Thunderbolt 3 and GNU/Linux
FOSDEM 2018
Christian Kellner, PhD Desktop Hardware Enablement 04/02/2018 What is this , anyway? “The USB-C that does it all” Intel*
* https://thunderbolttechnology.net/
3 Thunderbolt 3 — Overview
• USB type C connector (one port to confuse them all)
• 40 Gb/s
• 4 PCI Express (Gen 3) lanes
• 8 DisplayPort (1.2) lanes
• Native USB 3.1
• Daisy-chain up to 6 devices
• Up to 100 W for charging, 15W for devices
• Networking, external Graphic
• Docks, docks, docks
4 Thunderbolt 3 — Connection Modes
USB ONLY DISPLAYPORT ONLY Active when USB devices Switch pins of USB-C into are plugged in. DP alternate mode. TB will Behaves as a normal USB-C act as a router for DP data 3.1 port. from GFX to USB-C port
DP & USB MULTI-FUNCTION THUNDERBOLT 3 One high-speed pair is used All 4 high speeds links for DP. active (at 10/20 Gbps). The other high-speed pair is max 4 PCIe Gen 3 lanes used for USB 3.1 max 2 DisplayPort links
POWER DELIVERY & THUNDERBOLT CHARGING NETWORKIG
5 Thunderbolt — Security ???
Thunderbolt is PCIe → DMA→ DMA attacks
https://github.com/ufrisk/pcileech
6 Thunderbolt 3 — Security Modes
NONE DP ONLY No Security. Doh. Display Port only. All devices are authorized You guessed right. by default.
USER SECURE Thunderbolt devices need to Thunderbolt devices need authorized. Only then are to authorized. Their PCIe lanes activated. identity can be verifed via a key.
7 Thunderbolt 3 — Security Modes In the land of the dialogs … … no we are not doing that.
8 Thunderbolt and GNU/Linux Thunderbolt & GNU/Linux Overview
other DE integration Linux 4.13
sysfs/udev gnome-control-center
gnome-shell s u
boltd B System deaemon - D boltctl
10 Kernel Interface Linux kernel 4.13+ provide a sysfs interface
/sys/bus/thunderbolt//sys/bus/thunderbolt/ └──└── devicesdevices ├──├── domain0domain0 →→ 0-0/0-0/ securitysecurity subsystem@subsystem@ ueventuevent […][…] ├──├── 0-00-0 →→ 0-1/0-1/ authorizedauthorized devicedevice device_namedevice_name vendor_namevendor_name unique_idunique_id […][…] ├──├── 0-10-1 →→ 0-301/0-301/ authorizedauthorized […][…] keykey […][…] unique_idunique_id └──└── 0-3010-301 →→ […][…] nvm_active2/nvm_active2/ nvm_non_active2/nvm_non_active2/ nvm_versionnvm_version nvm_authenticatenvm_authenticate
## echoecho 11 >> /sys/bus/thunderbolt/devices/0-1//sys/bus/thunderbolt/devices/0-1/authorizedauthorized
## key=$(opensslkey=$(openssl randrand -hex-hex 32)32) ## echoecho $key$key >> /sys/bus/thunderbolt/devices/0-1//sys/bus/thunderbolt/devices/0-1/keykey ## echoecho 11 >> /sys/bus/thunderbolt/devices/0-1//sys/bus/thunderbolt/devices/0-1/authorizedauthorized
## echoecho $key$key >> /sys/bus/thunderbolt/devices/0-1//sys/bus/thunderbolt/devices/0-1/keykey ## echoecho 22 >> /sys/bus/thunderbolt/devices/0-1//sys/bus/thunderbolt/devices/0-1/authorizedauthorized
11 Thunderbolt frmware updates fwupd & Linux Vendor Firmware Service (LVFS)
## getget currentcurrent versionversion nvm_versionnvm_version
## writewrite newnew firmwarefirmware toto nvm_non_active2/nvmemnvm_non_active2/nvmem
## startstart updatingupdating nvm_authenticatenvm_authenticate
* https://fwupd.org/
12 Thunderbolt & GNU/Linux boltd s u
boltd B System deaemon - D
● System daemon, activated on demand ● D-Bus API to manage devices, signal device “changes” ● Authorize, enroll (authorize and store) ● Polkit to secure the D-Bus API ● Device “database” of previously enrolled devices and their policy ● Paranoid (now fortify) mode
● Needs a policy agent to do the initial authorization, enrollment
13 boltd D-Bus API: manager interface
14 boltd D-Bus API: manager interface
15 boltctl cli interface
16 gnome-shell Acts as a policy agent
Listen to “device-added” D-Bus signal from boltd
user logged in & session unlocked
yes no
Notifcation: new user is admin Unauthorized device
yes no
Enroll device admin Polkit authorization
17 gnome-shell Acts as a policy agent
18 gnome-shell provide UI feedback about thunderbolt bus activity
19 gnome-control-center manage devices, provide feedback
20 gnome-control-center manage devices, provide feedback
21 THANK YOU
github.com/gicmo/bolt
christian.kellner.me