HP Sure Start Automatic Firmware Intrusion Detection and Repair System - White Paper

May 2016
902696-002
HP Sure Start Technical White Paper
© Copyright 2016 HP Development Company, L.P.
3 Architectural Overview & Capabilities
3.7 HP Sure Start Policy Controls
Out of the box, the HP system BIOS enables HP Sure Start with policies tuned for the typical user. Because HP Sure Start is
enabled by default, a typical user does not need to change any settings to be protected by it. For advanced users, the
system BIOS exposes some control over Sure Start behavior through policy settings in the (F10) BIOS Setup. Unless
otherwise noted, these settings and functions are located under “Security->BIOS Sure Start”.
NOTE:
Policies are stored in the non-volatile memory of the HP Sure Start Embedded Controller, which is not directly accessible by
the host CPU; therefore a reboot is required before any change to a Sure Start setting takes effect. A setting changed in
BIOS Setup is only pending until the Embedded Controller applies it at the next boot.
The following Sure Start settings & functions are available:
Verify Boot Block on Every Boot
BIOS Data Recovery Policy
Prompt on Network Controller Configuration Change
Restore Network Controller Configuration to the factory defaults
Lock BIOS Version
Verify Boot Block on Every Boot
HP Sure Start always verifies the integrity of the System Flash BIOS Boot Block before resuming from Sleep or Hibernate and
on every boot from Power-off. When enabled, this setting makes HP Sure Start also verify the boot block on each warm boot
(Windows restart). The trade-off is a faster restart versus verification on every boot path: with the setting disabled, a warm
boot is the one path on which the boot block is not checked. The default setting is disabled.
BIOS Data Recovery Policy
When set to Automatic, HP Sure Start automatically repairs the BIOS or the Machine Unique Data when necessary. When set
to Manual, HP Sure Start requires a special key sequence before it proceeds with the repair. For a problem in the Boot Block
code, the system refuses to boot and a unique blink sequence flashes on a system LED. For a problem in the Machine Unique
Data, the system displays a message on the screen. The key sequence required and the blink sequence displayed differ
between notebooks, desktops and tablets; see the table below for details.
Manual mode is useful for users who are able to perform forensics on the system flash contents before the repair
overwrites them. Typical users are not encouraged to use Manual mode. The default setting is Automatic.
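How the two settings above interact (which boot paths are verified, and whether a mismatch is repaired silently or halts and waits for the key sequence) is easier to see as a decision routine. The following is an added illustrative model written for this page, not HP's Sure Start firmware: the boot block size, the toy FNV-1a digest standing in for the real integrity check, the way the LED blink and key sequence are represented, and all function and type names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative model of the Sure Start pre-boot decision (example code written
 * for this page; not HP firmware). Sizes, the toy digest and all names below are
 * assumptions made for the example. */

#define BOOT_BLOCK_SIZE 64

enum boot_type { BOOT_COLD, BOOT_RESUME_SLEEP, BOOT_RESUME_HIBERNATE, BOOT_WARM };
enum recovery_policy { RECOVERY_AUTOMATIC, RECOVERY_MANUAL };
enum action { ACT_SKIP_VERIFY, ACT_VERIFIED_OK, ACT_REPAIRED, ACT_HALT_BLINK };

struct sure_start_policy {
    int verify_every_boot;           /* "Verify Boot Block on Every Boot" (default: disabled) */
    enum recovery_policy recovery;   /* "BIOS Data Recovery Policy" (default: Automatic) */
};

struct system_flash {                /* SPI flash the host CPU can read and write */
    uint8_t boot_block[BOOT_BLOCK_SIZE];
};

struct embedded_controller {         /* EC-private storage, not reachable from the host CPU */
    uint8_t golden_boot_block[BOOT_BLOCK_SIZE];
    uint64_t golden_digest;
    struct sure_start_policy policy;
};

/* Toy digest (FNV-1a) standing in for the real integrity check. */
static uint64_t digest(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

void ec_init(struct embedded_controller *ec, const uint8_t *boot_block,
             struct sure_start_policy pol)
{
    memcpy(ec->golden_boot_block, boot_block, BOOT_BLOCK_SIZE);
    ec->golden_digest = digest(boot_block, BOOT_BLOCK_SIZE);
    ec->policy = pol;
}

/* Boot from power-off and resume from sleep/hibernate are always verified;
 * a warm boot (OS restart) is verified only when the policy enables it. */
static int verification_required(const struct sure_start_policy *pol, enum boot_type bt)
{
    return bt != BOOT_WARM || pol->verify_every_boot;
}

/* One EC decision at the start of a boot path. repair_keys_pressed models the
 * special key sequence Manual mode waits for before it repairs. */
enum action sure_start_pre_boot(struct embedded_controller *ec, struct system_flash *flash,
                                enum boot_type bt, int repair_keys_pressed)
{
    if (!verification_required(&ec->policy, bt))
        return ACT_SKIP_VERIFY;
    if (digest(flash->boot_block, BOOT_BLOCK_SIZE) == ec->golden_digest)
        return ACT_VERIFIED_OK;
    /* Boot block differs from the EC's golden copy. */
    if (ec->policy.recovery == RECOVERY_MANUAL && !repair_keys_pressed)
        return ACT_HALT_BLINK;       /* refuse to boot; signal via the LED blink sequence */
    memcpy(flash->boot_block, ec->golden_boot_block, BOOT_BLOCK_SIZE);
    return ACT_REPAIRED;
}

/* Builds a fresh EC/flash pair from a constructed boot block, optionally flips
 * one byte of the flash copy, and returns the action the EC takes on boot path bt. */
enum action simulate(int verify_every_boot, enum recovery_policy recovery,
                     int tampered, enum boot_type bt, int repair_keys_pressed)
{
    uint8_t good[BOOT_BLOCK_SIZE];
    struct sure_start_policy pol = { verify_every_boot, recovery };
    struct embedded_controller ec;
    struct system_flash flash;

    for (int i = 0; i < BOOT_BLOCK_SIZE; i++)
        good[i] = (uint8_t)(0xA5 ^ i);           /* constructed boot block contents */
    ec_init(&ec, good, pol);
    memcpy(flash.boot_block, good, BOOT_BLOCK_SIZE);
    if (tampered)
        flash.boot_block[3] ^= 0xFF;             /* simulated flash tampering */
    return sure_start_pre_boot(&ec, &flash, bt, repair_keys_pressed);
}

int main(void)
{
    static const char *name[] = { "skip-verify", "verified-ok", "repaired", "halt-blink" };
    printf("default policy, tampered, warm boot : %s\n", name[simulate(0, RECOVERY_AUTOMATIC, 1, BOOT_WARM, 0)]);
    printf("default policy, tampered, cold boot : %s\n", name[simulate(0, RECOVERY_AUTOMATIC, 1, BOOT_COLD, 0)]);
    printf("manual policy, tampered, no keys    : %s\n", name[simulate(1, RECOVERY_MANUAL, 1, BOOT_WARM, 0)]);
    printf("manual policy, tampered, keys held  : %s\n", name[simulate(1, RECOVERY_MANUAL, 1, BOOT_WARM, 1)]);
    return 0;
}
```

With the default policy a tampered boot block survives a warm boot unexamined but is replaced on the next cold boot or resume; with Manual recovery the routine keeps returning ACT_HALT_BLINK until the caller reports the key sequence, which is the window in which an examiner would image the flash before the repair overwrites it.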
Prompt on Network Controller Configuration Change
This setting is available on Intel systems only. HP ships a factory-defined network controller configuration, which includes
the MAC address. When enabled, the system monitors the state of the network controller configuration and prompts the
user when it differs from the factory-configured state. The default setting is disabled.
Restore Network Controller Configuration to the factory defaults
This function restores the network controller configuration stored in System Flash to the factory defaults. Unlike other
machine unique data, HP Sure Start does not validate and protect the network controller configuration on each boot, nor
does it automatically repair this parameter region, because there are legitimate reasons to change the network controller
configuration, such as the MAC address. A modified configuration therefore persists across boots until this function is run.
This function is useful for recovering the network controller from an unknown state that may be unreliable.
Lock BIOS Version
In the (F10) BIOS Setup, this feature is located under Main->Update System BIOS.
When set to disable, the BIOS can be updated using any supported process. When the Sure Start Embedded Controller
detects a valid Boot Block update in the System Flash, it updates its backup copy of the Boot Block to match.
When set to enable, all HP BIOS update tools refuse to update the BIOS. In addition, HP Sure Start protects against attempts
to change the BIOS version through an unauthorized method, such as removing the system flash from the board. The Sure
Start Embedded Controller records the locked-down BIOS version. When the Sure Start Embedded Controller detects that
the BIOS in the system flash has changed, the Embedded Controller overwrites the BIOS Boot Block with the Embedded Controller copy of