Bug 1356656
Summary: | Windows guest VM - problems with shared smartcard detection | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Radek Duda <rduda> |
Component: | qemu-kvm-rhev | Assignee: | Marc-Andre Lureau <marcandre.lureau> |
Status: | CLOSED NOTABUG | QA Contact: | Qianqian Zhu <qizhu> |
Severity: | medium | Docs Contact: | Jiri Herrmann <jherrman> |
Priority: | medium | ||
Version: | 7.3 | CC: | areis, astepano, chayang, cliao, coli, cww, djasa, dmardones, fdelorey, hachen, jiyan, jjelen, juzhang, knoel, kraxel, marcandre.lureau, mharmsen, michen, mkalinin, mtessun, ngu, qzhang, rbalakri, rduda, smaudet, spice-qe-bugs, tpelka, virt-maint, xfu, xuma, zhguo |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Windows | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-04-18 16:11:18 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1331471 | ||
Bug Blocks: | 1277471, 1401400, 1477664 | ||
Attachments: |
Description
Radek Duda
2016-07-14 15:29:51 UTC
Well, there are basically two behaviour scenarios:

1. The smartcard reader is detected (QEMU USB CCID), but after inserting the smartcard token into the reader, Windows searches for some driver for the smartcard. Finally Windows fails to find any convenient driver and the smartcard is not enrolled to the system. (This happens for 1 of my 4 Win VMs in rhev-m portal (the Win7 one).)
2. The smartcard reader is not detected at all. (Happens for 3 of my 4 Win VMs in rhev-m portal.)

I do not really know what causes the smartcard reader to be detected or not. Recently, I installed a Win7 64bit VM in virt-manager (not rhev-m) and the smartcard reader was detected, but the smartcard token was not loaded, as described in case 1. As I have written, I am not sure if it is a problem of ESC. Maybe it is not connected to ESC at all. Maybe it is a qemu issue.

OK: First of all, we do not support ESC on windows, so ignore any part about not being able to provision a card. Second, it sounds like this could be some issue in Windows finding the driver for your reader? Have you tried doing a search of the web to manually locate the driver for your reader in question? If you are able to install the correct driver and then unable to get smart card events of any kind, there is probably some issue with qemu as you state. The first step though would be to try to install the driver for your reader on the VMs where the auto configure failed and see what happens.

thanks,
jack

Concerning the second case (comment 3): There is a problem of detecting the smartcard reader when the smartcard is set to be SHARED between guest VM and client. There are no records of smartcard detection or usage in the spice-debug log (see attached). If I redirect the smartcard reader via USB redirection in this case, the smartcard reader driver and coolkey driver are successfully installed and the token is recognized by ESC. So I think it is not an ESC issue but qemu.

Concerning the first case (comment 3): The smartcard reader is detected and the smartcard reader driver is installed (no usb redirection), but the coolkey driver for the smartcard is not found (attaching screenshot) even if I search for it manually through the whole HDD. In case of USB redirection of the smartcard reader, both drivers are found and installed and everything works well. So I think there is some bug in the smartcard sharing process. When the smartcard is redirected, everything works well for both cases.

Created attachment 1181021 [details]
failed to install smartcard driver, but smartcard reader installed (first case)
Created attachment 1181022 [details]
Spice-debug.log while detaching and attaching smartcard reader from client (second case)
Thanks, it sounds to me that the problem is taking place at that low level. Coolkey pkcs#11 and esc are helpless and unaware if there is such a problem. Should reassign this to another component. Thanks.

The usb ccid smartcard reader should always be detected and working properly. If not, it could be a qemu ccid emulation bug (but it could also be a windows bug...). However, having windows detecting the smartcard correctly is quite irrelevant. What do you try to do with it? libcacard only supports coolkey module in the guest. Any other middleware or card is really hard to support without good documentation. Which CAC card do you have? Imho, we should stop supporting sharing CAC cards on windows, as coolkey seems to be no longer maintained, and I don't know any real user of this "feature". Redirecting the reader is usually enough.

Some customers do use smartcards to authenticate to both client and guest systems at the same time so use of USB redirection isn't sufficient for them (and some of them use SC readers embedded in keyboards IIRC from some customer discussion).
> libcacard only supports coolkey module in the guest. Any other middleware or
> card is really hard to support without good documentation.
IIRC the main problem here was getting activClient library and card.
I use a CAC card with coolkey middleware. The main problem here is that the smartcard reader is not shared (or shared with problems) with the guest VM. In case I redirect the smartcard reader using USB redirection, everything works fine.

David, any known issue with CAC sharing and windows/coolkey? (Is this even part of testing?)

unlikely to be solved in 7.3, moving to 7.4

(In reply to Marc-Andre Lureau from comment #12)
> David, any known issue with CAC sharing and windows/coolkey? (Is this even
> part of testing?)

ping

Hi,
It is already a long time ago and we (SPICE QE) do not have a working setup of rhv4.0 any more. I have dived again into this kind of testing on an rhv4.2 setup (using latest win10 1709 ver. guest and win7-64bit guest):

versions:

client: rhel 7.5:
spice-gtk3-0.34-3.el7.x86_64
virt-viewer-5.0-10.el7.x86_64
esc-1.1.0-40.el7.x86_64

host: rhel7.4:
libcacard-2.5.2-2.el7.x86_64
qemu-kvm-rhev-2.9.0-16.el7_4.14.x86_64
spice-server-0.12.8-2.el7.1.x86_64
libvirt-client-3.2.0-14.el7_4.7.x86_64

guest:
Win10 (64 bit) 1709 freshly updated with SmartCardManagerSetup-1.1.0-13.win32.i386.exe and CoolkeySetup-1.0.0-2.win64.x64.exe with all relevant drivers of RHV-toolsSetup_4.2_2 installed
or
Win7 (64 bit) SmartCardManagerSetup-1.1.0-13.win32.i386.exe and CoolkeySetup-1.0.0-2.win64.x64.exe with all relevant drivers of RHV-toolsSetup_4.2_2 installed

VM is created in rhv4.2 manager (version 4.2.1.4-0.1.el7)

results:
In client is smartcard loaded by esc manager and token is recognized.
In guest Win10 is smartcard reader successfully installed. After inserting smartcard into reader, it is recognized in device manager (see attached screenshot and red marking) and in Smart card manager's debug log is written "NSS system initialized successfully". This is all - the token is not recognized. If I remove card from reader, Smart card device vanished from device manager.
In Win7 guest smart card is not recognized as well. But there is neither installed drivers for smartcard. See attached screenshot.

So known issue is that smartcard sharing is not functional. If smart card reader is USB redirected to VM guest, the smartcard token is recognized both in Win7 and Win10 guest.

I tried again in rhel7.5 guest - it works there.

Created attachment 1388410 [details]
Win10 smartcard detection screenshot
Created attachment 1388411 [details]
Win7 smartcard detection screenshot
Created attachment 1401273 [details]
Hardware smart card test in qemu cli with rhel7.5 guest on 02272018
Created attachment 1401275 [details]
Hardware smart card test in qemu cli with win2016 guest on 02272018
Created attachment 1401276 [details]
Software smart card test in qemu cli with rhel7.5 guest on 02272018
Created attachment 1401277 [details]
Software smart card test in qemu cli with win2016 guest on 02272018
I take the responsibility to close this bug for now, as it has become too confusing and lost a real focus. If you have a specific scenario that is supposed to work that doesn't, please open a new bug with as much detail as possible about the setup. If it involves a smartcard redirection through spice, it should be opened to the spice team first (which owns libcacard, and has real smartcard reader and CAC test hw), until it is clear which team can best help fix the bug. For new requirements, regarding new cards or windows middleware etc, this should be handled by management first. Thanks

This use case looks exactly like the one we are trying to solve in the bug #917867. It is an issue of the libcacard and we hope we will address this in coming weeks.

Just a shot in the dark, I was recently fixing an issue in the USB CCID redirection, that I encountered while working on libcacard, which might be causing this issue:

https://github.com/qemu/qemu/commit/8030dca

If you can reliably reproduce the bug, please retry with qemu patched using the commit above.