Documentation/usb/authorization.txt - kernel/mindspeed - Git at Google


 Authorizing (or not) your USB devices to connect to the system

 (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

 This feature allows you to control if a USB device can be used (or
 not) in a system. This feature will allow you to implement a lock-down
 of USB devices, fully controlled by user space.

 As of now, when a USB device is connected it is configured and
 its interfaces are immediately made available to the users.  With this
 modification, only if root authorizes the device to be configured will
 then it be possible to use it.

 Usage:

 Authorize a device to connect:

 $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

 Deauthorize a device:

 $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

 Set new devices connected to hostX to be deauthorized by default (ie:
 lock down):

 $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

 Remove the lock down:

 $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

 By default, Wired USB devices are authorized by default to
 connect. Wireless USB hosts deauthorize by default all new connected
 devices (this is so because we need to do an authentication phase
 before authorizing).


 Example system lockdown (lame)
 -----------------------

 Imagine you want to implement a lockdown so only devices of type XYZ
 can be connected (for example, it is a kiosk machine with a visible
 USB port):

 boot up
 rc.local ->

  for host in /sys/bus/usb/devices/usb*
  do
     echo 0 > $host/authorized_default
  done

 Hookup an script to udev, for new USB devices

  if device_is_my_type $DEV
  then
    echo 1 > $device_path/authorized
  done


 Now, device_is_my_type() is where the juice for a lockdown is. Just
 checking if the class, type and protocol match something is the worse
 security verification you can make (or the best, for someone willing
 to break it). If you need something secure, use crypto and Certificate
 Authentication or stuff like that. Something simple for an storage key
 could be:

 function device_is_my_type()
 {
    echo 1 > authorized		# temporarily authorize it
                                 # FIXME: make sure none can mount it
    mount DEVICENODE /mntpoint
    sum=$(md5sum /mntpoint/.signature)
    if [ $sum = $(cat /etc/lockdown/keysum) ]
    then
         echo "We are good, connected"
         umount /mntpoint
         # Other stuff so others can use it
    else
         echo 0 > authorized
    fi
 }


 Of course, this is lame, you'd want to do a real certificate
 verification stuff with PKI, so you don't depend on a shared secret,
 etc, but you get the idea. Anybody with access to a device gadget kit
 can fake descriptors and device info. Don't trust that. You are
 welcome.

	Authorizing (or not) your USB devices to connect to the system

	(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

	This feature allows you to control if a USB device can be used (or
	not) in a system. This feature will allow you to implement a lock-down
	of USB devices, fully controlled by user space.

	As of now, when a USB device is connected it is configured and
	its interfaces are immediately made available to the users. With this
	modification, only if root authorizes the device to be configured will
	then it be possible to use it.

	Usage:

	Authorize a device to connect:

	$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

	Deauthorize a device:

	$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

	Set new devices connected to hostX to be deauthorized by default (ie:
	lock down):

	$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

	Remove the lock down:

	$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

	By default, Wired USB devices are authorized by default to
	connect. Wireless USB hosts deauthorize by default all new connected
	devices (this is so because we need to do an authentication phase
	before authorizing).


	Example system lockdown (lame)
	-----------------------

	Imagine you want to implement a lockdown so only devices of type XYZ
	can be connected (for example, it is a kiosk machine with a visible
	USB port):

	boot up
	rc.local ->

	for host in /sys/bus/usb/devices/usb*
	do
	echo 0 > $host/authorized_default
	done

	Hookup an script to udev, for new USB devices

	if device_is_my_type $DEV
	then
	echo 1 > $device_path/authorized
	done


	Now, device_is_my_type() is where the juice for a lockdown is. Just
	checking if the class, type and protocol match something is the worse
	security verification you can make (or the best, for someone willing
	to break it). If you need something secure, use crypto and Certificate
	Authentication or stuff like that. Something simple for an storage key
	could be:

	function device_is_my_type()
	{
	echo 1 > authorized # temporarily authorize it
	# FIXME: make sure none can mount it
	mount DEVICENODE /mntpoint
	sum=$(md5sum /mntpoint/.signature)
	if [ $sum = $(cat /etc/lockdown/keysum) ]
	then
	echo "We are good, connected"
	umount /mntpoint
	# Other stuff so others can use it
	else
	echo 0 > authorized
	fi
	}


	Of course, this is lame, you'd want to do a real certificate
	verification stuff with PKI, so you don't depend on a shared secret,
	etc, but you get the idea. Anybody with access to a device gadget kit
	can fake descriptors and device info. Don't trust that. You are
	welcome.