Add rules for accessing HID devices with libusb

HID devices can be accessed with libusb or with hidraw. So far, we have mostly been using hidraw and our udev rules only apply to hidraw devices. This patch adds rules for access with libusb as recommended by the hidapi developers: https://github.com/libusb/hidapi/blob/ff67c77daddbd8e61ad3873ac16f8edc005f943f/udev/69-hid.rules
Nitrokey · Jan 13, 2025 · 0f459f5 · 0f459f5
1 parent ef3fef3
commit 0f459f5
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 9 deletions.
diff --git a/41-nitrokey.rules b/41-nitrokey.rules
@@ -9,18 +9,24 @@ ACTION!="add|change", GOTO="u2f_end"
 
 # Nitrokey U2F
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"
 # Nitrokey FIDO U2F
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess"
 # Nitrokey FIDO2
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b1", TAG+="uaccess"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b1", TAG+="uaccess"
 # Nitrokey 3A Mini/3A NFC/3C NFC
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b2", TAG+="uaccess"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b2", TAG+="uaccess"
 # Nitrokey 3A NFC Bootloader/3C NFC Bootloader
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42dd", TAG+="uaccess"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42dd", TAG+="uaccess"
 # Nitrokey 3A Mini Bootloader
 ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42e8", TAG+="uaccess"
 # Nitrokey Passkey
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42f3", TAG+="uaccess"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42f3", TAG+="uaccess"
 # Nitrokey Passkey Bootloader
 ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42f4", TAG+="uaccess"
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Remove symlink rule for the Nitrokey Storage.  Users are advised to use
   label- or UUID-based mounting or setup a a custom rule for their device
   instead.
+- Add rules for accessing HID devices with libusb.
 
 ## [v1.0.0][] (2024-01-29)
 

diff --git a/Makefile b/Makefile
@@ -11,7 +11,7 @@ check:
 .PHONY: fix
 fix:
 	$(RUFF) check --fix
-	$(PYRIGHT) format
+	$(RUFF) format
 
 .PHONY: generate
 generate:

diff --git a/devices.toml b/devices.toml
@@ -2,31 +2,31 @@
 name = "Nitrokey U2F"
 vid = 0x2581
 pid = 0xf1d0
-hidraw = true
+hid = true
 
 [[u2f]]
 name = "Nitrokey FIDO U2F"
 vid = 0x20a0
 pid = 0x4287
-hidraw = true
+hid = true
 
 [[u2f]]
 name = "Nitrokey FIDO2"
 vid = 0x20a0
 pid = 0x42b1
-hidraw = true
+hid = true
 
 [[u2f]]
 name = "Nitrokey 3A Mini/3A NFC/3C NFC"
 vid = 0x20a0
 pid = 0x42b2
-hidraw = true
+hid = true
 
 [[u2f]]
 name = "Nitrokey 3A NFC Bootloader/3C NFC Bootloader"
 vid = 0x20a0
 pid = 0x42dd
-hidraw = true
+hid = true
 
 [[u2f]]
 name = "Nitrokey 3A Mini Bootloader"
@@ -38,7 +38,7 @@ all = true
 name = "Nitrokey Passkey"
 vid = 0x20a0
 pid = 0x42f3
-hidraw = true
+hid = true
 
 [[u2f]]
 name = "Nitrokey Passkey Bootloader"

diff --git a/generate.py b/generate.py
@@ -10,7 +10,7 @@ class Device:
     name: str
     vid: int
     pid: int
-    hidraw: bool = False
+    hid: bool = False
     gnupg: bool = False
     all: bool = False
 
@@ -25,12 +25,13 @@ def generate(self) -> str:
             ("ATTRS{idProduct}", "==", f"{self.pid:04x}"),
         ]
         uaccess = [("TAG", "+=", "uaccess")]
-        if self.hidraw:
+        if self.hid:
             s += generate_rule(
                 [("KERNEL", "==", "hidraw*"), ("SUBSYSTEM", "==", "hidraw")]
                 + attrs_vid_pid
                 + uaccess
             )
+            s += generate_rule([("SUBSYSTEMS", "==", "usb")] + attrs_vid_pid + uaccess)
         if self.gnupg:
             s += generate_rule(
                 attr_vid_pid