Re: [PATCH v2 0/1] HID: add malicious HID device detection driver

Next message: syzbot: "Re: [syzbot] [kernel?] INFO: rcu detected stall in kill"
Previous message: Eric Biggers: "[PATCH wireless-next 6/6] crypto: Remove michael_mic from crypto_shash API"
In reply to: Zubeyr Almaho: "[PATCH v2 1/1] HID: add malicious HID device detection driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg KH

Date: Sun Apr 05 2026 - 01:32:26 EST

On Sat, Apr 04, 2026 at 04:37:44PM +0300, Zubeyr Almaho wrote:
> Hi Jiri, Benjamin,
>
> This series introduces hid-omg-detect, a passive HID monitor that scores
> potentially malicious keyboard-like USB devices (BadUSB / O.MG style)
> using:
>
> - keystroke timing entropy,
> - plug-and-type latency,
> - USB descriptor fingerprinting.
>
> When the configurable threshold is crossed, the module emits a warning
> with a userspace mitigation hint (usbguard).
>
> The driver does not block, delay, or modify HID input events.

That's cute, but no need to get security@xxxxxxxxxx involved as this is
a new feature, not a bug triage.

Also, why not just do this as an ebpf program instead as you have full
access to the hid data stream there?

thanks,

greg k-h