IOMMU configuration directive

An XCCDF Rule

Description

On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. Configure the default Grub2 kernel command line to contain iommu=force as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) iommu=force"

warning alert: Functionality Warning

Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems.

Rationale

On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by hardware devices.

ID: xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
Severity: Unknown
References: BP28(R11)

CCE-91532-2
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91532-2
  - grub2_enable_iommu_force  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy
  - unknown_severity

- name: Check iommu argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=.*iommu=' /etc/default/grub
  failed_when: false
  register: argcheck
  when:
  - '"grub2" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91532-2
  - grub2_enable_iommu_force
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy
  - unknown_severity

- name: Check iommu argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
  failed_when: false
  register: linecheck
  when:
  - '"grub2" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91532-2
  - grub2_enable_iommu_force
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy
  - unknown_severity

- name: Add iommu argument
  ansible.builtin.lineinfile:
    line: GRUB_CMDLINE_LINUX="iommu=force "
    state: present
    dest: /etc/default/grub
    create: true
    mode: '0644'
  when:
  - '"grub2" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc != 0
  tags:
  - CCE-91532-2
  - grub2_enable_iommu_force
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy
  - unknown_severity

- name: Replace existing iommu argument
  replace:
    path: /etc/default/grub
    regexp: iommu=[a-zA-Z0-9,]+
    replace: iommu=force
  when:
  - '"grub2" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
    linecheck.rc == 0
  tags:
  - CCE-91532-2
  - grub2_enable_iommu_force
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy
  - unknown_severity

- name: Add iommu argument
  replace:
    path: /etc/default/grub
    regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
    replace: \1 iommu=force"
  when:
  - '"grub2" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc == 0
  tags:
  - CCE-91532-2
  - grub2_enable_iommu_force
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy
  - unknown_severity

- name: Update grub defaults and the bootloader menu
  command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
  when:
  - '"grub2" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91532-2
  - grub2_enable_iommu_force
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy
  - unknown_severity

[customizations.kernel]
append = "iommu=force"

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2 && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*iommu=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an iommu= arg already exists       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)iommu=[^[:space:]]\+\(.*\"\)/\1iommu=force\2/"  '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX='  '/etc/default/grub' ; then
       # no iommu=arg is present, append it
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 iommu=force\"/"  '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
       echo "GRUB_CMDLINE_LINUX=\"iommu=force\"" >> '/etc/default/grub'
fi
grub2-mkconfig -o /boot/grub2/grub2.cfg

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

IOMMU configuration directive

Description

Rationale

Remediation - Ansible

Remediation - OS Build Blueprint

Remediation - Shell Script