Bug 917860 - Smartcard emulation with Windows guest fails
Summary: Smartcard emulation with Windows guest fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.5
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Alon Levy
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 965152 997544 1005081
TreeView+ depends on / blocked
 
Reported: 2013-03-04 23:35 UTC by Marc-Andre Lureau
Modified: 2013-12-05 09:48 UTC (History)
13 users (show)

Fixed In Version: qemu-kvm-0.12.1.2-2.385.el6
Doc Type: Bug Fix
Doc Text:
* Previously, smart card emulation with a Microsoft Windows guest in versions XP, 2003 and 7 failed due to inconsistent Answer To Reset (ATR) file length with a smart card I/O device error. This update creates an ATR file length with appropriate historical bytes, and disables USB signaling when necessary. Now, smart card emulation is possible, and failures no longer occur in the aforementioned scenario.
Clone Of:
: 997544 1005081 (view as bug list)
Environment:
Last Closed: 2013-11-21 06:42:13 UTC
Target Upstream Version:


Attachments (Terms of Use)
system error for windows with smart card (173.69 KB, image/png)
2013-05-08 02:19 UTC, Qunfang Zhang
no flags Details
screenshot of problematic smart card (392.73 KB, image/png)
2013-05-10 08:39 UTC, Chao Yang
no flags Details
windows event log (143.60 KB, text/x-log)
2013-08-15 09:32 UTC, Chao Yang
no flags Details
qemu log with adding debug=10 to usb-ccid and ccid-card-passthru (19.60 KB, text/x-log)
2013-08-19 04:46 UTC, Chao Yang
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1553 normal SHIPPED_LIVE Important: qemu-kvm security, bug fix, and enhancement update 2013-11-20 21:40:29 UTC

Description Marc-Andre Lureau 2013-03-04 23:35:31 UTC
Description of problem:

Windows doesn't let applications talk to the smartcard (tried XP, 2003 and 7)

Version-Release number of selected component (if applicable):
current (0.12.1.2-2.355), qemu upstream 

How reproducible:
always

Steps to Reproduce:
1. using smartcard emulation, windows guest
2. check windows event viewer / System errors
2. and/or run application accessing winscard (ex: ESC or smactty)
  
Actual results:
Inconsistent ATR length & smartcard IO error

Expected results:
Working smartcard

Additional info:
The main fixes are fixing the ATR, and disabling USB signaling in dwFeatures

Comment 2 William van de Velde 2013-05-06 11:09:23 UTC
Same issue here. The coolkey driver on a linux host works fine but not on windows 7 32bit.

Regards,
William

Comment 4 William van de Velde 2013-05-06 11:24:14 UTC
Is there an updated rpm available to test?

Regards,
William

Comment 11 Qunfang Zhang 2013-05-08 02:19:21 UTC
Created attachment 744955 [details]
system error for windows with smart card

Comment 14 Chao Yang 2013-05-10 08:38:02 UTC
Reproduced on qemu-kvm-0.12.1.2-2.355.el6.x86_64 by running a win-7 32bit guest. Inconsistent ATR length was observed. And snapshot will be attached.

CLI:
/usr/libexec/qemu-kvm -name test -M rhel6.4.0 -enable-kvm -cpu cpu64-rhel6 -m 2048 -smp 2,sockets=2,cores=1,threads=1 -nodefaults -netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:42:76:36,bus=pci.0 -k en-us -vga qxl -spice port=7000,disable-ticketing -chardev spicevmc,name=smartcard,id=ccid -device usb-ccid -device ccid-card-passthru,chardev=ccid -usb -monitor stdio -boot menu=on -drive file=/home/win7.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native -device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0

Connect to qemu-kvm on a F18 system:
$ remote-viewer --spice-smartcard spice://$IP:7000

Comment 15 Chao Yang 2013-05-10 08:39:51 UTC
Created attachment 745991 [details]
screenshot of problematic smart card

Comment 21 Chao Yang 2013-08-15 09:31:06 UTC
This issue is reproducible with qemu-kvm-0.12.1.2-2.393.el6.x86_64. Below is the related logs:

Event[344]:
  Log Name: System
  Source: WudfUsbccidDriver
  Date: 2013-08-15T08:21:50.328
  Event ID: 1
  Task: Driver
  Level: Error
  Opcode: General
  Keyword: N/A
  User: S-1-5-19
  User Name: NT AUTHORITY\LOCAL SERVICE
  Computer: test-PC
  Description:
An operation has failed (0x9, 0x0, 0x0, 0x0).
UpdateCardCapabilities: Inconsistent ATR length.
HResult: {Unknown Disk Format}
The disk in drive %hs is not formatted properly.
Please check the disk, and reformat if necessary.

Event[348]:
  Log Name: System
  Source: Microsoft-Windows-Smartcard-Server
  Date: 2013-08-15T08:26:27.000
  Event ID: 610
  Task: N/A
  Level: Error
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: test-PC
  Description:
Smart Card Reader 'QEMU 0.12.1 QEMU USB CCID 0' rejected IOCTL POWER: The smart card is not responding to a reset.  If this error persists, your smart card or reader may not be functioning correctly.


CLI:
/usr/libexec/qemu-kvm -name test -M rhel6.4.0 -enable-kvm -cpu cpu64-rhel6 -m 2048 -smp 2,sockets=2,cores=1,threads=1 -nodefaults -netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:42:76:36,bus=pci.0 -k en-us -vga qxl -spice port=7000,disable-ticketing -chardev spicevmc,name=smartcard,id=ccid -device usb-ccid -device ccid-card-passthru,chardev=ccid -usb -monitor stdio -boot menu=on -drive file=/home/win7.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native -device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0

Comment 22 Chao Yang 2013-08-15 09:32:27 UTC
Created attachment 786876 [details]
windows event log

Comment 23 Chao Yang 2013-08-15 09:36:02 UTC
Hi Alon,
 Can you please take a look at Comment 21 22? Thanks,

Comment 24 Alon Levy 2013-08-15 09:56:11 UTC
You need to use the latest libcacard too (that's where the ATR is coming from) which is used by the client. Unfortunately I missed this fact and didn't package it yet for RHEL. I'll add a bug and mark this as blocked by that.

Comment 25 Alon Levy 2013-08-15 17:31:00 UTC
(In reply to Alon Levy from comment #24)
> You need to use the latest libcacard too (that's where the ATR is coming
> from) which is used by the client. Unfortunately I missed this fact and
> didn't package it yet for RHEL. I'll add a bug and mark this as blocked by
> that.

Actually, despite having now a new version of libcacard, it seems the existing libcacard in rhel 6.4 (libcacard-0.15.0-2.el6.x86_64) works. So I'm no longer sure I need to do a new rhel 6.5 and rhel 6.4.z libcacard release. Could you please tell me which version of libcacard did you use in the client? I assume you used remote-viewer, since that's the client we support.

Thanks,
Alon

Comment 26 Chao Yang 2013-08-16 02:38:59 UTC
(In reply to Alon Levy from comment #25)
> (In reply to Alon Levy from comment #24)
> > You need to use the latest libcacard too (that's where the ATR is coming
> > from) which is used by the client. Unfortunately I missed this fact and
> > didn't package it yet for RHEL. I'll add a bug and mark this as blocked by
> > that.
> 
> Actually, despite having now a new version of libcacard, it seems the
> existing libcacard in rhel 6.4 (libcacard-0.15.0-2.el6.x86_64) works. So I'm
> no longer sure I need to do a new rhel 6.5 and rhel 6.4.z libcacard release.
> Could you please tell me which version of libcacard did you use in the
> client? I assume you used remote-viewer, since that's the client we support.
> 
I updated libcacard to latest one in F18 - libcacard-1.2.2-11.fc18.x86_64. Then connect through remote-viewer with --spice-smartcard, ATR error disappeared. And smart card service entered the running state in Event Viewer -> Windows Logs -> System . But I could not format/enroll in ESC, these buttons were grey and could not be clicked. Diagnostics told me:
***Active Smart Card Details***
Number of Smart Card Detected: 0

***Smart Card Activity***
[8/16/2013 2:24:20 AM] NSS system initialized successfully!

> Thanks
> Alon

Comment 27 Qunfang Zhang 2013-08-16 02:54:49 UTC
(In reply to chayang from comment #26)
> (In reply to Alon Levy from comment #25)
> > (In reply to Alon Levy from comment #24)
> > > You need to use the latest libcacard too (that's where the ATR is coming
> > > from) which is used by the client. Unfortunately I missed this fact and
> > > didn't package it yet for RHEL. I'll add a bug and mark this as blocked by
> > > that.
> > 
> > Actually, despite having now a new version of libcacard, it seems the
> > existing libcacard in rhel 6.4 (libcacard-0.15.0-2.el6.x86_64) works. So I'm
> > no longer sure I need to do a new rhel 6.5 and rhel 6.4.z libcacard release.
> > Could you please tell me which version of libcacard did you use in the
> > client? I assume you used remote-viewer, since that's the client we support.
> > 
> I updated libcacard to latest one in F18 - libcacard-1.2.2-11.fc18.x86_64.
> Then connect through remote-viewer with --spice-smartcard, ATR error
> disappeared. And smart card service entered the running state in Event
> Viewer -> Windows Logs -> System . But I could not format/enroll in ESC,
> these buttons were grey and could not be clicked. Diagnostics told me:
> ***Active Smart Card Details***
> Number of Smart Card Detected: 0
> 
> ***Smart Card Activity***
> [8/16/2013 2:24:20 AM] NSS system initialized successfully!
> 
> > Thanks
> > Alon

Hi, chayang

How about the rhel6.4 libcacard-0.15.0-2.el6.x86_64 mentioned by Alon? As we suggest to use the RHEL version the the client related packages.

Comment 28 Chao Yang 2013-08-16 03:16:21 UTC
And I tested with rhel remote-viewer and libcacard as well. The light didn't appear at all when connecting with remote-viewer.

Comment 29 Chao Yang 2013-08-16 03:18:33 UTC
(In reply to chayang from comment #28)
> And I tested with rhel remote-viewer and libcacard as well. The light didn't
> appear at all when connecting with remote-viewer.

Packages tested:
virt-viewer-0.5.6-7.el6.x86_64
libcacard-0.15.0-2.el6.x86_64

Comment 30 Alon Levy 2013-08-18 09:10:04 UTC
(In reply to chayang from comment #29)
> (In reply to chayang from comment #28)
> > And I tested with rhel remote-viewer and libcacard as well. The light didn't
> > appear at all when connecting with remote-viewer.
> 
> Packages tested:
> virt-viewer-0.5.6-7.el6.x86_64
> libcacard-0.15.0-2.el6.x86_64

Which card are you testing? does the card work with the client computer? does it work using coolkey? I'm testing using a simulated card using the --spice-smartcard-certificates option, with the same libcacard version and 0.5.6-6 virt-viewer.

Could you arrange for me to have access to your machine to run virt-viewer on it? I don't have a working card at the moment.

Comment 31 Alon Levy 2013-08-18 14:58:03 UTC
I've created http://koji.fedoraproject.org/koji/buildinfo?buildID=457274 , a fedora update, and I'll do the RHEL libcacard update tomorrow hopefully, as soon as I have all acks. The fedora update should be available in updates-testing tomorrow hopefully too. Please let me know if the fedora update allows you to remote a card to a windows 7 guest from a fedora 19 client, or not, and if not please set SPICE_DEBUG=1 and G_MESSAGES_DEBUG=all and in the guest add debug=10 for the ccid device and the passthru devices, and capture the output of both client and vm.

Comment 32 Chao Yang 2013-08-19 03:06:10 UTC
(In reply to Alon Levy from comment #30)
> (In reply to chayang from comment #29)
> > (In reply to chayang from comment #28)
> > > And I tested with rhel remote-viewer and libcacard as well. The light didn't
> > > appear at all when connecting with remote-viewer.
> > 
> > Packages tested:
> > virt-viewer-0.5.6-7.el6.x86_64
> > libcacard-0.15.0-2.el6.x86_64
> 
> Which card are you testing? does the card work with the client computer?
> does it work using coolkey? I'm testing using a simulated card using the
> --spice-smartcard-certificates option, with the same libcacard version and
> 0.5.6-6 virt-viewer.
> 
I tested this in a real windows 7 64-bit system. MSC could detect smart card, including 'Key ID', 'Status', 'Issuer' and so on. And 'Format', 'Reset Password' buttons are available to me.

Details In Device Manager:
e-gate Virtual Reader Enumerators
|
 ---e-gate Virtual Reader Enumerator

Smart card readers
|
 ---SCR3310 USB Smart Card Reader
Smart cards
|
 ---ActivIdentity Mini Driver(Gemalto Cyberflex Access 64K V2c)

> Could you arrange for me to have access to your machine to run virt-viewer
> on it? I don't have a working card at the moment.

Comment 33 Chao Yang 2013-08-19 04:45:12 UTC
(In reply to Alon Levy from comment #31)
> I've created http://koji.fedoraproject.org/koji/buildinfo?buildID=457274 , a
> fedora update, and I'll do the RHEL libcacard update tomorrow hopefully, as
> soon as I have all acks. The fedora update should be available in
> updates-testing tomorrow hopefully too. Please let me know if the fedora
> update allows you to remote a card to a windows 7 guest from a fedora 19
> client, or not, and if not please set SPICE_DEBUG=1 and G_MESSAGES_DEBUG=all
> and in the guest add debug=10 for the ccid device and the passthru devices,
> and capture the output of both client and vm.

I have updated libcacard in F19 to the one you provided in above link. I set SPICE_DEBUG=1 and G_MESSAGES_DEBUG=all in client, and debug=10 for the ccid device and the passthru devices. But there is no log captured in client, I only captured output of VM. Please check attachment.

Comment 34 Chao Yang 2013-08-19 04:46:45 UTC
Created attachment 787878 [details]
qemu log with adding debug=10 to usb-ccid and ccid-card-passthru

Comment 35 Chao Yang 2013-08-19 08:07:15 UTC
output from rhel6.5 host with Smart Card Reader plugged in.
# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Comment 36 Chao Yang 2013-08-20 10:00:43 UTC
Hi Marc-Andre, 
 Can you please retest with qemu-kvm-0.12.1.2-2.385.el6 and later? Thanks in advance.

Comment 37 Marc-Andre Lureau 2013-08-20 18:35:34 UTC
(In reply to chayang from comment #36)
> Hi Marc-Andre, 
>  Can you please retest with qemu-kvm-0.12.1.2-2.385.el6 and later? Thanks in
> advance.

After struggling with my rhel, I finally managed to verify with qemu-kvm-0.12.1.2-2.389.el6.x86_64.

Note that I use a libcacard built from qemu git, as the version in fc19 isn't good enough.

Comment 38 Alon Levy 2013-08-20 19:45:39 UTC
(In reply to Marc-Andre Lureau from comment #37)
> (In reply to chayang from comment #36)
> > Hi Marc-Andre, 
> >  Can you please retest with qemu-kvm-0.12.1.2-2.385.el6 and later? Thanks in
> > advance.
> 
> After struggling with my rhel, I finally managed to verify with
> qemu-kvm-0.12.1.2-2.389.el6.x86_64.
> 
> Note that I use a libcacard built from qemu git, as the version in fc19
> isn't good enough.

There is an update (it should be in updates-testing) 1.4.2-7 iirc, could you test that? (the latest, from this week).

Thanks,
Alon

Comment 39 Marc-Andre Lureau 2013-08-21 13:14:05 UTC
(In reply to Alon Levy from comment #38)

> There is an update (it should be in updates-testing) 1.4.2-7 iirc, could you
> test that? (the latest, from this week).
> 

I confirm, it works.

Comment 40 Chao Yang 2013-08-23 04:56:01 UTC
(In reply to Marc-Andre Lureau from comment #39)
> (In reply to Alon Levy from comment #38)
> 
> > There is an update (it should be in updates-testing) 1.4.2-7 iirc, could you
> > test that? (the latest, from this week).
> > 
> 
> I confirm, it works.

Hi, Marc-Andre
 I would be grateful if you could provide with qemu-kvm cli, and remote-viewer cli as well. If you used physical smartcard, can you please also offer the vendor/model of smartcard?

Comment 41 Marc-Andre Lureau 2013-08-23 11:26:40 UTC
(In reply to chayang from comment #40)
> Hi, Marc-Andre
>  I would be grateful if you could provide with qemu-kvm cli, and
> remote-viewer cli as well. If you used physical smartcard, can you please
> also offer the vendor/model of smartcard?

I don't have physical smartcard, so I use "NSS software smartcard", as described in this page: http://spice-space.org/page/SmartcardUsage. Once NSS can read the certficates, the smartcard emulation should give the same results, either from hw smartcard or files certificates. Emulation used to fail, and I verified it works now.

Comment 43 William van de Velde 2013-08-27 15:50:26 UTC
Hi,

i could give our smartcard a test (aet). But i would need access to an rpm package available for rhel 6.4 is there a package available?

Regards,
William

Comment 44 Ademar Reis 2013-08-28 14:26:15 UTC
(In reply to William van de Velde from comment #43)
>
> i could give our smartcard a test (aet). But i would need access to an rpm
> package available for rhel 6.4 is there a package available?
> 

Hi William. The package has been built and is going through our QA process, but unfortunately we can't distribute our development packages before they go through our QA, get proper gpg signatures and documentation via the errata.

If this issue is critical or in any way time sensitive to you or your organization, please raise a ticket through your regular Red Hat support channels so that they can give you a hotfix for testing (please point them to this bug). 

For information on how to contact the Red Hat production support team, please visit: https://www.redhat.com/support/process/production/#howto

Comment 46 Chao Yang 2013-08-29 08:26:29 UTC
Based on Comment 14, 37, 39, 42, this bug has been fixed.

Comment 48 Alon Levy 2013-09-02 09:07:27 UTC
fixed typo - Input/Output, not I/0 (I/zero).

Comment 49 errata-xmlrpc 2013-11-21 06:42:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1553.html


Note You need to log in before you can comment on or make changes to this bug.