QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Support for USB composite (HID/U2F) devices via sys-usb #5287

Closed euidzero closed 2 years ago

euidzero commented 5 years ago

The problem you're addressing (if any) I'd like to use an OnlyKey simultaneously as a keyboard in dom0 and as U2F in sys-usb with the U2F proxy. OnlyKey is a composite USB device (single endpoint exposed).

Describe the solution you'd like I guess some changes around the current U2F and keyboard proxies could work.

Where is the value to a user, and who might that user be? OnlyKey is a powerful open-source security hardware device. One of its main strengths is the ability to input prerecorded passwords by faking keyboard input. This allows avoiding a complicated setup (like challenge-response configuration) to secure the input of the LUKS passphrase and the initial user password. Thus any user could benefit from this implementation.

Describe alternatives you've considered Having two physical keys (one U2F, one HID keyboard) defeats the purpose of the OnlyKey.

Attaching the OnlyKey to a single VM disables the keyboard input in all the others.

Relevant documentation you've consulted Check the discussion on the qubes-users group.

OnlyKey with qubes documentation

Qubes U2F proxy

Qubes keyboard proxy

Related, non-duplicate issues

marmarek commented 4 years ago

Can you provide lsusb -v output of that OnlyKey? And kernel messages appearing in sys-usb after plugging it in?

euidzero commented 4 years ago

lsuab-v.txt

Kernel:

[ 4683.410137] usb 2-2: new full-speed USB device number 7 using xhci_hcd
[ 4683.536828] usb 2-2: New USB device found, idVendor=1d50, idProduct=60fc, bcdDevice= 1.00
[ 4683.536854] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 4683.536875] usb 2-2: Product: ONLYKEY
[ 4683.536886] usb 2-2: Manufacturer: CRYPTOTRUST
[ 4683.536900] usb 2-2: SerialNumber: 4294967295
[ 4683.538700] input: CRYPTOTRUST ONLYKEY as /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/0003:1D50:60FC.0003/input/input12
[ 4683.590358] hid-generic 0003:1D50:60FC.0003: input,hidraw1: USB HID v1.11 Keyboard [CRYPTOTRUST ONLYKEY] on usb-0000:00:06.0-2/input0
[ 4683.591642] hid-generic 0003:1D50:60FC.0004: hiddev96,hidraw2: USB HID v1.11 Device [CRYPTOTRUST ONLYKEY] on usb-0000:00:06.0-2/input1
[ 4683.766371] audit: type=1130 audit(1576485537.437:182): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=qubes-input-sender-keyboard@event8 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success

marmarek commented 4 years ago

[ 4683.590358] hid-generic 0003:1D50:60FC.0003: input,hidraw1: USB HID v1.11 Keyboard [CRYPTOTRUST ONLYKEY] on usb-0000:00:06.0-2/input0
[ 4683.591642] hid-generic 0003:1D50:60FC.0004: hiddev96,hidraw2: USB HID v1.11 Device [CRYPTOTRUST ONLYKEY] on usb-0000:00:06.0-2/input1

Ok, so it does provide separate interfaces for keyboard and other functions. Input proxy is started as expected. U2F proxy should be able to use the other interface. Maybe the issue is somewhere in U2F proxy?

Setup U2F proxy according to documentation and then enable debugging by creating empty file /etc/qubes/u2f-debug-enable in sys-usb. And see what happens.
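The point marmarek makes above (one composite device, two hid-generic bindings: a Keyboard interface with an `input` handler that the Qubes input proxy takes, and a second raw HID interface left on its own hidraw node for the U2F proxy) can be checked mechanically from the kernel log. The script below is an added example, not code from the issue or from Qubes; it parses the hid-generic lines quoted in this thread (OnlyKey and SoloKey) and reports, per VID:PID, which interfaces are keyboard-class and which remain available as plain hidraw. The function names and the "keyboard vs. other" classification rule are my own.

```python
import re

# Kernel lines as quoted in this issue (OnlyKey and SoloKey hid-generic bindings),
# plus two usb-core lines to show that non-HID lines are ignored.
SAMPLE_DMESG = """\
[ 4683.410137] usb 2-2: new full-speed USB device number 7 using xhci_hcd
[ 4683.536828] usb 2-2: New USB device found, idVendor=1d50, idProduct=60fc, bcdDevice= 1.00
[ 4683.590358] hid-generic 0003:1D50:60FC.0003: input,hidraw1: USB HID v1.11 Keyboard [CRYPTOTRUST ONLYKEY] on usb-0000:00:06.0-2/input0
[ 4683.591642] hid-generic 0003:1D50:60FC.0004: hiddev96,hidraw2: USB HID v1.11 Device [CRYPTOTRUST ONLYKEY] on usb-0000:00:06.0-2/input1
[51751.791950] hid-generic 0003:0483:A2CA.0019: hiddev96,hidraw1: USB HID v1.11 Device [SoloKeys Solo 3.0.0] on usb-0000:00:06.0-2/input0
"""

# Shape of a hid-generic binding line: bus:VID:PID.instance, handler list,
# HID version, device class word (Keyboard/Mouse/Device), name, sysfs-ish path.
HID_LINE = re.compile(
    r"hid-generic (?P<bus>[0-9A-Fa-f]{4}):(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})"
    r"\.(?P<inst>[0-9A-Fa-f]+): (?P<handlers>[^:]+): USB HID v(?P<ver>[\d.]+) "
    r"(?P<kind>\S+) \[(?P<name>[^\]]+)\] on (?P<path>\S+)"
)


def parse_hid_interfaces(text):
    """Return one dict per hid-generic binding found in the kernel log text."""
    interfaces = []
    for line in text.splitlines():
        m = HID_LINE.search(line)
        if not m:
            continue  # usb-core, audit and other lines carry no HID binding
        handlers = m["handlers"].split(",")
        hidraw = next((h for h in handlers if h.startswith("hidraw")), None)
        interfaces.append({
            "vid": m["vid"].upper(), "pid": m["pid"].upper(),
            "name": m["name"], "kind": m["kind"],
            "handlers": handlers, "hidraw": hidraw, "path": m["path"],
        })
    return interfaces


def summarize_devices(interfaces):
    """Group interfaces by VID:PID and sort each into 'keyboard' or 'other'.

    A Keyboard-class interface with an 'input' handler is what the Qubes input
    proxy claims; anything else is reachable only through its hidraw node,
    which is the interface a U2F proxy would open.
    """
    devices = {}
    for iface in interfaces:
        key = (iface["vid"], iface["pid"])
        dev = devices.setdefault(key, {"name": iface["name"], "keyboard": [], "other": []})
        is_keyboard = iface["kind"] == "Keyboard" and "input" in iface["handlers"]
        dev["keyboard" if is_keyboard else "other"].append(iface["hidraw"])
    return devices


def report(text):
    """Human-readable one-line summary per device."""
    lines = []
    for (vid, pid), dev in summarize_devices(parse_hid_interfaces(text)).items():
        lines.append(
            f"{vid}:{pid} {dev['name']}: keyboard interfaces {dev['keyboard']} "
            f"(input proxy), other HID interfaces {dev['other']} (hidraw for U2F proxy)"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DMESG)))
```

Run it against `journalctl -k` output from sys-usb after plugging the key in; a composite key that is working as intended shows exactly one entry under "keyboard" and at least one under "other", while a key that exposes only a single HID interface ends up entirely in one bucket.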

euidzero commented 4 years ago

Trying to register on https://demo.yubico.com/webauthn-technical/registration

Dec 25 13:08:08 sys-usb qrexec-agent[450]: executed root:QUBESRPC u2f.Register personal pid 1466
Dec 25 13:08:09 sys-usb qu2f-register[1477]: mux no device, sending fake CONDITIONS_NOT_SATISFIED

The message is repeated until timeout in the browser with increasing PID number.

euidzero commented 4 years ago

Also tried with a SoloKey (the U2F implementation of OnlyKey is based on SoloKey):

kernel: 
[51751.790279] usb 2-2: Manufacturer: SoloKeys
[51751.791950] hid-generic 0003:0483:A2CA.0019: hiddev96,hidraw1: USB HID v1.11 Device [SoloKeys Solo 3.0.0] on usb-0000:00:06.0-2/input0

debug: 

Jun 04 22:20:50 sys-usb qu2f-register[19576]: asyncio Using selector: EpollSelector
Jun 04 22:20:50 sys-usb qu2f-register[19576]: CommandAPDURegister from_buffer(untrusted_data=0001030000004045573936b88c6de63b3324ae682affb50957d889bf2573305413a1dce9d04a6ae628e3d57a75e0a221131be840c2dbd5c6d779c12fad3e631fba871494612d6e0000)
Jun 04 22:20:50 sys-usb qu2f-register[19576]: CommandAPDURegister from_buffer lc=64 untrusted_request_data=45573936b88c6de63b3324ae682affb50957d889bf2573305413a1dce9d04a6ae628e3d57a75e0a221131be840c2dbd5c6d779c12fad3e631fba871494612d6e
Jun 04 22:20:50 sys-usb qu2f-register[19576]: CommandAPDURegister __init__(untrusted_cla=0, untrusted_ins=1, untrusted_p1=3, untrusted_p2=0, untrusted_request_data=45573936b88c6de63b3324ae682affb50957d889bf2573305413a1dce9d04a6ae628e3d57a75e0a2>
Jun 04 22:20:50 sys-usb qu2f-register[19576]: mux pending=set()
Jun 04 22:20:50 sys-usb qu2f-register[19576]: mux no device, sending fake CONDITIONS_NOT_SATISFIED
Jun 04 22:20:50 sys-usb qu2f-register[19576]: root ResponseAPDU.__new__(cls=<class 'qubesu2f.proto.APDUConditionsNotSatisfiedError'>, *args=(), untrusted_sw=None, **kwargs={})
Jun 04 22:20:50 sys-usb qu2f-register[19576]: root ResponseAPDU.__new__ newcls=<class 'qubesu2f.proto.APDUConditionsNotSatisfiedError'>
Jun 04 22:20:50 sys-usb qu2f-register[19576]: root ResponseAPDU.__new__ superobj=<class 'Exception'>
Jun 04 22:20:50 sys-usb qu2f-register[19576]: root APDUError.__init__(*args=(), untrusted_sw=None, **kwargs={})
Jun 04 22:20:50 sys-usb qu2f-register[19576]: root ResponseAPDU.__init__(*args=(), untrusted_sw=b'i\x85', untrusted_response_data=b'', kwargs={})
Jun 04 22:20:50 sys-usb qu2f-register[19576]: root ResponseAPDU.__init__ sw
Jun 04 22:20:50 sys-usb qu2f-register[19576]: root ResponseAPDU.__init__ response_data
Jun 04 22:20:50 sys-usb qrexec-agent[19575]: pam_unix(qrexec:session): session closed for user root
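The debug log above prints the raw register command the browser sent (`from_buffer(untrusted_data=...)`, parsed as `lc=64`) and the status word the proxy answered with (`untrusted_sw=b'i\x85'`). As an added example, not part of the issue or of the qubes-u2f code itself, here is a small decoder for exactly those two artifacts: it splits the extended-length APDU into CLA/INS/P1/P2, Lc, data and Le, cuts the 64-byte U2F_REGISTER payload into its challenge and application parameters, and names the status word. The instruction and status-word tables follow the FIDO U2F raw message format; the helper names are my own.

```python
# Instruction bytes and status words from the FIDO U2F raw message format.
U2F_INS = {0x01: "U2F_REGISTER", 0x02: "U2F_AUTHENTICATE", 0x03: "U2F_VERSION"}
U2F_SW = {
    0x9000: "SW_NO_ERROR",
    0x6985: "SW_CONDITIONS_NOT_SATISFIED",  # test-of-user-presence required
    0x6A80: "SW_WRONG_DATA",
    0x6700: "SW_WRONG_LENGTH",
    0x6E00: "SW_CLA_NOT_SUPPORTED",
    0x6D00: "SW_INS_NOT_SUPPORTED",
}

# Request buffer and status word copied from the qu2f-register debug log above.
LOGGED_REQUEST_HEX = (
    "00010300000040"
    "45573936b88c6de63b3324ae682affb50957d889bf2573305413a1dce9d04a6a"
    "e628e3d57a75e0a221131be840c2dbd5c6d779c12fad3e631fba871494612d6e"
    "0000"
)
LOGGED_SW = b"i\x85"


def parse_apdu(raw):
    """Split an ISO 7816-4 command APDU into its fields (short or extended length)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[0], raw[1], raw[2], raw[3]
    body = raw[4:]
    if not body:
        return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "lc": 0, "data": b"", "le": None}
    if body[0] == 0 and len(body) >= 3:
        # extended length: 00 Lc_hi Lc_lo <data> [Le_hi Le_lo]; Le 00 00 means 65536
        lc = int.from_bytes(body[1:3], "big")
        data, rest = body[3:3 + lc], body[3 + lc:]
        if len(data) != lc or len(rest) not in (0, 2):
            raise ValueError("malformed extended-length APDU")
        le = None if not rest else (int.from_bytes(rest, "big") or 65536)
    else:
        # short length: Lc <data> [Le]; Le 00 means 256
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc or len(rest) not in (0, 1):
            raise ValueError("malformed short-length APDU")
        le = None if not rest else (rest[0] or 256)
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "lc": lc, "data": data, "le": le}


def decode_register_request(apdu):
    """Split a U2F_REGISTER payload into its 32-byte challenge and application parameters."""
    if apdu["ins"] != 0x01:
        raise ValueError("not a U2F_REGISTER APDU")
    if apdu["lc"] != 64:
        raise ValueError(f"U2F_REGISTER expects 64 data bytes, got {apdu['lc']}")
    return {"challenge_param": apdu["data"][:32], "application_param": apdu["data"][32:]}


def decode_status_word(sw):
    """Turn the 2-byte status word into (code, name)."""
    if len(sw) != 2:
        raise ValueError("status word must be exactly 2 bytes")
    code = int.from_bytes(sw, "big")
    return code, U2F_SW.get(code, "SW_UNKNOWN")


def explain_logged_exchange(request_hex=LOGGED_REQUEST_HEX, sw=LOGGED_SW):
    """Summarize one request/response pair as the proxy logged it."""
    apdu = parse_apdu(bytes.fromhex(request_hex))
    params = decode_register_request(apdu)
    code, name = decode_status_word(sw)
    return {
        "command": U2F_INS.get(apdu["ins"], "unknown"),
        "challenge_param": params["challenge_param"].hex(),
        "application_param": params["application_param"].hex(),
        "status": f"{code:04X} {name}",
    }


if __name__ == "__main__":
    for key, value in explain_logged_exchange().items():
        print(f"{key}: {value}")
```

Decoding the status word is what makes the log readable: `b'i\x85'` is 0x6985, CONDITIONS_NOT_SATISFIED, which a real token returns while it waits for a touch, and which the mux here fabricates because it found no device to forward the request to. A browser keeps retrying on that code, which is why the same message repeats until the browser times out.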

euidzero commented 3 years ago

With fedora-33 in both the appVM and sys-usb, with qubes-u2f-1.2.8-1.fc33.noarch, the SoloKey works perfectly. The OnlyKey still fails to register but now I cannot find any message about the failure in journalctl (-k).

onlykey commented 3 years ago

We had a user report an issue here that may be related: if using u2f-proxy there may be issues, as that does not support FIDO2 and only supports some U2F keys - https://onlykey.discourse.group/t/u2f-broken-on-qubesos-any-way-to-disable-u2f-personality/505/7?u=t11

https://github.com/QubesOS/qubes-issues/issues/8531

euidzero commented 2 years ago

With Qubes 4.1 OnlyKey is now working as expected with u2f-proxy.