Configuring HP Sure Admin

HP Sure Admin is a password-free security technology used to control access to PC firmware, either through remote administration or through local management by field support personnel. Sure Admin relies on digital certificates and public-key cryptography, eliminating the risks associated with legacy password-based approaches.

Remote administration uses public-key pairs to authorize remote access, whereas field personnel receive one-time codes through the HP Sure Admin mobile application to access the BIOS. HP Sure Admin builds on HP Secure Platform Management on supported HP commercial devices, using Endorsement and Signing Key certificates. The Signing Key, endorsed by the Endorsement Key, signs every access to the firmware, remote and local.

We would like to thank HP’s Dan Felman and Juergen Bayer for their support and contributions in helping develop this blog. 

What is HP Secure Platform Management?

HP Secure Platform Management (SPM) is a certificate-based technology that eliminates the need for passwords. SPM serves as the cryptographic foundation on which other HP features are built: Sure Admin, Sure Recover and Sure Run.

Now we will walk through the steps to configure HP Sure Admin.

How to set up HP Sure Admin?

  • Create Endorsement, Signing and Local Access Keys
  • Anti-Replay Tactics
  • Provision the Device
  • Enable Sure Admin
  • Configure Local Access
  • Leverage Sure Admin to make BIOS changes and perform BIOS updates
  • Locally Accessing the BIOS
  • Disable Sure Admin
  • Deprovision the Device
  • Deployment Options

Pre-Requisites:

Create Endorsement, Signing and Local Access Keys

We will be using OpenSSL in our example to create the key pairs and certificates, but you can use the cryptographic tooling already in your environment to create these keys. First, we create the Endorsement Key pair and then the Signing Key pair. Next, we sign the Signing Key's public key with the Endorsement Key's private key, which prevents unauthorized changes to the Signing Key. Finally, a Local Access Key pair is created to control local BIOS access. In total, three certificates containing public-private key pairs will be created.

Endorsement Key: The Endorsement Key is the secure foundation for the platform. It protects the Signing Key and is also required to provision or deprovision the device.
Signing Key: The Signing Key is required to authorize commands to the BIOS. The private key signs command payloads. The public key, held by the BIOS, verifies those signatures, and only if a signature is accepted are the requested tasks performed in the BIOS.
Local Access Key: The provisioned LAK public key is used to confirm local access to the BIOS. The private key is used by the authenticating user to decrypt the QR code displayed on the device's screen.

Note: While creating the keys below we used a password for additional security. It is not required for provisioning Sure Admin and can be changed or removed altogether as needed in your environment. The password we have used is “test”. If a password is used, it will be required when signing every payload.

Endorsement Key -

openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -subj "/C=US/ST=State/L=City/O=Company/OU=Org/CN=SPMdemo"
openssl pkcs12 -inkey key.pem -in cert.pem -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out kek.pfx -name "HP Secure Platform Endorsement Key Certificate" -passout pass:test


Signing Key -

openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -subj "/C=US/ST=State/L=City/O=Company/OU=Org/CN=SPMdemo"
openssl pkcs12 -inkey key.pem -in cert.pem -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out sk.pfx -name "HP Secure Platform Signing Key Certificate" -passout pass:test


Local Access Key -

openssl req -x509 -nodes -newkey rsa:2048 -keyout LAKpriv.pem -out LAKcert.crt -days 3650 -subj "/C=US/ST=State/L=City/O=Company/OU=Org/CN=SPMdemo"
openssl pkcs12 -inkey LAKpriv.pem -in LAKcert.crt -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out lak.pfx -name "EBAM Local Access Key Certificate" -passout pass:test

Note: For mass deployments, the same keys will be re-used on all platforms.

Anti-Replay Tactics

Each request to the BIOS carries an incrementing counter value (referred to as a “nonce”). The nonce prevents someone from replaying an older command to roll back the state of the system. To defeat replay attacks, new commands (payloads) are only accepted when their nonce is greater than the value stored in the BIOS setting Secure Platform Management Counter; a payload identical to the previous one (same nonce and same contents) may be re-applied. If a nonce is not specified, the caller should use its own nonce derivation so that the same counter value is never used for two or more different commands.
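The counter rule described above, modelled in plain PowerShell as an added example (this is not code from the HP post and calls no CMSL cmdlet): the SpmCounterModel class stands in for the BIOS counter, and New-SpmNonce is a hypothetical helper showing one way a caller can derive a forward-only nonce when it does not want to rely on the cmdlet default.

```powershell
# Added example, not from the HP post: a model of the Secure Platform
# Management counter rule. The BIOS keeps one counter; a payload is accepted
# only when its nonce is greater than the stored counter, and the counter
# then advances. Re-applying the previous payload (same nonce, same bytes)
# is tolerated as a retry; any other payload with an old nonce is a replay.
class SpmCounterModel {
    [uint32] $Counter = 0
    [string] $LastPayloadHash = ''

    [string] Apply([uint32] $Nonce, [string] $PayloadBody) {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $hash = [System.BitConverter]::ToString(
            $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($PayloadBody)))
        if ($Nonce -gt $this.Counter) {
            $this.Counter = $Nonce
            $this.LastPayloadHash = $hash
            return 'Accepted'
        }
        if ($Nonce -eq $this.Counter -and $hash -eq $this.LastPayloadHash) {
            return 'Re-applied'   # identical payload: harmless retry
        }
        return 'Rejected'         # old nonce, or same nonce with different content
    }
}

# Hypothetical nonce derivation: whole seconds since 2000-01-01 UTC fits in a
# uint32 and is larger on every later call. Two payloads built in the same
# second would collide, so an orchestration script that emits several
# payloads in a burst should hand out explicitly incremented values instead.
function New-SpmNonce {
    param([datetime] $Now = [datetime]::UtcNow)
    $epoch = [datetime]::new(2000, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    return [uint32][math]::Floor(($Now - $epoch).TotalSeconds)
}

# Walk through the scenarios the text describes (constructed payload strings).
$bios = [SpmCounterModel]::new()
$bios.Apply(100, 'Set Fast Charge=Enable')            # Accepted
$bios.Apply(100, 'Set Fast Charge=Enable')            # Re-applied (same payload)
$bios.Apply(100, 'Set Fast Charge=Disable')           # Rejected (same nonce, new command)
$bios.Apply( 90, 'Set Fast Charge=Disable')           # Rejected (older nonce: rollback)
$bios.Apply((New-SpmNonce), 'Set Fast Charge=Disable') # Accepted (fresh nonce)
"BIOS counter is now $($bios.Counter)"
```

The model makes the operational consequence visible: once a device has accepted a payload with a clock-derived nonce, any archived payload signed earlier is dead on that device, which is exactly what stops an attacker with a captured "enable setting X" payload from re-applying it after you have changed X back.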

Provision the Device

Note: All of the following commands must be run from a PowerShell window with administrative rights. Only the Set-* cmdlets must be run on each managed device.

If the Secure Platform State on this device is not provisioned, a new Endorsement Key payload and Signing Key payload need to be created and applied. The following steps require the device to be restarted and the PIN displayed on screen to be entered; this prompt is the Physical Presence Interface (PPI). To avoid the on-screen prompt during Sure Admin deployment in non-touch scenarios, PPI can be turned off in the BIOS Security menu. By default, PPI is enabled, and turning it off itself triggers an on-screen confirmation prompt. You can disable it with the following CMSL cmdlet -

Set-HPBIOSSettingValue -Name "Physical Presence Interface" -Value "Disable" 


Let's begin by confirming the Secure Platform Management (SPM) State -

Get-HPSecurePlatformState

Note: If you previously completed this step and the State shows “Provisioned”, skip this section and move to the “Enable Sure Admin” section.

New-HPSecurePlatformEndorsementKeyProvisioningPayload -EndorsementKeyFile kek.pfx -EndorsementKeyPassword test | Set-HPSecurePlatformPayload
New-HPSecurePlatformSigningKeyProvisioningPayload -EndorsementKeyFile kek.pfx -EndorsementKeyPassword test -SigningKeyFile sk.pfx -SigningKeyPassword test | Set-HPSecurePlatformPayload


After applying the payloads, we can view the status of the Secure Platform State -

Get-HPSecurePlatformState

The provisioning state should now be ‘ProvisioningInProgress’. Restart the device to finish the provisioning process, and enter the on-screen PIN if PPI was not disabled.

After the restart (and PIN confirmation, if prompted), take another look at the Secure Platform State -

Get-HPSecurePlatformState

The state will now read ‘Provisioned’.

Enable Sure Admin

After the device is provisioned with SPM, Sure Admin can be enabled with the following CMSL commands (this sets the BIOS Enhanced BIOS Authentication Mode (EBAM) setting to Enable):

New-HPSureAdminEnablePayload -SigningKeyFile sk.pfx -OutputFile SAEnablepayload.dat -SigningKeyPassword test
Set-HPSecurePlatformPayload -PayloadFile SAEnablepayload.dat


After Sure Admin is enabled, the status can be verified with -

Get-HPSureAdminState
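Putting the provisioning and enable steps together, here is an added example script (not code from the HP post) that is safe to run repeatedly on one device: it reads the Secure Platform state and only does the work that is still outstanding. It assumes, because the post does not state it, that the object returned by Get-HPSecurePlatformState has a State property whose values are the strings shown above (‘ProvisioningInProgress’, ‘Provisioned’, and ‘NotConfigured’ for a fresh device), and that the key files and the “test” password from the OpenSSL steps are in the current directory.

```powershell
# Added example, not from the HP post: idempotent provision-then-enable for a
# single device, built from the CMSL cmdlets shown in the post. Run elevated.
# Assumed (not stated on the page): Get-HPSecurePlatformState returns an object
# with a State property reading 'NotConfigured', 'ProvisioningInProgress' or 'Provisioned'.
param(
    [string] $EndorsementKeyFile = 'kek.pfx',
    [string] $SigningKeyFile     = 'sk.pfx',
    [string] $KeyPassword        = 'test'   # password chosen in the OpenSSL steps
)
$ErrorActionPreference = 'Stop'

# The Secure Platform state decides what still has to happen on this device.
$spm = Get-HPSecurePlatformState
switch ([string] $spm.State) {
    'NotConfigured' {
        # Endorsement key first, then the signing key it endorses.
        New-HPSecurePlatformEndorsementKeyProvisioningPayload `
            -EndorsementKeyFile $EndorsementKeyFile -EndorsementKeyPassword $KeyPassword |
            Set-HPSecurePlatformPayload
        New-HPSecurePlatformSigningKeyProvisioningPayload `
            -EndorsementKeyFile $EndorsementKeyFile -EndorsementKeyPassword $KeyPassword `
            -SigningKeyFile $SigningKeyFile -SigningKeyPassword $KeyPassword |
            Set-HPSecurePlatformPayload
        Write-Warning 'Keys staged. Restart the device (confirm the PPI PIN unless PPI is disabled), then run this script again.'
        return
    }
    'ProvisioningInProgress' {
        Write-Warning 'Provisioning is waiting for a restart; restart the device and re-run.'
        return
    }
    'Provisioned' {
        Write-Host 'Secure Platform already provisioned; continuing to Sure Admin.'
    }
    default { throw "Unexpected Secure Platform state: $($spm.State)" }
}

# Enable Sure Admin (EBAM) with a signed payload. The payload is written to
# disk so the exact bytes applied can be archived with the change record.
$payload = Join-Path $env:TEMP 'SAEnablePayload.dat'
New-HPSureAdminEnablePayload -SigningKeyFile $SigningKeyFile `
    -SigningKeyPassword $KeyPassword -OutputFile $payload
Set-HPSecurePlatformPayload -PayloadFile $payload

# Report the resulting Sure Admin state for the change record.
Get-HPSureAdminState
```

Because the script exits after staging the keys, the mandatory restart is never skipped by accident, and re-running it after the restart picks up at the enable step without re-submitting the provisioning payloads.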


Configure Local Access

We will now discuss steps to configure Local Access Key (LAK). This would be useful for field technicians to access the BIOS on the device when physically in front of it. This is not mandatory but highly recommended. Once LAK is provisioned, any attempt to enter the BIOS will be interrupted with a QR code and a response box to enter an access code on the screen.

There are two different ways in which LAK can be accessed by the Sure Admin application – with KMS Server or locally. We will be using the LAK file generated in the initial key creation steps. Depending on your environment, follow either option 1 or 2 below.

Option #1: Key Management Service (KMS): The most secure way to use the LAK private key is to set up a remote KMS. The HP Softpaq SP136698 is required to set up an Azure KMS service provider. When configured, the QR code is scanned and the Local Access KMS in Azure exposes web APIs that the HP Sure Admin Local Access Authenticator application uses to obtain a one-time access PIN (entered at the BIOS screen) for authorized users, without ever exposing the private Local Access Key. The HP Client Management Script Library provides a cmdlet for uploading a Local Access Key into the Azure KMS.

Note: If the company chooses the KMS method, the LAK provisioning payload also contains information pointing to the Azure KMS service module, passed via the “KeyEnrollmentData” argument below.

New-HPSureAdminLocalAccessKeyProvisioningPayload -SigningKeyFile sk.pfx -SigningKeyPassword test -LocalAccessKeyFile lak.pfx -LocalAccessKeyPassword test -OutputFile LAKPayload.dat -KeyEnrollmentData "2?{'V':'2','KMS':{'URL':'https://myKMS.azurewebsites.net/api'}}"
Set-HPSecurePlatformPayload -PayloadFile LAKPayload.dat
Send-HPSureAdminLocalAccessKeyToKMS -LocalAccessKeyFile lak.pfx


Option #2: LAK is stored in the Sure Admin app (for non-KMS environments)

New-HPSureAdminLocalAccessKeyProvisioningPayload -LocalAccessKeyFile lak.pfx -SigningKeyFile sk.pfx -LocalAccessKeyPassword test -OutputFile LAKpayload.dat -SigningKeyPassword test
Set-HPSecurePlatformPayload -PayloadFile LAKPayload.dat

Next, generate the QR code for the phone certificate from the LAK. Scan it with the Sure Admin application to save the key in the app; that key is what authorizes local access to the BIOS.

Convert-HPSureAdminCertToQRCode -LocalAccessKeyFile lak.pfx -LocalAccessKeyPassword test -OutputFile LAK_QRCode.jpg -Passphrase test

Note: In a non-KMS setup this QR code must be scanned to generate the key that grants local access to the BIOS; there is no other way for the Sure Admin application to recognize that its owner should be granted access. The key is saved in the application's “View My Keys” section.

After the local access is configured using either method, we can verify the state with the following command -

Get-HPSureAdminState

At this stage, Sure Admin is configured and any attempts to access the BIOS locally or remotely will be interrupted and will not be permitted without the Sure Admin key pair.

Now we will look at how to make a BIOS setting change with Sure Admin configured.

Leverage Sure Admin to make BIOS changes and perform BIOS updates

Perform a BIOS Setting Change

To make a BIOS setting change with Sure Admin enabled, a signed payload needs to be created and applied. For example, we will be enabling the Fast Charge setting with the commands below -

New-HPSureAdminBIOSSettingValuePayload -Name "Fast Charge" -Value Enable -SigningKeyFile sk.pfx -OutputFile payload.dat -SigningKeyPassword test
Set-HPSecurePlatformPayload -PayloadFile payload.dat

Perform a BIOS Update

To perform a BIOS update, the .bin file is required, and the path will need to be specified when creating a new payload. See below for an example -

New-HPSureAdminFirmwareUpdatePayload -File bios.bin -SigningKeyFile sk.pfx -SigningKeyPassword test -OutputFile payload.dat
Update-HPFirmware -File bios.bin -PayloadFile payload.dat


Locally Accessing the BIOS

When a technician is physically present at a device and wants to enter the BIOS, they can use the Sure Admin app to scan the QR code that is displayed when Sure Admin is enabled and F10 is pressed at power-on.

Open the Sure Admin app and click on Scan QR code to scan the code.

Whichever method was used when configuring local access (KMS or LAK stored in the app), scanning the QR code shows a PIN to enter in the “Enter Response Code” box below the QR code.

For KMS systems, this works through Azure account permissions; for the local setup it works through the key stored in the application, which was generated from the original LAK and is the other half of the pair that grants access.

Now we will cover disabling Sure Admin and deprovisioning Secure Platform Management

Disable Sure Admin

If you no longer wish to use Sure Admin on a device, follow the steps below to disable it.

Before disabling Sure Admin, let’s verify the state of it -

Get-HPSureAdminState


If Sure Admin is enabled, we can continue to disable it with the steps below –

  • Disable Enhanced BIOS Authentication Mode (EBAM)
  • Deprovision Local Access Key
  • Deprovision Signing Key
  • Deprovision Endorsement Key

New-HPSureAdminBIOSSettingValuePayload -SigningKeyFile sk.pfx -Name "Enhanced BIOS Authentication Mode Local Access Key 1" -Value "" -OutputFile LAKDepropayload.dat -SigningKeyPassword test
Set-HPSecurePlatformPayload -PayloadFile LAKDepropayload.dat
New-HPSureAdminDisablePayload -SigningKeyFile sk.pfx -OutputFile SADisablePayload.dat -SigningKeyPassword test
Set-HPSecurePlatformPayload -PayloadFile SADisablePayload.dat


Deprovision the Device

If you would like the device to be deprovisioned, this can be achieved with the commands below -

New-HPSecurePlatformDeprovisioningPayload -EndorsementKeyFile kek.pfx -EndorsementKeyPassword test | Set-HPSecurePlatformPayload


To verify that the device is deprovisioned, let’s check the Secure Platform State -

Get-HPSecurePlatformState


Deployment Options

So far, we have covered how to set up and use Sure Admin on a single device. To replicate this for multiple devices in your environment you have the following options:

  • Configuration Manager: Within Configuration Manager you can take advantage of MIK (HP's plugin for SCCM) to deploy Sure Admin, or alternatively use the steps above with the Client Management Script Library (CMSL). To use CMSL it must be pushed to each device before following the steps above. Any manageability tool capable of pushing out scripts can be used to take advantage of Sure Admin.
  • Microsoft Endpoint Manager/Intune: For cloud customers, HP offers HP Connect for deploying and managing Sure Admin along with all BIOS configuration. This is a simple and fast way to manage and protect your BIOS.
  • Manage devices individually: If none of the above options apply to you, you can always configure and manage devices individually by replicating the setup above with the same keys.
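For the script-push route, the property that makes a fleet rollout safe is the one stated earlier in this post: only the Set-* cmdlets have to run on the managed device. The following added example (not code from the HP post or from HP Connect/MIK) signs a BIOS setting change once on the administrator's workstation, where sk.pfx lives, and applies the resulting payload to many devices over PowerShell Remoting, so the private signing key is never copied to an endpoint. It assumes CMSL is installed on every target, WinRM is enabled, the device names are constructed placeholders, and that New-HPSureAdminBIOSSettingValuePayload accepts the -Nonce parameter (drop that argument if your CMSL version does not).

```powershell
# Added example, not from the HP post: sign once on the admin workstation,
# apply on many devices. Assumptions: CMSL present on targets, WinRM enabled,
# -Nonce accepted by New-HPSureAdminBIOSSettingValuePayload, placeholder names.
param(
    [string[]] $ComputerName   = @('LAPTOP-001', 'LAPTOP-002'),  # constructed placeholders
    [string]   $SettingName    = 'Fast Charge',
    [string]   $SettingValue   = 'Enable',
    [string]   $SigningKeyFile = 'sk.pfx',
    [string]   $KeyPassword    = 'test'   # password chosen in the OpenSSL steps
)
$ErrorActionPreference = 'Stop'

# One nonce per change: whole seconds since 2000-01-01 UTC, larger on every
# run, which satisfies the "greater than the stored counter" rule on devices
# that only ever receive payloads from this workstation.
$epoch = [datetime]::new(2000, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
$nonce = [uint32][math]::Floor(([datetime]::UtcNow - $epoch).TotalSeconds)

# Build and sign the payload locally; the file name records the nonce so the
# archived payload can be matched to the BIOS counter later.
$payloadPath = Join-Path $env:TEMP "$($SettingName -replace '\s', '')-$nonce.dat"
New-HPSureAdminBIOSSettingValuePayload -Name $SettingName -Value $SettingValue `
    -SigningKeyFile $SigningKeyFile -SigningKeyPassword $KeyPassword `
    -Nonce $nonce -OutputFile $payloadPath
$payloadBytes = [System.IO.File]::ReadAllBytes($payloadPath)

# Apply on each device and read the setting back. Only Set-*/Get-* cmdlets run
# remotely; sk.pfx never leaves this workstation.
$results = Invoke-Command -ComputerName $ComputerName -ArgumentList $payloadBytes, $SettingName -ScriptBlock {
    param([byte[]] $Bytes, [string] $Name)
    $local = Join-Path $env:TEMP 'sureadmin-payload.dat'
    [System.IO.File]::WriteAllBytes($local, $Bytes)
    try {
        Set-HPSecurePlatformPayload -PayloadFile $local
        [pscustomobject]@{
            Device  = $env:COMPUTERNAME
            Applied = $true
            Value   = (Get-HPBIOSSettingValue -Name $Name)
            Error   = $null
        }
    } catch {
        [pscustomobject]@{
            Device  = $env:COMPUTERNAME
            Applied = $false
            Value   = $null
            Error   = $_.Exception.Message
        }
    } finally {
        Remove-Item $local -ErrorAction SilentlyContinue
    }
}

# Devices that rejected the payload (for example because their counter is
# already ahead of this nonce) show Applied = False with the BIOS error text.
$results | Format-Table Device, Applied, Value, Error -AutoSize
```

Reading the setting back with Get-HPBIOSSettingValue turns the rollout into a verifiable change: the result table is the evidence that each device both accepted the signed payload and now reports the intended value.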

Authored By Casey Monroe and Meghna Gupta