1
2Authorizing (or not) your USB devices to connect to the system
3
4(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
5
6This feature allows you to control if a USB device can be used (or
7not) in a system. This feature will allow you to implement a lock-down
8of USB devices, fully controlled by user space.
9
10As of now, when a USB device is connected it is configured and
11its interfaces are immediately made available to the users.  With this
12modification, only if root authorizes the device to be configured will
13then it be possible to use it.
14
15Usage:
16
17Authorize a device to connect:
18
19$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
20
21Deauthorize a device:
22
23$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
24
25Set new devices connected to hostX to be deauthorized by default (ie:
26lock down):
27
28$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
29
30Remove the lock down:
31
32$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
33
34By default, Wired USB devices are authorized by default to
35connect. Wireless USB hosts deauthorize by default all new connected
36devices (this is so because we need to do an authentication phase
37before authorizing).
38
39
40Example system lockdown (lame)
41-----------------------
42
43Imagine you want to implement a lockdown so only devices of type XYZ
44can be connected (for example, it is a kiosk machine with a visible
45USB port):
46
47boot up
48rc.local ->
49
50 for host in /sys/bus/usb/devices/usb*
51 do
52    echo 0 > $host/authorized_default
53 done
54
55Hookup an script to udev, for new USB devices
56
57 if device_is_my_type $DEV
58 then
59   echo 1 > $device_path/authorized
60 done
61
62
63Now, device_is_my_type() is where the juice for a lockdown is. Just
64checking if the class, type and protocol match something is the worse
65security verification you can make (or the best, for someone willing
66to break it). If you need something secure, use crypto and Certificate
67Authentication or stuff like that. Something simple for an storage key
68could be:
69
70function device_is_my_type()
71{
72   echo 1 > authorized		# temporarily authorize it
73                                # FIXME: make sure none can mount it
74   mount DEVICENODE /mntpoint
75   sum=$(md5sum /mntpoint/.signature)
76   if [ $sum = $(cat /etc/lockdown/keysum) ]
77   then
78        echo "We are good, connected"
79        umount /mntpoint
80        # Other stuff so others can use it
81   else
82        echo 0 > authorized
83   fi
84}
85
86
87Of course, this is lame, you'd want to do a real certificate
88verification stuff with PKI, so you don't depend on a shared secret,
89etc, but you get the idea. Anybody with access to a device gadget kit
90can fake descriptors and device info. Don't trust that. You are
91welcome.
92
93