Fedora 28 enables a number of power saving features by default for the first time. The changes are in base packages and so all users will automatically gain these improvements upon upgrading. As a result, laptops running Fedora will be able to last longer on battery power.
Fedora 28 adds support for Thunderbolt - an interface developed by Intel which allows connection of external peripherals to a computer.
Devices connected via Thunderbolt are DMA masters, which means they can read system memory directly without interference from the computer’s operating system or even CPU. To mitigate the security risk this type of access poses, there are four available security levels for communication, which are set by system firmware:
none - security is disabled, all devices are fully functional when connected
dponly - only pass the DisplayPort stream through to the connected device
user - connected devices must be manually authorized by the user
secure - same as
user, but also verify the device’s identy through a secret key
Starting with version 4.13, the Linux kernel provides an interface through
sysfs which enables userspace query about the security level, the status of any connected devices, and to authorize devices if the security level demands it. The active security level must normally be selected before booting via a BIOS/EFI option, but it is interesting to note that the
none option will likely be removed in the future. This would mean that connected Thunderbolt devices would not work unless authorized by the user from within the running operating system.
For this reason, Fedora 28 implements full Thunderbolt 3 support. In order to avoid compromising the security, there are two userspace components working together to enable Thunderbolt: a system service (
boltd) and a component in GNOME Shell. The shell component will automatically enroll (authorize and store in an internal database) any new connected devices using
boltd only if the current user is an administrator and if the session is unlocked. After the device has been authorized once, its information is stored in the database and it will be authorized automatically on subsequent connections.