Boot ROM with WP (Write Protection) pin and related protection technics

I (as end user) need ability to protect from modification software set (executable part first) after installation (e.g. install & protect own (user) distribution)
This will be nice to have protected, secured and trusted (to end user) computing platform.

For example, Novena miss this though use i.MX 6Q. (There is no NAND and/or NOR ROM and NAND pins is not routed at all !)

i.MX6 & i.MX8M support boot (internal boot mode) from NOR and NAND which often equipped with WP pin and provide good bus speed.

Second Boot ROM, same NAND/NOR in parallel switchable by CS with HW switch is also desired To recover or monitor opposite ROM.

IMHO HAB (High Assurance Boot), the crypto based code protection (secure boot) is suited when Manufacturer (of device) wana protect code from modification by other agents (including owner (of device, end user)).
HAB looks useless for protection when SW is assembled and/or compiled and/of packaged by owner/user itsef.
For two main reasons : 1.Less reliable protection than WP pin, 2. Much more efforts to install/upgrade SW.
And last, it require irreversible programming of eFUSE bits, which is OTP.
i.MX support strap pins to select boot options.

Modern software stack ready to separation to RO and RW parts.
There is list of SW which (IMHO) must be placed to ROM with WP:
1.Initial (pre - U-boot) stage
5.Most FS (except /var & user data, wich in their order mounted with noexec option))
(from 1 to 4 must undoubtedly !)
So, with 5 rest of FS will be placed on writable flash.

One more step farther. Rest part of FS or whole FS should be placed on MMC/SD card (accessible to install/remove without case disassemble). But this for another topic.

As resume: if librem 5 will be equipped boot ROM with WP pin and HW switch it will be many more benefit and popular (IMHO)
Ideal: Two switchable (with HW switch) boot ROMs with WP pins and RW flash for rest of FS.
Ideal HW switch is small HW switch accessible with paper clip pin without disassembling case, but at least resistor footprint on PCB.

What are/will planned ?

1 Like

HW - hardware
SW - software
WP - write protect (pin, signal, switch)
ROM - read only memory (Flash here, mostly NAND)
CS - chip select (pin or signal)
OTP - one time programmable
FS - file system
SD - secure digital flash card
MMC - MultiMediaCard flash card
PCB – printed circuit board