Linux 5.1 Picking Up Option To Lockdown All But Internal USB Devices
The Linux kernel's USB authorization code has already allowed explicitly authorizing all devices or none, should you want user-space to manage which USB devices can interface with the system. The out-of-the-box behavior has been (and remains) to authorize all wired USB devices, while wireless USB devices are de-authorized by default.
The new option coming with Linux 5.1 allows for only authorizing devices if connected to an internal USB port while any external USB devices would be denied. This mode makes sense for locked down devices where there may be some internal components operating off USB and thus desiring them to be authorized and immediately available but not for any non-hard-wired, externally connected devices.
For those desiring such behavior, as of Linux 5.1+ the usbcore.authorized_default=2 option can be used to enable this only-authorize-internal-USB-devices-by-default mode. Google is using this functionality on Chrome OS to enable only internal USB devices until its user-space is up and running USBGuard, which then controls USB device access and tries to fend off any rogue devices.
As part of the USB authorization framework, the per-device authorization state can be controlled by those with administrator privileges via sysfs, or indirectly via various user-space utilities like USBGuard.
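A read-only way to check the boot-time policy and the per-device state through sysfs, as an added example that is not from the original article. The function names are hypothetical, the value meanings are those of the Linux 5.1 series, and the sysfs root is a parameter so the script can also run against a constructed tree.

```shell
#!/bin/sh
# Read-only audit of the kernel's USB authorization state (added example).

# Map a usbcore.authorized_default value to its meaning (Linux 5.1 series).
usb_policy_name() {
    case "$1" in
        0)  echo "authorize none" ;;
        1)  echo "authorize all" ;;
        2)  echo "authorize internal ports only" ;;
        -1) echo "authorize wired, de-authorize wireless" ;;
        *)  echo "unknown" ;;
    esac
}

# usb_auth_audit [SYSFS_ROOT] [EXPECTED_POLICY]
# Prints the global policy, each controller's default and each device's
# authorized flag. Returns 0 only if the global policy matches EXPECTED_POLICY.
usb_auth_audit() {
    root="${1:-/sys}"
    want="${2:-2}"
    have="$(cat "$root/module/usbcore/parameters/authorized_default" 2>/dev/null)" || have="?"
    echo "policy=$have ($(usb_policy_name "$have")) expected=$want"

    for dev in "$root"/bus/usb/devices/*; do
        [ -r "$dev/authorized" ] || continue
        name="${dev##*/}"
        case "$name" in *:*) continue ;; esac       # skip interface nodes such as 1-1:1.0
        if [ -r "$dev/authorized_default" ]; then   # root hub: per-controller default
            echo "$name controller_default=$(cat "$dev/authorized_default")"
        else
            echo "$name authorized=$(cat "$dev/authorized")"
        fi
    done

    [ "$have" = "$want" ]
}

# Live check: ./usb-auth-audit.sh --live
if [ "${1:-}" = "--live" ]; then
    usb_auth_audit /sys 2 || echo "WARNING: policy differs from expected"
fi
```

A device listed with `authorized=0` is attached but not usable until an administrator or a tool such as USBGuard authorizes it.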
This new USB authorization mode is queued in usb-next ahead of Linux 5.1.