usbip runner does not work as a security dongle for Heads #564
Comments
The secrets app should be enabled in the usbip runner. Can you access it from the host system? What QEMU configuration do you use to pass through the USB device?
@mkopec I would appreciate it if you can put more details here, so we can move this discussion forward.
I'm also trying to understand what should be passed to qemu here. Maybe https://github.com/Nitrokey/nitrokey-3-firmware/blob/main/docs%2Fusbip.md should be clearer and be augmented on what is expected to be passed to qemu as usb device? For example for Heads qemu targets, make call typically looks like this to pass real nk3 device when translated: I.e., from Heads master:
expands to
So what should we point to here after official docs' Goal would be to have Thanks
Looks like there’s something missing from the What exactly is the command that fails and the error message?
nitrokey-hotp-verification uses CCID to communicate with the NK3. Per default, the USBIP runner only supports CTAPHID communication, see the “Limitations” section in the USBIP guide. So even if the USB device itself shows up, it cannot be accessed via CCID. You can try using
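The CCID versus CTAPHID distinction in the comment above can be checked from inside the guest. This is an added example, not part of the original thread or of either project's code: it reads the interface class codes that sysfs reports for one device and says whether a CCID (smart card, class `0b`) interface is advertised or only HID (class `03`, the transport CTAPHID runs over). The device names and the sample tree are constructed, and the result reflects only what the descriptors advertise.

```shell
#!/bin/sh
# Added example: does a USB token advertise CCID, or only HID (CTAPHID)?
# USB-IF interface class codes: 03 = HID, 0b = smart card (CCID).

# ccid_status SYSFS_DIR DEVICE
#   SYSFS_DIR  normally /sys/bus/usb/devices
#   DEVICE     bus-port name of the token, e.g. 1-1 (assumed, check your guest)
# Prints ccid | hid-only | other | not-found; exit status is 0 only for ccid.
ccid_status() {
    has_hid=no; has_ccid=no; found=no
    for ifdir in "$1/$2":*; do            # interface dirs look like 1-1:1.0
        [ -r "$ifdir/bInterfaceClass" ] || continue
        found=yes
        case $(cat "$ifdir/bInterfaceClass") in
            03)    has_hid=yes ;;
            0b|0B) has_ccid=yes ;;
        esac
    done
    if [ "$has_ccid" = yes ]; then echo ccid; return 0; fi
    if [ "$has_hid" = yes ]; then echo hid-only; return 1; fi
    if [ "$found" = yes ]; then echo other; else echo not-found; fi
    return 2
}

# Constructed sample tree (not captured from a real device): 1-1 mimics a
# HID-only device, 1-2 a device with both HID and CCID interfaces, and 1-3
# does not exist.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/1-1:1.0" "$root/1-2:1.0" "$root/1-2:1.1"
    echo 03 > "$root/1-1:1.0/bInterfaceClass"
    echo 03 > "$root/1-2:1.0/bInterfaceClass"
    echo 0b > "$root/1-2:1.1/bInterfaceClass"
    for dev in 1-1 1-2 1-3; do
        printf '%s: %s\n' "$dev" "$(ccid_status "$root" "$dev")"
    done
    rm -rf "$root"
}
demo
```

On a real guest, call `ccid_status /sys/bus/usb/devices <bus-port>` with the bus-port name of the token; a `hid-only` result matches the situation where the device is listed but a CCID client cannot reach it.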
I have no error message. The snippet above was qemu interfacing with physical nk3. I have not tried the usb runner yet.
My question was: was this tested with qemu? Can someone from Nitrokey clone Heads master and try to make this work replicating above commands and report what is missing here from direct experience from Heads master? Thanks
Excellent. Could give it a try:
But it seems like referred doc limitation section's bug #261 is blocker to this, referring to this discussion (no fix): https://lore.kernel.org/lkml/ZBHxfUX60EyCMw5l@Sun/
Correct, I’m not aware of anybody using the USBIP runner with qemu so far.
The bug does not occur on every command. Maybe this particular setup does not trigger the bug.
@robin-nitrokey. Can't build usb runner without following down rabbit in rabbit hole, i.e.:
@robin-nitrokey: clearer instructions to provide so I do not spend hours trying to figure out what is missing in docs (not Rust developer here) to build usb-runner and test
@tlaurion Do you happen to use Docker or Nix? Then I could directly provide you a working environment.
Yes. If you have a way to list USB devices, it should already show up when using the pre-compiled usbip runner e.g. for v1.8.0-rc.1 (
The goal would be to pack requirements under Heads flake.nix, create a modules/nk3-usb-runner and have Heads qemu-coreboot-fbwhiptail-tpm2-hotp board as in example be able to use either usb physical or emulated nk3 in test environment. Clear dependencies and build steps needed as per prior comment. So if you have flake.nix declared dependencies to point to, yes it would help since those would be added into Heads docker image built from nix develop environment. That would be ideal, since as noted, docs are not clear enough to be followed to build on top of debian-12 and I would prefer to not have to document this if it can be shipped with next revision of docker image and be able to document as code instead. Thanks
I don’t have a flake but a

```nix
# nixpkgs pinned to a fixed revision
{ pkgs ? import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/da4024d0ead5d7820f6bd15147d3fe2a0c0cec73.tar.gz") {} }:
let
  # fenix pinned by revision and hash
  fenix = pkgs.callPackage
    (pkgs.fetchFromGitHub {
      owner = "nix-community";
      repo = "fenix";
      rev = "1a92c6d75963fd594116913c23041da48ed9e020";
      hash = "sha256-L3vZfifHmog7sJvzXk8qiKISkpyltb+GaThqMJ7PU9Y=";
    })
    { };
  # Rust toolchain taken from the toolchain file in this directory
  toolchain = fenix.fromToolchainFile {
    dir = ./.;
  };
in
pkgs.mkShell {
  nativeBuildInputs = with pkgs.buildPackages; [
    clang
    git
    gnumake
    libclang
    toolchain
  ];
  shellHook = ''
    export LIBCLANG_PATH="${pkgs.libclang.lib}/lib"
  '';
}
```

If you place it in the root directory of the repository, you can run:
This contains the same dependencies as listed in the usbip guide. But Debian stable does not package the required Rust version. The easiest way would probably be to install
Was not able to easily add this under flake, will test after feature freeze it seems. If someone wants this for feature freeze, help needed.
@robin-nitrokey PR welcome.
My use case: Testing HOTP in Heads in QEMU without a physical dongle attached to the host system - see issue linuxboot/heads#1842 for more context
Currently when attempting to run OEM Factory Reset in Heads on QEMU, the process fails due to not detecting a security dongle, despite the dongle being listed in lsusb. I think this is because secrets-app is missing so HOTP isn't working, but there could be other issues too