Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

==============================================================
Authorizing (or not) your USB devices to connect to the system
==============================================================

Copyright (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

This feature allows you to control whether a USB device can be used (or
not) in a system. It lets you implement a lock-down of USB devices,
fully controlled by user space.

As of now, when a USB device is connected it is configured and
its interfaces are immediately made available to the users.  With this
modification, the device can only be used once root has authorized it
to be configured.

Usage
=====

Authorize a device to connect::

	$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

De-authorize a device::

	$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

Set new devices connected to hostX to be deauthorized by default (i.e.
lock down)::

	$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

Remove the lock down::

	$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

Wired USB devices are authorized by default to connect. Wireless USB
hosts deauthorize by default all newly connected devices (this is so
because an authentication phase has to happen before authorizing).
Writing "2" to the authorized_default attribute causes the kernel to
authorize by default only devices connected to internal USB ports.


Example system lockdown (lame)
------------------------------

Imagine you want to implement a lockdown so only devices of type XYZ
can be connected (for example, it is a kiosk machine with a visible
USB port)::

  boot up
  rc.local ->

   for host in /sys/bus/usb/devices/usb*
   do
      echo 0 > $host/authorized_default
   done

Hook up a script to udev, for new USB devices::

 if device_is_my_type $DEV
 then
   echo 1 > $device_path/authorized
 fi


Now, device_is_my_type() is where the juice for a lockdown is. Just
checking if the class, type and protocol match something is the worst
security verification you can make (or the best, for someone willing
to break it). If you need something secure, use crypto and Certificate
Authentication or stuff like that. Something simple for a storage key
could be::

 # Run from the device's sysfs directory, so "authorized" is relative.
 function device_is_my_type()
 {
   echo 1 > authorized		# temporarily authorize it
                                # FIXME: make sure none can mount it
   mount DEVICENODE /mntpoint
   # keep only the hash field of the md5sum output
   sum=$(md5sum /mntpoint/.signature | cut -d' ' -f1)
   if [ "$sum" = "$(cat /etc/lockdown/keysum)" ]
   then
        echo "We are good, connected"
        umount /mntpoint
        # Other stuff so others can use it
   else
        umount /mntpoint
        echo 0 > authorized
   fi
 }


Of course, this is lame; you'd want to do real certificate
verification with PKI, so you don't depend on a shared secret,
etc., but you get the idea. Anybody with access to a device gadget kit
can fake descriptors and device info. Don't trust that. You are
welcome.
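The lockdown above, assembled into a runnable shell form as an added example (not part of the original document): every host is locked down through ``authorized_default`` (0, or 2 for internal ports only), and a udev-called function authorizes a device only if its ``idVendor:idProduct:serial`` triple is an exact line in an allowlist file. ``SYSFS_USB``, ``ALLOWLIST`` and the allowlist path are assumptions; as the text warns, descriptors can be forged by a gadget, so this check is only a first gate, not the cryptographic verification it recommends.

```shell
#!/bin/sh
# Added example, not from the kernel documentation. SYSFS_USB is normally
# /sys/bus/usb/devices; it is a variable so the functions can be exercised
# against a constructed fake tree. ALLOWLIST is a hypothetical path.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"
ALLOWLIST="${ALLOWLIST:-/etc/usb-lockdown/allowlist}"

# Lock down every host controller so new devices start deauthorized.
# With "internal" as argument, write 2: authorize only internal ports.
usb_lockdown_hosts() {
    mode=0
    if [ "$1" = "internal" ]; then mode=2; fi
    for host in "$SYSFS_USB"/usb*; do
        [ -e "$host/authorized_default" ] || continue
        echo "$mode" > "$host/authorized_default"
    done
}

# Read one sysfs attribute of a device; empty string if it is missing.
usb_attr() { cat "$SYSFS_USB/$1/$2" 2>/dev/null || true; }

# Called from a udev rule for a new device (e.g. DEV=1-1). Authorize it only
# if "idVendor:idProduct:serial" is an exact line in the allowlist, otherwise
# leave it deauthorized. These values are reported by the device itself and
# can be forged, so treat this as a first gate, not as proof of identity.
usb_authorize_if_allowed() {
    dev="$1"
    key="$(usb_attr "$dev" idVendor):$(usb_attr "$dev" idProduct):$(usb_attr "$dev" serial)"
    if grep -qxF "$key" "$ALLOWLIST" 2>/dev/null; then
        echo 1 > "$SYSFS_USB/$dev/authorized"
        return 0
    fi
    echo 0 > "$SYSFS_USB/$dev/authorized"
    return 1
}
```

A udev rule such as ``ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/usb-lockdown.sh %k"`` (script path assumed) would hand the kernel device name, e.g. ``1-1``, to ``usb_authorize_if_allowed``.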


Interface authorization
-----------------------

There is a similar approach to allow or deny specific USB interfaces.
That allows blocking only a subset of a USB device.

Authorize an interface::

	$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized

Deauthorize an interface::

	$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized

The default value for new interfaces
on a particular USB bus can be changed, too.

Allow interfaces by default::

	$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default

Deny interfaces by default::

	$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default

By default the interface_authorized_default bit is 1,
so all interfaces are authorized by default.

Note:
  If a deauthorized interface is later authorized, driver probing must
  be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe

For drivers that need multiple interfaces, all needed interfaces should be
authorized first. After that the drivers should be probed.
This avoids side effects.
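An added example (not from the kernel documentation) of the interface-level controls above applied to a composite device: deny interfaces by default on every host, then authorize only the wanted interfaces of one device, deauthorize its other interfaces, and write the authorized ones to ``drivers_probe`` only after all of them are authorized, as the multi-interface note requires. ``USB_BUS`` is an assumed variable standing in for ``/sys/bus/usb`` so the functions can run against a constructed fake tree.

```shell
#!/bin/sh
# Added example, not from the kernel documentation. USB_BUS is normally
# /sys/bus/usb; it is a variable so the functions can be tested offline.
USB_BUS="${USB_BUS:-/sys/bus/usb}"

# Deny new interfaces by default on every host controller.
usb_deny_interfaces_by_default() {
    for host in "$USB_BUS"/devices/usb*; do
        [ -e "$host/interface_authorized_default" ] || continue
        echo 0 > "$host/interface_authorized_default"
    done
}

# Authorize only the listed interfaces of device DEV (e.g. "1-1" "1-1:1.0"),
# deauthorize every other interface of that device, and only afterwards
# trigger probing of the authorized ones. Probing is done last so a driver
# that needs several interfaces sees all of them authorized at once.
usb_restrict_device_interfaces() {
    dev="$1"; shift
    wanted=" $* "
    probe_list=""
    for path in "$USB_BUS"/devices/"$dev":*; do
        [ -e "$path/authorized" ] || continue
        iface="${path##*/}"
        case "$wanted" in
            *" $iface "*)
                echo 1 > "$path/authorized"
                probe_list="$probe_list $iface" ;;
            *)
                echo 0 > "$path/authorized" ;;
        esac
    done
    # A previously deauthorized interface is not probed automatically.
    for iface in $probe_list; do
        echo "$iface" > "$USB_BUS/drivers_probe"
    done
}
```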