HP Sure Start - Technical white paper
Why is BIOS protection important?
As our world becomes more connected, cyber-attacks are targeting client device firmware and hardware with increasing frequency and sophistication. Tools and techniques to attack firmware were once theoretical and thought only to be available to nation-states. Such tools and techniques have since been shown to not only exist, but to be readily available in the public domain.
The device firmware (or BIOS) is an attractive target for attackers because of the potential advantages a successful breach could provide:
• Persistence: Firmware resides in a nonvolatile memory on the circuit board and can’t be removed simply by erasing the hard drive.
• Control: Firmware executes at the highest privilege level—outside of the OS domain—which enables the possibility of OS-independent malware.
• Stealth: Firmware occupies a region of memory that is completely inaccessible to the operating system and system software; since it can’t be scanned by antivirus it may never be detected.
• Difficulty of recovery: All these aspects make it extremely difficult to recover from this type of infection without resorting to a service event that includes a system board replacement.
The ideal solution to protect devices against this type of attack is designed from the hardware up using “cyber resiliency” principles. These principles acknowledge that it is extremely difficult, if not impossible, to foresee and prevent every possible attack. The ideal solution not only provides enhanced protection of the firmware, but also includes a hardware-rooted ability to both detect a successful attack and recover from it.
HP Sure Start provides superb firmware protection
HP Sure Start is HP’s unique and groundbreaking approach to provide advanced firmware protection and resiliency to HP PCs. It uses hardware enforcement via the HP Endpoint Security Controller (HP ESC) to provide protection of the BIOS that reaches well beyond the industry standard and ensures that the system will only boot Genuine HP BIOS. Additionally, if HP Sure Start detects tampering with BIOS, firmware, or runtime System Management Mode (SMM) BIOS code, it can recover using a protected backup copy.
Summary of HP Sure Start features
• HP core platform firmware authenticity enforcement and tamper protection—HP Endpoint Security Controller hardware enforcement of the system boot, so only authentic and unmodified HP firmware and HP BIOS are loaded
• Firmware health monitoring and compliance—Logging of firmware health-related events via the isolated HP Endpoint Security Controller; presents the platform firmware state along with any anomalies that could indicate thwarted attacks
• Self-healing—Automatic repair of HP BIOS and HP firmware corruption, using the HP Endpoint Security Controller isolated backup copy of HP BIOS and HP firmware
• BIOS setting protection—Extension of the HP Endpoint Security Controller protection of the BIOS code to include HP ESC backup and integrity-checking of all user- or admin-configured BIOS settings
• Runtime Intrusion Detection—Ongoing monitoring of critical BIOS code in runtime memory (SMM) while the OS is running
• Secure boot keys protection—Significantly enhanced protection of the databases and keys stored by the BIOS that are critical to the integrity of the OS secure boot feature, compared with a standard UEFI BIOS implementation
• Protected storage—Strong cryptographic methods to store BIOS settings, user credentials, and other settings in the HP Endpoint Security Controller hardware, providing integrity protection, tamper detection, and confidentiality protection for that data
• Intel® Management Engine firmware protection—Enhanced protection and recovery of the Intel Management Engine firmware
• Manageability—Administrator management of HP Sure Start capabilities with the Manageability Integration Kit (MIK) plug-in for Microsoft® System Center Configuration Manager (SCCM)
For a summary of capabilities added in each generation of HP Sure Start, see Appendix A on page 13.