Intel Working On Thunderbolt Security Levels For Linux, Firmware Updates
Intel is continuing to improve the Thunderbolt support within the Linux kernel.
Mika Westerberg of Intel has posted a series of 24 patches implementing security levels and NVM firmware upgrades for Thunderbolt. Thunderbolt security levels are used to fend off direct memory access (DMA) attacks when PCI Express is tunneled over Thunderbolt and an IOMMU isn't available or working on the system. The firmware upgrade portion of the work allows NVM firmware upgrades on the host or a device by writing the new firmware file to an nvmem entry over sysfs.
The Thunderbolt security level handling within the Linux driver allows the security levels to be managed from the operating system; otherwise users need to disable the security support in the BIOS if they need a PCI-E tunnel. Under this new code, Thunderbolt devices can be authorized by writing to a file via sysfs.
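As an added example (not code from the article or from Intel's patch series), the script below shows what authorizing a device through sysfs looks like from the admin side: it reads the domain's security level, lists devices with their authorization state, and only writes the authorization when the domain is in user mode and the device is still unauthorized. The attribute names (security, authorized, vendor_name, device_name, unique_id) are assumed from the kernel's documented Thunderbolt sysfs ABI rather than taken from the article, and tb_make_fake_tree builds a constructed stand-in tree so it runs without hardware.

```shell
#!/bin/sh
# Added example, not from the article or Intel's patches. Attribute names
# (security, authorized, vendor_name, device_name, unique_id) follow the
# kernel's documented Thunderbolt sysfs ABI; the real root is
# /sys/bus/thunderbolt/devices. tb_make_fake_tree builds a constructed
# tree so the script runs without Thunderbolt hardware or root.

TB_ROOT="${TB_ROOT:-/sys/bus/thunderbolt/devices}"

# Security level of a domain, e.g. none, user, secure or dponly.
tb_security_level() {
    cat "$TB_ROOT/$1/security"
}

# One line per device: directory, vendor, name, unique id, authorized flag.
# Domain entries carry no 'authorized' attribute and are skipped.
tb_list_devices() {
    for d in "$TB_ROOT"/*/; do
        d=${d%/}
        [ -f "$d/authorized" ] || continue
        printf '%s %s %s %s authorized=%s\n' "${d##*/}" \
            "$(cat "$d/vendor_name")" "$(cat "$d/device_name")" \
            "$(cat "$d/unique_id")" "$(cat "$d/authorized")"
    done
}

# Authorize one device (allow its PCIe tunnel) only when the domain is in
# 'user' mode and the device is still unauthorized; fail otherwise so a
# wrapper (or GUI) can surface the mistake instead of writing blindly.
tb_authorize() {
    domain=$1; dev=$2
    [ "$(tb_security_level "$domain")" = user ] ||
        { echo "$domain: security level is not 'user'" >&2; return 1; }
    [ "$(cat "$TB_ROOT/$dev/authorized")" = 0 ] ||
        { echo "$dev: already authorized" >&2; return 1; }
    echo 1 > "$TB_ROOT/$dev/authorized"
}

# Constructed tree: one domain in 'user' mode and one unauthorized device.
tb_make_fake_tree() {
    TB_ROOT=$(mktemp -d)
    mkdir "$TB_ROOT/domain0" "$TB_ROOT/0-1"
    echo user > "$TB_ROOT/domain0/security"
    echo ExampleVendor > "$TB_ROOT/0-1/vendor_name"
    echo "Example Dock" > "$TB_ROOT/0-1/device_name"
    echo 0000-example-unique-id > "$TB_ROOT/0-1/unique_id"
    echo 0 > "$TB_ROOT/0-1/authorized"
}
```

Against real hardware, run it as root with TB_ROOT left at its default and call tb_authorize with the device directory name shown by tb_list_devices.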
The developers hope user-space desktop environments will add GUI functionality wrapping this authorization mechanism, prompting the user whether a newly added Thunderbolt device should be allowed, rather than leaving users to deal with the sysfs entries from the terminal.
This set of patches, adding five thousand lines of code to the kernel, also adds MSI-X support to the Thunderbolt driver for potentially greater performance than MSI / legacy interrupts, PCI IDs for the Intel Alpine Ridge Thunderbolt 3 controller, and other improvements. Perhaps we'll see this code ready for Linux 4.13; in the meantime it can be found on the kernel mailing list.