Demystifying Thunderbolt 3 Security Levels

Since Thunderbolt 3 presents some unique security considerations, and there are now several different “security levels” for a system's Thunderbolt 3 controller that can be configured in the system’s BIOS setup, I thought I’d write an explainer for anyone who might be confused about or simply interested in the differences.

Key Technical Background

First, it’s important to understand that a USB-C port that supports Thunderbolt 3 can carry different types of data traffic, since this will be relevant to what will or will not work under various security modes and why.

• USB 2.0 – USB-C connectors contain dedicated pins for USB 2.0 traffic.
  
  
• USB 3.x – Support for USB 3.x is technically optional, but when available, a USB 3.x device plugged into a USB-C port would use two of the four “high speed lanes” in a USB-C connector.  The other two remain unused, at least as of USB 3.x Gen 1 and Gen 2 (5 Gbps and 10 Gbps, respectively.)
  
  
• DisplayPort – Support for DisplayPort over USB-C, technically referred to as “DisplayPort Alt Mode”, is also optional on USB-C ports, but is mandatory on all USB-C ports that support Thunderbolt 3. DisplayPort can be run either within a Thunderbolt signal or as regular DisplayPort traffic, and it also uses the high speed lanes in a USB-C connector. When using something like a USB-C to DisplayPort cable, all four lanes would carry video. When using something like a USB-C dock that wished to support video and USB 3.x data, only two lanes would carry video since the other two would be allocated to USB 3.x – and consequently you’d have half the video bandwidth available compared to the USB-C to DP cable scenario. In a Thunderbolt connection, DisplayPort would be multiplexed with PCIe, more detail below.
  
  
• PCIe – This is only available on USB-C ports that support Thunderbolt 3 and when running in Thunderbolt 3 mode. PCIe support is mandatory for Thunderbolt 3 – at least a PCIe x2 interface, with a PCIe x4 interface being optional in the spec. Note that when Thunderbolt is in use, all four high speed lanes in the USB-C connector are tasked with carrying a "Thunderbolt signal", which consists of PCIe and DisplayPort multiplexed together. This means Thunderbolt makes efficient use of available total bandwidth since the PCIe/DisplayPort composition of the Thunderbolt signal can be adjusted dynamically. This is in contrast to using regular USB-C for both DisplayPort and USB 3.x simultaneously, where each signal type is allocated two lanes, regardless of how much bandwidth they need at any given time. The upcoming USB4 spec will switch to a dynamic bandwidth allocation model like Thunderbolt.

Important: When a Thunderbolt 3 port is actually running in Thunderbolt mode rather than as a basic USB port or DisplayPort video output, the only data types that are running across the Thunderbolt link are DisplayPort and PCIe.  USB 3.x is not natively carried.  If you’re connected to a Thunderbolt 3 dock that offers USB 3.x ports, the dock contains a PCIe-based USB controller, meaning that USB traffic is PCIe along the Thunderbolt link. This would be just like having a desktop PC and installing a USB expansion card into a PCI Express slot on the motherboard.  The Thunderbolt link is exactly equivalent to the PCIe segment of that data path in the desktop scenario. Typically other dock devices, such as Ethernet controllers and audio ports, would also run through the USB controller within the dock. This will matter later.

Thunderbolt 3 Security Levels

No Security (SL0) – You can connect any Thunderbolt 3 device and it will immediately start working. The danger to this mode is that since Thunderbolt 3 supports PCIe, and PCIe allows direct access to system memory, a malicious Thunderbolt 3 device could access potentially sensitive data in your system’s memory, and in SL0 mode, the device would simply need to be plugged in to do so. The typical threat model here would involve an attacker doing this while you had left your system unattended somewhere. This may not be a practical risk for everyone, but it's why the higher security levels exist.

User Authorization (SL1) – When a Thunderbolt 3 device is connected, the user must respond to a popup dialog box to explicitly allow the connection. The user can choose to allow once or to always allow that particular device. This mitigates the SL0 risk described above.

Secure Connection (SL2) – Same as SL1 except that if the user chooses to always allow a particular device, the system writes a cryptographic key to that device and also records it in its own firmware in order to perform a more robust "identity verification" of that device on subsequent connections, using a challenge/response mechanism. This prevents an attacker from taking the Device ID of a peripheral that had been granted "always allow" access and cloning it onto a malicious device, which under SL1 mode would allow that malicious device to gain "always allow" access. However, not all Thunderbolt 3 peripherals support SL2.

DisplayPort and USB only (SL3) – DisplayPort traffic is allowed over Thunderbolt 3, but PCIe is not. This is still different from a regular USB-C DisplayPort connection because an actual Thunderbolt link is still established, which means that if the Thunderbolt controller has two DisplayPort interfaces wired to it from the system's GPU (which is optional in the Thunderbolt spec), they would both be available, thereby offering more display bandwidth than a regular USB-C DisplayPort connection where at most one full DisplayPort interface of bandwidth is available. But the “USB” portion of this security level is where it gets tricky. If you plug a garden variety USB 3.x device or a regular USB-C dock (i.e. non-Thunderbolt dock) into your Thunderbolt 3 port, it will work as normal, since that scenario doesn’t involve an actual Thunderbolt link. However, as mentioned in the “Important" note above, USB 3.x is not natively carried over an actual Thunderbolt 3 link. This means that if your system is set to SL3 and you connect to an actual Thunderbolt 3 dock, you will get video output, but you will NOT be able to use any USB 3.x ports or other dock functionality that runs through the dock's USB controller, which is typically all other ports (Ethernet, audio, etc.).  The reason is that all of that would have to use PCIe between the dock and the system, and SL3 blocks PCIe. The only USB functionality you could potentially get from a Thunderbolt dock would be anything that runs as USB 2.0, since as mentioned earlier, a USB-C connector contains dedicated pins for USB 2.0, and that traffic runs completely independently of Thunderbolt.  However, even USB 2.0 devices connected to the dock's USB ports and internal dock devices that run on USB 2.0 (possibly the dock's audio controller) would still typically run through the dock's own PCIe-based USB controller rather than being passed straight through to the attached system as native USB 2.0.

Daisy chaining disabled / USB docks only (SL4) – This mode refers to Thunderbolt daisy chaining, not DisplayPort daisy chaining. In this mode, PCIe is allowed, but only for the first Thunderbolt 3 device in the chain. Thunderbolt devices farther down the chain would not be allowed to use PCIe – so for example if you had a Thunderbolt 3 eGPU enclosure plugged into an “upstream” Thunderbolt port on your Thunderbolt 3 dock, and you connected that dock to your system while it was set to SL4, the dock would be allowed and fully functional, but the eGPU would be blocked. This mode is designed to prevent a malicious Thunderbolt peripheral from gaining access to your system through a trusted device such as a dock.

Kernel DMA Protection – This mode requires support from the system firmware, OS, drivers, and Thunderbolt 3 peripheral, and it's meant to allow Thunderbolt 3 to operate at full functionality in a secure fashion without requiring user approvals. Again, the normal risk with Thunderbolt 3 is that it makes PCIe available, which in turn allows peripherals to gain direct access to system memory. Kernel DMA Protection allows the system to grant the peripheral direct access only to an assigned portion of system memory, thereby mitigating the risk. So when all of the components mentioned above support Kernel DMA Protection, a Thunderbolt peripheral starts working as soon as it’s plugged in, even if it wants to use PCIe, with no user consent required. When the system supports Kernel DMA Protection but the specific Thunderbolt peripheral being connected doesn’t support it, the system falls back to one of the “legacy” security levels above for that particular device connection, typically SL1.  SL0 would technically be possible but would be a security risk. Fallback to SL2 is not supported, at least currently.  I doubt SL3 fallback would work since that wouldn’t allow PCIe at all, and I’m not sure whether SL4 fallback is available. It might vary from system to system.

Hopefully this is helpful or at least interesting to someone!