From: Greg KH <gregkh@linuxfoundation.org>
To: Allen Webb <allenwebb@google.com>
Cc: "linux-modules@vger.kernel.org" <linux-modules@vger.kernel.org>,
	"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	mcgrof@kernel.org, christophe.leroy@csgroup.eu,
	nick.alcock@oracle.com
Subject: Re: [PATCH v10 11/11] Documentation: add USB authorization document to driver-api
Date: Thu, 20 Apr 2023 11:51:32 +0200
Message-ID: <ZEELJP_shBUF8tbu@kroah.com>
In-Reply-To: <20230406190030.968972-12-allenwebb@google.com>

On Thu, Apr 06, 2023 at 02:00:30PM -0500, Allen Webb wrote:
> There is a user-facing USB authorization document, but it is midding
> details a driver should have developer, so add them in a new document.

I'm sorry, but I can not parse this sentence :(

Can you rephrase it?

> Signed-off-by: Allen Webb <allenwebb@google.com>
> ---
>  .../driver-api/usb/authorization.rst          | 71 +++++++++++++++++++
>  Documentation/driver-api/usb/index.rst        |  1 +
>  2 files changed, 72 insertions(+)
>  create mode 100644 Documentation/driver-api/usb/authorization.rst
> 
> diff --git a/Documentation/driver-api/usb/authorization.rst b/Documentation/driver-api/usb/authorization.rst
> new file mode 100644
> index 000000000000..383dcc037a15
> --- /dev/null
> +++ b/Documentation/driver-api/usb/authorization.rst
> @@ -0,0 +1,71 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +====================
> +Device Authorization
> +====================
> +
> +This document is intended for driver developers. See
> +Documentation/usb/authorization.rst if you are looking for how to use
> +USB authorization.
> +
> +Authorization provides userspace a way to allow or block configuring
> +devices early during enumeration before any modules are probed for the
> +device. While it is possible to block a device by not loading the
> +required modules, this also prevents other devices from using the
> +module as well. For example someone might have an unattended computer
> +downloading installation media to a USB drive. Presumably this computer
> +would be locked to make it more difficult for a bad actor to access the
> +computer. Since USB storage devices are not needed to interact with the
> +lock screen, the authorized_default sysfs attribute can be set to not
> +authorize new USB devices by default. A userspace tool like USBGuard
> +can then vet the devices. Mice, keyboards, etc can be allowed by
> +writing to their authorized sysfs attribute so that the lock screen can
> +still be used (this important in cases like suspend+resume or docks)
> +while other devices can be blocked as long as the lock screen is shown.
> +
> +Sysfs Attributes
> +================
> +
> +Userspace can control USB device authorization through the
> +authorized_default and authorized sysfs attributes.
> +
> +authorized_default
> +------------------
> +
> +Defined in ``drivers/usb/core/hcd.c``
> +
> +The authorized_default sysfs attribute is only present for host
> +controllers. It determines the initial state of the authorized sysfs
> +attribute of USB devices newly connected to the corresponding host
> +controller. It can take on the following values:
> +
> ++---------------------------------------------------+
> +| Value | Behavior                                  |
> ++=======+===========================================+
> +|    -1 | Authorize all devices except wireless USB |
> ++-------+-------------------------------------------+
> +|     0 | Do not authorize new devices              |
> ++-------+-------------------------------------------+
> +|     1 | Authorize new devices                     |
> ++-------+-------------------------------------------+
> +|     2 | Authorize new internal devices only       |
> ++---------------------------------------------------+
> +
> +Note that firmware platform code determines if a device is internal or
> +not and this is reported as the connect_type sysfs attribute of the USB
> +port. This is currently supported by ACPI, but device tree still needs
> +an implementation. Authorizing new internal devices only can be useful
> +to work around issues with devices that misbehave if there are delays
> +in probing their module.
> +
> +authorized
> +----------
> +
> +Defined in ``drivers/usb/core/sysfs.c``
> +
> +Every USB device has an authorized sysfs attribute which can take the
> +values 0 and 1. When authorized is 0, the device still is present in
> +sysfs, but none of its interfaces can be associated with drivers and
> +modules will not be probed. When authorized is 1 (or set to one) a
> +configuration is chosen for the device and its interfaces are
> +registered allowing drivers to bind to them.
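
Review bot: In the authorized_default value table, the top and bottom
border lines are one unbroken run of dashes
("+---------------------------------------------------+") while the
inner separators mark the column boundary
("+-------+-------------------------------------------+"), so the first
and last rows of the grid table do not line up as two columns; make the
outer borders match the inner separators. The same table lists -1
("Authorize all devices except wireless USB") next to 1 ("Authorize new
devices") without saying which value is the default, which is worth
stating because the introduction builds its lock-screen example on
changing that default. In the introduction, "(this important in cases
like suspend+resume or docks)" is missing "is".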

Why would a driver author care about any of this?  It's all user-facing,
so shouldn't it go into the other document?

thanks,

greg k-h
