Linux 6.13 To Enhance Logic For Trusting Built-In Thunderbolt Controllers
Because connected Thunderbolt devices can mount DMA attacks, Linux and other platforms have built up safeguards over the years, including different Thunderbolt security levels, to better protect systems that expose PCIe over this high-speed interface. With the upcoming Linux 6.13 kernel, the kernel's logic is being enhanced to better detect and trust built-in Thunderbolt controllers.
Esther Shimanovich of Google prepared the patch for detecting and trusting built-in Thunderbolt chips. With the patch now queued in the PCI subsystem's "thunderbolt" branch ahead of the Linux 6.13 merge window, Esther explains:
Some computers with CPUs that lack Thunderbolt features use discrete Thunderbolt chips to add Thunderbolt functionality. These Thunderbolt chips are located within the chassis, between the Root Port labeled ExternalFacingPort and the USB-C port.
These Thunderbolt PCIe devices should be labeled as fixed and trusted, as they are built into the computer. Otherwise, security policies that rely on those flags may have unintended results, such as preventing USB-C ports from enumerating.
Detect the above scenario through the process of elimination.
1) Integrated Thunderbolt host controllers already have Thunderbolt implemented, so anything outside their external facing root port is removable and untrusted.
Detect them using the following properties:
- Most integrated host controllers have the "usb4-host-interface" ACPI property.
- Integrated Thunderbolt PCIe root ports before Alder Lake do not have the usb4-host-interface ACPI property. Identify those with their PCI IDs instead.
2) If a root port does not have integrated Thunderbolt capabilities, but has the "ExternalFacingPort" ACPI property, that means the manufacturer has opted to use a discrete Thunderbolt host controller that is built into the computer.
This host controller can be identified by virtue of being located directly below an external-facing root port that lacks integrated Thunderbolt. Label it as trusted and fixed.
Everything downstream from it is untrusted and removable.
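A model of the elimination logic described in the quoted patch notes, added here as an illustration and not the kernel's own code: the struct fields, the function names and the placeholder PCI ID table are assumptions, and the kernel's real device structures and its actual list of pre-Alder-Lake root port IDs differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flags the patch notes talk about: a device is either fixed+trusted (0) or removable+untrusted. */
enum { TB_UNTRUSTED = 1 << 0, TB_REMOVABLE = 1 << 1 };

/* Minimal model of a PCI device seen through its root port (constructed, not the kernel's struct). */
struct pci_dev_model {
    uint16_t root_vendor, root_device; /* PCI IDs of the root port above the device */
    bool root_has_usb4_host_iface;     /* root port carries the "usb4-host-interface" ACPI property */
    bool root_external_facing;         /* root port carries the "ExternalFacingPort" ACPI property */
    int hops_below_root;               /* 1 = directly below the root port, 2+ = further downstream */
};

/* PLACEHOLDER table: stands in for the pre-Alder-Lake integrated Thunderbolt root port IDs,
 * which the page does not list. Values here are constructed and not real hardware IDs. */
static const struct { uint16_t vendor, device; } integrated_tb_ids[] = {
    { 0x8086, 0x0001 }, /* PLACEHOLDER */
};

/* Step 1 of the elimination: does this root port already implement Thunderbolt itself? */
static bool root_port_has_integrated_tb(const struct pci_dev_model *d) {
    if (d->root_has_usb4_host_iface)
        return true;
    for (size_t i = 0; i < sizeof integrated_tb_ids / sizeof integrated_tb_ids[0]; i++)
        if (integrated_tb_ids[i].vendor == d->root_vendor && integrated_tb_ids[i].device == d->root_device)
            return true;
    return false;
}

/* Returns the trust/removability flags the patch notes assign to a device below a root port. */
unsigned classify_thunderbolt_device(const struct pci_dev_model *d) {
    /* 1) Integrated controller: anything outside its external-facing root port is removable and untrusted. */
    if (root_port_has_integrated_tb(d))
        return d->root_external_facing ? (TB_UNTRUSTED | TB_REMOVABLE) : 0;
    /* 2) External-facing root port with no integrated Thunderbolt: the device directly below it is the
     *    built-in discrete host controller (fixed, trusted); everything downstream of it is untrusted. */
    if (d->root_external_facing)
        return d->hops_below_root == 1 ? 0 : (TB_UNTRUSTED | TB_REMOVABLE);
    /* Root port is not external-facing at all: an ordinary internal device. */
    return 0;
}

int main(void) {
    struct pci_dev_model discrete_host = { 0x1234, 0x5678, false, true, 1 }; /* constructed sample */
    printf("discrete host controller flags: %u\n", classify_thunderbolt_device(&discrete_host));
    return 0;
}
```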
This change, expected in Linux 6.13, should thus fix the issue of USB-C/Thunderbolt ports sometimes not being properly enumerated under Linux.
The Linux 6.13 merge window will be opening later this month while the stable Linux 6.13 kernel will debut in February.