From 07c6362f1aff2e151c51aa681a79c3ef650baa6d Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 23 Jun 2019 18:34:45 +0000
Subject: [PATCH 1/2] Blacklist thunderbolt and firewire
---
etc/modprobe.d/blacklist-dma.conf | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 etc/modprobe.d/blacklist-dma.conf
diff --git a/etc/modprobe.d/blacklist-dma.conf b/etc/modprobe.d/blacklist-dma.conf
new file mode 100644
index 0000000..3e2c7de
--- /dev/null
+++ b/etc/modprobe.d/blacklist-dma.conf
@@ -0,0 +1,3 @@
+# Blacklist thunderbolt and firewire to prevent some DMA attacks.
+blacklist firewire-core
+blacklist thunderbolt
From 641407c8e9c728429ec86e7c89e431896d88e116 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 23 Jun 2019 18:38:50 +0000
Subject: [PATCH 2/2] Enable IOMMU
---
etc/default/grub.d/40_enable_iommu.cfg | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 etc/default/grub.d/40_enable_iommu.cfg
diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg
new file mode 100644
index 0000000..8e2baff
--- /dev/null
+++ b/etc/default/grub.d/40_enable_iommu.cfg
@@ -0,0 +1,2 @@
+# Enables IOMMU to prevent DMA attacks.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
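Review bot: In etc/modprobe.d/blacklist-dma.conf, the two `blacklist` lines only make modprobe ignore each module's own device aliases, so both modules can still be loaded by an explicit `modprobe` or pulled in as a dependency of another driver (for FireWire, presumably the host-controller and storage drivers that sit on top of `firewire-core`). If the intent is that these modules never load, the stronger form is an install override, `install firewire-core /bin/false` and `install thunderbolt /bin/false`, next to or instead of the blacklist lines. The comment should also state the cost, for example `# Thunderbolt and FireWire peripherals will not work while these modules are blocked.`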
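Review bot: In etc/default/grub.d/40_enable_iommu.cfg, `amd_iommu=on` does not appear to be a value the kernel recognises; as far as the documented kernel parameters go, the AMD IOMMU is enabled by default when the firmware exposes it and the option takes values such as `off` or `fullflush`, so that half of the line is likely a silent no-op. Either drop it or say so in the comment, so a reader does not assume it forces the AMD IOMMU on. The comment also overstates the effect; something like `# Enables the Intel IOMMU to mitigate DMA attacks (AMD's is on by default where supported).` matches the "some DMA attacks" wording of the first patch. The setting only reaches the kernel once the GRUB configuration is regenerated, and nothing visible in this patch does that.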