[4] https://community.intel.com/t5/Ethernet-Products/X550-NVM-Firmware-changelog/m-p/677527
[5] https://blogs.gnome.org/hughsie/2021/11/29/firmware-best-known-configuration-in-fwupd/