On 2015-04-29 11:41, Alon Levy wrote:
On 04/29/2015 02:20 PM, roky@xxxxxxxxxxxxxxx wrote:
Hi. I am trying to get a virtual smartcard attached to a vm but I want
it to use GPG instead of NSS. RedHat focuses on NSS because of PKCS#11
requirements and FIPS approval, but for most of the community it's GPG
that matters for smartcards.
Is it possible to use GPG on the host instead of NSS with virtual
smartcards? Please document how or add support for it.
Does using a virtual smartcard make the host less secure from a rogue
vm?
If there are bugs in GPG/NSS backend on the host can they be abused by
untrusted code in the vm?
There are two implementations, one is passthrough and another uses a
virtual card on the client side, both end up using the client NSS APIs
for access to the hardware card, assuming in your case host=client then
there is no more or less propensity for abuse than launching any local
program (with the same credentials as the spice viewer).
Does the mode with the virtual card on the client side still require use
of a physical smartcard? I thought it read encryption secrets stored on
the host but presented them to the guest securely in the manner of a
virtual smartcard device.
The host certificates mode implies it.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sub-section-libvirt-dom-xml-devices-smartcard.html
"This mode allows you to provide three NSS certificate names residing in
a database on the host physical machine, rather than requiring a
smartcard to be plugged into the host physical machine. These
certificates can be generated via the command certutil -d /etc/pki/nssdb
-x -t CT,CT,CT -S -s CN=cert1 -n cert1, and the resulting three
certificate names must be supplied as the content of each of three
certificate sub-elements."
It also gave me the idea that changing the path from /etc/pki/nssdb to
gpg's pubkeyring is probable?
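For reference, the domain XML that selects the host-certificates mode quoted above, added here as an illustration and not taken from the thread or from the libvirt documentation verbatim; it assumes three certificates nicknamed cert1, cert2 and cert3 were created with the quoted certutil command (re-run with -s CN=cert2 -n cert2 and -s CN=cert3 -n cert3) in the host's /etc/pki/nssdb.

```xml
<!-- Added example: libvirt <smartcard> device in host-certificates mode.
     Assumption: cert1..cert3 exist in the NSS database /etc/pki/nssdb
     on the host (check with: certutil -d /etc/pki/nssdb -L). -->
<devices>
  <smartcard mode='host-certificates'>
    <!-- One NSS certificate nickname per element; exactly three are
         required, matching the "three certificate sub-elements" above. -->
    <certificate>cert1</certificate>
    <certificate>cert2</certificate>
    <certificate>cert3</certificate>
    <!-- Directory of the NSS cert/key database the emulated card reads.
         It is an NSS database path, not a keyring file, so pointing it
         at a GPG pubring would not be understood by this mode. -->
    <database>/etc/pki/nssdb</database>
  </smartcard>
</devices>
```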
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel