Red Hat's Latest Project: "Bolt" To Deal With Linux Thunderbolt Security
"Bolt" is a new project by Red Hat / GNOME developers for dealing with Thunderbolt 3 security levels on Linux.
Thunderbolt exposes PCI Express directly, which makes it very fast but also opens the plug-and-play port to DMA attacks and more. Thunderbolt 3 therefore introduced the concept of security levels, and Bolt is part of the equation for supporting this security feature on Linux.
Thunderbolt 3 security levels include none (no security), dponly (DisplayPort with no PCI-E), user (requiring authorization by the user to enable), and secure (similar to user but introducing a key).
To support these Thunderbolt 3 security levels, Linux 4.13 introduced the kernel-side work while the new Bolt process handles the user-space integration.
Bolt consists of a generic system daemon on D-Bus for managing the attached Thunderbolt devices and their security levels while there is also a new GNOME component that's part of the GNOME Shell to deal with the UI/UX side.
When running GNOME with administrator rights, the GNOME Shell integration will inform the user of a newly-attached Thunderbolt 3+ device and prompt for action if the user wishes to grant it PCI-E access to the system.
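As an added example that is not part of the article or the Bolt project, the following script audits the kernel-side state the article refers to: the security level of each Thunderbolt domain and the authorization state of each attached device, as exposed under /sys/bus/thunderbolt/devices since Linux 4.13. The TB_SYSFS override is an assumption added here so the functions can be run against a constructed directory tree.

```shell
#!/bin/sh
# Audit Thunderbolt 3 security state through the sysfs interface added in Linux 4.13.
# TB_SYSFS may be pointed at a constructed directory tree for offline testing.
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"

# One line per domain: "<domain> <level>" where level is none, dponly, user or secure.
tb_security_levels() {
    for d in "$TB_SYSFS"/domain*; do
        [ -f "$d/security" ] || continue
        printf '%s %s\n' "$(basename "$d")" "$(cat "$d/security")"
    done
}

# Return 0 if no domain is at level 'none', else 1.
# 'none' tunnels PCIe for any plugged device without asking; 'dponly' never creates
# PCIe tunnels; 'user' and 'secure' require explicit authorization (Bolt's job).
tb_levels_ok() {
    rc=0
    while read -r dom level; do
        [ -n "$dom" ] || continue
        case "$level" in
            dponly|user|secure) ;;
            *) echo "WARN: $dom is at security level '$level'" >&2; rc=1 ;;
        esac
    done <<EOF
$(tb_security_levels)
EOF
    return $rc
}

# One line per attached device: "<id> <authorized> <vendor> <name>".
# authorized: 0 = connected but no PCIe, 1 = authorized, 2 = authorized with key (secure).
tb_devices() {
    for dev in "$TB_SYSFS"/[0-9]*-[0-9]*; do
        [ -f "$dev/authorized" ] || continue
        case "$(basename "$dev")" in *-0) continue ;; esac   # skip the host router itself
        printf '%s %s %s %s\n' "$(basename "$dev")" "$(cat "$dev/authorized")" \
            "$(cat "$dev/vendor_name" 2>/dev/null)" "$(cat "$dev/device_name" 2>/dev/null)"
    done
}

# Number of devices that are plugged in but have not been granted PCIe access.
tb_unauthorized_count() {
    tb_devices | awk '$2 == 0 { n++ } END { print n + 0 }'
}
```

Run as root on a Thunderbolt 3 machine, `tb_levels_ok && tb_devices` shows whether the firmware level is one that Bolt can enforce and which devices are still waiting for authorization.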
More details on the Bolt project and its initial v0.1 bits can be found via Christian Kellner's blog while the GNOME integration bits are outlined in this Wiki whiteboard. It looks like the GNOME bits could be ready for GNOME 3.28 and then we'll see in the future if KDE decides to make use of Bolt's D-Bus daemon for then building their own Plasma integration.