1 files changed, 171 insertions, 0 deletions
diff --git a/docs/system/devices/ccid.rst b/docs/system/devices/ccid.rst
new file mode 100644
index 0000000000..3b8c2ab46a
--- /dev/null
+++ b/docs/system/devices/ccid.rst
@@ -0,0 +1,171 @@
+Chip Card Interface Device (CCID)
+=================================
+
+USB CCID device
+---------------
+The USB CCID device is a USB device implementing the CCID specification, which
+lets one connect smart card readers that implement the same spec. For more
+information see the specification::
+
+  Universal Serial Bus
+  Device Class: Smart Card
+  CCID
+  Specification for
+  Integrated Circuit(s) Cards Interface Devices
+  Revision 1.1
+  April 22rd, 2005
+
+Smartcards are used for authentication, single sign on, decryption in
+public/private schemes and digital signatures. A smartcard reader on the client
+cannot be used on a guest with simple usb passthrough since it will then not be
+available on the client, possibly locking the computer when it is "removed". On
+the other hand this device can let you use the smartcard on both the client and
+the guest machine. It is also possible to have a completely virtual smart card
+reader and smart card (i.e. not backed by a physical device) using this device.
+
+Building
+--------
+The cryptographic functions and access to the physical card is done via the
+libcacard library, whose development package must be installed prior to
+building QEMU:
+
+In redhat/fedora::
+
+  yum install libcacard-devel
+
+In ubuntu::
+
+  apt-get install libcacard-dev
+
+Configuring and building::
+
+  ./configure --enable-smartcard && make
+
+Using ccid-card-emulated with hardware
+--------------------------------------
+Assuming you have a working smartcard on the host with the current
+user, using libcacard, QEMU acts as another client using ccid-card-emulated::
+
+  qemu -usb -device usb-ccid -device ccid-card-emulated
+
+Using ccid-card-emulated with certificates stored in files
+----------------------------------------------------------
+You must create the CA and card certificates. This is a one time process.
+We use NSS certificates::
+
+  mkdir fake-smartcard
+  cd fake-smartcard
+  certutil -N -d sql:$PWD
+  certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -t TC,TC,TC -n fake-smartcard-ca
+  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
+  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca
+  certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca
+
+Note: you must have exactly three certificates.
+
+You can use the emulated card type with the certificates backend::
+
+  qemu -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
+
+To use the certificates in the guest, export the CA certificate::
+
+  certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
+
+and import it in the guest::
+
+  certutil -A -d /etc/pki/nssdb -i fake-smartcard-ca.cer -t TC,TC,TC -n fake-smartcard-ca
+
+In a Linux guest you can then use the CoolKey PKCS #11 module to access
+the card::
+
+  certutil -d /etc/pki/nssdb -L -h all
+
+It will prompt you for the PIN (which is the password you assigned to the
+certificate database early on), and then show you all three certificates
+together with the manually imported CA cert::
+
+  Certificate Nickname                        Trust Attributes
+  fake-smartcard-ca                           CT,C,C
+  John Doe:CAC ID Certificate                 u,u,u
+  John Doe:CAC Email Signature Certificate    u,u,u
+  John Doe:CAC Email Encryption Certificate   u,u,u
+
+If this does not happen, CoolKey is not installed or not registered with
+NSS. Registration can be done from Firefox or the command line::
+
+  modutil -dbdir /etc/pki/nssdb -add "CAC Module" -libfile /usr/lib64/pkcs11/libcoolkeypk11.so
+  modutil -dbdir /etc/pki/nssdb -list
+
+Using ccid-card-passthru with client side hardware
+--------------------------------------------------
+On the host specify the ccid-card-passthru device with a suitable chardev::
+
+  qemu -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
+       -usb -device usb-ccid -device ccid-card-passthru,chardev=ccid
+
+On the client run vscclient, built when you built QEMU::
+
+  vscclient <qemu-host> 2001
+
+Using ccid-card-passthru with client side certificates
+------------------------------------------------------
+This case is not particularly useful, but you can use it to debug
+your setup.
+
+Follow instructions above, except run QEMU and vscclient as follows.
+
+Run qemu as per above, and run vscclient from the "fake-smartcard"
+directory as follows::
+
+  qemu -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
+       -usb -device usb-ccid -device ccid-card-passthru,chardev=ccid
+  vscclient -e "db=\"sql:$PWD\" use_hw=no soft=(,Test,CAC,,id-cert,signing-cert,encryption-cert)" <qemu-host> 2001
+
+
+Passthrough protocol scenario
+-----------------------------
+This is a typical interchange of messages when using the passthru card device.
+usb-ccid is a usb device. It defaults to an unattached usb device on startup.
+usb-ccid expects a chardev and expects the protocol defined in
+cac_card/vscard_common.h to be passed over that.
+The usb-ccid device can be in one of three modes:
+
+* detached
+* attached with no card
+* attached with card
+
+A typical interchange is (the arrow shows who started each exchange, it can be client
+originated or guest originated)::
+
+  client event        |    vscclient           |    passthru    |    usb-ccid  |  guest event
+  ------------------------------------------------------------------------------------------------
+                      |    VSC_Init            |                |              |
+                      |    VSC_ReaderAdd       |                |    attach    |
+                      |                        |                |              |  sees new usb device.
+    card inserted ->  |                        |                |              |
+                      |    VSC_ATR             |   insert       |    insert    |  see new card
+                      |                        |                |              |
+                      |    VSC_APDU            |   VSC_APDU     |              | <- guest sends APDU
+  client <-> physical |                        |                |              |
+   card APDU exchange |                        |                |              |
+   client response -> |    VSC_APDU            |   VSC_APDU     |              |  receive APDU response
+                                                      ...
+                                      [APDU<->APDU repeats several times]
+                                                      ...
+     card removed  -> |                        |                |              |
+                      |    VSC_CardRemove      |   remove       |   remove     |   card removed
+                                                      ...
+                                      [(card insert, apdu's, card remove) repeat]
+                                                      ...
+    kill/quit         |                        |                |              |
+      vscclient       |                        |                |              |
+                      |    VSC_ReaderRemove    |                |   detach     |
+                      |                        |                |              |   usb device removed.
+
+libcacard
+---------
+Both ccid-card-emulated and vscclient use libcacard as the card emulator.
+libcacard implements a completely virtual CAC (DoD standard for smart
+cards) compliant card and uses NSS to retrieve certificates and do
+any encryption. The backend can then be a real reader and card, or
+certificates stored in files.