From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-m19731116.qiye.163.com (mail-m19731116.qiye.163.com [220.197.31.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4886B2F691B for ; Tue, 2 Dec 2025 08:42:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=220.197.31.116 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764664933; cv=none; b=E9C0tj5aAipsj/aYRck325BxPqsL14/kp/F9L9B9EbwZFLktjkU+Ty0xtwZVon0qxdP9TT4TI+YkoWD6h3YPqpNiam5ZGLou7EsIX0GBQ1mAnoO1wPgnTA8l6sZU6/7K/USh55Ap4BLtr+7vkuQmFWdgWwxhzLJMIExLCDMMzH0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764664933; c=relaxed/simple; bh=4IjPgFCEJG+awGEp8XZpiOufmWdPMJX5/l8mWmzQh24=; h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=dKd+6j+N1GSn1S4K2Go71JD/sygP8pFikNeKJ1VPEsELUFyDgFmnnlLTdFKlcgXpcf6oHnB9CZzk1yU4jILsTylL/EwOmzG2tTH/gqmfGIkCFL+jz4PlkvOtp0mmUsiruGz73IvulKCA2GpAV2zJ+sU4fIw9hXF7f+AstoxV1Pw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=leap-io-kernel.com; spf=pass smtp.mailfrom=leap-io-kernel.com; dkim=pass (2048-bit key) header.d=leap-io-kernel.com header.i=@leap-io-kernel.com header.b=MHWDBFft; arc=none smtp.client-ip=220.197.31.116 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=leap-io-kernel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=leap-io-kernel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=leap-io-kernel.com header.i=@leap-io-kernel.com header.b="MHWDBFft" Received: from localhost (unknown [222.130.22.244]) by smtp.qiye.163.com (Hmail) with ESMTP id 2ba9d5511; Tue, 2 Dec 2025 16:36:51 +0800 (GMT+08:00) Date: Tue, 2 Dec 2025 16:36:50 +0800 From: BaiKefan To: Yanteng Si Cc: alexs@kernel.org, dzm91@hust.edu.cn, corbet@lwn.net, linux-doc@vger.kernel.org, doubled@leap-io-kernel.com Subject: [RESEND] Re: [PATCH v3 3/8] docs/zh_CN: Add authorization.rst translation Message-ID: <20251202163650.000068e9@leap-io-kernel.com> In-Reply-To: <343e5b82-e78a-483b-a8db-57bef4f447eb@linux.dev> References: <343e5b82-e78a-483b-a8db-57bef4f447eb@linux.dev> Precedence: bulk X-Mailing-List: linux-doc@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-HM-Tid: 0a9ade3513b209d5kunm6950bf7c37bad8 X-HM-MType: 1 X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFITzdXWS1ZQUlXWQ8JGhUIEh9ZQVkZTEMdVklCS0tMGUlKSBgZTVYVFAkWGhdVEwETFh oSFyQUDg9ZV1kYEgtZQVlJSUlVSkhLVUlJVUlPT1lXWRYaDxIVHRRZQVlPS0hVSktISk5MSVVKS0 tVSkJLS1kG DKIM-Signature: a=rsa-sha256; b=MHWDBFftBFQbY6wNOxR2IMbwhLp4AQNFh/mKuJ3SM7AalAbPQN7miHD6Pptu2TEcfDeEZk0pUL8ls98aE/SYQpKLYZ6+S5bPIBNYpr0pof1T7Nz5DAqhNpE2tVSyl8YwBJ4N4ZX/tXg44COTzHFUUAXYG3U8ilhlaDQHDvYdtu1Jn6wVsgEzb33LdE4dRp5rX3qRebugyfiUzR97T/ALuqTXZeGllCjPN8LZoRVbVA/qv61bxi7n9/Zvjw6uIrul7EDWMtt5hnAxxjxInjKX7l6ZQMb4SH0yVY5/Th0RhdCjdvHWqTGNNRQaWOKNJp5ez1v/RxuHviGfFa4fs2WPCQ==; s=default; c=relaxed/relaxed; d=leap-io-kernel.com; v=1; bh=g4Y8ZWSqx6zQjsw8Ei/6rt0oEP51/PmtRmK5sTFcHlw=; h=date:mime-version:subject:message-id:from; Hi Yanteng, I am resending this reply due to encoding/display issues in my previous message. Thank you for your understanding. On Mon, 1 Dec 2025 14:54:53 +0800 Yanteng Si wrote: > > 在 2025/11/24 21:34, Kefan Bai 写道: > > Translate .../usb/authorization.rst into Chinese > > > > Update the translation through commit f176638af476 > > ("USB: Remove Wireless USB and UWB documentation") > > > > Signed-off-by: Kefan Bai > > --- > > .../translations/zh_CN/usb/authorization.rst | 125 > > ++++++++++++++++++ 1 file changed, 125 insertions(+) > > create mode 100644 > > Documentation/translations/zh_CN/usb/authorization.rst > > > > diff --git a/Documentation/translations/zh_CN/usb/authorization.rst > > b/Documentation/translations/zh_CN/usb/authorization.rst new file > > mode 100644 index 000000000000..2bcb3e9d4c5a > > --- /dev/null > > +++ b/Documentation/translations/zh_CN/usb/authorization.rst > > @@ -0,0 +1,125 @@ > > +.. SPDX-License-Identifier: GPL-2.0 > > +.. include:: ../disclaimer-zh_CN.rst > > + > > +:Original: Documentation/usb/authorization.rst > > +:翻译: > > + > > + 白钶凡 Kefan Bai > > + > > +:校译: > > + > > + > > +============================================================== > > +授权(或不授权)USB设备连接到系统 > > +============================================================== > > It's too long, please trim them. > > > Thanks, > > Yanteng > Thanks for the review. I'll shorten those overlong markers and check the rest of the translated files for similar issues. Thanks, Kefan > > + > > +版权 (C) 2007 Inaky Perez-Gonzalez > > 因特尔公司 + > > +此功能允许你控制系统中USB设备的使用权限。 > > +你可以借此实现USB设备的锁定,并由用户空间完全控制。 > > + > > +目前为止,当插入一个USB设备时,系统会配置该USB设备,其接口会立即对用户开放。 > > +通过此修改,只有在root授权配置设备后,用户才能使用它。 > > + > > + > > +使用方法 > > +========= > > + > > +授权设备连接:: > > + > > + $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized > > + > > +取消授权设备连接:: > > + $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized > > + > > +将新连接到hostX的设备默认设置为未授权(即:锁定):: > > + > > + $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default > > + > > +解除锁定:: > > + > > + $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default > > + > > +默认情况下,所有USB设备都是授权的。 > > +向authorized_default属性写入 "2" > > 会使内核默认只授权连接到内部USB端口的设备。 + > > +系统锁定示例(简单示例) > > +------------------------------ > > + > > +假设你想实现一个锁定功能,要求只有类型为XYZ的设备可以连接 > > +(例如,它是一个带有可见USB端口的自助服务终端):: > > + > > + 启动系统 > > + rc.local -> > > + > > + for host in /sys/bus/usb/devices/usb* > > + do > > + echo 0 > $host/authorized_default > > + done > > + > > +将一个脚本挂接到udev,当插入新的USB设备时,该脚本就会被自动触发:: > > + > > + if device_is_my_type $DEV > > + then > > + echo 1 > $device_path/authorized > > + done > > + > > + > > +这里的device_is_my_type()就是实现锁定的关键所在。 > > +仅仅检查class、type 和protocol是否匹配某个值, > > +是最差的安全验证方式(但对于想要破解的人却是最容易的)。 > > +如果你需要真正安全的方案,应使用加密、证书认证等手段。 > > +一个针对存储密钥的简单示例:: > > + > > + function device_is_my_type() > > + { > > + echo 1 > authorized # 暂时授权它 > > + # FIXME: 确保没有人能够挂载它 > > + mount DEVICENODE /mntpoint > > + sum=$(md5sum /mntpoint/.signature) > > + if [ $sum = $(cat /etc/lockdown/keysum) ] > > + then > > + echo "We are good, connected" > > + umount /mntpoint > > + # 添加一些额外的内容,以便其他人也可以使用它 > > + else > > + echo 0 > authorized > > + fi > > + } > > + > > + > > +当然,这种做法很简陋;实际上你应该使用基于PKI的真正证书验证, > > +这样就不会依赖共享密钥之类的东西。不过你明白我的意思。 > > +任何拿到设备仿真工具包的人都能伪造描述符和设备信息。 > > +所以千万不要信任这些信息。 > > + > > +接口授权 > > +--------- > > + > > +也有类似的方法用于允许或拒绝特定USB接口。这允许只阻止USB设备的一个子集。 > > + > > +授权接口:: > > + > > + $ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized > > + > > +取消授权接口:: > > + > > + $ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized > > + > > +也可以更改新接口在特定USB总线上的默认值。 > > + > > +默认允许接口:: > > + > > + $ echo 1 > > > /sys/bus/usb/devices/usbX/interface_authorized_default + > > +默认拒绝接口:: > > + $ echo 0 > > > /sys/bus/usb/devices/usbX/interface_authorized_default + > > +默认情况下,interface_authorized_default位为1。 > > +因此,所有接口默认都是授权的。 > > + > > +注意: > > + 如果要对一个未授权的接口进行授权,则必须通过将INTERFACE写入 > > + /sys/bus/usb/drivers_probe来手动触发驱动程序进行探测。 > > + 对于使用多个接口的驱动程序,需要先对所有使用的接口进行授权。 > > + 之后应探测驱动程序。这样做可以避免副作用。 > > -- > > 2.52.0 > > > >