can you make a hard disk read-only?

From: Andy Baxter (
Date: 10/09/03

Date: Thu, 09 Oct 2003 01:17:30 +0100

I'm wondering if there's some way of making a hard disk drive read-only
using a hardware device which would go between the cable and the drive data
connector, with a switch you could use to make it writeable only under user

I was thinking this might be useful in building a cheap, relatively secure
Linux system. The way I'm thinking this could work, for a Debian system, is
like this:
-install a base system from woody CDs with the switch set to writeable.
-Then you'd close the switch and set up a firewall which only allowed access
to and download the security updates to a separate
read-write partition.
-Then reboot again, check them against Debian's GPG key, and install them.
-Then you set the switch to read-only and open the firewall to all IPs.
For a small server or firewall, you could have all the binaries run from
this disk, or else just use it as a secure basis from which to check all
the other files on the system at boot time using md5sums or similar.

This wouldn't stop someone from breaking in altogether, as they could still
modify code and data structures in the memory, but it would stop them
modifying key system files, and as long as you didn't mind rebooting and
repeating the above process fairly often it would either lock them out
again after the reboot, or else if parts of the system were run from a
normal disk, these could at least be checked automatically from a secure
basis to warn you that you had been cracked.

You could even do this semi-automatically, if the hardware was designed so
that the disk was always read-write on bootup, but could be switched
irreversibly to read-only mode by a software command, e.g. through the
serial port, or trying to write to a sector that doesn't exist. Then all
the above steps would happen automatically on bootup, and the only thing
you'd have to do is make sure it really was rebooting when it was meant to.

The reason I'm asking, is I've had a look at the specs for ATA version 2,
and from my limited knowledge of electronics it looks like you could do
this for these older drives just by preventing the DIOW- (write data) line
being asserted when the register address was set to 0 (data transfer).
However, I don't think I know enough to be sure I wouldn't damage the
computer building something like this, and for the newer ATA specs it gets
much more complex, so I'd like to know if there is anything like this you
can buy, or an open hardware design which I could build myself?

If this is all incredibly naive, please tell me, as I'm no kernel hacker.

andy baxter.

remove 'n-u-l-l' to email me. html mail or attachments will go in the spam
bin unless notified with [html] or [attachment] in the subject line.
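
The boot-time check the post describes (using the read-only disk as a trusted basis for verifying files on a normal disk) could look like the following. This is an added example, not part of the original post: it assumes SHA-256 in place of md5sums, and the function names are hypothetical.

```python
"""Boot-time integrity check: compare a writable tree against a manifest
kept on the read-only disk. All names here are hypothetical."""
import hashlib
import os


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its digest.
    Run this while the tree is known good; keep the result on the
    read-only disk so an intruder cannot rewrite it."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and device nodes are not hashed here
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest


def verify(root, manifest):
    """Report files modified, missing, or added since the manifest was
    built. Added files matter: a checksum pass over only the listed
    names would not notice a new binary dropped into the tree."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def is_clean(report):
    """True when verify() found no differences at all."""
    return not any(report.values())
```

The checker itself, and the interpreter it runs under, would also need to live on the read-only disk for the result to be trustworthy.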