Use community header for firmware-update instead of inline banner

Move the ASCII art into tools/headers/firmware-update and load it via
APP/Firmware-Update + APP_TYPE=tools + core.func header_info, matching
pve-privilege-converter and add-iptag instead of a local header_info
override.

tools/headers/firmware-update

@@ -0,0 +1,6 @@
+    _______                                      __  __          __      __
+   / ____(_)________ _      ______ _________     / / / /___  ____/ /___ _/ /____
+  / /_  / / ___/ __ `/ | /| / / __ `/ ___/ _ \   / / / / __ \/ __  / __ `/ __/ _ \
+ / __/ / / /  / /_/ /| |/ |/ / /_/ / /  /  __/  / /_/ / /_/ / /_/ / /_/ / /_/  __/
+/_/   /_/_/   \__,_/ |__/|__/\__,_/_/   \___/   \____/ .___/\__,_/\__,_/\__/\___/
+                                                    /_/

tools/pve/firmware-update.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT
+# https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/refs/heads/main/misc/core.func)
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func) 2>/dev/null || true
+load_functions
+declare -f init_tool_telemetry &>/dev/null && init_tool_telemetry "firmware-update" "pve"
+
+APP="Firmware-Update"
+APP_TYPE="tools"
+header_info "$APP"
+
+# Must run as root
+if [ "$(id -u)" -ne 0 ]; then
+  msg_error "This script must be run as root."
+  exit 1
+fi
+
+# Must run on Proxmox VE 8.x or 9.x
+if ! command -v pveversion >/dev/null 2>&1; then
+  msg_error "No Proxmox VE detected!"
+  exit 1
+fi
+if ! pveversion | grep -Eq "pve-manager/(8\.[0-4]|9\.[0-9]+)(\.[0-9]+)*"; then
+  msg_error "This version of Proxmox Virtual Environment is not supported."
+  msg_error "Requires Proxmox Virtual Environment Version 8.0-8.4 or 9.x."
+  exit 1
+fi
+
+# Firmware updates only make sense on bare metal. systemd-detect-virt prints
+# "none" but exits non-zero on bare metal, so a `|| echo none` fallback would
+# duplicate the value; capture the output as-is instead.
+virt=$(systemd-detect-virt 2>/dev/null)
+if [ -n "$virt" ] && [ "$virt" != "none" ]; then
+  msg_error "Firmware updates can only be applied on bare metal. Detected: $virt"
+  exit 1
+fi
+
+# Only x86_64/arm64 with UEFI/LVFS support; fwupd itself handles capability checks
+whiptail --backtitle "Proxmox VE Helper Scripts" --title "Firmware Update (fwupd / LVFS)" \
+  --yesno "This tool uses fwupd to check for and optionally install firmware updates (UEFI/BIOS and supported devices) from the Linux Vendor Firmware Service (LVFS).\n\nWARNING: Flashing firmware carries risk. Ensure stable power and do not interrupt the process. Some updates require a reboot to be applied.\n\nProceed?" 16 70 || exit 0
+
+# Install fwupd if missing
+if ! command -v fwupdmgr >/dev/null 2>&1; then
+  msg_info "Installing fwupd"
+  apt-get update &>/dev/null
+  if ! apt-get install -y fwupd &>/dev/null; then
+    msg_error "Failed to install fwupd"
+    exit 1
+  fi
+  msg_ok "Installed fwupd"
+else
+  msg_ok "fwupd is already installed"
+fi
+
+# Refresh metadata from LVFS
+msg_info "Refreshing firmware metadata from LVFS"
+if fwupdmgr refresh --force &>/dev/null; then
+  msg_ok "Refreshed firmware metadata"
+else
+  # A failed refresh is not fatal (cached metadata may still be usable)
+  msg_error "Could not refresh metadata (continuing with cached data)"
+fi
+
+# Show detected, updatable devices. --no-metadata-check / -y keep fwupd from
+# prompting interactively (e.g. the "metadata is 30 days old, update now?"
+# question) which would otherwise block and garble the output.
+echo -e "\n${YW}Detected devices with firmware management support:${CL}\n"
+fwupdmgr get-devices --no-unreported-check --no-metadata-check 2>/dev/null || true
+echo
+
+# Check for available updates (non-interactive)
+msg_info "Checking for available firmware updates"
+updates_output=$(fwupdmgr get-updates --no-unreported-check --no-metadata-check -y 2>&1)
+updates_rc=$?
+msg_ok "Checked for firmware updates"
+
+# Many Proxmox hosts have no permanently mounted EFI System Partition (e.g.
+# ZFS root managed by proxmox-boot-tool). Without it, fwupd cannot stage
+# UEFI/BIOS capsule updates, so make that explicit instead of burying it.
+if echo "$updates_output" | grep -qi "ESP partition not detected"; then
+  echo -e "${YW}Note:${CL} No mounted EFI System Partition (ESP) was detected."
+  echo -e "      UEFI/BIOS capsule firmware updates cannot be staged on this host."
+  echo -e "      Device firmware (e.g. NVMe/SSD) can still be updated if offered.\n"
+fi
+
+if [ "$updates_rc" -ne 0 ] || echo "$updates_output" | grep -qiE "No (updates|upgrades) available|Devices with no available firmware updates|No updatable devices"; then
+  whiptail --backtitle "Proxmox VE Helper Scripts" --title "No Firmware Updates" \
+    --msgbox "No applicable firmware updates were found for this system." 10 68
+  echo -e "${GN}Nothing to do.${CL}"
+  exit 0
+fi
+
+echo -e "\n${YW}Available firmware updates:${CL}\n"
+echo "$updates_output"
+echo
+
+whiptail --backtitle "Proxmox VE Helper Scripts" --title "Apply Firmware Updates" \
+  --yesno "Firmware updates are available (see terminal output).\n\nDo you want to apply them now?\n\nNOTE: Some updates schedule a flash on the next reboot. Do NOT power off during the process." 14 70 || {
+  echo -e "${YW}Skipped applying updates.${CL}"
+  exit 0
+}
+
+msg_info "Applying firmware updates (this may take a while)"
+echo
+if fwupdmgr update -y; then
+  msg_ok "Firmware update process completed"
+  echo -e "\n${YW}A reboot may be required to finalize some firmware updates.${CL}\n"
+else
+  msg_error "Firmware update reported an error. Review the output above."
+  exit 1
+fi