Thunderbolt Security
The settings below configure the Thunderbolt adapter security settings within the operating system. Security Levels are not applicable or enforced in the Pre-boot environment.
• No Security: Automatically connect to devices plugged into the Thunderbolt port.
• User Authorization: Approval is required for any new devices connected to the Thunderbolt port.
• Secure Connect: The Thunderbolt adapter port will only allow connection to devices that have been configured with a shared key.
NOTE: The first time a Thunderbolt peripheral's Unique ID is granted "always connect" PCIe access, a secure encrypted key is written to the peripheral controller's non-volatile memory and added to the host PC's ACL. Each time a peripheral's Unique ID is found on the ACL, the PC's controller sends a security challenge, and the response from the peripheral is verified before the PCIe connection is allowed. If the response is not valid, the user receives a connection permission prompt. This capability, when enabled, prevents pre-SL2-capable peripherals from connecting to a PC, thereby preventing potential hardware spoofing of an approved device to generate a DMA exploit (beyond what is prevented with SL1).
• DisplayPort Only: Automatically connect to DisplayPort devices only. No Thunderbolt adapter or PCIe devices are allowed to connect.
In the BIOS of a Dell Thunderbolt-enabled PC, you will be able to configure the security settings of the Thunderbolt connection. You can find the configuration options in the BIOS path: System Configuration > USB / Thunderbolt Configuration.
Table 2. Thunderbolt configuration (Security setting – Description)
No security – Allow legacy Thunderbolt devices to auto-connect – the CM auto connects a new device plugged in.
User Authorization – Allow User Notification devices at minimum – the CM requests connection approval from the host SW and auto-approval may be given based on the Unique ID of the connecting device.
Secure Connect – Allow one-time saved key devices at minimum – the CM requests connection approval from the host SW and auto-approval is only given if the host challenge to the device is acceptable.
DisplayPort Only – Allow DisplayPort sinks to be connected (re-driver or DP tunnel, no PCIe tunneling).
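As an added illustration, not part of the Dell document, the following Python model shows why Secure Connect catches a spoofed Unique ID that User Authorization accepts: the host keeps the ACL as a dict of Unique ID to saved key, and a device on the ACL must still answer a random challenge. HMAC-SHA256 is used here as a stand-in for the controller's challenge/response; the actual Thunderbolt key algorithm is not stated on this page and is an assumption of this model.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Peripheral:
    uid: str                      # Thunderbolt Unique ID
    pcie: bool = True             # False for a pure DisplayPort sink
    key: Optional[bytes] = None   # written to NVM on first "always connect"

    def respond(self, challenge: bytes) -> bytes:
        # A pre-SL2 or spoofed device holds no saved key, so it cannot answer.
        if self.key is None:
            return bytes(32)
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

@dataclass
class Host:
    level: str
    acl: Dict[str, bytes] = field(default_factory=dict)  # uid -> saved key

    def always_connect(self, dev: Peripheral) -> None:
        # First "always connect" approval: provision a key and record the UID.
        dev.key = os.urandom(32)
        self.acl[dev.uid] = dev.key

    def decide(self, dev: Peripheral) -> str:
        if not dev.pcie:
            return "connect"      # DisplayPort tunnel is allowed at every level
        if self.level == "DisplayPort Only":
            return "deny"         # no PCIe tunneling at all
        if self.level == "No Security":
            return "connect"
        if self.level == "User Authorization":
            return "connect" if dev.uid in self.acl else "prompt"
        # Secure Connect: a known UID is not enough, the device must pass a challenge
        key = self.acl.get(dev.uid)
        if key is None:
            return "prompt"
        challenge = os.urandom(32)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, dev.respond(challenge))
        return "connect" if ok else "prompt"
```

The spoofed device constructed in the checks below reuses an approved Unique ID but has no provisioned key, which is exactly the case the NOTE above describes.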
Thunderbolt Settings and Security Options