==============================================================
Authorizing (or not) your USB devices to connect to the system
==============================================================

Copyright (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

This feature allows you to control whether a USB device can be used (or
not) in a system. It lets you implement a lock-down of USB devices,
fully controlled by user space.

As of now, when a USB device is connected it is configured and its
interfaces are immediately made available to users. With this
modification, the device can only be used once root has authorized it
to be configured.

Usage
=====

Authorize a device to connect::

  $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

De-authorize a device::

  $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

Set new devices connected to bus usbX to be deauthorized by default (i.e.
lock down)::

  $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

Remove the lock down::

  $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

By default, all USB devices are authorized. Writing "2" to the
authorized_default attribute causes the kernel to authorize by default
only devices connected to internal USB ports.


Example system lockdown (lame)
------------------------------

Imagine you want to implement a lockdown so only devices of type XYZ
can be connected (for example, it is a kiosk machine with a visible
USB port)::

  boot up
  rc.local ->

   for host in /sys/bus/usb/devices/usb*
   do
      echo 0 > "$host/authorized_default"
   done

Hook up a script to udev, for new USB devices::

   if device_is_my_type "$DEV"
   then
      echo 1 > "$device_path/authorized"
   fi


Now, device_is_my_type() is where the juice for a lockdown is. Just
checking whether the class, type and protocol match something is the
worst security verification you can make (or the best, for someone
willing to break it). If you need something secure, use crypto and
Certificate Authentication or stuff like that.
Something simple for a storage key could be::

   device_is_my_type()
   {
      echo 1 > "$device_path/authorized"   # temporarily authorize it
      # FIXME: make sure none can mount it
      if ! mount DEVICENODE /mntpoint
      then
         echo 0 > "$device_path/authorized"
         return 1
      fi
      # /etc/lockdown/keysum holds the md5sum output line recorded for
      # the genuine key's .signature file
      sum=$(md5sum /mntpoint/.signature)
      if [ "$sum" = "$(cat /etc/lockdown/keysum)" ]
      then
         echo "We are good, connected"
         umount /mntpoint
         # Other stuff so others can use it
      else
         umount /mntpoint
         echo 0 > "$device_path/authorized"
      fi
   }


Of course, this is lame; you'd want to do real certificate
verification with PKI, so you don't depend on a shared secret,
etc., but you get the idea. Anybody with access to a device gadget kit
can fake descriptors and device info. Don't trust that. You are
welcome.


Interface authorization
-----------------------

There is a similar approach to allow or deny specific USB interfaces.
This allows you to block only a subset of a USB device.

Authorize an interface::

  $ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized

Deauthorize an interface::

  $ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized

The default value for new interfaces on a particular USB bus can be
changed, too.

Allow interfaces by default::

  $ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default

Deny interfaces by default::

  $ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default

By default the interface_authorized_default bit is 1, so all interfaces
are authorized unless you change it.

Note:
  If a deauthorized interface is later authorized, driver probing must
  be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe

For drivers that need multiple interfaces, all needed interfaces should be
authorized first. After that the drivers should be probed.
This avoids side effects.
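As an added example (not part of the kernel documentation), the following POSIX shell script combines the bus-level lock-down from the Usage section with the per-interface authorization and manual driver probing described here: it denies new interfaces on every host by default, then, for one device, authorizes only the interfaces whose bInterfaceClass is in an allowlist, denies the rest, and probes the authorized ones only after all of them are authorized. The sysfs root is a parameter so the functions can be exercised against a constructed directory tree; the layout assumed (devices/usbX, devices/B-P:C.I/bInterfaceClass, drivers_probe) is that of /sys/bus/usb. As the text above warns, a class allowlist is a policy mechanism, not proof of device identity.

```shell
#!/bin/sh
# Added example: interface-level USB lock-down via sysfs. The sysfs root is
# passed in so the functions can run against a constructed tree; the real
# root is /sys/bus/usb (assumed layout: devices/usbX, devices/B-P:C.I with a
# bInterfaceClass attribute, and the drivers_probe attribute).
USB_ROOT="${USB_ROOT:-/sys/bus/usb}"

# Deny new interfaces on every host controller by default (lock-down).
lockdown_hosts() {
    root="$1"
    for host in "$root"/devices/usb*; do
        [ -d "$host" ] || continue
        echo 0 > "$host/interface_authorized_default"
    done
}

# Succeed if the class code (two hex digits, as sysfs prints it) is in the
# allowlist given as the remaining arguments.
class_allowed() {
    cls="$1"; shift
    for ok in "$@"; do
        [ "$cls" = "$ok" ] && return 0
    done
    return 1
}

# For device B-P (e.g. 1-2): authorize only interfaces whose bInterfaceClass
# is allowlisted, deny the rest, then trigger driver probing for the
# authorized ones. Probing happens after all interfaces are authorized so a
# driver that needs several interfaces sees all of them. Prints the number
# of interfaces probed.
authorize_interfaces() {
    root="$1"; dev="$2"; shift 2
    probe_list=""
    for intf in "$root/devices/$dev":*; do
        [ -d "$intf" ] || continue
        if class_allowed "$(cat "$intf/bInterfaceClass")" "$@"; then
            echo 1 > "$intf/authorized"
            probe_list="$probe_list $(basename "$intf")"
        else
            echo 0 > "$intf/authorized"
        fi
    done
    for name in $probe_list; do
        echo "$name" > "$root/drivers_probe"
    done
    set -- $probe_list
    echo $#
}
# Usage as root: lockdown_hosts "$USB_ROOT"; authorize_interfaces "$USB_ROOT" 1-2 08
```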