author | 2019-12-17 13:08:54 +0000 | |
---|---|---|
committer | 2019-12-17 13:08:54 +0000 | |
commit | 1ba9f8e24a930839b47e1417a70ad7b6ffac57d7 (patch) | |
tree | 1d5e2b163818aa87203339af78045230b0d1eaac /sys | |
parent | There is no need to dynamically allocate struct as_set_head. (diff) | |
Add fido(4), a HID driver for FIDO/U2F security keys
While FIDO/U2F keys were already supported by the generic uhid(4)
driver, this driver adds the first step to tighten the security of
FIDO/U2F access. Specifically, users don't need read/write access to
all USB/HID devices anymore and the driver also improves integration
with pledge(2) and unveil(2): It is pledge-friendly because it doesn't
require any ioctls to discover the device and unveil-friendly because
it uses a single /dev/fido/* directory for its device nodes.
It also makes it possible to support FIDO/U2F in Firefox without further
weakening the "sandbox" of the browser. Firefox does not have a
proper privsep design and many operations, such as U2F access, are
handled directly by the main process. This means that the browser's
"fat" main process needs direct read/write access to all USB HID
devices, at least on other operating systems. With fido(4) we can
support security keys in Firefox under OpenBSD without such a
compromise.
With this change, libfido2 stops using the ioctl to query the device
vendor/product and just assumes "OpenBSD" "fido(4)" instead. The
ioctl is still supported but there was no benefit in obtaining the
vendor product or name; it also allows to use libfido2 under pledge.
With feedback from deraadt@ and many others
OK kettenis@ djm@ and jmc@ for the manpage bits
Diffstat (limited to 'sys')
32 files changed, 296 insertions, 71 deletions
diff --git a/sys/arch/alpha/alpha/conf.c b/sys/arch/alpha/alpha/conf.c index a08ba7a1490..533c8c9359c 100644 --- a/sys/arch/alpha/alpha/conf.c +++ b/sys/arch/alpha/alpha/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.84 2017/11/02 14:04:24 mpi Exp $ */ +/* $OpenBSD: conf.c,v 1.85 2019/12/17 13:08:54 reyk Exp $ */ /* $NetBSD: conf.c,v 1.16 1996/10/18 21:26:57 cgd Exp $ */ /*- @@ -111,6 +111,7 @@ cdev_decl(cy); /* USB Devices */ #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -202,6 +203,7 @@ struct cdevsw cdevsw[] = cdev_fuse_init(NFUSE,fuse), /* 67: fuse */ cdev_tun_init(NTUN,tap), /* 68: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 69: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 70: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/alpha/conf/GENERIC b/sys/arch/alpha/conf/GENERIC index 58d68043c43..2309131cafd 100644 --- a/sys/arch/alpha/conf/GENERIC +++ b/sys/arch/alpha/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.263 2019/05/08 23:54:38 kettenis Exp $ +# $OpenBSD: GENERIC,v 1.264 2019/12/17 13:08:54 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -106,6 +106,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet #atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/amd64/amd64/conf.c b/sys/arch/amd64/amd64/conf.c index e96dda7be06..6330f6e442d 100644 --- a/sys/arch/amd64/amd64/conf.c +++ b/sys/arch/amd64/amd64/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.64 2019/12/13 20:57:54 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.65 2019/12/17 13:08:54 reyk Exp $ */ /* * Copyright (c) 1994, 1995 Charles M. Hannum. All rights reserved. 
@@ -151,6 +151,7 @@ cdev_decl(cy); #include "ksyms.h" #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -297,6 +298,7 @@ struct cdevsw cdevsw[] = cdev_pvbus_init(NPVBUS,pvbus), /* 95: pvbus(4) control interface */ cdev_ipmi_init(NIPMI,ipmi), /* 96: ipmi */ cdev_switch_init(NSWITCH,switch), /* 97: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 98: FIDO/U2F security keys */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/amd64/conf/GENERIC b/sys/arch/amd64/conf/GENERIC index 64d390905d9..17e88a9eb51 100644 --- a/sys/arch/amd64/conf/GENERIC +++ b/sys/arch/amd64/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.482 2019/12/08 12:27:25 mpi Exp $ +# $OpenBSD: GENERIC,v 1.483 2019/12/17 13:08:54 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -280,6 +280,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/arm/arm/conf.c b/sys/arch/arm/arm/conf.c index a7e89367483..75e0d737754 100644 --- a/sys/arch/arm/arm/conf.c +++ b/sys/arch/arm/arm/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.50 2017/01/23 08:37:08 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.51 2019/12/17 13:08:55 reyk Exp $ */ /* $NetBSD: conf.c,v 1.10 2002/04/19 01:04:38 wiz Exp $ */ /* @@ -123,6 +123,7 @@ cdev_decl(pci); #include "ucom.h" #include "ugen.h" #include "uhid.h" +#incluee "fido.h" #include "ulpt.h" /* 
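Review bot: The added line in the `@@ -123,6 +123,7 @@` hunk of sys/arch/arm/arm/conf.c is spelled `#incluee "fido.h"`, which is not a valid preprocessor directive, so this file will not build as committed. It should read `#include "fido.h"`. The same misspelling is in the include hunk of sys/arch/loongson/loongson/conf.c later in this commit; the other conf.c files spell the directive correctly.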
@@ -378,6 +379,7 @@ struct cdevsw cdevsw[] = { cdev_pppx_init(NPPPX,pppx), /* 103: pppx */ cdev_tun_init(NTUN,tap), /* 104: Ethernet tap */ cdev_switch_init(NSWITCH,switch), /* 105: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 106: FIDO/U2F security key */ }; int nblkdev = nitems(bdevsw); diff --git a/sys/arch/arm64/arm64/conf.c b/sys/arch/arm64/arm64/conf.c index a0fec1177c3..b4dd68e2505 100644 --- a/sys/arch/arm64/arm64/conf.c +++ b/sys/arch/arm64/arm64/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.8 2019/12/13 20:57:54 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.9 2019/12/17 13:08:55 reyk Exp $ */ /* * Copyright (c) 1994, 1995 Charles M. Hannum. All rights reserved. @@ -121,6 +121,7 @@ cdev_decl(spkr); #include "ksyms.h" #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -255,6 +256,7 @@ struct cdevsw cdevsw[] = cdev_notdef(), /* 95 */ cdev_notdef(), /* 96 */ cdev_switch_init(NSWITCH,switch), /* 97: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 98: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/arm64/conf/GENERIC b/sys/arch/arm64/conf/GENERIC index 42af8a132a0..cd0e66edef8 100644 --- a/sys/arch/arm64/conf/GENERIC +++ b/sys/arch/arm64/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.135 2019/12/03 09:12:46 patrick Exp $ +# $OpenBSD: GENERIC,v 1.136 2019/12/17 13:08:54 reyk Exp $ # # GENERIC machine description file # @@ -308,6 +308,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/armv7/conf/GENERIC b/sys/arch/armv7/conf/GENERIC index c6051b5c4f2..bce45d90eaf 100644 --- a/sys/arch/armv7/conf/GENERIC +++ b/sys/arch/armv7/conf/GENERIC 
@@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.126 2019/10/27 19:19:10 kettenis Exp $ +# $OpenBSD: GENERIC,v 1.127 2019/12/17 13:08:55 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -297,6 +297,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/hppa/conf/GENERIC b/sys/arch/hppa/conf/GENERIC index 30c6ca305d8..d1fb312f04c 100644 --- a/sys/arch/hppa/conf/GENERIC +++ b/sys/arch/hppa/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.179 2019/05/08 23:54:39 kettenis Exp $ +# $OpenBSD: GENERIC,v 1.180 2019/12/17 13:08:55 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -110,6 +110,7 @@ wsmouse* at ums? mux 0 ukbd* at uhidev? # USB keyboard wskbd* at ukbd? mux 1 uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet url* at uhub? # Realtek RTL8150L based adapters diff --git a/sys/arch/hppa/hppa/conf.c b/sys/arch/hppa/hppa/conf.c index 11766084833..ff36e34aca4 100644 --- a/sys/arch/hppa/hppa/conf.c +++ b/sys/arch/hppa/hppa/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.66 2016/09/04 10:51:23 naddy Exp $ */ +/* $OpenBSD: conf.c,v 1.67 2019/12/17 13:08:55 reyk Exp $ */ /*- * Copyright (c) 1991 The Regents of the University of California. @@ -111,6 +111,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" 
@@ -186,6 +187,7 @@ struct cdevsw cdevsw[] = cdev_fuse_init(NFUSE,fuse), /* 58: fuse */ cdev_tun_init(NTUN,tap), /* 59: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 60: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 61: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/i386/conf/GENERIC b/sys/arch/i386/conf/GENERIC index 5e866cc1d4f..7aea599dd99 100644 --- a/sys/arch/i386/conf/GENERIC +++ b/sys/arch/i386/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.847 2019/12/08 12:27:26 mpi Exp $ +# $OpenBSD: GENERIC,v 1.848 2019/12/17 13:08:55 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -283,6 +283,7 @@ ucom* at uslhcom? uticom* at uhub? # TI serial ucom* at uticom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/i386/i386/conf.c b/sys/arch/i386/i386/conf.c index e2e5dac35e8..adb6e4bef1e 100644 --- a/sys/arch/i386/i386/conf.c +++ b/sys/arch/i386/i386/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.163 2019/12/13 20:57:54 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.164 2019/12/17 13:08:55 reyk Exp $ */ /* $NetBSD: conf.c,v 1.75 1996/05/03 19:40:20 christos Exp $ */ /* @@ -145,6 +145,7 @@ cdev_decl(cy); #include "ksyms.h" #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -290,6 +291,7 @@ struct cdevsw cdevsw[] = cdev_pvbus_init(NPVBUS,pvbus), /* 95: pvbus(4) control interface */ cdev_ipmi_init(NIPMI,ipmi), /* 96: ipmi */ cdev_switch_init(NSWITCH,switch), /* 97: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 98: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); 
diff --git a/sys/arch/landisk/conf/GENERIC b/sys/arch/landisk/conf/GENERIC index fb4aa07244f..0c59680830a 100644 --- a/sys/arch/landisk/conf/GENERIC +++ b/sys/arch/landisk/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.54 2019/05/08 23:54:39 kettenis Exp $ +# $OpenBSD: GENERIC,v 1.55 2019/12/17 13:08:55 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -136,6 +136,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/landisk/landisk/conf.c b/sys/arch/landisk/landisk/conf.c index 71f2129945f..5cb64822446 100644 --- a/sys/arch/landisk/landisk/conf.c +++ b/sys/arch/landisk/landisk/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.38 2017/01/23 08:37:08 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.39 2019/12/17 13:08:55 reyk Exp $ */ /* * Copyright (c) 1994-1998 Mark Brinicombe. @@ -113,6 +113,7 @@ cdev_decl(pci); #include "ucom.h" #include "ugen.h" #include "uhid.h" +#include "fido.h" #include "ulpt.h" /* @@ -352,6 +353,7 @@ struct cdevsw cdevsw[] = { cdev_fuse_init(NFUSE,fuse), /* 103: fuse */ cdev_tun_init(NTUN,tap), /* 104: Ethernet network tap */ cdev_switch_init(NSWITCH,switch), /* 105: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 106: FIDO/U2F security key */ }; int nblkdev = nitems(bdevsw); diff --git a/sys/arch/loongson/conf/GENERIC b/sys/arch/loongson/conf/GENERIC index bfac94f60ef..32f10728769 100644 --- a/sys/arch/loongson/conf/GENERIC +++ b/sys/arch/loongson/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.60 2019/05/08 23:54:39 kettenis Exp $ +# $OpenBSD: GENERIC,v 1.61 2019/12/17 13:08:55 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. 
@@ -163,6 +163,7 @@ wskbd* at ukbd? mux 1 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors atu* at uhub? # Atmel AT76c50x based 802.11b aue* at uhub? # ADMtek AN986 Pegasus Ethernet diff --git a/sys/arch/loongson/loongson/conf.c b/sys/arch/loongson/loongson/conf.c index 87746db5225..27e7a5ec9f6 100644 --- a/sys/arch/loongson/loongson/conf.c +++ b/sys/arch/loongson/loongson/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.24 2017/05/21 13:00:53 visa Exp $ */ +/* $OpenBSD: conf.c,v 1.25 2019/12/17 13:08:56 reyk Exp $ */ /* * Copyright (c) 1992, 1993 @@ -120,6 +120,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#incluee "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -223,6 +224,7 @@ struct cdevsw cdevsw[] = cdev_notdef(), /* 85 */ cdev_notdef(), /* 86 */ cdev_drm_init(NDRM,drm), /* 87: drm */ + cdev_fido_init(NFIDO,fido), /* 88: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/macppc/conf/GENERIC b/sys/arch/macppc/conf/GENERIC index f6d3812cede..67020e6df45 100644 --- a/sys/arch/macppc/conf/GENERIC +++ b/sys/arch/macppc/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.268 2019/05/08 23:54:39 kettenis Exp $g +# $OpenBSD: GENERIC,v 1.269 2019/12/17 13:08:56 reyk Exp $g # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -261,6 +261,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/macppc/macppc/conf.c b/sys/arch/macppc/macppc/conf.c index 97491cbf275..061a11e9a2e 100644 --- a/sys/arch/macppc/macppc/conf.c 
+++ b/sys/arch/macppc/macppc/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.68 2019/09/03 17:51:52 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.69 2019/12/17 13:08:56 reyk Exp $ */ /* * Copyright (c) 1997 Per Fogelstrom @@ -96,6 +96,7 @@ cdev_decl(com); #include "ksyms.h" #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -226,6 +227,7 @@ struct cdevsw cdevsw[] = { cdev_drm_init(NDRM,drm), /* 87: drm */ cdev_fuse_init(NFUSE,fuse), /* 88: fuse */ cdev_switch_init(NSWITCH,switch), /* 89: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 90: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/octeon/conf/GENERIC b/sys/arch/octeon/conf/GENERIC index 1596c05bc58..b2d36df9c7a 100644 --- a/sys/arch/octeon/conf/GENERIC +++ b/sys/arch/octeon/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.53 2019/11/04 14:58:40 visa Exp $ +# $OpenBSD: GENERIC,v 1.54 2019/12/17 13:08:56 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -155,6 +155,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/octeon/octeon/conf.c b/sys/arch/octeon/octeon/conf.c index 6b96db3daab..1e80c9d93f4 100644 --- a/sys/arch/octeon/octeon/conf.c +++ b/sys/arch/octeon/octeon/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.21 2019/07/17 14:36:32 visa Exp $ */ +/* $OpenBSD: conf.c,v 1.22 2019/12/17 13:08:56 reyk Exp $ */ /* * Copyright (c) 1992, 1993 @@ -133,6 +133,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" 
@@ -230,6 +231,7 @@ struct cdevsw cdevsw[] = cdev_notdef(), /* 73: fuse on other mips64 */ cdev_tun_init(NTUN,tap), /* 74: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 75: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 76: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/sgi/conf/GENERIC-IP27 b/sys/arch/sgi/conf/GENERIC-IP27 index b171707b98a..af6d1b4f057 100644 --- a/sys/arch/sgi/conf/GENERIC-IP27 +++ b/sys/arch/sgi/conf/GENERIC-IP27 @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC-IP27,v 1.65 2017/08/28 19:35:42 jasper Exp $ +# $OpenBSD: GENERIC-IP27,v 1.66 2019/12/17 13:08:56 reyk Exp $ # # THIS KERNEL IS FOR Origin, Onyx, Fuel, Tezro (IP27, IP35) SYSTEMS ONLY. # @@ -127,6 +127,7 @@ wskbd* at ukbd? mux 1 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support atu* at uhub? # Atmel AT76c50x based 802.11b aue* at uhub? # ADMtek AN986 Pegasus Ethernet axe* at uhub? # ASIX Electronics AX88172 USB Ethernet diff --git a/sys/arch/sgi/conf/GENERIC-IP30 b/sys/arch/sgi/conf/GENERIC-IP30 index 09f27c50888..071d7babf95 100644 --- a/sys/arch/sgi/conf/GENERIC-IP30 +++ b/sys/arch/sgi/conf/GENERIC-IP30 @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC-IP30,v 1.58 2017/08/28 19:35:42 jasper Exp $ +# $OpenBSD: GENERIC-IP30,v 1.59 2019/12/17 13:08:56 reyk Exp $ # # THIS KERNEL IS FOR Octane and Octane 2 (IP30) SYSTEMS ONLY. # @@ -118,6 +118,7 @@ wskbd* at ukbd? mux 1 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support atu* at uhub? # Atmel AT76c50x based 802.11b aue* at uhub? # ADMtek AN986 Pegasus Ethernet axe* at uhub? # ASIX Electronics AX88172 USB Ethernet diff --git a/sys/arch/sgi/conf/GENERIC-IP32 b/sys/arch/sgi/conf/GENERIC-IP32 index 66e08ea58f2..4595a4eb60c 100644 --- a/sys/arch/sgi/conf/GENERIC-IP32 
+++ b/sys/arch/sgi/conf/GENERIC-IP32 @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC-IP32,v 1.49 2017/08/28 19:35:42 jasper Exp $ +# $OpenBSD: GENERIC-IP32,v 1.50 2019/12/17 13:08:56 reyk Exp $ # # THIS KERNEL IS FOR O2 (IP32) SYSTEMS ONLY. # @@ -110,6 +110,7 @@ wskbd* at ukbd? mux 1 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support atu* at uhub? # Atmel AT76c50x based 802.11b aue* at uhub? # ADMtek AN986 Pegasus Ethernet axe* at uhub? # ASIX Electronics AX88172 USB Ethernet diff --git a/sys/arch/sgi/sgi/conf.c b/sys/arch/sgi/sgi/conf.c index c88b0a48c1f..062bdfc1974 100644 --- a/sys/arch/sgi/sgi/conf.c +++ b/sys/arch/sgi/sgi/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.39 2016/09/04 10:51:24 naddy Exp $ */ +/* $OpenBSD: conf.c,v 1.40 2019/12/17 13:08:56 reyk Exp $ */ /* * Copyright (c) 1992, 1993 @@ -119,6 +119,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -210,6 +211,7 @@ struct cdevsw cdevsw[] = cdev_fuse_init(NFUSE,fuse), /* 73: fuse */ cdev_tun_init(NTUN,tap), /* 74: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 75: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 76: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/sparc64/conf/GENERIC b/sys/arch/sparc64/conf/GENERIC index 0809916040a..92c2157cde0 100644 --- a/sys/arch/sparc64/conf/GENERIC +++ b/sys/arch/sparc64/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.313 2019/06/29 15:39:06 deraadt Exp $ +# $OpenBSD: GENERIC,v 1.314 2019/12/17 13:08:56 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. 
@@ -223,6 +223,7 @@ ucom* at uslhcom? umsm* at uhub? # Qualcomm MSM EVDO ucom* at umsm? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/sparc64/sparc64/conf.c b/sys/arch/sparc64/sparc64/conf.c index e0e45b7f9f4..f7afcfeab56 100644 --- a/sys/arch/sparc64/sparc64/conf.c +++ b/sys/arch/sparc64/sparc64/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.80 2016/09/04 11:59:50 naddy Exp $ */ +/* $OpenBSD: conf.c,v 1.81 2019/12/17 13:08:56 reyk Exp $ */ /* $NetBSD: conf.c,v 1.17 2001/03/26 12:33:26 lukem Exp $ */ /* @@ -103,6 +103,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -292,6 +293,7 @@ struct cdevsw cdevsw[] = cdev_fuse_init(NFUSE,fuse), /* 134: fuse */ cdev_tun_init(NTUN,tap), /* 135: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 136: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 137: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/dev/hid/hid.h b/sys/dev/hid/hid.h index ea033b13887..17de4065e0c 100644 --- a/sys/dev/hid/hid.h +++ b/sys/dev/hid/hid.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hid.h,v 1.5 2016/09/12 09:10:05 mpi Exp $ */ +/* $OpenBSD: hid.h,v 1.6 2019/12/17 13:08:54 reyk Exp $ */ /* $NetBSD: hid.h,v 1.8 2002/07/11 21:14:25 augustss Exp $ */ /* $FreeBSD: src/sys/dev/usb/hid.h,v 1.7 1999/11/17 22:33:40 n_hibma Exp $ */ @@ -124,6 +124,7 @@ int hid_is_collection(const void *, int, uint8_t, int32_t); #define HUP_CAMERA_CONTROL 0x0090 #define HUP_ARCADE 0x0091 #define HUP_VENDOR 0x00ff +#define HUP_FIDO 0xf1d0 #define HUP_MICROSOFT 0xff00 /* XXX compat */ #define HUP_APPLE 0x00ff 
@@ -397,6 +398,11 @@ int hid_is_collection(const void *, int, uint8_t, int32_t); /* Usages, Consumer */ #define HUC_AC_PAN 0x0238 +/* Usages, FIDO */ +#define HUF_U2FHID 0x0001 +#define HUF_RAW_IN_DATA_REPORT 0x0020 +#define HUF_RAW_OUT_DATA_REPORT 0x0021 + #define HID_USAGE2(p, u) (((p) << 16) | u) #define HID_GET_USAGE(u) ((u) & 0xffff) #define HID_GET_USAGE_PAGE(u) (((u) >> 16) & 0xffff) diff --git a/sys/dev/usb/fido.c b/sys/dev/usb/fido.c new file mode 100644 index 00000000000..5d68cff520e --- /dev/null +++ b/sys/dev/usb/fido.c 
@@ -0,0 +1,92 @@
+/* $OpenBSD: fido.c,v 1.1 2019/12/17 13:08:54 reyk Exp $ */
+
+/*
+ * Copyright (c) 2019 Reyk Floeter <reyk@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/param.h>
+#include <sys/tty.h>
+#include <sys/conf.h>
+
+#include <dev/usb/usb.h>
+#include <dev/usb/usbhid.h>
+#include <dev/usb/usbdevs.h>
+#include <dev/usb/usbdi.h>
+#include <dev/usb/usbdi_util.h>
+
+#include <dev/usb/uhidev.h>
+#include <dev/usb/uhid.h>
+
+int fido_match(struct device *, void *, void *);
+
+struct cfdriver fido_cd = {
+ NULL, "fido", DV_DULL
+};
+
+const struct cfattach fido_ca = {
+ sizeof(struct uhid_softc),
+ fido_match,
+ uhid_attach,
+ uhid_detach,
+};
+
+int
+fido_match(struct device *parent, void *match, void *aux)
+{
+ struct uhidev_attach_arg *uha = (struct uhidev_attach_arg *)aux;
+ int size;
+ void *desc;
+ int ret = UMATCH_NONE;
+
+ if (uha->reportid == UHIDEV_CLAIM_ALLREPORTID)
+ return (ret);
+
+ /* Find the FIDO usage page and U2F collection */
+ uhidev_get_report_desc(uha->parent, &desc, &size);
+ if (hid_is_collection(desc, size, uha->reportid,
+ HID_USAGE2(HUP_FIDO, HUF_U2FHID)))
+ ret = UMATCH_IFACECLASS;
+
+ return (ret);
+}
+
+int
+fidoopen(dev_t dev, int flag, int mode, struct proc *p)
+{
+ return (uhid_do_open(dev, flag, mode, p));
+}
+ +int +fidoioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p) +{ + int error; + + switch (cmd) { + case FIONBIO: + case FIOASYNC: + case USB_GET_DEVICEINFO: + break; + default: + /* + * Users don't need USB/HID ioctl access to fido(4) devices + * but it can still be useful for debugging by root. + */ + if ((error = suser(p)) != 0) + return (error); + break; + } + + return (uhidioctl(dev, cmd, addr, flag, p)); +} diff --git a/sys/dev/usb/files.usb b/sys/dev/usb/files.usb index 2a68642a9a9..0f697127e92 100644 --- a/sys/dev/usb/files.usb +++ b/sys/dev/usb/files.usb @@ -1,4 +1,4 @@ -# $OpenBSD: files.usb,v 1.140 2019/07/09 05:43:03 kevlo Exp $ +# $OpenBSD: files.usb,v 1.141 2019/12/17 13:08:54 reyk Exp $ # $NetBSD: files.usb,v 1.16 2000/02/14 20:29:54 augustss Exp $ # # Config file and device description for machine-independent USB code. @@ -74,7 +74,12 @@ file dev/usb/uhidev.c uhidev # Generic HID devices device uhid: hid attach uhid at uhidbus -file dev/usb/uhid.c uhid needs-flag +file dev/usb/uhid.c uhid | fido needs-flag + +# FIDO/U2F security keys +device fido: hid +attach fido at uhidbus +file dev/usb/fido.c fido needs-flag # Keyboards file dev/usb/ukbdmap.c hidkbd diff --git a/sys/dev/usb/uhid.c b/sys/dev/usb/uhid.c index 28faca5d82d..7cc74837a88 100644 --- a/sys/dev/usb/uhid.c +++ b/sys/dev/usb/uhid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uhid.c,v 1.72 2019/11/27 11:16:59 mpi Exp $ */ +/* $OpenBSD: uhid.c,v 1.73 2019/12/17 13:08:54 reyk Exp $ */ /* $NetBSD: uhid.c,v 1.57 2003/03/11 16:44:00 augustss Exp $ */ /* @@ -35,6 +35,8 @@ * HID spec: http://www.usb.org/developers/devclass_docs/HID1_11.pdf */ +#include "fido.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/kernel.h> @@ -57,6 +59,7 @@ #include <dev/usb/usbdi_util.h> #include <dev/usb/uhidev.h> +#include <dev/usb/uhid.h> #ifdef UHID_DEBUG #define DPRINTF(x) do { if (uhiddebug) printf x; } while (0) 
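Review bot: `fido_ca` in the new sys/dev/usb/fido.c reuses `uhid_attach` and `uhid_detach` unchanged, and `uhid_detach` is not touched by this diff, so it is worth confirming that detach revokes open vnodes on the fido major and not only on the uhid one. If that function locates the major by comparing `d_open` with `uhidopen` (it is not visible here, so this is an assumption), the open /dev/fido node of a removed key would not be revoked. A short comment above `fido_ca`, for example `/* shares softc, attach and detach with uhid(4); units are resolved by uhid_lookup() */`, would also make the coupling explicit for the next reader.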
@@ -67,33 +70,7 @@ int uhiddebug = 0; #define DPRINTFN(n,x) #endif -struct uhid_softc { - struct uhidev sc_hdev; - - u_char *sc_obuf; - - struct clist sc_q; - struct selinfo sc_rsel; - u_char sc_state; /* driver state */ -#define UHID_ASLP 0x01 /* waiting for device data */ - - int sc_refcnt; -}; - -#define UHIDUNIT(dev) (minor(dev)) -#define UHID_CHUNK 128 /* chunk size for read */ -#define UHID_BSIZE 1020 /* buffer size */ - -void uhid_intr(struct uhidev *, void *, u_int len); - -int uhid_do_read(struct uhid_softc *, struct uio *uio, int); -int uhid_do_write(struct uhid_softc *, struct uio *uio, int); -int uhid_do_ioctl(struct uhid_softc*, u_long, caddr_t, int, - struct proc *); - -int uhid_match(struct device *, void *, void *); -void uhid_attach(struct device *, struct device *, void *); -int uhid_detach(struct device *, int); +int uhid_match(struct device *, void *, void *); struct cfdriver uhid_cd = { NULL, "uhid", DV_DULL @@ -106,6 +83,28 @@ const struct cfattach uhid_ca = { uhid_detach, }; +struct uhid_softc * +uhid_lookup(dev_t dev) +{ + struct uhid_softc *sc = NULL; + struct cdevsw *cdev; + struct cfdriver *cd; + + cdev = &cdevsw[major(dev)]; + if (cdev->d_open == uhidopen) + cd = &uhid_cd; +#if NFIDO > 0 + else if (cdev->d_open == fidoopen) + cd = &fido_cd; +#endif + else + return (NULL); + if (UHIDUNIT(dev) < cd->cd_ndevs) + sc = cd->cd_devs[UHIDUNIT(dev)]; + + return (sc); +} + int uhid_match(struct device *parent, void *match, void *aux) { @@ -201,13 +200,16 @@ uhid_intr(struct uhidev *addr, void *data, u_int len) int uhidopen(dev_t dev, int flag, int mode, struct proc *p) { + return (uhid_do_open(dev, flag, mode, p)); +} + +int +uhid_do_open(dev_t dev, int flag, int mode, struct proc *p) +{ struct uhid_softc *sc; int error; - if (UHIDUNIT(dev) >= uhid_cd.cd_ndevs) - return (ENXIO); - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; - if (sc == NULL) + if ((sc = uhid_lookup(dev)) == NULL) return (ENXIO); DPRINTF(("uhidopen: sc=%p\n", sc)); 
@@ -231,7 +233,8 @@ uhidclose(dev_t dev, int flag, int mode, struct proc *p) { struct uhid_softc *sc; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); DPRINTF(("uhidclose: sc=%p\n", sc)); @@ -295,7 +298,8 @@ uhidread(dev_t dev, struct uio *uio, int flag) struct uhid_softc *sc; int error; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); sc->sc_refcnt++; error = uhid_do_read(sc, uio, flag); @@ -317,9 +321,13 @@ uhid_do_write(struct uhid_softc *sc, struct uio *uio, int flag) size = sc->sc_hdev.sc_osize; error = 0; - if (uio->uio_resid != size) - return (EINVAL); - error = uiomove(sc->sc_obuf, size, uio); + if (uio->uio_resid > size) + return (EMSGSIZE); + else if (uio->uio_resid < size) { + /* don't leak kernel memory to the USB device */ + memset(sc->sc_obuf + uio->uio_resid, 0, size - uio->uio_resid); + } + error = uiomove(sc->sc_obuf, uio->uio_resid, uio); if (!error) { if (uhidev_set_report(sc->sc_hdev.sc_parent, UHID_OUTPUT_REPORT, sc->sc_hdev.sc_report_id, sc->sc_obuf, @@ -336,7 +344,8 @@ uhidwrite(dev_t dev, struct uio *uio, int flag) struct uhid_softc *sc; int error; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); sc->sc_refcnt++; error = uhid_do_write(sc, uio, flag); @@ -386,7 +395,8 @@ uhidioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p) struct uhid_softc *sc; int error; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); sc->sc_refcnt++; error = uhid_do_ioctl(sc, cmd, addr, flag, p); @@ -402,7 +412,8 @@ uhidpoll(dev_t dev, int events, struct proc *p) int revents = 0; int s; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); if (usbd_is_dying(sc->sc_hdev.sc_udev)) return (POLLERR); 
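Review bot: In the `uhid_do_write` hunk the new short-write path also accepts `uio->uio_resid == 0`: an empty write(2) zeroes all of `sc_obuf` and still sends an output report, where the old code returned EINVAL. If that is not intended, reject it before the padding with `if (uio->uio_resid == 0) return (EINVAL);`. The `>` and `<` comparisons also mix `uio_resid` with `size`, whose declaration is outside the hunk; if `size` is a signed int, a one-line comment that `sc_osize` is never negative would document why the comparison is safe. The function body starts and ends outside the hunk.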
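Review bot: In the `uhidpoll` hunk the new failed-lookup path returns `ENXIO`, but this function returns a poll event mask (see `int revents = 0;` and the `return (POLLERR);` directly below), so the caller would interpret the errno value as a set of ready events. The lookup failure should use `return (POLLERR);` like the dying-device check. The `uhidkqfilter` hunk that follows already returns errno values (`EIO`), so `ENXIO` is consistent there. The body of `uhidpoll` continues outside the hunk.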
@@ -458,7 +469,8 @@ uhidkqfilter(dev_t dev, struct knote *kn) struct klist *klist; int s; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); if (usbd_is_dying(sc->sc_hdev.sc_udev)) return (EIO); diff --git a/sys/dev/usb/uhid.h b/sys/dev/usb/uhid.h new file mode 100644 index 00000000000..9b46dfc344f --- /dev/null +++ b/sys/dev/usb/uhid.h 
@@ -0,0 +1,64 @@
+/* $OpenBSD: uhid.h,v 1.1 2019/12/17 13:08:54 reyk Exp $ */
+/* $NetBSD: uhid.c,v 1.57 2003/03/11 16:44:00 augustss Exp $ */
+
+/*
+ * Copyright (c) 1998 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Lennart Augustsson (lennart@augustsson.net) at
+ * Carlstedt Research & Technology.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */ + +#ifdef _KERNEL + +struct uhid_softc { + struct uhidev sc_hdev; + + u_char *sc_obuf; + + struct clist sc_q; + struct selinfo sc_rsel; + u_char sc_state; /* driver state */ +#define UHID_ASLP 0x01 /* waiting for device data */ + + int sc_refcnt; +}; + +extern struct cfdriver uhid_cd; +extern struct cfdriver fido_cd; + +#define UHIDUNIT(dev) (minor(dev)) +#define UHID_CHUNK 128 /* chunk size for read */ +#define UHID_BSIZE 1020 /* buffer size */ + +void uhid_intr(struct uhidev *, void *, u_int); +struct uhid_softc *uhid_lookup(dev_t); + +int uhid_do_open(dev_t, int, int, struct proc *); + +void uhid_attach(struct device *, struct device *, void *); +int uhid_detach(struct device *, int); + +#endif /* _KERNEL */ diff --git a/sys/sys/conf.h b/sys/sys/conf.h index 48118f7f670..b43c8374fa5 100644 --- a/sys/sys/conf.h +++ b/sys/sys/conf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.h,v 1.145 2018/08/31 04:20:37 visa Exp $ */ +/* $OpenBSD: conf.h,v 1.146 2019/12/17 13:08:54 reyk Exp $ */ /* $NetBSD: conf.h,v 1.33 1996/05/03 20:03:32 christos Exp $ */ /*- @@ -376,6 +376,13 @@ extern struct cdevsw cdevsw[]; 0, dev_init(c,n,poll), (dev_type_mmap((*))) enodev, 0, 0, \ dev_init(c,n,kqfilter) } +/* open, close, read, write, ioctl, poll, kqfilter */ +#define cdev_fido_init(c,n) { \ + dev_init(c,n,open), dev_init(c,uhid,close), dev_init(c,uhid,read), \ + dev_init(c,uhid,write), dev_init(c,fido,ioctl), \ + (dev_type_stop((*))) enodev, 0, dev_init(c,uhid,poll), \ + (dev_type_mmap((*))) enodev, 0, 0, dev_init(c,uhid,kqfilter) } + /* open, close, init */ #define cdev_pci_init(c,n) { \ dev_init(c,n,open), dev_init(c,n,close), (dev_type_read((*))) enodev, \ @@ -604,6 +611,7 @@ cdev_decl(bktr); cdev_decl(usb); cdev_decl(ugen); cdev_decl(uhid); +cdev_decl(fido); cdev_decl(ucom); cdev_decl(ulpt); cdev_decl(urio); |