linux: Enable Intel DMA Remapping Devices by default on x86_64

If available, the kernel will enable IOMMU (a/k/a DMA remapping) by
default on boot. To tools making use of that, particularly hypervisors,
this provides better security without any downsides.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 06d98e3250da1ad9d5f4a67ca71e7cb538a7f32c..a5c5a4e2939e3f5e8495ed8d4068067c1d53ecd8 100644 (file)
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6488,7 +6488,7 @@ CONFIG_AMD_IOMMU_V2=y
 CONFIG_DMAR_TABLE=y
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_SVM=y
-# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_FLOPPY_WA=y
 # CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
 CONFIG_IRQ_REMAP=y

diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index f81b5589d5fe0a8a74dfe0780cfb26f9314468ed..b25f85a3ab335c5ffa1f94a77ac004efe9add736 100644 (file)
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -8075,6 +8075,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/INTEL_INT0002_VGPIO
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOATDMA
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU
+#lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_DEFAULT_ON
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_FLOPPY_WA
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_SVM
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IPS