There is a bug in certain Infineon TPM firmware versions which results in RSA keys generated by the TPM being vulnerable to an attack that recovers the private half of the RSA key from nothing but the public key. The researchers who found the vulnerability have published high-level information here: https://crocs.fi.muni.cz/public/papers/rsa_ccs17. Currently known exploits are computationally expensive; specifically, for RSA keys of bit size 2048, the researchers estimate 140.8 CPU years to break a single key. Note that this figure might drop as more researchers look at the attack. At the current point in time, it means TPM-generated RSA keys can't be broken at large scale, but targeted attacks are possible. To summarize: there exists a practical attack against TPM-generated RSA keys, but it doesn't allow large-scale exploitation of Chrome OS devices.
Chrome OS relies on TPM-generated RSA keys for a number of features:
- Slowing down brute-force attacks against encrypted user data. The page [Protecting Cached User Data](/chromium-os/chromiumos-design-docs/protecting-cached-user-data) describes this in more detail. The TPM key involved is a 2048-bit RSA key; the vulnerability lets an attacker recover its private half and thereby move the brute-force attack against the user's password off-device, where the TPM can no longer rate-limit it. Note, however, that off-device brute-forcing is only an advantage against strong passwords: weak passwords remain cheaper to brute-force against the TPM itself, regardless of whether it runs vulnerable firmware or not.
- Hardware-backed encryption keys / certificates. Chrome OS allows users to generate and import RSA keys that are protected by the TPM so that the main OS cannot access the private key. These keys are typically accompanied by a certificate and then used in network authentication, such as WPA2-EAP, HTTPS client authentication, etc. The vulnerability allows attackers to determine the private key. The bit size of generated and imported keys depends on parameters; the bit sizes supported by Chrome OS for TPM-backed keys are 1024 or 2048. The size matters: the researchers' paper puts a 1024-bit key at roughly 97 CPU days to break, versus the 140.8 CPU years quoted above for 2048 bits. You can check the key sizes of certificates backed by TPM keys at chrome://settings/certificates.
- Chrome OS [Verified Access](https://support.google.com/chrome/a/answer/7156268) allows network services to verify client device integrity and identity. TPM-generated RSA keys (bit size 2048) are used in the certification process. An attacker who breaks a device's "Attestation Identity Key" can impersonate that legitimate device from an endpoint of their choice.
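To make the key weakness concrete, here is an added example (not Chrome OS, Infineon or the researchers' code) in pure Python. It builds an RSA modulus with the algebraic structure the affected firmware produces and applies the public-key-only fingerprint that detects it: the vulnerable primes have the form k*M + (65537^a mod M) with M a primorial, so the modulus is a power of 65537 modulo every small prime, which can be tested from the public key alone. The structure and the fingerprint primes follow the published paper; the function names, the exponents 0x1234 / 0x4321, the search starting points and the control-key offsets are arbitrary constants chosen here for a reproducible demonstration, and the generated keys are constructed values, not keys from any device.

```python
import math
import random

# The odd primes up to 167, i.e. the fingerprint primes of the researchers'
# published detector. Together with 2 they are the first 39 primes, whose
# product M is the modulus the affected firmware uses for 512-bit primes
# (1024-bit keys); larger keys use larger primorials that still contain it.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GEN = 65537                          # generator the vulnerable primes are built from
M = 2 * math.prod(SMALL_PRIMES)      # primorial 2*3*5*...*167
_RNG = random.Random(0)              # fixed seed so the demo is reproducible


def order_mod(g, p):
    """Multiplicative order of g modulo the (tiny) prime p, by brute force."""
    x, k = g % p, 1
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


# Order of 65537 in each Z_p^*. Z_p^* is cyclic, so a residue x is a power of
# 65537 mod p exactly when x^order == 1 (mod p).
ORDERS = {p: order_mod(GEN, p) for p in SMALL_PRIMES}


def roca_fingerprint(n):
    """Public-key-only check: is n mod p a power of 65537 for every fingerprint
    prime p?  A vulnerable modulus is p*q == 65537^(a+b) (mod M), so it always
    passes; an unrelated modulus passes with probability around 2^-154."""
    return all(pow(n % p, d, p) == 1 for p, d in ORDERS.items())


def is_probable_prime(n, rounds=20):
    """Trial division by the small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in [2] + SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(bits, a):
    """First prime of the vulnerable shape k*M + (65537^a mod M) near
    1.5 * 2^(bits-1). Real firmware picks a and k secretly; the exponent here
    is an arbitrary constant supplied by the caller (constructed demo value)."""
    base = pow(GEN, a, M)            # odd and coprime to M by construction
    k = (3 << (bits - 2)) // M
    while not is_probable_prime(k * M + base):
        k += 1
    return k * M + base


def ordinary_prime(bits, offset):
    """Control: a prime with no special structure, scanning odd numbers upward."""
    n = (3 << (bits - 2)) + (offset | 1)
    while not is_probable_prime(n):
        n += 2
    return n


def make_roca_modulus(bits=1024):
    """Constructed modulus with the structure of an affected key."""
    return roca_style_prime(bits // 2, 0x1234) * roca_style_prime(bits // 2, 0x4321)


def make_ordinary_modulus(bits=1024):
    """Constructed modulus from two structureless primes (should not be flagged)."""
    return ordinary_prime(bits // 2, 0x9E3779B9) * ordinary_prime(bits // 2, 0x7F4A7C15)


if __name__ == "__main__":
    for label, n in (("roca-style", make_roca_modulus()), ("ordinary", make_ordinary_modulus())):
        print(f"{label:10s} {n.bit_length()} bits  fingerprint={roca_fingerprint(n)}")
```

To check a real certificate, extract its modulus (for example `openssl x509 -in cert.pem -noout -modulus`, which prints `Modulus=<hex>`), convert the hex with `int(hexstring, 16)` and pass it to `roca_fingerprint()`. The test only tells you whether a key has the vulnerable structure; it does not recover the private key, and it needs the public half, so it cannot assess TPM keys whose public part you do not have.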
In Chrome OS M60, we strengthened Chrome OS user data protection using the scrypt password hashing scheme to act as a second line of defense even in case the brute-force protection afforded by the TPM is lost. Users were automatically upgraded to the new scheme behind the scenes without user-observable effects. This measure guarantees adequate protection of encrypted user data for users that use strong passwords. If your password isn't strong, now is a good time to fix this - the risk involved with using a weak password generally transcends Chrome OS and affects other places that store sensitive data.
For hardware-backed encryption keys and Verified Access, mitigations are technically infeasible without losing the hardware binding, and thus breaking the feature. The only supported path to restore the designed security strength for these features is to update TPM firmware.
See below for advice on whether and when to update TPM firmware.
You can check the TPM firmware running on your device by looking at the firmware_version line of the tpm_version entry in chrome://system. If the tpm_version entry is absent, this is likely because you are running an old Chrome OS version which doesn't report this information. Upgrade to a newer version and check again.
Vulnerable firmware versions used on Chrome OS are (listing the firmware_version value from chrome://system as well as the human-readable version number):
Fixed firmware versions are as follows:
With the exception of older devices that use the Infineon SLB 9635 TPM, all Chrome OS devices that include an Infineon TPM chip are affected. Here is the complete list of affected devices with code names and marketing names:
Recent Chrome OS builds of version M61 and later include functionality to install a TPM firmware update on the affected devices. After installing the update, RSA keys generated by the TPM are no longer vulnerable to the attack described above.
The following Chrome OS versions include the TPM firmware update for affected devices (note that chromium OS builds do not contain firmware files):
The one exception is link / Google Chromebook Pixel, for which the TPM firmware update functionality is not enabled yet. There is a problem with firmware update installation on that device; we intend to ship an update with a fix to enable the TPM firmware update as soon as possible.
Installing the TPM firmware update requires a hardware reset of the TPM chip. This means that all data held by the TPM will be discarded. This includes disk encryption keys, implying that all user data stored locally on the device will be lost. Thus, you need to carefully back up any important data before you install the update.
We are actively working on ways to allow updated TPM firmware to be installed without losing all data on the device. Launch dates for these non-destructive update flows are not confirmed at this point though.
There is also a risk that the update will fail e.g. due to loss of power while installing the update. See below for more information on how to recover from this situation. You'll need Chrome OS recovery media in order to invoke the recovery flow. You will want to make sure that you either prepare it before starting the TPM firmware update just in case or have another computer available to create recovery media in case you need it.
There is no one-size-fits-all advice on whether to install the update or not. As described above, there are inherent inconveniences and risks associated with the update process and a limited set of features is impacted by the vulnerability. In order to help make an informed decision, here is some guidance. If any of the following applies, consider installing the update:
- You rely on the highest level of protection that Chrome OS can offer for your encrypted user data (TPM-backed protection against password brute-forcing attacks).
- You are using hardware-backed encryption keys and corresponding certificates to access network services such as corporate web sites, VPNs, etc. If you're unsure, you can check the "your certificates" section in chrome://settings/certificates to see whether you have any hardware-backed certificates.
- You are using [Verified Access](https://support.google.com/chrome/a/answer/7156268) for device authentication on your enterprise-managed Chrome OS devices. When in doubt, ask your administrator.
If none of the bullets above apply to you, you don't benefit from the update and can safely skip it, thus avoiding potential complications due to failing updates as described above.
Due to the implied loss of data, users must trigger the update explicitly. To do so, users can opt in to installing the TPM firmware update as part of the factory reset flow, also known as "powerwash". Note that for enterprise-managed devices, the powerwash UI is not normally available. We have therefore added a TPM firmware update device policy which admins can set to make the TPM firmware update via powerwash available to their users.
The steps are as follows:
1. Trigger the powerwash flow, either via Ctrl+Alt+Shift+R on the login screen, or via the powerwash option in chrome://settings > Advanced. The flow will ask you to reboot unless you have just restarted your device anyway.
2. In the powerwash dialog, there will be a checkbox "Update firmware for added security." Check it to request that the TPM firmware update be installed. If you don't see the checkbox, this can be due to a number of reasons:
   - Your device already runs updated firmware; check chrome://system as described above to confirm.
   - You are running an older Chrome OS version that doesn't include the functionality to update TPM firmware. Upgrade to a newer OS version.
   - Your device is enterprise-managed and your administrator has not enabled the TPM firmware update device policy.
3. Once you click the "Powerwash" button and confirm, the device will reboot.
4. After the reboot, you'll see a message indicating that the powerwash is in progress. Wait for it to complete, after which the device will reboot again.
5. After the second reboot, the device will show a message screen while installing the firmware update, with a progress bar that advances as the update proceeds. The device will reboot once more after installing the update.
6. After the third reboot, you'll see the familiar Chrome OS UI again, showing the out-of-box experience. Your device is in factory state, so go through the setup flow again and then log in as usual.
7. It's worth double-checking that you are running fixed TPM firmware by checking the tpm_version entry in chrome://system. See the **Affected TPM firmware versions** section for details.
There is a risk that the device will no longer boot if the update fails. This happens when the update installation gets interrupted while on the installation progress screen, for example due to power loss. The device will show a screen saying "Chrome OS is missing or damaged". If you press Tab on this screen, you'll see some additional information, including a line labelled "recovery_reason". If the boot failure was due to an earlier failed TPM firmware update, you'll likely see "Secure NVRAM (TPM) initialization error" as the "recovery_reason".
Devices in this state can be recovered via Chrome OS recovery. Recovery images for versions that have the TPM firmware update (see above) include functionality to retry a TPM firmware update that has previously failed. Follow these steps to recover:
1. Make absolutely sure that your device is connected to a reliable power source and has a charged battery (if applicable).
2. Press Esc+Refresh+Power (keep holding Esc+Refresh for a while after releasing Power) in order to start recovery mode. The device will boot to a screen that says "Chrome OS is missing or damaged" (older devices) or "Please insert a recovery USB stick or SD card" (newer devices).
3. Plug in the recovery media. The device will launch the recovery procedure, starting with verification of the recovery media.
4. If the recovery software determines that the TPM has encountered a previous failed update, it will automatically launch the TPM firmware update installation process. You'll see a screen indicating the update is being installed, with a progress bar that advances as the update proceeds.
5. After successful installation of the update, the device will reboot. Afterwards, the device should boot to the familiar Chrome OS UI again, showing the out-of-box experience.
The recovery software will show a screen saying "The security module on this device is not working" if it encounters a bug or a condition that the recovery software is unable to fix. If you see this, you'll want to ask for help either via the Chromebook Central Help Forum or via EDU / enterprise support channels (if applicable). There are some important pieces of evidence to gather that are helpful in figuring out the root cause of the failure:
- Hold on to the recovery media. The recovery software stores diagnostic information on it, so do not use it for recovery attempts on other devices and do not overwrite it otherwise. The log files can be found on the first partition under "recovery_logs" and contain a trace of the recovery software's execution flow, which is invaluable in tracking down the root cause of the failure.
- Take note of the information shown by pressing Tab on the "Chrome OS is missing or damaged" screen, e.g. by snapping a photo. The recovery_reason line is particularly interesting, as it may give clues as to what state the TPM is in.
Due to a bug in the original implementation of the TPM firmware update flow, a vulnerable Storage Root Key (a key held by the TPM that is used to encrypt other keys) from before the update may remain even after completing the update. This affects a small number of devices that did not finish the TPM firmware update in normal boot mode but only after a retry using a recovery image. This can be addressed by performing another powerwash to clear the TPM again and thus regenerate a new Storage Root Key that is not vulnerable. Chrome OS M70 and later will show a one-time system notification saying "Security upgrade available" / "Reset your Chromebook to upgrade your security" to each user to alert them to the situation. Users should re-evaluate their situation per the advice above to decide whether they want to perform the powerwash, which can be triggered by invoking the firmware update flow again via chrome://chrome.
If you want to apply the update manually for any reason (e.g. you're using a Chromebook Pixel (link)), here are the steps required.

```sh
dbus-send --system --dest=org.chromium.SessionManager --type=method_call /org/chromium/SessionManager org.chromium.SessionManagerInterface.StartTPMFirmwareUpdate string:first_boot
```

Check `/var/log/messages`. If it says something about a user already having logged in, go back to step 2.