diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
index 1aa3e441e..8966d38ba 100644
--- a/kernel/build/config-amd64
+++ b/kernel/build/config-amd64
@@ -1984,7 +1984,7 @@ CONFIG_EFI_DEV_PATH_PARSER=y
 CONFIG_APPLE_PROPERTIES=y
 CONFIG_RESET_ATTACK_MITIGATION=y
 # CONFIG_EFI_RCI2_TABLE is not set
-CONFIG_EFI_DISABLE_PCI_DMA=y
+# CONFIG_EFI_DISABLE_PCI_DMA is not set
 CONFIG_EFI_EARLYCON=y
 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
 # CONFIG_EFI_DISABLE_RUNTIME is not set
diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py
index f7f521b15..e08e7563e 100644
--- a/kernel/build/scripts/filter-hardened-check.py
+++ b/kernel/build/scripts/filter-hardened-check.py
@@ -30,6 +30,7 @@
 'CONFIG_CFI_PERMISSIVE', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/91
 'CONFIG_SECURITY_SELINUX_DEVELOP', # SELinux enabled, but permissive unless enforcing=1. TODO: force enforcing mode when complete
 'CONFIG_SPECULATION_MITIGATIONS', # Renamed in the kernel to 'CONFIG_CPU_MITIGATIONS'
+ 'CONFIG_EFI_DISABLE_PCI_DMA', # enabling this breaks boot with no visible error messages to debug (https://github.com/siderolabs/talos/issues/8743)
 }
 """
@@ -38,7 +39,6 @@
 IGNORE_VIOLATIONS_BY_ARCH = {
 'arm64': {
 'CONFIG_ARM64_BTI_KERNEL', # can't seem to enable this, probably because we're using gcc, see https://github.com/siderolabs/pkgs/issues/918
- 'CONFIG_EFI_DISABLE_PCI_DMA', # for arm64, enabling this breaks boot with no visible error messages to debug.
 },
 'amd64': {},
 }
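Review bot: Unsetting `CONFIG_EFI_DISABLE_PCI_DMA` in config-amd64 stops the EFI stub from clearing PCI bus-mastering before ExitBootServices(), so amd64 images lose protection against device DMA in the window before the kernel programs the IOMMU, and nothing in this hunk records that trade-off. The kernel still honours `efi=disable_early_pci_dma` on the command line when the option is unset, so the change notes should say that operators on hardware not hit by the boot failure can opt back in that way. Whether the failure affects all amd64 machines or only certain platforms is not visible here; if it is platform-specific, that belongs next to the issue link.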
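Review bot: The new `'CONFIG_EFI_DISABLE_PCI_DMA'` entry in the global `IGNORE_VIOLATIONS` set silences the hardening check for this option on every architecture, with nothing marking the exemption as temporary. The `CONFIG_SECURITY_SELINUX_DEVELOP` entry two lines above does carry a TODO. I would extend the comment to `# breaks boot with no visible error (https://github.com/siderolabs/talos/issues/8743); early-boot PCI DMA protection is off. TODO: re-enable once root-caused`, so the suppression is revisited when the issue is closed. The set literal opens above the hunk, so its other entries are not visible here.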