From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
	"César Belley" <cesar.belley@lse.epita.fr>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Cleber Rosa" <crosa@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Eduardo Habkost" <ehabkost@redhat.com>
Subject: [PULL 06/17] docs: Add USB U2F key device documentation
Date: Wed, 19 Aug 2020 07:46:33 +0200
Message-ID: <20200819054644.30610-7-kraxel@redhat.com>
In-Reply-To: <20200819054644.30610-1-kraxel@redhat.com>

From: César Belley <cesar.belley@lse.epita.fr>

Add USB U2F key device documentation:
- USB U2F key device
- Building
- Using u2f-emulated
- Using u2f-passthru
- Libu2f-emu

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200812094135.20550-3-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 docs/u2f.txt | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 docs/u2f.txt

diff --git a/docs/u2f.txt b/docs/u2f.txt
new file mode 100644
index 000000000000..f60052882ec3
--- /dev/null
+++ b/docs/u2f.txt
@@ -0,0 +1,101 @@
+QEMU U2F Key Device Documentation.
+
+Contents
+1. USB U2F key device
+2. Building
+3. Using u2f-emulated
+4. Using u2f-passthru
+5. Libu2f-emu
+
+1. USB U2F key device
+
+U2F is an open authentication standard that enables relying parties
+exposed to the internet to offer a strong second factor option for end
+user authentication.
+
+The standard brings many advantages to both parties, client and server,
+allowing to reduce over-reliance on passwords, it increases authentication
+security and simplifies passwords.
+
+The second factor is materialized by a device implementing the U2F
+protocol. In case of a USB U2F security key, it is a USB HID device
+that implements the U2F protocol.
+
+In Qemu, the USB U2F key device offers a dedicated support of U2F, allowing
+guest USB FIDO/U2F security keys operating in two possible modes:
+pass-through and emulated.
+
+The pass-through mode consists of passing all requests made from the guest
+to the physical security key connected to the host machine and vice versa.
+In addition, the dedicated pass-through allows to have a U2F security key
+shared on several guests which is not possible with a simple host device
+assignment pass-through.
+
+The emulated mode consists of completely emulating the behavior of an
+U2F device through software part. Libu2f-emu is used for that.
+
+
+2. Building
+
+To ensure the build of the u2f-emulated device variant which depends
+on libu2f-emu: configuring and building:
+
+    ./configure --enable-u2f && make
+
+
+3. Using u2f-emulated
+
+To work, an emulated U2F device must have four elements:
+ * ec x509 certificate
+ * ec private key
+ * counter (four bytes value)
+ * 48 bytes of entropy (random bits)
+
+To use this type of device, this one has to be configured, and these
+four elements must be passed one way or another.
+
+Assuming that you have a working libu2f-emu installed on the host.
+There are three possible ways of configurations:
+ * ephemeral
+ * setup directory
+ * manual
+
+Ephemeral is the simplest way to configure, it lets the device generate
+all the elements it needs for a single use of the lifetime of the device.
+
+    qemu -usb -device u2f-emulated
+
+Setup directory allows to configure the device from a directory containing
+four files:
+ * certificate.pem: ec x509 certificate
+ * private-key.pem: ec private key
+ * counter: counter value
+ * entropy: 48 bytes of entropy
+
+    qemu -usb -device u2f-emulated,dir=$dir
+
+Manual allows to configure the device more finely by specifying each
+of the elements necessary for the device:
+ * cert
+ * priv
+ * counter
+ * entropy
+
+    qemu -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
+
+
+4. Using u2f-passthru
+
+On the host specify the u2f-passthru device with a suitable hidraw:
+
+    qemu -usb -device u2f-passthru,hidraw=/dev/hidraw0
+
+
+5. Libu2f-emu
+
+The u2f-emulated device uses libu2f-emu for the U2F key emulation. Libu2f-emu
+implements completely the U2F protocol device part for all specified
+transport given by the FIDO Alliance.
+
+For more information about libu2f-emu see this page:
+https://github.com/MattGorko/libu2f-emu.
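Review bot: Section 3 lists the four inputs of u2f-emulated (certificate, private key, counter, entropy) but never says what format the counter and entropy files take or how to produce them, so a reader cannot build a working dir= setup from this text alone; state whether "counter (four bytes value)" means raw bytes or a textual number, and add a short recipe for generating the four files. Because the setup directory holds the device's EC private key and its entropy, a sentence recommending that these files be readable only by the user running QEMU would fit here as well. In section 4, "a suitable hidraw" is left undefined: say how to identify the hidraw node that belongs to the U2F key and what permissions the QEMU process needs on it. Wording points: "for a single use of the lifetime of the device" in the ephemeral paragraph should say plainly whether anything registered with an ephemeral device survives a restart, the sentence introducing ./configure --enable-u2f in section 2 does not parse, and "Qemu" in section 1 should match the "QEMU" used in the title.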
-- 
2.18.4


