Feature #5463

Feature #5451: Protect against external bus exploitation

Support Thunderbolt in a security-conscious way

Added by Tails almost 6 years ago. Updated 30 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
-
Category:
Hardware support
Target version:
Start date:
Due date:
% Done:

100%

QA Check:
Ready for QA
Feature Branch:
Type of work:
Communicate
Blueprint:
Starter:
No
Affected tool:

Description

Debian Buster supports Thunderbolt in a nice and security-conscious way:

Let's try to make it work in Tails.


Subtasks

Feature #5850: Research security implications of thunderbolt Resolved


Related issues

Related to Tails - Feature #5547: Deactivate PCMCIA, ExpressCard and FireWire if unused after 5 minutes Confirmed
Blocked by Tails - Bug #15857: Make feature/buster build Resolved 08/29/2018
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed 03/22/2019
Blocked by Tails - Feature #15944: Port Tails to Buster In Progress 09/12/2018

Associated revisions

Revision a101de8c (diff)
Added by CyrilBrulebois about 2 months ago

Add bolt to tails-common.list, needed for improved Thunderbolt support (refs: #5463).

gnome-shell only recommends this daemon, so let's add it explicitly to
make sure it ends up in our image.

History

#1 Updated by Tails almost 6 years ago

  • Parent task set to #5451

#2 Updated by intrigeri almost 6 years ago

  • Type of work set to Code

Type of work: Code

#3 Updated by BitingBird almost 5 years ago

  • Subject changed from disable thunderbolt to Disable thunderbolt
  • Description updated (diff)
  • Starter set to No

#4 Updated by BitingBird almost 5 years ago

  • Subject changed from Disable thunderbolt to Disable thunderbolt?

#5 Updated by intrigeri almost 5 years ago

  • Subject changed from Disable thunderbolt? to Disable Thunderbolt?

#6 Updated by BitingBird over 4 years ago

  • Related to Feature #5547: Deactivate PCMCIA, ExpressCard and FireWire if unused after 5 minutes added

#7 Updated by intrigeri about 2 years ago

Note that some laptop docking stations are connected over Thunderbolt.

#8 Updated by intrigeri about 1 year ago

  • Subject changed from Disable Thunderbolt? to Support Thunderbolt in a security-conscious way
  • Type of work changed from Code to Debian

The next GNOME release will support Thunderbolt in a nice and security-conscious way:

… but this requires the bolt system daemon which is not in Debian yet (RFP).

#9 Updated by intrigeri about 1 year ago

intrigeri wrote:

The next GNOME release will support Thunderbolt in a nice and security-conscious way:

This is included in GNOME 3.28.

… but this requires the bolt system daemon which is not in Debian yet (RFP).

Someone took ownership of that bug report and turned it into an ITP. Fingers crossed :)

#11 Updated by intrigeri 9 months ago

  • Target version set to Tails_4.0
  • Type of work changed from Debian to Test

The bolt daemon is now in testing/sid :)

#12 Updated by intrigeri 9 months ago

  • Description updated (diff)

muri, I see that you filed the ITP for bolt initially. Do you have access to a machine with Thunderbolt? If yes, could you please test how this works in GNOME on Debian testing, e.g. with a live system https://tails.boum.org/doc/first_steps/bug_reporting/#debian? If this works fine, the following step will be to test in Tails/Buster, I'll provide a link to the relevant test ISO once we're there.

#13 Updated by intrigeri 9 months ago

  • Category set to Hardware support

#14 Updated by muri 9 months ago

hi,

intrigeri wrote:

muri, I see that you filed the ITP for bolt initially. Do you have access to a machine with Thunderbolt?

i did a little research:

Description: system daemon to manage thunderbolt 3 devices
Thunderbolt 3 features different security modes that require devices to be authorized before they can be used.

though i have an old macbook (from 2011 or 2013) with a thunderbolt/displayport port, thunderbolt 3 is much younger and uses a usb-c port.

wikipedia writes:

Thunderbolt 3 was developed by Intel and uses USB-C connectors [...] Support was added to Intel's Skylake architecture chipsets, shipping during late 2015 into early 2016.
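
Added example, not part of the original thread and not code from Tails or bolt: a small audit of the security modes and per-device authorization mentioned in the package description above. It assumes the Linux kernel's Thunderbolt sysfs layout (domainN/security and a per-device authorized attribute under /sys/bus/thunderbolt/devices), which this page does not show; the sample tree it builds is constructed so the script runs without Thunderbolt hardware.

```python
import os
import tempfile

# Values of a device's "authorized" attribute in the kernel's sysfs interface.
AUTH_STATE = {"0": "not authorized", "1": "authorized",
              "2": "authorized (key verified)"}

def _read(path):
    with open(path) as fh:
        return fh.read().strip()

def audit(sysfs_root="/sys/bus/thunderbolt/devices"):
    """Return (domains, devices, findings) for the Thunderbolt bus."""
    domains, devices, findings = {}, [], []
    if not os.path.isdir(sysfs_root):
        return domains, devices, ["no Thunderbolt bus found"]
    for entry in sorted(os.listdir(sysfs_root)):
        base = os.path.join(sysfs_root, entry)
        sec = os.path.join(base, "security")
        auth = os.path.join(base, "authorized")
        if os.path.isfile(sec):
            # A domain (controller): record its firmware security level.
            level = _read(sec)
            domains[entry] = level
            if level == "none":
                findings.append(
                    f"{entry}: security level 'none', devices are "
                    "connected without authorization")
        elif os.path.isfile(auth):
            # A device on the bus: translate its authorization state.
            state = _read(auth)
            devices.append((entry, AUTH_STATE.get(state, "unknown: " + state)))
    return domains, devices, findings

def build_sample(root, level, auth_values):
    """Constructed sysfs-like tree for offline runs (not real hardware data)."""
    os.makedirs(os.path.join(root, "domain0"))
    with open(os.path.join(root, "domain0", "security"), "w") as fh:
        fh.write(level + "\n")
    for name, value in auth_values.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "authorized"), "w") as fh:
            fh.write(value + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "user", {"0-0": "1", "0-1": "0"})
        print(audit(tmp))
```

On a machine with a Thunderbolt controller, calling audit() with no argument reads the real bus instead of the constructed tree.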

#15 Updated by intrigeri 8 months ago

  • Assignee set to CyrilBrulebois
  • Type of work changed from Test to Communicate

Let's send a call for testing on tails-testers@ (+ possibly Twitter) once we have a feature/buster ISO on https://nightly.tails.boum.org/build_Tails_ISO_feature-buster/lastSuccessful/archive/build-artifacts/ that boots and has bolt installed. hefee & kibi, please ensure bolt is installed on feature/buster: it seems to be merely recommended by gnome-shell so we probably need to explicitly add it to our packages list :)

#16 Updated by intrigeri 8 months ago

  • Blocked by Bug #15857: Make feature/buster build added

#17 Updated by intrigeri 8 months ago

#18 Updated by intrigeri 7 months ago

… and worst case, if that call for testing does not yield good enough feedback or if it shows that we need to test/debug things ourselves: I now have access to a computer with Thunderbolt 3 support (on USB-C ports); now, to test this, I would need a device that I can actually plug in there so let's hope we don't have to go this way.

#19 Updated by CyrilBrulebois 5 months ago

#20 Updated by CyrilBrulebois 5 months ago

#21 Updated by CyrilBrulebois 5 months ago

  • Related to deleted (Feature #15507: Core work 2019Q1: Foundations Team)

#22 Updated by CyrilBrulebois 5 months ago

#23 Updated by intrigeri 3 months ago

#24 Updated by intrigeri 3 months ago

#25 Updated by intrigeri about 2 months ago

#26 Updated by intrigeri about 2 months ago

  • Assignee deleted (CyrilBrulebois)
  • Target version deleted (Tails_4.0)

#27 Updated by intrigeri about 2 months ago

  • Target version set to Tails_4.0

Blocker for 4.0 is: make sure there's no regression. Bonus points if we ship bolt.

#28 Updated by CyrilBrulebois about 2 months ago

  • Status changed from Confirmed to In Progress

#29 Updated by CyrilBrulebois about 2 months ago

  • Status changed from In Progress to Confirmed
  • Assignee set to segfault

I've just pushed a commit to feature/buster to make sure we install the bolt daemon.

@segfault: assigning it to you as you mentioned you could get your hands on a Thunderbolt device. If that doesn't work out, I guess we'll send a call for testing.

#30 Updated by CyrilBrulebois about 2 months ago

  • Status changed from Confirmed to In Progress

I've just pushed a commit to feature/buster to make sure we install the bolt daemon.

@segfault: assigning it to you as you mentioned you could get your hands on a Thunderbolt device. If that doesn't work out, I guess we'll send a call for testing.

#31 Updated by intrigeri about 2 months ago

  • QA Check set to Ready for QA

Great :)

#32 Updated by segfault 30 days ago

  • Assignee deleted (segfault)

Unfortunately I don't have access to a Thunderbolt device :(
