authorReyk Floeter <reyk@cvs.openbsd.org>2019-12-17 13:08:57 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2019-12-17 13:08:57 +0000
commit93c5a80cd9505a17528ed97b6fc75b8a12a2adc6 (patch)
treeb744b8472950e501afef29498928e14ae3b24652 /sys/arch/sgi
parent3a713a9a6753ac8aa6d5e955f64f8b47b79e516a (diff)
Add fido(4), a HID driver for FIDO/U2F security keys
While FIDO/U2F keys were already supported by the generic uhid(4) driver, this driver adds the first step to tighten the security of FIDO/U2F access. Specifically, users don't need read/write access to all USB/HID devices anymore and the driver also improves integration with pledge(2) and unveil(2): It is pledge-friendly because it doesn't require any ioctls to discover the device and unveil-friendly because it uses a single /dev/fido/* directory for its device nodes. It also allows to support FIDO/U2F in firefox without further weakening the "sandbox" of the browser. Firefox does not have a proper privsep design and many operations, such as U2F access, are handled directly by the main process. This means that the browser's "fat" main process needs direct read/write access to all USB HID devices, at least on other operating systems. With fido(4) we can support security keys in Firefox under OpenBSD without such a compromise. With this change, libfido2 stops using the ioctl to query the device vendor/product and just assumes "OpenBSD" "fido(4)" instead. The ioctl is still supported but there was no benefit in obtaining the vendor product or name; it also allows to use libfido2 under pledge. With feedback from deraadt@ and many others OK kettenis@ djm@ and jmc@ for the manpage bits
Diffstat (limited to 'sys/arch/sgi')
-rw-r--r--sys/arch/sgi/conf/GENERIC-IP273
-rw-r--r--sys/arch/sgi/conf/GENERIC-IP303
-rw-r--r--sys/arch/sgi/conf/GENERIC-IP323
-rw-r--r--sys/arch/sgi/sgi/conf.c4
4 files changed, 9 insertions, 4 deletions
diff --git a/sys/arch/sgi/conf/GENERIC-IP27 b/sys/arch/sgi/conf/GENERIC-IP27
index b171707b98a..af6d1b4f057 100644
--- a/sys/arch/sgi/conf/GENERIC-IP27
+++ b/sys/arch/sgi/conf/GENERIC-IP27
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC-IP27,v 1.65 2017/08/28 19:35:42 jasper Exp $
+# $OpenBSD: GENERIC-IP27,v 1.66 2019/12/17 13:08:56 reyk Exp $
#
# THIS KERNEL IS FOR Origin, Onyx, Fuel, Tezro (IP27, IP35) SYSTEMS ONLY.
#
@@ -127,6 +127,7 @@ wskbd* at ukbd? mux 1
uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART
ucom* at uslhcom?
uhid* at uhidev? # USB generic HID support
+fido* at uhidev? # FIDO/U2F security key support
atu* at uhub? # Atmel AT76c50x based 802.11b
aue* at uhub? # ADMtek AN986 Pegasus Ethernet
axe* at uhub? # ASIX Electronics AX88172 USB Ethernet
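Review bot: The added `fido* at uhidev?` line sits directly beside the existing `uhid* at uhidev?`, and nothing in this hunk shows which driver attaches when a FIDO/U2F key is plugged in; the identical additions in GENERIC-IP30 and GENERIC-IP32 raise the same question. The tightening described in the commit message only holds if fido(4) claims the key ahead of uhid(4) and the key is not also reachable through a /dev/uhid* node. That match logic is outside this page (the diffstat is limited to sys/arch/sgi), so it should be confirmed in the driver. Once it is confirmed, the config comment could say so, e.g. `fido* at uhidev? # FIDO/U2F security keys (attached in preference to uhid)`.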
diff --git a/sys/arch/sgi/conf/GENERIC-IP30 b/sys/arch/sgi/conf/GENERIC-IP30
index 09f27c50888..071d7babf95 100644
--- a/sys/arch/sgi/conf/GENERIC-IP30
+++ b/sys/arch/sgi/conf/GENERIC-IP30
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC-IP30,v 1.58 2017/08/28 19:35:42 jasper Exp $
+# $OpenBSD: GENERIC-IP30,v 1.59 2019/12/17 13:08:56 reyk Exp $
#
# THIS KERNEL IS FOR Octane and Octane 2 (IP30) SYSTEMS ONLY.
#
@@ -118,6 +118,7 @@ wskbd* at ukbd? mux 1
uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART
ucom* at uslhcom?
uhid* at uhidev? # USB generic HID support
+fido* at uhidev? # FIDO/U2F security key support
atu* at uhub? # Atmel AT76c50x based 802.11b
aue* at uhub? # ADMtek AN986 Pegasus Ethernet
axe* at uhub? # ASIX Electronics AX88172 USB Ethernet
diff --git a/sys/arch/sgi/conf/GENERIC-IP32 b/sys/arch/sgi/conf/GENERIC-IP32
index 66e08ea58f2..4595a4eb60c 100644
--- a/sys/arch/sgi/conf/GENERIC-IP32
+++ b/sys/arch/sgi/conf/GENERIC-IP32
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC-IP32,v 1.49 2017/08/28 19:35:42 jasper Exp $
+# $OpenBSD: GENERIC-IP32,v 1.50 2019/12/17 13:08:56 reyk Exp $
#
# THIS KERNEL IS FOR O2 (IP32) SYSTEMS ONLY.
#
@@ -110,6 +110,7 @@ wskbd* at ukbd? mux 1
uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART
ucom* at uslhcom?
uhid* at uhidev? # USB generic HID support
+fido* at uhidev? # FIDO/U2F security key support
atu* at uhub? # Atmel AT76c50x based 802.11b
aue* at uhub? # ADMtek AN986 Pegasus Ethernet
axe* at uhub? # ASIX Electronics AX88172 USB Ethernet
diff --git a/sys/arch/sgi/sgi/conf.c b/sys/arch/sgi/sgi/conf.c
index c88b0a48c1f..062bdfc1974 100644
--- a/sys/arch/sgi/sgi/conf.c
+++ b/sys/arch/sgi/sgi/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.39 2016/09/04 10:51:24 naddy Exp $ */
+/* $OpenBSD: conf.c,v 1.40 2019/12/17 13:08:56 reyk Exp $ */
/*
* Copyright (c) 1992, 1993
@@ -119,6 +119,7 @@ cdev_decl(pci);
#include "usb.h"
#include "uhid.h"
+#include "fido.h"
#include "ugen.h"
#include "ulpt.h"
#include "ucom.h"
@@ -210,6 +211,7 @@ struct cdevsw cdevsw[] =
cdev_fuse_init(NFUSE,fuse), /* 73: fuse */
cdev_tun_init(NTUN,tap), /* 74: Ethernet network tunnel */
cdev_switch_init(NSWITCH,switch), /* 75: switch(4) control interface */
+ cdev_fido_init(NFIDO,fido), /* 76: FIDO/U2F security key */
};
int nchrdev = nitems(cdevsw);
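Review bot: The `/* 76: ... */` comment on the added `cdev_fido_init(NFIDO,fido)` entry is the only record of the character-device major, and `cdevsw[]` is positional, so the number is right only while this entry stays immediately after index 75. The /dev/fido/* nodes that the commit message relies on for unveil(2) have to be created with this same major and with permissions narrower than the generic HID nodes. The MAKEDEV side for sgi is not part of this diff, so it is worth checking that it uses 76. `NFIDO` presumably comes from the `#include "fido.h"` added in the previous hunk; what the entry becomes when fido is not configured depends on the `cdev_fido_init` macro, which is defined outside this page. The start of the `cdevsw[]` initializer also lies outside the hunk.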