can you make a hard disk read-only?

From: Andy Baxter (news2_at_earthsong.null.free-online.co.uk)
Date: 10/09/03


Date: Thu, 09 Oct 2003 01:17:30 +0100

I'm wondering if there's some way of making a hard disk drive read-only
using a hardware device which would go between the cable and the drive data
connector, with a switch you could use to make it writeable only under user
control?

I was thinking this might be useful in building a cheap, relatively secure
linux system. The way I'm thinking this could work, for a debian system is
like this:
-install a base system from woody CDs with the switch set to writeable.
-Then you'd close the switch and set up a firewall which only allowed access
to security.debian.org and download the security updates to a seperate
read-write partition.
-Then reboot again, check them against debian's gpg key, and install them.
-Then you set the switch to read-only and open the firewall to all IPs.
For a small server or firewall, you could have all the binaries run from
this disk, or else just use it as a secure basis from which to check all
the other files on the system at boot time using md5sums or similar.

This wouldn't stop someone from breaking in altogether, as they could still
modify code and data structures in the memory, but it would stop them
modifying key system files, and as long as you didn't mind rebooting and
repeating the above process fairly often it would either lock them out
again after the reboot, or else if parts of the system were run from a
normal disk, these could at least be checked automatically from a secure
basis to warn you that you had been cracked.

You could even do this semi-automatically, if the hardware was designed so
that the disk was always read-write on bootup, but could be switched
irreversibly to read-only mode by a software command, e.g. through the
serial port, or trying to write to a sector that doesn't exist. Then all
the above steps would happen automatically on bootup, and the only thing
you'd have to do is make sure it really was rebooting when it was meant to.

The reason I'm asking, is I've had a look at the specs for ATA version 2,
and from my limited knowledge of electronics it looks like you could do
this for these older drives just by preventing the DIOW- (write data) line
being asserted when the register address was set to 0 (data transfer).
However, I don't think I know enough to be sure I wouldn't damage the
computer building something like this, and for the newer ATA specs it gets
much more complex, so I'd like to know if there is anything like this you
can buy, or an open hardware design which I could build myself?

If this is all incredibly naive, please tell me, as I'm no kernel hacker.

andy baxter.

-- 
remove 'n-u-l-l' to email me. html mail or attachments will go in the spam
bin unless notified with [html] or [attachment] in the subject line.


Relevant Pages

  • Re: ad0 READ_DMA TIMEOUT errors on install of 7.0-RELEASE
    ... It does not matter how new/old the disk is, ... I always figured it was due to the rotational speed increase in commodity drives. ... I'm assuming that it is total power on time since the drive was manufactured. ... Help me or I switch to DragonFly BSD/Desktop BSD/Linux which is perfect and has no problems!" ...
    (freebsd-stable)
  • Re: OT: RAID retrofit
    ... It seems the built in raid stuff won't do what I want. ... approach using disk images (take image, add disk, convert disks to RAID ... If your hardware is failing, using mdadm raid isn't really going to ... drives into completely new hardware. ...
    (uk.rec.motorcycles)
  • Re: OT: RAID retrofit
    ... approach using disk images (take image, add disk, convert disks to RAID ... drives into completely new hardware. ... As far as I'm concerned it is a waste of time and money adding to hardware of that vintage, especially when it is making odd noises. ... All capable of being fired up in minutes on any spare PC that he's got around that can run Virtualbox or VMWare or whatever virtual host environment he cares to try. ...
    (uk.rec.motorcycles)
  • Re: Foolish project: a fault tolerant disk array
    ... >> hardware hooked between the computer and the disk drives that will ... It is THAT hardware that causes the ... or we use Raid-1 Parallel ATA IDE PCI cards. ...
    (comp.os.linux.hardware)
  • Re: External hard drive
    ... is busy. ... because the "safely remove hardware" tool would always ... That's why I began to think it was correct to just flick the off switch. ... because it has no effect on NTFS formatted drives. ...
    (microsoft.public.windowsxp.basics)