Ubuntu
chromium-browser package

[snap] HyperFIDO Pro U2F security key doesn't work with chromium

Bug #1919268 reported by LG
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snapd
Fix Released
Undecided
Olivier Tilloy
snapd 2.51
chromium-browser (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

HyperFIDO Pro U2F security key doesn't work with Chromium snap, but works with native Chromium.

Tried on Ubuntu 20.10 x64 with Chromium Version 89.0.4389.90 (Official Build) snap (64-bit).
Snap permission "u2f-devices" is allowed. Also tried with "raw-usb".

Steps to reproduce.
1) Insert HyperFIDO Pro U2F security key in USB port.
2) Launch Chromium snap.
3) Go to Settings -> Privacy and security -> Security -> Manage security keys -> Sign-in data
4) Dialog "Security key sign-in data. To continue, insert and touch your security key" appears.

Expected: After touching security key, or unplugging it and plugging it back in, the dialog will disappear and Chromium will show the interface for sign-in data on the key.

Observed: The dialog does not disappear until one clicks the "Cancel" button (which, of course, does not lead to the interface for sign-in data). Log data fom journalctl and dmesg is listed below.

Other notes: The U2F key cannot be used for website authentication either. However, if Chromium is ran natively (rather than via snap), it has no problem communicating with the key. Also, the key can be used by Firefox (native). Thus, the problem does not appear to be with the security key itself.

journalctl:
Mar 15 23:11:03 rnr systemd[1507]: app-chromium_chromium-abfaae28ec4c4a59add9f3f1237c7d53.scope: Succeeded.
Mar 15 23:11:11 rnr audit[79885]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c510:0" pid=79885 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 15 23:11:11 rnr kernel: [drm] Failed to add display topology, DTM TA is not initialized.
Mar 15 23:11:11 rnr kernel: audit: type=1400 audit(1615864271.606:53): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c510:0" pid=79885 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 15 23:13:01 rnr audit[79885]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c510:0" pid=79885 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 15 23:13:01 rnr kernel: audit: type=1400 audit(1615864381.271:54): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c510:0" pid=79885 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

dmesg:
[50172.135959] audit: type=1400 audit(1615864271.606:53): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c510:0" pid=79885 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[50281.798647] audit: type=1400 audit(1615864381.271:54): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c510:0" pid=79885 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Tags: snap
Revision history for this message
Olivier Tilloy (osomon) wrote :

With your key plugged, can you share the corresponding line of the output of `lsusb` ?

According to https://www.hyllusd.de/blog/06/11/2020/hypersecu-hyperfido-pro-mini-security-key-mit-debian-buster-nutzen/, for the HyperFIDO Pro this should be "2ccf:0854", and if this is correct, the product ID needs to be added to https://github.com/snapcore/snapd/blob/master/interfaces/builtin/u2f_devices.go.

Changed in chromium-browser (Ubuntu):
status: New → Incomplete
summary: - HyperFIDO Pro U2F security key doesn't work with Chromium snap
+ [snap] HyperFIDO Pro U2F security key doesn't work with chromium
tags: added: snap
Revision history for this message
LG (baiganiu) wrote :

This is the lsusb output:

Bus 006 Device 002: ID 2ccf:0854 Hypersecu HyperFIDO

Revision history for this message
Olivier Tilloy (osomon) wrote :

Thanks for the confirmation. I have added a snapd task to the bug, because this is where the bug should be fixed.

Changed in chromium-browser (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
Olivier Tilloy (osomon) wrote :

And I submitted a fix to snapd: https://github.com/snapcore/snapd/pull/10080

Olivier Tilloy (osomon)
Changed in snapd:
status: New → In Progress
assignee: nobody → Olivier Tilloy (osomon)
Ian Johnson (anonymouse67)
Changed in snapd:
status: In Progress → Fix Released
milestone: none → 2.51
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.