From a47922ad28fc9ebba93615a6ffdaaeb4887cc140 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:47:07 +1000
Subject: [PATCH] enforce of IOMMU TLB invalidation
---
 etc/default/grub.d/40_enable_iommu.cfg | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg
index f4aa582..8d395d2 100644
--- a/etc/default/grub.d/40_enable_iommu.cfg
+++ b/etc/default/grub.d/40_enable_iommu.cfg
@@ -10,3 +10,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
 ## https://mjg59.dreamwidth.org/54433.html
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
+
+## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
+## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
+## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0 iommu.strict=1"
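Review bot: The comment added above the last line explains only `iommu.strict=1`; `iommu.passthrough=0` on the same line is undocumented, although it is the setting that keeps DMA going through IOMMU translation rather than a bypass default. I would add a line such as `## iommu.passthrough=0 forces DMA through IOMMU translation instead of the passthrough default; iommu.strict=1 makes unmaps flush the IOTLB synchronously instead of lazily.` The Kconfig reference pins `master` with `#L97`, which will drift as that file changes; a commit-pinned link, like the one used for `efi=disable_early_pci_dma` in the context lines, would stay valid. It may also be worth checking that the kernels this package targets honour `iommu.strict` on x86: as far as I recall, older kernels accepted it only on arm64 and relied on `intel_iommu=strict` / `amd_iommu=fullflush`, in which case the parameter would be silently ignored there.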