HP Sure Start with Runtime Intrusion Detection - White Paper
As implemented on HP EliteBook products equipped with 7th generation AMD processors
January 2017 
© Copyright 2017 HP Inc. 
1.4.2 BIOS setting protection overview 
HP Sure Start BIOS setting protection provides the capability to configure the system so that the HP Sure Start hardware is used to back up and integrity-check all of the BIOS settings chosen by the user.
When this feature is enabled on the platform, all policy settings used by the BIOS are backed up, and an integrity check is performed on each boot to ensure that none of the BIOS policy settings has been modified. If a change is detected, the system uses the backup held in the HP Sure Start protected storage to automatically revert to the user-defined settings.
1.4.3 Events 
The HP Sure Start BIOS setting protection feature generates an event to the HP Sure Start hardware when an attempt to modify the BIOS settings is detected. The event is logged in the HP Sure Start audit log, and the local user receives a notification from the BIOS during boot.
1.4.4 Policy controls 
The BIOS setting protection policy is disabled by default. 
To enable the feature, the owner/administrator of the client device should first configure all BIOS policies to the preferred settings. The owner/administrator also needs to configure a BIOS setup administrator password, which is required in order to use HP Sure Start BIOS setting protection.
Once that is completed, the BIOS setting protection policy should be changed to “enabled.” At this point a backup copy of all BIOS settings is created in the HP Sure Start protected storage. From then on, none of the BIOS settings can be modified locally or remotely. On each boot, the BIOS policy settings are verified to be in the desired state, and if there is any discrepancy, the BIOS settings are restored from the HP Sure Start protected storage.
To modify a BIOS setting, the BIOS administrator password must be provided and BIOS setting protection subsequently 
disabled, at which point changes can be made to the BIOS settings. 
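The following C model is an added illustration of the enable, verify-on-boot, restore and password-gated disable flow described in 1.4.2 to 1.4.4; it is not HP's code and does not reflect the Sure Start hardware implementation. The setting names, the FNV-1a digest used as the integrity value, the in-memory "protected storage" and the audit-log layout are all assumptions made for the example. The sample tampering (an out-of-policy change to the live settings) is constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the BIOS-setting protection flow. Setting names, the digest
 * and the storage layout are illustrative assumptions, not HP Sure Start internals. */

#define MAX_EVENTS 8

typedef struct {
    uint8_t secure_boot;     /* 1 = enforce, 0 = off */
    uint8_t usb_boot;        /* 1 = allow boot from USB */
    uint8_t virtualization;  /* 1 = SVM/IOMMU enabled */
    uint8_t tpm_enabled;     /* 1 = TPM visible to the OS */
} bios_settings_t;

typedef struct {
    bool protection_enabled;
    bool admin_password_set;
    bios_settings_t live;            /* copy the BIOS consults; reachable by a runtime attacker */
    bios_settings_t protected_copy;  /* snapshot in (modelled) Sure Start protected storage */
    uint32_t protected_digest;       /* integrity value over protected_copy */
    int event_count;
    char events[MAX_EVENTS][80];     /* modelled Sure Start audit log */
} platform_t;

/* FNV-1a over the settings block; stands in for the hardware's integrity check. */
static uint32_t settings_digest(const bios_settings_t *s)
{
    const uint8_t *b = (const uint8_t *)s;
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < sizeof *s; i++) {
        h ^= b[i];
        h *= 0x01000193u;
    }
    return h;
}

static void log_event(platform_t *p, const char *msg)
{
    if (p->event_count < MAX_EVENTS)
        snprintf(p->events[p->event_count++], sizeof p->events[0], "%s", msg);
}

/* Owner procedure: settings already chosen and an admin password set, then the
 * policy is flipped to enabled. Enabling is what takes the snapshot. */
bool enable_protection(platform_t *p)
{
    if (!p->admin_password_set)
        return false;                /* the paper requires a setup admin password first */
    p->protected_copy = p->live;
    p->protected_digest = settings_digest(&p->live);
    p->protection_enabled = true;
    return true;
}

/* Disabling is the only sanctioned path to changing a setting; it is password-gated. */
bool disable_protection(platform_t *p, bool admin_password_ok)
{
    if (!admin_password_ok)
        return false;
    p->protection_enabled = false;
    return true;
}

/* Runs on every boot. Returns true when a discrepancy was found, the settings were
 * restored from protected storage, and an audit event was logged. */
bool boot_integrity_check(platform_t *p)
{
    if (!p->protection_enabled)
        return false;
    if (settings_digest(&p->live) == p->protected_digest &&
        memcmp(&p->live, &p->protected_copy, sizeof p->live) == 0)
        return false;                /* settings are in the desired state */
    log_event(p, "BIOS settings modified outside policy; restored from protected storage");
    p->live = p->protected_copy;     /* revert to the owner-defined settings */
    return true;
}

int main(void)
{
    platform_t p = {0};
    p.live = (bios_settings_t){ .secure_boot = 1, .usb_boot = 0, .virtualization = 1, .tpm_enabled = 1 };

    printf("enable without admin password: %s\n", enable_protection(&p) ? "ok" : "refused");
    p.admin_password_set = true;
    printf("enable with admin password:    %s\n", enable_protection(&p) ? "ok" : "refused");

    p.live.secure_boot = 0;          /* constructed unauthorised change, e.g. from the OS */
    p.live.usb_boot = 1;
    printf("next boot restored settings:   %s\n", boot_integrity_check(&p) ? "yes" : "no");
    printf("secure_boot after boot:        %u\n", p.live.secure_boot);
    for (int i = 0; i < p.event_count; i++)
        printf("audit: %s\n", p.events[i]);
    return 0;
}
```

The point the model makes explicit is the one a practitioner should keep in mind: the verification runs at boot, so a setting altered at runtime stays altered until the next boot reverts it, and the audit event appears then. The disable path shows why the administrator password matters: without it, the protected snapshot cannot be replaced, so an attacker who can reach the live settings but not the password gains nothing persistent.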
2 Appendix A 
2.1 System Management Mode (SMM) overview 
System Management Mode (SMM) is an industry-standard mechanism used for PC advanced power-management features and other OS-independent functions while the OS is running. While the SMM term and implementation are specific to x86 architectures, many modern computing architectures use a similar architectural concept.
SMM is configured by the BIOS at boot time. The SMM code is loaded into a region of main (DRAM) memory, and the BIOS then uses special (lockable) configuration registers within the chipset to block access to this region whenever the microprocessor is not executing in SMM. These registers must be locked before control passes to the OS; otherwise privileged OS code could reach the SMM region and the isolation is void. At runtime, entry into SMM is event-driven. The chipset is programmed to recognize many types of events and timeouts. When such an event occurs, the chipset hardware asserts the System Management Interrupt (SMI) input pin. At the next instruction boundary, the microprocessor saves its entire state and enters SMM.