Thunderbolt on Windows Part 2: Intel's DZ77RE-K75 & ASUS' P8Z77-V Premium
by Anand Lal Shimpi on June 3, 2012 2:08 AM EST- Posted in
- Motherboards
- CPUs
- Intel
- Asus
- Thunderbolt
- Ivy Bridge
- Chipsets
Quad-core mobile Sandy Bridge, 2.5" SSDs and Thunderbolt together have allowed me to use a notebook as my primary work machine. I get all of the portability benefits of a notebook, but with almost none of the performance sacrifices. The only thing I'm really missing is a good, external discrete GPU solution but that's a problem being worked on either via Thunderbolt link aggregation or the second revision of the Thunderbolt spec.
Despite what it's done for me, Thunderbolt has to be one of the most strangely handled interface specs of recent history. Intel engineered the spec, but Apple helped with a lot of the connector and cable design and as a result received a year long exclusive on Thunderbolt. Since its introduction, Thunderbolt has received a reasonable amount of support on the Mac platform. Apple even builds a display designed exclusively for use with Thunderbolt equipped Macs. Companies like Promise, Seagate, Western Digital, LaCie and Elgato are all shipping Mac compatible Thunderbolt devices as well.
With the exclusivity agreement over, Intel's partners in the Windows PC space are allowed to ship Thunderbolt enabled motherboards and systems. Making things even more bizarre is the fact that all Thunderbolt devices have to go through Intel's certification program if they are to be approved for use under Windows. Technically only Promise's Pegasus is certified (or about to be certified) for use under Windows, despite the fact that all of these Thunderbolt devices have been available for use under Windows via Boot Camp on Macs.
The complications extend even further when you realize that Apple's own products aren't certified for use under Windows. The Thunderbolt Display is only officially supported under OS X and I don't see Apple being incredibly motivated to work on Windows certification for it. Interfaces like USB are great because you can generally count on anything that physically fits in the port just working. With Thunderbolt on Windows we now have a situation where you can't assume the same.
We got the first look at a Thunderbolt equipped PC motherboard with MSI's Z77A-GD80 a couple of weeks ago. The interface worked but was not without its quirks. To be totally fair however, the Thunderbolt experience under OS X isn't perfectly problem free either. It turns out that MSI sampled that motherboard prior to making it through the motherboard certification process. Since then, the motherboard has made it through cert and has an updated BIOS that should improve its behavior.
Both Intel and ASUS sent us their latest, fully certified, Thunderbolt equipped motherboards for another look at how the interface works under Windows. With motherboards available today, it's now time to take a complete look at what Thunderbolt is like outside of the Apple ecosystem.
The Motherboards
ASUS sent its P8Z77-V Premium motherboard with Thunderbolt support, while Intel sent its DZ77RE-75K Thunderbolt board. Only the ASUS board is publicly available and is priced at $450. ASUS will have a more affordable SKU with integrated Thunderbolt available in the future: the P8Z77-V Pro/Thunderbolt, which should be priced below $300. Other ASUS boards will be upgradeable to support Thunderbolt via an on-board header + add-in card.
The Intel board starts at $262 and goes as high as $278 depending on the in-box configuration (both include WiFi/BT dongles, while the $278 version comes with front panel USB 3.0 support).
Both boards branch the Thunderbolt controller off of the Z77 PCH, borrowing four PCIe 2.0 x1 lanes. Given how full featured these motherboards are, PCIe switches are employed to allow the use of all the remaining PCIe devices connected to the PCH.
Intel's Z77 Thunderbolt Motherboard Block Diagram
ASUS goes one step further and includes a PCIe 3.0 switch to enable quad-CF/SLI support despite the limited number (16) of PCIe lanes Intel's LGA-1155 CPUs provide. ASUS' board features all the bells and whistles including a 32GB Marvell based Liteon mSATA SSD:
The Thunderbolt port on both boards can serve as either a Thunderbolt port or a DisplayPort output, similar to the behavior on a Thunderbolt Mac. Discrete GPUs are supported through the on-board Thunderbolt/DisplayPort output, provided you have Lucid's Virtu software installed.
As Thunderbolt carries more bandwidth than USB 3.0, trace routing is very important to achieving max performance. You'll notice that on all Thunderbolt boards we've tested thus far, the Cactus Ridge controller and Thunderbolt port are very close to one another. The spec for max trace length between the Thunderbolt controller and port is two inches, compared to up to 10 inches for Intel's USB 3.0 controller.
ASUS tells us that in order to reduce crosstalk it spaced Thunderbolt traces 1.5x wider than traces for USB 3.0 on its boards. Finally, all Thunderbolt traces are on the same PCB layer and don't feature any sharp angles in their route—only gradual arcs, which further improves performance. There's an impressive amount of engineering that has to go into bringing Thunderbolt support to a motherboard.
BIOS/UEFI support for Thunderbolt appears to be identical across all of the third party board makers. ASUS' Thunderbolt options look identical to MSI's for example:
Interestingly enough, Intel doesn't actually expose any of the specific Thunderbolt settings. The Intel board just lets you enable/disable the interface itself:
Facebook
Twitter
RSS
116 Comments
View All Comments
ka_ - Monday, June 4, 2012 - link
The one thing that will keep me away from TB is the major problem that any device can access the DMA of any connected devices essentially removing all security of any system with TB - except if by disabling DMA while using the plug. I have come to notice that Apple have a undocumented method to disable DMA on TB <http://matt.ucc.asn.au/apple/>, though it indicates this method only apply to the Firewire over TB exploit, and it likely is not much time until someone have a better method. But if it is possible do disable DMA/restrict DMA access on the machines, then TB might even eventually get accepted by the security focused audience too?If possible do disable DMA under Windows/Linux how much would this degrade the TB performance?
repoman27 - Monday, June 4, 2012 - link
Disabling DMA for Thunderbolt is akin to disabling DMA for PCIe, i.e. not practical. IOMMU will hopefully provide security for these types of scenarios, but the driver implementation just isn't there yet.Does the fear of DMA attacks prevent you from using PC's with available PCIe slots, ExpressCard or IEEE 1394 ports? Hardware DMA attacks require physical access to the machine or some sort of social engineering ploy. If an attacker has physical access to your machine, they would most likely try many other vectors before resorting to a DMA attack. DMA attacks generally involve custom hardware which is time consuming and expensive to develop. Do you really see someone buying or creating a custom piece of Thunderbolt hardware just to attempt to compromise PCs under your control?
While these types of security vulnerabilities are real, exploitation of them is rather uncommon, and for the foreseeable future, far more likely to come in the form of FireWire or ExpressCard than Thunderbolt.
If someone ships you a shiny new Pegasus R6 with a note saying, "You're the lucky winner!" just sell it on eBay and move on.
ka_ - Monday, June 4, 2012 - link
"While these types of security vulnerabilities are real, exploitation of them is rather uncommon, and for the foreseeable future, far more likely to come in the form of FireWire or ExpressCard than Thunderbolt."Completely wrong - The firewire exploit is possible to do on any TB and the exploit is already in the wild: <http://www.breaknenter.org/2012/02/adventures-with...
Even script kiddies can apparently do this attack against TB and firewire already...
So yes - I would indeed sell the machine coming with this port unless there is a way to prevent DMA access for units connected through the TB port.
I think Asus UX32VD-DB71 or one of the UX31A's which does not have TB, Firewire, ExpressCard or any of the other easily exploitable ports.
repoman27 - Monday, June 4, 2012 - link
Did ya read the article you linked to? Did ya understand any of it? Because I had already done so, and came away with a very different assessment of the severity of the threat in question.The exploit as described is a FireWire DMA attack requiring physical access to the PC along with several bulky hardware devices costing many hundreds of dollars. The pointlessness of this exercise is especially extreme, because at the time it was written, the only PC with Thunderbolt but lacking FireWire was the 2011 MacBook Air.
I don't generally let script kiddies hang out in my house, but I'd probably notice if they left an Apple Thunderbolt Display or a Sonnet Echo ExpressCard/34 Thunderbolt Adapter, ExpressCard FireWire adapter, 2.0 m Apple Thunderbolt cable, FireWire cable and "attack" PC running Linux lying about attached to my MacBook Air. Just sayin'.
ka_ - Monday, June 4, 2012 - link
The article specify "or equivelent" - ebay got a thunderbird to firewire adaptor from USD 4.25And no - you dont need daisy chain except to test some of the more advanced hacks there...
http://www.ebay.com/itm/6-pin-Firewire-to-Thunderb...
repoman27 - Tuesday, June 5, 2012 - link
That's a 6-pin to 8-pin FireWire adapter you moron.I guess if you can fall for eBay listings like that, you need to protect yourself pretty darn well against potential social engineering attacks. Good luck with that.
repoman27 - Tuesday, June 5, 2012 - link
Sorry, I didn't really mean to call you a moron. I wish this site allowed editing of posts.ka_ - Tuesday, June 5, 2012 - link
No problem - I might have been to hasty including the first search result I found for "Thunderbolt to Firewire" converter/adapter. There are others too such as<http://istore.techtools.com.au/index.php?route=pro...
The real point I am trying to make is that you most certainly wont need expensive hubs or daisy chains to perform this attack - any adapter/converter will do.
In fact - Firewire was only used to demonstrate that the problem still persist with Thunderbolt. That particular exploit can be prevented by simply blacklisting Firewire / 1394 devices, however that is only keeping the currently known exploit from happening.
Since Thunderbolt have DMA access on its own, it is only a matter of time before an exploit can be made with no conversion at all!
I know there are USB2/3 to Firewire converters too, which might make USB3 vulnerable to the same exploit even though USB3 in itself does not have DMA access. So all firewire is indeed on my blacklist even though I don't have any firewire ports on my laptop.
jontech - Monday, June 4, 2012 - link
enthusiasts would have been tripping over themselves calling it the second coming.The fact is, Intel can ramp up TB to 100GB in the next couple of years. USB can't keep up.
The footprint is much smaller, mDP vs USB so it's perfect for Notebooks and allows for breakout and dock solutions that include many other technologies
It is here to stay, and the fact that Apple pushed it and has every one of their computers with it means that those companies who have made TB devices have been rewarded with sales.
rs2 - Tuesday, June 5, 2012 - link
You killed my interest in Thunderbolt when you said:"Interfaces like USB are great because you can generally count on anything that physically fits in the port just working. With Thunderbolt on Windows we now have a situation where you can't assume the same."
That is *not* the way to introduce a new connectivity standard. If I can't plug any Thunderbolt device into any Thunderbolt connector and *know* for a fact that it will work without issue, then something is very seriously wrong.