linux-imx

​

Authorizing (or not) your USB devices to connect to the system

​

(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

​

This feature allows you to control if a USB device can be used (or

not) in a system. This feature will allow you to implement a lock-down

of USB devices, fully controlled by user space.

​

As of now, when a USB device is connected it is configured and

its interfaces are immediately made available to the users.  With this

modification, only if root authorizes the device to be configured will

then it be possible to use it.

​

Usage:

​

Authorize a device to connect:

​

$ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

​

Deauthorize a device:

​

$ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

​

Set new devices connected to hostX to be deauthorized by default (ie:

lock down):

​

$ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

​

Remove the lock down:

​

$ echo 1 > /sys/bus/usb/devices/usbX/authorized_default

​

By default, Wired USB devices are authorized by default to

connect. Wireless USB hosts deauthorize by default all new connected

devices (this is so because we need to do an authentication phase

before authorizing). Writing "2" to the authorized_default attribute

causes kernel to only authorize by default devices connected to internal

USB ports.

​

​

Example system lockdown (lame)

-----------------------

​

Imagine you want to implement a lockdown so only devices of type XYZ

can be connected (for example, it is a kiosk machine with a visible

USB port):

​

boot up

rc.local ->

​

 for host in /sys/bus/usb/devices/usb*

 do

    echo 0 > $host/authorized_default

 done

​

Hookup an script to udev, for new USB devices

​

 if device_is_my_type $DEV

 then

   echo 1 > $device_path/authorized

 done

​