9sphinx.addnodesdocument)}( rawsourcechildren]( translations LanguagesNode)}(hhh](h pending_xref)}(hhh]docutils.nodesTextChinese (Simplified)}parenthsba attributes}(ids]classes]names]dupnames]backrefs] refdomainstdreftypedoc reftarget+/translations/zh_CN/admin-guide/thunderboltmodnameN classnameN refexplicitutagnamehhh ubh)}(hhh]hChinese (Traditional)}hh2sbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget+/translations/zh_TW/admin-guide/thunderboltmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hItalian}hhFsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget+/translations/it_IT/admin-guide/thunderboltmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hJapanese}hhZsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget+/translations/ja_JP/admin-guide/thunderboltmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hKorean}hhnsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget+/translations/ko_KR/admin-guide/thunderboltmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hSpanish}hhsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget+/translations/sp_SP/admin-guide/thunderboltmodnameN classnameN refexplicituh1hhh ubeh}(h]h ]h"]h$]h&]current_languageEnglishuh1h hh _documenthsourceNlineNubhcomment)}(h SPDX-License-Identifier: GPL-2.0h]h SPDX-License-Identifier: GPL-2.0}hhsbah}(h]h ]h"]h$]h&] xml:spacepreserveuh1hhhhhhE/var/lib/git/docbuild/linux/Documentation/admin-guide/thunderbolt.rsthKubhsection)}(hhh](htitle)}(hUSB4 and Thunderbolth]hUSB4 and Thunderbolt}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhhhhhKubh paragraph)}(hX1USB4 is the public specification based on Thunderbolt 3 protocol with some differences at the register level among other things. Connection manager is an entity running on the host router (host controller) responsible for enumerating routers and establishing tunnels. A connection manager can be implemented either in firmware or software. Typically PCs come with a firmware connection manager for Thunderbolt 3 and early USB4 capable systems. Apple systems on the other hand use software connection manager and the later USB4 compliant devices follow the suit.h]hX1USB4 is the public specification based on Thunderbolt 3 protocol with some differences at the register level among other things. Connection manager is an entity running on the host router (host controller) responsible for enumerating routers and establishing tunnels. A connection manager can be implemented either in firmware or software. Typically PCs come with a firmware connection manager for Thunderbolt 3 and early USB4 capable systems. Apple systems on the other hand use software connection manager and the later USB4 compliant devices follow the suit.}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hXThe Linux Thunderbolt driver supports both and can detect at runtime which connection manager implementation is to be used. To be on the safe side the software connection manager in Linux also advertises security level ``user`` which means PCIe tunneling is disabled by default. The documentation below applies to both implementations with the exception that the software connection manager only supports ``user`` security level and is expected to be accompanied with an IOMMU based DMA protection.h](hThe Linux Thunderbolt driver supports both and can detect at runtime which connection manager implementation is to be used. To be on the safe side the software connection manager in Linux also advertises security level }(hhhhhNhNubhliteral)}(h``user``h]huser}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhubh which means PCIe tunneling is disabled by default. The documentation below applies to both implementations with the exception that the software connection manager only supports }(hhhhhNhNubh)}(h``user``h]huser}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhubhU security level and is expected to be accompanied with an IOMMU based DMA protection.}(hhhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hhh](h)}(h#Security levels and how to use themh]h#Security levels and how to use them}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj hhhhhKubh)}(hThe interface presented here is not meant for end users. Instead there should be a userspace tool that handles all the low-level details, keeps a database of the authorized devices and prompts users for new connections.h]hThe interface presented here is not meant for end users. Instead there should be a userspace tool that handles all the low-level details, keeps a database of the authorized devices and prompts users for new connections.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj hhubh)}(hMore details about the sysfs interface for Thunderbolt devices can be found in Documentation/ABI/testing/sysfs-bus-thunderbolt.h]hMore details about the sysfs interface for Thunderbolt devices can be found in Documentation/ABI/testing/sysfs-bus-thunderbolt.}(hj,hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj hhubh)}(hThose users who just want to connect any device without any sort of manual work can add following line to ``/etc/udev/rules.d/99-local.rules``::h](hjThose users who just want to connect any device without any sort of manual work can add following line to }(hj:hhhNhNubh)}(h$``/etc/udev/rules.d/99-local.rules``h]h /etc/udev/rules.d/99-local.rules}(hjBhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj:ubh:}(hj:hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhK!hj hhubh literal_block)}(hTACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"h]hTACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"}hj\sbah}(h]h ]h"]h$]h&]hhuh1jZhhhK%hj hhubh)}(hThis will authorize all devices automatically when they appear. However, keep in mind that this bypasses the security levels and makes the system vulnerable to DMA attacks.h]hThis will authorize all devices automatically when they appear. However, keep in mind that this bypasses the security levels and makes the system vulnerable to DMA attacks.}(hjjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK'hj hhubh)}(hXStarting with Intel Falcon Ridge Thunderbolt controller there are 4 security levels available. Intel Titan Ridge added one more security level (usbonly). The reason for these is the fact that the connected devices can be DMA masters and thus read contents of the host memory without CPU and OS knowing about it. There are ways to prevent this by setting up an IOMMU but it is not always available for various reasons.h]hXStarting with Intel Falcon Ridge Thunderbolt controller there are 4 security levels available. Intel Titan Ridge added one more security level (usbonly). The reason for these is the fact that the connected devices can be DMA masters and thus read contents of the host memory without CPU and OS knowing about it. There are ways to prevent this by setting up an IOMMU but it is not always available for various reasons.}(hjxhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK+hj hhubh)}(htSome USB4 systems have a BIOS setting to disable PCIe tunneling. This is treated as another security level (nopcie).h]htSome USB4 systems have a BIOS setting to disable PCIe tunneling. This is treated as another security level (nopcie).}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK2hj hhubh)}(h#The security levels are as follows:h]h#The security levels are as follows:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK5hj hhubh block_quote)}(hXnone All devices are automatically connected by the firmware. No user approval is needed. In BIOS settings this is typically called *Legacy mode*. user User is asked whether the device is allowed to be connected. Based on the device identification information available through ``/sys/bus/thunderbolt/devices``, the user then can make the decision. In BIOS settings this is typically called *Unique ID*. secure User is asked whether the device is allowed to be connected. In addition to UUID the device (if it supports secure connect) is sent a challenge that should match the expected one based on a random key written to the ``key`` sysfs attribute. In BIOS settings this is typically called *One time saved key*. dponly The firmware automatically creates tunnels for Display Port and USB. No PCIe tunneling is done. In BIOS settings this is typically called *Display Port Only*. usbonly The firmware automatically creates tunnels for the USB controller and Display Port in a dock. All PCIe links downstream of the dock are removed. nopcie PCIe tunneling is disabled/forbidden from the BIOS. Available in some USB4 systems. h]hdefinition_list)}(hhh](hdefinition_list_item)}(hnone All devices are automatically connected by the firmware. No user approval is needed. In BIOS settings this is typically called *Legacy mode*. h](hterm)}(hnoneh]hnone}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK:hjubh definition)}(hhh]h)}(hAll devices are automatically connected by the firmware. No user approval is needed. In BIOS settings this is typically called *Legacy mode*.h](hAll devices are automatically connected by the firmware. No user approval is needed. In BIOS settings this is typically called }(hjhhhNhNubhemphasis)}(h *Legacy mode*h]h Legacy mode}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhK8hjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhhhK:hjubj)}(hXuser User is asked whether the device is allowed to be connected. Based on the device identification information available through ``/sys/bus/thunderbolt/devices``, the user then can make the decision. In BIOS settings this is typically called *Unique ID*. h](j)}(huserh]huser}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK@hjubj)}(hhh]h)}(hUser is asked whether the device is allowed to be connected. Based on the device identification information available through ``/sys/bus/thunderbolt/devices``, the user then can make the decision. In BIOS settings this is typically called *Unique ID*.h](h~User is asked whether the device is allowed to be connected. Based on the device identification information available through }(hj hhhNhNubh)}(h ``/sys/bus/thunderbolt/devices``h]h/sys/bus/thunderbolt/devices}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj ubhQ, the user then can make the decision. In BIOS settings this is typically called }(hj hhhNhNubj)}(h *Unique ID*h]h Unique ID}(hj%hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubh.}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhK=hjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhhhK@hjubj)}(hX8secure User is asked whether the device is allowed to be connected. In addition to UUID the device (if it supports secure connect) is sent a challenge that should match the expected one based on a random key written to the ``key`` sysfs attribute. In BIOS settings this is typically called *One time saved key*. h](j)}(hsecureh]hsecure}(hjMhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKGhjIubj)}(hhh]h)}(hX0User is asked whether the device is allowed to be connected. In addition to UUID the device (if it supports secure connect) is sent a challenge that should match the expected one based on a random key written to the ``key`` sysfs attribute. In BIOS settings this is typically called *One time saved key*.h](hUser is asked whether the device is allowed to be connected. In addition to UUID the device (if it supports secure connect) is sent a challenge that should match the expected one based on a random key written to the }(hj^hhhNhNubh)}(h``key``h]hkey}(hjfhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj^ubh< sysfs attribute. In BIOS settings this is typically called }(hj^hhhNhNubj)}(h*One time saved key*h]hOne time saved key}(hjxhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj^ubh.}(hj^hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKChj[ubah}(h]h ]h"]h$]h&]uh1jhjIubeh}(h]h ]h"]h$]h&]uh1jhhhKGhjubj)}(hdponly The firmware automatically creates tunnels for Display Port and USB. No PCIe tunneling is done. In BIOS settings this is typically called *Display Port Only*. h](j)}(hdponlyh]hdponly}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKLhjubj)}(hhh]h)}(hThe firmware automatically creates tunnels for Display Port and USB. No PCIe tunneling is done. In BIOS settings this is typically called *Display Port Only*.h](hThe firmware automatically creates tunnels for Display Port and USB. No PCIe tunneling is done. In BIOS settings this is typically called }(hjhhhNhNubj)}(h*Display Port Only*h]hDisplay Port Only}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKJhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhhhKLhjubj)}(husbonly The firmware automatically creates tunnels for the USB controller and Display Port in a dock. All PCIe links downstream of the dock are removed. h](j)}(husbonlyh]husbonly}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKQhjubj)}(hhh]h)}(hThe firmware automatically creates tunnels for the USB controller and Display Port in a dock. All PCIe links downstream of the dock are removed.h]hThe firmware automatically creates tunnels for the USB controller and Display Port in a dock. All PCIe links downstream of the dock are removed.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKOhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhhhKQhjubj)}(h[nopcie PCIe tunneling is disabled/forbidden from the BIOS. Available in some USB4 systems. h](j)}(hnopcieh]hnopcie}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKUhj ubj)}(hhh]h)}(hSPCIe tunneling is disabled/forbidden from the BIOS. Available in some USB4 systems.h]hSPCIe tunneling is disabled/forbidden from the BIOS. Available in some USB4 systems.}(hj!hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKThjubah}(h]h ]h"]h$]h&]uh1jhj ubeh}(h]h ]h"]h$]h&]uh1jhhhKUhjubeh}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jhhhK7hj hhubh)}(hThe current security level can be read from ``/sys/bus/thunderbolt/devices/domainX/security`` where ``domainX`` is the Thunderbolt domain the host controller manages. There is typically one domain per Thunderbolt host controller.h](h,The current security level can be read from }(hjGhhhNhNubh)}(h1``/sys/bus/thunderbolt/devices/domainX/security``h]h-/sys/bus/thunderbolt/devices/domainX/security}(hjOhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjGubh where }(hjGhhhNhNubh)}(h ``domainX``h]hdomainX}(hjahhhNhNubah}(h]h ]h"]h$]h&]uh1hhjGubhv is the Thunderbolt domain the host controller manages. There is typically one domain per Thunderbolt host controller.}(hjGhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKWhj hhubh)}(hIf the security level reads as ``user`` or ``secure`` the connected device must be authorized by the user before PCIe tunnels are created (e.g the PCIe device appears).h](hIf the security level reads as }(hjyhhhNhNubh)}(h``user``h]huser}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjyubh or }(hjyhhhNhNubh)}(h ``secure``h]hsecure}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjyubhs the connected device must be authorized by the user before PCIe tunnels are created (e.g the PCIe device appears).}(hjyhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhK\hj hhubh)}(hEach Thunderbolt device plugged in will appear in sysfs under ``/sys/bus/thunderbolt/devices``. The device directory carries information that can be used to identify the particular device, including its name and UUID.h](h>Each Thunderbolt device plugged in will appear in sysfs under }(hjhhhNhNubh)}(h ``/sys/bus/thunderbolt/devices``h]h/sys/bus/thunderbolt/devices}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh{. The device directory carries information that can be used to identify the particular device, including its name and UUID.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhK`hj hhubeh}(h]#security-levels-and-how-to-use-themah ]h"]#security levels and how to use themah$]h&]uh1hhhhhhhhKubh)}(hhh](h)}(hAAuthorizing devices when security level is ``user`` or ``secure``h](h+Authorizing devices when security level is }(hjhhhNhNubh)}(h``user``h]huser}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh or }(hjhhhNhNubh)}(h ``secure``h]hsecure}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhjhhhhhKfubh)}(h@When a device is plugged in it will appear in sysfs as follows::h]h?When a device is plugged in it will appear in sysfs as follows:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKghjhhubj[)}(hX}/sys/bus/thunderbolt/devices/0-1/authorized - 0 /sys/bus/thunderbolt/devices/0-1/device - 0x8004 /sys/bus/thunderbolt/devices/0-1/device_name - Thunderbolt to FireWire Adapter /sys/bus/thunderbolt/devices/0-1/vendor - 0x1 /sys/bus/thunderbolt/devices/0-1/vendor_name - Apple, Inc. /sys/bus/thunderbolt/devices/0-1/unique_id - e0376f00-0300-0100-ffff-ffffffffffffh]hX}/sys/bus/thunderbolt/devices/0-1/authorized - 0 /sys/bus/thunderbolt/devices/0-1/device - 0x8004 /sys/bus/thunderbolt/devices/0-1/device_name - Thunderbolt to FireWire Adapter /sys/bus/thunderbolt/devices/0-1/vendor - 0x1 /sys/bus/thunderbolt/devices/0-1/vendor_name - Apple, Inc. /sys/bus/thunderbolt/devices/0-1/unique_id - e0376f00-0300-0100-ffff-ffffffffffff}hjsbah}(h]h ]h"]h$]h&]hhuh1jZhhhKihjhhubh)}(hThe ``authorized`` attribute reads 0 which means no PCIe tunnels are created yet. The user can authorize the device by simply entering::h](hThe }(hj hhhNhNubh)}(h``authorized``h]h authorized}(hj(hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj ubhu attribute reads 0 which means no PCIe tunnels are created yet. The user can authorize the device by simply entering:}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKphjhhubj[)}(h6# echo 1 > /sys/bus/thunderbolt/devices/0-1/authorizedh]h6# echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized}hj@sbah}(h]h ]h"]h$]h&]hhuh1jZhhhKshjhhubh)}(hBThis will create the PCIe tunnels and the device is now connected.h]hBThis will create the PCIe tunnels and the device is now connected.}(hjNhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKuhjhhubh)}(hIf the device supports secure connect, and the domain security level is set to ``secure``, it has an additional attribute ``key`` which can hold a random 32-byte value used for authorization and challenging the device in future connects::h](hOIf the device supports secure connect, and the domain security level is set to }(hj\hhhNhNubh)}(h ``secure``h]hsecure}(hjdhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj\ubh!, it has an additional attribute }(hj\hhhNhNubh)}(h``key``h]hkey}(hjvhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj\ubhl which can hold a random 32-byte value used for authorization and challenging the device in future connects:}(hj\hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKwhjhhubj[)}(hX/sys/bus/thunderbolt/devices/0-3/authorized - 0 /sys/bus/thunderbolt/devices/0-3/device - 0x305 /sys/bus/thunderbolt/devices/0-3/device_name - AKiTiO Thunder3 PCIe Box /sys/bus/thunderbolt/devices/0-3/key - /sys/bus/thunderbolt/devices/0-3/vendor - 0x41 /sys/bus/thunderbolt/devices/0-3/vendor_name - inXtron /sys/bus/thunderbolt/devices/0-3/unique_id - dc010000-0000-8508-a22d-32ca6421cb16h]hX/sys/bus/thunderbolt/devices/0-3/authorized - 0 /sys/bus/thunderbolt/devices/0-3/device - 0x305 /sys/bus/thunderbolt/devices/0-3/device_name - AKiTiO Thunder3 PCIe Box /sys/bus/thunderbolt/devices/0-3/key - /sys/bus/thunderbolt/devices/0-3/vendor - 0x41 /sys/bus/thunderbolt/devices/0-3/vendor_name - inXtron /sys/bus/thunderbolt/devices/0-3/unique_id - dc010000-0000-8508-a22d-32ca6421cb16}hjsbah}(h]h ]h"]h$]h&]hhuh1jZhhhK|hjhhubh)}(h#Notice the key is empty by default.h]h#Notice the key is empty by default.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hIf the user does not want to use secure connect they can just ``echo 1`` to the ``authorized`` attribute and the PCIe tunnels will be created in the same way as in the ``user`` security level.h](h>If the user does not want to use secure connect they can just }(hjhhhNhNubh)}(h ``echo 1``h]hecho 1}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh to the }(hjhhhNhNubh)}(h``authorized``h]h authorized}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubhJ attribute and the PCIe tunnels will be created in the same way as in the }(hjhhhNhNubh)}(h``user``h]huser}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh security level.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hIf the user wants to use secure connect, the first time the device is plugged a key needs to be created and sent to the device::h]hIf the user wants to use secure connect, the first time the device is plugged a key needs to be created and sent to the device:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubj[)}(h# key=$(openssl rand -hex 32) # echo $key > /sys/bus/thunderbolt/devices/0-3/key # echo 1 > /sys/bus/thunderbolt/devices/0-3/authorizedh]h# key=$(openssl rand -hex 32) # echo $key > /sys/bus/thunderbolt/devices/0-3/key # echo 1 > /sys/bus/thunderbolt/devices/0-3/authorized}hjsbah}(h]h ]h"]h$]h&]hhuh1jZhhhKhjhhubh)}(hkNow the device is connected (PCIe tunnels are created) and in addition the key is stored on the device NVM.h]hkNow the device is connected (PCIe tunnels are created) and in addition the key is stored on the device NVM.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hbNext time the device is plugged in the user can verify (challenge) the device using the same key::h]haNext time the device is plugged in the user can verify (challenge) the device using the same key:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubj[)}(hi# echo $key > /sys/bus/thunderbolt/devices/0-3/key # echo 2 > /sys/bus/thunderbolt/devices/0-3/authorizedh]hi# echo $key > /sys/bus/thunderbolt/devices/0-3/key # echo 2 > /sys/bus/thunderbolt/devices/0-3/authorized}hj&sbah}(h]h ]h"]h$]h&]hhuh1jZhhhKhjhhubh)}(hIf the challenge the device returns back matches the one we expect based on the key, the device is connected and the PCIe tunnels are created. However, if the challenge fails no tunnels are created and error is returned to the user.h]hIf the challenge the device returns back matches the one we expect based on the key, the device is connected and the PCIe tunnels are created. However, if the challenge fails no tunnels are created and error is returned to the user.}(hj4hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hIf the user still wants to connect the device they can either approve the device without a key or write a new key and write 1 to the ``authorized`` file to get the new key stored on the device NVM.h](hIf the user still wants to connect the device they can either approve the device without a key or write a new key and write 1 to the }(hjBhhhNhNubh)}(h``authorized``h]h authorized}(hjJhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjBubh2 file to get the new key stored on the device NVM.}(hjBhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjhhubeh}(h]9authorizing-devices-when-security-level-is-user-or-secureah ]h"]9authorizing devices when security level is user or secureah$]h&]uh1hhhhhhhhKfubh)}(hhh](h)}(hDe-authorizing devicesh]hDe-authorizing devices}(hjmhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjjhhhhhKubh)}(hXIt is possible to de-authorize devices by writing ``0`` to their ``authorized`` attribute. This requires support from the connection manager implementation and can be checked by reading domain ``deauthorization`` attribute. If it reads ``1`` then the feature is supported.h](h2It is possible to de-authorize devices by writing }(hj{hhhNhNubh)}(h``0``h]h0}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj{ubh to their }(hj{hhhNhNubh)}(h``authorized``h]h authorized}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj{ubhr attribute. This requires support from the connection manager implementation and can be checked by reading domain }(hj{hhhNhNubh)}(h``deauthorization``h]hdeauthorization}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj{ubh attribute. If it reads }(hj{hhhNhNubh)}(h``1``h]h1}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj{ubh then the feature is supported.}(hj{hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjjhhubh)}(hXWhen a device is de-authorized the PCIe tunnel from the parent device PCIe downstream (or root) port to the device PCIe upstream port is torn down. This is essentially the same thing as PCIe hot-remove and the PCIe toplogy in question will not be accessible anymore until the device is authorized again. If there is storage such as NVMe or similar involved, there is a risk for data loss if the filesystem on that storage is not properly shut down. You have been warned!h]hXWhen a device is de-authorized the PCIe tunnel from the parent device PCIe downstream (or root) port to the device PCIe upstream port is torn down. This is essentially the same thing as PCIe hot-remove and the PCIe toplogy in question will not be accessible anymore until the device is authorized again. If there is storage such as NVMe or similar involved, there is a risk for data loss if the filesystem on that storage is not properly shut down. You have been warned!}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjjhhubeh}(h]de-authorizing-devicesah ]h"]de-authorizing devicesah$]h&]uh1hhhhhhhhKubh)}(hhh](h)}(hDMA protection utilizing IOMMUh]hDMA protection utilizing IOMMU}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubh)}(hXRecent systems from 2018 and forward with Thunderbolt ports may natively support IOMMU. This means that Thunderbolt security is handled by an IOMMU so connected devices cannot access memory regions outside of what is allocated for them by drivers. When Linux is running on such system it automatically enables IOMMU if not enabled by the user already. These systems can be identified by reading ``1`` from ``/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection`` attribute.h](hXRecent systems from 2018 and forward with Thunderbolt ports may natively support IOMMU. This means that Thunderbolt security is handled by an IOMMU so connected devices cannot access memory regions outside of what is allocated for them by drivers. When Linux is running on such system it automatically enables IOMMU if not enabled by the user already. These systems can be identified by reading }(hjhhhNhNubh)}(h``1``h]h1}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh from }(hjhhhNhNubh)}(h=``/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection``h]h9/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh attribute.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hXThe driver does not do anything special in this case but because DMA protection is handled by the IOMMU, security levels (if set) are redundant. For this reason some systems ship with security level set to ``none``. Other systems have security level set to ``user`` in order to support downgrade to older OS, so users who want to automatically authorize devices when IOMMU DMA protection is enabled can use the following ``udev`` rule::h](hThe driver does not do anything special in this case but because DMA protection is handled by the IOMMU, security levels (if set) are redundant. For this reason some systems ship with security level set to }(hj*hhhNhNubh)}(h``none``h]hnone}(hj2hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj*ubh+. Other systems have security level set to }(hj*hhhNhNubh)}(h``user``h]huser}(hjDhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj*ubh in order to support downgrade to older OS, so users who want to automatically authorize devices when IOMMU DMA protection is enabled can use the following }(hj*hhhNhNubh)}(h``udev``h]hudev}(hjVhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj*ubh rule:}(hj*hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjhhubj[)}(hvACTION=="add", SUBSYSTEM=="thunderbolt", ATTRS{iommu_dma_protection}=="1", ATTR{authorized}=="0", ATTR{authorized}="1"h]hvACTION=="add", SUBSYSTEM=="thunderbolt", ATTRS{iommu_dma_protection}=="1", ATTR{authorized}=="0", ATTR{authorized}="1"}hjnsbah}(h]h ]h"]h$]h&]hhuh1jZhhhKhjhhubeh}(h]dma-protection-utilizing-iommuah ]h"]dma protection utilizing iommuah$]h&]uh1hhhhhhhhKubh)}(hhh](h)}(h4Upgrading NVM on Thunderbolt device, host or retimerh]h4Upgrading NVM on Thunderbolt device, host or retimer}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubh)}(hX Since most of the functionality is handled in firmware running on a host controller or a device, it is important that the firmware can be upgraded to the latest where possible bugs in it have been fixed. Typically OEMs provide this firmware from their support site.h]hX Since most of the functionality is handled in firmware running on a host controller or a device, it is important that the firmware can be upgraded to the latest where possible bugs in it have been fixed. Typically OEMs provide this firmware from their support site.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hZThere is also a central site which has links where to download firmware for some machines:h]hZThere is also a central site which has links where to download firmware for some machines:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubj)}(hC`Thunderbolt Updates `_ h]h)}(hB`Thunderbolt Updates `_h](h reference)}(hjh]hThunderbolt Updates}(hjhhhNhNubah}(h]h ]h"]h$]h&]nameThunderbolt Updatesrefuri)https://thunderbolttechnology.net/updatesuh1jhjubhtarget)}(h, h]h}(h]thunderbolt-updatesah ]h"]thunderbolt updatesah$]h&]refurijuh1j referencedKhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhjubah}(h]h ]h"]h$]h&]uh1jhhhKhjhhubh)}(hBefore you upgrade firmware on a device, host or retimer, please make sure it is a suitable upgrade. Failing to do that may render the device in a state where it cannot be used properly anymore without special tools!h]hBefore you upgrade firmware on a device, host or retimer, please make sure it is a suitable upgrade. Failing to do that may render the device in a state where it cannot be used properly anymore without special tools!}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(h0Host NVM upgrade on Apple Macs is not supported.h]h0Host NVM upgrade on Apple Macs is not supported.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hXOnce the NVM image has been downloaded, you need to plug in a Thunderbolt device so that the host controller appears. It does not matter which device is connected (unless you are upgrading NVM on a device - then you need to connect that particular device).h]hXOnce the NVM image has been downloaded, you need to plug in a Thunderbolt device so that the host controller appears. It does not matter which device is connected (unless you are upgrading NVM on a device - then you need to connect that particular device).}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hNote an OEM-specific method to power the controller up ("force power") may be available for your system in which case there is no need to plug in a Thunderbolt device.h]hNote an OEM-specific method to power the controller up (“force power”) may be available for your system in which case there is no need to plug in a Thunderbolt device.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hAfter that we can write the firmware to the non-active parts of the NVM of the host or device. As an example here is how Intel NUC6i7KYK (Skull Canyon) Thunderbolt controller NVM is upgraded::h]hAfter that we can write the firmware to the non-active parts of the NVM of the host or device. As an example here is how Intel NUC6i7KYK (Skull Canyon) Thunderbolt controller NVM is upgraded:}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubj[)}(hU# dd if=KYK_TBT_FW_0018.bin of=/sys/bus/thunderbolt/devices/0-0/nvm_non_active0/nvmemh]hU# dd if=KYK_TBT_FW_0018.bin of=/sys/bus/thunderbolt/devices/0-0/nvm_non_active0/nvmem}hj.sbah}(h]h ]h"]h$]h&]hhuh1jZhhhKhjhhubh)}(h_Once the operation completes we can trigger NVM authentication and upgrade process as follows::h]h^Once the operation completes we can trigger NVM authentication and upgrade process as follows:}(hj<hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubj[)}(h<# echo 1 > /sys/bus/thunderbolt/devices/0-0/nvm_authenticateh]h<# echo 1 > /sys/bus/thunderbolt/devices/0-0/nvm_authenticate}hjJsbah}(h]h ]h"]h$]h&]hhuh1jZhhhKhjhhubh)}(hIf no errors are returned, the host controller shortly disappears. Once it comes back the driver notices it and initiates a full power cycle. After a while the host controller appears again and this time it should be fully functional.h]hIf no errors are returned, the host controller shortly disappears. Once it comes back the driver notices it and initiates a full power cycle. After a while the host controller appears again and this time it should be fully functional.}(hjXhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hUWe can verify that the new NVM firmware is active by running the following commands::h]hTWe can verify that the new NVM firmware is active by running the following commands:}(hjfhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubj[)}(hs# cat /sys/bus/thunderbolt/devices/0-0/nvm_authenticate 0x0 # cat /sys/bus/thunderbolt/devices/0-0/nvm_version 18.0h]hs# cat /sys/bus/thunderbolt/devices/0-0/nvm_authenticate 0x0 # cat /sys/bus/thunderbolt/devices/0-0/nvm_version 18.0}hjtsbah}(h]h ]h"]h$]h&]hhuh1jZhhhKhjhhubh)}(hIf ``nvm_authenticate`` contains anything other than 0x0 it is the error code from the last authentication cycle, which means the authentication of the NVM image failed.h](hIf }(hjhhhNhNubh)}(h``nvm_authenticate``h]hnvm_authenticate}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh contains anything other than 0x0 it is the error code from the last authentication cycle, which means the authentication of the NVM image failed.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hNote names of the NVMem devices ``nvm_activeN`` and ``nvm_non_activeN`` depend on the order they are registered in the NVMem subsystem. N in the name is the identifier added by the NVMem subsystem.h](h Note names of the NVMem devices }(hjhhhNhNubh)}(h``nvm_activeN``h]h nvm_activeN}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh and }(hjhhhNhNubh)}(h``nvm_non_activeN``h]hnvm_non_activeN}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh~ depend on the order they are registered in the NVMem subsystem. N in the name is the identifier added by the NVMem subsystem.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjhhubeh}(h]3upgrading-nvm-on-thunderbolt-device-host-or-retimerah ]h"]4upgrading nvm on thunderbolt device, host or retimerah$]h&]uh1hhhhhhhhKubh)}(hhh](h)}(h?Upgrading on-board retimer NVM when there is no cable connectedh]h?Upgrading on-board retimer NVM when there is no cable connected}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubh)}(hXDIf the platform supports, it may be possible to upgrade the retimer NVM firmware even when there is nothing connected to the USB4 ports. When this is the case the ``usb4_portX`` devices have two special attributes: ``offline`` and ``rescan``. The way to upgrade the firmware is to first put the USB4 port into offline mode::h](hIf the platform supports, it may be possible to upgrade the retimer NVM firmware even when there is nothing connected to the USB4 ports. When this is the case the }(hjhhhNhNubh)}(h``usb4_portX``h]h usb4_portX}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh& devices have two special attributes: }(hjhhhNhNubh)}(h ``offline``h]hoffline}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh and }(hjhhhNhNubh)}(h ``rescan``h]hrescan}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubhR. The way to upgrade the firmware is to first put the USB4 port into offline mode:}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhjhhubj[)}(h># echo 1 > /sys/bus/thunderbolt/devices/0-0/usb4_port1/offlineh]h># echo 1 > /sys/bus/thunderbolt/devices/0-0/usb4_port1/offline}hj1sbah}(h]h ]h"]h$]h&]hhuh1jZhhhM hjhhubh)}(hThis step makes sure the port does not respond to any hotplug events, and also ensures the retimers are powered on. The next step is to scan for the retimers::h]hThis step makes sure the port does not respond to any hotplug events, and also ensures the retimers are powered on. The next step is to scan for the retimers:}(hj?hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM hjhhubj[)}(h=# echo 1 > /sys/bus/thunderbolt/devices/0-0/usb4_port1/rescanh]h=# echo 1 > /sys/bus/thunderbolt/devices/0-0/usb4_port1/rescan}hjMsbah}(h]h ]h"]h$]h&]hhuh1jZhhhMhjhhubh)}(hXEThis enumerates and adds the on-board retimers. Now retimer NVM can be upgraded in the same way than with cable connected (see previous section). However, the retimer is not disconnected as we are offline mode) so after writing ``1`` to ``nvm_authenticate`` one should wait for 5 or more seconds before running rescan again::h](hThis enumerates and adds the on-board retimers. Now retimer NVM can be upgraded in the same way than with cable connected (see previous section). However, the retimer is not disconnected as we are offline mode) so after writing }(hj[hhhNhNubh)}(h``1``h]h1}(hjchhhNhNubah}(h]h ]h"]h$]h&]uh1hhj[ubh to }(hj[hhhNhNubh)}(h``nvm_authenticate``h]hnvm_authenticate}(hjuhhhNhNubah}(h]h ]h"]h$]h&]uh1hhj[ubhC one should wait for 5 or more seconds before running rescan again:}(hj[hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhjhhubj[)}(h=# echo 1 > /sys/bus/thunderbolt/devices/0-0/usb4_port1/rescanh]h=# echo 1 > /sys/bus/thunderbolt/devices/0-0/usb4_port1/rescan}hjsbah}(h]h ]h"]h$]h&]hhuh1jZhhhMhjhhubh)}(hXThis point if everything went fine, the port can be put back to functional state again::h]hWThis point if everything went fine, the port can be put back to functional state again:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjhhubj[)}(h># echo 0 > /sys/bus/thunderbolt/devices/0-0/usb4_port1/offlineh]h># echo 0 > /sys/bus/thunderbolt/devices/0-0/usb4_port1/offline}hjsbah}(h]h ]h"]h$]h&]hhuh1jZhhhMhjhhubeh}(h]?upgrading-on-board-retimer-nvm-when-there-is-no-cable-connectedah ]h"]?upgrading on-board retimer nvm when there is no cable connectedah$]h&]uh1hhhhhhhhMubh)}(hhh](h)}(h2Upgrading NVM when host controller is in safe modeh]h2Upgrading NVM when host controller is in safe mode}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhM!ubh)}(hX0If the existing NVM is not properly authenticated (or is missing) the host controller goes into safe mode which means that the only available functionality is flashing a new NVM image. When in this mode, reading ``nvm_version`` fails with ``ENODATA`` and the device identification information is missing.h](hIf the existing NVM is not properly authenticated (or is missing) the host controller goes into safe mode which means that the only available functionality is flashing a new NVM image. When in this mode, reading }(hjhhhNhNubh)}(h``nvm_version``h]h nvm_version}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh fails with }(hjhhhNhNubh)}(h ``ENODATA``h]hENODATA}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubh6 and the device identification information is missing.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhM"hjhhubh)}(hTo recover from this mode, one needs to flash a valid NVM image to the host controller in the same way it is done in the previous chapter.h]hTo recover from this mode, one needs to flash a valid NVM image to the host controller in the same way it is done in the previous chapter.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM(hjhhubeh}(h]2upgrading-nvm-when-host-controller-is-in-safe-modeah ]h"]2upgrading nvm when host controller is in safe modeah$]h&]uh1hhhhhhhhM!ubh)}(hhh](h)}(h!Networking over Thunderbolt cableh]h!Networking over Thunderbolt cable}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj hhhhhM,ubh)}(hhThunderbolt technology allows software communication between two hosts connected by a Thunderbolt cable.h]hhThunderbolt technology allows software communication between two hosts connected by a Thunderbolt cable.}(hj) hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM-hj hhubh)}(hIt is possible to tunnel any kind of traffic over a Thunderbolt link but currently we only support Apple ThunderboltIP protocol.h]hIt is possible to tunnel any kind of traffic over a Thunderbolt link but currently we only support Apple ThunderboltIP protocol.}(hj7 hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM0hj hhubh)}(hX7If the other host is running Windows or macOS, the only thing you need to do is to connect a Thunderbolt cable between the two hosts; the ``thunderbolt-net`` driver is loaded automatically. If the other host is also Linux you should load ``thunderbolt-net`` manually on one host (it does not matter which one)::h](hIf the other host is running Windows or macOS, the only thing you need to do is to connect a Thunderbolt cable between the two hosts; the }(hjE hhhNhNubh)}(h``thunderbolt-net``h]hthunderbolt-net}(hjM hhhNhNubah}(h]h ]h"]h$]h&]uh1hhjE ubhQ driver is loaded automatically. If the other host is also Linux you should load }(hjE hhhNhNubh)}(h``thunderbolt-net``h]hthunderbolt-net}(hj_ hhhNhNubah}(h]h ]h"]h$]h&]uh1hhjE ubh5 manually on one host (it does not matter which one):}(hjE hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhM3hj hhubj[)}(h# modprobe thunderbolt-neth]h# modprobe thunderbolt-net}hjw sbah}(h]h ]h"]h$]h&]hhuh1jZhhhM9hj hhubh)}(hThis triggers module load on the other host automatically. If the driver is built-in to the kernel image, there is no need to do anything.h]hThis triggers module load on the other host automatically. If the driver is built-in to the kernel image, there is no need to do anything.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM;hj hhubh)}(hX The driver will create one virtual ethernet interface per Thunderbolt port which are named like ``thunderbolt0`` and so on. From this point you can either use standard userspace tools like ``ifconfig`` to configure the interface or let your GUI handle it automatically.h](h`The driver will create one virtual ethernet interface per Thunderbolt port which are named like }(hj hhhNhNubh)}(h``thunderbolt0``h]h thunderbolt0}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj ubhM and so on. From this point you can either use standard userspace tools like }(hj hhhNhNubh)}(h ``ifconfig``h]hifconfig}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj ubhD to configure the interface or let your GUI handle it automatically.}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhM>hj hhubeh}(h]!networking-over-thunderbolt-cableah ]h"]!networking over thunderbolt cableah$]h&]uh1hhhhhhhhM,ubh)}(hhh](h)}(h Forcing powerh]h Forcing power}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj hhhhhMDubh)}(hMany OEMs include a method that can be used to force the power of a Thunderbolt controller to an "On" state even if nothing is connected. If supported by your machine this will be exposed by the WMI bus with a sysfs attribute called "force_power".h]hMany OEMs include a method that can be used to force the power of a Thunderbolt controller to an “On” state even if nothing is connected. If supported by your machine this will be exposed by the WMI bus with a sysfs attribute called “force_power”.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMEhj hhubj)}(hhh]j)}(hXFor example the intel-wmi-thunderbolt driver exposes this attribute in: /sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341/force_power To force the power to on, write 1 to this attribute file. To disable force power, write 0 to this attribute file. h](j)}(hGFor example the intel-wmi-thunderbolt driver exposes this attribute in:h]hGFor example the intel-wmi-thunderbolt driver exposes this attribute in:}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhMNhj ubj)}(hhh](h)}(hE/sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341/force_powerh]hE/sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341/force_power}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMKhj ubh)}(hqTo force the power to on, write 1 to this attribute file. To disable force power, write 0 to this attribute file.h]hqTo force the power to on, write 1 to this attribute file. To disable force power, write 0 to this attribute file.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMMhj ubeh}(h]h ]h"]h$]h&]uh1jhj ubeh}(h]h ]h"]h$]h&]uh1jhhhMNhj ubah}(h]h ]h"]h$]h&]uh1jhj hhhhhNubh)}(hONote: it's currently not possible to query the force power state of a platform.h]hQNote: it’s currently not possible to query the force power state of a platform.}(hj2 hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMPhj hhubeh}(h] forcing-powerah ]h"] forcing powerah$]h&]uh1hhhhhhhhMDubeh}(h]usb4-and-thunderboltah ]h"]usb4 and thunderboltah$]h&]uh1hhhhhhhhKubeh}(h]h ]h"]h$]h&]sourcehuh1hcurrent_sourceN current_lineNsettingsdocutils.frontendValues)}(hN generatorN datestampN source_linkN source_urlN toc_backlinksentryfootnote_backlinksK sectnum_xformKstrip_commentsNstrip_elements_with_classesN strip_classesN report_levelK halt_levelKexit_status_levelKdebugNwarning_streamN tracebackinput_encoding utf-8-siginput_encoding_error_handlerstrictoutput_encodingutf-8output_encoding_error_handlerjs error_encodingutf-8error_encoding_error_handlerbackslashreplace language_codeenrecord_dependenciesNconfigN id_prefixhauto_id_prefixid dump_settingsNdump_internalsNdump_transformsNdump_pseudo_xmlNexpose_internalsNstrict_visitorN_disable_configN_sourceh _destinationN _config_files]7/var/lib/git/docbuild/linux/Documentation/docutils.confafile_insertion_enabled raw_enabledKline_length_limitM'pep_referencesN pep_base_urlhttps://peps.python.org/pep_file_url_templatepep-%04drfc_referencesN rfc_base_url&https://datatracker.ietf.org/doc/html/ tab_widthKtrim_footnote_reference_spacesyntax_highlightlong smart_quotessmartquotes_locales]character_level_inline_markupdoctitle_xform docinfo_xformKsectsubtitle_xform image_loadinglinkembed_stylesheetcloak_email_addressessection_self_linkenvNubreporterNindirect_targets]substitution_defs}substitution_names}refnames}refids}nameids}(jM jJ jjjgjdjjjj~jjjjjjj j j j jE jB u nametypes}(jM jjgjjjjjj j jE uh}(jJ hjj jdjjjjj~jjjjjjjj jj j jB j u footnote_refs} citation_refs} autofootnotes]autofootnote_refs]symbol_footnotes]symbol_footnote_refs] footnotes] citations]autofootnote_startKsymbol_footnote_startK id_counter collectionsCounter}Rparse_messages]transform_messages] transformerN include_log] decorationNhhub.