About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Documentation / usb / authorization.txt


Based on kernel version 4.16.1. Page generated on 2018-04-09 11:53 EST.

1	
2	Authorizing (or not) your USB devices to connect to the system
3	
4	(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
5	
6	This feature allows you to control if a USB device can be used (or
7	not) in a system. This feature will allow you to implement a lock-down
8	of USB devices, fully controlled by user space.
9	
10	As of now, when a USB device is connected it is configured and
11	its interfaces are immediately made available to the users.  With this
12	modification, only if root authorizes the device to be configured will
13	then it be possible to use it.
14	
15	Usage:
16	
17	Authorize a device to connect:
18	
19	$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
20	
21	Deauthorize a device:
22	
23	$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
24	
25	Set new devices connected to hostX to be deauthorized by default (ie:
26	lock down):
27	
28	$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
29	
30	Remove the lock down:
31	
32	$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
33	
34	By default, Wired USB devices are authorized by default to
35	connect. Wireless USB hosts deauthorize by default all new connected
36	devices (this is so because we need to do an authentication phase
37	before authorizing).
38	
39	
40	Example system lockdown (lame)
41	-----------------------
42	
43	Imagine you want to implement a lockdown so only devices of type XYZ
44	can be connected (for example, it is a kiosk machine with a visible
45	USB port):
46	
47	boot up
48	rc.local ->
49	
50	 for host in /sys/bus/usb/devices/usb*
51	 do
52	    echo 0 > $host/authorized_default
53	 done
54	
55	Hookup an script to udev, for new USB devices
56	
57	 if device_is_my_type $DEV
58	 then
59	   echo 1 > $device_path/authorized
60	 done
61	
62	
63	Now, device_is_my_type() is where the juice for a lockdown is. Just
64	checking if the class, type and protocol match something is the worse
65	security verification you can make (or the best, for someone willing
66	to break it). If you need something secure, use crypto and Certificate
67	Authentication or stuff like that. Something simple for an storage key
68	could be:
69	
70	function device_is_my_type()
71	{
72	   echo 1 > authorized		# temporarily authorize it
73	                                # FIXME: make sure none can mount it
74	   mount DEVICENODE /mntpoint
75	   sum=$(md5sum /mntpoint/.signature)
76	   if [ $sum = $(cat /etc/lockdown/keysum) ]
77	   then
78	        echo "We are good, connected"
79	        umount /mntpoint
80	        # Other stuff so others can use it
81	   else
82	        echo 0 > authorized
83	   fi
84	}
85	
86	
87	Of course, this is lame, you'd want to do a real certificate
88	verification stuff with PKI, so you don't depend on a shared secret,
89	etc, but you get the idea. Anybody with access to a device gadget kit
90	can fake descriptors and device info. Don't trust that. You are
91	welcome.
92	
93	
94	Interface authorization
95	-----------------------
96	There is a similar approach to allow or deny specific USB interfaces.
97	That allows to block only a subset of an USB device.
98	
99	Authorize an interface:
100	$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
101	
102	Deauthorize an interface:
103	$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
104	
105	The default value for new interfaces
106	on a particular USB bus can be changed, too.
107	
108	Allow interfaces per default:
109	$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
110	
111	Deny interfaces per default:
112	$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
113	
114	Per default the interface_authorized_default bit is 1.
115	So all interfaces would authorized per default.
116	
117	Note:
118	If a deauthorized interface will be authorized so the driver probing must
119	be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
120	
121	For drivers that need multiple interfaces all needed interfaces should be
122	authroized first. After that the drivers should be probed.
123	This avoids side effects.
Hide Line Numbers


About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog