Message-ID: <892491bb-e7f4-4096-b502-f1bf2fd0fdec@rowland.harvard.edu>
Date: Mon, 30 Jun 2025 14:04:45 -0400
From: Alan Stern <stern@...land.harvard.edu>
To: Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Kannappan R <r.kannappan@...el.com>,
Sabyrzhan Tasbolatov <snovitoll@...il.com>,
Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>,
Stefan Eichenberger <stefan.eichenberger@...adex.com>,
Thomas Gleixner <tglx@...utronix.de>,
Pawel Laszczak <pawell@...ence.com>, Ma Ke <make_ruc2021@....com>,
Jeff Johnson <jeff.johnson@....qualcomm.com>,
Luc Bonnafoux <luc.bonnafoux@....gouv.fr>,
Luc Bonnafoux <luc.bonnafoux@....cyber.gouv.fr>,
Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>,
linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: [RFC PATCH 3/4] usb: core: Plug the usb authentication capability
On Mon, Jun 30, 2025 at 01:20:27PM +0200, Nicolas Bouchinet wrote:
> We moved the `usb_authenticate_dev()` call in `usb_new_device()` in order to
> perform the authentication only once the device configuration is complete.
usb_new_device() does device initialization, not device configuration.
The default configuration is selected by usb_choose_configuration(), but
the config can be changed at any time by the user (via sysfs or usbfs).
> Also we think we need to split the problem of handling the authentication vs
> authorization in two parts.
>
> - which component has authority to set the two fields?
> - where/how is it enforced?
>
> To answer the first question:
>
> - We think that the authenticated field can only be set by the
> `usb_authenticate_dev()` function.
>
> - It is less clear for the authorized status, which is already manipulated by
> the sysfs (usbguard) and the default hcd policy.
>
> The reconciliation between the two fields could be done at the enforcement
> point. In `usb_probe_interface()`, instead of simply checking the authorized
> flag, it could check a more complex policy. For example:
>
> +-------------------+-----------------------------------------+----------------+
> |                   | authorized                              | not authorized |
> +-------------------+-----------------------------------------+----------------+
> | authenticated     | OK                                      | NOK            |
> +-------------------+-----------------------------------------+----------------+
> | not authenticated | Depends on tolerance in local security  | NOK            |
> |                   | policy (set by cmdline or sysctl)       |                |
> +-------------------+-----------------------------------------+----------------+
>
> This way it would also help to handle internal devices. When
> `hcd->dev_policy` is set to USB_DEVICE_AUTHORIZE_INTERNAL, only internal
> devices are authorized by default on connection. So external devices will
> have to be authenticated and then authorized via the sysfs. Internal devices
> will be authorized and not authenticated.
Okay, that seems like a reasonable approach.
Alan Stern
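A userspace C model of the flow proposed in the quoted message (connect-time default authorization following hcd->dev_policy, then the authenticated/authorized decision table at the probe-time enforcement point), added here as an illustration; it is not code from the patch series or from the kernel. The tolerance enum, the model_dev struct and the helper names are assumptions; only the USB_DEVICE_AUTHORIZE_* policy values mirror real kernel names.

```c
/* Userspace model of the policy discussed in the thread; not kernel code. */
#include <stdbool.h>

/* Names mirror enum usb_dev_authorize_policy in include/linux/usb/hcd.h. */
enum dev_policy { AUTHORIZE_NONE, AUTHORIZE_ALL, AUTHORIZE_INTERNAL };

/* Assumed knob for "tolerance in local security policy" (cmdline/sysctl). */
enum tolerance { TOLERANCE_STRICT, TOLERANCE_PERMISSIVE };

struct model_dev {
	bool internal;      /* device sits on a non-removable (internal) port */
	bool authenticated; /* set only by the authentication step */
	bool authorized;    /* hcd default policy, later sysfs / usbguard */
};

/* Connect time: default authorization follows hcd->dev_policy. */
static void on_connect(struct model_dev *d, enum dev_policy p)
{
	d->authenticated = false;
	switch (p) {
	case AUTHORIZE_ALL:      d->authorized = true;        break;
	case AUTHORIZE_INTERNAL: d->authorized = d->internal; break;
	default:                 d->authorized = false;       break;
	}
}

/* Enforcement point (usb_probe_interface() in the thread): the decision table. */
static bool may_probe(const struct model_dev *d, enum tolerance t)
{
	if (!d->authorized)
		return false;                 /* "not authorized" column: NOK */
	if (d->authenticated)
		return true;                  /* authenticated + authorized: OK */
	return t == TOLERANCE_PERMISSIVE; /* depends on local security policy */
}

/* Whole flow: connect, authentication result, optional sysfs authorize, probe. */
bool model_flow(bool internal, enum dev_policy p, bool auth_ok,
		bool sysfs_authorize, enum tolerance t)
{
	struct model_dev d = { .internal = internal };

	on_connect(&d, p);
	d.authenticated = auth_ok;          /* outcome of the authentication step */
	if (sysfs_authorize)
		d.authorized = true;        /* admin writes 1 to the sysfs "authorized" file */
	return may_probe(&d, t);
}
```

With USB_DEVICE_AUTHORIZE_INTERNAL an internal device is authorized but never authenticated, so whether it probes is decided purely by the tolerance knob, while an external device needs both a successful authentication and an explicit sysfs authorization.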