On Mon, Nov 3, 2014 at 11:03 AM, David Herrmann <dh.herrmann@xxxxxxxxx> wrote:
> Hi
>
> On Sun, Nov 2, 2014 at 7:57 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> I want to get U2F (universal second factor, sometimes called "security
>> key" or even "gnubby") working on Linux. U2F tokens are HID devices
>> that speak a custom protocol. The intent is that user code will speak
>> to them using something like HIDAPI.
>>
>> The trick is that, for HIDAPI to work, something needs to recognize
>> these devices and get udev to set appropriate device permissions.
>
> [snip]
>
>> - An actual kernel driver for U2F devices using the hid group
>> mechanism for enumeration. This seems overcomplicated.
>
> Imho, this is the way to go. Create a proper char-dev for U2F, create
> an API and make it work.
>
> We had this discussion earlier about vendor-extensions that should be
> writable via hidraw from user-space. This turned out to be really
> messy.. and was discussed for several weeks straight. hidraw just
> wasn't designed as unprivileged user-space API. For instance, what
> happens if a device provides U2F plus something else? Both will be on
> the same hidraw device.
> We could split hidraw per usage, but I don't see how that is superior
> to a proper U2F API. And once one usage can affect a device as a whole
> (like power-off), you're screwed.

Agreed, mostly. My only real concern is that this could be annoying
for the userspace developers who will need to target Linux and HIDAPI
separately. Admittedly the Linux support will be trivial.

I can give the driver a try. It'll actually be simpler than the spec
makes it out, since a real kernel driver will have no need to
arbitrate with itself.

--Andy

>
> Just look at the libusb mess where some devices are handled in the
> kernel and some in user-space (eg., see Gnome cheese, media devices,
> ...). I don't think we should repeat that with HID.
>
> Thanks
> David

--
Andy Lutomirski
AMA Capital Management, LLC
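
The mixed-device case raised in this thread (U2F plus something else behind one hidraw node) can be checked from a HID report descriptor. The C program below is an added example, not code from either poster or from the kernel. The 0xF1D0 usage page comes from the FIDO U2F HID specification rather than from the thread, and the sample descriptor and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FIDO_USAGE_PAGE 0xF1D0u /* usage page the U2F HID spec assigns to FIDO */
struct scan { int apps, fido; }; /* top-level application collections seen */

/* Constructed sample: keyboard and FIDO collections behind one HID interface. */
static const uint8_t combo[] = {
    0x05,0x01, 0x09,0x06, 0xA1,0x01, 0x05,0x07, 0x19,0xE0, 0x29,0xE7,
    0x15,0x00, 0x25,0x01, 0x75,0x01, 0x95,0x08, 0x81,0x02, 0xC0,
    0x06,0xD0,0xF1, 0x09,0x01, 0xA1,0x01, 0x09,0x20, 0x15,0x00,
    0x26,0xFF,0x00, 0x75,0x08, 0x95,0x40, 0x81,0x02, 0xC0,
};

/* Walk short items; -1 on truncation, unbalanced collections or a long item. */
static int scan_descriptor(const uint8_t *d, size_t len, struct scan *out)
{
    uint32_t page = 0, ext = 0;
    size_t i = 0;
    int depth = 0;
    out->apps = out->fido = 0;
    while (i < len) {
        uint8_t p = d[i++];
        size_t n = (p & 3) == 3 ? 4 : (size_t)(p & 3);
        uint32_t v = 0;
        if (p == 0xFE || len - i < n) return -1;
        for (size_t k = 0; k < n; k++) v |= (uint32_t)d[i++] << (8 * k);
        switch (p & 0xFC) {
        case 0x04: page = v; break;                   /* Usage Page (global) */
        case 0x08: ext = n == 4 ? v >> 16 : 0; break; /* Usage (local) */
        case 0xA0:                                    /* Collection */
            if (depth++ == 0 && v == 0x01) {          /* top-level Application */
                out->apps++;
                out->fido += (ext ? ext : page) == FIDO_USAGE_PAGE;
            }
            break;
        case 0xC0: if (depth-- == 0) return -1; break; /* End Collection */
        }
        if ((p & 0x0C) == 0) ext = 0; /* main items reset local state */
    }
    return depth == 0 ? 0 : -1;
}
/* The case raised in the thread: U2F plus something else on one hidraw node. */
static int fido_shares_interface(const struct scan *s) { return s->fido && s->apps > s->fido; }

int main(void)
{
    struct scan s;
    if (scan_descriptor(combo, sizeof combo, &s)) return 1;
    printf("apps=%d fido=%d shared=%d\n", s.apps, s.fido, fido_shares_interface(&s));
    return 0;
}
```

A permission rule keyed only on "this interface has a FIDO collection" would also hand an unprivileged user the other collections on the same node, which is the concern a dedicated U2F char-dev avoids.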