Way to disable a disk or disk controller before OSX boots

Tags: boot, disk-utility, efi, hard drive, kernel-extensions

Context:

I use a mac for data recovery forensic operations, and for compliance with my users' requirements, I need to guarantee that no disk writes will be performed on a physical hard disk attached to a mac until a user enables the disk.

Question:

Is it possible to disable all access to a disk, SATA port, or disk controller entirely outside of the OS, before the system boots?

Disabling only read access is acceptable, but tends to be harder to verify compared to "make the computer act like the disk itself isn't plugged in".

When we were doing data recovery with a Linux homemade tower, we would go into the BIOS and disable the SATA port with the sensitive disks on it.

It's OK to disable the entire disk controller as part of a solution; these systems are externally booted from USB devices, and internal hard disks will not be used until they are re-enabled.

The physical port to which the disks in question are connected will not change.

What I've Tried:

I've seen the solutions to this question. Those solutions all disable disks right after boot, which is not sufficient: disabling automount of the disk or hiding it from OSX's disk management does not satisfy the users' (admittedly silly) audit requirements.

Other Ideas:

Is it possible to do this from an EFI shell? I'm happy to install rEFInd or similar on the bootable USBs.

Are there nvram settings that can be changed to achieve this?

Are there kernel boot parameters that instruct OSX not to initialize or use a PCI device, tree, or disk?

Are there kernel modules that I could install that would achieve this? If so, they'd probably need to be open source so the users could audit them and make sure they're loaded early enough to not let any writes through.

Since the recovery OS is USB, are there kexts that I could uninstall in order to disable access to all disks/SATA devices?

Best Answer

A simple solution: since you are booting off a USB/Recovery disk, you could mount the drive "read only" via diskutil:

diskutil mountDisk readOnly /dev/diskX

Now, if your USB/Recovery disk has already mounted it when it loads, you will have to unmount it first:

diskutil unmountDisk /dev/diskX

diskX is the drive identifier of the disk you are attempting to (un)mount. You can find it by issuing the command diskutil list and finding the drive you are interested in.

From the manpage:

Mount a single volume. If readOnly is specified, then the file system is mounted read-only, even if the volume's underlying file system and/or device and/or media supports writing; even the super-user may not write to it; this is the same as the rdonly option to mount (8). If a -mountPoint is specified, then that path, rather than the standard path of /Volumes/VolumeName, will be used as the view into the volume file content; a directory at that path must already exist.
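A check that can follow the read-only mount described in the answer, added here as an example and not part of the original answer: it parses the text that macOS `mount` prints and lists every volume on the given disk that lacks the read-only flag. The disk names and sample lines are constructed, and the check covers mount flags only, not access to the raw device node.

```shell
#!/bin/sh
# Added example: audit mount flags for one disk from `mount` output.

# Constructed sample of macOS `mount` output (not taken from a real system).
SAMPLE_MOUNT_OUTPUT='/dev/disk1s1 on / (apfs, local, journaled)
/dev/disk2s1 on /Volumes/EVIDENCE (hfs, local, nodev, nosuid, read-only, noowners)
/dev/disk2s2 on /Volumes/EVIDENCE 2 (hfs, local, nodev, nosuid, journaled, noowners)
/dev/disk20s1 on /Volumes/Other (msdos, local, nodev, nosuid, noowners)'

# writable_mounts DISK   (DISK like "disk2"); reads `mount` output on stdin.
# Prints "device mountpoint" for each slice of DISK mounted without read-only.
writable_mounts() {
    awk -v disk="$1" '
    {
        dev = $1
        sub(/^\/dev\//, "", dev)
        # Accept the disk itself or its slices (disk2, disk2s1), never disk20.
        if (dev != disk && dev !~ ("^" disk "s[0-9]+")) next

        # The mount options are the last parenthesised group on the line.
        opts = $0
        sub(/^.*\(/, "", opts)
        sub(/\).*$/, "", opts)
        n = split(opts, o, /, */)
        ro = 0
        for (i = 1; i <= n; i++) if (o[i] == "read-only") ro = 1

        if (!ro) {
            # Mount point may contain spaces: strip the device and options.
            mp = $0
            sub(/^[^ ]+ on /, "", mp)
            sub(/ \([^(]*\)$/, "", mp)
            print $1, mp
        }
    }'
}

# Demo on the constructed sample; on a Mac use: mount | writable_mounts disk2
printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | writable_mounts disk2
```

Empty output means every mounted volume on that disk carries the read-only flag; any printed line names a volume that is still writable at the filesystem level.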