Use hidraw interface for OnlyKey App

Hi,

I have been trying for a while to get an app working that requires access to USB HID. I looked into the hot swapping USB feature but it looks like that only supports the USB serial interface. The app I am working with here communicates with USB devices over the USB HID protocol. I also tried specifying usb-vendor and usb-product thinking that may work but everything I have tried results in the same error:

error:udev_watcher.cc(63)] Failed to begin udev enumeration.

That is, except with classic confinement: the app works fine with classic confinement, so I am asking for an exception allowing classic confinement or for auto-connection of the hidraw interface. Or if I have missed something and there is another way to make this work that would be great!

Here is the full snapcraft.yaml

name: onlykey-app
version: '5.2.0'
summary: Setup and configure OnlyKey
description: |
  Use this app to setup and configure OnlyKey for password management and 2-factor authentication.

grade: stable
confinement: classic

parts:
  onlykey-app:
    plugin: dump
    source: OnlyKey_5.2.0_amd64.deb
    source-type: deb
    after:
      - nwjs-support
      - desktop-gtk3
    stage-packages:
      - gir1.2-gnomekeyring-1.0
      - libasound2
      - libgconf-2-4
      - libgl1-mesa-glx
      - libglu1-mesa
      - libgnome-keyring0
      - libcap2
      - libgcrypt20
      - libnotify4
      - libnspr4
      - libnss3
      - libpulse0
      - libxtst6
      - libxss1

apps:
  onlykey-app:
    command: bin/desktop-launch $SNAP/opt/OnlyKey/nw
    desktop: usr/share/applications/OnlyKey.desktop
    environment:
      TMPDIR: $XDG_RUNTIME_DIR
    plugs:
      - hidraw
      - u2f-devices
      - onlykey-usb
      - network
      - x11
      - wayland
      - desktop
      - browser-sandbox
      - browser-support
      - screen-inhibit-control

plugs:
  browser-sandbox:
    interface: browser-support
    allow-sandbox: true
  onlykey-usb:
    interface: hidraw
    usb-vendor: 7504     # decimal; 0x1d50 in hex
    usb-product: 24828   # decimal; 0x60fc in hex
    path: /dev/hidraw-onlykey

These attributes AFAIK are only meaningful for the slot side of things and not the plugs. So for example on an Ubuntu Core device with a gadget snap, you would declare this device in the gadget snap with those attributes. Have you explored using a gadget snap for your application at all?

I did search for examples of gadget snaps but couldn’t find any docs or examples of hidraw gadget snaps so not really sure how to go about this. The goal is to have the app automatically connect to a certain USB device, if this is possible with a gadget snap that would be great, examples would be greatly appreciated.

The easiest way to use a gadget snap is to create an Ubuntu Core image with that gadget snap inside it. There’s some more information here and here. If you need more details on building gadget snaps, the #device category is a better place to ask.

So it sounds to me like this is intended as a desktop application and so Ubuntu Core is not really relevant - for access to this device I notice you already plug u2f-devices - perhaps the existing u2f-devices interface in snapd just needs to be updated to list the OnlyKey device IDs as well?

@alexmurray Thanks, yes adding OnlyKey to this list may be what we need. I have created PR here - https://github.com/snapcore/snapd/pull/7638

If this does not work it sounds like the gadget snap is also not an option and we may have to get an exception for classic confinement or for auto-connection of hidraw interface for the app to work.

@cryptotrust - the PR landed. Can you test and verify it works? You will want to ‘sudo snap refresh core --edge’ on a system that supports snapd reexec (eg, Ubuntu) and verify reexec worked as expected with ‘snap version’.

The good news is that the PR needed to happen anyway so thanks for helping with that. I did ‘sudo snap refresh core --edge’ before generating the snap, here is the snap version:

snap version
snap 2.42+git1515.143caf4~ubuntu16.04.1
snapd 2.42+git1515.143caf4~ubuntu16.04.1
series 16
ubuntu 16.04
kernel 4.15.0-45-generic
host amd64 vmware

The bad news is it doesn’t look like the u2f-devices plug is working. I still get the error ‘[70364:70613:1024/170157.846367:ERROR:udev_watcher.cc(63)] Failed to begin udev enumeration.
[70364:70613:1024/170158.226016:ERROR:udev_watcher.cc(63)] Failed to begin udev enumeration.’

lsusb shows the device has the correct USB VID/PID

lsusb
Bus 001 Device 002: ID 0e0f:000b VMware, Inc.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 020: ID 1d50:60fc OpenMoko, Inc.

Has anyone tested that other U2F devices work or is there a known snap out there that supports U2F I could test to verify that at least works?
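
An added example, not part of any post in this thread: lsusb only confirms the USB IDs, so this sketch maps the decimal usb-vendor/usb-product values from the snapcraft.yaml above to the hidraw nodes the kernel created, by reading HID_ID from sysfs. The function names and the temporary sysfs tree are constructed for illustration; it assumes the kernel's HID_ID layout of BUS:VENDOR:PRODUCT in zero-padded upper-case hex.

```shell
#!/bin/sh
# Added example: find the hidraw node(s) for a USB VID/PID given in decimal,
# as written in snapcraft.yaml. The sysfs root is a parameter so the lookup
# can be exercised offline against a constructed tree.

# to_hex4 DECIMAL -> 4-digit upper-case hex (7504 -> 1D50)
to_hex4() {
    printf '%04X' "$1"
}

# find_hidraw VENDOR_DEC PRODUCT_DEC [SYSFS_ROOT]
# Prints hidrawN for every node whose parent HID device has a matching HID_ID.
find_hidraw() {
    vid=$(to_hex4 "$1")
    pid=$(to_hex4 "$2")
    root=${3:-/sys}
    for dev in "$root"/class/hidraw/hidraw*; do
        uevent="$dev/device/uevent"
        [ -r "$uevent" ] || continue      # also skips the unmatched glob
        # HID_ID looks like 0003:00001D50:000060FC (bus:vendor:product)
        hid_id=$(sed -n 's/^HID_ID=//p' "$uevent")
        case "$hid_id" in
            *:0000"$vid":0000"$pid") basename "$dev" ;;
        esac
    done
}

# sample_node ROOT NAME HID_ID: create one constructed sysfs entry.
sample_node() {
    mkdir -p "$1/class/hidraw/$2/device"
    printf 'DRIVER=hid-generic\nHID_ID=%s\n' "$3" \
        > "$1/class/hidraw/$2/device/uevent"
}

# demo: build a constructed tree with one unrelated device and one device
# carrying the IDs from the thread, then look the latter up.
demo() {
    tmp=$(mktemp -d)
    sample_node "$tmp" hidraw0 '0003:00000E0F:00000003'   # constructed
    sample_node "$tmp" hidraw1 '0003:00001D50:000060FC'   # IDs from lsusb above
    find_hidraw 7504 24828 "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real system, call `find_hidraw 7504 24828` with no third argument and then inspect `ls -l /dev/hidrawN` for each name printed to see which user and group can open the node.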

@alexmurray @jdstrand tested ‘snap install brave’ as brave browser supports U2F. However as I suspected U2F doesn’t work with the brave browser snap either. I then went and installed brave browser using their official install instructions and U2F works. brave does not have the u2f-devices plug though - https://github.com/snapcrafters/brave/blob/master/snap/snapcraft.yaml

Anyone know of a snap that uses the u2f-devices plug?

the chromium snap plugs u2f-devices

@ijohnson I tested the chromium snap out, it works fine with Yubikey. It's not working with OnlyKey though, thinking the chromium snap might not have the newest list of USB devices yet.

Yeah I’m not sure about that, but it seems possible that the issue is no longer with your snap not being able to access the device, but rather that the snap application files need to be updated to recognize your device.

@oSoMoN may be able to provide some assistance for the chromium snap with respect to what devices chromium will understand/work with

It seems to be that the Chromium snap doesn’t have the newest list of USB devices, things like installing Brave/Chromium without snapcraft work fine.

The list of USB devices is defined by the u2f-devices interface, not by the chromium snap.
If connecting chromium to u2f-devices is not enough to make your device recognized and usable, then the interface is probably missing something.

Note that there is already a bug report that tracks additions to the interface, so you might want to comment on the bug with details about your device and the denials you’re getting.