HP Sure Start for AMD Technical whitepaper
July 2019
L75214-001
© Copyright 2019 HP Development Company, L.P.
2 Architectural overview and capabilities
modification to the secure boot state to disable it without being detected. In this scenario, the platform would boot the attacker's
rootkit before the OS starts, without the user's knowledge.
Industry-standard Unified Extensible Firmware Interface (UEFI) BIOS does implement access restrictions that should prevent
unauthorized modifications to these variables, and HP implements these just like the rest of the PC industry. However, given the
risks a breach of these mechanisms poses to the platform, HP Sure Start for AMD provides secondary defenses that are stronger
than the baseline industry standard.
BIOS settings and other dynamic data that firmware uses to control platform state, and that HP Sure Start for AMD protects, are stored
in the isolated nonvolatile memory of the HP Endpoint Security Controller (HP ESC), which is not directly accessible to software
running on the host CPU.
Additionally, the HP ESC creates and appends a unique integrity measurement each time a data element is stored in this
nonvolatile memory store. The integrity measurements are based on a strong cryptographic algorithm (a hash-based message
authentication code, HMAC, using SHA-256) that is rooted in a secret contained within the HP ESC. The secret is unique to each
HP ESC, so each controller generates a different integrity measurement for an identical data element. When the data element is
read back from the nonvolatile memory, the HP ESC recalculates the integrity measurement for that data element and compares
it to the integrity measurement appended to the data. Any unauthorized change to the data in the nonvolatile memory
store results in a mismatch. Using this approach, the HP ESC can detect tampering with data elements stored in the nonvolatile
memory store.
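The keyed-measurement scheme described above, as an added model written for this page (not HP's implementation): a per-controller secret keys an HMAC-SHA256 tag that is appended on write and recomputed on read, so two controllers tag the same element differently and a host-side modification that cannot recompute the tag is detected. Class and function names are assumptions; the AES-256 confidentiality layer is not modelled here.

```python
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag is 32 bytes


class ProtectedStore:
    """Isolated store: the controller appends a keyed HMAC-SHA256 tag to each element."""

    def __init__(self, controller_secret: bytes):
        self._secret = controller_secret  # unique per controller, never exported
        self.nvm = {}                     # element name -> data || tag

    def measure(self, name: str, data: bytes) -> bytes:
        # Bind the tag to the element name too, so a valid record cannot be
        # copied over a different element without detection.
        return hmac.new(self._secret, name.encode() + b"\0" + data,
                        hashlib.sha256).digest()

    def store(self, name: str, data: bytes) -> None:
        self.nvm[name] = data + self.measure(name, data)

    def load(self, name: str) -> bytes:
        record = self.nvm[name]
        data, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        # Recompute on read and compare in constant time. A mismatch means the
        # bytes were changed by something that lacks the controller secret.
        if not hmac.compare_digest(tag, self.measure(name, data)):
            raise ValueError(f"integrity mismatch for {name}")
        return data


def demo() -> dict:
    """Constructed scenario: two controllers store the same setting; the
    first store is then modified from 'outside' the controller."""
    esc_a, esc_b = ProtectedStore(os.urandom(32)), ProtectedStore(os.urandom(32))
    setting = b"SecureBoot=Enabled"
    esc_a.store("secure_boot", setting)
    esc_b.store("secure_boot", setting)
    tags_differ = esc_a.nvm["secure_boot"] != esc_b.nvm["secure_boot"]
    # A host-side write flips the value but keeps the old tag (no secret to
    # recompute it). Same length, so only the content differs.
    old_tag = esc_a.nvm["secure_boot"][len(setting):]
    esc_a.nvm["secure_boot"] = b"SecureBoot=Disable" + old_tag
    try:
        esc_a.load("secure_boot")
        detected = False
    except ValueError:
        detected = True
    return {"tags_differ": tags_differ, "tamper_detected": detected,
            "intact_readback": esc_b.load("secure_boot") == setting}
```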
2.4.2 Data Confidentiality
For many of the data elements stored by the platform, maintaining confidentiality is critical. Examples include BIOS administrator
password hashes, user credentials, and secrets optionally stored by firmware on behalf of the user for firmware-based features
such as HP Sure Run and HP Sure Recovery.
Protection of these secrets is challenging when industry-standard UEFI BIOS approaches are used, since the nonvolatile storage is
typically readable by software running on the host processor. HP Sure Start for AMD–protected storage is intended to provide
much greater protection of this confidential data than a standard UEFI BIOS implementation.
In addition to separate isolated storage, HP Sure Start for AMD leverages the Advanced Encryption Standard (AES) hardware
block contained within the HP ESC to perform AES-256 encryption on all confidential data elements stored in the HP Sure Start for
AMD nonvolatile memory, on top of the data integrity measurements for those elements. The encryption key used is unique
to each HP ESC and never leaves that controller, so data encrypted by any individual HP ESC can only be decrypted by
that same HP ESC.
2.5 Secure boot keys protection
Compared to the industry-standard UEFI secure boot implementation, HP Sure Start for AMD provides enhanced protection of the
UEFI secure boot key databases that are stored by the firmware. These variables are critical to proper operation of the UEFI secure
boot feature that verifies integrity and authenticity of the OS bootloader before allowing it to start at boot.
HP Sure Start for AMD protects UEFI secure boot key databases by maintaining a master copy in HP Sure Start for AMD–protected
storage.
Any authorized modifications to the UEFI standard secure boot key databases by the OS during runtime are tracked by HP Sure
Start for AMD and applied to the master copy by the HP ESC. HP Sure Start for AMD then uses the master copy in HP Sure Start for
AMD–protected storage to identify and reject any unauthorized changes to the UEFI standard secure boot key databases.
This capability, enabled by default, covers the following databases:
• Signature database (db)
• Revoked signatures database (dbx)
• Key Enrollment Key (KEK)
• Platform Key (PEK) updated dynamically at runtime by the OS