Thunderbolt

From ArchWiki
Jump to navigation Jump to search

Thunderbolt 3 works out of the box with recent Linux kernel versions [1]. The Linux kernel, starting with version 4.13, supports Thunderbolt Security, too.

Obtain firmware updates

Manufacturers often release firmware updates for Thunderbolt ports and devices to function properly, visit https://thunderbolttechnology.net/updates for more details how to obtain upgrades for certain vendors.

Note: Some vendors use fwupd to push firmware updates on Linux.

User device authorization

Modern Thunderbolt devices implement security modes that require user authorization when connecting devices - this is to protect from malicious devices performing DMA attacks or otherwise interfering with the hardware (see Thunderstrike 2).

The modes currently supported on Linux are:

  • none - No security, all devices are connected and initialized by default. In BIOS settings this is typically called Legacy mode.
  • user - User authorization is required every time a device is connected. In BIOS settings this is typically called Unique ID.
  • secure - User authorization is required, but the device is then remembered and does not require re-authorization. In BIOS settings this is typically called One time saved key.
  • dponly - DisplayPort functionality only, no other devices are allowed. In BIOS settings this is typically called Display Port Only.

The security level is normally configured at firmware level; it's recommended to set it to at least secure.

Tip: User-space solutions are available such as bolt or tbtAUR to authorize devices.

Graphical front-ends

GNOME has native support for authorizing devices from the UI since version 3.30; Plasma integration is in the works ([2], [3]).

Automatically connect any device

Users who just want to connect any device without any sort of manual work can create a udev as in 99-removable.rules:

/etc/udev/rules.d/99-removable.rules
ACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"

See also