
Re: Package identification



Hi,

Wolf wrote:
> I have an illuminated keyboard, so I detected 3 changes when Thunderbolt
> security is set to user authorization.
>
> 1. the keyboard is activated and I can interact with EFI
> 2. the keyboard is switched off for a moment
> 3. the keyboard is switched on and I can interact with grub.
> 
> When thunderbolt security is turned OFF (not thunderbolt turned off!) all 3
> steps are skipped, I can use keyboard only after Linux image is loaded.

It's not easy to find information about Thunderbolt security.
This here seems to match somewhat:
  https://www.pugetsystems.com/support/guides/thunderbolt-security-to-the-rescue-bios-2205/

"User Authorization (SL1)" would be what works for you. (Although the
text talks of a "popup dialog box to explicitly allow the connection".)

But "No Security (SL0)" should let Thunderbolt devices just work
and "Secure Connection (SL2)" is unlikely to be called "OFF" in your
BIOS user interface.


> I think "security OFF" value read from EFI is ignored by the last
> bootloader, but "user authorization" is respected.

I understand from the sparse info that this is a firmware thing.
An unauthorized Thunderbolt device should simply not be connected
to the system bus (because it can access the memory directly, IIUC).

So I perceive it as counter-intuitive that "OFF" keeps EFI and GRUB
from using the device. The fact that it works with Linux lets me think
that the failure with EFI and GRUB is not an intended security feature.

-----------------------------------------------------------------------

Whatever, the Debian question is whether "apt upgrade" changed this EFI
setting forth and back.

One could accuse package "grub2" of not working well with "OFF".
But as long as the firmware does not work with the keyboard, GRUB has
a good excuse.


Have a nice day :)

Thomas

