From 84136d85e60245b1871ac5d058d4963e8a086940 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 6 May 2021 09:05:54 +0200
Subject: [PATCH] Move rule to grub2_bootloader_argument template

Implement content for grub2_enable_iommu_force via template
grub2_bootloader_argument.

Also adds a warning about possible instabilities depending on the hardware,
devices and operating system used.
Support for IOMMU is broad and generally well tested, so I assume
automated remediation for this rule should not be a problem in general.
---
 .../grub2_enable_iommu_force/oval/shared.xml  | 42 -------------------
 .../grub2_enable_iommu_force/rule.yml         | 11 +++++
 2 files changed, 11 insertions(+), 42 deletions(-)
 delete mode 100644 linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml
deleted file mode 100644
index 0552ef2a644..00000000000
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml
+++ /dev/null
@@ -1,42 +0,0 @@
-<def-group>
-  <definition class="compliance" id="grub2_enable_iommu_force" version="1">
-    {{{ oval_metadata("Ensure iommu=force is configured in the kernel line in /etc/default/grub.") }}}
-    <criteria operator="AND">
-      <extend_definition definition_ref="grub2_default_exists" comment="check for GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub" />
-      <criteria operator="OR">
-        <criterion test_ref="test_grub2_enable_force_iommu_default" comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" />
-        <criterion test_ref="test_grub2_enable_force_iommu" comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX" />
-      </criteria>
-    </criteria>
-  </definition>
-
-  <ind:textfilecontent54_test id="test_grub2_enable_force_iommu"
-  comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX"
-  check="all" check_existence="all_exist" version="1">
-    <ind:object object_ref="object_grub2_enable_force_iommu" />
-    <ind:state state_ref="state_grub2_enable_force_iommu" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_grub2_enable_force_iommu" version="1">
-    <ind:filepath>/etc/default/grub</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test id="test_grub2_enable_force_iommu_default"
-  comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"
-  check="all" check_existence="all_exist" version="1">
-    <ind:object object_ref="object_grub2_enable_force_iommu_default" />
-    <ind:state state_ref="state_grub2_enable_force_iommu" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_grub2_enable_force_iommu_default" version="1">
-    <ind:filepath>/etc/default/grub</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_grub2_enable_force_iommu" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^.*iommu=force.*$</ind:subexpression>
-  </ind:textfilecontent54_state>
-</def-group>
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
index b560e8d2376..c1f77e21c36 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
@@ -20,3 +20,14 @@ references:
     anssi: BP28(R11)
 
 platform: machine
+
+warnings:
+  - functionality:
+      Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities.
+      Proper function and stability should be assessed before applying remediation to production systems.
+
+template:
+    name: grub2_bootloader_argument
+    vars:
+        arg_name: iommu
+        arg_value: 'force'
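Review bot: The `template:` mapping is indented with four spaces (`name`, `vars`, `arg_name`, `arg_value`) while the `warnings:` mapping added in the same hunk uses two, so the file now mixes two indentation widths; `template:` / `  name: grub2_bootloader_argument` / `  vars:` with `    arg_name: iommu` and `    arg_value: force` would match the rest of the hunk, and quoting only `force` while leaving `iommu` bare is a similar inconsistency. The removed OVAL accepted `iommu=force` on either `GRUB_CMDLINE_LINUX` or `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub` (an OR criteria); whether the `grub2_bootloader_argument` template preserves that acceptance, and whether it also inspects the live bootloader configuration, is not visible in this diff, so it is worth confirming so the migration neither silently tightens nor loosens the check. The warning text could also note that the functionality risk applies specifically to forcing IOMMU on devices lacking proper IOMMU support, which is the case the `force` value changes compared to the kernel default.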