HP Sure Start Gen3 Available on HP Elite products equipped with 7th generation Intel® Core™ processors - White Paper

Available on HP Elite products equipped with

7th generation Intel® Core™ processors

January, 2017

HP Sure Start Gen3

2 Appendix A 7

1.4.2 BIOS setting protection overview

HP Sure Start Gen3 BIOS setting protection provides the capability to configure the system such that the HP Sure Start

hardware is used to back up and provide integrity-checking of all the BIOS settings preferred by the user.

When this feature is enabled on the platform, all policy settings used by BIOS are subsequently backed up and an integrity

check is performed on each boot to ensure that none of the BIOS policy settings have been modified. In the event a change

is detected, the system uses the backup from the HP Sure Start protected back area to automatically revert back to the user

defined setting.

1.4.3 Events

The HP Sure Start BIOS setting protection feature will generate events to the HP Sure Start hardware when an attempt to

modify the BIOS Settings is detected. The event will be logged in the HP Sure Start audit log and the local user will receive a

notification from BIOS during boot.

1.4.4 Policy controls

The BIOS setting protection policy is disabled by default.

To enable the feature, the owner/administrator of the client device should first configure all BIOS policies to the preferred

setting. The owner/administrator also needs to configure a BIOS setup administrator password to use HP Sure Start BIOS

setting protection.

Once that is completed, the BIOS setting protection policy should be changed to “enabled.” At this point, a backup copy of all

BIOS settings is created in the HP Sure Start protected storage. Going forward, none of the BIOS settings can be modified

locally or remotely. On each boot, the BIOS policy settings will be verified to be in the desired state, and if there is any

discrepancy, the BIOS Settings will be restored from the HP Sure Start protected storage.

To modify a BIOS setting, the BIOS administrator password must be provided and BIOS setting protection subsequently

disabled, at which point changes can be made to the BIOS settings.

2 Appendix A

2.1 System Management Mode (SMM) overview

System Management Mode (SMM) is an industry-standard approach used for PC advanced power-management features

and other OS-independent functions while the OS is running. While the SMM term and implementation is specific to x86

architectures, many modern computing architectures use a similar architectural concept.

SMM is configured by the BIOS at boot time. The SMM code is populated into the main (DRAM) memory and then BIOS uses

special (lockable) configuration registers within the chipset to block access to this area when the microprocessor is not

executing in an SMM context. At runtime, entry into SMM mode is event-driven. The chipset is programmed to recognize

many types of events and timeouts. When such an event occurs, the chipset hardware asserts the System Management

Interrupt (SMI) input pin. At the next instruction boundary, the microprocessor saves its entire state and enters SMM.