Description of problem:
When using virt-viewer to connect to a guest with smartcard passthrough and the options "reconnect" and "wait", the smartcard does not work after the guest is rebooted.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Prepare a rhel6 guest with smartcard passthrough and spice graphics:
<smartcard mode='passthrough' type='spicevmc'>
  <address type='ccid' controller='0' slot='0'/>
</smartcard>
<graphics type='spice' port='5900' autoport='yes'/>
2. On both your host and guest:
# yum groupinstall "smart card support"
# yum remove '*openct*'
# service pcscd start
3. Run on guest:
3.1 Get the root CA certificate and install it. For the setup above and Firefox, it can be obtained by following this procedure, but YMMV:
Navigate to https://aakkiang-csvm1.idmqe.lab.eng.bos.redhat.com:9444/ca/ee/ca/, choose the "Retrieval" tab, and click "Import CA Certificate Chain" in the list on the left.
Choose "Import the CA certificate chain into your browser" and click the submit button.
A "Downloading Certificate" dialog will appear; click "View".
Choose the "Details" tab and click "Export..."
Choose PEM format and append the .pem extension to the file name.
Copy the file to the /etc/pam_pkcs11/cacerts directory (you need to create it manually).
Restore the selinux context of the certificate and directories:
# restorecon -FvvR /etc/pam_pkcs11
Install the certificate:
# certutil -A -d /etc/pki/nssdb -n "<your name for the CA>" -t "CT,C,C" -i /etc/pam_pkcs11/cacerts/<ca_file>.pem
3.2 In a console, run "pklogin_finder debug"; your UID should be the username you filled in and the certificate should be verified.
3.3 Add a user with the same name as your smartcard.
3.4 Click System->Administration->Authentication->Advanced options->Check enable Smart card support. DO NOT check "Required smart card for login"
4. On your host, run:
4.1 Use virt-viewer to open the guest:
# virt-viewer $guest --spice-smartcard
4.2 Check that pklogin_finder can read the smartcard.
4.3 Switch user in the guest, change to the newly created user, select Smartcard Authentication, and input the smartcard pin.
4.4 Close virt-viewer and re-run virt-viewer in the client:
# virt-viewer --spice-smartcard --reconnect --wait --connect qemu:///system $guest
4.5 In another console, use virsh to restart the guest:
# virsh destroy $guest; virsh start $guest
4.6 Check that the smartcard works when the guest restarts.
1. After step 4.3 and step 4.4, gdm should recognize the card, prompt for the pin and, upon entering the correct pin, the user on the smartcard should be logged in.
2. But after restarting the guest (step 4.6), the smartcard cannot be used in the guest, as shown in the screenshot.
Using reconnect and wait can keep the smartcard working when the guest restarts.
1. After step 4.7, use Ctrl+C to exit step 4.4 and rerun step 4.4; then the smartcard works again, as shown in screenshot-1.
2. I will attach debug info.
Created attachment 1005803
After restart guest
Created attachment 1005804
Created attachment 1005805
debug info for step4.4 and restart guest
With spice-gtk git, I can reproduce the issue.
Furthermore, when removing the card, I get a crash:
(virt-viewer:6176): GSpice-DEBUG: smartcard-manager.c:292 smartcard: card-removed
(virt-viewer:6176): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SpiceSmartcardChannel'
(virt-viewer:6176): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SpiceChannel'
(virt-viewer:6176): GSpice-CRITICAL **: spice_msg_out_new: assertion 'c != NULL' failed
Program received signal SIGSEGV, Segmentation fault.
send_msg_generic_with_data (channel=0xa61470, reader=<optimized out>, msg_type=VSC_CardRemove, data=0x0, data_len=0, serialize_msg=1) at channel-smartcard.c:372
372 msg_out->marshallers->msgc_smartcard_header(msg_out->marshaller, &header);
#0 0x00007ffff50252db in send_msg_generic_with_data (channel=0xa61470, reader=<optimized out>, msg_type=VSC_CardRemove, data=0x0, data_len=0, serialize_msg=1) at channel-smartcard.c:372
#4 0x00007ffff079d34f in <emit signal ??? on instance 0x8dc990 [SpiceSmartcardManager]> (instance=<optimized out>, signal_id=signal_id@entry=255, detail=detail@entry=0) at gsignal.c:3365
#1 0x00007ffff0782c55 in g_closure_invoke (closure=0x8fb280, return_value=return_value@entry=0x0, n_param_values=2, param_values=param_values@entry=0x7fffffffd190, invocation_hint=invocation_hint@entry=0x7fffffffd130)
#2 0x00007ffff07949e2 in signal_emit_unlocked_R (node=node@entry=0x8faf40, detail=detail@entry=0, instance=instance@entry=0x8dc990, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd190) at gsignal.c:3553
#3 0x00007ffff079d121 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd320) at gsignal.c:3309
#5 0x00007ffff5027c43 in smartcard_monitor_dispatch (event=<error reading variable: value has been optimized out>, user_data=0x8dc990, user_data@entry=<error reading variable: value has been optimized out>)
#6 0x00007ffff50275ba in smartcard_source_dispatch (source=0x98dbd0, callback=<optimized out>, user_data=<optimized out>) at smartcard-manager.c:341
#7 0x00007ffff04837fb in g_main_context_dispatch (context=0x686210) at gmain.c:3111
#8 0x00007ffff04837fb in g_main_context_dispatch (context=context@entry=0x686210) at gmain.c:3710
#9 0x00007ffff0483b98 in g_main_context_iterate (context=0x686210, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3781
#10 0x00007ffff0483ec2 in g_main_loop_run (loop=0x982590) at gmain.c:3975
#11 0x00007ffff6590055 in gtk_main () at gtkmain.c:1207
#12 0x000000000040f931 in main (argc=1, argv=0x7fffffffd828) at virt-viewer-main.c:119
patch sent to ML:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
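Added illustration, not part of the original report and not the spice-gtk patch: a C model of the failure pattern visible in the crash log above, where the message constructor returns NULL after the failed 'c != NULL' precondition and the sender then dereferences the result at channel-smartcard.c:372. It assumes the card-removed handler was still attached to a channel that had been torn down by the guest restart; all type and function names are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins for illustration; these are not spice-gtk types. */
struct channel { int sent; };
struct msg_out { struct channel *c; int type; };
struct manager { struct channel *listener; };  /* outlives channels across guest restarts */
enum { CARD_REMOVE = 1 };                      /* constructed message type */

/* Mirrors the failed 'c != NULL' precondition in the log: returns NULL, does not abort. */
static struct msg_out *msg_out_new(struct channel *c, int type)
{
    if (c == NULL)
        return NULL;
    struct msg_out *m = malloc(sizeof *m);
    if (m != NULL) { m->c = c; m->type = type; }
    return m;
}

/* Guard 1: check the constructor result before dereferencing it. */
static int send_card_remove(struct channel *c)
{
    struct msg_out *m = msg_out_new(c, CARD_REMOVE);
    if (m == NULL) return -1;     /* no usable channel: drop the event */
    m->c->sent++;
    free(m);
    return 0;
}
static void channel_attach(struct manager *mgr, struct channel *c) { mgr->listener = c; }
/* Guard 2: disconnect from the manager before freeing, so no dangling listener remains. */
static void channel_destroy(struct manager *mgr, struct channel *c)
{
    if (mgr->listener == c)
        mgr->listener = NULL;
    free(c);
}
static int emit_card_removed(struct manager *mgr) { return send_card_remove(mgr->listener); }

int main(void)
{
    struct manager mgr = { NULL };
    struct channel *c = calloc(1, sizeof *c);
    if (c == NULL) return 1;
    channel_attach(&mgr, c);
    printf("connected: %d\n", emit_card_removed(&mgr));
    channel_destroy(&mgr, c);                             /* guest restarted */
    printf("after teardown: %d\n", emit_card_removed(&mgr));
    return 0;
}
```

Without the second guard the manager would keep a pointer to freed memory, which matches the "invalid unclassed pointer in cast" warnings that precede the assertion failure in the log.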