Support Thunderbolt 3 peripherals in a secure way out of the box.
Thunderbolt™ is the brand name of a hardware interface developed by Intel® that allows the connection of external peripherals to a computer.
Devices connected via Thunderbolt can be DMA masters and thus read system memory without interference of the operating system (or even the CPU). Version 3 of the interface provides 4 different security levels, in order to mitigate the aforementioned security risk that connected devices pose to the system. The security level is set by the system firmware.
The four security levels are:
- none: Security disabled, all devices will fully functional on connect.
- dponly: Only pass the display-port stream through to the connected device.
- user: Connected devices need to be manually authorized by the user.
- secure: As 'user', but also challenge the device with a secret key to verify its identity.
The Linux kernel, starting with version 4.13, provides an interface via sysfs that enables userspace query the security level, the status of connected devices and, most importantly, to authorize devices, if the security level demands it.
The active security level can normally be selected prior boot via a BIOS option, but it is interesting to note that in the future the none option is likely to go away. This of course means connected thunderbolt devices wont work at all unless they are authorized by the user from with the running operating system.
The solution to automatically enable thunderbolt 3 devices to work with Fedora without compromising the security of the computer consists of two user space compoments: a system daemon (boltd) and a component in GNOME shell. For new devices the shell will automatically enroll (= authorize and store in the database) new devices via the daemon if (and only if) the current user is a system administrator and the session is unlocked. On subsequent connections of the same device the daemon will then automatically authorize the device.
Benefit to Fedora
Thunderbolt 3 peripherals can be used in a convenient and secure way.
- Proposal owners: Stablize bolt and integrate the current GNOME Shell extension proof-of-concept into GNOME Shell upstream.
- Other developers: Nothing
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
GNOME shell should depend on bolt so it gets pulled in automatically as a dependency on upgrade.
How To Test
- A computer with Thunderbolt 3 controller and a Thunderbolt 3 device is required to test.
- Install bolt
- Plug in the device
- Check that the device is listed with boltctl list
- Enroll the device with boltctl enroll <uuid>
GNOME Shell will display a little icon indicating that thunderbolt 3 devices are being connected and also show notifications in the case of errors.
- Linux kernel version greater then 4.13 is required.
- GNOME shell needs to be modified to work with boltd
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
- Blocks product? Workstation