TPM Firmware update

We have learned of a security vulnerability in Trusted Platform Modules (TPM) Chipset. The vulnerability causes issues with key strength, system stability and security concerns or incompatibilities. This vulnerability is not based in the operating system or any particular software but is instead based entirely on the firmware of the TPM. Once the firmware update has been applied the security keys will need to be regenerated and the system will need to be enrolled in any security services currently running.

Vulnerability location

TPM vulnerability is seen in the “Infineon” vendor product firmware based on the Trusted Computing Guidelines (TCG) family 1.2 and 2.0 and not in the TPM standard or any operating system. Many Windows security features and 3rd party software will rely on a TPMs generated keys. Microsoft has released a few ‘Windows security updates’ in an effort to work around the vulnerability by logging events and temporarily allowing generating software based security keys. If a current TPM encryption is in place it is required that you fully remove all encryption before proceeding with the TPM vulnerability remedy in order to avoid data loss or drive corruption and unavailability.

Let us begin!

1. We will start by applying the Windows OS updates. **NOTICE** Absolutely do NOT apply the TPM firmware update prior to applying Windows OS mitigation updates.

The mitigation and detection update for Windows (Posted by Microsoft on 10/26/2017):

• Addresses the vulnerability by preventing the generation of weak keys by the TPM hardware. New keys are generated using a software algorithm. Microsoft recommends that customers running systems that use affected TPM chipsets install the Windows security update as an interim measure until a firmware update is available from the system manufacturer.

• Generates event log entries when a vulnerable TPM is detected.

• Does NOT reduce BitLocker risk.

Many users already have Windows updating set to automatically install so may not need to take any action as the updates were likely downloaded and installed previously. If the system is not set to automatically receive Windows updates then the necessary updates will need to be applied manually. This can be done using the Microsoft update service and will be listed in the ‘Required updates’ field as it is not listed by Microsoft as optional if a TPM is detected in the system. 

Using the event log

All types of systems are going to be affected here including desktop, laptop, server and tablet. Anything with a TPM module manufactured by Infineon. Microsoft recommends using the following method to determine if your system is affected by the TPM vulnerability issue. 

Once the appropriate Windows update has been applied the system will begin generating Event ID 1794 in the Event Viewer after each restart of the system. Located within the Windows Logs>System. A vulnerable firmware is identified as follows:

– Type: Value

– Event Log: Windows Log>System

– Event Source: TPM-WMI

– Event ID: 1794

Once the system has been identified as ‘affected’ you can apply the firmware update. If you are unsure which firmware product to download please contact Puget Systems support and reference this article. We can pull up your order information to determine which product you have installed and point you directly to the appropriate download location.