Hi,

Wolf wrote:
> I have an illuminated keyboard, so I detected 3 changes when thunderbolt
> security set to user authorization.
>
> 1. the keyboard is activated and I can interact with EFI
> 2. the keyboard is switched off for a moment
> 3. the keyboard is switched on and I can interact with grub.
>
> When thunderbolt security is turned OFF (not thunderbolt turned off!) all 3
> steps are skipped, I can use keyboard only after Linux image is loaded.

It's not easy to find information about Thunderbolt security.
This here seems to match somewhat:
  https://www.pugetsystems.com/support/guides/thunderbolt-security-to-the-rescue-bios-2205/
"User Authorization (SL1)" would be what works for you. (Although the text
talks of a "popup dialog box to explicitly allow the connection".)
But "No Security (SL0)" should let Thunderbolt devices just work and
"Secure Connection (SL2)" is unlikely to be called "OFF" in your BIOS
user interface.

> I think "security OFF" value read from EFI is ignored by the last
> bootloader, but "user authorization" is respected.

I understand from the sparse info that this is a firmware thing.
An unauthorized Thunderbolt device should simply not be connected to
the system bus (because it can access the memory directly, IIUC).
So I perceive it as counter-intuitive that "OFF" keeps EFI and GRUB from
using the device.
The fact that it works with Linux lets me think that the failure with
EFI and GRUB is not an intended security feature.

-----------------------------------------------------------------------

Whatever, the Debian question is whether "apt upgrade" changed this EFI
setting forth and back.
One could accuse package "grub2" of not working well with "OFF". But as
long as the firmware does not work with the keyboard, GRUB has a good
excuse.

Have a nice day :)

Thomas

