Trusted Platform Modules (TPMs)[1] are used in a very large number (billions?) of desktop and embedded devices, mobile phones and tablets.
Why[2]?
- TPMs replace hardware security modules (HSMs) and smart cards
- TPMs create a chain of trust - e.g. via Platform Configuration Registers (PCRs)
- TPMs protect sealed keys - only available to the processor if the system is healthy
- TPMs enable "strong" device identity - private/public key pairs stored in the TPM
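The chain-of-trust and sealed-key points above are easiest to see with the PCR arithmetic written out. The following is an added example, not code from the original post or from any TPM vendor: a small software model of a PCR bank with TPM 2.0 extend semantics (PCR = H(PCR || H(measurement))), plus a simplified seal/unseal that releases a secret only when the selected PCRs match the values recorded at provisioning time. The policy-digest construction, the boot component names and the disk key are all constructed for illustration and are not the real TPM 2.0 PolicyPCR encoding.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DIGEST = hashlib.sha256
DIGEST_LEN = 32
NUM_PCRS = 24


@dataclass
class SimulatedTPM:
    """Toy model (constructed, not a real TPM) of a PCR bank and a sealed-object store."""
    pcrs: Dict[int, bytes] = field(
        default_factory=lambda: {i: b"\x00" * DIGEST_LEN for i in range(NUM_PCRS)})
    sealed: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)

    def reset_pcrs(self) -> None:
        # Power-on reset: every PCR returns to its initial value; nothing else is cleared.
        self.pcrs = {i: b"\x00" * DIGEST_LEN for i in range(NUM_PCRS)}

    def extend(self, index: int, measurement: bytes) -> bytes:
        # TPM2_PCR_Extend semantics: PCR[i] = H(PCR[i] || H(measurement)).
        # A PCR can only be extended, never written, so earlier measurements cannot be undone.
        digest = DIGEST(measurement).digest()
        self.pcrs[index] = DIGEST(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def policy_pcr(self, selection: List[int]) -> bytes:
        # Simplified PolicyPCR (assumption): hash of the selected PCR values in index order.
        composite = b"".join(self.pcrs[i] for i in sorted(selection))
        return DIGEST(bytes(sorted(selection)) + DIGEST(composite).digest()).digest()

    def seal(self, name: str, secret: bytes, selection: List[int]) -> None:
        # Bind the secret to the current platform state by storing the policy digest with it.
        self.sealed[name] = (self.policy_pcr(selection), secret)

    def unseal(self, name: str, selection: List[int]) -> bytes:
        # Release the secret only if the current PCRs reproduce the recorded policy digest.
        expected_policy, secret = self.sealed[name]
        if self.policy_pcr(selection) != expected_policy:
            raise PermissionError("PCR policy check failed: platform state differs from sealing time")
        return secret


# Constructed boot chains: (PCR index, measured component). Only the kernel differs.
GOOD_BOOT = [(0, b"firmware v1.2 (constructed)"),
             (4, b"bootloader (constructed)"),
             (7, b"kernel build A (constructed)")]
TAMPERED_BOOT = [(0, b"firmware v1.2 (constructed)"),
                 (4, b"bootloader (constructed)"),
                 (7, b"kernel build B (constructed)")]
DISK_KEY = b"constructed-disk-encryption-key"
SEAL_PCRS = [0, 4, 7]


def measured_boot(tpm: SimulatedTPM, chain: List[Tuple[int, bytes]]) -> None:
    # Each stage measures the next one into the TPM before handing over control.
    for index, component in chain:
        tpm.extend(index, component)


def provision_then_boot(boot_chain: List[Tuple[int, bytes]]) -> bool:
    """Seal a key during a healthy boot, reboot with `boot_chain`, report whether it unseals."""
    tpm = SimulatedTPM()
    measured_boot(tpm, GOOD_BOOT)
    tpm.seal("disk-key", DISK_KEY, SEAL_PCRS)
    tpm.reset_pcrs()               # simulated reboot
    measured_boot(tpm, boot_chain)
    try:
        return tpm.unseal("disk-key", SEAL_PCRS) == DISK_KEY
    except PermissionError:
        return False


def extend_is_order_sensitive() -> bool:
    # The chain property: the same measurements in a different order give a different PCR.
    a, b = SimulatedTPM(), SimulatedTPM()
    a.extend(0, b"first"); a.extend(0, b"second")
    b.extend(0, b"second"); b.extend(0, b"first")
    return a.pcrs[0] != b.pcrs[0]


if __name__ == "__main__":
    print("healthy reboot unseals:", provision_then_boot(GOOD_BOOT))
    print("tampered kernel unseals:", provision_then_boot(TAMPERED_BOOT))
    print("extend order matters:", extend_is_order_sensitive())
```

The design point is that nothing in the boot chain decides whether the system is "healthy": the TPM simply refuses to release the sealed key unless the PCRs reproduce the digest recorded at provisioning, so a changed kernel is detected by the policy check rather than by any code that the changed kernel could have tampered with.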
What are the relevant CVEs and responses from chip manufacturers[3]?
- CVE-2019-11090 for Intel fTPM vulnerabilities[4]
  - Response: INTEL-SA-00241[5]
- CVE-2019-16863 for STMicroelectronics TPM chip[6]
  - Response: Information on ST's TPM firmware update[7]
[1] https://en.wikipedia.org/wiki/Trusted_Platform_Module
[2] http://blog.onboardsecurity.com/blog/trusted-computing-primary-use-cases
[3] http://tpm.fail/
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11090
[5] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16863
[7] https://www.st.com/content/st_com/en/campaigns/tpm-update.html