summaryrefslogtreecommitdiff
path: root/Documentation/usb/authorization.txt
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/usb/authorization.txt')
-rw-r--r--Documentation/usb/authorization.txt75
1 files changed, 41 insertions, 34 deletions
diff --git a/Documentation/usb/authorization.txt b/Documentation/usb/authorization.txt
index 9dd1dc7b1009..9e53909d04c2 100644
--- a/Documentation/usb/authorization.txt
+++ b/Documentation/usb/authorization.txt
@@ -1,7 +1,8 @@
-
+==============================================================
Authorizing (or not) your USB devices to connect to the system
+==============================================================
-(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
+Copyright (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
This feature allows you to control if a USB device can be used (or
not) in a system. This feature will allow you to implement a lock-down
@@ -12,24 +13,25 @@ its interfaces are immediately made available to the users. With this
modification, only if root authorizes the device to be configured will
then it be possible to use it.
-Usage:
+Usage
+=====
-Authorize a device to connect:
+Authorize a device to connect::
-$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
+ $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
-Deauthorize a device:
+De-authorize a device::
-$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
+ $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
Set new devices connected to hostX to be deauthorized by default (ie:
-lock down):
+lock down)::
-$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
+ $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
-Remove the lock down:
+Remove the lock down::
-$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
+ $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
By default, Wired USB devices are authorized by default to
connect. Wireless USB hosts deauthorize by default all new connected
@@ -40,21 +42,21 @@ USB ports.
Example system lockdown (lame)
------------------------
+------------------------------
Imagine you want to implement a lockdown so only devices of type XYZ
can be connected (for example, it is a kiosk machine with a visible
-USB port):
+USB port)::
-boot up
-rc.local ->
+ boot up
+ rc.local ->
- for host in /sys/bus/usb/devices/usb*
- do
- echo 0 > $host/authorized_default
- done
+ for host in /sys/bus/usb/devices/usb*
+ do
+ echo 0 > $host/authorized_default
+ done
-Hookup an script to udev, for new USB devices
+Hookup an script to udev, for new USB devices::
if device_is_my_type $DEV
then
@@ -67,10 +69,10 @@ checking if the class, type and protocol match something is the worse
security verification you can make (or the best, for someone willing
to break it). If you need something secure, use crypto and Certificate
Authentication or stuff like that. Something simple for an storage key
-could be:
+could be::
-function device_is_my_type()
-{
+ function device_is_my_type()
+ {
echo 1 > authorized # temporarily authorize it
# FIXME: make sure none can mount it
mount DEVICENODE /mntpoint
@@ -83,7 +85,7 @@ function device_is_my_type()
else
echo 0 > authorized
fi
-}
+ }
Of course, this is lame, you'd want to do a real certificate
@@ -95,30 +97,35 @@ welcome.
Interface authorization
-----------------------
+
There is a similar approach to allow or deny specific USB interfaces.
That allows to block only a subset of an USB device.
-Authorize an interface:
-$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
+Authorize an interface::
-Deauthorize an interface:
-$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
+ $ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
+
+Deauthorize an interface::
+
+ $ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
The default value for new interfaces
on a particular USB bus can be changed, too.
-Allow interfaces per default:
-$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
+Allow interfaces per default::
+
+ $ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
+
+Deny interfaces per default::
-Deny interfaces per default:
-$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
+ $ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
Per default the interface_authorized_default bit is 1.
So all interfaces would authorized per default.
Note:
-If a deauthorized interface will be authorized so the driver probing must
-be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
+ If a deauthorized interface will be authorized so the driver probing must
+ be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
For drivers that need multiple interfaces all needed interfaces should be
authorized first. After that the drivers should be probed.