|
 |
a8c580 |
From 84136d85e60245b1871ac5d058d4963e8a086940 Mon Sep 17 00:00:00 2001
|
|
|
a8c580 |
From: Watson Sato <wsato@redhat.com>
|
|
|
a8c580 |
Date: Thu, 6 May 2021 09:05:54 +0200
|
|
|
a8c580 |
Subject: [PATCH] Move rule to grub2_bootloader_argument template
|
|
|
a8c580 |
|
|
|
a8c580 |
Implement content for grub2_enable_iommu_force via template
|
|
|
a8c580 |
grub2_bootloader_argument.
|
|
|
a8c580 |
|
|
|
a8c580 |
Also adds warning about possible instabilities depending on hardware,
|
|
|
a8c580 |
devices and operating system used.
|
|
|
a8c580 |
Support for IOMMU is broad and generally well tested, so I assume
|
|
|
a8c580 |
automated remediation for this rule should not be a problem in general.
|
|
|
a8c580 |
---
|
|
|
a8c580 |
.../grub2_enable_iommu_force/oval/shared.xml | 42 -------------------
|
|
|
a8c580 |
.../grub2_enable_iommu_force/rule.yml | 11 +++++
|
|
|
a8c580 |
2 files changed, 11 insertions(+), 42 deletions(-)
|
|
|
a8c580 |
delete mode 100644 linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml
|
|
|
a8c580 |
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml
|
|
|
a8c580 |
deleted file mode 100644
|
|
|
a8c580 |
index 0552ef2a644..00000000000
|
|
|
a8c580 |
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml
|
|
|
a8c580 |
+++ /dev/null
|
|
|
a8c580 |
@@ -1,42 +0,0 @@
|
|
|
a8c580 |
-<def-group>
|
|
|
a8c580 |
- <definition class="compliance" id="grub2_enable_iommu_force" version="1">
|
|
|
a8c580 |
- {{{ oval_metadata("Ensure iommu=force is configured in the kernel line in /etc/default/grub.") }}}
|
|
|
a8c580 |
- <criteria operator="AND">
|
|
|
a8c580 |
- <extend_definition definition_ref="grub2_default_exists" comment="check for GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub" />
|
|
|
a8c580 |
- <criteria operator="OR">
|
|
|
a8c580 |
- <criterion test_ref="test_grub2_enable_force_iommu_default" comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" />
|
|
|
a8c580 |
- <criterion test_ref="test_grub2_enable_force_iommu" comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX" />
|
|
|
a8c580 |
- </criteria>
|
|
|
a8c580 |
- </criteria>
|
|
|
a8c580 |
- </definition>
|
|
|
a8c580 |
-
|
|
|
a8c580 |
-
|
|
|
a8c580 |
- comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX"
|
|
|
a8c580 |
- check="all" check_existence="all_exist" version="1">
|
|
|
a8c580 |
- <ind:object object_ref="object_grub2_enable_force_iommu" />
|
|
|
a8c580 |
- <ind:state state_ref="state_grub2_enable_force_iommu" />
|
|
|
a8c580 |
- </ind:textfilecontent54_test>
|
|
|
a8c580 |
-
|
|
|
a8c580 |
- <ind:textfilecontent54_object id="object_grub2_enable_force_iommu" version="1">
|
|
|
a8c580 |
- <ind:filepath>/etc/default/grub</ind:filepath>
|
|
|
a8c580 |
- <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
|
|
|
a8c580 |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
a8c580 |
- </ind:textfilecontent54_object>
|
|
|
a8c580 |
-
|
|
|
a8c580 |
-
|
|
|
a8c580 |
- comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"
|
|
|
a8c580 |
- check="all" check_existence="all_exist" version="1">
|
|
|
a8c580 |
- <ind:object object_ref="object_grub2_enable_force_iommu_default" />
|
|
|
a8c580 |
- <ind:state state_ref="state_grub2_enable_force_iommu" />
|
|
|
a8c580 |
- </ind:textfilecontent54_test>
|
|
|
a8c580 |
-
|
|
|
a8c580 |
- <ind:textfilecontent54_object id="object_grub2_enable_force_iommu_default" version="1">
|
|
|
a8c580 |
- <ind:filepath>/etc/default/grub</ind:filepath>
|
|
|
a8c580 |
- <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
|
|
|
a8c580 |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
a8c580 |
- </ind:textfilecontent54_object>
|
|
|
a8c580 |
-
|
|
|
a8c580 |
- <ind:textfilecontent54_state id="state_grub2_enable_force_iommu" version="1">
|
|
|
a8c580 |
- <ind:subexpression datatype="string" operation="pattern match">^.*iommu=force.*$</ind:subexpression>
|
|
|
a8c580 |
- </ind:textfilecontent54_state>
|
|
|
a8c580 |
-</def-group>
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
|
|
a8c580 |
index b560e8d2376..c1f77e21c36 100644
|
|
|
a8c580 |
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
|
|
a8c580 |
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
|
|
a8c580 |
@@ -20,3 +20,14 @@ references:
|
|
|
a8c580 |
anssi: BP28(R11)
|
|
|
a8c580 |
|
|
|
a8c580 |
platform: machine
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+warnings:
|
|
|
a8c580 |
+ - functionality:
|
|
|
a8c580 |
+ Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities.
|
|
|
a8c580 |
+ Proper function and stability should be assessed before applying remediation to production systems.
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+template:
|
|
|
a8c580 |
+ name: grub2_bootloader_argument
|
|
|
a8c580 |
+ vars:
|
|
|
a8c580 |
+ arg_name: iommu
|
|
|
a8c580 |
+ arg_value: 'force'
|