Linux 6.9 Adds New Build-Time Control Whether To Authorize Attached USB Devices
The in-development Linux 6.9 kernel is introducing a new USB_DEFAULT_AUTHORIZATION_MODE Kconfig build-time switch to change the default authorization mode for how Linux should deal with attached USB devices.
Linux has for years allowed locking USB devices down to only those that are internal, or enforcing other restrictions on USB devices, but Linux 6.9 is the first kernel to offer a build-time control over the default USB authorization mode.
The new USB_DEFAULT_AUTHORIZATION_MODE build option can set the default mode to authorized for all devices (the existing default behavior), unauthorized for all devices, or authorized only for internal USB devices. The default can still be overridden at boot time using the usbcore.authorized_default= command-line option. This Linux 6.9 option makes it easier for Linux distribution vendor kernels and administrators building their own kernels to control how attached USB devices are treated according to their desired security policy.
The USB_DEFAULT_AUTHORIZATION_MODE help text sums up the new option as:
This option allows you to choose whether USB devices that are connected to the system can be used by default, or if they are locked down.
With value 0 all connected USB devices with the exception of the root hub require user space authorization before they can be used.
With value 1 (default) no user space authorization is required to use connected USB devices.
With value 2 all connected USB devices with the exception of internal USB devices require user space authorization before they can be used. Note that in this mode the differentiation between internal and external USB devices relies on ACPI, and on systems without ACPI selecting value 2 is analogous to selecting value 0.
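The "user space authorization" the help text refers to happens through sysfs, where each root hub exposes an authorized_default file taking the same 0/1/2 values and each device exposes an authorized file. The following POSIX shell helpers are an added example, not code from the article or the kernel tree; the SYSFS_USB variable is an assumption added so the functions can be exercised against a constructed directory instead of the live /sys/bus/usb/devices tree.

```shell
#!/bin/sh
# Added example: manage USB authorization policy from user space via sysfs.
# SYSFS_USB defaults to the real tree; override it to test on a scratch dir.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Set the default for every root hub: 0 = deny all, 1 = allow all,
# 2 = allow only internal (ACPI-enumerated) devices.
# Prints the number of root hubs updated; fails on an invalid mode.
usb_set_default_auth() {
    mode="$1"
    case "$mode" in
        0|1|2) ;;
        *) echo "invalid authorization mode: $mode" >&2; return 1 ;;
    esac
    n=0
    for f in "$SYSFS_USB"/usb*/authorized_default; do
        [ -f "$f" ] || continue
        printf '%s' "$mode" > "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Authorize (1) or deauthorize (0) a single device by its sysfs name
# (e.g. 1-3 for port 3 on bus 1) after an administrator has vetted it.
usb_set_device_auth() {
    dev="$1"
    val="$2"
    f="$SYSFS_USB/$dev/authorized"
    [ -f "$f" ] || { echo "no such USB device: $dev" >&2; return 1; }
    printf '%s' "$val" > "$f"
}

# List attached devices that are currently blocked by the policy, one per
# line, so they can be reviewed before any of them is authorized.
usb_list_unauthorized() {
    for f in "$SYSFS_USB"/*/authorized; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" = "0" ]; then
            basename "$(dirname "$f")"
        fi
    done
}
```

On a live system these writes require root and only affect devices attached from then on plus those already held in the unauthorized state.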
This new plumbing plus various other USB and Thunderbolt additions for Linux 6.9 were sent in as part of today's pull request.