<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><tt>I have not had much experience with ARM booting, but with
        Intel devices a normal Linux kernel has the ability to write to any
        and all devices.</tt></p>
    <p><tt>If you boot with something like Xen, then you should be able
        to lock out some devices, because the Xen kernel is actually
        managing the system security.</tt></p>
    <p><tt>There is a Xen kernel available for ARM but I have never
        worked with it.</tt></p>
    <p>Likely the easiest would be to put the boot into a
      write-protected USB device.</p>
    <p>Take a look at
<a class="moz-txt-link-freetext" href="http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/">http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/</a></p>
    <p>It appears that my suggestion of an SD card may be a bad one,
      since according to the above article SD cards use the switch only as
      a signal to the OS that the card is write-protected.</p>
    <br>
    <div class="moz-cite-prefix">On 01/05/2017 09:15 AM, David
      Collier-Brown via talk wrote:<br>
    </div>
    <blockquote
      cite="mid:58a17db6-aace-ba5f-77bd-b9f9c1837607@rogers.com"
      type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      <div class="moz-cite-prefix">The intention is to put the device
        setup into the boot ROM, so it can't (easily) change, but the
        working assumption is that one can<br>
        <ul>
          <li>discard the privilege used to set up the device, or</li>
          <li>be physically unsettable after it is initialized</li>
        </ul>
        I don't know the privilege primitives for Intel/ARM, or if one
        needs a latch somewhere to make the device write-once: I'd love
        to talk to someone who does.<br>
        <br>
        --dave<br>
        <br>
        <br>
        <br>
        On 05/01/17 08:47 AM, Alvin Starr via talk wrote:<br>
      </div>
      <blockquote
        cite="mid:62dd60d0-05ef-e0e4-17a9-b165e8332dee@netvel.net"
        type="cite">
        <meta content="text/html; charset=utf-8"
          http-equiv="Content-Type">
        <p><tt>You need a write only device.</tt></p>
        <p><tt>You could boot from a CD/DVD which is write only.</tt></p>
        <p><tt>Or possibly an SD card that has the write-lock enabled.</tt></p>
        <p><tt>If the computer does not support an SD card you could use
            a USB card reader to boot from.</tt></p>
        <p><tt>Of course, in the worst-case situation, someone smart
            enough could rewrite the BIOS and get around any boot
            device.</tt></p>
        <div class="moz-cite-prefix">On 01/05/2017 08:38 AM, David
          Collier-Brown via talk wrote:<br>
        </div>
        <blockquote
          cite="mid:23225a26-bd1c-8552-85b9-5ecda6bec0a7@rogers.com"
          type="cite">
          <meta http-equiv="content-type" content="text/html;
            charset=utf-8">
          <p><font size="-1">Who can talk about (Intel or ARM) boot? I'm
              looking at a problem that can be solved by setting up a
              device at boot time and not letting the OS have the
              privilege, or perhaps the physical ability, to change it...</font></p>
          <p><font size="-1">--dave</font><br>
          </p>
          <pre class="moz-signature" cols="72">-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:davecb@spamcop.net">davecb@spamcop.net</a>           |                      -- Mark Twain
</pre>
          <br>
          <br>
          <pre wrap="">---
Talk Mailing List
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:talk@gtalug.org">talk@gtalug.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://gtalug.org/mailman/listinfo/talk">https://gtalug.org/mailman/listinfo/talk</a>
</pre>
        </blockquote>
        <br>
        <pre class="moz-signature" cols="72">-- 
Alvin Starr                   ||   voice: (905)513-7688
Netvel Inc.                   ||   Cell:  (416)806-0133
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:alvin@netvel.net">alvin@netvel.net</a>              ||
</pre>
        <br>
      </blockquote>
      <br>
      <pre class="moz-signature" cols="72">-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:davecb@spamcop.net">davecb@spamcop.net</a>           |                      -- Mark Twain
</pre>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Alvin Starr                   ||   voice: (905)513-7688
Netvel Inc.                   ||   Cell:  (416)806-0133
<a class="moz-txt-link-abbreviated" href="mailto:alvin@netvel.net">alvin@netvel.net</a>              ||
</pre>
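    <p>Added example, not from any message in this thread: the Linux software analogue of "discard the privilege used to set up the device", which David asks about above. It uses two one-way latches that Linux offers a process on both Intel and ARM: <tt>PR_SET_NO_NEW_PRIVS</tt>, which cannot be cleared once set and is inherited by every child, and dropping <tt>CAP_SYS_RAWIO</tt> (the capability that gates <tt>/dev/mem</tt> and <tt>ioperm()</tt>/<tt>iopl()</tt> from user space) from the capability bounding set, which cannot be re-added for that process tree. The function names are my own. The caveat is the one Alvin makes: these latches bind user space only; the kernel itself, or anything that can rewrite the firmware, can still write to any device, and a hardware write-once latch is a separate mechanism that Linux does not provide. It needs the Linux headers; the bounding-set drop succeeds only when the caller holds <tt>CAP_SETPCAP</tt> and otherwise fails with <tt>EPERM</tt>, which the code reports rather than hides.</p>

```c
/*
 * Added example (not from the mailing-list thread). Linux only.
 *
 * Two one-way privilege latches a process can pull after a privileged
 * setup phase, before handing control to less-trusted code:
 *
 *  - PR_SET_NO_NEW_PRIVS: once set, execve() can no longer grant
 *    privileges (setuid bits, file capabilities). The kernel accepts
 *    only the value 1, so the flag cannot be cleared, and children
 *    inherit it.
 *  - PR_CAPBSET_DROP: removes a capability from the bounding set of the
 *    process and its descendants; it cannot be re-added. CAP_SYS_RAWIO
 *    is the one gating /dev/mem and ioperm()/iopl().
 *
 * Caveat: this constrains user space only. The kernel (or anything that
 * can rewrite firmware) can still write to any device.
 */
#include <errno.h>
#include <stdio.h>
#include <linux/capability.h>   /* CAP_SYS_RAWIO */
#include <sys/prctl.h>

/* Set the no_new_privs latch and read it back.
 * Returns 1 when the latch is set, -1 if prctl() refused. */
int latch_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Attempt to clear the latch. A stock kernel only accepts arg2 == 1,
 * so this fails with EINVAL. Returns that errno, or 0 if the kernel
 * unexpectedly allowed the clear. */
int try_clear_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* 1 if cap is still in this process's bounding set, 0 if not,
 * -1 (with errno) if cap is not a valid capability number. */
int has_bounding_cap(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Drop cap from the bounding set. Returns 0 on success, otherwise the
 * errno: EPERM when the caller lacks CAP_SETPCAP, which is the normal
 * outcome for an unprivileged process. */
int drop_bounding_cap(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0)
        return 0;
    return errno;
}

int main(void)
{
    printf("no_new_privs set: %d\n", latch_no_new_privs());
    printf("clearing it fails with errno %d (EINVAL is %d)\n",
           try_clear_no_new_privs(), EINVAL);

    int before = has_bounding_cap(CAP_SYS_RAWIO);
    int rc = drop_bounding_cap(CAP_SYS_RAWIO);
    printf("CAP_SYS_RAWIO in bounding set before: %d, drop rc: %d "
           "(EPERM is %d), after: %d\n",
           before, rc, EPERM, has_bounding_cap(CAP_SYS_RAWIO));
    return 0;
}
```

    <p>Run it once as an ordinary user and once as root (or with <tt>CAP_SETPCAP</tt>) to see the two outcomes of the bounding-set drop; in both cases the no_new_privs latch sets and refuses to clear, which is the property David's list calls "discard the privilege". Anything started from this process, via <tt>execve()</tt> or <tt>fork()</tt>, inherits both latches.</p>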
  </body>
</html>