| |
| Authorizing (or not) your USB devices to connect to the system |
| |
| (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation |
| |
| This feature allows you to control if a USB device can be used (or |
| not) in a system. This feature will allow you to implement a lock-down |
| of USB devices, fully controlled by user space. |
| |
| As of now, when a USB device is connected it is configured and |
| its interfaces are immediately made available to the users. With this |
| modification, only if root authorizes the device to be configured will |
| then it be possible to use it. |
| |
| Usage: |
| |
| Authorize a device to connect: |
| |
| $ echo 1 > /sys/usb/devices/DEVICE/authorized |
| |
| Deauthorize a device: |
| |
| $ echo 0 > /sys/usb/devices/DEVICE/authorized |
| |
| Set new devices connected to hostX to be deauthorized by default (ie: |
| lock down): |
| |
| $ echo 0 > /sys/bus/devices/usbX/authorized_default |
| |
| Remove the lock down: |
| |
| $ echo 1 > /sys/bus/devices/usbX/authorized_default |
| |
| By default, Wired USB devices are authorized by default to |
| connect. Wireless USB hosts deauthorize by default all new connected |
| devices (this is so because we need to do an authentication phase |
| before authorizing). |
| |
| |
| Example system lockdown (lame) |
| ----------------------- |
| |
| Imagine you want to implement a lockdown so only devices of type XYZ |
| can be connected (for example, it is a kiosk machine with a visible |
| USB port): |
| |
| boot up |
| rc.local -> |
| |
| for host in /sys/bus/devices/usb* |
| do |
| echo 0 > $host/authorized_default |
| done |
| |
| Hookup an script to udev, for new USB devices |
| |
| if device_is_my_type $DEV |
| then |
| echo 1 > $device_path/authorized |
| done |
| |
| |
| Now, device_is_my_type() is where the juice for a lockdown is. Just |
| checking if the class, type and protocol match something is the worse |
| security verification you can make (or the best, for someone willing |
| to break it). If you need something secure, use crypto and Certificate |
| Authentication or stuff like that. Something simple for an storage key |
| could be: |
| |
| function device_is_my_type() |
| { |
| echo 1 > authorized # temporarily authorize it |
| # FIXME: make sure none can mount it |
| mount DEVICENODE /mntpoint |
| sum=$(md5sum /mntpoint/.signature) |
| if [ $sum = $(cat /etc/lockdown/keysum) ] |
| then |
| echo "We are good, connected" |
| umount /mntpoint |
| # Other stuff so others can use it |
| else |
| echo 0 > authorized |
| fi |
| } |
| |
| |
| Of course, this is lame, you'd want to do a real certificate |
| verification stuff with PKI, so you don't depend on a shared secret, |
| etc, but you get the idea. Anybody with access to a device gadget kit |
| can fake descriptors and device info. Don't trust that. You are |
| welcome. |
| |