[systemd-devel] Supporting U2F over HID on Linux?

David Herrmann dh.herrmann at gmail.com
Mon Nov 3 11:03:05 PST 2014


Hi

On Sun, Nov 2, 2014 at 7:57 PM, Andy Lutomirski <luto at amacapital.net> wrote:
> I want to get U2F (universal second factor, sometimes called "security
> key" or even "gnubby") working on Linux.  U2F tokens are HID devices
> that speak a custom protocol.  The intent is that user code will speak
> to them using something like HIDAPI.
>
> The trick is that, for HIDAPI to work, something needs to recognize
> these devices and get udev to set appropriate device permissions.

[snip]

>  - An actual kernel driver for U2F devices using the hid group
> mechanism for enumeration.  This seems overcomplicated.

Imho, this is the way to go. Create a proper char-dev for U2F, create
an API and make it work.

We had this discussion earlier about vendor-extensions that should be
writable via hidraw from user-space. This turned out to be really
messy and was discussed for several weeks straight. hidraw just
wasn't designed as an unprivileged user-space API. For instance, what
happens if a device provides U2F plus something else? Both will be on
the same hidraw device.
We could split hidraw per usage, but I don't see how that is superior
to a proper U2F API. And once one usage can affect a device as a whole
(like power-off), you're screwed.

Just look at the libusb mess where some devices are handled in the
kernel and some in user-space (e.g., see Gnome cheese, media devices,
...). I don't think we should repeat that with HID.

Thanks
David
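The point David makes about one hidraw node carrying U2F plus something else can be seen directly in the HID report descriptor: the usages of the top-level collections are what distinguish a FIDO authenticator from, say, a keyboard, and a composite device simply lists both. The parser below is an added example for this thread, not systemd or kernel code. It assumes the FIDO usage page 0xF1D0 with usage 0x01 from the U2F HID specification (the thread itself does not cite these values), and the three descriptors it checks are constructed samples; on Linux the same bytes are exposed per node under `/sys/class/hidraw/hidrawN/device/report_descriptor`.

```python
"""Parse a HID report descriptor and list the usages of its top-level
collections, so a udev helper can tell whether a hidraw node is (only) a
FIDO/U2F authenticator. Added example, not code from the systemd project."""
from __future__ import annotations

# Assumed from the U2F HID spec (not stated in the thread above).
FIDO_USAGE_PAGE = 0xF1D0
FIDO_USAGE_U2F = 0x01

TYPE_MAIN, TYPE_GLOBAL, TYPE_LOCAL = 0, 1, 2
TAG_USAGE_PAGE = 0x0      # global item
TAG_USAGE = 0x0           # local item
TAG_COLLECTION = 0xA      # main item
TAG_END_COLLECTION = 0xC  # main item


def parse_items(desc: bytes):
    """Yield (type, tag, size, value) for each short item; long items are skipped."""
    i, n = 0, len(desc)
    while i < n:
        prefix = desc[i]
        i += 1
        if prefix == 0xFE:  # long item: bDataSize, bLongItemTag, data...
            if i + 2 > n:
                raise ValueError("truncated long item")
            i += 2 + desc[i]
            continue
        size = (0, 1, 2, 4)[prefix & 0x3]
        item_type = (prefix >> 2) & 0x3
        tag = prefix >> 4
        if i + size > n:
            raise ValueError("truncated short item")
        value = int.from_bytes(desc[i:i + size], "little") if size else 0
        i += size
        yield item_type, tag, size, value


def top_level_usages(desc: bytes) -> list[tuple[int, int]]:
    """Return (usage_page, usage) of every top-level collection, in order."""
    usage_page = 0
    pending: list[tuple[int, int]] = []  # local usages seen since the last main item
    depth = 0
    found: list[tuple[int, int]] = []
    for item_type, tag, size, value in parse_items(desc):
        if item_type == TYPE_GLOBAL and tag == TAG_USAGE_PAGE:
            usage_page = value
        elif item_type == TYPE_LOCAL and tag == TAG_USAGE:
            # A 4-byte usage carries its own page in the upper 16 bits.
            if size == 4:
                pending.append((value >> 16, value & 0xFFFF))
            else:
                pending.append((usage_page, value))
        elif item_type == TYPE_MAIN:
            if tag == TAG_COLLECTION:
                if depth == 0 and pending:
                    found.append(pending[0])
                depth += 1
            elif tag == TAG_END_COLLECTION:
                depth -= 1
            pending = []  # local items are consumed by every main item
    return found


def is_fido_device(desc: bytes) -> bool:
    return (FIDO_USAGE_PAGE, FIDO_USAGE_U2F) in top_level_usages(desc)


def is_pure_fido_device(desc: bytes) -> bool:
    """True only if FIDO is the sole top-level collection (no shared node)."""
    return top_level_usages(desc) == [(FIDO_USAGE_PAGE, FIDO_USAGE_U2F)]


# Constructed sample descriptors (not captured from real hardware).
FIDO_DESC = bytes.fromhex(
    "06D0F1" "0901" "A101"                 # Usage Page FIDO, Usage U2F, Collection(App)
    "0920" "1500" "26FF00" "7508" "9540" "8102"  # 64-byte input report
    "0921" "1500" "26FF00" "7508" "9540" "9102"  # 64-byte output report
    "C0")
KEYBOARD_DESC = bytes.fromhex(
    "0501" "0906" "A101" "0507" "19E0" "29E7" "1500" "2501" "7501" "9508" "8102" "C0")
COMPOSITE_DESC = KEYBOARD_DESC + FIDO_DESC  # one node, keyboard plus U2F

if __name__ == "__main__":
    for name, d in (("fido", FIDO_DESC), ("keyboard", KEYBOARD_DESC),
                    ("composite", COMPOSITE_DESC)):
        print(name, [(hex(p), hex(u)) for p, u in top_level_usages(d)],
              "fido:", is_fido_device(d), "pure:", is_pure_fido_device(d))
```

The composite case is the one the reply warns about: `is_fido_device` is true, but the same hidraw node also exposes the keyboard interface, so a udev rule that opens it to unprivileged users on the strength of the FIDO usage alone also hands out the rest of the device. Checking `is_pure_fido_device` instead is the conservative choice for a permission rule.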

