Authorizing (or not) your USB devices to connect to the system

(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

This feature allows you to control whether a USB device can be used (or
not) in a system. It lets you implement a lock-down of USB devices,
fully controlled from user space.

Without it, when a USB device is connected it is configured and its
interfaces are immediately made available to users. With this feature,
the device can only be used once root has authorized it to be
configured.

Usage:

Authorize a device to connect:

 $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

Deauthorize a device:

 $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

Set new devices connected to host usbX to be deauthorized by default
(ie: lock down):

 $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

Remove the lock down:

 $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

By default, wired USB devices are authorized to connect. Wireless USB
hosts deauthorize all newly connected devices by default (this is so
because an authentication phase has to be completed before authorizing).


Example system lockdown (lame)
------------------------------

Imagine you want to implement a lockdown so that only devices of type
XYZ can be connected (for example, on a kiosk machine with an exposed
USB port):

boot up
rc.local ->

 for host in /sys/bus/usb/devices/usb*
 do
    echo 0 > "$host/authorized_default"
 done

Hook up a script to udev for new USB devices:

 if device_is_my_type "$DEV"
 then
    echo 1 > "$device_path/authorized"
 fi

Now, device_is_my_type() is where the juice for a lockdown is. Just
checking whether the class, type and protocol match something is the
worst security verification you can make (or the best, for someone
willing to break it). If you need something secure, use crypto and
certificate authentication or similar. Something simple for a storage
key could be:

 device_is_my_type()
 {
    dev="$1"                        # sysfs path of the device, e.g. /sys/bus/usb/devices/1-2
    node="${DEVICENODE:?block device node of the key, e.g. /dev/sdb1}"
    echo 1 > "$dev/authorized"      # temporarily authorize it
                                    # FIXME: make sure none can mount it
    if ! mount -o ro,nosuid,nodev,noexec "$node" /mntpoint
    then
       echo 0 > "$dev/authorized"
       return 1
    fi
    # /etc/lockdown/keysum holds the bare md5 hex digest of .signature
    sum=$(md5sum < /mntpoint/.signature | cut -d' ' -f1)
    umount /mntpoint                # unmount in both branches, not only on success
    if [ "$sum" = "$(cat /etc/lockdown/keysum)" ]
    then
       echo "We are good, connected"
       # Other stuff so others can use it
       return 0
    else
       echo 0 > "$dev/authorized"
       return 1
    fi
 }


Of course, this is lame; you'd want to do real certificate verification
with PKI so you don't depend on a shared secret, etc., but you get the
idea. The .signature check above is exactly such a shared secret: anyone
who can read a legitimate key can copy the file onto another device.
Anybody with access to a device gadget kit can fake descriptors and
device info. Don't trust that. You are welcome.
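The commands from the Usage section and the rc.local loop above, put together as one script the way a udev RUN hook or rc.local would use them. This is an added example, not code from the kernel documentation; SYSFS_ROOT is an assumption so it can be exercised against a constructed directory tree (on a real system it is /sys/bus/usb/devices and writing there needs root). Beyond the text, it verifies each write by reading the attribute back and validates device names before they are used to build a path, which matters when the name comes from an outside caller.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation: a small toolkit around
# the authorized / authorized_default attributes from the Usage section, in the
# shape a udev RUN hook or rc.local would use. SYSFS_ROOT is an assumption so it
# can be exercised against a constructed directory tree; on a real system it
# is /sys/bus/usb/devices (and you need root to write there).
SYSFS_ROOT="${SYSFS_ROOT:-/sys/bus/usb/devices}"

# Write 0 or 1 to a sysfs attribute and read it back. The kernel can refuse
# the write (EPERM, ENOENT, a host without the attribute), so the caller gets
# a status instead of a silent no-op.
usb_set_attr() {            # usb_set_attr <attr-path> <0|1>
    [ "$2" = 0 ] || [ "$2" = 1 ] || return 2
    [ -w "$1" ] || return 1
    printf '%s\n' "$2" > "$1" || return 1
    [ "$(cat "$1")" = "$2" ]
}

# Device names under /sys/bus/usb/devices look like 1-2 or 3-1.4 (bus-port
# chains). Interfaces (1-2:1.0) and root hubs (usb1) are not device names, and
# nothing with a slash or ".." may reach a path we write to.
usb_device_name_ok() {      # usb_device_name_ok <name>
    case "$1" in
        "" | *[!0-9.-]* | *..* | .* | -*) return 1 ;;
    esac
    return 0
}

# Lock down every host controller: new devices start deauthorized.
usb_lockdown_hosts() {      # returns 0 only if every host took the setting
    rc=0
    for host in "$SYSFS_ROOT"/usb[0-9]*; do
        [ -d "$host" ] || continue
        usb_set_attr "$host/authorized_default" 0 || rc=1
    done
    return "$rc"
}

usb_authorize_device() {    # usb_authorize_device <name>
    usb_device_name_ok "$1" || return 2
    [ -d "$SYSFS_ROOT/$1" ] || return 1
    usb_set_attr "$SYSFS_ROOT/$1/authorized" 1
}

usb_deauthorize_device() {  # usb_deauthorize_device <name>
    usb_device_name_ok "$1" || return 2
    [ -d "$SYSFS_ROOT/$1" ] || return 1
    usb_set_attr "$SYSFS_ROOT/$1/authorized" 0
}

# Constructed stand-in for sysfs (two hosts, two attached devices), used only
# so the functions can be demonstrated without a real USB bus.
usb_make_fake_tree() {      # usb_make_fake_tree <dir>
    for d in usb1 usb2 1-2 2-1.3; do mkdir -p "$1/$d"; done
    printf '1\n' > "$1/usb1/authorized_default"
    printf '1\n' > "$1/usb2/authorized_default"
    printf '1\n' > "$1/1-2/authorized"
    printf '1\n' > "$1/2-1.3/authorized"
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    usb_make_fake_tree "$tmp"
    SYSFS_ROOT="$tmp"
    usb_lockdown_hosts           && echo "hosts locked down"
    usb_deauthorize_device 2-1.3 && echo "2-1.3 deauthorized"
    usb_authorize_device 1-2     && echo "1-2 authorized"
    usb_authorize_device ../etc  || echo "refused bad device name"
    rm -rf "$tmp"
fi
```

Run it as `sh script.sh demo` to see it act on the constructed tree; with SYSFS_ROOT left at its default and root privileges, the same functions operate on the real bus.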


Interface authorization
-----------------------
There is a similar approach to allow or deny specific USB interfaces.
This allows blocking only a subset of a USB device.

Authorize an interface:
 $ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized

Deauthorize an interface:
 $ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized

The default value for new interfaces on a particular USB bus can be
changed, too.

Allow interfaces by default:
 $ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default

Deny interfaces by default:
 $ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default

By default the interface_authorized_default bit is 1, so all interfaces
are authorized by default.

Note:
If a deauthorized interface is later authorized, driver probing must be
triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe.

For drivers that need multiple interfaces, all needed interfaces should
be authorized first. Only after that should the drivers be probed.
This avoids side effects.
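The ordering the Note above asks for, as an added example that is not part of the kernel documentation: authorize every interface a driver needs, verify each write, and only then write each interface name to drivers_probe. SYSFS_ROOT and DRIVERS_PROBE are assumptions so the script can run against a constructed tree; on a real system they are /sys/bus/usb/devices and /sys/bus/usb/drivers_probe and writing to them needs root. Going beyond the text, a failure part-way through restores the interfaces already changed and probes nothing, so the driver never sees a half-authorized set.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation: authorize the set of
# interfaces a driver needs and only then trigger probing, in the order the
# Note above requires. SYSFS_ROOT and DRIVERS_PROBE are assumptions so the
# script can run against a constructed tree; on a real system they are
# /sys/bus/usb/devices and /sys/bus/usb/drivers_probe (root required).
SYSFS_ROOT="${SYSFS_ROOT:-/sys/bus/usb/devices}"
DRIVERS_PROBE="${DRIVERS_PROBE:-/sys/bus/usb/drivers_probe}"

# Interface names look like 1-2:1.0 (device 1-2, configuration 1, interface
# 0). Reject anything else before it is used to build a sysfs path.
usb_iface_name_ok() {       # usb_iface_name_ok <name>
    case "$1" in
        *[!0-9.:-]* | *..* | *:*:*) return 1 ;;
        [0-9]*-[0-9]*:[0-9]*.[0-9]*) return 0 ;;
    esac
    return 1
}

# Undo the writes made so far in usb_authorize_interfaces: each entry in
# $changed is <iface>=<previous value>.
usb_iface_rollback() {
    for entry in $changed; do
        printf '%s\n' "${entry#*=}" > "$SYSFS_ROOT/${entry%%=*}/authorized"
    done
    changed=""
}

# usb_authorize_interfaces <iface> [<iface>...]
# Authorizes every listed interface (verifying each write), and only when all
# of them succeeded writes each name to drivers_probe so the driver sees its
# complete set of interfaces. On any failure nothing is probed and the
# interfaces already touched are restored. Prints each probed name.
usb_authorize_interfaces() {
    [ $# -gt 0 ] || return 2
    changed=""
    for iface in "$@"; do
        usb_iface_name_ok "$iface" || { usb_iface_rollback; return 2; }
        attr="$SYSFS_ROOT/$iface/authorized"
        [ -w "$attr" ] || { usb_iface_rollback; return 1; }
        prev=$(cat "$attr")
        printf '1\n' > "$attr" || { usb_iface_rollback; return 1; }
        [ "$(cat "$attr")" = 1 ] || { usb_iface_rollback; return 1; }
        changed="$changed $iface=$prev"
    done
    for iface in "$@"; do
        printf '%s\n' "$iface" > "$DRIVERS_PROBE" || return 1
        echo "$iface"
    done
    changed=""
}

# Constructed stand-in for sysfs: one device whose two interfaces were left
# deauthorized (as with interface_authorized_default=0), plus a drivers_probe
# file that simply records the last name written to it.
usb_make_fake_iface_tree() {   # usb_make_fake_iface_tree <dir>
    for d in 1-2 1-2:1.0 1-2:1.1; do mkdir -p "$1/devices/$d"; done
    printf '1\n' > "$1/devices/1-2/authorized"
    printf '0\n' > "$1/devices/1-2:1.0/authorized"
    printf '0\n' > "$1/devices/1-2:1.1/authorized"
    : > "$1/drivers_probe"
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    usb_make_fake_iface_tree "$tmp"
    SYSFS_ROOT="$tmp/devices"; DRIVERS_PROBE="$tmp/drivers_probe"
    usb_authorize_interfaces 1-2:1.0 1-2:1.1 && echo "probed both interfaces"
    usb_authorize_interfaces 1-2:1.0 1-2:9.9 || echo "refused: 1-2:9.9 missing, nothing probed"
    rm -rf "$tmp"
fi
```

The two loops are deliberately separate: the first only flips authorized bits, the second only probes, so a driver that binds to several interfaces is never probed while some of them are still deauthorized.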