Forwarding a smartcard reader to a LXC.

[JMoreno]

Hi there,

I am runnig "Proxmox Virtual Environment 4.2-17/e1400248"

From this PC-internal gadget:

http://www.tooq.es/product_detail.php?id=1511

I am trying to forward the smartcard reader to a LXC.

The USB gadget, inc. the smartcard reader, seems to be succesfully recognized by Linux.

# lsusb -t
/: Bus 08.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 07.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 06.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 05.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 04.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
|__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
|__ Port 1: Dev 2, If 1, Class=Human Interface Device, Driver=usbhid, 12M
|__ Port 1: Dev 2, If 2, Class=Human Interface Device, Driver=usbhid, 12M
/: Bus 03.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/6p, 480M
|__ Port 2: Dev 2, If 0, Class=Chip/SmartCard, Driver=, 480M
|__ Port 2: Dev 2, If 1, Class=Mass Storage, Driver=usb-storage, 480M
|__ Port 2: Dev 2, If 2, Class=Vendor Specific Class, Driver=mceusb, 480M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/6p, 480M

I read links like:

https://forum.proxmox.com/threads/lxc-and-device-passthrough.26967/
https://forum.proxmox.com/threads/passthrough-usb-from-host-to-lxc.23856/

But I can not get the major:minor values of the smartcard reader on itself, to be added to:

/etc/pve/nodes/pmox/lxc/101.conf

in the form:

lxc.cgroup.devices.allow = c <major>:<minor> rwm

I remember that for KVMs you could provide with a line like:

https://forum.proxmox.com/threads/p...rwarded-to-two-different-vm.10575/#post-66561

Where you could be more specific with the USB element to be forwarded.

It is my first time with LXC, but I have experience with KVM and OVZ under the ProxMox environment.

I would apprecite your help.

Thanks in advance.

 

[manu]

Try the following command, with a inserted card inside the reader:

lsblk -o +model

the second column is the major:minor you're looking

 

[JMoreno]

Hi Manu,

Thanks for your reply. I followed your indications after inserting my card, but I am affraid it is not listing the smartcard values:

#lsblk -o +model
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT MODEL
sda 8:0 0 465,8G 0 disk WDC WD5000AAKX-6
└─sda1 8:1 0 465,8G 0 part
├─pve-root 251:0 0 46,6G 0 lvm /
├─pve-swap 251:1 0 6,5G 0 lvm [SWAP]
└─pve-data 251:2 0 412,7G 0 lvm /var/lib/vz
sr0 11:0 1 1024M 0 rom CDDVDW TS-H653R

If I am not wrong, I got the harddisk and DVD drive as block dives.

Did I missunderstand you? Any other tip for me?

Thanks in advance.

Regards.

 

[JMoreno]

Come on guys!! Somebody should have an idea on how to proceed...

 

[manu]

Can you see your device with the command

lsusb

it hsould list all your usb devices

 

[JMoreno]

Hi Manu,

Yes, I get it like this:

# lsusb -t
/: Bus 08.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 07.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 06.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 05.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 04.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
|__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
|__ Port 1: Dev 2, If 1, Class=Human Interface Device, Driver=usbhid, 12M
|__ Port 1: Dev 2, If 2, Class=Human Interface Device, Driver=usbhid, 12M
/: Bus 03.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/6p, 480M
|__ Port 2: Dev 2, If 0, Class=Chip/SmartCard, Driver=, 480M
|__ Port 2: Dev 2, If 1, Class=Mass Storage, Driver=usb-storage, 480M
|__ Port 2: Dev 2, If 2, Class=Vendor Specific Class, Driver=mceusb, 480M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/6p, 480M

In red the smartcard reader itself.

Many thanks for your time.
José Moreno

 

[JMoreno]

I believe I got the major:minor values, after running:

#lsusb -v
Bus 002 Device 002: ID 0bda:0161 Realtek Semiconductor Corp. Mass Storage Device
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0bda Realtek Semiconductor Corp.
idProduct 0x0161 Mass Storage Device
bcdDevice 61.23
iManufacturer 1 Generic
iProduct 2 USB2.0-CRW
iSerial 3 20070818000000000
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 139
bNumInterfaces 3
bConfigurationValue 1
iConfiguration 4 CARD READER
bmAttributes 0xa0
(Bus Powered)
Remote Wakeup
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 11 Chip/SmartCard
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 6 Smart Card Reader Interface
ChipCard Interface Descriptor:
bLength 54
bDescriptorType 33
bcdCCID 1.10 (Warning: Only accurate for version 1.0)
nMaxSlotIndex 0
bVoltageSupport 7 5.0V 3.0V 1.8V
dwProtocols 3 T=0 T=1
dwDefaultClock 3750
dwMaxiumumClock 7500
bNumClockSupported 0
dwDataRate 10080 bps
dwMaxDataRate 312500 bps
bNumDataRatesSupp. 0
dwMaxIFSD 254
dwSyncProtocols 00000000
dwMechanical 00000000
dwFeatures 00010030
...

Based on that I am adding the following lines to my /etc/pve/nodes/pmox/lxc/101.conf file:

lxc.cgroup.devices.allow = c 0bda:0161 rwm
lxc.mount.entry = /dev/bus/usb/002/002 /dev/bus/usb/001 none bind,optional,create=dir

Running:

#lxc-start -n 101 -o 101.log

I get the following:

lxc-start 1471088107.835 ERROR lxc_cgmanager - cgmanager.c:cgm_setup_limits:1387 - call to cgmanager_set_value_sync failed: invalid request
lxc-start 1471088107.835 ERROR lxc_cgmanager - cgmanager.c:cgm_setup_limits:1390 - Error setting cgroup devices:lxc/101 limit type devices.allow
lxc-start 1471088107.835 ERROR lxc_start - start.c:lxc_spawn:1084 - failed to setup the devices cgroup for '101'
lxc-start 1471088107.835 ERROR lxc_start - start.c:__lxc_start:1211 - failed to spawn '101'
lxc-start 1471088114.277 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start 1471088114.277 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 1471088114.277 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.

And the container does not start.

Any idea on how to proceed?

Thanks.

 

[manu]

Hi Jose
0bda:0161 corresponds here to the manufacturer:device id of the device. It it is not the major:minor you are looking for.

It seems the device you have is not recognized by Linux as no driver is attached to the usb device

Try to run the command

usb-devices

then find in the output the paragrah where you have the string 'Vendor=0bda' and post this paragraph here.

 

[JMoreno]

Hi Manu,

This is the command output:

#usb-devices
T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=0bda ProdID=0161 Rev=61.23
S: Manufacturer=Generic
S: Product=USB2.0-CRW
S: SerialNumber=20070818000000000
C: #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=0b(scard) Sub=00 Prot=00 Driver=(none)
I: If#= 1 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=mceusb

Many, many thanks for your help.


Regards,
José Moreno

 

[manu]

So it looks that from your output the device has three components, but the kernel failed to load a driver for the card device. Maybe the device is not recognized by Linux.
Which kernel version do you have ( uname -r)

At that point you could either test if it's working properly with another OS or boot the latest Ubuntu or Fedora live CD and see if the device get recognized.

 

[JMoreno]

Hi Manu,

Before installing Debian+ProxMox on this machine, I had a Windows 7 installed. The gadget was successfully recognized and I could use it with my personal identity smartcard to login and interact with the spanish goverment sites.

In my current setup (Debian + ProxMox), I get my card correctly recognized if I run:

pcsc_scan

In addition and for testing pourposes, I created a Windows 7 KVM where I forwared the device adding:

usb0: host=2-2

in its the corresponding /etc/pve/nodes/pmox/qemu-server/201.conf file.

It is recognized and I can use my personal identity card successfully.

Strange, isn´t it?

As requested, this is the command output:

# uname -r
4.4.13-2-pve

Again, many thanks for you time and help.

Regards,
José Moreno
PD: the W7 KVM machine is permanently stopped. It was only started for testing and verifying the gadget forward.

 

[manu]

Ok The thing is I was looking with lsblk for block device similar to a sd card ( I don't have a smart card here so I didn't know how it looks like from the kernel side)

With KVM you can pass the whole usb port as you noticed.
With LXC you needed to pass the major:minor of a deviced as seen in /dev

If you have this working with KVM then go ahead this way.

If you want to use the smart card in a LXC container you need to need find out after inserting the device which entries are created in /dev, and passthrough these in the lxc configuration file. You also need to deactivate app armor or create new specific policies to allow the container to acess the entry points in /dev

 

[JMoreno]

Hi Manu,

Thank you very much for your help. Following your advice I run:

Before inserting the card:

# find /dev > noCardInserted.txt

After inserting the card:

# find /dev > withCardInserted.txt

Search for differences:

# diff noCardInserted.txt withCardInserted.txt

I am affraid I got nothing from the diff command, while:

# pcsc_scan

Correctly indentifies my card while inserted...

The point is, I preffer using LXC due to all the advantages we know compared with KVM machines (resources,...). Indeed, the final goal is to run this virual machine in a old hardware with no KVM support due to the processor technology.

In other tip you may have?


Regards,
José Moreno

 

[JMoreno]

Good news!!

Finally I found the problem. Very silly problem, by the way!!

The problem was... the LXC container .

My tests:

FAILED ==> debian-8.0-standard_8.4-1_amd64.tar.gz
SUCCESS ==> ubuntu-16.04-standard_16.04-1_amd64.tar.gz

Both templates were downloaded using the ProxMox web interface.

After creating the new container with Ubuntu (read above) everything started working inmediatelly.

# lsusb -t ---> Run in my ProxMox machine.
/: Bus 08.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 07.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 06.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 05.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
|__ Port 1: Dev 2, If 0, Class=(Defined at Interface level), Driver=, 1.5M
/: Bus 04.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
|__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
|__ Port 1: Dev 2, If 1, Class=Human Interface Device, Driver=usbhid, 12M
|__ Port 1: Dev 2, If 2, Class=Human Interface Device, Driver=usbhid, 12M
/: Bus 03.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/6p, 480M
|__ Port 2: Dev 2, If 0, Class=Chip/SmartCard, Driver=usbfs, 480M
|__ Port 2: Dev 2, If 1, Class=Mass Storage, Driver=usb-storage, 480M
|__ Port 2: Dev 2, If 2, Class=Vendor Specific Class, Driver=mceusb, 480M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/6p, 480M

I got the MAJOR:MINOR values from:

# ls -l /dev/bus/usb/002/002
crw-rw-r-- 1 root root 189, 129 sep 13 18:22 /dev/bus/usb/002/002

I added the following lines to my config file (/etc/pve/nodes/pmox/lxc/110.conf)

lxc.cgroup.devices.allow: c 189:129 rwm
lxc.mount.entry: /dev/bus/usb/002/002 dev/bus/usb/002/002 none bind,optional,create=file

I wish this helps others under similar circunstancies.

Thanks Manu for your time. I much appreciate your help.

Regards,
José Morneo