[systemd-devel] Writing a udev rule for U2F security tokens?

Andy Lutomirski luto at amacapital.net
Mon Oct 27 16:37:14 PDT 2014


On Mon, Oct 27, 2014 at 4:32 PM, Greg KH <gregkh at linuxfoundation.org> wrote:
> On Mon, Oct 27, 2014 at 04:12:30PM -0700, Andy Lutomirski wrote:
>> Hi-
>>
>> I'd like to write a generic udev rule for U2F security tokens and to
>> possibly get it integrated into systemd / udev, but I'm not sure how
>> to write it in the first place.
>>
>> U2F tokens are USB HID devices that have a usage page 0xF1D0 that
>> contains usage 0x01.  The rule should match any hidraw device with
>> that property.  Can this be done without a user helper?  Is there an
>> existing helper in which it would make sense to add such a check?
>>
>> Here's the draft USB forum allocation:
>>
>> http://www.usb.org/developers/hidpage/HUTRR48.pdf
>>
>> Here's the draft spec from the FIDO Alliance:
>>
>> https://fidoalliance.org/specs/fido-u2f-HID-protocol-v1.0-rd-20141008.pdf
>>
>> In practice, I expect little change between the draft and final specs,
>> since these devices are already for sale and Chromium supports them.
>
> I don't understand, what would a udev rule do with these devices?
> Shouldn't they be exported automatically using the hid "raw" interface
> so that userspace can talk to them?  What else needs to be done?

Wow, I clearly failed to transfer my thoughts into email...

I want to set ID_SECURITY_TOKEN=1 or, more generally, cause the
uaccess tag to be set so that users have permission to use the token.

This rule works in Fedora for the existing tokens by Yubico:

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050",
ATTRS{idProduct}=="0113|0114|0115|0116|0120",
ENV{ID_SECURITY_TOKEN}="1"

but it won't work for other brands of U2F token.

--Andy


More information about the systemd-devel mailing list