Bug 1356656 - Windows guest VM - problems with shared smartcard detection
Summary: Windows guest VM - problems with shared smartcard detection
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.3
Hardware: x86_64
OS: Windows
medium
medium
Target Milestone: rc
: ---
Assignee: Marc-Andre Lureau
QA Contact: Qianqian Zhu
Jiri Herrmann
URL:
Whiteboard:
Depends On: 1331471
Blocks: 1277471 1401400 1477664
 
Reported: 2016-07-14 15:29 UTC by Radek Duda
Modified: 2020-09-10 09:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-18 16:11:18 UTC
Target Upstream Version:
Embargoed:


Attachments
failed to install smartcard driver, but smartcard reader installed (first case) (377.42 KB, image/png)
2016-07-18 11:16 UTC, Radek Duda
Spice-debug.log while detaching and attaching smartcard reader from client (second case) (2.90 KB, text/plain)
2016-07-18 11:18 UTC, Radek Duda
Win10 smartcard detection screenshot (306.82 KB, image/png)
2018-01-30 13:58 UTC, Radek Duda
Win7 smartcard detection screenshot (373.77 KB, image/png)
2018-01-30 13:59 UTC, Radek Duda
Hardware smart card test in qemu cli with rhel7.5 guest on 02272018 (511.32 KB, image/png)
2018-02-27 10:32 UTC, Gu Nini
Hardware smart card test in qemu cli with win2016 guest on 02272018 (364.73 KB, image/png)
2018-02-27 10:32 UTC, Gu Nini
Software smart card test in qemu cli with rhel7.5 guest on 02272018 (390.85 KB, image/png)
2018-02-27 10:34 UTC, Gu Nini
Software smart card test in qemu cli with win2016 guest on 02272018 (289.46 KB, image/png)
2018-02-27 10:35 UTC, Gu Nini



Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1258423 0 None None None 2017-11-01 18:49:40 UTC

Description Radek Duda 2016-07-14 15:29:51 UTC
Description of problem:
Smartcard reader is not detected by Windows guest VM. Problem with Smartcard driver detection.


Version-Release number of selected component (if applicable):
client: rhel 7.3 nightly
Red Hat Virtualization Manager Version 4.0.1.1-0.1.el7ev
virt-viewer-2.0-10.el7.x86_64

guest: tried Win8, Win10, Win7 - all 64 bit 
SmartCardManagerSetup-1.1.0-13.win32.i386
RHEV-tools 4.0-4

Gemalto (was Gemplus) GemPC Twin SmartCard Reader

How reproducible: 75%


Steps to Reproduce:
1. Start guest Windows VM in rhev-m (with installed Smartcard manager and RHEV-tools)
2. Check Enable Smartcard in Console options
3. Connect to guest VM:
# remote-viewer console.vv

Actual results: Smartcard reader is not detected by guest VM


Expected results: Smartcard reader is detected and device initialized. Inserted Smartcard is detected.


Additional info: 
* Sometimes (one Win7 VM of four VMs) the Smartcard reader device is detected and installed; nevertheless, the inserted Smartcard was not detected (driver not found)!!

* If I try the Smartcard on a non-virtualized Windows system, it works as it should.

I don't know if any log file is helpful to debug this thing or if this is directly an esc component bug.

Comment 3 Radek Duda 2016-07-15 12:22:56 UTC
Well, there are basically two behaviour scenarios:
1. The smartcard reader is detected (QEMU USB CCID), but after inserting the smartcard token into the reader, Windows searches for some driver for the smartcard. Finally Windows fails to find any convenient driver and the Smartcard is not enrolled to the system. (This happens for 1 of my 4 Win VMs in the rhev-m portal (the Win7 one).)
2. The smartcard reader is not detected at all. (This happens for 3 of my 4 Win VMs in the rhev-m portal.)

I do not really know what causes the smartcard reader to be or not to be detected.
Recently, I installed a Win7 64bit VM in virt-manager (not rhev-m) and the smartcard reader was detected, but the smartcard token was not loaded, as described in case 1.
As I have written, I am not sure if it is a problem of ESC. Maybe it is not connected to ESC at all. Maybe it is a qemu issue.

Comment 4 Jack Magne 2016-07-15 17:27:53 UTC
OK:

First of all, we do not support ESC on Windows, so ignore any part about not being able to provision a card.

Second, it sounds like this could be some issue in Windows finding the driver for your reader?

Have you tried doing a search of the web to manually locate the driver for your reader in question?

If you are able to install the correct driver and then unable to get smart card events of any kind, there is probably some issue with qemu as you state.

The first step though would be to try to install the driver for your reader on the vm's where the auto configure failed and see what happens.

thanks,
jack

Comment 5 Radek Duda 2016-07-18 11:13:28 UTC
Concerning the second case (comment 3): there is a problem detecting the Smartcard reader when the Smartcard is set to be SHARED between guest VM and client. There are not any records of smartcard detection or usage in the spice-debug log (see attached).
If I redirect the Smartcard reader via USB redirection in this case, the smartcard reader driver and coolkey driver are successfully installed and the token is recognized by ESC. So I think it is not an ESC issue but qemu.

Concerning the first case (comment 3): the smartcard reader is detected and the smartcard reader driver is installed (no USB redirection), but the coolkey driver for the smartcard is not found (attaching screenshot) even if I search for it manually through the whole HDD. In case of USB redirection of the smartcard reader, both drivers are found and installed and everything works well.

So I think there is some bug in the smartcard sharing process. When the smartcard is redirected, everything works well for both cases.

Comment 6 Radek Duda 2016-07-18 11:16:27 UTC
Created attachment 1181021 [details]
failed to install smartcard driver, but smartcard reader installed (first case)

Comment 7 Radek Duda 2016-07-18 11:18:44 UTC
Created attachment 1181022 [details]
Spice-debug.log while detaching and attaching smartcard reader from client (second case)

Comment 8 Jack Magne 2016-07-18 17:56:44 UTC
Thanks, it sounds to me that the problem is taking place at that low level. Coolkey pkcs#11 and esc are helpless and unaware if there is such a problem.

Should reassign this to another component. Thanks.

Comment 9 Marc-Andre Lureau 2016-07-19 16:51:50 UTC
The usb ccid smartcard reader should always be detected and working properly. If not, it could be a qemu ccid emulation bug (but it could also be a windows bug...)

However, having windows detecting the smartcard correctly is quite irrelevant. What do you try to do with it?

libcacard only supports coolkey module in the guest. Any other middleware or card is really hard to support without good documentation. 

Which CAC card do you have?

Imho, we should stop supporting sharing CAC cards on windows, as coolkey seems to be no longer maintained, and I don't know any real user of this "feature". Redirecting the reader is usually enough.

Comment 10 David Jaša 2016-07-20 12:35:32 UTC
Some customers do use smartcards to authenticate to both client and guest systems at the same time so use of USB redirection isn't sufficient for them (and some of them use SC readers embedded in keyboards IIRC from some customer discussion).

> libcacard only supports coolkey module in the guest. Any other middleware or
> card is really hard to support without good documentation. 

IIRC the main problem here was getting activClient library and card.

Comment 11 Radek Duda 2016-07-20 14:17:53 UTC
I use CAC card with coolkey middleware. The main problem here is that smartcard reader is not shared (or shared with problems) with the guest VM. In case I redirect smartcard reader using USB redirection, everything works fine.

Comment 12 Marc-Andre Lureau 2016-07-20 14:41:14 UTC
David, any known issue with CAC sharing and windows/coolkey? (Is this even part of testing?)

Comment 13 Marc-Andre Lureau 2016-08-11 09:25:35 UTC
unlikely to be solved in 7.3, moving to 7.4

Comment 14 Ademar Reis 2016-12-23 15:38:05 UTC
(In reply to Marc-Andre Lureau from comment #12)
> David, any known issue with CAC sharing and windows/coolkey? (Is this even
> part of testing?)

ping

Comment 33 Radek Duda 2018-01-30 13:57:34 UTC
Hi,

It was already a long time ago and we (SPICE QE) do not have a working setup of rhv4.0 any more.
I have dived again into this kind of testing on an rhv4.2 setup (using the latest win10 1709 ver. guest and a win7-64bit guest):

versions:
client: rhel 7.5:
spice-gtk3-0.34-3.el7.x86_64
virt-viewer-5.0-10.el7.x86_64
esc-1.1.0-40.el7.x86_64

host: rhel7.4:
libcacard-2.5.2-2.el7.x86_64
qemu-kvm-rhev-2.9.0-16.el7_4.14.x86_64
spice-server-0.12.8-2.el7.1.x86_64
libvirt-client-3.2.0-14.el7_4.7.x86_64

guest:

Win10 (64 bit) 1709 freshly updated with 
SmartCardManagerSetup-1.1.0-13.win32.i386.exe and
CoolkeySetup-1.0.0-2.win64.x64.exe
with all relevant drivers of RHV-toolsSetup_4.2_2 installed
or

Win7 (64 bit)
SmartCardManagerSetup-1.1.0-13.win32.i386.exe and
CoolkeySetup-1.0.0-2.win64.x64.exe
with all relevant drivers of RHV-toolsSetup_4.2_2 installed
VM is created in rhv4.2 manager (version 4.2.1.4-0.1.el7)

results:
In the client, the smartcard is loaded by esc manager and the token is recognized.

In the Win10 guest, the smartcard reader is successfully installed. After inserting the smartcard into the reader, it is recognized in device manager (see attached screenshot and red marking) and in Smart card manager's debug log is written "NSS system initialized successfully". This is all - the token is not recognized. If I remove the card from the reader, the Smart card device vanishes from device manager.

In the Win7 guest, the smart card is not recognized either. But there are no drivers installed for the smartcard either. See attached screenshot.

So the known issue is that smartcard sharing is not functional. If the smart card reader is USB redirected to the VM guest, the smartcard token is recognized in both the Win7 and Win10 guests. I tried again in a rhel7.5 guest - it works there.

Comment 34 Radek Duda 2018-01-30 13:58:53 UTC
Created attachment 1388410 [details]
Win10 smartcard detection screenshot

Comment 35 Radek Duda 2018-01-30 13:59:39 UTC
Created attachment 1388411 [details]
Win7 smartcard detection screenshot

Comment 43 Gu Nini 2018-02-27 10:32:04 UTC
Created attachment 1401273 [details]
Hardware smart card test in qemu cli with rhel7.5 guest on 02272018

Comment 44 Gu Nini 2018-02-27 10:32:58 UTC
Created attachment 1401275 [details]
Hardware smart card test in qemu cli with win2016 guest on 02272018

Comment 45 Gu Nini 2018-02-27 10:34:38 UTC
Created attachment 1401276 [details]
Software smart card test in qemu cli with rhel7.5 guest on 02272018

Comment 46 Gu Nini 2018-02-27 10:35:52 UTC
Created attachment 1401277 [details]
Software smart card test in qemu cli with win2016 guest on 02272018

Comment 56 Marc-Andre Lureau 2018-04-18 16:11:18 UTC
I take the responsibility to close this bug for now, as it has become too confusing and lost a real focus.

If you have a specific scenario that is supposed to work that doesn't, please open a new bug with as many details as possible about the setup.

If it involves a smartcard redirection through spice, it should be opened to the spice team first (which owns libcacard, and has real smartcard reader and CAC test hw), until it is clear which team can best help fix the bug.

For new requirements, regarding new cards or windows middleware etc, this should be handled by management first.

Thanks

Comment 58 Jakub Jelen 2018-04-19 07:23:22 UTC
This use case looks exactly like the one we are trying to solve in the bug #917867.
It is an issue of the libcacard and we hope we will address this in coming weeks.

Comment 59 Jakub Jelen 2018-05-31 11:27:06 UTC
Just a shot in the dark: I was recently fixing an issue in the USB CCID redirection that I encountered while working on libcacard, which might be causing this issue:

https://github.com/qemu/qemu/commit/8030dca

If you can reliably reproduce the bug, please, retry with qemu patched using the commit above.

