Feature #5463

Support Thunderbolt 3 in a security-conscious way

Added by Tails 2013-07-18 07:41:27. Updated 2019-08-18 09:07:07.

Status: Rejected
Priority: Normal
Assignee: intrigeri
Category: Hardware support
Target version:
Start date:
Due date:
% Done: 100%
Feature Branch:
Type of work: Communicate
Blueprint:
Starter: 0
Affected tool:
Deliverable for:

Description

Debian Buster supports Thunderbolt in a nice and security-conscious way:

Let’s try to make it work in Tails.


Subtasks

Feature #5850: Research security implications of thunderbolt Resolved

100


Related issues

Related to Tails - Feature #5547: Deactivate PCMCIA, ExpressCard and FireWire if unused after 5 minutes Confirmed
Related to Tails - Bug #16749: Call for testing: feature/buster (May 2019 edition) Resolved 2019-05-24
Related to Tails - Bug #16755: Call for testing: feature/buster (June 2019 edition) Resolved 2019-06-18
Blocked by Tails - Bug #15857: Make feature/buster build Resolved 2018-08-29
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

History

#1 Updated by Tails 2013-07-18 10:35:34

#2 Updated by intrigeri 2013-07-19 01:54:51

  • Type of work set to Code

Type of work: Code

#3 Updated by BitingBird 2014-06-09 10:51:39

  • Subject changed from disable thunderbolt to Disable thunderbolt
  • Description updated
  • Starter set to No

#4 Updated by BitingBird 2014-06-09 10:52:11

  • Subject changed from Disable thunderbolt to Disable thunderbolt?

#5 Updated by intrigeri 2014-06-21 14:52:33

  • Subject changed from Disable thunderbolt? to Disable Thunderbolt?

#6 Updated by BitingBird 2015-01-02 23:25:00

  • related to Feature #5547: Deactivate PCMCIA, ExpressCard and FireWire if unused after 5 minutes added

#7 Updated by intrigeri 2017-03-20 10:29:41

Note that some laptop docking stations are connected over Thunderbolt.

#8 Updated by intrigeri 2018-02-23 13:47:18

  • Subject changed from Disable Thunderbolt? to Support Thunderbolt in a security-conscious way
  • Type of work changed from Code to Debian

The next GNOME release will support Thunderbolt in a nice and security-conscious way:

… but this requires the bolt system daemon which is not in Debian yet (RFP).

#9 Updated by intrigeri 2018-03-14 15:41:04

intrigeri wrote:
> The next GNOME release will support Thunderbolt in a nice and security-conscious way:

This is included in GNOME 3.28.

> … but this requires the bolt system daemon which is not in Debian yet (RFP).

Someone took ownership of that bug report and turned it into an ITP. Fingers crossed :)

#11 Updated by intrigeri 2018-08-18 07:09:15

  • Target version set to Tails_4.0
  • Type of work changed from Debian to Test

The bolt daemon is now in testing/sid :)

#12 Updated by intrigeri 2018-08-18 07:16:19

  • Description updated

muri, I see that you filed the ITP for bolt initially. Do you have access to a machine with Thunderbolt? If yes, could you please test how this works in GNOME on Debian testing, e.g. with a live system https://tails.boum.org/doc/first_steps/bug_reporting/#debian? If this works fine, the following step will be to test in Tails/Buster, I’ll provide a link to the relevant test ISO once we’re there.

#13 Updated by intrigeri 2018-08-18 07:16:41

  • Category set to Hardware support

#14 Updated by muri 2018-08-28 06:32:27

hi,

intrigeri wrote:
> muri, I see that you filed the ITP for bolt initially. Do you have access to a machine with Thunderbolt?

i did a little research:

> Description: system daemon to manage thunderbolt 3 devices
> Thunderbolt 3 features different security modes that require devices to be authorized before they can be used.

though i have an old macbook (from 2011 or 2013) with a thunderbolt/displayport port, thunderbolt 3 is much younger and uses a usb-c port.

wikipedia writes:
> Thunderbolt 3 was developed by Intel and uses USB-C connectors […] Support was added to Intel’s Skylake architecture chipsets, shipping during late 2015 into early 2016.

#15 Updated by intrigeri 2018-09-06 13:37:16

  • Assignee set to CyrilBrulebois
  • Type of work changed from Test to Communicate

Let’s send a call for testing on tails-testers@ (+ possibly Twitter) once we have a feature/buster ISO on https://nightly.tails.boum.org/build_Tails_ISO_feature-buster/lastSuccessful/archive/build-artifacts/ that boots and has bolt installed. hefee & kibi, please ensure bolt is installed on feature/buster: it seems to be merely recommended by gnome-shell so we probably need to explicitly add it to our packages list :)

#16 Updated by intrigeri 2018-09-06 13:37:31

  • blocked by Bug #15857: Make feature/buster build added

#17 Updated by intrigeri 2018-09-06 13:38:07

#18 Updated by intrigeri 2018-10-25 09:02:20

… and worst case, if that call for testing does not yield good enough feedback or if it shows that we need to test/debug things ourselves: I now have access to a computer with Thunderbolt 3 support (on USB-C ports); now, to test this, I would need a device that I can actually plug in there so let’s hope we don’t have to go this way.

#19 Updated by CyrilBrulebois 2018-12-30 14:59:48

#20 Updated by CyrilBrulebois 2018-12-30 14:59:54

  • blocked by deleted (Feature #15506: Core work 2018Q4: Foundations Team)

#21 Updated by CyrilBrulebois 2018-12-30 15:04:24

  • related to deleted (Feature #15507: Core work 2019Q1: Foundations Team)

#22 Updated by CyrilBrulebois 2018-12-30 15:04:28

#23 Updated by intrigeri 2019-02-06 14:14:43

#24 Updated by intrigeri 2019-02-06 14:14:46

  • blocked by deleted (Feature #15507: Core work 2019Q1: Foundations Team)

#25 Updated by intrigeri 2019-04-02 15:33:11

#26 Updated by intrigeri 2019-04-02 15:33:31

  • Assignee deleted (CyrilBrulebois)
  • Target version deleted (Tails_4.0)

#27 Updated by intrigeri 2019-04-02 15:34:52

  • Target version set to Tails_4.0

Blocker for 4.0 is: make sure there’s no regression. Bonus points if we ship bolt.

#28 Updated by CyrilBrulebois 2019-04-03 09:38:50

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|a101de8c00f5ac8069e5efb258610d33fc8fd6d3.

#29 Updated by CyrilBrulebois 2019-04-03 09:40:42

  • Status changed from In Progress to Confirmed
  • Assignee set to segfault

I’ve just pushed a commit to feature/buster to make sure we install the bolt daemon.

@segfault: assigning it to you as you mentioned you could get your hands on a Thunderbolt device. If that doesn’t work out, I guess we’ll send a call for testing.

#30 Updated by CyrilBrulebois 2019-04-03 09:41:04

  • Status changed from Confirmed to In Progress


#31 Updated by intrigeri 2019-04-03 10:19:29

  • QA Check set to Ready for QA

Great :)

#32 Updated by segfault 2019-04-19 15:41:21

  • Assignee deleted (segfault)

Unfortunately I don’t have access to a Thunderbolt device :(

#33 Updated by intrigeri 2019-05-23 15:12:12

  • QA Check deleted (Ready for QA)

Next step: send a call for testing about this. IMO we should include it in a call for testing at the end of the ongoing sprint, along with Feature #14991 and possibly Feature #14580.

#34 Updated by intrigeri 2019-05-23 15:14:42

  • related to Bug #16749: Call for testing: feature/buster (May 2019 edition) added

#35 Updated by intrigeri 2019-05-24 09:56:48

  • related to Bug #16755: Call for testing: feature/buster (June 2019 edition) added

#36 Updated by intrigeri 2019-05-24 09:58:03

  • Assignee set to intrigeri

Included in my draft for Bug #16749, will triage the feedback.

#37 Updated by intrigeri 2019-06-18 16:57:48

  • Status changed from In Progress to Confirmed

#38 Updated by intrigeri 2019-07-06 17:44:16

#39 Updated by intrigeri 2019-07-06 17:47:14

  • Status changed from Confirmed to Rejected

I’ve explicitly asked for test results in our last 2 calls for testing of feature/buster and got no feedback. I don’t think this is worth purchasing hardware specifically to test this. So I’m giving up for now. We’ll see what happens once 4.0 is out and users try using Thunderbolt devices.

Dear help desk, if you find this ticket by searching our Redmine: in theory, on Tails 4.0, Thunderbolt devices should be nicely supported, with a GUI that looks like what’s shown in the URLs in the ticket description. If this does not work, please reopen this ticket and provide debugging info :)

#40 Updated by intrigeri 2019-08-18 09:07:07

  • Subject changed from Support Thunderbolt in a security-conscious way to Support Thunderbolt 3 in a security-conscious way

One failure report on 4.0~beta1: https://lists.autistici.org/message/20190811.040316.a1cbd602.en.html (but I think that laptop does not support Thunderbolt 3 so it’s expected it does not work).