<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><tt>I have not had much experience with ARM booting but with
Intel devices a normal Linux kernel has the ability to write to any
and all devices.</tt></p>
<p><tt>If you boot with something like Xen then you should be able
to lock out some devices because the Xen kernel is actually
managing the system security.</tt></p>
<p><tt>There is a Xen kernel available for ARM but I have never
worked with it.</tt></p>
<p>Likely the easiest would be to put the boot into a write
protected USB device.</p>
<p>Take a look at
<a class="moz-txt-link-freetext" href="http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/">http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/</a></p>
<p>It appears that my suggestion of an SD card may have been a bad one
since, from the above article, SD cards are using the switch only as
a signal to the OS of write-protectedness.</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 01/05/2017 09:15 AM, David
Collier-Brown via talk wrote:<br>
</div>
<blockquote
cite="mid:58a17db6-aace-ba5f-77bd-b9f9c1837607@rogers.com"
type="cite">
<div class="moz-cite-prefix">The intention is to put the device
setup into the boot ROM, so it can't (easily) change, but the
working assumption is that one can<br>
<ul>
<li>discard the privilege used to set up the device, or</li>
<li>be physically unsettable after it is initialized</li>
</ul>
I don't know the privilege primitives for Intel/ARM, or if one
needs a latch somewhere to make the device write-once: I'd love
to talk to someone who does.<br>
<br>
--dave<br>
<br>
<br>
<br>
On 05/01/17 08:47 AM, Alvin Starr via talk wrote:<br>
</div>
<blockquote
cite="mid:62dd60d0-05ef-e0e4-17a9-b165e8332dee@netvel.net"
type="cite">
<p><tt>You need a write only device.</tt></p>
<p><tt>You could boot from a CD/DVD which is write only.</tt></p>
<p><tt>Or possibly an SD card that has the write-lock enabled.</tt></p>
<p><tt>If the computer does not support an SD card you could use
a USB card reader to boot from.</tt></p>
<p><tt>Of course in the worst case situation someone smart
enough could rewrite the BIOS and get around any boot
device.</tt></p>
<p><tt><br>
</tt></p>
<div class="moz-cite-prefix">On 01/05/2017 08:38 AM, David
Collier-Brown via talk wrote:<br>
</div>
<blockquote
cite="mid:23225a26-bd1c-8552-85b9-5ecda6bec0a7@rogers.com"
type="cite">
<p><font size="-1">Who can talk about (Intel or ARM) boot? I'm
looking at a problem that can be solved by setting up a
device at boot time and not letting the OS have the
privilege or perhaps the physical ability to change it...</font></p>
<p><font size="-1">--dave</font><br>
</p>
<pre class="moz-signature" cols="72">--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:davecb@spamcop.net">davecb@spamcop.net</a> | -- Mark Twain
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">---
Talk Mailing List
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:talk@gtalug.org">talk@gtalug.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://gtalug.org/mailman/listinfo/talk">https://gtalug.org/mailman/listinfo/talk</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Alvin Starr || voice: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:alvin@netvel.net">alvin@netvel.net</a> ||
</pre>
<br>
</blockquote>
<br>
<p><br>
</p>
<pre class="moz-signature" cols="72">--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:davecb@spamcop.net">davecb@spamcop.net</a> | -- Mark Twain
</pre>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Alvin Starr || voice: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
<a class="moz-txt-link-abbreviated" href="mailto:alvin@netvel.net">alvin@netvel.net</a> ||
</pre>
</body>
</html>