:: This is different from the Intel ME or processor vulnerabilities ::
This guide will update your firmware to 5.63.3144.0
This guide covers Infineon TPM 1.2 and 2.0 modules, which are found in PCs, laptops and motherboards manufactured by SAGER/CLEVO, ASUS, TOSHIBA, LENOVO, FUJITSU, etc.
Background
TPM (Trusted Platform Module) is a microchip in your computer which generates and stores encryption keys. These keys are used to protect your hard disk encryption, passwords, fingerprint data, certificates, etc.
Recently a security vulnerability was discovered in TPM microchips produced by Infineon which weakens the RSA keys generated by the TPM. This allows an attacker to recover the RSA private key from the corresponding RSA public key alone.
Popular PC/laptop companies like SAGER/CLEVO, ASUS, TOSHIBA, LENOVO, FUJITSU, etc. use TPM microchips made by Infineon.
Since this is a hardware-based vulnerability, the fix requires updating the TPM firmware. Currently there is no official TPM firmware update available from SAGER/CLEVO. I have a SAGER NP9175 (CLEVO P775TM1-G) from Pro-Star which comes with the vulnerable Infineon TPM and have successfully updated my TPM firmware.
You can use this guide to check whether your system has an Infineon TPM microchip and to update its firmware.
Technical Details and Advisories
Infineon TPM Security Advisory
https://www.infineon.com/TPM-update
ADV170012 | Vulnerability in TPM could allow Security Feature Bypass
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
Vulnerability Note VU#307015
http://www.kb.cert.org/vuls/id/307015
Original TPM Vulnerability Research Document
https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf
How to check your TPM Specification Version and whether you have a vulnerable TPM
1. Using Event Viewer to check if your TPM firmware is vulnerable
Launch Event Viewer, search for events from source "TPM-WMI" and look for events marked red with "Event ID 1794". The event should look like this:
2. Using the TPM Management Console to check TPM Specification Version and TPM Firmware
Launch the TPM Management Console by running "TPM.MSC"; the "Status" section will look like this if you are vulnerable.
If Manufacturer Name is IFX and Version is 5.50.xxxx, 5.51.xxxx, 5.60.xxxx or 5.61.xxxx, then you are vulnerable and need to update your TPM firmware.
Make note of your Specification Version as it is required for the update process.
Update Process
HERE IS A GUIDE WHICH YOU SHOULD TRY AT YOUR OWN RISK. I DO NOT TAKE ANY RESPONSIBILITY IF YOUR SYSTEM NEVER BOOTS AGAIN.
1. Before proceeding, make sure you are not using BitLocker and your drives are not encrypted. This guide will reset your encryption keys/drives/fingerprints/etc!!!
2. Download https://onedrive.live.com/download?...=1E25BD0C9E57C3DA!607&authkey=ACgjjATq1YnBa8A and extract it into a folder.
3. Run the Microsoft Windows utility "TPM.MSC" and CLEAR the TPM. Windows will prompt you for a reboot.
4. Once you are back in windows, reboot again and enter BIOS
5. Clear the TPM keys in BIOS and then disable the TPM completely in BIOS, as the TPM firmware cannot be updated while the TPM is running
6. Save settings in BIOS and boot into Windows
7. Open CMD.EXE with administrative privileges and change into the folder where you extracted the downloaded file
8a. If your Specification Version is 1.2, execute "TPM1.bat" to begin the update process and go to Step 9 (skip Step 8b and Step 8c)
8b. If your Specification Version is 2.0 and your firmware version is 5.50.xxxx, execute "TPM2.bat" to begin the update process and go to Step 9 (skip Step 8c)
8c. If your Specification Version is 2.0 and your firmware version is one of 5.51.xxxx / 5.60.xxxx / 5.61.xxxx / 5.62.xxxx, execute "TPM3.bat" to begin the update process and go to Step 9 (firmware 5.50.xxxx will be updated to 5.62.3126.2)
9. The TPM firmware will be updated and a confirmation will be shown. Scroll down to the troubleshooting section if you see any errors.
10. Exit the command prompt and reboot into BIOS to enable the TPM again
11. Save settings in BIOS and boot into Windows
12. Run TPM.MSC to confirm your TPM version; it should show the updated version and the warning message should be gone. Now you can re-enter your fingerprints and start using encryption.
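The following PowerShell script is an added example, not part of the original thread or of the batch files it distributes. It automates the two checks from the "How to check" section (the TPM-WMI Event ID 1794 and the IFX manufacturer/version shown by TPM.MSC), checks the BitLocker precondition from Step 1, and, run again after Step 12 with the target version, confirms the update. It assumes Windows 10 with the built-in TrustedPlatformModule and BitLocker modules, an elevated session, and that the TPM 2.0 full version string (ManufacturerVersionFull20) and the Win32_Tpm SpecVersion field have the "5.62.3126.0" and "2.0, 0, 1.16" shapes respectively; the vulnerable version list is the one the guide gives. Only events logged since the last boot are counted, because older 1794 events stay in the System log after a successful update.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): pre-flight and post-update check for the
# Infineon TPM firmware update described in the guide.

# Firmware families the guide lists as vulnerable (major.minor prefixes).
$Script:VulnerablePrefixes = @('5.50', '5.51', '5.60', '5.61')

function Get-TpmFirmwareVersion {
    # Prefer the full TPM 2.0 string (assumed shape: 5.62.3126.0); TPM 1.2 reports
    # only ManufacturerVersion, and Full20 is then not a version string at all.
    param([Parameter(Mandatory)] $Tpm)
    foreach ($candidate in @($Tpm.ManufacturerVersionFull20, $Tpm.ManufacturerVersion)) {
        if ("$candidate" -match '^\d+\.\d+') { return "$candidate" }
    }
    return $null
}

function Test-InfineonTpmFirmware {
    [CmdletBinding()]
    param(
        # After Step 12, pass the version the batch file was supposed to install.
        [string] $ExpectedVersion
    )

    $tpm      = Get-Tpm
    $wmi      = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
    $firmware = Get-TpmFirmwareVersion -Tpm $tpm
    $prefix   = if ($firmware -match '^(\d+\.\d+)') { $Matches[1] } else { $null }
    # SpecVersion is assumed to look like "2.0, 0, 1.16" or "1.2, 2, 3";
    # the first field is the Specification Version that Step 8 asks for.
    $spec     = ("$($wmi.SpecVersion)" -split ',')[0].Trim()

    # Event 1794 from TPM-WMI is what the guide has you look for in Event Viewer.
    # Restrict to the current boot so a stale pre-update event is not reported.
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id = 1794; StartTime = $lastBoot
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Step 1: no BitLocker-protected or still-encrypted volumes may remain,
    # because clearing the TPM destroys the keys that unlock them.
    $encrypted = @(Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -or $_.ProtectionStatus -ne 'Off' })

    $isIfx      = $tpm.ManufacturerIdTxt -eq 'IFX'
    $vulnerable = $isIfx -and ($prefix -in $Script:VulnerablePrefixes)

    [pscustomobject]@{
        Manufacturer        = $tpm.ManufacturerIdTxt
        SpecVersion         = $spec
        FirmwareVersion     = $firmware
        TpmEnabled          = $tpm.TpmEnabled
        VulnerableByVersion = $vulnerable
        Event1794ThisBoot   = [bool] $evt
        EncryptedVolumes    = ($encrypted | ForEach-Object MountPoint) -join ', '
        # Safe to start the guide only when the TPM is affected and nothing depends on it.
        SafeToUpdate        = $vulnerable -and ($encrypted.Count -eq 0)
        # True once the reported firmware matches the target and no 1794 was logged at this boot.
        UpdateConfirmed     = [bool] $ExpectedVersion -and ($firmware -eq $ExpectedVersion) -and -not $evt
    }
}

# Before the update: expect VulnerableByVersion = True and an empty EncryptedVolumes.
Test-InfineonTpmFirmware | Format-List
# After the reboot that follows Step 11: expect UpdateConfirmed = True.
Test-InfineonTpmFirmware -ExpectedVersion '5.63.3144.0' | Format-List
```

If `FirmwareVersion` comes back empty, the TPM is still disabled in BIOS (Step 5 or Step 10 not completed); `TpmEnabled` will be `False` in that case, which is also the state the troubleshooting section's 0xE0295507 and 0xE0295200 errors expect you to be in while running the batch file.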
Troubleshooting
Problem: When trying to update TPM firmware, I get the following error:
Error Code: 0xE0295507
Message: TPM2.0: PlatformAuth is not the Empty Buffer. The firmware cannot be updated.
OR
Error Code: 0xE0295200
Message: No connection to the TPM or TPM not found.
Solution: You have not disabled TPM in BIOS. Clear your TPM keys and disable TPM in BIOS. Reboot and follow the process.
Problem: When running the TPM update command, I get the following error:
Error: open "TVicPort"-Driver failed !!!
Solution: This error is caused by the missing "TVicPort.sys" file. Make sure you have copied both "TPMFactoryUpd.exe" and "TVicPort.sys" to the Firmware folder.
-
Thanks for the guide! Successfully updated the TPM on P775DM3-G from 5.51.2098.0 to 5.62.3126.0
-
I have updated the guide with following changes:
Added firmware 5.63.3144.0
Added update for 5.50.xxxx firmware
Added batch files for more convenience and less confusion (don't have to copy/paste commands or type long firmware names)
Simplified guide and updated screenshots
-
Why should I even still help anyone the next time if this is always the result...hit'n'run, re-label & re-post.
Last edited: Feb 11, 2018
-
Since this thread was locked, I had to give my replies in another thread which can be viewed here and here
- In summary, this thread is not a repost and was created on 1st February with the patched firmware..the first thread/post with a TPM fix on NBR.
- Updated firmwares have since been posted in other threads.
- These TPM firmwares are the property of Infineon (manufacturer of the TPM microchips). I and the others distributing them are only doing so to help users patch their systems, adding our own scripts to make the process easier. None of us distributing these can claim to have any ownership right.
- This post was originally created to help the CLEVO/SAGER laptops with Infineon TPM microchips, but since the very same TPM microchips are being used by a lot of other manufacturers like ASUS, TOSHIBA, LENOVO, FUJITSU, etc., I have added additional firmwares to patch those systems also.
- I will keep this post updated with more firmwares as and when they are available.
Last edited: Feb 13, 2018
-
!! TPM !! SECURITY UPDATE !!
Discussion in 'Sager and Clevo' started by Qadhi79, Feb 1, 2018.