IOMMU configuration directive
An XCCDF Rule
Description
On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. Configure the default Grub2 kernel command line to contain iommu=force as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) iommu=force"
warning alert: Functionality Warning
Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems.
Rationale
On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by hardware devices.
- ID
- xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
- Severity
- Unknown
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
grubby --update-kernel=ALL --args=iommu=force
else
Remediation - OS Build Blueprint
[customizations.kernel]
append = "iommu=force"
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- grub2_enable_iommu_force
- low_disruption