Either the docs for Qubes CTAP proxy are incomplete/wrong or qubes-ctap-proxy doesn't work.

[xyhhx]

Qubes OS release

R4.1.2

Brief summary

I'm following the documentation to set up the CTAP proxy, but they're either incomplete or the proxy isn't working.

I have a non-default USB qube.

Steps to reproduce

(The following steps assume that disp-sys-usb is the USB qube)

1. Follow the steps in the CTAP Proxy documentation, including Advanced usage: per-qube key access and Non-default USB qube name

   1. Install qubes-ctap-dom0 in dom0
   2. Install qubes-ctap in the templates for both the USB qube and the client qube
   3. Clear /etc/qubes-rpc/policy/u2f.Authenticate
   4. Add a custom policy according to the per-qube access section

   policy.RegisterArgument +u2f.Authenticate disp-sys-usb @anyvm allow target=dom0
   

   5. In the client qube's template, disable the default CTAP proxy service and enable one specifying disp-sys-usb

   sudo systemctl disable qubes-ctapproxy
   sudo systemctl enable [email protected]
   

   6. Shutdown templates and restart all relevant qubes
   7. Try adding the hardware key to an account somewhere

Expected behavior

The U2F/CTAP proxy should forward the registration/authentication to disp-sys-usb

Actual behavior

Nothing happens.

More questions:

1. In the Installation section, it says to install qubes-ctap in Fedora and/or Debian templates, then to restart sys-usb and any qubes that use the proxy. Do we install qubes-ctap in the USB qube's template too? It's unclear. If so, do we also have to enable the qubes-ctap-proxy service?

2. The the Advanced usage: per-qube key access section, it says to clear /etc/qubes-rpc/policy/u2f.Authenticate but makes no mention of /etc/qubes-rpc/policy/u2f.Register (which I see on dom0). It also makes no mention of the u2f.Register policy anywhere, including in the advised 30-user-ctapproxy.policy file. Is that intentional?

3. The the Advanced usage: per-qube key access section, the custom policy described for allowing the example twitter qube to access the CTAP token in sys-usb is:

   policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=dom0
   

   Is this correct? This seems to allow to any VM.

4. In the Non-default USB qube name section, the service name is now qubes-ctapproxy whereas earlier the service enabled via qvm-service is qubes-ctap-proxy. This is confusing.

5. In the Non-default USB qube name section, it says

   Do not forget to change the sys-usb qube name in the policy /etc/qubes/policy.d/30-user-ctapproxy.policy.

   But this assumes that you followed the steps in Advanced usage: per-qube key access. If you didn't, presumably you have to edit both u2f.Authenticate and u2f.Register in the default policies? I am once again confused by no mention of u2f.Register

Let me rephrase the previous questions to be more concise:

1. In which qubes and/or templates must we enable qubes-ctap-proxy from Qube Manager?
2. In which qubes and/or templates must we enable the qubes-ctapproxy service (with or without the @USB_QUBE suffix)?
3. How do we handle the u2f.Register policy?
4. For disposable VMs, do we do anything differently?

[xyhhx]

There are another two policy files that aren't mentioned in the docs anywhere:

• /etc/qubes-rpc/policy/ctap.ClientPin
• /etc/qubes-rpc/policy/ctap.GetInfo

[github-actions]

This issue is being closed because:

• This issue is believed to affect only Qubes OS 4.1 (and possibly earlier).
• Qubes OS 4.1 has reached end-of-life (EOL).

If anyone believes that this issue should be reopened, please leave a comment saying so.
(For example, if a bug still affects Qubes OS 4.2, then the comment "Affects 4.2" will suffice.)