[SRX] Upgrading TPM Firmware on SRX-Devices

  [KB32288]


Summary:
This article provides directions on how to upgrade the TPM firmware on SRX 300, 320, 340 and 345 devices.
Symptoms:
A TPM firmware upgrade from 4.40 to 4.43 is recommended per JSA10809.
Systems with TPM enabled are unable to upgrade the TPM firmware.
Cause:
Systems currently using TPM encounter the following error when attempting to upgrade the TPM firmware:
 
Triggering TPM firmware update to revision 4.43.257.0 ...
  **********************************************************************
  *    Infineon Technologies AG   TPMFactoryUpd   Ver 01.01.2168.00    *
  **********************************************************************
       TPM update information:
       -----------------------
       Firmware valid                    :    Yes
       TPM family                        :    1.2
       TPM enabled                       :    Yes
       TPM activated                     :    Yes
       TPM owner set                     :    Yes
       TPM deferred physical presence    :    No (Settable)
       TPM firmware version              :    4.40.119.0
       Remaining updates                 :    64
       New firmware valid for TPM        :    N/A
 
  ----------------------------------------------------------------------
  *    Error Information                                               *
  ----------------------------------------------------------------------
  Error Code:     0xE029550B
  Message:        TPM1.2: The TPM has an owner. The firmware cannot be
                  updated.
Solution:
Prerequisites:
  • Copy of Junos 15.1X49-D111 (junos-srxsme-15.1X49-D111-domestic.tgz) or a higher version.
    • Note: Junos 17.3 versions do not support the TPM feature.
  • Copy of the JTPM firmware (jtpm-15.1X49-D111-signed.tgz)
    • NOTE: The JTPM firmware update file is not tied to Junos 15.1X49-D111 and may be used with higher Junos versions, including 17.4 and later.
  • Console access to the device
  • Copy of the installed CA certificates (if using CA certificates)

Process Steps:
    1. Verify whether the TPM is currently owned.
If the 'Owned' line of the output shows 'no', skip to Step 16.

root> show security tpm status
TPM Status:

Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
       

    2. Export key-pairs / certificates
This step is optional and may be skipped if the device only uses device self-signed certificates.

NOTE: The 'passphrase' keyword is optional when exporting key-pairs.
      If used, record the passphrase, as it will be needed in a later step.
>request security pki key-pair export filename <location/name> type pem certificate-id <name> [passphrase <passphrase>]
>request security pki local-certificate export filename <location/name> certificate-id <name>
 

    3. Remove the master-password from the configuration
#delete system master-password
#commit

    4. Save a copy of the configuration
>show configuration | save /var/tmp/config.txt

    5. Copy the saved configuration, certificates and key-pairs off the device

    6. Zeroize the device
NOTE: All configuration, certificates, and files on the device will be lost.
 
>request system zeroize

    7. Via the console, interrupt the boot process
Clearing DRAM...... done
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
PCIe: Port 0 link active, 1 lanes, speed gen2
PCIe: Link timeout on port 1, probably the slot is empty
PCIe: Port 2 not in PCIe mode, skipping
Net:   octeth0
Interface 0 has 1 ports (SGMII)
Type the command 'usb start' to scan for USB storage devices.
Boot Media: eUSB usb
Found TPM SLB9660 TT 1.2 by Infineon
TPM initialized
Hit any key to stop autoboot:  0  <--  Press the spacebar a few times during bootup so you do not miss this prompt


    8. Clear TPM ownership and reset the device
Octeon srx_3x0_ram# tpm force_clear
Octeon srx_3x0_ram# tpm physical_enable
Octeon srx_3x0_ram# reset

    9. Upon reboot, log in to the device and verify that TPM ownership has been cleared
Note: The device will be in Amnesiac mode, allowing user 'root' to log in without a password.
Note: If 'Owned' still shows 'yes', repeat Steps 6 - 8.
 
root> show security tpm status
TPM Status:
Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
TPM Family: 1.2
TPM Firmware version: 4.40
        
    10. Apply a minimal configuration to make the SRX reachable
>configure
#set interfaces ge-0/0/x unit 0 family inet address xxx.xxx.xxx.xxx/yy
#set routing-options static route xxx.xxx.xxx.xxx next-hop yyy.yyy.yyy.yyy
#set security zones security-zone <name> interfaces <name> host-inbound-traffic system-services all
#set system root-authentication plain-text-password
#commit
 
For chassis clusters:
>configure shared
#set chassis cluster redundancy-group 0 node 0 priority 200
#set chassis cluster redundancy-group 0 node 1 priority 100
#delete interfaces

#set interfaces ge-0/0/x unit 0 family inet address xxx.xxx.xxx.xxx/yy
#set routing-options static route xxx.xxx.xxx.xxx next-hop yyy.yyy.yyy.yyy
#set security zones security-zone <name> interfaces <name> host-inbound-traffic system-services all
#set system root-authentication plain-text-password
#commit
               
    11. Transfer the configuration and the certificate/key-pair exports back to the device

    12. Load the configuration file
#load override <location/file>
#commit

    13. Re-enable the master-password (if previously used and removed in Step 3)
#set system master-password

    14. Load the exported certificates
This step is optional and may be skipped if the device only uses device self-signed certificates.

     NOTE: The 'passphrase' keyword is needed when importing key-pairs only if a 'passphrase' was used when exporting the key-pair.
>request security pki local-certificate load <location/filename> certificate-id <name> key <location/filename> [passphrase <passphrase>]
       
    15. Load CA certificates
This step is optional and may be skipped if the device only uses device self-signed certificates.
 
>request security pki ca-certificate load ca-profile <name> filename <location/filename>
    
    16. Transfer the Junos and JTPM images to the device

    17. Upgrade Junos to 15.1X49-D111 or a higher version (except 17.3Rx versions, which do not support TPM)
>request system software add <location/filename>

    18. Reboot the device
>request system reboot

    19. Upgrade the JTPM firmware
root>request system software add jtpm-15.1X49-D111-signed.tgz
            Triggering TPM firmware update to revision 4.43.257.0 ...
              **********************************************************************
              *    Infineon Technologies AG   TPMFactoryUpd   Ver 01.01.2168.00    *
              **********************************************************************

                   TPM update information:
                   -----------------------
                   Firmware valid                    :    Yes
                   TPM family                        :    1.2
                   TPM enabled                       :    Yes
                   TPM activated                     :    Yes
                   TPM owner set                     :    No
                   TPM deferred physical presence    :    No (Settable)
                   TPM firmware version              :    4.40.119.0
                   Remaining updates                 :    64
                   New firmware valid for TPM        :    Yes
                   TPM family after update           :    1.2
                   TPM firmware version after update :    4.43.257.0

                   Preparation steps:
                   TPM1.2 Deferred Physical Presence preparation successful.

                DO NOT TURN OFF OR SHUT DOWN THE SYSTEM DURING THE UPDATE PROCESS!
                   Updating the TPM firmware ...
                   Completion: 100
                   TPM Firmware Update completed successfully.
                   TPM firmware updated successfully.

            WARNING:   Reboot is needed to finish firmware update.
            WARNING:   Use 'request system reboot' command immediately

    20. Reboot the device
>request system reboot

    21. Verify the TPM firmware version
root> show security tpm status
TPM Status:
Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
TPM Family: 1.2
TPM Firmware version: 4.43

    22. Re-enable TPM if previously used
>request security tpm master-encryption-password set plain-text-password
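As an added example (not part of this KB article), the following Python helper classifies 'show security tpm status' output against the procedure above, deciding whether a device is already on 4.43, must first have TPM ownership cleared (Steps 2 - 15), or can go straight to Step 16, and flags the TPMFactoryUpd owner error seen in the Cause section. Field names are those shown in the outputs above; the owned-TPM status sample is constructed, not captured from a real device.

```python
"""Triage 'show security tpm status' output from SRX300-series devices
against the JSA10809 upgrade procedure and detect the TPMFactoryUpd
error that blocks the update while the TPM has an owner."""
import re

TARGET_FW = (4, 43)            # firmware revision recommended by JSA10809
OWNER_ERROR = "0xE029550B"     # TPMFactoryUpd: "The TPM has an owner"

def parse_tpm_status(text):
    """Map the 'Key: value' lines of 'show security tpm status' to a dict
    keyed by lower-cased field name; lines without a value ('TPM Status:')
    and command lines are skipped."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            status[m.group(1).lower()] = m.group(2)
    return status

def parse_version(ver):
    """'4.40' or '4.40.119.0' -> (4, 40) or (4, 40, 119, 0)."""
    return tuple(int(p) for p in ver.split("."))

def upgrade_action(status_text):
    """Decide which part of the KB procedure applies to this device."""
    s = parse_tpm_status(status_text)
    fw = s.get("tpm firmware version")
    if fw and parse_version(fw)[:2] >= TARGET_FW:
        return "up-to-date"             # Step 21 state: 4.43 already running
    if s.get("owned", "").lower() == "yes":
        return "clear-ownership-first"  # Steps 2-15: TPMFactoryUpd would refuse
    return "upgrade"                    # Step 1 says skip to Step 16

def update_blocked_by_owner(update_output):
    """True if a captured JTPM update run failed with the owner error."""
    return re.search(r"Error Code:\s*" + OWNER_ERROR, update_output) is not None

# Constructed sample: an owned TPM still on 4.40 (not from a real device).
OWNED_STATUS = """TPM Status:
Enabled: yes
Owned: yes
Master Binding Key: created
Master Encryption Key: configured
TPM Family: 1.2
TPM Firmware version: 4.40
"""

if __name__ == "__main__":
    print(upgrade_action(OWNED_STATUS))   # clear-ownership-first
```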
