Thunderbolt 3 and GNU/Linux
FOSDEM 2018
Christian Kellner, PhD
Desktop Hardware Enablement
04/02/2018
What is this, anyway?
“The USB-C that does it all” (Intel**)
** https://thunderbolttechnology.net/
Thunderbolt 3 — Overview
• USB type C connector (one port to confuse them all)
• 40 Gb/s
• 4 PCI Express (Gen3) lanes
• 8 DisplayPort (1.2) lanes
• Native USB 3.1
• Daisy-chain up to 6 devices
• Up to 100 W for charging, 15 W for devices
• Networking, external graphics
• Docks, docks, docks
Thunderbolt 3 — Connection Modes
USB ONLY: Active when USB devices are plugged in. Behaves as a normal USB-C 3.1 port.
DISPLAYPORT ONLY: Switches the pins of the USB-C port into DP alternate mode. TB acts as a router for DP data from the GFX to the USB-C port.
DP & USB MULTI-FUNCTION: One high-speed pair is used for DP. The other high-speed pair is used for USB 3.1.
THUNDERBOLT 3: All 4 high-speed links active (at 10/20 Gbps). Max 4 PCIe Gen3 lanes, max 2 DisplayPort links.
POWER DELIVERY & CHARGING
THUNDERBOLT NETWORKING
Thunderbolt — Security???
Thunderbolt is PCIe → DMA → DMA attacks
https://github.com/ufrisk/pcileech
Thunderbolt 3 — Security Modes
NONE: No security. Doh. All devices are authorized by default.
DPONLY: DisplayPort only. You guessed right.
USER: Thunderbolt devices need to be authorized. Only then are their PCIe lanes activated.
SECURE: Thunderbolt devices need to be authorized. Their identity can be verified via a key.
Thunderbolt 3 — Security Modes
In the land of the dialogs… … now we are not doing that.
Thunderbolt and GNU/Linux
Thunderbolt & GNU/Linux: Overview
[Diagram] Linux 4.13 (sysfs/udev) → boltd (D-Bus system daemon) → gnome-shell, gnome-control-center, boltctl, other DE integration
Kernel Interface
Linux kernel 4.13+ provides a sysfs interface:

    /sys/bus/thunderbolt/
    └── devices
        ├── domain0 → 0-0/    security  subsystem@  uevent  […]
        ├── 0-0 → 0-1/        authorized  device  device_name  vendor_name  unique_id  […]
        ├── 0-1 → 0-301/      authorized  […]  key  […]  unique_id
        └── 0-301 → […]       nvm_active2/  nvm_non_active2/  nvm_version  nvm_authenticate

Authorize a device (user mode):
    # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized

Enroll a device with a key (secure mode, first connection):
    # key=$(openssl rand -hex 32)
    # echo $key > /sys/bus/thunderbolt/devices/0-1/key
    # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized

Authorize with key challenge (secure mode, later connections):
    # echo $key > /sys/bus/thunderbolt/devices/0-1/key
    # echo 2 > /sys/bus/thunderbolt/devices/0-1/authorized
Thunderbolt firmware updates
fwupd & Linux Vendor Firmware Service (LVFS)*
    # get current version
    nvm_version
    # write new firmware to
    nvm_non_active2/nvmem
    # start updating
    nvm_authenticate
* https://fwupd.org/
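An added example, not code from the talk or from the bolt project, that wraps the sysfs operations of the kernel-interface slide and the firmware-update slide into POSIX shell functions. The variable TB_SYSFS, the function names, the fake-tree builder and the firmware image are assumptions of this example; the value 1 written to nvm_authenticate comes from the kernel's sysfs documentation rather than from the slide, which only names the attribute.

```shell
#!/bin/sh
# Added example (not from the talk or the bolt project): a small shell library
# for the Linux 4.13+ Thunderbolt sysfs interface. TB_SYSFS defaults to the
# real bus but can be pointed at a constructed fake tree, which is what the
# demo at the bottom does so the script runs without Thunderbolt hardware.
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"

# Security level of a domain: none, dponly, user or secure.
tb_security_level() {
    cat "$TB_SYSFS/$1/security"
}

# User mode: writing 1 to "authorized" is what activates the device's PCIe lanes.
tb_authorize() {
    echo 1 > "$TB_SYSFS/$1/authorized"
}

# Secure mode, first connection: generate a 32-byte key, hand it to the device
# and authorize with 1 so the key is stored on the device. The key is printed
# so the caller can persist it (boltd keeps it in its device database).
tb_enroll_secure() {
    key=$(openssl rand -hex 32 2>/dev/null \
          || head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    echo "$key" > "$TB_SYSFS/$1/key"
    echo 1 > "$TB_SYSFS/$1/authorized"
    echo "$key"
}

# Secure mode, later connections: present the stored key and authorize with 2,
# which makes the controller challenge the device to prove it holds that key.
tb_authorize_secure() {
    echo "$2" > "$TB_SYSFS/$1/key"
    echo 2 > "$TB_SYSFS/$1/authorized"
}

# Choose the action for a newly connected device from the domain's security
# level. $2 is the previously stored key, if any. Prints the key on enrollment.
tb_connect() {
    dev=$1; stored_key=${2:-}
    case "$(tb_security_level domain0)" in
        none)   ;;                      # already authorized by the controller
        dponly) ;;                      # no PCIe tunnels exist in this mode
        user)   tb_authorize "$dev" ;;
        secure) if [ -n "$stored_key" ]; then
                    tb_authorize_secure "$dev" "$stored_key"
                else
                    tb_enroll_secure "$dev"
                fi ;;
        *)      echo "unknown security level" >&2; return 1 ;;
    esac
}

# Firmware update over the same tree: copy the image into the non-active NVM
# slot (the numeric suffix varies per device, hence the glob), then write 1 to
# nvm_authenticate to start the update. Writing 1 is documented in the kernel's
# sysfs ABI; reading nvm_authenticate back afterwards yields 0 on success.
tb_firmware_update() {
    dev=$1; image=$2
    slot=$(ls -d "$TB_SYSFS/$dev"/nvm_non_active* | head -n 1)
    cat "$image" > "$slot/nvmem"
    echo 1 > "$TB_SYSFS/$dev/nvm_authenticate"
}

# Constructed fake sysfs tree (an assumption of this example) so the demo and
# tests run offline. $1 is the security level to report for domain0.
tb_make_fake_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/domain0" "$root/0-1" "$root/0-301/nvm_non_active2"
    echo "$1" > "$root/domain0/security"
    echo 0 > "$root/0-1/authorized"
    : > "$root/0-1/key"
    echo 0 > "$root/0-301/authorized"
    : > "$root/0-301/nvm_non_active2/nvmem"
    echo 0 > "$root/0-301/nvm_authenticate"
    echo "$root"
}

# Demo against the fake tree: enroll once, then re-authorize with the stored key.
TB_SYSFS=$(tb_make_fake_tree secure)
key=$(tb_connect 0-1)
echo "enrolled 0-1: authorized=$(cat "$TB_SYSFS/0-1/authorized") key=$key"
tb_connect 0-1 "$key"
echo "re-authorized 0-1: authorized=$(cat "$TB_SYSFS/0-1/authorized")"
```

On a real system the functions run as root with TB_SYSFS left at its default; the demo at the bottom only ever touches the temporary fake tree. The dispatch in tb_connect mirrors the security-modes slide: in none and dponly there is nothing to authorize, user needs only the write of 1, and secure needs the key either stored (first connection) or challenged (later connections).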
Thunderbolt & GNU/Linux: boltd
● System daemon, activated on demand
● D-Bus API to manage devices, signal device “changes”
● Authorize, enroll (authorize and store)
● Polkit to secure the D-Bus API
● Device “database” of previously enrolled devices and their policy
● Paranoid (now fortify) mode
● Needs a policy agent to do the initial authorization, enrollment
boltd D-Bus API: manager interface
boltctl: CLI interface
gnome-shell: Acts as a policy agent
[Flowchart] Listen to the “device-added” D-Bus signal from boltd → user logged in & session unlocked? → user is admin? → yes: Enroll device (Polkit authorization, admin); no: Notification: new unauthorized device
gnome-shell: provide UI feedback about Thunderbolt bus activity
gnome-control-center: manage devices, provide feedback
THANK YOU
github.com/gicmo/bolt
christian.kellner.me