HP’s Endpoint Security Controller: More Details About A New Chip in HP Notebooks
by Anton Shilov on May 2, 2019 2:00 PM EST
One of HP’s key announcements this spring was its revamped security initiative for PCs that includes hardware, software, and deep learning-based approaches. The software and DL parts of the things were discussed earlier this month, but the hardware-based Endpoint Security Controller remained more or less a mystery. This is why we asked HP to talk about it in more detail.
When it was announced, the company said that the HP Endpoint Security Controller is indeed a separate piece of silicon that sits inside HP’s PCs and performs certain security-based tasks. The ESC features a general-purpose processor core, HP’s custom hardware IP blocks, and embedded software. What is interesting is that HP has been installing the controller into its laptops since the EliteBook 800 G1 series launched in 2013, but has been very secretive about it until recently.
Initially, HP used the Endpoint Security Controller only for its Sure Start technology that can 'heal'/recover the system BIOS. Fast forward to 2019, and the controller has gained capabilities. HP now uses it to protect Intel’s Management Engine, and to enable its Sure Run and Sure Recover capabilities.
HP stresses that it is focused to continue to explore features of its ESC to make its HP Elite as well as select HP Pro business computers and select ZBook workstations the most secure mobile PCs on the market. Without disclosing any future plans, HP essentially implies that in the future it can use the Endpoint Security Controller for other security-related features.
HP’s ESC with all the bells and whistles is currently used in the company's sixth-generation EliteBook 800-series as well as HP ZBook 14u and 15u workstations. Eventually, capabilities of the Endpoint Security Controller will migrate to other systems too.
One of the key things about the ESC disclosure is that it shows PC makers are prepared to implement their own hardware-based methods to improve security of their premium PCs aimed at professionals. One would hope that this is a good news, assuming the controllers are sufficiently audited and not just obfuscated, but it will be interesting to see when and if HP incorporates its Endpoint Security Controller into premium consumer and mainstream consumer PCs.
Related Reading
- HP’s Security Push: Sure Sense & Endpoint Security Controller
- New HP ZBook 14u & ZBook 15u Portable Workstations
- HP’s Cascade Lake Z6 & Z8 Xeon Scalable Workstations with Up to 6 TB Optane
- HP Launches ProBook 400 G6 Series: Thinner & Sleeker Workhorses
Source: HP
Facebook
Twitter
RSS
33 Comments
View All Comments
DigitalFreak - Friday, May 3, 2019 - link
I just ran into that issue after a BIOS update on the in-law's HP computer. After the update, the Samsung SSD that had been in there for years was no longer recognized. Come to find out HP purposefully blocked 3rd party SSDs with that update. I will never buy another HP PC.leexgx - Friday, May 3, 2019 - link
More then likely be the update reset bios defaults and made the system unbootable (probably need to set secure boot back on witch enables uefi mode or the update reset the bios to cms/standard mode)An hp bios update has never turned it into an apple pc before
Ashinjuka - Friday, May 3, 2019 - link
Anecdotally, I had something similar happen to me a month or two ago, refitting a HP desktop with a Samsung 860 Evo. I installed the new SSD, installed Windows, all was fine. Then I updated the BIOS and the machine wouldn't boot anymore. I put the drive in another machine, it was fine. I put other drives in the HP, it was fine & would boot. But nothing could get the Evo back to working with that HP. I posted on the Anatech forums and on the HP forums. Ultimately I just stuck a different, older SSD that I had lying around in there, installed Windows again, and deployed it to the user.I didn't have to to really drill down into what happened exactly, but I can definitely confirm that following a BIOS update, that 860 Evo no longer worked in that machine, while working in other machines, and other drives worked in that machine.
Ashinjuka - Friday, May 3, 2019 - link
^Didn't have time toAlso FWIW I tried every sort of setting including changes to Secure Boot and resetting the BIOS. I just ran out of time to keep futzing with it, slapped another SSD in there and deployed.
StrangerGuy - Thursday, May 2, 2019 - link
Something NSA something backdoors.jay.t - Thursday, May 2, 2019 - link
To which is say HELL NO! I don't want undocumented, non-free stuff running behind the scenes on my PC's. If this was FOSS software, and allowed you to customise + turn it off, maybe it'd be interested, but otherwise, a hard no from me.69369369 - Thursday, May 2, 2019 - link
lol u triggered m8?nandnandnand - Thursday, May 2, 2019 - link
u a shill m9?leexgx - Friday, May 3, 2019 - link
You do have to actually enable this security feature to be able to use it (disabled by default)peevee - Friday, May 3, 2019 - link
But can you be sure it is actually disabled and does not spy on your every IP packet and/or camera and or mic feed without your knowledge?