Smart Card problem with RHEL 7.3

[steelagent]

RHEL 7.3 doesn't see any smart cards when I attach an USB smart card reader to a virtual machine. I have installed both open-vm-tools-10.0.5-2.x86_64 and open-vm-tools-desktop-10.0.5-2.el7.x86_64 packages in RHEL 7.3. I installed an "EHCI+UHCI" USB controller to the virtual machine. I have tried to both directly attaching and sharing the smart card reader with the VM and RHEL 7.3 still doesn't see any smart cards. It does see the smart card reader, just not the smart cards. I have tried this with RHEL 6 and many different versions of Windows and it works, so I don't think it is my environment. I have also installed RHEL 7.3 on a physical workstation with the same smart card readers and smart cards, so I don't believe its a problem with RHEL either. I was wondering if its related to open-vm-tools ?

[virtLance]

What's your host OS? ESXi/Win/Fedora?

[virtLance]

I've tried RHEL7.3 on Win 8/Ubuntu 14/ESXi 6.5. All worked.
Please elaborate on the steps to reproduce so I can help.

Thanks,
Lance

[csamsel]

ESXi 6.5 has multiple issues with USB attached smartcard readers.
You'll have to enable CCID passthrough by adding (to the VM config file)

usb.generic.allowCCID = "TRUE"

and disable the native USB driver to allow working passthrough via (on the ESXI console):

esxcli system module set -m=vmkusb -e=FALSE

https://kb.vmware.com/kb/2147650

[virtLance]

1. That's because pcscd is required to support smartcard login.
   If you don't want to use smartcard to log in to the DCUI, yes, you can add the option to the vmx to enable CCID passthru
2. Many smart card readers have been tested so far with vmkusb. If you see issues, please provide vid:pid of the reader and steps to reproduce.

Thanks,
Lance

[csamsel]

Actually, the second issue is not specific for smartcard readers. From around 5-7 devices, which i'm operating using USB passthrough, not a single one worked correctly with the ESXi 6.5 native driver.

These include mostly various smartcard reader and UPSes. I'm at home now, the devices i have here are for example:
0463:ffff MGE UPS Systems (Eaton Ellipse ECO 800 UPS)
0bda:0165 Realtek Semiconductor Corp. (CSL - USB Chipkartenleser [cheap smartcard reader from Amazon.de])

The problem is always the same, the connection to the devices gets resetted / interrupted. Thats espacially bad for smartcard readers as that might leave the smartcard (in our case secure access modules for cryptograhic operations) in an undefined state which is only been healed by reconnecting it.
It take a few minutes (up to 30) until these problems occurs.

It seems to be common knowledge around the internet (e.g. reddit /r/homelab) that USB passthrough is broken in 6.5 (respectively in the native driver). So i assume VMware knows about this as well.

[virtLance]

Thanks for the info. I will take a look

[virtLance]

Hi,

Could you help verify if those devices happen to have Intr. endpoints. The following are the steps

lsusb

This shows all the USB devices on your host. For each device that does not work, please take a note on their bus number and device number

cat /dev/usbdevices | more

If the device in question is Bus 1, Dev 5 from lsusb, the record for it starts with the following line

T: Bus=01 Lev=XX Prnt=XX Port=XX Cnt=XX Dev# = 5 <-- Bus 1, Dev 5
Check if you see any
E: Ad=XX(I/O) Atr=XX(Intr) <-- Intr endpoint

I'm suspecting the issue is specific to any device containing Intr. endpoint.

Thanks,
Lance

[csamsel]

I cant post details of all devices at once but here is one that definitely does not work with the native VMware ESXi usb driver, but does so with the legacy linux driver: CSL - USB Chipkartenleser [cheap smartcard reader from Amazon.de]

[root@vmhost-t430-2:~] lsusb
Bus 003 Device 006: ID 0bda:0165 Realtek Semiconductor Corp. 
...

[root@vmhost-t430-2:~] cat /dev/usbdevices | more
...
T:  Bus= 03 Lev= 01 Prnt= 01 Port= 09 Cnt= 02 Dev#=  6 Spd=480  MxCh= 0
V:  Available for Passthrough, currently in use
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0bda ProdID=0165 Rev=61.23
S:  Manufacturer=Generic
S:  Product=Smart Card Reader Interface
S:  SerialNumber=20070818000000000
C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=0b(scard) Sub=00 Prot=00 Driver=usbfs
E:  Ad=83(I) Atr=03(Int.) MxPS=  64 Ivl=16ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
...

[virtLance]

Thanks for the help. I found the issue with smart cards.

[csamsel]

Happy to hear, looking forward for the fix in the next version ;) do you still need more information about other devices?

[virtLance]

Yes, please (if it's not inconvenient)

[csamsel]

This is the UPS i use at home, which is also misbehaving.

[root@oxygen-vmhost:~] lsusb
Bus 003 Device 002: ID 0463:ffff MGE UPS Systems UPS

cat /dev/usbdevices | more
...
T:  Bus= 03 Lev= 01 Prnt= 01 Port= 03 Cnt= 01 Dev#=  2 Spd=1.5  MxCh= 0
V:  Available for Passthrough, currently in use
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  6
P:  Vendor=0463 ProdID=ffff Rev= 1.00
S:  Manufacturer=EATON
S:  Product=Ellipse ECO
S:  SerialNumber=000000000
C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr= 20mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbfs
E:  Ad=81(I) Atr=03(Int.) MxPS=   8 Ivl=20ms
C:  #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr= 20mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=
E:  Ad=81(I) Atr=03(Int.) MxPS=   8 Ivl=20ms
C:  #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr= 20mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=
E:  Ad=81(I) Atr=03(Int.) MxPS=   8 Ivl=20ms
C:  #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr= 20mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=

[virtLance]

Thanks. Both of the devices contain Intr. endpoints. I think I know where the problem is. Thanks for the help again

[steelagent]

Sorry for the long delay from my original post. I have doing some more testing and I have determined that the smart card reader works when I use the USB pass-thru option, but it doesn't work when I share the smart card reader with the virtual machine.

Here is the details of my setup:
RHEL 7.3 VM with all the latest updates
VMware Tools daemon, version 10.0.5.52125 (build-3227872)
The smart card reader is a SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader
The vSphere Client is 5.5.0
The vSphere Server is 5.5.0

Here is the output from the lsusb command when I use the USB pass-thru option with the vSphere client:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 005: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Here is the output from the dmesg command when I use the USB pass-thru option with the vSphere client:
[ 2032.808722] usb 2-2.1: USB disconnect, device number 4
[ 4951.254785] usb 2-2.1: new full-speed USB device number 5 using uhci_hcd
[ 4951.430662] usb 2-2.1: New USB device found, idVendor=04e6, idProduct=5116
[ 4951.430667] usb 2-2.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 4951.430668] usb 2-2.1: Product: SCR33xx v2.0 USB SC Reader
[ 4951.430670] usb 2-2.1: Manufacturer: SCM Microsystems

Here is the output from the lsusb command when I use the sharing option with the vSphere client:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 006: ID 0e0f:0004 VMware, Inc. Virtual CCID
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Here is the output from the dmesg command when I use the shared option with the vSphere client:
[ 9061.481196] usb 2-2.1: USB disconnect, device number 5
[ 9074.006845] usb 2-2.1: new full-speed USB device number 6 using uhci_hcd
[ 9074.159326] usb 2-2.1: New USB device found, idVendor=0e0f, idProduct=0004
[ 9074.159331] usb 2-2.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9074.159334] usb 2-2.1: Product: Virtual USB CCID
[ 9074.159336] usb 2-2.1: Manufacturer: VMware

[virtLance]

Shared smart card is a different story. Shared mode and passthru are mutual exclusive in ESXi. Shared mode is enabled to support DCUI login with smart card. So far, only DoD card and JAVA card are supported officially. That's because smart cards require middleware to work and the required middleware for the two cards are installed in ESXi by default.

Because of the above reason, smart card passthru is disabled by default unless you explicitly add 'usg.generic.allowCCID = "TRUE"' in the vmx file and stop pcsc service if it's already running.

The typical usage would be connecting your smart card to your client machine on which you have vmrc installed and connect remotely.