[PATCH 0/4] Build QEMU with smartcard support, to get GNOME Boxes working

  • Done
Details
2 participants
  • Brice Waegeneire
  • Christopher Baines
Owner
unassigned
Submitted by
Christopher Baines
Severity
normal
Christopher Baines wrote on 14 Apr 2020 21:36
(address . guix-patches@gnu.org)
877dyh7tcn.fsf@cbaines.net
These patches make it possible to use gnome-boxes, at least for the
simple virtual machine I tried to run.

Previously, I was stuck with the following error:

Unable to start domain: unsupported configuration: this QEMU binary
lacks smartcard passthrough mode support



Christopher Baines (4):
gnu: Add softhsm.
gnu: Add libcacard.
gnu: qemu: Add libcacard as an input to enable smartcard support.
gnu: spice: Add libcacard as an input to enable smartcard support.

gnu/packages/security-token.scm | 28 +++++++++++++++++++
gnu/packages/spice.scm | 49 +++++++++++++++++++++++++++++++++
gnu/packages/virtualization.scm | 1 +
3 files changed, 78 insertions(+)

Christopher Baines wrote on 14 Apr 2020 21:44
[PATCH 3/4] gnu: qemu: Add libcacard as an input to enable smartcard support.
(address . 40631@debbugs.gnu.org)
20200414194420.15589-3-mail@cbaines.net
This fixes an error in gnome-boxes when starting virtual machines:

Unable to start domain: unsupported configuration: this QEMU binary lacks
smartcard passthrough mode support

* gnu/packages/virtualization.scm (qemu)[inputs]: Add libcacard.
---
gnu/packages/virtualization.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index c00f3ef9a8..7d4aac0d40 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -217,6 +217,7 @@ exec smbd $@")))
("gtk+" ,gtk+)
("libaio" ,libaio)
("libattr" ,attr)
+ ("libcacard" ,libcacard) ; smartcard support
("libcap" ,libcap) ; virtfs support requires libcap & libattr
("libdrm" ,libdrm)
("libepoxy" ,libepoxy)
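
Review bot: the new `("libcacard" ,libcacard)` input only takes effect if QEMU's configure script detects the library, and nothing in this change forces that. Consider also passing `--enable-smartcard` in the package's configure flags, so that a future detection failure breaks the build instead of silently producing a QEMU without smartcard passthrough, which is the state the commit message describes.
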
--
2.26.0
Christopher Baines wrote on 14 Apr 2020 21:44
[PATCH 2/4] gnu: Add libcacard.
(address . 40631@debbugs.gnu.org)
20200414194420.15589-2-mail@cbaines.net
Required for smartcard support in QEMU.

* gnu/packages/spice.scm (libcacard): New variable.
---
gnu/packages/spice.scm | 48 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)

diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm
index 3445c64924..7d3525def6 100644
--- a/gnu/packages/spice.scm
+++ b/gnu/packages/spice.scm
@@ -21,6 +21,7 @@
(define-module (gnu packages spice)
#:use-module (gnu packages)
+ #:use-module (gnu packages base)
#:use-module (gnu packages compression)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages gl)
@@ -31,9 +32,11 @@
#:use-module (gnu packages image)
#:use-module (gnu packages libusb)
#:use-module (gnu packages linux)
+ #:use-module (gnu packages nss)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages pulseaudio)
#:use-module (gnu packages python)
+ #:use-module (gnu packages security-token)
#:use-module (gnu packages tls)
#:use-module (gnu packages xorg)
#:use-module (gnu packages xdisorg)
@@ -287,6 +290,51 @@ resolution scaling on graphical console window resize.")
(home-page "https://www.spice-space.org")
(license license:gpl3+)))
+(define-public libcacard
+ (package
+ (name "libcacard")
+ (version "2.7.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://gitlab.freedesktop.org/spice/libcacard/uploads/"
+ "56cb2499198e78e560a1d4c716cd8ab1"
+ "/libcacard-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0vyvkk4b6xjwq1ccggql13c1x7g4y90clpkqw28257azgn2a1c8n"))))
+ (build-system gnu-build-system)
+ (arguments
+ '(#:tests? #f ; TODO Tests require gnutls built with
+ ; p11-kit
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'patch
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "tests/setup-softhsm2.sh"
+ (("\\/usr\\/lib64\\/pkcs11\\/libsofthsm2\\.so")
+ (string-append (assoc-ref inputs "softhsm")
+ "/lib/softhsm/libsofthsm2.so")))
+ #t)))))
+ (propagated-inputs
+ `(("glib" ,glib) ; Requires: in the pkg-config file
+ ("nss" ,nss))) ; Requires.private: in the pkg-config
+ ; file
+ (native-inputs
+ `(("openssl" ,openssl)
+ ("nss" ,nss "bin")
+ ("opensc" ,opensc)
+ ("softhsm" ,softhsm)
+ ("gnutls" ,gnutls)
+ ("pkg-config" ,pkg-config)
+ ("which" ,which)))
+ (synopsis "Emulate and share smart cards with virtual machines")
+ (description
+ "The @acronym{CAC,Common Access Card} library can be used to emulate and
+share smart cards from client system to local or remote virtual machines.")
+ (home-page "https://gitlab.freedesktop.org/spice/libcacard")
+ (license license:lgpl2.1+)))
+
(define-public virt-viewer
(package
(name "virt-viewer")
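
Review bot: in the `libcacard` definition, `#:tests? #f` disables the test suite, yet the `'patch` phase only rewrites `tests/setup-softhsm2.sh` and `softhsm` is carried as a native input, so neither is exercised by the build as submitted. Either note in a comment that the phase and the test-only native inputs are kept ready for when the gnutls TODO is resolved, or drop them until then. The phase would also be clearer as `'patch-tests`, and the slashes in the `substitute*` pattern do not need the `\\/` escaping.
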
--
2.26.0
Christopher Baines wrote on 14 Apr 2020 21:44
[PATCH 4/4] gnu: spice: Add libcacard as an input to enable smartcard support.
(address . 40631@debbugs.gnu.org)
20200414194420.15589-4-mail@cbaines.net
This is to fix an issue with gnome-boxes when trying to start a virtual
machine:

unsupported type name: smartcard

* gnu/packages/spice.scm (spice)[inputs]: Add libcacard.
---
gnu/packages/spice.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm
index 7d3525def6..2115dd3d0b 100644
--- a/gnu/packages/spice.scm
+++ b/gnu/packages/spice.scm
@@ -212,6 +212,7 @@ which allows users to view a desktop computing environment.")
`(("cyrus-sasl" ,cyrus-sasl)
("glib" ,glib)
("libjpeg-turbo" ,libjpeg-turbo)
+ ("libcacard" ,libcacard) ; smartcard support
("lz4" ,lz4)
("opus" ,opus)
("orc" ,orc)
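
Review bot: the added `("libcacard" ,libcacard)` line sits after `("libjpeg-turbo" ,libjpeg-turbo)`, which breaks the alphabetical order the surrounding inputs follow (`glib`, `libjpeg-turbo`, `lz4`, `opus`, `orc`). Move it up one line, between `glib` and `libjpeg-turbo`.
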
--
2.26.0
Christopher Baines wrote on 14 Apr 2020 21:44
[PATCH 1/4] gnu: Add softhsm.
(address . 40631@debbugs.gnu.org)
20200414194420.15589-1-mail@cbaines.net
Required for the libcacard tests.

* gnu/packages/security-token.scm (softhsm): New variable.
---
gnu/packages/security-token.scm | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)

diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index c5cbb758da..2ff0abb248 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -167,6 +167,34 @@ the low-level development kit for the Yubico YubiKey authentication device.")
(home-page "https://developers.yubico.com/yubico-c/")
(license license:bsd-2)))
+(define-public softhsm
+ (package
+ (name "softhsm")
+ (version "2.5.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://dist.opendnssec.org/source/"
+ "softhsm-" version ".tar.gz"))
+ (sha256
+ (base32
+ "1cijq78jr3mzg7jj11r0krawijp99p253f4qdqr94n728p7mdalj"))))
+ (build-system gnu-build-system)
+ (arguments
+ '(#:configure-flags '("--disable-gost"))) ; TODO Missing the OpenSSL
+ ; engine for GOST
+ (inputs
+ `(("openssl" ,openssl)))
+ (native-inputs
+ `(("pkg-config" ,pkg-config)
+ ("cppunit" ,cppunit)))
+ (synopsis "Software implementation of a generic cryptographic device")
+ (description
+ "SoftHSM 2 is a software implementation of a generic cryptographic device
+with a PKCS #11 Cryptographic Token Interface.")
+ (home-page "https://www.opendnssec.org/softhsm/")
+ (license license:bsd-2)))
+
(define-public pcsc-lite
(package
(name "pcsc-lite")
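
Review bot: the TODO attached to `--disable-gost` in `#:configure-flags` is split over two trailing comment lines and does not say what would allow the flag to be dropped. A full-line comment above `#:configure-flags` stating that the OpenSSL GOST engine is not packaged, and that the flag should go once it is, would be easier to read and to act on later.
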
--
2.26.0
Brice Waegeneire wrote on 28 Apr 2020 11:07
Re: bug#40631: [PATCH 0/4] Build QEMU with smartcard support, to get GNOME Boxes working
(address . mail@cbaines.net)(address . 40631@debbugs.gnu.org)
0d9b8d67ec45e445eac9b5ecbae268ad@waegenei.re
Hello Christopher,

I was thinking of packaging libcacard the other day, thankfully you've
already done it.

If I understand correctly softhsm is needed to test libcacard, but its
tests can't be enabled because our gnutls is missing some features and
rebuilding it would rebuild the world, right?

> + (name "softhsm")
> + (version "2.5.0")
> + (source (origin
> + (method url-fetch)
> + (uri (string-append
> + "https://dist.opendnssec.org/source/"
> + "softhsm-" version ".tar.gz"))

The latest version is 2.6.0, even though the home-page doesn't list it,
it's present in the source you defined or in their GitHub page[0].


> + (add-after 'unpack 'patch
> + (lambda* (#:key inputs #:allow-other-keys)
> + (substitute* "tests/setup-softhsm2.sh"
> + (("\\/usr\\/lib64\\/pkcs11\\/libsofthsm2\\.so")
> + (string-append (assoc-ref inputs "softhsm")
> + "/lib/softhsm/libsofthsm2.so")))
> + #t)))))

Instead of 'patch' 'patch-tests' would be more descriptive.

LGTM otherwise, building and linting is successful.


- Brice
Brice Waegeneire wrote on 28 Apr 2020 12:11
(address . mail@cbaines.net)(address . 40631@debbugs.gnu.org)
5d315a2acd7cd2d992445c1eae59ea8e@waegenei.re
> + (description
> + "The @acronym{CAC,Common Access Card} library can be used to
> emulate and
> +share smart cards from client system to local or remote virtual
> machines.")
> + (home-page "https://gitlab.freedesktop.org/spice/libcacard")
> + (license license:lgpl2.1+)))

I just found out that 'acronym' isn't displayed at all by “guix show”
producing “The library can be used [...]”, it can be replaced by 'dfn'
which is displayed quoted: “The "CAC" library can be used [...]”. I wish
“guix lint” would display 'acronym' which seems more useful than
'defn'.

- Brice
Christopher Baines wrote on 3 May 2020 11:43
(name . Brice Waegeneire)(address . brice@waegenei.re)(address . 40631-done@debbugs.gnu.org)
87a72pmjz4.fsf@cbaines.net
Brice Waegeneire <brice@waegenei.re> writes:

> I was thinking of packaging libcacard the other day, thankfully you've
> already done it.
>
> If I understand correctly softhsm is needed to test libcacard, but its
> tests can't be enabled because our gnutls is missing some features and
> rebuilding it would rebuild the world, right?

Yep, I've got a bug open for that change [1].


>> + (name "softhsm")
>> + (version "2.5.0")
>> + (source (origin
>> + (method url-fetch)
>> + (uri (string-append
>> + "https://dist.opendnssec.org/source/"
>> + "softhsm-" version ".tar.gz"))
>
> The latest version is 2.6.0, even though the home-page doesn't list it,
> it's present in the source you defined or in their GitHub page[0].

Ah, interesting, I've updated the package to 2.6.1.

>> + (add-after 'unpack 'patch
>> + (lambda* (#:key inputs #:allow-other-keys)
>> + (substitute* "tests/setup-softhsm2.sh"
>> + (("\\/usr\\/lib64\\/pkcs11\\/libsofthsm2\\.so")
>> + (string-append (assoc-ref inputs "softhsm")
>> + "/lib/softhsm/libsofthsm2.so")))
>> + #t)))))
>
> Instead of 'patch' 'patch-tests' would be more descriptive.

Sure, I've changed the phase name.

> LGTM otherwise, building and linting is successful.

Great, I've gone ahead and pushed these patches as
17adb70f78b34a490b8e692f1a110cef72097685.

Thanks for taking a look!

Chris

Closed
Christopher Baines wrote on 3 May 2020 11:45
(name . Brice Waegeneire)(address . brice@waegenei.re)(address . 40631@debbugs.gnu.org)
878si9mjx1.fsf@cbaines.net
Brice Waegeneire <brice@waegenei.re> writes:

>> + (description
>> + "The @acronym{CAC,Common Access Card} library can be used to
>> emulate and
>> +share smart cards from client system to local or remote virtual
>> machines.")
>> + (home-page "https://gitlab.freedesktop.org/spice/libcacard")
>> + (license license:lgpl2.1+)))
>
> I just found out that 'acronym' isn't displayed at all by “guix show”
> producing “The library can be used [...]”, it can be replaced by 'dfn'
> which is displayed quoted: “The "CAC" library can be used [...]”. I wish
> “guix lint” would display 'acronym' which seems more useful than
> 'defn'.

So this is/was a bug in Guile [1] and should be fixed as of Guile 3.0.1
[2].

