DanBui
Contributor

Cannot enable USB eToken passthrough to guest OS.

Hey guys,

Now I want to connect a USB eToken to a virtual machine.

The eToken is not shown when adding a new device / Host USB device.

pastedImage_2.png

On the ESXi host, the Feitian token is shown.

pastedImage_0.png

I ran this command in the CLI:

esxcli hardware usb passthrough device enable -d 1:4:096e:0703

Nothing changed.

Does anyone know how to fix this?

Update: I followed this article

VMware Knowledge Base

but pcscd is already not running

pastedImage_1.png

The eToken is still not listed when adding a host USB device.

Best regards,

0 Kudos
23 Replies
DanBui
Contributor

Is there anyone who can help me?

0 Kudos
bluefirestorm
Champion

How are you accessing the VM? Are you using VMware Workstation Pro or VMware Remote Console (VMRC)?

After adding the line

usb.generic.allowCCID = "TRUE"

to the vmx of the VM,

assuming that you use Workstation Pro or VMRC to access the VM, you should be able to see the CCID device in the "Removable Devices" menu of USB devices to connect to the VM.

0 Kudos
DanBui
Contributor

Thank you for your reply.

I'm using ESXi 6.7 and vSphere vCenter 6.7.

If I use VMRC, I'm able to connect the CCID USB device to the VM through the "Removable Devices" menu. With this solution, if I close VMRC, the CCID USB device automatically disconnects.

Therefore I need to plug the CCID USB device directly into the ESXi host and add CCID USB passthrough to the VM.

0 Kudos
bluefirestorm
Champion

I am not sure if this will work for you.

https://kb.vmware.com/s/article/1648

You could try adding to the vmx configuration file

usb.autoConnect.device0 = "096e:0703"

0 Kudos
DanBui
Contributor

I have tried that solution. It does not work.

I found a couple of reasons

https://kb.vmware.com/s/article/55789

When users use smart card as the authentication to log into ESXi shell, PCSCD is the smart card daemon that claims and controls smart card readers

pastedImage_3.png

But PCSCD is not running.

In another solution

https://www.virtuallyghetto.com/2020/05/how-to-passthrough-usb-keyboard-mouse-hid-and-ccid-devices-t...

I think that the CCID USB device has been claimed by ESXi.

I added

usb.quirks.device0 = "0x096e:0x0703 allow"

to the /etc/vmware/config file

and added

CONFIG./USB/quirks=0x096e:0x0703::0xffff:UQ_KBD_IGNORE

to /bootbank/boot.cfg

It still does not work.

0 Kudos
NathanosBlightc
Commander

Please change the USB Controller version/type (2/3/3.1) on the VM settings, and then try for your token detection once again.

Please mark my comment as the Correct Answer if this solution resolved your problem
0 Kudos
DanBui
Contributor

pastedImage_0.png

I tried all USB controller versions/types (2/3) in the VM settings.

But my token is still not listed under Add New Host USB Device.

pastedImage_1.png

0 Kudos
NathanosBlightc
Commander

Can you check it with: 1. another physical USB port, 2. another ESXi host, 3. another VM, and report back the result?

Please mark my comment as the Correct Answer if this solution resolved your problem
0 Kudos
bluefirestorm
Champion

If you read the virtuallyghetto link that you sent carefully, there is a note under step 3 indicating that the steps to add to bootbank/boot.cfg are not required for a CCID device. Besides that, in the keyword UQ_KBD_IGNORE, the KBD likely stands for KeyBoarD.

The purpose of stopping the PCSCD is to stop ESXi from claiming it, as KB55789 implies.

Anyway, adding to /etc/vmware/config is to make it global (i.e. applies to all VMs) instead of having to add to individual VM vmx configuration file one-by-one.

In the previous try with VMRC, if the device was not disconnected from the VM before shut down of the VM, there might be auto connect strings added by path (at least that is what happens with Workstation/Fusion).

It is probably best to try on the vmx configuration level first rather than /etc/vmware/config.

0 Kudos
DanBui
Contributor

1. Checked with another physical USB device (a USB data drive) plugged into the same port.

pastedImage_0.png

The USB drive is listed under Add Host USB Device.

pastedImage_1.png

2. I have plugged the eToken into another ESXi host. It is still passthrough = disable.

pastedImage_2.png

3. On another ESXi host, as mentioned above, when eToken passthrough is disabled, it is not listed in the settings of another VM.

0 Kudos
DanBui
Contributor

Thanks, bluefirestorm.

For security (policy) reasons, the eToken must be plugged into the ESXi host, not connected via VMRC.

0 Kudos
bluefirestorm
Champion

Have you tried using the autoconnect in the vmx configuration using the USB path instead of VID:PID?

From the documentation, looks like ESXi goes by USB path instead of VID:PID for the autoconnect.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-4C61BFEA-0EBD-4FE...

The USB passthrough autoconnect feature identifies the device by using the USB path of the device on the host. It uses the physical topology and port location instead of the device identity.

0 Kudos
DanBui
Contributor

I have tried configuring the "USB path" instead of "VID:PID" for the autoconnect in the vmx configuration, but it did not work.

I think that is not the cause. Why is passthrough disabled only for the eToken when it is plugged into ESXi?

pastedImage_0.png

0 Kudos
bluefirestorm
Champion

You don't have to keep pasting that similar screenshot again and again. That was already in your original post. It doesn't progress the discussion.

Anyway, was the USB path correct?

FWIW, with an Ubuntu host with VMware Workstation Pro 15.5.6

The output of lsusb -t

/:  Bus 04.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M

/:  Bus 03.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/14p, 480M

    |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M

    |__ Port 2: Dev 3, If 1, Class=Human Interface Device, Driver=usbhid, 1.5M

    |__ Port 2: Dev 3, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M

    |__ Port 4: Dev 4, If 0, Class=Hub, Driver=hub/4p, 480M

        |__ Port 3: Dev 6, If 1, Class=Audio, Driver=snd-usb-audio, 12M

        |__ Port 3: Dev 6, If 2, Class=Human Interface Device, Driver=usbhid, 12M

        |__ Port 3: Dev 6, If 0, Class=Audio, Driver=snd-usb-audio, 12M

        |__ Port 4: Dev 7, If 0, Class=Human Interface Device, Driver=usbhid, 12M

        |__ Port 4: Dev 7, If 1, Class=Human Interface Device, Driver=usbhid, 12M

    |__ Port 5: Dev 8, If 0, Class=Chip/SmartCard, Driver=, 12M

    |__ Port 13: Dev 5, If 0, Class=Wireless, Driver=btusb, 12M

    |__ Port 13: Dev 5, If 1, Class=Wireless, Driver=btusb, 12M

/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/2p, 480M

    |__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/8p, 480M

/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/2p, 480M

    |__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/6p, 480M

This is the autoconnect entry for the SmartCard reader that Workstation Pro inserted after the VM was shut down without disconnecting the SmartCard reader:

usb_xhci.autoConnect.device0 = "path:3/5 autoclean:1"

So that would be bus 3, port 5. So it looks like path is bus and port number.

The VM was configured with USB 3.1 gen 1 controller so I think that is why it shows up as usb_xhci

I think for your case you would want autoclean to be 0.

0 Kudos
DanBui
Contributor

OK,

this is the output of lsusb -t

pastedImage_2.png

In the VM options I added Configuration Parameters

pastedImage_3.png

pastedImage_4.png

It did not work.

I also tried with

usb.autoConnect.device0 = "path:1/5 autoclean:1"

The same result.

0 Kudos
bluefirestorm
Champion

It's hard to troubleshoot without any reference to the vmware.log of the VM.

From your screenshot of lsusb -t, it looks like there are multiple devices connected to the same USB hub. Those look like device numbers instead of port numbers. If possible, I would suggest plugging into a port that is not on a hub. Otherwise you should look for the lower-level port number as well.

I think for your case you can leave out the autoclean altogether. Without the autoclean, the autoconnect will always remain there even if the device was not found. Or also try to autoconnect the Kingston thumb drive to see whether that also works. If the Kingston thumb drive does not autoconnect, something else is also wrong.

From the vmware.log of the VM I have, the autoconnect searches for the path,

I005: USB: Search for USB devices to connect [path:3/5]

I005: SOCKET creating new socket, connecting to /var/run/vmware/usbarbitrator-socket

Whether or not a device is connected, it still searches for it (I had removed the autoclean so the autoconnect string remains there even if the device was not found).

When the device is found

I005: USB: Found device [name:OmniKey\ Smart\ Card\ Reader\ USB vid:076b pid:3021 path:3/5 speed:full family:smart-card arbRuntimeKey:6 version:3]

I005: USB: Autoconnecting device "OmniKey Smart Card Reader USB" matching pattern [path:3/5] prefer usb_xhci

I005: USB: Connecting device desc:name:OmniKey\ Smart\ Card\ Reader\ USB vid:076b pid:3021 path:3/5 speed:full family:smart-card arbRuntimeKey:6 version:3 id:0x10000006076b3021

For multiple devices connected to the same USB hub, it uses port number underneath and not the device ID. I assume it takes the If 0 as precedence.

I005: USB: Found device [name:Harman\ JBL\ Pebbles vid:05fc pid:0231 path:3/4/3 speed:full family:audio,hid serialnum:1.0.0 arbRuntimeKey:3 version:3]

I005: USB: Found device [name:Wacom\ CTH-470 vid:056a pid:00de path:3/4/4 speed:full family:hid,hid-bootable arbRuntimeKey:1 quirks:allow version:3]

You can see the path is 3/4/3 for the audio device and 3/4/4 for the HID.

/:  Bus 03.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/14p, 480M

    |__ Port 4: Dev 4, If 0, Class=Hub, Driver=hub/4p, 480M

        |__ Port 3: Dev 6, If 1, Class=Audio, Driver=snd-usb-audio, 12M

        |__ Port 3: Dev 6, If 2, Class=Human Interface Device, Driver=usbhid, 12M

        |__ Port 3: Dev 6, If 0, Class=Audio, Driver=snd-usb-audio, 12M

        |__ Port 4: Dev 7, If 0, Class=Human Interface Device, Driver=usbhid, 12M

        |__ Port 4: Dev 7, If 1, Class=Human Interface Device, Driver=usbhid, 12

0 Kudos
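An added example, not part of any post in this thread: a small Python parser for the "USB: Found device [...]" lines quoted above. It lists what was offered to the VM and reports whether a given VID:PID appears at all. The sample log is constructed in the format shown in the thread, and the controller prefix of the suggested vmx line is an assumption.

```python
import re

# Constructed sample in the vmware.log format quoted in this thread
# (serial numbers replaced with placeholders).
SAMPLE_LOG = r"""
I125: VUsbUpdateVigorFieldsAndAutoconnect: New set of 2 USB devices
I125: USB: Found device [name:Kingston\ DataTraveler\ 3.0 vid:0951 pid:1666 path:0/1/3 speed:high family:storage,storage-bulk serialnum:EXAMPLE0001 arbRuntimeKey:2 version:3]
I125: USB: Found device [name:Realtek\ USB3.0-CRW vid:0bda pid:0329 path:0/1/1/3 speed:super family:storage,storage-bulk serialnum:EXAMPLE0002 arbRuntimeKey:1 version:3]
I125: Intel VT: FlexPriority enabled.
"""

FOUND = re.compile(r"USB: Found device \[(.*)\]")
# key:value pairs separated by spaces; "\ " is an escaped space inside a value.
FIELD = re.compile(r"(\w+):((?:\\ |[^\s\\])*)")


def parse_found_devices(log_text):
    """Return one dict per 'USB: Found device [...]' line."""
    devices = []
    for line in log_text.splitlines():
        match = FOUND.search(line)
        if not match:
            continue
        dev = {k: v.replace("\\ ", " ") for k, v in FIELD.findall(match.group(1))}
        dev["family"] = dev.get("family", "").split(",")
        devices.append(dev)
    return devices


def check_device(log_text, vid, pid, controller="usb_xhci"):
    """Was vid:pid offered to the VM? If so, build a path-based autoConnect line.

    'controller' is an assumption: the thread uses usb_xhci with a USB 3.1
    virtual controller and plain usb elsewhere.
    """
    devices = parse_found_devices(log_text)
    for dev in devices:
        if (dev.get("vid"), dev.get("pid")) == (vid.lower(), pid.lower()):
            line = '%s.autoConnect.device0 = "path:%s"' % (controller, dev["path"])
            return {"offered": True, "path": dev["path"], "vmx": line}
    # Not offered: an autoConnect pattern has nothing to match in this log.
    return {"offered": False,
            "seen": [(d.get("vid"), d.get("pid"), d.get("path")) for d in devices]}


if __name__ == "__main__":
    print(check_device(SAMPLE_LOG, "096e", "0703"))  # the token's VID:PID
    print(check_device(SAMPLE_LOG, "0951", "1666"))
```

When the result is "offered": False, the device never reached the VM's device list, so the place to look is the host side (what claims the device on ESXi) rather than the autoConnect string.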
DanBui
Contributor

From the vmware.log of the VM

I125: USB: Found device [name:Kingston\ DataTraveler\ 3.0 vid:0951 pid:1666 path:0/1/3 speed:high family:storage,storage-bulk serialnum:60A44CB4644AE361A7728390 arbRuntimeKey:2 version:3]

I125: USB: Found device [name:Realtek\ USB3.0-CRW vid:0bda pid:0329 path:0/1/1/3 speed:super family:storage,storage-bulk serialnum:29203008282014000 arbRuntimeKey:1 version:3]

I cannot find the Feitian eToken.

In the VM options I added Configuration Parameters

usb_xhci.autoConnect.device0 = "path:0/1/3 autoclean:1"

Autoconnect works well for the Kingston USB data drive.

I have tried with

usb_xhci.autoConnect.device0 = "path:0/1/5 autoclean:1"

path:0/1/5 is my assumption about the eToken's path.

It did not work.

0 Kudos
bluefirestorm
Champion

Since the Kingston USB passthrough worked on path:0/1/3, have you tried plugging in the Feitian eToken on the same port where the Kingston USB was connected to? As it is based on USB port path, instead of VID:PID, assuming there is nothing else wrong, the Feitian eToken should work on the same port as where the Kingston USB was previously plugged in.

If that doesn't work, there is probably not much else that can be done other than making sure the points in the KB are adhered to

https://kb.vmware.com/s/article/55789?lang=en_us

0 Kudos
DanBui
Contributor

OK, I unplugged the Kingston USB.

I plugged the Feitian eToken into the same port where the Kingston USB was previously plugged in.

pastedImage_0.png

in vmware.log

I125: VUsbUpdateVigorFieldsAndAutoconnect: New set of 1 USB devices

I125: USB: Found device [name:Realtek\ USB3.0-CRW vid:0bda pid:0329 path:0/1/1/3 speed:super family:storage,storage-bulk serialnum:29203008282014000 arbRuntimeKey:1 version:3]

I125: Intel VT: FlexPriority enabled.

That doesn't work.

In my original post, I had shown that pcscd is not running.

pastedImage_1.png

I have added this parameter to the vmx config file of the VM

usb.generic.allowCCID = "TRUE"

It does not work :(

0 Kudos