
[SRX] Upgrading TPM Firmware on SRX-Devices


Article ID: KB32288   Last Updated: 02 Jan 2018   Version: 3.0
Summary:
This article provides directions on how to upgrade the TPM firmware on SRX 300, 320, 340, and 345 devices.
Symptoms:
TPM firmware upgrade from 4.40 to 4.43 is recommended per JSA10809.
Systems with TPM enabled are unable to upgrade the TPM firmware.
Cause:
Systems currently using TPM encounter the following error when attempting to upgrade the TPM firmware:
 
Triggering TPM firmware update to revision 4.43.257.0 ...
  **********************************************************************
  *    Infineon Technologies AG   TPMFactoryUpd   Ver 01.01.2168.00    *
  **********************************************************************
       TPM update information:
       -----------------------
       Firmware valid                    :    Yes
       TPM family                        :    1.2
       TPM enabled                       :    Yes
       TPM activated                     :    Yes
       TPM owner set                     :    Yes
       TPM deferred physical presence    :    No (Settable)
       TPM firmware version              :    4.40.119.0
       Remaining updates                 :    64
       New firmware valid for TPM        :    N/A
 
  ----------------------------------------------------------------------
  *    Error Information                                               *
  ----------------------------------------------------------------------
  Error Code:     0xE029550B
  Message:        TPM1.2: The TPM has an owner. The firmware cannot be
                  updated.
Solution:
Prerequisites:
  • Copy of Junos 15.1X49-D111 (junos-srxsme-15.1X49-D111-domestic.tgz) or a higher version.
    • Note: Junos 17.3 versions do not support the TPM feature.
  • Copy of the JTPM firmware (jtpm-15.1X49-D111-signed.tgz).
    • Note: The JTPM firmware update file is not tied to Junos 15.1X49-D111 and may be used with higher Junos versions, including 17.4 and later.
  • Console access to the device.
  • Copy of the installed CA certificates (if using CA certificates).

Process Steps:
    1. Verify whether the TPM is currently owned.
If the Owned line shows 'no', skip to Step 16.
       
root> show security tpm status
TPM Status:

Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
       

    2. Export key-pairs / certificates
This step is optional and may be skipped if the device only uses self-signed certificates.

NOTE: The 'passphrase' keyword is optional when exporting key-pairs.
             If used, record the passphrase, as it is needed again in a later step (Step 14).
>request security pki key-pair export filename <location/name> type pem certificate-id <name> [passphrase <passphrase>]
>request security pki local-certificate export filename <location/name> certificate-id <name>
 

    3. Remove the master-password from the configuration
#delete system master-password
#commit

    4. Save a copy of the configuration
>show configuration | save /var/tmp/config.txt

    5. Collect the saved configuration, certificates and key-pair exports from the device

    6. Zeroize the device
NOTE: All configuration, certificates, and files on the device will be lost.
 
>request system zeroize

    7. Via the console, interrupt the boot process
Clearing DRAM...... done
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
PCIe: Port 0 link active, 1 lanes, speed gen2
PCIe: Link timeout on port 1, probably the slot is empty
PCIe: Port 2 not in PCIe mode, skipping
Net:   octeth0
Interface 0 has 1 ports (SGMII)
Type the command 'usb start' to scan for USB storage devices.
Boot Media: eUSB usb
Found TPM SLB9660 TT 1.2 by Infineon
TPM initialized
Hit any key to stop autoboot:  0  <--  Press the spacebar a few times during bootup so that this prompt is not missed
    

    8. Clear TPM ownership and reset the device
Octeon srx_3x0_ram# tpm force_clear
Octeon srx_3x0_ram# tpm physical_enable
Octeon srx_3x0_ram# reset

    9. Upon reboot, log in to the device and verify that TPM ownership has been cleared
Note: The device will be in Amnesiac mode, allowing login as user 'root' without a password.
Note: If Owned still shows 'yes', repeat steps 6 - 8.
 
root> show security tpm status
TPM Status:
Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
TPM Family: 1.2
TPM Firmware version: 4.40
        
    10. Provide a minimal configuration to allow reachability to the SRX
>configure
#set interfaces ge-0/0/x unit 0 family inet address xxx.xxx.xxx.xxx/yy
#set routing-options static route xxx.xxx.xxx.xxx next-hop yyy.yyy.yyy.yyy
#set security zones security-zone <name> interfaces <name> host-inbound-traffic system-services all
#set system root-authentication plain-text-password
#commit
 
For chassis clusters:
>configure shared
#set chassis cluster redundancy-group 0 node 0 priority 200
#set chassis cluster redundancy-group 0 node 1 priority 100
#delete interfaces

#set interfaces ge-0/0/x unit 0 family inet address xxx.xxx.xxx.xxx/yy
#set routing-options static route xxx.xxx.xxx.xxx next-hop yyy.yyy.yyy.yyy
#set security zones security-zone <name> interfaces <name> host-inbound-traffic system-services all
#set system root-authentication plain-text-password
#commit
               
    11. Transfer the configuration and the certificate/key-pair exports back to the device

    12. Load the configuration file
#load override <location/file>
#commit

    13. Re-enable the master-password (if it was previously used and removed in Step 3)
#set system master-password

    14. Load the exported certificates
This step is optional and may be skipped if the device only uses self-signed certificates.

     NOTE: The 'passphrase' keyword is needed when importing a key-pair only if a passphrase was used when exporting that key-pair.
>request security pki local-certificate load <location/filename> certificate-id <name> key <location/filename> [passphrase <passphrase>]
       
    15. Load CA certificates
This step is optional and may be skipped if the device only uses self-signed certificates.
 
>request security pki ca-certificate load ca-profile <name> filename <location/filename>
    
    16. Transfer the Junos and JTPM images to the device

    17. Upgrade Junos to 15.1X49-D111 or a higher version (except 17.3Rx versions, which do not support TPM)
>request system software add <location/filename>

    18. Reboot the device
>request system reboot

    19. Upgrade the JTPM firmware
root>request system software add jtpm-15.1X49-D111-signed.tgz
            Triggering TPM firmware update to revision 4.43.257.0 ...
              **********************************************************************
              *    Infineon Technologies AG   TPMFactoryUpd   Ver 01.01.2168.00    *
              **********************************************************************

                   TPM update information:
                   -----------------------
                   Firmware valid                    :    Yes
                   TPM family                        :    1.2
                   TPM enabled                       :    Yes
                   TPM activated                     :    Yes
                   TPM owner set                     :    No
                   TPM deferred physical presence    :    No (Settable)
                   TPM firmware version              :    4.40.119.0
                   Remaining updates                 :    64
                   New firmware valid for TPM        :    Yes
                   TPM family after update           :    1.2
                   TPM firmware version after update :    4.43.257.0

                   Preparation steps:
                   TPM1.2 Deferred Physical Presence preparation successful.

                DO NOT TURN OFF OR SHUT DOWN THE SYSTEM DURING THE UPDATE PROCESS!
                   Updating the TPM firmware ...
                   Completion: 100
                   TPM Firmware Update completed successfully.
                   TPM firmware updated successfully.

            WARNING:   Reboot is needed to finish firmware update.
            WARNING:   Use 'request system reboot' command immediately

    20. Reboot the device
>request system reboot

    21. Verify the TPM firmware version
root> show security tpm status
TPM Status:
Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
TPM Family: 1.2
TPM Firmware version: 4.43

    22. Re-enable TPM if it was previously used
>request security tpm master-encryption-password set plain-text-password
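As an added example (not part of this KB article or Juniper's tooling), the following Python snippet parses the text of 'show security tpm status' as shown above and maps it to the part of the procedure that applies, and extracts the TPMFactoryUpd error code from an update log. The sample outputs are constructed copies of the article's transcripts; the function names are assumptions of this example.

```python
import re

TARGET_VERSION = "4.43"          # JTPM revision the article upgrades to (JSA10809)
OWNER_SET_ERROR = "0xE029550B"   # TPMFactoryUpd error shown in the article's Cause section

# Constructed samples modelled on the article's 'show security tpm status' output.
STATUS_CLEARED = """TPM Status:
Enabled: yes
Owned: no
Master Binding Key: not-created
Master Encryption Key: not-configured
TPM Family: 1.2
TPM Firmware version: 4.40
"""
STATUS_OWNED = STATUS_CLEARED.replace("Owned: no", "Owned: yes")      # before Step 8
STATUS_UPDATED = STATUS_CLEARED.replace("4.40", "4.43")               # after Step 21
FACTORYUPD_FAILED = """  Error Code:     0xE029550B
  Message:        TPM1.2: The TPM has an owner. The firmware cannot be
                  updated."""


def parse_tpm_status(text):
    """Map each 'Key: value' line of the CLI output to a dict with lowercased
    keys, e.g. {'owned': 'no', 'tpm firmware version': '4.40'}. The bare
    'TPM Status:' header has no value and is skipped."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            status[m.group(1).lower()] = m.group(2)
    return status


def version_tuple(version):
    """'4.43.257.0' -> (4, 43, 257, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def next_step(status):
    """Decide which part of the KB procedure a parsed status calls for."""
    firmware = status.get("tpm firmware version")
    if firmware and version_tuple(firmware) >= version_tuple(TARGET_VERSION):
        return "already-updated"            # Step 21 check already satisfied
    if status.get("owned", "").lower() == "yes":
        # TPMFactoryUpd refuses with 0xE029550B while an owner is set, so the
        # export / zeroize / loader 'tpm force_clear' steps (2-9) come first.
        return "clear-ownership-first"
    return "ready-for-jtpm"                 # Step 1: Owned is 'no', skip to Step 16


def factoryupd_error(log):
    """Return the 'Error Code' from a TPMFactoryUpd log, or None if it succeeded."""
    m = re.search(r"Error Code:\s*(0x[0-9A-Fa-f]+)", log)
    return m.group(1) if m else None
```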

 
