Manualshelf

HP Sure Start for AMD Technical whitepaper

ManualsBrandsHP ManualsDesktopsHP EliteDesk 705 G5 Small Form Factor PC
12345678910
July 2019
L75214-001
HP Sure Start for AMD
© Copyright 2019 HP Development Company, L.P.
2 Architectural overview and capabilities 7
2 Architectural overview and capabilities
HP Sure Start for AMD consists of two major architectural components:
HP Endpoint Security Controller running HP Sure Start for AMD firmware
HP Sure Start for AMD BIOS working in conjunction with the HP Endpoint Security Controller hardware and firmware
2.1 Firmware integrity verificationthe core of HP Sure Start for AMD
The HP Endpoint Security Controller (HP ESC) is the first device in the system to execute firmware when the system powers up,
active well before the system boots. The HP ESC activities include, but are not limited to, monitoring the system power button and
power sequencing the start of the host CPU execution when the user presses the power button.
When power is first applied to the platform (before the system is turned on), the HP ESC validates that its own firmware is
authentic HP code before loading and executing the code. The HP ESC hardware uses industry-standard, strong cryptographic
methods to perform the integrity verification. The method employs a 2048-bit HP RSA public key contained within internal
permanent read-only memory. Therefore, the HP ESC is the built-in hardware-based Root of Trust (RoT) for the platform, used to
validate its firmware and the HP BIOS before they are executed. This hardware Root of Trust protects against firmware
replacement attacks regardless of their deployment method and serves as the foundation upon which HP platform security is
built.
Figure 1 illustrates the firmware integrity verification process. Once the HP ESC authenticates and starts executing the HP Sure
Start for AMD firmware, that firmware uses the same strong cryptographic operations to verify the integrity of the system flash
BIOS boot block. If a single bit is invalid, the HP ESC replaces the system flash contents with its own copy of the HP BIOS boot
block that is stored within an isolated nonvolatile memory (NVM) dedicated to the HP ESC.
Figure 1 Firmware integrity verification process
The HP Sure Start for AMD design ensures all the firmware and BIOS code running on both the HP ESC and the host CPU is the
code HP intended to be on the device.
HP Endpoint
Security
Controller
Host
CPU
System flash
BIOS boot
block
BIOS
BIOS copy
Recovery BIOS
boot block copy
System board
power sequencing
and reset control