No authentication window pops up if thunderbolt device be plugged before booting

One thing that is not clear for your report: Is the dock authorized but you would rather have to authenticate it again; or is it not authorized and not working until you re-plug it?

Sorry for not clear enough. It is not authorized and not working until I re-plug it.

Although not ideal, the behaviour currently is kinda as designed[1], although the design itself does not mention the case where a unknown device is already plugged in at boot time.

Regardless of this, the bug is filed against the wrong component because bolt itself does not provide policy, i.e. the authority to manage devices, including initially authorizing them, is not in the hands of boltd[2]. On a GNOME Desktop the policy provider is the Shell: it is listening to events and if a user (with admin rights) is currently logged in and the screen is unlocked instructs boltd to authorize the new device. In short: the act of connecting a dock to an unlocked computer is interpreted as the intention of the current user to authorize the dock. Now if the device is already connected at boot, we can not be sure that was done by the same user that boots the machine and then proceeds to log in. So automatically authorizing an unknown device would create a security thread where a different evil person could have plugged in a small spy device to the computer and then forced the computer to shut down. The puzzled normal user would reboot and the evil device would automatically authorize the device.

That being said we should probably show a notification after log-in that there are devices connected that are not authorized (and a click could bring you to the control center to manually authorize it), very much as we do already when devices were connected while the screen was locked. In any way this bug should be against the Shell, not bolt.

[1] https://wiki.gnome.org/Design/Whiteboards/ThunderboltAccess
[2] with the exception of very modern hardware that provides hardware based DMA protection, aka iommu for thunderbolt support, but there we rely in the hardware to provide the security and thus this is a special case.

this is the correct behavior that plugs an unauthenticated TBT device after user logout (before login)
The message I feel useful is:

 十 15 18:07:55 u-Precision-7530 boltd[1198]: [00547989-414f-Thunderbolt Dock ] device added (/sys/devices/pci0000:00/0000:00:1c.0/0000:03:00.0/0000:04:00.0/0000:05:00.0/domain0/0-0/0-1/0-301)
 十 15 18:07:55 u-Precision-7530 boltd[1198]: [00547989-414f-Thunderbolt Dock ] dbus: exported device at /org/freedesktop/bolt/devices/00547989_414f...
 十 15 18:07:55 u-Precision-7530 gnome-shell[1369]: thunderbolt: [Thunderbolt Dock] auto enrollment: no

this is the case which not popup message for that unauthenticated TBT device which plugged-in before power on.

The fishy message are:

 十 15 18:13:27 u-Precision-7530 boltd[1391]: [1083787c-7a0f-Thunderbolt Cable ] dbus: exported deviceat /org/freedesktop/bolt/devices/1083787c_7a0f...
 十 15 18:13:27 u-Precision-7530 boltd[1391]: [00547989-414f-Thunderbolt Dock ] dbus: exported deviceat /org/freedesktop/bolt/devices/00547989_414f...
 十 15 18:13:27 u-Precision-7530 systemd[1]: Started Thunderbolt system service.

Gnome shell will show a notification on the login/unlock screen instructing users to disconnect and reconnect an unauthenticated device when
1. User logged out
2. Screen is locked

But the notification won't show if no one has been logging in.

Right, that's what Christian described. Could someone open a gnome-shell upstream ticket?b

I'll submit an issue to gnome-shell project.

@cktenn please kindly provide the link of the issue on gnome-shell project. Thanks

@Rex

The link is on also-affect project list.

https://gitlab.gnome.org/GNOME/gnome-shell/issues/1794