cancel
Showing results for 
Search instead for 
Did you mean: 

Asus / Infineon TPM firmware update?

lightknightrr
Level 7
So, is Asus going to issue a firmware update for the Infineon TPM modules produced under its name, in light of the recently released security bulletin from our friends at Microsoft, or is this a case where we will have to so without, or buy entirely new modules?

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012


Infineon doesn't seem to be issuing the update to the masses, when it is available. It wants to do it through OEM channels, and Asus does qualify as an OEM (Original Equipment Manufacturer).

https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160
186,777 Views
119 REPLIES 119

Korth
Level 14
"Firmware updates are available for Infineon`s Trusted Platform Modules (TPMs) based on TCG specification family 1.2 and 2.0 and will be rolled out to end users by device and OS manufacturers (e.g. hardware OEMs such as PC manufacturers)."

The potential security vulnerability is correctable through motherboard/platform firmware updates. Which will rolled out to end users through the motherboard/platform manufacturers. So yes, ASUS will likely lump this security update, as needed, into their subsequent BIOS updates.

Infineon might have produced the code fix (for their Infineon TPM parts) but they do not produce firmware for motherboards. The TPMs themselves cannot have their core firmware reflashed/updated, removable TPMs can be replaced, embedded TPMs stay soldered on board. And "the masses" aren't aware of TPMs anyhow, unless perhaps they run BitLocker, so Infineon leaves deployment of this fix to the "OEM channels" (motherboard and laptop manufacturers) "the masses" already know.

Consumers who've obtained TPM-secured platforms through "other OEM channels" will have to update through those same "other OEM channels".

It's all explained in the two links you provided.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

lightknightrr
Level 7
Asus / Infineon TPM modules:

https://www.amazon.com/Asus-Accessory-Module-Connector-Motherboard/dp/B01EU542SG/ref=sr_1_2?ie=UTF8&...

https://www.amazon.com/Asus-TPM-M-R2-0-14-1-Module/dp/B01DQQLH74/ref=sr_1_3?ie=UTF8&qid=1508132451&s...

And supposedly TPMs can be upgraded.

BIOS update for firmware-based TPM sounds awesome (I'm using a TPM module), just a minor problem for other motherboards which don't have that option (like the KGPE-D16), and are reliant on TPM modules.

Korth
Level 14
There's many different kinds of TPMs. The whole point is that they're unique and "unhackable" cryptomodules, "one-of-a-kind" keys which sometimes also contain part of the lock mechanism. The ones I'm familiar with cannot be reflashed, by design, so there's no chance their firmware can be compromised by an attacker. Other types exist and some of these might have flashable firmwares.

The exact technical details of this exploit are not public. The summarized vulnerability metrics show that this is a pre-emptive "official fix" for a "highly confidential" "highly technical" "proof-of-concept" "low overall threat" network exploit. Specifically noted to not affect Windows Clients unless they run BitLocker, and already corrected by Microsoft in all affected consumer Windows versions except Win7 (which still needs the firmware security update). It's basically not a consumer issue and primarily affects only HP, Lenovo, Fujitsu, and WinMagic enterprise products - unless, as a consumer, you obtained an Infineon TPM meant to be deployed in these specific enterprise platforms.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

Korth wrote:
There's many different kinds of TPMs. The whole point is that they're unique and "unhackable" cryptomodules, "one-of-a-kind" keys which sometimes also contain part of the lock mechanism. The ones I'm familiar with cannot be reflashed, by design, so there's no chance their firmware can be compromised by an attacker. Other types exist and some of these might have flashable firmwares.

The exact technical details of this exploit are not public. The summarized vulnerability metrics show that this is a pre-emptive "official fix" for a "highly confidential" "highly technical" "proof-of-concept" "low overall threat" network exploit. Specifically noted to not affect Windows Clients unless they run BitLocker, and already corrected by Microsoft in all affected consumer Windows versions except Win7 (which still needs the firmware security update). It's basically not a consumer issue and primarily affects only HP, Lenovo, Fujitsu, and WinMagic enterprise products - unless, as a consumer, you obtained an Infineon TPM meant to be deployed in these specific enterprise platforms.


This is partly accurate, but I'm not sure you understand the group of affected users here. As the OP showed above, ASUS manufactures TPMs that are vulnerable to this exploit. HP, Lenovo, Fujitsu, etc aren't the only affected platforms, they are just the manufacturers who have acknowledged the vulnerability and are working on updating their firmware with Infineon's fix. It's not accurate to say that this isn't a consumer issue, and these TPMs are certainly not only meant to be deployed in those specific enterprise platforms. Microsoft has a workaround in place, but it's not a fix. ASUS needs to update the firmware on their motherboards with TPM slots to address this.

CodeSlicer wrote:
This is partly accurate, but I'm not sure you understand the group of affected users here. As the OP showed above, ASUS manufactures TPMs that are vulnerable to this exploit. HP, Lenovo, Fujitsu, etc aren't the only affected platforms, they are just the manufacturers who have acknowledged the vulnerability and are working on updating their firmware with Infineon's fix. It's not accurate to say that this isn't a consumer issue, and these TPMs are certainly not only meant to be deployed in those specific enterprise platforms. Microsoft has a workaround in place, but it's not a fix. ASUS needs to update the firmware on their motherboards with TPM slots to address this.


Absolutely.

Any TPM user, use TPM for security reasons, so security is pretty important. Whether businesses or home users. We talked about a vulnerability that broke the very utility of the TPM module. Asus update its obligatory.

lightknightrr
Level 7
Fair enough.

+1
same here, absolutely, we need a TPM firmware upgrade for discrete TPMs

Korth
Level 14
@CodeSlicer, @Theliel -

I suppose I should agree, lol. As long as ASUS still maintains warranty on motherboards which use these TPMs they should provide active support for the latest TPM security updates. But updating EOL ASUS motherboards would be optional, not required.

That being said, ASUS may elect not to do so unless they consider potential liability issues too risky or too costly.

Proof-of-concept hack vs my TPM, proof-of-concept hack vs my IME, in-the-wild hack vs my WiFi, another nasty broken new Windows build ... what an insecure world, lol.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

Korth wrote:
@CodeSlicer, @Theliel -

I suppose I should agree, lol. As long as ASUS still maintains warranty on motherboards which use these TPMs they should provide active support for the latest TPM security updates. But updating EOL ASUS motherboards would be optional, not required.

That being said, ASUS may elect not to do so unless they consider potential liability issues too risky or too costly.

Proof-of-concept hack vs my TPM, proof-of-concept hack vs my IME, in-the-wild hack vs my WiFi, another nasty broken new Windows build ... what an insecure world, lol.


Yes... some bad "times" for security... at least, IME was already solvied, and WPA2 too (for some/many vendors).

I do not know to it would be viable for ASUS to upgrade all motherboards with dTPM modules, but it really should not be complicated. If I remember well, ASUS only has 3-4 different TPM modules, and in principle there should be no problems in launching a tool to update only the TPM Modules themselves, without the need for a Bios Update. So in theory, maybe we can see a "generic" tool or couple of them, to update affected dTPM