Fujitsu

Österreich

  1. Home
  2. Support

Infineon TPM Vulnerability (ROCA)

Advisory note: Infineon TPM vulnerability (Reference: CVE-2017-15361)

Recently, an academic research team developed advanced mathematical methods to analyze and exploit weaknesses in acceleration algorithms for prime number finding, which are commonly used today for RSA secure key generation.
The information below includes a description of the vulnerability and details the steps recommended by Infineon and Fujitsu that users should take to secure affected product lines.
(ROCA: “The Return of Coppersmith's Attack”)

Summary:
TPM (Trusted Platform Module) is an international standard for a secure crypto processor, used to secure hardware through the integration of cryptographic keys into devices.
A vulnerability in Infineon TPM hardware has been discovered recently with outdated TPM firmware using an algorithm that generates weaker RSA keys. This page provides information on how to update outdated TPM firmware. Updating the TPM firmware prevents the generation of weak TPM keys - after the update, the TPM will generate keys using an improved hardware algorithm. However, it will also still be necessary to revoke weak TPM keys that were generated by the outdated firmware.

Please note that while this discovery is noteworthy, the vulnerability does not negate the benefits of hardware encryption, as these do not depend on algorithm generation. Overall, the historical benefits of hardware encryption (OS independence, performance and permanence) remain and should be taken into account when deciding an encryption solution.

For more detailed information please refer to the Infineon web site:
http://www.infineon.com/TPM-update

Microsoft has published additional information relating to operating systems.

For detailed information please refer to the Microsoft web site:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

Affected Products:
An overview of the Fujitsu affected products can be found here:
http://docs.ts.fujitsu.com/dl.aspx?id=73e19226-97b4-49aa-85c9-c387c86511f6

Fujitsu is providing an easy to use Windows-based tool for end customers to identify whether a TPM is installed in their system. If the tool finds a TPM in the system, then it will show the relevant TPM and firmware version. This tool can be found here:TPM Information Tool

Please note: for some affected products, TPM was sold as an optional component. This means that not all systems are affected by this issue.

Technical Background Information:
The following TPM products in combination with the Firmware are affected:
TPM1.2 - FW133.32, FW149.32 (SLB9645)
TPM1.2 - FW4.00 up to FW4.33 (SLB9655/9656)
TPM1.2 - FW4.40 up to FW4.42 (SLB9660)
TPM1.2 - FW6.00 up to FW6.42 (SLB9670)
TPM2.0 - FW 5.00 up to FW5.61 (SLB9665)
TPM2.0 - FW7.00 up to FW7.61 (SLB9670)

How can I find out which TPM I am using?

Fujitsu recommends using the Windows based tool (as mentioned above).:

Alternatively, identify the TPM version by using the Trusted Platform Module Management on Local Computer (TPM Management Console).

Access it by
  • Clicking Start
  • typing tpm.msc in the Search box
  • then pressing “Enter
This displays the TPM manufacturer information.

Depending on the actual user rights within the operating system, users might need to right-click on “tpm.msc” within the search results and then select “Start as Administrator”.



Check the following information:

Vendor information:“IFX”, “Infineon” or “Infineon Technologies AG” will indicate that you are using an Infineon TPM
TPM Version:“1.2” or “2.0” - this will indicate the type of update you need
Manufacturer Version:This will tell you the firmware version – please use the list of affected products above to see whether your firmware version requires an update and how to execute the update.


Recommended steps:
  1. Consult the list of affected Fujitsu systems. This provides an overview of affected Fujitsu systems.
    Or
    Check whether your system is equipped with an affected Infineon TPM (see above for the procedure)
  2. Before updating the TPM firmware, please make sure that you save your encryption keys, decrypt all your encrypted data and backup to an external storage device, to avoid any data loss.
  3. Download and install the suitable TPM firmware update package for your system. The correct update procedure for each system is noted in the list of the affected Fujitsu products. The list also includes the direct link to download the individual firmware update packages.

    Alternatively, to install and download the respective firmware update package, please go to the Fujitsu Support page http://support.ts.fujitsu.com/ and take the following steps:
    => Select “Browse For Product”.
    => Select your “product line”.
    => Select your “product group” and “product family”.
    => Select your operating system.
    => Download and install the latest TPM firmware update package from the section “Driver” – “TPM”
  4. Important information for TPM 1.2:
    For the TPM 1.2 firmware update, the Owner Password is required. If the Owner Password is not stored by the operating system then you need to know the Owner Password or you have a valid Owner Password Backup File. If the Owner Password is not stored by the operating system and you do not have a valid Owner Password Backup File, or you do not know the Owner Password, you must clear the TPM. You will be able to take ownership again later on.

    WARNING: Clearing the TPM resets it to factory defaults. All created keys will be deleted and you will therefore lose access to any data encrypted by those keys.

    How to clear TPM 1.2:

        Windows 7, 8.1, 10 (up to Windows 10 version 1607):
    1. Please close all applications before proceeding, as the system needs to reboot during the clearing process.
    2. Click Start
    3. type tpm.msc in the Search box then press “Enter”
    4. Press the button “Clear TPM…” on the right side under “Actions”


    5. The system needs to reboot. Please make sure that you have saved all your data and close all running applications before pressing the “Restart” button.


    6. A message will display after the reboot. Please confirm the execution of the TPM clear process either by pressing “F12” or the “Yes” button (depending on the system).
    7. If the TPM clear process has completed successfully, a notification will show (only for Windows 7, 8.1, 10 (up to version 1607)).
    8. If Windows starts the TPM Wizard automatically, press “Cancel”.
    9. The TPM firmware update procedure can now be executed.
Windows 10 (from version 1607)

A dedicated procedure is necessary to clear the TPM. Details of how this can be done are described in the file “Readme.html”, which is provided with the firmware update package.

For more detailed information regarding TPM Clear please refer also to the following Microsoft site:

https://docs.microsoft.com/en-us/windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm

After the TPM firmware update, the TPM Chip will generate new secure keys. Nevertheless, even after the firmware update, old “weak” keys are still stored within the TPM chip and will continue to be used by related software products. The only exception is if the TPM 1.2 was cleared before the firmware update due to a missing Owner Password. Clearing the TPM resets it to its factory default and deletes all keys stored inside the TPM.

To encrypt your data in a safe way, Fujitsu recommends the following steps after the firmware update:

a)   Decrypt your encrypted data
b)   Delete the old keys inside the TPM
c)   Generate new keys
d)   Encrypt your data with the new keys



For details how to decrypt / encrypt your data, please refer to the instructions from your software vendor.


Should you require any further information at this stage, please contact: G02D-psirt@ts.fujitsu.com.