Linux 5.1 Picking Up Option To Lockdown All But Internal USB Devices

Written by Michael Larabel in Linux Kernel on 24 February 2019 at 07:39 AM EST. 13 Comments
A change originating from Google's Chrome OS work is heading into the upstream Linux 5.1 codebase that adds a new mode to the kernel's USB authorization mechanism. This opt-in mode lets users/administrators authorize only internal USB devices by default.

The Linux kernel's USB authorization code has already allowed explicitly authorizing all devices or none, for those who want user-space to manage which USB devices may interface with the system. The out-of-the-box behavior has been (and remains) to authorize all wired USB devices, while wireless USB devices are de-authorized by default.

The new option coming with Linux 5.1 authorizes a device only if it is connected to an internal USB port, while any externally connected USB device is denied. This mode makes sense for locked-down devices that have internal components running over USB: those should be authorized and immediately available, while nothing plugged into a non-hard-wired, external port is.

For those wanting this behavior, as of Linux 5.1+ the usbcore.authorized_default=2 kernel parameter enables the only-authorize-internal-USB-devices-by-default mode. Google is using this on Chrome OS to enable only internal USB devices until its user-space is up, at which point USBGuard takes over control of USB device access and tries to fend off any rogue devices.

As part of the USB authorization framework, the per-device authorization state can be controlled by those with administrator privileges via sysfs, or indirectly through various user-space utilities such as USBGuard.
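The sysfs interface mentioned above is easy to audit from a shell. The script below is an added example written for this page, not code from the article, the kernel tree or USBGuard. It reads the per-controller authorized_default attribute and each device's authorized flag, and looks up the connect_type of the port a device hangs off (the kernel's "hardwired" versus "hotplug" distinction that mode 2 relies on). It assumes the usual sysfs layout of root hub interfaces named B-0:1.0 and port nodes named usbB-portP (and hub interfaces ending in :1.0 with H-portP nodes for nested devices); if a port node is missing it reports "unknown". Point it at a real system with usb_auth_report /sys; the demo at the bottom builds a constructed fake sysfs tree so it runs offline.

```shell
#!/bin/sh
# Added example: audit Linux USB authorization state via sysfs.
# Assumes the standard sysfs naming described in the lead-in.
# To change policy on a live system (as root), the page's sysfs knobs are:
#   echo 2 > /sys/bus/usb/devices/usb1/authorized_default   # internal only
#   echo 0 > /sys/bus/usb/devices/1-2/authorized            # deny one device

# Map an authorized_default value to what it means.
usb_auth_mode_name() {
    case "$1" in
        -1) echo "kernel default (wired authorized, wireless not)" ;;
        0)  echo "authorize none" ;;
        1)  echo "authorize all" ;;
        2)  echo "authorize internal ports only (Linux 5.1+)" ;;
        *)  echo "unknown value '$1'" ;;
    esac
}

# connect_type of the port that device $2 (e.g. 1-2 or 1-1.3) is attached to.
usb_port_connect_type() {
    sysroot=$1; name=$2
    bus=${name%%-*}; path=${name#*-}
    case "$path" in
        *.*) hub="$bus-${path%.*}"; port=${path##*.}        # nested behind a hub
             f="$sysroot/bus/usb/devices/$hub:1.0/$hub-port$port/connect_type" ;;
        *)   port=$path                                     # directly on root hub
             f="$sysroot/bus/usb/devices/$bus-0:1.0/usb$bus-port$port/connect_type" ;;
    esac
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# One line per host controller with its default policy, then one per device.
usb_auth_report() {
    sysroot=${1:-/sys}
    for hc in "$sysroot"/bus/usb/devices/usb[0-9]*; do
        [ -r "$hc/authorized_default" ] || continue
        v=$(cat "$hc/authorized_default")
        echo "controller $(basename "$hc"): authorized_default=$v ($(usb_auth_mode_name "$v"))"
    done
    for dev in "$sysroot"/bus/usb/devices/[0-9]*-[0-9]*; do
        name=$(basename "$dev")
        case "$name" in *:*) continue ;; esac              # skip interface nodes
        [ -r "$dev/authorized" ] || continue
        echo "device $name: authorized=$(cat "$dev/authorized") port=$(usb_port_connect_type "$sysroot" "$name")"
    done
}

# Number of attached devices the kernel currently refuses to authorize.
usb_auth_count_unauthorized() {
    sysroot=${1:-/sys}; n=0
    for dev in "$sysroot"/bus/usb/devices/[0-9]*-[0-9]*; do
        name=$(basename "$dev")
        case "$name" in *:*) continue ;; esac
        [ -r "$dev/authorized" ] || continue
        [ "$(cat "$dev/authorized")" = "0" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed fake sysfs tree: controller in mode 2, an internal device on a
# hardwired port (authorized) and an external device on a hotplug port (denied).
make_fake_usb_sysfs() {
    d="$1/bus/usb/devices"
    mkdir -p "$d/usb1" "$d/1-0:1.0/usb1-port1" "$d/1-0:1.0/usb1-port2" \
             "$d/1-1" "$d/1-1:1.0" "$d/1-2"
    echo 2 > "$d/usb1/authorized_default"
    echo hardwired > "$d/1-0:1.0/usb1-port1/connect_type"
    echo hotplug > "$d/1-0:1.0/usb1-port2/connect_type"
    echo 1 > "$d/1-1/authorized"        # internal device, authorized
    echo 1 > "$d/1-1:1.0/authorized"    # its interface node, must be skipped
    echo 0 > "$d/1-2/authorized"        # external device, denied under mode 2
}

# Offline demo against the constructed tree.
demo=$(mktemp -d)
make_fake_usb_sysfs "$demo"
usb_auth_report "$demo"
echo "unauthorized devices: $(usb_auth_count_unauthorized "$demo")"
rm -rf "$demo"
```

On a real machine the report shows whether the running kernel is in mode 2 and which attached devices it has refused; a non-zero unauthorized count on a system that is not meant to be locked down is worth investigating before user-space tooling such as USBGuard is blamed.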

This new USB authorization mode is queued in usb-next ahead of Linux 5.1.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
