On 04/29/2015 09:22 PM, roky@xxxxxxxxxxxxxxx wrote:
> On 2015-04-29 11:41, Alon Levy wrote:
>> On 04/29/2015 02:20 PM, roky@xxxxxxxxxxxxxxx wrote:
>>> Hi. I am trying to get a virtual smartcard attached to a VM but I want
>>> it to use GPG instead of NSS. Red Hat focuses on NSS because of PKCS#11
>>> requirements and FIPS approval, but for most of the community it's GPG
>>> that matters for smartcards.
>>>
>>> Is it possible to use GPG on the host instead of NSS with virtual
>>> smartcards? Please document how or add support for it.
>>>
>>> Does using a virtual smartcard make the host less secure from a rogue VM?
>>> If there are bugs in the GPG/NSS backend on the host, can they be abused by
>>> untrusted code in the VM?
>>
>> There are two implementations, one is passthrough and another uses a
>> virtual card on the client side, both end up using the client NSS APIs
>> for access to the hardware card, assuming in your case host=client then
>> there is no more or less propensity for abuse than launching any local
>> program (with the same credentials as the spice viewer).
>>
>
> Does the mode with the virtual card on the client side still require use
> of a physical smartcard? I thought it read encryption secrets stored on
> the host but presented them to the guest securely in the manner of a
> virtual smartcard device.
>
> The host certificates mode implies it.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sub-section-libvirt-dom-xml-devices-smartcard.html
>
> "This mode allows you to provide three NSS certificate names residing in
> a database on the host physical machine, rather than requiring a
> smartcard to be plugged into the host physical machine. These
> certificates can be generated via the command certutil -d /etc/pki/nssdb
> -x -t CT,CT,CT -S -s CN=cert1 -n cert1, and the resulting three
> certificate names must be supplied as the content of each of three
> certificate sub-elements."

Right, you can also use the virtual card emulation without hardware like the docs you quoted say.

> It also gave me the idea that changing the path from /etc/pki/nssdb to
> gpg's pubkeyring is probable?

I don't know anything about that.

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
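Editor's added example, not code from this thread or from the SPICE/libvirt projects: the host-certificates setup the quoted Red Hat docs describe, carried through end to end. It assumes the NSS `certutil` tool and the libvirt `<smartcard mode='host-certificates'>` element with three `<certificate>` children and an optional `<database>` child; the database path and the nicknames `cert1`..`cert3` are parameters, not fixed names. One caveat worth stating plainly: in this mode the guest can exercise the private keys behind those three certificates through the emulated card, so the database should be a throwaway one created for the VM, never a keyring the host relies on.

```shell
#!/bin/sh
# Added example (not from the thread or the libvirt/SPICE projects).
# Assumes: NSS certutil on the host, and libvirt's host-certificates
# smartcard mode. Database path and certificate nicknames are parameters.
set -eu

# Emit the libvirt domain XML <smartcard> element for host-certificates mode.
# $1 = NSS database directory, remaining args = certificate nicknames
# (libvirt expects exactly three).
smartcard_xml() {
    db=$1; shift
    printf "<smartcard mode='host-certificates'>\n"
    for name in "$@"; do
        printf "  <certificate>%s</certificate>\n" "$name"
    done
    printf "  <database>%s</database>\n" "$db"
    printf "</smartcard>\n"
}

# Create the NSS database if it does not exist, then one self-signed
# certificate per nickname, mirroring the certutil line quoted from the docs
# (-z supplies entropy so certutil does not prompt for keyboard noise).
# Every key made here is usable by the guest through the emulated card, so
# point this at a throwaway directory, never at a keyring you depend on.
nssdb_make_certs() {
    db=$1; shift
    mkdir -p "$db"
    if [ ! -f "$db/cert9.db" ] && [ ! -f "$db/cert8.db" ]; then
        certutil -d "$db" -N --empty-password
    fi
    for name in "$@"; do
        certutil -d "$db" -x -t CT,CT,CT -S -s "CN=$name" -n "$name" -z /dev/urandom
    done
}

# Count the <certificate> entries in a generated element, so a caller can
# check the "exactly three" requirement before handing the XML to libvirt.
cert_count() {
    printf '%s\n' "$1" | grep -c '<certificate>' || true
}

# Usage (not run on load):
#   nssdb_make_certs /var/lib/libvirt/vm-nssdb cert1 cert2 cert3
#   smartcard_xml    /var/lib/libvirt/vm-nssdb cert1 cert2 cert3 > smartcard.xml
# then paste smartcard.xml under <devices> in the domain definition.
```

The XML emitter is separated from the `certutil` step so the element can be generated and checked on a machine without NSS installed; `nssdb_make_certs` is the only function that touches the host.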