Skip to content

IOMMU configuration directive

An XCCDF Rule

Description

On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. To ensure that iommu=force is added as a kernel command line argument to newly installed kernels, add iommu=force to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... iommu=force ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="iommu=force"

warning alert: Functionality Warning

Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems.

Rationale

On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by hardware devices.

ID
xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
Severity
Unknown
References
Updated



Remediation - OS Build Blueprint

[customizations.kernel]
append = "iommu=force"

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_enable_iommu_force
  - low_disruption

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

grubby --update-kernel=ALL --args=iommu=force

else