Filtering USB storage data in kernel module

[apawar.linux@gmail.com (Abhijit Pawar)]

On 11/18/2011 09:05 PM, Abhijit Pawar wrote:
> On 11/18/2011 08:16 PM, Greg KH wrote:
>> On Fri, Nov 18, 2011 at 06:36:18PM +0530, Abhijit Pawar wrote:
>>> On 11/17/2011 08:19 PM, Greg KH wrote:
>>>> On Thu, Nov 17, 2011 at 02:15:35PM +0530, Abhijit Pawar wrote:
>>>>> Hi All,
>>>>> I need to filter  the data written/read to and from the USB storage
>>>>> disk.
>>>> Why?
>>> I want to build a secure machine with data protection. I want to
>>> have a security around the machine where anyone can attach a usb
>>> disk and copy the data. but i want to make the copied data useless
>>> unless it has the trust relation with the host to which its
>>> connected.
>>> So if one has copied data from one secured machine and get that usb
>>> disk to other machine, he should see the encrypted garbage data.
>> Interesting idea.
>>
>>>> What are you wanting to do at "filter" time?
>>> I want to encrypt the write data packets and decrypt the read data 
>>> packets.
>>>> Why just USB disks?  What makes them special?
>>> They are the one which can be attached to the system easily.
>>>> How are you going to determine if a disk is a USB device or not?
>> You forgot to answer this question :)
> Yeah, I forgot that one. I am not very sure but if I can patch the USB 
> core before it attaches the speficied class driver to the USB device. 
> May be I can try and send some control request and get the class of 
> the device.  I think its not required as USB core itself will 
> understand the class of the device and try to attach the proper 
> driver. At this point of time, I will have some patch which will pass 
> on the information to my module.
> I am not sure if there are any intercepting points or any functions / 
> structures exported in the USB core stack.

It seems that the Linux notification chain should give me information 
whenever a USB device is added. I need to register for a notification 
callback in my module.

I have written a small module for this which uses the usb_register_notify()

Here is the debug trace from kernel when I add my logitech mouse to the 
system. I get the device added notification.


[30540.541134] usb 2-1.3: New USB device found, idVendor=046d, 
idProduct=c018
[30540.541143] usb 2-1.3: New USB device strings: Mfr=1, Product=2, 
SerialNumber=0
[30540.541150] usb 2-1.3: Product: USB Optical Mouse
[30540.541155] usb 2-1.3: Manufacturer: Logitech
[30540.541162] device: '2-1.3': device_add
[30540.541172] kobject: '2-1.3' (ffff8800252b0898): 
kobject_add_internal: parent: '2-1', set: 'devices'
[30540.549243] bus: 'usb': add device 2-1.3
[30540.549324] PM: Adding info for usb:2-1.3
[30540.549372] kobject: '2-1.3' (ffff8800252b0898): kobject_uevent_env
[30540.549384] kobject: '2-1.3' (ffff8800252b0898): fill_kobj_path: path 
= '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3'
[30540.549473] bus: 'usb': driver_probe_device: matched device 2-1.3 
with driver usb
[30540.549482] bus: 'usb': really_probe: probing driver usb with device 
2-1.3
[30540.549512] usb 2-1.3: rpm_resume flags 0x4
[30540.549518] usb 2-1.3: rpm_resume returns 1
[30540.550214] device: '2-1.3:1.0': device_add
[30540.550232] kobject: '2-1.3:1.0' (ffff880100648040): 
kobject_add_internal: parent: '2-1.3', set: 'devices'
[30540.550553] bus: 'usb': add device 2-1.3:1.0
[30540.550643] PM: Adding info for usb:2-1.3:1.0
[30540.550661] kobject: '2-1.3:1.0' (ffff880100648040): kobject_uevent_env
[30540.550678] kobject: '2-1.3:1.0' (ffff880100648040): fill_kobj_path: 
path = '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0'
[30540.550905] bus: 'usb': driver_probe_device: matched device 2-1.3:1.0 
with driver usbserial_generic
[30540.550923] bus: 'usb': really_probe: probing driver 
usbserial_generic with device 2-1.3:1.0
[30540.551178] usb 2-1.3: rpm_resume flags 0x4
[30540.551189] usb 2-1.3: rpm_resume returns 1
[30540.551458] bus: 'usb': driver_probe_device: matched device 2-1.3:1.0 
with driver usbhid
[30540.551473] bus: 'usb': really_probe: probing driver usbhid with 
device 2-1.3:1.0
[30540.551513] usb 2-1.3: rpm_resume flags 0x4
[30540.551523] usb 2-1.3: rpm_resume returns 1
[30540.552922] device: '0003:046D:C018.0002': device_add
[30540.552939] kobject: '0003:046D:C018.0002' (ffff88012b5b9898): 
kobject_add_internal: parent: '2-1.3:1.0', set: 'devices'
[30540.552981] bus: 'hid': add device 0003:046D:C018.0002
[30540.553143] PM: Adding info for hid:0003:046D:C018.0002
[30540.553159] kobject: '0003:046D:C018.0002' (ffff88012b5b9898): 
kobject_uevent_env
[30540.553176] kobject: '0003:046D:C018.0002' (ffff88012b5b9898): 
fill_kobj_path: path = 
'/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/0003:046D:C018.0002'
[30540.553352] bus: 'hid': driver_probe_device: matched device 
0003:046D:C018.0002 with driver generic-usb
[30540.553369] bus: 'hid': really_probe: probing driver generic-usb with 
device 0003:046D:C018.0002
[30540.555608] device: 'input17': device_add
[30540.555628] kobject: 'input' (ffff8800619af5a0): 
kobject_add_internal: parent: '2-1.3:1.0', set: '(null)'
[30540.555677] kobject: 'input17' (ffff8800252b5b58): 
kobject_add_internal: parent: 'input', set: 'devices'
[30540.555879] PM: Adding info for No Bus:input17
[30540.555888] kobject: 'input17' (ffff8800252b5b58): kobject_uevent_env
[30540.555899] kobject: 'input17' (ffff8800252b5b58): fill_kobj_path: 
path = 
'/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17'
[30540.556072] kobject: 'input17' (ffff8800252b5b58): fill_kobj_path: 
path = 
'/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17'
[30540.556087] input: Logitech USB Optical Mouse as 
/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17
[30540.556140] device: 'mouse0': device_add
[30540.556153] kobject: 'mouse0' (ffff8800252b41b8): 
kobject_add_internal: parent: 'input17', set: 'devices'
[30540.556907] PM: Adding info for No Bus:mouse0
[30540.556924] kobject: 'mouse0' (ffff8800252b41b8): kobject_uevent_env
[30540.556940] kobject: 'mouse0' (ffff8800252b41b8): fill_kobj_path: 
path = 
'/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17/mouse0'
[30540.557125] device: 'event6': device_add
[30540.557139] kobject: 'event6' (ffff8800252b21c0): 
kobject_add_internal: parent: 'input17', set: 'devices'
[30540.558939] PM: Adding info for No Bus:event6
[30540.558953] kobject: 'event6' (ffff8800252b21c0): kobject_uevent_env
[30540.558969] kobject: 'event6' (ffff8800252b21c0): fill_kobj_path: 
path = 
'/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/input/input17/event6'
[30540.559198] device: 'hidraw0': device_add
[30540.559221] kobject: 'hidraw' (ffff8800619afa20): 
kobject_add_internal: parent: '0003:046D:C018.0002', set: '(null)'
[30540.559252] kobject: 'hidraw0' (ffff88012bfbc810): 
kobject_add_internal: parent: 'hidraw', set: 'devices'
[30540.559281] usbhid 2-1.3:1.0: rpm_resume flags 0x4
[30540.559293] usbhid 2-1.3:1.0: rpm_resume returns 1
[30540.559655] PM: Adding info for No Bus:hidraw0
[30540.559670] kobject: 'hidraw0' (ffff88012bfbc810): kobject_uevent_env
[30540.559687] kobject: 'hidraw0' (ffff88012bfbc810): fill_kobj_path: 
path = 
'/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/0003:046D:C018.0002/hidraw/hidraw0'
[30540.559805] generic-usb 0003:046D:C018.0002: input,hidraw0: USB HID 
v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:1d.0-1.3/input0
[30540.559820] driver: '0003:046D:C018.0002': driver_bound: bound to 
device 'generic-usb'
[30540.559833] bus: 'hid': really_probe: bound device 
0003:046D:C018.0002 to driver generic-usb
[30540.559859] driver: '2-1.3:1.0': driver_bound: bound to device 'usbhid'
[30540.559874] bus: 'usb': really_probe: bound device 2-1.3:1.0 to 
driver usbhid
[30540.559892] usbhid 2-1.3:1.0: rpm_suspend flags 0x4
[30540.559908] usbhid 2-1.3:1.0: rpm_suspend returns 0
[30540.559939] device: 'ep_81': device_add
[30540.559950] kobject: 'ep_81' (ffff88009613f820): 
kobject_add_internal: parent: '2-1.3:1.0', set: 'devices'
[30540.560175] PM: Adding info for No Bus:ep_81
[30540.560189] kobject: 'ep_81' (ffff88009613f820): kobject_uevent_env
[30540.560198] kobject: 'ep_81' (ffff88009613f820): kobject_uevent_env: 
filter function caused the event to drop!
[30540.561372] usb_notify_subscriber
[30540.561378] usb_notify_subscriber:USB device added


So this notification is raised when everything is done by the USB core 
and it has already attached the driver to the device. In that case I 
think this is not that important and will not solve the purpose which I 
am looking for.


>>
>>>>> Now the way USB is made known to OS is through SCSI and then
>>>>> respective filesystem ( mostly usbfs).
>>>> Not really, usbfs is only one way, and it has nothing to do with usb
>>>> disks.
>>>>
>>>>> So is there any way I can intercept this stack and have my kernel 
>>>>> module
>>>>> invoked so that I will get the data.
>>>> Not easily.
>>> Even if its hard, can you please give  details of how do I achieve 
>>> this?
>>>>> I have been thinking on two approaches:
>>>>>
>>>>> 1. Use VFS and write a proxy filesystem for USB device which will 
>>>>> filter
>>>>> the data.
>>>>> 2. checking SCSI and any intercepting point.
>>>> Again, what are you trying to "filter"?  That will determine where you
>>>> make changes.
>>> thanks, greg k-h
>>> So what choice do I have now for this?
>> Lots of work, best of luck with this task, it will not be simple or
>> easy.
>>
>> greg k-h
> Thanks. Its not that simple. I need to check the sCSI family code as 
> well as USB core. Also VFS may be involved. :(  :)
>
> Regards,
> Abhijit Pawar

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20111121/d118f5a4/attachment-0001.html