1BOLTCTL(1) bolt Manual BOLTCTL(1)
2
3
4
6 boltctl - control the thunderbolt device manager
7
9 boltctl authorize DEVICE
10 boltctl config
11 boltctl domains
12 boltctl enroll DEVICE
13 boltctl forget DEVICE
14 boltctl info DEVICE
15 boltctl list
16 boltctl monitor
17 boltctl power
18
20 boltctl is the command line interface to interact with boltd, the
21 system daemon that manages Thunderbolt 3(TM) devices. It can be used to
22 query the state of devices as well as manage them.
23
24 Devices can be globally identified via their unique identifier (uuid).
25 All commands that take a DEVICE identifier expect this unique id.
26
27 If no command is given, it is equivalent to boltctl list.
28
30 --version
31 Print version information and exit.
32
33 -U | --uuid {full | short | alias | N}
34 Control how UUIDs are printed. Since they are somewhat sensitive
35 data it is not advisable to share them publicly in full length.
36 Instead short or alias can and should be used when sharing the
37 output of boltctl.
38
39 full
40 Print all UUIDs in full length.
41
42 short
43 Truncate all UUIDs so only the first 13 characters are printed.
44
45 alias
46 All UUIDs are replaced by a random string that is derived from
47 the UUID, therefore the devices can be uniquely identified
48 without revealing the original UUID.
49
50 N
51 If a integer N is specified, all UUIDs are truncated to only
52 show up to N.
53
55 authorize [-F | --first-time] DEVICE
56 Authorize a currently unauthorized device identified via its unique id
57 (uuid) DEVICE. If a key is stored in the database it will be used,
58 given the security level of the domain supports secure device
59 connection. Use boltctl list to find out the uuid of a device.
60
61 -F | --first-time
62 Normally, when attempting to authorize an already authorized device
63 boltctl will do nothing and return a successful status code. When
64 using this option, the attempt will fail and result in a negative
65 exit code if the device is already authorized.
66
67 config --describe [global|domain|device]
68 List global, domain, or all (if nothing is specified) properties. The
69 format is 3 columns: permission, name, description. Permission
70 indicates if the property is only readable or can also be written.
71
72 config KEY [VALUE]
73 Get or set, if VALUE is specified, a global property.
74
75 config <domain|device>.KEY TARGET [VALUE]
76 Get or set, if VALUE is specified, a domain or device property, where
77 TARGET is the unique id of the domain or the device.
78
79 domains [-v | --verbose]
80 List all currently active Thunderbolt domains. A Thunderbolt domain
81 represents the Thunderbolt controller hardware. There will be one
82 domain (and host device) for each Thunderbolt controller present in the
83 system. The security property shows the security level of the
84 controller. If iommu support is active (see the boltd man page) it will
85 be indicated by a +iommu suffix for "secure" or "user" mode, or just
86 plain iommu in case the security level is "none" (sl0). bootacl shows
87 the used and total slots of the boot access control list (BootACL) and
88 the content of all non-empty entries. NB: if BootACL is unsupported it
89 will show 0 for both (0/0). The online property shows if the
90 thunderbolt controller is currently powered by the firmware. NB: if the
91 controller is currently offline the BootACL list will reflect what
92 boltd estimates the list will look like once the controller is back
93 online and local changes have been synchronized to the controller. This
94 might not be accurate if the list was modified in the meantime, e.g.
95 from a different installation or OS.
96
97 enroll [--policy policy] DEVICE
98 Authorize and record the device with the unique id DEVICE in the
99 database. If the domain supports secure connection a new key will be
100 generated and stored in the database alongside the device name and
101 vendor name. The key, if created, will be used in the future to
102 securely authorize the device.
103
104 --policy {default | auto | manual}
105 Specify the policy to be used for the newly enrolled device.
106
107 default
108 Use the global default policy of the daemon; this can be
109 changed, but is normally also auto.
110
111 auto
112 Automatically authorize this device whenever it is connected.
113
114 manual
115 Do not automatically authorize the device; instead require
116 manual authorization via boltctl authorize.
117
118 forget DEVICE
119 Remove the information about the device with the unique id DEVICE from
120 the database. This includes the key, if one was previously generated.
121 If you pass --all instead of the DEVICE all devices are removed instead
122 of just one.
123
124 info DEVICE
125 Display information about the device with the unique id DEVICE.
126
127 list [-a | --all]
128 List and print information about all connected and stored devices.
129
130 -a | --all
131 Normally, the only the device type that will be shown is
132 peripherals. Therefore the device that represents the host itself
133 will be omitted. Using this option will instead include all device
134 types in the list.
135
136 monitor
137 Listen for and show changes in connected devices.
138
139 power [-t | --timeout seconds] [-q | --query]
140 Power up the Thunderbolt controller. If the Thunderbolt controller is
141 not in "native enumeration mode" it can be completely powered down by
142 the host firmware/BIOS. On supported systems there is an interface to
143 "force" power the thunderbolt controller. If supported this command
144 will request the daemon to do so. The daemon will keep track of all
145 client requests and will release the force power override when the last
146 request is released.
147
148 -t | --timeout seconds
149 Release the force power request after the specified amount of
150 seconds and exit.
151
152 -q | --query
153 Query the current force power status of the daemon.
154
156 Written by Christian Kellner <ckellner@redhat.com>.
157
158
159
160bolt 0.9.6 09/13/2023 BOLTCTL(1)