linux/Documentation/usb/authorization.txt
<<
>>
Prefs
   1
   2Authorizing (or not) your USB devices to connect to the system
   3
   4(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
   5
   6This feature allows you to control if a USB device can be used (or
   7not) in a system. This feature will allow you to implement a lock-down
   8of USB devices, fully controlled by user space.
   9
  10As of now, when a USB device is connected it is configured and
  11its interfaces are immediately made available to the users.  With this
  12modification, only if root authorizes the device to be configured will
  13then it be possible to use it.
  14
  15Usage:
  16
  17Authorize a device to connect:
  18
  19$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
  20
  21Deauthorize a device:
  22
  23$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
  24
  25Set new devices connected to hostX to be deauthorized by default (ie:
  26lock down):
  27
  28$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
  29
  30Remove the lock down:
  31
  32$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
  33
  34By default, Wired USB devices are authorized by default to
  35connect. Wireless USB hosts deauthorize by default all new connected
  36devices (this is so because we need to do an authentication phase
  37before authorizing).
  38
  39
  40Example system lockdown (lame)
  41-----------------------
  42
  43Imagine you want to implement a lockdown so only devices of type XYZ
  44can be connected (for example, it is a kiosk machine with a visible
  45USB port):
  46
  47boot up
  48rc.local ->
  49
  50 for host in /sys/bus/usb/devices/usb*
  51 do
  52    echo 0 > $host/authorized_default
  53 done
  54
  55Hookup an script to udev, for new USB devices
  56
  57 if device_is_my_type $DEV
  58 then
  59   echo 1 > $device_path/authorized
  60 done
  61
  62
  63Now, device_is_my_type() is where the juice for a lockdown is. Just
  64checking if the class, type and protocol match something is the worse
  65security verification you can make (or the best, for someone willing
  66to break it). If you need something secure, use crypto and Certificate
  67Authentication or stuff like that. Something simple for an storage key
  68could be:
  69
  70function device_is_my_type()
  71{
  72   echo 1 > authorized          # temporarily authorize it
  73                                # FIXME: make sure none can mount it
  74   mount DEVICENODE /mntpoint
  75   sum=$(md5sum /mntpoint/.signature)
  76   if [ $sum = $(cat /etc/lockdown/keysum) ]
  77   then
  78        echo "We are good, connected"
  79        umount /mntpoint
  80        # Other stuff so others can use it
  81   else
  82        echo 0 > authorized
  83   fi
  84}
  85
  86
  87Of course, this is lame, you'd want to do a real certificate
  88verification stuff with PKI, so you don't depend on a shared secret,
  89etc, but you get the idea. Anybody with access to a device gadget kit
  90can fake descriptors and device info. Don't trust that. You are
  91welcome.
  92
  93
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.