[systemd-devel] Writing a udev rule for U2F security tokens?

Andy Lutomirski luto at amacapital.net
Tue Oct 28 09:44:38 PDT 2014


On Tue, Oct 28, 2014 at 1:40 AM, Greg KH <gregkh at linuxfoundation.org> wrote:
> On Mon, Oct 27, 2014 at 04:37:14PM -0700, Andy Lutomirski wrote:
>> On Mon, Oct 27, 2014 at 4:32 PM, Greg KH <gregkh at linuxfoundation.org> wrote:
>> > On Mon, Oct 27, 2014 at 04:12:30PM -0700, Andy Lutomirski wrote:
>> >> Hi-
>> >>
>> >> I'd like to write a generic udev rule for U2F security tokens and to
>> >> possibly get it integrated into systemd / udev, but I'm not sure how
>> >> to write it in the first place.
>> >>
>> >> U2F tokens are USB HID devices that have a usage page 0xF1D0 that
>> >> contains usage 0x01.  The rule should match any hidraw device with
>> >> that property.  Can this be done without a user helper?  Is there an
>> >> existing helper in which it would make sense to add such a check?
>> >>
>> >> Here's the draft USB forum allocation:
>> >>
>> >> http://www.usb.org/developers/hidpage/HUTRR48.pdf
>> >>
>> >> Here's the draft spec from the FIDO Alliance:
>> >>
>> >> https://fidoalliance.org/specs/fido-u2f-HID-protocol-v1.0-rd-20141008.pdf
>> >>
>> >> In practice, I expect little change between the draft and final specs,
>> >> since these devices are already for sale and Chromium supports them.
>> >
>> > I don't understand, what would a udev rule do with these devices?
>> > Shouldn't they be exported automatically using the hid "raw" interface
>> > so that userspace can talk to them?  What else needs to be done?
>>
>> Wow, I clearly failed to transfer my thoughts into email...
>>
>> I want to set ID_SECURITY_TOKEN=1 or, more generally, cause the
>> uaccess tag to be set so that users have permission to use the token.
>>
>> This rule works in Fedora for the existing tokens by Yubico:
>>
>> KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", \
>>   ATTRS{idProduct}=="0113|0114|0115|0116|0120", \
>>   ENV{ID_SECURITY_TOKEN}="1"
>>
>> but it won't work for other brands of U2F token.
>
> If there's no sysfs attribute that you can read directly to determine
> that it is a U2F token, then it's not easy to write a udev rule.
>
> You can write a "simple" program to read the hid pages from the hidraw
> interface, and then set an environment variable from there if the "FIDO
> Alliance Page" is present.  You can use a udev rule for that, but it
> will have to be an external tool.

Would a tool like that be considered appropriate to distribute with
udev?  It would have somewhat unpleasant overhead for what is
currently a niche use case.

I suppose the kernel could also be modified to expose this, but doing
that cleanly will involve exposing all the usage pages in sysfs, which
is more complexity than I really want to add.

--Andy

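The external check Greg describes, as an added example that is not code from the thread: it walks a hidraw report descriptor looking for Usage 0x01 under Usage Page 0xF1D0 (the property Andy's first message gives for U2F tokens) and, on Linux, fetches that descriptor with the HIDIOCGRDESC ioctl. The function names and the two sample descriptors are my own, constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#ifdef __linux__
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/hidraw.h>
#endif

/* Walk the report descriptor items; 1 if Usage 0x01 appears under Usage Page 0xF1D0, else 0. */
int is_u2f_descriptor(const uint8_t *d, size_t len)
{
    size_t i = 0;
    uint32_t usage_page = 0;
    while (i < len) {
        uint8_t prefix = d[i++];
        if (prefix == 0xFE) { if (i + 2 > len) return 0; i += 2 + d[i]; continue; } /* long item */
        size_t size = (prefix & 3) == 3 ? 4 : prefix & 3;      /* short item: 0, 1, 2 or 4 bytes */
        uint8_t type = (prefix >> 2) & 3, tag = prefix >> 4;
        if (i + size > len) return 0;                           /* truncated: not a U2F match */
        uint32_t value = 0;
        for (size_t k = 0; k < size; k++) value |= (uint32_t)d[i + k] << (8 * k);
        i += size;
        if (type == 1 && tag == 0) usage_page = value;          /* Global item: Usage Page */
        else if (type == 2 && tag == 0) {                       /* Local item: Usage */
            uint32_t page = size == 4 ? value >> 16 : usage_page; /* 4-byte Usage carries its page */
            if (page == 0xF1D0 && (value & 0xFFFF) == 0x01) return 1;
        }
    }
    return 0;
}

/* Constructed samples: a U2F token's top-level collection and a plain keyboard's. */
const uint8_t u2f_sample[] = { 0x06, 0xD0, 0xF1, 0x09, 0x01, 0xA1, 0x01, 0x09, 0x20, 0x15, 0x00,
                               0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x81, 0x02, 0xC0 };
const uint8_t kbd_sample[] = { 0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0xC0 };
#ifdef __linux__
/* Read a hidraw node's descriptor with HIDIOCGRDESC; -1 if the node cannot be read. */
int hidraw_is_u2f(const char *path)
{
    struct hidraw_report_descriptor rd;
    int fd = open(path, O_RDONLY), size;
    if (fd < 0) return -1;
    if (ioctl(fd, HIDIOCGRDESCSIZE, &size) < 0) { close(fd); return -1; }
    rd.size = (uint32_t)size;
    if (ioctl(fd, HIDIOCGRDESC, &rd) < 0) { close(fd); return -1; }
    close(fd);
    return is_u2f_descriptor(rd.value, rd.size);
}
#endif
```

A helper built on hidraw_is_u2f would print ID_SECURITY_TOKEN=1 for a matching node so that a rule can pull it in with IMPORT{program}; that wiring is an assumption, not something the thread settled.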