Red Hat's Latest Project: "Bolt" To Deal With Linux Thunderbolt Security

  • Red Hat's Latest Project: "Bolt" To Deal With Linux Thunderbolt Security

    Phoronix: Red Hat's Latest Project: "Bolt" To Deal With Linux Thunderbolt Security

    "Bolt" is a new project by Red Hat / GNOME developers in dealing with Thunderbolt 3 security levels on Linux...

    http://www.phoronix.com/scan.php?pag...derbolt-Secure

  • #2
    Is that notification a concept or real? If real, what project generated it? I can't find "Uknown" in bolt or bolt-extension...

    • #3
      Originally posted by tildearrow:
      Is that notification a concept or real? If real, what project generated it? I can't find "Uknown" in bolt or bolt-extension...
      I think it was a developer mockup.
      Michael Larabel
      http://www.michaellarabel.com/

      • #4
        Hi,

        Originally posted by tildearrow:
        Is that notification a concept or real? If real, what project generated it? I can't find "Uknown" in bolt or bolt-extension...
        As mentioned in the blog-post "I am locally running a Proof-of-Concept gnome-shell extension that implements the user session bits to complete the aforementioned : It uses bolt's D-Bus interface"

        Note that the example dialog is very real: Thunderbolt may be an attack vector for those with physical access to an unattended laptop at e.g. a conference, so the plan is to deny access to devices plugged in while the session is locked. Unfortunately, things work in such a way that allowing access later requires unplugging and replugging the device.

        Regards,

        Hans

        • #5
          Originally posted by tildearrow:
          Is that notification a concept or real? If real, what project generated it? I can't find "Uknown" in bolt or bolt-extension...
          The screenshot Michael posted is a mockup from Jimmac. But the proof of concept shell extension has a similar message. You can find it at extension.js:99. The exact phrasing is subject to change.

          • #6
            Ugh, that unplugging and replugging.
            Is it possible to use USB PPPS or similar (for hardware that supports it) to avoid this?

            Also will this recognize already authorized devices after a topology change? What about docks with extra TB ports, one authorization for the whole thing or individual ones per device/function?

            • #7
              Originally posted by chithanh:
              Ugh, that unplugging and replugging.
              Is it possible to use USB PPPS or similar (for hardware that supports it) to avoid this?
              Afaik no.

              Also will this recognize already authorized devices after a topology change? What about docks with extra TB ports, one authorization for the whole thing or individual ones per device/function?
              From the blog, if you choose "security" mode it says it writes a key on the device, so it should be able to recognize it later on connecting again.

              And I think you need to authorize both the dock and the downstream TB devices you connect to it.

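An added example, not part of this thread and not bolt's own code: the kernel exposes each domain's security level and each device's `authorized` state (0 = not authorized, 1 = authorized, 2 = authorized with a key challenge) under `/sys/bus/thunderbolt/devices`, so the points in the post above about stored keys and separate approval of a dock and the devices behind it can be checked directly. The sample tree and the ExampleCo names are constructed.

```shell
#!/bin/sh
# Audit Thunderbolt authorization state from the kernel's sysfs attributes.
# Usage: tb_audit [root]   (root defaults to /sys/bus/thunderbolt/devices)

# Print one attribute, or "?" when the file is absent.
attr() { if [ -r "$1" ]; then cat "$1"; else echo "?"; fi; }

tb_audit() {
    root=${1:-/sys/bus/thunderbolt/devices}
    findings=0
    for dom in "$root"/domain*; do
        [ -r "$dom/security" ] || continue
        idx=${dom##*/domain}
        level=$(attr "$dom/security")
        echo "domain$idx security=$level"
        if [ "$level" = none ]; then
            echo "  FINDING domain$idx: devices are connected without approval"
            findings=$((findings + 1))
        fi
        for dev in "$root/$idx"-*; do
            [ -r "$dev/authorized" ] || continue
            name=${dev##*/}
            if [ "$name" = "$idx-0" ]; then continue; fi   # host controller
            auth=$(attr "$dev/authorized")
            echo "  $name authorized=$auth ($(attr "$dev/vendor_name") $(attr "$dev/device_name"))"
            if [ "$level" = secure ] && [ "$auth" = 1 ]; then
                echo "  FINDING $name: approved without a key challenge"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample tree (not real hardware): a dock enrolled with a key
# and a disk behind it that was approved without one.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/domain0" "$t/0-0" "$t/0-1" "$t/0-301"
    echo secure > "$t/domain0/security"
    echo 1 > "$t/0-0/authorized"
    echo 2 > "$t/0-1/authorized"
    echo ExampleCo > "$t/0-1/vendor_name"; echo Dock > "$t/0-1/device_name"
    echo 1 > "$t/0-301/authorized"
    echo ExampleCo > "$t/0-301/vendor_name"; echo Disk > "$t/0-301/device_name"
    echo "$t"
}

if [ "${1:-}" = demo ]; then tb_audit "$(make_sample_tree)"; fi
```

Run it with `demo` to audit the constructed tree; calling `tb_audit` with no argument reads the live sysfs path.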


              • #8
                This will be a good thing to have, even if it doesn't get much use due to consumers passing on Thunderbolt, in favor of USB 3.x/USB-C.

                • #9
                  Originally posted by TheLexMachine:
                  This will be a good thing to have, even if it doesn't get much use due to consumers passing on Thunderbolt, in favor of USB 3.x/USB-C.
                  It's not over yet.
                  Once Intel integrates Thunderbolt controllers in their CPU/Chipsets (as they said they will next year afaik), more USB-C ports will be Thunderbolt-capable.

                  • #10
                    Originally posted by starshipeleven:
                    And I think you need to authorize both the dock and the downstream TB devices you connect to it.
                    I hope so, lest TB security is undermined by attackers inserting rogue TB hubs/docks/active cables.

                    Originally posted by starshipeleven:
                    It's not over yet.
                    Once Intel integrates Thunderbolt controllers in their CPU/Chipsets (as they said they will next year afaik), more USB-C ports will be Thunderbolt-capable.
                    Thunderbolt peripherals are still several times as expensive as USB 3 hardware, with only limited benefits. Plus Thunderbolt mandates wiring up DisplayPort and Power to the port, which is an additional cost factor. So I don't see this technology taking off just yet.
