Trusted Computing (TC) technologies are becoming pervasive in

emerging computing devices. 

A fundamental step or process in TC is to ensure the integrity 

of the platform by a secure boot process

--- i.e., a code image is signed by a trusted party and later it's integrity is verified by

the processor before loading and running it. 

For cost-effective purposes, a trend can be observed to store

the authenticated code in an \emph{external}, i.e., non-embedded, 

Non-Volatile Memory (NVM) such as a standard FLASH or EEPROM memory. 

For verification purposes the corresponding processor will also have a small internal

protected ROM to store some secrets (i.e., encryption keys, fixed hash-values, etc.). 

The main contribution of this paper is the proof of a fundamental security problem in the former abstract mechanism. 

That is, under the assumption of a ``non-embedded" NVM, i.e., embedded inside the processor itself,

which prevents a ``simple" probing of the bus between the processor and the NVM storage, 

we prove that so called \emph{replay attacks} cannot be prevented.

This attack confirms the impossibility of a secure boot process for the above and abstract platform architecture. 

However, our result has also other far reaching consequences applicable to security mechanisms such like 

DRM security, the monotonic counters inside the TPM, and or other attempts 

relying on an external NVM as a ``total equivalent" for a more expensive embedded NVM solution ---

as used within a real discrete TPM and specified by the Trusted Computing Group (TCG).