Bug 1205171

Summary: smartcard cannot work after restart guest
Product: Red Hat Enterprise Linux 6
Reporter: zhoujunqin <juzhou>
Component: spice-gtk
Assignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
Status: CLOSED ERRATA
QA Contact: SPICE QE bug list <spice-qe-bugs>
Severity: medium
Priority: medium
Version: 6.7
CC: cfergeau, dblechte, djasa, fidencio, jherrman, marcandre.lureau, mzhan, rbalakri, tpelka, tzheng, xiaodwan
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spice-gtk-0.26-4.el6
Doc Type: Bug Fix
Doc Text:
When using an emulated smart card on a virtual machine, the smart card was not properly re-initialized after disconnecting and reconnecting the guest. As a consequence, the smart card became unusable. With this update, the smart card state is set properly after reconnecting the guest, and no longer becomes unusable after the operation.
Clone Of:
: 1205548
Last Closed: 2015-07-22 06:32:22 UTC
Type: Bug
Bug Blocks: 1205548
Attachments (description, flags):
- After restart guest (flags: none)
- rerun step4.4 (flags: none)
- debug info for step4.4 and restart guest (flags: none)

Description zhoujunqin 2015-03-24 11:39:49 UTC
Description of problem:
When using virt-viewer to connect to a guest with smartcard passthrough with the options "reconnect" and "wait", the smartcard does not work after rebooting the guest.

Version-Release number of selected component (if applicable):

virt-viewer-2.0-3.el6.x86_64
spice-server-0.12.4-12.el6.x86_64
gtk-vnc-0.4.2-5.el6.x86_64
gvnc-0.4.2-5.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepared a rhel6 guest with smartcard passthrough and have spice graphics:

...
    <smartcard mode='passthrough' type='spicevmc'>
      <alias name='smartcard0'/>
      <address type='ccid' controller='0' slot='0'/>
    </smartcard>
...
    <graphics type='spice' port='5900' autoport='yes'/>
...

2. On both your host and guest:
 # yum groupinstall "smart card support"
 # yum remove '*openct*'
 # service pcscd start

3. Run on guest:

3.1 get root CA certificate and install it. For the setup above and Firefox, it can be obtained by following this procedure, but YMMV:
navigate to https://aakkiang-csvm1.idmqe.lab.eng.bos.redhat.com:9444/ca/ee/ca/ and choose "Retrieval" tab, and click "Import CA Certificate Chain" in the left list
Choose "Import the CA certificate chain into your browser" and click submit button
A "Downloading Certificate" dialog will come out, then click "View".
Choose "Details" tab, and click "Export..."
 Choose PEM format, append .pem extension to the file name
 copy the file to the /etc/pam_pkcs11/cacerts directory (you need to create it manually)
 restore selinux context of the certificate and directories: 
# restorecon -FvvR /etc/pam_pkcs11
  install the certificate: 
# certutil -A -d /etc/pki/nssdb -n "<your name for the CA>" -t "CT,C,C" -i /etc/pam_pkcs11/cacerts/<ca_file>.pem

3.2 In console, run #pklogin_finder debug, your UID should be the username you filled and the certificate should be verified

3.3. Add a user with same name as your smartcard.
3.4  Click System->Administration->Authentication->Advanced options->Check enable Smart card support. DO NOT check "Required smart card for login"

4. In your host run:
4.1 use virt-viewer to open guest

  #virt-viewer $guest --spice-smartcard

4.2 Check that pklogin_finder can read the smartcard.

   #pklogin_finder debug

4.3 Switch user in the guest to the newly created user, select Smartcard Authentication, and input the smartcard PIN.

4.4 Close virt-viewer, then re-run virt-viewer on the client:

#virt-viewer --spice-smartcard --reconnect --wait --connect qemu:///system $guest

4.5 In another console, use virsh to restart the guest:

#virsh destroy $guest; virsh start $guest

4.6 Check that the smartcard works after the guest restarts.


Actual results:
1. After step 4.3 and step 4.4, gdm should recognize the card, prompt for the PIN and, upon entering the correct PIN, the user on the smartcard should be logged in.

2. But after restarting the guest (step 4.6), the smartcard cannot be used in the guest, as shown in the screenshot.

Expected results:
With reconnect and wait, the smartcard should keep working when the guest restarts.

Additional info:
1. After step 4.7, using Ctrl+C to exit step 4.4 and rerunning step 4.4, the smartcard works again, as shown in screenshot-1.

2. I will attach debug info.

Comment 1 zhoujunqin 2015-03-24 11:42:26 UTC
Created attachment 1005803
After restart guest

Comment 2 zhoujunqin 2015-03-24 11:43:02 UTC
Created attachment 1005804
rerun step4.4

Comment 3 zhoujunqin 2015-03-24 11:45:16 UTC
Created attachment 1005805
debug info for step4.4 and restart guest

Comment 6 Marc-Andre Lureau 2015-03-24 17:39:13 UTC
With spice-gtk git, I can reproduce the issue.

Furthermore, when removing the card, I get a crash:

(virt-viewer:6176): GSpice-DEBUG: smartcard-manager.c:292 smartcard: card-removed

(virt-viewer:6176): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SpiceSmartcardChannel'

(virt-viewer:6176): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SpiceChannel'

(virt-viewer:6176): GSpice-CRITICAL **: spice_msg_out_new: assertion 'c != NULL' failed

Program received signal SIGSEGV, Segmentation fault.
send_msg_generic_with_data (channel=0xa61470, reader=<optimized out>, msg_type=VSC_CardRemove, data=0x0, data_len=0, serialize_msg=1) at channel-smartcard.c:372
372	    msg_out->marshallers->msgc_smartcard_header(msg_out->marshaller, &header);
(gdb) bt
#0  0x00007ffff50252db in send_msg_generic_with_data (channel=0xa61470, reader=<optimized out>, msg_type=VSC_CardRemove, data=0x0, data_len=0, serialize_msg=1) at channel-smartcard.c:372
#4  0x00007ffff079d34f in <emit signal ??? on instance 0x8dc990 [SpiceSmartcardManager]> (instance=<optimized out>, signal_id=signal_id@entry=255, detail=detail@entry=0) at gsignal.c:3365
    #1  0x00007ffff0782c55 in g_closure_invoke (closure=0x8fb280, return_value=return_value@entry=0x0, n_param_values=2, param_values=param_values@entry=0x7fffffffd190, invocation_hint=invocation_hint@entry=0x7fffffffd130)
    at gclosure.c:768
    #2  0x00007ffff07949e2 in signal_emit_unlocked_R (node=node@entry=0x8faf40, detail=detail@entry=0, instance=instance@entry=0x8dc990, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd190) at gsignal.c:3553
    #3  0x00007ffff079d121 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd320) at gsignal.c:3309
#5  0x00007ffff5027c43 in smartcard_monitor_dispatch (event=<error reading variable: value has been optimized out>, user_data=0x8dc990, user_data@entry=<error reading variable: value has been optimized out>)
    at smartcard-manager.c:293
#6  0x00007ffff50275ba in smartcard_source_dispatch (source=0x98dbd0, callback=<optimized out>, user_data=<optimized out>) at smartcard-manager.c:341
#7  0x00007ffff04837fb in g_main_context_dispatch (context=0x686210) at gmain.c:3111
#8  0x00007ffff04837fb in g_main_context_dispatch (context=context@entry=0x686210) at gmain.c:3710
#9  0x00007ffff0483b98 in g_main_context_iterate (context=0x686210, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3781
#10 0x00007ffff0483ec2 in g_main_loop_run (loop=0x982590) at gmain.c:3975
#11 0x00007ffff6590055 in gtk_main () at gtkmain.c:1207
#12 0x000000000040f931 in main (argc=1, argv=0x7fffffffd828) at virt-viewer-main.c:119
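
Added example (not part of comment 6 or of spice-gtk): a small triage helper that groups GLib diagnostics like those above by PID and flags the pattern seen here, where "invalid unclassed pointer in cast" warnings (GLib's report that a cast was given a pointer that is not a valid GObject instance) are followed by a failed assertion or a fatal signal. The function name `triage` and the result keys are assumptions made for this example; the sample lines are copied from the debug output in comment 6.

```python
import re

# GLib log line shape: "(prog:pid): Domain-LEVEL **: message" (DEBUG lines omit " **").
GLIB_LINE = re.compile(
    r"^\((?P<prog>[^:()]+):(?P<pid>\d+)\): (?P<domain>[\w-]+)-"
    r"(?P<level>DEBUG|INFO|MESSAGE|WARNING|CRITICAL|ERROR)(?: \*\*)?: (?P<msg>.*)$")
BAD_CAST = re.compile(r"invalid unclassed pointer in cast to '([^']+)'")
ASSERT_FAIL = re.compile(r"^(\w+): assertion '(.+)' failed$")
GDB_SIGNAL = re.compile(r"^Program received signal (SIG[A-Z0-9]+)")

def triage(lines):
    """Group GLib diagnostics per PID and flag runs where a pointer that is
    no longer a valid GObject instance was used shortly before a failure."""
    runs, last_pid = {}, None
    for raw in lines:
        line = raw.strip()
        sig = GDB_SIGNAL.match(line)
        if sig and last_pid is not None:
            # gdb's line carries no PID; attribute it to the last process seen.
            runs[last_pid]["signal"] = sig.group(1)
            continue
        m = GLIB_LINE.match(line)
        if not m:
            continue
        last_pid = int(m["pid"])
        run = runs.setdefault(last_pid, {"prog": m["prog"], "trigger": None,
                                         "bad_casts": [], "asserts": [], "signal": None})
        msg = m["msg"]
        cast = BAD_CAST.search(msg)
        failed = ASSERT_FAIL.match(msg)
        if cast:
            run["bad_casts"].append(cast.group(1))
        elif failed:
            run["asserts"].append((failed.group(1), failed.group(2)))
        elif m["level"] == "DEBUG" and not run["bad_casts"]:
            run["trigger"] = msg  # last debug event before the first bad cast
    for run in runs.values():
        run["suspect_stale_object"] = bool(run["bad_casts"]) and (
            bool(run["asserts"]) or run["signal"] is not None)
    return runs

# Sample input: diagnostic lines as they appear in comment 6.
SAMPLE = """\
(virt-viewer:6176): GSpice-DEBUG: smartcard-manager.c:292 smartcard: card-removed
(virt-viewer:6176): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SpiceSmartcardChannel'
(virt-viewer:6176): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SpiceChannel'
(virt-viewer:6176): GSpice-CRITICAL **: spice_msg_out_new: assertion 'c != NULL' failed
Program received signal SIGSEGV, Segmentation fault.
"""
```

Calling `triage(SAMPLE.splitlines())` returns one entry for PID 6176 whose `trigger` is the card-removed debug event, which is the point to start from when reading the backtrace.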

Comment 7 Marc-Andre Lureau 2015-03-24 23:12:47 UTC
patch sent to ML:
http://lists.freedesktop.org/archives/spice-devel/2015-March/019232.html

Comment 12 errata-xmlrpc 2015-07-22 06:32:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1322.html