<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OperatingSystems - OpenCT Project - Trac</title><style type="text/css">
           @import url(trac.css);
          </style></head><body><div class="wikipage">
    <div id="searchable"><h1 id="OperatingSystems:GeneralNotes">Operating Systems: General Notes</h1>
<p>
Serial readers should work fine on all operating systems. Usb needs hotplug support, so that you can plugin
some new usb device, and if it is a smart card reader, openct needs to be notified. Unfortunatly hotplug on
linux is currently moving from hotplug to udev or hald, so we document all three systems. Freebsd has
usbd and dev, and no idea about all other systems. Readers in PCMCIA and PC-Card format are experimental
and only supported under linux so far, tested only with the udev setup (but adapting the setup should be easy).
</p>
<h2 id="Linux">Linux</h2>
<p>
We will discuss the very old hotplug setup below which nearly noone uses these days, the current udev setup and problems we know with it, and the new
hald setup.
</p>
<h3 id="OldHotplugSetup">Old Hotplug Setup</h3>
<p>
Serial support needs nothing special (only the serial driver for your
serial device), but usb support on linux has a few requirements:
</p>
<ul><li>Libusb needed during compilation and runtime.
</li><li>CONFIG_HOTPLUG so the kernel can let us know if you plugin a reader or token.
</li><li>hotplug utilities will be called by the kernel and run openct.
</li><li>CONFIG_USB_DEVICEFS so we can talk to usb devices from userspace.
</li><li>mount usbfs (kernel 2.4: usbdevfs) at /proc/bus/usb, to do that put this line into your /etc/fstab:
<pre class="wiki" xml:space="preserve">usbfs           /proc/bus/usb   usbfs   defaults                0       0
</pre>(replace "usbfs" with "usbdevfs" for linux kernel 2.4.* - will work on kernel 2.6.* too)
</li></ul><p>
Also the hotplug files need to be installed (see <a class="wiki" href="QuickStart.html" shape="rect">QuickStart</a> for full installation instructions):
</p>
<pre class="wiki" xml:space="preserve"># cp etc/openct.usermap /etc/hotplug/usb/openct.usermap
# cp etc/openct_usb /etc/hotplug/usb/openct
</pre><h3 id="NewudevSetup">New udev Setup</h3>
<p>
Serial support needs nothing special (only the serial driver for your
serial device), but usb support on linux has a few requirements:
</p>
<ul><li>Libusb needed during compilation and runtime.
</li><li>CONFIG_HOTPLUG so the kernel can let us know if you plugin a reader or token.
</li><li>udev needs to be installed. This comes with your distribution, and you are advised
not to install or update it yourself.
</li></ul><p>
OpenCT before 0.6.13 also needs:
</p>
<ul><li>CONFIG_USB_DEVICEFS so we can talk to usb devices from userspace. 
</li><li>mount usbfs (kernel 2.4: usbdevfs) at /proc/bus/usb, to do that put this line into your /etc/fstab:
<pre class="wiki" xml:space="preserve">usbfs           /proc/bus/usb   usbfs   defaults                0       0
</pre>(replace "usbfs" with "usbdevfs" for linux kernel 2.4.* - will work on kernel 2.6.* too)
</li></ul><p>
Also the udev files need to be installed (see <a class="wiki" href="QuickStart.html" shape="rect">QuickStart</a> for full installation instructions):
</p>
<pre class="wiki" xml:space="preserve"># cp etc/openct.udev /etc/udev/rules.d/50-openct.rules
# cp etc/openct_usb /lib/udev/openct_usb
# cp etc/openct_pcmcia /lib/udev/openct_pcmcia
# cp etc/openct_serial /lib/udev/openct_serial
</pre><p>
Some common problems with udev:
</p>
<ul><li>kernel versions and udev rules do not fit. Several kernels required new udev versions, so updating
the kernel without udev will not work. Updating udev is something you shouldn't do yourself, best
use the distribution udev. As a result you cannot update the kernel or need to update your whole
distribution.
</li><li>For a long time every distribution had usbfs mounted on /proc/bus/usb. Some stopped doing that and
thus broke OpenCT. This is fixed in OpenCT 0.6.13+. Note: OpenSuse uses hal for connecting linux kernel
and OpenCT and thus should work without usbfs mounted on /proc/bus/usb.
</li><li>Ubuntu 7.04 ("feisty") and maybe also older versions had usbfs mounted on /proc/bus/usb/.usbfs and
a bind mount from /dev/bus/usb to /proc/bus/usb. This broken OpenCT as the device we wanted to open
was always created to late. OpenCT 0.6.12 has added a work around for this. Ubuntu 7.10 will drop this
practice (but maybe not have /proc/bus/usb at all).
</li><li>Linux Kernel 2.6.22 has changes to the usb code that result in some uevents missing PRODUCT and TYPE
and DEVICE information. This will be fixed in 2.6.23 and 2.6.22.5. Please update your kernel.
</li><li>Linux Kernel 2.6.22+ has a new option CONFIG_USB_DEVICE_CLASS, which is marked deprecated. As long as
it is on everything is fine. But if turned off there could be problems. This option doesn't harm OpenCT
per se, but might break your udev code to generate /dev/bus/usb/xxx/yyy devices. As a result libusb
will not find any device (because /dev/bus/usb exists it doesn't look at /proc/bus/usb even if that one
is fine), and thus also our coldplug code run by "/etc/init.d/openct start" breaks.
</li><li>People could compile their kernel without the CONFIG_USB_DEVICEFS option. This option was only needed for
usbfs, and some might think with /dev/bus/usb it is no longer needed to have usbfs on /proc/bus/usb. But
without this option the kernel also doesn't add the DEVICE information to the kernel events, and thus
OpenCT can be notified by udev about new devices, but will not have the name of the new device and thus
cannot process this information. OpenCT 0.6.13+ can work without CONFIG_USB_DEVICEFS.
</li><li>udev has a mechanism as alternative to DEVICE, it is called DEVNAME. But it only works with the proper udev
rules and on many distributions those are not in place, resulting in DEVNAME like /dev/2-1.7 - something
openct can't work with. A proper udev rules looks like this:
<pre class="wiki" xml:space="preserve">  SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", \
    NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0644"
</pre>OpenCT 0.6.13+ has this rule and a modified script so we can construct the device name from udev information
stored from a previous event and read by udevinfo later.
</li></ul><h3 id="haldsetup">hald setup</h3>
<p>
Hald needs a fdi config file and a script it runs when something in the fdi config file matches.
To install these files:
</p>
<pre class="wiki" xml:space="preserve"># mkdir -p /usr/share/hal/fdi/information/10freedesktop/
# cp etc/openct.fdi /usr/share/hal/fdi/information/10freedesktop/10-usb-openct.fdi
# cp etc/openct.hald /usr/bin/hald-addon-openct
</pre><p>
OpenSuse ships OpenCT connected via hald to the kernel events. The fdi config file for hald in openct-0.6.12-10 however
does not match usb class information and thus will not work with all reades. Also the hald-addon-openct in openct-0.6.12-10
seems to be broken, as it uses /proc/bus/usb/ PATH, but as far as we know OpenSuse only has devices in /dev/bus/usb.
</p>
<p>
OpenCT 0.6.13+ comes with a hald fdi file and we hope the packages OpenSuse creates for this new version will work.
</p>
<p>
PCMCIA and PC-Card readers are not yet supported via hald, advice and patches are very welcome.
</p>
<p>
Hald documentation is available online at <a class="ext-link" href="http://people.freedesktop.org/~david/hal-spec/hal-spec.html" shape="rect"><span class="icon">http://people.freedesktop.org/~david/hal-spec/hal-spec.html</span></a>
</p>
<h2 id="FreeBSD">FreeBSD</h2>
<p>
Daniel Slezak reports for freebsd 5.4 :
</p>
<p>
I have sold a part of my problem by usbd in FreeBSD 5.4. I add to /etc/usbd.conf:
</p>
<pre class="wiki" xml:space="preserve">## Token Rainbow Technologies iKey 3000 Series
device "iKey 3000 Series"
         devname "ugen[0-9]+"
         vendor  0x04b9
         product 0x1300
         attach  "/usr/local/etc/rc.d/openct.sh start"
         detach  "/usr/local/etc/rc.d/openct.sh stop"

# The fallthrough entry: Nothing is specified, nothing is done.  And it isn't
# necessary at all :-) .  Just for pretty printing in debugging mode.
#
device "USB device"
         detach "/usr/local/sbin/openct-control shutdown"
</pre><p>
I has to add "detach /usr/local/etc/rc.d/openct.sh stop" in section "USB 
device" too, else it hasn't any effect.
I have to close openct framework before I take out
token. Else FreeBSD doesn't detach /dev/ugen0 and writes in logs:
usb_detach_wait: ugen0 didn't detach.
</p>
<p>
And he forwarded a note from Petr Holub for FreeBSD 6.0:
</p>
<pre class="wiki" xml:space="preserve">On 6.0-RELEASE:
1) Install from ports
   security/openct
   security/opensc
2) add to /etc/devd.conf:
# USB certificate token
attach 50 {
    match "vendor" "0x04b9";
    match "product" "0x1300";
    action "/usr/local/etc/rc.d/openct.sh start";
};
detach 50 {
    match "vendor" "0x04b9";
    match "product" "0x1300";
    action "/usr/local/etc/rc.d/openct.sh stop";
};
3) /etc/rc.d/devd restart
</pre><p>
List of issues for FreeBSD:
</p>
<ul><li>is devd a replacement of usbd? sorry, I'm confused. Also: above has only examples for one vendor/product each.
We could include example files for either or both in openct with all devices listed.
</li><li>above example uses the init script and start/stop. That will not work with several tokens, as it will always
end the processes for all of them. it would be better to call openct-control attach or ifdhandler.
On linux the hotplug system calls
<pre class="wiki" xml:space="preserve">/usr/sbin/openct-control attach /proc/bus/usb/003/002 usb:973/1
</pre>which has the device path as parameter and "usb:vendor/product" so openct knows the type (usb)
and the information (vendor and product) so it can read the openct.conf, look which driver is
used for that, and start an ifdhandler like that:
<pre class="wiki" xml:space="preserve">/usr/sbin/ifdhandler -H egate /proc/bus/usb/003/003
</pre>i.e. "-H" for hotplug, the driver name, and the device file to use. add -v or -vv or even more for
debugging. would be nice if freebsd could do something similar, or let us know how to deal with this
best.
</li></ul><h2 id="OpenBSD">OpenBSD</h2>
<pre class="wiki" xml:space="preserve">install from ports
cd /usr/ports/security/openct
make install clean
cd /usr/ports/security/opensc
make install clean
</pre><p>
Erase and key generation works so far, but openssl does not: the openssl shell 
exits after the engine load command for some unknown reason. Note you need to specify
the engine shared object file as *.so.0.0 (on linux it is simply *.so).
</p>
<p>
Also OpenBSD has a hotplugd, but so far it does not support usb devices. So you need to
run 
</p>
<pre class="wiki" xml:space="preserve">openct-control shutdown
openct-control init
</pre><p>
every time you add or remove a usb crypto token.
</p>
<p>
Now OpenBSD Current (2005-07-20) passes all OpenSC regression tests with an Aladdin eToken PRO.
</p>
<p>
Other tokens however did not work, these problems need to be investigated, as well as how to
get it to work without UGEN_DEBUG.
</p>
<h2 id="otherBSD">other BSD</h2>
<p>
OpenCT should work, but this wasn't tested for sometime. Latest OpenCT seems to not find libusb,
we are working on it.
</p>
<h2 id="Solaris">Solaris</h2>
<p>
Latest OpenCT supports Solaris fine and was tested to work.
</p>
<h2 id="Sunray">Sunray</h2>
<p>
Sunray including client/server architecture was recently added to OpenCT and 0.6.5 once release should work fine.
Till then please use a snapshot or svn trunk checkout.
</p>
</div>
   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>