8

I know that a TPM includes ROM, nonvolatile (e.g. EEPROM), and volatile (e.g. SRAM) memories. The executable firmware is stored in ROM, such as various drivers and commands.

But this time, I want to know how the firmware in ROM can be protected from tampering.
For example, I heard that device authentication may protect TPMs from tampering and other faults during firmware updating. What kind of ROM do TPMs normally use? One-time programmed, or mask programmed so that it is impossible to change the contents after fabrication?

TJCLK
  • 818
  • 8
  • 23
  • I remember updating the firmware of a Broadcom TPM, so it's definitely not a read-only chip. I hope there are firmware signature checks in place but I wouldn't count on that. – André Borie Nov 23 '15 at 08:42

1 Answer

1

That's a pretty involved question.

First of all: If it actually is ROM, it's tamper-proof. ROM is, electrically, read-only memory. It cannot be changed.

Now, it's perfectly possible that the TPM chip runs firmware that is, in fact, in writable memory.

There are lots of ways that can be protected: For example, by only making the firmware memory accessible via commands coming from the firmware itself – in that case, the firmware has the job to check whether a firmware update is to be accepted, e.g. by checking the electronic signature of who's trying to update the firmware.

Loadable firmware could also be checked by the ROM-resident bootloader, e.g. for digital signatures matching the manufacturer key in a piece of ROM.

Other methods involve getting special signal lines from the CPU that are only high when the CPU is in SMM (system management mode, something that usually only the UEFI can enter).

What kind of ROM do TPMs normally use? One-time programmed, or mask programmed so that it is impossible to change the contents after fabrication?

I can't even tell you whether it's actually ROM, as you can see above. It's an implementation detail, and I'm sure you can learn about the different approaches the manufacturers chose from their datasheet.

Marcus Müller
  • 5,843
  • 2
  • 16
  • 27
  • One of the biggest problems with hardware TPMs (as opposed to those in firmware, called iTPMs) is that they communicate over the low-speed LPC bus. A man-in-the-middle attack is not difficult in this case. – guest Nov 19 '17 at 04:45
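The two update-protection mechanisms the answer describes (the running firmware checking a signature before accepting an update, and a ROM-resident bootloader checking the image against a manufacturer key held in ROM) both reduce to the same check. The following is an added illustration, not code from the question, the answer, or any TPM vendor: a toy model of a ROM bootloader that holds a manufacturer public key and only accepts a firmware image whose SHA-256 hash verifies under that key. The image format (`TPMF` magic, version, length, payload, signature), the `RomBootloader` class and the key generation are all constructed for this example. It goes slightly beyond the answer by also rejecting a correctly signed but older image (anti-rollback), which is the other check a loader of this kind normally makes. The RSA here is textbook (no padding) with a deliberately small key so it runs offline in pure Python 3.8+; a real device would use a vetted library and a padded signature scheme, and the point is the structure of the check, not the arithmetic.

```python
"""Toy model of a ROM-resident TPM bootloader verifying a loadable firmware image.
Everything here is constructed for illustration; it is not a real TPM format."""
import hashlib
import random
import struct

# --- toy RSA key material (deterministic seed so the example is reproducible) ---
def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test; good enough for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def make_manufacturer_key(bits=320, seed=2015):
    """Returns ((n, e), d). The public half is what gets baked into ROM;
    the private half never leaves the manufacturer's signing environment."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        # modulus must exceed the 256-bit digest we sign, and e must be invertible
        if p != q and phi % e != 0 and n.bit_length() > 256:
            break
    return (n, e), pow(e, -1, phi)

# --- constructed firmware image format ---
MAGIC = b"TPMF"
HDR = struct.Struct(">4sII")   # magic, version, payload length

def build_image(priv_d, pub, version, payload):
    """Manufacturer side: sign SHA-256(header || payload) and append the signature."""
    n, _ = pub
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    digest = int.from_bytes(hashlib.sha256(body).digest(), "big")
    sig = pow(digest, priv_d, n)
    return body + sig.to_bytes((n.bit_length() + 7) // 8, "big")

class RomBootloader:
    """Models the ROM: the public key and this verify logic cannot be rewritten
    by whatever is in the updatable firmware region."""
    def __init__(self, manufacturer_pub, min_version=0):
        self.pub = manufacturer_pub
        self.min_version = min_version   # lowest version still accepted (anti-rollback)

    def verify_image(self, image):
        """Returns (accepted, reason). Only an image signed by the manufacturer key
        and not older than min_version is allowed to run."""
        n, e = self.pub
        siglen = (n.bit_length() + 7) // 8
        if len(image) < HDR.size + siglen:
            return False, "truncated"
        magic, version, length = HDR.unpack_from(image)
        if magic != MAGIC:
            return False, "bad magic"
        body_end = HDR.size + length
        if body_end + siglen != len(image):
            return False, "length mismatch"
        body, sig = image[:body_end], image[body_end:]
        s = int.from_bytes(sig, "big")
        if s >= n:
            return False, "malformed signature"
        expected = int.from_bytes(hashlib.sha256(body).digest(), "big")
        if pow(s, e, n) != expected:          # signature does not match this ROM's key
            return False, "signature check failed"
        if version < self.min_version:        # correctly signed, but a downgrade
            return False, "rollback"
        return True, "ok"
```

Note that the only secret in the picture is the manufacturer's private exponent; the ROM holds just the public key, so reading the chip's ROM gains an attacker nothing, and an image signed with any other key (for instance one generated with a different `seed`) is rejected by the same comparison that catches a flipped payload byte.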