Enable USE_PCSC at build time, so libfido2 can use FIDO devices over
PCSC/contactless smartcard readers (e.g. NFC taps via a USB CCID reader),
not just the Linux kernel NFC subsystem or USB HID.

Background
----------

libfido2 has three transports on Linux: USB HID, the kernel NFC subsystem
(NFC_LINUX), and PCSC (USE_PCSC). The PCSC transport is for contactless
readers that the kernel's NFC subsystem doesn't drive directly -- e.g.
PC/SC-class readers like the ACS ACR1252, which are common, inexpensive,
and already fully supported by pcscd/pcsc-lite in Debian.
Upstream's CMakeLists.txt defaults USE_PCSC to ON on the current main
branch, but the maintainers switch it OFF in the CMakeLists.txt shipped in
each release tag just before cutting a release, because they consider it
"experimental" (see upstream discussion:
https://github.com/Yubico/libfido2/discussions/855). Because of that,
every tagged release -- including 1.17.0 -- ships with USE_PCSC OFF by
default, and Debian's debian/rules doesn't override it, so the built
libfido2-1 package has no PCSC support at all (confirmed via ldd: no
libpcsclite linkage). libpcsclite-dev also isn't currently listed in
Build-Depends.
Since Debian already ships pcsc-lite and pcscd, and libpcsclite-dev is
readily available, there's no reason PCSC support can't be built in
alongside the existing USB and kernel-NFC transports.

Evidence it works
-----------------

I built libfido2 from the upstream main branch with -DUSE_PCSC=ON
(pkg_check_modules picks up libpcsclite cleanly, no patches needed to
libfido2 itself), then built libpam-u2f 1.4.0 against it. Tested against
a YubiKey 5-series key resting on an ACS ACR1252 Dual Reader's
contactless (PICC) interface, with no USB connection:
$ fido2-token -L
pcsc://slot0: vendor=0x0000, product=0x0000 (PC/SC ACS ACR1252 Dual
Reader [ACR1252 Dual Reader PICC] 00 00)
$ fido2-token -I pcsc://slot0
[... full CTAP2 getInfo response, including "transport strings: nfc,
usb" ...]
I then used the same setup for real: pam_u2f authenticating `sudo` over
this transport, with the existing U2F credential (originally registered
over USB) working unmodified over PCSC/NFC -- no re-enrollment needed,
no APDU-chaining errors, clean round trip.

Proposed patch
--------------

Attached: a two-line change to debian/control (add libpcsclite-dev to
Build-Depends) and debian/rules (pass -DUSE_PCSC=ON to
dh_auto_configure), diffed against debian/sid HEAD
(56ac1a33ba8953bec4fcc10243c6fb2d8b288c8d).
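For illustration only, not the attached patch itself: the shape of the debian/rules change described above, written as an added example that assumes the package builds with the dh sequencer and CMake (so CMake options are handed to dh_auto_configure after "--"); the real rules file may be laid out differently.

```make
#!/usr/bin/make -f
# Illustrative debian/rules excerpt (added example, not the attached patch).
# Assumption: dh sequencer + CMake backend, so anything after "--" on the
# dh_auto_configure line is passed straight through to cmake.

%:
	dh $@

# Turn the PCSC transport on at configure time; USB HID and kernel NFC
# (NFC_LINUX) keep their upstream defaults and are built alongside it.
override_dh_auto_configure:
	dh_auto_configure -- -DUSE_PCSC=ON
```

The debian/control half of the change is just adding libpcsclite-dev to Build-Depends, so that pkg_check_modules can locate libpcsclite during the build; afterwards `ldd` on the built libfido2 shared object should show libpcsclite linkage where it previously showed none.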