
Set uaccess tag for U2F/FIDO2 keys #11996

Closed
nickray opened this issue Mar 13, 2019 · 3 comments

Comments

@nickray

commented Mar 13, 2019

Is your feature request related to a problem? Please describe.
To use FIDO2 hardware authenticators, users need access to the corresponding HIDRAW device. Some methods in use are

  • user adds rule manually
  • install package libu2f-host which includes a file 70-u2f.rules. This needs manual updating upstream. Debian does this I believe.
  • install package u2f-hidraw-policy which checks if the HID usage page is 0xf1d0

The first is tedious for the user, the second tedious for the vendor.

Describe the solution you'd like
I would like udev to subsume the functionality of u2f-hidraw-policy and tag FIDO devices as uaccess. This seems like the correct solution, given https://www.usb.org/sites/default/files/hutrr48.pdf

Describe alternatives you've considered
Listed above.

@poettering

Member

commented Mar 14, 2019

It would probably be fine to fold the u2f-hidraw-policy callout stuff into usb_id, given that it is relatively short and simple. But this really needs a contributed patch

@FabianHenneke

Contributor

commented Aug 17, 2019

Since I need a generic udev rule such as the one provided by u2f-hidraw-policy for a personal project, I would be willing to supply the patch.

Even though so far all available security tokens have used USB transport, all implementations I know of accept any kind of HID device with the right usage and usage page. Would it also be acceptable to go with the original proposal and add a hidraw_id module instead of integrating into usb_id?

The security concerns could potentially be alleviated by adding a libfuzz target for the HID descriptor parser. I could make the required modifications.

@FabianHenneke

Contributor

commented Aug 19, 2019

I just created a pull request #13357 that combines a systemd-ized version of u2f-hidraw-policy with a test suite and a fuzzer for the descriptor parser. Please let me know what you think.

@yuwata yuwata added the has-pr label Aug 19, 2019

FabianHenneke added a commit to FabianHenneke/systemd that referenced this issue Aug 20, 2019
udev: Add id program for hidraw devices. Fixes: systemd#11996.
Add a hidraw_id program meant to be run for devices in the hidraw
subsystem via an IMPORT directive. The program parses the HID report
descriptor and assigns environment variables based on the declared
usage.

The currently only purpose of this program is to automatically label
FIDO security tokens with ID_SECURITY_TOKEN, which allows access from
userspace. Until now, every new security token model had to be manually
whitelisted.

This commit is accompanied by a test suite and a fuzzer target for the
descriptor parsing routine.
FabianHenneke added a commit to FabianHenneke/systemd that referenced this issue Aug 21, 2019
udev: Add id program for hidraw devices (e.g. security tokens)
Add a hidraw_id program meant to be run for devices in the hidraw
subsystem via an IMPORT directive. The program parses the HID report
descriptor and assigns environment variables based on the declared
usage.

The currently only purpose of this program is to automatically label
FIDO security tokens with ID_SECURITY_TOKEN, which allows access from
userspace. Until now, every new security token model had to be manually
whitelisted.

This commit is accompanied by a test suite and a fuzzer target for the
descriptor parsing routine.

Fixes: systemd#11996.
FabianHenneke added a commit to FabianHenneke/systemd that referenced this issue Aug 21, 2019
udev: Add id program and rule for FIDO security tokens
Add a fido_id program meant to be run for devices in the hidraw
subsystem via an IMPORT directive. The program parses the HID report
descriptor and assigns the ID_SECURITY_TOKEN environment variable if a
declared usage matches the FIDO_CTAPHID_USAGE declared in the FIDO CTAP
specification. This replaces the previous approach of whitelisting all
known security token models manually.

This commit is accompanied by a test suite and a fuzzer target for the
descriptor parsing routine.

Fixes: systemd#11996.
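The check the issue asks for at the top of the thread (match on HID usage page 0xf1d0 rather than on a per-model whitelist) and that the fido_id commit message above describes, as an added example. This is not systemd's fido_id or hidraw_id code and not the u2f-hidraw-policy helper; the function name, the constants and the four sample descriptors are constructed for this example. It walks the HID report descriptor item by item, tracks the current Usage Page, and reports whether any Usage resolves to the CTAPHID usage (page 0xF1D0, usage 0x01); every read is bounds-checked, which is the property the fuzzer target mentioned in the thread exists to exercise.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not systemd's fido_id/hidraw_id: a bounds-checked walk over a
 * HID report descriptor that reports whether it declares the FIDO CTAPHID
 * usage (usage page 0xF1D0 per hutrr48, usage 0x01 on that page). */

#define FIDO_USAGE_PAGE     0xF1D0u
#define FIDO_USAGE_CTAPHID  0x01u
#define FIDO_FULL_USAGE     (((uint32_t)FIDO_USAGE_PAGE << 16) | FIDO_USAGE_CTAPHID)

/* HID 1.11 section 6.2.2: a short item's prefix byte is bTag:4 bType:2 bSize:2. */
#define ITEM_SIZE(p)   ((p) & 0x03u)
#define ITEM_TYPE(p)   (((p) >> 2) & 0x03u)
#define ITEM_TAG(p)    (((p) >> 4) & 0x0Fu)
#define TYPE_GLOBAL    1u
#define TYPE_LOCAL     2u
#define TAG_USAGE_PAGE 0u       /* global item tag 0 */
#define TAG_USAGE      0u       /* local item tag 0  */
#define LONG_ITEM      0xFEu    /* prefix byte of a long item */

/* Returns 1 if the descriptor declares the CTAPHID usage, 0 if it does not,
 * and -1 if an item claims more data bytes than remain (truncated input).
 * Every access is checked against len before it happens. */
int hid_descriptor_is_fido(const uint8_t *desc, size_t len) {
        uint32_t usage_page = 0;
        size_t i = 0;

        while (i < len) {
                uint8_t prefix = desc[i++];
                size_t size;

                if (prefix == LONG_ITEM) {
                        /* long item: bDataSize, bLongItemTag, then data bytes */
                        if (len - i < 2)
                                return -1;
                        size = desc[i];
                        i += 2;
                        if (len - i < size)
                                return -1;
                        i += size;      /* nothing we need lives in long items */
                        continue;
                }

                size = ITEM_SIZE(prefix);
                if (size == 3)
                        size = 4;       /* bSize 3 encodes four data bytes */
                if (len - i < size)
                        return -1;

                uint32_t data = 0;      /* item data is little-endian */
                for (size_t k = 0; k < size; k++)
                        data |= (uint32_t)desc[i + k] << (8 * k);
                i += size;

                if (ITEM_TYPE(prefix) == TYPE_GLOBAL && ITEM_TAG(prefix) == TAG_USAGE_PAGE) {
                        usage_page = data & 0xFFFFu;
                } else if (ITEM_TYPE(prefix) == TYPE_LOCAL && ITEM_TAG(prefix) == TAG_USAGE) {
                        /* A 4-byte Usage is an extended usage carrying its own page in
                         * the upper 16 bits; shorter ones inherit the current Usage Page. */
                        uint32_t full = (size == 4) ? data
                                                    : ((usage_page << 16) | (data & 0xFFFFu));
                        if (full == FIDO_FULL_USAGE)
                                return 1;
                }
        }
        return 0;
}

/* Constructed sample descriptors (assumptions for this example, not captured
 * from any particular product). */
const uint8_t CTAPHID_DESC[] = {
        0x06, 0xD0, 0xF1,       /* Usage Page (FIDO Alliance, 0xF1D0) */
        0x09, 0x01,             /* Usage (CTAPHID) */
        0xA1, 0x01,             /* Collection (Application) */
        0x09, 0x20,             /* Usage (Input Report Data) */
        0x15, 0x00,             /* Logical Minimum (0) */
        0x26, 0xFF, 0x00,       /* Logical Maximum (255) */
        0x75, 0x08,             /* Report Size (8) */
        0x95, 0x40,             /* Report Count (64) */
        0x81, 0x02,             /* Input (Data, Var, Abs) */
        0xC0                    /* End Collection */
};
/* The same usage written as one 4-byte extended Usage item. */
const uint8_t CTAPHID_EXTENDED_DESC[] = { 0x0B, 0x01, 0x00, 0xD0, 0xF1, 0xA1, 0x01, 0xC0 };
/* A boot keyboard: Generic Desktop page, Keyboard usage, key-modifier bits. */
const uint8_t KEYBOARD_DESC[] = {
        0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0x05, 0x07, 0x19, 0xE0, 0x29, 0xE7,
        0x15, 0x00, 0x25, 0x01, 0x75, 0x01, 0x95, 0x08, 0x81, 0x02, 0xC0
};
/* A 2-byte Usage Page item with only one data byte behind it. */
const uint8_t TRUNCATED_DESC[] = { 0x06, 0xD0 };

int main(void) {
        printf("ctaphid:   %d\n", hid_descriptor_is_fido(CTAPHID_DESC, sizeof CTAPHID_DESC));
        printf("extended:  %d\n", hid_descriptor_is_fido(CTAPHID_EXTENDED_DESC, sizeof CTAPHID_EXTENDED_DESC));
        printf("keyboard:  %d\n", hid_descriptor_is_fido(KEYBOARD_DESC, sizeof KEYBOARD_DESC));
        printf("truncated: %d\n", hid_descriptor_is_fido(TRUNCATED_DESC, sizeof TRUNCATED_DESC));
        return 0;
}
```

In a udev helper the result only matters in one direction: on 1 the program prints ID_SECURITY_TOKEN=1 for the IMPORT directive to pick up, and a later rule of the shape `SUBSYSTEM=="hidraw", ENV{ID_SECURITY_TOKEN}=="1", TAG+="uaccess"` grants the seat's logged-in user access to the node (this is the shape such a rule takes, not a quote of the merged PR). On 0 or -1 it prints nothing, so an unparseable descriptor fails closed and the device stays root-only, exactly as it would under the old per-model rules. The caveat a practitioner should keep in mind is that the usage page is a self-declaration by the device: anything that enumerates with usage 0xF1D0/0x01 gets raw HID access from the console user, which is no weaker than trusting a vendor/product ID pair, but it is a trust decision rather than an authentication.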

@yuwata yuwata closed this in d45ee2f Sep 6, 2019
