
Thunderbolt is basically "external PCIe" so you wouldn't want to plug in anything that you wouldn't plug into a PCIe slot on the motherboard of a desktop... it's not like USB where communication has to go through a special controller that requires drivers, this is the raw system bus itself.

As cool as the raw power you get from Thunderbolt is, I wonder if externalizing an internal bus was a fundamental design flaw. PCIe descends from PCI, which descends from ISA, bringing along all sorts of backward compatible cruft, including the Option ROM support used by this exploit.




Option ROMs are certainly useful - for example, every GPU has one to initialise it, and it's how devices like RAID controllers can be used for booting or network cards adding PXE support. Things like putting a standard GPU over Thunderbolt would've been very difficult to do otherwise.

However, you're right that the security characteristics of an external bus are quite different from an internal one. I haven't looked in detail at the specs but I've worked with PCI/PCIe and it should certainly be possible to distinguish between a device plugged into the external port (it likely appears as a separate bus with a PCI-PCI bridge) and an internal one, allowing a BIOS (EFI, whatever it's called these days) option to control it. Something like "Execute Thunderbolt Option ROM [Yes/No/Prompt]"? But then, knowing Apple, they'd be more inclined to want everything to "just work" and default it to Yes without allowing the user to change it...
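The check the comment above asks for (is the device on the external bus, was it admitted, and does it carry an option ROM) is something Linux already exposes through sysfs. The script below is an added example written for this page; it is not code from the thread or from any vendor. It assumes the Linux Thunderbolt sysfs ABI (`/sys/bus/thunderbolt/devices/domainN/security`, `.../iommu_dma_protection`, per-device `authorized`), the PCI `rom` attribute that exists only when a function has an expansion ROM BAR, and the `removable` attribute, which is assumed to be present only on newer kernels and so is treated as optional. It runs against a constructed mock tree so it works without hardware; on a real host call `tb_audit /sys`.

```shell
#!/bin/sh
# Added example (not from the HN thread): audit Thunderbolt-attached PCIe on Linux.
# Assumed sysfs layout (Linux thunderbolt/pci ABI):
#   $SYSROOT/bus/thunderbolt/devices/domainN/security          none|user|secure|dponly|usbonly
#   $SYSROOT/bus/thunderbolt/devices/domainN/iommu_dma_protection   0|1 (absent on old kernels)
#   $SYSROOT/bus/thunderbolt/devices/<route>/authorized         0|1|2
#   $SYSROOT/bus/pci/devices/<bdf>/rom        present only if the function has an expansion ROM
#   $SYSROOT/bus/pci/devices/<bdf>/removable  fixed|removable (assumed optional, newer kernels)
set -u

read_attr() {  # read_attr FILE -> file contents, or "-" when the attribute is absent
    if [ -r "$1" ]; then cat "$1"; else echo "-"; fi
}

# tb_audit SYSROOT: one line per domain, per Thunderbolt device and per PCI function.
# Returns 1 when a domain tunnels PCIe with no approval step and no IOMMU DMA protection,
# i.e. the "everything just works" default the thread is worried about; 0 otherwise.
tb_audit() {
    root=$1
    verdict=0
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        level=$(read_attr "$dom/security")
        prot=$(read_attr "$dom/iommu_dma_protection")
        echo "$(basename "$dom") security=$level iommu_dma_protection=$prot"
        if [ "$level" = "none" ] && [ "$prot" != "1" ]; then verdict=1; fi
    done
    for dev in "$root"/bus/thunderbolt/devices/*; do
        [ -d "$dev" ] || continue
        case $(basename "$dev") in domain*) continue ;; esac
        [ -e "$dev/authorized" ] || continue   # host routers and retimers have no `authorized`
        echo "device $(basename "$dev") vendor=$(read_attr "$dev/vendor_name") authorized=$(read_attr "$dev/authorized")"
    done
    for pdev in "$root"/bus/pci/devices/*; do
        [ -d "$pdev" ] || continue
        rem=$(read_attr "$pdev/removable")
        if [ -e "$pdev/rom" ]; then rom=yes; else rom=no; fi
        echo "pci $(basename "$pdev") removable=$rem option_rom=$rom"
        if [ "$rem" = "removable" ] && [ "$rom" = "yes" ]; then
            echo "  warning: externally attached function carries an option ROM"
        fi
    done
    return $verdict
}

# make_mock_sysfs DIR SECURITY_LEVEL: constructed sample tree, not captured from a real machine.
make_mock_sysfs() {
    d=$1
    mkdir -p "$d/bus/thunderbolt/devices/domain0" "$d/bus/thunderbolt/devices/0-1" \
             "$d/bus/thunderbolt/devices/0-3" "$d/bus/pci/devices/0000:00:1c.4" \
             "$d/bus/pci/devices/0000:05:00.0"
    echo "$2" > "$d/bus/thunderbolt/devices/domain0/security"
    echo "Example Vendor" > "$d/bus/thunderbolt/devices/0-1/vendor_name"
    echo 0 > "$d/bus/thunderbolt/devices/0-1/authorized"      # plugged in, not yet approved
    echo "Example Vendor" > "$d/bus/thunderbolt/devices/0-3/vendor_name"
    echo 1 > "$d/bus/thunderbolt/devices/0-3/authorized"      # approved by the user
    echo fixed > "$d/bus/pci/devices/0000:00:1c.4/removable"  # internal root port
    echo removable > "$d/bus/pci/devices/0000:05:00.0/removable"
    : > "$d/bus/pci/devices/0000:05:00.0/rom"                 # external function with an option ROM
}

demo=$(mktemp -d)
make_mock_sysfs "$demo" user
tb_audit "$demo" || echo "verdict: external PCIe is auto-authorized with no DMA protection"
rm -rf "$demo"
```

The interesting line is the `removable=removable option_rom=yes` one: that is exactly the "device on the external bus with an option ROM" case that a firmware prompt would have to gate. Whether that ROM is ever executed is decided by the firmware at boot, not by this script; the script only tells you that the situation exists and whether the Thunderbolt domain admits such devices without asking.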


That's not surprising since Intel's whole business is built on backwards compatibility. And the benefits are pretty clear: Thunderbolt devices can use existing PCIe chips and drivers. If it was an incompatible protocol then it would require new TB-to-X chips for all X, and since the Thunderbolt market probably isn't large enough to support those chips then it would just fail.


It's a huge problem, and another curse Apple has gotten the rest of the laptop industry to adopt. Newer ThinkPads ship with Thunderbolt instead of DisplayPort. So if I want external monitors, I'm screwed. I can't just epoxy the port, like I did with FireWire.


AFAIK, it's not Thunderbolt on Lenovos, just Mini DisplayPort+Audio, which has similar connectors and cables but excludes the PCI-alike interface for high-speed general purpose IO which this exploits.


The W540 has Thunderbolt, but also miniDP. I guess that's OK. But seeing as how they try to ape Apple, who knows what the next gen will bring.


Ah, okay. I looked at a few models and only saw MiniDP; I guess some of them actually are Thunderbolt. Interesting.


I suppose it may depend on the model, but all the modern ThinkPads I've seen rolling around the office in the past year or so come with Thunderbolt.



