Bug 917860
Summary: | Smartcard emulation with Windows guest fails
---|---
Product: | Red Hat Enterprise Linux 6
Reporter: | Marc-Andre Lureau <marcandre.lureau>
Component: | qemu-kvm
Assignee: | Alon Levy <alevy>
Status: | CLOSED ERRATA
QA Contact: | Virtualization Bugs <virt-bugs>
Severity: | high
Docs Contact: |
Priority: | high
Version: | 6.5
CC: | acathrow, alevy, bsarathy, chayang, dblechte, italkohe, juzhang, marcandre.lureau, michen, mkenneth, qzhang, virt-maint, w.vd.velde.04
Target Milestone: | rc
Keywords: | ZStream
Target Release: | ---
Hardware: | Unspecified
OS: | Unspecified
Whiteboard: |
Fixed In Version: | qemu-kvm-0.12.1.2-2.385.el6
Doc Type: | Bug Fix
Doc Text: | Previously, smart card emulation with a Microsoft Windows guest in versions XP, 2003 and 7 failed due to inconsistent Answer To Reset (ATR) file length with a smart card I/O device error. This update creates an ATR file length with appropriate historical bytes, and disables USB signaling when necessary. Now, smart card emulation is possible, and failures no longer occur in the aforementioned scenario.
Story Points: | ---
Clone Of: |
: | 997544 1005081
Environment: |
Last Closed: | 2013-11-21 06:42:13 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
CRM: |
Verified Versions: |
Category: | ---
oVirt Team: | ---
RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | ---
Target Upstream Version: |
Embargoed: |
Bug Depends On: |
Bug Blocks: | 965152, 997544, 1005081
Attachments: |

Description
Marc-Andre Lureau
2013-03-04 23:35:31 UTC
Same issue here. The coolkey driver on a linux host works fine but not on windows 7 32bit.

Regards,
William

Is there an updated rpm available to test?

Regards,
William

Created attachment 744955
system error for windows with smart card

Reproduced on qemu-kvm-0.12.1.2-2.355.el6.x86_64 by running a win-7 32bit guest. Inconsistent ATR length was observed. And snapshot will be attached.

CLI:
/usr/libexec/qemu-kvm -name test -M rhel6.4.0 -enable-kvm -cpu cpu64-rhel6 \
  -m 2048 -smp 2,sockets=2,cores=1,threads=1 -nodefaults \
  -netdev tap,id=hostnet0 \
  -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:42:76:36,bus=pci.0 \
  -k en-us -vga qxl -spice port=7000,disable-ticketing \
  -chardev spicevmc,name=smartcard,id=ccid \
  -device usb-ccid -device ccid-card-passthru,chardev=ccid \
  -usb -monitor stdio -boot menu=on \
  -drive file=/home/win7.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native \
  -device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0

Connect to qemu-kvm on a F18 system:
$ remote-viewer --spice-smartcard spice://$IP:7000

Created attachment 745991
screenshot of problematic smart card

This issue is reproducible with qemu-kvm-0.12.1.2-2.393.el6.x86_64. Below are the related logs:

Event[344]:
  Log Name: System
  Source: WudfUsbccidDriver
  Date: 2013-08-15T08:21:50.328
  Event ID: 1
  Task: Driver
  Level: Error
  Opcode: General
  Keyword: N/A
  User: S-1-5-19
  User Name: NT AUTHORITY\LOCAL SERVICE
  Computer: test-PC
  Description:
An operation has failed (0x9, 0x0, 0x0, 0x0). UpdateCardCapabilities: Inconsistent ATR length. HResult: {Unknown Disk Format} The disk in drive %hs is not formatted properly. Please check the disk, and reformat if necessary.

Event[348]:
  Log Name: System
  Source: Microsoft-Windows-Smartcard-Server
  Date: 2013-08-15T08:26:27.000
  Event ID: 610
  Task: N/A
  Level: Error
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: test-PC
  Description:
Smart Card Reader 'QEMU 0.12.1 QEMU USB CCID 0' rejected IOCTL POWER: The smart card is not responding to a reset. If this error persists, your smart card or reader may not be functioning correctly.

CLI:
/usr/libexec/qemu-kvm -name test -M rhel6.4.0 -enable-kvm -cpu cpu64-rhel6 \
  -m 2048 -smp 2,sockets=2,cores=1,threads=1 -nodefaults \
  -netdev tap,id=hostnet0 \
  -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:42:76:36,bus=pci.0 \
  -k en-us -vga qxl -spice port=7000,disable-ticketing \
  -chardev spicevmc,name=smartcard,id=ccid \
  -device usb-ccid -device ccid-card-passthru,chardev=ccid \
  -usb -monitor stdio -boot menu=on \
  -drive file=/home/win7.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native \
  -device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0

Created attachment 786876
windows event log

Hi Alon,
Can you please take a look at Comment 21 22?
Thanks,

You need to use the latest libcacard too (that's where the ATR is coming from) which is used by the client. Unfortunately I missed this fact and didn't package it yet for RHEL. I'll add a bug and mark this as blocked by that.

(In reply to Alon Levy from comment #24)
> You need to use the latest libcacard too (that's where the ATR is coming
> from) which is used by the client. Unfortunately I missed this fact and
> didn't package it yet for RHEL. I'll add a bug and mark this as blocked by
> that.

Actually, despite having now a new version of libcacard, it seems the existing libcacard in rhel 6.4 (libcacard-0.15.0-2.el6.x86_64) works. So I'm no longer sure I need to do a new rhel 6.5 and rhel 6.4.z libcacard release. Could you please tell me which version of libcacard did you use in the client? I assume you used remote-viewer, since that's the client we support.

Thanks,
Alon

(In reply to Alon Levy from comment #25)
> (In reply to Alon Levy from comment #24)
> > You need to use the latest libcacard too (that's where the ATR is coming
> > from) which is used by the client. Unfortunately I missed this fact and
> > didn't package it yet for RHEL. I'll add a bug and mark this as blocked by
> > that.
>
> Actually, despite having now a new version of libcacard, it seems the
> existing libcacard in rhel 6.4 (libcacard-0.15.0-2.el6.x86_64) works. So I'm
> no longer sure I need to do a new rhel 6.5 and rhel 6.4.z libcacard release.
> Could you please tell me which version of libcacard did you use in the
> client? I assume you used remote-viewer, since that's the client we support.
>

I updated libcacard to latest one in F18 - libcacard-1.2.2-11.fc18.x86_64. Then connect through remote-viewer with --spice-smartcard, ATR error disappeared. And smart card service entered the running state in Event Viewer -> Windows Logs -> System . But I could not format/enroll in ESC, these buttons were grey and could not be clicked.
Diagnostics told me:
***Active Smart Card Details***
Number of Smart Card Detected: 0

***Smart Card Activity***
[8/16/2013 2:24:20 AM] NSS system initialized successfully!

> Thanks
> Alon

(In reply to chayang from comment #26)
> (In reply to Alon Levy from comment #25)
> > (In reply to Alon Levy from comment #24)
> > > You need to use the latest libcacard too (that's where the ATR is coming
> > > from) which is used by the client. Unfortunately I missed this fact and
> > > didn't package it yet for RHEL. I'll add a bug and mark this as blocked by
> > > that.
> >
> > Actually, despite having now a new version of libcacard, it seems the
> > existing libcacard in rhel 6.4 (libcacard-0.15.0-2.el6.x86_64) works. So I'm
> > no longer sure I need to do a new rhel 6.5 and rhel 6.4.z libcacard release.
> > Could you please tell me which version of libcacard did you use in the
> > client? I assume you used remote-viewer, since that's the client we support.
> >
> I updated libcacard to latest one in F18 - libcacard-1.2.2-11.fc18.x86_64.
> Then connect through remote-viewer with --spice-smartcard, ATR error
> disappeared. And smart card service entered the running state in Event
> Viewer -> Windows Logs -> System . But I could not format/enroll in ESC,
> these buttons were grey and could not be clicked. Diagnostics told me:
> ***Active Smart Card Details***
> Number of Smart Card Detected: 0
>
> ***Smart Card Activity***
> [8/16/2013 2:24:20 AM] NSS system initialized successfully!
>
> > Thanks
> > Alon

Hi, chayang
How about the rhel6.4 libcacard-0.15.0-2.el6.x86_64 mentioned by Alon? As we suggest to use the RHEL version of the client related packages.

And I tested with rhel remote-viewer and libcacard as well. The light didn't appear at all when connecting with remote-viewer.

(In reply to chayang from comment #28)
> And I tested with rhel remote-viewer and libcacard as well. The light didn't
> appear at all when connecting with remote-viewer.

Packages tested:
virt-viewer-0.5.6-7.el6.x86_64
libcacard-0.15.0-2.el6.x86_64

(In reply to chayang from comment #29)
> (In reply to chayang from comment #28)
> > And I tested with rhel remote-viewer and libcacard as well. The light didn't
> > appear at all when connecting with remote-viewer.
>
> Packages tested:
> virt-viewer-0.5.6-7.el6.x86_64
> libcacard-0.15.0-2.el6.x86_64

Which card are you testing? does the card work with the client computer? does it work using coolkey? I'm testing using a simulated card using the --spice-smartcard-certificates option, with the same libcacard version and 0.5.6-6 virt-viewer.

Could you arrange for me to have access to your machine to run virt-viewer on it? I don't have a working card at the moment.

I've created http://koji.fedoraproject.org/koji/buildinfo?buildID=457274 , a fedora update, and I'll do the RHEL libcacard update tomorrow hopefully, as soon as I have all acks. The fedora update should be available in updates-testing tomorrow hopefully too. Please let me know if the fedora update allows you to remote a card to a windows 7 guest from a fedora 19 client, or not, and if not please set SPICE_DEBUG=1 and G_MESSAGES_DEBUG=all and in the guest add debug=10 for the ccid device and the passthru devices, and capture the output of both client and vm.

(In reply to Alon Levy from comment #30)
> (In reply to chayang from comment #29)
> > (In reply to chayang from comment #28)
> > > And I tested with rhel remote-viewer and libcacard as well. The light didn't
> > > appear at all when connecting with remote-viewer.
> >
> > Packages tested:
> > virt-viewer-0.5.6-7.el6.x86_64
> > libcacard-0.15.0-2.el6.x86_64
>
> Which card are you testing? does the card work with the client computer?
> does it work using coolkey? I'm testing using a simulated card using the
> --spice-smartcard-certificates option, with the same libcacard version and
> 0.5.6-6 virt-viewer.
>

I tested this in a real windows 7 64-bit system.
MSC could detect smart card, including 'Key ID', 'Status', 'Issuer' and so on. And 'Format', 'Reset Password' buttons are available to me.

Details In Device Manager:
e-gate Virtual Reader Enumerators
|
---e-gate Virtual Reader Enumerator
Smart card readers
|
---SCR3310 USB Smart Card Reader
Smart cards
|
---ActivIdentity Mini Driver(Gemalto Cyberflex Access 64K V2c)

> Could you arrange for me to have access to your machine to run virt-viewer
> on it? I don't have a working card at the moment.

(In reply to Alon Levy from comment #31)
> I've created http://koji.fedoraproject.org/koji/buildinfo?buildID=457274 , a
> fedora update, and I'll do the RHEL libcacard update tomorrow hopefully, as
> soon as I have all acks. The fedora update should be available in
> updates-testing tomorrow hopefully too. Please let me know if the fedora
> update allows you to remote a card to a windows 7 guest from a fedora 19
> client, or not, and if not please set SPICE_DEBUG=1 and G_MESSAGES_DEBUG=all
> and in the guest add debug=10 for the ccid device and the passthru devices,
> and capture the output of both client and vm.

I have updated libcacard in F19 to the one you provided in above link. I set SPICE_DEBUG=1 and G_MESSAGES_DEBUG=all in client, and debug=10 for the ccid device and the passthru devices. But there is no log captured in client, I only captured output of VM. Please check attachment.

Created attachment 787878
qemu log with adding debug=10 to usb-ccid and ccid-card-passthru

output from rhel6.5 host with Smart Card Reader plugged in.

# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Hi Marc-Andre,
Can you please retest with qemu-kvm-0.12.1.2-2.385.el6 and later? Thanks in advance.

(In reply to chayang from comment #36)
> Hi Marc-Andre,
> Can you please retest with qemu-kvm-0.12.1.2-2.385.el6 and later? Thanks in
> advance.

After struggling with my rhel, I finally managed to verify with qemu-kvm-0.12.1.2-2.389.el6.x86_64.

Note that I use a libcacard built from qemu git, as the version in fc19 isn't good enough.

(In reply to Marc-Andre Lureau from comment #37)
> (In reply to chayang from comment #36)
> > Hi Marc-Andre,
> > Can you please retest with qemu-kvm-0.12.1.2-2.385.el6 and later? Thanks in
> > advance.
>
> After struggling with my rhel, I finally managed to verify with
> qemu-kvm-0.12.1.2-2.389.el6.x86_64.
>
> Note that I use a libcacard built from qemu git, as the version in fc19
> isn't good enough.

There is an update (it should be in updates-testing) 1.4.2-7 iirc, could you test that? (the latest, from this week).

Thanks,
Alon

(In reply to Alon Levy from comment #38)
> There is an update (it should be in updates-testing) 1.4.2-7 iirc, could you
> test that? (the latest, from this week).
>

I confirm, it works.

(In reply to Marc-Andre Lureau from comment #39)
> (In reply to Alon Levy from comment #38)
>
> > There is an update (it should be in updates-testing) 1.4.2-7 iirc, could you
> > test that? (the latest, from this week).
> >
>
> I confirm, it works.

Hi, Marc-Andre
I would be grateful if you could provide with qemu-kvm cli, and remote-viewer cli as well. If you used physical smartcard, can you please also offer the vendor/model of smartcard?

(In reply to chayang from comment #40)
> Hi, Marc-Andre
> I would be grateful if you could provide with qemu-kvm cli, and
> remote-viewer cli as well. If you used physical smartcard, can you please
> also offer the vendor/model of smartcard?

I don't have physical smartcard, so I use "NSS software smartcard", as described in this page: http://spice-space.org/page/SmartcardUsage. Once NSS can read the certificates, the smartcard emulation should give the same results, either from hw smartcard or files certificates. Emulation used to fail, and I verified it works now.

Hi,

i could give our smartcard a test (aet). But i would need access to an rpm package available for rhel 6.4 is there a package available?

Regards,
William

(In reply to William van de Velde from comment #43)
>
> i could give our smartcard a test (aet). But i would need access to an rpm
> package available for rhel 6.4 is there a package available?
>

Hi William. The package has been built and is going through our QA process, but unfortunately we can't distribute our development packages before they go through our QA, get proper gpg signatures and documentation via the errata.

If this issue is critical or in any way time sensitive to you or your organization, please raise a ticket through your regular Red Hat support channels so that they can give you a hotfix for testing (please point them to this bug).

For information on how to contact the Red Hat production support team, please visit: https://www.redhat.com/support/process/production/#howto

Based on Comment 14, 37, 39, 42, this bug has been fixed.

fixed typo - Input/Output, not I/0 (I/zero).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1553.html
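
The guest-side error in this report, "UpdateCardCapabilities: Inconsistent ATR length", concerns the Answer To Reset, whose first bytes declare how many interface and historical bytes follow. As an added example (not code from qemu-kvm, libcacard or this bug; the function name, result codes and ATR byte strings are constructed for illustration), one way to check an ATR for that kind of inconsistency following the ISO/IEC 7816-3 layout:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (names belong to this example, not to any library). */
enum { ATR_OK = 0, ATR_BAD_TS = -1, ATR_TRUNCATED = -2,
       ATR_LEN_MISMATCH = -3, ATR_BAD_TCK = -4 };

/* Constructed sample ATRs, not captured from a real card or from libcacard. */
static const uint8_t atr_good[]    = {0x3B,0x66,0x00,0xFF,'S','A','M','P','L','E'};
static const uint8_t atr_bad_k[]   = {0x3B,0x68,0x00,0xFF,'S','A','M','P','L','E'};
static const uint8_t atr_tck_ok[]  = {0x3B,0x80,0x80,0x01,0x01};
static const uint8_t atr_tck_bad[] = {0x3B,0x80,0x80,0x01,0x00};

/* Walk an ISO/IEC 7816-3 ATR and check that the length implied by T0 and
 * the TDi bytes (interface bytes + K historical bytes + optional TCK)
 * matches the number of bytes actually received. */
int atr_check(const uint8_t *atr, size_t len)
{
    if (len < 2) return ATR_TRUNCATED;
    if (atr[0] != 0x3B && atr[0] != 0x3F) return ATR_BAD_TS;

    unsigned k = atr[1] & 0x0F;   /* T0 low nibble: historical byte count */
    unsigned y = atr[1] >> 4;     /* T0 high nibble: TA1..TD1 presence bits */
    size_t pos = 2;               /* next unread byte */
    int need_tck = 0;
    while (y) {
        pos += (y & 1) + ((y >> 1) & 1) + ((y >> 2) & 1);  /* skip TAi, TBi, TCi */
        if (!(y & 8)) break;                   /* no TDi: interface bytes end */
        if (pos >= len) return ATR_TRUNCATED;
        if (atr[pos] & 0x0F) need_tck = 1;     /* a protocol other than T=0 */
        y = atr[pos++] >> 4;
    }
    if (pos + k + (size_t)need_tck != len) return ATR_LEN_MISMATCH;
    if (need_tck) {               /* XOR of T0..TCK must be zero */
        uint8_t x = 0;
        for (size_t i = 1; i < len; i++) x ^= atr[i];
        if (x) return ATR_BAD_TCK;
    }
    return ATR_OK;
}

int main(void)
{
    printf("good=%d bad_k=%d tck_ok=%d tck_bad=%d\n",
           atr_check(atr_good, sizeof atr_good), atr_check(atr_bad_k, sizeof atr_bad_k),
           atr_check(atr_tck_ok, sizeof atr_tck_ok), atr_check(atr_tck_bad, sizeof atr_tck_bad));
    return 0;
}
```

In `atr_bad_k` the T0 byte announces eight historical bytes while only six are present, which is the mismatch a reader driver can reject before the card is ever usable.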