TWeed - Trying to boot from a Thunderbolt-attached SSD

Hello everyone! :smiley:

I just installed TWeed on an external SSD connected to my Apple Mac mini 8.1 2018, Intel i7-8700B, 16 GB RAM (can’t use the internal SSD). For now, the only way I have found to make things work is to use the USB3 interface.

If I put my SSD inside a Thunderbolt 2 box connected to one of the four TB3 (USB-C) connectors of the mini, using the Apple TB2 to TB3 converter (100% compatible), with the goal of enjoying the speed and low latency offered by the TB protocol, Dracut cannot find my root TWeed partition (even if it is explicitly indicated by a “mount” command followed by the UUID of the partition) and so cannot mount it.

So to sum up briefly: with USB, no problems. With Thunderbolt, TWeed cannot boot.

Please take into account the fact that I don’t have a single problem booting macOS Mojave or Windows 10 installed on external drives connected - exactly the same way - to the other TB3 ports of the mini; everything is flawless and bug-free.

Note also that all my Thunderbolt partitions (I have a dozen different types of disk units installed inside different TB boxes connected to the mini, which I have used daily for years without a single glitch) are recognized and authorized by Tumbleweed - I use the graphical Plasma-thunderbolt extension in KDE system settings to authorize all these boxes, so all my partitions are mounted, trusted and running perfectly well with TWeed.

On the web I have found many topics talking about TB, so despite being a n00b I now know there are different levels of security to protect the user from a potential DMA attack, and AFAIK the removable / external TB partitions are most of the time mounted in user-space: the mounting operation uses udev, which calls the bolt daemon, so that the mounting becomes possible, but only in user-space, once logged in.

What I’ve done:

  1. (Not strictly related, but very useful - thanks to a nice forum member who shared this solution!)
    Created a rule in /etc/polkit-1/rules.d called 10-udisks2.rules containing:

    // See the polkit(8) man page for more information about configuring polkit.

    // Allow udisks2 to mount devices without authentication for users in the "wheel" group.

    polkit.addRule(function(action, subject) {
        if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
             action.id == "org.freedesktop.udisks2.filesystem-mount") &&
            subject.isInGroup("wheel")) {
            return polkit.Result.YES;
        }
    });

  2. According to this guide: USB4 and Thunderbolt — The Linux Kernel documentation, I created a file called 99-removable.rules in /etc/udev/rules.d containing:

    ACTION=="add", SUBSYSTEM=="thunderbolt", ATTRS{iommu_dma_protection}=="1", ATTRS{iommu_dma_protection}=="0", ATTR{authorized}=="0", ATTR{authorized}="1"

The result of both is that all my Thunderbolt partitions are auto-magically mounted and ready to rock each time I log in to Plasma (Wayland).

Please note that SIP (System Integrity Protection, an Apple thing) is deactivated, and, normally, secure boot too, but I’m not able to access this parameter to verify anymore: Apple has updated the recovery environment in such a way that each time I try to access the setting supposed to allow me to disable S-Boot, it generates an error saying “no administrator have been found” or something like that. So the result is: I cannot verify the status, nor activate, nor deactivate secure boot.

So, to sum up: I’m looking for a non-specific (I mean, one that other users could apply even if they don’t have the same gear as me) and - if possible - easy solution to be able to boot my external (removable) TWeed partition, once connected to a TB port of my box, as easily as I have booted other OSes for years.

(Please indulge the eventual errors I made in this long (sorry!) and boring (double sorry!) message, English is not my native language, so I often make mistakes, that is the real reason why this post is so long, I wanted to make sure the problem is correctly exposed, and I’m not sure to have succeeded in this hard task)

THANK YOU A MILLION in advance to have read my stupid and n00bish gibberish, and for all the infos and solutions you could bring to the table - not only for me, but for anyone interested.

Create user with administrator rights in BIOS.
Upgrade firmwares.
Set security level to Thunderbolt = none or legacy or 0 or…
https://docs.kernel.org/admin-guide/thunderbolt.html
Maybe it is possible to put /boot folder on USB device and all other folders - to Thunderbolt device.

IMHO USB 10Gb/s is good enough.


Hello @Svyatko, thanks a LOT for your answer! :smiley:

Concerning the BIOS, Macs are very, very different from PCs: I don’t have access to anything comparable to a real BIOS. And only Apple itself could upgrade the firmware, but that’s exactly what it doesn’t do, considering my model of Mac mini (2018 model with an Intel processor) is now a thing of the past; for a long time there have been no more updates for this (abandoned) model in particular… No longer in fashion. That’s why after this I ceased to be interested in Apple things and have worked for a while exclusively with Win10.

Thanks for your tip to put the /boot folder on a USB device! It seems a little complicated for a noobie like me, but I’m sure it could interest more experienced users!

As said in my first message, I have already taken care of the TB security level (though I don’t fully understand why there’s a double equal (==) for some parameter values, and a single equal (=) for others… ???), my TB devices are fully authorized (“enrolled”) and working.

Yes, for most usages, USB 3 (5 or 10 Gb/s, depending on the version of the protocol) looks perfect… Except when you make music with Ardour and are looking for the best latency available.

This is THE big difference between USB and TB: with USB (whatever the version), there is an incompressible latency due to the protocol itself and the standard chips used in today’s computers.

That’s why, for example, you can still find external audio interfaces (indispensable for recording and mixing in a (home) studio in the best conditions) with USB2 only. Whatever the version of the USB protocol you have, you still have the same latency. And for professional audio, latency is absolutely paramount.

That’s why some audio pros have opted for Thunderbolt interfaces, with the goal of reducing the latency of the whole audio chain (instrument or voice → microphone → audio interface → computer → hard drive).

We often minimize the importance of the last link of the chain, the hard drive. Yet when you record HR audio or use loads of sample loops playing / recording at the same time, its speed and latency are absolutely essential. Thunderbolt is directly connected to the PCIe bus of the computer, so with it you can enjoy a nearly imperceptible latency.

On my Mac mini, the internal NVME SSD is almost entirely occupied by macOS, so I needed a lot of external, fast SSD units to save my audio works and - very important - to back them up safely.

I work most of the time with Cubase on Windows 10, but for some time I have wanted to experiment with Linux - with the goal of discovering whether a professional audio workflow is possible… with only 100% Libre software.

Unfortunately, this boot problem prevents me from having a real basis for comparison. For example, I would like to measure the total latency obtained with Linux and Ardour, and compare it to the latency I get when I use Windows and Cubase.
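On the `==` versus `=` question above and the 99-removable.rules line from the first post, as an added example (not code from the thread or from udev itself): in a udev rule `==` and `!=` are match keys and `=` is an assignment, so the tail of the line reads "if authorized is 0, set it to 1". The small evaluator below models only these keys on constructed events (`apply_rule`, `tb_event` and the event layout are hypothetical names) and shows that a rule testing `ATTRS{iommu_dma_protection}` against both "1" and "0" can never match, because all `ATTRS` keys of a rule must hold on one and the same device.

```python
import re

# A rule is a comma-separated list of KEY{attr} OP "value" tokens.
TOKEN = re.compile(r'\s*([A-Z]+)(?:\{([^}]+)\})?\s*(==|!=|=)\s*"([^"]*)"')

def parse_rule(line):
    """Split a rule into match keys (==, !=) and assignment keys (=)."""
    matches, assigns = [], []
    for key, attr, op, value in TOKEN.findall(line):
        (assigns if op == "=" else matches).append((key, attr, op, value))
    return matches, assigns

def _ok(op, actual, wanted):
    return (actual == wanted) if op == "==" else (actual != wanted)

def apply_rule(line, event):
    """Return the assignments the rule would perform, or None if it does not match.
    event["chain"] lists sysfs attributes: event device first, then its parents."""
    matches, assigns = parse_rule(line)
    chain = event["chain"]
    for key, attr, op, value in matches:
        if key in ("ACTION", "SUBSYSTEM") and not _ok(op, event[key], value):
            return None
        if key == "ATTR" and not _ok(op, chain[0].get(attr), value):
            return None
    # ATTRS walks up the device path; every ATTRS key must match on ONE device.
    attrs_keys = [m for m in matches if m[0] == "ATTRS"]
    if attrs_keys and not any(
        all(a in dev and _ok(op, dev[a], v) for _, a, op, v in attrs_keys)
        for dev in chain
    ):
        return None
    return {attr: value for _, attr, _, value in assigns}

# Rule with a single iommu_dma_protection test, as in the kernel guide the post links.
DOC_RULE = ('ACTION=="add", SUBSYSTEM=="thunderbolt", '
            'ATTRS{iommu_dma_protection}=="1", '
            'ATTR{authorized}=="0", ATTR{authorized}="1"')
# The line as posted: the same attribute is tested against "1" and "0".
POSTED_RULE = ('ACTION=="add", SUBSYSTEM=="thunderbolt", '
               'ATTRS{iommu_dma_protection}=="1", ATTRS{iommu_dma_protection}=="0", '
               'ATTR{authorized}=="0", ATTR{authorized}="1"')

def tb_event(dma_protection):
    # Constructed sample: an unauthorized Thunderbolt device below its domain.
    return {"ACTION": "add", "SUBSYSTEM": "thunderbolt",
            "chain": [{"authorized": "0"}, {"iommu_dma_protection": dma_protection}]}
```

On a real system, `udevadm info --attribute-walk` on the device path prints the attribute chain these keys are matched against.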

USB4 is based on Thunderbolt.

Your settings for working Linux OS are not applicable during boot.
If you want to solve problem - create bug report.
It is possible that TB boot doesn’t work yet with openSUSE installer.
To lower latencies exclude drive from work process by using RAM disk. New consumer systems can handle up to 128/192 GiB of RAM.
There is no need to use 100% open/libre software, just throw away Windows.
To lower latencies use preempt=full setting or real-time (RT) kernel.
https://wiki.linuxfoundation.org/realtime/documentation/start


@Svyatko, thank you again for your answer! :+1: Just a small clarification:

> USB4 is based on Thunderbolt.

That’s not totally exact; it would be more accurate to say that the USB4 protocol integrates a TB mode… a TB mode that is not activated by default; for that you must have TB-certified device(s) and cable(s).

Most of the time, USB4 behaves exactly like USB3… with the same latency.

> If you want to solve problem - create bug report.
> It is possible that TB boot doesn’t work yet with openSUSE installer.

In fact, it is not exactly a bug, it’s a feature. On Linux (whatever the distro, and I have tested a lot of them), there is a security measure that prevents booting from an external TB drive, by design.

I already installed an rt-kernel, and it’s a really good measure that effectively improves daily work with Tumbleweed.

For the rest, I keep investigating solutions, knowing that in my Mac mini, the quantity of RAM is fixed / glued forever; there’s absolutely no possibility to change / improve anything internal.

So of course I plan on changing my gear, but whatever machine I could choose, this boot issue will be exactly the same. The only solution (for now) could be to install TWeed on the main, internal NVME drive. But it’s not exactly ideal for me.