Ratcheting

There is a chance that the boot code may be updated due to a system flaw. It may also be possible that a security breach is identified in the software and that it is fixed in a newer version. The known vulnerabilities in the older versions of software can be leveraged by attackers to exploit the system security. Hence, the obsolete binaries must be prohibited from running on the chip.

Nonetheless, those antiquated binaries used to possess effective credentials to pass the secure boot authentication. Therefore, a version control mechanism is required to preclude the old binaries from passing the authentication so that these cannot be utilized by the attackers to exploit the system flaws. Rollback prevention checks, during the boot, the version of the software binaries against a known hardware version stored in a fuse and blocks the binaries from continuing if the software versions are found to be unacceptably old. Ratcheting is NVIDIA's rollback prevention mechanism.

The software checks for a monotonically increasing counter in the hardware that cannot be decreased once it is increased to a certain level. Ratcheting prevents binaries designed for an old chip from executing on a new chip. But the binaries designed for a new chip can run on an old chip to maintain the backward compatibility.