Appendix: points to note when updating SNS firewalls on which the TPM has been initialized

This section provides important points to note when updating SNS firewalls on which the TPM has been initialized.

Context

If there is any indication in the SNS Release Notes that the TPM will need to be resealed following an update, we strongly recommend that you read the information in this section before updating the SNS firewall.

Depending on the changes made to the new SNS version, PCR hash values may change after the update, and access to the TPM may then be denied.

If access to the TPM is denied, SNS firewall features that use certificates with protected private keys will no longer function after the update, as long as access to the TPM has not been restored. For example, you may no longer be able to set up VPN tunnels with the SNS firewall, or manage it through an SMC server.

For more information on PCRs and access to the TPM, see the section Platform configuration registers.

Incremental versions to apply

This table summarizes the incremental versions that need to be taken into account when updating to version 4.8 or higher from the latest available 4.3 LTSB version. When a version is skipped, the contents of intermediate versions apply.

Version Description
4.8.0

Access to the TPM denied. Reseal the TPM.
4.8.3

Access to the TPM denied. Reseal the TPM.
4.8.7

If certificates with a protected private key are used for VPN SSL and IPsec services, reseal the TPM. This issue has been fixed in version 4.8.9.

Access to the TPM still possible, but its sealing policy has changed.

  • Reseal the TPM to benefit from the new sealing policy. When you log in to the SNS firewall web administration interface, a window will ask you to do so.
  • With the new sealing policy, the integrity of the SNS firewall and its TPM will be compromised if Secure Boot is not enabled. As such, you are advised to enable it before resealing the TPM.
As of version 4.8.9

Update blocked if these three conditions are combined:

  • The SNS firewall is managed by an SMC server,
  • The private key of the certificate that is used to communicate with the SMC server is protected,
  • The TPM sealing policy will be changed when the update is complete.

Recommendations to follow when updating SNS firewalls on which the TPM has been initialized

  1. If you are unsure whether the TPM has been initialized on your SNS firewall, refer to the section Checking the status of the TPM.
  2. Check whether the version that you wish to install requires the TPM to be resealed. To do so, refer to the section Incremental versions to apply and information provided in SNS Release Notes.
  3. If the TPM is initialized and needs to be sealed after the update, check that the private key of the certificate that is used to communicate with the SMC server, or that of the certificate presented by the SNS firewall's VPN services, is not protected. For the SMC server, see the section Firewall pools managed by an SMC server. For VPN services, see the section Using certificates with TPM-protected private keys.
  4. If the private key in these certificates is protected, remove this protection before updating the SNS firewall. For the SMC server, see the section Firewall pools managed by an SMC server. For VPN services, see the section Managing protection on private keys in a certificate that already exists.
  5. Once these private keys are no longer protected, the SNS firewall can be updated.
  6. Once the SNS firewall is updated, reseal the TPM. When you log in to the SNS firewall web administration interface, a window will ask you to do so. Refer to the Sealing the TPM whenever necessary.
  7. Once the TPM has been sealed, private keys on which protection was removed earlier can be protected again. For the SMC server, see the section Firewall pools managed by an SMC server. For VPN services, see the section Managing protection on private keys in a certificate that already exists.