| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123 |
- Authorizing (or not) your USB devices to connect to the system
- (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
- This feature allows you to control if a USB device can be used (or
- not) in a system. This feature will allow you to implement a lock-down
- of USB devices, fully controlled by user space.
- As of now, when a USB device is connected it is configured and
- its interfaces are immediately made available to the users. With this
- modification, only if root authorizes the device to be configured will
- then it be possible to use it.
- Usage:
- Authorize a device to connect:
- $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
- Deauthorize a device:
- $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
- Set new devices connected to hostX to be deauthorized by default (ie:
- lock down):
- $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
- Remove the lock down:
- $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
- By default, Wired USB devices are authorized by default to
- connect. Wireless USB hosts deauthorize by default all new connected
- devices (this is so because we need to do an authentication phase
- before authorizing).
- Example system lockdown (lame)
- -----------------------
- Imagine you want to implement a lockdown so only devices of type XYZ
- can be connected (for example, it is a kiosk machine with a visible
- USB port):
- boot up
- rc.local ->
- for host in /sys/bus/usb/devices/usb*
- do
- echo 0 > $host/authorized_default
- done
- Hookup an script to udev, for new USB devices
- if device_is_my_type $DEV
- then
- echo 1 > $device_path/authorized
- done
- Now, device_is_my_type() is where the juice for a lockdown is. Just
- checking if the class, type and protocol match something is the worse
- security verification you can make (or the best, for someone willing
- to break it). If you need something secure, use crypto and Certificate
- Authentication or stuff like that. Something simple for an storage key
- could be:
- function device_is_my_type()
- {
- echo 1 > authorized # temporarily authorize it
- # FIXME: make sure none can mount it
- mount DEVICENODE /mntpoint
- sum=$(md5sum /mntpoint/.signature)
- if [ $sum = $(cat /etc/lockdown/keysum) ]
- then
- echo "We are good, connected"
- umount /mntpoint
- # Other stuff so others can use it
- else
- echo 0 > authorized
- fi
- }
- Of course, this is lame, you'd want to do a real certificate
- verification stuff with PKI, so you don't depend on a shared secret,
- etc, but you get the idea. Anybody with access to a device gadget kit
- can fake descriptors and device info. Don't trust that. You are
- welcome.
- Interface authorization
- -----------------------
- There is a similar approach to allow or deny specific USB interfaces.
- That allows to block only a subset of an USB device.
- Authorize an interface:
- $ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
- Deauthorize an interface:
- $ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
- The default value for new interfaces
- on a particular USB bus can be changed, too.
- Allow interfaces per default:
- $ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
- Deny interfaces per default:
- $ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
- Per default the interface_authorized_default bit is 1.
- So all interfaces would authorized per default.
- Note:
- If a deauthorized interface will be authorized so the driver probing must
- be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
- For drivers that need multiple interfaces all needed interfaces should be
- authroized first. After that the drivers should be probed.
- This avoids side effects.
|
