Tuesday, 2023-03-07

02:40 *** mhen_ is now known as mhen
10:50 <opendevreview> Merged openstack/python-barbicanclient master: Fixed typo in the release notes  https://review.opendev.org/c/openstack/python-barbicanclient/+/876332
10:53 <opendevreview> Merged openstack/barbican master: Release notes for secret consumers, microversions and CVE fix  https://review.opendev.org/c/openstack/barbican/+/876353
11:54 <rajiv_> Hi,
12:01 <dmendiza[m]> 🙋‍♂️
12:01 <rajiv_> helloo
12:02 <xek> startmeeting barbican
12:02 <xek> =====================
12:02 <xek>  * startmeeting barbican
12:02 <xek> =====================
12:02 <xek> startmeeting barbican
12:02 <xek> =====================
12:02 <xek> ops
12:02 <dmendiza[m]> 🙋‍♂️
12:02 <xek> #startmeeting barbican
12:02 <opendevmeet> Meeting started Tue Mar  7 12:02:53 2023 UTC and is due to finish in 60 minutes.  The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:02 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:02 <opendevmeet> The meeting name has been set to 'barbican'
12:03 <dmendiza[m]> 🙋‍♂️
12:03 <Luzi> o/
12:03 <xek> dmendiza, Luzi, o/
12:04 <xek> #topic Roll Call
12:04 <xek> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung
12:04 <xek> As usual our agenda can be found here:
12:04 <xek> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
12:05 <xek> We have just the usual topics today
12:05 <xek> #topic Review Past Meeting Action Items
12:06 <xek> #link https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-02-28-12.01.html
12:06 <xek> Look into why Zed release notes is broken https://docs.openstack.org/releasenotes/barbican/zed.html
12:06 <xek> mharley took a look at it last week
12:06 <xek> Turns out, we just didn't have any release notes for Zed
12:07 <xek> It was the same case for Antelope (for the barbican project)
12:07 <xek> So mharley created new reviews to add a few relevant release notes
12:08 <xek> They were merged today
12:08 <xek> #topic Liaison Updates
12:10 <xek> #link https://governance.openstack.org/election/
12:10 <xek> TC Election and PTL Election end in 1d 11h 34m
12:11 <xek> Luzi, dmendiza, do you have any updates to add?
12:12 <Luzi> nothing from my side
12:12 <dmendiza[m]> Nothing here either
12:13 <xek> Ack, thanks!
12:13 <xek> Let's go to the next topic
12:13 <xek> #topic Open Discussion
12:14 <rajiv_> hi, i have mailed you guys my query, sub : Query on Multiple backend Secret Order creation
12:14 <rajiv_> did anyone get a chance to read the mail ?
12:15 <xek> rajiv_, I did, but I don't have any experience with this part of barbican
12:15 <dmendiza[m]> link to the ML?
12:16 <xek> dmendiza it was a private message, alee forwarded it to you afaik
12:16 <rajiv_> i also created a ticket with Thales but they closed the ticket saying it's an application issue, we enabled cklog on the HSM device but found nothing from barbican
12:16 <xek> "Query on Multiple backend Secret Order creation"
12:16 <rajiv_> yes, Ade added you to the mail chain
12:16 <rajiv_> yes
12:17 * dmendiza[m] looks through the mountain of email
12:17 <dmendiza[m]> rajiv_: I'd recommend sending it to the mailing list next time openstack-discuss@lists.openstack.org
12:18 <rajiv_> ack, it was only 4 mails in the thread, including 2 follow-ups
12:18 <rajiv_> long story short : my production barbican backend is using Thales A790, when we try to create an asymmetric secret order we get :
12:18 <rajiv_> ERROR barbican.tasks.resources barbican.plugin.crypto.base.CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin backend that supports the requested operation: store or generate a secret of type ASYMMETRIC_KEY_GENERATION with algorithm rsa, bit length 1024, and mode None
12:18 <dmendiza[m]> >  I think there was an option to select the secret store before creation ? or is this deprecated ?
12:19 <dmendiza[m]> There is an API to set the preferred secret store per-project
12:19 <rajiv_> my last mail (today) shared the selection of store : https://review.opendev.org/c/openstack/barbican/+/341803/13/doc/source/api/reference/store_backends.rst#261
12:19 <rajiv_> is this selection allowed in prod as well ? it works fine.
12:19 <dmendiza[m]> #link https://docs.openstack.org/barbican/zed/api/reference/store_backends.html
12:19 <rajiv_> i want to understand if there are any known side-effects, etc
12:22 <rajiv_> dmendiza[m]: is this fine enabling secret store per project in prod ? are there any known issues ?
12:22 <dmendiza[m]> It's a fully supported feature
12:22 <dmendiza[m]> So, yes, you can use it in prod
12:22 <dmendiza[m]> > generate a secret of type ASYMMETRIC_KEY_GENERATION with algorithm rsa, bit length 1024, and mode None
12:22 <dmendiza[m]> try again with mode=CBC
12:23 <dmendiza[m]> oh whoops, never mind
12:23 <dmendiza[m]> don't do that
12:23 * dmendiza[m] is still waiting for coffee to kick in
12:23 <rajiv_> thanks for your confirmation, would this be a workaround for the above error message or the actual functionality to proceed?
12:23 <rajiv_> :)
12:23 <dmendiza[m]> > ASYMMETRIC_KEY_GENERATION
12:23 <dmendiza[m]> This has not been implemented for PKCS#11 (used for HSMs)
12:24 <dmendiza[m]> #link https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L193-L194
12:24 <rajiv_> ah ok, hence the above error message
12:25 <dmendiza[m]> Yeah, so if the user's project is set to use the HSM backend, then they won't be able to generate asymmetric keys
12:25 <dmendiza[m]> You'd have to set the backend to SimpleCrypto
12:25 <dmendiza[m]> or you can help us implement that part of PKCS#11 backend 😄
12:26 <xek> dmendiza, thanks for taking a look at this :)
12:26 <rajiv_> sure, asymmetric certs are deprecated. keys work fine
12:26 <rajiv_> :)
12:26 <xek> rajiv_, if you think the documentation is lacking, maybe you can propose some changes
12:27 <xek> I'll happily review those
12:27 <rajiv_> xek: sure, is there docu on how to do it ? i would like to raise a few PRs. In my prod, HSM integration on FIPS mode also works, until firmware 7.4.0
12:28 <xek> rajiv_, the documentation is in the project tree of either barbican or python-barbicanclient
12:28 <xek> in doc/source/
12:29 <rajiv_> roger that
12:30 <xek> Ok, let's go to the last topic
12:30 <xek> #topic Bug Review
12:31 <xek> There is one new bug
12:31 <xek> link https://storyboard.openstack.org/#!/story/2010625
12:31 <xek> ======================================================
12:31 <xek> #link https://storyboard.openstack.org/#!/story/2010625
12:33 <xek> The main issue seems to be the accumulating non-deleted entries in orders table
12:33 <xek> when using castellan
12:34 <dmendiza[m]> Yeah, reading through the bug report
12:35 <xek> dmendiza, maybe we can sync later to decide if one of the proposed weys to get around this is how we want to proceed
12:35 <xek> *ways
12:35 <dmendiza[m]> Looks like they've started a thread on openstack-discuss as well:
12:35 <dmendiza[m]> #link https://lists.openstack.org/pipermail/openstack-discuss/2023-March/032585.html
12:36 <xek> Ok, I guess we can continue the discussion there
12:36 <dmendiza[m]> Grzegorz Grasza: yeah, let's get ade_lee 's opinion too
12:37 <xek> Ok, that completes the list of topics for today
12:37 <xek> See y'all next week!
12:38 <dmendiza[m]> Thanks, Grzegorz Grasza !
12:38 <xek> #endmeeting
12:38 <opendevmeet> Meeting ended Tue Mar  7 12:38:12 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
12:38 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-03-07-12.02.html
12:38 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-03-07-12.02.txt
12:38 <opendevmeet> Log:            https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-03-07-12.02.log.html
14:58 *** blarnath is now known as d34dh0r53
15:25 <bkranendonk> Hello all. is it true that only the MKEK key will be stored in a HSM using the PKCS11 implementation?
15:26 <bkranendonk> And that all KEK keys will be stored and encrypted in the MySQL db?
18:43 <dmendiza[m]> Hi bkranendonk
18:44 <dmendiza[m]> Yes, the current implementation of the PKCS#11 backend only stores two keys in the hsm: The MKEK and the MHMAC
18:45 <dmendiza[m]> All PKEKs are stored as ciphertext in the DB
18:45 <dmendiza[m]> it was an early design decision due to severely constrained storage limits in Thales Luna HSMs
18:46 <dmendiza[m]> e.g. a reasonably sized cloud could fill up the storage in an HSM in a matter of days
18:48 <dmendiza[m]> PKEKs are only unwrapped inside the HSM and never leave the HSM unencrypted.

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!