tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1
2Authorizing (or not) your USB devices to connect to the system
3
4(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
5
6This feature allows you to control if a USB device can be used (or
7not) in a system. This feature will allow you to implement a lock-down
8of USB devices, fully controlled by user space.
9
10As of now, when a USB device is connected it is configured and
11its interfaces are immediately made available to the users. With this
12modification, only if root authorizes the device to be configured will
13then it be possible to use it.
14
15Usage:
16
17Authorize a device to connect:
18
19$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
20
21Deauthorize a device:
22
23$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
24
25Set new devices connected to hostX to be deauthorized by default (ie:
26lock down):
27
28$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
29
30Remove the lock down:
31
32$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
33
34By default, Wired USB devices are authorized by default to
35connect. Wireless USB hosts deauthorize by default all new connected
36devices (this is so because we need to do an authentication phase
37before authorizing). Writing "2" to the authorized_default attribute
38causes kernel to only authorize by default devices connected to internal
39USB ports.
40
41
42Example system lockdown (lame)
43-----------------------
44
45Imagine you want to implement a lockdown so only devices of type XYZ
46can be connected (for example, it is a kiosk machine with a visible
47USB port):
48
49boot up
50rc.local ->
51
52 for host in /sys/bus/usb/devices/usb*
53 do
54 echo 0 > $host/authorized_default
55 done
56
57Hookup an script to udev, for new USB devices
58
59 if device_is_my_type $DEV
60 then
61 echo 1 > $device_path/authorized
62 done
63
64
65Now, device_is_my_type() is where the juice for a lockdown is. Just
66checking if the class, type and protocol match something is the worse
67security verification you can make (or the best, for someone willing
68to break it). If you need something secure, use crypto and Certificate
69Authentication or stuff like that. Something simple for an storage key
70could be:
71
72function device_is_my_type()
73{
74 echo 1 > authorized # temporarily authorize it
75 # FIXME: make sure none can mount it
76 mount DEVICENODE /mntpoint
77 sum=$(md5sum /mntpoint/.signature)
78 if [ $sum = $(cat /etc/lockdown/keysum) ]
79 then
80 echo "We are good, connected"
81 umount /mntpoint
82 # Other stuff so others can use it
83 else
84 echo 0 > authorized
85 fi
86}
87
88
89Of course, this is lame, you'd want to do a real certificate
90verification stuff with PKI, so you don't depend on a shared secret,
91etc, but you get the idea. Anybody with access to a device gadget kit
92can fake descriptors and device info. Don't trust that. You are
93welcome.
94
95
96Interface authorization
97-----------------------
98There is a similar approach to allow or deny specific USB interfaces.
99That allows to block only a subset of an USB device.
100
101Authorize an interface:
102$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
103
104Deauthorize an interface:
105$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
106
107The default value for new interfaces
108on a particular USB bus can be changed, too.
109
110Allow interfaces per default:
111$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
112
113Deny interfaces per default:
114$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
115
116Per default the interface_authorized_default bit is 1.
117So all interfaces would authorized per default.
118
119Note:
120If a deauthorized interface will be authorized so the driver probing must
121be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
122
123For drivers that need multiple interfaces all needed interfaces should be
124authorized first. After that the drivers should be probed.
125This avoids side effects.