On Wed, Jan 26, 2011 at 12:25:06PM +0000, Daniel P. Berrange wrote:
On Tue, Jan 25, 2011 at 05:36:54PM -0700, Eric Blake wrote:
> + <dl>
> + <dt><code>mode='host'</code></dt>
> + <dd>The simplest operation, where the hypervisor relays all
> + requests from the guest into direct access to the host's
> + smartcard via NSS. No other attributes or sub-elements are
> + required. However, in cases where extra permissions must be
> + granted to the hypervisor to access the host's smartcard device,
> + an optional <code><source
> + dev='/path/to/smartcard'/></code> element is supported.
> + Also, see below about the use of an
> + optional <code><address></code>
sub-element.</dd>
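Review bot: the optional `<source dev='/path/to/smartcard'/>` element documented in this hunk for mode='host' should be dropped, together with the sentence about granting the hypervisor extra permissions on the host's smartcard device: the reply immediately below says that, based on the pcscd discussion, no device path is wanted here, and the documentation should not advertise a permission-widening attribute the backend will not use.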
Based on the mail about pcscd, we don't want a device path here
after all.
> +
<dt><code>mode='host-certificates'</code></dt>
> + <dd>Rather than requiring a smartcard to be plugged into the
> + host, it is possible to provide three files residing on the host
> + and containing NSS certificates. These certificates can be
> + generated via the command <code>certutil -d /etc/pki/nssdb -x -t
> + CT,CT,CT -S -s CN=cert1 -n cert1</code>, and the resulting three
> + files must be supplied as the content of each of
> + three <code><certificate></code> sub-elements. An
> + additional sub-element <code><database></code> can
specify
> + an additional file to use as the database.</dd>
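Review bot: the certutil command in this hunk creates a single self-signed certificate (-x, nickname cert1 via -n) and adds it to the database named by -d (-S); it does not produce three files, so "the resulting three files" is misleading. Either show the command run three times with distinct -s/-n values or state plainly what each `<certificate>` element carries (the nickname in the database or the exported certificate). It is also worth saying that -t CT,CT,CT marks the certificate as a trusted CA for every use, so pointing -d (and the `<database>` element) at a dedicated directory rather than the shared /etc/pki/nssdb keeps that trust from being visible to other NSS users on the host.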
What does the 'database' do? This concept is somewhat specific
to the NSS library afaict - other crypto libraries don't have a
database like this.
Should we also have 'database' for the 'host' mode if we need one ?
Yes, without it the usage of certificates is limited to the default certificate
store, and if anyone wants to run multiple qemus with different certificates they
may want to put them into different dbs. It is currently (well, there is only
one backend currently; speaking tech-wise, certificates and emulated both use
NSS) NSS specific, but I think winscard (started investigating that) also has some
relevant concept. True that it might not fit. Still I think it's more useful with it.
Regards,
Daniel
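As an added illustration of the element rules the documentation patch describes (example code written for this thread, not libvirt's own parser), the following checks a `<smartcard>` fragment: mode='host' takes no `<source dev>` sub-element, and mode='host-certificates' needs exactly three `<certificate>` elements plus an optional `<database>`. Accepting `<address>` in both modes and the sample file paths are assumptions.

```python
"""Added example (not libvirt code): check a <smartcard> domain-XML fragment
against the rules described in the documentation patch in this thread."""
import xml.etree.ElementTree as ET

# Constructed sample fragments; mode values and sub-element names come from the
# patch text, the paths and nicknames are made up for the example.
GOOD_HOST = "<smartcard mode='host'/>"
HOST_WITH_DEV = "<smartcard mode='host'><source dev='/dev/hypothetical'/></smartcard>"
GOOD_CERTS = ("<smartcard mode='host-certificates'>"
              "<certificate>cert1</certificate><certificate>cert2</certificate>"
              "<certificate>cert3</certificate><database>/etc/pki/nssdb-vm1</database>"
              "</smartcard>")
TWO_CERTS = ("<smartcard mode='host-certificates'>"
             "<certificate>cert1</certificate><certificate>cert2</certificate></smartcard>")


def check_smartcard(xml_text):
    """Return a list of problems found; an empty list means the fragment is acceptable."""
    problems = []
    try:
        node = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if node.tag != "smartcard":
        return ["root element must be <smartcard>, got <%s>" % node.tag]
    mode = node.get("mode")
    children = [c.tag for c in node]
    if mode == "host":
        # Host mode relays to the host smartcard via NSS; per the review, no
        # <source dev=...> path is wanted, so only <address> is accepted (assumption).
        for tag in children:
            if tag != "address":
                problems.append("mode='host' does not take a <%s> sub-element" % tag)
    elif mode == "host-certificates":
        certs = [c.text or "" for c in node if c.tag == "certificate"]
        if len(certs) != 3:
            problems.append("mode='host-certificates' needs exactly 3 <certificate> "
                            "elements, found %d" % len(certs))
        if any(not c.strip() for c in certs):
            problems.append("every <certificate> must have non-empty content")
        if len([c for c in node if c.tag == "database"]) > 1:
            problems.append("at most one <database> element is allowed")
        for tag in children:
            if tag not in ("certificate", "database", "address"):
                problems.append("unexpected sub-element <%s>" % tag)
    else:
        problems.append("unknown or missing mode %r" % mode)
    return problems
```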