u2f(4): a HID driver for FIDO/U2F security keys
ClosedPublic
Actions

Authored by wulf on Jul 28 2025, 9:38 PM.

Details

Reviewers

emaste
manu
andrew

Commits

rG4a04e0a6c703: u2f(4): a HID driver for FIDO/U2F security keys

Summary

While FIDO/U2F keys were already supported by the generic uhid(4) and
hidraw(4) drivers, this driver adds some additional features an does
steps to tighten the security of FIDO/U2F access.

It automatically loads through devd.
Automatically enables HQ_NO_READAHEAD for FIDO/U2F devices.
Implements only miminum set of features.
Do not requires external devfs configuration to set character device permissions.
Names character device as u2f/# to make possible capsicum or any other pledge()-style sandboxing.

PR: 265528
MFC after: 1 week

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

wulf created this revision.Jul 28 2025, 9:38 PM

Herald added a reviewer: andrew. · View Herald TranscriptJul 28 2025, 9:38 PM

Herald added a reviewer: andrew. · View Herald Transcript

Herald added subscribers: riscv, ziaee, jhibbits, imp. · View Herald Transcript

wulf requested review of this revision.Jul 28 2025, 9:38 PM

Harbormaster completed remote builds in B65823: Diff 159377.Jul 28 2025, 9:38 PM

wulf added a parent revision: D41639: Add u2f(4), a HID driver for FIDO/U2F security keys.Jul 28 2025, 9:38 PM

wulf mentioned this in D51610: Add u2f(4), a HID driver for FIDO/U2F security keys.Jul 28 2025, 9:39 PM

lwhsu added a subscriber: lwhsu.Jul 29 2025, 6:10 AM

No other problems but some notes:

There is a kind of device call u2f zero that has customized blink command support and hardware rng. Other thing are same as normal u2f device. We can add support to these special device in the future.
The u2fhid support channel id (first few bytes) in their packet. Therefore, it is possible for multiple process to open this device by recording all channel usage status.