ROCA TPM vulnerability verification and status
ROCA vulnerability was discovered (October 2017) in a software library, RSALib, provided by Infineon Technologies. That library is also used in TPM modules. When this vulnerability is present, a pair of prime numbers used for generating RSA keys is chosen from a small subset of all available prime numbers. This results in a great loss of entropy. Details and exact numbers can be found here.
Generating RSA key pairs with TPM
RSA keys can be generated with tpm2-tools. SLB 9665 used in TPM module doesn't support 512-bit RSA, so either 1024 or 2048-bit keys must be used. Context is used for key generation, so it must be generated first:
tpm2_createprimary -g 'sha1' -G 'rsa1024:null:aes128cfb' -o tpm.ctx
tpm2_create -C tpm.ctx -Grsa1024 -u key.pub -r key.priv
Only the public key is actually required by vulnerability check. It is a good idea to generate more than one pair, probably using different key sizes - chances for false positives are extremely low, but not zero.
TPM has limited internal RAM and runs out of memory after 3 operations with error:
ERROR: Tss2_Sys_CreatePrimary(0x902) - tpm:warn(2.0): out of memory for object contexts
In this case either rebooting or flushing open handles manually
helps. Only handles-transient need to be flushed:
$ tpm2_getcap -c handles-transient
- 0x80000000
- 0x80000001
- 0x80000002
$ tpm2_flushcontext -c 0x80000000
$ tpm2_flushcontext -c 0x80000001
$ tpm2_flushcontext -c 0x80000002
Extracting keys hashes
File key.pub is a binary file with a TPM-specific header. It is not supported
by the tool for checking for ROCA vulnerability, so the key needs to be
extracted and saved in one of the supported formats, e.g. hex coded number.
This can be done with the following script:
#!/bin/bash
rm -f keys.txt
for file in *.pub
do
dd if=${file} bs=1 skip=24 | hexdump -v -e '/1 "%02x"' >> keys.txt
echo "" >> keys.txt
done
Testing for ROCA vulnerability
A tool for checking for ROCA TPM vulnerability can be found here.
The easiest way is to install it with pip:
pip install roca-detect
All parsed keys can be checked using just one command:
roca-detect keys.txt
More use cases can be found on the main page of this tool, including tests for saved SSH hosts keys.
This operation should take no more than a couple of seconds, as it only checks if the key was generated from insecure prime numbers, without finding the exact numbers used. It does not generate private keys.
Results
This is output from test run on 2 different modules, with both 1024 and 2048-bit keys generated on each of them:
2019-03-25 18:31:17 [11915] WARNING Fingerprint found in modulus keys.txt idx 0
{"type": "mod-hex", "fname": "keys.txt", "idx": 0, "aux": null,
"n": "0x94b79a35a5d47040df1503670080a7714ae1ee751aeb32071b3db388b3bf80b11f661c4b8819ebd1c716239c9ec5a202b08a2aa3c17ad6cd17075ba49fcd005d8b8fa50c29433db35c1421727472deddd77bced7e6438db4d447008b11cdb018139bfef2e06c4b4a3e672543a7e9333040fd881815e14b1f1338e90180fd0865",
"marked": true, "time_years": 0.16104529886799998, "price_aws_c4": 70.5861544938444}
(...)
2019-03-25 18:31:17 [11915] INFO ### SUMMARY ####################
2019-03-25 18:31:17 [11915] INFO Records tested: 8
2019-03-25 18:31:17 [11915] INFO .. PEM certs: . . . 0
2019-03-25 18:31:17 [11915] INFO .. DER certs: . . . 0
2019-03-25 18:31:17 [11915] INFO .. RSA key files: . 0
2019-03-25 18:31:17 [11915] INFO .. PGP master keys: 0
2019-03-25 18:31:17 [11915] INFO .. PGP total keys: 0
2019-03-25 18:31:17 [11915] INFO .. SSH keys: . . . 0
2019-03-25 18:31:17 [11915] INFO .. APK keys: . . . 0
2019-03-25 18:31:17 [11915] INFO .. JSON keys: . . . 0
2019-03-25 18:31:17 [11915] INFO .. LDIFF certs: . . 0
2019-03-25 18:31:17 [11915] INFO .. JKS certs: . . . 0
2019-03-25 18:31:17 [11915] INFO .. PKCS7: . . . . . 0
2019-03-25 18:31:17 [11915] INFO Fingerprinted keys found: 4
2019-03-25 18:31:17 [11915] INFO WARNING: Potential vulnerability
2019-03-25 18:31:17 [11915] INFO ################################
It shows that ROCA vulnerability is present on this TPM module model. TPM firmware update will be required.
Note that ROCA is connected only with RSA, it doesn't affect any other security functions, as long as they don't use RSALib.
Updating TPM firmware
Tools for updating Infineon TPM firmware can be easily found, unfortunately, most of them are either UEFI or Windows applications. A Linux port of them can be found here.
First, check if TPMFactoryUpd was built successfully and TPM is detected
properly:
$ ./TPMFactoryUpd -info
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 *
**********************************************************************
TPM information:
----------------
Firmware valid : Yes
TPM family : 2.0
TPM firmware version : 5.61.2785.0
TPM platformAuth : Empty Buffer
Remaining updates : 64
Remember the current firmware version number, it will be needed later. Also note
what is the value of TPM platformAuth - it must be Empty Buffer in order to
perform an update. To do this, build and flash coreboot with TPM disabled in
config menu, or use older version of BIOS - none of the v4.8.0.* versions have
TPM support enabled. SeaBIOS doesn't need any modifications, it will not
initialize TPM unless coreboot does.
TPM firmwares are available with some of the UEFI and Windows images, like
these.
Only 9665FW update package_1.5/Firmware/TPM20_<old_version>_to_TPM20_5.63.3144.0.BIN
file is required. Extract this file to the same directory as the TPMFactoryUpd
and run:
$ ./TPMFactoryUpd -update tpm20-emptyplatformauth -firmware TPM20_<old_version>_to_TPM20_5.63.3144.0.BIN
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 *
**********************************************************************
TPM update information:
-----------------------
Firmware valid : Yes
TPM family : 2.0
TPM firmware version : 5.61.2785.0
TPM platformAuth : Empty Buffer
Remaining updates : 64
New firmware valid for TPM : Yes
TPM family after update : 2.0
TPM firmware version after update : 5.63.3144.0
Preparation steps:
TPM2.0 policy session created to authorize the update.
DO NOT TURN OFF OR SHUT DOWN THE SYSTEM DURING THE UPDATE PROCESS!
Updating the TPM firmware ...
Completion: 100 %
TPM Firmware Update completed successfully.
This can take 3-5 minutes, depending on the firmware update size. After it completes, TPM is not useful until the next reboot:
$ ./TPMFactoryUpd -info
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 *
**********************************************************************
TPM information:
----------------
Firmware valid : Yes
TPM family : 2.0
TPM firmware version : 5.63.3144.0
TPM platformAuth : N/A - System restart required
Remaining updates : N/A - System restart required
Reboot platform immediately. Using TPM functions in this state isn't safe. After successful reboot and flashing original coreboot firmware the result should be:
$ ./TPMFactoryUpd -info
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 *
**********************************************************************
TPM information:
----------------
Firmware valid : Yes
TPM family : 2.0
TPM firmware version : 5.63.3144.0
TPM platformAuth : Not Empty Buffer
Remaining updates : 63
Updating TPM firmware - automatic version detection
Assuming that a whole Firmware directory was extracted to directory containing
TPMFactoryUpd from the update package,
one can use single command to do the update. Appropriate file is chosen
automatically, depending on the old version. The command is:
$ ./TPMFactoryUpd -update config-file -config Firmware/TPM20_latest.cfg
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 *
**********************************************************************
TPM update information:
-----------------------
Firmware valid : Yes
TPM family : 2.0
TPM firmware version : 5.51.2098.0
TPM platformAuth : Empty Buffer
Remaining updates : 64
New firmware valid for TPM : Yes
TPM family after update : 2.0
TPM firmware version after update : 5.63.3144.0
Selected firmware image:
TPM20_5.51.2098.0_to_TPM20_5.63.3144.0.BIN
Preparation steps:
TPM2.0 policy session created to authorize the update.
DO NOT TURN OFF OR SHUT DOWN THE SYSTEM DURING THE UPDATE PROCESS!
Updating the TPM firmware ...
Completion: 100 %
TPM Firmware Update completed successfully.
Remember to use BIOS with TPM disabled, and re-flash newer BIOS firmware afterwards.
Results from new version of TPM firmware
Repeating all steps from generating TPM context to using roca-detect shows
that the vulnerability is no longer present:
2019-03-26 18:40:42 [4325] INFO ### SUMMARY ####################
2019-03-26 18:40:42 [4325] INFO Records tested: 8
2019-03-26 18:40:42 [4325] INFO .. PEM certs: . . . 0
2019-03-26 18:40:42 [4325] INFO .. DER certs: . . . 0
2019-03-26 18:40:42 [4325] INFO .. RSA key files: . 0
2019-03-26 18:40:42 [4325] INFO .. PGP master keys: 0
2019-03-26 18:40:42 [4325] INFO .. PGP total keys: 0
2019-03-26 18:40:42 [4325] INFO .. SSH keys: . . . 0
2019-03-26 18:40:42 [4325] INFO .. APK keys: . . . 0
2019-03-26 18:40:42 [4325] INFO .. JSON keys: . . . 0
2019-03-26 18:40:42 [4325] INFO .. LDIFF certs: . . 0
2019-03-26 18:40:42 [4325] INFO .. JKS certs: . . . 0
2019-03-26 18:40:42 [4325] INFO .. PKCS7: . . . . . 0
2019-03-26 18:40:42 [4325] INFO No fingerprinted keys found (OK)
2019-03-26 18:40:42 [4325] INFO ################################