| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250620-usb_authentication-v1-2-0d92261a5779@ssi.gouv.fr>
Date: Fri, 20 Jun 2025 16:27:17 +0200
From: nicolas.bouchinet@....cyber.gouv.fr
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Alan Stern <stern@...land.harvard.edu>,
Kannappan R <r.kannappan@...el.com>,
Sabyrzhan Tasbolatov <snovitoll@...il.com>,
Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>,
Stefan Eichenberger <stefan.eichenberger@...adex.com>,
Thomas Gleixner <tglx@...utronix.de>, Pawel Laszczak <pawell@...ence.com>,
Ma Ke <make_ruc2021@....com>, Jeff Johnson <jeff.johnson@....qualcomm.com>,
Luc Bonnafoux <luc.bonnafoux@....gouv.fr>,
Luc Bonnafoux <luc.bonnafoux@....cyber.gouv.fr>,
Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>,
linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: [RFC PATCH 2/4] usb: core: Introduce usb authentication feature
From: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
This includes the usb authentication protocol implementation bulk
exposed by the public usb_authenticate_device function.
The protocol exchange is driven by the host and can be decomposed into
three, mostly independent, phases:
- The Host can request a digest of each certificate own by the
peripheral.
- If the Host does not recognize the peripheral from one of its digests,
it can read one or more certificates from the device until a valid one
is found.
- The Host can issue an authentication challenge to the peripheral.
The usb_authenticate_device function implements the usb authentication
protocol.
It implements the three phases of the protocol :
First, it needs to communicate with the usb device in order to fetch its
certificate digests (usb_authent_req_digest).
Then if the device is unknown, the host fetches the device certificate
chains (usb_authent_read_cert_part, usb_authent_read_certificate).
Once at least a digest has been recognized or a certificate chain has
been validated the host challenges the device in order to authenticate
it (usb_authent_challenge_dev).
It also needs to communicate with a policy engine using the following
functions :
usb_policy_engine_check_digest
usb_policy_engine_check_cert_chain
usb_policy_engine_generate_challenge
usb_policy_engine_check_challenge
Co-developed-by: Luc Bonnafoux <luc.bonnafoux@....gouv.fr>
Signed-off-by: Luc Bonnafoux <luc.bonnafoux@....gouv.fr>
Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
---
drivers/usb/core/authent.c | 631 +++++++++++++++++++++++++++++++++++++++++++++
drivers/usb/core/authent.h | 166 ++++++++++++
2 files changed, 797 insertions(+)
diff --git a/drivers/usb/core/authent.c b/drivers/usb/core/authent.c
new file mode 100644
index 0000000000000000000000000000000000000000..46f048d45a909e0fef504d71072eb7854320d271
--- /dev/null
+++ b/drivers/usb/core/authent.c
@@ -0,0 +1,631 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * SPDX-FileCopyrightText: (C) 2025 ANSSI
+ *
+ * USB Authentication protocol implementation
+ *
+ * Author: Luc Bonnafoux <luc.bonnafoux@....gouv.fr>
+ * Author: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
+ *
+ */
+
+#include <linux/types.h>
+#include <linux/usb.h>
+#include <linux/usb/ch9.h>
+#include <linux/usb/hcd.h>
+#include <linux/usb/quirks.h>
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <linux/device.h>
+#include <linux/delay.h>
+#include <asm/byteorder.h>
+
+#include "authent_netlink.h"
+
+#include "authent.h"
+
+/**
+ * usb_authent_req_digest - Check if device is known via its digest
+ * @dev: [in] pointer to the usb device to query
+ * @buffer: [inout] buffer to hold request data
+ * @digest: [out] device digest
+ *
+ * Context: task context, might sleep.
+ *
+ * This function sends a digest request to the usb device.
+ *
+ * Possible errors:
+ * - ECOMM : failed to send or received a message to the device
+ * - EINVAL : if buffer or mask is NULL
+ *
+ * Return: If successful, zero. Otherwise, a negative error number.
+ */
+static int usb_authent_req_digest(struct usb_device *dev, uint8_t *const buffer,
+ uint8_t digest[256], uint8_t *mask)
+{
+ int ret = 0;
+ struct usb_authent_digest_resp *digest_resp = NULL;
+
+ if (unlikely((buffer == NULL || mask == NULL))) {
+ pr_err("invalid arguments\n");
+ return -EINVAL;
+ }
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), AUTH_IN, USB_DIR_IN,
+ (USB_SECURITY_PROTOCOL_VERSION << 8) +
+ USB_AUTHENT_DIGEST_REQ_TYPE,
+ 0, buffer, 260, USB_CTRL_GET_TIMEOUT);
+ if (ret < 0) {
+ pr_err("Failed to get digest: %d\n", ret);
+ ret = -ECOMM;
+ goto exit;
+ }
+
+ // Parse received digest response
+ digest_resp = (struct usb_authent_digest_resp *)buffer;
+ pr_notice("received digest response:\n");
+ pr_notice(" protocolVersion: %x\n", digest_resp->protocolVersion);
+ pr_notice(" messageType: %x\n", digest_resp->messageType);
+ pr_notice(" capability: %x\n", digest_resp->capability);
+ pr_notice(" slotMask: %x\n", digest_resp->slotMask);
+
+ *mask = digest_resp->slotMask;
+ memcpy(digest, digest_resp->digests, 256);
+
+ ret = 0;
+
+exit:
+
+ return ret;
+}
+
+struct usb_auth_cert_req {
+ uint16_t offset;
+ uint16_t length;
+} __packed;
+
+/**
+ * @brief Request a specific part of a certificate chain from the device
+ *
+ * Context: task context, might sleep
+ *
+ * Possible errors:
+ * - ECOMM : failed to send or receive a message to the device
+ * - EINVAL : if buffer or cert_part is NULL
+ *
+ * @param [in] dev : handle to the USB device
+ * @param [in,out] buffer : buffer used for communication, caller allocated
+ * @param [in] slot : slot in which to read the certificate
+ * @param [in] offset : at which the certificate fragment must be read
+ * @param [in] length : of the certificate fragment to read
+ * @param [out] cert_part : buffer to hold the fragment, caller allocated
+ *
+ * @return 0 on SUCCESS else an error code
+ */
+static int usb_auth_read_cert_part(struct usb_device *dev, uint8_t *const buffer,
+ const uint8_t slot, const uint16_t offset,
+ const uint16_t length, uint8_t *cert_part)
+{
+ struct usb_auth_cert_req cert_req = { 0 };
+ int ret = -1;
+
+ if (unlikely(buffer == NULL || cert_part == NULL)) {
+ pr_err("invalid argument\n");
+ return -EINVAL;
+ }
+
+ cert_req.offset = offset;
+ cert_req.length = length;
+
+ // AUTH OUT request transfer
+ memcpy(buffer, &cert_req, sizeof(struct usb_auth_cert_req));
+ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), AUTH_OUT,
+ USB_DIR_OUT,
+ (USB_SECURITY_PROTOCOL_VERSION << 8) +
+ USB_AUTHENT_CERTIFICATE_REQ_TYPE,
+ (slot << 8), buffer,
+ sizeof(struct usb_auth_cert_req),
+ USB_CTRL_GET_TIMEOUT);
+ if (ret < 0) {
+ pr_err("Failed to send certificate request: %d\n", ret);
+ ret = -ECOMM;
+ goto cleanup;
+ }
+
+ // AUTH IN certificate read
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), AUTH_IN, USB_DIR_IN,
+ (USB_SECURITY_PROTOCOL_VERSION << 8) +
+ USB_AUTHENT_CERTIFICATE_RESP_TYPE,
+ (slot << 8), buffer, length + 4,
+ USB_CTRL_GET_TIMEOUT);
+ if (ret < 0) {
+ pr_notice("Failed to get certificate from peripheral: %d\n", ret);
+ ret = -ECOMM;
+ goto cleanup;
+ }
+
+ // TODO: parse received header
+ memcpy(cert_part, buffer + 4, length);
+
+ ret = 0;
+
+cleanup:
+
+ return ret;
+}
+
+/**
+ * usb_authent_read_certificate - Read a device certificate
+ * @dev: [in] pointer to the usb device to query
+ * @buffer: [inout] buffer to hold request data, caller allocated
+ * @slot: [in] certificate chain to be read
+ * @cert_der: [out] buffer to hold received certificate chain
+ * @cert_len: [out] length of received certificate
+ *
+ * Context: task context, might sleep.
+ *
+ * Possible errors:
+ * - EINVAL : NULL pointer or invalid slot value
+ * - ECOMM : failed to send request to device
+ * - ENOMEM : failed to allocate memory for certificate
+ *
+ * Return: If successful, zero. Otherwise, a negative error number.
+ */
+static int usb_authent_read_certificate(struct usb_device *dev, uint8_t *const buffer,
+ uint8_t slot, uint8_t **cert_der, size_t *cert_len)
+{
+ uint16_t read_offset = 0;
+ uint16_t read_length = 0;
+ uint8_t chain_part[64] = { 0 };
+
+ if (unlikely(slot >= 8 || buffer == NULL || cert_der == NULL || cert_len == NULL)) {
+ pr_err("invalid arguments\n");
+ return -EINVAL;
+ }
+
+ // First request to get certificate chain length
+ if (usb_auth_read_cert_part(dev, buffer, slot, 0,
+ USB_AUTH_CHAIN_HEADER_SIZE,
+ chain_part) != 0) {
+ pr_err("Failed to get first certificate part\n");
+ return -ECOMM;
+ }
+
+ // Extract total length
+ *cert_len = ((uint16_t *)chain_part)[0];
+ pr_notice("Received header of chain with length: %ld\n",
+ (*cert_len) + USB_AUTH_CHAIN_HEADER_SIZE);
+
+ // Allocate certificate DER buffer
+ *cert_der = kzalloc(*cert_len, GFP_KERNEL);
+ if (!(*cert_der))
+ return -ENOMEM;
+
+ // Write the chain header at the beginning of the chain.
+ memcpy(*cert_der, chain_part, USB_AUTH_CHAIN_HEADER_SIZE);
+ // Read the certificate chain starting after the header.
+ read_offset = USB_AUTH_CHAIN_HEADER_SIZE;
+
+ while (read_offset < *cert_len) {
+ read_length = (*cert_len - read_offset) >= 64 ? 64 : (*cert_len - read_offset);
+
+ if (usb_auth_read_cert_part(dev, buffer, slot, read_offset,
+ read_length, chain_part) != 0) {
+ pr_err("USB AUTH: Failed to get certificate part\n");
+ return -ECOMM;
+ }
+
+ memcpy(*cert_der + read_offset, chain_part, read_length);
+
+ read_offset += read_length;
+ }
+
+ return 0;
+}
+
+/**
+ * usb_authent_challenge_dev - Challenge a device
+ * @dev: [in] pointer to the usb device to query
+ * @buffer: [in] pointer to the buffer allocated for USB query
+ * @slot: [in] certificate chain to be used
+ * @slot_mask: [in] slot mask of the device
+ * @nonce: [in] nonce to use for the challenge, 32 bytes long
+ * @chall: [out] buffer for chall response, 204 bytes long, caller allocated
+ *
+ * Context: task context, might sleep.
+ *
+ * Possible errors:
+ * - EINVAL : NULL input pointer or invalid slot value
+ * - ECOMM : failed to send or receive message from the device
+ *
+ * Return: If successful, zero. Otherwise, a negative error number.
+ */
+static int usb_authent_challenge_dev(struct usb_device *dev, uint8_t *buffer,
+ const uint8_t slot, const uint8_t slot_mask, const uint8_t *const nonce,
+ uint8_t *const chall)
+{
+ int ret = -1;
+
+ if (unlikely(buffer == NULL || slot >= 8 || nonce == NULL)) {
+ pr_err("invalid arguments\n");
+ return -EINVAL;
+ }
+
+ // AUTH OUT challenge request transfer
+ memcpy(buffer, nonce, 32);
+ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), AUTH_OUT,
+ USB_DIR_OUT,
+ (USB_SECURITY_PROTOCOL_VERSION << 8) +
+ USB_AUTHENT_CHALLENGE_REQ_TYPE,
+ (slot << 8), buffer, 32, USB_CTRL_GET_TIMEOUT);
+ if (ret < 0) {
+ pr_err("Failed to send challenge request: %d\n", ret);
+ ret = -ECOMM;
+ goto cleanup;
+ }
+
+ // Complete the challenge with the request
+ chall[1] = USB_SECURITY_PROTOCOL_VERSION;
+ chall[0] = USB_AUTHENT_CHALLENGE_REQ_TYPE;
+ chall[2] = slot;
+ chall[3] = 0x00;
+ memcpy(chall+4, nonce, 32);
+
+ // AUTH IN challenge response transfer
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), AUTH_IN, USB_DIR_IN,
+ (USB_SECURITY_PROTOCOL_VERSION << 8) +
+ USB_AUTHENT_CHALLENGE_RESP_TYPE,
+ (slot << 8) + slot_mask, buffer, 168,
+ USB_CTRL_GET_TIMEOUT);
+ if (ret < 0) {
+ pr_err("Failed to get challenge response: %d\n", ret);
+ ret = -ECOMM;
+ goto cleanup;
+ }
+
+ pr_notice("received challenge response\n");
+
+ // Complete last part of the challenge with what is returned by the device
+ memcpy(chall+USB_AUTH_CHAIN_HEADER_SIZE, buffer, 168);
+
+ ret = 0;
+
+cleanup:
+
+ return ret;
+}
+
+/**
+ * @brief Create a device context according to USB Type-C Authentication Specification, chapter 5.5
+ * 1. Device Descriptor
+ * 2. Complete BOS Descriptor (if present)
+ * 3. Complete Configuration 1 Descriptor
+ * 4. Complete Configuration 2 Descriptor (if present)
+ * 5. ...
+ * 6. Complete Configuration n Descriptor (if present)
+ *
+ * Possible error codes:
+ * - EINVAL : invalid dev, ctx or size
+ *
+ * @param [in] dev : handle to the USB device
+ * @param [in, out] ctx : buffer to hold the device context, caller allocated
+ * @param [in] buf_size : available size in the context buffer
+ * @param [out] ctx_size : total size of the context if return equals 0
+ *
+ * @return 0 or error code
+ */
+static int usb_auth_create_dev_ctx(struct usb_device *dev, uint8_t *ctx,
+ const size_t buf_size, size_t *ctx_size)
+{
+ int desc_size = 0;
+
+ if (unlikely(dev == NULL || ctx == NULL)) {
+ pr_err("invalid inputs\n");
+ return -EINVAL;
+ }
+
+ *ctx_size = 0;
+
+ // Device descriptor
+ if (buf_size < (size_t)dev->descriptor.bLength) {
+ pr_err("buffer too small\n");
+ return -EINVAL;
+ }
+
+ memcpy(ctx, (void *) &dev->descriptor, (size_t) dev->descriptor.bLength);
+
+ *ctx_size += (size_t) dev->descriptor.bLength;
+
+ // Device BOS and capabilities
+ if (unlikely(dev->bos == NULL || dev->bos->desc == NULL)) {
+ pr_err("invalid BOS\n");
+ return -EINVAL;
+ }
+
+ desc_size = le16_to_cpu(dev->bos->desc->wTotalLength);
+
+ if (buf_size < (*ctx_size + desc_size)) {
+ pr_err("buffer too small\n");
+ return -EINVAL;
+ }
+
+ memcpy(ctx + (*ctx_size), (void *) dev->bos->desc, desc_size);
+
+ *ctx_size += desc_size;
+
+ // Device configuration descriptor
+ if (unlikely(dev->config == NULL)) {
+ pr_err("invalid configuration\n");
+ return -EINVAL;
+ }
+
+ desc_size = le16_to_cpu(dev->config->desc.wTotalLength);
+
+ if (buf_size < (*ctx_size + desc_size)) {
+ pr_err("buffer too small\n");
+ return -EINVAL;
+ }
+
+ memcpy(ctx + (*ctx_size), (void *) &dev->config->desc, 9);
+
+ *ctx_size += 9;
+
+ return 0;
+}
+
+/**
+ * @brief Check that the authentication can resume after a sleep
+ *
+ * @param [in] dev : the usb device
+ * @param [in] hub : the parent hub
+ *
+ * Possible error codes:
+ * - ENODEV : hub has been disconnected
+ *
+ * @return 0 if possible to resume, else an error code
+ */
+static int usb_auth_try_resume(struct usb_device *dev, struct usb_device *hub)
+{
+ // Test if the hub or the device has been disconnected
+ if (unlikely(hub == NULL || dev == NULL ||
+ dev->port_is_suspended == 1 ||
+ dev->reset_in_progress == 1)) {
+ return -ENODEV;
+ }
+
+ // TODO: test if the device has not been disconnected
+ // TODO: test if the device has not been disconnected then replaced with another one
+
+ return 0;
+}
+
+/**
+ * usb_authenticate_device - Challenge a device
+ * @dev: [inout] pointer to device
+ *
+ * Context: task context, might sleep.
+ *
+ * Authentication is done in the following steps:
+ * 1. Get device certificates digest to determine if it is already known
+ * if yes, go to 3.
+ * 2. Get device certificates
+ * 3. Challenge device
+ * 4. Based on previous result, determine if device is allowed under local
+ * security policy.
+ *
+ * Possible error code:
+ * - ENOMEM : failed to allocate memory for exchange
+ * - TODO: complete all possible error case
+ *
+ * Return: If successful, zero. Otherwise, a negative error number.
+ */
+int usb_authenticate_device(struct usb_device *dev)
+{
+ int ret = 0;
+
+ uint8_t is_valid = 0;
+ uint8_t is_known = 0;
+ uint8_t is_blocked = 0;
+ uint8_t chain_nb = 0;
+ uint8_t slot_mask = 0;
+ uint8_t slot = 0;
+ uint8_t digests[256] = { 0 };
+ uint8_t nonce[32] = {0};
+ uint8_t chall[204] = {0};
+ uint32_t dev_id = 0;
+ size_t ctx_size = 0;
+ int i = 0;
+
+ uint8_t *cert_der = NULL;
+ size_t cert_len = 0;
+
+ if (unlikely(dev == NULL || dev->parent == NULL))
+ return -ENODEV;
+
+ struct usb_device *hub = dev->parent;
+
+ // By default set authorization status at false
+ dev->authorized = 0;
+ dev->authenticated = 0;
+
+ uint8_t *buffer = NULL;
+ // Buffer to hold responses
+ buffer = kzalloc(512, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
+ pr_notice("start of device authentication\n");
+
+ /*
+ * Send DIGEST request to determine if it is a known device
+ */
+ ret = usb_authent_req_digest(dev, buffer, digests, &slot_mask);
+ if (ret != 0) {
+ pr_err("failed to get digest: %d\n", ret);
+ goto cleanup;
+ }
+ pr_notice("received digest\n");
+
+ usb_unlock_device(hub);
+ ret = usb_policy_engine_check_digest(dev->route, digests, slot_mask,
+ &is_known, &is_blocked, &dev_id);
+ if (ret != 0) {
+ pr_err("failed to check digest: %d\n", ret);
+ usb_lock_device(hub);
+ goto cleanup;
+ }
+ pr_info("waking up\n");
+ usb_lock_device(hub);
+ ret = usb_auth_try_resume(dev, hub);
+ if (unlikely(ret != 0)) {
+ pr_err("failed to resume: %d\n", ret);
+ goto cleanup;
+ }
+
+ pr_info("resuming\n");
+
+ /*
+ * If the device is already known and blocked, reject it
+ */
+ if (is_known && is_blocked) {
+ ret = 0;
+ goto cleanup;
+ }
+
+ /*
+ * If device is not already known try to obtain a valid certificate
+ * Iterate over every device certificate slots, it gets them one by one
+ * in order to avoid spamming the device.
+ */
+ if (!is_known) {
+ // Iterate over slot containing a certificate until a valid one is found
+ for (i = 0; i < 8; i++) {
+ // Test if slot contains a certificate chain
+ if (1 == ((slot_mask >> i) & 1)) {
+ ret = usb_authent_read_certificate(dev, buffer,
+ chain_nb,
+ &cert_der,
+ &cert_len);
+ if (ret != 0) {
+ // Failed to read device certificate, abort authentication
+ // Apply security policy on failed device
+ goto cleanup;
+ }
+ pr_notice("received certificate\n");
+
+ // validate the certificate
+ usb_unlock_device(hub);
+ ret = usb_policy_engine_check_cert_chain(
+ dev->route, digests + i * 32, cert_der,
+ cert_len, &is_valid, &is_blocked,
+ &dev_id);
+ if (ret != 0) {
+ pr_err("failed to validate certificate: %d\n", ret);
+ usb_lock_device(hub);
+ goto cleanup;
+ }
+ pr_notice("validated certificate\n");
+ usb_lock_device(hub);
+
+ ret = usb_auth_try_resume(dev, hub);
+ if (unlikely(ret != 0)) {
+ pr_err("failed to resume: %d\n", ret);
+ goto cleanup;
+ }
+
+ pr_info("resuming\n");
+
+ if (is_valid && !is_blocked) {
+ // Found a valid and authorized certificate,
+ // continue with challenge
+ slot = i;
+ break;
+ } else if (is_valid && is_blocked) {
+ // Found a valid and unauthorized certificate,
+ // reject device
+ ret = 0;
+ goto cleanup;
+ }
+ }
+ }
+ } else {
+ // Pick a slot among the valid ones, take first one
+ for (i = 0; i < 8; i++) {
+ if (1 == ((is_known >> i) & 1)) {
+ slot = i;
+ break;
+ }
+ }
+ }
+
+ /*
+ * Authenticate the device with a challenge request
+ */
+ // Obtain a nonce for the challenge
+ usb_unlock_device(hub);
+ ret = usb_policy_engine_generate_challenge(dev_id, nonce);
+ if (ret != 0) {
+ pr_err("failed to generate challenge: %d\n", ret);
+ usb_lock_device(hub);
+ goto cleanup;
+ }
+ pr_notice("generated challenge\n");
+ usb_lock_device(hub);
+
+ ret = usb_auth_try_resume(dev, hub);
+ if (unlikely(ret != 0)) {
+ pr_err("failed to resume: %d\n", ret);
+ goto cleanup;
+ }
+
+ pr_info("resuming\n");
+
+ // Send a challenge request
+ ret = usb_authent_challenge_dev(dev, buffer, slot, slot_mask, nonce,
+ chall);
+ if (ret != 0) {
+ pr_err("failed to challenge device: %d\n", ret);
+ goto cleanup;
+ }
+ pr_notice("validated challenge\n");
+
+ // Create device context
+ ret = usb_auth_create_dev_ctx(dev, buffer, 512, &ctx_size);
+ if (ret != 0) {
+ pr_err("failed to create context: %d\n", ret);
+ goto cleanup;
+ }
+
+ // Validate the challenge
+ usb_unlock_device(hub);
+ ret = usb_policy_engine_check_challenge(dev_id, chall, buffer, ctx_size,
+ &is_valid);
+ if (ret != 0) {
+ pr_err("failed to check challenge: %d\n", ret);
+ usb_lock_device(hub);
+ goto cleanup;
+ }
+ pr_notice("checked challenge\n");
+ usb_lock_device(hub);
+
+ ret = usb_auth_try_resume(dev, hub);
+ if (unlikely(ret != 0)) {
+ pr_err("failed to resume: %d\n", ret);
+ goto cleanup;
+ }
+
+ pr_info("resuming\n");
+
+ // Apply authorization decision
+ if (is_valid) {
+ dev->authorized = 1;
+ dev->authenticated = 1;
+ }
+
+ ret = 0;
+
+cleanup:
+ kfree(buffer);
+ kfree(cert_der);
+
+ return 0;
+}
diff --git a/drivers/usb/core/authent.h b/drivers/usb/core/authent.h
new file mode 100644
index 0000000000000000000000000000000000000000..c3852636dbcea9150ed1663769e2a7b6348f528c
--- /dev/null
+++ b/drivers/usb/core/authent.h
@@ -0,0 +1,166 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * SPDX-FileCopyrightText: (C) 2025 ANSSI
+ *
+ * USB Authentication protocol definition
+ *
+ * Author: Luc Bonnafoux <luc.bonnafoux@....gouv.fr>
+ * Author: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
+ *
+ */
+
+#ifndef __USB_CORE_AUTHENT_H_
+#define __USB_CORE_AUTHENT_H_
+
+#include <linux/types.h>
+#include <linux/usb.h>
+#include <linux/usb/ch11.h>
+#include <linux/usb/hcd.h>
+
+/* From USB Type-C Authentication spec, Table 5-2 */
+#define USB_AUTHENT_CAP_TYPE 0x0e
+
+/* From USB Security Foundation spec, Table 5-2 */
+#define USB_SECURITY_PROTOCOL_VERSION 0x10
+
+#define AUTH_IN 0x18
+#define AUTH_OUT 0x19
+
+/* USB_DT_AUTHENTICATION_CAP */
+struct usb_authent_cap_descriptor {
+ __u8 bLength;
+ __u8 bDescriptorType;
+ __u8 bDevCapabilityType; /* Shall be set to USB_AUTHENT_CAP_TYPE */
+ /*
+ * bit 0: set to 1 if firmware can be updated
+ * bit 1: set to 1 to indicate the Device changes interface when updated
+ * bits 2-7: reserved, set to 0
+ */
+ __u8 bmAttributes;
+ __u8 bcdProtocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 bcdCapability; /* Set to 0x01 */
+
+} __packed;
+
+/* Certificate chain header, Table 3-1 */
+struct usb_cert_chain_hd {
+ __u16 length; /* Chain total length including header, little endian */
+ __u16 reserved; /* Shall be set to zero */
+ __u8 rootHash[32]; /* Hash of root certificate, big endian */
+} __packed;
+
+/* From USB Security Foundation spec, Table 5-3 and Table 5-9 */
+#define USB_AUTHENT_DIGEST_RESP_TYPE 0x01
+#define USB_AUTHENT_CERTIFICATE_RESP_TYPE 0x02
+#define USB_AUTHENT_CHALLENGE_RESP_TYPE 0x03
+#define USB_AUTHENT_ERROR_TYPE 0x7f
+#define USB_AUTHENT_DIGEST_REQ_TYPE 0x81
+#define USB_AUTHENT_CERTIFICATE_REQ_TYPE 0x82
+#define USB_AUTHENT_CHALLENGE_REQ_TYPE 0x83
+
+#define USB_AUTH_DIGEST_SIZE 32
+#define USB_AUTH_CHALL_SIZE 32
+
+#define USB_AUTH_CHAIN_HEADER_SIZE 36
+
+/* USB Authentication GET_DIGEST Request Header */
+struct usb_authent_digest_req_hd {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_DIGEST_REQ_TYPE */
+ __u8 param1; /* Reserved */
+ __u8 param2; /* Reserved */
+} __packed;
+
+/* USB Authentication GET_CERTIFICATE Request Header */
+struct usb_authent_certificate_req_hd {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_CERTIFICATE_REQ_TYPE */
+ __u8 certChainSlotNumber; /* Must be between 0 and 7 inclusive */
+ __u8 param2; /* Reserved */
+} __packed;
+
+/* USB Authentication GET_CERTIFICATE Request */
+struct usb_authent_certificate_req {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_CERTIFICATE_REQ_TYPE */
+ __u8 certChainSlotNumber; /* Must be between 0 and 7 inclusive */
+ __u8 param2; /* Reserved */
+ __u16 offset; /* Read index of Certificate Chain in bytes and little endian*/
+ __u16 length; /* Length of read request, little endian */
+} __packed;
+
+/* USB Authentication CHALLENGE Request Header */
+struct usb_authent_challenge_req_hd {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_CHALLENGE_REQ_TYPE */
+ __u8 certChainSlotNumber; /* Must be between 0 and 7 inclusive */
+ __u8 param2; /* Reserved */
+} __packed;
+
+/* USB Authentication CHALLENGE Request Header */
+struct usb_authent_challenge_req {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_CHALLENGE_REQ_TYPE */
+ __u8 certChainSlotNumber; /* Must be between 0 and 7 inclusive */
+ __u8 param2; /* Reserved */
+ __u32 nonce; /* Random Nonce chosen for the challenge */
+} __packed;
+
+/* USB Authentication DIGEST response Header */
+struct usb_authent_digest_resp {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_DIGEST_RESP_TYPE */
+ __u8 capability; /* Shall be set to 0x01 */
+ __u8 slotMask; /* Bit set to 1 if slot is set, indicates number of digests */
+ __u8 digests[8][32]; /* List of digests */
+} __packed;
+
+/* USB Authentication CERTIFICATE response Header */
+struct usb_authent_certificate_resp_hd {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_CERTIFICATE_RESP_TYPE */
+ __u8 slotNumber; /* Slot number of certificate chain returned */
+ __u8 param2; /* Reserved */
+} __packed;
+
+/* USB Authentication CHALLENGE response Header */
+struct usb_authent_challenge_resp_hd {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_CHALLENGE_RESP_TYPE */
+ __u8 slotNumber; /* Slot number of certificate chain returned */
+ __u8 slotMask; /* Bit set to 1 if slot is set */
+} __packed;
+
+/* USB Authentication CHALLENGE response */
+struct usb_authent_challenge_resp {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_CHALLENGE_RESP_TYPE */
+ __u8 slotNumber; /* Slot number of certificate chain returned */
+ __u8 slotMask; /* Bit set to 1 if slot is set */
+ __u8 minProtocolVersion;
+ __u8 maxProtocolVersion;
+ __u8 capabilities; /* Shall be set to 0x01 */
+ __u8 orgName; /* Organisation Name, USB-IF: 0 */
+ __u32 certChainHash; /* SHA256 digest of certificate chain, big endian */
+ __u32 salt; /* Chosen by responder */
+ __u32 contextHash; /* SHA256 digest of product information, big endian */
+ __u64 signature; /* ECDSA signature of request and response */
+} __packed;
+
+/* USB Authentication error codes, Foundation Table 5-18 */
+#define USB_AUTHENT_INVALID_REQUEST_ERROR 0x01
+#define USB_AUTHENT_UNSUPPORTED_PROTOCOL_ERROR 0x02
+#define USB_AUTHENT_BUSY_ERROR 0x03
+#define USB_AUTHENT_UNSPECIFIED_ERROR 0x04
+
+/* USB Authentication response header */
+struct usb_authent_error_resp_hd {
+ __u8 protocolVersion; /* Shall be set to USB_SECURITY_PROTOCOL_VERSION */
+ __u8 messageType; /* Shall be set to USB_AUTHENT_ERROR_TYPE */
+ __u8 errorCode;
+ __u8 errorData;
+} __packed;
+
+int usb_authenticate_device(struct usb_device *dev);
+
+#endif /* __USB_CORE_AUTHENT_H_ */
--
2.50.0
Powered by blists - more mailing lists