
Thin Clients: HP TPM 

Acknowledgement

The information here has been provided by Ciprian.

The Issue

In 2017, researchers discovered a vulnerability in the way RSA keys are generated by a software library used in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG. HP is one of many manufacturers affected by this.

For those interested, the research paper can be found here: https://crocs.fi.muni.cz/public/papers/rsa_ccs17

Affected HP Thin Clients

The HP Support page identifies affected Thin Clients as the t530, t620, t620 PLUS, t630, t730, t820, mt20, mt21, mt40, mt41, mt42 and mt43.

The HP support document linked below lists the appropriate SoftPaq number to use for a particular Thin Client model.

Links

In summary, here are the links describing the vulnerability and the solution:

Observations

Note: Ciprian's experience is explicitly with the t620 and any comments below relate to that thin client.

Whilst you might have thought a firmware update of the Infineon TPM would be part of a general BIOS update, this is not actually the case. It is handled through a separate SoftPaq update.

Of note is that, although the HP support document says to apply the SP82133 update for my t620, that update complains that it is not compatible with the particular Infineon TPM device I have. However, I found that the SP82407 update did work - at least for me.

Also, the update procedure isn't that straightforward. For a start, SP82407 unpacks to a Windows executable. There is no Linux alternative. There is not even a stand-alone bootable image. This means that you have to be running Windows on your t620 in order to apply the fix.

Moving on... Windows 10 complicates things further as, by default, it owns the TPM and consequently this conflicts with the TPM update. This is yet another obstacle you have to work around, the 'how to' being covered in an article on Microsoft's website.

I tried a Windows 7 "live USB" image that I found on the Internet Archive, but that turned out to lack a 'bcrypt.dll' file that the firmware update requires. In the end I had no choice but to install Windows 10 on the t620 and go from there.

As a final note, I have written up the exact steps I've taken on the t620, which you will find here: https://notes.volution.ro/v1/2024/07/remarks/95c2d5a6/