Linux Support Is Coming To Allow De-Authorizing Thunderbolt Devices
While in recent years there has been growing interest in enhancing Linux's Thunderbolt security by offering security levels and other functionality to authorize supported/known Thunderbolt devices, surprisingly it has taken until 2021 for Linux's Thunderbolt software connection manager to gain the ability to de-authorize devices.
Whether you want to de-authorize a previously authorized Thunderbolt device for whatever reason, or to establish a policy such as automatically de-authorizing devices on user log-out, it looks like Linux 5.12 will support this ability.
Queued this past week into the Thunderbolt dev tree is the subsystem support for de-authorizing Thunderbolt devices. The de-authorization support relies upon the Thunderbolt software connection manager being active, since it is the component that directly controls the PCIe tunnels.
A new "deauthorization" sysfs attribute is exposed to indicate whether the system supports de-authorization of Thunderbolt devices. Specific devices can then be deauthorized by writing "0" to the "authorized" sysfs attribute.
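As an added example (not code from the article, the kernel tree, or any user-space project), here is a small POSIX shell helper built around the two sysfs attributes the article names. It assumes the layout the Linux thunderbolt bus uses under /sys/bus/thunderbolt/devices: a domain directory such as domain0 carrying the "deauthorization" attribute, device directories named by domain number and route (e.g. 0-1) carrying "authorized" (0 = not authorized, non-zero = authorized), and the host router appearing as N-0. The TB_SYSFS variable lets the functions run against a constructed tree for offline testing; on a real system, writing the attribute needs root.

```shell
#!/bin/sh
# Added example; not code from the article or the kernel. Assumed sysfs layout:
#   $TB_SYSFS/domainN/deauthorization   "1" when de-authorization is supported
#   $TB_SYSFS/N-<route>/authorized       "0" not authorized, non-zero authorized
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"

# Domain directory for a device name such as "0-1" (assumed naming: domain, dash, route).
tb_domain_of() {
    printf 'domain%s\n' "${1%%-*}"
}

# Succeeds if the domain owning device "$1" advertises de-authorization support.
tb_supports_deauth() {
    attr="$TB_SYSFS/$(tb_domain_of "$1")/deauthorization"
    [ -r "$attr" ] && [ "$(cat "$attr")" = "1" ]
}

# Current value of the device's "authorized" attribute, or "missing" if absent.
tb_authorized_state() {
    attr="$TB_SYSFS/$1/authorized"
    if [ -r "$attr" ]; then cat "$attr"; else echo missing; fi
}

# De-authorize one device by writing "0" to its "authorized" attribute.
# Returns 0 on success (or if already de-authorized), 2 if the domain lacks
# de-authorization support, 3 if the device is unknown, else the write's status.
tb_deauthorize() {
    dev="$1"
    tb_supports_deauth "$dev" || return 2
    state=$(tb_authorized_state "$dev")
    [ "$state" != missing ] || return 3
    [ "$state" != 0 ] || return 0
    printf '0' > "$TB_SYSFS/$dev/authorized"
}

# De-authorize every currently authorized device, e.g. from a log-out hook.
# Prints each de-authorized device name; the return value is the failure count.
# The host router (N-0) and domain directories are skipped (assumption).
tb_deauthorize_all() {
    failures=0
    for d in "$TB_SYSFS"/*/; do
        name=${d%/}; name=${name##*/}
        case "$name" in domain*|*-0) continue ;; esac
        [ -r "$d/authorized" ] || continue
        [ "$(cat "$d/authorized")" != 0 ] || continue
        if tb_deauthorize "$name"; then
            echo "$name"
        else
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: tb-deauth.sh --all | tb-deauth.sh <device>...
if [ "$#" -gt 0 ]; then
    if [ "$1" = --all ]; then
        tb_deauthorize_all
    else
        for dev in "$@"; do
            tb_deauthorize "$dev" && echo "de-authorized $dev"
        done
    fi
fi
```

Checking the "deauthorization" attribute first matters: on a kernel or firmware connection manager without this support, writing "0" to "authorized" is rejected, and a log-out hook that assumes success would leave the device's PCIe tunnel in place.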
This is the kernel-side support; once it lands, we will see whether any user-space policies are proposed for automatically de-authorizing Thunderbolt devices on log-out or other state changes in the name of system security.