hc
2024-10-12 a5969cabbb4660eab42b6ef0412cbbd1200cf14d
kernel/Documentation/admin-guide/thunderbolt.rst
....@@ -1,6 +1,28 @@
1
-=============
2
- Thunderbolt
3
-=============
1
+.. SPDX-License-Identifier: GPL-2.0
2
+
3
+======================
4
+ USB4 and Thunderbolt
5
+======================
6
+USB4 is the public specification based on Thunderbolt 3 protocol with
7
+some differences at the register level among other things. Connection
8
+manager is an entity running on the host router (host controller)
9
+responsible for enumerating routers and establishing tunnels. A
10
+connection manager can be implemented either in firmware or software.
11
+Typically PCs come with a firmware connection manager for Thunderbolt 3
12
+and early USB4 capable systems. Apple systems on the other hand use
13
+software connection manager and the later USB4 compliant devices follow
14
+the suit.
15
+
16
+The Linux Thunderbolt driver supports both and can detect at runtime which
17
+connection manager implementation is to be used. To be on the safe side the
18
+software connection manager in Linux also advertises security level
19
+``user`` which means PCIe tunneling is disabled by default. The
20
+documentation below applies to both implementations with the exception that
21
+the software connection manager only supports ``user`` security level and
22
+is expected to be accompanied with an IOMMU based DMA protection.
23
+
24
+Security levels and how to use them
25
+-----------------------------------
426 The interface presented here is not meant for end users. Instead there
527 should be a userspace tool that handles all the low-level details, keeps
628 a database of the authorized devices and prompts users for new connections.
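Review bot: the two sentences on the software connection manager leave the relationship between the ``user`` security level and IOMMU DMA protection ambiguous: the first says ``user`` is advertised "to be on the safe side" so PCIe tunneling is off by default, the last says the software connection manager "is expected to be accompanied with an IOMMU based DMA protection". State which of the two is the primary protection and what the behaviour is on a system where the IOMMU is not enabled, so an administrator knows whether leaving new devices unauthorized is still necessary there. Wording: "Apple systems on the other hand use software connection manager and the later USB4 compliant devices follow the suit" should read "use a software connection manager and later USB4 compliant devices follow suit", and "based on Thunderbolt 3 protocol" wants the article ("the Thunderbolt 3 protocol"). Moving the "Security levels and how to use them" heading above the userspace-tool paragraph reads fine, since that paragraph and the DMA-attack warning that follows it describe the same interface.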
....@@ -18,8 +40,6 @@
1840 keep in mind that this bypasses the security levels and makes the system
1941 vulnerable to DMA attacks.
2042
21
-Security levels and how to use them
22
------------------------------------
2343 Starting with Intel Falcon Ridge Thunderbolt controller there are 4
2444 security levels available. Intel Titan Ridge added one more security level
2545 (usbonly). The reason for these is the fact that the connected devices can
....@@ -133,8 +153,28 @@
133153 the device without a key or write a new key and write 1 to the
134154 ``authorized`` file to get the new key stored on the device NVM.
135155
136
-Upgrading NVM on Thunderbolt device or host
137
--------------------------------------------
156
+DMA protection utilizing IOMMU
157
+------------------------------
158
+Recent systems from 2018 and forward with Thunderbolt ports may natively
159
+support IOMMU. This means that Thunderbolt security is handled by an IOMMU
160
+so connected devices cannot access memory regions outside of what is
161
+allocated for them by drivers. When Linux is running on such system it
162
+automatically enables IOMMU if not enabled by the user already. These
163
+systems can be identified by reading ``1`` from
164
+``/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection`` attribute.
165
+
166
+The driver does not do anything special in this case but because DMA
167
+protection is handled by the IOMMU, security levels (if set) are
168
+redundant. For this reason some systems ship with security level set to
169
+``none``. Other systems have security level set to ``user`` in order to
170
+support downgrade to older OS, so users who want to automatically
171
+authorize devices when IOMMU DMA protection is enabled can use the
172
+following ``udev`` rule::
173
+
174
+ ACTION=="add", SUBSYSTEM=="thunderbolt", ATTRS{iommu_dma_protection}=="1", ATTR{authorized}=="0", ATTR{authorized}="1"
175
+
176
+Upgrading NVM on Thunderbolt device, host or retimer
177
+----------------------------------------------------
138178 Since most of the functionality is handled in firmware running on a
139179 host controller or a device, it is important that the firmware can be
140180 upgraded to the latest where possible bugs in it have been fixed.
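Review bot: the ``udev`` rule that closes the new section authorizes every hot-plugged router on IOMMU-protected systems, which is functionally the same as running at security level ``none``; the text calls the levels "redundant" but should spell out that the IOMMU only bounds DMA, while authorizing still brings up the PCIe tunnel and binds drivers to whatever the device presents, so the rule is a policy decision rather than a no-op. Two details deserve a sentence each: ``ATTRS{iommu_dma_protection}`` (not ``ATTR``) is used because the attribute lives on the parent ``domainX``, and ``ATTR{authorized}=="0"`` keeps the rule from touching devices that are already authorized. "automatically enables IOMMU if not enabled by the user already" is ambiguous about a user who has explicitly disabled it on the kernel command line; say whether that choice is honored and whether ``iommu_dma_protection`` still reads ``1`` in that case, because the rule keys on that attribute alone. "in order to support downgrade to older OS" is unclear; something like "so that an older OS without IOMMU DMA protection booted on the same machine still runs at ``user``" says what is meant. Grammar: "on such system" should be "on such a system", and "Recent systems from 2018 and forward" reads better as "Systems from 2018 onward". Finally, the NVM heading now lists retimers, but the paragraph under it still says the firmware runs "on a host controller or a device"; add retimers there too.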
....@@ -145,9 +185,10 @@
145185
146186 `Thunderbolt Updates <https://thunderbolttechnology.net/updates>`_
147187
148
-Before you upgrade firmware on a device or host, please make sure it is a
149
-suitable upgrade. Failing to do that may render the device (or host) in a
150
-state where it cannot be used properly anymore without special tools!
188
+Before you upgrade firmware on a device, host or retimer, please make
189
+sure it is a suitable upgrade. Failing to do that may render the device
190
+in a state where it cannot be used properly anymore without special
191
+tools!
151192
152193 Host NVM upgrade on Apple Macs is not supported.
153194
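Review bot: the rewrite adds "retimer" to the first sentence but drops the "(or host)" parenthetical from the second, so the consequence is now stated only for "the device"; make the two agree, e.g. "may render the device, host or retimer in a state where it cannot be used properly anymore without special tools". Since "Host NVM upgrade on Apple Macs is not supported" follows directly, consider also stating whether retimer NVM upgrade has any platform restriction, or readers will assume it has none.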