author | Reyk Floeter <reyk@cvs.openbsd.org> | 2019-12-17 13:08:57 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2019-12-17 13:08:57 +0000 |
commit | 93c5a80cd9505a17528ed97b6fc75b8a12a2adc6 (patch) | |
tree | b744b8472950e501afef29498928e14ae3b24652 | |
parent | 3a713a9a6753ac8aa6d5e955f64f8b47b79e516a (diff) |
Add fido(4), a HID driver for FIDO/U2F security keys
While FIDO/U2F keys were already supported by the generic uhid(4)
driver, this driver adds the first step to tighten the security of
FIDO/U2F access. Specifically, users don't need read/write access to
all USB/HID devices anymore and the driver also improves integration
with pledge(2) and unveil(2): It is pledge-friendly because it doesn't
require any ioctls to discover the device and unveil-friendly because
it uses a single /dev/fido/* directory for its device nodes.
It also allows to support FIDO/U2F in firefox without further
weakening the "sandbox" of the browser. Firefox does not have a
proper privsep design and many operations, such as U2F access, are
handled directly by the main process. This means that the browser's
"fat" main process needs direct read/write access to all USB HID
devices, at least on other operating systems. With fido(4) we can
support security keys in Firefox under OpenBSD without such a
compromise.
With this change, libfido2 stops using the ioctl to query the device
vendor/product and just assumes "OpenBSD" "fido(4)" instead. The
ioctl is still supported, but there was no benefit in obtaining the
vendor, product or name; dropping it also allows libfido2 to be used
under pledge.
With feedback from deraadt@ and many others
OK kettenis@ djm@ and jmc@ for the manpage bits
49 files changed, 396 insertions, 162 deletions
diff --git a/etc/MAKEDEV.common b/etc/MAKEDEV.common index bd611225f27..c726bfe8a0e 100644 --- a/etc/MAKEDEV.common +++ b/etc/MAKEDEV.common @@ -1,4 +1,4 @@ -vers(a, {-$OpenBSD: MAKEDEV.common,v 1.105 2019/12/14 05:05:46 deraadt Exp $-})dnl +vers(a, {-$OpenBSD: MAKEDEV.common,v 1.106 2019/12/17 13:08:54 reyk Exp $-})dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org> dnl @@ -177,6 +177,7 @@ __devitem(ramdisk, ramdisk, Ramdisk kernel devices,nothing)dnl dnl target(usb, usb, 0, 1, 2, 3, 4, 5, 6, 7)dnl target(usb, uhid, 0, 1, 2, 3, 4, 5, 6, 7)dnl +twrget(usb, fido, fido)dnl target(usb, ulpt, 0, 1)dnl target(usb, ugen, 0, 1, 2, 3, 4, 5, 6, 7)dnl target(usb, ttyU, 0, 1, 2, 3)dnl @@ -357,6 +358,10 @@ _mkdev({-usb-}, usb*, {-[ "$i" = "usb" ] && u= || u=$U M usb$u c major_usb_c $U 640-})dnl __devitem(uhid, uhid*, Generic HID devices)dnl _mcdev({-uhid-}, uhid*, {-uhid-}, {-major_uhid_c-}, 600)dnl +__devitem(fido, fido, fido/* nodes, fd)dnl +_mkdev(fido, fido, {-RMlist[${#RMlist[*]}]=";mkdir -p fido;rm -f" n=0 + while [ $n -lt 4 ];do M fido/$n c major_fido_c $n 666;n=Add($n, 1);done + MKlist[${#MKlist[*]}]=";chmod 555 fido"-})dnl __devitem(ulpt, ulpt*, Printer devices)dnl _mcdev({-ulpt-}, ulpt*, {-ulpt-}, {-major_ulpt_c-}, 600)dnl __devitem(ttyU, ttyU*, USB serial ports,ucom)dnl diff --git a/etc/etc.alpha/MAKEDEV.md b/etc/etc.alpha/MAKEDEV.md index 6fad20b04b8..67ef7d40778 100644 --- a/etc/etc.alpha/MAKEDEV.md +++ b/etc/etc.alpha/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,alpha)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.71 2017/11/02 14:04:24 mpi Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.72 2019/12/17 13:08:54 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org> @@ -55,6 +55,7 @@ _DEV(ttyU, 49) _DEV(uall) _DEV(ugen, 48) _DEV(uhid, 46) +_DEV(fido, 70) _DEV(ulpt, 47) _DEV(usb, 45) _TITLE(spec) diff --git a/etc/etc.amd64/MAKEDEV.md b/etc/etc.amd64/MAKEDEV.md index c2a2c83b529..f46b52bd7d6 100644 
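Review bot: `+twrget(usb, fido, fido)dnl` in the `@@ -177,6 +177,7 @@` hunk uses a macro name that appears nowhere else on this page; every neighbouring line calls `target(usb, ...)`, so this reads as a typo for `target(usb, fido, fido)dnl`. If `twrget` is not defined, m4 would presumably copy the text into the generated MAKEDEV script instead of registering fido under the `usb` target, and the `/dev/fido` nodes would then not be created by that target.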
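Review bot: The `M fido/$n c major_fido_c $n 666` nodes in the `@@ -357,6 +358,10 @@` hunk are world read/write, while the `uhid*` entry directly above is created 600, and nothing beside the entry says why that is acceptable. The commit message frames open access as the goal, so a short `dnl` note next to `_mkdev(fido, ...)` stating that any local user may open a key and that fido.4 restricts the HID ioctls to root would keep a later reader from widening or "fixing" it by accident. The loop also stops at four nodes (`$n -lt 4`) although `fido_dev_info_manifest` in hid_openbsd.c probes up to `MAX_UHID` (64) paths; whether a fifth attached key is meant to be unreachable is not visible here.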
--- a/etc/etc.amd64/MAKEDEV.md
+++ b/etc/etc.amd64/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,amd64)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.71 2019/12/13 21:03:57 deraadt Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.72 2019/12/17 13:08:54 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@@ -59,6 +59,7 @@ _DEV(ttyU, 66)
 _DEV(uall)
 _DEV(ugen, 63)
 _DEV(uhid, 62)
+_DEV(fido, 98)
 _DEV(ulpt, 64)
 _DEV(usb, 61)
 _TITLE(spec)
diff --git a/etc/etc.arm64/MAKEDEV.md b/etc/etc.arm64/MAKEDEV.md
index cff1dec0515..a1687f0a62e 100644
--- a/etc/etc.arm64/MAKEDEV.md
+++ b/etc/etc.arm64/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,arm64)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.3 2018/08/20 16:07:39 kettenis Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.4 2019/12/17 13:08:55 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@@ -51,6 +51,7 @@ _DEV(ttyU, 66)
 _DEV(uall)
 _DEV(ugen, 63)
 _DEV(uhid, 62)
+_DEV(fido, 98)
 _DEV(ulpt, 64)
 _DEV(usb, 61)
 _TITLE(spec)
diff --git a/etc/etc.armv7/MAKEDEV.md b/etc/etc.armv7/MAKEDEV.md
index 9f1d94462da..f6db282b7d3 100644
--- a/etc/etc.armv7/MAKEDEV.md
+++ b/etc/etc.armv7/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,armv7)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.14 2016/09/04 15:38:59 naddy Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.15 2019/12/17 13:08:55 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2004 Todd T. Fries <todd@OpenBSD.org>
@@ -60,6 +60,7 @@ _DEV(ttyU, 68)
 _DEV(uall)
 _DEV(ugen, 70)
 _DEV(uhid, 65)
+_DEV(fido, 106)
 _DEV(ulpt, 66)
 _DEV(usb, 64)
 _TITLE(spec)
diff --git a/etc/etc.hppa/MAKEDEV.md b/etc/etc.hppa/MAKEDEV.md
index 2c8ce6f3a60..0539e0c6845 100644
--- a/etc/etc.hppa/MAKEDEV.md
+++ b/etc/etc.hppa/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,hppa)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.60 2016/09/04 15:38:59 naddy Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.61 2019/12/17 13:08:55 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@@ -53,6 +53,7 @@ _TITLE(usb)
 _DEV(uall)
 _DEV(usb, 40)
 _DEV(uhid, 41)
+_DEV(fido, 61)
 _DEV(ugen, 42)
 _DEV(ulpt, 43)
 _DEV(ttyU, 45)
diff --git a/etc/etc.i386/MAKEDEV.md b/etc/etc.i386/MAKEDEV.md
index 953d60277f8..ea3ff2783f8 100644
--- a/etc/etc.i386/MAKEDEV.md
+++ b/etc/etc.i386/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,i386)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.86 2019/12/13 21:03:57 deraadt Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.87 2019/12/17 13:08:55 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@@ -60,6 +60,7 @@ _DEV(ttyU, 66)
 _DEV(uall)
 _DEV(ugen, 63)
 _DEV(uhid, 62)
+_DEV(fido, 98)
 _DEV(ulpt, 64)
 _DEV(usb, 61)
 _TITLE(spec)
diff --git a/etc/etc.landisk/MAKEDEV.md b/etc/etc.landisk/MAKEDEV.md
index f2c3660a3b2..50519ceed69 100644
--- a/etc/etc.landisk/MAKEDEV.md
+++ b/etc/etc.landisk/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,landisk)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.43 2016/09/11 19:59:53 deraadt Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.44 2019/12/17 13:08:55 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2004 Todd T. Fries <todd@OpenBSD.org>
@@ -64,6 +64,7 @@ _DEV(ttyU, 68)
 _DEV(uall)
 _DEV(ugen, 70)
 _DEV(uhid, 65)
+_DEV(fido, 106)
 _DEV(ulpt, 66)
 _DEV(usb, 64)
 _TITLE(spec)
diff --git a/etc/etc.loongson/MAKEDEV.md b/etc/etc.loongson/MAKEDEV.md
index 1dabb4d8260..606c923338e 100644
--- a/etc/etc.loongson/MAKEDEV.md
+++ b/etc/etc.loongson/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,loongson)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.27 2017/05/21 13:00:53 visa Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.28 2019/12/17 13:08:56 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@@ -59,6 +59,7 @@ _DEV(ttyU, 66)
 _DEV(uall)
 _DEV(ugen, 63)
 _DEV(uhid, 62)
+_DEV(fido, 88)
 _DEV(ulpt, 64)
 _DEV(usb, 61)
 _TITLE(spec)
diff --git a/etc/etc.macppc/MAKEDEV.md b/etc/etc.macppc/MAKEDEV.md
index 5fbed02933a..f585046974d 100644
--- a/etc/etc.macppc/MAKEDEV.md
+++ b/etc/etc.macppc/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,macppc)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.70 2016/09/11 19:59:53 deraadt Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.71 2019/12/17 13:08:56 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@@ -69,6 +69,7 @@ _DEV(uall)
 _DEV(ttyU, 66)
 _DEV(ugen, 63)
 _DEV(uhid, 62)
+_DEV(fido, 90)
 _DEV(ulpt, 64)
 _DEV(usb, 61)
 _TITLE(spec)
diff --git a/etc/etc.octeon/MAKEDEV.md b/etc/etc.octeon/MAKEDEV.md
index 173fb01913d..c192f0c1781 100644
--- a/etc/etc.octeon/MAKEDEV.md
+++ b/etc/etc.octeon/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,octeon)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.14 2019/07/17 14:36:31 visa Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.15 2019/12/17 13:08:56 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@@ -65,6 +65,8 @@ _TITLE(usb)
 _DEV(ttyU, 66)
 _DEV(uall)
 _DEV(usb, 61)
+_DEV(uhid, 62)
+_DEV(fido, 76)
 _TITLE(spec)
 _DEV(au, 44)
 _DEV(bio, 49)
diff --git a/etc/etc.sgi/MAKEDEV.md b/etc/etc.sgi/MAKEDEV.md
index 69b4280ed97..74a566f5945 100644
--- a/etc/etc.sgi/MAKEDEV.md
+++ b/etc/etc.sgi/MAKEDEV.md
@@ -1,6 +1,6 @@
 define(MACHINE,sgi)dnl
 vers(__file__,
- {-$OpenBSD: MAKEDEV.md,v 1.49 2016/09/11 19:59:54 deraadt Exp $-},
+ {-$OpenBSD: MAKEDEV.md,v 1.50 2019/12/17 13:08:56 reyk Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@@ -68,6 +68,7 @@ _DEV(ttyU, 66)
 _DEV(uall)
 _DEV(ugen, 63)
 _DEV(uhid, 62)
+_DEV(fido, 76)
 _DEV(ulpt, 64)
 _DEV(usb, 61)
 _TITLE(spec)
diff --git a/etc/etc.sparc64/MAKEDEV.md b/etc/etc.sparc64/MAKEDEV.md
index 037a3840aed..125eaa882b9 100644
--- a/etc/etc.sparc64/MAKEDEV.md
+++ b/etc/etc.sparc64/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,sparc64)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.88 2019/10/20 16:31:10 kettenis Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.89 2019/12/17 13:08:56 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org> @@ -103,6 +103,7 @@ _DEV(ttyU, 95) _DEV(uall) _DEV(ugen, 92) _DEV(uhid, 91) +_DEV(fido, 137) _DEV(ulpt, 93) _DEV(usb, 90) _TITLE(spec) diff --git a/lib/libfido2/Makefile b/lib/libfido2/Makefile index afbbf158e84..d6fb7aef060 100644 --- a/lib/libfido2/Makefile +++ b/lib/libfido2/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.3 2019/11/15 03:19:40 deraadt Exp $ +# $OpenBSD: Makefile,v 1.4 2019/12/17 13:08:54 reyk Exp $ .PATH: ${.CURDIR}/man ${.CURDIR}/src @@ -9,7 +9,6 @@ CDIAGFLAGS+= -Wall -Wextra CDIAGFLAGS+= -Werror LDADD+= -L${BSDOBJDIR}/lib/libcbor -lcbor -LDADD+= -L${BSDOBJDIR}/lib/libusbhid -lusbhid SYMBOL_LIST= Symbols.list VERSION_SCRIPT= Symbols.map diff --git a/lib/libfido2/src/hid_openbsd.c b/lib/libfido2/src/hid_openbsd.c index 92b7c05b6f7..15af3ad5253 100644 --- a/lib/libfido2/src/hid_openbsd.c +++ b/lib/libfido2/src/hid_openbsd.c @@ -20,7 +20,7 @@ #include "fido.h" #define MAX_UHID 64 -#define MAX_REPORT_LEN (sizeof(((struct usb_ctl_report *)(NULL))->ucr_data)) +#define MAX_U2FHID_LEN 64 struct hid_openbsd { int fd; @@ -33,11 +33,8 @@ fido_dev_info_manifest(fido_dev_info_t *devlist, size_t ilen, size_t *olen) { size_t i; char path[64]; - int is_fido, fd; + int fd; struct usb_device_info udi; - report_desc_t rdesc = NULL; - hid_data_t hdata = NULL; - hid_item_t hitem; fido_dev_info_t *di; if (ilen == 0) 
@@ -47,7 +44,7 @@ fido_dev_info_manifest(fido_dev_info_t *devlist, size_t ilen, size_t *olen) return (FIDO_ERR_INVALID_ARGUMENT); for (i = *olen = 0; i < MAX_UHID && *olen < ilen; i++) { - snprintf(path, sizeof(path), "/dev/uhid%zu", i); + snprintf(path, sizeof(path), "/dev/fido/%zu", i); if ((fd = open(path, O_RDWR)) == -1) { if (errno != ENOENT && errno != ENXIO) { log_debug("%s: open %s: %s", __func__, path, 
@@ -55,49 +52,15 @@ fido_dev_info_manifest(fido_dev_info_t *devlist, size_t ilen, size_t *olen) } continue; } - memset(&udi, 0, sizeof(udi)); - if (ioctl(fd, USB_GET_DEVICEINFO, &udi) != 0) { - log_debug("%s: get device info %s: %s", __func__, - path, strerror(errno)); - close(fd); - continue; - } - if ((rdesc = hid_get_report_desc(fd)) == NULL) { - log_debug("%s: failed to get report descriptor: %s", - __func__, path); - close(fd); - continue; - } - if ((hdata = hid_start_parse(rdesc, - 1<<hid_collection, -1)) == NULL) { - log_debug("%s: failed to parse report descriptor: %s", - __func__, path); - hid_dispose_report_desc(rdesc); - close(fd); - continue; - } - is_fido = 0; - for (is_fido = 0; !is_fido;) { - memset(&hitem, 0, sizeof(hitem)); - if (hid_get_item(hdata, &hitem) <= 0) - break; - if ((hitem._usage_page & 0xFFFF0000) == 0xf1d00000) - is_fido = 1; - } - hid_end_parse(hdata); - hid_dispose_report_desc(rdesc); close(fd); - if (!is_fido) - continue; + memset(&udi, 0, sizeof(udi)); + strlcpy(udi.udi_vendor, "OpenBSD", sizeof(udi.udi_vendor)); + strlcpy(udi.udi_product, "fido(4)", sizeof(udi.udi_product)); + udi.udi_vendorNo = 0x0b5d; /* stolen from PCI_VENDOR_OPENBSD */ - log_debug("%s: %s: bus = 0x%02x, addr = 0x%02x", - __func__, path, udi.udi_bus, udi.udi_addr); log_debug("%s: %s: vendor = \"%s\", product = \"%s\"", __func__, path, udi.udi_vendor, udi.udi_product); - log_debug("%s: %s: productNo = 0x%04x, vendorNo = 0x%04x, " - "releaseNo = 0x%04x", __func__, path, udi.udi_productNo, - udi.udi_vendorNo, udi.udi_releaseNo); di = &devlist[*olen]; memset(di, 0, sizeof(*di)); 
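Review bot: After this hunk every `/dev/fido/N` that opens is reported as a FIDO device with the fixed identity `"OpenBSD"` / `"fido(4)"` and `udi_vendorNo = 0x0b5d`; the usage-page test (`0xf1d00000`) that used to run in userland is removed, so the library now relies entirely on the kernel driver's match. That assumption deserves a comment above the added `memset(&udi, 0, sizeof(udi));`, for example `/* fido(4) only attaches to FIDO/U2F HID devices; vendor/product below are synthetic */`. Since `udi_productNo` stays 0 from the memset, callers that tell keys apart by vendor or product ID will presumably see identical values for every key, which is worth stating in the same comment. fido_dev_info_manifest starts and ends outside this hunk.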
@@ -178,42 +141,15 @@ void * hid_open(const char *path) { struct hid_openbsd *ret = NULL; - report_desc_t rdesc = NULL; - int len, usb_report_id = 0; if ((ret = calloc(1, sizeof(*ret))) == NULL || (ret->fd = open(path, O_RDWR)) < 0) { free(ret); return (NULL); } - if (ioctl(ret->fd, USB_GET_REPORT_ID, &usb_report_id) != 0) { - log_debug("%s: failed to get report ID: %s", __func__, - strerror(errno)); - goto fail; - } - if ((rdesc = hid_get_report_desc(ret->fd)) == NULL) { - log_debug("%s: failed to get report descriptor", __func__); - goto fail; - } - if ((len = hid_report_size(rdesc, hid_input, usb_report_id)) <= 0 || - (size_t)len > MAX_REPORT_LEN) { - log_debug("%s: bad input report size %d", __func__, len); - goto fail; - } - ret->report_in_len = (size_t)len; - if ((len = hid_report_size(rdesc, hid_output, usb_report_id)) <= 0 || - (size_t)len > MAX_REPORT_LEN) { - log_debug("%s: bad output report size %d", __func__, len); - fail: - hid_dispose_report_desc(rdesc); - close(ret->fd); - free(ret); - return NULL; - } - ret->report_out_len = (size_t)len; - hid_dispose_report_desc(rdesc); - log_debug("%s: USB report ID %d, inlen = %zu outlen = %zu", __func__, - usb_report_id, ret->report_in_len, ret->report_out_len); + ret->report_in_len = ret->report_out_len = MAX_U2FHID_LEN; + log_debug("%s: inlen = %zu outlen = %zu", __func__, + ret->report_in_len, ret->report_out_len); /* * OpenBSD (as of 201910) has a bug that causes it to lose diff --git a/share/man/man4/fido.4 b/share/man/man4/fido.4 new file mode 100644 index 00000000000..363450d9470 --- /dev/null +++ b/share/man/man4/fido.4 
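Review bot: `ret->report_in_len = ret->report_out_len = MAX_U2FHID_LEN;` replaces the descriptor-derived sizes and their `<= 0` / `> MAX_REPORT_LEN` checks with a fixed 64, so a key whose report descriptor declares a different report size is no longer detected at open time. If the kernel driver guarantees 64-byte reports, say so on that line, e.g. `/* fido(4) hides the report descriptor from non-root; assume 64-byte U2FHID reports */`; otherwise the read and write paths, which are outside this hunk, should tolerate a short transfer rather than trust the constant. hid_open continues past the end of the hunk.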
@@ -0,0 +1,54 @@
+.\" $OpenBSD: fido.4,v 1.1 2019/12/17 13:08:54 reyk Exp $
+.\"
+.\" Copyright (c) 2019 Reyk Floeter <reyk@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 17 2019 $
+.Dt FIDO 4
+.Os
+.Sh NAME
+.Nm fido
+.Nd FIDO/U2F security key support
+.Sh SYNOPSIS
+.Cd "fido* at uhidev?"
+.Sh DESCRIPTION
+The
+.Nm
+driver provides support for FIDO/U2F-compatible USB security keys.
+They are Human Interface Devices (HID) which can be accessed via the
+.Pa /dev/fido/N
+interface.
+.Pp
+The driver is compatible with the
+.Xr read 2 ,
+.Xr write 2 ,
+and
+.Xr ioctl 2
+operations of the generic
+.Xr uhid 4
+device but only accept the optional HID
+.Xr ioctl 2
+calls from root.
+.Sh FILES
+.Bl -tag -width /dev/fido/* -compact
+.It Pa /dev/fido/*
+.El
+.Sh SEE ALSO
+.Xr uhid 4 ,
+.Xr usb 4
+.Sh HISTORY
+The
+.Nm
+driver first appeared in
+.Ox 6.7 .
diff --git a/share/man/man4/usb.4 b/share/man/man4/usb.4
index 80f2fe72fc2..c780ddc28e5 100644
--- a/share/man/man4/usb.4
+++ b/share/man/man4/usb.4
@@ -1,4 +1,4 @@ -.\" $OpenBSD: usb.4,v 1.198 2019/12/07 08:45:28 kevlo Exp $ +.\" $OpenBSD: usb.4,v 1.199 2019/12/17 13:08:54 reyk Exp $ .\" $NetBSD: usb.4,v 1.15 1999/07/29 14:20:32 augustss Exp $ .\" .\" Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -28,7 +28,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 7 2019 $ +.Dd $Mdocdate: December 17 2019 $ .Dt USB 4 .Os .Sh NAME @@ -245,6 +245,8 @@ D-Link DSB-R100 USB radio device .El .Ss Human Interface Devices .Bl -tag -width 12n -offset ind -compact +.It Xr fido 4 +FIDO/U2F security keys .It Xr ubcmtp 4 Broadcom trackpad mouse .It Xr uhid 4 diff --git a/sys/arch/alpha/alpha/conf.c b/sys/arch/alpha/alpha/conf.c index a08ba7a1490..533c8c9359c 100644 --- a/sys/arch/alpha/alpha/conf.c +++ b/sys/arch/alpha/alpha/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.84 2017/11/02 14:04:24 mpi Exp $ */ +/* $OpenBSD: conf.c,v 1.85 2019/12/17 13:08:54 reyk Exp $ */ /* $NetBSD: conf.c,v 1.16 1996/10/18 21:26:57 cgd Exp $ */ /*- @@ -111,6 +111,7 @@ cdev_decl(cy); /* USB Devices */ #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -202,6 +203,7 @@ struct cdevsw cdevsw[] = cdev_fuse_init(NFUSE,fuse), /* 67: fuse */ cdev_tun_init(NTUN,tap), /* 68: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 69: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 70: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/alpha/conf/GENERIC b/sys/arch/alpha/conf/GENERIC index 58d68043c43..2309131cafd 100644 --- a/sys/arch/alpha/conf/GENERIC +++ b/sys/arch/alpha/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.263 2019/05/08 23:54:38 kettenis Exp $ +# $OpenBSD: GENERIC,v 1.264 2019/12/17 13:08:54 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. 
@@ -106,6 +106,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet #atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/amd64/amd64/conf.c b/sys/arch/amd64/amd64/conf.c index e96dda7be06..6330f6e442d 100644 --- a/sys/arch/amd64/amd64/conf.c +++ b/sys/arch/amd64/amd64/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.64 2019/12/13 20:57:54 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.65 2019/12/17 13:08:54 reyk Exp $ */ /* * Copyright (c) 1994, 1995 Charles M. Hannum. All rights reserved. @@ -151,6 +151,7 @@ cdev_decl(cy); #include "ksyms.h" #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -297,6 +298,7 @@ struct cdevsw cdevsw[] = cdev_pvbus_init(NPVBUS,pvbus), /* 95: pvbus(4) control interface */ cdev_ipmi_init(NIPMI,ipmi), /* 96: ipmi */ cdev_switch_init(NSWITCH,switch), /* 97: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 98: FIDO/U2F security keys */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/amd64/conf/GENERIC b/sys/arch/amd64/conf/GENERIC index 64d390905d9..17e88a9eb51 100644 --- a/sys/arch/amd64/conf/GENERIC +++ b/sys/arch/amd64/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.482 2019/12/08 12:27:25 mpi Exp $ +# $OpenBSD: GENERIC,v 1.483 2019/12/17 13:08:54 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -280,6 +280,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b 
diff --git a/sys/arch/arm/arm/conf.c b/sys/arch/arm/arm/conf.c index a7e89367483..75e0d737754 100644 --- a/sys/arch/arm/arm/conf.c +++ b/sys/arch/arm/arm/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.50 2017/01/23 08:37:08 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.51 2019/12/17 13:08:55 reyk Exp $ */ /* $NetBSD: conf.c,v 1.10 2002/04/19 01:04:38 wiz Exp $ */ /* @@ -123,6 +123,7 @@ cdev_decl(pci); #include "ucom.h" #include "ugen.h" #include "uhid.h" +#incluee "fido.h" #include "ulpt.h" /* @@ -378,6 +379,7 @@ struct cdevsw cdevsw[] = { cdev_pppx_init(NPPPX,pppx), /* 103: pppx */ cdev_tun_init(NTUN,tap), /* 104: Ethernet tap */ cdev_switch_init(NSWITCH,switch), /* 105: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 106: FIDO/U2F security key */ }; int nblkdev = nitems(bdevsw); diff --git a/sys/arch/arm64/arm64/conf.c b/sys/arch/arm64/arm64/conf.c index a0fec1177c3..b4dd68e2505 100644 --- a/sys/arch/arm64/arm64/conf.c +++ b/sys/arch/arm64/arm64/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.8 2019/12/13 20:57:54 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.9 2019/12/17 13:08:55 reyk Exp $ */ /* * Copyright (c) 1994, 1995 Charles M. Hannum. All rights reserved. @@ -121,6 +121,7 @@ cdev_decl(spkr); #include "ksyms.h" #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -255,6 +256,7 @@ struct cdevsw cdevsw[] = cdev_notdef(), /* 95 */ cdev_notdef(), /* 96 */ cdev_switch_init(NSWITCH,switch), /* 97: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 98: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/arm64/conf/GENERIC b/sys/arch/arm64/conf/GENERIC index 42af8a132a0..cd0e66edef8 100644 --- a/sys/arch/arm64/conf/GENERIC +++ b/sys/arch/arm64/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.135 2019/12/03 09:12:46 patrick Exp $ +# $OpenBSD: GENERIC,v 1.136 2019/12/17 13:08:54 reyk Exp $ # # GENERIC machine description file # 
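Review bot: `+#incluee "fido.h"` in the `@@ -123,6 +123,7 @@` hunk of sys/arch/arm/arm/conf.c is not a preprocessor directive, so the file will not compile, and the `NFIDO` used by the added `cdev_fido_init(NFIDO,fido)` entry would have no declaration in any case. The line should read `#include "fido.h"`, as it does in the alpha, amd64 and arm64 hunks. The same misspelling is in the `@@ -120,6 +120,7 @@` hunk of sys/arch/loongson/loongson/conf.c.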
@@ -308,6 +308,7 @@ ucom* at ucycom?
 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART
 ucom* at uslhcom?
 uhid* at uhidev? # USB generic HID support
+fido* at uhidev? # FIDO/U2F security key support
 upd* at uhidev? # USB Power Devices sensors
 aue* at uhub? # ADMtek AN986 Pegasus Ethernet
 atu* at uhub? # Atmel AT76c50x based 802.11b
diff --git a/sys/arch/armv7/conf/GENERIC b/sys/arch/armv7/conf/GENERIC
index c6051b5c4f2..bce45d90eaf 100644
--- a/sys/arch/armv7/conf/GENERIC
+++ b/sys/arch/armv7/conf/GENERIC
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC,v 1.126 2019/10/27 19:19:10 kettenis Exp $
+# $OpenBSD: GENERIC,v 1.127 2019/12/17 13:08:55 reyk Exp $
 #
 # For further information on compiling OpenBSD kernels, see the config(8)
 # man page.
@@ -297,6 +297,7 @@ ucom* at ucycom?
 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART
 ucom* at uslhcom?
 uhid* at uhidev? # USB generic HID support
+fido* at uhidev? # FIDO/U2F security key support
 upd* at uhidev? # USB Power Devices sensors
 aue* at uhub? # ADMtek AN986 Pegasus Ethernet
 atu* at uhub? # Atmel AT76c50x based 802.11b
diff --git a/sys/arch/hppa/conf/GENERIC b/sys/arch/hppa/conf/GENERIC
index 30c6ca305d8..d1fb312f04c 100644
--- a/sys/arch/hppa/conf/GENERIC
+++ b/sys/arch/hppa/conf/GENERIC
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC,v 1.179 2019/05/08 23:54:39 kettenis Exp $
+# $OpenBSD: GENERIC,v 1.180 2019/12/17 13:08:55 reyk Exp $
 #
 # For further information on compiling OpenBSD kernels, see the config(8)
 # man page.
@@ -110,6 +110,7 @@ wsmouse* at ums? mux 0
 ukbd* at uhidev? # USB keyboard
 wskbd* at ukbd? mux 1
 uhid* at uhidev? # USB generic HID support
+fido* at uhidev? # FIDO/U2F security key support
 upd* at uhidev? # USB Power Devices sensors
 aue* at uhub? # ADMtek AN986 Pegasus Ethernet
 url* at uhub? # Realtek RTL8150L based adapters
diff --git a/sys/arch/hppa/hppa/conf.c b/sys/arch/hppa/hppa/conf.c
index 11766084833..ff36e34aca4 100644
--- a/sys/arch/hppa/hppa/conf.c
+++ b/sys/arch/hppa/hppa/conf.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.66 2016/09/04 10:51:23 naddy Exp $ */ +/* $OpenBSD: conf.c,v 1.67 2019/12/17 13:08:55 reyk Exp $ */ /*- * Copyright (c) 1991 The Regents of the University of California. @@ -111,6 +111,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -186,6 +187,7 @@ struct cdevsw cdevsw[] = cdev_fuse_init(NFUSE,fuse), /* 58: fuse */ cdev_tun_init(NTUN,tap), /* 59: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 60: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 61: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/i386/conf/GENERIC b/sys/arch/i386/conf/GENERIC index 5e866cc1d4f..7aea599dd99 100644 --- a/sys/arch/i386/conf/GENERIC +++ b/sys/arch/i386/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.847 2019/12/08 12:27:26 mpi Exp $ +# $OpenBSD: GENERIC,v 1.848 2019/12/17 13:08:55 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -283,6 +283,7 @@ ucom* at uslhcom? uticom* at uhub? # TI serial ucom* at uticom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/i386/i386/conf.c b/sys/arch/i386/i386/conf.c index e2e5dac35e8..adb6e4bef1e 100644 --- a/sys/arch/i386/i386/conf.c +++ b/sys/arch/i386/i386/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.163 2019/12/13 20:57:54 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.164 2019/12/17 13:08:55 reyk Exp $ */ /* $NetBSD: conf.c,v 1.75 1996/05/03 19:40:20 christos Exp $ */ /* @@ -145,6 +145,7 @@ cdev_decl(cy); #include "ksyms.h" #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" 
@@ -290,6 +291,7 @@ struct cdevsw cdevsw[] = cdev_pvbus_init(NPVBUS,pvbus), /* 95: pvbus(4) control interface */ cdev_ipmi_init(NIPMI,ipmi), /* 96: ipmi */ cdev_switch_init(NSWITCH,switch), /* 97: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 98: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/landisk/conf/GENERIC b/sys/arch/landisk/conf/GENERIC index fb4aa07244f..0c59680830a 100644 --- a/sys/arch/landisk/conf/GENERIC +++ b/sys/arch/landisk/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.54 2019/05/08 23:54:39 kettenis Exp $ +# $OpenBSD: GENERIC,v 1.55 2019/12/17 13:08:55 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -136,6 +136,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/landisk/landisk/conf.c b/sys/arch/landisk/landisk/conf.c index 71f2129945f..5cb64822446 100644 --- a/sys/arch/landisk/landisk/conf.c +++ b/sys/arch/landisk/landisk/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.38 2017/01/23 08:37:08 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.39 2019/12/17 13:08:55 reyk Exp $ */ /* * Copyright (c) 1994-1998 Mark Brinicombe. @@ -113,6 +113,7 @@ cdev_decl(pci); #include "ucom.h" #include "ugen.h" #include "uhid.h" +#include "fido.h" #include "ulpt.h" /* @@ -352,6 +353,7 @@ struct cdevsw cdevsw[] = { cdev_fuse_init(NFUSE,fuse), /* 103: fuse */ cdev_tun_init(NTUN,tap), /* 104: Ethernet network tap */ cdev_switch_init(NSWITCH,switch), /* 105: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 106: FIDO/U2F security key */ }; int nblkdev = nitems(bdevsw); 
diff --git a/sys/arch/loongson/conf/GENERIC b/sys/arch/loongson/conf/GENERIC index bfac94f60ef..32f10728769 100644 --- a/sys/arch/loongson/conf/GENERIC +++ b/sys/arch/loongson/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.60 2019/05/08 23:54:39 kettenis Exp $ +# $OpenBSD: GENERIC,v 1.61 2019/12/17 13:08:55 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -163,6 +163,7 @@ wskbd* at ukbd? mux 1 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors atu* at uhub? # Atmel AT76c50x based 802.11b aue* at uhub? # ADMtek AN986 Pegasus Ethernet diff --git a/sys/arch/loongson/loongson/conf.c b/sys/arch/loongson/loongson/conf.c index 87746db5225..27e7a5ec9f6 100644 --- a/sys/arch/loongson/loongson/conf.c +++ b/sys/arch/loongson/loongson/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.24 2017/05/21 13:00:53 visa Exp $ */ +/* $OpenBSD: conf.c,v 1.25 2019/12/17 13:08:56 reyk Exp $ */ /* * Copyright (c) 1992, 1993 @@ -120,6 +120,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#incluee "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -223,6 +224,7 @@ struct cdevsw cdevsw[] = cdev_notdef(), /* 85 */ cdev_notdef(), /* 86 */ cdev_drm_init(NDRM,drm), /* 87: drm */ + cdev_fido_init(NFIDO,fido), /* 88: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/macppc/conf/GENERIC b/sys/arch/macppc/conf/GENERIC index f6d3812cede..67020e6df45 100644 --- a/sys/arch/macppc/conf/GENERIC +++ b/sys/arch/macppc/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.268 2019/05/08 23:54:39 kettenis Exp $g +# $OpenBSD: GENERIC,v 1.269 2019/12/17 13:08:56 reyk Exp $g # # For further information on compiling OpenBSD kernels, see the config(8) # man page. 
@@ -261,6 +261,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/macppc/macppc/conf.c b/sys/arch/macppc/macppc/conf.c index 97491cbf275..061a11e9a2e 100644 --- a/sys/arch/macppc/macppc/conf.c +++ b/sys/arch/macppc/macppc/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.68 2019/09/03 17:51:52 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.69 2019/12/17 13:08:56 reyk Exp $ */ /* * Copyright (c) 1997 Per Fogelstrom @@ -96,6 +96,7 @@ cdev_decl(com); #include "ksyms.h" #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -226,6 +227,7 @@ struct cdevsw cdevsw[] = { cdev_drm_init(NDRM,drm), /* 87: drm */ cdev_fuse_init(NFUSE,fuse), /* 88: fuse */ cdev_switch_init(NSWITCH,switch), /* 89: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 90: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/octeon/conf/GENERIC b/sys/arch/octeon/conf/GENERIC index 1596c05bc58..b2d36df9c7a 100644 --- a/sys/arch/octeon/conf/GENERIC +++ b/sys/arch/octeon/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.53 2019/11/04 14:58:40 visa Exp $ +# $OpenBSD: GENERIC,v 1.54 2019/12/17 13:08:56 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -155,6 +155,7 @@ ucom* at ucycom? uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b 
diff --git a/sys/arch/octeon/octeon/conf.c b/sys/arch/octeon/octeon/conf.c index 6b96db3daab..1e80c9d93f4 100644 --- a/sys/arch/octeon/octeon/conf.c +++ b/sys/arch/octeon/octeon/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.21 2019/07/17 14:36:32 visa Exp $ */ +/* $OpenBSD: conf.c,v 1.22 2019/12/17 13:08:56 reyk Exp $ */ /* * Copyright (c) 1992, 1993 @@ -133,6 +133,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -230,6 +231,7 @@ struct cdevsw cdevsw[] = cdev_notdef(), /* 73: fuse on other mips64 */ cdev_tun_init(NTUN,tap), /* 74: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 75: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 76: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/sgi/conf/GENERIC-IP27 b/sys/arch/sgi/conf/GENERIC-IP27 index b171707b98a..af6d1b4f057 100644 --- a/sys/arch/sgi/conf/GENERIC-IP27 +++ b/sys/arch/sgi/conf/GENERIC-IP27 @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC-IP27,v 1.65 2017/08/28 19:35:42 jasper Exp $ +# $OpenBSD: GENERIC-IP27,v 1.66 2019/12/17 13:08:56 reyk Exp $ # # THIS KERNEL IS FOR Origin, Onyx, Fuel, Tezro (IP27, IP35) SYSTEMS ONLY. # @@ -127,6 +127,7 @@ wskbd* at ukbd? mux 1 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support atu* at uhub? # Atmel AT76c50x based 802.11b aue* at uhub? # ADMtek AN986 Pegasus Ethernet axe* at uhub? # ASIX Electronics AX88172 USB Ethernet diff --git a/sys/arch/sgi/conf/GENERIC-IP30 b/sys/arch/sgi/conf/GENERIC-IP30 index 09f27c50888..071d7babf95 100644 --- a/sys/arch/sgi/conf/GENERIC-IP30 +++ b/sys/arch/sgi/conf/GENERIC-IP30 @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC-IP30,v 1.58 2017/08/28 19:35:42 jasper Exp $ +# $OpenBSD: GENERIC-IP30,v 1.59 2019/12/17 13:08:56 reyk Exp $ # # THIS KERNEL IS FOR Octane and Octane 2 (IP30) SYSTEMS ONLY. # 
@@ -118,6 +118,7 @@ wskbd* at ukbd? mux 1 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support atu* at uhub? # Atmel AT76c50x based 802.11b aue* at uhub? # ADMtek AN986 Pegasus Ethernet axe* at uhub? # ASIX Electronics AX88172 USB Ethernet diff --git a/sys/arch/sgi/conf/GENERIC-IP32 b/sys/arch/sgi/conf/GENERIC-IP32 index 66e08ea58f2..4595a4eb60c 100644 --- a/sys/arch/sgi/conf/GENERIC-IP32 +++ b/sys/arch/sgi/conf/GENERIC-IP32 @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC-IP32,v 1.49 2017/08/28 19:35:42 jasper Exp $ +# $OpenBSD: GENERIC-IP32,v 1.50 2019/12/17 13:08:56 reyk Exp $ # # THIS KERNEL IS FOR O2 (IP32) SYSTEMS ONLY. # @@ -110,6 +110,7 @@ wskbd* at ukbd? mux 1 uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART ucom* at uslhcom? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support atu* at uhub? # Atmel AT76c50x based 802.11b aue* at uhub? # ADMtek AN986 Pegasus Ethernet axe* at uhub? # ASIX Electronics AX88172 USB Ethernet diff --git a/sys/arch/sgi/sgi/conf.c b/sys/arch/sgi/sgi/conf.c index c88b0a48c1f..062bdfc1974 100644 --- a/sys/arch/sgi/sgi/conf.c +++ b/sys/arch/sgi/sgi/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.39 2016/09/04 10:51:24 naddy Exp $ */ +/* $OpenBSD: conf.c,v 1.40 2019/12/17 13:08:56 reyk Exp $ */ /* * Copyright (c) 1992, 1993 @@ -119,6 +119,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -210,6 +211,7 @@ struct cdevsw cdevsw[] = cdev_fuse_init(NFUSE,fuse), /* 73: fuse */ cdev_tun_init(NTUN,tap), /* 74: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 75: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 76: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/arch/sparc64/conf/GENERIC b/sys/arch/sparc64/conf/GENERIC index 0809916040a..92c2157cde0 100644 
--- a/sys/arch/sparc64/conf/GENERIC +++ b/sys/arch/sparc64/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.313 2019/06/29 15:39:06 deraadt Exp $ +# $OpenBSD: GENERIC,v 1.314 2019/12/17 13:08:56 reyk Exp $ # # For further information on compiling OpenBSD kernels, see the config(8) # man page. @@ -223,6 +223,7 @@ ucom* at uslhcom? umsm* at uhub? # Qualcomm MSM EVDO ucom* at umsm? uhid* at uhidev? # USB generic HID support +fido* at uhidev? # FIDO/U2F security key support upd* at uhidev? # USB Power Devices sensors aue* at uhub? # ADMtek AN986 Pegasus Ethernet atu* at uhub? # Atmel AT76c50x based 802.11b diff --git a/sys/arch/sparc64/sparc64/conf.c b/sys/arch/sparc64/sparc64/conf.c index e0e45b7f9f4..f7afcfeab56 100644 --- a/sys/arch/sparc64/sparc64/conf.c +++ b/sys/arch/sparc64/sparc64/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.80 2016/09/04 11:59:50 naddy Exp $ */ +/* $OpenBSD: conf.c,v 1.81 2019/12/17 13:08:56 reyk Exp $ */ /* $NetBSD: conf.c,v 1.17 2001/03/26 12:33:26 lukem Exp $ */ /* @@ -103,6 +103,7 @@ cdev_decl(pci); #include "usb.h" #include "uhid.h" +#include "fido.h" #include "ugen.h" #include "ulpt.h" #include "ucom.h" @@ -292,6 +293,7 @@ struct cdevsw cdevsw[] = cdev_fuse_init(NFUSE,fuse), /* 134: fuse */ cdev_tun_init(NTUN,tap), /* 135: Ethernet network tunnel */ cdev_switch_init(NSWITCH,switch), /* 136: switch(4) control interface */ + cdev_fido_init(NFIDO,fido), /* 137: FIDO/U2F security key */ }; int nchrdev = nitems(cdevsw); diff --git a/sys/dev/hid/hid.h b/sys/dev/hid/hid.h index ea033b13887..17de4065e0c 100644 --- a/sys/dev/hid/hid.h +++ b/sys/dev/hid/hid.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hid.h,v 1.5 2016/09/12 09:10:05 mpi Exp $ */ +/* $OpenBSD: hid.h,v 1.6 2019/12/17 13:08:54 reyk Exp $ */ /* $NetBSD: hid.h,v 1.8 2002/07/11 21:14:25 augustss Exp $ */ /* $FreeBSD: src/sys/dev/usb/hid.h,v 1.7 1999/11/17 22:33:40 n_hibma Exp $ */ 
@@ -124,6 +124,7 @@ int hid_is_collection(const void *, int, uint8_t, int32_t); #define HUP_CAMERA_CONTROL 0x0090 #define HUP_ARCADE 0x0091 #define HUP_VENDOR 0x00ff +#define HUP_FIDO 0xf1d0 #define HUP_MICROSOFT 0xff00 /* XXX compat */ #define HUP_APPLE 0x00ff @@ -397,6 +398,11 @@ int hid_is_collection(const void *, int, uint8_t, int32_t); /* Usages, Consumer */ #define HUC_AC_PAN 0x0238 +/* Usages, FIDO */ +#define HUF_U2FHID 0x0001 +#define HUF_RAW_IN_DATA_REPORT 0x0020 +#define HUF_RAW_OUT_DATA_REPORT 0x0021 + #define HID_USAGE2(p, u) (((p) << 16) | u) #define HID_GET_USAGE(u) ((u) & 0xffff) #define HID_GET_USAGE_PAGE(u) (((u) >> 16) & 0xffff) diff --git a/sys/dev/usb/fido.c b/sys/dev/usb/fido.c new file mode 100644 index 00000000000..5d68cff520e --- /dev/null +++ b/sys/dev/usb/fido.c 
@@ -0,0 +1,92 @@
+/* $OpenBSD: fido.c,v 1.1 2019/12/17 13:08:54 reyk Exp $ */
+
+/*
+ * Copyright (c) 2019 Reyk Floeter <reyk@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/param.h>
+#include <sys/tty.h>
+#include <sys/conf.h>
+
+#include <dev/usb/usb.h>
+#include <dev/usb/usbhid.h>
+#include <dev/usb/usbdevs.h>
+#include <dev/usb/usbdi.h>
+#include <dev/usb/usbdi_util.h>
+
+#include <dev/usb/uhidev.h>
+#include <dev/usb/uhid.h>
+
+int fido_match(struct device *, void *, void *);
+
+struct cfdriver fido_cd = {
+ NULL, "fido", DV_DULL
+};
+
+const struct cfattach fido_ca = {
+ sizeof(struct uhid_softc),
+ fido_match,
+ uhid_attach,
+ uhid_detach,
+};
+
+int
+fido_match(struct device *parent, void *match, void *aux)
+{
+ struct uhidev_attach_arg *uha = (struct uhidev_attach_arg *)aux;
+ int size;
+ void *desc;
+ int ret = UMATCH_NONE;
+
+ if (uha->reportid == UHIDEV_CLAIM_ALLREPORTID)
+ return (ret);
+
+ /* Find the FIDO usage page and U2F collection */
+ uhidev_get_report_desc(uha->parent, &desc, &size);
+ if (hid_is_collection(desc, size, uha->reportid,
+ HID_USAGE2(HUP_FIDO, HUF_U2FHID)))
+ ret = UMATCH_IFACECLASS;
+
+ return (ret);
+}
+
+int
+fidoopen(dev_t dev, int flag, int mode, struct proc *p)
+{
+ return (uhid_do_open(dev, flag, mode, p));
+}
+ +int +fidoioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p) +{ + int error; + + switch (cmd) { + case FIONBIO: + case FIOASYNC: + case USB_GET_DEVICEINFO: + break; + default: + /* + * Users don't need USB/HID ioctl access to fido(4) devices + * but it can still be useful for debugging by root. + */ + if ((error = suser(p)) != 0) + return (error); + break; + } + + return (uhidioctl(dev, cmd, addr, flag, p)); +} diff --git a/sys/dev/usb/files.usb b/sys/dev/usb/files.usb index 2a68642a9a9..0f697127e92 100644 --- a/sys/dev/usb/files.usb +++ b/sys/dev/usb/files.usb @@ -1,4 +1,4 @@ -# $OpenBSD: files.usb,v 1.140 2019/07/09 05:43:03 kevlo Exp $ +# $OpenBSD: files.usb,v 1.141 2019/12/17 13:08:54 reyk Exp $ # $NetBSD: files.usb,v 1.16 2000/02/14 20:29:54 augustss Exp $ # # Config file and device description for machine-independent USB code. @@ -74,7 +74,12 @@ file dev/usb/uhidev.c uhidev # Generic HID devices device uhid: hid attach uhid at uhidbus -file dev/usb/uhid.c uhid needs-flag +file dev/usb/uhid.c uhid | fido needs-flag + +# FIDO/U2F security keys +device fido: hid +attach fido at uhidbus +file dev/usb/fido.c fido needs-flag # Keyboards file dev/usb/ukbdmap.c hidkbd diff --git a/sys/dev/usb/uhid.c b/sys/dev/usb/uhid.c index 28faca5d82d..7cc74837a88 100644 --- a/sys/dev/usb/uhid.c +++ b/sys/dev/usb/uhid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uhid.c,v 1.72 2019/11/27 11:16:59 mpi Exp $ */ +/* $OpenBSD: uhid.c,v 1.73 2019/12/17 13:08:54 reyk Exp $ */ /* $NetBSD: uhid.c,v 1.57 2003/03/11 16:44:00 augustss Exp $ */ /* @@ -35,6 +35,8 @@ * HID spec: http://www.usb.org/developers/devclass_docs/HID1_11.pdf */ +#include "fido.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/kernel.h> @@ -57,6 +59,7 @@ #include <dev/usb/usbdi_util.h> #include <dev/usb/uhidev.h> +#include <dev/usb/uhid.h> #ifdef UHID_DEBUG #define DPRINTF(x) do { if (uhiddebug) printf x; } while (0) 
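Review bot: The `switch` in `fidoioctl` is the only gate between unprivileged openers of the fido nodes (which the MAKEDEV change creates with mode 666) and the full uhid(4) ioctl surface. The three commands it lets through carry no comment explaining why they are safe to expose. I would add one above the first `case`, for example `/* allowed for all users: I/O mode flags and device info only */`, so that a later addition to the list is reviewed against that criterion. The existing comment on the `default` branch explains the root-only path well and can stay as it is.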
@@ -67,33 +70,7 @@ int uhiddebug = 0; #define DPRINTFN(n,x) #endif -struct uhid_softc { - struct uhidev sc_hdev; - - u_char *sc_obuf; - - struct clist sc_q; - struct selinfo sc_rsel; - u_char sc_state; /* driver state */ -#define UHID_ASLP 0x01 /* waiting for device data */ - - int sc_refcnt; -}; - -#define UHIDUNIT(dev) (minor(dev)) -#define UHID_CHUNK 128 /* chunk size for read */ -#define UHID_BSIZE 1020 /* buffer size */ - -void uhid_intr(struct uhidev *, void *, u_int len); - -int uhid_do_read(struct uhid_softc *, struct uio *uio, int); -int uhid_do_write(struct uhid_softc *, struct uio *uio, int); -int uhid_do_ioctl(struct uhid_softc*, u_long, caddr_t, int, - struct proc *); - -int uhid_match(struct device *, void *, void *); -void uhid_attach(struct device *, struct device *, void *); -int uhid_detach(struct device *, int); +int uhid_match(struct device *, void *, void *); struct cfdriver uhid_cd = { NULL, "uhid", DV_DULL @@ -106,6 +83,28 @@ const struct cfattach uhid_ca = { uhid_detach, }; +struct uhid_softc * +uhid_lookup(dev_t dev) +{ + struct uhid_softc *sc = NULL; + struct cdevsw *cdev; + struct cfdriver *cd; + + cdev = &cdevsw[major(dev)]; + if (cdev->d_open == uhidopen) + cd = &uhid_cd; +#if NFIDO > 0 + else if (cdev->d_open == fidoopen) + cd = &fido_cd; +#endif + else + return (NULL); + if (UHIDUNIT(dev) < cd->cd_ndevs) + sc = cd->cd_devs[UHIDUNIT(dev)]; + + return (sc); +} + int uhid_match(struct device *parent, void *match, void *aux) { @@ -201,13 +200,16 @@ uhid_intr(struct uhidev *addr, void *data, u_int len) int uhidopen(dev_t dev, int flag, int mode, struct proc *p) { + return (uhid_do_open(dev, flag, mode, p)); +} + +int +uhid_do_open(dev_t dev, int flag, int mode, struct proc *p) +{ struct uhid_softc *sc; int error; - if (UHIDUNIT(dev) >= uhid_cd.cd_ndevs) - return (ENXIO); - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; - if (sc == NULL) + if ((sc = uhid_lookup(dev)) == NULL) return (ENXIO); DPRINTF(("uhidopen: sc=%p\n", sc)); 
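Review bot: `uhid_lookup` indexes `cdevsw[major(dev)]` without comparing the major with `nchrdev`, and after this change it backs every uhid and fido entry point. Presumably the device layer has already dispatched on a valid major before any of these entry points run, so the access is likely in bounds, but that assumption is not stated anywhere in the function. Either note it in a comment such as `/* major(dev) is valid: we were reached through cdevsw[] */`, or add an explicit guard, `if (major(dev) >= nchrdev) return (NULL);`. A one-line comment saying that the cfdriver is selected by the registered open routine, because uhid(4) and fido(4) share the other entry points, would also help the next reader.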
@@ -231,7 +233,8 @@ uhidclose(dev_t dev, int flag, int mode, struct proc *p) { struct uhid_softc *sc; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); DPRINTF(("uhidclose: sc=%p\n", sc)); @@ -295,7 +298,8 @@ uhidread(dev_t dev, struct uio *uio, int flag) struct uhid_softc *sc; int error; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); sc->sc_refcnt++; error = uhid_do_read(sc, uio, flag); @@ -317,9 +321,13 @@ uhid_do_write(struct uhid_softc *sc, struct uio *uio, int flag) size = sc->sc_hdev.sc_osize; error = 0; - if (uio->uio_resid != size) - return (EINVAL); - error = uiomove(sc->sc_obuf, size, uio); + if (uio->uio_resid > size) + return (EMSGSIZE); + else if (uio->uio_resid < size) { + /* don't leak kernel memory to the USB device */ + memset(sc->sc_obuf + uio->uio_resid, 0, size - uio->uio_resid); + } + error = uiomove(sc->sc_obuf, uio->uio_resid, uio); if (!error) { if (uhidev_set_report(sc->sc_hdev.sc_parent, UHID_OUTPUT_REPORT, sc->sc_hdev.sc_report_id, sc->sc_obuf, @@ -336,7 +344,8 @@ uhidwrite(dev_t dev, struct uio *uio, int flag) struct uhid_softc *sc; int error; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); sc->sc_refcnt++; error = uhid_do_write(sc, uio, flag); @@ -386,7 +395,8 @@ uhidioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p) struct uhid_softc *sc; int error; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); sc->sc_refcnt++; error = uhid_do_ioctl(sc, cmd, addr, flag, p); @@ -402,7 +412,8 @@ uhidpoll(dev_t dev, int events, struct proc *p) int revents = 0; int s; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); if (usbd_is_dying(sc->sc_hdev.sc_udev)) return (POLLERR); 
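Review bot: The new NULL check in `uhidpoll` returns `ENXIO`, but a poll entry point returns an event mask, as the `return (POLLERR);` directly below it shows. An errno value returned here would be interpreted as ready-event bits instead of a failure. The lookup failure should use `return (POLLERR);` as well. The same check added to uhidclose, uhidread, uhidwrite, uhidioctl and uhidkqfilter returns an errno, which fits those entry points. uhidpoll's body continues outside the hunk.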
@@ -458,7 +469,8 @@ uhidkqfilter(dev_t dev, struct knote *kn) struct klist *klist; int s; - sc = uhid_cd.cd_devs[UHIDUNIT(dev)]; + if ((sc = uhid_lookup(dev)) == NULL) + return (ENXIO); if (usbd_is_dying(sc->sc_hdev.sc_udev)) return (EIO); diff --git a/sys/dev/usb/uhid.h b/sys/dev/usb/uhid.h new file mode 100644 index 00000000000..9b46dfc344f --- /dev/null +++ b/sys/dev/usb/uhid.h 
@@ -0,0 +1,64 @@
+/* $OpenBSD: uhid.h,v 1.1 2019/12/17 13:08:54 reyk Exp $ */
+/* $NetBSD: uhid.c,v 1.57 2003/03/11 16:44:00 augustss Exp $ */
+
+/*
+ * Copyright (c) 1998 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Lennart Augustsson (lennart@augustsson.net) at
+ * Carlstedt Research & Technology.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */ + +#ifdef _KERNEL + +struct uhid_softc { + struct uhidev sc_hdev; + + u_char *sc_obuf; + + struct clist sc_q; + struct selinfo sc_rsel; + u_char sc_state; /* driver state */ +#define UHID_ASLP 0x01 /* waiting for device data */ + + int sc_refcnt; +}; + +extern struct cfdriver uhid_cd; +extern struct cfdriver fido_cd; + +#define UHIDUNIT(dev) (minor(dev)) +#define UHID_CHUNK 128 /* chunk size for read */ +#define UHID_BSIZE 1020 /* buffer size */ + +void uhid_intr(struct uhidev *, void *, u_int); +struct uhid_softc *uhid_lookup(dev_t); + +int uhid_do_open(dev_t, int, int, struct proc *); + +void uhid_attach(struct device *, struct device *, void *); +int uhid_detach(struct device *, int); + +#endif /* _KERNEL */ diff --git a/sys/sys/conf.h b/sys/sys/conf.h index 48118f7f670..b43c8374fa5 100644 --- a/sys/sys/conf.h +++ b/sys/sys/conf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.h,v 1.145 2018/08/31 04:20:37 visa Exp $ */ +/* $OpenBSD: conf.h,v 1.146 2019/12/17 13:08:54 reyk Exp $ */ /* $NetBSD: conf.h,v 1.33 1996/05/03 20:03:32 christos Exp $ */ /*- @@ -376,6 +376,13 @@ extern struct cdevsw cdevsw[]; 0, dev_init(c,n,poll), (dev_type_mmap((*))) enodev, 0, 0, \ dev_init(c,n,kqfilter) } +/* open, close, read, write, ioctl, poll, kqfilter */ +#define cdev_fido_init(c,n) { \ + dev_init(c,n,open), dev_init(c,uhid,close), dev_init(c,uhid,read), \ + dev_init(c,uhid,write), dev_init(c,fido,ioctl), \ + (dev_type_stop((*))) enodev, 0, dev_init(c,uhid,poll), \ + (dev_type_mmap((*))) enodev, 0, 0, dev_init(c,uhid,kqfilter) } + /* open, close, init */ #define cdev_pci_init(c,n) { \ dev_init(c,n,open), dev_init(c,n,close), (dev_type_read((*))) enodev, \ @@ -604,6 +611,7 @@ cdev_decl(bktr); cdev_decl(usb); cdev_decl(ugen); cdev_decl(uhid); +cdev_decl(fido); cdev_decl(ucom); cdev_decl(ulpt); cdev_decl(urio); |
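Review bot: The new uhid.h has no include guard and includes nothing itself, although `struct uhid_softc` embeds `struct uhidev`, `struct clist` and `struct selinfo` by value. It therefore compiles only when the including file has already brought in the headers that define those types, which fido.c and uhid.c appear to rely on through their include order. Consider wrapping the header in a guard (`#ifndef _DEV_USB_UHID_H_` / `#define _DEV_USB_UHID_H_`) and adding a short comment that lists the headers it expects to be included first.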