How to isolate a drive?
Question
At Linux boot, is there an option I can add to the “vmlinuz…” line that will prevent the OS from ever (at least in that session) being able to see or access NVMe SSDs - while keeping all other hardware discoverable and mountable?
Context
I am fairly new to Linux and still learning. I want to create a multiboot setup (from different drives, not different partitions) where each OS instance is effectively “air gapped” from the other. I can then select which drive to boot from in BIOS at startup, and whichever drive boots, that OS won’t be able to see the other drive.
I am using a laptop where it is not practical to physically swap drives (at least not often) and I want to run Win 10 Pro off my NVMe drive (with the SATA drive disabled in Device Manager) and tinker around with various Linux distros, running them off my SATA drive or a Live CD (with the NVMe drive invisible to them) - while keeping the data on my NVMe drive secure.
Some system info
- BIOS: AMI Aptio 2.18.126, Firmware Ver 1.05.03
- Chipset: Intel Z170
- Processor Family: Skylake
- NVMe drive: Samsung 950 Pro
- SATA drive: Samsung 850 Pro
A big thank you to @EugenRieck, @davidgo, @TwistyImpersonator, @dirkt, @KamilMaciorowski and everyone who took the time to respond.
In response to Dirk’s question: what I was aiming for was a multi-boot setup where “drive a”, with its data and OS, was isolated from anything that ran on “drive b”. Ideally, it would be handy to disable a select drive (or drive port) in BIOS or, better yet, via a hardware switch, but my system doesn’t have that option. I saw some things referencing configuring Linux kernel options at boot via a command line, so I wondered if I could disable a drive that way. That approach seemed like it might be handy, as it would more easily apply to something like a pre-configured Live CD as well as anything I might install and set up on “drive b”. (Thank you again Eugen for the details on how to do that.) From what David said in his post, it sounds like such kernel commands are not overriding, and it would still be fairly trivial under such an approach for a bit of malware to get at my NVMe drive if I, say, misconfigure IPTables or misconfigure a VM or install a package that looked like it had some unique creative features but was actually corrupt. Is that correct?
security multi-boot sata linux-kernel nvme
edited Dec 4 at 18:35
asked Dec 3 at 20:46
user969571
Against which scenario are you protecting? Someone accidentally accessing an NVMe drive? Someone purposely circumventing your protection measures? Also note that if you want to play around with various distros, a virtual machine (VM) may be a simpler solution. And in principle, all Linux distros should be well-behaved and don't overwrite hard disks/NVMe on install unless you tell them to.
– dirkt
Dec 4 at 8:46
1 Answer
This is rather easy: a boot command line parameter of modprobe.blacklist=nvme will do the job.
EDIT
As asked for in the comments, here is some background:
- modprobe is the mechanism by which drivers are automatically loaded when a device is detected. So when your NVMe drive is detected on the PCIe bus, it will be called to try and load the drivers.
- Since there are a few situations where you do not want a driver to be loaded automatically (the canonical example is nouveau vs. the vendor binary nvidia driver), this mechanism contains a "blacklist" feature that will stop autoloading for a driver.
- This blacklisting can be kicked off either by editing a file in /etc/modprobe.d or via the kernel command line. I used the latter, as your question explicitly stated the boot command line.
- The driver (kernel module) that makes NVMe drives accessible as block devices is unsurprisingly called "nvme".
Putting all this together results in the mentioned command line - it is absolutely not uncommon to use such a parameter, especially with quirky laptops. Basically it is the exact analogue of disabling the SATA drivers in Windows Device Manager.
@TwistyImpersonator prevents the "nvme" module (think driver) from being loaded by the Linux kernel. Note that this is a practical solution to avoid mistakes; of course, if you really want to you can always load the driver manually, then access the drive, provided you have root.
– davidgo
Dec 4 at 0:42
edited Dec 4 at 8:10
answered Dec 3 at 23:30
Eugen Rieck
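An added verification script, written for this page and not taken from the thread or any of its posters, that checks after a boot whether the blacklist described in the answer actually took hold. It parses the kernel command line for the module list (modprobe.blacklist= as used above, plus the kernel's own module_blacklist= parameter, which takes the same comma-separated list), reports whether the nvme driver is a loaded module (the case davidgo's comment warns about: someone with root ran modprobe, or the parameter never reached the initramfs), built into the kernel (a caveat the thread does not cover: modprobe.blacklist= only affects loadable modules, so a kernel with nvme compiled in will still see the drive), or absent, and finally looks for any NVMe block devices that became visible anyway. The root prefix, kernel release argument, file name check-nvme-isolation.sh, the --live flag and all function names are my own choices; the /etc/modprobe.d lines quoted in the comments are standard modprobe.d syntax, where `install nvme /bin/false` additionally makes an explicit `modprobe nvme` fail rather than only stopping alias-based autoloading.

```shell
#!/bin/sh
# Added example, not code from the Super User thread. Checks whether booting
# with modprobe.blacklist=nvme actually left the NVMe drive unreachable.
#
# The two ways to request the blacklist, for reference (standard syntax):
#   kernel command line (e.g. GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub):
#       modprobe.blacklist=nvme
#   or a file such as /etc/modprobe.d/no-nvme.conf:
#       blacklist nvme           # stops alias-based autoloading only
#       install nvme /bin/false  # also makes an explicit "modprobe nvme" fail
#
# Assumptions (mine): ROOT is "" on a live system or a constructed directory
# tree for offline testing; KREL defaults to the running kernel release.

# cmdline_blacklists CMDLINE MODULE
# Succeed if CMDLINE blacklists MODULE via modprobe.blacklist= (read by
# modprobe/kmod) or module_blacklist= (read by the kernel itself). Both take
# a comma-separated list and may appear more than once on the line.
cmdline_blacklists() {
    cmdline=$1
    module=$2
    for word in $cmdline; do
        case $word in
            modprobe.blacklist=*|module_blacklist=*)
                list=${word#*=}
                oldifs=$IFS
                IFS=,
                for m in $list; do
                    if [ "$m" = "$module" ]; then
                        IFS=$oldifs
                        return 0
                    fi
                done
                IFS=$oldifs
                ;;
        esac
    done
    return 1
}

# nvme_driver_state ROOT [KREL]
# Prints one of:
#   loaded  - the module is in (blacklist bypassed, or never reached modprobe)
#   builtin - compiled into the kernel, so modprobe.blacklist= cannot stop it
#   absent  - neither: the blacklist is doing its job
nvme_driver_state() {
    root=${1:-}
    krel=${2:-$(uname -r)}
    builtin_list="$root/lib/modules/$krel/modules.builtin"
    if [ -r "$root/proc/modules" ] && grep -q '^nvme ' "$root/proc/modules"; then
        echo loaded
    elif { [ -r "$builtin_list" ] && grep -q '/nvme\.ko$' "$builtin_list"; } \
         || [ -d "$root/sys/module/nvme" ]; then
        echo builtin
    else
        echo absent
    fi
}

# nvme_devices_visible ROOT
# Succeed if any NVMe controller or namespace is exposed under ROOT.
nvme_devices_visible() {
    root=${1:-}
    for p in "$root"/sys/block/nvme* "$root"/dev/nvme* "$root"/sys/class/nvme/nvme*; do
        if [ -e "$p" ]; then
            return 0
        fi
    done
    return 1
}

# check_nvme_isolation ROOT [CMDLINE] [KREL]
# Prints a short report; succeeds only if the blacklist is on the command
# line, the driver is absent and no NVMe device is visible.
check_nvme_isolation() {
    root=${1:-}
    cmdline=${2:-$(cat "$root/proc/cmdline" 2>/dev/null)}
    krel=${3:-$(uname -r)}
    ok=0
    if cmdline_blacklists "$cmdline" nvme; then
        echo "cmdline : nvme is blacklisted"
    else
        echo "cmdline : nvme is NOT blacklisted"
        ok=1
    fi
    state=$(nvme_driver_state "$root" "$krel")
    echo "driver  : $state"
    [ "$state" = absent ] || ok=1
    if nvme_devices_visible "$root"; then
        echo "devices : NVMe device nodes are visible"
        ok=1
    else
        echo "devices : none visible"
    fi
    return $ok
}

# Live run:  sh check-nvme-isolation.sh --live
# Exit status is 0 only when all three checks pass.
if [ "$#" -gt 0 ] && [ "$1" = --live ]; then
    check_nvme_isolation ""
    exit $?
fi
```

Run it from the Linux side after booting with the parameter; a report of "driver : loaded" means something re-enabled the module after boot, and "driver : builtin" means this particular distro kernel cannot be held back by modprobe.blacklist= at all and the drive should be assumed reachable.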