
Infineon TPM Vulnerability (ROCA)
Advisory note: Infineon TPM vulnerability (Reference: CVE-2017-15361)
An academic research team has developed mathematical methods that exploit a weakness in an acceleration algorithm for prime-number finding used in Infineon's RSA key-generation library. RSA keys generated with this algorithm have a structure that is visible in the public modulus and allows the private key to be recovered from the public key with feasible computational effort for common key sizes such as 1024 and 2048 bits. The researchers named the attack ROCA ("The Return of Coppersmith's Attack").
The information below describes the vulnerability and the steps recommended by Infineon and Fujitsu that users should take to secure affected product lines.
Summary:
TPM (Trusted Platform Module) is an international standard for a secure cryptoprocessor that protects hardware by keeping cryptographic keys inside the device. A vulnerability has been discovered in Infineon TPMs running outdated firmware: the RSA key-generation routine in that firmware produces keys whose private half can be computed from the public half. This page explains how to update outdated TPM firmware. The update stops the generation of further weak keys, because the updated firmware generates RSA keys with a corrected algorithm. It does not, however, repair keys that the old firmware has already generated; those keys must still be identified, revoked and replaced. Note that the weakness lies only in the RSA key-generation routine: the TPM's key storage and its other functions are unaffected, as are non-RSA keys and keys generated elsewhere and imported into the TPM. The benefits of hardware-based encryption (operating-system independence, performance and permanence) therefore remain and should be taken into account when choosing an encryption solution.
For more detailed information please refer to the Infineon web site:
http://www.infineon.com/TPM-update
Microsoft has published additional information relating to operating systems.
For detailed information please refer to the Microsoft web site:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
Affected Products:
An overview of the affected Fujitsu products can be found here:
https://docs.ts.fujitsu.com/dl.aspx?id=73e19226-97b4-49aa-85c9-c387c86511f6
Fujitsu provides an easy-to-use Windows-based tool with which end customers can identify whether a TPM is installed in their system. If the tool finds a TPM, it shows the TPM model and firmware version. The tool can be found here: TPM Information Tool
Please note: for some affected products, the TPM was sold as an optional component. Not every system of an affected product line is therefore affected by this issue.
Technical Background Information:
The following TPM products, in combination with the firmware versions listed, are affected:
TPM1.2 - FW133.32, FW149.32 (SLB9645)
TPM1.2 - FW4.00 up to FW4.33 (SLB9655/9656)
TPM1.2 - FW4.40 up to FW4.42 (SLB9660)
TPM1.2 - FW6.00 up to FW6.42 (SLB9670)
TPM2.0 - FW5.00 up to FW5.61 (SLB9665)
TPM2.0 - FW7.00 up to FW7.61 (SLB9670)
How can I find out which TPM I am using?
Fujitsu recommends using the Windows-based tool mentioned above.
Alternatively, identify the TPM version with the Trusted Platform Module Management console for the local computer (TPM Management Console, tpm.msc). From an elevated PowerShell prompt, the Get-Tpm cmdlet reports the same manufacturer ID and manufacturer (firmware) version.
Access it by entering "tpm.msc" in the Windows search box and opening the result.
Depending on the user rights within the operating system, users might need to right-click "tpm.msc" in the search results and select "Run as administrator".
Check the following information in the "TPM Manufacturer Information" section of the console: Manufacturer Name (IFX indicates an Infineon TPM), Manufacturer Version (the firmware version) and Specification Version (1.2 or 2.0). Compare these values with the list of affected TPM models and firmware versions above.
Recommended steps:
Windows 10 (from version 1607)
A dedicated procedure is necessary to clear the TPM. Details of how this is done are described in the file "Readme.html", which is provided with the firmware update package.
For more detailed information on clearing the TPM please also refer to the following Microsoft page:
https://docs.microsoft.com/en-us/windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm
After the firmware update, the TPM generates new keys securely. Keys that the old firmware generated, however, remain stored in the TPM and continue to be used by the software products that rely on them; the update does not replace them. The only exception is a TPM 1.2 that had to be cleared before the firmware update because the owner password was not available: clearing the TPM resets it to its factory defaults and deletes every key stored inside it.
To keep your data securely encrypted, Fujitsu recommends the following steps after the firmware update:
a) Decrypt your encrypted data
b) Delete the old keys inside the TPM
c) Generate new keys
d) Encrypt your data with the new keys
For details on how to decrypt and encrypt your data, please refer to the instructions from your software vendor. Deleting the old keys while data is still protected by them (a BitLocker volume, for example) may leave that data unrecoverable without the recovery key, so step a) must be completed first.
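The key structure that the prime-finding shortcut leaves behind, and the public-key test for it, as an added example that is not Fujitsu's or Infineon's code. It reconstructs, in simplified form, the generation structure published by the ROCA researchers (primes of the form k*M + 65537^a mod M, with M a primorial), builds one modulus with that structure and one from ordinary random primes, and shows that the fingerprint check flags only the former. The same check, run over exported public keys (TPM keys, certificates, SSH or PGP keys), is how keys generated by the old firmware can be found for step b) above. The primorial size, prime sizes, Miller-Rabin bases, seed and the Mersenne-prime test modulus are illustration choices, not values from this page.

```python
"""ROCA (CVE-2017-15361) key structure and public-key fingerprint.

Added example, not Fujitsu's or Infineon's code. The affected firmware's
fast prime search, as described by the ROCA researchers, only tries
candidates of the form  p = k * M + (65537 ** a mod M), with M a primorial.
Such a p is automatically coprime to every prime in M (the "acceleration"),
but p mod r then lies in the subgroup of Z_r* generated by 65537 for every
prime r dividing M, and N = p * q inherits that property. Parameters
(39-prime M, 256-bit primes, Miller-Rabin bases, seed) are illustration choices.
"""
import random

GENERATOR = 65537
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]

# M = 2 * 3 * 5 * ... * 167, the primorial the paper gives for 512-bit keys.
M = 2
for _r in SMALL_PRIMES:
    M *= _r


def subgroup_residues(r):
    """Residues 65537^i mod r: the subgroup of Z_r* generated by 65537."""
    residues, x = set(), 1
    while x not in residues:
        residues.add(x)
        x = (x * GENERATOR) % r
    return residues


ALLOWED = {r: subgroup_residues(r) for r in SMALL_PRIMES}


def roca_failing_prime(n):
    """First small prime r with n mod r outside <65537>, or None if n has the
    ROCA structure at every prime (the fingerprint of an affected key)."""
    for r in SMALL_PRIMES:
        if n % r not in ALLOWED[r]:
            return r
    return None


def is_roca_fingerprinted(n):
    return roca_failing_prime(n) is None


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (adequate for this demonstration)."""
    if n < 2:
        return False
    for b in bases:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(rng, bits):
    """Simplified reconstruction of the affected prime search: only candidates
    k*M + 65537^a mod M are tested, so no trial division is ever needed."""
    k_bits = bits - M.bit_length()
    while True:
        a = rng.randrange(1, M)
        k = rng.randrange(1 << (k_bits - 1), 1 << k_bits)
        p = k * M + pow(GENERATOR, a, M)
        if is_probable_prime(p):
            return p


def random_prime(rng, bits):
    """Ordinary prime search over random odd candidates of the given size."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p


def demo(seed=2017):
    """Return (weak_modulus, normal_modulus), built deterministically from seed."""
    rng = random.Random(seed)
    weak = roca_style_prime(rng, 256) * roca_style_prime(rng, 256)
    normal = random_prime(rng, 256) * random_prime(rng, 256)
    return weak, normal


# Constructed negative that can be checked by hand: (2^127-1)(2^61-1) is 6 mod 11,
# whereas affected keys are 1 or 10 mod 11 (65537 is -1 mod 11).
MERSENNE_MODULUS = (2 ** 127 - 1) * (2 ** 61 - 1)

if __name__ == "__main__":
    weak, normal = demo()
    print("ROCA-structured modulus flagged:", is_roca_fingerprinted(weak))
    print("ordinary modulus flagged:", is_roca_fingerprinted(normal))
    print("hand-checked modulus fails at r =", roca_failing_prime(MERSENNE_MODULUS))
```

The check needs only the public modulus, so it can be run against every RSA public key exported from an affected system before the old keys are deleted in step b); a key that passes the fingerprint at all 38 primes was almost certainly generated by the affected firmware, while an ordinary key fails at one of the first few primes.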
Should you require any further information at this stage, please contact: G02D-psirt@fujitsu.com.