Infineon Tpm

In early October of 2017, researchers publicly announced a cryptographic vulnerability in the RSA key generation algorithm found within practically every TPM built on Infineon's RSA library. This vulnerability effectively allows an attacker to recover the private component of an RSA key generated inside the TPM, rendering the protections and assurances granted by the TPM useless. It turns out that many TPMs use Infineon's technology, meaning many TPMs are vulnerable, including all Asus and Gigabyte TPMs (that I know of).

tl;dr - TPM broke, I sad, TPM need fix.

SuperMicro AOM-TPM-9665V (Vertical) Trusted Platform Module with Infineon 9665, TPM 2.0, uses TCG 2.0. Specifications: Physical Dimensions (W x L x H): Vertical Design / 8mm x 26mm x 25mm. Supported Platforms: X10 motherboards with 20-pin TPM header.

'TPM 1.2/2.0 (Infineon, soldered down)'. 'I have not found any TPM upgrade to version 2.0 anywhere.' He has advised that I 'investigate whether HP EliteBook Folio 1040 G2 Notebook PC has TPM upgrade to ver.'

Check the firmware version. Follow these steps to check the currently installed firmware version of the TPM:
    • Hold down the Windows key and press the R key. The 'Run' dialogue box will open up.
    • In the 'Run' dialog box, enter 'tpm.msc' and select 'OK'.
    • Check if the Manufacturer Name is 'IFX' and Manufacturer Version is '4.31' or '4.32'.

TPM chip: Infineon SLB9656, TPM 1.2. This chip doesn't support update to TPM ver. A detailed description of the TPM is in this thread: HP TPM Configuration Utility - Updating TPM Firmware and Converting Between TPM. HPSBHF03568 rev. 7 - Infineon TPM Security Update. Last updated: 21-May-2018. Advisory.

The Infineon TPM 2.0 Application Note shows how the TPM device driver can be set up (e.g. for Linux kernel 4.14). Usage of ELTT2 2.1 (Generic Usage): ELTT2 is operated as follows. Call: ./eltt2 (for example: ./eltt2 -g or ./eltt2 -gc). For an overview of the possible commands, run ./eltt2 -h.

Since the point of a TPM is to perform key protection inside hardware, a software fix is impossible. This is so difficult to mitigate that Windows just resorts to emitting a warning in the Event Log like the one below:

Output

Now, 6 months later and over a year since Infineon was notified of this issue, Asus and Gigabyte have yet to release updates for their TPMs. I'm not particularly surprised, though, considering most consumers would likely brick their machines when trying to update (or not need to update to begin with). Thankfully, many enterprise-centered companies use these Infineon-based TPMs, meaning we, the consumers, can piggyback off of enterprise clients shouting for a fix.

In this case, it turns out that the Asus and Gigabyte TPMs are effectively the same ones found in some Supermicro servers, and of course, Supermicro had to release firmware updates - updates that we can use.

Getting Started

Before I get started, I want to make sure the TPM is working in my device. I can ask Windows about it via the Get-TPM command.

Output

Getting the Firmware

Everything looks good! Now to get the firmware. I found a compatible version on Supermicro's driver site (Driver FTP).

Looking through the extracted files, there are two directories:

PowerShell

The important files are these:

Code

I'm going to copy the above to the same folder, because I'm lazy.

Now .workspace contains the following files:

PowerShell

Now to upgrading the firmware!

Upgrading the Firmware

Let's make sure TPMFactoryUpd.exe detects the TPM.

PowerShell

And it does, sweet! Now to run the upgrade.

PowerShell

Sad panda, it turns out we need to disable the TPM module in the BIOS/UEFI before we can flash the firmware update. Time to connect my Spider KVM and boot into the UEFI menu. BTW, Spiders are awesome, but don't pay full price!

Now to disable the TPM.

After booting back into Windows, it looks like disabling the TPM fixes the Empty Buffer problem:

PowerShell

Now I can try to update the TPM again.

PowerShell

And it works!

Wrapping Things Up

A disabled TPM is rather useless, so it's time to boot back into the UEFI menus to enable it.

And since this vulnerability is in RSA key generation, it's best to throw away every key the old firmware generated (updating the firmware does not fix keys that already exist). I used a TPM clear to do this, plus a reboot.

After getting back into Windows, I'm greeted with a lovely success message.

PowerShell

And as a final check, it looks like the ManufacturerVersion was updated to 5.62.

PowerShell


Yeah, no more weak keys!
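The write-up's before-and-after checks (Get-TPM, the ManufacturerVersion compare, the Event Log warning) and the tpm.msc check quoted earlier (manufacturer 'IFX', version 4.31/4.32) are manual. The script below, an added example that is not code from the original post or from any vendor tool, turns them into one repeatable pre-flight and post-flight check. It assumes Get-Tpm from the TrustedPlatformModule module (Windows 10 / Server 2016 and later), and it assumes the warning the post mentions is logged to the System log by provider TPM-WMI as event ID 1794, which comes from Microsoft's guidance for this issue rather than from this page. The outdated-to-fixed version pairs are the ones listed on this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from any vendor tool.
# Scripts the manual checks in this write-up: read manufacturer and firmware
# version with Get-Tpm, compare against the outdated -> fixed version pairs
# given on this page, and look for the Windows warning the post mentions.
# Assumptions (not on this page): Get-Tpm from the TrustedPlatformModule
# module; the warning is logged to the System log by provider "TPM-WMI" as
# event ID 1794 (Microsoft's guidance for this issue).

# Outdated firmware -> fixed firmware, as listed on this page.
$script:FixedVersion = @{
    '4.32' = '4.34'
    '4.40' = '4.43'
    '5.51' = '5.62'
    '5.61' = '5.62'
}
# Versions this page names as affected without giving a target version.
$script:KnownOutdated = @('4.31')

function Get-TpmFirmwareAssessment {
    # Returns an object describing whether the installed TPM is an Infineon
    # part running firmware this page lists as outdated.
    $tpm = Get-Tpm

    # With the TPM disabled in UEFI (the state TPMFactoryUpd.exe wanted in the
    # post) Windows reports no TPM at all, so say so rather than guess.
    if (-not $tpm.TpmPresent) {
        return [pscustomobject]@{
            Present = $false; Manufacturer = $null; Version = $null
            Infineon = $false; Outdated = $false; FixedVersion = $null
            Verdict = 'No TPM visible to Windows (disabled in UEFI, or absent).'
        }
    }

    # Infineon reports "IFX". Older Windows builds lack ManufacturerIdTxt, so
    # fall back to the numeric TCG vendor ID ("IFX\0" as big-endian ASCII).
    $manufacturer = "$($tpm.ManufacturerIdTxt)".Trim()
    if (-not $manufacturer) {
        $manufacturer = if ($tpm.ManufacturerId -eq 0x49465800) { 'IFX' }
                        else { '0x{0:X8}' -f $tpm.ManufacturerId }
    }

    # Versions appear as "5.62" or "4.43.257.0"; the vendor tables only use
    # the first two components.
    $parts = "$($tpm.ManufacturerVersion)" -split '\.'
    $shortVersion = ($parts | Select-Object -First 2) -join '.'

    $isInfineon = $manufacturer -eq 'IFX'
    $target = $script:FixedVersion[$shortVersion]
    $outdated = $isInfineon -and (($null -ne $target) -or ($shortVersion -in $script:KnownOutdated))

    $verdict = if (-not $isInfineon) {
        "Manufacturer '$manufacturer' is not Infineon; this advisory does not apply."
    } elseif ($outdated -and $target) {
        "Infineon firmware $shortVersion is outdated; the vendor target is $target."
    } elseif ($outdated) {
        "Infineon firmware $shortVersion is listed as affected; check the vendor table for the target version."
    } else {
        "Infineon firmware $shortVersion is not in the outdated list on this page."
    }

    [pscustomobject]@{
        Present = $true; Manufacturer = $manufacturer; Version = $tpm.ManufacturerVersion
        Infineon = $isInfineon; Outdated = $outdated; FixedVersion = $target; Verdict = $verdict
    }
}

function Get-TpmFirmwareWarningEvents {
    # Pulls the warning entries Windows writes for this issue so the state can
    # be confirmed before flashing and again after the clear and reboot.
    $filter = @{ LogName = 'System'; ProviderName = 'TPM-WMI'; Id = 1794 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$assessment = Get-TpmFirmwareAssessment
$assessment | Format-List

$events = @(Get-TpmFirmwareWarningEvents)
if ($events.Count -gt 0) {
    Write-Warning "Found $($events.Count) TPM firmware warning event(s) in the System log:"
    $events | Format-Table -AutoSize
} elseif ($assessment.Outdated) {
    Write-Warning 'Firmware is outdated but no warning event was found; Windows may not have scanned yet.'
}
```

Run it from an elevated PowerShell prompt (Get-Tpm needs administrator rights) once before flashing and once after the TPM clear and reboot: the first run should report Outdated = True with the 5.62 target, the second should report the new version and no warning events. Keys generated before the update remain weak whatever the version string says, which is why the second run belongs after the clear, not before it.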


Infineon TPM Vulnerability

The information below includes a description of the vulnerability and details the steps recommended by Infineon and Fujitsu that users should take to secure affected product lines.

Summary:
A vulnerability has recently been discovered in Infineon TPM hardware: outdated TPM firmware uses an algorithm that generates weak RSA keys. This page provides information on how to update outdated TPM firmware.

For more detailed information please refer to the Infineon web site.

Microsoft has published additional information relating to operating systems. For detailed information please refer to the Microsoft web site.

Recommended steps:

  1. To download the respective updates for your system, please go to the Fujitsu Support page and perform the following steps:
    • Select Product.
    • Select Series.
    • Select Model.
    • Press Go.
    • Download and install the latest BIOS and/or firmware update package.


Affected Products:
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

Fujitsu is providing an easy-to-use Windows-based tool for end customers to identify whether a TPM is installed in their system. If the tool finds a TPM in the system, it will show the relevant TPM and firmware version. This tool can be found here: TPM Information Tool
Please note: for some affected products, TPM was sold as an optional component. This means that not all systems are affected by this issue.

An overview of the affected Client Computing Devices can be found here:


Model Name | Original FW Version | Updated FW Version | Minimum BIOS Ver | Update Type | Update Tool (1)
--- | --- | --- | --- | --- | ---
LIFEBOOK E544, LIFEBOOK E554 | FW4.32 | FW4.34 | No Dependency | FW Update Utility | FPC48-2383-01 Infineon TPM1.2 Firmware Update V4.34
LIFEBOOK E546, LIFEBOOK E556 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
LIFEBOOK E546, LIFEBOOK E556 | FW5.51 | FW5.62 | vPro V1.18, non-vPro V1.25 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
LIFEBOOK E547, LIFEBOOK E557 | FW5.61 | FW5.62 | vPro V1.13, non-vPro V1.09 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
LIFEBOOK E734, LIFEBOOK E744, LIFEBOOK E754 | FW4.32 | FW4.34 | No Dependency | FW Update Utility | FPC48-2383-01 Infineon TPM1.2 Firmware Update V4.34
LIFEBOOK E736, LIFEBOOK E746, LIFEBOOK E756 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
LIFEBOOK E736, LIFEBOOK E746, LIFEBOOK E756 | FW5.51 | FW5.62 | vPro V1.21, non-vPro V1.27 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
LIFEBOOK P727 | FW5.61 | FW5.62 | V1.12 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
LIFEBOOK T725 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
LIFEBOOK T726 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
LIFEBOOK T726 | FW5.51 | FW5.62 | V1.15 | BIOS update and FW Tool (2) | FPC48-2381-01 Infineon TPM2.0 Firmware Update Tool V1.0.0
LIFEBOOK T734 | FW4.32 | FW4.34 | No Dependency | FW Update Utility | FPC48-2383-01 Infineon TPM1.2 Firmware Update V4.34
LIFEBOOK T904 | FW4.32 | FW4.34 | No Dependency | FW Update Utility | FPC48-2383-01 Infineon TPM1.2 Firmware Update V4.34
LIFEBOOK T935 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
LIFEBOOK T936 | FW5.51 | FW5.62 | V1.14 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
LIFEBOOK T936 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
LIFEBOOK T937 | FW5.61 | FW5.62 | V1.13 | BIOS update and FW Tool (2) | FPC48-2381-01 Infineon TPM2.0 Firmware Update Tool V1.0.0
LIFEBOOK U727 | FW5.61 | FW5.62 | V1.18 | BIOS update and FW Tool (2) | FPC48-2381-01 Infineon TPM2.0 Firmware Update Tool V1.0.0
LIFEBOOK U727 6th Gen | FW5.61 | FW5.62 | V1.06 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
LIFEBOOK U745 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
LIFEBOOK U745 | FW5.51 | FW5.62 | V1.20 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
LIFEBOOK U747, LIFEBOOK U757 | FW5.61 | FW5.62 | V1.18 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
LIFEBOOK U747 6th Gen, LIFEBOOK U757 6th Gen | FW5.61 | FW5.62 | V1.06 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
LIFEBOOK U904 | FW4.32 | FW4.34 | No Dependency | FW Update Utility | FPC48-2383-01 Infineon TPM1.2 Firmware Update V4.34
LIFEBOOK U937 | FW5.61 | FW5.62 | V1.10 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
STYLISTIC Q616 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
STYLISTIC Q616 | FW5.51 | FW5.62 | V1.12 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
STYLISTIC Q665 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
STYLISTIC Q704 | FW4.32 | FW4.34 | No Dependency | FW Update Utility | FPC48-2383-01 Infineon TPM1.2 Firmware Update V4.34
STYLISTIC Q736 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
STYLISTIC Q736 | FW5.51 | FW5.62 | V1.15 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
STYLISTIC Q737 | FW5.61 | FW5.62 | V1.11 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0
STYLISTIC Q775 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
STYLISTIC R726 | FW4.40 | FW4.43 | No Dependency | FW Update Utility | FPC48-2382-01 Infineon TPM1.2 Firmware Update V4.43.257.0
STYLISTIC R726 | FW5.61 | FW5.62 | vPro V1.18, non-vPro V1.18 | BIOS update and FW Tool (2) | FPC48-2381-01_Infineon_TPM2.0_Firmware_Update_Tool_V1.0.0

(1) Please see the FAI Mobile Downloads site for postings.
(2) The FW Tool must be used with the BIOS update, although the BIOS update can be applied separately.

WARNING:
Clearing the TPM resets it to factory defaults. All created keys will be deleted and you will therefore lose access to any data encrypted by those keys. For more detailed information regarding TPM Clear please refer also to the following Microsoft site.


* Please note that this information is subject to change without any prior notice.