
USB Security dongles testing under Qubes->sys-usb->test-vm->qemu(TCG) : random "can't set config #1, error -32"

Open tlaurion opened this issue 2 years ago • 1 comments


tlaurion avatar Sep 01 '23 20:09 tlaurion

@marmarek: passing the device from test-vm to another vm and back to test-vm sometimes fixes the issue, sometimes not. Seems like an issue with test-vm's qemu getting exclusive access. The test-vm definitely sees the device, but cannot set config to it I would say 2/3 of the time.

Any insights on the problem? Only mitigation here is to pass USB Security dongle to another vm, physically disconnecting USB Security dongle from host. And after a couple of retries, qemu gets exclusive access to the device passed to the device and eventually asks for PIN.

The behavior is reproducible from all qemu-coreboot-*-tpm1/tpm2 boards under Heads. This is annoying when testing.

To replicate under master:

make BOARD=qemu-coreboot-whiptail-tpm2 USB_TOKEN=NitrokeyStorage PUBKEY_ASC=~/Documents/Insurgo_2024_pub.asc ROOT_DISK_IMG=~/QubesIncoming/heads-tests/root.qcow2 inject_gpg && make BOARD=qemu-coreboot-whiptail-tpm2 USB_TOKEN=NitrokeyStorage PUBKEY_ASC=~/Documents/Insurgo_2024_pub.asc ROOT_DISK_IMG=~/QubesIncoming/heads-tests/root.qcow2 run

Where

  • ROOT_DISK_IMG=~/QubesIncoming/heads-tests/root.qcow2 is an installed Debian or whatever OS you already installed (optional; I reuse the same raw disk across different boards, which is why I specify it)
  • PUBKEY_ASC=~/Documents/Insurgo_2024_pub.asc is the path of your public key matching the USB Security dongle's private key
  • USB_TOKEN=NitrokeyStorage is my USB Security dongle, but could be NitrokeyPro, LibremKey or Nitrokey3NFC
  • inject_gpg is the make statement to inject the public key inside of the rom to be used by make run next (there is no flashrom support under Qemu, so we simulate that part as described in the docs under the board dir for those boards)
  • make run runs qemu on the rom built with public key injected
