Skip to content

Commit

Permalink
feat: disable PCI busmastering on bridges during boot
Browse files Browse the repository at this point in the history
Enables CONFIG_EFI_DISABLE_PCI_DMA to improve boot security to protect from
malicious PCI hardware.

Not sure where CONFIG_TOOLS_SUPPORT_RELR comes from, this was added after
make kernel-olddefconfig

Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
Signed-off-by: Noel Georgi <git@frezbo.dev>
  • Loading branch information
nberlee authored and frezbo committed Feb 19, 2024
1 parent 30f18c8 commit 87eb013
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 2 deletions.
3 changes: 2 additions & 1 deletion kernel/build/config-amd64
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ CONFIG_CC_CAN_LINK=y
CONFIG_CC_CAN_LINK_STATIC=y
CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
CONFIG_TOOLS_SUPPORT_RELR=y
CONFIG_CC_HAS_ASM_INLINE=y
CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
CONFIG_PAHOLE_VERSION=125
Expand Down Expand Up @@ -1985,7 +1986,7 @@ CONFIG_EFI_DEV_PATH_PARSER=y
CONFIG_APPLE_PROPERTIES=y
# CONFIG_RESET_ATTACK_MITIGATION is not set
# CONFIG_EFI_RCI2_TABLE is not set
# CONFIG_EFI_DISABLE_PCI_DMA is not set
CONFIG_EFI_DISABLE_PCI_DMA=y
CONFIG_EFI_EARLYCON=y
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
# CONFIG_EFI_DISABLE_RUNTIME is not set
Expand Down
2 changes: 1 addition & 1 deletion kernel/build/config-arm64
Original file line number Diff line number Diff line change
Expand Up @@ -2125,7 +2125,7 @@ CONFIG_EFI_BOOTLOADER_CONTROL=y
CONFIG_EFI_CAPSULE_LOADER=y
CONFIG_EFI_TEST=y
CONFIG_RESET_ATTACK_MITIGATION=y
# CONFIG_EFI_DISABLE_PCI_DMA is not set
CONFIG_EFI_DISABLE_PCI_DMA=y
CONFIG_EFI_EARLYCON=y
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
# CONFIG_EFI_DISABLE_RUNTIME is not set
Expand Down

0 comments on commit 87eb013

Please sign in to comment.