==============================================================
Authorizing (or not) your USB devices to connect to the system
==============================================================

Copyright (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

This feature allows you to control whether a USB device can be used (or
not) in a system. It lets you implement a lock-down of USB devices,
fully controlled by user space.

As of now, when a USB device is connected it is configured and
its interfaces are immediately made available to the users.  With this
modification, the device can be used only if root authorizes it to be
configured.

Usage
=====

Authorize a device to connect::

	$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

De-authorize a device::

	$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

Set new devices connected to hostX to be deauthorized by default (i.e.,
lock down)::

	$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

Remove the lock down::

	$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

Wired USB devices are authorized by default to connect. Wireless USB
hosts deauthorize all newly connected devices by default (this is
because an authentication phase is needed before authorizing). Writing
"2" to the authorized_default attribute causes the kernel to authorize
by default only devices connected to internal USB ports.
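
To review the resulting state, the attributes above can be read back per bus and per device. The following is an added example, not part of the kernel documentation: the function name ``usb_auth_audit`` and its optional directory argument are assumptions made here so it can be run against a constructed tree, and it relies on the sysfs naming where devices are ``BUS-PORT[.PORT...]``, interfaces contain a ``:``, and root hubs are ``usbX``.

```shell
#!/bin/sh
# Added example: list each USB device with its "authorized" flag and the
# "authorized_default" policy of the bus it sits on.
# usb_auth_audit [DEVICES_DIR]   (DEVICES_DIR defaults to /sys/bus/usb/devices;
#                                 the argument is an assumption for testing)
usb_auth_audit() {
    root=${1:-/sys/bus/usb/devices}
    for dev in "$root"/*; do
        name=${dev##*/}
        case $name in
            usb*|*:*) continue ;;    # skip root hubs and interface entries
        esac
        [ -r "$dev/authorized" ] || continue
        # Device names start with the bus number: 1-1.2 lives on usb1.
        host="$root/usb${name%%-*}"
        [ -r "$host/authorized_default" ] || continue
        auth=$(cat "$dev/authorized")
        def=$(cat "$host/authorized_default")
        note=
        if [ "$auth" = 1 ] && [ "$def" = 0 ]; then
            # The bus is locked down, so something in user space wrote 1 here.
            note=" explicitly-authorized"
        elif [ "$auth" = 0 ]; then
            note=" blocked"
        fi
        echo "$name bus_default=$def authorized=$auth$note"
    done
}
# Usage: usb_auth_audit            (reads the live sysfs tree)
```

On a locked-down machine, every line marked ``explicitly-authorized`` should correspond to a device the udev hook was meant to let through.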


Example system lockdown (lame)
------------------------------

Imagine you want to implement a lockdown so only devices of type XYZ
can be connected (for example, it is a kiosk machine with a visible
USB port)::

  boot up
  rc.local ->

   for host in /sys/bus/usb/devices/usb*
   do
      echo 0 > $host/authorized_default
   done

Hook up a script to udev, for new USB devices::

 if device_is_my_type $DEV
 then
   echo 1 > $device_path/authorized
 fi


Now, device_is_my_type() is where the juice for a lockdown is. Just
checking if the class, type and protocol match something is the worst
security verification you can make (or the best, for someone willing
to break it). If you need something secure, use crypto and Certificate
Authentication or stuff like that. Something simple for a storage key
could be::

 function device_is_my_type()
 {
   echo 1 > authorized		# temporarily authorize it
                                # FIXME: make sure none can mount it
   mount DEVICENODE /mntpoint
   # md5sum prints "<hash>  <file>", so the stored keysum must use that format
   sum=$(md5sum /mntpoint/.signature)
   umount /mntpoint		# unmount on both the match and mismatch paths
   if [ "$sum" = "$(cat /etc/lockdown/keysum)" ]
   then
        echo "We are good, connected"
        # Other stuff so others can use it
        return 0
   else
        echo 0 > authorized
        return 1
   fi
 }


Of course, this is lame; you'd want to do real certificate
verification with PKI, so you don't depend on a shared secret,
etc., but you get the idea. Anybody with access to a device gadget kit
can fake descriptors and device info. Don't trust that. You are
welcome.


Interface authorization
-----------------------

There is a similar approach to allow or deny specific USB interfaces.
This makes it possible to block only a subset of a USB device.

Authorize an interface::

	$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized

Deauthorize an interface::

	$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized

The default value for new interfaces
on a particular USB bus can be changed, too.

Allow interfaces by default::

	$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default

Deny interfaces by default::

	$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default

By default the interface_authorized_default bit is 1,
so all interfaces are authorized by default.

Note:
  If a deauthorized interface is authorized, driver probing must
  be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe

For drivers that need multiple interfaces, all needed interfaces should be
authorized first. After that the drivers should be probed.
This avoids side effects.
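
The two-pass order described above (authorize every needed interface, then probe) can be scripted as follows. This is an added example, not part of the kernel documentation: the function name ``usb_authorize_and_probe`` and its optional second argument are assumptions made here, and interface entries are assumed to be named ``DEVICE:CONFIG.INTERFACE`` (for example ``1-1:1.0``).

```shell
#!/bin/sh
# Added example: authorize all deauthorized interfaces of one device first,
# then trigger driver probing for each of them.
# usb_authorize_and_probe DEVICE [USB_BUS_DIR]
#   DEVICE       sysfs device name, e.g. 1-1
#   USB_BUS_DIR  defaults to /sys/bus/usb (argument is an assumption so the
#                function can be tried on a constructed directory tree)
usb_authorize_and_probe() {
    device=$1
    bus=${2:-/sys/bus/usb}
    changed=
    # Pass 1: flip every deauthorized interface to authorized. No driver is
    # probed yet, so a multi-interface driver never sees a partial set.
    for intf in "$bus/devices/$device":*; do
        [ -r "$intf/authorized" ] || continue
        [ "$(cat "$intf/authorized")" = 0 ] || continue   # already authorized
        echo 1 > "$intf/authorized" || return 1
        changed="$changed ${intf##*/}"
    done
    # Pass 2: probing is not automatic after authorization, so write each
    # newly authorized interface name to drivers_probe.
    for name in $changed; do
        echo "$name" > "$bus/drivers_probe" || return 1
    done
    # Report which interfaces were changed (empty if none were).
    echo "${changed# }"
}
# Usage (as root): usb_authorize_and_probe 1-1
```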