1BOLTD(8) bolt Manual BOLTD(8)
2
3
4
6 boltd - thunderbolt device managing system daemon
7
9 boltd [OPTIONS]
10
12 boltd is the thunderbolt device manager daemon. Its goal is to enable
13 the secure and convenient use of thunderbolt devices by using the
14 security features of modern thunderbolt controllers. It provides the
15 org.freedesktop.bolt name on the system bus. boltd is autostarted via
16 systemd/udev if a thunderbolt device is connected.
17
18 The thunderbolt I/O technology works by bridging PCIe between the
19 controllers on each end of the connection, which in turn means that
20 devices connected via Thunderbolt are ultimately connected via PCIe.
21 Therefore thunderbolt can achieve very high connection speeds, fast
22 enough to even drive external graphics cards. The downside is that it
23 also makes certain attacks possible. To mitigate these security
24 problems, the latest version — known as Thunderbolt 3 — supports
25 different security levels:
26
27 none
28 No security. The behavior is identical to previous Thunderbolt
29 versions.
30
31 dponly
32 No PCIe tunnels are created at all, but DisplayPort tunnels are
33 allowed and will work.
34
35 user
36 Connected devices must be authorized by the user. Only then will
37 the PCIe tunnels be activated.
38
39 secure
40 Basically the same as user mode, but additionally a key will be
41 written to the device the first time the device is connected. This
42 key will then be used to verify the identity of the connected
43 device.
44
45 usbonly
46 One PCIe tunnel is created to a usb controller in a thunderbolt
47 dock; no other downstream PCIe tunnels are authorized (needs 4.17
48 kernel and recent hardware).
49
50 The primary task of boltd is to authorize thunderbolt peripherals if
51 the security level is either user or secure. It provides a D-Bus API to
52 list devices, enroll them (authorize and store them in the local
53 database) and forget them again (remove previously enrolled devices).
54 It also emits signals if new devices are connected (or removed). During
55 enrollment devices can be set to be automatically authorized as soon as
56 they are connected. A command line tool, called boltctl(1), can be used
57 to control the daemon and perform all the above mentioned tasks.
58
59 The pre-boot access control list (BootACL) feature is active when
60 supported by the firmware and when boltd is running on a new enough
61 Linux kernel (>= 4.17). The BootACL is a list of UUIDs, that can be
62 written to the thunderbolt controller. If enabled in the BIOS, all
63 devices in that list will be authorized by the firmware during
64 pre-boot, which means these devices can be used in the BIOS setup and
65 also during Linux early boot. NB: no device verification is done, even
66 when the security level is set to secure mode in the BIOS, i.e. the
67 maximal effective security level for devices in the BootACL is only
68 user. If BootACL support is present, all new devices will be
69 automatically added. Devices that are forgotten (removed from boltd)
70 will also be removed from the BootACL. When a controller is offline,
71 changes to the BootACL will be written to a journal and synchronized
72 back when the controller is online again.
73
74 IOMMU support: if the hardware and firmware support using the
75 input–output memory management unit (IOMMU) to restrict direct memory
76 access to certain safe regions, boltd will detect that feature and
77 change its behavior: As long as iommu support is active, as indicated
78 by the iommu_dma_protection sysfs attribute of the domain controller,
79 new devices will be automatically enrolled with the iommu policy and
80 existing devices with iommu (or auto) policy will be automatically
81 authorized by boltd without any user interaction. When iommu is not
82 active, devices that were enrolled with the iommu policy will not be
83 authorized automatically. The status of iommu support can be inspected
84 by using boltctl domains.
85
87 -h, --help
88 Prints a short help text and exits.
89
90 --version
91 Shows the version number and exits.
92
93 -r, --replace
94 Replace the currently running boltd instance.
95
96 --journal
97 Force logging to the journal.
98
99 -v, --verbose
100 Print debug output.
101
103 RUNTIME_DIRECTORY
104 Specifies the path where the daemon stores data that only has to
105 live as long as the current boot. Will be set automatically when
106 started via systemd (>= 240). If not set the default path for
107 runtime data is /run/boltd.
108
109 STATE_DIRECTORY
110 Specifies the path where the daemon stores device information,
111 including the keys used for authorization. Overwrites the path that
112 was set at compile time. Will be set automatically when started via
113 systemd (>= 240).
114
115 BOLT_DBPATH
116 Same as STATE_DIRECTORY but takes precedence over that, if set.
117
119 On success 0 is returned, a non-zero failure code otherwise.
120
122 Written by Christian Kellner <ckellner@redhat.com>.
123
125 boltctl(1)
126
127
128
129bolt 0.9.6 09/13/2023 BOLTD(8)