Linux 5.1 Picking Up Option To Lockdown All But Internal USB Devices

Written by Michael Larabel in Linux Kernel on 24 February 2019 at 07:39 AM EST. 13 Comments
LINUX KERNEL
A change for Google's Chrome OS is working its way into the upstream Linux 5.1 codebase that adds a new mode to the kernel's USB authorization mechanism. This opt-in change will allow users/administrators to only authorize internal USB devices by default.

The Linux kernel's USB authorization code has already allowed the explicit authorization of all or none devices, should you want user-space to manage to what USB devices can interface with the system. The out-of-the-box behavior has been (and remains) authorizing all wired USB devices but wireless USB devices are de-authorized by default.

The new option coming with Linux 5.1 allows for only authorizing devices if connected to an internal USB port while any external USB devices would be denied. This mode makes sense for locked down devices where there may be some internal components operating off USB and thus desiring them to be authorized and immediately available but not for any non-hard-wired, externally connected devices.

Those desiring such behavior, as of Linux 5.1+ the usbcore.authorized_default=2 option can be used for enabling this only-authorize-internal-USB-devices-by-default mode. Google is using this functionality on Chrome OS for only enabling internal USB devices up until its user-space is going where it's running USBguard to control USB device access and try to fend off any rogue devices.

As part of the USB authorization framework, the per-device authorization state can be controlled by those with administrator privileges via sysfs or indirectly various user-space utilities like USBguard.

This new USB authorization mode is queued in usb-next ahead of Linux 5.1.
13 Comments
Related News
Linux 6.9-rc5 Released: The Diffstat "Looks A Bit Wonky" But Not Bad
Linux 6.9-rc5 Picking Up Fixes For Intel FRED, BHI & GFNI/VAES Checks
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"
Linus Torvalds Injects Tabs To Thwart Kconfig Parsers Not Correctly Handling Them
Linux 6.9-rc4 Brings More Bcachefs Fixes, Native BHI Mitigation
Linux 6.10 To Account For NUMA Node When Allocating Per-CPU Cpumasks
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Fedora Linux 40 Cleared For Release Next Week
Fedora Linux 40 Available For Download As A Wonderful Upgrade
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"
openSUSE Factory Achieves Bit-By-Bit Reproducible Builds
GNU Portability Library's Tool Rewritten In Python For 8~100x Better Performance