## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

## Enables IOMMU to prevent DMA attacks.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"

## Disable the busmaster bit on all PCI bridges during very
## early boot to avoid holes in IOMMU.
##
## https://mjg59.dreamwidth.org/54433.html
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"

## Enables strict enforcement of IOMMU TLB invalidation so devices
## will never be able to access stale data contents.
##
## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0 iommu.strict=1"