cancel
Showing results for 
Search instead for 
Did you mean: 

Asus / Infineon TPM firmware update?

lightknightrr
Level 8
So, is Asus going to issue a firmware update for the Infineon TPM modules produced under its name, in light of the recently released security bulletin from our friends at Microsoft, or is this a case where we will have to so without, or buy entirely new modules?

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012


Infineon doesn't seem to be issuing the update to the masses, when it is available. It wants to do it through OEM channels, and Asus does qualify as an OEM (Original Equipment Manufacturer).

https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160
1,810 Views
119 REPLIES 119

Hi CodeSlicer,
Sorry if my comments seem to diverge from the thread, but everything I mentioned has happened since the installation of the TPM on a R5E10. I have a C6H that hand the TPM installed before the October Microsoft patch. It is not experiencing the same problems.
To answer your question, I have activated “LocalGroup Policy and appropriate biometric settings to allow the connection of Windows Hello and facial recognition hardware, but when I go to Sign-in options I see the comment: “Windows Hello isn’t available on this device.” So I guess I ran into an error.
The problems with Windows Hello are not germane to this thread, but removing the TPM is. Before deactivating in the UEFI and physically removing it I also cleared it. I have no way to set up a password or ownership (the original process I went through was: I installed the chip and the computer immediately booted into windows when I turned it on. I verified that it was installed first via TPM.msc, and after that I shut down and looked in the UEIF and saw that the chip was installed and enabled; no problem was reported in the UEFI. I suspect this to be a Firmware problem manifesting in a unique way involving the TPM and Windows 10.
This computer runs with a UEFI and I have never seen a reference to BIOS. I have created and then installed image backups a few times on this computer and have never seen a reference to BIOS. I don’t know about TPM and locking hardware if it does not match to the last accepted value, but I think I have seen something about BIOS and this operation. When it comes to this I have no idea what is going on and I do apologize if this is chaff tossed into the Firmware update need discussion.
Perhaps I am doing damage to this threads by branching out with tangents that I suspect are related. What I think we can all agree on is that the Asus TPM-M R2.0 (14-1 pin chip) has a problem and either needs a firmware update or replacement and is not fixed by Microsoft’s temporary patch.
I am starting a new thread to reduce my perhaps inappropriate digressions.
Asus TPM-M R2.0 (14-1 pin chip) https://rog.asus.com/forum/showthread.php?97287-Asus-TPM-M-R2-0-(14-1-pin-chip)&p=685174#post685174

Hi,

I have an ASUS TPM Module (https://www.amazon.co.uk/FW3-19-Trusted-Platform-Hardware-Security/dp/B007V9RQLY) which reports itself as v3.19:

PS C:\WINDOWS\system32> get-tpm

TpmPresent : True
TpmReady : True
ManufacturerId : 1229346816
ManufacturerVersion : 3.19
ManagedAuthLevel : Delegated
OwnerAuth :
OwnerClearDisabled : True
AutoProvisioning : Enabled
LockedOut : False
LockoutCount : Not Supported for TPM 1.2
LockoutMax : Not Supported for TPM 1.2
SelfTest : {191, 191, 245, 191...}


I went through the checks issued by Microsoft here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

* I do not have any entries in my system log
* tpm.msc does not report the tpm as vunerable
* I ran the powershell script provided by Microsoft and got the following reponse:

PS C:\users\joe\Desktop> ./check
This Infineon firmware version 3.19 TPM is safe.


I also ran this script here: https://github.com/iadgov/Detect-CVE-2017-15361-TPM/blob/master/windows/Detect-CVE-2017-15361-TPM.ps...

PS C:\users\joe\Downloads> .\Detect-CVE-2017-15361-TPM.ps1
False


Am I just lucky that I've got any ancient version that is not vulnerable? The only way to truly test is to generate some key pairs with the tpm and run them through the tester online but I haven't figured out how to do this yet.

Joe456 wrote:
Hi,

I have an ASUS TPM Module (https://www.amazon.co.uk/FW3-19-Trusted-Platform-Hardware-Security/dp/B007V9RQLY) which reports itself as v3.19:

PS C:\WINDOWS\system32> get-tpm

TpmPresent : True
TpmReady : True
ManufacturerId : 1229346816
ManufacturerVersion : 3.19
ManagedAuthLevel : Delegated
OwnerAuth :
OwnerClearDisabled : True
AutoProvisioning : Enabled
LockedOut : False
LockoutCount : Not Supported for TPM 1.2
LockoutMax : Not Supported for TPM 1.2
SelfTest : {191, 191, 245, 191...}


I went through the checks issued by Microsoft here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

* I do not have any entries in my system log
* tpm.msc does not report the tpm as vunerable
* I ran the powershell script provided by Microsoft and got the following reponse:

PS C:\users\joe\Desktop> ./check
This Infineon firmware version 3.19 TPM is safe.


I also ran this script here: https://github.com/iadgov/Detect-CVE-2017-15361-TPM/blob/master/windows/Detect-CVE-2017-15361-TPM.ps...

PS C:\users\joe\Downloads> .\Detect-CVE-2017-15361-TPM.ps1
False


Am I just lucky that I've got any ancient version that is not vulnerable? The only way to truly test is to generate some key pairs with the tpm and run them through the tester online but I haven't figured out how to do this yet.



In first instance, Vulnerability only affect to Infineon TPM, not others manufacturers.
In second instance, only certain FW versions:

4.0 - 4.33, 4.40 - 4.42
5.0 - 5.61 (My case)
6.0 - 6.42
7.0 - 7.61
133.0 - 133.32

In your case:

ManufacturerId : 1229346816 = Infineon, You meet the first requirement
ManufacturerVersion : 3.19 = Safe, you don't meet the second requirement, your FW is fine.

Korth
Level 14
Not lucky. The firmware vulnerability/exploit does not affect all TPMs or all platforms. It doesn't even affect all the ASUS platforms being discussed in this thread, yours included.

I'm not saying this is a trivial security breach which can or should be casually dismissed. But the reality for most of us is that it really is a non-issue.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

no1yak
Level 8
The problem is that Asus doesn't care. The number of people that use TPM moduals is so small that they cannot be bothered to fix it. The product is not fit for use.
When Asus puts their name on anything they have a duty to make sure that product works as it should. The fix is out there Asus, now do something about it.

I have also bought an TPM-M 2.0 module from Asus.

Windows 10 event viewer (system logs) and tpm.msc is telling me that this module has a security issue in the firmware. Windows tells me to contact the manufacturer for updated firmware. Is Asus working on this or not?

goran69 wrote:
I have also bought an TPM-M 2.0 module from Asus.

Windows 10 event viewer (system logs) and tpm.msc is telling me that this module has a security issue in the firmware. Windows tells me to contact the manufacturer for updated firmware. Is Asus working on this or not?


In theory, yes, ASUS send me a mail with some info, but without any estimated timeline

Theliel wrote:
In theory, yes, ASUS send me a mail with some info, but without any estimated timeline


Thanks. Well then, let's wait and see whats most plausible. New firmware or buy a new fixed module. I talked to the store that sold the module to me and they want to be sure future deliveries of modules are fixed as customers are somewhat aware of this. As it is right now most stock are sold out over here, maybe ASUS has stopped all deliveries temporarily.

lightknightrr
Level 8
Any movement on this?>

hi. i have tpm2.0 asus module http://a.co/4X8qGSb



its not possible to create admin ownership in windows 10 because firmware is not safe





tpm.msc and click on second option CLEAR TPM - reboot - and this same window CLEAR TPM..
no option to PREPARE!

but......... in uefi i turn off (disable) STORAGE HIERARCHY in SECURITY OPTION and work! PREPARE IS POSSIBLE! :cool:
but STORAGE HIERARCHY - what this. i study of 10 pages with try to explain and my head are overheat 😉

will anyone explain to me if turning off this option is crucial to secure a computer using a bitlocker?

and ASUS!!! please update firmware of this module!! :mad: im going to reddit #asustpm