golfinguy
Posts: 19
Joined: Wed Aug 21, 2013 3:07 pm

Need to disable USB, but not network

Thu Mar 06, 2014 9:27 pm

We need to disable USB in that we don't want storage devices but also do not want keyboards or other input devices plugged in. We also want to be able to interrogate the device at any time to ensure someone hasn't turned the USB support back on.

Blacklisting 'usb_storage' (the most common suggestion I found) may not be enough given I want keyboards out as well. (Incidentally, when I blacklisted 'usb_storage' it didn't prevent me from mounting a USB drive - so the examples do not work or I fat-fingered something.) So this suggestion seems to be a no-go, but let me know if I'm wrong.

The other suggestion was to write 0x0 to the /sys/devices/platform/bcm2708_usb/buspower file. This seemed to shut down the network as well and I had to power cycle to get back in. Not the desired state as we just want USB off, not the network.

The last attempt was the kernel boot parameter 'nousb'. I bricked it! (time to go slide the SD card into my laptop and fix.......) Seems the NIC and USB are linked and any attempt to turn off USB, turns off the network as well. Once again, not the desired state.

So I came here to query better minds.

mahjongg
Forum Moderator
Posts: 13009
Joined: Sun Mar 11, 2012 12:19 am
Location: South Holland, The Netherlands

Re: Need to disable USB, but not network

Thu Mar 06, 2014 11:22 pm

As the Ethernet of the Pi is in essence a USB device contained in the same chip (LAN9512) as the built-in USB hub, this is probably a hard thing to pull off in software. My solution would be to simply remove the USB connector (which is connected directly to the LAN9512 chip).

golfinguy
Posts: 19
Joined: Wed Aug 21, 2013 3:07 pm

Re: Need to disable USB, but not network

Thu Mar 06, 2014 11:31 pm

An option yes, but one we were trying to avoid given the volume of units we plan to deploy. Rat farts!

Thanks

gilespeppe
Posts: 2
Joined: Tue Dec 24, 2013 12:59 pm

Re: Need to disable USB, but not network

Thu Mar 06, 2014 11:48 pm

model A with usb to ethernet dongle?

redhawk
Posts: 3465
Joined: Sun Mar 04, 2012 2:13 pm
Location: ::1

Re: Need to disable USB, but not network

Fri Mar 07, 2014 2:07 am

gilespeppe wrote: "model A with usb to ethernet dongle?"

This is not going to help since you could easily remove the dongle and connect a USB keyboard.
If you really want to disable USB functionality then you need to sabotage the data lines near the chip, either by cutting or grounding them, and then cover them over with a blob of super hard epoxy resin.

Richard S.

golfinguy
Posts: 19
Joined: Wed Aug 21, 2013 3:07 pm

Re: Need to disable USB, but not network

Fri Mar 07, 2014 2:16 am

I'm thinking of giving our warehouse guys an epoxy gun and letting 'em fill the ports!

Shame to have to do that, but if we must......

rpdom
Posts: 17029
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Need to disable USB, but not network

Fri Mar 07, 2014 6:52 am

The blacklist option won't work as the usb_storage and usbhid (keyboard/mouse) drivers are built into the kernel instead of being loadable modules. (This is essential if you are to have the ability to have your root filesystem on USB).

You could build your own kernel without USB storage and USB HID support, in fact drop out all drivers except for the hardware you will be using. This will take a bit of trial and error. It will also make the kernel and the modules directory smaller and probably lead to slightly faster boot times.

Otherwise your options are as previously mentioned "sabotage" the USB ports to make them unusable (by glue or desoldering), or get a model A and remove the single USB connector and hard-wire a network dongle to the board. You could possibly just remove R36 and R37 to disconnect the port, then wire the dongle to the pads where they were connected.
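
Added example, not part of any post in this thread: a shell audit for the "interrogate the device at any time" requirement from the first post, which walks sysfs and fails if any attached USB interface is HID (class 03) or mass storage (class 08). It assumes the standard Linux sysfs layout under /sys/bus/usb; the function names are made up for this example, and interfaces of any other class, such as a hub (09), are ignored.

```shell
#!/bin/sh
# Added example: audit sysfs for USB HID / mass-storage exposure.
# Each function takes an optional sysfs root (default /sys/bus/usb) so the
# logic can be exercised against a constructed directory tree.

# Print one line per attached USB interface of class 03 (HID) or 08 (storage).
usb_forbidden_interfaces() {
    root="${1:-/sys/bus/usb}"
    for f in "$root"/devices/*/bInterfaceClass; do
        if [ ! -r "$f" ]; then continue; fi
        class=$(cat "$f")
        case "$class" in
            03) kind=hid ;;
            08) kind=mass-storage ;;
            *)  continue ;;
        esac
        iface=$(basename "$(dirname "$f")")
        echo "$iface class=$class kind=$kind"
    done
    return 0
}

# Print which of the two drivers are registered with the USB core. On a stock
# kernel with them built in they are always listed; after a custom build
# without them, their reappearance means the kernel was swapped.
usb_forbidden_drivers() {
    root="${1:-/sys/bus/usb}"
    for d in usb-storage usbhid; do
        if [ -d "$root/drivers/$d" ]; then echo "$d"; fi
    done
    return 0
}

# Return 0 when clean, 1 when a forbidden interface is attached.
usb_audit() {
    root="${1:-/sys/bus/usb}"
    ifaces=$(usb_forbidden_interfaces "$root")
    drivers=$(usb_forbidden_drivers "$root")
    if [ -n "$drivers" ]; then echo "WARN drivers present:" $drivers; fi
    if [ -n "$ifaces" ]; then
        echo "FAIL forbidden USB interfaces attached:"
        echo "$ifaces"
        return 1
    fi
    echo "OK no HID or mass-storage interfaces attached"
    return 0
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then usb_audit; exit $?; fi
```

Run it from cron or over SSH with `--audit` and alert on a non-zero exit status; it only reports what is attached at that moment, so it complements the kernel and hardware measures above rather than replacing them.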

golfinguy
Posts: 19
Joined: Wed Aug 21, 2013 3:07 pm

Re: Need to disable USB, but not network

Fri Mar 07, 2014 11:08 pm

Perhaps I missed the obvious. Given that my concern is a keyboard and local access - seems I can just eliminate getty and get the security I need. Is it really that easy?

rbiks
Posts: 16
Joined: Sun Oct 07, 2012 2:47 pm
Location: central Germany

Re: Need to disable USB, but not network

Sun Mar 09, 2014 5:19 pm

Hi golfinguy,

It depends what exactly you are trying to prevent. Disabling getty might be sufficient. But what would prevent the attacker from just pulling out the SD card to re-enable it? I would explain what exactly my concerns are. Maybe you can get some suggestions this way.

rbiks

golfinguy
Posts: 19
Joined: Wed Aug 21, 2013 3:07 pm

Re: Need to disable USB, but not network

Sun Mar 09, 2014 5:41 pm

rbiks wrote:
"Hi golfinguy,

It depends what exactly you are trying to prevent. Disabling getty might be sufficient. But what would prevent the attacker from just pulling out the SD card to re-enable it? I would explain what exactly my concerns are. Maybe you can get some suggestions this way.

rbiks"

We're looking at several options to attempt to ensure our build has not been altered (getty being only one thing among hundreds that can be altered). It's outside the scope of this particular question though.

rbiks
Posts: 16
Joined: Sun Oct 07, 2012 2:47 pm
Location: central Germany

Re: Need to disable USB, but not network

Sun Mar 09, 2014 9:16 pm

If you really can ensure that your build does not get altered then disabling getty should be enough. Logging into the system via console will be impossible then.

Thaddy
Posts: 174
Joined: Wed Mar 06, 2013 11:28 am

Re: Need to disable USB, but not network

Mon Mar 10, 2014 12:18 am

I would go for simply custom housing and have a custom Pi box made. If you are really shipping numbers, costs would be OK.
If you have a box that doesn't expose USB ports, users can't use it. And a sealed container is less destructive than some of the options suggested.
