HP Sure Start

ManualsBrandsHP ManualsComputersEliteDesk 705 G4 Mini Desktop Computer

Technical white paper

HP Sure Start

Automatic rmware intrusion detection and repair

HP Sure Start can automatically detect, stop, and recover from a BIOS attack or

corruption without IT intervention and with little or no interruption to user

productivity. Every time the PC powers on, HP Sure Start automatically validates

the integrity of the BIOS code to help ensure that the PC is safeguarded from

malicious attacks. Once the PC is operational, runtime intrusion detection

constantly monitors memory. In the case of an attack, the PC can self-heal

using an isolated “golden copy” of the BIOS in less than a minute.

Table of contents

Why is BIOS protection important? ............................................................................................................................... 2

HP Sure Start provides superb rmware protection ................................................................................................. 2

Architectural overview and capabilities ...................................................................................................................... 3

Firmware integrity verication—the core of HP Sure Start .............................................................................. 3

Machine unique data integrity ................................................................................................................................. 5

Descriptor region ........................................................................................................................................................ 5

Network controller protection ................................................................................................................................. 5

BIOS setting protection ............................................................................................................................................. 5

HP Sure Start–protected storage ............................................................................................................................ 5

Secure boot keys protection ................................................................................................................................... 6

Runtime Intrusion Detection (RTID) ........................................................................................................................ 7

User notications, event logging, and policy management .................................................................................... 8

HP Sure Start end user notications....................................................................................................................... 8

HP Sure Start event logging ..................................................................................................................................... 8

HP Sure Start policy controls ................................................................................................................................... 9

Remote management of HP Sure Start policy controls ................................................................................... 12

Conclusion ....................................................................................................................................................................... 12

Appendix A—HP Sure Start, Gen by Gen .................................................................................................................. 13

Appendix B—System Management Mode (SMM) overview .................................................................................. 14

Appendix C—NIST SP 800-193: Platform Firmware Resiliency Guidelines ........................................................ 15

Summary of content (19 pages)

PAGE 1
Technical white paper HP Sure Start Automatic firmware intrusion detection and repair HP Sure Start can automatically detect, stop, and recover from a BIOS attack or corruption without IT intervention and with little or no interruption to user productivity. Every time the PC powers on, HP Sure Start automatically validates the integrity of the BIOS code to help ensure that the PC is safeguarded from malicious attacks. Once the PC is operational, runtime intrusion detection constantly monitors memory.
PAGE 2
Technical white paper | HP Sure Start Why is BIOS protection important? As our world becomes more connected, cyber-attacks are targeting client device firmware and hardware with increasing frequency and sophistication. Tools and techniques to attack firmware were once theoretical and thought only to be available to nation-states. Such tools and techniques have since been shown to not only exist, but to be readily available in the public domain.
PAGE 3
Technical white paper | HP Sure Start Third-party security certification The HP Endpoint Security Controller hardware used in HP Sure Start has undergone third-party security assessment and has been certified to provide hardware enforcement so that only authorized firmware can start on the target PC.1 Assurance that a security solution works as stated is a critical piece of any purchase decision related to security products.
PAGE 4
Technical white paper | HP Sure Start System ﬂash HP Endpoint Security Controller Recovery BIOS boot block copy BIOS boot block Host CPU BIOS BIOS copy System board power sequencing and reset control Figure 1. Firmware integrity verification process. protects against firmware replacement attacks regardless of their deployment method and serves as the foundation upon which HP platform security is built. Figure 1 illustrates the firmware integrity verification process.
PAGE 5
Technical white paper | HP Sure Start Additionally, for HP Intel models, HP Sure Start checks the integrity of the system flash BIOS boot block every 15 minutes while the system is running.2 Machine-unique data integrity The HP ESC and BIOS work together to provide advanced protection of factory-configured critical variables unique to each machine that are intended to be constant over the life of any specific platform.
PAGE 6
Technical white paper | HP Sure Start capabilities is critical to the security posture of the overall platform. Dynamic data includes all BIOS settings that can be modified by the end user or administrator of the device. Examples include (but are not limited to) boot options such as the secure boot feature, BIOS administrator password and related policies, Trusted Platform Module–state control, and HP Sure Start policy settings.
PAGE 7
Technical white paper | HP Sure Start • Signature database (db) • Revoked signatures database (dbx) • Key Enrollment Key (KEK) • Platform Key (PEK) updated dynamically at runtime by the OS Runtime Intrusion Detection (RTID) On each boot, the BIOS code starts execution from flash memory at a fixed address. This is known as the BIOS boot code and provides capabilities needed before the OS starts.
PAGE 8
Technical white paper | HP Sure Start Runtime Intrusion Detection architecture The RTID feature utilizes specialized hardware in the platform chipset to detect anomalies in the Runtime HP SMM BIOS. Detection of any anomalies results in a notification to the HP Endpoint Security Controller, which can take the configured policy action independent of the CPU.
PAGE 9
Technical white paper | HP Sure Start Note: Events are persistent in the HP Endpoint Security Controller even after being copied to the Windows Event Viewer. If the Windows Event Viewer is cleared, the HP Notifications Software application will replace all HP Sure Start entries on the next event that triggers it to check for HP Sure Start event logs. Types of HP Sure Start Windows Event Viewer events Event Level Definition Info Events that are expected to occur during the normal course of operation (e.
PAGE 10
Technical white paper | HP Sure Start Verify Boot Block on Every Boot HP Sure Start always verifies the integrity of the system flash BIOS boot block before resuming from sleep, hibernate, or power-off. When set to enable, HP Sure Start will also verify the integrity of the boot block on each warm boot (Windows restart). The trade-off to consider is faster restart time versus more security. The default setting of this feature is disable.
PAGE 11
Technical white paper | HP Sure Start OS is running. There are three possible configurations for this policy: • Log event only: When this setting is selected, the HP ESC logs detection events, which can be viewed in the Applications and Services Logs/HP Sure Start path of the Microsoft Windows Event Viewer.3 • Log event and notify user: This is the default setting.
PAGE 12
Technical white paper | HP Sure Start Remote management of HP Sure Start policy controls Out of the box, HP Sure Start policies are optimized for the typical user. Since HP Sure Start is enabled by default, there is no need for the remote administrator to take any action to enable (“deploy”) HP Sure Start.
PAGE 13
Technical white paper | HP Sure Start Appendix A—HP Sure Start, Gen by Gen HP introduced Sure Start in 2014. Since that time, HP has enhanced Sure Start and expanded the number of products that use it. The table below provides a summary of the capabilities that were added with each generation.
PAGE 14
Technical white paper | HP Sure Start Appendix B—System Management Mode (SMM) overview System Management Mode (SMM) is an industry-standard approach used for PC advanced power-management features and other OS-independent functions while the OS is running. While the SMM term and implementation is specific to x86 architectures, many modern computing architectures use a similar architectural concept. SMM is configured by the BIOS at boot time. The SMM code is populated into the main (DRAM) memory.
PAGE 15
Technical white paper | HP Sure Start Appendix C—NIST SP 800-193: Platform Firmware Resiliency Guidelines Released in May 2018, the NIST SP 800-193: Platform Firmware Resiliency Guidelines describe guidelines for security mechanisms to protect platform firmware against unauthorized changes, detect unauthorized changes that occur, and recover from these unauthorized changes. These guidelines outline three different resiliency properties: 1. Protected: meets all Protection and Secure Update requirements 2.
PAGE 16
Technical white paper | HP Sure Start Table 1: Critical Platform Device Firmware Protected by HP Sure Start or other technology NIST SP 800-193 Platform Architecture Reference HP Commercial PC critical platform device firmware Protected by 1. HP ESC firmware HP Sure Start Gen3 and Gen4 Embedded Controller (EC)/Super I/O (SIO) HP UEFI BIOS firmware 4. Host Processor 6. Graphics Processing Unit (GPU) when implemented as Unified Memory Architecture (UMA) 8.
PAGE 17
Technical white paper | HP Sure Start Table 2: Required functions for Host Processor Boot Firmware The table below provides a summary of each function described by NIST SP 800-193. NIST SP 800-193 HP Sure Start Roots of Trust (Section 4.1) Meets all Resiliency Requirements Gen3+ uses a hardware-based RoT (the HP ESC) with immutable boot firmware, which cryptographically verifies subsequent firmware before launching it, creating a Chain of Trust.
PAGE 18
Technical white paper | HP Sure Start NIST SP 800-193 HP Sure Start Detection of Corrupted Critical Data (Section 4.3.2) Meets all Resiliency Requirements A successful attack on the Active Critical Data will not impact Gen3+’s RTD. The RTD is maintained in a private flash area inaccessible to the system software that might compromise Active Critical Data.
PAGE 19
Technical white paper | HP Sure Start NIST SP 800-193 HP Sure Start Rollback prevention Exceeds all Resiliency Requirements Gen3+ and the UEFI boot block both have controls in place to protect against recovery to an earlier firmware version with security weaknesses. Runtime Intrusion Detection Additional Functionality not required in NISTSP800-193 NIST SP 800-193 is silent on what happens to firmware once it is loaded from nonvolatile storage (flash) into volatile storage (RAM) for execution.