Thunderbolt
Thunderbolt 3 works out of the box with recent Linux kernel versions [1]. The Linux kernel, starting with version 4.13, supports Thunderbolt Security, too.
Obtain firmware updates
Manufacturers often release firmware updates that Thunderbolt ports and devices need in order to function properly. Visit https://thunderbolttechnology.net/updates for details on how to obtain updates from specific vendors.
User device authorization
Modern Thunderbolt devices implement security modes that require user authorization when connecting devices - this is to protect from malicious devices performing DMA attacks or otherwise interfering with the hardware (see Thunderstrike 2).
The modes currently supported on Linux are:
- none: No security, all devices are connected and initialized by default. In BIOS settings this is typically called Legacy mode.
- user: User authorization is required every time a device is connected. In BIOS settings this is typically called Unique ID.
- secure: User authorization is required, but the device is then remembered and does not require re-authorization. In BIOS settings this is typically called One time saved key.
- dponly: DisplayPort functionality only, no other devices are allowed. In BIOS settings this is typically called Display Port Only.
The security level is normally configured at firmware level; it is recommended to set it to at least secure.
Graphical front-ends
- GNOME has native support for authorizing devices from the UI since version 3.30
- Plasma integration is available from this git repository and from the plasma-thunderbolt package
Automatically connect any device
Users who just want to connect any device without any sort of manual work can create a udev rule as in 99-removable.rules:
/etc/udev/rules.d/99-removable.rules
ACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"
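The rule above authorizes every Thunderbolt device as soon as it is attached, without asking the user. As an added example (not part of the original page), the following read-only POSIX shell script reports each domain's security level, each device's authorization state, and any udev rule that sets authorized without matching a unique_id. The function names are made up for this example; security, authorized, device_name and unique_id are the sysfs attributes exposed by the kernel's Thunderbolt driver.

```shell
#!/bin/sh
# Added example: read-only audit of Thunderbolt authorization state.
# The sysfs root and udev rules directory are parameters (hypothetical
# function names) so the checks can be pointed at a constructed test tree.

# Print each domain's security level and flag "none".
tb_domains() {
    sys=${1:-/sys}
    for d in "$sys"/bus/thunderbolt/devices/domain*; do
        [ -r "$d/security" ] || continue
        level=$(cat "$d/security")
        note=""
        [ "$level" = none ] && note=" WARN: no authorization enforced"
        echo "${d##*/} security=$level$note"
    done
}

# Print every device with its authorization state and unique_id.
tb_devices() {
    sys=${1:-/sys}
    for dev in "$sys"/bus/thunderbolt/devices/*; do
        [ -r "$dev/authorized" ] || continue   # skips domainN entries
        name=$(cat "$dev/device_name" 2>/dev/null || echo unknown)
        uid=$(cat "$dev/unique_id" 2>/dev/null || echo unknown)
        echo "${dev##*/} authorized=$(cat "$dev/authorized") unique_id=$uid name=\"$name\""
    done
}

# List active udev rules that assign authorized=1 to Thunderbolt devices
# without pinning the match to a specific unique_id.
tb_blanket_rules() {
    rules=${1:-/etc/udev/rules.d}
    [ -d "$rules" ] || return 0
    grep -H 'SUBSYSTEM=="thunderbolt"' "$rules"/*.rules 2>/dev/null \
        | grep -v ':[[:space:]]*#' \
        | grep -F 'ATTR{authorized}="1"' \
        | grep -v -F 'ATTR{unique_id}==' || true
}

tb_audit() {
    tb_domains "$1"
    tb_devices "$1"
    hits=$(tb_blanket_rules "$2")
    [ -z "$hits" ] || printf 'WARN: blanket auto-authorize rule:\n%s\n' "$hits"
}

tb_audit "$@"
```

A rule that also matches ATTR{unique_id}=="..." for a known device is not reported, since it authorizes only that device.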
Forcing power
Many OEMs include a method that can be used to force the power of a Thunderbolt controller to an On state. If supported by the machine this will be exposed by the WMI bus with a sysfs attribute called force_power [2].
Forcing power may be especially useful when a connected device loses its connection or the controller switches itself off.
To force the power to be on/off, write 1 or 0 to this attribute, e.g. to force power:
# echo 1 > /sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341/force_power
force_power state.
Troubleshooting
PCI buses are not registered
Sometimes when connecting a Thunderbolt device, PCI buses might not be registered. This shows up as screens working while USB devices fail to register on your computer. This can be solved by issuing a PCI rescan:
# echo 1 > /sys/bus/pci/rescan
USB controller failed to register
On some devices such as the Lenovo Yoga c940, the Thunderbolt controller's PCIe address space is marked as "reserved" by the BIOS (handled by the e820 kernel subsystem). By default, Linux ignores these addresses, which leaves some devices (e.g. Thunderbolt docks) unable to operate correctly and may even cause a crash when the PCIe controller hangs, which in turn disconnects the NVMe SSD. A kernel patch (accompanied by a Bugzilla issue) to handle this properly is currently under review, but it will likely not be part of the mainline source tree until at least 5.19. Installing the AUR package linux-zen-e820-patched, which integrates this patch, solves the bug.