I'll try to keep this brief and technical (and not even slightly ranty), because it is a very niche subject, and if solving it hadn't been so convoluted and full of hidden gotchas (and consumed almost half a day), I would have just tucked the whole experience under the "another day in the IT paradise, which almost doesn't kill you, but certainly doesn't make you happier" category.
But, given how much grief and anguish it has caused me, I hope to spare the next unfortunate human being that tries to undertake it.
Some context:
I have a few "HP t620 Flexible Thin Client" units, released almost 10 years ago and bought el-cheapo second-hand last year, that make nice little Linux experimentation machines; for more details, David Parkinson (a sort of collector of years-past thin clients) has a very good set of articles at:
Specifications and hardware description for a HP t620
the HP t620 features an Infineon discrete security chip that supports TPM 1.2, one that I wanted to experiment with in relation to my previous article:
Musing about a secure computer for sensitive data
unfortunately, the Infineon security chip firmware (and not only the one in the TPM of my HP t620) is vulnerable to the ROCA vulnerability; for more details see:
ROCA: Vulnerable RSA generation (CVE-2017-15361)
even more unfortunately, updating the HP t620 firmware (i.e. the BIOS) doesn't actually update the TPM chip firmware, which requires a dedicated update procedure;
So, one would expect to just download some disk image, write it to a USB, boot it, follow the next-next-next instructions, hope the update doesn't brick your system (not that such a thing happened to me in the past), and be done with it.
Regrettably, it's not the case... (Else, our lives would have been boring and without enough heart pumping action to make us feel alive!)
Foremost, Infineon washed their hands of the whole debacle and just pushed the device integrators under the bus, leaving each of them to do their own thing; see:
Information on TPM firmware update for Microsoft Windows systems as announced on Microsoft's patchday on October 10th 2017
What did HP choose to do? What any reputable cost-savvy enterprise hardware manufacturer chooses to do when faced with a similar problem: provide you with a Windows executable (that works only on certain versions of said OS)...
Am I using Linux? Too bad...
So, what are the steps to update the Infineon TPM firmware?
Warning
Be warned, that doing any of these would wipe your TPM! Thus, if you are actively using it for something, stop and think about how to work around that.
download (for free, I couldn't believe it either) the Windows 10 64-bit installer ISO image:
https://www.microsoft.com/software-download/windows10
burn it onto a DVD, and place it in the DVD drive of the thin client;
what do you say? it's 2024 and the last time you've even seen a DVD burner you were pretending to be Neo with the latest Nokia slider phone? what else do you say? the thin client doesn't even have a DVD drive?
well, at least there is Rufus that takes an ISO image and creates a bootable USB stick;
what? it only works on Windows, and we are trying to install Windows because we don't actually have Windows in the first place?
did the even more enshittified, sorry, recently AI-enabled, search engine just tell us there is this harmless project that would gladly run on our Linux laptop, if we were to just give it root access... (batteries and backdoors are obviously not included!)
scratch that, just put Ventoy on a USB stick, boot it once and let it mangle the hell out of that stick, then place the Windows installer ISO on the "images partition", and boot it this way!
torment yourself through the Windows installer; (and just ignore the 20th time the "just one more moment" message appears, I promise you it will be over in half an hour, after you see that message the 100th time!)
- if you don't have a Windows license key, just skip it;
- if you don't have a Microsoft Live account, just skip it;
- if you don't want to sell your soul to Microsoft, just skip the 30-or-so other optional steps...
once you are up-and-running and logged-in as a normal Windows user continue with the next steps;
read the following article written by Microsoft on how to stop Windows 10 from taking ownership of the TPM at first sight without even bothering to ask you (the relevant PowerShell cmdlet is Disable-TpmAutoProvisioning, run from an elevated prompt); because, you see, the HP / Infineon TPM firmware update will ask you for the TPM "owner password" / "owner password file", which I guarantee you don't have, because Windows 10 decided to create a random one, initialize the TPM with it, and nuke it out of existence!
reboot the system and enter the BIOS (by pressing F10):
(!!!! as warned earlier, this step will wipe your TPM !!!!)
- from the Security > Trusted Computing menu,
- in the Pending operation option choose TPM Clear;
- (if the Pending operation is grayed out or not available, check if the Security Device Support is set to Enable;)
- save the settings of the sub-menu (by pressing F10 before closing the menu),
- save the settings of the BIOS (by pressing F10 another time, and then Enter),
- and finally reboot;
enter the BIOS again:
- where from the same Trusted Computing menu,
- in the TPM State option choose Enabled;
- save the settings (again mind the F10) and reboot;
once back over in Windows, read and follow the instructions described by HP support in (but see below!):
Infineon TPM Security Update
HP support says in the mentioned article that for an HP t620 thin client the appropriate update is SP82133, which apparently doesn't work on my unit; instead the update SP82407 does seem to work;
for me the procedure reads as follows:
- download the SP82407 update (or perhaps try the SP82133 one first),
- install it on Windows 10,
- open the C:\SWSetup\SP82407 folder,
- and from there run the IFXTPMUpdate_TPM12_v0434.exe (not the *.com file);
once you run the IFXTPMUpdate_TPM12_v0434.exe:
- it will ask for administrative rights,
- then tell you whether it recognizes the Infineon TPM security chip -- which in my case is Infineon SLB 9656 TT 1.2;
- tell you that a firmware update is available (or not, if you are already up-to-date),
- and finally, if everything in the solar system is aligned properly, you'll have the update button available;
continue by:
- pressing the update button,
- waiting for the update to complete,
- and then rebooting the system;
!!!! you should then probably go through another TPM clear procedure just to be sure; !!!!
and finally, you can now detach the M.2 SATA SSD on which you've installed Windows 10, drive a stake through it, smash it into smithereens, dunk it into holly water, and just for good measure toss it in a volcano! lest the Windows start menu plague, pardon, technically they call it "suggestions", escapes and infects your other computers...
Good job!
How do you check that your TPM is no longer vulnerable to the ROCA attack?
You just need the public part of an RSA key generated on the TPM chip,
and pass it to the online ROCA vulnerability checker available at:
https://keychest.net/roca
How do you get the public part of an RSA key generated on device?
Stay tuned for another rant... No, really, there isn't a straight-forward solution...
I've managed to check out and compile the tpm-sign example from the Go-TPM project (not sponsored by Google, but it happens to be hosted on their GitHub account):
https://github.com/google/go-tpm/blob/main/examples/tpm-sign
You could then:
- take ownership of the (freshly cleared) TPM with tpm_takeownership -z -y (from tpm-tools; -y and -z set the owner secret and the SRK secret respectively to the well-known all-zero value),
- use tpm-sign generate, to get a publickey file in the current folder,
- which if you pass through certtool --pubkey-info --inder < ./publickey
- would get you the PEM formatted public key,
- that you can then paste in the online tool I've mentioned earlier.
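If you'd rather not paste a key into a web form, the ROCA fingerprint test is simple enough to run locally. The script below is an added example of mine (not part of this post's original steps, and not code from go-tpm, HP, Infineon or the keychest checker); it reimplements the public fingerprint from the ROCA paper: affected keys are built from primes of the form k*M + (65537^a mod M) with M a primorial, so the modulus N reduced modulo each small prime dividing M always lands in the subgroup generated by 65537. The modulus is assumed to come from the PEM you got out of certtool, e.g. via `openssl rsa -pubin -in pubkey.pem -noout -modulus`; the two sample values inside the script are constructed for illustration and are not real RSA keys.

```python
"""Offline ROCA (CVE-2017-15361) fingerprint check for an RSA modulus.

Added example, not from the post nor from any of the tools it mentions.
The test is the published one: for each small prime p (all divide the
primorial M used by the vulnerable Infineon RSALib), N mod p must lie in
the cyclic subgroup generated by 65537 mod p. A normally generated RSA
modulus fails at least one of these 38 residue tests with overwhelming
probability, so "all pass" means "generated by the vulnerable firmware".
"""

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup_of_generator(p: int) -> frozenset:
    """Residues {65537^k mod p}: where N mod p sits for every affected key."""
    seen = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return frozenset(seen)


# Computed once; the reference roca-detect ships these as precomputed bitmasks.
SUBGROUPS = {p: subgroup_of_generator(p) for p in SMALL_PRIMES}


def failing_primes(n: int) -> list:
    """Small primes whose residue rules the key out; empty == fingerprint present."""
    return [p for p in SMALL_PRIMES if (n % p) not in SUBGROUPS[p]]


def has_roca_fingerprint(n: int) -> bool:
    """True if N carries the ROCA fingerprint (still on vulnerable firmware)."""
    return not failing_primes(n)


def modulus_from_openssl_line(line: str) -> int:
    """Parse the 'Modulus=HEX' line printed by
    `openssl rsa -pubin -in pubkey.pem -noout -modulus`."""
    key, _, value = line.strip().partition("=")
    if key != "Modulus" or not value:
        raise ValueError("expected a 'Modulus=<hex>' line")
    return int(value, 16)


def synthetic_vulnerable_modulus(a: int = 12345, k: int = 987654321) -> int:
    """Constructed test value, NOT a real key: k*M + (65537^a mod M) with M the
    primorial of the first 39 primes (2..167). This has exactly the residue
    structure of a ROCA-affected modulus, so it trips every residue test."""
    m = 2
    for p in SMALL_PRIMES:
        m *= p
    return k * m + pow(GENERATOR, a, m)


# Constructed clean value, also NOT a real key: an odd number that is 2 mod 11,
# whereas the vulnerable subgroup mod 11 is {1, 10}, so the check rejects it.
CLEAN_SAMPLE = 2**1023 + 2**511 + 3


if __name__ == "__main__":
    print("synthetic vulnerable:", has_roca_fingerprint(synthetic_vulnerable_modulus()))
    print("clean sample:", has_roca_fingerprint(CLEAN_SAMPLE),
          "first failing prime:", failing_primes(CLEAN_SAMPLE)[0])
```

Run it against the TPM-generated key before and after the firmware update: before, `has_roca_fingerprint` should return True; after (and after the second TPM clear, so the key is freshly generated by the new firmware), it should return False. Note that the test says nothing about keys generated elsewhere and imported into the TPM; only keys the chip generated itself tell you anything about the chip's firmware.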
How should you proceed in the future when another vulnerability is found in your HP t620?
Just recycle it, or stop relying on the TPM, because HP already considers this device end-of-life.