6 comments

[ 2.3 ms ] story [ 25.0 ms ] thread
Summary:

> Lenovo Security Advisory: LEN-15552

> Potential Impact: RSA keys generated by the Infineon TPM using certain firmware levels are insecure

> Severity: Varies: None to High

> Scope of Impact: Industry-Wide

---

FYI, when submitting this I linked to Lenovo's informational page about this issue instead of the original vendor's page [0] since it doesn't really contain much useful information. (mods: feel free to change the URL)

I also found some technical information (although mostly ChromeOS-specific) about this issue in a Google document [1].

Links to information from other vendors: Fujitsu [2], HP [3], Microsoft Windows [4].

[0]: https://www.infineon.com/TPM-update

[1]: https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_...

[2]: http://www.fujitsu.com/global/support/products/software/secu...

[3]: https://support.hp.com/us-en/document/c05792935

[4]: https://portal.msrc.microsoft.com/en-us/security-guidance/ad...

Will upgrading the firmware fix already generated keys?
No, any keys generated on the TPM need to be re-generated (cf. Microsoft's advisory).
That's interesting. The Windows firmware update works by entirely bypassing the hardware. I wonder if other fabricators could have licensed the same core ip.?

> Microsoft is releasing Windows security updates to help work around the vulnerability by logging events and by allowing the generation of software based keys.