F28 Self Contained Change: Thunderbolt Enablement

= Proposed Self Contained Change: Thunderbolt Enablement =
https://fedoraproject.org/wiki/Changes/ThunderboltEnablement

Change owner(s):
* Christian Kellner <ckellner AT redhat DOT com>

Support Thunderbolt 3 peripheral hardware in a secure way out of the box.


== Detailed Description ==
Thunderbolt™ is the brand name of a hardware interface developed by
Intel® that allows the connection of external peripherals to a
computer.

Devices connected via Thunderbolt can be DMA masters and thus read
system memory without interference of the operating system (or even
the CPU). Version 3 of the interface provides 4 different security
levels, in order to mitigate the aforementioned security risk that
connected devices pose to the system. The security level is set by the
system firmware.

The four security levels are:
* none: Security disabled, all devices will be fully functional on connect.
* dponly: Only pass the display-port stream through to the connected device.
* user: Connected devices need to be manually authorized by the user.
* secure: As 'user', but also challenge the device with a secret key
to verify its identity.

The Linux kernel, starting with version 4.13, provides an interface
via sysfs that enables userspace to query the security level, the
status of connected devices and, most importantly, to authorize
devices, if the security level demands it.

The active security level can normally be selected prior to boot via a
BIOS option, but it is interesting to note that in the future the none
option is likely to go away. This of course means connected
thunderbolt devices won't work at all unless they are authorized by the
user from within the running operating system.

The solution to automatically enable thunderbolt 3 devices to work
with Fedora without compromising the security of the computer consists
of two user space components: a system daemon (boltd) and a component
in GNOME shell. For new devices the shell will automatically enroll (=
authorize and store in the database) new devices via the daemon if
(and only if) the current user is a system administrator and the
session is unlocked. On subsequent connections of the same device the
daemon will then automatically authorize the device.



== Scope ==
* Proposal owners:
Stabilize bolt and integrate the current GNOME Shell extension
proof-of-concept into GNOME Shell upstream.

* Other developers:
Nothing

* Release engineering:
#7238: https://pagure.io/releng/issue/7238

* List of deliverables:
N/A (not a System Wide Change)

* Policies and guidelines:
N/A (not a System Wide Change)

* Trademark approval:
N/A (not needed for this Change)
-- 
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
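As an added illustration, not part of the proposal or of the bolt project, the following script reads the kernel sysfs interface the description refers to the same way a userspace daemon would: the domain's security level and each connected device's authorization state, flagging a level that does not gate devices and any device that is connected but not authorized. The attribute names (security, authorized, device_name, unique_id) are taken from the kernel's Thunderbolt sysfs ABI and are an assumption here; build_sample_sysfs constructs a stand-in tree so the audit runs without Thunderbolt hardware.

```python
import os
import tempfile

SYSFS_TB = "/sys/bus/thunderbolt/devices"   # real path on a Linux host
SAFE_LEVELS = {"user", "secure"}            # levels that require device authorization


def _attr(dev_path, attr, default=None):
    """Read one sysfs attribute; return default if the kernel does not expose it."""
    try:
        with open(os.path.join(dev_path, attr)) as fh:
            return fh.read().strip()
    except OSError:
        return default


def audit_thunderbolt(root=SYSFS_TB):
    """Report per-domain security level, connected devices and findings."""
    report = {"domains": {}, "devices": [], "findings": []}
    for name in (sorted(os.listdir(root)) if os.path.isdir(root) else []):
        path = os.path.join(root, name)
        if name.startswith("domain"):          # domainN/security: none|dponly|user|secure
            level = _attr(path, "security", "unknown")
            report["domains"][name] = level
            if level not in SAFE_LEVELS:
                report["findings"].append(f"{name}: level '{level}' does not gate DMA on authorization")
        elif not name.endswith("-0") and _attr(path, "authorized") is not None:  # skip host router N-0
            dev = {"id": name, "name": _attr(path, "device_name", "?"),
                   "uuid": _attr(path, "unique_id", "?"),
                   "authorized": int(_attr(path, "authorized"))}  # 0 blocked, 1 authorized, 2 key-verified
            report["devices"].append(dev)
            if dev["authorized"] == 0:
                report["findings"].append(f"{name} ({dev['name']}): connected but not authorized")
    return report


def build_sample_sysfs(level="user"):
    """Constructed stand-in for the sysfs tree (sample data, not a real host)."""
    root = tempfile.mkdtemp()
    files = {"domain0/security": level, "0-0/device_name": "Host controller",
             "0-1/authorized": "1", "0-1/device_name": "Dock", "0-1/unique_id": "sample-uuid-1",
             "0-3/authorized": "0", "0-3/device_name": "Unknown eGPU", "0-3/unique_id": "sample-uuid-3"}
    for rel, value in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(value + "\n")
    return root
```

Call audit_thunderbolt() with no argument on a real host, or audit_thunderbolt(build_sample_sysfs("none")) to see how a "none" level is reported.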