[coreboot] INT 13, real mode, block write commands and coreboot

Sun Sep 3 00:32:47 CEST 2017

Hello guys,

First of all I want to thank everyone for the answers, suggestions and links you have sent me.
Maybe I was wrong to ask my questions without clarifying the problem 
I'm analyzing, leaving you doubts about why I did some sort of 
questions about INT13, real mode, and so on.

As you well know, when connecting a memory device (hard drive, USB stick) to a PC, user data may be subject to change.
Just think of the variation under the "date modified" field of the timestamp of a file.

In the forensic field, this is not accepted. As a result, it is necessary to capture the image of the suspect drive, frozen at the time of the police seizure.

For this reason, devices known as Write Blocker are used, which 
allow the acquisition of information on a drive without creating the 
possibility of accidentally damaging (writing) the drive contents.

I'm studying the implementation of such a device on a PC. Actually, the writing block at kernel level at this time has been resolved.
But there remains the doubt that, for any accidental event (that i don't know), the suspect device may be affected by user data.

For this reason I asked, in my previous email, if there is interaction between BIOS and KERNEL. Correctly Zoran, adding the picture, has shown that there may be
 cases where the Kernel grants the BIOS the ability to perform some 
services (I think using the INT13).

Then I ask you:

is there a way to disable this BIOS function? More precisely, coreboot can be set to avoid receiving commands from GRUB and Ubuntu KERNEL?

I hope I've been clear this time.

Thanks for your patience

Best Regards.

Vincenzo.

Forensic Consultant
Tribunale di Lecce

Studio: Strada di Garibaldi - Contrada Paradisi
73010 Lequile (LE)

cell: 339.7968555
skype: vincenzo.di_salvo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170903/8a6c5ae9/attachment.html>