by rolandr 3833 days ago
Once upon a time, most/many PCs had physical BIOS protection in the form of a jumper on the motherboard that would allow you to put the BIOS into a read-only state. However, we have now had many years where such control cannot be manually asserted by the end user, and the flash just sits there writable (although there are chipset-level firmware write protections, various hacks, like Dark Jedi, have found ways around them). Plus, apparently even when you pull down the WO pin on some flash chips, the hardware setting can still be overridden by software commands. The paper suggests, particularly with the more recent versions of Intel ME, that the PC architecture has now evolved to expect, and perhaps require, access to a writable BIOS (in part, because the ROM stores not only firmware, but also things like configuration settings and data for the new ME-implemented TPM).

Thus, we may not be able to simply go back to a ROM with today's architectures. However, we can give today's systems something that behaves like a writable flash chip, but is readily (and automatically) reset to a clean/factory state.


Some Chromebooks have a "flash write-protect screw"[1] that basically makes the firmware read-only. Acts as a physical protection for flashrom by software (though I am not sure if there are ways to work around it).

[1]: https://www.chromium.org/chromium-os/developer-information-f...

Well, you can have a BOOT ROM, and then a BIOS in flash. You can always wrap your machines in one more virtual level.