U2f-proxy on 4.2

I want to set up u2f-proxy after an in-place upgrade to 4.2 but can’t figure out how to do that and what exactly is causing the problem. I always have problems understanding which services are necessary where, but on 4.1 I was able to set it up. Now I have the problem that the Qubes Global Config tool tells me that I haven’t got the qubes-u2f service installed in sys-usb. My sys-usb is a dvm based on minimal fedora-38. I have installed in the template qubes-usb-proxy, qubes-input-proxy-sender and qubes-u2f, which falls back to qubes-ctap. In dom0 I have installed qubes-u2f-dom0, which falls back to qubes-ctap-dom0.
I have enabled the qubes-u2f-proxy service for each VM I want to use with the u2f proxy, and also for sys-usb, but I can’t run

systemctl enable qubes-u2fproxy@sys-usb.service

anywhere.

I am trying to do the same thing, and I was looking forward to a talk on CTAP2 at the QubesOS summit today, but it seems that talk didn’t occur. It seems the documentation (here) is no longer functional on 4.2 and refers only to Qubes 4.1? I also want to know if anyone is aware of how to do this on Qubes 4.2.

I am happy to even write up brief documentation on it if anyone can tell us how it can be set up and used with the new CTAP2 protocol.

It would seem adding the following policy works:

u2f.Register * @anyvm sys-usb allow
u2f.Authenticate * @anyvm sys-usb allow
ctap.GetInfo * @anyvm sys-usb allow
ctap.ClientPin * @anyvm sys-usb allow

If you use a webauthn test site without that you’ll see a bunch of notifications warning that a policy denial has happened. I worked out the above by adding things until the denials disappeared.


Thanks @Jarrah! So you are setting the policy manually then.

I was trying to go through the steps in the new Qubes Global Settings menu that has the U2F options and tells me that I need to install the service in my USB qube. Did you need to correctly set U2F in the menu alongside your policy update?

It is a bug, and the fix is not yet merged into the stable repo. Qubes R4.2.0-rc2 Qubes OS Global Config tool not see qubes-u2f installed in sys-usb · Issue #8463 · QubesOS/qubes-issues · GitHub

Not working for me. Where do you add the policy? I added it to /etc/qubes/policy.d/50-config-u2f.policy.

There was already some stuff there:
# THIS IS AN AUTOMATICALLY GENERATED POLICY FILE.
# Any changes made manually may be overwritten by Qubes Configuration Tools.

policy.RegisterArgument +u2f.Authenticate       sys-net @anyvm  allow target=@adminvm

and I added:

u2f.Register            *       @anyvm  sys-net allow
u2f.Authenticate        *       @anyvm  sys-net allow
ctap.GetInfo            *       @anyvm  sys-net allow
ctap.ClientPin          *       @anyvm  sys-net allow

My sys-usb is sys-net.

Might have something to do with the fact that I have sys-net handling USB and no sys-usb.

user@beto:~$ tail /var/log/qubes/qctap 
2023-12-22 15:23:20,457 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:20,587 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:20,730 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:20,875 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,021 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,145 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,287 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,431 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,572 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:21,716 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
user@beto:~$ 

Given that the appVM is running a sys-usb specific service:

user@beto:~$ systemctl status qubes-ctapproxy@sys-usb
● qubes-ctapproxy@sys-usb.service - CTAP proxy for sys-usb
     Loaded: loaded (/lib/systemd/system/qubes-ctapproxy@.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-12-22 15:14:30 AEST; 25min ago
   Main PID: 480 (qctap-proxy)
      Tasks: 2 (limit: 1084)
     Memory: 37.7M
        CPU: 6.799s
     CGroup: /system.slice/system-qubes\x2dctapproxy.slice/qubes-ctapproxy@sys-usb.service
             └─480 /usr/bin/python3 /usr/bin/qctap-proxy sys-usb

Seems like a bug.
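The denials quoted in the qctap log above and the "add rules until the denials disappear" approach from earlier in the thread can be turned into a small tool. This is an added example, not code from the thread or from the Qubes project: it parses the `qrexec call was denied: vmname … rpcname …` lines and emits one policy.d rule per distinct service/target pair. The log is written in the qube running `qubes-ctapproxy@<usbvm>`, so `vmname` in the line is the target of the call and the source is the qube the log was read in; the rules here name that qube instead of `@anyvm` so the allow is scoped to the qube that actually needs the key. The sample log lines are constructed after the ones quoted above, and the qube name `work` is an assumption.

```python
import re
from typing import List, NamedTuple

# Constructed sample modelled on the /var/log/qubes/qctap lines quoted above.
# The log is written in the qube running qubes-ctapproxy@<usbvm>, so "vmname"
# is the target of the qrexec call (the USB qube); the caller is the qube
# the log lives in.
SAMPLE_QCTAP_LOG = """\
2023-12-22 15:23:20,457 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:20,587 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname u2f.Register returncode 126
2023-12-22 15:23:22,011 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname ctap.GetInfo returncode 126
2023-12-22 15:23:22,150 CTAPHIDQrexecDevice.qrexec qrexec call was denied: vmname sys-usb rpcname ctap.ClientPin returncode 126
2023-12-22 15:23:23,000 CTAPHIDQrexecDevice.qrexec device attached
"""

DENIAL_RE = re.compile(
    r"qrexec call was denied: vmname (?P<target>\S+) "
    r"rpcname (?P<service>\S+) returncode (?P<rc>\d+)"
)


class Denial(NamedTuple):
    service: str
    target: str
    returncode: int


def parse_denials(log_text: str) -> List[Denial]:
    """Return one Denial per matching log line, in file order; other lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            found.append(Denial(m["service"], m["target"], int(m["rc"])))
    return found


def suggest_rules(denials: List[Denial], client_qube: str) -> List[str]:
    """Emit one policy.d rule (service argument source target action) per
    distinct (service, target) pair that was denied.

    client_qube is the qube whose qctap log was read. Naming it, rather than
    using @anyvm as the rules earlier in the thread do, limits the allow to
    the qube that actually needs the key.
    """
    pairs = sorted({(d.service, d.target) for d in denials})
    return [f"{svc:<20} *  {client_qube}  {tgt}  allow" for svc, tgt in pairs]


if __name__ == "__main__":
    # Assumed qube name; on a real system read /var/log/qubes/qctap in that qube.
    for rule in suggest_rules(parse_denials(SAMPLE_QCTAP_LOG), "work"):
        print(rule)
```

The output only covers services that were actually attempted: a log from a registration attempt will not mention `u2f.Authenticate`, so check the generated rules against the full set used earlier in the thread before writing them to `/etc/qubes/policy.d/`.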

Related issue:

Try to start the qubes-ctapproxy service for sys-net:

systemctl start qubes-ctapproxy@sys-net

… and magically, it now works! Thanks.

This looks promising, but the qubes-ctapproxy service on my sys-usb is not willing to run. It doesn’t give me an error and lets me start it, but when I check the status, I get the following output:

qubes-ctapproxy.service - Default instance of qubes-ctap-proxy
Loaded: loaded (/usr/lib/systemd/system/qubes-ctapproxy.service; indirect;>
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: inactive (dead)

Any ideas on why that remains “dead”? I don’t have any unusual setup to my knowledge; I’m just trying to get the basic u2f proxy through my sys-usb.

Did you check the status for sys-usb service?

systemctl status qubes-ctapproxy@sys-usb

Ah! Clearly I don’t understand something about the services. I thought that @sys-usb was denoting where to run the command. But when I ran it exactly as you wrote it in the sys-usb terminal (with @sys-usb appended), I get a better response saying it is running.

I am not sure why then I can’t seem to use the proxy. I can plug my key into the machine and then attach it directly to the qube I want to use and it will work that way, but isn’t the point of the proxy that I shouldn’t directly connect the key to the AppVM where I want to use it? If I don’t connect it to any VM, then it simply doesn’t work.

Did you install all required packages in dom0 and your template?
Maybe some problem with policy? Check the journalctl in dom0.

I just verified all packages (as far as I know from the Global Policy Config Tool guidance) are installed. I had neglected to previously install qubes-u2f on one of the templates I was using.

So, I am now getting errors saying that “u2f.authenticate” and “u2f.register” are denied from sys-usb to sys-usb. This sounds like a policy problem. But I have copied the same policy as @beto above, and the Qubes Policy editor does not find errors, yet I am still having denial issues. It is notable that the Qubes Global Config Tool does complain it can’t parse my new rules (it failed to create some of them itself, so I had to add the last two lines myself), but it does say they are correct.

Just as a note, here is my 50-config-u2f file:

#THIS IS AN AUTOMATICALLY GENERATED POLICY FILE.
#Any changes made manually may be overwritten by Qubes Configuration Tools.

Policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm
u2f.Register * @anyvm sys-usb allow
u2f.Authenticate * @anyvm sys-usb allow
ctap.GetInfo * @anyvm sys-usb allow
ctap.GetClientPin * @anyvm sys-usb allow

Is there anything incorrect there?
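One way to answer that question mechanically, as an added example that is not from the thread or from the Qubes project: a small Python checker that parses a policy.d file in the five-field format shown above (service, argument, source, target, action) and compares its service names, literally, against the set the working configuration earlier in this thread used (Jarrah’s four u2f/ctap rules plus the policy.RegisterArgument line the Global Config tool writes). It reports the nearest reference name for any service that does not match, any reference service that has no rule at all, and any u2f/ctap rule whose target is not the USB qube (the sys-net case from earlier in the thread). The reference set is an assumption taken from this page, not an authoritative list of Qubes RPC services; the file contents are the ones posted above, embedded as sample input.

```python
import difflib
from typing import Dict, List, NamedTuple

# Service names used by the working configuration earlier in this thread
# (the four u2f/ctap rules) plus the policy.RegisterArgument line that the
# Global Config tool writes. Assumed here as the reference set; it is taken
# from this thread, not from an official list.
REFERENCE_SERVICES = {
    "policy.RegisterArgument",
    "u2f.Register",
    "u2f.Authenticate",
    "ctap.GetInfo",
    "ctap.ClientPin",
}

# The 50-config-u2f.policy contents posted above, embedded as sample input.
POSTED_POLICY = """\
#THIS IS AN AUTOMATICALLY GENERATED POLICY FILE.
#Any changes made manually may be overwritten by Qubes Configuration Tools.

Policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=@adminvm
u2f.Register * @anyvm sys-usb allow
u2f.Authenticate * @anyvm sys-usb allow
ctap.GetInfo * @anyvm sys-usb allow
ctap.GetClientPin * @anyvm sys-usb allow
"""


class Rule(NamedTuple):
    lineno: int
    service: str
    argument: str
    source: str
    target: str
    action: str


def parse_policy(text: str) -> List[Rule]:
    """Parse the whitespace-separated policy.d format:
    service argument source target action [params...]"""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        if not line or line.startswith("!"):   # blank line or a directive such as !include
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 fields, got {len(fields)}")
        rules.append(Rule(lineno, *fields[:5]))
    return rules


def check_policy(text: str, usb_qube: str, reference=REFERENCE_SERVICES) -> Dict[str, list]:
    """Compare a policy file against the reference service names.

    Names are compared literally (the qrexec policy does not fold case), so a
    near miss is reported together with the closest reference name.
    """
    unknown, wrong_target = [], []
    seen = set()
    for r in parse_policy(text):
        seen.add(r.service)
        if r.service not in reference:
            near = difflib.get_close_matches(r.service, reference, n=1, cutoff=0.8)
            unknown.append((r.lineno, r.service, near[0] if near else None))
        elif r.service.startswith(("u2f.", "ctap.")) and r.target != usb_qube:
            # The u2f/ctap calls must land in the qube that holds the USB device.
            wrong_target.append((r.lineno, r.service, r.target))
    return {
        "unknown": unknown,
        "missing": sorted(reference - seen),
        "wrong_target": wrong_target,
    }


if __name__ == "__main__":
    for key, items in check_policy(POSTED_POLICY, "sys-usb").items():
        print(key, items)
```

Run against the file above with `usb_qube="sys-usb"`, the checker reports two names that are only near misses of reference names (on lines 4 and 8 of the file) and, as a consequence, two reference services without any rule; it reports no wrong targets. For a setup where sys-net holds the USB controller, pass `usb_qube="sys-net"` instead, which is the situation corrected earlier in the thread.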

Personally, I can’t do either one of these systemctl examples in dom0:
Unit qubes-ctapproxy@sys-usb.service could not be found.

I’ve got both the U2F & CTAP packages in the template and in dom0 per the Qubes documentation. Also, in Global config → USB devices → USB qube says sys-usb, and “enable the Qubes U2F proxy service, list of qubes that can use the U2F proxy” is checked. Also “enable registering new keys with the U2F proxy service” is checked (all qubes).
Under “allow some qubes access to all your keys stored on U2F device” I added the AppVM.

Tried in the fedora and debian 12 template-based AppVMs/qubes, also in chromium/firefox.

I also get the 100 continuous boxes rolling onto the screen in columns telling me

That service should be running in the qube where you want to use u2f proxy, not in dom0.