From 87eb0134fab2aa7e6a3d52d541a84847dd265329 Mon Sep 17 00:00:00 2001
From: Nico Berlee
Date: Sun, 18 Feb 2024 18:13:12 +0100
Subject: [PATCH] feat: disable PCI busmastering on bridges during boot

Enables CONFIG_EFI_DISABLE_PCI_DMA to improve boot security to protect from malicious PCI hardware.

Not sure where CONFIG_TOOLS_SUPPORT_RELR comes from, this was added after make kernel-olddefconfig

Signed-off-by: Nico Berlee
Signed-off-by: Noel Georgi
---
 kernel/build/config-amd64 | 3 ++-
 kernel/build/config-arm64 | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
index 4a83da45a..0052d57cb 100644
--- a/kernel/build/config-amd64
+++ b/kernel/build/config-amd64
@@ -15,6 +15,7 @@ CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
 CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
+CONFIG_TOOLS_SUPPORT_RELR=y
 CONFIG_CC_HAS_ASM_INLINE=y
 CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
 CONFIG_PAHOLE_VERSION=125
@@ -1985,7 +1986,7 @@ CONFIG_EFI_DEV_PATH_PARSER=y
 CONFIG_APPLE_PROPERTIES=y
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_EFI_RCI2_TABLE is not set
-# CONFIG_EFI_DISABLE_PCI_DMA is not set
+CONFIG_EFI_DISABLE_PCI_DMA=y
 CONFIG_EFI_EARLYCON=y
 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
 # CONFIG_EFI_DISABLE_RUNTIME is not set
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
index c0abee647..220bb2173 100644
--- a/kernel/build/config-arm64
+++ b/kernel/build/config-arm64
@@ -2125,7 +2125,7 @@ CONFIG_EFI_BOOTLOADER_CONTROL=y
 CONFIG_EFI_CAPSULE_LOADER=y
 CONFIG_EFI_TEST=y
 CONFIG_RESET_ATTACK_MITIGATION=y
-# CONFIG_EFI_DISABLE_PCI_DMA is not set
+CONFIG_EFI_DISABLE_PCI_DMA=y
 CONFIG_EFI_EARLYCON=y
 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
 # CONFIG_EFI_DISABLE_RUNTIME is not set
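Review bot: `+CONFIG_TOOLS_SUPPORT_RELR=y` in the first config-amd64 hunk is unrelated to the subject of this commit; as far as I recall it is a host-toolchain capability symbol that Kconfig derives from a probe of the linker used during `make kernel-olddefconfig` (whether it supports RELR relocations), which explains the "not sure where it comes from" remark. Its value is not a hardening choice and can change between build hosts, and it does not appear in the config-arm64 diff. Either drop it from this commit or replace the uncertainty in the message with a sentence such as `CONFIG_TOOLS_SUPPORT_RELR is a toolchain-detection symbol picked up by olddefconfig, not a deliberate change`.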
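Review bot: `+CONFIG_EFI_DISABLE_PCI_DMA=y` (second config-amd64 hunk and the config-arm64 hunk) only acts on the EFI stub boot path — it clears the Bus Master Enable bit on PCI bridges before ExitBootServices(), and drivers turn bus mastering back on as they bind — so the commit message's "during boot" protection does not cover non-EFI (legacy BIOS) boots and does not replace an IOMMU policy for the rest of runtime; the message should say so. As I recall the kernel help text warns this option can prevent some systems from booting, and the command-line fallback `efi=no_disable_early_pci_dma` exists for that case, which is worth recording in the release note alongside the new default. Also visible in these hunks: amd64 keeps `# CONFIG_RESET_ATTACK_MITIGATION is not set` while arm64 has `CONFIG_RESET_ATTACK_MITIGATION=y`; if that asymmetry is intentional a line in the commit message would help, otherwise consider aligning the two configs.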