RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1479241 - [RFE] Make it possible to whitelist only encrypted USB flash drives
Summary: [RFE] Make it possible to whitelist only encrypted USB flash drives
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: usbguard
Version: 7.4
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: pre-dev-freeze
: 7.5
Assignee: Daniel Kopeček
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1490339 1646126
TreeView+ depends on / blocked
 
Reported: 2017-08-08 07:35 UTC by Daniel Kopeček
Modified: 2018-11-05 08:24 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1490339 1646126 (view as bug list)
Environment:
Last Closed: 2018-11-05 08:24:29 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dkopecek usbguard issues 198 0 None closed [RFE] Provide a policy to allow only encrypted USB devices 2020-08-21 15:14:30 UTC

Description Daniel Kopeček 2017-08-08 07:35:35 UTC 
Description of problem:

(From the upstream ticket)

Flash drives are widely used to share information between computers. In high security environments the use of the USB flash drives is not allowed because the data can be stolen. Network bound disk encryption allows data to be bound to network. So if a device can be encrypted and used only on the network then the data can't be stolen since it is encrypted. There is currently no integration with network bound disk encryption. The requested feature is to enhance USB guard to have a policy to allow only NBDE encrypted drives to enforce that only encrypted USB devices can be used in the high security environments and data is not leaked or stolen.
Comment 1 Jiri Jaburek 2017-08-08 10:25:24 UTC 
NBDE (well, clevis) is really just a way to get password for a LUKS keyslot over network, there's not much to "integrate" with. Maybe a generic usbguard rule match for drives with LUKS metadata, so anything non-LUKS would be blocked/rejected, but then you run into issues of partitions and the entire solutions becomes pretty "hacky".

Plus it can be easily faked via a fake LUKS header ie. in the first few-KB-wide partition, with the unencrypted data in the second one. Or with a partition scheme usbguard wouldn't anticipate (ie. GPT, Apple Partition Map, etc., all of which are recognized by the kernel).
Even if we were to allow only no-partition-LUKS, it could still be faked via a number of other ways.

What would make more sense to me instead is to provide another layer of security by using (generic) signatures at the beginning of the USB drive, possibly authenticated using tang (the "server" in the NBDE scheme), independently of whether the drive (or any partitions on it) is encrypted or not.
Comment 2 Nathaniel McCallum 2017-08-08 16:38:00 UTC 
I don't think the signature option can work. The signature would have to sign data reported by the USB device itself (such as manufacturer, product, serial, etc). However, this data can be easily spoofed by readily available and inexpensive programmable hardware. This would mean that an attacker could easily copy the signature from one device to another in order to foil the device level authentication.

Since we are depending on specially crafted partition/LUKS/clevis layouts anyway, we can just define a very narrow format we support and reject all others.
Comment 3 Nathaniel McCallum 2017-08-08 16:48:49 UTC 
Let's make a threat model. We assume that the goal of the attacker is to exfiltrate data on a trusted system using a USB key.

1. The user creates a normal filesystem with or without a partition table. USBGuard should reject this and allow only LUKS.

2. The user creates a LUKS device without a partition table. However, the user knows the LUKS password. USBGuard could check to see if there is clevis metadata with luksmeta.

However, since clevis itself listens to password prompts, the attacker could simply fake clevis metadata and then answer the prompt themselves with the known password. In order to bypass this, we need a way to disable these prompts.

This means that clevis needs to take over LUKS unlocking. A much less invasive change would be for clevis to define its own on-disk format and handle its own unlocking. In this case, clevis could define that the disk is non-interactive and would never prompt the user at all. USBGuard could then allow only these non-interactive volumes.
Note You need to log in before you can comment on or make changes to this bug.