[Figure 1 diagram labels: HP Sure Start; HP Endpoint Security Controller; Host CPU; System flash; BIOS boot block; BIOS; BIOS copy; Recovery BIOS boot block copy; System board power sequencing and reset control]
Technical white paper | HP Sure Start
protects against firmware replacement attacks regardless of their deployment method and serves as the foundation
upon which HP platform security is built.
Figure 1 illustrates the firmware integrity verification process. Once the HP ESC authenticates and starts executing the
HP Sure Start firmware, that firmware uses the same strong cryptographic operations to verify the integrity of the system
flash BIOS boot block. If a single bit is invalid, the HP ESC replaces the system flash contents with its own copy of the
HP BIOS boot block that is stored within an isolated nonvolatile memory (NVM) dedicated to the HP ESC.
The HP Sure Start design ensures that all the firmware and BIOS code running on both the HP ESC and the host CPU is the
code HP intended to be on the device.
Note: The system flash boot block integrity checking, and any needed recovery performed by the HP ESC, take place
while the host CPU is off. Therefore, from a user point of view, the entire operation takes place when the system is still off,
in sleep mode, or hibernate mode.
The system flash BIOS boot block is the foundation of the HP BIOS. The HP ESC hardware ensures that the BIOS boot
block is the first code that the CPU executes after a reset. Once the HP ESC determines that the BIOS boot block contains
authentic HP code, it allows the system to boot as it normally would.
The HP ESC also checks the integrity of the system flash boot block code each time the system is turned off or put into a
hibernate or sleep mode. Since the CPU is powered off in each of these states and the CPU is therefore required to re-execute
BIOS boot block code to resume, it is crucial to re-verify the integrity of the BIOS boot block each time to check for tampering.
Figure 1. Firmware integrity verification process.
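
The verify-then-recover flow described above, modelled in Python as an added example; it is not HP's code and does not come from the white paper. The paper does not name the cryptographic operation, so SHA-256 over the boot block region, the 4 KiB constructed boot block, and the names `EscModel`, `verify_and_recover` and `demo` are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class EscModel:
    """Toy model of the controller: isolated NVM copy plus the shared system flash."""
    nvm_boot_block: bytes   # trusted copy held in the controller's isolated NVM
    flash: bytearray        # system flash; the boot block is assumed to sit at offset 0
    events: list = field(default_factory=list)

    def __post_init__(self):
        # Reference digest pinned once from the trusted copy (assumption: the real
        # design authenticates the code cryptographically; a digest stands in here).
        self.trusted_digest = hashlib.sha256(self.nvm_boot_block).digest()

    def boot_block_is_authentic(self) -> bool:
        region = bytes(self.flash[:len(self.nvm_boot_block)])
        return hmac.compare_digest(hashlib.sha256(region).digest(), self.trusted_digest)

    def verify_and_recover(self, trigger: str) -> bool:
        """Runs while the host CPU is off. Returns True if the boot block was replaced."""
        recovered = False
        if not self.boot_block_is_authentic():
            # Any mismatch, even one bit: overwrite flash with the NVM copy.
            self.flash[:len(self.nvm_boot_block)] = self.nvm_boot_block
            recovered = True
        if not self.boot_block_is_authentic():
            # Never let the CPU start on code that still fails the check.
            raise RuntimeError("recovery failed; host CPU stays in reset")
        self.events.append((trigger, "recovered" if recovered else "ok"))
        return recovered


def demo():
    golden = bytes(range(256)) * 16                 # constructed 4 KiB boot block
    rest = b"\xa5" * 4096                           # constructed remainder of flash
    esc = EscModel(golden, bytearray(golden + rest))
    first = esc.verify_and_recover("power-on")      # clean flash: no recovery
    esc.flash[100] ^= 0x01                          # constructed single-bit change
    second = esc.verify_and_recover("sleep")        # re-check on sleep finds it
    restored = bytes(esc.flash[:len(golden)]) == golden
    untouched = bytes(esc.flash[len(golden):]) == rest
    return first, second, restored, untouched, esc.events


if __name__ == "__main__":
    print(demo())
```

The second check is the point of re-verifying on every off, sleep or hibernate transition: a change made after a clean boot is caught before the CPU re-executes the boot block.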