HP Business Desktops BIOS
Securing the Trusted Platform State (TPS)
Administrator authentication is enabled by setting a setup password or by creating an administrator
smart card. Administrator authentication provides controls over important BIOS functions and security
policies. HP recommends that a company’s IT department establish administrator authentication on all
machines to control all changes to the BIOS. The IT department can establish a common,
organization-wide setup password or administrator smart card credential to provide easy access to all
machines by system administrators.
If no setup password or administrator smart card is established, then administrator authentication is
disabled, and anyone or any program can change BIOS settings and anyone can make BIOS flash
upgrades. A few security policy settings, however, cannot be enabled without first enabling
administrator authentication.
The first feature of administrator authentication is that it can override user authentication (see below).
This allows administrators access to a machine even if the user has a user smartcard, power-on
password or TPM preboot authentication set and the user forgets the password, or does not have the
user smart card, or the administrator needs access to the machine in the user’s absence. The setup
password can be entered at the password prompt in place of the power-on password, or the
administrator smart card can be inserted at the smart card prompt in place of the user smart card.
Administrator authentication also protects BIOS flash upgrades. If the setup password is set, the BIOS
cannot be upgraded without providing that setup password or an administrator smart card. This helps
the administrator maintain a common BIOS image and prevent undesired upgrades.
All other BIOS configuration settings, including security policies, are also protected by administrator
authentication. This includes all settings in F10 setup, except the time and date. The time and date is
the only function that is allowed to be changed without administrator privileges. By default, all BIOS
settings are protected by administrator authentication even while the OS is running. As a security
policy option, the administrator can set the BIOS to allow the OS to change legacy resources even
when administrator authentication is enabled. BIOS administrator authentication also protects setting
made via the new HP CMI interface. BIOS settings made via HP CMI are also protected by the
normal OS administrator rights and WMI security policies. For example, remote access to WMI
settings can be disabled from within Windows.
Securing the BIOS flash
The computer BIOS image is stored in a nonvolatile memory device on the motherboard known as
flash memory. In order for the computer to start and run correctly, this flash memory must contain a
valid BIOS image. The image in the flash memory may be reprogrammed from time to time to update
the BIOS version. Virus software, such as the Chernobyl virus, has been able to corrupt nonvolatile
memory, including flash memory, on some computers. When this happens, the computer motherboard
may have to be replaced because the computer may not be able to restart. The HP BIOS uses
hardware mechanisms on most HP Business Desktops to prevent access to the BIOS flash memory by
any software other than the BIOS. This hardware traps any attempts to update the flash memory that
do not originate from the BIOS itself.
BIOS images that work with HP Windows-based BIOS update tools (flash tools), such as HPQFlash
and SSM, contain a digital signature that allows the flash tools to authenticate the BIOS image. This
ensures that the image originated from HP and has not been corrupted or tampered with in any way.
As mentioned earlier, administrator authorization allows the system administrator to control all BIOS
image updates.
BIOSes on select newer products also now support TCG (Trusted Computing Group) BIOS metrics.
This is an industry standard method of measuring the BIOS and OS bootloader and storing the
measurements securely in the TPM (Trusted Platform Module). For more information on the TPM, see
white paper HP ProtectTools Embedded Security Guide. Software can then detect if the BIOS image
changes in any way.
10