BOLTD(8)                          bolt Manual                         BOLTD(8)

NAME

       boltd - thunderbolt device managing system daemon

SYNOPSIS

       boltd [OPTIONS]

DESCRIPTION

       boltd is the thunderbolt device manager daemon. Its goal is to enable
       the secure and convenient use of thunderbolt devices by using the
       security features of modern thunderbolt controllers. It provides the
       org.freedesktop.bolt name on the system bus. boltd is autostarted via
       systemd/udev if a thunderbolt device is connected.

       The thunderbolt I/O technology works by bridging PCIe between the
       controllers on each end of the connection, which in turn means that
       devices connected via Thunderbolt are ultimately connected via PCIe.
       Therefore thunderbolt can achieve very high connection speeds, fast
       enough to even drive external graphics cards. The downside is that it
       also makes certain attacks possible. To mitigate these security
       problems, the latest version — known as Thunderbolt 3 — supports
       different security levels:

       none
           No security. The behavior is identical to previous Thunderbolt
           versions.

       dponly
           No PCIe tunnels are created at all, but DisplayPort tunnels are
           allowed and will work.

       user
           Connected devices must be authorized by the user. Only then will
           the PCIe tunnels be activated.

       secure
           Basically the same as user mode, but additionally a key will be
           written to the device the first time the device is connected.
           This key will then be used to verify the identity of the
           connected device.

       The primary task of boltd is to authorize thunderbolt peripherals if
       the security level is either user or secure. It provides a D-Bus API to
       list devices, enroll them (authorize and store them in the local
       database) and forget them again (remove previously enrolled devices).
       It also emits signals if new devices are connected (or removed). During
       enrollment devices can be set to be automatically authorized as soon as
       they are connected. A command line tool, called boltctl(1), can be used
       to control the daemon and perform all the above mentioned tasks.

       The pre-boot access control list (BootACL) feature is active when
       supported by the firmware and when boltd is running on a new enough
       Linux kernel (>= 4.17). The BootACL is a list of UUIDs that can be
       written to the thunderbolt controller. If enabled in the BIOS, all
       devices in that list will be authorized by the firmware during
       pre-boot, which means these devices can be used in the BIOS setup and
       also during Linux early boot. NB: no device verification is done, even
       when the security level is set to secure mode in the BIOS, i.e. the
       maximal effective security level for devices in the BootACL is only
       user. If BootACL support is present, all new devices will be
       automatically added. Devices that are forgotten (removed from boltd)
       will also be removed from the BootACL. When a controller is offline,
       changes to the BootACL will be written to a journal and synchronized
       back when the controller is online again.
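
       The BootACL caveat above can be audited on a running system. The
       following script is an added example, not part of bolt or this
       manual; it assumes the Linux kernel's thunderbolt sysfs attributes
       security and boot_acl under /sys/bus/thunderbolt/devices/domainN,
       and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of bolt. Assumes the kernel thunderbolt sysfs
# layout: <root>/domainN/security and <root>/domainN/boot_acl, where
# boot_acl is a comma-separated UUID list with unused slots left empty.

# effective_level DOMAIN_DIR UUID
# Prints the security level that actually applies to UUID in that domain.
effective_level() {
    dir=$1
    uuid=$2
    level=$(cat "$dir/security")
    acl=$(cat "$dir/boot_acl" 2>/dev/null || true)
    case ",$acl," in
        *",$uuid,"*)
            # Firmware authorizes BootACL entries pre-boot without key
            # verification, so "secure" is effectively "user" for them.
            if [ "$level" = secure ]; then level=user; fi
            ;;
    esac
    printf '%s\n' "$level"
}

# audit_bootacl [SYSFS_ROOT]
# One line per BootACL entry: "<domain> <uuid> <configured> <effective>".
audit_bootacl() {
    root=${1:-/sys/bus/thunderbolt/devices}
    for d in "$root"/domain*; do
        [ -r "$d/security" ] && [ -r "$d/boot_acl" ] || continue
        configured=$(cat "$d/security")
        # Turn commas into spaces; word splitting drops the empty slots.
        for u in $(tr ',' ' ' < "$d/boot_acl"); do
            printf '%s %s %s %s\n' "${d##*/}" "$u" "$configured" \
                "$(effective_level "$d" "$u")"
        done
    done
}

# Audit the live system, or the root given as the first argument.
audit_bootacl "$@"
```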

OPTIONS

       -h, --help
           Prints a short help text and exits.

       --version
           Shows the version number and exits.

       -r, --replace
           Replace the currently running boltd instance.

       --journal
           Force logging to the journal.

       -v, --verbose
           Print debug output.

ENVIRONMENT

       BOLT_DBPATH
           Specifies the path where the daemon stores device information,
           including the keys used for authorization. Overwrites the path that
           was set at compile time.

EXIT STATUS

       On success 0 is returned, a non-zero failure code otherwise.

AUTHOR

       Written by Christian Kellner <ckellner@redhat.com>.

SEE ALSO

       boltctl(1)

bolt 0.7                          01/01/2019                          BOLTD(8)