From 2cfe4aa48239363143b2653ebd4996a3beaf65ec Mon Sep 17 00:00:00 2001 
From: reyk <> Date: Tue, 17 Dec 2019 13:08:56 +0000 Subject: [PATCH] Add fido(4), a HID driver for FIDO/U2F security keys While FIDO/U2F keys were already supported by the generic uhid(4) driver, this driver adds the first step to tighten the security of FIDO/U2F access. Specifically, users don't need read/write access to all USB/HID devices anymore and the driver also improves integration with pledge(2) and unveil(2): It is pledge-friendly because it doesn't require any ioctls to discover the device and unveil-friendly because it uses a single /dev/fido/* directory for its device nodes. It also allows to support FIDO/U2F in firefox without further weakening the "sandbox" of the browser. Firefox does not have a proper privsep design and many operations, such as U2F access, are handled directly by the main process. This means that the browser's "fat" main process needs direct read/write access to all USB HID devices, at least on other operating systems. With fido(4) we can support security keys in Firefox under OpenBSD without such a compromise. With this change, libfido2 stops using the ioctl to query the device vendor/product and just assumes "OpenBSD" "fido(4)" instead. The ioctl is still supported but there was no benefit in obtaining the vendor product or name; it also allows to use libfido2 under pledge. With feedback from deraadt@ and many others OK kettenis@ djm@ and jmc@ for the manpage bits --- src/etc/MAKEDEV.common | 7 ++++++- src/etc/etc.alpha/MAKEDEV.md | 3 ++- src/etc/etc.amd64/MAKEDEV.md | 3 ++- src/etc/etc.arm64/MAKEDEV.md | 3 ++- src/etc/etc.armv7/MAKEDEV.md | 3 ++- src/etc/etc.hppa/MAKEDEV.md | 3 ++- src/etc/etc.i386/MAKEDEV.md | 3 ++- src/etc/etc.landisk/MAKEDEV.md | 3 ++- src/etc/etc.loongson/MAKEDEV.md | 3 ++- src/etc/etc.macppc/MAKEDEV.md | 3 ++- src/etc/etc.octeon/MAKEDEV.md | 4 +++- src/etc/etc.sgi/MAKEDEV.md | 3 ++- src/etc/etc.sparc64/MAKEDEV.md | 3 ++- 13 files changed, 31 insertions(+), 13 deletions(-) 
diff --git a/src/etc/MAKEDEV.common b/src/etc/MAKEDEV.common index bd611225..c726bfe8 100644 --- a/src/etc/MAKEDEV.common +++ b/src/etc/MAKEDEV.common @@ -1,4 +1,4 @@ -vers(a, {-$OpenBSD: MAKEDEV.common,v 1.105 2019/12/14 05:05:46 deraadt Exp $-})dnl +vers(a, {-$OpenBSD: MAKEDEV.common,v 1.106 2019/12/17 13:08:54 reyk Exp $-})dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries dnl @@ -177,6 +177,7 @@ __devitem(ramdisk, ramdisk, Ramdisk kernel devices,nothing)dnl dnl target(usb, usb, 0, 1, 2, 3, 4, 5, 6, 7)dnl target(usb, uhid, 0, 1, 2, 3, 4, 5, 6, 7)dnl +twrget(usb, fido, fido)dnl target(usb, ulpt, 0, 1)dnl target(usb, ugen, 0, 1, 2, 3, 4, 5, 6, 7)dnl target(usb, ttyU, 0, 1, 2, 3)dnl @@ -357,6 +358,10 @@ _mkdev({-usb-}, usb*, {-[ "$i" = "usb" ] && u= || u=$U M usb$u c major_usb_c $U 640-})dnl __devitem(uhid, uhid*, Generic HID devices)dnl _mcdev({-uhid-}, uhid*, {-uhid-}, {-major_uhid_c-}, 600)dnl +__devitem(fido, fido, fido/* nodes, fd)dnl +_mkdev(fido, fido, {-RMlist[${#RMlist[*]}]=";mkdir -p fido;rm -f" n=0 + while [ $n -lt 4 ];do M fido/$n c major_fido_c $n 666;n=Add($n, 1);done + MKlist[${#MKlist[*]}]=";chmod 555 fido"-})dnl __devitem(ulpt, ulpt*, Printer devices)dnl _mcdev({-ulpt-}, ulpt*, {-ulpt-}, {-major_ulpt_c-}, 600)dnl __devitem(ttyU, ttyU*, USB serial ports,ucom)dnl diff --git a/src/etc/etc.alpha/MAKEDEV.md b/src/etc/etc.alpha/MAKEDEV.md index 6fad20b0..67ef7d40 100644 --- a/src/etc/etc.alpha/MAKEDEV.md +++ b/src/etc/etc.alpha/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,alpha)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.71 2017/11/02 14:04:24 mpi Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.72 2019/12/17 13:08:54 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries @@ -55,6 +55,7 @@ _DEV(ttyU, 49) _DEV(uall) _DEV(ugen, 48) _DEV(uhid, 46) +_DEV(fido, 70) _DEV(ulpt, 47) _DEV(usb, 45) _TITLE(spec) diff --git a/src/etc/etc.amd64/MAKEDEV.md b/src/etc/etc.amd64/MAKEDEV.md index c2a2c83b..f46b52bd 100644 --- a/src/etc/etc.amd64/MAKEDEV.md 
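Review bot: The `_mkdev(fido, ...)` body creates `fido/0` through `fido/3` with mode 666, while the neighbouring `uhid*` and `ulpt*` nodes are 600, and nothing next to it records why world read/write is acceptable here. The commit message gives the rationale (fido(4) is a driver for FIDO/U2F keys, so programs no longer need access to every HID device), but someone editing this file later will not see it. A line such as `dnl fido/N is mode 666 on purpose: fido(4) exposes FIDO/U2F keys only` before `__devitem(fido` would keep the mode from being copied to other devices or quietly tightened back to 600. The loop bound `4` is a bare constant and could be explained in the same comment. Separately, the fourth `__devitem` argument is `fd`; judging by `ucom` on the `ttyU` line in the same hunk, that slot looks like a manual page name, so `fd` may be a leftover from the `fd/*` entry and should probably read `fido`.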
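Review bot: `_DEV(fido, 70)` binds the new nodes to a character major number, and the other hunks do the same with 98 on amd64, arm64 and i386, 106 on armv7 and landisk, 61 on hppa, 88 on loongson, 90 on macppc, 76 on octeon and sgi, and 137 on sparc64. The diffstat lists only files under src/etc, so the kernel-side device switch entries these numbers must match are not part of this patch. Because MAKEDEV.common creates the nodes with mode 666, a number that disagrees with the kernel on any one architecture would leave every local user with a read/write node for whichever driver owns that major there. Each value should be checked against that architecture's character device switch table, and the commit message could name the kernel change it pairs with.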
+++ b/src/etc/etc.amd64/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,amd64)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.71 2019/12/13 21:03:57 deraadt Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.72 2019/12/17 13:08:54 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries @@ -59,6 +59,7 @@ _DEV(ttyU, 66) _DEV(uall) _DEV(ugen, 63) _DEV(uhid, 62) +_DEV(fido, 98) _DEV(ulpt, 64) _DEV(usb, 61) _TITLE(spec) diff --git a/src/etc/etc.arm64/MAKEDEV.md b/src/etc/etc.arm64/MAKEDEV.md index cff1dec0..a1687f0a 100644 --- a/src/etc/etc.arm64/MAKEDEV.md +++ b/src/etc/etc.arm64/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,arm64)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.3 2018/08/20 16:07:39 kettenis Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.4 2019/12/17 13:08:55 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries @@ -51,6 +51,7 @@ _DEV(ttyU, 66) _DEV(uall) _DEV(ugen, 63) _DEV(uhid, 62) +_DEV(fido, 98) _DEV(ulpt, 64) _DEV(usb, 61) _TITLE(spec) diff --git a/src/etc/etc.armv7/MAKEDEV.md b/src/etc/etc.armv7/MAKEDEV.md index 9f1d9446..f6db282b 100644 --- a/src/etc/etc.armv7/MAKEDEV.md +++ b/src/etc/etc.armv7/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,armv7)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.14 2016/09/04 15:38:59 naddy Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.15 2019/12/17 13:08:55 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2004 Todd T. Fries @@ -60,6 +60,7 @@ _DEV(ttyU, 68) _DEV(uall) _DEV(ugen, 70) _DEV(uhid, 65) +_DEV(fido, 106) _DEV(ulpt, 66) _DEV(usb, 64) _TITLE(spec) diff --git a/src/etc/etc.hppa/MAKEDEV.md b/src/etc/etc.hppa/MAKEDEV.md index 2c8ce6f3..0539e0c6 100644 --- a/src/etc/etc.hppa/MAKEDEV.md +++ b/src/etc/etc.hppa/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,hppa)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.60 2016/09/04 15:38:59 naddy Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.61 2019/12/17 13:08:55 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries 
@@ -53,6 +53,7 @@ _TITLE(usb) _DEV(uall) _DEV(usb, 40) _DEV(uhid, 41) +_DEV(fido, 61) _DEV(ugen, 42) _DEV(ulpt, 43) _DEV(ttyU, 45) diff --git a/src/etc/etc.i386/MAKEDEV.md b/src/etc/etc.i386/MAKEDEV.md index 953d6027..ea3ff278 100644 --- a/src/etc/etc.i386/MAKEDEV.md +++ b/src/etc/etc.i386/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,i386)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.86 2019/12/13 21:03:57 deraadt Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.87 2019/12/17 13:08:55 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries @@ -60,6 +60,7 @@ _DEV(ttyU, 66) _DEV(uall) _DEV(ugen, 63) _DEV(uhid, 62) +_DEV(fido, 98) _DEV(ulpt, 64) _DEV(usb, 61) _TITLE(spec) diff --git a/src/etc/etc.landisk/MAKEDEV.md b/src/etc/etc.landisk/MAKEDEV.md index f2c3660a..50519cee 100644 --- a/src/etc/etc.landisk/MAKEDEV.md +++ b/src/etc/etc.landisk/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,landisk)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.43 2016/09/11 19:59:53 deraadt Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.44 2019/12/17 13:08:55 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2004 Todd T. Fries @@ -64,6 +64,7 @@ _DEV(ttyU, 68) _DEV(uall) _DEV(ugen, 70) _DEV(uhid, 65) +_DEV(fido, 106) _DEV(ulpt, 66) _DEV(usb, 64) _TITLE(spec) diff --git a/src/etc/etc.loongson/MAKEDEV.md b/src/etc/etc.loongson/MAKEDEV.md index 1dabb4d8..606c9233 100644 --- a/src/etc/etc.loongson/MAKEDEV.md +++ b/src/etc/etc.loongson/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,loongson)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.27 2017/05/21 13:00:53 visa Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.28 2019/12/17 13:08:56 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries @@ -59,6 +59,7 @@ _DEV(ttyU, 66) _DEV(uall) _DEV(ugen, 63) _DEV(uhid, 62) +_DEV(fido, 88) _DEV(ulpt, 64) _DEV(usb, 61) _TITLE(spec) diff --git a/src/etc/etc.macppc/MAKEDEV.md b/src/etc/etc.macppc/MAKEDEV.md index 5fbed029..f5850469 100644 --- a/src/etc/etc.macppc/MAKEDEV.md 
+++ b/src/etc/etc.macppc/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,macppc)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.70 2016/09/11 19:59:53 deraadt Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.71 2019/12/17 13:08:56 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries @@ -69,6 +69,7 @@ _DEV(uall) _DEV(ttyU, 66) _DEV(ugen, 63) _DEV(uhid, 62) +_DEV(fido, 90) _DEV(ulpt, 64) _DEV(usb, 61) _TITLE(spec) diff --git a/src/etc/etc.octeon/MAKEDEV.md b/src/etc/etc.octeon/MAKEDEV.md index 173fb019..c192f0c1 100644 --- a/src/etc/etc.octeon/MAKEDEV.md +++ b/src/etc/etc.octeon/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,octeon)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.14 2019/07/17 14:36:31 visa Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.15 2019/12/17 13:08:56 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries @@ -65,6 +65,8 @@ _TITLE(usb) _DEV(ttyU, 66) _DEV(uall) _DEV(usb, 61) +_DEV(uhid, 62) +_DEV(fido, 76) _TITLE(spec) _DEV(au, 44) _DEV(bio, 49) diff --git a/src/etc/etc.sgi/MAKEDEV.md b/src/etc/etc.sgi/MAKEDEV.md index 69b4280e..74a566f5 100644 --- a/src/etc/etc.sgi/MAKEDEV.md +++ b/src/etc/etc.sgi/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,sgi)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.49 2016/09/11 19:59:54 deraadt Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.50 2019/12/17 13:08:56 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries @@ -68,6 +68,7 @@ _DEV(ttyU, 66) _DEV(uall) _DEV(ugen, 63) _DEV(uhid, 62) +_DEV(fido, 76) _DEV(ulpt, 64) _DEV(usb, 61) _TITLE(spec) diff --git a/src/etc/etc.sparc64/MAKEDEV.md b/src/etc/etc.sparc64/MAKEDEV.md index 037a3840..125eaa88 100644 --- a/src/etc/etc.sparc64/MAKEDEV.md +++ b/src/etc/etc.sparc64/MAKEDEV.md @@ -1,6 +1,6 @@ define(MACHINE,sparc64)dnl vers(__file__, - {-$OpenBSD: MAKEDEV.md,v 1.88 2019/10/20 16:31:10 kettenis Exp $-}, + {-$OpenBSD: MAKEDEV.md,v 1.89 2019/12/17 13:08:56 reyk Exp $-}, etc.MACHINE)dnl dnl dnl Copyright (c) 2001-2006 Todd T. Fries 
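Review bot: The octeon hunk adds `_DEV(uhid, 62)` next to `_DEV(fido, 76)`, and it is the only architecture in this patch where the uhid entry is an added line rather than context; the commit message describes only fido(4). If octeon was simply missing uhid nodes, that is a separate fix and deserves its own line in the log, for example `Also add the missing uhid entry on octeon.` As with the fido majors, 62 should be confirmed against the octeon kernel's character device table, which this patch does not show.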
@@ -103,6 +103,7 @@ _DEV(ttyU, 95) _DEV(uall) _DEV(ugen, 92) _DEV(uhid, 91) +_DEV(fido, 137) _DEV(ulpt, 93) _DEV(usb, 90) _TITLE(spec)