Merge master.kernel.org:/pub/scm/linux/kernel/git/gregkh/usb-2.6

Authorizing (or not) your USB devices to connect to the system

(C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation

This feature allows you to control if a USB device can be used (or

not) in a system. This feature will allow you to implement a lock-down

of USB devices, fully controlled by user space.

As of now, when a USB device is connected it is configured and

it's interfaces inmediately made available to the users. With this

modification, only if root authorizes the device to be configured will

then it be possible to use it.

Usage:

Authorize a device to connect:

$ echo 1 > /sys/usb/devices/DEVICE/authorized

Deauthorize a device:

$ echo 0 > /sys/usb/devices/DEVICE/authorized

Set new devices connected to hostX to be deauthorized by default (ie:

lock down):

$ echo 0 > /sys/bus/devices/usbX/authorized_default

Remove the lock down:

$ echo 1 > /sys/bus/devices/usbX/authorized_default

By default, Wired USB devices are authorized by default to

connect. Wireless USB hosts deauthorize by default all new connected

devices (this is so because we need to do an authentication phase

before authorizing).

Example system lockdown (lame)

-----------------------

Imagine you want to implement a lockdown so only devices of type XYZ

can be connected (for example, it is a kiosk machine with a visible

USB port):

boot up

rc.local ->

 for host in /sys/bus/devices/usb*

 do

    echo 0 > $host/authorized_default

 done

Hookup an script to udev, for new USB devices

 if device_is_my_type $DEV

 then

   echo 1 > $device_path/authorized

 done

Now, device_is_my_type() is where the juice for a lockdown is. Just

checking if the class, type and protocol match something is the worse

security verification you can make (or the best, for someone willing

to break it). If you need something secure, use crypto and Certificate

Authentication or stuff like that. Something simple for an storage key

could be:

function device_is_my_type()

{

   echo 1 > authorized		# temporarily authorize it

                                # FIXME: make sure none can mount it

   mount DEVICENODE /mntpoint

   sum=$(md5sum /mntpoint/.signature)

   if [ $sum = $(cat /etc/lockdown/keysum) ]

   then

        echo "We are good, connected"

        umount /mntpoint

        # Other stuff so others can use it

   else

        echo 0 > authorized

   fi

}

Of course, this is lame, you'd want to do a real certificate

verification stuff with PKI, so you don't depend on a shared secret,

etc, but you get the idea. Anybody with access to a device gadget kit

can fake descriptors and device info. Don't trust that. You are

welcome.

  See http://www.uuhaus.de/linux/palmconnect.html for up-to-date

  information on this driver.

Winchiphead CH341 Driver

  This driver is for the Winchiphead CH341 USB-RS232 Converter. This chip

  also implements an IEEE 1284 parallel port, I2C and SPI, but that is not

  supported by the driver. The protocol was analyzed from the behaviour

  of the Windows driver, no datasheet is available at present.

  The manufacturer's website: http://www.winchiphead.com/.

  For any questions or problems with this driver, please contact

  frank@kingswood-consulting.co.uk.

Generic Serial driver

  If your device is not one of the above listed devices, compatible with

Verify that bus sockets are present.

# ls /sys/kernel/debug/usbmon

1s  1t  1u  2s  2t  2u  3s  3t  3u  4s  4t  4u

0s  0t  0u  1s  1t  1u  2s  2t  2u  3s  3t  3u  4s  4t  4u

#

Now you can choose to either use the sockets numbered '0' (to capture packets on

all buses), and skip to step #3, or find the bus used by your device with step #2.

2. Find which bus connects to the desired device

Run "cat /proc/bus/usb/devices", and find the T-line which corresponds to

# cat /sys/kernel/debug/usbmon/3u > /tmp/1.mon.out

to listen on a single bus, otherwise, to listen on all buses, type:

# cat /sys/kernel/debug/usbmon/0u > /tmp/1.mon.out

This process will be reading until killed. Naturally, the output can be

redirected to a desirable location. This is preferred, because it is going

to be quite long.

M:	hskinnemoen@atmel.com

S:	Supported

ATMEL USBA UDC DRIVER

P:	Haavard Skinnemoen

M:	hskinnemoen@atmel.com

L:	kernel@avr32linux.org

W:	http://avr32linux.org/twiki/bin/view/Main/AtmelUsbDeviceDriver

S:	Supported

ATMEL WIRELESS DRIVER

P:	Simon Kelley

M:	simon@thekelleys.org.uk