diff options
author | Mika Westerberg <mika.westerberg@linux.intel.com> | 2017-06-06 15:25:16 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-06-09 11:42:43 +0200 |
commit | f67cf491175a315ca86c9b349708bfed7b1f40c1 (patch) | |
tree | 7b9b16deadbf5941b14cc16086eababa2dc70523 /drivers/thunderbolt/Kconfig | |
parent | bdccf295d7cdf6f28ceec1dcc31a79d0a1697d21 (diff) |
thunderbolt: Add support for Internal Connection Manager (ICM)
Starting from Intel Falcon Ridge the internal connection manager running
on the Thunderbolt host controller has been supporting 4 security
levels. One reason for this is to prevent DMA attacks and only allow
connecting devices the user trusts.
The internal connection manager (ICM) is the preferred way of connecting
Thunderbolt devices over software only implementation typically used on
Macs. The driver communicates with ICM using special Thunderbolt ring 0
(control channel) messages. In order to handle these messages we add
support for the ICM messages to the control channel.
The security levels are as follows:
none - No security, all tunnels are created automatically
user - User needs to approve the device before tunnels are created
secure - User need to approve the device before tunnels are created.
The device is sent a challenge on future connects to be able
to verify it is actually the approved device.
dponly - Only Display Port and USB tunnels can be created and those
are created automatically.
The security levels are typically configurable from the system BIOS and
by default it is set to "user" on many systems.
In this patch each Thunderbolt device will have either one or two new
sysfs attributes: authorized and key. The latter appears for devices
that support secure connect.
In order to identify the device the user can read identication
information, including UUID and name of the device from sysfs and based
on that make a decision to authorize the device. The device is
authorized by simply writing 1 to the "authorized" sysfs attribute. This
is following the USB bus device authorization mechanism. The secure
connect requires an additional challenge step (writing 2 to the
"authorized" attribute) in future connects when the key has already been
stored to the NVM of the device.
Non-ICM systems (before Alpine Ridge) continue to use the existing
functionality and the security level is set to none. For systems with
Alpine Ridge, even on Apple hardware, we will use ICM.
This code is based on the work done by Amir Levy and Michael Jamet.
Signed-off-by: Michael Jamet <michael.jamet@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Yehezkel Bernat <yehezkel.bernat@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Andreas Noever <andreas.noever@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/thunderbolt/Kconfig')
-rw-r--r-- | drivers/thunderbolt/Kconfig | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/drivers/thunderbolt/Kconfig b/drivers/thunderbolt/Kconfig index d35db16aa43f..a9cc724985ad 100644 --- a/drivers/thunderbolt/Kconfig +++ b/drivers/thunderbolt/Kconfig @@ -1,15 +1,15 @@ menuconfig THUNDERBOLT - tristate "Thunderbolt support for Apple devices" + tristate "Thunderbolt support" depends on PCI depends on X86 || COMPILE_TEST select APPLE_PROPERTIES if EFI_STUB && X86 select CRC32 + select CRYPTO + select CRYPTO_HASH help - Cactus Ridge Thunderbolt Controller driver - This driver is required if you want to hotplug Thunderbolt devices on - Apple hardware. - - Device chaining is currently not supported. + Thunderbolt Controller driver. This driver is required if you + want to hotplug Thunderbolt devices on Apple hardware or on PCs + with Intel Falcon Ridge or newer. To compile this driver a module, choose M here. The module will be called thunderbolt. |