[Spice-devel] Help with SmartCards and XSpice

Jeremy White jwhite at codeweavers.com
Thu Jul 24 14:01:09 PDT 2014


>> I think I have a tentative, but sufficient grasp of how the Smart Card
>> stuff flows from the client into the server.  It's not quite as clear
>> how the server bridges it into qemu, but I think I have the gist of it.
>>
>> However, that doesn't work for XSpice sessions.
>
> I'm not sure why it shouldn't. The qemu portion simply forwards the ccid
> APDUs from the host. Spice has libcacard which translates the CAC
> requests into calls against your PKCS #11 token on your client side.

Alright, my ignorance is showing; perhaps I need to understand the qemu 
path better.

In what I think of as a typical use case, you have a client with a smart 
card reader attached.  Let's say that is a Fedora 20 box.  Then you have 
a host system which runs qemu to start a guest VM; let's say the host 
system is RHEL and the guest VM is Fedora RawHide.

My understanding is that the client (essentially spice-gtk) interacts 
with the physical hardware, and uses libcacard to put the smartcard data 
onto the Spice smartcard channel.

This is passed over the spice channel into qemu (running on the host), 
which uses the spice server calls to decode the data, and then it writes 
the data to a virtual character device that appears in the guest as a 
USB CCID device.  RawHide detects that and treats it as a 'real' hardware 
device.

How am I doing so far?  Is that about right?

In the XSpice case, we have no qemu.  Instead, the host system runs Xorg 
against what is a virtual framebuffer, and runs the xf86-video-qxl xorg 
driver.

In my use case, I've got Xorg running, with spice, and I'm just about to 
launch xdm.  I'd really like to have a smartcard, if available, be part 
of the pam stack prior to launching xdm, so that it can be used by pam.

Given that, how do you expect the smartcard data to flow into that Xorg 
session?  I imagine that either the qxl driver, or a different utility 
(e.g. vd_agent) would be required in order to relay the smartcard data 
from the channel and into the pam stack.  Is there something I'm missing?

>
>>
>> It looks to me that this should be possible.  My research suggests
>> that pam_pkcs11 is pluggable, and that it should be possible to write
>> a module that would receive the cert information.
> pam_pkcs11 uses pluggable PKCS #11 modules (which also work in firefox
> and other NSS applications). You would have to install this module in
> your guest, however. I think redirecting the CCID USB data would be
> easier, though.

Yeah, I saw that ccid was also pluggable, and I begin to see why that 
would be a better layer to plug into.  (Saves me the hassle of parsing 
the cert data, right?)


Cheers,

Jeremy
