If I'm reading this correctly, this means that physical access to any modern machine can be leveraged to root access. Encrypted storage that hasn't been unlocked might continue to be secure; that's about it.
This is the “cost” of DMA with untrusted external connections. If you’re basically allowing some device to sit on your PCI bridge, that’s an insane amount of trust of course. But we live with it because we like performance.
There are EFI/BIOS-level “workarounds” like on Dell laptops: they have a setting to only negotiate Thunderbolt with appropriate Dell docks.
Sadly, their Thunderbolt dock is entirely garbage because they used a really crappy USB3 controller which has the habit of dropping devices and corrupting CRC checksums on Ethernet packets. Additionally, this defies the _point_ of Thunderbolt itself. But if we assume we can disable Thunderbolt capability while the host OS is running, then that’s already a huge win.
FWIW I already do this with USB, the ports are disabled until I run a command to enable them in Linux. Because I’m one of those “paranoid” types.
As long as Thunderbolt is enabled. If I'm not mistaken, disabling Thunderbolt completely should be a viable workaround. It's essentially the same situation we had with FireWire: just blacklist the driver and all should be good.
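The "ports stay locked until I run a command" approach above, applied to Thunderbolt on Linux, as an added example that is not from any commenter: it reads the kernel's Thunderbolt sysfs tree (`/sys/bus/thunderbolt/devices`, with the `security` attribute per domain and `authorized` per device) and flags a domain whose security level is `none`, i.e. every plugged-in device gets PCIe/DMA access automatically. The sysfs root is a parameter so the script can be pointed at a constructed tree; the device names in the test are constructed.

```bash
#!/usr/bin/env bash
# Audit Linux Thunderbolt security: print the per-domain security level and
# the authorization state of each attached device. Returns non-zero when a
# domain is at level "none" (auto-authorize, so any device gets DMA access).
tb_audit() {
  local root="${1:-/sys/bus/thunderbolt/devices}"
  local rc=0 dom dev level auth name
  for dom in "$root"/domain*; do
    [ -d "$dom" ] || continue
    level=$(cat "$dom/security" 2>/dev/null || echo unknown)
    echo "$(basename "$dom") security=$level"
    # Anything other than "none" requires an explicit authorize step
    # (or, for "secure", a matching key) before PCIe tunnels come up.
    [ "$level" = "none" ] && rc=1
  done
  for dev in "$root"/*-*; do
    [ -f "$dev/authorized" ] || continue
    auth=$(cat "$dev/authorized")
    name=$(cat "$dev/device_name" 2>/dev/null || echo '?')
    # authorized=0: attached but tunnels not connected; 1: connected.
    echo "$(basename "$dev") authorized=$auth name=$name"
  done
  return "$rc"
}

# Explicitly allow one device (needs root on a real system). This is the
# "run a command to enable it" step from the thread, done per device.
tb_authorize() {
  local root="${1:-/sys/bus/thunderbolt/devices}" id="$2"
  [ -f "$root/$id/authorized" ] || return 1
  echo 1 > "$root/$id/authorized"
}
```

Run `tb_audit` with no arguments to inspect the live system, and `tb_authorize "" 0-1` (as root) to connect a device you have inspected and decided to trust.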
As DisplayPort Alternate Mode for USB-C is nowadays used a lot to connect external displays, instead of the approach Apple chose of tunnelling DisplayPort over Thunderbolt, Thunderbolt is probably not even relevant for most users outside of the Apple universe.
> Thunderbolt is probably not even relevant for most users outside of the Apple universe.
Actually not the case -- the TB chipsets are from Intel and promoted by them.
TB drives are pretty fast and great to use if you can afford them. TB external GPUs are useful for ML too (not sure if anyone is using them for actual rendering; that's outside my field of experience).
To an extent. Many laptops and nearly all desktops don't have Thunderbolt at all. TB external GPUs are probably the main use case for the technology today (people indeed do use them for rendering).