linux-id

command module

v0.1.1 Latest Latest Go to latest Published: May 24, 2024 License: MIT Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/matejsmycka/linux-id

Links

Open Source Insights

README ¶

linux-id

linux-id is FIDO token implementation for Linux that protects the token keys by using your system's TPM. linux-id uses Linux's uhid facility to emulate a USB HID device so that it is properly detected by browsers.

Setup

You can install by running the following commands:

git clone git@github.com:matejsmycka/linux-id.git
cd linux-id

go install

chmod +x install.sh
./install.sh

Or you can download the latest release from the [releases page](

TPM-FIDO

This project is a fork of Psanford's tpm-fido project. However, after a discussion with the author, I have decided to create a new repository to better reflect the changes I have made.

Differences

This project aims to be more accessible to average users.
I have updated old methods according to the latest Go standards.
Old dependencies (e.g. pinetry) were replaced with updated ones.

Future work

Add support for fingerprint and PIN authentication
Add to linux distro package managers

Manual setup

In order to run linux-id you will need permission to access /dev/tpmrm0. On Ubuntu and Arch, you can add your user to the tss group.

Your user also needs permission to access /dev/uhid so that linux-id can appear to be a USB device. I use the following udev rule to set the appropriate uhid permissions:

KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="SOME_UHID_GROUP_MY_USER_BELONGS_TO", MODE="0660"

To ensure the above udev rule gets triggered, I also add the uhid module to /etc/modules-load.d/uhid.conf so that it loads at boot.

To run:

# as a user that has permission to read and write to /dev/tpmrm0:
./linux-id

Note: do not run with sudo or as root, as it will not work.

Implementation details

linux-id uses the TPM 2.0 API. The overall design is as follows:

On registration linux-id generates a new P256 primary key under the Owner hierarchy on the TPM. To ensure that the key is unique per site and registration, linux-id generates a random 20 byte seed for each registration. The primary key template is populated with unique values from a sha256 hkdf of the 20 byte random seed and the application parameter provided by the browser.

A signing child key is then generated from that primary key. The key handle returned to the caller is a concatenation of the child key's public and private key handles and the 20 byte seed.

On an authentication request, linux-id will attempt to load the primary key by initializing the hkdf in the same manner as above. It will then attempt to load the child key from the provided key handle. Any incorrect values or values created by a different TPM will fail to load.

Dependencies

linux-id requires pinentry to be available on the system. If you have gpg installed you most likely already have pinentry. You will need go with version 1.22 or higher (only for compiling).

Contributing

Please feel free to open an issue or PR if you have any suggestions or improvements.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
attestation
fidoauth fidoauth implements the fido1 authentication API	fidoauth implements the fido1 authentication API
fidohid
internal
lencode
memory
pinentry
sitesignatures
statuscode
tpm

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL