Question
At Linux boot, is there an option I can add to the “vmlinuz…” line that will prevent the OS from ever (at least in that session) being able to see or access NVMe SSDs - while keeping all other hardware discoverable and mountable?
Context
I am fairly new to Linux and still learning. I want to create a multiboot setup (from different drives, not different partitions) where each OS instance is effectively “air gapped” from the other. I can then select which drive to boot from in BIOS at startup and whichever drive boots, that OS won’t be able to see the other drive.
I am using a laptop where it is not practical to physically swap drives (at least not often) and I want to run Win 10 Pro off my NVMe drive (with the SATA drive disabled in Device Manager) and tinker around with various Linux distros, running them off my SATA drive or a Live CD (with the NVMe drive invisible to them) - while keeping the data on my NVMe drive secure.
Some system info
- BIOS: AMI Aptio 2.18.126, Firmware Ver 1.05.03
- Chipset: Intel Z170
- Processor Family: Skylake
- NVMe drive: Samsung 950 Pro
- SATA drive: Samsung 850 Pro
A big thank you to @EugenRieck, @davidgo, @TwistyImpersonator, @dirkt, @KamilMaciorowski and everyone who took the time to respond.
In response to Dirk’s question: what I was aiming for was a multi-boot setup where “drive a,” with its data and OS, was isolated from anything that ran on “drive b.” Ideally, it would be handy to disable a select drive (or drive port) in BIOS or, better yet, via a hardware switch, but my system doesn’t have that option. I saw some things referencing configuring Linux kernel options at boot via a command line, so I wondered if I could disable a drive that way. That approach seemed like it might be handy as it would more easily apply to something like a pre-configured Live CD as well as anything I might install and set up on “drive b.” (Thank you again Eugen for the details on how to do that). From what David said in his post, it sounds like such kernel commands are not overriding and it would still be fairly trivial under such an approach for a bit of malware to get at my NVMe drive if I, say, misconfigure IPTables or misconfigure a VM or install a package that looked like it had some unique creative features but was actually corrupt. Is that correct?