[Spice-devel] Virtual Smartcard GPG

Alon Levy alon at pobox.com
Thu Apr 30 00:41:03 PDT 2015


On 04/29/2015 09:22 PM, roky at openmailbox.org wrote:
> On 2015-04-29 11:41, Alon Levy wrote:
>> On 04/29/2015 02:20 PM, roky at openmailbox.org wrote:
>>> Hi. I am trying to get a virtual smartcard attached to a vm but I want
>>> it to use GPG instead of NSS. RedHat focuses on NSS because of PKCS#11
>>> requirements and FIPS approval, but for most of the community it's GPG
>>> that matters for smartcards.
>>>
>>> Is it possible to use GPG on the host instead of NSS with virtual
>>> smartcards? Please document how or add support for it.
>>>
>>> Does using a virtual smartcard make the host less secure from a rogue vm?
>>> If there are bugs in GPG/NSS backend on the host can they be abused by
>>> untrusted code in the vm?
>>
>> There are two implementations, one is passthrough and another uses a
>> virtual card on the client side, both end up using the client NSS APIs
>> for access to the hardware card, assuming in your case host=client then
>> there is no more or less propensity for abuse than launching any local
>> program (with the same credentials as the spice viewer).
>>
> 
> Does the mode with the virtual card on the client side still require use
> of a physical smartcard? I thought it read encryption secrets stored on
> the host but presented them to the guest securely in the manner of a
> virtual smartcard device.
> 
> The host certificates mode implies it.
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sub-section-libvirt-dom-xml-devices-smartcard.html
> 
> 
> "This mode allows you to provide three NSS certificate names residing in
> a database on the host physical machine, rather than requiring a
> smartcard to be plugged into the host physical machine. These
> certificates can be generated via the command certutil -d /etc/pki/nssdb
> -x -t CT,CT,CT -S -s CN=cert1 -n cert1, and the resulting three
> certificate names must be supplied as the content of each of three
> certificate sub-elements."

Right, you can also use the virtual card emulation without hardware like
the docs you quoted say.

> 
>  It also gave me the idea that changing the path from /etc/pki/nssdb to
> gpg's pubkeyring is probable?
> 

I don't know anything about that.

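The libvirt domain XML for the host-certificates mode quoted in the thread, shown next to the SPICE passthrough mode, as an added example that is not part of the original messages. The names cert2 and cert3 are assumed by analogy with the cert1 in the quoted certutil command.

```xml
<!-- Alternative A: emulated card backed by three NSS certificates stored
     on the host; no physical smartcard is plugged in.
     cert2 and cert3 are assumed names, created the same way as cert1. -->
<smartcard mode='host-certificates'>
  <certificate>cert1</certificate>
  <certificate>cert2</certificate>
  <certificate>cert3</certificate>
  <!-- Optional; must match the -d directory passed to certutil. -->
  <database>/etc/pki/nssdb</database>
</smartcard>

<!-- Alternative B: passthrough; smartcard requests are tunnelled over the
     SPICE channel and the card is handled on the client side. -->
<smartcard mode='passthrough' type='spicevmc'/>
```

In alternative A the key material sits in the NSS database that the QEMU process opens on the host, so the permissions on that directory determine which host users can reach it.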