HP Sure Start Gen3 - White Paper
Available on HP Elite products equipped with 7th generation Intel® Core™ processors
January, 2017
© Copyright 2017 HP Inc.
1 HP Sure Start Gen3
1.1 Background
HP has a holistic view of client security that aims to address security at every layer of the client device computing stack. Our
focus is not just within the OS or on cloud-based security solutions—we believe that “Below the OS” device firmware and
hardware security are also crucial.
As our world becomes even more connected, cyber-attacks are targeting client device firmware and hardware with
increasing frequency and sophistication. Since the device firmware executes on the hardware first and is responsible for
securely booting the OS, you cannot trust the client device OS if you cannot trust the firmware.
It is extremely difficult, if not impossible, to foresee and therefore prevent every possible attack, which is why HP also
designs its client devices for “cyber-resiliency,” the ability to both detect a successful attack and recover from it.
HP Sure Start is HP’s unique and groundbreaking approach to provide advanced “Below the OS” protection to the client
device that uses hardware enforcement to ensure the system will only boot Genuine HP BIOS. Additionally, if HP Sure Start
detects tampering with HP BIOS, it has the ability to recover Genuine HP BIOS using a protected backup copy.
1.2 HP Sure Start Gen3 overview
HP Sure Start Gen3 includes the same baseline capabilities as previous generations of HP Sure Start, plus new capabilities
that significantly raise the bar for HP Sure Start advanced protection, detection of attack, and recovery of HP system
firmware.
There are two primary features that are added to the client device:
Runtime Intrusion Detection
BIOS Setting Protection
Additionally, HP will begin to offer a Manageability Integration Kit (MIK) including a Microsoft System Center Configuration
Manager (SCCM) plugin that will provide IT administrators with a straightforward mechanism to manage existing and new
HP Sure Start Gen3 capabilities using their existing SCCM infrastructure. The focus of this whitepaper will be on the two new
client device capabilities rather than the turnkey remote management capabilities enabled by the MIK.
1.3 Runtime Intrusion Detection (RTID)
1.3.1 Context
To provide context for how the HP Sure Start Gen3 Runtime Intrusion Detection feature differs from the baseline capabilities
provided by HP Sure Start prior to Gen3, it is helpful to review that baseline illustrated in Figure 1. This figure provides a
high-level view of what is provided by baseline HP Sure Start. Note that the focus of this baseline capability is to ensure that
(at boot) the host CPU will never start executing firmware code that has been replaced or modified. Thus, HP Sure Start
provides assurances that the system will only boot Genuine HP firmware that will securely configure the client device
hardware as required to securely boot the OS.