Each controller has a mandatory attribute type,
- which must be one of "ide", "fdc", "scsi", "sata", or
+ which must be one of "ide", "fdc", "scsi", "sata", "ccid", or
"virtio-serial", and a mandatory attribute index
which is the decimal integer describing in which order the bus
controller is encountered (for use in controller
@@ -991,6 +991,99 @@
not used by qemu.
+
+ A virtual smartcard device can be supplied to the guest via the
+ smartcard element. A USB smartcard reader device on
+ the host cannot be used on a guest with simple device
+ passthrough, since it will then not be available on the host,
+ possibly locking the host computer when it is "removed".
+ Therefore, some hypervisors provide a specialized virtual device
+ that can present a smartcard interface to the guest, with
+ several modes for describing how credentials are obtained from
+ the host or even a from a channel created to a third-party
+ smartcard provider. Since 0.8.8
+
+ The <smartcard> element has a mandatory
+ attribute mode. The following modes are supported;
+ in each mode, the guest sees a device on its USB bus that
+ behaves like a physical USB CCID (Chip/Smart Card Interface
+ Device) card.
+
+
+
+
mode='host'
+
The simplest operation, where the hypervisor relays all
+ requests from the guest into direct access to the host's
+ smartcard via NSS. No other attributes or sub-elements are
+ required. See below about the use of an
+ optional <address> sub-element.
+
+
mode='host-certificates'
+
Rather than requiring a smartcard to be plugged into the
+ host, it is possible to provide three NSS certificate names
+ residing in a database on the host. These certificates can be
+ generated via the command certutil -d /etc/pki/nssdb -x -t
+ CT,CT,CT -S -s CN=cert1 -n cert1, and the resulting three
+ certificate names must be supplied as the content of each of
+ three <certificate> sub-elements. An
+ additional sub-element <database> can specify
+ the absolute path to an alternate directory (matching
+ the -d option of the certutil command
+ when creating the certificates); if not present, it defaults to
+ /etc/pki/nssdb.
+
+
mode='passthrough'
+
Rather than having the hypervisor directly communicate with
+ the host, it is possible to tunnel all requests through a
+ secondary character device to a third-party provider (which may
+ in turn be talking to a smartcard or using three certificate
+ files). In this mode of operation, an additional
+ attribute type is required, matching one of the
+ supported serial device types, to
+ describe the host side of the tunnel; type='tcp' is
+ typical. Further sub-elements, such
+ as <source>, are required according to the
+ given type, although a <target> sub-element
+ is not required (since the consumer of the character device is
+ the hypervisor itself, rather than a device visible in the
+ guest).
+
+
+
+ Each mode supports an optional
+ sub-element <address>, which fine-tunes the
+ correlation between the smartcard and a ccid bus controller.
+ If present, the element must have an attribute
+ of type='ccid' as well as a bus
+ attribute listing the index of the bus that the smartcard
+ utilizes. An optional slot attribute lists which
+ slot within the bus. For now, qemu only supports at most one
+ smartcard, with an address of bus=0 slot=0.
+