Re: Filtering USB storage data in kernel module
On 11/18/2011 09:05 PM, Abhijit Pawar wrote: On 11/18/2011 08:16 PM, Greg KH wrote: On Fri, Nov 18, 2011 at 06:36:18PM +0530, Abhijit Pawar wrote: On 11/17/2011 08:19 PM, Greg KH wrote: On Thu, Nov 17, 2011 at 02:15:35PM +0530, Abhijit Pawar wrote: Hi All, I need to filter the data written/read to and from the USB storage disk. Why? I want to build a secure machine with data protection. I want to have a security around the machine where anyone can attach a usb disk and copy the data. but i want to make the copied data useless unless it has the trust relation with the host to which its connected. So if one has copied data from one secured machine and get that usb disk to other machine, he should see the encrypted garbage data. Interesting idea. What are you wanting to do at filter time? I want to encrypt the write data packets and decrypt the read data packets. Why just USB disks? What makes them special? They are the one which can be attached to the system easily. How are you going to determine if a disk is a USB device or not? You forgot to answer this question :) Yeah, I forgot that one. I am not very sure but if I can patch the USB core before it attaches the speficied class driver to the USB device. May be I can try and send some control request and get the class of the device. I think its not required as USB core itself will understand the class of the device and try to attach the proper driver. At this point of time, I will have some patch which will pass on the information to my module. I am not sure if there are any intercepting points or any functions / structures exported in the USB core stack. It seems that the Linux notification chain should give me information whenever a USB device is added. I need to register for a notification callback in my module. I have written a small module for this which uses the usb_register_notify() Here is the debug trace from kernel when I add my logitech mouse to the system. I get the device added notification. [30540.541134] usb 2-1.3: New USB device found, idVendor=046d, idProduct=c018 [30540.541143] usb 2-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [30540.541150] usb 2-1.3: Product: USB Optical Mouse [30540.541155] usb 2-1.3: Manufacturer: Logitech [30540.541162] device: '2-1.3': device_add [30540.541172] kobject: '2-1.3' (8800252b0898): kobject_add_internal: parent: '2-1', set: 'devices' [30540.549243] bus: 'usb': add device 2-1.3 [30540.549324] PM: Adding info for usb:2-1.3 [30540.549372] kobject: '2-1.3' (8800252b0898): kobject_uevent_env [30540.549384] kobject: '2-1.3' (8800252b0898): fill_kobj_path: path = '/devices/pci:00/:00:1d.0/usb2/2-1/2-1.3' [30540.549473] bus: 'usb': driver_probe_device: matched device 2-1.3 with driver usb [30540.549482] bus: 'usb': really_probe: probing driver usb with device 2-1.3 [30540.549512] usb 2-1.3: rpm_resume flags 0x4 [30540.549518] usb 2-1.3: rpm_resume returns 1 [30540.550214] device: '2-1.3:1.0': device_add [30540.550232] kobject: '2-1.3:1.0' (880100648040): kobject_add_internal: parent: '2-1.3', set: 'devices' [30540.550553] bus: 'usb': add device 2-1.3:1.0 [30540.550643] PM: Adding info for usb:2-1.3:1.0 [30540.550661] kobject: '2-1.3:1.0' (880100648040): kobject_uevent_env [30540.550678] kobject: '2-1.3:1.0' (880100648040): fill_kobj_path: path = '/devices/pci:00/:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0' [30540.550905] bus: 'usb': driver_probe_device: matched device 2-1.3:1.0 with driver usbserial_generic [30540.550923] bus: 'usb': really_probe: probing driver usbserial_generic with device 2-1.3:1.0 [30540.551178] usb 2-1.3: rpm_resume flags 0x4 [30540.551189] usb 2-1.3: rpm_resume returns 1 [30540.551458] bus: 'usb': driver_probe_device: matched device 2-1.3:1.0 with driver usbhid [30540.551473] bus: 'usb': really_probe: probing driver usbhid with device 2-1.3:1.0 [30540.551513] usb 2-1.3: rpm_resume flags 0x4 [30540.551523] usb 2-1.3: rpm_resume returns 1 [30540.552922] device: '0003:046D:C018.0002': device_add [30540.552939] kobject: '0003:046D:C018.0002' (88012b5b9898): kobject_add_internal: parent: '2-1.3:1.0', set: 'devices' [30540.552981] bus: 'hid': add device 0003:046D:C018.0002 [30540.553143] PM: Adding info for hid:0003:046D:C018.0002 [30540.553159] kobject: '0003:046D:C018.0002' (88012b5b9898): kobject_uevent_env [30540.553176] kobject: '0003:046D:C018.0002' (88012b5b9898): fill_kobj_path: path = '/devices/pci:00/:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/0003:046D:C018.0002' [30540.553352] bus: 'hid': driver_probe_device: matched device 0003:046D:C018.0002 with driver generic-usb [30540.553369] bus: 'hid': really_probe: probing driver generic-usb with device 0003:046D:C018.0002 [30540.555608] device: 'input17': device_add [30540.555628] kobject: 'input' (8800619af5a0): kobject_add_internal: parent: '2-1.3:1.0', set: '(null)' [30540.555677] kobject: 'input17'
Re: Filtering USB storage data in kernel module
On 11/17/2011 08:19 PM, Greg KH wrote: On Thu, Nov 17, 2011 at 02:15:35PM +0530, Abhijit Pawar wrote: Hi All, I need to filter the data written/read to and from the USB storage disk. Why? I want to build a secure machine with data protection. I want to have a security around the machine where anyone can attach a usb disk and copy the data. but i want to make the copied data useless unless it has the trust relation with the host to which its connected. So if one has copied data from one secured machine and get that usb disk to other machine, he should see the encrypted garbage data. What are you wanting to do at filter time? I want to encrypt the write data packets and decrypt the read data packets. Why just USB disks? What makes them special? They are the one which can be attached to the system easily. How are you going to determine if a disk is a USB device or not? Now the way USB is made known to OS is through SCSI and then respective filesystem ( mostly usbfs). Not really, usbfs is only one way, and it has nothing to do with usb disks. So is there any way I can intercept this stack and have my kernel module invoked so that I will get the data. Not easily. Even if its hard, can you please give details of how do I achieve this? I have been thinking on two approaches: 1. Use VFS and write a proxy filesystem for USB device which will filter the data. 2. checking SCSI and any intercepting point. Again, what are you trying to filter? That will determine where you make changes. thanks, greg k-h So what choice do I have now for this? ___ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Re: Filtering USB storage data in kernel module
On Fri, Nov 18, 2011 at 06:36:18PM +0530, Abhijit Pawar wrote: On 11/17/2011 08:19 PM, Greg KH wrote: On Thu, Nov 17, 2011 at 02:15:35PM +0530, Abhijit Pawar wrote: Hi All, I need to filter the data written/read to and from the USB storage disk. Why? I want to build a secure machine with data protection. I want to have a security around the machine where anyone can attach a usb disk and copy the data. but i want to make the copied data useless unless it has the trust relation with the host to which its connected. So if one has copied data from one secured machine and get that usb disk to other machine, he should see the encrypted garbage data. Interesting idea. What are you wanting to do at filter time? I want to encrypt the write data packets and decrypt the read data packets. Why just USB disks? What makes them special? They are the one which can be attached to the system easily. How are you going to determine if a disk is a USB device or not? You forgot to answer this question :) Now the way USB is made known to OS is through SCSI and then respective filesystem ( mostly usbfs). Not really, usbfs is only one way, and it has nothing to do with usb disks. So is there any way I can intercept this stack and have my kernel module invoked so that I will get the data. Not easily. Even if its hard, can you please give details of how do I achieve this? I have been thinking on two approaches: 1. Use VFS and write a proxy filesystem for USB device which will filter the data. 2. checking SCSI and any intercepting point. Again, what are you trying to filter? That will determine where you make changes. thanks, greg k-h So what choice do I have now for this? Lots of work, best of luck with this task, it will not be simple or easy. greg k-h ___ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Re: Filtering USB storage data in kernel module
On 11/18/2011 08:16 PM, Greg KH wrote: On Fri, Nov 18, 2011 at 06:36:18PM +0530, Abhijit Pawar wrote: On 11/17/2011 08:19 PM, Greg KH wrote: On Thu, Nov 17, 2011 at 02:15:35PM +0530, Abhijit Pawar wrote: Hi All, I need to filter the data written/read to and from the USB storage disk. Why? I want to build a secure machine with data protection. I want to have a security around the machine where anyone can attach a usb disk and copy the data. but i want to make the copied data useless unless it has the trust relation with the host to which its connected. So if one has copied data from one secured machine and get that usb disk to other machine, he should see the encrypted garbage data. Interesting idea. What are you wanting to do at filter time? I want to encrypt the write data packets and decrypt the read data packets. Why just USB disks? What makes them special? They are the one which can be attached to the system easily. How are you going to determine if a disk is a USB device or not? You forgot to answer this question :) Yeah, I forgot that one. I am not very sure but if I can patch the USB core before it attaches the speficied class driver to the USB device. May be I can try and send some control request and get the class of the device. I think its not required as USB core itself will understand the class of the device and try to attach the proper driver. At this point of time, I will have some patch which will pass on the information to my module. I am not sure if there are any intercepting points or any functions / structures exported in the USB core stack. Now the way USB is made known to OS is through SCSI and then respective filesystem ( mostly usbfs). Not really, usbfs is only one way, and it has nothing to do with usb disks. So is there any way I can intercept this stack and have my kernel module invoked so that I will get the data. Not easily. Even if its hard, can you please give details of how do I achieve this? I have been thinking on two approaches: 1. Use VFS and write a proxy filesystem for USB device which will filter the data. 2. checking SCSI and any intercepting point. Again, what are you trying to filter? That will determine where you make changes. thanks, greg k-h So what choice do I have now for this? Lots of work, best of luck with this task, it will not be simple or easy. greg k-h Thanks. Its not that simple. I need to check the sCSI family code as well as USB core. Also VFS may be involved. :( :) Regards, Abhijit Pawar ___ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Filtering USB storage data in kernel module
Hi All, I need to filter the data written/read to and from the USB storage disk. Now the way USB is made known to OS is through SCSI and then respective filesystem ( mostly usbfs). So is there any way I can intercept this stack and have my kernel module invoked so that I will get the data. I have been thinking on two approaches: 1. Use VFS and write a proxy filesystem for USB device which will filter the data. 2. checking SCSI and any intercepting point. I am currently looking at USBMONITOR source code as well. Please let me know if there is any other way to achieve this. Regards, Abhijit Pawar ___ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Re: Filtering USB storage data in kernel module
On Thu, Nov 17, 2011 at 02:15:35PM +0530, Abhijit Pawar wrote: Hi All, I need to filter the data written/read to and from the USB storage disk. Why? What are you wanting to do at filter time? Why just USB disks? What makes them special? How are you going to determine if a disk is a USB device or not? Now the way USB is made known to OS is through SCSI and then respective filesystem ( mostly usbfs). Not really, usbfs is only one way, and it has nothing to do with usb disks. So is there any way I can intercept this stack and have my kernel module invoked so that I will get the data. Not easily. I have been thinking on two approaches: 1. Use VFS and write a proxy filesystem for USB device which will filter the data. 2. checking SCSI and any intercepting point. Again, what are you trying to filter? That will determine where you make changes. thanks, greg k-h ___ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies