blob: c069b6884c779ffc855133f634cf6b640a81da00 [file] [log] [blame]
Inaky Perez-Gonzalez732bb9e2007-07-31 20:34:08 -07001
2Authorizing (or not) your USB devices to connect to the system
3
4(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
5
6This feature allows you to control if a USB device can be used (or
7not) in a system. This feature will allow you to implement a lock-down
8of USB devices, fully controlled by user space.
9
10As of now, when a USB device is connected it is configured and
Matt LaPlanted9195882008-07-25 19:45:33 -070011its interfaces are immediately made available to the users. With this
Inaky Perez-Gonzalez732bb9e2007-07-31 20:34:08 -070012modification, only if root authorizes the device to be configured will
13then it be possible to use it.
14
15Usage:
16
17Authorize a device to connect:
18
Jean Delvarea87371b2009-09-12 17:00:46 +020019$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
Inaky Perez-Gonzalez732bb9e2007-07-31 20:34:08 -070020
21Deauthorize a device:
22
Jean Delvarea87371b2009-09-12 17:00:46 +020023$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
Inaky Perez-Gonzalez732bb9e2007-07-31 20:34:08 -070024
25Set new devices connected to hostX to be deauthorized by default (ie:
26lock down):
27
Jean Delvarea87371b2009-09-12 17:00:46 +020028$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
Inaky Perez-Gonzalez732bb9e2007-07-31 20:34:08 -070029
30Remove the lock down:
31
Jean Delvarea87371b2009-09-12 17:00:46 +020032$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
Inaky Perez-Gonzalez732bb9e2007-07-31 20:34:08 -070033
34By default, Wired USB devices are authorized by default to
35connect. Wireless USB hosts deauthorize by default all new connected
36devices (this is so because we need to do an authentication phase
37before authorizing).
38
39
40Example system lockdown (lame)
41-----------------------
42
43Imagine you want to implement a lockdown so only devices of type XYZ
44can be connected (for example, it is a kiosk machine with a visible
45USB port):
46
47boot up
48rc.local ->
49
Jean Delvarea87371b2009-09-12 17:00:46 +020050 for host in /sys/bus/usb/devices/usb*
Inaky Perez-Gonzalez732bb9e2007-07-31 20:34:08 -070051 do
52 echo 0 > $host/authorized_default
53 done
54
55Hookup an script to udev, for new USB devices
56
57 if device_is_my_type $DEV
58 then
59 echo 1 > $device_path/authorized
60 done
61
62
63Now, device_is_my_type() is where the juice for a lockdown is. Just
64checking if the class, type and protocol match something is the worse
65security verification you can make (or the best, for someone willing
66to break it). If you need something secure, use crypto and Certificate
67Authentication or stuff like that. Something simple for an storage key
68could be:
69
70function device_is_my_type()
71{
72 echo 1 > authorized # temporarily authorize it
73 # FIXME: make sure none can mount it
74 mount DEVICENODE /mntpoint
75 sum=$(md5sum /mntpoint/.signature)
76 if [ $sum = $(cat /etc/lockdown/keysum) ]
77 then
78 echo "We are good, connected"
79 umount /mntpoint
80 # Other stuff so others can use it
81 else
82 echo 0 > authorized
83 fi
84}
85
86
87Of course, this is lame, you'd want to do a real certificate
88verification stuff with PKI, so you don't depend on a shared secret,
89etc, but you get the idea. Anybody with access to a device gadget kit
90can fake descriptors and device info. Don't trust that. You are
91welcome.
92