Thunderbolt

Thunderbolt 3 works out of the box with recent Linux kernel versions [1]. The Linux kernel, starting with version 4.13, supports Thunderbolt Security as well.

Obtain firmware updates

Manufacturers often release firmware updates for Thunderbolt ports and devices to function properly, visit https://thunderbolttechnology.net/updates for more details how to obtain upgrades for certain vendors.

Note: Some vendors use fwupd to push firmware updates on Linux.

User device authorization

Modern Thunderbolt devices implement security modes that require user authorization when connecting devices - this is to protect from malicious devices performing DMA attacks or otherwise interfering with the hardware (see Thunderstrike 2).

The modes currently supported on Linux are:

none - No security, all devices are connected and initialized by default. In BIOS settings this is typically called Legacy mode.
user - User authorization is required every time a device is connected. In BIOS settings this is typically called Unique ID.
secure - User authorization is required, but the device is then remembered and does not require re-authorization. In BIOS settings this is typically called One time saved key.
dponly - DisplayPort functionality only, no other devices are allowed. In BIOS settings this is typically called Display Port Only.

The security level is normally configured at firmware level; it is recommended to set it to at least secure. The state of this setting can be queried with:

$ cat /sys/bus/thunderbolt/devices/domain0/security

Tip: User-space solutions are available such as bolt or tbt^AUR to authorize devices.

Graphical front-ends

GNOME has native support for authorizing devices from the UI since version 3.30
Plasma integration is available from this git repository and from plasma-thunderbolt package

Automatically connect any device

Users who just want to connect any device without any sort of manual work can create a udev rule as in 99-removable.rules:

/etc/udev/rules.d/99-removable.rules

ACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"

Forcing power

Many OEMs include a method that can be used to force the power of a Thunderbolt controller to an On state. If supported by the machine this will be exposed by the WMI bus with a sysfs attribute called force_power [2].

Forcing power may especially be useful when a connected device loses connection or the controller that switches itself off.

To force the power to be on/off, write 1 or 0 to this attribute, e.g. to force power:

# echo 1 > /sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341/force_power

Note: It is not possible to query the current force_power state.

Troubleshooting

PCI buses are not registered

Sometimes when connecting a Thunderbolt device PCI buses might not be registered. This is apparent by having screens working while USB devices fail to register on your computer. This can be solved by issuing a PCI rescan:

# echo 1 > /sys/bus/pci/rescan

Increasing hot-plug bus size and memory

Some BIOS can report too little bus size and memory to the kernel, causing the drivers fail to load. Add the following to kernel command line to manually set the size.

pci=hpbussize=0x33,hpmemsize=256M