
scdaemon doesn't detect card removal after boot/resume (Identiv SPR332v2)
Closed, Resolved, Public

Description

When the machine is booted or resumed from suspend, scdaemon fails to detect (first) card removal.

reader_x.status says USABLE and scd getinfo also returns information as if the card were still attached.

If the card is inserted after this condition, it does not work anymore. It needs to be removed and inserted back again, possibly two times, until it is detected normally again. After this, it will work normally up to the next reboot or resume from suspend, including an arbitrary number of card inserts/removals. If scdaemon is reloaded (gpgconf --reload scdaemon) after the first removal, it will detect card insert/removal correctly after that, up to the next reboot or resume from suspend.

I'm using the built-in ccid driver. This behavior is not present with the Identiv proprietary pcsc-lite drivers.

Operating system: CentOS 8
gnupg: 2.2.23
Card: Floss-shop OpenPGP card (v3.3)
Reader: Identiv SPR332v2 (also from Floss-shop, no firmware updates)

Details

Version
2.2.23

Event Timeline

werner added a subscriber: werner.

Thanks for the detailed report. Does the green LED blink fast when it does not work?

Thanks for the prompt answer!

Yes, the LED blinks fast for ~5,5s and the scdaemon log shows during that time:

reading public key failed: Card reset required
ccid_transceive failed: (0x10009)
apdu_send_simple(0) failed: card inactive
ccid_transceive failed: (0x10009)
apdu_send_simple(0) failed: card inactive
...

Okay, I have the same problem at my office and thus I should be able to figure out the reason. I have ignored the problem until now because the workaround is easy enough and in most cases I authenticate with my token anyway. But yes, this needs to be fixed.

Is it an alias of SPR532? Please show me the USB vendor ID and product ID.

In our code for PC/SC, we have some workaround code that detects "SPRx32".
For the internal CCID driver, we also have a bit of code, but it is based on the USB product ID of the SPR532 (E003).

In general, if the vendor has to offer its proprietary driver, using it without the driver won't work well...

Bus 001 Device 123: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard Reader

A new device is on its way to you.

Here is the output for an SCM SPR532

bcdUSB               2.00
bDeviceClass            0 
bDeviceSubClass         0 
bDeviceProtocol         0 
bMaxPacketSize0        16
idVendor           0x04e6 SCM Microsystems, Inc.
idProduct          0xe003 SPR532 PinPad SmartCard Reader
bcdDevice            5.10
iManufacturer           1 SCM Microsystems Inc.
iProduct                2 SPRx32 USB Smart Card Reader
iSerial                 5 21250809205470
bNumConfigurations      1

My device has the same info but with a firmware version (bcdDevice) of 7.01, but shows Identive SPR332 V2 on its printed label.

Thanks for sending.

I confirmed that Identiv is distributing a proprietary driver (libscmccid.so.5.0.3).

Just wanted to add to my initial findings:

  • I was not using proprietary drivers (libscmccid.so.5.0.35), because the installer script fails to install on default CentOS 8 pcsc-lite. So the distribution pcsc-lite also doesn't have this issue.
  • Fastest way to test this condition is to just detach/attach the reader device.
  • Proprietary drivers don't support secure pin entry!

@turkja Thanks for your information.
May I ask you one thing?
Please show me the usb VID:PID of your card reader.
Is it 04e6:e003?
You can examine a line of the output by lsusb.

And please report the output of lsusb -d 04e6:e003 for the information of the card reader.

This is everything lsusb knows about the device:

Bus 002 Device 058: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard Reader
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x04e6 SCM Microsystems, Inc.
  idProduct          0xe003 SPR532 PinPad SmartCard Reader
  bcdDevice            7.01
  iManufacturer           1 SCM Microsystems Inc.
  iProduct                2 SPRx32 USB Smart Card Reader
  iSerial                 5 51271834207869
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x005d
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          3 CCID Class
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower               90mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass        11 Chip/SmartCard
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              4 CCID Interface
      ChipCard Interface Descriptor:
        bLength                54
        bDescriptorType        33
        bcdCCID              1.10  (Warning: Only accurate for version 1.0)
        nMaxSlotIndex           0
        bVoltageSupport         7  5.0V 3.0V 1.8V 
        dwProtocols             3  T=0 T=1
        dwDefaultClock       4800
        dwMaxiumumClock     12000
        bNumClockSupported      0
        dwDataRate          12903 bps
        dwMaxDataRate      412903 bps
        bNumDataRatesSupp.      0
        dwMaxIFSD             254
        dwSyncProtocols  00000000 
        dwMechanical     00000000 
        dwFeatures       000104BA
          Auto configuration based on ATR
          Auto voltage selection
          Auto clock change
          Auto baud rate change
          Auto PPS made by CCID
          Auto IFSD exchange
          TPDU level exchange
        dwMaxCCIDMsgLen       271
        bClassGetResponse    echo
        bClassEnvelope       echo
        wlcdLayout           none
        bPINSupport             3  verification modification
        bMaxCCIDBusySlots       1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x85  EP 5 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              16

Nice, thanks! If I want to try this fix, should I just compile the master tree?

Currently, yes. After some testing, I'll backport it to 2.2.

Ok. Tried to test this with master, but failed. I got it compiled and installed, and it actually detected the first removal after reboot/suspend/reader attach/whatever reason, but after that when I inserted the card back, it didn't function anymore. I suppose you also tried that? I mean that's the use case, I suppose: to be able to remove/insert the card reliably all day long.

I also had a lot of other troubles, like not getting pinentry to work at all, so I suspect my dev environment was not in good shape. Maybe the KVM/libvirt usb redirection was causing troubles as well, who knows. I'll just wait for the official release and try again later, or try again with a real physical usb bus.

I tested with physical usb and did multiple operations with external events (insert/remove/etc. for the card). I haven't seen any problem (if so, I would be doing more fixes), so far.

Let's see for a while, I'll keep testing.

Testing more, I managed to encounter a failure with physical usb.
Once in this failure mode, I need to remove the card reader from USB and reinsert it again.
I need to figure out a sequence to avoid this situation and to reset the card reader correctly.

It seems that, after re-insertion of the card, there is some period during which the card reader returns an error when accessed from the host. When the card reader is accessed in this period, it seems it goes into an unrecoverable state.

This is also what I found out with my tests with the libvirt usb: removing and redirecting back the device got it working again.

gniibe added a project: Restricted Project. Edited Sep 28 2020, 6:37 AM

The patch rG684a52dffa8b: scd: Change handling of SPR532 card reader. makes me happier. It is more stable.

I observed that the card reader went into an erroneous state when I removed a card during its communication.
In this state, it never reports the card removal by the interrupt transfer.
I applied rG920f258eb601: scd: Internal CCID driver: More fix for SPR532. for this problem.

I'm still having problems with 2.2.24. Now the card removal is detected correctly, but the initialization fails.

So if I try to do something requiring authentication, there seems to be a bit of a delay before pinentry hits, but it never asks for PIN, just fails.

Strange thing is that if I do "gpg --card-status" from terminal, it starts to work and asks PIN correctly, and authenticates.

Downgraded back to the CentOS 8 default (2.2.9) and now I'm back where it began: everything works but the first card removal.

Thanks again for your report.

I confirmed that the last change before the release breaks the use case in 2.2.
Fixed in rG84020385be19: scd:openpgp: Public keys should be available for check_keyidstr..

Stable now and works as expected. Thank you!