HP_TOOLS for HP UEFI and pre-boot applications (page 3)
UEFI and custom imaging (page 4)
Firmware policies for notebooks (page 8)
Firmware boot policy for desktops and workstations (page 9)
Secure Boot Key management for notebooks (page 10)
Secure Boot Key management for desktops and workstations (page 11)
If Secure Boot verification fails (page 12)
The BIOS Signing Key (page 12)
TPM and measured boot (page 12)
POST (page 13)
Windows 8 Hybrid Boot and flash (page 13)
Boot order (page 14)
General UEFI requirements (page 22)
PCR boot measurements for notebook products (page 22)
For more information (page 23)
Technical white paper | UEFI Secure Boot on HP business notebooks, desktops, and workstations
UEFI pre-boot guidelines
As computer technology has advanced, the BIOS has expanded to handle new components, larger and more complex chipsets, add-in cards, and other enhancements. This expansion has made the BIOS increasingly intricate. The Unified Extensible Firmware Interface (UEFI) is the computer industry's solution to these BIOS limitations. UEFI is a set of modular interfaces that replaces the traditional BIOS interfaces between the OS and platform firmware.
UEFI is defined in terms of high-level C interfaces and is driver-based, scalable, and easier to debug and upgrade than legacy BIOS. It uses a modular, platform-independent architecture that can perform boot and other BIOS functions. HP uses this technology to implement a UEFI partition on all of its business notebook and desktop computers. Along with replacing the traditional BIOS interface, the HP UEFI partition adds tools to the pre-boot system environment.
The HP UEFI partition is visible on the hard drive, labeled HP_TOOLS. Starting with the 2008 HP business notebook and desktop platforms that shipped with a UEFI BIOS, HP created the UEFI partition as a FAT32 primary partition, because UEFI firmware can natively read only FAT file systems. These guidelines include specifications for the Microsoft® Windows® 8 operating system (OS).
All mentions of notebooks, desktops, and workstations in this document refer to HP business products only. For more information about UEFI, go to http://www.hp.com/go/techcenter
Supported models
Table 1 shows the HP business notebooks, desktop computers, and workstations that support the UEFI pre-boot guidelines and Windows 8 UEFI Secure Boot. Unless otherwise indicated, the information in this document applies to the notebooks, desktops, and workstations listed in Table 1. Differences in UEFI pre-boot or Secure Boot implementation between HP business products are noted where appropriate.
Table 1. HP business PCs supporting UEFI pre-boot guidelines and Windows 8 UEFI Secure Boot.

HP business notebooks      HP business desktops                  HP workstations
HP EliteBook p series      HP Compaq 8300 Elite series           EliteBook 8570w, 8770w
HP ProBook b/m/s series    HP Compaq 6300 and 6305 Pro series    Workstations Z1, Z220 (CMT/SFF), Z420, Z620, Z820
HP_TOOLS for HP UEFI and pre-boot applications
Partitions and directory paths for pre-boot deliverables have changed in Windows 8. Table 2 shows the Windows 8 changes.
Table 2. Pre-boot deliverables with partition and directory paths for Windows 8 on GPT-formatted notebooks and desktops/workstations

BIOS images
  Notebook HDD: [ESP] /UEFI/HP/BIOS [/New, /Current, /Previous]
  Desktop/workstation HDD: [ESP] /UEFI/HP/BIOS [/New, /Current, /Previous]
UEFI BIOS Update
  Notebook HDD: [ESP] /UEFI/HP/BiosUpdate
  Desktop/workstation HDD: n/a
System Diagnostics
  Notebook HDD: [ESP] /UEFI/HP/SystemDiags
  Desktop/workstation HDD: [ESP] /UEFI/HP/SystemDiags
Language
  Notebook HDD: [HP_TOOLS] /HEWLETT-PACKARD/Language
  Desktop/workstation HDD: n/a
Custom Logo
  Notebook HDD: [HP_TOOLS] /HEWLETT-PACKARD/Logo
  Desktop/workstation HDD: n/a
SpareKey
  Notebook HDD: [HP_TOOLS] /HEWLETT-PACKARD/SpareKey
  Desktop/workstation HDD: n/a
The HP UEFI applications and pre-boot applications provide extensive pre-boot functions to the system BIOS residing in the flash ROM. You can find information for GUID Partition Table (GPT) formatted disks in the Disk Layouts section of this document. On notebooks, UEFI applications are available through the F9 boot menu. On desktops and workstations, UEFI applications can be launched from the BIOS Startup Menu: Startup Menu > Run UEFI Application.
Note
Do not encrypt the HP_TOOLS partition using software encryption programs such as Windows BitLocker or Full Volume Encryption for HP ProtectTools. When the partition is encrypted, the HP pre-boot applications cannot function.
HP System Diagnostics during startup
HP System Diagnostics allows you to perform tests on the primary hard drive and system memory modules. You can also use this tool to obtain computer-related information such as model number, processor type, total memory, and serial number. To access System Diagnostics during startup, press the Esc key when the "Press Esc for startup menu" message is displayed, then press F2 to launch System Diagnostics. F2 can be used only during POST while the BIOS keys are displayed; it will not wake the system from the off state or from the Sleep/Hibernation state.
BIOS recovery
For notebooks
The BIOS Recovery utility is a notebooks-only feature that allows you to recover the BIOS image if it becomes corrupted. Initially, the BIOS recovery directory contains the first released version of the BIOS for the platform. As HP releases BIOS updates, the two HP BIOS flash utilities (HPQFlash and SSMflash) automatically refresh the recovery directory with the most current version of the BIOS. Note that the current version of the eROMPAQ flash utility does not support this function. You can use BIOS Recovery in two ways:
• Automatic detection and repair of a corrupted BIOS by flashing the BIOS image.
• Manually launch the BIOS Recovery utility by holding down the four arrow keys while pressing and releasing the power button.
For desktops and workstations
Desktops and workstations do not depend on a separate BIOS recovery utility. If the BIOS on a desktop or workstation is
corrupted during a flash, the system will automatically enter a recovery mode (signaled by an 8-blink/beep POST error
indication). During the next boot, the system will look for a valid BIOS binary file in the root directory of a USB storage device
or the HDD. If a valid BIOS binary is found, the system will use it to update the BIOS.
UEFI and custom imaging
If you use your own custom image and you want to maintain system partition functionality, you must create a FAT32
partition named HP_TOOLS. Failure to do so results in the loss of the following features:
• Automatic BIOS corruption detection and recovery
• Ability to use all System Diagnostics functions
UEFI architecture
CAUTION
Use caution when modifying the HP_TOOLS partition. The partition is not protected and can be deleted. Backing up the
computer using the Windows Complete PC Backup does not back up the UEFI partition. With no UEFI partition backup,
corruption or failure of the partition will result in loss of all data on the partition, plus loss of UEFI functionality. HP
recommends that you do not place additional data on the UEFI partition.
Volume name
The volume name is HP_TOOLSxxxx. In the initial release it is HP_TOOLS; the version number at the end of the volume name (represented here by "xxxx") is reserved for future expansion, is under the control of the HP Preinstall team, and is subject to change. Software should not hard-code the volume version. Instead, software should search for the "HP_TOOLS" prefix and identify the FAT32 HP partition using the prefix only.
The HP_TOOLS partition is not assigned a drive letter. Any application that accesses the partition first mounts it. HP CASL provides the interface for mount/unmount.
Directories and descriptions
The HP_TOOLS UEFI partition file and folder structure is similar to the Windows file and folder structure. During the installation of a UEFI application, the HP UEFI application SoftPaq unbundles into the C:\swsetup directory. The UEFI software installation then searches for the FAT32 partition labeled HP_TOOLS and installs itself into the following directory:
:\Hewlett-Packard\<softwarename>
Disk Layouts
The disk layouts vary between notebooks, desktops, and workstations as shown in the following figures:
Figure 1. Disk layouts for notebooks.
GPT-based layout: UEFI System partition (ESP), FAT32; OS partition, NTFS; Data partition 1–n (where applicable); HP_TOOLS partition, FAT32; Recovery partition.
MBR-based layout: System partition (where applicable), NTFS; OS partition, NTFS; Data partition 1–n (where applicable); HP_TOOLS partition, FAT32; Recovery partition.
Figure 2. Disk layouts for desktops.
GPT-based layout: UEFI System partition (ESP), FAT32; WinRE partition, NTFS; OS partition, NTFS; Data partition 1–n (where applicable), NTFS; Recovery partition, NTFS; HP_Tools partition, FAT32.
MBR-based layout: System partition, NTFS; WinRE partition, NTFS; OS partition, NTFS; Data partition 1–n (where applicable), NTFS; Recovery partition, NTFS; HP_Tools partition, FAT32.
Figure 3. Disk layouts for workstations.
GPT-based layout (requires UEFI/GPT boot, no data partitions on C: drive): UEFI System partition (ESP), FAT32, 360MB; WinRE partition, NTFS, 1023MB; OS partition (C:), NTFS, remainder of drive; Recovery partition (D:), NTFS, about 8GB.
HP_TOOLS Partition directories and descriptions
The HP_TOOLS partition structure should mirror the structure HP already uses on the NTFS file system, and UEFI application and pre-boot application installation should follow the rules for other HP software.
Web-released pre-boot deliverables require current SoftPaqs. When a SoftPaq is run, it extracts into the C:\swsetup directory, the same as other SoftPaqs. The pre-boot software installation should then search for the FAT32 partition with the "HP_TOOLS" label and install itself under the directory :\HEWLETT-PACKARD\<softwarename>.
For example, HP System Diagnostics and its digital signature are placed at :\HEWLETT-PACKARD\SYSTEMDIAGS\SystemDiags.efi and :\HEWLETT-PACKARD\SYSTEMDIAGS\SystemDiags.sig.
ESP partition for HP UEFI and pre-boot applications on GPT-formatted disks
When a native UEFI-aware operating system is installed, the EFI System Partition (ESP) is created automatically. Among other things, the ESP contains the boot loader image for the operating system. The ESP is an enumerable FAT32 partition and does not have a drive letter assigned. The ESP must follow the layout defined in the "UEFI System Partition Subdirectory Registry"; see http://www.uefi.org/specs/esp_registry for details.
Starting with 2012 platforms, a preinstall image of UEFI Windows 8 is available, and several HP components now reside on the ESP instead of the HP_TOOLS partition. The advantage of the ESP over HP_TOOLS is that the components remain available when you are not using the HP preinstall image. However, the default size of the ESP is 100MB, so the total size of HP's components is limited.
Installation software for these UEFI components should first enumerate all FAT32 partitions and then copy the firmware packages to the ESP. The ESP is located by comparing each partition's type GUID to the ESP type GUID defined in the UEFI Specification (version 2.3.1). If the installation software cannot find an ESP, the disk is a legacy MBR system rather than a GPT system.
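As an added illustration (not code from this paper or from HP's installers), the following Python parses a GPT partition entry array, locates the ESP by comparing each entry's partition type GUID against the ESP type GUID from the UEFI Specification, and identifies the HP_TOOLS volume by reading the FAT32 volume label from a boot sector and matching on the "HP_TOOLS" prefix only, as the Volume name section requires. The partition entries, the non-ESP GUIDs, and the boot sector are constructed sample data; a real installer would read them from the physical disk rather than from byte strings.

```python
"""Locate the ESP by GPT type GUID and the HP_TOOLS volume by FAT32 label prefix.

Added example for this white paper, not HP code. The GPT entries and the boot
sector below are constructed sample data standing in for bytes read from disk.
"""
import struct
import uuid

# EFI System Partition type GUID, UEFI Specification 2.3.1 section 5.3.3.
ESP_TYPE_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
# Microsoft "basic data" type GUID, used here only for the sample non-ESP entries.
BASIC_DATA_GUID = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")
GPT_ENTRY_SIZE = 128          # default SizeOfPartitionEntry from the GPT header
HP_TOOLS_PREFIX = "HP_TOOLS"  # match the prefix only; the xxxx suffix is HP's to change


def parse_gpt_entries(blob, entry_size=GPT_ENTRY_SIZE):
    """Parse a GPT partition entry array into dicts, skipping unused (all-zero) entries.

    GUIDs are stored on disk in the mixed-endian layout that uuid's bytes_le
    expects, so the ESP type GUID begins with bytes 28 73 2A C1 on disk.
    """
    entries = []
    for off in range(0, len(blob) - entry_size + 1, entry_size):
        e = blob[off:off + entry_size]
        type_guid = uuid.UUID(bytes_le=e[0:16])
        if type_guid.int == 0:
            continue
        first_lba, last_lba, attrs = struct.unpack_from("<QQQ", e, 32)
        name = e[56:128].decode("utf-16-le").split("\x00", 1)[0]
        entries.append({
            "type_guid": type_guid,
            "unique_guid": uuid.UUID(bytes_le=e[16:32]),
            "first_lba": first_lba,
            "last_lba": last_lba,
            "attributes": attrs,
            "name": name,
        })
    return entries


def find_esp(entries):
    """Return the ESP entry, or None: no ESP means a legacy MBR disk, not GPT."""
    for part in entries:
        if part["type_guid"] == ESP_TYPE_GUID:
            return part
    return None


def fat32_volume_label(boot_sector):
    """Read the 11-byte BS_VolLab field of a FAT32 boot sector (offset 71).

    FAT12/16 keep the label at offset 43, so check the FAT32 type string first.
    """
    if len(boot_sector) < 512 or boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector")
    if boot_sector[82:90].rstrip() != b"FAT32":
        raise ValueError("not a FAT32 boot sector")
    return boot_sector[71:82].decode("ascii", "replace").rstrip()


def is_hp_tools_label(label):
    """True for HP_TOOLS and any HP_TOOLSxxxx variant; never hard-code the suffix."""
    return label.upper().startswith(HP_TOOLS_PREFIX)


# --- constructed sample data -------------------------------------------------
def _make_entry(type_guid, unique_guid, first_lba, last_lba, name):
    """Build one 128-byte GPT entry; 72 bytes of UTF-16LE name, NUL padded."""
    return (type_guid.bytes_le + unique_guid.bytes_le
            + struct.pack("<QQQ", first_lba, last_lba, 0)
            + name.encode("utf-16-le").ljust(72, b"\x00"))


SAMPLE_GPT_ENTRIES = (
    _make_entry(ESP_TYPE_GUID, uuid.UUID(int=1), 2048, 206847, "EFI system partition")
    + _make_entry(BASIC_DATA_GUID, uuid.UUID(int=2), 206848, 99999999, "Basic data partition")
    + _make_entry(BASIC_DATA_GUID, uuid.UUID(int=3), 100000000, 104194303, "Basic data partition")
    + bytes(GPT_ENTRY_SIZE)  # unused slot
)

_bs = bytearray(512)
_bs[0:3] = b"\xEB\x58\x90"        # jump instruction; other BPB fields omitted
_bs[71:82] = b"HP_TOOLS01 "        # BS_VolLab, space padded to 11 bytes
_bs[82:90] = b"FAT32   "           # BS_FilSysType
_bs[510:512] = b"\x55\xAA"         # boot sector signature
SAMPLE_HP_TOOLS_BOOT_SECTOR = bytes(_bs)

if __name__ == "__main__":
    parts = parse_gpt_entries(SAMPLE_GPT_ENTRIES)
    esp = find_esp(parts)
    print("ESP starts at LBA", esp["first_lba"] if esp else "none (legacy MBR disk)")
    label = fat32_volume_label(SAMPLE_HP_TOOLS_BOOT_SECTOR)
    print("volume label", label, "is HP_TOOLS:", is_hp_tools_label(label))
```

The two lookups are deliberately different: the ESP is identified by the partition type GUID in the GPT entry, while HP_TOOLS is identified by the FAT32 volume label inside the partition, so an installer needs both the partition table and the first sector of each FAT32 candidate.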
How BIOS launches UEFI applications
When a UEFI application is launched, it has as much control of the system resources as the BIOS does. Because UEFI applications reside on a publicly accessible drive partition, their location alone does not make them trustworthy. The BIOS launches only UEFI applications that are considered BIOS extensions, such as HP Advanced Diagnostics and the BIOS Recovery utility.
On desktops and workstations, if Secure Boot is disabled, the user may launch any UEFI application from the Run UEFI Application option of the BIOS Startup Menu.
Note
To reduce exposure, execute only HP-signed UEFI applications.
For HP-signed UEFI applications
Every HP UEFI application consists of two files stored in the same subdirectory: filename.efi (the application) and filename.sig (its signature, which the BIOS verifies before launching the application).
Non-HP-signed UEFI applications
For notebooks
Non-HP-signed UEFI applications can be launched by booting to the UEFI Shell or to other UEFI applications with the Boot from UEFI File option. Press F9 to launch the Boot Manager; all available boot options are listed in the Boot Option Menu. Selecting Boot from UEFI File opens the File Explorer screen, which lists all available file system mappings, and each entry lets you browse that volume's structure. Once the desired UEFI application is found, highlight the entry and press Enter to launch it. For security reasons, the BIOS administrator can disable this function.
For desktops/workstations
Non-HP-signed UEFI applications can be launched from the Run UEFI Application option of the BIOS Startup Menu.
Creating or restoring an HP_TOOLS partition on the hard drive
Use the following steps to create an HP_TOOLS partition and install the related SoftPaqs onto it:
1. Use Partition Magic to create a partition on a local hard drive that already has a System partition, with the following characteristics:
• Partition type: FAT32
• Partition size: 2 GB
• Volume name: HP_TOOLS
2. In the new partition, create a folder called HEWLETT-PACKARD.
3. Refer to Table 2 for the pre-boot deliverables and their directory paths.
Errors when launching the pre-boot applications (notebooks only)
If the application launch keys fail to operate, the partition may have become corrupt. Reinstall the application using the related SoftPaq from http://www.hp.com/support. If a reinstalled application still does not function, contact technical support.
The following errors may be displayed if a problem occurs when launching UEFI applications:
• HP_TOOLS Partition not found: the BIOS cannot find a FAT32 partition whose label starts with "HP_TOOLS".
• Application not found: the BIOS cannot find the pre-boot application in its directory.
• Invalid signature: the BIOS fails to verify the signature of the pre-boot application.
If there is a backup version of the application in BIOS flash (for example, HP System Diagnostics), the BIOS launches the backup. Otherwise, the BIOS displays an error message.
Pre-boot security requirements (notebooks only)
Signed pre-boot applications
When a pre-boot application is launched, it has as much control of the system resources as the BIOS. Because these applications reside on a public hard drive partition that is easily accessed, and therefore easily tampered with, the BIOS launches only HP-signed pre-boot applications.
Additional F10 Policies for Pre-boot Environment
The BIOS F10 setup provides several policies that control the availability of the "Boot from UEFI File" option in the Boot Manager when F9 is pressed (for details, see How BIOS launches UEFI applications). To access the policies, use the following path: System Configuration > Device Configurations.
The following policies are presented:
UEFI Boot Mode
This policy controls whether the BIOS allows booting to a UEFI file. Settings:
"Disable (for legacy OS)"
"Hybrid (with CSM) (for Windows 7 64 UEFI)"
"Native (without CSM) (for Windows 8 64)"
When UEFI Boot Mode is disabled, the "Boot from UEFI File" option does not appear in the Boot Manager when F9 is pressed. In that case, the only way to launch HP UEFI applications is to use the hot key.
Customized Logo
"Enable/Disable" (Default: Disable)
The UEFI BIOS lets the user customize the logo displayed during boot. The logo is a bitmap file that a customer can add or change on the HP_TOOLS partition. Because the BIOS cannot check the signature of a customized logo bitmap, a crafted bitmap could be used to attack the BIOS POST process. An option to disable this capability is therefore provided for highly sensitive security environments.
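As an added example, not code from this paper or from HP's firmware, the following Python shows the kind of consistency check a boot-logo parser needs before it trusts an unsigned bitmap: the declared width, height and bit depth must produce a pixel-array size that fits inside the file, computed without 32-bit wraparound, and the palette and info header must not overlap the pixel data. The limits (a 4096-pixel maximum dimension, uncompressed BI_RGB only) and the sample bitmaps are assumptions and constructed data chosen for illustration.

```python
"""Sanity-check an unsigned custom boot-logo BMP before parsing its pixels.

Added example for this white paper, not HP code. Limits and samples are
assumptions chosen for illustration.
"""
import struct

MAX_DIMENSION = 4096       # assumed upper bound for a boot splash image
ALLOWED_BPP = {1, 4, 8, 24, 32}
BI_RGB = 0                 # only uncompressed bitmaps are accepted (assumption)
FILE_HDR = "<2sIHHI"       # BITMAPFILEHEADER: type, size, reserved1, reserved2, offbits
INFO_HDR = "<IiiHHIIiiII"  # BITMAPINFOHEADER: size, width, height, planes, bpp, ...
FILE_HDR_LEN = struct.calcsize(FILE_HDR)   # 14
INFO_HDR_LEN = struct.calcsize(INFO_HDR)   # 40


def row_stride(width, bpp):
    """BMP rows are padded to 4-byte boundaries."""
    return ((width * bpp + 31) // 32) * 4


def validate_bmp_header(data):
    """Return (width, height, bpp) if the headers agree with the file, else raise ValueError.

    All arithmetic is done in Python integers, so width*height*bpp cannot wrap;
    a firmware parser doing the same in uint32 must check for overflow itself.
    """
    if len(data) < FILE_HDR_LEN + INFO_HDR_LEN:
        raise ValueError("truncated header")
    magic, file_size, _, _, pixel_offset = struct.unpack_from(FILE_HDR, data, 0)
    if magic != b"BM":
        raise ValueError("bad magic")
    (info_size, width, height, planes, bpp, compression,
     _image_size, _xppm, _yppm, colors_used, _) = struct.unpack_from(INFO_HDR, data, FILE_HDR_LEN)
    if info_size < INFO_HDR_LEN or FILE_HDR_LEN + info_size > pixel_offset:
        raise ValueError("info header overlaps pixel data")
    if planes != 1 or bpp not in ALLOWED_BPP or compression != BI_RGB:
        raise ValueError("unsupported format")
    if not (0 < width <= MAX_DIMENSION and 0 < abs(height) <= MAX_DIMENSION):
        raise ValueError("dimensions out of range")   # also rejects negative width
    if bpp <= 8:
        palette_entries = colors_used or (1 << bpp)
        if FILE_HDR_LEN + info_size + 4 * palette_entries > pixel_offset:
            raise ValueError("palette overlaps pixel data")
    pixel_bytes = row_stride(width, bpp) * abs(height)
    if pixel_offset + pixel_bytes > len(data) or file_size > len(data):
        raise ValueError("pixel data extends past end of file")
    return width, height, bpp


def bmp_header_ok(data):
    """Boolean wrapper: True only if validate_bmp_header accepts the bitmap."""
    try:
        validate_bmp_header(data)
        return True
    except ValueError:
        return False


def naive_pixel_bytes_u32(width, height, bpp):
    """What a careless uint32 parser would compute for the pixel-array size."""
    return (width * height * (bpp // 8)) & 0xFFFFFFFF


# --- constructed sample bitmaps ---------------------------------------------
def make_bmp(width, height, bpp, pixel_bytes):
    """Build a BMP with the given header fields over caller-supplied pixel bytes."""
    offbits = FILE_HDR_LEN + INFO_HDR_LEN
    file_hdr = struct.pack(FILE_HDR, b"BM", offbits + len(pixel_bytes), 0, 0, offbits)
    info_hdr = struct.pack(INFO_HDR, INFO_HDR_LEN, width, height, 1, bpp,
                           BI_RGB, len(pixel_bytes), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixel_bytes


GOOD_LOGO = make_bmp(2, 2, 24, bytes(16))                         # 2 rows of 8 padded bytes
TRUNCATED_LOGO = make_bmp(2, 2, 24, bytes(8))                     # claims 2x2, carries one row
WRAPPING_LOGO = make_bmp(0x7FFFFFFF, 0x7FFFFFFF, 24, bytes(16))   # size wraps to 3 in uint32
NEGATIVE_WIDTH_LOGO = make_bmp(-2, 2, 24, bytes(16))

if __name__ == "__main__":
    for name, bmp in [("good", GOOD_LOGO), ("truncated", TRUNCATED_LOGO),
                      ("wrapping", WRAPPING_LOGO), ("negative width", NEGATIVE_WIDTH_LOGO)]:
        print(name, "accepted" if bmp_header_ok(bmp) else "rejected")
    print("naive uint32 size for the wrapping logo:",
          naive_pixel_bytes_u32(0x7FFFFFFF, 0x7FFFFFFF, 24))
```

The wrapping sample is the case that matters for firmware: a uint32 product of the declared dimensions comes out as 3 bytes, so a parser that allocates from that product and then copies rows according to the declared height writes far past its buffer. Bounding the dimensions and checking the derived size against the actual file length, as the validator does, closes that path regardless of the header's arithmetic.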