20.16.8. Smartcard Devices
A virtual smartcard device can be supplied to the guest virtual machine via the
smartcardelement. A USB smartcard reader device on the host machine cannot be used on a guest with simple device passthrough, as it cannot be made available to both the host and guest, and can lock the host computer when it is removed from the guest. Therefore, some hypervisors provide a specialized virtual device that can present a smartcard interface to the guest virtual machine, with several modes for describing how the credentials are obtained from the host machine, or from a channel created by a third-party smartcard provider. To set parameters for USB device redirection through a character device, edit the following section of the domain XML:
... <devices> <smartcard mode='host'/> <smartcard mode='host-certificates'> <certificate>cert1</certificate> <certificate>cert2</certificate> <certificate>cert3</certificate> <database>/etc/pki/nssdb/</database> </smartcard> <smartcard mode='passthrough' type='tcp'> <source mode='bind' host='127.0.0.1' service='2001'/> <protocol type='raw'/> <address type='ccid' controller='0' slot='0'/> </smartcard> <smartcard mode='passthrough' type='spicevmc'/> </devices> ...
Figure 20.34. Devices - smartcard devices
smartcardelement has a mandatory attribute
mode. The following modes are supported; in each mode, the guest virtual machine sees a device on its USB bus that behaves like a physical USB CCID (Chip/Smart Card Interface Device) card.
The mode attributes are as follows:
Table 20.16. Smartcard mode elements
|In this mode, the hypervisor relays all direct access requests from the guest virtual machine to the host physical machine's smartcard via NSS. No other attributes or sub-elements are required. See below about the use of an optional |
|This mode allows you to provide three NSS certificate names residing in a database on the host physical machine, rather than requiring a smartcard to be plugged into the host physical machine. These certificates can be generated using the command |
|This mode allows you to tunnel all requests through a secondary character device to a third-party provider (which may in turn be talking to a smartcard or using three certificate files), rather than having the hypervisor directly communicate with the host physical machine. In this mode, an additional attribute |
Each mode supports an optional sub-element
address, which fine-tunes the correlation between the smartcard and a ccid bus controller (Refer to Section 20.16.3, “Device Addresses”).