diff --git a/hosts/sarien/boot.nix b/hosts/sarien/boot.nix
index 55bdeb6..2da552d 100644
--- a/hosts/sarien/boot.nix
+++ b/hosts/sarien/boot.nix
@@ -11,6 +11,21 @@
     # kernelPackages = pkgs.linuxPackages_latest;
     kernelPackages = pkgs.linuxPackages_cachyos;
     kernelModules = ["kvm-intel"];
+    kernelParams = [
+      "debugfs=off"
+      "efi=disable_early_pci_dma"
+      # "gather_data_sampling=force"
+      "intel_iommu=on"
+      "iommu.passthrough=0"
+      "iommu.strict=1"
+      "iommu=force"
+      # "lockdown=confidentiality"
+      # "module.sig_enforce=1"
+      "page_alloc.shuffle=1"
+      # "reg_file_data_sampling=on"
+      # "spec_rstack_overflow=safe-ret"
+      "vsyscall=none"
+    ];
     loader.efi.canTouchEfiVariables = true;
     loader.systemd-boot = {
       enable = true;