Thunderbolt
Thunderbolt 3 works out of the box with recent Linux kernel versions [1]. The Linux kernel, starting with version 4.13, supports Thunderbolt Security, too.
Obtain firmware updates
Manufacturers often release firmware updates that Thunderbolt ports and devices need to function properly. Visit https://thunderbolttechnology.net/updates for more details on how to obtain upgrades for certain vendors.
User device authorization
Modern Thunderbolt devices implement security modes that require user authorization when connecting devices - this is to protect from malicious devices performing DMA attacks or otherwise interfering with the hardware (see Thunderstrike 2).
The modes currently supported on Linux are:
- none: No security, all devices are connected and initialized by default. In BIOS settings this is typically called Legacy mode.
- user: User authorization is required every time a device is connected. In BIOS settings this is typically called Unique ID.
- secure: User authorization is required, but the device is then remembered and does not require re-authorization. In BIOS settings this is typically called One time saved key.
- dponly: DisplayPort functionality only, no other devices are allowed. In BIOS settings this is typically called Display Port Only.
The security level is normally configured at firmware level; it is recommended to set it to at least secure.
Graphical front-ends
- GNOME has native support for authorizing devices from the UI since version 3.30
- Plasma integration is available from this git repository and from the plasma-thunderbolt package
Automatically connect any device
Users who just want to connect any device without any sort of manual work can create a udev rule as in 99-removable.rules, which authorizes every Thunderbolt device as soon as it is added, without asking the user:
/etc/udev/rules.d/99-removable.rules
ACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"
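A read-only check of the security level and the auto-authorization rule described above, as an added example that is not part of the original page: it reports each domain's security level, lists devices with their authorized state, and flags udev rules that authorize devices automatically. It reads the kernel's Thunderbolt sysfs attributes (domainN/security, per-device authorized and device_name); the function name tb_audit and its two optional path arguments are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): audit Thunderbolt security state.
# tb_audit [sysfs_root] [udev_rules_dir]
#   Both arguments are assumptions of this example; they default to the live
#   system and exist so the check can be run against a constructed tree.
# Prints one line per finding and returns 1 if anything weaker than the
# recommended "secure" level, or an auto-authorizing udev rule, was found.
tb_audit() {
    sysfs=${1:-/sys}
    rules=${2:-/etc/udev/rules.d}
    weak=0

    # Security level of every Thunderbolt domain (controller).
    for dom in "$sysfs"/bus/thunderbolt/devices/domain*; do
        [ -r "$dom/security" ] || continue
        level=$(cat "$dom/security")
        case $level in
            # Below the recommended minimum of "secure".
            none|user) echo "WEAK ${dom##*/}: security=$level"; weak=1 ;;
            # secure, dponly, or a level this page does not list: report only.
            *) echo "OK   ${dom##*/}: security=$level" ;;
        esac
    done

    # Authorization state of every device that exposes the attribute.
    for dev in "$sysfs"/bus/thunderbolt/devices/*; do
        [ -r "$dev/authorized" ] || continue
        name=$(cat "$dev/device_name" 2>/dev/null || echo unknown)
        echo "DEV  ${dev##*/}: authorized=$(cat "$dev/authorized") name=$name"
    done

    # Uncommented rules that assign ATTR{authorized}="1" (single "=" is an
    # assignment; the "==" comparison form does not match this fixed string).
    for f in "$rules"/*.rules; do
        [ -r "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" \
            | grep -F 'SUBSYSTEM=="thunderbolt"' \
            | grep -qF 'ATTR{authorized}="1"'; then
            echo "WEAK ${f##*/}: udev rule authorizes devices automatically"
            weak=1
        fi
    done
    return "$weak"
}
# Usage on a live system: source this file, then run: tb_audit
```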
Forcing power
Many OEMs include a method that can be used to force the power of a Thunderbolt controller to an On state. If supported by the machine this will be exposed by the WMI bus with a sysfs attribute called force_power [2].
Forcing power may be especially useful when a connected device loses connection or the controller switches itself off.
To force the power to be on/off, write 1 or 0 to this attribute, e.g. to force power on:
# echo 1 > /sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341/force_power
force_power state.
Troubleshooting
PCI buses are not registered
Sometimes when connecting a Thunderbolt device, PCI buses might not be registered. This shows up as screens working while USB devices fail to register on your computer. This can be solved by issuing a PCI rescan:
# echo 1 > /sys/bus/pci/rescan