...
Document Version | Release Date | Details
3 | 07/21/2021 | Updated Resolution, updated Smart Component HPE Trusted Platform Module 2.0 Option firmware update for HPE ProLiant m510/m710x Server Cartridges to 5.62(a).
2 | 08/30/2018 | Updated Resolution, added steps to update the TPM firmware and System ROM on multiple server cartridges.
1 | 11/16/2017 | Original Document Release.

A vulnerability (CVE-2017-15361) has been identified in HPE ProLiant m510 and HPE ProLiant m710x server cartridges configured with Infineon Trusted Platform Module (TPM) 2.0 with firmware version 5.51. An algorithm within the TPM firmware has been discovered to generate weaker RSA keys. The vulnerability is within the TPM firmware and not with the TPM module. This is not HPE-specific. Please refer to the Infineon advisory located at the following Infineon website for details:

https://www.infineon.com/TPM-update

NOTE: The link above will take you outside the HPE website. HPE is not responsible for content outside of the HPE website.

Any HPE ProLiant m510 and m710x server cartridge with the HPE TPM 2.0 with firmware version 5.51 (TPM firmware version 5.62 or later is not affected).

Perform the following to identify the TPM firmware version, if the TPM is set to Hidden (default):

Note: If the TPM is set to Visible, skip to Step 10.

Step 1) Power on the server cartridge.
Step 2) Press "F9" to launch the "System Utilities."
Step 3) Select "System Configuration."
Step 4) Select "BIOS/Platform Configuration (RBSU)."
Step 5) Select "Server Security."
Step 6) Select "Trusted Platform Module Options."
Step 7) Select "TPM 2.0 Visibility", change from "Hidden" to "Visible."
Step 8) Press "F10" to save changes.
Step 9) Reboot the server cartridge and press "F9" to launch the "System Utilities."
Step 10) Select "System Information."
Step 11) Select "Firmware Information."
Step 12) Under "Firmware Information", the "Trusted Platform Module (TPM)" version number is displayed.

To correct this issue, update the "HPE Trusted Platform Module 2.0" to firmware version 5.62. After the firmware upgrade, the TPM will generate RSA keys using an improved algorithm. Revoking the weak TPM-generated RSA keys will still be required. Refer to the OS documentation for OS-specific instructions. In addition, before updating the TPM 2.0 firmware, a System ROM update to version 1.50 (or later) is required.

Note: The Customer Bulletin, "(Revision) HPE ProLiant Gen9 Servers - Potential Vulnerability in the HPE Trusted Platform Module 2.0 Option Firmware Version 5.51 for HPE ProLiant Gen9 Servers", is also available.

The TPM firmware and System ROM update must be performed on each individual server cartridge.

The latest version of the System ROM is available as follows:

1. Click the following link: https://support.hpe.com/hpesc/public/home
2. Enter a product name (e.g., "m510" or "m710x") in the text search field.
3. Click the Magnifying Glass icon.
4. Select the appropriate product model from the Results list (if prompted).
5. Click the "Drivers & Software" hyperlink under the Filter Results.
6. Select the specific operating system from the Operating Environment dropdown menu on the left side of the page.
7. Select the Software Type, BIOS - System ROM, from the dropdown menu on the left side of the page.
8. Select the latest release of HPE System ROM Version 1.50 (or later).
   a. For updating cartridges in a Moonshot chassis, select the latest release of System ROM Flash Binary - HPE ProLiant m510 (H05) Server Cartridge or HPE ProLiant m710x (H07) Server Cartridge.
   b. For updating cartridges in an Edgeline chassis, select the latest release of Online ROM Flash Component - HPE ProLiant m510 (H05) Server Cartridge or HPE ProLiant m710x (H07) Server Cartridge.
9. Click Download.

The latest version of the TPM firmware is available as follows:

1. Click the following link: https://support.hpe.com/hpesc/public/home
2. Enter a product name (e.g., "m510" or "m710x") in the text search field.
3. Click the Magnifying Glass icon.
4. Select the appropriate product model from the Results list (if prompted).
5. Click the "Drivers & Software" hyperlink under the Filter Results.
6. Select the specific operating system from the Operating Environment dropdown menu on the left side of the page.
7. Select the Software Type, Firmware, from the dropdown menu on the left side of the page.
8. Select the latest release of HPE Trusted Platform Module 2.0 Option firmware update for HPE ProLiant m510/m710x Server Cartridges Version 5.62a (or later).
9. Click Download.

Note: Only use the TPM FW component named HPE Trusted Platform Module 2.0 Option firmware update for HPE ProLiant m510/m710x Server Cartridges that includes cp048823.exe (Windows) and hp-firmware-tpm20-5.62-1.1.x86_64.rpm (Linux). Do NOT use the TPM FW component named HPE Trusted Platform Module 2.0 Option firmware update for HPE Gen9 Servers that includes cp033802.exe (Windows) and hp-firmware-tpm20-5.62-2.1.x86_64.rpm (Linux).

The Windows and Linux firmware components downloaded during the above steps can be used to update an HPE ProLiant m510 or HPE ProLiant m710x server cartridge in an HPE Moonshot 1500 chassis, HPE Edgeline EL4000 Converged Edge System, or HPE Edgeline EL1000 Converged Edge System.

For HPE ProLiant m510 and m710x Server Cartridges in an HPE Moonshot 1500 Chassis or running Windows 7 SP1 or Red Hat Enterprise Linux 6.9 in an HPE Edgeline EL4000 Converged Edge System or HPE Edgeline EL1000 Converged Edge System:

1. Download the System ROM component following the steps above.
2. Install the System ROM component.
   a. Install the component using the instructions located on the corresponding component download page. Ensure all documented prerequisites are noted. The iLO Channel Interface driver is required to be installed prior to updating the System ROM.
3. Download the TPM firmware component following the steps above.
4. Install the TPM firmware component.
   a. Extract RunIFXTPMUpdate4Moonshot.efi from the TPM firmware component.
   b. Mount the folder IRC which has RunIFXTPMUpdate4Moonshot.efi.
   c. Go to the UEFI shell.
   d. Run RunIFXTPMUpdate4Moonshot.efi.
5. Reboot the cartridge for the TPM firmware to take effect.

For HPE ProLiant m510 and m710x Server Cartridges in an HPE Edgeline EL4000 Converged Edge System or HPE Edgeline EL1000 Converged Edge System:

1. Download the System ROM component following the steps above.
2. Install the System ROM component.
   a. Install the component using the instructions located on the corresponding component download page. Ensure all documented prerequisites are noted. The iLO Channel Interface driver is required to be installed prior to updating the System ROM.
3. Download the TPM firmware component following the steps above.
4. Install the TPM firmware component.
   a. Install the component using the instructions located on the corresponding component download page. Ensure all documented prerequisites are noted.
5. Reboot the cartridge for the TPM firmware to take effect.

Note: If the TPM firmware is installed and the System ROM firmware is not version 1.50 (or later), an error message is displayed indicating that an update to the BIOS is required. The message will erroneously state "v2.50 or later" instead of "v1.50 or later".

Below are the steps to update the TPM firmware and System ROM on multiple server cartridges.

To update multiple HPE cartridges in an HPE Moonshot chassis, create a target file (targets.txt) with the following entry:

<ILO CM IP>, Administrator, password

Go to the command prompt, change to the directory where the target file is kept, and run the following command:

tpmmu.py -<web serverip>/RunIFXTPMUpdate4Moonshot.efi

To update multiple HPE cartridges on HPE Edgeline servers, create an entry for each Edgeline server in the target file:

<ILO IP 1>, Administrator, password
<ILO IP 2>, Administrator, password

Go to the command prompt, change to the directory where the target file is kept, and run the following command:

tpmmu.py -<web serverip>/RunIFXTPMUpdate4Moonshot.efi
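
The resolution above states that RSA keys generated under TPM firmware 5.51 must still be revoked after the update. The following is an added example, not part of the HPE advisory or any HPE tool, showing one way to triage an inventory of RSA public keys with the publicly documented ROCA fingerprint (Nemec et al., 2017): an affected modulus, reduced by each of a fixed set of small primes, always lands in the subgroup generated by 65537. The function names, key labels and sample moduli are hypothetical and constructed for illustration; input is the `Modulus=<hex>` line printed by `openssl rsa -pubin -modulus -noout`.

```python
"""Added example: flag RSA moduli that carry the ROCA (CVE-2017-15361) fingerprint."""
from math import prod

# Small primes used by the public ROCA detector (assumption: not from the HPE advisory).
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
          73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
          157, 163, 167]
GENERATOR = 65537


def _subgroup(p: int) -> frozenset:
    """Return every residue mod p that is a power of GENERATOR."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return frozenset(seen)


ALLOWED = {p: _subgroup(p) for p in PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True when n mod p is a power of 65537 for every test prime."""
    return all(n % p in ALLOWED[p] for p in PRIMES)


def parse_openssl_modulus(line: str) -> int:
    """Parse a 'Modulus=<hex>' line into an integer."""
    key, _, value = line.strip().partition("=")
    if key != "Modulus" or not value:
        raise ValueError(f"not an openssl modulus line: {line!r}")
    return int(value, 16)


def keys_to_revoke(inventory: dict) -> list:
    """Return the labels of inventory entries whose modulus is flagged."""
    return sorted(name for name, line in inventory.items()
                  if has_roca_fingerprint(parse_openssl_modulus(line)))


# Constructed sample values (not real keys): FLAGGED has the fingerprinted structure
# by construction; CLEAN is 2 mod 11, outside the allowed set {1, 10}.
FLAGGED = pow(GENERATOR, 123457, prod(PRIMES))
CLEAN = 11 * (1 << 2040) + 2
SAMPLE = {"cartridge-07-ek": f"Modulus={FLAGGED:X}",
          "cartridge-08-ek": f"Modulus={CLEAN:X}"}

if __name__ == "__main__":
    print("revoke and reissue:", keys_to_revoke(SAMPLE))
```

A flagged key should be revoked and regenerated only after the cartridge reports TPM firmware 5.62 or later; keys regenerated on firmware 5.51 remain weak.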