Qubes-CTAP/U2F proxy - am I missing something?

I watched the video above and read through the official documentation, the thread "CTAP Proxy not working, Qubes OS 4.2.2, Fedora 40 XFCE", and this forum thread, but I can't seem to specify which qubes may access which credentials on my security key.

I followed the official documentation:

  • From dom0:

    # Installed qubes-ctap-dom0
    sudo qubes-dom0-update qubes-ctap-dom0
    
    # Enabled the qubes-ctap-proxy service in the work AppVM 
    qvm-service --enable work qubes-ctap-proxy
    
    # Configured per-qube key access (the policy file is root-owned, so write it via sudo tee)
    echo "policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=dom0" | sudo tee /etc/qubes/policy.d/30-user-ctapproxy.policy
    
  • Installed qubes-ctap in the TemplateVMs upstream of my sys-usb and work AppVMs

  • I restarted sys-usb and work; however, I could not locate Dom0's /etc/qubes-rpc/policy/u2f.Authenticate file, which seems to be where the qube-to-key mapping would be configured.

  • I found that I had to add the following to /etc/qubes/policy.d/50-config-u2f.policy, or my screen would be flooded with denied u2f authentication notifications:

    u2f.Authenticate        *       work     sys-usb allow
    
    • Of note, it is better to configure this in the GUI (Global Config → USB Devices → U2F devices) to prevent the GUI from overwriting the settings.
    • Though this necessary modification resolves the flood of deny notifications and enables security key access, without the /etc/qubes-rpc/policy/u2f.Authenticate file I don't see how we're actually limiting or specifying which qubes can access specific keys, as described in the video above or in the documentation.
  • I even registered a security key from the work AppVM, but the u2f.Authenticate file never materialized in Dom0.

  • Inferring from the rest of the documentation (namely the service name from the "Non-default USB qube name" section and the targeting of Dom0 in /etc/qubes/policy.d/30-user-ctapproxy.policy), I looked to see if Dom0 had any services with "ctap" in the name via systemctl list-units | grep ctap, but couldn't find anything.

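As an added illustration (not part of the post above, and not qrexec's own code), the following is a deliberately simplified first-match evaluator for qrexec-style policy lines of the form `service argument source target action`. It exists only to show the security-relevant difference between the two policy shapes discussed in the thread: a line whose argument column is `*` (as in `u2f.Authenticate * work sys-usb allow`) lets the named qube use every registered credential, while a line whose argument is a specific `+<key-handle>` confines that qube to one credential. The key-handle hashes `a1b2c3` and `d4e5f6`, the qube name `personal`, and both policy texts are constructed for the example; the real qrexec policy engine supports many features this toy ignores (`@tag:`, `@type:`, `@default`, `!include` lines, `target=` overrides, and the per-file ordering under /etc/qubes/policy.d).

```python
"""Toy first-match evaluator for qrexec-style policy lines.

Assumption: this is an illustrative reimplementation written for this thread,
not Qubes' qrexec-policy code. Supported syntax per line:
    <service> <argument> <source> <target> <action>
where <argument> is "*" (any argument) or "+<value>" (exactly that argument),
<source>/<target> are a qube name or "@anyvm", and <action> is allow/deny/ask.
Unsupported real-qrexec features are listed in the lead-in above.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    service: str
    argument: str   # "*" or "+<value>"
    source: str     # qube name or "@anyvm"
    target: str     # qube name or "@anyvm"
    action: str     # "allow", "deny" or "ask"


def parse_policy(text: str) -> List[Rule]:
    """Parse policy text into rules, skipping comments and blank lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}: {raw!r}")
        service, argument, source, target, action = fields
        if argument != "*" and not argument.startswith("+"):
            raise ValueError(f"line {lineno}: argument must be '*' or '+<value>': {raw!r}")
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append(Rule(service, argument, source, target, action))
    return rules


def evaluate(rules: List[Rule], service: str, argument: str, source: str, target: str) -> str:
    """Return the action of the first matching rule; no match means deny.

    Mirrors the qrexec convention that an unmatched call is denied.
    """
    for r in rules:
        if r.service != service:
            continue
        if r.argument != "*" and r.argument != "+" + argument:
            continue
        if r.source not in ("@anyvm", source):
            continue
        if r.target not in ("@anyvm", target):
            continue
        return r.action
    return "deny"


# Constructed policy 1: one line per registered credential, each bound to the
# qube that registered it (key-handle hashes are made up for the example).
PER_KEY_POLICY = """
# constructed example, hypothetical key handles
u2f.Authenticate +a1b2c3 work     sys-usb allow
u2f.Authenticate +d4e5f6 personal sys-usb allow
u2f.Authenticate *       @anyvm   @anyvm  deny
"""

# Constructed policy 2: the wildcard-argument line from the thread, which lets
# 'work' use any credential on the key, not just the one it registered.
WILDCARD_POLICY = """
u2f.Authenticate *       work     sys-usb allow
"""


def compare_policies() -> dict:
    """Evaluate the same three requests under both policies for comparison."""
    per_key = parse_policy(PER_KEY_POLICY)
    wildcard = parse_policy(WILDCARD_POLICY)
    requests = {
        "work_own_key": ("u2f.Authenticate", "a1b2c3", "work", "sys-usb"),
        "work_personal_key": ("u2f.Authenticate", "d4e5f6", "work", "sys-usb"),
        "vault_any_key": ("u2f.Authenticate", "a1b2c3", "vault", "sys-usb"),
    }
    return {
        name: {"per_key": evaluate(per_key, *req), "wildcard": evaluate(wildcard, *req)}
        for name, req in requests.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:20s} per_key={result['per_key']:5s} wildcard={result['wildcard']}")
```

Under the per-key policy, `work` can only use the credential it registered; under the wildcard line, `work` can also exercise the credential registered from `personal`, which is exactly the cross-qube access the argument column is there to prevent.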