Red Hat Bugzilla – Bug 879890
qemu should not support the ccid-card-emulated device, should support ccid-card-passthru
Last modified: 2013-04-15 05:09:47 EDT
Description of problem:
qemu currently only supports ccid-card-passthru with hardware and certificates for usb-ccid, but does not support ccid-card-emulated with hardware and certificates for the usb-ccid device.
Version-Release number of selected component (if applicable):
# uname -r && rpm -q qemu-kvm
Steps to Reproduce:
1. Check that qemu does not support ccid-card-emulated.
# /usr/libexec/qemu-kvm -device ?
name "usb-ccid", bus USB, desc "CCID Rev 1.1 smartcard reader"
name "ccid-card-passthru", bus ccid-bus, desc "passthrough smartcard"
2. Fail to boot with ccid-card-emulated with hardware and certificates for the usb-ccid device.
- using ccid-card-emulated with hardware
<qemu-kvm-command-line>...-usb -device usb-ccid -device ccid-card-emualated...
- using ccid-card-emulated with certificates
<qemu-kvm-command-line>...-usb -device usb-ccid -device
Qemu should also support the ccid-card-emulated with hardware and certificates for usb-ccid device, not only ccid-card-passthru.
I did not check whether rhel7 supports ccid-card-emulated with hardware and certificates for the usb-ccid device. Should I clone this bug for rhel7 for tracing this issue to fix it correctly?
I think it has been left out intentionally because it is unsupported. Alon?
Why do you want to have it in? Are there Customer requests?
[ yes, rhel-6 and rhel-7 should be identical here, so if we decide to enable
it on rhel-6 we should do the same on rhel-7 ]
Yep, we don't want to support it, so we left it out. About why, I guess mainly less code = less qa, less bugs, etc. I'm not aware of any customer requests.
Use case for ccid is single-sign-on, which needs ccid-card-passthru so smartcard can be shared between host and guest.
So I'd say ccid-card-emulated should stay disabled on RHEL-7 too (unless there is customer demand).
So, just close/wontfix? Or do we have a tracker bug for device whitelist/blacklist?
There is a small problem; --disable-smartcard-nss also disables libcacard/vscclient and RHEL7 needs that.
So unless we add a separate toggle for ccid-card-emulated, we need to carry the device.
Once that is added upstream, please reassign this bug to mrezanin. If it's okay to keep ccid-card-emulated, close as WONTFIX.
Hmm. The actual smartcard emulation is in libcacard anyway, ccid-card-emulated is "only" the glue between libcacard and usb-ccid. So it might not be that bad after all to keep ccid-card-emulated, and it may be handy to have it for QE testing smartcard software in a virtual machine ...
I think it is more of a question for QE so that they can allocate their resources. Is there an actual use case for ccid-card-emulated apart from testing? Would we require separate testing for passthru and emulated? Is it possible to do the bulk of the tests on emulated and little more than smoke-testing passthru?
I think the most interesting use case for ccid-card-emulated is to test the guest code without a physical card reader, which allows easy autotest integration for example.
And, yes, I think we can reduce the passthru testing to guest-does-see-the-hardware level smoke testing (plus some hotplug tests) then.
Gerd, we already have support for hardware-less tests, using file-defined certificates:
ccid-card-passthru + remote-viewer --spice-smartcard-certificates cert1,cert2,cert3
There might be use cases for the emulated case - having certificates on the host and not the client.
Closing as wontfix.