From: oxr463@gmx.us
To: qemu-devel@nongnu.org
Subject: [PATCH] docs/ccid: convert to restructuredText
Date: Tue, 5 Apr 2022 14:29:06 +0000
Message-Id: <20220405142906.21382-1-oxr463@gmx.us>
Cc: peter.maydell@linaro.org, Lucas Ramage

From: Lucas Ramage

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/527
Signed-off-by: Lucas Ramage
Reviewed-by: Damien Hedde
---
 docs/ccid.txt                    | 182 -------------------------------
 docs/system/device-emulation.rst |   1 +
 docs/system/devices/ccid.rst     | 171 +++++++++++++++++++++++++++++
 3 files changed, 172 insertions(+), 182 deletions(-)
 delete mode 100644 docs/ccid.txt
 create mode 100644 docs/system/devices/ccid.rst

diff --git a/docs/ccid.txt b/docs/ccid.txt
deleted file mode 100644
index 2b85b1bd42..0000000000
--- a/docs/ccid.txt
+++ /dev/null
@@ -1,182 +0,0 @@ -QEMU CCID Device Documentation. - -Contents -1. USB CCID device -2. Building -3. Using ccid-card-emulated with hardware -4. Using ccid-card-emulated with certificates -5. Using ccid-card-passthru with client side hardware -6. Using ccid-card-passthru with client side certificates -7. Passthrough protocol scenario -8. libcacard - -1. USB CCID device - -The USB CCID device is a USB device implementing the CCID specification, w= hich -lets one connect smart card readers that implement the same spec. For more -information see the specification: - - Universal Serial Bus - Device Class: Smart Card - CCID - Specification for - Integrated Circuit(s) Cards Interface Devices - Revision 1.1 - April 22rd, 2005 - -Smartcards are used for authentication, single sign on, decryption in -public/private schemes and digital signatures. A smartcard reader on the c= lient -cannot be used on a guest with simple usb passthrough since it will then n= ot be -available on the client, possibly locking the computer when it is "removed= ". On -the other hand this device can let you use the smartcard on both the clien= t and -the guest machine. It is also possible to have a completely virtual smart = card -reader and smart card (i.e. not backed by a physical device) using this de= vice. - -2. Building - -The cryptographic functions and access to the physical card is done via the -libcacard library, whose development package must be installed prior to -building QEMU: - -In redhat/fedora: - yum install libcacard-devel -In ubuntu: - apt-get install libcacard-dev - -Configuring and building: - ./configure --enable-smartcard && make - - -3. Using ccid-card-emulated with hardware - -Assuming you have a working smartcard on the host with the current -user, using libcacard, QEMU acts as another client using ccid-card-emulate= d: - - qemu -usb -device usb-ccid -device ccid-card-emulated - - -4. 
Using ccid-card-emulated with certificates stored in files - -You must create the CA and card certificates. This is a one time process. -We use NSS certificates: - - mkdir fake-smartcard - cd fake-smartcard - certutil -N -d sql:$PWD - certutil -S -d sql:$PWD -s "CN=3DFake Smart Card CA" -x -t TC,TC,TC -n= fake-smartcard-ca - certutil -S -d sql:$PWD -t ,, -s "CN=3DJohn Doe" -n id-cert -c fake-sm= artcard-ca - certutil -S -d sql:$PWD -t ,, -s "CN=3DJohn Doe (signing)" --nsCertTyp= e smime -n signing-cert -c fake-smartcard-ca - certutil -S -d sql:$PWD -t ,, -s "CN=3DJohn Doe (encryption)" --nsCert= Type sslClient -n encryption-cert -c fake-smartcard-ca - -Note: you must have exactly three certificates. - -You can use the emulated card type with the certificates backend: - - qemu -usb -device usb-ccid -device ccid-card-emulated,backend=3Dcertif= icates,db=3Dsql:$PWD,cert1=3Did-cert,cert2=3Dsigning-cert,cert3=3Dencryptio= n-cert - -To use the certificates in the guest, export the CA certificate: - - certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-= ca - -and import it in the guest: - - certutil -A -d /etc/pki/nssdb -i fake-smartcard-ca.cer -t TC,TC,TC -n = fake-smartcard-ca - -In a Linux guest you can then use the CoolKey PKCS #11 module to access -the card: - - certutil -d /etc/pki/nssdb -L -h all - -It will prompt you for the PIN (which is the password you assigned to the -certificate database early on), and then show you all three certificates -together with the manually imported CA cert: - - Certificate Nickname Trust Attributes - fake-smartcard-ca CT,C,C - John Doe:CAC ID Certificate u,u,u - John Doe:CAC Email Signature Certificate u,u,u - John Doe:CAC Email Encryption Certificate u,u,u - -If this does not happen, CoolKey is not installed or not registered with -NSS. 
Registration can be done from Firefox or the command line: - - modutil -dbdir /etc/pki/nssdb -add "CAC Module" -libfile /usr/lib64/pk= cs11/libcoolkeypk11.so - modutil -dbdir /etc/pki/nssdb -list - - -5. Using ccid-card-passthru with client side hardware - -on the host specify the ccid-card-passthru device with a suitable chardev: - - qemu -chardev socket,server=3Don,host=3D0.0.0.0,port=3D2001,id=3Dccid,= wait=3Doff \ - -usb -device usb-ccid -device ccid-card-passthru,chardev=3Dccid - -on the client run vscclient, built when you built QEMU: - - vscclient 2001 - - -6. Using ccid-card-passthru with client side certificates - -This case is not particularly useful, but you can use it to debug -your setup if #4 works but #5 does not. - -Follow instructions as per #4, except run QEMU and vscclient as follows: -Run qemu as per #5, and run vscclient from the "fake-smartcard" -directory as follows: - - qemu -chardev socket,server=3Don,host=3D0.0.0.0,port=3D2001,id=3Dccid,= wait=3Doff \ - -usb -device usb-ccid -device ccid-card-passthru,chardev=3Dccid - vscclient -e "db=3D\"sql:$PWD\" use_hw=3Dno soft=3D(,Test,CAC,,id-cert= ,signing-cert,encryption-cert)" 2001 - - -7. Passthrough protocol scenario - -This is a typical interchange of messages when using the passthru card dev= ice. -usb-ccid is a usb device. It defaults to an unattached usb device on start= up. -usb-ccid expects a chardev and expects the protocol defined in -cac_card/vscard_common.h to be passed over that. -The usb-ccid device can be in one of three modes: - * detached - * attached with no card - * attached with card - -A typical interchange is: (the arrow shows who started each exchange, it c= an be client -originated or guest originated) - -client event | vscclient | passthru | usb-cc= id | guest event ---------------------------------------------------------------------------= -------------------- - | VSC_Init | | = | - | VSC_ReaderAdd | | attach= | - | | | = | sees new usb device. 
-card inserted -> | | | = | - | VSC_ATR | insert | insert= | see new card - | | | = | - | VSC_APDU | VSC_APDU | = | <- guest sends APDU -client<->physical | | | = | -card APDU exchange| | | = | -client response ->| VSC_APDU | VSC_APDU | = | receive APDU response - ... - [APDU<->APDU repeats several times] - ... -card removed -> | | | = | - | VSC_CardRemove | remove | remove = | card removed - ... - [(card insert, apdu's, card remove) re= peat] - ... -kill/quit | | | = | - vscclient | | | = | - | VSC_ReaderRemove | | detach = | - | | | = | usb device removed. - - -8. libcacard - -Both ccid-card-emulated and vscclient use libcacard as the card emulator. -libcacard implements a completely virtual CAC (DoD standard for smart -cards) compliant card and uses NSS to retrieve certificates and do -any encryption. The backend can then be a real reader and card, or -certificates stored in files. - -For documentation of the library see docs/libcacard.txt. - diff --git a/docs/system/device-emulation.rst b/docs/system/device-emulatio= n.rst index 0b3a3d73ad..ae8dd233e8 100644 --- a/docs/system/device-emulation.rst +++ b/docs/system/device-emulation.rst @@ -83,6 +83,7 @@ Emulated Devices :maxdepth: 1 devices/can.rst + devices/ccid.rst devices/ivshmem.rst devices/net.rst devices/nvme.rst diff --git a/docs/system/devices/ccid.rst b/docs/system/devices/ccid.rst new file mode 100644 index 0000000000..0290265a18 --- /dev/null +++ b/docs/system/devices/ccid.rst 
@@ -0,0 +1,171 @@ +Chip Card Interface Device (CCID) +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D + +USB CCID device +--------------- +The USB CCID device is a USB device implementing the CCID specification, w= hich +lets one connect smart card readers that implement the same spec. For more +information see the specification:: + + Universal Serial Bus + Device Class: Smart Card + CCID + Specification for + Integrated Circuit(s) Cards Interface Devices + Revision 1.1 + April 22rd, 2005 + +Smartcards are used for authentication, single sign on, decryption in +public/private schemes and digital signatures. A smartcard reader on the c= lient +cannot be used on a guest with simple usb passthrough since it will then n= ot be +available on the client, possibly locking the computer when it is "removed= ". On +the other hand this device can let you use the smartcard on both the clien= t and +the guest machine. It is also possible to have a completely virtual smart = card +reader and smart card (i.e. not backed by a physical device) using this de= vice. + +Building +-------- +The cryptographic functions and access to the physical card is done via the +libcacard library, whose development package must be installed prior to +building QEMU: + +In redhat/fedora:: + + yum install libcacard-devel + +In ubuntu:: + + apt-get install libcacard-dev + +Configuring and building:: + + ./configure --enable-smartcard && make + +Using ccid-card-emulated with hardware +-------------------------------------- +Assuming you have a working smartcard on the host with the current +user, using libcacard, QEMU acts as another client using ccid-card-emulate= d:: + + qemu -usb -device usb-ccid -device ccid-card-emulated + +Using ccid-card-emulated with certificates stored in files +---------------------------------------------------------- +You must create the CA and card certificates. This is a one time process. 
+We use NSS certificates:: + + mkdir fake-smartcard + cd fake-smartcard + certutil -N -d sql:$PWD + certutil -S -d sql:$PWD -s "CN=3DFake Smart Card CA" -x -t TC,TC,TC -n f= ake-smartcard-ca + certutil -S -d sql:$PWD -t ,, -s "CN=3DJohn Doe" -n id-cert -c fake-smar= tcard-ca + certutil -S -d sql:$PWD -t ,, -s "CN=3DJohn Doe (signing)" --nsCertType = smime -n signing-cert -c fake-smartcard-ca + certutil -S -d sql:$PWD -t ,, -s "CN=3DJohn Doe (encryption)" --nsCertTy= pe sslClient -n encryption-cert -c fake-smartcard-ca + +Note: you must have exactly three certificates. + +You can use the emulated card type with the certificates backend:: + + qemu -usb -device usb-ccid -device ccid-card-emulated,backend=3Dcertific= ates,db=3Dsql:$PWD,cert1=3Did-cert,cert2=3Dsigning-cert,cert3=3Dencryption-= cert + +To use the certificates in the guest, export the CA certificate:: + + certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca + +and import it in the guest:: + + certutil -A -d /etc/pki/nssdb -i fake-smartcard-ca.cer -t TC,TC,TC -n fa= ke-smartcard-ca + +In a Linux guest you can then use the CoolKey PKCS #11 module to access +the card:: + + certutil -d /etc/pki/nssdb -L -h all + +It will prompt you for the PIN (which is the password you assigned to the +certificate database early on), and then show you all three certificates +together with the manually imported CA cert:: + + Certificate Nickname Trust Attributes + fake-smartcard-ca CT,C,C + John Doe:CAC ID Certificate u,u,u + John Doe:CAC Email Signature Certificate u,u,u + John Doe:CAC Email Encryption Certificate u,u,u + +If this does not happen, CoolKey is not installed or not registered with +NSS. 
Registration can be done from Firefox or the command line:: + + modutil -dbdir /etc/pki/nssdb -add "CAC Module" -libfile /usr/lib64/pkcs= 11/libcoolkeypk11.so + modutil -dbdir /etc/pki/nssdb -list + +Using ccid-card-passthru with client side hardware +-------------------------------------------------- +On the host specify the ccid-card-passthru device with a suitable chardev:: + + qemu -chardev socket,server=3Don,host=3D0.0.0.0,port=3D2001,id=3Dccid,wa= it=3Doff \ + -usb -device usb-ccid -device ccid-card-passthru,chardev=3Dccid + +On the client run vscclient, built when you built QEMU:: + + vscclient 2001 + +Using ccid-card-passthru with client side certificates +------------------------------------------------------ +This case is not particularly useful, but you can use it to debug +your setup. + +Follow instructions above, except run QEMU and vscclient as follows. + +Run qemu as per above, and run vscclient from the "fake-smartcard" +directory as follows:: + + qemu -chardev socket,server=3Don,host=3D0.0.0.0,port=3D2001,id=3Dccid,wa= it=3Doff \ + -usb -device usb-ccid -device ccid-card-passthru,chardev=3Dccid + vscclient -e "db=3D\"sql:$PWD\" use_hw=3Dno soft=3D(,Test,CAC,,id-cert,s= igning-cert,encryption-cert)" 2001 + + +Passthrough protocol scenario +----------------------------- +This is a typical interchange of messages when using the passthru card dev= ice. +usb-ccid is a usb device. It defaults to an unattached usb device on start= up. +usb-ccid expects a chardev and expects the protocol defined in +cac_card/vscard_common.h to be passed over that. 
+The usb-ccid device can be in one of three modes: +* detached +* attached with no card +* attached with card + +A typical interchange is (the arrow shows who started each exchange, it ca= n be client +originated or guest originated):: + + client event | vscclient | passthru | us= b-ccid | guest event + ------------------------------------------------------------------------= ------------------------ + | VSC_Init | | = | + | VSC_ReaderAdd | | at= tach | + | | | = | sees new usb device. + card inserted -> | | | = | + | VSC_ATR | insert | in= sert | see new card + | | | = | + | VSC_APDU | VSC_APDU | = | <- guest sends APDU + client <-> physical | | | = | + card APDU exchange | | | = | + client response -> | VSC_APDU | VSC_APDU | = | receive APDU response + ... + [APDU<->APDU repeats several times] + ... + card removed -> | | | = | + | VSC_CardRemove | remove | rem= ove | card removed + ... + [(card insert, apdu's, card remove= ) repeat] + ... + kill/quit | | | = | + vscclient | | | = | + | VSC_ReaderRemove | | det= ach | + | | | = | usb device removed. + +libcacard +--------- +Both ccid-card-emulated and vscclient use libcacard as the card emulator. +libcacard implements a completely virtual CAC (DoD standard for smart +cards) compliant card and uses NSS to retrieve certificates and do +any encryption. The backend can then be a real reader and card, or +certificates stored in files. + -- 2.34.1
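Review bot: the last line of the removed docs/ccid.txt, `For documentation of the library see docs/libcacard.txt.`, has no counterpart in the new ccid.rst, so the conversion silently drops the only pointer to the library documentation. Either carry it over into the libcacard section of the new file (as a `:doc:` reference if that document has also been converted), or say in the commit message that the reference was dropped on purpose because the target no longer exists. Apart from that the removal is a straight move: every section of the old text reappears in the new file; only the numbered contents list and the `#4`/`#5` cross-references are gone.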
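Review bot: in the new ccid.rst the bullet list under `The usb-ccid device can be in one of three modes:` follows the paragraph without a blank line, so docutils will not recognise it as a list and the three `* ...` lines render as one run-on paragraph; insert an empty line before `* detached`. Two smaller points while touching this file: `April 22rd, 2005` in the specification citation is carried over from the old text and should read `April 22nd, 2005`; and replacing `if #4 works but #5 does not` with `debug your setup` loses a useful condition that could be kept with explicit rst section references now that the section numbers are gone.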