Provided by: bolt_0.8-4_amd64 bug


       boltd - thunderbolt device managing system daemon


       boltd [OPTIONS]


       boltd is the thunderbolt device manager daemon. Its goal is to enable the secure and
       convenient use of thunderbolt devices by using the security features of modern thunderbolt
       controllers. It provides the org.freedesktop.bolt name on the system bus. boltd is
       autostarted via systemd/udev if a thunderbolt device is connected.

       The thunderbolt I/O technology works by bridging PCIe between the controllers on each end
       of the connection, which in turn means that devices connected via Thunderbolt are
       ultimately connected via PCIe. Therefore thunderbolt can achieve very high connection
       speeds, fast enough to even drive external graphics cards. The downside is that it also
       makes certain attacks possible. To mitigate these security problems, the latest version —
       known as Thunderbolt 3 — supports different security levels:

           No security. The behavior is identical to previous Thunderbolt versions.

           No PCIe tunnels are created at all, but DisplayPort tunnels are allowed and will work.

           Connected devices must be authorized by the user. Only then will the PCIe tunnels be

           Basically the same as user mode, but additionally a key will be written to the device
           the first time the device is connected. This key will then be used to verify the
           identity of the connected device.

       The primary task of boltd is to authorize thunderbolt peripherals if the security level is
       either user or secure. It provides a D-Bus API to list devices, enroll them (authorize and
       store them in the local database) and forget them again (remove previously enrolled
       devices). It also emits signals if new devices are connected (or removed). During
       enrollment devices can be set to be automatically authorized as soon as they are
       connected. A command line tool, called boltctl(1), can be used to control the daemon and
       perform all the above mentioned tasks.

       The pre-boot access control list (BootACL) feature is active when supported by the
       firmware and when boltd is running on a new enough Linux kernel (>= 4.17). The BootACL is
       a list of UUIDs, that can be written to the thunderbolt controller. If enabled in the
       BIOS, all devices in that list will be authorized by the firmware during pre-boot, which
       means these devices can be used in the BIOS setup and also during Linux early boot. NB: no
       device verification is done, even when the security level is set to secure mode in the
       BIOS, i.e. the maximal effective security level for devices in the BootACL is only user.
       If BootACL support is present, all new devices will be automatically added. Devices that
       are forgotten (removed from boltd) will also be removed from the BootACL. When a
       controller is offline, changes to the BootACL will be written to a journal and
       synchronized back when the controller is online again.

       IOMMU support: if the hardware and firmware support using the input–output memory
       management unit (IOMMU) to restrict direct memory access to certain safe regions, boltd
       will detect that feature and change its behavior: As long as iommu support is active, as
       inidcated by the iommu_dma_protection sysfs attribute of the domain controller, new
       devices will be automatically enrolled with the iommu policy and existing devices with
       iommu (or auto) policy will be automatically authorized by boltd without any user
       interaction. When iommu is not active, devices that were enrolled with the iommu policy
       will not be authorized automatically. The status of iommu support can be inspected by
       using boltctl domains.


       -h, --help
           Prints a short help text and exits.

           Shows the version number and exits.

       -r, --replace
           Replace the currently running boltd instance.

           Force logging to the journal.

       -v, --verbosee
           Print debug output.


           Specifies the path where the daemon stores data that only has to live as long as the
           current boot. Will be set automatically when started via systemd (>= 240). If not set
           the default path for runtime data is /run/boltd.

           Specifies the path where the daemon stores device information, including the keys used
           for authorization. Overwrites the path that was set at compile time. Will be set
           automatically when started via systemd (>= 240).

           Same as STATE_DIRECTORY but takes precedence over that, if set.


       On success 0 is returned, a non-zero failure code otherwise.


       Written by Christian Kellner <>.