XCP-ng

    USB passthrough for Nitrokey HSM 2 and/or YubiKey 5 smartcard devices?

    • dvanzuijlekom

      Hi!

      First of all: new XCP-ng user here, I really love the product. Thanks for this great piece of open source software.

      Secondly: I would like to pass my Nitrokey HSM 2 and/or a YubiKey 5 Series to a VM, but they're not listed as devices capable of being passed through.

      This is what dmesg says about the Nitrokey HSM 2 (I have obfuscated the serial number):

      [176309.527251] usb 1-1: new full-speed USB device number 8 using xhci_hcd
      [176309.676769] usb 1-1: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
      [176309.676771] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [176309.676771] usb 1-1: Product: Nitrokey HSM
      [176309.676772] usb 1-1: Manufacturer: Nitrokey
      [176309.676773] usb 1-1: SerialNumber: DENKXXXXXXXXXXXX

      The output of lsusb:

      Bus 001 Device 010: ID 20a0:4230 Clay Logic

      This is what dmesg says about the YubiKey:

      [177325.155898] usb 1-1: new full-speed USB device number 9 using xhci_hcd
      [177325.305442] usb 1-1: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.43
      [177325.305444] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
      [177325.305445] usb 1-1: Product: YubiKey OTP+FIDO+CCID
      [177325.305445] usb 1-1: Manufacturer: Yubico
      [177325.308053] input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1050:0407.0005/input/input5
      [177325.368200] hid-generic 0003:1050:0407.0005: input,hidraw2: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-1/input0
      [177325.368823] hid-generic 0003:1050:0407.0006: hiddev96,hidraw3: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-1/input1

      The output of lsusb:

      Bus 001 Device 009: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID

      In both cases, xe pusb-list shows no output (I do get output when I try a USB memory stick). I'll probably need either a kernel module/driver or perhaps the opensc package on dom0? (as taken from Nitrokey's docs). I'd love to be able to use these devices and I'd like to help in making this possible (provided I am able to).
      I'm not sure if adding the lsusb -v output of both devices will be of any help at this point, but please let me know if it is.

      • olivierlambert (Vates Co-Founder CEO)

        This will work with a small "hack". You need to edit /etc/xensource/usb-policy.conf and comment some lines, like CDC or smartcards:

        #DENY: class=0a # CDC-Data
        #DENY: class=0b # Smartcard

        Then do an xe pusb-scan and then you should be able to see it.

        Obviously, there's a reason behind that DENY. But so far on a "non shared" host environment where I trust all VMs, I consider it fine. It's probably not secure to do it when you don't have control over the host and there are potentially other people on it.

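To make the policy behaviour concrete, here is an added Python model of how the rules in /etc/xensource/usb-policy.conf decide the two devices from this thread; it is example code written for this page, not part of XCP-ng or xapi. It assumes the stock file's top-to-bottom, first-match evaluation and its vid=/pid=/class= key syntax, and that the class key matches any interface class of a composite device; besides the commenting-out hack it also shows a narrower per-device ALLOW that keeps every other smartcard reader denied.

```python
import re
from collections import namedtuple

# Constructed excerpt of /etc/xensource/usb-policy.conf in the stock file's format
# (assumption: rules are tried top to bottom, first match wins, values are hex).
DEFAULT_POLICY = """\
ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
ALLOW: # Otherwise allow everything else
"""
# The thread's hack: comment out the Smartcard DENY, so every CCID device passes.
HACKED_POLICY = DEFAULT_POLICY.replace("DENY: class=0b", "#DENY: class=0b")
# Narrower alternative: per-device ALLOW lines above the class-wide DENY, so only
# these two devices pass and any other smartcard reader stays denied.
NARROW_POLICY = """\
ALLOW:vid=20a0 pid=4230 # Nitrokey HSM 2
ALLOW:vid=1050 pid=0407 # YubiKey 5 OTP+FIDO+CCID
""" + DEFAULT_POLICY
# vid/pid come from the thread's lsusb output; interface classes are an assumption
# (HSM: a single CCID interface; YubiKey: composite device with HID + CCID).
Device = namedtuple("Device", "vid pid classes")
NITROKEY_HSM2 = Device(0x20a0, 0x4230, (0x0b,))
YUBIKEY5 = Device(0x1050, 0x0407, (0x00, 0x03, 0x0b))
USB_STICK = Device(0x0781, 0x5583, (0x00, 0x08))  # constructed mass-storage stick

RULE_RE = re.compile(r"^\s*(ALLOW|DENY)\s*:([^#]*)")

def parse_policy(text):
    """Return [(action, {key: int})] in file order; '#'-commented lines yield no rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            conds = {k: int(v, 16) for k, v in re.findall(r"(\w+)=([0-9a-fA-F]+)", m.group(2))}
            rules.append((m.group(1), conds))
    return rules

def rule_matches(conds, dev):
    """Every key present in the rule must match; class matches the device or any interface."""
    return (conds.get("vid", dev.vid) == dev.vid
            and conds.get("pid", dev.pid) == dev.pid
            and ("class" not in conds or conds["class"] in dev.classes))

def decide(policy_text, dev):
    """First matching rule wins; an empty condition set (the final ALLOW:) matches all."""
    for action, conds in parse_policy(policy_text):
        if rule_matches(conds, dev):
            return action
    return "DENY"  # constructed fallback if no rule matches at all
```

With the default policy both devices are denied through their CCID interface while the memory stick falls through to the catch-all ALLOW, which matches what the original post observed with xe pusb-list.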
        • dvanzuijlekom @olivierlambert

          @olivierlambert Awesome! That worked, thank you so much!
