cancel
Showing results for 
Search instead for 
Did you mean: 

Asus / Infineon TPM firmware update?

lightknightrr
Level 8
So, is Asus going to issue a firmware update for the Infineon TPM modules produced under its name, in light of the recently released security bulletin from our friends at Microsoft, or is this a case where we will have to so without, or buy entirely new modules?

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012


Infineon doesn't seem to be issuing the update to the masses, when it is available. It wants to do it through OEM channels, and Asus does qualify as an OEM (Original Equipment Manufacturer).

https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160
2,037 Views
119 REPLIES 119

dyni00 wrote:
hi. i have tpm2.0 asus module http://a.co/4X8qGSb



its not possible to create admin ownership in windows 10 because firmware is not safe





tpm.msc and click on second option CLEAR TPM - reboot - and this same window CLEAR TPM..
no option to PREPARE!

but......... in uefi i turn off (disable) STORAGE HIERARCHY in SECURITY OPTION and work! PREPARE IS POSSIBLE! :cool:
but STORAGE HIERARCHY - what this. i study of 10 pages with try to explain and my head are overheat 😉

will anyone explain to me if turning off this option is crucial to secure a computer using a bitlocker?

and ASUS!!! please update firmware of this module!! :mad: im going to reddit #asustpm



Your problem is not about firmware. Yes, of course, Asus must release a firmware update, but is nothing about your problem.

Windows 10, in latest updates (i believe that since Redstone 1), dont use by default ownauth. Well, in really is used, but completely transparent for the user, TPM is autoprovisioned by Windows. If you need or want really use OwnAuth, you must configure it in group policy: Administrative Templates -> System ->Trusted Platform Module Services

About "STORAGE HIERARCHY", is a feature in TPM 2.0, if you disable it, them Windows can't use autoprovisioning, so you are forcing to use the old system (ManagedAuthLevel = Full, instead delegated), much more insecure, you are removing features from 2.0 specifications. You can force Windows to use Full AuthLevel if you need it, without removing any feature, but is not recommended,

And again, is nothing about firmware

Fahrenhe1t
Level 9
I'd like an ASUS TPM 2.0 module firmware update please.

lightknightrr
Level 8
I'd like a working TPM module, update or otherwise. Really dropping the ball here guys.

Oh, and hats off to CyberLink, who requires Intel security features to play Blu-Rays at 4K. Thanks guys.

I too am still waiting - remember we PAID for these devices, using actual money.

In case it is helpful to someone, I found a way to update my Asus TPM-M R2.0 14-1 Pin TPM Module to the latest 5.62.3126.0 firmware (previously the TPM had the 5.61.2785.0 firmware with the vulnerability).

Supermicro (a great server company) sells Infineon-based TPMs - e.g., see http://supermicro.com/products/accessories/addon/AOM-TPM-9665V.cfm. Unlike Asus (:mad:) Supermicro has issued the latest firmware security updates for their Infineon TPM modules. Their update packages appear to be general Infineon updates, so I figured it'd be worth a try to update my Asus module using one.

Note that you should only attempt this sort of update if you know what you are doing!! If you aren't adept at the command line or if this is all new to you, then DO NOT ATTEMPT THIS. YOU CAN LOSE DATA IF YOU ARE USING BITLOCKER, etc.!!!

I'll explain what I did and if you want to try with your system/TPM module you will need to adapt as appropriate for your system.

1. You can find TPM update packages by browsing to ftp://ftp.supermicro.com/driver/TPM/. In my case I looked at the various firmwares included, and the "9665FW update package_1.1.zip" bundle contained firmware that matched my Asus TPM. So be sure to pick the right update bundle for your TPM (?).

2. I completely turned OFF and disable Bitlocker and Windows Hello. You must decrypt your drive so that the TPM is NOT in use!

3. I ran "tpm.msc" and executed the "Clear TPM..." option in Action. This rebooted the machine and the Asus BIOS had me press F12 to clear the TPM.

4. After rebooting again, I then booted into the BIOS and turned the TPM completely OFF in the BIOS settings. You must completely disable Windows' use of the TPM in order to update the firmware.

5. I booted back into Windows, and extracted the firmware update package bundle. For ease of operation I then copied the Windows update executable from the "...\Tools\WinPE\Bin\x64\" directory into the "...\Firmware\" directory.

6. I then ran an Administrator command prompt, and changed to the "...\Firmware\" directory. Then I ran "TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg". The updater detected my TPM, and flash updated to the latest firmware in the bundle. Again, if you try this your command line may need to be different (use "TPMFactoryUpd.exe -?" for command line help with the tool).

70491

7. Then I rebooted back to the BIOS, turned the TPM back on, and re-enabled everything, and "tpm.msc" shows that my Asus TPM has been updated and no longer has the vulnerability.

70492

Note that the update bundle also includes a UEFI updater that you can run from the BIOS, but I didn't bother doing that because I didn't have time to figure it out.

Anyway I hope this is helpful to others!

rasmorthil wrote:
In case it is helpful to someone, I found a way to update my Asus TPM-M R2.0 14-1 Pin TPM Module to the latest 5.62.3126.0 firmware (previously the TPM had the 5.61.2785.0 firmware with the vulnerability).

Supermicro (a great server company) sells Infineon-based TPMs - e.g., see http://supermicro.com/products/accessories/addon/AOM-TPM-9665V.cfm. Unlike Asus (:mad:) Supermicro has issued the latest firmware security updates for their Infineon TPM modules. Their update packages appear to be general Infineon updates, so I figured it'd be worth a try to update my Asus module using one.

Note that you should only attempt this sort of update if you know what you are doing!! If you aren't adept at the command line or if this is all new to you, then DO NOT ATTEMPT THIS. YOU CAN LOSE DATA IF YOU ARE USING BITLOCKER, etc.!!!

I'll explain what I did and if you want to try with your system/TPM module you will need to adapt as appropriate for your system.

1. You can find TPM update packages by browsing to ftp://ftp.supermicro.com/driver/TPM/. In my case I looked at the various firmwares included, and the "9665FW update package_1.1.zip" bundle contained firmware that matched my Asus TPM. So be sure to pick the right update bundle for your TPM (?).

2. I completely turned OFF and disable Bitlocker and Windows Hello. You must decrypt your drive so that the TPM is NOT in use!

3. I ran "tpm.msc" and executed the "Clear TPM..." option in Action. This rebooted the machine and the Asus BIOS had me press F12 to clear the TPM.

4. After rebooting again, I then booted into the BIOS and turned the TPM completely OFF in the BIOS settings. You must completely disable Windows' use of the TPM in order to update the firmware.

5. I booted back into Windows, and extracted the firmware update package bundle. For ease of operation I then copied the Windows update executable from the "...\Tools\WinPE\Bin\x64\" directory into the "...\Firmware\" directory.

6. I then ran an Administrator command prompt, and changed to the "...\Firmware\" directory. Then I ran "TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg". The updater detected my TPM, and flash updated to the latest firmware in the bundle. Again, if you try this your command line may need to be different (use "TPMFactoryUpd.exe -?" for command line help with the tool).

70491

7. Then I rebooted back to the BIOS, turned the TPM back on, and re-enabled everything, and "tpm.msc" shows that my Asus TPM has been updated and no longer has the vulnerability.

70492

Note that the update bundle also includes a UEFI updater that you can run from the BIOS, but I didn't bother doing that because I didn't have time to figure it out.

Anyway I hope this is helpful to others!


Thanks this worked for me.

Thanks @RASMORTHIL this worked for me as well, now running 5.62.3126.0 and the warning is gone.

I'd previously tried finding straight-up Infineon firmware files but had no luck, the Supermicro FTP site was a great find. I didn't decrypt my drives, just suspended BitLocker, cleared the TPM, disabled it in the BIOS, next boot ran the update tool, another reboot and enabled the TPM in the BIOS, BitLocker then re-enabled itself after taking ownership on the next and final boot.

Cheers!

Lugusto wrote:
Thanks @RASMORTHIL this worked for me as well, now running 5.62.3126.0 and the warning is gone.

I'd previously tried finding straight-up Infineon firmware files but had no luck, the Supermicro FTP site was a great find. I didn't decrypt my drives, just suspended BitLocker, cleared the TPM, disabled it in the BIOS, next boot ran the update tool, another reboot and enabled the TPM in the BIOS, BitLocker then re-enabled itself after taking ownership on the next and final boot.

Cheers!


I don't think it is a good idea to just suspend since the insecure key (if the key is generated by the TPM with the old firmware it is insecure) is still the same, it is recommended to decrypt the drive, get the TPM to regenerate a new key and re-encrypt the whole drive using the new key.

Clement Chong wrote:
I don't think it is a good idea to just suspend since the insecure key (if the key is generated by the TPM with the old firmware it is insecure) is still the same, it is recommended to decrypt the drive, get the TPM to regenerate a new key and re-encrypt the whole drive using the new key.


Yes, agreed. Given the nature of the vulnerability, it's best to regenerate a new key.

The TPM is a 'protector' of the volume master key which in turn protects the software generated full-volume encryption key, which is used to encrypt data sector by sector. The vulnerability affects any TPM 1.2 (not 2.0) seal/unseal operations on the volume master key. The recovery password is also a protector of the volume master key in the same way as the TPM, this allows the volume to be decrypted in the absence of the TPM - the TPM is just an automatic way of doing this based on lots of integrity checks.

Microsoft's articles suggest suspending BitLocker, clearing the TPM, then re-enabling BitLocker as being the correct remediation process:
https://support.microsoft.com/en-ca/help/4046783/bitlocker-mitigation-plan-for-vulnerability-in-tpm
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012

Other refs:
http://www.forensicswiki.org/wiki/BitLocker_Disk_Encryption
https://technet.microsoft.com/en-us/library/2007.06.bitlocker.aspx