Lenovo Companion app doesn’t notify you about TPM firmware updates

New Lenovo devices come pre-installed with the Lenovo Companion; an app that manages device maintenance and warranty, and is responsible for updating your Lenovo drivers, firmware, and software. However, the Companion app doesn’t take its responsibility too seriously and fails to notify you about security updates to your device’s firmware.

My significant other bought a new Lenovo ThinkPad Carbon X1 (5 gen.) and I may have seized it so I could compare it to my old first generation model. One of the differences I noticed was that it had the new Lenovo Companion app, the modern replacement for the old Lenovo OneKey Optimizer app I reviewed back in .

At first glance, I was quite pleased to see that Lenovo Companion now finds, downloads, and installs updates to Lenovo drivers, firmware, and software. The Companion app organizes available updates in three categories: Critical, Recommended, and Optional. Two restarts and a couple of minutes later, I thought I’d gotten every available firmware update in one go. It turns out, that wasn’t the case despite this reassuring message in the Lenovo Companion app:

No updates are available. Your system is up-to-date.

On closer inspection, I also noticed a box down in the bottom right corner labeled “Additional updates” that links you off to the product support page for your product on Lenovo’s website. I found three additional updates available, but the one that caught my interest was the only update in the “Security” section.

I found a security update for the trusted platform module (TPM) firmware that addressed a vulnerability in its random number generator (CVE-2017-15361 or “ROCA.”) The vulnerability allows attackers to extract the TPM’s private encryption keys, and thus gain the ability to decrypt, e.g. BitLocker Device Encryption that protects Windows by default on this device.

Windows TPM Management identifying Infineon vulnerability

Neither Windows Update nor Lenovo Companion nor automatically installed or informed me about the availability of this security update. Windows Update did kind-of-but-not-really address this issue with an update that added a notice about the outdated firmware in the Windows Trusted Platform Module (TPM) Management utility.

I doubt many users (if any) ever open this program, and even fewer would notice the update-prompt that Microsoft have hidden there.

Why wasn’t this auto-updated?

Updating a hardware encryption module is risky, and this update was no exception. Updating the TPM firmware also removes the private keys stored on it; meaning that you would loose the ability to decrypt data stored in Windows BitLocker and other decryption software. This isn’t a flaw in the design of the module; it’s supposed to make it hard to recover any data from it by tampering with its firmware.

The firmware update notices mention that the updater is capable of dealing with BitLocker on its own, but the needs of any other encryption software would need to be handled by the user. To cite the firmware update utility release notes:

Applying TPM firmware update will erase information stored in the TPM chip. In case customer uses any software (such as disk encryption software) which stores created keys to TPM chip, customer needs to stop using those software temporarily before applying TPM firmware update. This tool has the built-in function to suspend Microsoft BitLocker during TPM firmware update, for other software, customer needs to follow the instructions of software to avoid the data loss.

In other words, you can’t just install this update automatically without informing the user. The updater could have included detection tools for other common software that use the TPM, and it could have displayed warnings about backing up any encrypted data before installing the update.

This doesn’t fully mitigate the potential of data loss in cases where the users didn’t understand the message, didn’t know they relied on software that used the TPM, or the TPM firmware update outright failed. A staged-update approach could have helped mitigate these issues.

The update utility could have first disabled the TPM on reboot, and displayed a message on every boot thereafter prompting the user to check that all their software still works and then reboot, re-enable the module, and update its firmware.

My point is that it’s not beyond the wit of man to handle this update process in a better way than what Lenovo and Infineon (the TPM vendor) decided on. At the very least, the user should be notified and made aware about the availability of new firmware rather than being falsely reassured by the Companion app that their “system is up to date.”