Updating a vulnerable TPM
An unsigned long long time
ago, a mass amount of TPMs and smartcards were hit by a flaw in the Infineon codebase. They have released an update, but still, we can see unpatched modules in the wild.
Who uses discrete TPMs nowadays? LUKS, Windows Hello, BitLocker, OpenSSH through p11? I see that SSH CA signing with p11 isn't really uncommon, people may fall for TPMs if there's one avail. The rise of fTPM may remedy and eventually exterminate the need of dTPMs, but until this moment, it doesn't. So we are stuck with TPM 1.2/2.0 devices, and we gotta patch'em all.
Update
The large majority of oem updates are intended for Windows administrators only, the remainders however assumes that you can reboot the server to a UEFI command line.
We will do it in this Linux way.
I found this random updater code on Github, not only it includes the infamous google patch, but also does it patched up to the OpenSSL 1.1:
https://github.com/iavael/infineon-firmware-updater
It could be frustrating to get the actual firmware, mine is a supermicro, it's not as hard as a HP, but they changed download base url from ftp://ftp.supermicro.com
to https://www.supermicro.com/wftp
Therefore, the old link
ftp://ftp.supermicro.com/wftp/driver/TPM
becomes
https://www.supermicro.com/wftp/driver/TPM
Compiling TPMFactoryUpd
This is simple as of early 2020.
git clone https://github.com/iavael/infineon-firmware-updater
cd infineon-firmware-updater/TPMFactoryUpd
make
It compiles to a single binary TPMFactoryUpd
, and you are ready.
Upgrade Path
If you have ls'd the Firmware dir, you'll find quite a mess:
License_FW_Images.pdf TPM20_5.0.1089.2_to_TPM20_5.62.3126.2.BIN TPM20_5.61.2785.0_to_TPM12_4.43.258.0.BIN
TPM12_4.40.119.0_to_TPM12_4.43.257.0.BIN TPM20_5.50.2022.0_to_TPM20_5.62.3126.2.BIN TPM20_5.61.2785.0_to_TPM20_5.62.3126.0.BIN
TPM12_4.40.119.0_to_TPM12_4.43.258.0.BIN TPM20_5.50.2022.2_to_TPM20_5.62.3126.2.BIN TPM20_5.61.2785.0_to_TPM20_5.63.3144.0.BIN
TPM12_4.40.119.0_to_TPM20_5.62.3126.0.BIN TPM20_5.51.2098.0_to_TPM12_4.43.257.0.BIN TPM20_5.61.2785.2_to_TPM20_5.62.3126.2.BIN
TPM12_4.40.119.0_to_TPM20_5.63.3144.0.BIN TPM20_5.51.2098.0_to_TPM12_4.43.258.0.BIN TPM20_5.61.2789.0_to_TPM12_4.43.257.0.BIN
TPM12_4.42.132.0_to_TPM12_4.43.257.0.BIN TPM20_5.51.2098.0_to_TPM20_5.62.3126.0.BIN TPM20_5.61.2789.0_to_TPM12_4.43.258.0.BIN
TPM12_4.42.132.0_to_TPM12_4.43.258.0.BIN TPM20_5.51.2098.0_to_TPM20_5.63.3144.0.BIN TPM20_5.61.2789.0_to_TPM20_5.62.3126.0.BIN
TPM12_4.42.132.0_to_TPM20_5.62.3126.0.BIN TPM20_5.51.2098.2_to_TPM20_5.62.3126.2.BIN TPM20_5.61.2789.0_to_TPM20_5.63.3144.0.BIN
TPM12_4.42.132.0_to_TPM20_5.63.3144.0.BIN TPM20_5.60.2561.2_to_TPM20_5.62.3126.2.BIN TPM20_5.62.3126.0_to_TPM12_4.43.257.0.BIN
TPM12_4.43.257.0_to_TPM12_4.43.258.0.BIN TPM20_5.60.2677.0_to_TPM12_4.43.257.0.BIN TPM20_5.62.3126.0_to_TPM12_4.43.258.0.BIN
TPM12_4.43.257.0_to_TPM20_5.62.3126.0.BIN TPM20_5.60.2677.0_to_TPM12_4.43.258.0.BIN TPM20_5.62.3126.0_to_TPM20_5.63.3144.0.BIN
TPM12_4.43.257.0_to_TPM20_5.63.3144.0.BIN TPM20_5.60.2677.0_to_TPM20_5.62.3126.0.BIN TPM20_5.63.3144.0_to_TPM12_4.43.258.0.BIN
TPM12_4.43.257.0_to_TPM20_5.80.2910.2.BIN TPM20_5.60.2677.0_to_TPM20_5.63.3144.0.BIN TPM20_latest.cfg
TPM12_4.43.258.0_to_TPM20_5.63.3144.0.BIN TPM20_5.60.2677.2_to_TPM20_5.62.3126.2.BIN TPMFactoryUpd.efi
TPM12_latest.cfg TPM20_5.61.2785.0_to_TPM12_4.43.257.0.BIN TPMFactoryUpd.log
This is for the 9665 module, it ships with a config file, which it supports converting a 1.2 module to 2.0, which is very good.
But for the 9655 module, there's only one option:
License_FW_Images.pdf
TPM12_4.32.879.0_to_TPM12_4.34.1010.2.BIN TPM12_4.33.949.0_to_TPM12_4.34.1010.2.BIN TPM12_latest.cfg TPMFactoryUpd.efi
Update to the latest.
Upgrading Process
The .cfg
files can be directly supplied to TPMFactoryUpd
supplying it to TPMFactoryUpd -config
as a argument.
If you take a look inside those files, both uses takeownership mode for updating.
If you are using 1.2 module, you should stop anything else from locking it. Like tcsd
systemctl stop trousers.service
sudo ./TPMFactoryUpd -update -firmware ## insert file with full path here
It has progress bar, which is nice.
Only error during update is saved to TPMFactoryUpd.log