Infineon Tpm

Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack.

Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack. TPM stands for Trusted Platform Module (TPM), which is. The purpose of this software is to update the firmware of Infineon Technologies Trusted Platform Module v2.0. Procedure WARNING: Before starting this update, it is strongly recommended that you backup your computer. If you are required to clear the TPM owner, note that the TPM will be reset back to factory defaults and you will lose created. Global Trusted Platform Module (TPM) Market By Type (TPM 1.2, TPM 2.0), By Application (Mobile Security, Automotive, Banking, Transport, Pay TV & ID, Wearable, Security in IoT Connectivity, Others), By Region and Key Companies - Industry Segment Outlook, Market Assessment, Competition Scenario, Trends and Forecast 2019–2028. This guide is for Infineon TPM 1.2 and 2.0 which is found in PCs, laptops and motherboards manufactured by SAGER/CLEVO, ASUS, TOSHIBA, LENOVO, FUJITSU, etc. Background TPM (Trusted Platform Module) is a microchip in your computer which generates and stores encryption keys.

Infineon Tpm

TPM stands for Trusted Platform Module (TPM), which is an international standard for secure cryptoprocessors that are used to store critical data such as passwords, certificates, and encryption keys.

At the hardware level, TPMs are dedicated microcontrollers that co-exist on the main system board (motherboard) and provide hardware isolation and generate and store artifacts used to authenticate the platform, such as passwords, certificates, or encryption keys.

Vulnerability affects only Infineon TPMs

According to a security alert issued by Infineon last week, a vulnerability in the Infineon TPM firmware results in the generation of weak RSA keys. Only Infineon TPMs based on the TCG specification family 1.2 and 2.0 are affected.

The vulnerability allows for an attack on RSA1024 and RSA2048, and affects chips manufactured as early as 2012. RSA encryption works by encrypting data with a dual private and public key. The attack allows an attacker to determine the private key.

Infineon, a German semiconductor company, is one of the many TPM vendors currently used in production, so not all motherboards are affected.

Infineon issued a firmware update last week and has forwarded the update to motherboard vendors which are now working on integrating the Infineon TPM firmware update into all their products.

Long list of affected vendors

TPMs are typically used in business laptops, routers, embedded and IoT devices. Known affected vendors include Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba, and other smaller Chromebook vendors.

'The information in this security bulletin should be acted upon as soon as possible,' says HP in a security alert issued today.

'The vulnerability weakens public key resistance against attacks that are used to deduce the corresponding [RSA] private key,' said Fujitsu in a similar alert.

'RSA public keys generated by the Infineon TPM for use by certain software programs should be considered insecure,' said Lenovo. 'Only software that uses RSA keys generated by the TPM is affected by this vulnerability.'

The three vendors are working on pushing out firmware updates, and they've published lists of affected products that use Infineon TPMs in their respective advisories.

OS vendors issue 'workarounds'

Microsoft and Google have also issued security updates that mitigate the flaw.

Microsoft categorized its updates as a 'workaround' that try to prevent exploitation. Users will have to check if their motherboard uses an Infineon TPM chipset and manually apply the firmware update when available, for each affected product.

The update is mitigated in different ways per Windows version. Points 8, 9, 10 in the Microsoft Advisory 170012 describes how each Windows version is affected and how users can protect themselves.

Chromebooks devices are also affected. Google has published a list of affected Chromebooks in a security advisory here. The company has also issued Chrome OS M60 to mitigate the flaw. Again, Google has released only a workaround and users will have to look for motherboard updates from their vendors.

Google also puts the vulnerability in perspective, explaining that normal users do not fit in the vulnerability's threat vector, but the issue could be exploited for targeted attacks on high-value targets.

'The currently known exploits are computationally expensive,' Google says. 'TPM-generated RSA keys can't be broken at large scale, but targeted attacks are possible. To summarize: There exists a practical attack against TPM-generated RSA keys, but it doesn't allow large-scale exploitation of Chrome OS devices.'

Infineon

Users will need to regenerate passwords, access tokens

Until motherboard vendors issue a new firmware update to include Infineon's TPM fix, the general recommendation is to move critical users and data handling operations to devices that have updated firmware or to devices not affected by this vulnerability.

Once users have received the firmware update, they should regenerate all TPM keys. This is done by changing all passwords for TPM-enabled apps.

Because it is hard to know what apps and OS features use the TPM, users can reset the TPM module by typing TPM.MSC in their Windows Search/Run field and resetting the TPM from there. More instructions are available in this Technet article.

UPDATE [October 16, 13:10 ET]: Post publication, the team behind this research has published a website with extra information on the attack, codenamed ROCA (Return of Coppersmith's Attack), and a website to test if RSA keys are vulnerable to the ROCA attack. A research paper will also be presented later this month at the ACM CCS security conference. The research paper will be named 'The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli,' and is authored by researchers from the IT Security Lab at Faculty of Informatics, Masaryk University, Czech Republic.

Related Articles:

The information below includes a description of the vulnerability and details steps recommended by Infineon and Fujitsu that users should take to secure affected product lines.

Summary:

A vulnerability in Infineon TPM hardware has been discovered recently with outdated TPM firmware using an algorithm that generates weaker RSA keys. This page provides information on how to update outdated TPM firmware.

For more detailed information please refer to the Infineon web site:
http://www.infineon.com/TPM-update

Microsoft has published additional information relating to operating systems. For detailed information please refer to the Microsoft web site: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

Affected Products:
An overview of the Fujitsu affected products can be found here:

LIFEBOOK
Model Name

Original
Version

Updated
Version

Update Type

Release Date

LIFEBOOK E544
LIFEBOOK E554
FW4.32FW4.34FW Update UtilityFeb. 2018
LIFEBOOK E546
LIFEBOOK E556
(come with TPM1.2)
FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
LIFEBOOK E546
LIFEBOOK E556
(come with TPM2.0)
FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK E547
LIFEBOOK E557
FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK E734
LIFEBOOK E744
LIFEBOOK E754
FW4.32FW4.34FW Update UtilityFeb. 2018
LIFEBOOK E736
LIFEBOOK E746
LIFEBOOK E756
(come with TPM1.2)
FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
LIFEBOOK E736
LIFEBOOK E746
LIFEBOOK E756
(come with TPM2.0)
FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK P727FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK S904FW4.32FW4.34FW Update UtilityFeb. 2018
LIFEBOOK S935FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
LIFEBOOK S936
(come with TPM1.2)
FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
LIFEBOOK S936
(come with TPM2.0)
FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK S937FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK T725FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
LIFEBOOK T726FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK T734FW4.32FW4.34FW Update UtilityFeb. 2018
LIFEBOOK T904FW4.32FW4.34FW Update UtilityFeb. 2018
LIFEBOOK T935FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
LIFEBOOK T936FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK T937FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK U536
(come with TPM1.2)
FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
LIFEBOOK U536
(come with TPM2.0)
FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK U537FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK UH554
LIFEBOOK UH574
FW4.32FW4.34FW Update UtilityFeb. 2018
LIFEBOOK U727FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK U745FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK U747
LIFEBOOK U757
FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
LIFEBOOK U937FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
STYLISTIC
Model Name

Original
Version

Updated
Version

Update Type

Release Date

STYLISTIC Q616FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
STYLISTIC Q665FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
STYLISTIC Q704FW4.32FW4.34FW Update UtilityFeb. 2018
STYLISTIC Q736FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
STYLISTIC Q737FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
STYLISTIC Q775FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
STYLISTIC R726
(come with TPM1.2)
FW4.40FW4.43FW Update UtilityAvailable for W7 & W10,
W8.1 Dec 2017
STYLISTIC R726
(come with TPM2.0)
FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018

Infineon Tpm Slb 9665 Tpm2.0

CELSIUS (Mobile)
Model Name

Original
Version

Updated
Version

Update Type

Release Date

CELSIUS H730FW4.32FW4.34FW Update UtilityFeb. 2018
CELSIUS H760FW5.51FW5.62BIOS update and FW Tool*2Jan. 2018
CELSIUS H770FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018
CELSIUS H970FW5.61FW5.62BIOS update and FW Tool*2Jan. 2018

Infineon Tpm Professional Package Uninstall

*1: Dates are subject to change
*2: The FW Tool must be used with BIOS update, although the BIOS update can be applied separately.

CELSIUS (WorkStation)Please refer to the following site.
http://support.ts.fujitsu.com/content/intel_firmware_SA86.asp
ESPRIMO (Desktop)
FUTRO (Thin Client)

Fujitsu is providing an easy to use Windows-based tool for end customers to identify whether a TPM is installed in their system. If the tool finds a TPM in the system, then it will show the relevant TPM and firmware version. This tool can be found here: TPM Information Tool

Please note: for some affected products, TPM was sold as an optional component. This means that not all systems are affected by this issue.

Recommended steps:

  • Consult the list of affected Fujitsu systems.
  • Before updating the TPM firmware, please make sure that you save your encryption keys, decrypt all your encrypted data and backup to an external storage device, to avoid any data loss.

For Notebook or Tablet to download the respective TPM firmware update package for your system, please go to the Fujitsu support page and perform the following steps:

1. Select “Product Type”.
2. Select “Series”.
3. Select “Model”.
4. Select “OS”.
5. Download and install the latest BIOS or TPM firmware update package from the “BIOS“ section.

For Desktop and Workstation and ThinClient, please go to Fujitsu support page and follow the instructions.

For inquiries related to this issue, please contact the following dedicated hotline:

WARNING: Clearing the TPM resets it to factory defaults. All created keys will be deleted and you will therefore lose access to any data encrypted by those keys.

Infineon Tpm 2.0

For more detailed information regarding TPM Clear please refer also to the following Microsoft site:
https://docs.microsoft.com/en-us/windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm