HP Sure Start Gen3 Available on HP Elite products equipped with 7th generation Intel® Core™ processors - White Paper
January, 2017
© Copyright 2017 HP Inc.
1.3.4 Events
The HP Sure Start RTID feature generates an event to the HP Sure Start hardware when it detects an attempt to modify the HP SMM BIOS code or any behavioral anomaly in SMM code. The HP Sure Start hardware then takes the action associated with the event policy configured in BIOS setup.

Regardless of the event policy setting, the event is always logged to the HP Sure Start audit log, and the local user receives a notification from BIOS on the next boot after an RTID event.
1.3.5 Policy controls
The RTID feature is enabled by default for all platforms shipped from the HP factory. There is no need for the end customer/administrator to enable or otherwise “deploy” the feature to take advantage of HP Sure Start RTID!

There are two BIOS policies related to the RTID feature that can optionally be configured by the platform owner/administrator:
• Enhanced HP Firmware Runtime Intrusion Prevention and Detection (enable/disable)
• Sure Start Security Event Policy
1.3.5.1. Enhanced HP firmware Runtime Intrusion Prevention and Detection
This BIOS policy setting enables or disables the RTID capability. The default setting for this policy is enabled.
1.3.5.2. Sure Start security event policy
This BIOS policy setting controls what action is taken when the RTID feature detects an attack or attempted attack. There are three possible configurations for this policy:
• Log event only: When this setting is selected, the HP Sure Start hardware logs detection events, which can be viewed under the “Applications and Services Logs/HP Sure Start” path of the Microsoft Windows Event Viewer.
• Log event and notify user: This is the default setting. When this setting is selected, the HP Sure Start hardware logs detection events, which can be viewed under the “Applications and Services Logs/HP Sure Start” path of the Microsoft Windows Event Viewer. Additionally, the user is prompted within Windows that the event occurred.
• Log event and power off system: When this setting is selected, the HP Sure Start hardware logs detection events, which can be viewed under the “Applications and Services Logs/HP Sure Start” path of the Microsoft Windows Event Viewer. Additionally, the user is prompted within Windows that the event occurred and that system shutdown is imminent.
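With the “Log event only” setting, nothing prompts the user, so detection depends on something actually reading the Windows event log (and ideally forwarding it to central logging). The PowerShell below is an added example, not code from the white paper or from HP: it discovers the event log behind the “Applications and Services Logs/HP Sure Start” Event Viewer path by wildcard rather than hard-coding its name, pulls recent entries, and reads the two RTID policy settings listed above. Assumptions not taken from the page: that the log is findable with the wildcard '*Sure Start*', that the settings are exposed through HP's BIOS WMI provider (namespace root\HP\InstrumentedBIOS, class HP_BIOSSetting with Name and CurrentValue), and that the WMI setting names follow the BIOS setup labels closely enough for a wildcard match.

```powershell
# Added example; not HP's code. Discovers the HP Sure Start event log and
# reads the RTID policy settings. Assumption: HP's BIOS WMI provider lives at
# root\HP\InstrumentedBIOS (class HP_BIOSSetting); setting names are matched
# by wildcard because their exact WMI spelling is not given in the paper.

function Get-HPSureStartEvents {
    param([int]$Days = 30)

    # Find the log by wildcard instead of guessing the exact LogName.
    $logs = Get-WinEvent -ListLog '*Sure Start*' -ErrorAction SilentlyContinue
    if (-not $logs) {
        Write-Warning 'No HP Sure Start event log found on this system.'
        return @()
    }

    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
    }
}

function Get-HPSureStartRtidPolicy {
    # Each HP_BIOSSetting instance carries the setup label (Name) and its
    # current value (CurrentValue). Wildcards cover minor label differences.
    $settings = Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' `
                                -ClassName 'HP_BIOSSetting' -ErrorAction Stop
    $settings |
        Where-Object {
            $_.Name -like '*Runtime Intrusion*' -or
            $_.Name -like '*Sure Start Security Event*'
        } |
        Select-Object Name, CurrentValue
}

# Usage: report policy state, flag a weakened policy, then list recent events.
$policy = Get-HPSureStartRtidPolicy
$policy | Format-Table -AutoSize

$rtid = $policy | Where-Object { $_.Name -like '*Runtime Intrusion*' }
if ($rtid -and $rtid.CurrentValue -match 'Disable') {
    Write-Warning 'RTID is disabled on this system; the factory default is Enabled.'
}

$events = @(Get-HPSureStartEvents -Days 30)
if ($events.Count -eq 0) {
    Write-Output 'No HP Sure Start events in the last 30 days.'
} else {
    $events | Format-Table -AutoSize -Wrap
}
```

Run it elevated on the HP client. If the wildcard finds no log or no matching settings, check the names with `Get-WinEvent -ListLog '*'` and a plain `Get-CimInstance -Namespace root\HP\InstrumentedBIOS -ClassName HP_BIOSSetting` before adjusting the patterns; the script is deliberately written so that a mismatch surfaces as a warning rather than a silent empty result.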
1.4 BIOS setting protection
1.4.1 Context
The baseline HP Sure Start verifies the integrity and authenticity of the HP BIOS code. Since this code is static after it is created by HP, digital signatures can be used to confirm both attributes of the code. The dynamic and user-configurable nature of BIOS settings creates additional challenges to protecting those settings, as digital signatures cannot be generated by HP and used by the HP Sure Start hardware to verify those settings.