1 QEMU U2F Key Device Documentation.
12 U2F is an open authentication standard that enables relying parties
13 exposed to the internet to offer a strong second factor option for end
16 The standard brings many advantages to both parties, client and server,
17 allowing to reduce over-reliance on passwords, it increases authentication
18 security and simplifies passwords.
20 The second factor is materialized by a device implementing the U2F
21 protocol. In case of a USB U2F security key, it is a USB HID device
22 that implements the U2F protocol.
24 In Qemu, the USB U2F key device offers a dedicated support of U2F, allowing
25 guest USB FIDO/U2F security keys operating in two possible modes:
26 pass-through and emulated.
28 The pass-through mode consists of passing all requests made from the guest
29 to the physical security key connected to the host machine and vice versa.
30 In addition, the dedicated pass-through allows to have a U2F security key
31 shared on several guests which is not possible with a simple host device
32 assignment pass-through.
34 The emulated mode consists of completely emulating the behavior of an
35 U2F device through software part. Libu2f-emu is used for that.
40 To ensure the build of the u2f-emulated device variant which depends
41 on libu2f-emu: configuring and building:
43 ./configure --enable-u2f && make
48 To work, an emulated U2F device must have four elements:
51 * counter (four bytes value)
52 * 48 bytes of entropy (random bits)
54 To use this type of device, this one has to be configured, and these
55 four elements must be passed one way or another.
57 Assuming that you have a working libu2f-emu installed on the host.
58 There are three possible ways of configurations:
63 Ephemeral is the simplest way to configure, it lets the device generate
64 all the elements it needs for a single use of the lifetime of the device.
66 qemu -usb -device u2f-emulated
68 Setup directory allows to configure the device from a directory containing
70 * certificate.pem: ec x509 certificate
71 * private-key.pem: ec private key
72 * counter: counter value
73 * entropy: 48 bytes of entropy
75 qemu -usb -device u2f-emulated,dir=$dir
77 Manual allows to configure the device more finely by specifying each
78 of the elements necessary for the device:
84 qemu -usb -device u2f-emulated,cert=$DIR1/$FILE1,priv=$DIR2/$FILE2,counter=$DIR3/$FILE3,entropy=$DIR4/$FILE4
89 On the host specify the u2f-passthru device with a suitable hidraw:
91 qemu -usb -device u2f-passthru,hidraw=/dev/hidraw0
96 The u2f-emulated device uses libu2f-emu for the U2F key emulation. Libu2f-emu
97 implements completely the U2F protocol device part for all specified
98 transport given by the FIDO Alliance.
100 For more information about libu2f-emu see this page:
101 https://github.com/MattGorko/libu2f-emu.