path: root/chromium/docs/website/site/chromium-os/tpm_firmware_update/index.md
Diffstat (limited to 'chromium/docs/website/site/chromium-os/tpm_firmware_update/index.md')
-rw-r--r--chromium/docs/website/site/chromium-os/tpm_firmware_update/index.md467
1 files changed, 0 insertions, 467 deletions
diff --git a/chromium/docs/website/site/chromium-os/tpm_firmware_update/index.md b/chromium/docs/website/site/chromium-os/tpm_firmware_update/index.md
deleted file mode 100644
index e26e225b854..00000000000
--- a/chromium/docs/website/site/chromium-os/tpm_firmware_update/index.md
+++ /dev/null
@@ -1,467 +0,0 @@
----
-breadcrumbs:
-- - /chromium-os
- - Chromium OS
-page_name: tpm_firmware_update
-title: 'Trusted Platform Module firmware vulnerability: technical documentation'
----
-
-[TOC]
-
-## Vulnerability description
-
-There is a bug in certain Infineon TPM firmware versions which results in RSA
-keys generated by the TPM being vulnerable to an attack that allows to recover
-the private half of the RSA key from just the public key. The researchers who
-found the vulnerability have published high-level information here:
-<https://crocs.fi.muni.cz/public/papers/rsa_ccs17>. Currently known exploits are
-computationally expensive; specifically, for RSA keys of bit size 2048, the
-researchers give an estimate of 140.8 CPU years to break a single key. Note that
-this figure might drop as more researchers look at the attack. At the current
-point in time, it means TPM-generated RSA keys can't be broken at large scale,
-but targeted attacks are possible. To summarize: There exists a practical attack
-against TPM-generated RSA keys, but it doesn't allow large-scale exploitation of
-Chrome OS devices.
-
-## Impacted features
-
-Chrome OS relies on TPM-generated RSA keys for a number of features:
-
- Slowing down brute-force attacks against encrypted user data. The page
- [Protecting Cached User
- Data](/chromium-os/chromiumos-design-docs/protecting-cached-user-data)
- describes this in more detail. The vulnerability allows the attacker to
- brute-force the encryption key (bit size 2048) off-device. However, note
- that off-device brute-force attacks are only advantageous against strong
- passwords - weak passwords are still less expensive to brute-force against
- the TPM regardless of whether it runs vulnerable firmware or not.
-
- Hardware-backed encryption keys / certificates. Chrome OS allows users to
- generate and import RSA keys that are protected by the TPM so the main OS
- can't access the private key. These keys are typically accompanied by a
- certificate and then used in network authentication, such as WPA2-EAP, HTTPS
- client authentication, etc. The vulnerability allows attackers to determine
- the private key. The bit size of generated and imported keys depends on
- parameters. The bit sizes supported by Chrome OS for TPM-backed keys are
- 1024 or 2048. You can check key sizes for certificates backed by TPM keys at
- chrome://settings/certificates.
-
- Chrome OS [Verified
- Access](https://support.google.com/chrome/a/answer/7156268) allows network
- services to verify client device integrity and identity. TPM-generated RSA
- keys (bit size 2048) are used in the certification process. Attackers can
- exploit the vulnerability to break an "Attestation Identity Key", which
- allows them to impersonate a legit device from an endpoint of their choice.
-
-## Mitigations
-
-In Chrome OS M60, we strengthened Chrome OS user data protection using the
-scrypt password hashing scheme to act as a second line of defense even in case
-the brute-force protection afforded by the TPM is lost. Users were automatically
-upgraded to the new scheme behind the scenes without user-observable effects.
-This measure guarantees adequate protection of encrypted user data for users
-that use strong passwords. If your password isn't strong, now is a good time to
-fix this - the risk involved with using a weak password generally transcends
-Chrome OS and affects other places that store sensitive data.
-
-For hardware-backed encryption keys and Verified Access, mitigations are
-technically infeasible without losing the hardware binding, and thus breaking
-the feature. The only supported path to restore the designed security strength
-for these features is to update TPM firmware.
-
-See below for advice on whether and when to update TPM firmware.
-
-## Affected TPM firmware versions
-
-You can check the TPM firmware running on your device by looking at the
-firmware_version line of the tpm_version entry in chrome://system. If the
-tpm_version entry is absent, this is likely because you are running an old
-Chrome OS version which doesn't report this information. Upgrade to a newer
-version and check again.
-
-Vulnerable firmware versions used on Chrome OS are (listing the firmware_version
-value from chrome://system as well as the human-readable version number):
-
-* 000000000000041f - 4.31
-* 0000000000000420 - 4.32
-* 0000000000000628 - 6.40
-* 0000000000008520 - 133.32
-
-Fixed firmware versions are as follows:
-
-* 0000000000000422 - 4.34
-* 000000000000062b - 6.43
-* 0000000000008521 - 133.33
-
-## Affected devices
-
-With the exception of older devices that use the Infineon SLB 9635 TPM, all
-Chrome OS devices that include an Infineon TPM chip are affected. Here is the
-complete list of affected devices with code names and marketing names:
-
-* asuka - Dell Chromebook 13 3380
-* auron-paine - Acer Chromebook 11 (C740)
-* auron-yuna - Acer Chromebook 15 (CB5-571)
-* banjo - Acer Chromebook 15 (CB3-531)
-* banon - Acer Chromebook 15 (CB3-532)
-* buddy - Acer Chromebase 24
-* candy - Dell Chromebook 11 (3120)
-* caroline - Samsung Chromebook Pro
-* cave - ASUS Chromebook Flip C302
-* celes - Samsung Chromebook 3
-* chell - HP Chromebook 13 G1
-* clapper - Lenovo N20 Chromebook
-* cyan - Acer Chromebook R11 (CB5-132T / C738T)
-* daisy-skate - HP Chromebook 11 2000-2099 / HP Chromebook 11 G2
-* daisy-spring - HP Chromebook 11 1100-1199 / HP Chromebook 11 G1
-* edgar - Acer Chromebook 14 (CB3-431)
-* elm - Acer Chromebook R13 (CB5-312T)
-* enguarde - ASI Chromebook
-* enguarde - Crambo Chromebook
-* enguarde - CTL N6 Education Chromebook
-* enguarde - Education Chromebook
-* enguarde - eduGear Chromebook R
-* enguarde - Edxis Education Chromebook
-* enguarde - JP Sa Couto Chromebook
-* enguarde - Lenovo N21 Chromebook
-* enguarde - M&A Chromebook
-* enguarde - RGS Education Chromebook
-* enguarde - Senkatel C1101 Chromebook
-* enguarde - True IDC Chromebook
-* enguarde - Videonet Chromebook
-* expresso - Bobicus Chromebook 11
-* expresso - Consumer Chromebook
-* expresso - Edxis Chromebook
-* expresso - HEXA Chromebook Pi
-* falco - HP Chromebook 14
-* gandof - Toshiba Chromebook 2 (2015 Edition)
-* glimmer - Lenovo ThinkPad 11e Chromebook
-* gnawty - Acer Chromebook 11 (C730 / C730E)
-* gnawty - Acer Chromebook 11 (C735)
-* guado - ASUS Chromebox CN62
-* hana - Lenovo N23 Yoga/Flex 11 Chromebook
-* hana - Poin2 Chromebook 14
-* heli - Haier Chromebook 11 G2
-* kefka - Dell Chromebook 11 Model 3180
-* kefka - Dell Chromebook 11 3189
-* kevin - Samsung Chromebook Plus
-* kip - HP Chromebook 11 2100-2199 / HP Chromebook 11 G3
-* kip - HP Chromebook 11 2200-2299 / HP Chromebook 11 G4/G4 EE
-* kip - HP Chromebook 14 ak000-099 / HP Chromebook 14 G4
-* lars - Acer Chromebook 11 (C771, C771T)
-* lars - Acer Chromebook 14 for work (CP5-471)
-* leon - Toshiba Chromebook
-* link - Google Chromebook Pixel
-* lulu - Dell Chromebook 13 7310
-* mccloud - Acer Chromebox
-* monroe - LG Chromebase 22CB25S
-* monroe - LG Chromebase 22CV241
-* ninja - AOPEN Chromebox Commercial
-* nyan-big - Acer Chromebook 13 (CB5-311)
-* nyan-blaze - HP Chromebook 14 x000-x999 / HP Chromebook 14 G3
-* nyan-kitty - Acer Chromebase
-* orco - Lenovo 100S Chromebook
-* panther - ASUS Chromebox CN60
-* peach-pi - Samsung Chromebook 2 13"
-* peach-pit - Samsung Chromebook 2 11"
-* peppy - Acer C720 Chromebook
-* quawks - ASUS Chromebook C300
-* reks - Lenovo N22 (Touch) Chromebook
-* reks - Lenovo N23 Chromebook
-* reks - Lenovo N23 Chromebook (Touch)
-* reks - Lenovo N42 (Touch) Chromebook
-* relm - Acer Chromebook 11 N7 (C731)
-* relm - CTL NL61 Chromebook
-* relm - Edxis Education Chromebook
-* relm - HP Chromebook 11 G5 EE
-* relm - Mecer V2 Chromebook
-* rikku - Acer Chromebox CXI2
-* samus - Google Chromebook Pixel (2015)
-* sentry - Lenovo Thinkpad 13 Chromebook
-* setzer - HP Chromebook 11 G5 / HP Chromebook 11-vxxx
-* squawks - ASUS Chromebook C200
-* sumo - AOpen Chromebase Commercial
-* swanky - Toshiba Chromebook 2
-* terra - ASUS Chromebook C202SA
-* terra - ASUS Chromebook C300SA/C301SA
-* tidus - Lenovo ThinkCentre Chromebox
-* tricky - Dell Chromebox
-* ultima - Lenovo ThinkPad 11e Chromebook 3rd Gen (Yoga/Clamshell)
-* veyron-fievel - AOpen Chromebox Mini
-* veyron-jaq - Haier Chromebook 11
-* veyron-jaq - Medion Akoya S2013
-* veyron-jaq - True IDC Chromebook 11
-* veyron-jaq - Xolo Chromebook
-* veyron-jerry - CTL J2 / J4 Chromebook for Education
-* veyron-jerry - eduGear Chromebook K Series
-* veyron-jerry - Epik 11.6" Chromebook ELB1101
-* veyron-jerry - HiSense Chromebook 11
-* veyron-jerry - Mecer Chromebook
-* veyron-jerry - NComputing Chromebook CX100
-* veyron-jerry - Poin2 Chromebook 11
-* veyron-jerry - Positivo Chromebook CH1190
-* veyron-jerry - VideoNet Chromebook BL10
-* veyron-mickey - ASUS Chromebit CS10
-* veyron-mighty - Chromebook PCM-116E
-* veyron-mighty - eduGear Chromebook M Series
-* veyron-mighty - Haier Chromebook 11e
-* veyron-mighty - Lumos Education Chromebook
-* veyron-mighty - MEDION Chromebook S2015
-* veyron-mighty - Nexian Chromebook 11.6-inch
-* veyron-mighty - Prowise 11.6" Entry Line Chromebook
-* veyron-mighty - Sector 5 E1 Rugged Chromebook
-* veyron-mighty - Viglen Chromebook 11
-* veyron-minnie - ASUS Chromebook Flip C100PA
-* veyron-speedy - ASUS Chromebook C201PA
-* veyron-tiger - AOpen Chromebase Mini
-* winky - Samsung Chromebook 2 11 - XE500C12
-* wizpig - CTL J5 Chromebook
-* wizpig - Edugear CMT Chromebook
-* wizpig - Haier Convertible Chromebook 11 C
-* wizpig - PCMerge Chromebook PCM-116T-432B
-* wizpig - Prowise ProLine Chromebook
-* wizpig - Viglen Chromebook 360
-* wolf - Dell Chromebook 11
-* zako - HP Chromebox CB1-(000-099) / HP Chromebox G1/ HP Chromebox
- for Meetings
-
-## TPM firmware update
-
-Recent Chrome OS builds of version M61 and later include functionality to
-install a TPM firmware update on the affected devices. After installing the
-update, RSA keys generated by the TPM are no longer vulnerable against the
-attack described above.
-
-### Chrome OS versions including the firmware update
-
-The following Chrome OS versions include the TPM firmware update for affected
-devices (note that chromium OS builds do not contain firmware files):
-
-* Chrome OS M61 - build 9765.81.0 and later
-* Chrome OS M62 - build 9901.42.0 and later
-* Chrome OS M63 - build 10020.0.0 and later
-
-The one exception is link / Google Chromebook Pixel, for which the TPM firmware
-update functionality is not enabled yet. There is a problem with firmware update
-installation on that device, we intend to ship an update with a fix to enable
-the TPM firmware update as soon as possible.
-
-### Things to know about the update process
-
-Installing the TPM firmware update requires a hardware reset of the TPM chip.
-This means that all data held by the TPM will be discarded. This includes disk
-encryption keys, implying all user data stored locally on the device will be
-lost. Thus, you need to carefully backup any important data before you install
-the update.
-
-We are actively working on ways to allow updated TPM firmware to be installed
-without losing all data on the device. Launch dates for these non-destructive
-update flows are not confirmed at this point though.
-
-There is also a risk that the update will fail e.g. due to loss of power while
-installing the update. See **below** for more information on how to recover from
-this situation. You'll need Chrome OS recovery media in order to invoke the
-recovery flow. You will want to make sure that you either prepare it before
-starting the TPM firmware update just in case or have another computer available
-to create recovery media in case you need it.
-
-### Deciding whether to install the update
-
-There is no one-size-fits-all advice on whether to install the update or not. As
-described above, there are inherent inconveniences and risks associated with the
-update process and a limited set of features is impacted by the vulnerability.
-In order to help make an informed decision, here is some guidance. If any of the
-following applies, consider installing the update:
-
- You rely on the highest level of protection that Chrome OS can offer for
- your encrypted user data (TPM-backed protection against password
- brute-forcing attacks).
-
- You are using hardware-backed encryption keys and corresponding certificates
- to access network services such as corporate web sites, VPNs. etc. If you're
- unsure you can check the "your certificates" section in
- chrome://settings/certificates to see whether you have any hardware-backed
- certificates.
-
- You are using [Verified
- Access](https://support.google.com/chrome/a/answer/7156268) for device
- authentication on your enterprise-managed Chrome OS devices. When in doubt,
- ask your administrator.
-
-If none of the bullets above apply to you, you don't benefit from the update and
-can safely skip it, thus avoiding potential complications due to failing updates
-as described above.
-
-### Installing the update
-
-Due to the implied loss of data, users must trigger the update explicitly. To do
-so, users can opt in to installing the TPM firmware update as part of the
-[factory reset flow](https://support.google.com/chromebook/answer/183084) also
-known as "powerwash". Note that for enterprise-managed devices, the powerwash UI
-is not regularly available. We have added a TPM firmware update device policy
-though which admins can set to make the TPM firmware update via powerwash
-available to their users.
-
-The steps are as follows:
-
- Trigger the powerwash flow, either via Ctrl+Alt+Shift+r on the login screen,
- or via the powerwash option in chrome://settings &gt; Advanced.
-
- The flow will ask you to reboot unless you have just restarted your device
- anyways.
-
- In the powerwash dialog, there will be a checkbox "Update firmware for added
- security." Check it in order to request the TPM firmware update to be
- installed.
- If you don't see a checkbox, this can be due to a number of reasons:
-
- Your device already runs updated firmware, check chrome://system as
- described above to confirm.
-
- You are running an older Chrome OS version that doesn't include
- functionality to update TPM firmware. Upgrade to a newer OS version.
-
- Once you click the "Powerwash" button and confirm, the device will reboot.
-
- After the reboot, you'll see a message indicating that the powerwash is in
- progress. Wait for it to complete, after which the device will reboot again.
-
- After the second reboot, the device will show a message screen when
- installing the firmware update. There is a progress bar that will be updated
- as the update progresses. The device will reboot once more after installing
- the update.
-
- After the third reboot, you'll see the familiar Chrome OS UI again showing
- the out of box experience. Your device is just as new, so you can go through
- the setup flow again and then log in as usual.
-
- It’s worth double-checking you are running fixed TPM firmware by checking
- the tpm_version entry in chrome://system. See the **Affected TPM firmware
- versions** section for details.
-
-### Retrying a failed update
-
-There is a risk that the device will no longer boot if the update fails. This
-happens when the update installation gets interrupted while on the installation
-progress screen, for example due to power loss. The device will show a screen
-saying "Chrome OS is missing or damaged". If you press Tab on this screen,
-you'll see some additional information including a line labelled
-"recovery_reason". If the boot failure was due to an earlier failed TPM firmware
-update, you'll likely see "Secure NVRAM (TPM) initialization error" as
-"recovery_reason".
-
-Devices in this state can be recovered via [Chrome OS
-recovery](https://support.google.com/chromebook/answer/1080595). Recovery images
-for versions that have the TPM firmware update (see above) include functionality
-to retry a TPM firmware update that has previously failed. Follow these steps to
-recover:
-
- Make absolutely sure that your device is connected to a reliable power
- source and has a charged battery (if applicable).
-
- Press Esc+Refresh+Power (keep holding Esc+Refresh for a while after
- releasing power) in order to start recovery mode. The device will boot to a
- screen that says "Chrome OS is missing or damaged" (older devices) or
- "Please insert a recovery USB stick or SD card" (newer devices).
-
- Plug the recovery media.
-
- The device will launch the recovery procedure, starting with verification of
- the recovery media.
-
- If the recovery software determines the TPM has encountered a previous
- failed update, it will automatically launch the TPM firmware update
- installation process. You'll see a screen indicating the update is getting
- installed, with a progress bar getting updated as the update progresses.
-
- After successful installation of the update, the device will reboot.
- Afterwards, the device should boot to the familiar Chrome OS UI again
- showing the out-of-box experience.
-
-### Troubleshooting recovery failure
-
-The recovery software will show a screen saying "The security module on this
-device is not working" if it encounters a bug or a condition that the recovery
-software is unable to fix. If you see this, you'll want to ask for help either
-via [Chromebook Central Help
-Forum](https://productforums.google.com/forum/#!forum/chromebook-central) or via
-EDU / enterprise support channels (if applicable). There are some important
-pieces of evidence to gather that are helpful in figuring out the root cause of
-the failure:
-
- Hold on to recovery media. The recovery software stores diagnostic
- information on it, so do not use it for recovery attempts on other devices
- and do not overwrite otherwise. The log files can be found on the first
- partition under "recovery_logs" and contain a trace of the recovery software
- execution flow which is invaluable in tracking down the root cause for the
- failure.
-
- Take note of the information shown by pressing Tab on the "Chrome OS is
- missing or damaged screen" e.g. by snapping a photo. The recovery_reason
- line is particularly interesting as it may indicate clues as to what state
- the TPM is in.
-
-### Subsequent TPM firmware update prompt
-
-Due to a [bug](https://bugs.chromium.org/p/chromium/issues/detail?id=872746) in
-the original implementation of the TPM firmware update flow, a vulnerable
-Storage Root Key (a key held in the TPM that is used to encrypt other keys) from
-before the update may remain even after completing the update. This affects a
-small number of devices that did not finish the TPM firmware update in normal
-boot mode but only after retry using a recovery image. This can be addressed by
-performing another powerwash to clear the TPM again and thus regenerate a new
-Storage Root Key that is not vulnerable. Chrome OS M70 and later will show a
-one-time system notification saying "Security upgrade available" / "Reset your
-Chromebook to upgrade your security" for each user to alert of them of the
-situation. Users should re-evaluate their situation per the
-[advice](/chromium-os/tpm_firmware_update#TOC-Things-to-know-about-the-update-process)
-[above](/chromium-os/tpm_firmware_update#TOC-Deciding-whether-to-install-the-update)
-to decide whether they want to perform the powerwash, which can be triggered by
-invoking the firmware update flow again via chrome://chrome.
-
-### Manually Updating
-
-If you want to apply the update manually for any reason (e.g. you're using a
-Chromebook Pixel (link)), here's the steps required.
-
-1. Put the device into dev mode
- * See the [official list of
- devices](/chromium-os/developer-information-for-chrome-os-devices)
- for more details
-2. If you're already in dev mode, you'll need to
- [Powerwash](https://support.google.com/chromebook/answer/183084) or
- go through
- [recovery](https://support.google.com/chromebook/answer/1080595) to
- reset the TPM back to the correct initial state
-3. Boot the device until you get to the initial OOBE screen (where you
- select network/etc...)
- * Don't sign in!
-4. Switch to a console by pressing Ctrl-Alt-F2 (the -&gt; key is the
- same as F2)
-5. Log in using the "root" username (there should be no password)
-6. Type this command (all on one line):
- `dbus-send --system --dest=org.chromium.SessionManager --type=method_call
- /org/chromium/SessionManager
- org.chromium.SessionManagerInterface.StartTPMFirmwareUpdate
- string:first_boot`
-7. After a few seconds, the device should reboot
- * If the device doesn't reboot, check `/var/log/messages`. If it
- says something about a user already having logged in, go back to
- step 2.
-8. Press Ctrl-D to boot
-9. Wait for the powerwash step to finish and reboot (should be quick)
-10. Press Ctrl-D to boot
-11. Wait for the installing update step to finish
-12. If the device reboots and takes you back to the login screen, you're
- done
-13. If you get an error, perform the steps described above to [retry a
- failed
- update](/chromium-os/tpm_firmware_update#TOC-Retrying-a-failed-update).
- Note that there is a known issue with original Chromebook Pixel
- (link) devices:The original TPM firmware version fails installing
- the firmware update just before completion. The device may or may
- not boot normally after turning it off and on again. It is critical
- to go through Chrome OS recovery again to reset the TPM into a good
- state and flush out all weak keys. You have been warned!
-14. If things still aren't working, then review the troubleshooting
- sections above \ No newline at end of file