HP Sure Start with Runtime Intrusion Detection - White Paper

As implemented on HP EliteBook products equipped with
7th generation AMD processors
January 2017
© Copyright 2017 HP Inc.
1 HP Sure Start with Runtime Intrusion Detection
Note that the focus is on monitoring the BIOS code in the system flash that is executed by the host CPU at boot. This is an
important distinction from the BIOS code that remains resident in main (DRAM) memory to provide power management and
other critical services after the system has booted to the OS. Next, we explore that distinction in greater detail.
Figure 1 Baseline HP Sure Start overview (applies to HP EliteBook products equipped with 6th generation AMD processors and higher)
1.3.2 Runtime BIOS code versus startup BIOS code
On each boot, the CPU starts execution of BIOS code from the flash memory at a fixed address. This BIOS code then
initializes the hardware including the DRAM memory and copies all routines from flash into volatile (DRAM) memory. A large
portion of that BIOS code is used to provide “Pre-OS” capabilities that are needed before the OS is started. Examples of
“Pre-OS” BIOS support include video drivers, PXE boot support, keyboard and mouse drivers, pre-boot authentication, and
unlocking of mass storage encryption, to name a few. Most of these routines are no longer needed once the OS is running,
since the capabilities are either only relevant before handoff to the OS, or the OS has its own drivers.
However, there is a portion of BIOS that remains in DRAM that is needed to provide advanced power-management
features, OS services, and other OS-independent functions while the OS is running. This BIOS code, referred to as System
Management Mode (SMM) code, resides in a special area within the DRAM that is hidden from the OS.[2] We also refer to this
code as “Runtime” BIOS code in the context of HP Sure Start Runtime Intrusion Detection.
The integrity of SMM code is critical to the client device security posture. The baseline HP Sure Start implementation
provides assurance that all code is Genuine HP BIOS each time the system starts, including the SMM code that is present in
DRAM when the OS starts.
The opportunity that remains is to move beyond ensuring only that the starting state of the HP SMM BIOS code is good at
OS start, and to provide mechanisms that ensure it remains good while the OS is running, by providing a means to detect
any attack that manages to bypass the existing mechanisms that protect the HP SMM BIOS code.
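The measure-at-boot, re-measure-at-runtime pattern described above, reduced to a small model. This is an added example, not HP's implementation and not code from the white paper: the region contents, the `record_baseline`, `verify_runtime` and `simulate_modification` functions, and the choice of FNV-1a as the digest are all assumptions made here for illustration (a real design would use a cryptographic hash and keep the golden measurement and the checker outside the reach of the OS).

```c
/* Added example (not HP's code): a model of runtime integrity monitoring for a
 * resident (SMM-style) code region. At boot the region is measured and the
 * measurement is stored where the OS cannot write it; later the region is
 * re-measured and compared against that golden value. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REGION_SIZE 64

/* Constructed stand-in for the runtime BIOS code region resident in DRAM. */
static uint8_t smm_region[REGION_SIZE];

/* Golden measurement taken at boot; modelled here as unwritable by the OS. */
static uint64_t golden_measurement;
static int golden_valid;

/* FNV-1a 64-bit. Placeholder only: a real monitor would use SHA-256 or a
 * similar cryptographic digest, since FNV-1a is trivially forgeable. */
static uint64_t measure(const uint8_t *buf, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Fill the region with deterministic constructed "code" bytes. */
static void load_region(void)
{
    for (size_t i = 0; i < REGION_SIZE; i++)
        smm_region[i] = (uint8_t)(0x90 + (i * 7 % 0x40));
}

/* Boot-time step: load the region and record its measurement. */
void record_baseline(void)
{
    load_region();
    golden_measurement = measure(smm_region, REGION_SIZE);
    golden_valid = 1;
}

/* Runtime step: re-measure and compare.
 * Returns 1 if the region is intact, 0 if it has been modified,
 * -1 if no baseline has been recorded yet. */
int verify_runtime(void)
{
    if (!golden_valid)
        return -1;
    return measure(smm_region, REGION_SIZE) == golden_measurement ? 1 : 0;
}

/* Test hook: a single-byte change to the region, used only to show that the
 * runtime check reports it. */
void simulate_modification(size_t offset, uint8_t value)
{
    if (offset < REGION_SIZE)
        smm_region[offset] = value;
}

int main(void)
{
    record_baseline();
    printf("after boot:         %s\n", verify_runtime() == 1 ? "intact" : "MODIFIED");
    simulate_modification(17, 0xCC);
    printf("after modification: %s\n", verify_runtime() == 1 ? "intact" : "MODIFIED");
    return 0;
}
```

The point of the model is the separation of the two steps: the baseline is taken once, when the code is known to be Genuine HP BIOS, and every later check compares against that stored value rather than re-deriving trust from the running copy. What the check cannot do on its own is decide what to do on a mismatch; that policy (alerting, halting, restoring from a protected copy) is the part a product implementation adds.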