This article provides directions on how to upgrade the TPM firmware for SRX 300, 320, 340, and 345 devices.
The TPM firmware upgrade from 4.40 to 4.43 is recommended based on JSA10809.
Systems with TPM enabled are unable to upgrade the TPM firmware directly.
Systems currently using TPM (the TPM has an owner set) will encounter the following error when attempting to upgrade the TPM firmware:
Triggering TPM firmware update to revision 4.43.257.0 ...
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2168.00 *
**********************************************************************
TPM update information:
-----------------------
Firmware valid : Yes
TPM family : 1.2
TPM enabled : Yes
TPM activated : Yes
TPM owner set : Yes
TPM deferred physical presence : No (Settable)
TPM firmware version : 4.40.119.0
Remaining updates : 64
New firmware valid for TPM : N/A
----------------------------------------------------------------------
* Error Information *
----------------------------------------------------------------------
Error Code: 0xE029550B
Message: TPM1.2: The TPM has an owner. The firmware cannot be
updated.
Prerequisites:
- Copy of Junos 15.1X49-D111 (junos-srxsme-15.1X49-D111-domestic.tgz) or a higher version.
- Note: Junos 17.3 versions do not support the TPM feature.
- Copy of the JTPM firmware (jtpm-15.1X49-D111-signed.tgz).
- NOTE: The JTPM firmware update file is not tied to Junos X49-D111 and may be used with higher Junos versions, including 17.4+.
- Console access to the device.
- Copy of the installed CA certificates (if using CA certificates).
Process Steps:
1. Verify if TPM is currently owned.
If the output of the Owned line reads 'no', skip to Step 16.
root> show security tpm status
TPM Status:
Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
2. Export Key-pairs / Certificates
This step is optional and may be skipped if the device is only using self-signed device certificates.
NOTE: The 'passphrase' keyword is optional when exporting key-pairs.
If used, record the passphrase, as it will be needed in a later step.
>request security pki key-pair export filename <location/name> type pem certificate-id <name> [passphrase <passphrase>]
>request security pki local-certificate export filename <location/name> certificate-id <name>
3. Remove master-password from configuration
#delete system master-password
#commit
4. Save copy of configuration
>show configuration | save /var/tmp/config.txt
5. Collect saved configuration, certificates and key-pairs from device
6. Zeroize device
NOTE: All configuration, certificates, and files on the device will be lost.
>request system zeroize
7. Via console, interrupt boot process
Clearing DRAM...... done
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
PCIe: Port 0 link active, 1 lanes, speed gen2
PCIe: Link timeout on port 1, probably the slot is empty
PCIe: Port 2 not in PCIe mode, skipping
Net: octeth0
Interface 0 has 1 ports (SGMII)
Type the command 'usb start' to scan for USB storage devices.
Boot Media: eUSB usb
Found TPM SLB9660 TT 1.2 by Infineon
TPM initialized
Hit any key to stop autoboot: 0 <-- You may press spacebar a few times during bootup to avoid missing this line
8. Clear TPM ownership and reset device
Octeon srx_3x0_ram# tpm force_clear
Octeon srx_3x0_ram# tpm physical_enable
Octeon srx_3x0_ram# reset
9. Upon reboot, log in to the device and verify that TPM ownership has been cleared
Note: The device will be in Amnesiac mode, allowing login as user 'root' without a password
Note: If Owned still shows 'yes', repeat steps 6 - 8
root> show security tpm status
TPM Status:
Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
TPM Family: 1.2
TPM Firmware version: 4.40
10. Provide minimal configuration to allow reachability to SRX
>configure
#set interfaces ge-0/0/x unit 0 family inet address xxx.xxx.xxx.xxx/yy
#set routing-options static route xxx.xxx.xxx.xxx next-hop yyy.yyy.yyy.yyy
#set security zones security-zone <name> interfaces <name> host-inbound-traffic system-services all
#set system root-authentication plain-text-password
#commit
For chassis clusters:
>configure shared
#set chassis cluster redundancy-group 0 node 0 priority 200
#set chassis cluster redundancy-group 0 node 1 priority 100
#delete interfaces
#set interfaces ge-0/0/x unit 0 family inet address xxx.xxx.xxx.xxx/yy
#set routing-options static route xxx.xxx.xxx.xxx next-hop yyy.yyy.yyy.yyy
#set security zones security-zone <name> interfaces <name> host-inbound-traffic system-services all
#set system root-authentication plain-text-password
#commit
11. Transfer configuration and certificates/key-pair exports back to device
12. Load configuration file
#load override <location/file>
#commit
13. Re-enable master-password (if previously using and removed in step 3)
#set system master-password
14. Load exported certificates
This step is optional and may be skipped if the device is only using self-signed device certificates.
NOTE: The 'passphrase' keyword is needed when importing key-pairs only if a 'passphrase' was used when exporting the key-pair.
>request security pki local-certificate load <location/filename> certificate-id <name> key <location/filename> [passphrase <passphrase>]
15. Load CA certificates
This step is optional and may be skipped if the device is only using self-signed device certificates.
>request security pki ca-certificate load ca-profile <name> filename <location/filename>
16. Transfer Junos and JTPM images to device
17. Upgrade Junos to X49-D111 or higher versions (Exception is 17.3Rx versions which do not support TPM)
>request system software add <location/filename>
18. Reboot Device
>request system reboot
19. Upgrade JTPM firmware
root>request system software add jtpm-15.1X49-D111-signed.tgz
Triggering TPM firmware update to revision 4.43.257.0 ...
**********************************************************************
* Infineon Technologies AG TPMFactoryUpd Ver 01.01.2168.00 *
**********************************************************************
TPM update information:
-----------------------
Firmware valid : Yes
TPM family : 1.2
TPM enabled : Yes
TPM activated : Yes
TPM owner set : No
TPM deferred physical presence : No (Settable)
TPM firmware version : 4.40.119.0
Remaining updates : 64
New firmware valid for TPM : Yes
TPM family after update : 1.2
TPM firmware version after update : 4.43.257.0
Preparation steps:
TPM1.2 Deferred Physical Presence preparation successful.
DO NOT TURN OFF OR SHUT DOWN THE SYSTEM DURING THE UPDATE PROCESS!
Updating the TPM firmware ...
Completion: 100
TPM Firmware Update completed successfully.
TPM firmware updated successfully.
WARNING: Reboot is needed to finish firmware update.
WARNING: Use 'request system reboot' command immediately
20. Reboot Device
>request system reboot
21. Verify TPM version
root> show security tpm status
TPM Status:
Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
TPM Family: 1.2
TPM Firmware version: 4.43
22. Re-enable TPM if previously used
>request security tpm master-encryption-password set plain-text-password
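As an added example (not part of this article or of Juniper's tooling), the following Python decides which branch of the procedure above applies by parsing the 'show security tpm status' output from steps 1, 9 and 21, and recognises the owner-set failure from the TPMFactoryUpd output shown in the introduction. The sample outputs are constructed to match the article; the version 4.43 and error code 0xE029550B are taken from the page.

```python
# Constructed samples modelled on the outputs shown in the article above
# (not captured from a real device).
STATUS_OWNED = """TPM Status:
  Enabled: yes
  Owned: yes
  TPM Family: 1.2
  TPM Firmware version: 4.40
"""
STATUS_UPGRADED = """TPM Status:
  Enabled: yes
  Owned: no
  Master Binding Key: not-created
  Master Encryption Key: not-configured
  TPM Family: 1.2
  TPM Firmware version: 4.43
"""
UPD_FAILED = """TPM owner set : Yes
Error Code: 0xE029550B
Message: TPM1.2: The TPM has an owner. The firmware cannot be updated.
"""
TARGET_VERSION = "4.43"       # revision the procedure upgrades to
OWNER_ERROR = "0xe029550b"    # TPMFactoryUpd error when the TPM has an owner

def parse_fields(text):
    """Parse 'Key : value' lines (Junos and TPMFactoryUpd style) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips headings like 'TPM Status:'
            fields[key.strip().lower()] = value.strip().lower()
    return fields

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def plan(status_text):
    """Map 'show security tpm status' output to the branch of the procedure."""
    s = parse_fields(status_text)
    if s.get("enabled") != "yes":
        return "tpm-disabled"
    fw = s.get("tpm firmware version")
    # Step 1's output may omit the firmware line; treat unknown as not current.
    if fw and version_tuple(fw) >= version_tuple(TARGET_VERSION):
        return "up-to-date"
    if s.get("owned") == "yes":
        return "clear-ownership-first"     # steps 2-15 before upgrading
    return "upgrade-directly"              # skip to step 16

def update_blocked_by_owner(factoryupd_text):
    """True when TPMFactoryUpd output shows the owner-set failure."""
    f = parse_fields(factoryupd_text)
    return f.get("tpm owner set") == "yes" or f.get("error code") == OWNER_ERROR
```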