Silvenga / comments.silvenga.com

Hosts the comments for Silvenga.com.
MIT License

upgrading-firmware-infineon-tpm/ #4

Open utterances-bot opened 4 years ago

utterances-bot commented 4 years ago

Upgrading the Firmware on Infineon TPM's

Upgrading the Infineon TPM firmware on Asus (and friends) motherboards.

https://silvenga.com/upgrading-firmware-infineon-tpm/

andykirwin commented 4 years ago

Looks like a great guide but the Supermicro FTP link doesn't seem to work anymore. Any chance you can host a copy of the files?

Silvenga commented 4 years ago

I could, if I had a copy. 😹

I'm hoping this is a transient error, a lot of drivers/firmwares are hosted on that FTP. I've reached out to SuperMicro.

Silvenga commented 4 years ago

SuperMicro got back to me impressively fast - post updated with new site. Thanks @andykirwin!

andykirwin commented 4 years ago

Thanks. This worked perfectly, great guide! Used it to downgrade one of the ASUS branded TPMs from 2.0 to 1.2 and the latest firmware. My motherboard would only support the 1.2 variety.

azagramac commented 3 years ago

Thanks for the tutorial, and those of us who have Linux?

My hardware: TPM2.0_S Gigabyte (SLB9665) Motherboard Aorus X570 Elite, BIOS version F31l OS: Ubuntu 20.04.1

andykirwin commented 3 years ago

@AzagraMac Try https://www.supermicro.com/wftp/driver/TPM/TPM_FU_v1.01.2529.00_ToolsOnly_Linux_SourceCode.tar.gz. There is a Readme.txt file in there with instructions. Not tried it myself.

Silvenga commented 3 years ago

No idea @AzagraMac, I don't use TPM's on Linux, since secure boot is incredibly questionable - which means I can't trust the TPM sealing the keys correctly. I generally have all my servers run Windows hypervisors if I need hardware encryption that's protected by a TPM.

Out of curiosity - what are you using the TPM for under Linux?

azagramac commented 3 years ago

@Silvenga Well 2 functions I have to use TPM, one is to encrypt a partition... and that the TPM has the keys to the /home partition, and the other is hardware requirement of the work client, for security issues the computer must have TPM enabled and working in order to connect to the corporate network of the work.

maurice-w commented 3 years ago

I found this excellent blog post while trying to figure out how to update my laptop's TPM from 1.2 to 2.0 (because Windows 11).

Don't.

The Infineon tool performed its job flawlessly: Checked the current firmware version, selected the correct image, flashed it successfully. After the next reboot, the laptop was bricked irreversibly. Stuck in an endless reset loop during early hardware initialization. My guess is that the UEFI firmware lacks TPM 2.0 support and crashes when trying to communicate with it.

There is no-one to blame but me. Just don't make the same mistake.

I'm going shopping now.

[Update] I disassembled the laptop and manually pulled the TPM's reset pin to ground. Turned the laptop on and it booted! Then released the reset pin and used the Infineon tool to flash TPM 1.2 firmware. Success! Well, mostly. The laptop boots normally, but I can't take ownership of the TPM anymore. Maybe I've triggered some anti-tampering mechanism. [/Update]

Silvenga commented 3 years ago

Oh, whoa. Good to know!

davidlieberman commented 3 years ago

Thank you so much @Silvenga for this excellent walkthrough! Following the steps above on my Asus X99 board, I was able to update my SLB9665 from 5.62.3126.0 to 5.63.3144.0, and everything worked brilliantly!

My Asus Z97 board though hasn't gotten a BIOS update to support TPM2.0 yet, so on my other SLB9665 module I needed to revert from 5.62.3126.0 to 4.43.258.0, downgrading to TPM1.2 for it to show up in BIOS. There were a few minor complications with this that I figured I'd document in case it helps someone else.

-- Simply running .\TPMFactoryUpd.exe -update config-file -config TPM12_latest.cfg throws "The current TPM firmware version is already up to date!" and errors out; instead, I was able to downgrade with .\TPMFactoryUpd.exe -update tpm20-emptyplatformauth -firmware TPM20_5.62.3126.0_to_TPM12_4.43.258.0.BIN

-- After downgrading from TPM2.0 to TPM1.2, I got what I think might be the same ownership errors @maurice-w ran into above:

Error detected:
Final code: 0xE0295511
Final message: TPM1.2: The TPM is disabled or deactivated. The firmware cannot be updated.
    Module: CommandFlow_TpmUpdate.c; Function: CommandFlow_TpmUpdate_PrepareTPM12Ownership; Line: 1070
    Code: 0xE0295511
    Message: Take Ownership failed!
    Module: CommandFlow_TpmUpdate.c; Function: CommandFlow_TpmUpdate_PrepareTPM12Ownership; Line: 994
    Code: 0xE0280007
    Message: Read Public Endorsement Key failed!
    Reason: TPM_DISABLED: The TPM is disabled.

Run Disable-TpmAutoProvisioning from an elevated Powershell. Reboot to BIOS and enable TPM. Boot to Windows and use tpm.msc to Clear TPM and reboot. Then from Powershell Enable-TpmAutoProvisioning and reboot. Not sure if every one of these steps is strictly necessary, but afterwards "TPM is not ready for use" changed to "TPM is ready for use" in tpm.msc, and resolved the above TPMFactoryUpd.exe Take Ownership error that would throw when I would try and update. And about that...

-- When on 4.43.258.0, running .\TPMFactoryUpd.exe -update config-file -config TPM12_latest.cfg doesn't return "The current TPM firmware version is already up to date!" like it does on 5.62.3126.0, but updates all the way to 5.63.3144.0 🙄. Had to redo the entire process over again to get back to 4.43.258.0 and TPM1.2 🤣

But in the end, everything turned out perfectly: X99 w/ TPM2.0 5.63.3144.0 and Z97 w/ TPM1.2 4.43.258.0!

montye35 commented 2 years ago

Please, I want help!! After upgrading my TPM from 1.2 to 2.0

PS C:\Windows\system32> Get-Tpm

    TpmPresent                : False
    TpmReady                  : False
    TpmEnabled                : False
    TpmActivated              : False
    TpmOwned                  : False
    RestartPending            : False
    ManufacturerId            : 0
    ManufacturerIdTxt         :
    ManufacturerVersion       :
    ManufacturerVersionFull20 :
    ManagedAuthLevel          : Full
    OwnerAuth                 :
    OwnerClearDisabled        : True
    AutoProvisioning          : NotDefined
    LockedOut                 : False
    LockoutHealTime           :
    LockoutCount              :
    LockoutMax                :
    SelfTest                  :

and not working !!

any fix for that??

sandrotan commented 2 years ago

Nice tutorial but it seems not everything applies to my case. First of all I am upgrading a TPM 1.2 card. I found the necessary files, but it seems I am stuck in a conundrum where I can have TPM disabled and with no owner but the firmware upgrade can't happen because it's disabled, or otherwise I can have it enabled and it always comes up with an owner, even if I cleared TPM. What should I do?

My TPMFactoryUpd.exe -info result is:


davidlieberman commented 2 years ago

@sandrotan If I'm remembering correctly, what you're describing are the same kind of "permissions issues" mentioned above, which I managed to resolve via the later steps outlined in my previous comment.

felipemottan commented 2 years ago

Hi,

I have a AsRock X99 Extreme6/ac motherboard and I bought an Infineon TPM 2.0 (SLB9665TT20) 18-pin module to use with. Its original firmware version was 5.51.2098.0. I've run the update like the tutorial and everything was fine, updating the firmware to version 5.63.3144.0. However, after rebooting my system to enable TPM on UEFI, the TPM is not recognized by the BIOS anymore, so I'm not able to enable it again.

Before the update I'd run the TPMFactoryUpd.exe -info and the result was:

   TPM information:
   ----------------
   Firmware valid                    :    Yes
   TPM family                        :    2.0
   TPM firmware version              :    5.51.2098.0
   TPM platformAuth                  :    Empty Buffer
   Remaining updates                 :    64

After the update I ran the TPMFactoryUpd.exe -info and the result now is:

   TPM information:
   ----------------
   Firmware valid                    :    Yes
   TPM family                        :    2.0
   TPM firmware version              :    5.63.3144.0
   TPM platformAuth                  :    Empty Buffer
   Remaining updates                 :    63

Does anyone know what I can do to make it work again with my motherboard?

UPDATE 1:

I figured it out! I only cleared CMOS so the TPM module was recognized by the UEFI again. Afterwards, I could enable it again. The motherboard BIOS is really buggy. Now the TPM is working fine on Windows 11 (version 5.63.3144.0), although the Windows still alerts me the TPM needs a firmware update.

UPDATE 2:

After weeks digging through the internet, I found another site with newer Infineon TPM binaries. Password for the files is in the website disclaimer. Using this same tutorial, I've managed to upgrade the TPM to version 5.63.3353.0, which, according to Windows 11, is not a vulnerable firmware.

   TPM information:
   ----------------
   Firmware valid                    :    Yes
   TPM family                        :    2.0
   TPM firmware version              :    5.63.3353.0
   TPM platformAuth                  :    Not Empty Buffer
   Remaining updates                 :    60

Brutus3691 commented 2 years ago

Hi. I have been working on this update for FW 5.0.1089 to 5.62.3126 which is in the 1.5 update package I received from Infineon. Here is the resulting output:

PS C:\Windows\system32\9665FW update package_1.5\workspace> .\TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg


And the output from the logfile:

Infineon Technologies AG TPMFactoryUpd Version 01.01.2212.00 [2022-04-20 16:26:42.896]

Error detected:
Final code: 0xE0295518
Final message: Could not find a firmware image to update the configured target firmware version.
    Module: CommandFlow_TpmUpdate.c; Function: CommandFlow_TpmUpdate_ProceedUpdateConfig; Line: 1559
    Code: 0xE0295518
    Message: No firmware image found to update the current TPM firmware. (.\TPM20_5.0.1089.2_to_TPM20_5.63.3144.0.BIN)

The FW image file is there in the update package. I have made two attempts and done a bit of reading to try and solve this myself, but I am lost. I also have not been able to clear the TPM through the BIOS or through windows. Would it help to try to downgrade then upgrade as davidlieberman outlined in a recent post. Also, felipemottan, the file from the download you linked is password protected, I can't begin to guess it, any help there? Thanks in advance for your response.

felipemottan commented 2 years ago

> Hi. I have been working on this update for FW 5.0.1089 to 5.62.3126 which is in the 1.5 update package I received from Infineon. Here is the resulting output:
>
> PS C:\Windows\system32\9665FW update package_1.5\workspace> .\TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg
>
>   • Infineon Technologies AG TPMFactoryUpd Ver 01.01.2212.00 *
>
>   • Error Information *
>
> Error Code: 0xE0295518
> Message: Could not find a firmware image to update the configured target firmware version.
>
> See the log file (TPMFactoryUpd.log) for further information.
>
> And the output from the logfile:
>
> Infineon Technologies AG TPMFactoryUpd Version 01.01.2212.00 [2022-04-20 16:26:42.896]
>
> Error detected:
> Final code: 0xE0295518
> Final message: Could not find a firmware image to update the configured target firmware version.
>     Module: CommandFlow_TpmUpdate.c; Function: CommandFlow_TpmUpdate_ProceedUpdateConfig; Line: 1559
>     Code: 0xE0295518
>     Message: No firmware image found to update the current TPM firmware. (.\TPM20_5.0.1089.2_to_TPM20_5.63.3144.0.BIN)
>
> The FW image file is there in the update package. I have made two attempts and done a bit of reading to try and solve this myself, but I am lost. I also have not been able to clear the TPM through the BIOS or through windows. Would it help to try to downgrade then upgrade as davidlieberman outlined in a recent post. Also, felipemottan, the file from the download you linked is password protected, I can't begin to guess it, any help there? Thanks in advance for your response.

There are some steps you should follow to upgrade your TPM firmware:

1 - To clear the TPM, first you must disable TPM Auto Provisioning (run Disable-TPMAutoProvisioning in PowerShell as administrator). Afterwards, you clear the TPM using Windows, reboot to UEFI and disable it. After the TPM update, enable the TPM Auto Provisioning again (Enable-TPMAutoProvisioning), so Windows can provide it automatically and generate another key.

2 - In some cases, the config file TPM20_latest.cfg doesn't do its job, and you must upgrade the TPM by choosing the correct file yourself. See @davidlieberman's post as reference and choose the firmware suitable to your TPM, paying attention to your current version. You don't have to downgrade your TPM from 2.0 to 1.2, unless your motherboard does not support the 2.0 version. Check it first. I guess in your case, the command will be this:

.\TPMFactoryUpd.exe -update tpm20-emptyplatformauth -firmware TPM20_5.0.1089.2_to_TPM20_5.62.3126.2.BIN

3 - The password for the zip file containing the TPM binaries I've mentioned is available in the website disclaimer.

4 - Sometimes you must clear CMOS so the UEFI can recognize the TPM module.

Brutus3691 commented 2 years ago

Hello again. I have run into a different problem with a different PC (an MSI motherboard with TPM 1.2 support). I am working on downgrading a 2.0 module with current firmware 5.62.3126.2 to whatever latest 1.2 firmware. Posted below are the responses from TPMFactoryupd.exe-

PS C:\Windows\system32\9665FW update package_1.5\workspace> .\TPMFactoryUpd.exe -update tpm20-emptyplatformauth -firmware TPM20_5.62.3126.0_to_TPM12_4.43.257.0.BIN


Error detected:
Final code: 0xE0295517
Final message: An invalid value was passed on the command line option.
    Module: CommandFlow_TpmUpdate.c; Function: CommandFlow_TpmUpdate_ProceedUpdateConfig; Line: 1371
    Code: 0xE0295517
    Message: The config file 'TPM20_5.63.3126.0_to_TPM12_4.43.257.0.BIN' does not exist

Infineon Technologies AG TPMFactoryUpd Version 01.01.2212.00 [2022-05-05 18:53:27.223]

Error detected:
Final code: 0xE0295516
Final message: The firmware image cannot be used to update this TPM (decrypt key mismatch).
    Module: CommandFlow_TpmUpdate.c; Function: CommandFlow_TpmUpdate_IsTpmUpdatableWithFirmware; Line: 201
    Code: 0xE0295516
    Message: The provided firmware image is not valid for the TPM. (0xE0295516)

So my question is: is it going to be possible to "downgrade" firmware when there is a version mismatch? Is there a way to determine which firmware file might work? There is no firmware image to do this I just tried the two (3126.0 to 257.0 or 258.0 of the 1.2 FW) that were closest to the current firmware. Any help will be appreciated. Thanks

felipemottan commented 2 years ago

> Hello again. I have run into a different problem with a different PC (an MSI motherboard with TPM 1.2 support). I am working on downgrading a 2.0 module with current firmware 5.62.3126.2 to whatever latest 1.2 firmware. Posted below are the responses from TPMFactoryupd.exe-
>
> PS C:\Windows\system32\9665FW update package_1.5\workspace> .\TPMFactoryUpd.exe -update tpm20-emptyplatformauth -firmware TPM20_5.62.3126.0_to_TPM12_4.43.257.0.BIN
>
>   • Infineon Technologies AG TPMFactoryUpd Ver 01.01.2212.00 *
>    TPM update information:
>    -----------------------
>    Firmware valid                    :    Yes
>    TPM family                        :    2.0
>    TPM firmware version              :    5.62.3126.2
>    Remaining updates                 :    63
>    New firmware valid for TPM        :    No
>   • Error Information *
>
> Error Code: 0xE0295516
> Message: The firmware image cannot be used to update this TPM (decrypt key mismatch).
>
> and from the log file:
>
> Infineon Technologies AG TPMFactoryUpd Version 01.01.2212.00 [2022-05-05 18:36:36.647]
>
> Error detected:
> Final code: 0xE0295517
> Final message: An invalid value was passed on the command line option.
>     Module: CommandFlow_TpmUpdate.c; Function: CommandFlow_TpmUpdate_ProceedUpdateConfig; Line: 1371
>     Code: 0xE0295517
>     Message: The config file 'TPM20_5.63.3126.0_to_TPM12_4.43.257.0.BIN' does not exist
>
> Infineon Technologies AG TPMFactoryUpd Version 01.01.2212.00 [2022-05-05 18:53:27.223]
>
> Error detected:
> Final code: 0xE0295516
> Final message: The firmware image cannot be used to update this TPM (decrypt key mismatch).
>     Module: CommandFlow_TpmUpdate.c; Function: CommandFlow_TpmUpdate_IsTpmUpdatableWithFirmware; Line: 201
>     Code: 0xE0295516
>     Message: The provided firmware image is not valid for the TPM. (0xE0295516)
>
> So my question is: is it going to be possible to "downgrade" firmware when there is a version mismatch? Is there a way to determine which firmware file might work? There is no firmware image to do this I just tried the two (3126.0 to 257.0 or 258.0 of the 1.2 FW) that were closest to the current firmware. Any help will be appreciated. Thanks

@Brutus3691 Unfortunately, you must have the binary file matching your current firmware version, otherwise it will not be possible to upgrade or downgrade.

txigreman commented 1 year ago

Thanks a lot! I've purchased a "new" (supposedly) TPM module, and it came with FW version 5.0.1089.2. I've managed to update it, and now it works like a charm.

KickerGreen commented 1 year ago

Found IFX fw 540.1971.0/2 here update first http://dl2.epsondirect.co.jp/support/tpm/tpm_fw_5_62_td160e.zip

update to latest 5.62

enjoy

KickerGreen commented 1 year ago

where is Fw 5.63.3353.2 link download but note code Zero - "0" and only "2" ?

KickerGreen commented 1 year ago

guide how downgrade to TPM1.2 ?

Brutus3691 commented 1 year ago

I don't think it is possible to roll back to a version 1.2 FW. The packages I have seen do not include a path from a 5.62.3126.2 to any older FW.
"Unfortunately, you must have the binary file matching your current firmware version, otherwise it will not be possible to upgrade or downgrade." ([felipemottan](https://github.com/felipemottan))

maurice-w commented 1 year ago

@KickerGreen All ".2" versions are FIPS compliant TPM 2.0 firmware. There is no way to go back from FIPS to non-FIPS. There is no FIPS compliant TPM 1.2 firmware, so unfortunately you're out of luck.

KickerGreen commented 1 year ago

So it doesn't convert "2" to "0"

maurice-w commented 1 year ago

@KickerGreen Correct. Converting ".2" to ".0" is impossible.
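
The matching rule from the comments above (an image applies only when its source version equals the TPM's current firmware version, last field included), as an added example that is not part of the thread or of Infineon's tooling. The function names are hypothetical; the file-name pattern and the sample values are assumptions taken from the image names and `-info` output quoted in this thread.

```powershell
# Added example: pick the firmware image that fits the TPM's current version.
# Function names are hypothetical; sample data is constructed from the thread.

function Get-TpmInfoFromText {
    # Pulls family and firmware version out of "TPMFactoryUpd.exe -info" text.
    param([Parameter(Mandatory)][string]$InfoText)
    if ($InfoText -notmatch 'TPM family\s*:\s*(\d+\.\d+)') {
        throw 'No "TPM family" line in the -info output.'
    }
    $family = $Matches[1]
    if ($InfoText -notmatch 'TPM firmware version\s*:\s*(\d+(?:\.\d+){3})') {
        throw 'No "TPM firmware version" line in the -info output.'
    }
    [pscustomobject]@{ Family = $family; Version = $Matches[1] }
}

function Test-TpmFirmwareImage {
    param(
        [Parameter(Mandatory)]$Current,
        [Parameter(Mandatory)][string[]]$ImageName
    )
    # Naming seen in the thread: TPM<family>_<from>_to_TPM<family>_<to>.BIN
    $pattern = '^TPM(\d)(\d)_(\d+(?:\.\d+){3})_to_TPM(\d)(\d)_(\d+(?:\.\d+){3})\.BIN$'
    $build   = { param($v) ($v -split '\.')[0..2] -join '.' }  # drop last field

    foreach ($name in $ImageName) {
        if ($name -notmatch $pattern) { continue }   # skip unrelated files
        $fromFamily = '{0}.{1}' -f $Matches[1], $Matches[2]
        $fromVer    = $Matches[3]
        $toFamily   = '{0}.{1}' -f $Matches[4], $Matches[5]
        $toVer      = $Matches[6]

        # Usable only when family and all four version fields match the TPM.
        $usable = ($fromFamily -eq $Current.Family) -and ($fromVer -eq $Current.Version)
        $note = if ($usable -and $toFamily -ne $Current.Family) {
            "Changes the TPM family to $toFamily; confirm the board firmware supports it."
        } elseif ($usable) {
            'Source version matches this TPM.'
        } elseif ((& $build $fromVer) -eq (& $build $Current.Version)) {
            'Same build but different last field (.0 vs .2); not valid for this TPM.'
        } else {
            'Written for a different source version.'
        }
        [pscustomobject]@{
            Image = $name; Usable = $usable; Target = "TPM $toFamily $toVer"; Note = $note
        }
    }
}

# Constructed sample input, modelled on output and file names quoted in the thread.
$infoText = @'
   TPM information:
   ----------------
   Firmware valid                    :    Yes
   TPM family                        :    2.0
   TPM firmware version              :    5.62.3126.2
   Remaining updates                 :    63
'@
$images = @(
    'TPM20_5.62.3126.0_to_TPM12_4.43.257.0.BIN',
    'TPM20_5.62.3126.0_to_TPM12_4.43.258.0.BIN',
    'TPM20_5.0.1089.2_to_TPM20_5.62.3126.2.BIN'
)
# On a real system: $infoText = & .\TPMFactoryUpd.exe -info | Out-String
#                   $images   = (Get-ChildItem -Filter *.BIN).Name
$current = Get-TpmInfoFromText -InfoText $infoText
Test-TpmFirmwareImage -Current $current -ImageName $images | Format-List
```

An image reported as usable with a family change still depends on the board firmware supporting the target family, which the comments above report as the cause of boards no longer detecting the module.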

KickerGreen commented 1 year ago

There is another suggestion, programming the LPC to SPi TPM IFX via the USB CH43 prog ?

cheyo2 commented 1 year ago

Hello, I would like to know if it is possible to update a TPM 1.2 specification version 3.17 to TPM 2.0, since it does not appear in the packages in the post and I need to update it. Is there another place where there are older TPM updates?

Silvenga commented 1 year ago

@cheyo2 I doubt it, that's not a security update, that's a much larger update that requires better hardware in the TPM.

maurice-w commented 1 year ago

@cheyo2 Firmware version 3.17 indicates an SLB9635 TPM, which is different from the SLB9660 discussed here. The SLB9635 is an older chip which can't be updated to TPM 2.0, unlike the SLB9660.

AndreLOWestphal commented 5 months ago

Can you help me? I'm getting this error:

Error Code: 0xE029550B
Message: TPM1.2: The TPM has an owner. The firmware cannot be updated.

See the log file (TPMFactoryUpd.log) for further information.

Silvenga commented 5 months ago

@AndreLOWestphal I don't remember the nuances of how Windows takes ownership of the TPM (which is typically done automatically). The ultimate solution would be to clear the TPM first, resetting ownership.

So I would try:

AndreLOWestphal commented 5 months ago

Thanks for the help, I can do it, but I have a new problem: in tpm.msc my TPM is not active, and in the BIOS, when I set Enable and restart my PC, the TPM's configuration doesn't appear, nothing. Do you know what happened? Any solution?

maurice-w commented 5 months ago

@AndreLOWestphal Did you update your TPM 1.2 to a newer firmware or did you convert it to TPM 2.0?

AndreLOWestphal commented 5 months ago

But now with this new problem I don't know what to do, when I do a Get-Tpm, it gives me the perfect TPM and everything else, however, when I activate the TPM slot in the BIOS it doesn't appear for me, neither in the BIOS nor in Security Windows 11. I simply don't have access, I will remove it and replace it to see if anything changes. I'm waiting for the Aliexpress resellers too, to see if they can find a solution, otherwise I'll return it.

maurice-w commented 5 months ago

@AndreLOWestphal If you did upgrade to TPM 2.0: Your BIOS needs to explicitly support this. Many older BIOSes only support TPM 1.2.

Silvenga commented 5 months ago

@AndreLOWestphal if you got the TPM from Aliexpress - I would assume it's fake. TPM's handle sensitive data, I would only use a genuine TPM from a reputable seller - so from your motherboard vendor's website.

AndreLOWestphal commented 5 months ago

@maurice-w Interesting, my board is a gigabyte h87-d3h, my Bios is currently F8, when I run tpm.msc, it says it doesn't identify tpm 1.2 or higher, even then it wouldn't support it? I can't find anything about it on the manufacturer's website.

AndreLOWestphal commented 5 months ago

@Silvenga Ok, where would I find the genuine part because in all places and websites I find the same SLB9665TT20 chip which also seems to be the one used by the manufacturer gigabyte, however, I can't find an original anywhere.

maurice-w commented 5 months ago

@AndreLOWestphal That's an 11-year-old consumer mainboard, it's unlikely to support TPM 2.0. If there's a newer BIOS version available, try it. But unless the release notes explicitly mention TPM 2.0 support, don't get your hopes up.

felipemottan commented 5 months ago

@AndreLOWestphal I had some issues similar to yours when I plugged in my new TPM on my Asrock X99 Motherboard for the first time. What worked for me was to clear the whole CMOS (UEFI) and configure everything from scratch. Do not restore a saved UEFI profile. Afterwards, Windows could properly recognize the TPM for use and updates.

AndreLOWestphal commented 5 months ago

@felipemottan So at first I returned to Windows 10 because of studies, now I'm going to try to resolve it again. Gigabyte gave me feedback, saying that even though the board is 11 years old, it is capable of reading TPM 2.0 when updating the BIOS for the 2015 f10 firmware. In this case mine is the 2011 f8, so I'll give it another study and check the update, and I'll try this way if new errors appear.