summaryrefslogtreecommitdiffstats
path: root/Documentation
diff options
context:
space:
mode:
authorMika Westerberg <mika.westerberg@linux.intel.com>2018-01-21 12:08:04 +0200
committerMika Westerberg <mika.westerberg@linux.intel.com>2018-03-09 12:54:11 +0300
commit9aaa3b8b4c56d24210acef37b7c800ca218c3d40 (patch)
treed974db9578dc47b0157aa65c30aa3ddfbbb9d9e5 /Documentation
parent14862ee308bbcaae0ac9927b6cbccccb51386b6c (diff)
downloadlinux-9aaa3b8b4c56d24210acef37b7c800ca218c3d40.tar.bz2
thunderbolt: Add support for preboot ACL
Preboot ACL is a mechanism that allows connecting Thunderbolt devices boot time in more secure way than the legacy Thunderbolt boot support. As with the legacy boot option, this also needs to be enabled from the BIOS before booting is allowed. Difference to the legacy mode is that the userspace software explicitly adds device UUIDs by sending a special message to the ICM firmware. Only the devices listed in the boot ACL are connected automatically during the boot. This works in both "user" and "secure" security levels. We implement this in Linux by exposing a new sysfs attribute (boot_acl) below each Thunderbolt domain. The userspace software can then update the full list as needed. Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Diffstat (limited to 'Documentation')
-rw-r--r--Documentation/ABI/testing/sysfs-bus-thunderbolt23
1 files changed, 23 insertions, 0 deletions
diff --git a/Documentation/ABI/testing/sysfs-bus-thunderbolt b/Documentation/ABI/testing/sysfs-bus-thunderbolt
index 1f145b727d76..4ed229789852 100644
--- a/Documentation/ABI/testing/sysfs-bus-thunderbolt
+++ b/Documentation/ABI/testing/sysfs-bus-thunderbolt
@@ -1,3 +1,26 @@
+What: /sys/bus/thunderbolt/devices/.../domainX/boot_acl
+Date: Jun 2018
+KernelVersion: 4.17
+Contact: thunderbolt-software@lists.01.org
+Description: Holds a comma separated list of device unique_ids that
+ are allowed to be connected automatically during system
+ startup (e.g boot devices). The list always contains
+ maximum supported number of unique_ids where unused
+ entries are empty. This allows the userspace software
+ to determine how many entries the controller supports.
+ If there are multiple controllers, each controller has
+ its own ACL list and size may be different between the
+ controllers.
+
+ System BIOS may have an option "Preboot ACL" or similar
+ that needs to be selected before this list is taken into
+ consideration.
+
+ Software always updates a full list in each write.
+
+ If a device is authorized automatically during boot its
+ boot attribute is set to 1.
+
What: /sys/bus/thunderbolt/devices/.../domainX/security
Date: Sep 2017
KernelVersion: 4.13