<div dir="ltr"><div><div>2017-02-16 14:01 GMT+01:00 Robin Lambertz <<a href="mailto:robinlambertz%2Bdev@gmail.com">robinlambertz+dev@gmail.com</a>>:<br>> Hi,<br><br><br>Hello,<br><br>> First, thanks for the help and the swift reply :).<br>><br>> So I should note that the yubikey works fine when accessed directly on the host, it only fails in the guest.<br>><br>> The virtualization software used by QubesOS is Xen. However, I found out that it uses a "USB proxy"[0] to protect the system from DMA attacks. They call it a "USB device passthrough using USBIP as a protocol, but qrexec as link layer" (qrexec is qube's cross-vm communication layer). What this means is that they tunnel a single USB device from the host to the guest using the USBIP protocol (instead of assigning the whole bus to the guest).<br>><br>> I tried using usbmon with wireshark as you suggested to find out more. The logs of the guest and host are attached (they are the same session). I'm not too sure what to make of it though. Clearly, the usb doesn't seem to answer in time to the Get Slot Status request. It looks like it times out after 100ms in both the guest and the host. Is it possible that the USB proxy would add latency, causing the timeout ? And if so, how can I increase this timeout ? I figured DEFAULT_COM_READ_TIMEOUT is where the timeout is defined, but it is specified as 3000ms in the source, whereas I timeout after 100ms, so I guess the timeout I'm seeing comes from somewhere else ?<br><br></div>The 100 ms timeout comes from <a href="https://github.com/LudovicRousseau/CCID/blob/master/src/ifdhandler.c#L190">https://github.com/LudovicRousseau/CCID/blob/master/src/ifdhandler.c#L190</a><br><br></div>Note that (from your initial logs) the device + VM + USBIP + etc. responded in 2.614 ms to the first PC_to_RDR_GetSlotStatus command (command 0x65)
<div><br>00000072 -> 000000 65 00 00 00 00 00 00 00 00 00 <br>
00002614 <- 000000 81 00 00 00 00 00 00 00 00 00 <br><br></div><div>So latency or timeout may not really be the problem here.<br></div><div><br><div><div>From your usbmon traces guest.pcap & host.pcap I see that, even
on the host, the device does not answer to the second and third
PC_to_RDR_GetSlotStatus commands.<br></div><br>> I also have made another wireshark log of what happens in the host when accessing the yubikey directly from there (the scenario where the yubikey works) in case that's useful.<br><br>From your log host_direct_access.pcap it looks like the token worked in this case.<br></div><div>Yes, that is useful. The problem does not come from the token firmware or CCID driver.<br><br></div><div>> I'm contacting the Qubes mailing list, maybe they have more insight into what their usb proxy entails.<br><br>I, also, suspect a problem in QubesOS.<div><br></div>> Again, thanks a lot for the help :)<br><br></div><div>Bye<br></div><br><div>--<br> Dr. Ludovic Rousseau</div></div></div>