2 Authorizing (or not) your USB devices to connect to the system
4 (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
6 Interface authorization part:
7 (C) 2015 Stefan Koch <skoch@suse.de> SUSE LLC
9 This feature allows you to control if a USB device can be used (or
10 not) in a system. This feature will allow you to implement a lock-down
11 of USB devices, fully controlled by user space.
13 As of now, when a USB device is connected it is configured and
14 its interfaces are immediately made available to the users. With this
15 modification, only if root authorizes the device to be configured will
16 then it be possible to use it.
20 Authorize a device to connect:
22 $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
26 $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
28 Set new devices connected to hostX to be deauthorized by default (ie:
31 $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
35 $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
37 By default, Wired USB devices are authorized by default to
38 connect. Wireless USB hosts deauthorize by default all new connected
39 devices (this is so because we need to do an authentication phase
43 Example system lockdown (lame)
44 -----------------------
46 Imagine you want to implement a lockdown so only devices of type XYZ
47 can be connected (for example, it is a kiosk machine with a visible
53 for host in /sys/bus/usb/devices/usb*
55 echo 0 > $host/authorized_default
58 Hookup an script to udev, for new USB devices
60 if device_is_my_type $DEV
62 echo 1 > $device_path/authorized
66 Now, device_is_my_type() is where the juice for a lockdown is. Just
67 checking if the class, type and protocol match something is the worse
68 security verification you can make (or the best, for someone willing
69 to break it). If you need something secure, use crypto and Certificate
70 Authentication or stuff like that. Something simple for an storage key
73 function device_is_my_type()
75 echo 1 > authorized # temporarily authorize it
76 # FIXME: make sure none can mount it
77 mount DEVICENODE /mntpoint
78 sum=$(md5sum /mntpoint/.signature)
79 if [ $sum = $(cat /etc/lockdown/keysum) ]
81 echo "We are good, connected"
83 # Other stuff so others can use it
90 Of course, this is lame, you'd want to do a real certificate
91 verification stuff with PKI, so you don't depend on a shared secret,
92 etc, but you get the idea. Anybody with access to a device gadget kit
93 can fake descriptors and device info. Don't trust that. You are
97 Interface authorization
98 -----------------------
99 There is a similar approach to allow or deny specific USB interfaces.
100 That allows to block only a subset of an USB device.
102 Authorize an interface:
103 $ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
105 Deauthorize an interface:
106 $ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
108 The default value for new interfaces
109 on a particular USB bus can be changed, too.
111 Allow interfaces per default:
112 $ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
114 Deny interfaces per default:
115 $ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
117 Per default the interface_authorized_default bit is 1.
118 So all interfaces would authorized per default.
121 If a deauthorized interface will be authorized so the driver probing must
122 be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
124 For drivers that need multiple interfaces all needed interfaces should be
125 authroized first. After that the drivers should be probed.
126 This avoids side effects.