[systemd-devel] Supporting U2F over HID on Linux?

Andy Lutomirski luto at amacapital.net
Mon Nov 3 11:19:34 PST 2014


On Mon, Nov 3, 2014 at 11:03 AM, David Herrmann <dh.herrmann at gmail.com> wrote:
> Hi
>
> On Sun, Nov 2, 2014 at 7:57 PM, Andy Lutomirski <luto at amacapital.net> wrote:
>> I want to get U2F (universal second factor, sometimes called "security
>> key" or even "gnubby") working on Linux.  U2F tokens are HID devices
>> that speak a custom protocol.  The intent is that user code will speak
>> to them using something like HIDAPI.
>>
>> The trick is that, for HIDAPI to work, something needs to recognize
>> these devices and get udev to set appropriate device permissions.
>
> [snip]
>
>>  - An actual kernel driver for U2F devices using the hid group
>> mechanism for enumeration.  This seems overcomplicated.
>
> Imho, this is the way to go. Create a proper char-dev for U2F, create
> an API and make it work.
>
> We had this discussion earlier about vendor-extensions that should be
> writable via hidraw from user-space. This turned out to be really
> messy, and was discussed for several weeks straight. hidraw just
> wasn't designed as unprivileged user-space API. For instance, what
> happens if a device provides U2F plus something else? Both will be on
> the same hidraw device.
> We could split hidraw per usage, but I don't see how that is superior
> to a proper U2F API. And once one usage can affect a device as a whole
> (like power-off), you're screwed.

Agreed, mostly.  My only real concern is that this could be annoying
for the userspace developers who will need to target Linux and HIDAPI
separately.  Admittedly the Linux support will be trivial.

I can give the driver a try.  It'll actually be simpler than the spec
makes it out, since a real kernel driver will have no need to
arbitrate with itself.

--Andy

>
> Just look at the libusb mess where some devices are handled in the
> kernel and some in user-space (e.g., see Gnome cheese, media devices,
> ...). I don't think we should repeat that with HID.
>
> Thanks
> David



-- 
Andy Lutomirski
AMA Capital Management, LLC
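For readers following the permissions point above (udev granting users access to the HID node so HIDAPI can open it), here is the kind of udev rule that approach relies on. This is an added example, not a rule from the thread, from systemd, or from any U2F project; the vendor and product IDs are placeholders, and the rule assumes systemd's `uaccess` tag handling (70-uaccess.rules), which hands the active seat's user an ACL on the matched device node.

```udev
# /etc/udev/rules.d/70-u2f-token.rules  (constructed example, not from the thread)
# Placeholders: replace XXXX / YYYY with the token's USB vendor and product IDs.
# TAG+="uaccess" lets systemd-logind set an ACL so the active seat's user
# can open the hidraw node without running as root.
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="XXXX", ATTRS{idProduct}=="YYYY", TAG+="uaccess"
```

Note what this grants: access to the entire hidraw node, not just the U2F usage. If the token exposes another HID function on the same interface (the "U2F plus something else" case David raises), the user gets unprivileged access to that too, which is exactly why a dedicated char device with its own API is argued for above.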

