Infineon Tpm
Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack.
Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack. TPM stands for Trusted Platform Module (TPM), which is. The purpose of this software is to update the firmware of Infineon Technologies Trusted Platform Module v2.0. Procedure WARNING: Before starting this update, it is strongly recommended that you backup your computer. If you are required to clear the TPM owner, note that the TPM will be reset back to factory defaults and you will lose created. Global Trusted Platform Module (TPM) Market By Type (TPM 1.2, TPM 2.0), By Application (Mobile Security, Automotive, Banking, Transport, Pay TV & ID, Wearable, Security in IoT Connectivity, Others), By Region and Key Companies - Industry Segment Outlook, Market Assessment, Competition Scenario, Trends and Forecast 2019–2028. This guide is for Infineon TPM 1.2 and 2.0 which is found in PCs, laptops and motherboards manufactured by SAGER/CLEVO, ASUS, TOSHIBA, LENOVO, FUJITSU, etc. Background TPM (Trusted Platform Module) is a microchip in your computer which generates and stores encryption keys.
TPM stands for Trusted Platform Module (TPM), which is an international standard for secure cryptoprocessors that are used to store critical data such as passwords, certificates, and encryption keys.
At the hardware level, TPMs are dedicated microcontrollers that co-exist on the main system board (motherboard) and provide hardware isolation and generate and store artifacts used to authenticate the platform, such as passwords, certificates, or encryption keys.
Vulnerability affects only Infineon TPMs
According to a security alert issued by Infineon last week, a vulnerability in the Infineon TPM firmware results in the generation of weak RSA keys. Only Infineon TPMs based on the TCG specification family 1.2 and 2.0 are affected.
The vulnerability allows for an attack on RSA1024 and RSA2048, and affects chips manufactured as early as 2012. RSA encryption works by encrypting data with a dual private and public key. The attack allows an attacker to determine the private key.
Infineon, a German semiconductor company, is one of the many TPM vendors currently used in production, so not all motherboards are affected.
Infineon issued a firmware update last week and has forwarded the update to motherboard vendors which are now working on integrating the Infineon TPM firmware update into all their products.
Long list of affected vendors
TPMs are typically used in business laptops, routers, embedded and IoT devices. Known affected vendors include Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba, and other smaller Chromebook vendors.
'The information in this security bulletin should be acted upon as soon as possible,' says HP in a security alert issued today.
'The vulnerability weakens public key resistance against attacks that are used to deduce the corresponding [RSA] private key,' said Fujitsu in a similar alert.
'RSA public keys generated by the Infineon TPM for use by certain software programs should be considered insecure,' said Lenovo. 'Only software that uses RSA keys generated by the TPM is affected by this vulnerability.'
The three vendors are working on pushing out firmware updates, and they've published lists of affected products that use Infineon TPMs in their respective advisories.
OS vendors issue 'workarounds'
Microsoft and Google have also issued security updates that mitigate the flaw.
Microsoft categorized its updates as a 'workaround' that try to prevent exploitation. Users will have to check if their motherboard uses an Infineon TPM chipset and manually apply the firmware update when available, for each affected product.
The update is mitigated in different ways per Windows version. Points 8, 9, 10 in the Microsoft Advisory 170012 describes how each Windows version is affected and how users can protect themselves.
Chromebooks devices are also affected. Google has published a list of affected Chromebooks in a security advisory here. The company has also issued Chrome OS M60 to mitigate the flaw. Again, Google has released only a workaround and users will have to look for motherboard updates from their vendors.
Google also puts the vulnerability in perspective, explaining that normal users do not fit in the vulnerability's threat vector, but the issue could be exploited for targeted attacks on high-value targets.
'The currently known exploits are computationally expensive,' Google says. 'TPM-generated RSA keys can't be broken at large scale, but targeted attacks are possible. To summarize: There exists a practical attack against TPM-generated RSA keys, but it doesn't allow large-scale exploitation of Chrome OS devices.'
Users will need to regenerate passwords, access tokens
Until motherboard vendors issue a new firmware update to include Infineon's TPM fix, the general recommendation is to move critical users and data handling operations to devices that have updated firmware or to devices not affected by this vulnerability.
Once users have received the firmware update, they should regenerate all TPM keys. This is done by changing all passwords for TPM-enabled apps.
Because it is hard to know what apps and OS features use the TPM, users can reset the TPM module by typing TPM.MSC in their Windows Search/Run field and resetting the TPM from there. More instructions are available in this Technet article.
UPDATE [October 16, 13:10 ET]: Post publication, the team behind this research has published a website with extra information on the attack, codenamed ROCA (Return of Coppersmith's Attack), and a website to test if RSA keys are vulnerable to the ROCA attack. A research paper will also be presented later this month at the ACM CCS security conference. The research paper will be named 'The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli,' and is authored by researchers from the IT Security Lab at Faculty of Informatics, Masaryk University, Czech Republic.
Related Articles:
The information below includes a description of the vulnerability and details steps recommended by Infineon and Fujitsu that users should take to secure affected product lines.
Summary:
A vulnerability in Infineon TPM hardware has been discovered recently with outdated TPM firmware using an algorithm that generates weaker RSA keys. This page provides information on how to update outdated TPM firmware.
For more detailed information please refer to the Infineon web site:
http://www.infineon.com/TPM-update
Microsoft has published additional information relating to operating systems. For detailed information please refer to the Microsoft web site: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
Affected Products:
An overview of the Fujitsu affected products can be found here:
Model Name | Original | Updated | Update Type | Release Date |
---|---|---|---|---|
LIFEBOOK E544 LIFEBOOK E554 | FW4.32 | FW4.34 | FW Update Utility | Feb. 2018 |
LIFEBOOK E546 LIFEBOOK E556 (come with TPM1.2) | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
LIFEBOOK E546 LIFEBOOK E556 (come with TPM2.0) | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK E547 LIFEBOOK E557 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK E734 LIFEBOOK E744 LIFEBOOK E754 | FW4.32 | FW4.34 | FW Update Utility | Feb. 2018 |
LIFEBOOK E736 LIFEBOOK E746 LIFEBOOK E756 (come with TPM1.2) | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
LIFEBOOK E736 LIFEBOOK E746 LIFEBOOK E756 (come with TPM2.0) | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK P727 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK S904 | FW4.32 | FW4.34 | FW Update Utility | Feb. 2018 |
LIFEBOOK S935 | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
LIFEBOOK S936 (come with TPM1.2) | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
LIFEBOOK S936 (come with TPM2.0) | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK S937 | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK T725 | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
LIFEBOOK T726 | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK T734 | FW4.32 | FW4.34 | FW Update Utility | Feb. 2018 |
LIFEBOOK T904 | FW4.32 | FW4.34 | FW Update Utility | Feb. 2018 |
LIFEBOOK T935 | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
LIFEBOOK T936 | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK T937 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK U536 (come with TPM1.2) | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
LIFEBOOK U536 (come with TPM2.0) | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK U537 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK UH554 LIFEBOOK UH574 | FW4.32 | FW4.34 | FW Update Utility | Feb. 2018 |
LIFEBOOK U727 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK U745 | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK U747 LIFEBOOK U757 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
LIFEBOOK U937 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
Model Name | Original | Updated | Update Type | Release Date |
---|---|---|---|---|
STYLISTIC Q616 | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
STYLISTIC Q665 | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
STYLISTIC Q704 | FW4.32 | FW4.34 | FW Update Utility | Feb. 2018 |
STYLISTIC Q736 | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
STYLISTIC Q737 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
STYLISTIC Q775 | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
STYLISTIC R726 (come with TPM1.2) | FW4.40 | FW4.43 | FW Update Utility | Available for W7 & W10, W8.1 Dec 2017 |
STYLISTIC R726 (come with TPM2.0) | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
Infineon Tpm Slb 9665 Tpm2.0
Model Name | Original | Updated | Update Type | Release Date |
---|---|---|---|---|
CELSIUS H730 | FW4.32 | FW4.34 | FW Update Utility | Feb. 2018 |
CELSIUS H760 | FW5.51 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
CELSIUS H770 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
CELSIUS H970 | FW5.61 | FW5.62 | BIOS update and FW Tool*2 | Jan. 2018 |
Infineon Tpm Professional Package Uninstall
*1: Dates are subject to change
*2: The FW Tool must be used with BIOS update, although the BIOS update can be applied separately.
CELSIUS (WorkStation) | Please refer to the following site. http://support.ts.fujitsu.com/content/intel_firmware_SA86.asp |
---|---|
ESPRIMO (Desktop) | |
FUTRO (Thin Client) |
Fujitsu is providing an easy to use Windows-based tool for end customers to identify whether a TPM is installed in their system. If the tool finds a TPM in the system, then it will show the relevant TPM and firmware version. This tool can be found here: TPM Information Tool
Please note: for some affected products, TPM was sold as an optional component. This means that not all systems are affected by this issue.
Recommended steps:
- Consult the list of affected Fujitsu systems.
- Before updating the TPM firmware, please make sure that you save your encryption keys, decrypt all your encrypted data and backup to an external storage device, to avoid any data loss.
For Notebook or Tablet to download the respective TPM firmware update package for your system, please go to the Fujitsu support page and perform the following steps:
1. Select “Product Type”.
2. Select “Series”.
3. Select “Model”.
4. Select “OS”.
5. Download and install the latest BIOS or TPM firmware update package from the “BIOS“ section.
For Desktop and Workstation and ThinClient, please go to Fujitsu support page and follow the instructions.
For inquiries related to this issue, please contact the following dedicated hotline:WARNING: Clearing the TPM resets it to factory defaults. All created keys will be deleted and you will therefore lose access to any data encrypted by those keys.
Infineon Tpm 2.0
For more detailed information regarding TPM Clear please refer also to the following Microsoft site:
https://docs.microsoft.com/en-us/windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm