Generally I would go about this by placing something(s) unique and random in the ROM image and use that as a seed to encrypt the EEPROM content to stop extraction and reprogram after image mod.
An obvious flaw seems to be that this doesn’t stop tampering in the form of replacing the EEPROM external chip with a blank one… oh look were back to first time used state, lets ask for keys to save!
Selecting components is not an option for me, the hardware platform is already defined. The EEPROM is programmed during the lifetime of the device as configuration and state change so disconnecting the erase line is also a no-go.
I was seeking opinion on possible solutions to prevent the faking of a virgin (first run) state since this would allow functionality to save the sensitive data and unlock the device.
I am confident a block cipher (ECB mode) is sufficient to secure the sensitive data, maybe over the top! This approach along with multiple copies, salting one and not the other should make it financially unrewarding to place money and time to counter these measures.
Some thoughts: if by ‘securing against modification’ you mean that you can detect such tampering, then you can
But if you want to prevent the tampering in the first place, you have to use mechanical guards – hot glue the whole chip, lock the housing of your pcb, …