[coreboot] How to protect binary in flash chip? OTP?

Patrick Rudolph siro at das-labor.org
Fri May 6 09:49:26 CEST 2016

On 2016-05-06 02:45 AM, Zheng Bao wrote:
> Hi, All,
> Is there any way to protect the binary image in flash chip from being
> copied? Once the customers
> gets the image, they can produce millions of board and do not tell me.
> I just want to know the
> amount of the mass production.
> OTP seems to be a way, but it is not 100%. The data in OTP is readable
> and can be copied to a new chip's
> OTP erea.
> Do you guys have any more suggestion?
> Zheng

As you want to execute code from it, it needs to be readable.
Protecting it from software doesn't make much sense as you could just
de-solder the flash chip.

I guess what you want to know is: Should a copied image boot on another
board ?

I've got two solutions:
You could encrypt the binary and store the secret in a TPM.
That way every board would have the same encryption key.
No idea if this is possible on your platform and how much work it would
be to implement in coreboot.
That'd be a good GSoC project :-)

If you don't have a TPM you could use serial numbers of
That way every board would have it's own encryption key.
But I guess the decryption code could easily be reversed engineered.

An end user would be able to do a backup and would be able to reflash
the bios *on the same board*.


More information about the coreboot mailing list