Preboot Security Requirements; Signed Preboot Applications; Additional F10 Policies For Preboot Environment - HP 2230s - Compaq Business Notebook Manuallines

7. Preboot Security Requirements

Signed Preboot Applications

When a preboot application is launched, it has as much control of the system
resource as the BIOS. Since these applications reside on the public hard drive
partition which are easily accessible and thus hacked, it's necessary for BIOS to
only launch HP signed preboot applications.

Additional F10 Policies for Preboot Environment

BIOS F10 provides several policies to control the availability of Boot from EFI File
option in the Boot Manager when F9 is pressed (for details, see How EFI Launches
EFI Applications)
System Configuration ‐> Device Configurations
UEFI Boot Mode Enable/Disable Default: Disable
This policy controls whether the BIOS allows to boot to an EFI file. For security,
it's recommended to be disabled.
When UEFI Boot Mode is disabled, the "Boot from EFI File" option will not show
up in the Boot Manager when F9 is pressed. In such a case, the only way to
launch HP EFI applications is to use the hot key.
Customized Logo
The EFI BIOS provides the nice feature for the user to customize the logo
displaying during the boot. The logo is a bitmap file that a customer can
add/change on the HP_TOOLS partition.
Since BIOS can't check the signature of the customized logo bitmap files, it may
be used as an attack tool of the BIOS post process. Thus an option is needed to
disable this capability for the highly sensitive security environment.
HP QuickLook E nable/Disable
The EFI BIOS provides the following policy to control the availability of the
QuickLook application option.
HP QuickWeb Enable/Disable
Enable/Disable
Default: Enable
Default: Enable
Default: Disable
5