2019-04-16 05:56:01 +03:00
==============================================================
2007-08-01 07:34:08 +04:00
Authorizing (or not) your USB devices to connect to the system
2019-04-16 05:56:01 +03:00
==============================================================
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
Copyright (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
2007-08-01 07:34:08 +04:00
This feature allows you to control if a USB device can be used (or
not) in a system. This feature will allow you to implement a lock-down
of USB devices, fully controlled by user space.
As of now, when a USB device is connected it is configured and
2008-07-26 06:45:33 +04:00
its interfaces are immediately made available to the users. With this
2007-08-01 07:34:08 +04:00
modification, only if root authorizes the device to be configured will
then it be possible to use it.
2019-04-16 05:56:01 +03:00
Usage
=====
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
Authorize a device to connect::
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
De-authorize a device::
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
2007-08-01 07:34:08 +04:00
Set new devices connected to hostX to be deauthorized by default (ie:
2019-04-16 05:56:01 +03:00
lock down)::
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
Remove the lock down::
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
2007-08-01 07:34:08 +04:00
By default, Wired USB devices are authorized by default to
connect. Wireless USB hosts deauthorize by default all new connected
devices (this is so because we need to do an authentication phase
2019-02-17 10:21:51 +03:00
before authorizing). Writing "2" to the authorized_default attribute
causes kernel to only authorize by default devices connected to internal
USB ports.
2007-08-01 07:34:08 +04:00
Example system lockdown (lame)
2019-04-16 05:56:01 +03:00
------------------------------
2007-08-01 07:34:08 +04:00
Imagine you want to implement a lockdown so only devices of type XYZ
can be connected (for example, it is a kiosk machine with a visible
2019-04-16 05:56:01 +03:00
USB port)::
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
boot up
rc.local ->
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
for host in /sys/bus/usb/devices/usb*
do
echo 0 > $host/authorized_default
done
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
Hookup an script to udev, for new USB devices::
2007-08-01 07:34:08 +04:00
if device_is_my_type $DEV
then
echo 1 > $device_path/authorized
done
Now, device_is_my_type() is where the juice for a lockdown is. Just
checking if the class, type and protocol match something is the worse
security verification you can make (or the best, for someone willing
to break it). If you need something secure, use crypto and Certificate
Authentication or stuff like that. Something simple for an storage key
2019-04-16 05:56:01 +03:00
could be::
2007-08-01 07:34:08 +04:00
2019-04-16 05:56:01 +03:00
function device_is_my_type()
{
2007-08-01 07:34:08 +04:00
echo 1 > authorized # temporarily authorize it
# FIXME: make sure none can mount it
mount DEVICENODE /mntpoint
sum=$(md5sum /mntpoint/.signature)
if [ $sum = $(cat /etc/lockdown/keysum) ]
then
echo "We are good, connected"
umount /mntpoint
# Other stuff so others can use it
else
echo 0 > authorized
fi
2019-04-16 05:56:01 +03:00
}
2007-08-01 07:34:08 +04:00
Of course, this is lame, you'd want to do a real certificate
verification stuff with PKI, so you don't depend on a shared secret,
etc, but you get the idea. Anybody with access to a device gadget kit
can fake descriptors and device info. Don't trust that. You are
welcome.
2015-08-25 22:10:10 +03:00
Interface authorization
-----------------------
2019-04-16 05:56:01 +03:00
2015-08-25 22:10:10 +03:00
There is a similar approach to allow or deny specific USB interfaces.
That allows to block only a subset of an USB device.
2019-04-16 05:56:01 +03:00
Authorize an interface::
2015-08-25 22:10:10 +03:00
2019-04-16 05:56:01 +03:00
$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
Deauthorize an interface::
$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
2015-08-25 22:10:10 +03:00
The default value for new interfaces
on a particular USB bus can be changed, too.
2019-04-16 05:56:01 +03:00
Allow interfaces per default::
$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
Deny interfaces per default::
2015-08-25 22:10:10 +03:00
2019-04-16 05:56:01 +03:00
$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
2015-08-25 22:10:10 +03:00
Per default the interface_authorized_default bit is 1.
So all interfaces would authorized per default.
Note:
2019-04-16 05:56:01 +03:00
If a deauthorized interface will be authorized so the driver probing must
be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
2015-08-25 22:10:10 +03:00
For drivers that need multiple interfaces all needed interfaces should be
2018-11-26 17:49:26 +03:00
authorized first. After that the drivers should be probed.
2015-08-25 22:10:10 +03:00
This avoids side effects.