• ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.Windows 11 Support Center.
  • post a message
  • ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.Windows 11 Support Center.
  • post a message
HP Recommended
Z820
Linux

Question: What can be done to secure an older HP workstation against firmware based malware?

Notes:

1) Secure Boot doesn’t protect against the UEFI LoJax rootkit.
2) Secure Boot is a feature that is found in the UEFI setup utility but not the BIOS setup - see attached image.
3) Security community recommends keeping UEFI firmware up-to-date and, if possible, have a processor with a hardware root of trust.
4) Intel processors have Intel Boot Guard (from the Haswell family of Intel processors onwards) introduced in 2013.
5) The exploited vulnerability affects only older chipsets, make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008).

 

In summary, Boot Guard is a hardware-based technology designed to prevent malware and other unauthorized software from replacing or tampering with the low-level UEFI firmware. If the UEFI firmware isn’t signed by the OEM—that is, created by the OEM—the computer will halt and refuse to boot. That’s why you can’t modify the UEFI firmware or change it to something else. Systems targeted by LoJax usually also showed signs of these three examples of Sednit malware:
 SedUploader, a first-stage backdoor
 XAgent, Sednit’s flagship backdoor
 Xtunnel, a network proxy tool that can relay any kind of network traffic between a C&C server on the Internet and an endpoint computer inside a local network

 

HP SetupHP Setup

 

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
HP Recommended

the HP "z" series of workstations for the most part (some low end models like the z210 may not have this feature) have a checksumed bios that prevents any modified bios from being installed if you try to install a modified bios, the update program will report sucesses, but the bios is not actually updated

 

to date there are no known tools that allow a modified bios to be installed om HP systems that implement this feature short of perhaps desoldering the bios and reprograming it using a eprom programer to burn a new image onto the chip and then reinstallin said chip

View solution in original post

2 REPLIES 2
HP Recommended

the HP "z" series of workstations for the most part (some low end models like the z210 may not have this feature) have a checksumed bios that prevents any modified bios from being installed if you try to install a modified bios, the update program will report sucesses, but the bios is not actually updated

 

to date there are no known tools that allow a modified bios to be installed om HP systems that implement this feature short of perhaps desoldering the bios and reprograming it using a eprom programer to burn a new image onto the chip and then reinstallin said chip

HP Recommended

Thanks for the reply. This was the type of answer I was hoping for.

† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.