PGP SmartCard Incus Container

I’m attempting to get USB Redirection of a PGP smart card working. Currently it works on the host and I’m passing it through to the container with the following profile config -

...
devices:
    nitrokey:
        productid: "4109"
        type: unix-hotplug
        vendorid: 20a0

I do see the device in the container -

root@packer-test:~# lsusb -s 003:029
Bus 003 Device 029: ID 20a0:4109 Clay Logic Nitrokey Storage
root@packer-test:~# usb-devices
...
T:  Bus=03 Lev=03 Prnt=10 Port=03 Cnt=01 Dev#= 29 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=20a0 ProdID=4109 Rev=01.01
S:  Manufacturer=Nitrokey
S:  Product=Nitrokey Storage
S:  SerialNumber=0000000000000
C:  #Ifs= 3 Cfg#= 1 Atr=80 MxPwr=100mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 1 Alt= 0 #EPs= 3 Cls=0b(scard) Sub=00 Prot=00 Driver=usbfs
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=03(Int.) MxPS=  16 Ivl=4096ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
E:  Ad=86(I) Atr=03(Int.) MxPS=  64 Ivl=2ms

I have the same packages in the container as on the host for managing the smart card but I cannot seem to get it working. pcscd is on the system and has a LIBUSB_ERROR_BUSY showing up both in debian/12 and ubuntu/22.04 containers -

root@packer-test:~# systemctl status pcscd
○ pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; preset: enabled)
    Drop-In: /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: inactive (dead) since Sun 2024-04-14 17:17:39 UTC; 20min ago
   Duration: 1min 1.070s
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
    Process: 174 ExecStart=/usr/sbin/pcscd --foreground --auto-exit $PCSCD_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 174 (code=exited, status=0/SUCCESS)
        CPU: 69ms

Apr 14 17:16:38 packer-test systemd[1]: Started pcscd.service - PC/SC Smart Card Daemon.
Apr 14 17:16:38 packer-test pcscd[174]: 00000000 ccid_usb.c:683:OpenUSBByName() Can't claim interface 3/29: LIBUSB_ERROR_BUSY
Apr 14 17:16:38 packer-test pcscd[174]: 00000221 ifdhandler.c:161:CreateChannelByNameOrChannel() failed
Apr 14 17:16:38 packer-test pcscd[174]: 00000002 readerfactory.c:1134:RFInitializeReader() Open Port 0x200000 Failed (usb:20a0/4109:libudev:1:/dev/bus/usb/003/029)
Apr 14 17:16:38 packer-test pcscd[174]: 00000002 readerfactory.c:378:RFAddReader() Nitrokey Nitrokey Storage (0000000000000) init failed.
Apr 14 17:16:38 packer-test pcscd[174]: 00000046 hotplug_libudev.c:518:HPAddDevice() Failed adding USB device: Nitrokey Nitrokey Storage

Is there something I’m doing wrong? I’ve attempted privileged and unprivileged containers with the same result.

Kenton

Solved

This was an issue with the host pcscd process claiming the smartcard and preventing the container from claiming it. I disabled pcscd on the host and the container worked -

systemctl stop pcscd.socket
systemctl stop pcscd

Looks like unless pcscd is specifically needed, it may not even need to be installed and scdaemon can access the card directly.

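To confirm the cause given in the solution above (a host process holding the card's usbfs node), here is an added diagnostic example that is not part of the original posts: it maps pcscd's LIBUSB_ERROR_BUSY log lines to device nodes and lists the processes that have those nodes open. The function names, the script name busy-usb.sh, and the use of the thread's hostname packer-test as the instance name are assumptions.

```shell
#!/bin/sh
# Added diagnostic example, not from the original thread. Run it on the HOST:
# a container's /proc cannot see host processes, so the holder is invisible there.

# Read pcscd log lines on stdin; print the usbfs node for every
# "Can't claim interface <bus>/<dev>: LIBUSB_ERROR_BUSY" entry (3/29 -> .../003/029).
busy_usb_nodes() {
    sed -n 's|.*Can.t claim interface \([0-9][0-9]*\)/\([0-9][0-9]*\): LIBUSB_ERROR_BUSY.*|\1 \2|p' |
    while read -r bus dev; do
        printf '/dev/bus/usb/%03d/%03d\n' "$bus" "$dev"
    done | sort -u
}

# Print "PID COMMAND" for every process that has the given node open, by
# walking /proc/<pid>/fd. Needs root to inspect other users' processes.
holders_of() {
    node=$1
    [ -n "$node" ] || return 1
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$node" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done | sort -u
}

# Combine both: for each busy node named in the log on stdin, list its holders.
report() {
    busy_usb_nodes | while read -r node; do
        echo "$node is held by:"
        holders_of "$node" | sed 's/^/  /'
    done
}

# Assumed usage (instance name taken from the shell prompt in the thread):
#   incus exec packer-test -- journalctl -u pcscd --no-pager | sudo sh busy-usb.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    report
fi
```

If the host's pcscd shows up as a holder, stopping pcscd.socket and pcscd as in the post above releases the interface. An empty holder list means no process visible from where the script ran has the node open.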