IOMMU configuration directive
An XCCDF Rule
Description
On x86 architectures supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system's critical units such as the memory.

To ensure that iommu=force is added as a kernel command line argument to newly installed kernels, add iommu=force to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... iommu=force ..."

Run the following command to update the command line for already installed kernels:

# update-grub
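The edit described above is easy to get wrong by hand: appending a second iommu= argument, or matching intel_iommu=on as if it were iommu=. The following script is an added example, not part of the SSG rule content or its remediation, that makes the /etc/default/grub edit idempotent and adds a check of a running kernel's command line. It assumes the double-quoted GRUB_CMDLINE_LINUX="..." form shown in the rule text and a POSIX sed; the file path is passed in so it can be exercised on a constructed copy.

```shell
#!/bin/sh
# Added example (not SSG project code): idempotently set iommu=force in a
# /etc/default/grub-style file and audit a kernel command line for it.
# Assumes GRUB_CMDLINE_LINUX uses the double-quoted form from the rule text.

# ensure_iommu_force FILE
# Leaves exactly one iommu=force argument in GRUB_CMDLINE_LINUX:
# replaces an existing iommu=<value>, appends if absent, creates the
# variable if the file lacks it. Matches only a whole "iommu=" argument
# (preceded by a quote or space), so intel_iommu=on is not mistaken for it.
ensure_iommu_force() {
    file="$1"
    tmp="$file.tmp"
    if grep -q '^[[:space:]]*GRUB_CMDLINE_LINUX=.*[" ]iommu=' "$file"; then
        # an iommu= argument already exists: rewrite its value in place
        sed 's/^\([[:space:]]*GRUB_CMDLINE_LINUX=.*[" ]\)iommu=[^" ]*/\1iommu=force/' \
            "$file" > "$tmp" && mv "$tmp" "$file"
    elif grep -q '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$file"; then
        # variable exists without iommu=: append inside the closing quote,
        # then drop the leading space that an empty value would leave behind
        sed -e 's/^\([[:space:]]*GRUB_CMDLINE_LINUX="[^"]*\)"/\1 iommu=force"/' \
            -e 's/^\([[:space:]]*GRUB_CMDLINE_LINUX="\) /\1/' \
            "$file" > "$tmp" && mv "$tmp" "$file"
    else
        # variable absent entirely: add it
        printf 'GRUB_CMDLINE_LINUX="iommu=force"\n' >> "$file"
    fi
}

# grub_cmdline FILE: print the (last) GRUB_CMDLINE_LINUX value without quotes
grub_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# cmdline_has_iommu_force CMDLINE
# Returns 0 when the kernel command line string (e.g. the contents of
# /proc/cmdline) carries iommu=force as a whole argument; a partial match
# such as iommu=forced or intel_iommu=on does not count.
cmdline_has_iommu_force() {
    for arg in $1; do
        [ "$arg" = "iommu=force" ] && return 0
    done
    return 1
}

# Demo on a constructed copy of /etc/default/grub (never the real file here).
demo="$(mktemp)"
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="quiet splash iommu=off"\n' > "$demo"
ensure_iommu_force "$demo"
ensure_iommu_force "$demo"          # second run must not add a duplicate
echo "GRUB_CMDLINE_LINUX after remediation: $(grub_cmdline "$demo")"
if cmdline_has_iommu_force "BOOT_IMAGE=/vmlinuz root=/dev/sda1 $(grub_cmdline "$demo")"; then
    echo "constructed cmdline: iommu=force present"
else
    echo "constructed cmdline: iommu=force missing"
fi
rm -f "$demo"
```

On a real system, run update-grub after the edit and confirm the booted kernel with `cmdline_has_iommu_force "$(cat /proc/cmdline)"`; the file edit alone proves nothing until the next boot, which is also when the hardware instability the warning below refers to would first show up.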
Functionality Warning
Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems.
Rationale
On x86 architectures, activating the IOMMU protects the system against arbitrary memory accesses that hardware devices could otherwise make.
ID: xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
Severity: Unknown
References:
Updated:
Remediation - OS Build Blueprint
[customizations.kernel]
append = "iommu=force"
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*iommu=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an iommu= arg already exists