HP Sure Start

Technical white paper | HP Sure Start
Third-party security certification
The HP Endpoint Security Controller hardware used in HP Sure Start has undergone third-party security assessment and
has been certified to provide hardware enforcement so that only authorized firmware can start on the target PC.[1]
Assurance that a security solution works as stated is a critical piece of any purchase decision related to security products.
And because a reputation for quality can only go so far, HP has exposed the HP Endpoint Security Controller inner
workings for review and testing by an independent and accredited laboratory to validate that it works as claimed per
publicly available criteria, methodology, and processes.
Cyber-resilient design
Not only does HP Sure Start provide enhanced BIOS protection beyond the industry standard approach, but it is
designed from the hardware up to provide unmatched platform cyber-resilience to ensure BIOS recovery even in the
event of a breach or destructive attack. HP business PCs with HP Sure Start exceed the National Institute of Standards
and Technology (NIST) Platform Firmware Resiliency guidelines (Special Publication 800-193) for host processor boot
firmware and other critical platform device firmware, as discussed in Appendix C. NIST SP 800-193 is one of the leading
public sector efforts to formalize requirements for cyber-resilient platforms. For more details about HP Sure Start and
NIST 800-193, see Appendix C.
HP Sure Start–supported models
HP introduced Sure Start in 2014. Since that time, HP has enhanced Sure Start and expanded the number of products that
include it. HP Sure Start is provided across the entire 2018 Elite product lineup, including tablets, notebooks, desktops,
and all-in-ones (AIOs). HP Sure Start Gen4 is available on HP Elite and HP Pro 600 products equipped with 8th generation
Intel or AMD® processors.
Architectural overview and capabilities
HP Sure Start consists of two major architectural components:
• HP Endpoint Security Controller running HP Sure Start firmware
• HP Sure Start BIOS working in conjunction with the HP Endpoint Security Controller hardware and firmware
Firmware integrity verification—the core of HP Sure Start
The HP Endpoint Security Controller (HP ESC) is the first device in the system to execute firmware when the system
powers up, and it is active well before the system boots. The HP ESC activities include, but are not limited to, monitoring
the system power button and power-sequencing the start of host CPU execution when the user presses the power button.
When power is first applied to the platform (before the system is turned on), the HP ESC validates that its own firmware
is authentic HP code before loading and executing that code. The HP ESC hardware uses industry-standard, strong
cryptographic methods to perform the integrity verification. The method employs a 2048-bit HP RSA public key contained
within internal permanent read-only memory. Therefore, the HP ESC is the built-in hardware-based Root of Trust (RoT)
for the platform, used to validate its firmware and the HP BIOS before they are executed. This hardware Root of Trust
[1] The HP Sure Start controller hardware has been certified per the CSPN certification framework.
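The verification step described in the "Firmware integrity verification" section above (a boot-time root of trust that refuses to execute a firmware image unless its signature verifies against an RSA-2048 public key fixed in read-only memory) is illustrated by the following added example. It is not HP's code and the page does not describe the real image format or padding scheme: the image layout, the use of SHA-256 and PKCS#1 v1.5, and the function names VerifyFirmware and SignFirmware are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage: constructed layout (not HP's real format): code plus a detached RSA signature over SHA-256(code).
type FirmwareImage struct {
	Code      []byte
	Signature []byte
}

// VerifyFirmware is the gate a boot-time root of trust applies before running an
// image: romKey is the public key held in read-only memory, and execution proceeds
// only if the signature verifies. PKCS#1 v1.5 padding is an assumption here.
func VerifyFirmware(romKey *rsa.PublicKey, img FirmwareImage) error {
	digest := sha256.Sum256(img.Code)
	if err := rsa.VerifyPKCS1v15(romKey, crypto.SHA256, digest[:], img.Signature); err != nil {
		return errors.New("firmware rejected: signature does not verify against ROM key")
	}
	return nil
}

// SignFirmware stands in for offline release signing; the private key never
// exists on the platform, only the public half is fixed in ROM.
func SignFirmware(priv *rsa.PrivateKey, code []byte) (FirmwareImage, error) {
	digest := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return FirmwareImage{}, err
	}
	return FirmwareImage{Code: code, Signature: sig}, nil
}

func main() {
	// Constructed keypair for the demo; a real platform never generates the signing key on the device.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	romKey := &priv.PublicKey
	img, _ := SignFirmware(priv, []byte("constructed ESC firmware v1"))
	fmt.Println("authentic image:", VerifyFirmware(romKey, img))
	// Flip one byte of the code, as corrupted or modified flash contents would.
	tampered := FirmwareImage{Code: append([]byte{}, img.Code...), Signature: img.Signature}
	tampered.Code[0] ^= 0x01
	fmt.Println("tampered image:", VerifyFirmware(romKey, tampered))
}
```

The same check also rejects an image signed with any key other than the one in ROM, which is what makes the public key, rather than the flash contents, the anchor of trust.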