oss-sec mailing list archives

Re: BadUSB discussion


From: Greg KH <greg () kroah com>
Date: Fri, 8 Aug 2014 12:40:40 -0700

On Fri, Aug 08, 2014 at 10:27:16PM +0400, (GalaxyMaster) wrote:
> Alexey,
>
> On Fri, Aug 08, 2014 at 09:57:49PM +0400, gremlin () gremlin ru wrote:
> > On 08-Aug-2014 09:21:02 -0700, Greg KH wrote:
> > > That doesn't prevent any other USB HID device from being plugged
> > > in and instantly working. Which again, you can prevent if you
> > > want to, but no one seems to do that...
> >
> > Hmmm... To avoid possible confusion: that was CONFIG_USB_KBD -
> > "USB HIDBP Keyboard (simple Boot) support", and CONFIG_USB_HID
> > was turned off.
>
> I think Greg was referring to kernel's feature of controlling power on
> USB ports (e.g. you can just switch off power for a port and nothing you
> insert there will have a chance to work until you instruct the kernel to
> switch the port back on).

No, that is one option (note, it doesn't work for all hardware.)  I was
referring to the "authorized_default" option the USB core provides.  You
can set it to be:
         0 - all devices plugged in are not authorized
         1 - all devices plugged in are automatically authorized
        -1 - all devices plugged in are automatically authorized,
             except for wireless USB devices, which have to be
             explicitly authorized.

-1 is the default value.

If you set it to 0, you can look at the device, but no driver can bind
to it until you authorize it (through a sysfs file) and then it can work
properly.

Paranoid systems should set the default to 0.

The option can be changed while the kernel runs, good idea to use -1 as
a default, boot up, all needed devices are found, then set it to 0 so no
new device can be plugged in (watch out, if you unplug and then plug, it
will not work, so power spikes that cause devices to drop off the bus
and come back can be a pain.)

thanks,

greg k-h
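
The workflow described in the message above (boot with the default, then set authorized_default to 0 and approve devices through sysfs), as an added shell example that is not part of the original post. It assumes the kernel's sysfs files `authorized_default` (per host controller) and `authorized` (per device) under /sys/bus/usb/devices; the `USB_SYSFS` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original message.
# USB_SYSFS is an assumption of this example so the functions can be pointed
# at a test tree; on a real system it is /sys/bus/usb/devices.
USB_SYSFS="${USB_SYSFS:-/sys/bus/usb/devices}"

# Set authorized_default=0 on every host controller (usb1, usb2, ...).
# Devices already bound keep working; no driver binds to later arrivals.
usb_lockdown() {
    for hc in "$USB_SYSFS"/usb*; do
        [ -f "$hc/authorized_default" ] || continue
        echo 0 > "$hc/authorized_default"
    done
}

# Print each device still waiting for approval as "name vendor:product".
# Interface entries (names containing ':') are skipped; only whole devices
# are listed.
usb_pending() {
    for dev in "$USB_SYSFS"/*; do
        case "${dev##*/}" in *:*) continue ;; esac
        [ -f "$dev/authorized" ] || continue
        [ "$(cat "$dev/authorized")" = "0" ] || continue
        printf '%s %s:%s\n' "${dev##*/}" \
            "$(cat "$dev/idVendor" 2>/dev/null)" \
            "$(cat "$dev/idProduct" 2>/dev/null)"
    done
}

# Authorize one device by its bus name (e.g. 1-2) after inspecting it.
# Names with a slash or a leading dot are rejected so the write cannot
# land outside the USB device directory.
usb_authorize() {
    case "$1" in
        ''|*/*|.*) echo "bad device name: $1" >&2; return 2 ;;
    esac
    [ -f "$USB_SYSFS/$1/authorized" ] || { echo "no such device: $1" >&2; return 1; }
    echo 1 > "$USB_SYSFS/$1/authorized"
}
```

Writing to these files requires root. A device that drops off the bus and reconnects after `usb_lockdown` shows up in `usb_pending` again and needs `usb_authorize` before it works.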

