Re: Move u2f-devd into base?

From: Xin LI <delphij_at_gmail.com>
Date: Mon, 08 Jan 2024 18:43:56 UTC
On Mon, Jan 8, 2024 at 10:37 AM Warner Losh <imp@bsdimp.com> wrote:

>
>
> On Mon, Jan 8, 2024 at 9:35 AM Kyle Evans <kevans@freebsd.org> wrote:
>
>> On 1/8/24 10:30, Tomoaki AOKI wrote:
>> > On Mon, 8 Jan 2024 08:18:38 -0700
>> > Warner Losh <imp@bsdimp.com> wrote:
>> >
>> >> On Mon, Jan 8, 2024, 7:55〓AM Christian Weisgerber <naddy@mips.inka.de>
>> >> wrote:
>> >>
>> >>> We have FIDO/U2F support for SSH in base.
>> >>>
>> >>> We also have a group "u2f", 116, in the default /etc/group file.
>> >>>
>> >>> Why do we keep the devd configuration (to chgrp the device nodes)
>> >>> in a port, security/u2f-devd?  Can't we just add this to base, too?
>> >>> It's just another devd configuration file.
>> >>>
>> >>
>> >> This properly belongs to devfs.conf no? Otherwise it's a race..
>> >>
>> >> Warner
>> >>
>> >> --
>> >>> Christian "naddy" Weisgerber
>> naddy@mips.inka.de
>> >
>> > It's devd.conf materials. It actually is security/usf-devd/files
>> > u2f.conf and its contents is sets of notify 100 { match "vendor" ...
>> > match "product" ... action "chgrpy u2f ..." };.
>> > Some hase more items in it, though.
>> >
>> > So it should be in ports to adapt for latest products more quickly than
>> > in base, I think.
>> >
>>
>> I don't see any obvious reason that we can't compromise and have a
>> baseline of products in base and just use the port for new products not
>> yet known to base.  These vendors presumably aren't going to quickly
>> repurpose some PID for a non-u2f thing, much less in a way that we care
>> about.
>>
>
> Yea, I just wonder why it has to be devd.conf, and not devfs.conf. What are
> we missing from that to make this doable generically? If we want it safe,
> we
> may need some additional work around the whole ugen thing it uses.
>

I think it's probably because of the lack of device ID matching capability
in devfs.conf (or in other words, there may be _some_ reason that I am not
aware of, to not expose all USB HID devices to desktop users; devd.conf
gives us the ability to selectively expose them based on what they claim
themselves to be, while with devfs.conf we can only say "expose HID
devices" vs "expose these allowlisted devices").

Cheers,