
USB guard fails because there are 2 AMD hub devices.... with the same Hash...

Open noci2012 opened this issue 7 years ago • 1 comments

USB guard fails

# lsusb
Bus 002 Device 006: ID 1bcf:2c81 Sunplus Innovation Technology Inc.
Bus 002 Device 005: ID 04ca:3015 Lite-On Technology Corp.
Bus 002 Device 002: ID 0438:7900 Advanced Micro Devices, Inc.
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 012: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
Bus 001 Device 011: ID 06cb:2970 Synaptics, Inc. touchpad
Bus 001 Device 002: ID 0438:7900 Advanced Micro Devices, Inc.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

# usbguard list-devices
11: allow id 1d6b:0002 serial "0000:00:12.0" name "EHCI Host Controller" hash "QRfWbwnc2Ui1MMyQsxucmxFW8JIqFj9+ud2pvrUmuQo=" parent-hash "sl5n3zGuhagw8tyny/92w1hrmN63hPN2CUVGXlUha2M=" via-port "usb1" with-interface 09:00:00
12: allow id 1d6b:0002 serial "0000:00:13.0" name "EHCI Host Controller" hash "Z1F2pMJ+LphP/VsHmWv0BQ27P6kQ4kiPNbdnwHy2ppo=" parent-hash "f2g37Tv6VYkhyUUPH/lInQ2XQ0/4vtZ+lJvoe7CNH8k=" via-port "usb2" with-interface 09:00:00
13: allow id 1d6b:0002 serial "0000:00:10.0" name "xHCI Host Controller" hash "OaNuvSNaOeze6zHErZKy1muRIivxiCQTz+wD9DK+gzo=" parent-hash "uJe4hkrsfruFDItPQnd5t9S9rfMuOHa2xMmtVtaEj9w=" via-port "usb3" with-interface 09:00:00
14: allow id 1d6b:0003 serial "0000:00:10.0" name "xHCI Host Controller" hash "eRz6hSAVxBdVKVB2J7+rHiwYKcJPWodv+QLcOqlHUpk=" parent-hash "uJe4hkrsfruFDItPQnd5t9S9rfMuOHa2xMmtVtaEj9w=" via-port "usb4" with-interface 09:00:00
15: allow id 0438:7900 serial "" name "" hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" parent-hash "QRfWbwnc2Ui1MMyQsxucmxFW8JIqFj9+ud2pvrUmuQo=" via-port "1-1" with-interface 09:00:00
16: allow id 0438:7900 serial "" name "" hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" parent-hash "Z1F2pMJ+LphP/VsHmWv0BQ27P6kQ4kiPNbdnwHy2ppo=" via-port "2-1" with-interface 09:00:00
17: allow id 06cb:2970 serial "" name " " hash "9T3ruO/49YQmNmFpo3HnnDT5v7ctxDZ4BMySuBjkoto=" parent-hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" via-port "1-1.2" with-interface 03:00:00
18: allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW" hash "om34qyRbPxnt/bsdFrR3g2SWxDVsInxWWsiFkDIyEnY=" parent-hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" via-port "1-1.4" with-interface ff:06:50
19: allow id 04ca:3015 serial "" name "" hash "lBlbxcwwRRaJ4ALINUy5Jg5PYbDNNVRskjOrY17QnxA=" parent-hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" via-port "2-1.1" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 }
20: block id 1bcf:2c81 serial "" name "HD WebCam" hash "+QfM/XOpeArIkeRgH8f2XB5Jmoq+DgvV9CP3S5Z3etY=" parent-hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" via-port "2-1.2" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 }

IDs 15 & 16 in the above list cause usbguard to ONLY work if via-port is activated. If not, then part of the USB devices get the default action applied. This means for this system that the Video & Bluetooth worked according to the rules, while the touchpad & SD card reader ceased to function (even though they were explicitly allowed).

# lsusb -v -d 0438:7900

Bus 002 Device 002: ID 0438:7900 Advanced Micro Devices, Inc.
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            9 Hub
  bDeviceSubClass         0
  bDeviceProtocol         1 Single TT
  bMaxPacketSize0        64
  idVendor           0x0438 Advanced Micro Devices, Inc.
  idProduct          0x7900
  bcdDevice            0.18
  iManufacturer           0
  iProduct                0
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0001  1x 1 bytes
        bInterval              12

Bus 001 Device 002: ID 0438:7900 Advanced Micro Devices, Inc.
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            9 Hub
  bDeviceSubClass         0
  bDeviceProtocol         1 Single TT
  bMaxPacketSize0        64
  idVendor           0x0438 Advanced Micro Devices, Inc.
  idProduct          0x7900
  bcdDevice            0.18
  iManufacturer           0
  iProduct                0
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0001  1x 1 bytes
        bInterval              12

noci2012, Apr 03 '18 19:04

Hi. Thanks for this report. I'll try to think of a solution for such a scenario. It looks like I'll have to change the device matching logic a bit or introduce a parameter that will cause USBGuard to include more information into the hash (via-port value?).

dkopecek, Jun 29 '18 05:06
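An added example, not part of the original thread or of USBGuard itself: a small audit script that parses `usbguard list-devices` output, reports hashes shared by devices on different ports, and lists the child devices whose parent-hash is therefore ambiguous. The sample input is a subset of the listing quoted in the issue; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines 11, 12, 15, 16, 17 and 19 from the listing in the issue.
SAMPLE = '''\
11: allow id 1d6b:0002 serial "0000:00:12.0" name "EHCI Host Controller" hash "QRfWbwnc2Ui1MMyQsxucmxFW8JIqFj9+ud2pvrUmuQo=" parent-hash "sl5n3zGuhagw8tyny/92w1hrmN63hPN2CUVGXlUha2M=" via-port "usb1" with-interface 09:00:00
12: allow id 1d6b:0002 serial "0000:00:13.0" name "EHCI Host Controller" hash "Z1F2pMJ+LphP/VsHmWv0BQ27P6kQ4kiPNbdnwHy2ppo=" parent-hash "f2g37Tv6VYkhyUUPH/lInQ2XQ0/4vtZ+lJvoe7CNH8k=" via-port "usb2" with-interface 09:00:00
15: allow id 0438:7900 serial "" name "" hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" parent-hash "QRfWbwnc2Ui1MMyQsxucmxFW8JIqFj9+ud2pvrUmuQo=" via-port "1-1" with-interface 09:00:00
16: allow id 0438:7900 serial "" name "" hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" parent-hash "Z1F2pMJ+LphP/VsHmWv0BQ27P6kQ4kiPNbdnwHy2ppo=" via-port "2-1" with-interface 09:00:00
17: allow id 06cb:2970 serial "" name " " hash "9T3ruO/49YQmNmFpo3HnnDT5v7ctxDZ4BMySuBjkoto=" parent-hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" via-port "1-1.2" with-interface 03:00:00
19: allow id 04ca:3015 serial "" name "" hash "lBlbxcwwRRaJ4ALINUy5Jg5PYbDNNVRskjOrY17QnxA=" parent-hash "eZ7XXThWiDfoIEASe1ze7D9s6GhVYypjUk3NyaVTGdo=" via-port "2-1.1" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 }
'''

# Pull out only the attributes needed for the collision check.
RULE = re.compile(
    r'^(?P<num>\d+): (?P<target>\w+) id (?P<id>\S+) .*? hash "(?P<hash>[^"]*)"'
    r' parent-hash "(?P<parent>[^"]*)" via-port "(?P<port>[^"]*)"')

def parse(text):
    """Return one dict per device line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(RULE.match, text.splitlines()) if m]

def colliding_hashes(devices):
    """Map each hash that appears on more than one port to the sorted port list."""
    ports = defaultdict(set)
    for d in devices:
        ports[d["hash"]].add(d["port"])
    return {h: sorted(p) for h, p in ports.items() if len(p) > 1}

def ambiguous_children(devices):
    """Devices whose parent-hash names several hubs, so it cannot identify the parent."""
    dup = colliding_hashes(devices)
    return [(d["num"], d["id"], d["port"]) for d in devices if d["parent"] in dup]

def unique_with_port(devices):
    """True when (hash, via-port) identifies every device, as the maintainer suggests."""
    keys = [(d["hash"], d["port"]) for d in devices]
    return len(keys) == len(set(keys))

if __name__ == "__main__":
    devs = parse(SAMPLE)
    for h, ports in colliding_hashes(devs).items():
        print(f"hash {h} is shared by ports {', '.join(ports)}")
    for num, dev_id, port in ambiguous_children(devs):
        print(f"device {num} ({dev_id}) on {port} has an ambiguous parent-hash")
    print("unique when via-port is included:", unique_with_port(devs))
```

Piping real `usbguard list-devices` output into `parse()` before generating a policy without `via-port` shows whether a system has the duplicate-hub layout described in this issue.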