In my previous post, I explained how I install Arch on a Thinkpad X1 Carbon. This laptop has Thunderbolt 3 ports and I use a Thunderbolt 3 dock to connect monitor, keyboard, printer, etc with only 1 cable.

As per the Arch Wiki

Thunderbolt Uses DMA (Direct Memory Access) which can be a security risk. As such, Modern Thunderbolt devices implement security modes that require user authorization when connecting devices - this is to protect from malicious devices performing DMA attacks or otherwise interfering with the hardware

In a full GUI such as GNOME, you can authorise thunderbolt devices straight from settings. With my setup, I need to do this separately.

Bolt

Bolt is a CLI application that you can use to view and authorise connected Thunderbolt devices.

As always, install this from your package manager.

1
pacman -S bolt

To use bolt, you call boltctl

As you can see below, bolt has several options

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
boltctl -h
Usage:
  boltctl [OPTION…] [COMMAND]

Commands:
  authorize        Authorize a device
  config           Get or set global, device or domain properties
  domains          List the active thunderbolt domains
  enroll           Authorize and store a device in the database
  forget           Remove a stored device from the database
  info             Show information about a device
  list             List connected and stored devices
  monitor          Listen and print changes
  power            Force power configuration of the controller

Help Options:
  -h, --help       Show help options

Application Options:
  --version        Print version information and exit
  -U, --uuids      How to format uuids [*full, short, alias]

First, make sure your thunderbolt device is plugged in and on. Run boltctl list to get details of the device. You will need to copy the UUID.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
boltctl list
 ● CalDigit, Inc. TS3 Plus
   ├─ type:          peripheral
   ├─ name:          TS3 Plus
   ├─ vendor:        CalDigit, Inc.
   ├─ uuid:          0095a0c5-f126-3f00-f3ff-ff523f3fffffff
   ├─ status:        connected
   │  ├─ domain:     da010970-03b0-h718-239f-7c024512231a
   │  └─ authflags:  none
   ├─ connected:     Wed 12 Feb 2020 00:00:00 UTC
   └─ stored:        no

Next run boltctl authorise passing the UUID.

1
boltctl authorize <UUID>

Finally, re-running the list command, you will see the timestamp of the authorization.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
[andrew@falcon ~]$ boltctl list
 ● CalDigit, Inc. TS3 Plus
   ├─ type:          peripheral
   ├─ name:          TS3 Plus
   ├─ vendor:        CalDigit, Inc.
   ├─ uuid:          0095a0c5-f126-3f00-f3ff-ff523f3fffffff
   ├─ status:        authorized
   │  ├─ domain:     da010970-03b0-h718-239f-7c024512231a
   │  └─ authflags:  none
   ├─ authorized:    Wed 12 Feb 2020 00:00:00 UTC
   ├─ connected:     Wed 12 Feb 2020 00:00:00 UTC
   └─ stored:        no

The device is now ready to use