This might also be a good time to lock down the uefi settings on one's machine to make sure someone with physical access can't just disable iommu.