This tool is intended to securely forward CTAP challenge-response authentication between Web browser and CTAP HID token without exposing the browser and USB stack to one another.
This implements FIDO 2 with HID encapsulation.
- Qubes R4.1 or later
- TODO: For Debian template: Debian 10 (stretch) or later
- For Fedora template: Fedora 35 or later
- Python 3.7 or later
- https://github.com/Yubico/python-fido2
- For building manpages:
python3-sphinx
The guide assumes there is sys-usb
qube which holds the USB Host PCI device
and the qube which holds the browser (or other CTAP client) is named work
.
- In
debian-11
:
sudo apt install qubes-ctap
- In
fedora-38
:
sudo dnf install qubes-ctap
- In
dom0
:
qubes-dom0-update qubes-ctap-dom0
qvm-service --enable work qubes-ctap-proxy
In dom0
, create a file
/etc/qubes-rpc/policy/policy.RegisterArgument+u2f.Authenticate
with the
following content:
sys-usb $anyvm allow,target=dom0
Then truncate /etc/qubes-rpc/policy/u2f.Authenticate
to 0 bytes and register
your token. After doing this, any qube will have access only to tokens enrolled
using that particular qube. Also, any previously registered token will not work.
Threat model is two-ways, both frontend and backend are untrusted from each others point of view. It is assumed that either side could be taken control of by an attacker: for example the backend domain could have vulnerabilities in USB stack and frontend domain can be taken over via exploit against web browser. It is further assumed that either side is capable of sending arbitrary messages within the constraints of qrexec policy.
The aim of the frontend site would be typically to get unlimited access to token, and possibly key materiel if the token is software-only. The aim of the backend would be to get access to any secrets held in frontend domain, and there certainly are some, since the user is deploying CTAP authentication to protect them in the first place. That access should not be possible.
It is explicitly not a goal to ensure any security properties already provided by the CTAP protocol itself. It is also not a goal to prevent cooperative channels between the browser and the token.
WINK does not work, even if the underlying harware token does support it.