Site logo
Stories around the Genode Operating System RSS feed
Martin Stein avatarMartin Stein
Genode Labs

Martin is working at Genode Labs. He has been especially involved in the custom kernel, platform support, networking and testing. Furthermore, he is enthusiastic about Genode Labs' yearly Hack'n'Hike and the Microkernel Devroom at the FOSDEM.

GitHub m-stein

Martin Stein avatar

USB smart cards via PKCS#11

August 18 2022 by Martin Stein

With the 22.08 release, Genode gains support for accessing USB smart-card devices like typical authentication and HSM keys via PKCS#11.

A GOA-based port of the OpenSC PKCS#11-tool has become available in Sculpt through the package mstein -> pkcs11_tool. The package merely requires a route to the USB session of your USB smart card. In order to make this session available, you have to permit access for the tool at the USB driver first. Plug in the device and look up its vendor and product ID in the file /reports/drivers/usb_devices. With this information add a policy to the file /config/usb as follows (example IDs): 

 <usb>
   <policy label="runtime -> pkcs11_tool -> usb_device"
           vendor_id="0x4e6"
           product_id="0x5816"/>
 </usb>

You also may want to configure the PKCS#11 tool through its launcher before you start it: 

 <launcher ...>
   ...
   <config>

       <libc stdout="/dev/log"
             stderr="/dev/log"
             pipe="/dev/pipe"
             rtc="/dev/rtc"/>

       <vfs>
          <dir name="dev">
             <log/>
             <libusb/>
             <inline name="rtc">2022-07-12 00:01</inline>
             <dir name="pipe"> <pipe/> </dir>
          </dir>
          <dir name="ifd-ccid.bundle">
             <dir name="Contents">
                <rom name="Info.plist"/>
             </dir>
          </dir>
       </vfs>

       <arg value="pkcs11-tool" />
       <arg value="--module" />
       <arg value="opensc_pkcs11.lib.so" />
       <arg value="--login" />
       <arg value="--pin" />
       <arg value="123456" />
       <arg value="--list-objects" />

   </config>
 </launcher>

If you want to build the tool yourself, you need to have the external sources from the m-stein/goa_projects repository plus the current Genode source tree for some library dependencies. Make sure to have the following variables set appropriately in your .goarc file (example values): 

 set depot_dir                /depot
 set depot_user               martin
 set depot_overwrite          1
 set versions_from_genode_dir /genode

Build the required API archives from within the Genode repository into the configured depot directory (replace "martin" with your depot user-name): 

 /genode$ ./tool/depot/create -j8 \
   martin/api/libc martin/api/pcsc-lite martin/api/posix
   DEPOT_DIR=/depot/ UPDATE_VERSIONS=1 FORCE=1 REBUILD=

(By the way, these APIs are listed in goa_projects/pkcs11_tool/used_apis) Make sure that you have the most recent version of the GOA tool: 

 /goa_projects/pkcs11_tool$ goa update-goa

Now you can build and export the GOA project itself: 

 /goa_projects/pkcs11_tool$ goa export

Once, GOA has successfully exported the PKCS#11-tool package to your depot directory, you can use the repos/world/run/pkcs11_tool.run script in your Genode directory in order to test-drive the program in a Qemu VM on your host Linux.

pkcs11_tool.run listing the objects on a smart card

But first, make sure that your Genode build directory uses the same depot setup as GOA: 

 /genode/build/x86_64$ echo "RUN_OPT += --depot-user martin" >> etc/build.conf
 /genode/build/x86_64$ echo "RUN_OPT += --depot-dir /depot"  >> etc/build.conf

The script passes through a host USB device to the PKCS#11 tool in the VM. Before running the script, you have to determine the USB bus address and device address of the USB smart card: 

 /genode/build/x86_64$ lsusb
 ...
 Bus 001 Device 004: ID 20a0:4108 Clay Logic Nitrokey Pro

Then, you may have to make the USB device accessible to the user of the run script. A temporary way would be as follows: 

 /genode/build/x86_64$ sudo chmod a+rw /dev/bus/usb/001/004

The run script finally can be invoked by: 

 /genode/build/x86_64$ make run/pkcs11_tool \
   KERNEL=nova BOARD=pc USB_BUS_ADDR=1 USB_DEV_ADDR=4

The PKCS#11 tool can be equipped with individual command-line options inside the run script. For a reference of available command-line options please refer to the manual of the OpenSC PKCS#11 tool.

If you want to deploy your self-built PKCS#11 tool in Sculpt, you have to create the dependency binary archives via the Genode directory (again, replace the user name): 

 /genode$ ./tool/depot/create -j8 \
   martin/src/openssl
   martin/src/stdcxx
   martin/src/opensc_pkcs11
   martin/src/posix
   martin/src/libc
   martin/src/pcsc-lite
   martin/src/libusb
   martin/src/vfs
   martin/src/vfs_libusb
   martin/src/vfs_pipe
   DEPOT_DIR=/depot UPDATE_VERSIONS=1 FORCE=1 REBUILD=

(Note that these archives are listed in goa_projects/pkcs11_tool/pkg/pkcs11_tool/archives) Now, you can create an index entry for the tool (the version can be found in goa_projects/pkcs11_tool/version) and either directly use the target depot for your Sculpt distribution or publish all archives.

Discuss at reddit.com/r/genode
External Links