Thunderbolt 3 and Linux

Thunderbolt 3 and GNU/Linux
FOSDEM 2018
Christian Kellner, PhD
Desktop Hardware Enablement
04/02/2018

What is this, anyway?

"The USB-C that does it all" (Intel*)
* https://thunderbolttechnology.net/

Thunderbolt 3 — Overview

● USB Type-C connector (one port to confuse them all)
● 40 Gb/s
● 4 PCI Express (Gen 3) lanes
● 8 DisplayPort (1.2) lanes
● Native USB 3.1
● Daisy-chain up to 6 devices
● Up to 100 W for charging, 15 W for devices
● Networking, external graphics
● Docks, docks, docks

Thunderbolt 3 — Connection Modes

● USB ONLY: Active when USB devices are plugged in. TB will behave as a normal USB-C 3.1 port.
● DISPLAYPORT ONLY: Switch pins of USB-C into DP alternate mode; act as a router for DP data from GFX to USB-C port.
● DP & USB MULTI-FUNCTION: One high-speed pair is used for DP. The other high-speed pair is used for USB 3.1.
● THUNDERBOLT 3: All 4 high-speed links active (at 10/20 Gbps). Max 4 PCIe Gen 3 lanes, max 2 DisplayPort links.
● POWER DELIVERY & CHARGING
● THUNDERBOLT NETWORKING

Thunderbolt — Security ???

Thunderbolt is PCIe, PCIe means DMA, and DMA means DMA attacks.
https://github.com/ufrisk/pcileech

Thunderbolt 3 — Security Modes

● NONE: No security. Doh. All devices are authorized by default.
● DP ONLY: DisplayPort only. You guessed right.
● USER: Thunderbolt devices need to be authorized. Only then are PCIe lanes activated.
● SECURE: Thunderbolt devices need to be authorized. Their identity can be verified via a key.

In the land of the dialogs ... no, we are not doing that.

Thunderbolt and GNU/Linux

Thunderbolt & GNU/Linux Overview

Diagram components: Linux 4.13 (sysfs/udev); boltd (system daemon); D-Bus; boltctl; gnome-shell; gnome-control-center; other DE integration.

Kernel Interface

Linux kernel 4.13+ provides a sysfs interface:

    /sys/bus/thunderbolt/
    └── devices
        ├── domain0 → 0-0/ security subsystem@ uevent […]
        ├── 0-0     → 0-1/ authorized device device_name vendor_name unique_id […]
        ├── 0-1     → 0-301/ authorized […] key […] unique_id
        └── 0-301   → […] nvm_active2/ nvm_non_active2/ nvm_version nvm_authenticate

    # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized

    # key=$(openssl rand -hex 32)
    # echo $key > /sys/bus/thunderbolt/devices/0-1/key
    # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized

    # echo $key > /sys/bus/thunderbolt/devices/0-1/key
    # echo 2 > /sys/bus/thunderbolt/devices/0-1/authorized

Thunderbolt firmware updates

fwupd & Linux Vendor Firmware Service (LVFS)

    # get current version
    nvm_version
    # write new firmware to
    nvm_non_active2/nvmem
    # start updating
    nvm_authenticate

* https://fwupd.org/

Thunderbolt & GNU/Linux: boltd

● System daemon, activated on demand
● D-Bus API to manage devices, signal device "changes"
● Authorize, enroll (authorize and store)
● Polkit to secure the D-Bus API
● Device "database" of previously enrolled devices and their policy
● Paranoid (now fortify) mode
● Needs a policy agent to do the initial authorization, enrollment

boltd D-Bus API: manager interface

boltctl: CLI interface

gnome-shell

● Acts as a policy agent
● Provide UI feedback about thunderbolt bus activity

Flow chart nodes (layout lost in extraction): Listen to "device-added" D-Bus signal from boltd; user logged in & session unlocked (yes / no); user is admin (yes / no); Notification: new unauthorized device; Enroll device; admin Polkit authorization.

gnome-control-center

● Manage devices, provide feedback

THANK YOU
github.com/gicmo/bolt
christian.kellner.me
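A read-only audit of the sysfs tree from the Kernel Interface slide, added here as an example; it is not code from the talk or from bolt. It reports each domain's security level and flags peripherals that are authorized in secure mode without a key challenge (`authorized` not equal to 2). The value strings `none` and `secure` and the `<domain>-0` host router name are assumptions taken from the kernel's Thunderbolt documentation, not from the slides.

```shell
#!/bin/sh
# Added example: read-only audit of the Thunderbolt sysfs tree.
# Attribute names come from the slides; the value strings (none, dponly, user,
# secure) and the "<domain>-0" host router name are assumed from kernel docs.

# tb_audit [ROOT]: one line per domain and device, findings start with "!".
# Returns 0 when there are no findings, 1 otherwise.
tb_audit() {
    root=${1:-/sys/bus/thunderbolt/devices}
    findings=0
    for d in "$root"/domain*; do
        [ -r "$d/security" ] || continue
        level=$(cat "$d/security")
        if [ "$level" = none ]; then
            echo "! ${d##*/}: security=none, devices get PCIe without approval"
            findings=$((findings + 1))
        else
            echo "  ${d##*/}: security=$level"
        fi
    done
    for d in "$root"/*-*; do
        [ -r "$d/authorized" ] || continue
        name=${d##*/}
        case $name in *-0) continue ;; esac   # host router, not a peripheral
        auth=$(cat "$d/authorized")
        level=$(cat "$root/domain${name%%-*}/security" 2>/dev/null)
        label="$(cat "$d/vendor_name" 2>/dev/null) $(cat "$d/device_name" 2>/dev/null)"
        if [ "$auth" = 0 ]; then
            echo "  $name ($label): not authorized, no PCIe tunnel"
        elif [ "$level" = secure ] && [ "$auth" != 2 ]; then
            echo "! $name ($label): authorized=$auth in secure mode without key challenge"
            findings=$((findings + 1))
        else
            echo "  $name ($label): authorized=$auth"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run against the live tree when this machine has a Thunderbolt bus.
if [ -d /sys/bus/thunderbolt/devices ]; then tb_audit || true; fi
```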
