--------------------------------------------------------------------------------
Infineon TPM Professional Package 4.3.200.3390 Release Notes
--------------------------------------------------------------------------------

Contents:

1. Welcome
2. Installation
3. Infineon Security Platform Software
   3.1 Security Platform Settings Tool
   3.2 Security Platform Quick Initialization Wizard
   3.3 Security Platform Initialization Wizard
   3.4 Security Platform User Initialization Wizard
   3.5 Security Platform Migration Wizard
   3.6 Security Platform Backup Wizard
   3.7 Security Platform Password Reset Wizard
   3.8 Security Platform PKCS #12 Import Wizard
   3.9 Security Platform Certificate Viewer and Certificate Selection
   3.10 Security Platform Taskbar Notification Icon
   3.11 Security Platform Integration Services
   3.12 Security Platform Services
4. If you have questions
5. Release Info
   5.1 About this Release
   5.2 Hardware and Software Platform Requirements
   5.3 Version Information
   5.4 Trusted Platform Module Firmware Upgrade
   5.5 Known Bugs and Limitations

================================================================================

1. Welcome

Welcome to the Infineon Security Platform Software 4.3.200.3390.
The Infineon Security Platform Software is required to use your Trusted
Platform Module. The Infineon Security Platform Software is a TCG-compliant
security solution for PCs.
For further information about TCG (Trusted Computing Group):
https://www.trustedcomputinggroup.org

2. Installation

The Infineon Security Platform Software installation - "Setup.exe" installs:

- Security Platform Help
- Security Platform Settings Tool
- Security Platform Quick Initialization Wizard
- Security Platform Initialization Wizard
- Security Platform User Initialization Wizard
- Security Platform Migration Wizard
- Security Platform Backup Wizard
- Security Platform Password Reset Wizard
- Security Platform PKCS #12 Import Wizard
- Security Platform Certificate Viewer and Certificate Selection
- Security Platform Taskbar Notification Icon
- Security Platform Integration Services
  * Microsoft® Outlook® Integration
  * Mozilla Firefox and Thunderbird Integration
  * Encrypted File System Integration
  * Personal Secure Drive
  * Policy Administration
- Security Platform Services
  * TSS (TCG Software Stack) Service Provider
  * TSS Core Service
  * TSS Device Driver Library

Notes:
To install this software, administrative rights are required.
On systems with disabled Trusted Platform Module and Physical Presence
Interface support you can enable the Trusted Platform Module via option
"Prepare TPM Enrollment". This will allow you to initialize your platform
later, without having to reboot your system again.

Unattended Installation:
Silent installation can be done by calling the setup.exe with the following
command line parameters:
- Installation for all users: setup.exe /s /v"/qn"

Upgrade:
The upgrade from older product versions is described in ReadmeUpgrade.txt.

3. Infineon Security Platform Software

3.1 Security Platform Settings Tool

With the Security Platform Settings Tool, you can get various information
about the Trusted Platform Module of your system. Also, you are able to carry
out several administrative tasks. This component is designed as a Control
Panel Applet. It provides a central access point for administrating the
Infineon Security Platform.

3.2 Security Platform Quick Initialization Wizard

The Infineon Security Platform Quick Initialization Wizard is intended for
most users to quickly initialize the Security Platform and User with default
settings. These operations are needed to enable the Infineon Security Platform
functionality and provide the basis for all further activities on the Infineon
Security Platform.

3.3 Security Platform Initialization Wizard

The Infineon Security Platform Initialization Wizard is intended for expert
users to initialize the Security Platform and to configure Security Platform
Features (backup including Emergency Recovery, Password Reset, Enhanced
Authentication). These operations are needed to enable the Infineon Security
Platform functionality and provide the basis for all further activities on the
Infineon Security Platform.

3.4 Security Platform User Initialization Wizard

The Infineon Security Platform User Initialization Wizard is intended for
expert users to initialize the Security Platform Users and to configure the
user-specific features (secure e-mail, file and folder encryption with EFS and
PSD, Enhanced Authentication). This wizard has to be started for each computer
user who is intended to use the personalized Infineon Security Platform
Features (i.e., who will be an Infineon Security Platform User).

3.5 Security Platform Migration Wizard

The Infineon Security Platform Migration Wizard is used to transfer Infineon
Security Platform user-specific keys and certificates from one Infineon
Security Platform to another in a secure way.

3.6 Security Platform Backup Wizard

The Infineon Security Platform Backup Wizard is used to perform the backup or
restore operations of Security Platform related data. These operations are
needed to protect the data from accidental loss in case of an emergency.

3.7 Security Platform Password Reset Wizard

The Infineon Security Platform Password Reset Wizard is used to reset Basic
User Passwords.
Resetting a Basic User Password comprises administrative steps and user steps.
The Password Reset Wizard contains both.

3.8 Security Platform PKCS #12 Import Wizard

The Infineon Security Platform PKCS #12 Import Wizard is used to import
Personal Information Exchange files into the Security Platform.

3.9 Security Platform Certificate Viewer and Certificate Selection

Infineon Security Platform Certificate Viewer and Certificate Selection are
used to manage certificates.

3.10 Security Platform Taskbar Notification Icon

The Taskbar Notification Icon is a status-sensitive entry point for Security
Platform administrative tasks. Via this icon you can access the Taskbar
Notification Menu. Furthermore, balloons and tool tips assist you with
status-sensitive information.

3.11 Security Platform Integration Services

The Security Platform Integration Services enable standard applications to use
the Trusted Platform Module functionality. This is possible for applications
supporting the Microsoft Crypto-API or the PKCS #11 Crypto-API.
The following Integration Service components are provided:

- Infineon TPM Platform Cryptographic Provider (Platform CSP)
- Infineon TPM Cryptographic Provider (User CSP, without AES support)
- Infineon TPM Strong Cryptographic Provider (Strong User CSP, without AES
  support)
- Infineon TPM RSA and AES Cryptographic Provider (User CSP, including AES
  support)
- Infineon TPM PKCS #11 Provider (also called "TPM Cryptoki Token")
- Infineon TPM Key Storage Provider (KSP)

3.12 Security Platform Services

The Security Platform Services provide you with a Trusted Computing Group
(TCG) compliant software stack. The TCG Software Stack (TSS) is built by the
following modules:

- TSS (TCG Software Stack) Service Provider
- TSS Core Service
- TSS Device Driver Library

The TCG Software Stack is an integral part of a TCG compliant platform, and
provides functions that can be used by enhanced operating systems and
applications.

Recommendation:
Contact your product support to check whether a firmware update for your
Trusted Platform Module is available.

4. If you have questions

If you have any questions or problems, please contact your dealer first.
Further information and support is available under
http://www.infineon.com/tpm/software

5. Release Info

5.1 About this Release

This release contains the following components to enable access to the Trusted
Platform Module by application (utilizing the interfaces as specified by TCG,
Microsoft® Crypto-API and PKCS #11):

- Security Platform Help
- Security Platform Settings Tool
- Security Platform Quick Initialization Wizard
- Security Platform Initialization Wizard
- Security Platform User Initialization Wizard
- Security Platform Migration Wizard
- Security Platform Backup Wizard
- Security Platform Password Reset Wizard
- Security Platform PKCS #12 Import Wizard
- Security Platform Certificate Viewer and Certificate Selection
- Security Platform Taskbar Notification Icon
- Security Platform Integration Services
  * Microsoft® Outlook® Integration
  * Mozilla Firefox and Thunderbird Integration
  * Encrypted File System Integration (not supported by all Microsoft Windows
    editions)
  * Personal Secure Drive
  * Policy Administration (not supported by all Microsoft Windows editions)
- Security Platform Services
  * TSS (TCG Software Stack) Service Provider
  * TSS Core Service
  * TSS Device Driver Library

5.2 Hardware and Software Platform Requirements

5.2.1 Hardware Requirements:

A PC capable of running one of the mentioned operating systems and equipped
with a Trusted Platform Module.

Hard Disk:
Standard Installation: 120 MB; a portion of this disk space will be freed
after installation (approximately 20 MB).
PSD with default settings: 200 MB, plus 5000 MB on system partition (due to
policy "Minimum free space after PSD creation").

Memory:
- Microsoft Windows XP Professional and Home 32-bit Editions: 128 MB
- Microsoft Windows XP Professional x64 Edition: 256 MB
- Microsoft Vista Home Basic: 512 MB
- Microsoft Vista Home Premium, Business, Enterprise and Ultimate Editions:
  1 GB
- Microsoft Windows 7 Home Premium, Professional, Enterprise and Ultimate
  Editions: 1 GB
- Microsoft Windows 8, Windows 8 Pro and Windows 8 Enterprise Editions: 1 GB
- Microsoft Windows 8.1, Windows 8.1 Pro and Windows 8.1 Enterprise Editions:
  1 GB

5.2.2 Software Requirements:

Operating Systems (only for 32-bit product version):
- Microsoft Windows XP Professional Service Pack 3
- Microsoft Windows XP Home Edition Service Pack 3
- Microsoft Windows XP Media Center Edition 2005 Service Pack 3
- Microsoft Windows XP Tablet PC Edition 2005 Service Pack 3
- Microsoft Windows Vista Service Pack 2 (Home Basic, Home Premium, Business,
  Enterprise, Ultimate)
- Microsoft Windows Server 2008 Service Pack 2
- Microsoft Windows 7 Service Pack 1 (Home Premium, Professional, Enterprise,
  Ultimate)
- Microsoft Windows 8, Windows 8 Pro, Windows 8 Enterprise
- Microsoft Windows 8.1, Windows 8.1 Pro, Windows 8.1 Enterprise

Operating Systems (only for 64-bit product version):
- Microsoft Windows XP Professional x64 Edition Service Pack 2 (AMD64)
- Microsoft Windows Vista Service Pack 2 (Home Basic, Home Premium, Business,
  Enterprise, Ultimate)
- Microsoft Windows 7 Service Pack 1 (Home Premium, Professional, Enterprise,
  Ultimate)
- Microsoft Windows Server 2008 R2 Service Pack 1
- Microsoft Windows 8, Windows 8 Pro, Windows 8 Enterprise
- Microsoft Windows Server 2012
- Microsoft Windows 8.1, Windows 8.1 Pro, Windows 8.1 Enterprise

Microsoft Office:
- Microsoft Office 2003
- Microsoft Office 2007
- Microsoft Office 2010
- Microsoft Office 2013

E-mail Clients:
- Mozilla Thunderbird 17.0
- Microsoft Office Outlook 2003
- Microsoft Office Outlook 2007
- Microsoft Office Outlook 2010
- Microsoft Office Outlook 2013

Web Browsers:
- Mozilla Firefox 17.0.1
- Microsoft Internet Explorer 8
- Microsoft Internet Explorer 9
- Microsoft Internet Explorer 10
- Microsoft Internet Explorer 11

5.3 Version Information

Infineon TPM Professional Package 4.3.200.3390

5.4 Trusted Platform Module Firmware Upgrade

After installation, it is recommended to check whether a firmware update is
available provided by http://www.infineon.com/tpm/software

5.5 Known Bugs and Limitations

5.5.1 Problems with the Trusted Platform Module

In case an application using the Trusted Platform Module fails, resetting the
Trusted Platform Module may solve the problem. To reset the Trusted Platform
Module, shut down the PC (turn off the computer after the system has shut
down) and start the PC again.

5.5.2 Known Online Help Error

After installation of Microsoft security updates, the Security Platform Help
may not function correctly when the .chm file is opened from a remote
location. Further information is available in the Microsoft Knowledge Base,
e.g. in Microsoft Security Bulletin MS05-026 and in Microsoft Knowledge Base
Article 896358.

5.5.3 No support for saving Personal Secure Drive content to a CD data disc on Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 8.1

On Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 8.1, Explorer
supports writing data directly to CD data discs with Joliet and ISO-9660 file
systems. During the process of deleting a Personal Secure Drive, selecting
such a CD data disc for saving the content of the Personal Secure Drive is not
supported. If you want to save the content of a Personal Secure Drive to a CD
data disc, use Windows Explorer directly before deleting the Personal Secure
Drive.

5.5.4 Personal Secure Drive and Windows XP System Restore

If you enabled System Restore, please note that Personal Secure Drive is, like
any other drive on your computer, monitored by System Restore.
To ensure that System Restore is working properly with your Personal Secure
Drive, consider the following:

a) Personal Secure Drive with a size up to 200 MB
   You need to install Microsoft Hotfix WindowsXP-KB888402-x86-xxx.exe (where
   xxx is the language specific version). This hotfix is only available for
   Windows XP SP2 via Microsoft support (http://support.microsoft.com). Please
   refer to KB888402. If you do not install this hotfix, System Restore Points
   are deleted every time you load your PSD drive.

b) Personal Secure Drive with a size bigger than 200 MB
   Personal Secure Drive bigger than 200 MB will be handled as every other
   drive which is of "local disk" type. To ensure that System Restore is
   working properly, please consider the disk space requirements of System
   Restore. Following these requirements, leave at least 80 MB free disk space
   on a Personal Secure Drive.

5.5.5 Personal Secure Drive and Microsoft Volume Shadow Copy Service (VSS)

Personal Secure Drive currently does not support Microsoft VSS, nor the
services which depend on VSS. If you observe problems with VSS or any
dependent service, then make sure that no Personal Secure Drive is loaded
while utilizing VSS.

5.5.6 Timeout in user authentication for WLAN client connection

You need to authenticate to establish a WLAN client connection. Security
Platform User Authentication is displayed. Please authenticate within 30
seconds. Otherwise the WLAN client connection might fail. To enable the WLAN
client connection after a timeout, click "Repair" in the WLAN connection's
context menu. You do not need to log off, log on and authenticate again in
this case.

5.5.7 Possible user authentication problem in "Run as" mode

Under certain circumstances, an internal error will be returned when the user
authentication dialog is expected. This error might occur if all of the
following conditions are met:

- The program requiring the user authentication (e.g. User Initialization
  Wizard) was started in "Run as" mode.
- A certain version of the software "PGP" is installed, e.g. 9.04.
- There was no preceding user authentication in the current logon session.

5.5.8 Dictionary Attack behavior after upgrade from versions prior to V4.3

This version of Infineon TPM Professional Package features dictionary attack
behavior optimized for Windows 8.1, 8. If Infineon TPM Professional Package is
installed on a Security Platform that has been already initialized with an
earlier version of Infineon TPM Professional Package, the new dictionary
attack defense parameter values have to be explicitly configured. Otherwise,
the dictionary attack behavior will not be as described in the online help;
specifically, dictionary attack defense parameters will stay as they were set
by an earlier version of Infineon TPM Professional Package. For information on
how to change the dictionary attack defense parameters, please refer to the
"Dictionary Attack Defense" section of the online help.

5.5.9 Changing the system time may cause unexpected behavior

Rolling back the system time may cause unexpected behavior of the Infineon
Security Platform software. Restarting the system will correct this behavior.

5.5.10 Performing Emergency Recovery from a given Backup Archive more than once has the following restriction

Users who were not selected to be restored during Emergency Recovery and users
who were selected but did not complete the restoration process cannot be
selected during subsequent restorations. Create a copy of the backup archive
to circumvent this.

5.5.11 Setup Repair Mode under restricted administrative account in Windows Vista

Users with restricted administrative account in Windows Vista will get an
error message stating "Installation of Security Platform Software requires
administrative permissions" while trying to repair the Infineon Security
Platform Solution software through Control Panel, and the setup will abort.
Please start setup repair mode by clicking on setup.exe in the CD-image.

5.5.12 Operating System upgrade to Windows Vista

If you currently have an Infineon TPM Professional Package version lower than
V3.0 installed on your system, then you cannot directly upgrade the operating
system to Windows Vista. First you need to upgrade your Infineon TPM
Professional Package to this version and then the operating system to Windows
Vista.

5.5.13 Policies are not displayed correctly after upgrade

If you upgrade from an operating system that does not support group policy
(e.g. Windows Media Center, Windows XP Home) to an operating system that
supports group policy (e.g. Windows Vista Ultimate, Windows Vista Business),
policies are not displayed as expected. To work around this problem, uninstall
and freshly install the Infineon TPM Professional Package Software after
operating system upgrade.

5.5.14 Security Platform Integration Services not registered any more after Operating System Upgrade

In some special Operating System Upgrade scenarios, parts of Security Platform
Integration Services might not be registered any more (for example after an
upgrade from Windows Vista Home Basic 64-bit Edition to Windows Vista Ultimate
64-bit Edition). As a consequence, features like file and folder encryption
with EFS and PSD might not work as expected any more. To resolve this, run
setup repair mode by clicking on setup.exe in the CD-image.

5.5.15 Installation and Uninstallation of required prerequisite software

Please note that the Infineon Security Platform Software requires certain
prerequisite software (e.g. Microsoft Visual Studio C++ 2005 SP1
Redistributable Package). The setup installs all prerequisite software which
is not yet installed on your computer. If you try to install this prerequisite
software without administrative rights, the installation might fail and
display an uninformative error message.
Please do not uninstall any prerequisite software, as long as Infineon
Security Platform Software is installed.
Otherwise you might not be able to use or uninstall Infineon Security Platform
Software any more.
Note that the prerequisite software is not automatically uninstalled if the
main software installation fails.

5.5.16 Installation on not recommended operating systems

It is not recommended to install Infineon Security Platform Software on
certain operating systems (e.g. Windows XP without Service Pack 2 or higher),
since the software has been optimized for newer operating system versions. A
corresponding message is displayed at the beginning of the installation. If
prerequisite software must be installed on your system before the main setup
starts (see chapter "Installation and Uninstallation of required prerequisite
software"), this warning will only be displayed after the prerequisite
installation.

5.5.17 PKCS#11 functionality after upgrade

After an upgrade of Security Platform Solution Software, applications that use
Security Platform Solution through the PKCS#11 interface may not work as
expected, because the PKCS#11 DLL (ifxtpmck.dll) is now located in the
Security Platform Solution Software installation directory. In former product
versions, it was located in the system32 directory. Applications have to be
reconfigured to load ifxtpmck.dll from the new location.

5.5.18 RSA SecurID Software Token compatibility

Infineon TPM Professional Package is compatible with RSA SecurID Software
Token 3.05 or lower.

5.5.19 Microsoft VPN connection when using EAP-TLS with certificates

In case the Infineon TPM Cryptographic Provider or Infineon TPM Strong
Cryptographic Provider or Infineon TPM RSA and AES Cryptographic Provider are
used for a VPN certificate, that certificate must be requested without strong
private key protection. In case the certificate has been requested with strong
private key protection and an Infineon TPM Cryptographic Provider, and later
on this certificate is selected in a VPN connection, this VPN connection will
fail.
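
For the reconfiguration described in section 5.5.17, the following PowerShell
script is an added example; it is not part of the original release notes or of
Infineon's software. It reports which copies of ifxtpmck.dll exist at the new
and former locations together with their version and signature status. The
-InstallDir parameter is a placeholder because the release notes do not give
the installation path, and the SysWOW64 check is an assumption covering 32-bit
applications on 64-bit Windows.

```powershell
# Added example (not Infineon code): audit copies of the PKCS #11 module
# named in section 5.5.17 before repointing applications at the new location.
param(
    # Placeholder: the release notes do not state the installation directory.
    [Parameter(Mandatory = $true)]
    [string]$InstallDir
)

$moduleName = 'ifxtpmck.dll'   # file name taken from section 5.5.17

function Get-ModuleReport {
    param([string]$Path, [string]$Role)

    $present = Test-Path -LiteralPath $Path -PathType Leaf
    $version = $null; $status = $null; $signer = $null
    if ($present) {
        $item    = Get-Item -LiteralPath $Path
        $sig     = Get-AuthenticodeSignature -FilePath $item.FullName
        $version = $item.VersionInfo.FileVersion
        # 'Valid' means the Authenticode signature verifies. Whether the module
        # is signed at all is not stated in the release notes.
        $status  = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    New-Object psobject -Property @{
        Role = $Role; Path = $Path; Present = $present
        Version = $version; Signature = $status; Signer = $signer
    }
}

# New location first, then the locations former versions used. SysWOW64 is what
# 32-bit applications see as system32 on 64-bit Windows; run this from a 64-bit
# PowerShell there so that System32 is not redirected.
$candidates = @(
    @{ Role = 'current'; Path = (Join-Path $InstallDir $moduleName) },
    @{ Role = 'former';  Path = (Join-Path $env:SystemRoot "System32\$moduleName") },
    @{ Role = 'former';  Path = (Join-Path $env:SystemRoot "SysWOW64\$moduleName") }
)
$report = foreach ($c in $candidates) {
    Get-ModuleReport -Path $c.Path -Role $c.Role
}
$report | Select-Object Role, Present, Version, Signature, Signer, Path | Format-List

$current = $report | Where-Object { $_.Role -eq 'current' }
if (-not $current.Present) {
    Write-Warning "No $moduleName found in '$InstallDir'; check the -InstallDir value."
} elseif ($current.Signature -ne 'Valid') {
    Write-Warning ("Signature status of $($current.Path) is '$($current.Signature)'; " +
                   "verify the file's origin before configuring applications to load it.")
}

# A copy left at a former location is still loaded by any application that was
# never reconfigured, so list it with its version for comparison.
$report | Where-Object { $_.Role -eq 'former' -and $_.Present } | ForEach-Object {
    Write-Warning ("Copy at former location $($_.Path) (version $($_.Version)); " +
                   "applications still configured with this path load it " +
                   "instead of the module in the installation directory.")
}
```

Configure each PKCS #11 application with the full path reported for the
"current" entry rather than the bare file name, so the module it loads does not
depend on the DLL search order.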

5.5.20 Windows is reporting "The TPM is ready for use, but with reduced functionality"

This message generally indicates that the Owner Password is not known to the
operating system. This situation could happen in several circumstances, for
example:

- A platform with an initialized Trusted Platform Module has been upgraded to
  Windows 8.1, 8
- A new instance of Windows 8.1, 8 has been installed on a platform with an
  initialized Trusted Platform Module

To resolve this situation you need to know the Owner Password or have the
Owner Password Backup File created during the original TPM initialization.
If the TPM was initialized with Infineon Security Platform Quick
Initialization Wizard, see chapter "Secret Data" of the online help for more
details about the Owner Password.

Perform the following steps:

- Launch Microsoft Trusted Platform Module (TPM) Management application (for
  example by searching for "tpm.msc")
- Click on "Prepare the TPM" action
- Enter the Owner Password or provide the Owner Password Backup File to
  proceed