I'll start quickly because I'm already quite late after the DisplayPort and actually also the Thunderbolt failed to actually get a picture on this thing. We're back to VGA, which always works, yay. All right. My name is Christian. I work for Red Hat in the desktop hardware enablement group. How do I get to the next slide? What is Thunderbolt anyway? I'm going to be really fast now. It's, according to Intel, the USB-C that does it all, which is already very confusing because I said Thunderbolt and now I said USB-C, and I think that's probably going to happen the next five years for a lot of people, especially sysadmins and stuff, because it's actually the same port. This little, this newish port is also on a Nintendo Switch and everything, and it can be a plain USB-C port, but it can also be a Thunderbolt port, and normally you can distinguish them if there's a little mark next to it, a little flash. Yes, Hans? What is a plain USB-C port? Like, there are laptops out there that have only a USB-C port, that don't have a Thunderbolt port. USB 2 or 1? USB 2 or 3.1 Gen 1 or 3.1 Gen 2? I don't know. You can distinguish them by the little icon that is next to them, if there's space for all the icons. Anyway, so if it's an actual Thunderbolt 3 port, you would have a little bolt next to it, and if it's a Thunderbolt 3 port, it's very fast: it can do up to 40 gigabits per second, it can support up to four PCI Express lanes, sometimes not on all chips, so this is also "up to", it's also up to 8 DisplayPort lanes, and it always supports USB 3.1 if it's a Thunderbolt 3 device, and you can daisy-chain up to six devices, and then it's done.
It supports charging your laptop, and the devices can use up to 15 watts, and there are people, I mean the main use case, I think, for now, which the hardware is mostly available for, is docks, docks, and docks, like this guy here. This is a Thunderbolt 3 dock from Lenovo, but there's also, for example, from Razer, an external enclosure where you can have a GeForce graphics card for all your Ethereum mining. How do I do the next thing? Yeah. So the confusing part about the connection mode is that the one port can actually be four ports. It can be in USB-only mode, which, if you plug a USB device into it, the Thunderbolt actually switches into USB-only mode and it acts as a normal USB port. If you plug in a DisplayPort device, then it can also be just a DisplayPort, and it can also be a combination of DisplayPort and USB, and only if you have the right cable, the cable also needs to have a little flash thingy on it, like this, like a little, little flash thingy, if you have the right Thunderbolt USB-C cable, whatever you call it, then you actually get the Thunderbolt controller into its native Thunderbolt mode, where you get the high speed and the full, you know, PCI Express bridges to the device and you get all those super nice features, and yeah, including of course, because it's PCI Express, DMA, which means that someone can just read your memory or write into your memory, whatever, right? And it took apparently three revisions to realize this problem, or the CIA leaks or something. So in Thunderbolt 3, we actually have security modes, and the security modes, there's four of them, and you can set them in the BIOS on most computers. Not all four might be supported; I think Lenovo started not enabling the "none" mode anymore, because "none" mode is basically legacy mode, which means that you don't get any security, and then you have DisplayPort only, which only gets you DisplayPort, if it actually is working.
And then there's two secure modes, which means that the user mode and the secure mode, and in both of these modes, in user space, we actually have to tell the device to, like, work. We have to, like, you know, plug the device in, the device registers within the kernel, but we have to say, like, okay, we want this device to be activated, and only then we get the PCI Express lanes, and only then we get the malicious attacks. Hopefully not, but maybe. And the difference between the user mode and the secure mode is that in the secure mode, you can also apply a key to the device, which then you can later use to re-identify the device. So, like, if someone fiddles with your dock and installs something in there, then, you know, hopefully this is caught by the secure mode, or replaces your dock, you know, with a different one. And on Windows, you know, the land of dialogues, when you actually plug in a new Thunderbolt device, you get a bunch of dialogues, like, okay, there's a new Thunderbolt device, what do you want to do with it? Do you want to connect it? Don't you want to connect it? And, you know, our designers, I mean, GNOME designers, thought that this was a very, very bad idea, because what happens most of the time is people just click on it because it will make your beamer work, or it will make you whatever, and you know, you're already in a hurry because nothing works, and then, of course, you click everything, you click okay, okay, okay. Anyway, so how do we do this? In Linux land, we have the kernel, which gained Thunderbolt support, or Thunderbolt 3 support, in 4.13. It exposes the devices via sysfs and udev. There's a small system daemon, which gets activated by udev rules, and then we have the GNOME Shell and the GNOME Control Center talking to it. It's a D-Bus API, so other people can talk to it, too. I'm not sure if it actually happened yet.
And there's a command line tool, if you want to actually fiddle around with any of the great stuff, which I don't expect most people to actually want to do. How much time is left? Can I slow down? No, no, no, I have to be fast. Okay, this is the kernel interface, not so interesting, because normally you shouldn't actually use it, but just of interest: if you plug a device in, it will show up under sysfs Thunderbolt, and there's one file called "authorized". If you just put a one in there, the device will work. It will connect the PCI Express lanes and everything. And then for the secure mode, this is how you would do it on the command line. You create a key, you write it into the device. The key will actually get stored in the non-volatile RAM on the device. And then with the one, you actually authorize the device and store the key in the device. And then on the next connect, you supply the key, and only then, if the device responds with the right challenge to the key, the device will be activated by the kernel. Just a very quick intermezzo. So, there's also firmware for the Thunderbolt host controllers and also for the devices. So, I have a Dell dock to test in Munich. And also there, the cable actually has its own firmware, so you can update your cable firmware. And it all works, I mean, this is all done. There's a plugin for the Linux Vendor Firmware Service and for fwupd, and it will, you know, you can magically via GUI update your cable. So, the little daemon that I wrote in the last few months is just exposing the sysfs, where it's a very small daemon actually, via a D-Bus API. And the main use of this daemon is basically for the GNOME Shell to, yeah, thank you, you know, to speak to it, or for other clients to speak to it. You can use it to authorize and enroll the device from user space. It uses PolicyKit, and once the device initially was enrolled, it has a little database, just files in the file system, to remember them.
And then, the next time you plug the device in, which is automatically, like even before GNOME Shell is loaded or something, it will automatically authorize the device. If you said it should do that. Exactly. So, the daemon API is also very simple. So, it has only, you can get the devices, you can enroll the device, you can forget the device. And there's one little thing there, which is called the 45 mode. So, normally, yeah, this is not so super, I skipped this. Yeah, there's also the command line, which, you know, does the same thing: authorize devices, enroll devices, list devices, monitor for changes. But the way we normally think what users are going to do with it is that it just magically works. So, if you are logged in and your session is unlocked, and you plug a device in, and you are also the admin, like you are in the wheel group, then we will basically ask PolicyKit, but there's a special policy rule that will check, it will check if you're an admin. And if you are an admin, it will just automatically authorize the device. And if not, you will get the usual PolicyKit dialogue, like, you know, wanting you to enter your password, and if you have the admin password, you know, you can go and it will also authorize the device. And then remember it for the future. If you're not logged in, or the session is locked, then we don't do anything, because it might be someone else trying to steal your main memory, you know, by just plugging the device in. And what we do is we throw up a dialogue, basically, yeah, like this, where you say, ah, there's a new Thunderbolt device that has been attached to your computer, and what you need to do is basically replug the device. So, there's not even, like, in the GUI, there's no way to actually afterwards authorize the device via click or something.
What you need to do is physically take the cable, unplug and replug it while the session is unlocked, which is what our designers came up with as the solution to not, you know, have another dialogue that says "authorize the device". Yeah, there's also a little user, like, a little snake thingy icon when something's actually happening on the Thunderbolt bus, because for the Dell dock, for example, it takes up to 10 seconds from you plugging the device in until your network card in the dock is actually working, because, you know, network has to do its magic, and the cable has to first be authorized, and after the cable is authorized, the dock has to be authorized, and this, you know, like, this takes forever. Yeah. So, the authorization, you mean, if you're in secure mode... You can give it a key, right? Yeah, if you give it a key, yeah. How does it work? So, you give it a key, and then it's basically, like, hash something, you know, you have the key stored in the device, and you challenge the device with some random data, and it sends you, like, some HMAC, whatever thing, back, and the kernel does the same thing and compares the hashes, and if they match, it's the same device. Okay, so you use HMAC? Yeah. There you go. And then there's also a little Control Center thing, which basically allows you to manage the devices. So, you know, where you can remove the device again once you're done with it, and it will also help you, like, once, if you plugged in a device while the screen was locked, you would also, you know, find a more descriptive, hopefully, message there, like, when you click on the little notification thing, you can go there, and it will tell you that you have to reconnect the device. Yeah, and that's it. Yeah, made it. There's not much time for questions, but I think, yeah. Very short one. Very short. If you want to share a kind of device between multiple computers, so each of them has its own key?
There's, yeah, they have more, the non-volatile RAM has support for more than one key, yeah. But I think, I haven't tried it. I used, like, four or five computers and it still worked, but I guess at some point it will overwrite the keys, but three or four at least work.
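The sysfs enrollment flow the talk walks through (write a key, authorize and store it in the device; on the next connect supply the key so the kernel can challenge the device), as an added example that is not the speaker's or bolt's code: the values 2 (authorize and store the key) and 1 (challenge with the stored key) are the ones documented for the kernel's "authorized" attribute, the device directory is passed in as a parameter, and the key store path TB_KEYSTORE and the unique-id file name are assumptions so the functions can be tried against a stand-in directory before being run as root against /sys/bus/thunderbolt/devices/<id>.

```shell
#!/bin/sh
# Added example: enroll a Thunderbolt device in "secure" mode through the
# sysfs attributes "key" and "authorized", then re-authorize it later with
# the stored key so the kernel runs its challenge (HMAC) against the device.
# Assumptions: the device directory contains the kernel attributes
# "unique_id", "authorized" and "key"; keys are kept in $TB_KEYSTORE
# (default /var/lib/tb-keys, a constructed path, not bolt's own database);
# the caller is root when pointed at the real sysfs tree.
set -eu

TB_KEYSTORE="${TB_KEYSTORE:-/var/lib/tb-keys}"

# 32 random bytes as 64 lowercase hex characters, the format the key attribute expects.
tb_gen_key() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# First connection: write a fresh key, then "2" to authorized, which
# authorizes the device now and stores the key in the device's NVM.
tb_enroll() {
    dev="$1"
    uid=$(cat "$dev/unique_id")
    key=$(tb_gen_key)
    mkdir -p "$TB_KEYSTORE"
    ( umask 077; printf '%s\n' "$key" > "$TB_KEYSTORE/$uid" )
    printf '%s' "$key" > "$dev/key"
    printf '2' > "$dev/authorized"
}

# Later connections: supply the stored key and "1"; the kernel challenges the
# device and only connects the PCIe tunnels if the response matches.
# Returns 1 and leaves the device unauthorized when no key is on file for it.
tb_authorize() {
    dev="$1"
    uid=$(cat "$dev/unique_id")
    keyfile="$TB_KEYSTORE/$uid"
    if [ ! -r "$keyfile" ]; then
        echo "no key on file for device $uid, not authorizing" >&2
        return 1
    fi
    printf '%s' "$(cat "$keyfile")" > "$dev/key"
    printf '1' > "$dev/authorized"
}
```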