[Figure: HP Sure Start block diagram. Labels: HP Endpoint Security Controller; chipset embedded hardware; System BIOS; system flash; private Sure Start flash (secure copy of BIOS); main memory (DRAM) holding runtime BIOS; "ESC verifies signature"; "Copy BIOS if tampered"; "CPU loads BIOS at startup"; Monitor; Inform; The Enforcer.]
Technical white paper | HP Sure Start
• Signature database (db)
• Revoked signatures database (dbx)
• Key Enrollment Key (KEK)
• Platform Key (PEK) updated dynamically at runtime by the OS
Runtime Intrusion Detection (RTID)
On each boot, the BIOS code starts execution from flash memory at a fixed address. This is known as the BIOS boot
code and provides capabilities needed before the OS starts. However, a portion of BIOS remains in DRAM that is needed
to provide advanced power-management features, OS services, and other OS-independent functions while the OS is
running. This BIOS code, referred to as System Management Mode (SMM) code, resides in a special area within the DRAM
that is hidden from the OS. We also refer to this code as “runtime” BIOS code in the context of HP Sure Start’s Runtime
Intrusion Detection feature. (For more details on SMM and how it works, please see Appendix B on page 14).
The integrity of SMM code is critical to the client device's security posture. HP Sure Start checks that the HP SMM BIOS code
is intact at OS start. By adding new protection capabilities and/or providing a means to detect any attack on that code, Runtime
Intrusion Detection provides mechanisms to ensure that the SMM BIOS code remains intact while the OS is running.
Figure 2. Runtime Intrusion Detection uses specialized hardware embedded within the platform chipset to monitor SMM code for any changes.