summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Documentation/mainboard/hp/hp_sure_start.md57
-rw-r--r--Documentation/mainboard/index.md1
2 files changed, 58 insertions, 0 deletions
diff --git a/Documentation/mainboard/hp/hp_sure_start.md b/Documentation/mainboard/hp/hp_sure_start.md
new file mode 100644
index 0000000000..2c25ca3bf7
--- /dev/null
+++ b/Documentation/mainboard/hp/hp_sure_start.md
@@ -0,0 +1,57 @@
+# HP Sure Start
+
+According to the [HP Sure Start Technical Whitepaper], HP Sure Start is a chipset
+and processor independent firmware intrusion detection and automatic repair system.
+It is implemented in HP notebooks since 2013, and desktops since 2015.
+
+This document talks about some mechanism of HP Sure Start on some machines, and
+the method to bypass it.
+
+## Laptops with SMSC MEC1322 embedded controller
+
+Haswell EliteBook and ProBook 600 series use SMSC MEC1322 as their embedded controller.
+The EC firmware implements HP Sure Start. A Haswell EliteBook has two flash chips.
+According to the strings in the EC firmware, the 16MB flash chip that stores the
+BIOS firmware is called the *system flash*, and the 2MB flash chip that stores part
+of the system flash content is called the *private flash*.
+
+The private flash is connected to the EC, and is not accessible by the OS.
+It contains the following:
+
+- HP Sure Start policy header (starting with the string "POLI")
+- A copy of the Intel Flash Descriptor
+- A copy of the GbE firmware
+- Machine Unique Data (MUD)
+- Hashes of the IFD, GbE firmware and MUD, the hash algorithm is unknown
+- A copy of the bootblock, UEFI PEI stage, and microcode
+
+If the IFD of the system flash does not match the hash in the private flash, for example,
+modifying the IFD with ``ifdtool -u`` or ``me_cleaner -S``, the EC will recover the IFD.
+
+If the content of the private flash is lost. The EC firmware will still copy the IFD,
+bootblock and PEI to the private flash. However, the IFD is not protected after that.
+
+HP Sure Start also verifies the bootblock and PEI without using the private flash.
+EC firmware reads the PEI from an absolute address of the system flash chip, which is
+hardcoded in the EC firmware. It looks like this verification is done with a digital
+signature. If the PEI volume is modified, EC firmware will recover it using the copy
+in the private flash. If the private flash has no valid copies of the PEI volume, and
+the PEI volume is modified, the machine will refuse to boot with the CapsLock LED blinking.
+
+## Bypassing HP Sure Start
+
+First search the mainboard for the flash chips. If there are two flash chips, then the
+smaller one may be the private flash.
+
+For Intel boards, try to modify the IFD with ``ifdtool -u``, power on and shut down
+the machine, then read the flash again. If the IFD is not modified, it is likely to
+be recovered from the private flash. Find the private flash and erase it, then the IFD
+can be modified.
+
+To bypass the bootblock and PEI verification, we can modify the IFD to make the
+BIOS region not overlap with the protected region. Since the EC firmware is usually
+located at the high address of the flash chip (and in the protected region),
+we can leave it untouched, and do not need to extract the EC firmware to put it in
+the coreboot image.
+
+[HP Sure Start Technical Whitepaper]: http://h10032.www1.hp.com/ctg/Manual/c05163901
diff --git a/Documentation/mainboard/index.md b/Documentation/mainboard/index.md
index 0eefee82ab..335eae237c 100644
--- a/Documentation/mainboard/index.md
+++ b/Documentation/mainboard/index.md
@@ -61,6 +61,7 @@ The boards in this section are not real mainboards, but emulators.
### EliteBook series
- [HP Laptops with KBC1126 EC](hp/hp_kbc1126_laptops.md)
+- [HP Sure Start](hp/hp_sure_start.md)
- [EliteBook 2560p](hp/2560p.md)
- [EliteBook 8760w](hp/8760w.md)