First, thanks for the help and the swift reply :).

So I should note that the Yubikey works fine when accessed directly on the host; it only fails in the guest.

The virtualization software used by QubesOS is Xen. However, I found out that it uses a "USB proxy"[0] to protect the system from DMA attacks. They call it a "USB device passthrough using USBIP as a protocol, but qrexec as link layer" (qrexec is Qubes' cross-VM communication layer). What this means is that they tunnel a single USB device from the host to the guest using the USBIP protocol (instead of assigning the whole bus to the guest).

I tried using usbmon with Wireshark as you suggested to find out more. The logs of the guest and host are attached (they are the same session). I'm not too sure what to make of it though. Clearly, the USB doesn't seem to answer in time to the Get Slot Status request. It looks like it times out after 100ms in both the guest and the host. Is it possible that the USB proxy would add latency, causing the timeout? And if so, how can I increase this timeout? I figured DEFAULT_COM_READ_TIMEOUT is where the timeout is defined, but it is specified as 3000ms in the source, whereas I time out after 100ms, so I guess the timeout I'm seeing comes from somewhere else?

I have also made another Wireshark log of what happens in the host when accessing the Yubikey directly from there (the scenario where the Yubikey works) in case that's useful.

I'm contacting the Qubes mailing list, maybe they have more insight into what their USB proxy entails.

Again, thanks a lot for the help :)

Robin Lambertz

[0]: https://github.com/QubesOS/qubes-app-linux-usb-proxy

On 02/14/2017 09:48 AM, Maximilian Stein wrote:
> On 14.02.2017 01:53, Robin Lambertz wrote:
>
>> I'm trying to get my Yubikey NEO to work with GPG in an archlinux VM on
>> Qubes OS. Unfortunately, it seems that PCSCD is unable to work with my
>> yubikey, it doesn't appear when running pcsc_scan.
>
> This is probably a problem with your virtualisation software. I've found
> that certain constellations of VirtualBox do not play nicely together
> with non-mass-storage USB usage.
>
>> ReadUSB returns immediately with the TIMEOUT error (isn't that weird?),
>
> Not at all, the first InterruptRead is just to clear the interrupt
> endpoint and therefore has a timeout of only 100ms, which expires in
> your logs.
>
>> while the WriteUSB times out after 5 seconds. I'm not sure what to do to
>> further debug this. Any hint as to what I could do to figure out where
>> the issue is coming from?
>
> You could try to use a different virtualisation software or version,
> updating guest additions (in case of VirtualBox). You could try a newer
> kernel in the VM guest or a newer version of libusbx/libusb-1.0.
>
> To further debug the problem you could monitor the USB traffic inside
> the guest and on the host via usbmon [1]. Most probably you will see USB
> traffic coming back from the device on the host, but not inside the guest.
>
> Best regards and good luck,
> Maximilian Stein


Pcsclite-muscle mailing list

Attachment: guest.pcap
Description: application/vnd.tcpdump.pcap

Attachment: host.pcap
Description: application/vnd.tcpdump.pcap

Attachment: host_direct_access.pcap
Description: application/vnd.tcpdump.pcap
