
Re: How to secure access to SD cards a la USBGuard?



On Fri 10 Dec 2021 at 17:20:52 (+0100), Andrei POPESCU wrote:
> On Lu, 06 dec 21, 10:18:49, David Wright wrote:
> > On Sun 05 Dec 2021 at 13:33:41 (+0100), Andrei POPESCU wrote:
> > > On Vi, 12 nov 21, 12:27:59, Stefan Monnier wrote:
> > > > 
> > > > As mentioned, the way to control it will depend on the specific tool
> > > > used to mount.  E.g. if it's mounted by hand via a rule in /etc/fstab,
> > > > then you can use rules that specify the device via /etc/disk/by-uuid.
> > > > 
> > > > Do note that partition UUIDs are not designed to be reliable w.r.t
> > > > malicious uses (it's easy to create a partition with the same UUID as
> > > > some other).
> > > 
> > > /dev/disk/by-id/ should be device specific.
> > 
> > It certainly is, but specific to the card reader reading it,
> > not the card. And that's whether the card is plugged into a
> > slot on the computer, or into a discrete SD/USB adapter.
> 
> At least with the built-in reader on an Acer Chromebook R13 the ID 
> changes with every card I tested, but you are indeed right about USB 
> adapters (at least for the two I could test).

I did some comparisons between machines, and it would appear that
when the link starts with /dev/disk/by-id/mmc- then the ID is
that of the card, whereas when it starts with /dev/disk/by-id/usb-
then the ID is that of the card reader. Note that I did all the
comparisons using fullsize SD cards pushed into slots in the PCs,
so there were no separate adapters involved, neither SD→USB, nor µSD→SD.

As one might expect, googling mmc and usb is swamped with stuff about
MMC and SD /cards/, so I haven't read anything about the differences
between these slots on different computers. But I guess that if you
want to distinguish SD cards by their identification/serial number,
rather than strings that you write onto them (UUID/LABEL), you need
to use a PC with an mmc-style slot.

Cheers,
David.
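
An added example, not part of the original message: a small audit that applies the mmc-/usb- prefix observation above to a card allow-list, treating usb- links as unable to identify the card. The function names, the verdict labels and every ID in the sample directory are assumptions constructed for illustration.

```python
import os
import re
import tempfile

def identifies(link_name):
    """What a /dev/disk/by-id name identifies, per the prefixes compared above."""
    if link_name.startswith("mmc-"):
        return "card"
    if link_name.startswith("usb-"):
        return "reader"
    return "other"

def audit(by_id_dir, allowed_card_ids):
    """Map each by-id link to (kernel device, verdict) for a card allow-list."""
    report = {}
    for name in sorted(os.listdir(by_id_dir)):
        path = os.path.join(by_id_dir, name)
        if not os.path.islink(path):
            continue
        device = os.path.basename(os.readlink(path))
        base_id = re.sub(r"-part\d+$", "", name)  # partitions share the disk's ID
        kind = identifies(name)
        if kind == "card":
            verdict = "allow" if base_id in allowed_card_ids else "deny"
        elif kind == "reader":
            # The ID is the reader's: any card inserted would match it.
            verdict = "unverifiable"
        else:
            verdict = "ignore"
        report[name] = (device, verdict)
    return report

def build_sample(dirpath):
    """Constructed stand-in for /dev/disk/by-id; all names are made up."""
    links = {
        "mmc-SD16G_0xaabbccdd": "../../mmcblk0",
        "mmc-SD16G_0xaabbccdd-part1": "../../mmcblk0p1",
        "mmc-SD32G_0x11223344": "../../mmcblk1",
        "usb-Generic_Reader_000000000001-0:0": "../../sdb",
        "ata-Example_Disk_SN0001": "../../sda",
    }
    for name, target in links.items():
        os.symlink(target, os.path.join(dirpath, name))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, (dev, verdict) in audit(d, {"mmc-SD16G_0xaabbccdd"}).items():
            print(f"{verdict:13} {dev:10} {name}")
```

On a real system, pass /dev/disk/by-id as the directory and the IDs of your own cards as the allow-list.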

