Possible to attach U2F-usb-stick to AppVM?

Before following the guides

YubiKey | Qubes OS and
U2F proxy | Qubes OS

I wanted to try out whether a Hypersec HyperFIDO and a Feitian Tech ePass FIDO device work at all.

So I installed chromium and yubikey-personalization-gui in an AppVM temporarily. After attaching the aforementioned USB sticks to the AppVM I was not able to get them to work. yubikey-personalization-gui can’t find a YubiKey - I thought that was a standard and other vendors’ products would be recognized as well. chromium does recognize the devices but can’t erase or write to them.

Does anyone have experience with alternative vendors? Do I have to take further steps like rebooting (which makes installation in the template a must) to work with U2F, OTP and challenge-response?

@arkenoi: you wrote in another thread, OTP and challenge-response are proprietary…
@sven: you wrote in another thread to write to /rw/config of the sys-usb-template. Why does one want to run yubikey-personalization-gui in sys-usb, anyway? I believe I understand why one wants to create keys in a disposableVM, but why in sys-usb?

Can you link to it please? I am lacking context.

That was about getting a custom.LockScreen script persistent. I’m wondering why sys-usb is the preferred VM to install and use the tools in.

I’m planning to use Hypersec HyperFIDO for unlocking a KeePassXC-database in a vaultVM. U2F (or OTP) for webapps and Challenge-Response for screen locking might be nice to have, too, but is secondary at the moment.

I don’t think that’s the case. Obviously you don’t want anything of value in sys-usb. I don’t use my Nitrokey for anything except GPG, which I run in vault, and I assign the Nitrokey to vault using the USB device tray icon.

Maybe the Nitrokey-App is easier to run in sys-usb, and one could make the case that the secrets are stored in the key. But then again some of them would be accessible in a compromised sys-usb.

I got it to work in vault too, with the key assigned via tray icon / qvm-usb. However, I stopped using it altogether a while ago.

My quoted response was merely about how to have something persist for use in a disposable. Not about the larger use case.

I agree.

This article YubiKey | Qubes OS is talking about USB-VM / sys-usb though.

That’s what I was trying to do. Well, at first in an AppVM, to see if I can get those FIDO sticks to work.

So it’s vendor-specific?

I used to have a smartcard-reader and if I remember it correctly GPG worked with smartcard and reader out-of-the-box.

Anyway, installing the yubikey-personalization(-gui) in the template and restarting the AppVM didn’t help.

I tried this udev rule after checking vendor IDs with lsusb, but that did not help detection with the YubiKey app either.

The udev rule was taken from Yubico’s GitHub repository.
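Since the post above checks vendor IDs with lsusb and then drops in a udev rule, here is an added helper (not from this thread, not Yubico’s file) that generates the matching hidraw rule from lsusb output and reports whether the current user can actually open the /dev/hidraw* nodes, which is the permission check a missing or non-matching rule would fail. The lsusb lines and the vendor:product IDs in them are constructed placeholders, not the IDs of the HyperFIDO or ePass devices; run the real `lsusb` in the AppVM and feed its output in instead.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Yubico.
# Turns lsusb output into udev hidraw rules so the unprivileged user in an
# AppVM can open the FIDO token's /dev/hidraw* node, and checks node access.

# Constructed sample lsusb output (placeholder vendor:product IDs).
SAMPLE_LSUSB='Bus 001 Device 002: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID abcd:0001 ExampleVendor FIDO Token'

# rule_for_device VID PID: print one hidraw rule. TAG+="uaccess" lets the
# active logind session open the node; this is the form used in Yubico's
# 70-u2f.rules, which is why an unmatched vendor ID there leaves the node
# root-only.
rule_for_device() {
    printf 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", TAG+="uaccess"\n' "$1" "$2"
}

# rules_from_lsusb: read lsusb lines on stdin, skip root hubs, print one rule
# per distinct vendor:product pair (field 6 of an lsusb line is "vvvv:pppp").
rules_from_lsusb() {
    awk '/root hub/ { next }
         { split($6, ids, ":"); print ids[1], ids[2] }' | sort -u |
    while read -r vid pid; do
        rule_for_device "$vid" "$pid"
    done
}

# hidraw_access: print "ok"/"denied" per /dev/hidraw* node for the current
# user. Returns 0 if at least one node is read/write-able, 1 otherwise.
hidraw_access() {
    found=1
    for node in /dev/hidraw*; do
        [ -e "$node" ] || continue
        if [ -r "$node" ] && [ -w "$node" ]; then
            echo "ok      $node"
            found=0
        else
            echo "denied  $node ($(stat -c '%U:%G %a' "$node"))"
        fi
    done
    return $found
}

# install_rules FILE: write rules for the devices currently on the bus and
# reload udev. In a Qubes AppVM /etc is not persistent across restarts, so
# this is typically called from /rw/config/rc.local (or done in the template).
install_rules() {
    lsusb | rules_from_lsusb > "$1"
    udevadm control --reload-rules && udevadm trigger
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSUSB" | rules_from_lsusb
    hidraw_access || echo "no accessible hidraw node; replug the token after installing the rule"
fi
```

Usage: `sh fido-udev.sh --demo` prints the rule derived from the constructed sample and the access report; as root, `install_rules /etc/udev/rules.d/70-fido.rules` writes rules for the attached devices. Because the AppVM only sees the device after `qvm-usb attach`, run the check after attaching, and replug (detach/attach) once the rule is in place so udev re-evaluates the node.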

@ckN6QwSZ I just don’t know enough about Yubikey and what you are trying to do to be helpful. I only answered because you called me by name. My use case is a Nitrokey and I only use it as a GPG ‘smart card’ … and that works great / out of the box.


Thank you, still.

Most threads in this forum regarding YubiKey problems lead to the solution

enable sys-usb

which I have been using from the beginning.

My use case is to use at least one of the mentioned FIDO devices for additional protection of my KeePassXC database. As a first step. Screen locking (easy) or LUKS encryption (probably too much hassle) might be future use cases. So far KeePassXC has not detected my hardware keys for Challenge-Response. Chromium detects my FIDO devices but cannot apply any changes.

I do have a GPG smartcard, a HyperFIDO key and a Feitian ePass FIDO. All three devices are attachable to my vaultVM or testing AppVM, and listable with qvm-usb in dom0 and lsusb in the respective AppVM.

I installed libfido2 and pcsclite (that’s on my testing AppVM, which is based on my Arch Linux template) and added a “CAC Module” to the NSS database.

From what I have read I don’t need special drivers for FIDO devices. Obviously I haven’t installed the correct driver, or I have a permission problem (see udev rules).