Linux Audio

Check our new training course

Open Menu / Documentation / usb / authorization.txt
Loading...
v4.6
  1
  2Authorizing (or not) your USB devices to connect to the system
  3
  4(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
  5
  6This feature allows you to control if a USB device can be used (or
  7not) in a system. This feature will allow you to implement a lock-down
  8of USB devices, fully controlled by user space.
  9
 10As of now, when a USB device is connected it is configured and
 11its interfaces are immediately made available to the users.  With this
 12modification, only if root authorizes the device to be configured will
 13then it be possible to use it.
 14
 15Usage:
 16
 17Authorize a device to connect:
 18
 19$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
 20
 21Deauthorize a device:
 22
 23$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
 24
 25Set new devices connected to hostX to be deauthorized by default (ie:
 26lock down):
 27
 28$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
 29
 30Remove the lock down:
 31
 32$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
 33
 34By default, Wired USB devices are authorized by default to
 35connect. Wireless USB hosts deauthorize by default all new connected
 36devices (this is so because we need to do an authentication phase
 37before authorizing).
 38
 39
 40Example system lockdown (lame)
 41-----------------------
 42
 43Imagine you want to implement a lockdown so only devices of type XYZ
 44can be connected (for example, it is a kiosk machine with a visible
 45USB port):
 46
 47boot up
 48rc.local ->
 49
 50 for host in /sys/bus/usb/devices/usb*
 51 do
 52    echo 0 > $host/authorized_default
 53 done
 54
 55Hookup an script to udev, for new USB devices
 56
 57 if device_is_my_type $DEV
 58 then
 59   echo 1 > $device_path/authorized
 60 done
 61
 62
 63Now, device_is_my_type() is where the juice for a lockdown is. Just
 64checking if the class, type and protocol match something is the worse
 65security verification you can make (or the best, for someone willing
 66to break it). If you need something secure, use crypto and Certificate
 67Authentication or stuff like that. Something simple for an storage key
 68could be:
 69
 70function device_is_my_type()
 71{
 72   echo 1 > authorized		# temporarily authorize it
 73                                # FIXME: make sure none can mount it
 74   mount DEVICENODE /mntpoint
 75   sum=$(md5sum /mntpoint/.signature)
 76   if [ $sum = $(cat /etc/lockdown/keysum) ]
 77   then
 78        echo "We are good, connected"
 79        umount /mntpoint
 80        # Other stuff so others can use it
 81   else
 82        echo 0 > authorized
 83   fi
 84}
 85
 86
 87Of course, this is lame, you'd want to do a real certificate
 88verification stuff with PKI, so you don't depend on a shared secret,
 89etc, but you get the idea. Anybody with access to a device gadget kit
 90can fake descriptors and device info. Don't trust that. You are
 91welcome.
 92
 93
 94Interface authorization
 95-----------------------
 96There is a similar approach to allow or deny specific USB interfaces.
 97That allows to block only a subset of an USB device.
 98
 99Authorize an interface:
100$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
101
102Deauthorize an interface:
103$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
104
105The default value for new interfaces
106on a particular USB bus can be changed, too.
107
108Allow interfaces per default:
109$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
110
111Deny interfaces per default:
112$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
113
114Per default the interface_authorized_default bit is 1.
115So all interfaces would authorized per default.
116
117Note:
118If a deauthorized interface will be authorized so the driver probing must
119be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
120
121For drivers that need multiple interfaces all needed interfaces should be
122authroized first. After that the drivers should be probed.
123This avoids side effects.
v3.1
 1
 2Authorizing (or not) your USB devices to connect to the system
 3
 4(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
 5
 6This feature allows you to control if a USB device can be used (or
 7not) in a system. This feature will allow you to implement a lock-down
 8of USB devices, fully controlled by user space.
 9
10As of now, when a USB device is connected it is configured and
11its interfaces are immediately made available to the users.  With this
12modification, only if root authorizes the device to be configured will
13then it be possible to use it.
14
15Usage:
16
17Authorize a device to connect:
18
19$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
20
21Deauthorize a device:
22
23$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
24
25Set new devices connected to hostX to be deauthorized by default (ie:
26lock down):
27
28$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
29
30Remove the lock down:
31
32$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
33
34By default, Wired USB devices are authorized by default to
35connect. Wireless USB hosts deauthorize by default all new connected
36devices (this is so because we need to do an authentication phase
37before authorizing).
38
39
40Example system lockdown (lame)
41-----------------------
42
43Imagine you want to implement a lockdown so only devices of type XYZ
44can be connected (for example, it is a kiosk machine with a visible
45USB port):
46
47boot up
48rc.local ->
49
50 for host in /sys/bus/usb/devices/usb*
51 do
52    echo 0 > $host/authorized_default
53 done
54
55Hookup an script to udev, for new USB devices
56
57 if device_is_my_type $DEV
58 then
59   echo 1 > $device_path/authorized
60 done
61
62
63Now, device_is_my_type() is where the juice for a lockdown is. Just
64checking if the class, type and protocol match something is the worse
65security verification you can make (or the best, for someone willing
66to break it). If you need something secure, use crypto and Certificate
67Authentication or stuff like that. Something simple for an storage key
68could be:
69
70function device_is_my_type()
71{
72   echo 1 > authorized		# temporarily authorize it
73                                # FIXME: make sure none can mount it
74   mount DEVICENODE /mntpoint
75   sum=$(md5sum /mntpoint/.signature)
76   if [ $sum = $(cat /etc/lockdown/keysum) ]
77   then
78        echo "We are good, connected"
79        umount /mntpoint
80        # Other stuff so others can use it
81   else
82        echo 0 > authorized
83   fi
84}
85
86
87Of course, this is lame, you'd want to do a real certificate
88verification stuff with PKI, so you don't depend on a shared secret,
89etc, but you get the idea. Anybody with access to a device gadget kit
90can fake descriptors and device info. Don't trust that. You are
91welcome.
92