Next up on the Scruffy City Hall stage of @BSidesKnoxville is @bxsays. Drop what you are doing and catch this talk!

In Bx' view, a bootloader is just another type of executable loader. ELF, PE or Uboot, they are still loading a program into memory before jumping into it.

A few years back, Bx found a way to make an ELF loader parse its own output as metadata. This and a fancy trick for calling I/O functions gave a complete brainfuck implementation that runs before loading completes!
github.com/bx/elf-bf-tools

Generally all of these IO registers are available to the bootloader, even at times when they aren't needed. Bx proposes that an MMU might enforce access to these pages, just as it does to RAM pages.

You can even have your image be loaded *into I/O*!

"What you are loading tells you what it needs, and it is the loader's responsibility to know whether this is safe."

Her toolsuite instruments a real bootloader process through GCC, as a way to measure and test write restrictions.
typedregions.com

She logs all memcpy()-type calls, then works backward from that to divide them by purpose. (Reading SD card, zeroing the .bss region, etc.)

Combining this with uboot's call graph, she can divide uboot's behavior into stages behaviorally, more accurately than by reading the code.

And knowing the stages, she can measure which resources each stage accesses, in order to know the implicit rules for what good page permissions might be.