Technical whitepaper
HP Sure Start for AMD
July 2019 L75214-001
Table of contents

1 Introduction
1.1 Why is BIOS protection important?
1.2 HP Sure Start for AMD provides superb firmware protection
List of figures

Figure 1 Firmware integrity verification process

© Copyright 2019 HP Development Company, L.P.
List of tables

Table 1 Types of HP Sure Start for AMD Windows Event Viewer events
Table 2 Critical Platform Device Firmware protected by HP Sure Start for AMD or other technology
Table 3 Required functions for Host Processor Boot Firmware
1 Introduction

HP Sure Start for AMD® can automatically detect, stop, and recover from a BIOS attack or corruption without IT intervention and with little or no interruption to user productivity. Every time the PC powers on, HP Sure Start for AMD automatically validates the integrity of the BIOS code to help ensure that the PC is safeguarded from malicious attacks.
• Protected storage—Strong cryptographic methods to store BIOS settings, user credentials, and other settings in the HP Endpoint Security Controller hardware to provide integrity protection, tamper detection, and confidentiality protection for that data
• Manageability—Administrator management of HP Sure Start for AMD capabilities with the Manageability Integration Kit (MIK) plug-in for Microsoft® System Center Configuration Manager (SCCM)
2 Architectural overview and capabilities

HP Sure Start for AMD consists of two major architectural components:
• HP Endpoint Security Controller running HP Sure Start for AMD firmware
• HP Sure Start for AMD BIOS working in conjunction with the HP Endpoint Security Controller hardware and firmware
NOTE: The system flash boot block integrity checking, and any needed recovery performed by the HP ESC, take place while the host CPU is off. Therefore, from a user point of view, the entire operation takes place when the system is still off, in sleep mode, or in hibernate mode.

The system flash BIOS boot block is the foundation of the HP BIOS. The HP ESC hardware ensures that the BIOS boot block is the first code that the CPU executes after a reset.
modification to the secure boot state to disable it without being detected. In this scenario, the platform would boot the attacker’s rootkit before the OS starts, without the user’s knowledge. Industry-standard Unified Extensible Firmware Interface (UEFI) BIOS does implement access restrictions that should prevent unauthorized modifications to these variables, and HP implements these just like the rest of the PC industry.
3 User notifications, event logging, and policy management

3.1 HP Sure Start for AMD end user notifications

Under normal operating conditions, HP Sure Start for AMD is invisible to the user. When HP Sure Start for AMD identifies a problem, recovery operations are automatic, using the default settings with no end user or IT interaction usually required.
Table 1 Types of HP Sure Start for AMD Windows Event Viewer events

Event level   Definition
Info          Events that are expected to occur during the normal course of operation (e.g., updating the BIOS).
Warning       Unexpected events that have occurred but were fully recovered from by HP Sure Start for AMD; no user/admin action is required for the platform to be fully operational.
notebook, a desktop, or a tablet. Manual mode is useful to users who can perform forensics on the system flash contents before repair. Typical users are not encouraged to use manual mode. The default setting of this feature is Automatic.

3.3.3 HP Sure Start BIOS Setting Protection

The BIOS setting protection policy is disabled by default.
When set to Disable, you can update the BIOS using any supported process. When the HP ESC detects a valid boot block update in the system flash, it updates the backup copy of the boot block. When set to Enable, all HP BIOS update tools refuse to update the BIOS. In addition, HP Sure Start for AMD protects the BIOS from attempts to change the BIOS version by removing the system flash via an unauthorized method. The HP ESC records the locked-down version of the BIOS.
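The power-on behaviour described in sections 2 and 3 (the ESC verifying the boot block before the host CPU runs, automatic recovery from the backup copy versus a manual mode that leaves the flash untouched for forensics, the Info/Warning event levels of Table 1, and the BIOS version lockdown) can be modelled as a short state machine. The Python below is an added illustration, not HP's firmware or any published HP API: the HMAC tag and `SIGNING_KEY` stand in for whatever cryptographic scheme the real ESC uses, the `Flash`, `make_image` and `EndpointSecurityController` names are constructed for this example, and the "Error" level used for the manual-mode halt is an assumption because Table 1's visible rows cover only Info and Warning.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed key standing in for the verification material held by the ESC.
# HP does not document its scheme here; an HMAC tag is a stand-in (assumption).
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def sign(version: str, block: bytes) -> bytes:
    """Tag a boot-block image so the ESC can tell a valid update from corruption."""
    return hmac.new(SIGNING_KEY, version.encode() + b"\0" + block, hashlib.sha256).digest()


@dataclass
class Flash:
    """The boot-block region of system flash as the ESC reads it at power-on."""
    version: str
    block: bytes
    tag: bytes


def make_image(version: str, block: bytes) -> Flash:
    """Build an authentic (correctly tagged) boot-block image."""
    return Flash(version, block, sign(version, block))


@dataclass
class EndpointSecurityController:
    """Stand-in for the HP ESC: holds the protected backup copy and the policy."""
    golden: Flash                         # protected backup copy of the boot block
    mode: str = "Automatic"               # recovery policy: "Automatic" or "Manual"
    version_lock: bool = False            # BIOS version lockdown (setting protection enabled)
    events: List[Tuple[str, str]] = field(default_factory=list)

    def _log(self, level: str, message: str) -> None:
        self.events.append((level, message))

    def check_at_power_on(self, flash: Flash) -> str:
        """Runs while the host CPU is still held in reset; returns 'boot' or 'halt'."""
        # 1. Fast path: flash matches the protected copy byte for byte.
        if flash.block == self.golden.block and hmac.compare_digest(flash.tag, self.golden.tag):
            self._log("Info", "Boot block verified; releasing host CPU")
            return "boot"
        # 2. Flash differs but carries a valid tag: an authentic BIOS update.
        if hmac.compare_digest(sign(flash.version, flash.block), flash.tag):
            if self.version_lock and flash.version != self.golden.version:
                self._log("Warning", f"Version lock: rejected BIOS {flash.version}, keeping {self.golden.version}")
                return self._recover(flash)
            self.golden = make_image(flash.version, flash.block)   # refresh the backup copy
            self._log("Info", f"Valid BIOS update to {flash.version}; backup copy refreshed")
            return "boot"
        # 3. Neither: the boot block is corrupt or was modified without authorization.
        return self._recover(flash)

    def _recover(self, flash: Flash) -> str:
        if self.mode == "Manual":
            # Leave the flash contents untouched so they can be examined before repair.
            # (Event level for this case is not shown on the page; "Error" is assumed.)
            self._log("Error", "Boot block integrity failure; manual recovery required")
            return "halt"
        flash.version, flash.block, flash.tag = self.golden.version, self.golden.block, self.golden.tag
        self._log("Warning", "Boot block corruption detected and recovered from backup copy")
        return "boot"


if __name__ == "__main__":
    esc = EndpointSecurityController(golden=make_image("1.0", b"BOOTBLOCK-v1.0"))
    tampered = make_image("1.0", b"BOOTBLOCK-v1.0")
    tampered.block = b"MODIFIED"                    # constructed corruption
    print(esc.check_at_power_on(tampered), esc.events[-1])
```

The ordering of the three checks is the point: an image is accepted as an update only if it is authentic, and an authentic image is still refused when the version lockdown is on, so a downgrade carrying a genuine older image is treated like corruption and reverted from the backup copy.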
4 Conclusion

HP Sure Start for AMD delivers these key benefits:
• Uninterrupted productivity—HP Sure Start for AMD maintains business continuity in the event of an attack or accidental corruption by eliminating downtime waiting for an IT/Service event.
• Lower cost—HP Sure Start for AMD’s ability to recover automatically reduces calls to the IT Help Desk and enhances productivity, which ultimately helps lower the maintenance cost for the platform.
5 Appendix A–NIST SP 800-193: Platform Firmware Resiliency Guidelines

Released in May 2018, the NIST SP 800-193: Platform Firmware Resiliency Guidelines describe guidelines for security mechanisms to protect platform firmware against unauthorized changes, detect unauthorized changes that occur, and recover from these unauthorized changes. These guidelines outline three different resiliency properties:
Table 2 Critical Platform Device Firmware protected by HP Sure Start for AMD or other technology

NIST SP 800-193 Platform Architecture Reference:
1. Embedded Controller (EC)/Super I/O (SIO)
4. Host Processor
6. Graphics Processing Unit (GPU) when implemented as Unified Memory Architecture (UMA)
8. Host Controller (HC) for mass storage device
• POST – Power-On Self-Test
• RoT – Root of Trust (defined in NIST SP 800-193)
• RTD – Root of Trust for Detection (defined in NIST SP 800-193)
• RTRec – Root of Trust for Recovery (defined in NIST SP 800-193)
• SMM – System Management Mode
• UEFI – Unified Extensible Firmware Interface

Table 3 Required functions for Host Processor Boot Firmware

The table below provides a summary of each function described by NIST SP 800-193.
Function: Protection of Critical Data (Section 4.2.4)
HP Sure Start for AMD: Meets all Resiliency Requirements
Critical Data, such as Secure Boot authenticated variables, is only modifiable through defined APIs provided by device firmware. These APIs employ a mechanism to authenticate that the data is originating from an authorized source before applying the change.
Function: Logging and notification
HP Sure Start for AMD: Exceeds all Resiliency Requirements
HP Sure Start for AMD will notify the user of corruption and log the event. HP Sure Start for AMD’s detection mechanism is capable of logging events when corruption is detected. HP Sure Start for AMD will notify the user of a recovery event and log the event. HP Sure Start for AMD’s detection mechanism is capable of logging events when a recovery action has taken place.
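The "Protection of Critical Data" row of Table 3 states the rule that authenticated variables such as the Secure Boot state may change only through an API that first verifies the write comes from an authorized source, and the "Logging and notification" row states that detection events are logged. The following Python is an added example of that contract, not HP's or UEFI's implementation: `AUTHORITY_KEY` and the HMAC tag stand in for the public-key signature an authorized updater would really use (assumption), the timestamp rule is the usual way such stores refuse replay of an older genuine write, and the `CriticalDataStore` and `authenticate_write` names are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed key standing in for the signing key of an authorized source
# (for example the Secure Boot platform key owner); HMAC replaces a real
# public-key signature scheme for brevity (assumption).
AUTHORITY_KEY = b"constructed-authority-key-not-a-real-secret"


def authenticate_write(name: str, value: bytes, timestamp: int) -> bytes:
    """Produce the authentication tag an authorized source attaches to a write."""
    msg = name.encode() + b"\0" + timestamp.to_bytes(8, "big") + value
    return hmac.new(AUTHORITY_KEY, msg, hashlib.sha256).digest()


@dataclass
class AuthenticatedVariable:
    value: bytes
    timestamp: int   # time of the last accepted write; later writes must be newer


class CriticalDataStore:
    """Critical data is reachable only through this API, never by a raw write."""

    def __init__(self) -> None:
        self._vars: Dict[str, AuthenticatedVariable] = {}
        self.log: List[str] = []   # detection log, in the spirit of Table 1 events

    def get(self, name: str) -> Optional[bytes]:
        var = self._vars.get(name)
        return var.value if var else None

    def set_authenticated(self, name: str, value: bytes, timestamp: int, tag: bytes) -> bool:
        """Apply a write only if its tag verifies and it is newer than the stored one."""
        expected = authenticate_write(name, value, timestamp)
        if not hmac.compare_digest(expected, tag):
            # Covers both unsigned writes and a genuine tag reused on altered data.
            self.log.append(f"REJECT {name}: authentication failed")
            return False
        current = self._vars.get(name)
        if current is not None and timestamp <= current.timestamp:
            # A captured, genuine write replayed later must not roll the variable back.
            self.log.append(f"REJECT {name}: stale timestamp {timestamp}")
            return False
        self._vars[name] = AuthenticatedVariable(value, timestamp)
        self.log.append(f"ACCEPT {name} at {timestamp}")
        return True


if __name__ == "__main__":
    store = CriticalDataStore()
    # Constructed sample: an authorized write enabling Secure Boot, then an
    # unauthenticated attempt to clear it, which is refused and logged.
    store.set_authenticated("SecureBoot", b"\x01", 100, authenticate_write("SecureBoot", b"\x01", 100))
    store.set_authenticated("SecureBoot", b"\x00", 200, b"\x00" * 32)
    print(store.get("SecureBoot"), store.log)
```

Two properties matter for the defender: the value can never be cleared without a tag that verifies under the authority's key, and an attacker who has recorded a genuine older write cannot replay it to revert the variable, because the stored timestamp only moves forward. Every refusal is logged, which is the hook a detection mechanism needs.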