From ArchWiki

Thunderbolt 3 works out of the box with recent Linux kernel versions [1]. The Linux kernel, starting with version 4.13, supports Thunderbolt Security as well.

Obtain firmware updates

Manufacturers often release firmware updates for Thunderbolt ports and devices to function properly, visit for more details how to obtain upgrades for certain vendors.

Note: Some vendors use fwupd to push firmware updates on Linux.

User device authorization

Modern Thunderbolt devices implement security modes that require user authorization when connecting devices - this is to protect from malicious devices performing DMA attacks or otherwise interfering with the hardware (see Thunderstrike 2).

The modes currently supported on Linux are:

  • none - No security, all devices are connected and initialized by default. In BIOS settings this is typically called Legacy mode.
  • user - User authorization is required every time a device is connected. In BIOS settings this is typically called Unique ID.
  • secure - User authorization is required, but the device is then remembered and does not require re-authorization. In BIOS settings this is typically called One time saved key.
  • dponly - DisplayPort functionality only, no other devices are allowed. In BIOS settings this is typically called Display Port Only.

The security level is normally configured at firmware level; it is recommended to set it to at least secure. The state of this setting can be queried with:

$ cat /sys/bus/thunderbolt/devices/domain0/security
Tip: User-space solutions are available such as bolt or tbtAUR to authorize devices.

Graphical front-ends

Automatically connect any device

Users who just want to connect any device without any sort of manual work can create a udev rule as in 99-removable.rules:

ACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"

Forcing power

Many OEMs include a method that can be used to force the power of a Thunderbolt controller to an On state. If supported by the machine this will be exposed by the WMI bus with a sysfs attribute called force_power [2].

Forcing power may especially be useful when a connected device loses connection or the controller that switches itself off.

To force the power to be on/off, write 1 or 0 to this attribute, e.g. to force power:

# echo 1 > /sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341/force_power
Note: It is not possible to query the current force_power state.


PCI buses are not registered

Sometimes when connecting a Thunderbolt device PCI buses might not be registered. This is apparent by having screens working while USB devices fail to register on your computer. This can be solved by issuing a PCI rescan:

# echo 1 > /sys/bus/pci/rescan

Increasing hot-plug bus size and memory

Some motherboards' firmware does not report enough bus and memory sizes to the kernel, causing drivers loading to fail. Add the following to kernel command line to manually set the size.


See also