TechQA.

Failure to use udev rule to change smart card device ownership in Xen/QubesOs VM

793 views Asked by At

In a Xen VM (within QubesOS) , I can see my handed-through USB smart card reader like this:

Prompt> lsusb
Bus 002 Device 002: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
...

Looking deeper with udevadm yields:

Prompt> udevadm info -a -p $(udevadm info -q path -n /dev/bus/usb/002/002)
looking at device '/devices/platform/vhci_hcd/usb2/2-1':
  KERNEL=="2-1"
  SUBSYSTEM=="usb"
  DRIVER=="usb"
  ATTR{authorized}=="1"
  ATTR{avoid_reset_quirk}=="0"
  ATTR{bConfigurationValue}=="1"
  ATTR{bDeviceClass}=="00"
  ATTR{bDeviceProtocol}=="00"
  ATTR{bDeviceSubClass}=="00"
  ATTR{bMaxPacketSize0}=="32"
  ATTR{bMaxPower}=="100mA"
  ATTR{bNumConfigurations}=="1"
  ATTR{bNumInterfaces}==" 1"
  ATTR{bcdDevice}=="0204"
  ATTR{bmAttributes}=="a0"
  ATTR{busnum}=="2"
  ATTR{configuration}=="CCID Class"
  ATTR{devnum}=="2"
  ATTR{devpath}=="1"
  ATTR{idProduct}=="5116"
  ATTR{idVendor}=="04e6"
  ATTR{ltm_capable}=="no"
  ATTR{manufacturer}=="SCM Microsystems Inc."
  ATTR{maxchild}=="0"
  ATTR{product}=="SCR3310 v2.0 USB SC Reader"
  ATTR{quirks}=="0x0"
  ATTR{removable}=="unknown"
  ATTR{speed}=="12"
  ATTR{urbnum}=="14"
  ATTR{version}==" 2.00"

looking at parent device '/devices/platform/vhci_hcd/usb2':
  KERNELS=="usb2"
  SUBSYSTEMS=="usb"
  DRIVERS=="usb"
...

Despite the fact that the permissions are set as follows:

Prompt> ls -la /dev/bus/usb/002/002
crw-rw-r-- 1 root root 189, 129 May  3 23:01 /dev/bus/usb/002/002

the result of a call to gpg2 --card-status works as root, but as a normal user yields a Card error. I try to remedy this with the following udev rule (/etc/udev/rules.d/51-SCR3310.rules):

KERNEL=="usb*", SUBSYSTEM=="usb", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="5116", MODE="0660", GROUP="user"

but no matter what I do, I cannot get a normal user to have access to the reader through gpg2.

Where am I screwing this up?

smartcard gnupg xen udev qubes-os
Original Q&A
1

There are 1 answers

0
balin On BEST ANSWER

After much googling (startpaging, that is), I finally found my answer here.

On top of needing a /etc/udev/rules.d/71-gpg-ccid.rules file with the following content to make udev allow my user's group (user) access to the device (taken from here)

ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="04e6", ENV{ID_MODEL_ID}=="5116", MODE="660", GROUP="user"

I was hit by interference of gnome-keyring with gpg-agent and adding

Hidden=true
X-GNOME-Autostart-enabled=false

to the ends of /etc/xdg/autostart/gnome-keyring-ssh.desktop and gnome-keyring-gpg.desktop mart smartcard access as a normal user work.

Related Questions in SMARTCARD

Related Questions in GNUPG

Related Questions in XEN

Related Questions in UDEV

Related Questions in QUBES-OS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions