Date: Mon, 8 Jan 2024 10:43:56 -0800 From: Xin LI <delphij@gmail.com> To: Warner Losh <imp@bsdimp.com> Cc: Kyle Evans <kevans@freebsd.org>, freebsd-current@freebsd.org Subject: Re: Move u2f-devd into base? Message-ID: <CAGMYy3tTG31ThX0sWH=kiDv=gdKniZ0FNRf-pZDgdt5uM58wWQ@mail.gmail.com> In-Reply-To: <CANCZdfou_gt9J6gt1fUkzGS1ZbfT1Z64Oz8S52J5z%2Bc%2BCfBcVQ@mail.gmail.com> References: <ZZwLx1RxlY6xuvFV@lorvorc.mips.inka.de> <CANCZdfqpbL=QNgTwBveUpBooucX2MbfZnR9dw4w25_TXYOyuDg@mail.gmail.com> <20240109013058.22807f3816603829316cef4c@dec.sakura.ne.jp> <b38c7956-17d8-4c6a-a56a-42befdf35c17@FreeBSD.org> <CANCZdfou_gt9J6gt1fUkzGS1ZbfT1Z64Oz8S52J5z%2Bc%2BCfBcVQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--000000000000373e64060e739558
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
On Mon, Jan 8, 2024 at 10:37=E2=80=AFAM Warner Losh <imp@bsdimp.com> wrote:
>
>
> On Mon, Jan 8, 2024 at 9:35=E2=80=AFAM Kyle Evans <kevans@freebsd.org> wr=
ote:
>
>> On 1/8/24 10:30, Tomoaki AOKI wrote:
>> > On Mon, 8 Jan 2024 08:18:38 -0700
>> > Warner Losh <imp@bsdimp.com> wrote:
>> >
>> >> On Mon, Jan 8, 2024, 7:55=E3=80=93AM Christian Weisgerber <naddy@mips=
.inka.de>
>> >> wrote:
>> >>
>> >>> We have FIDO/U2F support for SSH in base.
>> >>>
>> >>> We also have a group "u2f", 116, in the default /etc/group file.
>> >>>
>> >>> Why do we keep the devd configuration (to chgrp the device nodes)
>> >>> in a port, security/u2f-devd? Can't we just add this to base, too?
>> >>> It's just another devd configuration file.
>> >>>
>> >>
>> >> This properly belongs to devfs.conf no? Otherwise it's a race..
>> >>
>> >> Warner
>> >>
>> >> --
>> >>> Christian "naddy" Weisgerber
>> naddy@mips.inka.de
>> >
>> > It's devd.conf materials. It actually is security/usf-devd/files
>> > u2f.conf and its contents is sets of notify 100 { match "vendor" ...
>> > match "product" ... action "chgrpy u2f ..." };.
>> > Some hase more items in it, though.
>> >
>> > So it should be in ports to adapt for latest products more quickly tha=
n
>> > in base, I think.
>> >
>>
>> I don't see any obvious reason that we can't compromise and have a
>> baseline of products in base and just use the port for new products not
>> yet known to base. These vendors presumably aren't going to quickly
>> repurpose some PID for a non-u2f thing, much less in a way that we care
>> about.
>>
>
> Yea, I just wonder why it has to be devd.conf, and not devfs.conf. What a=
re
> we missing from that to make this doable generically? If we want it safe,
> we
> may need some additional work around the whole ugen thing it uses.
>
I think it's probably because of the lack of device ID matching capability
in devfs.conf (or in other words, there may be _some_ reason that I am not
aware of, to not expose all USB HID devices to desktop users; devd.conf
gives us the ability to selectively expose them based on what they claim
themselves to be, while with devfs.conf we can only say "expose HID
devices" vs "expose these allowlisted devices").
Cheers,
--000000000000373e64060e739558
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div dir=3D"ltr"><div class=3D"gmail_default" style=3D"fon=
t-family:monospace,monospace"><br></div></div><br><div class=3D"gmail_quote=
"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jan 8, 2024 at 10:37=E2=80=
=AFAM Warner Losh <<a href=3D"mailto:imp@bsdimp.com">imp@bsdimp.com</a>&=
gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0=
px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div =
dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote"><div =
dir=3D"ltr" class=3D"gmail_attr">On Mon, Jan 8, 2024 at 9:35=E2=80=AFAM Kyl=
e Evans <<a href=3D"mailto:kevans@freebsd.org" target=3D"_blank">kevans@=
freebsd.org</a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex">On 1/8/24 10:30, Tomoaki AOKI wrote:<br>
> On Mon, 8 Jan 2024 08:18:38 -0700<br>
> Warner Losh <<a href=3D"mailto:imp@bsdimp.com" target=3D"_blank">im=
p@bsdimp.com</a>> wrote:<br>
> <br>
>> On Mon, Jan 8, 2024, 7:55=E3=80=93AM Christian Weisgerber <<a h=
ref=3D"mailto:naddy@mips.inka.de" target=3D"_blank">naddy@mips.inka.de</a>&=
gt;<br>
>> wrote:<br>
>><br>
>>> We have FIDO/U2F support for SSH in base.<br>
>>><br>
>>> We also have a group "u2f", 116, in the default /etc=
/group file.<br>
>>><br>
>>> Why do we keep the devd configuration (to chgrp the device nod=
es)<br>
>>> in a port, security/u2f-devd?=C2=A0 Can't we just add this=
to base, too?<br>
>>> It's just another devd configuration file.<br>
>>><br>
>><br>
>> This properly belongs to devfs.conf no? Otherwise it's a race.=
.<br>
>><br>
>> Warner<br>
>><br>
>> -- <br>
>>> Christian "naddy" Weisgerber=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=
=3D"mailto:naddy@mips.inka.de" target=3D"_blank">naddy@mips.inka.de</a><br>
> <br>
> It's devd.conf materials. It actually is security/usf-devd/files<b=
r>
> u2f.conf and its contents is sets of notify 100 { match "vendor&q=
uot; ...<br>
> match "product" ... action "chgrpy u2f ..." };.<br=
>
> Some hase more items in it, though.<br>
> <br>
> So it should be in ports to adapt for latest products more quickly tha=
n<br>
> in base, I think.<br>
> <br>
<br>
I don't see any obvious reason that we can't compromise and have a =
<br>
baseline of products in base and just use the port for new products not <br=
>
yet known to base.=C2=A0 These vendors presumably aren't going to quick=
ly <br>
repurpose some PID for a non-u2f thing, much less in a way that we care <br=
>
about.<br></blockquote><div><br></div><div>Yea, I just wonder why it has to=
be devd.conf, and not devfs.conf. What are</div><div>we missing from that =
to make this doable generically? If we want it safe, we</div><div>may need =
some additional work around the whole ugen thing it uses.</div></div></div>=
</blockquote><div><br></div><div><div class=3D"gmail_default" style=3D"font=
-family:monospace,monospace">I think it's probably because of the lack =
of device ID matching capability in devfs.conf (or in other words, there ma=
y be _some_ reason that I am not aware of, to not expose all USB HID device=
s to desktop users; devd.conf gives us the ability to selectively expose th=
em based on what they claim themselves to be, while with devfs.conf we can =
only say "expose HID devices" vs "expose these allowlisted d=
evices").</div><br></div><div><div class=3D"gmail_default" style=3D"fo=
nt-family:monospace,monospace">Cheers,</div><br></div></div></div>
--000000000000373e64060e739558--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGMYy3tTG31ThX0sWH=kiDv=gdKniZ0FNRf-pZDgdt5uM58wWQ>