[coreboot] INT 13, real mode, block write commands and coreboot

Zoran Stojsavljevic zoran.stojsavljevic at gmail.com
Mon Sep 4 10:05:20 CEST 2017


> is there a way to disable this BIOS function? More precisely, coreboot
> can be set to avoid receiving commands from GRUB and Ubuntu KERNEL?

If you build the following structure (please, do understand that this is
a very high level of presentation, which does not reflect reality 100%) on
x86 architecture: FSP -> Coreboot -> Tiano Core [as payload], you might be
able to avoid any/entirely legacy INT services.

In a nutshell, Tiano Core dies after it passes control to the GRUB2. But...
There are so-called "run-time services" that Tiano Core sets, and passes
them to Linux/WIN and these are alive through the life of the entire system.

I have no idea what these run time services are, actually (might be
reminiscences of INT legacy...)! :-(

The similar use case is if you use UEFI (so CSM is set OFF). Still, the same
question remains: what are (WTF/WTH) "run time services"?

The other use cases are to do NFS mounting to these devices, but with Read
ONLY attributes (on remote ARM system). So then you can copy files over to
x86 based host system (having admin/root privileges) and inspect them,
preserving (not compromising) originals.

All respective to x86 use cases.

You can also use Rpi 3, and mount these devices as RO (as already
suggested). But this will not give you NTFS clear file accesses (for WIN
HDD/SSD and USB storage systems).

> I hope I've been clear this time.

Well... I hope this clearly helps this time.

Zoran

On Sun, Sep 3, 2017 at 12:32 AM, ingegneriaforense at alice.it <
ingegneriaforense at alice.it> wrote:

> Hello guys,
>
> First of all I want to thank everyone for the answers, suggestions and
> links you have sent me.
> Maybe I was wrong to ask my questions without clarifying the problem I'm
> analyzing, leaving you doubts about why I did some sort of questions about
> INT13, real mode, and so on.
>
> As you well know, when connecting a memory device (hard drive, USB stick)
> to a PC, user data may be subject to change.
> Just think of the variation under the "date modified" field of the
> timestamp of a file.
>
> In the forensic field, this is not accepted. As a result, it is necessary
> to capture the image of the suspect drive, frozen at the time of the police
> seizure.
>
> For this reason, devices known as Write Blocker are used, which allow the
> acquisition of information on a drive without creating the possibility of
> accidentally damaging (writing) the drive contents.
>
> I'm studying the implementation of such a device on a PC. Actually, the
> writing block at kernel level at this time has been resolved.
> But there remains the doubt that, for any accidental event (that I don't
> know), the suspect device may be affected by user data.
>
> For this reason I asked, in my previous email, if there is interaction
> between BIOS and KERNEL. Correctly Zoran, adding the picture, has shown
> that there may be cases where the Kernel grants the BIOS the ability to
> perform some services (I think using the INT13).
>
> Then I ask you:
>
> is there a way to disable this BIOS function? More precisely, coreboot
> can be set to avoid receiving commands from GRUB and Ubuntu KERNEL?
>
> I hope I've been clear this time.
>
> Thanks for your patience
>
> Best Regards.
>
> Vincenzo.
>
>
> Forensic Consultant
> Tribunale di Lecce
>
> Studio: Strada di Garibaldi - Contrada Paradisi
> 73010 Lequile (LE)
>
> cell: 339.7968555
> skype: vincenzo.di_salvo
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
>
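
The read-only mounting discussed in this thread can be audited from the kernel's mount table. The following is an added example, not code from the thread or from coreboot: it reads text in `/proc/mounts` format and reports mounts of an evidence device that are read-write, or that are `ro` on ext3/ext4/XFS without `noload`/`norecovery` (those filesystems can replay their journal even on a read-only mount). The device name `/dev/sdb` and the sample table are constructed.

```python
import re

# Journaling filesystems that may replay their log on an "ro" mount,
# mapped to the mount options that suppress the replay.
JOURNAL_GUARD = {
    "ext3": {"noload", "norecovery"},
    "ext4": {"noload", "norecovery"},
    "xfs": {"norecovery"},
}

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal (\040 ...)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_mounts(mounts_text, evidence_dev):
    """Return (mount_point, problem) pairs for mounts of evidence_dev,
    or one of its partitions, that could write to the device."""
    findings = []
    # Matches /dev/sdb, /dev/sdb1, /dev/nvme0n1p2; does not match /dev/sdbc1
    part = re.compile(re.escape(evidence_dev) + r"(p?\d+)?$")
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, target, fstype, opts = fields[:4]
        if not part.match(_unescape(source)):
            continue
        options = set(opts.split(","))
        target = _unescape(target)
        if "ro" not in options:
            findings.append((target, "mounted read-write"))
        elif fstype in JOURNAL_GUARD and not (JOURNAL_GUARD[fstype] & options):
            findings.append((target, "ro but journal replay not disabled"))
    return findings

# Constructed sample in /proc/mounts format (not captured from a real system).
SAMPLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/evidence\\0401 ext4 ro,relatime 0 0
/dev/sdb2 /mnt/ev2 ext4 ro,noload 0 0
/dev/sdb3 /mnt/ev3 vfat rw,relatime 0 0
/dev/sdbc1 /mnt/other ext4 rw 0 0
"""

if __name__ == "__main__":
    for mount_point, problem in audit_mounts(SAMPLE, "/dev/sdb"):
        print(mount_point, "->", problem)
```

On a live system the input would be the contents of `/proc/mounts`; a clean result only covers filesystem mounts, not raw writes to the block device.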