> In our case there's a hard requirement to make it impossible for the end-user, which is some business, to run modified software on the devices.

I guess you're working on credit card terminals?
Anyway: why not have a secure hardware element / TPM that has a GPIO with a pull-up resistor that can be queried by the device? Then, have the bootloader check as part of the boot if the TPM attests with a digital signature that the GPIO is still high, and have the application also regularly check the TPM? Or an e-fuse similar to Samsung's Knox Guard?
That way, a user can remove the pull-up resistor (and thus, as it's a hardware modification, has to break the seal of the device) to "unlock" custom firmware loading to fulfill the GPL requirement, but at the same time your application can be reasonably certain at run-time the device hasn't been tampered with.
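The check proposed in the comment above, as an added example that is not code from the thread or from any product: the verifier sends a fresh nonce and the element returns the GPIO state bound to it, so an old "GPIO high" answer cannot be replayed after the pull-up is removed. Assumptions: HMAC-SHA256 with a constructed key stands in for the element's digital signature, and `element_quote`, `check_quote` and the quote layout are hypothetical names, not a TPM API.

```python
import hashlib
import hmac
import os
from enum import Enum

# Constructed demo key. A real secure element would sign with a private key
# that never leaves the chip; HMAC-SHA256 stands in for that signature here.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

class Verdict(Enum):
    SEALED = "sealed"                # pull-up present, quote fresh and authentic
    UNLOCKED = "unlocked"            # authentic quote reporting the GPIO low
    BAD_SIGNATURE = "bad-signature"  # wrong length or tag does not verify
    STALE = "stale"                  # authentic quote, but for another nonce

def element_quote(nonce: bytes, gpio_high: bool, key: bytes = DEMO_KEY) -> bytes:
    """Hypothetical secure-element side: report GPIO state bound to the nonce."""
    body = nonce + (b"\x01" if gpio_high else b"\x00")
    return body + hmac.new(key, body, hashlib.sha256).digest()

def check_quote(quote: bytes, expected_nonce: bytes, key: bytes = DEMO_KEY) -> Verdict:
    """Bootloader/application side: authenticity, then freshness, then state."""
    if len(quote) != len(expected_nonce) + 1 + 32:
        return Verdict.BAD_SIGNATURE
    body, tag = quote[:-32], quote[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return Verdict.BAD_SIGNATURE
    if not hmac.compare_digest(body[:-1], expected_nonce):
        return Verdict.STALE
    return Verdict.SEALED if body[-1] == 1 else Verdict.UNLOCKED

def demo() -> dict:
    n1, n2 = os.urandom(16), os.urandom(16)  # one fresh nonce per check
    sealed = element_quote(n1, gpio_high=True)
    forged = sealed[:16] + b"\x01" + bytes(32)  # right shape, invalid tag
    return {
        "sealed": check_quote(sealed, n1),
        "replayed": check_quote(sealed, n2),  # old "high" quote reused later
        "unlocked": check_quote(element_quote(n2, gpio_high=False), n2),
        "forged": check_quote(forged, n1),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}")
```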
In our case tampering with the sealed parts of the hardware by the user would be illegal. I'm not sure if providing an illegal method to load the firmware fulfills the GPLv3 requirements.
EDIT: So, I don't think this is actually a technical question. It's a legal question that boils down to the fact that a premise and its inverse cannot both be true at the same time.
The hard part when enabling self-tinkering is the forensics and the burden of proof for accidents, especially lethal accidents.
How do you ensure beyond doubt that the vehicle was not "tampered with" by an "unauthorized unqualified third party"?
Would I want to own a car where the OEM can turn around the burden of proof and can easily claim I have modified the vehicle software, and thus broke vehicle behaviour?
OEM: You've patched coreutils, that's what killed your wife, your fault!
Me: No. That's technically impossible. The DRM disables third party modifications.
Now if you provide means to do it anyhow, you'd need to make forensics crystal clear.
So you as a customer want the physical modification to be dead obvious even on a burnt vehicle. Especially on a burnt vehicle. So you as a customer can show that you did in fact not unlock software modification.
And state regulations for that reason require DRM from car makers, to make it impossible to evade responsibility with flaky claims of third party modifications.