
RSA Keys Generated by Infineon TPMs Are Insecure - jlgaddis
https://support.lenovo.com/us/en/product_security/len-15552
======
jlgaddis
Summary:

> _Lenovo Security Advisory: LEN-15552_

> _Potential Impact: RSA keys generated by the Infineon TPM using certain
> firmware levels are insecure_

> _Severity: Varies: None to High_

> _Scope of Impact: Industry-Wide_

---

FYI, when submitting this I linked to Lenovo's informational page about this
issue instead of the original vendor's page [0] since it doesn't really
contain much useful information. _(mods: feel free to change the URL)_

I also found some technical information (although mostly ChromeOS-specific)
about this issue in a Google document [1].

Links to information from other vendors: Fujitsu [2], HP [3], Microsoft
Windows [4].

[0]: https://www.infineon.com/TPM-update

[1]: https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

[2]: http://www.fujitsu.com/global/support/products/software/security/products-f/ifsa-201701e.html

[3]: https://support.hp.com/us-en/document/c05792935

[4]: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

------
julian_1
Will upgrading the firmware fix already generated keys?

~~~
jlgaddis
No, any keys generated on the TPM need to be re-generated (cf. Microsoft's
advisory).

~~~
julian_1
That's interesting. The Windows firmware update works by entirely bypassing
the hardware. I wonder if other fabricators could have licensed the same core
IP?

> Microsoft is releasing Windows security updates to help work around the
> vulnerability by logging events and by allowing the generation of software
> based keys.

------
mtgx
Wasn't Infineon bought by Intel?

~~~
jlgaddis
Just part of it, AFAICT:

> _On 31 January 2011, the sale of the business segment of wireless solutions
> to Intel was completed._ [0]

[0]: https://en.wikipedia.org/wiki/Infineon_Technologies#Acquisitions_and_divestitures

