1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2022-2023 Vladimir Kondratyev <wulf@FreeBSD.org> 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include "opt_hid.h" 29 30 #include <sys/param.h> 31 #ifdef COMPAT_FREEBSD32 32 #include <sys/abi_compat.h> 33 #endif 34 #include <sys/bus.h> 35 #include <sys/conf.h> 36 #include <sys/fcntl.h> 37 #include <sys/filio.h> 38 #include <sys/ioccom.h> 39 #include <sys/kernel.h> 40 #include <sys/lock.h> 41 #include <sys/malloc.h> 42 #include <sys/module.h> 43 #include <sys/mutex.h> 44 #include <sys/poll.h> 45 #include <sys/priv.h> 46 #include <sys/proc.h> 47 #include <sys/selinfo.h> 48 #include <sys/sysctl.h> 49 #include <sys/systm.h> 50 #include <sys/taskqueue.h> 51 #include <sys/uio.h> 52 53 #include <dev/evdev/input.h> 54 55 #define HID_DEBUG_VAR u2f_debug 56 #include <dev/hid/hid.h> 57 #include <dev/hid/hidbus.h> 58 #include <dev/hid/hidquirk.h> 59 60 #include <dev/usb/usb_ioctl.h> 61 62 #ifdef HID_DEBUG 63 static int u2f_debug = 0; 64 static SYSCTL_NODE(_hw_hid, OID_AUTO, u2f, CTLFLAG_RW, 0, 65 "FIDO/U2F authenticator"); 66 SYSCTL_INT(_hw_hid_u2f, OID_AUTO, debug, CTLFLAG_RWTUN, 67 &u2f_debug, 0, "Debug level"); 68 #endif 69 70 #define U2F_MAX_REPORT_SIZE 64 71 72 /* A match on these entries will load u2f */ 73 static const struct hid_device_id u2f_devs[] = { 74 { HID_BUS(BUS_USB), HID_TLC(HUP_FIDO, HUF_U2FHID) }, 75 }; 76 77 struct u2f_softc { 78 device_t sc_dev; /* base device */ 79 struct cdev *dev; 80 81 struct mtx sc_mtx; /* hidbus private mutex */ 82 struct task sc_kqtask; /* kqueue task */ 83 void *sc_rdesc; 84 hid_size_t sc_rdesc_size; 85 hid_size_t sc_isize; 86 hid_size_t sc_osize; 87 struct selinfo sc_rsel; 88 struct { /* driver state */ 89 bool open:1; /* device is open */ 90 bool aslp:1; /* waiting for device data in read() */ 91 bool sel:1; /* waiting for device data in poll() */ 92 bool data:1; /* input report is stored in sc_buf */ 93 int reserved:28; 94 } sc_state; 95 int sc_fflags; /* access mode for open lifetime */ 96 97 uint8_t sc_buf[U2F_MAX_REPORT_SIZE]; 98 }; 99 100 static d_open_t u2f_open; 101 static d_read_t u2f_read; 102 static d_write_t u2f_write; 103 static d_ioctl_t u2f_ioctl; 104 static d_poll_t u2f_poll; 105 static d_kqfilter_t u2f_kqfilter; 106 107 static d_priv_dtor_t u2f_dtor; 108 109 static struct cdevsw u2f_cdevsw = { 110 .d_version = D_VERSION, 111 .d_open = u2f_open, 112 .d_read = u2f_read, 113 .d_write = u2f_write, 114 .d_ioctl = u2f_ioctl, 115 .d_poll = u2f_poll, 116 .d_kqfilter = u2f_kqfilter, 117 .d_name = "u2f", 118 }; 119 120 static hid_intr_t u2f_intr; 121 122 static device_probe_t u2f_probe; 123 static device_attach_t u2f_attach; 124 static device_detach_t u2f_detach; 125 126 static void u2f_kqtask(void *context, int pending); 127 static int u2f_kqread(struct knote *, long); 128 static void u2f_kqdetach(struct knote *); 129 static void u2f_notify(struct u2f_softc *); 130 131 static struct filterops u2f_filterops_read = { 132 .f_isfd = 1, 133 .f_detach = u2f_kqdetach, 134 .f_event = u2f_kqread, 135 .f_copy = knote_triv_copy, 136 }; 137 138 static int 139 u2f_probe(device_t dev) 140 { 141 int error; 142 143 error = HIDBUS_LOOKUP_DRIVER_INFO(dev, u2f_devs); 144 if (error != 0) 145 return (error); 146 147 hidbus_set_desc(dev, "Authenticator"); 148 149 return (BUS_PROBE_GENERIC); 150 } 151 152 static int 153 u2f_attach(device_t dev) 154 { 155 struct u2f_softc *sc = device_get_softc(dev); 156 struct hid_device_info *hw = __DECONST(struct hid_device_info *, 157 hid_get_device_info(dev)); 158 struct make_dev_args mda; 159 int error; 160 161 sc->sc_dev = dev; 162 163 error = hid_get_report_descr(dev, &sc->sc_rdesc, &sc->sc_rdesc_size); 164 if (error != 0) 165 return (ENXIO); 166 sc->sc_isize = hid_report_size_max(sc->sc_rdesc, sc->sc_rdesc_size, 167 hid_input, NULL); 168 if (sc->sc_isize > U2F_MAX_REPORT_SIZE) { 169 device_printf(dev, "Input report size too large. Truncate.\n"); 170 sc->sc_isize = U2F_MAX_REPORT_SIZE; 171 } 172 sc->sc_osize = hid_report_size_max(sc->sc_rdesc, sc->sc_rdesc_size, 173 hid_output, NULL); 174 if (sc->sc_osize > U2F_MAX_REPORT_SIZE) { 175 device_printf(dev, "Output report size too large. Truncate.\n"); 176 sc->sc_osize = U2F_MAX_REPORT_SIZE; 177 } 178 179 mtx_init(&sc->sc_mtx, "u2f lock", NULL, MTX_DEF); 180 knlist_init_mtx(&sc->sc_rsel.si_note, &sc->sc_mtx); 181 TASK_INIT(&sc->sc_kqtask, 0, u2f_kqtask, sc); 182 183 make_dev_args_init(&mda); 184 mda.mda_flags = MAKEDEV_WAITOK; 185 mda.mda_devsw = &u2f_cdevsw; 186 mda.mda_uid = UID_ROOT; 187 mda.mda_gid = GID_U2F; 188 mda.mda_mode = 0660; 189 mda.mda_si_drv1 = sc; 190 191 error = make_dev_s(&mda, &sc->dev, "u2f/%d", device_get_unit(dev)); 192 if (error) { 193 device_printf(dev, "Can not create character device\n"); 194 u2f_detach(dev); 195 return (error); 196 } 197 #ifndef U2F_DROP_UHID_ALIAS 198 (void)make_dev_alias(sc->dev, "uhid%d", device_get_unit(dev)); 199 #endif 200 201 hid_add_dynamic_quirk(hw, HQ_NO_READAHEAD); 202 203 hidbus_set_lock(dev, &sc->sc_mtx); 204 hidbus_set_intr(dev, u2f_intr, sc); 205 206 return (0); 207 } 208 209 static int 210 u2f_detach(device_t dev) 211 { 212 struct u2f_softc *sc = device_get_softc(dev); 213 214 DPRINTF("sc=%p\n", sc); 215 216 if (sc->dev != NULL) { 217 mtx_lock(&sc->sc_mtx); 218 sc->dev->si_drv1 = NULL; 219 /* Wake everyone */ 220 u2f_notify(sc); 221 mtx_unlock(&sc->sc_mtx); 222 destroy_dev(sc->dev); 223 } 224 225 taskqueue_drain(taskqueue_thread, &sc->sc_kqtask); 226 hid_intr_stop(sc->sc_dev); 227 228 knlist_clear(&sc->sc_rsel.si_note, 0); 229 knlist_destroy(&sc->sc_rsel.si_note); 230 seldrain(&sc->sc_rsel); 231 mtx_destroy(&sc->sc_mtx); 232 233 return (0); 234 } 235 236 void 237 u2f_intr(void *context, void *buf, hid_size_t len) 238 { 239 struct u2f_softc *sc = context; 240 241 mtx_assert(&sc->sc_mtx, MA_OWNED); 242 243 DPRINTFN(5, "len=%d\n", len); 244 DPRINTFN(5, "data = %*D\n", len, buf, " "); 245 246 if (sc->sc_state.data) 247 return; 248 249 if (len > sc->sc_isize) 250 len = sc->sc_isize; 251 252 bcopy(buf, sc->sc_buf, len); 253 254 /* Make sure we don't process old data */ 255 if (len < sc->sc_isize) 256 bzero(sc->sc_buf + len, sc->sc_isize - len); 257 258 sc->sc_state.data = true; 259 260 u2f_notify(sc); 261 } 262 263 static int 264 u2f_open(struct cdev *dev, int flag, int mode, struct thread *td) 265 { 266 struct u2f_softc *sc = dev->si_drv1; 267 int error; 268 269 if (sc == NULL) 270 return (ENXIO); 271 272 DPRINTF("sc=%p\n", sc); 273 274 mtx_lock(&sc->sc_mtx); 275 if (sc->sc_state.open) { 276 mtx_unlock(&sc->sc_mtx); 277 return (EBUSY); 278 } 279 sc->sc_state.open = true; 280 mtx_unlock(&sc->sc_mtx); 281 282 error = devfs_set_cdevpriv(sc, u2f_dtor); 283 if (error != 0) { 284 mtx_lock(&sc->sc_mtx); 285 sc->sc_state.open = false; 286 mtx_unlock(&sc->sc_mtx); 287 return (error); 288 } 289 290 /* Set up interrupt pipe. */ 291 sc->sc_state.data = false; 292 sc->sc_fflags = flag; 293 294 return (0); 295 } 296 297 298 static void 299 u2f_dtor(void *data) 300 { 301 struct u2f_softc *sc = data; 302 303 #ifdef NOT_YET 304 /* Disable interrupts. */ 305 hid_intr_stop(sc->sc_dev); 306 #endif 307 308 mtx_lock(&sc->sc_mtx); 309 sc->sc_state.open = false; 310 mtx_unlock(&sc->sc_mtx); 311 } 312 313 static int 314 u2f_read(struct cdev *dev, struct uio *uio, int flag) 315 { 316 uint8_t buf[U2F_MAX_REPORT_SIZE]; 317 struct u2f_softc *sc = dev->si_drv1; 318 size_t length = 0; 319 int error; 320 321 DPRINTFN(1, "\n"); 322 323 if (sc == NULL) 324 return (EIO); 325 326 if (!sc->sc_state.data) 327 hid_intr_start(sc->sc_dev); 328 329 mtx_lock(&sc->sc_mtx); 330 if (dev->si_drv1 == NULL) { 331 error = EIO; 332 goto exit; 333 } 334 335 while (!sc->sc_state.data) { 336 if (flag & O_NONBLOCK) { 337 error = EWOULDBLOCK; 338 goto exit; 339 } 340 sc->sc_state.aslp = true; 341 DPRINTFN(5, "sleep on %p\n", &sc->sc_buf); 342 error = mtx_sleep(&sc->sc_buf, &sc->sc_mtx, PZERO | PCATCH, 343 "u2frd", 0); 344 DPRINTFN(5, "woke, error=%d\n", error); 345 if (dev->si_drv1 == NULL) 346 error = EIO; 347 if (error) { 348 sc->sc_state.aslp = false; 349 goto exit; 350 } 351 } 352 353 if (sc->sc_state.data && uio->uio_resid > 0) { 354 length = min(uio->uio_resid, sc->sc_isize); 355 memcpy(buf, sc->sc_buf, length); 356 sc->sc_state.data = false; 357 } 358 exit: 359 mtx_unlock(&sc->sc_mtx); 360 if (length != 0) { 361 /* Copy the data to the user process. */ 362 DPRINTFN(5, "got %lu chars\n", (u_long)length); 363 error = uiomove(buf, length, uio); 364 } 365 366 return (error); 367 } 368 369 static int 370 u2f_write(struct cdev *dev, struct uio *uio, int flag) 371 { 372 uint8_t buf[U2F_MAX_REPORT_SIZE]; 373 struct u2f_softc *sc = dev->si_drv1; 374 int error; 375 376 DPRINTFN(1, "\n"); 377 378 if (sc == NULL) 379 return (EIO); 380 381 if (uio->uio_resid != sc->sc_osize) 382 return (EINVAL); 383 error = uiomove(buf, uio->uio_resid, uio); 384 if (error == 0) 385 error = hid_write(sc->sc_dev, buf, sc->sc_osize); 386 387 return (error); 388 } 389 390 #ifdef COMPAT_FREEBSD32 391 static void 392 update_ugd32(const struct usb_gen_descriptor *ugd, 393 struct usb_gen_descriptor32 *ugd32) 394 { 395 /* Don't update hgd_data pointer */ 396 CP(*ugd, *ugd32, ugd_lang_id); 397 CP(*ugd, *ugd32, ugd_maxlen); 398 CP(*ugd, *ugd32, ugd_actlen); 399 CP(*ugd, *ugd32, ugd_offset); 400 CP(*ugd, *ugd32, ugd_config_index); 401 CP(*ugd, *ugd32, ugd_string_index); 402 CP(*ugd, *ugd32, ugd_iface_index); 403 CP(*ugd, *ugd32, ugd_altif_index); 404 CP(*ugd, *ugd32, ugd_endpt_index); 405 CP(*ugd, *ugd32, ugd_report_type); 406 /* Don't update reserved */ 407 } 408 #endif 409 410 static int 411 u2f_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, 412 struct thread *td) 413 { 414 #ifdef COMPAT_FREEBSD32 415 struct usb_gen_descriptor local_ugd; 416 struct usb_gen_descriptor32 *ugd32 = NULL; 417 #endif 418 struct u2f_softc *sc = dev->si_drv1; 419 struct usb_gen_descriptor *ugd = (struct usb_gen_descriptor *)addr; 420 uint32_t size; 421 422 DPRINTFN(2, "cmd=%lx\n", cmd); 423 424 if (sc == NULL) 425 return (EIO); 426 427 #ifdef COMPAT_FREEBSD32 428 switch (cmd) { 429 case USB_GET_REPORT_DESC32: 430 cmd = _IOC_NEWTYPE(cmd, struct usb_gen_descriptor); 431 ugd32 = (struct usb_gen_descriptor32 *)addr; 432 ugd = &local_ugd; 433 PTRIN_CP(*ugd32, *ugd, ugd_data); 434 CP(*ugd32, *ugd, ugd_lang_id); 435 CP(*ugd32, *ugd, ugd_maxlen); 436 CP(*ugd32, *ugd, ugd_actlen); 437 CP(*ugd32, *ugd, ugd_offset); 438 CP(*ugd32, *ugd, ugd_config_index); 439 CP(*ugd32, *ugd, ugd_string_index); 440 CP(*ugd32, *ugd, ugd_iface_index); 441 CP(*ugd32, *ugd, ugd_altif_index); 442 CP(*ugd32, *ugd, ugd_endpt_index); 443 CP(*ugd32, *ugd, ugd_report_type); 444 /* Don't copy reserved */ 445 break; 446 } 447 #endif 448 449 /* fixed-length ioctls handling */ 450 switch (cmd) { 451 case FIONBIO: 452 /* All handled in the upper FS layer. */ 453 return (0); 454 455 case USB_GET_REPORT_DESC: 456 size = MIN(sc->sc_rdesc_size, ugd->ugd_maxlen); 457 ugd->ugd_actlen = size; 458 #ifdef COMPAT_FREEBSD32 459 if (ugd32 != NULL) 460 update_ugd32(ugd, ugd32); 461 #endif 462 if (ugd->ugd_data == NULL) 463 return (0); /* descriptor length only */ 464 465 return (copyout(sc->sc_rdesc, ugd->ugd_data, size)); 466 467 case USB_GET_DEVICEINFO: 468 return(hid_ioctl( 469 sc->sc_dev, USB_GET_DEVICEINFO, (uintptr_t)addr)); 470 } 471 472 return (EINVAL); 473 } 474 475 static int 476 u2f_poll(struct cdev *dev, int events, struct thread *td) 477 { 478 struct u2f_softc *sc = dev->si_drv1; 479 int revents = 0; 480 bool start_intr = false; 481 482 if (sc == NULL) 483 return (POLLHUP); 484 485 if (events & (POLLOUT | POLLWRNORM) && (sc->sc_fflags & FWRITE)) 486 revents |= events & (POLLOUT | POLLWRNORM); 487 if (events & (POLLIN | POLLRDNORM) && (sc->sc_fflags & FREAD)) { 488 mtx_lock(&sc->sc_mtx); 489 if (sc->sc_state.data) 490 revents |= events & (POLLIN | POLLRDNORM); 491 else { 492 sc->sc_state.sel = true; 493 start_intr = true; 494 selrecord(td, &sc->sc_rsel); 495 } 496 mtx_unlock(&sc->sc_mtx); 497 if (start_intr) 498 hid_intr_start(sc->sc_dev); 499 } 500 501 return (revents); 502 } 503 504 static int 505 u2f_kqfilter(struct cdev *dev, struct knote *kn) 506 { 507 struct u2f_softc *sc = dev->si_drv1; 508 509 if (sc == NULL) 510 return (ENXIO); 511 512 switch(kn->kn_filter) { 513 case EVFILT_READ: 514 if (sc->sc_fflags & FREAD) { 515 kn->kn_fop = &u2f_filterops_read; 516 break; 517 } 518 /* FALLTHROUGH */ 519 default: 520 return(EINVAL); 521 } 522 kn->kn_hook = sc; 523 524 knlist_add(&sc->sc_rsel.si_note, kn, 0); 525 return (0); 526 } 527 528 static void 529 u2f_kqtask(void *context, int pending) 530 { 531 struct u2f_softc *sc = context; 532 533 hid_intr_start(sc->sc_dev); 534 } 535 536 static int 537 u2f_kqread(struct knote *kn, long hint) 538 { 539 struct u2f_softc *sc = kn->kn_hook; 540 int ret; 541 542 mtx_assert(&sc->sc_mtx, MA_OWNED); 543 544 if (sc->dev->si_drv1 == NULL) { 545 kn->kn_flags |= EV_EOF; 546 ret = 1; 547 } else { 548 ret = sc->sc_state.data ? 1 : 0; 549 if (!sc->sc_state.data) 550 taskqueue_enqueue(taskqueue_thread, &sc->sc_kqtask); 551 } 552 553 return (ret); 554 } 555 556 static void 557 u2f_kqdetach(struct knote *kn) 558 { 559 struct u2f_softc *sc = kn->kn_hook; 560 561 knlist_remove(&sc->sc_rsel.si_note, kn, 0); 562 } 563 564 static void 565 u2f_notify(struct u2f_softc *sc) 566 { 567 mtx_assert(&sc->sc_mtx, MA_OWNED); 568 569 if (sc->sc_state.aslp) { 570 sc->sc_state.aslp = false; 571 DPRINTFN(5, "waking %p\n", &sc->sc_buf); 572 wakeup(&sc->sc_buf); 573 } 574 if (sc->sc_state.sel) { 575 sc->sc_state.sel = false; 576 selwakeuppri(&sc->sc_rsel, PZERO); 577 } 578 KNOTE_LOCKED(&sc->sc_rsel.si_note, 0); 579 } 580 581 static device_method_t u2f_methods[] = { 582 /* Device interface */ 583 DEVMETHOD(device_probe, u2f_probe), 584 DEVMETHOD(device_attach, u2f_attach), 585 DEVMETHOD(device_detach, u2f_detach), 586 587 DEVMETHOD_END 588 }; 589 590 static driver_t u2f_driver = { 591 #ifdef U2F_DROP_UHID_ALIAS 592 "uf2", 593 #else 594 "uhid", 595 #endif 596 u2f_methods, 597 sizeof(struct u2f_softc) 598 }; 599 600 DRIVER_MODULE(u2f, hidbus, u2f_driver, NULL, NULL); 601 MODULE_DEPEND(u2f, hidbus, 1, 1, 1); 602 MODULE_DEPEND(u2f, hid, 1, 1, 1); 603 MODULE_VERSION(u2f, 1); 604 HID_PNP_INFO(u2f_devs); 605