13:01:48 <thelounge94> #startmeeting barbican
13:01:48 <opendevmeet> Meeting started Tue Oct 12 13:01:48 2021 UTC and is due to finish in 60 minutes.  The chair is thelounge94. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:01:48 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:01:48 <opendevmeet> The meeting name has been set to 'barbican'
13:02:14 <thelounge94> #topic Roll Call
13:03:48 <redrobot> Courtesy ping for ade_lee dave-mccowan d34dh0r53 hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work tosky xek nearyo oleksandry
13:03:56 <redrobot> #chair redrobot
13:04:03 <d34dh0r53> o/
13:04:16 <thelounge94> #chair redrobot
13:04:16 <opendevmeet> Warning: Nick not in channel: redrobot
13:04:16 <opendevmeet> Current chairs: redrobot thelounge94
13:06:54 <rajiv> Hi, i have question on Barbican-HSM integration, mailed openstack-discussion but had no response. Could ask now or wait till the end for Q&A ?
13:08:22 <redrobot> rajiv hi I'll add your topic to the agenda
13:08:30 <tosky> o/
13:08:35 <redrobot> hi tosky!
13:08:38 <redrobot> OK, let's get started
13:08:46 <redrobot> #topic Review Past Meeting Action Items
13:09:12 <redrobot> #link https://meetings.opendev.org/meetings/barbican/2021/barbican.2021-10-05-13.01.html
13:09:16 <redrobot> We didn't have any
13:09:19 <redrobot> moving on ...
13:09:46 <redrobot> #topic Liaison Updates
13:09:58 <redrobot> tosky do you have anything for us?
13:13:03 <tosky> nothing from my side
13:13:12 <redrobot> ack, thanks!
13:13:15 <redrobot> moving on
13:13:36 <redrobot> Topic Barbican+HSM integration
13:13:49 <redrobot> #topic Barbican+HSM integration
13:13:54 <redrobot> rajiv ^^^
13:14:10 <rajiv> Hi, i am switching from soft crypto plugin to HSM backend
13:14:17 <rajiv> Thales A790
13:14:22 <rajiv> i am told Barbican uses self- generated IV instead of module generated IV which FIPS do not support and shows incorrect parameter error in FIPS mode.
13:15:45 <rajiv> is this fixed in Barbican ? or Barbican doesnt run if FIPS Operation mode is enabled ?
13:16:17 <redrobot> I had to google "Thales A790"  Looks like it's the same as the Thales Luna Network HSM?
13:16:23 <rajiv> FIPS 140-2 L3 to be precise
13:16:43 <rajiv> yes, this is the latest device offered by Thales Luna Network HSM
13:16:50 <kim_s> yes, Luna A790 is the Thales Luna Network HSM, the Password based
13:18:14 <rajiv> https://cpl.thalesgroup.com/resources/encryption/openstack-barbican-integration-guide
13:18:14 <redrobot> Yeah, that seems right that FIPS mode does not work.  I think we've documented that limitation.  Let me look for a link
13:19:11 <redrobot> rajiv Oh yeah, I've seen that guide before
13:19:13 <kim_s> yes, you documented it, the question is: is it still the case? And why exactly, because it seems, that this restriction is only for Luna HSM.
13:19:26 <redrobot> rajiv open that PDF and scroll down to pre-requisites
13:19:35 <redrobot> > The OpenStack Barbican integration does not work with a SafeNet Luna HSM or
13:19:35 <redrobot> Data Protection on Demand HSM on Demand services operating in FIPS mode.
13:19:36 <kim_s> this Thales Integration Guide is quite old from 2019, we've some more actual
13:19:53 <redrobot> AFAIK there has bee no work done to add support to FIPS mode
13:20:02 <kim_s> yes, DPoD seems to work in FIPS Mode, and DPoD is Luna HSM
13:20:14 <rajiv> kim_s: thanks for reiterating the question
13:21:04 <rajiv> redrobot: yes, thats the page i am referring to, i would like to know why this restriction is in place
13:21:12 <rajiv> is there a workaround ?
13:21:43 <redrobot> rajiv probably because of the reasons you outlined with the IV being generated as you explained
13:22:19 <kim_s> the irritation is: Barbican with Luna HSM is per doku not FIPS Mode compatible, but Barbican with DPoD (which are Luna HSMs) are FIPS MOde compatible. Could we clearify this?
13:22:22 <redrobot> I do not know if there is a workaround.  You might try setting aes_gcm_generate_iv=False, but I don't know if that would work or not
13:22:31 <redrobot> https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L98-L100
13:22:52 <redrobot> kim_s I am not familiar with DPoD
13:23:35 <kim_s> I'm from Thales, so I'm a little bit familiar with DPoD and Luna HSMs, but unfortunatle I'm not familiar with Barbican
13:23:54 <rajiv> okay, i will try.
13:24:17 <redrobot> kim_s gotcha.  IIRC, the doc linked by rajiv was produced by Gemalto prior to being acquired by Thales
13:24:50 <redrobot> We (the barbican open source community) don't have access to HSM hardware for development, so that FIPS testing was done by Gemalto
13:25:22 <redrobot> in our documentation we do not mention DPoD
13:25:22 <kim_s> ah, ok, thx @redrobot
13:25:24 <redrobot> #link https://docs.openstack.org/barbican/latest/install/barbican-backend.html#thales-luna-network-hsm-safenet
13:25:31 <redrobot> Our note just says:
13:25:53 <redrobot> > Barbican does not support FIPS mode enabled for SafeNet Luna HSM or Data Protection on Demand HSM. Make sure that it’s operating in non-FIPS mode while integrating with Barbican.
13:26:08 <redrobot> oh, I guess we do mention DPoD
13:26:14 <redrobot> but our docs say we don't support that either
13:26:42 <redrobot> In any case, you mibhg be able to set that option to False and be OK.  I think that's the flag that Barbican checks to decide whether to generate an IV or not.
13:26:52 <redrobot> You might also need to tune the Mechanism
13:27:00 <redrobot> I am not sure GCM is supported in FIPS?
13:27:16 <kim_s> the actual DPoD Integration Guide doesn't speak about FIPS Mode incompatibility: https://thalesdocs.com/dpod/services/integrations/other/openstack/index.html
13:28:07 <redrobot> again, that's your doc, not one produced by the community. 😅
13:28:35 <kim_s> but as I understood Barbican Community did not do the Tests with Thales HSM, so I try to get any response from our Proctuct Management - again :)
13:29:39 <redrobot> For historical context:  Barbican was initally devleoped by Rackspace.  We had Safenet Lunas to develop the system, but we were not able to make them available to our community for testing, so all testing was done downstream.
13:29:54 <redrobot> Rackspace did not use FIPS mode, so we did not test that
13:30:02 <redrobot> I believe only Safenet/Gemalto tested FIPS mode
13:30:25 <redrobot> Currently most of the core team works at Red Hat
13:30:47 <rajiv> okay, so other vendor HSM devices work well on FIPS mode ?
13:30:52 <redrobot> we also have downstream Lunas for testing, but we are also unable to make them available to the community for testing.
13:31:09 <redrobot> rajiv I don't know.  I have not personally tested any HSM with FIPS mode enabled
13:31:46 <redrobot> rajiv kim_s, that said we'd be more than happy to review any patches to add FIPS mode support
13:32:02 <redrobot> I suggest start by tweaking the config options
13:32:51 <rajiv> redrobot: i will test this in my qa setup, would there be any config options to lookout for ? any downsides by setting it to true ?
13:32:53 <redrobot> e.g. turn of IV generation, and possibly change the mechanism to CKM_AES_CBC or something more compatible than GCM
13:32:53 <redrobot> https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L77-L79
13:33:14 <redrobot> rajiv yes, I linked the two options that are most relevant
13:34:25 <rajiv> sure, how about other plugins ?
13:34:40 <redrobot> rajiv all HSMs use the same plugin
13:34:51 <rajiv> KMIP ?
13:35:41 <redrobot> KMIP backend is not very well tested.  I doubt FIPS is supported  as we had the same situation where we had no HSMs for testing and were only using pykmip for testing.
13:36:19 <redrobot> Unfortunately the folks behind the KMIP backend (who had the downstream HSMs for development) are no longer contributing to the project
13:36:35 <redrobot> We can certainly review patches to add FIPS support to KMIP if needed.
13:37:00 <rajiv> ah i see, pkcs11 is the best best to start with i guess.
13:37:15 <kim_s> yes, pkcs#11 is the best option
13:38:06 <rajiv> maybe after testing the config options, etc i could raise a question/bug request for further assistance ?
13:40:43 <redrobot> Yeah, here or the mailing list are good places to ask kquestions
13:41:06 <redrobot> (although I haven't checked the ML in a few days an dmissed your email 😅)
13:41:25 <rajiv> thanks
13:41:33 <redrobot> rajiv you're welcome
13:41:39 <redrobot> OK, moving on
13:41:42 <redrobot> #topic PTG
13:42:10 <redrobot> #link https://etherpad.opendev.org/p/yoga-ptg-barbican
13:42:20 <redrobot> PTG is coming up next week
13:42:44 <redrobot> We have two sessions scheduled on Tuesday October 19 and Thursday October 21
13:42:59 <redrobot> both sessions start at 1300 UTC
13:43:13 <redrobot> #info weekly meeting next week is canceled
13:43:24 <redrobot> since we'll all be at the PTG
13:43:33 <redrobot> please sign up if you haven't yet.
13:44:13 <redrobot> Also feel free to add any topics you want to talk about to the etherpad I linked above
13:47:59 <redrobot> #topic Kanban Review
13:48:02 <redrobot> #link https://tree.taiga.io/project/dmend-openstack-barbican/kanban
13:49:35 <redrobot> not a whole lot of progress on my end
13:49:49 <redrobot> #topic New Bug Review
13:49:57 <redrobot> #link https://storyboard.openstack.org/#!/project_group/barbican
13:52:13 <redrobot> Looks like no new bugs
13:53:16 <redrobot> #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
13:53:20 <redrobot> and no new Castellan bugs
13:53:48 <redrobot> #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0
13:53:55 <redrobot> and no new Cursvie bugs
13:54:11 <redrobot> #topic Open Discussion
13:54:22 <redrobot> We have a few minutes if anyone else has something quick to talk about?
13:55:42 <redrobot> rajiv please open a Storyboard bug about FIPS mode not working
13:59:06 <redrobot> That's all the time we have for today
13:59:10 <redrobot> thanks for joining, everyone!
13:59:12 <redrobot> #endmeeting