1 /*
2 * U2F USB device.
3 *
4 * Copyright (c) 2020 César Belley <cesar.belley@lse.epita.fr>
5 * Written by César Belley <cesar.belley@lse.epita.fr>
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23 * THE SOFTWARE.
24 */
25
26 #include "qemu/osdep.h"
27 #include "qemu/module.h"
28 #include "qapi/error.h"
29 #include "hw/usb.h"
30 #include "hw/usb/hid.h"
31 #include "migration/vmstate.h"
32 #include "desc.h"
33
34 #include "u2f.h"
35
/* U2F key Vendor / Product */
#define U2F_KEY_VENDOR_NUM 0x46f4 /* CRC16() of "QEMU" */
#define U2F_KEY_PRODUCT_NUM 0x0005

/*
 * Indices of the string descriptors in desc_strings.
 * Numbering starts at 1, so slot 0 of the table is never assigned.
 */
enum {
    STR_MANUFACTURER = 1,
    STR_PRODUCT,
    STR_SERIALNUMBER,
    STR_CONFIG,
    STR_INTERFACE
};
47
/* String descriptor table, indexed by the STR_* constants above. */
static const USBDescStrings desc_strings = {
    [STR_MANUFACTURER] = "QEMU",
    [STR_PRODUCT] = "U2F USB key",
    [STR_SERIALNUMBER] = "0",
    [STR_CONFIG] = "U2F key config",
    [STR_INTERFACE] = "U2F key interface"
};
55
/*
 * The single HID interface of the key: one class-specific HID descriptor
 * and two interrupt endpoints (IN 1 and OUT 1), each carrying reports of
 * U2FHID_PACKET_SIZE bytes.
 */
static const USBDescIface desc_iface_u2f_key = {
    .bInterfaceNumber = 0,
    .bNumEndpoints = 2,
    .bInterfaceClass = USB_CLASS_HID,
    .bInterfaceSubClass = 0x0,
    .bInterfaceProtocol = 0x0,
    .ndesc = 1,
    .descs = (USBDescOther[]) {
        {
            /* HID descriptor */
            .data = (uint8_t[]) {
                0x09, /* u8 bLength */
                USB_DT_HID, /* u8 bDescriptorType */
                0x10, 0x01, /* u16 HID_class */
                0x00, /* u8 country_code */
                0x01, /* u8 num_descriptors */
                USB_DT_REPORT, /* u8 type: Report */
                /*
                 * Little-endian report descriptor length (0x22 = 34 bytes).
                 * This must stay equal to sizeof(u2f_key_hid_report_desc),
                 * which is what the GET_DESCRIPTOR handler copies out.
                 */
                0x22, 0, /* u16 len */
            },
        },
    },
    .eps = (USBDescEndpoint[]) {
        {
            /* Interrupt IN endpoint 1: device-to-guest reports */
            .bEndpointAddress = USB_DIR_IN | 0x01,
            .bmAttributes = USB_ENDPOINT_XFER_INT,
            .wMaxPacketSize = U2FHID_PACKET_SIZE,
            .bInterval = 0x05,
        }, {
            /* Interrupt OUT endpoint 1: guest-to-device reports */
            .bEndpointAddress = USB_DIR_OUT | 0x01,
            .bmAttributes = USB_ENDPOINT_XFER_INT,
            .wMaxPacketSize = U2FHID_PACKET_SIZE,
            .bInterval = 0x05,
        },
    },

};
92
/*
 * Device descriptor body: one configuration that exposes the single
 * interface described by desc_iface_u2f_key.
 */
static const USBDescDevice desc_device_u2f_key = {
    .bcdUSB = 0x0100,
    .bMaxPacketSize0 = U2FHID_PACKET_SIZE,
    .bNumConfigurations = 1,
    .confs = (USBDescConfig[]) {
        {
            .bNumInterfaces = 1,
            .bConfigurationValue = 1,
            .iConfiguration = STR_CONFIG,
            .bmAttributes = USB_CFG_ATT_ONE,
            .bMaxPower = 15,
            .nif = 1,
            .ifs = &desc_iface_u2f_key,
        },
    },
};
109
/*
 * Top-level descriptor set installed as the class's usb_desc: vendor and
 * product IDs, the string indices, the device descriptor (registered in the
 * .full slot only) and the string table.
 */
static const USBDesc desc_u2f_key = {
    .id = {
        .idVendor = U2F_KEY_VENDOR_NUM,
        .idProduct = U2F_KEY_PRODUCT_NUM,
        .bcdDevice = 0,
        .iManufacturer = STR_MANUFACTURER,
        .iProduct = STR_PRODUCT,
        .iSerialNumber = STR_SERIALNUMBER,
    },
    .full = &desc_device_u2f_key,
    .str = desc_strings,
};
122
/*
 * HID report descriptor returned for GET_DESCRIPTOR(report).
 * It declares one input and one output report, each made of 0x40 fields of
 * 8 bits, on the FIDO usage page. The array is 34 (0x22) bytes long, which
 * is the length advertised in the HID descriptor of desc_iface_u2f_key;
 * keep the two in sync when editing either.
 */
static const uint8_t u2f_key_hid_report_desc[] = {
    0x06, 0xd0, 0xf1, /* Usage Page (FIDO) */
    0x09, 0x01, /* Usage (FIDO) */
    0xa1, 0x01, /* Collection (HID Application) */
    0x09, 0x20, /* Usage (FIDO data in) */
    0x15, 0x00, /* Logical Minimum (0) */
    0x26, 0xFF, 0x00, /* Logical Maximum (0xff) */
    0x75, 0x08, /* Report Size (8) */
    0x95, 0x40, /* Report Count (0x40) */
    0x81, 0x02, /* Input (Data, Variable, Absolute) */
    0x09, 0x21, /* Usage (FIDO data out) */
    0x15, 0x00, /* Logical Minimum (0) */
    0x26, 0xFF, 0x00, /* Logical Maximum (0xFF) */
    0x75, 0x08, /* Report Size (8) */
    0x95, 0x40, /* Report Count (0x40) */
    0x91, 0x02, /* Output (Data, Variable, Absolute) */
    0xC0 /* End Collection */
};
141
/*
 * Empty the queue of packets waiting to be read by the guest: the read
 * index, the write index and the fill count all go back to zero. The packet
 * storage itself is left untouched.
 */
static void u2f_key_reset(U2FKeyState *key)
{
    key->pending_in_start = key->pending_in_end = key->pending_in_num = 0;
}
148
/* USB reset callback: drops every packet still queued for the guest. */
static void u2f_key_handle_reset(USBDevice *dev)
{
    u2f_key_reset(U2F_KEY(dev));
}
155
/*
 * Control-transfer callback.
 *
 * The generic descriptor code gets the first look at the request. Only what
 * it declines is handled here: GET_DESCRIPTOR for the HID report descriptor
 * (type 0x22), HID_GET_IDLE and HID_SET_IDLE. Anything else stalls the
 * endpoint.
 *
 * request, value, index and length come from the guest's setup packet;
 * data is the buffer for the data stage.
 */
static void u2f_key_handle_control(USBDevice *dev, USBPacket *p,
               int request, int value, int index, int length, uint8_t *data)
{
    U2FKeyState *key = U2F_KEY(dev);

    if (usb_desc_handle_control(dev, p, request, value, index, length,
                                data) >= 0) {
        return;
    }

    if (request == (InterfaceRequest | USB_REQ_GET_DESCRIPTOR)) {
        /* The descriptor type is the high byte of wValue. */
        if ((value >> 8) != 0x22) {
            p->status = USB_RET_STALL;
            return;
        }
        /*
         * NOTE(review): the whole descriptor is copied and `length` is not
         * consulted. This assumes `data` has room for
         * sizeof(u2f_key_hid_report_desc) bytes and that the caller clamps
         * the reply to the length the guest asked for; confirm against the
         * USB core.
         */
        memcpy(data, u2f_key_hid_report_desc,
               sizeof(u2f_key_hid_report_desc));
        p->actual_length = sizeof(u2f_key_hid_report_desc);
    } else if (request == HID_GET_IDLE) {
        data[0] = key->idle;
        p->actual_length = 1;
    } else if (request == HID_SET_IDLE) {
        /* The idle rate is the high byte of wValue. */
        key->idle = (uint8_t)(value >> 8);
    } else {
        p->status = USB_RET_STALL;
    }
}
193
/*
 * Hand one report written by the guest to the backend.
 *
 * The transfer is ignored (no status is set) when the class provides no
 * recv_from_guest hook or when the guest buffer is not exactly
 * U2FHID_PACKET_SIZE bytes. That exact-size test is what keeps the copy into
 * the on-stack report buffer in bounds.
 */
static void u2f_key_recv_from_guest(U2FKeyState *key, USBPacket *p)
{
    U2FKeyClass *klass = U2F_KEY_GET_CLASS(key);
    uint8_t report[U2FHID_PACKET_SIZE];

    if (klass->recv_from_guest == NULL) {
        return;
    }
    if (p->iov.size != U2FHID_PACKET_SIZE) {
        return;
    }

    /* p->iov.size equals U2FHID_PACKET_SIZE from here on. */
    usb_packet_copy(p, report, U2FHID_PACKET_SIZE);
    klass->recv_from_guest(key, report);
}
206
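/*
 * Append one packet to the ring of packets waiting for the guest.
 *
 * The packet is dropped silently when the ring is full. It is also dropped
 * when the write index is outside the ring: pending_in_end is part of the
 * migrated device state (see vmstate_u2f_key), so it is range-checked here
 * before it is used as the destination slot of the memcpy().
 */
static void u2f_pending_in_add(U2FKeyState *key,
                               const uint8_t packet[U2FHID_PACKET_SIZE])
{
    uint8_t index = key->pending_in_end;

    if (key->pending_in_num >= U2FHID_PENDING_IN_NUM ||
        index >= U2FHID_PENDING_IN_NUM) {
        return;
    }

    key->pending_in_end = (index + 1) % U2FHID_PENDING_IN_NUM;
    ++key->pending_in_num;

    memcpy(key->pending_in[index], packet, U2FHID_PACKET_SIZE);
}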
222
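/*
 * Take the oldest packet off the ring of packets waiting for the guest.
 *
 * Returns a pointer into key->pending_in (U2FHID_PACKET_SIZE bytes), or NULL
 * when nothing is queued. The slot is released immediately, so the caller
 * has to consume the data before another packet is queued.
 *
 * NULL is also returned when the read index is outside the ring:
 * pending_in_start is part of the migrated device state (see
 * vmstate_u2f_key), so it is range-checked here rather than trusted as an
 * array index.
 */
static uint8_t *u2f_pending_in_get(U2FKeyState *key)
{
    uint8_t index = key->pending_in_start;

    if (key->pending_in_num == 0 || index >= U2FHID_PENDING_IN_NUM) {
        return NULL;
    }

    key->pending_in_start = (index + 1) % U2FHID_PENDING_IN_NUM;
    --key->pending_in_num;

    return key->pending_in[index];
}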
237
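/*
 * Data-transfer callback for the interrupt endpoints.
 *
 * Only endpoint 1 exists; any other endpoint number stalls. OUT transfers
 * are forwarded to the backend. IN transfers are answered with the oldest
 * queued packet, or NAKed when the queue is empty.
 */
static void u2f_key_handle_data(USBDevice *dev, USBPacket *p)
{
    U2FKeyState *key = U2F_KEY(dev);
    uint8_t *packet_in;

    /* Endpoint number check */
    if (p->ep->nr != 1) {
        p->status = USB_RET_STALL;
        return;
    }

    switch (p->pid) {
    case USB_TOKEN_OUT:
        u2f_key_recv_from_guest(key, p);
        break;
    case USB_TOKEN_IN:
        /*
         * The guest chooses the size of the IN buffer, and a full report is
         * always copied below. Reject a buffer that cannot hold one before
         * handing it to usb_packet_copy(), and do so before dequeuing so
         * that the pending packet is not lost.
         */
        if (p->iov.size < U2FHID_PACKET_SIZE) {
            p->status = USB_RET_BABBLE;
            return;
        }
        packet_in = u2f_pending_in_get(key);
        if (packet_in == NULL) {
            p->status = USB_RET_NAK;
            return;
        }
        usb_packet_copy(p, packet_in, U2FHID_PACKET_SIZE);
        break;
    default:
        p->status = USB_RET_STALL;
        break;
    }
}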
266
/*
 * Queue one packet for the guest and wake the interrupt IN endpoint so the
 * guest polls for it. The wakeup is issued even when the queue was full and
 * the packet was dropped by u2f_pending_in_add().
 */
void u2f_send_to_guest(U2FKeyState *key,
                       const uint8_t packet[U2FHID_PACKET_SIZE])
{
    USBEndpoint *intr_in;

    u2f_pending_in_add(key, packet);

    intr_in = key->ep;
    usb_wakeup(intr_in, 0);
}
273
/* Unrealize callback: runs the subclass's unrealize hook when one is set. */
static void u2f_key_unrealize(USBDevice *dev)
{
    U2FKeyState *key = U2F_KEY(dev);
    U2FKeyClass *klass = U2F_KEY_GET_CLASS(key);

    if (!klass->unrealize) {
        return;
    }
    klass->unrealize(key);
}
283
/*
 * Realize callback: sets up the descriptors, empties the packet queue, runs
 * the subclass's realize hook when one is set, and finally looks up the
 * interrupt IN endpoint used for wakeups.
 *
 * When the subclass hook reports an error, it is propagated through errp and
 * key->ep is left unset.
 */
static void u2f_key_realize(USBDevice *dev, Error **errp)
{
    U2FKeyState *key = U2F_KEY(dev);
    U2FKeyClass *klass = U2F_KEY_GET_CLASS(key);
    Error *err = NULL;

    usb_desc_create_serial(dev);
    usb_desc_init(dev);
    u2f_key_reset(key);

    if (klass->realize) {
        klass->realize(key, &err);
    }
    if (err) {
        error_propagate(errp, err);
        return;
    }

    key->ep = usb_ep_get(dev, USB_TOKEN_IN, 1);
}
303
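/*
 * Validate the ring bookkeeping after it has been loaded from a migration
 * stream. pending_in_start and pending_in_end are used directly as indices
 * into key->pending_in, so a value outside the ring would turn the next
 * queue operation into an out-of-bounds access. Such a stream is rejected.
 */
static int u2f_key_post_load(void *opaque, int version_id)
{
    U2FKeyState *key = opaque;

    if (key->pending_in_start >= U2FHID_PENDING_IN_NUM ||
        key->pending_in_end >= U2FHID_PENDING_IN_NUM ||
        key->pending_in_num > U2FHID_PENDING_IN_NUM) {
        return -EINVAL;
    }

    return 0;
}

/*
 * Migration description of the common key state: the USB device, the idle
 * rate, the pending packet ring and its three bookkeeping bytes.
 */
const VMStateDescription vmstate_u2f_key = {
    .name = "u2f-key",
    .version_id = 1,
    .minimum_version_id = 1,
    .post_load = u2f_key_post_load,
    .fields = (const VMStateField[]) {
        VMSTATE_USB_DEVICE(dev, U2FKeyState),
        VMSTATE_UINT8(idle, U2FKeyState),
        VMSTATE_UINT8_2DARRAY(pending_in, U2FKeyState,
            U2FHID_PENDING_IN_NUM, U2FHID_PACKET_SIZE),
        VMSTATE_UINT8(pending_in_start, U2FKeyState),
        VMSTATE_UINT8(pending_in_end, U2FKeyState),
        VMSTATE_UINT8(pending_in_num, U2FKeyState),
        VMSTATE_END_OF_LIST()
    }
};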
319
/*
 * Class initializer: installs the descriptor set, the USB callbacks defined
 * in this file and the migration description on the class.
 */
static void u2f_key_class_init(ObjectClass *klass, void *data)
{
    USBDeviceClass *usb_class = USB_DEVICE_CLASS(klass);
    DeviceClass *dev_class = DEVICE_CLASS(klass);

    /* Generic device properties */
    dev_class->desc = "QEMU U2F key";
    dev_class->vmsd = &vmstate_u2f_key;

    /* USB identity */
    usb_class->product_desc = "QEMU U2F USB key";
    usb_class->usb_desc = &desc_u2f_key;

    /* USB lifecycle and transfer callbacks */
    usb_class->realize = u2f_key_realize;
    usb_class->unrealize = u2f_key_unrealize;
    usb_class->handle_attach = usb_desc_attach;
    usb_class->handle_reset = u2f_key_handle_reset;
    usb_class->handle_control = u2f_key_handle_control;
    usb_class->handle_data = u2f_key_handle_data;
}
336
/*
 * QOM type description of the U2F key base type. The type is abstract, so
 * it cannot be instantiated directly; its class carries the optional
 * realize, unrealize and recv_from_guest hooks called from this file.
 */
static const TypeInfo u2f_key_info = {
    .name = TYPE_U2F_KEY,
    .parent = TYPE_USB_DEVICE,
    .instance_size = sizeof(U2FKeyState),
    .abstract = true,
    .class_size = sizeof(U2FKeyClass),
    .class_init = u2f_key_class_init,
};
345
/* Registers the abstract U2F key type with the type system. */
static void u2f_key_register_types(void)
{
    type_register_static(&u2f_key_info);
}

/* Hook the registration function into type initialization. */
type_init(u2f_key_register_types)
352