Discussion:
[systemd-devel] Writing a udev rule for U2F security tokens?
Andy Lutomirski
2014-10-27 23:12:30 UTC
Hi-

I'd like to write a generic udev rule for U2F security tokens and to
possibly get it integrated into systemd / udev, but I'm not sure how
to write it in the first place.

U2F tokens are USB HID devices that have a usage page 0xF1D0 that
contains usage 0x01. The rule should match any hidraw device with
that property. Can this be done without a user helper? Is there an
existing helper in which it would make sense to add such a check?

Here's the draft USB forum allocation:

http://www.usb.org/developers/hidpage/HUTRR48.pdf

Here's the draft spec from the FIDO Alliance:

https://fidoalliance.org/specs/fido-u2f-HID-protocol-v1.0-rd-20141008.pdf

In practice, I expect little change between the draft and final specs,
since these devices are already for sale and Chromium supports them.

Thanks,
Andy
Greg KH
2014-10-27 23:32:42 UTC
Post by Andy Lutomirski
Hi-
I'd like to write a generic udev rule for U2F security tokens and to
possibly get it integrated into systemd / udev, but I'm not sure how
to write it in the first place.
U2F tokens are USB HID devices that have a usage page 0xF1D0 that
contains usage 0x01. The rule should match any hidraw device with
that property. Can this be done without a user helper? Is there an
existing helper in which it would make sense to add such a check?
http://www.usb.org/developers/hidpage/HUTRR48.pdf
https://fidoalliance.org/specs/fido-u2f-HID-protocol-v1.0-rd-20141008.pdf
In practice, I expect little change between the draft and final specs,
since these devices are already for sale and Chromium supports them.
I don't understand, what would a udev rule do with these devices?
Shouldn't they be exported automatically using the hid "raw" interface
so that userspace can talk to them? What else needs to be done?

thanks,

greg k-h
Andy Lutomirski
2014-10-27 23:37:14 UTC
Post by Greg KH
Post by Andy Lutomirski
Hi-
I'd like to write a generic udev rule for U2F security tokens and to
possibly get it integrated into systemd / udev, but I'm not sure how
to write it in the first place.
U2F tokens are USB HID devices that have a usage page 0xF1D0 that
contains usage 0x01. The rule should match any hidraw device with
that property. Can this be done without a user helper? Is there an
existing helper in which it would make sense to add such a check?
http://www.usb.org/developers/hidpage/HUTRR48.pdf
https://fidoalliance.org/specs/fido-u2f-HID-protocol-v1.0-rd-20141008.pdf
In practice, I expect little change between the draft and final specs,
since these devices are already for sale and Chromium supports them.
I don't understand, what would a udev rule do with these devices?
Shouldn't they be exported automatically using the hid "raw" interface
so that userspace can talk to them? What else needs to be done?
Wow, I clearly failed to transfer my thoughts into email...

I want to set ID_SECURITY_TOKEN=1 or, more generally, cause the
uaccess tag to be set so that users have permission to use the token.

This rule works in Fedora for the existing tokens by Yubico:

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", \
  ATTRS{idProduct}=="0113|0114|0115|0116|0120", \
  ENV{ID_SECURITY_TOKEN}="1"

but it won't work for other brands of U2F token.

--Andy
Greg KH
2014-10-28 08:40:53 UTC
Post by Andy Lutomirski
Post by Greg KH
Post by Andy Lutomirski
Hi-
I'd like to write a generic udev rule for U2F security tokens and to
possibly get it integrated into systemd / udev, but I'm not sure how
to write it in the first place.
U2F tokens are USB HID devices that have a usage page 0xF1D0 that
contains usage 0x01. The rule should match any hidraw device with
that property. Can this be done without a user helper? Is there an
existing helper in which it would make sense to add such a check?
http://www.usb.org/developers/hidpage/HUTRR48.pdf
https://fidoalliance.org/specs/fido-u2f-HID-protocol-v1.0-rd-20141008.pdf
In practice, I expect little change between the draft and final specs,
since these devices are already for sale and Chromium supports them.
I don't understand, what would a udev rule do with these devices?
Shouldn't they be exported automatically using the hid "raw" interface
so that userspace can talk to them? What else needs to be done?
Wow, I clearly failed to transfer my thoughts into email...
I want to set ID_SECURITY_TOKEN=1 or, more generally, cause the
uaccess tag to be set so that users have permission to use the token.
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050",
ATTRS{idProduct}=="0113|0114|0115|0116|0120",
ENV{ID_SECURITY_TOKEN}="1"
but it won't work for other brands of U2F token.
If there's no sysfs attribute that you can read directly to determine
that it is a U2F token, then it's not easy to write a udev rule.

You can write a "simple" program to read the hid pages from the hidraw
interface, and then set an environment variable from there if the "FIDO
Alliance Page" is present. You can use a udev rule for that, but it
will have to be an external tool.

hope this helps,

greg k-h
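The "simple" program Greg describes, as an added example that is not code from the thread, from udev or from Yubico: it walks a HID report descriptor and reports whether usage 0x01 on usage page 0xF1D0 is declared, which is the property Andy's generic rule needs. It assumes a udev rule would run it via IMPORT{program} (the helper prints ID_SECURITY_TOKEN=1 on a match) and that the raw descriptor bytes are read from a file such as the HID device's report_descriptor sysfs attribute; the sample descriptors are constructed, not captured from real hardware.

```c
#include <stddef.h>
#include <stdint.h>

/* Full 32-bit usage (page << 16 | usage) of the U2F HID usage: usage 0x01
 * on the FIDO Alliance usage page 0xF1D0 allocated in HUTRR48. */
#define U2FHID_USAGE 0xF1D00001u

/* Walk the HID report descriptor item stream and return 1 if it declares
 * the U2F HID usage, 0 otherwise. Each short item starts with a prefix byte
 * laid out as bTag (4 bits) | bType (2 bits) | bSize (2 bits). */
int descriptor_is_u2f(const uint8_t *d, size_t len)
{
    static const size_t sizes[4] = { 0, 1, 2, 4 };
    uint32_t page = 0;                        /* current global Usage Page */
    size_t i = 0;

    while (i < len) {
        uint8_t prefix = d[i++];
        uint32_t value = 0;
        size_t n;
        if (prefix == 0xFE) {                 /* long item: skip size, tag, data */
            if (i + 2 > len || i + 2 + d[i] > len) return 0;
            i += 2 + d[i];
            continue;
        }
        n = sizes[prefix & 0x03];
        if (i + n > len) return 0;            /* truncated descriptor: no match */
        for (size_t k = 0; k < n; k++)        /* item data is little-endian */
            value |= (uint32_t)d[i + k] << (8 * k);
        i += n;
        if ((prefix & 0xFC) == 0x04) {        /* global item tag 0: Usage Page */
            page = value & 0xFFFF;
        } else if ((prefix & 0xFC) == 0x08) { /* local item tag 0: Usage */
            uint32_t full = (n == 4) ? value : (page << 16) | (value & 0xFFFF);
            if (full == U2FHID_USAGE) return 1;
        }
    }
    return 0;
}

/* Constructed sample descriptors (not captured from real hardware): the U2F
 * HID application collection with 64-byte input/output reports, the same
 * usage written as a 4-byte extended usage item, and a Generic Desktop
 * keyboard collection that the helper must not match. */
static const uint8_t u2f_desc[] = {
    0x06, 0xD0, 0xF1, 0x09, 0x01, 0xA1, 0x01,             /* page F1D0, usage 1 */
    0x09, 0x20, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x81, 0x02,
    0x09, 0x21, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x91, 0x02,
    0xC0 };
static const uint8_t ext_usage_desc[] = { 0x0B, 0x01, 0x00, 0xD0, 0xF1, 0xA1, 0x01, 0xC0 };
static const uint8_t keyboard_desc[] = { 0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0xC0 };
```

Because the check keys on the usage page rather than on idVendor/idProduct, it matches any vendor's token without the per-product list in the Fedora rule.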
Andy Lutomirski
2014-10-28 16:44:38 UTC
Post by Greg KH
Post by Andy Lutomirski
Post by Greg KH
Post by Andy Lutomirski
Hi-
I'd like to write a generic udev rule for U2F security tokens and to
possibly get it integrated into systemd / udev, but I'm not sure how
to write it in the first place.
U2F tokens are USB HID devices that have a usage page 0xF1D0 that
contains usage 0x01. The rule should match any hidraw device with
that property. Can this be done without a user helper? Is there an
existing helper in which it would make sense to add such a check?
http://www.usb.org/developers/hidpage/HUTRR48.pdf
https://fidoalliance.org/specs/fido-u2f-HID-protocol-v1.0-rd-20141008.pdf
In practice, I expect little change between the draft and final specs,
since these devices are already for sale and Chromium supports them.
I don't understand, what would a udev rule do with these devices?
Shouldn't they be exported automatically using the hid "raw" interface
so that userspace can talk to them? What else needs to be done?
Wow, I clearly failed to transfer my thoughts into email...
I want to set ID_SECURITY_TOKEN=1 or, more generally, cause the
uaccess tag to be set so that users have permission to use the token.
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050",
ATTRS{idProduct}=="0113|0114|0115|0116|0120",
ENV{ID_SECURITY_TOKEN}="1"
but it won't work for other brands of U2F token.
If there's no sysfs attribute that you can read directly to determine
that it is a U2F token, then it's not easy to write a udev rule.
You can write a "simple" program to read the hid pages from the hidraw
interface, and then set an environment variable from there if the "FIDO
Alliance Page" is present. You can use a udev rule for that, but it
will have to be an external tool.
Would a tool like that be considered appropriate to distribute with
udev? It would have somewhat unpleasant overhead for what is
currently a niche use case.

I suppose the kernel could also be modified to expose this, but doing
that cleanly will involve exposing all the usage pages in sysfs, which
is more complexity than I really want to add.

--Andy
