HP Sure Start for AMD Technical whitepaper

July 2019
L75214-001
HP Sure Start for AMD
© Copyright 2019 HP Development Company, L.P.
2 Architectural overview and capabilities 8
NOTE: The system flash boot block integrity checking, and any recovery the HP ESC needs to perform, take place while the
host CPU is off. Therefore, from the user's point of view, the entire operation takes place while the system is still off, in sleep mode,
or in hibernate mode.
The system flash BIOS boot block is the foundation of the HP BIOS. The HP ESC hardware ensures that the BIOS boot block is the
first code that the CPU executes after a reset. Once the HP ESC determines that the BIOS boot block contains authentic HP code, it
allows the system to boot as it normally would.
The HP ESC also checks the integrity of the system flash boot block code each time the system is turned off or put into a
hibernate or sleep mode. Since the CPU is powered off in each of these states and the CPU is therefore required to re-execute
BIOS boot block code to resume, it is crucial to re-verify the integrity of the BIOS boot block each time to check for tampering.
2.2 Machine-unique data integrity
The HP ESC and BIOS work together to provide advanced protection of factory-configured critical variables unique to each
machine that are intended to be constant over the life of any specific platform. In the factory, a backup copy of this variable data is
saved in the HP ESC nonvolatile memory store. The backup is made available to the HP Sure Start for AMD BIOS component on a
read-only basis to perform integrity checking of the data on every boot. If any setting in the shared flash is different from the
factory settings, the HP Sure Start for AMD BIOS components will automatically restore the data in the System Flash from the
backup copy provided by the HP ESC.
2.3 BIOS setting protection
As previously described, HP Sure Start for AMD verifies the integrity and authenticity of the HP BIOS code. Since this code is static
after it is created by HP, digital signatures can be used to confirm both attributes of the code. The dynamic and user-configurable
nature of BIOS settings, however, creates additional challenges to protecting those settings. Digital signatures cannot be
generated by HP and used by the HP Sure Start for AMD ESC hardware to verify those settings.
HP Sure Start for AMD BIOS setting protection provides the capability to configure the system so the HP ESC hardware is used to
back up and check the integrity of all the BIOS settings preferred by the user.
When this feature is enabled on the platform, all policy settings used by BIOS are subsequently backed up and an integrity check is
performed on each boot to ensure that none of the BIOS policy settings have been modified. If a change is detected, the system
uses the backup from the HP Sure Start for AMD-protected storage to automatically revert to the user-defined setting.
The HP Sure Start for AMD BIOS setting protection feature generates events to the HP Sure Start for AMD ESC hardware when an
attempt to modify the BIOS settings is detected. The event is logged in the HP Sure Start for AMD audit log, and the local user will
receive a notification from BIOS during boot.
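The boot-time check and restore flow described in sections 2.2 and 2.3, as an added illustrative model (not HP's code or the ESC firmware): the ESC backup is exposed to the BIOS read-only, the shared-flash copy is compared against it on every boot, any differing entries are restored from the backup, and an audit event is recorded. The `EscStore` class, the settings keys, and the digest scheme are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class EscStore:
    """Hypothetical model of the ESC nonvolatile store: a settings backup
    that the BIOS may read but never write, plus an audit log."""
    backup: dict
    audit_log: list = field(default_factory=list)

    def read_backup(self) -> dict:
        # Hand out a copy so the caller cannot alter the protected backup.
        return dict(self.backup)

    def log_event(self, message: str) -> None:
        self.audit_log.append(message)


def digest(settings: dict) -> str:
    """Canonical SHA-256 over the settings so key order cannot cause a false mismatch."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def boot_time_check(system_flash: dict, esc: EscStore) -> tuple[bool, list]:
    """Compare the shared-flash settings with the ESC backup on boot.
    On mismatch, restore every differing key from the backup, log an event,
    and return (tampered, restored_keys) so the BIOS can notify the user."""
    backup = esc.read_backup()
    if digest(system_flash) == digest(backup):
        return False, []
    keys = set(system_flash) | set(backup)
    changed = sorted(k for k in keys if system_flash.get(k) != backup.get(k))
    esc.log_event(f"settings mismatch detected; restored from backup: {changed}")
    system_flash.clear()
    system_flash.update(backup)
    return True, changed


if __name__ == "__main__":
    # Constructed sample settings; not real HP setting names.
    esc = EscStore(backup={"secure_boot": "enabled", "admin_password_set": True})
    flash = esc.read_backup()
    flash["secure_boot"] = "disabled"  # simulated unauthorized modification
    print(boot_time_check(flash, esc), flash, esc.audit_log)
```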
2.4 HP Sure Start for AMD-protected storage
Protected storage rooted in the HP Endpoint Security Controller hardware provides the highest level of protection for
BIOS/firmware data and settings protected by HP Sure Start for AMD. HP Sure Start for AMD-protected storage is designed to
provide confidentiality, integrity, and tamper detection even if an attacker disassembles the system and establishes a direct
connection to the nonvolatile storage device on the circuit board.
2.4.1 Data integrity
The integrity of the dynamic data stored in nonvolatile memory by firmware and used to control the state of various capabilities is
critical to the security posture of the overall platform. Dynamic data includes all BIOS settings that can be modified by the end
user or administrator of the device. Examples include (but are not limited to) boot options such as the secure boot feature, BIOS
administrator password and related policies, Trusted Platform Module state control, and HP Sure Start for AMD policy settings.
Any successful attack that bypasses the existing access restrictions designed to prevent unauthorized modifications to these
settings could defeat the platform security. As an example, consider a scenario where an attacker makes an unauthorized