e545f0d8a5
If secure authentication of a devices fails, either because the device already has another key uploaded, or there is some other error sending challenge to the device, and the user only wants to approve the device just once (without a new key being uploaded to the device) the current implementation does not allow this because the key cannot be cleared once set even if we allow it to be changed. Make this scenario possible and allow clearing the key by writing empty string to the key sysfs file. Signed-off-by: Yehezkel Bernat <yehezkel.bernat@intel.com> Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
113 lines
4.2 KiB
Plaintext
113 lines
4.2 KiB
Plaintext
What: /sys/bus/thunderbolt/devices/.../domainX/security
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: This attribute holds current Thunderbolt security level
|
|
set by the system BIOS. Possible values are:
|
|
|
|
none: All devices are automatically authorized
|
|
user: Devices are only authorized based on writing
|
|
appropriate value to the authorized attribute
|
|
secure: Require devices that support secure connect at
|
|
minimum. User needs to authorize each device.
|
|
dponly: Automatically tunnel Display port (and USB). No
|
|
PCIe tunnels are created.
|
|
|
|
What: /sys/bus/thunderbolt/devices/.../authorized
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: This attribute is used to authorize Thunderbolt devices
|
|
after they have been connected. If the device is not
|
|
authorized, no devices such as PCIe and Display port are
|
|
available to the system.
|
|
|
|
Contents of this attribute will be 0 when the device is not
|
|
yet authorized.
|
|
|
|
Possible values are supported:
|
|
1: The device will be authorized and connected
|
|
|
|
When key attribute contains 32 byte hex string the possible
|
|
values are:
|
|
1: The 32 byte hex string is added to the device NVM and
|
|
the device is authorized.
|
|
2: Send a challenge based on the 32 byte hex string. If the
|
|
challenge response from device is valid, the device is
|
|
authorized. In case of failure errno will be ENOKEY if
|
|
the device did not contain a key at all, and
|
|
EKEYREJECTED if the challenge response did not match.
|
|
|
|
What: /sys/bus/thunderbolt/devices/.../key
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: When a devices supports Thunderbolt secure connect it will
|
|
have this attribute. Writing 32 byte hex string changes
|
|
authorization to use the secure connection method instead.
|
|
Writing an empty string clears the key and regular connection
|
|
method can be used again.
|
|
|
|
What: /sys/bus/thunderbolt/devices/.../device
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: This attribute contains id of this device extracted from
|
|
the device DROM.
|
|
|
|
What: /sys/bus/thunderbolt/devices/.../device_name
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: This attribute contains name of this device extracted from
|
|
the device DROM.
|
|
|
|
What: /sys/bus/thunderbolt/devices/.../vendor
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: This attribute contains vendor id of this device extracted
|
|
from the device DROM.
|
|
|
|
What: /sys/bus/thunderbolt/devices/.../vendor_name
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: This attribute contains vendor name of this device extracted
|
|
from the device DROM.
|
|
|
|
What: /sys/bus/thunderbolt/devices/.../unique_id
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: This attribute contains unique_id string of this device.
|
|
This is either read from hardware registers (UUID on
|
|
newer hardware) or based on UID from the device DROM.
|
|
Can be used to uniquely identify particular device.
|
|
|
|
What: /sys/bus/thunderbolt/devices/.../nvm_version
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: If the device has upgradeable firmware the version
|
|
number is available here. Format: %x.%x, major.minor.
|
|
If the device is in safe mode reading the file returns
|
|
-ENODATA instead as the NVM version is not available.
|
|
|
|
What: /sys/bus/thunderbolt/devices/.../nvm_authenticate
|
|
Date: Sep 2017
|
|
KernelVersion: 4.13
|
|
Contact: thunderbolt-software@lists.01.org
|
|
Description: When new NVM image is written to the non-active NVM
|
|
area (through non_activeX NVMem device), the
|
|
authentication procedure is started by writing 1 to
|
|
this file. If everything goes well, the device is
|
|
restarted with the new NVM firmware. If the image
|
|
verification fails an error code is returned instead.
|
|
|
|
When read holds status of the last authentication
|
|
operation if an error occurred during the process. This
|
|
is directly the status value from the DMA configuration
|
|
based mailbox before the device is power cycled. Writing
|
|
0 here clears the status.
|