@dingus9
Created February 25, 2025 05:30
Smartcard device configuration for libvirt virtio VMs
# Sharing smartcards to libvirt/qemu guest VMs without passthrough and detaching from the host
To use the smartcard `<smartcard mode="host">` option in Virtual Machine Manager or libvirt, add a device and select smart card.
## Basic libvirt config XML block for a default USB CCID of 00, 00 (see pcsc_scan for ID info)
`pcsc_scan`
```
Scanning present readers...
0: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00
1: Alcor Micro AU9540 01 00
```
Note that the "00 00" in the `0: SCM Microsystems Inc. ...` device and the "01 00" in the `1: Alcor Micro AU9540` device seem to be the CCID IDs corresponding to controller and slot.
This example uses controller 00 and slot 00, but the values in the XML are just 0 and 0 respectively.
```xml
<smartcard mode="host">
  <alias name="smartcard0"/>
  <address type="ccid" controller="0" slot="0"/>
</smartcard>
```
## Host/hypervisor setup prior to boot
QEMU seems to require a configured NSS database at `/etc/pki/nssdb/`, so that will likely need to be created and set up like a Firefox (FF) NSS database, but under `/etc/`.
```bash
sudo mkdir -p /etc/pki/nssdb
sudo certutil -N -d /etc/pki/nssdb
# make the nssdb readable (you might want to do this only for your user by managing group access instead of all users)
sudo chmod a+r -R /etc/pki/nssdb/
certutil -L -d /etc/pki/nssdb
#> Certificate Nickname Trust Attributes
#> SSL,S/MIME,JAR/XPI
# Add the cac module to this db
sudo modutil -dbdir "/etc/pki/nssdb" -add "CAC Module" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
# verify modules and certs are listing ("-h all" lists certificates on every token, including the card)
modutil -dbdir /etc/pki/nssdb -list
certutil -L -d /etc/pki/nssdb/ -h all
```
That's all I had to do to get my VM to boot with the smartcard device attached. NBD, right!
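The group-based alternative mentioned in the `chmod` comment above, as an added example that is not part of the original gist. It assumes GNU `find` and a hypothetical group `nssdb-readers` that contains the account QEMU runs as; both function names are also made up for this example.

```shell
#!/bin/sh
# Added example, not the gist author's code.
# Assumption: a group (hypothetical name: nssdb-readers) exists and contains
# the account QEMU runs as. Run the functions as root for /etc/pki/nssdb, e.g.
#   restrict_nssdb /etc/pki/nssdb nssdb-readers && audit_nssdb /etc/pki/nssdb

# restrict_nssdb DIR GROUP
# Replace world-readable access ("chmod a+r -R") with group-only read access.
restrict_nssdb() {
    nss_dir=$1
    nss_group=$2
    if [ ! -d "$nss_dir" ]; then
        echo "restrict_nssdb: no such directory: $nss_dir" >&2
        return 1
    fi
    # Hand the tree to the reader group; ownership by user is left unchanged.
    chgrp -R "$nss_group" "$nss_dir" || return 1
    # Directories: owner rwx, group r-x (needed to traverse), others nothing.
    find "$nss_dir" -type d -exec chmod 750 {} + || return 1
    # Database files: owner rw, group r, others nothing.
    find "$nss_dir" -type f -exec chmod 640 {} + || return 1
}

# audit_nssdb DIR
# Print every path that still grants any permission to "other".
# Returns 0 when the tree is clean, 1 when something is still exposed.
audit_nssdb() {
    exposed=$(find "$1" -perm /o=rwx -print)   # "-perm /mode" is GNU find syntax
    if [ -z "$exposed" ]; then
        return 0
    fi
    printf '%s\n' "$exposed"
    return 1
}
```

Re-run `audit_nssdb` after any later `certutil` or `modutil` change to the database, since tools may recreate files with different modes.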
## Be sure to install the appropriate/desired OpenSC-equivalent PC/SC libraries for Firefox and Chrome in Windows