13:01:48 <thelounge94> #startmeeting barbican
13:01:48 <opendevmeet> Meeting started Tue Oct 12 13:01:48 2021 UTC and is due to finish in 60 minutes.  The chair is thelounge94. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:01:48 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:01:48 <opendevmeet> The meeting name has been set to 'barbican'
13:02:14 <thelounge94> #topic Roll Call
13:03:48 <redrobot> Courtesy ping for ade_lee dave-mccowan d34dh0r53 hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work tosky xek nearyo oleksandry
13:03:56 <redrobot> #chair redrobot
13:04:03 <d34dh0r53> o/
13:04:16 <thelounge94> #chair redrobot
13:04:16 <opendevmeet> Warning: Nick not in channel: redrobot
13:04:16 <opendevmeet> Current chairs: redrobot thelounge94
13:06:54 <rajiv> Hi, I have a question on Barbican-HSM integration, mailed openstack-discuss but had no response. Could I ask now or wait till the end for Q&A?
13:08:22 <redrobot> rajiv hi I'll add your topic to the agenda
13:08:30 <tosky> o/
13:08:35 <redrobot> hi tosky!
13:08:38 <redrobot> OK, let's get started
13:08:46 <redrobot> #topic Review Past Meeting Action Items
13:09:12 <redrobot> #link https://meetings.opendev.org/meetings/barbican/2021/barbican.2021-10-05-13.01.html
13:09:16 <redrobot> We didn't have any
13:09:19 <redrobot> moving on ...
13:09:46 <redrobot> #topic Liaison Updates
13:09:58 <redrobot> tosky do you have anything for us?
13:13:03 <tosky> nothing from my side
13:13:12 <redrobot> ack, thanks!
13:13:15 <redrobot> moving on
13:13:36 <redrobot> Topic Barbican+HSM integration
13:13:49 <redrobot> #topic Barbican+HSM integration
13:13:54 <redrobot> rajiv ^^^
13:14:10 <rajiv> Hi, I am switching from the soft crypto plugin to an HSM backend
13:14:17 <rajiv> Thales A790
13:14:22 <rajiv> I am told Barbican uses a self-generated IV instead of a module-generated IV, which FIPS does not support, and shows an incorrect parameter error in FIPS mode.
13:15:45 <rajiv> Is this fixed in Barbican? Or does Barbican not run if FIPS operation mode is enabled?
13:16:17 <redrobot> I had to google "Thales A790"  Looks like it's the same as the Thales Luna Network HSM?
13:16:23 <rajiv> FIPS 140-2 L3 to be precise
13:16:43 <rajiv> yes, this is the latest device offered by Thales Luna Network HSM
13:16:50 <kim_s> yes, Luna A790 is the Thales Luna Network HSM, the password-based one
13:18:14 <rajiv> https://cpl.thalesgroup.com/resources/encryption/openstack-barbican-integration-guide
13:18:14 <redrobot> Yeah, that seems right that FIPS mode does not work.  I think we've documented that limitation.  Let me look for a link
13:19:11 <redrobot> rajiv Oh yeah, I've seen that guide before
13:19:13 <kim_s> yes, you documented it, the question is: is it still the case? And why exactly? Because it seems that this restriction is only for Luna HSM.
13:19:26 <redrobot> rajiv open that PDF and scroll down to prerequisites
13:19:35 <redrobot> > The OpenStack Barbican integration does not work with a SafeNet Luna HSM or
13:19:35 <redrobot> Data Protection on Demand HSM on Demand services operating in FIPS mode.
13:19:36 <kim_s> this Thales Integration Guide is quite old, from 2019; we have some more current ones
13:19:53 <redrobot> AFAIK there has been no work done to add support for FIPS mode
13:20:02 <kim_s> yes, DPoD seems to work in FIPS Mode, and DPoD is Luna HSM
13:20:14 <rajiv> kim_s: thanks for reiterating the question
13:21:04 <rajiv> redrobot: yes, that's the page I am referring to, I would like to know why this restriction is in place
13:21:12 <rajiv> is there a workaround?
13:21:43 <redrobot> rajiv probably because of the reasons you outlined with the IV being generated as you explained
13:22:19 <kim_s> the confusion is: Barbican with Luna HSM is, per the docs, not FIPS-mode compatible, but Barbican with DPoD (which are Luna HSMs) is FIPS-mode compatible. Could we clarify this?
13:22:22 <redrobot> I do not know if there is a workaround.  You might try setting aes_gcm_generate_iv=False, but I don't know if that would work or not
13:22:31 <redrobot> https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L98-L100
13:22:52 <redrobot> kim_s I am not familiar with DPoD
13:23:35 <kim_s> I'm from Thales, so I'm a little bit familiar with DPoD and Luna HSMs, but unfortunately I'm not familiar with Barbican
13:23:54 <rajiv> okay, I will try.
13:24:17 <redrobot> kim_s gotcha.  IIRC, the doc linked by rajiv was produced by Gemalto prior to being acquired by Thales
13:24:50 <redrobot> We (the barbican open source community) don't have access to HSM hardware for development, so that FIPS testing was done by Gemalto
13:25:22 <redrobot> in our documentation we do not mention DPoD
13:25:22 <kim_s> ah, ok, thx @redrobot
13:25:24 <redrobot> #link https://docs.openstack.org/barbican/latest/install/barbican-backend.html#thales-luna-network-hsm-safenet
13:25:31 <redrobot> Our note just says:
13:25:53 <redrobot> > Barbican does not support FIPS mode enabled for SafeNet Luna HSM or Data Protection on Demand HSM. Make sure that it’s operating in non-FIPS mode while integrating with Barbican.
13:26:08 <redrobot> oh, I guess we do mention DPoD
13:26:14 <redrobot> but our docs say we don't support that either
13:26:42 <redrobot> In any case, you might be able to set that option to False and be OK.  I think that's the flag that Barbican checks to decide whether to generate an IV or not.
13:26:52 <redrobot> You might also need to tune the Mechanism
13:27:00 <redrobot> I am not sure GCM is supported in FIPS?
13:27:16 <kim_s> the actual DPoD Integration Guide doesn't speak about FIPS Mode incompatibility: https://thalesdocs.com/dpod/services/integrations/other/openstack/index.html
13:28:07 <redrobot> again, that's your doc, not one produced by the community. 😅
13:28:35 <kim_s> but as I understood, the Barbican community did not do the tests with Thales HSM, so I'll try to get a response from our Product Management - again :)
13:29:39 <redrobot> For historical context:  Barbican was initially developed by Rackspace.  We had Safenet Lunas to develop the system, but we were not able to make them available to our community for testing, so all testing was done downstream.
13:29:54 <redrobot> Rackspace did not use FIPS mode, so we did not test that
13:30:02 <redrobot> I believe only Safenet/Gemalto tested FIPS mode
13:30:25 <redrobot> Currently most of the core team works at Red Hat
13:30:47 <rajiv> okay, so do other vendors' HSM devices work well in FIPS mode?
13:30:52 <redrobot> we also have downstream Lunas for testing, but we are also unable to make them available to the community for testing.
13:31:09 <redrobot> rajiv I don't know.  I have not personally tested any HSM with FIPS mode enabled
13:31:46 <redrobot> rajiv kim_s, that said we'd be more than happy to review any patches to add FIPS mode support
13:32:02 <redrobot> I suggest start by tweaking the config options
13:32:51 <rajiv> redrobot: I will test this in my QA setup, would there be any config options to look out for? Any downsides to setting it to true?
13:32:53 <redrobot> e.g. turn off IV generation, and possibly change the mechanism to CKM_AES_CBC or something more compatible than GCM
13:32:53 <redrobot> https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L77-L79
13:33:14 <redrobot> rajiv yes, I linked the two options that are most relevant
13:34:25 <rajiv> sure, how about other plugins?
13:34:40 <redrobot> rajiv all HSMs use the same plugin
13:34:51 <rajiv> KMIP ?
13:35:41 <redrobot> KMIP backend is not very well tested.  I doubt FIPS is supported, as we had the same situation where we had no HSMs for testing and were only using pykmip for testing.
13:36:19 <redrobot> Unfortunately the folks behind the KMIP backend (who had the downstream HSMs for development) are no longer contributing to the project
13:36:35 <redrobot> We can certainly review patches to add FIPS support to KMIP if needed.
13:37:00 <rajiv> ah, I see, pkcs11 is the best bet to start with, I guess.
13:37:15 <kim_s> yes, pkcs#11 is the best option
13:38:06 <rajiv> maybe after testing the config options, etc., I could raise a question/bug request for further assistance?
13:40:43 <redrobot> Yeah, here or the mailing list are good places to ask questions
13:41:06 <redrobot> (although I haven't checked the ML in a few days and missed your email 😅)
13:41:25 <rajiv> thanks
13:41:33 <redrobot> rajiv you're welcome
13:41:39 <redrobot> OK, moving on
13:41:42 <redrobot> #topic PTG
13:42:10 <redrobot> #link https://etherpad.opendev.org/p/yoga-ptg-barbican
13:42:20 <redrobot> PTG is coming up next week
13:42:44 <redrobot> We have two sessions scheduled on Tuesday October 19 and Thursday October 21
13:42:59 <redrobot> both sessions start at 1300 UTC
13:43:13 <redrobot> #info weekly meeting next week is canceled
13:43:24 <redrobot> since we'll all be at the PTG
13:43:33 <redrobot> please sign up if you haven't yet.
13:44:13 <redrobot> Also feel free to add any topics you want to talk about to the etherpad I linked above
13:47:59 <redrobot> #topic Kanban Review
13:48:02 <redrobot> #link https://tree.taiga.io/project/dmend-openstack-barbican/kanban
13:49:35 <redrobot> not a whole lot of progress on my end
13:49:49 <redrobot> #topic New Bug Review
13:49:57 <redrobot> #link https://storyboard.openstack.org/#!/project_group/barbican
13:52:13 <redrobot> Looks like no new bugs
13:53:16 <redrobot> #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
13:53:20 <redrobot> and no new Castellan bugs
13:53:48 <redrobot> #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0
13:53:55 <redrobot> and no new Cursive bugs
13:54:11 <redrobot> #topic Open Discussion
13:54:22 <redrobot> We have a few minutes if anyone else has something quick to talk about?
13:55:42 <redrobot> rajiv please open a Storyboard bug about FIPS mode not working
13:59:06 <redrobot> That's all the time we have for today
13:59:10 <redrobot> thanks for joining, everyone!
13:59:12 <redrobot> #endmeeting