1 ==============================================================
2 Authorizing (or not) your USB devices to connect to the system
3 ==============================================================
5 Copyright (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
7 This feature allows you to control if a USB device can be used (or
8 not) in a system. This feature will allow you to implement a lock-down
9 of USB devices, fully controlled by user space.
11 As of now, when a USB device is connected it is configured and
12 its interfaces are immediately made available to the users. With this
13 modification, only if root authorizes the device to be configured will
14 then it be possible to use it.
19 Authorize a device to connect::
21 $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
23 De-authorize a device::
25 $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
27 Set new devices connected to hostX to be deauthorized by default (ie:
30 $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
32 Remove the lock down::
34 $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
36 By default, Wired USB devices are authorized by default to
37 connect. Wireless USB hosts deauthorize by default all new connected
38 devices (this is so because we need to do an authentication phase
39 before authorizing). Writing "2" to the authorized_default attribute
40 causes kernel to only authorize by default devices connected to internal
44 Example system lockdown (lame)
45 ------------------------------
47 Imagine you want to implement a lockdown so only devices of type XYZ
48 can be connected (for example, it is a kiosk machine with a visible
54 for host in /sys/bus/usb/devices/usb*
56 echo 0 > $host/authorized_default
59 Hookup an script to udev, for new USB devices::
61 if device_is_my_type $DEV
63 echo 1 > $device_path/authorized
67 Now, device_is_my_type() is where the juice for a lockdown is. Just
68 checking if the class, type and protocol match something is the worse
69 security verification you can make (or the best, for someone willing
70 to break it). If you need something secure, use crypto and Certificate
71 Authentication or stuff like that. Something simple for an storage key
74 function device_is_my_type()
76 echo 1 > authorized # temporarily authorize it
77 # FIXME: make sure none can mount it
78 mount DEVICENODE /mntpoint
79 sum=$(md5sum /mntpoint/.signature)
80 if [ $sum = $(cat /etc/lockdown/keysum) ]
82 echo "We are good, connected"
84 # Other stuff so others can use it
91 Of course, this is lame, you'd want to do a real certificate
92 verification stuff with PKI, so you don't depend on a shared secret,
93 etc, but you get the idea. Anybody with access to a device gadget kit
94 can fake descriptors and device info. Don't trust that. You are
98 Interface authorization
99 -----------------------
101 There is a similar approach to allow or deny specific USB interfaces.
102 That allows to block only a subset of an USB device.
104 Authorize an interface::
106 $ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
108 Deauthorize an interface::
110 $ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
112 The default value for new interfaces
113 on a particular USB bus can be changed, too.
115 Allow interfaces per default::
117 $ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
119 Deny interfaces per default::
121 $ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
123 Per default the interface_authorized_default bit is 1.
124 So all interfaces would authorized per default.
127 If a deauthorized interface will be authorized so the driver probing must
128 be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
130 For drivers that need multiple interfaces all needed interfaces should be
131 authorized first. After that the drivers should be probed.
132 This avoids side effects.
git.samba.org / sfrench / cifs-2.6.git / blob