| field | value |
|---|---|
| author | 2019-12-17 13:08:54 +0000 |
| committer | 2019-12-17 13:08:54 +0000 |
| commit | 1ba9f8e24a930839b47e1417a70ad7b6ffac57d7 |
| tree | 1d5e2b163818aa87203339af78045230b0d1eaac /sys/dev/usb/files.usb |
| parent | There is no need to dynamically allocate struct as_set_head. |
| download | wireguard-openbsd-1ba9f8e24a930839b47e1417a70ad7b6ffac57d7.tar.xz, wireguard-openbsd-1ba9f8e24a930839b47e1417a70ad7b6ffac57d7.zip |
Add fido(4), a HID driver for FIDO/U2F security keys

While FIDO/U2F keys were already supported by the generic uhid(4)
driver, this driver adds the first step to tighten the security of
FIDO/U2F access. Specifically, users don't need read/write access to
all USB/HID devices anymore and the driver also improves integration
with pledge(2) and unveil(2): it is pledge-friendly because it doesn't
require any ioctls to discover the device and unveil-friendly because
it uses a single /dev/fido/* directory for its device nodes.

It also allows supporting FIDO/U2F in Firefox without further
weakening the "sandbox" of the browser. Firefox does not have a
proper privsep design and many operations, such as U2F access, are
handled directly by the main process. This means that the browser's
"fat" main process needs direct read/write access to all USB HID
devices, at least on other operating systems. With fido(4) we can
support security keys in Firefox under OpenBSD without such a
compromise.

With this change, libfido2 stops using the ioctl to query the device
vendor/product and just assumes "OpenBSD" "fido(4)" instead. The
ioctl is still supported but there was no benefit in obtaining the
vendor/product or name; it also allows using libfido2 under pledge.

With feedback from deraadt@ and many others
OK kettenis@ djm@ and jmc@ for the manpage bits
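A user-space counterpart to the access model the message describes, added here as an example and not code from the commit or from libfido2: the process confines itself with unveil(2) and pledge(2) and then finds fido(4) nodes by listing the directory instead of issuing the vendor/product ioctl. The node names /dev/fido/0, /dev/fido/1, ... and the promise set "stdio rpath wpath" are this example's assumptions, and the OpenBSD-only calls are compiled in under #ifdef __OpenBSD__ so the code also builds elsewhere.

```c
/* Added example, not part of the OpenBSD commit or of libfido2: discover
 * fido(4) nodes from a least-privilege process.  Assumes nodes are named
 * /dev/fido/0, /dev/fido/1, ... (from "/dev/fido/*") and that the promises
 * "stdio rpath wpath" are enough; pledge/unveil exist only on OpenBSD, so
 * they are compiled in under #ifdef __OpenBSD__ and skipped elsewhere. */
#include <ctype.h>
#include <dirent.h>
#include <unistd.h>

#define FIDO_DIR "/dev/fido"

/* A fido(4) node name is a bare device index: "0", "1", ... (assumed). */
int is_fido_node_name(const char *name)
{
    if (*name == '\0')
        return 0;
    for (; *name != '\0'; name++)
        if (!isdigit((unsigned char)*name))
            return 0;
    return 1;
}

/* Confine the process before touching any device.  Only FIDO_DIR stays
 * visible, so other HID nodes are out of reach, and no ioctl is promised:
 * discovery below is a directory listing, not the vendor/product ioctl. */
int sandbox_for_fido(void)
{
#ifdef __OpenBSD__
    if (unveil(FIDO_DIR, "rw") == -1 || unveil(NULL, NULL) == -1)
        return -1;
    if (pledge("stdio rpath wpath", NULL) == -1)
        return -1;
#endif
    return 0;
}

/* Count device nodes in dir; -1 (errno set) if it cannot be opened. */
int count_fido_nodes(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;
    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL)
        if (is_fido_node_name(e->d_name))
            n++;
    closedir(d);
    return n;
}
```

Call sandbox_for_fido() first and count_fido_nodes(FIDO_DIR) afterwards; the order matters because unveil(2) hides everything outside FIDO_DIR once locked.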
Diffstat (limited to 'sys/dev/usb/files.usb')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | sys/dev/usb/files.usb | 9 |

1 files changed, 7 insertions, 2 deletions
diff --git a/sys/dev/usb/files.usb b/sys/dev/usb/files.usb index 2a68642a9a9..0f697127e92 100644 --- a/sys/dev/usb/files.usb +++ b/sys/dev/usb/files.usb @@ -1,4 +1,4 @@ -# $OpenBSD: files.usb,v 1.140 2019/07/09 05:43:03 kevlo Exp $ +# $OpenBSD: files.usb,v 1.141 2019/12/17 13:08:54 reyk Exp $ # $NetBSD: files.usb,v 1.16 2000/02/14 20:29:54 augustss Exp $ # # Config file and device description for machine-independent USB code. @@ -74,7 +74,12 @@ file dev/usb/uhidev.c uhidev # Generic HID devices device uhid: hid attach uhid at uhidbus -file dev/usb/uhid.c uhid needs-flag +file dev/usb/uhid.c uhid | fido needs-flag + +# FIDO/U2F security keys +device fido: hid +attach fido at uhidbus +file dev/usb/fido.c fido needs-flag # Keyboards file dev/usb/ukbdmap.c hidkbd |
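Review bot: in the second hunk, `file dev/usb/uhid.c uhid | fido needs-flag` now builds uhid.c whenever fido is configured, even in a kernel that has dropped uhid, which tells the reader that fido.c relies on code in uhid.c; a one-line comment above that entry (or a sentence in the commit message) saying so would stop the next person from trying to remove uhid from a config that keeps fido. Also, `attach fido at uhidbus` now sits next to `attach uhid at uhidbus`, so which driver claims a FIDO/U2F key that uhid(4) previously handled is decided by the two match routines, which this file cannot show; that ordering is worth confirming and stating, since the whole point of the change is that fido(4) wins for those keys.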