[Pcsclite-muscle] Yubikey init failed

Ludovic Rousseau ludovic.rousseau
Thu Feb 16 06:02:22 PST 2017

2017-02-16 14:01 GMT+01:00 Robin Lambertz <robinlambertz+dev at gmail.com>:
> Hi,


> First, thanks for the help and the swift reply :).
> So I should note that the yubikey works fine when accessed directly on
the host, it only fails in the guest.
> The virtualization software used by QubesOS is Xen. However, I found out
that it uses a "USB proxy"[0] to protect the system from DMA attacks. They
call it a "USB device passthrough using USBIP as a protocol, but qrexec as
link layer" (qrexec is qube's cross-vm communication layer). What this
means is that they tunnel a single USB device from the host to the guest
using the USBIP protocol (instead of assigning the whole bus to the guest).
> I tried using usbmon with wireshark as you suggested to find out more.
The logs of the guest and host are attached (they are the same session).
I'm not too sure what to make of it though. Clearly, the usb doesn't seem
to answer in time to the Get Slot Status request. It looks like it times
out after 100ms in both the guest and the host. Is it possible that the USB
proxy would add latency, causing the timeout ? And if so, how can I
increase this timeout ? I figured DEFAULT_COM_READ_TIMEOUT is where the
timeout is defined, but it is specified as 3000ms in the source, whereas I
timeout after 100ms, so I guess the timeout I'm seeing comes from somewhere
else ?

The 100 ms timeout comes from

Note that (from your initial logs) the device + VM + USBIP + etc. responded
in  2.614 ms to the first PC_to_RDR_GetSlotStatus command (command 0x65)

00000072 -> 000000 65 00 00 00 00 00 00 00 00 00
00002614 <- 000000 81 00 00 00 00 00 00 00 00 00

So latency or timeout may not really be the problem here.

>From your usbmon traces guest.pcap & host.pcap I see that, even on the
host, the device does not answer to the second and third
PC_to_RDR_GetSlotStatus commands.

> I also have made another wireshark log of what happens in the host when
accessing the yubikey directly from there (the scenario where the yubikey
works) in case that's useful.

>From your log host_direct_access.pcap it looks like the token worked in
this case.
Yes, that is useful. The problem does not come from the token firmware or
CCID driver.

> I'm contacting the Qubes mailing list, maybe they have more insight into
what their usb proxy entails.

I, also, suspect a problem in QubesOS.

> Again, thanks a lot for the help :)


 Dr. Ludovic Rousseau
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pcsclite-muscle/attachments/20170216/77ae899a/attachment.html>

More information about the pcsclite-muscle mailing list