> is there a way to disable this BIOS function? More precisely, coreboot can be set to avoid
> receiving commands from GRUB and Ubuntu KERNEL?

If you build the following structure (please, do understand that this is very high level of presentation, which does not reflect reality 100%) on x86 architecture: FSP -> Coreboot -> Tiano Core [as payload], you might be able to avoid any/entirely legacy INT services.

In nutshell, Tiano Core dies after it passes control to the GRUB2. But... There are so called "run-time services" that Tiano Core sets, and passes them to Linux/WIN and these are alive through the life of the entire system.

I have no idea what these run time services are, actually (might be reminiscences of INT legacy...)! :-(

The similar use case if you use UEFI (so CSM is set OFF). Still, the same question remains: what are (WTF/WTH) "run time services"?

The other use cases are to do NSF mounting to these devices, but with Read ONLY attributes (on remote ARM system). So then you can copy files over to x86 based host system (having admin/root privileges) and inspect them, preserving (not compromising) originals.

All respective to x86 use cases.

You can also use Rpi 3, and mount these devices as RO (as already suggested). But this will not give you NTFS clear file accesses (for WIN HDD/SSD and USB storage systems).

> I hope I've been clear this time.

Well... I hope this clearly helps this time.


On Sun, Sep 3, 2017 at 12:32 AM, ingegneriaforense@alice.it <ingegneriaforense@alice.it> wrote:
Hello guys,

First of all I want to thank everyone for the answers, suggestions and links you have sent me.
Maybe I was wrong to ask my questions without clarifying the problem I'm analyzing, leaving you doubts about why I did some sort of questions about INT13, real mode, and so on.

As you well know, when connecting a memory device (hard drive, USB stick) to a PC, user data may be subject to change.
Just think of the variation under the "date modified" field of the timestamp of a file.

In the forensic field, this is not accepted. As a result, it is necessary to capture the image of the suspect drive, frozen at the time of the police seizure.

For this reason, devices known as Write Blocker are used, which allow the acquisition of information on a drive without creating the possibility of accidentally damaging (writing) the drive contents.

I'm studying the implementation of such a device on a PC. Actually, the writing block at kernel level at this time has been resolved.
But there remains the doubt that, for any accidental event (that i don't know), the suspect device may be affected by user data.

For this reason I asked, in my previous email, if there is interaction between BIOS and KERNEL. Correctly Zoran, adding the picture, has shown that there may be cases where the Kernel grants the BIOS the ability to perform some services (I think using the INT13).

Then I ask you:

is there a way to disable this BIOS function? More precisely, coreboot can be set to avoid receiving commands from GRUB and Ubuntu KERNEL?

I hope I've been clear this time.

Thanks for your patience

Best Regards.


Forensic Consultant
Tribunale di Lecce

Studio: Strada di Garibaldi - Contrada Paradisi
73010 Lequile (LE)

cell: 339.7968555
skype: vincenzo.di_salvo

coreboot mailing list: coreboot@coreboot.org