ChromeOS TPM Firmware Updates


    Full Information of Firmware Issues from the Chromium Project: LINK

    Vulnerable firmware versions used on Chrome OS are (listing the firmware_version value from chrome://system as well as the human-readable version number):

    • 000000000000041f - 4.31
    • 0000000000000420 - 4.32
    • 0000000000000628 - 6.40
    • 0000000000008520 - 133.32

    Fixed firmware versions are as follows:

    • 0000000000000422 - 4.34
    • 000000000000062b - 6.43
    • 0000000000008521 - 133.33

    See below to allow updates via the Admin console in Device Management.  

    Installing the update

    Due to the implied loss of data, users must trigger the update explicitly. To do so, users can opt in to installing the TPM firmware update as part of the factory reset flow also known as "powerwash". Note that for enterprise-managed devices, the powerwash UI is not regularly available. We have added a TPM firmware update device policy though which admins can set to make the TPM firmware update via powerwash available to their users.

    The steps are as follows:

    1. Trigger the powerwash flow, either via Ctrl+Alt+Shift+r on the login screen, or via the powerwash option in chrome://settings > Advanced.

    2. The flow will ask you to reboot unless you have just restarted your device anyways.

    3. In the powerwash dialog, there will be a checkbox "Update firmware for added security." Check it in order to request the TPM firmware update to be installed.
      If you don't see a checkbox, this can be due to a number of reasons:

      1. Your device already runs updated firmware, check chrome://system as described above to confirm.

      2. You are running an older Chrome OS version that doesn't include functionality to update TPM firmware. Upgrade to a newer OS version.

    4. Once you click the "Powerwash" button and confirm, the device will reboot.

    5. After the reboot, you'll see a message indicating that the powerwash is in progress. Wait for it to complete, after which the device will reboot again.

    6. After the second reboot, the device will show a message screen when installing the firmware update. There is a progress bar that will be updated as the update progresses. The device will reboot once more after installing the update.

    7. After the third reboot, you'll see the familiar Chrome OS UI again showing the out of box experience. Your device is just as new, so you can go through the setup flow again and then log in as usual.

    8. It’s worth double-checking you are running fixed TPM firmware by checking the tpm_version entry in chrome://system. See the Affected TPM firmware versions section for details.

    ADMIN Console to allow users to udpate

    This may be the way to help with the update process.  In the Chrome Device Settings - TPM Firmware Update - Set to "Allow users to perform TPM firmware updates".

    Additional updates info from Google: LINK
    Was this article helpful?
    0 out of 0 found this helpful