Authorizing (or not) your USB devices to connect to the system

Copyright (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

This feature allows you to control if a USB device can be used (ornot) in a system. This feature will allow you to implement a lock-downof USB devices, fully controlled by user space.

As of now, when a USB device is connected it is configured andits interfaces are immediately made available to the users. With thismodification, only if root authorizes the device to be configured willthen it be possible to use it.

Usage

Authorize a device to connect:

$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

De-authorize a device:

$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

Set new devices connected to hostX to be deauthorized by default (ie:lock down):

$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

Remove the lock down:

$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

By default, Wired USB devices are authorized by default toconnect. Wireless USB hosts deauthorize by default all new connecteddevices (this is so because we need to do an authentication phasebefore authorizing). Writing “2” to the authorized_default attributecauses kernel to only authorize by default devices connected to internalUSB ports.

Example system lockdown (lame)

Imagine you want to implement a lockdown so only devices of type XYZcan be connected (for example, it is a kiosk machine with a visibleUSB port):

boot uprc.local -> for host in /sys/bus/usb/devices/usb* do    echo 0 > $host/authorized_default done

Hookup an script to udev, for new USB devices:

if device_is_my_type $DEVthen  echo 1 > $device_path/authorizeddone

Now, device_is_my_type() is where the juice for a lockdown is. Justchecking if the class, type and protocol match something is the worsesecurity verification you can make (or the best, for someone willingto break it). If you need something secure, use crypto and CertificateAuthentication or stuff like that. Something simple for an storage keycould be:

function device_is_my_type(){  echo 1 > authorized          # temporarily authorize it                               # FIXME: make sure none can mount it  mount DEVICENODE /mntpoint  sum=$(md5sum /mntpoint/.signature)  if [ $sum = $(cat /etc/lockdown/keysum) ]  then       echo "We are good, connected"       umount /mntpoint       # Other stuff so others can use it  else       echo 0 > authorized  fi}

Of course, this is lame, you’d want to do a real certificateverification stuff with PKI, so you don’t depend on a shared secret,etc, but you get the idea. Anybody with access to a device gadget kitcan fake descriptors and device info. Don’t trust that. You arewelcome.

Interface authorization

There is a similar approach to allow or deny specific USB interfaces.That allows to block only a subset of an USB device.

Authorize an interface:

$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized

Deauthorize an interface:

$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized

The default value for new interfaceson a particular USB bus can be changed, too.

Allow interfaces per default:

$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default

Deny interfaces per default:

$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default

Per default the interface_authorized_default bit is 1.So all interfaces would authorized per default.

Note:
If a deauthorized interface will be authorized so the driver probing mustbe triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe

For drivers that need multiple interfaces all needed interfaces should beauthorized first. After that the drivers should be probed.This avoids side effects.