On Tue, Oct 28, 2014 at 1:40 AM, Greg KH <gre...@linuxfoundation.org> wrote:
> On Mon, Oct 27, 2014 at 04:37:14PM -0700, Andy Lutomirski wrote:
>> On Mon, Oct 27, 2014 at 4:32 PM, Greg KH <gre...@linuxfoundation.org> wrote:
>> > On Mon, Oct 27, 2014 at 04:12:30PM -0700, Andy Lutomirski wrote:
>> >> Hi-
>> >>
>> >> I'd like to write a generic udev rule for U2F security tokens and to
>> >> possibly get it integrated into systemd / udev, but I'm not sure how
>> >> to write it in the first place.
>> >>
>> >> U2F tokens are USB HID devices that have a usage page 0xF1D0 that
>> >> contains usage 0x01. The rule should match any hidraw device with
>> >> that property. Can this be done without a user helper? Is there an
>> >> existing helper in which it would make sense to add such a check?
>> >>
>> >> Here's the draft USB forum allocation:
>> >>
>> >> http://www.usb.org/developers/hidpage/HUTRR48.pdf
>> >>
>> >> Here's the draft spec from the FIDO Alliance:
>> >>
>> >> https://fidoalliance.org/specs/fido-u2f-HID-protocol-v1.0-rd-20141008.pdf
>> >>
>> >> In practice, I expect little change between the draft and final specs,
>> >> since these devices are already for sale and Chromium supports them.
>> >
>> > I don't understand, what would a udev rule do with these devices?
>> > Shouldn't they be exported automatically using the hid "raw" interface
>> > so that userspace can talk to them? What else needs to be done?
>>
>> Wow, I clearly failed to transfer my thoughts into email...
>>
>> I want to set ID_SECURITY_TOKEN=1 or, more generally, cause the
>> uaccess tag to be set so that users have permission to use the token.
>>
>> This rule works in Fedora for the existing tokens by Yubico:
>>
>> KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050",
>> ATTRS{idProduct}=="0113|0114|0115|0116|0120",
>> ENV{ID_SECURITY_TOKEN}="1"
>>
>> but it won't work for other brands of U2F token.
>
> If there's no sysfs attribute that you can read directly to determine
> that it is a U2F token, then it's not easy to write a udev rule.
>
> You can write a "simple" program to read the hid pages from the hidraw
> interface, and then set an environment variable from there if the "FIDO
> Alliance Page" is present. You can use a udev rule for that, but it
> will have to be an external tool.

Would a tool like that be considered appropriate to distribute with
udev? It would have somewhat unpleasant overhead for what is
currently a niche use case.

I suppose the kernel could also be modified to expose this, but doing
that cleanly will involve exposing all the usage pages in sysfs, which
is more complexity than I really want to add.

--Andy