Locking down the Thunderbolt interface
Lightning Protection
The Thunderbolt interface supports extremely fast data transfer rates, but be careful about what you plug into your port, because Thunderbolt devices access memory directly. We'll show you some Linux tools for locking down your Thunderbolt interface.
Thunderbolt is a hardware interface for connecting peripheral devices to many modern computers. Thunderbolt connections (marked with the familiar lightning arrow symbol – see Figure 1) carry audio, video, and other data at high speed over a single cable and can also charge the devices connected through the same port.
The Thunderbolt specification was developed by Intel in collaboration with Apple. Many users might think of Thunderbolt in the context of Apple hardware. Apple actually started shipping MacBook Pro models with the interface back in 2011 (see the box entitled "Thunderbolt Through the Years"). Thunderbolt has become a common feature on MacBook computers, as well as many other Intel-based systems.
Thunderbolt Through the Years
The first version of Thunderbolt had a maximum transfer rate of 10Gbps, with two bidirectional channels for data transfer. Two years later, version 2 arrived with a maximum speed of 20Gbps.
In 2015, version 3 replaced the Mini DisplayPort connector of the previous versions with the reversible USB-C connector. Version 3 also tunnels four PCIe lanes over the link, bringing the combined transfer rate to 40Gbps, and it can supply up to 100 watts of power to connected devices.
Today's devices use version 4 of the Thunderbolt technology. Version 4 does not raise the transfer rate, but it does add some other interesting features: it is built on the USB4 specification, it makes VT-d based DMA protection mandatory (see below), and it supports hubs and docks with several downstream Thunderbolt ports, which lets you connect an 8K display (or two 4K displays), several external hard disk drives, and a power supply to your computer with only one cable.
Through the years, however, the power and speed of Thunderbolt have led to some security issues. Thunderbolt tunnels PCI Express (PCIe) over the cable, and like a PCIe or FireWire device, a Thunderbolt device can read and write system memory directly (direct memory access, DMA) without the CPU being involved. This is what makes the high transfer rates possible, but it also means that a malicious or compromised device can read or overwrite arbitrary physical memory – encryption keys, passwords, or kernel code – unless the system restricts which memory the device is allowed to reach. Unauthorized access to system memory by a device in this way is known as a DMA attack.
Security concerns have led to a new approach with recent Thunderbolt versions. The security levels introduced with Thunderbolt 3 remain available, and Thunderbolt 4 additionally requires the Intel Virtualization Technology for Directed I/O (VT-d) to provide protection against DMA attacks.
The Linux kernel supports Thunderbolt out of the box, but to use Thunderbolt 3's security levels, you need kernel version 4.13 or later. The sysfs attribute that tells you whether the kernel is using the IOMMU to protect Thunderbolt devices (see below) first appeared in kernel 5.0; the kernel documentation lists it under version 4.21, a number that was never released, because the release after 4.20 became 5.0. This article offers some tips on how to secure your Thunderbolt ports in Linux.
Security in Thunderbolt 4
Intel processors with VT-d have an Input/Output Memory Management Unit (IOMMU) that translates and restricts the addresses devices use for DMA, much as the MMU does for processes. The kernel gives each device connected via Thunderbolt its own I/O address space that contains only the buffers its driver has mapped for it, so a device can neither read the rest of system memory nor the buffers of another device. Intel calls this DMA remapping (DMAR), and the kernel's boot messages use the same name. Further information can be found in an Intel white paper [1] on DMA protection with the IOMMU.
To use I/O virtualization, you first need to enable the IOMMU option (often listed as VT-d) in the system BIOS. The kernel also has to enable it, which requires the boot parameter intel_iommu=on unless your distribution's kernel already turns the IOMMU on by default. You can then use the Linux dmesg utility in a terminal (root privileges may be needed) to check whether the IOMMU is actually active (Listing 1): DMAR: IOMMU enabled confirms that the kernel parameter took effect, and the DRHD entries are the remapping units the BIOS reported in the ACPI DMAR table.
Listing 1
IOMMU Option in the BIOS
[    0.000000] DMAR: IOMMU enabled
[    0.301602] DMAR: Host address width 39
[    0.301603] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
[    0.301612] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap 1c0000c40660462 ecap 19e2ff0505e
[    0.301616] DMAR: DRHD base: 0x000000fed91000 flags: 0x1
[    0.301621] DMAR: dmar1: reg_base_addr fed91000 ver 1:0 cap d2008c40660462 ecap f050da
[    0.301624] DMAR: RMRR base: 0x000000a869a000 end: 0x000000a86b9fff
[    0.301626] DMAR: RMRR base: 0x000000ab000000 end: 0x000000af7fffff
[    0.301627] DMAR: RMRR base: 0x000000a86cb000 end: 0x000000a874afff
The Linux kernel's Thunderbolt subsystem is configured through the sysfs filesystem; the individual attributes are described in the kernel documentation [2]. For example, to find out whether the kernel is using the IOMMU to confine your Thunderbolt devices, you just need to read the file called:
/sys/bus/thunderbolt/devices/domain0/iommu_dma_protection
If the file contains a value of 1, DMA protection based on VT-d is active: the kernel has the IOMMU enabled and the firmware has set the DMA protection opt-in flag in the ACPI DMAR table (some BIOS setups expose this as Kernel DMA Protection). If the value is 0, one of these is missing: the IOMMU option in the BIOS is not active, the kernel was booted without the IOMMU, or the platform does not support the opt-in, which is usually the case if you are not using Thunderbolt 4 hardware. If the file does not exist at all, your kernel is older than 5.0. Without DMA protection, you can still fall back on the security levels available since Thunderbolt 3.
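As an added example (not from the article), the following POSIX shell script turns the two checks above, the DMAR lines in the kernel log and the iommu_dma_protection attribute, into functions that can be run against saved output. File paths are parameters, so only the live mode touches the real system; the sample log lines embedded in the script are constructed from Listing 1.

```shell
#!/bin/sh
# Added example, not from the article: report whether IOMMU-based DMA
# protection is in effect, from a saved kernel log and the Thunderbolt
# sysfs attribute. Run "sh tbcheck.sh live" as root to audit this machine.

# Classify a saved kernel log (the output of dmesg):
#   active - the Intel IOMMU initialised for DMA remapping
#   table  - the BIOS exposes a DMAR table but the kernel did not enable
#            the IOMMU (typically intel_iommu=on is missing)
#   absent - no DMAR messages at all (BIOS option off, or no VT-d)
iommu_state_from_log() {
    if grep -q 'DMAR: IOMMU enabled' "$1" ||
       grep -q 'Virtualization Technology for Directed I/O' "$1"; then
        echo active
    elif grep -q 'DMAR: DRHD base' "$1"; then
        echo table
    else
        echo absent
    fi
}

# Classify the iommu_dma_protection attribute of a Thunderbolt domain:
#   protected / unprotected / missing (kernel older than 5.0 or no domain)
dma_protection_from_sysfs() {
    [ -r "$1" ] || { echo missing; return 0; }
    case "$(cat "$1")" in
        1) echo protected ;;
        0) echo unprotected ;;
        *) echo unknown ;;
    esac
}

# Combined verdict. Only "protected" means devices are confined by VT-d;
# anything else leaves you with the Thunderbolt 3 security levels.
# Returns 0 when protected, 1 otherwise, so it can be used in scripts.
dma_protection_report() {
    log=$(iommu_state_from_log "$1")
    tb=$(dma_protection_from_sysfs "$2")
    if [ "$tb" = protected ]; then
        echo "OK: IOMMU $log, Thunderbolt DMA protection active"
        return 0
    fi
    echo "WARNING: IOMMU $log, Thunderbolt DMA protection $tb; relying on the security level"
    return 1
}

if [ "${1:-}" = live ]; then
    dmesg > /tmp/tb-dmesg.txt
    dma_protection_report /tmp/tb-dmesg.txt \
        /sys/bus/thunderbolt/devices/domain0/iommu_dma_protection
else
    # Constructed sample: the first lines of Listing 1 and an attribute
    # value of 0, i.e. IOMMU on but no platform opt-in for DMA protection.
    tmp=$(mktemp -d)
    cat > "$tmp/dmesg.txt" <<'EOF'
[    0.000000] DMAR: IOMMU enabled
[    0.301602] DMAR: Host address width 39
[    0.301603] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
EOF
    echo 0 > "$tmp/iommu_dma_protection"
    dma_protection_report "$tmp/dmesg.txt" "$tmp/iommu_dma_protection" || true
    rm -rf "$tmp"
fi
```

Run without arguments, the script evaluates the constructed sample and prints a warning, because an IOMMU that is merely enabled does not make the Thunderbolt attribute read 1. The "table" state is the one to watch for on real systems: the DRHD lines prove that the BIOS option is on, but without the kernel side of the IOMMU nothing is remapped.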
Five Possible Security Levels
The Thunderbolt specification supports five different security levels: none, dponly, user, secure, and usbonly. With none, every device is connected, and its PCIe tunnel created, automatically without asking anybody. dponly only tunnels DisplayPort, so no PCIe devices appear at all, and usbonly only tunnels to the USB controller and DisplayPort of a directly attached dock and removes all PCIe links behind it. user requires each device to be authorized before its PCIe tunnel is created, and secure additionally challenges the device with a key. You set the desired level for the Thunderbolt interface in your system's BIOS; Linux can only read it. To find out which level is currently active, ask the Linux sysfs filesystem by typing:
cat /sys/bus/thunderbolt/devices/domain0/security
If you want to use the user or secure security level, you first need to authorize a device before a channel is established between the device and your system. The secure level also uses a random 32-byte key: on first authorization the key is sent to the device, which stores it in its own non-volatile memory, and on every later connection the device must answer a challenge based on that key before it is authorized again. The host keeps the key too; the kernel exposes it through the device's key attribute in the sysfs filesystem, and boltd (see below) saves a copy in its own store so it can repeat the challenge next time. The challenge only works with devices that implement it; devices without secure connect support are handled as at the user level.
You can authorize a device and store a key manually through the sysfs filesystem or use the bolt [3] tool instead. bolt consists of a service (boltd) that watches the Thunderbolt tree in sysfs and makes the devices registered there available to other applications, such as the desktop, via the D-Bus message bus, plus the boltctl command-line client for managing your Thunderbolt devices. Calling boltctl without arguments (or boltctl list) only shows you the registered devices with their UUIDs and authorization status. You can then authorize a device for the current session using the following command:
boltctl authorize <UUID>
If bolt should also remember the device and authorize it automatically each time it is plugged in, use boltctl enroll <UUID> instead. If the security level is set to secure, bolt also takes care of generating the key, storing it, and running the challenge on later connections. The software is available in most Linux distributions, but you can also download it from the GitHub repository [3].
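As an added example, not from the article or the bolt project, the following POSIX shell script does by hand what boltd does for you, using the sysfs attributes described above (security, unique_id, device_name, authorized, and key). The SYSFS_ROOT variable is an assumption of this script so that it can be pointed at a test directory; on a real system leave it at its default and run the script as root.

```shell
#!/bin/sh
# Added example, not from the article or the bolt project: list and
# authorize Thunderbolt devices through sysfs. SYSFS_ROOT (an assumption
# of this script) defaults to the real tree; override it for testing.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/bus/thunderbolt/devices}"

# Security level of the first Thunderbolt domain:
# none, dponly, user, secure, or usbonly (set in the BIOS, read-only here).
tb_security_level() {
    cat "$SYSFS_ROOT/domain0/security"
}

# One line per device: sysfs name, unique_id, device name and authorized
# state (0 = not authorized, 1 = authorized, 2 = authorized after a key
# challenge; "-" if the attribute is absent at the current level).
tb_list_devices() {
    for d in "$SYSFS_ROOT"/*; do
        [ -f "$d/unique_id" ] || continue
        auth=-
        if [ -f "$d/authorized" ]; then auth=$(cat "$d/authorized"); fi
        name=$(cat "$d/device_name" 2>/dev/null || echo '?')
        printf '%s %s "%s" authorized=%s\n' \
            "${d##*/}" "$(cat "$d/unique_id")" "$name" "$auth"
    done
}

# First-time authorization of a device by its sysfs name (e.g. 0-1).
# At level "user", writing 1 to authorized is enough. At level "secure", a
# fresh 32-byte key (64 hex digits) is written to the key attribute first;
# the kernel then sends it to the device, which stores it for later
# challenges. The key is printed so the caller can save it (boltd keeps
# its copy in its own store); without it the device cannot be challenged.
tb_authorize() {
    dev="$SYSFS_ROOT/$1"
    [ -f "$dev/authorized" ] || { echo "no authorizable device $1" >&2; return 1; }
    case "$(tb_security_level)" in
        user)
            echo 1 > "$dev/authorized"
            ;;
        secure)
            key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
            echo "$key" > "$dev/key"
            echo 1 > "$dev/authorized"
            echo "$key"
            ;;
        *)
            echo "level $(tb_security_level) does not use authorization" >&2
            return 1
            ;;
    esac
}

# Re-authorization of a known device at level "secure": write the saved
# key, then 2 to authorized. The kernel challenges the device and only
# connects it if the response matches; a device with another key, or a
# look-alike with none, stays unauthorized.
tb_challenge() {
    dev="$SYSFS_ROOT/$1"
    echo "$2" > "$dev/key"
    echo 2 > "$dev/authorized"
}

case "${1:-}" in
    level)     tb_security_level ;;
    list)      tb_list_devices ;;
    authorize) tb_authorize "$2" ;;
    challenge) tb_challenge "$2" "$3" ;;
    *)         echo "usage: $0 level | list | authorize <dev> | challenge <dev> <key>" >&2 ;;
esac
```

The two-step flow at the secure level is the point: writing 1 together with a key enrolls the device, and writing 2 together with the same key later makes the kernel run the challenge instead of trusting the UUID alone. At the user level the UUID is all the kernel checks, which is why a device that clones it would be accepted there but not at secure.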
Conclusions
Thunderbolt is great for quickly transferring large volumes of data; the downside is that the interface gives connected devices direct access to a system's memory. If you support Thunderbolt devices, additional security measures are very much recommended if you want to stop unauthorized devices from accessing your system and reading sensitive data. Starting with Thunderbolt 3, you can use the security levels to ensure that a device must be manually authorized before it can talk to your system. Thunderbolt 4 goes further and requires the IOMMU, which confines each device to the memory the kernel has mapped for it instead of giving it access to the entire system memory.
Infos
- A Tour Beyond BIOS: Using IOMMU for DMA Protection in UEFI Firmware: https://www.intel.com/content/dam/develop/external/us/en/documents/intel-whitepaper-using-iommu-for-dma-protection-in-uefi.pdf
- Linux kernel Thunderbolt documentation: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-thunderbolt
- bolt: https://github.com/gicmo/bolt/