Smartcard not usable after suspend/resume

[paride]

Versions

• Reader: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader
• /usr/sbin/pcscd --version: pcsc-lite version 1.9.8.

Platform

• OS: Ubuntu Kinetic (Linux 5.15.0-27-generic)
• Smarstcard: OpenPGP card v3.3

Issue

• What do you do?

1. Happily use my OpenPGP with GnuPG
2. Suspend and resume the system
3. Try using the smartcard again

• What result do you expect?

The smarcard works as usual.

• What result do you get instead?

The smartcard isn't detected by GnuPG, even if it shows up in opensc-tool -l. Restarting pcscd makes it work again as normal.

Log

The attached log file has a comment in the point when I suspend/resume the system.

Note that I never insert PINs: the "Insert PIN" prompt is enough for me to tell that the smartcard is working properly.

Also note that in the whole process I never remove the smartcard: it's already in the reader when I start pcscd, and it stays there up the the end. Once pcscd stops working (after suspend/resume), removing and reinserting the card doesn't make a difference, but pcscd shows the remove/insert events.

log.txt

[paride]

I can reproduce this compiling from git (c35130f). Compiled with ./configure --enable-usbdropdir=/usr/lib/pcsc/drivers and

$ find /usr/lib/pcsc/drivers                                                                               
/usr/lib/pcsc/drivers
/usr/lib/pcsc/drivers/ifd-ccid.bundle
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
/usr/lib/pcsc/drivers/serial
/usr/lib/pcsc/drivers/serial/libccidtwin.so

where libccid.so comes from libccid 1.5.0.

[LudovicRousseau]

I do not see any problem on the pcsc-lite or CCID driver side.
The communication with the card is working fine after the suspend/resume.

Just after the resume I see "Card Removed From Alcor Micro AU9540 00 00" so GnuPG should be notified that the card has been "removed" and reset its internal state.

It looks like a problem with GnuPG itself.

[paride]

Thanks @LudovicRousseau for looking at the logs. The thing is, no matter how I kill/restart gpg-agent and scdaemon, the result is always the same: the card is not detected. The only thing that works is restarting pcscd, that's why I suspect the issue is with pcscd.

[LudovicRousseau]

Try to enable logs in GnuPG. Maybe you will see something interesting.

[paride]

And I think there is indeed something interesting. This is what scdaemon logs when it gets in a "bad" state. At suspend it logs:

2022-07-16 11:28:41 scdaemon[1554523] DBG: Removal of a card: 0

which is fine I guess, as the reader is powered down. But then when I try to access the card again it logs sharing violation (0x8010000b) errors:

2022-07-16 11:28:51 scdaemon[1554523] detected reader 'Alcor Micro AU9540 00 00'
2022-07-16 11:28:51 scdaemon[1554523] reader slot 0: not connected
2022-07-16 11:28:51 scdaemon[1554523] pcsc_connect failed: sharing violation (0x8010000b)
2022-07-16 11:28:51 scdaemon[1554523] reader slot 0: not connected
2022-07-16 11:28:52 scdaemon[1554523] detected reader 'Alcor Micro AU9540 00 00'
2022-07-16 11:28:52 scdaemon[1554523] reader slot 0: not connected
2022-07-16 11:28:52 scdaemon[1554523] pcsc_connect failed: sharing violation (0x8010000b)
2022-07-16 11:28:52 scdaemon[1554523] reader slot 0: not connected
2022-07-16 11:28:53 scdaemon[1554523] detected reader 'Alcor Micro AU9540 00 00'
2022-07-16 11:28:53 scdaemon[1554523] reader slot 0: not connected
2022-07-16 11:28:53 scdaemon[1554523] pcsc_connect failed: sharing violation (0x8010000b)
[...]

so looks like that scdaemon isn't telling pcscd the release the exclusive smartcard access lock on card removal, or pcscd isn't correctly receiving it or acting on it.

What still puzzles be a bit is that even if I kill scdaemon the pcscd lock on the card isn't released (I need to restart pcscd). Shouldn't the lock be released in this case? This is at least what appears to be the expected behavior, see for example:

https://www.nitrokey.com/documentation/frequently-asked-questions-faq#how-to-make-gnupg-release-exclusive-smartcard-access

[paride]

OK, I think this is (almost) all wrong. There's a race between GnuPG, Firefox and Thunderbird for access to the smartcard. If I close both Firefox and Thunderbird then smartcard access is fully reliable after suspend/resume.

@LudovicRousseau sorry for the bogus bug report and thanks for the pointers.

[LudovicRousseau]

Firefox and Thunderbird are using OpenSC to access the OpenPGP card?

Maybe you can update GnuPG (or scdaemon) to use a shared PC/SC access instead of an exclusive access as documented in point 3 of How to make GnuPG release exclusive smartcard access?. Or, again, report the problem at GnuPG. GnuPG should be able to work fine even if Firefox is also running.

Thanks for the feedback.