feat(2fa): Enable 2FA token request proxying

Enables qctap-proxy in chrome VM, using givc to forward requests to
gui VM which owns the authentication tokens.

Author: slakkala

flake.lock

@@ -82,8 +82,7 @@
 
     # A set of useful nix packages and utilities for ghaf
     ghafpkgs = {
-      #url = "github:tiiuae/ghafpkgs?ref=pull/142/head";
-      url = "github:tiiuae/ghafpkgs";
+      url = "github:slakkala/ghafpkgs/qubes-ctap";
       inputs = {
         nixpkgs.follows = "nixpkgs";
         flake-parts.follows = "flake-parts";
@@ -106,7 +105,7 @@
 
     # Ghaf Inter VM communication and control library
     givc = {
-      url = "github:tiiuae/ghaf-givc";
+      url = "github:slakkala/ghaf-givc/dev/ctap";
       inputs = {
         nixpkgs.follows = "nixpkgs";
         flake-parts.follows = "flake-parts";

flake.nix

@@ -35,7 +35,10 @@ in
   config = mkIf cfg.enable {
     # Enable service and package for Yubikey
     services.pcscd.enable = true;
-    environment.systemPackages = [ pkgs.pam_u2f ];
+    environment.systemPackages = [
+      pkgs.pam_u2f
+      pkgs.qubes-ctap
+    ];
 
     security.pam.services = {
       sudo.u2fAuth = true;

modules/common/services/yubikey.nix

@@ -41,6 +41,7 @@ in
       admin = lib.head config.ghaf.givc.adminConfig.addresses;
       tls.enable = config.ghaf.givc.enableTls;
       enableUserTlsAccess = true;
+      enableExecModule = true;
       notifier.enable = true;
       socketProxy =
         lib.optionals (builtins.elem netvmName config.ghaf.common.vms) [
@@ -86,6 +87,9 @@ in
         }
       ];
     };
+    systemd.services.givc-gui-vm = {
+      path = [ pkgs.qubes-ctap ];
+    };
     systemd.services.dbus-proxy-networkmanager = {
       description = "DBus proxy for Network Manager ${guivmName}";
       serviceConfig = {

modules/givc/guivm.nix

@@ -7,9 +7,22 @@
   config,
   ...
 }:
+let
+  qrexec = pkgs.writeShellApplication {
+    name = "qrexec-client-vm";
+    runtimeInputs = [ pkgs.givc-cli ];
+    text = ''
+      	    shift
+      	    exec givc-cli ${config.ghaf.givc.cliArgs} ctap "$@"
+    '';
+  };
+in
 {
   chrome = {
-    packages = lib.optional config.ghaf.development.debug.tools.enable pkgs.alsa-utils;
+    packages = lib.optional config.ghaf.development.debug.tools.enable pkgs.alsa-utils ++ [
+      pkgs.qubes-ctap
+      qrexec
+    ];
     ramMb = 6144;
     cores = 4;
     borderColor = "#9C0000";
@@ -114,6 +127,22 @@
       ]);
     extraModules = [
       {
+        services.udev.extraRules = ''
+          ACTION=="remove", GOTO="qctap_hidraw_end"
+          SUBSYSTEM=="hidraw", MODE="0660", GROUP="users"
+          LABEL="qctap_hidraw_end"
+        '';
+        systemd.services.ctapproxy = {
+          enable = true;
+          description = "CTAP Proxy";
+          serviceConfig = {
+            ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/log/qubes";
+            ExecStart = "${pkgs.qubes-ctap}/bin/qctap-proxy --qrexec ${qrexec}/bin/qrexec-client-vm dummy";
+            Type = "notify";
+            KillMode = "process";
+          };
+          wantedBy = [ "multi-user.target" ];
+        };
         microvm.devices = [ ];
         imports = [
           ../services/wireguard-gui/wireguard-gui.nix