Software name      TPM Firmware Update Utility

Support model      ThinkPad T460, T460s, T460p, T470, T470s, T470p
                   ThinkPad T560, T570
                   ThinkPad L460, L470, L560, L570
                   ThinkPad P40, P50, P50s, P51, P51s, P70, P71
                   ThinkPad X1 Carbon 4th, X1 Carbon 5th
                   ThinkPad X1 Yoga, X1 Yoga 2nd,
                   ThinkPad X1 Tablet, X1 Tablet Gen2
                   ThinkPad X260, X270,
                   ThinkPad Yoga 14, Yoga 460, S1, S3, Yoga 260, Yoga 370,
                   ThinkPad E460/E560, E465/E565, E470/E570, E475/E575
                   ThinkPad 25
                   ThinkPad 11e/Yoga 11e, 13e

Operating Systems  Microsoft Windows 10  64-bit
                   Microsoft Windows 8.1  64-bit
                   Microsoft Windows 7  32-bit, 64-bit

                   Refer to marketing materials to find out what computer models
                   support which Operating Systems.

Version            1.00

--------------------------------------------------------------------------------
WHAT THIS PACKAGE DOES

  This package is prepared to fix the vulnerability of the Infineon TPM chip
  referred to as Lenovo Security Advisory: LEN-15552.

  This package updates the firmware in the Infineon TPM to the following
  version on the ThinkPad computer.

    TPM 2.0 (SLB9670) : FW 7.62.3126
    TPM 1.2 (SLB9670) : FW 6.43.243
    TPM 1.2 (SLB9660) : FW 4.43.257

  This program is language independent and can be used with any language
  system.

--------------------------------------------------------------------------------
CHANGES IN THIS RELEASE

  Version 1.00

[Important updates]
- Fix a security issue.

[New functions or enhancements]
  Nothing.

[Problem fixes]
  Nothing.

--------------------------------------------------------------------------------
IMPORTANT INFORMATION

- The utility is supported on 2015, 2016 and 2017 ThinkPad platforms that have
  an Infineon TPM chip. Please refer to the section below to identify the TPM
  manufacturer and its firmware version on your system.

- Applying TPM firmware update will erase information stored in the TPM chip.
  In case the customer uses any software (such as disk encryption software)
  which stores created keys in the TPM chip, the customer needs to stop using
  that software temporarily before applying the TPM firmware update.
  This tool has a built-in function to suspend Microsoft BitLocker during the
  TPM firmware update; for other software, the customer needs to follow the
  instructions of the software to avoid data loss.

--------------------------------------------------------------------------------
DETERMINING TPM MANUFACTURER AND CURRENT FIRMWARE VERSION

  There are two ways to determine the TPM manufacturer and firmware version.

[Checking with TPM management console]

  1. Run tpm.msc on Windows.
  2. On the TPM Management Console window, check the following TPM
     information.
      - Manufacturer Name    : IFX
      - Manufacturer Version : Firmware version
  3. Make sure the Manufacturer Name is IFX (Infineon).

  Note:
    If the TPM manufacturer is not Infineon, there is no need to update the
    TPM firmware.

[Checking with the TPM firmware update utility]

  1. Run the TPM firmware update utility with administrator privileges.
  2. Select the 'Check current TPM firmware' check box.
  3. Press Next.
  4. The dialog displays the current TPM manufacturer and firmware version.
  5. Check if the message indicates that the TPM firmware update is required.

--------------------------------------------------------------------------------
UPDATING THE TPM FIRMWARE

Notes:
- Before updating the TPM firmware, make sure the TPM is enabled or activated
  in BIOS setup. This can be done by the following steps.
  1. Power on the system and enter BIOS setup by pressing the F1 key.
  2. Move to the "Security -> Security Chip" page.
  3. For TPM 1.2, set the "Security Chip" option to "Active".
  4. For TPM 2.0, set the "Security Chip" option to "Enabled".
- Before attempting to update the TPM firmware, make sure the system BIOS has
  been updated to the latest version.
- You need an AC adapter and a charged battery pack.

Attention:
  Do not turn off or suspend the computer during the TPM firmware update.
  IF YOU DO THAT WHILE THE UPDATE IS STILL IN PROGRESS, THE TPM DEVICE ON YOUR
  SYSTEM MAY BE DAMAGED.

Manual Update

  This section assumes the use of Internet Explorer and Windows Explorer.

  Downloading file
   1. Click once on the underlined file name. Once this is done, some pop-up
      windows will appear.
   2. Follow the instructions on the screen.
   3. In the window to choose Run or Save, click Save.
   4. Choose the folder you would like to download the file to and click
      Save. A different window will appear and the download will begin and
      complete. Once the download has completed, there may or may not be a
      message stating that the download completed successfully.

  Extracting file
   5. Make sure to be logged on with an administrator account on the target
      computer.
   6. Make sure the AC adapter is firmly connected to the target computer.
   7. Locate the folder where the file was downloaded.
   8. Extract the zip file to the folder you would like to select.

  Updating the TPM firmware
   9. Double click TPMUPDT.EXE. (TPMUPDT64.EXE for 64-bit)
  10. Select 'Update TPM firmware to new version' and follow the instructions
      on the screen.
  11. The program shows a message 'TPM firmware update is continued by BIOS
      at the next boot.'
  12. Click OK.
  13. The computer will be restarted automatically.
  14. If the system BIOS displays a confirmation screen at startup, press the
      F9 key.
  15. The TPM firmware will be updated by the system BIOS.

  Finally, delete the files saved in steps 4 and 8.

Unattended Update

  This is for system administrators' use only.

  1. Refer to the Manual Update section, and download and extract the file.
  2. At the command line, execute TPMUPDT.EXE with the -s option.

     Example: [Path where the files were extracted]\TPMUPDT -s

  3. Restart or fully shut down the computer.

  Note:
    When ownership of the TPM is taken by the OS, physical presence is
    required to update the TPM firmware at startup.
    If you need to skip the physical presence confirmation for the unattended
    update, use the 'TPMUPDT -s -suc password' command.
    The -suc option is available only when the supervisor password is
    installed in the system, and the correct supervisor password must be
    provided for this option.

    To view the update result, refer to the TPMUPDT.log file created in the
    same directory as the package.

--------------------------------------------------------------------------------
VERSION INFORMATION

  The following versions of TPM firmware have been released to date.

    TPM 2.0 (SLB9670) : FW 7.62.3126
    TPM 1.2 (SLB9670) : FW 6.43.243
    TPM 1.2 (SLB9660) : FW 4.43.257

  Package   (ID)        Firmware             Rev.  Issue Date
  --------------------  -------------------  ----  ----------
  1.00      (N1CZT01W)  7.62 / 6.43 / 4.43   01    2017/10/11

  Note: Revision number (Rev.) is for administrative purposes of this README
        document and is not related to the software version. There is no need
        to upgrade this software when the revision number changes.

  To check the version of TPM firmware, refer to the Determining TPM
  manufacturer and current firmware version section.

Summary of Changes

  Where: <   >        Package version
         TPM12:       TPM 1.2 Firmware version
         TPM20:       TPM 2.0 Firmware version
         [Important]  Important update
         (New)        New function or enhancement
         (Fix)        Correction to existing function

<1.00>
 TPM12: 4.43 / TPM12: 6.43 / TPM20: 7.62
- [Important] Fix a security issue.

* What is a TPM?
  Trusted Platform Module (TPM) is an international standard for secure
  cryptoprocessors that can securely store critical data such as passwords,
  certificates and encryption keys. A TPM is a dedicated microcontroller
  designed to secure hardware by integrating cryptographic keys into devices,
  and is used for secured crypto processes within computing devices as well as
  for secured storage of critical data. TPMs are typically used in business
  laptops, routers, and embedded and IoT devices. The technical TPM
  specification was written by an industry consortium called the Trusted
  Computing Group (TCG).
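
Added example (not part of the Lenovo package or this README's original text):
a Windows PowerShell pre-check for the "Determining TPM manufacturer and
current firmware version" section, reading the TPM through the Win32_Tpm WMI
class and comparing it with the firmware versions listed above. Picking the
firmware line by major version number and treating a lower version as needing
the update are assumptions of this example; the utility's own 'Check current
TPM firmware' result remains authoritative.

```powershell
# Added example; not Lenovo code. Run in an elevated Windows PowerShell session.
# Versions below are the ones this README lists. Choosing the firmware line by
# major version number (7, 6, 4) is an assumption of this example.
$FixedByMajor = @{
    7 = [version]'7.62.3126'   # TPM 2.0 (SLB9670)
    6 = [version]'6.43.243'    # TPM 1.2 (SLB9670)
    4 = [version]'4.43.257'    # TPM 1.2 (SLB9660)
}

function Test-InfineonTpmFirmware {
    param([uint32]$ManufacturerId, [string]$ManufacturerVersion)

    # ManufacturerId packs the vendor name as big-endian ASCII: 0x49465800 = 'IFX'.
    $bytes = [BitConverter]::GetBytes($ManufacturerId)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    $name = -join ($bytes | Where-Object { $_ -ne 0 } | ForEach-Object { [char]$_ })
    if ($name -ne 'IFX') { return "NotInfineon ($name): no update needed" }

    # WMI may report 2 to 4 components; compare at the precision it provides.
    $parts = @($ManufacturerVersion.Trim().Split('.') | Select-Object -First 3)
    $current = ($parts -join '.') -as [version]
    if (-not $current) { return "Unknown: cannot parse '$ManufacturerVersion'" }
    $fixed = $FixedByMajor[$current.Major]
    if (-not $fixed) { return "Unknown: no listed firmware line for $current" }
    $last = $parts.Count - 1
    $target = [version](($fixed.Major, $fixed.Minor, $fixed.Build)[0..$last] -join '.')

    if ($current -lt $target) {
        "UpdateRequired: $current is below $fixed"
    } else {
        "AtOrAboveListed: $current (listed $fixed)"
    }
}

# Constructed sample values (not read from a real machine):
Test-InfineonTpmFirmware -ManufacturerId 0x49465800 -ManufacturerVersion '7.40.2098.0'
Test-InfineonTpmFirmware -ManufacturerId 0x49465800 -ManufacturerVersion '4.43'

# The local TPM, if Windows exposes one:
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    Test-InfineonTpmFirmware -ManufacturerId $tpm.ManufacturerId -ManufacturerVersion $tpm.ManufacturerVersion
} else {
    'No TPM visible to Windows; check the Security Chip setting in BIOS setup.'
}
```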