{ "mode": "man", "parameter": "boltd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/boltd/8/json", "generated": "2026-06-02T21:25:54Z", "synopsis": "boltd [OPTIONS]", "sections": { "NAME": { "content": "boltd - thunderbolt device managing system daemon\n", "subsections": [] }, "SYNOPSIS": { "content": "boltd [OPTIONS]\n", "subsections": [] }, "DESCRIPTION": { "content": "boltd is the thunderbolt device manager daemon. Its goal is to enable the secure and\nconvenient use of thunderbolt devices by using the security features of modern thunderbolt\ncontrollers. It provides the org.freedesktop.bolt name on the system bus. boltd is\nautostarted via systemd/udev if a thunderbolt device is connected.\n\nThe thunderbolt I/O technology works by bridging PCIe between the controllers on each end of\nthe connection, which in turn means that devices connected via Thunderbolt are ultimately\nconnected via PCIe. Therefore thunderbolt can achieve very high connection speeds, fast\nenough to even drive external graphics cards. The downside is that it also makes certain\nattacks possible. To mitigate these security problems, the latest version — known as\nThunderbolt 3 — supports different security levels:\n", "subsections": [ { "name": "none", "content": "No security. The behavior is identical to previous Thunderbolt versions.\n" }, { "name": "dponly", "content": "No PCIe tunnels are created at all, but DisplayPort tunnels are allowed and will work.\n" }, { "name": "user", "content": "Connected devices must be authorized by the user. Only then will the PCIe tunnels be\nactivated.\n" }, { "name": "secure", "content": "Basically the same as user mode, but additionally a key will be written to the device the\nfirst time the device is connected. This key will then be used to verify the identity of\nthe connected device.\n" }, { "name": "usbonly", "content": "One PCIe tunnel is created to a usb controller in a thunderbolt dock; no other downstream\nPCIe tunnels are authorized (needs 4.17 kernel and recent hardware).\n\nThe primary task of boltd is to authorize thunderbolt peripherals if the security level is\neither user or secure. It provides a D-Bus API to list devices, enroll them (authorize and\nstore them in the local database) and forget them again (remove previously enrolled devices).\nIt also emits signals if new devices are connected (or removed). During enrollment devices\ncan be set to be automatically authorized as soon as they are connected. A command line tool,\ncalled boltctl(1), can be used to control the daemon and perform all the above mentioned\ntasks.\n\nThe pre-boot access control list (BootACL) feature is active when supported by the firmware\nand when boltd is running on a new enough Linux kernel (>= 4.17). The BootACL is a list of\nUUIDs, that can be written to the thunderbolt controller. If enabled in the BIOS, all devices\nin that list will be authorized by the firmware during pre-boot, which means these devices\ncan be used in the BIOS setup and also during Linux early boot. NB: no device verification is\ndone, even when the security level is set to secure mode in the BIOS, i.e. the maximal\neffective security level for devices in the BootACL is only user. If BootACL support is\npresent, all new devices will be automatically added. Devices that are forgotten (removed\nfrom boltd) will also be removed from the BootACL. When a controller is offline, changes to\nthe BootACL will be written to a journal and synchronized back when the controller is online\nagain.\n\nIOMMU support: if the hardware and firmware support using the input–output memory management\nunit (IOMMU) to restrict direct memory access to certain safe regions, boltd will detect that\nfeature and change its behavior: As long as iommu support is active, as indicated by the\niommudmaprotection sysfs attribute of the domain controller, new devices will be\nautomatically enrolled with the iommu policy and existing devices with iommu (or auto) policy\nwill be automatically authorized by boltd without any user interaction. When iommu is not\nactive, devices that were enrolled with the iommu policy will not be authorized\nautomatically. The status of iommu support can be inspected by using boltctl domains.\n" } ] }, "OPTIONS": { "content": "", "subsections": [ { "name": "-h, --help", "content": "Prints a short help text and exits.\n", "flag": "-h", "long": "--help" }, { "name": "--version", "content": "Shows the version number and exits.\n", "long": "--version" }, { "name": "-r, --replace", "content": "Replace the currently running boltd instance.\n", "flag": "-r", "long": "--replace" }, { "name": "--journal", "content": "Force logging to the journal.\n", "long": "--journal" }, { "name": "-v, --verbose", "content": "Print debug output.\n", "flag": "-v", "long": "--verbose" } ] }, "ENVIRONMENT": { "content": "RUNTIMEDIRECTORY\nSpecifies the path where the daemon stores data that only has to live as long as the\ncurrent boot. Will be set automatically when started via systemd (>= 240). If not set the\ndefault path for runtime data is /run/boltd.\n\nSTATEDIRECTORY\nSpecifies the path where the daemon stores device information, including the keys used\nfor authorization. Overwrites the path that was set at compile time. Will be set\nautomatically when started via systemd (>= 240).\n\nBOLTDBPATH\nSame as STATEDIRECTORY but takes precedence over that, if set.\n", "subsections": [] }, "EXIT STATUS": { "content": "On success 0 is returned, a non-zero failure code otherwise.\n", "subsections": [] }, "AUTHOR": { "content": "Written by Christian Kellner .\n", "subsections": [] }, "SEE ALSO": { "content": "boltctl(1)\n\n\n\nbolt 0.9.2 02/07/2022 BOLTD(8)", "subsections": [] } }, "summary": "boltd - thunderbolt device managing system daemon", "flags": [ { "flag": "-h", "long": "--help", "arg": null, "description": "Prints a short help text and exits." }, { "flag": "", "long": "--version", "arg": null, "description": "Shows the version number and exits." }, { "flag": "-r", "long": "--replace", "arg": null, "description": "Replace the currently running boltd instance." }, { "flag": "", "long": "--journal", "arg": null, "description": "Force logging to the journal." }, { "flag": "-v", "long": "--verbose", "arg": null, "description": "Print debug output." } ], "examples": [], "see_also": [ { "name": "boltctl", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/boltctl/1/json" } ] }