himkiet wrote:Is it possible to get some protection if we use on board EMMC storage rather than using an SD card ?
Yes and no.
Yes, because it's not physically possible to remove the hardware. The compute modules are designed for industrial applications where folks don't want to faff about with SDCards and want to remove some of the risk of root filesystem failure. They are not designed for high security.
No, because the RPis with EMMC are the CM1 or CM3 compute modules and there's a very high probabilty that when I insert that into my compute module developer kit I'll be able to read and steal all of your secrets (in just the same way that I can steal your secrets from an SDCard). So physical security becomes ever more important than logical security.
A CM3L with the eMMC on the carrier would prevent the "move the CM to a CMIO board" route. Since such a carrier could be designed without a way to program the eMMC (and least after the board leaves the factory) it would afford *some* physical protection. The logical/software route in is a whole 'nother kettle of fish.
As previously noted...it really comes down to how much time and expense is it worth to "secure" whatever code has been written, and that--in part--depends on how much of the device in question is really software and how much is hardware. At the very least, the software will be under copyright (that is automatic these days under the Berne Convention, but--at least in the US--you need to register the copyright in order to have a big stick if you sue someone for violating it). Hardware designs, if they fall within the rules, can be patented--but that requires disclosing the design in the patent application. In any case, it can all be held as trade secrets, but if it gets revealed in a legal manner, the trade secret goes "Poof!" and the device is unprotected. That's not a genie you can put back in the bottle, though many companies have tried.
And even *if* all protection measures are taken, and no one succeeds in breaking in, the whole device could still be subject to "clean room" reverse engineering. Ultimately, the real answer is: How much money is someone willing to devote to duplicating the device? The developer/manufacturer is attempting to make that cost higher than any reward that could be reaped by doing so. However, even then, devoted amateurs can throw enough *time* at the effort to break in/reverse engineer/whatever and make all the protections moot.