xref: /openbmc/linux/Documentation/usb/authorization.rst (revision 7a836736b6537b0e2633381d743d9c1559ce243c)
1==============================================================
2Authorizing (or not) your USB devices to connect to the system
3==============================================================
4
5Copyright (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
6
7This feature allows you to control if a USB device can be used (or
8not) in a system. This feature will allow you to implement a lock-down
9of USB devices, fully controlled by user space.
10
11As of now, when a USB device is connected it is configured and
12its interfaces are immediately made available to the users.  With this
13modification, only if root authorizes the device to be configured will
14then it be possible to use it.
15
16Usage
17=====
18
19Authorize a device to connect::
20
21	$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
22
23De-authorize a device::
24
25	$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
26
27Set new devices connected to hostX to be deauthorized by default (ie:
28lock down)::
29
30	$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
31
32Remove the lock down::
33
34	$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
35
36By default, all USB devices are authorized.  Writing "2" to the
37authorized_default attribute causes the kernel to authorize by default
38only devices connected to internal USB ports.
39
40
41Example system lockdown (lame)
42------------------------------
43
44Imagine you want to implement a lockdown so only devices of type XYZ
45can be connected (for example, it is a kiosk machine with a visible
46USB port)::
47
48  boot up
49  rc.local ->
50
51   for host in /sys/bus/usb/devices/usb*
52   do
53      echo 0 > $host/authorized_default
54   done
55
56Hookup an script to udev, for new USB devices::
57
58 if device_is_my_type $DEV
59 then
60   echo 1 > $device_path/authorized
61 done
62
63
64Now, device_is_my_type() is where the juice for a lockdown is. Just
65checking if the class, type and protocol match something is the worse
66security verification you can make (or the best, for someone willing
67to break it). If you need something secure, use crypto and Certificate
68Authentication or stuff like that. Something simple for an storage key
69could be::
70
71 function device_is_my_type()
72 {
73   echo 1 > authorized		# temporarily authorize it
74                                # FIXME: make sure none can mount it
75   mount DEVICENODE /mntpoint
76   sum=$(md5sum /mntpoint/.signature)
77   if [ $sum = $(cat /etc/lockdown/keysum) ]
78   then
79        echo "We are good, connected"
80        umount /mntpoint
81        # Other stuff so others can use it
82   else
83        echo 0 > authorized
84   fi
85 }
86
87
88Of course, this is lame, you'd want to do a real certificate
89verification stuff with PKI, so you don't depend on a shared secret,
90etc, but you get the idea. Anybody with access to a device gadget kit
91can fake descriptors and device info. Don't trust that. You are
92welcome.
93
94
95Interface authorization
96-----------------------
97
98There is a similar approach to allow or deny specific USB interfaces.
99That allows to block only a subset of an USB device.
100
101Authorize an interface::
102
103	$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
104
105Deauthorize an interface::
106
107	$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
108
109The default value for new interfaces
110on a particular USB bus can be changed, too.
111
112Allow interfaces per default::
113
114	$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
115
116Deny interfaces per default::
117
118	$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
119
120Per default the interface_authorized_default bit is 1.
121So all interfaces would authorized per default.
122
123Note:
124  If a deauthorized interface will be authorized so the driver probing must
125  be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
126
127For drivers that need multiple interfaces all needed interfaces should be
128authorized first. After that the drivers should be probed.
129This avoids side effects.
130