Disable USB human interface drivers and USB storage driver

Posted: 28 Jan 2019, 14:34
by fjulian
Hi there,

for security reasons, I would like to disable the use of USB keyboards/mice as well as USB storage devices (thumb drive, external hard disk, ...). On a standard Debian system, I would simply disable the kernel modules (aka drivers) "usbhid" and "usb_storage". However, running "lsmod" on my RevPi produces the following output:

pi@RevPixxxxx:~ $ lsmod
Module Size Used by
cfg80211 569765 0
rfkill 21574 2 cfg80211
evdev 12148 2
joydev 9890 0
snd_bcm2835 23454 0
snd_pcm 97861 1 snd_bcm2835
snd_timer 22848 1 snd_pcm
snd 69071 3 snd_timer,snd_bcm2835,snd_pcm
bcm2835_gpiomem 3823 0
ftdi_sio 32648 0
usbserial 29680 1 ftdi_sio
uio_pdrv_genirq 3842 0
uio 10334 1 uio_pdrv_genirq
spidev 7210 0
piControl 193129 0
ti_dac082s085 6086 0
mcp320x 11202 0
iio_mux 5216 0
mux_gpio 2464 0
mux_core 8067 2 mux_gpio,iio_mux
fixed 3061 0
gpio_74x164 3382 0
spi_bcm2835aux 4973 0
spi_bcm2835 7456 0
gpio_max3191x 9449 1 piControl
industrialio 66692 4 mcp320x,iio_mux,ti_dac082s085,piControl
crc8 1662 1 gpio_max3191x
i2c_dev 6977 0
ip_tables 13203 0
x_tables 21202 1 ip_tables
ipv6 434161 28

Neither "usbhid" nor "usb_storage" is present in this list. The only module from that list that sounds like it could have something to do with a keyboard is "evdev". Running "modinfo evdev" says that this is the "Input driver event char devices". However, after disabling it, the keyboard unfortunately still worked like a charm.

Therefore, my question is: what do I need to do to prevent the usage of USB keyboard/mouse and USB storage devices with the RevPi? Do I need to disable a driver? If yes, which one? If no, what else can I do?

Any help is greatly appreciated.
Kind regards,
fjulian

Re: Disable USB human interface drivers and USB storage driver

Posted: 28 Jan 2019, 15:17
by dirk
Hi, I am reading your question with interest. In this post you may find an answer to your question.

Re: Disable USB human interface drivers and USB storage driver

Posted: 28 Jan 2019, 15:58
by fjulian
Hi Dirk,

thank you for your quick reaction! We already thought about powering down the USB ports. However, as far as I understood, this is not possible without also powering down the ethernet ports. Am I correct?

Since we strictly need the ethernet ports, this is no solution if they cannot be powered down separately.

Therefore I came up with the idea to approach this from the OS side by disabling the corresponding drivers, so it would be great if you could share any insights that help me do this.

Thank you!
fjulian

Re: Disable USB human interface drivers and USB storage driver

Posted: 29 Jan 2019, 07:43
by dirk
Hi fjulian, yes, this is correct. Unfortunately, the Ethernet interface is connected via USB as well, and if you switch off USB power this interface is involved.
Your idea to disable the drivers in the OS is a good approach. I found this discussion on Stack Overflow. I hope that this will help you. It would be great if you would share your experiences here then.

Re: Disable USB human interface drivers and USB storage driver

Posted: 29 Jan 2019, 13:31
by fjulian
Hi Dirk,

thanks for your message.

I tried both approaches: first, using udev to disable "usbhid" and second, blacklisting the driver "usbhid" in /etc/modprobe.d. In addition, I also tried blacklisting "usbcore" via modprobe, which "usbhid" depends on in my desktop Debian. However, neither configuration helped. It seems like in Raspbian, another driver is used to support a keyboard. In the list that is the output of "lsmod", I couldn't find a driver that seems to fit.
Could you somehow find out the name of the driver for USB interface devices (mouse, keyboard) and the name of the driver for USB storage devices used in the Raspbian image distributed by Kunbus?

Thanks,
Julian

Re: Disable USB human interface drivers and USB storage driver

Posted: 03 May 2019, 08:07
by lukas
Hi Julian,

the "usbhid" driver is built into the kernel on Raspbian (and hence also in our image), so it's not a module and all the methods to blacklist the driver in the modprobe configuration won't work. There is no way to deregister the driver if it's built-in (at least none that I know of). It is possible to unbind the driver from a keyboard via sysfs after it's bound, but that's not what you want.

However, the udev method mentioned in the above-linked Stack Overflow article works fine; I've tested it successfully with our stretch image. So just add this to a new or an existing file in /etc/udev/rules.d/ ...

SUBSYSTEMS=="usb", DRIVERS=="usbhid", ACTION=="add", ATTR{authorized}="0"
... and don't forget to either reload the udev configuration (sudo udevadm control -R) or reboot the machine.
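
Added example (not part of the thread and not Kunbus code): a small shell check that tells a built-in driver from a loadable one, which is why "usbhid" never showed up in lsmod and why blacklisting it had no effect. It reads the kernel's modules.builtin list and saved lsmod output; the sample file contents below are constructed so the script runs anywhere, and the function name driver_state is an assumption of this example.

```shell
#!/bin/sh
# Classify a driver as built into the kernel, loaded as a module, or absent.
# Usage: driver_state NAME MODULES_BUILTIN_FILE LSMOD_OUTPUT_FILE
# modules.builtin holds one path per line (kernel/drivers/hid/usbhid/usbhid.ko);
# file names may use '-' where lsmod prints '_', so both are normalised to '_'.
driver_state() {
    name=$(printf '%s\n' "$1" | sed 'y/-/_/')
    if [ -r "$2" ] && sed -e 's|.*/||' -e 's|\.ko.*$||' -e 'y/-/_/' "$2" |
            grep -qxF "$name"; then
        echo builtin          # modprobe blacklist entries have no effect
    elif [ -r "$3" ] && awk 'NR > 1 { print $1 }' "$3" | grep -qxF "$name"; then
        echo module-loaded    # a blacklist entry can stop automatic loading
    else
        echo not-found
    fi
}

# Constructed sample data (not captured from a RevPi), so this runs anywhere.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_BUILTIN=$SAMPLE_DIR/modules.builtin
SAMPLE_LSMOD=$SAMPLE_DIR/lsmod.txt
cat > "$SAMPLE_BUILTIN" <<'EOF'
kernel/drivers/hid/hid.ko
kernel/drivers/hid/usbhid/usbhid.ko
kernel/drivers/usb/core/usbcore.ko
kernel/drivers/usb/storage/usb-storage.ko
EOF
cat > "$SAMPLE_LSMOD" <<'EOF'
Module                  Size  Used by
evdev                  12148  2
ftdi_sio               32648  0
usbserial              29680  1 ftdi_sio
EOF

for drv in usbhid usb-storage ftdi_sio; do
    printf '%-12s %s\n' "$drv" \
        "$(driver_state "$drv" "$SAMPLE_BUILTIN" "$SAMPLE_LSMOD")"
done
# On a live system, save the module list first: lsmod > /tmp/lsmod.txt
#   driver_state usbhid "/lib/modules/$(uname -r)/modules.builtin" /tmp/lsmod.txt
```
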