Yubikey init failed PCSCD


Robin Lambertz

Feb 14, 2017, 1:49:44 AM
to qubes...@googlegroups.com
Hello,

I'm trying to make my Yubikey Neo (a PGP smartcard) accessible to my GPG
Qube in a split-gpg + sys-usb setup. When attaching the Yubikey to the
GPG VM, however, PCSCD doesn't seem to detect my Yubikey (which leads to
it being unusable with gpg). I tried both an up-to-date archlinux and
the default fedora-23 templates, and in both cases the yubikey neo
doesn't show up in `pcsc_scan`.

I started pcscd with `sudo LIBCCID_ifdLogLevel=0x000F pcscd --foreground
--debug --apdu --color | tee log.txt` to get more info. The logs are
attached, but the interesting bits are here:

```
00000206 ccid_usb.c:621:OpenUSBByName() Found Vendor/Product: 1050/0111 (Yubico Yubikey NEO OTP+CCID)
00000012 ccid_usb.c:623:OpenUSBByName() Using USB bus/device: 2/4
00000010 ccid_usb.c:680:OpenUSBByName() bNumDataRatesSupported is 0
00001997 ccid_usb.c:1244:InterruptRead() before (0)
00103904 ccid_usb.c:1290:InterruptRead() after (0) (2)
00000072 -> 000000 65 00 00 00 00 00 00 00 00 00
00002614 <- 000000 81 00 00 00 00 00 00 00 00 00
00000050 -> 000000 65 00 00 00 00 00 01 00 00 00
00103063 ccid_usb.c:836:ReadUSB() read failed (2/4): -7 LIBUSB_ERROR_TIMEOUT
00000224 -> 000000 65 00 00 00 00 00 02 00 00 00
05002241 ccid_usb.c:797:WriteUSB() write failed (2/4): -7 LIBUSB_ERROR_TIMEOUT
00000242 ifdhandler.c:188:CreateChannelByNameOrChannel() failed
00000159 ccid_usb.c:879:CloseUSB() Closing USB device: 2/4
00000151 ccid_usb.c:889:CloseUSB() Last slot closed. Release resources
00000240 ccid_usb.c:189:close_libusb_if_needed() libusb_exit
00000476 readerfactory.c:1110:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0111:libudev:1:/dev/bus/usb/002/004)
00000161 readerfactory.c:375:RFAddReader() Yubico Yubikey NEO OTP+CCID init failed.
```

When attaching the yubikey to the VM, ReadUSB returns immediately with
the TIMEOUT error (isn't that weird?), while the WriteUSB times out
after 5 seconds. I'm wondering if it is possible that the Qubes USB proxy
could cause those timeouts? Does anyone know what else could cause those
errors?

Thank you for your time :)

Robin Lambertz
log.txt
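
Added example (not part of the original thread, and not pcscd or libccid code): a small Python parser for the excerpt above that pairs each CCID command with its outcome by `bSeq` and reports how long each transfer waited. It assumes the first log column is the number of microseconds elapsed since the previous log line; `analyse`, `SAMPLE_LOG` and the record fields are names made up for this sketch.

```python
import re

# bMessageType values seen in the excerpt (USB CCID specification).
CCID_TYPES = {0x65: "PC_to_RDR_GetSlotStatus", 0x81: "RDR_to_PC_SlotStatus"}

# Constructed sample: the frame and failure lines from the excerpt above,
# with the mail-wrapped line rejoined.
SAMPLE_LOG = """\
00000072 -> 000000 65 00 00 00 00 00 00 00 00 00
00002614 <- 000000 81 00 00 00 00 00 00 00 00 00
00000050 -> 000000 65 00 00 00 00 00 01 00 00 00
00103063 ccid_usb.c:836:ReadUSB() read failed (2/4): -7 LIBUSB_ERROR_TIMEOUT
00000224 -> 000000 65 00 00 00 00 00 02 00 00 00
05002241 ccid_usb.c:797:WriteUSB() write failed (2/4): -7 LIBUSB_ERROR_TIMEOUT
"""

FRAME = re.compile(r"^(\d{8}) (->|<-) [0-9A-F]{6} ((?:[0-9A-F]{2} ?)+)$")
FAIL = re.compile(r"^(\d{8}) ccid_usb\.c:\d+:(ReadUSB|WriteUSB)\(\) "
                  r"\w+ failed .*?(LIBUSB_\w+)")

def analyse(log):
    """Return one record per CCID command: type, bSeq, outcome, wait in us."""
    records = []
    for line in log.splitlines():
        line = line.strip()
        m = FRAME.match(line)
        if m:
            raw = bytes.fromhex(m[3])
            if len(raw) < 10:          # shorter than the 10-byte CCID header
                continue
            name = CCID_TYPES.get(raw[0], f"0x{raw[0]:02X}")
            seq = raw[6]               # header: type, dwLength(4), bSlot, bSeq
            if m[2] == "->":
                records.append({"cmd": name, "seq": seq,
                                "outcome": "no reply", "wait_us": None})
            elif records and records[-1]["seq"] == seq:
                records[-1].update(outcome=name, wait_us=int(m[1]))
            continue
        m = FAIL.match(line)
        if m and records and records[-1]["outcome"] == "no reply":
            # First column = time since the previous log line (assumed), so
            # it is how long the failing libusb call blocked.
            records[-1].update(outcome=f"{m[2]} {m[3]}", wait_us=int(m[1]))
    return records

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        ms = "?" if r["wait_us"] is None else f"{r['wait_us'] / 1000:.1f}"
        print(f"seq {r['seq']}: {r['cmd']} -> {r['outcome']} after {ms} ms")
```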

bbrr...@gmail.com

Feb 15, 2017, 6:30:41 PM
to qubes-users, robinlam...@gmail.com

I've been able to use my Yubikey 4 on a debian 8 qube successfully. (Remember to patch the libccid_Info.plist). Might be worth giving it a try?

Robin Lambertz

Feb 19, 2017, 2:51:45 AM
to qubes...@googlegroups.com
On 02/16/2017 12:30 AM, bbrr...@gmail.com wrote:
>
> I've been able to use my Yubikey 4 on a debian 8 qube successfully. (Remember to patch the libccid_Info.plist). Might be worth giving it a try?
>

Hi,

What did you patch exactly?

I found out after some fumbling around that the yubikey works perfectly
well if I don't use qvm-usb, and instead assign the entire USB bus to
the guest VM. My understanding is that this is less secure and opens me
up to DMA attacks. It's also a lot less flexible. After digging around,
I found out that qvm-usb uses qubes-usb-proxy[0], which seems to be the
party at fault here.

I tried using usbmon and wireshark to find out more. The logs of the
guest and host are attached (they log the same session). Clearly, the
USB doesn't seem to answer in time to the Get Slot Status request. It
looks like it times out after 100ms in both the guest and the host. Is
it possible that the USB proxy would add latency, causing the timeout?
Should I try to increase the timeout in the PCSC software?

I also have made another wireshark log of what happens in sys-usb when
accessing the yubikey directly from there (The scenario where the
yubikey works) in case that's useful.

Thanks for the help,

Robin Lambertz

[0]: https://github.com/QubesOS/qubes-app-linux-usb-proxy
host.pcap
host_direct_access.pcap
guest.pcap

bbrr...@gmail.com

Feb 19, 2017, 5:27:32 PM
to qubes-users, robinlam...@gmail.com
On Sunday, February 19, 2017 at 7:51:45 AM UTC, Robin Lambertz wrote:
> On 02/16/2017 12:30 AM, bbrr...@gmail.com wrote:
> >
> > I've been able to use my Yubikey 4 on a debian 8 qube successfully. (Remember to patch the libccid_Info.plist). Might be worth giving it a try?
> >
>
> Hi,
>
> What did you patch exactly?

This is the script: https://github.com/Yubico/yubioath-desktop-dpkg/blob/master/resources/linux-patch-ccid

But it does sound like this is not what is causing your problem.
