Thunderbolt 3 hardware enablement for GNU/Linux
Formal Metadata
Title | Thunderbolt 3 hardware enablement for GNU/Linux
Number of Parts | 50
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/43129 (DOI)
Transcript: English(auto-generated)
00:06
Right, so I'm just gonna dive into it and then we can be done with this quickly. So what is Thunderbolt anyway? According to Intel it is "the USB-C that does it all".
00:20
Which hints at a few things: first of all that it is an IO technology, that it's fast, maybe because it's USB-C, that it uses the USB-C connector, and that it might be a bit confusing because, you know, it's a Thunderbolt technology, but it's "a USB-C that does it all".
00:41
But we get to that. So it was first introduced in 2009 as Light Peak. It was first shipping in a MacBook Pro in 2011. It was initially based on fiber optics, you know, sending the signal over the wire as light signals, but they backtracked on this and now everything is just electric signals.
01:03
It was already back then quite fast, with PCI Express Gen 2 and DisplayPort 1.1, and it used the Mini DisplayPort connector at the very beginning. And then there's a second version of that in 2013, which actually kept the same speed on the PCI Express,
01:22
bumped the DisplayPort to 1.2, but still used the same connector. And I think, you know, the Thunderbolt 3 that we're currently at is implemented by the Alpine Ridge controller, which I think is currently in most laptops that ship Thunderbolt 3, which is the standard now, I think.
01:43
And there they upped the specs, and there's a new version of the Thunderbolt 3 controller out there called Titan Ridge, which is being rolled out now, more and more, but it's not that widespread yet. Oh yeah, and Intel made it, because the adoption of Thunderbolt still is not as great as I think Intel wanted it to be, they made it
02:06
in 2007, and now from 2018 on it is a royalty-free standard, and they're even gonna put it, I think with Whiskey Lake or so, I'm not entirely sure, with some new chip, they're gonna put the Thunderbolt controller on the CPU die.
02:21
So basically forcing adoption, because you will get it anyway. Yeah, and so the current version is Thunderbolt 3 and it uses the USB Type-C connector, which, it's confusing people, I can tell you. The speed got up to double the speed of the former
02:40
former one, so it's 40 gigabits per second. It can deliver up to four PCI Express Gen 3 lanes. It can do DisplayPort 1.2 or, in Titan Ridge, 1.4, which, you know, if you think about it, the speed is gonna stay the same, but
03:02
DisplayPort 1.4 can actually drive 8K displays. So there's actually a bottleneck. So if you do that over Thunderbolt, you might not be able to drive the display at full speed and have a dock at all. So this is a bit of a funny thing, but whatever.
03:20
It does native USB 3.1, you can daisy-chain up to six devices, and you can also charge your laptop while you're connecting your IO, which is really cool. So you have potentially only one cable to the laptop, and charge the laptop and also have the dock and the display and everything running. Also, what is new with version 3 is you got security modes, which, if you think about that, it's actually PCI Express
03:47
that's going over Thunderbolt, is actually maybe not a bad idea. And the main usage is, I think, docks. You know, you can also use it for external graphics, as people already do. You can do it for networking, and a lot of people,
04:02
I mean, some people use it for connecting a shit ton of storage when they're on the road and doing video editing or something. And I mean, this is a very simple graph of how that actually is connected. So you have the CPU and you have your Platform Controller Hub, I think. And so the DisplayPort either comes directly from the internal graphics
04:22
or, if you have an Nvidia or something, it can also go from the external graphics. And you get the PCI lanes. In some models they don't connect the full four lanes, it can also be only two, and sometimes it can be very tricky to find out what you actually have. You might have to actually ask the manufacturer, because they don't specify.
04:41
And then it all goes over this, you know, Thunderbolt IO, and then the Thunderbolt controller on the device can split out the PCI Express lanes, or the DisplayPort, or both, depending on what device you have.
05:01
One funny thing is that currently, with the Alpine Ridge controller, if you have an Alpine Ridge controller in a device like a dock and you connect it to a USB-C port, nothing will work. Nothing will happen, because it's a different technology. But if you have a Titan Ridge USB dock,
05:22
there's a fallback mode, which I think I have somewhere here. Yeah, Titan Ridge has a fallback mode, so it can act as a USB sink. So if you connect your Titan Ridge Thunderbolt dock to a USB-C port which is not a Thunderbolt port, it will also work, in a fallback mode, which I think adds to the confusion. I mean, it's, yeah.
05:45
I think it's a hell of a confusion sometimes, because here's my prime example for why this thing is really confusing. This is the current T480s from Lenovo, and you see that there is the USB Type-C port
06:02
that has this power logo next to it, and then you see this kind of, whatever it is, it's the proprietary thing, and here you see this flash thing next to it. And, you know, if you were to connect this thing to your dock, where would you connect it to, I mean?
06:23
You know, this is the Type-C connector, right, so you would maybe connect it to this thing. But, you know, this is actually not a Thunderbolt port, this is just a plain USB port, and this is the actual Thunderbolt port, which doesn't even look like a USB-C port, because it's their proprietary whatever thing.
06:43
So yeah, I've got, I'm not kidding, I've got people writing to me like, you know, my Thunderbolt is broken, or your software is broken, doesn't work. And I'm trying to debug, the first time I actually tried to debug the whole thing, and it was like, wait, just a stupid question, did you plug it into the left port or the port next to the left port? And he was like, oh shit,
07:03
I plugged it into this thing and everything's working now. It's like, oh, yeah, shit. Yeah, so I mean, for example here also this USB Type-C is not a Thunderbolt one, these two are Thunderbolt ones, right, so logos matter, which is really, yeah. And the ironic bit now: if you had a Titan Ridge
07:23
Thunderbolt dock and you would make the same mistake, it will somewhat work, but it would not work at full speed, because you would be using USB but not Thunderbolt speed. So you get the display and you get the dock, but you don't get the full, yeah. It's, you know, confusing because Thunderbolt also has different connection modes, different alternate modes, as, you know,
07:45
plain USB Type-C also has. So it can be USB only if you plug in a USB device, it can be DisplayPort only if you plug in a DisplayPort device, it can do both, or it can run at full Thunderbolt 3 speed.
08:01
And you can even, in most computers, firmware- and BIOS-wise, you can actually set the Thunderbolt controller in these modes. You can say, I want the Thunderbolt controller to be only USB, and then if you connect a Thunderbolt device it won't work. I can say I want only DisplayPort, for security measures, if you go to a conference, whatever, DEF CON, and you don't wanna...
08:23
Yeah, and to make things even worse, there are also different controller modes. So currently, if you're running Linux on your machine, you should make sure it's running in BIOS assist mode, which means that ACPI is controlling the power of the Thunderbolt controller.
08:41
It's powering it up and powering it down. If you connect a device, ACPI will power the Thunderbolt controller; if you disconnect it, ACPI will actually shut the whole thing off. It will disappear from the system. If you do lspci, it will look as if there is no Thunderbolt device in the computer.
09:02
And in the future we will have native PCI hotplug, which is good, because in theory this gives us more control, we can actually save a bit more power. But currently, with current kernels, you will actually consume a lot of power, because we don't have the full power management patches merged into the kernel. So if you haven't turned your
09:23
Thunderbolt controller into BIOS assist mode, it will always be there and will always eat power. So don't do that. Yeah, and the security modes that were added to Thunderbolt 3 are the main thing that I actually worked on, because, you know, PCI Express can do DMA, so we can read and write memory from stuff that you just plugged into your computer,
09:45
which actually some people did as a proof-of-concept, I think with a MacBook Pro and the Thunderbolt 2 port or so. So now with Thunderbolt 3 there are new security modes that you can also set in the BIOS, everything can be set there. So you can have no security,
10:03
which is basically what the old versions were; Thunderbolt 2 did that and Thunderbolt 1 did that. So you connect the device and, if the device supports it, you will get the full PCI Express lanes and you can do DMA to whatever you want. And then there are
10:21
two more Thunderbolt modes, one is called user and one is called secure. And in both of these modes what is new is basically that you as the user, or the system, has to authorize devices before they can actually work. So you have the connected device and it will show up, but it won't connect the PCI lanes
10:42
before the system actually says to the controller: yes, please connect the PCI Express lanes. And in the secure mode there's an additional step where we can actually authorize the device and also verify it is the device that we connected before.
11:02
In Windows, that's basically what it looks like. So in Windows you get a bunch of dialog boxes, because, you know, how do you then verify that the thing is actually, you know, how do you authorize the device? You ask the user, right? So you get a box that says there's a new Thunderbolt device connected, you click on
11:21
OK, you get this thing like, OK, Plugable whatever something is connected, and then what do you want to do? Don't connect, connect once, connect always, whatever. But yeah, that's not what we did, because, you know, our designers basically said that most people are just gonna click yes anyway, because you cannot make an informed decision on this, because as a normal person who doesn't even know what PCI Express lanes are,
11:47
what, you know, whatever, what do you, what? But you want to answer to this, right? If you go to a conference and you connect your, like, projector, you want the projector to work, and even if this was called "evil device"
12:00
but it makes the projector work, then you will just click OK, right, because you want the projector to work. So yeah, so how's the stack on Linux? Well, first of all you have the kernel. The kernel exposes in sysfs the, yeah, device tree, basically. It exposes
12:22
the host and all the devices that you connect to under sysfs, and then there's a small little tool that we wrote called bolt, which basically listens to uevents and then exposes the devices on D-Bus, and then you can
12:41
from the command line interact with the thing called boltctl, or via a GUI, by the GNOME Shell or GNOME Settings. And the idea was that other desktop environments could also use this daemon; I'm not sure if anyone actually integrated it yet. So, how does the kernel interface look? So the Thunderbolt controller gets exposed as two device nodes, actually. First as domains,
13:05
as the domain controller, and here you can actually read out the security level that was set in the BIOS, but you cannot influence it, you can just read it out. And then there's always one device that represents the host, which will always be authorized, but you can read the name of the computer and stuff.
13:22
And then any other device that is attached to the Thunderbolt bus will appear as a child of this device, and it has this node, this property, called authorized. And if you are in secure mode, it also has this property called key. And then you authorize the device by just
13:45
writing 1 into this file, and once you have done this the device will actually connect, the controller will connect the PCI tunnels and the device will work. This is irreversible. So once you connected the PCI tunnels, there's no way of going back,
14:01
so you cannot unconnect or unauthorize a device once it's authorized. And if you are in secure mode, so the more secure operation mode, what you can also do is you can imprint a key into the non-volatile memory of the device. And the first time you do this you just basically imprint this, and on any subsequent connect you can
14:25
write your version of the key into the property and then say to the kernel: please connect this device, but only if the key matches what we've previously written into the device. So this is basically an identity verification of the device.
14:43
But I have to say most laptops, actually all that I've ever had in my hands, ship in secure mode. So by default what you are in is user mode, so by default you don't get this key verification. By default you only get the, you know,
15:00
normal authentication. So I mean the device exposes a unique ID which we use to identify it, but if you were, you know, malicious, you could fake this device's unique ID, and then we would authorize your evil device if it has the same unique ID as something that you previously authorized.
15:23
Yes, so the bolt daemon is a very small system daemon. It is normally not running, it only gets activated on demand by systemd if we find you have Thunderbolt hardware. So if you don't have Thunderbolt hardware, nothing is running. And it has a D-Bus API to manage devices,
15:43
like for example authorize or, you know, enroll devices. We use polkit to secure the D-Bus API. We have a very simple database, which is basically file-based, where we store device names and device keys. Then we have,
16:01
recently I've added a D-Bus API also to force-power the Thunderbolt controller, because there's one hack in hardware. Because if the Thunderbolt hardware is in this BIOS assist mode, which is currently the default, you know, the hardware will just completely disappear and we won't even know that there's a Thunderbolt controller in the system. So we cannot find out which security level the Thunderbolt controller is in, which we sometimes need to know, or the firmware update
16:27
daemon needs to know what firmware version the Thunderbolt controller is having, so we need to somehow power the controller. And in most laptops there's a way to basically force-power the controller.
16:41
You just flip it on and then the BIOS will activate the Thunderbolt controller even though nothing is plugged in. And this is now exposed on D-Bus, because the kernel API is not reference-counted. So if I switch it on, and the bolt daemon switches it on and the firmware update daemon switches it on, and then I switch it off, but the firmware update daemon wasn't done yet,
17:02
then it's hanging, right? And that's exactly what happened a lot of times, so there's a bunch of bug reports about this. Anyway, now there's a daemon API to force-power the Thunderbolt controller. But the daemon itself doesn't do any policy decisions. So if you connect a new device, it will just show up on the bus,
17:23
but it won't be authorized by the daemon by itself, because bolt only provides the API, but it doesn't do any policy decisions. Yeah, this is the API, I skip over this. Yeah, that's the small command line tool boltctl, where you can see what is currently connected and you can manage it.
17:41
You can forget devices or enroll devices. Yeah, but the important thing is that we have, like, the Shell, for GNOME, the Shell is the policy maker. What that means is that it will listen to the device-added signal of the daemon and then, based on the current state of the session,
18:03
it will either authorize the device or not. And currently it means that if the user is logged in and the session is unlocked and the user is an admin, we will just automatically enroll your device and connect it. If the user is not an admin, you get a dialog box, or
18:22
if the session is locked you get a notification like this, you get, like, Thunderbolt device was connected but not authorized. And then, yeah, there's also a little cable snake icon here, because to connect the PCI lanes can actually take quite a bit.
18:41
It can take up to 20 seconds on some docks, because some cables are active cables, and then you need to authorize the cable before you authorize the dock. So it can take a while, so we had this little status indicator that actually something is happening. And then there's also a Settings plugin where you can see the devices that have been previously authorized, and, if you
19:04
connected it while you were locked, you can also authorize the device from there. We also do firmware updates, so you can update the firmware in your cables and in your docks. It's not a joke, sadly enough.
19:23
Yeah, there's also a sysfs interface for that. So you basically write your firmware into the non-active part, and then you write to another one called authenticate, and then we update the firmware, and this works, hopefully. And there's also, recently added into NetworkManager, host-to-host
19:45
networking, so if you have a Thunderbolt cable you can connect two computers and it will create a network between them, and then you can transfer files or something. And that is basically the end. There's one more thing, obviously, because, you know, for example, if you have a LUKS password set on your machine,
20:02
then you're in early boot, and in early boot a daemon doesn't run. So you cannot enter your LUKS password if your keyboard is attached to a dock. There is a new, so you need a very new kernel and a new firmware, then there is a new thing called boot ACL, where we can, from Linux, write
20:22
UUIDs into the BIOS and say to the firmware: please, this device of this UUID, please authorize it already on boot. So it works even in the BIOS, not only in early boot. But the problem is, as you can see, there is only the UUID, there is no key, so there is no key verification done. So this is basically only available in user mode.
20:43
So if you actually want to make sure that it is the dock that you initially authorized, then you can forget about this, and you would have to go back to typing in the password on your normal keyboard, not on your dock keyboard. And yeah, I'm currently looking into, I mean, this is my current work, but I'm also looking into
21:03
eGPU support. It should in theory work, but of course in reality it doesn't really. Like, last time I tried, nouveau and the Nvidia drivers were both crashing when I connected the dock with the eGPU in it. Intel supposedly, AMD supposedly, is a bit better, but I haven't tested this yet.
21:21
Yeah, and that's it. Yeah, if anyone is interested in helping out on this, you know, currently I'm the only one working on that stuff. So, yeah, and I'm gonna be done with it soon and then I'm gonna move on to something else. So if someone wants to help out, yeah. Anyway, thank you.
21:47
One minute, one question, two questions. One. Yeah. Ah.
22:01
Sorry, I just dropped in basically, so most likely missed it if you said it, but did you do any work or have any looks on pro audio hardware? That is also Thunderbolt-ready, because there is, but most likely it's not supported. Okay. Yeah, nope. That would be nice.
22:20
Write me an email. I see you. Okay, we'll do. Okay, thank you. I was just wondering, with these security keys, do you start generating them for every device regardless of whether secure mode is enabled, or do you only
22:41
do that when secure mode is enabled? Only if, yeah, so if the secure mode is not enabled there is no device file. So the sysfs key property is only there if secure mode is enabled. So
23:01
[mute] So if you set a key on your cable, and then you use it for another computer, does it then stop working? It depends on the device. So some devices support multiple keys, you know, but for example the eGPU dock, every time I boot to Windows and authorize it in Windows, I have to reauthorize it in Linux, because it can only hold one key. Oh, I see, you can, like, reset it.
23:25
Yeah, so it's not like, no, no, useless, no. No, you reset it. Okay. Yeah, it's still annoying though, because it's basically like, oh my god, this device has changed identity, because it can only hold one key. But whatever. All right.