Inaky Perez-Gonzalez | 732bb9e | 2007-07-31 20:34:08 -0700 | [diff] [blame] | 1 | |
| 2 | Authorizing (or not) your USB devices to connect to the system |
| 3 | |
| 4 | (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation |
| 5 | |
| 6 | This feature allows you to control if a USB device can be used (or |
| 7 | not) in a system. This feature will allow you to implement a lock-down |
| 8 | of USB devices, fully controlled by user space. |
| 9 | |
| 10 | As of now, when a USB device is connected it is configured and |
Matt LaPlante | d919588 | 2008-07-25 19:45:33 -0700 | [diff] [blame] | 11 | its interfaces are immediately made available to the users. With this |
Inaky Perez-Gonzalez | 732bb9e | 2007-07-31 20:34:08 -0700 | [diff] [blame] | 12 | modification, only if root authorizes the device to be configured will |
| 13 | then it be possible to use it. |
| 14 | |
| 15 | Usage: |
| 16 | |
| 17 | Authorize a device to connect: |
| 18 | |
Jean Delvare | a87371b | 2009-09-12 17:00:46 +0200 | [diff] [blame] | 19 | $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized |
Inaky Perez-Gonzalez | 732bb9e | 2007-07-31 20:34:08 -0700 | [diff] [blame] | 20 | |
| 21 | Deauthorize a device: |
| 22 | |
Jean Delvare | a87371b | 2009-09-12 17:00:46 +0200 | [diff] [blame] | 23 | $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized |
Inaky Perez-Gonzalez | 732bb9e | 2007-07-31 20:34:08 -0700 | [diff] [blame] | 24 | |
| 25 | Set new devices connected to hostX to be deauthorized by default (ie: |
| 26 | lock down): |
| 27 | |
Jean Delvare | a87371b | 2009-09-12 17:00:46 +0200 | [diff] [blame] | 28 | $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default |
Inaky Perez-Gonzalez | 732bb9e | 2007-07-31 20:34:08 -0700 | [diff] [blame] | 29 | |
| 30 | Remove the lock down: |
| 31 | |
Jean Delvare | a87371b | 2009-09-12 17:00:46 +0200 | [diff] [blame] | 32 | $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default |
Inaky Perez-Gonzalez | 732bb9e | 2007-07-31 20:34:08 -0700 | [diff] [blame] | 33 | |
| 34 | By default, Wired USB devices are authorized by default to |
| 35 | connect. Wireless USB hosts deauthorize by default all new connected |
| 36 | devices (this is so because we need to do an authentication phase |
| 37 | before authorizing). |
| 38 | |
| 39 | |
| 40 | Example system lockdown (lame) |
| 41 | ----------------------- |
| 42 | |
| 43 | Imagine you want to implement a lockdown so only devices of type XYZ |
| 44 | can be connected (for example, it is a kiosk machine with a visible |
| 45 | USB port): |
| 46 | |
| 47 | boot up |
| 48 | rc.local -> |
| 49 | |
Jean Delvare | a87371b | 2009-09-12 17:00:46 +0200 | [diff] [blame] | 50 | for host in /sys/bus/usb/devices/usb* |
Inaky Perez-Gonzalez | 732bb9e | 2007-07-31 20:34:08 -0700 | [diff] [blame] | 51 | do |
| 52 | echo 0 > $host/authorized_default |
| 53 | done |
| 54 | |
| 55 | Hookup an script to udev, for new USB devices |
| 56 | |
| 57 | if device_is_my_type $DEV |
| 58 | then |
| 59 | echo 1 > $device_path/authorized |
| 60 | done |
| 61 | |
| 62 | |
| 63 | Now, device_is_my_type() is where the juice for a lockdown is. Just |
| 64 | checking if the class, type and protocol match something is the worse |
| 65 | security verification you can make (or the best, for someone willing |
| 66 | to break it). If you need something secure, use crypto and Certificate |
| 67 | Authentication or stuff like that. Something simple for an storage key |
| 68 | could be: |
| 69 | |
| 70 | function device_is_my_type() |
| 71 | { |
| 72 | echo 1 > authorized # temporarily authorize it |
| 73 | # FIXME: make sure none can mount it |
| 74 | mount DEVICENODE /mntpoint |
| 75 | sum=$(md5sum /mntpoint/.signature) |
| 76 | if [ $sum = $(cat /etc/lockdown/keysum) ] |
| 77 | then |
| 78 | echo "We are good, connected" |
| 79 | umount /mntpoint |
| 80 | # Other stuff so others can use it |
| 81 | else |
| 82 | echo 0 > authorized |
| 83 | fi |
| 84 | } |
| 85 | |
| 86 | |
| 87 | Of course, this is lame, you'd want to do a real certificate |
| 88 | verification stuff with PKI, so you don't depend on a shared secret, |
| 89 | etc, but you get the idea. Anybody with access to a device gadget kit |
| 90 | can fake descriptors and device info. Don't trust that. You are |
| 91 | welcome. |
| 92 | |
Stefan Koch | 7f59c15 | 2015-08-25 21:10:10 +0200 | [diff] [blame] | 93 | |
| 94 | Interface authorization |
| 95 | ----------------------- |
| 96 | There is a similar approach to allow or deny specific USB interfaces. |
| 97 | That allows to block only a subset of an USB device. |
| 98 | |
| 99 | Authorize an interface: |
| 100 | $ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized |
| 101 | |
| 102 | Deauthorize an interface: |
| 103 | $ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized |
| 104 | |
| 105 | The default value for new interfaces |
| 106 | on a particular USB bus can be changed, too. |
| 107 | |
| 108 | Allow interfaces per default: |
| 109 | $ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default |
| 110 | |
| 111 | Deny interfaces per default: |
| 112 | $ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default |
| 113 | |
| 114 | Per default the interface_authorized_default bit is 1. |
| 115 | So all interfaces would authorized per default. |
| 116 | |
| 117 | Note: |
| 118 | If a deauthorized interface will be authorized so the driver probing must |
| 119 | be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe |
| 120 | |
| 121 | For drivers that need multiple interfaces all needed interfaces should be |
| 122 | authroized first. After that the drivers should be probed. |
| 123 | This avoids side effects. |