Locking down the Thunderbolt interface
Lightning Protection

The Thunderbolt interface supports extremely fast data transfer rates, but be careful about what you plug into your port, because Thunderbolt devices access memory directly. We'll show you some Linux tools for locking down your Thunderbolt interface.
The Thunderbolt interface is an interface used for connecting peripheral devices to many modern computers. Thunderbolt connections (with the familiar lightning arrow symbol – see Figure 1) support fast transfer of audio, video, and other data over a single cable and can also charge devices connected through the same interface.
The Thunderbolt specification was developed by Intel in collaboration with Apple. Many users might think of Thunderbolt in the context of Apple hardware. Apple actually started shipping MacBook Pro models with the interface back in 2011 (see the box entitled "Thunderbolt Through the Years"). Thunderbolt has become a common feature on MacBook computers, as well as many other Intel-based systems.
Thunderbolt Through the Years
The first version of Thunderbolt had a maximum transfer rate of 10Gbps, with two bidirectional channels for data transfer. Two years later, version 2 arrived with a maximum speed of 20Gbps.
In 2015, version 3 replaced the Mini DisplayPort connector used in previous versions with a reversible USB-C connector. Version 3 also moved to four PCIe 3.0 lanes for data transfer, raising the transfer rate to 40Gbps, and it can supply up to 100 watts of power to connected devices.
Today's devices use version 4 of the Thunderbolt technology. Version 4 does not raise the 40Gbps limit, but it is built on the USB4 specification and tightens the minimum requirements for hosts and peripherals. Docks and hubs with several downstream Thunderbolt ports are now part of the standard, so a single cable can carry one 8K display (or two 4K displays), several external drives, and the power supply for the computer. Just as important for this article, version 4 makes the DMA protection described below mandatory rather than optional.
Through the years, however, the power and speed of Thunderbolt have led to some security issues. Thunderbolt tunnels PCI Express (PCIe) to the attached device, and like FireWire and other PCIe-based technologies before it, that gives the device direct memory access (DMA): it can read and write system memory without the CPU being involved. DMA is what makes the high transfer rates possible, but without an IOMMU in the path, nothing restricts a device to the buffers its driver handed it. A malicious or compromised peripheral can then read or overwrite arbitrary physical memory, including encryption keys, passwords, and kernel code. This is a DMA attack.
Security concerns have led to a new approach with recent Thunderbolt versions. Thunderbolt 3 introduced the security levels described later in this article, which let the user decide whether a device gets a PCIe tunnel at all. Thunderbolt 4 goes further and requires the host to use the Intel Virtualization Technology for Directed I/O (VT-d) IOMMU to confine each device's DMA, which is the only one of the two mechanisms that protects against a device that is authorized but malicious.
The Linux kernel supports Thunderbolt out of the box. Support for the Thunderbolt 3 security levels arrived in kernel 4.13, and the sysfs attribute that reports IOMMU-based DMA protection (used below) followed in kernel 4.17, so any current distribution kernel offers both. This article offers some tips on how to secure your Thunderbolt ports in Linux.
Security in Thunderbolt 4
Current Intel processors have an Input/Output Memory Management Unit (IOMMU) that supports I/O virtualization. The kernel programs the IOMMU with a separate address space for each device, so a device connected via Thunderbolt 4 can only reach the memory its driver has explicitly mapped for it and cannot read the data of other devices or the rest of system memory. Intel calls this feature DMA remapping (DMAR), which is why the kernel messages in Listing 1 carry that prefix. Further information can be found in an Intel white paper [1] on DMA protection with the IOMMU.
To use I/O virtualization, you also need to enable the IOMMU option in the system BIOS/UEFI setup; depending on the vendor it is labeled VT-d, IOMMU, or Kernel DMA Protection. You can then use the Linux dmesg utility in a terminal to check whether the option is actually active by looking for the DMAR lines shown in Listing 1. The first line confirms that the kernel is driving the IOMMU; the DRHD lines list the remapping hardware units the firmware reported, and the RMRR lines are reserved memory ranges that the firmware requires to stay accessible to certain devices. If the IOMMU enabled line is missing even though the firmware option is on, the kernel may have been built with the Intel IOMMU off by default; adding intel_iommu=on to the kernel command line fixes that. Note that these messages only show that the IOMMU is running, not that the firmware has opted Thunderbolt ports into DMA protection; for that you need the sysfs check that follows.
Listing 1
IOMMU Option in the BIOS
[    0.000000] DMAR: IOMMU enabled
[    0.301602] DMAR: Host address width 39
[    0.301603] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
[    0.301612] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap 1c0000c40660462 ecap 19e2ff0505e
[    0.301616] DMAR: DRHD base: 0x000000fed91000 flags: 0x1
[    0.301621] DMAR: dmar1: reg_base_addr fed91000 ver 1:0 cap d2008c40660462 ecap f050da
[    0.301624] DMAR: RMRR base: 0x000000a869a000 end: 0x000000a86b9fff
[    0.301626] DMAR: RMRR base: 0x000000ab000000 end: 0x000000af7fffff
[    0.301627] DMAR: RMRR base: 0x000000a86cb000 end: 0x000000a874afff
Use the sysfs filesystem to configure the Linux kernel's Thunderbolt subsystem. A description of the individual configuration options is included in the Linux kernel documentation [2]. For example, to find out whether the kernel confines each Thunderbolt device to its own IOMMU address space, you just need to read the file called:
/sys/bus/thunderbolt/devices/domain0/iommu_dma_protection
If the file contains a value of 1, DMA protection based on VT-d is active for that Thunderbolt domain. If the value is 0, the IOMMU option in the BIOS might not be active, you might have an old kernel installed, or your hardware and firmware do not support Kernel DMA Protection (mandatory with Thunderbolt 4, but also present on some late Thunderbolt 3 systems). If the file does not exist at all, the kernel is too old to report it. If your hardware offers no DMA protection, you can still fall back on the security levels available since version 3, bearing in mind that they only decide which devices get a PCIe tunnel and do not limit what an authorized device can do with it.
Five Possible Security Levels
The Thunderbolt specification supports five different security levels: none, dponly, user, secure, and usbonly. With none, the firmware connects every device automatically without asking. With dponly, only DisplayPort (and USB) tunnels are created and PCIe tunneling is disabled, which rules out DMA from external devices at the cost of external PCIe devices not working at all. With user, every device must be explicitly authorized before it gets a PCIe tunnel. With secure, the device must additionally prove that it holds a key that was stored on it when it was first authorized. With usbonly, the firmware only tunnels USB and DisplayPort to a dock, and PCIe links downstream of the dock are removed. You set the desired level for the Thunderbolt interface in your system's BIOS; the kernel only reports it. To find out which level is currently active, ask the Linux sysfs filesystem by typing:
cat /sys/bus/thunderbolt/devices/domain0/security
If you want to use the user or secure security level, you first need to authorize a device before the kernel establishes a PCIe tunnel between the device and your system; until then the device is visible under /sys/bus/thunderbolt/devices but none of its PCIe functions appear. The secure level also creates a shared key that the device must use to authenticate itself against the system each time it is connected. This key is stored on the device itself and must also be kept by the host, which hands it to the kernel through the sysfs filesystem. The difference matters: at the user level the host trusts the identity the device reports, whereas at the secure level the device must answer a challenge with the stored key, so a device that merely claims a known identity is rejected.
You can authorize a device and store a key manually through the sysfs filesystem (write the key to the device's key attribute, then write 1 to its authorized attribute on first connection and 2 on later connections to trigger the challenge) or use the bolt [3] tool instead. The bolt tool consists of a service (boltd) that interacts with the sysfs filesystem and makes the Thunderbolt devices registered there available to other applications via the D-Bus message bus; the desktop prompts you see on Gnome and KDE when you plug in a Thunderbolt dock come from this service. Use boltctl to manage your Thunderbolt devices. Calling boltctl without arguments only lists the registered devices. You can then authorize a device for the current session using the following command:
boltctl authorize <UUID>
If the security level is set to secure, a key for the device is also generated, stored in boltd's database, and written to the device. To have boltd authorize the device automatically on future connections, use boltctl enroll <UUID> instead, and boltctl forget <UUID> to revoke that trust again. The software is available in most Linux distributions, but you can also download it from the GitHub repository [3].
Conclusions
Thunderbolt is great for quickly transferring large volumes of data. The downside is that the interface gives external devices direct access to system memory. If you support Thunderbolt devices, additional security measures are very much recommended if you want to stop unauthorized devices from accessing your system and reading sensitive data. Starting with Thunderbolt 3, you can use the security levels to ensure that a device must be authorized before it can talk to your system; the secure level is the only one that verifies the device with a key rather than trusting the identity it reports. On Thunderbolt 4 systems (and Thunderbolt 3 systems with Kernel DMA Protection), the IOMMU additionally confines each device's DMA to the memory the kernel has mapped for it, so even an authorized but malicious device can no longer read arbitrary system memory. Check both settings, the security level and iommu_dma_protection, because the first without the second still leaves any device you approve with unrestricted DMA.
Infos
- A Tour Beyond BIOS: Using IOMMU for DMA Protection in UEFI Firmware: https://www.intel.com/content/dam/develop/external/us/en/documents/intel-whitepaper-using-iommu-for-dma-protection-in-uefi.pdf
- Linux kernel Thunderbolt documentation: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-thunderbolt
- bolt: https://github.com/gicmo/bolt/