Field of the Invention
The present invention relates to an information processing apparatus and a control method therefor and, more particularly, to a technique preferably used to prevent firmware as the basic software of the information processing apparatus from being returned (to be referred to as rollback hereinafter) to an older version.
Description of the Related Art
In an information processing apparatus such as a personal computer (PC), there is provided a conventional technique of preventing rollback of the firmware of an information processing apparatus using a TPM (Trusted Platform Module) serving as a tamper-resistant security chip. For example, U.S. Pat. No. 8,745,612 (to be referred to as patent literature 1 hereinafter) describes such technique. According to patent literature 1, rollback is detected/prevented by comparing the version number of the current firmware saved in the NVRAM (nonvolatile memory) of a TPM chip with that of delivered firmware used for update. For example, if the version number of the delivered firmware is “5” and the version number of the current firmware saved in the NVRAM of the TPM is “10”, rollback is detected to cancel the update of the firmware. As another conventional technique, there is known a technique of detecting/preventing rollback by managing the version number of the current firmware by a counter (monotonically increasing counter) which is included in a TPM and only monotonically increases, and comparing the version number with the version number of a delivered firmware. For example, TCG Mobile Trusted Module Specification (Version 1.0, Revision 7.02) describes such technique (to be referred to as non-patent literature 1 hereinafter). By preventing rollback, it is possible to protect the information processing apparatus from an attack made by taking advantage of the vulnerability of old firmware.
In patent literature 1, however, since the version number of the current firmware is saved in the NVRAM of the TPM, rollback becomes possible by accessing the NVRAM and rewriting the version number in the NVRAM by an older version number. For example, by rewriting the version number in the NVRAM from “10” to “2”, it is possible to return the firmware to that of one of versions “3” to “9” older than the current version number “10”. On the other hand, in non-patent literature 1, since the version number is managed by the monotonically increasing counter, it is physically impossible to rewrite the version number by an older value. However, since non-patent literature 1 does not mention a timing of increasing the monotonically increasing counter, the following problem is assumed. That is, even if the update of the firmware fails and an attempt is made to return the version number of the monotonically increasing counter, the version number cannot be returned. Thus, if the timing of increasing the monotonically increasing counter is inappropriate, subsequent update becomes impossible. For example, consider a case in which firmware of a version number “2” is updated to firmware of a version number “11”. In this case, the update processing increases the version number “2” managed by the monotonically increasing counter to “11”. If, however, the firmware fails to be rewritten after increasing the version number, only the monotonically increasing counter is updated to “11” and the actual firmware is not updated. Therefore, even if an attempt is made again to update the firmware to that of the version number “11”, this version number is not larger than that managed by the monotonically increasing counter, and thus update may become impossible.