One of HP’s key announcements this spring was its revamped security initiative for PCs, which includes hardware, software, and deep learning-based approaches. The software and deep learning parts were discussed earlier this month, but the hardware-based Endpoint Security Controller remained more or less a mystery. This is why we asked HP to talk about it in more detail.

When it was announced, the company said that the HP Endpoint Security Controller is indeed a separate piece of silicon that sits inside HP’s PCs and performs certain security-based tasks. The ESC features a general-purpose processor core, HP’s custom hardware IP blocks, and embedded software. What is interesting is that HP has been installing the controller into its laptops since the EliteBook 800 G1 series launched in 2013, but has been very secretive about it until recently.

Initially, HP used the Endpoint Security Controller only for its Sure Start technology that can 'heal'/recover the system BIOS. Fast forward to 2019, and the controller has gained capabilities. HP now uses it to protect Intel’s Management Engine, and to enable its Sure Run and Sure Recover capabilities.


HP stresses that it will continue to explore features of its ESC in order to make its HP Elite PCs, select HP Pro business computers, and select ZBook workstations the most secure mobile PCs on the market. Without disclosing any future plans, HP essentially implies that it can use the Endpoint Security Controller for other security-related features in the future.

HP’s ESC with all the bells and whistles is currently used in the company's sixth-generation EliteBook 800-series as well as HP ZBook 14u and 15u workstations. Eventually, capabilities of the Endpoint Security Controller will migrate to other systems too.

One of the key things about the ESC disclosure is that it shows PC makers are prepared to implement their own hardware-based methods to improve the security of their premium PCs aimed at professionals. One would hope that this is good news, assuming the controllers are sufficiently audited and not merely obfuscated, but it will be interesting to see when and if HP incorporates its Endpoint Security Controller into premium and mainstream consumer PCs.

Source: HP

  • satai - Thursday, May 2, 2019 - link

    Dear HP (Intel...), have I asked you to install undocumented HW and SW on my devices?
  • peevee - Friday, May 3, 2019 - link

    You did not. But government and enterprise customers might choose HP over competitors just because it sounds good.
    What benefits it brings over ubiquitous TPC and ME is a question. What is for sure is that it is yet another attack surface, and security support of it will not be quick/consistent/long (or even exist) after it is sold.
  • satai - Sunday, May 5, 2019 - link

    I am pretty sure enterprises and gov had not asked for undocumented chips either...
  • GreenReaper - Friday, May 3, 2019 - link

    Your best defence is to not buy those devices. Money talks loudest of all.
  • satai - Sunday, May 5, 2019 - link

    It's easy to say.
    It's hard to do.

    How can I avoid such a thing that is installed for years without public disclosure?

    Open hardware is a possible way out but the options are limited now.
  • willis936 - Thursday, May 2, 2019 - link

    Things that make you go “yikes”, for 500.
  • PeachNCream - Thursday, May 2, 2019 - link

    Whether or not it's interesting to learn about the endpoint security controller's integration into various HP notebooks or if it's just Google levels of creepy depends a lot on what ESC does.
  • fazalmajid - Thursday, May 2, 2019 - link

    To quote Count Dooku: "Twice the pride, double the fall".
  • BurntMyBacon - Monday, May 6, 2019 - link

    Wasn't that just before he got both hands cut off?
  • austinsguitar - Thursday, May 2, 2019 - link

    just seems like another way hp can use hardware to lock people from using hdd and ssd that they want... not to mention ddr4 and other things. they did it in the past!
