Right, so I'm just going to dive into it and then we can be done with this quickly. So what is Thunderbolt anyway? According to Intel it is "the USB-C that does it all", which hints at a few things: first of all, that it is an I/O technology; that it's fast, maybe; and that it uses the USB-C connector. And then it might be a bit confusing, because, you know, it's Thunderbolt technology, but it's "the USB-C that does it all". But we'll get to that.

It was first introduced in 2009 as Light Peak and first shipped in a MacBook Pro in 2011. It was initially based on fiber optics, sending the signal over the wire as light signals, but they backtracked on this and now everything is just electrical signals. It was already quite fast back then, with PCI Express Gen 2 and DisplayPort 1.1, and it used a Mini DisplayPort connector at the very beginning. Then there was a second version in 2013, which kept the same speeds on the PCI Express side, bumped DisplayPort to 1.2, but still used the same connector. And then Thunderbolt 3, which we're currently at, is implemented by the Alpine Ridge controller, which I think is currently in most laptops that ship Thunderbolt 3; that's the standard now, I think. There they upped the specs. And there's a new version of the Thunderbolt 3 controller out there called Titan Ridge, which is being rolled out now, but it's not that widespread yet.

Oh yeah, and because the adoption of Thunderbolt still is not as great as I think Intel wanted it to be, they made it, in 2017 they announced it, from 2018 on, a royalty-free standard. And they are even going to put it, I think with Whiskey Lake or so, I'm not entirely sure, with some new chip, they're going to put the Thunderbolt controller on the CPU die, basically forcing adoption, because you will get it anyway.

So the current version is Thunderbolt 3, and it uses the USB Type-C connector, which is confusing people, I can tell you. The speed got up to double the speed of the former one, so it's 40 gigabits per second. It can deliver up to four PCI Express Gen 3 lanes. It can do DisplayPort 1.2, one or two, or in Titan Ridge 1.4, which, if you think about it: the speed is going to stay the same, but DisplayPort 1.4 can actually drive 8K displays, so there's actually a bottleneck. If you do it over Thunderbolt, you might not be able to drive the display at full speed and have a dock at all. So this is a bit of a funny thing, but whatever. It does native USB 3.1, you can daisy-chain up to six devices, and you can also charge your laptop while you're connecting your I/O, which is really cool: you potentially have only one cable to the laptop, charge the laptop, and also have the dock and the display and everything running. Also, what is new with version 3 is that you get security modes, which, if you think about it, is actually PCI Express.
That's going over Thunderbolt, so that is actually maybe not a bad idea. And the main usage is, I think, docks. You can also use it for external graphics, which people already do. You can do networking with it, and some people use it for connecting a shit ton of storage when they're on the road doing video editing or something.

This is a very simple graph of how that is actually connected. You have the CPU and you have your platform controller hub, I think, and the DisplayPort either comes directly from the internal graphics or, if you have an Nvidia or something, it can also come from the external graphics, and you get the PCI lanes. In some models they don't connect the full four lanes; it can also be only two, and sometimes it can be very tricky to find out what you actually have. You might have to actually ask the manufacturer, because they don't specify. And then it all goes over your Thunderbolt I/O, and the Thunderbolt controller on the device can split out the PCI Express lanes, or the DisplayPort, or both, depending on what device you have.

One funny thing is that currently, if you have an Alpine Ridge controller in a device like a dock and you connect it to a USB-C port, nothing will work, nothing will happen, because it's a different technology. But if you have a Titan Ridge dock there's a fallback mode, which I think I have somewhere here. Yeah, Titan Ridge has a fallback mode, so it can act as a USB sink. So if you connect your Titan Ridge Thunderbolt dock to a USB-C port which is not a Thunderbolt port, it will also work, in a fallback mode, which I think adds to the confusion. I think it's a hell of a confusion at the moment.

Here's my prime example for why this thing is really confusing. This is the current T480s from Lenovo, and you see that there is the USB Type-C port that has the power logo next to it, and then you see this, whatever it is, the proprietary thing, and here you see this flash thing next to it. And if you were to connect this thing to your dock, where would you connect it? I mean, "this is the Type-C connector, right?", so you would maybe connect it to this thing. But this is actually not a Thunderbolt port, this is just a plain USB port, and this is the actual Thunderbolt port, which doesn't even look like a USB-C port because it's their proprietary whatever thing. So yeah, I'm not kidding, I've got people writing to me like "my Thunderbolt is broken" or "your software is broken, it doesn't work", and I'm trying to debug the whole thing, and then it was like, wait, just a stupid question: did you plug it into the left port or the one next to the left port? And he was like, "oh shit, I plugged it into this thing, and everything's working now". So, for example, here also this USB Type-C is not a Thunderbolt one, these two are Thunderbolt ones, right? So logos matter. And the ironic bit now: if you had a Titan Ridge Thunderbolt dock and you made the same mistake, it would somewhat work, but it would not work at full speed, because you would be using USB and not Thunderbolt speed. So you get the display and you get the dock, but you don't get the full speed.
Yeah, it's confusing, because Thunderbolt also has different connection modes, different alternate modes, as plain USB Type-C also has. So it can be USB only if you plug in a USB device, it can be DisplayPort only if you plug in a DisplayPort device, it can do both, or it can run at full Thunderbolt 3 speed. And in most computers you can actually set the Thunderbolt controller into these modes in the firmware or BIOS. You can say "I want the Thunderbolt controller to be USB only", and then if you connect a Thunderbolt device it won't work. Or I can say I want only DisplayPort, as a security measure, if you go to a conference, DEF CON or whatever, and you don't want... Yeah.

To make things even worse, there are also different controller modes. So currently, if you're running Linux on your machine, you should make sure it's running in BIOS assist mode, which means that ACPI is controlling the power of the Thunderbolt controller, powering it up and powering it down. If you connect a device, ACPI will power the Thunderbolt controller; if you disconnect it, ACPI will actually shut the whole thing off. It will disappear from the system: if you do lspci, it will look as if there is no Thunderbolt device in the computer. In the future we will have native PCI hotplug, which is good, because in theory this gives us more control and we can actually save a bit more power, but currently, with current kernels, you will actually consume a lot of power, because we don't have the full power management patches merged into the kernel. So if you haven't turned your Thunderbolt controller into BIOS assist mode, it will always be there and will always eat power. So don't do that.

Yeah, and the security modes that were added to Thunderbolt 3 are the main thing that I actually worked on, because PCI Express can do DMA, so we can read and write memory from stuff that you just plugged into your computer, which some people actually did as a proof of concept, I think with a MacBook Pro and the Thunderbolt 2 port or so. So now, with Thunderbolt 3, there are new security modes that you can also set in the BIOS; everything can be set there. You can have no security, which is basically what the old versions did, Thunderbolt 2 did that and Thunderbolt 1 did that: you connect the device and, if the device supports it, you will get the full PCI Express lanes and you can do DMA to whatever you want. And then there are two more Thunderbolt modes, one is called user and one is called secure. In both of these modes what is new is basically that you, as the user, or the system, has to authorize devices before they can actually work. So you connect the device and it will show up, but it won't connect the PCI lanes before the system actually says to the controller, "yes, please connect the PCI Express lanes". And in secure mode there's an additional step where we can actually authorize the device and also verify that it is the device that we connected before.

In Windows this is basically what it looks like: in Windows you get a bunch of dialog boxes, because how do you then verify that the thing is actually... how do you authorize the device? You ask the user, right? So you get a box saying that a new Thunderbolt device was connected, you click on OK, you get this thing like "OK, Plugable whatever something can connect", and then "what do you want to do: don't connect, connect once, connect always", whatever. But yeah, that's not what we did, because our designers basically said that most people are just going to click yes anyway, because you cannot make an informed decision on this. As a normal person who doesn't even know what PCI Express lanes are, what do you want to answer to this, right? If you go to a conference and you connect your projector, you want the projector to work, and even if this was called "evil device", but it makes your projector work, then you will just click OK, right, because you want the projector to work.

So how's the stack on Linux? Well, first of all, the kernel exposes a device tree in sysfs, basically: it exposes the host and all the devices that you connect under sysfs. And then there's a small little tool that we wrote, called bolt, which basically listens to udev events and then exposes the devices on D-Bus. And then you can interact with it from the command line with a thing called boltctl, or via a GUI, by GNOME Shell or GNOME Settings. And the idea was that other desktop environments could also use this daemon; I'm not sure if anyone actually integrated it yet.

So how does the current interface look? The Thunderbolt controller gets exposed as two device nodes, actually: first as domains, the domain controller, and here you can actually read out the security level that was set in the BIOS. You cannot influence it, but you can read it out. And then there's always one device that represents the host, which will always be authorized, but you can read the name of the computer and stuff. And then any other device that is attached to the Thunderbolt bus will appear as a child of this device, and it has this node, or this property, called authorized, and if you are in secure mode it also has this property called key. And then you authorize the device by just writing 1 into this file, and once you have done this the controller will actually connect the PCI tunnels and the device will work. This is irreversible.
So once you connect the PCI tunnels there's no way of going back, so you cannot unauthorize the device once it's authorized. And if you are in secure mode, the more secure operation mode, what you can also do is imprint a key into the non-volatile memory of the device. The first time you do this you just basically imprint it, and on any subsequent connect you can write your version of the key into the property and then say to the kernel, "please connect this device, but only if the key matches what we've previously written into the device". So this is basically an identity verification of the device. But I have to say, most laptops, actually all laptops that I've ever had in my hands, ship in user mode, so by default what you are in is user mode. So by default you don't get this key verification; by default you only get the normal authorization. So, I mean, the device exposes a unique ID, which we use to identify it, but if you were malicious you could fake this unique ID, and then we would authorize your evil device if it has the same unique ID as something that you previously authorized.

So, the bolt daemon is a very small system daemon. It is normally not running; it only gets activated on demand by systemd, when udev finds that you have Thunderbolt hardware. So if you don't have Thunderbolt hardware, nothing is running. It has a D-Bus API to manage devices, like for example authorize or enroll devices. We use polkit to secure the D-Bus API. We have a very simple database, which is basically file-based, where we store device names and device keys. Then, recently, I've also added to the D-Bus API a way to force-power the Thunderbolt controller, because there's one hack in hardware: if the Thunderbolt hardware is in this BIOS assist mode, which is currently the default, the hardware will just completely disappear, and we won't even know that there's a Thunderbolt controller in the system. So we cannot find out which security level the Thunderbolt controller is in, which we sometimes need to know, or the firmware update daemon needs to know what firmware version the Thunderbolt controller has. So we need to somehow power the controller, and on most laptops there's a way to basically force-power the controller: you just flip it on and then the BIOS will activate the Thunderbolt controller even though nothing is plugged in. This is now exposed on D-Bus, because the kernel API is not reference-counted. So if I switch it on, and the bolt daemon switches it on, and the firmware update daemon switches it on, and then I switch it off, but the firmware update wasn't done yet, then it's hanging, right? And this is exactly what happened a lot of times, so there's a bunch of bug reports about this. Anyway, now there's a daemon API to force-power the Thunderbolt controller.

But the daemon itself doesn't do any policy decisions. We just expose it: if you connect a new device, it will just show up on the bus, but it won't be authorized by the daemon by itself, because bolt only provides the API, it doesn't do any policy decisions. Yeah, this is the API; I'll skip over this. There's a small command-line tool called boltctl where you can see what is currently connected and you can manage it: you can forget devices or enroll devices here. But the important thing is that, for GNOME, the Shell is the policy maker. What that means is that it will listen to the device-added signal of the daemon and then, based on the current state of the sessions, it will either authorize the device or not. Currently it means that if the user is logged in, the session is unlocked, and the user is an admin, we will just automatically enroll your device and connect it. If the user is not an admin, you get a dialog box, or if the session is locked you get a notification like this: "Thunderbolt device was connected but not authorized".

There's also a little cable-snake icon here, because connecting the PCI lanes can actually take quite a bit; it can take up to 20 seconds on some docks, because some cables are active cables, and then you need to authorize the cable before you authorize the dock. So it can take a while, so we have this little status indicator that something is actually happening. And then there's also a Settings plugin where you can see the devices that have been previously authorized, and if you connected it while you were locked, you can also authorize the device from there.

We also do firmware updates. So you can update the firmware in your cables and in your docks. Yeah, it's not a joke, sadly enough. There's also a sysfs interface for that, so you basically write the new firmware into the non-active part and then you write another "authenticate", and then it updates the firmware, and this works, hopefully. And there was also recently added, into NetworkManager, host-to-host networking: if you have a Thunderbolt cable you can connect two computers and it will create a network between them, and then you can transfer files or something.

And there's one more thing, obviously. For example, if you have a LUKS password set on your machine, then you're in early boot, and in early boot the daemon doesn't run, so you cannot enter your LUKS password via a keyboard that's attached to a dock. So there is a new thing, you need a very new kernel and a new firmware, called boot ACL, where we can, from Linux, write UUIDs into the BIOS and say to the firmware, "this device with this UUID, please authorize it already on boot". So it works even in the BIOS, not only in early boot. But the problem is, as you can see, there is only the UUID, there is no key, so there is no key verification done.
So this is basically only available in user mode. If you actually want to make sure that it's the dock that you initially authorized, then you can forget about this, and you would have to go back to typing in the password on your normal keyboard, not on your dock keyboard.

And yeah, this is my current work, but I'm also looking into eGPU support. It should in theory work, but of course in reality it doesn't really. Like, last time I tried, Nouveau and the Nvidia drivers were both crashing when I connected the dock with the eGPU in it. Intel and AMD are supposedly a bit better, but I haven't tested those yet.

Yeah, and that's it. If anyone is interested in helping out on this: currently I'm the only one working on that stuff, and I'm going to be done with it soon and then I'm going to move on to something else. So if someone wants to help out... Yeah, anyway, thank you.

One minute, one question... two questions. One. Yeah.

Q: Sorry, I just dropped in, so I most likely missed it if you said it, but did you do any work on, or have any look at, pro audio hardware that is also Thunderbolt-ready?

A: No. There is some, but most likely it's not supported.

Q: Okay. Yeah, no, that would be nice.

A: Write me an email, I'll see.

Q: Okay, will do. Thank you.

Q: I was just wondering, with these security keys, do you start generating them for every device regardless of whether secure mode is enabled, or do you only do that when secure mode is enabled?

A: Only if... yeah, so if secure mode is not enabled there is no device file, so this key property is only there if secure mode is enabled.

Q: So if you set a key on your cable and then you use it for another computer, depending on... does it stop working?

A: Yeah, it depends on the device. Some devices support multiple keys, but for example the eGPU dock, every time I boot into Windows and authorize it in Windows, I have to reauthorize it in Linux, because it can only hold one key.

Q: Oh, I see, so you can reset it. So it's not like it's useless.

A: No, no, you reset it. It's still annoying though, because it's basically like "oh my God, this device has changed identity", because it can only hold one key. But whatever. All right.
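The sysfs flow the talk walks through (read the domain's security level, write 1 to a device's authorized attribute, and in secure mode store a key on first connect and challenge it on every later connect) written out as an added shell example. This is not bolt's code and not from the talk; it is a small stand-alone re-implementation for illustration. The 1/2 values written to authorized and the 32-byte hex key are the kernel's documented Thunderbolt sysfs interface; everything else is an assumption: the tb_* function names, the TB_SYSFS variable (defaults to the real bus, point it at a constructed directory tree to dry-run without hardware) and TB_KEYS, a hypothetical file-per-unique_id key store standing in for bolt's database.

```shell
#!/bin/sh
# Added example (not bolt's own code): the sysfs authorization flow from the talk.
# Assumptions: TB_SYSFS is the Thunderbolt device directory (real one by default,
# set it to a constructed tree for a dry run) and TB_KEYS is a hypothetical key
# store, one file per device unique_id holding that device's 64-hex-char key.
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"
TB_KEYS="${TB_KEYS:-/var/lib/tb-example/keys}"

# Security level of the first domain as set in the BIOS (none, user, secure, ...).
# sysfs lets us read it, not change it.
tb_security() {
    cat "$TB_SYSFS/domain0/security"
}

# 32 random bytes as 64 lowercase hex characters, the format the key attribute takes.
tb_new_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# tb_authorize <device node, e.g. 0-1>
# Exit status: 0 device is authorized afterwards, 1 the write was rejected (bad key)
# or no such device, 2 already authorized (nothing done: it cannot be revoked anyway).
tb_authorize() {
    dev="$TB_SYSFS/$1"
    [ -r "$dev/authorized" ] || { echo "no such device: $1" >&2; return 1; }
    [ "$(cat "$dev/authorized")" = "0" ] || return 2
    uid=$(cat "$dev/unique_id")
    if [ "$(tb_security)" = "secure" ] && [ -e "$dev/key" ]; then
        mkdir -p "$TB_KEYS"
        if [ -f "$TB_KEYS/$uid" ]; then
            # Seen before: present the stored key and request a challenge (2).
            # The kernel rejects the write when the key in the device's NVM differs,
            # which is what catches a device that merely copied a known unique_id.
            cat "$TB_KEYS/$uid" > "$dev/key" || return 1
            echo 2 > "$dev/authorized" 2>/dev/null || return 1
        else
            # First connect: generate a key; authorizing with 1 while a key is set
            # imprints it into the device's non-volatile memory.
            key=$(tb_new_key)
            printf '%s\n' "$key" > "$dev/key" || return 1
            echo 1 > "$dev/authorized" 2>/dev/null || return 1
            printf '%s\n' "$key" > "$TB_KEYS/$uid"
        fi
    else
        # user mode (or no key attribute): plain authorization, unique_id only
        echo 1 > "$dev/authorized" 2>/dev/null || return 1
    fi
    [ "$(cat "$dev/authorized")" != "0" ]
}

# One line per attached device: "<node> <authorized> <device_name>".
# Nodes ending in -0 are the host itself, which is always authorized, so skip them.
tb_list() {
    for d in "$TB_SYSFS"/[0-9]*-[0-9]*; do
        node=$(basename "$d")
        case $node in *-0) continue ;; esac
        [ -r "$d/authorized" ] || continue
        printf '%s %s %s\n' "$node" "$(cat "$d/authorized")" "$(cat "$d/device_name")"
    done
}
```

On real hardware the key attribute only exists when the domain is in secure mode, which is why the script falls back to writing 1 in user mode; there the only identity is unique_id, the value the talk points out a malicious device can copy. Because authorization cannot be undone, tb_authorize refuses to touch a device that is already connected instead of writing again.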