This is another topic, as mentioned here:
Boot ROM with WP (Write Protection) pin and related protection technics
To better understand ideas stand behind, recommend to read this (with replacing words laptop or PC to phone):
Evil Maid Attack:
State considered harmful - A proposal for a stateless laptop:
That is easily to keep phone out of reach (physically) malicious than PC and much more easily to keep microSD/MMCmicro out of reach malicious then the phone,
so keep private data in external SD/MMC is better. So despite other boot option mutability it need to be external SD/MMC slot for user data and/or booting.
Many boot options available on i.MX8, let review some practically usable:
-
WP NAND/NOR + SD/MMC (internal or external)
Porvide protection from on-line viruses because there is no possible to write in executable part of storage media (boot or FS).
But more vulnerable to Evil Maid Attack. -
SD/MMC only (internal or external)
Solve Rutkowska problem with stateless computer HW. But lack of on-line virus protection, which can write in executable part of storage media (boot or FS).
(SD/MMC has no WP pin ) -
Factory load. Serial downloader. From (external or internal) USB to recover or examine ROM content or HW overall.
External host with special SW required. Not usable for every day boot unless you have specialized uController stick. -
HAB. Secure boot with signed SW images. Require irreversible eFUSE programing and maintaining host with keys and managing/compiling SW.
This solution is mainly as secure as secure host with keys and require handling more points (in security view) of trust.
IMHO this is not very suitable for ordinary not very rich and technically experienced user. More perspective for centralized management in organizations.
So 1 and 2 is most appropriate for everyday use but preferences between them depends on use case.
Best is to implement NAND/NOR boot capability and ability to select (by HW switch) boot device (NAND/NOR of SD/MMC).
If the phone has internal (replacing require case disassembly) and external (easy replacing without case disassembly) SD/MMC slots
there is question (for 1,2,4) about of load priority between internal and external SD/MMC.
This not evident which is best and this is not changeable in 2 and maybe 4 (at least easily) without PCB rerouting or special hi-speed bus switches,
but for my personal preferences external slot is primary (should be tried to boot first).
In this case more trusted external card can check state of internal if needed (if we think of Evil Maid Attack scenario)
Out of topic. Protection SD/MMC card used for external boot and examining.
Probably some NAND chip based normal sized SD/MMC can be upgraded to fit out WP switch and then connect to micro slot via adapter.
This is sufficient protection from somehow survived malicious code on phone or wrong boot option setup.
To resume, required:
Selectable boot devices (one of three options selectable by HW switch (without case disassembly)):
- NAND/NOR
- SD/MMC (external slot (primary) first try, internal slot second try)
- Optional. Second NAND/NOR
Note. No any other ROM (except i.MX internal) must be used in boot process. And boot device selection is making by switching strap pins of i.MX.
HW - hardware
SW - software
WP - write protect (pin, signal, switch)
FS - file system
SD - secure digital flash card
MMC - MultiMediaCard flash card
PCB - printed circuit board
ROM - read only memory