[Spice-devel] Help with SmartCards and XSpice

Alon Levy alon at pobox.com
Tue Aug 5 01:12:14 PDT 2014


On 07/25/2014 12:01 AM, Jeremy White wrote:
>>> I think I have a tentative, but sufficient grasp of how the Smart Card
>>> stuff flows from the client into the server.  It's not quite as clear
>>> how the server bridges it into qemu, but I think I have the gist of it.
>>>
>>> However, that doesn't work for XSpice sessions.
>>
>> I'm not sure why it shouldn't. The qemu portion simply forwards the ccid
>> APDUs from the host. Spice has libcacard which translates the CAC
>> requests into calls against your PKCS #11 token on your client side.
> 
> Alright, my ignorance is showing; perhaps I need to understand the qemu
> path better.
> 
> In what I think of a typical use case, you have a client with a smart
> card reader attached.  Let's say that is a Fedora 20 box.  Then you have
> a host system which runs qemu to start a guest VM; let's say the host
> system is RHEL and the guest VM is Fedora RawHide.
> 
> My understanding is that the client (essentially spice-gtk) interacts
> with the physical hardware, and uses libcacard to put the smartcard data
> onto the Spice smartcard channel.
> 
> This is passed over the spice channel into qemu (running on the host),
> which uses the spice server calls to decode the data, and then it writes
> the data to a virtual character device that appears in the guest as a
> USB CCID device.  RawHide detects that and treats it as a 'real' hardware
> device.
> 
> How am I doing so far?  Is that about right?

Yes. But just note that spice-server doesn't do anything except move
bytes around. The actual protocols involved are:

qemu: ccid protocol: usb smartcard reader
spice-client via libcacard: smartcard

> 
> In the XSpice case, we have no qemu.  Instead, the host system runs Xorg
> against what is a virtual framebuffer, and runs the xf86-video-qxl xorg
> driver.
> 
> In my use case, I've got Xorg running, with spice, and I'm just about to
> launch xdm.  I'd really like to have a smartcard, if available, be part
> of the pam stack prior to launching xdm, so that it can be used by pam.
> 
> Given that, how do you expect the smartcard data to flow into that Xorg
> session?  I imagine that either the qxl driver, or a different utility
> (e.g. vd_agent) would be required in order to relay the smartcard data
> from the channel and into the pam stack.  Is there something I'm missing?

You are fine with only apps using pam_pkcs11 (i.e. anything using pam)
using the smartcard? If so, your direction makes sense. But the protocol
is very low level for that - it passes what the CCID expects to get from
the card. In the guest there is a CCID driver (there are multiple, but
for coolkey I tested pcsclite
http://pcsclite.alioth.debian.org/ccid.html ), which is consumed by
coolkey via winscard.h and uses pcscd.

There are a few things you can do:
1. same components, minus usb bus
nss-libcacard-APDU-[:removed: ccid_device]-[:removed: usb
bus]-[:removed: usb bus driver]-[:new: spiceccid pcsc
module]-pcscd-pam_pkcs11/coolkey
2. new protocol - I guess you ruled that out already.
3. pam module consuming APDUs from card - what you proposed - same as 1
but using a pam module to consume the APDUs.

> 
>>
>>>
>>> It looks to me that this should be possible.  My research suggests
>>> that pam_pkcs11 is pluggable, and that it should be possible to write
>>> a module that would receive the cert information.
>> pam_pkcs11 uses pluggable PKCS #11 modules (which also work in firefox
>> and other NSS applications). You would have to install this module in
>> your guest, however. I think redirecting the CCID USB data would be
>> easier, though.
> 
> Yeah, I saw that ccid was also pluggable, and I begin to see why that
> would be a better layer to plug into.  (Saves me the hassle of parsing
> the cert data, right?)
> 
> 
> Cheers,
> 
> Jeremy
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel



More information about the Spice-devel mailing list