[Spice-devel] Virtual Smartcard GPG
roky at openmailbox.org
Wed Apr 29 11:22:59 PDT 2015
On 2015-04-29 11:41, Alon Levy wrote:
> On 04/29/2015 02:20 PM, roky at openmailbox.org wrote:
>> Hi. I am trying to get a virtual smartcard attached to a vm but I want
>> it to use GPG instead of NSS. RedHat focuses on NSS because of PKCS#11
>> requirements and FIPS approval, but for most of the community it's GPG
>> that matters for smartcards.
>>
>> Is it possible to use GPG on the host instead of NSS with virtual
>> smartcards? Please document how or add support for it.
>>
>> Does using a virtual smartcard make the host less secure from a rogue
>> vm?
>> If there are bugs in GPG/NSS backend on the host can they be abused by
>> untrusted code in the vm?
>
> There are two implementations, one is passthrough and another uses a
> virtual card on the client side, both end up using the client NSS APIs
> for access to the hardware card, assuming in your case host=client then
> there is no more or less propensity for abuse than launching any local
> program (with the same credentials as the spice viewer).
>
Does the mode with the virtual card on the client side still require use
of a physical smartcard? I thought it read encryption secrets stored on
the host but presented them to the guest securely in the manner of a
virtual smartcard device.
The host certificates mode implies it.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sub-section-libvirt-dom-xml-devices-smartcard.html
"This mode allows you to provide three NSS certificate names residing in
a database on the host physical machine, rather than requiring a
smartcard to be plugged into the host physical machine. These
certificates can be generated via the command certutil -d /etc/pki/nssdb
-x -t CT,CT,CT -S -s CN=cert1 -n cert1, and the resulting three
certificate names must be supplied as the content of each of three
certificate sub-elements."
It also gave me the idea that changing the path from /etc/pki/nssdb to
gpg's pubkeyring is probable?
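For reference, the libvirt domain XML that the quoted host-certificates mode corresponds to (an added example, not from the thread or the Red Hat documentation). The nicknames cert1..cert3 are assumed to be the ones created with the certutil -S command quoted above; the optional database element defaults to /etc/pki/nssdb and must name an NSS certificate database, because the emulated card reads the certificates through NSS.

```xml
<!-- Added example: <smartcard> device for libvirt's host-certificates mode.
     cert1..cert3 are assumed to be the NSS nicknames created by
     "certutil -d /etc/pki/nssdb -x -t CT,CT,CT -S -s CN=certN -n certN". -->
<devices>
  <smartcard mode='host-certificates'>
    <!-- Exactly three certificate nicknames from the NSS database. -->
    <certificate>cert1</certificate>
    <certificate>cert2</certificate>
    <certificate>cert3</certificate>
    <!-- Optional; defaults to /etc/pki/nssdb. This is the same directory
         given to certutil -d: an NSS database, not a GPG keyring, so
         swapping in ~/.gnupg/pubring.gpg here would not work. -->
    <database>/etc/pki/nssdb</database>
  </smartcard>
</devices>
```

The NSS database and the private keys it holds stay on the host; only the emulated card's responses cross into the guest, so the guest gets signing and decryption operations without ever seeing the key material.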