Re: [RFC PATCH 3/4] usb: core: Plug the usb authentication capability

From: Alan Stern
Date: Mon Jun 30 2025 - 14:05:45 EST


On Mon, Jun 30, 2025 at 01:20:27PM +0200, Nicolas Bouchinet wrote:
> We moved the `usb_authenticate_dev()` call in `usb_new_device()` in order to
> perform the authentication only once the device configuration is complete.

usb_new_device() does device initialization, not device configuration.
The default configuration is selected by usb_choose_configuration(), but
the config can be changed at any time by the user (via sysfs or usbfs).

> Also
> we think we need to split the problem of handling the authentication vs
> authorization in two parts.
>
> - which component has authority to set the two fields ?
> - where/how is it enforced ?
>
> To answer the first question :
>
> - We think that the authenticated field can only be set by the
> `usb_authenticate_dev()` function.
>
> - it is less clear for the authorized status which is already manipulated by
> the sysfs (usbguard) and the default hcd policy.
>
> The reconciliation between the two fields could be done at the enforcement
> point. In `usb_probe_interface()`, instead of simply checking the authorized
> flag, it could check a more complex policy. For example:
>
> +-------------------+----------------------------------------+----------------+
> |                   | authorized                             | not authorized |
> +-------------------+----------------------------------------+----------------+
> | authenticated     | OK                                     | NOK            |
> +-------------------+----------------------------------------+----------------+
> | not authenticated | Depends on tolerance in local security |                |
> |                   | policy (set by cmdline or sysctl)      | NOK            |
> +-------------------+----------------------------------------+----------------+
>
>
> This way it would also help to handle internal devices. When
> `hcd->dev_policy` is set to USB_DEVICE_AUTHORIZE_INTERNAL, only internal
> devices are authorized by default on connection. So external devices will
> have to be authenticated and then authorized via the sysfs. Internal devices
> will be authorized and not authenticated.

Okay, that seems like a reasonable approach.

Alan Stern
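A userspace model of the policy table quoted above, combined with the hcd default authorization policy, as an added example; this is not code from the thread or from the kernel patch series. The `model_*` enum, struct and functions are assumptions that only mirror the kernel's USB_DEVICE_AUTHORIZE_{NONE,ALL,INTERNAL} values and the two per-device fields discussed, so the decision logic can be run and checked stand-alone:

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of hcd->dev_policy. The values mirror the kernel's
 * USB_DEVICE_AUTHORIZE_{NONE,ALL,INTERNAL} policy, but this is a standalone
 * userspace illustration, not kernel code. */
enum model_dev_policy {
	MODEL_AUTHORIZE_NONE,     /* nothing authorized on connection */
	MODEL_AUTHORIZE_ALL,      /* everything authorized on connection */
	MODEL_AUTHORIZE_INTERNAL, /* only internal (non-removable) devices */
};

/* Constructed stand-in for the two per-device fields in the table. */
struct model_dev {
	bool removable;     /* true for an external device */
	bool authorized;    /* default from hcd policy, later changeable via sysfs */
	bool authenticated; /* set only by the authentication step */
};

/* Default value of the authorized field at connection time. */
bool model_default_authorized(enum model_dev_policy policy, bool removable)
{
	switch (policy) {
	case MODEL_AUTHORIZE_ALL:
		return true;
	case MODEL_AUTHORIZE_INTERNAL:
		return !removable;
	case MODEL_AUTHORIZE_NONE:
	default:
		return false;
	}
}

/*
 * The enforcement point: the decision usb_probe_interface() would take under
 * the quoted table. `tolerate_unauthenticated` stands for the local security
 * policy knob (cmdline or sysctl) that decides the bottom-left cell.
 */
bool model_probe_allowed(const struct model_dev *dev, bool tolerate_unauthenticated)
{
	if (!dev->authorized)
		return false;                 /* right column: NOK either way */
	if (dev->authenticated)
		return true;                  /* top-left cell: OK */
	return tolerate_unauthenticated;  /* bottom-left cell: policy dependent */
}

/* Walk the table for an internal and an external device under the
 * INTERNAL default policy with a strict local policy. */
int main(void)
{
	const bool tolerate = false; /* strict: unauthenticated devices do not bind */
	struct model_dev devs[2] = {
		{ .removable = false }, /* internal device */
		{ .removable = true },  /* external device */
	};

	for (int i = 0; i < 2; i++) {
		struct model_dev *d = &devs[i];
		d->authorized = model_default_authorized(MODEL_AUTHORIZE_INTERNAL, d->removable);
		printf("%s device: authorized=%d authenticated=%d -> probe %s\n",
		       d->removable ? "external" : "internal",
		       d->authorized, d->authenticated,
		       model_probe_allowed(d, tolerate) ? "OK" : "NOK");
	}

	/* External device after authentication and a sysfs authorize. */
	devs[1].authenticated = true;
	devs[1].authorized = true;
	printf("external device after auth+authorize -> probe %s\n",
	       model_probe_allowed(&devs[1], tolerate) ? "OK" : "NOK");
	return 0;
}
```

Running the model shows the interaction the quoted text points at: with USB_DEVICE_AUTHORIZE_INTERNAL an internal device starts out authorized but not authenticated, so whether it binds is decided entirely by the tolerance knob, and a strict setting blocks it unless it also gets authenticated; an external device starts out not authorized and stays NOK regardless of authentication until it is authorized via sysfs.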