HP 8300 manual If Secure Boot verification fails, Bios Signing Key, TPM and measured boot

Page 12

Technical white paper UEFI Secure Boot on HP business notebooks, desktops, and workstations

If Secure Boot verification fails

The operating system’s boot loader file is signed in accordance with the Windows Authenticated Portable Executable Signature Format specification. The paths of the boot loader files are as follows:

ESP\Microsoft\boot\bootmgfw.efi

ESP\EFI\boot\Bootx64.efi

If the file is modified in any way without a corresponding signature update, the boot loader authentication will fail. Upon failure the firmware displays a dialog box with one of the following error messages:

On notebooks:

"Selected boot image did not authenticate."

On desktops/workstations:

“Secure Boot Violation. Invalid signature detected. Check Secure Boot Policy in Setup."

The dialog box requires acknowledgment, and once it is given, the system is shut down.

The BIOS Signing Key

The Windows 8 requirement “System.Fundamentals.Firmware. UEFI Secure Boot” makes it mandatory to sign all firmware components using RSA-2048 with SHA-256. This is the default policy for acceptable signature algorithms.2

TPM and measured boot

For systems with the Trusted Platform Module (TPM) hardware chip, Windows 8 will perform a comprehensive chain of measurements, called measured boot, during the boot process. These measurements can be used to authenticate the boot process to ensure that the operating system is not compromised by root kits and other malware. Each component is measured from firmware up through the boot start drivers. These measurements are stored in the TPM on the machine. This log is then available remotely so that the boot state of the client can be verified.

Windows 8 BitLocker Platform Configuration Register (PCR) Sealing

The Windows 8 hardware certification requirements require native UEFI boot.

On a native UEFI boot system BitLocker will seal by default to the PCRs [0,2,4,11].

On Connected Standby systems, BitLocker will seal to PCRs [7,11].

Note

Conflicting Connected Standby System requirements: The WHQL demands Connected Standby systems are required to implement measurements of Secure Boot policy information into PCR [7]. The TCG requires Secure Boot policy information in PCR [6]. To reference the PCR measurement numbers, refer to Table A1 in the Appendix of this paper.

Physical presence

The TCG PPI spec 1.2 includes a new NoPPIProvision flag, with a recommended BIOS default of True. The preinstall team should set this flag to True for Windows 8 and newer OSs and set it to “False” for any other OSs. When NoPPIProvision is True and there is no TPM owner, the BIOS will not prompt for physical presence when the first Enable/Activate command is received.

When the NoPPIProvision flag is False the BIOS will prompt for physical presence.

The default for NoPPIProvision Flag

The required default for the NoPPIProvision flag is True for Windows 8. This default allows Windows 8 to take ownership of the TPM without any user confirmation.

Special China requirement with Windows 8

For China, the legal requirement is that the TPM must be shipped in a disabled state and can only be enabled with the user's physical presence.

For a physical presence prompt, if the TPM presence is enabled, the BIOS will display the message below. Otherwise, the physical presence prompt will be the normal (F1, F2) message.

惠普特别提醒:在您在系统中启用TPM功能前,请您务必确认,您将要对TPM的使用遵守相关的当地法律、

2A section of the Windows Hardware Certification Kit (WHCK, formerly called the Windows Logo Kit) http://msdn.microsoft.com/en-us/windows/hardware/gg487530.aspx

12

Image 12
Contents Table of contents Page Uefi pre-boot guidelines Hptools for HP Uefi and pre-boot applicationsSupported models HP business notebooks HP business desktops HP workstationsHP System Diagnostics during startup Bios recoveryVolume name Uefi and custom imagingRecovery partition HPTools partition Partition ESP WinRE partition C ESP C OS partitionC Recovery partition DDirectories and descriptions Disk LayoutsHow Bios launches Uefi applications For HP-signed Uefi applicationsNon-HP-signed Uefi applications Pre-boot security requirements notebooks only Signed pre-boot applicationsAdditional F10 Policies for Pre-boot Environment Secure Boot overview Secure Boot = DisabledFirmware policies Firmware policies for notebooksFirmware boot policy for desktops and workstations Boot Mode/ Secure Boot Disable EnableSecure Boot Key management for notebooks HP Platform Key Management for notebooksSecure Boot Key management for desktops and workstations Key Ownership HP Keys Fast Boot EnabledIf Secure Boot verification fails Bios Signing KeyTPM and measured boot Physical presenceWindows 8 Hybrid Boot and flash TPM auto-provisioningPost time for notebooks Post time for desktops and workstationsBoot order Boot Order for notebooksBitLocker USBLegacy Boot Order USB Floppy USB CD-ROMBoot order for desktops and workstations SATA2Network Controller Bios functionality HP Bios configuration Repset functionalityMicrosoft Digital Marker Key injection F10 Restore Default Behavior ComputracePhysical Presence Check System Configuration Device ConfigurationsUtilities Built-In Device Options Port OptionsPage PCR boot measurements for notebook products AppendixGeneral Uefi requirements PCRFor more information Resource description Web address
Related manuals
Manual 4 pages 56.97 Kb Manual 4 pages 39.59 Kb Manual 4 pages 4.61 Kb Manual 9 pages 43 Kb Manual 4 pages 30.57 Kb Manual 208 pages 14.06 Kb

8300 specifications

The HP 8300 is a versatile and efficient desktop computer designed for business environments and power users. As part of the HP Elite series, the 8300 is tailored to deliver robust performance, security, and manageability.

One of the key features of the HP 8300 is its selection of Intel processors. Users can opt for third-generation Intel Core i3, i5, or i7 CPUs, providing a range of performance levels suitable for various workloads, from basic office tasks to more intensive applications. This adaptability makes the 8300 a suitable choice for organizations needing reliable computing power.

The system supports up to 32GB of DDR3 RAM, allowing for smooth multitasking and improved efficiency in handling resource-heavy applications. The flexibility in memory options ensures that businesses can configure the machine to meet their specific needs.

For storage, the HP 8300 offers various choices including traditional Hard Disk Drives (HDD) and Solid State Drives (SSD), significantly enhancing data access speeds and system responsiveness. With multiple configuration options, users can select from up to 1TB of storage capacity, providing ample room for files and applications.

Connectivity is also a strong point for the HP 8300. The desktop is equipped with multiple USB 3.0 ports, facilitating quick file transfers and easy peripheral connectivity. Additional ports, including USB 2.0, VGA, DP, and serial ports, ensure compatibility with a wide array of devices and legacy equipment.

Security technologies are integrated within the HP 8300 framework, including features like BIOS protection, HP Client Security, and optional fingerprint readers. These security measures help safeguard sensitive data and provide an additional layer of protection against unauthorized access.

The HP 8300 also supports various operating systems, including Windows 10 Pro, ensuring organizations can deploy the desktop within their existing IT ecosystem. Furthermore, the machine’s compatibility with HP tools for remote management enhances administrators' ability to oversee multiple devices efficiently.

In summary, the HP 8300 embodies a blend of powerful hardware, extensive configuration options, robust security features, and effective management capabilities, making it a compelling desktop solution for businesses aiming for productivity and reliability. With its comprehensive feature set, it stands out as an exceptional choice for both individual and organizational computing needs.