From: Mark Kettenis <mark.kettenis@xs4all.nl>
Subject: Re: another yubikey diff
To: Miod Vallat <miod@online.fr>
Cc: tech@openbsd.org
Date: Fri, 22 Aug 2025 14:43:13 +0200

> Date: Fri, 22 Aug 2025 12:30:15 +0000
> From: Miod Vallat <miod@online.fr>
> 
> The diff below attempts to make the yubikey situation less annoying.
> 
> With this diff, when you connect your yubikey, it will attach as a
> keyboard again, but that keyboard will not get connected to the mux
> automatically, which means that if you press the button, the data will
> get eaten by /dev/null.

I considered doing something similar; so your idea isn't crazy ;).

> Then, if you need to use the button, you can manually connect it to your
> mux by running wsconscfg -k n (where `n' is the wskbd unit number
> corresponding to your yubikey). Elevated privileges might be needed for
> this command to succeed, depending on how you are logged on the system.
> 
> Note that, a side effect of this diff is to impose the same behaviour on
> uthum/ugold devices, but that can be changed if people disagree with
> that policy change.

No opinion about that.  However...

> Index: arch/armv7/exynos/crosec_kbd.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/arch/armv7/exynos/crosec_kbd.c,v
> diff -u -p -r1.5 crosec_kbd.c
> --- arch/armv7/exynos/crosec_kbd.c	23 Jan 2023 09:36:39 -0000	1.5
> +++ arch/armv7/exynos/crosec_kbd.c	22 Aug 2025 12:13:21 -0000
> @@ -144,7 +144,7 @@ cros_ec_init_keyboard(struct cros_ec_sof
>  
>  	wskbd_cnattach(&cros_ec_keyboard_consops, sc, &cros_ec_keyboard_keymapdata);
>  	a.console = 1;
> -
> +	a.connect = 1;
>  	a.keymap = &cros_ec_keyboard_keymapdata;
>  	a.accessops = &cros_ec_keyboard_accessops;
>  	a.accesscookie = sc;
> Index: arch/luna88k/dev/lunaws.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/arch/luna88k/dev/lunaws.c,v
> diff -u -p -r1.16 lunaws.c
> --- arch/luna88k/dev/lunaws.c	8 Mar 2023 04:43:07 -0000	1.16
> +++ arch/luna88k/dev/lunaws.c	22 Aug 2025 12:13:21 -0000
> @@ -187,6 +187,7 @@ wsattach(struct device *parent, struct d
>  	printf("\n");
>  
>  	a.console = (args->hwflags == 1);
> +	a.connect = 1;
>  	a.keymap = &omkbd_keymapdata;
>  	a.accessops = &omkbd_accessops;
>  	a.accesscookie = (void *)sc;
> Index: arch/sparc64/dev/comkbd_ebus.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/arch/sparc64/dev/comkbd_ebus.c,v
> diff -u -p -r1.24 comkbd_ebus.c
> --- arch/sparc64/dev/comkbd_ebus.c	24 Oct 2021 17:05:03 -0000	1.24
> +++ arch/sparc64/dev/comkbd_ebus.c	22 Aug 2025 12:13:21 -0000
> @@ -217,6 +217,7 @@ comkbd_attach(struct device *parent, str
>  	sunkbd_setclick(ss, ss->sc_click);
>  
>  	a.console = console;
> +	a.connect = 1;
>  	if (ISTYPE5(ss->sc_layout)) {
>  		a.keymap = &sunkbd5_keymapdata;
>  #ifndef SUNKBD5_LAYOUT
> Index: arch/sparc64/dev/z8530kbd.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/arch/sparc64/dev/z8530kbd.c,v
> diff -u -p -r1.32 z8530kbd.c
> --- arch/sparc64/dev/z8530kbd.c	13 May 2024 01:15:50 -0000	1.32
> +++ arch/sparc64/dev/z8530kbd.c	22 Aug 2025 12:13:21 -0000
> @@ -372,6 +372,7 @@ zskbd_attach(struct device *parent, stru
>  	sunkbd_setclick(ss, ss->sc_click);
>  
>  	a.console = console;
> +	a.connect = 1;
>  	if (ISTYPE5(ss->sc_layout)) {
>  		a.keymap = &sunkbd5_keymapdata;
>  #ifndef	SUNKBD5_LAYOUT
> Index: dev/adb/akbd.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/adb/akbd.c,v
> diff -u -p -r1.16 akbd.c
> --- dev/adb/akbd.c	21 Oct 2022 22:42:36 -0000	1.16
> +++ dev/adb/akbd.c	22 Aug 2025 12:13:21 -0000
> @@ -248,6 +248,7 @@ akbdattach(struct device *parent, struct
>  		a.console = (++akbd_console_initted == 1);
>  	else
>  		a.console = 0;
> +	a.connect = 1;
>  	a.keymap = &akbd_keymapdata;
>  	a.accessops = &akbd_accessops;
>  	a.accesscookie = sc;
> Index: dev/hid/hidcc.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/hid/hidcc.c,v
> diff -u -p -r1.5 hidcc.c
> --- dev/hid/hidcc.c	14 Nov 2022 00:16:44 -0000	1.5
> +++ dev/hid/hidcc.c	22 Aug 2025 12:13:21 -0000
> @@ -764,6 +764,7 @@ hidcc_attach_wskbd(struct hidcc *sc)
>  	};
>  	struct wskbddev_attach_args a = {
>  		.console	= 0,
> +		.connect	= 1,
>  		.keymap		= &sc->sc_keymap,
>  		.accessops	= &accessops,
>  		.accesscookie	= sc,
> Index: dev/hid/hidkbd.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/hid/hidkbd.c,v
> diff -u -p -r1.15 hidkbd.c
> --- dev/hid/hidkbd.c	21 Oct 2024 19:05:31 -0000	1.15
> +++ dev/hid/hidkbd.c	22 Aug 2025 12:13:21 -0000
> @@ -289,13 +289,15 @@ hidkbd_attach(struct device *self, struc
>  
>  void
>  hidkbd_attach_wskbd(struct hidkbd *kbd, kbd_t layout,
> -    const struct wskbd_accessops *accessops)
> +    const struct wskbd_accessops *accessops, int connect)
>  {
>  	struct wskbddev_attach_args a;
>  
>  	ukbd_keymapdata.layout = layout;
>  
>  	a.console = kbd->sc_console_keyboard;
> +	a.connect = 1;

You probably want to drop this line.

> +	a.connect = connect;
>  	a.keymap = &ukbd_keymapdata;
>  	a.accessops = accessops;
>  	a.accesscookie = kbd->sc_device;
> Index: dev/hid/hidkbdsc.h
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/hid/hidkbdsc.h,v
> diff -u -p -r1.3 hidkbdsc.h
> --- dev/hid/hidkbdsc.h	9 Nov 2022 10:05:18 -0000	1.3
> +++ dev/hid/hidkbdsc.h	22 Aug 2025 12:13:21 -0000
> @@ -103,7 +103,7 @@ struct hidkbd_translation {
>  int	hidkbd_attach(struct device *, struct hidkbd *, int, uint32_t,
>  	    int, void *, int);
>  void	hidkbd_attach_wskbd(struct hidkbd *, kbd_t,
> -	    const struct wskbd_accessops *);
> +	    const struct wskbd_accessops *, int);
>  void	hidkbd_bell(u_int, u_int, u_int, int);
>  void	hidkbd_cngetc(struct hidkbd *, u_int *, int *);
>  int	hidkbd_detach(struct hidkbd *, int);
> Index: dev/hil/hilkbd.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/hil/hilkbd.c,v
> diff -u -p -r1.18 hilkbd.c
> --- dev/hil/hilkbd.c	6 Apr 2022 18:59:28 -0000	1.18
> +++ dev/hil/hilkbd.c	22 Aug 2025 12:13:21 -0000
> @@ -195,6 +195,7 @@ hilkbdattach(struct device *parent, stru
>  		a.console = 0;
>  	else
>  		a.console = hilkbd_is_console(ha->ha_console);
> +	a.connect = 1;
>  	a.keymap = ps2 ? &hilkbd_keymapdata_ps2 : &hilkbd_keymapdata;
>  	a.accessops = &hilkbd_accessops;
>  	a.accesscookie = sc;
> Index: dev/i2c/ikbd.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/i2c/ikbd.c,v
> diff -u -p -r1.3 ikbd.c
> --- dev/i2c/ikbd.c	7 Jan 2025 19:26:14 -0000	1.3
> +++ dev/i2c/ikbd.c	22 Aug 2025 12:13:21 -0000
> @@ -125,7 +125,7 @@ ikbd_attach(struct device *parent, struc
>  		ikbd_enable(sc, 1);
>  	}
>  
> -	hidkbd_attach_wskbd(kbd, KB_US | KB_DEFAULT, &ikbd_accessops);
> +	hidkbd_attach_wskbd(kbd, KB_US | KB_DEFAULT, &ikbd_accessops, 0);

And you need to pass 1 here instead of zero.

>  }
>  
>  int
> Index: dev/pckbc/pckbd.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/pckbc/pckbd.c,v
> diff -u -p -r1.51 pckbd.c
> --- dev/pckbc/pckbd.c	13 Aug 2023 21:54:02 -0000	1.51
> +++ dev/pckbc/pckbd.c	22 Aug 2025 12:13:23 -0000
> @@ -471,9 +471,8 @@ pckbdattach(struct device *parent, struc
>  			       pckbd_input, sc, sc->sc_dev.dv_xname);
>  
>  	a.console = isconsole;
> -
> +	a.connect = 1;
>  	a.keymap = &pckbd_keymapdata;
> -
>  	a.accessops = &pckbd_accessops;
>  	a.accesscookie = sc;
>  
> Index: dev/usb/ukbd.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/usb/ukbd.c,v
> diff -u -p -r1.91 ukbd.c
> --- dev/usb/ukbd.c	14 Aug 2025 14:39:44 -0000	1.91
> +++ dev/usb/ukbd.c	22 Aug 2025 12:13:23 -0000
> @@ -196,14 +196,6 @@ ukbd_match(struct device *parent, void *
>  	int size;
>  	void *desc;
>  
> -	/*
> -	 * Most Yubikey have OTP enabled by default, and the feature
> -	 * is difficult to disable.  Policy decision: Don't attach
> -	 * as a keyboard.
> -	 */
> -	if (uha->uaa->vendor == USB_VENDOR_YUBICO)
> -		return (UMATCH_NONE);
> -
>  	if (UHIDEV_CLAIM_MULTIPLE_REPORTID(uha))
>  		return (UMATCH_NONE);
>  
> @@ -225,6 +217,7 @@ ukbd_attach(struct device *parent, struc
>  	u_int32_t quirks, qflags = 0;
>  	int dlen, repid;
>  	int console = 1;
> +	int connect = 1;
>  	void *desc;
>  	kbd_t layout = (kbd_t)-1;
>  
> @@ -245,7 +238,15 @@ ukbd_attach(struct device *parent, struc
>  	  * Do not allow unwanted devices to claim the console.
>  	  */
>  	if (usb_lookup(ukbd_never_console, uha->uaa->vendor, uha->uaa->product))
> -		console = 0;
> +		console = connect = 0;
> +
> +	/*
> +	 * Most Yubikey have OTP enabled by default, and the feature
> +	 * is difficult to disable.  Policy decision: don't connect
> +	 * automatically to the mux.
> +	 */
> +	if (uha->uaa->vendor == USB_VENDOR_YUBICO)
> +		connect = 0;
>  
>  	quirks = usbd_get_quirks(sc->sc_hdev.sc_udev)->uq_flags;
>  	if (quirks & UQ_SPUR_BUT_UP)
> @@ -334,7 +335,7 @@ ukbd_attach(struct device *parent, struc
>  	usbd_delay_ms(sc->sc_hdev.sc_udev, 400);
>  	ukbd_set_leds(sc, 0);
>  
> -	hidkbd_attach_wskbd(kbd, layout, &ukbd_accessops);
> +	hidkbd_attach_wskbd(kbd, layout, &ukbd_accessops, connect);
>  
>  #ifdef DDB
>  	timeout_set(&sc->sc_ddb, ukbd_db_enter, sc);
> Index: dev/wscons/wskbd.c
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/wscons/wskbd.c,v
> diff -u -p -r1.124 wskbd.c
> --- dev/wscons/wskbd.c	18 Jul 2025 17:34:29 -0000	1.124
> +++ dev/wscons/wskbd.c	22 Aug 2025 12:13:23 -0000
> @@ -405,9 +405,11 @@ wskbd_attach(struct device *parent, stru
>  	sc->sc_base.me_ops = &wskbd_srcops;
>  #endif
>  #if NWSMUX > 0
> -	mux = sc->sc_base.me_dv.dv_cfdata->wskbddevcf_mux;
> -	if (mux >= 0)
> -		wsmux_sc = wsmux_getmux(mux);
> +	if (ap->connect) {
> +		mux = sc->sc_base.me_dv.dv_cfdata->wskbddevcf_mux;
> +		if (mux >= 0)
> +			wsmux_sc = wsmux_getmux(mux);
> +	}
>  #endif	/* NWSMUX > 0 */
>  
>  	if (ap->console) {
> Index: dev/wscons/wskbdvar.h
> ===================================================================
> RCS file: /OpenBSD/src/sys/dev/wscons/wskbdvar.h,v
> diff -u -p -r1.4 wskbdvar.h
> --- dev/wscons/wskbdvar.h	16 Feb 2022 06:23:42 -0000	1.4
> +++ dev/wscons/wskbdvar.h	22 Aug 2025 12:13:23 -0000
> @@ -67,6 +67,7 @@ struct wskbd_consops {
>   */
>  struct wskbddev_attach_args {
>  	int	console;				/* is it console? */
> +	int	connect;				/* connect to mux? */
>  	const struct wskbd_mapdata *keymap;
>  
>  	const struct wskbd_accessops *accessops;        /* access ops */
> 
>