OMG! Ubuntu!

Bolt Will Tackle Thunderbolt 3 Security on Linux

A Thunderbolt 3 security prompt on GNOME Shell

Ah, you gotta love Red Hat — they’re never not busy working on something that might make our lives a little easier.

Latest case in point: Thunderbolt 3.

This alternative to USB and other peripheral port technologies (including the older Thunderbolt 2) is fast gaining traction in the tech industry (especially since Intel made it royalty free).

The I/O technology is incredibly versatile, able to handle everything from output to multiple 4K monitors or driving a VR headset, to super fast file transfers from external devices.

But this versatility has a drawback, as GNOME’s Jakub Steiner explains:

“Unlike USB, [Thunderbolt 3] allows wide access to devices or memory for example. It is speculated that a malicious device could be attached to a PC and copy memory or inject malicious spyware. This has been successfully achieved in the past, over a similar I/O port, Firewire.”

To mitigate malicious use there are various Thunderbolt 3 security levels, which govern what a connected device can and can't do.

While the latest Linux kernel has support for these security levels, there's work to be done on integrating them at the desktop level ('user space').
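As an added illustration of the kernel side described above (not code from this article or from the Bolt project), the following POSIX shell script reads the per-domain security level and per-device authorization state from the sysfs attributes documented in the kernel's admin guide; the sample tree it builds is constructed for demonstration, not captured from a real machine.

```shell
#!/bin/sh
# Audit the Thunderbolt security state the Linux kernel exposes in sysfs.
# Attribute names follow Documentation/admin-guide/thunderbolt.rst; the
# default ROOT is the real sysfs path, but any directory with the same
# layout can be passed (the constructed tree below is for demonstration).

tb_root() { printf '%s' "${1:-/sys/bus/thunderbolt/devices}"; }

# Print each domain's security level: none|user|secure|dponly|usbonly|nopcie.
tb_level() {
    for dom in "$(tb_root "$1")"/domain*; do
        if [ -r "$dom/security" ]; then cat "$dom/security"; fi
    done
}

# Print "<id> <authorized> <name>" per device router that carries the
# 'authorized' attribute: 0 = blocked, 1 = authorized, 2 = authorized with key.
tb_devices() {
    for dev in "$(tb_root "$1")"/[0-9]*-[0-9]*; do
        [ -r "$dev/authorized" ] || continue
        name=$(cat "$dev/device_name" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$(basename "$dev")" "$(cat "$dev/authorized")" "$name"
    done
}

# Return 0 when the policy is sound, 1 if any domain is at 'none' (every
# device is auto-authorised, so an attached device gets PCIe/DMA access with
# no user decision), 2 if devices are still waiting for an authorization decision.
tb_audit() {
    for lvl in $(tb_level "$1"); do
        if [ "$lvl" = "none" ]; then return 1; fi
    done
    pending=$(tb_devices "$1" | awk '$2 == 0 { n++ } END { print n + 0 }')
    if [ "$pending" -gt 0 ]; then return 2; fi
    return 0
}

# Build a constructed sample tree (not a real machine) under $1 at level $2:
# an authorised dock and a newly attached, not yet authorised device.
tb_sample_tree() {
    mkdir -p "$1/domain0" "$1/0-1" "$1/0-3"
    echo "$2" > "$1/domain0/security"
    echo "Dock" > "$1/0-1/device_name";    echo 1 > "$1/0-1/authorized"
    echo "New SSD" > "$1/0-3/device_name"; echo 0 > "$1/0-3/authorized"
}
```

Run `tb_audit` with no argument on a real machine to check the live sysfs tree; a non-zero return flags either the permissive 'none' level or devices awaiting a decision.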

Which is where the fine folks at Red Hat come in. Their devs are working on a new project called Bolt that aims to cleanly handle Thunderbolt security levels on Linux desktops while keeping us, the user, fully informed about what’s going on.

Example of Thunderbolt 3 initialising status in the GNOME Status Menu

My desktop PC has a pair of Thunderbolt 3 ports but alas I’ve no Thunderbolt 3 devices to use with ’em! But when I do — and it is a case of when, not if, given the sheer versatility of the protocol — I will want them to work on Linux as safely and securely as they do on other operating systems.

Red Hat’s Christian Kellner details the Bolt project further in a blog post, explaining:

“[Bolt] provides a D-Bus API to list devices, enroll them (authorize and store them in the local database) and forget them again (remove previously enrolled devices). It also emits signals if new devices are connected (or removed). During enrollment devices can be set to be automatically authorized as soon as they are connected.”

There’s also a GNOME wiki page that delves into more detail about how things work and lists possible user scenarios.

While the work isn’t likely to hit Ubuntu and other Linux distros right away (Bolt 0.1 has only just been released) the work may feature as part of the GNOME 3.28 release in March 2018 (and possibly feature in Ubuntu 18.04 LTS as a result).

Related: USB Type-C_onfusion

Thunderbolt 3 uses everyone’s new favourite connector USB Type-C. While this is great on the one hand — reversible connector, uniform look, and so on — it could make cable swapping incredibly confusing!

Right now it’s hard to differentiate the protocol support between a tangle of USB-C cables in your drawer (unless you’re clever and label them). You might pick up a cable that is a plain USB cable, or one that supports Thunderbolt 3 devices…

Where USB-C cables are limited to around 5 Gbps (max; typically less) using USB protocols, Thunderbolt 3 can pass PCIe at up to 40 Gbps and supports a much broader range of capabilities. I suspect there’ll be plenty of end-user frustration about things “not just working” as they should as a result of the wrong cable!

To fully swot up on the differences between USB-C and Thunderbolt 3, hit play on this delightfully straightforward video.