[Spice-devel] RFC - Direct smart card support in libcacard/spice-gtk

Robert Relyea rrelyea at redhat.com
Tue Jan 13 09:44:19 PST 2015


On 12/23/2014 12:49 PM, Jeremy White wrote:
>
>
> I am hoping to ask:
>
>   1.  Does this basic approach seem reasonable?
It depends on usage. The main thing to be careful of is card sharing 
between various VMs and hosts. They fall into two categories:

card locking - software like pcsc-lite allows applications to lock the 
card. APDUs are stateful, and if you have two entities* sending APDUs to 
the card at the same time you can run into various issues (like one 
entity switching applets out from under another entity, or the failure 
to complete on global platform secure channel (which requires full 
protocol of APDUs and responses orchestrated together without any 
intervening APDUs)).

card login state - Cards are logged in or not logged in globally. This 
means that if the host or one VM is logged into a card, all of them are.

As long as you are only accessing the card from one VM at a time then 
you are fine.
>
>   2.  Anyone know what the origin of the VCARD_DIRECT code path was?  
> I use it here.  git-blame pins it back to the original libcacard 
> commit; not sure where it came from before then.  I was trying to find 
> an alternate consumer of that code to make sure I was aligned with it.
I think initially we emulated the card on the client side of spice rather 
than in the VM. Upstream preferred it happening in the VM, and that a 
generic smart card protocol should be used.

If you are just using APDUs as your protocol from the VM to the host, 
but are still emulating at the host, then you don't have any of the 
issues in 1 above.
>
> I believe that, with this change, a system that was not otherwise 
> using a smart card could relay that smart card on to a distant Spice 
> server. I'm uncertain what would happen in the case where the smart 
> card was in use by the local system.  That's something I'll need to 
> probe yet.  I imagine that it won't work, but have no real hard 
> evidence for that :-/.
If you aren't emulating, things will seem to work most of the time and 
fail randomly (when applications decide to collide)... and attackers in 
the VM could get access to a logged in smart card without supplying a 
PIN. If you are emulating on the spice side, however, sending raw 
APDUs is just fine.

bob
>
> Cheers,
>
> Jeremy
>
>
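The two sharing hazards described in the reply above (interleaved APDUs and card-global login state), as an added example that is not part of the original message and is not libcacard or pcsc-lite code. The card model, the client ids, the helper names and the PIN are all constructed for illustration; only the status words 0x9000 and 0x6982 are standard ISO 7816 values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy card: selected applet and login flag are global to the card. */
typedef struct { int applet, logged_in, owner; } Card;
enum { HOST = 1, VM = 2, SW_OK = 0x9000, SW_DENIED = 0x6982, BUSY = -1 };

static int busy_for(const Card *c, int who) { return c->owner && c->owner != who; }
/* Exclusive access in the spirit of a pcsc-lite card lock (hypothetical helpers). */
void card_lock(Card *c, int who) { if (!c->owner) c->owner = who; }
void card_unlock(Card *c, int who) { if (c->owner == who) c->owner = 0; }
int card_select(Card *c, int who, int applet) {
    if (busy_for(c, who)) return BUSY;
    c->applet = applet;
    return SW_OK;
}
int card_verify_pin(Card *c, int who, const char *pin) {
    if (busy_for(c, who)) return BUSY;
    c->logged_in = strcmp(pin, "1234") == 0;          /* constructed PIN */
    return c->logged_in ? SW_OK : SW_DENIED;
}
/* PIN-protected operation; *served_by reports which applet handled it. */
int card_sign(Card *c, int who, int *served_by) {
    if (busy_for(c, who)) return BUSY;
    if (c->logged_in) *served_by = c->applet;
    return c->logged_in ? SW_OK : SW_DENIED;
}

/* Host runs SELECT 1, VERIFY, SIGN while the VM slips in SELECT 2; afterwards
   the VM tries SIGN without a PIN. Returns the applet that served the host. */
int replay(int use_lock, int *vm_select, int *vm_sign) {
    Card c = {0, 0, 0};
    int served = 0, unused = 0;
    if (use_lock) card_lock(&c, HOST);
    card_select(&c, HOST, 1);
    card_verify_pin(&c, HOST, "1234");
    *vm_select = card_select(&c, VM, 2);              /* intervening APDU */
    card_sign(&c, HOST, &served);
    card_unlock(&c, HOST);
    *vm_sign = card_sign(&c, VM, &unused);            /* no PIN supplied */
    return served;
}
int main(void) {
    for (int lock = 0; lock <= 1; lock++) {
        int sel, sig, served = replay(lock, &sel, &sig);
        printf("lock=%d: host SIGN served by applet %d, VM SELECT %s, VM SIGN %s\n", lock,
               served, sel == BUSY ? "blocked" : "accepted", sig == SW_OK ? "ok" : "denied");
    }
}
```

In this model the lock stops the applet from being switched mid-sequence, but the VM's SIGN without a PIN still succeeds once the host releases the card, because the login flag lives on the card and not with the client.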