
[This is a copy of a reply I sent to another list.]

| From: David Collier-Brown <davec-b@rogers.com>
| Who can talk about (intel or arm) boot? I'm looking at a problem that can be
| solved by setting up a device at boot time and not letting the OS have the
| privilege or perhaps the physical ability to change it...

Not enough information for me to understand the constraints.

What's your threat model?

- Are you scared of the OS, the user of the OS, or something else?
- Are you scared of random misbehaviour or an intentional attack?
- Can you control physical access to all or part of the system?

What would enforce change prevention? Some things come to mind:

- the device itself could be set in an unchangeable mode after setup
  + eg. a physical switch that latches until "reset" (but this becomes a recursive problem: how to prevent the OS from resetting the device).
- security through obscurity: ability to change the device is hidden behind a secret handshake only known to the initiates. We generally distrust this kind of approach.
- security through a layer of indirection that implements the protection policy that you require
  + put a little controller (Raspberry Pi?) between the device and the computer. You would probably need physical protection of the device from the Bad Guys (an OS? A bad operator?)
  + run the OS under a VM system that implements the policy.
  + Conventional PCs have a mysterious "SMM" that overrides anything that the OS thinks it can do. It is part of the firmware commonly called the BIOS and isn't easily mucked with by mortals. With a high enough budget, SMM might be a useful vector.

But maybe you already have a solution in mind, with some blank bits, and haven't sketched this for us.
participants (1)
- D. Hugh Redelmeier