[PATCH 00/13] Introduce USB U2F key device

César Belley posted 13 patches 3 years, 8 months ago
Test docker-quick@centos7 failed
Test docker-mingw@fedora failed
Test checkpatch failed
Test FreeBSD failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20200812094135.20550-1-cesar.belley@lse.epita.fr
There is a newer version of this series
[PATCH 00/13] Introduce USB U2F key device
Posted by César Belley 3 years, 8 months ago
This patch series adds dedicated U2F support to QEMU through a USB
U2F key device that can operate in two modes: pass-through and emulated.

This work is also part of the GSoC program of this year and follows the
proposal I made for the 'Virtual FIDO2/U2F security key' subject,
suggested and mentored by Gerd Hoffmann.

U2F is an open authentication standard. It enables relying parties
exposed to the internet to offer a strong second factor option for end
user authentication.

The standard brings many advantages to both parties, client and server:
it reduces over-reliance on passwords, increases authentication
security and simplifies passwords.

The second factor is materialized by a device implementing the U2F
protocol. In case of a USB U2F security key, it is a USB HID device
that implements the U2F protocol.

The USB U2F key device given in this patch series allows adding guest
U2F security keys via two possible modes: pass-through and emulated.

The pass-through mode consists of passing all requests made from the
guest to the physical security key connected to the host machine and
vice versa. In addition, the dedicated pass-through allows a U2F
security key to be shared among several guests, which is not possible
with a simple host device assignment pass-through.

The emulated mode consists of completely emulating the behavior of a
U2F device in software. Libu2f-emu is used for that.

Regards,
César Belley

César Belley (13):
  hw/usb: Regroup USB HID protocol values
  docs: Add USB U2F key device documentation
  hw/usb: Add U2F key base class
  hw/usb: Add U2F key base class implementation
  hw/usb: Add U2F key passthru mode
  hw/usb: Add U2F key emulated mode
  hw/usb: Add U2F key build recipe
  configure: Add USB U2F key device
  docs/system: Add U2F key to the USB devices examples
  docs/qdev-device-use.txt: Add USB U2F key to the QDEV devices examples
  scripts: Add u2f-setup-gen script
  hw/usb: Add U2F device check to passthru mode
  hw/usb: Add U2F device autoscan to passthru mode

 configure                |  27 ++
 docs/qdev-device-use.txt |   1 +
 docs/system/usb.rst      |   3 +
 docs/u2f.txt             | 110 ++++++++
 hw/usb/Kconfig           |   5 +
 hw/usb/Makefile.objs     |   9 +
 hw/usb/dev-hid.c         |  26 +-
 hw/usb/dev-wacom.c       |  12 +-
 hw/usb/u2f-emulated.c    | 405 ++++++++++++++++++++++++++++
 hw/usb/u2f-passthru.c    | 551 +++++++++++++++++++++++++++++++++++++++
 hw/usb/u2f.c             | 352 +++++++++++++++++++++++++
 hw/usb/u2f.h             |  92 +++++++
 include/hw/usb/hid.h     |  17 ++
 scripts/u2f-setup-gen.py | 170 ++++++++++++
 14 files changed, 1752 insertions(+), 28 deletions(-)
 create mode 100644 docs/u2f.txt
 create mode 100644 hw/usb/u2f-emulated.c
 create mode 100644 hw/usb/u2f-passthru.c
 create mode 100644 hw/usb/u2f.c
 create mode 100644 hw/usb/u2f.h
 create mode 100644 include/hw/usb/hid.h
 create mode 100755 scripts/u2f-setup-gen.py

-- 
2.28.0
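
Added example, not code from this patch series or from QEMU: the cover letter describes a USB U2F key as a USB HID device speaking the U2F protocol, so whatever sits between guest and key receives requests as fixed 64-byte reports and must bound-check them while reassembling. The code below follows the packet layout of the FIDO U2F HID specification; `struct u2f_msg` and `u2f_feed` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

/* Values from the FIDO U2F HID protocol specification. */
#define PKT_SIZE    64                            /* fixed HID report size */
#define INIT_DATA   (PKT_SIZE - 7)                /* after CID(4) CMD(1) BCNT(2) */
#define CONT_DATA   (PKT_SIZE - 5)                /* after CID(4) SEQ(1) */
#define MAX_PAYLOAD (INIT_DATA + 128 * CONT_DATA) /* 7609 bytes */
#define TYPE_INIT   0x80                          /* bit 7 set: initialization packet */

/* Hypothetical reassembly state for one in-flight message. */
struct u2f_msg {
    uint8_t  cid[4];            /* channel the message belongs to */
    uint8_t  cmd;               /* command byte (bit 7 set) */
    uint8_t  seq;               /* next expected continuation number */
    uint16_t bcnt, have;        /* announced length, bytes copied so far */
    int      active;            /* a message is being reassembled */
    uint8_t  data[MAX_PAYLOAD];
};

/* Feed one 64-byte report: 1 = message complete, 0 = need more, -1 = rejected.
 * Simplification: an initialization packet arriving mid-message is rejected. */
int u2f_feed(struct u2f_msg *m, const uint8_t pkt[PKT_SIZE])
{
    const uint8_t *src;
    uint16_t room, left;

    if (pkt[4] & TYPE_INIT) {
        uint16_t bcnt = (uint16_t)(pkt[5] << 8 | pkt[6]);
        if (m->active || bcnt > MAX_PAYLOAD) {
            return -1;          /* busy, or length exceeds what framing allows */
        }
        memcpy(m->cid, pkt, 4);
        m->cmd = pkt[4]; m->bcnt = bcnt; m->have = 0; m->seq = 0; m->active = 1;
        src = pkt + 7; room = INIT_DATA;
    } else {
        if (!m->active || memcmp(m->cid, pkt, 4) != 0 || pkt[4] != m->seq) {
            return -1;          /* stray, wrong channel, or out of order */
        }
        m->seq++;
        src = pkt + 5; room = CONT_DATA;
    }
    left = (uint16_t)(m->bcnt - m->have);
    if (left > room) { left = room; }
    memcpy(m->data + m->have, src, left);
    m->have = (uint16_t)(m->have + left);
    m->active = m->have < m->bcnt;
    return !m->active;
}
```

The announced length is checked before any copy, and each copy is capped by both the remaining length and the space in the current report, so a report from the guest cannot write past `data`.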


Re: [PATCH 00/13] Introduce USB U2F key device
Posted by Gerd Hoffmann 3 years, 8 months ago
On Wed, Aug 12, 2020 at 11:41:22AM +0200, César Belley wrote:
> This patch series adds dedicated U2F support to QEMU through a USB
> U2F key device that can operate in two modes: pass-through and emulated.
> 
> This work is also part of the GSoC program of this year and follows the
> proposal I made for the 'Virtual FIDO2/U2F security key' subject,
> suggested and mentored by Gerd Hoffmann.
> 
> U2F is an open authentication standard. It enables relying parties
> exposed to the internet to offer a strong second factor option for end
> user authentication.
> 
> The standard brings many advantages to both parties, client and server:
> it reduces over-reliance on passwords, increases authentication
> security and simplifies passwords.
> 
> The second factor is materialized by a device implementing the U2F
> protocol. In case of a USB U2F security key, it is a USB HID device
> that implements the U2F protocol.
> 
> The USB U2F key device given in this patch series allows adding guest
> U2F security keys via two possible modes: pass-through and emulated.
> 
> The pass-through mode consists of passing all requests made from the
> guest to the physical security key connected to the host machine and
> vice versa. In addition, the dedicated pass-through allows a U2F
> security key to be shared among several guests, which is not possible
> with a simple host device assignment pass-through.
> 
> The emulated mode consists of completely emulating the behavior of a
> U2F device in software. Libu2f-emu is used for that.

Reviewed & tested.  Nice job.
Queued up for merge, pull req goes out in a moment.

Note there is a pending patch series converting the qemu build system
to meson which very likely conflicts with the Makefile changes.  So
there is a chance that the series needs a rebase because of that.

take care,
  Gerd