dynabook Knowledge Base Article
Thunderbolt 3 and Security on Microsoft Windows 10 Operating system
Information on the Intel(R) Thunderbolt(TM) 3 controller security features on Microsoft* Windows 10 operating system. Focus on the PCI express I/O related security features.
This document is intended for Thunderbolt(TM) 3 users who may have questions or concerns regarding Thunderbolt(TM) security and would like more information.
RESOLUTION | Short
The Thunderbolt(TM) controller is a PCIe device, which means that it has Direct Memory Access (DMA) IO (via PCIe), and exposes the PCIe protocol externally through USB-C ports for a range of usages.
This potentially allows access to system memory from a physical IO device that is being connected and utilizing the PCIe protocol. In order to mitigate potential malicious access to system memory from an external PCIe device, there is security protection with Thunderbolt(TM) 3 that prevents unauthorized Thunderbolt(TM) PCIe-based devices from connecting without user authorization. For instance, this will prevent unauthorized access when the system is locked.
This is achieved by the following set of capabilities:
- Software based authorization of Thunderbolt(TM) 3 Ports: Thunderbolt(TM) 3 ports are controlled by a utility software and driver provided by Intel, that allows the user to decide whether a device's PCIe data path can connect to the system or not.
- Policy management (also referred to as Security Levels): This capability allow the user to decide between multiple levels of restricting policies such as disabling the Thunderbolt(TM) 3 port, allowing it but only with explicit approval of the user each time a device is connected, allowing only devices with cryptographic authentication or allowing it in a Display Port or USB only mode (more details below)
- Pre-boot protection Thunderbolt(TM) devices are allowed to be enumerated and connected during boot time only if they have been approved by the user before.
Further details about the various security features that help protect** the PC from potential known Thunderbolt(TM) 3 related PCIe IO vulnerabilities below.
RESOLUTION | Detailed
Thunderbolt(TM) 3 Security Features details and definitions
Authenticating newly attached device
Firmware and software supported feature that requires user approval before allowing a PCIe capable Thunderbolt(TM) connection for the first time, supported on Thunderbolt(TM) starting in 2013
Cryptographic authentication of connection to help prevent a peripheral device to be spoofed to masquerade as an "approved" device to the user (authentication of the connection), supported from Thunderbolt(TM) 2 products onward, starting in 2014
Separating Thunderbolt(TM) data stream
Separating Thunderbolt(TM) data stream from display tunneling to help prevent walk-up access of PCIe unless it is specifically allowed.
Unique ID number
Every Thunderbolt(TM) 3 Controller has a unique ID fused in silicon during production, this allows to identify a specific device
ACL - Accepted Components List
A list of Thunderbolt(TM) devices ("components") that the user has already approved to enumerate and can connect automatically
Security Levels (SLx)
Thunderbolt(TM) enables implementation of different security policies.
These modes apply to PCIe protocol, while DisplayPort connects by default as it has no DMA capability exposure
- SL 0:
No limitations, everything enumerates and connects (2011 and newer)
- SL 1:
Ask for permission to connect device (2013 and newer) | the default mode
Require (admin level) user permission to add new PCIe enabled devices (SL1 security)
The Thunderbolt(TM) software on the PC maintains a list of the Unique IDs for every Thunderbolt(TM) peripheral that has received user permission to "always connect" (Access Control List) If the Unique ID of the Thunderbolt(TM) peripheral is not on the ACL, the PCIe connection is not allowed until the user responds to a connection prompt, typically with the following options:
( 1 ) - Connect one time
( 2 ) - Always connect
( 3 ) - Do not connect
Connection permissions are managed per PC, and not per user login.
- SL 2:
Only devices with HW cryptographic authentication are added (2014 and newer)
Hardware based challenge / response - The first time a Thunderbolt(TM) peripheral's Unique ID is granted "always connect" PCIe access, a key is written to the peripheral controller's non-volatile memory and added to the host PC's ACL list. Each time a peripheral's Unique ID is found on the ACL, the PC's controller sends a security challenge. The response from the peripheral is then verified before the PCIe connection is allowed. If the response is not valid, the user receives a connection permission prompt.
Beyond the new hardware cryptographic authentication the user experience is the same as SL1
- SL 3:
TBT mode is set to "Display Port only" and will not tunnel or transmit PCIe data. (2013 and newer)
(C) Intel Corporation - Information of this document by https://thunderbolttechnology.net/
* Other names and brands may be claimed as the property of others
** No computer system is absolute secure
Windows 10 - 32 Bit, Windows 10 - 64 Bit
Info, Docking Device, Interface, Thunderbolt
Dynabook provides this information "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Dynabook shall not be responsible for the topicality, correctness, completeness or quality of the information or software provided. Dynabook is not liable for any damage caused by the use of any information or software provided, including information that is incomplete or incorrect. Any trademarks used herein belong to their respective owners.
Copyright Dynabook Europe GmbH. All rights reserved.
Back to top