Re: [libvirt] [RFC PATCHv2 3/5] smartcard: add XML support for <smartcard> device
On Fri, Jan 14, 2011 at 10:22:19AM -0700, Eric Blake wrote:
On 01/14/2011 05:24 AM, Daniel P. Berrange wrote:
> On Thu, Jan 13, 2011 at 05:34:35PM -0700, Eric Blake wrote:
>> Assuming a hypervisor that supports multiple smartcard devices in the
>> guest, this would be a valid XML description:
>
> This looks pretty reasonable, but is going to require additions
> to the security driver code. In the SetAllLabel method of the
> security drivers you'll need to iterate over all smartcards.
Good catch. I'm working on that portion now. I've gone ahead and
pushed 1 and 2, given that they were straight ack and were preliminary
patches useful even without smartcard support.
>
>>
>> <devices>
>> <smartcard mode='host'/>
>
> I guess there is some /dev/smartcard device that needs to
> be accessed and thus labelled here ?
I'm not sure. Alon, since -device ccid-card-emulated makes qemu use NSS
to access the host's smartcard, do we need to add any particular
permissions to a device file to allow qemu access to the host device
(and if so, is it /dev/smartcard or something else on the host)?
The host, in the non certificates backed card case, would have some smartcard
reader device, I've tested using CCID devices (the same device I'm emulating),
which is a USB device, so the device file in question is
/dev/bus/usb/<busnum>/<devicenum>
and qemu would need permissions to access that. There are serial port connected
readers I think too, so /dev/ttyS*. How would you determine the exact files?
you could maybe try to find out which devices NSS accesses? I'll try to
find some command (maybe certutil) or example with NSS to access this information.
> ACK for the patch
Even though patch 3 is just docs, I'll hold off pushing this until I've
completed incorporating the security driver fixes as well.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org