From 93c5a80cd9505a17528ed97b6fc75b8a12a2adc6 Mon Sep 17 00:00:00 2001 From: Reyk Floeter Date: Tue, 17 Dec 2019 13:08:57 +0000 Subject: Add fido(4), a HID driver for FIDO/U2F security keys While FIDO/U2F keys were already supported by the generic uhid(4) driver, this driver adds the first step to tighten the security of FIDO/U2F access. Specifically, users don't need read/write access to all USB/HID devices anymore and the driver also improves integration with pledge(2) and unveil(2): It is pledge-friendly because it doesn't require any ioctls to discover the device and unveil-friendly because it uses a single /dev/fido/* directory for its device nodes. It also allows to support FIDO/U2F in firefox without further weakening the "sandbox" of the browser. Firefox does not have a proper privsep design and many operations, such as U2F access, are handled directly by the main process. This means that the browser's "fat" main process needs direct read/write access to all USB HID devices, at least on other operating systems. With fido(4) we can support security keys in Firefox under OpenBSD without such a compromise. With this change, libfido2 stops using the ioctl to query the device vendor/product and just assumes "OpenBSD" "fido(4)" instead. The ioctl is still supported but there was no benefit in obtaining the vendor product or name; it also allows to use libfido2 under pledge. With feedback from deraadt@ and many others OK kettenis@ djm@ and jmc@ for the manpage bits --- etc/etc.sparc64/MAKEDEV.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'etc/etc.sparc64/MAKEDEV.md') diff --git a/etc/etc.sparc64/MAKEDEV.md b/etc/etc.sparc64/MAKEDEV.md index 037a3840aed..125eaa882b9 100644 --- a/etc/etc.sparc64/MAKEDEV.md +++ b/etc/etc.sparc64/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,sparc64)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.88 2019/10/20 16:31:10 kettenis Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.89 2019/12/17 13:08:56 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries @@ -103,6 +103,7 @@ _DEV(ttyU, 95) _DEV(uall) _DEV(ugen, 92) _DEV(uhid, 91) +_DEV(fido, 137) _DEV(ulpt, 93) _DEV(usb, 90) _TITLE(spec) -- cgit v1.2.3