We are looking into updating the TPM firmware; however, note that the impact of ROCA against something like Heads is far less than against something like Yubikeys.
With a vulnerable Yubikey 4 an attacker could figure out the user’s private GPG key based on the public key they posted to a public key server.
With something like Heads, the process whereby a user could use ROCA vulnerabilities to defeat tamper-evident boot is certainly theoretically possible, but if you think through how to do it practically, the attack is complicated and requires pretty specific targeting.
That said, it’s still important to patch this, not just for further assurance for Heads, but for users who want to use the TPM for other purposes.
@Kyle_Rankin: If you have a vulnerable Yubikey 4, you can replace it. Simply send it to Yubico and you will get a new one without any issues. In case of a soldered TPM, that should be a bit more complicated.
Just wondering why you use the vulnerable TPMs from Infineon? So hopefully a firmware upgrade will be possible.
Very likely that is the utility, yes. But it also requires the firmware itself, and as I understand it only Purism can provide that firmware.
I tried getting an updated firmware for an ASUS motherboard directly from Infineon, and at least Infineon’s story in that case is that they actually don’t have it, that it’s made by ASUS (presumably from an SDK supplied by Infineon).
Damn, that really sucks. Do you think the firmware is actually going to be different depending on the motherboard? Perhaps we can get different firmware from different vendors and diff them to see if there is much difference; maybe something already out there is close enough? Or perhaps the changes are simple enough that we can update it.