Feature #5463

Feature #5451: Protect against external bus exploitation

Support Thunderbolt 3 in a security-conscious way

Added by Tails over 6 years ago. Updated 3 months ago.

Status: Rejected
Priority: Normal
Assignee:
Category: Hardware support
Target version:
Start date:
Due date:
% Done: 100%
Feature Branch:
Type of work: Communicate
Blueprint:
Starter: No
Affected tool:

Description

Debian Buster supports Thunderbolt in a nice and security-conscious way:

Let's try to make it work in Tails.


Subtasks

Feature #5850: Research security implications of thunderbolt (Resolved)


Related issues

Related to Tails - Feature #5547: Deactivate PCMCIA, ExpressCard and FireWire if unused after 5 minutes Confirmed
Related to Tails - Bug #16749: Call for testing: feature/buster (May 2019 edition) Resolved 05/24/2019
Related to Tails - Bug #16755: Call for testing: feature/buster (June 2019 edition) Resolved 06/18/2019
Blocked by Tails - Bug #15857: Make feature/buster build Resolved 08/29/2018
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

Associated revisions

Revision a101de8c (diff)
Added by CyrilBrulebois 8 months ago

Add bolt to tails-common.list, needed for improved Thunderbolt support (refs: #5463).

gnome-shell only recommends this daemon, so let's add it explicitly to
make sure it ends up in our image.

History

#1 Updated by Tails over 6 years ago

  • Parent task set to #5451

#2 Updated by intrigeri over 6 years ago

  • Type of work set to Code

#3 Updated by BitingBird over 5 years ago

  • Subject changed from disable thunderbolt to Disable thunderbolt
  • Description updated (diff)
  • Starter set to No

#4 Updated by BitingBird over 5 years ago

  • Subject changed from Disable thunderbolt to Disable thunderbolt?

#5 Updated by intrigeri over 5 years ago

  • Subject changed from Disable thunderbolt? to Disable Thunderbolt?

#6 Updated by BitingBird almost 5 years ago

  • Related to Feature #5547: Deactivate PCMCIA, ExpressCard and FireWire if unused after 5 minutes added

#7 Updated by intrigeri over 2 years ago

Note that some laptop docking stations are connected over Thunderbolt.

#8 Updated by intrigeri over 1 year ago

  • Subject changed from Disable Thunderbolt? to Support Thunderbolt in a security-conscious way
  • Type of work changed from Code to Debian

The next GNOME release will support Thunderbolt in a nice and security-conscious way:

… but this requires the bolt system daemon which is not in Debian yet (RFP).

#9 Updated by intrigeri over 1 year ago

intrigeri wrote:

The next GNOME release will support Thunderbolt in a nice and security-conscious way:

This is included in GNOME 3.28.

… but this requires the bolt system daemon which is not in Debian yet (RFP).

Someone took ownership of that bug report and turned it into an ITP. Fingers crossed :)

#11 Updated by intrigeri about 1 year ago

  • Target version set to Tails_4.0
  • Type of work changed from Debian to Test

The bolt daemon is now in testing/sid :)

#12 Updated by intrigeri about 1 year ago

  • Description updated (diff)

muri, I see that you filed the ITP for bolt initially. Do you have access to a machine with Thunderbolt? If yes, could you please test how this works in GNOME on Debian testing, e.g. with a live system https://tails.boum.org/doc/first_steps/bug_reporting/#debian? If this works fine, the following step will be to test in Tails/Buster, I'll provide a link to the relevant test ISO once we're there.

#13 Updated by intrigeri about 1 year ago

  • Category set to Hardware support

#14 Updated by muri about 1 year ago

hi,

intrigeri wrote:

muri, I see that you filed the ITP for bolt initially. Do you have access to a machine with Thunderbolt?

i did a little research:

Description: system daemon to manage thunderbolt 3 devices
Thunderbolt 3 features different security modes that require devices to be authorized before they can be used.

though i have an old macbook (from 2011 or 2013) with a thunderbolt/displayport port, thunderbolt 3 is much younger and uses a USB-C port.

wikipedia writes:

Thunderbolt 3 was developed by Intel and uses USB-C connectors [...] Support was added to Intel's Skylake architecture chipsets, shipping during late 2015 into early 2016.
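The security modes mentioned in the bolt package description are exposed by the Linux kernel through sysfs. As an added example (not part of this ticket, of bolt or of Tails), the check below reports the security level of each Thunderbolt domain and the authorization state of each attached device; the attribute names (domainN/security, <device>/authorized, device_name) are assumed from the kernel's Thunderbolt admin guide, and the sysfs root is a parameter so the audit can be exercised on a constructed directory.

```shell
#!/bin/sh
# Added example, not from the ticket or from bolt: audit the Thunderbolt
# security posture the Linux kernel exposes under /sys/bus/thunderbolt/devices.
# Attribute names are assumed from the kernel's admin-guide/thunderbolt
# documentation; the root directory is overridable for offline testing.

tb_security_level() {
    # $1: a domainN directory. Prints its security level or "unknown".
    # none   - every device is authorized automatically (no protection)
    # user   - devices must be authorized by the user (e.g. via bolt)
    # secure - as "user", plus a per-device key challenge on reconnect
    # dponly - only DisplayPort tunnels are created, no PCIe
    level=unknown
    [ -r "$1/security" ] && { IFS= read -r level < "$1/security" || :; }
    printf '%s\n' "${level:-unknown}"
}

tb_describe_authorized() {
    # $1: raw "authorized" value read from a device directory.
    case "$1" in
        0) printf 'blocked, awaiting user/bolt authorization' ;;
        1) printf 'authorized' ;;
        2) printf 'authorized, key verified' ;;
        *) printf 'n/a' ;;
    esac
}

tb_audit() {
    # $1: sysfs root (default: the live one). Prints one line per domain and
    # per device; returns 1 if any domain runs at security level "none".
    root="${1:-/sys/bus/thunderbolt/devices}"
    status=0
    for dom in "$root"/domain*; do
        [ -d "$dom" ] || continue
        level=$(tb_security_level "$dom")
        printf '%s security=%s\n' "$(basename "$dom")" "$level"
        [ "$level" = none ] && status=1
    done
    for dev in "$root"/*-*; do
        # Routers (host and attached devices) carry a device_name attribute.
        [ -f "$dev/device_name" ] || continue
        IFS= read -r name < "$dev/device_name" || :
        auth=-
        [ -r "$dev/authorized" ] && { IFS= read -r auth < "$dev/authorized" || :; }
        printf '%s "%s" authorized=%s (%s)\n' "$(basename "$dev")" "$name" \
            "$auth" "$(tb_describe_authorized "$auth")"
    done
    return "$status"
}
```

Run `tb_audit` with no argument on a real machine; a non-zero exit marks a domain whose devices are accepted without any authorization step.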

#15 Updated by intrigeri about 1 year ago

  • Assignee set to CyrilBrulebois
  • Type of work changed from Test to Communicate

Let's send a call for testing on tails-testers@ (+ possibly Twitter) once we have a feature/buster ISO on https://nightly.tails.boum.org/build_Tails_ISO_feature-buster/lastSuccessful/archive/build-artifacts/ that boots and has bolt installed. hefee & kibi, please ensure bolt is installed on feature/buster: it seems to be merely recommended by gnome-shell so we probably need to explicitly add it to our packages list :)

#16 Updated by intrigeri about 1 year ago

  • Blocked by Bug #15857: Make feature/buster build added

#17 Updated by intrigeri about 1 year ago

#18 Updated by intrigeri about 1 year ago

… and worst case, if that call for testing does not yield good enough feedback or if it shows that we need to test/debug things ourselves: I now have access to a computer with Thunderbolt 3 support (on USB-C ports); now, to test this, I would need a device that I can actually plug in there so let's hope we don't have to go this way.

#19 Updated by CyrilBrulebois 11 months ago

#20 Updated by CyrilBrulebois 11 months ago

#21 Updated by CyrilBrulebois 11 months ago

  • Related to deleted (Feature #15507: Core work 2019Q1: Foundations Team)

#22 Updated by CyrilBrulebois 11 months ago

#23 Updated by intrigeri 9 months ago

#24 Updated by intrigeri 9 months ago

#25 Updated by intrigeri 8 months ago

#26 Updated by intrigeri 8 months ago

  • Assignee deleted (CyrilBrulebois)
  • Target version deleted (Tails_4.0)

#27 Updated by intrigeri 8 months ago

  • Target version set to Tails_4.0

Blocker for 4.0 is: make sure there's no regression. Bonus points if we ship bolt.

#28 Updated by CyrilBrulebois 8 months ago

  • Status changed from Confirmed to In Progress

#29 Updated by CyrilBrulebois 8 months ago

  • Status changed from In Progress to Confirmed
  • Assignee set to segfault

I've just pushed a commit to feature/buster to make sure we install the bolt daemon.

@segfault: assigning it to you as you mentioned you could get your hands on a Thunderbolt device. If that doesn't work out, I guess we'll send a call for testing.

#30 Updated by CyrilBrulebois 8 months ago

  • Status changed from Confirmed to In Progress

#31 Updated by intrigeri 8 months ago

  • QA Check set to Ready for QA

Great :)

#32 Updated by segfault 7 months ago

  • Assignee deleted (segfault)

Unfortunately I don't have access to a Thunderbolt device :(

#33 Updated by intrigeri 6 months ago

  • QA Check deleted (Ready for QA)

Next step: send a call for testing about this. IMO we should include it in a call for testing at the end of the ongoing sprint, along with #14991 and possibly #14580.

#34 Updated by intrigeri 6 months ago

  • Related to Bug #16749: Call for testing: feature/buster (May 2019 edition) added

#35 Updated by intrigeri 6 months ago

  • Related to Bug #16755: Call for testing: feature/buster (June 2019 edition) added

#36 Updated by intrigeri 6 months ago

  • Assignee set to intrigeri

Included in my draft for #16749, will triage the feedback.

#37 Updated by intrigeri 5 months ago

  • Status changed from In Progress to Confirmed

#38 Updated by intrigeri 4 months ago

#39 Updated by intrigeri 4 months ago

  • Status changed from Confirmed to Rejected

I've explicitly asked for test results in our last 2 calls for testing of feature/buster and got no feedback. I don't think this is worth purchasing hardware specifically to test this. So I'm giving up for now. We'll see what happens once 4.0 is out and users try using Thunderbolt devices.

Dear help desk, if you find this ticket by searching our Redmine: in theory, on Tails 4.0, Thunderbolt devices should be nicely supported, with a GUI that looks like what's shown in the URLs in the ticket description. If this does not work, please reopen this ticket and provide debugging info :)

#40 Updated by intrigeri 3 months ago

  • Subject changed from Support Thunderbolt in a security-conscious way to Support Thunderbolt 3 in a security-conscious way

One failure report on 4.0~beta1: https://lists.autistici.org/message/20190811.040316.a1cbd602.en.html (but I think that laptop does not support Thunderbolt 3 so it's expected it does not work).
