Solved USB passthrough for Nitrokey HSM 2 and/or YubiKey 5 smartcard devices?

dvanzuijlekom

Hi!

First of all: new XCP-ng user here, I really love the product. Thanks for this great piece of open source software.

Secondly: I would like to pass my Nitrokey HSM 2 and/or a YubiKey 5 Series to a VM, but they're not listed as a devices capable of being passed through.

This is what dmesg says about the Nitrokey HSM 2 (I have obfuscated the serial number):

[176309.527251] usb 1-1: new full-speed USB device number 8 using xhci_hcd
[176309.676769] usb 1-1: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
[176309.676771] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[176309.676771] usb 1-1: Product: Nitrokey HSM
[176309.676772] usb 1-1: Manufacturer: Nitrokey
[176309.676773] usb 1-1: SerialNumber: DENKXXXXXXXXXXXX

The output of lsusb:

Bus 001 Device 010: ID 20a0:4230 Clay Logic

This is what dmesg says about the YubiKey:

[177325.155898] usb 1-1: new full-speed USB device number 9 using xhci_hcd
[177325.305442] usb 1-1: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.43
[177325.305444] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[177325.305445] usb 1-1: Product: YubiKey OTP+FIDO+CCID
[177325.305445] usb 1-1: Manufacturer: Yubico
[177325.308053] input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1050:0407.0005/input/input5
[177325.368200] hid-generic 0003:1050:0407.0005: input,hidraw2: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-1/input0
[177325.368823] hid-generic 0003:1050:0407.0006: hiddev96,hidraw3: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-1/input1

The output of lsusb:

Bus 001 Device 009: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID

In both cases, xe pusb-list shows no output (I do get output when I try a USB memory stick). I'll probably need either a kernel module/driver or perhaps the opensc package on dom0? (as taken from Nitrokey's docs). I'd love to be able to use these devices and I'd like to help in making this possible (provided I am able to).
I'm not sure if adding the lsusb -v output of both devices will be of any help at this point, but please let me know if it is.

olivierlambert

This will work with a small "hack". You need to edit /etc/xensource/usb-policy.conf and comment some lines, like CDC or smartcards:

#DENY: class=0a # CDC-Data
#DENY: class=0b # Smartcard

Then do a xe pusb-scan and then you should be able to see it.

Obviously, there's a reason behind that DENY. But so far on a "non shared" host environment where I trust all VMs, I consider it fine. It's probably not secure to do it when you don't have a control on the host and potential other people on it.

olivierlambert

This will work with a small "hack". You need to edit /etc/xensource/usb-policy.conf and comment some lines, like CDC or smartcards:

#DENY: class=0a # CDC-Data
#DENY: class=0b # Smartcard

Then do a xe pusb-scan and then you should be able to see it.

Obviously, there's a reason behind that DENY. But so far on a "non shared" host environment where I trust all VMs, I consider it fine. It's probably not secure to do it when you don't have a control on the host and potential other people on it.

dvanzuijlekom

@olivierlambert Awesome! That worked, thank you so much!