HP Sure Start with Runtime Intrusion Detection - White Paper
As implemented on HP EliteBook products equipped with
7th generation AMD processors
January 2017
© Copyright 2017 HP Inc.
1 HP Sure Start with Runtime Intrusion Detection
1.1 Background
HP has a holistic view of client security that aims to address security at every layer of the client device computing stack. Our
focus is not just within the OS or on cloud-based security solutions—we believe that “Below the OS” device firmware and
hardware security are also crucial.
As our world becomes even more connected, cyber-attacks are targeting client device firmware and hardware with
increasing frequency and sophistication. Since the device firmware executes on the hardware first and is responsible for
securely booting the OS, you cannot trust the client device OS if you cannot trust the firmware.
It is extremely difficult, if not impossible, to foresee and therefore prevent every possible attack, which is why HP also
designs our client devices with “cyber-resiliency,” the ability to both detect a successful attack and recover from it.
HP Sure Start is HP’s unique and groundbreaking approach to provide advanced “Below the OS” protection to the client
device that uses hardware enforcement to ensure the system will only boot Genuine HP BIOS. Additionally, if HP Sure Start
detects tampering with HP BIOS, it has the ability to recover Genuine HP BIOS using a protected backup copy.
1.2 HP Sure Start with Runtime Intrusion Detection overview
HP Sure Start with Runtime Intrusion Detection includes the same baseline capabilities as previous generations of HP Sure
Start, plus new capabilities that significantly raise the bar for HP Sure Start advanced protection, detection of attack, and
recovery of HP system firmware.
Two primary features are added to the client device:
Runtime Intrusion Detection
BIOS Setting Protection
Additionally, HP will begin to offer a Manageability Integration Kit (MIK) including a Microsoft System Center Configuration
Manager (SCCM) plugin that will provide IT administrators with a straightforward mechanism to manage existing and new
HP Sure Start capabilities using their existing SCCM infrastructure. The focus of this whitepaper will be on the two new client
device capabilities rather than the turnkey remote management capabilities enabled by the MIK.
1.3 Runtime Intrusion Detection (RTID)
1.3.1 Context
To provide context for how the HP Sure Start with Runtime Intrusion Detection feature differs from the baseline capabilities
provided by HP Sure Start prior to RTID, it is helpful to review that baseline illustrated in Figure 1. This figure provides a
high-level view of what is provided by baseline HP Sure Start. Note that the focus of this baseline capability is to ensure that
(at boot) the host CPU will never start executing firmware code that has been replaced or modified. Thus, HP Sure Start
provides assurances that the system will only boot Genuine HP firmware that will securely configure the client device
hardware as required to securely boot the OS.
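The baseline behaviour described above, verify the firmware image before the host CPU is allowed to execute it and fall back to a protected backup copy on mismatch, can be modelled as a small boot-policy routine. The following is an added illustrative example, not HP's code: the flash layout, the use of a stored SHA-256 reference digest in place of a real signature check, and the names `Flash`, `boot_sequence` and `demo` are all assumptions chosen to show the control flow only.

```python
"""Illustrative model of a verify-then-boot firmware root of trust with
recovery from a protected backup.  Added example, not HP's implementation:
the flash layout, the digest-compare policy and all names are assumptions
made to show the control flow, not the real mechanism."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Flash:
    # Hypothetical flash layout: the active image the host CPU would execute
    # and a backup copy assumed to be write-locked from the host CPU.
    active: bytes
    backup: bytes
    log: list = field(default_factory=list)


def digest(image: bytes) -> bytes:
    # A real root of trust would verify a signature over the image; a stored
    # reference digest is used here only to keep the model self-contained.
    return hashlib.sha256(image).digest()


def boot_sequence(flash: Flash, golden: bytes) -> str:
    """Decide whether to release the host CPU.

    Returns 'boot' (active image intact), 'recovered' (active image replaced
    from backup before boot) or 'halt' (neither copy is trustworthy).
    `golden` stands in for the reference value the controller is assumed to
    hold out of reach of the host CPU.
    """
    if digest(flash.active) == golden:
        flash.log.append("active image verified; releasing CPU")
        return "boot"
    flash.log.append("active image mismatch")
    if digest(flash.backup) != golden:
        # Both copies fail: executing either would defeat the point of the
        # check, so the policy is to refuse to boot rather than guess.
        flash.log.append("backup also fails verification; CPU not released")
        return "halt"
    flash.active = flash.backup
    flash.log.append("active image restored from backup; releasing CPU")
    return "recovered"


# Constructed sample images standing in for a genuine and a modified BIOS.
GENUINE = b"constructed sample BIOS image v1.0"
TAMPERED = GENUINE.replace(b"v1.0", b"v1.0+implant")
GOLDEN = digest(GENUINE)


def demo() -> dict:
    """Run the three cases a practitioner would want to see."""
    intact = Flash(active=GENUINE, backup=GENUINE)
    modified = Flash(active=TAMPERED, backup=GENUINE)
    both_bad = Flash(active=TAMPERED, backup=TAMPERED)
    results = {
        "intact": boot_sequence(intact, GOLDEN),
        "modified": boot_sequence(modified, GOLDEN),
        "both_bad": boot_sequence(both_bad, GOLDEN),
        "restored_active_matches": modified.active == GENUINE,
        "both_bad_active_unchanged": both_bad.active == TAMPERED,
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is the ordering: the comparison happens before any host-CPU execution, so a modified image is never run even once, and recovery only substitutes the backup when the backup itself passes the same check.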