Hello Iru Cai,
I'd like you to do a code review. Please visit
https://review.coreboot.org/c/coreboot/+/45577
to review the following change.
Change subject: Documentation: Introduce HP Sure Start and the method to bypass it ......................................................................
Documentation: Introduce HP Sure Start and the method to bypass it
Change-Id: Id198afdaa13b4c361e1b77a56d5a2436ed1c4c86 Signed-off-by: Iru Cai mytbk920423@gmail.com --- A Documentation/mainboard/hp/hp_sure_start.md M Documentation/mainboard/index.md 2 files changed, 58 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/45577/1
diff --git a/Documentation/mainboard/hp/hp_sure_start.md b/Documentation/mainboard/hp/hp_sure_start.md new file mode 100644 index 0000000..d1f3f67 --- /dev/null +++ b/Documentation/mainboard/hp/hp_sure_start.md @@ -0,0 +1,57 @@ +# HP Sure Start + +According to the [HP Sure Start Technical Whitepaper], HP Sure Start is a chipset +and processor independent firmware intrusion detection and automatic repair system. +It is implemented in HP notebooks since 2013, and desktops since 2015. + +This document talks about some mechanism of HP Sure Start on some machines, and +the method to bypass it. + +## Laptops with SMSC MEC1322 embedded controller + +Haswell EliteBook, ZBook and ProBook 600 series use SMSC MEC1322 embedded controller. +The EC firmware implements HP Sure Start. A Haswell EliteBook has two flash chips. +According to the strings in the EC firmware, the 16MB flash chip that stores the +BIOS firmware is called the *system flash*, and the 2MB flash chip that stores part +of the system flash content is called the *private flash*. + +The private flash is connected to the EC, and is not accessible by the OS. +It contains the following: + +- HP Sure Start policy header (starting with the string "POLI") +- A copy of the Intel Flash Descriptor +- A copy of the GbE firmware +- Machine Unique Data (MUD) +- Hashes of the IFD, GbE firmware and MUD, the hash algorithm is unknown +- A copy of the bootblock, UEFI PEI stage, and microcode + +If the IFD of the system flash does not match the hash in the private flash, for example, +modifying the IFD with ``ifdtool -u`` or ``me_cleaner -S``, the EC will recover the IFD. + +If the content of the private flash is lost. The EC firmware will still copy the IFD, +bootblock and PEI to the private flash. However, the IFD is not protected after that. + +HP Sure Start also verifies bootblock, PEI, and microcode without using the private flash. +EC firmware reads them from an absolute address of the system flash chip, which is +hardcoded in the EC firmware. It looks like this verification is done with a digital +signature. If the PEI volume is modified, EC firmware will recover it using the copy +in the private flash. If the private flash has no valid copies of the PEI volume, and +the PEI volume is modified, the machine will refuse to boot with the CapsLock LED blinking. + +## Bypassing HP Sure Start + +First search the mainboard for the flash chips. If there are two flash chips, +the smaller one may be the private flash. + +For Intel boards, try to modify the IFD with ``ifdtool -u``, power on and shut down +the machine, then read the flash again. If the IFD is not modified, it is likely to +be recovered from the private flash. Find the private flash and erase it, then the IFD +can be modified. + +To bypass the bootblock and PEI verification, we can modify the IFD to make the +BIOS region not overlap with the protected region. Since the EC firmware is usually +located at the high address of the flash chip (and in the protected region), +we can leave it untouched, and do not need to extract the EC firmware to put it in +the coreboot image. + +[HP Sure Start Technical Whitepaper]: http://h10032.www1.hp.com/ctg/Manual/c05163901 diff --git a/Documentation/mainboard/index.md b/Documentation/mainboard/index.md index 0eefee8..335eae2 100644 --- a/Documentation/mainboard/index.md +++ b/Documentation/mainboard/index.md @@ -61,6 +61,7 @@ ### EliteBook series
- [HP Laptops with KBC1126 EC](hp/hp_kbc1126_laptops.md) +- [HP Sure Start](hp/hp_sure_start.md) - [EliteBook 2560p](hp/2560p.md) - [EliteBook 8760w](hp/8760w.md)