1994e735cSHongren (Zenithal) Zheng.. _canokey: 2994e735cSHongren (Zenithal) Zheng 3994e735cSHongren (Zenithal) ZhengCanoKey QEMU 4994e735cSHongren (Zenithal) Zheng------------ 5994e735cSHongren (Zenithal) Zheng 6994e735cSHongren (Zenithal) ZhengCanoKey [1]_ is an open-source secure key with supports of 7994e735cSHongren (Zenithal) Zheng 8994e735cSHongren (Zenithal) Zheng* U2F / FIDO2 with Ed25519 and HMAC-secret 9994e735cSHongren (Zenithal) Zheng* OpenPGP Card V3.4 with RSA4096, Ed25519 and more [2]_ 10994e735cSHongren (Zenithal) Zheng* PIV (NIST SP 800-73-4) 11994e735cSHongren (Zenithal) Zheng* HOTP / TOTP 12994e735cSHongren (Zenithal) Zheng* NDEF 13994e735cSHongren (Zenithal) Zheng 14994e735cSHongren (Zenithal) ZhengAll these platform-independent features are in canokey-core [3]_. 15994e735cSHongren (Zenithal) Zheng 16994e735cSHongren (Zenithal) ZhengFor different platforms, CanoKey has different implementations, 17*c555b504SManos Pitsidianakisincluding both hardware implementations and virtual cards: 18994e735cSHongren (Zenithal) Zheng 19994e735cSHongren (Zenithal) Zheng* CanoKey STM32 [4]_ 20994e735cSHongren (Zenithal) Zheng* CanoKey Pigeon [5]_ 21994e735cSHongren (Zenithal) Zheng* (virt-card) CanoKey USB/IP 22994e735cSHongren (Zenithal) Zheng* (virt-card) CanoKey FunctionFS 23994e735cSHongren (Zenithal) Zheng 24994e735cSHongren (Zenithal) ZhengIn QEMU, yet another CanoKey virt-card is implemented. 25994e735cSHongren (Zenithal) ZhengCanoKey QEMU exposes itself as a USB device to the guest OS. 26994e735cSHongren (Zenithal) Zheng 27994e735cSHongren (Zenithal) ZhengWith the same software configuration as a hardware key, 28994e735cSHongren (Zenithal) Zhengthe guest OS can use all the functionalities of a secure key as if 29994e735cSHongren (Zenithal) Zhengthere was actually an hardware key plugged in. 30994e735cSHongren (Zenithal) Zheng 31120f765eSStefan WeilCanoKey QEMU provides much convenience for debugging: 32994e735cSHongren (Zenithal) Zheng 33120f765eSStefan Weil* libcanokey-qemu supports debugging output thus developers can 34994e735cSHongren (Zenithal) Zheng inspect what happens inside a secure key 35994e735cSHongren (Zenithal) Zheng* CanoKey QEMU supports trace event thus event 36994e735cSHongren (Zenithal) Zheng* QEMU USB stack supports pcap thus USB packet between the guest 37994e735cSHongren (Zenithal) Zheng and key can be captured and analysed 38994e735cSHongren (Zenithal) Zheng 39994e735cSHongren (Zenithal) ZhengThen for developers: 40994e735cSHongren (Zenithal) Zheng 41994e735cSHongren (Zenithal) Zheng* For developers on software with secure key support (e.g. FIDO2, OpenPGP), 42994e735cSHongren (Zenithal) Zheng they can see what happens inside the secure key 43994e735cSHongren (Zenithal) Zheng* For secure key developers, USB packets between guest OS and CanoKey 44994e735cSHongren (Zenithal) Zheng can be easily captured and analysed 45994e735cSHongren (Zenithal) Zheng 46994e735cSHongren (Zenithal) ZhengAlso since this is a virtual card, it can be easily used in CI for testing 47994e735cSHongren (Zenithal) Zhengon code coping with secure key. 48994e735cSHongren (Zenithal) Zheng 49994e735cSHongren (Zenithal) ZhengBuilding 50994e735cSHongren (Zenithal) Zheng======== 51994e735cSHongren (Zenithal) Zheng 52994e735cSHongren (Zenithal) Zhenglibcanokey-qemu is required to use CanoKey QEMU. 53994e735cSHongren (Zenithal) Zheng 54994e735cSHongren (Zenithal) Zheng.. code-block:: shell 55994e735cSHongren (Zenithal) Zheng 56994e735cSHongren (Zenithal) Zheng git clone https://github.com/canokeys/canokey-qemu 57994e735cSHongren (Zenithal) Zheng mkdir canokey-qemu/build 58994e735cSHongren (Zenithal) Zheng pushd canokey-qemu/build 59994e735cSHongren (Zenithal) Zheng 60994e735cSHongren (Zenithal) ZhengIf you want to install libcanokey-qemu in a different place, 61994e735cSHongren (Zenithal) Zhengadd ``-DCMAKE_INSTALL_PREFIX=/path/to/your/place`` to cmake below. 62994e735cSHongren (Zenithal) Zheng 63994e735cSHongren (Zenithal) Zheng.. code-block:: shell 64994e735cSHongren (Zenithal) Zheng 65994e735cSHongren (Zenithal) Zheng cmake .. 66994e735cSHongren (Zenithal) Zheng make 67994e735cSHongren (Zenithal) Zheng make install # may need sudo 68994e735cSHongren (Zenithal) Zheng popd 69994e735cSHongren (Zenithal) Zheng 70994e735cSHongren (Zenithal) ZhengThen configuring and building: 71994e735cSHongren (Zenithal) Zheng 72994e735cSHongren (Zenithal) Zheng.. code-block:: shell 73994e735cSHongren (Zenithal) Zheng 74994e735cSHongren (Zenithal) Zheng # depending on your env, lib/pkgconfig can be lib64/pkgconfig 75994e735cSHongren (Zenithal) Zheng export PKG_CONFIG_PATH=/path/to/your/place/lib/pkgconfig:$PKG_CONFIG_PATH 76994e735cSHongren (Zenithal) Zheng ./configure --enable-canokey && make 77994e735cSHongren (Zenithal) Zheng 78994e735cSHongren (Zenithal) ZhengUsing CanoKey QEMU 79994e735cSHongren (Zenithal) Zheng================== 80994e735cSHongren (Zenithal) Zheng 81994e735cSHongren (Zenithal) ZhengCanoKey QEMU stores all its data on a file of the host specified by the argument 82994e735cSHongren (Zenithal) Zhengwhen invoking qemu. 83994e735cSHongren (Zenithal) Zheng 84994e735cSHongren (Zenithal) Zheng.. parsed-literal:: 85994e735cSHongren (Zenithal) Zheng 86994e735cSHongren (Zenithal) Zheng |qemu_system| -usb -device canokey,file=$HOME/.canokey-file 87994e735cSHongren (Zenithal) Zheng 88994e735cSHongren (Zenithal) ZhengNote: you should keep this file carefully as it may contain your private key! 89994e735cSHongren (Zenithal) Zheng 90994e735cSHongren (Zenithal) ZhengThe first time when the file is used, it is created and initialized by CanoKey, 91994e735cSHongren (Zenithal) Zhengafterwards CanoKey QEMU would just read this file. 92994e735cSHongren (Zenithal) Zheng 93994e735cSHongren (Zenithal) ZhengAfter the guest OS boots, you can check that there is a USB device. 94994e735cSHongren (Zenithal) Zheng 95994e735cSHongren (Zenithal) ZhengFor example, If the guest OS is an Linux machine. You may invoke lsusb 96994e735cSHongren (Zenithal) Zhengand find CanoKey QEMU there: 97994e735cSHongren (Zenithal) Zheng 98994e735cSHongren (Zenithal) Zheng.. code-block:: shell 99994e735cSHongren (Zenithal) Zheng 100994e735cSHongren (Zenithal) Zheng $ lsusb 101994e735cSHongren (Zenithal) Zheng Bus 001 Device 002: ID 20a0:42d4 Clay Logic CanoKey QEMU 102994e735cSHongren (Zenithal) Zheng 103994e735cSHongren (Zenithal) ZhengYou may setup the key as guided in [6]_. The console for the key is at [7]_. 104994e735cSHongren (Zenithal) Zheng 105120f765eSStefan WeilDebugging 106120f765eSStefan Weil========= 107994e735cSHongren (Zenithal) Zheng 108994e735cSHongren (Zenithal) ZhengCanoKey QEMU consists of two parts, ``libcanokey-qemu.so`` and ``canokey.c``, 109994e735cSHongren (Zenithal) Zhengthe latter of which resides in QEMU. The former provides core functionality 110994e735cSHongren (Zenithal) Zhengof a secure key while the latter provides platform-dependent functions: 111994e735cSHongren (Zenithal) ZhengUSB packet handling. 112994e735cSHongren (Zenithal) Zheng 113994e735cSHongren (Zenithal) ZhengIf you want to trace what happens inside the secure key, when compiling 114994e735cSHongren (Zenithal) Zhenglibcanokey-qemu, you should add ``-DQEMU_DEBUG_OUTPUT=ON`` in cmake command 115994e735cSHongren (Zenithal) Zhengline: 116994e735cSHongren (Zenithal) Zheng 117994e735cSHongren (Zenithal) Zheng.. code-block:: shell 118994e735cSHongren (Zenithal) Zheng 119994e735cSHongren (Zenithal) Zheng cmake .. -DQEMU_DEBUG_OUTPUT=ON 120994e735cSHongren (Zenithal) Zheng 121994e735cSHongren (Zenithal) ZhengIf you want to trace events happened in canokey.c, use 122994e735cSHongren (Zenithal) Zheng 123994e735cSHongren (Zenithal) Zheng.. parsed-literal:: 124994e735cSHongren (Zenithal) Zheng 125994e735cSHongren (Zenithal) Zheng |qemu_system| --trace "canokey_*" \\ 126994e735cSHongren (Zenithal) Zheng -usb -device canokey,file=$HOME/.canokey-file 127994e735cSHongren (Zenithal) Zheng 128994e735cSHongren (Zenithal) ZhengIf you want to capture USB packets between the guest and the host, you can: 129994e735cSHongren (Zenithal) Zheng 130994e735cSHongren (Zenithal) Zheng.. parsed-literal:: 131994e735cSHongren (Zenithal) Zheng 132994e735cSHongren (Zenithal) Zheng |qemu_system| -usb -device canokey,file=$HOME/.canokey-file,pcap=key.pcap 133994e735cSHongren (Zenithal) Zheng 134994e735cSHongren (Zenithal) ZhengLimitations 135994e735cSHongren (Zenithal) Zheng=========== 136994e735cSHongren (Zenithal) Zheng 137994e735cSHongren (Zenithal) ZhengCurrently libcanokey-qemu.so has dozens of global variables as it was originally 138994e735cSHongren (Zenithal) Zhengdesigned for embedded systems. Thus one qemu instance can not have 139994e735cSHongren (Zenithal) Zhengmultiple CanoKey QEMU running, namely you can not 140994e735cSHongren (Zenithal) Zheng 141994e735cSHongren (Zenithal) Zheng.. parsed-literal:: 142994e735cSHongren (Zenithal) Zheng 143994e735cSHongren (Zenithal) Zheng |qemu_system| -usb -device canokey,file=$HOME/.canokey-file \\ 144994e735cSHongren (Zenithal) Zheng -device canokey,file=$HOME/.canokey-file2 145994e735cSHongren (Zenithal) Zheng 146994e735cSHongren (Zenithal) ZhengAlso, there is no lock on canokey-file, thus two CanoKey QEMU instance 147994e735cSHongren (Zenithal) Zhengcan not read one canokey-file at the same time. 148994e735cSHongren (Zenithal) Zheng 149994e735cSHongren (Zenithal) ZhengReferences 150994e735cSHongren (Zenithal) Zheng========== 151994e735cSHongren (Zenithal) Zheng 152994e735cSHongren (Zenithal) Zheng.. [1] `<https://canokeys.org>`_ 153994e735cSHongren (Zenithal) Zheng.. [2] `<https://docs.canokeys.org/userguide/openpgp/#supported-algorithm>`_ 154994e735cSHongren (Zenithal) Zheng.. [3] `<https://github.com/canokeys/canokey-core>`_ 155994e735cSHongren (Zenithal) Zheng.. [4] `<https://github.com/canokeys/canokey-stm32>`_ 156994e735cSHongren (Zenithal) Zheng.. [5] `<https://github.com/canokeys/canokey-pigeon>`_ 157994e735cSHongren (Zenithal) Zheng.. [6] `<https://docs.canokeys.org/>`_ 158994e735cSHongren (Zenithal) Zheng.. [7] `<https://console.canokeys.org/>`_ 159