Lightning Protection

The Thunderbolt interface is an interface used for connecting peripheral devices to many modern computers. Thunderbolt connections (with the familiar lightning arrow symbol – see Figure 1) support fast transfer of audio, video, and other data over a single cable and can also charge devices connected through the same interface.

Figure 1: Thunderbolt ports marked with the lightning logo.CC By-SA 4.0 Wikipedia

The Thunderbolt specification was developed by Intel in collaboration with Apple. Many users might think of Thunderbolt in the context of Apple hardware. Apple actually started shipping MacBook Pro models with the interface back in 2011 (see the box entitled "Thunderbolt Through the Years"). Thunderbolt has become a common feature on MacBook computers, as well as many other Intel-based systems.

Through the years, however, the power and speed of Thunderbolt has led to some security issues. Like other technologies that communicate with a system via PCI Express (PCIe), Firewire, or similar protocols, Thunderbolt supports direct access to system memory. Directly accessing memory enables fast data transfer rates, but it also poses a security risk, because many different components access memory at the same time, which creates the potential for a DMA attack. (A DMA attack involves unauthorized access to the system memory in order to read arbitrary data.)

Security concerns have led to a new approach with recent Thunderbolt versions. Some of the basic security features available in Thunderbolt 3 have been enhanced for version 4. Thunderbolt now uses the Intel Virtualization Technology for Directed I/O (VT-d) to provide protection against DMA attacks.

The Linux kernel supports Thunderbolt out of the box, but to use Thunderbolt 3's security features, you need to have kernel version 4.13 or later. If you want to use I/O virtualization in combination with Thunderbolt 4, you'll need at least kernel 4.21. This article offers some tips on how to secure your Thunderbolt ports in Linux.

Security in Thunderbolt 4

Current Intel processors have an Input/Output Memory Management Unit (IOMMU) that supports I/O data virtualization. Each device connected via Thunderbolt 4 can therefore be assigned a private memory area, effectively preventing one device from accessing the data or memory area of any other. This feature is also known as direct memory access remapping (DMA-r). Further information on this can be found in an Intel white paper [1] on the subject of DMA protection with IOMMU.

To use I/O virtualization, you also need to enable the IOMMU option in the system BIOS. You can then use the Linux dmesg utility in a terminal to check whether the option is actually active (Listing 1).

0.000000] DMAR: IOMMU enabled
0.301602] DMAR: Host address width 39
0.301603] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
0.301612] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap 1c0000c40660462 ecap 19e2ff0505e
0.301616] DMAR: DRHD base: 0x000000fed91000 flags: 0x1
0.301621] DMAR: dmar1: reg_base_addr fed91000 ver 1:0 cap d2008c40660462 ecap f050da
0.301624] DMAR: RMRR base: 0x000000a869a000 end: 0x000000a86b9fff
0.301626] DMAR: RMRR base: 0x000000ab000000 end: 0x000000af7fffff
0.301627] DMAR: RMRR base: 0x000000a86cb000 end: 0x000000a874afff

Use the sysfs filesystem to configure the Linux kernel's Thunderbolt subsystem. A description of the individual configuration options is included in the Linux kernel documentation [2]. For example, to find out whether your Thunderbolt devices each use their own virtualized memory area, you just need to read the file called:

/sys/bus/thunderbolt/devices/domain0/iommu_dma_protection

If the file contains a value of 1, DMA protection based on VT-d is active. If the value is  , the IOMMU option in the BIOS might not be active, you might have an old kernel installed, or you are not using Thunderbolt 4 hardware. If you are not using Thunderbolt hardware, you can still fall back on the security features available with version 3.

Five Possible Security Levels

The Thunderbolt specification supports five different security levels: none, dponly, user, secure, and usbonly. You can set the desired level for the Thunderbolt interface in your system's BIOS. To find out which level is currently active, ask the Linux sysfs filesystem by typing:

cat /sys/bus/thunderbolt/devices/domain0/security

If you want to use the user or secure security level, you first need to authorize a device to establish a channel between the device and your system. The secure level also creates a shared key that the device must use to authenticate itself against the system each time. This key is stored on the device itself and also in the sysfs filesystem.

You can authorize a device and store a key manually on the sysfs filesystem or use the bolt [3] tool instead. The bolt tool consists of a service (boltd) that interacts with the sysfs filesystem and makes the Thunderbolt devices registered there available to other applications via the D-Bus message bus. Use boltctl to manage your Thunderbolt devices. Calling boltctl only shows you the registered devices. You can then authorize a device using the following command:

boltctl authorize <UUID>

If the security level is set to secure, a key for the device is also generated and distributed. The software is available in most Linux distributions, but you can also download it from the GitHub repository [3].

Conclusions

Thunderbolt is great for quickly transferring large volumes of data: The downside is that the interface allows direct access to a system's memory. If you support Thunderbolt devices, additional security measures are very much recommended if you want to stop unauthorized devices from accessing your system and reading sensitive data. Starting in Thunderbolt 3, you can use security levels to ensure that a device needs to be manually authorized first before it can talk to your system. The current Thunderbolt 4 assigns a private memory area to each device, which stops the device from accessing the entire system memory through I/O virtualization.