[systemd-devel] Supporting U2F over HID on Linux?

Andy Lutomirski luto at amacapital.net
Sun Nov 2 10:57:14 PST 2014


I want to get U2F (universal second factor, sometimes called "security
key" or even "gnubby") working on Linux.  U2F tokens are HID devices
that speak a custom protocol.  The intent is that user code will speak
to them using something like HIDAPI.

The trick is that, for HIDAPI to work, something needs to recognize
these devices and get udev to set appropriate device permissions.

My question is: how should this be done?  The official way to
enumerate U2F devices is to look for a HID usage page 0xf1d0
containing usage 0x1.

Options include:

 - A builtin udev helper that reads the sysfs report_descriptor for
hid or hidraw devices and sets attributes accordingly (either
ID_SECURITY_TOKEN or something more general).

 - A udev helper that does this and doesn't live in the systemd tree.
I don't love this option -- I'd prefer for this to be as plug-and-play
as possible.

 - HID core code in the kernel to add
HID_USAGES=f1d00001:lots:of:other:things to the uevent (or udev code
to do the same).  This might end up producing a rather long string for
some devices.

 - An actual kernel driver for U2F devices using the hid group
mechanism for enumeration.  This seems overcomplicated.

Concretely, my U2F device is:

/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:1050:0120.0011/hidraw/hidraw0

The 0xf1d0 thing is enumerable on
/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:1050:0120.0011.

Thoughts?

--Andy

