HP Sure Start for AMD Technical whitepaper
July 2019
L75214-001
© Copyright 2019 HP Development Company, L.P.
1 Introduction
HP Sure Start for AMD®¹ can automatically detect, stop, and recover from a BIOS attack or corruption without IT intervention and
with little or no interruption to user productivity. Every time the PC powers on, HP Sure Start for AMD automatically validates the
integrity of the BIOS code to help ensure that the PC is safeguarded from malicious attacks. In the case of an attack, the PC can
self-heal using an isolated “golden copy” of the BIOS in less than a minute.
1.1 Why is BIOS protection important?
As our world becomes more connected, cyber-attacks are targeting client device firmware and hardware with increasing
frequency and sophistication. Tools and techniques to attack firmware were once theoretical and thought only to be available to
nation-states. Such tools and techniques have since been shown to not only exist, but to be readily available in the public domain.
The device firmware (or BIOS) is an attractive target for attackers because of the potential advantages a successful breach could
provide:
• Persistence: Firmware resides in a nonvolatile memory on the circuit board and can’t be removed simply by erasing the hard
drive.
• Control: Firmware executes at the highest privilege level—outside of the OS domain—which enables the possibility of
OS-independent malware.
• Stealth: Firmware occupies a region of memory that is completely inaccessible to the operating system and system software;
since it can’t be scanned by antivirus software, it may never be detected.
• Difficulty of recovery: All these aspects make it extremely difficult to recover from this type of infection without resulting
downtime and a potential system board replacement.
The ideal solution to protect devices against this type of attack is designed from the hardware up using “cyber resiliency”
principles. These principles acknowledge that it is extremely difficult, if not impossible, to foresee and prevent every possible
attack. The ideal solution not only provides enhanced protection of the firmware, but also includes a hardware-rooted ability to
both detect a successful attack and recover from it.
1.2 HP Sure Start for AMD provides superb firmware protection
HP Sure Start for AMD is HP’s unique and groundbreaking approach to provide advanced firmware protection and resiliency to HP
PCs. It uses hardware enforcement via the HP Endpoint Security Controller (HP ESC) to provide protection of the BIOS that reaches
well beyond the industry standard and ensures that the system will only boot Genuine HP BIOS.
Summary of HP Sure Start for AMD features:
• HP core platform firmware authenticity enforcement and tamper protection—HP Endpoint Security Controller hardware
enforcement of the system boot, so only authentic and unmodified HP firmware and HP BIOS are loaded
• Firmware health monitoring and compliance—Logging of firmware health-related events via isolated HP Endpoint
Security Controller; presents the platform firmware state along with any anomalies that could indicate thwarted attacks
• Self-healing—Automatic repair of HP BIOS and HP firmware corruption, using the HP Endpoint Security Controller isolated
backup copy of HP BIOS and HP firmware
• BIOS setting protection—Extension of the HP Endpoint Security Controller protection of the BIOS code to include HP ESC
backup and integrity-checking of all user or admin-configured BIOS settings
• Secure boot keys protection—Significantly enhanced protection of databases and keys stored by the BIOS that are critical to
the integrity of the OS secure boot feature versus standard UEFI BIOS implementation
¹ HP Sure Start for AMD is available on select HP PCs with AMD processors. See product specifications for availability.