• Finding the latest firmware releases
• Infineon OPTIGA™ SLB 9665 TPM2.0
  • Firmware Bundle
• Updating the SLB 9665
  • Part 1: Error 0xE0295507
  • Part 2: Success
• References
• Adjacent notes

I’ve recently started building a 2U rack server, and went to install the 20pin TPM that I had spare. While the unit worked fine, I noticed the firmware was the original/oldest possible firmware version.

Finding the latest firmware releases

The Trusted Computing Group has a list of verified firmware releases for all of the known TPM chips.

For example, my chip is a Infineon, SLB 9665, and that show’s the latest firmware is 5.63

Infineon OPTIGA™ SLB 9665 TPM2.0

Data Sheet: https://www.infineon.com/dgdl/Infineon-data-sheet-SLB9665_2.0_Rev1.2-DS-v01_02-EN.pdf?fileId=5546d462689a790c016929d1d3054feb

I was able to find both 5.62.3126.2 / 5.63.3353.0, but the upgrade path from 5.0.1089.2 is not perfect. As my firmware ends in .2 and the latest upgrade supports `.0` and I have no idea if that’s a problem.

TPM20_5.0.1089.2_to_TPM20_5.62.3126.2.BIN then in theory TPM20_5.62.3126.0_to_TPM20_5.63.3353.0.BIN?

Firmware Bundle

Infineon TPM Firmware Update Tools release version is 01.01.2481.00.
TPMFactoryUpd in this release is version 01.01.2212.00.
IFXTPMUpdate.efi in this release is version 01.01.2212.00.
TVicPort.sys in this release is version 4.0.

This file contains what I believe is the (unmodified) Infineon TPM Firmware Update Tools, but I cannot give any guarantee for this. (I’ve added additional firmware to this 7z).

If you have a more recent version of this package, please forward it to me.

Updating the SLB 9665

Part 1: Error 0xE0295507

I tried to patch the TPM unit I had from the oldest firmware to the latest, and kept hitting this platformAuth is not the Empty Buffer error.

This seems to be because the TPM (even after it’s been cleared) has been accessed by the computer you’ve attached it too, and you seem to have to clear and then flash the TPM chip before the BIOS/Kernel/OS gets’ it’s grubby little fingers into it…

There is a forum post about people disabling the TPM in the BIOS before they can flash, but this didn’t help me using the SuperMicro server motherboard, as it just makes the TPMFactoryUpd tool fail with a missing TPM error.

Untested: I’ve heard Windows has a powershell Disable-TpmAutoProvisioning to stop windows from activating any TPM it sees. (I have no idea if that works to resolve the issue above).

Part 2: Success

<TO BE CONTINUED>

References

• https://github.com/iavael/infineon-firmware-updater (Infineon TPM firmware updater for Linux with Google patches / openssl 1.1.0 patches)
  
• https://github.com/jeffqchen/DIY-Asus-TPM-M-r2.0-Module
  
• https://qzhou.dev/blog/updating-a-vulnerable-tpm/
  
• https://silvenga.com/upgrading-firmware-infineon-tpm/
  
• https://www.supermicro.com/wftp/driver/TPM (Seems to contain some outdated firmware and tooling)
  
• https://github.com/pcengines/apu2-documentation/blob/master/docs/research/ROCA.md

Adjacent notes

• Disable-TpmAutoProvisioning https://learn.microsoft.com/en-us/powershell/module/trustedplatformmodule/disable-tpmautoprovisioning?view=windowsserver2022-ps
  
• https://www.dell.com/support/kbdoc/en-au/000103639/how-to-troubleshoot-and-resolve-common-issues-with-tpm-and-bitlocker

Categories: TECHNICAL

Tagged as: Infineon TPM

shlee