Tuesday, 2018-07-03

00:23 *** antosh has quit IRC
00:58 *** DongHM has joined #openstack-barbican
01:32 *** mhen has quit IRC
01:32 *** mhen has joined #openstack-barbican
01:39 *** antosh has joined #openstack-barbican
01:52 *** annp has joined #openstack-barbican
02:09 *** ricolin has joined #openstack-barbican
04:28 *** antosh has quit IRC
05:20 *** FrankZhang has quit IRC
05:20 *** FrankZhang has joined #openstack-barbican
05:21 *** FrankZhang has joined #openstack-barbican
06:00 *** Luzi has joined #openstack-barbican
06:56 *** openstackgerrit has joined #openstack-barbican
06:56 <openstackgerrit> Dao Cong Tien proposed openstack/barbican master: Invalid sphinx syntax of link to static file in doc  https://review.openstack.org/579781
07:18 *** ducnv has joined #openstack-barbican
07:21 *** peereb has joined #openstack-barbican
07:22 *** alee has joined #openstack-barbican
07:24 *** serlex has joined #openstack-barbican
07:55 *** ricolin has quit IRC
07:58 *** DongHM has quit IRC
08:08 *** DongHM has joined #openstack-barbican
08:39 <openstackgerrit> Nguyen Van Trung proposed openstack/barbican master: Add doc8 to pep8 check for project  https://review.openstack.org/579812
08:42 *** alee has quit IRC
08:43 *** alee has joined #openstack-barbican
09:10 *** pbourke has quit IRC
09:12 *** pbourke has joined #openstack-barbican
09:56 *** DongHM has quit IRC
10:01 <openstackgerrit> Dao Cong Tien proposed openstack/barbican master: Activate html_static_path config option  https://review.openstack.org/579781
10:15 *** abishop has joined #openstack-barbican
10:28 *** alee has quit IRC
10:29 *** alee has joined #openstack-barbican
10:43 *** alee has quit IRC
10:59 *** serlex has quit IRC
11:42 *** alee has joined #openstack-barbican
11:50 <alee> barbican weekly meeting in 5 minutes ..
11:50 <alee> or 10 actually ..
12:00 <alee> #startmeeting barbican
12:00 <openstack> Meeting started Tue Jul  3 12:00:28 2018 UTC and is due to finish in 60 minutes.  The chair is alee. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00 *** openstack changes topic to " (Meeting topic: barbican)"
12:00 <openstack> The meeting name has been set to 'barbican'
12:00 <alee> #topic roll call
12:00 *** openstack changes topic to "roll call (Meeting topic: barbican)"
12:01 <alee> anyone here -- I realize this is a big week for holidays ..
12:01 <alee> ?
12:01 <Luzi> o/
12:01 <mhen> o/
12:01 <alee> hi Luzi mhen
12:02 <alee> we'll wait a couple of minutes for other folks to join ..
12:02 <Luzi> hi alee - is redrobot here today?
12:02 <alee> I think he's on PTO this week
12:03 <alee> (holiday)
12:03 <alee> given that tomorrow is July 4th, many folks in the US are taking holidays
12:03 <alee> (I would be - but I've been on holiday for the last two weeks)
12:04 <Luzi> ah I see
12:04 <alee> ok - let's get started
12:05 <alee> I don't have much of an agenda this week. still getting caught up.
12:05 <alee> we're still marching on to get all the rocky features in
12:05 <alee> in particular the OVO feature
12:05 <mhen> OVO?
12:06 <alee> I've done a ton of reviews and need other core (who are all on vacation) to do some as well
12:06 <alee> oslo versioned objects
12:06 <mhen> ah I see
12:07 <alee> here is the tracker page for rocky -- https://etherpad.openstack.org/p/barbican-tracker-rocky
12:07 <alee> in addition there is work ongoing to document policy in code and make some policy more consistent
12:07 <alee> and some additional work to get the vault plugin tests running
12:08 <alee> not much more to report here except that there is a bunch to review and to do before rocky comes out
12:08 <mhen> "SGX plugin" - sounds interesting
12:08 <alee> next milestone is week of July 23
12:09 <mhen> is there any spec or PoC regarding that already?
12:09 <alee> mhen, yeah - the Intel folks worked on a plugin for SGX which they got working ..
12:09 <alee> and they wrote a whitepaper
12:09 <alee> some folks here have tried it out
12:10 <mhen> do you happen to have any links to that?
12:10 <alee> let me get link ..
12:10 <alee> https://arxiv.org/abs/1712.07694
12:10 *** raildo has joined #openstack-barbican
12:10 <alee> hey raildo
12:11 <mhen> thank you very much
12:11 <raildo> hey :)
12:11 <Luzi> hi raildo
12:11 <alee> https://github.com/cloud-security-research/sgx-kms/tree/master/Barbican
12:11 <raildo> hello everyone!
12:12 <mhen> welcome :)
12:12 <alee> they have some good work there including some barbican changes to do attestation
12:12 <alee> but have not tried to upstream any of it yet.
12:12 <alee> if anyone is interested in working on that -- that would be a great addition for Stein
12:13 <mhen> no promises yet but it could be relevant for our project - we'll have a look at it
12:14 <alee> there is another company called Fortanix which has built a solution based on SGX, which has used the pkcs11 plugin to work with their solution
12:14 <alee> they are going to write a gate soon
12:14 <alee> mhen, that would be great
12:14 <alee> #topic summit
12:14 *** openstack changes topic to "summit (Meeting topic: barbican)"
12:15 <alee> the deadline for submissions for the Berlin summit is fast approaching
12:15 <alee> July 13 IIRC
12:15 <Luzi> I thought 17
12:15 <alee> so any barbican related topics would be great ..
12:15 <Luzi> July 17th or am I wrong?
12:16 <alee> no  I stand corrected
12:16 <alee> July 17th -- I think I was confused by some internal deadline here
12:16 <alee> anyone have any ideas of barbican related talks?
12:17 <alee> barbican/security?
12:17 * mhen shrugs
12:18 <alee> I'm probably going to propose something related to the vault backend work I've been working on
12:18 <alee> not fleshed out yet
12:19 <raildo> alee, that would be awesome
12:19 <alee> raildo, I assume you'll be doing something about the oslo.config work?
12:20 <raildo> alee, are you saying about proposing something to the Summit, or just about the development?
12:20 <alee> raildo, summit
12:20 <alee> (I know you're doing the development)
12:21 <raildo> alee, well, probably, I'll skip this summit and maybe propose something for the next one, when we'll have something more mature
12:21 <raildo> alee, using the castellan driver and so on
12:21 <alee> ok
12:21 <alee> well just to keep the deadline in mind
12:21 <raildo> I'd rather do something showing that working, than just "this is the next steps"
12:21 <raildo> alee, sure, thanks!
12:21 <alee> ack
12:22 <alee> #topic castellan as base service
12:22 *** openstack changes topic to "castellan as base service (Meeting topic: barbican)"
12:22 <alee> so for a long time, the TC has been pushing to have castellan added as a base service
12:22 <alee> and finally that change has merged ..
12:22 * alee finding review ..
12:22 <raildo> yay
12:23 <alee> https://review.openstack.org/#/c/572656/
12:24 <alee> so -- a castellan compatible service is now a base service - which means that developers should expect to use castellan to store secrets
12:24 <alee> hopefully this will drive the secure and centralized storage of secrets
12:25 <alee> either using vault or barbican
12:25 <mhen> this is great news!
12:25 <alee> yeah - took forever to get there :)
12:25 <alee> #topic anything else?
12:25 *** openstack changes topic to "anything else? (Meeting topic: barbican)"
12:26 <mhen> o/
12:26 <mhen> there's also "PKCS#11 (against soft crypto)" on the etherpad you linked before - any details on that?
12:27 <alee> mhen, yeah - that was more aspirational -- nothing there
12:27 <mhen> what does "soft crypto" mean actually? software-emulated HSM?
12:27 <alee> yup
12:27 <mhen> I see
12:28 <mhen> something like Utimaco's simulator? https://hsm.utimaco.com/downloads/utimaco-portal/hsm-simulator/
12:28 <mhen> or something more abstract?
12:28 <alee> yes - something like that
12:28 <mhen> but isn't PKCS11 already implemented?
12:29 <alee> mhen, yes - but the only tests for it have been against HSMs
12:29 <alee> mhen, and so there are no gates
12:29 <alee> mhen, it would be great to have a soft HSM gate -- also as an option for those who can't afford an HSM
12:30 <mhen> I see
12:30 <mhen> so we'd need a free HSM emulator/simulator I guess
12:30 <alee> of course, SGX fills that void too
12:30 <alee> right
12:31 <alee> and then we can create a gate job against that
12:31 <alee> mhen, PKCS11 is tricky -- every vendor has their own idiosyncrasies
12:31 <alee> and then there are various versions
12:32 <alee> we had some patches submitted to update the pkcs11 version, but we were unable to merge without good testing
12:33 <alee> mhen, Luzi - not sure if I've "met" you guys before.  can you do a brief intro and explain your interest in barbican?
12:34 <Luzi> mhen and I actually sit next to each other
12:34 <Luzi> we work in the same team
12:34 <mhen> that's right :)
12:34 <Luzi> I started attending this meeting 2 weeks ago, to discuss aes-xts bit lengths
12:35 <alee> Luzi, that's right -- I remember reviewing your patch the other day
12:35 <Luzi> we proposed a patch therefore, you already reviewed it.
12:35 <alee> cool
12:36 <alee> (I know your name sounded familiar)
12:36 <mhen> our team is working on SecuStack, a security-enhanced OpenStack
12:37 <alee> Luzi, I want to get feedback from redrobot and other folks on how best to fix the issue you raised
12:38 <alee> mhen, cool - so using barbican for things like volume encryption and image signing and swift object encryption ?
12:38 <Luzi> that's a good thing to hear
12:38 <mhen> alee, exactly
12:38 <alee> also octavia stuff?
12:38 <alee> or magnum?
12:38 <mhen> not yet
12:39 <mhen> we're currently focusing on a minimal set of components
12:39 <alee> what backends are you guys looking at?
12:39 <mhen> alee, are you referring to Barbican backends?
12:39 <alee> yup
12:40 <alee> (I know you guys have been looking at SimpleCrypto :))
12:40 <mhen> we're currently evaluating the usage of an HSM, specifically one from Safenet
12:40 <alee> great
12:40 <mhen> but the SGX one sounds very interesting as well
12:41 <mhen> this is worth checking out
12:41 <alee> definitely.
12:42 <alee> well good to meet you guys - welcome aboard!
12:42 <mhen> thank you :)
12:42 <Luzi> thanks :)
12:42 <alee> anything else?
12:43 <alee> ok -- till next week then ..
12:43 <alee> #endmeeting
12:43 *** openstack changes topic to "Discussion about development of OpenStack Barbican and its client libraries. - Logs: http://eavesdrop.openstack.org/irclogs/%23openstack-barbican/"
12:43 <openstack> Meeting ended Tue Jul  3 12:43:11 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
12:43 <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-07-03-12.00.html
12:43 <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-07-03-12.00.txt
12:43 <openstack> Log:            http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-07-03-12.00.log.html
12:43 <alee> #endmeeting barbican
12:45 <mhen> btw, regarding the topic of HSMs, when I use "openstack secret order create key", is the secret supposed to be both generated _and_ stored in the HSM per default? (assuming the HSM connection has been configured correctly)
12:45 *** d063130_ has quit IRC
12:45 *** sapcc-bot has quit IRC
12:46 <alee> mhen, if you're using the PKCS11 plugin, the only key in the HSM is the master key
12:46 *** d063130_ has joined #openstack-barbican
12:46 *** sapcc-bot has joined #openstack-barbican
12:46 <alee> mhen, the master key is used to encrypt the project KEKs which are stored in the db
12:47 <alee> mhen, when a key is generated - it is generated in the HSM and wrapped with the project KEK
12:47 <alee> and then stored in the db
12:48 <alee> so - generated in the HSM, encrypted in the HSM, stored in the DB
12:48 *** serlex has joined #openstack-barbican
12:49 <mhen> alee, I see
12:49 <mhen> alee, thanks for the quick rundown!
12:51 *** rmascena has joined #openstack-barbican
12:51 *** raildo has quit IRC
12:52 <alee> mhen, no prob
12:53 <mhen> is there any easy way to figure out whether Barbican is actually using the HSM correctly in the backend?
12:54 <alee> mhen, I recently created a sequence diagram for volume encryption with an hsm -- http://paste.openstack.org/show/724891/
12:55 <alee> mhen, put that into websequencediagrams.com
12:56 <alee> mhen, when I've connected to an hsm, I usually have set pkcs11 logging on in the hsm - and have examined the pkcs11 logs
12:56 <mhen> alee, the pkcs11 logging is a good hint!
13:03 <mhen> alee, are all key encryption/decryption processes involving the PKEK (encrypting secrets) or MKEK (encrypting PKEKs) done on the HSM exclusively?
13:17 *** rmascena__ has joined #openstack-barbican
13:20 *** rmascena has quit IRC
13:24 <alee> mhen, they have to be.
13:24 <alee> mhen, the only time the PKEK and MKEK are in the clear is in the HSM
13:25 <mhen> alee, just as I assumed - great!
13:26 <mhen> alee, thank you for your answers! You saved me a lot of research.
13:26 <alee> mhen, np - happy to help
13:51 *** jmlowe has quit IRC
13:57 *** FrankZhang has quit IRC
13:58 *** namnh has joined #openstack-barbican
14:06 *** tidwellr has joined #openstack-barbican
14:15 <namnh> alee: Hi Ade
14:15 *** tidwellr has quit IRC
14:15 <namnh> Sorry, I did not join the weekly meeting this week.
14:16 *** tidwellr has joined #openstack-barbican
14:16 <namnh> alee: I got a lot of comments from you, and I think your comments are right for sure.
14:17 <namnh> alee: I would like to discuss this issue with you on the patch: https://review.openstack.org/#/c/576409
14:17 <namnh> can you check it :)
14:19 *** jmlowe has joined #openstack-barbican
14:19 <alee> namnh, looking
14:19 <alee> namnh, have not had a chance yet to look at your responses to my comments
14:20 <alee> namnh, had a nice long train ride with wifi so I could catch up on reviews
14:21 *** tidwellr has quit IRC
14:23 <namnh> alee: really, you are on vacation :)
14:24 *** rmascena__ has quit IRC
14:29 <alee> namnh, yeah last day .. nothing else to do on the train
14:29 <alee> namnh, anyways -- looking
14:30 *** raildo has joined #openstack-barbican
14:31 <namnh> alee: thanks for the great support :) I believe you had a great vacation
14:31 <namnh> alee: no problem, I can wait for your comment. :)
14:32 <alee> namnh, just a question -- what do you mean by a default value of this ?
14:32 <alee> you mean a default value of true?
14:33 <alee> A solution I have for now that. I will add a parameter with the __init__ method (named check_exception for example) and the default value of this.
14:34 <alee> namnh, ^^ your comment
14:34 *** tidwellr has joined #openstack-barbican
14:35 *** Luzi has quit IRC
14:35 <alee> or - I guess that won't work -- because OVO needs to instantiate with no args , right?
14:36 <namnh> alee: yes, the default value of the parameter is True. Normally, when the previous code calls the model, the value of the parameter is True and the code still raises the exception
14:36 <alee> namnh, ok - that's fine then
14:37 <namnh> But when OVO calls the model, OVO will pass the value False, so the exception cannot be raised.
14:37 <alee> namnh, yup - that's fine
14:37 <namnh> After OVO is done, then we can remove the parameter.
14:37 <alee> ack
14:37 <namnh> what do you think?
14:37 <alee> works for me
14:38 <namnh> ok, so I will try to push a new patch set to declare the idea
14:38 <alee> (I commented as such on the review)
14:39 <alee> cool
14:39 *** tidwellr has quit IRC
14:39 <namnh> got your comment, thanks. I will do it.
14:40 <alee> namnh, cool -- thanks for sticking with all these reviews -- lots of changes!
14:40 *** FrankZhang has joined #openstack-barbican
14:42 <namnh> :)))
14:42 <namnh> thanks
14:43 *** jmlowe has quit IRC
14:45 *** jmlowe has joined #openstack-barbican
15:01 *** serlex has left #openstack-barbican
15:05 *** peereb has quit IRC
15:44 *** namnh has quit IRC
15:44 *** namnh has joined #openstack-barbican
15:58 *** namnh has quit IRC
16:05 *** namnh has joined #openstack-barbican
16:10 *** namnh has quit IRC
17:54 *** namnh has joined #openstack-barbican
17:59 *** namnh has quit IRC
18:44 *** FrankZhang has quit IRC
19:42 *** namnh has joined #openstack-barbican
19:47 *** namnh has quit IRC
20:20 *** abishop has quit IRC
20:26 *** jmlowe has quit IRC
20:54 *** raildo has quit IRC
21:30 *** namnh has joined #openstack-barbican
21:34 *** namnh has quit IRC
22:36 *** jmlowe has joined #openstack-barbican
22:41 *** namnh has joined #openstack-barbican
22:46 *** namnh_ has joined #openstack-barbican
22:48 *** namnh has quit IRC
23:09 <openstackgerrit> Nam Nguyen Hoai proposed openstack/barbican master: Update two Barbican services to Docs  https://review.openstack.org/576051
23:15 *** namnh_ has quit IRC
23:22 *** antosh has joined #openstack-barbican