Linux 4.21 Will Better Protect Against Malicious Thunderbolt Devices
The new protection with Linux 4.21 is the enabling of IOMMU-based direct memory access (DMA) protection for devices connected via Thunderbolt. PCI Express Address Translation Services (PCIe ATS) is also disabled so that it cannot be used to bypass that IOMMU protection, per this pull.
DMA protection via IOMMU began appearing on systems/motherboards this year and ensures that Thunderbolt devices cannot access memory regions beyond those they are permitted to use. On supported systems this protection is enabled automatically. Likewise, PCIe ATS support is automatically disabled for all "untrusted" Thunderbolt devices.
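As an added example (not code from the article or the kernel), here is a small POSIX shell check an administrator can run to confirm the protection described above is actually active: it reads each Thunderbolt domain's `security` and `iommu_dma_protection` sysfs attributes and lists attached devices with their `authorized` state. It assumes the sysfs layout documented in the kernel's Thunderbolt admin guide; the optional root argument lets it run against a constructed tree instead of /sys.

```shell
#!/bin/sh
# Added example: summarise Thunderbolt DMA-protection state from sysfs.
# The first argument is the sysfs root (defaults to /sys); pass a constructed
# tree to exercise the functions offline.

# Print one line per Thunderbolt domain with its security level and whether
# the kernel reports IOMMU-based DMA protection for it.
# Returns 0 if every domain reports iommu_dma_protection=1, 1 if any does not,
# 2 if no Thunderbolt domain exists at all.
tb_dma_protection_status() {
    root="${1:-/sys}"
    all_ok=0
    found=0
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        found=1
        sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
        if [ -r "$dom/iommu_dma_protection" ]; then
            prot=$(cat "$dom/iommu_dma_protection")
        else
            prot=0   # attribute missing: kernel too old or platform lacks it
        fi
        printf '%s security=%s iommu_dma_protection=%s\n' \
            "$(basename "$dom")" "$sec" "$prot"
        [ "$prot" = "1" ] || all_ok=1
    done
    [ "$found" = 1 ] || return 2
    return "$all_ok"
}

# List attached Thunderbolt devices (names like 0-1) with vendor, product
# and whether user space has authorized them for PCIe tunnelling.
tb_list_devices() {
    root="${1:-/sys}"
    for dev in "$root"/bus/thunderbolt/devices/[0-9]*-*; do
        [ -r "$dev/authorized" ] || continue
        printf '%s %s %s authorized=%s\n' "$(basename "$dev")" \
            "$(cat "$dev/vendor_name" 2>/dev/null)" \
            "$(cat "$dev/device_name" 2>/dev/null)" \
            "$(cat "$dev/authorized")"
    done
}
```

A return code of 1 from `tb_dma_protection_status` means at least one domain is running without IOMMU DMA protection, so the `authorized` state of each device is the only barrier left.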
These latest kernel enhancements, paired with other efforts, namely Red Hat's Bolt initiative, have led to much better Thunderbolt device safety on Linux this year.