Hacker News
by mmmaaaxxx 4194 days ago
It is my understanding that verifying the BootROM is not possible once infected with sufficiently malicious code. I talked with Trammell about this briefly and my takeaway was that once you have code on the BootROM, you can control how code is read from the BootROM, making it possible to present the appearance of a non-compromised ROM image.

To the best of my knowledge, the only solution is something sitting on top of the BootROM chip, monitoring for writes. It may also be possible to alter the write-protect/write-enable pin (forget which it has) on the ROM to prevent all writes.

2 comments

Thanks! I'll email him and ask for details.

However, I can't see how that would be possible. It is possible for the BootROM to block reads to ROM once it is done executing, or to not execute external Optional ROMs, but both of those would be detectable by the external accessory.

It is not possible for the ROM, however, to return a different set of data than what is in the ROM.

The only thing I can think of is if the PCIe bridge had aperture/remapping registers and it would alter those to point to RAM instead of ROM and copy a "good" ROM into that range, but that would be detectable by writing to the address over PCIe and seeing if the region is writable.

I'll have to find the data sheet, but it should be very possible to pull a pin high or low to disable writing to the chip itself. I doubt they do any checks for being able to write to the chip in software, that would just wear out the flash unnecessarily.
SPI flash has a write disable pin but that would also prevent Apple updates.
Could bodge in a physical switch for write protect.