Read this article at https://www.pugetsystems.com/guides/2205

Thunderbolt Security, to the rescue (BIOS)

Written on August 18, 2021 by Chad Warmenhoven

Introduction

Thunderbolt can be an extremely useful technology, but when there's a problem it can be equally frustrating. Thunderbolt is the brand name of a hardware interface developed by Intel in collaboration with Apple that allows the connection of external peripherals to a computer. Thunderbolt 3 and 4 reuse the USB-C connector from USB, which makes life easier, and occasionally confusing :)

Thunderbolt combines PCI Express (PCIe) and DisplayPort (DP) into two serial signals, and additionally provides DC power, all in one cable. Up to six peripherals may be supported by one connector through various topologies, and Thunderbolt is capable of audio pass-through as well. Here lies the problem. When a Gigabyte board's Thunderbolt security is set 'just right', it can prevent daisy chaining or audio transmission. This article explains the different security levels and how to fix the problem if you've encountered issues with daisy chaining or audio transmission.

Thunderbolt 3 Security Levels

No Security (SL0)

You can connect any Thunderbolt 3 device and it will immediately start working. The danger of this mode is that, since Thunderbolt 3 supports PCIe and PCIe allows direct access to system memory, a malicious Thunderbolt 3 device could access potentially sensitive data in your system’s memory. In SL0 mode, the device would simply need to be plugged in to do so. The typical threat model here would involve an attacker doing this while you had left your system unattended somewhere. This may not be a practical risk for everyone, but it's why the higher security levels exist.

User Authorization (SL1)

When a Thunderbolt 3 device is connected, the user must respond to a popup dialog box to explicitly allow the connection. The user can choose to allow once or to always allow that particular device. This mitigates the SL0 risk described above.

Secure Connection (SL2)

Same as SL1 except that if the user chooses to always allow a particular device, the system writes a cryptographic key to that device and also records it in its own firmware in order to perform a more robust "identity verification" of that device on subsequent connections, using a challenge/response mechanism. This prevents an attacker from taking the Device ID of a peripheral that had been granted "always allow" access and cloning it onto a malicious device, which under SL1 mode would allow that malicious device to gain "always allow" access. However, not all Thunderbolt 3 peripherals support SL2.
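
The difference between SL1 and SL2 can be shown with a simplified model, added here as an illustration and not taken from the original article or from any vendor firmware. The `Host` and `Device` classes, the device ID string, and the use of HMAC-SHA256 for the challenge/response are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

class Device:
    """Toy peripheral: a readable ID plus, once enrolled, a stored secret key."""
    def __init__(self, device_id, key=None):
        self.device_id = device_id
        self._key = key

    def store_key(self, key):
        self._key = key

    def respond(self, challenge):
        # A device that never received the key cannot compute the right answer.
        key = self._key or b"\x00" * 32
        return hmac.new(key, challenge, hashlib.sha256).digest()

class Host:
    """Toy host store: device ID -> key written when the user picks 'always allow'."""
    def __init__(self):
        self.always_allow = {}

    def enroll(self, device):
        key = secrets.token_bytes(32)
        device.store_key(key)                 # key written to the device...
        self.always_allow[device.device_id] = key  # ...and recorded by the host

    def authorize_sl1(self, device):
        # SL1: the ID the device presents is the only thing checked.
        return device.device_id in self.always_allow

    def authorize_sl2(self, device):
        key = self.always_allow.get(device.device_id)
        if key is None:
            return False
        challenge = secrets.token_bytes(32)   # fresh per connection, so replies cannot be replayed
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, device.respond(challenge))

def demo():
    host = Host()
    dock = Device("constructed-id-0001")      # constructed sample ID
    host.enroll(dock)
    clone = Device(dock.device_id)            # same ID, but never received the key
    return {
        "sl1_genuine": host.authorize_sl1(dock),
        "sl1_clone": host.authorize_sl1(clone),
        "sl2_genuine": host.authorize_sl2(dock),
        "sl2_clone": host.authorize_sl2(clone),
    }
```

In this model the device with the copied ID is accepted under the SL1 check and rejected under the SL2 check, because only the originally enrolled device holds the key.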

Thunderbolt 3 Boot Support

Windows doesn't natively handle daisy chaining very well, so sometimes Thunderbolt 3 Boot Support is required. Although we are able to reproduce this as a solution, the logic of why it works doesn't make a lot of sense. This setting is designed to allow booting from an external Thunderbolt device and is required for security configurations such as BitLocker. There's no reason it should be required for general operation or daisy chaining of Thunderbolt devices... but here we are. It works when the security fix does not.

  • Boot into the BIOS by rapidly pressing the 'Delete' key
  • Once in the BIOS, navigate to the 'Peripherals' tab.
  • Navigate to Thunderbolt(TM) Configuration

Conclusion

Since its introduction a few years ago, Thunderbolt 3 has quickly made its impact on the technology world. Designed to deliver outstanding performance, Thunderbolt 3 continues to expand its adoption and can be found in some of the latest and most advanced hardware. Just like any new technology, there is the potential for problems. When you have issues with daisy chaining or audio transmission, check here first! Hopefully you found this article useful; if you're still having issues, please feel free to reach out to our Support department.
