Hi,
Is it possible to use a USB class filter driver to enforce a USB
topology on the system? To be more specific, I am trying to baseline a
system’s USB topology down to device and port it is connected to, and
prevent people from plugging devices into a different port (or alert).
This is not just for storage devices, but for any kind of USB device.
I also want the ability to do a soft policy like limit the number of
keyboards or other HID devices.
However, I do not really see a way to use a filter driver to find what
port devices are attached to. I can see the vid/pid by calling
WdfUsbTargetDeviceGetDeviceDescriptor to see the device descriptor for
each device, but nothing relating to the topology.
In userland, I can use SetupDiEnumDeviceInfo and get the
SP_DEVINFO_DATA device information sets, get device properties, and
then use the CM_ functions to determine what is a parent and child in
the device tree, but is there a similar way to do this in kernel space
(or is it not recommended)? If I do this in userspace, is it possible
to have the userspace service tell the driver to disallow a
non-permitted device or even do it from there?
Also, what method or IOCTLs should I filter to disconnect or prevent
connection of a USB device?
I realize this is not something the end user would install on a
system, but this is a research exercise.
Thanks.
Disabling host USB ports can be done efficiently in the BIOS
(this disables the ports in the ICH chip) and protected by admin password.
Do you also want to ban USB hubs?
Users can attach their stuff with hubs and confuse your “policy”.
– pa
cruxpot wrote:
> Is it possible to use a USB class filter driver to enforce a USB
> topology on the system? To be more specific, I am trying to baseline a
> system’s USB topology down to device and port it is connected to, and
> prevent people from plugging devices into a different port (or alert).
> This is not just for storage devices, but for any kind of USB device.
> I also want the ability to do a soft policy like limit the number of
> keyboards or other HID devices.
Why, for heaven’s sake?
> However, I do not really see a way to use a filter driver to find what
> port devices are attached to. I can see the vid/pid by calling
> WdfUsbTargetDeviceGetDeviceDescriptor to see the device descriptor for
> each device, but nothing relating to the topology.
USB hubs support an ioctl interface that lets you take an inventory of
their ports and the port content. Look at the usbview sample in the WDK
– it’s the best example of that interface. All those ioctls can be
sent from a kernel driver.
Of course, by the time you can query the hub, the devices have already
enumerated and had drivers loaded.
> Also, what method or IOCTLs should I filter to disconnect or prevent
> connection of a USB device?
Well, the terms “connect” and “disconnect” are not the right ones here.
In the USB world, that’s a physical activity. Assuming you are in the
stack, you can interrupt the loading of the function driver by returning
an error from AddDevice, although it will appear with a yellow bang in
Device Manager.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
A USB bus filter driver can filter at the PDO level on all hubs (root and
attached) and implement whatever policies you want. It is a major piece of
work and undocumented and bus filter drivers are only supported within the
confines of Redmond.
Mark Roddy
> stack, you can interrupt the loading of the function driver by returning
> an error from AddDevice, although it will appear with a yellow bang in
> Device Manager.
Bus filter? filtering away the wrong device IDs?
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
> whatever policies you want. It is a major piece of work and undocumented and bus filter drivers are
> only supported within the confines of Redmond.
Is there any existing inbox (included to Windows distro ISO) bus filter driver?
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
On 12-Nov-2014 21:42, Maxim S. Shatskih wrote:
> Is there any existing inbox (included to Windows distro ISO) bus filter driver?
ACPI filters PCI, for example.
Would it be possible to delay loading of a driver for a device until
the filter driver can send a request to the userland service which
could then query the bus and/or check its policy set? This is probably
a very bad idea but I want to know if it’s possible.
Or is it possible to check the USB device attributes in the class
filter driver such as the port a USB device is connected to (such as
with the SetupDi* and CM_* functions) or is this too difficult to do?
Can I passively get the configuration and endpoint descriptors for a
USB device from the filter driver?
Also is it possible to use the
IOCTL_INTERNAL_USB_GET_TOPOLOGY_ADDRESS control code to grab a
USB_TOPOLOGY_ADDRESS structure and would that help me inside the class
filter driver to get topology data? I have seen little sample code on
this.
Thanks.
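An added sketch, not code from any poster in this thread or from the WDK, of the policy check a userland service could run once it has each device's port path, VID/PID and class: a baselined device is allowed only on its baselined port path, and HID devices are capped. `port_path` is a stand-in modelled on the `RootHubPortNumber` and `HubPortNumber` fields of `USB_TOPOLOGY_ADDRESS`; every name and sample value here is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TIERS 5    /* external hub tiers, as in HubPortNumber[5] */
#define CLASS_HID 0x03
/* Stand-in for the port fields of USB_TOPOLOGY_ADDRESS (not the WDK type). */
struct port_path { uint16_t root_port; uint16_t hub_port[MAX_TIERS]; };
/* cls: class code the caller resolved from the device or interface descriptor. */
struct usb_dev { struct port_path where; uint16_t vid, pid; uint8_t cls; };
enum verdict { ALLOW, WRONG_PORT, UNKNOWN_DEVICE, HID_LIMIT };
static int same_path(const struct port_path *a, const struct port_path *b)
{
    return a->root_port == b->root_port &&
           memcmp(a->hub_port, b->hub_port, sizeof a->hub_port) == 0;
}
/* Judge one observed device; *hid_seen counts HID devices allowed so far. */
enum verdict check_device(const struct usb_dev *d, const struct usb_dev *base,
                          size_t nbase, unsigned hid_limit, unsigned *hid_seen)
{
    int known = 0;
    for (size_t i = 0; i < nbase; i++) {
        if (base[i].vid != d->vid || base[i].pid != d->pid)
            continue;
        known = 1;          /* this model is baselined on some port */
        if (!same_path(&base[i].where, &d->where))
            continue;       /* the same model may be baselined on several ports */
        if (d->cls == CLASS_HID && *hid_seen >= hid_limit)
            return HID_LIMIT;
        *hid_seen += (d->cls == CLASS_HID);
        return ALLOW;
    }
    return known ? WRONG_PORT : UNKNOWN_DEVICE;
}

/* Constructed sample baseline; the VID/PID values are made up. */
static const struct usb_dev BASELINE[] = {
    { { 1, {0} }, 0x1111, 0x0001, CLASS_HID },  /* keyboard, root port 1 */
    { { 2, {0} }, 0x2222, 0x0002, 0x08 },       /* storage, root port 2 */
};

int main(void)
{
    unsigned hid = 0;
    struct usb_dev moved = { { 3, {4} }, 0x2222, 0x0002, 0x08 }; /* behind a hub */
    printf("verdict=%d\n", check_device(&moved, BASELINE, 2, 1, &hid));
    return 0;
}
```

Because the path includes every hub tier, a baselined device re-plugged behind an extra hub no longer matches and is reported as `WRONG_PORT`.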