
U2Fd : U2FHID Emulation Daemon


U2Fd (Universal Second Factor Daemon) is a daemon emulating a U2FHID interface as defined by the FIDO Alliance FIDO U2F HID Protocol Specification and forwarding the raw U2F APDU it has extracted (as defined by FIDO U2F Raw Message Formats) to the actual U2F implementation.

It is used as part of the Integrated Second Factor Authentication in the Chromebook where the U2F implementation is provided by the on-board security chip firmware.

Data flow

The U2Fd daemon creates a new HID device from userspace using the UHID kernel interface and gets the U2F HID reports from there (as implemented by the UHidDevice class).

The daemon parses the HID reports and reconstructs the U2FHID messages from the succession of frames: one INIT frame followed by CONT frames (as implemented by the U2fHid class). It answers the INIT and LOCK messages as expected by the protocol specification, and when it gets a MSG message containing a U2F APDU as payload, it simply forwards it to the provided TransmitApduCallback function.
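The frame reassembly described above, as an added example that is not U2Fd's own code: a minimal C++ reassembler using the packet layout from the FIDO U2F HID specification, rejecting out-of-order, oversized and cross-channel frames. `FrameAssembler`, `Message` and the `Status` values are hypothetical names, and reporting `kBusy` for a frame from another channel without disturbing the open message is this example's choice.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// U2FHID framing: 64-byte reports; INIT = CID(4) CMD(1) BCNT(2) + 57 data bytes,
// CONT = CID(4) SEQ(1) + 59 data bytes. Bit 7 of byte 4 marks an INIT frame.
constexpr size_t kReport = 64, kInitData = 57, kContData = 59;
constexpr size_t kMaxPayload = kInitData + 128 * kContData;  // SEQ is 0..127

struct Message { uint32_t cid = 0; uint8_t cmd = 0; std::vector<uint8_t> payload; };

// Hypothetical name for this example; not the project's U2fHid class.
class FrameAssembler {
 public:
  enum class Status { kNeedMore, kComplete, kBusy, kBadFrame };

  Status Feed(const uint8_t* r, size_t len) {
    if (len != kReport) return Abort();
    uint32_t cid = uint32_t{r[0]} << 24 | uint32_t{r[1]} << 16 | uint32_t{r[2]} << 8 | r[3];
    // Another channel must not disturb a transaction in progress.
    if (active_ && cid != msg_.cid) return Status::kBusy;
    if (r[4] & 0x80) {  // INIT frame: (re)start a message
      size_t bcnt = size_t{r[5]} << 8 | r[6];
      if (bcnt > kMaxPayload) return Abort();  // length the framing cannot carry
      msg_.cid = cid; msg_.cmd = r[4]; msg_.payload.clear();
      expected_ = bcnt; seq_ = 0; active_ = true;
      return Append(r + 7, kInitData);
    }
    // CONT frame: needs an open message and the next sequence number.
    if (!active_ || r[4] != seq_) return Abort();
    ++seq_;
    return Append(r + 5, kContData);
  }
  const Message& message() const { return msg_; }  // valid after kComplete

 private:
  Status Append(const uint8_t* data, size_t room) {
    size_t n = std::min(room, expected_ - msg_.payload.size());  // drop padding
    msg_.payload.insert(msg_.payload.end(), data, data + n);
    if (msg_.payload.size() < expected_) return Status::kNeedMore;
    active_ = false;
    return Status::kComplete;
  }
  Status Abort() { active_ = false; msg_.payload.clear(); return Status::kBadFrame; }

  Message msg_;
  size_t expected_ = 0;
  uint8_t seq_ = 0;
  bool active_ = false;
};
```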

In this implementation, the U2F APDUs are sent to the cr50 firmware in the TPM security chip, which has an extension to process U2F APDUs sent through a vendor-defined command. The TpmVendorCommandProxy class encapsulates an APDU in the VENDOR_CC_U2F_APDU vendor command and sends it to the trunks daemon using a D-Bus connection. The latter in turn communicates with the physical TPM through the kernel driver exposing /dev/tpm0.

The HID interface created by the U2Fd daemon is used by the usual unmodified security key clients (e.g. the Chrome browser through the permission broker).

Physical Presence

The U2F firmware uses the laptop power button to sense the user's physical presence. To avoid spurious UI actions when the user touches the power button to acknowledge their presence, the daemon scans the U2F requests, and when it sees a physical presence test, it temporarily deactivates forwarding of the next power button press to the UI (by sending a D-Bus message to powerd).


The daemon has 3 interfaces to the outside world:

  • the /dev/uhid kernel node to create/communicate with the HID device.
  • a D-Bus proxy to the trunksd daemon to send TPM messages.
  • a D-Bus proxy to the powerd daemon to send power button overrides.


The implementation can be tested on the laptop by using the HIDTest and U2FTest reference test programs.

HIDTest will also be converted to a unit-test for the U2fHid class.


The FIDO Alliance specifications: