-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
- Loading branch information
Inaky Perez-Gonzalez
authored and
Greg Kroah-Hartman
committed
Oct 12, 2007
1 parent
e03f2e8
commit 732bb9e
Showing
1 changed file
with
92 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
|
|
||
| Authorizing (or not) your USB devices to connect to the system | ||
|
|
||
| (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation | ||
|
|
||
| This feature allows you to control if a USB device can be used (or | ||
| not) in a system. This feature will allow you to implement a lock-down | ||
| of USB devices, fully controlled by user space. | ||
|
|
||
| As of now, when a USB device is connected it is configured and | ||
| it's interfaces inmediately made available to the users. With this | ||
| modification, only if root authorizes the device to be configured will | ||
| then it be possible to use it. | ||
|
|
||
| Usage: | ||
|
|
||
| Authorize a device to connect: | ||
|
|
||
| $ echo 1 > /sys/usb/devices/DEVICE/authorized | ||
|
|
||
| Deauthorize a device: | ||
|
|
||
| $ echo 0 > /sys/usb/devices/DEVICE/authorized | ||
|
|
||
| Set new devices connected to hostX to be deauthorized by default (ie: | ||
| lock down): | ||
|
|
||
| $ echo 0 > /sys/bus/devices/usbX/authorized_default | ||
|
|
||
| Remove the lock down: | ||
|
|
||
| $ echo 1 > /sys/bus/devices/usbX/authorized_default | ||
|
|
||
| By default, Wired USB devices are authorized by default to | ||
| connect. Wireless USB hosts deauthorize by default all new connected | ||
| devices (this is so because we need to do an authentication phase | ||
| before authorizing). | ||
|
|
||
|
|
||
| Example system lockdown (lame) | ||
| ----------------------- | ||
|
|
||
| Imagine you want to implement a lockdown so only devices of type XYZ | ||
| can be connected (for example, it is a kiosk machine with a visible | ||
| USB port): | ||
|
|
||
| boot up | ||
| rc.local -> | ||
|
|
||
| for host in /sys/bus/devices/usb* | ||
| do | ||
| echo 0 > $host/authorized_default | ||
| done | ||
|
|
||
| Hookup an script to udev, for new USB devices | ||
|
|
||
| if device_is_my_type $DEV | ||
| then | ||
| echo 1 > $device_path/authorized | ||
| done | ||
|
|
||
|
|
||
| Now, device_is_my_type() is where the juice for a lockdown is. Just | ||
| checking if the class, type and protocol match something is the worse | ||
| security verification you can make (or the best, for someone willing | ||
| to break it). If you need something secure, use crypto and Certificate | ||
| Authentication or stuff like that. Something simple for an storage key | ||
| could be: | ||
|
|
||
| function device_is_my_type() | ||
| { | ||
| echo 1 > authorized # temporarily authorize it | ||
| # FIXME: make sure none can mount it | ||
| mount DEVICENODE /mntpoint | ||
| sum=$(md5sum /mntpoint/.signature) | ||
| if [ $sum = $(cat /etc/lockdown/keysum) ] | ||
| then | ||
| echo "We are good, connected" | ||
| umount /mntpoint | ||
| # Other stuff so others can use it | ||
| else | ||
| echo 0 > authorized | ||
| fi | ||
| } | ||
|
|
||
|
|
||
| Of course, this is lame, you'd want to do a real certificate | ||
| verification stuff with PKI, so you don't depend on a shared secret, | ||
| etc, but you get the idea. Anybody with access to a device gadget kit | ||
| can fake descriptors and device info. Don't trust that. You are | ||
| welcome. | ||
|
|