Question

At Linux boot, is there an option I can add to the “vmlinuz…” line that will prevent the OS from ever (at least in that session) being able to see or access NVMe SSDs - while keeping all other hardware discoverable and mountable?

Context

I am fairly new to Linux and still learning. I want to create a multiboot setup (from different drives, not different partitions) where each OS instance is effectively “air gapped” from the other. I can then select which drive to boot from in BIOS at start up and whichever drive boots, that OS won’t be able to see the other drive.

I am using a laptop where it is not practical to physically swap drives (at least not often) and I want to run Win 10 Pro off my NVMe drive (with the SATA drive disabled in Device Manager) and tinker around with various Linux distros, running them off my SATA drive or a Live CD (with the NVMe drive invisible to them) - while keeping the data on my NVMe drive secure.

Some system info

  • BIOS
    AMI Aptio 2.18.126
    Firmware Ver 1.05.03
  • Chipset
    Intel Z170
  • Processor Family
    Skylake
  • NVMe drive
    Samsung 950 Pro
  • SATA drive
    Samsung 850 Pro

A big thank you to @EugenRieck, @davidgo, @TwistyImpersonator, @dirkt, @KamilMaciorowski and everyone who took the time to respond.

In response to Dirk’s question. What I was aiming for was a multi-boot setup where “drive a” with its data and OS, was isolated from anything that ran on “drive b.” Ideally, it would be handy to disable a select drive (or drive port) in BIOS or better yet, via a hardware switch, but my system doesn’t have that option. I saw some things referencing configuring Linux kernel options at boot via a command line so I wondered if I could disable a drive that way. That approach seemed like it might be handy as it would more easily apply to something like a pre-configured Live CD as well as anything I might install and set up on “drive b.” (Thank you again Eugen for the details on how to do that). From what David said in his post, it sounds like such kernel commands are not overriding and it would still be fairly trivial under such an approach for a bit of malware to get at my NVMe drive if I, say, misconfigure IPTables or misconfigure a VM or install a package that looked like it had some unique creative features but was actually corrupt. Is that correct?

  • Against which scenario are you protecting? Someone accidentally accessing an NVMe drive? Someone purposely circumventing your protection measures? Also note that if you want to play around with various distros, a virtual machine (VM) may be a simpler solution. And in principle, all Linux distros should be well-behaved and don't overwrite harddisks/NVMe on install unless you tell them to.
    – dirkt
    Commented Dec 4, 2018 at 8:46

1 Answer

This is rather easy: a boot command line parameter of modprobe.blacklist=nvme will do the job.

EDIT

As asked for in the comments, here is some background:

  • modprobe is the mechanism by which drivers are automatically loaded when a device is detected. So when your NVMe drive is detected on the PCIe bus, it will be called to try and load the drivers.
  • Since there are a few situations where you do not want a driver to be loaded automatically (the canonical example is nouveau vs. the vendor binary nvidia driver), this mechanism contains a "blacklist" feature that will stop autoloading for a driver.
  • This blacklisting can be kicked off either by editing a file in /etc/modprobe.d or via the kernel command line. I used the latter, as your question explicitly stated the boot command line.
  • The driver (kernel module) that makes NVMe drives accessible as block devices is unsurprisingly called "nvme".

Putting all this together results in the mentioned command line - it is absolutely not uncommon to use such a parameter, especially with quirky laptops. Basically it is the exact analogue to disabling the SATA drivers in Windows device manager.

  • @TwistyImpersonator prevents the "nvme" module (think driver) from being loaded by the Linux kernel. Note that this is a practical solution to avoid mistakes; of course, if you really want to you can always load the driver manually, then access the drive, provided you have root.
    – davidgo
    Commented Dec 4, 2018 at 0:42
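The following script is an added example, not part of the answer or the comments above. It parses a kernel command line the way the answer describes (`modprobe.blacklist=` is a comma-separated list, so `nvme` must be matched as a whole entry, not as a substring of e.g. `nvme_fabrics`) and emits the equivalent `/etc/modprobe.d` fragment. It also recognises the kernel's own `module_blacklist=` parameter, which unlike the modprobe blacklist refuses the module even when root loads it explicitly (the caveat raised in davidgo's comment). The `--check` mode inspects the running machine: if `nvme` is built into the kernel rather than shipped as a loadable module, neither blacklist has any effect, which is the first thing to verify before relying on this approach. The sample command lines in the test are constructed.

```shell
#!/bin/sh
# Added example: audit a kernel command line for NVMe driver blacklisting.
# Not from the original answer; the helper names are this example's own.

# Print which kind of blacklist covers "nvme" in the given command line:
#   modprobe  - modprobe.blacklist=... (blocks udev/alias autoload only)
#   kernel    - module_blacklist=...   (kernel refuses the module outright)
#   both / none
nvme_blacklist_kind() {
    user=no
    kern=no
    for tok in $1; do
        case $tok in
            # values are comma-separated lists; wrap in commas so that
            # "nvme" matches as a whole entry and "nvme_fabrics" does not
            modprobe.blacklist=*) case ",${tok#*=}," in *,nvme,*) user=yes ;; esac ;;
            module_blacklist=*)   case ",${tok#*=}," in *,nvme,*) kern=yes ;; esac ;;
        esac
    done
    if [ "$user" = yes ] && [ "$kern" = yes ]; then echo both
    elif [ "$user" = yes ]; then echo modprobe
    elif [ "$kern" = yes ]; then echo kernel
    else echo none
    fi
}

# Exit 0 if any blacklist form covers nvme, 1 otherwise.
nvme_blacklisted_in_cmdline() {
    [ "$(nvme_blacklist_kind "$1")" != none ]
}

# Write the /etc/modprobe.d equivalent of modprobe.blacklist=nvme to $1.
write_modprobe_blacklist() {
    printf '# Keep the NVMe block driver from autoloading\nblacklist nvme\n' > "$1"
}

# Live audit of the running system (only meaningful on real hardware).
audit_running_system() {
    echo "cmdline blacklist for nvme: $(nvme_blacklist_kind "$(cat /proc/cmdline)")"
    if grep -q '^nvme ' /proc/modules 2>/dev/null; then
        echo "nvme module is currently loaded"
    else
        echo "nvme module is not loaded"
    fi
    # A built-in driver cannot be blacklisted by either mechanism.
    if grep -q '/nvme\.ko' "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null; then
        echo "WARNING: nvme is built into this kernel; blacklisting has no effect"
    fi
}

# Usage: sh audit_nvme.sh --check
[ "${1:-}" = "--check" ] && audit_running_system
```

To turn the boot parameter into a persistent setting, run `write_modprobe_blacklist /etc/modprobe.d/nvme-blacklist.conf` as root and regenerate the initramfs if the distribution loads storage drivers from it; the `--check` output afterwards should report the module as not loaded and should not print the built-in warning.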
