Thunderbolt Security
The settings below configure the Thunderbolt adapter security settings within the operating system. Security Levels are not applicable or enforced in the Pre-boot environment.
• No Security: Automatically connect to devices plugged into the Thunderbolt port.
• User Authorization: Approval is required for any new devices connected to the Thunderbolt port.
• Secure Connect: The Thunderbolt adapter port will only allow connection to devices that have been configured with a shared key.
NOTE: The first time a Thunderbolt peripheral's Unique ID is granted "always connect" PCIe access, a secure encrypted key is written to the peripheral controller's non-volatile memory and added to the host PC's ACL. Each time a peripheral's Unique ID is found on the ACL, the PC's controller sends a security challenge, and the peripheral's response is verified before the PCIe connection is allowed. If the response is not valid, the user receives a connection permission prompt. This capability, when enabled, prevents pre-SL2 capable peripherals from connecting to a PC, thereby preventing potential HW spoofing of an approved device to mount a DMA exploit (beyond what is already prevented with SL1).
• DisplayPort Only: Automatically connect to DisplayPort devices only. No Thunderbolt adapter or PCIe devices are allowed to connect.
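The Secure Connect (SL2) challenge-response flow from the NOTE above, modelled as an added example that is not Dell's or the Thunderbolt controller's code: the host keeps an ACL of Unique ID to shared key, writes the key into the peripheral's NVM on the first "always connect" approval, and on later connections only auto-approves PCIe when the challenge response verifies. HMAC-SHA256, the 32-byte key and challenge sizes, and the class and method names are assumptions for illustration; the page does not name the algorithm. It also models SL1 (User Authorization) beside SL2 to show why a device that merely presents an approved Unique ID is accepted under SL1 but prompted under SL2.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32        # assumed shared-key size (illustration only)
CHALLENGE_LEN = 32  # assumed challenge size (illustration only)


class Peripheral:
    """A Thunderbolt device; nvm_key is None until the host provisions it."""

    def __init__(self, unique_id: str) -> None:
        self.unique_id = unique_id
        self.nvm_key = None  # written to the controller's NVM on first approval

    def respond(self, challenge: bytes) -> bytes:
        # A pre-SL2 device (or a spoofed Unique ID) holds no key and cannot answer.
        if self.nvm_key is None:
            return b""
        return hmac.new(self.nvm_key, challenge, hashlib.sha256).digest()


class HostController:
    """Host side: ACL of Unique ID -> shared key, plus SL1 and SL2 decisions."""

    def __init__(self) -> None:
        self.acl: dict[str, bytes] = {}

    def approve_always_connect(self, dev: Peripheral) -> None:
        # First "always connect" grant: generate a key, write it to the device
        # NVM and record the Unique ID -> key pair on the host ACL.
        key = secrets.token_bytes(KEY_LEN)
        dev.nvm_key = key
        self.acl[dev.unique_id] = key

    def connect_sl1(self, dev: Peripheral) -> str:
        # User Authorization: auto-approval is based on the Unique ID alone.
        return "pcie_allowed" if dev.unique_id in self.acl else "prompt"

    def connect_sl2(self, dev: Peripheral) -> str:
        # Secure Connect: a listed Unique ID is still challenged; PCIe is only
        # allowed when the response matches, otherwise the user is prompted.
        key = self.acl.get(dev.unique_id)
        if key is None:
            return "prompt"
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, dev.respond(challenge)):
            return "pcie_allowed"
        return "prompt"
```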
In the BIOS of a Dell Thunderbolt-enabled PC, you can configure the security settings of the Thunderbolt connection. You can find the configuration options in the BIOS path: System Configuration > USB / Thunderbolt Configuration.
Thunderbolt Settings and Security Options
No security: Allow legacy Thunderbolt devices to auto-connect – the CM (connection manager) auto connects a new device plugged in.
User Authorization: Allow User Notification devices at minimum – the CM requests connection approval from the host SW and auto-approval may be given based on the Unique ID of the connecting device.
Secure Connect: Allow one-time saved key devices at minimum – the CM requests connection approval from the host SW and auto-approval is only given if the host challenge to the device is acceptable.
DisplayPort Only: Allow DisplayPort sinks to be connected (re-driver or DP tunnel, no PCIe tunneling).