I've been able to use my Yubikey 4 on a debian 8 qube successfully. (Remember to patch the libccid_Info.plist). Might be worth giving it a try?
Hi, What did you patch exactly ?I found out after some fumbling around that the yubikey works perfectly well if I don't use qvm-usb, and instead assign the entire USB bus to the guest VM. My understanding is that this is less secure and opens me up to DMA attacks. It's also a lot less flexible. After digging around, I found out that qvm-usb uses qubes-usb-proxy[0], which seems to be the party at fault here.
I tried using usbmon and wireshark to find out more. The logs of the guest and host are attached (they log the same session). Clearly, the usb doesn't seem to answer in time to the Get Slot Status request. It looks like it times out after 100ms in both the guest and the host. Is it possible that the USB proxy would add latency, causing the timeout ? Should I try to increase the timeout in the PCSC software ?
I also have made another wireshark log of what happens in sys-usb when accessing the yubikey directly from there (The scenario where the yubikey works) in case that's useful.
Thanks for the help, Robin Lambertz [0]: https://github.com/QubesOS/qubes-app-linux-usb-proxy -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/o847r7%24u2m%241%40blaine.gmane.org. For more options, visit https://groups.google.com/d/optout.
host.pcap
Description: application/vnd.tcpdump.pcap
host_direct_access.pcap
Description: application/vnd.tcpdump.pcap
guest.pcap
Description: application/vnd.tcpdump.pcap