Project author: gicmo

Project description:
⚡🐧 - Thunderbolt 3 device manager | This is a MIRROR of bolt from fd.o
Language: C
Project URL: git://github.com/gicmo/bolt.git
Created: 2017-07-23T18:14:08Z
Project community: https://github.com/gicmo/bolt

License: GNU Lesser General Public License v2.1

bolt

Userspace system daemon to enable security levels for Thunderbolt™
on GNU/Linux®.

Introduction

Thunderbolt™ is the brand name of a hardware interface developed by
Intel® that allows the connection of external peripherals to a
computer.

Devices connected via Thunderbolt can be DMA masters and thus read
system memory without interference of the operating system (or even
the CPU). Version 3 of the interface introduced 5 different security
levels, in order to mitigate the aforementioned security risk that
connected devices pose to the system. The security level is set by the
system firmware.

The five security levels are:

  • none: Security disabled, all devices will be fully functional
    on connect.
  • dponly: Only pass the display-port stream through to the
    connected device.
  • user: Connected devices need to be manually authorized by
    the user.
  • secure: As ‘user’, but also challenge the device with a secret
    key to verify its identity.
  • usbonly: One PCIe tunnel is created to a USB controller in a
    Thunderbolt dock; no other downstream PCIe tunnels are
    authorized (needs 4.17 kernel and recent hardware).

The Linux kernel, starting with version 4.13, provides an interface via
sysfs that enables userspace to query the security level and the status
of connected devices and, most importantly, to authorize devices if the
security level demands it.
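
As an added illustration (not part of bolt or its README), the following read-only script walks the sysfs interface described above and reports each domain's security level and each device's authorization state. The attribute names (security, authorized, unique_id, vendor_name, device_name) and the meaning of the authorized values 0/1/2 follow the kernel's Thunderbolt documentation; the function names and the demo tree are constructed for this example.

```sh
#!/bin/sh
# Added example, not bolt's code: read-only audit of the Thunderbolt sysfs tree.
# tb_attr, tb_audit and tb_demo_tree are names made up for this example.

# tb_attr FILE: print an attribute's content, or "?" if it cannot be read.
tb_attr() { cat "$1" 2>/dev/null || echo "?"; }

# tb_audit [ROOT]: print one line per domain and one per authorizable device.
tb_audit() {
    root=${1:-/sys/bus/thunderbolt/devices}
    for d in "$root"/domain*; do
        [ -r "$d/security" ] || continue
        level=$(tb_attr "$d/security")
        echo "domain ${d##*/} security=$level"
        # Level "none": every device is fully functional (DMA) on connect.
        if [ "$level" = none ]; then
            echo "WARN ${d##*/}: devices are never asked for authorization"
        fi
    done
    for dev in "$root"/*; do
        # Domains and ports have no "authorized" attribute; skip them.
        [ -r "$dev/authorized" ] || continue
        case $(tb_attr "$dev/authorized") in
            0) state=unauthorized ;;
            1) state=authorized ;;
            2) state=authorized-key-verified ;;
            *) state=unknown ;;
        esac
        echo "device ${dev##*/} $state uuid=$(tb_attr "$dev/unique_id")" \
             "name=$(tb_attr "$dev/vendor_name") $(tb_attr "$dev/device_name")"
    done
}

# tb_demo_tree DIR LEVEL: build a CONSTRUCTED sysfs-like tree for offline runs.
tb_demo_tree() {
    mkdir -p "$1/domain0" && echo "$2" > "$1/domain0/security"
    n=0
    for auth in 1 2 0; do   # host controller, enrolled dock, new device
        mkdir -p "$1/0-$n"
        echo "$auth" > "$1/0-$n/authorized"
        echo "00000000-0000-0000-0000-00000000000$n" > "$1/0-$n/unique_id"
        echo "ExampleVendor" > "$1/0-$n/vendor_name"
        echo "Device$n" > "$1/0-$n/device_name"
        n=$((n + 1))
    done
}

demo=$(mktemp -d) && tb_demo_tree "$demo" secure   # constructed sample data
tb_audit "$demo"
rm -rf "$demo"
```

Calling tb_audit with no argument reads the live tree under /sys/bus/thunderbolt/devices.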

boltd - the system daemon

The core of bolt is a system daemon (boltd) that interfaces with
sysfs and exposes devices via D-Bus to clients. It also has a database
of previously authorized devices (and their keys) and will, depending
on the policy set for the individual devices, automatically authorize
newly connected devices without user interaction. The daemon supports
syncing the devices database with the pre-boot access control list
firmware feature. It also adapts its behavior when IOMMU support is
detected.

boltctl - command line client

The boltctl command line client can be used to manage Thunderbolt devices
via boltd. It can list devices, monitor changes and initiate
authorization of devices.

Installation

The meson build system is used to configure and compile bolt.

    meson build           # configure bolt, use build as builddir
    ninja -C build        # compile it
    ninja -C build test   # run the tests

See INSTALL for more information, BUGS for how to
file issues and HACKING for how to contribute.