U2F and Firefox on Funtoo

U2F is pretty neat. It can be used locally on a machine for authentication and for two factor authentication on websites. There are even plugins for using it on WordPress powered websites. At the time this article was written, Firefox does not enable U2F by default. Though, that looks to be changing with Firefox 68.

Enable U2F in Firefox

Enabling U2F in Firefox is fairly straightforward. In the URL bar enter: about:config. Then search for u2f. There should be an entry: security.webauth.u2f, set it to true.

Install pam_u2f

However, simply enabling U2F in Firefox is not enough for a U2F device to work. To get everything working, pam_u2f needs to be installed. On Funtoo, this is quite simple:

emerge -av pam_u2f

After installing pam_u2f, Firefox should now be able to query your U2F key.

XDM/SDDM Slow Startup Followup

As reference previously, recently, the XPS 15 9530 had an issue in startup where the login prompt in the shell was available but XDM/SDDM did not start until several key presses later. Waiting for it to start was a futile effort—once waited over 30 minutes to no avail. A full system reinstall did not help either.

Digging into the dmesg output revealed something interesting:

[83.413293] random: crng init done
[83.413299] random: 7 urandom warning(s) missed due to ratelimiting

It was taking over a minute and a half for random to generate enough entropy. And, this was with the keyboard getting mashed! Apparently, this is a relatively common issue to run into.

Since the XPS 15 9530 has a Haswell core CPU with RDRAND instruction support, an easy way around this is to enable “Trust CPU Vendor” in the kernel config:

CONFIG_RANDOM_TRUST_CPU=y

Now, this is not without consequence. There is concern that Intel’s RDRAND implementation was inappropriately influenced by external parties. An alternative workaround is to install haveged. This has its own issues—it is a software solution to inflate entropy. Finally, on the Gentoo forums, the recommendation is to continue to mash the keyboard until userland applications are updated with to more appropriate entropy requirements.

Fix Linux Boot Halting on “Run /init as init process”

In the process of removing the remaining SandForce controller based SSDs from service, the opportunity to completely refresh the Funtoo install on the XPS 15 9530 was taken. Part of this was to try to figure out why recently sddm would not start until a bit of keyboard mashing occurred (literally pushing the enter key a dozen times in a row caused sddm to start, waiting was simply not enough).

The install was fairly painless—most problems tend to be involve getting the proper device drivers compiled into the kernel. Given there was already a known good kernel config, that was used for the building the kernel on the new install. However, on the first boot off of the new SSD, the boot process halted at:

[2.754164] Freeing unused kernel image memory: 1020K
[2.756196] Write protecting the kernel read-only data: 20480k
[2.758698] Freeing unused kernel image memory: 1980K
[2.760892] Freeing unused kernel image memory: 620K
[2.764980] Run /sbin/init as init process

The init system (OpenRC), for some reason, did not actually kick off. Plugging in a USB device confirmed that the kernel itself was still running. Thus, it was not something simple such as the root device being inaccessible (that causes a kernel panic). But, in this state, the system was not usable (no login prompt).

After a bit of sleuthing and stumbling, a solution was found. The following was added to the kernel config:

CONFIG_DEVTMPFS_MOUNT=y

After rebuilding the kernel and rebooting, the system finally booted completely. Still, this is a little unnerving. This machine never needed this setting before. Additionally, I have not needed this setting on any other machine.

Fix Bluetooth Mouse Pairing but not Moving Cursor in Linux

I recently picked up a Logitech M585 to replace my old M577 which was randomly registering multiple clicks for each left click. This was the second button to go bad on that mouse so it was time for an upgrade (the back click action on the mouse wheel had gone out a year back).

While I had no problems pairing the M585 with my laptop running Linux, it was not moving the cursor and mouse clicks were not registering. This is not the first mouse that I’ve had issues with on this laptop, the Microsoft Bluetooth Mobile Mouse 3600 exhibited a similar behavior. Checking the system logs, I found the following clue:

[bluetoothd] input-hog profile accept failed for XX:XX:XX:XX:XX:XX

Where XX:XX:XX:XX:XX:XX is the bluetooth address for the mouse. After some digging, I came across the solution. CONFIG_UHID needs to be set to ‘y’ in the kernel config to enable userspace I/O driver support for the HID subsystem.

CONFIG_UHID=y

After making this change, recompiling the kernel and rebooting the M585 pairs and works properly as a mouse. Additionally, the MS Bluetooth Mobile Mouse 3600 now works properly as well.

-John Havlik

[end of transmission, stay tuned]

U2F and KDE/SDDM on Funtoo

U2F keys, such as the yubico YubiKey are relatively easy and inexpensive way to add two factor authentication to one’s workstation. Adding U2F authentication to local accounts on a linux machine is quite easy. In Gentoo/Funtoo, the pam_u2f ebuild will provide everything you need to get started.

Continue reading