From a0037fdb0fe4673f8389dbf7f27822933065583f Mon Sep 17 00:00:00 2001
From: unexplrd
Date: Wed, 2 Apr 2025 15:10:09 +0300
Subject: [PATCH] hosts/sarien/boot.nix: add security kernel params
Signed-off-by: unexplrd
---
 hosts/sarien/boot.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/hosts/sarien/boot.nix b/hosts/sarien/boot.nix
index 55bdeb6..2da552d 100644
--- a/hosts/sarien/boot.nix
+++ b/hosts/sarien/boot.nix
@@ -11,6 +11,21 @@
 # kernelPackages = pkgs.linuxPackages_latest;
 kernelPackages = pkgs.linuxPackages_cachyos;
 kernelModules = ["kvm-intel"];
+ kernelParams = [
+ "debugfs=off"
+ "efi=disable_early_pci_dma"
+ # "gather_data_sampling=force"
+ "intel_iommu=on"
+ "iommu.passthrough=0"
+ "iommu.strict=1"
+ "iommu=force"
+ # "lockdown=confidentiality"
+ # "module.sig_enforce=1"
+ "page_alloc.shuffle=1"
+ # "reg_file_data_sampling=on"
+ # "spec_rstack_overflow=safe-ret"
+ "vsyscall=none"
+ ];
 loader.efi.canTouchEfiVariables = true;
 loader.systemd-boot = {
 enable = true;
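Review bot: The five commented-out entries in the new `kernelParams` list carry no rationale, so a later reader cannot tell which are deferred on purpose and which simply do not apply to this host; `spec_rstack_overflow=safe-ret` is an AMD SRSO mitigation and is a no-op on this Intel machine (`kernelModules = ["kvm-intel"]`), whereas `lockdown=confidentiality` and `module.sig_enforce=1` presumably stay off because the modules this kernel loads are not signed. A one-line comment per group would settle it, e.g. `# lockdown/sig_enforce off: would block unsigned (out-of-tree) modules -- TODO revisit once module signing is in place` and `# spec_rstack_overflow is AMD-only; not applicable to this Intel host`. Separately, the kernel silently ignores parameters its config does not support (e.g. `page_alloc.shuffle=1` and `debugfs=off` depend on the corresponding config options), so after switching it is worth checking `/proc/cmdline` and dmesg for "Unknown kernel command line parameters" to confirm the hardening is actually in effect on the CachyOS kernel. The enclosing attribute set starts before the hunk.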