Trusted Platform Module firmware vulnerability: technical documentation
Vulnerability description
There is a bug in certain Infineon TPM firmware versions which results in RSA keys generated by the TPM being vulnerable to an attack that allows to recover the private half of the RSA key from just the public key. The researchers who found the vulnerability have published high-level information here: https://crocs.fi.muni.cz/public/papers/rsa_ccs17. Currently known exploits are computationally expensive; specifically, for RSA keys of bit size 2048, the researchers give an estimate of 140.8 CPU years to break a single key. Note that this figure might drop as more researchers look at the attack. At the current point in time, it means TPM-generated RSA keys can't be broken at large scale, but targeted attacks are possible. To summarize: There exists a practical attack against TPM-generated RSA keys, but it doesn't allow large-scale exploitation of Chrome OS devices.
Impacted features
Chrome OS relies on TPM-generated RSA keys for a number of features:
Slowing down brute-force attacks against encrypted user data. The page
[Protecting Cached User
Data](/chromium-os/chromiumos-design-docs/protecting-cached-user-data)
describes this in more detail. The vulnerability allows the attacker to
brute-force the encryption key (bit size 2048) off-device. However, note
that off-device brute-force attacks are only advantageous against strong
passwords - weak passwords are still less expensive to brute-force against
the TPM regardless of whether it runs vulnerable firmware or not.
Hardware-backed encryption keys / certificates. Chrome OS allows users to
generate and import RSA keys that are protected by the TPM so the main OS
can't access the private key. These keys are typically accompanied by a
certificate and then used in network authentication, such as WPA2-EAP, HTTPS
client authentication, etc. The vulnerability allows attackers to determine
the private key. The bit size of generated and imported keys depends on
parameters. The bit sizes supported by Chrome OS for TPM-backed keys are
1024 or 2048. You can check key sizes for certificates backed by TPM keys at
chrome://settings/certificates.
Chrome OS [Verified
Access](https://support.google.com/chrome/a/answer/7156268) allows network
services to verify client device integrity and identity. TPM-generated RSA
keys (bit size 2048) are used in the certification process. Attackers can
exploit the vulnerability to break an "Attestation Identity Key", which
allows them to impersonate a legit device from an endpoint of their choice.
Mitigations
In Chrome OS M60, we strengthened Chrome OS user data protection using the scrypt password hashing scheme to act as a second line of defense even in case the brute-force protection afforded by the TPM is lost. Users were automatically upgraded to the new scheme behind the scenes without user-observable effects. This measure guarantees adequate protection of encrypted user data for users that use strong passwords. If your password isn't strong, now is a good time to fix this - the risk involved with using a weak password generally transcends Chrome OS and affects other places that store sensitive data.
For hardware-backed encryption keys and Verified Access, mitigations are technically infeasible without losing the hardware binding, and thus breaking the feature. The only supported path to restore the designed security strength for these features is to update TPM firmware.
See below for advice on whether and when to update TPM firmware.
Affected TPM firmware versions
You can check the TPM firmware running on your device by looking at the firmware_version line of the tpm_version entry in chrome://system. If the tpm_version entry is absent, this is likely because you are running an old Chrome OS version which doesn't report this information. Upgrade to a newer version and check again.
Vulnerable firmware versions used on Chrome OS are (listing the firmware_version value from chrome://system as well as the human-readable version number):
- 000000000000041f - 4.31
- 0000000000000420 - 4.32
- 0000000000000628 - 6.40
- 0000000000008520 - 133.32
Fixed firmware versions are as follows:
- 0000000000000422 - 4.34
- 000000000000062b - 6.43
- 0000000000008521 - 133.33
Affected devices
With the exception of older devices that use the Infineon SLB 9635 TPM, all Chrome OS devices that include an Infineon TPM chip are affected. Here is the complete list of affected devices with code names and marketing names:
- asuka - Dell Chromebook 13 3380
- auron-paine - Acer Chromebook 11 (C740)
- auron-yuna - Acer Chromebook 15 (CB5-571)
- banjo - Acer Chromebook 15 (CB3-531)
- banon - Acer Chromebook 15 (CB3-532)
- buddy - Acer Chromebase 24
- candy - Dell Chromebook 11 (3120)
- caroline - Samsung Chromebook Pro
- cave - ASUS Chromebook Flip C302
- celes - Samsung Chromebook 3
- chell - HP Chromebook 13 G1
- clapper - Lenovo N20 Chromebook
- cyan - Acer Chromebook R11 (CB5-132T / C738T)
- daisy-skate - HP Chromebook 11 2000-2099 / HP Chromebook 11 G2
- daisy-spring - HP Chromebook 11 1100-1199 / HP Chromebook 11 G1
- edgar - Acer Chromebook 14 (CB3-431)
- elm - Acer Chromebook R13 (CB5-312T)
- enguarde - ASI Chromebook
- enguarde - Crambo Chromebook
- enguarde - CTL N6 Education Chromebook
- enguarde - Education Chromebook
- enguarde - eduGear Chromebook R
- enguarde - Edxis Education Chromebook
- enguarde - JP Sa Couto Chromebook
- enguarde - Lenovo N21 Chromebook
- enguarde - M&A Chromebook
- enguarde - RGS Education Chromebook
- enguarde - Senkatel C1101 Chromebook
- enguarde - True IDC Chromebook
- enguarde - Videonet Chromebook
- expresso - Bobicus Chromebook 11
- expresso - Consumer Chromebook
- expresso - Edxis Chromebook
- expresso - HEXA Chromebook Pi
- falco - HP Chromebook 14
- gandof - Toshiba Chromebook 2 (2015 Edition)
- glimmer - Lenovo ThinkPad 11e Chromebook
- gnawty - Acer Chromebook 11 (C730 / C730E)
- gnawty - Acer Chromebook 11 (C735)
- guado - ASUS Chromebox CN62
- hana - Lenovo N23 Yoga/Flex 11 Chromebook
- hana - Poin2 Chromebook 14
- heli - Haier Chromebook 11 G2
- kefka - Dell Chromebook 11 Model 3180
- kefka - Dell Chromebook 11 3189
- kevin - Samsung Chromebook Plus
- kip - HP Chromebook 11 2100-2199 / HP Chromebook 11 G3
- kip - HP Chromebook 11 2200-2299 / HP Chromebook 11 G4/G4 EE
- kip - HP Chromebook 14 ak000-099 / HP Chromebook 14 G4
- lars - Acer Chromebook 11 (C771, C771T)
- lars - Acer Chromebook 14 for work (CP5-471)
- leon - Toshiba Chromebook
- link - Google Chromebook Pixel
- lulu - Dell Chromebook 13 7310
- mccloud - Acer Chromebox
- monroe - LG Chromebase 22CB25S
- monroe - LG Chromebase 22CV241
- ninja - AOPEN Chromebox Commercial
- nyan-big - Acer Chromebook 13 (CB5-311)
- nyan-blaze - HP Chromebook 14 x000-x999 / HP Chromebook 14 G3
- nyan-kitty - Acer Chromebase
- orco - Lenovo 100S Chromebook
- panther - ASUS Chromebox CN60
- peach-pi - Samsung Chromebook 2 13"
- peach-pit - Samsung Chromebook 2 11"
- peppy - Acer C720 Chromebook
- quawks - ASUS Chromebook C300
- reks - Lenovo N22 (Touch) Chromebook
- reks - Lenovo N23 Chromebook
- reks - Lenovo N23 Chromebook (Touch)
- reks - Lenovo N42 (Touch) Chromebook
- relm - Acer Chromebook 11 N7 (C731)
- relm - CTL NL61 Chromebook
- relm - Edxis Education Chromebook
- relm - HP Chromebook 11 G5 EE
- relm - Mecer V2 Chromebook
- rikku - Acer Chromebox CXI2
- samus - Google Chromebook Pixel (2015)
- sentry - Lenovo Thinkpad 13 Chromebook
- setzer - HP Chromebook 11 G5 / HP Chromebook 11-vxxx
- squawks - ASUS Chromebook C200
- sumo - AOpen Chromebase Commercial
- swanky - Toshiba Chromebook 2
- terra - ASUS Chromebook C202SA
- terra - ASUS Chromebook C300SA/C301SA
- tidus - Lenovo ThinkCentre Chromebox
- tricky - Dell Chromebox
- ultima - Lenovo ThinkPad 11e Chromebook 3rd Gen (Yoga/Clamshell)
- veyron-fievel - AOpen Chromebox Mini
- veyron-jaq - Haier Chromebook 11
- veyron-jaq - Medion Akoya S2013
- veyron-jaq - True IDC Chromebook 11
- veyron-jaq - Xolo Chromebook
- veyron-jerry - CTL J2 / J4 Chromebook for Education
- veyron-jerry - eduGear Chromebook K Series
- veyron-jerry - Epik 11.6" Chromebook ELB1101
- veyron-jerry - HiSense Chromebook 11
- veyron-jerry - Mecer Chromebook
- veyron-jerry - NComputing Chromebook CX100
- veyron-jerry - Poin2 Chromebook 11
- veyron-jerry - Positivo Chromebook CH1190
- veyron-jerry - VideoNet Chromebook BL10
- veyron-mickey - ASUS Chromebit CS10
- veyron-mighty - Chromebook PCM-116E
- veyron-mighty - eduGear Chromebook M Series
- veyron-mighty - Haier Chromebook 11e
- veyron-mighty - Lumos Education Chromebook
- veyron-mighty - MEDION Chromebook S2015
- veyron-mighty - Nexian Chromebook 11.6-inch
- veyron-mighty - Prowise 11.6" Entry Line Chromebook
- veyron-mighty - Sector 5 E1 Rugged Chromebook
- veyron-mighty - Viglen Chromebook 11
- veyron-minnie - ASUS Chromebook Flip C100PA
- veyron-speedy - ASUS Chromebook C201PA
- veyron-tiger - AOpen Chromebase Mini
- winky - Samsung Chromebook 2 11 - XE500C12
- wizpig - CTL J5 Chromebook
- wizpig - Edugear CMT Chromebook
- wizpig - Haier Convertible Chromebook 11 C
- wizpig - PCMerge Chromebook PCM-116T-432B
- wizpig - Prowise ProLine Chromebook
- wizpig - Viglen Chromebook 360
- wolf - Dell Chromebook 11
- zako - HP Chromebox CB1-(000-099) / HP Chromebox G1/ HP Chromebox for Meetings
TPM firmware update
Recent Chrome OS builds of version M61 and later include functionality to install a TPM firmware update on the affected devices. After installing the update, RSA keys generated by the TPM are no longer vulnerable against the attack described above.
Chrome OS versions including the firmware update
The following Chrome OS versions include the TPM firmware update for affected devices (note that chromium OS builds do not contain firmware files):
- Chrome OS M61 - build 9765.81.0 and later
- Chrome OS M62 - build 9901.42.0 and later
- Chrome OS M63 - build 10020.0.0 and later
The one exception is link / Google Chromebook Pixel, for which the TPM firmware update functionality is not enabled yet. There is a problem with firmware update installation on that device, we intend to ship an update with a fix to enable the TPM firmware update as soon as possible.
Things to know about the update process
Installing the TPM firmware update requires a hardware reset of the TPM chip. This means that all data held by the TPM will be discarded. This includes disk encryption keys, implying all user data stored locally on the device will be lost. Thus, you need to carefully backup any important data before you install the update.
We are actively working on ways to allow updated TPM firmware to be installed without losing all data on the device. Launch dates for these non-destructive update flows are not confirmed at this point though.
There is also a risk that the update will fail e.g. due to loss of power while installing the update. See below for more information on how to recover from this situation. You'll need Chrome OS recovery media in order to invoke the recovery flow. You will want to make sure that you either prepare it before starting the TPM firmware update just in case or have another computer available to create recovery media in case you need it.
Deciding whether to install the update
There is no one-size-fits-all advice on whether to install the update or not. As described above, there are inherent inconveniences and risks associated with the update process and a limited set of features is impacted by the vulnerability. In order to help make an informed decision, here is some guidance. If any of the following applies, consider installing the update:
You rely on the highest level of protection that Chrome OS can offer for
your encrypted user data (TPM-backed protection against password
brute-forcing attacks).
You are using hardware-backed encryption keys and corresponding certificates
to access network services such as corporate web sites, VPNs. etc. If you're
unsure you can check the "your certificates" section in
chrome://settings/certificates to see whether you have any hardware-backed
certificates.
You are using [Verified
Access](https://support.google.com/chrome/a/answer/7156268) for device
authentication on your enterprise-managed Chrome OS devices. When in doubt,
ask your administrator.
If none of the bullets above apply to you, you don't benefit from the update and can safely skip it, thus avoiding potential complications due to failing updates as described above.
Installing the update
Due to the implied loss of data, users must trigger the update explicitly. To do so, users can opt in to installing the TPM firmware update as part of the factory reset flow also known as "powerwash". Note that for enterprise-managed devices, the powerwash UI is not regularly available. We have added a TPM firmware update device policy though which admins can set to make the TPM firmware update via powerwash available to their users.
The steps are as follows:
Trigger the powerwash flow, either via Ctrl+Alt+Shift+r on the login screen,
or via the powerwash option in chrome://settings > Advanced.
The flow will ask you to reboot unless you have just restarted your device
anyways.
In the powerwash dialog, there will be a checkbox "Update firmware for added
security." Check it in order to request the TPM firmware update to be
installed.
If you don't see a checkbox, this can be due to a number of reasons:
Your device already runs updated firmware, check chrome://system as
described above to confirm.
You are running an older Chrome OS version that doesn't include
functionality to update TPM firmware. Upgrade to a newer OS version.
Once you click the "Powerwash" button and confirm, the device will reboot.
After the reboot, you'll see a message indicating that the powerwash is in
progress. Wait for it to complete, after which the device will reboot again.
After the second reboot, the device will show a message screen when
installing the firmware update. There is a progress bar that will be updated
as the update progresses. The device will reboot once more after installing
the update.
After the third reboot, you'll see the familiar Chrome OS UI again showing
the out of box experience. Your device is just as new, so you can go through
the setup flow again and then log in as usual.
It’s worth double-checking you are running fixed TPM firmware by checking
the tpm_version entry in chrome://system. See the **Affected TPM firmware
versions** section for details.
Retrying a failed update
There is a risk that the device will no longer boot if the update fails. This happens when the update installation gets interrupted while on the installation progress screen, for example due to power loss. The device will show a screen saying "Chrome OS is missing or damaged". If you press Tab on this screen, you'll see some additional information including a line labelled "recovery_reason". If the boot failure was due to an earlier failed TPM firmware update, you'll likely see "Secure NVRAM (TPM) initialization error" as "recovery_reason".
Devices in this state can be recovered via Chrome OS recovery. Recovery images for versions that have the TPM firmware update (see above) include functionality to retry a TPM firmware update that has previously failed. Follow these steps to recover:
Make absolutely sure that your device is connected to a reliable power
source and has a charged battery (if applicable).
Press Esc+Refresh+Power (keep holding Esc+Refresh for a while after
releasing power) in order to start recovery mode. The device will boot to a
screen that says "Chrome OS is missing or damaged" (older devices) or
"Please insert a recovery USB stick or SD card" (newer devices).
Plug the recovery media.
The device will launch the recovery procedure, starting with verification of
the recovery media.
If the recovery software determines the TPM has encountered a previous
failed update, it will automatically launch the TPM firmware update
installation process. You'll see a screen indicating the update is getting
installed, with a progress bar getting updated as the update progresses.
After successful installation of the update, the device will reboot.
Afterwards, the device should boot to the familiar Chrome OS UI again
showing the out-of-box experience.
Troubleshooting recovery failure
The recovery software will show a screen saying "The security module on this device is not working" if it encounters a bug or a condition that the recovery software is unable to fix. If you see this, you'll want to ask for help either via Chromebook Central Help Forum or via EDU / enterprise support channels (if applicable). There are some important pieces of evidence to gather that are helpful in figuring out the root cause of the failure:
Hold on to recovery media. The recovery software stores diagnostic
information on it, so do not use it for recovery attempts on other devices
and do not overwrite otherwise. The log files can be found on the first
partition under "recovery_logs" and contain a trace of the recovery software
execution flow which is invaluable in tracking down the root cause for the
failure.
Take note of the information shown by pressing Tab on the "Chrome OS is
missing or damaged screen" e.g. by snapping a photo. The recovery_reason
line is particularly interesting as it may indicate clues as to what state
the TPM is in.
Subsequent TPM firmware update prompt
Due to a bug in the original implementation of the TPM firmware update flow, a vulnerable Storage Root Key (a key held in the TPM that is used to encrypt other keys) from before the update may remain even after completing the update. This affects a small number of devices that did not finish the TPM firmware update in normal boot mode but only after retry using a recovery image. This can be addressed by performing another powerwash to clear the TPM again and thus regenerate a new Storage Root Key that is not vulnerable. Chrome OS M70 and later will show a one-time system notification saying "Security upgrade available" / "Reset your Chromebook to upgrade your security" for each user to alert of them of the situation. Users should re-evaluate their situation per the advice above to decide whether they want to perform the powerwash, which can be triggered by invoking the firmware update flow again via chrome://chrome.
Manually Updating
If you want to apply the update manually for any reason (e.g. you're using a Chromebook Pixel (link)), here's the steps required.
- Put the device into dev mode
- See the official list of devices for more details
- If you're already in dev mode, you'll need to Powerwash or go through recovery to reset the TPM back to the correct initial state
- Boot the device until you get to the initial OOBE screen (where you
select network/etc...)
- Don't sign in!
- Switch to a console by pressing Ctrl-Alt-F2 (the -> key is the same as F2)
- Log in using the "root" username (there should be no password)
- Type this command (all on one line):
dbus-send --system --dest=org.chromium.SessionManager --type=method_call /org/chromium/SessionManager org.chromium.SessionManagerInterface.StartTPMFirmwareUpdate string:first_boot
- After a few seconds, the device should reboot
- If the device doesn't reboot, check
/var/log/messages
. If it says something about a user already having logged in, go back to step 2.
- If the device doesn't reboot, check
- Press Ctrl-D to boot
- Wait for the powerwash step to finish and reboot (should be quick)
- Press Ctrl-D to boot
- Wait for the installing update step to finish
- If the device reboots and takes you back to the login screen, you're done
- If you get an error, perform the steps described above to retry a failed update. Note that there is a known issue with original Chromebook Pixel (link) devices:The original TPM firmware version fails installing the firmware update just before completion. The device may or may not boot normally after turning it off and on again. It is critical to go through Chrome OS recovery again to reset the TPM into a good state and flush out all weak keys. You have been warned!
- If things still aren't working, then review the troubleshooting sections above