Librem13v2 TPM upgrade
I have upgraded my TPM firmware on my Librem13v2. Its keys are now safe. \o/
Back in 2017 we had the Infineon disaster (aka ROCA). I’ve written before about how bad it is and how to check whether you’re affected with a simple tool.
I TAKE NO RESPONSIBILITY IF YOU BRICK YOUR DEVICE OR FOR ANYTHING ELSE BAD HAPPENING FROM YOU FOLLOWING MY NOTES.
Before the upgrade
$ tpm_version | grep Chip
Chip Version: 1.2.4.40 # <--- Example vulnerable version
$ cbmem -c | grep Purism # I upgraded coreboot/SeaBIOS just before doing this.
coreboot-4.9-10-g123a4c6101-4.9-Purism-2 Wed Nov 13 19:54:43 UTC 2019 […]
[…]
Found mainboard Purism Librem 13 v2
Download upgrade tool
$ wget https://repo.pureos.net/pureos/pool/main/t/tpmfactoryupd/tpmfactoryupd_1.1.2459.0-0pureos9_amd64.deb
[…]
$ alien -t tpmfactoryupd_1.1.2459.0-0pureos9_amd64.deb
[…]
$ tar xfz tpmfactoryupd-1.1.2459.0.tgz
$ mv usr/bin/TPMFactoryUpd .
$ sudo systemctl stop trousers.service # Need to turn off tcsd for TPMFactoryUpd to work in its default mode.
[…]
$ ./TPMFactoryUpd -info
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 *
**********************************************************************
TPM information:
----------------
Firmware valid : Yes
TPM family : 1.2
TPM firmware version : 4.40.119.0
TPM enabled : Yes
TPM activated : Yes
TPM owner set : Yes
TPM deferred physical presence : No (Not settable)
Remaining updates : 64
Note the status of the TPM: enabled, activated, owner set, and no deferred physical presence. This is not the state we want to be in for our upgrade.
Get TPM into state ready to upgrade.
The TPM must be enabled and active. If it’s not then you need to get into your BIOS to fix that. You may need to enter from a clean power off. A “reboot” may not be enough.
There are two TPM chip states where an upgrade will work:
- Deferred physical presence is set to “yes”. You may be able to get into this state on some machines by using tpm_clear, and then rebooting. Your BIOS will then ask you “do you confirm TPM physical presence?”. I believe one of my other machines did this, but it’s been too long for me to be sure. This uses the -update tpm12-PP option with the updater. It looks like this is not possible with the Librem13v2, so I won’t talk about this option any further.
- The “Owner” must be cleared, and -update tpm12-takeownership is used with the updater.
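The two usable states above, turned into a check (an added example, not part of the original post or of Infineon's tool): it reads the text printed by TPMFactoryUpd -info on stdin and names the -update mode that state allows. The function names and the not-ready messages are assumptions made for this example; the mode names use the tpm12- spelling from the upgrade command on this page.

```shell
#!/bin/sh
# Added example (not from the original post): read `TPMFactoryUpd -info`
# output on stdin and report which -update mode the TPM state allows.

# Print one "Label : Value" field, dropping notes such as "(Not settable)".
tpm_field() {
    awk -F' *: *' -v want="$1" '
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        key == want { val = $2; sub(/[ \t]*[<(].*$/, "", val)
                      sub(/[ \t\r]+$/, "", val); print val; exit }'
}

tpm_update_mode() {
    info=$(cat)
    family=$(printf '%s\n' "$info" | tpm_field "TPM family")
    enabled=$(printf '%s\n' "$info" | tpm_field "TPM enabled")
    activated=$(printf '%s\n' "$info" | tpm_field "TPM activated")
    owner=$(printf '%s\n' "$info" | tpm_field "TPM owner set")
    pp=$(printf '%s\n' "$info" | tpm_field "TPM deferred physical presence")
    if [ "$family" != "1.2" ]; then
        echo "unsupported: these notes only cover TPM family 1.2"
    elif [ "$enabled" != "Yes" ] || [ "$activated" != "Yes" ]; then
        echo "not-ready: enable and activate the TPM in the BIOS"
    elif [ "$pp" = "Yes" ]; then
        echo "tpm12-PP"
    elif [ "$owner" = "No" ]; then
        echo "tpm12-takeownership"
    else
        echo "not-ready: owner is set, clear the TPM first"
    fi
}

# Sample input: fields as shown on this page before the TPM was cleared.
OWNED='TPM family : 1.2
TPM enabled : Yes
TPM activated : Yes
TPM owner set : Yes
TPM deferred physical presence : No (Not settable)'
# Constructed sample: same state with the owner cleared, column-aligned.
CLEARED='   TPM family                        :    1.2
   TPM enabled                       :    Yes
   TPM activated                     :    Yes
   TPM owner set                     :    No <--- correct
   TPM deferred physical presence    :    No (Not settable)'

printf '%s\n' "$OWNED" | tpm_update_mode     # owner still set
printf '%s\n' "$CLEARED" | tpm_update_mode   # ready for takeownership
```

With the functions sourced, the real output can be piped in as ./TPMFactoryUpd -info | tpm_update_mode.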
Clearing the TPM
If any of the steps fail, just continue. As long as you get to the state shown, as per TPMFactoryUpd -info, it should work fine.
- tpm_clear
- Reboot
- When the Purism screen shows, press ESC
- Press t to enter the TPM menu
- Choose c to clear the TPM
- Choose e to enable the TPM
- Choose a to activate the TPM. The machine automatically reboots
- At the grub menu, press e on your normal boot option
- Go to the end of the kernel line and add iomem=relaxed at the end
- Press F10 to boot
- Confirm TPM state is enabled, activated, owner NOT set:
$ ./TPMFactoryUpd -info
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 *
**********************************************************************
TPM information:
----------------
Firmware valid : Yes
TPM family : 1.2
TPM firmware version : 4.40.119.0
TPM enabled : Yes <--- correct
TPM activated : Yes <--- correct
TPM owner set : No <--- correct
TPM deferred physical presence : No (Not settable)
Remaining updates : 64
Upgrade
- Download and unzip the firmware.
- Upgrade the TPM
$ sudo ./TPMFactoryUpd -update tpm12-takeownership -firmware TPM12_4.40.119.0_to_TPM12_4.43.257.0.BIN
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 *
**********************************************************************
TPM update information:
-----------------------
Firmware valid : Yes
TPM family : 1.2
TPM enabled : Yes
TPM activated : Yes
TPM owner set : No
TPM deferred physical presence : No (Not settable)
TPM firmware version : 4.40.119.0
Remaining updates : 64
New firmware valid for TPM : Yes
TPM family after update : 1.2
TPM firmware version after update : 4.43.257.0
Preparation steps:
TPM1.2 Ownership preparation was successful.
DO NOT TURN OFF OR SHUT DOWN THE SYSTEM DURING THE UPDATE PROCESS!
Updating the TPM firmware ...
Completion: 100 %
TPM Firmware Update completed successfully.
- Confirm upgrade
$ ./TPMFactoryUpd -info
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 *
**********************************************************************
TPM information:
----------------
Firmware valid : Yes
TPM family : 1.2
TPM firmware version : 4.43.257.0 <--- new version
TPM enabled : Yes
TPM activated : No
TPM owner set : Yes
TPM deferred physical presence : No (Settable) <--- huh? ok
Remaining updates : 63
$ tpm_version | grep Chip
Chip Version: 1.2.4.43
- Reboot
- Press ESC, t to enter TPM menu again
- Enable & activate the TPM, reboot.
- tpm_takeownership -z
Confirming generated keys are good
Using my tool mentioned here.
$ ./check-srk
Running self test…
Size: 2048
Modulus:
2357823904823904723[…]4782347892347238913
--------------
The key is fine.
Links
For more troubleshooting, see this.
Thanks
Huge thanks to MrChromebox on #purism for the help.