qemu

1
/*
2
 * U2F USB device.
3
 *
4
 * Copyright (c) 2020 César Belley <cesar.belley@lse.epita.fr>
5
 * Written by César Belley <cesar.belley@lse.epita.fr>
6
 *
7
 * Permission is hereby granted, free of charge, to any person obtaining a copy
8
 * of this software and associated documentation files (the "Software"), to deal
9
 * in the Software without restriction, including without limitation the rights
10
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11
 * copies of the Software, and to permit persons to whom the Software is
12
 * furnished to do so, subject to the following conditions:
13
 *
14
 * The above copyright notice and this permission notice shall be included in
15
 * all copies or substantial portions of the Software.
16
 *
17
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23
 * THE SOFTWARE.
24
 */
25

26
#include "qemu/osdep.h"
27
#include "qemu/module.h"
28
#include "qapi/error.h"
29
#include "hw/usb.h"
30
#include "hw/usb/hid.h"
31
#include "migration/vmstate.h"
32
#include "desc.h"
33

34
#include "u2f.h"
35

36
/* U2F key Vendor / Product */
37
#define U2F_KEY_VENDOR_NUM     0x46f4 /* CRC16() of "QEMU" */
38
#define U2F_KEY_PRODUCT_NUM    0x0005
39

40
enum {
41
    STR_MANUFACTURER = 1,
42
    STR_PRODUCT,
43
    STR_SERIALNUMBER,
44
    STR_CONFIG,
45
    STR_INTERFACE
46
};
47

48
static const USBDescStrings desc_strings = {
49
    [STR_MANUFACTURER]     = "QEMU",
50
    [STR_PRODUCT]          = "U2F USB key",
51
    [STR_SERIALNUMBER]     = "0",
52
    [STR_CONFIG]           = "U2F key config",
53
    [STR_INTERFACE]        = "U2F key interface"
54
};
55

56
static const USBDescIface desc_iface_u2f_key = {
57
    .bInterfaceNumber              = 0,
58
    .bNumEndpoints                 = 2,
59
    .bInterfaceClass               = USB_CLASS_HID,
60
    .bInterfaceSubClass            = 0x0,
61
    .bInterfaceProtocol            = 0x0,
62
    .ndesc                         = 1,
63
    .descs = (USBDescOther[]) {
64
        {
65
            /* HID descriptor */
66
            .data = (uint8_t[]) {
67
                0x09,          /*  u8  bLength */
68
                USB_DT_HID,    /*  u8  bDescriptorType */
69
                0x10, 0x01,    /*  u16 HID_class */
70
                0x00,          /*  u8  country_code */
71
                0x01,          /*  u8  num_descriptors */
72
                USB_DT_REPORT, /*  u8  type: Report */
73
                0x22, 0,       /*  u16 len */
74
            },
75
        },
76
    },
77
    .eps = (USBDescEndpoint[]) {
78
        {
79
            .bEndpointAddress      = USB_DIR_IN | 0x01,
80
            .bmAttributes          = USB_ENDPOINT_XFER_INT,
81
            .wMaxPacketSize        = U2FHID_PACKET_SIZE,
82
            .bInterval             = 0x05,
83
        }, {
84
            .bEndpointAddress      = USB_DIR_OUT | 0x01,
85
            .bmAttributes          = USB_ENDPOINT_XFER_INT,
86
            .wMaxPacketSize        = U2FHID_PACKET_SIZE,
87
            .bInterval             = 0x05,
88
        },
89
    },
90

91
};
92

93
static const USBDescDevice desc_device_u2f_key = {
94
    .bcdUSB                        = 0x0100,
95
    .bMaxPacketSize0               = U2FHID_PACKET_SIZE,
96
    .bNumConfigurations            = 1,
97
    .confs = (USBDescConfig[]) {
98
        {
99
            .bNumInterfaces        = 1,
100
            .bConfigurationValue   = 1,
101
            .iConfiguration        = STR_CONFIG,
102
            .bmAttributes          = USB_CFG_ATT_ONE,
103
            .bMaxPower             = 15,
104
            .nif = 1,
105
            .ifs = &desc_iface_u2f_key,
106
        },
107
    },
108
};
109

110
static const USBDesc desc_u2f_key = {
111
    .id = {
112
        .idVendor          = U2F_KEY_VENDOR_NUM,
113
        .idProduct         = U2F_KEY_PRODUCT_NUM,
114
        .bcdDevice         = 0,
115
        .iManufacturer     = STR_MANUFACTURER,
116
        .iProduct          = STR_PRODUCT,
117
        .iSerialNumber     = STR_SERIALNUMBER,
118
    },
119
    .full = &desc_device_u2f_key,
120
    .str  = desc_strings,
121
};
122

123
static const uint8_t u2f_key_hid_report_desc[] = {
124
    0x06, 0xd0, 0xf1, /* Usage Page (FIDO) */
125
    0x09, 0x01,       /* Usage (FIDO) */
126
    0xa1, 0x01,       /* Collection (HID Application) */
127
    0x09, 0x20,       /*    Usage (FIDO data in) */
128
    0x15, 0x00,       /*        Logical Minimum (0) */
129
    0x26, 0xFF, 0x00, /*        Logical Maximum (0xff) */
130
    0x75, 0x08,       /*        Report Size (8) */
131
    0x95, 0x40,       /*        Report Count (0x40) */
132
    0x81, 0x02,       /*        Input (Data, Variable, Absolute) */
133
    0x09, 0x21,       /*    Usage (FIDO data out) */
134
    0x15, 0x00,       /*        Logical Minimum (0) */
135
    0x26, 0xFF, 0x00, /*        Logical Maximum  (0xFF) */
136
    0x75, 0x08,       /*        Report Size (8) */
137
    0x95, 0x40,       /*        Report Count (0x40) */
138
    0x91, 0x02,       /*        Output (Data, Variable, Absolute) */
139
    0xC0              /* End Collection */
140
};
141

142
static void u2f_key_reset(U2FKeyState *key)
143
{
144
    key->pending_in_start = 0;
145
    key->pending_in_end = 0;
146
    key->pending_in_num = 0;
147
}
148

149
static void u2f_key_handle_reset(USBDevice *dev)
150
{
151
    U2FKeyState *key = U2F_KEY(dev);
152

153
    u2f_key_reset(key);
154
}
155

156
static void u2f_key_handle_control(USBDevice *dev, USBPacket *p,
157
               int request, int value, int index, int length, uint8_t *data)
158
{
159
    U2FKeyState *key = U2F_KEY(dev);
160
    int ret;
161

162
    ret = usb_desc_handle_control(dev, p, request, value, index, length, data);
163
    if (ret >= 0) {
164
        return;
165
    }
166

167
    switch (request) {
168
    case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
169
        switch (value >> 8) {
170
        case 0x22:
171
            memcpy(data, u2f_key_hid_report_desc,
172
                   sizeof(u2f_key_hid_report_desc));
173
            p->actual_length = sizeof(u2f_key_hid_report_desc);
174
            break;
175
        default:
176
            goto fail;
177
        }
178
        break;
179
    case HID_GET_IDLE:
180
        data[0] = key->idle;
181
        p->actual_length = 1;
182
        break;
183
    case HID_SET_IDLE:
184
        key->idle = (uint8_t)(value >> 8);
185
        break;
186
    default:
187
    fail:
188
        p->status = USB_RET_STALL;
189
        break;
190
    }
191

192
}
193

194
static void u2f_key_recv_from_guest(U2FKeyState *key, USBPacket *p)
195
{
196
    U2FKeyClass *kc = U2F_KEY_GET_CLASS(key);
197
    uint8_t packet[U2FHID_PACKET_SIZE];
198

199
    if (kc->recv_from_guest == NULL || p->iov.size != U2FHID_PACKET_SIZE) {
200
        return;
201
    }
202

203
    usb_packet_copy(p, packet, p->iov.size);
204
    kc->recv_from_guest(key, packet);
205
}
206

207
static void u2f_pending_in_add(U2FKeyState *key,
208
                               const uint8_t packet[U2FHID_PACKET_SIZE])
209
{
210
    uint8_t index;
211

212
    if (key->pending_in_num >= U2FHID_PENDING_IN_NUM) {
213
        return;
214
    }
215

216
    index = key->pending_in_end;
217
    key->pending_in_end = (index + 1) % U2FHID_PENDING_IN_NUM;
218
    ++key->pending_in_num;
219

220
    memcpy(key->pending_in[index], packet, U2FHID_PACKET_SIZE);
221
}
222

223
static uint8_t *u2f_pending_in_get(U2FKeyState *key)
224
{
225
    uint8_t index;
226

227
    if (key->pending_in_num == 0) {
228
        return NULL;
229
    }
230

231
    index = key->pending_in_start;
232
    key->pending_in_start = (index + 1) % U2FHID_PENDING_IN_NUM;
233
    --key->pending_in_num;
234

235
    return key->pending_in[index];
236
}
237

238
static void u2f_key_handle_data(USBDevice *dev, USBPacket *p)
239
{
240
    U2FKeyState *key = U2F_KEY(dev);
241
    uint8_t *packet_in;
242

243
    /* Endpoint number check */
244
    if (p->ep->nr != 1) {
245
        p->status = USB_RET_STALL;
246
        return;
247
    }
248

249
    switch (p->pid) {
250
    case USB_TOKEN_OUT:
251
        u2f_key_recv_from_guest(key, p);
252
        break;
253
    case USB_TOKEN_IN:
254
        packet_in = u2f_pending_in_get(key);
255
        if (packet_in == NULL) {
256
            p->status = USB_RET_NAK;
257
            return;
258
        }
259
        usb_packet_copy(p, packet_in, U2FHID_PACKET_SIZE);
260
        break;
261
    default:
262
        p->status = USB_RET_STALL;
263
        break;
264
    }
265
}
266

267
void u2f_send_to_guest(U2FKeyState *key,
268
                       const uint8_t packet[U2FHID_PACKET_SIZE])
269
{
270
    u2f_pending_in_add(key, packet);
271
    usb_wakeup(key->ep, 0);
272
}
273

274
static void u2f_key_unrealize(USBDevice *dev)
275
{
276
    U2FKeyState *key = U2F_KEY(dev);
277
    U2FKeyClass *kc = U2F_KEY_GET_CLASS(key);
278

279
    if (kc->unrealize != NULL) {
280
        kc->unrealize(key);
281
    }
282
}
283

284
static void u2f_key_realize(USBDevice *dev, Error **errp)
285
{
286
    U2FKeyState *key = U2F_KEY(dev);
287
    U2FKeyClass *kc = U2F_KEY_GET_CLASS(key);
288
    Error *local_err = NULL;
289

290
    usb_desc_create_serial(dev);
291
    usb_desc_init(dev);
292
    u2f_key_reset(key);
293

294
    if (kc->realize != NULL) {
295
        kc->realize(key, &local_err);
296
        if (local_err != NULL) {
297
            error_propagate(errp, local_err);
298
            return;
299
        }
300
    }
301
    key->ep = usb_ep_get(dev, USB_TOKEN_IN, 1);
302
}
303

304
const VMStateDescription vmstate_u2f_key = {
305
    .name = "u2f-key",
306
    .version_id = 1,
307
    .minimum_version_id = 1,
308
    .fields = (const VMStateField[]) {
309
        VMSTATE_USB_DEVICE(dev, U2FKeyState),
310
        VMSTATE_UINT8(idle, U2FKeyState),
311
        VMSTATE_UINT8_2DARRAY(pending_in, U2FKeyState,
312
            U2FHID_PENDING_IN_NUM, U2FHID_PACKET_SIZE),
313
        VMSTATE_UINT8(pending_in_start, U2FKeyState),
314
        VMSTATE_UINT8(pending_in_end, U2FKeyState),
315
        VMSTATE_UINT8(pending_in_num, U2FKeyState),
316
        VMSTATE_END_OF_LIST()
317
    }
318
};
319

320
static void u2f_key_class_init(ObjectClass *klass, void *data)
321
{
322
    DeviceClass *dc = DEVICE_CLASS(klass);
323
    USBDeviceClass *uc = USB_DEVICE_CLASS(klass);
324

325
    uc->product_desc   = "QEMU U2F USB key";
326
    uc->usb_desc       = &desc_u2f_key;
327
    uc->handle_reset   = u2f_key_handle_reset;
328
    uc->handle_control = u2f_key_handle_control;
329
    uc->handle_data    = u2f_key_handle_data;
330
    uc->handle_attach  = usb_desc_attach;
331
    uc->realize        = u2f_key_realize;
332
    uc->unrealize      = u2f_key_unrealize;
333
    dc->desc           = "QEMU U2F key";
334
    dc->vmsd           = &vmstate_u2f_key;
335
}
336

337
static const TypeInfo u2f_key_info = {
338
    .name          = TYPE_U2F_KEY,
339
    .parent        = TYPE_USB_DEVICE,
340
    .instance_size = sizeof(U2FKeyState),
341
    .abstract      = true,
342
    .class_size    = sizeof(U2FKeyClass),
343
    .class_init    = u2f_key_class_init,
344
};
345

346
static void u2f_key_register_types(void)
347
{
348
    type_register_static(&u2f_key_info);
349
}
350

351
type_init(u2f_key_register_types)
352