[Pcsclite-muscle] Yubikey init failed
Robin Lambertz
robinlambertz+dev
Thu Feb 16 05:01:34 PST 2017
Hi,
First, thanks for the help and the swift reply :).
So I should note that the yubikey works fine when accessed directly on
the host, it only fails in the guest.
The virtualization software used by QubesOS is Xen. However, I found out
that it uses a "USB proxy"[0] to protect the system from DMA attacks.
They call it a "USB device passthrough using USBIP as a protocol, but
qrexec as link layer" (qrexec is qube's cross-vm communication layer).
What this means is that they tunnel a single USB device from the host to
the guest using the USBIP protocol (instead of assigning the whole bus
to the guest).
I tried using usbmon with wireshark as you suggested to find out more.
The logs of the guest and host are attached (they are the same session).
I'm not too sure what to make of it though. Clearly, the usb doesn't
seem to answer in time to the Get Slot Status request. It looks like it
times out after 100ms in both the guest and the host. Is it possible
that the USB proxy would add latency, causing the timeout ? And if so,
how can I increase this timeout ? I figured DEFAULT_COM_READ_TIMEOUT is
where the timeout is defined, but it is specified as 3000ms in the
source, whereas I timeout after 100ms, so I guess the timeout I'm seeing
comes from somewhere else ?
I also have made another wireshark log of what happens in the host when
accessing the yubikey directly from there (the scenario where the
yubikey works) in case that's useful.
I'm contacting the Qubes mailing list, maybe they have more insight into
what their usb proxy entails.
Again, thanks a lot for the help :)
Robin Lambertz
[0]: https://github.com/QubesOS/qubes-app-linux-usb-proxy
On 02/14/2017 09:48 AM, Maximilian Stein wrote:
> On 14.02.2017 01:53, Robin Lambertz wrote:
>> Hello,
> Hi
>
>> I'm trying to get my Yubikey NEO to work with GPG in an archlinux VM on
>> Qubes OS. Unfortunately, it seems that PCSCD is unable to work with my
>> yubikey, it doesn't appear when running pcsc_scan.
> This is probably a problem with your virtualisation software. I've found
> that certain constellations of VirtualBox do not play nicely together
> with non-mass-storage USB usage.
>
>> ReadUSB returns immediately with the TIMEOUT error (isn't that weird ?),
> Not at all, the first InterruptRead is just to clear the interrupt
> endpoint and therefore has a timeout of only 100ms, which expires in
> your logs.
>
>> while the WriteUSB times out after 5 seconds. I'm not sure what to do to
>> further debug this. Any hint as to what I could do to figure out where
>> the issue is coming from ?
> You could try to use a different virtualisation software or version,
> updating guest additions (in case of VirtualBox). You could try a newer
> kernel in the VM guest or a newer version of libusbx/libusb-1.0.
>
>
> To further debug the problem you could monitor the USB traffic inside
> the guest and on the host via usbmon [1]. Most probably you will see USB
> traffic coming back from the device on the host, but not inside the guest.
>
>
> Best regards and good luck,
> Maximilian Stein
>
> [1]https://www.kernel.org/doc/Documentation/usb/usbmon.txt
>
> _______________________________________________
> Pcsclite-muscle mailing list
> Pcsclite-muscle at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pcsclite-muscle/attachments/20170216/286507de/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: guest.pcap
Type: application/vnd.tcpdump.pcap
Size: 8471 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pcsclite-muscle/attachments/20170216/286507de/attachment-0003.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: host.pcap
Type: application/vnd.tcpdump.pcap
Size: 5231 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pcsclite-muscle/attachments/20170216/286507de/attachment-0004.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: host_direct_access.pcap
Type: application/vnd.tcpdump.pcap
Size: 22078 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pcsclite-muscle/attachments/20170216/286507de/attachment-0005.pcap>
More information about the pcsclite-muscle
mailing list