Authorizing (or not) your USB devices to connect to the system

(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

This feature allows you to control whether a USB device can be used
(or not) in a system. It lets you implement a lock-down of USB
devices that is fully controlled by user space.

As of now, when a USB device is connected it is configured and its
interfaces are immediately made available to the users. With this
modification, a device can only be configured, and therefore used,
after root has authorized it.

Usage (writes to these sysfs attributes require root):

Authorize a device to connect:

$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

Deauthorize a device:

$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

Set new devices connected to host X (usbX) to be deauthorized by
default (i.e. lock down):

$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

Remove the lock down:

$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

Wired USB devices are authorized to connect by default. Wireless USB
hosts deauthorize all newly connected devices by default, because an
authentication phase has to be completed before a device can be
authorized.


Example system lockdown (lame)
------------------------------

Imagine you want to implement a lockdown so only devices of type XYZ
can be connected (for example, it is a kiosk machine with a visible
USB port):

boot up
rc.local ->

 for host in /sys/bus/usb/devices/usb*
 do
    echo 0 > "$host/authorized_default"
 done

Hook up a script to udev for new USB devices ($DEV being the device's
sysfs directory):

 if device_is_my_type "$DEV"
 then
   echo 1 > "$DEV/authorized"
 fi


Now, device_is_my_type() is where the juice for a lockdown is. Just
checking whether the class, type and protocol match something is the
worst security verification you can make (or the best, for someone
willing to break it), since those values come straight from the
device's own descriptors. If you need something secure, use crypto
and certificate authentication or something similar. Something simple
for a storage key could be:

# Run with the device's sysfs directory as the working directory.
# Returns 0 if the key is accepted (and left authorized), 1 otherwise.
function device_is_my_type()
{
   echo 1 > authorized		# temporarily authorize it
                                # FIXME: make sure none can mount it
   mount DEVICENODE /mntpoint || { echo 0 > authorized; return 1; }
   # md5sum prints "<hash>  <file>"; keep only the hash
   sum=$(md5sum /mntpoint/.signature | cut -d' ' -f1)
   if [ "$sum" = "$(cat /etc/lockdown/keysum)" ]
   then
        echo "We are good, connected"
        umount /mntpoint
        # Other stuff so others can use it
        return 0
   else
        umount /mntpoint
        echo 0 > authorized
        return 1
   fi
}


Of course, this is lame; you'd want to do real certificate
verification with PKI, so you don't depend on a shared secret, etc.,
but you get the idea. Anybody with access to a device gadget kit can
fake descriptors and device info. Don't trust them. You are welcome.

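The script below is an added example, not part of the original document
and not the kernel's own code. It puts the pieces of the lockdown above
together (all hosts deauthorized at boot, a per-device gate run from
udev) and swaps the md5sum shared-secret comparison for the PKI-style
check the text recommends. Everything about its layout is an assumption,
not something the page specifies: the host keeps only a public key at
/etc/lockdown/usb-pub.pem; an approved storage key carries a one-line
manifest /.manifest of the form idVendor:idProduct:serial plus
/.manifest.sig, an RSA-SHA256 signature over it made offline with openssl
and the matching private key; the udev rule, the script path and the
/mnt/usb-gate mountpoint are likewise illustrative. SYSFS_USB and PUBKEY
are overridable so the two check functions can be exercised against a
constructed fake sysfs tree without hardware or root.

```shell
#!/bin/sh
# usb-gate: lock down all USB hosts and authorize only storage keys carrying a
# manifest signed by an offline key.  Added example; not the kernel's own code.
# Assumed layout (not from the original document):
#   host:   $PUBKEY               public key only; the private half stays offline
#   device: <mount>/.manifest     one line "<idVendor>:<idProduct>:<serial>"
#           <mount>/.manifest.sig RSA-SHA256 signature over .manifest (openssl)
set -u

SYSFS_USB=${SYSFS_USB:-/sys/bus/usb/devices}   # overridable: lets the checks run on a fake tree
PUBKEY=${PUBKEY:-/etc/lockdown/usb-pub.pem}    # assumed location

# rc.local step: every host controller deauthorizes newly connected devices.
lockdown_all_hosts() {
    for host in "$SYSFS_USB"/usb*; do
        [ -e "$host/authorized_default" ] || continue
        echo 0 > "$host/authorized_default"
    done
}

# Success only if the manifest under mountpoint $2 verifies under $PUBKEY and
# names the device whose sysfs directory is $1 (e.g. /sys/bus/usb/devices/1-2).
device_is_my_type() {
    dev=$1; mnt=$2
    [ -f "$mnt/.manifest" ] && [ -f "$mnt/.manifest.sig" ] || return 1
    # Require a serial number: without one, every stick of the same model
    # would present identical idVendor/idProduct and all match at once.
    [ -s "$dev/serial" ] || return 1

    # 1. Signature check: the manifest must have been issued by the holder of
    #    the private key.  An edited or home-made manifest fails here.
    openssl dgst -sha256 -verify "$PUBKEY" -signature "$mnt/.manifest.sig" \
        "$mnt/.manifest" >/dev/null 2>&1 || return 1

    # 2. Binding check: the signed manifest must name the device actually on
    #    the bus, as enumerated by the kernel, so a valid manifest copied onto
    #    a different stick does not pass.
    want="$(cat "$dev/idVendor"):$(cat "$dev/idProduct"):$(cat "$dev/serial")"
    have=$(head -n 1 "$mnt/.manifest")
    [ "$want" = "$have" ]
}

# udev step for a new usb_device.  $1 = sysfs device dir, $2 = its block node
# (the page's DEVICENODE; it only exists once the device is authorized, so the
# caller resolves it), $3 = scratch mountpoint.  Needs root.
gate_device() {
    dev=$1; node=$2; mnt=${3:-/mnt/usb-gate}
    echo 1 > "$dev/authorized"          # temporary authorization: drivers bind now
    mkdir -p "$mnt"
    # ro plus nodev/nosuid/noexec: we only read the manifest, and nothing on the
    # stick may become a device node or a runnable binary on the host meanwhile.
    if mount -o ro,nodev,nosuid,noexec "$node" "$mnt" 2>/dev/null; then
        if device_is_my_type "$dev" "$mnt"; then
            umount "$mnt"
            return 0                    # leave authorized=1
        fi
        umount "$mnt"
    fi
    echo 0 > "$dev/authorized"          # anything else goes back to deauthorized
    return 1
}

# Assumed udev hook (rule text and script path are not from the page):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
#     RUN+="/usr/local/sbin/usb-gate /sys$devpath"
```

Two caveats remain. The signed manifest is still just a file: it proves
who issued it and which device it names, but a stick whose firmware has
been reflashed to report the same idVendor/idProduct/serial and which
carries a copy of the manifest passes too, which is the gadget-kit
warning above in full; binding to something an attacker cannot copy
needs a challenge-response against a secret held inside the device,
and plain mass storage has none. And the temporary
`echo 1 > authorized` is a real window: for its duration the kernel
configures the device and binds whatever drivers its interfaces ask
for, so a device that also claims a keyboard interface is live while
its storage is being inspected. That is tolerable for a kiosk that
only ever expects storage keys, and it is why the window is kept short
and the mount is read-only with nodev,nosuid,noexec.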