HP Sure Start - Technical white paper
Why is BIOS protection important?
As our world becomes more connected, cyber-attacks are targeting client device firmware and hardware with increasing
frequency and sophistication. Tools and techniques to attack firmware were once theoretical and thought to be available
only to nation-states. Such tools and techniques have since been shown not only to exist, but to be readily available
in the public domain.
The device firmware (or BIOS) is an attractive target for attackers because of the potential advantages a successful
breach could provide:
• Persistence: Firmware resides in a nonvolatile memory on the circuit board and can’t be removed simply by erasing the
hard drive.
• Control: Firmware executes at the highest privilege level—outside of the OS domain—which enables the possibility of
OS-independent malware.
• Stealth: Firmware runs largely outside the view of the operating system and system software (SMM code, for example,
executes from memory the OS cannot read), and conventional antivirus does not scan it, so an infection may never be detected.
• Difficulty of recovery: All these aspects make it extremely difficult to recover from this type of infection without resorting
to a service event that includes a system board replacement.
The ideal solution to protect devices against this type of attack is designed from the hardware up using “cyber resiliency”
principles. These principles acknowledge that it is extremely difficult, if not impossible, to foresee and prevent every
possible attack. The ideal solution therefore not only provides enhanced protection of the firmware, but also includes a
hardware-rooted ability both to detect a successful attack and to recover from it.
HP Sure Start provides superb firmware protection
HP Sure Start is HP’s unique and groundbreaking approach to providing advanced firmware protection and resiliency for
HP PCs. It uses hardware enforcement via the HP Endpoint Security Controller (HP ESC) to provide protection of the BIOS
that reaches well beyond the industry standard and ensures that the system will only boot Genuine HP BIOS. Additionally,
if HP Sure Start detects tampering with the BIOS, other platform firmware, or runtime System Management Mode (SMM) BIOS
code, it can recover using a protected backup copy.
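The protect, detect and recover flow described above, modelled as an added illustrative example. This is not HP's code and says nothing about how the HP ESC is actually implemented: the sample firmware image, the pinned-digest authenticity check (standing in for vendor signature verification), the controller-held settings key, the platform layout and all function names are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample firmware image standing in for a genuine BIOS build.
GENUINE_IMAGE = b"GENUINE-BIOS-IMAGE-build-1234"
# Pinned reference for the authenticity check. A real design verifies a
# vendor signature over the image with a public key anchored in hardware;
# a pinned SHA-256 digest is used here only to keep the example dependency-free.
GENUINE_DIGEST = hashlib.sha256(GENUINE_IMAGE).digest()
# Hypothetical secret readable only by the isolated controller; it
# authenticates the stored BIOS settings so host-side edits are detected.
CONTROLLER_KEY = b"controller-held-secret-never-exposed-to-host"


@dataclass
class Platform:
    flash: bytes                  # BIOS region in host-writable system flash
    backup: bytes                 # isolated copy the host cannot write
    settings: bytes               # live admin-configured BIOS settings
    settings_backup: bytes        # controller-held copy of the settings
    settings_tag: bytes           # HMAC over the live settings
    log: list = field(default_factory=list)   # controller-held event log


def image_is_genuine(image: bytes) -> bool:
    """Authenticity check: only an image matching the pinned reference may boot."""
    return hmac.compare_digest(hashlib.sha256(image).digest(), GENUINE_DIGEST)


def seal_settings(settings: bytes) -> bytes:
    """Tag settings with a keyed MAC that the host cannot forge."""
    return hmac.new(CONTROLLER_KEY, settings, hashlib.sha256).digest()


def new_platform(settings: bytes) -> Platform:
    """Provision a platform as shipped: genuine image in both flash and backup."""
    return Platform(GENUINE_IMAGE, GENUINE_IMAGE, settings, settings, seal_settings(settings))


def boot_check(p: Platform) -> str:
    """Pre-boot checks modelling protect, detect and recover.

    Returns 'ok' (nothing to do), 'recovered' (tampering found and repaired)
    or 'halt' (no trustworthy image available). Every anomaly is logged so a
    thwarted attack stays visible even after automatic repair.
    """
    repaired = False
    if not image_is_genuine(p.flash):
        p.log.append("BIOS integrity failure: flash image is not genuine")
        if not image_is_genuine(p.backup):
            p.log.append("backup copy also fails verification: boot refused")
            return "halt"
        p.flash = p.backup
        p.log.append("BIOS restored from protected backup copy")
        repaired = True
    if not hmac.compare_digest(seal_settings(p.settings), p.settings_tag):
        p.log.append("BIOS settings tag mismatch: settings restored from backup")
        p.settings = p.settings_backup
        p.settings_tag = seal_settings(p.settings)
        repaired = True
    return "recovered" if repaired else "ok"


if __name__ == "__main__":
    plat = new_platform(b"secure_boot=on;sure_start=on")
    plat.flash = GENUINE_IMAGE + b"\x90\x90"          # simulated implant appended to the image
    plat.settings = b"secure_boot=off;sure_start=on"  # host-side edit of a protected setting
    print(boot_check(plat))                           # recovered
    print("\n".join(plat.log))
```

The model only holds up if `backup`, `CONTROLLER_KEY` and `log` are genuinely unreachable from host software, which is exactly what an isolated controller supplies and what a BIOS-only implementation cannot; and the "halt" branch matters as much as the repair branch, since a platform that boots an unverifiable image after its backup is also corrupt has lost the property the page sets out to guarantee.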
Summary of HP Sure Start features
• HP core platform firmware authenticity enforcement and tamper protection—HP Endpoint Security Controller hardware enforcement of the system boot, so only authentic and unmodified HP firmware and HP BIOS are loaded
• Firmware health monitoring and compliance—Logging of firmware health-related events via the isolated HP Endpoint Security Controller; presents the platform firmware state along with any anomalies that could indicate thwarted attacks
• Self-healing—Automatic repair of HP BIOS and HP firmware corruption, using the HP Endpoint Security Controller isolated backup copy of HP BIOS and HP firmware
• BIOS setting protection—Extension of the HP Endpoint Security Controller protection of the BIOS code to include HP ESC backup and integrity-checking of all user- or admin-configured BIOS settings
• Runtime Intrusion Detection—Ongoing monitoring of critical BIOS code in runtime memory (SMM) while the OS is running
• Secure boot keys protection—Significantly enhanced protection of the databases and keys stored by the BIOS that are critical to the integrity of the OS secure boot feature, compared with a standard UEFI BIOS implementation
• Protected storage—Strong cryptographic methods to store BIOS settings, user credentials, and other settings in the HP Endpoint Security Controller hardware, providing integrity protection, tamper detection, and confidentiality protection for that data
• Intel® Management Engine firmware protection—Enhanced protection and recovery of the Intel Management Engine firmware
• Manageability—Administrator management of HP Sure Start capabilities with the Manageability Integration Kit (MIK) plug-in for Microsoft® System Center Configuration Manager (SCCM)
For a summary of capabilities added in each generation of HP Sure Start, see Appendix A on page 13.