Re: [libvirt] [PATCHv3 1/5] smartcard: add XML support for <smartcard> device

On Wed, Jan 26, 2011 at 05:49:36PM +0200, Alon Levy wrote: > On Wed, Jan 26, 2011 at 12:25:06PM +0000, Daniel P. Berrange wrote: > > On Tue, Jan 25, 2011 at 05:36:54PM -0700, Eric Blake wrote: > > > + <dl> > > > + <dt><code>mode='host'</code></dt> > > > + <dd>The simplest operation, where the hypervisor relays all > > > + requests from the guest into direct access to the host's > > > + smartcard via NSS. No other attributes or sub-elements are > > > + required. However, in cases where extra permissions must be > > > + granted to the hypervisor to access the host's smartcard device, > > > + an optional <code>&lt;source > > > + dev='/path/to/smartcard'/&gt;</code> element is supported. > > > + Also, see below about the use of an > > > + optional <code>&lt;address&gt;</code> sub-element.</dd> > > > > Based on the mail about pcscd, we don't want a device path here > > after all. > > > > > + <dt><code>mode='host-certificates'</code></dt> > > > + <dd>Rather than requiring a smartcard to be plugged into the > > > + host, it is possible to provide three files residing on the host > > > + and containing NSS certificates. These certificates can be > > > + generated via the command <code>certutil -d /etc/pki/nssdb -x -t > > > + CT,CT,CT -S -s CN=cert1 -n cert1</code>, and the resulting three > > > + files must be supplied as the content of each of > > > + three <code>&lt;certificate&gt;</code> sub-elements. An > > > + additional sub-element <code>&lt;database&gt;</code> can specify > > > + an additional file to use as the database.</dd> > > > > What does the 'database' do ? This concept is somewhat specific > > to the NSS library afaict - other crypto libraries don't have a > > database like this. > > > > Should we also have 'database' for the 'host' mode if we need one ? > > Yes, without it the usage of certificates is limited to the default certificate > store, and if anyone wants to run multiple qemu's with different certificates they > may want to put them into different dbs. It is currently (well, there is only > one backend currently, speaking tech wise certificates and emulated both use > NSS) NSS specific, but I think winscard (started investigating that) also has some > relevant concept. True that it might not fit. Still I think it's more useful with it. What does QEMU/NSS do with the certificate database ? Is it a readonly database, or does QEMU/NSS also write to this ? I'm wondering why we need to specify x509 certificates, as well as the certificate database ?

Daniel