HP Sure Start Automatic Firmware Intrusion Detection and Repair System - White Paper
May 2016
902696-002
HP Sure Start Technical White Paper
© Copyright 2016 HP Development Company, L.P.
3 Architectural Overview & Capabilities
HP Sure Start consists of two major architectural components:
• HP Sure Start Embedded Controller, consisting of HP-unique hardware and firmware
• HP Sure Start BIOS, working in conjunction with the HP Sure Start Embedded Controller
3.1 HP Sure Start Embedded Controller
The Sure Start Embedded Controller is the first device in the system to execute firmware when the system powers up, and
it is active well before the system boots. The Sure Start Embedded Controller’s activities include, but are not limited to,
monitoring the system power button and power sequencing the start of host CPU execution when the user presses the
power button.
Figure 2 Firmware Integrity Verification Process
When power is first applied to the platform (before the system is turned on), the HP Sure Start Embedded Controller
validates that its own firmware is authentic HP code before loading and executing the code. The Sure Start Embedded
Controller hardware uses industry-standard, strong cryptographic methods to perform the integrity verification. The method
employs a 2048-bit HP RSA public key contained within internal permanent read-only memory. Therefore, the Sure Start
Embedded Controller is the built-in hardware-based Root of Trust (RoT) for the platform, used to validate its firmware and
the HP BIOS before they are executed. This hardware Root of Trust protects against firmware replacement attacks
regardless of their deployment method and serves as the foundation upon which all platform security is built.
Figure 2 illustrates the firmware integrity verification process. Once the HP Sure Start Embedded Controller authenticates
and starts executing the HP Sure Start firmware, that firmware uses the same strong cryptographic operations to verify the
integrity of the System Flash BIOS Boot Block. If a single bit is invalid, the HP Sure Start Embedded Controller replaces the
System Flash contents with its own copy of the HP BIOS Boot Block that is stored within an isolated Non-Volatile Memory
(NVM) dedicated to the Sure Start Embedded Controller.
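The verify-then-repair flow described above, modeled in Python as an added example (this is not HP's code, and all function names are hypothetical). Assumptions: RSASSA-PKCS1-v1_5 with SHA-256 and e = 65537 (the paper states only a 2048-bit RSA public key), a constructed throwaway key pair in place of the vendor key, and a signature check on the private copy before it is restored.

```python
import hashlib
E = 65537  # assumed public exponent
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo, RFC 8017

def _is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin for large odd n; good enough for a throwaway demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _next_prime(c):  # c must be odd
    while not (_is_prime(c) and (c - 1) % E):  # keep E invertible mod p-1
        c += 2
    return c

def demo_keypair():  # constructed, deterministic 2048-bit test key; not secure
    p, q = _next_prime((3 << 1022) + 1), _next_prime((3 << 1022) + (1 << 512) + 1)
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, private d)

def _encode(data):  # EMSA-PKCS1-v1_5 encoding for a 256-byte modulus
    t = PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (256 - len(t) - 3) + b"\x00" + t

def sign(data, n, d):  # vendor side, at build time; the controller never holds d
    return pow(int.from_bytes(_encode(data), "big"), d, n).to_bytes(256, "big")

def verify(data, sig, n):  # controller side, needs only the public key
    s = int.from_bytes(sig, "big")
    return len(sig) == 256 and s < n and pow(s, E, n).to_bytes(256, "big") == _encode(data)

def check_and_repair(flash, nvm_copy, n):
    """flash / nvm_copy: dicts with 'image' and 'sig'. Returns 'ok', 'repaired' or 'halt'."""
    if verify(flash["image"], flash["sig"], n):
        return "ok"
    if not verify(nvm_copy["image"], nvm_copy["sig"], n):  # assumption: copy is checked too
        return "halt"
    flash.update(nvm_copy)  # overwrite System Flash contents from the isolated copy
    return "repaired"
```

Flipping one bit of the flash image changes the SHA-256 digest, so the signature check fails and the image is restored from the copy; the controller side never needs the private exponent.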
[Figure 2 diagram labels: BIOS Boot Block; BIOS; System Flash; Sure Start Embedded Controller; BIOS Copy; Host CPU; Recovery; BIOS Boot Block Copy]