U2f-proxy on 4.2

I want to setup u2f-proxy after in-place upgrade to 4.2 but can’t figured it out how to do that and what exactly causing a problem. I have always problems with understanding which services where are necessary but on 4.1 I was able to setup it. Now I have problem that Qubes Global Config tool tells me that I havn’t qubes-u2f service installed in sys-usb. My sys-usb is dvm based on minimal fedora-38. I have installed in the template qubes-usb-proxy, qubes-input-proxy-sender and qubes-u2f that fallback to qubes-ctap. In som0 I have installed qubes-u2f-dom0 which fallback to qubes-ctap-dom0.
I have enabled qubes-u2f-proxy service for each vm I want to use with u2f proxy, and also for sys-usb, but I can’t do

systemctl enable qubes-u2fproxy@sys-usb.service

anywhere.

I am trying to do the same thing, and I was looking forward to a talk on CTAP2 at the QubesOS summit today, but it seems that talk didn’t occur. It seems the documentation (here) is no longer functional on 4.2 and refers only to Qubes 4.1? I also want to know if there is anyone aware how to do this on Qubes 4.2.

I am happy to even write up brief documentation on it if anyone can tell us how it can be set up and used on the new CTAP2 protocol.

It would seem adding the following policy works:


u2f.Register * @anyvm sys-usb allow

u2f.Authenticate * @anyvm sys-usb allow

ctap.GetInfo * @anyvm sys-usb allow

ctap.ClientPin * @anyvm sys-usb allow

If you use a webauthn test site without that you’ll see a bunch of
notifications warning that a policy denial has happened. I worked out
the above by adding things until the denials disappeared.

2 Likes

Thanks @Jarrah ! So you are setting the policy manually then.

I was trying to go through the steps in the new Qubes Global Settings menu that has the U2F options and tells me that I need to install the service in my USB qube. Did you need to correctly set U2F in the menu alongside your policy update?

It is a bug, and fix is not yet merged into stable repo. Qubes R4.2.0-rc2 Qubes OS Global Config tool not see qubes-u2f installed in sys-usb · Issue #8463 · QubesOS/qubes-issues · GitHub

Not working for me. where do you add the policy? I added it to /etc/qubes/policy.d/50-config-u2f.policy.

There was already some stuff there:


# THIS IS AN AUTOMATICALLY GENERATED POLICY FILE.
# Any changes made manually may be overwritten by Qubes Configuration Tools.

policy.RegisterArgument +u2f.Authenticate       sys-net @anyvm  allow target=@adminvm

and I added:

u2f.Register            *       @anyvm  sys-net allow
u2f.Authenticate        *       @anyvm  sys-net allow
ctap.GetInfo            *       @anyvm  sys-net allow
ctap.ClientPin          *       @anyvm  sys-net allow

My sys-usb is sys-net.

Might have something to do with the fact that I have sys-net handling USB and no sys-usb.

user@beto:~$ tail /var/log/qubes/qctap 
2023-12-22 15:23:20,457 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:20,587 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:20,730 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:20,875 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,021 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,145 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,287 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,431 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,572 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,716 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
user@beto:~$ 

Given that the appVM is running a sys-usb specific service:

user@beto:~$ systemctl status qubes-ctapproxy@sys-usb
● qubes-ctapproxy@sys-usb.service - CTAP proxy for sys-usb
     Loaded: loaded (/lib/systemd/system/qubes-ctapproxy@.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-12-22 15:14:30 AEST; 25min ago
   Main PID: 480 (qctap-proxy)
      Tasks: 2 (limit: 1084)
     Memory: 37.7M
        CPU: 6.799s
     CGroup: /system.slice/system-qubes\x2dctapproxy.slice/qubes-ctapproxy@sys-usb.service
             └─480 /usr/bin/python3 /usr/bin/qctap-proxy sys-usb

Seems like a bug.

Related issue:

Try to start the qubes-ctapproxy service for sys-net:

systemctl start qubes-ctapproxy@sys-net
1 Like

… an magically, it now works! Thanks.

This looks promising, but the qubes-ctapproxy service on my sys-usb is not willing to run. It doesn’t give me an error, and lets me start it, but when I check the status, I get the following output:

qubes-ctapproxy.service - Default instance of qubes-ctap-proxy
Loaded: loaded (/usr/lib/systemd/system/qubes-ctapproxy.service; indirect;>
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: inactive (dead)

Any ideas on why that remains “dead”? I don’t have any unusual setup to my knowledge, just trying to get basic u2f proxy through my sys-usb

Did you check the status for sys-usb service?

systemctl status qubes-ctapproxy@sys-usb

Ah! Clearly I don’t understand something about the services. I thought that @sys-usb was denoting where to run the command. But when I ran it exactly as you wrote it in sys-usb terminal (with @sys-usb appended), I get a better response saying it is runnning.

I am not sure why then I can’t seem to use the proxy. I can plug my key into the machine and then attach it directly to the qube I want to use and it will work that way, but isn’t the point of the proxy that I shouldn’t directly connect the key to the AppVM where I want to use it? If I don’t connect it to any VM, then it simply doesn’t work.

Did you install all required packages in dom0 and your template?
Maybe some problem with policy? Check the journalctl in dom0.

I just verified all packages (as far as I know from Global Policy Gonfig Tool guidance) are installed. I had neglected to previously install qubes-u2f on one of my templates I was using.

So, I am now getting errors thrown saying that “u2f.authenticate” and “u2f.register” are denied from sys-usb to sys-usb. This sounds like a policy problem. But, I have copied the same policy as @beto above, and the Qubes Policy editor does not find errors, but still having denial issues. It is notable that the Qubes Global Config Tool does complain it can’t parse my new rules (it failed to create some of them itself so I had to add the last two lines myself), but it does say they are correct.

Just as a note, here is my 50-config-u2f file:

#THIS IS AN AUTOMATICALLY GENERATED POLICY FILE.
#Any changes made manually may be overwritten by Qubes Configuration Tools.

Policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm
u2f.Register * @anyvm sys-usb allow
u2f.Authenticate * @anyvm sys-usb allow
ctap.GetInfo * @anyvm sys-usb allow
ctap.GetClientPin * @anyvm sys-usb allow

Is there anything incorrect there?