Difference between revisions of "Thunderbolt"

From ArchWiki
(Forcing power: Link to correct section)
m (use internal link; grammar, spelling)
Line 19: Line 19:
 
* {{ic|dponly}} - DisplayPort functionality only, no other devices are allowed. In BIOS settings this is typically called ''Display Port Only''.
 
* {{ic|dponly}} - DisplayPort functionality only, no other devices are allowed. In BIOS settings this is typically called ''Display Port Only''.
  
The security level is normally configured at firmware level; it's recommended to set it to at least {{ic|secure}}.
+
The security level is normally configured at firmware level; it is recommended to set it to at least {{ic|secure}}.
  
 
{{Tip|User-space solutions are available such as {{pkg|bolt}} or {{AUR|tbt}} to authorize devices.}}
 
{{Tip|User-space solutions are available such as {{pkg|bolt}} or {{AUR|tbt}} to authorize devices.}}
Line 29: Line 29:
 
=== Automatically connect any device ===
 
=== Automatically connect any device ===
  
Users who just want to connect any device without any sort of manual work can create an [https://wiki.archlinux.org/index.php/Udev#About_udev_rules udev rule] as in {{ic|99-removable.rules}}:
+
Users who just want to connect any device without any sort of manual work can create a [[Udev#About_udev_rules|udev rule]] as in {{ic|99-removable.rules}}:
  
 
{{hc|/etc/udev/rules.d/99-removable.rules|2=
 
{{hc|/etc/udev/rules.d/99-removable.rules|2=
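Review bot: the reworded sentence in the second hunk ("Users who just want to connect any device without any sort of manual work ...") still introduces the rule without saying that it cancels the authorization step the first hunk recommends ("at least {{ic|secure}}"). Since this edit already touches the sentence, consider adding a {{Warning|...}} template next to it stating that a rule authorizing every device removes the protection the security level is recommended for.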

Revision as of 13:24, 28 May 2019

Thunderbolt 3 works out of the box with recent Linux kernel versions [1]. The Linux kernel, starting with version 4.13, supports Thunderbolt Security, too.

Obtain firmware updates

Manufacturers often release firmware updates that Thunderbolt ports and devices need to function properly; visit https://thunderbolttechnology.net/updates for more details on how to obtain upgrades for certain vendors.

Note: Some vendors use fwupd to push firmware updates on Linux.

User device authorization

Modern Thunderbolt devices implement security modes that require user authorization when connecting devices - this protects against malicious devices performing DMA attacks or otherwise interfering with the hardware (see Thunderstrike 2).

The modes currently supported on Linux are:

  • none - No security, all devices are connected and initialized by default. In BIOS settings this is typically called Legacy mode.
  • user - User authorization is required every time a device is connected. In BIOS settings this is typically called Unique ID.
  • secure - User authorization is required, but the device is then remembered and does not require re-authorization. In BIOS settings this is typically called One time saved key.
  • dponly - DisplayPort functionality only, no other devices are allowed. In BIOS settings this is typically called Display Port Only.

The security level is normally configured at firmware level; it is recommended to set it to at least secure.

Tip: User-space solutions are available such as bolt or tbt (AUR) to authorize devices.

Graphical front-ends

GNOME has native support for authorizing devices from the UI since version 3.30; Plasma integration is in the works ([2], [3]).

Automatically connect any device

Users who just want to connect any device without any sort of manual work can create a udev rule as in 99-removable.rules:

/etc/udev/rules.d/99-removable.rules
ACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"
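
An added example (not part of the ArchWiki page): a POSIX shell audit for the security modes and the udev rule above. It reports domains below the recommended secure level, lists each device's authorized state, and flags udev rules that authorize any device. The `security` and `unique_id` sysfs attributes come from the kernel's Thunderbolt sysfs interface rather than from this page, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): audit Thunderbolt authorization.
# The sysfs root and the rules directory are parameters so the checks can run
# against a copy of the tree; the defaults are the live system paths.

# Print "<domain> <level>" for domains below the recommended "secure" level.
# Only the four modes listed on the page are considered: none, user, secure, dponly.
weak_domains() (
    for d in "${1:-/sys}"/bus/thunderbolt/devices/domain*; do
        [ -r "$d/security" ] || continue
        level=$(cat "$d/security")
        case $level in
            none|user) printf '%s %s\n' "${d##*/}" "$level" ;;
        esac
    done
)

# Print "<device> authorized=<n> <unique_id>" for every device exposing the
# authorized attribute (the same attribute the udev rule writes to).
list_devices() (
    for d in "${1:-/sys}"/bus/thunderbolt/devices/*; do
        [ -r "$d/authorized" ] || continue
        printf '%s authorized=%s %s\n' "${d##*/}" "$(cat "$d/authorized")" \
            "$(cat "$d/unique_id" 2>/dev/null)"
    done
)

# Print rule files that assign authorized="1" to thunderbolt devices without
# also matching on ATTR{unique_id}, i.e. rules that authorize any device.
# Matching is textual and assumes the rule is written without extra spaces.
blanket_rules() (
    for f in "${1:-/etc/udev/rules.d}"/*.rules; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -F 'SUBSYSTEM=="thunderbolt"' \
            | grep -F 'ATTR{authorized}="1"' | grep -Fqv 'ATTR{unique_id}=='; then
            printf '%s\n' "$f"
        fi
    done
)

tb_audit() {
    echo "Domains below 'secure':"; weak_domains
    echo "Devices:"; list_devices
    echo "Rules authorizing any device:"; blanket_rules
}

case "${1:-}" in --audit) tb_audit ;; esac  # run with --audit on a live system
```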

Forcing power

Many OEMs include a method that can be used to force the power of a Thunderbolt controller to an On state. If supported by the machine this will be exposed by the WMI bus with a sysfs attribute called force_power [4].

Forcing power may be especially useful when a connected device loses connection or the controller switches itself off.

To force the power to be on/off, write 1 or 0 to this attribute, e.g. to force power:

# echo 1 > /sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341/force_power

Note: It is not possible to query the current force_power state.

See also