minimum. User needs to authorize each device.
dponly: Automatically tunnel Display port (and USB). No
PCIe tunnels are created.
+ usbonly: Automatically tunnel USB controller of the
+ connected Thunderbolt dock (and Display Port). All
+ PCIe links downstream of the dock are removed.
What: /sys/bus/thunderbolt/devices/.../authorized
Date: Sep 2017
Security levels and how to use them
-----------------------------------
Starting with Intel Falcon Ridge Thunderbolt controller there are 4
-security levels available. The reason for these is the fact that the
-connected devices can be DMA masters and thus read contents of the host
-memory without CPU and OS knowing about it. There are ways to prevent
-this by setting up an IOMMU but it is not always available for various
-reasons.
+security levels available. Intel Titan Ridge added one more security level
+(usbonly). The reason for these is the fact that the connected devices can
+be DMA masters and thus read contents of the host memory without CPU and OS
+knowing about it. There are ways to prevent this by setting up an IOMMU but
+it is not always available for various reasons.
The security levels are as follows:
USB. No PCIe tunneling is done. In BIOS settings this is
typically called *Display Port Only*.
+ usbonly
+ The firmware automatically creates tunnels for the USB controller and
+ Display Port in a dock. All PCIe links downstream of the dock are
+ removed.
+
The current security level can be read from
``/sys/bus/thunderbolt/devices/domainX/security`` where ``domainX`` is
the Thunderbolt domain the host controller manages. There is typically
[TB_SECURITY_USER] = "user",
[TB_SECURITY_SECURE] = "secure",
[TB_SECURITY_DPONLY] = "dponly",
+ [TB_SECURITY_USBONLY] = "usbonly",
};
static ssize_t boot_acl_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
struct tb *tb = container_of(dev, struct tb, dev);
+ const char *name = "unknown";
- return sprintf(buf, "%s\n", tb_security_names[tb->security_level]);
+ if (tb->security_level < ARRAY_SIZE(tb_security_names))
+ name = tb_security_names[tb->security_level];
+
+ return sprintf(buf, "%s\n", name);
}
static DEVICE_ATTR_RO(security);
* @TB_SECURITY_USER: User approval required at minimum
* @TB_SECURITY_SECURE: One time saved key required at minimum
* @TB_SECURITY_DPONLY: Only tunnel Display port (and USB)
+ * @TB_SECURITY_USBONLY: Only tunnel USB controller of the connected
+ * Thunderbolt dock (and Display Port). All PCIe
+ * links downstream of the dock are removed.
*/
enum tb_security_level {
TB_SECURITY_NONE,
TB_SECURITY_USER,
TB_SECURITY_SECURE,
TB_SECURITY_DPONLY,
+ TB_SECURITY_USBONLY,
};
/**
projects / linux.git / commitdiff