9

I'm using the RPI to create a program, but I need to disable the USB ports so that the end user cannot plug in a keyboard or mouse and mess with the device.

Is this possible, and if so how is it done?

Steve Robillard
fypfyp

5 Answers

4

You may find luck with this command:

echo 0x0 > /sys/devices/platform/bcm2708_usb/buspower

This seems to disable the USB ports. I haven't tested it though.

ronnied
2
sudo sh -c "echo 0 > /sys/devices/platform/soc/3f980000.usb/buspower"

Will disable the USB ports but also the LAN port.

sudo sh -c "echo 1 > /sys/devices/platform/soc/3f980000.usb/buspower"

Reactivates them.

Lennart
2

Each USB host controller in Linux exposes a setting called authorized_default, which controls the state of any new connected devices. Setting it to 0 makes all new devices disabled by default:

for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done

A recommended way of running this script consists in using udev rules. This way, you're sure the script runs at the right time, when the host controller driver is already loaded, but none of the devices have yet been authorised. See this question for an example of this approach.

One thing you should understand is that software locks are only effective as long as the end user cannot unplug the SD card and remove the protections you have put in place.

Dmitry Grigoryev
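The `authorized_default` approach from the answer above, extended with the kernel's per-device `authorized` attribute so that only allowlisted devices stay usable. This is an added example, not code from the answer; the function names, the allowlist format and the sample IDs are assumptions.

```shell
# Added example, not from the answer. The root directory is a parameter so the
# logic can run against a constructed tree instead of the real sysfs.

# Make every host controller under $1 leave newly attached devices unauthorized.
usb_lock_hosts() {
    root=${1:-/sys/bus/usb/devices}
    for host in "$root"/usb*; do
        [ -w "$host/authorized_default" ] || continue
        echo 0 > "$host/authorized_default"
    done
}

# Authorize only devices whose vendor:product is in the allowlist $2
# (space separated, hypothetical parameter); deauthorize all others.
usb_apply_allowlist() {
    root=${1:-/sys/bus/usb/devices}
    allow=" $2 "
    for dev in "$root"/*; do
        case ${dev##*/} in usb*) continue ;; esac      # leave root hubs alone
        [ -f "$dev/idVendor" ] && [ -w "$dev/authorized" ] || continue
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        case $allow in
            *" $id "*) echo 1 > "$dev/authorized"; echo "allow ${dev##*/} $id" ;;
            *)         echo 0 > "$dev/authorized"; echo "deny ${dev##*/} $id" ;;
        esac
    done
}

# Print host controllers that still accept new devices (audit check).
usb_open_hosts() {
    root=${1:-/sys/bus/usb/devices}
    for host in "$root"/usb*; do
        [ -r "$host/authorized_default" ] || continue
        [ "$(cat "$host/authorized_default")" = 0 ] || echo "${host##*/}"
    done
}

# Constructed stand-in for /sys/bus/usb/devices; the IDs are made-up samples.
demo=$(mktemp -d)
mkdev() {
    mkdir -p "$demo/$1"
    echo "$2" > "$demo/$1/idVendor"; echo "$3" > "$demo/$1/idProduct"
    echo 1 > "$demo/$1/authorized"
}
mkdir -p "$demo/usb1"; echo 1 > "$demo/usb1/authorized_default"
mkdev 1-1 aaaa 0001; mkdev 1-1.2 bbbb 0002
usb_lock_hosts "$demo"
usb_apply_allowlist "$demo" "aaaa:0001"
usb_open_hosts "$demo"    # prints nothing once every host is locked
```

On a real device the functions are called without the directory argument, as root, with the allowlist holding the IDs of hardware that must keep working, such as the onboard Ethernet that another answer reports goes down together with the USB ports.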
1

I don't really know that it's directly possible... Why not just physically block the user's ability to do so? Either by putting it where they can't get to it, filling in the ports, or by putting a locking mechanism over/around it.

Jacobm001
  • You don't know the environment the device will reside in. It could be located in a location that you have zero control over who has access to it, like in an AV rack somewhere in a remote location miles away. You could lock it away in a cabinet, but usually the on-site management or personnel will still have access to those cabinets. It's easier to give a block at software level to discourage people playing around. – ScottN Mar 24 '20 at 20:31
  • @ScottN: Sure, I guess. Filling in the ports with epoxy would solve that issue, but really... if someone has that level of physical access to the device, all other security considerations are more or less moot anyway. – Jacobm001 Mar 24 '20 at 21:51
  • Oh, filling the ports with epoxy is truly a last resort and forget having the device usable if it's returned for RMA or something. My main point was to discourage someone playing with it like staff that hooks up a keyboard and starts up YouTube and watches videos when that device is supposed to be used to do signage or whatever. – ScottN Mar 24 '20 at 22:23
0

Use SELinux. Look this up online and you'll have a great many resources. It was developed for this purpose. You can then disable/enable ports and other features of your Linux system.

donitel