Filtering USB storage data in kernel module

[apawar.linux@gmail.com (Abhijit Pawar)]

On 11/21/2011 07:25 PM, Abhijit Pawar wrote:
> On 11/18/2011 09:05 PM, Abhijit Pawar wrote:
>> On 11/18/2011 08:16 PM, Greg KH wrote:
>>> On Fri, Nov 18, 2011 at 06:36:18PM +0530, Abhijit Pawar wrote:
>>>> On 11/17/2011 08:19 PM, Greg KH wrote:
>>>>> On Thu, Nov 17, 2011 at 02:15:35PM +0530, Abhijit Pawar wrote:
>>>>>> Hi All,
>>>>>> I need to filter  the data written/read to and from the USB storage
>>>>>> disk.
>>>>> Why?
>>>> I want to build a secure machine with data protection. I want to
>>>> have a security around the machine where anyone can attach a usb
>>>> disk and copy the data. but i want to make the copied data useless
>>>> unless it has the trust relation with the host to which its
>>>> connected.
>>>> So if one has copied data from one secured machine and get that usb
>>>> disk to other machine, he should see the encrypted garbage data.
>>> Interesting idea.
>>>
>>>>> What are you wanting to do at "filter" time?
>>>> I want to encrypt the write data packets and decrypt the read data 
>>>> packets.
>>>>> Why just USB disks?  What makes them special?
>>>> They are the one which can be attached to the system easily.
>>>>> How are you going to determine if a disk is a USB device or not?
>>> You forgot to answer this question :)
>> Yeah, I forgot that one. I am not very sure but if I can patch the 
>> USB core before it attaches the speficied class driver to the USB 
>> device. May be I can try and send some control request and get the 
>> class of the device.  I think its not required as USB core itself 
>> will understand the class of the device and try to attach the proper 
>> driver. At this point of time, I will have some patch which will pass 
>> on the information to my module.
>> I am not sure if there are any intercepting points or any functions / 
>> structures exported in the USB core stack.
>
> It seems that the Linux notification chain should give me information 
> whenever a USB device is added. I need to register for a notification 
> callback in my module.
>
> I have written a small module for this which uses the 
> usb_register_notify()
>
> Here is the debug trace from kernel when I add my logitech mouse to 
> the system. I get the device added notification.
>
>
> [30540.541134] usb 2-1.3: New USB device found, idVendor=046d, 
> idProduct=c018
> [30540.541143] usb 2-1.3: New USB device strings: Mfr=1, Product=2, 
> SerialNumber=0
> [30540.541150] usb 2-1.3: Product: USB Optical Mouse
> [30540.541155] usb 2-1.3: Manufacturer: Logitech
> [30540.541162] device: '2-1.3': device_add
> [30540.541172] kobject: '2-1.3' (ffff8800252b0898): 
> kobject_add_internal: parent: '2-1', set: 'devices'
> [30540.549243] bus: 'usb': add device 2-1.3
> [30540.549324] PM: Adding info for usb:2-1.3
> [30540.549372] kobject: '2-1.3' (ffff8800252b0898): kobject_uevent_env
> [30540.549384] kobject: '2-1.3' (ffff8800252b0898): fill_kobj_path: 
> path = '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3'
> [30540.549473] bus: 'usb': driver_probe_device: matched device 2-1.3 
> with driver usb
> [30540.549482] bus: 'usb': really_probe: probing driver usb with 
> device 2-1.3
> [30540.549512] usb 2-1.3: rpm_resume flags 0x4
> [30540.549518] usb 2-1.3: rpm_resume returns 1
> [30540.550214] device: '2-1.3:1.0': device_add
> [30540.550232] kobject: '2-1.3:1.0' (ffff880100648040): 
> kobject_add_internal: parent: '2-1.3', set: 'devices'
> [30540.550553] bus: 'usb': add device 2-1.3:1.0
> [30540.550643] PM: Adding info for usb:2-1.3:1.0
> [30540.550661] kobject: '2-1.3:1.0' (ffff880100648040): kobject_uevent_env
> [30540.550678] kobject: '2-1.3:1.0' (ffff880100648040): 
> fill_kobj_path: path = 
> '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0'
> [30540.550905] bus: 'usb': driver_probe_device: matched device 
> 2-1.3:1.0 with driver usbserial_generic
> [30540.550923] bus: 'usb': really_probe: probing driver 
> usbserial_generic with device 2-1.3:1.0
> [30540.551178] usb 2-1.3: rpm_resume flags 0x4
> [30540.551189] usb 2-1.3: rpm_resume returns 1
> [30540.551458] bus: 'usb': driver_probe_device: matched device 
> 2-1.3:1.0 with driver usbhid
> [30540.551473] bus: 'usb': really_probe: probing driver usbhid with 
> device 2-1.3:1.0
> [30540.551513] usb 2-1.3: rpm_resume flags 0x4
> [30540.551523] usb 2-1.3: rpm_resume returns 1
> [30540.552922] device: '0003:046D:C018.0002': device_add
> [30540.552939] kobject: '0003:046D:C018.0002' (ffff88012b5b9898): 
> kobject_add_internal: parent: '2-1.3:1.0', set: 'devices'
> [30540.552981] bus: 'hid': add device 0003:046D:C018.0002
> [30540.553143] PM: Adding info for hid:0003:046D:C018.0002
> [30540.553159] kobject: '0003:046D:C018.0002' (ffff88012b5b9898): 
> kobject_uevent_env
> [30540.553176] kobject: '0003:046D:C018.0002' (ffff88012b5b9898): 
> fill_kobj_path: path = 
> '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/0003:046D:C018.0002'
> [30540.553352] bus: 'hid': driver_probe_device: matched device 
> 0003:046D:C018.0002 with driver generic-usb
> [30540.553369] bus: 'hid': really_probe: probing driver generic-usb 
> with device 0003:046D:C018.0002
> [30540.555608] device: 'input17': device_add
> [30540.555628] kobject: 'input' (ffff8800619af5a0): 
> kobject_add_internal: parent: '2-1.3:1.0', set: '(null)'
> [30540.555677] kobject: 'input17' (ffff8800252b5b58): 
> kobject_add_internal: parent: 'input', set: 'devices'
> [30540.555879] PM: Adding info for No Bus:input17
> [30540.555888] kobject: 'input17' (ffff8800252b5b58): kobject_uevent_env
> [30540.555899] kobject: 'input17' (ffff8800252b5b58): fill_kobj_path: 
> path = 
> '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17'
> [30540.556072] kobject: 'input17' (ffff8800252b5b58): fill_kobj_path: 
> path = 
> '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17'
> [30540.556087] input: Logitech USB Optical Mouse as 
> /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17
> [30540.556140] device: 'mouse0': device_add
> [30540.556153] kobject: 'mouse0' (ffff8800252b41b8): 
> kobject_add_internal: parent: 'input17', set: 'devices'
> [30540.556907] PM: Adding info for No Bus:mouse0
> [30540.556924] kobject: 'mouse0' (ffff8800252b41b8): kobject_uevent_env
> [30540.556940] kobject: 'mouse0' (ffff8800252b41b8): fill_kobj_path: 
> path = 
> '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17/mouse0'
> [30540.557125] device: 'event6': device_add
> [30540.557139] kobject: 'event6' (ffff8800252b21c0): 
> kobject_add_internal: parent: 'input17', set: 'devices'
> [30540.558939] PM: Adding info for No Bus:event6
> [30540.558953] kobject: 'event6' (ffff8800252b21c0): kobject_uevent_env
> [30540.558969] kobject: 'event6' (ffff8800252b21c0): fill_kobj_path: 
> path = 
> '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17/event6'
> [30540.559198] device: 'hidraw0': device_add
> [30540.559221] kobject: 'hidraw' (ffff8800619afa20): 
> kobject_add_internal: parent: '0003:046D:C018.0002', set: '(null)'
> [30540.559252] kobject: 'hidraw0' (ffff88012bfbc810): 
> kobject_add_internal: parent: 'hidraw', set: 'devices'
> [30540.559281] usbhid 2-1.3:1.0: rpm_resume flags 0x4
> [30540.559293] usbhid 2-1.3:1.0: rpm_resume returns 1
> [30540.559655] PM: Adding info for No Bus:hidraw0
> [30540.559670] kobject: 'hidraw0' (ffff88012bfbc810): kobject_uevent_env
> [30540.559687] kobject: 'hidraw0' (ffff88012bfbc810): fill_kobj_path: 
> path = 
> '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/0003:046D:C018.0002/hidraw/hidraw0'
> [30540.559805] generic-usb 0003:046D:C018.0002: input,hidraw0: USB HID 
> v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:1d.0-1.3/input0
> [30540.559820] driver: '0003:046D:C018.0002': driver_bound: bound to 
> device 'generic-usb'
> [30540.559833] bus: 'hid': really_probe: bound device 
> 0003:046D:C018.0002 to driver generic-usb
> [30540.559859] driver: '2-1.3:1.0': driver_bound: bound to device 'usbhid'
> [30540.559874] bus: 'usb': really_probe: bound device 2-1.3:1.0 to 
> driver usbhid
> [30540.559892] usbhid 2-1.3:1.0: rpm_suspend flags 0x4
> [30540.559908] usbhid 2-1.3:1.0: rpm_suspend returns 0
> [30540.559939] device: 'ep_81': device_add
> [30540.559950] kobject: 'ep_81' (ffff88009613f820): 
> kobject_add_internal: parent: '2-1.3:1.0', set: 'devices'
> [30540.560175] PM: Adding info for No Bus:ep_81
> [30540.560189] kobject: 'ep_81' (ffff88009613f820): kobject_uevent_env
> [30540.560198] kobject: 'ep_81' (ffff88009613f820): 
> kobject_uevent_env: filter function caused the event to drop!
> [30540.561372] usb_notify_subscriber
> [30540.561378] usb_notify_subscriber:USB device added
>
>
> So this notification is raised when everything is done by the USB core 
> and it has already attached the driver to the device. In that case I 
> think this is not that important and will not solve the purpose which 
> I am looking for.
>
>
>>>
>>>>>> Now the way USB is made known to OS is through SCSI and then
>>>>>> respective filesystem ( mostly usbfs).
>>>>> Not really, usbfs is only one way, and it has nothing to do with usb
>>>>> disks.
>>>>>
>>>>>> So is there any way I can intercept this stack and have my kernel 
>>>>>> module
>>>>>> invoked so that I will get the data.
>>>>> Not easily.
>>>> Even if its hard, can you please give  details of how do I achieve 
>>>> this?
>>>>>> I have been thinking on two approaches:
>>>>>>
>>>>>> 1. Use VFS and write a proxy filesystem for USB device which will 
>>>>>> filter
>>>>>> the data.
>>>>>> 2. checking SCSI and any intercepting point.
>>>>> Again, what are you trying to "filter"?  That will determine where 
>>>>> you
>>>>> make changes.
>>>> thanks, greg k-h
>>>> So what choice do I have now for this?
>>> Lots of work, best of luck with this task, it will not be simple or
>>> easy.
>>>
>>> greg k-h
>> Thanks. Its not that simple. I need to check the sCSI family code as 
>> well as USB core. Also VFS may be involved. :(  :)
>>
>> Regards,
>> Abhijit Pawar
>
Hi ,
I found a rather very simple solution to the problem. Stackable filesystem.

Regards,
Abhijit Pawar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20120112/4475e6d5/attachment-0001.html