Thunderbolt
Thunderbolt 3 works out of the box with recent Linux kernel versions [1]. The Linux kernel, starting with version 4.13, supports Thunderbolt Security as well.
Obtain firmware updates
Manufacturers often release firmware updates for Thunderbolt ports and devices to function properly, visit https://thunderbolttechnology.net/updates for more details how to obtain upgrades for certain vendors.
User device authorization
Modern Thunderbolt devices implement security modes that require user authorization when connecting devices - this is to protect from malicious devices performing DMA attacks or otherwise interfering with the hardware (see Thunderstrike 2).
The modes currently supported on Linux are:
-
none
- No security, all devices are connected and initialized by default. In BIOS settings this is typically called Legacy mode. -
user
- User authorization is required every time a device is connected. In BIOS settings this is typically called Unique ID. -
secure
- User authorization is required, but the device is then remembered and does not require re-authorization. In BIOS settings this is typically called One time saved key. -
dponly
- DisplayPort functionality only, no other devices are allowed. In BIOS settings this is typically called Display Port Only.
The security level is normally configured at firmware level; it is recommended to set it to at least secure
. The state of this setting can be queried with:
$ cat /sys/bus/thunderbolt/devices/domain0/security
Graphical front-ends
- GNOME has native support for authorizing devices from the UI since version 3.30
- Plasma integration is available from this git repository and from plasma-thunderbolt package
Automatically connect any device
Users who just want to connect any device without any sort of manual work can create a udev rule as in 99-removable.rules
:
/etc/udev/rules.d/99-removable.rules
ACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"
Forcing power
Many OEMs include a method that can be used to force the power of a Thunderbolt controller to an On state. If supported by the machine this will be exposed by the WMI bus with a sysfs attribute called force_power [2].
Forcing power may especially be useful when a connected device loses connection or the controller that switches itself off.
To force the power to be on/off, write 1 or 0 to this attribute, e.g. to force power:
# echo 1 > /sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341/force_power
force_power
state.Troubleshooting
PCI buses are not registered
Sometimes when connecting a Thunderbolt device PCI buses might not be registered. This is apparent by having screens working while USB devices fail to register on your computer. This can be solved by issuing a PCI rescan:
# echo 1 > /sys/bus/pci/rescan
Increasing hot-plug bus size and memory
Some motherboards' firmware does not report enough bus and memory sizes to the kernel, causing drivers loading to fail. Add the following to kernel command line to manually set the size.
pci=hpbussize=0x33,hpmemsize=256M