Re: [libvirt] [PATCHv3 1/5] smartcard: add XML support for <smartcard> device
On Tue, Jan 25, 2011 at 05:36:54PM -0700, Eric Blake wrote:
+ <dl>
+ <dt><code>mode='host'</code></dt>
+ <dd>The simplest operation, where the hypervisor relays all
+ requests from the guest into direct access to the host's
+ smartcard via NSS. No other attributes or sub-elements are
+ required. However, in cases where extra permissions must be
+ granted to the hypervisor to access the host's smartcard device,
+ an optional <code><source
+ dev='/path/to/smartcard'/></code> element is supported.
+ Also, see below about the use of an
+ optional <code><address></code> sub-element.</dd>
Based on the mail about pcscd, we don't want a device path here
after all.
+
<dt><code>mode='host-certificates'</code></dt>
+ <dd>Rather than requiring a smartcard to be plugged into the
+ host, it is possible to provide three files residing on the host
+ and containing NSS certificates. These certificates can be
+ generated via the command <code>certutil -d /etc/pki/nssdb -x -t
+ CT,CT,CT -S -s CN=cert1 -n cert1</code>, and the resulting three
+ files must be supplied as the content of each of
+ three <code><certificate></code> sub-elements. An
+ additional sub-element <code><database></code> can
specify
+ an additional file to use as the database.</dd>
What does the 'database' do ? This concept is somewhat specific
to the NSS library afaict - other crypto libraries don't have a
database like this.
Should we also have 'database' for the 'host' mode if we need one ?
Regards,
Daniel