Solved USB passthrough for Nitrokey HSM 2 and/or YubiKey 5 smartcard devices?
First of all: new XCP-ng user here, I really love the product. Thanks for this great piece of open source software.
Secondly: I would like to pass my Nitrokey HSM 2 and/or a YubiKey 5 Series to a VM, but they're not listed as devices capable of being passed through.
This is what `dmesg` says about the Nitrokey HSM 2 (I have obfuscated the serial number):
[176309.527251] usb 1-1: new full-speed USB device number 8 using xhci_hcd
[176309.676769] usb 1-1: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
[176309.676771] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[176309.676771] usb 1-1: Product: Nitrokey HSM
[176309.676772] usb 1-1: Manufacturer: Nitrokey
[176309.676773] usb 1-1: SerialNumber: DENKXXXXXXXXXXXX
The output of `lsusb`:
Bus 001 Device 010: ID 20a0:4230 Clay Logic
This is what `dmesg` says about the YubiKey:
[177325.155898] usb 1-1: new full-speed USB device number 9 using xhci_hcd
[177325.305442] usb 1-1: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.43
[177325.305444] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[177325.305445] usb 1-1: Product: YubiKey OTP+FIDO+CCID
[177325.305445] usb 1-1: Manufacturer: Yubico
[177325.308053] input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1050:0407.0005/input/input5
[177325.368200] hid-generic 0003:1050:0407.0005: input,hidraw2: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-1/input0
[177325.368823] hid-generic 0003:1050:0407.0006: hiddev96,hidraw3: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-1/input1
The output of `lsusb`:
Bus 001 Device 009: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
In both cases, `xe pusb-list` shows no output (I do get output when I try a USB memory stick). I'll probably need either a kernel module/driver or perhaps the `opensc` package on dom0? (as taken from Nitrokey's docs). I'd love to be able to use these devices and I'd like to help in making this possible (provided I am able to).
I'm not sure if adding the `lsusb -v` output of both devices will be of any help at this point, but please let me know if it is.
This will work with a small "hack". You need to edit `/etc/xensource/usb-policy.conf` and comment some lines, like CDC or smartcards:
#DENY: class=0a # CDC-Data
#DENY: class=0b # Smartcard
Then do a `xe pusb-scan`, and then you should be able to see it.
Obviously, there's a reason behind that `DENY`. But so far, on a "non shared" host environment where I trust all VMs, I consider it fine. It's probably not secure to do it when you don't have control of the host and there are potentially other people on it.
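The caveat above is the reason a narrower change is worth considering: instead of commenting out the class-wide `DENY` (which opens passthrough for every CDC and smartcard device that is ever plugged into the host), add an `ALLOW` rule for just the one vid:pid you want above the `DENY` lines. The shell script below is an added example for this thread, not code from XCP-ng or from either poster. It assumes that `usb-policy.conf` is evaluated top-down with the first matching rule winning and that it accepts rules of the form `ALLOW:vid=20a0 pid=4230`; check the header comments of your own `/etc/xensource/usb-policy.conf` before relying on that. The sample policy file it writes and the USB-stick IDs in the usage note are constructed; the Nitrokey (20a0:4230) and YubiKey (1050:0407) IDs are the ones from the `lsusb` output in the question.

```shell
#!/bin/sh
# Added example for this thread; not code from XCP-ng or from the posters.
# Assumption: /etc/xensource/usb-policy.conf is evaluated top-down, the first
# matching rule wins, and rules look like "ALLOW:vid=20a0 pid=4230" or
# "DENY: class=0b". Verify against the header comments of your own file.

# Write a constructed sample policy (modelled on the DENY lines quoted in the
# thread; not a copy of the real file) to the path given as $1.
make_sample_policy() {
    cat > "$1" <<'EOF'
# constructed sample: first matching rule wins
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
ALLOW: # Otherwise allow everything else
EOF
}

# allow_device FILE VID PID COMMENT
# Insert "ALLOW:vid=VID pid=PID # COMMENT" above the first DENY rule, so only
# that one device escapes the class-wide DENY. A backup is left at FILE.bak.
# Idempotent: calling it twice for the same vid/pid adds nothing.
allow_device() {
    file=$1; vid=$2; pid=$3; comment=$4
    if grep -qiE "^ALLOW:[ \t]*vid=$vid[ \t]+pid=$pid([ \t]|$)" "$file"; then
        return 0
    fi
    cp "$file" "$file.bak"
    awk -v rule="ALLOW:vid=$vid pid=$pid # $comment" '
        !done && /^DENY:/ { print rule; done = 1 }
        { print }
    ' "$file.bak" > "$file"
}

# policy_verdict FILE VID PID CLASS
# Print ALLOW or DENY for a device under first-match semantics (our model of
# the policy, see the assumption above). CLASS is a single interface class;
# a composite device such as the YubiKey (HID keyboard + CCID, per the dmesg
# output in the thread) would need each of its interfaces checked.
policy_verdict() {
    awk -v dvid="$2" -v dpid="$3" -v dclass="$4" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/#.*/, "", line)                 # drop the trailing comment
            split(line, parts, ":")
            action = parts[1]                    # ALLOW or DENY
            n = split(parts[2], kv, /[ \t]+/)    # key=value constraints
            hit = 1                              # a rule with no keys matches everything
            for (i = 1; i <= n; i++) {
                if (kv[i] == "") continue
                split(kv[i], p, "=")
                k = tolower(p[1]); v = tolower(p[2])
                if (k == "vid"   && v != tolower(dvid))   hit = 0
                if (k == "pid"   && v != tolower(dpid))   hit = 0
                if (k == "class" && v != tolower(dclass)) hit = 0
            }
            if (hit) { print action; exit }      # first match decides
        }
    ' "$1"
}
```

Usage on dom0 would be `allow_device /etc/xensource/usb-policy.conf 20a0 4230 "Nitrokey HSM 2"` followed by `xe pusb-scan` and `xe pusb-list`, as in the answer above. With the sample policy, `policy_verdict` reports DENY for the Nitrokey before the ALLOW rule is added and ALLOW afterwards, while the YubiKey (1050:0407, class 0b) and any other smartcard stay DENY until you add a rule for them explicitly; a constructed mass-storage stick (vid 0781, pid 5567, class 08) is allowed by the catch-all rule either way, which matches the memory-stick observation in the question.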
@olivierlambert Awesome! That worked, thank you so much!