HP Sure Start Automatic Firmware Intrusion Detection and Repair System - White Paper
May 2016
902696-002
HP Sure Start Technical White Paper
© Copyright 2016 HP Development Company, L.P.
3 Architectural Overview & Capabilities 7
NOTE:
For added redundancy, the HP BIOS Boot Block code is also able to recover the BIOS from a recovery image on the HP_TOOLS partition (included as part of the default shipping configuration) or from a recovery image on a USB thumb drive. While not strictly required for HP Sure Start, the same HP BIOS Boot Block code is used on non-HP Sure Start platforms, where this capability is crucial.
The HP Sure Start Embedded Controller also checks the integrity of the System Flash Boot Block code each time the system is turned off or put into Hibernate or Sleep mode. Because the CPU is powered off in each of these states and must therefore re-execute the BIOS Boot Block code to resume, it is crucial to re-verify the integrity of the BIOS Boot Block each time to check for tampering. Additionally, starting with Intel 6th generation processor platforms, Sure Start with Dynamic Protection periodically (every 15 minutes) checks the integrity of the System Flash BIOS Boot Block while the system is running.
3.3 Machine Unique Data Integrity
The HP Sure Start Embedded Controller and BIOS work together to provide advanced protection of factory-configured critical variables that are unique to each machine and are intended to remain constant over the life of that platform. A backup copy of this variable data is saved in the HP Sure Start Embedded Controller Non-Volatile Memory store while in the factory environment; it is then made available to the HP Sure Start BIOS component on a read-only basis so that the BIOS can integrity-check the data on every boot. If any of these settings in the System Flash has changed versus the factory settings, the HP Sure Start BIOS components automatically restore the data in the System Flash from the backup copy provided by the Sure Start Embedded Controller.
3.4 Descriptor Region
For HP Intel models, HP Sure Start protects the Descriptor Region of the System Flash. Unique to Intel architecture, the descriptor region contains critical configuration parameters that are sampled by the Intel core logic at reset and used thereafter to configure the core logic. The descriptor region also includes partitioning information for the system flash that the Intel core logic uses to determine where the BIOS region resides within the flash, and therefore where the CPU will start fetching code for execution from reset. HP Sure Start monitors the integrity of this region and recovers it to the intended configuration in the event of tampering or corruption.
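The partitioning information described above, as an added example; this is not code from the white paper or from HP, and it does not describe how Sure Start itself reads the descriptor. It parses the Intel flash descriptor layout documented in Intel's public SPI programming guides: the signature 0x0FF0A55A at descriptor offset 0x10, FLMAP0 at 0x14 carrying the Flash Region Base Address in bits 23:16 (16-byte units), and one FLREG per region with the base in bits 14:0 and the inclusive limit in bits 30:16, both in 4 KiB units (older chipsets use 13-bit fields, which the 15-bit mask reads correctly because the upper bits are zero). The 8 MiB flash size, the `FRBA` value and the region placement are constructed for the sample; `region_changes` reports how a tampered descriptor differs from the factory layout, which is the comparison a monitor must make before it can decide to recover.

```python
import struct

DESCRIPTOR_SIGNATURE = 0x0FF0A55A   # sits at descriptor offset 0x10
REGION_NAMES = {0: "Descriptor", 1: "BIOS", 2: "ME", 3: "GbE", 4: "Platform Data"}
FLASH_SIZE = 8 * 1024 * 1024        # assumed 8 MiB part for the constructed sample
FRBA = 0x40                         # assumed location of the FLREG array in the sample


class DescriptorError(ValueError):
    """The descriptor is unparseable or describes an impossible flash layout."""


def parse_descriptor(flash: bytes, flash_size: int) -> dict:
    """Return {region name: (base, limit)} for every region that is in use."""
    if len(flash) < 0x18:
        raise DescriptorError("image too small to hold a descriptor")
    sig, flmap0 = struct.unpack_from("<II", flash, 0x10)
    if sig != DESCRIPTOR_SIGNATURE:
        raise DescriptorError(f"bad descriptor signature 0x{sig:08X}")
    frba = ((flmap0 >> 16) & 0xFF) << 4   # FLMAP0 bits 23:16, in 16-byte units
    regions = {}
    for n, name in REGION_NAMES.items():
        off = frba + 4 * n
        if off + 4 > len(flash):
            raise DescriptorError(f"FLREG{n} lies outside the image")
        (flreg,) = struct.unpack_from("<I", flash, off)
        base = (flreg & 0x7FFF) << 12                      # bits 14:0, 4 KiB units
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF   # bits 30:16, inclusive
        if base > limit:
            continue                                       # region marked unused
        if limit >= flash_size:
            raise DescriptorError(f"{name} region ends past the end of flash")
        regions[name] = (base, limit)
    # Regions must not overlap; a BIOS region that collides with another is corrupt.
    spans = sorted(regions.values())
    for (_, prev_limit), (next_base, _) in zip(spans, spans[1:]):
        if next_base <= prev_limit:
            raise DescriptorError("flash regions overlap")
    if "BIOS" not in regions:
        raise DescriptorError("no BIOS region: the CPU has nowhere to fetch reset code")
    return regions


def write_region(flash: bytearray, n: int, base: int, limit: int) -> None:
    """Encode one FLREG entry (addresses rounded to 4 KiB units) into the sample."""
    flreg = ((base >> 12) & 0x7FFF) | (((limit >> 12) & 0x7FFF) << 16)
    struct.pack_into("<I", flash, FRBA + 4 * n, flreg)


def build_sample_descriptor() -> bytearray:
    """Constructed 4 KiB descriptor region; not captured from any real system."""
    flash = bytearray(0x1000)
    struct.pack_into("<II", flash, 0x10, DESCRIPTOR_SIGNATURE, (FRBA >> 4) << 16)
    write_region(flash, 0, 0x000000, 0x000FFF)   # descriptor itself
    write_region(flash, 1, 0x500000, 0x7FFFFF)   # BIOS: the reset vector lives here
    write_region(flash, 2, 0x003000, 0x4FFFFF)   # ME
    write_region(flash, 3, 0x001000, 0x002FFF)   # GbE
    struct.pack_into("<I", flash, FRBA + 4 * 4, 0x00007FFF)  # Platform Data: unused
    return flash


def region_changes(golden: dict, current: dict) -> dict:
    """Report every region whose base/limit differs from the factory layout."""
    names = set(golden) | set(current)
    return {n: (golden.get(n), current.get(n))
            for n in sorted(names) if golden.get(n) != current.get(n)}


if __name__ == "__main__":
    factory = build_sample_descriptor()
    layout = parse_descriptor(factory, FLASH_SIZE)
    tampered = bytearray(factory)
    write_region(tampered, 1, 0x600000, 0x7FFFFF)   # shrink/repoint the BIOS region
    print(region_changes(layout, parse_descriptor(tampered, FLASH_SIZE)))
```

The overlap and bounds checks matter because an attacker who can write the descriptor does not need to change a single byte of BIOS code: repointing the BIOS region at flash the platform did not sign is enough to change what the CPU executes from reset.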
3.5 Network Controller Protection
In addition, for HP Intel models, HP Sure Start protects the network controller (NIC) settings contained within the System Flash. Some HP customers have use cases that require legitimate changes to factory-configured NIC settings. Therefore, HP Sure Start does not prevent changes to NIC settings by default. Instead, HP Sure Start provides a feature that, when enabled, warns the user that NIC settings have changed. In addition, HP Sure Start provides a method to restore the NIC settings to factory values. Protected settings include the MAC address, the Pre-boot Execution Environment (PXE) settings, and the Remote Initial Program Load (RPL) settings. This restoration is possible via a read-only backup copy provided by the Sure Start Embedded Controller.
3.6 HP Sure Start Event Logging
The HP Sure Start Embedded Controller records critical events related to HP Sure Start monitored firmware/BIOS code and data. These events are stored within the Sure Start Non-Volatile Memory Store. When the HP Notifications Software is installed, these events are copied from the Sure Start Embedded Controller to the Windows Event Viewer, making them accessible to the local user as well as to the customer's preferred manageability agent.
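A model of the check-and-restore flow from sections 3.2, 3.3, 3.5 and 3.6, added here as an example; it is not HP code and does not describe how the real Embedded Controller or BIOS are implemented. The controller keeps the factory copy and a SHA-256 digest of each protected area, re-checks every area on each trigger (boot, power-off, Sleep, Hibernate, the periodic Dynamic Protection tick), restores REPAIR areas automatically, only logs WARN areas (the NIC default from 3.5), and exposes an explicit restore plus a flat event log of the kind an OS-side agent would copy out. The hash choice, the region and trigger names, the record format and the sample flash contents are all assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

REPAIR, WARN = "repair", "warn"
TRIGGERS = ("boot", "power_off", "sleep", "hibernate", "periodic", "user")


@dataclass(frozen=True)
class ProtectedRegion:
    name: str
    policy: str     # REPAIR: restore automatically; WARN: log only (the NIC default)
    backup: bytes   # factory copy held in the controller's non-volatile memory
    digest: bytes   # SHA-256 of the backup, compared on every check (assumed hash)


def protect(name: str, policy: str, factory_data: bytes) -> ProtectedRegion:
    data = bytes(factory_data)  # copy, so later flash writes cannot alias the backup
    return ProtectedRegion(name, policy, data, hashlib.sha256(data).digest())


@dataclass(frozen=True)
class Event:
    trigger: str
    region: str
    action: str     # "verified", "restored" or "warned"


class EmbeddedController:
    """Holds the factory copies and decides what to do when the live flash differs."""

    def __init__(self, regions):
        self._regions = {r.name: r for r in regions}
        self.events: list = []

    def factory_copy(self, name: str) -> bytes:
        """Read-only view handed to the BIOS; a bytes object cannot be modified."""
        return self._regions[name].backup

    def check(self, flash: dict, trigger: str) -> list:
        """Verify every protected area; repair or warn according to its policy."""
        if trigger not in TRIGGERS:
            raise ValueError(f"unknown trigger {trigger!r}")
        found = []
        for name, region in self._regions.items():
            live = hashlib.sha256(bytes(flash[name])).digest()
            if hmac.compare_digest(live, region.digest):
                action = "verified"
            elif region.policy == REPAIR:
                flash[name][:] = region.backup   # put the factory data back in place
                action = "restored"
            else:
                action = "warned"                # report, but keep the user's change
            found.append(Event(trigger, name, action))
        self.events.extend(found)
        return found

    def restore(self, flash: dict, name: str) -> None:
        """Explicit restore of a WARN area at the user's request."""
        flash[name][:] = self._regions[name].backup
        self.events.append(Event("user", name, "restored"))

    def export_log(self) -> list:
        """Flat records an OS-side agent could copy into an event viewer."""
        return [{"trigger": e.trigger, "region": e.region, "action": e.action}
                for e in self.events]


def build_sample_flash() -> dict:
    """Constructed stand-in for the protected areas of the system flash."""
    return {
        "boot_block": bytearray(b"BOOTBLOCK-v1" + bytes(20)),
        "machine_data": bytearray(b"SERIAL=ABC123;UUID=0001"),
        "nic_settings": bytearray(b"MAC=00:11:22:33:44:55;PXE=on;RPL=off"),
    }


def factory_controller(flash: dict) -> EmbeddedController:
    """Take the backups 'in the factory', before anything has had a chance to change."""
    return EmbeddedController([
        protect("boot_block", REPAIR, flash["boot_block"]),
        protect("machine_data", REPAIR, flash["machine_data"]),
        protect("nic_settings", WARN, flash["nic_settings"]),
    ])


def demo() -> list:
    """Tamper with two areas, then run the checks a Sleep transition would trigger."""
    flash = build_sample_flash()
    ec = factory_controller(flash)
    flash["boot_block"][0:4] = b"EVIL"                    # simulated boot block implant
    flash["nic_settings"][4:21] = b"AA:BB:CC:DD:EE:FF"     # legitimate MAC change
    return [(e.region, e.action) for e in ec.check(flash, "sleep")]


if __name__ == "__main__":
    print(demo())
```

The two policies are the point: the boot block and machine-unique data are silently put back because no legitimate workflow changes them, while the NIC area is only reported, so a deliberate MAC or PXE change survives until the user asks for the factory values.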